1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | #ifdef HAVE_CONFIG_H |
23 | #include "config.h" | |
24 | #endif | |
25 | #include "dnsparser.hh" |
26 | #include "sstuff.hh" | |
27 | #include "misc.hh" | |
28 | #include "dnswriter.hh" | |
29 | #include "dnsrecords.hh" | |
30 | #include "statbag.hh" | |
31 | #include "base32.hh" | |
32 | #include "dnssecinfra.hh" | |
/// Global statistics bag; not referenced anywhere in this file, presumably
/// required by the linked PowerDNS code.
StatBag S;

/// One NSEC3 record reduced to (owner-name hash label, next hashed owner name).
using nsec3 = std::pair<string,string>;
/// Every NSEC3 record collected from one reply.
using nsec3set = set<nsec3>;
39 | ||
/// Hash `qname` the NSEC3 way with the given salt and additional iteration
/// count, returning the digest as Base32hex so it can be compared directly
/// with the owner labels and next-hash fields of NSEC3 records.
string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
{
  NSEC3PARAMRecordContent params;
  params.d_salt = salt;
  params.d_iterations = iters;
  const auto digest = hashQNameWithSalt(params, qname);
  return toBase32Hex(digest);
}
/// Check `qname` against every NSEC3 interval in `nsec3s`.
///
/// The name is added to `proven` when its hash equals either end point of an
/// interval, and to `denied` when its hash lies strictly inside an interval
/// (a normal one, the wrap-around interval at the end of the hash space, or a
/// single-record chain that covers everything but its own owner). A name whose
/// hash no interval touches ends up in neither set. Every verdict is also
/// printed to stdout.
///
/// `salt` and `iters` must be the NSEC3 parameters of the zone the records
/// came from, otherwise the computed hash is meaningless.
/// NOTE(review): the comparisons are plain string comparisons, so nsec3Hash()
/// output and the stored base/next values must agree on Base32hex case --
/// confirm at the call site that builds `nsec3s`.
void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
{
  const string hashed = nsec3Hash(qname, salt, iters);

  for(const auto &interval : nsec3s) {
    const string &base = interval.first;
    const string &next = interval.second;

    // Exact hit on either end point: the name exists in the zone.
    if(hashed == base) {
      proven.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") proven by base of "<<base<<".."<<next<<endl;
    }
    if(hashed == next) {
      proven.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") proven by next of "<<base<<".."<<next<<endl;
    }

    // Strictly inside the interval, either an ordinary one (base < next) or
    // the last one of the chain, which wraps around (next < base).
    const bool insideOrdinary = hashed > base && hashed < next;
    const bool insideWrapped = next < base && (hashed < next || hashed > base);
    if(insideOrdinary || insideWrapped) {
      denied.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
    }

    // A chain of exactly one record covers every hash except its own owner.
    if(base == next && base != hashed) {
      denied.insert(qname);
      cout<<qname.toString()<<" ("<<hashed<<") denied by "<<base<<".."<<next<<endl;
    }
  }
}
/// Print the program name and the accepted argument syntax to stderr.
void usage() {
  cerr<<"nsec3dig"<<endl
      <<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n";
}
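/// Send `packet` to `dest` over TCP, framed with the two-byte length prefix
/// DNS uses on TCP, and return the raw reply bytes.
///
/// Throws PDNSException when the length prefix cannot be written or read, or
/// when the peer closes the connection before the announced reply length has
/// arrived.
static string exchangeOverTcp(const ComboAddress &dest, const vector<uint8_t> &packet)
{
  Socket sock(dest.sin4.sin_family, SOCK_STREAM);
  sock.connect(dest);

  uint16_t len = htons(packet.size());
  if(sock.write(reinterpret_cast<char *>(&len), 2) != 2)
    throw PDNSException("tcp write failed");

  sock.writen(string(packet.begin(), packet.end()));

  if(sock.read(reinterpret_cast<char *>(&len), 2) != 2)
    throw PDNSException("tcp read failed");

  len=ntohs(len);
  // The buffer is owned by a string instead of new[]/delete[], so a throw in
  // the read loop below cannot leak it.
  string reply(len, '\0');
  int n=0;
  while(n<len) {
    int numread=sock.read(&reply[0]+n, len-n);
    // A zero-byte read means the peer closed early; treating it as a failure
    // (not just negative results) keeps this loop from spinning on EOF.
    if(numread<=0)
      throw PDNSException("tcp read failed");
    n+=numread;
  }
  return reply;
}

/// nsec3dig entry point: send one DNSSEC-enabled query over TCP, print every
/// record of the reply, then report which names the returned NSEC3 records
/// prove to exist or deny, including the closest-encloser, next-closer and
/// wildcard checks needed for a name-error or wildcard proof.
///
/// Arguments: IP-ADDRESS (a leading '@' is tolerated) PORT QUESTION
/// QUESTION-TYPE [recurse]; `--help` and `--version` print and exit.
/// Returns EXIT_SUCCESS after printing a report, EXIT_FAILURE on bad usage
/// or when a fatal error was caught (the error is printed to stderr).
int main(int argc, char** argv)
try
{
  bool recurse=false;

  reportAllTypes();

  for (int i = 1; i < argc; i++) {
    const string arg(argv[i]);
    if (arg == "--help") {
      usage();
      return EXIT_SUCCESS;
    }
    if (arg == "--version") {
      cerr<<"nsec3dig "<<VERSION<<endl;
      return EXIT_SUCCESS;
    }
  }

  if(argc < 5) {
    usage();
    return EXIT_FAILURE;
  }

  // FIXME: turn recurse and dnssec into proper flags or something
  if(argc > 5 && strcmp(argv[5], "recurse")==0)
  {
    recurse=true;
  }

  vector<uint8_t> packet;
  DNSName qname(argv[3]);
  DNSPacketWriter pw(packet, qname, DNSRecordContent::TypeToNumber(argv[4]));

  if(recurse)
  {
    // RD asks a resolver to recurse; CD (checking disabled) asks it not to
    // reject or strip DNSSEC data it considers bogus, so the NSEC3s reach us.
    pw.getHeader()->rd=true;
    pw.getHeader()->cd=true;
  }

  // EDNS OPT with the DO bit set, so the server includes the NSEC3 records
  // this tool analyses.
  // NOTE(review): 2800 is presumably the advertised UDP payload size -- confirm.
  pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
  pw.commit();

  ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
  string reply = exchangeOverTcp(dest, packet);

  MOADNSParser mdp(false, reply);
  cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
  cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
  cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;

  set<DNSName> names;        // owner names of all non-NSEC3 records
  set<DNSName> namesseen;    // `names` plus CNAME targets and the qname itself
  set<DNSName> namestocheck; // every name in `namesseen` and all their ancestors
  nsec3set nsec3s;
  string nsec3salt;
  unsigned int nsec3iters = 0; // matches the parameter type of proveOrDeny()
  for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {
    if(i->first.d_type == QType::NSEC3)
    {
      const auto r = std::dynamic_pointer_cast<NSEC3RecordContent>(i->first.d_content);
      if (!r) {
        continue;
      }
      // The first label of the owner name is the Base32hex hash of the record's
      // owner; the next hash comes from the RDATA.
      vector<string> parts;
      string sname=i->first.d_name.toString();
      boost::split(parts, sname /* FIXME400 */, boost::is_any_of("."));
      // NOTE(review): the owner label is lower-cased while the next hash is
      // taken straight from toBase32Hex(); proveOrDeny() compares both with
      // nsec3Hash() output as plain strings, so all three must agree on case.
      nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r->d_nexthash)));
      // Salt and iterations are taken from whichever NSEC3 came last; a reply
      // mixing NSEC3 parameters would be misreported.
      nsec3salt = r->d_salt;
      nsec3iters = r->d_iterations;
    }
    else
    {
      names.insert(i->first.d_name);
      namesseen.insert(i->first.d_name);
    }

    if(i->first.d_type == QType::CNAME)
    {
      namesseen.insert(DNSName(i->first.d_content->getZoneRepresentation()));
    }

    cout<<i->first.d_place-1<<"\t"<<i->first.d_name.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
    cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n";
  }

  cout<<"== nsec3 prove/deny report follows =="<<endl;
  set<DNSName> proven;
  set<DNSName> denied;
  namesseen.insert(qname);
  // Every name seen, plus each of its ancestors, is a candidate encloser.
  for(const auto &name: namesseen)
  {
    DNSName shorter(name);
    do {
      namestocheck.insert(shorter);
    } while(shorter.chopOff());
  }
  // Classify each candidate and the wildcard directly below it.
  for(const auto &name: namestocheck)
  {
    proveOrDeny(nsec3s, name, nsec3salt, nsec3iters, proven, denied);
    proveOrDeny(nsec3s, g_wildcarddnsname+name, nsec3salt, nsec3iters, proven, denied);
  }

  if(names.count(qname))
  {
    cout<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl;
  }
  if(proven.count(qname))
  {
    cout<<"qname found proven, NODATA response?"<<endl;
    return EXIT_SUCCESS;
  }

  // Walk up from the qname until a proven ancestor is found: that is the
  // closest encloser, and the name one label longer is the next closer.
  DNSName shorter=qname;
  DNSName encloser;
  DNSName nextcloser;
  DNSName prev(qname);
  while(shorter.chopOff())
  {
    if(proven.count(shorter))
    {
      encloser=shorter;
      nextcloser=prev;
      cout<<"found closest encloser at "<<encloser.toString()<<endl;
      cout<<"next closer is "<<nextcloser.toString()<<endl;
      break;
    }
    prev=shorter;
  }
  // A complete denial needs the next closer denied and the wildcard at the
  // encloser either denied (name error) or proven (wildcard expansion).
  if(encloser.countLabels() && nextcloser.countLabels())
  {
    if(denied.count(nextcloser))
    {
      cout<<"next closer ("<<nextcloser.toString()<<") is denied correctly"<<endl;
    }
    else
    {
      cout<<"next closer ("<<nextcloser.toString()<<") NOT denied"<<endl;
    }
    DNSName wcplusencloser=g_wildcarddnsname+encloser;
    if(denied.count(wcplusencloser))
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is denied correctly"<<endl;
    }
    else if(proven.count(wcplusencloser))
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is proven"<<endl;
    }
    else
    {
      cout<<"wildcard at encloser ("<<wcplusencloser.toString()<<") is NOT denied or proven"<<endl;
    }
  }
  return EXIT_SUCCESS;
}
catch(std::exception &e)
{
  cerr<<"Fatal: "<<e.what()<<endl;
  // Falling off the end of a handler of main() returns 0; a fatal error must
  // not look like success to the caller.
  return EXIT_FAILURE;
}
catch(PDNSException &e)
{
  cerr<<"Fatal: "<<e.reason<<endl;
  return EXIT_FAILURE;
}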