Functions | Variables
validator.c File Reference

This file contains a module that performs validation of DNS queries. More...

#include "config.h"
#include "validator/validator.h"
#include "validator/val_anchor.h"
#include "validator/val_kcache.h"
#include "validator/val_kentry.h"
#include "validator/val_utils.h"
#include "validator/val_nsec.h"
#include "validator/val_nsec3.h"
#include "validator/val_neg.h"
#include "validator/val_sigcrypt.h"
#include "validator/autotrust.h"
#include "services/cache/dns.h"
#include "util/data/dname.h"
#include "util/module.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/regional.h"
#include "util/config_file.h"
#include "util/fptr_wlist.h"
#include "ldns/rrdef.h"
#include "ldns/wire2str.h"

Functions

static void process_ds_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin)
 Process DS response. More...
 
static int fill_nsec3_iter (struct val_env *ve, char *s, int c)
 fill up nsec3 key iterations config entry
 
static int val_apply_cfg (struct module_env *env, struct val_env *val_env, struct config_file *cfg)
 apply config settings to validator
 
int val_init (struct module_env *env, int id)
 validator init
 
void val_deinit (struct module_env *env, int id)
 validator deinit
 
static struct val_qstateval_new_getmsg (struct module_qstate *qstate, struct val_qstate *vq)
 fill in message structure
 
static struct val_qstateval_new (struct module_qstate *qstate, int id)
 allocate new validator query state
 
static int val_error (struct module_qstate *qstate, int id)
 Exit validation with an error status. More...
 
static int needs_validation (struct module_qstate *qstate, int ret_rc, struct dns_msg *ret_msg)
 Check to see if a given response needs to go through the validation process. More...
 
static int already_validated (struct dns_msg *ret_msg)
 Check to see if the response has already been validated. More...
 
static int generate_request (struct module_qstate *qstate, int id, uint8_t *name, size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
 Generate a request for DNS data. More...
 
static int prime_trust_anchor (struct module_qstate *qstate, struct val_qstate *vq, int id, struct trust_anchor *toprime)
 Prime trust anchor for use. More...
 
static int validate_msg_signatures (struct module_qstate *qstate, struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *key_entry)
 Validate if the ANSWER and AUTHORITY sections contain valid rrsets. More...
 
static int detect_wrongly_truncated (struct reply_info *rep)
 Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral). More...
 
static void validate_positive_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey)
 Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response. More...
 
static void validate_nodata_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey)
 Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets. More...
 
static void validate_nameerror_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey, int *rcode)
 Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode. More...
 
static void validate_referral_response (struct reply_info *chase_reply)
 Given a referral response, validate rrsets and take least trusted rrset as the current validation status. More...
 
static void validate_any_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey)
 Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers. More...
 
static void validate_cname_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey)
 Validate CNAME response, or DNAME+CNAME. More...
 
static void validate_cname_noanswer_response (struct module_env *env, struct val_env *ve, struct query_info *qchase, struct reply_info *chase_reply, struct key_entry_key *kkey)
 Validate CNAME NOANSWER response, no more data after a CNAME chain. More...
 
static int processInit (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Process init state for validator. More...
 
static int processFindKey (struct module_qstate *qstate, struct val_qstate *vq, int id)
 Process the FINDKEY state. More...
 
static int processValidate (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response. More...
 
static int val_dlv_init (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Init DLV check. More...
 
static int processFinished (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 The Finished state. More...
 
static int processDLVLookup (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 The DLVLookup state. More...
 
static void val_handle (struct module_qstate *qstate, struct val_qstate *vq, struct val_env *ve, int id)
 Handle validator state. More...
 
void val_operate (struct module_qstate *qstate, enum module_ev event, int id, struct outbound_entry *outbound)
 validator operate on a query
 
static struct key_entry_keyprimeResponseToKE (struct ub_packed_rrset_key *dnskey_rrset, struct trust_anchor *ta, struct module_qstate *qstate, int id)
 Evaluate the response to a priming request. More...
 
static int ds_response_to_ke (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct key_entry_key **ke)
 In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry. More...
 
static void process_dnskey_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo, struct sock_list *origin)
 Process DNSKEY response. More...
 
static void process_prime_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct sock_list *origin)
 Process prime response Sets the key entry in the state. More...
 
static void process_dlv_response (struct module_qstate *qstate, struct val_qstate *vq, int id, int rcode, struct dns_msg *msg, struct query_info *qinfo)
 Process DLV response. More...
 
void val_inform_super (struct module_qstate *qstate, int id, struct module_qstate *super)
 inform validator super. More...
 
void val_clear (struct module_qstate *qstate, int id)
 validator cleanup query state
 
size_t val_get_mem (struct module_env *env, int id)
 Debug helper routine that assists worker in determining memory in use. More...
 
struct module_func_blockval_get_funcblock (void)
 Get the validator function block. More...
 
const char * val_state_to_string (enum val_state state)
 Get validator state as a string. More...
 

Variables

static struct module_func_block val_block
 The validator function block. More...
 

Detailed Description

This file contains a module that performs validation of DNS queries.

According to RFC 4034.

Function Documentation

static void process_ds_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct sock_list origin 
)
static

Process DS response.

Called from inform_supers. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.

Parameters
qstatequery state that is validating and asked for a DS.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
originthe origin of msg.

References val_qstate::chain_blacklist, ds_response_to_ke(), val_qstate::ds_rrset, val_qstate::empty_DS_len, val_qstate::empty_DS_name, module_qstate::errinf, errinf_dname(), errinf_origin(), val_qstate::key_entry, key_entry_get_rrset(), key_entry_isbad(), key_entry_isgood(), log_err(), query_info::qname, query_info::qname_len, module_qstate::region, regional_alloc_init(), val_qstate::restart_count, val_qstate::state, val_blacklist(), VAL_MAX_RESTART_COUNT, and VAL_VALIDATE_STATE.

Referenced by processFindKey(), and val_inform_super().

static int val_error ( struct module_qstate qstate,
int  id 
)
static

Exit validation with an error status.

Parameters
qstatequery state
idvalidator id.
Returns
false, for use by caller to return to stop processing.

References module_qstate::ext_state, module_error, and module_qstate::return_rcode.

Referenced by processDLVLookup(), processFindKey(), processInit(), processValidate(), and val_dlv_init().

static int needs_validation ( struct module_qstate qstate,
int  ret_rc,
struct dns_msg ret_msg 
)
static

Check to see if a given response needs to go through the validation process.

Typical reasons for this routine to return false are: CD bit was on in the original request, or the response is a kind of message that is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)

Parameters
qstatequery state.
ret_rcrcode for this message (if noerror - examine ret_msg).
ret_msgreturn msg, can be NULL; look at rcode instead.
Returns
true if the response could use validation (although this does not mean we can actually validate this response).

References reply_info::an_numrrsets, BIT_CD, reply_info::flags, FLAGS_GET_RCODE, LDNS_RR_TYPE_RRSIG, module_qstate::qinfo, query_info::qtype, module_qstate::query_flags, dns_msg::rep, sldns_wire2str_rcode_buf(), VERB_ALGO, verbose(), and verbosity.

Referenced by val_operate().

static int already_validated ( struct dns_msg ret_msg)
static

Check to see if the response has already been validated.

Parameters
ret_msgreturn msg, can be NULL
Returns
true if the response has already been validated

References dns_msg::rep, sec_status_bogus, sec_status_to_string(), reply_info::security, VERB_ALGO, and verbose().

Referenced by val_operate().

static int generate_request ( struct module_qstate qstate,
int  id,
uint8_t *  name,
size_t  namelen,
uint16_t  qtype,
uint16_t  qclass,
uint16_t  flags 
)
static

Generate a request for DNS data.

Parameters
qstatequery state that is the parent.
idmodule id.
namewhat name to query for.
namelenlength of name.
qtypequery type.
qclassquery class.
flagsadditional flags, such as the CD bit (BIT_CD), or 0.
Returns
false on alloc failure.

References module_env::attach_sub, BIT_RD, val_qstate::chain_blacklist, module_qstate::env, module_qstate::ext_state, fptr_ok, fptr_whitelist_modenv_attach_sub(), log_err(), log_query_info(), module_qstate::minfo, module_wait_subquery, query_info::qname, sock_list_merge(), and VERB_ALGO.

Referenced by prime_trust_anchor(), processDLVLookup(), processFindKey(), and val_dlv_init().

static int prime_trust_anchor ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
struct trust_anchor toprime 
)
static

Prime trust anchor for use.

Generate and dispatch a priming query for the given trust anchor. The trust anchor can be DNSKEY or DS and does not have to be signed.

Parameters
qstatequery state.
vqvalidator query state.
idmodule id.
toprimewhat to prime.
Returns
false on a processing error.

References BIT_CD, trust_anchor::dclass, generate_request(), log_err(), trust_anchor::name, trust_anchor::namelabs, trust_anchor::namelen, module_qstate::region, regional_alloc_init(), val_qstate::trust_anchor_labs, val_qstate::trust_anchor_len, val_qstate::trust_anchor_name, and val_qstate::wait_prime_ta.

Referenced by processInit().

static int validate_msg_signatures ( struct module_qstate qstate,
struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key key_entry 
)
static

Validate if the ANSWER and AUTHORITY sections contain valid rrsets.

They must be validly signed with the given key. Tries to validate ADDITIONAL rrsets as well, but only to check them. Allows unsigned CNAME after a DNAME that expands the DNAME.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
qstatequery state.
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to validate.
key_entrythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
Returns
false if any of the rrsets in the an or ns sections of the message fail to verify. The message is then set to bogus.

References reply_info::an_numrrsets, val_env::clean_additional, lruhash_entry::data, packed_rrset_key::dname, ub_packed_rrset_key::entry, errinf(), errinf_origin(), errinf_rrset(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DNAME, log_nametypeclass(), key_entry_key::name, reply_info::ns_numrrsets, query_info::qtype, query_dname_compare(), module_qstate::reply_origin, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, rrset_trust_validated, reply_info::rrsets, sec_status_bogus, sec_status_secure, reply_info::security, packed_rrset_key::type, val_find_rrset_signer(), val_verify_rrset_entry(), and VERB_QUERY.

Referenced by processValidate().

static int detect_wrongly_truncated ( struct reply_info rep)
static

Detect wrong truncated response (say from BIND 9.6.1 that is forwarding and saw the NS record without signatures from a referral).

The positive response has a mangled authority section. Remove that authority section and the additional section.

Parameters
repreply
Returns
true if a wrongly truncated response.

References reply_info::an_numrrsets, lruhash_entry::data, ub_packed_rrset_key::entry, LDNS_RR_TYPE_NS, reply_info::ns_numrrsets, ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_secure, packed_rrset_key::type, VERB_ALGO, and verbose().

Referenced by processValidate().

static void validate_positive_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey 
)
static

Given a "positive" response – a response that contains an answer to the question, and no CNAME chain, validate this response.

The answer and authority RRsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().

References reply_info::an_numrrsets, packed_rrset_key::dname, log_nametypeclass(), reply_info::ns_numrrsets, nsec3_prove_wildcard(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, reply_info::security, packed_rrset_key::type, val_nsec_proves_positive_wildcard(), val_rrset_wildcard(), VERB_ALGO, VERB_QUERY, and verbose().

Referenced by processValidate().

static void validate_nodata_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey 
)
static

Validate a NOERROR/NODATA signed response – a response that has a NOERROR Rcode but no ANSWER section RRsets.

This consists of making certain that the authority section NSEC/NSEC3s proves that the qname does exist and the qtype doesn't.

The answer and authority RRsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().

References reply_info::an_numrrsets, log_dns_msg(), reply_info::ns_numrrsets, nsec3_prove_nodata(), nsec_closest_encloser(), nsec_proves_nodata(), query_info::qname, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, reply_info::security, packed_rrset_key::type, val_nsec_proves_insecuredelegation(), val_nsec_proves_name_error(), VERB_ALGO, VERB_QUERY, verbose(), and verbosity.

Referenced by processValidate(), and validate_nameerror_response().

static void validate_nameerror_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey,
int *  rcode 
)
static

Validate a NAMEERROR signed response – a response that has a NXDOMAIN Rcode.

This consists of making certain that the authority section NSEC proves that the qname doesn't exist and the covering wildcard also doesn't exist..

The answer and authority RRsets must have already been verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().
rcodeadjusted RCODE, in case of RCODE/proof mismatch leniency.

References reply_info::an_numrrsets, reply_info::ns_numrrsets, nsec3_prove_nameerror(), query_info::qname, query_info::qname_len, ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_to_string(), reply_info::security, packed_rrset_key::type, val_nsec_proves_insecuredelegation(), val_nsec_proves_name_error(), val_nsec_proves_no_wc(), validate_nodata_response(), VERB_ALGO, VERB_QUERY, and verbose().

Referenced by processValidate().

static void validate_referral_response ( struct reply_info chase_reply)
static

Given a referral response, validate rrsets and take least trusted rrset as the current validation status.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
chase_replyanswer to validate.

References lruhash_entry::data, ub_packed_rrset_key::entry, reply_info::rrset_count, reply_info::rrsets, sec_status_secure, sec_status_to_string(), reply_info::security, packed_rrset_data::security, VERB_ALGO, and verbose().

Referenced by processValidate().

static void validate_any_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey 
)
static

Given an "ANY" response – a response that contains an answer to a qtype==ANY question, with answers.

This does no checking that all types are present.

NOTE: it may be possible to get parent-side delegation point records here, which won't all be signed. Right now, this routine relies on the upstream iterative resolver to not return these responses – instead treating them as referrals.

NOTE: RFC 4035 is silent on this issue, so this may change upon clarification. Clarification draft -05 says to not check all types are present.

Note that by the time this method is called, the process of finding the trusted DNSKEY rrset that signs this response must already have been completed.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().

References reply_info::an_numrrsets, packed_rrset_key::dname, LDNS_RR_TYPE_ANY, log_err(), log_nametypeclass(), reply_info::ns_numrrsets, nsec3_prove_wildcard(), query_info::qtype, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, reply_info::security, packed_rrset_key::type, val_nsec_proves_positive_wildcard(), val_rrset_wildcard(), VERB_ALGO, VERB_QUERY, and verbose().

Referenced by processValidate().

static void validate_cname_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey 
)
static

Validate CNAME response, or DNAME+CNAME.

This is just like a positive proof, except that this is about a DNAME+CNAME. Possible wildcard proof. Difference with positive proof is that this routine refuses wildcarded DNAMEs.

The answer and authority rrsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().

References reply_info::an_numrrsets, packed_rrset_key::dname, LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DNAME, log_nametypeclass(), reply_info::ns_numrrsets, nsec3_prove_wildcard(), query_info::qtype, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, reply_info::security, packed_rrset_key::type, val_nsec_proves_positive_wildcard(), val_rrset_wildcard(), VERB_ALGO, VERB_QUERY, and verbose().

Referenced by processValidate().

static void validate_cname_noanswer_response ( struct module_env env,
struct val_env ve,
struct query_info qchase,
struct reply_info chase_reply,
struct key_entry_key kkey 
)
static

Validate CNAME NOANSWER response, no more data after a CNAME chain.

This can be a NODATA or a NAME ERROR case, but not both at the same time. We don't know because the rcode has been set to NOERROR by the CNAME.

The answer and authority rrsets must already be verified as secure.

Parameters
envmodule env for verify.
vevalidator env for verify.
qchasequery that was made.
chase_replyanswer to that query to validate.
kkeythe key entry, which is trusted, and which matches the signer of the answer. The key entry isgood().

References reply_info::an_numrrsets, log_dns_msg(), reply_info::ns_numrrsets, nsec3_prove_nxornodata(), nsec_closest_encloser(), nsec_proves_nodata(), query_info::qname, query_info::qname_len, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, reply_info::security, packed_rrset_key::type, val_nsec_proves_insecuredelegation(), val_nsec_proves_name_error(), val_nsec_proves_no_wc(), VERB_ALGO, VERB_QUERY, verbose(), and verbosity.

Referenced by processValidate().

static int processInit ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Process init state for validator.

Process the INIT state. First tier responses start in the INIT state. This is where they are vetted for validation suitability, and the initial key search is done.

Currently, events the come through this routine will be either promoted to FINISHED/CNAME_RESP (no validation needed), FINDKEY (next step to validation), or will be (temporarily) retired and a new priming request event will be generated.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References module_env::anchors, anchors_lookup(), val_qstate::chase_reply, val_qstate::dlv_checked, dname_remove_label(), dname_strict_subdomain_c(), dname_subdomain_c(), val_qstate::ds_rrset, val_qstate::empty_DS_name, module_qstate::env, errinf(), errinf_dname(), val_env::kcache, key_cache_obtain(), val_qstate::key_entry, key_entry_get_reason(), key_entry_isbad(), key_entry_isnull(), LDNS_RR_TYPE_DS, trust_anchor::lock, log_dns_msg(), log_nametypeclass(), key_entry_key::name, trust_anchor::name, module_env::now, trust_anchor::numDNSKEY, trust_anchor::numDS, val_qstate::orig_msg, PACKED_RRSET_NSEC_AT_APEX, prime_trust_anchor(), val_qstate::qchase, query_info::qclass, module_qstate::qinfo, query_info::qname, query_info::qname_len, query_info::qtype, query_dname_compare(), module_qstate::query_flags, module_qstate::region, dns_msg::rep, val_qstate::restart_count, ub_packed_rrset_key::rk, module_env::rrset_cache, reply_info::rrset_count, val_qstate::rrset_skip, reply_info::rrsets, sec_status_bogus, sec_status_indeterminate, sec_status_insecure, reply_info::security, val_qstate::signer_len, val_qstate::signer_name, val_qstate::state, packed_rrset_key::type, VAL_CLASS_CNAME, VAL_CLASS_NAMEERROR, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, val_classification_to_string(), val_classify_response(), val_error(), val_fill_reply(), val_find_signer(), VAL_FINDKEY_STATE, VAL_FINISHED_STATE, val_mark_indeterminate(), val_mark_insecure(), VAL_MAX_RESTART_COUNT, VERB_ALGO, VERB_DETAIL, VERB_QUERY, verbose(), and verbosity.

Referenced by val_handle().

static int processFindKey ( struct module_qstate qstate,
struct val_qstate vq,
int  id 
)
static
static int processValidate ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Process the VALIDATE stage, the init and findkey stages are finished, and the right keys are available to validate the response.

Or, there are no keys available, in order to invalidate the response.

After validation, the status is recorded in the message and rrsets, and finished state is started.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References reply_info::an_numrrsets, reply_info::ar_numrrsets, val_qstate::chase_reply, detect_wrongly_truncated(), module_qstate::env, module_qstate::errinf, errinf(), errinf_origin(), reply_info::flags, FLAGS_GET_RCODE, FLAGS_SET_RCODE, val_env::kcache, key_cache_insert(), key_entry_key::key_class, val_qstate::key_entry, key_entry_isbad(), key_entry_isnull(), log_err(), log_nametypeclass(), log_query_info(), key_entry_key::name, reply_info::ns_numrrsets, val_qstate::orig_msg, val_qstate::qchase, module_qstate::qinfo, module_qstate::query_flags, dns_msg::rep, module_qstate::reply_origin, val_qstate::restart_count, module_env::rrset_cache, reply_info::rrset_count, val_qstate::rrset_skip, sec_status_bogus, sec_status_insecure, sec_status_to_string(), reply_info::security, val_qstate::signer_name, val_qstate::state, VAL_CLASS_ANY, VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, val_classification_to_string(), val_classify_response(), val_error(), VAL_FINISHED_STATE, val_mark_insecure(), VAL_MAX_RESTART_COUNT, validate_any_response(), validate_cname_noanswer_response(), validate_cname_response(), validate_msg_signatures(), validate_nameerror_response(), validate_nodata_response(), validate_positive_response(), validate_referral_response(), VERB_ALGO, VERB_DETAIL, and verbose().

Referenced by val_handle().

static int val_dlv_init ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Init DLV check.

Called when a query is determined by other trust anchors to be insecure (or indeterminate). Then we look if there is a key in the DLV. Performs aggressive negative cache check to see if there is no key. Otherwise, spawns a DLV query, and changes to the DLV wait state.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if there is no DLV. false: processing is finished for the validator operate(). This function may exit in three ways: o no DLV (agressive cache), so insecure. (true) o error - stop processing (false) o DLV lookup was started, stop processing (false)

References module_env::anchors, val_anchors::dlv_anchor, val_qstate::dlv_checked, val_qstate::dlv_insecure_at, val_qstate::dlv_insecure_at_len, val_qstate::dlv_lookup_name, val_qstate::dlv_lookup_name_len, dname_remove_label(), dname_subdomain_c(), module_qstate::env, generate_request(), val_qstate::key_entry, key_entry_isnull(), LDNS_RR_TYPE_DS, log_assert, log_err(), log_nametypeclass(), key_entry_key::name, trust_anchor::name, key_entry_key::namelen, trust_anchor::namelen, val_env::neg_cache, module_env::now, val_qstate::qchase, query_info::qclass, query_info::qname, query_info::qname_len, query_info::qtype, module_qstate::region, regional_alloc(), module_env::rrset_cache, val_qstate::signer_len, val_qstate::signer_name, val_qstate::state, VAL_DLVLOOKUP_STATE, val_error(), val_neg_dlvlookup(), VERB_ALGO, and verbose().

Referenced by processFinished().

static int processFinished ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

The Finished state.

The validation status (good or bad) has been determined.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.
Returns
true if the event should be processed further on return, false if not.

References reply_info::an_numrrsets, module_env::anchors, BIT_RD, module_qstate::blacklist, val_env::bogus_ttl, module_env::cfg, val_qstate::chase_reply, val_anchors::dlv_anchor, val_qstate::dlv_checked, dns_cache_store(), module_qstate::env, module_qstate::errinf, errinf_to_str(), module_qstate::ext_state, log_err(), log_info(), log_query_info(), module_finished, module_restart_next, reply_info::ns_numrrsets, val_qstate::orig_msg, val_env::permissive_mode, module_qstate::prefetch_leeway, reply_info::prefetch_ttl, PREFETCH_TTL_CALC, val_qstate::qchase, dns_msg::qinfo, module_qstate::qinfo, module_qstate::query_flags, module_qstate::region, dns_msg::rep, module_qstate::reply_origin, val_qstate::restart_count, module_qstate::return_msg, module_qstate::return_rcode, reply_info::rrset_count, val_qstate::rrset_skip, sec_status_bogus, sec_status_indeterminate, sec_status_insecure, sec_status_secure, sec_status_unchecked, reply_info::security, val_qstate::state, reply_info::ttl, val_blacklist(), val_chase_cname(), val_check_nonsecure(), VAL_CLASS_CNAME, VAL_CLASS_REFERRAL, val_classify_response(), val_dlv_init(), VAL_INIT_STATE, config_file::val_log_level, config_file::val_log_squelch, VAL_MAX_RESTART_COUNT, val_next_unchecked(), VERB_ALGO, VERB_DETAIL, and verbose().

Referenced by val_handle().

static int processDLVLookup ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static
static void val_handle ( struct module_qstate qstate,
struct val_qstate vq,
struct val_env ve,
int  id 
)
static

Handle validator state.

If a method returns true, the next state is started. If false, then processing will stop.

Parameters
qstatequery state.
vqvalidator query state.
vevalidator shared global environment.
idmodule id.

References log_warn(), processDLVLookup(), processFindKey(), processFinished(), processInit(), processValidate(), val_qstate::state, VAL_DLVLOOKUP_STATE, VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, val_state_to_string(), VAL_VALIDATE_STATE, VERB_ALGO, and verbose().

Referenced by val_operate().

static struct key_entry_key* primeResponseToKE ( struct ub_packed_rrset_key dnskey_rrset,
struct trust_anchor ta,
struct module_qstate qstate,
int  id 
)
static

Evaluate the response to a priming request.

Parameters
dnskey_rrsetDNSKEY rrset (can be NULL if none) in prime reply. (this rrset is allocated in the wrong region, not the qstate).
tatrust anchor.
qstateqstate that needs key.
idmodule id.
Returns
new key entry or NULL on allocation failure. The key entry will either contain a validated DNSKEY rrset, or represent a Null key (query failed, but validation did not), or a Bad key (validation failed).

References BOGUS_KEY_TTL, module_env::cfg, trust_anchor::dclass, trust_anchor::dnskey_rrset, trust_anchor::ds_rrset, module_qstate::env, errinf(), config_file::harden_dnssec_stripped, key_entry_create_bad(), key_entry_create_null(), key_entry_isgood(), log_err(), log_nametypeclass(), module_env::modinfo, trust_anchor::name, trust_anchor::namelen, module_env::now, NULL_KEY_TTL, module_qstate::region, sec_status_bogus, sec_status_secure, sec_status_to_string(), sec_status_unchecked, val_verify_new_DNSKEYs_with_ta(), VERB_DETAIL, VERB_OPS, and verbose().

Referenced by process_prime_response().

static int ds_response_to_ke ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct key_entry_key **  ke 
)
static

In inform supers, with the resulting message and rcode and the current keyset in the super state, validate the DS response, returning a KeyEntry.

Parameters
qstatequery state that is validating and asked for a DS.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
kethe key entry to return. It returns is_bad if the DS response fails to validate, is_null if the DS response indicated an end to secure space, is_good if the DS validated. It returns ke=NULL if the DS response indicated that the request wasn't a delegation point.
Returns
0 on servfail error (malloc failure).

References reply_info::an_numrrsets, BIT_RD, BOGUS_KEY_TTL, lruhash_entry::data, ub_packed_rrset_key::entry, module_qstate::env, errinf(), reply_info::flags, FLAGS_GET_RCODE, val_qstate::key_entry, key_entry_create_bad(), key_entry_create_null(), key_entry_create_rrset(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DNAME, log_query_info(), log_warn(), module_env::modinfo, module_env::now, reply_info::ns_numrrsets, nsec3_prove_nods(), query_info::qclass, query_info::qname, query_info::qname_len, module_qstate::region, dns_msg::rep, reply_find_answer_rrset(), reply_find_rrset_section_an(), reply_info::rrsets, sec_status_bogus, sec_status_indeterminate, sec_status_insecure, sec_status_secure, sec_status_unchecked, sldns_wire2str_rcode_buf(), ub_packed_rrset_ttl(), VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, val_classification_to_string(), val_classify_response(), val_dsset_isusable(), val_has_signed_nsecs(), val_nsec_prove_nodata_dsreply(), val_verify_rrset_entry(), VERB_ALGO, VERB_DETAIL, VERB_QUERY, and verbose().

Referenced by process_ds_response().

static void process_dnskey_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo,
struct sock_list origin 
)
static

Process DNSKEY response.

Called from inform_supers. Sets the key entry in the state. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.

Parameters
qstatequery state that is validating and asked for a DNSKEY.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.
originthe origin of msg.

References BOGUS_KEY_TTL, val_qstate::chain_blacklist, val_qstate::ds_rrset, module_qstate::env, module_qstate::errinf, errinf(), errinf_dname(), errinf_origin(), val_env::kcache, key_cache_insert(), val_qstate::key_entry, key_entry_create_bad(), key_entry_isbad(), key_entry_isgood(), log_err(), log_query_info(), module_env::modinfo, module_env::now, query_info::qclass, query_info::qname, query_info::qname_len, module_qstate::region, dns_msg::rep, reply_find_answer_rrset(), val_qstate::restart_count, val_qstate::state, val_blacklist(), VAL_MAX_RESTART_COUNT, VAL_VALIDATE_STATE, val_verify_new_DNSKEYs(), VERB_DETAIL, and verbose().

Referenced by val_inform_super().

static void process_prime_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct sock_list origin 
)
static
static void process_dlv_response ( struct module_qstate qstate,
struct val_qstate vq,
int  id,
int  rcode,
struct dns_msg msg,
struct query_info qinfo 
)
static

Process DLV response.

Called from inform_supers. Because it is in inform_supers, the mesh itself is busy doing callbacks for a state that is to be deleted soon; don't touch the mesh; instead set a state in the super, as the super will be reactivated soon. Perform processing to determine what state to set in the super.

Parameters
qstatequery state that is validating and asked for a DLV.
vqvalidator query state
idmodule id.
rcodercode result value.
msgresult message (if rcode is OK).
qinfofrom the sub query state, query info.

References reply_info::an_numrrsets, module_env::anchors, lruhash_entry::data, val_anchors::dlv_anchor, val_qstate::dlv_lookup_name, val_qstate::dlv_lookup_name_len, packed_rrset_key::dname, packed_rrset_key::dname_len, dname_subdomain_c(), val_qstate::ds_rrset, ub_packed_rrset_key::entry, module_qstate::env, reply_info::flags, FLAGS_GET_RCODE, lruhash_entry::key, log_err(), module_env::modinfo, trust_anchor::name, val_env::neg_cache, packed_rrset_ptr_fixup(), packed_rrset_sizeof(), query_info::qclass, query_dname_compare(), module_qstate::region, regional_alloc_init(), dns_msg::rep, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrsets, sec_status_secure, sec_status_to_string(), reply_info::security, packed_rrset_key::type, val_neg_addreply(), val_nsec_check_dlv(), VERB_ALGO, and verbose().

Referenced by val_inform_super().

void val_inform_super ( struct module_qstate qstate,
int  id,
struct module_qstate super 
)
size_t val_get_mem ( struct module_env env,
int  id 
)

Debug helper routine that assists worker in determining memory in use.

Parameters
envmodule environment
idmodule id.
Returns
memory in use in bytes.

References val_env::kcache, key_cache_get_mem(), module_env::modinfo, val_env::neg_cache, val_env::nsec3_keyiter_count, and val_neg_get_mem().

Referenced by fptr_whitelist_mod_get_mem().

struct module_func_block* val_get_funcblock ( void  )

Get the validator function block.

Returns
: function block with function pointers to validator methods.

References val_block.

Referenced by checkconf(), and module_funcs_avail().

const char* val_state_to_string ( enum val_state  state)

Get validator state as a string.

Parameters
stateto convert
Returns
constant string that is printable.

References VAL_DLVLOOKUP_STATE, VAL_FINDKEY_STATE, VAL_FINISHED_STATE, VAL_INIT_STATE, and VAL_VALIDATE_STATE.

Referenced by val_handle().

Variable Documentation

struct module_func_block val_block
static
Initial value:
= {
"validator",
}
void val_inform_super(struct module_qstate *qstate, int id, struct module_qstate *super)
inform validator super.
Definition: validator.c:2903
void val_operate(struct module_qstate *qstate, enum module_ev event, int id, struct outbound_entry *outbound)
validator operate on a query
Definition: validator.c:2179
size_t val_get_mem(struct module_env *env, int id)
Debug helper routine that assists worker in determining memory in use.
Definition: validator.c:2948
void val_deinit(struct module_env *env, int id)
validator deinit
Definition: validator.c:182
int val_init(struct module_env *env, int id)
validator init
Definition: validator.c:160
void val_clear(struct module_qstate *qstate, int id)
validator cleanup query state
Definition: validator.c:2939

The validator function block.

Referenced by val_get_funcblock().