1 /*
2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
8 *
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22 #pragma once
23
24 #include "dnsparser.hh"
25 #include "dnsname.hh"
26 #include <vector>
27 #include "namespaces.hh"
28 #include "dnsrecords.hh"
29 #include "dnssecinfra.hh"
30
31 extern bool g_dnssecLOG;
32 extern time_t g_signatureInceptionSkew;
33 extern uint16_t g_maxNSEC3Iterations;
34
35 // 4033 5
36 enum class vState : uint8_t { Indeterminate, Insecure, Secure, NTA, TA, BogusNoValidDNSKEY, BogusInvalidDenial, BogusUnableToGetDSs, BogusUnableToGetDNSKEYs, BogusSelfSignedDS, BogusNoRRSIG, BogusNoValidRRSIG, BogusMissingNegativeIndication, BogusSignatureNotYetValid, BogusSignatureExpired, BogusUnsupportedDNSKEYAlgo, BogusUnsupportedDSDigestType, BogusNoZoneKeyBitSet, BogusRevokedDNSKEY, BogusInvalidDNSKEYProtocol };
37 const std::string& vStateToString(vState state);
vStateIsBogus(vState state)38 inline bool vStateIsBogus(vState state)
39 {
40 return state >= vState::BogusNoValidDNSKEY;
41 }
42
43 // NSEC(3) results
44 enum class dState : uint8_t { NODENIAL, INCONCLUSIVE, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
45
46 std::ostream& operator<<(std::ostream &os, const vState d);
47 std::ostream& operator<<(std::ostream &os, const dState d);
48
49 class DNSRecordOracle
50 {
51 public:
52 virtual std::vector<DNSRecord> get(const DNSName& qname, uint16_t qtype)=0;
53 };
54
55
56 struct ContentSigPair
57 {
58 sortedRecords_t records;
59 vector<shared_ptr<RRSIGRecordContent>> signatures;
60 // ponder adding a validate method that accepts a key
61 };
62 typedef map<pair<DNSName,uint16_t>, ContentSigPair> cspmap_t;
63 typedef std::set<DSRecordContent> dsmap_t;
64
65 struct sharedDNSKeyRecordContentCompare
66 {
operator ()sharedDNSKeyRecordContentCompare67 bool operator() (const shared_ptr<DNSKEYRecordContent>& a, const shared_ptr<DNSKEYRecordContent>& b) const
68 {
69 return *a < *b;
70 }
71 };
72
73 typedef set<shared_ptr<DNSKEYRecordContent>, sharedDNSKeyRecordContentCompare > skeyset_t;
74
75
76 vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& records, const vector<shared_ptr<RRSIGRecordContent> >& signatures, const skeyset_t& keys, bool validateAllSigs=true);
77 bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next);
78 bool isCoveredByNSEC3Hash(const std::string& h, const std::string& beginHash, const std::string& nextHash);
79 bool isCoveredByNSEC3Hash(const DNSName& h, const DNSName& beginHash, const DNSName& nextHash);
80 void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const skeyset_t& keys);
81 cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs);
82 vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, skeyset_t& keyset);
83 bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res);
84 bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const DNSName& zone, std::string& reason);
85 vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<RRSIGRecordContent> >& sigs, skeyset_t& validkeys);
86 dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, bool needsWildcardProof=true, unsigned int wildcardLabelsCount=0);
87 bool isSupportedDS(const DSRecordContent& ds);
88 DNSName getSigner(const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
89 bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords);
90 bool isRRSIGNotExpired(const time_t now, const std::shared_ptr<RRSIGRecordContent>& sig);
91 bool isRRSIGIncepted(const time_t now, const shared_ptr<RRSIGRecordContent>& sig);
92 bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
93 bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
94 void updateDNSSECValidationState(vState& state, const vState stateUpdate);
95
96 dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const std::shared_ptr<NSECRecordContent>& nsec, const std::vector<std::shared_ptr<RRSIGRecordContent>>& signatures);
97
98 bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const std::shared_ptr<NSEC3RecordContent>& nsec3);
99 DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
100 DNSName getClosestEncloserFromNSEC(const DNSName& name, const DNSName& owner, const DNSName& next);
101
isTypeDenied(const NSEC & nsec,const QType & type)102 template <typename NSEC> bool isTypeDenied(const NSEC& nsec, const QType& type)
103 {
104 if (nsec->isSet(type.getCode())) {
105 return false;
106 }
107
108 /* RFC 6840 section 4.3 */
109 if (nsec->isSet(QType::CNAME)) {
110 return false;
111 }
112
113 return true;
114 }
115