validator.c File Reference

This file contains a module that performs validation of DNS queries. More...

#include "config.h"
#include <ctype.h>
#include "validator/validator.h"
#include "validator/val_anchor.h"
#include "validator/val_kcache.h"
#include "validator/val_kentry.h"
#include "validator/val_utils.h"
#include "validator/val_nsec.h"
#include "validator/val_nsec3.h"
#include "validator/val_neg.h"
#include "validator/val_sigcrypt.h"
#include "validator/autotrust.h"
#include "services/cache/dns.h"
#include "services/cache/rrset.h"
#include "util/data/dname.h"
#include "util/module.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/regional.h"
#include "util/config_file.h"
#include "util/fptr_wlist.h"
#include "sldns/rrdef.h"
#include "sldns/wire2str.h"
#include "sldns/str2wire.h"

Macros

#define MAX_VALIDATE_AT_ONCE   8
 Max number of RRSIGs to validate at once, suspend query for later.
 
#define MAX_VALIDATION_SUSPENDS   16
 Max number of validation suspends allowed, error out otherwise.
 
#define MAX_LABEL_TAGS   (LDNS_MAX_LABELLEN-3)/5
 

Functions

static void process_ds_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin, int *suspend, struct module_qstate *sub_qstate)
 Process DS response. More...
 
static void update_reason_bogus (struct reply_info *rep, sldns_ede_code reason_bogus)
 
static int fill_nsec3_iter (struct val_env *ve, char *s, int c)
 fill up nsec3 key iterations config entry
 
static int val_apply_cfg (struct module_env *env, struct val_env *val_env, struct config_file *cfg)
 apply config settings to validator
 
int val_init (struct module_env *env, int id)
 validator init
 
void val_deinit (struct module_env *env, int id)
 validator deinit
 
static struct val_qstateval_new_getmsg (struct module_qstate *qstate, struct val_qstate *vq)
 fill in message structure
 
static struct val_qstateval_new (struct module_qstate *qstate, int id)
 allocate new validator query state
 
static void val_restart (struct val_qstate *vq)
 reset validator query state for query restart
 
static int val_error (struct module_qstate *qstate, int id)
 Exit validation with an error status. More...
 
static int needs_validation (struct module_qstate *qstate, int ret_rc, struct dns_msg *ret_msg)
 Check to see if a given response needs to go through the validation process. More...
 
static int already_validated (struct dns_msg *ret_msg)
 Check to see if the response has already been validated. More...
 
static int generate_request (struct module_qstate *qstate, int id, uint8_t *name, size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags, struct module_qstate **newq, int detached)
 Generate a request for DNS data. More...
 
static int generate_keytag_query (struct module_qstate *qstate, int id, struct trust_anchor *ta)
 Generate, send and detach key tag signaling query. More...
 
static int sentinel_get_keytag (char *start, uint16_t *keytag)
 Get keytag as uint16_t from string. More...
 
static int prime_trust_anchor (struct module_qstate *qstate, struct val_qstate *vq, int id, struct trust_anchor *toprime)
 Prime trust anchor for use. More...
 
static int validate_msg_signatures (struct module_qstate *qstate, struct val_qstate *vq, struct module_env *env, struct val_env *ve, struct reply_info *chase_reply, struct key_entry_key *key_entry, int *suspend)
 Validate if the ANSWER and AUTHORITY sections contain valid rrsets. More...
 
void validate_suspend_timer_cb (void *arg)
 Timer callback for msg signatures continue timer.
 
static int validate_suspend_setup_timer (struct module_qstate *qstate, struct val_qstate *vq, int id, enum val_state resume_state)
 Setup timer to continue validation of msg signatures later.
 
static int detect_wrongly_truncated (struct reply_info *rep)
 Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral). More...
 
static void remove_spurious_authority (struct reply_info *chase_reply, struct reply_info *orig_reply)
 For messages that are not referrals, if the chase reply contains an unsigned NS record in the authority section it could have been inserted by a (BIND) forwarder that thinks the zone is insecure, and that has an NS record without signatures in cache. More...
 
static void validate_positive_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response. More...
 
static void validate_nodata_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets. More...
 
static void validate_nameerror_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, int *rcode, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode. More...
 
static void validate_referral_response (struct reply_info *chase_reply)
 Given a referral response, validate rrsets and take least trusted rrset as the current validation status. More...
 
static void validate_any_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers. More...
 
static void validate_cname_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Validate CNAME response, or DNAME+CNAME. More...
 
static void validate_cname_noanswer_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend)
 Validate CNAME NOANSWER response, no more data after a CNAME chain. More...
 
static int processInit (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Process init state for validator. More...
 
static int processFindKey (struct module_qstate *qstate, struct val_qstate *vq, int id)
 Process the FINDKEY state. More...
 
static int processValidate (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response. More...
 
static int processFinished (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 The Finished state. More...
 
static void val_handle (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Handle validator state. More...
 
void val_operate (struct module_qstate *qstate, enum module_ev event, int id, struct outbound_entry *outbound)
 validator operate on a query
 
static struct key_entry_keyprimeResponseToKE (struct ub_packed_rrset_key *dnskey_rrset, struct trust_anchor *ta, struct module_qstate *qstate, int id, struct module_qstate *sub_qstate)
 Evaluate the response to a priming request. More...
 
static int ds_response_to_ke (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct key_entry_key **ke, struct module_qstate *sub_qstate)
 In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry. More...
 
static void process_dnskey_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin, struct module_qstate *sub_qstate)
 Process DNSKEY response. More...
 
static void process_prime_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct sock_list *origin, struct module_qstate *sub_qstate)
 Process prime response Sets the key entry in the state. More...
 
void val_inform_super (struct module_qstate *qstate, int id, struct module_qstate *super)
 inform validator super. More...
 
void val_clear (struct module_qstate *qstate, int id)
 validator cleanup query state
 
size_t val_get_mem (struct module_env *env, int id)
 Debug helper routine that assists worker in determining memory in use. More...
 
struct module_func_blockval_get_funcblock (void)
 Get the validator function block. More...
 
const char * val_state_to_string (enum val_state state)
 Get validator state as a string. More...
 

Variables

static struct module_func_block val_block
 The validator function block. More...
 

Detailed Description

This file contains a module that performs validation of DNS queries.

According to RFC 4034.

Function Documentation

◆ process_ds_response()

static void process_ds_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct sock_list origin,
int *  suspend,
struct module_qstate sub_qstate 
)
static

Process DS response.

Called from inform_supers. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.

Parameters
qstatequery state that is validating and asked for a DS.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
originthe origin of msg.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.
sub_qstatethe sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. Can be NULL.

References val_qstate::chain_blacklist, val_qstate::chase_reply, ds_response_to_ke(), val_qstate::ds_rrset, val_qstate::empty_DS_len, val_qstate::empty_DS_name, module_qstate::env, module_qstate::errinf, errinf_dname(), errinf_origin(), val_qstate::key_entry, key_entry_get_rrset(), key_entry_isbad(), key_entry_isgood(), log_err(), val_env::max_restart, module_env::modinfo, query_info::qname, query_info::qname_len, module_qstate::region, regional_alloc_init(), val_qstate::restart_count, module_qstate::rpz_applied, sec_status_insecure, reply_info::security, val_qstate::state, val_blacklist(), VAL_FINISHED_STATE, VAL_VALIDATE_STATE, VERB_ALGO, and verbose().

Referenced by val_inform_super().

◆ val_error()

static int val_error ( struct module_qstate qstate,
int  id 
)
static

Exit validation with an error status.

Parameters
qstatequery state
idvalidator id.
Returns
false, for use by caller to return to stop processing.

References module_qstate::ext_state, module_error, and module_qstate::return_rcode.

Referenced by processInit(), and processValidate().

◆ needs_validation()

static int needs_validation ( struct module_qstate qstate,
int  ret_rc,
struct dns_msg ret_msg 
)
static

Check to see if a given response needs to go through the validation process.

Typical reasons for this routine to return false are: CD bit was on in the original request, or the response is a kind of message that is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)

Parameters
qstatequery state.
ret_rcrcode for this message (if noerror - examine ret_msg).
ret_msgreturn msg, can be NULL; look at rcode instead.
Returns
true if the response could use validation (although this does not mean we can actually validate this response).

References module_qstate::is_valrec, VERB_ALGO, and verbose().

Referenced by val_operate().

◆ already_validated()

static int already_validated ( struct dns_msg ret_msg)
static

Check to see if the response has already been validated.

Parameters
ret_msgreturn msg, can be NULL
Returns
true if the response has already been validated

References dns_msg::rep, sec_status_bogus, sec_status_to_string(), reply_info::security, VERB_ALGO, and verbose().

Referenced by val_operate().

◆ generate_request()

static int generate_request ( struct module_qstate qstate,
int  id,
uint8_t *  name,
size_t  namelen,
uint16_t  qtype,
uint16_t  qclass,
uint16_t  flags,
struct module_qstate **  newq,
int  detached 
)
static

Generate a request for DNS data.

Parameters
qstatequery state that is the parent.
idmodule id.
namewhat name to query for.
namelenlength of name.
qtypequery type.
qclassquery class.
flagsadditional flags, such as the CD bit (BIT_CD), or 0.
newqIf the subquery is newly created, it is returned, otherwise NULL is returned
detachedtrue if this qstate should not attach to the subquery
Returns
false on alloc failure.

References module_env::add_sub, module_env::attach_sub, BIT_RD, val_qstate::chain_blacklist, module_env::detect_cycle, module_qstate::env, module_qstate::ext_state, fptr_ok, fptr_whitelist_modenv_add_sub(), fptr_whitelist_modenv_attach_sub(), fptr_whitelist_modenv_detect_cycle(), log_err(), log_query_info(), module_qstate::minfo, module_wait_subquery, query_info::qname, sock_list_merge(), VERB_ALGO, and verbose().

Referenced by prime_trust_anchor(), and processFindKey().

◆ generate_keytag_query()

static int generate_keytag_query ( struct module_qstate qstate,
int  id,
struct trust_anchor ta 
)
static

Generate, send and detach key tag signaling query.

Parameters
qstatequery state.
idmodule id.
tatrust anchor, locked.
Returns
false on a processing error.

◆ sentinel_get_keytag()

static int sentinel_get_keytag ( char *  start,
uint16_t *  keytag 
)
static

Get keytag as uint16_t from string.

Parameters
startstart of string containing keytag
keytagpointer where to store the extracted keytag
Returns
: 1 if keytag was extracted, else 0.

References SENTINEL_KEYTAG_LEN.

◆ prime_trust_anchor()

static int prime_trust_anchor ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
struct trust_anchor toprime 
)
static

Prime trust anchor for use.

Generate and dispatch a priming query for the given trust anchor. The trust anchor can be DNSKEY or DS and does not have to be signed.

Parameters
qstatequery state.
vqvalidator query state.
idmodule id.
toprimewhat to prime.
Returns
false on a processing error.

References generate_request(), trust_anchor::name, and trust_anchor::namelen.

◆ validate_msg_signatures()

static int validate_msg_signatures ( struct module_qstate qstate,
struct val_qstate vq,
struct module_env env,
struct val_env ve,
struct reply_info chase_reply,
struct key_entry_key key_entry,
int *  suspend 
)
static

Validate if the ANSWER and AUTHORITY sections contain valid rrsets.

They must be validly signed with the given key. Tries to validate ADDITIONAL rrsets as well, but only to check them. Allows unsigned CNAME after a DNAME that expands the DNAME.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
qstatequery state.
vqvalidator query state.
envmodule env for verify.
vevalidator env for verify.
chase_replyanswer to validate.
key_entrythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.
Returns
false if any of the rrsets in the an or ns sections of the message fail to verify. The message is then set to bogus.

◆ detect_wrongly_truncated()

static int detect_wrongly_truncated ( struct reply_info rep)
static

Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral).

The positive response has a mangled authority section. Remove that authority section and the additional section.

Parameters
repreply
Returns
true if a wrongly truncated response.

References reply_info::an_numrrsets, lruhash_entry::data, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_secure, packed_rrset_key::type, VERB_ALGO, and verbose().

◆ remove_spurious_authority()

static void remove_spurious_authority ( struct reply_info chase_reply,
struct reply_info orig_reply 
)
static

For messages that are not referrals, if the chase reply contains an unsigned NS record in the authority section it could have been inserted by a (BIND) forwarder that thinks the zone is insecure, and that has an NS record without signatures in cache.

Remove the NS record since the reply does not hinge on that record (in the authority section), but do not remove it if it removes the last record from the answer+authority sections.

Parameters
chase_replythe chased reply, we have a key for this contents, so we should have signatures for these rrsets and not having signatures means it will be bogus.
orig_replyoriginal reply, remove NS from there as well because we cannot mark the NS record as DNSSEC valid because it is not validated by signatures.

References reply_info::an_numrrsets, lruhash_entry::data, packed_rrset_key::dname, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, log_rrset_key(), reply_info::ns_numrrsets, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_data::rrsig_count, packed_rrset_key::type, val_reply_remove_auth(), and VERB_ALGO.

◆ validate_positive_response()

static void validate_positive_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response.

The answer and authority RRsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References reply_info::an_numrrsets, packed_rrset_key::dname, log_nametypeclass(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, reply_info::security, packed_rrset_key::type, val_rrset_wildcard(), and VERB_QUERY.

◆ validate_nodata_response()

static void validate_nodata_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets.

This consists of making certain that the authority section NSEC/NSEC3s proves that the qname does exist and the qtype doesn't.

The answer and authority RRsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.

◆ validate_nameerror_response()

static void validate_nameerror_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
int *  rcode,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode.

This consists of making certain that the authority section NSEC proves that the qname doesn't exist and the covering wildcard also doesn't exist..

The answer and authority RRsets must have already been verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
rcodeadjusted RCODE, in case of RCODE/proof mismatch leniency.
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.

◆ validate_referral_response()

static void validate_referral_response ( struct reply_info chase_reply)
static

Given a referral response, validate rrsets and take least trusted rrset as the current validation status.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
chase_replyanswer to validate.

References lruhash_entry::data, ub_packed_rrset_key::entry, reply_info::rrset_count, reply_info::rrsets, sec_status_secure, sec_status_to_string(), reply_info::security, packed_rrset_data::security, VERB_ALGO, and verbose().

◆ validate_any_response()

static void validate_any_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers.

This does no checking that all types are present.

NOTE: it may be possible to get parent-side delegation point records here, which won't all be signed. Right now, this routine relies on the upstream iterative resolver to not return these responses – instead treating them as referrals.

NOTE: RFC 4035 is silent on this issue, so this may change upon clarification. Clarification draft -05 says to not check all types are present.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References LDNS_RR_TYPE_ANY, log_err(), query_info::qtype, sec_status_bogus, and reply_info::security.

◆ validate_cname_response()

static void validate_cname_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Validate CNAME response, or DNAME+CNAME.

This is just like a positive proof, except that this is about a DNAME+CNAME. Possible wildcard proof. Difference with positive proof is that this routine refuses wildcarded DNAMEs.

The answer and authority rrsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References reply_info::an_numrrsets, packed_rrset_key::dname, log_nametypeclass(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, reply_info::security, packed_rrset_key::type, val_rrset_wildcard(), and VERB_QUERY.

◆ validate_cname_noanswer_response()

static void validate_cname_noanswer_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
struct module_qstate qstate,
struct val_qstate vq,
int *  nsec3_calculations,
int *  suspend 
)
static

Validate CNAME NOANSWER response, no more data after a CNAME chain.

This can be a NODATA or a NAME ERROR case, but not both at the same time. We don't know because the rcode has been set to NOERROR by the CNAME.

The answer and authority rrsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
qstatequery state for the region.
vqvalidator state for the nsec3 cache table.
nsec3_calculationscurrent nsec3 hash calculations.
suspendreturned true if the task takes too long and needs to suspend to continue the effort later.

References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.

◆ processInit()

static int processInit ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Process init state for validator.

Process the INIT state. First tier responses start in the INIT state. This is where they are vetted for validation suitability, and the initial key search is done.

Currently, events the come through this routine will be either promoted to FINISHED/CNAME_RESP (no validation needed), FINDKEY (next step to validation), or will be (temporarily) retired and a new priming request event will be generated.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References val_env::max_restart, val_qstate::orig_msg, val_qstate::qchase, module_qstate::qinfo, module_qstate::query_flags, dns_msg::rep, val_qstate::restart_count, val_qstate::rrset_skip, val_classify_response(), val_error(), VERB_ALGO, and verbose().

Referenced by val_handle().

◆ processFindKey()

static int processFindKey ( struct module_qstate qstate,
struct val_qstate vq,
int  id 
)
static

Process the FINDKEY state.

Generally this just calculates the next name to query and either issues a DS or a DNSKEY query. It will check to see if the correct key has already been reached, in which case it will advance the event to the next state.

Parameters
qstatequery state.
vqvalidator query state.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References packed_rrset_key::dname, packed_rrset_key::dname_len, val_qstate::ds_rrset, generate_request(), val_qstate::key_entry, key_entry_isbad(), key_entry_isnull(), log_assert, log_query_info(), val_qstate::qchase, ub_packed_rrset_key::rk, and VERB_ALGO.

Referenced by val_handle().

◆ processValidate()

static int processValidate ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response.

Or, there are no keys available, in order to invalidate the response.

After validation, the status is recorded in the message and rrsets, and finished state is started.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References module_env::cfg, val_qstate::chase_reply, module_qstate::env, val_env::kcache, key_cache_insert(), val_qstate::key_entry, key_entry_isbad(), key_entry_isnull(), log_nametypeclass(), key_entry_key::name, module_env::rrset_cache, sec_status_insecure, reply_info::security, val_qstate::signer_name, val_qstate::state, val_error(), VAL_FINISHED_STATE, config_file::val_log_level, val_mark_insecure(), VERB_ALGO, VERB_DETAIL, and verbose().

Referenced by val_handle().

◆ processFinished()

static int processFinished ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

The Finished state.

The validation status (good or bad) has been determined.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References val_qstate::chase_reply, val_qstate::orig_msg, val_qstate::qchase, module_qstate::qinfo, module_qstate::query_flags, dns_msg::rep, val_qstate::rrset_skip, reply_info::security, and val_classify_response().

Referenced by val_handle().

◆ val_handle()

static void val_handle ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Handle validator state.

If a method returns true, the next state is started. If false, then processing will stop.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.

References log_warn(), processFindKey(), processFinished(), processInit(), processValidate(), val_qstate::state, VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, val_state_to_string(), VAL_VALIDATE_STATE, VERB_ALGO, and verbose().

◆ primeResponseToKE()

static struct key_entry_key* primeResponseToKE ( struct ub_packed_rrset_key dnskey_rrset,
struct trust_anchor ta,
struct module_qstate qstate,
int  id,
struct module_qstate sub_qstate 
)
static

Evaluate the response to a priming request.

Parameters
dnskey_rrsetDNSKEY rrset (can be NULL if none) in prime reply. (this rrset is allocated in the wrong region, not the qstate).
tatrust anchor.
qstateqstate that needs key.
idmodule id.
sub_qstatethe sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer.
Returns
new key entry or NULL on allocation failure. The key entry will either contain a validated DNSKEY rrset, or represent a Null key (query failed, but validation did not), or a Bad key (validation failed).

References module_qstate::env, module_env::modinfo, and sec_status_unchecked.

◆ ds_response_to_ke()

static int ds_response_to_ke ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct key_entry_key **  ke,
struct module_qstate sub_qstate 
)
static

In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry.

Parameters
qstatequery state that is validating and asked for a DS.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
kethe key entry to return. It returns is_bad if the DS response fails to validate, is_null if the DS response indicated an end to secure space, is_good if the DS validated. It returns ke=NULL if the DS response indicated that the request wasn't a delegation point.
sub_qstatethe sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. Can be NULL.
Returns
0 on success, 1 on servfail error (malloc failure), 2 on NSEC3 suspend.

References module_qstate::env, and module_env::modinfo.

Referenced by process_ds_response().

◆ process_dnskey_response()

static void process_dnskey_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct sock_list origin,
struct module_qstate sub_qstate 
)
static

Process DNSKEY response.

Called from inform_supers. Sets the key entry in the state. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.

Parameters
qstatequery state that is validating and asked for a DNSKEY.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
originthe origin of msg.
sub_qstatethe sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer.

References module_qstate::env, val_qstate::key_entry, and module_env::modinfo.

◆ process_prime_response()

static void process_prime_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct sock_list origin,
struct module_qstate sub_qstate 
)
static

Process prime response Sets the key entry in the state.

Parameters
qstatequery state that is validating and primed a trust anchor.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
originthe origin of msg.
sub_qstatethe sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer.

References anchor_find(), module_env::anchors, module_qstate::env, module_env::modinfo, val_qstate::qchase, query_info::qclass, val_qstate::state, val_qstate::trust_anchor_labs, val_qstate::trust_anchor_len, val_qstate::trust_anchor_name, VAL_INIT_STATE, and VAL_VALIDATE_STATE.

Referenced by val_inform_super().

◆ val_inform_super()

◆ val_get_mem()

size_t val_get_mem ( struct module_env env,
int  id 
)

Debug helper routine that assists worker in determining memory in use.

Parameters
envmodule environment
idmodule id.
Returns
memory in use in bytes.

Referenced by fptr_whitelist_mod_get_mem().

◆ val_get_funcblock()

struct module_func_block* val_get_funcblock ( void  )

Get the validator function block.

Returns
: function block with function pointers to validator methods.

References val_block.

Referenced by module_funcs_avail().

◆ val_state_to_string()

const char* val_state_to_string ( enum val_state  state)

Get validator state as a string.

Parameters
stateto convert
Returns
constant string that is printable.

References VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, and VAL_VALIDATE_STATE.

Referenced by val_handle().

Variable Documentation

◆ val_block

struct module_func_block val_block
static
Initial value:
= {
"validator",
}
void val_deinit(struct module_env *env, int id)
validator deinit
Definition: validator.c:225
void val_clear(struct module_qstate *qstate, int id)
validator cleanup query state
Definition: validator.c:3440
void val_operate(struct module_qstate *qstate, enum module_ev event, int id, struct outbound_entry *outbound)
validator operate on a query
Definition: validator.c:2625
int val_init(struct module_env *env, int id)
validator init
Definition: validator.c:189
size_t val_get_mem(struct module_env *env, int id)
Debug helper routine that assists worker in determining memory in use.
Definition: validator.c:3456
void val_inform_super(struct module_qstate *qstate, int id, struct module_qstate *super)
inform validator super.
Definition: validator.c:3391

The validator function block.

Referenced by val_get_funcblock().