1 /* 2 * securechasetrace.c 3 * Where all the hard work concerning secure tracing is done 4 * 5 * (c) 2005, 2006 NLnet Labs 6 * 7 * See the file LICENSE for the license 8 * 9 */ 10 11 #include "drill.h" 12 #include <ldns/ldns.h> 13 14 #define SELF "[S]" /* self sig ok */ 15 #define TRUST "[T]" /* chain from parent */ 16 #define BOGUS "[B]" /* bogus */ 17 #define UNSIGNED "[U]" /* no relevant dnssec data found */ 18 19 #if 0 20 /* See if there is a key/ds in trusted that matches 21 * a ds in *ds. 22 */ 23 static ldns_rr_list * 24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted) 25 { 26 size_t i, j; 27 bool match; 28 ldns_rr *rr_i, *rr_j; 29 ldns_rr_list *keys; 30 31 if (!trusted || !ds) { 32 return NULL; 33 } 34 35 match = false; 36 keys = ldns_rr_list_new(); 37 if (!keys) { 38 return NULL; 39 } 40 41 if (!ds || !trusted) { 42 return NULL; 43 } 44 45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) { 46 rr_i = ldns_rr_list_rr(trusted, i); 47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) { 48 49 rr_j = ldns_rr_list_rr(ds, j); 50 if (ldns_rr_compare_ds(rr_i, rr_j)) { 51 match = true; 52 /* only allow unique RRs to match */ 53 ldns_rr_set_push_rr(keys, rr_i); 54 } 55 } 56 } 57 if (match) { 58 return keys; 59 } else { 60 return NULL; 61 } 62 } 63 #endif 64 65 ldns_pkt * 66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 67 { 68 ldns_pkt *p = NULL; 69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 70 if (!p) { 71 return NULL; 72 } else { 73 if (verbosity >= 5) { 74 ldns_pkt_print(stdout, p); 75 } 76 return p; 77 } 78 } 79 80 #ifdef HAVE_SSL 81 /* 82 * retrieve keys for this zone 83 */ 84 static ldns_pkt_type 85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 86 { 87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig); 88 } 89 90 /* 91 * check to see if we can find a DS rrset here which we can then follow 92 */ 93 static ldns_pkt_type 94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 95 { 96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig); 97 } 98 #endif /* HAVE_SSL */ 99 100 void 101 remove_resolver_nameservers(ldns_resolver *res) 102 { 103 ldns_rdf *pop; 104 105 /* remove the old nameserver from the resolver */ 106 while((pop = ldns_resolver_pop_nameserver(res))) { 107 ldns_rdf_deep_free(pop); 108 } 109 110 } 111 112 void 113 show_current_nameservers(FILE *out, ldns_resolver *res) 114 { 115 size_t i; 116 fprintf(out, "Current nameservers for resolver object:\n"); 117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) { 118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]); 119 fprintf(out, "\n"); 120 } 121 } 122 123 /*ldns_pkt **/ 124 #ifdef HAVE_SSL 125 int 126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name 128 ) 129 { 130 ldns_resolver *res; 131 ldns_pkt *p, *local_p; 132 ldns_rr_list *new_nss_a; 133 ldns_rr_list *new_nss_aaaa; 134 ldns_rr_list *new_nss; 135 ldns_rr_list *ns_addr; 136 uint16_t loop_count; 137 ldns_rdf *pop; 138 ldns_rdf **labels = NULL; 139 ldns_status status, st; 140 ssize_t i; 141 size_t j; 142 size_t k; 143 size_t l; 144 uint8_t labels_count; 145 ldns_pkt_type pt; 146 147 /* dnssec */ 148 ldns_rr_list *key_list; 149 ldns_rr_list *key_sig_list; 150 ldns_rr_list *ds_list; 151 ldns_rr_list *ds_sig_list; 152 ldns_rr_list *correct_key_list; 153 ldns_rr_list *trusted_ds_rrs; 154 bool new_keys_trusted = false; 155 ldns_rr_list *current_correct_keys; 156 ldns_rr_list *dataset; 157 158 ldns_rr_list *nsec_rrs = NULL; 159 ldns_rr_list *nsec_rr_sigs = NULL; 160 161 /* empty non-terminal check */ 162 bool ent; 163 164 /* glue handling */ 165 ldns_rr_list *new_ns_addr; 166 ldns_rr_list *old_ns_addr; 167 ldns_rr *ns_rr; 168 169 int result = 0; 170 171 /* printing niceness */ 172 const ldns_rr_descriptor *descriptor; 173 174 descriptor = ldns_rr_descript(t); 175 176 loop_count = 0; 177 new_nss_a = NULL; 178 new_nss_aaaa = NULL; 179 new_nss = NULL; 180 ns_addr = NULL; 181 key_list = NULL; 182 ds_list = NULL; 183 pt = LDNS_PACKET_UNKNOWN; 184 185 p = NULL; 186 local_p = NULL; 187 res = ldns_resolver_new(); 188 key_sig_list = NULL; 189 ds_sig_list = NULL; 190 191 if (!res) { 192 error("Memory allocation failed"); 193 result = -1; 194 return result; 195 } 196 197 correct_key_list = ldns_rr_list_new(); 198 if (!correct_key_list) { 199 error("Memory allocation failed"); 200 result = -1; 201 return result; 202 } 203 204 trusted_ds_rrs = ldns_rr_list_new(); 205 if (!trusted_ds_rrs) { 206 error("Memory allocation failed"); 207 result = -1; 208 return result; 209 } 210 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */ 211 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 212 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j); 213 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) { 214 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr)); 215 } 216 } 217 218 /* transfer some properties of local_res to res */ 219 ldns_resolver_set_ip6(res, 220 ldns_resolver_ip6(local_res)); 221 ldns_resolver_set_port(res, 222 ldns_resolver_port(local_res)); 223 ldns_resolver_set_debug(res, 224 ldns_resolver_debug(local_res)); 225 ldns_resolver_set_fail(res, 226 ldns_resolver_fail(local_res)); 227 ldns_resolver_set_usevc(res, 228 ldns_resolver_usevc(local_res)); 229 ldns_resolver_set_random(res, 230 ldns_resolver_random(local_res)); 231 ldns_resolver_set_recursive(local_res, true); 232 233 ldns_resolver_set_recursive(res, false); 234 ldns_resolver_set_dnssec_cd(res, false); 235 ldns_resolver_set_dnssec(res, true); 236 237 /* setup the root nameserver in the new resolver */ 238 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 239 if (status != LDNS_STATUS_OK) { 240 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 241 ldns_rr_list_print(stdout, global_dns_root); 242 return status; 243 } 244 labels_count = ldns_dname_label_count(name); 245 if (start_name) { 246 if (ldns_dname_is_subdomain(name, start_name)) { 247 labels_count -= ldns_dname_label_count(start_name); 248 } else { 249 fprintf(stderr, "Error; "); 250 ldns_rdf_print(stderr, name); 251 fprintf(stderr, " is not a subdomain of "); 252 ldns_rdf_print(stderr, start_name); 253 fprintf(stderr, "\n"); 254 goto done; 255 } 256 } 257 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); 258 if (!labels) { 259 goto done; 260 } 261 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 262 labels[1] = ldns_rdf_clone(name); 263 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 264 labels[i] = ldns_dname_left_chop(labels[i - 1]); 265 } 266 /* if no servers is given with @, start by asking local resolver */ 267 /* first part todo :) */ 268 for (i = 0; i < (ssize_t) ldns_resolver_nameserver_count(local_res); i++) { 269 (void) ldns_resolver_push_nameserver(res, ldns_resolver_nameservers(local_res)[i]); 270 } 271 272 /* get the nameserver for the label 273 * ask: dnskey and ds for the label 274 */ 275 for(i = (ssize_t)labels_count + 1; i > 0; i--) { 276 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 277 278 if (verbosity >= 5) { 279 ldns_pkt_print(stdout, local_p); 280 } 281 282 new_nss = ldns_pkt_rr_list_by_type(local_p, 283 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 284 if (!new_nss) { 285 /* if it's a delegation, servers put them in the auth section */ 286 new_nss = ldns_pkt_rr_list_by_type(local_p, 287 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 288 } 289 290 /* if this is the final step there might not be nameserver records 291 of course if the data is in the apex, there are, so cover both 292 cases */ 293 if (new_nss || i > 1) { 294 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 295 ns_rr = ldns_rr_list_rr(new_nss, j); 296 pop = ldns_rr_rdf(ns_rr, 0); 297 if (!pop) { 298 printf("nopo\n"); 299 break; 300 } 301 /* retrieve it's addresses */ 302 /* trust glue? */ 303 new_ns_addr = NULL; 304 if (ldns_dname_is_subdomain(pop, labels[i])) { 305 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 306 } 307 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 308 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 309 } 310 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 311 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 312 } 313 314 if (new_ns_addr) { 315 old_ns_addr = ns_addr; 316 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 317 ldns_rr_list_deep_free(old_ns_addr); 318 } 319 ldns_rr_list_deep_free(new_ns_addr); 320 } 321 ldns_rr_list_deep_free(new_nss); 322 323 if (ns_addr) { 324 remove_resolver_nameservers(res); 325 326 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 327 LDNS_STATUS_OK) { 328 error("Error adding new nameservers"); 329 ldns_pkt_free(local_p); 330 goto done; 331 } 332 ldns_rr_list_deep_free(ns_addr); 333 } else { 334 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 335 336 /* verify the nsec3 themselves*/ 337 if (verbosity >= 4) { 338 printf("NSEC(3) Records to verify:\n"); 339 ldns_rr_list_print(stdout, nsec_rrs); 340 printf("With signatures:\n"); 341 ldns_rr_list_print(stdout, nsec_rr_sigs); 342 printf("correct keys:\n"); 343 ldns_rr_list_print(stdout, correct_key_list); 344 } 345 346 if (status == LDNS_STATUS_OK) { 347 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 348 fprintf(stdout, "%s ", TRUST); 349 fprintf(stdout, "Existence denied: "); 350 ldns_rdf_print(stdout, labels[i]); 351 /* 352 if (descriptor && descriptor->_name) { 353 printf(" %s", descriptor->_name); 354 } else { 355 printf(" TYPE%u", t); 356 } 357 */ fprintf(stdout, " NS\n"); 358 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 359 fprintf(stdout, "%s ", SELF); 360 fprintf(stdout, "Existence denied: "); 361 ldns_rdf_print(stdout, labels[i]); 362 /* 363 if (descriptor && descriptor->_name) { 364 printf(" %s", descriptor->_name); 365 } else { 366 printf(" TYPE%u", t); 367 } 368 */ 369 fprintf(stdout, " NS\n"); 370 } else { 371 fprintf(stdout, "%s ", BOGUS); 372 result = 1; 373 printf(";; Error verifying denial of existence for name "); 374 ldns_rdf_print(stdout, labels[i]); 375 /* 376 printf(" type "); 377 if (descriptor && descriptor->_name) { 378 printf("%s", descriptor->_name); 379 } else { 380 printf("TYPE%u", t); 381 } 382 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 383 } 384 } else { 385 fprintf(stdout, "%s ", BOGUS); 386 result = 1; 387 printf(";; Error verifying denial of existence for name "); 388 ldns_rdf_print(stdout, labels[i]); 389 printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 390 } 391 392 /* there might be an empty non-terminal, in which case we need to continue */ 393 ent = false; 394 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 395 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) { 396 ent = true; 397 } 398 } 399 if (!ent) { 400 ldns_rr_list_deep_free(nsec_rrs); 401 ldns_rr_list_deep_free(nsec_rr_sigs); 402 ldns_pkt_free(local_p); 403 goto done; 404 } else { 405 printf(";; There is an empty non-terminal here, continue\n"); 406 continue; 407 } 408 goto done; 409 } 410 411 if (ldns_resolver_nameserver_count(res) == 0) { 412 error("No nameservers found for this node"); 413 goto done; 414 } 415 } 416 ldns_pkt_free(local_p); 417 418 fprintf(stdout, ";; Domain: "); 419 ldns_rdf_print(stdout, labels[i]); 420 fprintf(stdout, "\n"); 421 422 /* retrieve keys for current domain, and verify them 423 if they match an already trusted DS, or if one of the 424 keys used to sign these is trusted, add the keys to 425 the trusted list */ 426 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 427 pt = get_key(p, labels[i], &key_list, &key_sig_list); 428 if (key_sig_list) { 429 if (key_list) { 430 current_correct_keys = ldns_rr_list_new(); 431 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 432 LDNS_STATUS_OK) { 433 /* add all signed keys (don't just add current_correct, you'd miss 434 * the zsk's then */ 435 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 436 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 437 } 438 439 /* check whether these keys were signed 440 * by a trusted keys. if so, these 441 * keys are also trusted */ 442 new_keys_trusted = false; 443 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 444 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 445 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 446 ldns_rr_list_rr(trusted_ds_rrs, j))) { 447 new_keys_trusted = true; 448 } 449 } 450 } 451 452 /* also all keys are trusted if one of the current correct keys is trusted */ 453 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 454 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 455 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 456 ldns_rr_list_rr(trusted_keys, j)) == 0) { 457 new_keys_trusted = true; 458 } 459 } 460 } 461 462 463 if (new_keys_trusted) { 464 ldns_rr_list_push_rr_list(trusted_keys, key_list); 465 print_rr_list_abbr(stdout, key_list, TRUST); 466 ldns_rr_list_free(key_list); 467 key_list = NULL; 468 } else { 469 if (verbosity >= 2) { 470 printf(";; Signature ok but no chain to a trusted key or ds record\n"); 471 } 472 print_rr_list_abbr(stdout, key_list, SELF); 473 ldns_rr_list_deep_free(key_list); 474 key_list = NULL; 475 } 476 } else { 477 print_rr_list_abbr(stdout, key_list, BOGUS); 478 result = 2; 479 ldns_rr_list_deep_free(key_list); 480 key_list = NULL; 481 } 482 ldns_rr_list_free(current_correct_keys); 483 current_correct_keys = NULL; 484 } else { 485 printf(";; No DNSKEY record found for "); 486 ldns_rdf_print(stdout, labels[i]); 487 printf("\n"); 488 } 489 } 490 491 ldns_pkt_free(p); 492 ldns_rr_list_deep_free(key_sig_list); 493 key_sig_list = NULL; 494 495 /* check the DS records for the next child domain */ 496 if (i > 1) { 497 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 498 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 499 if (!ds_list) { 500 ldns_pkt_free(p); 501 if (ds_sig_list) { 502 ldns_rr_list_deep_free(ds_sig_list); 503 } 504 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); 505 pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 506 } 507 if (ds_sig_list) { 508 if (ds_list) { 509 if (verbosity >= 4) { 510 printf("VERIFYING:\n"); 511 printf("DS LIST:\n"); 512 ldns_rr_list_print(stdout, ds_list); 513 printf("SIGS:\n"); 514 ldns_rr_list_print(stdout, ds_sig_list); 515 printf("KEYS:\n"); 516 ldns_rr_list_print(stdout, correct_key_list); 517 } 518 519 current_correct_keys = ldns_rr_list_new(); 520 521 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 522 LDNS_STATUS_OK) { 523 /* if the ds is signed by a trusted key and a key from correct keys 524 matches that ds, add that key to the trusted keys */ 525 new_keys_trusted = false; 526 if (verbosity >= 2) { 527 printf("Checking if signing key is trusted:\n"); 528 } 529 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 530 if (verbosity >= 2) { 531 printf("New key: "); 532 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 533 } 534 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 535 if (verbosity >= 2) { 536 printf("\tTrusted key: "); 537 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 538 } 539 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 540 ldns_rr_list_rr(trusted_keys, k)) == 0) { 541 if (verbosity >= 2) { 542 printf("Key is now trusted!\n"); 543 } 544 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 545 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 546 new_keys_trusted = true; 547 } 548 } 549 } 550 } 551 if (new_keys_trusted) { 552 print_rr_list_abbr(stdout, ds_list, TRUST); 553 } else { 554 print_rr_list_abbr(stdout, ds_list, SELF); 555 } 556 } else { 557 result = 3; 558 print_rr_list_abbr(stdout, ds_list, BOGUS); 559 } 560 561 ldns_rr_list_free(current_correct_keys); 562 current_correct_keys = NULL; 563 } else { 564 /* wait apparently there were no keys either, go back to the ds packet */ 565 ldns_pkt_free(p); 566 ldns_rr_list_deep_free(ds_sig_list); 567 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 568 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 569 570 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 571 572 if (verbosity >= 4) { 573 printf("NSEC(3) Records to verify:\n"); 574 ldns_rr_list_print(stdout, nsec_rrs); 575 printf("With signatures:\n"); 576 ldns_rr_list_print(stdout, nsec_rr_sigs); 577 printf("correct keys:\n"); 578 ldns_rr_list_print(stdout, correct_key_list); 579 } 580 581 if (status == LDNS_STATUS_OK) { 582 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 583 fprintf(stdout, "%s ", TRUST); 584 fprintf(stdout, "Existence denied: "); 585 ldns_rdf_print(stdout, labels[i-1]); 586 printf(" DS"); 587 fprintf(stdout, "\n"); 588 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 589 fprintf(stdout, "%s ", SELF); 590 fprintf(stdout, "Existence denied: "); 591 ldns_rdf_print(stdout, labels[i-1]); 592 printf(" DS"); 593 fprintf(stdout, "\n"); 594 } else { 595 result = 4; 596 fprintf(stdout, "%s ", BOGUS); 597 printf("Error verifying denial of existence for "); 598 ldns_rdf_print(stdout, labels[i-1]); 599 printf(" DS"); 600 printf(": %s\n", ldns_get_errorstr_by_id(st)); 601 } 602 603 604 } else { 605 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 606 printf(";; No DS for "); 607 ldns_rdf_print(stdout, labels[i - 1]); 608 } else { 609 printf("[B] Unable to verify denial of existence for "); 610 ldns_rdf_print(stdout, labels[i - 1]); 611 printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 612 } 613 } 614 if (verbosity >= 2) { 615 printf(";; No ds record for delegation\n"); 616 } 617 } 618 } 619 ldns_rr_list_deep_free(ds_list); 620 ldns_pkt_free(p); 621 } else { 622 /* if this is the last label, just verify the data and stop */ 623 p = get_dnssec_pkt(res, labels[i], t); 624 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 625 if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 626 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 627 628 /* If this is a wildcard, you must be able to deny exact match */ 629 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 630 fprintf(stdout, "%s ", TRUST); 631 ldns_rr_list_print(stdout, dataset); 632 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 633 fprintf(stdout, "%s ", SELF); 634 ldns_rr_list_print(stdout, dataset); 635 } else { 636 result = 5; 637 fprintf(stdout, "%s ", BOGUS); 638 ldns_rr_list_print(stdout, dataset); 639 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 640 } 641 } else { 642 fprintf(stdout, "%s ", UNSIGNED); 643 ldns_rr_list_print(stdout, dataset); 644 } 645 ldns_rr_list_deep_free(dataset); 646 } else { 647 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 648 if (status == LDNS_STATUS_OK) { 649 /* verify the nsec3 themselves*/ 650 if (verbosity >= 5) { 651 printf("NSEC(3) Records to verify:\n"); 652 ldns_rr_list_print(stdout, nsec_rrs); 653 printf("With signatures:\n"); 654 ldns_rr_list_print(stdout, nsec_rr_sigs); 655 printf("correct keys:\n"); 656 ldns_rr_list_print(stdout, correct_key_list); 657 /* 658 printf("trusted keys at %p:\n", trusted_keys); 659 ldns_rr_list_print(stdout, trusted_keys); 660 */ } 661 662 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 663 fprintf(stdout, "%s ", TRUST); 664 fprintf(stdout, "Existence denied: "); 665 ldns_rdf_print(stdout, name); 666 if (descriptor && descriptor->_name) { 667 printf(" %s", descriptor->_name); 668 } else { 669 printf(" TYPE%u", t); 670 } 671 fprintf(stdout, "\n"); 672 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 673 fprintf(stdout, "%s ", SELF); 674 fprintf(stdout, "Existence denied: "); 675 ldns_rdf_print(stdout, name); 676 if (descriptor && descriptor->_name) { 677 printf(" %s", descriptor->_name); 678 } else { 679 printf(" TYPE%u", t); 680 } 681 fprintf(stdout, "\n"); 682 } else { 683 result = 6; 684 fprintf(stdout, "%s ", BOGUS); 685 printf("Error verifying denial of existence for "); 686 ldns_rdf_print(stdout, name); 687 printf(" type "); 688 if (descriptor && descriptor->_name) { 689 printf("%s", descriptor->_name); 690 } else { 691 printf("TYPE%u", t); 692 } 693 printf(": %s\n", ldns_get_errorstr_by_id(st)); 694 } 695 696 ldns_rr_list_deep_free(nsec_rrs); 697 ldns_rr_list_deep_free(nsec_rr_sigs); 698 } else { 699 /* 700 */ 701 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 702 printf("%s ", UNSIGNED); 703 printf("No data found for: "); 704 ldns_rdf_print(stdout, name); 705 printf(" type "); 706 if (descriptor && descriptor->_name) { 707 printf("%s", descriptor->_name); 708 } else { 709 printf("TYPE%u", t); 710 } 711 printf("\n"); 712 } else { 713 printf("[B] Unable to verify denial of existence for "); 714 ldns_rdf_print(stdout, name); 715 printf(" type "); 716 if (descriptor && descriptor->_name) { 717 printf("%s", descriptor->_name); 718 } else { 719 printf("TYPE%u", t); 720 } 721 printf("\n"); 722 } 723 724 } 725 } 726 ldns_pkt_free(p); 727 } 728 729 new_nss_aaaa = NULL; 730 new_nss_a = NULL; 731 new_nss = NULL; 732 ns_addr = NULL; 733 ldns_rr_list_deep_free(key_list); 734 key_list = NULL; 735 ldns_rr_list_deep_free(key_sig_list); 736 key_sig_list = NULL; 737 ds_list = NULL; 738 ldns_rr_list_deep_free(ds_sig_list); 739 ds_sig_list = NULL; 740 } 741 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); 742 /* verbose mode? 743 printf("Trusted keys:\n"); 744 ldns_rr_list_print(stdout, trusted_keys); 745 printf("trusted dss:\n"); 746 ldns_rr_list_print(stdout, trusted_ds_rrs); 747 */ 748 749 done: 750 ldns_rr_list_deep_free(trusted_ds_rrs); 751 ldns_rr_list_deep_free(correct_key_list); 752 ldns_resolver_deep_free(res); 753 if (labels) { 754 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 755 ldns_rdf_deep_free(labels[i]); 756 } 757 LDNS_FREE(labels); 758 } 759 return result; 760 } 761 #endif /* HAVE_SSL */ 762