
  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #pragma once
  23. #include "dnsparser.hh"
  24. #include "dnsname.hh"
  25. #include <vector>
  26. #include "namespaces.hh"
  27. #include "dnsrecords.hh"
  28. #include "dnssecinfra.hh"
// Validator-wide settings shared with the rest of the program; defined elsewhere.
extern bool g_dnssecLOG;                // presumably toggles verbose DNSSEC validation logging — confirm at the definition
extern time_t g_signatureInceptionSkew; // clock-skew allowance for RRSIG inception times (a time_t delta) — TODO confirm how isRRSIGIncepted applies it
extern uint16_t g_maxNSEC3Iterations;   // upper bound on the NSEC3 iteration count the validator is willing to compute; bounds the CPU a zone can demand per proof
// Validation states, after RFC 4033 section 5. The enumerator order is load-bearing:
// every enumerator from BogusNoValidDNSKEY onwards is a "Bogus" outcome and
// vStateIsBogus() relies on that, so new Bogus* states must be appended after it
// and the non-Bogus states must stay in front of it.
enum class vState : uint8_t {
  Indeterminate,
  Insecure,
  Secure,
  NTA, // negative trust anchor applies (see haveNegativeTrustAnchor() below)
  TA,  // trust anchor applies (see getTrustAnchor() below)
  // Bogus outcomes start here; keep BogusNoValidDNSKEY the first of them.
  BogusNoValidDNSKEY,
  BogusInvalidDenial,
  BogusUnableToGetDSs,
  BogusUnableToGetDNSKEYs,
  BogusSelfSignedDS,
  BogusNoRRSIG,
  BogusNoValidRRSIG,
  BogusMissingNegativeIndication,
  BogusSignatureNotYetValid,
  BogusSignatureExpired,
  BogusUnsupportedDNSKEYAlgo,
  BogusUnsupportedDSDigestType,
  BogusNoZoneKeyBitSet,
  BogusRevokedDNSKEY,
  BogusInvalidDNSKEYProtocol
};

// Human-readable name of a validation state (defined out of line).
const std::string& vStateToString(vState state);

// True for every Bogus* state. Works on the underlying uint8_t values, so it
// depends on the enumerator order documented above.
inline bool vStateIsBogus(vState state)
{
  const uint8_t raw = static_cast<uint8_t>(state);
  const uint8_t firstBogus = static_cast<uint8_t>(vState::BogusNoValidDNSKEY);
  return raw >= firstBogus;
}
// Outcome of NSEC/NSEC3 denial-of-existence analysis, as returned by getDenial().
// Enumerator meanings below are inferred from the names — confirm against getDenial().
enum class dState : uint8_t {
  NODENIAL, // no usable denial proof found
  NXDOMAIN, // the name is proven not to exist
  NXQTYPE,  // the name exists but the queried type does not
  ENT,      // the name is an empty non-terminal
  INSECURE, // the delegation is proven to be unsigned
  OPTOUT    // the name falls in an NSEC3 opt-out span
};
// Stream insertion for the two state enums (defined out of line); used for logging.
std::ostream& operator<<(std::ostream &os, const vState d);
std::ostream& operator<<(std::ostream &os, const dState d);
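// Source of records for (qname, qtype); getKeysFor() fetches DNSKEY/DS material
// through it so the validator is not tied to one resolver implementation.
class DNSRecordOracle
{
public:
  // Polymorphic base with a pure virtual member: a virtual destructor keeps
  // deletion of an implementation through a DNSRecordOracle pointer well-defined.
  virtual ~DNSRecordOracle() = default;
  // Returns the records found for qname/qtype; how "nothing found" is reported
  // is left to the implementation.
  virtual std::vector<DNSRecord> get(const DNSName& qname, uint16_t qtype)=0;
};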
// An RRset together with the RRSIG records presented as covering it.
// Nothing here is validated yet; validateWithKeySet() decides whether the
// signatures actually verify.
struct ContentSigPair
{
  sortedRecords_t records;                           // the RRset's data, kept in sorted order by the container type
  vector<shared_ptr<RRSIGRecordContent>> signatures; // RRSIGs claimed to cover 'records'
  // ponder adding a validate method that accepts a key
};
// Every RRset harvested from a response, keyed by (owner name, type);
// produced by harvestCSPFromRecs() and consumed by validateWithKeySet()/getDenial().
using cspmap_t = map<pair<DNSName,uint16_t>, ContentSigPair>;
// A set of DS records, e.g. a configured trust anchor or a zone's DS RRset.
using dsmap_t = std::set<DSRecordContent>;
// Orders shared_ptr<DNSKEYRecordContent> by the pointed-to key rather than by
// pointer address, so a set keyed on it treats equal DNSKEYs as the same element.
// Both pointers are assumed to be non-null — TODO confirm callers never insert an empty pointer.
struct sharedDNSKeyRecordContentCompare
{
  bool operator() (const shared_ptr<DNSKEYRecordContent>& a, const shared_ptr<DNSKEYRecordContent>& b) const
  {
    const DNSKEYRecordContent& lhs = *a;
    const DNSKEYRecordContent& rhs = *b;
    return lhs < rhs;
  }
};
  63. typedef set<shared_ptr<DNSKEYRecordContent>, sharedDNSKeyRecordContentCompare > skeyset_t;
// Validates one RRset against a set of keys.
//   now             - reference time for the RRSIG validity-window checks
//   name            - owner name of the RRset
//   records         - the RRset data
//   signatures      - RRSIGs presented for the RRset
//   keys            - DNSKEYs to try
//   validateAllSigs - presumably whether every signature must be checked rather than
//                     stopping at the first one that verifies — confirm in the definition
// Returns the resulting validation state.
vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& records, const vector<shared_ptr<RRSIGRecordContent> >& signatures, const skeyset_t& keys, bool validateAllSigs=true);
// Batch form: validates each RRset in 'rrsets' with 'keys' and stores those that pass in 'validated'.
// There is no 'now' parameter, so the reference time has to come from inside the implementation.
void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const skeyset_t& keys);
// Groups a flat record list into RRsets plus the RRSIGs that belong to them, keyed by (name, type).
cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs);
// Obtains the DNSKEYs for 'zone' through 'dro' and fills 'keyset' with them; the returned
// vState says how far they could be trusted (e.g. chained from a trust anchor or not).
vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, skeyset_t& keyset);
// Looks up a trust anchor for 'zone' in 'anchors'; on success fills 'res' and returns true.
bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res);
// Reports whether a negative trust anchor applies to 'zone'; if so, 'reason' receives the configured explanation.
bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const DNSName& zone, std::string& reason);
// The DS -> DNSKEY step of the chain of trust: matches 'tkeys' against the DS records in 'dsmap'
// for 'zone' and checks that they sign 'toSign' with 'sigs'; keys that pass are placed in 'validkeys'.
vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<RRSIGRecordContent> >& sigs, skeyset_t& validkeys);
// Examines the NSEC/NSEC3 RRsets in 'validrrsets' for a denial-of-existence proof about qname/qtype.
// Only RRsets that already passed validation should be passed in — a denial built from
// unvalidated records proves nothing. Flag meanings below are inferred from the names; confirm in the definition:
//   referralToUnsigned  - the answer is a referral claimed to be unsigned (INSECURE proof sought)
//   wantsNoDataProof    - look for a NODATA proof (NXQTYPE) rather than NXDOMAIN
//   needsWildcardProof  - whether a proof about the matching wildcard is required as well
//   wildcardLabelsCount - label count used for that wildcard proof
dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, bool needsWildcardProof=true, unsigned int wildcardLabelsCount=0);
// True if this validator can handle the DS record's algorithm and digest type.
bool isSupportedDS(const DSRecordContent& ds);
// Returns the signer name carried by 'signatures' (presumably assumes they agree on one signer — confirm).
DNSName getSigner(const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
// True if 'dsrecords' (the answer to the DS query for 'zone') prove that there is no delegation at 'zone'.
bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords);
// RRSIG validity-window checks against 'now'. Both matter for correctness of validation:
// an expired or not-yet-valid signature must not vouch for anything.
// g_signatureInceptionSkew is presumably applied by isRRSIGIncepted — TODO confirm.
bool isRRSIGNotExpired(const time_t now, const std::shared_ptr<RRSIGRecordContent>& sig);
bool isRRSIGIncepted(const time_t now, const shared_ptr<RRSIGRecordContent>& sig);
// Wildcard-expansion checks comparing the RRSIG's label count with the owner's label count
// (the RFC 4035 section 5.3.1 style comparison; confirm the exact rule in the definition).
bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
// Merges 'stateUpdate' into 'state'; the combination rules live in the definition.
void updateDNSSECValidationState(vState& state, const vState stateUpdate);