/**
 * Update the SOA serial of a zone.
 *
 * Clones the apex SOA RR, asks the zone database for the next serial
 * (according to the signconf's soa_serial policy and the inbound serial),
 * swaps the serial rdata of the clone and adds the clone to the SOA RRset
 * so that the change is picked up by the next diff.
 *
 * @param zone the zone; apex, name, db and signconf must be set.
 * @return ODS_STATUS_OK on success (also when the serial was already
 *         updated), ODS_STATUS_ERR when cloning or replacing the rdata
 *         fails, or the status returned by namedb_update_serial.
 */
ods_status
zone_update_serial(zone_type* zone)
{
    ods_status status;
    rrset_type* soa_rrset;
    ldns_rr* soa_clone;
    ldns_rdf* old_serial;
    rr_type* added;

    ods_log_assert(zone);
    ods_log_assert(zone->apex);
    ods_log_assert(zone->name);
    ods_log_assert(zone->db);
    ods_log_assert(zone->signconf);

    /* A previous pass already bumped the serial: consume the flag and stop. */
    if (zone->db->serial_updated) {
        ods_log_debug("[%s] zone %s soa serial already up to date",
            zone_str, zone->name);
        zone->db->serial_updated = 0;
        return ODS_STATUS_OK;
    }

    soa_rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_SOA);
    ods_log_assert(soa_rrset);
    ods_log_assert(soa_rrset->rrs);
    ods_log_assert(soa_rrset->rrs[0].rr);

    /* Work on a copy; the SOA RR already in the RRset is left untouched. */
    soa_clone = ldns_rr_clone(soa_rrset->rrs[0].rr);
    if (!soa_clone) {
        ods_log_error("[%s] unable to update zone %s soa serial: failed to "
            "clone soa rr", zone_str, zone->name);
        return ODS_STATUS_ERR;
    }

    status = namedb_update_serial(zone->db, zone->signconf->soa_serial,
        zone->db->inbserial);
    if (status != ODS_STATUS_OK) {
        ods_log_error("[%s] unable to update zone %s soa serial: %s",
            zone_str, zone->name, ods_status2str(status));
        ldns_rr_free(soa_clone);
        return status;
    }
    ods_log_verbose("[%s] zone %s set soa serial to %u", zone_str,
        zone->name, zone->db->intserial);

    /* ldns_rr_set_rdf returns the rdata it replaced, which is ours to free. */
    old_serial = ldns_rr_set_rdf(soa_clone,
        ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, zone->db->intserial),
        SE_SOA_RDATA_SERIAL);
    if (!old_serial) {
        ods_log_error("[%s] unable to update zone %s soa serial: failed to "
            "replace soa serial rdata", zone_str, zone->name);
        ldns_rr_free(soa_clone);
        return ODS_STATUS_ERR;
    }
    ldns_rdf_deep_free(old_serial);

    added = rrset_add_rr(soa_rrset, soa_clone);
    ods_log_assert(added);
    rrset_diff(soa_rrset, 0, 0);
    zone->db->serial_updated = 0;
    return ODS_STATUS_OK;
}
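/* this will probably be moved to a better place in the library itself */
/*
 * Build an RRset for owner_name/qtype from the rp backend.
 *
 * Only A queries are answered (via rp_get_a_record); any other qtype, or
 * an owner the backend has no record for, yields NULL.  qclass is part of
 * the interface but does not filter anything.
 *
 * NOTE(review): owner_name->_data is the wire-format dname, not a C string;
 * confirm that rp_get_a_record expects that.  Ownership of the string it
 * returns is not visible here and is not freed.
 *
 * Returns a newly allocated list the caller frees with
 * ldns_rr_list_deep_free, an empty list when zone or owner_name is NULL,
 * or NULL when there is nothing to answer.
 */
ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name,
	const ldns_rr_type qtype, const ldns_rr_class qclass)
{
	const char *result = NULL;
	ldns_rr_list *rrlist;
	ldns_rr *rr;
	ldns_rdf *rdf;

	(void) qclass;

	/* Check the arguments before touching owner_name->_data; the original
	 * looked the record up first and only then tested for NULL. */
	if (!zone || !owner_name) {
		fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n");
		return ldns_rr_list_new();
	}

	switch (qtype) {
	case LDNS_RR_TYPE_A:
		result = rp_get_a_record(rp_handle, owner_name->_data);
		break;
	default:
		result = NULL;
		break;
	}
	if (!result) {
		return NULL;
	}

	rrlist = ldns_rr_list_new();
	if (!rrlist) {
		return NULL;
	}
	rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_A);
	if (!rr) {
		return rrlist;
	}
	ldns_rr_set_owner(rr, ldns_rdf_clone(owner_name));
	rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, result);
	if (!rdf) {
		/* backend text was not a parseable IPv4 address: answer empty */
		ldns_rr_free(rr);
		return rrlist;
	}
	/* ldns_rr_new_frm_type already sized the rdata array for an A record,
	 * so fill slot 0 instead of pushing a second field behind a NULL one. */
	(void) ldns_rr_set_rdf(rr, rdf, 0);
	/* Push rr itself; the original pushed a clone and leaked rr. */
	ldns_rr_list_push_rr(rrlist, rr);
	return rrlist;
}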
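/* Close the transfer socket and drop the buffered packet, so that the
 * resolver can be reused after the AXFR ended or failed. */
static void
axfr_close(ldns_resolver *resolver)
{
	close(resolver->_socket);
	resolver->_socket = 0;
	ldns_pkt_free(resolver->_cur_axfr_pkt);
	resolver->_cur_axfr_pkt = NULL;
}

/**
 * Return the next RR of a running AXFR, or NULL when the transfer is
 * finished or has failed.
 *
 * RRs are handed out one by one from the packet buffered in
 * resolver->_cur_axfr_pkt; when it is exhausted the next packet is read
 * from the TCP socket.  The second SOA ends the transfer and closes the
 * socket.  A parse error or a non-zero rcode now closes the socket as
 * well; the original left it open, so a later AXFR on the same resolver
 * would run into the stale connection.
 *
 * @param resolver resolver on which the AXFR was started
 * @return a cloned RR owned by the caller, or NULL
 */
ldns_rr *
ldns_axfr_next(ldns_resolver *resolver)
{
	ldns_rr *cur_rr;
	uint8_t *packet_wire;
	size_t packet_wire_size;
	ldns_lookup_table *rcode;
	ldns_status status;

	/* check if start() has been called */
	if (!resolver || resolver->_socket == 0) {
		return NULL;
	}

	if (resolver->_cur_axfr_pkt) {
		if (resolver->_axfr_i == ldns_pkt_ancount(resolver->_cur_axfr_pkt)) {
			/* packet exhausted: drop it and read the next one */
			ldns_pkt_free(resolver->_cur_axfr_pkt);
			resolver->_cur_axfr_pkt = NULL;
			return ldns_axfr_next(resolver);
		}
		cur_rr = ldns_rr_clone(ldns_rr_list_rr(
			ldns_pkt_answer(resolver->_cur_axfr_pkt), resolver->_axfr_i));
		resolver->_axfr_i++;
		if (!cur_rr) {
			/* clone failed; end the transfer instead of dereferencing NULL */
			axfr_close(resolver);
			return NULL;
		}
		if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_SOA) {
			resolver->_axfr_soa_count++;
			/* the second SOA terminates the zone transfer */
			if (resolver->_axfr_soa_count >= 2) {
				axfr_close(resolver);
			}
		}
		return cur_rr;
	}

	packet_wire = ldns_tcp_read_wire(resolver->_socket, &packet_wire_size);
	if (!packet_wire) {
		return NULL;
	}
	status = ldns_wire2pkt(&resolver->_cur_axfr_pkt, packet_wire, packet_wire_size);
	free(packet_wire);
	resolver->_axfr_i = 0;
	if (status != LDNS_STATUS_OK) {
		/* TODO: make status return type of this function (...api change) */
		fprintf(stderr, "Error parsing rr during AXFR: %s\n",
			ldns_get_errorstr_by_id(status));
		axfr_close(resolver);
		return NULL;
	}
	if (ldns_pkt_get_rcode(resolver->_cur_axfr_pkt) != 0) {
		rcode = ldns_lookup_by_id(ldns_rcodes,
			(int) ldns_pkt_get_rcode(resolver->_cur_axfr_pkt));
		/* an rcode without a table entry would otherwise deref NULL */
		if (rcode) {
			fprintf(stderr, "Error in AXFR: %s\n", rcode->name);
		} else {
			fprintf(stderr, "Error in AXFR: rcode %d\n",
				(int) ldns_pkt_get_rcode(resolver->_cur_axfr_pkt));
		}
		axfr_close(resolver);
		return NULL;
	}
	return ldns_axfr_next(resolver);
}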
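/**
 * Sign a zone with NSEC3 and the given keys.
 *
 * A ldns_dnssec_zone is built from the SOA and every other RR of zone and
 * signed; a new ldns_zone is returned that holds clones of all original RRs
 * plus the NSEC3/RRSIG records the signer produced.  The signer's return
 * value is ignored, as in the original.
 *
 * NOTE(review): the SOA of the returned zone is ldns_zone_soa(zone) itself,
 * not a clone, so the two zones share that RR -- confirm this aliasing is
 * intended before deep-freeing both.
 *
 * @param zone        zone to sign; must have a SOA
 * @param key_list    keys to sign with
 * @param algorithm   NSEC3 hash algorithm
 * @param flags       NSEC3 flags (opt-out)
 * @param iterations  NSEC3 hash iterations
 * @param salt_length length of salt in bytes
 * @param salt        the salt
 * @return the signed zone, or NULL when an allocation failed (the original
 *         dereferenced the NULL pointer in that case)
 */
ldns_zone *
ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm,
	uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
{
	ldns_dnssec_zone *dnssec_zone = NULL;
	ldns_zone *signed_zone = NULL;
	ldns_rr_list *new_rrs = NULL;
	ldns_rr_list *orig_rrs;
	size_t i;

	signed_zone = ldns_zone_new();
	dnssec_zone = ldns_dnssec_zone_new();
	new_rrs = ldns_rr_list_new();
	if (!signed_zone || !dnssec_zone || !new_rrs) {
		goto fail;
	}

	(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
	ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));

	orig_rrs = ldns_zone_rrs(zone);
	for (i = 0; i < ldns_rr_list_rr_count(orig_rrs); i++) {
		(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_rr_list_rr(orig_rrs, i));
		ldns_zone_push_rr(signed_zone, ldns_rr_clone(ldns_rr_list_rr(orig_rrs, i)));
	}

	(void) ldns_dnssec_zone_sign_nsec3(dnssec_zone, new_rrs, key_list,
		ldns_dnssec_default_replace_signatures, NULL, algorithm, flags,
		iterations, salt_length, salt);

	/* new_rrs holds the records the signer created; copy them over */
	for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
		ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
			ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
	}

	ldns_rr_list_deep_free(new_rrs);
	ldns_dnssec_zone_free(dnssec_zone);
	return signed_zone;

fail:
	/* guarded: the ldns free functions are not known to accept NULL */
	if (new_rrs) {
		ldns_rr_list_free(new_rrs);
	}
	if (dnssec_zone) {
		ldns_dnssec_zone_free(dnssec_zone);
	}
	if (signed_zone) {
		ldns_zone_free(signed_zone);
	}
	return NULL;
}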
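/*
 * generic function to get some RRset from a nameserver
 * and possible some signatures too (that would be the day...)
 */
/*
 * Extract the RRset for name/t and the RRSIGs covering it from reply p.
 *
 * With a name, the answer section is searched first and the authority
 * section second; without a name only the authority section is searched by
 * type (a DS referral).  Of the RRSIGs found, only those whose type-covered
 * field equals t are copied into *sig.
 *
 * p      : the reply; NULL sets *rrlist and *sig to NULL (when given) and
 *          returns LDNS_PACKET_UNKNOWN -- the original left *sig untouched
 * name   : owner to look for, or NULL for the referral case
 * t      : RR type wanted
 * rrlist : out, the RRset found (may be NULL); caller frees.  When rrlist is
 *          NULL the list is freed here instead of leaking
 * sig    : out, new list with the covering RRSIGs; caller frees
 * returns the reply type when it is NXDOMAIN or NODATA, else
 *          LDNS_PACKET_ANSWER
 */
ldns_pkt_type
get_dnssec_rr(ldns_pkt *p, ldns_rdf *name, ldns_rr_type t,
	ldns_rr_list **rrlist, ldns_rr_list **sig)
{
	ldns_pkt_type pt;
	ldns_rr_list *rr = NULL;
	ldns_rr_list *sigs = NULL;
	size_t i;

	if (!p) {
		if (rrlist) {
			*rrlist = NULL;
		}
		if (sig) {
			*sig = NULL;
		}
		return LDNS_PACKET_UNKNOWN;
	}

	pt = ldns_pkt_reply_type(p);

	if (name) {
		rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_ANSWER);
		if (!rr) {
			rr = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_AUTHORITY);
		}
		sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
			LDNS_SECTION_ANSWER);
		if (!sigs) {
			sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG,
				LDNS_SECTION_AUTHORITY);
		}
	} else {
		/* A DS-referral - get the DS records if they are there */
		rr = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_AUTHORITY);
		sigs = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_AUTHORITY);
	}

	if (sig) {
		*sig = ldns_rr_list_new();
		/* sigs may be NULL when nothing matched; the original already relied
		 * on ldns_rr_list_rr_count and ldns_rr_list_deep_free accepting that.
		 * The *sig test guards the push when ldns_rr_list_new failed. */
		for (i = 0; *sig && i < ldns_rr_list_rr_count(sigs); i++) {
			ldns_rr *s = ldns_rr_list_rr(sigs, i);
			/* only add the sigs that cover this type */
			if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(s)) == t) {
				ldns_rr_list_push_rr(*sig, ldns_rr_clone(s));
			}
		}
	}
	ldns_rr_list_deep_free(sigs);

	if (rrlist) {
		*rrlist = rr;
	} else {
		/* nobody will take the list, so do not leak it */
		ldns_rr_list_deep_free(rr);
	}

	if (pt == LDNS_PACKET_NXDOMAIN || pt == LDNS_PACKET_NODATA) {
		return pt;
	}
	return LDNS_PACKET_ANSWER;
}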
/*
 * Read a hints file as root
 *
 * The file with the given path should contain a list of NS RRs
 * for the root zone and A records for those NS RRs.  Read them and
 * return a new list holding clones of the A and AAAA records found.
 *
 * Returns NULL (with a message on stderr) when the file cannot be opened
 * or parsed; otherwise a list the caller frees with ldns_rr_list_deep_free.
 */
ldns_rr_list *
read_root_hints(const char *filename)
{
	FILE *fp;
	int line_nr = 0;
	ldns_zone *hints = NULL;
	ldns_status status;
	ldns_rr_list *addresses;
	size_t idx;

	fp = fopen(filename, "r");
	if (!fp) {
		fprintf(stderr, "Unable to open %s for reading: %s\n", filename, strerror(errno));
		return NULL;
	}
	status = ldns_zone_new_frm_fp_l(&hints, fp, NULL, 0, 0, &line_nr);
	fclose(fp);
	if (status != LDNS_STATUS_OK) {
		fprintf(stderr, "Error reading root hints file: %s\n", ldns_get_errorstr_by_id(status));
		return NULL;
	}

	addresses = ldns_rr_list_new();
	for (idx = 0; idx < ldns_rr_list_rr_count(ldns_zone_rrs(hints)); idx++) {
		ldns_rr *rr = ldns_rr_list_rr(ldns_zone_rrs(hints), idx);
		ldns_rr_type rr_type = ldns_rr_get_type(rr);
		/* keep the glue only: the root servers' A and AAAA records */
		if (rr_type == LDNS_RR_TYPE_A || rr_type == LDNS_RR_TYPE_AAAA) {
			ldns_rr_list_push_rr(addresses, ldns_rr_clone(rr));
		}
	}
	ldns_zone_deep_free(hints);
	return addresses;
}
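/**
 * Sign a zone with NSEC and the given keys.
 *
 * A ldns_dnssec_zone is built from the SOA and every other RR of zone and
 * signed; a new ldns_zone is returned that holds clones of all original RRs
 * plus the NSEC/RRSIG records the signer produced.  The signer's return
 * value is ignored, as in the original.
 *
 * NOTE(review): the SOA of the returned zone is ldns_zone_soa(zone) itself,
 * not a clone, so the two zones share that RR -- confirm this aliasing is
 * intended before deep-freeing both.
 *
 * @param zone     zone to sign; must have a SOA
 * @param key_list keys to sign with
 * @return the signed zone, or NULL when an allocation failed (the original
 *         dereferenced the NULL pointer in that case)
 */
ldns_zone *
ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
{
	ldns_dnssec_zone *dnssec_zone = NULL;
	ldns_zone *signed_zone = NULL;
	ldns_rr_list *new_rrs = NULL;
	ldns_rr_list *orig_rrs;
	size_t i;

	signed_zone = ldns_zone_new();
	dnssec_zone = ldns_dnssec_zone_new();
	new_rrs = ldns_rr_list_new();
	if (!signed_zone || !dnssec_zone || !new_rrs) {
		goto fail;
	}

	(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
	ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));

	orig_rrs = ldns_zone_rrs(zone);
	for (i = 0; i < ldns_rr_list_rr_count(orig_rrs); i++) {
		(void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_rr_list_rr(orig_rrs, i));
		ldns_zone_push_rr(signed_zone, ldns_rr_clone(ldns_rr_list_rr(orig_rrs, i)));
	}

	(void) ldns_dnssec_zone_sign(dnssec_zone, new_rrs, key_list,
		ldns_dnssec_default_replace_signatures, NULL);

	/* new_rrs holds the records the signer created; copy them over */
	for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
		ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
			ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
	}

	ldns_rr_list_deep_free(new_rrs);
	ldns_dnssec_zone_free(dnssec_zone);
	return signed_zone;

fail:
	/* guarded: the ldns free functions are not known to accept NULL */
	if (new_rrs) {
		ldns_rr_list_free(new_rrs);
	}
	if (dnssec_zone) {
		ldns_dnssec_zone_free(dnssec_zone);
	}
	if (signed_zone) {
		ldns_zone_free(signed_zone);
	}
	return NULL;
}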
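/*
 * Bind sock to port on my_address.  The socket is created with AF_INET by
 * the caller, so only an IPv4 address text is accepted; a NULL my_address
 * binds INADDR_ANY.
 *
 * Returns bind()'s result (0, or -1 with errno set), or -2 when my_address
 * is not an IPv4 address.  The original first tried
 * inet_pton(AF_INET6, ...) into a 4-byte in_addr_t, which writes 16 bytes
 * into the stack variable for any valid IPv6 literal; an IPv6 address is
 * now rejected with -2 instead.
 */
static int
udp_bind(int sock, int port, const char *my_address)
{
	struct sockaddr_in addr;
	struct in_addr maddr;

	maddr.s_addr = INADDR_ANY;
	if (my_address && inet_pton(AF_INET, my_address, &maddr) < 1) {
		return -2;
	}
	/* zero the whole struct: sin_zero was left uninitialised before */
	memset(&addr, 0, sizeof addr);
#ifndef S_SPLINT_S
	addr.sin_family = AF_INET;
#endif
	addr.sin_port = (in_port_t) htons((uint16_t) port);
	addr.sin_addr = maddr;
	return bind(sock, (struct sockaddr *) &addr, (socklen_t) sizeof addr);
}

/* this will probably be moved to a better place in the library itself */
/*
 * Collect every RR of zone whose owner, class and type match into a new
 * list of clones.  A NULL zone or owner yields an empty list (and a warning
 * on stderr).  The caller frees the result with ldns_rr_list_deep_free.
 */
ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name,
	const ldns_rr_type qtype, const ldns_rr_class qclass)
{
	/* size_t, not uint16_t: with more than 65535 RRs the old index wrapped
	 * and the loop never terminated */
	size_t i;
	ldns_rr_list *rrlist = ldns_rr_list_new();
	ldns_rr *cur_rr;

	if (!zone || !owner_name) {
		fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n");
		return rrlist;
	}
	for (i = 0; i < ldns_zone_rr_count(zone); i++) {
		cur_rr = ldns_rr_list_rr(ldns_zone_rrs(zone), i);
		if (ldns_dname_compare(ldns_rr_owner(cur_rr), owner_name) == 0
		    && ldns_rr_get_class(cur_rr) == qclass
		    && ldns_rr_get_type(cur_rr) == qtype) {
			ldns_rr_list_push_rr(rrlist, ldns_rr_clone(cur_rr));
		}
	}
	printf("Found rrset of %u rrs\n", (unsigned int) ldns_rr_list_rr_count(rrlist));
	return rrlist;
}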
/*
 * Add a DNSKEY RR to the trust anchors of resolver r, creating the anchor
 * list on first use.  Anything that is not a DNSKEY is refused with
 * LDNS_STATUS_ERR.  The RR is cloned; the caller keeps ownership of rr.
 */
ldns_status
ldns_resolver_push_dnssec_anchor(ldns_resolver *r, ldns_rr *rr)
{
	ldns_rr_list *anchors;

	if (!rr) {
		return LDNS_STATUS_ERR;
	}
	if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) {
		return LDNS_STATUS_ERR;
	}

	anchors = ldns_resolver_dnssec_anchors(r);
	if (anchors == NULL) {
		/* Initialize: the resolver owns the list from here on */
		anchors = ldns_rr_list_new();
		ldns_resolver_set_dnssec_anchors(r, anchors);
	}

	if (ldns_rr_list_push_rr(anchors, ldns_rr_clone(rr))) {
		return LDNS_STATUS_OK;
	}
	return LDNS_STATUS_ERR;
}
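/**
 * Send notifies.
 *
 * Hands a clone of the zone's apex SOA RR to the notify handler
 * (notify_enable), which receives ownership of the clone.
 *
 * @param zone a zone_type*, passed as void* because of the callback
 *             signature
 */
static void
dnsout_send_notify(void* zone)
{
    zone_type* z = (zone_type*) zone;
    rrset_type* rrset = NULL;
    ldns_rr* soa = NULL;

    /* The original tested !z and !z->notify together and then logged
     * z->name, dereferencing NULL when z was missing. */
    if (!z) {
        ods_log_error("[%s] unable to send notify: no zone", adapter_str);
        return;
    }
    if (!z->notify) {
        ods_log_error("[%s] unable to send notify for zone %s: no notify "
            "handler", adapter_str, z->name);
        return;
    }
    ods_log_assert(z->adoutbound);
    ods_log_assert(z->adoutbound->config);
    ods_log_assert(z->adoutbound->type == ADAPTER_DNS);
    ods_log_assert(z->db);
    ods_log_assert(z->name);
    ods_log_assert(z->apex);
    ods_log_debug("[%s] enable notify for zone %s serial %u", adapter_str,
        z->name, z->db->intserial);

    rrset = zone_lookup_rrset(z, z->apex, LDNS_RR_TYPE_SOA);
    ods_log_assert(rrset);
    ods_log_assert(rrset->rrs);
    ods_log_assert(rrset->rrs[0].rr);
    soa = ldns_rr_clone(rrset->rrs[0].rr);
    if (!soa) {
        ods_log_error("[%s] unable to send notify for zone %s: failed to "
            "clone soa rr", adapter_str, z->name);
        return;
    }
    notify_enable(z->notify, soa);
}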
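/*
 * Start the zkdns UDP responder: initialise the rp backend for my_zone,
 * bind to my_address:port and answer queries forever through get_rrset().
 *
 * Does not return on the normal path (the receive loop is infinite); on a
 * setup error the process exits.  `zone` is never loaded in this variant
 * (the zone-file handling of main() was dropped), so get_rrset is called
 * with a NULL zone -- the original passed the pointer uninitialised.
 */
void
zkdns_start(const char* my_address, int port, const char* my_zone)
{
	/* network */
	int sock;
	ssize_t nb;
	struct sockaddr addr_him;
	socklen_t hislen;
	uint8_t inbuf[INBUF_SIZE];
	uint8_t *outbuf;
	/* dns */
	ldns_status status;
	ldns_pkt *query_pkt;
	ldns_pkt *answer_pkt;
	size_t answer_size;
	ldns_rr *query_rr;
	ldns_rr_list *answer_qr;
	ldns_rr_list *answer_an;
	ldns_rr_list *answer_ns;
	ldns_rr_list *answer_ad;
	ldns_rdf *origin = NULL;
	/* zone: never read from disk here, see above */
	ldns_zone *zone = NULL;

	rp_handle = rp_initialize(my_zone);

	if (ldns_str2rdf_dname(&origin, my_zone) != LDNS_STATUS_OK) {
		fprintf(stderr, "Bad origin, not a correct domain name\n");
		exit(EXIT_FAILURE);
	}

	printf("Listening on port %d\n", port);
	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		fprintf(stderr, "socket(): %s\n", strerror(errno));
		exit(1);
	}
	if (udp_bind(sock, port, my_address)) {
		fprintf(stderr, "cannot bind(): %s\n", strerror(errno));
		exit(errno);
	}

	/* Done. Now receive */
	while (1) {
		/* recvfrom() overwrites hislen with the sender's address length;
		 * reset it before every call */
		hislen = (socklen_t) sizeof(addr_him);
		nb = recvfrom(sock, (void*) inbuf, INBUF_SIZE, 0, &addr_him, &hislen);
		if (nb < 1) {
			fprintf(stderr, "recvfrom(): %s\n", strerror(errno));
			exit(1);
		}

		/* A malformed datagram is reported and skipped; the original fell
		 * through and used the unparsed query_pkt. */
		query_pkt = NULL;
		status = ldns_wire2pkt(&query_pkt, inbuf, (size_t) nb);
		if (status != LDNS_STATUS_OK) {
			printf("Got bad packet: %s\n", ldns_get_errorstr_by_id(status));
			continue;
		}
		/* An empty question section would make ldns_rr_list_rr() return
		 * NULL, which is then dereferenced below. */
		if (ldns_rr_list_rr_count(ldns_pkt_question(query_pkt)) < 1) {
			printf("Got packet without question\n");
			ldns_pkt_free(query_pkt);
			continue;
		}
		query_rr = ldns_rr_list_rr(ldns_pkt_question(query_pkt), 0);

		answer_qr = ldns_rr_list_new();
		ldns_rr_list_push_rr(answer_qr, ldns_rr_clone(query_rr));
		answer_an = get_rrset(zone, ldns_rr_owner(query_rr),
			ldns_rr_get_type(query_rr), ldns_rr_get_class(query_rr));
		answer_pkt = ldns_pkt_new();
		answer_ns = ldns_rr_list_new();
		answer_ad = ldns_rr_list_new();

		ldns_pkt_set_qr(answer_pkt, 1);
		ldns_pkt_set_aa(answer_pkt, 1);
		ldns_pkt_set_id(answer_pkt, ldns_pkt_id(query_pkt));
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_QUESTION, answer_qr);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_ANSWER, answer_an);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_AUTHORITY, answer_ns);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_ADDITIONAL, answer_ad);

		/* outbuf is only allocated on success; the original freed it
		 * uninitialised when ldns_pkt2wire failed */
		outbuf = NULL;
		status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size);
		if (status != LDNS_STATUS_OK) {
			printf("Error creating answer: %s\n", ldns_get_errorstr_by_id(status));
		} else {
			nb = sendto(sock, (void*) outbuf, answer_size, 0, &addr_him, hislen);
			if (nb < 0) {
				fprintf(stderr, "sendto(): %s\n", strerror(errno));
			}
			LDNS_FREE(outbuf);
		}

		ldns_pkt_free(query_pkt);
		ldns_pkt_free(answer_pkt);
		ldns_rr_list_free(answer_qr);
		ldns_rr_list_free(answer_an);
		ldns_rr_list_free(answer_ns);
		ldns_rr_list_free(answer_ad);
	}

	/* not reached (infinite loop); kept to make the ownership explicit */
	ldns_rdf_deep_free(origin);
	rp_shutdown(rp_handle);
}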
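/*
 * Minimal authoritative UDP server: read a zone file and answer queries
 * for it forever.
 *
 * argv: <address> <port> <origin> <zone file>.  The zone is read as class
 * IN relative to <origin>.  Every query is printed to stdout; the reply
 * carries the matching RRset from get_rrset() in its answer section.
 * Exits with EXIT_FAILURE on argument or zone-file errors, 1 on socket
 * errors; never returns otherwise.
 */
int
main(int argc, char **argv)
{
	/* arguments */
	int port;
	long port_long;
	char *end;
	const char *zone_file;
	/* network */
	int sock;
	ssize_t nb;
	struct sockaddr addr_him;
	socklen_t hislen;
	uint8_t inbuf[INBUF_SIZE];
	uint8_t *outbuf;
	/* dns */
	ldns_status status;
	ldns_pkt *query_pkt;
	ldns_pkt *answer_pkt;
	size_t answer_size;
	ldns_rr *query_rr;
	ldns_rr_list *answer_qr;
	ldns_rr_list *answer_an;
	ldns_rr_list *answer_ns;
	ldns_rr_list *answer_ad;
	ldns_rdf *origin = NULL;
	/* zone */
	ldns_zone *zone;
	int line_nr;
	FILE *zone_fp;
	/* use this to listen on specified interfaces later? */
	char *my_address = NULL;

	if (argc < 5) {
		usage(stderr);
		exit(EXIT_FAILURE);
	}
	my_address = argv[1];
	/* strtol instead of atoi: reject trailing garbage, out-of-range values
	 * and anything outside 1..65535 */
	errno = 0;
	port_long = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || errno == ERANGE
	    || port_long < 1 || port_long > 65535) {
		usage(stderr);
		exit(EXIT_FAILURE);
	}
	port = (int) port_long;
	if (ldns_str2rdf_dname(&origin, argv[3]) != LDNS_STATUS_OK) {
		fprintf(stderr, "Bad origin, not a correct domain name\n");
		usage(stderr);
		exit(EXIT_FAILURE);
	}
	zone_file = argv[4];

	printf("Reading zone file %s\n", zone_file);
	zone_fp = fopen(zone_file, "r");
	if (!zone_fp) {
		fprintf(stderr, "Unable to open %s: %s\n", zone_file, strerror(errno));
		exit(EXIT_FAILURE);
	}
	line_nr = 0;
	status = ldns_zone_new_frm_fp_l(&zone, zone_fp, origin, 0, LDNS_RR_CLASS_IN, &line_nr);
	fclose(zone_fp);
	if (status != LDNS_STATUS_OK) {
		printf("Zone reader failed, aborting\n");
		exit(EXIT_FAILURE);
	}
	printf("Read %u resource records in zone file\n", (unsigned int) ldns_zone_rr_count(zone));

	printf("Listening on port %d\n", port);
	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		fprintf(stderr, "%s: socket(): %s\n", argv[0], strerror(errno));
		exit(1);
	}
	if (udp_bind(sock, port, my_address)) {
		fprintf(stderr, "%s: cannot bind(): %s\n", argv[0], strerror(errno));
		exit(errno);
	}

	/* Done. Now receive */
	while (1) {
		/* recvfrom() overwrites hislen with the sender's address length;
		 * reset it before every call */
		hislen = (socklen_t) sizeof(addr_him);
		nb = recvfrom(sock, (void*) inbuf, INBUF_SIZE, 0, &addr_him, &hislen);
		if (nb < 1) {
			fprintf(stderr, "%s: recvfrom(): %s\n", argv[0], strerror(errno));
			exit(1);
		}
		printf("Got query of %u bytes\n", (unsigned int) nb);

		/* A malformed datagram is reported and skipped; the original fell
		 * through and used the unparsed query_pkt. */
		query_pkt = NULL;
		status = ldns_wire2pkt(&query_pkt, inbuf, (size_t) nb);
		if (status != LDNS_STATUS_OK) {
			printf("Got bad packet: %s\n", ldns_get_errorstr_by_id(status));
			continue;
		}
		ldns_pkt_print(stdout, query_pkt);

		/* An empty question section would make ldns_rr_list_rr() return
		 * NULL, which is then dereferenced below. */
		if (ldns_rr_list_rr_count(ldns_pkt_question(query_pkt)) < 1) {
			printf("Got packet without question\n");
			ldns_pkt_free(query_pkt);
			continue;
		}
		query_rr = ldns_rr_list_rr(ldns_pkt_question(query_pkt), 0);
		printf("QUERY RR: \n");
		ldns_rr_print(stdout, query_rr);

		answer_qr = ldns_rr_list_new();
		ldns_rr_list_push_rr(answer_qr, ldns_rr_clone(query_rr));
		answer_an = get_rrset(zone, ldns_rr_owner(query_rr),
			ldns_rr_get_type(query_rr), ldns_rr_get_class(query_rr));
		answer_pkt = ldns_pkt_new();
		answer_ns = ldns_rr_list_new();
		answer_ad = ldns_rr_list_new();

		ldns_pkt_set_qr(answer_pkt, 1);
		ldns_pkt_set_aa(answer_pkt, 1);
		ldns_pkt_set_id(answer_pkt, ldns_pkt_id(query_pkt));
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_QUESTION, answer_qr);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_ANSWER, answer_an);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_AUTHORITY, answer_ns);
		ldns_pkt_push_rr_list(answer_pkt, LDNS_SECTION_ADDITIONAL, answer_ad);

		/* outbuf is only allocated on success; the original freed it
		 * uninitialised when ldns_pkt2wire failed */
		outbuf = NULL;
		status = ldns_pkt2wire(&outbuf, answer_pkt, &answer_size);
		if (status != LDNS_STATUS_OK) {
			printf("Error creating answer: %s\n", ldns_get_errorstr_by_id(status));
		} else {
			printf("Answer packet size: %u bytes.\n", (unsigned int) answer_size);
			nb = sendto(sock, (void*) outbuf, answer_size, 0, &addr_him, hislen);
			if (nb < 0) {
				fprintf(stderr, "%s: sendto(): %s\n", argv[0], strerror(errno));
			}
			LDNS_FREE(outbuf);
		}

		ldns_pkt_free(query_pkt);
		ldns_pkt_free(answer_pkt);
		ldns_rr_list_free(answer_qr);
		ldns_rr_list_free(answer_an);
		ldns_rr_list_free(answer_ns);
		ldns_rr_list_free(answer_ad);
	}
	/* No cleanup because of the infinite loop
	 *
	 * ldns_rdf_deep_free(origin);
	 * ldns_zone_deep_free(zone);
	 * return 0;
	 */
}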
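/*
 * Chase the DNSSEC chain of trust for name/type, starting from the data in
 * pkt_o and querying res for whatever is missing, and check that the
 * resulting trust tree contains one of trusted_keys.
 *
 * Returns LDNS_STATUS_OK when the data validates (or its non-existence is
 * proven / the zone is provably insecure), the first trust-tree error
 * otherwise, LDNS_STATUS_EMPTY_LABEL for a NULL name, LDNS_STATUS_MEM_ERR
 * when the packet could not be cloned, LDNS_STATUS_NETWORK_ERR when the
 * query failed, and -1 (a value outside the enum, kept for existing callers)
 * when no trusted keys were given.
 *
 * prev_key_list is accepted but not used.  verbosity: -1 silent, 0 errors
 * only, higher values print progressively more.
 */
ldns_status
do_chase(ldns_resolver *res, ldns_rdf *name, ldns_rr_type type, ldns_rr_class c,
	ldns_rr_list *trusted_keys, ldns_pkt *pkt_o, uint16_t qflags,
	ldns_rr_list *prev_key_list, int verbosity)
{
	ldns_rr_list *rrset = NULL;
	ldns_status result;
	ldns_rr *orig_rr = NULL;
	ldns_pkt *pkt;
	ldns_status tree_result;
	ldns_dnssec_data_chain *chain;
	ldns_dnssec_trust_tree *tree;
	const ldns_rr_descriptor *descriptor;

	(void) prev_key_list;

	/* The original canonicalised name and cloned the packet before this
	 * check, dereferencing a NULL name. */
	if (!name) {
		return LDNS_STATUS_EMPTY_LABEL;
	}
	descriptor = ldns_rr_descript(type);
	ldns_dname2canonical(name);
	pkt = ldns_pkt_clone(pkt_o);

	if (verbosity != -1) {
		printf(";; Chasing: ");
		ldns_rdf_print(stdout, name);
		if (descriptor && descriptor->_name) {
			printf(" %s\n", descriptor->_name);
		} else {
			printf(" type %d\n", type);
		}
	}

	if (!pkt) {
		/* no packet: pkt_o was NULL or the clone failed */
		if (verbosity >= 0) {
			fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_MEM_ERR));
			fprintf(stderr, "\n");
		}
		return LDNS_STATUS_MEM_ERR;
	}

	/* Look for the data in the packet we were given: answer section first,
	 * then authority; failing that, the same for a CNAME.  Chasing the
	 * CNAME target itself is still TODO. */
	rrset = ldns_pkt_rr_list_by_name_and_type(pkt, name, type, LDNS_SECTION_ANSWER);
	if (!rrset) {
		rrset = ldns_pkt_rr_list_by_name_and_type(pkt, name, type, LDNS_SECTION_AUTHORITY);
	}
	if (!rrset) {
		rrset = ldns_pkt_rr_list_by_name_and_type(pkt, name, LDNS_RR_TYPE_CNAME,
			LDNS_SECTION_ANSWER);
	}
	if (!rrset) {
		rrset = ldns_pkt_rr_list_by_name_and_type(pkt, name, LDNS_RR_TYPE_CNAME,
			LDNS_SECTION_AUTHORITY);
	}

	if (!rrset) {
		/* not found in original packet, try again */
		ldns_pkt_free(pkt);
		pkt = ldns_resolver_query(res, name, type, c, qflags);
		if (!pkt) {
			if (verbosity >= 0) {
				fprintf(stderr, "%s", ldns_get_errorstr_by_id(LDNS_STATUS_NETWORK_ERR));
				fprintf(stderr, "\n");
			}
			return LDNS_STATUS_NETWORK_ERR;
		}
		if (verbosity >= 5) {
			ldns_pkt_print(stdout, pkt);
		}
		rrset = ldns_pkt_rr_list_by_name_and_type(pkt, name, type, LDNS_SECTION_ANSWER);
	}

	orig_rr = ldns_rr_new();
	/* if the answer had no answer section, we need to construct our own rr
	 * (for instance if the rr we asked for doesn't exist).  The clone handed
	 * to the chain is destroyed when the chain is freed; orig_rr itself is
	 * freed at the end of this function. */
	if (ldns_pkt_ancount(pkt) < 1) {
		ldns_rr_set_type(orig_rr, type);
		ldns_rr_set_owner(orig_rr, ldns_rdf_clone(name));
		chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, ldns_rr_clone(orig_rr));
	} else {
		/* chase the first answer */
		chain = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, NULL);
	}
	if (verbosity >= 4) {
		printf("\n\nDNSSEC Data Chain:\n");
		ldns_dnssec_data_chain_print(stdout, chain);
	}

	result = LDNS_STATUS_OK;
	tree = ldns_dnssec_derive_trust_tree(chain, NULL);
	if (verbosity >= 2) {
		printf("\n\nDNSSEC Trust tree:\n");
		ldns_dnssec_trust_tree_print(stdout, tree, 0, true);
	}

	if (ldns_rr_list_rr_count(trusted_keys) > 0) {
		tree_result = ldns_dnssec_trust_tree_contains_keys(tree, trusted_keys);
		if (tree_result == LDNS_STATUS_DNSSEC_EXISTENCE_DENIED) {
			if (verbosity >= 1) {
				printf("Existence denied or verifiably insecure\n");
			}
			result = LDNS_STATUS_OK;
		} else if (tree_result != LDNS_STATUS_OK) {
			if (verbosity >= 1) {
				printf("No trusted keys found in tree: first error was: %s\n",
					ldns_get_errorstr_by_id(tree_result));
			}
			result = tree_result;
		}
	} else {
		/* -1 is not a member of ldns_status; it is kept because callers may
		 * test for it -- NOTE(review): consider a proper status value */
		result = (ldns_status) -1;
		if (verbosity >= 0) {
			printf("You have not provided any trusted keys.\n");
		}
	}

	ldns_rr_free(orig_rr);
	ldns_dnssec_trust_tree_free(tree);
	ldns_dnssec_data_chain_deep_free(chain);
	ldns_rr_list_deep_free(rrset);
	ldns_pkt_free(pkt);
	return result;
}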
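/* Close the transfer socket and drop the buffered packet, so that the
 * resolver can be reused after the AXFR ended or failed. */
static void
axfr_close(ldns_resolver *resolver)
{
#ifndef USE_WINSOCK
	close(resolver->_socket);
#else
	closesocket(resolver->_socket);
#endif
	resolver->_socket = 0;
	ldns_pkt_free(resolver->_cur_axfr_pkt);
	resolver->_cur_axfr_pkt = NULL;
}

/**
 * Return the next RR of a running AXFR, or NULL when the transfer is
 * finished or has failed.
 *
 * RRs are handed out one by one from the packet buffered in
 * resolver->_cur_axfr_pkt; when it is exhausted the next packet is read
 * from the TCP socket.  The second SOA ends the transfer and closes the
 * socket.  A parse error or a non-zero rcode closes the socket too (so a
 * later use of the resolver does not hit the stale connection) and now
 * also frees the buffered packet, which the original left behind on the
 * rcode path.
 *
 * @param resolver resolver on which the AXFR was started
 * @return a cloned RR owned by the caller, or NULL
 */
ldns_rr *
ldns_axfr_next(ldns_resolver *resolver)
{
	ldns_rr *cur_rr;
	uint8_t *packet_wire;
	size_t packet_wire_size;
	ldns_lookup_table *rcode;
	ldns_status status;

	/* check if start() has been called */
	if (!resolver || resolver->_socket == 0) {
		return NULL;
	}

	if (resolver->_cur_axfr_pkt) {
		if (resolver->_axfr_i == ldns_pkt_ancount(resolver->_cur_axfr_pkt)) {
			/* packet exhausted: drop it and read the next one */
			ldns_pkt_free(resolver->_cur_axfr_pkt);
			resolver->_cur_axfr_pkt = NULL;
			return ldns_axfr_next(resolver);
		}
		cur_rr = ldns_rr_clone(ldns_rr_list_rr(
			ldns_pkt_answer(resolver->_cur_axfr_pkt), resolver->_axfr_i));
		resolver->_axfr_i++;
		if (!cur_rr) {
			/* clone failed; end the transfer instead of dereferencing NULL */
			axfr_close(resolver);
			return NULL;
		}
		if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_SOA) {
			resolver->_axfr_soa_count++;
			/* the second SOA terminates the zone transfer */
			if (resolver->_axfr_soa_count >= 2) {
				axfr_close(resolver);
			}
		}
		return cur_rr;
	}

	packet_wire = ldns_tcp_read_wire(resolver->_socket, &packet_wire_size);
	if (!packet_wire) {
		return NULL;
	}
	status = ldns_wire2pkt(&resolver->_cur_axfr_pkt, packet_wire, packet_wire_size);
	free(packet_wire);
	resolver->_axfr_i = 0;
	if (status != LDNS_STATUS_OK) {
		/* TODO: make status return type of this function (...api change) */
		fprintf(stderr, "Error parsing rr during AXFR: %s\n",
			ldns_get_errorstr_by_id(status));
		/* RoRi: we must now also close the socket, otherwise subsequent
		 * uses of the same resolver structure will fail because the link
		 * is still open or in an undefined state */
		axfr_close(resolver);
		return NULL;
	}
	if (ldns_pkt_get_rcode(resolver->_cur_axfr_pkt) != 0) {
		rcode = ldns_lookup_by_id(ldns_rcodes,
			(int) ldns_pkt_get_rcode(resolver->_cur_axfr_pkt));
		/* an rcode without a table entry would otherwise deref NULL */
		if (rcode) {
			fprintf(stderr, "Error in AXFR: %s\n", rcode->name);
		} else {
			fprintf(stderr, "Error in AXFR: rcode %d\n",
				(int) ldns_pkt_get_rcode(resolver->_cur_axfr_pkt));
		}
		/* RoRi: close the socket here too, see above */
		axfr_close(resolver);
		return NULL;
	}
	return ldns_axfr_next(resolver);
}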
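/*
 * check_dnssec_trace plugin entry point: verify that the chain of trust
 * from domaintrace down to domainname validates the domain's SOA and NS
 * RRsets.
 *
 * Reads the globals set up by process_arguments and the plugin library:
 * domainname, domaintrace, hostname, resolver, trusted_keys, mp_timeout,
 * mp_verbose and checkState.  critical()/unknown()/ok() report the plugin
 * state; NOTE(review): the cleanup the original performs after critical()
 * suggests it may return, so the error paths below free what they can.
 */
int
main(int argc, char **argv)
{
	/* Local Vars */
	size_t i;
	int depth;
	int soa_valid = 0;
	int ns_valid = 0;
	ldns_rdf *rd_domain;
	ldns_rdf *rd_trace;
	ldns_rdf *rd_cdomain;
	ldns_pkt *pkt;
	ldns_resolver *res;
	ldns_rr *rr;
	ldns_rr_list *rrl;
	ldns_rr_list *rrl_domain_soa;
	ldns_rr_list *rrl_domain_soa_rrsig;
	ldns_rr_list *rrl_domain_ns;
	ldns_rr_list *rrl_domain_ns_rrsig;
	ldns_rr_list *rrl_valid_keys;
	ldns_status status;

	/* Set signal handling and alarm */
	if (signal(SIGALRM, timeout_alarm_handler) == SIG_ERR)
		critical("Setup SIGALRM trap failed!");

	/* Process check arguments */
	if (process_arguments(argc, argv) != OK)
		unknown("Parsing arguments failed!");

	/* Start plugin timeout */
	alarm(mp_timeout);

	rd_domain = ldns_dname_new_frm_str(domainname);
	if (!rd_domain)
		unknown("Illegal domain name");

	rd_trace = ldns_dname_new_frm_str(domaintrace);
	if (!rd_trace)
		unknown("Illegal trace domain name");

	/* Check domain is subdomain from trace start */
	if (!ldns_dname_is_subdomain(rd_domain, rd_trace)) {
		ldns_rr_list_deep_free(trusted_keys);
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		unknown("'%s' is not a subdomain of '%s'.", domainname, domaintrace);
	}

	/* Add trusted keys for trace domain to rrl_valid_keys. */
	rrl_valid_keys = ldns_rr_list_new();
	for (i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
		rr = ldns_rr_list_rr(trusted_keys, i);
		if (ldns_dname_compare(ldns_rr_owner(rr), rd_trace) == 0)
			ldns_rr_list_push_rr(rrl_valid_keys, ldns_rr_clone(rr));
	}
	ldns_rr_list_deep_free(trusted_keys);

	if (ldns_rr_list_rr_count(rrl_valid_keys) == 0) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_rr_list_deep_free(rrl_valid_keys);
		critical("No trusted key for trace start '%s'", domaintrace ? domaintrace : ".");
	}

	if (mp_verbose >= 2) {
		printf("--[ Trusted keys used ]-------------------------------------\n");
		ldns_rr_list_sort(rrl_valid_keys);
		ldns_rr_list_print(stdout, rrl_valid_keys);
		printf("------------------------------------------------------------\n");
	}

	/* create a new resolver with dns_server or server from /etc/resolv.conf */
	res = createResolver(hostname);
	if (!res) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_rr_list_deep_free(rrl_valid_keys);
		unknown("Creating resolver failed.");
	}
	resolverEnableDnssec(res);
	ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);

	/* check domain exists */
	pkt = mp_ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN, LDNS_RD);
	if (pkt == NULL || ldns_pkt_get_rcode(pkt) != LDNS_RCODE_NOERROR) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_resolver_deep_free(res);
		if (pkt && ldns_pkt_get_rcode(pkt) == LDNS_RCODE_NXDOMAIN) {
			ldns_pkt_free(pkt);
			critical("Domain '%s' don't exist.", domainname);
		}
		ldns_pkt_free(pkt);
		critical("Unable to get SOA for %s.", domainname);
	}

	rrl_domain_soa = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
		LDNS_RR_TYPE_SOA, LDNS_SECTION_ANSWER);
	if (rrl_domain_soa == NULL || ldns_rr_list_rr_count(rrl_domain_soa) == 0) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_resolver_deep_free(res);
		ldns_pkt_free(pkt);
		critical("Domain '%s' not found.", domainname);
	}

	rrl_domain_soa_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
		rd_domain, LDNS_RR_TYPE_SOA);
	if (rrl_domain_soa_rrsig == NULL || ldns_rr_list_rr_count(rrl_domain_soa_rrsig) == 0) {
		free(domaintrace);
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_resolver_deep_free(res);
		ldns_pkt_free(pkt);
		ldns_rr_list_deep_free(rrl_domain_soa);
		critical("Domain '%s' not signed.", domainname);
	}
	ldns_pkt_free(pkt);

	/* The NS query was not checked for a NULL reply in the original; the
	 * RR-list lookups below would then run on a NULL packet. */
	pkt = ldns_resolver_query(res, rd_domain, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, LDNS_RD);
	if (pkt == NULL) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_resolver_deep_free(res);
		ldns_rr_list_deep_free(rrl_domain_soa);
		ldns_rr_list_deep_free(rrl_domain_soa_rrsig);
		critical("Unable to get NS for %s.", domainname);
	}
	rrl_domain_ns = ldns_pkt_rr_list_by_name_and_type(pkt, rd_domain,
		LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
	rrl_domain_ns_rrsig = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
		rd_domain, LDNS_RR_TYPE_NS);
	ldns_pkt_free(pkt);

	if (mp_verbose >= 2) {
		printf("--[ Checked Domain ]----------------------------------------\n");
		ldns_rr_list_print(stdout, rrl_domain_soa);
		printf("------------------------------------------------------------\n");
		ldns_rr_list_print(stdout, rrl_domain_soa_rrsig);
		printf("------------------------------------------------------------\n");
		ldns_rr_list_print(stdout, rrl_domain_ns);
		printf("------------------------------------------------------------\n");
		ldns_rr_list_print(stdout, rrl_domain_ns_rrsig);
		printf("------------------------------------------------------------\n");
	}

	/* create a new resolver with dns_server or server from /etc/resolv.conf */
	ldns_resolver_free(res);
	res = createResolver(resolver);
	if (!res) {
		ldns_rdf_deep_free(rd_domain);
		ldns_rdf_deep_free(rd_trace);
		ldns_rr_list_deep_free(rrl_valid_keys);
		unknown("Creating resolver failed.");
	}
	resolverEnableDnssec(res);
	ldns_resolver_set_dnssec_anchors(res, rrl_valid_keys);

	/* Fetch valid keys from top down: depth counts the labels domainname has
	 * below the trace start, so the loop walks from the trace start to the
	 * domain itself. */
	depth = ldns_dname_label_count(rd_domain) - ldns_dname_label_count(rd_trace);
	for (; depth >= 0; depth--) {
		rd_cdomain = ldns_dname_clone_from(rd_domain, depth);
		if (mp_verbose) {
			char *str = ldns_rdf2str(rd_cdomain);
			printf("Trace: %s\n", str);
			free(str);
		}
		rrl = ldns_fetch_valid_domain_keys(res, rd_cdomain, rrl_valid_keys, &status);
		if (rrl) {
			if (mp_verbose >= 2) {
				printf("--[ Valid Keys ]----------------------------------------\n");
				ldns_rr_list_sort(rrl);
				ldns_rr_list_print(stdout, rrl);
				printf("------------------------------------------------------------\n");
			}
			/* cat moves the RR pointers, so only the list shell is freed */
			ldns_rr_list_cat(rrl_valid_keys, rrl);
			ldns_rr_list_free(rrl);
		} else if (mp_verbose > 0) {
			/* NOTE(review): assumes a NULL list means the fetch failed and
			 * status describes why -- confirm against ldns */
			fprintf(stderr, "ldns_fetch_valid_domain_keys failed: %s\n",
				ldns_get_errorstr_by_id(status));
		}
		ldns_rdf_deep_free(rd_cdomain);
	}
	ldns_rdf_deep_free(rd_trace);
	ldns_rdf_deep_free(rd_domain);

	/* Validate SOA */
	for (i = 0; i < ldns_rr_list_rr_count(rrl_domain_soa_rrsig); i++) {
		rr = ldns_rr_list_rr(rrl_domain_soa_rrsig, i);
		status = ldns_verify_rrsig_keylist(rrl_domain_soa, rr, rrl_valid_keys, NULL);
		if (status == LDNS_STATUS_OK)
			soa_valid++;
		else if (mp_verbose > 0)
			fprintf(stderr, "ldns_verify_rrsig_keylist SOA failed: %s\n",
				ldns_get_errorstr_by_id(status));
	}
	ldns_rr_list_deep_free(rrl_domain_soa);
	ldns_rr_list_deep_free(rrl_domain_soa_rrsig);

	if (soa_valid == 0) {
		critical("No valid Signatur for SOA of '%s'", domainname);
		free(domainname);
		free(domaintrace);
		ldns_resolver_deep_free(res);
		ldns_rr_list_deep_free(rrl_domain_ns);
		ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
		return checkState;
	}

	/* Validate NS */
	for (i = 0; i < ldns_rr_list_rr_count(rrl_domain_ns_rrsig); i++) {
		rr = ldns_rr_list_rr(rrl_domain_ns_rrsig, i);
		status = ldns_verify_rrsig_keylist(rrl_domain_ns, rr, rrl_valid_keys, NULL);
		if (status == LDNS_STATUS_OK)
			ns_valid++;
		else if (mp_verbose > 0)
			fprintf(stderr, "ldns_verify_rrsig_keylist NS failed: %s\n",
				ldns_get_errorstr_by_id(status));
	}
	ldns_rr_list_deep_free(rrl_domain_ns);
	ldns_rr_list_deep_free(rrl_domain_ns_rrsig);
	ldns_resolver_deep_free(res);

	if (ns_valid == 0) {
		critical("No valid Signatur for NS of '%s'", domainname);
		free(domainname);
		free(domaintrace);
		return checkState;
	}

	ok("Trust for '%s' successfull traces from '%s'", domainname, domaintrace);
	free(domainname);
	free(domaintrace);
	return checkState;
}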