2
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
2
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
3
3
* Copyright (C) 2000-2003 Internet Software Consortium.
5
5
* Permission to use, copy, modify, and/or distribute this software for any
843
843
* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
845
845
static isc_result_t
846
nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
846
nsecnoexistnodata(dns_validator_t *val, dns_name_t *name, dns_name_t *nsecname,
847
847
dns_rdataset_t *nsecset, isc_boolean_t *exists,
848
848
isc_boolean_t *data, dns_name_t *wild)
885
885
if (order == 0) {
887
* The names are the same.
887
* The names are the same. If we are validating "."
888
* then atparent should not be set as there is no parent.
889
atparent = dns_rdatatype_atparent(val->event->type);
890
atparent = (olabels != 1) &&
891
dns_rdatatype_atparent(val->event->type);
890
892
ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
891
893
soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
892
894
if (ns && !soa) {
1917
1919
isc_result_t result;
1918
1920
dns_fixedname_t fixed;
1919
1921
isc_boolean_t ignore = ISC_FALSE;
1921
1924
val->attributes |= VALATTR_TRIEDVERIFY;
1922
1925
dns_fixedname_init(&fixed);
1926
wild = dns_fixedname_name(&fixed);
1924
1928
result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1925
key, ignore, val->view->mctx, rdata,
1926
dns_fixedname_name(&fixed));
1927
if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
1929
key, ignore, val->view->mctx, rdata, wild);
1930
if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
1931
val->view->acceptexpired)
1928
1933
ignore = ISC_TRUE;
1933
1938
"accepted expired %sRRSIG (keyid=%u)",
1934
1939
(result == DNS_R_FROMWILDCARD) ?
1935
1940
"wildcard " : "", keyid);
1941
else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
1942
validator_log(val, ISC_LOG_INFO,
1943
"verify failed due to bad signature (keyid=%u): "
1944
"%s", keyid, isc_result_totext(result));
1937
1946
validator_log(val, ISC_LOG_DEBUG(3),
1938
1947
"verify rdataset (keyid=%u): %s",
1939
1948
keyid, isc_result_totext(result));
1940
1949
if (result == DNS_R_FROMWILDCARD) {
1941
if (!dns_name_equal(val->event->name,
1942
dns_fixedname_name(&fixed)))
1950
if (!dns_name_equal(val->event->name, wild)) {
1951
dns_name_t *closest;
1952
unsigned int labels;
1955
* Compute the closest encloser in case we need it
1956
* for the NSEC3 NOQNAME proof.
1958
closest = dns_fixedname_name(&val->closest);
1959
dns_name_copy(wild, closest, NULL);
1960
labels = dns_name_countlabels(closest) - 1;
1961
dns_name_getlabelsequence(closest, 1, labels, closest);
1943
1962
val->attributes |= VALATTR_NEEDNOQNAME;
1944
1964
result = ISC_R_SUCCESS;
1946
1966
return (result);
2052
2072
validator_log(val, ISC_LOG_DEBUG(3),
2053
2073
"failed to verify rdataset");
2056
2075
isc_stdtime_t now;
2058
2077
isc_stdtime_get(&now);
2059
ttl = ISC_MIN(event->rdataset->ttl,
2060
ISC_MIN(val->siginfo->originalttl,
2061
val->siginfo->timeexpire - now));
2062
event->rdataset->ttl = ttl;
2063
event->sigrdataset->ttl = ttl;
2078
dns_rdataset_trimttl(event->rdataset,
2081
val->view->acceptexpired);
2066
2084
if (val->keynode != NULL)
2865
2883
dns_name_t *name, tname;
2866
2884
isc_result_t result;
2867
2885
isc_boolean_t exists, data, optout, unknown;
2868
isc_boolean_t setclosest, setnearest;
2886
isc_boolean_t setclosest, setnearest, *setclosestp;
2869
2887
dns_fixedname_t fclosest, fnearest, fzonename;
2870
dns_name_t *closest, *nearest, *zonename;
2888
dns_name_t *closest, *nearest, *zonename, *closestp;
2871
2889
dns_name_t **proofs = val->event->proofs;
2872
2890
dns_rdataset_t *rdataset, trdataset;
2914
2932
if (dns_name_countlabels(zonename) == 0)
2915
2933
return (ISC_R_SUCCESS);
2936
* If the val->closest is set then we want to use it otherwise
2937
* we need to discover it.
2939
if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
2940
char namebuf[DNS_NAME_FORMATSIZE];
2942
dns_name_format(dns_fixedname_name(&val->closest),
2943
namebuf, sizeof(namebuf));
2944
validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
2945
"wildcard signature '%s'", namebuf);
2946
dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
2951
setclosestp = &setclosest;
2917
2954
for (result = val_rdataset_first(val, &name, &rdataset);
2918
2955
result == ISC_R_SUCCESS;
2919
2956
result = val_rdataset_next(val, &name, &rdataset))
2931
2968
unknown = ISC_FALSE;
2932
2969
(void)nsec3noexistnodata(val, val->event->name, name, rdataset,
2933
2970
zonename, &exists, &data, &optout,
2934
&unknown, &setclosest, &setnearest,
2971
&unknown, setclosestp, &setnearest,
2936
2973
if (setclosest)
2937
2974
proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
3697
3734
result = ISC_R_SUCCESS;
3700
result = startfinddlvsep(val,
3701
dns_fixedname_name(&val->fname));
3737
return(startfinddlvsep(val,
3738
dns_fixedname_name(&val->fname)));