SortList sortlist;
DNSFilterEngine dfe;
TrustAnchorFileInfo trustAnchorFileInfo; // Used to update the Trust Anchors from file periodically
- map<DNSName, dsmap_t> dsAnchors;
+ map<DNSName, dsset_t> dsAnchors;
map<DNSName, std::string> negAnchors;
map<DNSName, RecZoneToCache::Config> ztcConfigs;
std::map<QType, std::pair<std::set<QType>, AdditionalMode>> allowAdditionalQTypes;
SLOG(g_log << Logger::Debug << "Refreshing Trust Anchors from file" << endl,
log->info(Logr::Debug, "Refreshing Trust Anchors from file"));
try {
- map<DNSName, dsmap_t> dsAnchors;
+ map<DNSName, dsset_t> dsAnchors;
if (updateTrustAnchorsFromFile(luaconfsLocal->trustAnchorFileInfo.fname, dsAnchors, log)) {
g_luaconfs.modify([&dsAnchors](LuaConfigItems& lci) {
lci.dsAnchors = dsAnchors;
resolver.setDoDNSSEC(true);
resolver.setDNSSECValidationRequested(true);
- dsmap_t dsmap; // Actually a set
- vState dsState = resolver.getDSRecords(d_zone, dsmap, false, 0, "");
+ dsset_t dsset;
+ vState dsState = resolver.getDSRecords(d_zone, dsset, false, 0, "");
if (dsState != vState::Secure) {
return dsState;
}
}
skeyset_t validKeys;
- vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsmap, dnsKeys, records, zonemd.getRRSIGs(QType::DNSKEY), validKeys, std::nullopt, validationContext);
+ vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsset, dnsKeys, records, zonemd.getRRSIGs(QType::DNSKEY), validKeys, std::nullopt, validationContext);
if (dnsKeyState != vState::Secure) {
return dnsKeyState;
}
LOG(", validation state is now " << state << endl);
}
-vState SyncRes::getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix)
+vState SyncRes::getTA(const DNSName& zone, dsset_t& dsSet, const string& prefix)
{
auto luaLocal = g_luaconfs.getLocal();
return vState::NTA;
}
- if (getTrustAnchor(luaLocal->dsAnchors, zone, dsMap)) {
+ if (getTrustAnchor(luaLocal->dsAnchors, zone, dsSet)) {
if (!zone.isRoot()) {
LOG(prefix << zone << ": Got TA" << endl);
}
return vState::Indeterminate;
}
-size_t SyncRes::countSupportedDS(const dsmap_t& dsmap, const string& prefix)
+size_t SyncRes::countSupportedDS(const dsset_t& dsset, const string& prefix)
{
size_t count = 0;
- for (const auto& dsRecordContent : dsmap) {
+ for (const auto& dsRecordContent : dsset) {
if (isSupportedDS(dsRecordContent, LogObject(prefix))) {
count++;
}
{
DNSName zone(from);
do {
- dsmap_t dsMap;
- vState result = getTA(zone, dsMap, prefix);
+ dsset_t dsSet;
+ vState result = getTA(zone, dsSet, prefix);
if (result != vState::Indeterminate) {
if (result == vState::TA) {
- if (countSupportedDS(dsMap, prefix) == 0) {
- dsMap.clear();
+ if (countSupportedDS(dsSet, prefix) == 0) {
+ dsSet.clear();
result = vState::Insecure;
}
else {
} while (zone.chopOff());
}
-vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD, bool* foundCut)
+vState SyncRes::getDSRecords(const DNSName& zone, dsset_t& dsSet, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD, bool* foundCut)
{
- vState result = getTA(zone, dsMap, prefix);
+ vState result = getTA(zone, dsSet, prefix);
if (result != vState::Indeterminate || onlyTA) {
if (foundCut != nullptr) {
}
if (result == vState::TA) {
- if (countSupportedDS(dsMap, prefix) == 0) {
- dsMap.clear();
+ if (countSupportedDS(dsSet, prefix) == 0) {
+ dsSet.clear();
result = vState::Insecure;
}
else {
if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::DIGEST_GOST && dscontent->d_digesttype == DNSSECKeeper::DIGEST_SHA256)) {
bestDigestType = dscontent->d_digesttype;
}
- dsMap.insert(*dscontent);
+ dsSet.insert(*dscontent);
}
}
else if (record.d_type == QType::CNAME && record.d_name == zone) {
* digests if DS RRs with SHA-256 digests are present in the DS RRset."
* We interpret that as: do not use SHA-1 if SHA-256 or SHA-384 is available
*/
- for (auto dsrec = dsMap.begin(); dsrec != dsMap.end();) {
+ for (auto dsrec = dsSet.begin(); dsrec != dsSet.end();) {
if (dsrec->d_digesttype == DNSSECKeeper::DIGEST_SHA1 && dsrec->d_digesttype != bestDigestType) {
- dsrec = dsMap.erase(dsrec);
+ dsrec = dsSet.erase(dsrec);
}
else {
++dsrec;
}
if (rcode == RCode::NoError) {
- if (dsMap.empty()) {
+ if (dsSet.empty()) {
/* we have no DS, it's either:
- a delegation to a non-DNSSEC signed zone
- no delegation, we stay in the same zone
LOG(prefix << name << ": - Looking for a DS at " << dsName << endl);
bool foundCut = false;
- dsmap_t results;
+ dsset_t results;
vState dsState = getDSRecords(dsName, results, false, depth, prefix, false, &foundCut);
if (foundCut) {
vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<const RRSIGRecordContent>>& signatures, unsigned int depth, const string& prefix)
{
- dsmap_t dsMap;
+ dsset_t dsSet;
if (signatures.empty()) {
LOG(prefix << zone << ": We have " << std::to_string(dnskeys.size()) << " DNSKEYs but no signature, going Bogus!" << endl);
return vState::BogusNoRRSIG;
DNSName signer = getSigner(signatures);
if (!signer.empty() && zone.isPartOf(signer)) {
- vState state = getDSRecords(signer, dsMap, false, depth, prefix);
+ vState state = getDSRecords(signer, dsSet, false, depth, prefix);
if (state != vState::Secure) {
return state;
}
}
- LOG(prefix << zone << ": Trying to validate " << std::to_string(tentativeKeys.size()) << " DNSKEYs with " << std::to_string(dsMap.size()) << " DS" << endl);
+ LOG(prefix << zone << ": Trying to validate " << std::to_string(tentativeKeys.size()) << " DNSKEYs with " << std::to_string(dsSet.size()) << " DS" << endl);
skeyset_t validatedKeys;
- auto state = validateDNSKeysAgainstDS(d_now.tv_sec, zone, dsMap, tentativeKeys, toSign, signatures, validatedKeys, LogObject(prefix), d_validationContext);
+ auto state = validateDNSKeysAgainstDS(d_now.tv_sec, zone, dsSet, tentativeKeys, toSign, signatures, validatedKeys, LogObject(prefix), d_validationContext);
if (s_maxvalidationsperq != 0 && d_validationContext.d_validationsCounter > s_maxvalidationsperq) {
throw ImmediateServFailException("Server Failure while validating DNSKEYs, too many signature validations for this query");
or more likely NSEC(3)s proving that it does not exist, we have a problem.
In that case let's see if the DS does exist, and if it does let's go Bogus
*/
- dsmap_t results;
+ dsset_t results;
vState dsState = getDSRecords(signer, results, false, depth, prefix, true);
if (vStateIsBogus(dsState) || dsState == vState::Insecure) {
state = dsState;
vState state{vState::Indeterminate};
};
- vState getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD = true, bool* foundCut = nullptr);
+ vState getDSRecords(const DNSName& zone, dsset_t& dsSet, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD = true, bool* foundCut = nullptr);
class AuthDomain
{
dState getDenialValidationState(const NegCache::NegCacheEntry& negEntry, dState expectedState, bool referralToUnsigned, const string& prefix);
void updateDenialValidationState(const DNSName& qname, vState& neValidationState, const DNSName& neName, vState& state, dState denialState, dState expectedState, bool isDS, unsigned int depth, const string& prefix);
void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& negEntry, const DNSName& qname, QType qtype, int res, vState& state, unsigned int depth, const string& prefix);
- vState getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix);
+ vState getTA(const DNSName& zone, dsset_t& dsSet, const string& prefix);
vState getValidationStatus(const DNSName& name, bool wouldBeValid, bool typeIsDS, unsigned int depth, const string& prefix);
void updateValidationStatusInCache(const DNSName& qname, QType qtype, bool aaFlag, vState newState) const;
void initZoneCutsFromTA(const DNSName& from, const string& prefix);
- size_t countSupportedDS(const dsmap_t& dsmap, const string& prefix);
+ size_t countSupportedDS(const dsset_t& dsSet, const string& prefix);
void handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, QType qtype, std::vector<DNSRecord>& ret, int& rcode, unsigned int depth, const std::vector<DNSRecord>& recordsFromAnswer, vState& state);
keys[name] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, ds);
}
-void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsmap_t>& dsAnchors)
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsset_t>& dsAnchors)
{
generateKeyMaterial(name, algo, digest, keys);
dsAnchors[name].insert(keys[name].second);
void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys);
-void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsmap_t>& dsAnchors);
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsset_t>& dsAnchors);
LWResult::Result genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut = true, boost::optional<time_t> now = boost::none, bool nsec3 = false, bool optOut = false);
return LWResult::Result::Timeout;
});
- dsmap_t ds;
+ dsset_t ds;
auto state = sr->getDSRecords(target, ds, false, 0, "", false);
BOOST_CHECK_EQUAL(state, vState::Secure);
BOOST_REQUIRE_EQUAL(ds.size(), 1U);
return LWResult::Result::Timeout;
});
- dsmap_t ds;
+ dsset_t ds;
auto state = sr->getDSRecords(target, ds, false, 0, "", false);
BOOST_CHECK_EQUAL(state, vState::Secure);
BOOST_REQUIRE_EQUAL(ds.size(), 2U);
return LWResult::Result::Timeout;
});
- dsmap_t ds;
+ dsset_t ds;
auto state = sr->getDSRecords(target, ds, false, 0, "", false);
BOOST_CHECK_EQUAL(state, vState::Secure);
BOOST_REQUIRE_EQUAL(ds.size(), 2U);
}
// Returns true if dsAnchors were modified
-bool updateTrustAnchorsFromFile(const std::string& fname, map<DNSName, dsmap_t>& dsAnchors, Logr::log_t log)
+bool updateTrustAnchorsFromFile(const std::string& fname, map<DNSName, dsset_t>& dsAnchors, Logr::log_t log)
{
- map<DNSName, dsmap_t> newDSAnchors;
+ map<DNSName, dsset_t> newDSAnchors;
try {
auto zoneParser = ZoneParserTNG(fname);
zoneParser.disableGenerate();
bool warnIfDNSSECDisabled(const string& msg);
vState increaseDNSSECStateCounter(const vState& state);
vState increaseXDNSSECStateCounter(const vState& state);
-bool updateTrustAnchorsFromFile(const std::string& fname, map<DNSName, dsmap_t>& dsAnchors, Logr::log_t);
+bool updateTrustAnchorsFromFile(const std::string& fname, map<DNSName, dsset_t>& dsAnchors, Logr::log_t);
return vState::BogusNoValidRRSIG;
}
-bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res)
+bool getTrustAnchor(const map<DNSName,dsset_t>& anchors, const DNSName& zone, dsset_t &res)
{
const auto& iter = anchors.find(zone);
return true;
}
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsset_t& dsset, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context)
{
/*
* Check all DNSKEY records against all DS records and place all DNSKEY records
* that have DS records (that we support the algo for) in the tentative key storage
*/
uint16_t dssConsidered = 0;
- for (const auto& dsrc : dsmap) {
+ for (const auto& dsrc : dsset) {
if (g_maxDSsToConsider > 0 && dssConsidered > g_maxDSsToConsider) {
VLOG(log, zone << ": We have already considered "<<std::to_string(dssConsidered)<<" DS"<<addS(dssConsidered)<<", not considering the remaining ones"<<endl;);
return vState::BogusNoValidDNSKEY;
bool dnskeyAlgoSupported = false;
bool dsDigestSupported = false;
- for (const auto& dsrc : dsmap)
+ for (const auto& dsrc : dsset)
{
if (DNSCryptoKeyEngine::isAlgorithmSupported(dsrc.d_algorithm)) {
dnskeyAlgoSupported = true;
// ponder adding a validate method that accepts a key
};
using cspmap_t = map<pair<DNSName, uint16_t>, ContentSigPair>;
-using dsmap_t = std::set<DSRecordContent>;
+using dsset_t = std::set<DSRecordContent>;
struct sharedDNSKeyRecordContentCompare
{
bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next);
bool isCoveredByNSEC3Hash(const std::string& hash, const std::string& beginHash, const std::string& nextHash);
bool isCoveredByNSEC3Hash(const DNSName& name, const DNSName& beginHash, const DNSName& nextHash);
-bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res);
+bool getTrustAnchor(const map<DNSName,dsset_t>& anchors, const DNSName& zone, dsset_t &res);
bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const DNSName& zone, std::string& reason);
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsset_t& dsset, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, pdns::validation::ValidationContext& context, const OptLog& log = std::nullopt, bool needWildcardProof=true, unsigned int wildcardLabelsCount=0);
bool isSupportedDS(const DSRecordContent& dsRecordContent, const OptLog&);
DNSName getSigner(const std::vector<std::shared_ptr<const RRSIGRecordContent> >& signatures);
projects / thirdparty / pdns.git / commitdiff
