1
/*
2
 * securechasetrace.c
3
 * Where all the hard work concerning secure tracing is done
4
 *
5
 * (c) 2005, 2006 NLnet Labs
6
 *
7
 * See the file LICENSE for the license
8
 *
9
 */
10

11
#include "drill.h"
12
#include <ldns/ldns.h>
13

14
#define SELF "[S]"  /* self sig ok */
15
#define TRUST "[T]" /* chain from parent */
16
#define BOGUS "[B]" /* bogus */
17
#define UNSIGNED "[U]" /* no relevant dnssec data found */
18

19
#if 0
20
/* See if there is a key/ds in trusted that matches
21
 * a ds in *ds. 
22
 */
23
static ldns_rr_list *
24
ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
25
{
26
	size_t i, j;
27
	bool match;
28
	ldns_rr *rr_i, *rr_j;
29
	ldns_rr_list *keys;
30

31
	if (!trusted || !ds) {
32
		return NULL;
33
	}
34

35
	match = false;
36
	keys = ldns_rr_list_new();
37
	if (!keys) {
38
		return NULL;
39
	}
40

41
	if (!ds || !trusted) {
42
		return NULL;
43
	}
44

45
	for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
46
		rr_i = ldns_rr_list_rr(trusted, i);
47
		for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
48

49
			rr_j = ldns_rr_list_rr(ds, j);
50
			if (ldns_rr_compare_ds(rr_i, rr_j)) {
51
				match = true;
52
				/* only allow unique RRs to match */
53
				ldns_rr_set_push_rr(keys, rr_i); 
54
			}
55
		}
56
	}
57
	if (match) {
58
		return keys;
59
	} else {
60
		return NULL;
61
	}
62
}
63
#endif
64

65
static ldns_pkt *
66
get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t) 
67
{
68
	ldns_pkt *p = NULL;
69
	p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0); 
70
	if (!p) {
71
		return NULL;
72
	} else {
73
		if (verbosity >= 5) {
74
			ldns_pkt_print(stdout, p);
75
		}
76
		return p;
77
	}
78
}
79

80
#ifdef HAVE_SSL
81
/* 
82
 * retrieve keys for this zone
83
 */
84
static ldns_pkt_type
85
get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
86
{
87
	return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
88
}
89

90
/*
91
 * check to see if we can find a DS rrset here which we can then follow
92
 */
93
static ldns_pkt_type
94
get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
95
{
96
	return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
97
}
98
#endif /* HAVE_SSL */
99

100
static void
101
remove_resolver_nameservers(ldns_resolver *res)
102
{
103
	ldns_rdf *pop;
104
	
105
	/* remove the old nameserver from the resolver */
106
	while((pop = ldns_resolver_pop_nameserver(res))) {
107
		ldns_rdf_deep_free(pop);
108
	}
109

110
}
111

112
/*ldns_pkt **/
113
#ifdef HAVE_SSL
114
int
115
do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
116
                ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
117
               )
118
{
119
	ldns_resolver *res;
120
	ldns_pkt *p, *local_p;
121
	ldns_rr_list *new_nss;
122
	ldns_rr_list *ns_addr;
123
	ldns_rdf *pop;
124
	ldns_rdf **labels = NULL;
125
	ldns_status status, st;
126
	ssize_t i;
127
	size_t j;
128
	size_t k;
129
	size_t l;
130
	uint8_t labels_count = 0;
131

132
	/* dnssec */
133
	ldns_rr_list *key_list;
134
	ldns_rr_list *key_sig_list;
135
	ldns_rr_list *ds_list;
136
	ldns_rr_list *ds_sig_list;
137
	ldns_rr_list *correct_key_list;
138
	ldns_rr_list *trusted_ds_rrs;
139
	bool new_keys_trusted = false;
140
	ldns_rr_list *current_correct_keys = NULL;
141
	ldns_rr_list *dataset;
142

143
	ldns_rr_list *nsec_rrs = NULL;
144
	ldns_rr_list *nsec_rr_sigs = NULL;
145

146
	/* empty non-terminal check */
147
	bool ent;
148
	ldns_rr  *nsecrr;      /* The nsec that proofs the non-terminal */
149
	ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
150
	ldns_rdf *label0;      /* The first label of an nsec3 owner name */
151

152
	/* glue handling */
153
	ldns_rr_list *new_ns_addr;
154
	ldns_rr_list *old_ns_addr;
155
	ldns_rr *ns_rr;
156

157
	int result = 0;
158

159
	/* printing niceness */
160
	const ldns_rr_descriptor *descriptor;
161

162
	descriptor = ldns_rr_descript(t);
163

164
	new_nss = NULL;
165
	ns_addr = NULL;
166
	key_list = NULL;
167
	ds_list = NULL;
168

169
	p = NULL;
170
	local_p = NULL;
171
	res = ldns_resolver_new();
172
	key_sig_list = NULL;
173
	ds_sig_list = NULL;
174

175
	if (!res) {
176
		error("Memory allocation failed");
177
		result = -1;
178
		return result;
179
	}
180

181
	correct_key_list = ldns_rr_list_new();
182
	if (!correct_key_list) {
183
		error("Memory allocation failed");
184
		result = -1;
185
		return result;
186
	}
187

188
	trusted_ds_rrs = ldns_rr_list_new();
189
	if (!trusted_ds_rrs) {
190
		error("Memory allocation failed");
191
		result = -1;
192
		return result;
193
	}
194
        /* Add all preset trusted DS signatures to the list of trusted DS RRs. */
195
        for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
196
            ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
197
            if (ldns_rr_get_type(one_rr)  == LDNS_RR_TYPE_DS) {
198
                ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
199
            }
200
        }
201

202
	/* transfer some properties of local_res to res */
203
	ldns_resolver_set_ip6(res,
204
			ldns_resolver_ip6(local_res));
205
	ldns_resolver_set_port(res,
206
			ldns_resolver_port(local_res));
207
	ldns_resolver_set_debug(res,
208
			ldns_resolver_debug(local_res));
209
	ldns_resolver_set_fail(res,
210
			ldns_resolver_fail(local_res));
211
	ldns_resolver_set_usevc(res,
212
			ldns_resolver_usevc(local_res));
213
	ldns_resolver_set_random(res,
214
			ldns_resolver_random(local_res));
215
	ldns_resolver_set_source(res,
216
			ldns_resolver_source(local_res));
217
	ldns_resolver_set_recursive(local_res, true);
218

219
	ldns_resolver_set_recursive(res, false);
220
	ldns_resolver_set_dnssec_cd(res, false);
221
	ldns_resolver_set_dnssec(res, true);
222

223
	/* setup the root nameserver in the new resolver */
224
	status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
225
	if (status != LDNS_STATUS_OK) {
226
		printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
227
		ldns_rr_list_print(stdout, global_dns_root);
228
		result = status;
229
		goto done;
230
	}
231
	labels_count = ldns_dname_label_count(name);
232
	if (start_name) {
233
		if (ldns_dname_is_subdomain(name, start_name)) {
234
			labels_count -= ldns_dname_label_count(start_name);
235
		} else {
236
			fprintf(stderr, "Error; ");
237
			ldns_rdf_print(stderr, name);
238
			fprintf(stderr, " is not a subdomain of ");
239
			ldns_rdf_print(stderr, start_name);
240
			fprintf(stderr, "\n");
241
			goto done;
242
		}
243
	}
244
	labels = LDNS_CALLOC(ldns_rdf*, labels_count + 2);
245
	if (!labels) {
246
		goto done;
247
	}
248
	labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
249
	labels[1] = ldns_rdf_clone(name);
250
	for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
251
		labels[i] = ldns_dname_left_chop(labels[i - 1]);
252
	}
253

254
	/* get the nameserver for the label
255
	 * ask: dnskey and ds for the label
256
	 */
257
	for(i = (ssize_t)labels_count + 1; i > 0; i--) {
258
		status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
259
		if (status != LDNS_STATUS_OK) {
260
			fprintf(stderr, "Error sending query: %s\n", ldns_get_errorstr_by_id(status));
261
			result = status;
262
			goto done;
263
		}
264

265
		/* TODO: handle status */
266

267
		if (verbosity >= 5) {
268
			ldns_pkt_print(stdout, local_p);
269
		}
270

271
		new_nss = ldns_pkt_rr_list_by_type(local_p,
272
					LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
273
 		if (!new_nss) {
274
			/* if it's a delegation, servers put them in the auth section */
275
			new_nss = ldns_pkt_rr_list_by_type(local_p,
276
					LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
277
		}
278

279
		/* if this is the final step there might not be nameserver records
280
		   of course if the data is in the apex, there are, so cover both
281
		   cases */
282
		if (new_nss || i > 1) {
283
			for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
284
				ns_rr = ldns_rr_list_rr(new_nss, j);
285
				pop = ldns_rr_rdf(ns_rr, 0);
286
				if (!pop) {
287
					printf("nopo\n");
288
					break;
289
				}
290
				/* retrieve it's addresses */
291
				/* trust glue? */
292
				new_ns_addr = NULL;
293
				if (ldns_dname_is_subdomain(pop, labels[i])) {
294
					new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
295
				}
296
				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
297
					new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
298
				}
299
				if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
300
					new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
301
				}
302

303
				if (new_ns_addr) {
304
					old_ns_addr = ns_addr;
305
					ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
306
					ldns_rr_list_deep_free(old_ns_addr);
307
				}
308
				ldns_rr_list_deep_free(new_ns_addr);
309
			}
310
			ldns_rr_list_deep_free(new_nss);
311

312
			if (ns_addr) {
313
				remove_resolver_nameservers(res);
314

315
				if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
316
						LDNS_STATUS_OK) {
317
					error("Error adding new nameservers");
318
					ldns_pkt_free(local_p);
319
					goto done;
320
				}
321
				ldns_rr_list_deep_free(ns_addr);
322
			} else {
323
				status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
324

325
				/* verify the nsec3 themselves*/
326
				if (verbosity >= 4) {
327
					printf("NSEC(3) Records to verify:\n");
328
					ldns_rr_list_print(stdout, nsec_rrs);
329
					printf("With signatures:\n");
330
					ldns_rr_list_print(stdout, nsec_rr_sigs);
331
					printf("correct keys:\n");
332
					ldns_rr_list_print(stdout, correct_key_list);
333
				}
334

335
				if (status == LDNS_STATUS_OK) {
336
					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
337
						fprintf(stdout, "%s ", TRUST);
338
						fprintf(stdout, "Existence denied: ");
339
						ldns_rdf_print(stdout, labels[i]);
340
	/*
341
						if (descriptor && descriptor->_name) {
342
							printf(" %s", descriptor->_name);
343
						} else {
344
							printf(" TYPE%u", t);
345
						}
346
	*/					fprintf(stdout, " NS\n");
347
					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
348
						fprintf(stdout, "%s ", SELF);
349
						fprintf(stdout, "Existence denied: ");
350
						ldns_rdf_print(stdout, labels[i]);
351
	/*
352
						if (descriptor && descriptor->_name) {
353
							printf(" %s", descriptor->_name);
354
						} else {
355
							printf(" TYPE%u", t);
356
						}
357
	*/
358
						fprintf(stdout, " NS\n");
359
					} else {
360
						fprintf(stdout, "%s ", BOGUS);
361
						result = 1;
362
						printf(";; Error verifying denial of existence for name ");
363
						ldns_rdf_print(stdout, labels[i]);
364
	/*
365
						printf(" type ");
366
						if (descriptor && descriptor->_name) {
367
							printf("%s", descriptor->_name);
368
						} else {
369
							printf("TYPE%u", t);
370
						}
371
	*/					printf("NS: %s\n", ldns_get_errorstr_by_id(st));
372
					}
373
				} else {
374
					fprintf(stdout, "%s ", BOGUS);
375
					result = 1;
376
					printf(";; Error verifying denial of existence for name ");
377
					ldns_rdf_print(stdout, labels[i]);
378
					printf("NS: %s\n", ldns_get_errorstr_by_id(status));
379
				}
380

381
				/* there might be an empty non-terminal, in which case we need to continue */
382
				ent = false;
383
				for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
384
					nsecrr = ldns_rr_list_rr(nsec_rrs, j);
385
					/* For NSEC when the next name is a subdomain of the question */
386
					if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
387
							ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
388
						ent = true;
389

390
					/* For NSEC3, the hash matches the name and the type bitmap is empty*/
391
					} else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
392
						hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
393
						label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
394
						if (hashed_name && label0 &&
395
								ldns_dname_compare(hashed_name, label0) == 0 &&
396
								ldns_nsec3_bitmap(nsecrr) == NULL) {
397
							ent = true;
398
						}
399
						if (label0) {
400
							LDNS_FREE(label0);
401
						}
402
						if (hashed_name) {
403
							LDNS_FREE(hashed_name);
404
						}
405
					}
406
				}
407
				if (!ent) {
408
					ldns_rr_list_deep_free(nsec_rrs);
409
					ldns_rr_list_deep_free(nsec_rr_sigs);
410
					ldns_pkt_free(local_p);
411
					goto done;
412
				} else {
413
					printf(";; There is an empty non-terminal here, continue\n");
414
					continue;
415
				}
416
			}
417

418
			if (ldns_resolver_nameserver_count(res) == 0) {
419
				error("No nameservers found for this node");
420
				goto done;
421
			}
422
		}
423
		ldns_pkt_free(local_p);
424

425
		fprintf(stdout, ";; Domain: ");
426
		ldns_rdf_print(stdout, labels[i]);
427
		fprintf(stdout, "\n");
428

429
		/* retrieve keys for current domain, and verify them
430
		   if they match an already trusted DS, or if one of the
431
		   keys used to sign these is trusted, add the keys to
432
		   the trusted list */
433
		p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
434
		(void) get_key(p, labels[i], &key_list, &key_sig_list);
435
		if (key_sig_list) {
436
			if (key_list) {
437
				current_correct_keys = ldns_rr_list_new();
438
				if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
439
						LDNS_STATUS_OK) {
440
					/* add all signed keys (don't just add current_correct, you'd miss
441
					 * the zsk's then */
442
					for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
443
						ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
444
					}
445

446
					/* check whether these keys were signed
447
					 * by a trusted keys. if so, these
448
					 * keys are also trusted */
449
					new_keys_trusted = false;
450
					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
451
						for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
452
							if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
453
								    ldns_rr_list_rr(trusted_ds_rrs, j))) {
454
								new_keys_trusted = true;
455
							}
456
						}
457
					}
458

459
					/* also all keys are trusted if one of the current correct keys is trusted */
460
					for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
461
						for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
462
							if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
463
								            ldns_rr_list_rr(trusted_keys, j)) == 0) {
464
								            new_keys_trusted = true;
465
							}
466
						}
467
					}
468

469

470
					if (new_keys_trusted) {
471
						ldns_rr_list_push_rr_list(trusted_keys, key_list);
472
						print_rr_list_abbr(stdout, key_list, TRUST);
473
						ldns_rr_list_free(key_list);
474
						key_list = NULL;
475
					} else {
476
						if (verbosity >= 2) {
477
							printf(";; Signature ok but no chain to a trusted key or ds record\n");
478
						}
479
						print_rr_list_abbr(stdout, key_list, SELF);
480
						ldns_rr_list_deep_free(key_list);
481
						key_list = NULL;
482
					}
483
				} else {
484
					print_rr_list_abbr(stdout, key_list, BOGUS);
485
					result = 2;
486
					ldns_rr_list_deep_free(key_list);
487
					key_list = NULL;
488
				}
489
				ldns_rr_list_free(current_correct_keys);
490
				current_correct_keys = NULL;
491
			} else {
492
				printf(";; No DNSKEY record found for ");
493
				ldns_rdf_print(stdout, labels[i]);
494
				printf("\n");
495
			}
496
		}
497

498
		ldns_pkt_free(p);
499
		ldns_rr_list_deep_free(key_sig_list);
500
		key_sig_list = NULL;
501

502
		/* check the DS records for the next child domain */
503
		if (i > 1) {
504
			p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
505
			(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
506
			if (!ds_list) {
507
				ldns_rr_list_deep_free(ds_sig_list);
508
				(void) get_dnssec_rr( p, labels[i-1]
509
				                    , LDNS_RR_TYPE_CNAME
510
				                    , &ds_list, &ds_sig_list);
511
				if (ds_list) {
512
					st = ldns_verify( ds_list, ds_sig_list
513
					                , correct_key_list
514
					                , current_correct_keys);
515

516
					if (st == LDNS_STATUS_OK) {
517
						printf(";; No DS record found "
518
						       "for ");
519
						ldns_rdf_print(stdout,
520
							labels[i-1]);
521
						printf(", but valid CNAME");
522
					} else {
523
						printf(BOGUS " Unable to verify "
524
						       "denial of existence for ");
525
						ldns_rdf_print(stdout,
526
							labels[i-1]);
527
						printf(", because of BOGUS CNAME");
528
					}
529
					printf("\n");
530
					ldns_rr_list_deep_free(ds_sig_list);
531
					ldns_pkt_free(p);
532
					ldns_rr_list_deep_free(ds_list);
533
					ds_list = NULL;
534
					ds_sig_list = NULL;
535
					p = NULL;
536
				} else {
537
					ldns_rr_list_deep_free(ds_sig_list);
538
					ldns_pkt_free(p);
539
					p = get_dnssec_pkt(res, name,
540
							LDNS_RR_TYPE_DNSKEY);
541
					(void) get_ds(p, NULL
542
					             , &ds_list, &ds_sig_list); 
543
				}
544
			}
545
			if (ds_sig_list) {
546
				if (ds_list) {
547
					if (verbosity >= 4) {
548
						printf("VERIFYING:\n");
549
						printf("DS LIST:\n");
550
						ldns_rr_list_print(stdout, ds_list);
551
						printf("SIGS:\n");
552
						ldns_rr_list_print(stdout, ds_sig_list);
553
						printf("KEYS:\n");
554
						ldns_rr_list_print(stdout, correct_key_list);
555
					}
556

557
					current_correct_keys = ldns_rr_list_new();
558

559
					if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
560
							LDNS_STATUS_OK) {
561
						/* if the ds is signed by a trusted key and a key from correct keys
562
						   matches that ds, add that key to the trusted keys */
563
						new_keys_trusted = false;
564
						if (verbosity >= 2) {
565
							printf("Checking if signing key is trusted:\n");
566
						}
567
						for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
568
							if (verbosity >= 2) {
569
								printf("New key: ");
570
								ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
571
							}
572
							for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
573
								if (verbosity >= 2) {
574
									printf("\tTrusted key: ");
575
									ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
576
								}
577
								if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
578
								    ldns_rr_list_rr(trusted_keys, k)) == 0) {
579
								    	if (verbosity >= 2) {
580
								    		printf("Key is now trusted!\n");
581
									}
582
									for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
583
										ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
584
										new_keys_trusted = true;
585
									}
586
								}
587
							}
588
						}
589
						if (new_keys_trusted) {
590
							print_rr_list_abbr(stdout, ds_list, TRUST);
591
						} else {
592
							print_rr_list_abbr(stdout, ds_list, SELF);
593
						}
594
					} else {
595
						result = 3;
596
						print_rr_list_abbr(stdout, ds_list, BOGUS);
597
					}
598

599
					ldns_rr_list_free(current_correct_keys);
600
					current_correct_keys = NULL;
601
				} else {
602
					/* wait apparently there were no keys either, go back to the ds packet */
603
					ldns_pkt_free(p);
604
					ldns_rr_list_deep_free(ds_sig_list);
605
					p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
606
					(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
607
					
608
					status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
609

610
					if (verbosity >= 4) {
611
						printf("NSEC(3) Records to verify:\n");
612
						ldns_rr_list_print(stdout, nsec_rrs);
613
						printf("With signatures:\n");
614
						ldns_rr_list_print(stdout, nsec_rr_sigs);
615
						printf("correct keys:\n");
616
						ldns_rr_list_print(stdout, correct_key_list);
617
					}
618

619
					if (status == LDNS_STATUS_OK) {
620
						if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
621
							fprintf(stdout, "%s ", TRUST);
622
							fprintf(stdout, "Existence denied: ");
623
							ldns_rdf_print(stdout, labels[i-1]);
624
							printf(" DS");
625
							fprintf(stdout, "\n");
626
						} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
627
							fprintf(stdout, "%s ", SELF);
628
							fprintf(stdout, "Existence denied: ");
629
							ldns_rdf_print(stdout, labels[i-1]);
630
							printf(" DS");
631
							fprintf(stdout, "\n");
632
						} else {
633
							result = 4;
634
							fprintf(stdout, "%s ", BOGUS);
635
							printf("Error verifying denial of existence for ");
636
							ldns_rdf_print(stdout, labels[i-1]);
637
							printf(" DS");
638
							printf(": %s\n", ldns_get_errorstr_by_id(st));
639
						}
640
						
641
					
642
					} else {
643
						if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
644
							printf(";; No DS for ");
645
							ldns_rdf_print(stdout, labels[i - 1]);
646
						} else {
647
							printf(BOGUS " Unable to verify denial of existence for ");
648
							ldns_rdf_print(stdout, labels[i - 1]);
649
							printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
650
						}
651
					}
652
					if (verbosity >= 2) {
653
						printf(";; No ds record for delegation\n");
654
					}
655
				}
656
			}
657
			ldns_rr_list_deep_free(ds_list);
658
			ldns_pkt_free(p);
659
		} else {
660
			/* if this is the last label, just verify the data and stop */
661
			p = get_dnssec_pkt(res, labels[i], t);
662
			(void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
663
			if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
664
				if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
665

666
					/* If this is a wildcard, you must be able to deny exact match */
667
					if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
668
						fprintf(stdout, "%s ", TRUST);
669
						ldns_rr_list_print(stdout, dataset);
670
					} else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
671
						fprintf(stdout, "%s ", SELF);
672
						ldns_rr_list_print(stdout, dataset);
673
					} else {
674
						result = 5;
675
						fprintf(stdout, "%s ", BOGUS);
676
						ldns_rr_list_print(stdout, dataset);
677
						printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
678
					}
679
				} else {
680
					fprintf(stdout, "%s ", UNSIGNED);
681
					ldns_rr_list_print(stdout, dataset);
682
				}
683
				ldns_rr_list_deep_free(dataset);
684
			} else {
685
				status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
686
				if (status == LDNS_STATUS_OK) {
687
					/* verify the nsec3 themselves*/
688
					if (verbosity >= 5) {
689
						printf("NSEC(3) Records to verify:\n");
690
						ldns_rr_list_print(stdout, nsec_rrs);
691
						printf("With signatures:\n");
692
						ldns_rr_list_print(stdout, nsec_rr_sigs);
693
						printf("correct keys:\n");
694
						ldns_rr_list_print(stdout, correct_key_list);
695
/*
696
						printf("trusted keys at %p:\n", trusted_keys);
697
						ldns_rr_list_print(stdout, trusted_keys);
698
*/					}
699
					
700
					if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
701
						fprintf(stdout, "%s ", TRUST);
702
						fprintf(stdout, "Existence denied: ");
703
						ldns_rdf_print(stdout, name);
704
						if (descriptor && descriptor->_name) {
705
							printf(" %s", descriptor->_name);
706
						} else {
707
							printf(" TYPE%u", t);
708
						}
709
						fprintf(stdout, "\n");
710
					} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
711
						fprintf(stdout, "%s ", SELF);
712
						fprintf(stdout, "Existence denied: ");
713
						ldns_rdf_print(stdout, name);
714
						if (descriptor && descriptor->_name) {
715
							printf(" %s", descriptor->_name);
716
						} else {
717
							printf(" TYPE%u", t);
718
						}
719
						fprintf(stdout, "\n");
720
					} else {
721
						result = 6;
722
						fprintf(stdout, "%s ", BOGUS);
723
						printf("Error verifying denial of existence for ");
724
						ldns_rdf_print(stdout, name);
725
						printf(" type ");
726
						if (descriptor && descriptor->_name) {
727
							printf("%s", descriptor->_name);
728
						} else {
729
							printf("TYPE%u", t);
730
						}
731
						printf(": %s\n", ldns_get_errorstr_by_id(st));
732
					}
733
					
734
					ldns_rr_list_deep_free(nsec_rrs);
735
					ldns_rr_list_deep_free(nsec_rr_sigs);
736
				} else {
737
/*
738
*/
739
					if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
740
						printf("%s ", UNSIGNED);
741
						printf("No data found for: ");
742
						ldns_rdf_print(stdout, name);
743
						printf(" type ");
744
						if (descriptor && descriptor->_name) {
745
							printf("%s", descriptor->_name);
746
						} else {
747
							printf("TYPE%u", t);
748
						}
749
						printf("\n");
750
					} else {
751
						printf(BOGUS " Unable to verify denial of existence for ");
752
						ldns_rdf_print(stdout, name);
753
						printf(" type ");
754
						if (descriptor && descriptor->_name) {
755
							printf("%s", descriptor->_name);
756
						} else {
757
							printf("TYPE%u", t);
758
						}
759
						printf("\n");
760
					}
761
				
762
				}
763
			}
764
			ldns_pkt_free(p);
765
		}
766

767
		new_nss = NULL;
768
		ns_addr = NULL;
769
		ldns_rr_list_deep_free(key_list);
770
		key_list = NULL;
771
		ldns_rr_list_deep_free(key_sig_list);
772
		key_sig_list = NULL;
773
		ds_list = NULL;
774
		ldns_rr_list_deep_free(ds_sig_list);
775
		ds_sig_list = NULL;
776
	}
777
	printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n");
778
	/* verbose mode?
779
	printf("Trusted keys:\n");
780
	ldns_rr_list_print(stdout, trusted_keys);
781
	printf("trusted dss:\n");
782
	ldns_rr_list_print(stdout, trusted_ds_rrs);
783
	*/
784

785
	done:
786
	ldns_rr_list_deep_free(trusted_ds_rrs);
787
	ldns_rr_list_deep_free(correct_key_list);
788
	ldns_resolver_deep_free(res);
789
	if (labels) {
790
		for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
791
			ldns_rdf_deep_free(labels[i]);
792
		}
793
		LDNS_FREE(labels);
794
	}
795
	return result;
796
}
797
#endif /* HAVE_SSL */
798

799