From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Wed, 7 Jan 2015 21:55:43 +0000 Subject: DNSSEC: do top-down search for limit of secure delegation. --- CHANGELOG | 9 ++ src/dnsmasq.h | 11 +- src/dnssec.c | 91 +++++++++------- src/forward.c | 327 +++++++++++++++++++++++++++++++++------------------------- 4 files changed, 260 insertions(+), 178 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 2b6356b..e8bf80f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -31,7 +31,16 @@ version 2.73 request for certain domains, before the correct answer can arrive. Thanks to Glen Huang for the patch. + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. + version 2.72 Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 7bc982d..2f45972 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -569,8 +569,9 @@ struct hostsfile { #define STAT_SECURE_WILDCARD 7 #define STAT_NO_SIG 8 #define STAT_NO_DS 9 -#define STAT_NEED_DS_NEG 10 -#define STAT_CHASE_CNAME 11 +#define STAT_NO_NS 10 +#define STAT_NEED_DS_NEG 11 +#define STAT_CHASE_CNAME 12 #define FREC_NOREBIND 1 #define FREC_CHECKING_DISABLED 2 @@ -604,7 +605,9 @@ struct frec { #ifdef HAVE_DNSSEC int class, work_counter; struct blockdata *stash; /* Saved reply, whilst we validate */ - size_t stash_len; + struct blockdata *orig_domain; /* domain of original query, whilst + we're seeing is if in unsigned domain */ + size_t stash_len, name_start, name_len; struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ struct frec *blocking_query; /* Query which is blocking us. */ #endif @@ -1126,7 +1129,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut); size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr); int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class); int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer); +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons); int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); size_t filter_rrsigs(struct dns_header *header, size_t plen); diff --git a/src/dnssec.c b/src/dnssec.c index 026794b..8f27677 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -875,8 +875,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in /* The DNS packet is expected to contain the answer to a DNSKEY query. Put all DNSKEYs in the answer which are valid into the cache. return codes: - STAT_INSECURE No DNSKEYs in reply. - STAT_SECURE At least one valid DNSKEY found and in cache. + STAT_SECURE At least one valid DNSKEY found and in cache. STAT_BOGUS No DNSKEYs found, which can be validated with DS, or self-sign for DNSKEY RRset is not valid, bad packet. STAT_NEED_DS DS records to validate a key not found, name in keyname @@ -896,11 +895,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch GETSHORT(qtype, p); GETSHORT(qclass, p); - if (qtype != T_DNSKEY || qclass != class) + if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0) return STAT_BOGUS; - - if (ntohs(header->ancount) == 0) - return STAT_INSECURE; /* See if we have cached a DS record which validates this key */ if (!(crecp = cache_find_by_name(NULL, name, now, F_DS))) @@ -1103,17 +1099,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch /* The DNS packet is expected to contain the answer to a DS query Put all DSs in the answer which are valid into the cache. return codes: - STAT_INSECURE no DS in reply or not signed. STAT_SECURE At least one valid DS found and in cache. STAT_NO_DS It's proved there's no DS here. - STAT_BOGUS At least one DS found, which fails validation, bad packet. + STAT_NO_NS It's proved there's no DS _or_ NS here. + STAT_BOGUS no DS in reply or not signed, fails validation, bad packet. STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname */ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) { unsigned char *p = (unsigned char *)(header+1); - int qtype, qclass, val, i, neganswer; + int qtype, qclass, val, i, neganswer, nons; if (ntohs(header->qdcount) != 1 || !(p = skip_name(p, header, plen, 4))) @@ -1125,32 +1121,39 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char if (qtype != T_DS || qclass != class) val = STAT_BOGUS; else - val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer); - - if (val == STAT_NO_SIG) - val = STAT_INSECURE; + val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons); + /* Note dnssec_validate_reply() will have cached positive answers */ + + if (val == STAT_NO_SIG || val == STAT_INSECURE) + val = STAT_BOGUS; p = (unsigned char *)(header+1); extract_name(header, plen, &p, name, 1, 4); p += 4; /* qtype, qclass */ if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) - return STAT_BOGUS; + val = STAT_BOGUS; if (val == STAT_BOGUS) - log_query(F_UPSTREAM, name, NULL, "BOGUS DS"); - - if ((val == STAT_SECURE || val == STAT_INSECURE) && neganswer) { - int rdlen, flags = F_FORWARD | F_DS | F_NEG; + log_query(F_UPSTREAM, name, NULL, "BOGUS DS"); + return STAT_BOGUS; + } + + /* By here, the answer is proved secure, and a positive answer has been cached. */ + if (val == STAT_SECURE && neganswer) + { + int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; unsigned long ttl, minttl = ULONG_MAX; struct all_addr a; if (RCODE(header) == NXDOMAIN) flags |= F_NXDOMAIN; - if (val == STAT_SECURE) - flags |= F_DNSSECOK; + /* We only cache validated DS records, DNSSECOK flag hijacked + to store presence/absence of NS. */ + if (nons) + flags &= ~F_DNSSECOK; for (i = ntohs(header->nscount); i != 0; i--) { @@ -1196,10 +1199,12 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char a.addr.dnssec.class = class; cache_insert(name, &a, now, ttl, flags); - cache_end_insert(); + cache_end_insert(); + + log_query(F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS"); } - return (val == STAT_SECURE) ? STAT_NO_DS : STAT_INSECURE; + return nons ? STAT_NO_NS : STAT_NO_DS; } return val; @@ -1323,12 +1328,15 @@ static int find_nsec_records(struct dns_header *header, size_t plen, unsigned ch } static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, - char *workspace1, char *workspace2, char *name, int type) + char *workspace1, char *workspace2, char *name, int type, int *nons) { int i, rc, rdlen; unsigned char *p, *psave; int offset = (type & 0xff) >> 3; int mask = 0x80 >> (type & 0x07); + + if (nons) + *nons = 0; /* Find NSEC record that proves name doesn't exist */ for (i = 0; i < nsec_count; i++) @@ -1355,6 +1363,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi rdlen -= p - psave; /* rdlen is now length of type map, and p points to it */ + /* If we can prove that there's no NS record, return that information. */ + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) + *nons = 1; + while (rdlen >= 2) { if (!CHECK_LEN(header, p, plen, rdlen)) @@ -1456,7 +1468,7 @@ static int base32_decode(char *in, unsigned char *out) } static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type, - char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count) + char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons) { int i, hash_len, salt_len, base32_len, rdlen; unsigned char *p, *psave; @@ -1497,6 +1509,10 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige if (!CHECK_LEN(header, p, plen, rdlen)) return 0; + /* If we can prove that there's no NS record, return that information. */ + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) + *nons = 1; + while (rdlen >= 2) { if (p[0] == type >> 8) @@ -1533,13 +1549,16 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige } static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, - char *workspace1, char *workspace2, char *name, int type, char *wildname) + char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons) { unsigned char *salt, *p, *digest; int digest_len, i, iterations, salt_len, base32_len, algo = 0; struct nettle_hash const *hash; char *closest_encloser, *next_closest, *wildcard; - + + if (nons) + *nons = 0; + /* Look though the NSEC3 records to find the first one with an algorithm we support (currently only algo == 1). @@ -1612,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) return STAT_BOGUS; - if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) + if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons)) return STAT_SECURE; /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3" @@ -1657,7 +1676,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0) return STAT_BOGUS; - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) return STAT_BOGUS; /* Finally, check that there's no seat of wildcard synthesis */ @@ -1672,7 +1691,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0) return STAT_BOGUS; - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) return STAT_BOGUS; } @@ -1681,7 +1700,8 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns /* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */ /* Returns are the same as validate_rrset, plus the class if the missing key is in *class */ -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer) +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, + int *class, int *neganswer, int *nons) { unsigned char *ans_start, *qname, *p1, *p2, **nsecs; int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype; @@ -1811,10 +1831,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch return STAT_BOGUS; /* No NSECs or bad packet */ if (nsec_type == T_NSEC) - rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1); + rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); else - rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, wildname); - + rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, + keyname, name, type1, wildname, NULL); + if (rc != STAT_SECURE) return rc; } @@ -1937,9 +1958,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch return STAT_BOGUS; if (nsec_type == T_NSEC) - return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype); + return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); else - return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL); + return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); } /* Chase the CNAME chain in the packet until the first record which _doesn't validate. diff --git a/src/forward.c b/src/forward.c index f28c7d5..ee8d7b5 100644 --- a/src/forward.c +++ b/src/forward.c @@ -26,8 +26,9 @@ static void free_frec(struct frec *f); #ifdef HAVE_DNSSEC static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, int class, char *name, char *keyname, struct server *server, int *keycount); -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname); +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, + char *name, char *keyname); #endif @@ -815,18 +816,22 @@ void reply_query(int fd, int family, time_t now) else if (forward->flags & FREC_DS_QUERY) { status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); - if (status == STAT_NO_DS) - status = STAT_INSECURE; + if (status == STAT_NO_DS || status == STAT_NO_NS) + status = STAT_BOGUS; } else if (forward->flags & FREC_CHECK_NOSIGN) - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + if (status != STAT_NEED_KEY) + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); + } else { - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL); + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); if (status == STAT_NO_SIG) { if (option_bool(OPT_DNSSEC_NO_SIGN)) - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname); + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); else status = STAT_INSECURE; } @@ -861,6 +866,7 @@ void reply_query(int fd, int family, time_t now) new->blocking_query = NULL; new->sentto = server; new->rfd4 = NULL; + new->orig_domain = NULL; #ifdef HAVE_IPV6 new->rfd6 = NULL; #endif @@ -889,7 +895,9 @@ void reply_query(int fd, int family, time_t now) new->new_id = get_id(); header->id = htons(new->new_id); /* Save query for retransmission */ - new->stash = blockdata_alloc((char *)header, nn); + if (!(new->stash = blockdata_alloc((char *)header, nn))) + return; + new->stash_len = nn; /* Don't resend this. */ @@ -946,18 +954,22 @@ void reply_query(int fd, int family, time_t now) else if (forward->flags & FREC_DS_QUERY) { status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); - if (status == STAT_NO_DS) - status = STAT_INSECURE; + if (status == STAT_NO_DS || status == STAT_NO_NS) + status = STAT_BOGUS; } else if (forward->flags & FREC_CHECK_NOSIGN) - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + if (status != STAT_NEED_KEY) + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); + } else { - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL); + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); if (status == STAT_NO_SIG) { if (option_bool(OPT_DNSSEC_NO_SIGN)) - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname); + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); else status = STAT_INSECURE; } @@ -1319,70 +1331,80 @@ void receive_query(struct listener *listen, time_t now) /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or STAT_NEED_DS_NEG and keyname if we need to do the query. */ -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname) +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, + char *name, char *keyname) { - struct crec *crecp; - char *name_start = name; int status = dnssec_chase_cname(now, header, plen, name, keyname); if (status != STAT_INSECURE) return status; + /* Store the domain we're trying to check. */ + forward->name_start = strlen(name); + forward->name_len = forward->name_start + 1; + if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len))) + return STAT_BOGUS; + + return do_check_sign(forward, 0, now, name, keyname); +} + +/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */ +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname) +{ + /* get domain we're checking back from blockdata store, it's stored on the original query. */ + while (forward->dependent) + forward = forward->dependent; + + blockdata_retrieve(forward->orig_domain, forward->name_len, name); + while (1) { - crecp = cache_find_by_name(NULL, name_start, now, F_DS); - - if (crecp && (crecp->flags & F_DNSSECOK)) - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS; - - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.'))) + char *p; + + if (status == 0) { - name_start++; /* chop a label off and try again */ - continue; + struct crec *crecp; + + /* Haven't received answer, see if in cache */ + if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS))) + { + /* put name of DS record we're missing into keyname */ + strcpy(keyname, &name[forward->name_start]); + /* and wait for reply to arrive */ + return STAT_NEED_DS_NEG; + } + + /* F_DNSSECOK misused in DS cache records to non-existance of NS record */ + if (!(crecp->flags & F_NEG)) + status = STAT_SECURE; + else if (crecp->flags & F_DNSSECOK) + status = STAT_NO_DS; + else + status = STAT_NO_NS; } + + /* Have entered non-signed part of DNS tree. */ + if (status == STAT_NO_DS) + return STAT_INSECURE; - /* Reached the root */ - if (!name_start) + if (status == STAT_BOGUS) return STAT_BOGUS; - strcpy(keyname, name_start); - return STAT_NEED_DS_NEG; - } -} - -/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */ -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) - -{ - char *name_start; - unsigned char *p; - int status; + /* There's a proven DS record, or we're within a zone, where there doesn't need + to be a DS record. Add a name and try again. + If we've already tried the whole name, then fail */ - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a - suitable NSEC reply to DS queries. */ - if (RCODE(header) != SERVFAIL) - { - status = dnssec_validate_ds(now, header, plen, name, keyname, class); + if (forward->name_start == 0) + return STAT_BOGUS; - if (status != STAT_INSECURE) - { - if (status == STAT_NO_DS) - status = STAT_INSECURE; - return status; - } - } - - p = (unsigned char *)(header+1); - - if (extract_name(header, plen, &p, name, 1, 4) && - (name_start = strchr(name, '.'))) - { - name_start++; /* chop a label off and try again */ - strcpy(keyname, name_start); - return STAT_NEED_DS_NEG; + for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--); + + if (p != name) + p++; + + forward->name_start = p - name; + status = 0; /* force to cache when we iterate. */ } - - return STAT_BOGUS; } /* Move toward the root, until we find a signed non-existance of a DS, in which case @@ -1395,8 +1417,10 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s unsigned char *packet, *payload; u16 *length; unsigned char *p = (unsigned char *)(header+1); - int status; - char *name_start = name; + int status, name_len; + struct blockdata *block; + + char *name_start; /* Get first insecure entry in CNAME chain */ status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount); @@ -1409,95 +1433,113 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s payload = &packet[2]; header = (struct dns_header *)payload; length = (u16 *)packet; + + /* Stash the name away, since the buffer will be trashed when we recurse */ + name_len = strlen(name) + 1; + name_start = name + name_len - 1; + if (!(block = blockdata_alloc(name, name_len))) + { + free(packet); + return STAT_BOGUS; + } + while (1) { - unsigned char *newhash, hash[HASH_SIZE]; unsigned char c1, c2; - struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS); - + struct crec *crecp; + if (--(*keycount) == 0) { free(packet); + blockdata_free(block); return STAT_BOGUS; } - - if (crecp && (crecp->flags & F_DNSSECOK)) - { - free(packet); - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS; - } - /* If we have cached insecurely that a DS doesn't exist, - ise that is a hit for where to start looking for the secure one */ - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.'))) - { - name_start++; /* chop a label off and try again */ - continue; - } - - /* reached the root */ - if (!name_start) - { - free(packet); - return STAT_BOGUS; + while (crecp = cache_find_by_name(NULL, name_start, now, F_DS)) + { + if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) + { + /* Found a secure denial of DS - delegation is indeed insecure */ + free(packet); + blockdata_free(block); + return STAT_INSECURE; + } + + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. + Add another label and continue. */ + + if (name_start == name) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ + } + + name_start -= 2; + while (*name_start != '.' && name_start != name) + name_start--; + if (name_start != name) + name_start++; } + + /* Can't find it in the cache, have to send a query */ m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr); - /* We rely on the question section coming back unchanged, ensure it is with the hash. */ - if ((newhash = hash_questions(header, (unsigned int)m, name))) - { - memcpy(hash, newhash, HASH_SIZE); + *length = htons(m); - *length = htons(m); + if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && + read_write(server->tcpfd, &c1, 1, 1) && + read_write(server->tcpfd, &c2, 1, 1) && + read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + { + m = (c1 << 8) | c2; + + /* Note this trashes all three name workspaces */ + status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); - if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && - read_write(server->tcpfd, &c1, 1, 1) && - read_write(server->tcpfd, &c2, 1, 1) && - read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + if (status == STAT_NO_DS) { - m = (c1 << 8) | c2; - - newhash = hash_questions(header, (unsigned int)m, name); - if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0) - { - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a - suitable NSEC reply to DS queries. */ - if (RCODE(header) == SERVFAIL) - status = STAT_INSECURE; - else - /* Note this trashes all three name workspaces */ - status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); - - /* We've found a DS which proves the bit of the DNS where the - original query is, is unsigned, so the answer is OK, - if unvalidated. */ - if (status == STAT_NO_DS) - { - free(packet); - return STAT_INSECURE; - } - - /* No DS, not got to DNSSEC-land yet, go up. */ - if (status == STAT_INSECURE) - { - p = (unsigned char *)(header+1); - - if (extract_name(header, plen, &p, name, 1, 4) && - (name_start = strchr(name, '.'))) - { - name_start++; /* chop a label off and try again */ - continue; - } - } - } + /* Found a secure denial of DS - delegation is indeed insecure */ + free(packet); + blockdata_free(block); + return STAT_INSECURE; + } + + if (status == STAT_BOGUS) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; + } + + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. + Add another label and continue. */ + + /* Get name we're checking back. */ + blockdata_retrieve(block, name_len, name); + + if (name_start == name) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ } + + name_start -= 2; + while (*name_start != '.' && name_start != name) + name_start--; + if (name_start != name) + name_start++; + } + else + { + /* IO failure */ + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ } - - free(packet); - - return STAT_BOGUS; } } @@ -1516,14 +1558,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) { new_status = dnssec_validate_ds(now, header, n, name, keyname, class); - if (status == STAT_NEED_DS && new_status == STAT_NO_DS) - new_status = STAT_INSECURE; + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS)) + new_status = STAT_BOGUS; } else if (status == STAT_CHASE_CNAME) new_status = dnssec_chase_cname(now, header, n, name, keyname); else { - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL); + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); if (new_status == STAT_NO_SIG) { @@ -1576,14 +1618,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) { new_status = dnssec_validate_ds(now, header, n, name, keyname, class); - if (status == STAT_NEED_DS && new_status == STAT_NO_DS) - new_status = STAT_INSECURE; /* Validated no DS */ + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS)) + new_status = STAT_BOGUS; /* Validated no DS */ } else if (status == STAT_CHASE_CNAME) new_status = dnssec_chase_cname(now, header, n, name, keyname); else { - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL); + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); if (new_status == STAT_NO_SIG) { @@ -1961,6 +2003,7 @@ static struct frec *allocate_frec(time_t now) f->dependent = NULL; f->blocking_query = NULL; f->stash = NULL; + f->orig_domain = NULL; #endif daemon->frec_list = f; } @@ -2029,6 +2072,12 @@ static void free_frec(struct frec *f) f->stash = NULL; } + if (f->orig_domain) + { + blockdata_free(f->orig_domain); + f->orig_domain = NULL; + } + /* Anything we're waiting on is pointless now, too */ if (f->blocking_query) free_frec(f->blocking_query); -- cgit v1.2.1