/** convert to ldns rr */ static ldns_rr* to_rr(struct ub_packed_rrset_key* k, struct packed_rrset_data* d, uint32_t now, size_t i, uint16_t type) { ldns_rr* rr = ldns_rr_new(); ldns_rdf* rdf; ldns_status status; size_t pos; log_assert(i < d->count + d->rrsig_count); if(!rr) { return NULL; } ldns_rr_set_type(rr, type); ldns_rr_set_class(rr, ntohs(k->rk.rrset_class)); if(d->rr_ttl[i] < now) ldns_rr_set_ttl(rr, 0); else ldns_rr_set_ttl(rr, d->rr_ttl[i] - now); pos = 0; status = ldns_wire2dname(&rdf, k->rk.dname, k->rk.dname_len, &pos); if(status != LDNS_STATUS_OK) { /* we drop detailed error in status */ ldns_rr_free(rr); return NULL; } ldns_rr_set_owner(rr, rdf); pos = 0; status = ldns_wire2rdf(rr, d->rr_data[i], d->rr_len[i], &pos); if(status != LDNS_STATUS_OK) { /* we drop detailed error in status */ ldns_rr_free(rr); return NULL; } return rr; }
/** * Publish the NSEC3 parameters as indicated by the signer configuration. * */ ods_status zone_publish_nsec3param(zone_type* zone) { rrset_type* rrset = NULL; rr_type* n3prr = NULL; ldns_rr* rr = NULL; ods_status status = ODS_STATUS_OK; if (!zone || !zone->name || !zone->db || !zone->signconf) { return ODS_STATUS_ASSERT_ERR; } if (!zone->signconf->nsec3params) { /* NSEC */ ods_log_assert(zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC); return ODS_STATUS_OK; } if (!zone->signconf->nsec3params->rr) { rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS); if (!rr) { ods_log_error("[%s] unable to publish nsec3params for zone %s: " "error creating rr (%s)", zone_str, zone->name, ods_status2str(status)); return ODS_STATUS_MALLOC_ERR; } ldns_rr_set_class(rr, zone->klass); ldns_rr_set_ttl(rr, 0); ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex)); ldns_nsec3_add_param_rdfs(rr, zone->signconf->nsec3params->algorithm, 0, zone->signconf->nsec3params->iterations, zone->signconf->nsec3params->salt_len, zone->signconf->nsec3params->salt_data); /** * Always set bit 7 of the flags to zero, * according to rfc5155 section 11 */ ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0); zone->signconf->nsec3params->rr = rr; } ods_log_assert(zone->signconf->nsec3params->rr); status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0); if (status == ODS_STATUS_UNCHANGED) { /* rr already exists, adjust pointer */ rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS); ods_log_assert(rrset); n3prr = rrset_lookup_rr(rrset, zone->signconf->nsec3params->rr); ods_log_assert(n3prr); if (n3prr->rr != zone->signconf->nsec3params->rr) { ldns_rr_free(zone->signconf->nsec3params->rr); } zone->signconf->nsec3params->rr = n3prr->rr; status = ODS_STATUS_OK; } else if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to publish nsec3params for zone %s: " "error adding nsec3params (%s)", zone_str, zone->name, ods_status2str(status)); } return status; }
/** * Process DNSKEY. * */ static void adapi_process_dnskey(zone_type* zone, ldns_rr* rr) { uint32_t tmp = 0; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->signconf); tmp = (uint32_t) duration2time(zone->signconf->dnskey_ttl); ods_log_verbose("[%s] zone %s set dnskey ttl to %u", adapi_str, zone->name, tmp); ldns_rr_set_ttl(rr, tmp); }
ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs) { ldns_rbnode_t *first_node, *cur_node, *next_node; ldns_dnssec_name *cur_name, *next_name; ldns_rr *nsec_rr; uint32_t nsec_ttl; ldns_dnssec_rrsets *soa; /* the TTL of NSEC rrs should be set to the minimum TTL of * the zone SOA (RFC4035 Section 2.3) */ soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); /* did the caller actually set it? if not, * fall back to default ttl */ if (soa && soa->rrs && soa->rrs->rr) { nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf( soa->rrs->rr, 6)); } else { nsec_ttl = LDNS_DEFAULT_TTL; } first_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_first(zone->names)); cur_node = first_node; if (cur_node) { next_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_next(cur_node)); } else { next_node = NULL; } while (cur_node && next_node) { cur_name = (ldns_dnssec_name *)cur_node->data; next_name = (ldns_dnssec_name *)next_node->data; nsec_rr = ldns_dnssec_create_nsec(cur_name, next_name, LDNS_RR_TYPE_NSEC); ldns_rr_set_ttl(nsec_rr, nsec_ttl); ldns_dnssec_name_add_rr(cur_name, nsec_rr); ldns_rr_list_push_rr(new_rrs, nsec_rr); cur_node = next_node; if (cur_node) { next_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_next(cur_node)); } } if (cur_node && !next_node) { cur_name = (ldns_dnssec_name *)cur_node->data; next_name = (ldns_dnssec_name *)first_node->data; nsec_rr = ldns_dnssec_create_nsec(cur_name, next_name, LDNS_RR_TYPE_NSEC); ldns_rr_set_ttl(nsec_rr, nsec_ttl); ldns_dnssec_name_add_rr(cur_name, nsec_rr); ldns_rr_list_push_rr(new_rrs, nsec_rr); } else { printf("error\n"); } return LDNS_STATUS_OK; }
ldns_rr * ldns_create_empty_rrsig(ldns_rr_list *rrset, ldns_key *current_key) { uint32_t orig_ttl; time_t now; ldns_rr *current_sig; uint8_t label_count; label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))); current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); /* set the type on the new signature */ orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); ldns_rr_set_ttl(current_sig, orig_ttl); ldns_rr_set_owner(current_sig, ldns_rdf_clone( ldns_rr_owner( ldns_rr_list_rr(rrset, 0)))); /* fill in what we know of the signature */ /* set the orig_ttl */ (void)ldns_rr_rrsig_set_origttl( current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl)); /* the signers name */ (void)ldns_rr_rrsig_set_signame( current_sig, ldns_rdf_clone(ldns_key_pubkey_owner(current_key))); /* label count - get it from the first rr in the rr_list */ (void)ldns_rr_rrsig_set_labels( current_sig, ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, label_count)); /* inception, expiration */ now = time(NULL); if (ldns_key_inception(current_key) != 0) { (void)ldns_rr_rrsig_set_inception( current_sig, ldns_native2rdf_int32( LDNS_RDF_TYPE_TIME, ldns_key_inception(current_key))); } else { (void)ldns_rr_rrsig_set_inception( current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); } if (ldns_key_expiration(current_key) != 0) { (void)ldns_rr_rrsig_set_expiration( current_sig, ldns_native2rdf_int32( LDNS_RDF_TYPE_TIME, ldns_key_expiration(current_key))); } else { (void)ldns_rr_rrsig_set_expiration( current_sig, ldns_native2rdf_int32( LDNS_RDF_TYPE_TIME, now + LDNS_DEFAULT_EXP_TIME)); } (void)ldns_rr_rrsig_set_keytag( current_sig, ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_key_keytag(current_key))); (void)ldns_rr_rrsig_set_algorithm( current_sig, ldns_native2rdf_int8( LDNS_RDF_TYPE_ALG, ldns_key_algorithm(current_key))); (void)ldns_rr_rrsig_set_typecovered( current_sig, ldns_native2rdf_int16( LDNS_RDF_TYPE_TYPE, ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)))); return current_sig; }
static uint16_t dnskey_from_id(std::string &dnskey, const char *id, ::ods::keystate::keyrole role, const char *zone, int algorithm, int bDS, uint32_t ttl) { hsm_key_t *key; hsm_sign_params_t *sign_params; ldns_rr *dnskey_rr; ldns_algorithm algo = (ldns_algorithm)algorithm; /* Code to output the DNSKEY record (stolen from hsmutil) */ hsm_ctx_t *hsm_ctx = hsm_create_context(); if (!hsm_ctx) { ods_log_error("[%s] Could not connect to HSM", module_str); return false; } key = hsm_find_key_by_id(hsm_ctx, id); if (!key) { // printf("Key %s in DB but not repository\n", id); hsm_destroy_context(hsm_ctx); return 0; } /* * Sign params only need to be kept around * for the hsm_get_dnskey() call. */ sign_params = hsm_sign_params_new(); sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone); sign_params->algorithm = algo; sign_params->flags = LDNS_KEY_ZONE_KEY; if (role == ::ods::keystate::KSK) sign_params->flags += LDNS_KEY_SEP_KEY; /*KSK=>SEP*/ /* Get the DNSKEY record */ dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params); hsm_sign_params_free(sign_params); /* Calculate the keytag for this key, we return it. */ uint16_t keytag = ldns_calc_keytag(dnskey_rr); /* Override the TTL in the dnskey rr */ if (ttl) ldns_rr_set_ttl(dnskey_rr, ttl); char *rrstr; if (!bDS) { #if 0 ldns_rr_print(stdout, dnskey_rr); #endif rrstr = ldns_rr2str(dnskey_rr); dnskey = rrstr; LDNS_FREE(rrstr); } else { switch (algo) { case LDNS_RSASHA1: // 5 { /* DS record (SHA1) */ ldns_rr *ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1); #if 0 ldns_rr_print(stdout, ds_sha1_rr); #endif rrstr = ldns_rr2str(ds_sha1_rr); dnskey = rrstr; LDNS_FREE(rrstr); ldns_rr_free(ds_sha1_rr); break; } case LDNS_RSASHA256: // 8 - RFC 5702 { /* DS record (SHA256) */ ldns_rr *ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256); #if 0 ldns_rr_print(stdout, ds_sha256_rr); #endif rrstr = ldns_rr2str(ds_sha256_rr); dnskey = rrstr; LDNS_FREE(rrstr); ldns_rr_free(ds_sha256_rr); break; } default: keytag = 0; } } ldns_rr_free(dnskey_rr); hsm_key_free(key); hsm_destroy_context(hsm_ctx); return keytag; }
ldns_status ldns_pkt2buffer_wire(ldns_buffer *buffer, const ldns_pkt *packet) { ldns_rr_list *rr_list; uint16_t i; /* edns tmp vars */ ldns_rr *edns_rr; uint8_t edata[4]; (void) ldns_hdr2buffer_wire(buffer, packet); rr_list = ldns_pkt_question(packet); if (rr_list) { for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) { (void) ldns_rr2buffer_wire(buffer, ldns_rr_list_rr(rr_list, i), LDNS_SECTION_QUESTION); } } rr_list = ldns_pkt_answer(packet); if (rr_list) { for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) { (void) ldns_rr2buffer_wire(buffer, ldns_rr_list_rr(rr_list, i), LDNS_SECTION_ANSWER); } } rr_list = ldns_pkt_authority(packet); if (rr_list) { for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) { (void) ldns_rr2buffer_wire(buffer, ldns_rr_list_rr(rr_list, i), LDNS_SECTION_AUTHORITY); } } rr_list = ldns_pkt_additional(packet); if (rr_list) { for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) { (void) ldns_rr2buffer_wire(buffer, ldns_rr_list_rr(rr_list, i), LDNS_SECTION_ADDITIONAL); } } /* add EDNS to additional if it is needed */ if (ldns_pkt_edns(packet)) { edns_rr = ldns_rr_new(); ldns_rr_set_owner(edns_rr, ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, ".")); ldns_rr_set_type(edns_rr, LDNS_RR_TYPE_OPT); ldns_rr_set_class(edns_rr, ldns_pkt_edns_udp_size(packet)); edata[0] = ldns_pkt_edns_extended_rcode(packet); edata[1] = ldns_pkt_edns_version(packet); ldns_write_uint16(&edata[2], ldns_pkt_edns_z(packet)); ldns_rr_set_ttl(edns_rr, ldns_read_uint32(edata)); (void)ldns_rr2buffer_wire(buffer, edns_rr, LDNS_SECTION_ADDITIONAL); ldns_rr_free(edns_rr); } /* add TSIG to additional if it is there */ if (ldns_pkt_tsig(packet)) { (void) ldns_rr2buffer_wire(buffer, ldns_pkt_tsig(packet), LDNS_SECTION_ADDITIONAL); } return LDNS_STATUS_OK; }
/** * Process RR. * */ static ods_status adapi_process_rr(zone_type* zone, ldns_rr* rr, int add, int backup) { ods_status status = ODS_STATUS_OK; uint32_t tmp = 0; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->db); ods_log_assert(zone->signconf); /* We only support IN class */ if (ldns_rr_get_class(rr) != LDNS_RR_CLASS_IN) { ods_log_warning("[%s] only class in is supported, changing class " "to in", adapi_str); ldns_rr_set_class(rr, LDNS_RR_CLASS_IN); } /* RR processing */ if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) { if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) { ods_log_error("[%s] unable to %s rr to zone: soa record has " "invalid owner name", adapi_str, add?"add":"delete"); return ODS_STATUS_ERR; } status = adapi_process_soa(zone, rr, add, backup); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to %s rr: failed to process soa " "record", adapi_str, add?"add":"delete"); return status; } } else { if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex) && !ldns_dname_is_subdomain(ldns_rr_owner(rr), zone->apex)) { ods_log_warning("[%s] zone %s contains out-of-zone data, " "skipping", adapi_str, zone->name); return ODS_STATUS_UNCHANGED; } else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY) { adapi_process_dnskey(zone, rr); } else if (util_is_dnssec_rr(rr) && !backup) { ods_log_warning("[%s] zone %s contains dnssec data (type=%u), " "skipping", adapi_str, zone->name, (unsigned) ldns_rr_get_type(rr)); return ODS_STATUS_UNCHANGED; } else if (zone->signconf->max_zone_ttl) { /* Convert MaxZoneTTL */ tmp = (uint32_t) duration2time(zone->signconf->max_zone_ttl); } } /* //MaxZoneTTL. Only set for RRtype != SOA && RRtype != DNSKEY */ if (tmp && tmp < ldns_rr_ttl(rr)) { char* str = ldns_rdf2str(ldns_rr_owner(rr)); if (str) { size_t i = 0; str[(strlen(str))-1] = '\0'; /* replace tabs with white space */ for (i=0; i < strlen(str); i++) { if (str[i] == '\t') { str[i] = ' '; } } ods_log_debug("[%s] capping ttl %u to MaxZoneTTL %u for rrset " "<%s,%s>", adapi_str, ldns_rr_ttl(rr), tmp, str, rrset_type2str(ldns_rr_get_type(rr))); } ldns_rr_set_ttl(rr, tmp); } /* TODO: DNAME and CNAME checks */ /* TODO: NS and DS checks */ if (add) { return zone_add_rr(zone, rr, 1); } else { return zone_del_rr(zone, rr, 1); } /* not reached */ return ODS_STATUS_ERR; }
/** * use this function to sign with a public/private key alg * return the created signatures */ ldns_rr_list * ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) { ldns_rr_list *signatures; ldns_rr_list *rrset_clone; ldns_rr *current_sig; ldns_rdf *b64rdf; ldns_key *current_key; size_t key_count; uint16_t i; ldns_buffer *sign_buf; ldns_rdf *new_owner; if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) { return NULL; } new_owner = NULL; signatures = ldns_rr_list_new(); /* prepare a signature and add all the know data * prepare the rrset. Sign this together. */ rrset_clone = ldns_rr_list_clone(rrset); if (!rrset_clone) { return NULL; } /* make it canonical */ for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) { ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), ldns_rr_ttl(ldns_rr_list_rr(rrset, 0))); ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i)); } /* sort */ ldns_rr_list_sort(rrset_clone); for (key_count = 0; key_count < ldns_key_list_key_count(keys); key_count++) { if (!ldns_key_use(ldns_key_list_key(keys, key_count))) { continue; } sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); if (!sign_buf) { ldns_rr_list_free(rrset_clone); ldns_rr_list_free(signatures); ldns_rdf_free(new_owner); return NULL; } b64rdf = NULL; current_key = ldns_key_list_key(keys, key_count); /* sign all RRs with keys that have ZSKbit, !SEPbit. sign DNSKEY RRs with keys that have ZSKbit&SEPbit */ if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) { current_sig = ldns_create_empty_rrsig(rrset_clone, current_key); /* right now, we have: a key, a semi-sig and an rrset. For * which we can create the sig and base64 encode that and * add that to the signature */ if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) { ldns_buffer_free(sign_buf); /* ERROR */ ldns_rr_list_deep_free(rrset_clone); ldns_rr_free(current_sig); ldns_rr_list_deep_free(signatures); return NULL; } /* add the rrset in sign_buf */ if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) { ldns_buffer_free(sign_buf); ldns_rr_list_deep_free(rrset_clone); ldns_rr_free(current_sig); ldns_rr_list_deep_free(signatures); return NULL; } b64rdf = ldns_sign_public_buffer(sign_buf, current_key); if (!b64rdf) { /* signing went wrong */ ldns_rr_list_deep_free(rrset_clone); ldns_rr_free(current_sig); ldns_rr_list_deep_free(signatures); return NULL; } ldns_rr_rrsig_set_sig(current_sig, b64rdf); /* push the signature to the signatures list */ ldns_rr_list_push_rr(signatures, current_sig); } ldns_buffer_free(sign_buf); /* restart for the next key */ } ldns_rr_list_deep_free(rrset_clone); return signatures; }
static ldns_status ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, ldns_rbtree_t **map) { ldns_rbnode_t *first_name_node; ldns_rbnode_t *current_name_node; ldns_dnssec_name *current_name; ldns_status result = LDNS_STATUS_OK; ldns_rr *nsec_rr; ldns_rr_list *nsec3_list; uint32_t nsec_ttl; ldns_dnssec_rrsets *soa; ldns_rbnode_t *hashmap_node; if (!zone || !new_rrs || !zone->names) { return LDNS_STATUS_ERR; } /* the TTL of NSEC rrs should be set to the minimum TTL of * the zone SOA (RFC4035 Section 2.3) */ soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); /* did the caller actually set it? if not, * fall back to default ttl */ if (soa && soa->rrs && soa->rrs->rr && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) { nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6)); } else { nsec_ttl = LDNS_DEFAULT_TTL; } if (zone->hashed_names) { ldns_traverse_postorder(zone->hashed_names, ldns_hashed_names_node_free, NULL); LDNS_FREE(zone->hashed_names); } zone->hashed_names = ldns_rbtree_create(ldns_dname_compare_v); if (zone->hashed_names && map) { *map = zone->hashed_names; } first_name_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_first(zone->names)); current_name_node = first_name_node; while (current_name_node && current_name_node != LDNS_RBTREE_NULL && result == LDNS_STATUS_OK) { current_name = (ldns_dnssec_name *) current_name_node->data; nsec_rr = ldns_dnssec_create_nsec3(current_name, NULL, zone->soa->name, algorithm, flags, iterations, salt_length, salt); /* by default, our nsec based generator adds rrsigs * remove the bitmap for empty nonterminals */ if (!current_name->rrsets) { ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr)); } ldns_rr_set_ttl(nsec_rr, nsec_ttl); result = ldns_dnssec_name_add_rr(current_name, nsec_rr); ldns_rr_list_push_rr(new_rrs, nsec_rr); if (ldns_rr_owner(nsec_rr)) { hashmap_node = LDNS_MALLOC(ldns_rbnode_t); if (hashmap_node == NULL) { return LDNS_STATUS_MEM_ERR; } current_name->hashed_name = ldns_dname_label(ldns_rr_owner(nsec_rr), 0); if (current_name->hashed_name == NULL) { LDNS_FREE(hashmap_node); return LDNS_STATUS_MEM_ERR; } hashmap_node->key = current_name->hashed_name; hashmap_node->data = current_name; if (! ldns_rbtree_insert(zone->hashed_names , hashmap_node)) { LDNS_FREE(hashmap_node); } } current_name_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_next(current_name_node)); } if (result != LDNS_STATUS_OK) { return result; } /* Make sorted list of nsec3s (via zone->hashed_names) */ nsec3_list = ldns_rr_list_new(); if (nsec3_list == NULL) { return LDNS_STATUS_MEM_ERR; } for ( hashmap_node = ldns_rbtree_first(zone->hashed_names) ; hashmap_node != LDNS_RBTREE_NULL ; hashmap_node = ldns_rbtree_next(hashmap_node) ) { current_name = (ldns_dnssec_name *) hashmap_node->data; nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec; if (nsec_rr) { ldns_rr_list_push_rr(nsec3_list, nsec_rr); } } result = ldns_dnssec_chain_nsec3_list(nsec3_list); ldns_rr_list_free(nsec3_list); return result; }
ldns_status ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs) { uint16_t nsec_i; ldns_rr_list *nsecs; ldns_status result; if (verbosity >= 5) { printf("VERIFY DENIAL FROM:\n"); ldns_pkt_print(stdout, pkt); } result = LDNS_STATUS_CRYPTO_NO_RRSIG; /* Try to see if there are NSECS in the packet */ nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION); if (nsecs) { for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) { /* there are four options: * - name equals ownername and is covered by the type bitmap * - name equals ownername but is not covered by the type bitmap * - name falls within nsec coverage but is not equal to the owner name * - name falls outside of nsec coverage */ if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) { /* printf("CHECKING NSEC:\n"); ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i)); printf("DAWASEM\n"); */ if (ldns_nsec_bitmap_covers_type( ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs, nsec_i)), type)) { /* Error, according to the nsec this rrset is signed */ result = LDNS_STATUS_CRYPTO_NO_RRSIG; } else { /* ok nsec denies existence */ if (verbosity >= 3) { printf(";; Existence of data set with this type denied by NSEC\n"); } /*printf(";; Verifiably insecure.\n");*/ if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } } else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) { if (verbosity >= 3) { printf(";; Existence of data set with this name denied by NSEC\n"); } if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } else { /* nsec has nothing to do with this data */ } } ldns_rr_list_deep_free(nsecs); } else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) { ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION); ldns_rr* q = ldns_rr_new(); if(!sigs) return LDNS_STATUS_MEM_ERR; if(!q) return LDNS_STATUS_MEM_ERR; ldns_rr_set_question(q, 1); ldns_rr_set_ttl(q, 0); ldns_rr_set_owner(q, ldns_rdf_clone(name)); if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR; ldns_rr_set_type(q, type); result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0); ldns_rr_free(q); ldns_rr_list_deep_free(nsecs); ldns_rr_list_deep_free(sigs); } return result; }
ldns_rr_list* loadAnchorfile(const char *filename) { int col = 0; int line = 0; int grouped = 0; int tk_section = 0; FILE *key_file; char c; char linebuffer[LDNS_MAX_PACKETLEN]; ldns_rdf *rd; ldns_rr *rr; ldns_rr_list *trusted_keys; // Try open trusted key file key_file = fopen(filename, "r"); if (!key_file) { if (mp_verbose >= 1) fprintf(stderr,"Error opening trusted-key file %s: %s\n", filename, strerror(errno)); return NULL; } // Create empty list trusted_keys = ldns_rr_list_new(); // Read File do { c = getc(key_file); if ((c == '\n' && grouped == 0) || c == EOF) { linebuffer[col] = '\0'; line++; if(strstr(linebuffer, "trusted-keys")) { col = 0; tk_section = 1; continue; } // Strip leading spaces. char *cur = linebuffer; cur += strspn(linebuffer," \t\n"); if (cur[0] == ';' || strncmp(cur,"//",2) == 0 || col == 0 || tk_section == 0) { col = 0; continue; } col = 0; rr = ldns_rr_new(); ldns_rr_set_class(rr, LDNS_RR_CLASS_IN); ldns_rr_set_type(rr, LDNS_RR_TYPE_DNSKEY); ldns_rr_set_ttl(rr, 3600); char *t = strsep(&cur, " \t"); ldns_str2rdf_dname(&rd, t); ldns_rr_set_owner(rr, rd); t = strsep(&cur, " \t"); ldns_str2rdf_int16(&rd, t); ldns_rr_push_rdf(rr, rd); t = strsep(&cur, " \t"); ldns_str2rdf_int8(&rd, t); ldns_rr_push_rdf(rr, rd); t = strsep(&cur, " \t"); ldns_str2rdf_alg(&rd, t); ldns_rr_push_rdf(rr, rd); if (cur[strlen(cur)-1] == ';') cur[strlen(cur)-1] = '\0'; ldns_str2rdf_b64(&rd, cur); ldns_rr_push_rdf(rr, rd); ldns_rr_list_push_rr(trusted_keys,rr); } else { if (c == '}') { tk_section = 0; } else if (c == '"') { grouped = (grouped+1)%2; } else { linebuffer[col++] = c; } } } while (c != EOF); fclose(key_file); return trusted_keys; }
/** * Add RR. * */ ods_status zone_add_rr(zone_type* zone, ldns_rr* rr, int do_stats) { domain_type* domain = NULL; rrset_type* rrset = NULL; rr_type* record = NULL; ods_status status = ODS_STATUS_OK; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->db); ods_log_assert(zone->signconf); /* If we already have this RR, return ODS_STATUS_UNCHANGED */ domain = namedb_lookup_domain(zone->db, ldns_rr_owner(rr)); if (!domain) { domain = namedb_add_domain(zone->db, ldns_rr_owner(rr)); if (!domain) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to add domain", zone_str, zone->name); return ODS_STATUS_ERR; } if (ldns_dname_compare(domain->dname, zone->apex) == 0) { domain->is_apex = 1; } else { status = namedb_domain_entize(zone->db, domain, zone->apex); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to entize domain", zone_str, zone->name); return ODS_STATUS_ERR; } } } rrset = domain_lookup_rrset(domain, ldns_rr_get_type(rr)); if (!rrset) { rrset = rrset_create(domain->zone, ldns_rr_get_type(rr)); if (!rrset) { ods_log_error("[%s] unable to add RR to zone %s: " "failed to add RRset", zone_str, zone->name); return ODS_STATUS_ERR; } domain_add_rrset(domain, rrset); } record = rrset_lookup_rr(rrset, rr); if (record) { record->is_added = 1; /* already exists, just mark added */ record->is_removed = 0; /* unset is_removed */ if (ldns_rr_ttl(rr) != ldns_rr_ttl(record->rr)) { ldns_rr_set_ttl(record->rr, ldns_rr_ttl(rr)); rrset->needs_signing = 1; } return ODS_STATUS_UNCHANGED; } else { record = rrset_add_rr(rrset, rr); ods_log_assert(record); ods_log_assert(record->rr); ods_log_assert(record->is_added); } /* update stats */ if (do_stats && zone->stats) { zone->stats->sort_count += 1; } return ODS_STATUS_OK; }
ldns_status ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt) { ldns_rbnode_t *first_name_node; ldns_rbnode_t *current_name_node; ldns_dnssec_name *current_name; ldns_status result = LDNS_STATUS_OK; ldns_rr *nsec_rr; ldns_rr_list *nsec3_list; uint32_t nsec_ttl; ldns_dnssec_rrsets *soa; if (!zone || !new_rrs || !zone->names) { return LDNS_STATUS_ERR; } /* the TTL of NSEC rrs should be set to the minimum TTL of * the zone SOA (RFC4035 Section 2.3) */ soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); /* did the caller actually set it? if not, * fall back to default ttl */ if (soa && soa->rrs && soa->rrs->rr) { nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf( soa->rrs->rr, 6)); } else { nsec_ttl = LDNS_DEFAULT_TTL; } nsec3_list = ldns_rr_list_new(); first_name_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_first(zone->names)); current_name_node = first_name_node; while (current_name_node && current_name_node != LDNS_RBTREE_NULL) { current_name = (ldns_dnssec_name *) current_name_node->data; nsec_rr = ldns_dnssec_create_nsec3(current_name, NULL, zone->soa->name, algorithm, flags, iterations, salt_length, salt); /* by default, our nsec based generator adds rrsigs * remove the bitmap for empty nonterminals */ if (!current_name->rrsets) { ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr)); } ldns_rr_set_ttl(nsec_rr, nsec_ttl); ldns_dnssec_name_add_rr(current_name, nsec_rr); ldns_rr_list_push_rr(new_rrs, nsec_rr); ldns_rr_list_push_rr(nsec3_list, nsec_rr); current_name_node = ldns_dnssec_name_node_next_nonglue( ldns_rbtree_next(current_name_node)); } ldns_rr_list_sort_nsec3(nsec3_list); ldns_dnssec_chain_nsec3_list(nsec3_list); if (result != LDNS_STATUS_OK) { return result; } ldns_rr_list_free(nsec3_list); return result; }
/** * Process SOA. * */ static ods_status adapi_process_soa(zone_type* zone, ldns_rr* rr, int add, int backup) { uint32_t tmp = 0; ldns_rdf* soa_rdata = NULL; ods_status status = ODS_STATUS_OK; ods_log_assert(rr); ods_log_assert(zone); ods_log_assert(zone->name); ods_log_assert(zone->signconf); if (backup) { /* no need to do processing */ return ODS_STATUS_OK; } if (zone->signconf->soa_ttl) { tmp = (uint32_t) duration2time(zone->signconf->soa_ttl); ods_log_verbose("[%s] zone %s set soa ttl to %u", adapi_str, zone->name, tmp); ldns_rr_set_ttl(rr, tmp); } if (zone->signconf->soa_min) { tmp = (uint32_t) duration2time(zone->signconf->soa_min); ods_log_verbose("[%s] zone %s set soa minimum to %u", adapi_str, zone->name, tmp); soa_rdata = ldns_rr_set_rdf(rr, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, tmp), SE_SOA_RDATA_MINIMUM); if (soa_rdata) { ldns_rdf_deep_free(soa_rdata); soa_rdata = NULL; } else { ods_log_error("[%s] unable to %s soa to zone %s: failed to replace " "soa minimum rdata", adapi_str, add?"add":"delete", zone->name); return ODS_STATUS_ASSERT_ERR; } } if (!add) { /* we are done */ return ODS_STATUS_OK; } tmp = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL)); status = namedb_update_serial(zone->db, zone->name, zone->signconf->soa_serial, tmp); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to add soa to zone %s: failed to replace " "soa serial rdata (%s)", adapi_str, zone->name, ods_status2str(status)); if (status == ODS_STATUS_CONFLICT_ERR) { ods_log_error("[%s] If this is the result of a key rollover, " "please increment the serial in the unsigned zone %s", adapi_str, zone->name); } return status; } ods_log_verbose("[%s] zone %s set soa serial to %u", adapi_str, zone->name, zone->db->intserial); soa_rdata = ldns_rr_set_rdf(rr, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, zone->db->intserial), SE_SOA_RDATA_SERIAL); if (soa_rdata) { ldns_rdf_deep_free(soa_rdata); soa_rdata = NULL; } else { ods_log_error("[%s] unable to add soa to zone %s: failed to replace " "soa serial rdata", adapi_str, zone->name); return ODS_STATUS_ERR; } zone->db->serial_updated = 1; return ODS_STATUS_OK; }
ldns_status ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only) { ldns_rr *tsig_rr; ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name); ldns_rdf *fudge_rdf = NULL; ldns_rdf *orig_id_rdf = NULL; ldns_rdf *algorithm_rdf; ldns_rdf *error_rdf = NULL; ldns_rdf *mac_rdf = NULL; ldns_rdf *other_data_rdf = NULL; ldns_status status = LDNS_STATUS_OK; uint8_t *pkt_wire = NULL; size_t pkt_wire_len; struct timeval tv_time_signed; uint8_t *time_signed = NULL; ldns_rdf *time_signed_rdf = NULL; algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name); if(!key_name_rdf || !algorithm_rdf) { status = LDNS_STATUS_MEM_ERR; goto clean; } /* eww don't have create tsigtime rdf yet :( */ /* bleh :p */ if (gettimeofday(&tv_time_signed, NULL) == 0) { time_signed = LDNS_XMALLOC(uint8_t, 6); if(!time_signed) { status = LDNS_STATUS_MEM_ERR; goto clean; } ldns_write_uint64_as_uint48(time_signed, (uint64_t)tv_time_signed.tv_sec); } else { status = LDNS_STATUS_INTERNAL_ERR; goto clean; } time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed); if(!time_signed_rdf) { LDNS_FREE(time_signed); status = LDNS_STATUS_MEM_ERR; goto clean; } fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge); orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt)); error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0); other_data_rdf = ldns_native2rdf_int16_data(0, NULL); if(!fudge_rdf || !orig_id_rdf || !error_rdf || !other_data_rdf) { status = LDNS_STATUS_MEM_ERR; goto clean; } if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) { status = LDNS_STATUS_ERR; goto clean; } status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len, key_data, key_name_rdf, fudge_rdf, algorithm_rdf, time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only); if (!mac_rdf) { goto clean; } LDNS_FREE(pkt_wire); /* Create the TSIG RR */ tsig_rr = ldns_rr_new(); if(!tsig_rr) { status = LDNS_STATUS_MEM_ERR; goto clean; } ldns_rr_set_owner(tsig_rr, key_name_rdf); ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY); ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG); ldns_rr_set_ttl(tsig_rr, 0); ldns_rr_push_rdf(tsig_rr, algorithm_rdf); ldns_rr_push_rdf(tsig_rr, time_signed_rdf); ldns_rr_push_rdf(tsig_rr, fudge_rdf); ldns_rr_push_rdf(tsig_rr, mac_rdf); ldns_rr_push_rdf(tsig_rr, orig_id_rdf); ldns_rr_push_rdf(tsig_rr, error_rdf); ldns_rr_push_rdf(tsig_rr, other_data_rdf); ldns_pkt_set_tsig(pkt, tsig_rr); return status; clean: LDNS_FREE(pkt_wire); ldns_rdf_free(key_name_rdf); ldns_rdf_free(algorithm_rdf); ldns_rdf_free(time_signed_rdf); ldns_rdf_free(fudge_rdf); ldns_rdf_free(orig_id_rdf); ldns_rdf_free(error_rdf); ldns_rdf_free(other_data_rdf); return status; }
/** * Publish the keys as indicated by the signer configuration. * */ ods_status zone_publish_dnskeys(zone_type* zone) { hsm_ctx_t* ctx = NULL; uint32_t ttl = 0; uint16_t i = 0; ods_status status = ODS_STATUS_OK; rrset_type* rrset = NULL; rr_type* dnskey = NULL; if (!zone || !zone->db || !zone->signconf || !zone->signconf->keys) { return ODS_STATUS_ASSERT_ERR; } ods_log_assert(zone->name); /* hsm access */ ctx = hsm_create_context(); if (ctx == NULL) { ods_log_error("[%s] unable to publish keys for zone %s: " "error creating libhsm context", zone_str, zone->name); return ODS_STATUS_HSM_ERR; } /* dnskey ttl */ ttl = zone->default_ttl; if (zone->signconf->dnskey_ttl) { ttl = (uint32_t) duration2time(zone->signconf->dnskey_ttl); } /* publish keys */ for (i=0; i < zone->signconf->keys->count; i++) { if (!zone->signconf->keys->keys[i].publish) { continue; } if (!zone->signconf->keys->keys[i].dnskey) { /* get dnskey */ status = lhsm_get_key(ctx, zone->apex, &zone->signconf->keys->keys[i]); if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to publish dnskeys for zone %s: " "error creating dnskey", zone_str, zone->name); break; } } ods_log_assert(zone->signconf->keys->keys[i].dnskey); ldns_rr_set_ttl(zone->signconf->keys->keys[i].dnskey, ttl); ldns_rr_set_class(zone->signconf->keys->keys[i].dnskey, zone->klass); status = zone_add_rr(zone, zone->signconf->keys->keys[i].dnskey, 0); if (status == ODS_STATUS_UNCHANGED) { /* rr already exists, adjust pointer */ rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_DNSKEY); ods_log_assert(rrset); dnskey = rrset_lookup_rr(rrset, zone->signconf->keys->keys[i].dnskey); ods_log_assert(dnskey); if (dnskey->rr != zone->signconf->keys->keys[i].dnskey) { ldns_rr_free(zone->signconf->keys->keys[i].dnskey); } zone->signconf->keys->keys[i].dnskey = dnskey->rr; status = ODS_STATUS_OK; } else if (status != ODS_STATUS_OK) { ods_log_error("[%s] unable to publish dnskeys for zone %s: " "error adding dnskey", zone_str, zone->name); break; } } /* done */ hsm_destroy_context(ctx); return status; }