unbound/validator/val_utils.c

   1 /*
   2  * validator/val_utils.c - validator utility functions.
   3  *
   4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
   5  *
   6  * This software is open source.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * Redistributions of source code must retain the above copyright notice,
  13  * this list of conditions and the following disclaimer.
  14  *
  15  * Redistributions in binary form must reproduce the above copyright notice,
  16  * this list of conditions and the following disclaimer in the documentation
  17  * and/or other materials provided with the distribution.
  18  *
  19  * Neither the name of the NLNET LABS nor the names of its contributors may
  20  * be used to endorse or promote products derived from this software without
  21  * specific prior written permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  34  */
  35
  36 /**
  37  * \file
  38  *
  39  * This file contains helper functions for the validator module.
  40  */
  41 #include "config.h"
  42 #include "validator/val_utils.h"
  43 #include "validator/validator.h"
  44 #include "validator/val_kentry.h"
  45 #include "validator/val_sigcrypt.h"
  46 #include "validator/val_anchor.h"
  47 #include "validator/val_nsec.h"
  48 #include "validator/val_neg.h"
  49 #include "services/cache/rrset.h"
  50 #include "services/cache/dns.h"
  51 #include "util/data/msgreply.h"
  52 #include "util/data/packed_rrset.h"
  53 #include "util/data/dname.h"
  54 #include "util/net_help.h"
  55 #include "util/module.h"
  56 #include "util/regional.h"
  57
  58 enum val_classification
  59 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
  60         struct query_info* qinf, struct reply_info* rep, size_t skip)
  61 {
  62         int rcode = (int)FLAGS_GET_RCODE(rep->flags);
  63         size_t i;
  64
  65         /* Normal Name Error's are easy to detect -- but don't mistake a CNAME
  66          * chain ending in NXDOMAIN. */
  67         if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
  68                 return VAL_CLASS_NAMEERROR;
  69
  70         /* check for referral: nonRD query and it looks like a nodata */
  71         if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
  72                 rcode == LDNS_RCODE_NOERROR) {
  73                 /* SOA record in auth indicates it is NODATA instead.
  74                  * All validation requiring NODATA messages have SOA in
  75                  * authority section. */
  76                 /* uses fact that answer section is empty */
  77                 int saw_ns = 0;
  78                 for(i=0; i<rep->ns_numrrsets; i++) {
  79                         if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
  80                                 return VAL_CLASS_NODATA;
  81                         if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
  82                                 return VAL_CLASS_REFERRAL;
  83                         if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
  84                                 saw_ns = 1;
  85                 }
  86                 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
  87         }
  88         /* root referral where NS set is in the answer section */
  89         if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
  90                 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
  91                 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
  92                 query_dname_compare(rep->rrsets[0]->rk.dname,
  93                         origqinf->qname) != 0)
  94                 return VAL_CLASS_REFERRAL;
  95
  96         /* dump bad messages */
  97         if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
  98                 return VAL_CLASS_UNKNOWN;
  99         /* next check if the skip into the answer section shows no answer */
 100         if(skip>0 && rep->an_numrrsets <= skip)
 101                 return VAL_CLASS_CNAMENOANSWER;
 102
 103         /* Next is NODATA */
 104         if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
 105                 return VAL_CLASS_NODATA;
 106
 107         /* We distinguish between CNAME response and other positive/negative
 108          * responses because CNAME answers require extra processing. */
 109
 110         /* We distinguish between ANY and CNAME or POSITIVE because
 111          * ANY responses are validated differently. */
 112         if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
 113                 return VAL_CLASS_ANY;
 114
 115         /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
 116          * qtype=CNAME, this will yield a CNAME response. */
 117         for(i=skip; i<rep->an_numrrsets; i++) {
 118                 if(rcode == LDNS_RCODE_NOERROR &&
 119                         ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
 120                         return VAL_CLASS_POSITIVE;
 121                 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
 122                         return VAL_CLASS_CNAME;
 123         }
 124         log_dns_msg("validator: error. failed to classify response message: ",
 125                 qinf, rep);
 126         return VAL_CLASS_UNKNOWN;
 127 }
 128
 129 /** Get signer name from RRSIG */
 130 static void
 131 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
 132 {
 133         /* RRSIG rdata is not allowed to be compressed, it is stored
 134          * uncompressed in memory as well, so return a ptr to the name */
 135         if(len < 21) {
 136                 /* too short RRSig:
 137                  * short, byte, byte, long, long, long, short, "." is
 138                  * 2    1       1       4       4  4    2       1 = 19
 139                  *                      and a skip of 18 bytes to the name.
 140                  * +2 for the rdatalen is 21 bytes len for root label */
 141                 *sname = NULL;
 142                 *slen = 0;
 143                 return;
 144         }
 145         data += 20; /* skip the fixed size bits */
 146         len -= 20;
 147         *slen = dname_valid(data, len);
 148         if(!*slen) {
 149                 /* bad dname in this rrsig. */
 150                 *sname = NULL;
 151                 return;
 152         }
 153         *sname = data;
 154 }
 155
 156 void
 157 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
 158         size_t* slen)
 159 {
 160         struct packed_rrset_data* d = (struct packed_rrset_data*)
 161                 rrset->entry.data;
 162         /* return signer for first signature, or NULL */
 163         if(d->rrsig_count == 0) {
 164                 *sname = NULL;
 165                 *slen = 0;
 166                 return;
 167         }
 168         /* get rrsig signer name out of the signature */
 169         rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
 170                 sname, slen);
 171 }
 172
 173 /**
 174  * Find best signer name in this set of rrsigs.
 175  * @param rrset: which rrsigs to look through.
 176  * @param qinf: the query name that needs validation.
 177  * @param signer_name: the best signer_name. Updated if a better one is found.
 178  * @param signer_len: length of signer name.
 179  * @param matchcount: count of current best name (starts at 0 for no match).
 180  *      Updated if match is improved.
 181  */
 182 static void
 183 val_find_best_signer(struct ub_packed_rrset_key* rrset,
 184         struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
 185         int* matchcount)
 186 {
 187         struct packed_rrset_data* d = (struct packed_rrset_data*)
 188                 rrset->entry.data;
 189         uint8_t* sign;
 190         size_t i;
 191         int m;
 192         for(i=d->count; i<d->count+d->rrsig_count; i++) {
 193                 sign = d->rr_data[i]+2+18;
 194                 /* look at signatures that are valid (long enough),
 195                  * and have a signer name that is a superdomain of qname,
 196                  * and then check the number of labels in the shared topdomain
 197                  * improve the match if possible */
 198                 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
 199                         dname_subdomain_c(qinf->qname, sign)) {
 200                         (void)dname_lab_cmp(qinf->qname,
 201                                 dname_count_labels(qinf->qname),
 202                                 sign, dname_count_labels(sign), &m);
 203                         if(m > *matchcount) {
 204                                 *matchcount = m;
 205                                 *signer_name = sign;
 206                                 (void)dname_count_size_labels(*signer_name,
 207                                         signer_len);
 208                         }
 209                 }
 210         }
 211 }
 212
 213 void
 214 val_find_signer(enum val_classification subtype, struct query_info* qinf,
 215         struct reply_info* rep, size_t skip, uint8_t** signer_name,
 216         size_t* signer_len)
 217 {
 218         size_t i;
 219
 220         if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
 221                 /* check for the answer rrset */
 222                 for(i=skip; i<rep->an_numrrsets; i++) {
 223                         if(query_dname_compare(qinf->qname,
 224                                 rep->rrsets[i]->rk.dname) == 0) {
 225                                 val_find_rrset_signer(rep->rrsets[i],
 226                                         signer_name, signer_len);
 227                                 return;
 228                         }
 229                 }
 230                 *signer_name = NULL;
 231                 *signer_len = 0;
 232         } else if(subtype == VAL_CLASS_CNAME) {
 233                 /* check for the first signed cname/dname rrset */
 234                 for(i=skip; i<rep->an_numrrsets; i++) {
 235                         val_find_rrset_signer(rep->rrsets[i],
 236                                 signer_name, signer_len);
 237                         if(*signer_name)
 238                                 return;
 239                         if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
 240                                 break; /* only check CNAME after a DNAME */
 241                 }
 242                 *signer_name = NULL;
 243                 *signer_len = 0;
 244         } else if(subtype == VAL_CLASS_NAMEERROR
 245                 || subtype == VAL_CLASS_NODATA) {
 246                 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/
 247                 for(i=rep->an_numrrsets; i<
 248                         rep->an_numrrsets+rep->ns_numrrsets; i++) {
 249                         if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
 250                                 || ntohs(rep->rrsets[i]->rk.type) ==
 251                                 LDNS_RR_TYPE_NSEC3) {
 252                                 val_find_rrset_signer(rep->rrsets[i],
 253                                         signer_name, signer_len);
 254                                 return;
 255                         }
 256                 }
 257         } else if(subtype == VAL_CLASS_CNAMENOANSWER) {
 258                 /* find closest superdomain signer name in authority section
 259                  * NSEC and NSEC3s */
 260                 int matchcount = 0;
 261                 *signer_name = NULL;
 262                 *signer_len = 0;
 263                 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
 264                         ns_numrrsets; i++) {
 265                         if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
 266                                 || ntohs(rep->rrsets[i]->rk.type) ==
 267                                 LDNS_RR_TYPE_NSEC3) {
 268                                 val_find_best_signer(rep->rrsets[i], qinf,
 269                                         signer_name, signer_len, &matchcount);
 270                         }
 271                 }
 272         } else if(subtype == VAL_CLASS_REFERRAL) {
 273                 /* find keys for the item at skip */
 274                 if(skip < rep->rrset_count) {
 275                         val_find_rrset_signer(rep->rrsets[skip],
 276                                 signer_name, signer_len);
 277                         return;
 278                 }
 279                 *signer_name = NULL;
 280                 *signer_len = 0;
 281         } else {
 282                 verbose(VERB_QUERY, "find_signer: could not find signer name"
 283                         " for unknown type response");
 284                 *signer_name = NULL;
 285                 *signer_len = 0;
 286         }
 287 }
 288
 289 /** return number of rrs in an rrset */
 290 static size_t
 291 rrset_get_count(struct ub_packed_rrset_key* rrset)
 292 {
 293         struct packed_rrset_data* d = (struct packed_rrset_data*)
 294                 rrset->entry.data;
 295         if(!d) return 0;
 296         return d->count;
 297 }
 298
 299 /** return TTL of rrset */
 300 static uint32_t
 301 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
 302 {
 303         struct packed_rrset_data* d = (struct packed_rrset_data*)
 304                 rrset->entry.data;
 305         if(!d) return 0;
 306         return d->ttl;
 307 }
 308
 309 enum sec_status
 310 val_verify_rrset(struct module_env* env, struct val_env* ve,
 311         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
 312         uint8_t* sigalg, char** reason)
 313 {
 314         enum sec_status sec;
 315         struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
 316                 entry.data;
 317         if(d->security == sec_status_secure) {
 318                 /* re-verify all other statuses, because keyset may change*/
 319                 log_nametypeclass(VERB_ALGO, "verify rrset cached",
 320                         rrset->rk.dname, ntohs(rrset->rk.type),
 321                         ntohs(rrset->rk.rrset_class));
 322                 return d->security;
 323         }
 324         /* check in the cache if verification has already been done */
 325         rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
 326         if(d->security == sec_status_secure) {
 327                 log_nametypeclass(VERB_ALGO, "verify rrset from cache",
 328                         rrset->rk.dname, ntohs(rrset->rk.type),
 329                         ntohs(rrset->rk.rrset_class));
 330                 return d->security;
 331         }
 332         log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
 333                 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
 334         sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
 335         verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
 336         regional_free_all(env->scratch);
 337
 338         /* update rrset security status
 339          * only improves security status
 340          * and bogus is set only once, even if we rechecked the status */
 341         if(sec > d->security) {
 342                 d->security = sec;
 343                 if(sec == sec_status_secure)
 344                         d->trust = rrset_trust_validated;
 345                 else if(sec == sec_status_bogus) {
 346                         size_t i;
 347                         /* update ttl for rrset to fixed value. */
 348                         d->ttl = ve->bogus_ttl;
 349                         for(i=0; i<d->count+d->rrsig_count; i++)
 350                                 d->rr_ttl[i] = ve->bogus_ttl;
 351                         /* leave RR specific TTL: not used for determine
 352                          * if RRset timed out and clients see proper value. */
 353                         lock_basic_lock(&ve->bogus_lock);
 354                         ve->num_rrset_bogus++;
 355                         lock_basic_unlock(&ve->bogus_lock);
 356                 }
 357                 /* if status updated - store in cache for reuse */
 358                 rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
 359         }
 360
 361         return sec;
 362 }
 363
 364 enum sec_status
 365 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
 366         struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
 367         char** reason)
 368 {
 369         /* temporary dnskey rrset-key */
 370         struct ub_packed_rrset_key dnskey;
 371         struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
 372         enum sec_status sec;
 373         dnskey.rk.type = htons(kd->rrset_type);
 374         dnskey.rk.rrset_class = htons(kkey->key_class);
 375         dnskey.rk.flags = 0;
 376         dnskey.rk.dname = kkey->name;
 377         dnskey.rk.dname_len = kkey->namelen;
 378         dnskey.entry.key = &dnskey;
 379         dnskey.entry.data = kd->rrset_data;
 380         sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
 381         return sec;
 382 }
 383
 384 /** verify that a DS RR hashes to a key and that key signs the set */
 385 static enum sec_status
 386 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
 387         struct ub_packed_rrset_key* dnskey_rrset,
 388         struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
 389 {
 390         enum sec_status sec = sec_status_bogus;
 391         size_t i, num, numchecked = 0, numhashok = 0;
 392         num = rrset_get_count(dnskey_rrset);
 393         for(i=0; i<num; i++) {
 394                 /* Skip DNSKEYs that don't match the basic criteria. */
 395                 if(ds_get_key_algo(ds_rrset, ds_idx)
 396                    != dnskey_get_algo(dnskey_rrset, i)
 397                    || dnskey_calc_keytag(dnskey_rrset, i)
 398                    != ds_get_keytag(ds_rrset, ds_idx)) {
 399                         continue;
 400                 }
 401                 numchecked++;
 402                 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
 403                         ds_get_key_algo(ds_rrset, ds_idx),
 404                         ds_get_keytag(ds_rrset, ds_idx));
 405
 406                 /* Convert the candidate DNSKEY into a hash using the
 407                  * same DS hash algorithm. */
 408                 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
 409                         ds_idx)) {
 410                         verbose(VERB_ALGO, "DS match attempt failed");
 411                         continue;
 412                 }
 413                 numhashok++;
 414                 verbose(VERB_ALGO, "DS match digest ok, trying signature");
 415
 416                 /* Otherwise, we have a match! Make sure that the DNSKEY
 417                  * verifies *with this key*  */
 418                 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
 419                         dnskey_rrset, i, reason);
 420                 if(sec == sec_status_secure) {
 421                         return sec;
 422                 }
 423                 /* If it didn't validate with the DNSKEY, try the next one! */
 424         }
 425         if(numchecked == 0)
 426                 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
 427                         reason, "no keys have a DS");
 428         else if(numhashok == 0)
 429                 *reason = "DS hash mismatches key";
 430         else if(!*reason)
 431                 *reason = "keyset not secured by DNSKEY that matches DS";
 432         return sec_status_bogus;
 433 }
 434
 435 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
 436 {
 437         size_t i, num = rrset_get_count(ds_rrset);
 438         int d, digest_algo = 0; /* DS digest algo 0 is not used. */
 439         /* find favorite algo, for now, highest number supported */
 440         for(i=0; i<num; i++) {
 441                 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
 442                         !ds_key_algo_is_supported(ds_rrset, i)) {
 443                         continue;
 444                 }
 445                 d = ds_get_digest_algo(ds_rrset, i);
 446                 if(d > digest_algo)
 447                         digest_algo = d;
 448         }
 449         return digest_algo;
 450 }
 451
 452 enum sec_status
 453 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 454         struct ub_packed_rrset_key* dnskey_rrset,
 455         struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
 456 {
 457         /* as long as this is false, we can consider this DS rrset to be
 458          * equivalent to no DS rrset. */
 459         int has_useful_ds = 0, digest_algo, alg;
 460         struct algo_needs needs;
 461         size_t i, num;
 462         enum sec_status sec;
 463
 464         if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
 465                 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
 466                 != 0) {
 467                 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
 468                         "by name");
 469                 *reason = "DNSKEY RRset did not match DS RRset by name";
 470                 return sec_status_bogus;
 471         }
 472
 473         digest_algo = val_favorite_ds_algo(ds_rrset);
 474         if(sigalg)
 475                 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
 476         num = rrset_get_count(ds_rrset);
 477         for(i=0; i<num; i++) {
 478                 /* Check to see if we can understand this DS.
 479                  * And check it is the strongest digest */
 480                 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
 481                         !ds_key_algo_is_supported(ds_rrset, i) ||
 482                         ds_get_digest_algo(ds_rrset, i) != digest_algo) {
 483                         continue;
 484                 }
 485
 486                 /* Once we see a single DS with a known digestID and
 487                  * algorithm, we cannot return INSECURE (with a
 488                  * "null" KeyEntry). */
 489                 has_useful_ds = 1;
 490
 491                 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
 492                         ds_rrset, i, reason);
 493                 if(sec == sec_status_secure) {
 494                         if(!sigalg || algo_needs_set_secure(&needs,
 495                                 (uint8_t)ds_get_key_algo(ds_rrset, i))) {
 496                                 verbose(VERB_ALGO, "DS matched DNSKEY.");
 497                                 return sec_status_secure;
 498                         }
 499                 } else if(sigalg && sec == sec_status_bogus) {
 500                         algo_needs_set_bogus(&needs,
 501                                 (uint8_t)ds_get_key_algo(ds_rrset, i));
 502                 }
 503         }
 504
 505         /* None of the DS's worked out. */
 506
 507         /* If no DSs were understandable, then this is OK. */
 508         if(!has_useful_ds) {
 509                 verbose(VERB_ALGO, "No usable DS records were found -- "
 510                         "treating as insecure.");
 511                 return sec_status_insecure;
 512         }
 513         /* If any were understandable, then it is bad. */
 514         verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
 515         if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
 516                 algo_needs_reason(env, alg, reason, "missing verification of "
 517                         "DNSKEY signature");
 518         }
 519         return sec_status_bogus;
 520 }
 521
 522 struct key_entry_key*
 523 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
 524         struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
 525         struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
 526 {
 527         uint8_t sigalg[ALGO_NEEDS_MAX+1];
 528         enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
 529                 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
 530
 531         if(sec == sec_status_secure) {
 532                 return key_entry_create_rrset(region,
 533                         ds_rrset->rk.dname, ds_rrset->rk.dname_len,
 534                         ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
 535                         downprot?sigalg:NULL, *env->now);
 536         } else if(sec == sec_status_insecure) {
 537                 return key_entry_create_null(region, ds_rrset->rk.dname,
 538                         ds_rrset->rk.dname_len,
 539                         ntohs(ds_rrset->rk.rrset_class),
 540                         rrset_get_ttl(ds_rrset), *env->now);
 541         }
 542         return key_entry_create_bad(region, ds_rrset->rk.dname,
 543                 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
 544                 BOGUS_KEY_TTL, *env->now);
 545 }
 546
 547 enum sec_status
 548 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 549         struct ub_packed_rrset_key* dnskey_rrset,
 550         struct ub_packed_rrset_key* ta_ds,
 551         struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
 552 {
 553         /* as long as this is false, we can consider this anchor to be
 554          * equivalent to no anchor. */
 555         int has_useful_ta = 0, digest_algo = 0, alg;
 556         struct algo_needs needs;
 557         size_t i, num;
 558         enum sec_status sec;
 559
 560         if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
 561                 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
 562                 != 0)) {
 563                 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
 564                         "by name");
 565                 *reason = "DNSKEY RRset did not match DS RRset by name";
 566                 return sec_status_bogus;
 567         }
 568         if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
 569              || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
 570                 != 0)) {
 571                 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
 572                         "by name");
 573                 *reason = "DNSKEY RRset did not match anchor RRset by name";
 574                 return sec_status_bogus;
 575         }
 576
 577         if(ta_ds)
 578                 digest_algo = val_favorite_ds_algo(ta_ds);
 579         if(sigalg) {
 580                 if(ta_ds)
 581                         algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
 582                 else    memset(&needs, 0, sizeof(needs));
 583                 if(ta_dnskey)
 584                         algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
 585         }
 586         if(ta_ds) {
 587             num = rrset_get_count(ta_ds);
 588             for(i=0; i<num; i++) {
 589                 /* Check to see if we can understand this DS.
 590                  * And check it is the strongest digest */
 591                 if(!ds_digest_algo_is_supported(ta_ds, i) ||
 592                         !ds_key_algo_is_supported(ta_ds, i) ||
 593                         ds_get_digest_algo(ta_ds, i) != digest_algo)
 594                         continue;
 595
 596                 /* Once we see a single DS with a known digestID and
 597                  * algorithm, we cannot return INSECURE (with a
 598                  * "null" KeyEntry). */
 599                 has_useful_ta = 1;
 600
 601                 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
 602                         ta_ds, i, reason);
 603                 if(sec == sec_status_secure) {
 604                         if(!sigalg || algo_needs_set_secure(&needs,
 605                                 (uint8_t)ds_get_key_algo(ta_ds, i))) {
 606                                 verbose(VERB_ALGO, "DS matched DNSKEY.");
 607                                 return sec_status_secure;
 608                         }
 609                 } else if(sigalg && sec == sec_status_bogus) {
 610                         algo_needs_set_bogus(&needs,
 611                                 (uint8_t)ds_get_key_algo(ta_ds, i));
 612                 }
 613             }
 614         }
 615
 616         /* None of the DS's worked out: check the DNSKEYs. */
 617         if(ta_dnskey) {
 618             num = rrset_get_count(ta_dnskey);
 619             for(i=0; i<num; i++) {
 620                 /* Check to see if we can understand this DNSKEY */
 621                 if(!dnskey_algo_is_supported(ta_dnskey, i))
 622                         continue;
 623
 624                 /* we saw a useful TA */
 625                 has_useful_ta = 1;
 626
 627                 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
 628                         ta_dnskey, i, reason);
 629                 if(sec == sec_status_secure) {
 630                         if(!sigalg || algo_needs_set_secure(&needs,
 631                                 (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
 632                                 verbose(VERB_ALGO, "anchor matched DNSKEY.");
 633                                 return sec_status_secure;
 634                         }
 635                 } else if(sigalg && sec == sec_status_bogus) {
 636                         algo_needs_set_bogus(&needs,
 637                                 (uint8_t)dnskey_get_algo(ta_dnskey, i));
 638                 }
 639             }
 640         }
 641
 642         /* If no DSs were understandable, then this is OK. */
 643         if(!has_useful_ta) {
 644                 verbose(VERB_ALGO, "No usable trust anchors were found -- "
 645                         "treating as insecure.");
 646                 return sec_status_insecure;
 647         }
 648         /* If any were understandable, then it is bad. */
 649         verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
 650         if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
 651                 algo_needs_reason(env, alg, reason, "missing verification of "
 652                         "DNSKEY signature");
 653         }
 654         return sec_status_bogus;
 655 }
 656
 657 struct key_entry_key*
 658 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
 659         struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
 660         struct ub_packed_rrset_key* ta_ds_rrset,
 661         struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
 662         char** reason)
 663 {
 664         uint8_t sigalg[ALGO_NEEDS_MAX+1];
 665         enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
 666                 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
 667                 downprot?sigalg:NULL, reason);
 668
 669         if(sec == sec_status_secure) {
 670                 return key_entry_create_rrset(region,
 671                         dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
 672                         ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
 673                         downprot?sigalg:NULL, *env->now);
 674         } else if(sec == sec_status_insecure) {
 675                 return key_entry_create_null(region, dnskey_rrset->rk.dname,
 676                         dnskey_rrset->rk.dname_len,
 677                         ntohs(dnskey_rrset->rk.rrset_class),
 678                         rrset_get_ttl(dnskey_rrset), *env->now);
 679         }
 680         return key_entry_create_bad(region, dnskey_rrset->rk.dname,
 681                 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
 682                 BOGUS_KEY_TTL, *env->now);
 683 }
 684
 685 int
 686 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
 687 {
 688         size_t i;
 689         for(i=0; i<rrset_get_count(ds_rrset); i++) {
 690                 if(ds_digest_algo_is_supported(ds_rrset, i) &&
 691                         ds_key_algo_is_supported(ds_rrset, i))
 692                         return 1;
 693         }
 694         return 0;
 695 }
 696
 697 /** get label count for a signature */
 698 static uint8_t
 699 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
 700 {
 701         if(d->rr_len[sig] < 2+4)
 702                 return 0; /* bad sig length */
 703         return d->rr_data[sig][2+3];
 704 }
 705
 706 int
 707 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc)
 708 {
 709         struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
 710                 entry.data;
 711         uint8_t labcount;
 712         int labdiff;
 713         uint8_t* wn;
 714         size_t i, wl;
 715         if(d->rrsig_count == 0) {
 716                 return 1;
 717         }
 718         labcount = rrsig_get_labcount(d, d->count + 0);
 719         /* check rest of signatures identical */
 720         for(i=1; i<d->rrsig_count; i++) {
 721                 if(labcount != rrsig_get_labcount(d, d->count + i)) {
 722                         return 0;
 723                 }
 724         }
 725         /* OK the rrsigs check out */
 726         /* if the RRSIG label count is shorter than the number of actual
 727          * labels, then this rrset was synthesized from a wildcard.
 728          * Note that the RRSIG label count doesn't count the root label. */
 729         wn = rrset->rk.dname;
 730         wl = rrset->rk.dname_len;
 731         /* skip a leading wildcard label in the dname (RFC4035 2.2) */
 732         if(dname_is_wild(wn)) {
 733                 wn += 2;
 734                 wl -= 2;
 735         }
 736         labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
 737         if(labdiff > 0) {
 738                 *wc = wn;
 739                 dname_remove_labels(wc, &wl, labdiff);
 740                 return 1;
 741         }
 742         return 1;
 743 }
 744
 745 int
 746 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
 747         size_t* cname_skip) {
 748         size_t i;
 749         /* skip any DNAMEs, go to the CNAME for next part */
 750         for(i = *cname_skip; i < rep->an_numrrsets; i++) {
 751                 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
 752                         query_dname_compare(qchase->qname, rep->rrsets[i]->
 753                                 rk.dname) == 0) {
 754                         qchase->qname = NULL;
 755                         get_cname_target(rep->rrsets[i], &qchase->qname,
 756                                 &qchase->qname_len);
 757                         if(!qchase->qname)
 758                                 return 0; /* bad CNAME rdata */
 759                         (*cname_skip) = i+1;
 760                         return 1;
 761                 }
 762         }
 763         return 0; /* CNAME classified but no matching CNAME ?! */
 764 }
 765
 766 /** see if rrset has signer name as one of the rrsig signers */
 767 static int
 768 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 769 {
 770         struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
 771                 entry.data;
 772         size_t i;
 773         for(i = d->count; i< d->count+d->rrsig_count; i++) {
 774                 if(d->rr_len[i] > 2+18+len) {
 775                         /* at least rdatalen + signature + signame (+1 sig)*/
 776                         if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
 777                                 continue;
 778                         if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
 779                         {
 780                                 return 1;
 781                         }
 782                 }
 783         }
 784         return 0;
 785 }
 786
 787 void
 788 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 789         size_t skip, uint8_t* name, size_t len, uint8_t* signer)
 790 {
 791         size_t i;
 792         int seen_dname = 0;
 793         chase->rrset_count = 0;
 794         chase->an_numrrsets = 0;
 795         chase->ns_numrrsets = 0;
 796         chase->ar_numrrsets = 0;
 797         /* ANSWER section */
 798         for(i=skip; i<orig->an_numrrsets; i++) {
 799                 if(!signer) {
 800                         if(query_dname_compare(name,
 801                                 orig->rrsets[i]->rk.dname) == 0)
 802                                 chase->rrsets[chase->an_numrrsets++] =
 803                                         orig->rrsets[i];
 804                 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
 805                         LDNS_RR_TYPE_CNAME) {
 806                         chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
 807                         seen_dname = 0;
 808                 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 809                         chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
 810                         if(ntohs(orig->rrsets[i]->rk.type) ==
 811                                 LDNS_RR_TYPE_DNAME) {
 812                                         seen_dname = 1;
 813                         }
 814                 }
 815         }
 816         /* AUTHORITY section */
 817         for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
 818                 i<orig->an_numrrsets+orig->ns_numrrsets;
 819                 i++) {
 820                 if(!signer) {
 821                         if(query_dname_compare(name,
 822                                 orig->rrsets[i]->rk.dname) == 0)
 823                                 chase->rrsets[chase->an_numrrsets+
 824                                     chase->ns_numrrsets++] = orig->rrsets[i];
 825                 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 826                         chase->rrsets[chase->an_numrrsets+
 827                                 chase->ns_numrrsets++] = orig->rrsets[i];
 828                 }
 829         }
 830         /* ADDITIONAL section */
 831         for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
 832                 skip:orig->an_numrrsets+orig->ns_numrrsets;
 833                 i<orig->rrset_count; i++) {
 834                 if(!signer) {
 835                         if(query_dname_compare(name,
 836                                 orig->rrsets[i]->rk.dname) == 0)
 837                             chase->rrsets[chase->an_numrrsets
 838                                 +orig->ns_numrrsets+chase->ar_numrrsets++]
 839                                 = orig->rrsets[i];
 840                 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 841                         chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
 842                                 chase->ar_numrrsets++] = orig->rrsets[i];
 843                 }
 844         }
 845         chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
 846                 chase->ar_numrrsets;
 847 }
 848
 849 void
 850 val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
 851 {
 852         size_t i;
 853         /* authority */
 854         for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
 855                 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
 856                         ->security != sec_status_secure) {
 857                         /* because we want to return the authentic original
 858                          * message when presented with CD-flagged queries,
 859                          * we need to preserve AUTHORITY section data.
 860                          * However, this rrset is not signed or signed
 861                          * with the wrong keys. Validation has tried to
 862                          * verify this rrset with the keysets of import.
 863                          * But this rrset did not verify.
 864                          * Therefore the message is bogus.
 865                          */
 866
 867                         /* check if authority consists of only an NS record
 868                          * which is bad, and there is an answer section with
 869                          * data.  In that case, delete NS and additional to
 870                          * be lenient and make a minimal response */
 871                         if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 &&
 872                                 ntohs(rep->rrsets[i]->rk.type)
 873                                 == LDNS_RR_TYPE_NS) {
 874                                 verbose(VERB_ALGO, "truncate to minimal");
 875                                 rep->ns_numrrsets = 0;
 876                                 rep->ar_numrrsets = 0;
 877                                 rep->rrset_count = rep->an_numrrsets;
 878                                 return;
 879                         }
 880
 881                         log_nametypeclass(VERB_QUERY, "message is bogus, "
 882                                 "non secure rrset",
 883                                 rep->rrsets[i]->rk.dname,
 884                                 ntohs(rep->rrsets[i]->rk.type),
 885                                 ntohs(rep->rrsets[i]->rk.rrset_class));
 886                         rep->security = sec_status_bogus;
 887                         return;
 888                 }
 889         }
 890         /* additional */
 891         if(!ve->clean_additional)
 892                 return;
 893         for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
 894                 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
 895                         ->security != sec_status_secure) {
 896                         /* This does not cause message invalidation. It was
 897                          * simply unsigned data in the additional. The
 898                          * RRSIG must have been truncated off the message.
 899                          *
 900                          * However, we do not want to return possible bogus
 901                          * data to clients that rely on this service for
 902                          * their authentication.
 903                          */
 904                         /* remove this unneeded additional rrset */
 905                         memmove(rep->rrsets+i, rep->rrsets+i+1,
 906                                 sizeof(struct ub_packed_rrset_key*)*
 907                                 (rep->rrset_count - i - 1));
 908                         rep->ar_numrrsets--;
 909                         rep->rrset_count--;
 910                         i--;
 911                 }
 912         }
 913 }
 914
 915 /** check no anchor and unlock */
 916 static int
 917 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
 918 {
 919         struct trust_anchor* ta;
 920         if((ta=anchors_lookup(anchors, nm, l, c))) {
 921                 lock_basic_unlock(&ta->lock);
 922         }
 923         return !ta;
 924 }
 925
 926 void
 927 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
 928         struct rrset_cache* r, struct module_env* env)
 929 {
 930         size_t i;
 931         struct packed_rrset_data* d;
 932         for(i=0; i<rep->rrset_count; i++) {
 933                 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
 934                 if(d->security == sec_status_unchecked &&
 935                    check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
 936                         rep->rrsets[i]->rk.dname_len,
 937                         ntohs(rep->rrsets[i]->rk.rrset_class)))
 938                 {
 939                         /* mark as indeterminate */
 940                         d->security = sec_status_indeterminate;
 941                         rrset_update_sec_status(r, rep->rrsets[i], *env->now);
 942                 }
 943         }
 944 }
 945
 946 void
 947 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
 948         struct rrset_cache* r, struct module_env* env)
 949 {
 950         size_t i;
 951         struct packed_rrset_data* d;
 952         for(i=0; i<rep->rrset_count; i++) {
 953                 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
 954                 if(d->security == sec_status_unchecked &&
 955                    dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
 956                         /* mark as insecure */
 957                         d->security = sec_status_insecure;
 958                         rrset_update_sec_status(r, rep->rrsets[i], *env->now);
 959                 }
 960         }
 961 }
 962
 963 size_t
 964 val_next_unchecked(struct reply_info* rep, size_t skip)
 965 {
 966         size_t i;
 967         struct packed_rrset_data* d;
 968         for(i=skip+1; i<rep->rrset_count; i++) {
 969                 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
 970                 if(d->security == sec_status_unchecked) {
 971                         return i;
 972                 }
 973         }
 974         return rep->rrset_count;
 975 }
 976
 977 const char*
 978 val_classification_to_string(enum val_classification subtype)
 979 {
 980         switch(subtype) {
 981                 case VAL_CLASS_UNTYPED:         return "untyped";
 982                 case VAL_CLASS_UNKNOWN:         return "unknown";
 983                 case VAL_CLASS_POSITIVE:        return "positive";
 984                 case VAL_CLASS_CNAME:           return "cname";
 985                 case VAL_CLASS_NODATA:          return "nodata";
 986                 case VAL_CLASS_NAMEERROR:       return "nameerror";
 987                 case VAL_CLASS_CNAMENOANSWER:   return "cnamenoanswer";
 988                 case VAL_CLASS_REFERRAL:        return "referral";
 989                 case VAL_CLASS_ANY:             return "qtype_any";
 990                 default:
 991                         return "bad_val_classification";
 992         }
 993 }
 994
 995 /** log a sock_list entry */
 996 static void
 997 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
 998 {
 999         if(p->len)
1000                 log_addr(v, s, &p->addr, p->len);
1001         else    verbose(v, "%s cache", s);
1002 }
1003
1004 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1005         struct sock_list* origin, int cross)
1006 {
1007         /* debug printout */
1008         if(verbosity >= VERB_ALGO) {
1009                 struct sock_list* p;
1010                 for(p=*blacklist; p; p=p->next)
1011                         sock_list_logentry(VERB_ALGO, "blacklist", p);
1012                 if(!origin)
1013                         verbose(VERB_ALGO, "blacklist add: cache");
1014                 for(p=origin; p; p=p->next)
1015                         sock_list_logentry(VERB_ALGO, "blacklist add", p);
1016         }
1017         /* blacklist the IPs or the cache */
1018         if(!origin) {
1019                 /* only add if nothing there. anything else also stops cache*/
1020                 if(!*blacklist)
1021                         sock_list_insert(blacklist, NULL, 0, region);
1022         } else if(!cross)
1023                 sock_list_prepend(blacklist, origin);
1024         else    sock_list_merge(blacklist, region, origin);
1025 }
1026
1027 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1028 {
1029         size_t i, num_nsec = 0, num_nsec3 = 0;
1030         struct packed_rrset_data* d;
1031         for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1032                 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1033                         num_nsec++;
1034                 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1035                         num_nsec3++;
1036                 else continue;
1037                 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1038                 if(d && d->rrsig_count != 0) {
1039                         return 1;
1040                 }
1041         }
1042         if(num_nsec == 0 && num_nsec3 == 0)
1043                 *reason = "no DNSSEC records";
1044         else if(num_nsec != 0)
1045                 *reason = "no signatures over NSECs";
1046         else    *reason = "no signatures over NSEC3s";
1047         return 0;
1048 }
1049
1050 struct dns_msg*
1051 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1052         struct regional* region, uint8_t* topname)
1053 {
1054         struct dns_msg* msg;
1055         struct query_info qinfo;
1056         struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1057                 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1058                 *env->now, 0);
1059         if(rrset) {
1060                 /* DS rrset exists. Return it to the validator immediately*/
1061                 struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1062                         rrset, region, *env->now);
1063                 lock_rw_unlock(&rrset->entry.lock);
1064                 if(!copy)
1065                         return NULL;
1066                 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1067                 if(!msg)
1068                         return NULL;
1069                 msg->rep->rrsets[0] = copy;
1070                 msg->rep->rrset_count++;
1071                 msg->rep->an_numrrsets++;
1072                 return msg;
1073         }
1074         /* lookup in rrset and negative cache for NSEC/NSEC3 */
1075         qinfo.qname = nm;
1076         qinfo.qname_len = nmlen;
1077         qinfo.qtype = LDNS_RR_TYPE_DS;
1078         qinfo.qclass = c;
1079         /* do not add SOA to reply message, it is going to be used internal */
1080         msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1081                 env->scratch_buffer, *env->now, 0, topname);
1082         return msg;
1083 }