nsec3.c 20.6 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13
/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
14
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
15 16
 */

17 18 19 20 21 22 23
#include <assert.h>
#include <string.h>

#include <dnssec/binary.h>
#include <dnssec/error.h>
#include <dnssec/nsec.h>
#include <libknot/descriptor.h>
24
#include <contrib/base32hex.h>
25 26 27 28
#include <libknot/rrset.h>
#include <libknot/rrtype/nsec3.h>

#include "lib/defines.h"
29
#include "lib/dnssec/nsec.h"
30
#include "lib/dnssec/nsec3.h"
31 32 33

#define OPT_OUT_BIT 0x01

34 35 36 37 38 39
//#define FLG_CLOSEST_ENCLOSER (1 << 0)
#define FLG_CLOSEST_PROVABLE_ENCLOSER (1 << 1)
#define FLG_NAME_COVERED (1 << 2)
#define FLG_NAME_MATCHED (1 << 3)
#define FLG_TYPE_BIT_MISSING (1 << 4)
#define FLG_CNAME_BIT_MISSING (1 << 5)
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

/**
 * Obtains NSEC3 parameters from RR.
 * @param params NSEC3 parameters structure to be set.
 * @param nsec3  NSEC3 RR containing the parameters.
 * @return       0 or error code.
 */
static int nsec3_parameters(dnssec_nsec3_params_t *params, const knot_rrset_t *nsec3)
{
	assert(params && nsec3);

	const knot_rdata_t *rr = knot_rdataset_at(&nsec3->rrs, 0);
	assert(rr);

	/* Every NSEC3 RR contains data from NSEC3PARAMS. */
55
	const size_t SALT_OFFSET = 5; /* First 5 octets contain { Alg, Flags, Iterations, Salt length } */
56 57 58
	dnssec_binary_t rdata = {0, };
	rdata.size = SALT_OFFSET + (size_t) knot_nsec3_salt_length(&nsec3->rrs, 0);
	rdata.data = knot_rdata_data(rr);
59 60
	if (rdata.size > knot_rdata_rdlen(rr))
		return kr_error(EMSGSIZE);
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

	int ret = dnssec_nsec3_params_from_rdata(params, &rdata);
	if (ret != DNSSEC_EOK) {
		return kr_error(EINVAL);
	}

	return kr_ok();
}

/**
 * Computes a hash of a given domain name.
 * @param hash   Resulting hash, must be freed.
 * @param params NSEC3 parameters.
 * @param name   Domain name to be hashed.
 * @return       0 or error code.
 */
static int hash_name(dnssec_binary_t *hash, const dnssec_nsec3_params_t *params,
                     const knot_dname_t *name)
{
80 81 82
	assert(hash && params);
	if (!name)
		return kr_error(EINVAL);
83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

	dnssec_binary_t dname = {0, };
	dname.size = knot_dname_size(name);
	dname.data = (uint8_t *) name;

	int ret = dnssec_nsec3_hash(&dname, params, hash);
	if (ret != DNSSEC_EOK) {
		return kr_error(EINVAL);
	}

	return kr_ok();
}

/**
 * Read hash from NSEC3 owner name and store its binary form.
 * @param hash          Buffer to be written.
 * @param max_hash_size Maximal has size.
 * @param nsec3         NSEC3 RR.
 * @return              0 or error code.
 */
static int read_owner_hash(dnssec_binary_t *hash, size_t max_hash_size, const knot_rrset_t *nsec3)
{
	assert(hash && nsec3);
	assert(hash->data);

	int32_t ret = base32hex_decode(nsec3->owner + 1, nsec3->owner[0], hash->data, max_hash_size);
	if (ret < 0) {
110
		return kr_error(EILSEQ);
111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146
	}
	hash->size = ret;

	return kr_ok();
}

#define MAX_HASH_BYTES 64
/**
 * Closest (provable) encloser match (RFC5155 7.2.1, bullet 1).
 * @param flags   Flags to be set according to check outcome.
 * @param nsec3   NSEC3 RR.
 * @param name    Name to be checked.
 * @param skipped Number of skipped labels to find closest (provable) match.
 * @return        0 or error code.
 */
static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
                                  const knot_dname_t *name, unsigned *skipped)
{
	assert(flags && nsec3 && name && skipped);

	dnssec_binary_t owner_hash = {0, };
	uint8_t hash_data[MAX_HASH_BYTES] = {0, };
	owner_hash.data = hash_data;
	dnssec_nsec3_params_t params = {0, };
	dnssec_binary_t name_hash = {0, };

	int ret = read_owner_hash(&owner_hash, MAX_HASH_BYTES, nsec3);
	if (ret != 0) {
		goto fail;
	}

	ret = nsec3_parameters(&params, nsec3);
	if (ret != 0) {
		goto fail;
	}

147 148 149 150 151 152
	/* Root label has no encloser */
	if (!name[0]) {
		ret = kr_error(ENOENT);
		goto fail;
	}

153 154 155
	const knot_dname_t *encloser = knot_wire_next_label(name, NULL);
	*skipped = 1;

156
	while(encloser) {
157 158 159 160 161 162 163 164 165 166 167 168 169 170
		ret = hash_name(&name_hash, &params, encloser);
		if (ret != 0) {
			goto fail;
		}

		if ((owner_hash.size == name_hash.size) &&
		    (memcmp(owner_hash.data, name_hash.data, owner_hash.size) == 0)) {
			dnssec_binary_free(&name_hash);
			*flags |= FLG_CLOSEST_PROVABLE_ENCLOSER;
			break;
		}

		dnssec_binary_free(&name_hash);

171 172
		if (!encloser[0])
			break;
173 174
		encloser = knot_wire_next_label(encloser, NULL);
		++(*skipped);
175
	}
176 177 178 179 180 181 182 183 184 185 186 187 188 189

	ret = kr_ok();

fail:
	if (params.salt.data) {
		dnssec_nsec3_params_free(&params);
	}
	if (name_hash.data) {
		dnssec_binary_free(&name_hash);
	}
	return ret;
}

/**
190
 * Checks whether NSEC3 RR covers the supplied name (RFC5155 7.2.1, bullet 2).
191 192 193 194 195
 * @param flags Flags to be set according to check outcome.
 * @param nsec3 NSEC3 RR.
 * @param name  Name to be checked.
 * @return      0 or error code.
 */
196
static int covers_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t *name)
197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224
{
	assert(flags && nsec3 && name);

	dnssec_binary_t owner_hash = {0, };
	uint8_t hash_data[MAX_HASH_BYTES] = {0, };
	owner_hash.data = hash_data;
	dnssec_nsec3_params_t params = {0, };
	dnssec_binary_t name_hash = {0, };

	int ret = read_owner_hash(&owner_hash, MAX_HASH_BYTES, nsec3);
	if (ret != 0) {
		goto fail;
	}

	ret = nsec3_parameters(&params, nsec3);
	if (ret != 0) {
		goto fail;
	}

	ret = hash_name(&name_hash, &params, name);
	if (ret != 0) {
		goto fail;
	}

	uint8_t next_size = 0;
	uint8_t *next_hash = NULL;
	knot_nsec3_next_hashed(&nsec3->rrs, 0, &next_hash, &next_size);

225 226 227 228 229 230 231 232
	if ((owner_hash.size == next_size) && (name_hash.size == next_size)) {
		/* All hash lengths must be same. */
		const uint8_t *ownrd = owner_hash.data;
		const uint8_t *nextd = next_hash;
		int covered = 0;
		int greater_then_owner = (memcmp(ownrd, name_hash.data, next_size) < 0);
		int less_then_next = (memcmp(name_hash.data, nextd, next_size) < 0);
		if (memcmp(ownrd, nextd, next_size) < 0) {
233
			/*
234 235 236 237 238
			 * 0 (...) owner ... next (...) MAX
			 *                ^
			 *                name
			 * ==>
			 * (owner < name) && (name < next)
239
			 */
240 241
			covered = ((greater_then_owner) && (less_then_next));
		} else {
242
			/*
243 244 245 246 247
			 * owner ... MAX, 0 ... next
			 *        ^     ^    ^
			 *        name  name name
			 * =>
			 * (owner < name) || (name < next)
248
			 */
249
			covered = ((greater_then_owner) || (less_then_next));
250 251
		}

252 253
		if (covered) {
			*flags |= FLG_NAME_COVERED;
254

255 256 257 258 259 260 261 262
			uint8_t nsec3_flags = knot_nsec3_flags(&nsec3->rrs, 0);
			if (nsec3_flags & ~OPT_OUT_BIT) {
				/* RFC5155 3.1.2 */
				ret = kr_error(EINVAL);
			} else {
				ret = kr_ok();
			}
		}
263 264 265 266 267 268 269 270 271 272 273 274
	}

fail:
	if (params.salt.data) {
		dnssec_nsec3_params_free(&params);
	}
	if (name_hash.data) {
		dnssec_binary_free(&name_hash);
	}
	return ret;
}

275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296
/**
 * Checks whether NSEC3 RR has the opt-out bit set.
 * @param flags Flags to be set according to check outcome.
 * @param nsec3 NSEC3 RR.
 * @param name  Name to be checked.
 * @return      0 or error code.
 */
static bool has_optout(const knot_rrset_t *nsec3)
{
	if (!nsec3) {
		return false;
	}

	uint8_t nsec3_flags = knot_nsec3_flags(&nsec3->rrs, 0);
	if (nsec3_flags & ~OPT_OUT_BIT) {
		/* RFC5155 3.1.2 */
		return false;
	}

	return nsec3_flags & OPT_OUT_BIT;
}

297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328
/**
 * Checks whether NSEC3 RR matches the supplied name.
 * @param flags Flags to be set according to check outcome.
 * @param nsec3 NSEC3 RR.
 * @param name  Name to be checked.
 * @return      0 or error code.
 */
static int matches_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t *name)
{
	assert(flags && nsec3 && name);

	dnssec_binary_t owner_hash = {0, };
	uint8_t hash_data[MAX_HASH_BYTES] = {0, };
	owner_hash.data = hash_data;
	dnssec_nsec3_params_t params = {0, };
	dnssec_binary_t name_hash = {0, };

	int ret = read_owner_hash(&owner_hash, MAX_HASH_BYTES, nsec3);
	if (ret != 0) {
		goto fail;
	}

	ret = nsec3_parameters(&params, nsec3);
	if (ret != 0) {
		goto fail;
	}

	ret = hash_name(&name_hash, &params, name);
	if (ret != 0) {
		goto fail;
	}

329 330 331 332
	if ((owner_hash.size == name_hash.size) &&
	    (memcmp(owner_hash.data, name_hash.data, owner_hash.size) == 0)) {
		*flags |= FLG_NAME_MATCHED;
		ret = kr_ok();
333 334
	}

335 336 337 338 339 340 341 342 343 344 345
fail:
	if (params.salt.data) {
		dnssec_nsec3_params_free(&params);
	}
	if (name_hash.data) {
		dnssec_binary_free(&name_hash);
	}
	return ret;
}
#undef MAX_HASH_BYTES

346 347 348 349 350
/**
 * Prepends an asterisk label to given name.
 *
 * @param tgt  Target buffer to write domain name into.
 * @param name Name to be added to the asterisk.
351
 * @return     Size of the resulting name or error code.
352
 */
353
static int prepend_asterisk(uint8_t *tgt, size_t maxlen, const knot_dname_t *name)
354
{
355 356 357
	assert(maxlen >= 3);
	memcpy(tgt, "\1*", 3);
	return knot_dname_to_wire(tgt + 2, name, maxlen - 2);
358 359
}

360 361 362
/**
 * Closest encloser proof (RFC5155 7.2.1).
 * @note No RRSIGs are validated.
363 364 365 366 367 368 369
 * @param pkt                    Packet structure to be processed.
 * @param section_id             Packet section to be processed.
 * @param sname                  Name to be checked.
 * @param encloser_name          Returned matching encloser name, if found.
 * @param matching_ecloser_nsec3 Pointer to matching encloser NSEC RRSet.
 * @param covering_next_nsec3    Pointer to covering next closer NSEC3 RRSet.
 * @return                       0 or error code.
370 371
 */
static int closest_encloser_proof(const knot_pkt_t *pkt, knot_section_t section_id,
372 373
                                  const knot_dname_t *sname, const knot_dname_t **encloser_name,
                                  const knot_rrset_t **matching_ecloser_nsec3, const knot_rrset_t **covering_next_nsec3)
374 375
{
	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
376
	if (!sec || !sname) {
377 378 379
		return kr_error(EINVAL);
	}

380 381 382
	const knot_rrset_t *matching = NULL;
	const knot_rrset_t *covering = NULL;

383
	int flags = 0;
384 385 386 387 388 389 390 391
	const knot_dname_t *next_closer = NULL;
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
		if (rrset->type != KNOT_RRTYPE_NSEC3) {
			continue;
		}
		unsigned skipped = 0;
		flags = 0;
392
		int ret = closest_encloser_match(&flags, rrset, sname, &skipped);
393 394 395 396 397 398
		if (ret != 0) {
			return ret;
		}
		if (!(flags & FLG_CLOSEST_PROVABLE_ENCLOSER)) {
			continue;
		}
399
		matching = rrset;
400 401 402
		--skipped;
		next_closer = sname;
		for (unsigned j = 0; j < skipped; ++j) {
403
			assert(next_closer[0]);
404 405 406 407 408 409 410
			next_closer = knot_wire_next_label(next_closer, NULL);
		}
		for (unsigned j = 0; j < sec->count; ++j) {
			const knot_rrset_t *rrset = knot_pkt_rr(sec, j);
			if (rrset->type != KNOT_RRTYPE_NSEC3) {
				continue;
			}
411
			ret = covers_name(&flags, rrset, next_closer);
412 413 414
			if (ret != 0) {
				return ret;
			}
415
			if (flags & FLG_NAME_COVERED) {
416
				covering = rrset;
417 418 419
				break;
			}
		}
420
		if (flags & FLG_NAME_COVERED) {
421 422
			break;
		}
423
		flags = 0; //
424 425
	}

426
	if ((flags & FLG_CLOSEST_PROVABLE_ENCLOSER) && (flags & FLG_NAME_COVERED) && next_closer) {
427
		if (encloser_name && next_closer[0]) {
428
			*encloser_name = knot_wire_next_label(next_closer, NULL);
429
		}
430 431 432 433 434
		if (matching_ecloser_nsec3) {
			*matching_ecloser_nsec3 = matching;
		}
		if (covering_next_nsec3) {
			*covering_next_nsec3 = covering;
435
		}
436 437 438
		return kr_ok();
	}

439
	return kr_error(ENOENT);
440 441
}

442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480
/**
 * Check whether any NSEC3 RR covers a wildcard RR at the closer encloser.
 * @param pkt        Packet structure to be processed.
 * @param section_id Packet section to be processed.
 * @param encloser   Closest (provable) encloser domain name.
 * @return           0 or error code.
 */
static int covers_closest_encloser_wildcard(const knot_pkt_t *pkt, knot_section_t section_id,
                                            const knot_dname_t *encloser)
{
	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
	if (!sec || !encloser) {
		return kr_error(EINVAL);
	}

	uint8_t wildcard[KNOT_DNAME_MAXLEN];
	wildcard[0] = 1;
	wildcard[1] = '*';
	int encloser_len = knot_dname_size(encloser);
	if (encloser_len < 0) {
		return encloser_len;
	}
	memcpy(wildcard + 2, encloser, encloser_len);

	int flags = 0;
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
		if (rrset->type != KNOT_RRTYPE_NSEC3) {
			continue;
		}
		int ret = covers_name(&flags, rrset, wildcard);
		if (ret != 0) {
			return ret;
		}
		if (flags & FLG_NAME_COVERED) {
			return kr_ok();
		}
	}

481
	return kr_error(ENOENT);
482 483
}

484
int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
485
                                       const knot_dname_t *sname)
486 487
{
	const knot_dname_t *encloser = NULL;
488
	int ret = closest_encloser_proof(pkt, section_id, sname, &encloser, NULL, NULL);
489 490 491 492
	if (ret != 0) {
		return ret;
	}
	return covers_closest_encloser_wildcard(pkt, section_id, encloser);
493
}
494

495 496 497 498 499 500 501 502
/**
 * Checks whether supplied NSEC3 RR matches the supplied name and type.
 * @param flags Flags to be set according to check outcome.
 * @param nsec3 NSEC3 RR.
 * @param name  Name to be checked.
 * @param type  Type to be checked.
 * @return      0 or error code.
 */
503
static int matches_name_and_type(int *flags, const knot_rrset_t *nsec3,
504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524
                                const knot_dname_t *name, uint16_t type)
{
	assert(flags && nsec3 && name);

	int ret = matches_name(flags, nsec3, name);
	if (ret != 0) {
		return ret;
	}

	if (!(*flags & FLG_NAME_MATCHED)) {
		return kr_ok();
	}

	uint8_t *bm = NULL;
	uint16_t bm_size;
	knot_nsec3_bitmap(&nsec3->rrs, 0, &bm, &bm_size);
	if (!bm) {
		return kr_error(EINVAL);
	}

	if (!kr_nsec_bitmap_contains_type(bm, bm_size, type)) {
525 526 527 528 529 530 531 532 533
		*flags |= FLG_TYPE_BIT_MISSING;
		if (type == KNOT_RRTYPE_CNAME) {
			*flags |= FLG_CNAME_BIT_MISSING;
		}
	}

	if ((type != KNOT_RRTYPE_CNAME) &&
	    !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_CNAME)) {
		*flags |= FLG_CNAME_BIT_MISSING;
534 535 536 537 538
	}

	return kr_ok();
}

539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562
/**
 * No data response check, no DS (RFC5155 7.2.3).
 * @param pkt        Packet structure to be processed.
 * @param section_id Packet section to be processed.
 * @param sname      Name to be checked.
 * @param stype      Type to be checked.
 * @return           0 or error code.
 */
static int no_data_response_no_ds(const knot_pkt_t *pkt, knot_section_t section_id,
                                  const knot_dname_t *sname, uint16_t stype)
{
	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
	if (!sec || !sname) {
		return kr_error(EINVAL);
	}

	int flags;
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
		if (rrset->type != KNOT_RRTYPE_NSEC3) {
			continue;
		}
		flags = 0;

563
		int ret = matches_name_and_type(&flags, rrset, sname, stype);
564 565 566 567
		if (ret != 0) {
			return ret;
		}

568 569 570
		if ((flags & FLG_NAME_MATCHED) &&
		    (flags & FLG_TYPE_BIT_MISSING) &&
		    (flags & FLG_CNAME_BIT_MISSING)) {
571
			return kr_ok();
572 573 574 575 576 577
		}
	}

	return kr_error(ENOENT);
}

578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594
/**
 * Check whether NSEC3 RR matches a wildcard at the closest encloser and has given type bit missing.
 * @param pkt        Packet structure to be processed.
 * @param section_id Packet section to be processed.
 * @param encloser   Closest (provable) encloser domain name.
 * @param stype      Type to be checked.
 * @return           0 or error code.
 */
static int matches_closest_encloser_wildcard(const knot_pkt_t *pkt, knot_section_t section_id,
                                             const knot_dname_t *encloser, uint16_t stype)
{
	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
	if (!sec || !encloser) {
		return kr_error(EINVAL);
	}

	uint8_t wildcard[KNOT_DNAME_MAXLEN];
595
	int ret = prepend_asterisk(wildcard, sizeof(wildcard), encloser);
596
	if (ret < 0) {
597
		return ret;
598
	}
599
	assert(ret >= 3);
600 601 602 603 604 605 606 607 608

	int flags;
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
		if (rrset->type != KNOT_RRTYPE_NSEC3) {
			continue;
		}
		flags = 0;

609
		int ret = matches_name_and_type(&flags, rrset, wildcard, stype);
610 611 612 613 614 615 616
		if (ret != 0) {
			return ret;
		}

		/* TODO -- The loop resembles no_data_response_no_ds() exept
		 * the following condition.
		 */
617 618 619 620
		if ((flags & FLG_NAME_MATCHED) &&
		    (flags & FLG_TYPE_BIT_MISSING) &&
		    (flags & FLG_CNAME_BIT_MISSING)) {
			/* rfc5155 8.7 */
621 622 623 624 625 626 627
			return kr_ok();
		}
	}

	return kr_error(ENOENT);
}

628 629 630 631 632 633 634 635 636 637
int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
                                            const knot_dname_t *sname, int trim_to_next)
{
	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
	if (!sec || !sname) {
		return kr_error(EINVAL);
	}

	/* Compute the next closer name. */
	for (int i = 0; i < trim_to_next; ++i) {
638
		assert(sname[0]);
639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658
		sname = knot_wire_next_label(sname, NULL);
	}

	int flags = 0;
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
		if (rrset->type != KNOT_RRTYPE_NSEC3) {
			continue;
		}
		int ret = covers_name(&flags, rrset, sname);
		if (ret != 0) {
			return ret;
		}
		if (flags & FLG_NAME_COVERED) {
			return kr_ok();
		}
	}

	return kr_error(ENOENT);
}
659

660

661
int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
662 663
                     const knot_dname_t *sname, uint16_t stype)
{
664
	/* DS record may be also matched by an existing NSEC3 RR. */
665 666
	int ret = no_data_response_no_ds(pkt, section_id, sname, stype);
	if (ret == 0) {
667
		/* Satisfies RFC5155 8.5 and 8.6, both first paragraph. */
668 669 670 671 672 673 674 675 676 677
		return ret;
	}

	/* Find closest provable encloser. */
	const knot_dname_t *encloser_name = NULL;
	const knot_rrset_t *covering_next_nsec3 = NULL;
	ret = closest_encloser_proof(pkt, section_id, sname, &encloser_name,
                                     NULL, &covering_next_nsec3);
	if (ret != 0) {
		return ret;
678 679
	}

680 681
	assert(encloser_name && covering_next_nsec3);
	ret = matches_closest_encloser_wildcard(pkt, section_id,
682
	                                         encloser_name, stype);
683 684 685 686 687
	if (ret == 0) {
		/* Satisfies RFC5155 8.7 */
		return ret;
	}

688 689 690 691
	if (!has_optout(covering_next_nsec3)) {
		/* Bogus */
		ret = kr_error(ENOENT);
	} else {
692
		/* 
693 694 695 696 697
		 * Satisfies RFC5155 8.6 (QTYPE == DS), 2nd paragraph.
		 * Also satisfies ERRATA 3441 8.5 (QTYPE != DS), 3rd paragraph.
		 * - (wildcard) empty nonterminal
		 * derived from unsecure delegation.
		 * Denial of existance can not be proven.
698 699
		 * Set error code to proceed unsecure.
		 */
700
		ret = kr_error(DNSSEC_NOT_FOUND);
701 702 703
	}
	
	return ret;
704
}
705

706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787
int kr_nsec3_ref_to_unsigned(const knot_pkt_t *pkt)
{
	int ret = kr_error(EINVAL);
	int flags = 0;
	uint8_t *bm = NULL;
	uint16_t bm_size = 0;
	const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY);
	if (!sec) {
		return kr_error(EINVAL);
	}
	for (unsigned i = 0; i < sec->count; ++i) {
		const knot_rrset_t *ns = knot_pkt_rr(sec, i);
		if (ns->type == KNOT_RRTYPE_DS) {
			return kr_error(EEXIST);
		}
		if (ns->type != KNOT_RRTYPE_NS) {
			continue;
		}
		flags = 0;
		for (unsigned j = 0; j < sec->count; ++j) {
			const knot_rrset_t *nsec3 = knot_pkt_rr(sec, j);
			if (nsec3->type == KNOT_RRTYPE_DS) {
				return kr_error(EEXIST);
			}
			if (nsec3->type != KNOT_RRTYPE_NSEC3) {
				continue;
			}
			/* nsec3 found, check if owner name matches
			 * the delegation name
			 */
			ret = matches_name(&flags, nsec3, ns->owner);
			if (ret != 0) {
				return kr_error(EINVAL);
			}
			if (!(flags & FLG_NAME_MATCHED)) {
				/* nsec3 owner name does not match
				 * the delegation name
				 */
				continue;
			}
			knot_nsec3_bitmap(&nsec3->rrs, 0, &bm, &bm_size);
			if (!bm) {
				return kr_error(EINVAL);
			}
			if (kr_nsec_bitmap_contains_type(bm, bm_size,
							  KNOT_RRTYPE_NS) &&
			    !kr_nsec_bitmap_contains_type(bm, bm_size,
							  KNOT_RRTYPE_DS) &&
			    !kr_nsec_bitmap_contains_type(bm, bm_size,
							  KNOT_RRTYPE_SOA)) {
				/* Satisfies rfc5155, 8.9. paragraph 2 */
				return kr_ok();
			}
		}
		if (flags & FLG_NAME_MATCHED) {
			/* nsec3 which owner matches
			 * the delegation name was found,
			 * but nsec3 type bitmap contains wrong types
			 */
			return kr_error(EINVAL);
		}
		/* nsec3 that matches the delegation was not found.
		 * Check rfc5155, 8.9. paragraph 4.
		 * Find closest provable encloser.
		 */
		const knot_dname_t *encloser_name = NULL;
		const knot_rrset_t *covering_next_nsec3 = NULL;
		ret = closest_encloser_proof(pkt, KNOT_AUTHORITY, ns->owner, &encloser_name,
                                     NULL, &covering_next_nsec3);
		if (ret != 0) {
			return kr_error(EINVAL);
		}

		if (has_optout(covering_next_nsec3)) {
			return kr_error(DNSSEC_NOT_FOUND);
		} else {
			return kr_error(EINVAL);
		}
	}
	return kr_error(EINVAL);
}