[getdns-users] getdns_validate_dnssec() Example?

Willem Toorop willem at nlnetlabs.nl
Wed May 6 14:14:31 CEST 2015


Scott,

Why is this data of type string?  Shouldn't those be arrays in PHP?
But the actual content of those strings is indeed the lists (arrays)
that should be used as parameters with getdns_validate_dnssec, yes.

The bug is in getdns_validate_dnssec itself.  Currently it cannot handle
compressed dnames.  NS records do have compressed dnames, and the
records you try to validate in this case actually do contain compressed
dnames too.

Look, for example, at the rdata_raw in the first RR-dict in the answer:

  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "nsdname": <bindata of "getdnsapi.net.">,
      "rdata_raw": <bindata of 0xc00c>
    },
    "ttl": 450,
    "type": GETDNS_RRTYPE_NS
  },

It has the compression pointer bits set (first byte, 0xC0 has bits 8 and
7 set) and points to 0x000C, so position 12, which is directly after the
12-byte DNS header, so it points to the query name.

The presence of this RR-dict alone is enough to trigger the
getdns_validate_dnssec bug.

Although not displayed, the third RR-dict in the answer must have a
compression pointer too for ".nl", because the rdata_raw attribute is
not expanded to a dname rendering.

As I said, fixing this bug is on top of my TODO list, because native
stub DNSSEC validation (without relying on libunbound to perform the
DNSSEC queries) is dependent on it.

Besides this fixable bug, using getdns_validate_dnssec also has the
shortcoming that it cannot recognize insecure delegations, so it should
never be used blindly to determine the DNSSEC status of answers received
with the dnssec_return_validation_chain extension.
Actual real-life DNSSEC validation needs a more intelligent approach
than getdns_validate_dnssec can offer with the current API's prototype.

-- Willem
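As an added illustration of the compression pointer discussed above (example code written for this archive page, not part of getdns or of the mail), the C program below builds a small DNS response by hand whose NS rdata is the two bytes 0xc00c, follows the pointer back to offset 12, and produces the uncompressed, lowercased name form that RFC 4034 section 6.2 requires for signature computation. The message bytes, the offset constant and the function names are constructed for the example; the pointer must point backwards, which is the check that stops pointer loops.

```c
/* Added example, not getdns or mailing-list code: decode a DNS name from
 * wire format following RFC 1035 compression pointers, and produce the
 * uncompressed, lowercased form that DNSSEC signatures cover (RFC 4034,
 * section 6.2). The message bytes below are constructed for this example. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* A hand-built response to "getdnsapi.net. NS": 12-byte header, the
 * question, and one NS RR whose owner name and NSDNAME are both the
 * pointer 0xc00c to offset 12 (the query name), exactly like the
 * rdata_raw shown in the thread. */
static const uint8_t example_msg[] = {
    /* header: id 0x1234, flags 0x8400 (QR, AA), qdcount 1, ancount 1 */
    0x12, 0x34, 0x84, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    /* question at offset 12: 9"getdnsapi" 3"net" 0, type NS, class IN */
    9, 'g', 'e', 't', 'd', 'n', 's', 'a', 'p', 'i', 3, 'n', 'e', 't', 0,
    0x00, 0x02, 0x00, 0x01,
    /* answer RR at offset 31: owner c00c, NS, IN, ttl 450, rdlength 2 */
    0xC0, 0x0C, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x01, 0xC2, 0x00, 0x02,
    /* rdata at offset 43: the compressed NSDNAME 0xc00c */
    0xC0, 0x0C
};
#define EXAMPLE_RDATA_OFF 43

/* True when the first byte of a raw name has both compression bits set,
 * the check that flags an rdata_raw like 0xc00c as unusable on its own. */
int name_is_compressed(const uint8_t *raw)
{
    return (raw[0] & 0xC0) == 0xC0;
}

/* Expand the name at msg[off]. Writes the presentation form (trailing dot)
 * to pres and, if uncomp is non-NULL, the uncompressed lowercase wire form
 * (at most 255 bytes) to uncomp. Returns the uncompressed wire length, or
 * -1 for a malformed name: pointer outside the message, pointer that does
 * not point backwards (how loops are made), or a name over its limits. */
int expand_name(const uint8_t *msg, size_t msglen, size_t off,
                char *pres, size_t preslen, uint8_t *uncomp)
{
    size_t p = 0, u = 0;

    for (;;) {
        if (off >= msglen)
            return -1;
        uint8_t len = msg[off];

        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (off + 1 >= msglen)
                return -1;
            size_t target = ((len & 0x3F) << 8) | msg[off + 1];
            if (target >= off)                   /* must point backwards */
                return -1;
            off = target;
            continue;
        }
        if (len & 0xC0)                          /* 0x40/0x80: unsupported */
            return -1;
        if (len == 0) {                          /* root label ends the name */
            if (p + 2 > preslen || u + 1 > 255)
                return -1;
            if (p == 0)
                pres[p++] = '.';
            pres[p] = '\0';
            if (uncomp)
                uncomp[u] = 0;
            return (int)(u + 1);
        }
        if (off + 1 + len > msglen || p + len + 2 > preslen || u + len + 1 > 255)
            return -1;
        if (uncomp)
            uncomp[u] = len;
        u++;
        for (uint8_t i = 0; i < len; i++) {
            uint8_t c = msg[off + 1 + i];
            pres[p++] = (char)c;
            if (uncomp)
                uncomp[u] = (uint8_t)tolower(c); /* canonical form is lowercase */
            u++;
        }
        pres[p++] = '.';
        off += 1 + (size_t)len;
    }
}

/* Expand the NS rdata of the constructed message. */
int expand_example_rdata(char *pres, size_t preslen, uint8_t *uncomp)
{
    return expand_name(example_msg, sizeof example_msg, EXAMPLE_RDATA_OFF,
                       pres, preslen, uncomp);
}

int main(void)
{
    char pres[256];
    uint8_t uncomp[255];
    printf("rdata_raw 0xc00c is compressed: %s\n",
           name_is_compressed(example_msg + EXAMPLE_RDATA_OFF) ? "yes" : "no");
    int n = expand_example_rdata(pres, sizeof pres, uncomp);
    if (n < 0) {
        puts("malformed name");
        return 1;
    }
    printf("expands to %s, %d bytes uncompressed\n", pres, n);
    return 0;
}
```

The uncompressed buffer is what a validator has to feed into the RRSIG computation; the two raw bytes 0xc00c only mean something relative to the message they came from, which is why an rdata_raw that starts with a pointer cannot be validated in isolation.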

On 06-05-15 at 13:02, Hollenbeck, Scott wrote:
> Thanks, Willem. This all sounds like where I am right now. One more question below.
> 
> Scott
> 
>> -----Original Message-----
>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem
>> Toorop
>> Sent: Wednesday, May 06, 2015 6:42 AM
>> To: users at getdnsapi.net
>> Subject: Re: [getdns-users] getdns_validate_dnssec() Example?
>>
>> Hi Scott,
>>
>> I suppose the API could be a bit more clear on the input of this
>> function yes.
>>
>> getdns_return_t getdns_validate_dnssec(
>> 	getdns_list *record_to_validate,
>> 	getdns_list *bundle_of_support_records,
>> 	getdns_list *trust_anchor_records
>> );
>>
>> - record_to_validate is a list of RR-dicts with companion RRSIG-RR-dicts
>> which will be validated.
>>
>> - trust_anchor_records is the list of trusted DNSKEY or DS RR-dicts.
>> They do *not* need companion RRSIG-RR-dicts, as they are already
>> trusted. You can get the system default trusted keys with the
>> getdns_root_trust_anchor() function.
>>
>> - bundle_of_support_records must be a list of DS RR-dicts and DNSKEY
>> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
>> trust_anchors to the RR-dicts to validate.
>>
>> If you would do a query with the "dnssec_return_validation_chain"
>> extension, you can use the "validation_chain" key in the response dict
>> as the bundle_of_support_records parameter to getdns_validate_dnssec.
>> You can use an "answer" section of a reply as the record_to_validate
>> parameter, or the "authority" section in case of NXDOMAIN.
>>
>> Note however, that the record_to_validate list MUST have companion
>> RRSIG-RR-dicts for all its RR-dicts.  getdns_validate_dnssec does not
>> know the zone-cuts and thus cannot handle insecure delegations!  It
>> cannot determine if missing RRSIGs are sound (by way of insecure
>> delegation: GETDNS_DNSSEC_INSECURE) or not (GETDNS_DNSSEC_BOGUS)!
>>
>> Also, building the wireformat data from RR-dicts doesn't work all that
>> well currently.  getdns_validate_dnssec can now validate only RR-dicts
>> that came from the wire and have a sound "rdata_raw" attribute.  But, if
>> the name contains compressed names (like with NS, MX and CNAME records)
>> then the "rdata_raw" is not usable either, and getdns_validate_dnssec
>> simply does not work!
> 
> I've been able to get a positive result by doing an address query for www.getdnsapi.net. The test case that failed is doing an NS query for getdnsapi.net with this data:
> 
> The answer to be validated:
> 
> string(1342) "[
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "nsdname": <bindata of "getdnsapi.net.">,
>       "rdata_raw": <bindata of 0xc00c>
>     },
>     "ttl": 450,
>     "type": GETDNS_RRTYPE_NS
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "nsdname": <bindata of "mcvax.nlnet.nl.">,
>       "rdata_raw": <bindata of "mcvax.nlnet.nl.">
>     },
>     "ttl": 450,
>     "type": GETDNS_RRTYPE_NS
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "nsdname": <bindata of "dicht.nlnetlabs.nl.">,
>       "rdata_raw": <bindata of 0x056469636874096e6c6e65746c616273...>
>     },
>     "ttl": 450,
>     "type": GETDNS_RRTYPE_NS
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "key_tag": 6273,
>       "labels": 2,
>       "original_ttl": 450,
>       "rdata_raw": <bindata of 0x00020702000001c255594460553d99fb...>,
>       "signature": <bindata of 0x4d9a240392e5bf642dc0fdf7da98c7b3...>,
>       "signature_expiration": 1431913568,
>       "signature_inception": 1430100475,
>       "signers_name": <bindata of "getdnsapi.net.">,
>       "type_covered": GETDNS_RRTYPE_NS
>     },
>     "ttl": 450,
>     "type": GETDNS_RRTYPE_RRSIG
>   }
> ]"
> 
> The support records:
> 
> string(6593) "[
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata for .>,
>     "rdata":
>     {
>       "algorithm": 8,
>       "flags": 256,
>       "protocol": 3,
>       "public_key": <bindata of 0x030100019c88902c0461e1b6f4d57ee1...>,
>       "rdata_raw": <bindata of 0x01000308030100019c88902c0461e1b6...>
>     },
>     "ttl": 172800,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata for .>,
>     "rdata":
>     {
>       "algorithm": 8,
>       "flags": 257,
>       "protocol": 3,
>       "public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
>       "rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
>     },
>     "ttl": 172800,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata for .>,
>     "rdata":
>     {
>       "algorithm": 8,
>       "key_tag": 19036,
>       "labels": 0,
>       "original_ttl": 172800,
>       "rdata_raw": <bindata of 0x003008000002a3005556887f5542c200...>,
>       "signature": <bindata of 0x09332fb21c62ff39ee958560839c7356...>,
>       "signature_expiration": 1431734399,
>       "signature_inception": 1430438400,
>       "signers_name": <bindata for .>,
>       "type_covered": GETDNS_RRTYPE_DNSKEY
>     },
>     "ttl": 172800,
>     "type": GETDNS_RRTYPE_RRSIG
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "flags": 257,
>       "protocol": 3,
>       "public_key": <bindata of 0x03010001c55b9f4c2dc6620017dc487c...>,
>       "rdata_raw": <bindata of 0x0101030703010001c55b9f4c2dc66200...>
>     },
>     "ttl": 3600,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "flags": 257,
>       "protocol": 3,
>       "public_key": <bindata of 0x03010001bb86527f2d50505bad6eddf3...>,
>       "rdata_raw": <bindata of 0x0101030703010001bb86527f2d50505b...>
>     },
>     "ttl": 3600,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "flags": 256,
>       "protocol": 3,
>       "public_key": <bindata of 0x0301000197d8b003b3b84ae4ff311ade...>,
>       "rdata_raw": <bindata of 0x010003070301000197d8b003b3b84ae4...>
>     },
>     "ttl": 3600,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "key_tag": 26203,
>       "labels": 2,
>       "original_ttl": 3600,
>       "rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
>       "signature": <bindata of 0x371538689c8e3933aedb0c4966198eae...>,
>       "signature_expiration": 1432283562,
>       "signature_inception": 1430431675,
>       "signers_name": <bindata of "getdnsapi.net.">,
>       "type_covered": GETDNS_RRTYPE_DNSKEY
>     },
>     "ttl": 3600,
>     "type": GETDNS_RRTYPE_RRSIG
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "key_tag": 64869,
>       "labels": 2,
>       "original_ttl": 3600,
>       "rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
>       "signature": <bindata of 0x6ced44f9c0363fe20d48b3b707febbf2...>,
>       "signature_expiration": 1432283562,
>       "signature_inception": 1430431675,
>       "signers_name": <bindata of "getdnsapi.net.">,
>       "type_covered": GETDNS_RRTYPE_DNSKEY
>     },
>     "ttl": 3600,
>     "type": GETDNS_RRTYPE_RRSIG
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 7,
>       "digest": <bindata of 0x5544ec53e01f38bb848a29258c1a768e...>,
>       "digest_type": 1,
>       "key_tag": 26203,
>       "rdata_raw": <bindata of 0x665b07015544ec53e01f38bb848a2925...>
>     },
>     "ttl": 86400,
>     "type": GETDNS_RRTYPE_DS
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "getdnsapi.net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "key_tag": 48497,
>       "labels": 2,
>       "original_ttl": 86400,
>       "rdata_raw": <bindata of 0x002b080200015180554eec385545a150...>,
>       "signature": <bindata of 0x9800f1b314c8173985ad90e22cee3f75...>,
>       "signature_expiration": 1431235640,
>       "signature_inception": 1430626640,
>       "signers_name": <bindata of "net.">,
>       "type_covered": GETDNS_RRTYPE_DS
>     },
>     "ttl": 86400,
>     "type": GETDNS_RRTYPE_RRSIG
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "flags": 257,
>       "protocol": 3,
>       "public_key": <bindata of 0x010398067cea5972048fa9a58178382d...>,
>       "rdata_raw": <bindata of 0x01010308010398067cea5972048fa9a5...>
>     },
>     "ttl": 86400,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "flags": 256,
>       "protocol": 3,
>       "public_key": <bindata of 0x0103a379a44c688ee5266bd676283010...>,
>       "rdata_raw": <bindata of 0x010003080103a379a44c688ee5266bd6...>
>     },
>     "ttl": 86400,
>     "type": GETDNS_RRTYPE_DNSKEY
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "key_tag": 35886,
>       "labels": 1,
>       "original_ttl": 86400,
>       "rdata_raw": <bindata of 0x00300801000151805550db2155479f75...>,
>       "signature": <bindata of 0x5628f72d43536f645317376dbb15d548...>,
>       "signature_expiration": 1431362337,
>       "signature_inception": 1430757237,
>       "signers_name": <bindata of "net.">,
>       "type_covered": GETDNS_RRTYPE_DNSKEY
>     },
>     "ttl": 86400,
>     "type": GETDNS_RRTYPE_RRSIG
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "digest": <bindata of 0x7862b27f5f516ebe19680444d4ce5e76...>,
>       "digest_type": 2,
>       "key_tag": 35886,
>       "rdata_raw": <bindata of 0x8c2e08027862b27f5f516ebe19680444...>
>     },
>     "ttl": 86399,
>     "type": GETDNS_RRTYPE_DS
>   },
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata of "net.">,
>     "rdata":
>     {
>       "algorithm": 8,
>       "key_tag": 48613,
>       "labels": 1,
>       "original_ttl": 86400,
>       "rdata_raw": <bindata of 0x002b080100015180555626105548e900...>,
>       "signature": <bindata of 0x4fa9c17e53f8a5397d67c16508f03aeb...>,
>       "signature_expiration": 1431709200,
>       "signature_inception": 1430841600,
>       "signers_name": <bindata for .>,
>       "type_covered": GETDNS_RRTYPE_DS
>     },
>     "ttl": 86399,
>     "type": GETDNS_RRTYPE_RRSIG
>   }
> ]"
> 
> The trust anchor:
> 
> string(355) "[
>   {
>     "class": GETDNS_RRCLASS_IN,
>     "name": <bindata for .>,
>     "rdata":
>     {
>       "algorithm": 8,
>       "flags": 257,
>       "protocol": 3,
>       "public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
>       "rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
>     },
>     "ttl": 172800,
>     "type": GETDNS_RRTYPE_DNSKEY
>   }
> ]"
> 
> Based on everything you wrote above, does this look correct?
> 
> Scott
> 

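The pre-flight check implied by the warnings in the quoted thread, as an added example (not getdns code and not code from the mail): before handing a record_to_validate list to getdns_validate_dnssec, confirm that every RRset in it has a covering RRSIG RR-dict, because the function reports a missing signature as bogus without knowing whether an insecure delegation would explain it. The rr_dict struct is a stand-in for getdns dicts, and the two record lists are constructed to mirror the NS answer quoted above, once with its RRSIG and once without.

```c
/* Added example, not getdns or mailing-list code: a pre-flight check that
 * every RRset in a record_to_validate list is covered by an RRSIG RR-dict.
 * getdns_validate_dnssec does not know the zone cuts, so a missing RRSIG
 * comes back as GETDNS_DNSSEC_BOGUS even when an insecure delegation would
 * explain it; listing the uncovered RRsets first keeps the caller from
 * reading that result blindly. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Minimal stand-in for a getdns RR-dict; getdns types are not used here. */
typedef struct {
    const char *name;          /* owner name, presentation form */
    const char *type;          /* "NS", "RRSIG", ... */
    const char *type_covered;  /* RRSIG only; NULL for other types */
} rr_dict;

/* Constructed to mirror the NS answer for getdnsapi.net. quoted in the
 * thread: three NS records and the RRSIG that covers them. */
static const rr_dict answer_signed[] = {
    { "getdnsapi.net.", "NS",    NULL },
    { "getdnsapi.net.", "NS",    NULL },
    { "getdnsapi.net.", "NS",    NULL },
    { "getdnsapi.net.", "RRSIG", "NS" },
};

/* The same answer with the RRSIG absent (constructed). Only a validator
 * that knows where the zone cut is can tell whether that is legitimate. */
static const rr_dict answer_unsigned[] = {
    { "getdnsapi.net.", "NS", NULL },
    { "getdnsapi.net.", "NS", NULL },
    { "getdnsapi.net.", "NS", NULL },
};

/* DNS owner names compare case-insensitively. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Is there an RRSIG in rrs with matching owner name and type_covered? */
static int has_covering_rrsig(const rr_dict *rrs, size_t n,
                              const char *name, const char *type)
{
    for (size_t j = 0; j < n; j++)
        if (strcmp(rrs[j].type, "RRSIG") == 0 && rrs[j].type_covered &&
            strcmp(rrs[j].type_covered, type) == 0 && name_eq(rrs[j].name, name))
            return 1;
    return 0;
}

/* Count the RRsets (owner name, type) in rrs that have no covering RRSIG.
 * Each uncovered RRset is appended once to report as "name/type " when a
 * buffer is given. A return value of 0 means the list is at least complete
 * enough for getdns_validate_dnssec to judge. */
int uncovered_rrsets(const rr_dict *rrs, size_t n, char *report, size_t reportlen)
{
    int uncovered = 0;
    if (report && reportlen)
        report[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rrs[i].type, "RRSIG") == 0)
            continue;
        /* Skip records of an RRset already examined earlier in the list. */
        int seen = 0;
        for (size_t k = 0; k < i && !seen; k++)
            seen = name_eq(rrs[k].name, rrs[i].name) &&
                   strcmp(rrs[k].type, rrs[i].type) == 0;
        if (seen || has_covering_rrsig(rrs, n, rrs[i].name, rrs[i].type))
            continue;
        uncovered++;
        if (report && strlen(report) + strlen(rrs[i].name) +
                      strlen(rrs[i].type) + 3 <= reportlen) {
            strcat(report, rrs[i].name);
            strcat(report, "/");
            strcat(report, rrs[i].type);
            strcat(report, " ");
        }
    }
    return uncovered;
}

int main(void)
{
    char report[256];
    int n = uncovered_rrsets(answer_signed,
                             sizeof answer_signed / sizeof *answer_signed,
                             report, sizeof report);
    printf("signed answer: %d uncovered RRset(s) %s\n", n, report);
    n = uncovered_rrsets(answer_unsigned,
                         sizeof answer_unsigned / sizeof *answer_unsigned,
                         report, sizeof report);
    printf("unsigned answer: %d uncovered RRset(s) %s\n", n, report);
    return 0;
}
```

A non-zero count does not by itself mean the answer is forged; it means the caller has to resolve the delegation status by other means (the DS records at the parent in the validation chain) before treating a BOGUS result from getdns_validate_dnssec as meaningful.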