This file contains a module that performs validation of DNS queries. More...
#include "config.h"#include <ctype.h>#include "validator/validator.h"#include "validator/val_anchor.h"#include "validator/val_kcache.h"#include "validator/val_kentry.h"#include "validator/val_utils.h"#include "validator/val_nsec.h"#include "validator/val_nsec3.h"#include "validator/val_neg.h"#include "validator/val_sigcrypt.h"#include "validator/autotrust.h"#include "services/cache/dns.h"#include "services/cache/rrset.h"#include "util/data/dname.h"#include "util/module.h"#include "util/log.h"#include "util/net_help.h"#include "util/regional.h"#include "util/config_file.h"#include "util/fptr_wlist.h"#include "sldns/rrdef.h"#include "sldns/wire2str.h"#include "sldns/str2wire.h"Macros | |
| #define | MAX_VALIDATE_AT_ONCE 8 |
| Max number of RRSIGs to validate at once, suspend query for later. | |
| #define | MAX_VALIDATION_SUSPENDS 16 |
| Max number of validation suspends allowed, error out otherwise. | |
| #define | MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5 |
Functions | |
| static void | process_ds_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin, int *suspend, struct module_qstate *sub_qstate) |
| Process DS response. More... | |
| static void | update_reason_bogus (struct reply_info *rep, sldns_ede_code reason_bogus) |
| static int | fill_nsec3_iter (struct val_env *ve, char *s, int c) |
| fill up nsec3 key iterations config entry | |
| static int | val_apply_cfg (struct module_env *env, struct val_env *val_env, struct config_file *cfg) |
| apply config settings to validator | |
| int | val_init (struct module_env *env, int id) |
| validator init | |
| void | val_deinit (struct module_env *env, int id) |
| validator deinit | |
| static struct val_qstate * | val_new_getmsg (struct module_qstate *qstate, struct val_qstate *vq) |
| fill in message structure | |
| static struct val_qstate * | val_new (struct module_qstate *qstate, int id) |
| allocate new validator query state | |
| static void | val_restart (struct val_qstate *vq) |
| reset validator query state for query restart | |
| static int | val_error (struct module_qstate *qstate, int id) |
| Exit validation with an error status. More... | |
| static int | needs_validation (struct module_qstate *qstate, int ret_rc, struct dns_msg *ret_msg) |
| Check to see if a given response needs to go through the validation process. More... | |
| static int | already_validated (struct dns_msg *ret_msg) |
| Check to see if the response has already been validated. More... | |
| static int | generate_request (struct module_qstate *qstate, int id, uint8_t *name, size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags, struct module_qstate **newq, int detached) |
| Generate a request for DNS data. More... | |
| static int | generate_keytag_query (struct module_qstate *qstate, int id, struct trust_anchor *ta) |
| Generate, send and detach key tag signaling query. More... | |
| static int | sentinel_get_keytag (char *start, uint16_t *keytag) |
| Get keytag as uint16_t from string. More... | |
| static int | prime_trust_anchor (struct module_qstate *qstate, struct val_qstate *vq, int id, struct trust_anchor *toprime) |
| Prime trust anchor for use. More... | |
| static int | validate_msg_signatures (struct module_qstate *qstate, struct val_qstate *vq, struct module_env *env, struct val_env *ve, struct reply_info *chase_reply, struct key_entry_key *key_entry, int *suspend) |
| Validate if the ANSWER and AUTHORITY sections contain valid rrsets. More... | |
| void | validate_suspend_timer_cb (void *arg) |
| Timer callback for msg signatures continue timer. | |
| static int | validate_suspend_setup_timer (struct module_qstate *qstate, struct val_qstate *vq, int id, enum val_state resume_state) |
| Setup timer to continue validation of msg signatures later. | |
| static int | detect_wrongly_truncated (struct reply_info *rep) |
| Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral). More... | |
| static void | remove_spurious_authority (struct reply_info *chase_reply, struct reply_info *orig_reply) |
| For messages that are not referrals, if the chase reply contains an unsigned NS record in the authority section it could have been inserted by a (BIND) forwarder that thinks the zone is insecure, and that has an NS record without signatures in cache. More... | |
| static void | validate_positive_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response. More... | |
| static void | validate_nodata_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets. More... | |
| static void | validate_nameerror_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, int *rcode, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode. More... | |
| static void | validate_referral_response (struct reply_info *chase_reply) |
| Given a referral response, validate rrsets and take least trusted rrset as the current validation status. More... | |
| static void | validate_any_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers. More... | |
| static void | validate_cname_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Validate CNAME response, or DNAME+CNAME. More... | |
| static void | validate_cname_noanswer_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, struct module_qstate *qstate, struct val_qstate *vq, int *nsec3_calculations, int *suspend) |
| Validate CNAME NOANSWER response, no more data after a CNAME chain. More... | |
| static int | processInit (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id) |
| Process init state for validator. More... | |
| static int | processFindKey (struct module_qstate *qstate, struct val_qstate *vq, int id) |
| Process the FINDKEY state. More... | |
| static int | processValidate (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id) |
| Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response. More... | |
| static int | processFinished (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id) |
| The Finished state. More... | |
| static void | val_handle (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id) |
| Handle validator state. More... | |
| void | val_operate (struct module_qstate *qstate, enum module_ev event, int id, struct outbound_entry *outbound) |
| validator operate on a query | |
| static struct key_entry_key * | primeResponseToKE (struct ub_packed_rrset_key *dnskey_rrset, struct trust_anchor *ta, struct module_qstate *qstate, int id, struct module_qstate *sub_qstate) |
| Evaluate the response to a priming request. More... | |
| static int | ds_response_to_ke (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct key_entry_key **ke, struct module_qstate *sub_qstate) |
| In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry. More... | |
| static void | process_dnskey_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin, struct module_qstate *sub_qstate) |
| Process DNSKEY response. More... | |
| static void | process_prime_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct sock_list *origin, struct module_qstate *sub_qstate) |
| Process prime response Sets the key entry in the state. More... | |
| void | val_inform_super (struct module_qstate *qstate, int id, struct module_qstate *super) |
| inform validator super. More... | |
| void | val_clear (struct module_qstate *qstate, int id) |
| validator cleanup query state | |
| size_t | val_get_mem (struct module_env *env, int id) |
| Debug helper routine that assists worker in determining memory in use. More... | |
| struct module_func_block * | val_get_funcblock (void) |
| Get the validator function block. More... | |
| const char * | val_state_to_string (enum val_state state) |
| Get validator state as a string. More... | |
Variables | |
| static struct module_func_block | val_block |
| The validator function block. More... | |
This file contains a module that performs validation of DNS queries.
According to RFC 4034.
|
static |
Process DS response.
Called from inform_supers. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.
| qstate | query state that is validating and asked for a DS. |
| vq | validator query state |
| id | module id. |
| rcode | rcode result value. |
| msg | result message (if rcode is OK). |
| qinfo | from the sub query state, query info. |
| origin | the origin of msg. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
| sub_qstate | the sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. Can be NULL. |
References val_qstate::chain_blacklist, val_qstate::chase_reply, ds_response_to_ke(), val_qstate::ds_rrset, val_qstate::empty_DS_len, val_qstate::empty_DS_name, module_qstate::env, module_qstate::errinf, errinf_dname(), errinf_origin(), val_qstate::key_entry, key_entry_get_rrset(), key_entry_isbad(), key_entry_isgood(), log_err(), val_env::max_restart, module_env::modinfo, query_info::qname, query_info::qname_len, module_qstate::region, regional_alloc_init(), val_qstate::restart_count, module_qstate::rpz_applied, sec_status_insecure, reply_info::security, val_qstate::state, val_blacklist(), VAL_FINISHED_STATE, VAL_VALIDATE_STATE, VERB_ALGO, and verbose().
Referenced by val_inform_super().
|
static |
Exit validation with an error status.
| qstate | query state |
| id | validator id. |
References module_qstate::ext_state, module_error, and module_qstate::return_rcode.
Referenced by processInit(), and processValidate().
|
static |
Check to see if a given response needs to go through the validation process.
Typical reasons for this routine to return false are: CD bit was on in the original request, or the response is a kind of message that is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
| qstate | query state. |
| ret_rc | rcode for this message (if noerror - examine ret_msg). |
| ret_msg | return msg, can be NULL; look at rcode instead. |
References module_qstate::is_valrec, VERB_ALGO, and verbose().
Referenced by val_operate().
|
static |
Check to see if the response has already been validated.
| ret_msg | return msg, can be NULL |
References dns_msg::rep, sec_status_bogus, sec_status_to_string(), reply_info::security, VERB_ALGO, and verbose().
Referenced by val_operate().
|
static |
Generate a request for DNS data.
| qstate | query state that is the parent. |
| id | module id. |
| name | what name to query for. |
| namelen | length of name. |
| qtype | query type. |
| qclass | query class. |
| flags | additional flags, such as the CD bit (BIT_CD), or 0. |
| newq | If the subquery is newly created, it is returned, otherwise NULL is returned |
| detached | true if this qstate should not attach to the subquery |
References module_env::add_sub, module_env::attach_sub, BIT_RD, val_qstate::chain_blacklist, module_env::detect_cycle, module_qstate::env, module_qstate::ext_state, fptr_ok, fptr_whitelist_modenv_add_sub(), fptr_whitelist_modenv_attach_sub(), fptr_whitelist_modenv_detect_cycle(), log_err(), log_query_info(), module_qstate::minfo, module_wait_subquery, query_info::qname, sock_list_merge(), VERB_ALGO, and verbose().
Referenced by prime_trust_anchor(), and processFindKey().
|
static |
Generate, send and detach key tag signaling query.
| qstate | query state. |
| id | module id. |
| ta | trust anchor, locked. |
|
static |
Get keytag as uint16_t from string.
| start | start of string containing keytag |
| keytag | pointer where to store the extracted keytag |
References SENTINEL_KEYTAG_LEN.
|
static |
Prime trust anchor for use.
Generate and dispatch a priming query for the given trust anchor. The trust anchor can be DNSKEY or DS and does not have to be signed.
| qstate | query state. |
| vq | validator query state. |
| id | module id. |
| toprime | what to prime. |
References generate_request(), trust_anchor::name, and trust_anchor::namelen.
|
static |
Validate if the ANSWER and AUTHORITY sections contain valid rrsets.
They must be validly signed with the given key. Tries to validate ADDITIONAL rrsets as well, but only to check them. Allows unsigned CNAME after a DNAME that expands the DNAME.
Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.
| qstate | query state. |
| vq | validator query state. |
| env | module env for verify. |
| ve | validator env for verify. |
| chase_reply | answer to validate. |
| key_entry | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
|
static |
Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral).
The positive response has a mangled authority section. Remove that authority section and the additional section.
| rep | reply |
References reply_info::an_numrrsets, lruhash_entry::data, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_secure, packed_rrset_key::type, VERB_ALGO, and verbose().
|
static |
For messages that are not referrals, if the chase reply contains an unsigned NS record in the authority section it could have been inserted by a (BIND) forwarder that thinks the zone is insecure, and that has an NS record without signatures in cache.
Remove the NS record since the reply does not hinge on that record (in the authority section), but do not remove it if it removes the last record from the answer+authority sections.
| chase_reply | the chased reply, we have a key for this contents, so we should have signatures for these rrsets and not having signatures means it will be bogus. |
| orig_reply | original reply, remove NS from there as well because we cannot mark the NS record as DNSSEC valid because it is not validated by signatures. |
References reply_info::an_numrrsets, lruhash_entry::data, packed_rrset_key::dname, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, log_rrset_key(), reply_info::ns_numrrsets, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_data::rrsig_count, packed_rrset_key::type, val_reply_remove_auth(), and VERB_ALGO.
|
static |
Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response.
The answer and authority RRsets must already be verified as secure.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References reply_info::an_numrrsets, packed_rrset_key::dname, log_nametypeclass(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, reply_info::security, packed_rrset_key::type, val_rrset_wildcard(), and VERB_QUERY.
|
static |
Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets.
This consists of making certain that the authority section NSEC/NSEC3s proves that the qname does exist and the qtype doesn't.
The answer and authority RRsets must already be verified as secure.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.
|
static |
Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode.
This consists of making certain that the authority section NSEC proves that the qname doesn't exist and the covering wildcard also doesn't exist..
The answer and authority RRsets must have already been verified as secure.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| rcode | adjusted RCODE, in case of RCODE/proof mismatch leniency. |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.
|
static |
Given a referral response, validate rrsets and take least trusted rrset as the current validation status.
Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.
| chase_reply | answer to validate. |
References lruhash_entry::data, ub_packed_rrset_key::entry, reply_info::rrset_count, reply_info::rrsets, sec_status_secure, sec_status_to_string(), reply_info::security, packed_rrset_data::security, VERB_ALGO, and verbose().
|
static |
Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers.
This does no checking that all types are present.
NOTE: it may be possible to get parent-side delegation point records here, which won't all be signed. Right now, this routine relies on the upstream iterative resolver to not return these responses – instead treating them as referrals.
NOTE: RFC 4035 is silent on this issue, so this may change upon clarification. Clarification draft -05 says to not check all types are present.
Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References LDNS_RR_TYPE_ANY, log_err(), query_info::qtype, sec_status_bogus, and reply_info::security.
|
static |
Validate CNAME response, or DNAME+CNAME.
This is just like a positive proof, except that this is about a DNAME+CNAME. Possible wildcard proof. Difference with positive proof is that this routine refuses wildcarded DNAMEs.
The answer and authority rrsets must already be verified as secure.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References reply_info::an_numrrsets, packed_rrset_key::dname, log_nametypeclass(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, reply_info::security, packed_rrset_key::type, val_rrset_wildcard(), and VERB_QUERY.
|
static |
Validate CNAME NOANSWER response, no more data after a CNAME chain.
This can be a NODATA or a NAME ERROR case, but not both at the same time. We don't know because the rcode has been set to NOERROR by the CNAME.
The answer and authority rrsets must already be verified as secure.
| env | module env for verify. |
| ve | validator env for verify. |
| qchase | query that was made. |
| chase_reply | answer to that query to validate. |
| kkey | the key entry, which is trusted, and which matches the signer of the answer. The key entry isgood(). |
| qstate | query state for the region. |
| vq | validator state for the nsec3 cache table. |
| nsec3_calculations | current nsec3 hash calculations. |
| suspend | returned true if the task takes too long and needs to suspend to continue the effort later. |
References reply_info::an_numrrsets, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.
|
static |
Process init state for validator.
Process the INIT state. First tier responses start in the INIT state. This is where they are vetted for validation suitability, and the initial key search is done.
Currently, events the come through this routine will be either promoted to FINISHED/CNAME_RESP (no validation needed), FINDKEY (next step to validation), or will be (temporarily) retired and a new priming request event will be generated.
| qstate | query state. |
| vq | validator query state. |
| ve | validator shared global environment. |
| id | module id. |
References val_env::max_restart, val_qstate::orig_msg, val_qstate::qchase, module_qstate::qinfo, module_qstate::query_flags, dns_msg::rep, val_qstate::restart_count, val_qstate::rrset_skip, val_classify_response(), val_error(), VERB_ALGO, and verbose().
Referenced by val_handle().
|
static |
Process the FINDKEY state.
Generally this just calculates the next name to query and either issues a DS or a DNSKEY query. It will check to see if the correct key has already been reached, in which case it will advance the event to the next state.
| qstate | query state. |
| vq | validator query state. |
| id | module id. |
References packed_rrset_key::dname, packed_rrset_key::dname_len, val_qstate::ds_rrset, generate_request(), val_qstate::key_entry, key_entry_isbad(), key_entry_isnull(), log_assert, log_query_info(), val_qstate::qchase, ub_packed_rrset_key::rk, and VERB_ALGO.
Referenced by val_handle().
|
static |
Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response.
Or, there are no keys available, in order to invalidate the response.
After validation, the status is recorded in the message and rrsets, and finished state is started.
| qstate | query state. |
| vq | validator query state. |
| ve | validator shared global environment. |
| id | module id. |
References module_env::cfg, val_qstate::chase_reply, module_qstate::env, val_env::kcache, key_cache_insert(), val_qstate::key_entry, key_entry_isbad(), key_entry_isnull(), log_nametypeclass(), key_entry_key::name, module_env::rrset_cache, sec_status_insecure, reply_info::security, val_qstate::signer_name, val_qstate::state, val_error(), VAL_FINISHED_STATE, config_file::val_log_level, val_mark_insecure(), VERB_ALGO, VERB_DETAIL, and verbose().
Referenced by val_handle().
|
static |
The Finished state.
The validation status (good or bad) has been determined.
| qstate | query state. |
| vq | validator query state. |
| ve | validator shared global environment. |
| id | module id. |
References val_qstate::chase_reply, val_qstate::orig_msg, val_qstate::qchase, module_qstate::qinfo, module_qstate::query_flags, dns_msg::rep, val_qstate::rrset_skip, reply_info::security, and val_classify_response().
Referenced by val_handle().
|
static |
Handle validator state.
If a method returns true, the next state is started. If false, then processing will stop.
| qstate | query state. |
| vq | validator query state. |
| ve | validator shared global environment. |
| id | module id. |
References log_warn(), processFindKey(), processFinished(), processInit(), processValidate(), val_qstate::state, VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, val_state_to_string(), VAL_VALIDATE_STATE, VERB_ALGO, and verbose().
|
static |
Evaluate the response to a priming request.
| dnskey_rrset | DNSKEY rrset (can be NULL if none) in prime reply. (this rrset is allocated in the wrong region, not the qstate). |
| ta | trust anchor. |
| qstate | qstate that needs key. |
| id | module id. |
| sub_qstate | the sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. |
References module_qstate::env, module_env::modinfo, and sec_status_unchecked.
|
static |
In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry.
| qstate | query state that is validating and asked for a DS. |
| vq | validator query state |
| id | module id. |
| rcode | rcode result value. |
| msg | result message (if rcode is OK). |
| qinfo | from the sub query state, query info. |
| ke | the key entry to return. It returns is_bad if the DS response fails to validate, is_null if the DS response indicated an end to secure space, is_good if the DS validated. It returns ke=NULL if the DS response indicated that the request wasn't a delegation point. |
| sub_qstate | the sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. Can be NULL. |
References module_qstate::env, and module_env::modinfo.
Referenced by process_ds_response().
|
static |
Process DNSKEY response.
Called from inform_supers. Sets the key entry in the state. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.
| qstate | query state that is validating and asked for a DNSKEY. |
| vq | validator query state |
| id | module id. |
| rcode | rcode result value. |
| msg | result message (if rcode is OK). |
| qinfo | from the sub query state, query info. |
| origin | the origin of msg. |
| sub_qstate | the sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. |
References module_qstate::env, val_qstate::key_entry, and module_env::modinfo.
|
static |
Process prime response Sets the key entry in the state.
| qstate | query state that is validating and primed a trust anchor. |
| vq | validator query state |
| id | module id. |
| rcode | rcode result value. |
| msg | result message (if rcode is OK). |
| origin | the origin of msg. |
| sub_qstate | the sub query state, that is the lookup that fetched the trust anchor data, it contains error information for the answer. |
References anchor_find(), module_env::anchors, module_qstate::env, module_env::modinfo, val_qstate::qchase, query_info::qclass, val_qstate::state, val_qstate::trust_anchor_labs, val_qstate::trust_anchor_len, val_qstate::trust_anchor_name, VAL_INIT_STATE, and VAL_VALIDATE_STATE.
Referenced by val_inform_super().
| void val_inform_super | ( | struct module_qstate * | qstate, |
| int | id, | ||
| struct module_qstate * | super | ||
| ) |
inform validator super.
| qstate | query state that finished. |
| id | module id. |
| super | the qstate to inform. |
References dns_msg_deepcopy_region(), LDNS_RR_TYPE_DS, log_query_info(), module_qstate::minfo, val_qstate::nsec3_cache_table, process_ds_response(), process_prime_response(), module_qstate::qinfo, query_info::qtype, module_qstate::region, module_qstate::reply_origin, module_qstate::return_msg, module_qstate::return_rcode, val_qstate::sub_ds_msg, VERB_ALGO, verbose(), and val_qstate::wait_prime_ta.
Referenced by fptr_whitelist_mod_inform_super().
| size_t val_get_mem | ( | struct module_env * | env, |
| int | id | ||
| ) |
Debug helper routine that assists worker in determining memory in use.
| env | module environment |
| id | module id. |
Referenced by fptr_whitelist_mod_get_mem().
| struct module_func_block* val_get_funcblock | ( | void | ) |
Get the validator function block.
References val_block.
Referenced by module_funcs_avail().
| const char* val_state_to_string | ( | enum val_state | state | ) |
Get validator state as a string.
| state | to convert |
References VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, and VAL_VALIDATE_STATE.
Referenced by val_handle().
|
static |
The validator function block.
Referenced by val_get_funcblock().