validator.h revision 269257 
1/*
2 * validator/validator.h - secure validator DNS query response module
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains a module that performs validation of DNS queries.
40 * According to RFC 4034.
41 */
42
43#ifndef VALIDATOR_VALIDATOR_H
44#define VALIDATOR_VALIDATOR_H
45#include "util/module.h"
46#include "util/data/msgreply.h"
47#include "validator/val_utils.h"
48struct val_anchors;
49struct key_cache;
50struct key_entry_key;
51struct val_neg_cache;
52struct config_strlist;
53
54/**
55 * This is the TTL to use when a trust anchor fails to prime. A trust anchor
56 * will be primed no more often than this interval.  Used when harden-
57 * dnssec-stripped is off and the trust anchor fails.
58 */
59#define NULL_KEY_TTL	60 /* seconds */
60
61/**
62 * TTL for bogus key entries.  When a DS or DNSKEY fails in the chain of
63 * trust the entire zone for that name is blacked out for this TTL.
64 */
65#define BOGUS_KEY_TTL	60 /* seconds */
66
67/** max number of query restarts, number of IPs to probe */
68#define VAL_MAX_RESTART_COUNT 5
69
70/**
71 * Global state for the validator.
72 */
73struct val_env {
74	/** key cache; these are validated keys. trusted keys only
75	 * end up here after being primed. */
76	struct key_cache* kcache;
77
78	/** aggressive negative cache. index into NSECs in rrset cache. */
79	struct val_neg_cache* neg_cache;
80
81	/** for debug testing a fixed validation date can be entered.
82	 * if 0, current time is used for rrsig validation */
83	int32_t date_override;
84
85	/** clock skew min for signatures */
86	int32_t skew_min;
87
88	/** clock skew max for signatures */
89	int32_t skew_max;
90
91	/** TTL for bogus data; used instead of untrusted TTL from data.
92	 * Bogus data will not be verified more often than this interval.
93	 * seconds. */
94	uint32_t bogus_ttl;
95
96	/** If set, the validator should clean the additional section of
97	 * secure messages.
98	 */
99	int clean_additional;
100
101	/**
102	 * If set, the validator will not make messages bogus, instead
103	 * indeterminate is issued, so that no clients receive SERVFAIL.
104	 * This allows an operator to run validation 'shadow' without
105	 * hurting responses to clients.
106	 */
107	int permissive_mode;
108
109	/**
110	 * Number of entries in the NSEC3 maximum iteration count table.
111	 * Keep this table short, and sorted by size
112	 */
113	int nsec3_keyiter_count;
114
115	/**
116	 * NSEC3 maximum iteration count per signing key size.
117	 * This array contains key size values (in increasing order)
118	 */
119	size_t* nsec3_keysize;
120
121	/**
122	 * NSEC3 maximum iteration count per signing key size.
123	 * This array contains the maximum iteration count for the keysize
124	 * in the keysize array.
125	 */
126	size_t* nsec3_maxiter;
127
128	/** lock on bogus counter */
129	lock_basic_t bogus_lock;
130	/** number of times rrsets marked bogus */
131	size_t num_rrset_bogus;
132};
133
134/**
135 * State of the validator for a query.
136 */
137enum val_state {
138	/** initial state for validation */
139	VAL_INIT_STATE = 0,
140	/** find the proper keys for validation, follow trust chain */
141	VAL_FINDKEY_STATE,
142	/** validate the answer, using found key entry */
143	VAL_VALIDATE_STATE,
144	/** finish up */
145	VAL_FINISHED_STATE,
146	/** DLV lookup state, processing DLV queries */
147	VAL_DLVLOOKUP_STATE
148};
149
150/**
151 * Per query state for the validator module.
152 */
153struct val_qstate {
154	/**
155	 * State of the validator module.
156	 */
157	enum val_state state;
158
159	/**
160	 * The original message we have been given to validate.
161	 */
162	struct dns_msg* orig_msg;
163
164	/**
165	 * The query restart count
166	 */
167	int restart_count;
168	/** The blacklist saved for chainoftrust elements */
169	struct sock_list* chain_blacklist;
170
171	/**
172	 * The query name we have chased to; qname after following CNAMEs
173	 */
174	struct query_info qchase;
175
176	/**
177	 * The chased reply, extract from original message. Can be:
178	 * 	o CNAME
179	 * 	o DNAME + CNAME
180	 * 	o answer
181	 * 	plus authority, additional (nsecs) that have same signature.
182	 */
183	struct reply_info* chase_reply;
184
185	/**
186	 * The cname skip value; the number of rrsets that have been skipped
187	 * due to chasing cnames. This is the offset into the
188	 * orig_msg->rep->rrsets array, into the answer section.
189	 * starts at 0 - for the full original message.
190	 * if it is >0 - qchase followed the cname, chase_reply setup to be
191	 * that message and relevant authority rrsets.
192	 *
193	 * The skip is also used for referral messages, where it will
194	 * range from 0, over the answer, authority and additional sections.
195	 */
196	size_t rrset_skip;
197
198	/** trust anchor name */
199	uint8_t* trust_anchor_name;
200	/** trust anchor labels */
201	int trust_anchor_labs;
202	/** trust anchor length */
203	size_t trust_anchor_len;
204
205	/** the DS rrset */
206	struct ub_packed_rrset_key* ds_rrset;
207
208	/** domain name for empty nonterminal detection */
209	uint8_t* empty_DS_name;
210	/** length of empty_DS_name */
211	size_t empty_DS_len;
212
213	/** the current key entry */
214	struct key_entry_key* key_entry;
215
216	/** subtype */
217	enum val_classification subtype;
218
219	/** signer name */
220	uint8_t* signer_name;
221	/** length of signer_name */
222	size_t signer_len;
223
224	/** true if this state is waiting to prime a trust anchor */
225	int wait_prime_ta;
226
227	/** have we already checked the DLV? */
228	int dlv_checked;
229	/** The name for which the DLV is looked up. For the current message
230	 * or for the current RRset (for CNAME, REFERRAL types).
231	 * If there is signer name, that may be it, else a domain name */
232	uint8_t* dlv_lookup_name;
233	/** length of dlv lookup name */
234	size_t dlv_lookup_name_len;
235	/** Name at which chain of trust stopped with insecure, starting DLV
236	 * DLV must result in chain going further down */
237	uint8_t* dlv_insecure_at;
238	/** length of dlv insecure point name */
239	size_t dlv_insecure_at_len;
240	/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
241	enum dlv_status {
242		dlv_error, /* server failure */
243		dlv_success, /* got a DLV */
244		dlv_ask_higher, /* ask again */
245		dlv_there_is_no_dlv /* got no DLV, sure of it */
246	} dlv_status;
247};
248
249/**
250 * Get the validator function block.
251 * @return: function block with function pointers to validator methods.
252 */
253struct module_func_block* val_get_funcblock(void);
254
255/**
256 * Get validator state as a string
257 * @param state: to convert
258 * @return constant string that is printable.
259 */
260const char* val_state_to_string(enum val_state state);
261
262/** validator init */
263int val_init(struct module_env* env, int id);
264
265/** validator deinit */
266void val_deinit(struct module_env* env, int id);
267
268/** validator operate on a query */
269void val_operate(struct module_qstate* qstate, enum module_ev event, int id,
270        struct outbound_entry* outbound);
271
272/**
273 * inform validator super.
274 *
275 * @param qstate: query state that finished.
276 * @param id: module id.
277 * @param super: the qstate to inform.
278 */
279void val_inform_super(struct module_qstate* qstate, int id,
280	struct module_qstate* super);
281
282/** validator cleanup query state */
283void val_clear(struct module_qstate* qstate, int id);
284
285/**
286 * Debug helper routine that assists worker in determining memory in
287 * use.
288 * @param env: module environment
289 * @param id: module id.
290 * @return memory in use in bytes.
291 */
292size_t val_get_mem(struct module_env* env, int id);
293
294#endif /* VALIDATOR_VALIDATOR_H */
295