clones/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2024-09-21 06:37:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Review for #759:

Browse Source 
- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
This commit is contained in:
George Thessalonikefs 2023-07-19 14:52:20 +02:00
parent f5a2a58ce3
commit 95604a90e8
40 changed files with 726 additions and 346 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
services/mesh.c
View File

@ -1234,36 +1234,34 @@ mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
}
static inline int
mesh_is_udp(struct mesh_reply const* r) {
mesh_is_udp(struct mesh_reply const* r)
{
return r->query_reply.c->type == comm_udp;
}
static inline void
mesh_find_and_attach_ede_and_reason(struct mesh_state* m,
struct reply_info* rep, struct mesh_reply* r) {
char *reason = m->s.env->cfg->val_log_level >= 2
? errinf_to_str_bogus(&m->s) : NULL;
/* During validation the EDE code can be received via two
struct reply_info* rep, struct mesh_reply* r)
{
/* OLD note:
* During validation the EDE code can be received via two
* code paths. One code path fills the reply_info EDE, and
* the other fills it in the errinf_strlist. These paths
* intersect at some points, but where is opaque due to
* the complexity of the validator. At the time of writing
* we make the choice to prefer the EDE from errinf_strlist
* but a compelling reason to do otherwise is just as valid
* NEW note:
* The compelling reason is that with caching support, the value
* in the * reply_info is cached.
* The reason members of the reply_info struct should be
* updated as they are already cached. No reason to
* try and find the EDE information in errinf anymore.
*/
sldns_ede_code reason_bogus = errinf_to_reason_bogus(&m->s);
if ((reason_bogus == LDNS_EDE_DNSSEC_BOGUS &&
rep->reason_bogus != LDNS_EDE_NONE) ||
reason_bogus == LDNS_EDE_NONE) {
reason_bogus = rep->reason_bogus;
}
if(reason_bogus != LDNS_EDE_NONE) {
if(rep->reason_bogus != LDNS_EDE_NONE) {
edns_opt_list_append_ede(&r->edns.opt_list_out,
m->s.region, reason_bogus, reason);
m->s.region, rep->reason_bogus, rep->reason_bogus_str);
}
free(reason);
}
/**

18
testdata/autotrust_init_fail.rpl vendored
View File

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -159,6 +160,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 21 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com

18
testdata/autotrust_init_failsig.rpl vendored
View File

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -147,6 +148,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 21 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com

18
testdata/autotrust_probefail.rpl vendored
View File

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 40 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/autotrust_probefailsig.rpl vendored
View File

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 40 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

35
testdata/black_ds_entry.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -586,6 +587,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@ -603,6 +621,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.sub.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901

35
testdata/black_key_entry.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -568,6 +569,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@ -585,6 +603,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.sub.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901

33
testdata/black_prime_entry.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -292,6 +293,22 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 100 TIME_PASSES ELAPSE 10
; second query should not result in going to the network.
@ -311,5 +328,21 @@ SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 121 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
STEP 122 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
SCENARIO_END

0
testdata/ede_cache_snoop_noth_auth.rpl → testdata/ede_cache_snoop_not_auth.rpl vendored
View File

187
testdata/ede_caching.rpl vendored
View File

@ -1,187 +0,0 @@
; @TODO decide if we want to keep this, or change the original test(s)
; This test is a copy of autotrust_probefail, where the query is executed twide
; config options
server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
AUTOTRUST_FILE example.com
; autotrust trust anchor file
;;id: example.com. 1
;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;next_probe_time: 1258967360 ;;Mon Nov 23 10:09:20 2009
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
AUTOTRUST_END
CONFIG_END
SCENARIO_BEGIN Test autotrust with probe failure
; K-ROOT
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. 3600 IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
SECTION AUTHORITY
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
; revoked keys
example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b}
example.com. 10800 IN DNSKEY 385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b}
; signatures
example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55710 example.com. zOSlB1iwtlP2lum1RK0WoDQrMVj0JKwk2E5Mu1okzV38hAx3Xm9IGMK6WrNkVVLmx4OkhYmdPVA95jVsFpwLMw== ;{id = 55710}
example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 16614 example.com. qP49cCYP3lvNnLBYty/JxAwHqBIGjpup5zQ7qpjPnaZpBb/TlpOhY17LBZrqD86VvBbEVz5tkxC9UrCy85ePDQ== ;{id = 16614}
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
RANGE_END
; set date/time to Mon Nov 23 09:46:40 2009
STEP 5 TIME_PASSES EVAL ${1258962400 + 7200}
STEP 6 TRAFFIC ; do the probe
STEP 7 ASSIGN t0 = ${time}
STEP 8 ASSIGN probe0 = ${range 3200 ${timeout} 3600}
STEP 9 ASSIGN tp = ${1258962400}
; the auto probing should have been done now.
STEP 11 CHECK_AUTOTRUST example.com
FILE_BEGIN
; autotrust trust anchor file
;;id: example.com. 1
;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;next_probe_time: 1258967360 ;;Mon Nov 23 10:09:20 2009
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
FILE_END
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

30
testdata/nsid_bogus.rpl vendored
View File

@ -10,6 +10,7 @@ server:
minimal-responses: no
nsid: "ascii_hopsa kidee"
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -175,4 +176,33 @@ SECTION ADDITIONAL
HEX_EDNSDATA_END
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 00 ; Length 0
HEX_EDNSDATA_END
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 0b ; Length 11
68 6F 70 73 61 20 ; "hopsa "
6B 69 64 65 65 ; "kidee"
HEX_EDNSDATA_END
ENTRY_END
SCENARIO_END

33
testdata/root_key_sentinel.rpl vendored
View File

@ -5,6 +5,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -145,6 +146,22 @@ SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 23 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
STEP 24 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
@ -161,6 +178,22 @@ SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 34 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
STEP 35 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO

19
testdata/val_cnametocloser_nosig.rpl vendored
View File

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
forward-zone:
name: "."
@ -89,11 +90,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 20 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN AAAA
ENTRY_END
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_cnametonodata_nonsec.rpl vendored
View File

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -268,4 +269,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_cnametoposnowc.rpl vendored
View File

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -261,4 +262,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_deleg_nons.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -269,4 +270,21 @@ foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
foo.www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_dnamewc.rpl vendored
View File

@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -264,4 +265,21 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

17
testdata/val_ds_cname.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -204,4 +205,20 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
SCENARIO_END

18
testdata/val_faildnskey.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -171,4 +172,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nodata_failsig.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

22
testdata/val_nodata_failwc.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@ -17,8 +18,8 @@ CONFIG_END
SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
; ns.example.com.
RANGE_BEGIN 0 100
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 185.49.140.60
; response to DNSKEY priming query
@ -69,4 +70,21 @@ _25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nokeyprime.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -161,4 +162,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

25
testdata/val_nsec3_b1_nameerror_nowc.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -140,12 +141,24 @@ SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
a.c.x.w.example. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
ENTRY_END
SCENARIO_END

18
testdata/val_nsec3_b2_nodata_nons.rpl vendored
View File

@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -138,4 +139,21 @@ ns1.example. IN MX
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ns1.example. IN MX
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=12
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ns1.example. IN MX
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nsec3_entnodata_optout_badopt.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -194,4 +195,21 @@ ent.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
ent.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
ent.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

17
testdata/val_nsec3_nods_badsig.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -234,4 +235,20 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nx_failwc.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@ -67,4 +68,21 @@ a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
a.nsecwc.nlnetlabs.nl. IN TXT
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
ENTRY_END
SCENARIO_END

18
testdata/val_nx_overreach.rpl vendored
View File

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
; Redo the query without RD to check EDE caching.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

16
testdata/val_secds_nosig.rpl vendored
View File

@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -230,4 +231,19 @@ SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
SCENARIO_END

19
testdata/val_ta_algo_missing.rpl vendored
View File

@ -11,6 +11,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@ -166,11 +167,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END

16
util/module.c
View File

@ -84,8 +84,10 @@ void errinf_ede(struct module_qstate* qstate,
const char* str, sldns_ede_code reason_bogus)
{
struct errinf_strlist* p;
if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str)
if(!str || (qstate->env->cfg->val_log_level < 2 &&
!qstate->env->cfg->log_servfail)) {
return;
}
p = (struct errinf_strlist*)regional_alloc(qstate->region, sizeof(*p));
if(!p) {
log_err("malloc failure in validator-error-info string");
@ -152,15 +154,19 @@ char* errinf_to_str_bogus(struct module_qstate* qstate)
return p;
}
/* Try to find the latest (most specific) dnssec failure */
sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate)
{
struct errinf_strlist* s;
sldns_ede_code ede = LDNS_EDE_NONE;
for(s=qstate->errinf; s; s=s->next) {
if (s->reason_bogus != LDNS_EDE_NONE) {
return s->reason_bogus;
}
if(s->reason_bogus == LDNS_EDE_NONE) continue;
if(ede != LDNS_EDE_NONE
&& ede != LDNS_EDE_DNSSEC_BOGUS
&& s->reason_bogus == LDNS_EDE_DNSSEC_BOGUS) continue;
ede = s->reason_bogus;
}
return LDNS_EDE_NONE;
return ede;
}
char* errinf_to_str_servfail(struct module_qstate* qstate)

10
validator/val_kcache.c
View File

@ -81,17 +81,11 @@ key_cache_delete(struct key_cache* kcache)
void
key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
struct module_qstate* qstate)
int copy_reason)
{
struct key_entry_key* k = key_entry_copy(kkey);
struct key_entry_key* k = key_entry_copy(kkey, copy_reason);
if(!k)
return;
if(key_entry_isbad(k) && qstate->errinf &&
qstate->env->cfg->val_log_level >= 2) {
/* on malloc failure there is simply no reason string */
key_entry_set_reason(k, errinf_to_str_bogus(qstate));
key_entry_set_reason_bogus(k, errinf_to_reason_bogus(qstate));
}
key_entry_hash(k);
slabhash_insert(kcache->slab, k->entry.hash, &k->entry,
k->entry.data, NULL);

4
validator/val_kcache.h
View File

@ -76,10 +76,10 @@ void key_cache_delete(struct key_cache* kcache);
* @param kcache: the key cache.
* @param kkey: key entry key, assumed malloced in a region, is copied
* to perform update or insertion. Its data pointer is also copied.
* @param qstate: store errinf reason in case its bad.
* @param copy_reason: if the reason string needs to be copied (allocated).
*/
void key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
struct module_qstate* qstate);
int copy_reason);
/**
* Remove an entry from the key cache.

48
validator/val_kentry.c
View File

@ -152,7 +152,7 @@ key_entry_copy_toregion(struct key_entry_key* kkey, struct regional* region)
}
struct key_entry_key*
key_entry_copy(struct key_entry_key* kkey)
key_entry_copy(struct key_entry_key* kkey, int copy_reason)
{
struct key_entry_key* newk;
if(!kkey)
@ -190,7 +190,7 @@ key_entry_copy(struct key_entry_key* kkey)
}
packed_rrset_ptr_fixup(newd->rrset_data);
}
if(d->reason) {
if(copy_reason && d->reason && *d->reason != 0) {
newd->reason = strdup(d->reason);
if(!newd->reason) {
free(newd->rrset_data);
@ -199,6 +199,8 @@ key_entry_copy(struct key_entry_key* kkey)
free(newk);
return NULL;
}
} else {
newd->reason = NULL;
}
if(d->algo) {
newd->algo = (uint8_t*)strdup((char*)d->algo);
@ -237,22 +239,6 @@ key_entry_isbad(struct key_entry_key* kkey)
return (int)(d->isbad);
}
void
key_entry_set_reason(struct key_entry_key* kkey, char* reason)
{
struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
d->reason = reason;
}
void
key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede)
{
struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
if (ede != LDNS_EDE_NONE) { /* reason_bogus init is LDNS_EDE_NONE already */
d->reason_bogus = ede;
}
}
char*
key_entry_get_reason(struct key_entry_key* kkey)
{
@ -294,6 +280,7 @@ key_entry_setup(struct regional* region,
struct key_entry_key*
key_entry_create_null(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
@ -302,8 +289,10 @@ key_entry_create_null(struct regional* region,
return NULL;
d->ttl = now + ttl;
d->isbad = 0;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;
@ -313,7 +302,9 @@ key_entry_create_null(struct regional* region,
struct key_entry_key*
key_entry_create_rrset(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now)
struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
struct key_entry_data* d;
@ -323,8 +314,10 @@ key_entry_create_rrset(struct regional* region,
return NULL;
d->ttl = rd->ttl + now;
d->isbad = 0;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = ntohs(rrset->rk.type);
d->rrset_data = (struct packed_rrset_data*)regional_alloc_init(region,
rd, packed_rrset_sizeof(rd));
@ -341,7 +334,8 @@ key_entry_create_rrset(struct regional* region,
struct key_entry_key*
key_entry_create_bad(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
@ -350,8 +344,10 @@ key_entry_create_bad(struct regional* region,
return NULL;
d->ttl = now + ttl;
d->isbad = 1;
d->reason = NULL;
d->reason_bogus = LDNS_EDE_NONE;
d->reason = (!reason || *reason == 0)
?NULL :(char*)regional_strdup(region, reason);
/* On allocation error we don't store the reason string */
d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;

37
validator/val_kentry.h
View File

@ -120,9 +120,11 @@ struct key_entry_key* key_entry_copy_toregion(struct key_entry_key* kkey,
/**
* Copy a key entry, malloced.
* @param kkey: the key entry key (and data pointer) to copy.
* @param copy_reason: if the reason string needs to be copied (allocated).
* @return newly allocated entry or NULL on a failure to allocate memory.
*/
struct key_entry_key* key_entry_copy(struct key_entry_key* kkey);
struct key_entry_key* key_entry_copy(struct key_entry_key* kkey,
int copy_reason);
/**
* See if this is a null entry. Does not do locking.
@ -145,23 +147,6 @@ int key_entry_isgood(struct key_entry_key* kkey);
*/
int key_entry_isbad(struct key_entry_key* kkey);
/**
* Set reason why a key is bad.
* @param kkey: bad key.
* @param reason: string to attach, you must allocate it.
* Not safe to call twice unless you deallocate it yourself.
*/
void key_entry_set_reason(struct key_entry_key* kkey, char* reason);
/**
* Set the EDE (RFC8914) code why the key is bad, if it
* exists (so not LDNS_EDE_NONE).
* @param kkey: bad key.
* @param ede: EDE code to attach to this key.
*/
void key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede);
/**
* Get reason why a key is bad.
* @param kkey: bad key
@ -184,11 +169,14 @@ sldns_ede_code key_entry_get_reason_bogus(struct key_entry_key* kkey);
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
* @param reason_bogus: accompanying EDE code.
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_null(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
@ -199,12 +187,16 @@ struct key_entry_key* key_entry_create_null(struct regional* region,
* @param dclass: class of key entry. (host order);
* @param rrset: data for key entry. This is copied to the region.
* @param sigalg: signalled algorithm list (or NULL).
* @param reason_bogus: accompanying EDE code (usually LDNS_EDE_NONE).
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl of rrset)
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_rrset(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now);
uint8_t* name, size_t namelen, uint16_t dclass,
struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
* Create a bad entry, in the given region.
@ -213,11 +205,14 @@ struct key_entry_key* key_entry_create_rrset(struct regional* region,
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
* @param reason_bogus: accompanying EDE code.
* @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_bad(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**

19
validator/val_nsec.c
View File

@ -174,9 +174,10 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
/** check security status from cache or verify rrset, returns true if secure */
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason, struct module_qstate* qstate)
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason, sldns_ede_code* reason_bogus,
struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
@ -187,7 +188,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
NULL, LDNS_SECTION_AUTHORITY, qstate);
reason_bogus, LDNS_SECTION_AUTHORITY, qstate);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
@ -199,7 +200,7 @@ enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
struct module_qstate* qstate)
sldns_ede_code* reason_bogus, struct module_qstate* qstate)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
@ -216,7 +217,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason,
reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
@ -225,6 +227,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
if(sec == sec_status_bogus) {
/* something was wrong. */
*reason = "NSEC does not prove absence of DS";
*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
return sec;
} else if(sec == sec_status_insecure) {
/* this wasn't a delegation point. */
@ -246,9 +249,11 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
qstate)) {
reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
*reason = "NSEC for empty non-terminal "
"did not verify.";
return sec_status_bogus;
}
if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {

5
validator/val_nsec.h
View File

@ -44,6 +44,7 @@
#ifndef VALIDATOR_VAL_NSEC_H
#define VALIDATOR_VAL_NSEC_H
#include "util/data/packed_rrset.h"
#include "sldns/rrdef.h"
struct val_env;
struct module_env;
struct module_qstate;
@ -65,6 +66,7 @@ struct key_entry_key;
* @param kkey: key entry to use for verification of signatures.
* @param proof_ttl: if secure, the TTL of how long this proof lasts.
* @param reason: string explaining why bogus.
* @param reason_bogus: relevant EDE code for validation failure.
* @param qstate: qstate with region.
* @return security status.
* SECURE: proved absence of DS.
@ -75,7 +77,8 @@ struct key_entry_key;
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
struct val_env* ve, struct query_info* qinfo,
struct reply_info* rep, struct key_entry_key* kkey,
time_t* proof_ttl, char** reason, struct module_qstate* qstate);
time_t* proof_ttl, char** reason, sldns_ede_code* reason_bogus,
struct module_qstate* qstate);
/**
* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.

4
validator/val_sigcrypt.c
View File

@ -718,9 +718,9 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) {
*reason = "signature missing";
*reason = "signatures bogus";
if(reason_bogus)
*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
} else if(numchecked == numindeterminate) {
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
"refusal by cryptolib");

19
validator/val_utils.c
View File

@ -587,16 +587,18 @@ val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
return key_entry_create_rrset(region,
ds_rrset->rk.dname, ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, *env->now);
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL,
*env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len,
ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class),
rrset_get_ttl(ds_rrset), *env->now);
rrset_get_ttl(ds_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *env->now);
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
enum sec_status
@ -694,7 +696,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
has_useful_ta = 1;
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate);
ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
@ -743,16 +745,17 @@ val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
return key_entry_create_rrset(region,
dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, *env->now);
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class),
rrset_get_ttl(dnskey_rrset), *env->now);
rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *env->now);
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
int

122
validator/validator.c
View File

@ -70,16 +70,16 @@ static void process_ds_response(struct module_qstate* qstate,
struct query_info* qinfo, struct sock_list* origin);
/* Updates the suplied EDE (RFC8914) code selectively so we don't loose
* a more specific code
*/
/* Updates the suplied EDE (RFC8914) code selectively so we don't lose
* a more specific code */
static void
update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus)
{
if (rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS ||
rep->reason_bogus == LDNS_EDE_NONE) {
rep->reason_bogus = reason_bogus;
}
if(reason_bogus == LDNS_EDE_NONE) return;
if(reason_bogus == LDNS_EDE_DNSSEC_BOGUS
&& rep->reason_bogus != LDNS_EDE_NONE
&& rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS) return;
rep->reason_bogus = reason_bogus;
}
@ -1672,20 +1672,13 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
vq->state = VAL_FINISHED_STATE;
return 1;
} else if(key_entry_isbad(vq->key_entry)) {
sldns_ede_code ede = LDNS_EDE_DNSSEC_BOGUS;
/* the key could have a more spefic EDE than just bogus */
if(key_entry_get_reason_bogus(vq->key_entry) != LDNS_EDE_NONE) {
ede = key_entry_get_reason_bogus(vq->key_entry);
}
/* Bad keys should have the relevant EDE code and text */
sldns_ede_code ede = key_entry_get_reason_bogus(vq->key_entry);
/* key is bad, chain is bad, reply is bogus */
errinf_dname(qstate, "key for validation", vq->key_entry->name);
errinf_ede(qstate, "is marked as invalid", ede);
if(key_entry_get_reason(vq->key_entry)) {
errinf(qstate, "because of a previous");
errinf(qstate, key_entry_get_reason(vq->key_entry));
}
errinf(qstate, "because of a previous");
errinf(qstate, key_entry_get_reason(vq->key_entry));
/* no retries, stop bothering the authority until timeout */
vq->restart_count = ve->max_restart;
@ -1888,7 +1881,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
vq->chase_reply->security = sec_status_insecure;
val_mark_insecure(vq->chase_reply, vq->key_entry->name,
qstate->env->rrset_cache, qstate->env);
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
return 1;
}
@ -1897,12 +1891,13 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
"of trust to keys for", vq->key_entry->name,
LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
vq->chase_reply->security = sec_status_bogus;
update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSKEY_MISSING);
update_reason_bogus(vq->chase_reply,
key_entry_get_reason_bogus(vq->key_entry));
errinf_ede(qstate, "while building chain of trust",
LDNS_EDE_DNSKEY_MISSING);
key_entry_get_reason_bogus(vq->key_entry));
if(vq->restart_count >= ve->max_restart)
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
return 1;
}
@ -2156,7 +2151,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
size_t err_str_len = strlen(err_str);
log_info("%s", err_str);
/* allocate space and store the error
* string; */
* string */
vq->orig_msg->rep->reason_bogus_str = regional_alloc(
qstate->region,
sizeof(char) * (err_str_len+1));
@ -2206,6 +2201,8 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
}
}
/* Update rep->reason_bogus as it is the one being cached */
update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
/* store results in cache */
if(qstate->query_flags&BIT_RD) {
/* if secure, this will override cache anyway, no need
@ -2381,13 +2378,17 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- "
"could not fetch DNSKEY rrset",
ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
reason_bogus = LDNS_EDE_DNSKEY_MISSING;
reason = "no DNSKEY rrset";
if(qstate->env->cfg->harden_dnssec_stripped) {
errinf_ede(qstate, "no DNSKEY rrset", LDNS_EDE_DNSKEY_MISSING);
errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate fail prime key");
@ -2420,9 +2421,11 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate null prime key");
@ -2469,8 +2472,9 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* errors here pretty much break validation */
verbose(VERB_DETAIL, "DS response was error, thus bogus");
errinf(qstate, rc);
errinf_ede(qstate, "no DS", LDNS_EDE_NETWORK_ERROR);
reason = "no DS";
reason_bogus = LDNS_EDE_NETWORK_ERROR;
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
@ -2484,7 +2488,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
if(!ds) {
log_warn("internal error: POSITIVE DS response was "
"missing DS.");
errinf_ede(qstate, "no DS record", LDNS_EDE_DNSSEC_BOGUS);
reason = "no DS record";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
/* Verify only returns BOGUS or SECURE. If the rrset is
@ -2503,13 +2508,11 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
if(!val_dsset_isusable(ds)) {
/* If they aren't usable, then we treat it like
* there was no DS. */
/* TODO add EDE Unsupported DS Digest Type; this needs
* EDE to be added on non SERVFAIL answers. */
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
ub_packed_rrset_ttl(ds), *qstate->env->now);
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
ub_packed_rrset_ttl(ds),
LDNS_EDE_UNSUPPORTED_DS_DIGEST, NULL,
*qstate->env->now);
return (*ke) != NULL;
}
@ -2517,7 +2520,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
log_query_info(VERB_DETAIL, "validated DS", qinfo);
*ke = key_entry_create_rrset(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass, ds,
NULL, *qstate->env->now);
NULL, LDNS_EDE_NONE, NULL, *qstate->env->now);
return (*ke) != NULL;
} else if(subtype == VAL_CLASS_NODATA ||
subtype == VAL_CLASS_NAMEERROR) {
@ -2529,7 +2532,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* make sure there are NSECs or NSEC3s with signatures */
if(!val_has_signed_nsecs(msg->rep, &reason)) {
verbose(VERB_ALGO, "no NSECs: %s", reason);
errinf_ede(qstate, reason, LDNS_EDE_NSEC_MISSING);
reason_bogus = LDNS_EDE_NSEC_MISSING;
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
@ -2541,7 +2545,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* Try to prove absence of the DS with NSEC */
sec = val_nsec_prove_nodata_dsreply(
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
&proof_ttl, &reason, qstate);
&proof_ttl, &reason, &reason_bogus, qstate);
switch(sec) {
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC RRset for the "
@ -2549,6 +2553,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_insecure:
@ -2582,6 +2587,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_indeterminate:
@ -2604,7 +2610,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
* this is BOGUS. */
verbose(VERB_DETAIL, "DS %s ran out of options, so return "
"bogus", val_classification_to_string(subtype));
errinf(qstate, "no DS but also no proof of that");
reason = "no DS but also no proof of that";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else if(subtype == VAL_CLASS_CNAME ||
subtype == VAL_CLASS_CNAMENOANSWER) {
@ -2616,22 +2623,25 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
cname = reply_find_rrset_section_an(msg->rep, qinfo->qname,
qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass);
if(!cname) {
errinf(qstate, "validator classified CNAME but no "
"CNAME of the queried name for DS");
reason = "validator classified CNAME but no "
"CNAME of the queried name for DS";
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count
== 0) {
if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep->
rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) {
errinf(qstate, "DS got DNAME answer");
reason = "DS got DNAME answer";
} else {
errinf(qstate, "DS got unsigned CNAME answer");
reason = "DS got unsigned CNAME answer";
}
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
sec = val_verify_rrset_entry(qstate->env, ve, cname,
vq->key_entry, &reason, NULL, LDNS_SECTION_ANSWER, qstate);
sec = val_verify_rrset_entry(qstate->env, ve, cname,
vq->key_entry, &reason, &reason_bogus,
LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
verbose(VERB_ALGO, "CNAME validated, "
"proof that DS does not exist");
@ -2640,12 +2650,13 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
return 1;
}
errinf(qstate, "CNAME in DS response was not secure.");
errinf(qstate, reason);
errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else {
verbose(VERB_QUERY, "Encountered an unhandled type of "
"DS response, thus bogus.");
errinf(qstate, "no DS and");
reason = "no DS";
if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) {
char rc[16];
rc[0]=0;
@ -2658,8 +2669,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
}
return_bogus:
*ke = key_entry_create_bad(qstate->region, qinfo->qname,
qinfo->qname_len, qinfo->qclass,
BOGUS_KEY_TTL, *qstate->env->now);
qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL,
reason_bogus, reason, *qstate->env->now);
return (*ke) != NULL;
}
@ -2779,14 +2790,17 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
vq->restart_count++;
return;
}
vq->key_entry = key_entry_create_bad(qstate->region,
reason = "No DNSKEY record";
reason_bogus = LDNS_EDE_DNSKEY_MISSING;
vq->key_entry = key_entry_create_bad(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
BOGUS_KEY_TTL, *qstate->env->now);
BOGUS_KEY_TTL, reason_bogus, reason,
*qstate->env->now);
if(!vq->key_entry) {
log_err("alloc failure in missing dnskey response");
/* key_entry is NULL for failure in Validate */
}
errinf_ede(qstate, "No DNSKEY record", LDNS_EDE_DNSKEY_MISSING);
errinf_ede(qstate, reason, reason_bogus);
errinf_origin(qstate, origin);
errinf_dname(qstate, "for key", qinfo->qname);
vq->state = VAL_VALIDATE_STATE;
@ -2833,7 +2847,8 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
qstate->errinf = NULL;
/* The DNSKEY validated, so cache it as a trusted key rrset. */
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
/* If good, we stay in the FINDKEY state. */
log_query_info(VERB_DETAIL, "validated DNSKEY", qinfo);
@ -2901,7 +2916,8 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
errinf_origin(qstate, origin);
errinf_dname(qstate, "for trust anchor", ta->name);
/* store the freshly primed entry in the cache */
key_cache_insert(ve->kcache, vq->key_entry, qstate);
key_cache_insert(ve->kcache, vq->key_entry,
qstate->env->cfg->val_log_level >= 2);
}
/* If the result of the prime is a null key, skip the FINDKEY state.*/