This file contains helper functions for the validator module. More...
#include "util/data/packed_rrset.h"
Functions | |
enum sec_status | val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, uint32_t *proof_ttl, char **reason) |
Check DS absence. | |
int | nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type) |
NSEC type-bitmap check: takes the NSEC type bitmap (the bitmap part of the wireformat rdata) as argument and checks whether the given type is present. | |
int | nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type) |
Check if type is present in the NSEC typemap. | |
int | nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc) |
Determine if a NSEC proves the NOERROR/NODATA conditions. | |
int | val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname. | |
int | val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc) |
Determine if the given NSEC proves a positive wildcard response. | |
uint8_t * | nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec) |
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it). | |
int | val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen) |
Determine if the given NSEC proves that a wildcard match does not exist. | |
int | val_nsec_check_dlv (struct query_info *qinfo, struct reply_info *rep, uint8_t **nm, size_t *nm_len) |
Determine the DLV result: decide what to do with a negative (NSEC) DLV reply. |
This file contains helper functions for the validator module.
The functions help with NSEC checking: the different NSEC proofs for denial of existence, and proofs for presence of types.
enum sec_status val_nsec_prove_nodata_dsreply | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct query_info * | qinfo, | |||
struct reply_info * | rep, | |||
struct key_entry_key * | kkey, | |||
uint32_t * | proof_ttl, | |||
char ** | reason | |||
) |
Check DS absence.
There is a NODATA reply to a DS query that needs checking. The NSEC records in the reply can prove that this name is not a delegation point, or successfully prove that there is no DS at it. Otherwise the proof fails and the reply is not accepted as secure.
env,: | module env for rrsig verification routines. | |
ve,: | validator env for rrsig verification routines. | |
qinfo,: | the DS queried for. | |
rep,: | reply received. | |
kkey,: | key entry to use for verification of signatures. | |
proof_ttl,: | output: if the result is secure, the TTL for which this proof remains valid. | |
reason,: | output: a string explaining why the reply is judged bogus. |
References reply_info::an_numrrsets, packed_rrset_key::dname, dname_is_wild(), reply_info::ns_numrrsets, nsec_closest_encloser(), nsec_proves_nodata(), query_info::qclass, query_info::qname, query_info::qname_len, query_dname_compare(), reply_find_rrset_section_ns(), ub_packed_rrset_key::rk, rrset_get_ttl(), reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, ub_packed_rrset_ttl(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), val_verify_rrset_entry(), VERB_ALGO, and verbose().
Referenced by ds_response_to_ke().
int nsecbitmap_has_type_rdata | ( | uint8_t * | bitmap, | |
size_t | len, | |||
uint16_t | type | |||
) |
NSEC type-bitmap check: takes the NSEC type bitmap (the bitmap part of the wireformat rdata) as argument and checks whether the given type is present.
bitmap,: | pointer to the bitmap part of wireformat rdata. | |
len,: | length of the bitmap, in bytes. | |
type,: | the type (in host order) to check for. |
Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().
int nsec_has_type | ( | struct ub_packed_rrset_key * | nsec, | |
uint16_t | type | |||
) |
Check if type is present in the NSEC typemap.
nsec,: | the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node. | |
type,: | type to check for, host order. |
References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by find_add_ds(), grab_nsec(), nsec_proves_nodata(), val_nsec_check_dlv(), val_nsec_proves_name_error(), and val_nsec_proves_no_ds().
int nsec_proves_nodata | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinfo, | |||
uint8_t ** | wc | |||
) |
Determine if a NSEC proves the NOERROR/NODATA conditions.
This will also handle the empty non-terminal (ENT) case and only partially handle the wildcard case. If the owner name of 'nsec' is a wildcard, this function alone is not sufficient: the validator must still be given proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
nsec,: | the nsec record to check against. | |
qinfo,: | the query info. | |
wc,: | output: if the NODATA is proven for a wildcard match, the wildcard's closest encloser is returned here; otherwise it is not proven by a wildcard and *wc is left unchanged. The caller must then verify that this closest encloser matches the one established by the name-error (NXDOMAIN) proof for the next closer name of qname. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_neg_dlvlookup(), val_nsec_prove_nodata_dsreply(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_name_error | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname | |||
) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
nsec,: | the nsec to check | |
qname,: | what was queried. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_neg_dlvlookup(), val_nsec_check_dlv(), val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().
int val_nsec_proves_positive_wildcard | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinf, | |||
uint8_t * | wc | |||
) |
Determine if the given NSEC proves a positive wildcard response.
nsec,: | the nsec to check | |
qinf,: | what was queried. | |
wc,: | the wildcard's closest encloser, i.e. the wildcard name without its leading *. label |
References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().
Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().
uint8_t* nsec_closest_encloser | ( | uint8_t * | qname, | |
struct ub_packed_rrset_key * | nsec | |||
) |
Determine the closest encloser of a query name from the NSEC that covers it (and thus disproves its existence).
The caller must already have proven that this NSEC covers qname (a name-error proof, e.g. via val_nsec_proves_name_error()); without that, the returned closest encloser is meaningless and must not be used.
qname,: | the name queried for. | |
nsec,: | the nsec RRset. |
References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_no_wc | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname, | |||
size_t | qnamelen | |||
) |
Determine if the given NSEC proves that a wildcard match does not exist.
nsec,: | the nsec RRset. | |
qname,: | the name queried for. | |
qnamelen,: | length of qname. |
References dname_count_labels(), dname_remove_labels(), nsec_closest_encloser(), and val_nsec_proves_name_error().
Referenced by validate_cname_noanswer_response(), and validate_nameerror_response().
int val_nsec_check_dlv | ( | struct query_info * | qinfo, | |
struct reply_info * | rep, | |||
uint8_t ** | nm, | |||
size_t * | nm_len | |||
) |
Determine the DLV result: decide what to do with a negative (NSEC) DLV reply.
qinfo,: | what was queried for. | |
rep,: | the negative (non-positive) reply. | |
nm,: | in/out: the DLV lookup name; adjusted to the new lookup name if a further lookup is needed. | |
nm_len,: | in/out: length of the lookup name. |
References reply_info::an_numrrsets, dlv_topdomain(), packed_rrset_key::dname, dname_canonical_compare(), dname_remove_label(), dname_strict_subdomain_c(), reply_info::flags, FLAGS_GET_RCODE, log_nametypeclass(), reply_info::ns_numrrsets, nsec_get_next(), nsec_has_type(), query_info::qname, ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, val_nsec_proves_name_error(), and VERB_ALGO.
Referenced by process_dlv_response().