]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | #ifdef HAVE_CONFIG_H | |
23 | #include "config.h" | |
24 | #endif | |
25 | #include "dnsparser.hh" | |
26 | #include "sstuff.hh" | |
27 | #include "misc.hh" | |
28 | #include "dnswriter.hh" | |
29 | #include "dnsrecords.hh" | |
30 | #include "statbag.hh" | |
31 | #include "base32.hh" | |
32 | #include "dnssecinfra.hh" | |
33 | ||
34 | ||
35 | StatBag S; | |
36 | ||
37 | typedef std::pair<string,string> nsec3; | |
38 | typedef set<nsec3> nsec3set; | |
39 | ||
40 | string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters) | |
41 | { | |
42 | NSEC3PARAMRecordContent ns3prc; | |
43 | ns3prc.d_iterations = iters; | |
44 | ns3prc.d_salt = salt; | |
45 | return toBase32Hex(hashQNameWithSalt(ns3prc, qname)); | |
46 | } | |
47 | ||
48 | void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied) | |
49 | { | |
50 | string hashed = nsec3Hash(qname, salt, iters); | |
51 | ||
52 | // cerr<<"proveOrDeny(.., '"<<qname<<"', ..)"<<endl; | |
53 | // cerr<<"hashed: "<<hashed<<endl; | |
54 | for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) { | |
55 | string base=(*pos).first; | |
56 | string next=(*pos).second; | |
57 | ||
58 | if(hashed == base) | |
59 | { | |
60 | proven.insert(qname); | |
61 | cout<<qname.toString()<<" ("<<hashed<<") proven by base of "<<base<<".."<<next<<endl; | |
62 | } | |
63 | if(hashed == next) | |
64 | { | |
65 | proven.insert(qname); | |
66 | cout<<qname.toString()<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl; | |
67 | } | |
68 | if((hashed > base && hashed < next) || | |
69 | (next < base && (hashed < next || hashed > base))) | |
70 | { | |
71 | denied.insert(qname); | |
72 | cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl; | |
73 | } | |
74 | if (base == next && base != hashed) | |
75 | { | |
76 | denied.insert(qname); | |
77 | cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl; | |
78 | } | |
79 | } | |
80 | } | |
81 | ||
82 | void usage() { | |
83 | cerr<<"nsec3dig"<<endl; | |
84 | cerr<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n"; | |
85 | } | |
86 | ||
87 | int main(int argc, char** argv) | |
88 | try | |
89 | { | |
90 | bool recurse=false; | |
91 | ||
92 | reportAllTypes(); | |
93 | ||
94 | for (int i = 1; i < argc; i++) { | |
95 | if ((string) argv[i] == "--help") { | |
96 | usage(); | |
97 | return EXIT_SUCCESS; | |
98 | } | |
99 | ||
100 | if ((string) argv[i] == "--version") { | |
101 | cerr<<"nsec3dig "<<VERSION<<endl; | |
102 | return EXIT_SUCCESS; | |
103 | } | |
104 | } | |
105 | ||
106 | if(argc < 5) { | |
107 | usage(); | |
108 | exit(EXIT_FAILURE); | |
109 | } | |
110 | ||
111 | // FIXME: turn recurse and dnssec into proper flags or something | |
112 | if(argc > 5 && strcmp(argv[5], "recurse")==0) | |
113 | { | |
114 | recurse=true; | |
115 | } | |
116 | ||
117 | vector<uint8_t> packet; | |
118 | DNSName qname(argv[3]); | |
119 | DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4])); | |
120 | ||
121 | if(recurse) | |
122 | { | |
123 | pw.getHeader()->rd=true; | |
124 | pw.getHeader()->cd=true; | |
125 | } | |
126 | ||
127 | pw.addOpt(2800, 0, EDNSOpts::DNSSECOK); | |
128 | pw.commit(); | |
129 | ||
130 | ||
131 | ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2])); | |
132 | Socket sock(dest.sin4.sin_family, SOCK_STREAM); | |
133 | sock.connect(dest); | |
134 | uint16_t len; | |
135 | len = htons(packet.size()); | |
136 | if(sock.write((char *) &len, 2) != 2) | |
137 | throw PDNSException("tcp write failed"); | |
138 | ||
139 | sock.writen(string(packet.begin(), packet.end())); | |
140 | ||
141 | if(sock.read((char *) &len, 2) != 2) | |
142 | throw PDNSException("tcp read failed"); | |
143 | ||
144 | len=ntohs(len); | |
145 | char *creply = new char[len]; | |
146 | int n=0; | |
147 | int numread; | |
148 | while(n<len) { | |
149 | numread=sock.read(creply+n, len-n); | |
150 | if(numread<0) | |
151 | throw PDNSException("tcp read failed"); | |
152 | n+=numread; | |
153 | } | |
154 | ||
155 | string reply(creply, len); | |
156 | delete[] creply; | |
157 | ||
158 | MOADNSParser mdp(false, reply); | |
159 | cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl; | |
160 | cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr; | |
161 | cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl; | |
162 | ||
163 | set<DNSName> names; | |
164 | set<DNSName> namesseen; | |
165 | set<DNSName> namestocheck; | |
166 | nsec3set nsec3s; | |
167 | string nsec3salt; | |
168 | int nsec3iters = 0; | |
169 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) { | |
170 | if(i->first.d_type == QType::NSEC3) | |
171 | { | |
172 | // cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl; | |
173 | // cerr<<i->first.d_content->getZoneRepresentation()<<endl; | |
174 | const auto r = std::dynamic_pointer_cast<NSEC3RecordContent>(i->first.d_content); | |
175 | if (!r) { | |
176 | continue; | |
177 | } | |
178 | // nsec3.insert(new nsec3() | |
179 | // cerr<<toBase32Hex(r.d_nexthash)<<endl; | |
180 | vector<string> parts; | |
181 | string sname=i->first.d_name.toString(); | |
182 | boost::split(parts, sname /* FIXME400 */, boost::is_any_of(".")); | |
183 | nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r->d_nexthash))); | |
184 | nsec3salt = r->d_salt; | |
185 | nsec3iters = r->d_iterations; | |
186 | } | |
187 | else | |
188 | { | |
189 | // cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl; | |
190 | names.insert(i->first.d_name); | |
191 | namesseen.insert(i->first.d_name); | |
192 | } | |
193 | ||
194 | if(i->first.d_type == QType::CNAME) | |
195 | { | |
196 | namesseen.insert(DNSName(i->first.d_content->getZoneRepresentation())); | |
197 | } | |
198 | ||
199 | cout<<i->first.d_place-1<<"\t"<<i->first.d_name.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type); | |
200 | cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n"; | |
201 | } | |
202 | ||
203 | #if 0 | |
204 | cerr<<"got "<<names.size()<<" names"<<endl; | |
205 | for(set<string>::const_iterator pos=names.begin(); pos != names.end(); ++pos) { | |
206 | cerr<<"name: "<<*pos<<endl; | |
207 | } | |
208 | cerr<<"got "<<nsec3s.size()<<" names"<<endl; | |
209 | for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) { | |
210 | cerr<<"nsec3: "<<(*pos).first<<".."<<(*pos).second<<endl; | |
211 | } | |
212 | #endif | |
213 | ||
214 | cout<<"== nsec3 prove/deny report follows =="<<endl; | |
215 | set<DNSName> proven; | |
216 | set<DNSName> denied; | |
217 | namesseen.insert(qname); | |
218 | for(const auto &name: namesseen) | |
219 | { | |
220 | DNSName shorter(name); | |
221 | do { | |
222 | namestocheck.insert(shorter); | |
223 | } while(shorter.chopOff()); | |
224 | } | |
225 | for(const auto &name: namestocheck) | |
226 | { | |
227 | proveOrDeny(nsec3s, name, nsec3salt, nsec3iters, proven, denied); | |
228 | proveOrDeny(nsec3s, g_wildcarddnsname+name, nsec3salt, nsec3iters, proven, denied); | |
229 | } | |
230 | ||
231 | if(names.count(qname)) | |
232 | { | |
233 | cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl; | |
234 | // exit(EXIT_SUCCESS); | |
235 | } | |
236 | // cout<<"== qname not found in names, investigating denial"<<endl; | |
237 | if(proven.count(qname)) | |
238 | { | |
239 | cout<<"qname found proven, NODATA response?"<<endl; | |
240 | exit(EXIT_SUCCESS); | |
241 | } | |
242 | DNSName shorter=qname; | |
243 | DNSName encloser; | |
244 | DNSName nextcloser; | |
245 | DNSName prev(qname); | |
246 | while(shorter.chopOff()) | |
247 | { | |
248 | if(proven.count(shorter)) | |
249 | { | |
250 | encloser=shorter; | |
251 | nextcloser=prev; | |
252 | cout<<"found closest encloser at "<<encloser.toString()<<endl; | |
253 | cout<<"next closer is "<<nextcloser.toString()<<endl; | |
254 | break; | |
255 | } | |
256 | prev=shorter; | |
257 | } | |
258 | if(encloser.countLabels() && nextcloser.countLabels()) | |
259 | { | |
260 | if(denied.count(nextcloser)) | |
261 | { | |
262 | cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl; | |
263 | } | |
264 | else | |
265 | { | |
266 | cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl; | |
267 | } | |
268 | DNSName wcplusencloser=g_wildcarddnsname+encloser; | |
269 | if(denied.count(wcplusencloser)) | |
270 | { | |
271 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl; | |
272 | } | |
273 | else if(proven.count(wcplusencloser)) | |
274 | { | |
275 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl; | |
276 | } | |
277 | else | |
278 | { | |
279 | cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl; | |
280 | } | |
281 | } | |
282 | exit(EXIT_SUCCESS); | |
283 | } | |
284 | catch(std::exception &e) | |
285 | { | |
286 | cerr<<"Fatal: "<<e.what()<<endl; | |
287 | } | |
288 | catch(PDNSException &e) | |
289 | { | |
290 | cerr<<"Fatal: "<<e.reason<<endl; | |
291 | } |