val_nsec.c File Reference

This file contains helper functions for the validator module. More...

#include "config.h"
#include "validator/val_nsec.h"
#include "validator/val_utils.h"
#include "util/data/msgreply.h"
#include "util/data/dname.h"
#include "util/net_help.h"
#include "util/module.h"
#include "services/cache/rrset.h"

Functions
static uint32_t	rrset_get_ttl (struct ub_packed_rrset_key *k)
	get ttl of rrset
int	nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type)
	nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
int	nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type)
	Check if type is present in the NSEC typemap.
static int	nsec_get_next (struct ub_packed_rrset_key *nsec, uint8_t **nm, size_t *ln)
	Get next owner name from nsec record.
static enum sec_status	val_nsec_proves_no_ds (struct ub_packed_rrset_key *nsec, struct query_info *qinfo)
	For an NSEC that matches the DS queried for, check absence of DS type.
static int	nsec_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *nsec, struct key_entry_key *kkey, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
	check security status from cache or verify rrset, returns true if secure
enum sec_status	val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, time_t *proof_ttl, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
	Check DS absence.
int	nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc)
	Determine if a NSEC proves the NOERROR/NODATA conditions.
int	val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname)
	Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
int	val_nsec_proves_insecuredelegation (struct ub_packed_rrset_key *nsec, struct query_info *qinfo)
	Determine if an nsec proves an insecure delegation towards the qname.
uint8_t *	nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec)
	Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).
int	val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc)
	Determine if the given NSEC proves a positive wildcard response.
int	val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen)
	Determine if the given NSEC proves that a wildcard match does not exist.

Detailed Description

This file contains helper functions for the validator module.

The functions help with NSEC checking, the different NSEC proofs for denial of existence, and proofs for presence of types.

Function Documentation

nsecbitmap_has_type_rdata()

int nsecbitmap_has_type_rdata	(	uint8_t *	bitmap,
		size_t	len,
		uint16_t	type
	)

nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.

Parameters

bitmap	pointer to the bitmap part of wireformat rdata.
len	length of the bitmap, in bytes.
type	the type (in host order) to check for.

Returns

true if the type bit was set in the bitmap. false if not, or if the bitmap was malformed in some way.

Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().

nsec_has_type()

int nsec_has_type	(	struct ub_packed_rrset_key *	nsec,
		uint16_t	type
	)

Check if type is present in the NSEC typemap.

Parameters

nsec	the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node.
type	type to check for, host order.

Returns

true if present

References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by find_add_ds(), grab_nsec(), nsec_proves_nodata(), val_nsec_proves_insecuredelegation(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), and zonemd_check_dnssec_absence().

nsec_get_next()

static int nsec_get_next ( struct ub_packed_rrset_key *  nsec, uint8_t **  nm, size_t *  ln  )

static

Get next owner name from nsec record.

Parameters

nsec	the nsec RRset. If there are multiple RRs, then this will only return one of them.
nm	the next name is returned.
ln	length of nm is returned.

Returns

false on a bad NSEC RR (too short, malformed dname).

References packed_rrset_data::count, dname_valid(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by nsec_closest_encloser(), nsec_proves_nodata(), and val_nsec_proves_name_error().

val_nsec_proves_no_ds()

static enum sec_status val_nsec_proves_no_ds ( struct ub_packed_rrset_key *  nsec, struct query_info *  qinfo  )

static

For an NSEC that matches the DS queried for, check absence of DS type.

Parameters

nsec	NSEC for proof, must be trusted.
qinfo	what is queried for.

Returns

if secure the nsec proves that no DS is present, or insecure if it proves it is not a delegation point. or bogus if something was wrong.

References LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, log_assert, nsec_has_type(), query_info::qname_len, query_info::qtype, ub_packed_rrset_key::rk, sec_status_bogus, sec_status_insecure, sec_status_secure, and packed_rrset_key::type.

Referenced by val_nsec_prove_nodata_dsreply().

val_nsec_prove_nodata_dsreply()

enum sec_status val_nsec_prove_nodata_dsreply	(	struct module_env *	env,
		struct val_env *	ve,
		struct query_info *	qinfo,
		struct reply_info *	rep,
		struct key_entry_key *	kkey,
		time_t *	proof_ttl,
		char **	reason,
		sldns_ede_code *	reason_bogus,
		struct module_qstate *	qstate,
		char *	reasonbuf,
		size_t	reasonlen
	)

Check DS absence.

There is a NODATA reply to a DS that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Or this fails.

Parameters

env	module env for rrsig verification routines.
ve	validator env for rrsig verification routines.
qinfo	the DS queried for.
rep	reply received.
kkey	key entry to use for verification of signatures.
proof_ttl	if secure, the TTL of how long this proof lasts.
reason	string explaining why bogus.
reason_bogus	relevant EDE code for validation failure.
qstate	qstate with region.
reasonbuf	buffer to use for fail reason string print.
reasonlen	length of reasonbuf.

Returns

security status. SECURE: proved absence of DS. INSECURE: proved that this was not a delegation point. BOGUS: crypto bad, or no absence of DS proven. UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).

References reply_info::an_numrrsets, packed_rrset_key::dname, dname_is_wild(), reply_info::ns_numrrsets, nsec_closest_encloser(), nsec_proves_nodata(), nsec_verify_rrset(), query_info::qclass, query_info::qname, query_info::qname_len, query_dname_compare(), reply_find_rrset_section_ns(), ub_packed_rrset_key::rk, rrset_get_ttl(), reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, ub_packed_rrset_ttl(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), VERB_ALGO, and verbose().

Referenced by ds_response_to_ke().

nsec_proves_nodata()

int nsec_proves_nodata	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinfo,
		uint8_t **	wc
	)

Determine if a NSEC proves the NOERROR/NODATA conditions.

This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.

Parameters

nsec	the nsec record to check against.
qinfo	the query info.
wc	if the nodata is proven for a wildcard match, the wildcard closest encloser is returned, else NULL (wc is unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname.

Returns

true if NSEC proves this.

References packed_rrset_key::dname, dname_canonical_compare(), dname_is_root(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.

Referenced by val_neg_getmsg(), val_nsec_prove_nodata_dsreply(), validate_cname_noanswer_response(), and validate_nodata_response().

val_nsec_proves_name_error()

int val_nsec_proves_name_error	(	struct ub_packed_rrset_key *	nsec,
		uint8_t *	qname
	)

Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.

Parameters

nsec	the nsec to check
qname	what was queried.

Returns

true if proven.

References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.

Referenced by val_neg_getmsg(), val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().

val_nsec_proves_insecuredelegation()

int val_nsec_proves_insecuredelegation	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinfo
	)

Determine if an nsec proves an insecure delegation towards the qname.

Parameters

nsec	nsec rrset.
qinfo	what was queries for.

Returns

0 if not, 1 if an NSEC that signals an insecure delegation to the qname.

References packed_rrset_key::dname, dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_has_type(), query_info::qname, query_info::qtype, and ub_packed_rrset_key::rk.

Referenced by validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().

nsec_closest_encloser()

uint8_t * nsec_closest_encloser	(	uint8_t *	qname,
		struct ub_packed_rrset_key *	nsec
	)

Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).

A name error must have been proven already, otherwise this will be invalid.

Parameters

qname	the name queried for.
nsec	the nsec RRset.

Returns

closest encloser dname or NULL on error (bad nsec RRset).

References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.

Referenced by val_neg_getmsg(), val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().

val_nsec_proves_positive_wildcard()

int val_nsec_proves_positive_wildcard	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinf,
		uint8_t *	wc
	)

Determine if the given NSEC proves a positive wildcard response.

Parameters

nsec	the nsec to check
qinf	what was queried.
wc	wildcard (without *. label)

Returns

true if proven.

References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().

Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().

val_nsec_proves_no_wc()

int val_nsec_proves_no_wc	(	struct ub_packed_rrset_key *	nsec,
		uint8_t *	qname,
		size_t	qnamelen
	)

Determine if the given NSEC proves that a wildcard match does not exist.

Parameters

nsec	the nsec RRset.
qname	the name queried for.
qnamelen	length of qname.

Returns

true if proven.

References dname_count_labels(), dname_remove_labels(), LDNS_MAX_DOMAINLEN, nsec_closest_encloser(), and val_nsec_proves_name_error().

Referenced by validate_cname_noanswer_response(), and validate_nameerror_response().