[thirdparty/pdns.git] / pdns / nsec3dig.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "dnsparser.hh"
#include "sstuff.hh"
#include "misc.hh"
#include "dnswriter.hh"
#include "dnsrecords.hh"
#include "statbag.hh"
#include "base32.hh"
#include "dnssecinfra.hh"


StatBag S;

typedef std::pair<string,string> nsec3;
typedef set<nsec3> nsec3set;

string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
{
  NSEC3PARAMRecordContent ns3prc;
  ns3prc.d_iterations = iters;
  ns3prc.d_salt = salt;
  return toBase32Hex(hashQNameWithSalt(ns3prc, qname));
}

void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
{
  string hashed = nsec3Hash(qname, salt, iters);

  // cerr<<"proveOrDeny(.., '"<<qname<<"', ..)"<<endl;
  // cerr<<"hashed: "<<hashed<<endl;
  for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
    string base=(*pos).first;
    string next=(*pos).second;

    if(hashed == base)
    {
      proven.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") proven by base of "<<base<<".."<<next<<endl;
    }
    if(hashed == next)
    {
      proven.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl;
    }
    if((hashed > base && hashed < next) ||
       (next < base && (hashed < next || hashed > base)))
    {
      denied.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
    }
    if (base == next && base != hashed)
    {
      denied.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
    }
  }
}

void usage() {
  cerr<<"nsec3dig"<<endl;
  cerr<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n";
}

int main(int argc, char** argv)
try
{
  bool recurse=false;

  reportAllTypes();

  for (int i = 1; i < argc; i++) {
    if ((string) argv[i] == "--help") {
      usage();
      return EXIT_SUCCESS;
    }

    if ((string) argv[i] == "--version") {
      cerr<<"nsec3dig "<<VERSION<<endl;
      return EXIT_SUCCESS;
    }
  }

  if(argc < 5) {
    usage();
    exit(EXIT_FAILURE);
  }

  // FIXME: turn recurse and dnssec into proper flags or something
  if(argc > 5 && strcmp(argv[5], "recurse")==0)
  {
    recurse=true;
  }

  vector<uint8_t> packet;
  DNSName qname(argv[3]);
  DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4]));

  if(recurse)
  {
    pw.getHeader()->rd=true;
    pw.getHeader()->cd=true;
  }

  pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
  pw.commit();


  ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
  Socket sock(dest.sin4.sin_family, SOCK_STREAM);  
  sock.connect(dest);
  uint16_t len;
  len = htons(packet.size());
  if(sock.write((char *) &len, 2) != 2)
    throw PDNSException("tcp write failed");

  sock.writen(string(packet.begin(), packet.end()));
  
  if(sock.read((char *) &len, 2) != 2)
    throw PDNSException("tcp read failed");

  len=ntohs(len);
  char *creply = new char[len];
  int n=0;
  int numread;
  while(n<len) {
    numread=sock.read(creply+n, len-n);
    if(numread<0)
      throw PDNSException("tcp read failed");
    n+=numread;
  }

  string reply(creply, len);
  delete[] creply;

  MOADNSParser mdp(false, reply);
  cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
  cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
  cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;

  set<DNSName> names;
  set<DNSName> namesseen;
  set<DNSName> namestocheck;
  nsec3set nsec3s;
  string nsec3salt;
  int nsec3iters = 0;
  for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {     
    if(i->first.d_type == QType::NSEC3)
    {
      // cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl;
      // cerr<<i->first.d_content->getZoneRepresentation()<<endl;
      const auto r = std::dynamic_pointer_cast<NSEC3RecordContent>(i->first.d_content);
      if (!r) {
        continue;
      }
      // nsec3.insert(new nsec3()
      // cerr<<toBase32Hex(r.d_nexthash)<<endl;
      vector<string> parts;
      string sname=i->first.d_name.toString();
      boost::split(parts, sname /* FIXME400 */, boost::is_any_of("."));
      nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r->d_nexthash)));
      nsec3salt = r->d_salt;
      nsec3iters = r->d_iterations;
    }
    else
    {
      // cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl;
      names.insert(i->first.d_name);
      namesseen.insert(i->first.d_name);
    }

    if(i->first.d_type == QType::CNAME)
    {
      namesseen.insert(DNSName(i->first.d_content->getZoneRepresentation()));
    }

    cout<<i->first.d_place-1<<"\t"<<i->first.d_name.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
    cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n";
  }

#if 0
  cerr<<"got "<<names.size()<<" names"<<endl;
  for(set<string>::const_iterator pos=names.begin(); pos != names.end(); ++pos) {
    cerr<<"name: "<<*pos<<endl;
  }
  cerr<<"got "<<nsec3s.size()<<" names"<<endl;
  for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
    cerr<<"nsec3: "<<(*pos).first<<".."<<(*pos).second<<endl;
  }
#endif

  cout<<"== nsec3 prove/deny report follows =="<<endl;
  set<DNSName> proven;
  set<DNSName> denied;
  namesseen.insert(qname);
  for(const auto &name: namesseen)
  {
    DNSName shorter(name);
    do {
      namestocheck.insert(shorter);
    } while(shorter.chopOff());
  }
  for(const auto &name: namestocheck)
  {
    proveOrDeny(nsec3s, name, nsec3salt, nsec3iters, proven, denied);
    proveOrDeny(nsec3s, g_wildcarddnsname+name, nsec3salt, nsec3iters, proven, denied);
  }

  if(names.count(qname))
  {
    cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl;
    // exit(EXIT_SUCCESS);
  }
  // cout<<"== qname not found in names, investigating denial"<<endl;
  if(proven.count(qname))
  {
    cout<<"qname found proven, NODATA response?"<<endl;
    exit(EXIT_SUCCESS);
  }
  DNSName shorter=qname;
  DNSName encloser;
  DNSName nextcloser;
  DNSName prev(qname);
  while(shorter.chopOff())
  {
    if(proven.count(shorter))
    {
      encloser=shorter;
      nextcloser=prev;
      cout<<"found closest encloser at "<<encloser.toString()<<endl;
      cout<<"next closer is "<<nextcloser.toString()<<endl;
      break;
    }
    prev=shorter;
  }
  if(encloser.countLabels() && nextcloser.countLabels())
  {
    if(denied.count(nextcloser))
    {
      cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl;
    }
    else
    {
      cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl;
    }
    DNSName wcplusencloser=g_wildcarddnsname+encloser;
    if(denied.count(wcplusencloser))
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl;
    }
    else if(proven.count(wcplusencloser))
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl;
    }
    else
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl;
    }
  }
  exit(EXIT_SUCCESS);
}
catch(std::exception &e)
{
  cerr<<"Fatal: "<<e.what()<<endl;
}
catch(PDNSException &e)
{
  cerr<<"Fatal: "<<e.reason<<endl;
}
Commit	Line	Data
12471842 PL	1	/*
	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
870a0fe4 AT	22	#ifdef HAVE_CONFIG_H
	23	#include "config.h"
	24	#endif
54ebc117 PD	25	#include "dnsparser.hh"
	26	#include "sstuff.hh"
	27	#include "misc.hh"
	28	#include "dnswriter.hh"
	29	#include "dnsrecords.hh"
	30	#include "statbag.hh"
	31	#include "base32.hh"
	32	#include "dnssecinfra.hh"
fa8fd4d2	33
54ebc117 PD	34
	35	StatBag S;
	36
	37	typedef std::pair<string,string> nsec3;
	38	typedef set<nsec3> nsec3set;
	39
9d7fa327	40	string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
54ebc117	41	{
28e2e78e KM	42	NSEC3PARAMRecordContent ns3prc;
	43	ns3prc.d_iterations = iters;
	44	ns3prc.d_salt = salt;
	45	return toBase32Hex(hashQNameWithSalt(ns3prc, qname));
54ebc117 PD	46	}
54ebc117 PD	47
9d7fa327	48	void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
54ebc117 PD	49	{
	50	string hashed = nsec3Hash(qname, salt, iters);
	51
df69c422	52	// cerr<<"proveOrDeny(.., '"<<qname<<"', ..)"<<endl;
54ebc117 PD	53	// cerr<<"hashed: "<<hashed<<endl;
	54	for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
	55	string base=(*pos).first;
	56	string next=(*pos).second;
	57
	58	if(hashed == base)
	59	{
d2a2bbe7	60	proven.insert(qname);
9d7fa327	61	cout<<qname.toString()<<" ("<<hashed<<") proven by base of "<<base<<".."<<next<<endl;
54ebc117 PD	62	}
	63	if(hashed == next)
	64	{
d2a2bbe7	65	proven.insert(qname);
9d7fa327	66	cout<<qname.toString()<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl;
54ebc117 PD	67	}
	68	if((hashed > base && hashed < next) \|\|
	69	(next < base && (hashed < next \|\| hashed > base)))
	70	{
d2a2bbe7	71	denied.insert(qname);
9d7fa327	72	cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
54ebc117	73	}
3e1cf1ed PD	74	if (base == next && base != hashed)
	75	{
	76	denied.insert(qname);
9d7fa327	77	cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
3e1cf1ed	78	}
54ebc117	79	}
54ebc117 PD	80	}
54ebc117 PD	81
7b7543ad PL	82	void usage() {
	83	cerr<<"nsec3dig"<<endl;
	84	cerr<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n";
	85	}
	86
54ebc117 PD	87	int main(int argc, char** argv)
	88	try
	89	{
	90	bool recurse=false;
	91
	92	reportAllTypes();
	93
7b7543ad PL	94	for (int i = 1; i < argc; i++) {
	95	if ((string) argv[i] == "--help") {
	96	usage();
	97	return EXIT_SUCCESS;
	98	}
	99
	100	if ((string) argv[i] == "--version") {
	101	cerr<<"nsec3dig "<<VERSION<<endl;
	102	return EXIT_SUCCESS;
	103	}
	104	}
	105
54ebc117	106	if(argc < 5) {
7b7543ad	107	usage();
54ebc117 PD	108	exit(EXIT_FAILURE);
	109	}
	110
	111	// FIXME: turn recurse and dnssec into proper flags or something
	112	if(argc > 5 && strcmp(argv[5], "recurse")==0)
	113	{
	114	recurse=true;
	115	}
	116
	117	vector<uint8_t> packet;
eaedd091	118	DNSName qname(argv[3]);
54ebc117 PD	119	DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4]));
	120
	121	if(recurse)
	122	{
	123	pw.getHeader()->rd=true;
7103fdd8	124	pw.getHeader()->cd=true;
54ebc117 PD	125	}
	126
	127	pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
	128	pw.commit();
	129
d4eba262	130
54ebc117	131	ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
d4eba262	132	Socket sock(dest.sin4.sin_family, SOCK_STREAM);
c5c4fbdc PD	133	sock.connect(dest);
	134	uint16_t len;
	135	len = htons(packet.size());
	136	if(sock.write((char *) &len, 2) != 2)
3f81d239	137	throw PDNSException("tcp write failed");
c5c4fbdc	138
16657041	139	sock.writen(string(packet.begin(), packet.end()));
54ebc117	140
c5c4fbdc	141	if(sock.read((char *) &len, 2) != 2)
3f81d239	142	throw PDNSException("tcp read failed");
c5c4fbdc PD	143
	144	len=ntohs(len);
	145	char *creply = new char[len];
	146	int n=0;
	147	int numread;
	148	while(n<len) {
	149	numread=sock.read(creply+n, len-n);
	150	if(numread<0)
3f81d239	151	throw PDNSException("tcp read failed");
c5c4fbdc PD	152	n+=numread;
	153	}
	154
	155	string reply(creply, len);
	156	delete[] creply;
54ebc117	157
27c0050c	158	MOADNSParser mdp(false, reply);
eaedd091	159	cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
54ebc117 PD	160	cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
	161	cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;
	162
9d7fa327 PD	163	set<DNSName> names;
	164	set<DNSName> namesseen;
	165	set<DNSName> namestocheck;
54ebc117 PD	166	nsec3set nsec3s;
54ebc117 PD	167	string nsec3salt;
59c892fe	168	int nsec3iters = 0;
54ebc117 PD	169	for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {
	170	if(i->first.d_type == QType::NSEC3)
	171	{
f809c028	172	// cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl;
54ebc117	173	// cerr<<i->first.d_content->getZoneRepresentation()<<endl;
27d4a65b RG	174	const auto r = std::dynamic_pointer_cast<NSEC3RecordContent>(i->first.d_content);
	175	if (!r) {
	176	continue;
	177	}
54ebc117 PD	178	// nsec3.insert(new nsec3()
	179	// cerr<<toBase32Hex(r.d_nexthash)<<endl;
	180	vector<string> parts;
f809c028	181	string sname=i->first.d_name.toString();
3343ad1f	182	boost::split(parts, sname /* FIXME400 */, boost::is_any_of("."));
27d4a65b RG	183	nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r->d_nexthash)));
	184	nsec3salt = r->d_salt;
	185	nsec3iters = r->d_iterations;
54ebc117 PD	186	}
	187	else
	188	{
f809c028	189	// cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl;
	190	names.insert(i->first.d_name);
	191	namesseen.insert(i->first.d_name);
c5c4fbdc PD	192	}
	193
	194	if(i->first.d_type == QType::CNAME)
	195	{
eaedd091	196	namesseen.insert(DNSName(i->first.d_content->getZoneRepresentation()));
54ebc117 PD	197	}
54ebc117 PD	198
f809c028	199	cout<<i->first.d_place-1<<"\t"<<i->first.d_name.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
54ebc117 PD	200	cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n";
	201	}
	202
	203	#if 0
	204	cerr<<"got "<<names.size()<<" names"<<endl;
	205	for(set<string>::const_iterator pos=names.begin(); pos != names.end(); ++pos) {
	206	cerr<<"name: "<<*pos<<endl;
	207	}
	208	cerr<<"got "<<nsec3s.size()<<" names"<<endl;
	209	for(nsec3set::const_iterator pos=nsec3s.begin(); pos != nsec3s.end(); ++pos) {
	210	cerr<<"nsec3: "<<(pos).first<<".."<<(pos).second<<endl;
	211	}
	212	#endif
	213
	214	cout<<"== nsec3 prove/deny report follows =="<<endl;
9d7fa327 PD	215	set<DNSName> proven;
9d7fa327 PD	216	set<DNSName> denied;
eaedd091	217	namesseen.insert(qname);
2010ac95	218	for(const auto &name: namesseen)
df69c422	219	{
2010ac95	220	DNSName shorter(name);
df69c422 PD	221	do {
df69c422 PD	222	namestocheck.insert(shorter);
9d7fa327	223	} while(shorter.chopOff());
df69c422	224	}
2010ac95	225	for(const auto &name: namestocheck)
df69c422	226	{
2010ac95 RG	227	proveOrDeny(nsec3s, name, nsec3salt, nsec3iters, proven, denied);
2010ac95 RG	228	proveOrDeny(nsec3s, g_wildcarddnsname+name, nsec3salt, nsec3iters, proven, denied);
df69c422	229	}
d2a2bbe7	230
eaedd091	231	if(names.count(qname))
d2a2bbe7	232	{
75a89ce6 PD	233	cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl;
75a89ce6 PD	234	// exit(EXIT_SUCCESS);
d2a2bbe7	235	}
75a89ce6	236	// cout<<"== qname not found in names, investigating denial"<<endl;
d2a2bbe7 PD	237	if(proven.count(qname))
	238	{
	239	cout<<"qname found proven, NODATA response?"<<endl;
	240	exit(EXIT_SUCCESS);
	241	}
9d7fa327 PD	242	DNSName shorter=qname;
	243	DNSName encloser;
	244	DNSName nextcloser;
	245	DNSName prev(qname);
	246	while(shorter.chopOff())
d2a2bbe7 PD	247	{
	248	if(proven.count(shorter))
	249	{
	250	encloser=shorter;
	251	nextcloser=prev;
9d7fa327 PD	252	cout<<"found closest encloser at "<<encloser.toString()<<endl;
9d7fa327 PD	253	cout<<"next closer is "<<nextcloser.toString()<<endl;
d2a2bbe7 PD	254	break;
	255	}
	256	prev=shorter;
	257	}
9d7fa327	258	if(encloser.countLabels() && nextcloser.countLabels())
d2a2bbe7 PD	259	{
	260	if(denied.count(nextcloser))
	261	{
9d7fa327	262	cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl;
d2a2bbe7 PD	263	}
	264	else
	265	{
9d7fa327	266	cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl;
d2a2bbe7	267	}
12c06211	268	DNSName wcplusencloser=g_wildcarddnsname+encloser;
9d7fa327	269	if(denied.count(wcplusencloser))
d2a2bbe7	270	{
9d7fa327	271	cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl;
d2a2bbe7	272	}
9d7fa327	273	else if(proven.count(wcplusencloser))
75a89ce6	274	{
9d7fa327	275	cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl;
75a89ce6	276	}
d2a2bbe7 PD	277	else
d2a2bbe7 PD	278	{
9d7fa327	279	cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl;
d2a2bbe7 PD	280	}
	281	}
	282	exit(EXIT_SUCCESS);
54ebc117 PD	283	}
	284	catch(std::exception &e)
	285	{
	286	cerr<<"Fatal: "<<e.what()<<endl;
	287	}
7e7c31aa PD	288	catch(PDNSException &e)
	289	{
	290	cerr<<"Fatal: "<<e.reason<<endl;
	291	}