mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-29 13:38:26 +00:00
4173. [bug] dig +sigchase was not properly matching the trusted
key. [RT #40188]
This commit is contained in:
Mark Andrews
parent
151f1bcd5e
commit
efb028b6c8
3
CHANGES
3
CHANGES
@ -1,3 +1,6 @@
|
|||||||
|
4173. [bug] dig +sigchase was not properly matching the trusted
|
||||||
|
key. [RT #40188]
|
||||||
|
|
||||||
4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
|
4172. [bug] Named / named-checkconf didn't handle a view of CLASS0.
|
||||||
[RT #40265]
|
[RT #40265]
|
||||||
|
|
||||||
|
|||||||
@ -200,7 +200,7 @@ dig_lookup_t *current_lookup = NULL;
|
|||||||
|
|
||||||
#ifdef DIG_SIGCHASE
|
#ifdef DIG_SIGCHASE
|
||||||
|
|
||||||
isc_result_t get_trusted_key(isc_mem_t *mctx);
|
isc_result_t get_trusted_key(void);
|
||||||
dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
|
dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
|
||||||
dns_rdatatype_t covers,
|
dns_rdatatype_t covers,
|
||||||
isc_boolean_t *lookedup,
|
isc_boolean_t *lookedup,
|
||||||
@ -218,32 +218,26 @@ isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset,
|
|||||||
isc_result_t sigchase_verify_sig_key(dns_name_t *name,
|
isc_result_t sigchase_verify_sig_key(dns_name_t *name,
|
||||||
dns_rdataset_t *rdataset,
|
dns_rdataset_t *rdataset,
|
||||||
dst_key_t* dnsseckey,
|
dst_key_t* dnsseckey,
|
||||||
dns_rdataset_t *sigrdataset,
|
dns_rdataset_t *sigrdataset);
|
||||||
isc_mem_t *mctx);
|
|
||||||
isc_result_t sigchase_verify_sig(dns_name_t *name,
|
isc_result_t sigchase_verify_sig(dns_name_t *name,
|
||||||
dns_rdataset_t *rdataset,
|
dns_rdataset_t *rdataset,
|
||||||
dns_rdataset_t *keyrdataset,
|
dns_rdataset_t *keyrdataset,
|
||||||
dns_rdataset_t *sigrdataset,
|
dns_rdataset_t *sigrdataset);
|
||||||
isc_mem_t *mctx);
|
|
||||||
isc_result_t sigchase_verify_ds(dns_name_t *name,
|
isc_result_t sigchase_verify_ds(dns_name_t *name,
|
||||||
dns_rdataset_t *keyrdataset,
|
dns_rdataset_t *keyrdataset,
|
||||||
dns_rdataset_t *dsrdataset,
|
dns_rdataset_t *dsrdataset);
|
||||||
isc_mem_t *mctx);
|
|
||||||
void sigchase(dns_message_t *msg);
|
void sigchase(dns_message_t *msg);
|
||||||
void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
|
void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
|
||||||
void print_rdataset(dns_name_t *name,
|
void print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset);
|
||||||
dns_rdataset_t *rdataset, isc_mem_t *mctx);
|
void dup_name(dns_name_t *source, dns_name_t* target);
|
||||||
void dup_name(dns_name_t *source, dns_name_t* target,
|
void free_name(dns_name_t *name);
|
||||||
isc_mem_t *mctx);
|
|
||||||
void free_name(dns_name_t *name, isc_mem_t *mctx);
|
|
||||||
void dump_database(void);
|
void dump_database(void);
|
||||||
void dump_database_section(dns_message_t *msg, int section);
|
void dump_database_section(dns_message_t *msg, int section);
|
||||||
dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
|
dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
|
||||||
dns_rdatatype_t covers);
|
dns_rdatatype_t covers);
|
||||||
isc_result_t contains_trusted_key(dns_name_t *name,
|
isc_result_t contains_trusted_key(dns_name_t *name,
|
||||||
dns_rdataset_t *rdataset,
|
dns_rdataset_t *rdataset,
|
||||||
dns_rdataset_t *sigrdataset,
|
dns_rdataset_t *sigrdataset);
|
||||||
isc_mem_t *mctx);
|
|
||||||
void print_type(dns_rdatatype_t type);
|
void print_type(dns_rdatatype_t type);
|
||||||
isc_result_t prove_nx_domain(dns_message_t * msg,
|
isc_result_t prove_nx_domain(dns_message_t * msg,
|
||||||
dns_name_t * name,
|
dns_name_t * name,
|
||||||
@ -265,7 +259,7 @@ isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name,
|
|||||||
dns_rdataset_t ** sigrdataset);
|
dns_rdataset_t ** sigrdataset);
|
||||||
static void nameFromString(const char *str, dns_name_t *p_ret);
|
static void nameFromString(const char *str, dns_name_t *p_ret);
|
||||||
int inf_name(dns_name_t * name1, dns_name_t * name2);
|
int inf_name(dns_name_t * name1, dns_name_t * name2);
|
||||||
isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
|
isc_result_t removetmpkey(const char *file);
|
||||||
void clean_trustedkey(void);
|
void clean_trustedkey(void);
|
||||||
isc_result_t insert_trustedkey(void *arg, dns_name_t *name,
|
isc_result_t insert_trustedkey(void *arg, dns_name_t *name,
|
||||||
dns_rdataset_t *rdataset);
|
dns_rdataset_t *rdataset);
|
||||||
@ -1792,7 +1786,7 @@ start_lookup(void) {
|
|||||||
#if DIG_SIGCHASE_TD
|
#if DIG_SIGCHASE_TD
|
||||||
if (current_lookup->do_topdown &&
|
if (current_lookup->do_topdown &&
|
||||||
!current_lookup->rdtype_sigchaseset) {
|
!current_lookup->rdtype_sigchaseset) {
|
||||||
dst_key_t *trustedkey = NULL;
|
dst_key_t *dstkey = NULL;
|
||||||
isc_buffer_t *b = NULL;
|
isc_buffer_t *b = NULL;
|
||||||
isc_region_t r;
|
isc_region_t r;
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
@ -1800,7 +1794,7 @@ start_lookup(void) {
|
|||||||
dns_name_t *key_name;
|
dns_name_t *key_name;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
result = get_trusted_key(mctx);
|
result = get_trusted_key();
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
printf("\n;; No trusted key, "
|
printf("\n;; No trusted key, "
|
||||||
"+sigchase option is disabled\n");
|
"+sigchase option is disabled\n");
|
||||||
@ -1815,22 +1809,22 @@ start_lookup(void) {
|
|||||||
|
|
||||||
if (dns_name_issubdomain(&query_name,
|
if (dns_name_issubdomain(&query_name,
|
||||||
key_name) == ISC_TRUE)
|
key_name) == ISC_TRUE)
|
||||||
trustedkey = tk_list.key[i];
|
dstkey = tk_list.key[i];
|
||||||
/*
|
/*
|
||||||
* Verify temp is really the lowest
|
* Verify temp is really the lowest
|
||||||
* WARNING
|
* WARNING
|
||||||
*/
|
*/
|
||||||
}
|
}
|
||||||
if (trustedkey == NULL) {
|
if (dstkey == NULL) {
|
||||||
printf("\n;; The queried zone: ");
|
printf("\n;; The queried zone: ");
|
||||||
dns_name_print(&query_name, stdout);
|
dns_name_print(&query_name, stdout);
|
||||||
printf(" isn't a subdomain of any Trusted Keys"
|
printf(" isn't a subdomain of any Trusted Keys"
|
||||||
": +sigchase option is disable\n");
|
": +sigchase option is disable\n");
|
||||||
current_lookup->sigchase = ISC_FALSE;
|
current_lookup->sigchase = ISC_FALSE;
|
||||||
free_name(&query_name, mctx);
|
free_name(&query_name);
|
||||||
goto novalidation;
|
goto novalidation;
|
||||||
}
|
}
|
||||||
free_name(&query_name, mctx);
|
free_name(&query_name);
|
||||||
|
|
||||||
current_lookup->rdtype_sigchase
|
current_lookup->rdtype_sigchase
|
||||||
= current_lookup->rdtype;
|
= current_lookup->rdtype;
|
||||||
@ -1855,7 +1849,7 @@ start_lookup(void) {
|
|||||||
|
|
||||||
result = isc_buffer_allocate(mctx, &b, BUFSIZE);
|
result = isc_buffer_allocate(mctx, &b, BUFSIZE);
|
||||||
check_result(result, "isc_buffer_allocate");
|
check_result(result, "isc_buffer_allocate");
|
||||||
result = dns_name_totext(dst_key_name(trustedkey),
|
result = dns_name_totext(dst_key_name(dstkey),
|
||||||
ISC_FALSE, b);
|
ISC_FALSE, b);
|
||||||
check_result(result, "dns_name_totext");
|
check_result(result, "dns_name_totext");
|
||||||
isc_buffer_usedregion(b, &r);
|
isc_buffer_usedregion(b, &r);
|
||||||
@ -4361,16 +4355,16 @@ destroy_libs(void) {
|
|||||||
isc_mem_free(mctx, ptr);
|
isc_mem_free(mctx, ptr);
|
||||||
}
|
}
|
||||||
if (dns_name_dynamic(&chase_name))
|
if (dns_name_dynamic(&chase_name))
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
#if DIG_SIGCHASE_TD
|
#if DIG_SIGCHASE_TD
|
||||||
if (dns_name_dynamic(&chase_current_name))
|
if (dns_name_dynamic(&chase_current_name))
|
||||||
free_name(&chase_current_name, mctx);
|
free_name(&chase_current_name);
|
||||||
if (dns_name_dynamic(&chase_authority_name))
|
if (dns_name_dynamic(&chase_authority_name))
|
||||||
free_name(&chase_authority_name, mctx);
|
free_name(&chase_authority_name);
|
||||||
#endif
|
#endif
|
||||||
#if DIG_SIGCHASE_BU
|
#if DIG_SIGCHASE_BU
|
||||||
if (dns_name_dynamic(&chase_signame))
|
if (dns_name_dynamic(&chase_signame))
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
@ -4526,7 +4520,7 @@ dump_database_section(dns_message_t *msg, int section)
|
|||||||
rdataset = ISC_LIST_NEXT(rdataset, link)) {
|
rdataset = ISC_LIST_NEXT(rdataset, link)) {
|
||||||
dns_name_print(msg_name, stdout);
|
dns_name_print(msg_name, stdout);
|
||||||
printf("\n");
|
printf("\n");
|
||||||
print_rdataset(msg_name, rdataset, mctx);
|
print_rdataset(msg_name, rdataset);
|
||||||
printf("end\n");
|
printf("end\n");
|
||||||
}
|
}
|
||||||
msg_name = NULL;
|
msg_name = NULL;
|
||||||
@ -4706,7 +4700,7 @@ isc_result_t
|
|||||||
insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
|
insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
|
||||||
{
|
{
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
dst_key_t *key;
|
dst_key_t *dstkey;
|
||||||
|
|
||||||
UNUSED(arg);
|
UNUSED(arg);
|
||||||
|
|
||||||
@ -4724,11 +4718,11 @@ insert_trustedkey(void *arg, dns_name_t *name, dns_rdataset_t *rdataset)
|
|||||||
isc_buffer_add(&b, rdata.length);
|
isc_buffer_add(&b, rdata.length);
|
||||||
if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
|
if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
key = NULL;
|
dstkey = NULL;
|
||||||
result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &key);
|
result = dst_key_fromdns(name, rdata.rdclass, &b, mctx, &dstkey);
|
||||||
if (result != ISC_R_SUCCESS)
|
if (result != ISC_R_SUCCESS)
|
||||||
continue;
|
continue;
|
||||||
tk_list.key[tk_list.nb_tk++] = key;
|
tk_list.key[tk_list.nb_tk++] = dstkey;
|
||||||
}
|
}
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
}
|
}
|
||||||
@ -4753,7 +4747,7 @@ char alphnum[] =
|
|||||||
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
||||||
|
|
||||||
isc_result_t
|
isc_result_t
|
||||||
removetmpkey(isc_mem_t *mctx, const char *file)
|
removetmpkey(const char *file)
|
||||||
{
|
{
|
||||||
char *tempnamekey = NULL;
|
char *tempnamekey = NULL;
|
||||||
int tempnamekeylen;
|
int tempnamekeylen;
|
||||||
@ -4777,8 +4771,7 @@ removetmpkey(isc_mem_t *mctx, const char *file)
|
|||||||
}
|
}
|
||||||
|
|
||||||
isc_result_t
|
isc_result_t
|
||||||
get_trusted_key(isc_mem_t *mctx)
|
get_trusted_key(void) {
|
||||||
{
|
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
const char *filename = NULL;
|
const char *filename = NULL;
|
||||||
dns_rdatacallbacks_t callbacks;
|
dns_rdatacallbacks_t callbacks;
|
||||||
@ -4829,7 +4822,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
|
|||||||
check_result(result, "nameFromString");
|
check_result(result, "nameFromString");
|
||||||
|
|
||||||
if (dns_name_dynamic(p_ret))
|
if (dns_name_dynamic(p_ret))
|
||||||
free_name(p_ret, mctx);
|
free_name(p_ret);
|
||||||
|
|
||||||
result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
|
result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
|
||||||
check_result(result, "nameFromString");
|
check_result(result, "nameFromString");
|
||||||
@ -4878,7 +4871,6 @@ prepare_lookup(dns_name_t *name)
|
|||||||
#define __FOLLOW_GLUE__
|
#define __FOLLOW_GLUE__
|
||||||
#ifdef __FOLLOW_GLUE__
|
#ifdef __FOLLOW_GLUE__
|
||||||
isc_buffer_t *b = NULL;
|
isc_buffer_t *b = NULL;
|
||||||
isc_result_t result;
|
|
||||||
isc_region_t r;
|
isc_region_t r;
|
||||||
dns_rdataset_t *rdataset = NULL;
|
dns_rdataset_t *rdataset = NULL;
|
||||||
isc_boolean_t true = ISC_TRUE;
|
isc_boolean_t true = ISC_TRUE;
|
||||||
@ -4973,7 +4965,7 @@ prepare_lookup(dns_name_t *name)
|
|||||||
printf(" for zone: %s", lookup->textname);
|
printf(" for zone: %s", lookup->textname);
|
||||||
printf(" with nameservers:");
|
printf(" with nameservers:");
|
||||||
printf("\n");
|
printf("\n");
|
||||||
print_rdataset(name, chase_nsrdataset, mctx);
|
print_rdataset(name, chase_nsrdataset);
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5056,14 +5048,14 @@ initialization(dns_name_t *name)
|
|||||||
INSIST(chase_nsrdataset != NULL);
|
INSIST(chase_nsrdataset != NULL);
|
||||||
prepare_lookup(name);
|
prepare_lookup(name);
|
||||||
|
|
||||||
dup_name(name, &chase_current_name, mctx);
|
dup_name(name, &chase_current_name);
|
||||||
|
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void
|
void
|
||||||
print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
|
print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset)
|
||||||
{
|
{
|
||||||
isc_buffer_t *b = NULL;
|
isc_buffer_t *b = NULL;
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
@ -5085,17 +5077,17 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
|
|||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
|
dup_name(dns_name_t *source, dns_name_t *target) {
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
|
|
||||||
if (dns_name_dynamic(target))
|
if (dns_name_dynamic(target))
|
||||||
free_name(target, mctx);
|
free_name(target);
|
||||||
result = dns_name_dup(source, mctx, target);
|
result = dns_name_dup(source, mctx, target);
|
||||||
check_result(result, "dns_name_dup");
|
check_result(result, "dns_name_dup");
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
free_name(dns_name_t *name, isc_mem_t *mctx) {
|
free_name(dns_name_t *name) {
|
||||||
dns_name_free(name, mctx);
|
dns_name_free(name, mctx);
|
||||||
dns_name_init(name, NULL);
|
dns_name_init(name, NULL);
|
||||||
}
|
}
|
||||||
@ -5112,8 +5104,7 @@ free_name(dns_name_t *name, isc_mem_t *mctx) {
|
|||||||
*/
|
*/
|
||||||
isc_result_t
|
isc_result_t
|
||||||
contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
||||||
dns_rdataset_t *sigrdataset,
|
dns_rdataset_t *sigrdataset)
|
||||||
isc_mem_t *mctx)
|
|
||||||
{
|
{
|
||||||
dns_rdataset_t myrdataset;
|
dns_rdataset_t myrdataset;
|
||||||
dst_key_t *dnsseckey = NULL;
|
dst_key_t *dnsseckey = NULL;
|
||||||
@ -5149,8 +5140,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
|||||||
dst_key_id(dnsseckey));
|
dst_key_id(dnsseckey));
|
||||||
result = sigchase_verify_sig_key(name, rdataset,
|
result = sigchase_verify_sig_key(name, rdataset,
|
||||||
dnsseckey,
|
dnsseckey,
|
||||||
sigrdataset,
|
sigrdataset);
|
||||||
mctx);
|
|
||||||
if (result == ISC_R_SUCCESS)
|
if (result == ISC_R_SUCCESS)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
@ -5158,19 +5148,20 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
|||||||
dst_key_free(&dnsseckey);
|
dst_key_free(&dnsseckey);
|
||||||
} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
|
} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
|
||||||
|
|
||||||
|
result = ISC_R_NOTFOUND;
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
if (dnsseckey != NULL)
|
if (dnsseckey != NULL)
|
||||||
dst_key_free(&dnsseckey);
|
dst_key_free(&dnsseckey);
|
||||||
dns_rdataset_disassociate(&myrdataset);
|
dns_rdataset_disassociate(&myrdataset);
|
||||||
|
|
||||||
return (ISC_R_NOTFOUND);
|
return (result);
|
||||||
}
|
}
|
||||||
|
|
||||||
isc_result_t
|
isc_result_t
|
||||||
sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
|
sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
|
||||||
dns_rdataset_t *keyrdataset,
|
dns_rdataset_t *keyrdataset,
|
||||||
dns_rdataset_t *sigrdataset,
|
dns_rdataset_t *sigrdataset)
|
||||||
isc_mem_t *mctx)
|
|
||||||
{
|
{
|
||||||
dns_rdataset_t mykeyrdataset;
|
dns_rdataset_t mykeyrdataset;
|
||||||
dst_key_t *dnsseckey = NULL;
|
dst_key_t *dnsseckey = NULL;
|
||||||
@ -5193,7 +5184,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
|
|||||||
check_result(result, "dns_dnssec_keyfromrdata");
|
check_result(result, "dns_dnssec_keyfromrdata");
|
||||||
|
|
||||||
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
|
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
|
||||||
sigrdataset, mctx);
|
sigrdataset);
|
||||||
if (result == ISC_R_SUCCESS)
|
if (result == ISC_R_SUCCESS)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
dst_key_free(&dnsseckey);
|
dst_key_free(&dnsseckey);
|
||||||
@ -5211,8 +5202,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
|
|||||||
|
|
||||||
isc_result_t
|
isc_result_t
|
||||||
sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
||||||
dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
|
dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset)
|
||||||
isc_mem_t *mctx)
|
|
||||||
{
|
{
|
||||||
dns_rdata_sig_t siginfo;
|
dns_rdata_sig_t siginfo;
|
||||||
dns_rdataset_t myrdataset;
|
dns_rdataset_t myrdataset;
|
||||||
@ -5271,7 +5261,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
|
|||||||
|
|
||||||
isc_result_t
|
isc_result_t
|
||||||
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
|
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
|
||||||
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
|
dns_rdataset_t *dsrdataset)
|
||||||
{
|
{
|
||||||
dns_rdata_ds_t dsinfo;
|
dns_rdata_ds_t dsinfo;
|
||||||
dns_rdataset_t mydsrdataset;
|
dns_rdataset_t mydsrdataset;
|
||||||
@ -5338,8 +5328,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
|
|||||||
result = sigchase_verify_sig_key(name,
|
result = sigchase_verify_sig_key(name,
|
||||||
keyrdataset,
|
keyrdataset,
|
||||||
dnsseckey,
|
dnsseckey,
|
||||||
chase_sigkeyrdataset,
|
chase_sigkeyrdataset);
|
||||||
mctx);
|
|
||||||
if (result == ISC_R_SUCCESS)
|
if (result == ISC_R_SUCCESS)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
} else {
|
} else {
|
||||||
@ -5445,7 +5434,7 @@ sigchase_td(dns_message_t *msg)
|
|||||||
dns_rdatatype_ns,
|
dns_rdatatype_ns,
|
||||||
dns_rdatatype_any,
|
dns_rdatatype_any,
|
||||||
DNS_SECTION_AUTHORITY);
|
DNS_SECTION_AUTHORITY);
|
||||||
dup_name(name, &chase_authority_name, mctx);
|
dup_name(name, &chase_authority_name);
|
||||||
if (chase_nsrdataset != NULL) {
|
if (chase_nsrdataset != NULL) {
|
||||||
have_delegation_ns = ISC_TRUE;
|
have_delegation_ns = ISC_TRUE;
|
||||||
printf("no response but there is a delegation"
|
printf("no response but there is a delegation"
|
||||||
@ -5463,7 +5452,7 @@ sigchase_td(dns_message_t *msg)
|
|||||||
} else {
|
} else {
|
||||||
printf(";; NO ANSWERS: %s\n",
|
printf(";; NO ANSWERS: %s\n",
|
||||||
isc_result_totext(result));
|
isc_result_totext(result));
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -5495,7 +5484,7 @@ sigchase_td(dns_message_t *msg)
|
|||||||
return;
|
return;
|
||||||
INSIST(chase_keyrdataset != NULL);
|
INSIST(chase_keyrdataset != NULL);
|
||||||
printf("\n;; DNSKEYset:\n");
|
printf("\n;; DNSKEYset:\n");
|
||||||
print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
|
print_rdataset(&chase_current_name , chase_keyrdataset);
|
||||||
|
|
||||||
|
|
||||||
result = advanced_rrsearch(&chase_sigkeyrdataset,
|
result = advanced_rrsearch(&chase_sigkeyrdataset,
|
||||||
@ -5512,22 +5501,20 @@ sigchase_td(dns_message_t *msg)
|
|||||||
return;
|
return;
|
||||||
INSIST(chase_sigkeyrdataset != NULL);
|
INSIST(chase_sigkeyrdataset != NULL);
|
||||||
printf("\n;; RRSIG of the DNSKEYset:\n");
|
printf("\n;; RRSIG of the DNSKEYset:\n");
|
||||||
print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
|
print_rdataset(&chase_current_name , chase_sigkeyrdataset);
|
||||||
|
|
||||||
|
|
||||||
if (!chase_dslookedup && !chase_nslookedup) {
|
if (!chase_dslookedup && !chase_nslookedup) {
|
||||||
if (!delegation_follow) {
|
if (!delegation_follow) {
|
||||||
result = contains_trusted_key(&chase_current_name,
|
result = contains_trusted_key(&chase_current_name,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
chase_sigkeyrdataset,
|
chase_sigkeyrdataset);
|
||||||
mctx);
|
|
||||||
} else {
|
} else {
|
||||||
INSIST(chase_dsrdataset != NULL);
|
INSIST(chase_dsrdataset != NULL);
|
||||||
INSIST(chase_sigdsrdataset != NULL);
|
INSIST(chase_sigdsrdataset != NULL);
|
||||||
result = sigchase_verify_ds(&chase_current_name,
|
result = sigchase_verify_ds(&chase_current_name,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
chase_dsrdataset,
|
chase_dsrdataset);
|
||||||
mctx);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
@ -5586,8 +5573,8 @@ sigchase_td(dns_message_t *msg)
|
|||||||
result = child_of_zone(&chase_name, &chase_current_name,
|
result = child_of_zone(&chase_name, &chase_current_name,
|
||||||
&tmp_name);
|
&tmp_name);
|
||||||
if (dns_name_dynamic(&chase_authority_name))
|
if (dns_name_dynamic(&chase_authority_name))
|
||||||
free_name(&chase_authority_name, mctx);
|
free_name(&chase_authority_name);
|
||||||
dup_name(&tmp_name, &chase_authority_name, mctx);
|
dup_name(&tmp_name, &chase_authority_name);
|
||||||
printf(";; and we try to continue chain of trust"
|
printf(";; and we try to continue chain of trust"
|
||||||
" validation of the zone: ");
|
" validation of the zone: ");
|
||||||
dns_name_print(&chase_authority_name, stdout);
|
dns_name_print(&chase_authority_name, stdout);
|
||||||
@ -5632,7 +5619,7 @@ sigchase_td(dns_message_t *msg)
|
|||||||
return;
|
return;
|
||||||
INSIST(chase_dsrdataset != NULL);
|
INSIST(chase_dsrdataset != NULL);
|
||||||
printf("\n;; DSset:\n");
|
printf("\n;; DSset:\n");
|
||||||
print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
|
print_rdataset(&chase_authority_name , chase_dsrdataset);
|
||||||
|
|
||||||
result = advanced_rrsearch(&chase_sigdsrdataset,
|
result = advanced_rrsearch(&chase_sigdsrdataset,
|
||||||
&chase_authority_name,
|
&chase_authority_name,
|
||||||
@ -5645,14 +5632,13 @@ sigchase_td(dns_message_t *msg)
|
|||||||
goto cleanandgo;
|
goto cleanandgo;
|
||||||
}
|
}
|
||||||
printf("\n;; RRSIGset of DSset\n");
|
printf("\n;; RRSIGset of DSset\n");
|
||||||
print_rdataset(&chase_authority_name,
|
print_rdataset(&chase_authority_name, chase_sigdsrdataset);
|
||||||
chase_sigdsrdataset, mctx);
|
|
||||||
INSIST(chase_sigdsrdataset != NULL);
|
INSIST(chase_sigdsrdataset != NULL);
|
||||||
|
|
||||||
result = sigchase_verify_sig(&chase_authority_name,
|
result = sigchase_verify_sig(&chase_authority_name,
|
||||||
chase_dsrdataset,
|
chase_dsrdataset,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
chase_sigdsrdataset, mctx);
|
chase_sigdsrdataset);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
printf("\n;; Impossible to verify the DSset:"
|
printf("\n;; Impossible to verify the DSset:"
|
||||||
" FAILED\n\n");
|
" FAILED\n\n");
|
||||||
@ -5668,8 +5654,8 @@ sigchase_td(dns_message_t *msg)
|
|||||||
have_delegation_ns = ISC_FALSE;
|
have_delegation_ns = ISC_FALSE;
|
||||||
delegation_follow = ISC_TRUE;
|
delegation_follow = ISC_TRUE;
|
||||||
error_message = NULL;
|
error_message = NULL;
|
||||||
dup_name(&chase_authority_name, &chase_current_name, mctx);
|
dup_name(&chase_authority_name, &chase_current_name);
|
||||||
free_name(&chase_authority_name, mctx);
|
free_name(&chase_authority_name);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5694,14 +5680,14 @@ sigchase_td(dns_message_t *msg)
|
|||||||
}
|
}
|
||||||
ret = sigchase_verify_sig(&rdata_name, rdataset,
|
ret = sigchase_verify_sig(&rdata_name, rdataset,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
sigrdataset, mctx);
|
sigrdataset);
|
||||||
if (ret != ISC_R_SUCCESS) {
|
if (ret != ISC_R_SUCCESS) {
|
||||||
free_name(&rdata_name, mctx);
|
free_name(&rdata_name);
|
||||||
printf("\n;; Impossible to verify the NSEC RR to prove"
|
printf("\n;; Impossible to verify the NSEC RR to prove"
|
||||||
" the non-existence : FAILED\n\n");
|
" the non-existence : FAILED\n\n");
|
||||||
goto cleanandgo;
|
goto cleanandgo;
|
||||||
}
|
}
|
||||||
free_name(&rdata_name, mctx);
|
free_name(&rdata_name);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
printf("\n;; Impossible to verify the non-existence:"
|
printf("\n;; Impossible to verify the non-existence:"
|
||||||
" FAILED\n\n");
|
" FAILED\n\n");
|
||||||
@ -5716,9 +5702,9 @@ sigchase_td(dns_message_t *msg)
|
|||||||
cleanandgo:
|
cleanandgo:
|
||||||
printf(";; cleanandgo \n");
|
printf(";; cleanandgo \n");
|
||||||
if (dns_name_dynamic(&chase_current_name))
|
if (dns_name_dynamic(&chase_current_name))
|
||||||
free_name(&chase_current_name, mctx);
|
free_name(&chase_current_name);
|
||||||
if (dns_name_dynamic(&chase_authority_name))
|
if (dns_name_dynamic(&chase_authority_name))
|
||||||
free_name(&chase_authority_name, mctx);
|
free_name(&chase_authority_name);
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
return;
|
return;
|
||||||
|
|
||||||
@ -5734,22 +5720,22 @@ sigchase_td(dns_message_t *msg)
|
|||||||
}
|
}
|
||||||
result = sigchase_verify_sig(&chase_name, chase_rdataset,
|
result = sigchase_verify_sig(&chase_name, chase_rdataset,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
chase_sigrdataset, mctx);
|
chase_sigrdataset);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
printf("\n;; Impossible to verify the RRset : FAILED\n\n");
|
printf("\n;; Impossible to verify the RRset : FAILED\n\n");
|
||||||
/*
|
/*
|
||||||
printf("RRset:\n");
|
printf("RRset:\n");
|
||||||
print_rdataset(&chase_name , chase_rdataset, mctx);
|
print_rdataset(&chase_name , chase_rdataset);
|
||||||
printf("DNSKEYset:\n");
|
printf("DNSKEYset:\n");
|
||||||
print_rdataset(&chase_name , chase_keyrdataset, mctx);
|
print_rdataset(&chase_name , chase_keyrdataset);
|
||||||
printf("RRSIG of RRset:\n");
|
printf("RRSIG of RRset:\n");
|
||||||
print_rdataset(&chase_name , chase_sigrdataset, mctx);
|
print_rdataset(&chase_name , chase_sigrdataset);
|
||||||
printf("\n");
|
printf("\n");
|
||||||
*/
|
*/
|
||||||
goto cleanandgo;
|
goto cleanandgo;
|
||||||
} else {
|
} else {
|
||||||
printf("\n;; The Answer:\n");
|
printf("\n;; The Answer:\n");
|
||||||
print_rdataset(&chase_name , chase_rdataset, mctx);
|
print_rdataset(&chase_name , chase_rdataset);
|
||||||
|
|
||||||
printf("\n;; FINISH : we have validate the DNSSEC chain"
|
printf("\n;; FINISH : we have validate the DNSSEC chain"
|
||||||
" of trust: SUCCESS\n\n");
|
" of trust: SUCCESS\n\n");
|
||||||
@ -5790,9 +5776,9 @@ getneededrr(dns_message_t *msg)
|
|||||||
printf("\n;; No Answers: Validation FAILED\n\n");
|
printf("\n;; No Answers: Validation FAILED\n\n");
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
dup_name(name, &chase_name, mctx);
|
dup_name(name, &chase_name);
|
||||||
printf(";; RRset to chase:\n");
|
printf(";; RRset to chase:\n");
|
||||||
print_rdataset(&chase_name, chase_rdataset, mctx);
|
print_rdataset(&chase_name, chase_rdataset);
|
||||||
}
|
}
|
||||||
INSIST(chase_rdataset != NULL);
|
INSIST(chase_rdataset != NULL);
|
||||||
|
|
||||||
@ -5806,14 +5792,14 @@ getneededrr(dns_message_t *msg)
|
|||||||
printf("\n;; RRSIG is missing for continue validation:"
|
printf("\n;; RRSIG is missing for continue validation:"
|
||||||
" FAILED\n\n");
|
" FAILED\n\n");
|
||||||
if (dns_name_dynamic(&chase_name))
|
if (dns_name_dynamic(&chase_name))
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
if (result == ISC_R_NOTFOUND) {
|
if (result == ISC_R_NOTFOUND) {
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
printf("\n;; RRSIG of the RRset to chase:\n");
|
printf("\n;; RRSIG of the RRset to chase:\n");
|
||||||
print_rdataset(&chase_name, chase_sigrdataset, mctx);
|
print_rdataset(&chase_name, chase_sigrdataset);
|
||||||
}
|
}
|
||||||
INSIST(chase_sigrdataset != NULL);
|
INSIST(chase_sigrdataset != NULL);
|
||||||
|
|
||||||
@ -5824,7 +5810,7 @@ getneededrr(dns_message_t *msg)
|
|||||||
dns_rdataset_current(chase_sigrdataset, &sigrdata);
|
dns_rdataset_current(chase_sigrdataset, &sigrdata);
|
||||||
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
|
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
|
||||||
check_result(result, "sigrdata tostruct siginfo");
|
check_result(result, "sigrdata tostruct siginfo");
|
||||||
dup_name(&siginfo.signer, &chase_signame, mctx);
|
dup_name(&siginfo.signer, &chase_signame);
|
||||||
dns_rdata_freestruct(&siginfo);
|
dns_rdata_freestruct(&siginfo);
|
||||||
dns_rdata_reset(&sigrdata);
|
dns_rdata_reset(&sigrdata);
|
||||||
|
|
||||||
@ -5838,17 +5824,17 @@ getneededrr(dns_message_t *msg)
|
|||||||
if (result == ISC_R_FAILURE) {
|
if (result == ISC_R_FAILURE) {
|
||||||
printf("\n;; DNSKEY is missing to continue validation:"
|
printf("\n;; DNSKEY is missing to continue validation:"
|
||||||
" FAILED\n\n");
|
" FAILED\n\n");
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
if (dns_name_dynamic(&chase_name))
|
if (dns_name_dynamic(&chase_name))
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
if (result == ISC_R_NOTFOUND) {
|
if (result == ISC_R_NOTFOUND) {
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
printf("\n;; DNSKEYset that signs the RRset to chase:\n");
|
printf("\n;; DNSKEYset that signs the RRset to chase:\n");
|
||||||
print_rdataset(&chase_signame, chase_keyrdataset, mctx);
|
print_rdataset(&chase_signame, chase_keyrdataset);
|
||||||
}
|
}
|
||||||
INSIST(chase_keyrdataset != NULL);
|
INSIST(chase_keyrdataset != NULL);
|
||||||
|
|
||||||
@ -5861,18 +5847,18 @@ getneededrr(dns_message_t *msg)
|
|||||||
if (result == ISC_R_FAILURE) {
|
if (result == ISC_R_FAILURE) {
|
||||||
printf("\n;; RRSIG for DNSKEY is missing to continue"
|
printf("\n;; RRSIG for DNSKEY is missing to continue"
|
||||||
" validation : FAILED\n\n");
|
" validation : FAILED\n\n");
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
if (dns_name_dynamic(&chase_name))
|
if (dns_name_dynamic(&chase_name))
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
if (result == ISC_R_NOTFOUND) {
|
if (result == ISC_R_NOTFOUND) {
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
printf("\n;; RRSIG of the DNSKEYset that signs the "
|
printf("\n;; RRSIG of the DNSKEYset that signs the "
|
||||||
"RRset to chase:\n");
|
"RRset to chase:\n");
|
||||||
print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
|
print_rdataset(&chase_signame, chase_sigkeyrdataset);
|
||||||
}
|
}
|
||||||
INSIST(chase_sigkeyrdataset != NULL);
|
INSIST(chase_sigkeyrdataset != NULL);
|
||||||
|
|
||||||
@ -5887,12 +5873,12 @@ getneededrr(dns_message_t *msg)
|
|||||||
printf("\n");
|
printf("\n");
|
||||||
}
|
}
|
||||||
if (result == ISC_R_NOTFOUND) {
|
if (result == ISC_R_NOTFOUND) {
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
return (ISC_R_NOTFOUND);
|
return (ISC_R_NOTFOUND);
|
||||||
}
|
}
|
||||||
if (chase_dsrdataset != NULL) {
|
if (chase_dsrdataset != NULL) {
|
||||||
printf("\n;; DSset of the DNSKEYset\n");
|
printf("\n;; DSset of the DNSKEYset\n");
|
||||||
print_rdataset(&chase_signame, chase_dsrdataset, mctx);
|
print_rdataset(&chase_signame, chase_dsrdataset);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5915,8 +5901,7 @@ getneededrr(dns_message_t *msg)
|
|||||||
chase_dsrdataset = NULL;
|
chase_dsrdataset = NULL;
|
||||||
} else {
|
} else {
|
||||||
printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
|
printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
|
||||||
print_rdataset(&chase_signame, chase_sigdsrdataset,
|
print_rdataset(&chase_signame, chase_sigdsrdataset);
|
||||||
mctx);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return (1);
|
return (1);
|
||||||
@ -5931,7 +5916,7 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (tk_list.nb_tk == 0) {
|
if (tk_list.nb_tk == 0) {
|
||||||
result = get_trusted_key(mctx);
|
result = get_trusted_key();
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
printf("No trusted keys present\n");
|
printf("No trusted keys present\n");
|
||||||
return;
|
return;
|
||||||
@ -5958,7 +5943,7 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
result = prove_nx(msg, &query_name, current_lookup->rdclass,
|
result = prove_nx(msg, &query_name, current_lookup->rdclass,
|
||||||
current_lookup->rdtype, &rdata_name,
|
current_lookup->rdtype, &rdata_name,
|
||||||
&rdataset, &sigrdataset);
|
&rdataset, &sigrdataset);
|
||||||
free_name(&query_name, mctx);
|
free_name(&query_name);
|
||||||
if (rdataset == NULL || sigrdataset == NULL ||
|
if (rdataset == NULL || sigrdataset == NULL ||
|
||||||
dns_name_countlabels(&rdata_name) == 0) {
|
dns_name_countlabels(&rdata_name) == 0) {
|
||||||
printf("\n;; Impossible to verify the Non-existence,"
|
printf("\n;; Impossible to verify the Non-existence,"
|
||||||
@ -5977,8 +5962,8 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
printf(";; An NSEC prove the non-existence of a answers,"
|
printf(";; An NSEC prove the non-existence of a answers,"
|
||||||
" Now we want validate this NSEC\n");
|
" Now we want validate this NSEC\n");
|
||||||
|
|
||||||
dup_name(&rdata_name, &chase_name, mctx);
|
dup_name(&rdata_name, &chase_name);
|
||||||
free_name(&rdata_name, mctx);
|
free_name(&rdata_name);
|
||||||
chase_rdataset = rdataset;
|
chase_rdataset = rdataset;
|
||||||
chase_sigrdataset = sigrdataset;
|
chase_sigrdataset = sigrdataset;
|
||||||
chase_keyrdataset = NULL;
|
chase_keyrdataset = NULL;
|
||||||
@ -5999,10 +5984,10 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
|
|
||||||
result = sigchase_verify_sig(&chase_name, chase_rdataset,
|
result = sigchase_verify_sig(&chase_name, chase_rdataset,
|
||||||
chase_keyrdataset,
|
chase_keyrdataset,
|
||||||
chase_sigrdataset, mctx);
|
chase_sigrdataset);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
printf(";; No DNSKEY is valid to check the RRSIG"
|
printf(";; No DNSKEY is valid to check the RRSIG"
|
||||||
" of the RRset: FAILED\n");
|
" of the RRset: FAILED\n");
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
@ -6011,10 +5996,10 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
|
printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
|
||||||
|
|
||||||
result = contains_trusted_key(&chase_signame, chase_keyrdataset,
|
result = contains_trusted_key(&chase_signame, chase_keyrdataset,
|
||||||
chase_sigkeyrdataset, mctx);
|
chase_sigkeyrdataset);
|
||||||
if (result == ISC_R_SUCCESS) {
|
if (result == ISC_R_SUCCESS) {
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
printf("\n;; Ok this DNSKEY is a Trusted Key,"
|
printf("\n;; Ok this DNSKEY is a Trusted Key,"
|
||||||
" DNSSEC validation is ok: SUCCESS\n\n");
|
" DNSSEC validation is ok: SUCCESS\n\n");
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
@ -6024,8 +6009,8 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
printf(";; Now, we are going to validate this DNSKEY by the DS\n");
|
printf(";; Now, we are going to validate this DNSKEY by the DS\n");
|
||||||
|
|
||||||
if (chase_dsrdataset == NULL) {
|
if (chase_dsrdataset == NULL) {
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
printf(";; the DNSKEY isn't trusted-key and there isn't"
|
printf(";; the DNSKEY isn't trusted-key and there isn't"
|
||||||
" DS to validate the DNSKEY: FAILED\n");
|
" DS to validate the DNSKEY: FAILED\n");
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
@ -6033,10 +6018,10 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
}
|
}
|
||||||
|
|
||||||
result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
|
result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
|
||||||
chase_dsrdataset, mctx);
|
chase_dsrdataset);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
free_name(&chase_name, mctx);
|
free_name(&chase_name);
|
||||||
printf(";; ERROR no DS validates a DNSKEY in the"
|
printf(";; ERROR no DS validates a DNSKEY in the"
|
||||||
" DNSKEY RRset: FAILED\n");
|
" DNSKEY RRset: FAILED\n");
|
||||||
clean_trustedkey();
|
clean_trustedkey();
|
||||||
@ -6047,8 +6032,8 @@ sigchase_bu(dns_message_t *msg)
|
|||||||
" the RRset\n");
|
" the RRset\n");
|
||||||
INSIST(chase_sigdsrdataset != NULL);
|
INSIST(chase_sigdsrdataset != NULL);
|
||||||
|
|
||||||
dup_name(&chase_signame, &chase_name, mctx);
|
dup_name(&chase_signame, &chase_name);
|
||||||
free_name(&chase_signame, mctx);
|
free_name(&chase_signame);
|
||||||
chase_rdataset = chase_dsrdataset;
|
chase_rdataset = chase_dsrdataset;
|
||||||
chase_sigrdataset = chase_sigdsrdataset;
|
chase_sigrdataset = chase_sigdsrdataset;
|
||||||
chase_keyrdataset = NULL;
|
chase_keyrdataset = NULL;
|
||||||
@ -6161,7 +6146,7 @@ prove_nx_domain(dns_message_t *msg,
|
|||||||
|
|
||||||
printf("There is a NSEC for this zone in the"
|
printf("There is a NSEC for this zone in the"
|
||||||
" AUTHORITY section:\n");
|
" AUTHORITY section:\n");
|
||||||
print_rdataset(nsecname, nsecset, mctx);
|
print_rdataset(nsecname, nsecset);
|
||||||
|
|
||||||
for (result = dns_rdataset_first(nsecset);
|
for (result = dns_rdataset_first(nsecset);
|
||||||
result == ISC_R_SUCCESS;
|
result == ISC_R_SUCCESS;
|
||||||
@ -6190,7 +6175,7 @@ prove_nx_domain(dns_message_t *msg,
|
|||||||
dns_rdata_freestruct(&nsecstruct);
|
dns_rdata_freestruct(&nsecstruct);
|
||||||
*rdataset = nsecset;
|
*rdataset = nsecset;
|
||||||
*sigrdataset = signsecset;
|
*sigrdataset = signsecset;
|
||||||
dup_name(nsecname, rdata_name, mctx);
|
dup_name(nsecname, rdata_name);
|
||||||
|
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
}
|
}
|
||||||
@ -6243,7 +6228,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
|
|||||||
printf("There isn't RRSIG NSEC for the zone \n");
|
printf("There isn't RRSIG NSEC for the zone \n");
|
||||||
return (ISC_R_FAILURE);
|
return (ISC_R_FAILURE);
|
||||||
}
|
}
|
||||||
dup_name(name, rdata_name, mctx);
|
dup_name(name, rdata_name);
|
||||||
*rdataset = nsecset;
|
*rdataset = nsecset;
|
||||||
*sigrdataset = signsecset;
|
*sigrdataset = signsecset;
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user