1 /* $NetBSD: validator.h,v 1.6 2014/12/10 04:37:58 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2004-2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") 5 * Copyright (C) 2000-2003 Internet Software Consortium. 6 * 7 * Permission to use, copy, modify, and/or distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 * PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 /* Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp */ 21 22 #ifndef DNS_VALIDATOR_H 23 #define DNS_VALIDATOR_H 1 24 25 /***** 26 ***** Module Info 27 *****/ 28 29 /*! \file dns/validator.h 30 * 31 * \brief 32 * DNS Validator 33 * This is the BIND 9 validator, the module responsible for validating the 34 * rdatasets and negative responses (messages). It makes use of zones in 35 * the view and may fetch RRset to complete trust chains. It implements 36 * DNSSEC as specified in RFC 4033, 4034 and 4035. 37 * 38 * It can also optionally implement ISC's DNSSEC look-aside validation. 39 * 40 * Correct operation is critical to preventing spoofed answers from secure 41 * zones being accepted. 42 * 43 * MP: 44 *\li The module ensures appropriate synchronization of data structures it 45 * creates and manipulates. 46 * 47 * Reliability: 48 *\li No anticipated impact. 49 * 50 * Resources: 51 *\li TBS 52 * 53 * Security: 54 *\li No anticipated impact. 55 * 56 * Standards: 57 *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. 58 */ 59 60 #include <isc/lang.h> 61 #include <isc/event.h> 62 #include <isc/mutex.h> 63 64 #include <dns/fixedname.h> 65 #include <dns/types.h> 66 #include <dns/rdataset.h> 67 #include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */ 68 69 #include <dst/dst.h> 70 71 /*% 72 * A dns_validatorevent_t is sent when a 'validation' completes. 73 * \brief 74 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were 75 * supplied when dns_validator_create() was called. They are returned to the 76 * caller so that they may be freed. 77 * 78 * If the RESULT is ISC_R_SUCCESS and the answer is secure then 79 * proofs[] will contain the names of the NSEC records that hold the 80 * various proofs. Note the same name may appear multiple times. 81 */ 82 typedef struct dns_validatorevent { 83 ISC_EVENT_COMMON(struct dns_validatorevent); 84 dns_validator_t * validator; 85 isc_result_t result; 86 /* 87 * Name and type of the response to be validated. 88 */ 89 dns_name_t * name; 90 dns_rdatatype_t type; 91 /* 92 * Rdata and RRSIG (if any) for positive responses. 93 */ 94 dns_rdataset_t * rdataset; 95 dns_rdataset_t * sigrdataset; 96 /* 97 * The full response. Required for negative responses. 98 * Also required for positive wildcard responses. 99 */ 100 dns_message_t * message; 101 /* 102 * Proofs to be cached. 103 */ 104 dns_name_t * proofs[4]; 105 /* 106 * Optout proof seen. 107 */ 108 isc_boolean_t optout; 109 /* 110 * Answer is secure. 111 */ 112 isc_boolean_t secure; 113 } dns_validatorevent_t; 114 115 #define DNS_VALIDATOR_NOQNAMEPROOF 0 116 #define DNS_VALIDATOR_NODATAPROOF 1 117 #define DNS_VALIDATOR_NOWILDCARDPROOF 2 118 #define DNS_VALIDATOR_CLOSESTENCLOSER 3 119 120 /*% 121 * A validator object represents a validation in progress. 122 * \brief 123 * Clients are strongly discouraged from using this type directly, with 124 * the exception of the 'link' field, which may be used directly for 125 * whatever purpose the client desires. 126 */ 127 struct dns_validator { 128 /* Unlocked. */ 129 unsigned int magic; 130 isc_mutex_t lock; 131 dns_view_t * view; 132 /* Locked by lock. */ 133 unsigned int options; 134 unsigned int attributes; 135 dns_validatorevent_t * event; 136 dns_fetch_t * fetch; 137 dns_validator_t * subvalidator; 138 dns_validator_t * parent; 139 dns_keytable_t * keytable; 140 dns_keynode_t * keynode; 141 dst_key_t * key; 142 dns_rdata_rrsig_t * siginfo; 143 isc_task_t * task; 144 isc_taskaction_t action; 145 void * arg; 146 unsigned int labels; 147 dns_rdataset_t * currentset; 148 isc_boolean_t seensig; 149 dns_rdataset_t * keyset; 150 dns_rdataset_t * dsset; 151 dns_rdataset_t * soaset; 152 dns_rdataset_t * nsecset; 153 dns_rdataset_t * nsec3set; 154 dns_name_t * soaname; 155 dns_rdataset_t frdataset; 156 dns_rdataset_t fsigrdataset; 157 dns_fixedname_t fname; 158 dns_fixedname_t wild; 159 dns_fixedname_t nearest; 160 dns_fixedname_t closest; 161 ISC_LINK(dns_validator_t) link; 162 dns_rdataset_t dlv; 163 dns_fixedname_t dlvsep; 164 isc_boolean_t havedlvsep; 165 isc_boolean_t mustbesecure; 166 unsigned int dlvlabels; 167 unsigned int depth; 168 unsigned int authcount; 169 unsigned int authfail; 170 }; 171 172 /*% 173 * dns_validator_create() options. 174 */ 175 #define DNS_VALIDATOR_DLV 0x0001U 176 #define DNS_VALIDATOR_DEFER 0x0002U 177 #define DNS_VALIDATOR_NOCDFLAG 0x0004U 178 179 ISC_LANG_BEGINDECLS 180 181 isc_result_t 182 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, 183 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 184 dns_message_t *message, unsigned int options, 185 isc_task_t *task, isc_taskaction_t action, void *arg, 186 dns_validator_t **validatorp); 187 /*%< 188 * Start a DNSSEC validation. 189 * 190 * This validates a response to the question given by 191 * 'name' and 'type'. 192 * 193 * To validate a positive response, the response data is 194 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' 195 * is NULL, the data is presumed insecure and an attempt 196 * is made to prove its insecurity by finding the appropriate 197 * null key. 198 * 199 * The complete response message may be given in 'message', 200 * to make available any authority section NSECs that may be 201 * needed for validation of a response resulting from a 202 * wildcard expansion (though no such wildcard validation 203 * is implemented yet). If the complete response message 204 * is not available, 'message' is NULL. 205 * 206 * To validate a negative response, the complete negative response 207 * message is given in 'message'. The 'rdataset', and 208 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' 209 * arguments must be provided. 210 * 211 * The validation is performed in the context of 'view'. 212 * 213 * When the validation finishes, a dns_validatorevent_t with 214 * the given 'action' and 'arg' are sent to 'task'. 215 * Its 'result' field will be ISC_R_SUCCESS iff the 216 * response was successfully proven to be either secure or 217 * part of a known insecure domain. 218 * 219 * options: 220 * If DNS_VALIDATOR_DLV is set the caller knows there is not a 221 * trusted key and the validator should immediately attempt to validate 222 * the answer by looking for an appropriate DLV RRset. 223 */ 224 225 void 226 dns_validator_send(dns_validator_t *validator); 227 /*%< 228 * Send a deferred validation request 229 * 230 * Requires: 231 * 'validator' to points to a valid DNSSEC validator. 232 */ 233 234 void 235 dns_validator_cancel(dns_validator_t *validator); 236 /*%< 237 * Cancel a DNSSEC validation in progress. 238 * 239 * Requires: 240 *\li 'validator' points to a valid DNSSEC validator, which 241 * may or may not already have completed. 242 * 243 * Ensures: 244 *\li It the validator has not already sent its completion 245 * event, it will send it with result code ISC_R_CANCELED. 246 */ 247 248 void 249 dns_validator_destroy(dns_validator_t **validatorp); 250 /*%< 251 * Destroy a DNSSEC validator. 252 * 253 * Requires: 254 *\li '*validatorp' points to a valid DNSSEC validator. 255 * \li The validator must have completed and sent its completion 256 * event. 257 * 258 * Ensures: 259 *\li All resources used by the validator are freed. 260 */ 261 262 ISC_LANG_ENDDECLS 263 264 #endif /* DNS_VALIDATOR_H */ 265