Cross Reference: /freebsd-10.2-release/contrib/unbound/validator/val

Deleted Added

sdiff udiff text old ( 256281 ) new ( 269257 )

full compact

val_nsec.c (256281)	val_nsec.c (269257)
1/* 2 * validator/val_nsec.c - validator NSEC denial of existance functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS	1/* 2 * validator/val_nsec.c - validator NSEC denial of existance functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE.	24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 / 35 36/* 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs 41 * for denial of existance, and proofs for presence of types. 42 */ 43#include "config.h"	34 / 35 36/* 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs 41 * for denial of existance, and proofs for presence of types. 42 */ 43#include "config.h"
44#include <ldns/packet.h>
45#include "validator/val_nsec.h" 46#include "validator/val_utils.h" 47#include "util/data/msgreply.h" 48#include "util/data/dname.h" 49#include "util/net_help.h" 50#include "util/module.h" 51#include "services/cache/rrset.h" 52 53/** get ttl of rrset / 54static uint32_t 55rrset_get_ttl(struct ub_packed_rrset_key k) 56{ 57 struct packed_rrset_data* d = (struct packed_rrset_data)k->entry.data; 58 return d->ttl; 59} 60 61int 62nsecbitmap_has_type_rdata(uint8_t bitmap, size_t len, uint16_t type) 63{ 64 /* Check type present in NSEC typemap with bitmap arg / 65 / bitmasks for determining type-lowerbits presence / 66 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01}; 67 uint8_t type_window = type>>8; 68 uint8_t type_low = type&0xff; 69 uint8_t win, winlen; 70 / read each of the type bitmap windows and see if the searched 71 * type is amongst it / 72 while(len > 0) { 73 if(len < 3) / bad window, at least window# winlen bitmap / 74 return 0; 75 win = bitmap++; 76 winlen = bitmap++; 77 len -= 2; 78 if(len < winlen \|\| winlen < 1 \|\| winlen > 32) 79 return 0; / bad window length / 80 if(win == type_window) { 81 / search window bitmap for the correct byte / 82 / mybyte is 0 if we need the first byte / 83 size_t mybyte = type_low>>3; 84 if(winlen <= mybyte) 85 return 0; / window too short / 86 return (int)(bitmap[mybyte] & masks[type_low&0x7]); 87 } else { 88 / not the window we are looking for / 89 bitmap += winlen; 90 len -= winlen; 91 } 92 } 93 / end of bitmap reached, no type found / 94 return 0; 95} 96 97int 98nsec_has_type(struct ub_packed_rrset_key nsec, uint16_t type) 99{ 100 struct packed_rrset_data* d = (struct packed_rrset_data)nsec-> 101* entry.data; 102 size_t len; 103 if(!d \|\| d->count == 0 \|\| d->rr_len[0] < 2+1) 104 return 0; 105 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2); 106 if(!len) 107 return 0; 108 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len, 109 d->rr_len[0]-2-len, type); 110} 111 112/** 113 * Get next owner name from nsec record 114 * @param nsec: the nsec RRset. 115 * If there are multiple RRs, then this will only return one of them. 116 * @param nm: the next name is returned. 117 * @param ln: length of nm is returned. 118 * @return false on a bad NSEC RR (too short, malformed dname). 119 / 120static int 121nsec_get_next(struct ub_packed_rrset_key nsec, uint8_t** nm, size_t* ln) 122{ 123 struct packed_rrset_data* d = (struct packed_rrset_data)nsec-> 124* entry.data; 125 if(!d \|\| d->count == 0 \|\| d->rr_len[0] < 2+1) { 126 nm = 0; 127* ln = 0; 128* return 0; 129 } 130 nm = d->rr_data[0]+2; 131* ln = dname_valid(nm, d->rr_len[0]-2); 132 if(!ln) { 133* nm = 0; 134* ln = 0; 135* return 0; 136 } 137 return 1; 138} 139 140/** 141 * For an NSEC that matches the DS queried for, check absence of DS type. 142 * 143 * @param nsec: NSEC for proof, must be trusted. 144 * @param qinfo: what is queried for. 145 * @return if secure the nsec proves that no DS is present, or 146 * insecure if it proves it is not a delegation point. 147 * or bogus if something was wrong. 148 / 149static enum sec_status 150val_nsec_proves_no_ds(struct ub_packed_rrset_key nsec, 151 struct query_info* qinfo) 152{ 153 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS); 154 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC); 155 156 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) { 157 /* SOA present means that this is the NSEC from the child, 158 * not the parent (so it is the wrong one). / 159* return sec_status_bogus; 160 } 161 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) { 162 /* DS present means that there should have been a positive 163 * response to the DS query, so there is something wrong. / 164* return sec_status_bogus; 165 } 166 167 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) { 168 /* If there is no NS at this point at all, then this 169 * doesn't prove anything one way or the other. / 170* return sec_status_insecure; 171 } 172 /* Otherwise, this proves no DS. / 173* return sec_status_secure; 174} 175 176/** check security status from cache or verify rrset, returns true if secure / 177static int 178nsec_verify_rrset(struct module_env env, struct val_env* ve, 179 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey, 180 char** reason) 181{ 182 struct packed_rrset_data* d = (struct packed_rrset_data) 183* nsec->entry.data; 184 if(d->security == sec_status_secure) 185 return 1; 186 rrset_check_sec_status(env->rrset_cache, nsec, env->now); 187* if(d->security == sec_status_secure) 188 return 1; 189 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason); 190 if(d->security == sec_status_secure) { 191 rrset_update_sec_status(env->rrset_cache, nsec, env->now); 192* return 1; 193 } 194 return 0; 195} 196 197enum sec_status 198val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, 199 struct query_info* qinfo, struct reply_info* rep,	44#include "validator/val_nsec.h" 45#include "validator/val_utils.h" 46#include "util/data/msgreply.h" 47#include "util/data/dname.h" 48#include "util/net_help.h" 49#include "util/module.h" 50#include "services/cache/rrset.h" 51 52/** get ttl of rrset / 53static uint32_t 54rrset_get_ttl(struct ub_packed_rrset_key k) 55{ 56 struct packed_rrset_data* d = (struct packed_rrset_data)k->entry.data; 57 return d->ttl; 58} 59 60int 61nsecbitmap_has_type_rdata(uint8_t bitmap, size_t len, uint16_t type) 62{ 63 /* Check type present in NSEC typemap with bitmap arg / 64 / bitmasks for determining type-lowerbits presence / 65 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01}; 66 uint8_t type_window = type>>8; 67 uint8_t type_low = type&0xff; 68 uint8_t win, winlen; 69 / read each of the type bitmap windows and see if the searched 70 * type is amongst it / 71 while(len > 0) { 72 if(len < 3) / bad window, at least window# winlen bitmap / 73 return 0; 74 win = bitmap++; 75 winlen = bitmap++; 76 len -= 2; 77 if(len < winlen \|\| winlen < 1 \|\| winlen > 32) 78 return 0; / bad window length / 79 if(win == type_window) { 80 / search window bitmap for the correct byte / 81 / mybyte is 0 if we need the first byte / 82 size_t mybyte = type_low>>3; 83 if(winlen <= mybyte) 84 return 0; / window too short / 85 return (int)(bitmap[mybyte] & masks[type_low&0x7]); 86 } else { 87 / not the window we are looking for / 88 bitmap += winlen; 89 len -= winlen; 90 } 91 } 92 / end of bitmap reached, no type found / 93 return 0; 94} 95 96int 97nsec_has_type(struct ub_packed_rrset_key nsec, uint16_t type) 98{ 99 struct packed_rrset_data* d = (struct packed_rrset_data)nsec-> 100* entry.data; 101 size_t len; 102 if(!d \|\| d->count == 0 \|\| d->rr_len[0] < 2+1) 103 return 0; 104 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2); 105 if(!len) 106 return 0; 107 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len, 108 d->rr_len[0]-2-len, type); 109} 110 111/** 112 * Get next owner name from nsec record 113 * @param nsec: the nsec RRset. 114 * If there are multiple RRs, then this will only return one of them. 115 * @param nm: the next name is returned. 116 * @param ln: length of nm is returned. 117 * @return false on a bad NSEC RR (too short, malformed dname). 118 / 119static int 120nsec_get_next(struct ub_packed_rrset_key nsec, uint8_t** nm, size_t* ln) 121{ 122 struct packed_rrset_data* d = (struct packed_rrset_data)nsec-> 123* entry.data; 124 if(!d \|\| d->count == 0 \|\| d->rr_len[0] < 2+1) { 125 nm = 0; 126* ln = 0; 127* return 0; 128 } 129 nm = d->rr_data[0]+2; 130* ln = dname_valid(nm, d->rr_len[0]-2); 131 if(!ln) { 132* nm = 0; 133* ln = 0; 134* return 0; 135 } 136 return 1; 137} 138 139/** 140 * For an NSEC that matches the DS queried for, check absence of DS type. 141 * 142 * @param nsec: NSEC for proof, must be trusted. 143 * @param qinfo: what is queried for. 144 * @return if secure the nsec proves that no DS is present, or 145 * insecure if it proves it is not a delegation point. 146 * or bogus if something was wrong. 147 / 148static enum sec_status 149val_nsec_proves_no_ds(struct ub_packed_rrset_key nsec, 150 struct query_info* qinfo) 151{ 152 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS); 153 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC); 154 155 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) { 156 /* SOA present means that this is the NSEC from the child, 157 * not the parent (so it is the wrong one). / 158* return sec_status_bogus; 159 } 160 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) { 161 /* DS present means that there should have been a positive 162 * response to the DS query, so there is something wrong. / 163* return sec_status_bogus; 164 } 165 166 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) { 167 /* If there is no NS at this point at all, then this 168 * doesn't prove anything one way or the other. / 169* return sec_status_insecure; 170 } 171 /* Otherwise, this proves no DS. / 172* return sec_status_secure; 173} 174 175/** check security status from cache or verify rrset, returns true if secure / 176static int 177nsec_verify_rrset(struct module_env env, struct val_env* ve, 178 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey, 179 char** reason) 180{ 181 struct packed_rrset_data* d = (struct packed_rrset_data) 182* nsec->entry.data; 183 if(d->security == sec_status_secure) 184 return 1; 185 rrset_check_sec_status(env->rrset_cache, nsec, env->now); 186* if(d->security == sec_status_secure) 187 return 1; 188 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason); 189 if(d->security == sec_status_secure) { 190 rrset_update_sec_status(env->rrset_cache, nsec, env->now); 191* return 1; 192 } 193 return 0; 194} 195 196enum sec_status 197val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, 198 struct query_info* qinfo, struct reply_info* rep,
200 struct key_entry_key* kkey, uint32_t* proof_ttl, char** reason)	199 struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
201{ 202 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns( 203 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, 204 qinfo->qclass); 205 enum sec_status sec; 206 size_t i; 207 uint8_t* wc = NULL, ce = NULL; 208* int valid_nsec = 0; 209 struct ub_packed_rrset_key* wc_nsec = NULL; 210 211 /* If we have a NSEC at the same name, it must prove one 212 * of two things 213 * -- 214 * 1) this is a delegation point and there is no DS 215 * 2) this is not a delegation point / 216* if(nsec) { 217 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) { 218 verbose(VERB_ALGO, "NSEC RRset for the " 219 "referral did not verify."); 220 return sec_status_bogus; 221 } 222 sec = val_nsec_proves_no_ds(nsec, qinfo); 223 if(sec == sec_status_bogus) { 224 /* something was wrong. / 225* reason = "NSEC does not prove absence of DS"; 226* return sec; 227 } else if(sec == sec_status_insecure) { 228 /* this wasn't a delegation point. / 229* return sec; 230 } else if(sec == sec_status_secure) { 231 /* this proved no DS. / 232* proof_ttl = ub_packed_rrset_ttl(nsec); 233* return sec; 234 } 235 /* if unchecked, fall through to next proof / 236* } 237 238 /* Otherwise, there is no NSEC at qname. This could be an ENT. 239 * (ENT=empty non terminal). If not, this is broken. / 240* 241 /* verify NSEC rrsets in auth section / 242* for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets; 243 i++) { 244 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC)) 245 continue; 246 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) { 247 verbose(VERB_ALGO, "NSEC for empty non-terminal " 248 "did not verify."); 249 return sec_status_bogus; 250 } 251 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) { 252 verbose(VERB_ALGO, "NSEC for empty non-terminal " 253 "proved no DS."); 254 proof_ttl = rrset_get_ttl(rep->rrsets[i]); 255* if(wc && dname_is_wild(rep->rrsets[i]->rk.dname)) 256 wc_nsec = rep->rrsets[i]; 257 valid_nsec = 1; 258 } 259 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) { 260 ce = nsec_closest_encloser(qinfo->qname, 261 rep->rrsets[i]); 262 } 263 } 264 if(wc && !ce) 265 valid_nsec = 0; 266 else if(wc && ce) { 267 /* ce and wc must match / 268* if(query_dname_compare(wc, ce) != 0) 269 valid_nsec = 0; 270 else if(!wc_nsec) 271 valid_nsec = 0; 272 } 273 if(valid_nsec) { 274 if(wc) { 275 /* check if this is a delegation / 276* reason = "NSEC for wildcard does not prove absence of DS"; 277* return val_nsec_proves_no_ds(wc_nsec, qinfo); 278 } 279 /* valid nsec proves empty nonterminal / 280* return sec_status_insecure; 281 } 282 283 /* NSEC proof did not conlusively point to DS or no DS / 284* return sec_status_unchecked; 285} 286 287int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 288 struct query_info* qinfo, uint8_t** wc) 289{ 290 log_assert(wc); 291 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) { 292 uint8_t* nm; 293 size_t ln; 294 295 /* empty-non-terminal checking. 296 * Done before wildcard, because this is an exact match, 297 * and would prevent a wildcard from matching. / 298* 299 /* If the nsec is proving that qname is an ENT, the nsec owner 300 * will be less than qname, and the next name will be a child 301 * domain of the qname. / 302* if(!nsec_get_next(nsec, &nm, &ln)) 303 return 0; /* bad nsec / 304* if(dname_strict_subdomain_c(nm, qinfo->qname) && 305 dname_canonical_compare(nsec->rk.dname, 306 qinfo->qname) < 0) { 307 return 1; /* proves ENT / 308* } 309 310 /* wildcard checking. / 311* 312 /* If this is a wildcard NSEC, make sure that a) it was 313 * possible to have generated qname from the wildcard and 314 * b) the type map does not contain qtype. Note that this 315 * does NOT prove that this wildcard was the applicable 316 * wildcard. / 317* if(dname_is_wild(nsec->rk.dname)) { 318 /* the purported closest encloser. / 319* uint8_t* ce = nsec->rk.dname; 320 size_t ce_len = nsec->rk.dname_len; 321 dname_remove_label(&ce, &ce_len); 322 323 /* The qname must be a strict subdomain of the 324 * closest encloser, for the wildcard to apply 325 / 326* if(dname_strict_subdomain_c(qinfo->qname, ce)) { 327 /* here we have a matching NSEC for the qname, 328 * perform matching NSEC checks / 329* if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 330 /* should have gotten the wildcard CNAME / 331* return 0; 332 } 333 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 334 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 335 /* wrong parentside (wildcard) NSEC used / 336* return 0; 337 } 338 if(nsec_has_type(nsec, qinfo->qtype)) { 339 return 0; 340 } 341 wc = ce; 342* return 1; 343 } 344 } 345 346 /* Otherwise, this NSEC does not prove ENT and is not a 347 * wildcard, so it does not prove NODATA. / 348* return 0; 349 } 350 351 /* If the qtype exists, then we should have gotten it. / 352* if(nsec_has_type(nsec, qinfo->qtype)) { 353 return 0; 354 } 355 356 /* if the name is a CNAME node, then we should have gotten the CNAME/ 357* if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 358 return 0; 359 } 360 361 /* If an NS set exists at this name, and NOT a SOA (so this is a 362 * zone cut, not a zone apex), then we should have gotten a 363 * referral (or we just got the wrong NSEC). 364 * The reverse of this check is used when qtype is DS, since that 365 * must use the NSEC from above the zone cut. / 366* if(qinfo->qtype != LDNS_RR_TYPE_DS && 367 nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 368 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 369 return 0; 370 } else if(qinfo->qtype == LDNS_RR_TYPE_DS && 371 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && 372 !dname_is_root(qinfo->qname)) { 373 return 0; 374 } 375 376 return 1; 377} 378 379int 380val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname) 381{ 382 uint8_t* owner = nsec->rk.dname; 383 uint8_t* next; 384 size_t nlen; 385 if(!nsec_get_next(nsec, &next, &nlen)) 386 return 0; 387 388 /* If NSEC owner == qname, then this NSEC proves that qname exists. / 389* if(query_dname_compare(qname, owner) == 0) { 390 return 0; 391 } 392 393 /* If NSEC is a parent of qname, we need to check the type map 394 * If the parent name has a DNAME or is a delegation point, then 395 * this NSEC is being misused. / 396* if(dname_subdomain_c(qname, owner) && 397 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) \|\| 398 (nsec_has_type(nsec, LDNS_RR_TYPE_NS) 399 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) 400 )) { 401 return 0; 402 } 403 404 if(query_dname_compare(owner, next) == 0) { 405 /* this nsec is the only nsec / 406* /* zone.name NSEC zone.name, disproves everything else / 407* /* but only for subdomains of that zone / 408* if(dname_strict_subdomain_c(qname, next)) 409 return 1; 410 } 411 else if(dname_canonical_compare(owner, next) > 0) { 412 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) / 413* /* the names after the last (owner) name do not exist 414 * there are no names before the zone name in the zone 415 * but the qname must be a subdomain of the zone name(next). / 416* if(dname_canonical_compare(owner, qname) < 0 && 417 dname_strict_subdomain_c(qname, next)) 418 return 1; 419 } else { 420 /* regular NSEC, (smaller) NSEC (larger) / 421* if(dname_canonical_compare(owner, qname) < 0 && 422 dname_canonical_compare(qname, next) < 0) { 423 return 1; 424 } 425 } 426 return 0; 427} 428 429int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 430 struct query_info* qinfo) 431{ 432 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 433 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) && 434 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 435 /* see if nsec signals an insecure delegation / 436* if(qinfo->qtype == LDNS_RR_TYPE_DS) { 437 /* if type is DS and qname is equal to nsec, then it 438 * is an exact match nsec, result not insecure / 439* if(dname_strict_subdomain_c(qinfo->qname, 440 nsec->rk.dname)) 441 return 1; 442 } else { 443 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname)) 444 return 1; 445 } 446 } 447 return 0; 448} 449 450uint8_t* 451nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec) 452{ 453 uint8_t* next; 454 size_t nlen; 455 uint8_t* common1, common2; 456* if(!nsec_get_next(nsec, &next, &nlen)) 457 return NULL; 458 /* longest common with owner or next name / 459* common1 = dname_get_shared_topdomain(nsec->rk.dname, qname); 460 common2 = dname_get_shared_topdomain(next, qname); 461 if(dname_count_labels(common1) > dname_count_labels(common2)) 462 return common1; 463 return common2; 464} 465 466int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 467 struct query_info* qinf, uint8_t* wc) 468{ 469 uint8_t* ce; 470 /* 1) prove that qname doesn't exist and 471 * 2) that the correct wildcard was used 472 * nsec has been verified already. / 473* if(!val_nsec_proves_name_error(nsec, qinf->qname)) 474 return 0; 475 /* check wildcard name / 476* ce = nsec_closest_encloser(qinf->qname, nsec); 477 if(!ce) 478 return 0; 479 if(query_dname_compare(wc, ce) != 0) { 480 return 0; 481 } 482 return 1; 483} 484 485int 486val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 487 size_t qnamelen) 488{ 489 /* Determine if a NSEC record proves the non-existence of a 490 * wildcard that could have produced qname. / 491* int labs; 492 int i; 493 uint8_t* ce = nsec_closest_encloser(qname, nsec); 494 uint8_t* strip; 495 size_t striplen; 496 uint8_t buf[LDNS_MAX_DOMAINLEN+3]; 497 if(!ce) 498 return 0; 499 /* we can subtract the closest encloser count - since that is the 500 * largest shared topdomain with owner and next NSEC name, 501 * because the NSEC is no proof for names shorter than the owner 502 * and next names. / 503* labs = dname_count_labels(qname) - dname_count_labels(ce); 504 505 for(i=labs; i>0; i--) { 506 /* i is number of labels to strip off qname, prepend * wild / 507* strip = qname; 508 striplen = qnamelen; 509 dname_remove_labels(&strip, &striplen, i); 510 if(striplen > LDNS_MAX_DOMAINLEN-2) 511 continue; /* too long to prepend wildcard / 512* buf[0] = 1; 513 buf[1] = (uint8_t)''; 514* memmove(buf+2, strip, striplen); 515 if(val_nsec_proves_name_error(nsec, buf)) { 516 return 1; 517 } 518 } 519 return 0; 520} 521 522/** 523 * Find shared topdomain that exists 524 / 525static void 526dlv_topdomain(struct ub_packed_rrset_key nsec, uint8_t* qname, 527 uint8_t** nm, size_t* nm_len) 528{ 529 /* make sure reply is part of nm / 530* /* take shared topdomain with left of NSEC. / 531* 532 /* because, if empty nonterminal, then right is subdomain of qname. 533 * and any shared topdomain would be empty nonterminals. 534 * 535 * If nxdomain, then the right is bigger, and could have an 536 * interesting shared topdomain, but if it does have one, it is 537 * an empty nonterminal. An empty nonterminal shared with the left 538 * one. / 539* int n; 540 uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname); 541 n = dname_count_labels(nm) - dname_count_labels(common); 542* dname_remove_labels(nm, nm_len, n); 543} 544 545int val_nsec_check_dlv(struct query_info* qinfo, 546 struct reply_info* rep, uint8_t** nm, size_t* nm_len) 547{ 548 uint8_t* next; 549 size_t i, nlen; 550 int c; 551 /* we should now have a NOERROR/NODATA or NXDOMAIN message / 552* if(rep->an_numrrsets != 0) { 553 return 0; 554 } 555 /* is this NOERROR ? / 556* if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 557 /* it can be a plain NSEC match - go up one more level. / 558* /* or its an empty nonterminal - go up to nonempty level / 559* for(i=0; i<rep->ns_numrrsets; i++) { 560 if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC \|\| 561 !nsec_get_next(rep->rrsets[i], &next, &nlen)) 562 continue; 563 c = dname_canonical_compare( 564 rep->rrsets[i]->rk.dname, qinfo->qname); 565 if(c == 0) { 566 /* plain match / 567* if(nsec_has_type(rep->rrsets[i], 568 LDNS_RR_TYPE_DLV)) 569 return 0; 570 dname_remove_label(nm, nm_len); 571 return 1; 572 } else if(c < 0 && 573 dname_strict_subdomain_c(next, qinfo->qname)) { 574 /* ENT / 575* dlv_topdomain(rep->rrsets[i], qinfo->qname, 576 nm, nm_len); 577 return 1; 578 } 579 } 580 return 0; 581 } 582 583 /* is this NXDOMAIN ? / 584* if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) { 585 /* find the qname denial NSEC record. It can tell us 586 * a closest encloser name; or that we not need bother / 587* for(i=0; i<rep->ns_numrrsets; i++) { 588 if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC) 589 continue; 590 if(val_nsec_proves_name_error(rep->rrsets[i], 591 qinfo->qname)) { 592 log_nametypeclass(VERB_ALGO, "topdomain on", 593 rep->rrsets[i]->rk.dname, 594 ntohs(rep->rrsets[i]->rk.type), 0); 595 dlv_topdomain(rep->rrsets[i], qinfo->qname, 596 nm, nm_len); 597 return 1; 598 } 599 } 600 return 0; 601 } 602 return 0; 603}	200{ 201 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns( 202 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, 203 qinfo->qclass); 204 enum sec_status sec; 205 size_t i; 206 uint8_t* wc = NULL, ce = NULL; 207* int valid_nsec = 0; 208 struct ub_packed_rrset_key* wc_nsec = NULL; 209 210 /* If we have a NSEC at the same name, it must prove one 211 * of two things 212 * -- 213 * 1) this is a delegation point and there is no DS 214 * 2) this is not a delegation point / 215* if(nsec) { 216 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) { 217 verbose(VERB_ALGO, "NSEC RRset for the " 218 "referral did not verify."); 219 return sec_status_bogus; 220 } 221 sec = val_nsec_proves_no_ds(nsec, qinfo); 222 if(sec == sec_status_bogus) { 223 /* something was wrong. / 224* reason = "NSEC does not prove absence of DS"; 225* return sec; 226 } else if(sec == sec_status_insecure) { 227 /* this wasn't a delegation point. / 228* return sec; 229 } else if(sec == sec_status_secure) { 230 /* this proved no DS. / 231* proof_ttl = ub_packed_rrset_ttl(nsec); 232* return sec; 233 } 234 /* if unchecked, fall through to next proof / 235* } 236 237 /* Otherwise, there is no NSEC at qname. This could be an ENT. 238 * (ENT=empty non terminal). If not, this is broken. / 239* 240 /* verify NSEC rrsets in auth section / 241* for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets; 242 i++) { 243 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC)) 244 continue; 245 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) { 246 verbose(VERB_ALGO, "NSEC for empty non-terminal " 247 "did not verify."); 248 return sec_status_bogus; 249 } 250 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) { 251 verbose(VERB_ALGO, "NSEC for empty non-terminal " 252 "proved no DS."); 253 proof_ttl = rrset_get_ttl(rep->rrsets[i]); 254* if(wc && dname_is_wild(rep->rrsets[i]->rk.dname)) 255 wc_nsec = rep->rrsets[i]; 256 valid_nsec = 1; 257 } 258 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) { 259 ce = nsec_closest_encloser(qinfo->qname, 260 rep->rrsets[i]); 261 } 262 } 263 if(wc && !ce) 264 valid_nsec = 0; 265 else if(wc && ce) { 266 /* ce and wc must match / 267* if(query_dname_compare(wc, ce) != 0) 268 valid_nsec = 0; 269 else if(!wc_nsec) 270 valid_nsec = 0; 271 } 272 if(valid_nsec) { 273 if(wc) { 274 /* check if this is a delegation / 275* reason = "NSEC for wildcard does not prove absence of DS"; 276* return val_nsec_proves_no_ds(wc_nsec, qinfo); 277 } 278 /* valid nsec proves empty nonterminal / 279* return sec_status_insecure; 280 } 281 282 /* NSEC proof did not conlusively point to DS or no DS / 283* return sec_status_unchecked; 284} 285 286int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 287 struct query_info* qinfo, uint8_t** wc) 288{ 289 log_assert(wc); 290 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) { 291 uint8_t* nm; 292 size_t ln; 293 294 /* empty-non-terminal checking. 295 * Done before wildcard, because this is an exact match, 296 * and would prevent a wildcard from matching. / 297* 298 /* If the nsec is proving that qname is an ENT, the nsec owner 299 * will be less than qname, and the next name will be a child 300 * domain of the qname. / 301* if(!nsec_get_next(nsec, &nm, &ln)) 302 return 0; /* bad nsec / 303* if(dname_strict_subdomain_c(nm, qinfo->qname) && 304 dname_canonical_compare(nsec->rk.dname, 305 qinfo->qname) < 0) { 306 return 1; /* proves ENT / 307* } 308 309 /* wildcard checking. / 310* 311 /* If this is a wildcard NSEC, make sure that a) it was 312 * possible to have generated qname from the wildcard and 313 * b) the type map does not contain qtype. Note that this 314 * does NOT prove that this wildcard was the applicable 315 * wildcard. / 316* if(dname_is_wild(nsec->rk.dname)) { 317 /* the purported closest encloser. / 318* uint8_t* ce = nsec->rk.dname; 319 size_t ce_len = nsec->rk.dname_len; 320 dname_remove_label(&ce, &ce_len); 321 322 /* The qname must be a strict subdomain of the 323 * closest encloser, for the wildcard to apply 324 / 325* if(dname_strict_subdomain_c(qinfo->qname, ce)) { 326 /* here we have a matching NSEC for the qname, 327 * perform matching NSEC checks / 328* if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 329 /* should have gotten the wildcard CNAME / 330* return 0; 331 } 332 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 333 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 334 /* wrong parentside (wildcard) NSEC used / 335* return 0; 336 } 337 if(nsec_has_type(nsec, qinfo->qtype)) { 338 return 0; 339 } 340 wc = ce; 341* return 1; 342 } 343 } 344 345 /* Otherwise, this NSEC does not prove ENT and is not a 346 * wildcard, so it does not prove NODATA. / 347* return 0; 348 } 349 350 /* If the qtype exists, then we should have gotten it. / 351* if(nsec_has_type(nsec, qinfo->qtype)) { 352 return 0; 353 } 354 355 /* if the name is a CNAME node, then we should have gotten the CNAME/ 356* if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) { 357 return 0; 358 } 359 360 /* If an NS set exists at this name, and NOT a SOA (so this is a 361 * zone cut, not a zone apex), then we should have gotten a 362 * referral (or we just got the wrong NSEC). 363 * The reverse of this check is used when qtype is DS, since that 364 * must use the NSEC from above the zone cut. / 365* if(qinfo->qtype != LDNS_RR_TYPE_DS && 366 nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 367 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 368 return 0; 369 } else if(qinfo->qtype == LDNS_RR_TYPE_DS && 370 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && 371 !dname_is_root(qinfo->qname)) { 372 return 0; 373 } 374 375 return 1; 376} 377 378int 379val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname) 380{ 381 uint8_t* owner = nsec->rk.dname; 382 uint8_t* next; 383 size_t nlen; 384 if(!nsec_get_next(nsec, &next, &nlen)) 385 return 0; 386 387 /* If NSEC owner == qname, then this NSEC proves that qname exists. / 388* if(query_dname_compare(qname, owner) == 0) { 389 return 0; 390 } 391 392 /* If NSEC is a parent of qname, we need to check the type map 393 * If the parent name has a DNAME or is a delegation point, then 394 * this NSEC is being misused. / 395* if(dname_subdomain_c(qname, owner) && 396 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) \|\| 397 (nsec_has_type(nsec, LDNS_RR_TYPE_NS) 398 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) 399 )) { 400 return 0; 401 } 402 403 if(query_dname_compare(owner, next) == 0) { 404 /* this nsec is the only nsec / 405* /* zone.name NSEC zone.name, disproves everything else / 406* /* but only for subdomains of that zone / 407* if(dname_strict_subdomain_c(qname, next)) 408 return 1; 409 } 410 else if(dname_canonical_compare(owner, next) > 0) { 411 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) / 412* /* the names after the last (owner) name do not exist 413 * there are no names before the zone name in the zone 414 * but the qname must be a subdomain of the zone name(next). / 415* if(dname_canonical_compare(owner, qname) < 0 && 416 dname_strict_subdomain_c(qname, next)) 417 return 1; 418 } else { 419 /* regular NSEC, (smaller) NSEC (larger) / 420* if(dname_canonical_compare(owner, qname) < 0 && 421 dname_canonical_compare(qname, next) < 0) { 422 return 1; 423 } 424 } 425 return 0; 426} 427 428int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 429 struct query_info* qinfo) 430{ 431 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) && 432 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) && 433 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) { 434 /* see if nsec signals an insecure delegation / 435* if(qinfo->qtype == LDNS_RR_TYPE_DS) { 436 /* if type is DS and qname is equal to nsec, then it 437 * is an exact match nsec, result not insecure / 438* if(dname_strict_subdomain_c(qinfo->qname, 439 nsec->rk.dname)) 440 return 1; 441 } else { 442 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname)) 443 return 1; 444 } 445 } 446 return 0; 447} 448 449uint8_t* 450nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec) 451{ 452 uint8_t* next; 453 size_t nlen; 454 uint8_t* common1, common2; 455* if(!nsec_get_next(nsec, &next, &nlen)) 456 return NULL; 457 /* longest common with owner or next name / 458* common1 = dname_get_shared_topdomain(nsec->rk.dname, qname); 459 common2 = dname_get_shared_topdomain(next, qname); 460 if(dname_count_labels(common1) > dname_count_labels(common2)) 461 return common1; 462 return common2; 463} 464 465int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 466 struct query_info* qinf, uint8_t* wc) 467{ 468 uint8_t* ce; 469 /* 1) prove that qname doesn't exist and 470 * 2) that the correct wildcard was used 471 * nsec has been verified already. / 472* if(!val_nsec_proves_name_error(nsec, qinf->qname)) 473 return 0; 474 /* check wildcard name / 475* ce = nsec_closest_encloser(qinf->qname, nsec); 476 if(!ce) 477 return 0; 478 if(query_dname_compare(wc, ce) != 0) { 479 return 0; 480 } 481 return 1; 482} 483 484int 485val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 486 size_t qnamelen) 487{ 488 /* Determine if a NSEC record proves the non-existence of a 489 * wildcard that could have produced qname. / 490* int labs; 491 int i; 492 uint8_t* ce = nsec_closest_encloser(qname, nsec); 493 uint8_t* strip; 494 size_t striplen; 495 uint8_t buf[LDNS_MAX_DOMAINLEN+3]; 496 if(!ce) 497 return 0; 498 /* we can subtract the closest encloser count - since that is the 499 * largest shared topdomain with owner and next NSEC name, 500 * because the NSEC is no proof for names shorter than the owner 501 * and next names. / 502* labs = dname_count_labels(qname) - dname_count_labels(ce); 503 504 for(i=labs; i>0; i--) { 505 /* i is number of labels to strip off qname, prepend * wild / 506* strip = qname; 507 striplen = qnamelen; 508 dname_remove_labels(&strip, &striplen, i); 509 if(striplen > LDNS_MAX_DOMAINLEN-2) 510 continue; /* too long to prepend wildcard / 511* buf[0] = 1; 512 buf[1] = (uint8_t)''; 513* memmove(buf+2, strip, striplen); 514 if(val_nsec_proves_name_error(nsec, buf)) { 515 return 1; 516 } 517 } 518 return 0; 519} 520 521/** 522 * Find shared topdomain that exists 523 / 524static void 525dlv_topdomain(struct ub_packed_rrset_key nsec, uint8_t* qname, 526 uint8_t** nm, size_t* nm_len) 527{ 528 /* make sure reply is part of nm / 529* /* take shared topdomain with left of NSEC. / 530* 531 /* because, if empty nonterminal, then right is subdomain of qname. 532 * and any shared topdomain would be empty nonterminals. 533 * 534 * If nxdomain, then the right is bigger, and could have an 535 * interesting shared topdomain, but if it does have one, it is 536 * an empty nonterminal. An empty nonterminal shared with the left 537 * one. / 538* int n; 539 uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname); 540 n = dname_count_labels(nm) - dname_count_labels(common); 541* dname_remove_labels(nm, nm_len, n); 542} 543 544int val_nsec_check_dlv(struct query_info* qinfo, 545 struct reply_info* rep, uint8_t** nm, size_t* nm_len) 546{ 547 uint8_t* next; 548 size_t i, nlen; 549 int c; 550 /* we should now have a NOERROR/NODATA or NXDOMAIN message / 551* if(rep->an_numrrsets != 0) { 552 return 0; 553 } 554 /* is this NOERROR ? / 555* if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 556 /* it can be a plain NSEC match - go up one more level. / 557* /* or its an empty nonterminal - go up to nonempty level / 558* for(i=0; i<rep->ns_numrrsets; i++) { 559 if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC \|\| 560 !nsec_get_next(rep->rrsets[i], &next, &nlen)) 561 continue; 562 c = dname_canonical_compare( 563 rep->rrsets[i]->rk.dname, qinfo->qname); 564 if(c == 0) { 565 /* plain match / 566* if(nsec_has_type(rep->rrsets[i], 567 LDNS_RR_TYPE_DLV)) 568 return 0; 569 dname_remove_label(nm, nm_len); 570 return 1; 571 } else if(c < 0 && 572 dname_strict_subdomain_c(next, qinfo->qname)) { 573 /* ENT / 574* dlv_topdomain(rep->rrsets[i], qinfo->qname, 575 nm, nm_len); 576 return 1; 577 } 578 } 579 return 0; 580 } 581 582 /* is this NXDOMAIN ? / 583* if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) { 584 /* find the qname denial NSEC record. It can tell us 585 * a closest encloser name; or that we not need bother / 586* for(i=0; i<rep->ns_numrrsets; i++) { 587 if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC) 588 continue; 589 if(val_nsec_proves_name_error(rep->rrsets[i], 590 qinfo->qname)) { 591 log_nametypeclass(VERB_ALGO, "topdomain on", 592 rep->rrsets[i]->rk.dname, 593 ntohs(rep->rrsets[i]->rk.type), 0); 594 dlv_topdomain(rep->rrsets[i], qinfo->qname, 595 nm, nm_len); 596 return 1; 597 } 598 } 599 return 0; 600 } 601 return 0; 602}