Newer
Older
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <ctype.h>
#include <sys/time.h>
#include <libknot/descriptor.h>
#include <libknot/rrtype/rdname.h>
#include <libknot/rrtype/dnskey.h>
#include "lib/layer/iterate.h"
#include "lib/resolve.h"
#include "lib/rplan.h"
#include "lib/defines.h"
#include "lib/nsrep.h"
#include "lib/module.h"
#define DEBUG_MSG(fmt...) QRDEBUG(qry, "vldr", fmt)
/* Set resolution context and parameters. */
static int begin(knot_layer_t *ctx, void *module_param)
{
ctx->data = module_param;
return KNOT_STATE_PRODUCE;
}
static int secure_query(knot_layer_t *ctx, knot_pkt_t *pkt)
{
assert(pkt && ctx);
struct kr_request *req = ctx->data;
struct kr_query *query = kr_rplan_current(&req->rplan);
if (ctx->state & (KNOT_STATE_DONE|KNOT_STATE_FAIL)) {
return ctx->state;
}
if (query->zone_cut.key == NULL) {
/*
query->flags |= QUERY_AWAIT_TRUST;
DEBUG_MSG("%s() A002 '%s'\n", __func__, knot_pkt_qname(pkt));
struct knot_rrset *opt_rr = knot_rrset_copy(req->answer->opt_rr, &pkt->mm);
if (opt_rr == NULL) {
return KNOT_STATE_FAIL;
}
knot_pkt_clear(pkt);
int ret = knot_pkt_put_question(pkt, query->zone_cut.name, query->sclass, KNOT_RRTYPE_DNSKEY);
if (ret != KNOT_EOK) {
knot_rrset_free(&opt_rr, &pkt->mm);
return KNOT_STATE_FAIL;
}
knot_pkt_begin(pkt, KNOT_ADDITIONAL);
knot_pkt_put(pkt, KNOT_COMPR_HINT_NONE, opt_rr, KNOT_PF_FREE);
{
char name_str[KNOT_DNAME_MAXLEN], type_str[16];
knot_dname_to_str(name_str, knot_pkt_qname(pkt), sizeof(name_str));
knot_rrtype_to_string(knot_pkt_qtype(pkt), type_str, sizeof(type_str));
DEBUG_MSG("%s() A003 '%s %s'\n", __func__, name_str, type_str);
}
return KNOT_STATE_CONSUME;
*/
}
DEBUG_MSG("%s() A004\n", __func__);
#if 0
/* Copy query EDNS options and request DNSKEY for current cut. */
pkt->opt_rr = knot_rrset_copy(req->answer->opt_rr, &pkt->mm);
query->flags |= QUERY_AWAIT_TRUST;
#warning TODO: check if we already have valid DNSKEY in zone cut, otherwise request it from the resolver
#warning FLOW: since first query doesnt have it, resolve.c will catch this and issue subrequest for it
/* Write OPT to additional section */
knot_pkt_begin(pkt, KNOT_ADDITIONAL);
knot_pkt_put(pkt, KNOT_COMPR_HINT_NONE, pkt->opt_rr, KNOT_PF_FREE);
return KNOT_STATE_CONSUME;
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#endif
static int validate_records(struct kr_query *qry, knot_pkt_t *answer)
{
#warning TODO: validate RRSIGS (records with ZSK, keys with KSK), return FAIL if failed
if (!qry->zone_cut.key) {
DEBUG_MSG("<= no DNSKEY, can't validate\n");
}
DEBUG_MSG("!! validation not implemented\n");
return kr_error(ENOSYS);
}
static int validate_proof(struct kr_query *qry, knot_pkt_t *answer)
{
#warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
return kr_ok();
}
static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer)
{
/* Merge DNSKEY records from answer */
const knot_pktsection_t *an = knot_pkt_section(answer, KNOT_ANSWER);
for (unsigned i = 0; i < an->count; ++i) {
const knot_rrset_t *rr = knot_pkt_rr(an, i);
if (rr->type == KNOT_RRTYPE_DNSKEY) {
DEBUG_MSG("+= DNSKEY flags: %hu algo: %x\n",
knot_dnskey_flags(&rr->rrs, 0),
0xff & knot_dnskey_alg(&rr->rrs, 0));
#warning TODO: merge with zone cut 'key' RRSet
}
}
/* Check if there's a key for current TA. */
#warning TODO: check if there is a DNSKEY we can trust (matching current TA)
return kr_ok();
}
static int update_delegation(struct kr_query *qry, knot_pkt_t *answer)
{
DEBUG_MSG("<= referral, checking DS\n");
#warning TODO: delegation, check DS record presence
return kr_ok();
}
static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
{
struct kr_query *qry = kr_rplan_current(&req->rplan);
if (ctx->state & KNOT_STATE_FAIL) {
return ctx->state;
}
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
/* Pass-through if user doesn't want secure answer. */
if (!(req->flags & KR_REQ_DNSSEC)) {
return ctx->state;
}
/* Server didn't copy back DO=1, this is okay if it doesn't have DS => insecure.
* If it has DS, it must be secured, fail it as bogus. */
if (!knot_pkt_has_dnssec(pkt)) {
DEBUG_MSG("<= asked with DO=1, got insecure response\n");
#warning TODO: fail and retry if it has TA, otherwise flag as INSECURE and continue
return KNOT_STATE_FAIL;
}
/* Validate non-existence proof if not positive answer. */
if (knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_NXDOMAIN) {
ret = validate_proof(qry, pkt);
if (ret != 0) {
DEBUG_MSG("<= bad NXDOMAIN proof\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KNOT_STATE_FAIL;
}
}
/* Check if this is a DNSKEY answer, check trust chain and store. */
uint16_t qtype = knot_pkt_qtype(pkt);
if (qtype == KNOT_RRTYPE_DNSKEY) {
ret = validate_keyset(qry, pkt);
if (ret != 0) {
DEBUG_MSG("<= bad keys, broken trust chain\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KNOT_STATE_FAIL;
}
/* Update trust anchor. */
} else if (qtype == KNOT_RRTYPE_NS) {
update_delegation(qry, pkt);
}
/* Validate all records, fail as bogus if it doesn't match. */
ret = validate_records(qry, pkt);
if (ret != 0) {
DEBUG_MSG("<= couldn't validate RRSIGs\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KNOT_STATE_FAIL;
}
DEBUG_MSG("<= answer valid, OK\n");
}
/** Module implementation. */
const knot_layer_api_t *validate_layer(struct kr_module *module)
{
static const knot_layer_api_t _layer = {
.begin = &begin,
.consume = &validate,
};
return &_layer;
}
KR_MODULE_EXPORT(validate)