val_utils.h File Reference

This file contains helper functions for the validator module. More...

#include "util/data/packed_rrset.h"
#include "sldns/pkthdr.h"
#include "sldns/rrdef.h"

Enumerations

enum  val_classification {
  VAL_CLASS_UNTYPED = 0 , VAL_CLASS_UNKNOWN , VAL_CLASS_POSITIVE , VAL_CLASS_CNAME ,
  VAL_CLASS_NODATA , VAL_CLASS_NAMEERROR , VAL_CLASS_CNAMENOANSWER , VAL_CLASS_REFERRAL ,
  VAL_CLASS_ANY
}
 Response classifications for the validator. More...
 

Functions

enum val_classification val_classify_response (uint16_t query_flags, struct query_info *origqinf, struct query_info *qinf, struct reply_info *rep, size_t skip)
 Given a response, classify ANSWER responses into a subtype. More...
 
void val_find_signer (enum val_classification subtype, struct query_info *qinf, struct reply_info *rep, size_t cname_skip, uint8_t **signer_name, size_t *signer_len)
 Given a response, determine the name of the "signer". More...
 
enum sec_status val_verify_rrset_entry (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct key_entry_key *kkey, char **reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate *qstate, int *verified, char *reasonbuf, size_t reasonlen)
 Verify RRset with keys from a keyset. More...
 
enum sec_status val_verify_DNSKEY_with_DS (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *dnskey_rrset, struct ub_packed_rrset_key *ds_rrset, uint8_t *sigalg, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
 Verify DNSKEYs with DS rrset. More...
 
enum sec_status val_verify_DNSKEY_with_TA (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *dnskey_rrset, struct ub_packed_rrset_key *ta_ds, struct ub_packed_rrset_key *ta_dnskey, uint8_t *sigalg, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
 Verify DNSKEYs with DS and DNSKEY rrset. More...
 
struct key_entry_key * val_verify_new_DNSKEYs (struct regional *region, struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *dnskey_rrset, struct ub_packed_rrset_key *ds_rrset, int downprot, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
 Verify new DNSKEYs with DS rrset. More...
 
struct key_entry_key * val_verify_new_DNSKEYs_with_ta (struct regional *region, struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *dnskey_rrset, struct ub_packed_rrset_key *ta_ds_rrset, struct ub_packed_rrset_key *ta_dnskey_rrset, int downprot, char **reason, sldns_ede_code *reason_bogus, struct module_qstate *qstate, char *reasonbuf, size_t reasonlen)
 Verify rrset with trust anchor: DS and DNSKEY rrset. More...
 
int val_dsset_isusable (struct ub_packed_rrset_key *ds_rrset)
 Determine if DS rrset is usable for validator or not. More...
 
int val_rrset_wildcard (struct ub_packed_rrset_key *rrset, uint8_t **wc, size_t *wc_len)
 Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion. More...
 
int val_chase_cname (struct query_info *qchase, struct reply_info *rep, size_t *cname_skip)
 Chase the cname to the next query name. More...
 
void val_fill_reply (struct reply_info *chase, struct reply_info *orig, size_t cname_skip, uint8_t *name, size_t len, uint8_t *signer)
 Fill up the chased reply with the content from the original reply; as pointers to those rrsets. More...
 
void val_reply_remove_auth (struct reply_info *rep, size_t index)
 Remove rrset with index from reply, from the authority section. More...
 
void val_check_nonsecure (struct module_env *env, struct reply_info *rep)
 Remove all unsigned or non-secure status rrsets from NS and AR sections. More...
 
void val_mark_indeterminate (struct reply_info *rep, struct val_anchors *anchors, struct rrset_cache *r, struct module_env *env)
 Mark all unchecked rrset entries not below a trust anchor as indeterminate. More...
 
void val_mark_insecure (struct reply_info *rep, uint8_t *kname, struct rrset_cache *r, struct module_env *env)
 Mark all unchecked rrset entries below a NULL key entry as insecure. More...
 
size_t val_next_unchecked (struct reply_info *rep, size_t skip)
 Find next unchecked rrset position, return it for skip. More...
 
void val_find_rrset_signer (struct ub_packed_rrset_key *rrset, uint8_t **sname, size_t *slen)
 Find the signer name for an RRset. More...
 
const char * val_classification_to_string (enum val_classification subtype)
 Get string to denote the classification result. More...
 
void val_blacklist (struct sock_list **blacklist, struct regional *region, struct sock_list *origin, int cross)
 Add existing list to blacklist. More...
 
int val_has_signed_nsecs (struct reply_info *rep, char **reason)
 check if has dnssec info, and if it has signed nsecs. More...
 
int val_favorite_ds_algo (struct ub_packed_rrset_key *ds_rrset)
 Return algo number for favorite (best) algorithm that we support in DS. More...
 
struct dns_msg * val_find_DS (struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t c, struct regional *region, uint8_t *topname)
 Find DS denial message in cache. More...
 

Detailed Description

This file contains helper functions for the validator module.

Enumeration Type Documentation

◆ val_classification

Response classifications for the validator.

The different types of proofs.

Enumerator
VAL_CLASS_UNTYPED 

Not subtyped yet.

VAL_CLASS_UNKNOWN 

Not a recognized subtype.

VAL_CLASS_POSITIVE 

A positive, direct, response.

VAL_CLASS_CNAME 

A positive response, with a CNAME/DNAME chain.

VAL_CLASS_NODATA 

A NOERROR/NODATA response.

VAL_CLASS_NAMEERROR 

A NXDOMAIN response.

VAL_CLASS_CNAMENOANSWER 

A CNAME/DNAME chain, and the offset is at the end of it, but there is no answer here, it can be NAMEERROR or NODATA.

VAL_CLASS_REFERRAL 

A referral, from cache with a nonRD query.

VAL_CLASS_ANY 

A response to a qtype=ANY query.

Function Documentation

◆ val_classify_response()

enum val_classification val_classify_response ( uint16_t  query_flags,
struct query_info origqinf,
struct query_info qinf,
struct reply_info rep,
size_t  skip 
)

Given a response, classify ANSWER responses into a subtype.

Parameters
query_flags — query flags for the original query.
origqinf — query info. The original query name.
qinf — query info. The chased query name.
rep — response. The original response.
skip — offset into the original response answer section.
Returns
A subtype, all values possible except UNTYPED. Once CNAME type is returned you can increase skip. Then, another CNAME type, CNAME_NOANSWER or POSITIVE are possible.

Referenced by processFinished(), and processInit().

◆ val_find_signer()

void val_find_signer ( enum val_classification  subtype,
struct query_info qinf,
struct reply_info rep,
size_t  cname_skip,
uint8_t **  signer_name,
size_t *  signer_len 
)

Given a response, determine the name of the "signer".

This is primarily to determine if the response is, in fact, signed at all, and, if so, what is the name of the most pertinent keyset.

Parameters
subtype — the type from classify.
qinf — query, the chased query name.
rep — response to that, original response.
cname_skip — how many answer rrsets have been skipped due to CNAME chains being chased around.
signer_name — signer name, if the response is signed (even partially), or NULL if the response isn't signed.
signer_len — length of signer_name, or 0 if signer_name is NULL.

References reply_info::an_numrrsets, cname_under_previous_dname(), packed_rrset_key::dname, dname_strict_subdomain_c(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DNAME, reply_info::ns_numrrsets, query_info::qname, query_info::qtype, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, VAL_CLASS_CNAME, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, and val_find_rrset_signer().

◆ val_verify_rrset_entry()

enum sec_status val_verify_rrset_entry ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct key_entry_key kkey,
char **  reason,
sldns_ede_code *  reason_bogus,
sldns_pkt_section  section,
struct module_qstate qstate,
int *  verified,
char *  reasonbuf,
size_t  reasonlen 
)

Verify RRset with keys from a keyset.

Parameters
env — module environment (scratch buffer)
ve — validator environment (verification settings)
rrset — what to verify
kkey — key_entry to verify with.
reason — reason of failure. Fixed string or alloced in scratch.
reason_bogus — EDE (RFC8914) code paired with the reason of failure.
section — section of packet where this rrset comes from.
qstate — qstate with region.
verified — if not NULL, the number of RRSIG validations is returned.
reasonbuf — buffer to use for fail reason string print.
reasonlen — length of reasonbuf.
Returns
security status of verification.

Referenced by nsec_verify_rrset().

◆ val_verify_DNSKEY_with_DS()

enum sec_status val_verify_DNSKEY_with_DS ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key dnskey_rrset,
struct ub_packed_rrset_key ds_rrset,
uint8_t *  sigalg,
char **  reason,
sldns_ede_code *  reason_bogus,
struct module_qstate qstate,
char *  reasonbuf,
size_t  reasonlen 
)

Verify DNSKEYs with DS rrset.

Like val_verify_new_DNSKEYs but returns a sec_status instead of a key_entry.

Parameters
env — module environment (scratch buffer)
ve — validator environment (verification settings)
dnskey_rrset — DNSKEY rrset to verify
ds_rrset — DS rrset to verify with.
sigalg — if non-NULL, provide downgrade protection; otherwise one algorithm is enough. The list of signalled algorithms is returned, so the buffer must have enough space for ALGO_NEEDS_MAX+1 entries.
reason — reason of failure. Fixed string or alloced in scratch.
reason_bogus — EDE (RFC8914) code paired with the reason of failure.
qstate — qstate with region.
reasonbuf — buffer to use for fail reason string print.
reasonlen — length of reasonbuf.
Returns
sec_status_secure if a DS matches. sec_status_insecure if end of trust (i.e., unknown algorithms). sec_status_bogus if it fails.

Referenced by val_verify_DNSKEY_with_TA().

◆ val_verify_DNSKEY_with_TA()

enum sec_status val_verify_DNSKEY_with_TA ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key dnskey_rrset,
struct ub_packed_rrset_key ta_ds,
struct ub_packed_rrset_key ta_dnskey,
uint8_t *  sigalg,
char **  reason,
sldns_ede_code *  reason_bogus,
struct module_qstate qstate,
char *  reasonbuf,
size_t  reasonlen 
)

Verify DNSKEYs with DS and DNSKEY rrset.

Like val_verify_DNSKEY_with_DS but for a trust anchor.

Parameters
env — module environment (scratch buffer)
ve — validator environment (verification settings)
dnskey_rrset — DNSKEY rrset to verify
ta_ds — DS rrset to verify with.
ta_dnskey — DNSKEY rrset to verify with.
sigalg — if non-NULL, provide downgrade protection; otherwise one algorithm is enough. The list of signalled algorithms is returned, so the buffer must have enough space for ALGO_NEEDS_MAX+1 entries.
reason — reason of failure. Fixed string or alloced in scratch.
reason_bogus — EDE (RFC8914) code paired with the reason of failure.
qstate — qstate with region.
reasonbuf — buffer to use for fail reason string print.
reasonlen — length of reasonbuf.
Returns
sec_status_secure if a DS matches. sec_status_insecure if end of trust (i.e., unknown algorithms). sec_status_bogus if it fails.

References ALGO_NEEDS_MAX, packed_rrset_key::dname, packed_rrset_key::dname_len, key_entry_create_rrset(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, sec_status_secure, and val_verify_DNSKEY_with_DS().

Referenced by val_verify_new_DNSKEYs_with_ta(), and verify_dnskey().

◆ val_verify_new_DNSKEYs()

struct key_entry_key* val_verify_new_DNSKEYs ( struct regional region,
struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key dnskey_rrset,
struct ub_packed_rrset_key ds_rrset,
int  downprot,
char **  reason,
sldns_ede_code *  reason_bogus,
struct module_qstate qstate,
char *  reasonbuf,
size_t  reasonlen 
)

Verify new DNSKEYs with DS rrset.

The DS contains hash values that should match the DNSKEY keys. Match the DS to a DNSKEY and verify the DNSKEY rrset with that key.

Parameters
region — where to allocate key entry result.
env — module environment (scratch buffer)
ve — validator environment (verification settings)
dnskey_rrset — DNSKEY rrset to verify
ds_rrset — DS rrset to verify with.
downprot — if true, provide downgrade protection; otherwise one algorithm is enough.
reason — reason of failure. Fixed string or alloced in scratch.
reason_bogus — EDE (RFC8914) code paired with the reason of failure.
qstate — qstate with region.
reasonbuf — buffer to use for fail reason string print.
reasonlen — length of reasonbuf.
Returns
a KeyEntry. This will either contain the now trusted dnskey_rrset, a "null" key entry indicating that this DS rrset/DNSKEY pair indicate a secure end to the island of trust (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey rrset fails to verify. Note that the "null" response should generally only occur in a private algorithm scenario: normally this sort of thing is checked before fetching the matching DNSKEY rrset. If downprot is set, a key entry with an algo list is made.

◆ val_verify_new_DNSKEYs_with_ta()

struct key_entry_key* val_verify_new_DNSKEYs_with_ta ( struct regional region,
struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key dnskey_rrset,
struct ub_packed_rrset_key ta_ds_rrset,
struct ub_packed_rrset_key ta_dnskey_rrset,
int  downprot,
char **  reason,
sldns_ede_code *  reason_bogus,
struct module_qstate qstate,
char *  reasonbuf,
size_t  reasonlen 
)

Verify rrset with trust anchor: DS and DNSKEY rrset.

Parameters
region — where to allocate key entry result.
env — module environment (scratch buffer)
ve — validator environment (verification settings)
dnskey_rrset — DNSKEY rrset to verify
ta_ds_rrset — DS rrset to verify with.
ta_dnskey_rrset — the DNSKEY rrset to verify with.
downprot — if true, provide downgrade protection; otherwise one algorithm is enough.
reason — reason of failure. Fixed string or alloced in scratch.
reason_bogus — EDE (RFC8914) code paired with the reason of failure.
qstate — qstate with region.
reasonbuf — buffer to use for fail reason string print.
reasonlen — length of reasonbuf.
Returns
a KeyEntry. This will either contain the now trusted dnskey_rrset, a "null" key entry indicating that this DS rrset/DNSKEY pair indicate a secure end to the island of trust (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey rrset fails to verify. Note that the "null" response should generally only occur in a private algorithm scenario: normally this sort of thing is checked before fetching the matching DNSKEY rrset. If downprot is set, a key entry with an algo list is made.

References ALGO_NEEDS_MAX, packed_rrset_key::dname, packed_rrset_key::dname_len, key_entry_create_rrset(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, sec_status_secure, and val_verify_DNSKEY_with_TA().

◆ val_dsset_isusable()

int val_dsset_isusable ( struct ub_packed_rrset_key ds_rrset)

Determine if DS rrset is usable for validator or not.

Returns true if the algorithms for key and DShash are supported, for at least one RR.

Parameters
ds_rrset — the newly received DS rrset.
Returns
true if usable, false if not usable.

References ds_digest_algo_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), ds_key_algo_is_supported(), rrset_get_count(), sldns_algorithms, sldns_hashes, sldns_lookup_by_id(), VERB_ALGO, verbose(), and verbosity.

◆ val_rrset_wildcard()

int val_rrset_wildcard ( struct ub_packed_rrset_key rrset,
uint8_t **  wc,
size_t *  wc_len 
)

Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion.

If so, return the name of the generating wildcard.

Parameters
rrset — the rrset to check.
wc — the wildcard name, if the rrset was synthesized from a wildcard; unchanged if not. The wildcard name, without "*." in front, is returned. This is a pointer into the rrset owner name.
wc_len — the length of the returned wildcard name.
Returns
false if the signatures are inconsistent in indicating the wildcard status; possible spoofing of a wildcard response for other responses is being tried. We lost the record of which rrsig was verified after the verification routine finished, so we simply check that the signatures are consistent; inserting a fake signature is a denial of service, but in that case you could also have removed the real signature anyway.

References packed_rrset_data::count, packed_rrset_key::dname, dname_count_labels(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_labels(), ub_packed_rrset_key::rk, packed_rrset_data::rrsig_count, and rrsig_get_labcount().

Referenced by dns_cache_lookup(), validate_cname_response(), and validate_positive_response().

◆ val_chase_cname()

int val_chase_cname ( struct query_info qchase,
struct reply_info rep,
size_t *  cname_skip 
)

Chase the cname to the next query name.

Parameters
qchase — the current query name, updated to the next target.
rep — original message reply to look at CNAMEs.
cname_skip — the skip into the answer section. Updated to skip DNAME and CNAME to the next part of the answer.
Returns
false on error (bad rdata).

References reply_info::an_numrrsets, get_cname_target(), LDNS_RR_TYPE_CNAME, query_info::qname, query_info::qname_len, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.

◆ val_fill_reply()

void val_fill_reply ( struct reply_info chase,
struct reply_info orig,
size_t  cname_skip,
uint8_t *  name,
size_t  len,
uint8_t *  signer 
)

Fill up the chased reply with the content from the original reply; as pointers to those rrsets.

Select the part after the cname_skip into the answer section, NS and AR sections that are signed with same signer.

Parameters
chase — chased reply, filled up.
orig — original reply.
cname_skip — which part of the answer section to skip. The skipped part contains CNAME (and DNAME)s that have been chased.
name — the signer name to look for.
len — length of name.
signer — signer name, or NULL if an unsigned RRset is considered. If NULL, rrsets with the lookup name are copied over.

References reply_info::an_numrrsets, reply_info::ar_numrrsets, cname_under_previous_dname(), packed_rrset_key::dname, LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DNAME, reply_info::ns_numrrsets, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrset_count, rrset_has_signer(), reply_info::rrsets, and packed_rrset_key::type.

◆ val_reply_remove_auth()

void val_reply_remove_auth ( struct reply_info rep,
size_t  index 
)

Remove rrset with index from reply, from the authority section.

Parameters
repreply to remove it from.
indexrrset to remove, must be in the authority section.

References reply_info::an_numrrsets, log_assert, reply_info::ns_numrrsets, reply_info::rrset_count, and reply_info::rrsets.

Referenced by remove_spurious_authority().

◆ val_check_nonsecure()

void val_check_nonsecure ( struct module_env env,
struct reply_info rep 
)

Remove all unsigned or non-secure status rrsets from NS and AR sections.

So that unsigned data does not get let through to clients, when we have found the data to be secure.

Parameters
env — environment with cleaning options.
rep — reply to dump all nonsecure stuff out of.

References reply_info::an_numrrsets, reply_info::ar_numrrsets, module_env::cfg, lruhash_entry::data, packed_rrset_key::dname, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, log_nametypeclass(), reply_info::ns_numrrsets, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrset_count, reply_info::rrsets, sec_status_bogus, sec_status_secure, reply_info::security, packed_rrset_key::type, config_file::val_clean_additional, VERB_ALGO, VERB_QUERY, and verbose().

◆ val_mark_indeterminate()

void val_mark_indeterminate ( struct reply_info rep,
struct val_anchors anchors,
struct rrset_cache r,
struct module_env env 
)

Mark all unchecked rrset entries not below a trust anchor as indeterminate.

Only security==unchecked rrsets are updated.

Parameters
rep — the reply with rrsets.
anchors — the trust anchors.
r — rrset cache to store updated security status into.
env — module environment

References check_no_anchor(), lruhash_entry::data, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, module_env::now, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrset_count, rrset_update_sec_status(), reply_info::rrsets, sec_status_indeterminate, sec_status_unchecked, and packed_rrset_data::security.

◆ val_mark_insecure()

void val_mark_insecure ( struct reply_info rep,
uint8_t *  kname,
struct rrset_cache r,
struct module_env env 
)

Mark all unchecked rrset entries below a NULL key entry as insecure.

Only security==unchecked rrsets are updated.

Parameters
rep — the reply with rrsets.
kname — end of secure space name.
r — rrset cache to store updated security status into.
env — module environment

References lruhash_entry::data, packed_rrset_key::dname, dname_subdomain_c(), ub_packed_rrset_key::entry, module_env::now, ub_packed_rrset_key::rk, reply_info::rrset_count, rrset_update_sec_status(), reply_info::rrsets, sec_status_insecure, sec_status_unchecked, and packed_rrset_data::security.

Referenced by processValidate().

◆ val_next_unchecked()

size_t val_next_unchecked ( struct reply_info rep,
size_t  skip 
)

Find next unchecked rrset position, return it for skip.

Parameters
rep — the original reply to look into.
skip — the current skip.
Returns
new skip, which may be at the rep->rrset_count position to signal there are no unchecked items.

References lruhash_entry::data, ub_packed_rrset_key::entry, reply_info::rrset_count, reply_info::rrsets, sec_status_unchecked, and packed_rrset_data::security.

◆ val_find_rrset_signer()

void val_find_rrset_signer ( struct ub_packed_rrset_key rrset,
uint8_t **  sname,
size_t *  slen 
)

Find the signer name for an RRset.

Parameters
rrset — the rrset.
sname — signer name is returned, or NULL if not signed.
slen — length of sname (or 0).

References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rrsig_count, and rrsig_get_signer().

Referenced by iter_ds_toolow(), and val_find_signer().

◆ val_classification_to_string()

const char* val_classification_to_string ( enum val_classification  subtype)

Get string to denote the classification result.

Parameters
subtype — from the classification function.
Returns
static string to describe the classification.

References VAL_CLASS_ANY, VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, VAL_CLASS_UNKNOWN, and VAL_CLASS_UNTYPED.

◆ val_blacklist()

void val_blacklist ( struct sock_list **  blacklist,
struct regional region,
struct sock_list origin,
int  cross 
)

Add existing list to blacklist.

Parameters
blacklist — the blacklist with result.
region — the region where blacklist is allocated. Allocation failures are logged.
origin — origin list to add; if NULL, a cache-entry is added to the blacklist to stop the cache from being used.
cross — if true this is a cross-qstate copy, and the 'origin' list is not allocated in the same region as the blacklist.

References sock_list::next, sock_list_insert(), sock_list_logentry(), sock_list_merge(), sock_list_prepend(), VERB_ALGO, verbose(), and verbosity.

Referenced by process_ds_response().

◆ val_has_signed_nsecs()

int val_has_signed_nsecs ( struct reply_info rep,
char **  reason 
)

Check if the reply has DNSSEC info, and if it has signed NSECs.

Gives the error reason on failure.

Parameters
repreply to check.
reasonreturned on fail.
Returns
false if the message has no signed NSECs, in which case negatives cannot be proven.

References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.

◆ val_favorite_ds_algo()

int val_favorite_ds_algo ( struct ub_packed_rrset_key ds_rrset)

Return algo number for favorite (best) algorithm that we support in DS.

Parameters
ds_rrset — the DSes in this rrset are inspected and the best algo chosen.
Returns
algo number, or 0 if none is supported. 0 is unused as an algo number.

References ds_digest_algo_is_supported(), ds_get_digest_algo(), ds_key_algo_is_supported(), and rrset_get_count().

Referenced by key_matches_a_ds().

◆ val_find_DS()

struct dns_msg* val_find_DS ( struct module_env env,
uint8_t *  nm,
size_t  nmlen,
uint16_t  c,
struct regional region,
uint8_t *  topname 
)

Find DS denial message in cache.

Saves new qstate allocation and allows the validator to use partial content which is not enough to construct a message for network (or user) consumption. Without SOA for example, which is a common occurrence in the unbound code since the referrals contain NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a full negative reply, but do allow synthesis of sufficient proof.

Parameters
env — query env with caches and time.
nm — name of DS record sought.
nmlen — length of name.
c — class of DS RR.
region — where to allocate result.
topname — name of the key that is currently in use, that will get used to validate the result, and thus no higher entries from the negative cache need to be examined.
Returns
a dns_msg on success. NULL on failure.

References reply_info::an_numrrsets, module_env::cfg, dns_msg_create(), ub_packed_rrset_key::entry, LDNS_RR_TYPE_DS, query_info::local_alias, lruhash_entry::lock, module_env::neg_cache, module_env::now, packed_rrset_copy_region(), query_info::qclass, query_info::qname, query_info::qname_len, query_info::qtype, dns_msg::rep, module_env::rrset_cache, rrset_cache_lookup(), reply_info::rrset_count, reply_info::rrsets, module_env::scratch_buffer, and val_neg_getmsg().