This file contains helper functions for the validator module. More...
enum sec_status | val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, time_t *proof_ttl, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen) |
Check DS absence. More... | |
int | nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type) |
NSEC typemap check: takes an NSEC-type bitmap as argument and checks whether the given type is present. More... | |
int | nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type) |
Check if type is present in the NSEC typemap. More... | |
int | nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc) |
Determine if a NSEC proves the NOERROR/NODATA conditions. More... | |
int | val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname. More... | |
int | val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc) |
Determine if the given NSEC proves a positive wildcard response. More... | |
uint8_t * | nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec) |
Determine the closest encloser of a query name from the NSEC that covers it (and thus disproves it). More... | |
int | val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen) |
Determine if the given NSEC proves that a wildcard match does not exist. More... | |
int | val_nsec_proves_insecuredelegation (struct ub_packed_rrset_key *nsec, struct query_info *qinfo) |
Determine if an nsec proves an insecure delegation towards the qname. More... | |
This file contains helper functions for the validator module.
The functions help with NSEC checking, the different NSEC proofs for denial of existence, and proofs for presence of types.
enum sec_status val_nsec_prove_nodata_dsreply | ( | struct module_env * | env, |
struct val_env * | ve, | ||
struct query_info * | qinfo, | ||
struct reply_info * | rep, | ||
struct key_entry_key * | kkey, | ||
time_t * | proof_ttl, | ||
char ** | reason, | ||
sldns_ede_code * | reason_bogus, | ||
struct module_qstate * | qstate, | ||
char * | reasonbuf, | ||
size_t | reasonlen | ||
) |
Check DS absence.
There is a NODATA reply to a DS query that needs checking. The NSECs can prove that this is not a delegation point, or prove that there is no DS; otherwise the check fails.
env | module env for rrsig verification routines. |
ve | validator env for rrsig verification routines. |
qinfo | the DS queried for. |
rep | reply received. |
kkey | key entry to use for verification of signatures. |
proof_ttl | if secure, the TTL of how long this proof lasts. |
reason | string explaining why bogus. |
reason_bogus | relevant EDE code for validation failure. |
qstate | qstate with region. |
reasonbuf | buffer to use for fail reason string print. |
reasonlen | length of reasonbuf. |
int nsecbitmap_has_type_rdata | ( | uint8_t * | bitmap, |
size_t | len, | ||
uint16_t | type | ||
) |
NSEC typemap check: takes an NSEC-type bitmap as argument and checks whether the given type is present.
bitmap | pointer to the bitmap part of wireformat rdata. |
len | length of the bitmap, in bytes. |
type | the type (in host order) to check for. |
Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().
int nsec_has_type | ( | struct ub_packed_rrset_key * | nsec, |
uint16_t | type | ||
) |
Check if type is present in the NSEC typemap.
nsec | the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node. |
type | type to check for, host order. |
References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by nsec_proves_nodata(), val_nsec_proves_insecuredelegation(), and val_nsec_proves_name_error().
int nsec_proves_nodata | ( | struct ub_packed_rrset_key * | nsec, |
struct query_info * | qinfo, | ||
uint8_t ** | wc | ||
) |
Determine if a NSEC proves the NOERROR/NODATA conditions.
This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
nsec | the nsec record to check against. |
qinfo | the query info. |
wc | if the nodata is proven for a wildcard match, the wildcard closest encloser is returned through wc; otherwise nothing is written (wc is left unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_is_root(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.
int val_nsec_proves_name_error | ( | struct ub_packed_rrset_key * | nsec, |
uint8_t * | qname | ||
) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
nsec | the nsec to check |
qname | what was queried. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_proves_no_wc(), and val_nsec_proves_positive_wildcard().
int val_nsec_proves_positive_wildcard | ( | struct ub_packed_rrset_key * | nsec, |
struct query_info * | qinf, | ||
uint8_t * | wc | ||
) |
Determine if the given NSEC proves a positive wildcard response.
nsec | the nsec to check |
qinf | what was queried. |
wc | wildcard (without *. label) |
References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().
uint8_t* nsec_closest_encloser | ( | uint8_t * | qname, |
struct ub_packed_rrset_key * | nsec | ||
) |
Determine the closest encloser of a query name from the NSEC that covers it (and thus disproves it).
A name error must have been proven already; otherwise the result is invalid.
qname | the name queried for. |
nsec | the nsec RRset. |
References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_proves_no_wc(), and val_nsec_proves_positive_wildcard().
int val_nsec_proves_no_wc | ( | struct ub_packed_rrset_key * | nsec, |
uint8_t * | qname, | ||
size_t | qnamelen | ||
) |
Determine if the given NSEC proves that a wildcard match does not exist.
nsec | the nsec RRset. |
qname | the name queried for. |
qnamelen | length of qname. |
References dname_count_labels(), dname_remove_labels(), LDNS_MAX_DOMAINLEN, nsec_closest_encloser(), and val_nsec_proves_name_error().
int val_nsec_proves_insecuredelegation | ( | struct ub_packed_rrset_key * | nsec, |
struct query_info * | qinfo | ||
) |
Determine if an nsec proves an insecure delegation towards the qname.
nsec | nsec rrset. |
qinfo | what was queried for. |
References packed_rrset_key::dname, dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_has_type(), query_info::qname, query_info::qtype, and ub_packed_rrset_key::rk.