1 /* 2 * securechasetrace.c 3 * Where all the hard work concerning secure tracing is done 4 * 5 * (c) 2005, 2006 NLnet Labs 6 * 7 * See the file LICENSE for the license 8 * 9 */ 10 11 #include "drill.h" 12 #include <ldns/ldns.h> 13 14 #define SELF "[S]" /* self sig ok */ 15 #define TRUST "[T]" /* chain from parent */ 16 #define BOGUS "[B]" /* bogus */ 17 #define UNSIGNED "[U]" /* no relevant dnssec data found */ 18 19 #if 0 20 /* See if there is a key/ds in trusted that matches 21 * a ds in *ds. 22 */ 23 static ldns_rr_list * 24 ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted) 25 { 26 size_t i, j; 27 bool match; 28 ldns_rr *rr_i, *rr_j; 29 ldns_rr_list *keys; 30 31 if (!trusted || !ds) { 32 return NULL; 33 } 34 35 match = false; 36 keys = ldns_rr_list_new(); 37 if (!keys) { 38 return NULL; 39 } 40 41 if (!ds || !trusted) { 42 return NULL; 43 } 44 45 for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) { 46 rr_i = ldns_rr_list_rr(trusted, i); 47 for (j = 0; j < ldns_rr_list_rr_count(ds); j++) { 48 49 rr_j = ldns_rr_list_rr(ds, j); 50 if (ldns_rr_compare_ds(rr_i, rr_j)) { 51 match = true; 52 /* only allow unique RRs to match */ 53 ldns_rr_set_push_rr(keys, rr_i); 54 } 55 } 56 } 57 if (match) { 58 return keys; 59 } else { 60 return NULL; 61 } 62 } 63 #endif 64 65 ldns_pkt * 66 get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 67 { 68 ldns_pkt *p = NULL; 69 p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 70 if (!p) { 71 return NULL; 72 } else { 73 if (verbosity >= 5) { 74 ldns_pkt_print(stdout, p); 75 } 76 return p; 77 } 78 } 79 80 #ifdef HAVE_SSL 81 /* 82 * retrieve keys for this zone 83 */ 84 static ldns_pkt_type 85 get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 86 { 87 return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig); 88 } 89 90 /* 91 * check to see if we can find a DS rrset here which we can then follow 92 */ 93 static ldns_pkt_type 94 get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig) 95 { 96 return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig); 97 } 98 #endif /* HAVE_SSL */ 99 100 void 101 remove_resolver_nameservers(ldns_resolver *res) 102 { 103 ldns_rdf *pop; 104 105 /* remove the old nameserver from the resolver */ 106 while((pop = ldns_resolver_pop_nameserver(res))) { 107 ldns_rdf_deep_free(pop); 108 } 109 110 } 111 112 void 113 show_current_nameservers(FILE *out, ldns_resolver *res) 114 { 115 size_t i; 116 fprintf(out, "Current nameservers for resolver object:\n"); 117 for (i = 0; i < ldns_resolver_nameserver_count(res); i++) { 118 ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]); 119 fprintf(out, "\n"); 120 } 121 } 122 123 /*ldns_pkt **/ 124 #ifdef HAVE_SSL 125 int 126 do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, 127 ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name 128 ) 129 { 130 ldns_resolver *res; 131 ldns_pkt *p, *local_p; 132 ldns_rr_list *new_nss_a; 133 ldns_rr_list *new_nss_aaaa; 134 ldns_rr_list *new_nss; 135 ldns_rr_list *ns_addr; 136 uint16_t loop_count; 137 ldns_rdf *pop; 138 ldns_rdf **labels = NULL; 139 ldns_status status, st; 140 ssize_t i; 141 size_t j; 142 size_t k; 143 size_t l; 144 uint8_t labels_count; 145 ldns_pkt_type pt; 146 147 /* dnssec */ 148 ldns_rr_list *key_list; 149 ldns_rr_list *key_sig_list; 150 ldns_rr_list *ds_list; 151 ldns_rr_list *ds_sig_list; 152 ldns_rr_list *correct_key_list; 153 ldns_rr_list *trusted_ds_rrs; 154 bool new_keys_trusted = false; 155 ldns_rr_list *current_correct_keys; 156 ldns_rr_list *dataset; 157 158 ldns_rr_list *nsec_rrs = NULL; 159 ldns_rr_list *nsec_rr_sigs = NULL; 160 161 /* empty non-terminal check */ 162 bool ent; 163 164 /* glue handling */ 165 ldns_rr_list *new_ns_addr; 166 ldns_rr_list *old_ns_addr; 167 ldns_rr *ns_rr; 168 169 int result = 0; 170 171 /* printing niceness */ 172 const ldns_rr_descriptor *descriptor; 173 174 descriptor = ldns_rr_descript(t); 175 176 loop_count = 0; 177 new_nss_a = NULL; 178 new_nss_aaaa = NULL; 179 new_nss = NULL; 180 ns_addr = NULL; 181 key_list = NULL; 182 ds_list = NULL; 183 pt = LDNS_PACKET_UNKNOWN; 184 185 p = NULL; 186 local_p = NULL; 187 res = ldns_resolver_new(); 188 key_sig_list = NULL; 189 ds_sig_list = NULL; 190 191 if (!res) { 192 error("Memory allocation failed"); 193 result = -1; 194 return result; 195 } 196 197 correct_key_list = ldns_rr_list_new(); 198 if (!correct_key_list) { 199 error("Memory allocation failed"); 200 result = -1; 201 return result; 202 } 203 204 trusted_ds_rrs = ldns_rr_list_new(); 205 if (!trusted_ds_rrs) { 206 error("Memory allocation failed"); 207 result = -1; 208 return result; 209 } 210 /* Add all preset trusted DS signatures to the list of trusted DS RRs. */ 211 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 212 ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j); 213 if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) { 214 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr)); 215 } 216 } 217 218 /* transfer some properties of local_res to res */ 219 ldns_resolver_set_ip6(res, 220 ldns_resolver_ip6(local_res)); 221 ldns_resolver_set_port(res, 222 ldns_resolver_port(local_res)); 223 ldns_resolver_set_debug(res, 224 ldns_resolver_debug(local_res)); 225 ldns_resolver_set_fail(res, 226 ldns_resolver_fail(local_res)); 227 ldns_resolver_set_usevc(res, 228 ldns_resolver_usevc(local_res)); 229 ldns_resolver_set_random(res, 230 ldns_resolver_random(local_res)); 231 ldns_resolver_set_recursive(local_res, true); 232 233 ldns_resolver_set_recursive(res, false); 234 ldns_resolver_set_dnssec_cd(res, false); 235 ldns_resolver_set_dnssec(res, true); 236 237 /* setup the root nameserver in the new resolver */ 238 status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root); 239 if (status != LDNS_STATUS_OK) { 240 printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status)); 241 ldns_rr_list_print(stdout, global_dns_root); 242 return status; 243 } 244 labels_count = ldns_dname_label_count(name); 245 if (start_name) { 246 if (ldns_dname_is_subdomain(name, start_name)) { 247 labels_count -= ldns_dname_label_count(start_name); 248 } else { 249 fprintf(stderr, "Error; "); 250 ldns_rdf_print(stderr, name); 251 fprintf(stderr, " is not a subdomain of "); 252 ldns_rdf_print(stderr, start_name); 253 fprintf(stderr, "\n"); 254 goto done; 255 } 256 } 257 labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); 258 if (!labels) { 259 goto done; 260 } 261 labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); 262 labels[1] = ldns_rdf_clone(name); 263 for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { 264 labels[i] = ldns_dname_left_chop(labels[i - 1]); 265 } 266 267 /* get the nameserver for the label 268 * ask: dnskey and ds for the label 269 */ 270 for(i = (ssize_t)labels_count + 1; i > 0; i--) { 271 status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); 272 273 if (verbosity >= 5) { 274 ldns_pkt_print(stdout, local_p); 275 } 276 277 new_nss = ldns_pkt_rr_list_by_type(local_p, 278 LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); 279 if (!new_nss) { 280 /* if it's a delegation, servers put them in the auth section */ 281 new_nss = ldns_pkt_rr_list_by_type(local_p, 282 LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY); 283 } 284 285 /* if this is the final step there might not be nameserver records 286 of course if the data is in the apex, there are, so cover both 287 cases */ 288 if (new_nss || i > 1) { 289 for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) { 290 ns_rr = ldns_rr_list_rr(new_nss, j); 291 pop = ldns_rr_rdf(ns_rr, 0); 292 if (!pop) { 293 printf("nopo\n"); 294 break; 295 } 296 /* retrieve it's addresses */ 297 /* trust glue? */ 298 new_ns_addr = NULL; 299 if (ldns_dname_is_subdomain(pop, labels[i])) { 300 new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL); 301 } 302 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 303 new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0); 304 } 305 if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) { 306 new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0); 307 } 308 309 if (new_ns_addr) { 310 old_ns_addr = ns_addr; 311 ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr); 312 ldns_rr_list_deep_free(old_ns_addr); 313 } 314 ldns_rr_list_deep_free(new_ns_addr); 315 } 316 ldns_rr_list_deep_free(new_nss); 317 318 if (ns_addr) { 319 remove_resolver_nameservers(res); 320 321 if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) != 322 LDNS_STATUS_OK) { 323 error("Error adding new nameservers"); 324 ldns_pkt_free(local_p); 325 goto done; 326 } 327 ldns_rr_list_deep_free(ns_addr); 328 } else { 329 status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs); 330 331 /* verify the nsec3 themselves*/ 332 if (verbosity >= 4) { 333 printf("NSEC(3) Records to verify:\n"); 334 ldns_rr_list_print(stdout, nsec_rrs); 335 printf("With signatures:\n"); 336 ldns_rr_list_print(stdout, nsec_rr_sigs); 337 printf("correct keys:\n"); 338 ldns_rr_list_print(stdout, correct_key_list); 339 } 340 341 if (status == LDNS_STATUS_OK) { 342 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 343 fprintf(stdout, "%s ", TRUST); 344 fprintf(stdout, "Existence denied: "); 345 ldns_rdf_print(stdout, labels[i]); 346 /* 347 if (descriptor && descriptor->_name) { 348 printf(" %s", descriptor->_name); 349 } else { 350 printf(" TYPE%u", t); 351 } 352 */ fprintf(stdout, " NS\n"); 353 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 354 fprintf(stdout, "%s ", SELF); 355 fprintf(stdout, "Existence denied: "); 356 ldns_rdf_print(stdout, labels[i]); 357 /* 358 if (descriptor && descriptor->_name) { 359 printf(" %s", descriptor->_name); 360 } else { 361 printf(" TYPE%u", t); 362 } 363 */ 364 fprintf(stdout, " NS\n"); 365 } else { 366 fprintf(stdout, "%s ", BOGUS); 367 result = 1; 368 printf(";; Error verifying denial of existence for name "); 369 ldns_rdf_print(stdout, labels[i]); 370 /* 371 printf(" type "); 372 if (descriptor && descriptor->_name) { 373 printf("%s", descriptor->_name); 374 } else { 375 printf("TYPE%u", t); 376 } 377 */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); 378 } 379 } else { 380 fprintf(stdout, "%s ", BOGUS); 381 result = 1; 382 printf(";; Error verifying denial of existence for name "); 383 ldns_rdf_print(stdout, labels[i]); 384 printf("NS: %s\n", ldns_get_errorstr_by_id(status)); 385 } 386 387 /* there might be an empty non-terminal, in which case we need to continue */ 388 ent = false; 389 for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) { 390 if (ldns_dname_is_subdomain(ldns_rr_rdf(ldns_rr_list_rr(nsec_rrs, j), 0), labels[i])) { 391 ent = true; 392 } 393 } 394 if (!ent) { 395 ldns_rr_list_deep_free(nsec_rrs); 396 ldns_rr_list_deep_free(nsec_rr_sigs); 397 ldns_pkt_free(local_p); 398 goto done; 399 } else { 400 printf(";; There is an empty non-terminal here, continue\n"); 401 continue; 402 } 403 goto done; 404 } 405 406 if (ldns_resolver_nameserver_count(res) == 0) { 407 error("No nameservers found for this node"); 408 goto done; 409 } 410 } 411 ldns_pkt_free(local_p); 412 413 fprintf(stdout, ";; Domain: "); 414 ldns_rdf_print(stdout, labels[i]); 415 fprintf(stdout, "\n"); 416 417 /* retrieve keys for current domain, and verify them 418 if they match an already trusted DS, or if one of the 419 keys used to sign these is trusted, add the keys to 420 the trusted list */ 421 p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY); 422 pt = get_key(p, labels[i], &key_list, &key_sig_list); 423 if (key_sig_list) { 424 if (key_list) { 425 current_correct_keys = ldns_rr_list_new(); 426 if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) == 427 LDNS_STATUS_OK) { 428 /* add all signed keys (don't just add current_correct, you'd miss 429 * the zsk's then */ 430 for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) { 431 ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j))); 432 } 433 434 /* check whether these keys were signed 435 * by a trusted keys. if so, these 436 * keys are also trusted */ 437 new_keys_trusted = false; 438 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 439 for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) { 440 if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k), 441 ldns_rr_list_rr(trusted_ds_rrs, j))) { 442 new_keys_trusted = true; 443 } 444 } 445 } 446 447 /* also all keys are trusted if one of the current correct keys is trusted */ 448 for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) { 449 for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) { 450 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k), 451 ldns_rr_list_rr(trusted_keys, j)) == 0) { 452 new_keys_trusted = true; 453 } 454 } 455 } 456 457 458 if (new_keys_trusted) { 459 ldns_rr_list_push_rr_list(trusted_keys, key_list); 460 print_rr_list_abbr(stdout, key_list, TRUST); 461 ldns_rr_list_free(key_list); 462 key_list = NULL; 463 } else { 464 if (verbosity >= 2) { 465 printf(";; Signature ok but no chain to a trusted key or ds record\n"); 466 } 467 print_rr_list_abbr(stdout, key_list, SELF); 468 ldns_rr_list_deep_free(key_list); 469 key_list = NULL; 470 } 471 } else { 472 print_rr_list_abbr(stdout, key_list, BOGUS); 473 result = 2; 474 ldns_rr_list_deep_free(key_list); 475 key_list = NULL; 476 } 477 ldns_rr_list_free(current_correct_keys); 478 current_correct_keys = NULL; 479 } else { 480 printf(";; No DNSKEY record found for "); 481 ldns_rdf_print(stdout, labels[i]); 482 printf("\n"); 483 } 484 } 485 486 ldns_pkt_free(p); 487 ldns_rr_list_deep_free(key_sig_list); 488 key_sig_list = NULL; 489 490 /* check the DS records for the next child domain */ 491 if (i > 1) { 492 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 493 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 494 if (!ds_list) { 495 ldns_pkt_free(p); 496 if (ds_sig_list) { 497 ldns_rr_list_deep_free(ds_sig_list); 498 } 499 p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); 500 pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 501 } 502 if (ds_sig_list) { 503 if (ds_list) { 504 if (verbosity >= 4) { 505 printf("VERIFYING:\n"); 506 printf("DS LIST:\n"); 507 ldns_rr_list_print(stdout, ds_list); 508 printf("SIGS:\n"); 509 ldns_rr_list_print(stdout, ds_sig_list); 510 printf("KEYS:\n"); 511 ldns_rr_list_print(stdout, correct_key_list); 512 } 513 514 current_correct_keys = ldns_rr_list_new(); 515 516 if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) == 517 LDNS_STATUS_OK) { 518 /* if the ds is signed by a trusted key and a key from correct keys 519 matches that ds, add that key to the trusted keys */ 520 new_keys_trusted = false; 521 if (verbosity >= 2) { 522 printf("Checking if signing key is trusted:\n"); 523 } 524 for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) { 525 if (verbosity >= 2) { 526 printf("New key: "); 527 ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j)); 528 } 529 for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) { 530 if (verbosity >= 2) { 531 printf("\tTrusted key: "); 532 ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k)); 533 } 534 if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j), 535 ldns_rr_list_rr(trusted_keys, k)) == 0) { 536 if (verbosity >= 2) { 537 printf("Key is now trusted!\n"); 538 } 539 for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) { 540 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l))); 541 new_keys_trusted = true; 542 } 543 } 544 } 545 } 546 if (new_keys_trusted) { 547 print_rr_list_abbr(stdout, ds_list, TRUST); 548 } else { 549 print_rr_list_abbr(stdout, ds_list, SELF); 550 } 551 } else { 552 result = 3; 553 print_rr_list_abbr(stdout, ds_list, BOGUS); 554 } 555 556 ldns_rr_list_free(current_correct_keys); 557 current_correct_keys = NULL; 558 } else { 559 /* wait apparently there were no keys either, go back to the ds packet */ 560 ldns_pkt_free(p); 561 ldns_rr_list_deep_free(ds_sig_list); 562 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); 563 pt = get_ds(p, labels[i-1], &ds_list, &ds_sig_list); 564 565 status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs); 566 567 if (verbosity >= 4) { 568 printf("NSEC(3) Records to verify:\n"); 569 ldns_rr_list_print(stdout, nsec_rrs); 570 printf("With signatures:\n"); 571 ldns_rr_list_print(stdout, nsec_rr_sigs); 572 printf("correct keys:\n"); 573 ldns_rr_list_print(stdout, correct_key_list); 574 } 575 576 if (status == LDNS_STATUS_OK) { 577 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 578 fprintf(stdout, "%s ", TRUST); 579 fprintf(stdout, "Existence denied: "); 580 ldns_rdf_print(stdout, labels[i-1]); 581 printf(" DS"); 582 fprintf(stdout, "\n"); 583 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 584 fprintf(stdout, "%s ", SELF); 585 fprintf(stdout, "Existence denied: "); 586 ldns_rdf_print(stdout, labels[i-1]); 587 printf(" DS"); 588 fprintf(stdout, "\n"); 589 } else { 590 result = 4; 591 fprintf(stdout, "%s ", BOGUS); 592 printf("Error verifying denial of existence for "); 593 ldns_rdf_print(stdout, labels[i-1]); 594 printf(" DS"); 595 printf(": %s\n", ldns_get_errorstr_by_id(st)); 596 } 597 598 599 } else { 600 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 601 printf(";; No DS for "); 602 ldns_rdf_print(stdout, labels[i - 1]); 603 } else { 604 printf("[B] Unable to verify denial of existence for "); 605 ldns_rdf_print(stdout, labels[i - 1]); 606 printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); 607 } 608 } 609 if (verbosity >= 2) { 610 printf(";; No ds record for delegation\n"); 611 } 612 } 613 } 614 ldns_rr_list_deep_free(ds_list); 615 ldns_pkt_free(p); 616 } else { 617 /* if this is the last label, just verify the data and stop */ 618 p = get_dnssec_pkt(res, labels[i], t); 619 pt = get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list); 620 if (dataset && ldns_rr_list_rr_count(dataset) > 0) { 621 if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) { 622 623 /* If this is a wildcard, you must be able to deny exact match */ 624 if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) { 625 fprintf(stdout, "%s ", TRUST); 626 ldns_rr_list_print(stdout, dataset); 627 } else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) { 628 fprintf(stdout, "%s ", SELF); 629 ldns_rr_list_print(stdout, dataset); 630 } else { 631 result = 5; 632 fprintf(stdout, "%s ", BOGUS); 633 ldns_rr_list_print(stdout, dataset); 634 printf(";; Error: %s\n", ldns_get_errorstr_by_id(st)); 635 } 636 } else { 637 fprintf(stdout, "%s ", UNSIGNED); 638 ldns_rr_list_print(stdout, dataset); 639 } 640 ldns_rr_list_deep_free(dataset); 641 } else { 642 status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs); 643 if (status == LDNS_STATUS_OK) { 644 /* verify the nsec3 themselves*/ 645 if (verbosity >= 5) { 646 printf("NSEC(3) Records to verify:\n"); 647 ldns_rr_list_print(stdout, nsec_rrs); 648 printf("With signatures:\n"); 649 ldns_rr_list_print(stdout, nsec_rr_sigs); 650 printf("correct keys:\n"); 651 ldns_rr_list_print(stdout, correct_key_list); 652 /* 653 printf("trusted keys at %p:\n", trusted_keys); 654 ldns_rr_list_print(stdout, trusted_keys); 655 */ } 656 657 if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) { 658 fprintf(stdout, "%s ", TRUST); 659 fprintf(stdout, "Existence denied: "); 660 ldns_rdf_print(stdout, name); 661 if (descriptor && descriptor->_name) { 662 printf(" %s", descriptor->_name); 663 } else { 664 printf(" TYPE%u", t); 665 } 666 fprintf(stdout, "\n"); 667 } else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) { 668 fprintf(stdout, "%s ", SELF); 669 fprintf(stdout, "Existence denied: "); 670 ldns_rdf_print(stdout, name); 671 if (descriptor && descriptor->_name) { 672 printf(" %s", descriptor->_name); 673 } else { 674 printf(" TYPE%u", t); 675 } 676 fprintf(stdout, "\n"); 677 } else { 678 result = 6; 679 fprintf(stdout, "%s ", BOGUS); 680 printf("Error verifying denial of existence for "); 681 ldns_rdf_print(stdout, name); 682 printf(" type "); 683 if (descriptor && descriptor->_name) { 684 printf("%s", descriptor->_name); 685 } else { 686 printf("TYPE%u", t); 687 } 688 printf(": %s\n", ldns_get_errorstr_by_id(st)); 689 } 690 691 ldns_rr_list_deep_free(nsec_rrs); 692 ldns_rr_list_deep_free(nsec_rr_sigs); 693 } else { 694 /* 695 */ 696 if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { 697 printf("%s ", UNSIGNED); 698 printf("No data found for: "); 699 ldns_rdf_print(stdout, name); 700 printf(" type "); 701 if (descriptor && descriptor->_name) { 702 printf("%s", descriptor->_name); 703 } else { 704 printf("TYPE%u", t); 705 } 706 printf("\n"); 707 } else { 708 printf("[B] Unable to verify denial of existence for "); 709 ldns_rdf_print(stdout, name); 710 printf(" type "); 711 if (descriptor && descriptor->_name) { 712 printf("%s", descriptor->_name); 713 } else { 714 printf("TYPE%u", t); 715 } 716 printf("\n"); 717 } 718 719 } 720 } 721 ldns_pkt_free(p); 722 } 723 724 new_nss_aaaa = NULL; 725 new_nss_a = NULL; 726 new_nss = NULL; 727 ns_addr = NULL; 728 ldns_rr_list_deep_free(key_list); 729 key_list = NULL; 730 ldns_rr_list_deep_free(key_sig_list); 731 key_sig_list = NULL; 732 ds_list = NULL; 733 ldns_rr_list_deep_free(ds_sig_list); 734 ds_sig_list = NULL; 735 } 736 printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); 737 /* verbose mode? 738 printf("Trusted keys:\n"); 739 ldns_rr_list_print(stdout, trusted_keys); 740 printf("trusted dss:\n"); 741 ldns_rr_list_print(stdout, trusted_ds_rrs); 742 */ 743 744 done: 745 ldns_rr_list_deep_free(trusted_ds_rrs); 746 ldns_rr_list_deep_free(correct_key_list); 747 ldns_resolver_deep_free(res); 748 if (labels) { 749 for(i = 0 ; i < (ssize_t)labels_count + 2; i++) { 750 ldns_rdf_deep_free(labels[i]); 751 } 752 LDNS_FREE(labels); 753 } 754 return result; 755 } 756 #endif /* HAVE_SSL */ 757