1/* $NetBSD: validator.h,v 1.9 2024/02/21 22:52:11 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16#pragma once 17 18/***** 19***** Module Info 20*****/ 21 22/*! \file dns/validator.h 23 * 24 * \brief 25 * DNS Validator 26 * This is the BIND 9 validator, the module responsible for validating the 27 * rdatasets and negative responses (messages). It makes use of zones in 28 * the view and may fetch RRset to complete trust chains. It implements 29 * DNSSEC as specified in RFC 4033, 4034 and 4035. 30 * 31 * Correct operation is critical to preventing spoofed answers from secure 32 * zones being accepted. 33 * 34 * MP: 35 *\li The module ensures appropriate synchronization of data structures it 36 * creates and manipulates. 37 * 38 * Reliability: 39 *\li No anticipated impact. 40 * 41 * Resources: 42 *\li TBS 43 * 44 * Security: 45 *\li No anticipated impact. 46 * 47 * Standards: 48 *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. 49 */ 50 51#include <stdbool.h> 52 53#include <isc/event.h> 54#include <isc/lang.h> 55#include <isc/mutex.h> 56 57#include <dns/fixedname.h> 58#include <dns/rdataset.h> 59#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */ 60#include <dns/types.h> 61 62#include <dst/dst.h> 63 64/*% 65 * A dns_validatorevent_t is sent when a 'validation' completes. 66 * \brief 67 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were 68 * supplied when dns_validator_create() was called. They are returned to the 69 * caller so that they may be freed. 70 * 71 * If the RESULT is ISC_R_SUCCESS and the answer is secure then 72 * proofs[] will contain the names of the NSEC records that hold the 73 * various proofs. Note the same name may appear multiple times. 74 */ 75typedef struct dns_validatorevent { 76 ISC_EVENT_COMMON(struct dns_validatorevent); 77 dns_validator_t *validator; 78 isc_result_t result; 79 /* 80 * Name and type of the response to be validated. 81 */ 82 dns_name_t *name; 83 dns_rdatatype_t type; 84 /* 85 * Rdata and RRSIG (if any) for positive responses. 86 */ 87 dns_rdataset_t *rdataset; 88 dns_rdataset_t *sigrdataset; 89 /* 90 * The full response. Required for negative responses. 91 * Also required for positive wildcard responses. 92 */ 93 dns_message_t *message; 94 /* 95 * Proofs to be cached. 96 */ 97 dns_name_t *proofs[4]; 98 /* 99 * Optout proof seen. 100 */ 101 bool optout; 102 /* 103 * Answer is secure. 104 */ 105 bool secure; 106} dns_validatorevent_t; 107 108#define DNS_VALIDATOR_NOQNAMEPROOF 0 109#define DNS_VALIDATOR_NODATAPROOF 1 110#define DNS_VALIDATOR_NOWILDCARDPROOF 2 111#define DNS_VALIDATOR_CLOSESTENCLOSER 3 112 113/*% 114 * A validator object represents a validation in progress. 115 * \brief 116 * Clients are strongly discouraged from using this type directly, with 117 * the exception of the 'link' field, which may be used directly for 118 * whatever purpose the client desires. 119 */ 120struct dns_validator { 121 /* Unlocked. */ 122 unsigned int magic; 123 isc_mutex_t lock; 124 dns_view_t *view; 125 /* Locked by lock. */ 126 unsigned int options; 127 unsigned int attributes; 128 dns_validatorevent_t *event; 129 dns_fetch_t *fetch; 130 dns_validator_t *subvalidator; 131 dns_validator_t *parent; 132 dns_keytable_t *keytable; 133 dst_key_t *key; 134 dns_rdata_rrsig_t *siginfo; 135 isc_task_t *task; 136 isc_taskaction_t action; 137 void *arg; 138 unsigned int labels; 139 dns_rdataset_t *currentset; 140 dns_rdataset_t *keyset; 141 dns_rdataset_t *dsset; 142 dns_rdataset_t fdsset; 143 dns_rdataset_t frdataset; 144 dns_rdataset_t fsigrdataset; 145 dns_fixedname_t fname; 146 dns_fixedname_t wild; 147 dns_fixedname_t closest; 148 ISC_LINK(dns_validator_t) link; 149 bool mustbesecure; 150 unsigned int depth; 151 unsigned int authcount; 152 unsigned int authfail; 153 bool failed; 154 isc_stdtime_t start; 155}; 156 157/*% 158 * dns_validator_create() options. 159 */ 160/* obsolete: #define DNS_VALIDATOR_DLV 0x0001U */ 161#define DNS_VALIDATOR_DEFER 0x0002U 162#define DNS_VALIDATOR_NOCDFLAG 0x0004U 163#define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */ 164 165ISC_LANG_BEGINDECLS 166 167isc_result_t 168dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, 169 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 170 dns_message_t *message, unsigned int options, 171 isc_task_t *task, isc_taskaction_t action, void *arg, 172 dns_validator_t **validatorp); 173/*%< 174 * Start a DNSSEC validation. 175 * 176 * This validates a response to the question given by 177 * 'name' and 'type'. 178 * 179 * To validate a positive response, the response data is 180 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' 181 * is NULL, the data is presumed insecure and an attempt 182 * is made to prove its insecurity by finding the appropriate 183 * null key. 184 * 185 * The complete response message may be given in 'message', 186 * to make available any authority section NSECs that may be 187 * needed for validation of a response resulting from a 188 * wildcard expansion (though no such wildcard validation 189 * is implemented yet). If the complete response message 190 * is not available, 'message' is NULL. 191 * 192 * To validate a negative response, the complete negative response 193 * message is given in 'message'. The 'rdataset', and 194 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' 195 * arguments must be provided. 196 * 197 * The validation is performed in the context of 'view'. 198 * 199 * When the validation finishes, a dns_validatorevent_t with 200 * the given 'action' and 'arg' are sent to 'task'. 201 * Its 'result' field will be ISC_R_SUCCESS iff the 202 * response was successfully proven to be either secure or 203 * part of a known insecure domain. 204 */ 205 206void 207dns_validator_send(dns_validator_t *validator); 208/*%< 209 * Send a deferred validation request 210 * 211 * Requires: 212 * 'validator' to points to a valid DNSSEC validator. 213 */ 214 215void 216dns_validator_cancel(dns_validator_t *validator); 217/*%< 218 * Cancel a DNSSEC validation in progress. 219 * 220 * Requires: 221 *\li 'validator' points to a valid DNSSEC validator, which 222 * may or may not already have completed. 223 * 224 * Ensures: 225 *\li It the validator has not already sent its completion 226 * event, it will send it with result code ISC_R_CANCELED. 227 */ 228 229void 230dns_validator_destroy(dns_validator_t **validatorp); 231/*%< 232 * Destroy a DNSSEC validator. 233 * 234 * Requires: 235 *\li '*validatorp' points to a valid DNSSEC validator. 236 * \li The validator must have completed and sent its completion 237 * event. 238 * 239 * Ensures: 240 *\li All resources used by the validator are freed. 241 */ 242 243ISC_LANG_ENDDECLS 244