validator.c File Reference

Basic processing sequences. More...

#include <config.h>
#include <isc/base32.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/sha2.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/events.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/ncache.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
#include <dns/result.h>
#include <dns/validator.h>
#include <dns/view.h>


Defines

#define VALIDATOR_MAGIC   ISC_MAGIC('V', 'a', 'l', '?')
#define VALID_VALIDATOR(v)   ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
#define VALATTR_SHUTDOWN   0x0001
 Shutting down.
#define VALATTR_CANCELED   0x0002
 Canceled.
#define VALATTR_TRIEDVERIFY   0x0004
 We have found a key and have attempted a verify.
#define VALATTR_INSECURITY   0x0010
 Attempting proveunsecure.
#define VALATTR_DLVTRIED   0x0020
 Looked for a DLV record.
#define VALATTR_NEEDNOQNAME   0x00000100
#define VALATTR_NEEDNOWILDCARD   0x00000200
#define VALATTR_NEEDNODATA   0x00000400
#define VALATTR_FOUNDNOQNAME   0x00001000
#define VALATTR_FOUNDNOWILDCARD   0x00002000
#define VALATTR_FOUNDNODATA   0x00004000
#define VALATTR_FOUNDCLOSEST   0x00008000
#define VALATTR_FOUNDOPTOUT   0x00010000
#define VALATTR_FOUNDUNKNOWN   0x00020000
#define NEEDNODATA(val)   ((val->attributes & VALATTR_NEEDNODATA) != 0)
#define NEEDNOQNAME(val)   ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
#define NEEDNOWILDCARD(val)   ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
#define DLVTRIED(val)   ((val->attributes & VALATTR_DLVTRIED) != 0)
#define FOUNDNODATA(val)   ((val->attributes & VALATTR_FOUNDNODATA) != 0)
#define FOUNDNOQNAME(val)   ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
#define FOUNDNOWILDCARD(val)   ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
#define FOUNDCLOSEST(val)   ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
#define FOUNDOPTOUT(val)   ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
#define SHUTDOWN(v)   (((v)->attributes & VALATTR_SHUTDOWN) != 0)
#define CANCELED(v)   (((v)->attributes & VALATTR_CANCELED) != 0)
#define NEGATIVE(r)   (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)

Functions

static void destroy (dns_validator_t *val)
static isc_result_t get_dst_key (dns_validator_t *val, dns_rdata_rrsig_t *siginfo, dns_rdataset_t *rdataset)
 Try to find a key that could have signed 'siginfo' among those in 'rdataset'. If found, build a dst_key_t for it and point val->key at it.
static isc_result_t validate (dns_validator_t *val, isc_boolean_t resume)
 Attempts positive response validation of a normal RRset.
static isc_result_t validatezonekey (dns_validator_t *val)
 Attempts positive response validation of an RRset containing zone keys (i.e. a DNSKEY rrset).
static isc_result_t nsecvalidate (dns_validator_t *val, isc_boolean_t resume)
 Prove a negative answer is good or that there is a NOQNAME when the answer is from a wildcard.
static isc_result_t proveunsecure (dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 proveunsecure walks down from the SEP looking for a break in the chain of trust. That occurs when we can prove the DS record does not exist at a delegation point, or when the DS exists at a delegation point but we do not support its algorithm/digest.
static void validator_logv (dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0)
static void validator_log (void *val, int level, const char *fmt,...) ISC_FORMAT_PRINTF(3, 4)
static void validator_logcreate (dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, const char *caller, const char *operation)
static isc_result_t dlv_validatezonekey (dns_validator_t *val)
 Validate the DNSKEY RRset by looking for a DNSKEY that matches a DLV record and that also verifies the DNSKEY RRset.
static void dlv_validator_start (dns_validator_t *val)
 Reset state and revalidate the answer using DLV.
static isc_result_t finddlvsep (dns_validator_t *val, isc_boolean_t resume)
 Continue the DLV lookup process.
static isc_result_t startfinddlvsep (dns_validator_t *val, dns_name_t *unsecure)
 Start the DLV lookup process.
static void markanswer (dns_validator_t *val, const char *where)
 Mark the RRsets as an answer.
static void marksecure (dns_validatorevent_t *event)
static void validator_done (dns_validator_t *val, isc_result_t result)
static isc_boolean_t exit_check (dns_validator_t *val)
static isc_boolean_t dlv_algorithm_supported (dns_validator_t *val)
static isc_boolean_t isdelegation (dns_name_t *name, dns_rdataset_t *rdataset, isc_result_t dbresult)
 Look in the NSEC record returned from a DS query to see if there is a NS RRset at this name. If it is found we are at a delegation point.
static void fetch_callback_validator (isc_task_t *task, isc_event_t *event)
 We have been asked to look for a key. If it is found, resume the validation process; if it is not found, fail the validation process.
static void dsfetched (isc_task_t *task, isc_event_t *event)
 We were asked to look for a DS record as part of following a key chain upwards. If it is found, resume the validation process; if it is not found, fail the validation process.
static void dsfetched2 (isc_task_t *task, isc_event_t *event)
 We were asked to look for the DS record as part of proving that a name is unsecure.
static void keyvalidated (isc_task_t *task, isc_event_t *event)
 Callback from when a DNSKEY RRset has been validated.
static void dsvalidated (isc_task_t *task, isc_event_t *event)
 Callback when the DS record has been validated.
static void cnamevalidated (isc_task_t *task, isc_event_t *event)
 Callback when the CNAME record has been validated.
static void authvalidated (isc_task_t *task, isc_event_t *event)
 Callback for when NSEC records have been validated.
static isc_result_t view_find (dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type)
 Looks for the requested name and type in the view (zones and cache).
static isc_boolean_t check_deadlock (dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
 Checks to make sure we are not going to loop. Because we use a SHARED fetch, the validation process would stall if a loop were to occur.
static isc_result_t create_fetch (dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, isc_taskaction_t callback, const char *caller)
 Start a fetch for the requested name and type.
static isc_result_t create_validator (dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_taskaction_t action, const char *caller)
 Start a subvalidation process.
static isc_result_t get_key (dns_validator_t *val, dns_rdata_rrsig_t *siginfo)
 Get the key that generated this signature.
static dns_keytag_t compute_keytag (dns_rdata_t *rdata, dns_rdata_dnskey_t *key)
static isc_boolean_t isselfsigned (dns_validator_t *val)
 Is this keyset self-signed?
static isc_result_t verify (dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, isc_uint16_t keyid)
 Attempt to verify the rdataset using the given key and rdata (RRSIG). If the signature was good and came from a wildcard record, and the QNAME does not match the wildcard, we need to look for a NOQNAME proof.
static isc_result_t checkkey (dns_validator_t *val, dns_rdata_t *keyrdata, isc_uint16_t keyid, dns_secalg_t algorithm)
 Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset (val->event->rdataset).
static isc_result_t keyfromds (dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata, isc_uint8_t digest, isc_uint16_t keyid, dns_secalg_t algorithm, dns_rdata_t *keyrdata)
 Find the DNSKEY that corresponds to the DS.
static isc_result_t start_positive_validation (dns_validator_t *val)
 Starts a positive response validation.
static isc_result_t val_rdataset_first (dns_validator_t *val, dns_name_t **namep, dns_rdataset_t **rdatasetp)
 val_rdataset_first and val_rdataset_next provide iteration methods that hide whether we are iterating across a message or a negative cache rdataset.
static isc_result_t val_rdataset_next (dns_validator_t *val, dns_name_t **namep, dns_rdataset_t **rdatasetp)
static isc_result_t checkwildcard (dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
 Look for NODATA at the wildcard and NOWILDCARD proofs in the previously validated NSEC records. As these proofs are mutually exclusive we stop when one is found.
static isc_result_t findnsec3proofs (dns_validator_t *val)
static isc_result_t validate_authority (dns_validator_t *val, isc_boolean_t resume)
 Validate the authority section records.
static isc_result_t validate_ncache (dns_validator_t *val, isc_boolean_t resume)
 Validate the ncache elements.
static isc_boolean_t check_ds (dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset)
static void dlvvalidated (isc_task_t *task, isc_event_t *event)
static void dlvfetched (isc_task_t *task, isc_event_t *event)
 Callback from fetching a DLV record.
static void validator_start (isc_task_t *task, isc_event_t *event)
 Start the validation process.
isc_result_t dns_validator_create (dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp)
 Start a DNSSEC validation.
void dns_validator_send (dns_validator_t *validator)
 Send a deferred validation request.
void dns_validator_cancel (dns_validator_t *validator)
 Cancel a DNSSEC validation in progress.
void dns_validator_destroy (dns_validator_t **validatorp)
 Destroy a DNSSEC validator.


Detailed Description

Basic processing sequences.

validator_start -> validate -> nsecvalidate (secure wildcard answer)

Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate() to always validate the authority section even when it does not contain signatures.

validator_start: determines what type of validation to do.
validate: attempts to perform a positive validation.
proveunsecure: attempts to prove the answer comes from an unsecure zone.
nsecvalidate: attempts to prove a negative response.
startfinddlvsep: starts the DLV record lookup.
dlv_validator_start: resets state and restarts the lookup using the DLV RRset found by startfinddlvsep.

Definition in file validator.c.


Define Documentation

#define VALIDATOR_MAGIC   ISC_MAGIC('V', 'a', 'l', '?')

Definition at line 86 of file validator.c.

Referenced by dns_validator_create().

#define VALID_VALIDATOR ( v )     ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)

Definition at line 87 of file validator.c.

Referenced by dns_validator_cancel(), dns_validator_destroy(), and dns_validator_send().

#define VALATTR_SHUTDOWN   0x0001

Shutting down.

Definition at line 89 of file validator.c.

Referenced by dns_validator_destroy().

#define VALATTR_CANCELED   0x0002

Canceled.

Definition at line 90 of file validator.c.

Referenced by dns_validator_cancel().

#define VALATTR_TRIEDVERIFY   0x0004

We have found a key and have attempted a verify.

Definition at line 91 of file validator.c.

Referenced by fetch_callback_validator(), keyvalidated(), validatezonekey(), validator_start(), and verify().

#define VALATTR_INSECURITY   0x0010

Attempting proveunsecure.

Definition at line 93 of file validator.c.

Referenced by cnamevalidated(), dsfetched(), dsvalidated(), fetch_callback_validator(), keyvalidated(), nsecvalidate(), and validator_start().

#define VALATTR_DLVTRIED   0x0020

Looked for a DLV record.

Definition at line 94 of file validator.c.

Referenced by dlv_validator_start(), and startfinddlvsep().

#define VALATTR_NEEDNOQNAME   0x00000100

NSEC proofs to be looked for.

Definition at line 99 of file validator.c.

Referenced by validator_start(), and verify().

#define VALATTR_NEEDNOWILDCARD   0x00000200

Definition at line 100 of file validator.c.

Referenced by validator_start().

#define VALATTR_NEEDNODATA   0x00000400

Definition at line 101 of file validator.c.

Referenced by validator_start().

#define VALATTR_FOUNDNOQNAME   0x00001000

NSEC proofs that have been found.

Definition at line 106 of file validator.c.

Referenced by authvalidated(), and findnsec3proofs().

#define VALATTR_FOUNDNOWILDCARD   0x00002000

Definition at line 107 of file validator.c.

Referenced by checkwildcard().

#define VALATTR_FOUNDNODATA   0x00004000

Definition at line 108 of file validator.c.

Referenced by authvalidated(), checkwildcard(), and findnsec3proofs().

#define VALATTR_FOUNDCLOSEST   0x00008000

Definition at line 109 of file validator.c.

Referenced by authvalidated(), and findnsec3proofs().

#define VALATTR_FOUNDOPTOUT   0x00010000

Definition at line 114 of file validator.c.

Referenced by findnsec3proofs(), and nsecvalidate().

#define VALATTR_FOUNDUNKNOWN   0x00020000

Definition at line 115 of file validator.c.

Referenced by findnsec3proofs(), and nsecvalidate().

#define NEEDNODATA ( val   )     ((val->attributes & VALATTR_NEEDNODATA) != 0)

Definition at line 117 of file validator.c.

Referenced by authvalidated(), checkwildcard(), findnsec3proofs(), and nsecvalidate().

#define NEEDNOQNAME ( val   )     ((val->attributes & VALATTR_NEEDNOQNAME) != 0)

Definition at line 118 of file validator.c.

Referenced by authvalidated(), checkwildcard(), nsecvalidate(), and validate().

#define NEEDNOWILDCARD ( val   )     ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)

Definition at line 119 of file validator.c.

Referenced by checkwildcard(), findnsec3proofs(), and nsecvalidate().

#define DLVTRIED ( val   )     ((val->attributes & VALATTR_DLVTRIED) != 0)

Definition at line 120 of file validator.c.

Referenced by dsfetched2(), dsvalidated(), proveunsecure(), startfinddlvsep(), validatezonekey(), and validator_start().

#define FOUNDNODATA ( val   )     ((val->attributes & VALATTR_FOUNDNODATA) != 0)

Definition at line 121 of file validator.c.

Referenced by authvalidated(), checkwildcard(), findnsec3proofs(), and nsecvalidate().

#define FOUNDNOQNAME ( val   )     ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)

Definition at line 122 of file validator.c.

Referenced by authvalidated(), findnsec3proofs(), and nsecvalidate().

#define FOUNDNOWILDCARD ( val   )     ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)

Definition at line 123 of file validator.c.

Referenced by checkwildcard(), and nsecvalidate().

#define FOUNDCLOSEST ( val   )     ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)

Definition at line 124 of file validator.c.

Referenced by findnsec3proofs(), and nsecvalidate().

#define FOUNDOPTOUT ( val   )     ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)

Definition at line 125 of file validator.c.

Referenced by nsecvalidate().

#define SHUTDOWN ( v )     (((v)->attributes & VALATTR_SHUTDOWN) != 0)

Definition at line 127 of file validator.c.

Referenced by destroy(), and exit_check().

#define CANCELED ( v )     (((v)->attributes & VALATTR_CANCELED) != 0)

Definition at line 128 of file validator.c.

Referenced by authvalidated(), cnamevalidated(), dlvvalidated(), dsfetched(), dsfetched2(), dsvalidated(), fetch_callback_validator(), and keyvalidated().

#define NEGATIVE ( r   )     (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)

Definition at line 130 of file validator.c.


Function Documentation

static void destroy ( dns_validator_t *  val  )  [static]

Definition at line 3876 of file validator.c.

References DESTROYLOCK, dns_validator::dlv, dns_keytable_detach(), dns_keytable_detachkeynode(), dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_validator_destroy(), dns_view_weakdetach(), dst_key_free(), dns_validator::event, dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, isc_mem_put, dns_validator::key, dns_validator::keynode, dns_validator::keytable, dns_validator::lock, dns_validator::magic, dns_view::mctx, mctx, REQUIRE, SHUTDOWN, dns_validator::siginfo, dns_validator::subvalidator, and dns_validator::view.

static isc_result_t get_dst_key ( dns_validator_t *  val,
dns_rdata_rrsig_t *  siginfo,
dns_rdataset_t *  rdataset 
) [static]

Try to find a key that could have signed 'siginfo' among those in 'rdataset'. If found, build a dst_key_t for it and point val->key at it.

If val->key is non-NULL, this returns the next matching key.

Definition at line 1209 of file validator.c.

References dns_rdata::data, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dst_key_alg(), dst_key_compare(), dst_key_free(), dst_key_fromdns(), dst_key_id(), dst_key_iszonekey(), INSIST, isc_buffer_add, isc_buffer_init, ISC_FALSE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, dns_validator::key, dns_rdata::length, dns_view::mctx, dns_rdata::rdclass, and dns_validator::view.

Referenced by fetch_callback_validator(), get_key(), keyvalidated(), and validate().

static isc_result_t validate ( dns_validator_t *  val,
isc_boolean_t  resume 
) [static]

Attempts positive response validation of a normal RRset.

Returns:

Definition at line 1571 of file validator.c.

References dns_view::acceptexpired, dns_keynode_key(), dns_keytable_detachkeynode(), dns_keytable_findnextkeynode(), DNS_R_CONTINUE, DNS_R_NOVALIDSIG, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_next(), dns_rdataset_trimttl(), dns_resolver_algorithm_supported(), dst_key_free(), dns_validator::event, get_dst_key(), get_key(), ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_INFO, isc_mem_get, ISC_R_NOMEMORY, ISC_R_NOMORE, ISC_R_SUCCESS, isc_result_totext(), dns_validator::key, dns_validator::keynode, dns_validator::keyset, dns_validator::keytable, marksecure(), dns_view::mctx, dns_validatorevent::message, dns_validatorevent::name, NEEDNOQNAME, nsecvalidate(), dns_validatorevent::rdataset, dns_view::resolver, dns_validator::siginfo, dns_validatorevent::sigrdataset, dns_validator::start, validator_log(), verify(), and dns_validator::view.

Referenced by fetch_callback_validator(), keyvalidated(), query_addadditional(), query_addadditional2(), query_addbestns(), and start_positive_validation().

static isc_result_t validatezonekey ( dns_validator_t *  val  )  [static]

Attempts positive response validation of an RRset containing zone keys (i.e. a DNSKEY rrset).

Returns:

Definition at line 1936 of file validator.c.

References dns_validator::attributes, checkkey(), create_fetch(), create_validator(), dns_view::dlv, dns_validator::dlv, dlv_validatezonekey(), dns_validator::dlvsep, DLVTRIED, DNS_DSDIGEST_SHA1, DNS_DSDIGEST_SHA256, dns_fixedname_init, dns_fixedname_name, dns_keynode_key(), dns_keytable_detachkeynode(), dns_keytable_finddeepestmatch(), dns_keytable_findkeynode(), dns_keytable_findnextkeynode(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, DNS_R_BROKENCHAIN, DNS_R_CNAME, DNS_R_EMPTYNAME, DNS_R_MUSTBESECURE, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NOVALIDDS, DNS_R_NOVALIDKEY, DNS_R_NOVALIDSIG, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_PARTIALMATCH, DNS_R_WAIT, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_resolver_algorithm_supported(), dns_resolver_ds_digest_supported(), dns_rootname, DNS_TRUST_ANSWER, DNS_TRUST_PENDING, dns_trust_secure, dsfetched(), dns_validator::dsset, dsvalidated(), dns_validator::event, fixed, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, INSIST, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_INFO, ISC_LOG_NOTICE, ISC_LOG_WARNING, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_SHA256_DIGESTLENGTH, ISC_TRUE, keyfromds(), dns_validator::keytable, markanswer(), marksecure(), dns_validator::mustbesecure, dns_validatorevent::name, namebuf, POST, dns_validatorevent::rdataset, dns_view::resolver, RUNTIME_CHECK, dns_validatorevent::sigrdataset, startfinddlvsep(), dns_rdataset::trust, VALATTR_TRIEDVERIFY, validator_log(), verify(), dns_validator::view, and view_find().

Referenced by dsfetched(), dsvalidated(), and start_positive_validation().

static isc_result_t nsecvalidate ( dns_validator_t *  val,
isc_boolean_t  resume 
) [static]

Prove a negative answer is good or that there is a NOQNAME when the answer is from a wildcard.

Loop through the authority section looking for NODATA, NOWILDCARD and NOQNAME proofs in the NSEC records by calling authvalidated().

If the required proofs are found we are done.

If the proofs are not found, attempt to prove this is an unsecure response.

Definition at line 2798 of file validator.c.

References dns_validator::attributes, dns_validator::authcount, dns_validator::authfail, checkwildcard(), dns_fixedname_name, dns_name_countlabels(), DNS_R_BROKENCHAIN, DNS_R_NOVALIDNSEC, dns_validator::event, findnsec3proofs(), FOUNDCLOSEST, FOUNDNODATA, FOUNDNOQNAME, FOUNDNOWILDCARD, FOUNDOPTOUT, ISC_FALSE, ISC_LOG_DEBUG, ISC_R_SUCCESS, ISC_TRUE, markanswer(), marksecure(), dns_validatorevent::message, NEEDNODATA, NEEDNOQNAME, NEEDNOWILDCARD, dns_validatorevent::optout, proveunsecure(), dns_validatorevent::secure, VALATTR_FOUNDOPTOUT, VALATTR_FOUNDUNKNOWN, VALATTR_INSECURITY, validate_authority(), validate_ncache(), validator_log(), and dns_validator::wild.

Referenced by authvalidated(), validate(), and validator_start().

static isc_result_t proveunsecure ( dns_validator_t *  val,
isc_boolean_t  have_ds,
isc_boolean_t  resume 
) [static]

proveunsecure walks down from the SEP looking for a break in the chain of trust. That occurs when we can prove the DS record does not exist at a delegation point, or when the DS exists at a delegation point but we do not support its algorithm/digest.

If DLV is active, we look for a DLV record at or below the point where we go insecure. If one is found, we restart the validation process. If none is found, or DLV isn't active, we mark the response as an answer.

Returns:

Definition at line 3267 of file validator.c.

References check_ds(), cnamevalidated(), create_fetch(), create_validator(), dns_view::dlv, dns_validator::dlvsep, DLVTRIED, dns_fixedname_init, dns_fixedname_name, dns_keytable_finddeepestmatch(), dns_name_copy(), dns_name_countlabels(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_getlabelsequence(), dns_name_split(), DNS_R_BROKENCHAIN, DNS_R_CNAME, DNS_R_MUSTBESECURE, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NOTINSECURE, DNS_R_NOVALIDNSEC, DNS_R_NOVALIDSIG, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_WAIT, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_rootname, DNS_TRUST_ANSWER, DNS_TRUST_PENDING, dns_trust_secure, dns_view_findzonecut2(), dsfetched2(), dsvalidated(), dns_validator::event, dns_validator::fname, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_NOTFOUND, ISC_R_SUCCESS, isdelegation(), dns_validator::keytable, dns_validator::labels, markanswer(), dns_validator::mustbesecure, dns_validatorevent::name, namebuf, startfinddlvsep(), dns_rdataset::trust, dns_validatorevent::type, validator_log(), dns_validator::view, and view_find().

Referenced by cnamevalidated(), dsfetched(), dsfetched2(), dsvalidated(), fetch_callback_validator(), keyvalidated(), nsecvalidate(), and validator_start().

static void validator_logv ( dns_validator_t *  val,
isc_logcategory_t *  category,
isc_logmodule_t *  module,
int  level,
const char *  fmt,
va_list  ap 
) [static]

Definition at line 3931 of file validator.c.

References dns_validator::depth, dns_lctx, dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdatatype_format(), DNS_RDATATYPE_FORMATSIZE, dns_validator::event, isc_log_write(), dns_validatorevent::name, namebuf, spaces, and dns_validatorevent::type.

Referenced by validator_log().

static void validator_log ( void *  val,
int  level,
const char *  fmt,
  ... 
) [static]

Definition at line 3961 of file validator.c.

References dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_VALIDATOR, isc_log_wouldlog(), and validator_logv().

Referenced by authvalidated(), check_deadlock(), checkwildcard(), cnamevalidated(), create_fetch(), create_validator(), dlv_validatezonekey(), dlv_validator_start(), dlvfetched(), dlvvalidated(), dns_validator_cancel(), dns_validator_destroy(), dsfetched(), dsfetched2(), dsvalidated(), fetch_callback_validator(), finddlvsep(), findnsec3proofs(), get_key(), keyfromds(), keyvalidated(), markanswer(), nsecvalidate(), proveunsecure(), startfinddlvsep(), validate(), validatezonekey(), validator_logcreate(), validator_start(), verify(), and view_find().

static void validator_logcreate ( dns_validator_t *  val,
dns_name_t *  name,
dns_rdatatype_t  type,
const char *  caller,
const char *  operation 
) [static]

Definition at line 3975 of file validator.c.

References dns_name_format(), DNS_NAME_FORMATSIZE, dns_rdatatype_format(), DNS_RDATATYPE_FORMATSIZE, ISC_LOG_DEBUG, and validator_log().

Referenced by create_fetch(), and create_validator().

static isc_result_t dlv_validatezonekey ( dns_validator_t *  val  )  [static]

Validate the DNSKEY RRset by looking for a DNSKEY that matches a DLV record and that also verifies the DNSKEY RRset.

Definition at line 1807 of file validator.c.

References checkkey(), dns_validator::dlv, dlv, DNS_DSDIGEST_SHA1, DNS_DSDIGEST_SHA256, DNS_R_MUSTBESECURE, DNS_R_NOVALIDSIG, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), dns_resolver_algorithm_supported(), dns_resolver_ds_digest_supported(), dns_validator::event, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_NOMORE, ISC_R_SUCCESS, ISC_SHA256_DIGESTLENGTH, ISC_TRUE, keyfromds(), markanswer(), marksecure(), dns_validator::mustbesecure, dns_validatorevent::name, dns_validatorevent::rdataset, dns_view::resolver, RUNTIME_CHECK, dns_rdata::type, validator_log(), and dns_validator::view.

Referenced by validatezonekey().

static void dlv_validator_start ( dns_validator_t *  val  )  [static]

Reset state and revalidate the answer using DLV.

Definition at line 3581 of file validator.c.

References dns_validator::attributes, DNS_VALIDATOR_DLV, dns_validator::event, ISC_LOG_DEBUG, isc_task_send(), dns_validator::options, dns_validator::task, VALATTR_DLVTRIED, and validator_log().

Referenced by dlvfetched(), dlvvalidated(), and startfinddlvsep().

static isc_result_t finddlvsep ( dns_validator_t *  val,
isc_boolean_t  resume 
) [static]

Continue the DLV lookup process.

Returns

Definition at line 3122 of file validator.c.

References create_fetch(), create_validator(), dns_validator::dlv, dns_view::dlv, dlvfetched(), dns_validator::dlvlabels, dns_validator::dlvsep, dlvvalidated(), dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_copy(), dns_name_countlabels(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_getlabelsequence(), dns_name_init(), dns_name_issubdomain(), DNS_R_EMPTYNAME, DNS_R_MUSTBESECURE, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NOVALIDSIG, DNS_R_NTACOVERED, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_WAIT, dns_rdataset_clone(), dns_rdataset_isassociated(), DNS_TRUST_PENDING, dns_trust_secure, DNS_VALIDATOR_NONTA, dns_view_ntacovers(), dns_validator::event, dns_validator::fname, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, INSIST, ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_NOSPACE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, dns_validatorevent::name, namebuf, dns_validator::options, dns_validator::start, dns_rdataset::trust, dns_validatorevent::type, validator_log(), dns_validator::view, and view_find().

Referenced by dlvfetched(), and startfinddlvsep().

static isc_result_t startfinddlvsep ( dns_validator_t *  val,
dns_name_t *  unsecure 
) [static]

Start the DLV lookup process.

Returns

Definition at line 3062 of file validator.c.

References dns_validator::attributes, dns_view::dlv, dlv_algorithm_supported(), dlv_validator_start(), dns_validator::dlvlabels, dns_validator::dlvsep, DLVTRIED, dns_fixedname_name, dns_name_countlabels(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_issubdomain(), DNS_R_MUSTBESECURE, DNS_R_NTACOVERED, DNS_R_WAIT, dns_result_totext(), dns_validator::event, finddlvsep(), INSIST, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_NOTFOUND, ISC_R_SUCCESS, markanswer(), dns_validatorevent::name, namebuf, VALATTR_DLVTRIED, validator_done(), validator_log(), and dns_validator::view.

Referenced by dsfetched2(), dsvalidated(), proveunsecure(), validatezonekey(), and validator_start().

static void markanswer ( dns_validator_t *  val,
const char *  where 
) [inline, static]

Mark the RRsets as an answer.

Definition at line 182 of file validator.c.

References dns_rdataset_settrust(), dns_trust_answer, ISC_LOG_DEBUG, and validator_log().

Referenced by dlv_validatezonekey(), dlvfetched(), dlvvalidated(), dsfetched2(), dsvalidated(), nsecvalidate(), proveunsecure(), startfinddlvsep(), and validatezonekey().

static void marksecure ( dns_validatorevent_t *  event  )  [inline, static]

Definition at line 192 of file validator.c.

References dns_rdataset_settrust(), dns_trust_secure, ISC_TRUE, dns_validatorevent::rdataset, and dns_validatorevent::sigrdataset.

Referenced by dlv_validatezonekey(), nsecvalidate(), validate(), and validatezonekey().

static void validator_done ( dns_validator_t *  val,
isc_result_t  result 
) [static]

Definition at line 200 of file validator.c.

References dns_validator::action, dns_validator::arg, DNS_EVENT_VALIDATORDONE, dns_validator::event, isc_task_sendanddetach(), and dns_validatorevent::result.

Referenced by authvalidated(), cnamevalidated(), dlvfetched(), dlvvalidated(), dns_validator_cancel(), dsfetched(), dsfetched2(), dsvalidated(), fetch_callback_validator(), keyvalidated(), startfinddlvsep(), and validator_start().

static isc_boolean_t exit_check ( dns_validator_t *  val  )  [inline, static]

Definition at line 220 of file validator.c.

References dns_validator::event, dns_validator::fetch, INSIST, ISC_FALSE, ISC_TRUE, SHUTDOWN, and dns_validator::subvalidator.

Referenced by authvalidated(), client_newconn(), client_request(), client_shutdown(), client_start(), client_timeout(), cnamevalidated(), dlvfetched(), dlvvalidated(), dns_validator_destroy(), dns_zone_idetach(), dsfetched(), dsfetched2(), dsvalidated(), fetch_callback_validator(), keyfetch_done(), keyvalidated(), ns_client_detach(), ns_client_next(), validator_start(), zone_shutdown(), and zone_xfrdone().

static isc_boolean_t dlv_algorithm_supported ( dns_validator_t *  val  )  [inline, static]

Definition at line 239 of file validator.c.

References dns_validator::dlv, dlv, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dns_resolver_algorithm_supported(), dns_resolver_ds_digest_supported(), dns_validator::event, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_validatorevent::name, dns_view::resolver, RUNTIME_CHECK, and dns_validator::view.

Referenced by dlvfetched(), dlvvalidated(), and startfinddlvsep().

static isc_boolean_t isdelegation ( dns_name_t *  name,
dns_rdataset_t *  rdataset,
isc_result_t  dbresult 
) [static]

Look in the NSEC record returned from a DS query to see if there is a NS RRset at this name. If it is found we are at a delegation point.

Definition at line 272 of file validator.c.

References buffer, dns_fixedname_init, dns_fixedname_name, dns_name_downcase(), dns_name_getlabel(), dns_name_init(), dns_ncache_current(), dns_ncache_getrdataset(), dns_nsec3_typepresent(), dns_nsec_typepresent(), DNS_R_NCACHENXRRSET, DNS_R_NXRRSET, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), fixed, hash, INSIST, isc_base32hexnp_decoderegion(), isc_buffer_init, isc_buffer_usedlength, ISC_FALSE, isc_iterated_hash(), ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_region_consume, ISC_TRUE, dns_name::length, dns_name::ndata, NSEC3_MAX_HASH_LENGTH, and REQUIRE.

Referenced by dsfetched2(), dsvalidated(), proveunsecure(), signname(), and verifyzone().

static void fetch_callback_validator ( isc_task_t task,
isc_event_t event 
) [static]

We have been asked to look for a key. If it is found, resume the validation process; if it is not found, fail the validation process.

Definition at line 390 of file validator.c.

References dns_validator::attributes, CANCELED, destroy(), dns_db_detach(), dns_db_detachnode(), DNS_EVENT_FETCHDONE, DNS_R_BROKENCHAIN, DNS_R_NOTINSECURE, DNS_R_NOVALIDSIG, DNS_R_WAIT, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_resolver_destroyfetch(), dns_trust_secure, dns_trust_totext(), dns_validator::event, exit_check(), dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, get_dst_key(), INSIST, isc_event_free(), ISC_FALSE, ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_validator::keyset, dns_validator::lock, LOCK, proveunsecure(), dns_validator::siginfo, dns_rdataset::trust, UNLOCK, UNUSED, VALATTR_INSECURITY, VALATTR_TRIEDVERIFY, validate(), validator_done(), and validator_log().

Referenced by get_key().

static void dsfetched ( isc_task_t task,
isc_event_t event 
) [static]

We were asked to look for a DS record as part of following a key chain upwards. If it is found, resume the validation process; if it is not found, fail the validation process.

Definition at line 473 of file validator.c.

References dns_validator::attributes, CANCELED, destroy(), dns_db_detach(), dns_db_detachnode(), DNS_EVENT_FETCHDONE, DNS_R_BROKENCHAIN, DNS_R_CNAME, DNS_R_NCACHENXRRSET, DNS_R_NXRRSET, DNS_R_SERVFAIL, DNS_R_WAIT, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_resolver_destroyfetch(), dns_result_totext(), dns_trust_totext(), dns_validator::dsset, dns_validator::event, exit_check(), dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, INSIST, isc_event_free(), ISC_FALSE, ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), dns_validator::lock, LOCK, proveunsecure(), dns_rdataset::trust, UNLOCK, UNUSED, VALATTR_INSECURITY, validatezonekey(), validator_done(), and validator_log().

Referenced by validatezonekey().

static void dsfetched2 ( isc_task_t task,
isc_event_t event 
) [static]

We were asked to look for the DS record as part of proving that a name is unsecure.

If the DS record doesn't exist and the query name corresponds to a delegation point, we are transitioning from a secure zone to an unsecure zone.

If the DS record exists, it will be secure, and we can continue looking for the break point in the chain of trust.

Definition at line 555 of file validator.c.

References CANCELED, destroy(), dns_view::dlv, DLVTRIED, dns_db_detach(), dns_db_detachnode(), DNS_EVENT_FETCHDONE, dns_fixedname_name, DNS_R_CNAME, DNS_R_MUSTBESECURE, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NOVALIDDS, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_WAIT, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_resolver_destroyfetch(), dns_result_totext(), dns_validator::event, exit_check(), dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, INSIST, isc_event_free(), ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_CANCELED, ISC_R_SUCCESS, ISC_TF, ISC_TRUE, isdelegation(), dns_validator::lock, LOCK, markanswer(), dns_validator::mustbesecure, proveunsecure(), startfinddlvsep(), UNLOCK, UNUSED, validator_done(), validator_log(), and dns_validator::view.

Referenced by proveunsecure().

static void keyvalidated ( isc_task_t task,
isc_event_t event 
) [static]

Callback from when a DNSKEY RRset has been validated.

Resumes the stalled validation process.

Definition at line 649 of file validator.c.

References dns_validator::attributes, CANCELED, destroy(), DNS_EVENT_VALIDATORDONE, DNS_R_BROKENCHAIN, DNS_R_NOTINSECURE, DNS_R_NOVALIDSIG, DNS_R_WAIT, dns_rdataset_expire(), dns_rdataset_isassociated(), dns_trust_secure, dns_trust_totext(), dns_validator_destroy(), dns_validator::event, exit_check(), dns_validator::frdataset, dns_validator::fsigrdataset, get_dst_key(), INSIST, isc_event_free(), ISC_FALSE, ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_validator::lock, LOCK, proveunsecure(), dns_validatorevent::result, dns_validator::siginfo, dns_validator::subvalidator, dns_rdataset::trust, UNLOCK, UNUSED, VALATTR_INSECURITY, VALATTR_TRIEDVERIFY, validate(), validator_done(), and validator_log().

Referenced by get_key().

static void dsvalidated ( isc_task_t task,
isc_event_t event 
) [static]

Callback when the DS record has been validated.

Resumes validation of the zone key or the unsecure zone proof.

Definition at line 720 of file validator.c.

References dns_validator::attributes, CANCELED, dns_rdataset::covers, destroy(), dns_view::dlv, DLVTRIED, DNS_EVENT_VALIDATORDONE, dns_fixedname_name, DNS_R_BROKENCHAIN, DNS_R_MUSTBESECURE, DNS_R_NCACHENXRRSET, DNS_R_WAIT, dns_rdataset_expire(), dns_rdataset_isassociated(), dns_trust_totext(), dns_validator_destroy(), dns_validator::event, exit_check(), dns_validator::fname, dns_validator::frdataset, dns_validator::fsigrdataset, INSIST, isc_event_free(), ISC_LOG_DEBUG, ISC_LOG_WARNING, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TF, ISC_TRUE, isdelegation(), dns_validator::lock, LOCK, markanswer(), dns_validator::mustbesecure, name, NEGATIVE, proveunsecure(), dns_validatorevent::result, startfinddlvsep(), dns_validator::subvalidator, dns_rdataset::trust, dns_rdataset::type, UNLOCK, UNUSED, VALATTR_INSECURITY, validatezonekey(), validator_done(), validator_log(), and dns_validator::view.

Referenced by proveunsecure(), and validatezonekey().

static void cnamevalidated ( isc_task_t task,
isc_event_t event 
) [static]

Callback when the CNAME record has been validated.

Resumes validation of the unsecure zone proof.

Definition at line 797 of file validator.c.

References dns_validator::attributes, CANCELED, destroy(), DNS_EVENT_VALIDATORDONE, DNS_R_BROKENCHAIN, DNS_R_WAIT, dns_rdataset_expire(), dns_rdataset_isassociated(), dns_trust_totext(), dns_validator_destroy(), dns_validator::event, exit_check(), dns_validator::frdataset, dns_validator::fsigrdataset, INSIST, isc_event_free(), ISC_FALSE, ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_validator::lock, LOCK, proveunsecure(), dns_validatorevent::result, dns_validator::subvalidator, dns_rdataset::trust, UNLOCK, UNUSED, VALATTR_INSECURITY, validator_done(), and validator_log().

Referenced by proveunsecure().

static void authvalidated ( isc_task_t task,
isc_event_t event 
) [static]

Callback for when NSEC records have been validated.

Looks for NOQNAME, NODATA and OPTOUT proofs.

Resumes nsecvalidate.

Definition at line 853 of file validator.c.

References dns_validator::attributes, dns_validator::authfail, CANCELED, dns_validator::closest, destroy(), DNS_EVENT_VALIDATORDONE, dns_fixedname_name, dns_name_countlabels(), dns_nsec_noexistnodata(), DNS_R_BROKENCHAIN, DNS_R_WAIT, dns_trust_secure, dns_validator_destroy(), DNS_VALIDATOR_NODATAPROOF, DNS_VALIDATOR_NOQNAMEPROOF, dns_validator::event, exit_check(), FOUNDNODATA, FOUNDNOQNAME, INSIST, isc_event_free(), ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_validator::lock, LOCK, dns_validatorevent::name, NEEDNODATA, NEEDNOQNAME, nsecvalidate(), dns_validatorevent::proofs, dns_validatorevent::rdataset, dns_validatorevent::result, dns_validator::seensig, dns_validator::subvalidator, dns_rdataset::trust, dns_validatorevent::type, dns_rdataset::type, UNLOCK, UNUSED, VALATTR_FOUNDCLOSEST, VALATTR_FOUNDNODATA, VALATTR_FOUNDNOQNAME, validator_done(), validator_log(), dns_validator::wild, and wild.

Referenced by validate_authority(), and validate_ncache().

static isc_result_t view_find ( dns_validator_t val,
dns_name_t name,
dns_rdatatype_t  type 
) [inline, static]

Looks for the requested name and type in the view (zones and cache).

When looking for a DLV record, it also checks that the NSEC record returned covers the query name, as part of aggressive negative caching.

Returns:

Definition at line 970 of file validator.c.

References DNS_DBFIND_COVERINGNSEC, DNS_DBFIND_PENDINGOK, dns_fixedname_init, dns_fixedname_name, dns_lctx, dns_name_compare(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_issubdomain(), dns_nsec_typepresent(), DNS_R_BROKENCHAIN, DNS_R_COVERINGNSEC, DNS_R_EMPTYNAME, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NXDOMAIN, DNS_R_NXRRSET, dns_rdata_freestruct(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_isassociated(), dns_rdatatype_format(), DNS_RDATATYPE_FORMATSIZE, dns_resolver_getbadcache(), dns_trust_secure, dns_trust_totext(), dns_view_find(), dns_validator::frdataset, dns_validator::fsigrdataset, INSIST, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_INFO, isc_log_wouldlog(), ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_time_now(), namebuf, now, dns_view::resolver, dns_rdataset::trust, validator_log(), and dns_validator::view.

static isc_boolean_t check_deadlock ( dns_validator_t val,
dns_name_t name,
dns_rdatatype_t  type,
dns_rdataset_t rdataset,
dns_rdataset_t sigrdataset 
) [inline, static]

Checks to make sure we are not going to loop. Because we use a SHARED fetch, the validation process would stall if a loop were to occur.

Definition at line 1104 of file validator.c.

References dns_name_equal(), dns_validator::event, ISC_FALSE, ISC_LOG_DEBUG, ISC_TRUE, dns_validatorevent::message, dns_validatorevent::name, dns_validator::parent, dns_validatorevent::rdataset, dns_validatorevent::sigrdataset, dns_validatorevent::type, and validator_log().

Referenced by create_fetch(), and create_validator().

static isc_result_t create_fetch ( dns_validator_t val,
dns_name_t name,
dns_rdatatype_t  type,
isc_taskaction_t  callback,
const char *  caller 
) [inline, static]

Start a fetch for the requested name and type.

Definition at line 1137 of file validator.c.

References check_deadlock(), DNS_FETCHOPT_NOCDFLAG, DNS_FETCHOPT_NONTA, DNS_R_NOVALIDSIG, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_resolver_createfetch(), DNS_VALIDATOR_NOCDFLAG, DNS_VALIDATOR_NONTA, dns_validator::event, dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, ISC_LOG_DEBUG, dns_validator::options, dns_view::resolver, validator_log(), validator_logcreate(), and dns_validator::view.

Referenced by finddlvsep(), get_key(), proveunsecure(), and validatezonekey().

static isc_result_t create_validator ( dns_validator_t val,
dns_name_t name,
dns_rdatatype_t  type,
dns_rdataset_t rdataset,
dns_rdataset_t sigrdataset,
isc_taskaction_t  action,
const char *  caller 
) [inline, static]

Start a subvalidation process.

Definition at line 1173 of file validator.c.

References check_deadlock(), dns_validator::depth, DNS_R_NOVALIDSIG, dns_validator_create(), DNS_VALIDATOR_NOCDFLAG, DNS_VALIDATOR_NONTA, ISC_LOG_DEBUG, ISC_R_SUCCESS, dns_validator::options, dns_validator::parent, dns_validator::subvalidator, dns_validator::task, validator_log(), validator_logcreate(), and dns_validator::view.

Referenced by finddlvsep(), get_key(), proveunsecure(), validate_authority(), validate_ncache(), and validatezonekey().

static isc_result_t get_key ( dns_validator_t val,
dns_rdata_rrsig_t *  siginfo 
) [static]

Get the key that generated this signature.

Definition at line 1273 of file validator.c.

References create_fetch(), create_validator(), dns_name_fullcompare(), dns_namereln_equal, dns_namereln_subdomain, DNS_R_BROKENCHAIN, DNS_R_CONTINUE, DNS_R_EMPTYNAME, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_WAIT, dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_rdatatype_atparent(), DNS_TRUST_ANSWER, DNS_TRUST_PENDING, dns_trust_secure, dns_trust_totext(), dns_validator::event, fetch_callback_validator(), dns_validator::frdataset, dns_validator::fsigrdataset, get_dst_key(), ISC_LOG_DEBUG, ISC_R_NOTFOUND, ISC_R_SUCCESS, dns_validator::key, dns_validator::keyset, keyvalidated(), dns_validatorevent::name, dns_validatorevent::rdataset, dns_rdataset::trust, dns_rdataset::type, validator_log(), and view_find().

Referenced by validate().

static dns_keytag_t compute_keytag ( dns_rdata_t rdata,
dns_rdata_dnskey_t *  key 
) [static]

Definition at line 1414 of file validator.c.

References dns_rdata_toregion(), dst_region_computeid(), and r.

Referenced by isselfsigned(), and keyfromds().

static isc_boolean_t isselfsigned ( dns_validator_t val  )  [static]

Is this keyset self-signed?

Definition at line 1425 of file validator.c.

References answer, compute_keytag(), dns_dnssec_keyfromrdata(), dns_dnssec_verify3(), dns_fixedname_name, DNS_KEYFLAG_REVOKE, dns_name_equal(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dns_view_untrust(), dst_key_free(), dns_validator::event, fixed, INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, key, dns_view::maxbits, dns_view::mctx, mctx, dns_validatorevent::name, name, dns_validatorevent::rdataset, RUNTIME_CHECK, dns_validatorevent::sigrdataset, dns_rdataset::type, and dns_validator::view.

Referenced by start_positive_validation().

static isc_result_t verify ( dns_validator_t val,
dst_key_t key,
dns_rdata_t rdata,
isc_uint16_t  keyid 
) [static]

Attempt to verify the rdataset using the given key and rdata (RRSIG). If the signature was good and came from a wildcard record, and the QNAME does not match the wildcard, we need to look for a NOQNAME proof.

Returns:

Definition at line 1507 of file validator.c.

References dns_view::acceptexpired, dns_validator::attributes, dns_validator::closest, dns_dnssec_verify3(), dns_fixedname_init, dns_fixedname_name, dns_name_copy(), dns_name_countlabels(), dns_name_equal(), dns_name_getlabelsequence(), DNS_R_FROMWILDCARD, DNS_R_SIGEXPIRED, DNS_R_SIGFUTURE, dns_validator::event, fixed, ignore(), ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_INFO, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_view::maxbits, dns_view::mctx, dns_validatorevent::name, dns_validatorevent::rdataset, VALATTR_NEEDNOQNAME, VALATTR_TRIEDVERIFY, validator_log(), dns_validator::view, and wild.

Referenced by checkkey(), table_fromwire(), validate(), and validatezonekey().

static isc_result_t checkkey ( dns_validator_t val,
dns_rdata_t keyrdata,
isc_uint16_t  keyid,
dns_secalg_t  algorithm 
) [static]

Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset (val->event->rdataset).

Definition at line 1723 of file validator.c.

References dns_dnssec_keyfromrdata(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dst_key_free(), dns_validator::event, ISC_R_SUCCESS, dns_view::mctx, dns_validatorevent::name, RUNTIME_CHECK, dns_validatorevent::sigrdataset, verify(), and dns_validator::view.

Referenced by dlv_validatezonekey(), and validatezonekey().

static isc_result_t keyfromds ( dns_validator_t val,
dns_rdataset_t rdataset,
dns_rdata_t dsrdata,
isc_uint8_t  digest,
isc_uint16_t  keyid,
dns_secalg_t  algorithm,
dns_rdata_t keyrdata 
) [static]

Find the DNSKEY that corresponds to the DS.

Definition at line 1765 of file validator.c.

References compute_keytag(), DNS_DS_BUFFERSIZE, dns_ds_buildrdata(), dns_rdata_compare(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dns_result_totext(), dns_validator::event, ISC_LOG_DEBUG, ISC_R_SUCCESS, key, dns_validatorevent::name, RUNTIME_CHECK, and validator_log().

Referenced by dlv_validatezonekey(), and validatezonekey().

static isc_result_t start_positive_validation ( dns_validator_t val  )  [static]

Starts a positive response validation.

Returns:

Definition at line 2286 of file validator.c.

References dns_validator::event, ISC_FALSE, isselfsigned(), dns_validatorevent::type, validate(), and validatezonekey().

Referenced by validator_start().

static isc_result_t val_rdataset_first ( dns_validator_t val,
dns_name_t **  namep,
dns_rdataset_t **  rdatasetp 
) [static]

val_rdataset_first and val_rdataset_next provide iteration methods that hide whether we are iterating across a message or a negative cache rdataset.

Definition at line 2302 of file validator.c.

References dns_message_currentname(), dns_message_firstname(), dns_ncache_current(), dns_rdataset_first(), DNS_SECTION_AUTHORITY, dns_validator::event, INSIST, ISC_LIST_HEAD, ISC_R_SUCCESS, dns_validatorevent::message, dns_validatorevent::rdataset, and REQUIRE.

Referenced by checkwildcard(), and findnsec3proofs().

static isc_result_t val_rdataset_next ( dns_validator_t val,
dns_name_t **  namep,
dns_rdataset_t **  rdatasetp 
) [static]

Definition at line 2335 of file validator.c.

References dns_message_currentname(), dns_message_nextname(), dns_ncache_current(), dns_rdataset_disassociate(), dns_rdataset_next(), DNS_SECTION_AUTHORITY, dns_validator::event, INSIST, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_SUCCESS, dns_validatorevent::message, dns_validatorevent::rdataset, and REQUIRE.

Referenced by checkwildcard(), and findnsec3proofs().

static isc_result_t checkwildcard ( dns_validator_t val,
dns_rdatatype_t  type,
dns_name_t zonename 
) [static]

Look for NODATA-at-the-wildcard and NOWILDCARD proofs in the previously validated NSEC records. As these proofs are mutually exclusive, we stop when one is found.

Returns

Definition at line 2379 of file validator.c.

References dns_validator::attributes, dns_fixedname_name, dns_name_countlabels(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_init(), dns_nsec3_noexistnodata(), dns_nsec_noexistnodata(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_trust_secure, DNS_VALIDATOR_NODATAPROOF, DNS_VALIDATOR_NOWILDCARDPROOF, dns_validator::event, FOUNDNODATA, FOUNDNOWILDCARD, ISC_LOG_DEBUG, ISC_R_NOMORE, ISC_R_SUCCESS, dns_validatorevent::message, name, namebuf, NEEDNODATA, NEEDNOQNAME, NEEDNOWILDCARD, dns_validatorevent::proofs, dns_rdataset::trust, dns_validatorevent::type, dns_rdataset::type, val_rdataset_first(), val_rdataset_next(), VALATTR_FOUNDNODATA, VALATTR_FOUNDNOWILDCARD, validator_log(), dns_validator::wild, and wild.

Referenced by findnsec3proofs(), and nsecvalidate().

static isc_result_t findnsec3proofs ( dns_validator_t val  )  [static]

Definition at line 2475 of file validator.c.

References dns_validator::attributes, checkwildcard(), dns_validator::closest, dns_fixedname_init, dns_fixedname_name, dns_name_concatenate(), dns_name_copy(), dns_name_countlabels(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_init(), dns_name_issubdomain(), dns_nsec3_noexistnodata(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_trust_secure, DNS_VALIDATOR_CLOSESTENCLOSER, DNS_VALIDATOR_NODATAPROOF, DNS_VALIDATOR_NOQNAMEPROOF, dns_wildcardname, dns_validator::event, FOUNDCLOSEST, FOUNDNODATA, FOUNDNOQNAME, ISC_FALSE, ISC_LOG_DEBUG, ISC_R_IGNORE, ISC_R_NOMORE, ISC_R_SUCCESS, dns_validatorevent::message, dns_validatorevent::name, name, namebuf, NEEDNODATA, NEEDNOWILDCARD, POST, dns_validatorevent::proofs, RUNTIME_CHECK, dns_rdataset::trust, dns_validatorevent::type, dns_rdataset::type, val_rdataset_first(), val_rdataset_next(), VALATTR_FOUNDCLOSEST, VALATTR_FOUNDNODATA, VALATTR_FOUNDNOQNAME, VALATTR_FOUNDOPTOUT, VALATTR_FOUNDUNKNOWN, validator_log(), and dns_validator::wild.

Referenced by nsecvalidate().

static isc_result_t validate_authority ( dns_validator_t val,
isc_boolean_t  resume 
) [static]

Validate the authority section records.

Definition at line 2627 of file validator.c.

References dns_validator::authcount, authvalidated(), create_validator(), dns_validator::currentset, dns_message_currentname(), dns_message_firstname(), dns_message_nextname(), dns_name_equal(), dns_nsec_typepresent(), DNS_R_WAIT, DNS_RDATA_INIT, dns_rdataset_current(), dns_rdataset_first(), DNS_SECTION_AUTHORITY, dns_validator::event, ISC_FALSE, ISC_LIST_HEAD, ISC_LIST_NEXT, ISC_R_NOMORE, ISC_R_SUCCESS, dns_validatorevent::message, dns_validatorevent::name, name, dns_validatorevent::type, and dns_rdataset::type.

Referenced by nsecvalidate().

static isc_result_t validate_ncache ( dns_validator_t val,
isc_boolean_t  resume 
) [static]

Validate the ncache elements.

Definition at line 2712 of file validator.c.

References dns_validator::authcount, authvalidated(), create_validator(), dns_validator::currentset, dns_fixedname_init, dns_fixedname_name, dns_name_equal(), dns_ncache_current(), dns_ncache_getsigrdataset(), dns_nsec_typepresent(), DNS_R_WAIT, DNS_RDATA_INIT, dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_validator::event, dns_validator::fname, dns_validator::frdataset, dns_validator::fsigrdataset, ISC_R_NOMORE, ISC_R_SUCCESS, dns_validatorevent::name, name, dns_validatorevent::rdataset, dns_validatorevent::type, and dns_rdataset::type.

Referenced by nsecvalidate().

static isc_boolean_t check_ds ( dns_validator_t val,
dns_name_t name,
dns_rdataset_t rdataset 
) [static]

Definition at line 2881 of file validator.c.

References DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), dns_resolver_algorithm_supported(), dns_resolver_ds_digest_supported(), ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_view::resolver, RUNTIME_CHECK, and dns_validator::view.

Referenced by proveunsecure().

static void dlvvalidated ( isc_task_t task,
isc_event_t event 
) [static]

Definition at line 2906 of file validator.c.

References CANCELED, destroy(), dns_validator::dlv, dlv_algorithm_supported(), dlv_validator_start(), DNS_EVENT_VALIDATORDONE, DNS_R_BROKENCHAIN, dns_rdataset_clone(), dns_rdataset_expire(), dns_rdataset_isassociated(), dns_trust_totext(), dns_validator_destroy(), dns_validator::event, exit_check(), dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, INSIST, isc_event_free(), ISC_LOG_DEBUG, ISC_R_CANCELED, ISC_R_SUCCESS, isc_result_totext(), ISC_TRUE, dns_validator::lock, LOCK, markanswer(), dns_validatorevent::result, dns_validator::subvalidator, dns_rdataset::trust, UNLOCK, UNUSED, validator_done(), and validator_log().

Referenced by finddlvsep().

static void dlvfetched ( isc_task_t task,
isc_event_t event 
) [static]

Callback from fetching a DLV record.

Resumes the DLV lookup process.

Definition at line 2964 of file validator.c.

References destroy(), dns_validator::dlv, dlv_algorithm_supported(), dlv_validator_start(), dns_validator::dlvsep, dns_db_detach(), dns_db_detachnode(), DNS_EVENT_FETCHDONE, dns_fixedname_name, dns_name_format(), DNS_NAME_FORMATSIZE, DNS_R_NCACHENXDOMAIN, DNS_R_NCACHENXRRSET, DNS_R_NXDOMAIN, DNS_R_NXRRSET, DNS_R_WAIT, dns_rdataset_clone(), dns_rdataset_disassociate(), dns_rdataset_isassociated(), dns_resolver_destroyfetch(), dns_result_totext(), dns_validator::event, exit_check(), dns_validator::fetch, finddlvsep(), dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, INSIST, isc_event_free(), ISC_LOG_DEBUG, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, dns_validator::lock, LOCK, markanswer(), namebuf, UNLOCK, UNUSED, validator_done(), and validator_log().

Referenced by finddlvsep().

static void validator_start ( isc_task_t task,
isc_event_t event 
) [static]

Start the validation process.

Attempt to validate the answer based on the category it appears to fall in.

Note that an answer which appears to be a secure positive answer may actually be an unsecure positive answer.

Definition at line 3609 of file validator.c.

References dns_validator::attributes, dns_rdataset::covers, destroy(), DLVTRIED, DNS_EVENT_VALIDATORSTART, DNS_R_NOTINSECURE, DNS_R_NOVALIDSIG, DNS_R_WAIT, dns_rcode_nxdomain, dns_rdataset_isassociated(), dns_rootname, DNS_VALIDATOR_DLV, dns_validator::event, exit_check(), INSIST, ISC_FALSE, ISC_LOG_DEBUG, ISC_LOG_INFO, ISC_R_FAILURE, dns_validator::lock, LOCK, dns_validatorevent::message, NEGATIVE, nsecvalidate(), dns_validator::options, proveunsecure(), dns_message::rcode, dns_validatorevent::rdataset, REQUIRE, dns_validatorevent::sigrdataset, start_positive_validation(), startfinddlvsep(), dns_rdataset::type, UNLOCK, UNUSED, VALATTR_INSECURITY, VALATTR_NEEDNODATA, VALATTR_NEEDNOQNAME, VALATTR_NEEDNOWILDCARD, VALATTR_TRIEDVERIFY, dns_validatorevent::validator, validator_done(), and validator_log().

Referenced by dns_validator_create().

isc_result_t dns_validator_create ( dns_view_t view,
dns_name_t name,
dns_rdatatype_t  type,
dns_rdataset_t rdataset,
dns_rdataset_t sigrdataset,
dns_message_t message,
unsigned int  options,
isc_task_t task,
isc_taskaction_t  action,
void *  arg,
dns_validator_t **  validatorp 
)

Start a DNSSEC validation.

This validates a response to the question given by 'name' and 'type'.

To validate a positive response, the response data is given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' is NULL, the data is presumed insecure and an attempt is made to prove its insecurity by finding the appropriate null key.

The complete response message may be given in 'message', to make available any authority section NSECs that may be needed for validation of a response resulting from a wildcard expansion (though no such wildcard validation is implemented yet). If the complete response message is not available, 'message' is NULL.

To validate a negative response, the complete negative response message is given in 'message'. The 'rdataset', and 'sigrdataset' arguments must be NULL, but the 'name' and 'type' arguments must be provided.

The validation is performed in the context of 'view'.

When the validation finishes, a dns_validatorevent_t with the given 'action' and 'arg' is sent to 'task'. Its 'result' field will be ISC_R_SUCCESS iff the response was successfully proven to be either secure or part of a known insecure domain.

options: If DNS_VALIDATOR_DLV is set the caller knows there is not a trusted key and the validator should immediately attempt to validate the answer by looking for an appropriate DLV RRset.

Definition at line 3724 of file validator.c.

References dns_validator::action, dns_validator::arg, dns_validator::attributes, dns_validator::authcount, dns_validator::authfail, dns_validator::closest, dns_validator::currentset, dns_validator::depth, DESTROYLOCK, dns_validator::dlv, DNS_EVENT_VALIDATORSTART, dns_fixedname_init, dns_rdataset_init(), dns_resolver_getmustbesecure(), DNS_VALIDATOR_DEFER, dns_view_getsecroots(), dns_view_weakattach(), dns_view_weakdetach(), dns_validator::dsset, dns_validator::event, dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, isc_event_allocate(), isc_event_free(), ISC_EVENT_PTR, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_FAILURE, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_stdtime_get(), isc_task_attach(), isc_task_detach(), isc_task_send(), dns_validator::key, dns_validator::keynode, dns_validator::keyset, dns_validator::keytable, dns_validator::labels, dns_validator::lock, dns_validator::magic, dns_view::mctx, dns_validator::mustbesecure, dns_validator::nearest, dns_validator::options, dns_validator::parent, dns_validatorevent::proofs, REQUIRE, dns_view::resolver, dns_validator::seensig, dns_validator::siginfo, dns_validator::start, dns_validator::subvalidator, dns_validator::task, VALIDATOR_MAGIC, validator_start(), dns_validator::view, and dns_validator::wild.

Referenced by create_validator(), and valcreate().

void dns_validator_send ( dns_validator_t validator  ) 

Send a deferred validation request.

Requires: 'validator' points to a valid DNSSEC validator.

Definition at line 3828 of file validator.c.

References DNS_VALIDATOR_DEFER, dns_validator::event, INSIST, ISC_EVENT_PTR, isc_task_send(), dns_validator::lock, LOCK, dns_validator::options, REQUIRE, dns_validator::task, UNLOCK, and VALID_VALIDATOR.

void dns_validator_cancel ( dns_validator_t validator  ) 

Cancel a DNSSEC validation in progress.

Requires:

Ensures:

Definition at line 3843 of file validator.c.

References dns_validator::attributes, dns_resolver_cancelfetch(), dns_resolver_destroyfetch(), dns_validator_cancel(), DNS_VALIDATOR_DEFER, dns_validator::event, dns_validator::fetch, ISC_LOG_DEBUG, ISC_R_CANCELED, dns_validator::lock, LOCK, dns_validator::options, REQUIRE, dns_validator::subvalidator, UNLOCK, VALATTR_CANCELED, VALID_VALIDATOR, validator_done(), and validator_log().

Referenced by dns_validator_cancel(), fctx_doshutdown(), and maybe_destroy().

void dns_validator_destroy ( dns_validator_t **  validatorp  ) 

Destroy a DNSSEC validator.

Requires:

Ensures:

Definition at line 3907 of file validator.c.

References dns_validator::attributes, destroy(), exit_check(), ISC_FALSE, ISC_LOG_DEBUG, dns_validator::lock, LOCK, REQUIRE, UNLOCK, VALATTR_SHUTDOWN, VALID_VALIDATOR, and validator_log().

Referenced by authvalidated(), cnamevalidated(), destroy(), dlvvalidated(), dsvalidated(), and keyvalidated().

