1libval(3)                     Programmer's Manual                    libval(3)
2
3
4

NAME

6       val_create_context() val_free_context() - manage validator context
7
8       val_resolve_and_check(), val_free_result_chain() - query and validate
9       answers from a DNS name server
10
11       val_istrusted() - check if status value corresponds to that of a trust‐
12       worthy answer
13
14       val_isvalidated() - check if status value represents an answer that
15       cryptographically chains down from a configured trust anchor
16
17       val_does_not_exist() - check if status value represents one of the
18       non-existence types
19
20       p_val_status(), p_ac_status(), p_val_error() - display validation sta‐
21       tus, authentication chain status and error information
22
23       val_log_add_optarg - control log message verbosity and output location
24

SYNOPSIS

26         #include <validator.h>
27
28         int val_create_context(const char *label, val_context_t **newcontext);
29
30         int val_resolve_and_check(val_context_t *context,
31                                const char *domain_name,
32                                int class,
33                                int type,
34                                unsigned int  flags,
35                                struct val_result_chain  **results);
36
37         char *p_val_status(val_status_t valerrno);
38
39         char *p_ac_status(val_astatus_t auth_chain_status);
40
41         char *p_val_error(int err);
42
43         int val_istrusted(val_status_t val_status);
44
45         int val_isvalidated(val_status_t val_status);
46
47         int val_does_not_exist(val_status_t status);
48
49         val_log_t *val_log_add_optarg(const char *args, int use_stderr);
50
51         void val_free_result_chain(struct val_result_chain *results);
52
53         void val_free_context(val_context_t *context);
54

DESCRIPTION

56       The val_resolve_and_check() function queries a set of name servers for
57       the <domain_name, type, class> tuple and to verifies and validates the
58       response.  Verification involves checking the RRSIGs, and validation is
59       verification of an authentication chain from a configured trust anchor.
60
61       The flags parameter can be used to control the results of validation.
62       The following values, which may be ORed together, are currently defined
63       for this field:
64
65       VAL_QUERY_DONT_VALIDATE
66           causes the validator to disable validation for this query.
67
68       VAL_QUERY_AC_DETAIL
69           causes the validator to copy the authentication chain details into
70           the val_rc_answer member within the returned val_result_chain
71           structure.
72
73       VAL_QUERY_ASYNC
74           enables asynchronous query resolution for that lookup.
75
76       VAL_QUERY_NO_DLV
77           causes the validator to disable DLV processing for this query.
78           This is only available if the libval(3) library has been compiled
79           with DLV support.
80
81       VAL_QUERY_NO_EDNS0_FALLBACK In querying various name servers, libsres
82       will also attempt multiple EDNS0 sizes, ending with a query that has
83       EDNS0 disabled (i.e. no CD bit set). This option causes libval to dis‐
84       able EDNS0 fallback for the query.
85       VAL_QUERY_RECURSE forces libval to recursively answer the query by
86       iteratively querying various name servers in the delegation hierarchy,
87       instead of requesting this information from any caching name server
88       that may be configured in dnsval.conf
89       VAL_QUERY_REFRESH_QCACHE forces libval to fetch lookup information from
90       other name servers instead of looking for this data in its local cache.
91
92       The first parameter to val_resolve_and_check() is the validator con‐
93       text.  Applications can create a new validator context using the
94       val_create_context() function.  This function parses the resolver and
95       validator configuration files and creates the handle newcontext to this
96       parsed information.  Information stored as part of validator context
97       includes the validation policy and resolver policy.
98
99       Validator and resolver policies are read from the /etc/dnsval.conf and
100       /etc/resolv.conf files by default.  /etc/root.hints provides bootstrap‐
101       ping information for the validator when it functions as a full resolver
102       (see dnsval.conf(3)). These defaults may be different if any other
103       value was specified at library configure time. If the default resolver
104       configuration file is not found at the specified location, libval will
105       also try to fallback to /etc/resolv.conf as a last resort.
106
107       Answers returned by val_resolve_and_check() are made available in the
108       *results linked list.  Each answer corresponds to a distinct RRset;
109       multiple RRs within the RRset are part of the same answer.  Multiple
110       answers are possible when type is ns_t_any or ns_t_rrsig.
111
112       Individual elements in *results point to val_authentication_chain
113       linked lists.  The authentication chain elements in val_authentica‐
114       tion_chain contain the actual RRsets returned by  the name server in
115       response to the query.
116
117       Validation result values returned in val_result_chain and authentica‐
118       tion chain status values returned in each element of the val_authenti‐
119       cation_chain linked list can be can be converted into ASCII format
120       using the p_val_status() and p_ac_status() functions respectively.
121
122       While some applications such as DNSSEC troubleshooting utilities and
123       packet inspection tools may look at individual authentication chain
124       elements to identify the actual reasons for validation error, most
125       applications will only be interested in a single error code for deter‐
126       mining the authenticity of data.
127
128       val_isvalidated() identifies if a given validation result status value
129       corresponds to an answer that was cryptographically verified and vali‐
130       dated using a locally configured trust anchor.
131
132       val_istrusted() identifies if a given validator status value is
133       trusted.  An answer may be locally trusted without being validated.
134
135       val_does_not_exist() identifies if a given validator status value cor‐
136       responds to one of the non-existence types.
137
138       The libval library internally allocates memory for *results and this
139       must be freed by the invoking application using the free_result_chain()
140       interface.
141

DATA STRUCTURES

143       struct val_result_chain
144             struct val_result_chain
145             {
146                 val_status_t                     val_rc_status;
147                 char                            *val_rc_alias;
148                 struct val_rrset_rec            *val_rc_rrset;
149                 struct val_authentication_chain *val_rc_answer;
150                 int                              val_rc_proof_count;
151                 struct val_authentication_chain *val_rc_proofs[MAX_PROOFS];
152                 struct val_result_chain         *val_rc_next;
153             };
154
155           val_rc_answer
156               Authentication chain for a given RRset.
157
158           val_rc_next
159               Pointer to the next RRset in the set of answers returned for a
160               query.
161
162           val_rc_proofs
163               Pointer to authentication chains for any proof of non-existence
164               that were returned for the query.
165
166           val_rc_proof_count
167               Number of proof elements stored in val_rc_proofs. The number
168               cannot exceed MAX_PROOFS.
169
170           val_rc_alias
171               For an val_result_chain element that points to a name alias,
172               this field contains the target value.
173
174           val_rc_rrset
175               For an val_result_chain element that contains a valid (not
176               NULL) val_rc_answer field, the val_rc_rrset field points to the
177               top-most val_rrset_rec element in the val_rc_answer authentica‐
178               tion chain.
179
180           val_rc_status
181               Validation status for a given RRset.  This can be one of the
182               following:
183
184                   VAL_SUCCESS
185                       Answer received and validated successfully.
186
187                   VAL_NONEXISTENT_NAME
188                       No name was present and a valid proof of non-
189                           existence confirming the missing name (NSEC or
190                           NSEC3 span) was returned. The components of
191                           the proof were also individually validated.
192
193                   VAL_NONEXISTENT_TYPE
194                       No type exists for the name and a valid proof
195                       of non-existence confirming the missing name
196                       was returned.  The components of the proof
197                       were also individually validated.
198
199                   VAL_NONEXISTENT_NAME_NOCHAIN
200                       No name was present and a valid proof of non-
201                           existence confirming the missing name was
202                           returned. The components of the proof were also
203                           identified to be trustworthy, but they were
204                           not individually validated.
205
206                   VAL_NONEXISTENT_TYPE_NOCHAIN
207                       No type exists for the name and a valid proof
208                       of non-existence confirming the missing name
209                       (NSEC or NSEC3 span) was returned.  The
210                       components of the proof were also identified
211                       to be trustworthy, but they were not
212                       individually validated.
213
214                   VAL_PINSECURE
215                       The record or some ancestor of the record in
216                       the authentication chain towards the trust
217                       anchor was known to be provably insecure.
218
219                   VAL_PINSECURE_UNTRUSTED
220                       The record or some ancestor of the record in the
221                       authentication chain towards the trust anchor was
222                       known to be provably insecure. But the provably
223                       insecure condition was configured as untrustworthy.
224
225                   VAL_BARE_RRSIG
226                       No DNSSEC validation possible, query was
227                       for an RRSIG.
228
229                   VAL_IGNORE_VALIDATION
230                       Local policy was configured to ignore validation
231                       for the zone from which this data was received.
232
233                   VAL_UNTRUSTED_ZONE
234                       Local policy was configured to reject
235                       any data received from the given zone.
236
237                   VAL_OOB_ANSWER
238                       Answer was obtained using some Out of Band
239                       method, such as a local configuration file.
240
241                   VAL_BOGUS
242                       Response could not be validated due to signature
243                       verification failures or the inability to verify
244                       proofs for an indeterminate number of components
245                       in the authentication chain.
246
247                   VAL_DNS_ERROR
248                       Some error was encountered during DNS processing.
249
250                   VAL_NOTRUST
251                       All available components in the authentication
252                       chain verified properly, but there was no trust
253                       anchor available.
254
255               Status values in val_status_t returned by the validator can be
256               displayed in ASCII format using p_val_status().
257
258       struct val_authentication_chain
259             struct val_authentication_chain
260             {
261                 val_astatus_t                    val_ac_status;
262                 struct val_rrset_rec                *val_ac_rrset;
263                 struct val_authentication_chain *val_ac_trust;
264             };
265
266           val_ac_status
267               Validation state of the authentication chain element.  This
268               field will contain the status code for the given component in
269               the authentication chain.  This field may contain one of the
270               following values:
271
272                   VAL_AC_UNSET
273                       The status could not be determined.
274
275                   VAL_AC_IGNORE_VALIDATION
276                       Validation for the given resource record was ignored,
277                       either because of some local policy directive or
278                       because of some protocol-specific behavior.
279
280                   VAL_AC_UNTRUSTED_ZONE
281                       Local policy defined a given zone as untrusted,
282                       with no further validation being deemed necessary.
283
284                   VAL_AC_PINSECURE
285                       The authentication chain from a trust anchor to a
286                       given zone could not be constructed due to the
287                       provable absence of a DS record for this zone in
288                       the parent.
289
290                   VAL_AC_BARE_RRSIG
291                       The response was for a query of type RRSIG.  RRSIGs
292                       contain the cryptographic signatures for other DNS
293                       data and cannot themselves be validated.
294
295                   VAL_AC_NO_LINK
296                       There was no trust anchor configured for a given
297                       authentication chain or the chain didn't link up.
298
299                   VAL_AC_TRUST
300                       At least one of the signatures covering the given
301                       DNSKEY RRset was directly verified using a key that was
302                       configured as a DNSSEC trust anchor.
303
304                   VAL_AC_RRSIG_MISSING
305                       RRSIG data could not be retrieved for a
306                       resource record.
307
308                   VAL_AC_DNSKEY_MISSING
309                       The DNSKEY for an RRSIG covering a resource
310                       record could not be retrieved.
311
312                   VAL_AC_DS_MISSING
313                       The DS record covering a DNSKEY record was
314                       not available.
315
316                   VAL_AC_DATA_MISSING
317                       No data were returned for a query and the
318                       DNS did not indicate an error.
319
320                   VAL_AC_DNS_ERROR
321                       Some error was encountered during DNS processing.
322
323                   VAL_AC_NOT_VERIFIED
324                       All RRSIGs covering the RRset could not
325                       be verified.
326
327                   VAL_AC_VERIFIED
328                       At least one RRSIG covering a resource
329                       record had a status of VAL_AC_RRSIG_VERIFIED.
330
331           val_ac_rrset
332               Pointer to an RRset of type struct val_rrset_rec obtained from
333               the DNS response.
334
335           val_ac_trust
336               Pointer to an authentication chain element that either contains
337               a DNSKEY RRset that can be used to verify RRSIGs over the cur‐
338               rent record, or contains a DS RRset that can be used to build
339               the chain-of-trust towards a trust anchor.
340
341       struct val_rrset_rec
342             struct val_rrset_rec
343             {
344                 int    val_rrset_rcode;
345                 char   *val_rrset_name;
346                 int    val_rrset_class;
347                 int    val_rrset_type;
348                 long   val_rrset_ttl;
349                 int    val_rrset_section;
350                 struct sockaddr *val_rrset_server;
351                 struct val_rr_rec *val_rrset_data;
352                 struct val_rr_rec *val_rrset_sig;
353             };
354
355           val_rrset_rcode
356               The rcode on the response header for this rrset.
357
358           val_rrset_name
359               Owner name of the RRset.
360
361           val_rrset_class
362               Class of the RRset.
363
364           val_val_rrset_type
365               Type of the RRset.
366
367           val_rrset_ttl
368               TTL of the RRset.
369
370           val_rrset_section
371               Section in which the RRset was received.  This value may be
372               VAL_FROM_ANSWER, VAL_FROM_AUTHORITY, or VAL_FROM_ADDITIONAL.
373
374           val_rrset_server
375               The name server that returned this reponse.
376
377           val_rrset_data
378               Response RDATA.
379
380           val_rrset_sig
381               Any associated RRSIGs for the RDATA returned in val_rrset_data.
382
383           struct val_rr_rec
384                 struct val_rr_rec
385                 {
386                     size_t            rr_rdata_length;
387                     unsigned char     *rr_rdata;
388                     struct val_rr_rec *rr_next;
389                     val_astatus_t     rr_status;
390                 };
391
392               rr_rdata_length_h
393                   Length of data stored in rr_rdata.
394
395               rr_rdata
396                   RDATA bytes.
397
398               rr_status
399                   For each signature val_rr_rec member within the authentica‐
400                   tion chain val_ac_rrset, the validation status stored in
401                   the variable rr_status can return one of the following val‐
402                   ues:
403
404                       VAL_AC_RRSIG_VERIFIED
405                           The RRSIG verified successfully.
406
407                       VAL_AC_WCARD_VERIFIED
408                           A given RRSIG covering a resource record shows
409                           that the record was wildcard expanded.
410
411                       VAL_AC_RRSIG_VERIFIED_SKEW
412                           The RRSIG verified successfully after clock
413                           skew was taken into account.
414
415                       VAL_AC_WCARD_VERIFIED_SKEW
416                           A given RRSIG covering a resource record shows that
417                           the record was wildcard expanded, but it was verified
418                           only after clock skew was taken into account.
419
420                       VAL_AC_WRONG_LABEL_COUNT
421                           The number of labels on the signature was greater
422                           than the count given in the RRSIG RDATA.
423
424                       VAL_AC_INVALID_RRSIG
425                           The RRSIG could not be parsed.
426
427                       VAL_AC_RRSIG_NOTYETACTIVE
428                           The RRSIG's inception time is in the future.
429
430                       VAL_AC_RRSIG_EXPIRED
431                           The RRSIG had expired.
432
433                       VAL_AC_ALGORITHM_NOT_SUPPORTED
434                           The RRSIG algorithm was not supported.
435
436                       VAL_AC_RRSIG_VERIFY_FAILED
437                           A given RRSIG covering an RRset was bogus.
438
439                       VAL_AC_RRSIG_ALGORITHM_MISMATCH
440                           The keytag referenced in the RRSIG matched a
441                           DNSKEY but the algorithms were different.
442
443                       VAL_AC_DNSKEY_NOMATCH
444                           An RRSIG was created by a DNSKEY that did not
445                           exist in the apex keyset.
446
447                   For each val_rr_rec member of type DNSKEY (or DS, where
448                   relevant) within the authentication chain val_ac_rrset, the
449                   validation status is stored in the variable rr_status and
450                   can return one of the following values:
451
452                       VAL_AC_TRUST_POINT
453                       The given DNSKEY or a DS record was configured
454                       as a DNSSEC trust anchor.
455
456                       VAL_AC_SIGNING_KEY
457                           This DNSKEY was used to create an RRSIG for
458                           the resource record set.
459
460                       VAL_AC_VERIFIED_LINK
461                           This DNSKEY provided the link in the authentication
462                           chain from the trust anchor to the signed record.
463
464                       VAL_AC_UNKNOWN_ALGORITHM_LINK
465                           This DNSKEY provided the link in the authentication
466                           chain from the trust anchor to the signed record,
467                           but the DNSKEY algorithm was unknown.
468
469                       VAL_AC_UNKNOWN_DNSKEY_PROTOCOL
470                           The DNSKEY protocol number was unrecognized.
471
472                       VAL_AC_ALGORITHM_NOT_SUPPORTED
473                           The DNSKEY or DS algorithm was not supported.
474
475                       VAL_AC_DS_NOMATCH
476                           An RRSIG was created with a key that did not
477                           exist in the parent DS record set.
478
479                       VAL_AC_INVALID_KEY
480                           The key used to verify the RRSIG was not a valid
481                           DNSKEY.
482
483                       VAL_AC_INVALID_DS
484                           The DS used to validatate the DNSKEY could not be
485                       parsed
486                   =back
487
488               rr_next
489                   Points to the next resource record in the RRset.
490

LOGGING

492       libval provides the val_log_add_optarg() function for controlling the
493       verbosity and location of log message output.
494
495       The val_log_add_optarg() function takes two arguments: the first argu‐
496       ment args is a character string value that specifies the location and
497       verbosity, the second argument, use_stderr, if set to a value greater
498       than 0 allows libval to send log messages to stderr.
499
500       The character string that specifies log target location and verbosity
501       has a specific format:
502
503           <debug-level>:<dest-type>[:<dest-options>]
504
505       where
506           <debug-level> is 1-7, for increasing levels of verbosity
507           <dest-type> is one of file, net, syslog, stderr, stdout
508           <dest-options> depends on <dest-type>
509               file:<file-name>   (opened in append mode)
510               net[:<host-name>:<host-port>] (127.0.0.1:1053)
511               syslog[:facility] (0-23 (default 1 USER))
512
513       The log levels can be roughly translated into different types of log
514       messages as follows (the messages returned for each level in this list
515       subsumes the messages returned for the level above it):
516
517           3 : Error : errror encountered
518           4 : Warning : recovering from error
519           5 : Notice : gives final validation results for a query
520                        and details on policy files and labels used
521           6 : Info : gives details on authentication chains
522           7 : Debug : gives debug level information
523

RETURN VALUES

525       Return values for various functions are given below. These values can
526       be displayed in ASCII format using the p_val_error() function.
527
528       VAL_NO_ERROR
529           No error was encountered.
530
531       VAL_NOT_IMPLEMENTED
532           Functionality not yet implemented.
533
534       VAL_RESOURCE_UNAVAILABLE
535           Some resource (crypto possibly) was unavailable.  Currently not
536           implemented.
537
538       VAL_BAD_ARGUMENT
539           Bad arguments passed as parameters.
540
541       VAL_INTERNAL_ERROR
542           Encountered some internal error.
543
544       VAL_NO_PERMISSION
545           No permission to perform operation.  Currently not implemented.
546
547       VAL_CONF_PARSE_ERROR
548           Error in parsing some configuration file.
549
550       VAL_CONF_NOT_FOUND
551           A configuration file was not available.
552
553       VAL_NO_POLICY
554           The policy identifier being referenced was invalid.
555

FILES

557       The validator library reads configuration information from two files,
558       resolv.conf and dnsval.conf.
559
560       See dnsval.conf(5) for a description of syntax for these files.
561
563       Copyright 2004-2011 SPARTA, Inc.  All rights reserved.  See the COPYING
564       file included with the dnssec-tools package for details.
565

AUTHORS

567       Suresh Krishnaswamy, Robert Story
568

SEE ALSO

570       libsres(3)
571
572       dnsval.conf(5)
573
574       http://dnssec-tools.sourceforge.net
575
576
577
578perl v5.8.9                       2011-06-28                         libval(3)
Impressum