pdns/nsec3dig.cc

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22 #ifdef HAVE_CONFIG_H
  23 #include "config.h"
  24 #endif
  25 #include "dnsparser.hh"
  26 #include "sstuff.hh"
  27 #include "misc.hh"
  28 #include "dnswriter.hh"
  29 #include "dnsrecords.hh"
  30 #include "statbag.hh"
  31 #include "base32.hh"
  32 #include "dnssecinfra.hh"
  33
  34
  35 StatBag S;
  36
  37 typedef std::pair<string,string> nsec3;
  38 typedef set<nsec3> nsec3set;
  39 typedef map<string, int> nsec3types;
  40
  41 static string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
  42 {
  43   NSEC3PARAMRecordContent ns3prc;
  44   ns3prc.d_iterations = iters;
  45   ns3prc.d_salt = salt;
  46   return toBase32Hex(hashQNameWithSalt(ns3prc, qname));
  47 }
  48
  49 static void proveOrDeny(const nsec3set &nsec3s, const nsec3types &nsec3t, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
  50 {
  51   string hashed = nsec3Hash(qname, salt, iters);
  52
  53   // cerr<<"proveOrDeny(.., '"<<qname<<"', ..)"<<endl;
  54   // cerr<<"hashed: "<<hashed<<endl;
  55   for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
  56     string base=(*pos).first;
  57     string next=(*pos).second;
  58
  59     if(hashed == base)
  60     {
  61       proven.insert(qname);
  62       cout<<qname.toString()<<" ("<<hashed<<") proven by base ("<<nsec3t.at(base)<<" types) of "<<base<<".."<<next<<endl;
  63     }
  64     if(hashed == next)
  65     {
  66       proven.insert(qname);
  67       cout<<qname.toString()<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl;
  68     }
  69     if((hashed > base && hashed < next) ||
  70        (next < base && (hashed < next || hashed > base)))
  71     {
  72       denied.insert(qname);
  73       cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
  74     }
  75     if (base == next && base != hashed)
  76     {
  77       denied.insert(qname);
  78       cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
  79     }
  80   }
  81 }
  82
  83 static void usage() {
  84   cerr<<"nsec3dig"<<endl;
  85   cerr<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n";
  86 }
  87
  88 int main(int argc, char** argv)
  89 try
  90 {
  91   bool recurse=false;
  92
  93   reportAllTypes();
  94
  95   for (int i = 1; i < argc; i++) {
  96     if ((string) argv[i] == "--help") {
  97       usage();
  98       return EXIT_SUCCESS;
  99     }
 100
 101     if ((string) argv[i] == "--version") {
 102       cerr<<"nsec3dig "<<VERSION<<endl;
 103       return EXIT_SUCCESS;
 104     }
 105   }
 106
 107   if(argc < 5) {
 108     usage();
 109     exit(EXIT_FAILURE);
 110   }
 111
 112   if(argc > 5 && strcmp(argv[5], "recurse")==0)
 113   {
 114     recurse=true;
 115   }
 116
 117   vector<uint8_t> packet;
 118   DNSName qname(argv[3]);
 119   DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4]));
 120
 121   if(recurse)
 122   {
 123     pw.getHeader()->rd=true;
 124     pw.getHeader()->cd=true;
 125   }
 126
 127   pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
 128   pw.commit();
 129
 130
 131   ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
 132   Socket sock(dest.sin4.sin_family, SOCK_STREAM);
 133   sock.connect(dest);
 134   uint16_t len;
 135   len = htons(packet.size());
 136   if(sock.write((char *) &len, 2) != 2)
 137     throw PDNSException("tcp write failed");
 138
 139   sock.writen(string(packet.begin(), packet.end()));
 140
 141   if(sock.read((char *) &len, 2) != 2)
 142     throw PDNSException("tcp read failed");
 143
 144   len=ntohs(len);
 145   auto creply = std::make_unique<char[]>(len);
 146   int n=0;
 147   int numread;
 148   while(n<len) {
 149     numread=sock.read(creply.get()+n, len-n);
 150     if(numread<0)
 151       throw PDNSException("tcp read failed");
 152     n+=numread;
 153   }
 154
 155   string reply(creply.get(), len);
 156
 157   MOADNSParser mdp(false, reply);
 158   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
 159   cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
 160   cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;
 161
 162   set<DNSName> names;
 163   set<DNSName> namesseen;
 164   set<DNSName> namestocheck;
 165   nsec3set nsec3s;
 166   nsec3types nsec3t;
 167   string nsec3salt;
 168   int nsec3iters = 0;
 169   for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {
 170     if(i->first.d_type == QType::NSEC3)
 171     {
 172       // cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl;
 173       // cerr<<i->first.d_content->getZoneRepresentation()<<endl;
 174       const auto r = getRR<NSEC3RecordContent>(i->first);
 175       if (!r) {
 176         continue;
 177       }
 178       // nsec3.insert(new nsec3()
 179       // cerr<<toBase32Hex(r.d_nexthash)<<endl;
 180       nsec3s.emplace(toLower(i->first.d_name.getRawLabel(0)), toBase32Hex(r->d_nexthash));
 181       nsec3salt = r->d_salt;
 182       nsec3iters = r->d_iterations;
 183       nsec3t.emplace(toLower(i->first.d_name.getRawLabel(0)), r->numberOfTypesSet());
 184     }
 185     else
 186     {
 187       // cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl;
 188       names.insert(i->first.d_name);
 189       namesseen.insert(i->first.d_name);
 190     }
 191
 192     if(i->first.d_type == QType::CNAME)
 193     {
 194       namesseen.insert(DNSName(i->first.getContent()->getZoneRepresentation()));
 195     }
 196
 197     cout << i->first.d_place - 1 << "\t" << i->first.d_name.toString() << "\t" << i->first.d_ttl << "\tIN\t" << DNSRecordContent::NumberToType(i->first.d_type);
 198     cout << "\t" << i->first.getContent()->getZoneRepresentation() << "\n";
 199   }
 200
 201 #if 0
 202   cerr<<"got "<<names.size()<<" names"<<endl;
 203   for(set<string>::const_iterator pos=names.begin(); pos != names.end(); ++pos) {
 204     cerr<<"name: "<<*pos<<endl;
 205   }
 206   cerr<<"got "<<nsec3s.size()<<" names"<<endl;
 207   for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
 208     cerr<<"nsec3: "<<(*pos).first<<".."<<(*pos).second<<endl;
 209   }
 210 #endif
 211
 212   cout<<"== nsec3 prove/deny report follows =="<<endl;
 213   set<DNSName> proven;
 214   set<DNSName> denied;
 215   namesseen.insert(qname);
 216   for(const auto &name: namesseen)
 217   {
 218     DNSName shorter(name);
 219     do {
 220       namestocheck.insert(shorter);
 221     } while(shorter.chopOff());
 222   }
 223   for(const auto &name: namestocheck)
 224   {
 225     proveOrDeny(nsec3s, nsec3t, name, nsec3salt, nsec3iters, proven, denied);
 226     proveOrDeny(nsec3s, nsec3t, g_wildcarddnsname+name, nsec3salt, nsec3iters, proven, denied);
 227   }
 228
 229   if(names.count(qname))
 230   {
 231     cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl;
 232     // exit(EXIT_SUCCESS);
 233   }
 234   // cout<<"== qname not found in names, investigating denial"<<endl;
 235   if(proven.count(qname))
 236   {
 237     cout<<"qname found proven, NODATA response?"<<endl;
 238     exit(EXIT_SUCCESS);
 239   }
 240   DNSName shorter=qname;
 241   DNSName encloser;
 242   DNSName nextcloser;
 243   DNSName prev(qname);
 244   while(shorter.chopOff())
 245   {
 246     if(proven.count(shorter))
 247     {
 248       encloser=shorter;
 249       nextcloser=prev;
 250       cout<<"found closest encloser at "<<encloser.toString()<<endl;
 251       cout<<"next closer is "<<nextcloser.toString()<<endl;
 252       break;
 253     }
 254     prev=shorter;
 255   }
 256   if(encloser.countLabels() && nextcloser.countLabels())
 257   {
 258     if(denied.count(nextcloser))
 259     {
 260       cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl;
 261     }
 262     else
 263     {
 264       cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl;
 265     }
 266     DNSName wcplusencloser=g_wildcarddnsname+encloser;
 267     if(denied.count(wcplusencloser))
 268     {
 269       cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl;
 270     }
 271     else if(proven.count(wcplusencloser))
 272     {
 273       cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl;
 274     }
 275     else
 276     {
 277       cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl;
 278     }
 279   }
 280   exit(EXIT_SUCCESS);
 281 }
 282 catch(std::exception &e)
 283 {
 284   cerr<<"Fatal: "<<e.what()<<endl;
 285 }
 286 catch(PDNSException &e)
 287 {
 288   cerr<<"Fatal: "<<e.reason<<endl;
 289 }