2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "dnsparser.hh"
27 #include "namespaces.hh"
28 #include "dnsrecords.hh"
29 #include "dnssecinfra.hh"
32 extern time_t g_signatureInceptionSkew;
33 extern uint16_t g_maxNSEC3Iterations;
34 extern uint16_t g_maxRRSIGsPerRecordToConsider;
35 extern uint16_t g_maxNSEC3sPerRecordToConsider;
36 extern uint16_t g_maxDNSKEYsToConsider;
37 extern uint16_t g_maxDSsToConsider;
40 enum class vState : uint8_t { Indeterminate, Insecure, Secure, NTA, TA, BogusNoValidDNSKEY, BogusInvalidDenial, BogusUnableToGetDSs, BogusUnableToGetDNSKEYs, BogusSelfSignedDS, BogusNoRRSIG, BogusNoValidRRSIG, BogusMissingNegativeIndication, BogusSignatureNotYetValid, BogusSignatureExpired, BogusUnsupportedDNSKEYAlgo, BogusUnsupportedDSDigestType, BogusNoZoneKeyBitSet, BogusRevokedDNSKEY, BogusInvalidDNSKEYProtocol };
41 const std::string& vStateToString(vState state);
42 inline bool vStateIsBogus(vState state)
44 return state >= vState::BogusNoValidDNSKEY;
48 enum class dState : uint8_t { NODENIAL, INCONCLUSIVE, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
50 std::ostream& operator<<(std::ostream &, vState);
51 std::ostream& operator<<(std::ostream &, dState);
56 virtual ~DNSRecordOracle() = default;
57 DNSRecordOracle(const DNSRecordOracle&) = default;
58 DNSRecordOracle(DNSRecordOracle&&) = default;
59 DNSRecordOracle& operator=(const DNSRecordOracle&) = default;
60 DNSRecordOracle& operator=(DNSRecordOracle&&) = default;
61 virtual std::vector<DNSRecord> get(const DNSName& qname, uint16_t qtype) = 0;
67 sortedRecords_t records;
68 vector<shared_ptr<const RRSIGRecordContent>> signatures;
69 // ponder adding a validate method that accepts a key
71 using cspmap_t = map<pair<DNSName, uint16_t>, ContentSigPair>;
72 using dsmap_t = std::set<DSRecordContent>;
74 struct sharedDNSKeyRecordContentCompare
76 bool operator() (const shared_ptr<const DNSKEYRecordContent>& lhs, const shared_ptr<const DNSKEYRecordContent>& rhs) const
82 using skeyset_t = set<shared_ptr<const DNSKEYRecordContent>, sharedDNSKeyRecordContentCompare>;
84 namespace pdns::validation
86 using Nsec3HashesCache = std::map<std::tuple<DNSName, std::string, uint16_t>, std::string>;
88 struct ValidationContext
90 Nsec3HashesCache d_nsec3Cache;
91 unsigned int d_validationsCounter{0};
92 unsigned int d_nsec3IterationsRemainingQuota{0};
95 class TooManySEC3IterationsException : public std::runtime_error
98 TooManySEC3IterationsException(): std::runtime_error("Too many NSEC3 hash computations per query")
105 vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& signatures, const skeyset_t& keys, const OptLog& log, pdns::validation::ValidationContext& context, bool validateAllSigs=true);
106 bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next);
107 bool isCoveredByNSEC3Hash(const std::string& hash, const std::string& beginHash, const std::string& nextHash);
108 bool isCoveredByNSEC3Hash(const DNSName& name, const DNSName& beginHash, const DNSName& nextHash);
109 cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs);
110 bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res);
111 bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const DNSName& zone, std::string& reason);
112 vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
113 dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, pdns::validation::ValidationContext& context, const OptLog& log = std::nullopt, bool needWildcardProof=true, unsigned int wildcardLabelsCount=0);
114 bool isSupportedDS(const DSRecordContent& dsRecordContent, const OptLog&);
115 DNSName getSigner(const std::vector<std::shared_ptr<const RRSIGRecordContent> >& signatures);
116 bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords, pdns::validation::ValidationContext& context);
117 bool isRRSIGNotExpired(time_t now, const RRSIGRecordContent& sig);
118 bool isRRSIGIncepted(time_t now, const RRSIGRecordContent& sig);
119 bool isWildcardExpanded(unsigned int labelCount, const RRSIGRecordContent& sign);
120 bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const RRSIGRecordContent& sign);
121 void updateDNSSECValidationState(vState& state, vState stateUpdate);
123 dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const NSECRecordContent& nsec, const std::vector<std::shared_ptr<const RRSIGRecordContent>>& signatures, const OptLog&);
125 bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const NSEC3RecordContent& nsec3);
126 DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<const RRSIGRecordContent> >& signatures);
127 DNSName getClosestEncloserFromNSEC(const DNSName& name, const DNSName& owner, const DNSName& next);
128 [[nodiscard]] uint64_t getNSEC3DenialProofWorstCaseIterationsCount(uint8_t maxLabels, uint16_t iterations, size_t saltLength);
129 [[nodiscard]] std::string getHashFromNSEC3(const DNSName& qname, uint16_t iterations, const std::string& salt, pdns::validation::ValidationContext& context);
131 template <typename NSEC> bool isTypeDenied(const NSEC& nsec, const QType& type)
133 if (nsec.isSet(type.getCode())) {
137 /* RFC 6840 section 4.3 */
138 if (nsec.isSet(QType::CNAME)) {