contrib/ldns/drill/securetrace.c
Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines | do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t, | ||||
/* dnssec */ | /* dnssec */ | ||||
ldns_rr_list *key_list; | ldns_rr_list *key_list; | ||||
ldns_rr_list *key_sig_list; | ldns_rr_list *key_sig_list; | ||||
ldns_rr_list *ds_list; | ldns_rr_list *ds_list; | ||||
ldns_rr_list *ds_sig_list; | ldns_rr_list *ds_sig_list; | ||||
ldns_rr_list *correct_key_list; | ldns_rr_list *correct_key_list; | ||||
ldns_rr_list *trusted_ds_rrs; | ldns_rr_list *trusted_ds_rrs; | ||||
bool new_keys_trusted = false; | bool new_keys_trusted = false; | ||||
ldns_rr_list *current_correct_keys; | ldns_rr_list *current_correct_keys = NULL; | ||||
ldns_rr_list *dataset; | ldns_rr_list *dataset; | ||||
ldns_rr_list *nsec_rrs = NULL; | ldns_rr_list *nsec_rrs = NULL; | ||||
ldns_rr_list *nsec_rr_sigs = NULL; | ldns_rr_list *nsec_rr_sigs = NULL; | ||||
/* empty non-terminal check */ | /* empty non-terminal check */ | ||||
bool ent; | bool ent; | ||||
ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */ | ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */ | ||||
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines | if (ldns_dname_is_subdomain(name, start_name)) { | ||||
fprintf(stderr, "Error; "); | fprintf(stderr, "Error; "); | ||||
ldns_rdf_print(stderr, name); | ldns_rdf_print(stderr, name); | ||||
fprintf(stderr, " is not a subdomain of "); | fprintf(stderr, " is not a subdomain of "); | ||||
ldns_rdf_print(stderr, start_name); | ldns_rdf_print(stderr, start_name); | ||||
fprintf(stderr, "\n"); | fprintf(stderr, "\n"); | ||||
goto done; | goto done; | ||||
} | } | ||||
} | } | ||||
labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2); | labels = LDNS_CALLOC(ldns_rdf*, labels_count + 2); | ||||
if (!labels) { | if (!labels) { | ||||
goto done; | goto done; | ||||
} | } | ||||
labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); | labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR); | ||||
labels[1] = ldns_rdf_clone(name); | labels[1] = ldns_rdf_clone(name); | ||||
for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { | for(i = 2 ; i < (ssize_t)labels_count + 2; i++) { | ||||
labels[i] = ldns_dname_left_chop(labels[i - 1]); | labels[i] = ldns_dname_left_chop(labels[i - 1]); | ||||
} | } | ||||
/* get the nameserver for the label | /* get the nameserver for the label | ||||
* ask: dnskey and ds for the label | * ask: dnskey and ds for the label | ||||
*/ | */ | ||||
for(i = (ssize_t)labels_count + 1; i > 0; i--) { | for(i = (ssize_t)labels_count + 1; i > 0; i--) { | ||||
status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); | status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0); | ||||
if (status != LDNS_STATUS_OK) { | |||||
fprintf(stderr, "Error sending query: %s\n", ldns_get_errorstr_by_id(status)); | |||||
result = status; | |||||
goto done; | |||||
} | |||||
/* TODO: handle status */ | |||||
if (verbosity >= 5) { | if (verbosity >= 5) { | ||||
ldns_pkt_print(stdout, local_p); | ldns_pkt_print(stdout, local_p); | ||||
} | } | ||||
new_nss = ldns_pkt_rr_list_by_type(local_p, | new_nss = ldns_pkt_rr_list_by_type(local_p, | ||||
LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); | LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); | ||||
if (!new_nss) { | if (!new_nss) { | ||||
/* if it's a delegation, servers put them in the auth section */ | /* if it's a delegation, servers put them in the auth section */ | ||||
▲ Show 20 Lines • Show All 224 Lines • ▼ Show 20 Lines | */ printf("NS: %s\n", ldns_get_errorstr_by_id(st)); | ||||
ldns_rr_list_deep_free(key_sig_list); | ldns_rr_list_deep_free(key_sig_list); | ||||
key_sig_list = NULL; | key_sig_list = NULL; | ||||
/* check the DS records for the next child domain */ | /* check the DS records for the next child domain */ | ||||
if (i > 1) { | if (i > 1) { | ||||
p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); | p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS); | ||||
(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); | (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list); | ||||
if (!ds_list) { | if (!ds_list) { | ||||
ldns_rr_list_deep_free(ds_sig_list); | |||||
(void) get_dnssec_rr( p, labels[i-1] | |||||
, LDNS_RR_TYPE_CNAME | |||||
, &ds_list, &ds_sig_list); | |||||
if (ds_list) { | |||||
st = ldns_verify( ds_list, ds_sig_list | |||||
, correct_key_list | |||||
, current_correct_keys); | |||||
if (st == LDNS_STATUS_OK) { | |||||
printf(";; No DS record found " | |||||
"for "); | |||||
ldns_rdf_print(stdout, | |||||
labels[i-1]); | |||||
printf(", but valid CNAME"); | |||||
} else { | |||||
printf(BOGUS " Unable to verify " | |||||
"denial of existence for "); | |||||
ldns_rdf_print(stdout, | |||||
labels[i-1]); | |||||
printf(", because of BOGUS CNAME"); | |||||
} | |||||
printf("\n"); | |||||
ldns_rr_list_deep_free(ds_sig_list); | |||||
ldns_pkt_free(p); | ldns_pkt_free(p); | ||||
if (ds_sig_list) { | ldns_rr_list_deep_free(ds_list); | ||||
ds_list = NULL; | |||||
ds_sig_list = NULL; | |||||
p = NULL; | |||||
} else { | |||||
ldns_rr_list_deep_free(ds_sig_list); | ldns_rr_list_deep_free(ds_sig_list); | ||||
ldns_pkt_free(p); | |||||
p = get_dnssec_pkt(res, name, | |||||
LDNS_RR_TYPE_DNSKEY); | |||||
(void) get_ds(p, NULL | |||||
, &ds_list, &ds_sig_list); | |||||
} | } | ||||
p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY); | |||||
(void) get_ds(p, NULL, &ds_list, &ds_sig_list); | |||||
} | } | ||||
if (ds_sig_list) { | if (ds_sig_list) { | ||||
if (ds_list) { | if (ds_list) { | ||||
if (verbosity >= 4) { | if (verbosity >= 4) { | ||||
printf("VERIFYING:\n"); | printf("VERIFYING:\n"); | ||||
printf("DS LIST:\n"); | printf("DS LIST:\n"); | ||||
ldns_rr_list_print(stdout, ds_list); | ldns_rr_list_print(stdout, ds_list); | ||||
printf("SIGS:\n"); | printf("SIGS:\n"); | ||||
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines | if (i > 1) { | ||||
} | } | ||||
} else { | } else { | ||||
if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { | if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) { | ||||
printf(";; No DS for "); | printf(";; No DS for "); | ||||
ldns_rdf_print(stdout, labels[i - 1]); | ldns_rdf_print(stdout, labels[i - 1]); | ||||
} else { | } else { | ||||
printf("[B] Unable to verify denial of existence for "); | printf(BOGUS " Unable to verify denial of existence for "); | ||||
ldns_rdf_print(stdout, labels[i - 1]); | ldns_rdf_print(stdout, labels[i - 1]); | ||||
printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); | printf(" DS: %s\n", ldns_get_errorstr_by_id(status)); | ||||
} | } | ||||
} | } | ||||
if (verbosity >= 2) { | if (verbosity >= 2) { | ||||
printf(";; No ds record for delegation\n"); | printf(";; No ds record for delegation\n"); | ||||
} | } | ||||
} | } | ||||
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines | */ | ||||
printf(" type "); | printf(" type "); | ||||
if (descriptor && descriptor->_name) { | if (descriptor && descriptor->_name) { | ||||
printf("%s", descriptor->_name); | printf("%s", descriptor->_name); | ||||
} else { | } else { | ||||
printf("TYPE%u", t); | printf("TYPE%u", t); | ||||
} | } | ||||
printf("\n"); | printf("\n"); | ||||
} else { | } else { | ||||
printf("[B] Unable to verify denial of existence for "); | printf(BOGUS " Unable to verify denial of existence for "); | ||||
ldns_rdf_print(stdout, name); | ldns_rdf_print(stdout, name); | ||||
printf(" type "); | printf(" type "); | ||||
if (descriptor && descriptor->_name) { | if (descriptor && descriptor->_name) { | ||||
printf("%s", descriptor->_name); | printf("%s", descriptor->_name); | ||||
} else { | } else { | ||||
printf("TYPE%u", t); | printf("TYPE%u", t); | ||||
} | } | ||||
printf("\n"); | printf("\n"); | ||||
Show All 9 Lines | */ | ||||
ldns_rr_list_deep_free(key_list); | ldns_rr_list_deep_free(key_list); | ||||
key_list = NULL; | key_list = NULL; | ||||
ldns_rr_list_deep_free(key_sig_list); | ldns_rr_list_deep_free(key_sig_list); | ||||
key_sig_list = NULL; | key_sig_list = NULL; | ||||
ds_list = NULL; | ds_list = NULL; | ||||
ldns_rr_list_deep_free(ds_sig_list); | ldns_rr_list_deep_free(ds_sig_list); | ||||
ds_sig_list = NULL; | ds_sig_list = NULL; | ||||
} | } | ||||
printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n"); | printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n"); | ||||
/* verbose mode? | /* verbose mode? | ||||
printf("Trusted keys:\n"); | printf("Trusted keys:\n"); | ||||
ldns_rr_list_print(stdout, trusted_keys); | ldns_rr_list_print(stdout, trusted_keys); | ||||
printf("trusted dss:\n"); | printf("trusted dss:\n"); | ||||
ldns_rr_list_print(stdout, trusted_ds_rrs); | ldns_rr_list_print(stdout, trusted_ds_rrs); | ||||
*/ | */ | ||||
done: | done: | ||||
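Review bot: The switch to `LDNS_CALLOC` at L31 makes a partially filled `labels` array safe to release, but the two entries that seed it are still unchecked: `ldns_dname_new_frm_str` at L35 and `ldns_rdf_clone` at L36 can both return NULL, and the chop loop at L38 then derives every remaining slot from a NULL, so a NULL ends up as the query name handed to `ldns_resolver_send` at L44 unless the resolver rejects it. A guard mirroring the existing allocation check would close that, e.g. after L36: `if (!labels[0] || !labels[1]) { goto done; }`, with the zero-filled slots presumably left for the cleanup at `done:` (which lies outside this view). Separately, the rendering does not show which column the `status != LDNS_STATUS_OK` check at L45–L49 sits in; please confirm it is present on the new side, because `local_p` is passed straight to `ldns_pkt_print` (L52) and `ldns_pkt_rr_list_by_type` (L54) with no other guard visible. do_secure_trace begins before L6 and continues past L162.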