// Return the number of labels that matches starting from the right (excluding the // root label) mDNSexport int CountLabelsMatch(const domainname *const d1, const domainname *const d2) { int count, c1, c2; int match, i, skip1, skip2; c1 = CountLabels(d1); skip1 = c1 - 1; c2 = CountLabels(d2); skip2 = c2 - 1; // Root label always matches. And we don't include it here to // match CountLabels match = 0; // Compare as many labels as possible starting from the rightmost count = c1 < c2 ? c1 : c2; for (i = count; i > 0; i--) { const domainname *da, *db; da = SkipLeadingLabels(d1, skip1); db = SkipLeadingLabels(d2, skip2); if (!SameDomainName(da, db)) return match; skip1--; skip2--; match++; } return match; }
mDNSlocal const domainname *NSECClosestEncloser(ResourceRecord *rr, domainname *qname) { const domainname *oname = rr->name; const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data; const domainname *nxt = (const domainname *)&rdb->data; int match1, match2; match1 = CountLabelsMatch(oname, qname); match2 = CountLabelsMatch(nxt, qname); // Return the closest i.e the one that matches more labels if (match1 > match2) return SkipLeadingLabels(oname, CountLabels(oname) - match1); else return SkipLeadingLabels(nxt, CountLabels(nxt) - match2); }
mDNSexport mDNSBool NSEC3WildcardAnswerProof(mDNS *const m, CacheRecord *ncr, DNSSECVerifier *dv) { int skip; const domainname *nc; CacheRecord *closerEncloser; (void) m; // Find the next closer name and prove that it is covered by the NSEC3 skip = CountLabels(&dv->origName) - CountLabels(dv->wildcardName) - 1; if (skip) nc = SkipLeadingLabels(&dv->origName, skip); else nc = &dv->origName; LogDNSSEC("NSEC3WildcardAnswerProof: wildcard name %##s", nc->c); if (!NSEC3Find(m, NSEC3Covers, ncr, (domainname *)nc, mDNSNULL, &closerEncloser, mDNSNULL, dv->q.qtype)) { LogMsg("NSEC3WildcardAnswerProof: Cannot find closer encloser"); return mDNSfalse; } if (!closerEncloser) { LogMsg("NSEC3WildcardAnswerProof: closerEncloser NULL"); return mDNSfalse; } if (NSEC3OptOut(closerEncloser)) { dv->flags |= NSEC3_OPT_OUT; } // NSEC3 Verification is done by the caller return mDNStrue; }
// This function can be called with NSEC3ClosestEncloser, NSEC3Covers and NSEC3CEProof // // Passing in NSEC3ClosestEncloser means "find an exact match for the origName". // Passing in NSEC3Covers means "find an NSEC3 that covers the origName". // // i.e., in both cases the nsec3 records are iterated to find the best match and returned. // With NSEC3ClosestEncloser, as we are just looking for a name match, extra checks for // the types being present or absent will not be checked. // // If NSEC3CEProof is passed, the name is tried as such first by iterating through all NSEC3s // finding a ClosestEncloser or CloserEncloser and then one label skipped from the left and // retried again till both the closest and closer encloser is found. // // ncr is the negative cache record that has the NSEC3 chain // origName is the name for which we are trying to find the ClosestEncloser etc. // closestEncloser and closerEncloser are the return values of the function // ce is the closest encloser that will be returned if we find one mDNSlocal mDNSBool NSEC3Find(mDNS *const m, NSEC3FindValues val, CacheRecord *ncr, domainname *origName, CacheRecord **closestEncloser, CacheRecord **closerEncloser, const domainname **ce, mDNSu16 qtype) { int i; int labelCount = CountLabels(origName); CacheRecord *cr; rdataNSEC3 *nsec3; (void) qtype; // unused // Pick the first NSEC for the iterations, salt etc. for (cr = ncr->nsec; cr; cr = cr->next) { if (cr->resrec.rrtype == kDNSType_NSEC3) { const RDataBody2 *const rdb = (RDataBody2 *)cr->resrec.rdata->u.data; nsec3 = (rdataNSEC3 *)rdb->data; break; } } if (!cr) { LogMsg("NSEC3Find: cr NULL"); return mDNSfalse; } // Note: The steps defined in this function are for "NSEC3CEProof". As part of NSEC3CEProof, // we need to find both the closestEncloser and closerEncloser which can also be found // by passing NSEC3ClosestEncloser and NSEC3Covers respectively. // // Section 8.3 of RFC 5155. // 1. Set SNAME=QNAME. Clear the flag. // // closerEncloser is the "flag". "name" below is SNAME. if (closestEncloser) { *ce = mDNSNULL; *closestEncloser = mDNSNULL; } if (closerEncloser) *closerEncloser = mDNSNULL; // If we are looking for a closestEncloser or a covering NSEC3, we don't have // to truncate the name. For the give name, try to find the closest or closer // encloser. if (val != NSEC3CEProof) { labelCount = 0; } for (i = 0; i < labelCount + 1; i++) { int hlen; const mDNSu8 hashName[NSEC3_MAX_HASH_LEN]; const domainname *name; const mDNSu8 b32Name[NSEC3_MAX_B32_LEN+1]; int b32len; name = SkipLeadingLabels(origName, i); if (!NSEC3HashName(name, nsec3, mDNSNULL, 0, hashName, &hlen)) { LogMsg("NSEC3Find: NSEC3HashName failed for ##s", name->c); continue; } b32len = baseEncode((char *)b32Name, sizeof(b32Name), (mDNSu8 *)hashName, hlen, ENC_BASE32); if (!b32len) { LogMsg("NSEC3Find: baseEncode of name %##s failed", name->c); continue; } for (cr = ncr->nsec; cr; cr = cr->next) { const domainname *nsecZone; int result, subdomain; if (cr->resrec.rrtype != kDNSType_NSEC3) continue; nsecZone = SkipLeadingLabels(cr->resrec.name, 1); if (!nsecZone) { LogMsg("NSEC3Find: SkipLeadingLabel failed for %s, current name %##s", CRDisplayString(m, cr), name->c); continue; } // NSEC3 owner names are formed by hashing the owner name and then appending // the zone name to it. If we skip the first label, the rest should be // the zone name. See whether it is the subdomain of the name we are looking // for. result = DNSSECCanonicalOrder(origName, nsecZone, &subdomain); // The check can't be a strict subdomain check. When NSEC3ClosestEncloser is // passed in, there can be an exact match. If it is a subdomain or an exact // match, we should continue with the proof. if (!(subdomain || !result)) { LogMsg("NSEC3Find: NSEC3 %s not a subdomain of %##s, result %d", CRDisplayString(m, cr), origName->c, result); continue; } // 2.1) If there is no NSEC3 RR in the response that matches SNAME // (i.e., an NSEC3 RR whose owner name is the same as the hash of // SNAME, prepended as a single label to the zone name), clear // the flag. // // Note: We don't try to determine the actual zone name. We know that // the labels following the hash (nsecZone) is the ancestor and we don't // know where the zone cut is. Hence, we verify just the hash to be // the same. if (val == NSEC3ClosestEncloser || val == NSEC3CEProof) { if (!NSEC3SameName(&cr->resrec.name->c[1], cr->resrec.name->c[0], (const mDNSu8 *)b32Name, b32len)) { int bmaplen; mDNSu8 *bmap; // For NSEC3ClosestEncloser, we are finding an exact match and // "type" specific checks should be done by the caller. if (val != NSEC3ClosestEncloser) { // DNAME bit must not be set and NS bit may be set only if SOA bit is set NSEC3Parse(&cr->resrec, mDNSNULL, mDNSNULL, mDNSNULL, &bmaplen, &bmap); if (BitmapTypeCheck(bmap, bmaplen, kDNSType_DNAME)) { LogDNSSEC("NSEC3Find: DNAME bit set in %s, ignoring", CRDisplayString(m, cr)); return mDNSfalse; } // This is the closest encloser and should come from the right zone. if (BitmapTypeCheck(bmap, bmaplen, kDNSType_NS) && !BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA)) { LogDNSSEC("NSEC3Find: NS bit set without SOA bit in %s, ignoring", CRDisplayString(m, cr)); return mDNSfalse; } } LogDNSSEC("NSEC3Find: ClosestEncloser %s found for name %##s", CRDisplayString(m, cr), name->c); if (closestEncloser) { *ce = name; *closestEncloser = cr; } if (val == NSEC3ClosestEncloser) return mDNStrue; else break; } } if ((val == NSEC3Covers || val == NSEC3CEProof) && !(*closerEncloser)) { if (NSEC3CoversName(m, cr, hashName, hlen, b32Name, b32len)) { // 2.2) If there is an NSEC3 RR in the response that covers SNAME, set the flag. if (closerEncloser) *closerEncloser = cr; if (val == NSEC3Covers) return mDNStrue; else break; } } } // 2.3) If there is a matching NSEC3 RR in the response and the flag // was set, then the proof is complete, and SNAME is the closest // encloser. if (val == NSEC3CEProof) { if (*closestEncloser && *closerEncloser) { LogDNSSEC("NSEC3Find: Found closest and closer encloser"); return mDNStrue; } // 2.4) If there is a matching NSEC3 RR in the response, but the flag // is not set, then the response is bogus. // // Note: We don't have to wait till we finish trying all the names. If the matchName // happens, we found the closest encloser which means we should have found the closer // encloser before. if (*closestEncloser && !(*closerEncloser)) { LogDNSSEC("NSEC3Find: Found closest, but not closer encloser"); return mDNSfalse; } } // 3. Truncate SNAME by one label from the left, go to step 2. } LogDNSSEC("NSEC3Find: Cannot find name %##s (%s)", origName->c, DNSTypeName(qtype)); return mDNSfalse; }
// We have a NSEC. Need to see if it proves that NODATA exists for the given name. Note that this // function does not prove anything as proof may require more than one NSEC and this function // processes only one NSEC at a time. // // Returns mDNSfalse if the NSEC does not prove the NODATA error // Returns mDNStrue if the NSEC proves the NODATA error // mDNSlocal mDNSBool NSECNoDataError(mDNS *const m, ResourceRecord *rr, domainname *name, mDNSu16 qtype, domainname **wildcard) { const domainname *oname = rr->name; // owner name if (wildcard) *wildcard = mDNSNULL; // RFC 4035 // // section 3.1.3.1 : Name matches. Prove that the type does not exist and also CNAME is // not set as in that case CNAME should have been returned ( CNAME part is mentioned in // section 4.3 of dnssec-bis-updates.) Without the CNAME check, a positive response can // be converted to a NODATA/NOERROR response. // // section 3.1.3.4 : No exact match for the name but there is a wildcard that could match // the name but not the type. There are two NSECs in this case. One of them is a wildcard // NSEC and another NSEC proving that the qname does not exist. We are called with one // NSEC at a time. We return what we matched and the caller should decide whether all // conditions are met for the proof. if (SameDomainName(oname, name)) { mDNSBool soa = RRAssertsExistence(rr, kDNSType_SOA); mDNSBool ns = RRAssertsExistence(rr, kDNSType_NS); if (qtype != kDNSType_DS) { // For non-DS type questions, we don't want to use the parent side records to // answer it if (ns && !soa) { LogDNSSEC("NSECNoDataError: Parent side NSEC %s, can't use for child qname %##s (%s)", RRDisplayString(m, rr), name->c, DNSTypeName(qtype)); return mDNSfalse; } } else { if (soa) { LogDNSSEC("NSECNoDataError: Child side NSEC %s, can't use for parent qname %##s (%s)", RRDisplayString(m, rr), name->c, DNSTypeName(qtype)); return mDNSfalse; } } if (RRAssertsExistence(rr, qtype) || RRAssertsExistence(rr, kDNSType_CNAME)) { LogMsg("NSECNoDataError: ERROR!! qtype %s exists in %s", DNSTypeName(qtype), RRDisplayString(m, rr)); return mDNSfalse; } LogDNSSEC("NSECNoDataError: qype %s does not exist in %s", DNSTypeName(qtype), RRDisplayString(m, rr)); return mDNStrue; } else { // Name does not exist. Before we check for a wildcard match, make sure that // this is not an ENT. if (NSECAnswersENT(rr, name)) { LogDNSSEC("NSECNoDataError: name %##s exists %s", name->c, RRDisplayString(m, rr)); return mDNSfalse; } // Wildcard check. If this is a wildcard NSEC, then check to see if we could // have answered the question using this wildcard and it should not have the // "qtype" passed in with its bitmap. // // See RFC 4592, on how wildcards are used to synthesize answers. Find the // closest encloser and the qname should be a subdomain i.e if the wildcard // is *.x.example, x.example is the closest encloser and the qname should be // a subdomain e.g., y.x.example or z.y.x.example and so on. if (oname->c[0] == 1 && oname->c[1] == '*') { int r, s; const domainname *ce = SkipLeadingLabels(oname, 1); r = DNSSECCanonicalOrder(name, ce, &s); if (s) { if (RRAssertsExistence(rr, qtype) || RRAssertsExistence(rr, kDNSType_CNAME)) { LogMsg("NSECNoDataError: ERROR!! qtype %s exists in wildcard %s", DNSTypeName(qtype), RRDisplayString(m, rr)); return mDNSfalse; } if (qtype == kDNSType_DS && RRAssertsExistence(rr, kDNSType_SOA)) { LogDNSSEC("NSECNoDataError: Child side wildcard NSEC %s, can't use for parent qname %##s (%s)", RRDisplayString(m, rr), name->c, DNSTypeName(qtype)); return mDNSfalse; } else if (qtype != kDNSType_DS && RRAssertsNonexistence(rr, kDNSType_SOA) && RRAssertsExistence(rr, kDNSType_NS)) { // Don't use the parent side record for this LogDNSSEC("NSECNoDataError: Parent side wildcard NSEC %s, can't use for child qname %##s (%s)", RRDisplayString(m, rr), name->c, DNSTypeName(qtype)); return mDNSfalse; } *wildcard = (domainname *)ce; LogDNSSEC("NSECNoDataError: qtype %s does not exist in wildcard %s", DNSTypeName(qtype), RRDisplayString(m, rr)); return mDNStrue; } } return mDNSfalse; } }