Findings from release candidate
authorWillem Toorop <willem@NLnetLabs.nl>
Fri, 19 Oct 2012 12:03:05 +0000 (12:03 +0000)
committerWillem Toorop <willem@NLnetLabs.nl>
Fri, 19 Oct 2012 12:03:05 +0000 (12:03 +0000)
- With drill:
- Read default key only when DNSSEC tracing or chasing
- With ldns-dane:
- When performing as stub resolver with DNSSEC enabled,
  interpret SERVFAIL as BOGUS.
- Just discard bogus address records (instead of quitting altogether)
- Don't deep-free rdf data that lives on the stack in ldns_pkt_verify_time

dnssec.c
drill/drill.1.in
drill/drill.c
examples/ldns-dane.c

index 37fd6e97d6e3c3951634d94acc794964de5d47df..fac1bca3905fc7cff5b1fde267788c60c78d866b 100644 (file)
--- a/dnssec.c
+++ b/dnssec.c
@@ -1467,7 +1467,7 @@ ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
        rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder);
 
        sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
-       ldns_rdf_deep_free(rdf_t);
+       ldns_rdf_free(rdf_t);
        if (! sigs_covered) {
                if (! s) {
                        ldns_rr_list_deep_free(sigs);
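Review bot: The switch to `ldns_rdf_free(rdf_t)` deserves a comment, because `rdf_t` is built by `ldns_rdf_new` over `&t_netorder` and nothing nearby says the rdf only borrows that storage; a later reader who sees a plain `_free` next to the `ldns_rr_list_deep_free(sigs)` below may "fix" it back and reintroduce the free of stack memory this commit removes. I would add `/* rdf_t only borrows &t_netorder; a deep free would free stack memory */` directly above the free. Separately, the `ldns_rdf_new` result is handed to `ldns_rr_list_subtype_by_rdf` without a NULL check; if that constructor can fail on allocation (its definition is not visible here), a guard that frees `sigs` and returns an error belongs before the call. `ldns_pkt_verify_time` starts and ends outside this hunk.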
index b49dfb4c6b6731ccfa04b80635546cd7024cbaba..15b15a425333c665a732418925c98ea923150aca 100644 (file)
@@ -161,7 +161,8 @@ given \fBdrill\fR tries to validate the current answer with this
 key. No chasing is done. When \fBdrill\fR is doing a secure trace, this
 key will be used as trust anchor. Can contain a DNSKEY or a DS record.
 
-Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+Alternatively, when DNSSEC enabled tracing (\fB-TD\fR) or signature
+chasing (\fB-S\fR), if \fB-k\fR is not specified, and a default trust anchor
 (@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
 it will be used as the trust anchor.
 
index f24405be00154b7d4fc8925576c0523709ceae32..574c8b98c856c5867901d40b023c783c75ff9a17 100644 (file)
@@ -49,11 +49,11 @@ usage(FILE *stream, const char *progname)
        fprintf(stream, "\t-b <bufsize>\tuse <bufsize> as the buffer size (defaults to 512 b)\n");
        fprintf(stream, "\t-c <file>\tuse file for rescursive nameserver configuration"
                        "\n\t\t\t(/etc/resolv.conf)\n");
-       fprintf(stream, "\t-k <file>\tspecify a file that contains a trusted DNSSEC key"
-                       "\n\t\t\t(DNSKEY|DS) [**]\n");
-       fprintf(stream, "\t\t\tused to verify any signatures in the current answer\n");
-       fprintf(stream, "\t\t\tIf DNSSEC is enabled and no key files are given, keys\n"
-                       "\t\t\tare read from %s\n",
+       fprintf(stream, "\t-k <file>\tspecify a file that contains a trusted DNSSEC key [**]\n");
+       fprintf(stream, "\t\t\tUsed to verify any signatures in the current answer.\n");
+       fprintf(stream, "\t\t\tWhen DNSSEC enabled tracing (-TD) or signature\n"
+                       "\t\t\tchasing (-S) and no key files are given, keys are read\n"
+                       "\t\t\tfrom: %s\n",
                        LDNS_TRUST_ANCHOR_FILE);
        fprintf(stream, "\t-o <mnemonic>\tset flags to:"
                        "\n\t\t\t[QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n");
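Review bot: The rewritten `-k <file>` line drops the `(DNSKEY|DS)` hint that the removed line carried, while the man page hunk in this same commit still says the file can contain a DNSKEY or a DS record, so the usage text now tells the user less than the manual does. I would keep the record types on the new line: `"\t-k <file>\tspecify a file that contains a trusted DNSSEC key (DNSKEY|DS) [**]\n"`. The unchanged `-c` line just above also still spells "rescursive"; worth fixing while this text is being touched. `usage` continues outside this hunk.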
@@ -404,7 +404,7 @@ main(int argc, char *argv[])
        argc -= optind;
        argv += optind;
 
-       if ((qdnssec || PURPOSE == DRILL_CHASE) &&
+       if ((PURPOSE == DRILL_CHASE || (PURPOSE == DRILL_TRACE && qdnssec)) &&
                        ldns_rr_list_rr_count(key_list) == 0) {
 
                (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true);
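Review bot: The `read_key_file` result on the last line is still discarded with `(void)`, so when `LDNS_TRUST_ANCHOR_FILE` is missing or unparseable the narrowed condition lets a `-TD` trace or `-S` chase proceed with an empty `key_list` and nothing here tells the user that the default anchor was not loaded; whether the later chase/trace code reports the missing anchor is outside this hunk. A one-line warning on failure would make that fallback visible, e.g. `if (! read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true)) fprintf(stderr, "Warning: could not read default trust anchor %s\n", LDNS_TRUST_ANCHOR_FILE);`, assuming `read_key_file` reports success in its return value, which the hunk does not show. `main` starts and ends outside this hunk.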
index 371bfa4ccdf9a352ff5683bca220ca681e419fdd..6802482086f23aab69e970288ee016e576b791ec 100644 (file)
@@ -577,16 +577,31 @@ dane_query(ldns_rr_list** rrs, ldns_resolver* r,
                return LDNS_STATUS_MEM_ERR;
        }
        *rrs = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER);
-       if (ldns_rr_list_rr_count(*rrs) == 0 /* *rrs will actually be NULL then! */
-                       || ! ldns_resolver_dnssec(r)) {
+
+       if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitely disabled,
+                                           anything goes */
                ldns_pkt_free(p);
                return LDNS_STATUS_OK;
        }
+       if (ldns_rr_list_rr_count(*rrs) == 0) { /* assert(*rrs == NULL) */
+
+               if (ldns_pkt_get_rcode(p) == LDNS_RCODE_SERVFAIL) {
+
+                       ldns_pkt_free(p);
+                       return LDNS_STATUS_DANE_BOGUS;
+               } else {
+                       ldns_pkt_free(p);
+                       return LDNS_STATUS_OK;
+               }
+       }
        /* We have answers and we have dnssec. */
 
        if (! ldns_pkt_cd(p)) { /* we act as stub resolver (no sigchase) */
+
                if (! ldns_pkt_ad(p)) { /* Not secure */
-                       goto insecure;
+
+                       ldns_pkt_free(p);
+                       return LDNS_STATUS_DANE_INSECURE;
                }
                ldns_pkt_free(p);
                return LDNS_STATUS_OK;
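Review bot: The new empty-answer branch returns `LDNS_STATUS_OK` for every non-SERVFAIL rcode before the CD/AD inspection that follows it, so in the stub-resolver path an empty NOERROR or NXDOMAIN reply is reported OK whether or not the upstream set AD, while a non-empty reply without AD is reported `LDNS_STATUS_DANE_INSECURE`. Callers therefore cannot tell a validated denial of existence from an unvalidated one; if that is intended, a comment on the branch should say so, e.g. `/* empty non-SERVFAIL answer: reported OK regardless of AD; only SERVFAIL maps to BOGUS */`, and if it is not, the `ldns_pkt_ad` check should apply in this branch too (the `LDNS_STATUS_DANE_INSECURE` callers in this commit only warn when the list is non-empty, so they would need adjusting). The AD path also trusts whatever resolver `r` points at, which is only sound when that resolver is reached over a trusted path; that assumption is worth stating on the `we act as stub resolver` comment. `dane_query` starts and ends outside this hunk.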
@@ -670,7 +685,15 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
 
                if (s == LDNS_STATUS_DANE_INSECURE &&
                        ldns_rr_list_rr_count(as) > 0) {
-                       fprintf(stderr, "Warning! Insecure IPv4 addresses\n");
+                       fprintf(stderr, "Warning! Insecure IPv4 addresses. "
+                                       "Continuing with them...\n");
+
+               } else if (s == LDNS_STATUS_DANE_BOGUS ||
+                               LDNS_STATUS_CRYPTO_BOGUS == s) {
+                       fprintf(stderr, "Warning! Bogus IPv4 addresses. "
+                                       "Discarding...\n");
+                       ldns_rr_list_deep_free(as);
+                       as = ldns_rr_list_new();
 
                } else if (s != LDNS_STATUS_OK) {
                        LDNS_ERR(s, "dane_query");
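Review bot: `as = ldns_rr_list_new();` in the new bogus branch is not checked for NULL; if that constructor can fail on allocation (its definition is not visible here), whatever later consumes `as` would dereference NULL. A guard after the assignment, `if (! as) { /* take the function's allocation-failure path */ }`, would close that; `dane_query` in this file uses `LDNS_STATUS_MEM_ERR` for the same situation. The same condition also mixes `s == LDNS_STATUS_DANE_BOGUS` with `LDNS_STATUS_CRYPTO_BOGUS == s`; pick one operand order for both. `dane_lookup_addresses` starts and ends outside this hunk.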
@@ -688,7 +711,15 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname,
 
                if (s == LDNS_STATUS_DANE_INSECURE &&
                        ldns_rr_list_rr_count(aaas) > 0) {
-                       fprintf(stderr, "Warning! Insecure IPv6 addresses\n");
+                       fprintf(stderr, "Warning! Insecure IPv6 addresses. "
+                                       "Continuing with them...\n");
+
+               } else if (s == LDNS_STATUS_DANE_BOGUS ||
+                               LDNS_STATUS_CRYPTO_BOGUS == s) {
+                       fprintf(stderr, "Warning! Bogus IPv4 addresses. "
+                                       "Discarding...\n");
+                       ldns_rr_list_deep_free(aaas);
+                       aaas = ldns_rr_list_new();
 
                } else if (s != LDNS_STATUS_OK) {
                        LDNS_ERR(s, "dane_query");
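Review bot: The new warning in the AAAA branch says `Bogus IPv4 addresses` although it is reached from the IPv6 lookup (the list freed on the next lines is `aaas`), which will mislead anyone reading the log when only the AAAA answer failed validation. Change the string to `"Warning! Bogus IPv6 addresses. "`. The unchecked `ldns_rr_list_new()` result and the mixed operand order in the condition are shared with the IPv4 branch above and should be fixed in both places. `dane_lookup_addresses` starts and ends outside this hunk.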
@@ -1216,7 +1247,7 @@ main(int argc, char* const* argv)
                        transport = LDNS_DANE_TRANSPORT_UDP;
                        break;
                case 'v':
-                       printf("verify-zone version %s (ldns version %s)\n",
+                       printf("ldns-dane version %s (ldns version %s)\n",
                                        LDNS_VERSION, ldns_version());
                        exit(EXIT_SUCCESS);
                        break;