From: Miek Gieben <miekg@NLnetLabs.nl>
Date: Wed, 31 May 2006 13:46:42 +0000 (+0000)
Subject: test selfsignedness
X-Git-Tag: release-1.1.0~105
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=101b465456dfacf59a2c567e334b60b70fa70930;p=thirdparty%2Fldns.git

test selfsignedness

I have been  fighting caches all day and still sometimes
queries fail for some reason...
---

diff --git a/drill/securetrace.c b/drill/securetrace.c
index 97a67701..5a59f013 100644
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@@ -11,9 +11,9 @@
 #include "drill.h"
 #include <ldns/dns.h>
 
-#define SELF "[SELF]"  /* self sig ok */
-#define TRUST "[TRUST]"  /* self sig ok */
-#define CHAIN "[CHAIN]" /* chain from parent */
+#define OK "[OK]"  /* self sig ok */
+#define TRUST "[TR]" /* chain from parent */
+#define BOGUS "[BO]" /* bogus */
 
 #if 0
 /* See if there is a key/ds in trusted that matches
@@ -136,7 +136,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 		ldns_rr_class c, ldns_rr_list *trusted_keys)
 {
 	ldns_resolver *res;
-	ldns_pkt *p;
+	ldns_pkt *p, *local_p;
 	ldns_rr_list *new_nss_a;
 	ldns_rr_list *new_nss_aaaa;
 	ldns_rr_list *new_nss;
@@ -144,7 +144,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	uint16_t loop_count;
 	ldns_rdf *pop; 
 	ldns_rdf **labels;
-	ldns_status status;
+	ldns_status status, st;
 	ssize_t i;
 	size_t j;
 	uint8_t labels_count;
@@ -166,6 +166,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	pt = LDNS_PACKET_UNKNOWN;
 
 	p = ldns_pkt_new();
+	local_p = ldns_pkt_new();
 	res = ldns_resolver_new();
 	key_sig_list = ldns_rr_list_new();
 	ds_sig_list = ldns_rr_list_new();
@@ -189,7 +190,8 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	ldns_resolver_set_random(res, 
 			ldns_resolver_random(local_res));
 	ldns_resolver_set_recursive(res, false);
-	ldns_resolver_set_dnssec_cd(res, true);
+	ldns_resolver_set_dnssec_cd(res, false);
+	ldns_resolver_set_dnssec(res, true);
 	ldns_resolver_set_recursive(local_res, false);
 
 	labels_count = ldns_dname_label_count(name);
@@ -209,17 +211,17 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 	for(i = (ssize_t)labels_count + 1; i > 0; i--) {
 
 		/* get the nameserver for this label */
-		status = ldns_resolver_send(&p, local_res, labels[i], LDNS_RR_TYPE_NS, c, 0);
+		status = ldns_resolver_send(&local_p, local_res, labels[i], LDNS_RR_TYPE_NS, c, 0);
 		/* ldns_pkt_print(stdout, p); */
-		new_nss_a = ldns_pkt_rr_list_by_type(p,
+		new_nss_a = ldns_pkt_rr_list_by_type(local_p,
 				LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
-		new_nss_aaaa = ldns_pkt_rr_list_by_type(p,
+		new_nss_aaaa = ldns_pkt_rr_list_by_type(local_p,
 				LDNS_RR_TYPE_AAAA, LDNS_SECTION_ADDITIONAL);
-		new_nss = ldns_pkt_rr_list_by_type(p,
+		new_nss = ldns_pkt_rr_list_by_type(local_p,
 				LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
 		if (!new_nss) {
 			/* sometimes they are hidden in the answer section */
-			new_nss = ldns_pkt_rr_list_by_type(p,
+			new_nss = ldns_pkt_rr_list_by_type(local_p,
 					LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
 		}
 
@@ -273,36 +275,52 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 			error("No nameservers found for this node\n");
 			return NULL;
 		}
-		ldns_rr_list_print(stdout, new_nss);
+		ldns_rdf_print(stdout, labels[i]); puts("");
 
 		p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
 		pt = get_key(p, labels[i], &key_list, &key_sig_list);
-		if (key_list) {
-			ldns_rr_list_print(stdout, key_list);
+/*		ldns_pkt_print(stdout, p);*/
+		if (key_sig_list) {
+			if (key_list) {
+				if ((st = ldns_verify(key_list, key_sig_list, key_list, NULL)) ==
+						LDNS_STATUS_OK) {
+					print_rr_list_abbr(stdout, key_list, OK);
+				} else {
+					print_rr_list_abbr(stdout, key_list, BOGUS);
+				}
+			} else {
+				mesg("No DNSKEY");
+			}
 		}
 
 		p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DS);
 		pt = get_ds(p, labels[i], &ds_list, &ds_sig_list);
-		if (ds_list) {
-			ldns_rr_list_print(stdout, ds_list);
+		if (!ds_list) {
+			/* we might get lucky and get a DS referral wehn
+			 * asking for the key of the query name */
+			p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
+			pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 
 		}
-		ds_list = NULL;
-
-		/* we might get lucky and get a DS referral wehn
-		 * asking for the key of the query name */
-		p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
-		pt = get_ds(p, NULL, &ds_list, &ds_sig_list); 
-		if (ds_list) {
-			ldns_rr_list_print(stdout, ds_list);
+		if (ds_sig_list) {
+			if (ds_list) {
+				if ((st = ldns_verify(ds_list, ds_sig_list, key_list, NULL)) ==
+						LDNS_STATUS_OK) {
+					print_rr_list_abbr(stdout, ds_list, OK);
+				} else {
+					print_rr_list_abbr(stdout, ds_list, BOGUS);
+				}
+			} else {
+				mesg("No DS");
+			}
 		}
-		ds_list = NULL;
 
+		ds_list = NULL;
 		new_nss_aaaa = NULL;
 		new_nss_a = NULL;
 		new_nss = NULL;
 		ns_addr = NULL;
 		key_list = NULL;
-		while((pop = ldns_resolver_pop_nameserver(res))) { /* do it */ }
+		while((ldns_resolver_pop_nameserver(res))) { /* remove it */ }
 		
 		puts("");
 	}