--- /dev/null
+package com.verisign.cl;
+
+import java.util.*;
+
+import org.xbill.DNS.*;
+import com.verisign.tat.dnssec.CaptiveValidator;
+
+public class DNSSECReconciler {
+
+ /**
+ * Invoke with java -jar dnssecreconciler.jar server=127.0.0.1 \
+ * query_file=queries.txt dnskey_query=net dnskey_query=edu
+ */
+ private CaptiveValidator validator;
+
+ // Options
+ public String server;
+ public String query;
+ public String queryFile;
+ public String dnskeyFile;
+ public List<String> dnskeyNames;
+
+ DNSSECReconciler() {
+ validator = new CaptiveValidator();
+ }
+
+ public void execute() {
+
+ }
+
+ private static void usage() {
+ System.err.println("usage: java -jar dnssecreconiler.jar [..options..]");
+ System.err.println(" server: the DNS server to query.");
+ System.err.println(" query: a name [type [flags]] string.");
+ System.err.println(" query_file: a list of queries, one query per line.");
+ System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
+ System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat");
+ }
+
+ public static int main(String[] argv) {
+
+ DNSSECReconciler dr = new DNSSECReconciler();
+
+ try {
+ // Parse the command line options
+ for (String arg : argv) {
+
+ if (arg.indexOf('=') < 0) {
+ System.err.println("Unrecognized option: " + arg);
+ usage();
+ return 1;
+ }
+
+ String[] split_arg = arg.split("[ \t]*=[ \t]*", 2);
+ String opt = split_arg[0];
+ String optarg = split_arg[1];
+
+ if (opt.equals("server")) {
+ dr.server = optarg;
+ } else if (opt.equals("query_file")) {
+ dr.queryFile = optarg;
+ } else if (opt.equals("dnskey_file")) {
+ dr.dnskeyFile = optarg;
+ } else if (opt.equals("dnskey_query")) {
+ if (dr.dnskeyNames == null) {
+ dr.dnskeyNames = new ArrayList<String>();
+ }
+ dr.dnskeyNames.add(optarg);
+ } else {
+ System.err.println("Unrecognized option: " + opt);
+ usage();
+ return 1;
+ }
+ }
+
+ // Check for minimum usage
+ if (dr.server == null) {
+ System.err.println("'server' must be specified");
+ usage();
+ return 1;
+ }
+ if (dr.query == null && dr.queryFile == null) {
+ System.err.println("Either 'query' or 'query_file' must be specified");
+ usage();
+ return 1;
+ }
+ if (dr.dnskeyFile == null && dr.dnskeyNames == null) {
+ System.err.println("Either 'dnskey_file' or 'dnskey_query' must be specified");
+ usage();
+ return 1;
+ }
+
+
+ // Execute the job
+ dr.execute();
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ return 1;
+ }
+
+ return 0;
+ }
+}
private DnsSecVerifier mVerifier;
private Logger log = Logger.getLogger(this.getClass());
+ private List<String> mErrorList;
+
public CaptiveValidator() {
- mVerifier = new DnsSecVerifier();
- mValUtils = new ValUtils(mVerifier);
- mTrustedKeys = new TrustAnchorStore();
+ mVerifier = new DnsSecVerifier();
+ mValUtils = new ValUtils(mVerifier);
+ mTrustedKeys = new TrustAnchorStore();
+ mErrorList = new ArrayList<String>();
}
// ---------------- Module Initialization -------------------
// Follow the CNAME chain.
if (type == Type.CNAME) {
if (rrset.size() > 1) {
- log.debug("Found CNAME rrset with size > 1: " + rrset);
+ mErrorList.add("Found CNAME rrset with size > 1: " + rrset);
m.setStatus(SecurityStatus.INVALID);
return m;
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) {
- // log.debug("Positive wildcard response wasn't generated "
- // + "by the correct wildcard");
+ mErrorList.add("Positive wildcard response wasn't generated by the correct wildcard");
m.setStatus(SecurityStatus.BOGUS);
return;
// records.
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
- wc)) {
+ wc, mErrorList)) {
wcNSEC_ok = true;
}
}
// have
// a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
// Now to check to see if we have a valid combination of things.
if (delegation == null) {
// somehow we have a referral without an NS rrset.
+ mErrorList.add("Apparent referral does not contain NS RRset");
m.setStatus(SecurityStatus.BOGUS);
return;
if (secure_delegation) {
if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
// we found both a DS rrset *and* NSEC/NSEC3 rrsets!
+ mErrorList.add("Referral contains both DS and NSEC/NSEC3 RRsets");
m.setStatus(SecurityStatus.BOGUS);
return;
if (status != SecurityStatus.SECURE) {
// The NSEC *must* prove that there was no DS record. The
// INSECURE state here is still bogus.
+ mErrorList.add("Referral does not contain a NSEC record proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (nsec3s.size() > 0) {
- byte status = NSEC3ValUtils
- .proveNoDS(nsec3s, delegation, nsec3zone);
+ byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone, mErrorList);
if (status != SecurityStatus.SECURE) {
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
// actually bogus
+ mErrorList.add("Referral does not contain NSEC3 record(s) proving no DS");
m.setStatus(SecurityStatus.BOGUS);
return;
}
// failed to find proof either way.
+ mErrorList.add("Referral does not contain proof of no DS");
m.setStatus(SecurityStatus.BOGUS);
}
- private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
- }
+ // FIXME: write CNAME validation code.
+ private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
/**
* Given an "ANY" response -- a response that contains an answer to a
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed ANSWER rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed ANSWER rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
// If anything in the authority section fails to be secure, we have
- // a
- // bad message.
+ // a bad message.
if (status != SecurityStatus.SECURE) {
- log.debug("Positive response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("Positive response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
* @param key_rrset
* The trusted DNSKEY rrset that signs this response.
*/
- private void validateNodataResponse(SMessage message, SRRset key_rrset) {
- Name qname = message.getQName();
- int qtype = message.getQType();
+ private void validateNodataResponse(SMessage message, SRRset key_rrset, List<String> errorList) {
+ Name qname = message.getQName();
+ int qtype = message.getQType();
SMessage m = message;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NODATA response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NODATA response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
// try to prove NODATA with our NSEC3 record(s)
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
- nsec3Signer);
+ nsec3Signer, errorList);
}
if (!hasValidNSEC) {
log.debug("NODATA response failed to prove NODATA "
+ "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m);
+ mErrorList.add("NODATA response failed to prove NODATA status with NSEC/NSEC3");
m.setStatus(SecurityStatus.BOGUS);
return;
SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) {
- log
- .warn("NAME ERROR response contained records in the ANSWER SECTION");
+ log.warn(
+ "NameError response contained records in the ANSWER SECTION");
+ mErrorList.add("NameError response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID);
return;
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
- log.debug("NameError response has failed AUTHORITY rrset: "
- + rrsets[i]);
+ mErrorList.add("NameError response has failed AUTHORITY rrset: " +
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
return;
}
- hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
- nsec3Signer);
+ hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
+ nsec3Signer, mErrorList);
// Note that we assume that the NSEC3ValUtils proofs encompass the
// wildcard part of the proof.
// If the message fails to prove either condition, it is bogus.
if (!hasValidNSEC) {
- log.debug("NameError response has failed to prove: "
- + "qname does not exist");
+ mErrorList.add("NameError response has failed to prove qname does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (!hasValidWCNSEC) {
- log.debug("NameError response has failed to prove: "
- + "covering wildcard does not exist");
+ mErrorList.add("NameError response has failed to prove covering wildcard does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
public byte validateMessage(SMessage message, Name zone) {
+ mErrorList.clear();
if (!zone.isAbsolute()) {
try {
zone = Name.concatenate(zone, Name.root);
SRRset key_rrset = findKeys(message);
if (key_rrset == null) {
+ mErrorList.add("Failed to find matching DNSKEYs for the response");
return SecurityStatus.BOGUS;
}
break;
- case NODATA:
- log.trace("Validating a NODATA response");
- validateNodataResponse(message, key_rrset);
+ case NODATA:
+ log.trace("Validating a NODATA response");
+ validateNodataResponse(message, key_rrset, mErrorList);
break;
public List<String> listTrustedKeys() {
return mTrustedKeys.listTrustAnchors();
}
-}
+
+ public List<String> getErrorList() {
+ return mErrorList;
+ }
+ }
* An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash.
*/
- private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash,
- ByteArrayComparator bac) {
- byte[] owner = hash(nsec3.getName(), nsec3);
- byte[] next = nsec3.getNext();
+ private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
+ ByteArrayComparator bac) {
+ Name ownerName = nsec3.getName();
+ byte [] owner = b32.fromString(ownerName.getLabelString(0));
+ byte [] next = nsec3.getNext();
// This is the "normal case: owner < next and owner < hash < next
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
return true;
}
-
// this is the end of zone case: next < owner && hash > owner || hash <
// next
if ((bac.compare(next, owner) <= 0)
// FIXME: modify so that the NSEC3 matching the zone apex need not be
// present.
while (n.labels() >= zonename.labels()) {
- nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
- params, bac);
+ nsec3 = findMatchingNSEC3(hash(n, params), zonename,
+ nsec3s, params, bac);
if (nsec3 != null) {
return new CEResponse(n, nsec3);
* that matches it.
*/
private static CEResponse proveClosestEncloser(Name qname, Name zonename,
- List<NSEC3Record> nsec3s, NSEC3Parameters params,
- ByteArrayComparator bac, boolean proveDoesNotExist) {
+ List<NSEC3Record> nsec3s, NSEC3Parameters params,
+ ByteArrayComparator bac, boolean proveDoesNotExist, List<String> errorList) {
CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
params, bac);
if (candidate == null) {
- st_log.debug("proveClosestEncloser: could not find a "
- + "candidate for the closest encloser.");
+ errorList.add("Could not find a candidate for the closest encloser");
+ st_log.debug("proveClosestEncloser: could not find a " +
+ "candidate for the closest encloser.");
return null;
}
if (candidate.closestEncloser.equals(qname)) {
if (proveDoesNotExist) {
- st_log
- .debug("proveClosestEncloser: proved that qname existed!");
+ errorList.add("Proven closest encloser proved that the qname existed and should not have");
+ st_log.debug("proveClosestEncloser: proved that qname existed!");
return null;
}
// should have been a referral. If it is a DNAME, then it should have
// been
// a DNAME response.
- if (candidate.ce_nsec3.hasType(Type.NS)
- && !candidate.ce_nsec3.hasType(Type.SOA)) {
- st_log.debug("proveClosestEncloser: closest encloser "
- + "was a delegation!");
+ if (candidate.ce_nsec3.hasType(Type.NS) &&
+ !candidate.ce_nsec3.hasType(Type.SOA)) {
+ errorList.add("Proven closest encloser was a delegation");
+ st_log.debug("proveClosestEncloser: closest encloser " +
+ "was a delegation!");
return null;
}
if (candidate.ce_nsec3.hasType(Type.DNAME)) {
+ errorList.add("Proven closest encloser was a DNAME");
st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
return null;
params, bac);
if (candidate.nc_nsec3 == null) {
- st_log.debug("Could not find proof that the "
- + "closest encloser was the closest encloser");
+ errorList.add("Could not find proof that the closest encloser was the closest encloser");
+ errorList.add("hash " + hashName(nc_hash, zonename) + " is not covered by any NSEC3 RRs");
+ st_log.debug("Could not find proof that the " +
+ "closest encloser was the closest encloser");
return null;
}
* ignored.
*/
public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
- Name zonename) {
+ Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("Could not find a single set of "
- + "NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present");
+ st_log.debug("Could not find a single set of " +
+ "NSEC3 parameters (multiple parameters present).");
return false;
}
// First locate and prove the closest encloser to qname. We will use the
// variant that fails if the closest encloser turns out to be qname.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
if (ce == null) {
+ errorList.add("Failed to find the closest encloser as part of the NSEC3 proof");
st_log.debug("proveNameError: failed to prove a closest encloser.");
return false;
nsec3params, bac);
if (nsec3 == null) {
- st_log.debug("proveNameError: could not prove that the "
- + "applicable wildcard did not exist.");
+ errorList.add("Failed to prove that the applicable wildcard did not exist");
+ st_log.debug("proveNameError: could not prove that the " +
+ "applicable wildcard did not exist.");
return false;
}
* @return true if the NSEC3s prove the proposition.
*/
public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
- int qtype, Name zonename) {
+ int qtype, Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
// match qname. Although, at this point, we know that it won't since we
// just checked that.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
// At this point, not finding a match or a proven closest encloser is a
// problem.
* @return true if the NSEC3 records prove this case.
*/
public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
- Name zonename, Name wildcard) {
+ Name zonename, Name wildcard, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log
- .debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
+ st_log.debug(
+ "couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false;
}
zonename, nsec3s, nsec3params, bac);
if (candidate.nc_nsec3 == null) {
- st_log.debug("proveWildcard: did not find a covering NSEC3 "
- + "that covered the next closer name to " + qname
- + " from " + candidate.closestEncloser
- + " (derived from wildcard " + wildcard + ")");
+ errorList.add("Did not find a NSEC3 that covered the next closer name to '" +
+ qname + "' from '" + candidate.closestEncloser + "' (derived from the wildcard: " +
+ wildcard + ")");
+ st_log.debug("proveWildcard: did not find a covering NSEC3 " +
+ "that covered the next closer name to " + qname + " from " +
+ candidate.closestEncloser + " (derived from wildcard " +
+ wildcard + ")");
return false;
}
* work out.
*/
public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
- Name zonename) {
+ Name zonename, List<String> errorList) {
if ((nsec3s == null) || (nsec3s.size() == 0)) {
return SecurityStatus.BOGUS;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
- st_log.debug("couldn't find a single set of "
- + "NSEC3 parameters (multiple parameters present).");
+ errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)");
+ st_log.debug("couldn't find a single set of " +
+ "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS;
}
// zone (the child instead of the parent). If it has the DS bit set,
// then we were lied to.
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
+ errorList.add("Matching NSEC3 is incorrectly from the child instead of the parent (SOA or DS bit set)");
return SecurityStatus.BOGUS;
}
// Otherwise, we are probably in the opt-in case.
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
- nsec3params, bac, true);
+ nsec3params, bac, true, errorList);
if (ce == null) {
+ errorList.add("Failed to prove the closest encloser as part of a 'No DS' proof");
return SecurityStatus.BOGUS;
}
return SecurityStatus.SECURE;
}
+ errorList.add("Failed to find a covering NSEC3 for 'No DS' proof");
return SecurityStatus.BOGUS;
}