enum sec_status
nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
{
enum sec_status sec, secnx;
rbtree_t ct;
struct nsec3_filter flt;
*nodata = 0;
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus; /* no valid NSEC3s, bogus */
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone)
return sec_status_bogus; /* no RRs */
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */
/* try nxdomain and nodata after another, while keeping the
* hash cache intact */
secnx = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
if(secnx==sec_status_secure)
return sec_status_secure;
sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
if(sec==sec_status_secure) {
*nodata = 1;
} else if(sec == sec_status_insecure) {
*nodata = 1;
} else if(secnx == sec_status_insecure) {
sec = sec_status_insecure;
}
return sec;
}
enum sec_status
nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, uint8_t* wc)
{
rbtree_t ct;
struct nsec3_filter flt;
struct ce_response ce;
uint8_t* nc;
size_t nc_len;
size_t wclen;
(void)dname_count_size_labels(wc, &wclen);
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus; /* no valid NSEC3s, bogus */
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone)
return sec_status_bogus; /* no RRs */
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */
/* We know what the (purported) closest encloser is by just
* looking at the supposed generating wildcard.
* The *. has already been removed from the wc name.
*/
memset(&ce, 0, sizeof(ce));
ce.ce = wc;
ce.ce_len = wclen;
/* Now we still need to prove that the original data did not exist.
* Otherwise, we need to show that the next closer name is covered. */
next_closer(qinfo->qname, qinfo->qname_len, ce.ce, &nc, &nc_len);
if(!find_covering_nsec3(env, &flt, &ct, nc, nc_len,
&ce.nc_rrset, &ce.nc_rr)) {
verbose(VERB_ALGO, "proveWildcard: did not find a covering "
"NSEC3 that covered the next closer name.");
return sec_status_bogus;
}
if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
return sec_status_insecure;
}
return sec_status_secure;
}
enum sec_status
nsec3_prove_nodata(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey)
{
rbtree_t ct;
struct nsec3_filter flt;
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus; /* no valid NSEC3s, bogus */
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone)
return sec_status_bogus; /* no RRs */
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */
return nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
}
int
iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
struct dns_msg* msg, uint16_t dclass)
{
struct trust_anchor* a;
/* information not available, !env->anchors can be common */
if(!env || !env->anchors || !dp || !dp->name)
return 0;
/* a trust anchor exists with this name, RRSIGs expected */
if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen,
dclass))) {
lock_basic_unlock(&a->lock);
return 1;
}
/* see if DS rrset was given, in AUTH section */
if(msg && msg->rep &&
reply_find_rrset_section_ns(msg->rep, dp->name, dp->namelen,
LDNS_RR_TYPE_DS, dclass))
return 1;
/* look in key cache */
if(env->key_cache) {
struct key_entry_key* kk = key_cache_obtain(env->key_cache,
dp->name, dp->namelen, dclass, env->scratch, *env->now);
if(kk) {
if(query_dname_compare(kk->name, dp->name) == 0) {
if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
regional_free_all(env->scratch);
return 1;
} else if(key_entry_isnull(kk)) {
regional_free_all(env->scratch);
return 0;
}
}
regional_free_all(env->scratch);
}
}
return 0;
}
enum sec_status
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, char** reason)
{
rbtree_t ct;
struct nsec3_filter flt;
struct ce_response ce;
struct ub_packed_rrset_key* rrset;
int rr;
log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey)) {
*reason = "no valid NSEC3s";
return sec_status_bogus; /* no valid NSEC3s, bogus */
}
if(!list_is_secure(env, ve, list, num, kkey, reason))
return sec_status_bogus; /* not all NSEC3 records secure */
rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone) {
*reason = "no NSEC3 records";
return sec_status_bogus; /* no RRs */
}
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */
/* Look for a matching NSEC3 to qname -- this is the normal
* NODATA case. */
if(find_matching_nsec3(env, &flt, &ct, qinfo->qname, qinfo->qname_len,
&rrset, &rr)) {
/* If the matching NSEC3 has the SOA bit set, it is from
* the wrong zone (the child instead of the parent). If
* it has the DS bit set, then we were lied to. */
if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
qinfo->qname_len != 1) {
verbose(VERB_ALGO, "nsec3 provenods: NSEC3 is from"
" child zone, bogus");
*reason = "NSEC3 from child zone";
return sec_status_bogus;
} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_DS)) {
verbose(VERB_ALGO, "nsec3 provenods: NSEC3 has qtype"
" DS, bogus");
*reason = "NSEC3 has DS in bitmap";
return sec_status_bogus;
}
/* If the NSEC3 RR doesn't have the NS bit set, then
* this wasn't a delegation point. */
if(!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS))
return sec_status_indeterminate;
/* Otherwise, this proves no DS. */
return sec_status_secure;
}
/* Otherwise, we are probably in the opt-out case. */
if(nsec3_prove_closest_encloser(env, &flt, &ct, qinfo, 1, &ce)
!= sec_status_secure) {
/* an insecure delegation *above* the qname does not prove
* anything about this qname exactly, and bogus is bogus */
verbose(VERB_ALGO, "nsec3 provenods: did not match qname, "
"nor found a proven closest encloser.");
*reason = "no NSEC3 closest encloser";
return sec_status_bogus;
}
/* robust extra check */
if(!ce.nc_rrset) {
verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
*reason = "no NSEC3 next closer";
return sec_status_bogus;
}
/* we had the closest encloser proof, then we need to check that the
* covering NSEC3 was opt-out -- the proveClosestEncloser step already
* checked to see if the closest encloser was a delegation or DNAME.
*/
log_assert(ce.nc_rrset);
if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "nsec3 provenods: covering NSEC3 was not "
"opt-out in an opt-out DS NOERROR/NODATA case.");
*reason = "covering NSEC3 was not opt-out in an opt-out "
"DS NOERROR/NODATA case";
return sec_status_bogus;
}
/* RFC5155 section 9.2: if nc has optout then no AD flag set */
return sec_status_insecure;
}
