/*
* validator/validator.h - secure validator DNS query response module
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file contains a module that performs validation of DNS queries.
* According to RFC 4034.
*/
#ifndef VALIDATOR_VALIDATOR_H
#define VALIDATOR_VALIDATOR_H
#include "util/module.h"
#include "util/data/msgreply.h"
#include "validator/val_utils.h"
struct val_anchors;
struct key_cache;
struct key_entry_key;
struct val_neg_cache;
struct config_strlist;
/**
* This is the TTL to use when a trust anchor fails to prime. A trust anchor
* will be primed no more often than this interval. Used when harden-
* dnssec-stripped is off and the trust anchor fails.
*/
#define NULL_KEY_TTL 60 /* seconds */
/**
* TTL for bogus key entries. When a DS or DNSKEY fails in the chain of
* trust the entire zone for that name is blacked out for this TTL.
*/
#define BOGUS_KEY_TTL 60 /* seconds */
/** max number of query restarts, number of IPs to probe */
#define VAL_MAX_RESTART_COUNT 5
/**
* Global state for the validator.
*/
struct val_env {
/** key cache; these are validated keys. trusted keys only
* end up here after being primed. */
struct key_cache* kcache;
/** aggressive negative cache. index into NSECs in rrset cache. */
struct val_neg_cache* neg_cache;
/** for debug testing a fixed validation date can be entered.
* if 0, current time is used for rrsig validation */
int32_t date_override;
/** clock skew min for signatures */
int32_t skew_min;
/** clock skew max for signatures */
int32_t skew_max;
/** TTL for bogus data; used instead of untrusted TTL from data.
* Bogus data will not be verified more often than this interval.
* seconds. */
uint32_t bogus_ttl;
/** If set, the validator should clean the additional section of
* secure messages.
*/
int clean_additional;
/**
* If set, the validator will not make messages bogus, instead
* indeterminate is issued, so that no clients receive SERVFAIL.
* This allows an operator to run validation 'shadow' without
* hurting responses to clients.
*/
int permissive_mode;
/**
* Number of entries in the NSEC3 maximum iteration count table.
* Keep this table short, and sorted by size
*/
int nsec3_keyiter_count;
/**
* NSEC3 maximum iteration count per signing key size.
* This array contains key size values (in increasing order)
*/
size_t* nsec3_keysize;
/**
* NSEC3 maximum iteration count per signing key size.
* This array contains the maximum iteration count for the keysize
* in the keysize array.
*/
size_t* nsec3_maxiter;
/** lock on bogus counter */
lock_basic_t bogus_lock;
/** number of times rrsets marked bogus */
size_t num_rrset_bogus;
};
/**
* State of the validator for a query.
*/
enum val_state {
/** initial state for validation */
VAL_INIT_STATE = 0,
/** find the proper keys for validation, follow trust chain */
VAL_FINDKEY_STATE,
/** validate the answer, using found key entry */
VAL_VALIDATE_STATE,
/** finish up */
VAL_FINISHED_STATE,
/** DLV lookup state, processing DLV queries */
VAL_DLVLOOKUP_STATE
};
/**
* Per query state for the validator module.
*/
struct val_qstate {
/**
* State of the validator module.
*/
enum val_state state;
/**
* The original message we have been given to validate.
*/
struct dns_msg* orig_msg;
/**
* The query restart count
*/
int restart_count;
/** The blacklist saved for chainoftrust elements */
struct sock_list* chain_blacklist;
/**
* The query name we have chased to; qname after following CNAMEs
*/
struct query_info qchase;
/**
* The chased reply, extract from original message. Can be:
* o CNAME
* o DNAME + CNAME
* o answer
* plus authority, additional (nsecs) that have same signature.
*/
struct reply_info* chase_reply;
/**
* The cname skip value; the number of rrsets that have been skipped
* due to chasing cnames. This is the offset into the
* orig_msg->rep->rrsets array, into the answer section.
* starts at 0 - for the full original message.
* if it is >0 - qchase followed the cname, chase_reply setup to be
* that message and relevant authority rrsets.
*
* The skip is also used for referral messages, where it will
* range from 0, over the answer, authority and additional sections.
*/
size_t rrset_skip;
/** trust anchor name */
uint8_t* trust_anchor_name;
/** trust anchor labels */
int trust_anchor_labs;
/** trust anchor length */
size_t trust_anchor_len;
/** the DS rrset */
struct ub_packed_rrset_key* ds_rrset;
/** domain name for empty nonterminal detection */
uint8_t* empty_DS_name;
/** length of empty_DS_name */
size_t empty_DS_len;
/** the current key entry */
struct key_entry_key* key_entry;
/** subtype */
enum val_classification subtype;
/** signer name */
uint8_t* signer_name;
/** length of signer_name */
size_t signer_len;
/** true if this state is waiting to prime a trust anchor */
int wait_prime_ta;
/** have we already checked the DLV? */
int dlv_checked;
/** The name for which the DLV is looked up. For the current message
* or for the current RRset (for CNAME, REFERRAL types).
* If there is signer name, that may be it, else a domain name */
uint8_t* dlv_lookup_name;
/** length of dlv lookup name */
size_t dlv_lookup_name_len;
/** Name at which chain of trust stopped with insecure, starting DLV
* DLV must result in chain going further down */
uint8_t* dlv_insecure_at;
/** length of dlv insecure point name */
size_t dlv_insecure_at_len;
/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
enum dlv_status {
dlv_error, /* server failure */
dlv_success, /* got a DLV */
dlv_ask_higher, /* ask again */
dlv_there_is_no_dlv /* got no DLV, sure of it */
} dlv_status;
};
/**
* Get the validator function block.
* @return: function block with function pointers to validator methods.
*/
struct module_func_block* val_get_funcblock(void);
/**
* Get validator state as a string
* @param state: to convert
* @return constant string that is printable.
*/
const char* val_state_to_string(enum val_state state);
/** validator init */
int val_init(struct module_env* env, int id);
/** validator deinit */
void val_deinit(struct module_env* env, int id);
/** validator operate on a query */
void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
struct outbound_entry* outbound);
/**
* inform validator super.
*
* @param qstate: query state that finished.
* @param id: module id.
* @param super: the qstate to inform.
*/
void val_inform_super(struct module_qstate* qstate, int id,
struct module_qstate* super);
/** validator cleanup query state */
void val_clear(struct module_qstate* qstate, int id);
/**
* Debug helper routine that assists worker in determining memory in
* use.
* @param env: module environment
* @param id: module id.
* @return memory in use in bytes.
*/
size_t val_get_mem(struct module_env* env, int id);
#endif /* VALIDATOR_VALIDATOR_H */