Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
D
Dnsmasq
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Locked Files
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Security & Compliance
Security & Compliance
Dependency List
License Compliance
Packages
Packages
List
Container Registry
Analytics
Analytics
CI / CD
Code Review
Insights
Issues
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nanahira
Dnsmasq
Commits
424c4a8a
Commit
424c4a8a
authored
Jan 07, 2015
by
Simon Kelley
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'unsigned'
parents
d8dbd903
97e618a0
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
260 additions
and
179 deletions
+260
-179
CHANGELOG
CHANGELOG
+9
-0
src/dnsmasq.h
src/dnsmasq.h
+7
-4
src/dnssec.c
src/dnssec.c
+56
-35
src/forward.c
src/forward.c
+188
-140
No files found.
CHANGELOG
View file @
424c4a8a
...
...
@@ -31,6 +31,15 @@ version 2.73
request for certain domains, before the correct answer can
arrive. Thanks to Glen Huang for the patch.
Revisit the part of DNSSEC validation which determines if an
unsigned answer is legit, or is in some part of the DNS
tree which should be signed. Dnsmasq now works from the
DNS root downward looking for the limit of signed
delegations, rather than working bottom up. This is
both more correct, and less likely to trip over broken
nameservers in the unsigned parts of the DNS tree
which don't respond well to DNSSEC queries.
version 2.72
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
...
...
src/dnsmasq.h
View file @
424c4a8a
...
...
@@ -569,8 +569,9 @@ struct hostsfile {
#define STAT_SECURE_WILDCARD 7
#define STAT_NO_SIG 8
#define STAT_NO_DS 9
#define STAT_NEED_DS_NEG 10
#define STAT_CHASE_CNAME 11
#define STAT_NO_NS 10
#define STAT_NEED_DS_NEG 11
#define STAT_CHASE_CNAME 12
#define FREC_NOREBIND 1
#define FREC_CHECKING_DISABLED 2
...
...
@@ -604,7 +605,9 @@ struct frec {
#ifdef HAVE_DNSSEC
int
class
,
work_counter
;
struct
blockdata
*
stash
;
/* Saved reply, whilst we validate */
size_t
stash_len
;
struct
blockdata
*
orig_domain
;
/* domain of original query, whilst
we're seeing is if in unsigned domain */
size_t
stash_len
,
name_start
,
name_len
;
struct
frec
*
dependent
;
/* Query awaiting internally-generated DNSKEY or DS query */
struct
frec
*
blocking_query
;
/* Query which is blocking us. */
#endif
...
...
@@ -1126,7 +1129,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
size_t
dnssec_generate_query
(
struct
dns_header
*
header
,
char
*
end
,
char
*
name
,
int
class
,
int
type
,
union
mysockaddr
*
addr
);
int
dnssec_validate_by_ds
(
time_t
now
,
struct
dns_header
*
header
,
size_t
n
,
char
*
name
,
char
*
keyname
,
int
class
);
int
dnssec_validate_ds
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
class
);
int
dnssec_validate_reply
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
*
class
,
int
*
neganswer
);
int
dnssec_validate_reply
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
*
class
,
int
*
neganswer
,
int
*
nons
);
int
dnssec_chase_cname
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
);
int
dnskey_keytag
(
int
alg
,
int
flags
,
unsigned
char
*
rdata
,
int
rdlen
);
size_t
filter_rrsigs
(
struct
dns_header
*
header
,
size_t
plen
);
...
...
src/dnssec.c
View file @
424c4a8a
...
...
@@ -875,7 +875,6 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
/* The DNS packet is expected to contain the answer to a DNSKEY query.
Put all DNSKEYs in the answer which are valid into the cache.
return codes:
STAT_INSECURE No DNSKEYs in reply.
STAT_SECURE At least one valid DNSKEY found and in cache.
STAT_BOGUS No DNSKEYs found, which can be validated with DS,
or self-sign for DNSKEY RRset is not valid, bad packet.
...
...
@@ -896,12 +895,9 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT
(
qtype
,
p
);
GETSHORT
(
qclass
,
p
);
if
(
qtype
!=
T_DNSKEY
||
qclass
!=
class
)
if
(
qtype
!=
T_DNSKEY
||
qclass
!=
class
||
ntohs
(
header
->
ancount
)
==
0
)
return
STAT_BOGUS
;
if
(
ntohs
(
header
->
ancount
)
==
0
)
return
STAT_INSECURE
;
/* See if we have cached a DS record which validates this key */
if
(
!
(
crecp
=
cache_find_by_name
(
NULL
,
name
,
now
,
F_DS
)))
{
...
...
@@ -1103,17 +1099,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
/* The DNS packet is expected to contain the answer to a DS query
Put all DSs in the answer which are valid into the cache.
return codes:
STAT_INSECURE no DS in reply or not signed.
STAT_SECURE At least one valid DS found and in cache.
STAT_NO_DS It's proved there's no DS here.
STAT_BOGUS At least one DS found, which fails validation, bad packet.
STAT_NO_NS It's proved there's no DS _or_ NS here.
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
*/
int
dnssec_validate_ds
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
class
)
{
unsigned
char
*
p
=
(
unsigned
char
*
)(
header
+
1
);
int
qtype
,
qclass
,
val
,
i
,
neganswer
;
int
qtype
,
qclass
,
val
,
i
,
neganswer
,
nons
;
if
(
ntohs
(
header
->
qdcount
)
!=
1
||
!
(
p
=
skip_name
(
p
,
header
,
plen
,
4
)))
...
...
@@ -1125,32 +1121,39 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if
(
qtype
!=
T_DS
||
qclass
!=
class
)
val
=
STAT_BOGUS
;
else
val
=
dnssec_validate_reply
(
now
,
header
,
plen
,
name
,
keyname
,
NULL
,
&
neganswer
);
val
=
dnssec_validate_reply
(
now
,
header
,
plen
,
name
,
keyname
,
NULL
,
&
neganswer
,
&
nons
);
/* Note dnssec_validate_reply() will have cached positive answers */
if
(
val
==
STAT_NO_SIG
)
val
=
STAT_
INSECURE
;
if
(
val
==
STAT_NO_SIG
||
val
==
STAT_INSECURE
)
val
=
STAT_
BOGUS
;
p
=
(
unsigned
char
*
)(
header
+
1
);
extract_name
(
header
,
plen
,
&
p
,
name
,
1
,
4
);
p
+=
4
;
/* qtype, qclass */
if
(
!
(
p
=
skip_section
(
p
,
ntohs
(
header
->
ancount
),
header
,
plen
)))
return
STAT_BOGUS
;
val
=
STAT_BOGUS
;
if
(
val
==
STAT_BOGUS
)
{
log_query
(
F_UPSTREAM
,
name
,
NULL
,
"BOGUS DS"
);
return
STAT_BOGUS
;
}
if
((
val
==
STAT_SECURE
||
val
==
STAT_INSECURE
)
&&
neganswer
)
/* By here, the answer is proved secure, and a positive answer has been cached. */
if
(
val
==
STAT_SECURE
&&
neganswer
)
{
int
rdlen
,
flags
=
F_FORWARD
|
F_DS
|
F_NEG
;
int
rdlen
,
flags
=
F_FORWARD
|
F_DS
|
F_NEG
|
F_DNSSECOK
;
unsigned
long
ttl
,
minttl
=
ULONG_MAX
;
struct
all_addr
a
;
if
(
RCODE
(
header
)
==
NXDOMAIN
)
flags
|=
F_NXDOMAIN
;
if
(
val
==
STAT_SECURE
)
flags
|=
F_DNSSECOK
;
/* We only cache validated DS records, DNSSECOK flag hijacked
to store presence/absence of NS. */
if
(
nons
)
flags
&=
~
F_DNSSECOK
;
for
(
i
=
ntohs
(
header
->
nscount
);
i
!=
0
;
i
--
)
{
...
...
@@ -1197,9 +1200,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
cache_insert
(
name
,
&
a
,
now
,
ttl
,
flags
);
cache_end_insert
();
log_query
(
F_UPSTREAM
,
name
,
NULL
,
nons
?
"no delegation"
:
"no DS"
);
}
return
(
val
==
STAT_SECURE
)
?
STAT_NO_DS
:
STAT_INSECURE
;
return
nons
?
STAT_NO_NS
:
STAT_NO_DS
;
}
return
val
;
...
...
@@ -1323,13 +1328,16 @@ static int find_nsec_records(struct dns_header *header, size_t plen, unsigned ch
}
static
int
prove_non_existence_nsec
(
struct
dns_header
*
header
,
size_t
plen
,
unsigned
char
**
nsecs
,
int
nsec_count
,
char
*
workspace1
,
char
*
workspace2
,
char
*
name
,
int
type
)
char
*
workspace1
,
char
*
workspace2
,
char
*
name
,
int
type
,
int
*
nons
)
{
int
i
,
rc
,
rdlen
;
unsigned
char
*
p
,
*
psave
;
int
offset
=
(
type
&
0xff
)
>>
3
;
int
mask
=
0x80
>>
(
type
&
0x07
);
if
(
nons
)
*
nons
=
0
;
/* Find NSEC record that proves name doesn't exist */
for
(
i
=
0
;
i
<
nsec_count
;
i
++
)
{
...
...
@@ -1355,6 +1363,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
rdlen
-=
p
-
psave
;
/* rdlen is now length of type map, and p points to it */
/* If we can prove that there's no NS record, return that information. */
if
(
nons
&&
rdlen
>=
2
&&
p
[
0
]
==
0
&&
(
p
[
2
]
&
(
0x80
>>
T_NS
))
==
0
)
*
nons
=
1
;
while
(
rdlen
>=
2
)
{
if
(
!
CHECK_LEN
(
header
,
p
,
plen
,
rdlen
))
...
...
@@ -1456,7 +1468,7 @@ static int base32_decode(char *in, unsigned char *out)
}
static
int
check_nsec3_coverage
(
struct
dns_header
*
header
,
size_t
plen
,
int
digest_len
,
unsigned
char
*
digest
,
int
type
,
char
*
workspace1
,
char
*
workspace2
,
unsigned
char
**
nsecs
,
int
nsec_count
)
char
*
workspace1
,
char
*
workspace2
,
unsigned
char
**
nsecs
,
int
nsec_count
,
int
*
nons
)
{
int
i
,
hash_len
,
salt_len
,
base32_len
,
rdlen
;
unsigned
char
*
p
,
*
psave
;
...
...
@@ -1497,6 +1509,10 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
if
(
!
CHECK_LEN
(
header
,
p
,
plen
,
rdlen
))
return
0
;
/* If we can prove that there's no NS record, return that information. */
if
(
nons
&&
rdlen
>=
2
&&
p
[
0
]
==
0
&&
(
p
[
2
]
&
(
0x80
>>
T_NS
))
==
0
)
*
nons
=
1
;
while
(
rdlen
>=
2
)
{
if
(
p
[
0
]
==
type
>>
8
)
...
...
@@ -1533,13 +1549,16 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
}
static
int
prove_non_existence_nsec3
(
struct
dns_header
*
header
,
size_t
plen
,
unsigned
char
**
nsecs
,
int
nsec_count
,
char
*
workspace1
,
char
*
workspace2
,
char
*
name
,
int
type
,
char
*
wildname
)
char
*
workspace1
,
char
*
workspace2
,
char
*
name
,
int
type
,
char
*
wildname
,
int
*
nons
)
{
unsigned
char
*
salt
,
*
p
,
*
digest
;
int
digest_len
,
i
,
iterations
,
salt_len
,
base32_len
,
algo
=
0
;
struct
nettle_hash
const
*
hash
;
char
*
closest_encloser
,
*
next_closest
,
*
wildcard
;
if
(
nons
)
*
nons
=
0
;
/* Look though the NSEC3 records to find the first one with
an algorithm we support (currently only algo == 1).
...
...
@@ -1612,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if
((
digest_len
=
hash_name
(
name
,
&
digest
,
hash
,
salt
,
salt_len
,
iterations
))
==
0
)
return
STAT_BOGUS
;
if
(
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
))
if
(
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
,
nons
))
return
STAT_SECURE
;
/* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3"
...
...
@@ -1657,7 +1676,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if
((
digest_len
=
hash_name
(
next_closest
,
&
digest
,
hash
,
salt
,
salt_len
,
iterations
))
==
0
)
return
STAT_BOGUS
;
if
(
!
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
))
if
(
!
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
,
NULL
))
return
STAT_BOGUS
;
/* Finally, check that there's no seat of wildcard synthesis */
...
...
@@ -1672,7 +1691,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if
((
digest_len
=
hash_name
(
wildcard
,
&
digest
,
hash
,
salt
,
salt_len
,
iterations
))
==
0
)
return
STAT_BOGUS
;
if
(
!
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
))
if
(
!
check_nsec3_coverage
(
header
,
plen
,
digest_len
,
digest
,
type
,
workspace1
,
workspace2
,
nsecs
,
nsec_count
,
NULL
))
return
STAT_BOGUS
;
}
...
...
@@ -1681,7 +1700,8 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */
/* Returns are the same as validate_rrset, plus the class if the missing key is in *class */
int
dnssec_validate_reply
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
*
class
,
int
*
neganswer
)
int
dnssec_validate_reply
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
*
class
,
int
*
neganswer
,
int
*
nons
)
{
unsigned
char
*
ans_start
,
*
qname
,
*
p1
,
*
p2
,
**
nsecs
;
int
type1
,
class1
,
rdlen1
,
type2
,
class2
,
rdlen2
,
qclass
,
qtype
;
...
...
@@ -1811,9 +1831,10 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
return
STAT_BOGUS
;
/* No NSECs or bad packet */
if
(
nsec_type
==
T_NSEC
)
rc
=
prove_non_existence_nsec
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
type1
);
rc
=
prove_non_existence_nsec
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
type1
,
NULL
);
else
rc
=
prove_non_existence_nsec3
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
type1
,
wildname
);
rc
=
prove_non_existence_nsec3
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
type1
,
wildname
,
NULL
);
if
(
rc
!=
STAT_SECURE
)
return
rc
;
...
...
@@ -1937,9 +1958,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
return
STAT_BOGUS
;
if
(
nsec_type
==
T_NSEC
)
return
prove_non_existence_nsec
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
qtype
);
return
prove_non_existence_nsec
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
qtype
,
nons
);
else
return
prove_non_existence_nsec3
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
qtype
,
NULL
);
return
prove_non_existence_nsec3
(
header
,
plen
,
nsecs
,
nsec_count
,
daemon
->
workspacename
,
keyname
,
name
,
qtype
,
NULL
,
nons
);
}
/* Chase the CNAME chain in the packet until the first record which _doesn't validate.
...
...
src/forward.c
View file @
424c4a8a
...
...
@@ -26,8 +26,9 @@ static void free_frec(struct frec *f);
#ifdef HAVE_DNSSEC
static
int
tcp_key_recurse
(
time_t
now
,
int
status
,
struct
dns_header
*
header
,
size_t
n
,
int
class
,
char
*
name
,
char
*
keyname
,
struct
server
*
server
,
int
*
keycount
);
static
int
do_check_sign
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
class
);
static
int
send_check_sign
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
);
static
int
do_check_sign
(
struct
frec
*
forward
,
int
status
,
time_t
now
,
char
*
name
,
char
*
keyname
);
static
int
send_check_sign
(
struct
frec
*
forward
,
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
);
#endif
...
...
@@ -815,18 +816,22 @@ void reply_query(int fd, int family, time_t now)
else
if
(
forward
->
flags
&
FREC_DS_QUERY
)
{
status
=
dnssec_validate_ds
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
if
(
status
==
STAT_NO_DS
)
status
=
STAT_
INSECURE
;
if
(
status
==
STAT_NO_DS
||
status
==
STAT_NO_NS
)
status
=
STAT_
BOGUS
;
}
else
if
(
forward
->
flags
&
FREC_CHECK_NOSIGN
)
status
=
do_check_sign
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
{
status
=
dnssec_validate_ds
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
if
(
status
!=
STAT_NEED_KEY
)
status
=
do_check_sign
(
forward
,
status
,
now
,
daemon
->
namebuff
,
daemon
->
keyname
);
}
else
{
status
=
dnssec_validate_reply
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
&
forward
->
class
,
NULL
);
status
=
dnssec_validate_reply
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
&
forward
->
class
,
NULL
,
NULL
);
if
(
status
==
STAT_NO_SIG
)
{
if
(
option_bool
(
OPT_DNSSEC_NO_SIGN
))
status
=
send_check_sign
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
);
status
=
send_check_sign
(
forward
,
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
);
else
status
=
STAT_INSECURE
;
}
...
...
@@ -861,6 +866,7 @@ void reply_query(int fd, int family, time_t now)
new
->
blocking_query
=
NULL
;
new
->
sentto
=
server
;
new
->
rfd4
=
NULL
;
new
->
orig_domain
=
NULL
;
#ifdef HAVE_IPV6
new
->
rfd6
=
NULL
;
#endif
...
...
@@ -889,7 +895,9 @@ void reply_query(int fd, int family, time_t now)
new
->
new_id
=
get_id
();
header
->
id
=
htons
(
new
->
new_id
);
/* Save query for retransmission */
new
->
stash
=
blockdata_alloc
((
char
*
)
header
,
nn
);
if
(
!
(
new
->
stash
=
blockdata_alloc
((
char
*
)
header
,
nn
)))
return
;
new
->
stash_len
=
nn
;
/* Don't resend this. */
...
...
@@ -946,18 +954,22 @@ void reply_query(int fd, int family, time_t now)
else
if
(
forward
->
flags
&
FREC_DS_QUERY
)
{
status
=
dnssec_validate_ds
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
if
(
status
==
STAT_NO_DS
)
status
=
STAT_
INSECURE
;
if
(
status
==
STAT_NO_DS
||
status
==
STAT_NO_NS
)
status
=
STAT_
BOGUS
;
}
else
if
(
forward
->
flags
&
FREC_CHECK_NOSIGN
)
status
=
do_check_sign
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
{
status
=
dnssec_validate_ds
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
forward
->
class
);
if
(
status
!=
STAT_NEED_KEY
)
status
=
do_check_sign
(
forward
,
status
,
now
,
daemon
->
namebuff
,
daemon
->
keyname
);
}
else
{
status
=
dnssec_validate_reply
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
&
forward
->
class
,
NULL
);
status
=
dnssec_validate_reply
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
,
&
forward
->
class
,
NULL
,
NULL
);
if
(
status
==
STAT_NO_SIG
)
{
if
(
option_bool
(
OPT_DNSSEC_NO_SIGN
))
status
=
send_check_sign
(
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
);
status
=
send_check_sign
(
forward
,
now
,
header
,
n
,
daemon
->
namebuff
,
daemon
->
keyname
);
else
status
=
STAT_INSECURE
;
}
...
...
@@ -1319,70 +1331,80 @@ void receive_query(struct listener *listen, time_t now)
/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
STAT_NEED_DS_NEG and keyname if we need to do the query. */
static
int
send_check_sign
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
)
static
int
send_check_sign
(
struct
frec
*
forward
,
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
)
{
struct
crec
*
crecp
;
char
*
name_start
=
name
;
int
status
=
dnssec_chase_cname
(
now
,
header
,
plen
,
name
,
keyname
);
if
(
status
!=
STAT_INSECURE
)
return
status
;
while
(
1
)
{
crecp
=
cache_find_by_name
(
NULL
,
name_start
,
now
,
F_DS
);
if
(
crecp
&&
(
crecp
->
flags
&
F_DNSSECOK
))
return
(
crecp
->
flags
&
F_NEG
)
?
STAT_INSECURE
:
STAT_BOGUS
;
if
(
crecp
&&
(
crecp
->
flags
&
F_NEG
)
&&
(
name_start
=
strchr
(
name_start
,
'.'
)))
{
name_start
++
;
/* chop a label off and try again */
continue
;
}
/* Reached the root */
if
(
!
name_start
)
/* Store the domain we're trying to check. */
forward
->
name_start
=
strlen
(
name
);
forward
->
name_len
=
forward
->
name_start
+
1
;
if
(
!
(
forward
->
orig_domain
=
blockdata_alloc
(
name
,
forward
->
name_len
)))
return
STAT_BOGUS
;
strcpy
(
keyname
,
name_start
);
return
STAT_NEED_DS_NEG
;
}
return
do_check_sign
(
forward
,
0
,
now
,
name
,
keyname
);
}
/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
static
int
do_check_sign
(
time_t
now
,
struct
dns_header
*
header
,
size_t
plen
,
char
*
name
,
char
*
keyname
,
int
class
)
/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
static
int
do_check_sign
(
struct
frec
*
forward
,
int
status
,
time_t
now
,
char
*
name
,
char
*
keyname
)
{
char
*
name_start
;
unsigned
char
*
p
;
int
status
;
/* get domain we're checking back from blockdata store, it's stored on the original query. */
while
(
forward
->
dependent
)
forward
=
forward
->
dependent
;
/* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
suitable NSEC reply to DS queries. */
if
(
RCODE
(
header
)
!=
SERVFAIL
)
{
status
=
dnssec_validate_ds
(
now
,
header
,
plen
,
name
,
keyname
,
class
);
blockdata_retrieve
(
forward
->
orig_domain
,
forward
->
name_len
,
name
);
if
(
status
!=
STAT_INSECURE
)
while
(
1
)
{
if
(
status
==
STAT_NO_DS
)
status
=
STAT_INSECURE
;
return
status
;
}
}
char
*
p
;
p
=
(
unsigned
char
*
)(
header
+
1
);
if
(
status
==
0
)
{
struct
crec
*
crecp
;
if
(
extract_name
(
header
,
plen
,
&
p
,
name
,
1
,
4
)
&&
(
name_start
=
strchr
(
name
,
'.'
)))
/* Haven't received answer, see if in cache */
if
(
!
(
crecp
=
cache_find_by_name
(
NULL
,
&
name
[
forward
->
name_start
],
now
,
F_DS
)))
{
name_start
++
;
/* chop a label off and try again */
strcpy
(
keyname
,
name_start
);
/* put name of DS record we're missing into keyname */
strcpy
(
keyname
,
&
name
[
forward
->
name_start
]);
/* and wait for reply to arrive */
return
STAT_NEED_DS_NEG
;
}
/* F_DNSSECOK misused in DS cache records to non-existance of NS record */
if
(
!
(
crecp
->
flags
&
F_NEG
))
status
=
STAT_SECURE
;
else
if
(
crecp
->
flags
&
F_DNSSECOK
)
status
=
STAT_NO_DS
;
else
status
=
STAT_NO_NS
;
}
/* Have entered non-signed part of DNS tree. */
if
(
status
==
STAT_NO_DS
)
return
STAT_INSECURE
;
if
(
status
==
STAT_BOGUS
)
return
STAT_BOGUS
;
/* There's a proven DS record, or we're within a zone, where there doesn't need
to be a DS record. Add a name and try again.
If we've already tried the whole name, then fail */
if
(
forward
->
name_start
==
0
)
return
STAT_BOGUS
;
for
(
p
=
&
name
[
forward
->
name_start
-
2
];
(
*
p
!=
'.'
)
&&
(
p
!=
name
);
p
--
);
if
(
p
!=
name
)
p
++
;
forward
->
name_start
=
p
-
name
;
status
=
0
;
/* force to cache when we iterate. */
}
}
/* Move toward the root, until we find a signed non-existance of a DS, in which case
...
...
@@ -1394,9 +1416,10 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
size_t
m
;
unsigned
char
*
packet
,
*
payload
;
u16
*
length
;
unsigned
char
*
p
=
(
unsigned
char
*
)(
header
+
1
);
int
status
;
char
*
name_start
=
name
;
int
status
,
name_len
;
struct
blockdata
*
block
;
char
*
name_start
;
/* Get first insecure entry in CNAME chain */
status
=
tcp_key_recurse
(
now
,
STAT_CHASE_CNAME
,
header
,
plen
,
class
,
name
,
keyname
,
server
,
keycount
);
...
...
@@ -1410,45 +1433,58 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
header
=
(
struct
dns_header
*
)
payload
;
length
=
(
u16
*
)
packet
;
/* Stash the name away, since the buffer will be trashed when we recurse */
name_len
=
strlen
(
name
)
+
1
;
name_start
=
name
+
name_len
-
1
;
if
(
!
(
block
=
blockdata_alloc
(
name
,
name_len
)))
{
free
(
packet
);
return
STAT_BOGUS
;
}
while
(
1
)
{
unsigned
char
*
newhash
,
hash
[
HASH_SIZE
];
unsigned
char
c1
,
c2
;
struct
crec
*
crecp
=
cache_find_by_name
(
NULL
,
name_start
,
now
,
F_DS
)
;
struct
crec
*
crecp
;
if
(
--
(
*
keycount
)
==
0
)
{
free
(
packet
);
blockdata_free
(
block
);
return
STAT_BOGUS
;
}
if
(
crecp
&&
(
crecp
->
flags
&
F_DNSSECOK
))
while
((
crecp
=
cache_find_by_name
(
NULL
,
name_start
,
now
,
F_DS
)))
{
if
((
crecp
->
flags
&
F_NEG
)
&&
(
crecp
->
flags
&
F_DNSSECOK
))
{
/* Found a secure denial of DS - delegation is indeed insecure */
free
(
packet
);
return
(
crecp
->
flags
&
F_NEG
)
?
STAT_INSECURE
:
STAT_BOGUS
;
blockdata_free
(
block
);
return
STAT_INSECURE
;
}
/* If we have cached insecurely that a DS doesn't exist,
ise that is a hit for where to start looking for the secure one */
if
(
crecp
&&
(
crecp
->
flags
&
F_NEG
)
&&
(
name_start
=
strchr
(
name_start
,
'.'
)))
{
name_start
++
;
/* chop a label off and try again */
continue
;
}
/* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
Add another label and continue. */
/* reached the root */
if
(
!
name_start
)
if
(
name_start
==
name
)
{
free
(
packet
);
return
STAT_BOGUS
;
blockdata_free
(
block
);
return
STAT_BOGUS
;
/* run out of labels */
}
m
=
dnssec_generate_query
(
header
,
((
char
*
)
header
)
+
65536
,
name_start
,
class
,
T_DS
,
&
server
->
addr
);
name_start
-=
2
;
while
(
*
name_start
!=
'.'
&&
name_start
!=
name
)
name_start
--
;
if
(
name_start
!=
name
)
name_start
++
;
}
/* We rely on the question section coming back unchanged, ensure it is with the hash. */
if
((
newhash
=
hash_questions
(
header
,
(
unsigned
int
)
m
,
name
)))
{
memcpy
(
hash
,
newhash
,
HASH_SIZE
);
/* Can't find it in the cache, have to send a query */
m
=
dnssec_generate_query
(
header
,
((
char
*
)
header
)
+
65536
,
name_start
,
class
,
T_DS
,
&
server
->
addr
);
*
length
=
htons
(
m
);
...
...
@@ -1459,45 +1495,50 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
{
m
=
(
c1
<<
8
)
|
c2
;
newhash
=
hash_questions
(
header
,
(
unsigned
int
)
m
,
name
);
if
(
newhash
&&
memcmp
(
hash
,
newhash
,
HASH_SIZE
)
==
0
)
{
/* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
suitable NSEC reply to DS queries. */
if
(
RCODE
(
header
)
==
SERVFAIL
)
status
=
STAT_INSECURE
;
else
/* Note this trashes all three name workspaces */
status
=
tcp_key_recurse
(
now
,
STAT_NEED_DS_NEG
,
header
,
m
,
class
,
name
,
keyname
,
server
,
keycount
);
/* We've found a DS which proves the bit of the DNS where the
original query is, is unsigned, so the answer is OK,
if unvalidated. */
if
(
status
==
STAT_NO_DS
)
{
/* Found a secure denial of DS - delegation is indeed insecure */
free
(
packet
);
blockdata_free
(
block
);
return
STAT_INSECURE
;
}
/* No DS, not got to DNSSEC-land yet, go up. */
if
(
status
==
STAT_INSECURE
)
if
(
status
==
STAT_BOGUS
)
{
p
=
(
unsigned
char
*
)(
header
+
1
);
free
(
packet
);
blockdata_free
(
block
);
return
STAT_BOGUS
;
}
if
(
extract_name
(
header
,
plen
,
&
p
,
name
,
1
,
4
)
&&
(
name_start
=
strchr
(
name
,
'.'
)))
/* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
Add another label and continue. */
/* Get name we're checking back. */
blockdata_retrieve
(
block
,
name_len
,
name
);
if
(
name_start
==
name
)
{
name_start
++
;
/* chop a label off and try again */
continue
;
}
}
}
}
free
(
packet
);
blockdata_free
(
block
);
return
STAT_BOGUS
;
/* run out of labels */
}
name_start
-=
2
;
while
(
*
name_start
!=
'.'
&&
name_start
!=
name
)
name_start
--
;
if
(
name_start
!=
name
)
name_start
++
;
}
else
{
/* IO failure */
free
(
packet
);
return
STAT_BOGUS
;
blockdata_free
(
block
);
return
STAT_BOGUS
;
/* run out of labels */
}
}
}
...
...
@@ -1516,14 +1557,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
else
if
(
status
==
STAT_NEED_DS
||
status
==
STAT_NEED_DS_NEG
)
{
new_status
=
dnssec_validate_ds
(
now
,
header
,
n
,
name
,
keyname
,
class
);
if
(
status
==
STAT_NEED_DS
&&
new_status
==
STAT_NO_DS
)
new_status
=
STAT_
INSECURE
;
if
(
status
==
STAT_NEED_DS
&&
(
new_status
==
STAT_NO_DS
||
new_status
==
STAT_NO_NS
)
)
new_status
=
STAT_
BOGUS
;
}
else
if
(
status
==
STAT_CHASE_CNAME
)
new_status
=
dnssec_chase_cname
(
now
,
header
,
n
,
name
,
keyname
);
else
{
new_status
=
dnssec_validate_reply
(
now
,
header
,
n
,
name
,
keyname
,
&
class
,
NULL
);
new_status
=
dnssec_validate_reply
(
now
,
header
,
n
,
name
,
keyname
,
&
class
,
NULL
,
NULL
);
if
(
new_status
==
STAT_NO_SIG
)
{
...
...
@@ -1576,14 +1617,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
else
if
(
status
==
STAT_NEED_DS
||
status
==
STAT_NEED_DS_NEG
)
{
new_status
=
dnssec_validate_ds
(
now
,
header
,
n
,
name
,
keyname
,
class
);
if
(
status
==
STAT_NEED_DS
&&
new_status
==
STAT_NO_DS
)
new_status
=
STAT_
INSECURE
;
/* Validated no DS */
if
(
status
==
STAT_NEED_DS
&&
(
new_status
==
STAT_NO_DS
||
new_status
==
STAT_NO_NS
)
)
new_status
=
STAT_
BOGUS
;
/* Validated no DS */
}
else
if
(
status
==
STAT_CHASE_CNAME
)
new_status
=
dnssec_chase_cname
(
now
,
header
,
n
,
name
,
keyname
);
else
{
new_status
=
dnssec_validate_reply
(
now
,
header
,
n
,
name
,
keyname
,
&
class
,
NULL
);
new_status
=
dnssec_validate_reply
(
now
,
header
,
n
,
name
,
keyname
,
&
class
,
NULL
,
NULL
);
if
(
new_status
==
STAT_NO_SIG
)
{
...
...
@@ -1961,6 +2002,7 @@ static struct frec *allocate_frec(time_t now)
f
->
dependent
=
NULL
;
f
->
blocking_query
=
NULL
;
f
->
stash
=
NULL
;
f
->
orig_domain
=
NULL
;
#endif
daemon
->
frec_list
=
f
;
}
...
...
@@ -2029,6 +2071,12 @@ static void free_frec(struct frec *f)
f
->
stash
=
NULL
;
}
if
(
f
->
orig_domain
)
{
blockdata_free
(
f
->
orig_domain
);
f
->
orig_domain
=
NULL
;
}
/* Anything we're waiting on is pointless now, too */
if
(
f
->
blocking_query
)
free_frec
(
f
->
blocking_query
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment