#include "util/data/packed_rrset.h"

Functions
enum sec_status	val_nsec_prove_nodata_dsreply (struct module_env env, struct val_env ve, struct query_info qinfo, struct reply_info rep, struct key_entry_key kkey, time_t proof_ttl, char *reason, struct module_qstate qstate)
	Check DS absence. More...

int	nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type)
	nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. More...

int	nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type)
	Check if type is present in the NSEC typemap. More...

int	nsec_proves_nodata (struct ub_packed_rrset_key nsec, struct query_info qinfo, uint8_t **wc)
	Determine if a NSEC proves the NOERROR/NODATA conditions. More...

int	val_nsec_proves_name_error (struct ub_packed_rrset_key nsec, uint8_t qname)
	Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname. More...

int	val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key nsec, struct query_info qinf, uint8_t *wc)
	Determine if the given NSEC proves a positive wildcard response. More...

uint8_t *	nsec_closest_encloser (uint8_t qname, struct ub_packed_rrset_key nsec)
	Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it). More...

int	val_nsec_proves_no_wc (struct ub_packed_rrset_key nsec, uint8_t qname, size_t qnamelen)
	Determine if the given NSEC proves that a wildcard match does not exist. More...

int	val_nsec_check_dlv (struct query_info qinfo, struct reply_info rep, uint8_t *nm, size_t nm_len)
	Determine the DLV result, what to do with NSEC DLV reply. More...

int	val_nsec_proves_insecuredelegation (struct ub_packed_rrset_key nsec, struct query_info qinfo)
	Determine if an nsec proves an insecure delegation towards the qname. More...

Detailed Description

This file contains helper functions for the validator module. The functions help with NSEC checking, the different NSEC proofs for denial of existence, and proofs for presence of types.

Function Documentation

◆ val_nsec_prove_nodata_dsreply()

enum sec_status val_nsec_prove_nodata_dsreply	(	struct module_env *	env,
		struct val_env *	ve,
		struct query_info *	qinfo,
		struct reply_info *	rep,
		struct key_entry_key *	kkey,
		time_t *	proof_ttl,
		char **	reason,
		struct module_qstate *	qstate
	)

Check DS absence.

There is a NODATA reply to a DS that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Or this fails.

Parameters

env	module env for rrsig verification routines.
ve	validator env for rrsig verification routines.
qinfo	the DS queried for.
rep	reply received.
kkey	key entry to use for verification of signatures.
proof_ttl	if secure, the TTL of how long this proof lasts.
reason	string explaining why bogus.
qstate	qstate with region.

Returns: security status. SECURE: proved absence of DS. INSECURE: proved that this was not a delegation point. BOGUS: crypto bad, or no absence of DS proven. UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).

References lruhash_entry::data, ub_packed_rrset_key::entry, module_env::now, module_env::rrset_cache, rrset_check_sec_status(), sec_status_secure, packed_rrset_data::security, and val_verify_rrset_entry().

◆ nsecbitmap_has_type_rdata()

int nsecbitmap_has_type_rdata	(	uint8_t *	bitmap,
		size_t	len,
		uint16_t	type
	)

nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.

Parameters

bitmap	pointer to the bitmap part of wireformat rdata.
len	length of the bitmap, in bytes.
type	the type (in host order) to check for.

Returns: true if the type bit was set in the bitmap. false if not, or if the bitmap was malformed in some way.

Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().

◆ nsec_has_type()

int nsec_has_type	(	struct ub_packed_rrset_key *	nsec,
		uint16_t	type
	)

Check if type is present in the NSEC typemap.

Parameters

nsec	the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node.
type	type to check for, host order.

Returns: true if present

References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by nsec_proves_nodata(), val_nsec_proves_insecuredelegation(), and val_nsec_proves_name_error().

◆ nsec_proves_nodata()

int nsec_proves_nodata	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinfo,
		uint8_t **	wc
	)

Determine if a NSEC proves the NOERROR/NODATA conditions.

This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.

Parameters

nsec	the nsec record to check against.
qinfo	the query info.
wc	if the nodata is proven for a wildcard match, the wildcard closest encloser is returned, else NULL (wc is unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname.

Returns: true if NSEC proves this.

References packed_rrset_key::dname, dname_canonical_compare(), dname_is_root(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_CNAME, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.

◆ val_nsec_proves_name_error()

int val_nsec_proves_name_error	(	struct ub_packed_rrset_key *	nsec,
		uint8_t *	qname
	)

Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.

Parameters

nsec	the nsec to check
qname	what was queried.

Returns: true if proven.

References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.

Referenced by val_nsec_proves_no_wc(), and val_nsec_proves_positive_wildcard().

◆ val_nsec_proves_positive_wildcard()

int val_nsec_proves_positive_wildcard	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinf,
		uint8_t *	wc
	)

Determine if the given NSEC proves a positive wildcard response.

Parameters

nsec	the nsec to check
qinf	what was queried.
wc	wildcard (without *. label)

Returns: true if proven.

References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().

◆ nsec_closest_encloser()

uint8_t* nsec_closest_encloser	(	uint8_t *	qname,
		struct ub_packed_rrset_key *	nsec
	)

Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).

A name error must have been proven already, otherwise this will be invalid.

Parameters

qname	the name queried for.
nsec	the nsec RRset.

Returns: closest encloser dname or NULL on error (bad nsec RRset).

References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.

Referenced by val_nsec_proves_no_wc(), and val_nsec_proves_positive_wildcard().

◆ val_nsec_proves_no_wc()

int val_nsec_proves_no_wc	(	struct ub_packed_rrset_key *	nsec,
		uint8_t *	qname,
		size_t	qnamelen
	)

Determine if the given NSEC proves that a wildcard match does not exist.

Parameters

nsec	the nsec RRset.
qname	the name queried for.
qnamelen	length of qname.

Returns: true if proven.

References dname_count_labels(), dname_remove_labels(), LDNS_MAX_DOMAINLEN, nsec_closest_encloser(), and val_nsec_proves_name_error().

◆ val_nsec_check_dlv()

int val_nsec_check_dlv	(	struct query_info *	qinfo,
		struct reply_info *	rep,
		uint8_t **	nm,
		size_t *	nm_len
	)

Determine the DLV result, what to do with NSEC DLV reply.

Parameters

qinfo	what was queried for.
rep	the nonpositive reply.
nm	dlv lookup name, to adjust for new lookup name (if needed).
nm_len	length of lookup name.

Returns: 0 on error, 1 if a higher point is found. If the higher point is above the dlv repo anchor, the qname does not exist.

References reply_info::an_numrrsets, reply_info::flags, and FLAGS_GET_RCODE.

◆ val_nsec_proves_insecuredelegation()

int val_nsec_proves_insecuredelegation	(	struct ub_packed_rrset_key *	nsec,
		struct query_info *	qinfo
	)

Determine if an nsec proves an insecure delegation towards the qname.

Parameters

nsec	nsec rrset.
qinfo	what was queries for.

Returns: 0 if not, 1 if an NSEC that signals an insecure delegation to the qname.

References packed_rrset_key::dname, dname_strict_subdomain_c(), dname_subdomain_c(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, nsec_has_type(), query_info::qname, query_info::qtype, and ub_packed_rrset_key::rk.

Functions

Detailed Description

Function Documentation

◆ val_nsec_prove_nodata_dsreply()

◆ nsecbitmap_has_type_rdata()

◆ nsec_has_type()

◆ nsec_proves_nodata()

◆ val_nsec_proves_name_error()

◆ val_nsec_proves_positive_wildcard()

◆ nsec_closest_encloser()

◆ val_nsec_proves_no_wc()

◆ val_nsec_check_dlv()

◆ val_nsec_proves_insecuredelegation()