41 // the answer delivered to the application needs DNSSEC validation. If a question needs DNSSEC
43 // original question, we create another question as part of the verification process (question is part of
44 // DNSSECVerifier). This question sets "ValidatingResponse" to distinguish itself from the original
45 // question. Without this, it will be a duplicate and never sent out. The "core" almost treats both the
47 // are added to the cache, "ValidatingResponse" question gets called back as long as the typeCovered matches
48 // the question's qtype. See the comment in DNSSECRecordAnswersQuestion for the details. The other big
49 // difference is that "ValidationRequired" question kicks off the verification process by calling into
52 // VerifySignature does not retain the original question that started the verification process. It just
63 // If the original question resulted in NODATA/NXDOMAIN error, there should have been NSECs as part of the response.
73 // validation results to the original question that started the validation.
83 mDNSlocal void VerifySigCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord);
226 // Initialize the question enough so that it can be answered from the cache using SameNameRecordAnswersQuestion or
228 mDNSexport void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname,
233     if (question->ThisQInterval != -1) mDNS_StopQuery(m, question);
235     mDNS_SetupQuestion(question, InterfaceID, qname, qtype, callback, context);
236     question->qnamehash  = DomainNameHashValue(qname);
237     question->ValidatingResponse = mDNStrue;
241     // We need to set the DNS server appropriately to match the question against the cache record.
243     SetValidDNSServers(m, question);
244     question->qDNSServer = GetServerForQuestion(m, question);
248     question->TargetQID = onesID;
249     question->TimeoutQuestion = 1;
250     question->ReturnIntermed = 1;
252     question->LongLived = 0;
266     // Remember the question's name and type so that when we are done processing all
267     // the verifications, we can trace the original question back
283     // The verifier's question has to be initialized as some of the callers assume it
735             // We would expect RRSIGs, if we had previously issued the question with the
921             // looking for. We would expect RRSIGs, if we had previously issued the question
1102         // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
1104         // a CNAME and dv->rrset->rrtype would be set to CNAME and not the original question type that
1120             // DO bit set again to get the RRSIG. Normally this would happen if there was question which did not require
1121             // DNSSEC validation (ValidationRequied = 0) populated the cache and later when the ValidationRequired question
1122             // comes along, we need to get the RRSIGs. If we started off with ValidationRequired question we would have
1144         // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
1172         // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
1204         // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
2332     DNSQuestion question;
2358     mDNSPlatformMemZero(&question, sizeof(DNSQuestion));
2363     // we do it whenever we validate which happens whenever a ValidationRequired question
2368     question.ThisQInterval = -1;
2369     InitializeQuestion(m, &question, dv->InterfaceID, qname, qtype, mDNSNULL, mDNSNULL);
2370     slot = HashSlot(&question.qname);
2371     cg = CacheGroupForName(m, slot, question.qnamehash, &question.qname);
2380         if (SameNameRecordAnswersQuestion(&rr->resrec, &question))
2514         if (SameNameRecordAnswersQuestion(&rr->resrec, &question))
2516             LogDNSSEC("SetTTLRRSet: Setting the TTL %d for %s, question %##s (%s)", rrTTL, CRDisplayString(m, rr),
2517                       question.qname.c, DNSTypeName(rr->resrec.rrtype));
2723     // RRSIGs that can match the original question
2809     // 2. Walk the question list to find the matching question. The original question that started
2810     //    the DNSSEC verification may or may not be there. As long as there is a matching question
2928     // 2. Walk the question list to find the matching question. The original question that started
2929     //    the DNSSEC verification may or may not be there. As long as there is a matching question
3071     // the original question
3108         // We assume that the verifier's question has been initialized here so that ValidateWithNSECS below
3118     // If we find a CNAME response to the question, remember what qtype
3349 mDNSlocal void VerifySigCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
3351     DNSSECVerifier *dv = (DNSSECVerifier *)question->QuestionContext;
3360     // After the first ADD event, we should ideally stop the question. If we don't stop
3361     // the question, we might get more callbacks and that can cause problems. For example,
3369     // yet e.g., no RRSIGs. In that case if the question is stopped, we will never get any
3371     // the result or wait for more results. Note that the question eventually times out
3376         LogDNSSEC("VerifySigCallback: Question %##s (%s) no dnssec response", question->qname.c, DNSTypeName(question->qtype));
3377         mDNS_StopQuery(m, question);
3382     LogDNSSEC("VerifySigCallback(%p): Called with record %s for question %##s (%s)", dv, RRDisplayString(m, answer), question->qname.c,
3383         DNSTypeName(question->qtype));
3385     if ((m->timenow - question->StopTime) >= 0)
3388         LogDNSSEC("VerifySigCallback: Question %##s (%s) timed out", question->qname.c, DNSTypeName(question->qtype));
3389         mDNS_StopQuery(m, question);
3400         mDNS_StopQuery(m, question);
3418         mDNS_StopQuery(m, question);
3424     // Check whether we got any answers for the question. If there are no answers, we
3447     // 2) DNSSECRecordAnswersQuestion does not answer a question with RRSIGs matching the
3470         mDNS_StopQuery(m, question);
3473             LogDNSSEC("VerifySigCallback: Unable to find RRSIG for %##s (%s), question %##s", dv->rrset->name.c,
3474                       DNSTypeName(dv->rrset->rrtype), question->qname.c);
3483             LogDNSSEC("VerifySigCallback: ERROR!! RRVS_key dv->key non-NULL for %##s", question->qname.c);
3486             LogDNSSEC("VerifySigCallback: RRVS_key rrset type %s, %##s received before DNSKEY", DNSTypeName(rrtype), question->qname.c);
3489         if (rrtype != question->qtype)
3491             LogDNSSEC("VerifySigCallback: ERROR!! RRVS_key rrset type %s, %##s not matching qtype %d", DNSTypeName(rrtype), question->qname.c,
3492                 question->qtype);
3495         mDNS_StopQuery(m, question);
3498             LogDNSSEC("VerifySigCallback: Unable to find DNSKEY for %##s (%s), question %##s", dv->rrset->name.c,
3499                       DNSTypeName(dv->rrset->rrtype), question->qname.c);
3509             LogDNSSEC("VerifySigCallback: ERROR!! RRVS_rrsig_key dv->key NULL for %##s", question->qname.c);
3510         if (rrtype == question->qtype)
3512             LogDNSSEC("VerifySigCallback: RRVS_rrsig_key rrset type %s, %##s", DNSTypeName(rrtype), question->qname.c);
3518             LogDNSSEC("VerifySigCallback: RRVS_rrsig_key rrset type %s, %##s not matching qtype %d", DNSTypeName(rrtype), question->qname.c,
3519                 question->qtype);
3522         mDNS_StopQuery(m, question);
3525             LogDNSSEC("VerifySigCallback: Unable to find RRSIG for %##s (%s), question %##s", dv->rrset->name.c,
3526                       DNSTypeName(dv->rrset->rrtype), question->qname.c);
3532         if (rrtype == question->qtype)
3534             LogDNSSEC("VerifySigCallback: RRVS_ds rrset type %s, %##s", DNSTypeName(rrtype), question->qname.c);
3538             LogDNSSEC("VerifySigCallback: RRVS_ds rrset type %s, %##s received before DS", DNSTypeName(rrtype), question->qname.c);
3540         mDNS_StopQuery(m, question);
3546             LogDNSSEC("VerifySigCallback: Unable find DS for %##s (%s), question %##s", dv->rrset->name.c,
3547                       DNSTypeName(dv->rrset->rrtype), question->qname.c);
3566         LogDNSSEC("VerifySigCallback: ERROR!! default case rrset %##s question %##s", dv->rrset->name.c, question->qname.c);
3567         mDNS_StopQuery(m, question);
3683     // Stop the question before we schedule the block so that we don't receive additional
3722 mDNSlocal void ProveInsecureCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
3724     InsecureContext *ic = (InsecureContext *)question->QuestionContext;
3734     if ((m->timenow - question->StopTime) >= 0)
3737         LogDNSSEC("ProveInsecureCallback: Question %##s (%s) timed out", question->qname.c, DNSTypeName(question->qtype));
3747         LogDNSSEC("ProveInsecureCallback: Question %##s (%s), AddRecord %d, answer %s", question->qname.c,
3748             DNSTypeName(question->qtype), AddRecord, RRDisplayString(m, answer));
3752     LogDNSSEC("ProveInsecureCallback: ic %p Question %##s (%s), DNSSEC status %s", ic, question->qname.c, DNSTypeName(question->qtype),
3753             DNSSECStatusName(question->ValidationStatus));
3756     if (question->ValidationStatus != DNSSEC_Secure && question->ValidationStatus != DNSSEC_Insecure)
3758         LogDNSSEC("ProveInsecureCallback: Question %##s (%s) returned DNSSEC status %s", question->qname.c,
3759             DNSTypeName(question->qtype), DNSSECStatusName(question->ValidationStatus));
3762     ac = (AuthChain *)question->DNSSECAuthInfo;
3765         LogDNSSEC("ProveInsecureCallback: ac NULL for question %##s, %s", question->qname.c, DNSTypeName(question->qtype));
3770         LogDNSSEC("ProveInsecureCallback: ac->rrset NULL for question %##s, %s", question->qname.c, DNSTypeName(question->qtype));
3780     question->DNSSECAuthInfo = mDNSNULL;
3799         if (SameDomainName(&question->qname, &pdv->origName))
3801             LogDNSSEC("ProveInsecureCallback: Insecure proof reached original name %##s, error", question->qname.c);
3814             cr = NSECRecordIsDelegation(m, &question->qname, question->qtype);
3816             cr = NSEC3RecordIsDelegation(m, &question->qname, question->qtype);
3820 				question->qname.c, DNSTypeName(question->qtype));
3825         if (!SameDomainName(&question->qname, &pdv->origName))
3827             LogDNSSEC("ProveInsecureCallback: Not a delegation %##s (%s), go one more level down", question->qname.c, DNSTypeName(question->qtype));
3837              LogDNSSEC("ProveInsecureCallback: Not a delegation %##s (%s), but reached original name", question->qname.c,
3838                  DNSTypeName(question->qtype));
4093 mDNSexport void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname, mDNSu16 qtype, mDNSQuestionCallback *callback, void *context)
4096     (void) question;

Indexes created Thu Jun 27 20:29:42 MDT 2024