1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | #ifdef HAVE_CONFIG_H |
23 | #include "config.h" | |
24 | #endif | |
25 | #include "dnsparser.hh" |
26 | #include "sstuff.hh" | |
27 | #include "misc.hh" | |
28 | #include "dnswriter.hh" | |
29 | #include "dnsrecords.hh" | |
30 | #include "statbag.hh" | |
31 | #include "base32.hh" | |
32 | #include "dnssecinfra.hh" | |
34 | |
// Global statistics bag required by the PowerDNS helper code this tool links against.
StatBag S;

// One NSEC3 interval as (owner-hash label, next-hash), both as base32hex text.
using nsec3 = std::pair<string,string>;
// The set of intervals collected from a single response.
using nsec3set = set<nsec3>;
39 | ||
// Computes the NSEC3 hash of `qname` for the given salt and iteration count
// and returns it as base32hex text, the form used in NSEC3 owner labels.
// Per RFC 5155 the digest is re-hashed `iters` additional times, so the cost
// of this call grows with that value; callers in this tool take it straight
// from the response being examined.
string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
{
  NSEC3PARAMRecordContent params;
  params.d_salt = salt;
  params.d_iterations = iters;
  const string digest = hashQNameWithSalt(params, qname);
  return toBase32Hex(digest);
}
47 | ||
// Classifies `qname` against a set of NSEC3 (owner-hash, next-hash) intervals.
// A name whose hash equals an owner hash or a next hash is added to `proven`;
// a name whose hash lies strictly inside an interval (including the interval
// that wraps around the end of the hash space, and the degenerate single-record
// zone where owner == next) is added to `denied`. Every verdict is also printed
// on stdout. Hashes are compared as base32hex text, which reflects hash order
// only while the owner labels in `nsec3s` and the output of nsec3Hash agree in
// case and length — assumed here, not checked.
void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
{
  const string hashed = nsec3Hash(qname, salt, iters);
  const string shown = qname.toString();

  for(const auto& interval : nsec3s) {
    const string& base = interval.first;
    const string& next = interval.second;

    if(hashed == base) {
      proven.insert(qname);
      cout<<shown<<" ("<<hashed<<") proven by base of "<<base<<".."<<next<<endl;
    }
    if(hashed == next) {
      proven.insert(qname);
      cout<<shown<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl;
    }

    // Strictly inside an ordinary interval, or inside the one interval whose
    // next hash sorts before its owner (it wraps around the hash space).
    const bool insideInterval = (base < hashed && hashed < next)
                             || (next < base && (hashed < next || hashed > base));
    // A lone NSEC3 covering the whole zone has owner == next and denies
    // everything except its own hash.
    const bool loneRecord = (base == next && hashed != base);
    if(insideInterval || loneRecord) {
      denied.insert(qname);
      cout<<shown<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
    }
  }
}
81 | ||
7b7543ad PL |
82 | void usage() { |
83 | cerr<<"nsec3dig"<<endl; | |
84 | cerr<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n"; | |
85 | } | |
86 | ||
54ebc117 PD |
87 | int main(int argc, char** argv) |
88 | try | |
89 | { | |
90 | bool recurse=false; | |
91 | ||
92 | reportAllTypes(); | |
93 | ||
7b7543ad PL |
94 | for (int i = 1; i < argc; i++) { |
95 | if ((string) argv[i] == "--help") { | |
96 | usage(); | |
97 | return EXIT_SUCCESS; | |
98 | } | |
99 | ||
100 | if ((string) argv[i] == "--version") { | |
101 | cerr<<"nsec3dig "<<VERSION<<endl; | |
102 | return EXIT_SUCCESS; | |
103 | } | |
104 | } | |
105 | ||
54ebc117 | 106 | if(argc < 5) { |
7b7543ad | 107 | usage(); |
54ebc117 PD |
108 | exit(EXIT_FAILURE); |
109 | } | |
110 | ||
111 | // FIXME: turn recurse and dnssec into proper flags or something | |
112 | if(argc > 5 && strcmp(argv[5], "recurse")==0) | |
113 | { | |
114 | recurse=true; | |
115 | } | |
116 | ||
117 | vector<uint8_t> packet; | |
eaedd091 | 118 | DNSName qname(argv[3]); |
54ebc117 PD |
119 | DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4])); |
120 | ||
121 | if(recurse) | |
122 | { | |
123 | pw.getHeader()->rd=true; | |
7103fdd8 | 124 | pw.getHeader()->cd=true; |
54ebc117 PD |
125 | } |
126 | ||
127 | pw.addOpt(2800, 0, EDNSOpts::DNSSECOK); | |
128 | pw.commit(); | |
129 | ||
d4eba262 | 130 | |
54ebc117 | 131 | ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2])); |
d4eba262 | 132 | Socket sock(dest.sin4.sin_family, SOCK_STREAM); |
c5c4fbdc PD |
133 | sock.connect(dest); |
134 | uint16_t len; | |
135 | len = htons(packet.size()); | |
136 | if(sock.write((char *) &len, 2) != 2) | |
3f81d239 | 137 | throw PDNSException("tcp write failed"); |
c5c4fbdc PD |
138 | |
139 | sock.writen(string((char*)&*packet.begin(), (char*)&*packet.end())); | |
54ebc117 | 140 | |
c5c4fbdc | 141 | if(sock.read((char *) &len, 2) != 2) |
3f81d239 | 142 | throw PDNSException("tcp read failed"); |
c5c4fbdc PD |
143 | |
144 | len=ntohs(len); | |
145 | char *creply = new char[len]; | |
146 | int n=0; | |
147 | int numread; | |
148 | while(n<len) { | |
149 | numread=sock.read(creply+n, len-n); | |
150 | if(numread<0) | |
3f81d239 | 151 | throw PDNSException("tcp read failed"); |
c5c4fbdc PD |
152 | n+=numread; |
153 | } | |
154 | ||
155 | string reply(creply, len); | |
156 | delete[] creply; | |
54ebc117 PD |
157 | |
158 | MOADNSParser mdp(reply); | |
eaedd091 | 159 | cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl; |
54ebc117 PD |
160 | cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr; |
161 | cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl; | |
162 | ||
9d7fa327 PD |
163 | set<DNSName> names; |
164 | set<DNSName> namesseen; | |
165 | set<DNSName> namestocheck; | |
54ebc117 PD |
166 | nsec3set nsec3s; |
167 | string nsec3salt; | |
59c892fe | 168 | int nsec3iters = 0; |
54ebc117 PD |
169 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) { |
170 | if(i->first.d_type == QType::NSEC3) | |
171 | { | |
f809c028 | 172 | // cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl; |
54ebc117 PD |
173 | // cerr<<i->first.d_content->getZoneRepresentation()<<endl; |
174 | NSEC3RecordContent r = dynamic_cast<NSEC3RecordContent&> (*(i->first.d_content)); | |
175 | // nsec3.insert(new nsec3() | |
176 | // cerr<<toBase32Hex(r.d_nexthash)<<endl; | |
177 | vector<string> parts; | |
f809c028 | 178 | string sname=i->first.d_name.toString(); |
3343ad1f | 179 | boost::split(parts, sname /* FIXME400 */, boost::is_any_of(".")); |
1bad4190 | 180 | nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r.d_nexthash))); |
54ebc117 PD |
181 | nsec3salt = r.d_salt; |
182 | nsec3iters = r.d_iterations; | |
183 | } | |
184 | else | |
185 | { | |
f809c028 | 186 | // cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl; |
187 | names.insert(i->first.d_name); | |
188 | namesseen.insert(i->first.d_name); | |
c5c4fbdc PD |
189 | } |
190 | ||
191 | if(i->first.d_type == QType::CNAME) | |
192 | { | |
eaedd091 | 193 | namesseen.insert(DNSName(i->first.d_content->getZoneRepresentation())); |
54ebc117 PD |
194 | } |
195 | ||
f809c028 | 196 | cout<<i->first.d_place-1<<"\t"<<i->first.d_name.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type); |
54ebc117 PD |
197 | cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n"; |
198 | } | |
199 | ||
200 | #if 0 | |
201 | cerr<<"got "<<names.size()<<" names"<<endl; | |
202 | for(set<string>::const_iterator pos=names.begin(); pos != names.end(); ++pos) { | |
203 | cerr<<"name: "<<*pos<<endl; | |
204 | } | |
205 | cerr<<"got "<<nsec3s.size()<<" names"<<endl; | |
206 | for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) { | |
207 | cerr<<"nsec3: "<<(*pos).first<<".."<<(*pos).second<<endl; | |
208 | } | |
209 | #endif | |
210 | ||
211 | cout<<"== nsec3 prove/deny report follows =="<<endl; | |
9d7fa327 PD |
212 | set<DNSName> proven; |
213 | set<DNSName> denied; | |
eaedd091 | 214 | namesseen.insert(qname); |
9d7fa327 | 215 | for(const auto &n: namesseen) |
df69c422 | 216 | { |
9d7fa327 | 217 | DNSName shorter(n); |
df69c422 PD |
218 | do { |
219 | namestocheck.insert(shorter); | |
9d7fa327 | 220 | } while(shorter.chopOff()); |
df69c422 | 221 | } |
9d7fa327 | 222 | for(const auto &n: namestocheck) |
df69c422 PD |
223 | { |
224 | proveOrDeny(nsec3s, n, nsec3salt, nsec3iters, proven, denied); | |
eaedd091 | 225 | proveOrDeny(nsec3s, DNSName("*")+n, nsec3salt, nsec3iters, proven, denied); |
df69c422 | 226 | } |
d2a2bbe7 | 227 | |
eaedd091 | 228 | if(names.count(qname)) |
d2a2bbe7 | 229 | { |
75a89ce6 PD |
230 | cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl; |
231 | // exit(EXIT_SUCCESS); | |
d2a2bbe7 | 232 | } |
75a89ce6 | 233 | // cout<<"== qname not found in names, investigating denial"<<endl; |
d2a2bbe7 PD |
234 | if(proven.count(qname)) |
235 | { | |
236 | cout<<"qname found proven, NODATA response?"<<endl; | |
237 | exit(EXIT_SUCCESS); | |
238 | } | |
9d7fa327 PD |
239 | DNSName shorter=qname; |
240 | DNSName encloser; | |
241 | DNSName nextcloser; | |
242 | DNSName prev(qname); | |
243 | while(shorter.chopOff()) | |
d2a2bbe7 PD |
244 | { |
245 | if(proven.count(shorter)) | |
246 | { | |
247 | encloser=shorter; | |
248 | nextcloser=prev; | |
9d7fa327 PD |
249 | cout<<"found closest encloser at "<<encloser.toString()<<endl; |
250 | cout<<"next closer is "<<nextcloser.toString()<<endl; | |
d2a2bbe7 PD |
251 | break; |
252 | } | |
253 | prev=shorter; | |
254 | } | |
9d7fa327 | 255 | if(encloser.countLabels() && nextcloser.countLabels()) |
d2a2bbe7 PD |
256 | { |
257 | if(denied.count(nextcloser)) | |
258 | { | |
9d7fa327 | 259 | cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl; |
d2a2bbe7 PD |
260 | } |
261 | else | |
262 | { | |
9d7fa327 | 263 | cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl; |
d2a2bbe7 | 264 | } |
9d7fa327 PD |
265 | DNSName wcplusencloser=DNSName("*")+encloser; |
266 | if(denied.count(wcplusencloser)) | |
d2a2bbe7 | 267 | { |
9d7fa327 | 268 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl; |
d2a2bbe7 | 269 | } |
9d7fa327 | 270 | else if(proven.count(wcplusencloser)) |
75a89ce6 | 271 | { |
9d7fa327 | 272 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl; |
75a89ce6 | 273 | } |
d2a2bbe7 PD |
274 | else |
275 | { | |
9d7fa327 | 276 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl; |
d2a2bbe7 PD |
277 | } |
278 | } | |
279 | exit(EXIT_SUCCESS); | |
54ebc117 PD |
280 | } |
281 | catch(std::exception &e) | |
282 | { | |
283 | cerr<<"Fatal: "<<e.what()<<endl; | |
284 | } | |
7e7c31aa PD |
285 | catch(PDNSException &e) |
286 | { | |
287 | cerr<<"Fatal: "<<e.reason<<endl; | |
288 | } |