- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
}
static inline int
-mesh_is_udp(struct mesh_reply const* r) {
+mesh_is_udp(struct mesh_reply const* r)
+{
return r->query_reply.c->type == comm_udp;
}
static inline void
mesh_find_and_attach_ede_and_reason(struct mesh_state* m,
- struct reply_info* rep, struct mesh_reply* r) {
- char *reason = m->s.env->cfg->val_log_level >= 2
- ? errinf_to_str_bogus(&m->s) : NULL;
-
- /* During validation the EDE code can be received via two
+ struct reply_info* rep, struct mesh_reply* r)
+{
+ /* OLD note:
+ * During validation the EDE code can be received via two
* code paths. One code path fills the reply_info EDE, and
* the other fills it in the errinf_strlist. These paths
* intersect at some points, but where is opaque due to
* the complexity of the validator. At the time of writing
* we make the choice to prefer the EDE from errinf_strlist
* but a compelling reason to do otherwise is just as valid
+ * NEW note:
+ * The compelling reason is that with caching support, the value
+ * in the * reply_info is cached.
+ * The reason members of the reply_info struct should be
+ * updated as they are already cached. No reason to
+ * try and find the EDE information in errinf anymore.
*/
- sldns_ede_code reason_bogus = errinf_to_reason_bogus(&m->s);
- if ((reason_bogus == LDNS_EDE_DNSSEC_BOGUS &&
- rep->reason_bogus != LDNS_EDE_NONE) ||
- reason_bogus == LDNS_EDE_NONE) {
- reason_bogus = rep->reason_bogus;
- }
-
- if(reason_bogus != LDNS_EDE_NONE) {
+ if(rep->reason_bogus != LDNS_EDE_NONE) {
edns_opt_list_append_ede(&r->edns.opt_list_out,
- m->s.region, reason_bogus, reason);
+ m->s.region, rep->reason_bogus, rep->reason_bogus_str);
}
- free(reason);
}
/**
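Review bot: The `val_log_level >= 2` gate that used to decide whether any reason text is attached has been removed from mesh_find_and_attach_ede_and_reason; the EDE text now comes straight from `rep->reason_bogus_str`, so whatever text the cached reply carries is sent to every client that asked for EDE. Where that field is filled is outside this hunk, so it is worth confirming that the same configuration gate still applies at that point, since these strings describe validator internals. The OLD note / NEW note pair also reads like a changelog rather than a comment; I would collapse it into one statement of the current rule, e.g. `/* The EDE code and text come from the reply_info: they are cached with it, so errinf is no longer consulted here. */`, and drop the stray `* ` in `in the * reply_info`.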
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
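Review bot: The added `access-control: 127.0.0.0/8 allow_snoop` line carries no explanation, and a reader who copies this config block will not see that a cache-snooping permission is being granted only so that the non-RD cache-check query added later in the scenario is answered from cache. I would put a comment above it, `# allow_snoop: only so the non-RD cache-check query below is answered from cache`, here and in the other scenario files that add the same line in this commit.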
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 21 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 22 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 21 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 22 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.sub.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.sub.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
www.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
STEP 100 TIME_PASSES ELAPSE 10
; second query should not result in going to the network.
ftp.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.example.com. IN A
+ENTRY_END
+
SCENARIO_END
+++ /dev/null
-; @TODO decide if we want to keep this, or change the original test(s)
-; This test is a copy of autotrust_probefail, where the query is executed twide
-
-
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- log-time-ascii: yes
- fake-sha1: yes
- trust-anchor-signaling: no
- ede: yes
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-AUTOTRUST_FILE example.com
-; autotrust trust anchor file
-;;id: example.com. 1
-;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
-;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
-;;next_probe_time: 1258967360 ;;Mon Nov 23 10:09:20 2009
-;;query_failed: 0
-;;query_interval: 5400
-;;retry_time: 3600
-example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
-example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
-AUTOTRUST_END
-CONFIG_END
-
-SCENARIO_BEGIN Test autotrust with probe failure
-
-; K-ROOT
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id copy_query
-REPLY QR AA
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS k.root-servers.net.
-SECTION ADDITIONAL
-k.root-servers.net IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA SERVFAIL
-SECTION QUESTION
-ns.example.com. IN AAAA
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA
-SECTION QUESTION
-ns.example.com. IN A
-SECTION ANSWER
-ns.example.com. 3600 IN A 1.2.3.4
-ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
-SECTION AUTHORITY
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
-SECTION ADDITIONAL
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA SERVFAIL
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-
-; revoked keys
-example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b}
-example.com. 10800 IN DNSKEY 385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b}
-; signatures
-example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55710 example.com. zOSlB1iwtlP2lum1RK0WoDQrMVj0JKwk2E5Mu1okzV38hAx3Xm9IGMK6WrNkVVLmx4OkhYmdPVA95jVsFpwLMw== ;{id = 55710}
-example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 16614 example.com. qP49cCYP3lvNnLBYty/JxAwHqBIGjpup5zQ7qpjPnaZpBb/TlpOhY17LBZrqD86VvBbEVz5tkxC9UrCy85ePDQ== ;{id = 16614}
-
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-RANGE_END
-
-; set date/time to Mon Nov 23 09:46:40 2009
-STEP 5 TIME_PASSES EVAL ${1258962400 + 7200}
-STEP 6 TRAFFIC ; do the probe
-STEP 7 ASSIGN t0 = ${time}
-STEP 8 ASSIGN probe0 = ${range 3200 ${timeout} 3600}
-STEP 9 ASSIGN tp = ${1258962400}
-
-; the auto probing should have been done now.
-STEP 11 CHECK_AUTOTRUST example.com
-FILE_BEGIN
-; autotrust trust anchor file
-;;id: example.com. 1
-;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
-;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
-;;next_probe_time: 1258967360 ;;Mon Nov 23 10:09:20 2009
-;;query_failed: 0
-;;query_interval: 5400
-;;retry_time: 3600
-example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
-example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
-FILE_END
-
-STEP 20 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-STEP 30 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all ede=9
-REPLY QR RD RA DO SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 40 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-STEP 50 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all ede=9
-REPLY QR RD RA DO SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
minimal-responses: no
nsid: "ascii_hopsa kidee"
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
HEX_EDNSDATA_END
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 00 ; Length 0
+ HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 0b ; Length 11
+ 68 6F 70 73 61 20 ; "hopsa "
+ 6B 69 64 65 65 ; "kidee"
+ HEX_EDNSDATA_END
+ENTRY_END
+
SCENARIO_END
target-fetch-policy: "0 0 0 0 0"
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 23 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+root-key-sentinel-not-ta-19036. IN A
+ENTRY_END
+
+STEP 24 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+root-key-sentinel-not-ta-19036. IN A
+ENTRY_END
+
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 34 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+root-key-sentinel-is-ta-20326. IN A
+ENTRY_END
+
+STEP 35 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+root-key-sentinel-is-ta-20326. IN A
+ENTRY_END
+
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
forward-zone:
name: "."
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all ede=9
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN AAAA
+ENTRY_END
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+foo.www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+foo.www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
www.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
- ; ns.example.com.
-RANGE_BEGIN 0 100
+ ; ns.example.com.
+RANGE_BEGIN 0 100
ADDRESS 185.49.140.60
; response to DNSKEY priming query
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
-; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
-; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
-; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
-; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
-; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
-; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
+ENTRY_END
+
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+a.c.x.w.example. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+a.c.x.w.example. IN A
+SECTION ANSWER
+SECTION AUTHORITY
ENTRY_END
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ns1.example. IN MX
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=12
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ns1.example. IN MX
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ent.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ent.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
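Review bot: This STEP 11 / STEP 12 block is missing the `; Redo the query without RD to check EDE caching.` comment that every other scenario in this commit places before its non-RD query, which is the only thing telling a reader why the query is repeated without RD and why the expected reply lacks the RD flag. The same omission is in the later www.sub.example.com scenario that expects `ede=10` and in the www.example.com scenario whose STEP 10 changed from `ede=9` to `ede=6`; I would add the one-line comment in all three.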
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN TXT
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
www.sub.example.com. IN A
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
SCENARIO_END
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all ede=9
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
const char* str, sldns_ede_code reason_bogus)
{
struct errinf_strlist* p;
- if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str)
+ if(!str || (qstate->env->cfg->val_log_level < 2 &&
+ !qstate->env->cfg->log_servfail)) {
return;
+ }
p = (struct errinf_strlist*)regional_alloc(qstate->region, sizeof(*p));
if(!p) {
log_err("malloc failure in validator-error-info string");
return p;
}
+/* Try to find the latest (most specific) dnssec failure */
sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate)
{
struct errinf_strlist* s;
+ sldns_ede_code ede = LDNS_EDE_NONE;
for(s=qstate->errinf; s; s=s->next) {
- if (s->reason_bogus != LDNS_EDE_NONE) {
- return s->reason_bogus;
- }
+ if(s->reason_bogus == LDNS_EDE_NONE) continue;
+ if(ede != LDNS_EDE_NONE
+ && ede != LDNS_EDE_DNSSEC_BOGUS
+ && s->reason_bogus == LDNS_EDE_DNSSEC_BOGUS) continue;
+ ede = s->reason_bogus;
}
- return LDNS_EDE_NONE;
+ return ede;
}
char* errinf_to_str_servfail(struct module_qstate* qstate)
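Review bot: The precedence rule implemented by the new loop in errinf_to_reason_bogus is more subtle than the added one-line comment says: it returns the code of the last errinf entry that carries one, except that a generic LDNS_EDE_DNSSEC_BOGUS never replaces a more specific code already seen, and this "last wins" behaviour is the opposite of the previous first-match return. I would replace the `/* Try to find ... */` line with a comment stating the rule, e.g. `/* Return the EDE code of the last errinf entry that carries one; a generic LDNS_EDE_DNSSEC_BOGUS does not override a more specific code recorded earlier. */`. If the declaration in the header has a doc comment, it should say the same.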
void
key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
- struct module_qstate* qstate)
+ int copy_reason)
{
- struct key_entry_key* k = key_entry_copy(kkey);
+ struct key_entry_key* k = key_entry_copy(kkey, copy_reason);
if(!k)
return;
- if(key_entry_isbad(k) && qstate->errinf &&
- qstate->env->cfg->val_log_level >= 2) {
- /* on malloc failure there is simply no reason string */
- key_entry_set_reason(k, errinf_to_str_bogus(qstate));
- key_entry_set_reason_bogus(k, errinf_to_reason_bogus(qstate));
- }
key_entry_hash(k);
slabhash_insert(kcache->slab, k->entry.hash, &k->entry,
k->entry.data, NULL);
* @param kcache: the key cache.
* @param kkey: key entry key, assumed malloced in a region, is copied
* to perform update or insertion. Its data pointer is also copied.
- * @param qstate: store errinf reason in case its bad.
+ * @param copy_reason: if the reason string needs to be copied (allocated).
*/
void key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
- struct module_qstate* qstate);
+ int copy_reason);
/**
* Remove an entry from the key cache.
}
struct key_entry_key*
-key_entry_copy(struct key_entry_key* kkey)
+key_entry_copy(struct key_entry_key* kkey, int copy_reason)
{
struct key_entry_key* newk;
if(!kkey)
}
packed_rrset_ptr_fixup(newd->rrset_data);
}
- if(d->reason) {
+ if(copy_reason && d->reason && *d->reason != 0) {
newd->reason = strdup(d->reason);
if(!newd->reason) {
free(newd->rrset_data);
free(newk);
return NULL;
}
+ } else {
+ newd->reason = NULL;
}
if(d->algo) {
newd->algo = (uint8_t*)strdup((char*)d->algo);
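Review bot: The new `else { newd->reason = NULL; }` branch in key_entry_copy is the important half of this change and has no comment saying why it is needed; the fact that it is needed suggests newd is a shallow copy of the source data, so without it the copy would keep the source entry's `reason` pointer, which callers now allocate in a region (per key_entry_create_*) and which would dangle once that region is gone — I am inferring the shallow copy from this hunk, please confirm. Suggested: `/* do not share the source entry's reason pointer; it may live in a region */`. The `copy_reason` doc in key_entry.h could also state that when it is 0 the copy carries no reason text.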
return (int)(d->isbad);
}
-void
-key_entry_set_reason(struct key_entry_key* kkey, char* reason)
-{
- struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
- d->reason = reason;
-}
-
-void
-key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede)
-{
- struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data;
- if (ede != LDNS_EDE_NONE) { /* reason_bogus init is LDNS_EDE_NONE already */
- d->reason_bogus = ede;
- }
-}
-
char*
key_entry_get_reason(struct key_entry_key* kkey)
{
struct key_entry_key*
key_entry_create_null(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
return NULL;
d->ttl = now + ttl;
d->isbad = 0;
- d->reason = NULL;
- d->reason_bogus = LDNS_EDE_NONE;
+ d->reason = (!reason || *reason == 0)
+ ?NULL :(char*)regional_strdup(region, reason);
+ /* On allocation error we don't store the reason string */
+ d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;
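Review bot: The reason/reason_bogus assignment added to key_entry_create_null is repeated verbatim in key_entry_create_rrset and key_entry_create_bad; a file-local helper would keep the three creators in step, since the empty-string rule and the silent tolerance of regional_strdup failure are easy to let drift apart. The enclosing function starts outside the hunk. The header docs for the `reason` parameter say "(or NULL)" but the code also treats an empty string as no text; the docs could say `(NULL or empty means no text)`.
```c
/* Store the EDE code and, when non-empty, a region copy of the reason
 * text on a freshly created key entry. On allocation failure the text
 * is dropped and only the code is kept. */
static void
key_entry_set_ede(struct key_entry_data* d, struct regional* region,
	sldns_ede_code reason_bogus, const char* reason)
{
	d->reason = (!reason || *reason == 0)
		?NULL :(char*)regional_strdup(region, reason);
	d->reason_bogus = reason_bogus;
}

/* … unchanged: key_entry_create_null up to d->isbad = 0; … */
	key_entry_set_ede(d, region, reason_bogus, reason);
/* … unchanged: rrset_type, rrset_data and algo assignments … */
```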
struct key_entry_key*
key_entry_create_rrset(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass,
- struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now)
+ struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
+ sldns_ede_code reason_bogus, const char* reason,
+ time_t now)
{
struct key_entry_key* k;
struct key_entry_data* d;
return NULL;
d->ttl = rd->ttl + now;
d->isbad = 0;
- d->reason = NULL;
- d->reason_bogus = LDNS_EDE_NONE;
+ d->reason = (!reason || *reason == 0)
+ ?NULL :(char*)regional_strdup(region, reason);
+ /* On allocation error we don't store the reason string */
+ d->reason_bogus = reason_bogus;
d->rrset_type = ntohs(rrset->rk.type);
d->rrset_data = (struct packed_rrset_data*)regional_alloc_init(region,
rd, packed_rrset_sizeof(rd));
struct key_entry_key*
key_entry_create_bad(struct regional* region,
- uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ sldns_ede_code reason_bogus, const char* reason,
time_t now)
{
struct key_entry_key* k;
return NULL;
d->ttl = now + ttl;
d->isbad = 1;
- d->reason = NULL;
- d->reason_bogus = LDNS_EDE_NONE;
+ d->reason = (!reason || *reason == 0)
+ ?NULL :(char*)regional_strdup(region, reason);
+ /* On allocation error we don't store the reason string */
+ d->reason_bogus = reason_bogus;
d->rrset_type = LDNS_RR_TYPE_DNSKEY;
d->rrset_data = NULL;
d->algo = NULL;
/**
* Copy a key entry, malloced.
* @param kkey: the key entry key (and data pointer) to copy.
+ * @param copy_reason: if the reason string needs to be copied (allocated).
* @return newly allocated entry or NULL on a failure to allocate memory.
*/
-struct key_entry_key* key_entry_copy(struct key_entry_key* kkey);
+struct key_entry_key* key_entry_copy(struct key_entry_key* kkey,
+ int copy_reason);
/**
* See if this is a null entry. Does not do locking.
*/
int key_entry_isbad(struct key_entry_key* kkey);
-/**
- * Set reason why a key is bad.
- * @param kkey: bad key.
- * @param reason: string to attach, you must allocate it.
- * Not safe to call twice unless you deallocate it yourself.
- */
-void key_entry_set_reason(struct key_entry_key* kkey, char* reason);
-
-/**
- * Set the EDE (RFC8914) code why the key is bad, if it
- * exists (so not LDNS_EDE_NONE).
- * @param kkey: bad key.
- * @param ede: EDE code to attach to this key.
- */
-void key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede);
-
-
/**
* Get reason why a key is bad.
* @param kkey: bad key
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
+ * @param reason_bogus: accompanying EDE code.
+ * @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_null(struct regional* region,
- uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
* @param dclass: class of key entry. (host order);
* @param rrset: data for key entry. This is copied to the region.
* @param sigalg: signalled algorithm list (or NULL).
+ * @param reason_bogus: accompanying EDE code (usually LDNS_EDE_NONE).
+ * @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl of rrset)
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_rrset(struct regional* region,
- uint8_t* name, size_t namelen, uint16_t dclass,
- struct ub_packed_rrset_key* rrset, uint8_t* sigalg, time_t now);
+ uint8_t* name, size_t namelen, uint16_t dclass,
+ struct ub_packed_rrset_key* rrset, uint8_t* sigalg,
+ sldns_ede_code reason_bogus, const char* reason,
+ time_t now);
/**
* Create a bad entry, in the given region.
* @param namelen: length of name
* @param dclass: class of key entry. (host order);
* @param ttl: what ttl should the key have. relative.
+ * @param reason_bogus: accompanying EDE code.
+ * @param reason: accompanying NULL-terminated EDE string (or NULL).
* @param now: current time (added to ttl).
* @return new key entry or NULL on alloc failure
*/
struct key_entry_key* key_entry_create_bad(struct regional* region,
uint8_t* name, size_t namelen, uint16_t dclass, time_t ttl,
+ sldns_ede_code reason_bogus, const char* reason,
time_t now);
/**
/** check security status from cache or verify rrset, returns true if secure */
static int
-nsec_verify_rrset(struct module_env* env, struct val_env* ve,
- struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
- char** reason, struct module_qstate* qstate)
+nsec_verify_rrset(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
+ char** reason, sldns_ede_code* reason_bogus,
+ struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
- NULL, LDNS_SECTION_AUTHORITY, qstate);
+ reason_bogus, LDNS_SECTION_AUTHORITY, qstate);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
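Review bot: The new `reason_bogus` out-parameter of nsec_verify_rrset is undocumented, and it is left untouched on the cached-secure early return at L1324-1325, so callers must initialise it before the call. The one-line header at L1312 should say so, e.g. `/** check security status from cache or verify rrset, returns true if secure; on failure *reason and *reason_bogus are filled by val_verify_rrset_entry, both untouched when the cached status is already secure */`. nsec_verify_rrset's body continues past the hunk.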
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
- struct module_qstate* qstate)
+ sldns_ede_code* reason_bogus, struct module_qstate* qstate)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
- if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
+ if(!nsec_verify_rrset(env, ve, nsec, kkey, reason,
+ reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
if(sec == sec_status_bogus) {
/* something was wrong. */
*reason = "NSEC does not prove absence of DS";
+ *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
return sec;
} else if(sec == sec_status_insecure) {
/* this wasn't a delegation point. */
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
- qstate)) {
+ reason_bogus, qstate)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
+ *reason = "NSEC for empty non-terminal "
+ "did not verify.";
return sec_status_bogus;
}
if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
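Review bot: The added assignment `*reason = "NSEC for empty non-terminal did not verify.";` at L1363-1364 overwrites the more specific text that nsec_verify_rrset just wrote through `reason` (via val_verify_rrset_entry, L1326-1328), while `*reason_bogus` keeps the specific code from that same call, so the text and code that end up cached together can disagree. The referral path at L1343-1348 keeps the verify reason, so the two failure paths are now inconsistent. Either drop the assignment or only fill in the generic text when nothing more specific is present, `if(!*reason) *reason = "NSEC for empty non-terminal did not verify.";` (assuming callers initialise `reason` to NULL, which is not visible here). The enclosing function starts and ends outside the hunk.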
#ifndef VALIDATOR_VAL_NSEC_H
#define VALIDATOR_VAL_NSEC_H
#include "util/data/packed_rrset.h"
+#include "sldns/rrdef.h"
struct val_env;
struct module_env;
struct module_qstate;
* @param kkey: key entry to use for verification of signatures.
* @param proof_ttl: if secure, the TTL of how long this proof lasts.
* @param reason: string explaining why bogus.
+ * @param reason_bogus: relevant EDE code for validation failure.
* @param qstate: qstate with region.
* @return security status.
* SECURE: proved absence of DS.
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
struct val_env* ve, struct query_info* qinfo,
struct reply_info* rep, struct key_entry_key* kkey,
- time_t* proof_ttl, char** reason, struct module_qstate* qstate);
+ time_t* proof_ttl, char** reason, sldns_ede_code* reason_bogus,
+ struct module_qstate* qstate);
/**
* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) {
- *reason = "signature missing";
+ *reason = "signatures bogus";
if(reason_bogus)
- *reason_bogus = LDNS_EDE_RRSIGS_MISSING;
+ *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
} else if(numchecked == numindeterminate) {
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
"refusal by cryptolib");
return key_entry_create_rrset(region,
ds_rrset->rk.dname, ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
- downprot?sigalg:NULL, *env->now);
+ downprot?sigalg:NULL, LDNS_EDE_NONE, NULL,
+ *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, ds_rrset->rk.dname,
- ds_rrset->rk.dname_len,
+ ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class),
- rrset_get_ttl(ds_rrset), *env->now);
+ rrset_get_ttl(ds_rrset), *reason_bogus, *reason,
+ *env->now);
}
return key_entry_create_bad(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
- BOGUS_KEY_TTL, *env->now);
+ BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
enum sec_status
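Review bot: `*reason_bogus` is dereferenced unconditionally at L1413 and L1419 (and likewise at L1439 and L1445 in val_verify_DNSKEY_with_TA), whereas dnskeyset_verify_rrset at L1395 treats the same pointer as optional with `if(reason_bogus)`, so a caller that passes NULL — which the lower-level verify helpers accept — would now crash in the insecure and bogus branches. Either make the contract explicit in the header doc, `@param reason_bogus: EDE code out-parameter, must not be NULL`, or read it defensively, `reason_bogus ? *reason_bogus : LDNS_EDE_DNSSEC_BOGUS`. Whether any existing caller passes NULL is not visible in this diff. Both enclosing functions start outside their hunks.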
has_useful_ta = 1;
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
- ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate);
+ ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
return key_entry_create_rrset(region,
dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
- downprot?sigalg:NULL, *env->now);
+ downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class),
- rrset_get_ttl(dnskey_rrset), *env->now);
+ rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason,
+ *env->now);
}
return key_entry_create_bad(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
- BOGUS_KEY_TTL, *env->now);
+ BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
int
struct query_info* qinfo, struct sock_list* origin);
-/* Updates the suplied EDE (RFC8914) code selectively so we don't loose
- * a more specific code
- */
+/* Updates the suplied EDE (RFC8914) code selectively so we don't lose
+ * a more specific code */
static void
update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus)
{
- if (rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS ||
- rep->reason_bogus == LDNS_EDE_NONE) {
- rep->reason_bogus = reason_bogus;
- }
+ if(reason_bogus == LDNS_EDE_NONE) return;
+ if(reason_bogus == LDNS_EDE_DNSSEC_BOGUS
+ && rep->reason_bogus != LDNS_EDE_NONE
+ && rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS) return;
+ rep->reason_bogus = reason_bogus;
}
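Review bot: The comment at L1452-1453 still misspells "suplied" and no longer describes the precedence the rewritten body implements; since this helper now decides which code is cached (L1525), the rule is worth stating. Suggested text: `/* Update the supplied EDE (RFC8914) code selectively so we don't lose a more specific one: NONE never overwrites, DNSSEC_BOGUS only replaces NONE or DNSSEC_BOGUS, any other code always wins. */`.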
vq->state = VAL_FINISHED_STATE;
return 1;
} else if(key_entry_isbad(vq->key_entry)) {
- sldns_ede_code ede = LDNS_EDE_DNSSEC_BOGUS;
-
- /* the key could have a more spefic EDE than just bogus */
- if(key_entry_get_reason_bogus(vq->key_entry) != LDNS_EDE_NONE) {
- ede = key_entry_get_reason_bogus(vq->key_entry);
- }
-
+ /* Bad keys should have the relevant EDE code and text */
+ sldns_ede_code ede = key_entry_get_reason_bogus(vq->key_entry);
/* key is bad, chain is bad, reply is bogus */
errinf_dname(qstate, "key for validation", vq->key_entry->name);
errinf_ede(qstate, "is marked as invalid", ede);
- if(key_entry_get_reason(vq->key_entry)) {
- errinf(qstate, "because of a previous");
- errinf(qstate, key_entry_get_reason(vq->key_entry));
- }
+ errinf(qstate, "because of a previous");
+ errinf(qstate, key_entry_get_reason(vq->key_entry));
/* no retries, stop bothering the authority until timeout */
vq->restart_count = ve->max_restart;
vq->chase_reply->security = sec_status_insecure;
val_mark_insecure(vq->chase_reply, vq->key_entry->name,
qstate->env->rrset_cache, qstate->env);
- key_cache_insert(ve->kcache, vq->key_entry, qstate);
+ key_cache_insert(ve->kcache, vq->key_entry,
+ qstate->env->cfg->val_log_level >= 2);
return 1;
}
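Review bot: The guard around `key_entry_get_reason()` at L1482-1485 is removed, but key_entry_create_bad's own doc at L1303 still allows a NULL reason, so `errinf(qstate, key_entry_get_reason(vq->key_entry));` at L1487 can now receive NULL; keep `if(key_entry_get_reason(vq->key_entry))` around the two errinf calls, or tighten the header doc so bad keys must carry text. Likewise L1478 drops the LDNS_EDE_DNSSEC_BOGUS fallback, and the same key code feeds update_reason_bogus at L1503-1504, which returns without setting anything for LDNS_EDE_NONE (L1461), so a bad key created with LDNS_EDE_NONE would leave a reply marked bogus (L1500) with no EDE at all; `if(ede == LDNS_EDE_NONE) ede = LDNS_EDE_DNSSEC_BOGUS;` preserves the previous behaviour. Whether any bad-key creation site can pass LDNS_EDE_NONE is not visible in this diff. Separately, `qstate->env->cfg->val_log_level >= 2` is repeated as the new key_cache_insert argument at L1495, L1511, L1719 and L1727; a small static inline helper or a named constant for the threshold would keep the four sites in step.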
"of trust to keys for", vq->key_entry->name,
LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
vq->chase_reply->security = sec_status_bogus;
-
- update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSKEY_MISSING);
+ update_reason_bogus(vq->chase_reply,
+ key_entry_get_reason_bogus(vq->key_entry));
errinf_ede(qstate, "while building chain of trust",
- LDNS_EDE_DNSKEY_MISSING);
+ key_entry_get_reason_bogus(vq->key_entry));
if(vq->restart_count >= ve->max_restart)
- key_cache_insert(ve->kcache, vq->key_entry, qstate);
+ key_cache_insert(ve->kcache, vq->key_entry,
+ qstate->env->cfg->val_log_level >= 2);
return 1;
}
size_t err_str_len = strlen(err_str);
log_info("%s", err_str);
/* allocate space and store the error
- * string; */
+ * string */
vq->orig_msg->rep->reason_bogus_str = regional_alloc(
qstate->region,
sizeof(char) * (err_str_len+1));
}
}
+ /* Update rep->reason_bogus as it is the one being cached */
+ update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
/* store results in cache */
if(qstate->query_flags&BIT_RD) {
/* if secure, this will override cache anyway, no need
log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- "
"could not fetch DNSKEY rrset",
ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
+ reason_bogus = LDNS_EDE_DNSKEY_MISSING;
+ reason = "no DNSKEY rrset";
if(qstate->env->cfg->harden_dnssec_stripped) {
- errinf_ede(qstate, "no DNSKEY rrset", LDNS_EDE_DNSKEY_MISSING);
+ errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
+ reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
+ reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate fail prime key");
errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
+ reason_bogus, reason,
*qstate->env->now);
} else kkey = key_entry_create_null(qstate->region, ta->name,
ta->namelen, ta->dclass, NULL_KEY_TTL,
+ reason_bogus, reason,
*qstate->env->now);
if(!kkey) {
log_err("out of memory: allocate null prime key");
/* errors here pretty much break validation */
verbose(VERB_DETAIL, "DS response was error, thus bogus");
errinf(qstate, rc);
- errinf_ede(qstate, "no DS", LDNS_EDE_NETWORK_ERROR);
-
+ reason = "no DS";
+ reason_bogus = LDNS_EDE_NETWORK_ERROR;
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
if(!ds) {
log_warn("internal error: POSITIVE DS response was "
"missing DS.");
- errinf_ede(qstate, "no DS record", LDNS_EDE_DNSSEC_BOGUS);
+ reason = "no DS record";
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
/* Verify only returns BOGUS or SECURE. If the rrset is
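Review bot: The internal-error path at L1571-1573 replaces the explicit LDNS_EDE_DNSSEC_BOGUS with whatever `reason_bogus` currently holds, so any code set earlier in the function leaks into this branch; setting it explicitly, `reason_bogus = LDNS_EDE_DNSSEC_BOGUS;` next to `reason = "no DS record";`, keeps the old behaviour and mirrors the network-error branch at L1563-1565. The value `reason_bogus` has on entry to this block is set outside the hunk.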
if(!val_dsset_isusable(ds)) {
/* If they aren't usable, then we treat it like
* there was no DS. */
-
- /* TODO add EDE Unsupported DS Digest Type; this needs
- * EDE to be added on non SERVFAIL answers. */
-
- *ke = key_entry_create_null(qstate->region,
- qinfo->qname, qinfo->qname_len, qinfo->qclass,
- ub_packed_rrset_ttl(ds), *qstate->env->now);
+ *ke = key_entry_create_null(qstate->region,
+ qinfo->qname, qinfo->qname_len, qinfo->qclass,
+ ub_packed_rrset_ttl(ds),
+ LDNS_EDE_UNSUPPORTED_DS_DIGEST, NULL,
+ *qstate->env->now);
return (*ke) != NULL;
}
log_query_info(VERB_DETAIL, "validated DS", qinfo);
*ke = key_entry_create_rrset(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass, ds,
- NULL, *qstate->env->now);
+ NULL, LDNS_EDE_NONE, NULL, *qstate->env->now);
return (*ke) != NULL;
} else if(subtype == VAL_CLASS_NODATA ||
subtype == VAL_CLASS_NAMEERROR) {
/* make sure there are NSECs or NSEC3s with signatures */
if(!val_has_signed_nsecs(msg->rep, &reason)) {
verbose(VERB_ALGO, "no NSECs: %s", reason);
- errinf_ede(qstate, reason, LDNS_EDE_NSEC_MISSING);
+ reason_bogus = LDNS_EDE_NSEC_MISSING;
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
/* Try to prove absence of the DS with NSEC */
sec = val_nsec_prove_nodata_dsreply(
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
- &proof_ttl, &reason, qstate);
+ &proof_ttl, &reason, &reason_bogus, qstate);
switch(sec) {
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC RRset for the "
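Review bot: The null key at L1587-1591 is created with LDNS_EDE_UNSUPPORTED_DS_DIGEST but a NULL reason string, unlike the other key-creation sites in this diff (L1541-1544, L1698-1705) which pair code and text, so the cached entry carries a code without the explanation later surfaced through key_entry_get_reason(). Passing a short text such as `"unsupported DS digest type"` in place of the NULL at L1590 keeps the entries uniform. The removed TODO at L1581-1582 noted that EDEs on non-SERVFAIL answers need separate support; whether an insecure answer derived from this null key actually emits the code is not visible here, and a one-line comment at the creation site saying where it is consumed would help the next reader. The enclosing function starts and ends outside the hunk.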
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
+ LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_insecure:
*ke = key_entry_create_null(qstate->region,
qinfo->qname, qinfo->qname_len,
qinfo->qclass, proof_ttl,
+ LDNS_EDE_NONE, NULL,
*qstate->env->now);
return (*ke) != NULL;
case sec_status_indeterminate:
* this is BOGUS. */
verbose(VERB_DETAIL, "DS %s ran out of options, so return "
"bogus", val_classification_to_string(subtype));
- errinf(qstate, "no DS but also no proof of that");
+ reason = "no DS but also no proof of that";
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else if(subtype == VAL_CLASS_CNAME ||
subtype == VAL_CLASS_CNAMENOANSWER) {
cname = reply_find_rrset_section_an(msg->rep, qinfo->qname,
qinfo->qname_len, LDNS_RR_TYPE_CNAME, qinfo->qclass);
if(!cname) {
- errinf(qstate, "validator classified CNAME but no "
- "CNAME of the queried name for DS");
+ reason = "validator classified CNAME but no "
+ "CNAME of the queried name for DS";
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
if(((struct packed_rrset_data*)cname->entry.data)->rrsig_count
== 0) {
if(msg->rep->an_numrrsets != 0 && ntohs(msg->rep->
rrsets[0]->rk.type)==LDNS_RR_TYPE_DNAME) {
- errinf(qstate, "DS got DNAME answer");
+ reason = "DS got DNAME answer";
} else {
- errinf(qstate, "DS got unsigned CNAME answer");
+ reason = "DS got unsigned CNAME answer";
}
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
}
- sec = val_verify_rrset_entry(qstate->env, ve, cname,
- vq->key_entry, &reason, NULL, LDNS_SECTION_ANSWER, qstate);
+ sec = val_verify_rrset_entry(qstate->env, ve, cname,
+ vq->key_entry, &reason, &reason_bogus,
+ LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
verbose(VERB_ALGO, "CNAME validated, "
"proof that DS does not exist");
return 1;
}
errinf(qstate, "CNAME in DS response was not secure.");
- errinf(qstate, reason);
+ errinf_ede(qstate, reason, reason_bogus);
goto return_bogus;
} else {
verbose(VERB_QUERY, "Encountered an unhandled type of "
"DS response, thus bogus.");
errinf(qstate, "no DS and");
+ reason = "no DS";
if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) {
char rc[16];
rc[0]=0;
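Review bot: The unsigned-CNAME branch at L1658-1659 sets only the text and then reuses whatever `reason_bogus` currently holds at L1661, although the condition (`rrsig_count == 0`, L1651-1652) is precisely what LDNS_EDE_RRSIGS_MISSING (seen at L1396) describes. Adding `reason_bogus = LDNS_EDE_RRSIGS_MISSING;` beside `reason = "DS got unsigned CNAME answer";` gives the cached bad key and the reply a specific code; the DNAME branch at L1656 should keep the generic one. The value `reason_bogus` holds on entry to this block comes from earlier in the function, outside the hunk.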
}
return_bogus:
*ke = key_entry_create_bad(qstate->region, qinfo->qname,
- qinfo->qname_len, qinfo->qclass,
- BOGUS_KEY_TTL, *qstate->env->now);
+ qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL,
+ reason_bogus, reason, *qstate->env->now);
return (*ke) != NULL;
}
vq->restart_count++;
return;
}
- vq->key_entry = key_entry_create_bad(qstate->region,
+ reason = "No DNSKEY record";
+ reason_bogus = LDNS_EDE_DNSKEY_MISSING;
+ vq->key_entry = key_entry_create_bad(qstate->region,
qinfo->qname, qinfo->qname_len, qinfo->qclass,
- BOGUS_KEY_TTL, *qstate->env->now);
+ BOGUS_KEY_TTL, reason_bogus, reason,
+ *qstate->env->now);
if(!vq->key_entry) {
log_err("alloc failure in missing dnskey response");
/* key_entry is NULL for failure in Validate */
}
- errinf_ede(qstate, "No DNSKEY record", LDNS_EDE_DNSKEY_MISSING);
+ errinf_ede(qstate, reason, reason_bogus);
errinf_origin(qstate, origin);
errinf_dname(qstate, "for key", qinfo->qname);
vq->state = VAL_VALIDATE_STATE;
qstate->errinf = NULL;
/* The DNSKEY validated, so cache it as a trusted key rrset. */
- key_cache_insert(ve->kcache, vq->key_entry, qstate);
+ key_cache_insert(ve->kcache, vq->key_entry,
+ qstate->env->cfg->val_log_level >= 2);
/* If good, we stay in the FINDKEY state. */
log_query_info(VERB_DETAIL, "validated DNSKEY", qinfo);
errinf_origin(qstate, origin);
errinf_dname(qstate, "for trust anchor", ta->name);
/* store the freshly primed entry in the cache */
- key_cache_insert(ve->kcache, vq->key_entry, qstate);
+ key_cache_insert(ve->kcache, vq->key_entry,
+ qstate->env->cfg->val_log_level >= 2);
}
/* If the result of the prime is a null key, skip the FINDKEY state.*/