1 /* 2 * validator/validator.h - secure validator DNS query response module 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that performs validation of DNS queries. 40 * According to RFC 4034. 41 */ 42 43 #ifndef VALIDATOR_VALIDATOR_H 44 #define VALIDATOR_VALIDATOR_H 45 #include "util/module.h" 46 #include "util/data/msgreply.h" 47 #include "validator/val_utils.h" 48 #include "validator/val_nsec3.h" 49 struct val_anchors; 50 struct key_cache; 51 struct key_entry_key; 52 struct val_neg_cache; 53 struct config_strlist; 54 struct comm_timer; 55 56 /** 57 * This is the TTL to use when a trust anchor fails to prime. A trust anchor 58 * will be primed no more often than this interval. Used when harden- 59 * dnssec-stripped is off and the trust anchor fails. 60 */ 61 #define NULL_KEY_TTL 60 /* seconds */ 62 63 /** 64 * TTL for bogus key entries. When a DS or DNSKEY fails in the chain of 65 * trust the entire zone for that name is blacked out for this TTL. 66 */ 67 #define BOGUS_KEY_TTL 60 /* seconds */ 68 69 /** Root key sentinel is ta preamble */ 70 #define SENTINEL_IS "root-key-sentinel-is-ta-" 71 /** Root key sentinel is not ta preamble */ 72 #define SENTINEL_NOT "root-key-sentinel-not-ta-" 73 /** Root key sentinel keytag length */ 74 #define SENTINEL_KEYTAG_LEN 5 75 76 /** 77 * Global state for the validator. 78 */ 79 struct val_env { 80 /** key cache; these are validated keys. trusted keys only 81 * end up here after being primed. */ 82 struct key_cache* kcache; 83 84 /** aggressive negative cache. index into NSECs in rrset cache. */ 85 struct val_neg_cache* neg_cache; 86 87 /** for debug testing a fixed validation date can be entered. 88 * if 0, current time is used for rrsig validation */ 89 int32_t date_override; 90 91 /** clock skew min for signatures */ 92 int32_t skew_min; 93 94 /** clock skew max for signatures */ 95 int32_t skew_max; 96 97 /** max number of query restarts, number of IPs to probe */ 98 int max_restart; 99 100 /** TTL for bogus data; used instead of untrusted TTL from data. 101 * Bogus data will not be verified more often than this interval. 102 * seconds. */ 103 uint32_t bogus_ttl; 104 105 /** 106 * Number of entries in the NSEC3 maximum iteration count table. 107 * Keep this table short, and sorted by size 108 */ 109 int nsec3_keyiter_count; 110 111 /** 112 * NSEC3 maximum iteration count per signing key size. 113 * This array contains key size values (in increasing order) 114 */ 115 size_t* nsec3_keysize; 116 117 /** 118 * NSEC3 maximum iteration count per signing key size. 119 * This array contains the maximum iteration count for the keysize 120 * in the keysize array. 121 */ 122 size_t* nsec3_maxiter; 123 124 /** lock on bogus counter */ 125 lock_basic_type bogus_lock; 126 /** number of times rrsets marked bogus */ 127 size_t num_rrset_bogus; 128 }; 129 130 /** 131 * State of the validator for a query. 132 */ 133 enum val_state { 134 /** initial state for validation */ 135 VAL_INIT_STATE = 0, 136 /** find the proper keys for validation, follow trust chain */ 137 VAL_FINDKEY_STATE, 138 /** validate the answer, using found key entry */ 139 VAL_VALIDATE_STATE, 140 /** finish up */ 141 VAL_FINISHED_STATE, 142 }; 143 144 /** 145 * Per query state for the validator module. 146 */ 147 struct val_qstate { 148 /** 149 * State of the validator module. 150 */ 151 enum val_state state; 152 153 /** 154 * The original message we have been given to validate. 155 */ 156 struct dns_msg* orig_msg; 157 158 /** 159 * The query restart count 160 */ 161 int restart_count; 162 /** The blacklist saved for chainoftrust elements */ 163 struct sock_list* chain_blacklist; 164 165 /** 166 * The query name we have chased to; qname after following CNAMEs 167 */ 168 struct query_info qchase; 169 170 /** 171 * The chased reply, extract from original message. Can be: 172 * o CNAME 173 * o DNAME + CNAME 174 * o answer 175 * plus authority, additional (nsecs) that have same signature. 176 */ 177 struct reply_info* chase_reply; 178 179 /** 180 * The cname skip value; the number of rrsets that have been skipped 181 * due to chasing cnames. This is the offset into the 182 * orig_msg->rep->rrsets array, into the answer section. 183 * starts at 0 - for the full original message. 184 * if it is >0 - qchase followed the cname, chase_reply setup to be 185 * that message and relevant authority rrsets. 186 * 187 * The skip is also used for referral messages, where it will 188 * range from 0, over the answer, authority and additional sections. 189 */ 190 size_t rrset_skip; 191 192 /** trust anchor name */ 193 uint8_t* trust_anchor_name; 194 /** trust anchor labels */ 195 int trust_anchor_labs; 196 /** trust anchor length */ 197 size_t trust_anchor_len; 198 199 /** the DS rrset */ 200 struct ub_packed_rrset_key* ds_rrset; 201 202 /** domain name for empty nonterminal detection */ 203 uint8_t* empty_DS_name; 204 /** length of empty_DS_name */ 205 size_t empty_DS_len; 206 207 /** the current key entry */ 208 struct key_entry_key* key_entry; 209 210 /** subtype */ 211 enum val_classification subtype; 212 213 /** signer name */ 214 uint8_t* signer_name; 215 /** length of signer_name */ 216 size_t signer_len; 217 218 /** true if this state is waiting to prime a trust anchor */ 219 int wait_prime_ta; 220 221 /** State to continue with RRSIG validation in a message later */ 222 int msg_signatures_state; 223 /** The rrset index for the msg signatures to continue from */ 224 size_t msg_signatures_index; 225 /** Cache table for NSEC3 hashes */ 226 struct nsec3_cache_table nsec3_cache_table; 227 /** DS message from sub if it got suspended from NSEC3 calculations */ 228 struct dns_msg* sub_ds_msg; 229 /** The timer to resume processing msg signatures */ 230 struct comm_timer* suspend_timer; 231 /** Number of suspends */ 232 int suspend_count; 233 }; 234 235 /** 236 * Get the validator function block. 237 * @return: function block with function pointers to validator methods. 238 */ 239 struct module_func_block* val_get_funcblock(void); 240 241 /** 242 * Get validator state as a string 243 * @param state: to convert 244 * @return constant string that is printable. 245 */ 246 const char* val_state_to_string(enum val_state state); 247 248 /** validator init */ 249 int val_init(struct module_env* env, int id); 250 251 /** validator deinit */ 252 void val_deinit(struct module_env* env, int id); 253 254 /** validator operate on a query */ 255 void val_operate(struct module_qstate* qstate, enum module_ev event, int id, 256 struct outbound_entry* outbound); 257 258 /** 259 * inform validator super. 260 * 261 * @param qstate: query state that finished. 262 * @param id: module id. 263 * @param super: the qstate to inform. 264 */ 265 void val_inform_super(struct module_qstate* qstate, int id, 266 struct module_qstate* super); 267 268 /** validator cleanup query state */ 269 void val_clear(struct module_qstate* qstate, int id); 270 271 /** 272 * Debug helper routine that assists worker in determining memory in 273 * use. 274 * @param env: module environment 275 * @param id: module id. 276 * @return memory in use in bytes. 277 */ 278 size_t val_get_mem(struct module_env* env, int id); 279 280 /** Timer callback for msg signatures continue timer */ 281 void validate_suspend_timer_cb(void* arg); 282 283 #endif /* VALIDATOR_VALIDATOR_H */ 284