1 /* 2 * Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC") 3 * Copyright (C) 2000-2003 Internet Software Consortium. 4 * 5 * Permission to use, copy, modify, and/or distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 * PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */ 19 20 #ifndef DNS_VALIDATOR_H 21 #define DNS_VALIDATOR_H 1 22 23 /***** 24 ***** Module Info 25 *****/ 26 27 /*! \file dns/validator.h 28 * 29 * \brief 30 * DNS Validator 31 * This is the BIND 9 validator, the module responsible for validating the 32 * rdatasets and negative responses (messages). It makes use of zones in 33 * the view and may fetch RRset to complete trust chains. It implements 34 * DNSSEC as specified in RFC 4033, 4034 and 4035. 35 * 36 * It can also optionally implement ISC's DNSSEC look-aside validation. 37 * 38 * Correct operation is critical to preventing spoofed answers from secure 39 * zones being accepted. 40 * 41 * MP: 42 *\li The module ensures appropriate synchronization of data structures it 43 * creates and manipulates. 44 * 45 * Reliability: 46 *\li No anticipated impact. 47 * 48 * Resources: 49 *\li TBS 50 * 51 * Security: 52 *\li No anticipated impact. 53 * 54 * Standards: 55 *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. 56 */ 57 58 #include <isc/lang.h> 59 #include <isc/event.h> 60 #include <isc/mutex.h> 61 62 #include <dns/fixedname.h> 63 #include <dns/types.h> 64 #include <dns/rdataset.h> 65 #include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */ 66 67 #include <dst/dst.h> 68 69 /*% 70 * A dns_validatorevent_t is sent when a 'validation' completes. 71 * \brief 72 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were 73 * supplied when dns_validator_create() was called. They are returned to the 74 * caller so that they may be freed. 75 * 76 * If the RESULT is ISC_R_SUCCESS and the answer is secure then 77 * proofs[] will contain the names of the NSEC records that hold the 78 * various proofs. Note the same name may appear multiple times. 79 */ 80 typedef struct dns_validatorevent { 81 ISC_EVENT_COMMON(struct dns_validatorevent); 82 dns_validator_t * validator; 83 isc_result_t result; 84 /* 85 * Name and type of the response to be validated. 86 */ 87 dns_name_t * name; 88 dns_rdatatype_t type; 89 /* 90 * Rdata and RRSIG (if any) for positive responses. 91 */ 92 dns_rdataset_t * rdataset; 93 dns_rdataset_t * sigrdataset; 94 /* 95 * The full response. Required for negative responses. 96 * Also required for positive wildcard responses. 97 */ 98 dns_message_t * message; 99 /* 100 * Proofs to be cached. 101 */ 102 dns_name_t * proofs[4]; 103 /* 104 * Optout proof seen. 105 */ 106 isc_boolean_t optout; 107 /* 108 * Answer is secure. 109 */ 110 isc_boolean_t secure; 111 } dns_validatorevent_t; 112 113 #define DNS_VALIDATOR_NOQNAMEPROOF 0 114 #define DNS_VALIDATOR_NODATAPROOF 1 115 #define DNS_VALIDATOR_NOWILDCARDPROOF 2 116 #define DNS_VALIDATOR_CLOSESTENCLOSER 3 117 118 /*% 119 * A validator object represents a validation in progress. 120 * \brief 121 * Clients are strongly discouraged from using this type directly, with 122 * the exception of the 'link' field, which may be used directly for 123 * whatever purpose the client desires. 124 */ 125 struct dns_validator { 126 /* Unlocked. */ 127 unsigned int magic; 128 isc_mutex_t lock; 129 dns_view_t * view; 130 /* Locked by lock. */ 131 unsigned int options; 132 unsigned int attributes; 133 dns_validatorevent_t * event; 134 dns_fetch_t * fetch; 135 dns_validator_t * subvalidator; 136 dns_validator_t * parent; 137 dns_keytable_t * keytable; 138 dns_keynode_t * keynode; 139 dst_key_t * key; 140 dns_rdata_rrsig_t * siginfo; 141 isc_task_t * task; 142 isc_taskaction_t action; 143 void * arg; 144 unsigned int labels; 145 dns_rdataset_t * currentset; 146 isc_boolean_t seensig; 147 dns_rdataset_t * keyset; 148 dns_rdataset_t * dsset; 149 dns_rdataset_t * soaset; 150 dns_rdataset_t * nsecset; 151 dns_rdataset_t * nsec3set; 152 dns_name_t * soaname; 153 dns_rdataset_t frdataset; 154 dns_rdataset_t fsigrdataset; 155 dns_fixedname_t fname; 156 dns_fixedname_t wild; 157 dns_fixedname_t nearest; 158 dns_fixedname_t closest; 159 ISC_LINK(dns_validator_t) link; 160 dns_rdataset_t dlv; 161 dns_fixedname_t dlvsep; 162 isc_boolean_t havedlvsep; 163 isc_boolean_t mustbesecure; 164 unsigned int dlvlabels; 165 unsigned int depth; 166 unsigned int authcount; 167 unsigned int authfail; 168 }; 169 170 /*% 171 * dns_validator_create() options. 172 */ 173 #define DNS_VALIDATOR_DLV 1U 174 #define DNS_VALIDATOR_DEFER 2U 175 176 ISC_LANG_BEGINDECLS 177 178 isc_result_t 179 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, 180 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 181 dns_message_t *message, unsigned int options, 182 isc_task_t *task, isc_taskaction_t action, void *arg, 183 dns_validator_t **validatorp); 184 /*%< 185 * Start a DNSSEC validation. 186 * 187 * This validates a response to the question given by 188 * 'name' and 'type'. 189 * 190 * To validate a positive response, the response data is 191 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' 192 * is NULL, the data is presumed insecure and an attempt 193 * is made to prove its insecurity by finding the appropriate 194 * null key. 195 * 196 * The complete response message may be given in 'message', 197 * to make available any authority section NSECs that may be 198 * needed for validation of a response resulting from a 199 * wildcard expansion (though no such wildcard validation 200 * is implemented yet). If the complete response message 201 * is not available, 'message' is NULL. 202 * 203 * To validate a negative response, the complete negative response 204 * message is given in 'message'. The 'rdataset', and 205 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' 206 * arguments must be provided. 207 * 208 * The validation is performed in the context of 'view'. 209 * 210 * When the validation finishes, a dns_validatorevent_t with 211 * the given 'action' and 'arg' are sent to 'task'. 212 * Its 'result' field will be ISC_R_SUCCESS iff the 213 * response was successfully proven to be either secure or 214 * part of a known insecure domain. 215 * 216 * options: 217 * If DNS_VALIDATOR_DLV is set the caller knows there is not a 218 * trusted key and the validator should immediately attempt to validate 219 * the answer by looking for an appropriate DLV RRset. 220 */ 221 222 void 223 dns_validator_send(dns_validator_t *validator); 224 /*%< 225 * Send a deferred validation request 226 * 227 * Requires: 228 * 'validator' to points to a valid DNSSEC validator. 229 */ 230 231 void 232 dns_validator_cancel(dns_validator_t *validator); 233 /*%< 234 * Cancel a DNSSEC validation in progress. 235 * 236 * Requires: 237 *\li 'validator' points to a valid DNSSEC validator, which 238 * may or may not already have completed. 239 * 240 * Ensures: 241 *\li It the validator has not already sent its completion 242 * event, it will send it with result code ISC_R_CANCELED. 243 */ 244 245 void 246 dns_validator_destroy(dns_validator_t **validatorp); 247 /*%< 248 * Destroy a DNSSEC validator. 249 * 250 * Requires: 251 *\li '*validatorp' points to a valid DNSSEC validator. 252 * \li The validator must have completed and sent its completion 253 * event. 254 * 255 * Ensures: 256 *\li All resources used by the validator are freed. 257 */ 258 259 ISC_LANG_ENDDECLS 260 261 #endif /* DNS_VALIDATOR_H */ 262