1 /* 2 * securechasetrace.c 3 * Where all the hard work concerning secure tracing is done 4 * 5 * (c) 2005, 2006 NLnet Labs 6 * 7 * See the file LICENSE for the license 8 * 9 */ 10 11 #include "drill.h" 12 #include <ldns/ldns.h> 13 14 #define SELF "[S]" /* self sig ok */ 15 #define TRUST "[T]" /* chain from parent */ 16 #define BOGUS "[B]" /* bogus */ 17 #define UNSIGNED "[U]" /* no relevant dnssec data found */ 18 19 #if 0 20 /* See if there is a key/ds in trusted that matches 21 * a ds in *ds. 22 */ 23 static ldns_rr_list * 24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted) 25 { 26 size_t i, j; 27 bool match; 28 ldns_rr *rr_i, *rr_j; 29 ldns_rr_list *keys; 30 31 if (!trusted || !ds) { 32 return NULL; 33 } 34 35 match = false; 36 keys = ldns_rr_list_new(); 37 if (!keys) { 38 return NULL; 39 } 40 41 if (!ds || !trusted) { 42 return NULL; 43 } 44 45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) { 46 rr_i = ldns_rr_list_rr(trusted, i); 47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) { 48 49 rr_j = ldns_rr_list_rr(ds, j); 50 if (ldns_rr_compare_ds(rr_i, rr_j)) { 51 match = true; 52 /* only allow unique RRs to match */ 53 ldns_rr_set_push_rr(keys, rr_i); 54 } 55 } 56 } 57 if (match) { 58 return keys; 59 } else { 60 return NULL; 61 } 62 } 63 #endif 64 65 ldns_pkt * 66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 67 { 68 ldns_pkt *p = NULL; 69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 70 if (!p) { 71 return NULL; 72 } else { 73 if (verbosity >= 5) { 74 ldns_pkt_print(stdout, p); 75 } 76 return p; 77 } 78 } 79 80 #ifdef HAVE_SSL 81 /* 82 * retrieve keys for this zone 83 */ 84 static ldns_pkt_type 85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 86 { 87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig); 88 } 89 90 /* 91 * check to see if we can find a DS rrset here which we can then follow 92 */ 93 static ldns_pkt_type 94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 95 { 96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig); 97 } 98 #endif /* HAVE_SSL */ 99 100 void 101 remove_resolver_nameservers(ldns_resolver *res) 102 { 103 ldns_rdf *pop; 104 105 /* remove the old nameserver from the resolver */ 106 while((pop = ldns_resolver_pop_nameserver(res))) { 107 ldns_rdf_deep_free(pop); 108 } 109 110 } 111 112 void 113 show_current_nameservers(FILE *out, ldns_resolver *res) 114 { 115 size_t i; 116 fprintf(out, "Current nameservers for resolver object:\n"); 117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) { 118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]); 119 fprintf(out, "\n"); 120 } 121 } 122 123 /*ldns_pkt **/ 124 #ifdef HAVE_SSL 125 int 126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name 128 ) 129 { 130 ldns_resolver *res; 131 ldns_pkt *p, *local_p; 132 ldns_rr_list *new_nss_a; 133 ldns_rr_list *new_nss_aaaa; 134 ldns_rr_list *new_nss; 135 ldns_rr_list *ns_addr; 136 uint16_t loop_count; 137 ldns_rdf *pop; 138 ldns_rdf **labels = NULL; 139 ldns_status status, st; 140 ssize_t i; 141 size_t j; 142 size_t k; 143 size_t l; 144 uint8_t labels_count; 145 ldns_pkt_type pt; 146 147 /* dnssec */ 148 ldns_rr_list *key_list; 149 ldns_rr_list *key_sig_list; 150 ldns_rr_list *ds_list; 151 ldns_rr_list *ds_sig_list; 152 ldns_rr_list *correct_key_list; 153 ldns_rr_list *trusted_ds_rrs; 154 bool new_keys_trusted = false; 155 ldns_rr_list *current_correct_keys; 156 ldns_rr_list *dataset; 157 158 ldns_rr_list *nsec_rrs = NULL; 159 ldns_rr_list *nsec_rr_sigs = NULL; 160 161 /* empty non-terminal check */ 162 bool ent; 163 164 /* glue handling */ 165 ldns_rr_list *new_ns_addr; 166 ldns_rr_list *old_ns_addr; 167 ldns_rr *ns_rr; 168 169 int result = 0; 170 171 /* printing niceness */ 172 const ldns_rr_descriptor *descriptor; 173 174 descriptor = ldns_rr_descript(t); 175 176 loop_count = 0; 177 new_nss_a = NULL; 178 new_nss_aaaa = NULL; 179 new_nss = NULL; 180 ns_addr = NULL; 181 key_list = NULL; 182 ds_list = NULL; 183 pt = LDNS_PACKET_UNKNOWN; 184 185 p = NULL; 186 local_p = NULL; 187 res = ldns_resolver_new(); 188 key_sig_list = NULL; 189 ds_sig_list = NULL; 190 191 if (!res) { 192 error("Memory allocation failed"); 193 result = -1; 194 return result; 195 } 196 197 correct_key_list = ldns_rr_list_new(); 198 if (!correct_key_list) { 199 error("Memory allocation failed"); 200 result = -1; 201 return result; 202 } 203 204 trusted_ds_rrs = ldns_rr_list_new(); 205 206 if (!trusted_ds_rrs) { 207 error("Memory allocation failed"); 208 result = -1; 209 return result; 210 } 211 212 /* transfer some properties of local_res to res */ 213 ldns_resolver_set_ip6(res, 214 ldns_resolver_ip6(local_res)); 215 ldns_resolver_set_port(res, 216 ldns_resolver_port(local_res)); 217 ldns_resolver_set_debug(res, 218 ldns_resolver_debug(local_res)); 219 ldns_resolver_set_fail(res, 220 ldns_resolver_fail(local_res)); 221 ldns_resolver_set_usevc(res, 222 ldns_resolver_usevc(local_res)); 223 ldns_resolver_set_random(res, 224 ldns_resolver_random(local_res)); 225 ldns_resolver_set_recursive(local_res, true); 226 227 ldns_resolver_set_recursive(res, false); 228 ldns_resolver_set_dnssec_cd(res, false); 229 ldns_resolver_set_dnssec(res, true); 230 231 /* setup the root nameserver in the new resolver */ 232 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 233 if (status != LDNS_STATUS_OK) { 234 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 235 ldns_rr_list_print(stdout, global_dns_root); 236 return status; 237 } 238 labels_count = ldns_dname_label_count(name); 239 if (start_name) { 240 if (ldns_dname_is_subdomain(name, start_name)) { 241 labels_count -= ldns_dname_label_count(start_name); 242 } else { 243 fprintf(stderr, "Error; "); 244 ldns_rdf_print(stderr, name); 245 fprintf(stderr, " is not a subdomain of "); 246 ldns_rdf_print(stderr, start_name); 247 fprintf(stderr, "\n"); 248 goto done; 249 } 250 } 251 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); 252 if (!labels) { 253 goto done; 254 } 255 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 256 labels[1] = ldns_rdf_clone(name); 257 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 258 labels[i] = ldns_dname_left_chop(labels[i - 1]); 259 } 260 /* if no servers is given with @, start by asking local resolver */ 261 /* first part todo :) */ 262 for (i = 0; i < (ssize_t) ldns_resolver_nameserver_count(local_res); i++) { 263 (void) ldns_resolver_push_nameserver(res, ldns_resolver_nameservers(local_res)[i]); 264 } 265 266 /* get the nameserver for the label 267 * ask: dnskey and ds for the label 268 */ 269 for(i = (ssize_t)labels_count + 1; i > 0; i--) { 270 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 271 272 if (verbosity >= 5) { 273 ldns_pkt_print(stdout, local_p); 274 } 275 276 new_nss = ldns_pkt_rr_list_by_type(local_p, 277 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 278 if (!new_nss) { 279 /* if it's a delegation, servers put them in the auth section */ 280 new_nss = ldns_pkt_rr_list_by_type(local_p, 281 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 282 } 283 284 /* if this is the final step there might not be nameserver records 285 of course if the data is in the apex, there are, so cover both 286 cases */ 287 if (new_nss || i > 1) { 288 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 289 ns_rr = ldns_rr_list_rr(new_nss, j); 290 pop = ldns_rr_rdf(ns_rr, 0); 291 if (!pop) { 292 printf("nopo\n"); 293 break; 294 } 295 /* retrieve it's addresses */ 296 /* trust glue? */ 297 new_ns_addr = NULL; 298 if (ldns_dname_is_subdomain(pop, labels[i])) { 299 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 300 } 301 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 302 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 303 } 304 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 305 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 306 } 307 308 if (new_ns_addr) { 309 old_ns_addr = ns_addr; 310 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 311 ldns_rr_list_deep_free(old_ns_addr); 312 } 313 ldns_rr_list_deep_free(new_ns_addr); 314 } 315 ldns_rr_list_deep_free(new_nss); 316 317 if (ns_addr) { 318 remove_resolver_nameservers(res); 319 320 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 321 LDNS_STATUS_OK) { 322 error("Error adding new nameservers"); 323 ldns_pkt_free(local_p); 324 goto done; 325 } 326 ldns_rr_list_deep_free(ns_addr); 327 } else { 328 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 329 330 /* verify the nsec3 themselves*/ 331 if (verbosity >= 4) { 332 printf("NSEC(3) Records to verify:\n"); 333 ldns_rr_list_print(stdout, nsec_rrs); 334 printf("With signatures:\n"); 335 ldns_rr_list_print(stdout, nsec_rr_sigs); 336 printf("correct keys:\n"); 337 ldns_rr_list_print(stdout, correct_key_list); 338 } 339 340 if (status == LDNS_STATUS_OK) { 341 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 342 fprintf(stdout, "%s ", TRUST); 343 fprintf(stdout, "Existence denied: "); 344 ldns_rdf_print(stdout, labels[i]); 345 /* 346 if (descriptor && descriptor->_name) { 347 printf(" %s", descriptor->_name); 348 } else { 349 printf(" TYPE%u", t); 350 } 351 */ fprintf(stdout, " NS\n"); 352 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 353 fprintf(stdout, "%s ", SELF); 354 fprintf(stdout, "Existence denied: "); 355 ldns_rdf_print(stdout, labels[i]); 356 /* 357 if (descriptor && descriptor->_name) { 358 printf(" %s", descriptor->_name); 359 } else { 360 printf(" TYPE%u", t); 361 } 362 */ 363 fprintf(stdout, " NS\n"); 364 } else { 365 fprintf(stdout, "%s ", BOGUS); 366 result = 1; 367 printf(";; Error verifying denial of existence for name "); 368 ldns_rdf_print(stdout, labels[i]); 369 /* 370 printf(" type "); 371 if (descriptor && descriptor->_name) { 372 printf("%s", descriptor->_name); 373 } else { 374 printf("TYPE%u", t); 375 } 376 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 377 } 378 } else { 379 fprintf(stdout, "%s ", BOGUS); 380 result = 1; 381 printf(";; Error verifying denial of existence for name "); 382 ldns_rdf_print(stdout, labels[i]); 383 printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 384 } 385 386 /* there might be an empty non-terminal, in which case we need to continue */ 387 ent = false; 388 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 389 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) { 390 ent = true; 391 } 392 } 393 if (!ent) { 394 ldns_rr_list_deep_free(nsec_rrs); 395 ldns_rr_list_deep_free(nsec_rr_sigs); 396 ldns_pkt_free(local_p); 397 goto done; 398 } else { 399 printf(";; There is an empty non-terminal here, continue\n"); 400 } 401 goto done; 402 } 403 404 if (ldns_resolver_nameserver_count(res) == 0) { 405 error("No nameservers found for this node"); 406 goto done; 407 } 408 } 409 ldns_pkt_free(local_p); 410 411 fprintf(stdout, ";; Domain: "); 412 ldns_rdf_print(stdout, labels[i]); 413 fprintf(stdout, "\n"); 414 415 /* retrieve keys for current domain, and verify them 416 if they match an already trusted DS, or if one of the 417 keys used to sign these is trusted, add the keys to 418 the trusted list */ 419 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 420 pt = get_key(p, labels[i], &key_list, &key_sig_list); 421 if (key_sig_list) { 422 if (key_list) { 423 current_correct_keys = ldns_rr_list_new(); 424 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 425 LDNS_STATUS_OK) { 426 /* add all signed keys (don't just add current_correct, you'd miss 427 * the zsk's then */ 428 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 429 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 430 } 431 432 /* check whether these keys were signed 433 * by a trusted keys. if so, these 434 * keys are also trusted */ 435 new_keys_trusted = false; 436 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 437 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 438 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 439 ldns_rr_list_rr(trusted_ds_rrs, j))) { 440 new_keys_trusted = true; 441 } 442 } 443 } 444 445 /* also all keys are trusted if one of the current correct keys is trusted */ 446 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 447 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 448 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 449 ldns_rr_list_rr(trusted_keys, j)) == 0) { 450 new_keys_trusted = true; 451 } 452 } 453 } 454 455 456 if (new_keys_trusted) { 457 ldns_rr_list_push_rr_list(trusted_keys, key_list); 458 print_rr_list_abbr(stdout, key_list, TRUST); 459 ldns_rr_list_free(key_list); 460 key_list = NULL; 461 } else { 462 if (verbosity >= 2) { 463 printf(";; Signature ok but no chain to a trusted key or ds record\n"); 464 } 465 print_rr_list_abbr(stdout, key_list, SELF); 466 ldns_rr_list_deep_free(key_list); 467 key_list = NULL; 468 } 469 } else { 470 print_rr_list_abbr(stdout, key_list, BOGUS); 471 result = 2; 472 ldns_rr_list_deep_free(key_list); 473 key_list = NULL; 474 } 475 ldns_rr_list_free(current_correct_keys); 476 current_correct_keys = NULL; 477 } else { 478 printf(";; No DNSKEY record found for "); 479 ldns_rdf_print(stdout, labels[i]); 480 printf("\n"); 481 } 482 } 483 484 ldns_pkt_free(p); 485 ldns_rr_list_deep_free(key_sig_list); 486 key_sig_list = NULL; 487 488 /* check the DS records for the next child domain */ 489 if (i > 1) { 490 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 491 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 492 if (!ds_list) { 493 ldns_pkt_free(p); 494 if (ds_sig_list) { 495 ldns_rr_list_deep_free(ds_sig_list); 496 } 497 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); 498 pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 499 } 500 if (ds_sig_list) { 501 if (ds_list) { 502 if (verbosity >= 4) { 503 printf("VERIFYING:\n"); 504 printf("DS LIST:\n"); 505 ldns_rr_list_print(stdout, ds_list); 506 printf("SIGS:\n"); 507 ldns_rr_list_print(stdout, ds_sig_list); 508 printf("KEYS:\n"); 509 ldns_rr_list_print(stdout, correct_key_list); 510 } 511 512 current_correct_keys = ldns_rr_list_new(); 513 514 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 515 LDNS_STATUS_OK) { 516 /* if the ds is signed by a trusted key and a key from correct keys 517 matches that ds, add that key to the trusted keys */ 518 new_keys_trusted = false; 519 if (verbosity >= 2) { 520 printf("Checking if signing key is trusted:\n"); 521 } 522 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 523 if (verbosity >= 2) { 524 printf("New key: "); 525 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 526 } 527 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 528 if (verbosity >= 2) { 529 printf("\tTrusted key: "); 530 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 531 } 532 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 533 ldns_rr_list_rr(trusted_keys, k)) == 0) { 534 if (verbosity >= 2) { 535 printf("Key is now trusted!\n"); 536 } 537 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 538 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 539 new_keys_trusted = true; 540 } 541 } 542 } 543 } 544 if (new_keys_trusted) { 545 print_rr_list_abbr(stdout, ds_list, TRUST); 546 } else { 547 print_rr_list_abbr(stdout, ds_list, SELF); 548 } 549 } else { 550 result = 3; 551 print_rr_list_abbr(stdout, ds_list, BOGUS); 552 } 553 554 ldns_rr_list_free(current_correct_keys); 555 current_correct_keys = NULL; 556 } else { 557 /* wait apparently there were no keys either, go back to the ds packet */ 558 ldns_pkt_free(p); 559 ldns_rr_list_deep_free(ds_sig_list); 560 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 561 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 562 563 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 564 565 if (verbosity >= 4) { 566 printf("NSEC(3) Records to verify:\n"); 567 ldns_rr_list_print(stdout, nsec_rrs); 568 printf("With signatures:\n"); 569 ldns_rr_list_print(stdout, nsec_rr_sigs); 570 printf("correct keys:\n"); 571 ldns_rr_list_print(stdout, correct_key_list); 572 } 573 574 if (status == LDNS_STATUS_OK) { 575 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 576 fprintf(stdout, "%s ", TRUST); 577 fprintf(stdout, "Existence denied: "); 578 ldns_rdf_print(stdout, labels[i-1]); 579 printf(" DS"); 580 fprintf(stdout, "\n"); 581 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 582 fprintf(stdout, "%s ", SELF); 583 fprintf(stdout, "Existence denied: "); 584 ldns_rdf_print(stdout, labels[i-1]); 585 printf(" DS"); 586 fprintf(stdout, "\n"); 587 } else { 588 result = 4; 589 fprintf(stdout, "%s ", BOGUS); 590 printf("Error verifying denial of existence for "); 591 ldns_rdf_print(stdout, labels[i-1]); 592 printf(" DS"); 593 printf(": %s\n", ldns_get_errorstr_by_id(st)); 594 } 595 596 597 } else { 598 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 599 printf(";; No DS for "); 600 ldns_rdf_print(stdout, labels[i - 1]); 601 } else { 602 printf("[B] Unable to verify denial of existence for "); 603 ldns_rdf_print(stdout, labels[i - 1]); 604 printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 605 } 606 } 607 if (verbosity >= 2) { 608 printf(";; No ds record for delegation\n"); 609 } 610 } 611 } 612 ldns_rr_list_deep_free(ds_list); 613 ldns_pkt_free(p); 614 } else { 615 /* if this is the last label, just verify the data and stop */ 616 p = get_dnssec_pkt(res, labels[i], t); 617 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 618 if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 619 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 620 621 /* If this is a wildcard, you must be able to deny exact match */ 622 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 623 fprintf(stdout, "%s ", TRUST); 624 ldns_rr_list_print(stdout, dataset); 625 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 626 fprintf(stdout, "%s ", SELF); 627 ldns_rr_list_print(stdout, dataset); 628 } else { 629 result = 5; 630 fprintf(stdout, "%s ", BOGUS); 631 ldns_rr_list_print(stdout, dataset); 632 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 633 } 634 } else { 635 fprintf(stdout, "%s ", UNSIGNED); 636 ldns_rr_list_print(stdout, dataset); 637 } 638 ldns_rr_list_deep_free(dataset); 639 } else { 640 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 641 if (status == LDNS_STATUS_OK) { 642 /* verify the nsec3 themselves*/ 643 if (verbosity >= 5) { 644 printf("NSEC(3) Records to verify:\n"); 645 ldns_rr_list_print(stdout, nsec_rrs); 646 printf("With signatures:\n"); 647 ldns_rr_list_print(stdout, nsec_rr_sigs); 648 printf("correct keys:\n"); 649 ldns_rr_list_print(stdout, correct_key_list); 650 /* 651 printf("trusted keys at %p:\n", trusted_keys); 652 ldns_rr_list_print(stdout, trusted_keys); 653 */ } 654 655 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 656 fprintf(stdout, "%s ", TRUST); 657 fprintf(stdout, "Existence denied: "); 658 ldns_rdf_print(stdout, name); 659 if (descriptor && descriptor->_name) { 660 printf(" %s", descriptor->_name); 661 } else { 662 printf(" TYPE%u", t); 663 } 664 fprintf(stdout, "\n"); 665 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 666 fprintf(stdout, "%s ", SELF); 667 fprintf(stdout, "Existence denied: "); 668 ldns_rdf_print(stdout, name); 669 if (descriptor && descriptor->_name) { 670 printf(" %s", descriptor->_name); 671 } else { 672 printf(" TYPE%u", t); 673 } 674 fprintf(stdout, "\n"); 675 } else { 676 result = 6; 677 fprintf(stdout, "%s ", BOGUS); 678 printf("Error verifying denial of existence for "); 679 ldns_rdf_print(stdout, name); 680 printf(" type "); 681 if (descriptor && descriptor->_name) { 682 printf("%s", descriptor->_name); 683 } else { 684 printf("TYPE%u", t); 685 } 686 printf(": %s\n", ldns_get_errorstr_by_id(st)); 687 } 688 689 ldns_rr_list_deep_free(nsec_rrs); 690 ldns_rr_list_deep_free(nsec_rr_sigs); 691 } else { 692 /* 693 */ 694 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 695 printf("%s ", UNSIGNED); 696 printf("No data found for: "); 697 ldns_rdf_print(stdout, name); 698 printf(" type "); 699 if (descriptor && descriptor->_name) { 700 printf("%s", descriptor->_name); 701 } else { 702 printf("TYPE%u", t); 703 } 704 printf("\n"); 705 } else { 706 printf("[B] Unable to verify denial of existence for "); 707 ldns_rdf_print(stdout, name); 708 printf(" type "); 709 if (descriptor && descriptor->_name) { 710 printf("%s", descriptor->_name); 711 } else { 712 printf("TYPE%u", t); 713 } 714 printf("\n"); 715 } 716 717 } 718 } 719 ldns_pkt_free(p); 720 } 721 722 new_nss_aaaa = NULL; 723 new_nss_a = NULL; 724 new_nss = NULL; 725 ns_addr = NULL; 726 ldns_rr_list_deep_free(key_list); 727 key_list = NULL; 728 ldns_rr_list_deep_free(key_sig_list); 729 key_sig_list = NULL; 730 ds_list = NULL; 731 ldns_rr_list_deep_free(ds_sig_list); 732 ds_sig_list = NULL; 733 } 734 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); 735 /* verbose mode? 736 printf("Trusted keys:\n"); 737 ldns_rr_list_print(stdout, trusted_keys); 738 printf("trusted dss:\n"); 739 ldns_rr_list_print(stdout, trusted_ds_rrs); 740 */ 741 742 done: 743 ldns_rr_list_deep_free(trusted_ds_rrs); 744 ldns_rr_list_deep_free(correct_key_list); 745 ldns_resolver_deep_free(res); 746 if (labels) { 747 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 748 ldns_rdf_deep_free(labels[i]); 749 } 750 LDNS_FREE(labels); 751 } 752 return result; 753 } 754 #endif /* HAVE_SSL */ 755