resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled

This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
author: Lennart Poettering <lennart@poettering.net> 2015-12-09 18:13:16 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-12-10 11:35:52 +0100
commit: 547973dea7abd6c124ff6c79fe2bbe322a7314ae (patch)
tree: c2e14c38c7f81d1b6f71cfd72f0f2a4bb4a39971 /src/resolve/resolved-dns-transaction.h
parent: aa89931749f081be8b1f90643c81ae2860257e53 (diff)
1 files changed, 26 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h
index af08b20e44..2328e7937c 100644
--- a/src/resolve/resolved-dns-transaction.h
+++ b/src/resolve/resolved-dns-transaction.h
@@ -28,6 +28,7 @@ typedef enum DnsTransactionSource DnsTransactionSource;
 enum DnsTransactionState {
         DNS_TRANSACTION_NULL,
         DNS_TRANSACTION_PENDING,
+        DNS_TRANSACTION_VALIDATING,
         DNS_TRANSACTION_FAILURE,
         DNS_TRANSACTION_SUCCESS,
         DNS_TRANSACTION_NO_SERVERS,
@@ -36,10 +37,13 @@ enum DnsTransactionState {
         DNS_TRANSACTION_INVALID_REPLY,
         DNS_TRANSACTION_RESOURCES,
         DNS_TRANSACTION_ABORTED,
+        DNS_TRANSACTION_DNSSEC_FAILED,
         _DNS_TRANSACTION_STATE_MAX,
         _DNS_TRANSACTION_STATE_INVALID = -1
 };
 
+#define DNS_TRANSACTION_IS_LIVE(state) IN_SET((state), DNS_TRANSACTION_NULL, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_VALIDATING)
+
 enum DnsTransactionSource {
         DNS_TRANSACTION_NETWORK,
         DNS_TRANSACTION_CACHE,
@@ -60,6 +64,8 @@ struct DnsTransaction {
         DnsResourceKey *key;
 
         DnsTransactionState state;
+        DnssecResult dnssec_result;
+
         uint16_t id;
 
         bool initial_jitter_scheduled;
@@ -72,6 +78,9 @@ struct DnsTransaction {
         DnsTransactionSource answer_source;
         bool answer_authenticated;
 
+        /* Contains DS and DNSKEY RRs we already verified and need to authenticate this reply */
+        DnsAnswer *validated_keys;
+
         usec_t start_usec;
         usec_t next_attempt_after;
         sd_event_source *timeout_event_source;
@@ -83,7 +92,7 @@ struct DnsTransaction {
         /* The active server */
         DnsServer *server;
 
-        /* the features of the DNS server at time of transaction start */
+        /* The features of the DNS server at time of transaction start */
         DnsServerFeatureLevel current_features;
 
         /* TCP connection logic, if we need it */
@@ -92,11 +101,21 @@ struct DnsTransaction {
         /* Query candidates this transaction is referenced by and that
          * shall be notified about this specific transaction
          * completing. */
-        Set *query_candidates;
+        Set *notify_query_candidates;
 
         /* Zone items this transaction is referenced by and that shall
          * be notified about completion. */
-        Set *zone_items;
+        Set *notify_zone_items;
+
+        /* Other transactions that this transactions is referenced by
+         * and that shall be notified about completion. This is used
+         * when transactions want to validate their RRsets, but need
+         * another DNSKEY or DS RR to do so. */
+        Set *notify_transactions;
+
+        /* The opposite direction: the transactions this transaction
+         * created in order to request DNSKEY or DS RRs. */
+        Set *dnssec_transactions;
 
         unsigned block_gc;
 
@@ -112,6 +131,10 @@ int dns_transaction_go(DnsTransaction *t);
 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p);
 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state);
 
+void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source);
+int dns_transaction_validate_dnssec(DnsTransaction *t);
+int dns_transaction_request_dnssec_keys(DnsTransaction *t);
+
 const char* dns_transaction_state_to_string(DnsTransactionState p) _const_;
 DnsTransactionState dns_transaction_state_from_string(const char *s) _pure_;
author	Lennart Poettering <lennart@poettering.net>	2015-12-09 18:13:16 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-12-10 11:35:52 +0100
commit	547973dea7abd6c124ff6c79fe2bbe322a7314ae (patch)
tree	c2e14c38c7f81d1b6f71cfd72f0f2a4bb4a39971 /src/resolve/resolved-dns-transaction.h
parent	aa89931749f081be8b1f90643c81ae2860257e53 (diff)