1 /* 2 * securechasetrace.c 3 * Where all the hard work concerning secure tracing is done 4 * 5 * (c) 2005, 2006 NLnet Labs 6 * 7 * See the file LICENSE for the license 8 * 9 */ 10 11 #include "drill.h" 12 #include <ldns/ldns.h> 13 14 #define SELF "[S]" /* self sig ok */ 15 #define TRUST "[T]" /* chain from parent */ 16 #define BOGUS "[B]" /* bogus */ 17 #define UNSIGNED "[U]" /* no relevant dnssec data found */ 18 19 #if 0 20 /* See if there is a key/ds in trusted that matches 21 * a ds in *ds. 22 */ 23 static ldns_rr_list * 24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted) 25 { 26 size_t i, j; 27 bool match; 28 ldns_rr *rr_i, *rr_j; 29 ldns_rr_list *keys; 30 31 if (!trusted || !ds) { 32 return NULL; 33 } 34 35 match = false; 36 keys = ldns_rr_list_new(); 37 if (!keys) { 38 return NULL; 39 } 40 41 if (!ds || !trusted) { 42 return NULL; 43 } 44 45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) { 46 rr_i = ldns_rr_list_rr(trusted, i); 47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) { 48 49 rr_j = ldns_rr_list_rr(ds, j); 50 if (ldns_rr_compare_ds(rr_i, rr_j)) { 51 match = true; 52 /* only allow unique RRs to match */ 53 ldns_rr_set_push_rr(keys, rr_i); 54 } 55 } 56 } 57 if (match) { 58 return keys; 59 } else { 60 return NULL; 61 } 62 } 63 #endif 64 65 ldns_pkt * 66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 67 { 68 ldns_pkt *p = NULL; 69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 70 if (!p) { 71 return NULL; 72 } else { 73 if (verbosity >= 5) { 74 ldns_pkt_print(stdout, p); 75 } 76 return p; 77 } 78 } 79 80 #ifdef HAVE_SSL 81 /* 82 * retrieve keys for this zone 83 */ 84 static ldns_pkt_type 85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 86 { 87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig); 88 } 89 90 /* 91 * check to see if we can find a DS rrset here which we can then follow 92 */ 93 static ldns_pkt_type 94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 95 { 96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig); 97 } 98 #endif /* HAVE_SSL */ 99 100 void 101 remove_resolver_nameservers(ldns_resolver *res) 102 { 103 ldns_rdf *pop; 104 105 /* remove the old nameserver from the resolver */ 106 while((pop = ldns_resolver_pop_nameserver(res))) { 107 ldns_rdf_deep_free(pop); 108 } 109 110 } 111 112 void 113 show_current_nameservers(FILE *out, ldns_resolver *res) 114 { 115 size_t i; 116 fprintf(out, "Current nameservers for resolver object:\n"); 117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) { 118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]); 119 fprintf(out, "\n"); 120 } 121 } 122 123 /*ldns_pkt **/ 124 #ifdef HAVE_SSL 125 int 126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name 128 ) 129 { 130 ldns_resolver *res; 131 ldns_pkt *p, *local_p; 132 ldns_rr_list *new_nss; 133 ldns_rr_list *ns_addr; 134 ldns_rdf *pop; 135 ldns_rdf **labels = NULL; 136 ldns_status status, st; 137 ssize_t i; 138 size_t j; 139 size_t k; 140 size_t l; 141 uint8_t labels_count; 142 143 /* dnssec */ 144 ldns_rr_list *key_list; 145 ldns_rr_list *key_sig_list; 146 ldns_rr_list *ds_list; 147 ldns_rr_list *ds_sig_list; 148 ldns_rr_list *correct_key_list; 149 ldns_rr_list *trusted_ds_rrs; 150 bool new_keys_trusted = false; 151 ldns_rr_list *current_correct_keys; 152 ldns_rr_list *dataset; 153 154 ldns_rr_list *nsec_rrs = NULL; 155 ldns_rr_list *nsec_rr_sigs = NULL; 156 157 /* empty non-terminal check */ 158 bool ent; 159 160 /* glue handling */ 161 ldns_rr_list *new_ns_addr; 162 ldns_rr_list *old_ns_addr; 163 ldns_rr *ns_rr; 164 165 int result = 0; 166 167 /* printing niceness */ 168 const ldns_rr_descriptor *descriptor; 169 170 descriptor = ldns_rr_descript(t); 171 172 new_nss = NULL; 173 ns_addr = NULL; 174 key_list = NULL; 175 ds_list = NULL; 176 177 p = NULL; 178 local_p = NULL; 179 res = ldns_resolver_new(); 180 key_sig_list = NULL; 181 ds_sig_list = NULL; 182 183 if (!res) { 184 error("Memory allocation failed"); 185 result = -1; 186 return result; 187 } 188 189 correct_key_list = ldns_rr_list_new(); 190 if (!correct_key_list) { 191 error("Memory allocation failed"); 192 result = -1; 193 return result; 194 } 195 196 trusted_ds_rrs = ldns_rr_list_new(); 197 if (!trusted_ds_rrs) { 198 error("Memory allocation failed"); 199 result = -1; 200 return result; 201 } 202 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */ 203 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 204 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j); 205 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) { 206 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr)); 207 } 208 } 209 210 /* transfer some properties of local_res to res */ 211 ldns_resolver_set_ip6(res, 212 ldns_resolver_ip6(local_res)); 213 ldns_resolver_set_port(res, 214 ldns_resolver_port(local_res)); 215 ldns_resolver_set_debug(res, 216 ldns_resolver_debug(local_res)); 217 ldns_resolver_set_fail(res, 218 ldns_resolver_fail(local_res)); 219 ldns_resolver_set_usevc(res, 220 ldns_resolver_usevc(local_res)); 221 ldns_resolver_set_random(res, 222 ldns_resolver_random(local_res)); 223 ldns_resolver_set_recursive(local_res, true); 224 225 ldns_resolver_set_recursive(res, false); 226 ldns_resolver_set_dnssec_cd(res, false); 227 ldns_resolver_set_dnssec(res, true); 228 229 /* setup the root nameserver in the new resolver */ 230 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 231 if (status != LDNS_STATUS_OK) { 232 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 233 ldns_rr_list_print(stdout, global_dns_root); 234 result = status; 235 goto done; 236 } 237 labels_count = ldns_dname_label_count(name); 238 if (start_name) { 239 if (ldns_dname_is_subdomain(name, start_name)) { 240 labels_count -= ldns_dname_label_count(start_name); 241 } else { 242 fprintf(stderr, "Error; "); 243 ldns_rdf_print(stderr, name); 244 fprintf(stderr, " is not a subdomain of "); 245 ldns_rdf_print(stderr, start_name); 246 fprintf(stderr, "\n"); 247 goto done; 248 } 249 } 250 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); 251 if (!labels) { 252 goto done; 253 } 254 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 255 labels[1] = ldns_rdf_clone(name); 256 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 257 labels[i] = ldns_dname_left_chop(labels[i - 1]); 258 } 259 260 /* get the nameserver for the label 261 * ask: dnskey and ds for the label 262 */ 263 for(i = (ssize_t)labels_count + 1; i > 0; i--) { 264 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 265 266 if (verbosity >= 5) { 267 ldns_pkt_print(stdout, local_p); 268 } 269 270 new_nss = ldns_pkt_rr_list_by_type(local_p, 271 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 272 if (!new_nss) { 273 /* if it's a delegation, servers put them in the auth section */ 274 new_nss = ldns_pkt_rr_list_by_type(local_p, 275 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 276 } 277 278 /* if this is the final step there might not be nameserver records 279 of course if the data is in the apex, there are, so cover both 280 cases */ 281 if (new_nss || i > 1) { 282 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 283 ns_rr = ldns_rr_list_rr(new_nss, j); 284 pop = ldns_rr_rdf(ns_rr, 0); 285 if (!pop) { 286 printf("nopo\n"); 287 break; 288 } 289 /* retrieve it's addresses */ 290 /* trust glue? */ 291 new_ns_addr = NULL; 292 if (ldns_dname_is_subdomain(pop, labels[i])) { 293 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 294 } 295 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 296 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 297 } 298 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 299 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 300 } 301 302 if (new_ns_addr) { 303 old_ns_addr = ns_addr; 304 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 305 ldns_rr_list_deep_free(old_ns_addr); 306 } 307 ldns_rr_list_deep_free(new_ns_addr); 308 } 309 ldns_rr_list_deep_free(new_nss); 310 311 if (ns_addr) { 312 remove_resolver_nameservers(res); 313 314 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 315 LDNS_STATUS_OK) { 316 error("Error adding new nameservers"); 317 ldns_pkt_free(local_p); 318 goto done; 319 } 320 ldns_rr_list_deep_free(ns_addr); 321 } else { 322 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 323 324 /* verify the nsec3 themselves*/ 325 if (verbosity >= 4) { 326 printf("NSEC(3) Records to verify:\n"); 327 ldns_rr_list_print(stdout, nsec_rrs); 328 printf("With signatures:\n"); 329 ldns_rr_list_print(stdout, nsec_rr_sigs); 330 printf("correct keys:\n"); 331 ldns_rr_list_print(stdout, correct_key_list); 332 } 333 334 if (status == LDNS_STATUS_OK) { 335 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 336 fprintf(stdout, "%s ", TRUST); 337 fprintf(stdout, "Existence denied: "); 338 ldns_rdf_print(stdout, labels[i]); 339 /* 340 if (descriptor && descriptor->_name) { 341 printf(" %s", descriptor->_name); 342 } else { 343 printf(" TYPE%u", t); 344 } 345 */ fprintf(stdout, " NS\n"); 346 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 347 fprintf(stdout, "%s ", SELF); 348 fprintf(stdout, "Existence denied: "); 349 ldns_rdf_print(stdout, labels[i]); 350 /* 351 if (descriptor && descriptor->_name) { 352 printf(" %s", descriptor->_name); 353 } else { 354 printf(" TYPE%u", t); 355 } 356 */ 357 fprintf(stdout, " NS\n"); 358 } else { 359 fprintf(stdout, "%s ", BOGUS); 360 result = 1; 361 printf(";; Error verifying denial of existence for name "); 362 ldns_rdf_print(stdout, labels[i]); 363 /* 364 printf(" type "); 365 if (descriptor && descriptor->_name) { 366 printf("%s", descriptor->_name); 367 } else { 368 printf("TYPE%u", t); 369 } 370 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 371 } 372 } else { 373 fprintf(stdout, "%s ", BOGUS); 374 result = 1; 375 printf(";; Error verifying denial of existence for name "); 376 ldns_rdf_print(stdout, labels[i]); 377 printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 378 } 379 380 /* there might be an empty non-terminal, in which case we need to continue */ 381 ent = false; 382 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 383 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) { 384 ent = true; 385 } 386 } 387 if (!ent) { 388 ldns_rr_list_deep_free(nsec_rrs); 389 ldns_rr_list_deep_free(nsec_rr_sigs); 390 ldns_pkt_free(local_p); 391 goto done; 392 } else { 393 printf(";; There is an empty non-terminal here, continue\n"); 394 continue; 395 } 396 } 397 398 if (ldns_resolver_nameserver_count(res) == 0) { 399 error("No nameservers found for this node"); 400 goto done; 401 } 402 } 403 ldns_pkt_free(local_p); 404 405 fprintf(stdout, ";; Domain: "); 406 ldns_rdf_print(stdout, labels[i]); 407 fprintf(stdout, "\n"); 408 409 /* retrieve keys for current domain, and verify them 410 if they match an already trusted DS, or if one of the 411 keys used to sign these is trusted, add the keys to 412 the trusted list */ 413 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 414 (void) get_key(p, labels[i], &key_list, &key_sig_list); 415 if (key_sig_list) { 416 if (key_list) { 417 current_correct_keys = ldns_rr_list_new(); 418 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 419 LDNS_STATUS_OK) { 420 /* add all signed keys (don't just add current_correct, you'd miss 421 * the zsk's then */ 422 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 423 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 424 } 425 426 /* check whether these keys were signed 427 * by a trusted keys. if so, these 428 * keys are also trusted */ 429 new_keys_trusted = false; 430 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 431 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 432 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 433 ldns_rr_list_rr(trusted_ds_rrs, j))) { 434 new_keys_trusted = true; 435 } 436 } 437 } 438 439 /* also all keys are trusted if one of the current correct keys is trusted */ 440 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 441 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 442 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 443 ldns_rr_list_rr(trusted_keys, j)) == 0) { 444 new_keys_trusted = true; 445 } 446 } 447 } 448 449 450 if (new_keys_trusted) { 451 ldns_rr_list_push_rr_list(trusted_keys, key_list); 452 print_rr_list_abbr(stdout, key_list, TRUST); 453 ldns_rr_list_free(key_list); 454 key_list = NULL; 455 } else { 456 if (verbosity >= 2) { 457 printf(";; Signature ok but no chain to a trusted key or ds record\n"); 458 } 459 print_rr_list_abbr(stdout, key_list, SELF); 460 ldns_rr_list_deep_free(key_list); 461 key_list = NULL; 462 } 463 } else { 464 print_rr_list_abbr(stdout, key_list, BOGUS); 465 result = 2; 466 ldns_rr_list_deep_free(key_list); 467 key_list = NULL; 468 } 469 ldns_rr_list_free(current_correct_keys); 470 current_correct_keys = NULL; 471 } else { 472 printf(";; No DNSKEY record found for "); 473 ldns_rdf_print(stdout, labels[i]); 474 printf("\n"); 475 } 476 } 477 478 ldns_pkt_free(p); 479 ldns_rr_list_deep_free(key_sig_list); 480 key_sig_list = NULL; 481 482 /* check the DS records for the next child domain */ 483 if (i > 1) { 484 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 485 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 486 if (!ds_list) { 487 ldns_pkt_free(p); 488 if (ds_sig_list) { 489 ldns_rr_list_deep_free(ds_sig_list); 490 } 491 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); 492 (void) get_ds(p, NULL, &ds_list, &ds_sig_list); 493 } 494 if (ds_sig_list) { 495 if (ds_list) { 496 if (verbosity >= 4) { 497 printf("VERIFYING:\n"); 498 printf("DS LIST:\n"); 499 ldns_rr_list_print(stdout, ds_list); 500 printf("SIGS:\n"); 501 ldns_rr_list_print(stdout, ds_sig_list); 502 printf("KEYS:\n"); 503 ldns_rr_list_print(stdout, correct_key_list); 504 } 505 506 current_correct_keys = ldns_rr_list_new(); 507 508 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 509 LDNS_STATUS_OK) { 510 /* if the ds is signed by a trusted key and a key from correct keys 511 matches that ds, add that key to the trusted keys */ 512 new_keys_trusted = false; 513 if (verbosity >= 2) { 514 printf("Checking if signing key is trusted:\n"); 515 } 516 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 517 if (verbosity >= 2) { 518 printf("New key: "); 519 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 520 } 521 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 522 if (verbosity >= 2) { 523 printf("\tTrusted key: "); 524 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 525 } 526 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 527 ldns_rr_list_rr(trusted_keys, k)) == 0) { 528 if (verbosity >= 2) { 529 printf("Key is now trusted!\n"); 530 } 531 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 532 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 533 new_keys_trusted = true; 534 } 535 } 536 } 537 } 538 if (new_keys_trusted) { 539 print_rr_list_abbr(stdout, ds_list, TRUST); 540 } else { 541 print_rr_list_abbr(stdout, ds_list, SELF); 542 } 543 } else { 544 result = 3; 545 print_rr_list_abbr(stdout, ds_list, BOGUS); 546 } 547 548 ldns_rr_list_free(current_correct_keys); 549 current_correct_keys = NULL; 550 } else { 551 /* wait apparently there were no keys either, go back to the ds packet */ 552 ldns_pkt_free(p); 553 ldns_rr_list_deep_free(ds_sig_list); 554 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 555 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 556 557 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 558 559 if (verbosity >= 4) { 560 printf("NSEC(3) Records to verify:\n"); 561 ldns_rr_list_print(stdout, nsec_rrs); 562 printf("With signatures:\n"); 563 ldns_rr_list_print(stdout, nsec_rr_sigs); 564 printf("correct keys:\n"); 565 ldns_rr_list_print(stdout, correct_key_list); 566 } 567 568 if (status == LDNS_STATUS_OK) { 569 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 570 fprintf(stdout, "%s ", TRUST); 571 fprintf(stdout, "Existence denied: "); 572 ldns_rdf_print(stdout, labels[i-1]); 573 printf(" DS"); 574 fprintf(stdout, "\n"); 575 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 576 fprintf(stdout, "%s ", SELF); 577 fprintf(stdout, "Existence denied: "); 578 ldns_rdf_print(stdout, labels[i-1]); 579 printf(" DS"); 580 fprintf(stdout, "\n"); 581 } else { 582 result = 4; 583 fprintf(stdout, "%s ", BOGUS); 584 printf("Error verifying denial of existence for "); 585 ldns_rdf_print(stdout, labels[i-1]); 586 printf(" DS"); 587 printf(": %s\n", ldns_get_errorstr_by_id(st)); 588 } 589 590 591 } else { 592 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 593 printf(";; No DS for "); 594 ldns_rdf_print(stdout, labels[i - 1]); 595 } else { 596 printf("[B] Unable to verify denial of existence for "); 597 ldns_rdf_print(stdout, labels[i - 1]); 598 printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 599 } 600 } 601 if (verbosity >= 2) { 602 printf(";; No ds record for delegation\n"); 603 } 604 } 605 } 606 ldns_rr_list_deep_free(ds_list); 607 ldns_pkt_free(p); 608 } else { 609 /* if this is the last label, just verify the data and stop */ 610 p = get_dnssec_pkt(res, labels[i], t); 611 (void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 612 if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 613 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 614 615 /* If this is a wildcard, you must be able to deny exact match */ 616 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 617 fprintf(stdout, "%s ", TRUST); 618 ldns_rr_list_print(stdout, dataset); 619 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 620 fprintf(stdout, "%s ", SELF); 621 ldns_rr_list_print(stdout, dataset); 622 } else { 623 result = 5; 624 fprintf(stdout, "%s ", BOGUS); 625 ldns_rr_list_print(stdout, dataset); 626 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 627 } 628 } else { 629 fprintf(stdout, "%s ", UNSIGNED); 630 ldns_rr_list_print(stdout, dataset); 631 } 632 ldns_rr_list_deep_free(dataset); 633 } else { 634 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 635 if (status == LDNS_STATUS_OK) { 636 /* verify the nsec3 themselves*/ 637 if (verbosity >= 5) { 638 printf("NSEC(3) Records to verify:\n"); 639 ldns_rr_list_print(stdout, nsec_rrs); 640 printf("With signatures:\n"); 641 ldns_rr_list_print(stdout, nsec_rr_sigs); 642 printf("correct keys:\n"); 643 ldns_rr_list_print(stdout, correct_key_list); 644 /* 645 printf("trusted keys at %p:\n", trusted_keys); 646 ldns_rr_list_print(stdout, trusted_keys); 647 */ } 648 649 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 650 fprintf(stdout, "%s ", TRUST); 651 fprintf(stdout, "Existence denied: "); 652 ldns_rdf_print(stdout, name); 653 if (descriptor && descriptor->_name) { 654 printf(" %s", descriptor->_name); 655 } else { 656 printf(" TYPE%u", t); 657 } 658 fprintf(stdout, "\n"); 659 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 660 fprintf(stdout, "%s ", SELF); 661 fprintf(stdout, "Existence denied: "); 662 ldns_rdf_print(stdout, name); 663 if (descriptor && descriptor->_name) { 664 printf(" %s", descriptor->_name); 665 } else { 666 printf(" TYPE%u", t); 667 } 668 fprintf(stdout, "\n"); 669 } else { 670 result = 6; 671 fprintf(stdout, "%s ", BOGUS); 672 printf("Error verifying denial of existence for "); 673 ldns_rdf_print(stdout, name); 674 printf(" type "); 675 if (descriptor && descriptor->_name) { 676 printf("%s", descriptor->_name); 677 } else { 678 printf("TYPE%u", t); 679 } 680 printf(": %s\n", ldns_get_errorstr_by_id(st)); 681 } 682 683 ldns_rr_list_deep_free(nsec_rrs); 684 ldns_rr_list_deep_free(nsec_rr_sigs); 685 } else { 686 /* 687 */ 688 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 689 printf("%s ", UNSIGNED); 690 printf("No data found for: "); 691 ldns_rdf_print(stdout, name); 692 printf(" type "); 693 if (descriptor && descriptor->_name) { 694 printf("%s", descriptor->_name); 695 } else { 696 printf("TYPE%u", t); 697 } 698 printf("\n"); 699 } else { 700 printf("[B] Unable to verify denial of existence for "); 701 ldns_rdf_print(stdout, name); 702 printf(" type "); 703 if (descriptor && descriptor->_name) { 704 printf("%s", descriptor->_name); 705 } else { 706 printf("TYPE%u", t); 707 } 708 printf("\n"); 709 } 710 711 } 712 } 713 ldns_pkt_free(p); 714 } 715 716 new_nss = NULL; 717 ns_addr = NULL; 718 ldns_rr_list_deep_free(key_list); 719 key_list = NULL; 720 ldns_rr_list_deep_free(key_sig_list); 721 key_sig_list = NULL; 722 ds_list = NULL; 723 ldns_rr_list_deep_free(ds_sig_list); 724 ds_sig_list = NULL; 725 } 726 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); 727 /* verbose mode? 728 printf("Trusted keys:\n"); 729 ldns_rr_list_print(stdout, trusted_keys); 730 printf("trusted dss:\n"); 731 ldns_rr_list_print(stdout, trusted_ds_rrs); 732 */ 733 734 done: 735 ldns_rr_list_deep_free(trusted_ds_rrs); 736 ldns_rr_list_deep_free(correct_key_list); 737 ldns_resolver_deep_free(res); 738 if (labels) { 739 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 740 ldns_rdf_deep_free(labels[i]); 741 } 742 LDNS_FREE(labels); 743 } 744 return result; 745 } 746 #endif /* HAVE_SSL */ 747