1/*
2 * validator/val_nsec.c - validator NSEC denial of existance functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions help with NSEC checking, the different NSEC proofs
41 * for denial of existance, and proofs for presence of types.
42 */
43#include "config.h"
44#include "validator/val_nsec.h"
45#include "validator/val_utils.h"
46#include "util/data/msgreply.h"
47#include "util/data/dname.h"
48#include "util/net_help.h"
49#include "util/module.h"
50#include "services/cache/rrset.h"
51
52/** get ttl of rrset */
53static uint32_t
54rrset_get_ttl(struct ub_packed_rrset_key* k)
55{
56 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
57 return d->ttl;
58}
59
60int
61nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
62{
63 /* Check type present in NSEC typemap with bitmap arg */
64 /* bitmasks for determining type-lowerbits presence */
65 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
66 uint8_t type_window = type>>8;
67 uint8_t type_low = type&0xff;
68 uint8_t win, winlen;
69 /* read each of the type bitmap windows and see if the searched
70 * type is amongst it */
71 while(len > 0) {
72 if(len < 3) /* bad window, at least window# winlen bitmap */
73 return 0;
74 win = *bitmap++;
75 winlen = *bitmap++;
76 len -= 2;
77 if(len < winlen || winlen < 1 || winlen > 32)
78 return 0; /* bad window length */
79 if(win == type_window) {
80 /* search window bitmap for the correct byte */
81 /* mybyte is 0 if we need the first byte */
82 size_t mybyte = type_low>>3;
83 if(winlen <= mybyte)
84 return 0; /* window too short */
85 return (int)(bitmap[mybyte] & masks[type_low&0x7]);
86 } else {
87 /* not the window we are looking for */
88 bitmap += winlen;
89 len -= winlen;
90 }
91 }
92 /* end of bitmap reached, no type found */
93 return 0;
94}
95
96int
97nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
98{
99 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
100 entry.data;
101 size_t len;
102 if(!d || d->count == 0 || d->rr_len[0] < 2+1)
103 return 0;
104 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
105 if(!len)
106 return 0;
107 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
108 d->rr_len[0]-2-len, type);
109}
110
111/**
112 * Get next owner name from nsec record
113 * @param nsec: the nsec RRset.
114 * If there are multiple RRs, then this will only return one of them.
115 * @param nm: the next name is returned.
116 * @param ln: length of nm is returned.
117 * @return false on a bad NSEC RR (too short, malformed dname).
118 */
119static int
120nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
121{
122 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
123 entry.data;
124 if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
125 *nm = 0;
126 *ln = 0;
127 return 0;
128 }
129 *nm = d->rr_data[0]+2;
130 *ln = dname_valid(*nm, d->rr_len[0]-2);
131 if(!*ln) {
132 *nm = 0;
133 *ln = 0;
134 return 0;
135 }
136 return 1;
137}
138
139/**
140 * For an NSEC that matches the DS queried for, check absence of DS type.
141 *
142 * @param nsec: NSEC for proof, must be trusted.
143 * @param qinfo: what is queried for.
144 * @return if secure the nsec proves that no DS is present, or
145 * insecure if it proves it is not a delegation point.
146 * or bogus if something was wrong.
147 */
148static enum sec_status
149val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
150 struct query_info* qinfo)
151{
152 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
153 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
154
155 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
156 /* SOA present means that this is the NSEC from the child,
157 * not the parent (so it is the wrong one). */
158 return sec_status_bogus;
159 }
160 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
161 /* DS present means that there should have been a positive
162 * response to the DS query, so there is something wrong. */
163 return sec_status_bogus;
164 }
165
166 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
167 /* If there is no NS at this point at all, then this
168 * doesn't prove anything one way or the other. */
169 return sec_status_insecure;
170 }
171 /* Otherwise, this proves no DS. */
172 return sec_status_secure;
173}
174
175/** check security status from cache or verify rrset, returns true if secure */
176static int
177nsec_verify_rrset(struct module_env* env, struct val_env* ve,
178 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
179 char** reason)
180{
181 struct packed_rrset_data* d = (struct packed_rrset_data*)
182 nsec->entry.data;
183 if(d->security == sec_status_secure)
184 return 1;
185 rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
186 if(d->security == sec_status_secure)
187 return 1;
188 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
189 if(d->security == sec_status_secure) {
190 rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
191 return 1;
192 }
193 return 0;
194}
195
196enum sec_status
197val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
198 struct query_info* qinfo, struct reply_info* rep,
199 struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
200{
201 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
202 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
203 qinfo->qclass);
204 enum sec_status sec;
205 size_t i;
206 uint8_t* wc = NULL, *ce = NULL;
207 int valid_nsec = 0;
208 struct ub_packed_rrset_key* wc_nsec = NULL;
209
210 /* If we have a NSEC at the same name, it must prove one
211 * of two things
212 * --
213 * 1) this is a delegation point and there is no DS
214 * 2) this is not a delegation point */
215 if(nsec) {
216 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
217 verbose(VERB_ALGO, "NSEC RRset for the "
218 "referral did not verify.");
219 return sec_status_bogus;
220 }
221 sec = val_nsec_proves_no_ds(nsec, qinfo);
222 if(sec == sec_status_bogus) {
223 /* something was wrong. */
224 *reason = "NSEC does not prove absence of DS";
225 return sec;
226 } else if(sec == sec_status_insecure) {
227 /* this wasn't a delegation point. */
228 return sec;
229 } else if(sec == sec_status_secure) {
230 /* this proved no DS. */
231 *proof_ttl = ub_packed_rrset_ttl(nsec);
232 return sec;
233 }
234 /* if unchecked, fall through to next proof */
235 }
236
237 /* Otherwise, there is no NSEC at qname. This could be an ENT.
238 * (ENT=empty non terminal). If not, this is broken. */
239
240 /* verify NSEC rrsets in auth section */
241 for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
242 i++) {
243 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
244 continue;
245 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
246 verbose(VERB_ALGO, "NSEC for empty non-terminal "
247 "did not verify.");
248 return sec_status_bogus;
249 }
250 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
251 verbose(VERB_ALGO, "NSEC for empty non-terminal "
252 "proved no DS.");
253 *proof_ttl = rrset_get_ttl(rep->rrsets[i]);
254 if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
255 wc_nsec = rep->rrsets[i];
256 valid_nsec = 1;
257 }
258 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
259 ce = nsec_closest_encloser(qinfo->qname,
260 rep->rrsets[i]);
261 }
262 }
263 if(wc && !ce)
264 valid_nsec = 0;
265 else if(wc && ce) {
266 /* ce and wc must match */
267 if(query_dname_compare(wc, ce) != 0)
268 valid_nsec = 0;
269 else if(!wc_nsec)
270 valid_nsec = 0;
271 }
272 if(valid_nsec) {
273 if(wc) {
274 /* check if this is a delegation */
275 *reason = "NSEC for wildcard does not prove absence of DS";
276 return val_nsec_proves_no_ds(wc_nsec, qinfo);
277 }
278 /* valid nsec proves empty nonterminal */
279 return sec_status_insecure;
280 }
281
282 /* NSEC proof did not conlusively point to DS or no DS */
283 return sec_status_unchecked;
284}
285
286int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
287 struct query_info* qinfo, uint8_t** wc)
288{
289 log_assert(wc);
290 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
291 uint8_t* nm;
292 size_t ln;
293
294 /* empty-non-terminal checking.
295 * Done before wildcard, because this is an exact match,
296 * and would prevent a wildcard from matching. */
297
298 /* If the nsec is proving that qname is an ENT, the nsec owner
299 * will be less than qname, and the next name will be a child
300 * domain of the qname. */
301 if(!nsec_get_next(nsec, &nm, &ln))
302 return 0; /* bad nsec */
303 if(dname_strict_subdomain_c(nm, qinfo->qname) &&
304 dname_canonical_compare(nsec->rk.dname,
305 qinfo->qname) < 0) {
306 return 1; /* proves ENT */
307 }
308
309 /* wildcard checking. */
310
311 /* If this is a wildcard NSEC, make sure that a) it was
312 * possible to have generated qname from the wildcard and
313 * b) the type map does not contain qtype. Note that this
314 * does NOT prove that this wildcard was the applicable
315 * wildcard. */
316 if(dname_is_wild(nsec->rk.dname)) {
317 /* the purported closest encloser. */
318 uint8_t* ce = nsec->rk.dname;
319 size_t ce_len = nsec->rk.dname_len;
320 dname_remove_label(&ce, &ce_len);
321
322 /* The qname must be a strict subdomain of the
323 * closest encloser, for the wildcard to apply
324 */
325 if(dname_strict_subdomain_c(qinfo->qname, ce)) {
326 /* here we have a matching NSEC for the qname,
327 * perform matching NSEC checks */
328 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
329 /* should have gotten the wildcard CNAME */
330 return 0;
331 }
332 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
333 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
334 /* wrong parentside (wildcard) NSEC used */
335 return 0;
336 }
337 if(nsec_has_type(nsec, qinfo->qtype)) {
338 return 0;
339 }
340 *wc = ce;
341 return 1;
342 }
343 }
344
345 /* Otherwise, this NSEC does not prove ENT and is not a
346 * wildcard, so it does not prove NODATA. */
347 return 0;
348 }
349
350 /* If the qtype exists, then we should have gotten it. */
351 if(nsec_has_type(nsec, qinfo->qtype)) {
352 return 0;
353 }
354
355 /* if the name is a CNAME node, then we should have gotten the CNAME*/
356 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
357 return 0;
358 }
359
360 /* If an NS set exists at this name, and NOT a SOA (so this is a
361 * zone cut, not a zone apex), then we should have gotten a
362 * referral (or we just got the wrong NSEC).
363 * The reverse of this check is used when qtype is DS, since that
364 * must use the NSEC from above the zone cut. */
365 if(qinfo->qtype != LDNS_RR_TYPE_DS &&
366 nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
367 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
368 return 0;
369 } else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
370 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&
371 !dname_is_root(qinfo->qname)) {
372 return 0;
373 }
374
375 return 1;
376}
377
378int
379val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
380{
381 uint8_t* owner = nsec->rk.dname;
382 uint8_t* next;
383 size_t nlen;
384 if(!nsec_get_next(nsec, &next, &nlen))
385 return 0;
386
387 /* If NSEC owner == qname, then this NSEC proves that qname exists. */
388 if(query_dname_compare(qname, owner) == 0) {
389 return 0;
390 }
391
392 /* If NSEC is a parent of qname, we need to check the type map
393 * If the parent name has a DNAME or is a delegation point, then
394 * this NSEC is being misused. */
395 if(dname_subdomain_c(qname, owner) &&
396 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
397 (nsec_has_type(nsec, LDNS_RR_TYPE_NS)
398 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
399 )) {
400 return 0;
401 }
402
403 if(query_dname_compare(owner, next) == 0) {
404 /* this nsec is the only nsec */
405 /* zone.name NSEC zone.name, disproves everything else */
406 /* but only for subdomains of that zone */
407 if(dname_strict_subdomain_c(qname, next))
408 return 1;
409 }
410 else if(dname_canonical_compare(owner, next) > 0) {
411 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
412 /* the names after the last (owner) name do not exist
413 * there are no names before the zone name in the zone
414 * but the qname must be a subdomain of the zone name(next). */
415 if(dname_canonical_compare(owner, qname) < 0 &&
416 dname_strict_subdomain_c(qname, next))
417 return 1;
418 } else {
419 /* regular NSEC, (smaller) NSEC (larger) */
420 if(dname_canonical_compare(owner, qname) < 0 &&
421 dname_canonical_compare(qname, next) < 0) {
422 return 1;
423 }
424 }
425 return 0;
426}
427
428int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
429 struct query_info* qinfo)
430{
431 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
432 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
433 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
434 /* see if nsec signals an insecure delegation */
435 if(qinfo->qtype == LDNS_RR_TYPE_DS) {
436 /* if type is DS and qname is equal to nsec, then it
437 * is an exact match nsec, result not insecure */
438 if(dname_strict_subdomain_c(qinfo->qname,
439 nsec->rk.dname))
440 return 1;
441 } else {
442 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
443 return 1;
444 }
445 }
446 return 0;
447}
448
449uint8_t*
450nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
451{
452 uint8_t* next;
453 size_t nlen;
454 uint8_t* common1, *common2;
455 if(!nsec_get_next(nsec, &next, &nlen))
456 return NULL;
457 /* longest common with owner or next name */
458 common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
459 common2 = dname_get_shared_topdomain(next, qname);
460 if(dname_count_labels(common1) > dname_count_labels(common2))
461 return common1;
462 return common2;
463}
464
465int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
466 struct query_info* qinf, uint8_t* wc)
467{
468 uint8_t* ce;
469 /* 1) prove that qname doesn't exist and
470 * 2) that the correct wildcard was used
471 * nsec has been verified already. */
472 if(!val_nsec_proves_name_error(nsec, qinf->qname))
473 return 0;
474 /* check wildcard name */
475 ce = nsec_closest_encloser(qinf->qname, nsec);
476 if(!ce)
477 return 0;
478 if(query_dname_compare(wc, ce) != 0) {
479 return 0;
480 }
481 return 1;
482}
483
484int
485val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
486 size_t qnamelen)
487{
488 /* Determine if a NSEC record proves the non-existence of a
489 * wildcard that could have produced qname. */
490 int labs;
491 int i;
492 uint8_t* ce = nsec_closest_encloser(qname, nsec);
493 uint8_t* strip;
494 size_t striplen;
495 uint8_t buf[LDNS_MAX_DOMAINLEN+3];
496 if(!ce)
497 return 0;
498 /* we can subtract the closest encloser count - since that is the
499 * largest shared topdomain with owner and next NSEC name,
500 * because the NSEC is no proof for names shorter than the owner
501 * and next names. */
502 labs = dname_count_labels(qname) - dname_count_labels(ce);
503
504 for(i=labs; i>0; i--) {
505 /* i is number of labels to strip off qname, prepend * wild */
506 strip = qname;
507 striplen = qnamelen;
508 dname_remove_labels(&strip, &striplen, i);
509 if(striplen > LDNS_MAX_DOMAINLEN-2)
510 continue; /* too long to prepend wildcard */
511 buf[0] = 1;
512 buf[1] = (uint8_t)'*';
513 memmove(buf+2, strip, striplen);
514 if(val_nsec_proves_name_error(nsec, buf)) {
515 return 1;
516 }
517 }
518 return 0;
519}
520
521/**
522 * Find shared topdomain that exists
523 */
524static void
525dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
526 uint8_t** nm, size_t* nm_len)
527{
528 /* make sure reply is part of nm */
529 /* take shared topdomain with left of NSEC. */
530
531 /* because, if empty nonterminal, then right is subdomain of qname.
532 * and any shared topdomain would be empty nonterminals.
533 *
534 * If nxdomain, then the right is bigger, and could have an
535 * interesting shared topdomain, but if it does have one, it is
536 * an empty nonterminal. An empty nonterminal shared with the left
537 * one. */
538 int n;
539 uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
540 n = dname_count_labels(*nm) - dname_count_labels(common);
541 dname_remove_labels(nm, nm_len, n);
542}
543
544int val_nsec_check_dlv(struct query_info* qinfo,
545 struct reply_info* rep, uint8_t** nm, size_t* nm_len)
546{
547 uint8_t* next;
548 size_t i, nlen;
549 int c;
550 /* we should now have a NOERROR/NODATA or NXDOMAIN message */
551 if(rep->an_numrrsets != 0) {
552 return 0;
553 }
554 /* is this NOERROR ? */
555 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
556 /* it can be a plain NSEC match - go up one more level. */
557 /* or its an empty nonterminal - go up to nonempty level */
558 for(i=0; i<rep->ns_numrrsets; i++) {
559 if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
560 !nsec_get_next(rep->rrsets[i], &next, &nlen))
561 continue;
562 c = dname_canonical_compare(
563 rep->rrsets[i]->rk.dname, qinfo->qname);
564 if(c == 0) {
565 /* plain match */
566 if(nsec_has_type(rep->rrsets[i],
567 LDNS_RR_TYPE_DLV))
568 return 0;
569 dname_remove_label(nm, nm_len);
570 return 1;
571 } else if(c < 0 &&
572 dname_strict_subdomain_c(next, qinfo->qname)) {
573 /* ENT */
574 dlv_topdomain(rep->rrsets[i], qinfo->qname,
575 nm, nm_len);
576 return 1;
577 }
578 }
579 return 0;
580 }
581
582 /* is this NXDOMAIN ? */
583 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
584 /* find the qname denial NSEC record. It can tell us
585 * a closest encloser name; or that we not need bother */
586 for(i=0; i<rep->ns_numrrsets; i++) {
587 if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
588 continue;
589 if(val_nsec_proves_name_error(rep->rrsets[i],
590 qinfo->qname)) {
591 log_nametypeclass(VERB_ALGO, "topdomain on",
592 rep->rrsets[i]->rk.dname,
593 ntohs(rep->rrsets[i]->rk.type), 0);
594 dlv_topdomain(rep->rrsets[i], qinfo->qname,
595 nm, nm_len);
596 return 1;
597 }
598 }
599 return 0;
600 }
601 return 0;
602}
2 * validator/val_nsec.c - validator NSEC denial of existance functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions help with NSEC checking, the different NSEC proofs
41 * for denial of existance, and proofs for presence of types.
42 */
43#include "config.h"
44#include "validator/val_nsec.h"
45#include "validator/val_utils.h"
46#include "util/data/msgreply.h"
47#include "util/data/dname.h"
48#include "util/net_help.h"
49#include "util/module.h"
50#include "services/cache/rrset.h"
51
52/** get ttl of rrset */
53static uint32_t
54rrset_get_ttl(struct ub_packed_rrset_key* k)
55{
56 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
57 return d->ttl;
58}
59
60int
61nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
62{
63 /* Check type present in NSEC typemap with bitmap arg */
64 /* bitmasks for determining type-lowerbits presence */
65 uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
66 uint8_t type_window = type>>8;
67 uint8_t type_low = type&0xff;
68 uint8_t win, winlen;
69 /* read each of the type bitmap windows and see if the searched
70 * type is amongst it */
71 while(len > 0) {
72 if(len < 3) /* bad window, at least window# winlen bitmap */
73 return 0;
74 win = *bitmap++;
75 winlen = *bitmap++;
76 len -= 2;
77 if(len < winlen || winlen < 1 || winlen > 32)
78 return 0; /* bad window length */
79 if(win == type_window) {
80 /* search window bitmap for the correct byte */
81 /* mybyte is 0 if we need the first byte */
82 size_t mybyte = type_low>>3;
83 if(winlen <= mybyte)
84 return 0; /* window too short */
85 return (int)(bitmap[mybyte] & masks[type_low&0x7]);
86 } else {
87 /* not the window we are looking for */
88 bitmap += winlen;
89 len -= winlen;
90 }
91 }
92 /* end of bitmap reached, no type found */
93 return 0;
94}
95
96int
97nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
98{
99 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
100 entry.data;
101 size_t len;
102 if(!d || d->count == 0 || d->rr_len[0] < 2+1)
103 return 0;
104 len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
105 if(!len)
106 return 0;
107 return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
108 d->rr_len[0]-2-len, type);
109}
110
111/**
112 * Get next owner name from nsec record
113 * @param nsec: the nsec RRset.
114 * If there are multiple RRs, then this will only return one of them.
115 * @param nm: the next name is returned.
116 * @param ln: length of nm is returned.
117 * @return false on a bad NSEC RR (too short, malformed dname).
118 */
119static int
120nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
121{
122 struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
123 entry.data;
124 if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
125 *nm = 0;
126 *ln = 0;
127 return 0;
128 }
129 *nm = d->rr_data[0]+2;
130 *ln = dname_valid(*nm, d->rr_len[0]-2);
131 if(!*ln) {
132 *nm = 0;
133 *ln = 0;
134 return 0;
135 }
136 return 1;
137}
138
139/**
140 * For an NSEC that matches the DS queried for, check absence of DS type.
141 *
142 * @param nsec: NSEC for proof, must be trusted.
143 * @param qinfo: what is queried for.
144 * @return if secure the nsec proves that no DS is present, or
145 * insecure if it proves it is not a delegation point.
146 * or bogus if something was wrong.
147 */
148static enum sec_status
149val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
150 struct query_info* qinfo)
151{
152 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
153 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
154
155 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
156 /* SOA present means that this is the NSEC from the child,
157 * not the parent (so it is the wrong one). */
158 return sec_status_bogus;
159 }
160 if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
161 /* DS present means that there should have been a positive
162 * response to the DS query, so there is something wrong. */
163 return sec_status_bogus;
164 }
165
166 if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
167 /* If there is no NS at this point at all, then this
168 * doesn't prove anything one way or the other. */
169 return sec_status_insecure;
170 }
171 /* Otherwise, this proves no DS. */
172 return sec_status_secure;
173}
174
175/** check security status from cache or verify rrset, returns true if secure */
176static int
177nsec_verify_rrset(struct module_env* env, struct val_env* ve,
178 struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
179 char** reason)
180{
181 struct packed_rrset_data* d = (struct packed_rrset_data*)
182 nsec->entry.data;
183 if(d->security == sec_status_secure)
184 return 1;
185 rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
186 if(d->security == sec_status_secure)
187 return 1;
188 d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
189 if(d->security == sec_status_secure) {
190 rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
191 return 1;
192 }
193 return 0;
194}
195
196enum sec_status
197val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
198 struct query_info* qinfo, struct reply_info* rep,
199 struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
200{
201 struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
202 rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
203 qinfo->qclass);
204 enum sec_status sec;
205 size_t i;
206 uint8_t* wc = NULL, *ce = NULL;
207 int valid_nsec = 0;
208 struct ub_packed_rrset_key* wc_nsec = NULL;
209
210 /* If we have a NSEC at the same name, it must prove one
211 * of two things
212 * --
213 * 1) this is a delegation point and there is no DS
214 * 2) this is not a delegation point */
215 if(nsec) {
216 if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
217 verbose(VERB_ALGO, "NSEC RRset for the "
218 "referral did not verify.");
219 return sec_status_bogus;
220 }
221 sec = val_nsec_proves_no_ds(nsec, qinfo);
222 if(sec == sec_status_bogus) {
223 /* something was wrong. */
224 *reason = "NSEC does not prove absence of DS";
225 return sec;
226 } else if(sec == sec_status_insecure) {
227 /* this wasn't a delegation point. */
228 return sec;
229 } else if(sec == sec_status_secure) {
230 /* this proved no DS. */
231 *proof_ttl = ub_packed_rrset_ttl(nsec);
232 return sec;
233 }
234 /* if unchecked, fall through to next proof */
235 }
236
237 /* Otherwise, there is no NSEC at qname. This could be an ENT.
238 * (ENT=empty non terminal). If not, this is broken. */
239
240 /* verify NSEC rrsets in auth section */
241 for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
242 i++) {
243 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
244 continue;
245 if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
246 verbose(VERB_ALGO, "NSEC for empty non-terminal "
247 "did not verify.");
248 return sec_status_bogus;
249 }
250 if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
251 verbose(VERB_ALGO, "NSEC for empty non-terminal "
252 "proved no DS.");
253 *proof_ttl = rrset_get_ttl(rep->rrsets[i]);
254 if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
255 wc_nsec = rep->rrsets[i];
256 valid_nsec = 1;
257 }
258 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
259 ce = nsec_closest_encloser(qinfo->qname,
260 rep->rrsets[i]);
261 }
262 }
263 if(wc && !ce)
264 valid_nsec = 0;
265 else if(wc && ce) {
266 /* ce and wc must match */
267 if(query_dname_compare(wc, ce) != 0)
268 valid_nsec = 0;
269 else if(!wc_nsec)
270 valid_nsec = 0;
271 }
272 if(valid_nsec) {
273 if(wc) {
274 /* check if this is a delegation */
275 *reason = "NSEC for wildcard does not prove absence of DS";
276 return val_nsec_proves_no_ds(wc_nsec, qinfo);
277 }
278 /* valid nsec proves empty nonterminal */
279 return sec_status_insecure;
280 }
281
282 /* NSEC proof did not conlusively point to DS or no DS */
283 return sec_status_unchecked;
284}
285
286int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
287 struct query_info* qinfo, uint8_t** wc)
288{
289 log_assert(wc);
290 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
291 uint8_t* nm;
292 size_t ln;
293
294 /* empty-non-terminal checking.
295 * Done before wildcard, because this is an exact match,
296 * and would prevent a wildcard from matching. */
297
298 /* If the nsec is proving that qname is an ENT, the nsec owner
299 * will be less than qname, and the next name will be a child
300 * domain of the qname. */
301 if(!nsec_get_next(nsec, &nm, &ln))
302 return 0; /* bad nsec */
303 if(dname_strict_subdomain_c(nm, qinfo->qname) &&
304 dname_canonical_compare(nsec->rk.dname,
305 qinfo->qname) < 0) {
306 return 1; /* proves ENT */
307 }
308
309 /* wildcard checking. */
310
311 /* If this is a wildcard NSEC, make sure that a) it was
312 * possible to have generated qname from the wildcard and
313 * b) the type map does not contain qtype. Note that this
314 * does NOT prove that this wildcard was the applicable
315 * wildcard. */
316 if(dname_is_wild(nsec->rk.dname)) {
317 /* the purported closest encloser. */
318 uint8_t* ce = nsec->rk.dname;
319 size_t ce_len = nsec->rk.dname_len;
320 dname_remove_label(&ce, &ce_len);
321
322 /* The qname must be a strict subdomain of the
323 * closest encloser, for the wildcard to apply
324 */
325 if(dname_strict_subdomain_c(qinfo->qname, ce)) {
326 /* here we have a matching NSEC for the qname,
327 * perform matching NSEC checks */
328 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
329 /* should have gotten the wildcard CNAME */
330 return 0;
331 }
332 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
333 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
334 /* wrong parentside (wildcard) NSEC used */
335 return 0;
336 }
337 if(nsec_has_type(nsec, qinfo->qtype)) {
338 return 0;
339 }
340 *wc = ce;
341 return 1;
342 }
343 }
344
345 /* Otherwise, this NSEC does not prove ENT and is not a
346 * wildcard, so it does not prove NODATA. */
347 return 0;
348 }
349
350 /* If the qtype exists, then we should have gotten it. */
351 if(nsec_has_type(nsec, qinfo->qtype)) {
352 return 0;
353 }
354
355 /* if the name is a CNAME node, then we should have gotten the CNAME*/
356 if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
357 return 0;
358 }
359
360 /* If an NS set exists at this name, and NOT a SOA (so this is a
361 * zone cut, not a zone apex), then we should have gotten a
362 * referral (or we just got the wrong NSEC).
363 * The reverse of this check is used when qtype is DS, since that
364 * must use the NSEC from above the zone cut. */
365 if(qinfo->qtype != LDNS_RR_TYPE_DS &&
366 nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
367 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
368 return 0;
369 } else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
370 nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&
371 !dname_is_root(qinfo->qname)) {
372 return 0;
373 }
374
375 return 1;
376}
377
378int
379val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
380{
381 uint8_t* owner = nsec->rk.dname;
382 uint8_t* next;
383 size_t nlen;
384 if(!nsec_get_next(nsec, &next, &nlen))
385 return 0;
386
387 /* If NSEC owner == qname, then this NSEC proves that qname exists. */
388 if(query_dname_compare(qname, owner) == 0) {
389 return 0;
390 }
391
392 /* If NSEC is a parent of qname, we need to check the type map
393 * If the parent name has a DNAME or is a delegation point, then
394 * this NSEC is being misused. */
395 if(dname_subdomain_c(qname, owner) &&
396 (nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
397 (nsec_has_type(nsec, LDNS_RR_TYPE_NS)
398 && !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
399 )) {
400 return 0;
401 }
402
403 if(query_dname_compare(owner, next) == 0) {
404 /* this nsec is the only nsec */
405 /* zone.name NSEC zone.name, disproves everything else */
406 /* but only for subdomains of that zone */
407 if(dname_strict_subdomain_c(qname, next))
408 return 1;
409 }
410 else if(dname_canonical_compare(owner, next) > 0) {
411 /* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
412 /* the names after the last (owner) name do not exist
413 * there are no names before the zone name in the zone
414 * but the qname must be a subdomain of the zone name(next). */
415 if(dname_canonical_compare(owner, qname) < 0 &&
416 dname_strict_subdomain_c(qname, next))
417 return 1;
418 } else {
419 /* regular NSEC, (smaller) NSEC (larger) */
420 if(dname_canonical_compare(owner, qname) < 0 &&
421 dname_canonical_compare(qname, next) < 0) {
422 return 1;
423 }
424 }
425 return 0;
426}
427
428int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
429 struct query_info* qinfo)
430{
431 if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
432 !nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
433 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
434 /* see if nsec signals an insecure delegation */
435 if(qinfo->qtype == LDNS_RR_TYPE_DS) {
436 /* if type is DS and qname is equal to nsec, then it
437 * is an exact match nsec, result not insecure */
438 if(dname_strict_subdomain_c(qinfo->qname,
439 nsec->rk.dname))
440 return 1;
441 } else {
442 if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
443 return 1;
444 }
445 }
446 return 0;
447}
448
449uint8_t*
450nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
451{
452 uint8_t* next;
453 size_t nlen;
454 uint8_t* common1, *common2;
455 if(!nsec_get_next(nsec, &next, &nlen))
456 return NULL;
457 /* longest common with owner or next name */
458 common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
459 common2 = dname_get_shared_topdomain(next, qname);
460 if(dname_count_labels(common1) > dname_count_labels(common2))
461 return common1;
462 return common2;
463}
464
465int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
466 struct query_info* qinf, uint8_t* wc)
467{
468 uint8_t* ce;
469 /* 1) prove that qname doesn't exist and
470 * 2) that the correct wildcard was used
471 * nsec has been verified already. */
472 if(!val_nsec_proves_name_error(nsec, qinf->qname))
473 return 0;
474 /* check wildcard name */
475 ce = nsec_closest_encloser(qinf->qname, nsec);
476 if(!ce)
477 return 0;
478 if(query_dname_compare(wc, ce) != 0) {
479 return 0;
480 }
481 return 1;
482}
483
484int
485val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
486 size_t qnamelen)
487{
488 /* Determine if a NSEC record proves the non-existence of a
489 * wildcard that could have produced qname. */
490 int labs;
491 int i;
492 uint8_t* ce = nsec_closest_encloser(qname, nsec);
493 uint8_t* strip;
494 size_t striplen;
495 uint8_t buf[LDNS_MAX_DOMAINLEN+3];
496 if(!ce)
497 return 0;
498 /* we can subtract the closest encloser count - since that is the
499 * largest shared topdomain with owner and next NSEC name,
500 * because the NSEC is no proof for names shorter than the owner
501 * and next names. */
502 labs = dname_count_labels(qname) - dname_count_labels(ce);
503
504 for(i=labs; i>0; i--) {
505 /* i is number of labels to strip off qname, prepend * wild */
506 strip = qname;
507 striplen = qnamelen;
508 dname_remove_labels(&strip, &striplen, i);
509 if(striplen > LDNS_MAX_DOMAINLEN-2)
510 continue; /* too long to prepend wildcard */
511 buf[0] = 1;
512 buf[1] = (uint8_t)'*';
513 memmove(buf+2, strip, striplen);
514 if(val_nsec_proves_name_error(nsec, buf)) {
515 return 1;
516 }
517 }
518 return 0;
519}
520
521/**
522 * Find shared topdomain that exists
523 */
524static void
525dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
526 uint8_t** nm, size_t* nm_len)
527{
528 /* make sure reply is part of nm */
529 /* take shared topdomain with left of NSEC. */
530
531 /* because, if empty nonterminal, then right is subdomain of qname.
532 * and any shared topdomain would be empty nonterminals.
533 *
534 * If nxdomain, then the right is bigger, and could have an
535 * interesting shared topdomain, but if it does have one, it is
536 * an empty nonterminal. An empty nonterminal shared with the left
537 * one. */
538 int n;
539 uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
540 n = dname_count_labels(*nm) - dname_count_labels(common);
541 dname_remove_labels(nm, nm_len, n);
542}
543
544int val_nsec_check_dlv(struct query_info* qinfo,
545 struct reply_info* rep, uint8_t** nm, size_t* nm_len)
546{
547 uint8_t* next;
548 size_t i, nlen;
549 int c;
550 /* we should now have a NOERROR/NODATA or NXDOMAIN message */
551 if(rep->an_numrrsets != 0) {
552 return 0;
553 }
554 /* is this NOERROR ? */
555 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
556 /* it can be a plain NSEC match - go up one more level. */
557 /* or its an empty nonterminal - go up to nonempty level */
558 for(i=0; i<rep->ns_numrrsets; i++) {
559 if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
560 !nsec_get_next(rep->rrsets[i], &next, &nlen))
561 continue;
562 c = dname_canonical_compare(
563 rep->rrsets[i]->rk.dname, qinfo->qname);
564 if(c == 0) {
565 /* plain match */
566 if(nsec_has_type(rep->rrsets[i],
567 LDNS_RR_TYPE_DLV))
568 return 0;
569 dname_remove_label(nm, nm_len);
570 return 1;
571 } else if(c < 0 &&
572 dname_strict_subdomain_c(next, qinfo->qname)) {
573 /* ENT */
574 dlv_topdomain(rep->rrsets[i], qinfo->qname,
575 nm, nm_len);
576 return 1;
577 }
578 }
579 return 0;
580 }
581
582 /* is this NXDOMAIN ? */
583 if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
584 /* find the qname denial NSEC record. It can tell us
585 * a closest encloser name; or that we not need bother */
586 for(i=0; i<rep->ns_numrrsets; i++) {
587 if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
588 continue;
589 if(val_nsec_proves_name_error(rep->rrsets[i],
590 qinfo->qname)) {
591 log_nametypeclass(VERB_ALGO, "topdomain on",
592 rep->rrsets[i]->rk.dname,
593 ntohs(rep->rrsets[i]->rk.type), 0);
594 dlv_topdomain(rep->rrsets[i], qinfo->qname,
595 nm, nm_len);
596 return 1;
597 }
598 }
599 return 0;
600 }
601 return 0;
602}