From c5acb3769b3267c515b939de067189a1226f57bd Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Thu, 6 Jul 2017 21:28:34 +0200
Subject: [PATCH 1/4] Exit with error when answers were bogus

---
 src/tools/getdns_query.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c
index 58fb70c6..f237585c 100644
--- a/src/tools/getdns_query.c
+++ b/src/tools/getdns_query.c
@@ -81,6 +81,8 @@ static uint16_t request_type = GETDNS_RRTYPE_NS;
 static int timeout, edns0_size, padding_blocksize;
 static int async = 0, interactive = 0;
 static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL;
+static int bogus_answers = 0;
+static int check_dnssec = 0;
 
 static int get_rrtype(const char *t)
 {
@@ -317,6 +319,7 @@ static getdns_return_t validate_chain(getdns_dict *response)
 		break;
 	case GETDNS_DNSSEC_BOGUS:
 		if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+		bogus_answers += 1;
 		break;
 	case GETDNS_DNSSEC_INDETERMINATE:
 		if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
@@ -346,6 +349,7 @@ static getdns_return_t validate_chain(getdns_dict *response)
 			break;
 		case GETDNS_DNSSEC_BOGUS:
 			if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n");
+			bogus_answers += 1;
 			break;
 		case GETDNS_DNSSEC_INDETERMINATE:
 			if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n");
@@ -389,6 +393,14 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
 	if (callback_type == GETDNS_CALLBACK_COMPLETE) {
 		if (verbosity) printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64"  was successful.\n",
 			trans_id);
+		if (check_dnssec) {
+			uint32_t dnssec_status = GETDNS_DNSSEC_SECURE;
+
+	    		(void )getdns_dict_get_int(response,
+			    "/replies_tree/0/dnssec_status", &dnssec_status);
+			if (dnssec_status == GETDNS_DNSSEC_BOGUS)
+				bogus_answers += 1;
+		}
 
 	} else if (callback_type == GETDNS_CALLBACK_CANCEL)
 		fprintf(stderr,
@@ -403,7 +415,6 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type,
 			getdns_get_errorstr_by_id(callback_type));
 	}
 	getdns_dict_destroy(response);
-	response = NULL;
 }
 
 #define CONTINUE ((getdns_return_t)-2)
@@ -578,6 +589,9 @@ getdns_return_t parse_args(int argc, char **argv)
 			continue;
 
 		} else if (arg[0] == '+') {
+			if (strncmp(arg+1, "dnssec_", 7) == 0)
+				check_dnssec = 1;
+
 			if (arg[1] == 's' && arg[2] == 'i' && arg[3] == 't' &&
 			   (arg[4] == '=' || arg[4] == '\0')) {
 				if ((r = set_cookie(extensions, arg+4))) {
@@ -1196,6 +1210,7 @@ getdns_return_t do_the_call(void)
 
 				fprintf( stdout, "%s\n", response_str);
 				if (verbosity) fprintf( stdout, "SYNC call completed.\n");
+
 				validate_chain(response);
 				free(response_str);
 			} else {
@@ -1208,8 +1223,18 @@ getdns_return_t do_the_call(void)
 		if (verbosity)
 			fprintf(stdout, "Response code was: GOOD. Status was: %s\n", 
 			 getdns_get_errorstr_by_id(status));
-		if (response)
+		if (response) {
+			if (check_dnssec) {
+				uint32_t dnssec_status = GETDNS_DNSSEC_SECURE;
+
+				(void )getdns_dict_get_int(response,
+				    "/replies_tree/0/dnssec_status",
+				    &dnssec_status);
+				if (dnssec_status == GETDNS_DNSSEC_BOGUS)
+					bogus_answers += 1;
+			}
 			getdns_dict_destroy(response);
+		}
 	}
 	getdns_dict_destroy(address);
 	return r;
@@ -1790,5 +1815,7 @@ done_destroy_context:
 	if (!i_am_stubby && verbosity)
 		fprintf(stdout, "\nAll done.\n");
 
-	return r;
+	return             r ? r 
+	     : bogus_answers ? GETDNS_DNSSEC_BOGUS
+	     : GETDNS_RETURN_GOOD;
 }

From bceb6c8c87487561bf0632ca78db29c87fe3007f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sat, 15 Jul 2017 11:14:35 +0200
Subject: [PATCH 2/4] Resubmit netreqs when roadblocks need to be avoided

---
 src/dnssec.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c
index fbbc966d..0a1133dc 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3043,6 +3043,37 @@ static void check_chain_complete(chain_head *chain)
 			netreq->owner = dnsreq;
 			r = _getdns_submit_netreq(netreq, &now_ms);
 		}
+		if (!dnsreq->dnssec_return_validation_chain)
+			return;
+
+		for ( head = chain; head ; head = next ) {
+			next = head->next;
+			for ( node_count = head->node_count
+			    , node = head->parent
+			    ; node_count
+			    ; node_count--, node = node->parent ) {
+
+				if (node->dnskey_req) {
+					_getdns_netreq_change_state(
+					    node->dnskey_req,
+					    NET_REQ_NOT_SENT);
+					node->dnskey_req->owner->
+					    avoid_dnssec_roadblocks = 1;
+					r = _getdns_submit_netreq(
+					    node->dnskey_req, &now_ms);
+				}
+				if (node->ds_req) {
+					_getdns_netreq_change_state(
+					    node->ds_req, NET_REQ_NOT_SENT);
+					node->ds_req->owner->
+					    avoid_dnssec_roadblocks = 1;
+					r = _getdns_submit_netreq(
+					    node->ds_req, &now_ms);
+				}
+			}
+		}
+		DEBUG_SEC("Outstanding requests: %d\n",
+		    (int)count_outstanding_requests(chain));
 		return;
 	}
 #endif

From 84430e02cdae5bae3b128351ec9ca470ad7cdb9f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sat, 15 Jul 2017 17:48:24 +0200
Subject: [PATCH 3/4] Actually working roadblocks and getting validation chains

---
 src/dnssec.c  | 42 +++++++++++++++++++++++++++++++++++-------
 src/general.c |  7 +++++++
 2 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 0a1133dc..d694775a 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -550,11 +550,26 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
 		/* Also, try to prevent adding double rrsets */
 		if (   rrset->rr_class == head->rrset.rr_class
 		    && rrset->rr_type  == head->rrset.rr_type
-		    && rrset->pkt      == head->rrset.pkt
-		    && rrset->pkt_len  == head->rrset.pkt_len
-		    && _dname_equal(rrset->name, head->rrset.name))
-			return NULL;
+		    && _dname_equal(rrset->name, head->rrset.name)) {
 
+			if (rrset->pkt == head->rrset.pkt &&
+			    rrset->pkt_len == head->rrset.pkt_len)
+				return NULL;
+			else {
+				/* Anticipate resubmissions due to
+				 * roadblock avoidance */
+				head->rrset.pkt = rrset->pkt;
+				head->rrset.pkt_len = rrset->pkt_len;
+				return head;
+			}
+		}
+
+		if (   rrset->rr_class == head->rrset.rr_class
+		    && rrset->rr_type  == head->rrset.rr_type
+		    && rrset->pkt      != head->rrset.pkt
+		    && _dname_equal(rrset->name, head->rrset.name)) {
+			return NULL;
+		}
 		for (label = labels; label < last_label; label++) {
 			if (! _dname_is_parent(*label, head->rrset.name))
 				break;
@@ -2416,6 +2431,7 @@ static int key_proves_nonexistance(
 	 * ========================+
 	 * First find the closest encloser.
 	 */
+	if (*rrset->name)
 	for ( nc_name = rrset->name, ce_name = rrset->name + *rrset->name + 1
 	    ; *ce_name ; nc_name = ce_name, ce_name += *ce_name + 1) {
 
@@ -3034,14 +3050,18 @@ static void check_chain_complete(chain_head *chain)
 		uint64_t now_ms = 0;
 
 		dnsreq->avoid_dnssec_roadblocks = 1;
+		dnsreq->chain->lock += 1;
 
 		for ( netreq_p = dnsreq->netreqs
-		    ; !r && (netreq = *netreq_p)
+		    ; (netreq = *netreq_p)
 		    ; netreq_p++) {
 
 			_getdns_netreq_change_state(netreq, NET_REQ_NOT_SENT);
+			netreq->dnssec_status = 
+				GETDNS_DNSSEC_INDETERMINATE;
 			netreq->owner = dnsreq;
 			r = _getdns_submit_netreq(netreq, &now_ms);
+			DEBUG_SEC("Resubmitting main netreq returned: %d\n", r);
 		}
 		if (!dnsreq->dnssec_return_validation_chain)
 			return;
@@ -3216,11 +3236,16 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
 	getdns_network_req *netreq, **netreq_p;
 	chain_head *chain = NULL, *chain_p;
 
-	if (dnsreq->validating)
+	if (dnsreq->avoid_dnssec_roadblocks) {
+		chain = dnsreq->chain;
+
+	} else if (dnsreq->validating)
 		return;
 	dnsreq->validating = 1;
 
-	for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) {
+	if (dnsreq->avoid_dnssec_roadblocks && chain->lock == 0)
+		; /* pass */
+	else for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) {
 		if (!  netreq->response
 		    || netreq->response_len < GLDNS_HEADER_SIZE
 		    || ( GLDNS_RCODE_WIRE(netreq->response)
@@ -3248,6 +3273,9 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
 			if (chain_p->lock) chain_p->lock--;
 		}
 		dnsreq->chain = chain;
+		if (dnsreq->avoid_dnssec_roadblocks && chain->lock)
+			chain->lock -= 1;
+
 		check_chain_complete(chain);
 	} else {
 		dnsreq->validating = 0;
diff --git a/src/general.c b/src/general.c
index 280df08d..2420a47c 100644
--- a/src/general.c
+++ b/src/general.c
@@ -59,6 +59,9 @@ void _getdns_call_user_callback(getdns_dns_req *dnsreq, getdns_dict *response)
 {
 	_getdns_context_clear_outbound_request(dnsreq);
 
+#if defined(REQ_DEBUG) && REQ_DEBUG
+	debug_req(__FUNC__, *dnsreq->netreqs);
+#endif
 	if (dnsreq->user_callback) {
 		dnsreq->context->processing = 1;
 		dnsreq->user_callback(dnsreq->context,
@@ -211,6 +214,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 
 #ifdef STUB_NATIVE_DNSSEC
 	    || (dns_req->context->resolution_type == GETDNS_RESOLUTION_STUB
+	        && !dns_req->avoid_dnssec_roadblocks
 	        && (dns_req->dnssec_return_status ||
 	            dns_req->dnssec_return_only_secure ||
 	            dns_req->dnssec_return_all_statuses
@@ -228,6 +232,9 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 		    NULL, NULL, (getdns_eventloop_callback)
 		    _getdns_validation_chain_timeout));
 
+#if defined(REQ_DEBUG) && REQ_DEBUG
+		debug_req("getting validation chain for ", *dns_req->netreqs);
+#endif
 		_getdns_get_validation_chain(dns_req);
 	} else
 		_getdns_call_user_callback(

From e11dc92df1d76f840a2928fbe06b253bae3abdc4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sat, 15 Jul 2017 18:38:31 +0200
Subject: [PATCH 4/4] Hopefully the last warning

---
 src/dnssec.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index d694775a..e9962852 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3045,7 +3045,6 @@ static void check_chain_complete(chain_head *chain)
 	    && !dnsreq->avoid_dnssec_roadblocks
 	    &&  dnsreq->netreqs[0]->dnssec_status == GETDNS_DNSSEC_BOGUS) {
 
-		int r = GETDNS_RETURN_GOOD;
 		getdns_network_req **netreq_p, *netreq;
 		uint64_t now_ms = 0;
 
@@ -3060,8 +3059,7 @@ static void check_chain_complete(chain_head *chain)
 			netreq->dnssec_status = 
 				GETDNS_DNSSEC_INDETERMINATE;
 			netreq->owner = dnsreq;
-			r = _getdns_submit_netreq(netreq, &now_ms);
-			DEBUG_SEC("Resubmitting main netreq returned: %d\n", r);
+			(void) _getdns_submit_netreq(netreq, &now_ms);
 		}
 		if (!dnsreq->dnssec_return_validation_chain)
 			return;
@@ -3079,7 +3077,7 @@ static void check_chain_complete(chain_head *chain)
 					    NET_REQ_NOT_SENT);
 					node->dnskey_req->owner->
 					    avoid_dnssec_roadblocks = 1;
-					r = _getdns_submit_netreq(
+					(void) _getdns_submit_netreq(
 					    node->dnskey_req, &now_ms);
 				}
 				if (node->ds_req) {
@@ -3087,13 +3085,11 @@ static void check_chain_complete(chain_head *chain)
 					    node->ds_req, NET_REQ_NOT_SENT);
 					node->ds_req->owner->
 					    avoid_dnssec_roadblocks = 1;
-					r = _getdns_submit_netreq(
+					(void) _getdns_submit_netreq(
 					    node->ds_req, &now_ms);
 				}
 			}
 		}
-		DEBUG_SEC("Outstanding requests: %d\n",
-		    (int)count_outstanding_requests(chain));
 		return;
 	}
 #endif