From: Willem Toorop Date: Fri, 19 Oct 2012 12:03:05 +0000 (+0000) Subject: Findings from release candidate X-Git-Tag: release-1.6.17rc1~187 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae401e21ff99d58a0057201abbc8a74bf081c834;p=thirdparty%2Fldns.git Findings from release candidate - With drill: - Read default key only when DNSSEC tracing or chasing - With ldns-dane: - When performing as stub resolver with DNSSEC enabled, interpret SERVFAIL as BOGUS. - Just discard bogus address records (instead of quiting all together) - Don't release on the stack rdf data in ldns_pkt_verify_time --- diff --git a/dnssec.c b/dnssec.c index 37fd6e97..fac1bca3 100644 --- a/dnssec.c +++ b/dnssec.c @@ -1467,7 +1467,7 @@ ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder); sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0); - ldns_rdf_deep_free(rdf_t); + ldns_rdf_free(rdf_t); if (! sigs_covered) { if (! s) { ldns_rr_list_deep_free(sigs); diff --git a/drill/drill.1.in b/drill/drill.1.in index b49dfb4c..15b15a42 100644 --- a/drill/drill.1.in +++ b/drill/drill.1.in @@ -161,7 +161,8 @@ given \fBdrill\fR tries to validate the current answer with this key. No chasing is done. When \fBdrill\fR is doing a secure trace, this key will be used as trust anchor. Can contain a DNSKEY or a DS record. -Alternatively, if \fB-k\fR is not specified, and a default trust anchor +Alternatively, when DNSSEC enabled tracing (\fB-TD\fR) or signature +chasing (\fB-S\fR), if \fB-k\fR is not specified, and a default trust anchor (@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record, it will be used as the trust anchor. diff --git a/drill/drill.c b/drill/drill.c index f24405be..574c8b98 100644 --- a/drill/drill.c +++ b/drill/drill.c 
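Review bot: The reason `ldns_rdf_free` is now correct here is not recorded at the call site: `rdf_t` was built by `ldns_rdf_new` over `&t_netorder`, an automatic variable, so a deep free would pass a stack address to free(), and a later edit could easily reintroduce that; a comment such as `/* rdf_t only wraps the stack variable t_netorder: free the wrapper, never its data */` would pin the ownership. The `ldns_rdf_new` result is also not checked, and the NULL it presumably yields on allocation failure flows into `ldns_rr_list_subtype_by_rdf` and then `ldns_rdf_free`; unless those are known to tolerate NULL, a guard like `if (! rdf_t) { ldns_rr_list_deep_free(sigs); return LDNS_STATUS_MEM_ERR; }` would match the cleanup visible on the `! sigs_covered` path (the exact status to return depends on the function's other error paths, which are outside this hunk). ldns_pkt_verify_time starts and ends outside the hunk.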
@@ -49,11 +49,11 @@ usage(FILE *stream, const char *progname) fprintf(stream, "\t-b \tuse as the buffer size (defaults to 512 b)\n"); fprintf(stream, "\t-c \tuse file for rescursive nameserver configuration" "\n\t\t\t(/etc/resolv.conf)\n"); - fprintf(stream, "\t-k \tspecify a file that contains a trusted DNSSEC key" - "\n\t\t\t(DNSKEY|DS) [**]\n"); - fprintf(stream, "\t\t\tused to verify any signatures in the current answer\n"); - fprintf(stream, "\t\t\tIf DNSSEC is enabled and no key files are given, keys\n" - "\t\t\tare read from %s\n", + fprintf(stream, "\t-k \tspecify a file that contains a trusted DNSSEC key [**]\n"); + fprintf(stream, "\t\t\tUsed to verify any signatures in the current answer.\n"); + fprintf(stream, "\t\t\tWhen DNSSEC enabled tracing (-TD) or signature\n" + "\t\t\tchasing (-S) and no key files are given, keys are read\n" + "\t\t\tfrom: %s\n", LDNS_TRUST_ANCHOR_FILE); fprintf(stream, "\t-o \tset flags to:" "\n\t\t\t[QR|qr][AA|aa][TC|tc][RD|rd][CD|cd][RA|ra][AD|ad]\n"); @@ -404,7 +404,7 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; - if ((qdnssec || PURPOSE == DRILL_CHASE) && + if ((PURPOSE == DRILL_CHASE || (PURPOSE == DRILL_TRACE && qdnssec)) && ldns_rr_list_rr_count(key_list) == 0) { (void) read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true); diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c index 371bfa4c..68024820 100644 --- a/examples/ldns-dane.c +++ b/examples/ldns-dane.c 
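Review bot: The result of `read_key_file` on the narrowed condition is still discarded with `(void)`, so when signature chasing (`-S`) or DNSSEC tracing (`-TD`) is requested without `-k` and the default anchor file is missing or unparseable, `key_list` silently stays empty and the run proceeds with no trust anchor; whether validation then fails hard or just reports the chain as unverifiable is outside this hunk. Since these are now precisely the modes the anchor is loaded for, a visible diagnostic is warranted, e.g. `if (! read_key_file(LDNS_TRUST_ANCHOR_FILE, key_list, true)) fprintf(stderr, "Warning: no trust anchor loaded from %s\n", LDNS_TRUST_ANCHOR_FILE);`, adjusted to read_key_file's actual return convention, which is not shown here. The new condition also means a plain `-D` query without `-k` is no longer validated against the default anchor; that matches the updated usage text, but a one-line comment above the `if` would stop the asymmetry with `-k` being read as a bug. main starts and ends outside the hunk.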
@@ -577,16 +577,31 @@ dane_query(ldns_rr_list** rrs, ldns_resolver* r, return LDNS_STATUS_MEM_ERR; } *rrs = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANSWER); - if (ldns_rr_list_rr_count(*rrs) == 0 /* *rrs will actually be NULL then! */ - || ! ldns_resolver_dnssec(r)) { + + if (! ldns_resolver_dnssec(r)) { /* DNSSEC explicitely disabled, + anything goes */ ldns_pkt_free(p); return LDNS_STATUS_OK; } + if (ldns_rr_list_rr_count(*rrs) == 0) { /* assert(*rrs == NULL) */ + + if (ldns_pkt_get_rcode(p) == LDNS_RCODE_SERVFAIL) { + + ldns_pkt_free(p); + return LDNS_STATUS_DANE_BOGUS; + } else { + ldns_pkt_free(p); + return LDNS_STATUS_OK; + } + } /* We have answers and we have dnssec. */ if (! ldns_pkt_cd(p)) { /* we act as stub resolver (no sigchase) */ + if (! ldns_pkt_ad(p)) { /* Not secure */ - goto insecure; + + ldns_pkt_free(p); + return LDNS_STATUS_DANE_INSECURE; } ldns_pkt_free(p); return LDNS_STATUS_OK; @@ -670,7 +685,15 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname, if (s == LDNS_STATUS_DANE_INSECURE && ldns_rr_list_rr_count(as) > 0) { - fprintf(stderr, "Warning! Insecure IPv4 addresses\n"); + fprintf(stderr, "Warning! Insecure IPv4 addresses. " + "Continuing with them...\n"); + + } else if (s == LDNS_STATUS_DANE_BOGUS || + LDNS_STATUS_CRYPTO_BOGUS == s) { + fprintf(stderr, "Warning! Bogus IPv4 addresses. " + "Discarding...\n"); + ldns_rr_list_deep_free(as); + as = ldns_rr_list_new(); } else if (s != LDNS_STATUS_OK) { LDNS_ERR(s, "dane_query"); 
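Review bot: The empty-answer branch returns `LDNS_STATUS_OK` for every rcode other than SERVFAIL without consulting the AD bit, while a non-empty answer on the same stub path (`! ldns_pkt_cd(p)`) is downgraded to `LDNS_STATUS_DANE_INSECURE` when AD is missing; a forged or unvalidated NODATA/NXDOMAIN for the TLSA name therefore reads as a clean "no records" result instead of as insecure. The AD check should cover the empty case too, e.g. in the `else` branch before the `return LDNS_STATUS_OK`: `if (! ldns_pkt_cd(p) && ! ldns_pkt_ad(p)) { ldns_pkt_free(p); return LDNS_STATUS_DANE_INSECURE; }`. What the CD-set (signature chasing) path should do with an unsigned negative answer depends on code after this hunk, so that is left as a question rather than a proposal. dane_query starts and ends outside the hunk.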
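Review bot: The new condition mixes `s == LDNS_STATUS_DANE_BOGUS` with the reversed `LDNS_STATUS_CRYPTO_BOGUS == s` in a single expression; one form, `s == LDNS_STATUS_DANE_BOGUS || s == LDNS_STATUS_CRYPTO_BOGUS`, reads more easily and matches the comparison on the `INSECURE` branch above it. After a bogus result `as` is swapped for an empty list and execution continues, so a name whose A records all fail validation is indistinguishable to the rest of the function from a name with no A records, and the bogus outcome survives only in the stderr warning; that deserves a comment at the `ldns_rr_list_new()` line so nobody later treats the empty list as authoritative. The `ldns_rr_list_new()` result is also unchecked, though whether the remainder of the function tolerates a NULL list is not visible in this hunk. dane_lookup_addresses starts and ends outside the hunk.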
@@ -688,7 +711,15 @@ dane_lookup_addresses(ldns_resolver* res, ldns_rdf* dname, if (s == LDNS_STATUS_DANE_INSECURE && ldns_rr_list_rr_count(aaas) > 0) { - fprintf(stderr, "Warning! Insecure IPv6 addresses\n"); + fprintf(stderr, "Warning! Insecure IPv6 addresses. " + "Continuing with them...\n"); + + } else if (s == LDNS_STATUS_DANE_BOGUS || + LDNS_STATUS_CRYPTO_BOGUS == s) { + fprintf(stderr, "Warning! Bogus IPv4 addresses. " + "Discarding...\n"); + ldns_rr_list_deep_free(aaas); + aaas = ldns_rr_list_new(); } else if (s != LDNS_STATUS_OK) { LDNS_ERR(s, "dane_query"); @@ -1216,7 +1247,7 @@ main(int argc, char* const* argv) transport = LDNS_DANE_TRANSPORT_UDP; break; case 'v': - printf("verify-zone version %s (ldns version %s)\n", + printf("ldns-dane version %s (ldns version %s)\n", LDNS_VERSION, ldns_version()); exit(EXIT_SUCCESS); break;
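Review bot: The warning in the new bogus branch of the IPv6 block says `"Warning! Bogus IPv4 addresses. "` although it is reached after the AAAA lookup and discards `aaas`; it should read `"Warning! Bogus IPv6 addresses. "`, matching the insecure message earlier in the same block. The condition guarding it also mixes `s == LDNS_STATUS_DANE_BOGUS` with `LDNS_STATUS_CRYPTO_BOGUS == s`; writing both as `s == …` keeps it consistent with the rest of the function. dane_lookup_addresses starts and ends outside the hunk.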