}
/** verify that a DS RR hashes to a key and that key signs the set */
+#if 0
static enum sec_status
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
struct module_qstate* qstate)
+{
+ return verify_dnskeys_with_ds_rr_ede( env, ve, dnskey_rrset, ds_rrset,
+ ds_idx, reason, NULL, qstate);
+}
+#endif
+
+static enum sec_status
+verify_dnskeys_with_ds_rr_ede(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate)
{
enum sec_status sec = sec_status_bogus;
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
/* Otherwise, we have a match! Make sure that the DNSKEY
* verifies *with this key* */
- sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
- dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate);
+ sec = dnskey_verify_rrset_ede(env, ve, dnskey_rrset, dnskey_rrset,
+ i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
return sec;
}
return digest_algo;
}
-enum sec_status
+// @TODO change the use of this function to _ede function in authzone.c:8111
+enum sec_status
val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
struct module_qstate* qstate)
+{
+ return val_verify_DNSKEY_with_DS_ede(env, ve, dnskey_rrset, ds_rrset,
+ sigalg, reason, NULL, qstate);
+}
+
+enum sec_status
+val_verify_DNSKEY_with_DS_ede(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate)
{
/* as long as this is false, we can consider this DS rrset to be
* equivalent to no DS rrset. */
continue;
}
- sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
- ds_rrset, i, reason, qstate);
+ sec = verify_dnskeys_with_ds_rr_ede(env, ve, dnskey_rrset,
+ ds_rrset, i, reason, reason_bogus, qstate);
if(sec == sec_status_insecure)
continue;
return sec_status_bogus;
}
-struct key_entry_key*
+struct key_entry_key*
val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
struct module_qstate* qstate)
{
+ return val_verify_new_DNSKEYs_ede(region, env, ve,dnskey_rrset, ds_rrset,
+ downprot, reason, NULL, qstate);
+}
+
+struct key_entry_key*
+val_verify_new_DNSKEYs_ede(struct regional* region, struct module_env* env,
+ struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate)
+{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
- enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
- dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate);
+ enum sec_status sec = val_verify_DNSKEY_with_DS_ede(env, ve,
+ dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason,
+ reason_bogus, qstate);
if(sec == sec_status_secure) {
return key_entry_create_rrset(region,
BOGUS_KEY_TTL, *env->now);
}
-enum sec_status
+enum sec_status
val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds,
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
struct module_qstate* qstate)
+{
+ return val_verify_DNSKEY_with_TA_ede(env, ve, dnskey_rrset, ta_ds,
+ ta_dnskey, sigalg, reason, NULL, qstate);
+}
+
+enum sec_status
+val_verify_DNSKEY_with_TA_ede(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ta_ds,
+ struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate)
{
/* as long as this is false, we can consider this anchor to be
* equivalent to no anchor. */
verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
"by name");
*reason = "DNSKEY RRset did not match DS RRset by name";
+ if (reason_bogus)
+ *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
return sec_status_bogus;
}
if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
"by name");
*reason = "DNSKEY RRset did not match anchor RRset by name";
+ if (reason_bogus)
+ *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
return sec_status_bogus;
}
ds_get_digest_algo(ta_ds, i) != digest_algo)
continue;
- sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
- ta_ds, i, reason, qstate);
+ sec = verify_dnskeys_with_ds_rr_ede(env, ve, dnskey_rrset,
+ ta_ds, i, reason, reason_bogus, qstate);
if(sec == sec_status_insecure)
continue;
return sec_status_bogus;
}
+#if 0
struct key_entry_key*
val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds_rrset,
struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
char** reason, struct module_qstate* qstate)
+{
+ return val_verify_rrset_entry_ede(region, env, ve, dnskey_rrset,
+ ta_ds_rrset, ta_dnskey_rrset,downprot, reason, NULL, qstate);
+}
+#endif
+
+struct key_entry_key*
+val_verify_new_DNSKEYs_with_ta_ede(struct regional* region, struct module_env* env,
+ struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ta_ds_rrset,
+ struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
+ char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate)
{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
- enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
+ enum sec_status sec = val_verify_DNSKEY_with_TA_ede(env, ve,
dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
- downprot?sigalg:NULL, reason, qstate);
+ downprot?sigalg:NULL, reason, reason_bogus, qstate);
if(sec == sec_status_secure) {
- return key_entry_create_rrset(region,
+ return key_entry_create_rrset(region,
dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, dnskey_rrset->rk.dname,
- dnskey_rrset->rk.dname_len,
+ dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class),
rrset_get_ttl(dnskey_rrset), *env->now);
}
BOGUS_KEY_TTL, *env->now);
}
-int
+int
val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
{
size_t i;
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
struct module_qstate* qstate);
+enum sec_status val_verify_DNSKEY_with_DS_ede(struct module_env* env,
+ struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate);
+
/**
* Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS
* but for a trust anchor.
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
struct module_qstate* qstate);
+enum sec_status val_verify_DNSKEY_with_TA_ede(struct module_env* env,
+ struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ta_ds,
+ struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate);
+
/**
* Verify new DNSKEYs with DS rrset. The DS contains hash values that should
* match the DNSKEY keys.
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
struct module_qstate* qstate);
+struct key_entry_key* val_verify_new_DNSKEYs_ede(struct regional* region,
+ struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
+ sldns_ede_code *reason_bogus, struct module_qstate* qstate);
/**
* Verify rrset with trust anchor: DS and DNSKEY rrset.
struct ub_packed_rrset_key* ta_dnskey_rrset,
int downprot, char** reason, struct module_qstate* qstate);
+struct key_entry_key* val_verify_new_DNSKEYs_with_ta_ede(struct regional* region,
+ struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* dnskey_rrset,
+ struct ub_packed_rrset_key* ta_ds_rrset,
+ struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
+ char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate);
+
/**
* Determine if DS rrset is usable for validator or not.
* Returns true if the algorithms for key and DShash are supported,
vq->chase_reply->reason_bogus = LDNS_EDE_RRSIGS_MISSING;
errinf_origin(qstate, qstate->reply_origin);
vq->chase_reply->security = sec_status_bogus;
+ // @TODO add EDE 10 - RRSIGs Missing
vq->state = VAL_FINISHED_STATE;
return 1;
}
struct key_entry_key* kkey = NULL;
enum sec_status sec = sec_status_unchecked;
char* reason = NULL;
+ sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
int downprot = qstate->env->cfg->harden_algo_downgrade;
if(!dnskey_rrset) {
return kkey;
}
/* attempt to verify with trust anchor DS and DNSKEY */
- kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve,
+ kkey = val_verify_new_DNSKEYs_with_ta_ede(qstate->region, qstate->env, ve,
dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
- &reason, qstate);
+ &reason, &reason_bogus, qstate);
if(!kkey) {
log_err("out of memory: verifying prime TA");
return NULL;
/* NOTE: in this case, we should probably reject the trust
* anchor for longer, perhaps forever. */
if(qstate->env->cfg->harden_dnssec_stripped) {
- errinf(qstate, reason);
+ // errinf(qstate, reason);
+ errinf_ede(qstate, reason, reason_bogus);
kkey = key_entry_create_bad(qstate->region, ta->name,
ta->namelen, ta->dclass, BOGUS_KEY_TTL,
*qstate->env->now);
/* bad response */
verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to "
"DNSKEY query.");
+
+ // @TODO add EDE 9 - DNSKEY Missing
+
if(vq->restart_count < ve->max_restart) {
val_blacklist(&vq->chain_blacklist, qstate->region,
origin, 1);
return;
}
downprot = qstate->env->cfg->harden_algo_downgrade;
+ // @TODO add _ede
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
ve, dnskey, vq->ds_rrset, downprot, &reason, qstate);
projects / thirdparty / unbound.git / commitdiff
