2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include "dnsparser.hh"
28 #include "dnswriter.hh"
29 #include "dnsrecords.hh"
32 #include "dnssecinfra.hh"
37 typedef std::pair
<string
,string
> nsec3
;
38 typedef set
<nsec3
> nsec3set
;
40 string
nsec3Hash(const DNSName
&qname
, const string
&salt
, unsigned int iters
)
42 NSEC3PARAMRecordContent ns3prc
;
43 ns3prc
.d_iterations
= iters
;
45 return toBase32Hex(hashQNameWithSalt(ns3prc
, qname
));
48 void proveOrDeny(const nsec3set
&nsec3s
, const DNSName
&qname
, const string
&salt
, unsigned int iters
, set
<DNSName
> &proven
, set
<DNSName
> &denied
)
50 string hashed
= nsec3Hash(qname
, salt
, iters
);
52 // cerr<<"proveOrDeny(.., '"<<qname<<"', ..)"<<endl;
53 // cerr<<"hashed: "<<hashed<<endl;
54 for(nsec3set::const_iterator pos
=nsec3s
.begin(); pos
!= nsec3s
.end(); ++pos
) {
55 string base
=(*pos
).first
;
56 string next
=(*pos
).second
;
61 cout
<<qname
.toString()<<" ("<<hashed
<<") proven by base of "<<base
<<".."<<next
<<endl
;
66 cout
<<qname
.toString()<<" ("<<hashed
<<") proven by next of "<<base
<<".."<<next
<<endl
;
68 if((hashed
> base
&& hashed
< next
) ||
69 (next
< base
&& (hashed
< next
|| hashed
> base
)))
72 cout
<<qname
.toString()<<" ("<<hashed
<<") denied by "<<base
<<".."<<next
<<endl
;
74 if (base
== next
&& base
!= hashed
)
77 cout
<<qname
.toString()<<" ("<<hashed
<<") denied by "<<base
<<".."<<next
<<endl
;
83 cerr
<<"nsec3dig"<<endl
;
84 cerr
<<"Syntax: nsec3dig IP-ADDRESS PORT QUESTION QUESTION-TYPE [recurse]\n";
87 int main(int argc
, char** argv
)
94 for (int i
= 1; i
< argc
; i
++) {
95 if ((string
) argv
[i
] == "--help") {
100 if ((string
) argv
[i
] == "--version") {
101 cerr
<<"nsec3dig "<<VERSION
<<endl
;
111 // FIXME: turn recurse and dnssec into proper flags or something
112 if(argc
> 5 && strcmp(argv
[5], "recurse")==0)
117 vector
<uint8_t> packet
;
118 DNSName
qname(argv
[3]);
119 DNSPacketWriter
pw(packet
, qname
, DNSRecordContent::TypeToNumber(argv
[4]));
123 pw
.getHeader()->rd
=true;
124 pw
.getHeader()->cd
=true;
127 pw
.addOpt(2800, 0, EDNSOpts::DNSSECOK
);
131 ComboAddress
dest(argv
[1] + (*argv
[1]=='@'), atoi(argv
[2]));
132 Socket
sock(dest
.sin4
.sin_family
, SOCK_STREAM
);
135 len
= htons(packet
.size());
136 if(sock
.write((char *) &len
, 2) != 2)
137 throw PDNSException("tcp write failed");
139 sock
.writen(string(packet
.begin(), packet
.end()));
141 if(sock
.read((char *) &len
, 2) != 2)
142 throw PDNSException("tcp read failed");
145 char *creply
= new char[len
];
149 numread
=sock
.read(creply
+n
, len
-n
);
151 throw PDNSException("tcp read failed");
155 string
reply(creply
, len
);
158 MOADNSParser
mdp(false, reply
);
159 cout
<<"Reply to question for qname='"<<mdp
.d_qname
<<"', qtype="<<DNSRecordContent::NumberToType(mdp
.d_qtype
)<<endl
;
160 cout
<<"Rcode: "<<mdp
.d_header
.rcode
<<", RD: "<<mdp
.d_header
.rd
<<", QR: "<<mdp
.d_header
.qr
;
161 cout
<<", TC: "<<mdp
.d_header
.tc
<<", AA: "<<mdp
.d_header
.aa
<<", opcode: "<<mdp
.d_header
.opcode
<<endl
;
164 set
<DNSName
> namesseen
;
165 set
<DNSName
> namestocheck
;
169 for(MOADNSParser::answers_t::const_iterator i
=mdp
.d_answers
.begin(); i
!=mdp
.d_answers
.end(); ++i
) {
170 if(i
->first
.d_type
== QType::NSEC3
)
172 // cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl;
173 // cerr<<i->first.d_content->getZoneRepresentation()<<endl;
174 const auto r
= std::dynamic_pointer_cast
<NSEC3RecordContent
>(i
->first
.d_content
);
178 // nsec3.insert(new nsec3()
179 // cerr<<toBase32Hex(r.d_nexthash)<<endl;
180 vector
<string
> parts
;
181 string sname
=i
->first
.d_name
.toString();
182 boost::split(parts
, sname
/* FIXME400 */, boost::is_any_of("."));
183 nsec3s
.insert(make_pair(toLower(parts
[0]), toBase32Hex(r
->d_nexthash
)));
184 nsec3salt
= r
->d_salt
;
185 nsec3iters
= r
->d_iterations
;
189 // cerr<<"namesseen.insert('"<<i->first.d_name<<"')"<<endl;
190 names
.insert(i
->first
.d_name
);
191 namesseen
.insert(i
->first
.d_name
);
194 if(i
->first
.d_type
== QType::CNAME
)
196 namesseen
.insert(DNSName(i
->first
.d_content
->getZoneRepresentation()));
199 cout
<<i
->first
.d_place
-1<<"\t"<<i
->first
.d_name
.toString()<<"\tIN\t"<<DNSRecordContent::NumberToType(i
->first
.d_type
);
200 cout
<<"\t"<<i
->first
.d_ttl
<<"\t"<< i
->first
.d_content
->getZoneRepresentation()<<"\n";
204 cerr
<<"got "<<names
.size()<<" names"<<endl
;
205 for(set
<string
>::const_iterator pos
=names
.begin(); pos
!= names
.end(); ++pos
) {
206 cerr
<<"name: "<<*pos
<<endl
;
208 cerr
<<"got "<<nsec3s
.size()<<" names"<<endl
;
209 for(nsec3set::const_iterator pos
=nsec3s
.begin(); pos
!= nsec3s
.end(); ++pos
) {
210 cerr
<<"nsec3: "<<(*pos
).first
<<".."<<(*pos
).second
<<endl
;
214 cout
<<"== nsec3 prove/deny report follows =="<<endl
;
217 namesseen
.insert(qname
);
218 for(const auto &name
: namesseen
)
220 DNSName
shorter(name
);
222 namestocheck
.insert(shorter
);
223 } while(shorter
.chopOff());
225 for(const auto &name
: namestocheck
)
227 proveOrDeny(nsec3s
, name
, nsec3salt
, nsec3iters
, proven
, denied
);
228 proveOrDeny(nsec3s
, g_wildcarddnsname
+name
, nsec3salt
, nsec3iters
, proven
, denied
);
231 if(names
.count(qname
))
233 cout
<<"== qname found in names, investigating NSEC3s in case it's a wildcard"<<endl
;
234 // exit(EXIT_SUCCESS);
236 // cout<<"== qname not found in names, investigating denial"<<endl;
237 if(proven
.count(qname
))
239 cout
<<"qname found proven, NODATA response?"<<endl
;
242 DNSName shorter
=qname
;
246 while(shorter
.chopOff())
248 if(proven
.count(shorter
))
252 cout
<<"found closest encloser at "<<encloser
.toString()<<endl
;
253 cout
<<"next closer is "<<nextcloser
.toString()<<endl
;
258 if(encloser
.countLabels() && nextcloser
.countLabels())
260 if(denied
.count(nextcloser
))
262 cout
<<"next closer ("<<nextcloser
.toString()<<") is denied correctly"<<endl
;
266 cout
<<"next closer ("<<nextcloser
.toString()<<") NOT denied"<<endl
;
268 DNSName wcplusencloser
=g_wildcarddnsname
+encloser
;
269 if(denied
.count(wcplusencloser
))
271 cout
<<"wildcard at encloser ("<<wcplusencloser
.toString()<<") is denied correctly"<<endl
;
273 else if(proven
.count(wcplusencloser
))
275 cout
<<"wildcard at encloser ("<<wcplusencloser
.toString()<<") is proven"<<endl
;
279 cout
<<"wildcard at encloser ("<<wcplusencloser
.toString()<<") is NOT denied or proven"<<endl
;
284 catch(std::exception
&e
)
286 cerr
<<"Fatal: "<<e
.what()<<endl
;
288 catch(PDNSException
&e
)
290 cerr
<<"Fatal: "<<e
.reason
<<endl
;