/src/bind9/lib/dns/zone.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) Internet Systems Consortium, Inc. ("ISC") |
3 | | * |
4 | | * SPDX-License-Identifier: MPL-2.0 |
5 | | * |
6 | | * This Source Code Form is subject to the terms of the Mozilla Public |
7 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 | | * file, you can obtain one at https://mozilla.org/MPL/2.0/. |
9 | | * |
10 | | * See the COPYRIGHT file distributed with this work for additional |
11 | | * information regarding copyright ownership. |
12 | | */ |
13 | | |
14 | | /*! \file */ |
15 | | |
16 | | #include <errno.h> |
17 | | #include <inttypes.h> |
18 | | #include <stdbool.h> |
19 | | |
20 | | #include <isc/async.h> |
21 | | #include <isc/atomic.h> |
22 | | #include <isc/file.h> |
23 | | #include <isc/hash.h> |
24 | | #include <isc/hashmap.h> |
25 | | #include <isc/hex.h> |
26 | | #include <isc/loop.h> |
27 | | #include <isc/md.h> |
28 | | #include <isc/mutex.h> |
29 | | #include <isc/overflow.h> |
30 | | #include <isc/random.h> |
31 | | #include <isc/ratelimiter.h> |
32 | | #include <isc/refcount.h> |
33 | | #include <isc/result.h> |
34 | | #include <isc/rwlock.h> |
35 | | #include <isc/serial.h> |
36 | | #include <isc/stats.h> |
37 | | #include <isc/stdtime.h> |
38 | | #include <isc/strerr.h> |
39 | | #include <isc/string.h> |
40 | | #include <isc/thread.h> |
41 | | #include <isc/tid.h> |
42 | | #include <isc/timer.h> |
43 | | #include <isc/tls.h> |
44 | | #include <isc/util.h> |
45 | | |
46 | | #include <dns/acl.h> |
47 | | #include <dns/adb.h> |
48 | | #include <dns/callbacks.h> |
49 | | #include <dns/catz.h> |
50 | | #include <dns/db.h> |
51 | | #include <dns/dbiterator.h> |
52 | | #include <dns/dlz.h> |
53 | | #include <dns/dnssec.h> |
54 | | #include <dns/journal.h> |
55 | | #include <dns/kasp.h> |
56 | | #include <dns/keydata.h> |
57 | | #include <dns/keymgr.h> |
58 | | #include <dns/keytable.h> |
59 | | #include <dns/keyvalues.h> |
60 | | #include <dns/log.h> |
61 | | #include <dns/master.h> |
62 | | #include <dns/masterdump.h> |
63 | | #include <dns/message.h> |
64 | | #include <dns/name.h> |
65 | | #include <dns/nsec.h> |
66 | | #include <dns/nsec3.h> |
67 | | #include <dns/opcode.h> |
68 | | #include <dns/peer.h> |
69 | | #include <dns/private.h> |
70 | | #include <dns/rcode.h> |
71 | | #include <dns/rdata.h> |
72 | | #include <dns/rdataclass.h> |
73 | | #include <dns/rdatalist.h> |
74 | | #include <dns/rdataset.h> |
75 | | #include <dns/rdatasetiter.h> |
76 | | #include <dns/rdatastruct.h> |
77 | | #include <dns/rdatatype.h> |
78 | | #include <dns/remote.h> |
79 | | #include <dns/request.h> |
80 | | #include <dns/resolver.h> |
81 | | #include <dns/rriterator.h> |
82 | | #include <dns/soa.h> |
83 | | #include <dns/ssu.h> |
84 | | #include <dns/stats.h> |
85 | | #include <dns/time.h> |
86 | | #include <dns/tsig.h> |
87 | | #include <dns/update.h> |
88 | | #include <dns/xfrin.h> |
89 | | #include <dns/zone.h> |
90 | | #include <dns/zoneverify.h> |
91 | | #include <dns/zt.h> |
92 | | |
93 | | #include <dst/dst.h> |
94 | | |
95 | | #include "zone_p.h" |
96 | | |
97 | 2 | #define ZONE_MAGIC ISC_MAGIC('Z', 'O', 'N', 'E') |
98 | | #define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC) |
99 | | |
100 | 0 | #define NOTIFY_MAGIC ISC_MAGIC('N', 't', 'f', 'y') |
101 | | #define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC) |
102 | | |
103 | 0 | #define CHECKDS_MAGIC ISC_MAGIC('C', 'h', 'D', 'S') |
104 | | #define DNS_CHECKDS_VALID(checkds) ISC_MAGIC_VALID(checkds, CHECKDS_MAGIC) |
105 | | |
106 | 0 | #define STUB_MAGIC ISC_MAGIC('S', 't', 'u', 'b') |
107 | | #define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC) |
108 | | |
109 | 0 | #define ZONEMGR_MAGIC ISC_MAGIC('Z', 'm', 'g', 'r') |
110 | | #define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC) |
111 | | |
112 | 0 | #define FORWARD_MAGIC ISC_MAGIC('F', 'o', 'r', 'w') |
113 | | #define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC) |
114 | | |
115 | | #define IO_MAGIC ISC_MAGIC('Z', 'm', 'I', 'O') |
116 | | #define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC) |
117 | | |
118 | 0 | #define KEYMGMT_MAGIC ISC_MAGIC('M', 'g', 'm', 't') |
119 | | #define DNS_KEYMGMT_VALID(load) ISC_MAGIC_VALID(load, KEYMGMT_MAGIC) |
120 | | |
121 | 0 | #define KEYFILEIO_MAGIC ISC_MAGIC('K', 'y', 'I', 'O') |
122 | | #define DNS_KEYFILEIO_VALID(kfio) ISC_MAGIC_VALID(kfio, KEYFILEIO_MAGIC) |
123 | | |
124 | | /*% |
125 | | * Ensure 'a' is at least 'min' but not more than 'max'. |
126 | | */ |
127 | 6 | #define RANGE(a, min, max) (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max))) |
128 | | |
129 | 0 | #define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) |
130 | | |
131 | | /*% |
132 | | * Key flags |
133 | | */ |
134 | 0 | #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) |
135 | 0 | #define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) |
136 | 0 | #define ID(x) dst_key_id(x) |
137 | 0 | #define ALG(x) dst_key_alg(x) |
138 | | |
139 | | /*% |
140 | | * KASP flags |
141 | | */ |
142 | | #define KASP_LOCK(k) \ |
143 | 0 | if ((k) != NULL) { \ |
144 | 0 | LOCK((&((k)->lock))); \ |
145 | 0 | } |
146 | | |
147 | | #define KASP_UNLOCK(k) \ |
148 | 0 | if ((k) != NULL) { \ |
149 | 0 | UNLOCK((&((k)->lock))); \ |
150 | 0 | } |
151 | | |
152 | | /* |
153 | | * Default values. |
154 | | */ |
155 | 2 | #define DNS_DEFAULT_IDLEIN 3600 /*%< 1 hour */ |
156 | 2 | #define DNS_DEFAULT_IDLEOUT 3600 /*%< 1 hour */ |
157 | 4 | #define MAX_XFER_TIME (2 * 3600) /*%< Documented default is 2 hours */ |
158 | | #define RESIGN_DELAY 3600 /*%< 1 hour */ |
159 | | |
160 | | #ifndef DNS_MAX_EXPIRE |
161 | | #define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */ |
162 | | #endif /* ifndef DNS_MAX_EXPIRE */ |
163 | | |
164 | | #ifndef DNS_DUMP_DELAY |
165 | 0 | #define DNS_DUMP_DELAY 900 /*%< 15 minutes */ |
166 | | #endif /* ifndef DNS_DUMP_DELAY */ |
167 | | |
168 | | typedef struct dns_notify dns_notify_t; |
169 | | typedef struct dns_checkds dns_checkds_t; |
170 | | typedef struct dns_stub dns_stub_t; |
171 | | typedef struct dns_load dns_load_t; |
172 | | typedef struct dns_forward dns_forward_t; |
173 | | typedef ISC_LIST(dns_forward_t) dns_forwardlist_t; |
174 | | typedef struct dns_keymgmt dns_keymgmt_t; |
175 | | typedef struct dns_signing dns_signing_t; |
176 | | typedef ISC_LIST(dns_signing_t) dns_signinglist_t; |
177 | | typedef struct dns_nsec3chain dns_nsec3chain_t; |
178 | | typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t; |
179 | | typedef struct dns_nsfetch dns_nsfetch_t; |
180 | | typedef struct dns_keyfetch dns_keyfetch_t; |
181 | | typedef struct dns_asyncload dns_asyncload_t; |
182 | | typedef struct dns_include dns_include_t; |
183 | | |
184 | | #define DNS_ZONE_CHECKLOCK |
185 | | #ifdef DNS_ZONE_CHECKLOCK |
186 | | #define LOCK_ZONE(z) \ |
187 | 16 | do { \ |
188 | 16 | LOCK(&(z)->lock); \ |
189 | 16 | INSIST(!(z)->locked); \ |
190 | 16 | (z)->locked = true; \ |
191 | 16 | } while (0) |
192 | | #define UNLOCK_ZONE(z) \ |
193 | 16 | do { \ |
194 | 16 | (z)->locked = false; \ |
195 | 16 | UNLOCK(&(z)->lock); \ |
196 | 16 | } while (0) |
197 | | #define LOCKED_ZONE(z) ((z)->locked) |
198 | | #define TRYLOCK_ZONE(result, z) \ |
199 | 0 | do { \ |
200 | 0 | result = isc_mutex_trylock(&(z)->lock); \ |
201 | 0 | if (result == ISC_R_SUCCESS) { \ |
202 | 0 | INSIST(!(z)->locked); \ |
203 | 0 | (z)->locked = true; \ |
204 | 0 | } \ |
205 | 0 | } while (0) |
206 | | #else /* ifdef DNS_ZONE_CHECKLOCK */ |
207 | | #define LOCK_ZONE(z) LOCK(&(z)->lock) |
208 | | #define UNLOCK_ZONE(z) UNLOCK(&(z)->lock) |
209 | | #define LOCKED_ZONE(z) true |
210 | | #define TRYLOCK_ZONE(result, z) \ |
211 | | do { \ |
212 | | result = isc_mutex_trylock(&(z)->lock); \ |
213 | | } while (0) |
214 | | #endif /* ifdef DNS_ZONE_CHECKLOCK */ |
215 | | |
216 | 2 | #define ZONEDB_INITLOCK(l) isc_rwlock_init((l)) |
217 | 0 | #define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l) |
218 | 175 | #define ZONEDB_LOCK(l, t) RWLOCK((l), (t)) |
219 | 175 | #define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t)) |
220 | | |
221 | | #define RETERR(x) \ |
222 | 0 | do { \ |
223 | 0 | result = (x); \ |
224 | 0 | if (result != ISC_R_SUCCESS) \ |
225 | 0 | goto failure; \ |
226 | 0 | } while (0) |
227 | | |
228 | | #ifdef ENABLE_AFL |
229 | | extern bool dns_fuzzing_resolver; |
230 | | #endif /* ifdef ENABLE_AFL */ |
231 | | |
232 | | /*% |
233 | | * Hold key file IO locks. |
234 | | */ |
235 | | typedef struct dns_keyfileio { |
236 | | unsigned int magic; |
237 | | isc_mutex_t lock; |
238 | | isc_refcount_t references; |
239 | | dns_name_t *name; |
240 | | dns_fixedname_t fname; |
241 | | } dns_keyfileio_t; |
242 | | |
243 | | struct dns_keymgmt { |
244 | | unsigned int magic; |
245 | | isc_rwlock_t lock; |
246 | | isc_mem_t *mctx; |
247 | | isc_hashmap_t *table; |
248 | | }; |
249 | | |
250 | | /* |
251 | | * Initial size of the keymgmt hash table. |
252 | | */ |
253 | 0 | #define DNS_KEYMGMT_HASH_BITS 12 |
254 | | |
255 | | struct dns_zone { |
256 | | /* Unlocked */ |
257 | | unsigned int magic; |
258 | | isc_mutex_t lock; |
259 | | #ifdef DNS_ZONE_CHECKLOCK |
260 | | bool locked; |
261 | | #endif /* ifdef DNS_ZONE_CHECKLOCK */ |
262 | | isc_mem_t *mctx; |
263 | | isc_refcount_t references; |
264 | | |
265 | | isc_rwlock_t dblock; |
266 | | dns_db_t *db; /* Locked by dblock */ |
267 | | |
268 | | unsigned int tid; |
269 | | |
270 | | /* Locked */ |
271 | | dns_zonemgr_t *zmgr; |
272 | | ISC_LINK(dns_zone_t) link; /* Used by zmgr. */ |
273 | | isc_loop_t *loop; |
274 | | isc_timer_t *timer; |
275 | | isc_refcount_t irefs; |
276 | | dns_name_t origin; |
277 | | char *masterfile; |
278 | | const FILE *stream; /* loading from a stream? */ |
279 | | ISC_LIST(dns_include_t) includes; /* Include files */ |
280 | | ISC_LIST(dns_include_t) newincludes; /* Loading */ |
281 | | unsigned int nincludes; |
282 | | dns_masterformat_t masterformat; |
283 | | const dns_master_style_t *masterstyle; |
284 | | char *journal; |
285 | | int32_t journalsize; |
286 | | dns_rdataclass_t rdclass; |
287 | | dns_zonetype_t type; |
288 | | atomic_uint_fast64_t flags; |
289 | | atomic_uint_fast64_t options; |
290 | | unsigned int db_argc; |
291 | | char **db_argv; |
292 | | isc_time_t expiretime; |
293 | | isc_time_t refreshtime; |
294 | | isc_time_t dumptime; |
295 | | isc_time_t loadtime; |
296 | | isc_time_t notifytime; |
297 | | isc_time_t resigntime; |
298 | | isc_time_t keywarntime; |
299 | | isc_time_t signingtime; |
300 | | isc_time_t nsec3chaintime; |
301 | | isc_time_t refreshkeytime; |
302 | | isc_time_t xfrintime; |
303 | | uint32_t refreshkeyinterval; |
304 | | uint32_t refreshkeycount; |
305 | | uint32_t refresh; |
306 | | uint32_t retry; |
307 | | uint32_t expire; |
308 | | uint32_t minimum; |
309 | | isc_stdtime_t key_expiry; |
310 | | isc_stdtime_t log_key_expired_timer; |
311 | | char *keydirectory; |
312 | | dns_keyfileio_t *kfio; |
313 | | dns_keystorelist_t *keystores; |
314 | | |
315 | | uint32_t maxrefresh; |
316 | | uint32_t minrefresh; |
317 | | uint32_t maxretry; |
318 | | uint32_t minretry; |
319 | | |
320 | | uint32_t maxrecords; |
321 | | |
322 | | dns_remote_t primaries; |
323 | | |
324 | | dns_remote_t parentals; |
325 | | dns_dnsseckeylist_t checkds_ok; |
326 | | dns_checkdstype_t checkdstype; |
327 | | uint32_t nsfetchcount; |
328 | | uint32_t parent_nscount; |
329 | | |
330 | | dns_remote_t notify; |
331 | | dns_notifytype_t notifytype; |
332 | | isc_sockaddr_t notifyfrom; |
333 | | isc_sockaddr_t notifysrc4; |
334 | | isc_sockaddr_t notifysrc6; |
335 | | isc_sockaddr_t parentalsrc4; |
336 | | isc_sockaddr_t parentalsrc6; |
337 | | isc_sockaddr_t xfrsource4; |
338 | | isc_sockaddr_t xfrsource6; |
339 | | isc_sockaddr_t sourceaddr; |
340 | | dns_xfrin_t *xfr; /* loop locked */ |
341 | | dns_tsigkey_t *tsigkey; /* key used for xfr */ |
342 | | dns_transport_t *transport; /* transport used for xfr */ |
343 | | /* Access Control Lists */ |
344 | | dns_acl_t *update_acl; |
345 | | dns_acl_t *forward_acl; |
346 | | dns_acl_t *notify_acl; |
347 | | dns_acl_t *query_acl; |
348 | | dns_acl_t *queryon_acl; |
349 | | dns_acl_t *xfr_acl; |
350 | | bool update_disabled; |
351 | | bool zero_no_soa_ttl; |
352 | | dns_severity_t check_names; |
353 | | ISC_LIST(dns_notify_t) notifies; |
354 | | ISC_LIST(dns_checkds_t) checkds_requests; |
355 | | dns_request_t *request; |
356 | | dns_loadctx_t *loadctx; |
357 | | dns_dumpctx_t *dumpctx; |
358 | | uint32_t maxxfrin; |
359 | | uint32_t maxxfrout; |
360 | | uint32_t idlein; |
361 | | uint32_t idleout; |
362 | | dns_ssutable_t *ssutable; |
363 | | uint32_t sigvalidityinterval; |
364 | | uint32_t keyvalidityinterval; |
365 | | uint32_t sigresigninginterval; |
366 | | dns_view_t *view; |
367 | | dns_view_t *prev_view; |
368 | | dns_kasp_t *kasp; |
369 | | dns_kasp_t *defaultkasp; |
370 | | dns_checkmxfunc_t checkmx; |
371 | | dns_checksrvfunc_t checksrv; |
372 | | dns_checknsfunc_t checkns; |
373 | | /*% |
374 | | * Zones in certain states such as "waiting for zone transfer" |
375 | | * or "zone transfer in progress" are kept on per-state linked lists |
376 | | * in the zone manager using the 'statelink' field. The 'statelist' |
377 | | * field points at the list the zone is currently on. It the zone |
378 | | * is not on any such list, statelist is NULL. |
379 | | */ |
380 | | ISC_LINK(dns_zone_t) statelink; |
381 | | dns_zonelist_t *statelist; |
382 | | /*% |
383 | | * Statistics counters about zone management. |
384 | | */ |
385 | | isc_stats_t *stats; |
386 | | /*% |
387 | | * Optional per-zone statistics counters. Counted outside of this |
388 | | * module. |
389 | | */ |
390 | | dns_zonestat_level_t statlevel; |
391 | | bool requeststats_on; |
392 | | isc_stats_t *requeststats; |
393 | | dns_stats_t *rcvquerystats; |
394 | | dns_stats_t *dnssecsignstats; |
395 | | uint32_t notifydelay; |
396 | | dns_isselffunc_t isself; |
397 | | void *isselfarg; |
398 | | |
399 | | char *strnamerd; |
400 | | char *strname; |
401 | | char *strrdclass; |
402 | | char *strviewname; |
403 | | |
404 | | /*% |
405 | | * Serial number for deferred journal compaction. |
406 | | */ |
407 | | uint32_t compact_serial; |
408 | | /*% |
409 | | * Keys that are signing the zone for the first time. |
410 | | */ |
411 | | dns_signinglist_t signing; |
412 | | dns_nsec3chainlist_t nsec3chain; |
413 | | /*% |
414 | | * List of outstanding NSEC3PARAM change requests. |
415 | | */ |
416 | | ISC_LIST(struct np3) setnsec3param_queue; |
417 | | /*% |
418 | | * Signing / re-signing quantum stopping parameters. |
419 | | */ |
420 | | uint32_t signatures; |
421 | | uint32_t nodes; |
422 | | dns_rdatatype_t privatetype; |
423 | | |
424 | | /*% |
425 | | * Autosigning/key-maintenance options |
426 | | */ |
427 | | atomic_uint_fast64_t keyopts; |
428 | | |
429 | | /*% |
430 | | * True if added by "rndc addzone" |
431 | | */ |
432 | | bool added; |
433 | | |
434 | | /*% |
435 | | * True if added by automatically by named. |
436 | | */ |
437 | | bool automatic; |
438 | | |
439 | | /*% |
440 | | * response policy data to be relayed to the database |
441 | | */ |
442 | | dns_rpz_zones_t *rpzs; |
443 | | dns_rpz_num_t rpz_num; |
444 | | |
445 | | /*% |
446 | | * catalog zone data |
447 | | */ |
448 | | dns_catz_zones_t *catzs; |
449 | | |
450 | | /*% |
451 | | * parent catalog zone |
452 | | */ |
453 | | dns_catz_zone_t *parentcatz; |
454 | | |
455 | | /*% |
456 | | * Serial number update method. |
457 | | */ |
458 | | dns_updatemethod_t updatemethod; |
459 | | |
460 | | /*% |
461 | | * whether ixfr is requested |
462 | | */ |
463 | | bool requestixfr; |
464 | | uint32_t ixfr_ratio; |
465 | | |
466 | | /*% |
467 | | * whether EDNS EXPIRE is requested |
468 | | */ |
469 | | bool requestexpire; |
470 | | |
471 | | /*% |
472 | | * Outstanding forwarded UPDATE requests. |
473 | | */ |
474 | | dns_forwardlist_t forwards; |
475 | | |
476 | | dns_zone_t *raw; |
477 | | dns_zone_t *secure; |
478 | | |
479 | | bool sourceserialset; |
480 | | uint32_t sourceserial; |
481 | | |
482 | | /*% |
483 | | * soa and maximum zone ttl |
484 | | */ |
485 | | dns_ttl_t soattl; |
486 | | dns_ttl_t maxttl; |
487 | | |
488 | | /* |
489 | | * Inline zone signing state. |
490 | | */ |
491 | | dns_diff_t rss_diff; |
492 | | dns_dbversion_t *rss_newver; |
493 | | dns_dbversion_t *rss_oldver; |
494 | | dns_db_t *rss_db; |
495 | | dns_zone_t *rss_raw; |
496 | | struct rss *rss; |
497 | | dns_update_state_t *rss_state; |
498 | | |
499 | | isc_stats_t *gluecachestats; |
500 | | }; |
501 | | |
502 | | #define zonediff_init(z, d) \ |
503 | 0 | do { \ |
504 | 0 | dns__zonediff_t *_z = (z); \ |
505 | 0 | (_z)->diff = (d); \ |
506 | 0 | (_z)->offline = false; \ |
507 | 0 | } while (0) |
508 | | |
509 | 14 | #define DNS_ZONE_FLAG(z, f) ((atomic_load_relaxed(&(z)->flags) & (f)) != 0) |
510 | 4 | #define DNS_ZONE_SETFLAG(z, f) atomic_fetch_or(&(z)->flags, (f)) |
511 | 4 | #define DNS_ZONE_CLRFLAG(z, f) atomic_fetch_and(&(z)->flags, ~(f)) |
512 | | typedef enum { |
513 | | DNS_ZONEFLG_REFRESH = 0x00000001U, /*%< refresh check in progress */ |
514 | | DNS_ZONEFLG_NEEDDUMP = 0x00000002U, /*%< zone need consolidation */ |
515 | | DNS_ZONEFLG_USEVC = 0x00000004U, /*%< use tcp for refresh query */ |
516 | | DNS_ZONEFLG_DUMPING = 0x00000008U, /*%< a dump is in progress */ |
517 | | DNS_ZONEFLG_HASINCLUDE = 0x00000010U, /*%< $INCLUDE in zone file */ |
518 | | DNS_ZONEFLG_LOADED = 0x00000020U, /*%< database has loaded */ |
519 | | DNS_ZONEFLG_EXITING = 0x00000040U, /*%< zone is being destroyed */ |
520 | | DNS_ZONEFLG_EXPIRED = 0x00000080U, /*%< zone has expired */ |
521 | | DNS_ZONEFLG_NEEDREFRESH = 0x00000100U, /*%< refresh check needed */ |
522 | | DNS_ZONEFLG_UPTODATE = 0x00000200U, /*%< zone contents are |
523 | | * up-to-date */ |
524 | | DNS_ZONEFLG_NEEDNOTIFY = 0x00000400U, /*%< need to send out notify |
525 | | * messages */ |
526 | | DNS_ZONEFLG_FIXJOURNAL = 0x00000800U, /*%< journal file had |
527 | | * recoverable error, |
528 | | * needs rewriting */ |
529 | | DNS_ZONEFLG_NOPRIMARIES = 0x00001000U, /*%< an attempt to refresh a |
530 | | * zone with no primaries |
531 | | * occurred */ |
532 | | DNS_ZONEFLG_LOADING = 0x00002000U, /*%< load from disk in progress*/ |
533 | | DNS_ZONEFLG_HAVETIMERS = 0x00004000U, /*%< timer values have been set |
534 | | * from SOA (if not set, we |
535 | | * are still using |
536 | | * default timer values) */ |
537 | | DNS_ZONEFLG_FORCEXFER = 0x00008000U, /*%< Force a zone xfer */ |
538 | | DNS_ZONEFLG_NOREFRESH = 0x00010000U, |
539 | | DNS_ZONEFLG_DIALNOTIFY = 0x00020000U, |
540 | | DNS_ZONEFLG_DIALREFRESH = 0x00040000U, |
541 | | DNS_ZONEFLG_SHUTDOWN = 0x00080000U, |
542 | | DNS_ZONEFLG_NOIXFR = 0x00100000U, /*%< IXFR failed, force AXFR */ |
543 | | DNS_ZONEFLG_FLUSH = 0x00200000U, |
544 | | DNS_ZONEFLG_NOEDNS = 0x00400000U, |
545 | | DNS_ZONEFLG_USEALTXFRSRC = 0x00800000U, /*%< Obsoleted. */ |
546 | | DNS_ZONEFLG_SOABEFOREAXFR = 0x01000000U, |
547 | | DNS_ZONEFLG_NEEDCOMPACT = 0x02000000U, |
548 | | DNS_ZONEFLG_REFRESHING = 0x04000000U, /*%< Refreshing keydata */ |
549 | | DNS_ZONEFLG_THAW = 0x08000000U, |
550 | | DNS_ZONEFLG_LOADPENDING = 0x10000000U, /*%< Loading scheduled */ |
551 | | DNS_ZONEFLG_NODELAY = 0x20000000U, |
552 | | DNS_ZONEFLG_SENDSECURE = 0x40000000U, |
553 | | DNS_ZONEFLG_NEEDSTARTUPNOTIFY = 0x80000000U, /*%< need to send out |
554 | | * notify due to the zone |
555 | | * just being loaded for |
556 | | * the first time. */ |
557 | | DNS_ZONEFLG_FIRSTREFRESH = 0x100000000U, /*%< First refresh pending */ |
558 | | DNS_ZONEFLG___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */ |
559 | | } dns_zoneflg_t; |
560 | | |
561 | 32 | #define DNS_ZONE_OPTION(z, o) ((atomic_load_relaxed(&(z)->options) & (o)) != 0) |
562 | 0 | #define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o)) |
563 | 0 | #define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o)) |
564 | | |
565 | | #define DNS_ZONEKEY_OPTION(z, o) \ |
566 | 2 | ((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0) |
567 | 0 | #define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o)) |
568 | 0 | #define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o)) |
569 | | |
570 | | /* Flags for zone_load() */ |
571 | | typedef enum { |
572 | | DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */ |
573 | | DNS_ZONELOADFLAG_THAW = 0x00000002U, /* Thaw the zone on successful |
574 | | * load. */ |
575 | | } dns_zoneloadflag_t; |
576 | | |
577 | 0 | #define UNREACH_CACHE_SIZE 10U |
578 | | #define UNREACH_HOLD_TIME 600 /* 10 minutes */ |
579 | | |
580 | | #define CHECK(op) \ |
581 | 0 | do { \ |
582 | 0 | result = (op); \ |
583 | 0 | if (result != ISC_R_SUCCESS) \ |
584 | 0 | goto failure; \ |
585 | 0 | } while (0) |
586 | | |
587 | | struct dns_unreachable { |
588 | | isc_sockaddr_t remote; |
589 | | isc_sockaddr_t local; |
590 | | atomic_uint_fast32_t expire; |
591 | | atomic_uint_fast32_t last; |
592 | | uint32_t count; |
593 | | }; |
594 | | |
595 | | struct dns_zonemgr { |
596 | | unsigned int magic; |
597 | | isc_mem_t *mctx; |
598 | | isc_refcount_t refs; |
599 | | isc_loopmgr_t *loopmgr; |
600 | | isc_nm_t *netmgr; |
601 | | uint32_t workers; |
602 | | isc_mem_t **mctxpool; |
603 | | isc_ratelimiter_t *checkdsrl; |
604 | | isc_ratelimiter_t *notifyrl; |
605 | | isc_ratelimiter_t *refreshrl; |
606 | | isc_ratelimiter_t *startupnotifyrl; |
607 | | isc_ratelimiter_t *startuprefreshrl; |
608 | | isc_rwlock_t rwlock; |
609 | | isc_rwlock_t urlock; |
610 | | |
611 | | /* Locked by rwlock. */ |
612 | | dns_zonelist_t zones; |
613 | | dns_zonelist_t waiting_for_xfrin; |
614 | | dns_zonelist_t xfrin_in_progress; |
615 | | |
616 | | /* Configuration data. */ |
617 | | uint32_t transfersin; |
618 | | uint32_t transfersperns; |
619 | | unsigned int checkdsrate; |
620 | | unsigned int notifyrate; |
621 | | unsigned int startupnotifyrate; |
622 | | unsigned int serialqueryrate; |
623 | | unsigned int startupserialqueryrate; |
624 | | |
625 | | /* Locked by urlock. */ |
626 | | /* LRU cache */ |
627 | | struct dns_unreachable unreachable[UNREACH_CACHE_SIZE]; |
628 | | |
629 | | dns_keymgmt_t *keymgmt; |
630 | | |
631 | | isc_tlsctx_cache_t *tlsctx_cache; |
632 | | isc_rwlock_t tlsctx_cache_rwlock; |
633 | | }; |
634 | | |
635 | | /*% |
636 | | * Hold notify state. |
637 | | */ |
638 | | struct dns_notify { |
639 | | unsigned int magic; |
640 | | unsigned int flags; |
641 | | isc_mem_t *mctx; |
642 | | dns_zone_t *zone; |
643 | | dns_adbfind_t *find; |
644 | | dns_request_t *request; |
645 | | dns_name_t ns; |
646 | | isc_sockaddr_t src; |
647 | | isc_sockaddr_t dst; |
648 | | dns_tsigkey_t *key; |
649 | | dns_transport_t *transport; |
650 | | ISC_LINK(dns_notify_t) link; |
651 | | isc_rlevent_t *rlevent; |
652 | | }; |
653 | | |
654 | | typedef enum dns_notify_flags { |
655 | | DNS_NOTIFY_NOSOA = 1 << 0, |
656 | | DNS_NOTIFY_STARTUP = 1 << 1, |
657 | | DNS_NOTIFY_TCP = 1 << 2, |
658 | | } dns_notify_flags_t; |
659 | | |
660 | | /*% |
661 | | * Hold checkds state. |
662 | | */ |
663 | | struct dns_checkds { |
664 | | unsigned int magic; |
665 | | dns_notify_flags_t flags; |
666 | | isc_mem_t *mctx; |
667 | | dns_zone_t *zone; |
668 | | dns_adbfind_t *find; |
669 | | dns_request_t *request; |
670 | | dns_name_t ns; |
671 | | isc_sockaddr_t src; |
672 | | isc_sockaddr_t dst; |
673 | | dns_tsigkey_t *key; |
674 | | dns_transport_t *transport; |
675 | | ISC_LINK(dns_checkds_t) link; |
676 | | isc_rlevent_t *rlevent; |
677 | | }; |
678 | | |
679 | | /*% |
680 | | * dns_stub holds state while performing a 'stub' transfer. |
681 | | * 'db' is the zone's 'db' or a new one if this is the initial |
682 | | * transfer. |
683 | | */ |
684 | | |
685 | | struct dns_stub { |
686 | | unsigned int magic; |
687 | | isc_mem_t *mctx; |
688 | | dns_zone_t *zone; |
689 | | dns_db_t *db; |
690 | | dns_dbversion_t *version; |
691 | | atomic_uint_fast32_t pending_requests; |
692 | | }; |
693 | | |
694 | | /*% |
695 | | * Hold load state. |
696 | | */ |
697 | | struct dns_load { |
698 | | dns_zone_t *zone; |
699 | | dns_db_t *db; |
700 | | isc_time_t loadtime; |
701 | | dns_rdatacallbacks_t callbacks; |
702 | | }; |
703 | | |
704 | | /*% |
705 | | * Hold forward state. |
706 | | */ |
707 | | struct dns_forward { |
708 | | unsigned int magic; |
709 | | isc_mem_t *mctx; |
710 | | dns_zone_t *zone; |
711 | | isc_buffer_t *msgbuf; |
712 | | dns_request_t *request; |
713 | | uint32_t which; |
714 | | isc_sockaddr_t addr; |
715 | | dns_transport_t *transport; |
716 | | dns_updatecallback_t callback; |
717 | | void *callback_arg; |
718 | | unsigned int options; |
719 | | ISC_LINK(dns_forward_t) link; |
720 | | }; |
721 | | |
722 | | /*% |
723 | | * Hold state for when we are signing a zone with a new |
724 | | * DNSKEY as result of an update. |
725 | | */ |
726 | | struct dns_signing { |
727 | | unsigned int magic; |
728 | | dns_db_t *db; |
729 | | dns_dbiterator_t *dbiterator; |
730 | | dns_secalg_t algorithm; |
731 | | uint16_t keyid; |
732 | | bool deleteit; |
733 | | bool done; |
734 | | ISC_LINK(dns_signing_t) link; |
735 | | }; |
736 | | |
737 | | struct dns_nsec3chain { |
738 | | unsigned int magic; |
739 | | dns_db_t *db; |
740 | | dns_dbiterator_t *dbiterator; |
741 | | dns_rdata_nsec3param_t nsec3param; |
742 | | unsigned char salt[255]; |
743 | | bool done; |
744 | | bool seen_nsec; |
745 | | bool delete_nsec; |
746 | | bool save_delete_nsec; |
747 | | ISC_LINK(dns_nsec3chain_t) link; |
748 | | }; |
749 | | |
750 | | /*%< |
751 | | * 'dbiterator' contains a iterator for the database. If we are creating |
752 | | * a NSEC3 chain only the non-NSEC3 nodes will be iterated. If we are |
753 | | * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be |
754 | | * iterated. |
755 | | * |
756 | | * 'nsec3param' contains the parameters of the NSEC3 chain being created |
757 | | * or removed. |
758 | | * |
759 | | * 'salt' is buffer space and is referenced via 'nsec3param.salt'. |
760 | | * |
761 | | * 'seen_nsec' will be set to true if, while iterating the zone to create a |
762 | | * NSEC3 chain, a NSEC record is seen. |
763 | | * |
764 | | * 'delete_nsec' will be set to true if, at the completion of the creation |
765 | | * of a NSEC3 chain, 'seen_nsec' is true. If 'delete_nsec' is true then we |
766 | | * are in the process of deleting the NSEC chain. |
767 | | * |
768 | | * 'save_delete_nsec' is used to store the initial state of 'delete_nsec' |
769 | | * so it can be recovered in the event of a error. |
770 | | */ |
771 | | |
772 | | struct dns_keyfetch { |
773 | | isc_mem_t *mctx; |
774 | | dns_fixedname_t name; |
775 | | dns_rdataset_t keydataset; |
776 | | dns_rdataset_t dnskeyset; |
777 | | dns_rdataset_t dnskeysigset; |
778 | | dns_zone_t *zone; |
779 | | dns_db_t *db; |
780 | | dns_fetch_t *fetch; |
781 | | }; |
782 | | |
783 | | struct dns_nsfetch { |
784 | | isc_mem_t *mctx; |
785 | | dns_fixedname_t name; |
786 | | dns_name_t pname; |
787 | | dns_rdataset_t nsrrset; |
788 | | dns_rdataset_t nssigset; |
789 | | dns_zone_t *zone; |
790 | | dns_fetch_t *fetch; |
791 | | }; |
792 | | |
793 | | /*% |
794 | | * Hold state for an asynchronous load |
795 | | */ |
796 | | struct dns_asyncload { |
797 | | dns_zone_t *zone; |
798 | | unsigned int flags; |
799 | | dns_zt_callback_t *loaded; |
800 | | void *loaded_arg; |
801 | | }; |
802 | | |
803 | | /*% |
804 | | * Reference to an include file encountered during loading |
805 | | */ |
806 | | struct dns_include { |
807 | | char *name; |
808 | | isc_time_t filetime; |
809 | | ISC_LINK(dns_include_t) link; |
810 | | }; |
811 | | |
812 | | /* |
813 | | * These can be overridden by the -T mkeytimers option on the command |
814 | | * line, so that we can test with shorter periods than specified in |
815 | | * RFC 5011. |
816 | | */ |
817 | | #define HOUR 3600 |
818 | | #define DAY (24 * HOUR) |
819 | | #define MONTH (30 * DAY) |
820 | | unsigned int dns_zone_mkey_hour = HOUR; |
821 | | unsigned int dns_zone_mkey_day = DAY; |
822 | | unsigned int dns_zone_mkey_month = MONTH; |
823 | | |
824 | 0 | #define SEND_BUFFER_SIZE 2048 |
825 | | |
826 | | static void |
827 | | zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now); |
828 | | |
829 | | typedef struct zone_settimer { |
830 | | dns_zone_t *zone; |
831 | | isc_time_t now; |
832 | | } zone_settimer_t; |
833 | | |
834 | | static void |
835 | | zone_settimer(dns_zone_t *, isc_time_t *); |
836 | | static void |
837 | | cancel_refresh(dns_zone_t *); |
838 | | static void |
839 | | zone_debuglog(dns_zone_t *zone, const char *, int debuglevel, const char *msg, |
840 | | ...) ISC_FORMAT_PRINTF(4, 5); |
841 | | static void |
842 | | notify_log(dns_zone_t *zone, int level, const char *fmt, ...) |
843 | | ISC_FORMAT_PRINTF(3, 4); |
844 | | static void |
845 | | dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) |
846 | | ISC_FORMAT_PRINTF(3, 4); |
847 | | static void |
848 | | queue_xfrin(dns_zone_t *zone); |
849 | | static isc_result_t |
850 | | update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, |
851 | | dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl, |
852 | | dns_rdata_t *rdata); |
853 | | static void |
854 | | zone_unload(dns_zone_t *zone); |
855 | | static void |
856 | | zone_expire(dns_zone_t *zone); |
857 | | static void |
858 | | zone_refresh(dns_zone_t *zone); |
859 | | static void |
860 | | zone_iattach(dns_zone_t *source, dns_zone_t **target); |
861 | | static void |
862 | | zone_idetach(dns_zone_t **zonep); |
863 | | static isc_result_t |
864 | | zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump); |
865 | | static void |
866 | | zone_attachdb(dns_zone_t *zone, dns_db_t *db); |
867 | | static void |
868 | | zone_detachdb(dns_zone_t *zone); |
869 | | static void |
870 | | zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); |
871 | | static void |
872 | | zone_catz_disable(dns_zone_t *zone); |
873 | | static isc_result_t |
874 | | default_journal(dns_zone_t *zone); |
875 | | static void |
876 | | zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result); |
877 | | static isc_result_t |
878 | | zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, |
879 | | isc_result_t result); |
880 | | static void |
881 | | zone_needdump(dns_zone_t *zone, unsigned int delay); |
882 | | static void |
883 | | zone_shutdown(void *arg); |
884 | | static void |
885 | | zone_loaddone(void *arg, isc_result_t result); |
886 | | static isc_result_t |
887 | | zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime); |
888 | | static void |
889 | | zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length); |
890 | | static void |
891 | | zone_name_tostr(dns_zone_t *zone, char *buf, size_t length); |
892 | | static void |
893 | | zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length); |
894 | | static void |
895 | | zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length); |
896 | | static isc_result_t |
897 | | zone_send_secureserial(dns_zone_t *zone, uint32_t serial); |
898 | | static void |
899 | | refresh_callback(void *arg); |
900 | | static void |
901 | | stub_callback(void *arg); |
902 | | static void |
903 | | queue_soa_query(dns_zone_t *zone); |
904 | | static void |
905 | | soa_query(void *arg); |
906 | | static void |
907 | | ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub); |
908 | | static int |
909 | | message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type); |
910 | | static void |
911 | | checkds_cancel(dns_zone_t *zone); |
912 | | static void |
913 | | checkds_find_address(dns_checkds_t *checkds); |
914 | | static void |
915 | | checkds_send(dns_zone_t *zone); |
916 | | static void |
917 | | checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep); |
918 | | static void |
919 | | checkds_done(void *arg); |
920 | | static void |
921 | | checkds_send_tons(dns_checkds_t *checkds); |
922 | | static void |
923 | | checkds_send_toaddr(void *arg); |
924 | | static void |
925 | | nsfetch_levelup(dns_nsfetch_t *nsfetch); |
926 | | static void |
927 | | notify_cancel(dns_zone_t *zone); |
928 | | static void |
929 | | notify_find_address(dns_notify_t *notify); |
930 | | static void |
931 | | notify_send(dns_notify_t *notify); |
932 | | static isc_result_t |
933 | | notify_createmessage(dns_zone_t *zone, unsigned int flags, |
934 | | dns_message_t **messagep); |
935 | | static void |
936 | | notify_done(void *arg); |
937 | | static void |
938 | | notify_send_toaddr(void *arg); |
939 | | static isc_result_t |
940 | | zone_dump(dns_zone_t *, bool); |
941 | | static void |
942 | | got_transfer_quota(void *arg); |
943 | | static isc_result_t |
944 | | zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone); |
945 | | static void |
946 | | zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi); |
947 | | static void |
948 | | zonemgr_free(dns_zonemgr_t *zmgr); |
949 | | static void |
950 | | rss_post(void *arg); |
951 | | |
952 | | static isc_result_t |
953 | | zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount, |
954 | | unsigned int *soacount, uint32_t *soattl, uint32_t *serial, |
955 | | uint32_t *refresh, uint32_t *retry, uint32_t *expire, |
956 | | uint32_t *minimum, unsigned int *errors); |
957 | | |
958 | | static void |
959 | | zone_freedbargs(dns_zone_t *zone); |
960 | | static void |
961 | | forward_callback(void *arg); |
962 | | static void |
963 | | zone_saveunique(dns_zone_t *zone, const char *path, const char *templat); |
964 | | static void |
965 | | zone_maintenance(dns_zone_t *zone); |
966 | | static void |
967 | | zone_notify(dns_zone_t *zone, isc_time_t *now); |
968 | | static void |
969 | | dump_done(void *arg, isc_result_t result); |
970 | | static isc_result_t |
971 | | zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid, |
972 | | bool deleteit); |
973 | | static isc_result_t |
974 | | delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, |
975 | | dns_name_t *name, dns_diff_t *diff); |
976 | | static void |
977 | | zone_rekey(dns_zone_t *zone); |
978 | | static isc_result_t |
979 | | zone_send_securedb(dns_zone_t *zone, dns_db_t *db); |
980 | | static dns_ttl_t |
981 | | zone_nsecttl(dns_zone_t *zone); |
982 | | static void |
983 | | setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value); |
984 | | static void |
985 | | zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial); |
986 | | static isc_result_t |
987 | | zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump, |
988 | | bool *fixjournal); |
989 | | static void |
990 | | setnsec3param(void *arg); |
991 | | |
992 | | static void |
993 | | zmgr_tlsctx_attach(dns_zonemgr_t *zmgr, isc_tlsctx_cache_t **ptlsctx_cache); |
994 | | /*%< |
995 | | * Attach to TLS client context cache used for zone transfers via |
996 | | * encrypted transports (e.g. XoT). |
997 | | * |
998 | | * The obtained reference needs to be detached by a call to |
999 | | * 'isc_tlsctx_cache_detach()' when not needed anymore. |
1000 | | * |
1001 | | * Requires: |
1002 | | *\li 'zmgr' is a valid zone manager. |
1003 | | *\li 'ptlsctx_cache' is not 'NULL' and points to 'NULL'. |
1004 | | */ |
1005 | | |
1006 | 4 | #define ENTER zone_debuglog(zone, __func__, 1, "enter") |
1007 | | |
1008 | | static const unsigned int dbargc_default = 1; |
1009 | | static const char *dbargv_default[] = { ZONEDB_DEFAULT }; |
1010 | | |
1011 | | #define DNS_ZONE_JITTER_ADD(a, b, c) \ |
1012 | 0 | do { \ |
1013 | 0 | isc_interval_t _i; \ |
1014 | 0 | uint32_t _j; \ |
1015 | 0 | _j = (b) - isc_random_uniform((b) / 4); \ |
1016 | 0 | isc_interval_set(&_i, _j, 0); \ |
1017 | 0 | if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \ |
1018 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, \ |
1019 | 0 | "epoch approaching: upgrade required: " \ |
1020 | 0 | "now + %s failed", \ |
1021 | 0 | #b); \ |
1022 | 0 | isc_interval_set(&_i, _j / 2, 0); \ |
1023 | 0 | (void)isc_time_add((a), &_i, (c)); \ |
1024 | 0 | } \ |
1025 | 0 | } while (0) |
1026 | | |
1027 | | #define DNS_ZONE_TIME_ADD(a, b, c) \ |
1028 | 0 | do { \ |
1029 | 0 | isc_interval_t _i; \ |
1030 | 0 | isc_interval_set(&_i, (b), 0); \ |
1031 | 0 | if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \ |
1032 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, \ |
1033 | 0 | "epoch approaching: upgrade required: " \ |
1034 | 0 | "now + %s failed", \ |
1035 | 0 | #b); \ |
1036 | 0 | isc_interval_set(&_i, (b) / 2, 0); \ |
1037 | 0 | (void)isc_time_add((a), &_i, (c)); \ |
1038 | 0 | } \ |
1039 | 0 | } while (0) |
1040 | | |
1041 | | typedef struct nsec3param nsec3param_t; |
1042 | | struct nsec3param { |
1043 | | dns_rdata_nsec3param_t rdata; |
1044 | | unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1]; |
1045 | | unsigned int length; |
1046 | | bool nsec; |
1047 | | bool replace; |
1048 | | bool resalt; |
1049 | | bool lookup; |
1050 | | ISC_LINK(nsec3param_t) link; |
1051 | | }; |
1052 | | typedef ISC_LIST(nsec3param_t) nsec3paramlist_t; |
1053 | | |
1054 | | struct np3 { |
1055 | | dns_zone_t *zone; |
1056 | | nsec3param_t params; |
1057 | | ISC_LINK(struct np3) link; |
1058 | | }; |
1059 | | |
1060 | | struct setserial { |
1061 | | dns_zone_t *zone; |
1062 | | uint32_t serial; |
1063 | | }; |
1064 | | |
1065 | | struct stub_cb_args { |
1066 | | dns_stub_t *stub; |
1067 | | dns_tsigkey_t *tsig_key; |
1068 | | uint16_t udpsize; |
1069 | | int timeout; |
1070 | | bool reqnsid; |
1071 | | }; |
1072 | | |
1073 | | struct stub_glue_request { |
1074 | | dns_request_t *request; |
1075 | | dns_name_t name; |
1076 | | struct stub_cb_args *args; |
1077 | | bool ipv4; |
1078 | | }; |
1079 | | |
1080 | | /*% |
1081 | | * Increment resolver-related statistics counters. Zone must be locked. |
1082 | | */ |
1083 | | static void |
1084 | 0 | inc_stats(dns_zone_t *zone, isc_statscounter_t counter) { |
1085 | 0 | if (zone->stats != NULL) { |
1086 | 0 | isc_stats_increment(zone->stats, counter); |
1087 | 0 | } |
1088 | 0 | } |
1089 | | |
1090 | | /*** |
1091 | | *** Public functions. |
1092 | | ***/ |
1093 | | |
1094 | | void |
1095 | 2 | dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) { |
1096 | 2 | isc_time_t now; |
1097 | 2 | dns_zone_t *zone = NULL; |
1098 | | |
1099 | 2 | REQUIRE(zonep != NULL && *zonep == NULL); |
1100 | 2 | REQUIRE(mctx != NULL); |
1101 | | |
1102 | 2 | now = isc_time_now(); |
1103 | 2 | zone = isc_mem_get(mctx, sizeof(*zone)); |
1104 | 2 | *zone = (dns_zone_t){ |
1105 | 2 | .masterformat = dns_masterformat_none, |
1106 | 2 | .journalsize = -1, |
1107 | 2 | .rdclass = dns_rdataclass_none, |
1108 | 2 | .type = dns_zone_none, |
1109 | 2 | .refresh = DNS_ZONE_DEFAULTREFRESH, |
1110 | 2 | .retry = DNS_ZONE_DEFAULTRETRY, |
1111 | 2 | .maxrefresh = DNS_ZONE_MAXREFRESH, |
1112 | 2 | .minrefresh = DNS_ZONE_MINREFRESH, |
1113 | 2 | .maxretry = DNS_ZONE_MAXRETRY, |
1114 | 2 | .minretry = DNS_ZONE_MINRETRY, |
1115 | 2 | .checkdstype = dns_checkdstype_yes, |
1116 | 2 | .notifytype = dns_notifytype_yes, |
1117 | 2 | .zero_no_soa_ttl = true, |
1118 | 2 | .check_names = dns_severity_ignore, |
1119 | 2 | .idlein = DNS_DEFAULT_IDLEIN, |
1120 | 2 | .idleout = DNS_DEFAULT_IDLEOUT, |
1121 | 2 | .maxxfrin = MAX_XFER_TIME, |
1122 | 2 | .maxxfrout = MAX_XFER_TIME, |
1123 | 2 | .sigvalidityinterval = 30 * 24 * 3600, |
1124 | 2 | .sigresigninginterval = 7 * 24 * 3600, |
1125 | 2 | .statlevel = dns_zonestat_none, |
1126 | 2 | .notifydelay = 5, |
1127 | 2 | .signatures = 10, |
1128 | 2 | .nodes = 100, |
1129 | 2 | .privatetype = (dns_rdatatype_t)0xffffU, |
1130 | 2 | .rpz_num = DNS_RPZ_INVALID_NUM, |
1131 | 2 | .requestixfr = true, |
1132 | 2 | .ixfr_ratio = 100, |
1133 | 2 | .requestexpire = true, |
1134 | 2 | .updatemethod = dns_updatemethod_increment, |
1135 | 2 | .tid = tid, |
1136 | 2 | .notifytime = now, |
1137 | 2 | .newincludes = ISC_LIST_INITIALIZER, |
1138 | 2 | .notifies = ISC_LIST_INITIALIZER, |
1139 | 2 | .checkds_requests = ISC_LIST_INITIALIZER, |
1140 | 2 | .signing = ISC_LIST_INITIALIZER, |
1141 | 2 | .nsec3chain = ISC_LIST_INITIALIZER, |
1142 | 2 | .setnsec3param_queue = ISC_LIST_INITIALIZER, |
1143 | 2 | .forwards = ISC_LIST_INITIALIZER, |
1144 | 2 | .link = ISC_LINK_INITIALIZER, |
1145 | 2 | .statelink = ISC_LINK_INITIALIZER, |
1146 | 2 | }; |
1147 | 2 | dns_remote_t r = { |
1148 | 2 | .magic = DNS_REMOTE_MAGIC, |
1149 | 2 | }; |
1150 | | |
1151 | 2 | isc_mem_attach(mctx, &zone->mctx); |
1152 | 2 | isc_mutex_init(&zone->lock); |
1153 | 2 | ZONEDB_INITLOCK(&zone->dblock); |
1154 | | |
1155 | 2 | isc_refcount_init(&zone->references, 1); |
1156 | 2 | isc_refcount_init(&zone->irefs, 0); |
1157 | 2 | dns_name_init(&zone->origin, NULL); |
1158 | 2 | isc_sockaddr_any(&zone->notifysrc4); |
1159 | 2 | isc_sockaddr_any6(&zone->notifysrc6); |
1160 | 2 | isc_sockaddr_any(&zone->parentalsrc4); |
1161 | 2 | isc_sockaddr_any6(&zone->parentalsrc6); |
1162 | 2 | isc_sockaddr_any(&zone->xfrsource4); |
1163 | 2 | isc_sockaddr_any6(&zone->xfrsource6); |
1164 | | |
1165 | 2 | zone->primaries = r; |
1166 | 2 | zone->parentals = r; |
1167 | 2 | zone->notify = r; |
1168 | 2 | zone->defaultkasp = NULL; |
1169 | | |
1170 | 2 | isc_stats_create(mctx, &zone->gluecachestats, |
1171 | 2 | dns_gluecachestatscounter_max); |
1172 | | |
1173 | 2 | zone->magic = ZONE_MAGIC; |
1174 | | |
1175 | | /* Must be after magic is set. */ |
1176 | 2 | dns_zone_setdbtype(zone, dbargc_default, dbargv_default); |
1177 | | |
1178 | 2 | *zonep = zone; |
1179 | 2 | } |
1180 | | |
1181 | | static void |
1182 | 0 | clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) { |
1183 | 0 | dns_dnsseckey_t *key; |
1184 | 0 | while (!ISC_LIST_EMPTY(*list)) { |
1185 | 0 | key = ISC_LIST_HEAD(*list); |
1186 | 0 | ISC_LIST_UNLINK(*list, key, link); |
1187 | 0 | dns_dnsseckey_destroy(mctx, &key); |
1188 | 0 | } |
1189 | 0 | } |
1190 | | |
1191 | | /* |
1192 | | * Free a zone. Because we require that there be no more |
1193 | | * outstanding events or references, no locking is necessary. |
1194 | | */ |
1195 | | static void |
1196 | 0 | zone_free(dns_zone_t *zone) { |
1197 | 0 | dns_signing_t *signing = NULL; |
1198 | 0 | dns_nsec3chain_t *nsec3chain = NULL; |
1199 | 0 | dns_include_t *include = NULL; |
1200 | |
|
1201 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1202 | 0 | REQUIRE(!LOCKED_ZONE(zone)); |
1203 | 0 | REQUIRE(zone->timer == NULL); |
1204 | 0 | REQUIRE(zone->zmgr == NULL); |
1205 | |
|
1206 | 0 | isc_refcount_destroy(&zone->references); |
1207 | 0 | isc_refcount_destroy(&zone->irefs); |
1208 | | |
1209 | | /* |
1210 | | * Managed objects. Order is important. |
1211 | | */ |
1212 | 0 | if (zone->request != NULL) { |
1213 | 0 | dns_request_destroy(&zone->request); /* XXXMPA */ |
1214 | 0 | } |
1215 | 0 | INSIST(zone->statelist == NULL); |
1216 | 0 | INSIST(zone->view == NULL); |
1217 | 0 | INSIST(zone->prev_view == NULL); |
1218 | | |
1219 | | /* Unmanaged objects */ |
1220 | 0 | for (struct np3 *npe = ISC_LIST_HEAD(zone->setnsec3param_queue); |
1221 | 0 | npe != NULL; npe = ISC_LIST_HEAD(zone->setnsec3param_queue)) |
1222 | 0 | { |
1223 | 0 | ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link); |
1224 | 0 | isc_mem_put(zone->mctx, npe, sizeof(*npe)); |
1225 | 0 | } |
1226 | |
|
1227 | 0 | for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL; |
1228 | 0 | signing = ISC_LIST_HEAD(zone->signing)) |
1229 | 0 | { |
1230 | 0 | ISC_LIST_UNLINK(zone->signing, signing, link); |
1231 | 0 | dns_db_detach(&signing->db); |
1232 | 0 | dns_dbiterator_destroy(&signing->dbiterator); |
1233 | 0 | isc_mem_put(zone->mctx, signing, sizeof *signing); |
1234 | 0 | } |
1235 | 0 | for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL; |
1236 | 0 | nsec3chain = ISC_LIST_HEAD(zone->nsec3chain)) |
1237 | 0 | { |
1238 | 0 | ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link); |
1239 | 0 | dns_db_detach(&nsec3chain->db); |
1240 | 0 | dns_dbiterator_destroy(&nsec3chain->dbiterator); |
1241 | 0 | isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); |
1242 | 0 | } |
1243 | 0 | for (include = ISC_LIST_HEAD(zone->includes); include != NULL; |
1244 | 0 | include = ISC_LIST_HEAD(zone->includes)) |
1245 | 0 | { |
1246 | 0 | ISC_LIST_UNLINK(zone->includes, include, link); |
1247 | 0 | isc_mem_free(zone->mctx, include->name); |
1248 | 0 | isc_mem_put(zone->mctx, include, sizeof *include); |
1249 | 0 | } |
1250 | 0 | for (include = ISC_LIST_HEAD(zone->newincludes); include != NULL; |
1251 | 0 | include = ISC_LIST_HEAD(zone->newincludes)) |
1252 | 0 | { |
1253 | 0 | ISC_LIST_UNLINK(zone->newincludes, include, link); |
1254 | 0 | isc_mem_free(zone->mctx, include->name); |
1255 | 0 | isc_mem_put(zone->mctx, include, sizeof *include); |
1256 | 0 | } |
1257 | 0 | if (zone->masterfile != NULL) { |
1258 | 0 | isc_mem_free(zone->mctx, zone->masterfile); |
1259 | 0 | } |
1260 | 0 | zone->masterfile = NULL; |
1261 | 0 | if (zone->keydirectory != NULL) { |
1262 | 0 | isc_mem_free(zone->mctx, zone->keydirectory); |
1263 | 0 | } |
1264 | 0 | zone->keydirectory = NULL; |
1265 | 0 | if (zone->kasp != NULL) { |
1266 | 0 | dns_kasp_detach(&zone->kasp); |
1267 | 0 | } |
1268 | 0 | if (zone->defaultkasp != NULL) { |
1269 | 0 | dns_kasp_detach(&zone->defaultkasp); |
1270 | 0 | } |
1271 | 0 | if (!ISC_LIST_EMPTY(zone->checkds_ok)) { |
1272 | 0 | clear_keylist(&zone->checkds_ok, zone->mctx); |
1273 | 0 | } |
1274 | |
|
1275 | 0 | zone->journalsize = -1; |
1276 | 0 | if (zone->journal != NULL) { |
1277 | 0 | isc_mem_free(zone->mctx, zone->journal); |
1278 | 0 | } |
1279 | 0 | zone->journal = NULL; |
1280 | 0 | if (zone->stats != NULL) { |
1281 | 0 | isc_stats_detach(&zone->stats); |
1282 | 0 | } |
1283 | 0 | if (zone->requeststats != NULL) { |
1284 | 0 | isc_stats_detach(&zone->requeststats); |
1285 | 0 | } |
1286 | 0 | if (zone->rcvquerystats != NULL) { |
1287 | 0 | dns_stats_detach(&zone->rcvquerystats); |
1288 | 0 | } |
1289 | 0 | if (zone->dnssecsignstats != NULL) { |
1290 | 0 | dns_stats_detach(&zone->dnssecsignstats); |
1291 | 0 | } |
1292 | 0 | if (zone->db != NULL) { |
1293 | 0 | zone_detachdb(zone); |
1294 | 0 | } |
1295 | 0 | if (zone->rpzs != NULL) { |
1296 | 0 | REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones); |
1297 | 0 | dns_rpz_zones_detach(&zone->rpzs); |
1298 | 0 | zone->rpz_num = DNS_RPZ_INVALID_NUM; |
1299 | 0 | } |
1300 | 0 | if (zone->catzs != NULL) { |
1301 | 0 | dns_catz_zones_detach(&zone->catzs); |
1302 | 0 | } |
1303 | 0 | zone_freedbargs(zone); |
1304 | |
|
1305 | 0 | dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0); |
1306 | 0 | dns_zone_setprimaries(zone, NULL, NULL, NULL, NULL, 0); |
1307 | 0 | dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0); |
1308 | |
|
1309 | 0 | zone->check_names = dns_severity_ignore; |
1310 | 0 | if (zone->update_acl != NULL) { |
1311 | 0 | dns_acl_detach(&zone->update_acl); |
1312 | 0 | } |
1313 | 0 | if (zone->forward_acl != NULL) { |
1314 | 0 | dns_acl_detach(&zone->forward_acl); |
1315 | 0 | } |
1316 | 0 | if (zone->notify_acl != NULL) { |
1317 | 0 | dns_acl_detach(&zone->notify_acl); |
1318 | 0 | } |
1319 | 0 | if (zone->query_acl != NULL) { |
1320 | 0 | dns_acl_detach(&zone->query_acl); |
1321 | 0 | } |
1322 | 0 | if (zone->queryon_acl != NULL) { |
1323 | 0 | dns_acl_detach(&zone->queryon_acl); |
1324 | 0 | } |
1325 | 0 | if (zone->xfr_acl != NULL) { |
1326 | 0 | dns_acl_detach(&zone->xfr_acl); |
1327 | 0 | } |
1328 | 0 | if (dns_name_dynamic(&zone->origin)) { |
1329 | 0 | dns_name_free(&zone->origin, zone->mctx); |
1330 | 0 | } |
1331 | 0 | if (zone->strnamerd != NULL) { |
1332 | 0 | isc_mem_free(zone->mctx, zone->strnamerd); |
1333 | 0 | } |
1334 | 0 | if (zone->strname != NULL) { |
1335 | 0 | isc_mem_free(zone->mctx, zone->strname); |
1336 | 0 | } |
1337 | 0 | if (zone->strrdclass != NULL) { |
1338 | 0 | isc_mem_free(zone->mctx, zone->strrdclass); |
1339 | 0 | } |
1340 | 0 | if (zone->strviewname != NULL) { |
1341 | 0 | isc_mem_free(zone->mctx, zone->strviewname); |
1342 | 0 | } |
1343 | 0 | if (zone->ssutable != NULL) { |
1344 | 0 | dns_ssutable_detach(&zone->ssutable); |
1345 | 0 | } |
1346 | 0 | if (zone->gluecachestats != NULL) { |
1347 | 0 | isc_stats_detach(&zone->gluecachestats); |
1348 | 0 | } |
1349 | | |
1350 | | /* last stuff */ |
1351 | 0 | ZONEDB_DESTROYLOCK(&zone->dblock); |
1352 | 0 | isc_mutex_destroy(&zone->lock); |
1353 | 0 | zone->magic = 0; |
1354 | 0 | isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone)); |
1355 | 0 | } |
1356 | | |
1357 | | /* |
1358 | | * Returns true iff this the signed side of an inline-signing zone. |
1359 | | * Caller should hold zone lock. |
1360 | | */ |
1361 | | static bool |
1362 | 20 | inline_secure(dns_zone_t *zone) { |
1363 | 20 | REQUIRE(DNS_ZONE_VALID(zone)); |
1364 | 20 | if (zone->raw != NULL) { |
1365 | 0 | return (true); |
1366 | 0 | } |
1367 | 20 | return (false); |
1368 | 20 | } |
1369 | | |
1370 | | /* |
1371 | | * Returns true iff this the unsigned side of an inline-signing zone |
1372 | | * Caller should hold zone lock. |
1373 | | */ |
1374 | | static bool |
1375 | 12 | inline_raw(dns_zone_t *zone) { |
1376 | 12 | REQUIRE(DNS_ZONE_VALID(zone)); |
1377 | 12 | if (zone->secure != NULL) { |
1378 | 0 | return (true); |
1379 | 0 | } |
1380 | 12 | return (false); |
1381 | 12 | } |
1382 | | |
1383 | | /* |
1384 | | * Single shot. |
1385 | | */ |
1386 | | void |
1387 | 2 | dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) { |
1388 | 2 | char namebuf[1024]; |
1389 | | |
1390 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1391 | 2 | REQUIRE(rdclass != dns_rdataclass_none); |
1392 | | |
1393 | | /* |
1394 | | * Test and set. |
1395 | | */ |
1396 | 2 | LOCK_ZONE(zone); |
1397 | 2 | INSIST(zone != zone->raw); |
1398 | 2 | REQUIRE(zone->rdclass == dns_rdataclass_none || |
1399 | 2 | zone->rdclass == rdclass); |
1400 | 2 | zone->rdclass = rdclass; |
1401 | | |
1402 | 2 | if (zone->strnamerd != NULL) { |
1403 | 2 | isc_mem_free(zone->mctx, zone->strnamerd); |
1404 | 2 | } |
1405 | 2 | if (zone->strrdclass != NULL) { |
1406 | 0 | isc_mem_free(zone->mctx, zone->strrdclass); |
1407 | 0 | } |
1408 | | |
1409 | 2 | zone_namerd_tostr(zone, namebuf, sizeof namebuf); |
1410 | 2 | zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf); |
1411 | 2 | zone_rdclass_tostr(zone, namebuf, sizeof namebuf); |
1412 | 2 | zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf); |
1413 | | |
1414 | 2 | if (inline_secure(zone)) { |
1415 | 0 | dns_zone_setclass(zone->raw, rdclass); |
1416 | 0 | } |
1417 | 2 | UNLOCK_ZONE(zone); |
1418 | 2 | } |
1419 | | |
1420 | | dns_rdataclass_t |
1421 | 0 | dns_zone_getclass(dns_zone_t *zone) { |
1422 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1423 | |
|
1424 | 0 | return (zone->rdclass); |
1425 | 0 | } |
1426 | | |
1427 | | void |
1428 | 0 | dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) { |
1429 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1430 | |
|
1431 | 0 | LOCK_ZONE(zone); |
1432 | 0 | zone->notifytype = notifytype; |
1433 | 0 | UNLOCK_ZONE(zone); |
1434 | 0 | } |
1435 | | |
1436 | | void |
1437 | 0 | dns_zone_setcheckdstype(dns_zone_t *zone, dns_checkdstype_t checkdstype) { |
1438 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1439 | |
|
1440 | 0 | LOCK_ZONE(zone); |
1441 | 0 | zone->checkdstype = checkdstype; |
1442 | 0 | UNLOCK_ZONE(zone); |
1443 | 0 | } |
1444 | | |
1445 | | isc_result_t |
1446 | 0 | dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp) { |
1447 | 0 | isc_result_t result; |
1448 | 0 | unsigned int soacount; |
1449 | |
|
1450 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1451 | 0 | REQUIRE(serialp != NULL); |
1452 | |
|
1453 | 0 | LOCK_ZONE(zone); |
1454 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
1455 | 0 | if (zone->db != NULL) { |
1456 | 0 | result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, |
1457 | 0 | serialp, NULL, NULL, NULL, NULL, |
1458 | 0 | NULL); |
1459 | 0 | if (result == ISC_R_SUCCESS && soacount == 0) { |
1460 | 0 | result = ISC_R_FAILURE; |
1461 | 0 | } |
1462 | 0 | } else { |
1463 | 0 | result = DNS_R_NOTLOADED; |
1464 | 0 | } |
1465 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
1466 | 0 | UNLOCK_ZONE(zone); |
1467 | |
|
1468 | 0 | return (result); |
1469 | 0 | } |
1470 | | |
1471 | | /* |
1472 | | * Single shot. |
1473 | | */ |
1474 | | void |
1475 | 2 | dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) { |
1476 | 2 | char namebuf[1024]; |
1477 | | |
1478 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1479 | 2 | REQUIRE(type != dns_zone_none); |
1480 | | |
1481 | | /* |
1482 | | * Test and set. |
1483 | | */ |
1484 | 2 | LOCK_ZONE(zone); |
1485 | 2 | REQUIRE(zone->type == dns_zone_none || zone->type == type); |
1486 | 2 | zone->type = type; |
1487 | | |
1488 | 2 | if (zone->strnamerd != NULL) { |
1489 | 2 | isc_mem_free(zone->mctx, zone->strnamerd); |
1490 | 2 | } |
1491 | | |
1492 | 2 | zone_namerd_tostr(zone, namebuf, sizeof namebuf); |
1493 | 2 | zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf); |
1494 | 2 | UNLOCK_ZONE(zone); |
1495 | 2 | } |
1496 | | |
1497 | | static void |
1498 | 2 | zone_freedbargs(dns_zone_t *zone) { |
1499 | 2 | unsigned int i; |
1500 | | |
1501 | | /* Free the old database argument list. */ |
1502 | 2 | if (zone->db_argv != NULL) { |
1503 | 0 | for (i = 0; i < zone->db_argc; i++) { |
1504 | 0 | isc_mem_free(zone->mctx, zone->db_argv[i]); |
1505 | 0 | } |
1506 | 0 | isc_mem_cput(zone->mctx, zone->db_argv, zone->db_argc, |
1507 | 0 | sizeof(*zone->db_argv)); |
1508 | 0 | } |
1509 | 2 | zone->db_argc = 0; |
1510 | 2 | zone->db_argv = NULL; |
1511 | 2 | } |
1512 | | |
1513 | | isc_result_t |
1514 | 0 | dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) { |
1515 | 0 | size_t size = 0; |
1516 | 0 | unsigned int i; |
1517 | 0 | isc_result_t result = ISC_R_SUCCESS; |
1518 | 0 | void *mem; |
1519 | 0 | char **tmp, *tmp2, *base; |
1520 | |
|
1521 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1522 | 0 | REQUIRE(argv != NULL && *argv == NULL); |
1523 | |
|
1524 | 0 | LOCK_ZONE(zone); |
1525 | 0 | size = ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *)); |
1526 | 0 | for (i = 0; i < zone->db_argc; i++) { |
1527 | 0 | size += strlen(zone->db_argv[i]) + 1; |
1528 | 0 | } |
1529 | 0 | mem = isc_mem_allocate(mctx, size); |
1530 | 0 | { |
1531 | 0 | tmp = mem; |
1532 | 0 | tmp2 = mem; |
1533 | 0 | base = mem; |
1534 | 0 | tmp2 += ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *)); |
1535 | 0 | for (i = 0; i < zone->db_argc; i++) { |
1536 | 0 | *tmp++ = tmp2; |
1537 | 0 | strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base)); |
1538 | 0 | tmp2 += strlen(tmp2) + 1; |
1539 | 0 | } |
1540 | 0 | *tmp = NULL; |
1541 | 0 | } |
1542 | 0 | UNLOCK_ZONE(zone); |
1543 | 0 | *argv = mem; |
1544 | 0 | return (result); |
1545 | 0 | } |
1546 | | |
1547 | | void |
1548 | | dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc, |
1549 | 2 | const char *const *dbargv) { |
1550 | 2 | char **argv = NULL; |
1551 | 2 | unsigned int i; |
1552 | | |
1553 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1554 | 2 | REQUIRE(dbargc >= 1); |
1555 | 2 | REQUIRE(dbargv != NULL); |
1556 | | |
1557 | 2 | LOCK_ZONE(zone); |
1558 | | |
1559 | | /* Set up a new database argument list. */ |
1560 | 2 | argv = isc_mem_cget(zone->mctx, dbargc, sizeof(*argv)); |
1561 | 4 | for (i = 0; i < dbargc; i++) { |
1562 | 2 | argv[i] = NULL; |
1563 | 2 | } |
1564 | 4 | for (i = 0; i < dbargc; i++) { |
1565 | 2 | argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]); |
1566 | 2 | } |
1567 | | |
1568 | | /* Free the old list. */ |
1569 | 2 | zone_freedbargs(zone); |
1570 | | |
1571 | 2 | zone->db_argc = dbargc; |
1572 | 2 | zone->db_argv = argv; |
1573 | | |
1574 | 2 | UNLOCK_ZONE(zone); |
1575 | 2 | } |
1576 | | |
1577 | | static void |
1578 | 2 | dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) { |
1579 | 2 | char namebuf[1024]; |
1580 | | |
1581 | 2 | if (zone->prev_view == NULL && zone->view != NULL) { |
1582 | 0 | dns_view_weakattach(zone->view, &zone->prev_view); |
1583 | 0 | } |
1584 | | |
1585 | 2 | INSIST(zone != zone->raw); |
1586 | 2 | if (zone->view != NULL) { |
1587 | 0 | dns_view_sfd_del(zone->view, &zone->origin); |
1588 | 0 | dns_view_weakdetach(&zone->view); |
1589 | 0 | } |
1590 | 2 | dns_view_weakattach(view, &zone->view); |
1591 | 2 | dns_view_sfd_add(view, &zone->origin); |
1592 | | |
1593 | 2 | if (zone->strviewname != NULL) { |
1594 | 0 | isc_mem_free(zone->mctx, zone->strviewname); |
1595 | 0 | } |
1596 | 2 | if (zone->strnamerd != NULL) { |
1597 | 2 | isc_mem_free(zone->mctx, zone->strnamerd); |
1598 | 2 | } |
1599 | | |
1600 | 2 | zone_namerd_tostr(zone, namebuf, sizeof namebuf); |
1601 | 2 | zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf); |
1602 | 2 | zone_viewname_tostr(zone, namebuf, sizeof namebuf); |
1603 | 2 | zone->strviewname = isc_mem_strdup(zone->mctx, namebuf); |
1604 | | |
1605 | 2 | if (inline_secure(zone)) { |
1606 | 0 | dns_zone_setview(zone->raw, view); |
1607 | 0 | } |
1608 | 2 | } |
1609 | | |
1610 | | void |
1611 | 2 | dns_zone_setview(dns_zone_t *zone, dns_view_t *view) { |
1612 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1613 | | |
1614 | 2 | LOCK_ZONE(zone); |
1615 | 2 | dns_zone_setview_helper(zone, view); |
1616 | 2 | UNLOCK_ZONE(zone); |
1617 | 2 | } |
1618 | | |
1619 | | dns_view_t * |
1620 | 0 | dns_zone_getview(dns_zone_t *zone) { |
1621 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1622 | |
|
1623 | 0 | return (zone->view); |
1624 | 0 | } |
1625 | | |
1626 | | void |
1627 | 0 | dns_zone_setviewcommit(dns_zone_t *zone) { |
1628 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1629 | |
|
1630 | 0 | LOCK_ZONE(zone); |
1631 | 0 | if (zone->prev_view != NULL) { |
1632 | 0 | dns_view_weakdetach(&zone->prev_view); |
1633 | 0 | } |
1634 | 0 | if (inline_secure(zone)) { |
1635 | 0 | dns_zone_setviewcommit(zone->raw); |
1636 | 0 | } |
1637 | 0 | UNLOCK_ZONE(zone); |
1638 | 0 | } |
1639 | | |
1640 | | void |
1641 | 0 | dns_zone_setviewrevert(dns_zone_t *zone) { |
1642 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1643 | |
|
1644 | 0 | LOCK_ZONE(zone); |
1645 | 0 | if (zone->prev_view != NULL) { |
1646 | 0 | dns_zone_setview_helper(zone, zone->prev_view); |
1647 | 0 | dns_view_weakdetach(&zone->prev_view); |
1648 | 0 | } |
1649 | 0 | if (zone->catzs != NULL) { |
1650 | 0 | zone_catz_enable(zone, zone->catzs); |
1651 | 0 | } |
1652 | 0 | if (inline_secure(zone)) { |
1653 | 0 | dns_zone_setviewrevert(zone->raw); |
1654 | 0 | } |
1655 | 0 | UNLOCK_ZONE(zone); |
1656 | 0 | } |
1657 | | |
1658 | | isc_result_t |
1659 | 2 | dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) { |
1660 | 2 | isc_result_t result = ISC_R_SUCCESS; |
1661 | 2 | char namebuf[1024]; |
1662 | | |
1663 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1664 | 2 | REQUIRE(origin != NULL); |
1665 | | |
1666 | 2 | LOCK_ZONE(zone); |
1667 | 2 | INSIST(zone != zone->raw); |
1668 | 2 | if (dns_name_dynamic(&zone->origin)) { |
1669 | 0 | dns_name_free(&zone->origin, zone->mctx); |
1670 | 0 | dns_name_init(&zone->origin, NULL); |
1671 | 0 | } |
1672 | 2 | dns_name_dup(origin, zone->mctx, &zone->origin); |
1673 | | |
1674 | 2 | if (zone->strnamerd != NULL) { |
1675 | 0 | isc_mem_free(zone->mctx, zone->strnamerd); |
1676 | 0 | } |
1677 | 2 | if (zone->strname != NULL) { |
1678 | 0 | isc_mem_free(zone->mctx, zone->strname); |
1679 | 0 | } |
1680 | | |
1681 | 2 | zone_namerd_tostr(zone, namebuf, sizeof namebuf); |
1682 | 2 | zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf); |
1683 | 2 | zone_name_tostr(zone, namebuf, sizeof namebuf); |
1684 | 2 | zone->strname = isc_mem_strdup(zone->mctx, namebuf); |
1685 | | |
1686 | 2 | if (inline_secure(zone)) { |
1687 | 0 | result = dns_zone_setorigin(zone->raw, origin); |
1688 | 0 | } |
1689 | 2 | UNLOCK_ZONE(zone); |
1690 | 2 | return (result); |
1691 | 2 | } |
1692 | | |
1693 | | static isc_result_t |
1694 | 6 | dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) { |
1695 | 6 | char *copy; |
1696 | | |
1697 | 6 | if (value != NULL) { |
1698 | 6 | copy = isc_mem_strdup(zone->mctx, value); |
1699 | 6 | } else { |
1700 | 0 | copy = NULL; |
1701 | 0 | } |
1702 | | |
1703 | 6 | if (*field != NULL) { |
1704 | 0 | isc_mem_free(zone->mctx, *field); |
1705 | 0 | } |
1706 | | |
1707 | 6 | *field = copy; |
1708 | 6 | return (ISC_R_SUCCESS); |
1709 | 6 | } |
1710 | | |
1711 | | isc_result_t |
1712 | | dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format, |
1713 | 2 | const dns_master_style_t *style) { |
1714 | 2 | isc_result_t result = ISC_R_SUCCESS; |
1715 | | |
1716 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1717 | 2 | REQUIRE(zone->stream == NULL); |
1718 | | |
1719 | 2 | LOCK_ZONE(zone); |
1720 | 2 | result = dns_zone_setstring(zone, &zone->masterfile, file); |
1721 | 2 | if (result == ISC_R_SUCCESS) { |
1722 | 2 | zone->masterformat = format; |
1723 | 2 | if (format == dns_masterformat_text) { |
1724 | 2 | zone->masterstyle = style; |
1725 | 2 | } |
1726 | 2 | result = default_journal(zone); |
1727 | 2 | } |
1728 | 2 | UNLOCK_ZONE(zone); |
1729 | | |
1730 | 2 | return (result); |
1731 | 2 | } |
1732 | | |
1733 | | const char * |
1734 | 0 | dns_zone_getfile(dns_zone_t *zone) { |
1735 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1736 | |
|
1737 | 0 | return (zone->masterfile); |
1738 | 0 | } |
1739 | | |
1740 | | isc_result_t |
1741 | | dns_zone_setstream(dns_zone_t *zone, const FILE *stream, |
1742 | 0 | dns_masterformat_t format, const dns_master_style_t *style) { |
1743 | 0 | isc_result_t result = ISC_R_SUCCESS; |
1744 | |
|
1745 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1746 | 0 | REQUIRE(stream != NULL); |
1747 | 0 | REQUIRE(zone->masterfile == NULL); |
1748 | |
|
1749 | 0 | LOCK_ZONE(zone); |
1750 | 0 | zone->stream = stream; |
1751 | 0 | zone->masterformat = format; |
1752 | 0 | if (format == dns_masterformat_text) { |
1753 | 0 | zone->masterstyle = style; |
1754 | 0 | } |
1755 | 0 | result = default_journal(zone); |
1756 | 0 | UNLOCK_ZONE(zone); |
1757 | |
|
1758 | 0 | return (result); |
1759 | 0 | } |
1760 | | |
1761 | | dns_ttl_t |
1762 | 0 | dns_zone_getmaxttl(dns_zone_t *zone) { |
1763 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1764 | |
|
1765 | 0 | return (zone->maxttl); |
1766 | 0 | } |
1767 | | |
1768 | | void |
1769 | 0 | dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) { |
1770 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1771 | |
|
1772 | 0 | LOCK_ZONE(zone); |
1773 | 0 | if (maxttl != 0) { |
1774 | 0 | DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_CHECKTTL); |
1775 | 0 | } else { |
1776 | 0 | DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_CHECKTTL); |
1777 | 0 | } |
1778 | 0 | zone->maxttl = maxttl; |
1779 | 0 | UNLOCK_ZONE(zone); |
1780 | |
|
1781 | 0 | return; |
1782 | 0 | } |
1783 | | |
1784 | | static isc_result_t |
1785 | 2 | default_journal(dns_zone_t *zone) { |
1786 | 2 | isc_result_t result; |
1787 | 2 | char *journal; |
1788 | | |
1789 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1790 | 2 | REQUIRE(LOCKED_ZONE(zone)); |
1791 | | |
1792 | 2 | if (zone->masterfile != NULL) { |
1793 | | /* Calculate string length including '\0'. */ |
1794 | 2 | int len = strlen(zone->masterfile) + sizeof(".jnl"); |
1795 | 2 | journal = isc_mem_allocate(zone->mctx, len); |
1796 | 2 | strlcpy(journal, zone->masterfile, len); |
1797 | 2 | strlcat(journal, ".jnl", len); |
1798 | 2 | } else { |
1799 | 0 | journal = NULL; |
1800 | 0 | } |
1801 | 2 | result = dns_zone_setstring(zone, &zone->journal, journal); |
1802 | 2 | if (journal != NULL) { |
1803 | 2 | isc_mem_free(zone->mctx, journal); |
1804 | 2 | } |
1805 | 2 | return (result); |
1806 | 2 | } |
1807 | | |
1808 | | isc_result_t |
1809 | 0 | dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) { |
1810 | 0 | isc_result_t result = ISC_R_SUCCESS; |
1811 | |
|
1812 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1813 | |
|
1814 | 0 | LOCK_ZONE(zone); |
1815 | 0 | result = dns_zone_setstring(zone, &zone->journal, myjournal); |
1816 | 0 | UNLOCK_ZONE(zone); |
1817 | |
|
1818 | 0 | return (result); |
1819 | 0 | } |
1820 | | |
1821 | | char * |
1822 | 0 | dns_zone_getjournal(dns_zone_t *zone) { |
1823 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1824 | |
|
1825 | 0 | return (zone->journal); |
1826 | 0 | } |
1827 | | |
1828 | | /* |
1829 | | * Return true iff the zone is "dynamic", in the sense that the zone's |
1830 | | * master file (if any) is written by the server, rather than being |
1831 | | * updated manually and read by the server. |
1832 | | * |
1833 | | * This is true for secondary zones, mirror zones, stub zones, key zones, |
1834 | | * and zones that allow dynamic updates either by having an update |
1835 | | * policy ("ssutable") or an "allow-update" ACL with a value other than |
1836 | | * exactly "{ none; }". |
1837 | | */ |
1838 | | bool |
1839 | 6 | dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) { |
1840 | 6 | REQUIRE(DNS_ZONE_VALID(zone)); |
1841 | | |
1842 | 6 | if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror || |
1843 | 6 | zone->type == dns_zone_stub || zone->type == dns_zone_key || |
1844 | 6 | (zone->type == dns_zone_redirect && |
1845 | 6 | dns_remote_addresses(&zone->primaries) != NULL)) |
1846 | 0 | { |
1847 | 0 | return (true); |
1848 | 0 | } |
1849 | | |
1850 | | /* Inline zones are always dynamic. */ |
1851 | 6 | if (zone->type == dns_zone_primary && zone->raw != NULL) { |
1852 | 0 | return (true); |
1853 | 0 | } |
1854 | | |
1855 | | /* If !ignore_freeze, we need check whether updates are disabled. */ |
1856 | 6 | if (zone->type == dns_zone_primary && |
1857 | 6 | (!zone->update_disabled || ignore_freeze) && |
1858 | 6 | ((zone->ssutable != NULL) || |
1859 | 6 | (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)))) |
1860 | 0 | { |
1861 | 0 | return (true); |
1862 | 0 | } |
1863 | | |
1864 | 6 | return (false); |
1865 | 6 | } |
1866 | | |
1867 | | /* |
1868 | | * Set the response policy index and information for a zone. |
1869 | | */ |
1870 | | isc_result_t |
1871 | | dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, |
1872 | 0 | dns_rpz_num_t rpz_num) { |
1873 | | /* |
1874 | | * This must happen only once or be redundant. |
1875 | | */ |
1876 | 0 | LOCK_ZONE(zone); |
1877 | 0 | if (zone->rpzs != NULL) { |
1878 | 0 | REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num); |
1879 | 0 | } else { |
1880 | 0 | REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM); |
1881 | 0 | dns_rpz_zones_attach(rpzs, &zone->rpzs); |
1882 | 0 | zone->rpz_num = rpz_num; |
1883 | 0 | } |
1884 | 0 | rpzs->defined |= DNS_RPZ_ZBIT(rpz_num); |
1885 | 0 | UNLOCK_ZONE(zone); |
1886 | |
|
1887 | 0 | return (ISC_R_SUCCESS); |
1888 | 0 | } |
1889 | | |
1890 | | dns_rpz_num_t |
1891 | 0 | dns_zone_get_rpz_num(dns_zone_t *zone) { |
1892 | 0 | return (zone->rpz_num); |
1893 | 0 | } |
1894 | | |
1895 | | /* |
1896 | | * If a zone is a response policy zone, mark its new database. |
1897 | | */ |
1898 | | void |
1899 | 2 | dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) { |
1900 | 2 | if (zone->rpz_num == DNS_RPZ_INVALID_NUM) { |
1901 | 2 | return; |
1902 | 2 | } |
1903 | 0 | REQUIRE(zone->rpzs != NULL); |
1904 | 0 | dns_rpz_dbupdate_register(db, zone->rpzs->zones[zone->rpz_num]); |
1905 | 0 | } |
1906 | | |
1907 | | static void |
1908 | 0 | dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) { |
1909 | 0 | if (zone->rpz_num == DNS_RPZ_INVALID_NUM) { |
1910 | 0 | return; |
1911 | 0 | } |
1912 | 0 | REQUIRE(zone->rpzs != NULL); |
1913 | 0 | dns_rpz_dbupdate_unregister(db, zone->rpzs->zones[zone->rpz_num]); |
1914 | 0 | } |
1915 | | |
1916 | | /* |
1917 | | * If a zone is a catalog zone, attach it to update notification in database. |
1918 | | */ |
1919 | | void |
1920 | 2 | dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) { |
1921 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
1922 | 2 | REQUIRE(db != NULL); |
1923 | | |
1924 | 2 | if (zone->catzs != NULL) { |
1925 | 0 | dns_catz_dbupdate_register(db, zone->catzs); |
1926 | 0 | } |
1927 | 2 | } |
1928 | | |
1929 | | static void |
1930 | 0 | dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) { |
1931 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1932 | 0 | REQUIRE(db != NULL); |
1933 | |
|
1934 | 0 | if (zone->catzs != NULL) { |
1935 | 0 | dns_catz_dbupdate_unregister(db, zone->catzs); |
1936 | 0 | } |
1937 | 0 | } |
1938 | | |
1939 | | static void |
1940 | 0 | zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { |
1941 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1942 | 0 | REQUIRE(catzs != NULL); |
1943 | |
|
1944 | 0 | INSIST(zone->catzs == NULL || zone->catzs == catzs); |
1945 | 0 | dns_catz_catzs_set_view(catzs, zone->view); |
1946 | 0 | if (zone->catzs == NULL) { |
1947 | 0 | dns_catz_zones_attach(catzs, &zone->catzs); |
1948 | 0 | } |
1949 | 0 | } |
1950 | | |
1951 | | void |
1952 | 0 | dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { |
1953 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1954 | |
|
1955 | 0 | LOCK_ZONE(zone); |
1956 | 0 | zone_catz_enable(zone, catzs); |
1957 | 0 | UNLOCK_ZONE(zone); |
1958 | 0 | } |
1959 | | |
1960 | | static void |
1961 | 0 | zone_catz_disable(dns_zone_t *zone) { |
1962 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1963 | |
|
1964 | 0 | if (zone->catzs != NULL) { |
1965 | 0 | if (zone->db != NULL) { |
1966 | 0 | dns_zone_catz_disable_db(zone, zone->db); |
1967 | 0 | } |
1968 | 0 | dns_catz_zones_detach(&zone->catzs); |
1969 | 0 | } |
1970 | 0 | } |
1971 | | |
1972 | | void |
1973 | 0 | dns_zone_catz_disable(dns_zone_t *zone) { |
1974 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1975 | |
|
1976 | 0 | LOCK_ZONE(zone); |
1977 | 0 | zone_catz_disable(zone); |
1978 | 0 | UNLOCK_ZONE(zone); |
1979 | 0 | } |
1980 | | |
1981 | | bool |
1982 | 0 | dns_zone_catz_is_enabled(dns_zone_t *zone) { |
1983 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1984 | |
|
1985 | 0 | return (zone->catzs != NULL); |
1986 | 0 | } |
1987 | | |
1988 | | /* |
1989 | | * Set catalog zone ownership of the zone |
1990 | | */ |
1991 | | void |
1992 | 0 | dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) { |
1993 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
1994 | 0 | REQUIRE(catz != NULL); |
1995 | 0 | LOCK_ZONE(zone); |
1996 | 0 | INSIST(zone->parentcatz == NULL || zone->parentcatz == catz); |
1997 | 0 | zone->parentcatz = catz; |
1998 | 0 | UNLOCK_ZONE(zone); |
1999 | 0 | } |
2000 | | |
2001 | | dns_catz_zone_t * |
2002 | 0 | dns_zone_get_parentcatz(dns_zone_t *zone) { |
2003 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2004 | |
|
2005 | 0 | dns_catz_zone_t *parentcatz = NULL; |
2006 | |
|
2007 | 0 | LOCK_ZONE(zone); |
2008 | 0 | parentcatz = zone->parentcatz; |
2009 | 0 | UNLOCK_ZONE(zone); |
2010 | |
|
2011 | 0 | return (parentcatz); |
2012 | 0 | } |
2013 | | |
2014 | | static bool |
2015 | 0 | zone_touched(dns_zone_t *zone) { |
2016 | 0 | isc_result_t result; |
2017 | 0 | isc_time_t modtime; |
2018 | 0 | dns_include_t *include; |
2019 | |
|
2020 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2021 | |
|
2022 | 0 | result = isc_file_getmodtime(zone->masterfile, &modtime); |
2023 | 0 | if (result != ISC_R_SUCCESS || |
2024 | 0 | isc_time_compare(&modtime, &zone->loadtime) > 0) |
2025 | 0 | { |
2026 | 0 | return (true); |
2027 | 0 | } |
2028 | | |
2029 | 0 | for (include = ISC_LIST_HEAD(zone->includes); include != NULL; |
2030 | 0 | include = ISC_LIST_NEXT(include, link)) |
2031 | 0 | { |
2032 | 0 | result = isc_file_getmodtime(include->name, &modtime); |
2033 | 0 | if (result != ISC_R_SUCCESS || |
2034 | 0 | isc_time_compare(&modtime, &include->filetime) > 0) |
2035 | 0 | { |
2036 | 0 | return (true); |
2037 | 0 | } |
2038 | 0 | } |
2039 | | |
2040 | 0 | return (false); |
2041 | 0 | } |
2042 | | |
2043 | | /* |
2044 | | * Note: when dealing with inline-signed zones, external callers will always |
2045 | | * call zone_load() for the secure zone; zone_load() calls itself recursively |
2046 | | * in order to load the raw zone. |
2047 | | */ |
2048 | | static isc_result_t |
2049 | 2 | zone_load(dns_zone_t *zone, unsigned int flags, bool locked) { |
2050 | 2 | isc_result_t result; |
2051 | 2 | isc_time_t now; |
2052 | 2 | isc_time_t loadtime; |
2053 | 2 | dns_db_t *db = NULL; |
2054 | 2 | bool rbt, hasraw, is_dynamic; |
2055 | | |
2056 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
2057 | | |
2058 | 2 | if (!locked) { |
2059 | 2 | LOCK_ZONE(zone); |
2060 | 2 | } |
2061 | | |
2062 | 2 | INSIST(zone != zone->raw); |
2063 | 2 | hasraw = inline_secure(zone); |
2064 | 2 | if (hasraw) { |
2065 | | /* |
2066 | | * We are trying to load an inline-signed zone. First call |
2067 | | * self recursively to try loading the raw version of the zone. |
2068 | | * Assuming the raw zone file is readable, there are two |
2069 | | * possibilities: |
2070 | | * |
2071 | | * a) the raw zone was not yet loaded and thus it will be |
2072 | | * loaded now, synchronously; if this succeeds, a |
2073 | | * subsequent attempt to load the signed zone file will |
2074 | | * take place and thus zone_postload() will be called |
2075 | | * twice: first for the raw zone and then for the secure |
2076 | | * zone; the latter call will take care of syncing the raw |
2077 | | * version with the secure version, |
2078 | | * |
2079 | | * b) the raw zone was already loaded and we are trying to |
2080 | | * reload it, which will happen asynchronously; this means |
2081 | | * zone_postload() will only be called for the raw zone |
2082 | | * because "result" returned by the zone_load() call below |
2083 | | * will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE; |
2084 | | * zone_postload() called for the raw zone will take care |
2085 | | * of syncing the raw version with the secure version. |
2086 | | */ |
2087 | 0 | result = zone_load(zone->raw, flags, false); |
2088 | 0 | if (result != ISC_R_SUCCESS) { |
2089 | 0 | if (!locked) { |
2090 | 0 | UNLOCK_ZONE(zone); |
2091 | 0 | } |
2092 | 0 | return (result); |
2093 | 0 | } |
2094 | 0 | LOCK_ZONE(zone->raw); |
2095 | 0 | } |
2096 | | |
2097 | 2 | now = isc_time_now(); |
2098 | | |
2099 | 2 | INSIST(zone->type != dns_zone_none); |
2100 | | |
2101 | 2 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) { |
2102 | 0 | if ((flags & DNS_ZONELOADFLAG_THAW) != 0) { |
2103 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW); |
2104 | 0 | } |
2105 | 0 | result = DNS_R_CONTINUE; |
2106 | 0 | goto cleanup; |
2107 | 0 | } |
2108 | | |
2109 | 2 | INSIST(zone->db_argc >= 1); |
2110 | | |
2111 | 2 | rbt = strcmp(zone->db_argv[0], ZONEDB_DEFAULT) == 0; |
2112 | | |
2113 | 2 | if (zone->db != NULL && zone->masterfile == NULL && rbt) { |
2114 | | /* |
2115 | | * The zone has no master file configured. |
2116 | | */ |
2117 | 0 | result = ISC_R_SUCCESS; |
2118 | 0 | goto cleanup; |
2119 | 0 | } |
2120 | | |
2121 | 2 | is_dynamic = dns_zone_isdynamic(zone, false); |
2122 | 2 | if (zone->db != NULL && is_dynamic) { |
2123 | | /* |
2124 | | * This is a secondary, stub, or dynamically updated zone |
2125 | | * being reloaded. Do nothing - the database we already |
2126 | | * have is guaranteed to be up-to-date. |
2127 | | */ |
2128 | 0 | if (zone->type == dns_zone_primary && !hasraw) { |
2129 | 0 | result = DNS_R_DYNAMIC; |
2130 | 0 | } else { |
2131 | 0 | result = ISC_R_SUCCESS; |
2132 | 0 | } |
2133 | 0 | goto cleanup; |
2134 | 0 | } |
2135 | | |
2136 | | /* |
2137 | | * Store the current time before the zone is loaded, so that if the |
2138 | | * file changes between the time of the load and the time that |
2139 | | * zone->loadtime is set, then the file will still be reloaded |
2140 | | * the next time dns_zone_load is called. |
2141 | | */ |
2142 | 2 | loadtime = isc_time_now(); |
2143 | | |
2144 | | /* |
2145 | | * Don't do the load if the file that stores the zone is older |
2146 | | * than the last time the zone was loaded. If the zone has not |
2147 | | * been loaded yet, zone->loadtime will be the epoch. |
2148 | | */ |
2149 | 2 | if (zone->masterfile != NULL) { |
2150 | 2 | isc_time_t filetime; |
2151 | | |
2152 | | /* |
2153 | | * The file is already loaded. If we are just doing a |
2154 | | * "rndc reconfig", we are done. |
2155 | | */ |
2156 | 2 | if (!isc_time_isepoch(&zone->loadtime) && |
2157 | 2 | (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) |
2158 | 0 | { |
2159 | 0 | result = ISC_R_SUCCESS; |
2160 | 0 | goto cleanup; |
2161 | 0 | } |
2162 | | |
2163 | 2 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && |
2164 | 2 | !zone_touched(zone)) |
2165 | 0 | { |
2166 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2167 | 0 | ISC_LOG_DEBUG(1), |
2168 | 0 | "skipping load: master file " |
2169 | 0 | "older than last load"); |
2170 | 0 | result = DNS_R_UPTODATE; |
2171 | 0 | goto cleanup; |
2172 | 0 | } |
2173 | | |
2174 | | /* |
2175 | | * If the file modification time is in the past |
2176 | | * set loadtime to that value. |
2177 | | */ |
2178 | 2 | result = isc_file_getmodtime(zone->masterfile, &filetime); |
2179 | 2 | if (result == ISC_R_SUCCESS && |
2180 | 2 | isc_time_compare(&loadtime, &filetime) > 0) |
2181 | 1 | { |
2182 | 1 | loadtime = filetime; |
2183 | 1 | } |
2184 | 2 | } |
2185 | | |
2186 | | /* |
2187 | | * Built in zones (with the exception of empty zones) don't need |
2188 | | * to be reloaded. |
2189 | | */ |
2190 | 2 | if (zone->type == dns_zone_primary && |
2191 | 2 | strcmp(zone->db_argv[0], "_builtin") == 0 && |
2192 | 2 | (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) && |
2193 | 2 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
2194 | 0 | { |
2195 | 0 | result = ISC_R_SUCCESS; |
2196 | 0 | goto cleanup; |
2197 | 0 | } |
2198 | | |
2199 | | /* |
2200 | | * Zones associated with a DLZ don't need to be loaded either, |
2201 | | * but we need to associate the database with the zone object. |
2202 | | */ |
2203 | 2 | if (strcmp(zone->db_argv[0], "dlz") == 0) { |
2204 | 0 | dns_dlzdb_t *dlzdb; |
2205 | 0 | dns_dlzfindzone_t findzone; |
2206 | |
|
2207 | 0 | for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched); |
2208 | 0 | dlzdb != NULL; dlzdb = ISC_LIST_NEXT(dlzdb, link)) |
2209 | 0 | { |
2210 | 0 | INSIST(DNS_DLZ_VALID(dlzdb)); |
2211 | 0 | if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0) { |
2212 | 0 | break; |
2213 | 0 | } |
2214 | 0 | } |
2215 | |
|
2216 | 0 | if (dlzdb == NULL) { |
2217 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2218 | 0 | ISC_LOG_ERROR, |
2219 | 0 | "DLZ %s does not exist or is set " |
2220 | 0 | "to 'search yes;'", |
2221 | 0 | zone->db_argv[1]); |
2222 | 0 | result = ISC_R_NOTFOUND; |
2223 | 0 | goto cleanup; |
2224 | 0 | } |
2225 | | |
2226 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
2227 | | /* ask SDLZ driver if the zone is supported */ |
2228 | 0 | findzone = dlzdb->implementation->methods->findzone; |
2229 | 0 | result = (*findzone)(dlzdb->implementation->driverarg, |
2230 | 0 | dlzdb->dbdata, dlzdb->mctx, |
2231 | 0 | zone->view->rdclass, &zone->origin, NULL, |
2232 | 0 | NULL, &db); |
2233 | 0 | if (result != ISC_R_NOTFOUND) { |
2234 | 0 | if (zone->db != NULL) { |
2235 | 0 | zone_detachdb(zone); |
2236 | 0 | } |
2237 | 0 | zone_attachdb(zone, db); |
2238 | 0 | dns_db_detach(&db); |
2239 | 0 | result = ISC_R_SUCCESS; |
2240 | 0 | } |
2241 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
2242 | |
|
2243 | 0 | if (result == ISC_R_SUCCESS) { |
2244 | 0 | if (dlzdb->configure_callback == NULL) { |
2245 | 0 | goto cleanup; |
2246 | 0 | } |
2247 | | |
2248 | 0 | result = (*dlzdb->configure_callback)(zone->view, dlzdb, |
2249 | 0 | zone); |
2250 | 0 | if (result != ISC_R_SUCCESS) { |
2251 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2252 | 0 | ISC_LOG_ERROR, |
2253 | 0 | "DLZ configuration callback: %s", |
2254 | 0 | isc_result_totext(result)); |
2255 | 0 | } |
2256 | 0 | } |
2257 | 0 | goto cleanup; |
2258 | 0 | } |
2259 | | |
2260 | 2 | if ((zone->type == dns_zone_secondary || |
2261 | 2 | zone->type == dns_zone_mirror || zone->type == dns_zone_stub || |
2262 | 2 | (zone->type == dns_zone_redirect && |
2263 | 2 | dns_remote_addresses(&zone->primaries) != NULL)) && |
2264 | 2 | rbt) |
2265 | 0 | { |
2266 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH); |
2267 | |
|
2268 | 0 | if (zone->stream == NULL && |
2269 | 0 | (zone->masterfile == NULL || |
2270 | 0 | !isc_file_exists(zone->masterfile))) |
2271 | 0 | { |
2272 | 0 | if (zone->masterfile != NULL) { |
2273 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2274 | 0 | ISC_LOG_DEBUG(1), |
2275 | 0 | "no master file"); |
2276 | 0 | } |
2277 | 0 | zone->refreshtime = now; |
2278 | 0 | if (zone->loop != NULL) { |
2279 | 0 | zone_settimer(zone, &now); |
2280 | 0 | } |
2281 | 0 | result = ISC_R_SUCCESS; |
2282 | 0 | goto cleanup; |
2283 | 0 | } |
2284 | 0 | } |
2285 | | |
2286 | 2 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1), |
2287 | 2 | "starting load"); |
2288 | | |
2289 | 2 | result = dns_zone_makedb(zone, &db); |
2290 | 2 | if (result != ISC_R_SUCCESS) { |
2291 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, |
2292 | 0 | "loading zone: creating database: %s", |
2293 | 0 | isc_result_totext(result)); |
2294 | 0 | goto cleanup; |
2295 | 0 | } |
2296 | | |
2297 | 2 | if (!dns_db_ispersistent(db)) { |
2298 | 2 | if (zone->masterfile != NULL || zone->stream != NULL) { |
2299 | 2 | result = zone_startload(db, zone, loadtime); |
2300 | 2 | } else { |
2301 | 0 | result = DNS_R_NOMASTERFILE; |
2302 | 0 | if (zone->type == dns_zone_primary || |
2303 | 0 | (zone->type == dns_zone_redirect && |
2304 | 0 | dns_remote_addresses(&zone->primaries) == NULL)) |
2305 | 0 | { |
2306 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2307 | 0 | ISC_LOG_ERROR, |
2308 | 0 | "loading zone: " |
2309 | 0 | "no master file configured"); |
2310 | 0 | goto cleanup; |
2311 | 0 | } |
2312 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
2313 | 0 | ISC_LOG_INFO, |
2314 | 0 | "loading zone: " |
2315 | 0 | "no master file configured: continuing"); |
2316 | 0 | } |
2317 | 2 | } |
2318 | | |
2319 | 2 | if (result == DNS_R_CONTINUE) { |
2320 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING); |
2321 | 0 | if ((flags & DNS_ZONELOADFLAG_THAW) != 0) { |
2322 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW); |
2323 | 0 | } |
2324 | 0 | goto cleanup; |
2325 | 0 | } |
2326 | | |
2327 | 2 | result = zone_postload(zone, db, loadtime, result); |
2328 | | |
2329 | 2 | cleanup: |
2330 | 2 | if (hasraw) { |
2331 | 0 | UNLOCK_ZONE(zone->raw); |
2332 | 0 | } |
2333 | 2 | if (!locked) { |
2334 | 2 | UNLOCK_ZONE(zone); |
2335 | 2 | } |
2336 | 2 | if (db != NULL) { |
2337 | 2 | dns_db_detach(&db); |
2338 | 2 | } |
2339 | 2 | return (result); |
2340 | 2 | } |
2341 | | |
2342 | | isc_result_t |
2343 | 2 | dns_zone_load(dns_zone_t *zone, bool newonly) { |
2344 | 2 | return (zone_load(zone, newonly ? DNS_ZONELOADFLAG_NOSTAT : 0, false)); |
2345 | 2 | } |
2346 | | |
2347 | | static void |
2348 | 0 | zone_asyncload(void *arg) { |
2349 | 0 | dns_asyncload_t *asl = arg; |
2350 | 0 | dns_zone_t *zone = asl->zone; |
2351 | 0 | isc_result_t result; |
2352 | |
|
2353 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2354 | |
|
2355 | 0 | LOCK_ZONE(zone); |
2356 | 0 | result = zone_load(zone, asl->flags, true); |
2357 | 0 | if (result != DNS_R_CONTINUE) { |
2358 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING); |
2359 | 0 | } |
2360 | 0 | UNLOCK_ZONE(zone); |
2361 | | |
2362 | | /* Inform the zone table we've finished loading */ |
2363 | 0 | if (asl->loaded != NULL) { |
2364 | 0 | asl->loaded(asl->loaded_arg); |
2365 | 0 | } |
2366 | |
|
2367 | 0 | isc_mem_put(zone->mctx, asl, sizeof(*asl)); |
2368 | 0 | dns_zone_idetach(&zone); |
2369 | 0 | } |
2370 | | |
2371 | | isc_result_t |
2372 | | dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_callback_t *done, |
2373 | 0 | void *arg) { |
2374 | 0 | dns_asyncload_t *asl = NULL; |
2375 | |
|
2376 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2377 | |
|
2378 | 0 | if (zone->zmgr == NULL) { |
2379 | 0 | return (ISC_R_FAILURE); |
2380 | 0 | } |
2381 | | |
2382 | | /* If we already have a load pending, stop now */ |
2383 | 0 | LOCK_ZONE(zone); |
2384 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) { |
2385 | 0 | UNLOCK_ZONE(zone); |
2386 | 0 | return (ISC_R_ALREADYRUNNING); |
2387 | 0 | } |
2388 | | |
2389 | 0 | asl = isc_mem_get(zone->mctx, sizeof(*asl)); |
2390 | |
|
2391 | 0 | asl->zone = NULL; |
2392 | 0 | asl->flags = newonly ? DNS_ZONELOADFLAG_NOSTAT : 0; |
2393 | 0 | asl->loaded = done; |
2394 | 0 | asl->loaded_arg = arg; |
2395 | |
|
2396 | 0 | zone_iattach(zone, &asl->zone); |
2397 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING); |
2398 | 0 | isc_async_run(zone->loop, zone_asyncload, asl); |
2399 | 0 | UNLOCK_ZONE(zone); |
2400 | |
|
2401 | 0 | return (ISC_R_SUCCESS); |
2402 | 0 | } |
2403 | | |
2404 | | bool |
2405 | 0 | dns__zone_loadpending(dns_zone_t *zone) { |
2406 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2407 | |
|
2408 | 0 | return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)); |
2409 | 0 | } |
2410 | | |
2411 | | isc_result_t |
2412 | 0 | dns_zone_loadandthaw(dns_zone_t *zone) { |
2413 | 0 | isc_result_t result; |
2414 | |
|
2415 | 0 | if (inline_raw(zone)) { |
2416 | 0 | result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW, false); |
2417 | 0 | } else { |
2418 | | /* |
2419 | | * When thawing a zone, we don't know what changes |
2420 | | * have been made. If we do DNSSEC maintenance on this |
2421 | | * zone, schedule a full sign for this zone. |
2422 | | */ |
2423 | 0 | if (zone->type == dns_zone_primary && |
2424 | 0 | DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) |
2425 | 0 | { |
2426 | 0 | DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN); |
2427 | 0 | } |
2428 | 0 | result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false); |
2429 | 0 | } |
2430 | |
|
2431 | 0 | switch (result) { |
2432 | 0 | case DNS_R_CONTINUE: |
2433 | | /* Deferred thaw. */ |
2434 | 0 | break; |
2435 | 0 | case DNS_R_UPTODATE: |
2436 | 0 | case ISC_R_SUCCESS: |
2437 | 0 | case DNS_R_SEENINCLUDE: |
2438 | 0 | zone->update_disabled = false; |
2439 | 0 | break; |
2440 | 0 | case DNS_R_NOMASTERFILE: |
2441 | 0 | zone->update_disabled = false; |
2442 | 0 | break; |
2443 | 0 | default: |
2444 | | /* Error, remain in disabled state. */ |
2445 | 0 | break; |
2446 | 0 | } |
2447 | 0 | return (result); |
2448 | 0 | } |
2449 | | |
2450 | | static unsigned int |
2451 | 2 | get_primary_options(dns_zone_t *zone) { |
2452 | 2 | unsigned int options; |
2453 | | |
2454 | 2 | options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN; |
2455 | 2 | if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror || |
2456 | 2 | (zone->type == dns_zone_redirect && |
2457 | 2 | dns_remote_addresses(&zone->primaries) == NULL)) |
2458 | 0 | { |
2459 | 0 | options |= DNS_MASTER_SECONDARY; |
2460 | 0 | } |
2461 | 2 | if (zone->type == dns_zone_key) { |
2462 | 0 | options |= DNS_MASTER_KEY; |
2463 | 0 | } |
2464 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) { |
2465 | 0 | options |= DNS_MASTER_CHECKNS; |
2466 | 0 | } |
2467 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) { |
2468 | 0 | options |= DNS_MASTER_FATALNS; |
2469 | 0 | } |
2470 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) { |
2471 | 0 | options |= DNS_MASTER_CHECKNAMES; |
2472 | 0 | } |
2473 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) { |
2474 | 0 | options |= DNS_MASTER_CHECKNAMESFAIL; |
2475 | 0 | } |
2476 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) { |
2477 | 0 | options |= DNS_MASTER_CHECKMX; |
2478 | 0 | } |
2479 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) { |
2480 | 0 | options |= DNS_MASTER_CHECKMXFAIL; |
2481 | 0 | } |
2482 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) { |
2483 | 0 | options |= DNS_MASTER_CHECKWILDCARD; |
2484 | 0 | } |
2485 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) { |
2486 | 0 | options |= DNS_MASTER_CHECKTTL; |
2487 | 0 | } |
2488 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSVCB)) { |
2489 | 0 | options |= DNS_MASTER_CHECKSVCB; |
2490 | 0 | } |
2491 | | |
2492 | 2 | return (options); |
2493 | 2 | } |
2494 | | |
2495 | | static void |
2496 | 0 | zone_registerinclude(const char *filename, void *arg) { |
2497 | 0 | isc_result_t result; |
2498 | 0 | dns_zone_t *zone = (dns_zone_t *)arg; |
2499 | 0 | dns_include_t *inc = NULL; |
2500 | |
|
2501 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
2502 | |
|
2503 | 0 | if (filename == NULL) { |
2504 | 0 | return; |
2505 | 0 | } |
2506 | | |
2507 | | /* |
2508 | | * Suppress duplicates. |
2509 | | */ |
2510 | 0 | for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; |
2511 | 0 | inc = ISC_LIST_NEXT(inc, link)) |
2512 | 0 | { |
2513 | 0 | if (strcmp(filename, inc->name) == 0) { |
2514 | 0 | return; |
2515 | 0 | } |
2516 | 0 | } |
2517 | | |
2518 | 0 | inc = isc_mem_get(zone->mctx, sizeof(dns_include_t)); |
2519 | 0 | inc->name = isc_mem_strdup(zone->mctx, filename); |
2520 | 0 | ISC_LINK_INIT(inc, link); |
2521 | |
|
2522 | 0 | result = isc_file_getmodtime(filename, &inc->filetime); |
2523 | 0 | if (result != ISC_R_SUCCESS) { |
2524 | 0 | isc_time_settoepoch(&inc->filetime); |
2525 | 0 | } |
2526 | |
|
2527 | 0 | ISC_LIST_APPEND(zone->newincludes, inc, link); |
2528 | 0 | } |
2529 | | |
2530 | | static void |
2531 | 0 | get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) { |
2532 | 0 | isc_result_t result; |
2533 | 0 | unsigned int soacount; |
2534 | |
|
2535 | 0 | LOCK(&raw->lock); |
2536 | 0 | if (raw->db != NULL) { |
2537 | 0 | result = zone_get_from_db(raw, raw->db, NULL, &soacount, NULL, |
2538 | 0 | &rawdata->sourceserial, NULL, NULL, |
2539 | 0 | NULL, NULL, NULL); |
2540 | 0 | if (result == ISC_R_SUCCESS && soacount > 0U) { |
2541 | 0 | rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET; |
2542 | 0 | } |
2543 | 0 | } |
2544 | 0 | UNLOCK(&raw->lock); |
2545 | 0 | } |
2546 | | |
2547 | | /* |
2548 | | * Save the raw serial number for inline-signing zones. |
2549 | | * (XXX: Other information from the header will be used |
2550 | | * for other purposes in the future, but for now this is |
2551 | | * all we're interested in.) |
2552 | | */ |
2553 | | static void |
2554 | 0 | zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) { |
2555 | 0 | if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0) { |
2556 | 0 | return; |
2557 | 0 | } |
2558 | | |
2559 | 0 | zone->sourceserial = header->sourceserial; |
2560 | 0 | zone->sourceserialset = true; |
2561 | 0 | } |
2562 | | |
2563 | | void |
2564 | 0 | dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) { |
2565 | 0 | if (zone == NULL) { |
2566 | 0 | return; |
2567 | 0 | } |
2568 | | |
2569 | 0 | LOCK_ZONE(zone); |
2570 | 0 | zone_setrawdata(zone, header); |
2571 | 0 | UNLOCK_ZONE(zone); |
2572 | 0 | } |
2573 | | |
2574 | | static isc_result_t |
2575 | 2 | zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) { |
2576 | 2 | isc_result_t result; |
2577 | 2 | isc_result_t tresult; |
2578 | 2 | unsigned int options; |
2579 | 2 | dns_load_t *load = isc_mem_get(zone->mctx, sizeof(*load)); |
2580 | | |
2581 | 2 | ENTER; |
2582 | | |
2583 | 2 | *load = (dns_load_t){ |
2584 | 2 | .loadtime = loadtime, |
2585 | 2 | }; |
2586 | | |
2587 | 2 | dns_zone_rpz_enable_db(zone, db); |
2588 | 2 | dns_zone_catz_enable_db(zone, db); |
2589 | | |
2590 | 2 | options = get_primary_options(zone); |
2591 | 2 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) { |
2592 | 0 | options |= DNS_MASTER_MANYERRORS; |
2593 | 0 | } |
2594 | | |
2595 | 2 | zone_iattach(zone, &load->zone); |
2596 | 2 | dns_db_attach(db, &load->db); |
2597 | | |
2598 | 2 | dns_rdatacallbacks_init(&load->callbacks); |
2599 | 2 | load->callbacks.rawdata = zone_setrawdata; |
2600 | 2 | zone_iattach(zone, &load->callbacks.zone); |
2601 | | |
2602 | 2 | result = dns_db_beginload(db, &load->callbacks); |
2603 | 2 | if (result != ISC_R_SUCCESS) { |
2604 | 0 | goto cleanup; |
2605 | 0 | } |
2606 | | |
2607 | 2 | if (zone->zmgr != NULL && zone->db != NULL) { |
2608 | 0 | result = dns_master_loadfileasync( |
2609 | 0 | zone->masterfile, dns_db_origin(db), dns_db_origin(db), |
2610 | 0 | zone->rdclass, options, 0, &load->callbacks, zone->loop, |
2611 | 0 | zone_loaddone, load, &zone->loadctx, |
2612 | 0 | zone_registerinclude, zone, zone->mctx, |
2613 | 0 | zone->masterformat, zone->maxttl); |
2614 | 0 | if (result != ISC_R_SUCCESS) { |
2615 | 0 | goto cleanup; |
2616 | 0 | } |
2617 | | |
2618 | 0 | return (DNS_R_CONTINUE); |
2619 | 2 | } else if (zone->stream != NULL) { |
2620 | 0 | FILE *stream = UNCONST(zone->stream); |
2621 | 0 | result = dns_master_loadstream( |
2622 | 0 | stream, &zone->origin, &zone->origin, zone->rdclass, |
2623 | 0 | options, &load->callbacks, zone->mctx); |
2624 | 2 | } else { |
2625 | 2 | result = dns_master_loadfile( |
2626 | 2 | zone->masterfile, &zone->origin, &zone->origin, |
2627 | 2 | zone->rdclass, options, 0, &load->callbacks, |
2628 | 2 | zone_registerinclude, zone, zone->mctx, |
2629 | 2 | zone->masterformat, zone->maxttl); |
2630 | 2 | } |
2631 | | |
2632 | 2 | cleanup: |
2633 | 2 | if (result != ISC_R_SUCCESS) { |
2634 | 0 | dns_zone_rpz_disable_db(zone, load->db); |
2635 | 0 | dns_zone_catz_disable_db(zone, load->db); |
2636 | 0 | } |
2637 | | |
2638 | 2 | tresult = dns_db_endload(db, &load->callbacks); |
2639 | 2 | if (result == ISC_R_SUCCESS) { |
2640 | 2 | result = tresult; |
2641 | 2 | } |
2642 | | |
2643 | 2 | zone_idetach(&load->callbacks.zone); |
2644 | 2 | dns_db_detach(&load->db); |
2645 | 2 | zone_idetach(&load->zone); |
2646 | | |
2647 | 2 | isc_mem_put(zone->mctx, load, sizeof(*load)); |
2648 | 2 | return (result); |
2649 | 2 | } |
2650 | | |
2651 | | static bool |
2652 | | zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, |
2653 | 0 | dns_name_t *owner) { |
2654 | 0 | isc_result_t result; |
2655 | 0 | char ownerbuf[DNS_NAME_FORMATSIZE]; |
2656 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
2657 | 0 | char altbuf[DNS_NAME_FORMATSIZE]; |
2658 | 0 | dns_fixedname_t fixed; |
2659 | 0 | dns_name_t *foundname; |
2660 | 0 | int level; |
2661 | | |
2662 | | /* |
2663 | | * "." means the services does not exist. |
2664 | | */ |
2665 | 0 | if (dns_name_equal(name, dns_rootname)) { |
2666 | 0 | return (true); |
2667 | 0 | } |
2668 | | |
2669 | | /* |
2670 | | * Outside of zone. |
2671 | | */ |
2672 | 0 | if (!dns_name_issubdomain(name, &zone->origin)) { |
2673 | 0 | if (zone->checkmx != NULL) { |
2674 | 0 | return ((zone->checkmx)(zone, name, owner)); |
2675 | 0 | } |
2676 | 0 | return (true); |
2677 | 0 | } |
2678 | | |
2679 | 0 | if (zone->type == dns_zone_primary) { |
2680 | 0 | level = ISC_LOG_ERROR; |
2681 | 0 | } else { |
2682 | 0 | level = ISC_LOG_WARNING; |
2683 | 0 | } |
2684 | |
|
2685 | 0 | foundname = dns_fixedname_initname(&fixed); |
2686 | |
|
2687 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL, |
2688 | 0 | foundname, NULL, NULL); |
2689 | 0 | if (result == ISC_R_SUCCESS) { |
2690 | 0 | return (true); |
2691 | 0 | } |
2692 | | |
2693 | 0 | if (result == DNS_R_NXRRSET) { |
2694 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0, |
2695 | 0 | NULL, foundname, NULL, NULL); |
2696 | 0 | if (result == ISC_R_SUCCESS) { |
2697 | 0 | return (true); |
2698 | 0 | } |
2699 | 0 | } |
2700 | | |
2701 | 0 | dns_name_format(owner, ownerbuf, sizeof ownerbuf); |
2702 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
2703 | 0 | if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN || |
2704 | 0 | result == DNS_R_EMPTYNAME) |
2705 | 0 | { |
2706 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) { |
2707 | 0 | level = ISC_LOG_WARNING; |
2708 | 0 | } |
2709 | 0 | dns_zone_log(zone, level, |
2710 | 0 | "%s/MX '%s' has no address records (A or AAAA)", |
2711 | 0 | ownerbuf, namebuf); |
2712 | 0 | return ((level == ISC_LOG_WARNING) ? true : false); |
2713 | 0 | } |
2714 | | |
2715 | 0 | if (result == DNS_R_CNAME) { |
2716 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) || |
2717 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) |
2718 | 0 | { |
2719 | 0 | level = ISC_LOG_WARNING; |
2720 | 0 | } |
2721 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) { |
2722 | 0 | dns_zone_log(zone, level, |
2723 | 0 | "%s/MX '%s' is a CNAME (illegal)", |
2724 | 0 | ownerbuf, namebuf); |
2725 | 0 | } |
2726 | 0 | return ((level == ISC_LOG_WARNING) ? true : false); |
2727 | 0 | } |
2728 | | |
2729 | 0 | if (result == DNS_R_DNAME) { |
2730 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) || |
2731 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) |
2732 | 0 | { |
2733 | 0 | level = ISC_LOG_WARNING; |
2734 | 0 | } |
2735 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) { |
2736 | 0 | dns_name_format(foundname, altbuf, sizeof altbuf); |
2737 | 0 | dns_zone_log(zone, level, |
2738 | 0 | "%s/MX '%s' is below a DNAME" |
2739 | 0 | " '%s' (illegal)", |
2740 | 0 | ownerbuf, namebuf, altbuf); |
2741 | 0 | } |
2742 | 0 | return ((level == ISC_LOG_WARNING) ? true : false); |
2743 | 0 | } |
2744 | | |
2745 | 0 | if (zone->checkmx != NULL && result == DNS_R_DELEGATION) { |
2746 | 0 | return ((zone->checkmx)(zone, name, owner)); |
2747 | 0 | } |
2748 | | |
2749 | 0 | return (true); |
2750 | 0 | } |
2751 | | |
2752 | | static bool |
2753 | | zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, |
2754 | 0 | dns_name_t *owner) { |
2755 | 0 | isc_result_t result; |
2756 | 0 | char ownerbuf[DNS_NAME_FORMATSIZE]; |
2757 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
2758 | 0 | char altbuf[DNS_NAME_FORMATSIZE]; |
2759 | 0 | dns_fixedname_t fixed; |
2760 | 0 | dns_name_t *foundname; |
2761 | 0 | int level; |
2762 | | |
2763 | | /* |
2764 | | * "." means the services does not exist. |
2765 | | */ |
2766 | 0 | if (dns_name_equal(name, dns_rootname)) { |
2767 | 0 | return (true); |
2768 | 0 | } |
2769 | | |
2770 | | /* |
2771 | | * Outside of zone. |
2772 | | */ |
2773 | 0 | if (!dns_name_issubdomain(name, &zone->origin)) { |
2774 | 0 | if (zone->checksrv != NULL) { |
2775 | 0 | return ((zone->checksrv)(zone, name, owner)); |
2776 | 0 | } |
2777 | 0 | return (true); |
2778 | 0 | } |
2779 | | |
2780 | 0 | if (zone->type == dns_zone_primary) { |
2781 | 0 | level = ISC_LOG_ERROR; |
2782 | 0 | } else { |
2783 | 0 | level = ISC_LOG_WARNING; |
2784 | 0 | } |
2785 | |
|
2786 | 0 | foundname = dns_fixedname_initname(&fixed); |
2787 | |
|
2788 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL, |
2789 | 0 | foundname, NULL, NULL); |
2790 | 0 | if (result == ISC_R_SUCCESS) { |
2791 | 0 | return (true); |
2792 | 0 | } |
2793 | | |
2794 | 0 | if (result == DNS_R_NXRRSET) { |
2795 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0, |
2796 | 0 | NULL, foundname, NULL, NULL); |
2797 | 0 | if (result == ISC_R_SUCCESS) { |
2798 | 0 | return (true); |
2799 | 0 | } |
2800 | 0 | } |
2801 | | |
2802 | 0 | dns_name_format(owner, ownerbuf, sizeof ownerbuf); |
2803 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
2804 | 0 | if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN || |
2805 | 0 | result == DNS_R_EMPTYNAME) |
2806 | 0 | { |
2807 | 0 | dns_zone_log(zone, level, |
2808 | 0 | "%s/SRV '%s' has no address records (A or AAAA)", |
2809 | 0 | ownerbuf, namebuf); |
2810 | | /* XXX950 make fatal for 9.5.0. */ |
2811 | 0 | return (true); |
2812 | 0 | } |
2813 | | |
2814 | 0 | if (result == DNS_R_CNAME) { |
2815 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) || |
2816 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) |
2817 | 0 | { |
2818 | 0 | level = ISC_LOG_WARNING; |
2819 | 0 | } |
2820 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) { |
2821 | 0 | dns_zone_log(zone, level, |
2822 | 0 | "%s/SRV '%s' is a CNAME (illegal)", |
2823 | 0 | ownerbuf, namebuf); |
2824 | 0 | } |
2825 | 0 | return ((level == ISC_LOG_WARNING) ? true : false); |
2826 | 0 | } |
2827 | | |
2828 | 0 | if (result == DNS_R_DNAME) { |
2829 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) || |
2830 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) |
2831 | 0 | { |
2832 | 0 | level = ISC_LOG_WARNING; |
2833 | 0 | } |
2834 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) { |
2835 | 0 | dns_name_format(foundname, altbuf, sizeof altbuf); |
2836 | 0 | dns_zone_log(zone, level, |
2837 | 0 | "%s/SRV '%s' is below a " |
2838 | 0 | "DNAME '%s' (illegal)", |
2839 | 0 | ownerbuf, namebuf, altbuf); |
2840 | 0 | } |
2841 | 0 | return ((level == ISC_LOG_WARNING) ? true : false); |
2842 | 0 | } |
2843 | | |
2844 | 0 | if (zone->checksrv != NULL && result == DNS_R_DELEGATION) { |
2845 | 0 | return ((zone->checksrv)(zone, name, owner)); |
2846 | 0 | } |
2847 | | |
2848 | 0 | return (true); |
2849 | 0 | } |
2850 | | |
2851 | | static bool |
2852 | | zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, |
2853 | 0 | dns_name_t *owner) { |
2854 | 0 | bool answer = true; |
2855 | 0 | isc_result_t result, tresult; |
2856 | 0 | char ownerbuf[DNS_NAME_FORMATSIZE]; |
2857 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
2858 | 0 | char altbuf[DNS_NAME_FORMATSIZE]; |
2859 | 0 | dns_fixedname_t fixed; |
2860 | 0 | dns_name_t *foundname; |
2861 | 0 | dns_rdataset_t a; |
2862 | 0 | dns_rdataset_t aaaa; |
2863 | 0 | int level; |
2864 | | |
2865 | | /* |
2866 | | * Outside of zone. |
2867 | | */ |
2868 | 0 | if (!dns_name_issubdomain(name, &zone->origin)) { |
2869 | 0 | if (zone->checkns != NULL) { |
2870 | 0 | return ((zone->checkns)(zone, name, owner, NULL, NULL)); |
2871 | 0 | } |
2872 | 0 | return (true); |
2873 | 0 | } |
2874 | | |
2875 | 0 | if (zone->type == dns_zone_primary) { |
2876 | 0 | level = ISC_LOG_ERROR; |
2877 | 0 | } else { |
2878 | 0 | level = ISC_LOG_WARNING; |
2879 | 0 | } |
2880 | |
|
2881 | 0 | foundname = dns_fixedname_initname(&fixed); |
2882 | 0 | dns_rdataset_init(&a); |
2883 | 0 | dns_rdataset_init(&aaaa); |
2884 | | |
2885 | | /* |
2886 | | * Perform a regular lookup to catch DNAME records then look |
2887 | | * for glue. |
2888 | | */ |
2889 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL, |
2890 | 0 | foundname, &a, NULL); |
2891 | 0 | switch (result) { |
2892 | 0 | case ISC_R_SUCCESS: |
2893 | 0 | case DNS_R_DNAME: |
2894 | 0 | case DNS_R_CNAME: |
2895 | 0 | break; |
2896 | 0 | default: |
2897 | 0 | if (dns_rdataset_isassociated(&a)) { |
2898 | 0 | dns_rdataset_disassociate(&a); |
2899 | 0 | } |
2900 | 0 | result = dns_db_find(db, name, NULL, dns_rdatatype_a, |
2901 | 0 | DNS_DBFIND_GLUEOK, 0, NULL, foundname, &a, |
2902 | 0 | NULL); |
2903 | 0 | } |
2904 | 0 | if (result == ISC_R_SUCCESS) { |
2905 | 0 | dns_rdataset_disassociate(&a); |
2906 | 0 | return (true); |
2907 | 0 | } else if (result == DNS_R_DELEGATION) { |
2908 | 0 | dns_rdataset_disassociate(&a); |
2909 | 0 | } |
2910 | | |
2911 | 0 | if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION || |
2912 | 0 | result == DNS_R_GLUE) |
2913 | 0 | { |
2914 | 0 | tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, |
2915 | 0 | DNS_DBFIND_GLUEOK, 0, NULL, foundname, |
2916 | 0 | &aaaa, NULL); |
2917 | 0 | if (tresult == ISC_R_SUCCESS) { |
2918 | 0 | if (dns_rdataset_isassociated(&a)) { |
2919 | 0 | dns_rdataset_disassociate(&a); |
2920 | 0 | } |
2921 | 0 | dns_rdataset_disassociate(&aaaa); |
2922 | 0 | return (true); |
2923 | 0 | } |
2924 | 0 | if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME) { |
2925 | 0 | dns_rdataset_disassociate(&aaaa); |
2926 | 0 | } |
2927 | 0 | if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) { |
2928 | | /* |
2929 | | * Check glue against child zone. |
2930 | | */ |
2931 | 0 | if (zone->checkns != NULL) { |
2932 | 0 | answer = (zone->checkns)(zone, name, owner, &a, |
2933 | 0 | &aaaa); |
2934 | 0 | } |
2935 | 0 | if (dns_rdataset_isassociated(&a)) { |
2936 | 0 | dns_rdataset_disassociate(&a); |
2937 | 0 | } |
2938 | 0 | if (dns_rdataset_isassociated(&aaaa)) { |
2939 | 0 | dns_rdataset_disassociate(&aaaa); |
2940 | 0 | } |
2941 | 0 | return (answer); |
2942 | 0 | } |
2943 | 0 | } |
2944 | | |
2945 | 0 | dns_name_format(owner, ownerbuf, sizeof ownerbuf); |
2946 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
2947 | 0 | if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN || |
2948 | 0 | result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION) |
2949 | 0 | { |
2950 | 0 | const char *what; |
2951 | 0 | bool required = false; |
2952 | 0 | if (dns_name_issubdomain(name, owner)) { |
2953 | 0 | what = "REQUIRED GLUE "; |
2954 | 0 | required = true; |
2955 | 0 | } else if (result == DNS_R_DELEGATION) { |
2956 | 0 | what = "SIBLING GLUE "; |
2957 | 0 | } else { |
2958 | 0 | what = ""; |
2959 | 0 | } |
2960 | |
|
2961 | 0 | if (result != DNS_R_DELEGATION || required || |
2962 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) |
2963 | 0 | { |
2964 | 0 | dns_zone_log(zone, level, |
2965 | 0 | "%s/NS '%s' has no %s" |
2966 | 0 | "address records (A or AAAA)", |
2967 | 0 | ownerbuf, namebuf, what); |
2968 | | /* |
2969 | | * Log missing address record. |
2970 | | */ |
2971 | 0 | if (result == DNS_R_DELEGATION && zone->checkns != NULL) |
2972 | 0 | { |
2973 | 0 | (void)(zone->checkns)(zone, name, owner, &a, |
2974 | 0 | &aaaa); |
2975 | 0 | } |
2976 | | /* XXX950 make fatal for 9.5.0. */ |
2977 | | /* answer = false; */ |
2978 | 0 | } |
2979 | 0 | } else if (result == DNS_R_CNAME) { |
2980 | 0 | dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)", |
2981 | 0 | ownerbuf, namebuf); |
2982 | | /* XXX950 make fatal for 9.5.0. */ |
2983 | | /* answer = false; */ |
2984 | 0 | } else if (result == DNS_R_DNAME) { |
2985 | 0 | dns_name_format(foundname, altbuf, sizeof altbuf); |
2986 | 0 | dns_zone_log(zone, level, |
2987 | 0 | "%s/NS '%s' is below a DNAME '%s' (illegal)", |
2988 | 0 | ownerbuf, namebuf, altbuf); |
2989 | | /* XXX950 make fatal for 9.5.0. */ |
2990 | | /* answer = false; */ |
2991 | 0 | } |
2992 | |
|
2993 | 0 | if (dns_rdataset_isassociated(&a)) { |
2994 | 0 | dns_rdataset_disassociate(&a); |
2995 | 0 | } |
2996 | 0 | if (dns_rdataset_isassociated(&aaaa)) { |
2997 | 0 | dns_rdataset_disassociate(&aaaa); |
2998 | 0 | } |
2999 | 0 | return (answer); |
3000 | 0 | } |
3001 | | |
3002 | | static bool |
3003 | | zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner, |
3004 | 0 | dns_rdataset_t *rdataset) { |
3005 | 0 | dns_rdataset_t tmprdataset; |
3006 | 0 | isc_result_t result; |
3007 | 0 | bool answer = true; |
3008 | 0 | bool format = true; |
3009 | 0 | int level = ISC_LOG_WARNING; |
3010 | 0 | char ownerbuf[DNS_NAME_FORMATSIZE]; |
3011 | 0 | char typebuf[DNS_RDATATYPE_FORMATSIZE]; |
3012 | 0 | unsigned int count1 = 0; |
3013 | |
|
3014 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL)) { |
3015 | 0 | level = ISC_LOG_ERROR; |
3016 | 0 | } |
3017 | |
|
3018 | 0 | dns_rdataset_init(&tmprdataset); |
3019 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
3020 | 0 | result = dns_rdataset_next(rdataset)) |
3021 | 0 | { |
3022 | 0 | dns_rdata_t rdata1 = DNS_RDATA_INIT; |
3023 | 0 | unsigned int count2 = 0; |
3024 | |
|
3025 | 0 | count1++; |
3026 | 0 | dns_rdataset_current(rdataset, &rdata1); |
3027 | 0 | dns_rdataset_clone(rdataset, &tmprdataset); |
3028 | 0 | for (result = dns_rdataset_first(&tmprdataset); |
3029 | 0 | result == ISC_R_SUCCESS; |
3030 | 0 | result = dns_rdataset_next(&tmprdataset)) |
3031 | 0 | { |
3032 | 0 | dns_rdata_t rdata2 = DNS_RDATA_INIT; |
3033 | 0 | count2++; |
3034 | 0 | if (count1 >= count2) { |
3035 | 0 | continue; |
3036 | 0 | } |
3037 | 0 | dns_rdataset_current(&tmprdataset, &rdata2); |
3038 | 0 | if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) { |
3039 | 0 | if (format) { |
3040 | 0 | dns_name_format(owner, ownerbuf, |
3041 | 0 | sizeof ownerbuf); |
3042 | 0 | dns_rdatatype_format(rdata1.type, |
3043 | 0 | typebuf, |
3044 | 0 | sizeof(typebuf)); |
3045 | 0 | format = false; |
3046 | 0 | } |
3047 | 0 | dns_zone_log(zone, level, |
3048 | 0 | "%s/%s has " |
3049 | 0 | "semantically identical records", |
3050 | 0 | ownerbuf, typebuf); |
3051 | 0 | if (level == ISC_LOG_ERROR) { |
3052 | 0 | answer = false; |
3053 | 0 | } |
3054 | 0 | break; |
3055 | 0 | } |
3056 | 0 | } |
3057 | 0 | dns_rdataset_disassociate(&tmprdataset); |
3058 | 0 | if (!format) { |
3059 | 0 | break; |
3060 | 0 | } |
3061 | 0 | } |
3062 | 0 | return (answer); |
3063 | 0 | } |
3064 | | |
3065 | | static bool |
3066 | 0 | zone_check_dup(dns_zone_t *zone, dns_db_t *db) { |
3067 | 0 | dns_dbiterator_t *dbiterator = NULL; |
3068 | 0 | dns_dbnode_t *node = NULL; |
3069 | 0 | dns_fixedname_t fixed; |
3070 | 0 | dns_name_t *name; |
3071 | 0 | dns_rdataset_t rdataset; |
3072 | 0 | dns_rdatasetiter_t *rdsit = NULL; |
3073 | 0 | bool ok = true; |
3074 | 0 | isc_result_t result; |
3075 | |
|
3076 | 0 | name = dns_fixedname_initname(&fixed); |
3077 | 0 | dns_rdataset_init(&rdataset); |
3078 | |
|
3079 | 0 | result = dns_db_createiterator(db, 0, &dbiterator); |
3080 | 0 | if (result != ISC_R_SUCCESS) { |
3081 | 0 | return (true); |
3082 | 0 | } |
3083 | | |
3084 | 0 | for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS; |
3085 | 0 | result = dns_dbiterator_next(dbiterator)) |
3086 | 0 | { |
3087 | 0 | result = dns_dbiterator_current(dbiterator, &node, name); |
3088 | 0 | if (result != ISC_R_SUCCESS) { |
3089 | 0 | continue; |
3090 | 0 | } |
3091 | | |
3092 | 0 | result = dns_db_allrdatasets(db, node, NULL, 0, 0, &rdsit); |
3093 | 0 | if (result != ISC_R_SUCCESS) { |
3094 | 0 | continue; |
3095 | 0 | } |
3096 | | |
3097 | 0 | for (result = dns_rdatasetiter_first(rdsit); |
3098 | 0 | result == ISC_R_SUCCESS; |
3099 | 0 | result = dns_rdatasetiter_next(rdsit)) |
3100 | 0 | { |
3101 | 0 | dns_rdatasetiter_current(rdsit, &rdataset); |
3102 | 0 | if (!zone_rrset_check_dup(zone, name, &rdataset)) { |
3103 | 0 | ok = false; |
3104 | 0 | } |
3105 | 0 | dns_rdataset_disassociate(&rdataset); |
3106 | 0 | } |
3107 | 0 | dns_rdatasetiter_destroy(&rdsit); |
3108 | 0 | dns_db_detachnode(db, &node); |
3109 | 0 | } |
3110 | |
|
3111 | 0 | if (node != NULL) { |
3112 | 0 | dns_db_detachnode(db, &node); |
3113 | 0 | } |
3114 | 0 | dns_dbiterator_destroy(&dbiterator); |
3115 | |
|
3116 | 0 | return (ok); |
3117 | 0 | } |
3118 | | |
3119 | | static bool |
3120 | 0 | isspf(const dns_rdata_t *rdata) { |
3121 | 0 | char buf[1024]; |
3122 | 0 | const unsigned char *data = rdata->data; |
3123 | 0 | unsigned int rdl = rdata->length, i = 0, tl, len; |
3124 | |
|
3125 | 0 | while (rdl > 0U) { |
3126 | 0 | len = tl = *data; |
3127 | 0 | ++data; |
3128 | 0 | --rdl; |
3129 | 0 | INSIST(tl <= rdl); |
3130 | 0 | if (len > sizeof(buf) - i - 1) { |
3131 | 0 | len = sizeof(buf) - i - 1; |
3132 | 0 | } |
3133 | 0 | memmove(buf + i, data, len); |
3134 | 0 | i += len; |
3135 | 0 | data += tl; |
3136 | 0 | rdl -= tl; |
3137 | 0 | } |
3138 | |
|
3139 | 0 | if (i < 6U) { |
3140 | 0 | return (false); |
3141 | 0 | } |
3142 | | |
3143 | 0 | buf[i] = 0; |
3144 | 0 | if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' ')) { |
3145 | 0 | return (true); |
3146 | 0 | } |
3147 | 0 | return (false); |
3148 | 0 | } |
3149 | | |
3150 | | static bool |
3151 | 0 | integrity_checks(dns_zone_t *zone, dns_db_t *db) { |
3152 | 0 | dns_dbiterator_t *dbiterator = NULL; |
3153 | 0 | dns_dbnode_t *node = NULL; |
3154 | 0 | dns_rdataset_t rdataset; |
3155 | 0 | dns_fixedname_t fixed; |
3156 | 0 | dns_fixedname_t fixedbottom; |
3157 | 0 | dns_rdata_mx_t mx; |
3158 | 0 | dns_rdata_ns_t ns; |
3159 | 0 | dns_rdata_in_srv_t srv; |
3160 | 0 | dns_rdata_t rdata; |
3161 | 0 | dns_name_t *name; |
3162 | 0 | dns_name_t *bottom; |
3163 | 0 | isc_result_t result; |
3164 | 0 | bool ok = true, have_spf, have_txt; |
3165 | 0 | int level; |
3166 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
3167 | |
|
3168 | 0 | name = dns_fixedname_initname(&fixed); |
3169 | 0 | bottom = dns_fixedname_initname(&fixedbottom); |
3170 | 0 | dns_rdataset_init(&rdataset); |
3171 | 0 | dns_rdata_init(&rdata); |
3172 | |
|
3173 | 0 | result = dns_db_createiterator(db, 0, &dbiterator); |
3174 | 0 | if (result != ISC_R_SUCCESS) { |
3175 | 0 | return (true); |
3176 | 0 | } |
3177 | | |
3178 | 0 | result = dns_dbiterator_first(dbiterator); |
3179 | 0 | while (result == ISC_R_SUCCESS) { |
3180 | 0 | result = dns_dbiterator_current(dbiterator, &node, name); |
3181 | 0 | if (result != ISC_R_SUCCESS) { |
3182 | 0 | goto cleanup; |
3183 | 0 | } |
3184 | | |
3185 | | /* |
3186 | | * Is this name visible in the zone? |
3187 | | */ |
3188 | 0 | if (!dns_name_issubdomain(name, &zone->origin) || |
3189 | 0 | (dns_name_countlabels(bottom) > 0 && |
3190 | 0 | dns_name_issubdomain(name, bottom))) |
3191 | 0 | { |
3192 | 0 | goto next; |
3193 | 0 | } |
3194 | | |
3195 | 0 | dns_dbiterator_pause(dbiterator); |
3196 | | |
3197 | | /* |
3198 | | * Don't check the NS records at the origin. |
3199 | | */ |
3200 | 0 | if (dns_name_equal(name, &zone->origin)) { |
3201 | 0 | goto checkfords; |
3202 | 0 | } |
3203 | | |
3204 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns, |
3205 | 0 | 0, 0, &rdataset, NULL); |
3206 | 0 | if (result != ISC_R_SUCCESS) { |
3207 | 0 | goto checkfords; |
3208 | 0 | } |
3209 | | /* |
3210 | | * Remember bottom of zone due to NS. |
3211 | | */ |
3212 | 0 | dns_name_copy(name, bottom); |
3213 | |
|
3214 | 0 | result = dns_rdataset_first(&rdataset); |
3215 | 0 | while (result == ISC_R_SUCCESS) { |
3216 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3217 | 0 | result = dns_rdata_tostruct(&rdata, &ns, NULL); |
3218 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3219 | 0 | if (!zone_check_glue(zone, db, &ns.name, name)) { |
3220 | 0 | ok = false; |
3221 | 0 | } |
3222 | 0 | dns_rdata_reset(&rdata); |
3223 | 0 | result = dns_rdataset_next(&rdataset); |
3224 | 0 | } |
3225 | 0 | dns_rdataset_disassociate(&rdataset); |
3226 | 0 | goto next; |
3227 | | |
3228 | 0 | checkfords: |
3229 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, |
3230 | 0 | 0, 0, &rdataset, NULL); |
3231 | 0 | if (result != ISC_R_SUCCESS) { |
3232 | 0 | goto checkfordname; |
3233 | 0 | } |
3234 | 0 | dns_rdataset_disassociate(&rdataset); |
3235 | |
|
3236 | 0 | if (zone->type == dns_zone_primary) { |
3237 | 0 | level = ISC_LOG_ERROR; |
3238 | 0 | ok = false; |
3239 | 0 | } else { |
3240 | 0 | level = ISC_LOG_WARNING; |
3241 | 0 | } |
3242 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
3243 | 0 | dns_zone_log(zone, level, "DS not at delegation point (%s)", |
3244 | 0 | namebuf); |
3245 | |
|
3246 | 0 | checkfordname: |
3247 | 0 | result = dns_db_findrdataset(db, node, NULL, |
3248 | 0 | dns_rdatatype_dname, 0, 0, |
3249 | 0 | &rdataset, NULL); |
3250 | 0 | if (result == ISC_R_SUCCESS) { |
3251 | | /* |
3252 | | * Remember bottom of zone due to DNAME. |
3253 | | */ |
3254 | 0 | dns_name_copy(name, bottom); |
3255 | 0 | dns_rdataset_disassociate(&rdataset); |
3256 | 0 | } |
3257 | |
|
3258 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx, |
3259 | 0 | 0, 0, &rdataset, NULL); |
3260 | 0 | if (result != ISC_R_SUCCESS) { |
3261 | 0 | goto checksrv; |
3262 | 0 | } |
3263 | 0 | result = dns_rdataset_first(&rdataset); |
3264 | 0 | while (result == ISC_R_SUCCESS) { |
3265 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3266 | 0 | result = dns_rdata_tostruct(&rdata, &mx, NULL); |
3267 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3268 | 0 | if (!zone_check_mx(zone, db, &mx.mx, name)) { |
3269 | 0 | ok = false; |
3270 | 0 | } |
3271 | 0 | dns_rdata_reset(&rdata); |
3272 | 0 | result = dns_rdataset_next(&rdataset); |
3273 | 0 | } |
3274 | 0 | dns_rdataset_disassociate(&rdataset); |
3275 | |
|
3276 | 0 | checksrv: |
3277 | 0 | if (zone->rdclass != dns_rdataclass_in) { |
3278 | 0 | goto next; |
3279 | 0 | } |
3280 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv, |
3281 | 0 | 0, 0, &rdataset, NULL); |
3282 | 0 | if (result != ISC_R_SUCCESS) { |
3283 | 0 | goto checkspf; |
3284 | 0 | } |
3285 | 0 | result = dns_rdataset_first(&rdataset); |
3286 | 0 | while (result == ISC_R_SUCCESS) { |
3287 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3288 | 0 | result = dns_rdata_tostruct(&rdata, &srv, NULL); |
3289 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3290 | 0 | if (!zone_check_srv(zone, db, &srv.target, name)) { |
3291 | 0 | ok = false; |
3292 | 0 | } |
3293 | 0 | dns_rdata_reset(&rdata); |
3294 | 0 | result = dns_rdataset_next(&rdataset); |
3295 | 0 | } |
3296 | 0 | dns_rdataset_disassociate(&rdataset); |
3297 | |
|
3298 | 0 | checkspf: |
3299 | | /* |
3300 | | * Check if there is a type SPF record without an |
3301 | | * SPF-formatted type TXT record also being present. |
3302 | | */ |
3303 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) { |
3304 | 0 | goto next; |
3305 | 0 | } |
3306 | 0 | if (zone->rdclass != dns_rdataclass_in) { |
3307 | 0 | goto next; |
3308 | 0 | } |
3309 | 0 | have_spf = have_txt = false; |
3310 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf, |
3311 | 0 | 0, 0, &rdataset, NULL); |
3312 | 0 | if (result == ISC_R_SUCCESS) { |
3313 | 0 | dns_rdataset_disassociate(&rdataset); |
3314 | 0 | have_spf = true; |
3315 | 0 | } |
3316 | 0 | result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt, |
3317 | 0 | 0, 0, &rdataset, NULL); |
3318 | 0 | if (result != ISC_R_SUCCESS) { |
3319 | 0 | goto notxt; |
3320 | 0 | } |
3321 | 0 | result = dns_rdataset_first(&rdataset); |
3322 | 0 | while (result == ISC_R_SUCCESS) { |
3323 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3324 | 0 | have_txt = isspf(&rdata); |
3325 | 0 | dns_rdata_reset(&rdata); |
3326 | 0 | if (have_txt) { |
3327 | 0 | break; |
3328 | 0 | } |
3329 | 0 | result = dns_rdataset_next(&rdataset); |
3330 | 0 | } |
3331 | 0 | dns_rdataset_disassociate(&rdataset); |
3332 | |
|
3333 | 0 | notxt: |
3334 | 0 | if (have_spf && !have_txt) { |
3335 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
3336 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
3337 | 0 | "'%s' found type " |
3338 | 0 | "SPF record but no SPF TXT record found, " |
3339 | 0 | "add matching type TXT record", |
3340 | 0 | namebuf); |
3341 | 0 | } |
3342 | |
|
3343 | 0 | next: |
3344 | 0 | dns_db_detachnode(db, &node); |
3345 | 0 | result = dns_dbiterator_next(dbiterator); |
3346 | 0 | } |
3347 | | |
3348 | 0 | cleanup: |
3349 | 0 | if (node != NULL) { |
3350 | 0 | dns_db_detachnode(db, &node); |
3351 | 0 | } |
3352 | 0 | dns_dbiterator_destroy(&dbiterator); |
3353 | |
|
3354 | 0 | return (ok); |
3355 | 0 | } |
3356 | | |
3357 | | /* |
3358 | | * OpenSSL verification of RSA keys with exponent 3 is known to be |
3359 | | * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn |
3360 | | * if they are in use. |
3361 | | */ |
3362 | | static void |
3363 | 2 | zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { |
3364 | 2 | dns_dbnode_t *node = NULL; |
3365 | 2 | dns_dbversion_t *version = NULL; |
3366 | 2 | dns_rdata_dnskey_t dnskey; |
3367 | 2 | dns_rdata_t rdata = DNS_RDATA_INIT; |
3368 | 2 | dns_rdataset_t rdataset; |
3369 | 2 | isc_result_t result; |
3370 | | |
3371 | 2 | result = dns_db_findnode(db, &zone->origin, false, &node); |
3372 | 2 | if (result != ISC_R_SUCCESS) { |
3373 | 0 | goto cleanup; |
3374 | 0 | } |
3375 | | |
3376 | 2 | dns_db_currentversion(db, &version); |
3377 | 2 | dns_rdataset_init(&rdataset); |
3378 | 2 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, |
3379 | 2 | dns_rdatatype_none, 0, &rdataset, NULL); |
3380 | 2 | if (result != ISC_R_SUCCESS) { |
3381 | 2 | goto cleanup; |
3382 | 2 | } |
3383 | | |
3384 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
3385 | 0 | result = dns_rdataset_next(&rdataset)) |
3386 | 0 | { |
3387 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3388 | 0 | result = dns_rdata_tostruct(&rdata, &dnskey, NULL); |
3389 | 0 | INSIST(result == ISC_R_SUCCESS); |
3390 | | |
3391 | | /* |
3392 | | * RFC 3110, section 4: Performance Considerations: |
3393 | | * |
3394 | | * A public exponent of 3 minimizes the effort needed to verify |
3395 | | * a signature. Use of 3 as the public exponent is weak for |
3396 | | * confidentiality uses since, if the same data can be collected |
3397 | | * encrypted under three different keys with an exponent of 3 |
3398 | | * then, using the Chinese Remainder Theorem [NETSEC], the |
3399 | | * original plain text can be easily recovered. If a key is |
3400 | | * known to be used only for authentication, as is the case with |
3401 | | * DNSSEC, then an exponent of 3 is acceptable. However other |
3402 | | * applications in the future may wish to leverage DNS |
3403 | | * distributed keys for applications that do require |
3404 | | * confidentiality. For keys which might have such other uses, |
3405 | | * a more conservative choice would be 65537 (F4, the fourth |
3406 | | * fermat number). |
3407 | | */ |
3408 | 0 | if (dnskey.datalen > 1 && dnskey.data[0] == 1 && |
3409 | 0 | dnskey.data[1] == 3 && |
3410 | 0 | (dnskey.algorithm == DNS_KEYALG_RSAMD5 || |
3411 | 0 | dnskey.algorithm == DNS_KEYALG_RSASHA1 || |
3412 | 0 | dnskey.algorithm == DNS_KEYALG_NSEC3RSASHA1 || |
3413 | 0 | dnskey.algorithm == DNS_KEYALG_RSASHA256 || |
3414 | 0 | dnskey.algorithm == DNS_KEYALG_RSASHA512)) |
3415 | 0 | { |
3416 | 0 | char algorithm[DNS_SECALG_FORMATSIZE]; |
3417 | 0 | isc_region_t r; |
3418 | |
|
3419 | 0 | dns_rdata_toregion(&rdata, &r); |
3420 | 0 | dns_secalg_format(dnskey.algorithm, algorithm, |
3421 | 0 | sizeof(algorithm)); |
3422 | |
|
3423 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
3424 | 0 | "weak %s (%u) key found (exponent=3, id=%u)", |
3425 | 0 | algorithm, dnskey.algorithm, |
3426 | 0 | dst_region_computeid(&r)); |
3427 | 0 | } |
3428 | 0 | dns_rdata_reset(&rdata); |
3429 | 0 | } |
3430 | 0 | dns_rdataset_disassociate(&rdataset); |
3431 | |
|
3432 | 2 | cleanup: |
3433 | 2 | if (node != NULL) { |
3434 | 2 | dns_db_detachnode(db, &node); |
3435 | 2 | } |
3436 | 2 | if (version != NULL) { |
3437 | 2 | dns_db_closeversion(db, &version, false); |
3438 | 2 | } |
3439 | 2 | } |
3440 | | |
3441 | | static void |
3442 | 0 | resume_signingwithkey(dns_zone_t *zone) { |
3443 | 0 | dns_dbnode_t *node = NULL; |
3444 | 0 | dns_dbversion_t *version = NULL; |
3445 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
3446 | 0 | dns_rdataset_t rdataset; |
3447 | 0 | isc_result_t result; |
3448 | 0 | dns_db_t *db = NULL; |
3449 | |
|
3450 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
3451 | 0 | if (zone->db != NULL) { |
3452 | 0 | dns_db_attach(zone->db, &db); |
3453 | 0 | } |
3454 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
3455 | 0 | if (db == NULL) { |
3456 | 0 | goto cleanup; |
3457 | 0 | } |
3458 | | |
3459 | 0 | result = dns_db_findnode(db, &zone->origin, false, &node); |
3460 | 0 | if (result != ISC_R_SUCCESS) { |
3461 | 0 | goto cleanup; |
3462 | 0 | } |
3463 | | |
3464 | 0 | dns_db_currentversion(db, &version); |
3465 | 0 | dns_rdataset_init(&rdataset); |
3466 | 0 | result = dns_db_findrdataset(db, node, version, zone->privatetype, |
3467 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
3468 | 0 | if (result != ISC_R_SUCCESS) { |
3469 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
3470 | 0 | goto cleanup; |
3471 | 0 | } |
3472 | | |
3473 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
3474 | 0 | result = dns_rdataset_next(&rdataset)) |
3475 | 0 | { |
3476 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3477 | 0 | if (rdata.length != 5 || rdata.data[0] == 0 || |
3478 | 0 | rdata.data[4] != 0) |
3479 | 0 | { |
3480 | 0 | dns_rdata_reset(&rdata); |
3481 | 0 | continue; |
3482 | 0 | } |
3483 | | |
3484 | 0 | result = zone_signwithkey(zone, rdata.data[0], |
3485 | 0 | (rdata.data[1] << 8) | rdata.data[2], |
3486 | 0 | rdata.data[3]); |
3487 | 0 | if (result != ISC_R_SUCCESS) { |
3488 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
3489 | 0 | "zone_signwithkey failed: %s", |
3490 | 0 | isc_result_totext(result)); |
3491 | 0 | } |
3492 | 0 | dns_rdata_reset(&rdata); |
3493 | 0 | } |
3494 | 0 | dns_rdataset_disassociate(&rdataset); |
3495 | |
|
3496 | 0 | cleanup: |
3497 | 0 | if (db != NULL) { |
3498 | 0 | if (node != NULL) { |
3499 | 0 | dns_db_detachnode(db, &node); |
3500 | 0 | } |
3501 | 0 | if (version != NULL) { |
3502 | 0 | dns_db_closeversion(db, &version, false); |
3503 | 0 | } |
3504 | 0 | dns_db_detach(&db); |
3505 | 0 | } |
3506 | 0 | } |
3507 | | |
3508 | | /* |
3509 | | * Initiate adding/removing NSEC3 records belonging to the chain defined by the |
3510 | | * supplied NSEC3PARAM RDATA. |
3511 | | * |
3512 | | * Zone must be locked by caller. |
3513 | | */ |
3514 | | static isc_result_t |
3515 | 0 | zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { |
3516 | 0 | dns_nsec3chain_t *nsec3chain, *current; |
3517 | 0 | dns_dbversion_t *version = NULL; |
3518 | 0 | bool nseconly = false, nsec3ok = false; |
3519 | 0 | isc_result_t result; |
3520 | 0 | isc_time_t now; |
3521 | 0 | unsigned int options = 0; |
3522 | 0 | char saltbuf[255 * 2 + 1]; |
3523 | 0 | char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")]; |
3524 | 0 | dns_db_t *db = NULL; |
3525 | |
|
3526 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
3527 | 0 | if (zone->db != NULL) { |
3528 | 0 | dns_db_attach(zone->db, &db); |
3529 | 0 | } |
3530 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
3531 | |
|
3532 | 0 | if (db == NULL) { |
3533 | 0 | result = ISC_R_SUCCESS; |
3534 | 0 | goto cleanup; |
3535 | 0 | } |
3536 | | |
3537 | | /* |
3538 | | * If this zone is not NSEC3-capable, attempting to remove any NSEC3 |
3539 | | * chain from it is pointless as it would not be possible for the |
3540 | | * latter to exist in the first place. |
3541 | | */ |
3542 | 0 | dns_db_currentversion(db, &version); |
3543 | 0 | result = dns_nsec_nseconly(db, version, NULL, &nseconly); |
3544 | 0 | nsec3ok = (result == ISC_R_SUCCESS && !nseconly); |
3545 | 0 | dns_db_closeversion(db, &version, false); |
3546 | 0 | if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0) { |
3547 | 0 | result = ISC_R_SUCCESS; |
3548 | 0 | goto cleanup; |
3549 | 0 | } |
3550 | | |
3551 | | /* |
3552 | | * Allocate and initialize structure preserving state of |
3553 | | * adding/removing records belonging to this NSEC3 chain between |
3554 | | * separate zone_nsec3chain() calls. |
3555 | | */ |
3556 | 0 | nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain); |
3557 | |
|
3558 | 0 | nsec3chain->magic = 0; |
3559 | 0 | nsec3chain->done = false; |
3560 | 0 | nsec3chain->db = NULL; |
3561 | 0 | nsec3chain->dbiterator = NULL; |
3562 | 0 | nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass; |
3563 | 0 | nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype; |
3564 | 0 | nsec3chain->nsec3param.hash = nsec3param->hash; |
3565 | 0 | nsec3chain->nsec3param.iterations = nsec3param->iterations; |
3566 | 0 | nsec3chain->nsec3param.flags = nsec3param->flags; |
3567 | 0 | nsec3chain->nsec3param.salt_length = nsec3param->salt_length; |
3568 | 0 | memmove(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length); |
3569 | 0 | nsec3chain->nsec3param.salt = nsec3chain->salt; |
3570 | 0 | nsec3chain->seen_nsec = false; |
3571 | 0 | nsec3chain->delete_nsec = false; |
3572 | 0 | nsec3chain->save_delete_nsec = false; |
3573 | | |
3574 | | /* |
3575 | | * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA. |
3576 | | */ |
3577 | 0 | if (nsec3param->flags == 0) { |
3578 | 0 | strlcpy(flags, "NONE", sizeof(flags)); |
3579 | 0 | } else { |
3580 | 0 | flags[0] = '\0'; |
3581 | 0 | if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) { |
3582 | 0 | strlcat(flags, "REMOVE", sizeof(flags)); |
3583 | 0 | } |
3584 | 0 | if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) { |
3585 | 0 | if (flags[0] == '\0') { |
3586 | 0 | strlcpy(flags, "INITIAL", sizeof(flags)); |
3587 | 0 | } else { |
3588 | 0 | strlcat(flags, "|INITIAL", sizeof(flags)); |
3589 | 0 | } |
3590 | 0 | } |
3591 | 0 | if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) { |
3592 | 0 | if (flags[0] == '\0') { |
3593 | 0 | strlcpy(flags, "CREATE", sizeof(flags)); |
3594 | 0 | } else { |
3595 | 0 | strlcat(flags, "|CREATE", sizeof(flags)); |
3596 | 0 | } |
3597 | 0 | } |
3598 | 0 | if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) { |
3599 | 0 | if (flags[0] == '\0') { |
3600 | 0 | strlcpy(flags, "NONSEC", sizeof(flags)); |
3601 | 0 | } else { |
3602 | 0 | strlcat(flags, "|NONSEC", sizeof(flags)); |
3603 | 0 | } |
3604 | 0 | } |
3605 | 0 | if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) { |
3606 | 0 | if (flags[0] == '\0') { |
3607 | 0 | strlcpy(flags, "OPTOUT", sizeof(flags)); |
3608 | 0 | } else { |
3609 | 0 | strlcat(flags, "|OPTOUT", sizeof(flags)); |
3610 | 0 | } |
3611 | 0 | } |
3612 | 0 | } |
3613 | 0 | result = dns_nsec3param_salttotext(nsec3param, saltbuf, |
3614 | 0 | sizeof(saltbuf)); |
3615 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3616 | 0 | dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)", |
3617 | 0 | nsec3param->hash, flags, nsec3param->iterations, saltbuf); |
3618 | | |
3619 | | /* |
3620 | | * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is |
3621 | | * currently being processed, interrupt its processing to avoid |
3622 | | * simultaneously adding and removing records for the same NSEC3 chain. |
3623 | | */ |
3624 | 0 | for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL; |
3625 | 0 | current = ISC_LIST_NEXT(current, link)) |
3626 | 0 | { |
3627 | 0 | if ((current->db == db) && |
3628 | 0 | (current->nsec3param.hash == nsec3param->hash) && |
3629 | 0 | (current->nsec3param.iterations == |
3630 | 0 | nsec3param->iterations) && |
3631 | 0 | (current->nsec3param.salt_length == |
3632 | 0 | nsec3param->salt_length) && |
3633 | 0 | memcmp(current->nsec3param.salt, nsec3param->salt, |
3634 | 0 | nsec3param->salt_length) == 0) |
3635 | 0 | { |
3636 | 0 | current->done = true; |
3637 | 0 | } |
3638 | 0 | } |
3639 | | |
3640 | | /* |
3641 | | * Attach zone database to the structure initialized above and create |
3642 | | * an iterator for it with appropriate options in order to avoid |
3643 | | * creating NSEC3 records for NSEC3 records. |
3644 | | */ |
3645 | 0 | dns_db_attach(db, &nsec3chain->db); |
3646 | 0 | if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) { |
3647 | 0 | options = DNS_DB_NONSEC3; |
3648 | 0 | } |
3649 | 0 | result = dns_db_createiterator(nsec3chain->db, options, |
3650 | 0 | &nsec3chain->dbiterator); |
3651 | 0 | if (result == ISC_R_SUCCESS) { |
3652 | 0 | result = dns_dbiterator_first(nsec3chain->dbiterator); |
3653 | 0 | } |
3654 | 0 | if (result == ISC_R_SUCCESS) { |
3655 | | /* |
3656 | | * Database iterator initialization succeeded. We are now |
3657 | | * ready to kick off adding/removing records belonging to this |
3658 | | * NSEC3 chain. Append the structure initialized above to the |
3659 | | * "nsec3chain" list for the zone and set the appropriate zone |
3660 | | * timer so that zone_nsec3chain() is called as soon as |
3661 | | * possible. |
3662 | | */ |
3663 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
3664 | 0 | ISC_LIST_INITANDAPPEND(zone->nsec3chain, nsec3chain, link); |
3665 | 0 | nsec3chain = NULL; |
3666 | 0 | if (isc_time_isepoch(&zone->nsec3chaintime)) { |
3667 | 0 | now = isc_time_now(); |
3668 | 0 | zone->nsec3chaintime = now; |
3669 | 0 | if (zone->loop != NULL) { |
3670 | 0 | zone_settimer(zone, &now); |
3671 | 0 | } |
3672 | 0 | } |
3673 | 0 | } |
3674 | |
|
3675 | 0 | if (nsec3chain != NULL) { |
3676 | 0 | if (nsec3chain->db != NULL) { |
3677 | 0 | dns_db_detach(&nsec3chain->db); |
3678 | 0 | } |
3679 | 0 | if (nsec3chain->dbiterator != NULL) { |
3680 | 0 | dns_dbiterator_destroy(&nsec3chain->dbiterator); |
3681 | 0 | } |
3682 | 0 | isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); |
3683 | 0 | } |
3684 | |
|
3685 | 0 | cleanup: |
3686 | 0 | if (db != NULL) { |
3687 | 0 | dns_db_detach(&db); |
3688 | 0 | } |
3689 | 0 | return (result); |
3690 | 0 | } |
3691 | | |
3692 | | /* |
3693 | | * Find private-type records at the zone apex which signal that an NSEC3 chain |
3694 | | * should be added or removed. For each such record, extract NSEC3PARAM RDATA |
3695 | | * and pass it to zone_addnsec3chain(). |
3696 | | * |
3697 | | * Zone must be locked by caller. |
3698 | | */ |
3699 | | static void |
3700 | 0 | resume_addnsec3chain(dns_zone_t *zone) { |
3701 | 0 | dns_dbnode_t *node = NULL; |
3702 | 0 | dns_dbversion_t *version = NULL; |
3703 | 0 | dns_rdataset_t rdataset; |
3704 | 0 | isc_result_t result; |
3705 | 0 | dns_rdata_nsec3param_t nsec3param; |
3706 | 0 | bool nseconly = false, nsec3ok = false; |
3707 | 0 | dns_db_t *db = NULL; |
3708 | |
|
3709 | 0 | INSIST(LOCKED_ZONE(zone)); |
3710 | |
|
3711 | 0 | if (zone->privatetype == 0) { |
3712 | 0 | return; |
3713 | 0 | } |
3714 | | |
3715 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
3716 | 0 | if (zone->db != NULL) { |
3717 | 0 | dns_db_attach(zone->db, &db); |
3718 | 0 | } |
3719 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
3720 | 0 | if (db == NULL) { |
3721 | 0 | goto cleanup; |
3722 | 0 | } |
3723 | | |
3724 | 0 | result = dns_db_findnode(db, &zone->origin, false, &node); |
3725 | 0 | if (result != ISC_R_SUCCESS) { |
3726 | 0 | goto cleanup; |
3727 | 0 | } |
3728 | | |
3729 | 0 | dns_db_currentversion(db, &version); |
3730 | | |
3731 | | /* |
3732 | | * In order to create NSEC3 chains we need the DNSKEY RRset at zone |
3733 | | * apex to exist and contain no keys using NSEC-only algorithms. |
3734 | | */ |
3735 | 0 | result = dns_nsec_nseconly(db, version, NULL, &nseconly); |
3736 | 0 | nsec3ok = (result == ISC_R_SUCCESS && !nseconly); |
3737 | | |
3738 | | /* |
3739 | | * Get the RRset containing all private-type records at the zone apex. |
3740 | | */ |
3741 | 0 | dns_rdataset_init(&rdataset); |
3742 | 0 | result = dns_db_findrdataset(db, node, version, zone->privatetype, |
3743 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
3744 | 0 | if (result != ISC_R_SUCCESS) { |
3745 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
3746 | 0 | goto cleanup; |
3747 | 0 | } |
3748 | | |
3749 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
3750 | 0 | result = dns_rdataset_next(&rdataset)) |
3751 | 0 | { |
3752 | 0 | unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; |
3753 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
3754 | 0 | dns_rdata_t private = DNS_RDATA_INIT; |
3755 | |
|
3756 | 0 | dns_rdataset_current(&rdataset, &private); |
3757 | | /* |
3758 | | * Try extracting NSEC3PARAM RDATA from this private-type |
3759 | | * record. Failure means this private-type record does not |
3760 | | * represent an NSEC3PARAM record, so skip it. |
3761 | | */ |
3762 | 0 | if (!dns_nsec3param_fromprivate(&private, &rdata, buf, |
3763 | 0 | sizeof(buf))) |
3764 | 0 | { |
3765 | 0 | continue; |
3766 | 0 | } |
3767 | 0 | result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); |
3768 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3769 | 0 | if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) || |
3770 | 0 | ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok)) |
3771 | 0 | { |
3772 | | /* |
3773 | | * Pass the NSEC3PARAM RDATA contained in this |
3774 | | * private-type record to zone_addnsec3chain() so that |
3775 | | * it can kick off adding or removing NSEC3 records. |
3776 | | */ |
3777 | 0 | result = zone_addnsec3chain(zone, &nsec3param); |
3778 | 0 | if (result != ISC_R_SUCCESS) { |
3779 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
3780 | 0 | "zone_addnsec3chain failed: %s", |
3781 | 0 | isc_result_totext(result)); |
3782 | 0 | } |
3783 | 0 | } |
3784 | 0 | } |
3785 | 0 | dns_rdataset_disassociate(&rdataset); |
3786 | |
|
3787 | 0 | cleanup: |
3788 | 0 | if (db != NULL) { |
3789 | 0 | if (node != NULL) { |
3790 | 0 | dns_db_detachnode(db, &node); |
3791 | 0 | } |
3792 | 0 | if (version != NULL) { |
3793 | 0 | dns_db_closeversion(db, &version, false); |
3794 | 0 | } |
3795 | 0 | dns_db_detach(&db); |
3796 | 0 | } |
3797 | 0 | } |
3798 | | |
3799 | | static void |
3800 | 0 | set_resigntime(dns_zone_t *zone) { |
3801 | 0 | dns_fixedname_t fixed; |
3802 | 0 | isc_stdtime_t resign; |
3803 | 0 | isc_result_t result; |
3804 | 0 | uint32_t nanosecs; |
3805 | 0 | dns_db_t *db = NULL; |
3806 | 0 | dns_typepair_t typepair; |
3807 | |
|
3808 | 0 | INSIST(LOCKED_ZONE(zone)); |
3809 | | |
3810 | | /* We only re-sign zones that can be dynamically updated */ |
3811 | 0 | if (!dns_zone_isdynamic(zone, false)) { |
3812 | 0 | return; |
3813 | 0 | } |
3814 | | |
3815 | 0 | if (inline_raw(zone)) { |
3816 | 0 | return; |
3817 | 0 | } |
3818 | | |
3819 | 0 | dns_fixedname_init(&fixed); |
3820 | |
|
3821 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
3822 | 0 | if (zone->db != NULL) { |
3823 | 0 | dns_db_attach(zone->db, &db); |
3824 | 0 | } |
3825 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
3826 | 0 | if (db == NULL) { |
3827 | 0 | isc_time_settoepoch(&zone->resigntime); |
3828 | 0 | return; |
3829 | 0 | } |
3830 | | |
3831 | 0 | result = dns_db_getsigningtime(db, &resign, dns_fixedname_name(&fixed), |
3832 | 0 | &typepair); |
3833 | 0 | if (result != ISC_R_SUCCESS) { |
3834 | 0 | isc_time_settoepoch(&zone->resigntime); |
3835 | 0 | goto cleanup; |
3836 | 0 | } |
3837 | | |
3838 | 0 | resign -= dns_zone_getsigresigninginterval(zone); |
3839 | 0 | nanosecs = isc_random_uniform(1000000000); |
3840 | 0 | isc_time_set(&zone->resigntime, resign, nanosecs); |
3841 | |
|
3842 | 0 | cleanup: |
3843 | 0 | dns_db_detach(&db); |
3844 | 0 | return; |
3845 | 0 | } |
3846 | | |
3847 | | static isc_result_t |
3848 | 2 | check_nsec3param(dns_zone_t *zone, dns_db_t *db) { |
3849 | 2 | bool ok = false; |
3850 | 2 | dns_dbnode_t *node = NULL; |
3851 | 2 | dns_dbversion_t *version = NULL; |
3852 | 2 | dns_rdata_nsec3param_t nsec3param; |
3853 | 2 | dns_rdataset_t rdataset; |
3854 | 2 | isc_result_t result; |
3855 | 2 | bool dynamic = (zone->type == dns_zone_primary) |
3856 | 2 | ? dns_zone_isdynamic(zone, false) |
3857 | 2 | : false; |
3858 | | |
3859 | 2 | dns_rdataset_init(&rdataset); |
3860 | 2 | result = dns_db_findnode(db, &zone->origin, false, &node); |
3861 | 2 | if (result != ISC_R_SUCCESS) { |
3862 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
3863 | 0 | "nsec3param lookup failure: %s", |
3864 | 0 | isc_result_totext(result)); |
3865 | 0 | return (result); |
3866 | 0 | } |
3867 | 2 | dns_db_currentversion(db, &version); |
3868 | | |
3869 | 2 | result = dns_db_findrdataset(db, node, version, |
3870 | 2 | dns_rdatatype_nsec3param, |
3871 | 2 | dns_rdatatype_none, 0, &rdataset, NULL); |
3872 | 2 | if (result == ISC_R_NOTFOUND) { |
3873 | 2 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
3874 | 2 | result = ISC_R_SUCCESS; |
3875 | 2 | goto cleanup; |
3876 | 2 | } |
3877 | 0 | if (result != ISC_R_SUCCESS) { |
3878 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
3879 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
3880 | 0 | "nsec3param lookup failure: %s", |
3881 | 0 | isc_result_totext(result)); |
3882 | 0 | goto cleanup; |
3883 | 0 | } |
3884 | | |
3885 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
3886 | 0 | result = dns_rdataset_next(&rdataset)) |
3887 | 0 | { |
3888 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
3889 | |
|
3890 | 0 | dns_rdataset_current(&rdataset, &rdata); |
3891 | 0 | result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); |
3892 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
3893 | | |
3894 | | /* |
3895 | | * For dynamic zones we must support every algorithm so we |
3896 | | * can regenerate all the NSEC3 chains. |
3897 | | * For non-dynamic zones we only need to find a supported |
3898 | | * algorithm. |
3899 | | */ |
3900 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) && |
3901 | 0 | nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic) |
3902 | 0 | { |
3903 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
3904 | 0 | "nsec3 test \"unknown\" hash algorithm " |
3905 | 0 | "found: %u", |
3906 | 0 | nsec3param.hash); |
3907 | 0 | ok = true; |
3908 | 0 | } else if (!dns_nsec3_supportedhash(nsec3param.hash)) { |
3909 | 0 | if (dynamic) { |
3910 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
3911 | 0 | "unsupported nsec3 hash algorithm" |
3912 | 0 | " in dynamic zone: %u", |
3913 | 0 | nsec3param.hash); |
3914 | 0 | result = DNS_R_BADZONE; |
3915 | | /* Stop second error message. */ |
3916 | 0 | ok = true; |
3917 | 0 | break; |
3918 | 0 | } else { |
3919 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
3920 | 0 | "unsupported nsec3 hash " |
3921 | 0 | "algorithm: %u", |
3922 | 0 | nsec3param.hash); |
3923 | 0 | } |
3924 | 0 | } else { |
3925 | 0 | ok = true; |
3926 | 0 | } |
3927 | | |
3928 | | /* |
3929 | | * Warn if the zone has excessive NSEC3 iterations. |
3930 | | */ |
3931 | 0 | if (nsec3param.iterations > dns_nsec3_maxiterations()) { |
3932 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
3933 | 0 | "excessive NSEC3PARAM iterations %u > %u", |
3934 | 0 | nsec3param.iterations, |
3935 | 0 | dns_nsec3_maxiterations()); |
3936 | 0 | } |
3937 | 0 | } |
3938 | 0 | if (result == ISC_R_NOMORE) { |
3939 | 0 | result = ISC_R_SUCCESS; |
3940 | 0 | } |
3941 | |
|
3942 | 0 | if (!ok) { |
3943 | 0 | result = DNS_R_BADZONE; |
3944 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
3945 | 0 | "no supported nsec3 hash algorithm"); |
3946 | 0 | } |
3947 | |
|
3948 | 2 | cleanup: |
3949 | 2 | if (dns_rdataset_isassociated(&rdataset)) { |
3950 | 0 | dns_rdataset_disassociate(&rdataset); |
3951 | 0 | } |
3952 | 2 | dns_db_closeversion(db, &version, false); |
3953 | 2 | dns_db_detachnode(db, &node); |
3954 | 2 | return (result); |
3955 | 0 | } |
3956 | | |
3957 | | /* |
3958 | | * Set the timer for refreshing the key zone to the soonest future time |
3959 | | * of the set (current timer, keydata->refresh, keydata->addhd, |
3960 | | * keydata->removehd). |
3961 | | */ |
3962 | | static void |
3963 | | set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key, |
3964 | 0 | isc_stdtime_t now, bool force) { |
3965 | 0 | isc_stdtime_t then; |
3966 | 0 | isc_time_t timenow, timethen; |
3967 | 0 | char timebuf[80]; |
3968 | |
|
3969 | 0 | ENTER; |
3970 | 0 | then = key->refresh; |
3971 | 0 | if (force) { |
3972 | 0 | then = now; |
3973 | 0 | } |
3974 | 0 | if (key->addhd > now && key->addhd < then) { |
3975 | 0 | then = key->addhd; |
3976 | 0 | } |
3977 | 0 | if (key->removehd > now && key->removehd < then) { |
3978 | 0 | then = key->removehd; |
3979 | 0 | } |
3980 | |
|
3981 | 0 | timenow = isc_time_now(); |
3982 | 0 | if (then > now) { |
3983 | 0 | DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); |
3984 | 0 | } else { |
3985 | 0 | timethen = timenow; |
3986 | 0 | } |
3987 | 0 | if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 || |
3988 | 0 | isc_time_compare(&timethen, &zone->refreshkeytime) < 0) |
3989 | 0 | { |
3990 | 0 | zone->refreshkeytime = timethen; |
3991 | 0 | } |
3992 | |
|
3993 | 0 | isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); |
3994 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf); |
3995 | 0 | zone_settimer(zone, &timenow); |
3996 | 0 | } |
3997 | | |
3998 | | /* |
3999 | | * If keynode references a key or a DS rdataset, and if the key |
4000 | | * zone does not contain a KEYDATA record for the corresponding name, |
4001 | | * then create an empty KEYDATA and push it into the zone as a placeholder, |
4002 | | * then schedule a key refresh immediately. This new KEYDATA record will be |
4003 | | * updated during the refresh. |
4004 | | * |
4005 | | * If the key zone is changed, set '*changed' to true. |
4006 | | */ |
4007 | | static isc_result_t |
4008 | | create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
4009 | | dns_diff_t *diff, dns_keynode_t *keynode, dns_name_t *keyname, |
4010 | 0 | bool *changed) { |
4011 | 0 | isc_result_t result = ISC_R_SUCCESS; |
4012 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4013 | 0 | dns_rdata_keydata_t kd; |
4014 | 0 | unsigned char rrdata[4096]; |
4015 | 0 | isc_buffer_t rrdatabuf; |
4016 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
4017 | |
|
4018 | 0 | REQUIRE(keynode != NULL); |
4019 | |
|
4020 | 0 | ENTER; |
4021 | | |
4022 | | /* |
4023 | | * If the keynode has no trust anchor set, we shouldn't be here. |
4024 | | */ |
4025 | 0 | if (!dns_keynode_dsset(keynode, NULL)) { |
4026 | 0 | return (ISC_R_FAILURE); |
4027 | 0 | } |
4028 | | |
4029 | 0 | memset(&kd, 0, sizeof(kd)); |
4030 | 0 | kd.common.rdclass = zone->rdclass; |
4031 | 0 | kd.common.rdtype = dns_rdatatype_keydata; |
4032 | 0 | ISC_LINK_INIT(&kd.common, link); |
4033 | |
|
4034 | 0 | isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata)); |
4035 | |
|
4036 | 0 | CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, dns_rdatatype_keydata, |
4037 | 0 | &kd, &rrdatabuf)); |
4038 | | /* Add rdata to zone. */ |
4039 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, keyname, 0, &rdata)); |
4040 | 0 | *changed = true; |
4041 | | |
4042 | | /* Refresh new keys from the zone apex as soon as possible. */ |
4043 | 0 | set_refreshkeytimer(zone, &kd, now, true); |
4044 | 0 | return (ISC_R_SUCCESS); |
4045 | | |
4046 | 0 | failure: |
4047 | 0 | return (result); |
4048 | 0 | } |
4049 | | |
4050 | | /* |
4051 | | * Remove from the key zone all the KEYDATA records found in rdataset. |
4052 | | */ |
4053 | | static isc_result_t |
4054 | | delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, |
4055 | 0 | dns_name_t *name, dns_rdataset_t *rdataset) { |
4056 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4057 | 0 | isc_result_t result, uresult; |
4058 | |
|
4059 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
4060 | 0 | result = dns_rdataset_next(rdataset)) |
4061 | 0 | { |
4062 | 0 | dns_rdata_reset(&rdata); |
4063 | 0 | dns_rdataset_current(rdataset, &rdata); |
4064 | 0 | uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, 0, |
4065 | 0 | &rdata); |
4066 | 0 | if (uresult != ISC_R_SUCCESS) { |
4067 | 0 | return (uresult); |
4068 | 0 | } |
4069 | 0 | } |
4070 | 0 | if (result == ISC_R_NOMORE) { |
4071 | 0 | result = ISC_R_SUCCESS; |
4072 | 0 | } |
4073 | 0 | return (result); |
4074 | 0 | } |
4075 | | |
4076 | | /* |
4077 | | * Compute the DNSSEC key ID for a DNSKEY record. |
4078 | | */ |
4079 | | static isc_result_t |
4080 | | compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, |
4081 | 0 | dns_keytag_t *tag) { |
4082 | 0 | isc_result_t result; |
4083 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4084 | 0 | unsigned char data[4096]; |
4085 | 0 | isc_buffer_t buffer; |
4086 | 0 | dst_key_t *dstkey = NULL; |
4087 | |
|
4088 | 0 | isc_buffer_init(&buffer, data, sizeof(data)); |
4089 | 0 | dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, |
4090 | 0 | dns_rdatatype_dnskey, dnskey, &buffer); |
4091 | |
|
4092 | 0 | result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); |
4093 | 0 | if (result == ISC_R_SUCCESS) { |
4094 | 0 | *tag = dst_key_id(dstkey); |
4095 | 0 | dst_key_free(&dstkey); |
4096 | 0 | } |
4097 | |
|
4098 | 0 | return (result); |
4099 | 0 | } |
4100 | | |
4101 | | /* |
4102 | | * Synth-from-dnssec callbacks to add/delete names from namespace tree. |
4103 | | */ |
4104 | | static void |
4105 | 0 | sfd_add(const dns_name_t *name, void *arg) { |
4106 | 0 | if (arg != NULL) { |
4107 | 0 | dns_view_sfd_add(arg, name); |
4108 | 0 | } |
4109 | 0 | } |
4110 | | |
4111 | | static void |
4112 | 0 | sfd_del(const dns_name_t *name, void *arg) { |
4113 | 0 | if (arg != NULL) { |
4114 | 0 | dns_view_sfd_del(arg, name); |
4115 | 0 | } |
4116 | 0 | } |
4117 | | |
4118 | | /* |
4119 | | * Add key to the security roots. |
4120 | | */ |
4121 | | static void |
4122 | | trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey, |
4123 | 0 | bool initial) { |
4124 | 0 | isc_result_t result; |
4125 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4126 | 0 | unsigned char data[4096], digest[ISC_MAX_MD_SIZE]; |
4127 | 0 | isc_buffer_t buffer; |
4128 | 0 | dns_keytable_t *sr = NULL; |
4129 | 0 | dns_rdata_ds_t ds; |
4130 | |
|
4131 | 0 | result = dns_view_getsecroots(zone->view, &sr); |
4132 | 0 | if (result != ISC_R_SUCCESS) { |
4133 | 0 | return; |
4134 | 0 | } |
4135 | | |
4136 | | /* Build DS record for key. */ |
4137 | 0 | isc_buffer_init(&buffer, data, sizeof(data)); |
4138 | 0 | dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, |
4139 | 0 | dns_rdatatype_dnskey, dnskey, &buffer); |
4140 | 0 | CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest, |
4141 | 0 | &ds)); |
4142 | 0 | CHECK(dns_keytable_add(sr, true, initial, keyname, &ds, sfd_add, |
4143 | 0 | zone->view)); |
4144 | | |
4145 | 0 | dns_keytable_detach(&sr); |
4146 | |
|
4147 | 0 | failure: |
4148 | 0 | if (sr != NULL) { |
4149 | 0 | dns_keytable_detach(&sr); |
4150 | 0 | } |
4151 | 0 | return; |
4152 | 0 | } |
4153 | | |
4154 | | /* |
4155 | | * Add a null key to the security roots for so that all queries |
4156 | | * to the zone will fail. |
4157 | | */ |
4158 | | static void |
4159 | 0 | fail_secure(dns_zone_t *zone, dns_name_t *keyname) { |
4160 | 0 | isc_result_t result; |
4161 | 0 | dns_keytable_t *sr = NULL; |
4162 | |
|
4163 | 0 | result = dns_view_getsecroots(zone->view, &sr); |
4164 | 0 | if (result == ISC_R_SUCCESS) { |
4165 | 0 | dns_keytable_marksecure(sr, keyname); |
4166 | 0 | dns_keytable_detach(&sr); |
4167 | 0 | } |
4168 | 0 | } |
4169 | | |
4170 | | /* |
4171 | | * Scan a set of KEYDATA records from the key zone. The ones that are |
4172 | | * valid (i.e., the add holddown timer has expired) become trusted keys. |
4173 | | */ |
4174 | | static void |
4175 | 0 | load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { |
4176 | 0 | isc_result_t result; |
4177 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4178 | 0 | dns_rdata_keydata_t keydata; |
4179 | 0 | dns_rdata_dnskey_t dnskey; |
4180 | 0 | int trusted = 0, revoked = 0, pending = 0; |
4181 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
4182 | 0 | dns_keytable_t *sr = NULL; |
4183 | |
|
4184 | 0 | result = dns_view_getsecroots(zone->view, &sr); |
4185 | 0 | if (result == ISC_R_SUCCESS) { |
4186 | 0 | dns_keytable_delete(sr, name, sfd_del, zone->view); |
4187 | 0 | dns_keytable_detach(&sr); |
4188 | 0 | } |
4189 | | |
4190 | | /* Now insert all the accepted trust anchors from this keydata set. */ |
4191 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
4192 | 0 | result = dns_rdataset_next(rdataset)) |
4193 | 0 | { |
4194 | 0 | dns_rdata_reset(&rdata); |
4195 | 0 | dns_rdataset_current(rdataset, &rdata); |
4196 | | |
4197 | | /* Convert rdata to keydata. */ |
4198 | 0 | result = dns_rdata_tostruct(&rdata, &keydata, NULL); |
4199 | 0 | if (result == ISC_R_NOTIMPLEMENTED) { |
4200 | 0 | continue; |
4201 | 0 | } |
4202 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
4203 | | |
4204 | | /* Set the key refresh timer to force a fast refresh. */ |
4205 | 0 | set_refreshkeytimer(zone, &keydata, now, true); |
4206 | | |
4207 | | /* If the removal timer is nonzero, this key was revoked. */ |
4208 | 0 | if (keydata.removehd != 0) { |
4209 | 0 | revoked++; |
4210 | 0 | continue; |
4211 | 0 | } |
4212 | | |
4213 | | /* |
4214 | | * If the add timer is still pending, this key is not |
4215 | | * trusted yet. |
4216 | | */ |
4217 | 0 | if (now < keydata.addhd) { |
4218 | 0 | pending++; |
4219 | 0 | continue; |
4220 | 0 | } |
4221 | | |
4222 | | /* Convert keydata to dnskey. */ |
4223 | 0 | dns_keydata_todnskey(&keydata, &dnskey, NULL); |
4224 | | |
4225 | | /* Add to keytables. */ |
4226 | 0 | trusted++; |
4227 | 0 | trust_key(zone, name, &dnskey, (keydata.addhd == 0)); |
4228 | 0 | } |
4229 | |
|
4230 | 0 | if (trusted == 0 && pending != 0) { |
4231 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
4232 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
4233 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
4234 | 0 | "No valid trust anchors for '%s'!", namebuf); |
4235 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
4236 | 0 | "%d key(s) revoked, %d still pending", revoked, |
4237 | 0 | pending); |
4238 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail", |
4239 | 0 | namebuf); |
4240 | 0 | fail_secure(zone, name); |
4241 | 0 | } |
4242 | 0 | } |
4243 | | |
4244 | | static isc_result_t |
4245 | | do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, |
4246 | 0 | dns_diff_t *diff) { |
4247 | 0 | dns_diff_t temp_diff; |
4248 | 0 | isc_result_t result; |
4249 | | |
4250 | | /* |
4251 | | * Create a singleton diff. |
4252 | | */ |
4253 | 0 | dns_diff_init(diff->mctx, &temp_diff); |
4254 | 0 | ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); |
4255 | | |
4256 | | /* |
4257 | | * Apply it to the database. |
4258 | | */ |
4259 | 0 | result = dns_diff_apply(&temp_diff, db, ver); |
4260 | 0 | ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link); |
4261 | 0 | if (result != ISC_R_SUCCESS) { |
4262 | 0 | dns_difftuple_free(tuple); |
4263 | 0 | return (result); |
4264 | 0 | } |
4265 | | |
4266 | | /* |
4267 | | * Merge it into the current pending journal entry. |
4268 | | */ |
4269 | 0 | dns_diff_appendminimal(diff, tuple); |
4270 | | |
4271 | | /* |
4272 | | * Do not clear temp_diff. |
4273 | | */ |
4274 | 0 | return (ISC_R_SUCCESS); |
4275 | 0 | } |
4276 | | |
4277 | | static isc_result_t |
4278 | | update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, |
4279 | | dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl, |
4280 | 0 | dns_rdata_t *rdata) { |
4281 | 0 | dns_difftuple_t *tuple = NULL; |
4282 | 0 | isc_result_t result; |
4283 | 0 | result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple); |
4284 | 0 | if (result != ISC_R_SUCCESS) { |
4285 | 0 | return (result); |
4286 | 0 | } |
4287 | 0 | return (do_one_tuple(&tuple, db, ver, diff)); |
4288 | 0 | } |
4289 | | |
4290 | | static isc_result_t |
4291 | | update_soa_serial(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
4292 | | dns_diff_t *diff, isc_mem_t *mctx, |
4293 | 0 | dns_updatemethod_t method) { |
4294 | 0 | dns_difftuple_t *deltuple = NULL; |
4295 | 0 | dns_difftuple_t *addtuple = NULL; |
4296 | 0 | uint32_t serial; |
4297 | 0 | isc_result_t result; |
4298 | 0 | dns_updatemethod_t used = dns_updatemethod_none; |
4299 | |
|
4300 | 0 | INSIST(method != dns_updatemethod_none); |
4301 | |
|
4302 | 0 | CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple)); |
4303 | 0 | CHECK(dns_difftuple_copy(deltuple, &addtuple)); |
4304 | 0 | addtuple->op = DNS_DIFFOP_ADD; |
4305 | |
|
4306 | 0 | serial = dns_soa_getserial(&addtuple->rdata); |
4307 | 0 | serial = dns_update_soaserial(serial, method, &used); |
4308 | 0 | if (method != used) { |
4309 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
4310 | 0 | "update_soa_serial:new serial would be lower than " |
4311 | 0 | "old serial, using increment method instead"); |
4312 | 0 | } |
4313 | 0 | dns_soa_setserial(serial, &addtuple->rdata); |
4314 | 0 | CHECK(do_one_tuple(&deltuple, db, ver, diff)); |
4315 | 0 | CHECK(do_one_tuple(&addtuple, db, ver, diff)); |
4316 | 0 | result = ISC_R_SUCCESS; |
4317 | |
|
4318 | 0 | failure: |
4319 | 0 | if (addtuple != NULL) { |
4320 | 0 | dns_difftuple_free(&addtuple); |
4321 | 0 | } |
4322 | 0 | if (deltuple != NULL) { |
4323 | 0 | dns_difftuple_free(&deltuple); |
4324 | 0 | } |
4325 | 0 | return (result); |
4326 | 0 | } |
4327 | | |
4328 | | /* |
4329 | | * Write all transactions in 'diff' to the zone journal file. |
4330 | | */ |
4331 | | static isc_result_t |
4332 | | zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial, |
4333 | 0 | const char *caller) { |
4334 | 0 | const char *journalfile; |
4335 | 0 | isc_result_t result = ISC_R_SUCCESS; |
4336 | 0 | dns_journal_t *journal = NULL; |
4337 | 0 | unsigned int mode = DNS_JOURNAL_CREATE | DNS_JOURNAL_WRITE; |
4338 | |
|
4339 | 0 | ENTER; |
4340 | 0 | journalfile = dns_zone_getjournal(zone); |
4341 | 0 | if (journalfile != NULL) { |
4342 | 0 | result = dns_journal_open(zone->mctx, journalfile, mode, |
4343 | 0 | &journal); |
4344 | 0 | if (result != ISC_R_SUCCESS) { |
4345 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
4346 | 0 | "%s:dns_journal_open -> %s", caller, |
4347 | 0 | isc_result_totext(result)); |
4348 | 0 | return (result); |
4349 | 0 | } |
4350 | | |
4351 | 0 | if (sourceserial != NULL) { |
4352 | 0 | dns_journal_set_sourceserial(journal, *sourceserial); |
4353 | 0 | } |
4354 | |
|
4355 | 0 | result = dns_journal_write_transaction(journal, diff); |
4356 | 0 | if (result != ISC_R_SUCCESS) { |
4357 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
4358 | 0 | "%s:dns_journal_write_transaction -> %s", |
4359 | 0 | caller, isc_result_totext(result)); |
4360 | 0 | } |
4361 | 0 | dns_journal_destroy(&journal); |
4362 | 0 | } |
4363 | | |
4364 | 0 | return (result); |
4365 | 0 | } |
4366 | | |
4367 | | /* |
4368 | | * Create an SOA record for a newly-created zone |
4369 | | */ |
4370 | | static isc_result_t |
4371 | 0 | add_soa(dns_zone_t *zone, dns_db_t *db) { |
4372 | 0 | isc_result_t result; |
4373 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4374 | 0 | unsigned char buf[DNS_SOA_BUFFERSIZE]; |
4375 | 0 | dns_dbversion_t *ver = NULL; |
4376 | 0 | dns_diff_t diff; |
4377 | |
|
4378 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA"); |
4379 | |
|
4380 | 0 | dns_diff_init(zone->mctx, &diff); |
4381 | 0 | result = dns_db_newversion(db, &ver); |
4382 | 0 | if (result != ISC_R_SUCCESS) { |
4383 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
4384 | 0 | "add_soa:dns_db_newversion -> %s", |
4385 | 0 | isc_result_totext(result)); |
4386 | 0 | goto failure; |
4387 | 0 | } |
4388 | | |
4389 | | /* Build SOA record */ |
4390 | 0 | result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass, |
4391 | 0 | 0, 0, 0, 0, 0, buf, &rdata); |
4392 | 0 | if (result != ISC_R_SUCCESS) { |
4393 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
4394 | 0 | "add_soa:dns_soa_buildrdata -> %s", |
4395 | 0 | isc_result_totext(result)); |
4396 | 0 | goto failure; |
4397 | 0 | } |
4398 | | |
4399 | 0 | result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD, &zone->origin, 0, |
4400 | 0 | &rdata); |
4401 | |
|
4402 | 0 | failure: |
4403 | 0 | dns_diff_clear(&diff); |
4404 | 0 | if (ver != NULL) { |
4405 | 0 | dns_db_closeversion(db, &ver, (result == ISC_R_SUCCESS)); |
4406 | 0 | } |
4407 | |
|
4408 | 0 | INSIST(ver == NULL); |
4409 | |
|
4410 | 0 | return (result); |
4411 | 0 | } |
4412 | | |
4413 | | struct addifmissing_arg { |
4414 | | dns_db_t *db; |
4415 | | dns_dbversion_t *ver; |
4416 | | dns_diff_t *diff; |
4417 | | dns_zone_t *zone; |
4418 | | bool *changed; |
4419 | | isc_result_t result; |
4420 | | }; |
4421 | | |
4422 | | static void |
4423 | | addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode, |
4424 | 0 | dns_name_t *keyname, void *arg) { |
4425 | 0 | dns_db_t *db = ((struct addifmissing_arg *)arg)->db; |
4426 | 0 | dns_dbversion_t *ver = ((struct addifmissing_arg *)arg)->ver; |
4427 | 0 | dns_diff_t *diff = ((struct addifmissing_arg *)arg)->diff; |
4428 | 0 | dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone; |
4429 | 0 | bool *changed = ((struct addifmissing_arg *)arg)->changed; |
4430 | 0 | isc_result_t result; |
4431 | 0 | dns_fixedname_t fname; |
4432 | |
|
4433 | 0 | UNUSED(keytable); |
4434 | |
|
4435 | 0 | if (((struct addifmissing_arg *)arg)->result != ISC_R_SUCCESS) { |
4436 | 0 | return; |
4437 | 0 | } |
4438 | | |
4439 | 0 | if (!dns_keynode_managed(keynode)) { |
4440 | 0 | return; |
4441 | 0 | } |
4442 | | |
4443 | | /* |
4444 | | * If the keynode has no trust anchor set, return. |
4445 | | */ |
4446 | 0 | if (!dns_keynode_dsset(keynode, NULL)) { |
4447 | 0 | return; |
4448 | 0 | } |
4449 | | |
4450 | | /* |
4451 | | * Check whether there's already a KEYDATA entry for this name; |
4452 | | * if so, we don't need to add another. |
4453 | | */ |
4454 | 0 | dns_fixedname_init(&fname); |
4455 | 0 | result = dns_db_find(db, keyname, ver, dns_rdatatype_keydata, |
4456 | 0 | DNS_DBFIND_NOWILD, 0, NULL, |
4457 | 0 | dns_fixedname_name(&fname), NULL, NULL); |
4458 | 0 | if (result == ISC_R_SUCCESS) { |
4459 | 0 | return; |
4460 | 0 | } |
4461 | | |
4462 | | /* |
4463 | | * Create the keydata. |
4464 | | */ |
4465 | 0 | result = create_keydata(zone, db, ver, diff, keynode, keyname, changed); |
4466 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) { |
4467 | 0 | ((struct addifmissing_arg *)arg)->result = result; |
4468 | 0 | } |
4469 | 0 | } |
4470 | | |
4471 | | /* |
4472 | | * Synchronize the set of initializing keys found in managed-keys {} |
4473 | | * statements with the set of trust anchors found in the managed-keys.bind |
4474 | | * zone. If a domain is no longer named in managed-keys, delete all keys |
4475 | | * from that domain from the key zone. If a domain is configured as an |
4476 | | * initial-key in trust-anchors, but there are no references to it in the |
4477 | | * key zone, load the key zone with the initializing key(s) for that |
4478 | | * domain and schedule a key refresh. If a domain is configured as |
4479 | | * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key |
4480 | | * zone with the matching key, and schedule a key refresh. |
4481 | | */ |
4482 | | static isc_result_t |
4483 | 0 | sync_keyzone(dns_zone_t *zone, dns_db_t *db) { |
4484 | 0 | isc_result_t result = ISC_R_SUCCESS; |
4485 | 0 | bool changed = false; |
4486 | 0 | bool commit = false; |
4487 | 0 | dns_keynode_t *keynode = NULL; |
4488 | 0 | dns_view_t *view = zone->view; |
4489 | 0 | dns_keytable_t *sr = NULL; |
4490 | 0 | dns_dbversion_t *ver = NULL; |
4491 | 0 | dns_diff_t diff; |
4492 | 0 | dns_rriterator_t rrit; |
4493 | 0 | struct addifmissing_arg arg; |
4494 | |
|
4495 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys"); |
4496 | |
|
4497 | 0 | dns_diff_init(zone->mctx, &diff); |
4498 | |
|
4499 | 0 | CHECK(dns_view_getsecroots(view, &sr)); |
4500 | | |
4501 | 0 | result = dns_db_newversion(db, &ver); |
4502 | 0 | if (result != ISC_R_SUCCESS) { |
4503 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
4504 | 0 | "sync_keyzone:dns_db_newversion -> %s", |
4505 | 0 | isc_result_totext(result)); |
4506 | 0 | goto failure; |
4507 | 0 | } |
4508 | | |
4509 | | /* |
4510 | | * Walk the zone DB. If we find any keys whose names are no longer |
4511 | | * in trust-anchors, or which have been changed from initial to static, |
4512 | | * (meaning they are permanent and not RFC5011-maintained), delete |
4513 | | * them from the zone. Otherwise call load_secroots(), which |
4514 | | * loads keys into secroots as appropriate. |
4515 | | */ |
4516 | 0 | dns_rriterator_init(&rrit, db, ver, 0); |
4517 | 0 | for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS; |
4518 | 0 | result = dns_rriterator_nextrrset(&rrit)) |
4519 | 0 | { |
4520 | 0 | dns_rdataset_t *rdataset = NULL; |
4521 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
4522 | 0 | dns_rdata_keydata_t keydata; |
4523 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
4524 | 0 | bool load = true; |
4525 | 0 | dns_name_t *rrname = NULL; |
4526 | 0 | uint32_t ttl; |
4527 | |
|
4528 | 0 | dns_rriterator_current(&rrit, &rrname, &ttl, &rdataset, NULL); |
4529 | 0 | if (!dns_rdataset_isassociated(rdataset)) { |
4530 | 0 | dns_rriterator_destroy(&rrit); |
4531 | 0 | goto failure; |
4532 | 0 | } |
4533 | | |
4534 | 0 | if (rdataset->type != dns_rdatatype_keydata) { |
4535 | 0 | continue; |
4536 | 0 | } |
4537 | | |
4538 | | /* |
4539 | | * The managed-keys zone can contain a placeholder instead of |
4540 | | * legitimate data, in which case we will not use it, and we |
4541 | | * will try to refresh it. |
4542 | | */ |
4543 | 0 | for (result = dns_rdataset_first(rdataset); |
4544 | 0 | result == ISC_R_SUCCESS; |
4545 | 0 | result = dns_rdataset_next(rdataset)) |
4546 | 0 | { |
4547 | 0 | isc_result_t iresult; |
4548 | |
|
4549 | 0 | dns_rdata_reset(&rdata); |
4550 | 0 | dns_rdataset_current(rdataset, &rdata); |
4551 | |
|
4552 | 0 | iresult = dns_rdata_tostruct(&rdata, &keydata, NULL); |
4553 | | /* Do we have a valid placeholder KEYDATA record? */ |
4554 | 0 | if (iresult == ISC_R_SUCCESS && keydata.flags == 0 && |
4555 | 0 | keydata.protocol == 0 && keydata.algorithm == 0) |
4556 | 0 | { |
4557 | 0 | set_refreshkeytimer(zone, &keydata, now, true); |
4558 | 0 | load = false; |
4559 | 0 | } |
4560 | 0 | } |
4561 | | |
4562 | | /* |
4563 | | * Release db wrlock to prevent LOR reports against |
4564 | | * dns_keytable_forall() call below. |
4565 | | */ |
4566 | 0 | dns_rriterator_pause(&rrit); |
4567 | 0 | result = dns_keytable_find(sr, rrname, &keynode); |
4568 | 0 | if (result != ISC_R_SUCCESS || !dns_keynode_managed(keynode)) { |
4569 | 0 | CHECK(delete_keydata(db, ver, &diff, rrname, rdataset)); |
4570 | 0 | changed = true; |
4571 | 0 | } else if (load) { |
4572 | 0 | load_secroots(zone, rrname, rdataset); |
4573 | 0 | } |
4574 | | |
4575 | 0 | if (keynode != NULL) { |
4576 | 0 | dns_keynode_detach(&keynode); |
4577 | 0 | } |
4578 | 0 | } |
4579 | 0 | dns_rriterator_destroy(&rrit); |
4580 | | |
4581 | | /* |
4582 | | * Walk secroots to find any initial keys that aren't in |
4583 | | * the zone. If we find any, add them to the zone directly. |
4584 | | * If any DS-style initial keys are found, refresh the key |
4585 | | * zone so that they'll be looked up. |
4586 | | */ |
4587 | 0 | arg.db = db; |
4588 | 0 | arg.ver = ver; |
4589 | 0 | arg.result = ISC_R_SUCCESS; |
4590 | 0 | arg.diff = &diff; |
4591 | 0 | arg.zone = zone; |
4592 | 0 | arg.changed = &changed; |
4593 | 0 | dns_keytable_forall(sr, addifmissing, &arg); |
4594 | 0 | result = arg.result; |
4595 | 0 | if (changed) { |
4596 | | /* Write changes to journal file. */ |
4597 | 0 | CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx, |
4598 | 0 | zone->updatemethod)); |
4599 | 0 | CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone")); |
4600 | | |
4601 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); |
4602 | 0 | zone_needdump(zone, 30); |
4603 | 0 | commit = true; |
4604 | 0 | } |
4605 | | |
4606 | 0 | failure: |
4607 | 0 | if (result != ISC_R_SUCCESS) { |
4608 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
4609 | 0 | "unable to synchronize managed keys: %s", |
4610 | 0 | isc_result_totext(result)); |
4611 | 0 | isc_time_settoepoch(&zone->refreshkeytime); |
4612 | 0 | } |
4613 | 0 | if (keynode != NULL) { |
4614 | 0 | dns_keynode_detach(&keynode); |
4615 | 0 | } |
4616 | 0 | if (sr != NULL) { |
4617 | 0 | dns_keytable_detach(&sr); |
4618 | 0 | } |
4619 | 0 | if (ver != NULL) { |
4620 | 0 | dns_db_closeversion(db, &ver, commit); |
4621 | 0 | } |
4622 | 0 | dns_diff_clear(&diff); |
4623 | |
|
4624 | 0 | INSIST(ver == NULL); |
4625 | |
|
4626 | 0 | return (result); |
4627 | 0 | } |
4628 | | |
4629 | | isc_result_t |
4630 | 0 | dns_zone_synckeyzone(dns_zone_t *zone) { |
4631 | 0 | isc_result_t result; |
4632 | 0 | dns_db_t *db = NULL; |
4633 | |
|
4634 | 0 | if (zone->type != dns_zone_key) { |
4635 | 0 | return (DNS_R_BADZONE); |
4636 | 0 | } |
4637 | | |
4638 | 0 | CHECK(dns_zone_getdb(zone, &db)); |
4639 | | |
4640 | 0 | LOCK_ZONE(zone); |
4641 | 0 | result = sync_keyzone(zone, db); |
4642 | 0 | UNLOCK_ZONE(zone); |
4643 | |
|
4644 | 0 | failure: |
4645 | 0 | if (db != NULL) { |
4646 | 0 | dns_db_detach(&db); |
4647 | 0 | } |
4648 | 0 | return (result); |
4649 | 0 | } |
4650 | | |
4651 | | static void |
4652 | 0 | maybe_send_secure(dns_zone_t *zone) { |
4653 | 0 | isc_result_t result; |
4654 | | |
4655 | | /* |
4656 | | * We've finished loading, or else failed to load, an inline-signing |
4657 | | * 'secure' zone. We now need information about the status of the |
4658 | | * 'raw' zone. If we failed to load, then we need it to send a |
4659 | | * copy of its database; if we succeeded, we need it to send its |
4660 | | * serial number so that we can sync with it. If it has not yet |
4661 | | * loaded, we set a flag so that it will send the necessary |
4662 | | * information when it has finished loading. |
4663 | | */ |
4664 | 0 | if (zone->raw->db != NULL) { |
4665 | 0 | if (zone->db != NULL) { |
4666 | 0 | uint32_t serial; |
4667 | 0 | unsigned int soacount; |
4668 | |
|
4669 | 0 | result = zone_get_from_db( |
4670 | 0 | zone->raw, zone->raw->db, NULL, &soacount, NULL, |
4671 | 0 | &serial, NULL, NULL, NULL, NULL, NULL); |
4672 | 0 | if (result == ISC_R_SUCCESS && soacount > 0U) { |
4673 | 0 | zone_send_secureserial(zone->raw, serial); |
4674 | 0 | } |
4675 | 0 | } else { |
4676 | 0 | zone_send_securedb(zone->raw, zone->raw->db); |
4677 | 0 | } |
4678 | 0 | } else { |
4679 | 0 | DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE); |
4680 | 0 | } |
4681 | 0 | } |
4682 | | |
4683 | | static bool |
4684 | 0 | zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) { |
4685 | 0 | isc_result_t result; |
4686 | 0 | bool answer = false; |
4687 | 0 | dns_diff_t diff; |
4688 | |
|
4689 | 0 | dns_diff_init(mctx, &diff); |
4690 | 0 | result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL); |
4691 | 0 | if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples)) { |
4692 | 0 | answer = true; |
4693 | 0 | } |
4694 | 0 | dns_diff_clear(&diff); |
4695 | 0 | return (answer); |
4696 | 0 | } |
4697 | | |
4698 | | static void |
4699 | 0 | process_zone_setnsec3param(dns_zone_t *zone) { |
4700 | 0 | struct np3 *npe = NULL; |
4701 | 0 | while ((npe = ISC_LIST_HEAD(zone->setnsec3param_queue)) != NULL) { |
4702 | 0 | ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link); |
4703 | 0 | zone_iattach(zone, &npe->zone); |
4704 | 0 | isc_async_run(zone->loop, setnsec3param, npe); |
4705 | 0 | } |
4706 | 0 | } |
4707 | | |
4708 | | /* |
4709 | | * The zone is presumed to be locked. |
4710 | | * If this is a inline_raw zone the secure version is also locked. |
4711 | | */ |
4712 | | static isc_result_t |
4713 | | zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, |
4714 | 2 | isc_result_t result) { |
4715 | 2 | unsigned int soacount = 0; |
4716 | 2 | unsigned int nscount = 0; |
4717 | 2 | unsigned int errors = 0; |
4718 | 2 | uint32_t serial, oldserial, refresh, retry, expire, minimum, soattl; |
4719 | 2 | isc_time_t now; |
4720 | 2 | bool needdump = false; |
4721 | 2 | bool fixjournal = false; |
4722 | 2 | bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE); |
4723 | 2 | bool noprimary = false; |
4724 | 2 | bool had_db = false; |
4725 | 2 | dns_include_t *inc; |
4726 | 2 | bool is_dynamic = false; |
4727 | | |
4728 | 2 | INSIST(LOCKED_ZONE(zone)); |
4729 | 2 | if (inline_raw(zone)) { |
4730 | 0 | INSIST(LOCKED_ZONE(zone->secure)); |
4731 | 0 | } |
4732 | | |
4733 | 2 | now = isc_time_now(); |
4734 | | |
4735 | | /* |
4736 | | * Initiate zone transfer? We may need a error code that |
4737 | | * indicates that the "permanent" form does not exist. |
4738 | | * XXX better error feedback to log. |
4739 | | */ |
4740 | 2 | if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) { |
4741 | 0 | if (zone->type == dns_zone_secondary || |
4742 | 0 | zone->type == dns_zone_mirror || |
4743 | 0 | zone->type == dns_zone_stub || |
4744 | 0 | (zone->type == dns_zone_redirect && |
4745 | 0 | dns_remote_addresses(&zone->primaries) == NULL)) |
4746 | 0 | { |
4747 | 0 | if (result == ISC_R_FILENOTFOUND) { |
4748 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4749 | 0 | ISC_LOG_DEBUG(1), |
4750 | 0 | "no master file"); |
4751 | 0 | } else if (result != DNS_R_NOMASTERFILE) { |
4752 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4753 | 0 | ISC_LOG_ERROR, |
4754 | 0 | "loading from master file %s " |
4755 | 0 | "failed: %s", |
4756 | 0 | zone->masterfile, |
4757 | 0 | isc_result_totext(result)); |
4758 | 0 | } |
4759 | 0 | } else if (zone->type == dns_zone_primary && |
4760 | 0 | inline_secure(zone) && result == ISC_R_FILENOTFOUND) |
4761 | 0 | { |
4762 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4763 | 0 | ISC_LOG_DEBUG(1), |
4764 | 0 | "no master file, requesting db"); |
4765 | 0 | maybe_send_secure(zone); |
4766 | 0 | } else { |
4767 | 0 | int level = ISC_LOG_ERROR; |
4768 | 0 | if (zone->type == dns_zone_key && |
4769 | 0 | result == ISC_R_FILENOTFOUND) |
4770 | 0 | { |
4771 | 0 | level = ISC_LOG_DEBUG(1); |
4772 | 0 | } |
4773 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, level, |
4774 | 0 | "loading from master file %s failed: %s", |
4775 | 0 | zone->masterfile, |
4776 | 0 | isc_result_totext(result)); |
4777 | 0 | noprimary = true; |
4778 | 0 | } |
4779 | |
|
4780 | 0 | if (zone->type != dns_zone_key) { |
4781 | 0 | goto cleanup; |
4782 | 0 | } |
4783 | 0 | } |
4784 | | |
4785 | 2 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2), |
4786 | 2 | "number of nodes in database: %u", |
4787 | 2 | dns_db_nodecount(db, dns_dbtree_main)); |
4788 | | |
4789 | 2 | if (result == DNS_R_SEENINCLUDE) { |
4790 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE); |
4791 | 2 | } else { |
4792 | 2 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE); |
4793 | 2 | } |
4794 | | |
4795 | | /* |
4796 | | * If there's no master file for a key zone, then the zone is new: |
4797 | | * create an SOA record. (We do this now, instead of later, so that |
4798 | | * if there happens to be a journal file, we can roll forward from |
4799 | | * a sane starting point.) |
4800 | | */ |
4801 | 2 | if (noprimary && zone->type == dns_zone_key) { |
4802 | 0 | result = add_soa(zone, db); |
4803 | 0 | if (result != ISC_R_SUCCESS) { |
4804 | 0 | goto cleanup; |
4805 | 0 | } |
4806 | 0 | } |
4807 | | |
4808 | | /* |
4809 | | * Apply update log, if any, on initial load. |
4810 | | */ |
4811 | 2 | if (zone->journal != NULL && |
4812 | 2 | !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) && |
4813 | 2 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
4814 | 2 | { |
4815 | 2 | result = zone_journal_rollforward(zone, db, &needdump, |
4816 | 2 | &fixjournal); |
4817 | 2 | if (result != ISC_R_SUCCESS) { |
4818 | 0 | goto cleanup; |
4819 | 0 | } |
4820 | 2 | } |
4821 | | |
4822 | | /* |
4823 | | * Obtain ns, soa and cname counts for top of zone. |
4824 | | */ |
4825 | 2 | INSIST(db != NULL); |
4826 | 2 | result = zone_get_from_db(zone, db, &nscount, &soacount, &soattl, |
4827 | 2 | &serial, &refresh, &retry, &expire, &minimum, |
4828 | 2 | &errors); |
4829 | 2 | if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) { |
4830 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, |
4831 | 0 | "could not find NS and/or SOA records"); |
4832 | 0 | } |
4833 | | |
4834 | | /* |
4835 | | * Process any queued NSEC3PARAM change requests. Only for dynamic |
4836 | | * zones, an inline-signing zone will perform this action when |
4837 | | * receiving the secure db (receive_secure_db). |
4838 | | */ |
4839 | 2 | is_dynamic = dns_zone_isdynamic(zone, true); |
4840 | 2 | if (is_dynamic) { |
4841 | 0 | process_zone_setnsec3param(zone); |
4842 | 0 | } |
4843 | | |
4844 | | /* |
4845 | | * Check to make sure the journal is up to date, and remove the |
4846 | | * journal file if it isn't, as we wouldn't be able to apply |
4847 | | * updates otherwise. |
4848 | | */ |
4849 | 2 | if (zone->journal != NULL && is_dynamic && |
4850 | 2 | !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) |
4851 | 0 | { |
4852 | 0 | uint32_t jserial; |
4853 | 0 | dns_journal_t *journal = NULL; |
4854 | 0 | bool empty = false; |
4855 | |
|
4856 | 0 | result = dns_journal_open(zone->mctx, zone->journal, |
4857 | 0 | DNS_JOURNAL_READ, &journal); |
4858 | 0 | if (result == ISC_R_SUCCESS) { |
4859 | 0 | jserial = dns_journal_last_serial(journal); |
4860 | 0 | empty = dns_journal_empty(journal); |
4861 | 0 | dns_journal_destroy(&journal); |
4862 | 0 | } else { |
4863 | 0 | jserial = serial; |
4864 | 0 | result = ISC_R_SUCCESS; |
4865 | 0 | } |
4866 | |
|
4867 | 0 | if (jserial != serial) { |
4868 | 0 | if (!empty) { |
4869 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4870 | 0 | ISC_LOG_INFO, |
4871 | 0 | "journal file is out of date: " |
4872 | 0 | "removing journal file"); |
4873 | 0 | } |
4874 | 0 | if (remove(zone->journal) < 0 && errno != ENOENT) { |
4875 | 0 | char strbuf[ISC_STRERRORSIZE]; |
4876 | 0 | strerror_r(errno, strbuf, sizeof(strbuf)); |
4877 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
4878 | 0 | DNS_LOGMODULE_ZONE, |
4879 | 0 | ISC_LOG_WARNING, |
4880 | 0 | "unable to remove journal " |
4881 | 0 | "'%s': '%s'", |
4882 | 0 | zone->journal, strbuf); |
4883 | 0 | } |
4884 | 0 | } |
4885 | 0 | } |
4886 | | |
4887 | 2 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1), |
4888 | 2 | "loaded; checking validity"); |
4889 | | |
4890 | | /* |
4891 | | * Primary / Secondary / Mirror / Stub zones require both NS and SOA |
4892 | | * records at the top of the zone. |
4893 | | */ |
4894 | | |
4895 | 2 | switch (zone->type) { |
4896 | 0 | case dns_zone_dlz: |
4897 | 2 | case dns_zone_primary: |
4898 | 2 | case dns_zone_secondary: |
4899 | 2 | case dns_zone_mirror: |
4900 | 2 | case dns_zone_stub: |
4901 | 2 | case dns_zone_redirect: |
4902 | 2 | if (soacount != 1) { |
4903 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4904 | 0 | ISC_LOG_ERROR, "has %d SOA records", |
4905 | 0 | soacount); |
4906 | 0 | result = DNS_R_BADZONE; |
4907 | 0 | } |
4908 | 2 | if (nscount == 0) { |
4909 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4910 | 0 | ISC_LOG_ERROR, "has no NS records"); |
4911 | 0 | result = DNS_R_BADZONE; |
4912 | 0 | } |
4913 | 2 | if (result != ISC_R_SUCCESS) { |
4914 | 0 | goto cleanup; |
4915 | 0 | } |
4916 | 2 | if (zone->type == dns_zone_primary && errors != 0) { |
4917 | 0 | result = DNS_R_BADZONE; |
4918 | 0 | goto cleanup; |
4919 | 0 | } |
4920 | 2 | if (zone->type != dns_zone_stub && |
4921 | 2 | zone->type != dns_zone_redirect) |
4922 | 2 | { |
4923 | 2 | result = check_nsec3param(zone, db); |
4924 | 2 | if (result != ISC_R_SUCCESS) { |
4925 | 0 | goto cleanup; |
4926 | 0 | } |
4927 | 2 | } |
4928 | 2 | if (zone->type == dns_zone_primary && |
4929 | 2 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) && |
4930 | 2 | !integrity_checks(zone, db)) |
4931 | 0 | { |
4932 | 0 | result = DNS_R_BADZONE; |
4933 | 0 | goto cleanup; |
4934 | 0 | } |
4935 | 2 | if (zone->type == dns_zone_primary && |
4936 | 2 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) && |
4937 | 2 | !zone_check_dup(zone, db)) |
4938 | 0 | { |
4939 | 0 | result = DNS_R_BADZONE; |
4940 | 0 | goto cleanup; |
4941 | 0 | } |
4942 | | |
4943 | 2 | if (zone->type == dns_zone_primary) { |
4944 | 2 | result = dns_zone_cdscheck(zone, db, NULL); |
4945 | 2 | if (result != ISC_R_SUCCESS) { |
4946 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
4947 | 0 | "CDS/CDNSKEY consistency checks " |
4948 | 0 | "failed"); |
4949 | 0 | goto cleanup; |
4950 | 0 | } |
4951 | 2 | } |
4952 | | |
4953 | 2 | result = dns_zone_verifydb(zone, db, NULL); |
4954 | 2 | if (result != ISC_R_SUCCESS) { |
4955 | 0 | goto cleanup; |
4956 | 0 | } |
4957 | | |
4958 | 2 | if (zone->db != NULL) { |
4959 | 0 | unsigned int oldsoacount; |
4960 | | |
4961 | | /* |
4962 | | * This is checked in zone_replacedb() for |
4963 | | * secondary zones as they don't reload from disk. |
4964 | | */ |
4965 | 0 | result = zone_get_from_db( |
4966 | 0 | zone, zone->db, NULL, &oldsoacount, NULL, |
4967 | 0 | &oldserial, NULL, NULL, NULL, NULL, NULL); |
4968 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
4969 | 0 | RUNTIME_CHECK(oldsoacount > 0U); |
4970 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) && |
4971 | 0 | !isc_serial_gt(serial, oldserial)) |
4972 | 0 | { |
4973 | 0 | uint32_t serialmin, serialmax; |
4974 | |
|
4975 | 0 | INSIST(zone->type == dns_zone_primary); |
4976 | 0 | INSIST(zone->raw == NULL); |
4977 | |
|
4978 | 0 | if (serial == oldserial && |
4979 | 0 | zone_unchanged(zone->db, db, zone->mctx)) |
4980 | 0 | { |
4981 | 0 | dns_zone_logc(zone, |
4982 | 0 | DNS_LOGCATEGORY_ZONELOAD, |
4983 | 0 | ISC_LOG_INFO, |
4984 | 0 | "ixfr-from-differences: " |
4985 | 0 | "unchanged"); |
4986 | 0 | zone->loadtime = loadtime; |
4987 | 0 | goto done; |
4988 | 0 | } |
4989 | | |
4990 | 0 | serialmin = (oldserial + 1) & 0xffffffffU; |
4991 | 0 | serialmax = (oldserial + 0x7fffffffU) & |
4992 | 0 | 0xffffffffU; |
4993 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
4994 | 0 | ISC_LOG_ERROR, |
4995 | 0 | "ixfr-from-differences: " |
4996 | 0 | "new serial (%u) out of range " |
4997 | 0 | "[%u - %u]", |
4998 | 0 | serial, serialmin, serialmax); |
4999 | 0 | result = DNS_R_BADZONE; |
5000 | 0 | goto cleanup; |
5001 | 0 | } else if (!isc_serial_ge(serial, oldserial)) { |
5002 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
5003 | 0 | ISC_LOG_ERROR, |
5004 | 0 | "zone serial (%u/%u) has gone " |
5005 | 0 | "backwards", |
5006 | 0 | serial, oldserial); |
5007 | 0 | } else if (serial == oldserial && !hasinclude && |
5008 | 0 | strcmp(zone->db_argv[0], "_builtin") != 0) |
5009 | 0 | { |
5010 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
5011 | 0 | ISC_LOG_ERROR, |
5012 | 0 | "zone serial (%u) unchanged. " |
5013 | 0 | "zone may fail to transfer " |
5014 | 0 | "to secondaries.", |
5015 | 0 | serial); |
5016 | 0 | } |
5017 | 0 | } |
5018 | | |
5019 | 2 | if (zone->type == dns_zone_primary && |
5020 | 2 | (zone->update_acl != NULL || zone->ssutable != NULL) && |
5021 | 2 | dns_zone_getsigresigninginterval(zone) < (3 * refresh) && |
5022 | 2 | dns_db_issecure(db)) |
5023 | 0 | { |
5024 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
5025 | 0 | ISC_LOG_WARNING, |
5026 | 0 | "sig-re-signing-interval less than " |
5027 | 0 | "3 * refresh."); |
5028 | 0 | } |
5029 | | |
5030 | 2 | zone->refresh = RANGE(refresh, zone->minrefresh, |
5031 | 2 | zone->maxrefresh); |
5032 | 2 | zone->retry = RANGE(retry, zone->minretry, zone->maxretry); |
5033 | 2 | zone->expire = RANGE(expire, zone->refresh + zone->retry, |
5034 | 2 | DNS_MAX_EXPIRE); |
5035 | 2 | zone->soattl = soattl; |
5036 | 2 | zone->minimum = minimum; |
5037 | 2 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
5038 | | |
5039 | 2 | if (zone->type == dns_zone_secondary || |
5040 | 2 | zone->type == dns_zone_mirror || |
5041 | 2 | zone->type == dns_zone_stub || |
5042 | 2 | (zone->type == dns_zone_redirect && |
5043 | 2 | dns_remote_addresses(&zone->primaries) != NULL)) |
5044 | 0 | { |
5045 | 0 | isc_time_t t; |
5046 | 0 | uint32_t delay; |
5047 | |
|
5048 | 0 | result = isc_file_getmodtime(zone->journal, &t); |
5049 | 0 | if (result != ISC_R_SUCCESS) { |
5050 | 0 | result = isc_file_getmodtime(zone->masterfile, |
5051 | 0 | &t); |
5052 | 0 | } |
5053 | 0 | if (result == ISC_R_SUCCESS) { |
5054 | 0 | DNS_ZONE_TIME_ADD(&t, zone->expire, |
5055 | 0 | &zone->expiretime); |
5056 | 0 | } else { |
5057 | 0 | DNS_ZONE_TIME_ADD(&now, zone->retry, |
5058 | 0 | &zone->expiretime); |
5059 | 0 | } |
5060 | |
|
5061 | 0 | delay = (zone->retry - |
5062 | 0 | isc_random_uniform((zone->retry * 3) / 4)); |
5063 | 0 | DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime); |
5064 | 0 | if (isc_time_compare(&zone->refreshtime, |
5065 | 0 | &zone->expiretime) >= 0) |
5066 | 0 | { |
5067 | 0 | DNS_ZONE_SETFLAG(zone, |
5068 | 0 | DNS_ZONEFLG_FIRSTREFRESH); |
5069 | 0 | zone->refreshtime = now; |
5070 | 0 | } else { |
5071 | | /* The zone is up to date. */ |
5072 | 0 | DNS_ZONE_CLRFLAG(zone, |
5073 | 0 | DNS_ZONEFLG_FIRSTREFRESH); |
5074 | 0 | } |
5075 | 0 | } |
5076 | | |
5077 | 2 | break; |
5078 | | |
5079 | 0 | case dns_zone_key: |
5080 | | /* Nothing needs to be done now */ |
5081 | 0 | break; |
5082 | | |
5083 | 0 | default: |
5084 | 0 | UNEXPECTED_ERROR("unexpected zone type %d", zone->type); |
5085 | 0 | result = ISC_R_UNEXPECTED; |
5086 | 0 | goto cleanup; |
5087 | 2 | } |
5088 | | |
5089 | | /* |
5090 | | * Check for weak DNSKEY's. |
5091 | | */ |
5092 | 2 | if (zone->type == dns_zone_primary) { |
5093 | 2 | zone_check_dnskeys(zone, db); |
5094 | 2 | } |
5095 | | |
5096 | | /* |
5097 | | * Schedule DNSSEC key refresh. |
5098 | | */ |
5099 | 2 | if (zone->type == dns_zone_primary && |
5100 | 2 | DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) |
5101 | 0 | { |
5102 | 0 | zone->refreshkeytime = now; |
5103 | 0 | } |
5104 | | |
5105 | 2 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
5106 | 2 | if (zone->db != NULL) { |
5107 | 0 | had_db = true; |
5108 | 0 | result = zone_replacedb(zone, db, false); |
5109 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
5110 | 0 | if (result != ISC_R_SUCCESS) { |
5111 | 0 | goto cleanup; |
5112 | 0 | } |
5113 | 2 | } else { |
5114 | 2 | zone_attachdb(zone, db); |
5115 | 2 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
5116 | 2 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | |
5117 | 2 | DNS_ZONEFLG_NEEDSTARTUPNOTIFY); |
5118 | 2 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) && |
5119 | 2 | inline_raw(zone)) |
5120 | 0 | { |
5121 | 0 | if (zone->secure->db == NULL) { |
5122 | 0 | zone_send_securedb(zone, db); |
5123 | 0 | } else { |
5124 | 0 | zone_send_secureserial(zone, serial); |
5125 | 0 | } |
5126 | 0 | } |
5127 | 2 | } |
5128 | | |
5129 | | /* |
5130 | | * Finished loading inline-signing zone; need to get status |
5131 | | * from the raw side now. |
5132 | | */ |
5133 | 2 | if (zone->type == dns_zone_primary && inline_secure(zone)) { |
5134 | 0 | maybe_send_secure(zone); |
5135 | 0 | } |
5136 | | |
5137 | 2 | result = ISC_R_SUCCESS; |
5138 | | |
5139 | 2 | if (fixjournal) { |
5140 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIXJOURNAL); |
5141 | 0 | zone_journal_compact(zone, zone->db, 0); |
5142 | 0 | } |
5143 | 2 | if (needdump) { |
5144 | 0 | if (zone->type == dns_zone_key) { |
5145 | 0 | zone_needdump(zone, 30); |
5146 | 0 | } else { |
5147 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
5148 | 0 | } |
5149 | 0 | } |
5150 | | |
5151 | 2 | if (zone->loop != NULL) { |
5152 | 0 | if (zone->type == dns_zone_primary) { |
5153 | 0 | set_resigntime(zone); |
5154 | 0 | resume_signingwithkey(zone); |
5155 | 0 | resume_addnsec3chain(zone); |
5156 | 0 | } |
5157 | |
|
5158 | 0 | is_dynamic = dns_zone_isdynamic(zone, false); |
5159 | 0 | if (zone->type == dns_zone_primary && is_dynamic && |
5160 | 0 | dns_db_issecure(db) && !inline_raw(zone)) |
5161 | 0 | { |
5162 | 0 | isc_stdtime_t resign; |
5163 | 0 | dns_name_t *name; |
5164 | 0 | dns_fixedname_t fixed; |
5165 | 0 | dns_typepair_t typepair; |
5166 | |
|
5167 | 0 | name = dns_fixedname_initname(&fixed); |
5168 | |
|
5169 | 0 | result = dns_db_getsigningtime(db, &resign, name, |
5170 | 0 | &typepair); |
5171 | 0 | if (result == ISC_R_SUCCESS) { |
5172 | 0 | isc_stdtime_t timenow = isc_stdtime_now(); |
5173 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
5174 | 0 | char typebuf[DNS_RDATATYPE_FORMATSIZE]; |
5175 | |
|
5176 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
5177 | 0 | dns_rdatatype_format( |
5178 | 0 | DNS_TYPEPAIR_COVERS(typepair), typebuf, |
5179 | 0 | sizeof(typebuf)); |
5180 | 0 | dnssec_log( |
5181 | 0 | zone, ISC_LOG_DEBUG(3), |
5182 | 0 | "next resign: %s/%s " |
5183 | 0 | "in %d seconds", |
5184 | 0 | namebuf, typebuf, |
5185 | 0 | resign - timenow - |
5186 | 0 | dns_zone_getsigresigninginterval( |
5187 | 0 | zone)); |
5188 | 0 | } else { |
5189 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
5190 | 0 | "signed dynamic zone has no " |
5191 | 0 | "resign event scheduled"); |
5192 | 0 | } |
5193 | 0 | } |
5194 | |
|
5195 | 0 | zone_settimer(zone, &now); |
5196 | 0 | } |
5197 | | |
5198 | | /* |
5199 | | * Clear old include list. |
5200 | | */ |
5201 | 2 | for (inc = ISC_LIST_HEAD(zone->includes); inc != NULL; |
5202 | 2 | inc = ISC_LIST_HEAD(zone->includes)) |
5203 | 0 | { |
5204 | 0 | ISC_LIST_UNLINK(zone->includes, inc, link); |
5205 | 0 | isc_mem_free(zone->mctx, inc->name); |
5206 | 0 | isc_mem_put(zone->mctx, inc, sizeof(*inc)); |
5207 | 0 | } |
5208 | 2 | zone->nincludes = 0; |
5209 | | |
5210 | | /* |
5211 | | * Transfer new include list. |
5212 | | */ |
5213 | 2 | for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; |
5214 | 2 | inc = ISC_LIST_HEAD(zone->newincludes)) |
5215 | 0 | { |
5216 | 0 | ISC_LIST_UNLINK(zone->newincludes, inc, link); |
5217 | 0 | ISC_LIST_APPEND(zone->includes, inc, link); |
5218 | 0 | zone->nincludes++; |
5219 | 0 | } |
5220 | | |
5221 | 2 | if (!dns_db_ispersistent(db)) { |
5222 | 2 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO, |
5223 | 2 | "loaded serial %u%s", serial, |
5224 | 2 | dns_db_issecure(db) ? " (DNSSEC signed)" : ""); |
5225 | 2 | } |
5226 | | |
5227 | 2 | if (!had_db && zone->type == dns_zone_mirror) { |
5228 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO, |
5229 | 0 | "mirror zone is now in use"); |
5230 | 0 | } |
5231 | | |
5232 | 2 | zone->loadtime = loadtime; |
5233 | 2 | goto done; |
5234 | | |
5235 | 0 | cleanup: |
5236 | 0 | if (result != ISC_R_SUCCESS) { |
5237 | 0 | dns_zone_rpz_disable_db(zone, db); |
5238 | 0 | dns_zone_catz_disable_db(zone, db); |
5239 | 0 | } |
5240 | |
|
5241 | 0 | for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; |
5242 | 0 | inc = ISC_LIST_HEAD(zone->newincludes)) |
5243 | 0 | { |
5244 | 0 | ISC_LIST_UNLINK(zone->newincludes, inc, link); |
5245 | 0 | isc_mem_free(zone->mctx, inc->name); |
5246 | 0 | isc_mem_put(zone->mctx, inc, sizeof(*inc)); |
5247 | 0 | } |
5248 | 0 | if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror || |
5249 | 0 | zone->type == dns_zone_stub || zone->type == dns_zone_key || |
5250 | 0 | (zone->type == dns_zone_redirect && |
5251 | 0 | dns_remote_addresses(&zone->primaries) != NULL)) |
5252 | 0 | { |
5253 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH); |
5254 | |
|
5255 | 0 | if (result != ISC_R_NOMEMORY) { |
5256 | 0 | if (zone->journal != NULL) { |
5257 | 0 | zone_saveunique(zone, zone->journal, |
5258 | 0 | "jn-XXXXXXXX"); |
5259 | 0 | } |
5260 | 0 | if (zone->masterfile != NULL) { |
5261 | 0 | zone_saveunique(zone, zone->masterfile, |
5262 | 0 | "db-XXXXXXXX"); |
5263 | 0 | } |
5264 | 0 | } |
5265 | | |
5266 | | /* Mark the zone for immediate refresh. */ |
5267 | 0 | zone->refreshtime = now; |
5268 | 0 | if (zone->loop != NULL) { |
5269 | 0 | zone_settimer(zone, &now); |
5270 | 0 | } |
5271 | 0 | result = ISC_R_SUCCESS; |
5272 | 0 | } else if (zone->type == dns_zone_primary || |
5273 | 0 | zone->type == dns_zone_redirect) |
5274 | 0 | { |
5275 | 0 | if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) { |
5276 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
5277 | 0 | ISC_LOG_ERROR, |
5278 | 0 | "not loaded due to errors."); |
5279 | 0 | } else if (zone->type == dns_zone_primary) { |
5280 | 0 | result = ISC_R_SUCCESS; |
5281 | 0 | } |
5282 | 0 | } |
5283 | |
|
5284 | 2 | done: |
5285 | 2 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING); |
5286 | | /* |
5287 | | * If this is an inline-signed zone and we were called for the raw |
5288 | | * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone |
5289 | | * as well, but only if this is a reload, not an initial zone load: in |
5290 | | * the former case, zone_postload() will not be run for the secure |
5291 | | * zone; in the latter case, it will be. Check which case we are |
5292 | | * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the |
5293 | | * secure zone: if it is set, this must be a reload. |
5294 | | */ |
5295 | 2 | if (inline_raw(zone) && DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED)) |
5296 | 0 | { |
5297 | 0 | DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING); |
5298 | | /* |
5299 | | * Re-start zone maintenance if it had been stalled |
5300 | | * due to DNS_ZONEFLG_LOADPENDING being set when |
5301 | | * zone_maintenance was called. |
5302 | | */ |
5303 | 0 | if (zone->secure->loop != NULL) { |
5304 | 0 | zone_settimer(zone->secure, &now); |
5305 | 0 | } |
5306 | 0 | } |
5307 | | |
5308 | 2 | zone_debuglog(zone, __func__, 99, "done"); |
5309 | | |
5310 | 2 | return (result); |
5311 | 0 | } |
5312 | | |
5313 | | static bool |
5314 | 0 | exit_check(dns_zone_t *zone) { |
5315 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
5316 | |
|
5317 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) && |
5318 | 0 | isc_refcount_current(&zone->irefs) == 0) |
5319 | 0 | { |
5320 | | /* |
5321 | | * DNS_ZONEFLG_SHUTDOWN can only be set if references == 0. |
5322 | | */ |
5323 | 0 | INSIST(isc_refcount_current(&zone->references) == 0); |
5324 | 0 | return (true); |
5325 | 0 | } |
5326 | 0 | return (false); |
5327 | 0 | } |
5328 | | |
5329 | | static bool |
5330 | | zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, |
5331 | 0 | dns_name_t *name, bool logit) { |
5332 | 0 | isc_result_t result; |
5333 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
5334 | 0 | char altbuf[DNS_NAME_FORMATSIZE]; |
5335 | 0 | dns_fixedname_t fixed; |
5336 | 0 | dns_name_t *foundname; |
5337 | 0 | int level; |
5338 | |
|
5339 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS)) { |
5340 | 0 | return (true); |
5341 | 0 | } |
5342 | | |
5343 | 0 | if (zone->type == dns_zone_primary) { |
5344 | 0 | level = ISC_LOG_ERROR; |
5345 | 0 | } else { |
5346 | 0 | level = ISC_LOG_WARNING; |
5347 | 0 | } |
5348 | |
|
5349 | 0 | foundname = dns_fixedname_initname(&fixed); |
5350 | |
|
5351 | 0 | result = dns_db_find(db, name, version, dns_rdatatype_a, 0, 0, NULL, |
5352 | 0 | foundname, NULL, NULL); |
5353 | 0 | if (result == ISC_R_SUCCESS) { |
5354 | 0 | return (true); |
5355 | 0 | } |
5356 | | |
5357 | 0 | if (result == DNS_R_NXRRSET) { |
5358 | 0 | result = dns_db_find(db, name, version, dns_rdatatype_aaaa, 0, |
5359 | 0 | 0, NULL, foundname, NULL, NULL); |
5360 | 0 | if (result == ISC_R_SUCCESS) { |
5361 | 0 | return (true); |
5362 | 0 | } |
5363 | 0 | } |
5364 | | |
5365 | 0 | if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN || |
5366 | 0 | result == DNS_R_EMPTYNAME) |
5367 | 0 | { |
5368 | 0 | if (logit) { |
5369 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
5370 | 0 | dns_zone_log(zone, level, |
5371 | 0 | "NS '%s' has no address " |
5372 | 0 | "records (A or AAAA)", |
5373 | 0 | namebuf); |
5374 | 0 | } |
5375 | 0 | return (false); |
5376 | 0 | } |
5377 | | |
5378 | 0 | if (result == DNS_R_CNAME) { |
5379 | 0 | if (logit) { |
5380 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
5381 | 0 | dns_zone_log(zone, level, |
5382 | 0 | "NS '%s' is a CNAME " |
5383 | 0 | "(illegal)", |
5384 | 0 | namebuf); |
5385 | 0 | } |
5386 | 0 | return (false); |
5387 | 0 | } |
5388 | | |
5389 | 0 | if (result == DNS_R_DNAME) { |
5390 | 0 | if (logit) { |
5391 | 0 | dns_name_format(name, namebuf, sizeof namebuf); |
5392 | 0 | dns_name_format(foundname, altbuf, sizeof altbuf); |
5393 | 0 | dns_zone_log(zone, level, |
5394 | 0 | "NS '%s' is below a DNAME " |
5395 | 0 | "'%s' (illegal)", |
5396 | 0 | namebuf, altbuf); |
5397 | 0 | } |
5398 | 0 | return (false); |
5399 | 0 | } |
5400 | | |
5401 | 0 | return (true); |
5402 | 0 | } |
5403 | | |
5404 | | static isc_result_t |
5405 | | zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, |
5406 | | dns_dbversion_t *version, unsigned int *nscount, |
5407 | 2 | unsigned int *errors, bool logit) { |
5408 | 2 | isc_result_t result; |
5409 | 2 | unsigned int count = 0; |
5410 | 2 | unsigned int ecount = 0; |
5411 | 2 | dns_rdataset_t rdataset; |
5412 | 2 | dns_rdata_t rdata; |
5413 | 2 | dns_rdata_ns_t ns; |
5414 | | |
5415 | 2 | dns_rdataset_init(&rdataset); |
5416 | 2 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns, |
5417 | 2 | dns_rdatatype_none, 0, &rdataset, NULL); |
5418 | 2 | if (result == ISC_R_NOTFOUND) { |
5419 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
5420 | 0 | goto success; |
5421 | 0 | } |
5422 | 2 | if (result != ISC_R_SUCCESS) { |
5423 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
5424 | 0 | goto invalidate_rdataset; |
5425 | 0 | } |
5426 | | |
5427 | 2 | result = dns_rdataset_first(&rdataset); |
5428 | 4 | while (result == ISC_R_SUCCESS) { |
5429 | 2 | if (errors != NULL && zone->rdclass == dns_rdataclass_in && |
5430 | 2 | (zone->type == dns_zone_primary || |
5431 | 2 | zone->type == dns_zone_secondary || |
5432 | 2 | zone->type == dns_zone_mirror)) |
5433 | 2 | { |
5434 | 2 | dns_rdata_init(&rdata); |
5435 | 2 | dns_rdataset_current(&rdataset, &rdata); |
5436 | 2 | result = dns_rdata_tostruct(&rdata, &ns, NULL); |
5437 | 2 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
5438 | 2 | if (dns_name_issubdomain(&ns.name, &zone->origin) && |
5439 | 2 | !zone_check_ns(zone, db, version, &ns.name, logit)) |
5440 | 0 | { |
5441 | 0 | ecount++; |
5442 | 0 | } |
5443 | 2 | } |
5444 | 2 | count++; |
5445 | 2 | result = dns_rdataset_next(&rdataset); |
5446 | 2 | } |
5447 | 2 | dns_rdataset_disassociate(&rdataset); |
5448 | | |
5449 | 2 | success: |
5450 | 2 | SET_IF_NOT_NULL(nscount, count); |
5451 | 2 | SET_IF_NOT_NULL(errors, ecount); |
5452 | | |
5453 | 2 | result = ISC_R_SUCCESS; |
5454 | | |
5455 | 2 | invalidate_rdataset: |
5456 | 2 | dns_rdataset_invalidate(&rdataset); |
5457 | | |
5458 | 2 | return (result); |
5459 | 2 | } |
5460 | | |
5461 | | #define SET_SOA_VALUES(soattl_v, serial_v, refresh_v, retry_v, expire_v, \ |
5462 | | minimum_v) \ |
5463 | 4 | { \ |
5464 | 4 | SET_IF_NOT_NULL(soattl, soattl_v); \ |
5465 | 4 | SET_IF_NOT_NULL(serial, serial_v); \ |
5466 | 4 | SET_IF_NOT_NULL(refresh, refresh_v); \ |
5467 | 4 | SET_IF_NOT_NULL(retry, retry_v); \ |
5468 | 4 | SET_IF_NOT_NULL(expire, expire_v); \ |
5469 | 4 | SET_IF_NOT_NULL(minimum, minimum_v); \ |
5470 | 4 | } |
5471 | | |
5472 | | #define CLR_SOA_VALUES() \ |
5473 | 2 | { \ |
5474 | 2 | SET_SOA_VALUES(0, 0, 0, 0, 0, 0); \ |
5475 | 2 | } |
5476 | | |
5477 | | static isc_result_t |
5478 | | zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, |
5479 | | unsigned int *soacount, uint32_t *soattl, uint32_t *serial, |
5480 | | uint32_t *refresh, uint32_t *retry, uint32_t *expire, |
5481 | 2 | uint32_t *minimum) { |
5482 | 2 | isc_result_t result; |
5483 | 2 | unsigned int count = 0; |
5484 | 2 | dns_rdataset_t rdataset; |
5485 | 2 | dns_rdata_t rdata = DNS_RDATA_INIT; |
5486 | | |
5487 | 2 | dns_rdataset_init(&rdataset); |
5488 | 2 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, |
5489 | 2 | dns_rdatatype_none, 0, &rdataset, NULL); |
5490 | 2 | if (result == ISC_R_NOTFOUND) { |
5491 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
5492 | 0 | result = ISC_R_SUCCESS; |
5493 | 0 | goto invalidate_rdataset; |
5494 | 0 | } |
5495 | 2 | if (result != ISC_R_SUCCESS) { |
5496 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
5497 | 0 | goto invalidate_rdataset; |
5498 | 0 | } |
5499 | | |
5500 | 2 | result = dns_rdataset_first(&rdataset); |
5501 | 4 | while (result == ISC_R_SUCCESS) { |
5502 | 2 | dns_rdata_init(&rdata); |
5503 | 2 | dns_rdataset_current(&rdataset, &rdata); |
5504 | 2 | count++; |
5505 | 2 | if (count == 1) { |
5506 | 2 | dns_rdata_soa_t soa; |
5507 | 2 | result = dns_rdata_tostruct(&rdata, &soa, NULL); |
5508 | 2 | SET_SOA_VALUES(rdataset.ttl, soa.serial, soa.refresh, |
5509 | 2 | soa.retry, soa.expire, soa.minimum); |
5510 | 2 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
5511 | 2 | } |
5512 | | |
5513 | 2 | result = dns_rdataset_next(&rdataset); |
5514 | 2 | dns_rdata_reset(&rdata); |
5515 | 2 | } |
5516 | 2 | dns_rdataset_disassociate(&rdataset); |
5517 | | |
5518 | 2 | result = ISC_R_SUCCESS; |
5519 | | |
5520 | 2 | invalidate_rdataset: |
5521 | 2 | SET_IF_NOT_NULL(soacount, count); |
5522 | 2 | if (count == 0) { |
5523 | 0 | CLR_SOA_VALUES(); |
5524 | 0 | } |
5525 | | |
5526 | 2 | dns_rdataset_invalidate(&rdataset); |
5527 | | |
5528 | 2 | return (result); |
5529 | 2 | } |
5530 | | |
5531 | | /* |
5532 | | * zone must be locked. |
5533 | | */ |
5534 | | static isc_result_t |
5535 | | zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount, |
5536 | | unsigned int *soacount, uint32_t *soattl, uint32_t *serial, |
5537 | | uint32_t *refresh, uint32_t *retry, uint32_t *expire, |
5538 | 2 | uint32_t *minimum, unsigned int *errors) { |
5539 | 2 | isc_result_t result; |
5540 | 2 | isc_result_t answer = ISC_R_SUCCESS; |
5541 | 2 | dns_dbversion_t *version = NULL; |
5542 | 2 | dns_dbnode_t *node; |
5543 | | |
5544 | 2 | REQUIRE(db != NULL); |
5545 | 2 | REQUIRE(zone != NULL); |
5546 | | |
5547 | 2 | dns_db_currentversion(db, &version); |
5548 | | |
5549 | 2 | SET_IF_NOT_NULL(nscount, 0); |
5550 | 2 | SET_IF_NOT_NULL(soacount, 0); |
5551 | 2 | SET_IF_NOT_NULL(errors, 0); |
5552 | 2 | CLR_SOA_VALUES(); |
5553 | | |
5554 | 2 | node = NULL; |
5555 | 2 | result = dns_db_findnode(db, &zone->origin, false, &node); |
5556 | 2 | if (result != ISC_R_SUCCESS) { |
5557 | 0 | answer = result; |
5558 | 0 | goto closeversion; |
5559 | 0 | } |
5560 | | |
5561 | 2 | if (nscount != NULL || errors != NULL) { |
5562 | 2 | result = zone_count_ns_rr(zone, db, node, version, nscount, |
5563 | 2 | errors, true); |
5564 | 2 | if (result != ISC_R_SUCCESS) { |
5565 | 0 | answer = result; |
5566 | 0 | } |
5567 | 2 | } |
5568 | | |
5569 | 2 | if (soacount != NULL || soattl != NULL || serial != NULL || |
5570 | 2 | refresh != NULL || retry != NULL || expire != NULL || |
5571 | 2 | minimum != NULL) |
5572 | 2 | { |
5573 | 2 | result = zone_load_soa_rr(db, node, version, soacount, soattl, |
5574 | 2 | serial, refresh, retry, expire, |
5575 | 2 | minimum); |
5576 | 2 | if (result != ISC_R_SUCCESS) { |
5577 | 0 | answer = result; |
5578 | 0 | } |
5579 | 2 | } |
5580 | | |
5581 | 2 | dns_db_detachnode(db, &node); |
5582 | 2 | closeversion: |
5583 | 2 | dns_db_closeversion(db, &version, false); |
5584 | | |
5585 | 2 | return (answer); |
5586 | 2 | } |
5587 | | |
5588 | | static void |
5589 | 0 | zone_destroy(dns_zone_t *zone) { |
5590 | | /* |
5591 | | * Stop things being restarted after we cancel them below. |
5592 | | */ |
5593 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING); |
5594 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), "final reference detached"); |
5595 | |
|
5596 | 0 | if (zone->loop == NULL) { |
5597 | | /* |
5598 | | * This zone is unmanaged; we're probably running in |
5599 | | * named-checkzone or a unit test. There's no loop, so we |
5600 | | * need to free it immediately. |
5601 | | */ |
5602 | 0 | zone_shutdown(zone); |
5603 | 0 | } else { |
5604 | | /* |
5605 | | * This zone has a loop; it can clean |
5606 | | * itself up asynchronously. |
5607 | | */ |
5608 | 0 | isc_async_run(zone->loop, zone_shutdown, zone); |
5609 | 0 | } |
5610 | 0 | } |
5611 | | |
5612 | | #if DNS_ZONE_TRACE |
5613 | | ISC_REFCOUNT_TRACE_IMPL(dns_zone, zone_destroy); |
5614 | | #else |
5615 | | ISC_REFCOUNT_IMPL(dns_zone, zone_destroy); |
5616 | | #endif |
5617 | | |
5618 | | void |
5619 | 0 | dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) { |
5620 | 0 | REQUIRE(DNS_ZONE_VALID(source)); |
5621 | |
|
5622 | 0 | LOCK_ZONE(source); |
5623 | 0 | zone_iattach(source, target); |
5624 | 0 | UNLOCK_ZONE(source); |
5625 | 0 | } |
5626 | | |
5627 | | static void |
5628 | 4 | zone_iattach(dns_zone_t *source, dns_zone_t **target) { |
5629 | 4 | REQUIRE(DNS_ZONE_VALID(source)); |
5630 | 4 | REQUIRE(LOCKED_ZONE(source)); |
5631 | 4 | REQUIRE(target != NULL && *target == NULL); |
5632 | 4 | INSIST(isc_refcount_increment0(&source->irefs) + |
5633 | 4 | isc_refcount_current(&source->references) > |
5634 | 4 | 0); |
5635 | 4 | *target = source; |
5636 | 4 | } |
5637 | | |
5638 | | static void |
5639 | 4 | zone_idetach(dns_zone_t **zonep) { |
5640 | 4 | dns_zone_t *zone; |
5641 | | |
5642 | | /* |
5643 | | * 'zone' locked by caller. |
5644 | | */ |
5645 | 4 | REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep)); |
5646 | 4 | REQUIRE(LOCKED_ZONE(*zonep)); |
5647 | | |
5648 | 4 | zone = *zonep; |
5649 | 4 | *zonep = NULL; |
5650 | | |
5651 | 4 | INSIST(isc_refcount_decrement(&zone->irefs) - 1 + |
5652 | 4 | isc_refcount_current(&zone->references) > |
5653 | 4 | 0); |
5654 | 4 | } |
5655 | | |
5656 | | void |
5657 | 0 | dns_zone_idetach(dns_zone_t **zonep) { |
5658 | 0 | dns_zone_t *zone; |
5659 | |
|
5660 | 0 | REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep)); |
5661 | |
|
5662 | 0 | zone = *zonep; |
5663 | 0 | *zonep = NULL; |
5664 | |
|
5665 | 0 | if (isc_refcount_decrement(&zone->irefs) == 1) { |
5666 | 0 | bool free_needed; |
5667 | 0 | LOCK_ZONE(zone); |
5668 | 0 | free_needed = exit_check(zone); |
5669 | 0 | UNLOCK_ZONE(zone); |
5670 | 0 | if (free_needed) { |
5671 | 0 | zone_free(zone); |
5672 | 0 | } |
5673 | 0 | } |
5674 | 0 | } |
5675 | | |
5676 | | isc_mem_t * |
5677 | 0 | dns_zone_getmctx(dns_zone_t *zone) { |
5678 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5679 | |
|
5680 | 0 | return (zone->mctx); |
5681 | 0 | } |
5682 | | |
5683 | | dns_zonemgr_t * |
5684 | 0 | dns_zone_getmgr(dns_zone_t *zone) { |
5685 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5686 | |
|
5687 | 0 | return (zone->zmgr); |
5688 | 0 | } |
5689 | | |
5690 | | void |
5691 | 0 | dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) { |
5692 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5693 | |
|
5694 | 0 | LOCK_ZONE(zone); |
5695 | 0 | if (zone->kasp != NULL) { |
5696 | 0 | dns_kasp_detach(&zone->kasp); |
5697 | 0 | } |
5698 | 0 | if (kasp != NULL) { |
5699 | 0 | dns_kasp_attach(kasp, &zone->kasp); |
5700 | 0 | } |
5701 | 0 | UNLOCK_ZONE(zone); |
5702 | 0 | } |
5703 | | |
5704 | | void |
5705 | 0 | dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) { |
5706 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5707 | |
|
5708 | 0 | LOCK_ZONE(zone); |
5709 | 0 | if (zone->defaultkasp != NULL) { |
5710 | 0 | dns_kasp_detach(&zone->defaultkasp); |
5711 | 0 | } |
5712 | 0 | if (kasp != NULL) { |
5713 | 0 | dns_kasp_attach(kasp, &zone->defaultkasp); |
5714 | 0 | } |
5715 | 0 | UNLOCK_ZONE(zone); |
5716 | 0 | } |
5717 | | |
5718 | | dns_kasp_t * |
5719 | 0 | dns_zone_getkasp(dns_zone_t *zone) { |
5720 | 0 | dns_kasp_t *kasp; |
5721 | |
|
5722 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5723 | |
|
5724 | 0 | LOCK_ZONE(zone); |
5725 | 0 | if (inline_raw(zone) && zone->secure != NULL) { |
5726 | 0 | kasp = zone->secure->kasp; |
5727 | 0 | } else { |
5728 | 0 | kasp = zone->kasp; |
5729 | 0 | } |
5730 | 0 | UNLOCK_ZONE(zone); |
5731 | |
|
5732 | 0 | return (kasp); |
5733 | 0 | } |
5734 | | |
5735 | | void |
5736 | 0 | dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) { |
5737 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5738 | |
|
5739 | 0 | if (value) { |
5740 | 0 | DNS_ZONE_SETOPTION(zone, option); |
5741 | 0 | } else { |
5742 | 0 | DNS_ZONE_CLROPTION(zone, option); |
5743 | 0 | } |
5744 | 0 | } |
5745 | | |
5746 | | dns_zoneopt_t |
5747 | 0 | dns_zone_getoptions(dns_zone_t *zone) { |
5748 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5749 | |
|
5750 | 0 | return (atomic_load_relaxed(&zone->options)); |
5751 | 0 | } |
5752 | | |
5753 | | void |
5754 | 0 | dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) { |
5755 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5756 | |
|
5757 | 0 | if (value) { |
5758 | 0 | DNS_ZONEKEY_SETOPTION(zone, keyopt); |
5759 | 0 | } else { |
5760 | 0 | DNS_ZONEKEY_CLROPTION(zone, keyopt); |
5761 | 0 | } |
5762 | 0 | } |
5763 | | |
5764 | | unsigned int |
5765 | 0 | dns_zone_getkeyopts(dns_zone_t *zone) { |
5766 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5767 | |
|
5768 | 0 | return (atomic_load_relaxed(&zone->keyopts)); |
5769 | 0 | } |
5770 | | |
5771 | | isc_result_t |
5772 | 0 | dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) { |
5773 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5774 | |
|
5775 | 0 | LOCK_ZONE(zone); |
5776 | 0 | zone->xfrsource4 = *xfrsource; |
5777 | 0 | UNLOCK_ZONE(zone); |
5778 | |
|
5779 | 0 | return (ISC_R_SUCCESS); |
5780 | 0 | } |
5781 | | |
5782 | | isc_sockaddr_t * |
5783 | 0 | dns_zone_getxfrsource4(dns_zone_t *zone) { |
5784 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5785 | 0 | return (&zone->xfrsource4); |
5786 | 0 | } |
5787 | | |
5788 | | isc_result_t |
5789 | 0 | dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) { |
5790 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5791 | |
|
5792 | 0 | LOCK_ZONE(zone); |
5793 | 0 | zone->xfrsource6 = *xfrsource; |
5794 | 0 | UNLOCK_ZONE(zone); |
5795 | |
|
5796 | 0 | return (ISC_R_SUCCESS); |
5797 | 0 | } |
5798 | | |
5799 | | isc_sockaddr_t * |
5800 | 0 | dns_zone_getxfrsource6(dns_zone_t *zone) { |
5801 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5802 | 0 | return (&zone->xfrsource6); |
5803 | 0 | } |
5804 | | |
5805 | | isc_result_t |
5806 | 0 | dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) { |
5807 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5808 | |
|
5809 | 0 | LOCK_ZONE(zone); |
5810 | 0 | zone->parentalsrc4 = *parentalsrc; |
5811 | 0 | UNLOCK_ZONE(zone); |
5812 | |
|
5813 | 0 | return (ISC_R_SUCCESS); |
5814 | 0 | } |
5815 | | |
5816 | | isc_sockaddr_t * |
5817 | 0 | dns_zone_getparentalsrc4(dns_zone_t *zone) { |
5818 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5819 | 0 | return (&zone->parentalsrc4); |
5820 | 0 | } |
5821 | | |
5822 | | isc_result_t |
5823 | 0 | dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) { |
5824 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5825 | |
|
5826 | 0 | LOCK_ZONE(zone); |
5827 | 0 | zone->parentalsrc6 = *parentalsrc; |
5828 | 0 | UNLOCK_ZONE(zone); |
5829 | |
|
5830 | 0 | return (ISC_R_SUCCESS); |
5831 | 0 | } |
5832 | | |
5833 | | isc_sockaddr_t * |
5834 | 0 | dns_zone_getparentalsrc6(dns_zone_t *zone) { |
5835 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5836 | 0 | return (&zone->parentalsrc6); |
5837 | 0 | } |
5838 | | |
5839 | | isc_result_t |
5840 | 0 | dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) { |
5841 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5842 | |
|
5843 | 0 | LOCK_ZONE(zone); |
5844 | 0 | zone->notifysrc4 = *notifysrc; |
5845 | 0 | UNLOCK_ZONE(zone); |
5846 | |
|
5847 | 0 | return (ISC_R_SUCCESS); |
5848 | 0 | } |
5849 | | |
5850 | | isc_sockaddr_t * |
5851 | 0 | dns_zone_getnotifysrc4(dns_zone_t *zone) { |
5852 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5853 | 0 | return (&zone->notifysrc4); |
5854 | 0 | } |
5855 | | |
5856 | | isc_result_t |
5857 | 0 | dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) { |
5858 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5859 | |
|
5860 | 0 | LOCK_ZONE(zone); |
5861 | 0 | zone->notifysrc6 = *notifysrc; |
5862 | 0 | UNLOCK_ZONE(zone); |
5863 | |
|
5864 | 0 | return (ISC_R_SUCCESS); |
5865 | 0 | } |
5866 | | |
5867 | | isc_sockaddr_t * |
5868 | 0 | dns_zone_getnotifysrc6(dns_zone_t *zone) { |
5869 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5870 | 0 | return (&zone->notifysrc6); |
5871 | 0 | } |
5872 | | |
5873 | | void |
5874 | | dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *addresses, |
5875 | | isc_sockaddr_t *sources, dns_name_t **keynames, |
5876 | 0 | dns_name_t **tlsnames, uint32_t count) { |
5877 | 0 | dns_remote_t remote; |
5878 | |
|
5879 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5880 | |
|
5881 | 0 | LOCK_ZONE(zone); |
5882 | |
|
5883 | 0 | remote.magic = DNS_REMOTE_MAGIC; |
5884 | 0 | remote.addresses = addresses; |
5885 | 0 | remote.sources = sources; |
5886 | 0 | remote.keynames = keynames; |
5887 | 0 | remote.tlsnames = tlsnames; |
5888 | 0 | remote.addrcnt = count; |
5889 | |
|
5890 | 0 | if (dns_remote_equal(&zone->notify, &remote)) { |
5891 | 0 | goto unlock; |
5892 | 0 | } |
5893 | | |
5894 | 0 | dns_remote_clear(&zone->notify); |
5895 | | |
5896 | | /* |
5897 | | * If count == 0, don't allocate any space for servers to notify. |
5898 | | */ |
5899 | 0 | if (count == 0) { |
5900 | 0 | goto unlock; |
5901 | 0 | } |
5902 | | |
5903 | | /* |
5904 | | * Now set up the notify address and key lists. |
5905 | | */ |
5906 | 0 | dns_remote_init(&zone->notify, count, addresses, sources, keynames, |
5907 | 0 | tlsnames, true, zone->mctx); |
5908 | |
|
5909 | 0 | unlock: |
5910 | 0 | UNLOCK_ZONE(zone); |
5911 | 0 | } |
5912 | | |
5913 | | static bool |
5914 | 0 | has_pf(isc_sockaddr_t *addresses, size_t count, int pf) { |
5915 | 0 | for (size_t i = 0; i < count; i++) { |
5916 | 0 | if (isc_sockaddr_pf(&addresses[i]) == pf) { |
5917 | 0 | return (true); |
5918 | 0 | } |
5919 | 0 | } |
5920 | 0 | return (false); |
5921 | 0 | } |
5922 | | |
5923 | | static void |
5924 | | report_no_active_addresses(dns_zone_t *zone, isc_sockaddr_t *addresses, |
5925 | 0 | size_t count, const char *what) { |
5926 | 0 | if (isc_net_probeipv4() == ISC_R_DISABLED) { |
5927 | 0 | if (!has_pf(addresses, count, AF_INET6)) { |
5928 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
5929 | 0 | "IPv4 disabled and no IPv6 %s", what); |
5930 | 0 | } |
5931 | 0 | } else if (isc_net_probeipv6() == ISC_R_DISABLED) { |
5932 | 0 | if (!has_pf(addresses, count, AF_INET)) { |
5933 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
5934 | 0 | "IPv6 disabled and no IPv4 %s", what); |
5935 | 0 | } |
5936 | 0 | } |
5937 | 0 | } |
5938 | | |
5939 | | void |
5940 | | dns_zone_setprimaries(dns_zone_t *zone, isc_sockaddr_t *addresses, |
5941 | | isc_sockaddr_t *sources, dns_name_t **keynames, |
5942 | 0 | dns_name_t **tlsnames, uint32_t count) { |
5943 | 0 | dns_remote_t remote; |
5944 | |
|
5945 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
5946 | |
|
5947 | 0 | LOCK_ZONE(zone); |
5948 | |
|
5949 | 0 | remote.magic = DNS_REMOTE_MAGIC; |
5950 | 0 | remote.addresses = addresses; |
5951 | 0 | remote.sources = sources; |
5952 | 0 | remote.keynames = keynames; |
5953 | 0 | remote.tlsnames = tlsnames; |
5954 | 0 | remote.addrcnt = count; |
5955 | | |
5956 | | /* |
5957 | | * The refresh code assumes that 'primaries' wouldn't change under it. |
5958 | | * If it will change then kill off any current refresh in progress |
5959 | | * and update the primaries info. If it won't change then we can just |
5960 | | * unlock and exit. |
5961 | | */ |
5962 | 0 | if (!dns_remote_equal(&zone->primaries, &remote)) { |
5963 | 0 | if (zone->request != NULL) { |
5964 | 0 | dns_request_cancel(zone->request); |
5965 | 0 | } |
5966 | 0 | } else { |
5967 | 0 | goto unlock; |
5968 | 0 | } |
5969 | | |
5970 | 0 | dns_remote_clear(&zone->primaries); |
5971 | | |
5972 | | /* |
5973 | | * If count == 0, don't allocate any space for primaries. |
5974 | | */ |
5975 | 0 | if (count == 0) { |
5976 | 0 | goto unlock; |
5977 | 0 | } |
5978 | | |
5979 | 0 | report_no_active_addresses(zone, addresses, count, "primaries"); |
5980 | | |
5981 | | /* |
5982 | | * Now set up the primaries and primary key lists. |
5983 | | */ |
5984 | 0 | dns_remote_init(&zone->primaries, count, addresses, sources, keynames, |
5985 | 0 | tlsnames, true, zone->mctx); |
5986 | |
|
5987 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOPRIMARIES); |
5988 | |
|
5989 | 0 | unlock: |
5990 | 0 | UNLOCK_ZONE(zone); |
5991 | 0 | } |
5992 | | |
5993 | | void |
5994 | | dns_zone_setparentals(dns_zone_t *zone, isc_sockaddr_t *addresses, |
5995 | | isc_sockaddr_t *sources, dns_name_t **keynames, |
5996 | 0 | dns_name_t **tlsnames, uint32_t count) { |
5997 | 0 | dns_remote_t remote; |
5998 | |
|
5999 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
6000 | |
|
6001 | 0 | LOCK_ZONE(zone); |
6002 | |
|
6003 | 0 | remote.magic = DNS_REMOTE_MAGIC; |
6004 | 0 | remote.addresses = addresses; |
6005 | 0 | remote.sources = sources; |
6006 | 0 | remote.keynames = keynames; |
6007 | 0 | remote.tlsnames = tlsnames; |
6008 | 0 | remote.addrcnt = count; |
6009 | |
|
6010 | 0 | if (dns_remote_equal(&zone->parentals, &remote)) { |
6011 | 0 | goto unlock; |
6012 | 0 | } |
6013 | | |
6014 | 0 | dns_remote_clear(&zone->parentals); |
6015 | | |
6016 | | /* |
6017 | | * If count == 0, don't allocate any space for parentals. |
6018 | | */ |
6019 | 0 | if (count == 0) { |
6020 | 0 | goto unlock; |
6021 | 0 | } |
6022 | | |
6023 | 0 | report_no_active_addresses(zone, addresses, count, "parental-agents"); |
6024 | | |
6025 | | /* |
6026 | | * Now set up the parentals and parental key lists. |
6027 | | */ |
6028 | 0 | dns_remote_init(&zone->parentals, count, addresses, sources, keynames, |
6029 | 0 | tlsnames, true, zone->mctx); |
6030 | |
|
6031 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: set %u parentals", count); |
6032 | |
|
6033 | 0 | unlock: |
6034 | 0 | UNLOCK_ZONE(zone); |
6035 | 0 | } |
6036 | | |
6037 | | isc_result_t |
6038 | 173 | dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) { |
6039 | 173 | isc_result_t result = ISC_R_SUCCESS; |
6040 | | |
6041 | 173 | REQUIRE(DNS_ZONE_VALID(zone)); |
6042 | | |
6043 | 173 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
6044 | 173 | if (zone->db == NULL) { |
6045 | 0 | result = DNS_R_NOTLOADED; |
6046 | 173 | } else { |
6047 | 173 | dns_db_attach(zone->db, dpb); |
6048 | 173 | } |
6049 | 173 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
6050 | | |
6051 | 173 | return (result); |
6052 | 173 | } |
6053 | | |
6054 | | void |
6055 | 0 | dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) { |
6056 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
6057 | 0 | REQUIRE(zone->type == dns_zone_staticstub); |
6058 | |
|
6059 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
6060 | 0 | REQUIRE(zone->db == NULL); |
6061 | 0 | dns_db_attach(db, &zone->db); |
6062 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
6063 | 0 | } |
6064 | | |
6065 | | static bool |
6066 | 0 | was_dumping(dns_zone_t *zone) { |
6067 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
6068 | |
|
6069 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) { |
6070 | 0 | return (true); |
6071 | 0 | } |
6072 | | |
6073 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING); |
6074 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP); |
6075 | 0 | isc_time_settoepoch(&zone->dumptime); |
6076 | 0 | return (false); |
6077 | 0 | } |
6078 | | |
6079 | | static isc_result_t |
6080 | | keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx, |
6081 | 0 | dst_key_t **key) { |
6082 | 0 | const char *directory = zone->keydirectory; |
6083 | 0 | dns_kasp_t *kasp = zone->kasp; |
6084 | 0 | dst_key_t *foundkey = NULL; |
6085 | 0 | isc_result_t result = ISC_R_NOTFOUND; |
6086 | |
|
6087 | 0 | if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) || |
6088 | 0 | (strcmp(dns_kasp_getname(kasp), "insecure") == 0)) |
6089 | 0 | { |
6090 | 0 | result = dst_key_fromfile( |
6091 | 0 | dst_key_name(pubkey), dst_key_id(pubkey), |
6092 | 0 | dst_key_alg(pubkey), |
6093 | 0 | (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE), |
6094 | 0 | directory, mctx, &foundkey); |
6095 | 0 | } else { |
6096 | 0 | for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); |
6097 | 0 | kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) |
6098 | 0 | { |
6099 | 0 | dns_keystore_t *ks = dns_kasp_key_keystore(kkey); |
6100 | 0 | directory = dns_keystore_directory(ks, |
6101 | 0 | zone->keydirectory); |
6102 | |
|
6103 | 0 | result = dst_key_fromfile( |
6104 | 0 | dst_key_name(pubkey), dst_key_id(pubkey), |
6105 | 0 | dst_key_alg(pubkey), |
6106 | 0 | (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | |
6107 | 0 | DST_TYPE_STATE), |
6108 | 0 | directory, mctx, &foundkey); |
6109 | 0 | if (result == ISC_R_SUCCESS) { |
6110 | 0 | break; |
6111 | 0 | } |
6112 | 0 | } |
6113 | 0 | } |
6114 | |
|
6115 | 0 | *key = foundkey; |
6116 | 0 | return (result); |
6117 | 0 | } |
6118 | | |
6119 | | #define is_zone_key(key) \ |
6120 | 0 | ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE) |
6121 | | |
6122 | | static isc_result_t |
6123 | | findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
6124 | | dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now, |
6125 | | isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, |
6126 | 0 | unsigned int *nkeys) { |
6127 | 0 | dns_rdataset_t rdataset; |
6128 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
6129 | 0 | isc_result_t result; |
6130 | 0 | dst_key_t *pubkey = NULL; |
6131 | 0 | unsigned int count = 0; |
6132 | |
|
6133 | 0 | *nkeys = 0; |
6134 | 0 | memset(keys, 0, sizeof(*keys) * maxkeys); |
6135 | 0 | dns_rdataset_init(&rdataset); |
6136 | 0 | RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, |
6137 | 0 | &rdataset, NULL)); |
6138 | 0 | RETERR(dns_rdataset_first(&rdataset)); |
6139 | 0 | while (result == ISC_R_SUCCESS && count < maxkeys) { |
6140 | 0 | pubkey = NULL; |
6141 | 0 | dns_rdataset_current(&rdataset, &rdata); |
6142 | 0 | RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); |
6143 | 0 | dst_key_setttl(pubkey, rdataset.ttl); |
6144 | |
|
6145 | 0 | if (!is_zone_key(pubkey) || |
6146 | 0 | (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) |
6147 | 0 | { |
6148 | 0 | goto next; |
6149 | 0 | } |
6150 | | /* Corrupted .key file? */ |
6151 | 0 | if (!dns_name_equal(name, dst_key_name(pubkey))) { |
6152 | 0 | goto next; |
6153 | 0 | } |
6154 | 0 | keys[count] = NULL; |
6155 | 0 | result = keyfromfile(zone, pubkey, mctx, &keys[count]); |
6156 | | |
6157 | | /* |
6158 | | * If the key was revoked and the private file |
6159 | | * doesn't exist, maybe it was revoked internally |
6160 | | * by named. Try loading the unrevoked version. |
6161 | | */ |
6162 | 0 | if (result == ISC_R_FILENOTFOUND) { |
6163 | 0 | uint32_t flags; |
6164 | 0 | flags = dst_key_flags(pubkey); |
6165 | 0 | if ((flags & DNS_KEYFLAG_REVOKE) != 0) { |
6166 | 0 | dst_key_setflags(pubkey, |
6167 | 0 | flags & ~DNS_KEYFLAG_REVOKE); |
6168 | 0 | result = keyfromfile(zone, pubkey, mctx, |
6169 | 0 | &keys[count]); |
6170 | 0 | if (result == ISC_R_SUCCESS && |
6171 | 0 | dst_key_pubcompare(pubkey, keys[count], |
6172 | 0 | false)) |
6173 | 0 | { |
6174 | 0 | dst_key_setflags(keys[count], flags); |
6175 | 0 | } |
6176 | 0 | dst_key_setflags(pubkey, flags); |
6177 | 0 | } |
6178 | 0 | } |
6179 | |
|
6180 | 0 | if (result != ISC_R_SUCCESS) { |
6181 | 0 | char filename[DNS_NAME_FORMATSIZE + |
6182 | 0 | DNS_SECALG_FORMATSIZE + |
6183 | 0 | sizeof("key file for //65535")]; |
6184 | 0 | isc_result_t result2; |
6185 | 0 | isc_buffer_t buf; |
6186 | |
|
6187 | 0 | isc_buffer_init(&buf, filename, sizeof(filename)); |
6188 | 0 | result2 = dst_key_getfilename( |
6189 | 0 | dst_key_name(pubkey), dst_key_id(pubkey), |
6190 | 0 | dst_key_alg(pubkey), |
6191 | 0 | (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | |
6192 | 0 | DST_TYPE_STATE), |
6193 | 0 | NULL, mctx, &buf); |
6194 | 0 | if (result2 != ISC_R_SUCCESS) { |
6195 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
6196 | 0 | char algbuf[DNS_SECALG_FORMATSIZE]; |
6197 | |
|
6198 | 0 | dns_name_format(dst_key_name(pubkey), namebuf, |
6199 | 0 | sizeof(namebuf)); |
6200 | 0 | dns_secalg_format(dst_key_alg(pubkey), algbuf, |
6201 | 0 | sizeof(algbuf)); |
6202 | 0 | snprintf(filename, sizeof(filename) - 1, |
6203 | 0 | "key file for %s/%s/%d", namebuf, |
6204 | 0 | algbuf, dst_key_id(pubkey)); |
6205 | 0 | } |
6206 | |
|
6207 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
6208 | 0 | DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING, |
6209 | 0 | "dns_zone_findkeys: error reading %s: %s", |
6210 | 0 | filename, isc_result_totext(result)); |
6211 | 0 | } |
6212 | |
|
6213 | 0 | if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) { |
6214 | 0 | keys[count] = pubkey; |
6215 | 0 | pubkey = NULL; |
6216 | 0 | count++; |
6217 | 0 | goto next; |
6218 | 0 | } |
6219 | | |
6220 | 0 | if (result != ISC_R_SUCCESS) { |
6221 | 0 | goto failure; |
6222 | 0 | } |
6223 | | |
6224 | | /* |
6225 | | * If a key is marked inactive, skip it |
6226 | | */ |
6227 | 0 | if (!dns_dnssec_keyactive(keys[count], now)) { |
6228 | 0 | dst_key_setinactive(pubkey, true); |
6229 | 0 | dst_key_free(&keys[count]); |
6230 | 0 | keys[count] = pubkey; |
6231 | 0 | pubkey = NULL; |
6232 | 0 | count++; |
6233 | 0 | goto next; |
6234 | 0 | } |
6235 | | |
6236 | | /* |
6237 | | * Whatever the key's default TTL may have |
6238 | | * been, the rdataset TTL takes priority. |
6239 | | */ |
6240 | 0 | dst_key_setttl(keys[count], rdataset.ttl); |
6241 | |
|
6242 | 0 | if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { |
6243 | | /* We should never get here. */ |
6244 | 0 | dst_key_free(&keys[count]); |
6245 | 0 | goto next; |
6246 | 0 | } |
6247 | 0 | count++; |
6248 | 0 | next: |
6249 | 0 | if (pubkey != NULL) { |
6250 | 0 | dst_key_free(&pubkey); |
6251 | 0 | } |
6252 | 0 | dns_rdata_reset(&rdata); |
6253 | 0 | result = dns_rdataset_next(&rdataset); |
6254 | 0 | } |
6255 | 0 | if (result != ISC_R_NOMORE) { |
6256 | 0 | goto failure; |
6257 | 0 | } |
6258 | 0 | if (count == 0) { |
6259 | 0 | result = ISC_R_NOTFOUND; |
6260 | 0 | } else { |
6261 | 0 | result = ISC_R_SUCCESS; |
6262 | 0 | } |
6263 | |
|
6264 | 0 | failure: |
6265 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
6266 | 0 | dns_rdataset_disassociate(&rdataset); |
6267 | 0 | } |
6268 | 0 | if (pubkey != NULL) { |
6269 | 0 | dst_key_free(&pubkey); |
6270 | 0 | } |
6271 | 0 | if (result != ISC_R_SUCCESS) { |
6272 | 0 | while (count > 0) { |
6273 | 0 | dst_key_free(&keys[--count]); |
6274 | 0 | } |
6275 | 0 | } |
6276 | 0 | *nkeys = count; |
6277 | 0 | return (result); |
6278 | 0 | } |
6279 | | |
6280 | | /*% |
6281 | | * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database |
6282 | | * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'. |
6283 | | * Only load the public part of a given key if it is not active at timestamp |
6284 | | * 'now'. Store the number of keys found in 'nkeys'. |
6285 | | */ |
6286 | | isc_result_t |
6287 | | dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
6288 | | isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, |
6289 | 0 | dst_key_t **keys, unsigned int *nkeys) { |
6290 | 0 | isc_result_t result; |
6291 | 0 | dns_dbnode_t *node = NULL; |
6292 | |
|
6293 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
6294 | 0 | REQUIRE(mctx != NULL); |
6295 | 0 | REQUIRE(nkeys != NULL); |
6296 | 0 | REQUIRE(keys != NULL); |
6297 | |
|
6298 | 0 | CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node)); |
6299 | | |
6300 | 0 | dns_zone_lock_keyfiles(zone); |
6301 | |
|
6302 | 0 | result = findzonekeys(zone, db, ver, node, dns_db_origin(db), now, mctx, |
6303 | 0 | maxkeys, keys, nkeys); |
6304 | |
|
6305 | 0 | dns_zone_unlock_keyfiles(zone); |
6306 | |
|
6307 | 0 | if (result == ISC_R_NOTFOUND) { |
6308 | 0 | result = ISC_R_SUCCESS; |
6309 | 0 | } |
6310 | |
|
6311 | 0 | failure: |
6312 | |
|
6313 | 0 | if (node != NULL) { |
6314 | 0 | dns_db_detachnode(db, &node); |
6315 | 0 | } |
6316 | 0 | return (result); |
6317 | 0 | } |
6318 | | |
6319 | | /*% |
6320 | | * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys |
6321 | | * into 'keys'. Requires KASP to be locked. |
6322 | | */ |
6323 | | isc_result_t |
6324 | | dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
6325 | 0 | isc_stdtime_t now, dns_dnsseckeylist_t *keys) { |
6326 | 0 | isc_result_t result; |
6327 | 0 | const char *dir = dns_zone_getkeydirectory(zone); |
6328 | 0 | dns_dbnode_t *node = NULL; |
6329 | 0 | dns_dnsseckey_t *key, *key_next; |
6330 | 0 | dns_dnsseckeylist_t dnskeys; |
6331 | 0 | dns_name_t *origin = dns_zone_getorigin(zone); |
6332 | 0 | dns_kasp_t *kasp = zone->kasp; |
6333 | 0 | dns_rdataset_t keyset; |
6334 | |
|
6335 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
6336 | 0 | REQUIRE(kasp != NULL); |
6337 | |
|
6338 | 0 | ISC_LIST_INIT(dnskeys); |
6339 | |
|
6340 | 0 | dns_rdataset_init(&keyset); |
6341 | |
|
6342 | 0 | CHECK(dns_db_findnode(db, origin, false, &node)); |
6343 | | |
6344 | | /* Get keys from private key files. */ |
6345 | 0 | dns_zone_lock_keyfiles(zone); |
6346 | 0 | result = dns_dnssec_findmatchingkeys(origin, kasp, dir, zone->keystores, |
6347 | 0 | now, dns_zone_getmctx(zone), keys); |
6348 | 0 | dns_zone_unlock_keyfiles(zone); |
6349 | |
|
6350 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
6351 | 0 | goto failure; |
6352 | 0 | } |
6353 | | |
6354 | | /* Get public keys (dnskeys). */ |
6355 | 0 | dns_rdataset_init(&keyset); |
6356 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, |
6357 | 0 | dns_rdatatype_none, 0, &keyset, NULL); |
6358 | 0 | if (result == ISC_R_SUCCESS) { |
6359 | 0 | CHECK(dns_dnssec_keylistfromrdataset( |
6360 | 0 | origin, kasp, dir, dns_zone_getmctx(zone), &keyset, |
6361 | 0 | NULL, NULL, false, false, &dnskeys)); |
6362 | 0 | } else if (result != ISC_R_NOTFOUND) { |
6363 | 0 | CHECK(result); |
6364 | 0 | } |
6365 | | |
6366 | | /* Add new 'dnskeys' to 'keys'. */ |
6367 | 0 | for (dns_dnsseckey_t *k1 = ISC_LIST_HEAD(dnskeys); k1 != NULL; |
6368 | 0 | k1 = key_next) |
6369 | 0 | { |
6370 | 0 | dns_dnsseckey_t *k2 = NULL; |
6371 | 0 | key_next = ISC_LIST_NEXT(k1, link); |
6372 | |
|
6373 | 0 | for (k2 = ISC_LIST_HEAD(*keys); k2 != NULL; |
6374 | 0 | k2 = ISC_LIST_NEXT(k2, link)) |
6375 | 0 | { |
6376 | 0 | if (dst_key_compare(k1->key, k2->key)) { |
6377 | 0 | break; |
6378 | 0 | } |
6379 | 0 | } |
6380 | | /* No match found, add the new key. */ |
6381 | 0 | if (k2 == NULL) { |
6382 | 0 | ISC_LIST_UNLINK(dnskeys, k1, link); |
6383 | 0 | ISC_LIST_APPEND(*keys, k1, link); |
6384 | 0 | } |
6385 | 0 | } |
6386 | |
|
6387 | 0 | failure: |
6388 | 0 | if (dns_rdataset_isassociated(&keyset)) { |
6389 | 0 | dns_rdataset_disassociate(&keyset); |
6390 | 0 | } |
6391 | 0 | if (node != NULL) { |
6392 | 0 | dns_db_detachnode(db, &node); |
6393 | 0 | } |
6394 | 0 | while (!ISC_LIST_EMPTY(dnskeys)) { |
6395 | 0 | key = ISC_LIST_HEAD(dnskeys); |
6396 | 0 | ISC_LIST_UNLINK(dnskeys, key, link); |
6397 | 0 | dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key); |
6398 | 0 | } |
6399 | 0 | return (result); |
6400 | 0 | } |
6401 | | |
6402 | | static isc_result_t |
6403 | | offline(dns_db_t *db, dns_dbversion_t *ver, dns__zonediff_t *zonediff, |
6404 | 0 | dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) { |
6405 | 0 | isc_result_t result; |
6406 | |
|
6407 | 0 | if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) { |
6408 | 0 | return (ISC_R_SUCCESS); |
6409 | 0 | } |
6410 | 0 | result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN, |
6411 | 0 | name, ttl, rdata); |
6412 | 0 | if (result != ISC_R_SUCCESS) { |
6413 | 0 | return (result); |
6414 | 0 | } |
6415 | 0 | rdata->flags |= DNS_RDATA_OFFLINE; |
6416 | 0 | result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_ADDRESIGN, |
6417 | 0 | name, ttl, rdata); |
6418 | 0 | zonediff->offline = true; |
6419 | 0 | return (result); |
6420 | 0 | } |
6421 | | |
6422 | | static void |
6423 | | set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, |
6424 | 0 | isc_stdtime_t now) { |
6425 | 0 | unsigned int delta; |
6426 | 0 | char timebuf[80]; |
6427 | |
|
6428 | 0 | LOCK_ZONE(zone); |
6429 | 0 | zone->key_expiry = when; |
6430 | 0 | if (when <= now) { |
6431 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
6432 | 0 | "DNSKEY RRSIG(s) have expired"); |
6433 | 0 | isc_time_settoepoch(&zone->keywarntime); |
6434 | 0 | } else if (when < now + 7 * 24 * 3600) { |
6435 | 0 | isc_time_t t; |
6436 | 0 | isc_time_set(&t, when, 0); |
6437 | 0 | isc_time_formattimestamp(&t, timebuf, 80); |
6438 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
6439 | 0 | "DNSKEY RRSIG(s) will expire within 7 days: %s", |
6440 | 0 | timebuf); |
6441 | 0 | delta = when - now; |
6442 | 0 | delta--; /* loop prevention */ |
6443 | 0 | delta /= 24 * 3600; /* to whole days */ |
6444 | 0 | delta *= 24 * 3600; /* to seconds */ |
6445 | 0 | isc_time_set(&zone->keywarntime, when - delta, 0); |
6446 | 0 | } else { |
6447 | 0 | isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0); |
6448 | 0 | isc_time_formattimestamp(&zone->keywarntime, timebuf, 80); |
6449 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, "setting keywarntime to %s", |
6450 | 0 | timebuf); |
6451 | 0 | } |
6452 | 0 | UNLOCK_ZONE(zone); |
6453 | 0 | } |
6454 | | |
6455 | | /* |
6456 | | * Helper function to del_sigs(). We don't want to delete RRSIGs that |
6457 | | * have no new key. |
6458 | | */ |
6459 | | static bool |
6460 | | delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, |
6461 | 0 | bool kasp, bool *warn) { |
6462 | 0 | unsigned int i = 0; |
6463 | 0 | isc_result_t ret; |
6464 | 0 | bool have_ksk = false, have_zsk = false; |
6465 | 0 | bool have_pksk = false, have_pzsk = false; |
6466 | |
|
6467 | 0 | for (i = 0; i < nkeys; i++) { |
6468 | 0 | bool ksk, zsk; |
6469 | |
|
6470 | 0 | if (have_pksk && have_ksk && have_pzsk && have_zsk) { |
6471 | 0 | break; |
6472 | 0 | } |
6473 | | |
6474 | 0 | if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) { |
6475 | 0 | continue; |
6476 | 0 | } |
6477 | | |
6478 | 0 | ret = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk); |
6479 | 0 | if (ret != ISC_R_SUCCESS) { |
6480 | 0 | ksk = KSK(keys[i]); |
6481 | 0 | } |
6482 | 0 | ret = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk); |
6483 | 0 | if (ret != ISC_R_SUCCESS) { |
6484 | 0 | zsk = !KSK(keys[i]); |
6485 | 0 | } |
6486 | |
|
6487 | 0 | if (ksk) { |
6488 | 0 | have_ksk = true; |
6489 | 0 | if (dst_key_isprivate(keys[i])) { |
6490 | 0 | have_pksk = true; |
6491 | 0 | } |
6492 | 0 | } |
6493 | 0 | if (zsk) { |
6494 | 0 | have_zsk = true; |
6495 | 0 | if (dst_key_isprivate(keys[i])) { |
6496 | 0 | have_pzsk = true; |
6497 | 0 | } |
6498 | 0 | } |
6499 | 0 | } |
6500 | |
|
6501 | 0 | if (have_zsk && have_ksk && !have_pzsk) { |
6502 | 0 | *warn = true; |
6503 | 0 | } |
6504 | |
|
6505 | 0 | if (have_pksk && have_pzsk) { |
6506 | 0 | return (true); |
6507 | 0 | } |
6508 | | |
6509 | | /* |
6510 | | * Deleting the SOA RRSIG is always okay. |
6511 | | */ |
6512 | 0 | if (rrsig_ptr->covered == dns_rdatatype_soa) { |
6513 | 0 | return (true); |
6514 | 0 | } |
6515 | | |
6516 | | /* |
6517 | | * It's okay to delete a signature if there is an active key with the |
6518 | | * same algorithm to replace it, unless that violates the DNSSEC |
6519 | | * policy. |
6520 | | */ |
6521 | 0 | if (have_pksk || have_pzsk) { |
6522 | 0 | if (kasp && have_pzsk) { |
6523 | 0 | return (true); |
6524 | 0 | } |
6525 | 0 | return (!kasp); |
6526 | 0 | } |
6527 | | |
6528 | | /* |
6529 | | * Failing that, it is *not* okay to delete a signature |
6530 | | * if the associated public key is still in the DNSKEY RRset |
6531 | | */ |
6532 | 0 | for (i = 0; i < nkeys; i++) { |
6533 | 0 | if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) && |
6534 | 0 | (rrsig_ptr->keyid == dst_key_id(keys[i]))) |
6535 | 0 | { |
6536 | 0 | return (false); |
6537 | 0 | } |
6538 | 0 | } |
6539 | | |
6540 | | /* |
6541 | | * But if the key is gone, then go ahead. |
6542 | | */ |
6543 | 0 | return (true); |
6544 | 0 | } |
6545 | | |
6546 | | /* |
6547 | | * Delete expired RRsigs and any RRsigs we are about to re-sign. |
6548 | | * See also update.c:del_keysigs(). |
6549 | | */ |
6550 | | static isc_result_t |
6551 | | del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, |
6552 | | dns_rdatatype_t type, dns__zonediff_t *zonediff, dst_key_t **keys, |
6553 | 0 | unsigned int nkeys, isc_stdtime_t now, bool incremental) { |
6554 | 0 | isc_result_t result; |
6555 | 0 | dns_dbnode_t *node = NULL; |
6556 | 0 | dns_rdataset_t rdataset; |
6557 | 0 | unsigned int i; |
6558 | 0 | dns_rdata_rrsig_t rrsig; |
6559 | 0 | bool kasp = zone->kasp; |
6560 | 0 | bool found; |
6561 | 0 | int64_t timewarn = 0, timemaybe = 0; |
6562 | |
|
6563 | 0 | dns_rdataset_init(&rdataset); |
6564 | |
|
6565 | 0 | if (type == dns_rdatatype_nsec3) { |
6566 | 0 | result = dns_db_findnsec3node(db, name, false, &node); |
6567 | 0 | } else { |
6568 | 0 | result = dns_db_findnode(db, name, false, &node); |
6569 | 0 | } |
6570 | 0 | if (result == ISC_R_NOTFOUND) { |
6571 | 0 | return (ISC_R_SUCCESS); |
6572 | 0 | } |
6573 | 0 | if (result != ISC_R_SUCCESS) { |
6574 | 0 | goto failure; |
6575 | 0 | } |
6576 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type, |
6577 | 0 | (isc_stdtime_t)0, &rdataset, NULL); |
6578 | 0 | dns_db_detachnode(db, &node); |
6579 | |
|
6580 | 0 | if (result == ISC_R_NOTFOUND) { |
6581 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
6582 | 0 | return (ISC_R_SUCCESS); |
6583 | 0 | } |
6584 | 0 | if (result != ISC_R_SUCCESS) { |
6585 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
6586 | 0 | goto failure; |
6587 | 0 | } |
6588 | | |
6589 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
6590 | 0 | result = dns_rdataset_next(&rdataset)) |
6591 | 0 | { |
6592 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
6593 | |
|
6594 | 0 | dns_rdataset_current(&rdataset, &rdata); |
6595 | 0 | result = dns_rdata_tostruct(&rdata, &rrsig, NULL); |
6596 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
6597 | |
|
6598 | 0 | if (!dns_rdatatype_iskeymaterial(type)) { |
6599 | 0 | bool warn = false, deleted = false; |
6600 | 0 | if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) { |
6601 | 0 | result = update_one_rr(db, ver, zonediff->diff, |
6602 | 0 | DNS_DIFFOP_DELRESIGN, |
6603 | 0 | name, rdataset.ttl, |
6604 | 0 | &rdata); |
6605 | 0 | if (result != ISC_R_SUCCESS) { |
6606 | 0 | break; |
6607 | 0 | } |
6608 | 0 | deleted = true; |
6609 | 0 | } |
6610 | 0 | if (warn && !deleted) { |
6611 | | /* |
6612 | | * At this point, we've got an RRSIG, |
6613 | | * which is signed by an inactive key. |
6614 | | * An administrator needs to provide a new |
6615 | | * key/alg, but until that time, we want to |
6616 | | * keep the old RRSIG. Marking the key as |
6617 | | * offline will prevent us spinning waiting |
6618 | | * for the private part. |
6619 | | */ |
6620 | 0 | if (incremental) { |
6621 | 0 | result = offline(db, ver, zonediff, |
6622 | 0 | name, rdataset.ttl, |
6623 | 0 | &rdata); |
6624 | 0 | if (result != ISC_R_SUCCESS) { |
6625 | 0 | break; |
6626 | 0 | } |
6627 | 0 | } |
6628 | | |
6629 | | /* |
6630 | | * Log the key id and algorithm of |
6631 | | * the inactive key with no replacement |
6632 | | */ |
6633 | 0 | if (zone->log_key_expired_timer <= now) { |
6634 | 0 | char origin[DNS_NAME_FORMATSIZE]; |
6635 | 0 | char algbuf[DNS_NAME_FORMATSIZE]; |
6636 | 0 | dns_name_format(&zone->origin, origin, |
6637 | 0 | sizeof(origin)); |
6638 | 0 | dns_secalg_format(rrsig.algorithm, |
6639 | 0 | algbuf, |
6640 | 0 | sizeof(algbuf)); |
6641 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
6642 | 0 | "Key %s/%s/%d " |
6643 | 0 | "missing or inactive " |
6644 | 0 | "and has no replacement: " |
6645 | 0 | "retaining signatures.", |
6646 | 0 | origin, algbuf, |
6647 | 0 | rrsig.keyid); |
6648 | 0 | zone->log_key_expired_timer = now + |
6649 | 0 | 3600; |
6650 | 0 | } |
6651 | 0 | } |
6652 | 0 | continue; |
6653 | 0 | } |
6654 | | |
6655 | | /* |
6656 | | * KSK RRSIGs requires special processing. |
6657 | | */ |
6658 | 0 | found = false; |
6659 | 0 | for (i = 0; i < nkeys; i++) { |
6660 | 0 | if (rrsig.algorithm == dst_key_alg(keys[i]) && |
6661 | 0 | rrsig.keyid == dst_key_id(keys[i])) |
6662 | 0 | { |
6663 | 0 | found = true; |
6664 | | /* |
6665 | | * Mark offline DNSKEY. |
6666 | | * We want the earliest offline expire time |
6667 | | * iff there is a new offline signature. |
6668 | | */ |
6669 | 0 | if (!dst_key_inactive(keys[i]) && |
6670 | 0 | !dst_key_isprivate(keys[i])) |
6671 | 0 | { |
6672 | 0 | int64_t timeexpire = dns_time64_from32( |
6673 | 0 | rrsig.timeexpire); |
6674 | 0 | if (timewarn != 0 && |
6675 | 0 | timewarn > timeexpire) |
6676 | 0 | { |
6677 | 0 | timewarn = timeexpire; |
6678 | 0 | } |
6679 | 0 | if (rdata.flags & DNS_RDATA_OFFLINE) { |
6680 | 0 | if (timemaybe == 0 || |
6681 | 0 | timemaybe > timeexpire) |
6682 | 0 | { |
6683 | 0 | timemaybe = timeexpire; |
6684 | 0 | } |
6685 | 0 | break; |
6686 | 0 | } |
6687 | 0 | if (timewarn == 0) { |
6688 | 0 | timewarn = timemaybe; |
6689 | 0 | } |
6690 | 0 | if (timewarn == 0 || |
6691 | 0 | timewarn > timeexpire) |
6692 | 0 | { |
6693 | 0 | timewarn = timeexpire; |
6694 | 0 | } |
6695 | 0 | result = offline(db, ver, zonediff, |
6696 | 0 | name, rdataset.ttl, |
6697 | 0 | &rdata); |
6698 | 0 | break; |
6699 | 0 | } |
6700 | 0 | result = update_one_rr(db, ver, zonediff->diff, |
6701 | 0 | DNS_DIFFOP_DELRESIGN, |
6702 | 0 | name, rdataset.ttl, |
6703 | 0 | &rdata); |
6704 | 0 | break; |
6705 | 0 | } |
6706 | 0 | } |
6707 | | |
6708 | | /* |
6709 | | * If there is not a matching DNSKEY then |
6710 | | * delete the RRSIG. |
6711 | | */ |
6712 | 0 | if (!found) { |
6713 | 0 | result = update_one_rr(db, ver, zonediff->diff, |
6714 | 0 | DNS_DIFFOP_DELRESIGN, name, |
6715 | 0 | rdataset.ttl, &rdata); |
6716 | 0 | } |
6717 | 0 | if (result != ISC_R_SUCCESS) { |
6718 | 0 | break; |
6719 | 0 | } |
6720 | 0 | } |
6721 | |
|
6722 | 0 | dns_rdataset_disassociate(&rdataset); |
6723 | 0 | if (result == ISC_R_NOMORE) { |
6724 | 0 | result = ISC_R_SUCCESS; |
6725 | 0 | } |
6726 | 0 | if (timewarn > 0) { |
6727 | 0 | isc_stdtime_t stdwarn = (isc_stdtime_t)timewarn; |
6728 | 0 | if (timewarn == stdwarn) { |
6729 | 0 | set_key_expiry_warning(zone, (isc_stdtime_t)timewarn, |
6730 | 0 | now); |
6731 | 0 | } else { |
6732 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
6733 | 0 | "key expiry warning time out of range"); |
6734 | 0 | } |
6735 | 0 | } |
6736 | 0 | failure: |
6737 | 0 | if (node != NULL) { |
6738 | 0 | dns_db_detachnode(db, &node); |
6739 | 0 | } |
6740 | 0 | return (result); |
6741 | 0 | } |
6742 | | |
6743 | | static isc_result_t |
6744 | | add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, |
6745 | | dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, |
6746 | | unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t now, |
6747 | 0 | isc_stdtime_t inception, isc_stdtime_t expire) { |
6748 | 0 | isc_result_t result; |
6749 | 0 | dns_dbnode_t *node = NULL; |
6750 | 0 | dns_stats_t *dnssecsignstats; |
6751 | 0 | dns_rdataset_t rdataset; |
6752 | 0 | dns_rdata_t sig_rdata = DNS_RDATA_INIT; |
6753 | 0 | unsigned char data[1024]; /* XXX */ |
6754 | 0 | isc_buffer_t buffer; |
6755 | 0 | unsigned int i; |
6756 | 0 | bool use_kasp = false; |
6757 | |
|
6758 | 0 | if (zone->kasp != NULL) { |
6759 | 0 | use_kasp = true; |
6760 | 0 | } |
6761 | |
|
6762 | 0 | dns_rdataset_init(&rdataset); |
6763 | 0 | isc_buffer_init(&buffer, data, sizeof(data)); |
6764 | |
|
6765 | 0 | if (type == dns_rdatatype_nsec3) { |
6766 | 0 | result = dns_db_findnsec3node(db, name, false, &node); |
6767 | 0 | } else { |
6768 | 0 | result = dns_db_findnode(db, name, false, &node); |
6769 | 0 | } |
6770 | 0 | if (result == ISC_R_NOTFOUND) { |
6771 | 0 | return (ISC_R_SUCCESS); |
6772 | 0 | } |
6773 | 0 | if (result != ISC_R_SUCCESS) { |
6774 | 0 | goto failure; |
6775 | 0 | } |
6776 | 0 | result = dns_db_findrdataset(db, node, ver, type, 0, (isc_stdtime_t)0, |
6777 | 0 | &rdataset, NULL); |
6778 | 0 | dns_db_detachnode(db, &node); |
6779 | 0 | if (result == ISC_R_NOTFOUND) { |
6780 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
6781 | 0 | return (ISC_R_SUCCESS); |
6782 | 0 | } |
6783 | 0 | if (result != ISC_R_SUCCESS) { |
6784 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
6785 | 0 | goto failure; |
6786 | 0 | } |
6787 | | |
6788 | 0 | for (i = 0; i < nkeys; i++) { |
6789 | | /* Don't add signatures for offline or inactive keys */ |
6790 | 0 | if (!dst_key_isprivate(keys[i])) { |
6791 | 0 | continue; |
6792 | 0 | } |
6793 | 0 | if (dst_key_inactive(keys[i])) { |
6794 | 0 | continue; |
6795 | 0 | } |
6796 | | |
6797 | 0 | if (use_kasp) { |
6798 | | /* |
6799 | | * A dnssec-policy is found. Check what RRsets this |
6800 | | * key should sign. |
6801 | | */ |
6802 | 0 | isc_result_t kresult; |
6803 | 0 | isc_stdtime_t when; |
6804 | 0 | bool ksk = false; |
6805 | 0 | bool zsk = false; |
6806 | 0 | bool have_zsk = false; |
6807 | |
|
6808 | 0 | kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk); |
6809 | 0 | if (kresult != ISC_R_SUCCESS) { |
6810 | 0 | if (KSK(keys[i])) { |
6811 | 0 | ksk = true; |
6812 | 0 | } |
6813 | 0 | } |
6814 | 0 | kresult = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk); |
6815 | 0 | if (kresult != ISC_R_SUCCESS) { |
6816 | 0 | if (!KSK(keys[i])) { |
6817 | 0 | zsk = true; |
6818 | 0 | } |
6819 | 0 | } |
6820 | | |
6821 | | /* |
6822 | | * Don't consider inactive keys or offline keys. |
6823 | | */ |
6824 | 0 | (void)dst_key_have_ksk_and_zsk(keys, nkeys, i, true, |
6825 | 0 | ksk, zsk, NULL, |
6826 | 0 | &have_zsk); |
6827 | |
|
6828 | 0 | if (dns_rdatatype_iskeymaterial(type)) { |
6829 | | /* |
6830 | | * DNSKEY RRset is signed with KSK. |
6831 | | * CDS and CDNSKEY RRsets too (RFC 7344, 4.1). |
6832 | | */ |
6833 | 0 | if (!ksk) { |
6834 | 0 | continue; |
6835 | 0 | } |
6836 | 0 | } else if (!zsk) { |
6837 | | /* |
6838 | | * Other RRsets are signed with ZSK. |
6839 | | */ |
6840 | 0 | if (type != dns_rdatatype_soa && |
6841 | 0 | type != zone->privatetype) |
6842 | 0 | { |
6843 | 0 | continue; |
6844 | 0 | } |
6845 | 0 | if (have_zsk) { |
6846 | 0 | continue; |
6847 | 0 | } |
6848 | 0 | } else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK, |
6849 | 0 | now, &when)) |
6850 | 0 | { |
6851 | | /* |
6852 | | * This key is not active for zone-signing. |
6853 | | */ |
6854 | 0 | continue; |
6855 | 0 | } |
6856 | 0 | } else if (!REVOKE(keys[i])) { |
6857 | | /* |
6858 | | * Don't consider inactive keys, however the KSK may be |
6859 | | * temporary offline, so do consider keys which private |
6860 | | * key files are unavailable. |
6861 | | */ |
6862 | 0 | bool both = dst_key_have_ksk_and_zsk( |
6863 | 0 | keys, nkeys, i, false, KSK(keys[i]), |
6864 | 0 | !KSK(keys[i]), NULL, NULL); |
6865 | 0 | if (both) { |
6866 | | /* |
6867 | | * CDS and CDNSKEY are signed with KSK (RFC |
6868 | | * 7344, 4.1). |
6869 | | */ |
6870 | 0 | if (dns_rdatatype_iskeymaterial(type)) { |
6871 | 0 | if (!KSK(keys[i])) { |
6872 | 0 | continue; |
6873 | 0 | } |
6874 | 0 | } else if (KSK(keys[i])) { |
6875 | 0 | continue; |
6876 | 0 | } |
6877 | 0 | } |
6878 | 0 | } |
6879 | | |
6880 | | /* |
6881 | | * If this key is revoked, it may only sign the DNSKEY RRset. |
6882 | | */ |
6883 | 0 | if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) { |
6884 | 0 | continue; |
6885 | 0 | } |
6886 | | |
6887 | | /* Calculate the signature, creating a RRSIG RDATA. */ |
6888 | 0 | isc_buffer_clear(&buffer); |
6889 | 0 | CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception, |
6890 | 0 | &expire, mctx, &buffer, &sig_rdata)); |
6891 | | |
6892 | | /* Update the database and journal with the RRSIG. */ |
6893 | | /* XXX inefficient - will cause dataset merging */ |
6894 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name, |
6895 | 0 | rdataset.ttl, &sig_rdata)); |
6896 | 0 | dns_rdata_reset(&sig_rdata); |
6897 | 0 | isc_buffer_init(&buffer, data, sizeof(data)); |
6898 | | |
6899 | | /* Update DNSSEC sign statistics. */ |
6900 | 0 | dnssecsignstats = dns_zone_getdnssecsignstats(zone); |
6901 | 0 | if (dnssecsignstats != NULL) { |
6902 | | /* Generated a new signature. */ |
6903 | 0 | dns_dnssecsignstats_increment(dnssecsignstats, |
6904 | 0 | ID(keys[i]), |
6905 | 0 | (uint8_t)ALG(keys[i]), |
6906 | 0 | dns_dnssecsignstats_sign); |
6907 | | /* This is a refresh. */ |
6908 | 0 | dns_dnssecsignstats_increment( |
6909 | 0 | dnssecsignstats, ID(keys[i]), |
6910 | 0 | (uint8_t)ALG(keys[i]), |
6911 | 0 | dns_dnssecsignstats_refresh); |
6912 | 0 | } |
6913 | 0 | } |
6914 | | |
6915 | 0 | failure: |
6916 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
6917 | 0 | dns_rdataset_disassociate(&rdataset); |
6918 | 0 | } |
6919 | 0 | if (node != NULL) { |
6920 | 0 | dns_db_detachnode(db, &node); |
6921 | 0 | } |
6922 | 0 | return (result); |
6923 | 0 | } |
6924 | | |
6925 | | static void |
6926 | | calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now, |
6927 | | isc_stdtime_t *inception, isc_stdtime_t *soaexpire, |
6928 | 0 | isc_stdtime_t *expire, isc_stdtime_t *fullexpire) { |
6929 | 0 | REQUIRE(inception != NULL); |
6930 | 0 | REQUIRE(soaexpire != NULL); |
6931 | | /* expire and fullexpire are optional */ |
6932 | |
|
6933 | 0 | isc_stdtime_t jitter = DEFAULT_JITTER; |
6934 | 0 | isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone); |
6935 | 0 | isc_stdtime_t shortjitter = 0, fulljitter = 0; |
6936 | |
|
6937 | 0 | if (zone->kasp != NULL) { |
6938 | 0 | jitter = dns_kasp_sigjitter(zone->kasp); |
6939 | 0 | sigvalidity = dns_kasp_sigvalidity(zone->kasp); |
6940 | 0 | INSIST(jitter <= sigvalidity); |
6941 | 0 | } |
6942 | |
|
6943 | 0 | if (jitter > sigvalidity) { |
6944 | 0 | jitter = sigvalidity; |
6945 | 0 | } |
6946 | |
|
6947 | 0 | *inception = now - 3600; /* Allow for clock skew. */ |
6948 | 0 | *soaexpire = now + sigvalidity; |
6949 | | |
6950 | | /* |
6951 | | * Spread out signatures over time if they happen to be |
6952 | | * clumped. We don't do this for each add_sigs() call as |
6953 | | * we still want some clustering to occur. In normal operations |
6954 | | * the records should be re-signed as they fall due and they should |
6955 | | * already be spread out. However if the server is off for a |
6956 | | * period we need to ensure that the clusters don't become |
6957 | | * synchronised by using the full jitter range. |
6958 | | */ |
6959 | 0 | if (sigvalidity >= 3600U) { |
6960 | 0 | if (sigvalidity > 7200U) { |
6961 | 0 | shortjitter = isc_random_uniform(3600); |
6962 | 0 | fulljitter = isc_random_uniform(jitter); |
6963 | 0 | } else { |
6964 | 0 | shortjitter = fulljitter = isc_random_uniform(1200); |
6965 | 0 | } |
6966 | 0 | } |
6967 | |
|
6968 | 0 | SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1); |
6969 | 0 | SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1); |
6970 | 0 | } |
6971 | | |
6972 | | static void |
6973 | 0 | zone_resigninc(dns_zone_t *zone) { |
6974 | 0 | dns_db_t *db = NULL; |
6975 | 0 | dns_dbversion_t *version = NULL; |
6976 | 0 | dns_diff_t _sig_diff; |
6977 | 0 | dns__zonediff_t zonediff; |
6978 | 0 | dns_fixedname_t fixed; |
6979 | 0 | dns_name_t *name; |
6980 | 0 | dns_typepair_t typepair; |
6981 | 0 | dst_key_t *zone_keys[DNS_MAXZONEKEYS]; |
6982 | 0 | isc_result_t result; |
6983 | 0 | isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop; |
6984 | 0 | unsigned int i; |
6985 | 0 | unsigned int nkeys = 0; |
6986 | 0 | isc_stdtime_t resign; |
6987 | |
|
6988 | 0 | ENTER; |
6989 | |
|
6990 | 0 | dns_diff_init(zone->mctx, &_sig_diff); |
6991 | 0 | zonediff_init(&zonediff, &_sig_diff); |
6992 | | |
6993 | | /* |
6994 | | * Zone is frozen. Pause for 5 minutes. |
6995 | | */ |
6996 | 0 | if (zone->update_disabled) { |
6997 | 0 | result = ISC_R_FAILURE; |
6998 | 0 | goto failure; |
6999 | 0 | } |
7000 | | |
7001 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
7002 | 0 | if (zone->db != NULL) { |
7003 | 0 | dns_db_attach(zone->db, &db); |
7004 | 0 | } |
7005 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
7006 | 0 | if (db == NULL) { |
7007 | 0 | result = ISC_R_FAILURE; |
7008 | 0 | goto failure; |
7009 | 0 | } |
7010 | | |
7011 | 0 | result = dns_db_newversion(db, &version); |
7012 | 0 | if (result != ISC_R_SUCCESS) { |
7013 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7014 | 0 | "zone_resigninc:dns_db_newversion -> %s", |
7015 | 0 | isc_result_totext(result)); |
7016 | 0 | goto failure; |
7017 | 0 | } |
7018 | | |
7019 | 0 | now = isc_stdtime_now(); |
7020 | |
|
7021 | 0 | result = dns_zone_findkeys(zone, db, version, now, zone->mctx, |
7022 | 0 | DNS_MAXZONEKEYS, zone_keys, &nkeys); |
7023 | 0 | if (result != ISC_R_SUCCESS) { |
7024 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7025 | 0 | "zone_resigninc:dns_zone_findkeys -> %s", |
7026 | 0 | isc_result_totext(result)); |
7027 | 0 | goto failure; |
7028 | 0 | } |
7029 | | |
7030 | 0 | calculate_rrsig_validity(zone, now, &inception, &soaexpire, &expire, |
7031 | 0 | &fullexpire); |
7032 | |
|
7033 | 0 | stop = now + 5; |
7034 | |
|
7035 | 0 | name = dns_fixedname_initname(&fixed); |
7036 | 0 | result = dns_db_getsigningtime(db, &resign, name, &typepair); |
7037 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
7038 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7039 | 0 | "zone_resigninc:dns_db_getsigningtime -> %s", |
7040 | 0 | isc_result_totext(result)); |
7041 | 0 | } |
7042 | |
|
7043 | 0 | i = 0; |
7044 | 0 | while (result == ISC_R_SUCCESS) { |
7045 | 0 | dns_rdatatype_t covers = DNS_TYPEPAIR_COVERS(typepair); |
7046 | |
|
7047 | 0 | resign -= dns_zone_getsigresigninginterval(zone); |
7048 | | |
7049 | | /* |
7050 | | * Stop if we hit the SOA as that means we have walked the |
7051 | | * entire zone. The SOA record should always be the most |
7052 | | * recent signature. |
7053 | | */ |
7054 | | /* XXXMPA increase number of RRsets signed pre call */ |
7055 | 0 | if ((covers == dns_rdatatype_soa && |
7056 | 0 | dns_name_equal(name, &zone->origin)) || |
7057 | 0 | i++ > zone->signatures || resign > stop) |
7058 | 0 | { |
7059 | 0 | break; |
7060 | 0 | } |
7061 | | |
7062 | 0 | result = del_sigs(zone, db, version, name, covers, &zonediff, |
7063 | 0 | zone_keys, nkeys, now, true); |
7064 | 0 | if (result != ISC_R_SUCCESS) { |
7065 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7066 | 0 | "zone_resigninc:del_sigs -> %s", |
7067 | 0 | isc_result_totext(result)); |
7068 | 0 | break; |
7069 | 0 | } |
7070 | | |
7071 | | /* |
7072 | | * If re-signing is over 5 minutes late use 'fullexpire' |
7073 | | * to redistribute the signature over the complete |
7074 | | * re-signing window, otherwise only add a small amount |
7075 | | * of jitter. |
7076 | | */ |
7077 | 0 | result = add_sigs(db, version, name, zone, covers, |
7078 | 0 | zonediff.diff, zone_keys, nkeys, zone->mctx, |
7079 | 0 | now, inception, |
7080 | 0 | resign > (now - 300) ? expire : fullexpire); |
7081 | 0 | if (result != ISC_R_SUCCESS) { |
7082 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7083 | 0 | "zone_resigninc:add_sigs -> %s", |
7084 | 0 | isc_result_totext(result)); |
7085 | 0 | break; |
7086 | 0 | } |
7087 | 0 | result = dns_db_getsigningtime(db, &resign, name, &typepair); |
7088 | 0 | if (nkeys == 0 && result == ISC_R_NOTFOUND) { |
7089 | 0 | result = ISC_R_SUCCESS; |
7090 | 0 | break; |
7091 | 0 | } |
7092 | 0 | if (result != ISC_R_SUCCESS) { |
7093 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7094 | 0 | "zone_resigninc:dns_db_getsigningtime -> " |
7095 | 0 | "%s", |
7096 | 0 | isc_result_totext(result)); |
7097 | 0 | } |
7098 | 0 | } |
7099 | |
|
7100 | 0 | if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS) { |
7101 | 0 | goto failure; |
7102 | 0 | } |
7103 | | |
7104 | 0 | result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, |
7105 | 0 | &zonediff, zone_keys, nkeys, now, true); |
7106 | 0 | if (result != ISC_R_SUCCESS) { |
7107 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7108 | 0 | "zone_resigninc:del_sigs -> %s", |
7109 | 0 | isc_result_totext(result)); |
7110 | 0 | goto failure; |
7111 | 0 | } |
7112 | | |
7113 | | /* |
7114 | | * Did we change anything in the zone? |
7115 | | */ |
7116 | 0 | if (ISC_LIST_EMPTY(zonediff.diff->tuples)) { |
7117 | | /* |
7118 | | * Commit the changes if any key has been marked as offline. |
7119 | | */ |
7120 | 0 | if (zonediff.offline) { |
7121 | 0 | dns_db_closeversion(db, &version, true); |
7122 | 0 | } |
7123 | 0 | goto failure; |
7124 | 0 | } |
7125 | | |
7126 | | /* Increment SOA serial if we have made changes */ |
7127 | 0 | result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx, |
7128 | 0 | zone->updatemethod); |
7129 | 0 | if (result != ISC_R_SUCCESS) { |
7130 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7131 | 0 | "zone_resigninc:update_soa_serial -> %s", |
7132 | 0 | isc_result_totext(result)); |
7133 | 0 | goto failure; |
7134 | 0 | } |
7135 | | |
7136 | | /* |
7137 | | * Generate maximum life time signatures so that the above loop |
7138 | | * termination is sensible. |
7139 | | */ |
7140 | 0 | result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, |
7141 | 0 | zonediff.diff, zone_keys, nkeys, zone->mctx, now, |
7142 | 0 | inception, soaexpire); |
7143 | 0 | if (result != ISC_R_SUCCESS) { |
7144 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
7145 | 0 | "zone_resigninc:add_sigs -> %s", |
7146 | 0 | isc_result_totext(result)); |
7147 | 0 | goto failure; |
7148 | 0 | } |
7149 | | |
7150 | | /* Write changes to journal file. */ |
7151 | 0 | CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc")); |
7152 | | |
7153 | | /* Everything has succeeded. Commit the changes. */ |
7154 | 0 | dns_db_closeversion(db, &version, true); |
7155 | |
|
7156 | 0 | failure: |
7157 | 0 | dns_diff_clear(&_sig_diff); |
7158 | 0 | for (i = 0; i < nkeys; i++) { |
7159 | 0 | dst_key_free(&zone_keys[i]); |
7160 | 0 | } |
7161 | 0 | if (version != NULL) { |
7162 | 0 | dns_db_closeversion(db, &version, false); |
7163 | 0 | dns_db_detach(&db); |
7164 | 0 | } else if (db != NULL) { |
7165 | 0 | dns_db_detach(&db); |
7166 | 0 | } |
7167 | |
|
7168 | 0 | LOCK_ZONE(zone); |
7169 | 0 | if (result == ISC_R_SUCCESS) { |
7170 | 0 | set_resigntime(zone); |
7171 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
7172 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
7173 | 0 | } else { |
7174 | | /* |
7175 | | * Something failed. Retry in 5 minutes. |
7176 | | */ |
7177 | 0 | isc_interval_t ival; |
7178 | 0 | isc_interval_set(&ival, 300, 0); |
7179 | 0 | isc_time_nowplusinterval(&zone->resigntime, &ival); |
7180 | 0 | } |
7181 | 0 | UNLOCK_ZONE(zone); |
7182 | |
|
7183 | 0 | INSIST(version == NULL); |
7184 | 0 | } |
7185 | | |
7186 | | static isc_result_t |
7187 | | next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname, |
7188 | 0 | dns_name_t *newname, bool bottom) { |
7189 | 0 | isc_result_t result; |
7190 | 0 | dns_dbiterator_t *dbit = NULL; |
7191 | 0 | dns_rdatasetiter_t *rdsit = NULL; |
7192 | 0 | dns_dbnode_t *node = NULL; |
7193 | |
|
7194 | 0 | CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit)); |
7195 | 0 | CHECK(dns_dbiterator_seek(dbit, oldname)); |
7196 | 0 | do { |
7197 | 0 | result = dns_dbiterator_next(dbit); |
7198 | 0 | if (result == ISC_R_NOMORE) { |
7199 | 0 | CHECK(dns_dbiterator_first(dbit)); |
7200 | 0 | } |
7201 | 0 | CHECK(dns_dbiterator_current(dbit, &node, newname)); |
7202 | 0 | if (bottom && dns_name_issubdomain(newname, oldname) && |
7203 | 0 | !dns_name_equal(newname, oldname)) |
7204 | 0 | { |
7205 | 0 | dns_db_detachnode(db, &node); |
7206 | 0 | continue; |
7207 | 0 | } |
7208 | | /* |
7209 | | * Is this node empty? |
7210 | | */ |
7211 | 0 | CHECK(dns_db_allrdatasets(db, node, version, 0, 0, &rdsit)); |
7212 | 0 | result = dns_rdatasetiter_first(rdsit); |
7213 | 0 | dns_db_detachnode(db, &node); |
7214 | 0 | dns_rdatasetiter_destroy(&rdsit); |
7215 | 0 | if (result != ISC_R_NOMORE) { |
7216 | 0 | break; |
7217 | 0 | } |
7218 | 0 | } while (1); |
7219 | 0 | failure: |
7220 | 0 | if (node != NULL) { |
7221 | 0 | dns_db_detachnode(db, &node); |
7222 | 0 | } |
7223 | 0 | if (dbit != NULL) { |
7224 | 0 | dns_dbiterator_destroy(&dbit); |
7225 | 0 | } |
7226 | 0 | return (result); |
7227 | 0 | } |
7228 | | |
7229 | | static bool |
7230 | | signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, |
7231 | | dns_dbversion_t *version, dns_rdatatype_t type, |
7232 | 0 | dst_key_t *key) { |
7233 | 0 | isc_result_t result; |
7234 | 0 | dns_rdataset_t rdataset; |
7235 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7236 | 0 | dns_rdata_rrsig_t rrsig; |
7237 | 0 | int count = 0; |
7238 | 0 | dns_kasp_t *kasp = zone->kasp; |
7239 | |
|
7240 | 0 | dns_rdataset_init(&rdataset); |
7241 | 0 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig, |
7242 | 0 | type, 0, &rdataset, NULL); |
7243 | 0 | if (result != ISC_R_SUCCESS) { |
7244 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
7245 | 0 | return (false); |
7246 | 0 | } |
7247 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7248 | 0 | result = dns_rdataset_next(&rdataset)) |
7249 | 0 | { |
7250 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7251 | 0 | result = dns_rdata_tostruct(&rdata, &rrsig, NULL); |
7252 | 0 | INSIST(result == ISC_R_SUCCESS); |
7253 | 0 | if (rrsig.algorithm == dst_key_alg(key) && |
7254 | 0 | rrsig.keyid == dst_key_id(key)) |
7255 | 0 | { |
7256 | 0 | dns_rdataset_disassociate(&rdataset); |
7257 | 0 | return (true); |
7258 | 0 | } |
7259 | 0 | if (rrsig.algorithm == dst_key_alg(key)) { |
7260 | 0 | count++; |
7261 | 0 | } |
7262 | 0 | dns_rdata_reset(&rdata); |
7263 | 0 | } |
7264 | | |
7265 | 0 | if (zone->kasp != NULL) { |
7266 | 0 | dns_kasp_key_t *kkey; |
7267 | 0 | int zsk_count = 0; |
7268 | 0 | bool approved; |
7269 | |
|
7270 | 0 | KASP_LOCK(kasp); |
7271 | 0 | for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; |
7272 | 0 | kkey = ISC_LIST_NEXT(kkey, link)) |
7273 | 0 | { |
7274 | 0 | if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) { |
7275 | 0 | continue; |
7276 | 0 | } |
7277 | 0 | if (dns_kasp_key_zsk(kkey)) { |
7278 | 0 | zsk_count++; |
7279 | 0 | } |
7280 | 0 | } |
7281 | 0 | KASP_UNLOCK(kasp); |
7282 | |
|
7283 | 0 | if (dns_rdatatype_iskeymaterial(type)) { |
7284 | | /* |
7285 | | * CDS and CDNSKEY are signed with KSK like DNSKEY. |
7286 | | * (RFC 7344, section 4.1 specifies that they must |
7287 | | * be signed with a key in the current DS RRset, |
7288 | | * which would only include KSK's.) |
7289 | | */ |
7290 | 0 | approved = false; |
7291 | 0 | } else { |
7292 | 0 | approved = (zsk_count == count); |
7293 | 0 | } |
7294 | |
|
7295 | 0 | dns_rdataset_disassociate(&rdataset); |
7296 | 0 | return (approved); |
7297 | 0 | } |
7298 | | |
7299 | 0 | dns_rdataset_disassociate(&rdataset); |
7300 | 0 | return (false); |
7301 | 0 | } |
7302 | | |
7303 | | static isc_result_t |
7304 | | add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, |
7305 | 0 | dns_dbnode_t *node, dns_ttl_t ttl, bool bottom, dns_diff_t *diff) { |
7306 | 0 | dns_fixedname_t fixed; |
7307 | 0 | dns_name_t *next; |
7308 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7309 | 0 | isc_result_t result; |
7310 | 0 | unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE]; |
7311 | |
|
7312 | 0 | next = dns_fixedname_initname(&fixed); |
7313 | |
|
7314 | 0 | CHECK(next_active(db, version, name, next, bottom)); |
7315 | 0 | CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer, &rdata)); |
7316 | 0 | CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl, |
7317 | 0 | &rdata)); |
7318 | 0 | failure: |
7319 | 0 | return (result); |
7320 | 0 | } |
7321 | | |
7322 | | static isc_result_t |
7323 | | check_if_bottom_of_zone(dns_db_t *db, dns_dbnode_t *node, |
7324 | 0 | dns_dbversion_t *version, bool *is_bottom_of_zone) { |
7325 | 0 | isc_result_t result; |
7326 | 0 | dns_rdatasetiter_t *iterator = NULL; |
7327 | 0 | dns_rdataset_t rdataset; |
7328 | 0 | bool seen_soa = false, seen_ns = false, seen_dname = false; |
7329 | |
|
7330 | 0 | REQUIRE(is_bottom_of_zone != NULL); |
7331 | |
|
7332 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator); |
7333 | 0 | if (result != ISC_R_SUCCESS) { |
7334 | 0 | if (result == ISC_R_NOTFOUND) { |
7335 | 0 | result = ISC_R_SUCCESS; |
7336 | 0 | } |
7337 | 0 | return (result); |
7338 | 0 | } |
7339 | | |
7340 | 0 | dns_rdataset_init(&rdataset); |
7341 | 0 | for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; |
7342 | 0 | result = dns_rdatasetiter_next(iterator)) |
7343 | 0 | { |
7344 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
7345 | 0 | switch (rdataset.type) { |
7346 | 0 | case dns_rdatatype_soa: |
7347 | 0 | seen_soa = true; |
7348 | 0 | break; |
7349 | 0 | case dns_rdatatype_ns: |
7350 | 0 | seen_ns = true; |
7351 | 0 | break; |
7352 | 0 | case dns_rdatatype_dname: |
7353 | 0 | seen_dname = true; |
7354 | 0 | break; |
7355 | 0 | } |
7356 | 0 | dns_rdataset_disassociate(&rdataset); |
7357 | 0 | } |
7358 | 0 | if (result != ISC_R_NOMORE) { |
7359 | 0 | goto failure; |
7360 | 0 | } |
7361 | 0 | if ((seen_ns && !seen_soa) || seen_dname) { |
7362 | 0 | *is_bottom_of_zone = true; |
7363 | 0 | } |
7364 | 0 | result = ISC_R_SUCCESS; |
7365 | |
|
7366 | 0 | failure: |
7367 | 0 | dns_rdatasetiter_destroy(&iterator); |
7368 | |
|
7369 | 0 | return (result); |
7370 | 0 | } |
7371 | | |
7372 | | static isc_result_t |
7373 | | sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, |
7374 | | dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3, |
7375 | | bool build_nsec, dst_key_t *key, isc_stdtime_t now, |
7376 | | isc_stdtime_t inception, isc_stdtime_t expire, dns_ttl_t nsecttl, |
7377 | | bool both, bool is_ksk, bool is_zsk, bool is_bottom_of_zone, |
7378 | 0 | dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx) { |
7379 | 0 | isc_result_t result; |
7380 | 0 | dns_rdatasetiter_t *iterator = NULL; |
7381 | 0 | dns_rdataset_t rdataset; |
7382 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7383 | 0 | dns_stats_t *dnssecsignstats; |
7384 | |
|
7385 | 0 | isc_buffer_t buffer; |
7386 | 0 | unsigned char data[1024]; |
7387 | 0 | bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds; |
7388 | |
|
7389 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator); |
7390 | 0 | if (result != ISC_R_SUCCESS) { |
7391 | 0 | if (result == ISC_R_NOTFOUND) { |
7392 | 0 | result = ISC_R_SUCCESS; |
7393 | 0 | } |
7394 | 0 | return (result); |
7395 | 0 | } |
7396 | | |
7397 | 0 | dns_rdataset_init(&rdataset); |
7398 | 0 | isc_buffer_init(&buffer, data, sizeof(data)); |
7399 | 0 | seen_rr = seen_soa = seen_ns = seen_nsec = seen_nsec3 = seen_ds = false; |
7400 | 0 | for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; |
7401 | 0 | result = dns_rdatasetiter_next(iterator)) |
7402 | 0 | { |
7403 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
7404 | 0 | if (rdataset.type == dns_rdatatype_soa) { |
7405 | 0 | seen_soa = true; |
7406 | 0 | } else if (rdataset.type == dns_rdatatype_ns) { |
7407 | 0 | seen_ns = true; |
7408 | 0 | } else if (rdataset.type == dns_rdatatype_ds) { |
7409 | 0 | seen_ds = true; |
7410 | 0 | } else if (rdataset.type == dns_rdatatype_nsec) { |
7411 | 0 | seen_nsec = true; |
7412 | 0 | } else if (rdataset.type == dns_rdatatype_nsec3) { |
7413 | 0 | seen_nsec3 = true; |
7414 | 0 | } |
7415 | 0 | if (rdataset.type != dns_rdatatype_rrsig) { |
7416 | 0 | seen_rr = true; |
7417 | 0 | } |
7418 | 0 | dns_rdataset_disassociate(&rdataset); |
7419 | 0 | } |
7420 | 0 | if (result != ISC_R_NOMORE) { |
7421 | 0 | goto failure; |
7422 | 0 | } |
7423 | | /* |
7424 | | * Going from insecure to NSEC3. |
7425 | | * Don't generate NSEC3 records for NSEC3 records. |
7426 | | */ |
7427 | 0 | if (build_nsec3 && !seen_nsec3 && seen_rr) { |
7428 | 0 | bool unsecure = !seen_ds && seen_ns && !seen_soa; |
7429 | 0 | CHECK(dns_nsec3_addnsec3s(db, version, name, nsecttl, unsecure, |
7430 | 0 | diff)); |
7431 | 0 | (*signatures)--; |
7432 | 0 | } |
7433 | | /* |
7434 | | * Going from insecure to NSEC. |
7435 | | * Don't generate NSEC records for NSEC3 records. |
7436 | | */ |
7437 | 0 | if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) { |
7438 | | /* |
7439 | | * Build a NSEC record except at the origin. |
7440 | | */ |
7441 | 0 | if (!dns_name_equal(name, dns_db_origin(db))) { |
7442 | 0 | CHECK(add_nsec(db, version, name, node, nsecttl, |
7443 | 0 | is_bottom_of_zone, diff)); |
7444 | | /* Count a NSEC generation as a signature generation. */ |
7445 | 0 | (*signatures)--; |
7446 | 0 | } |
7447 | 0 | } |
7448 | 0 | result = dns_rdatasetiter_first(iterator); |
7449 | 0 | while (result == ISC_R_SUCCESS) { |
7450 | 0 | isc_stdtime_t when; |
7451 | |
|
7452 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
7453 | 0 | if (rdataset.type == dns_rdatatype_soa || |
7454 | 0 | rdataset.type == dns_rdatatype_rrsig) |
7455 | 0 | { |
7456 | 0 | goto next_rdataset; |
7457 | 0 | } |
7458 | 0 | if (dns_rdatatype_iskeymaterial(rdataset.type)) { |
7459 | | /* |
7460 | | * CDS and CDNSKEY are signed with KSK like DNSKEY. |
7461 | | * (RFC 7344, section 4.1 specifies that they must |
7462 | | * be signed with a key in the current DS RRset, |
7463 | | * which would only include KSK's.) |
7464 | | */ |
7465 | 0 | if (!is_ksk && both) { |
7466 | 0 | goto next_rdataset; |
7467 | 0 | } |
7468 | 0 | } else if (!is_zsk && both) { |
7469 | 0 | goto next_rdataset; |
7470 | 0 | } else if (is_zsk && |
7471 | 0 | !dst_key_is_signing(key, DST_BOOL_ZSK, now, &when)) |
7472 | 0 | { |
7473 | | /* Only applies to dnssec-policy. */ |
7474 | 0 | if (zone->kasp != NULL) { |
7475 | 0 | goto next_rdataset; |
7476 | 0 | } |
7477 | 0 | } |
7478 | | |
7479 | 0 | if (seen_ns && !seen_soa && rdataset.type != dns_rdatatype_ds && |
7480 | 0 | rdataset.type != dns_rdatatype_nsec) |
7481 | 0 | { |
7482 | 0 | goto next_rdataset; |
7483 | 0 | } |
7484 | 0 | if (signed_with_good_key(zone, db, node, version, rdataset.type, |
7485 | 0 | key)) |
7486 | 0 | { |
7487 | 0 | goto next_rdataset; |
7488 | 0 | } |
7489 | | |
7490 | | /* Calculate the signature, creating a RRSIG RDATA. */ |
7491 | 0 | isc_buffer_clear(&buffer); |
7492 | 0 | CHECK(dns_dnssec_sign(name, &rdataset, key, &inception, &expire, |
7493 | 0 | mctx, &buffer, &rdata)); |
7494 | | /* Update the database and journal with the RRSIG. */ |
7495 | | /* XXX inefficient - will cause dataset merging */ |
7496 | 0 | CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN, |
7497 | 0 | name, rdataset.ttl, &rdata)); |
7498 | 0 | dns_rdata_reset(&rdata); |
7499 | | |
7500 | | /* Update DNSSEC sign statistics. */ |
7501 | 0 | dnssecsignstats = dns_zone_getdnssecsignstats(zone); |
7502 | 0 | if (dnssecsignstats != NULL) { |
7503 | | /* Generated a new signature. */ |
7504 | 0 | dns_dnssecsignstats_increment(dnssecsignstats, ID(key), |
7505 | 0 | ALG(key), |
7506 | 0 | dns_dnssecsignstats_sign); |
7507 | | /* This is a refresh. */ |
7508 | 0 | dns_dnssecsignstats_increment( |
7509 | 0 | dnssecsignstats, ID(key), ALG(key), |
7510 | 0 | dns_dnssecsignstats_refresh); |
7511 | 0 | } |
7512 | |
|
7513 | 0 | (*signatures)--; |
7514 | 0 | next_rdataset: |
7515 | 0 | dns_rdataset_disassociate(&rdataset); |
7516 | 0 | result = dns_rdatasetiter_next(iterator); |
7517 | 0 | } |
7518 | 0 | if (result == ISC_R_NOMORE) { |
7519 | 0 | result = ISC_R_SUCCESS; |
7520 | 0 | } |
7521 | 0 | failure: |
7522 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
7523 | 0 | dns_rdataset_disassociate(&rdataset); |
7524 | 0 | } |
7525 | 0 | if (iterator != NULL) { |
7526 | 0 | dns_rdatasetiter_destroy(&iterator); |
7527 | 0 | } |
7528 | 0 | return (result); |
7529 | 0 | } |
7530 | | |
7531 | | /* |
7532 | | * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist. |
7533 | | */ |
7534 | | static isc_result_t |
7535 | | updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, |
7536 | 0 | dns_ttl_t nsecttl, bool update_only, dns_diff_t *diff) { |
7537 | 0 | isc_result_t result; |
7538 | 0 | dns_rdataset_t rdataset; |
7539 | 0 | dns_dbnode_t *node = NULL; |
7540 | |
|
7541 | 0 | CHECK(dns_db_getoriginnode(db, &node)); |
7542 | 0 | if (update_only) { |
7543 | 0 | dns_rdataset_init(&rdataset); |
7544 | 0 | result = dns_db_findrdataset( |
7545 | 0 | db, node, version, dns_rdatatype_nsec, |
7546 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
7547 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
7548 | 0 | dns_rdataset_disassociate(&rdataset); |
7549 | 0 | } |
7550 | 0 | if (result == ISC_R_NOTFOUND) { |
7551 | 0 | goto success; |
7552 | 0 | } |
7553 | 0 | if (result != ISC_R_SUCCESS) { |
7554 | 0 | goto failure; |
7555 | 0 | } |
7556 | 0 | } |
7557 | 0 | CHECK(delete_nsec(db, version, node, name, diff)); |
7558 | 0 | CHECK(add_nsec(db, version, name, node, nsecttl, false, diff)); |
7559 | 0 | success: |
7560 | 0 | result = ISC_R_SUCCESS; |
7561 | 0 | failure: |
7562 | 0 | if (node != NULL) { |
7563 | 0 | dns_db_detachnode(db, &node); |
7564 | 0 | } |
7565 | 0 | return (result); |
7566 | 0 | } |
7567 | | |
7568 | | static isc_result_t |
7569 | | updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing, |
7570 | | dns_dbversion_t *version, bool build_nsec3, dns_ttl_t nsecttl, |
7571 | 0 | dns_diff_t *diff) { |
7572 | 0 | isc_result_t result; |
7573 | 0 | dns_dbnode_t *node = NULL; |
7574 | 0 | dns_rdataset_t rdataset; |
7575 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7576 | 0 | unsigned char data[5]; |
7577 | 0 | bool seen_done = false; |
7578 | 0 | bool have_rr = false; |
7579 | |
|
7580 | 0 | dns_rdataset_init(&rdataset); |
7581 | 0 | result = dns_db_getoriginnode(signing->db, &node); |
7582 | 0 | if (result != ISC_R_SUCCESS) { |
7583 | 0 | goto failure; |
7584 | 0 | } |
7585 | | |
7586 | 0 | result = dns_db_findrdataset(signing->db, node, version, |
7587 | 0 | zone->privatetype, dns_rdatatype_none, 0, |
7588 | 0 | &rdataset, NULL); |
7589 | 0 | if (result == ISC_R_NOTFOUND) { |
7590 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
7591 | 0 | result = ISC_R_SUCCESS; |
7592 | 0 | goto failure; |
7593 | 0 | } |
7594 | 0 | if (result != ISC_R_SUCCESS) { |
7595 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
7596 | 0 | goto failure; |
7597 | 0 | } |
7598 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7599 | 0 | result = dns_rdataset_next(&rdataset)) |
7600 | 0 | { |
7601 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7602 | | /* |
7603 | | * If we don't match the algorithm or keyid skip the record. |
7604 | | */ |
7605 | 0 | if (rdata.length != 5 || rdata.data[0] != signing->algorithm || |
7606 | 0 | rdata.data[1] != ((signing->keyid >> 8) & 0xff) || |
7607 | 0 | rdata.data[2] != (signing->keyid & 0xff)) |
7608 | 0 | { |
7609 | 0 | have_rr = true; |
7610 | 0 | dns_rdata_reset(&rdata); |
7611 | 0 | continue; |
7612 | 0 | } |
7613 | | /* |
7614 | | * We have a match. If we were signing (!signing->deleteit) |
7615 | | * and we already have a record indicating that we have |
7616 | | * finished signing (rdata.data[4] != 0) then keep it. |
7617 | | * Otherwise it needs to be deleted as we have removed all |
7618 | | * the signatures (signing->deleteit), so any record indicating |
7619 | | * completion is now out of date, or we have finished signing |
7620 | | * with the new record so we no longer need to remember that |
7621 | | * we need to sign the zone with the matching key across a |
7622 | | * nameserver re-start. |
7623 | | */ |
7624 | 0 | if (!signing->deleteit && rdata.data[4] != 0) { |
7625 | 0 | seen_done = true; |
7626 | 0 | have_rr = true; |
7627 | 0 | } else { |
7628 | 0 | CHECK(update_one_rr(signing->db, version, diff, |
7629 | 0 | DNS_DIFFOP_DEL, &zone->origin, |
7630 | 0 | rdataset.ttl, &rdata)); |
7631 | 0 | } |
7632 | 0 | dns_rdata_reset(&rdata); |
7633 | 0 | } |
7634 | 0 | if (result == ISC_R_NOMORE) { |
7635 | 0 | result = ISC_R_SUCCESS; |
7636 | 0 | } |
7637 | 0 | if (!signing->deleteit && !seen_done) { |
7638 | | /* |
7639 | | * If we were signing then we need to indicate that we have |
7640 | | * finished signing the zone with this key. If it is already |
7641 | | * there we don't need to add it a second time. |
7642 | | */ |
7643 | 0 | data[0] = signing->algorithm; |
7644 | 0 | data[1] = (signing->keyid >> 8) & 0xff; |
7645 | 0 | data[2] = signing->keyid & 0xff; |
7646 | 0 | data[3] = 0; |
7647 | 0 | data[4] = 1; |
7648 | 0 | rdata.length = sizeof(data); |
7649 | 0 | rdata.data = data; |
7650 | 0 | rdata.type = zone->privatetype; |
7651 | 0 | rdata.rdclass = dns_db_class(signing->db); |
7652 | 0 | CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD, |
7653 | 0 | &zone->origin, rdataset.ttl, &rdata)); |
7654 | 0 | } else if (!have_rr) { |
7655 | 0 | dns_name_t *origin = dns_db_origin(signing->db); |
7656 | | /* |
7657 | | * Rebuild the NSEC/NSEC3 record for the origin as we no |
7658 | | * longer have any private records. |
7659 | | */ |
7660 | 0 | if (build_nsec3) { |
7661 | 0 | CHECK(dns_nsec3_addnsec3s(signing->db, version, origin, |
7662 | 0 | nsecttl, false, diff)); |
7663 | 0 | } |
7664 | 0 | CHECK(updatesecure(signing->db, version, origin, nsecttl, true, |
7665 | 0 | diff)); |
7666 | 0 | } |
7667 | | |
7668 | 0 | failure: |
7669 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
7670 | 0 | dns_rdataset_disassociate(&rdataset); |
7671 | 0 | } |
7672 | 0 | if (node != NULL) { |
7673 | 0 | dns_db_detachnode(signing->db, &node); |
7674 | 0 | } |
7675 | 0 | return (result); |
7676 | 0 | } |
7677 | | |
7678 | | /* |
7679 | | * Called from zone_nsec3chain() in order to update zone records indicating |
7680 | | * processing status of given NSEC3 chain: |
7681 | | * |
7682 | | * - If the supplied dns_nsec3chain_t structure has been fully processed |
7683 | | * (which is indicated by "active" being set to false): |
7684 | | * |
7685 | | * - remove all NSEC3PARAM records matching the relevant NSEC3 chain, |
7686 | | * |
7687 | | * - remove all private-type records containing NSEC3PARAM RDATA matching |
7688 | | * the relevant NSEC3 chain. |
7689 | | * |
7690 | | * - If the supplied dns_nsec3chain_t structure has not been fully processed |
7691 | | * (which is indicated by "active" being set to true), only remove the |
7692 | | * NSEC3PARAM record which matches the relevant NSEC3 chain and has the |
7693 | | * "flags" field set to 0. |
7694 | | * |
7695 | | * - If given NSEC3 chain is being added, add an NSEC3PARAM record contained |
7696 | | * in the relevant private-type record, but with the "flags" field set to |
7697 | | * 0, indicating that this NSEC3 chain is now complete for this zone. |
7698 | | * |
7699 | | * Note that this function is called at different processing stages for NSEC3 |
7700 | | * chain additions vs. removals and needs to handle all cases properly. |
7701 | | */ |
7702 | | static isc_result_t |
7703 | | fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain, |
7704 | 0 | bool active, dns_rdatatype_t privatetype, dns_diff_t *diff) { |
7705 | 0 | dns_dbnode_t *node = NULL; |
7706 | 0 | dns_name_t *name = dns_db_origin(db); |
7707 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7708 | 0 | dns_rdataset_t rdataset; |
7709 | 0 | dns_rdata_nsec3param_t nsec3param; |
7710 | 0 | dns_rdata_soa_t soa; |
7711 | 0 | isc_result_t result; |
7712 | 0 | isc_buffer_t buffer; |
7713 | 0 | unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE]; |
7714 | 0 | dns_ttl_t ttl = 0; |
7715 | 0 | bool nseconly = false, nsec3ok = false; |
7716 | |
|
7717 | 0 | dns_rdataset_init(&rdataset); |
7718 | |
|
7719 | 0 | result = dns_db_getoriginnode(db, &node); |
7720 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
7721 | | |
7722 | | /* Default TTL is SOA MINIMUM */ |
7723 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0, |
7724 | 0 | &rdataset, NULL); |
7725 | 0 | if (result == ISC_R_SUCCESS) { |
7726 | 0 | CHECK(dns_rdataset_first(&rdataset)); |
7727 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7728 | 0 | CHECK(dns_rdata_tostruct(&rdata, &soa, NULL)); |
7729 | 0 | ttl = soa.minimum; |
7730 | 0 | dns_rdata_reset(&rdata); |
7731 | 0 | } |
7732 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
7733 | 0 | dns_rdataset_disassociate(&rdataset); |
7734 | 0 | } |
7735 | |
|
7736 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, |
7737 | 0 | 0, &rdataset, NULL); |
7738 | 0 | if (result == ISC_R_NOTFOUND) { |
7739 | 0 | goto try_private; |
7740 | 0 | } |
7741 | 0 | if (result != ISC_R_SUCCESS) { |
7742 | 0 | goto failure; |
7743 | 0 | } |
7744 | | |
7745 | | /* |
7746 | | * Delete all NSEC3PARAM records which match that in nsec3chain. |
7747 | | */ |
7748 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7749 | 0 | result = dns_rdataset_next(&rdataset)) |
7750 | 0 | { |
7751 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7752 | 0 | CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); |
7753 | | |
7754 | 0 | if (nsec3param.hash != chain->nsec3param.hash || |
7755 | 0 | (active && nsec3param.flags != 0) || |
7756 | 0 | nsec3param.iterations != chain->nsec3param.iterations || |
7757 | 0 | nsec3param.salt_length != chain->nsec3param.salt_length || |
7758 | 0 | memcmp(nsec3param.salt, chain->nsec3param.salt, |
7759 | 0 | nsec3param.salt_length)) |
7760 | 0 | { |
7761 | | /* |
7762 | | * If the SOA minimum is different to the current TTL, |
7763 | | * delete the record. We will re-add it with the new |
7764 | | * TTL below. |
7765 | | */ |
7766 | 0 | if (rdataset.ttl != ttl) { |
7767 | 0 | CHECK(update_one_rr(db, ver, diff, |
7768 | 0 | DNS_DIFFOP_DEL, name, |
7769 | 0 | rdataset.ttl, &rdata)); |
7770 | 0 | } |
7771 | 0 | dns_rdata_reset(&rdata); |
7772 | 0 | continue; |
7773 | 0 | } |
7774 | | |
7775 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, |
7776 | 0 | rdataset.ttl, &rdata)); |
7777 | 0 | dns_rdata_reset(&rdata); |
7778 | 0 | } |
7779 | 0 | if (result != ISC_R_NOMORE) { |
7780 | 0 | goto failure; |
7781 | 0 | } |
7782 | | |
7783 | | /* |
7784 | | * Restore any NSEC3PARAM records that we deleted to change the TTL. |
7785 | | */ |
7786 | 0 | if (rdataset.ttl != ttl) { |
7787 | 0 | for (result = dns_rdataset_first(&rdataset); |
7788 | 0 | result == ISC_R_SUCCESS; |
7789 | 0 | result = dns_rdataset_next(&rdataset)) |
7790 | 0 | { |
7791 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7792 | 0 | CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); |
7793 | | |
7794 | 0 | if (nsec3param.hash != chain->nsec3param.hash || |
7795 | 0 | (active && nsec3param.flags != 0) || |
7796 | 0 | nsec3param.iterations != |
7797 | 0 | chain->nsec3param.iterations || |
7798 | 0 | nsec3param.salt_length != |
7799 | 0 | chain->nsec3param.salt_length || |
7800 | 0 | memcmp(nsec3param.salt, chain->nsec3param.salt, |
7801 | 0 | nsec3param.salt_length)) |
7802 | 0 | { |
7803 | 0 | CHECK(update_one_rr(db, ver, diff, |
7804 | 0 | DNS_DIFFOP_ADD, name, ttl, |
7805 | 0 | &rdata)); |
7806 | 0 | } |
7807 | 0 | dns_rdata_reset(&rdata); |
7808 | 0 | } |
7809 | 0 | } |
7810 | | |
7811 | 0 | dns_rdataset_disassociate(&rdataset); |
7812 | |
|
7813 | 0 | try_private: |
7814 | |
|
7815 | 0 | if (active) { |
7816 | 0 | goto add; |
7817 | 0 | } |
7818 | | |
7819 | 0 | result = dns_nsec_nseconly(db, ver, diff, &nseconly); |
7820 | 0 | nsec3ok = (result == ISC_R_SUCCESS && !nseconly); |
7821 | | |
7822 | | /* |
7823 | | * Delete all private records which match that in nsec3chain. |
7824 | | */ |
7825 | 0 | result = dns_db_findrdataset(db, node, ver, privatetype, 0, 0, |
7826 | 0 | &rdataset, NULL); |
7827 | 0 | if (result == ISC_R_NOTFOUND) { |
7828 | 0 | goto add; |
7829 | 0 | } |
7830 | 0 | if (result != ISC_R_SUCCESS) { |
7831 | 0 | goto failure; |
7832 | 0 | } |
7833 | | |
7834 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7835 | 0 | result = dns_rdataset_next(&rdataset)) |
7836 | 0 | { |
7837 | 0 | dns_rdata_t private = DNS_RDATA_INIT; |
7838 | 0 | unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; |
7839 | |
|
7840 | 0 | dns_rdataset_current(&rdataset, &private); |
7841 | 0 | if (!dns_nsec3param_fromprivate(&private, &rdata, buf, |
7842 | 0 | sizeof(buf))) |
7843 | 0 | { |
7844 | 0 | continue; |
7845 | 0 | } |
7846 | 0 | CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); |
7847 | | |
7848 | 0 | if ((!nsec3ok && |
7849 | 0 | (nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0) || |
7850 | 0 | nsec3param.hash != chain->nsec3param.hash || |
7851 | 0 | nsec3param.iterations != chain->nsec3param.iterations || |
7852 | 0 | nsec3param.salt_length != chain->nsec3param.salt_length || |
7853 | 0 | memcmp(nsec3param.salt, chain->nsec3param.salt, |
7854 | 0 | nsec3param.salt_length)) |
7855 | 0 | { |
7856 | 0 | dns_rdata_reset(&rdata); |
7857 | 0 | continue; |
7858 | 0 | } |
7859 | | |
7860 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, |
7861 | 0 | rdataset.ttl, &private)); |
7862 | 0 | dns_rdata_reset(&rdata); |
7863 | 0 | } |
7864 | 0 | if (result != ISC_R_NOMORE) { |
7865 | 0 | goto failure; |
7866 | 0 | } |
7867 | | |
7868 | 0 | add: |
7869 | 0 | if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) { |
7870 | 0 | result = ISC_R_SUCCESS; |
7871 | 0 | goto failure; |
7872 | 0 | } |
7873 | | |
7874 | | /* |
7875 | | * Add a NSEC3PARAM record which matches that in nsec3chain but |
7876 | | * with all flags bits cleared. |
7877 | | * |
7878 | | * Note: we do not clear chain->nsec3param.flags as this change |
7879 | | * may be reversed. |
7880 | | */ |
7881 | 0 | isc_buffer_init(&buffer, ¶mbuf, sizeof(parambuf)); |
7882 | 0 | CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), |
7883 | 0 | dns_rdatatype_nsec3param, &chain->nsec3param, |
7884 | 0 | &buffer)); |
7885 | 0 | rdata.data[1] = 0; /* Clear flag bits. */ |
7886 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata)); |
7887 | | |
7888 | 0 | failure: |
7889 | 0 | dns_db_detachnode(db, &node); |
7890 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
7891 | 0 | dns_rdataset_disassociate(&rdataset); |
7892 | 0 | } |
7893 | 0 | return (result); |
7894 | 0 | } |
7895 | | |
7896 | | static isc_result_t |
7897 | | delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, |
7898 | 0 | dns_name_t *name, dns_diff_t *diff) { |
7899 | 0 | dns_rdataset_t rdataset; |
7900 | 0 | isc_result_t result; |
7901 | |
|
7902 | 0 | dns_rdataset_init(&rdataset); |
7903 | |
|
7904 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0, |
7905 | 0 | &rdataset, NULL); |
7906 | 0 | if (result == ISC_R_NOTFOUND) { |
7907 | 0 | return (ISC_R_SUCCESS); |
7908 | 0 | } |
7909 | 0 | if (result != ISC_R_SUCCESS) { |
7910 | 0 | return (result); |
7911 | 0 | } |
7912 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7913 | 0 | result = dns_rdataset_next(&rdataset)) |
7914 | 0 | { |
7915 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7916 | |
|
7917 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7918 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, |
7919 | 0 | rdataset.ttl, &rdata)); |
7920 | 0 | } |
7921 | 0 | if (result == ISC_R_NOMORE) { |
7922 | 0 | result = ISC_R_SUCCESS; |
7923 | 0 | } |
7924 | 0 | failure: |
7925 | 0 | dns_rdataset_disassociate(&rdataset); |
7926 | 0 | return (result); |
7927 | 0 | } |
7928 | | |
7929 | | static isc_result_t |
7930 | | deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, |
7931 | | dns_name_t *name, const dns_rdata_nsec3param_t *param, |
7932 | 0 | dns_diff_t *diff) { |
7933 | 0 | dns_rdataset_t rdataset; |
7934 | 0 | dns_rdata_nsec3_t nsec3; |
7935 | 0 | isc_result_t result; |
7936 | |
|
7937 | 0 | dns_rdataset_init(&rdataset); |
7938 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3, 0, 0, |
7939 | 0 | &rdataset, NULL); |
7940 | 0 | if (result == ISC_R_NOTFOUND) { |
7941 | 0 | return (ISC_R_SUCCESS); |
7942 | 0 | } |
7943 | 0 | if (result != ISC_R_SUCCESS) { |
7944 | 0 | return (result); |
7945 | 0 | } |
7946 | | |
7947 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
7948 | 0 | result = dns_rdataset_next(&rdataset)) |
7949 | 0 | { |
7950 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7951 | |
|
7952 | 0 | dns_rdataset_current(&rdataset, &rdata); |
7953 | 0 | CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL)); |
7954 | 0 | if (nsec3.hash != param->hash || |
7955 | 0 | nsec3.iterations != param->iterations || |
7956 | 0 | nsec3.salt_length != param->salt_length || |
7957 | 0 | memcmp(nsec3.salt, param->salt, nsec3.salt_length)) |
7958 | 0 | { |
7959 | 0 | continue; |
7960 | 0 | } |
7961 | 0 | CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, |
7962 | 0 | rdataset.ttl, &rdata)); |
7963 | 0 | } |
7964 | 0 | if (result == ISC_R_NOMORE) { |
7965 | 0 | result = ISC_R_SUCCESS; |
7966 | 0 | } |
7967 | 0 | failure: |
7968 | 0 | dns_rdataset_disassociate(&rdataset); |
7969 | 0 | return (result); |
7970 | 0 | } |
7971 | | |
7972 | | static isc_result_t |
7973 | | need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver, |
7974 | 0 | const dns_rdata_nsec3param_t *param, bool *answer) { |
7975 | 0 | dns_dbnode_t *node = NULL; |
7976 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
7977 | 0 | dns_rdata_nsec3param_t myparam; |
7978 | 0 | dns_rdataset_t rdataset; |
7979 | 0 | isc_result_t result; |
7980 | |
|
7981 | 0 | *answer = false; |
7982 | |
|
7983 | 0 | result = dns_db_getoriginnode(db, &node); |
7984 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
7985 | |
|
7986 | 0 | dns_rdataset_init(&rdataset); |
7987 | |
|
7988 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0, |
7989 | 0 | &rdataset, NULL); |
7990 | 0 | if (result == ISC_R_SUCCESS) { |
7991 | 0 | dns_rdataset_disassociate(&rdataset); |
7992 | 0 | dns_db_detachnode(db, &node); |
7993 | 0 | return (result); |
7994 | 0 | } |
7995 | 0 | if (result != ISC_R_NOTFOUND) { |
7996 | 0 | dns_db_detachnode(db, &node); |
7997 | 0 | return (result); |
7998 | 0 | } |
7999 | | |
8000 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, |
8001 | 0 | 0, &rdataset, NULL); |
8002 | 0 | if (result == ISC_R_NOTFOUND) { |
8003 | 0 | *answer = true; |
8004 | 0 | dns_db_detachnode(db, &node); |
8005 | 0 | return (ISC_R_SUCCESS); |
8006 | 0 | } |
8007 | 0 | if (result != ISC_R_SUCCESS) { |
8008 | 0 | dns_db_detachnode(db, &node); |
8009 | 0 | return (result); |
8010 | 0 | } |
8011 | | |
8012 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
8013 | 0 | result = dns_rdataset_next(&rdataset)) |
8014 | 0 | { |
8015 | 0 | dns_rdataset_current(&rdataset, &rdata); |
8016 | 0 | CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL)); |
8017 | 0 | dns_rdata_reset(&rdata); |
8018 | | /* |
8019 | | * Ignore any NSEC3PARAM removals. |
8020 | | */ |
8021 | 0 | if (NSEC3REMOVE(myparam.flags)) { |
8022 | 0 | continue; |
8023 | 0 | } |
8024 | | /* |
8025 | | * Ignore the chain that we are in the process of deleting. |
8026 | | */ |
8027 | 0 | if (myparam.hash == param->hash && |
8028 | 0 | myparam.iterations == param->iterations && |
8029 | 0 | myparam.salt_length == param->salt_length && |
8030 | 0 | !memcmp(myparam.salt, param->salt, myparam.salt_length)) |
8031 | 0 | { |
8032 | 0 | continue; |
8033 | 0 | } |
8034 | | /* |
8035 | | * Found an active NSEC3 chain. |
8036 | | */ |
8037 | 0 | break; |
8038 | 0 | } |
8039 | 0 | if (result == ISC_R_NOMORE) { |
8040 | 0 | *answer = true; |
8041 | 0 | result = ISC_R_SUCCESS; |
8042 | 0 | } |
8043 | |
|
8044 | 0 | failure: |
8045 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
8046 | 0 | dns_rdataset_disassociate(&rdataset); |
8047 | 0 | } |
8048 | 0 | dns_db_detachnode(db, &node); |
8049 | 0 | return (result); |
8050 | 0 | } |
8051 | | |
8052 | | /*% |
8053 | | * Given a tuple which is part of a diff, return a pointer to the next tuple in |
8054 | | * that diff which has the same name and type (or NULL if no such tuple is |
8055 | | * found). |
8056 | | */ |
8057 | | static dns_difftuple_t * |
8058 | 0 | find_next_matching_tuple(dns_difftuple_t *cur) { |
8059 | 0 | dns_difftuple_t *next = cur; |
8060 | |
|
8061 | 0 | while ((next = ISC_LIST_NEXT(next, link)) != NULL) { |
8062 | 0 | if (cur->rdata.type == next->rdata.type && |
8063 | 0 | dns_name_equal(&cur->name, &next->name)) |
8064 | 0 | { |
8065 | 0 | return (next); |
8066 | 0 | } |
8067 | 0 | } |
8068 | | |
8069 | 0 | return (NULL); |
8070 | 0 | } |
8071 | | |
8072 | | /*% |
8073 | | * Remove all tuples with the same name and type as 'cur' from 'src' and append |
8074 | | * them to 'dst'. |
8075 | | */ |
8076 | | static void |
8077 | 0 | move_matching_tuples(dns_difftuple_t *cur, dns_diff_t *src, dns_diff_t *dst) { |
8078 | 0 | do { |
8079 | 0 | dns_difftuple_t *next = find_next_matching_tuple(cur); |
8080 | 0 | ISC_LIST_UNLINK(src->tuples, cur, link); |
8081 | 0 | dns_diff_appendminimal(dst, &cur); |
8082 | 0 | cur = next; |
8083 | 0 | } while (cur != NULL); |
8084 | 0 | } |
8085 | | |
8086 | | /*% |
8087 | | * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in |
8088 | | * 'diff'. Gradually remove tuples from 'diff' and append them to 'zonediff' |
8089 | | * along with tuples representing relevant signature changes. |
8090 | | */ |
8091 | | isc_result_t |
8092 | | dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, |
8093 | | dst_key_t *zone_keys[], unsigned int nkeys, |
8094 | | dns_zone_t *zone, isc_stdtime_t inception, |
8095 | | isc_stdtime_t expire, isc_stdtime_t keyexpire, |
8096 | 0 | isc_stdtime_t now, dns__zonediff_t *zonediff) { |
8097 | 0 | dns_difftuple_t *tuple; |
8098 | 0 | isc_result_t result; |
8099 | |
|
8100 | 0 | while ((tuple = ISC_LIST_HEAD(diff->tuples)) != NULL) { |
8101 | 0 | isc_stdtime_t exp = expire; |
8102 | |
|
8103 | 0 | if (keyexpire != 0 && |
8104 | 0 | dns_rdatatype_iskeymaterial(tuple->rdata.type)) |
8105 | 0 | { |
8106 | 0 | exp = keyexpire; |
8107 | 0 | } |
8108 | |
|
8109 | 0 | result = del_sigs(zone, db, version, &tuple->name, |
8110 | 0 | tuple->rdata.type, zonediff, zone_keys, nkeys, |
8111 | 0 | now, false); |
8112 | 0 | if (result != ISC_R_SUCCESS) { |
8113 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
8114 | 0 | "dns__zone_updatesigs:del_sigs -> %s", |
8115 | 0 | isc_result_totext(result)); |
8116 | 0 | return (result); |
8117 | 0 | } |
8118 | 0 | result = add_sigs(db, version, &tuple->name, zone, |
8119 | 0 | tuple->rdata.type, zonediff->diff, zone_keys, |
8120 | 0 | nkeys, zone->mctx, now, inception, exp); |
8121 | 0 | if (result != ISC_R_SUCCESS) { |
8122 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
8123 | 0 | "dns__zone_updatesigs:add_sigs -> %s", |
8124 | 0 | isc_result_totext(result)); |
8125 | 0 | return (result); |
8126 | 0 | } |
8127 | | |
8128 | | /* |
8129 | | * Signature changes for all RRs with name tuple->name and type |
8130 | | * tuple->rdata.type were appended to zonediff->diff. Now we |
8131 | | * remove all the "raw" changes with the same name and type |
8132 | | * from diff (so that they are not processed by this loop |
8133 | | * again) and append them to zonediff so that they get applied. |
8134 | | */ |
8135 | 0 | move_matching_tuples(tuple, diff, zonediff->diff); |
8136 | 0 | } |
8137 | 0 | return (ISC_R_SUCCESS); |
8138 | 0 | } |
8139 | | |
8140 | | /* |
8141 | | * Incrementally build and sign a new NSEC3 chain using the parameters |
8142 | | * requested. |
8143 | | */ |
8144 | | static void |
8145 | 0 | zone_nsec3chain(dns_zone_t *zone) { |
8146 | 0 | dns_db_t *db = NULL; |
8147 | 0 | dns_dbnode_t *node = NULL; |
8148 | 0 | dns_dbversion_t *version = NULL; |
8149 | 0 | dns_diff_t _sig_diff; |
8150 | 0 | dns_diff_t nsec_diff; |
8151 | 0 | dns_diff_t nsec3_diff; |
8152 | 0 | dns_diff_t param_diff; |
8153 | 0 | dns__zonediff_t zonediff; |
8154 | 0 | dns_fixedname_t fixed; |
8155 | 0 | dns_fixedname_t nextfixed; |
8156 | 0 | dns_name_t *name, *nextname; |
8157 | 0 | dns_rdataset_t rdataset; |
8158 | 0 | dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain; |
8159 | 0 | dns_nsec3chainlist_t cleanup; |
8160 | 0 | dst_key_t *zone_keys[DNS_MAXZONEKEYS]; |
8161 | 0 | int32_t signatures; |
8162 | 0 | bool delegation; |
8163 | 0 | bool first; |
8164 | 0 | isc_result_t result; |
8165 | 0 | isc_stdtime_t now, inception, soaexpire, expire; |
8166 | 0 | unsigned int i; |
8167 | 0 | unsigned int nkeys = 0; |
8168 | 0 | uint32_t nodes; |
8169 | 0 | bool unsecure = false; |
8170 | 0 | bool seen_soa, seen_ns, seen_dname, seen_ds; |
8171 | 0 | bool seen_nsec, seen_nsec3, seen_rr; |
8172 | 0 | dns_rdatasetiter_t *iterator = NULL; |
8173 | 0 | bool buildnsecchain; |
8174 | 0 | bool updatensec = false; |
8175 | 0 | dns_rdatatype_t privatetype = zone->privatetype; |
8176 | |
|
8177 | 0 | ENTER; |
8178 | |
|
8179 | 0 | dns_rdataset_init(&rdataset); |
8180 | 0 | name = dns_fixedname_initname(&fixed); |
8181 | 0 | nextname = dns_fixedname_initname(&nextfixed); |
8182 | 0 | dns_diff_init(zone->mctx, ¶m_diff); |
8183 | 0 | dns_diff_init(zone->mctx, &nsec3_diff); |
8184 | 0 | dns_diff_init(zone->mctx, &nsec_diff); |
8185 | 0 | dns_diff_init(zone->mctx, &_sig_diff); |
8186 | 0 | zonediff_init(&zonediff, &_sig_diff); |
8187 | 0 | ISC_LIST_INIT(cleanup); |
8188 | | |
8189 | | /* |
8190 | | * Updates are disabled. Pause for 5 minutes. |
8191 | | */ |
8192 | 0 | if (zone->update_disabled) { |
8193 | 0 | result = ISC_R_FAILURE; |
8194 | 0 | goto failure; |
8195 | 0 | } |
8196 | | |
8197 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
8198 | | /* |
8199 | | * This function is called when zone timer fires, after the latter gets |
8200 | | * set by zone_addnsec3chain(). If the action triggering the call to |
8201 | | * zone_addnsec3chain() is closely followed by a zone deletion request, |
8202 | | * it might turn out that the timer thread will not be woken up until |
8203 | | * after the zone is deleted by rmzone(), which calls dns_db_detach() |
8204 | | * for zone->db, causing the latter to become NULL. Return immediately |
8205 | | * if that happens. |
8206 | | */ |
8207 | 0 | if (zone->db != NULL) { |
8208 | 0 | dns_db_attach(zone->db, &db); |
8209 | 0 | } |
8210 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
8211 | 0 | if (db == NULL) { |
8212 | 0 | return; |
8213 | 0 | } |
8214 | | |
8215 | 0 | result = dns_db_newversion(db, &version); |
8216 | 0 | if (result != ISC_R_SUCCESS) { |
8217 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8218 | 0 | "zone_nsec3chain:dns_db_newversion -> %s", |
8219 | 0 | isc_result_totext(result)); |
8220 | 0 | goto failure; |
8221 | 0 | } |
8222 | | |
8223 | 0 | now = isc_stdtime_now(); |
8224 | |
|
8225 | 0 | result = dns_zone_findkeys(zone, db, version, now, zone->mctx, |
8226 | 0 | DNS_MAXZONEKEYS, zone_keys, &nkeys); |
8227 | 0 | if (result != ISC_R_SUCCESS) { |
8228 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8229 | 0 | "zone_nsec3chain:dns_zone_findkeys -> %s", |
8230 | 0 | isc_result_totext(result)); |
8231 | 0 | goto failure; |
8232 | 0 | } |
8233 | | |
8234 | 0 | calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL, |
8235 | 0 | &expire); |
8236 | | |
8237 | | /* |
8238 | | * We keep pulling nodes off each iterator in turn until |
8239 | | * we have no more nodes to pull off or we reach the limits |
8240 | | * for this quantum. |
8241 | | */ |
8242 | 0 | nodes = zone->nodes; |
8243 | 0 | signatures = zone->signatures; |
8244 | 0 | LOCK_ZONE(zone); |
8245 | 0 | nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); |
8246 | 0 | UNLOCK_ZONE(zone); |
8247 | 0 | first = true; |
8248 | |
|
8249 | 0 | if (nsec3chain != NULL) { |
8250 | 0 | nsec3chain->save_delete_nsec = nsec3chain->delete_nsec; |
8251 | 0 | } |
8252 | | /* |
8253 | | * Generate new NSEC3 chains first. |
8254 | | * |
8255 | | * The following while loop iterates over nodes in the zone database, |
8256 | | * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of |
8257 | | * them. Once all nodes are processed, the "delete_nsec" field is |
8258 | | * consulted to check whether we are supposed to remove NSEC records |
8259 | | * from the zone database; if so, the database iterator is reset to |
8260 | | * point to the first node and the loop traverses all of them again, |
8261 | | * this time removing NSEC records. If we hit a node which is obscured |
8262 | | * by a delegation or a DNAME, nodes are skipped over until we find one |
8263 | | * that is not obscured by the same obscuring name and then normal |
8264 | | * processing is resumed. |
8265 | | * |
8266 | | * The above is repeated until all requested NSEC3 chain changes are |
8267 | | * applied or when we reach the limits for this quantum, whichever |
8268 | | * happens first. |
8269 | | * |
8270 | | * Note that the "signatures" variable is only used here to limit the |
8271 | | * amount of work performed. Actual DNSSEC signatures are only |
8272 | | * generated by dns__zone_updatesigs() calls later in this function. |
8273 | | */ |
8274 | 0 | while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) { |
8275 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8276 | |
|
8277 | 0 | LOCK_ZONE(zone); |
8278 | 0 | nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link); |
8279 | |
|
8280 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
8281 | 0 | if (nsec3chain->done || nsec3chain->db != zone->db) { |
8282 | 0 | ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link); |
8283 | 0 | ISC_LIST_APPEND(cleanup, nsec3chain, link); |
8284 | 0 | } |
8285 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
8286 | 0 | UNLOCK_ZONE(zone); |
8287 | 0 | if (ISC_LIST_TAIL(cleanup) == nsec3chain) { |
8288 | 0 | goto next_addchain; |
8289 | 0 | } |
8290 | | |
8291 | | /* |
8292 | | * Possible future db. |
8293 | | */ |
8294 | 0 | if (nsec3chain->db != db) { |
8295 | 0 | goto next_addchain; |
8296 | 0 | } |
8297 | | |
8298 | 0 | if (NSEC3REMOVE(nsec3chain->nsec3param.flags)) { |
8299 | 0 | goto next_addchain; |
8300 | 0 | } |
8301 | | |
8302 | 0 | dns_dbiterator_current(nsec3chain->dbiterator, &node, name); |
8303 | |
|
8304 | 0 | if (nsec3chain->delete_nsec) { |
8305 | 0 | delegation = false; |
8306 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8307 | 0 | CHECK(delete_nsec(db, version, node, name, &nsec_diff)); |
8308 | 0 | goto next_addnode; |
8309 | 0 | } |
8310 | | /* |
8311 | | * On the first pass we need to check if the current node |
8312 | | * has not been obscured. |
8313 | | */ |
8314 | 0 | delegation = false; |
8315 | 0 | unsecure = false; |
8316 | 0 | if (first) { |
8317 | 0 | dns_fixedname_t ffound; |
8318 | 0 | dns_name_t *found; |
8319 | 0 | found = dns_fixedname_initname(&ffound); |
8320 | 0 | result = dns_db_find( |
8321 | 0 | db, name, version, dns_rdatatype_soa, |
8322 | 0 | DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL); |
8323 | 0 | if ((result == DNS_R_DELEGATION || |
8324 | 0 | result == DNS_R_DNAME) && |
8325 | 0 | !dns_name_equal(name, found)) |
8326 | 0 | { |
8327 | | /* |
8328 | | * Remember the obscuring name so that |
8329 | | * we skip all obscured names. |
8330 | | */ |
8331 | 0 | dns_name_copy(found, name); |
8332 | 0 | delegation = true; |
8333 | 0 | goto next_addnode; |
8334 | 0 | } |
8335 | 0 | } |
8336 | | |
8337 | | /* |
8338 | | * Check to see if this is a bottom of zone node. |
8339 | | */ |
8340 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, |
8341 | 0 | &iterator); |
8342 | 0 | if (result == ISC_R_NOTFOUND) { |
8343 | | /* Empty node? */ |
8344 | 0 | goto next_addnode; |
8345 | 0 | } |
8346 | 0 | if (result != ISC_R_SUCCESS) { |
8347 | 0 | goto failure; |
8348 | 0 | } |
8349 | | |
8350 | 0 | seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = false; |
8351 | 0 | for (result = dns_rdatasetiter_first(iterator); |
8352 | 0 | result == ISC_R_SUCCESS; |
8353 | 0 | result = dns_rdatasetiter_next(iterator)) |
8354 | 0 | { |
8355 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
8356 | 0 | INSIST(rdataset.type != dns_rdatatype_nsec3); |
8357 | 0 | if (rdataset.type == dns_rdatatype_soa) { |
8358 | 0 | seen_soa = true; |
8359 | 0 | } else if (rdataset.type == dns_rdatatype_ns) { |
8360 | 0 | seen_ns = true; |
8361 | 0 | } else if (rdataset.type == dns_rdatatype_dname) { |
8362 | 0 | seen_dname = true; |
8363 | 0 | } else if (rdataset.type == dns_rdatatype_ds) { |
8364 | 0 | seen_ds = true; |
8365 | 0 | } else if (rdataset.type == dns_rdatatype_nsec) { |
8366 | 0 | seen_nsec = true; |
8367 | 0 | } |
8368 | 0 | dns_rdataset_disassociate(&rdataset); |
8369 | 0 | } |
8370 | 0 | dns_rdatasetiter_destroy(&iterator); |
8371 | | /* |
8372 | | * Is there a NSEC chain than needs to be cleaned up? |
8373 | | */ |
8374 | 0 | if (seen_nsec) { |
8375 | 0 | nsec3chain->seen_nsec = true; |
8376 | 0 | } |
8377 | 0 | if (seen_ns && !seen_soa && !seen_ds) { |
8378 | 0 | unsecure = true; |
8379 | 0 | } |
8380 | 0 | if ((seen_ns && !seen_soa) || seen_dname) { |
8381 | 0 | delegation = true; |
8382 | 0 | } |
8383 | | |
8384 | | /* |
8385 | | * Process one node. |
8386 | | */ |
8387 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8388 | 0 | result = dns_nsec3_addnsec3( |
8389 | 0 | db, version, name, &nsec3chain->nsec3param, |
8390 | 0 | zone_nsecttl(zone), unsecure, &nsec3_diff); |
8391 | 0 | if (result != ISC_R_SUCCESS) { |
8392 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8393 | 0 | "zone_nsec3chain:" |
8394 | 0 | "dns_nsec3_addnsec3 -> %s", |
8395 | 0 | isc_result_totext(result)); |
8396 | 0 | goto failure; |
8397 | 0 | } |
8398 | | |
8399 | | /* |
8400 | | * Treat each call to dns_nsec3_addnsec3() as if it's cost is |
8401 | | * two signatures. Additionally there will, in general, be |
8402 | | * two signature generated below. |
8403 | | * |
8404 | | * If we are only changing the optout flag the cost is half |
8405 | | * that of the cost of generating a completely new chain. |
8406 | | */ |
8407 | 0 | signatures -= 4; |
8408 | | |
8409 | | /* |
8410 | | * Go onto next node. |
8411 | | */ |
8412 | 0 | next_addnode: |
8413 | 0 | first = false; |
8414 | 0 | dns_db_detachnode(db, &node); |
8415 | 0 | do { |
8416 | 0 | result = dns_dbiterator_next(nsec3chain->dbiterator); |
8417 | |
|
8418 | 0 | if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) { |
8419 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8420 | 0 | CHECK(fixup_nsec3param(db, version, nsec3chain, |
8421 | 0 | false, privatetype, |
8422 | 0 | ¶m_diff)); |
8423 | 0 | LOCK_ZONE(zone); |
8424 | 0 | ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, |
8425 | 0 | link); |
8426 | 0 | UNLOCK_ZONE(zone); |
8427 | 0 | ISC_LIST_APPEND(cleanup, nsec3chain, link); |
8428 | 0 | goto next_addchain; |
8429 | 0 | } |
8430 | 0 | if (result == ISC_R_NOMORE) { |
8431 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8432 | 0 | if (nsec3chain->seen_nsec) { |
8433 | 0 | CHECK(fixup_nsec3param( |
8434 | 0 | db, version, nsec3chain, true, |
8435 | 0 | privatetype, ¶m_diff)); |
8436 | 0 | nsec3chain->delete_nsec = true; |
8437 | 0 | goto same_addchain; |
8438 | 0 | } |
8439 | 0 | CHECK(fixup_nsec3param(db, version, nsec3chain, |
8440 | 0 | false, privatetype, |
8441 | 0 | ¶m_diff)); |
8442 | 0 | LOCK_ZONE(zone); |
8443 | 0 | ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, |
8444 | 0 | link); |
8445 | 0 | UNLOCK_ZONE(zone); |
8446 | 0 | ISC_LIST_APPEND(cleanup, nsec3chain, link); |
8447 | 0 | goto next_addchain; |
8448 | 0 | } else if (result != ISC_R_SUCCESS) { |
8449 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8450 | 0 | "zone_nsec3chain:" |
8451 | 0 | "dns_dbiterator_next -> %s", |
8452 | 0 | isc_result_totext(result)); |
8453 | 0 | goto failure; |
8454 | 0 | } else if (delegation) { |
8455 | 0 | dns_dbiterator_current(nsec3chain->dbiterator, |
8456 | 0 | &node, nextname); |
8457 | 0 | dns_db_detachnode(db, &node); |
8458 | 0 | if (!dns_name_issubdomain(nextname, name)) { |
8459 | 0 | break; |
8460 | 0 | } |
8461 | 0 | } else { |
8462 | 0 | break; |
8463 | 0 | } |
8464 | 0 | } while (1); |
8465 | 0 | continue; |
8466 | | |
8467 | 0 | same_addchain: |
8468 | 0 | CHECK(dns_dbiterator_first(nsec3chain->dbiterator)); |
8469 | 0 | first = true; |
8470 | 0 | continue; |
8471 | | |
8472 | 0 | next_addchain: |
8473 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8474 | 0 | nsec3chain = nextnsec3chain; |
8475 | 0 | first = true; |
8476 | 0 | if (nsec3chain != NULL) { |
8477 | 0 | nsec3chain->save_delete_nsec = nsec3chain->delete_nsec; |
8478 | 0 | } |
8479 | 0 | } |
8480 | | |
8481 | 0 | if (nsec3chain != NULL) { |
8482 | 0 | goto skip_removals; |
8483 | 0 | } |
8484 | | |
8485 | | /* |
8486 | | * Process removals. |
8487 | | * |
8488 | | * This is a counterpart of the above while loop which takes care of |
8489 | | * removing an NSEC3 chain. It starts with determining whether the |
8490 | | * zone needs to switch from NSEC3 to NSEC; if so, it first builds an |
8491 | | * NSEC chain by iterating over all nodes in the zone database and only |
8492 | | * then goes on to remove NSEC3 records be iterating over all nodes |
8493 | | * again and calling deletematchingnsec3() for each of them; otherwise, |
8494 | | * it starts removing NSEC3 records immediately. Rules for processing |
8495 | | * obscured nodes and interrupting work are the same as for the while |
8496 | | * loop above. |
8497 | | */ |
8498 | 0 | LOCK_ZONE(zone); |
8499 | 0 | nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); |
8500 | 0 | UNLOCK_ZONE(zone); |
8501 | 0 | first = true; |
8502 | 0 | buildnsecchain = false; |
8503 | 0 | while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) { |
8504 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8505 | |
|
8506 | 0 | LOCK_ZONE(zone); |
8507 | 0 | nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link); |
8508 | 0 | UNLOCK_ZONE(zone); |
8509 | |
|
8510 | 0 | if (nsec3chain->db != db) { |
8511 | 0 | goto next_removechain; |
8512 | 0 | } |
8513 | | |
8514 | 0 | if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) { |
8515 | 0 | goto next_removechain; |
8516 | 0 | } |
8517 | | |
8518 | | /* |
8519 | | * Work out if we need to build a NSEC chain as a consequence |
8520 | | * of removing this NSEC3 chain. |
8521 | | */ |
8522 | 0 | if (first && !updatensec && |
8523 | 0 | (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0) |
8524 | 0 | { |
8525 | 0 | result = need_nsec_chain(db, version, |
8526 | 0 | &nsec3chain->nsec3param, |
8527 | 0 | &buildnsecchain); |
8528 | 0 | if (result != ISC_R_SUCCESS) { |
8529 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8530 | 0 | "zone_nsec3chain:" |
8531 | 0 | "need_nsec_chain -> %s", |
8532 | 0 | isc_result_totext(result)); |
8533 | 0 | goto failure; |
8534 | 0 | } |
8535 | 0 | } |
8536 | | |
8537 | 0 | if (first) { |
8538 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
8539 | 0 | "zone_nsec3chain:buildnsecchain = %u\n", |
8540 | 0 | buildnsecchain); |
8541 | 0 | } |
8542 | |
|
8543 | 0 | dns_dbiterator_current(nsec3chain->dbiterator, &node, name); |
8544 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8545 | 0 | delegation = false; |
8546 | |
|
8547 | 0 | if (!buildnsecchain) { |
8548 | | /* |
8549 | | * Delete the NSEC3PARAM record matching this chain. |
8550 | | */ |
8551 | 0 | if (first) { |
8552 | 0 | result = fixup_nsec3param( |
8553 | 0 | db, version, nsec3chain, true, |
8554 | 0 | privatetype, ¶m_diff); |
8555 | 0 | if (result != ISC_R_SUCCESS) { |
8556 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8557 | 0 | "zone_nsec3chain:" |
8558 | 0 | "fixup_nsec3param -> %s", |
8559 | 0 | isc_result_totext(result)); |
8560 | 0 | goto failure; |
8561 | 0 | } |
8562 | 0 | } |
8563 | | |
8564 | | /* |
8565 | | * Delete the NSEC3 records. |
8566 | | */ |
8567 | 0 | result = deletematchingnsec3(db, version, node, name, |
8568 | 0 | &nsec3chain->nsec3param, |
8569 | 0 | &nsec3_diff); |
8570 | 0 | if (result != ISC_R_SUCCESS) { |
8571 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8572 | 0 | "zone_nsec3chain:" |
8573 | 0 | "deletematchingnsec3 -> %s", |
8574 | 0 | isc_result_totext(result)); |
8575 | 0 | goto failure; |
8576 | 0 | } |
8577 | 0 | goto next_removenode; |
8578 | 0 | } |
8579 | | |
8580 | 0 | if (first) { |
8581 | 0 | dns_fixedname_t ffound; |
8582 | 0 | dns_name_t *found; |
8583 | 0 | found = dns_fixedname_initname(&ffound); |
8584 | 0 | result = dns_db_find( |
8585 | 0 | db, name, version, dns_rdatatype_soa, |
8586 | 0 | DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL); |
8587 | 0 | if ((result == DNS_R_DELEGATION || |
8588 | 0 | result == DNS_R_DNAME) && |
8589 | 0 | !dns_name_equal(name, found)) |
8590 | 0 | { |
8591 | | /* |
8592 | | * Remember the obscuring name so that |
8593 | | * we skip all obscured names. |
8594 | | */ |
8595 | 0 | dns_name_copy(found, name); |
8596 | 0 | delegation = true; |
8597 | 0 | goto next_removenode; |
8598 | 0 | } |
8599 | 0 | } |
8600 | | |
8601 | | /* |
8602 | | * Check to see if this is a bottom of zone node. |
8603 | | */ |
8604 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, |
8605 | 0 | &iterator); |
8606 | 0 | if (result == ISC_R_NOTFOUND) { |
8607 | | /* Empty node? */ |
8608 | 0 | goto next_removenode; |
8609 | 0 | } |
8610 | 0 | if (result != ISC_R_SUCCESS) { |
8611 | 0 | goto failure; |
8612 | 0 | } |
8613 | | |
8614 | 0 | seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec = |
8615 | 0 | seen_rr = false; |
8616 | 0 | for (result = dns_rdatasetiter_first(iterator); |
8617 | 0 | result == ISC_R_SUCCESS; |
8618 | 0 | result = dns_rdatasetiter_next(iterator)) |
8619 | 0 | { |
8620 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
8621 | 0 | if (rdataset.type == dns_rdatatype_soa) { |
8622 | 0 | seen_soa = true; |
8623 | 0 | } else if (rdataset.type == dns_rdatatype_ns) { |
8624 | 0 | seen_ns = true; |
8625 | 0 | } else if (rdataset.type == dns_rdatatype_dname) { |
8626 | 0 | seen_dname = true; |
8627 | 0 | } else if (rdataset.type == dns_rdatatype_nsec) { |
8628 | 0 | seen_nsec = true; |
8629 | 0 | } else if (rdataset.type == dns_rdatatype_nsec3) { |
8630 | 0 | seen_nsec3 = true; |
8631 | 0 | } else if (rdataset.type != dns_rdatatype_rrsig) { |
8632 | 0 | seen_rr = true; |
8633 | 0 | } |
8634 | 0 | dns_rdataset_disassociate(&rdataset); |
8635 | 0 | } |
8636 | 0 | dns_rdatasetiter_destroy(&iterator); |
8637 | |
|
8638 | 0 | if (!seen_rr || seen_nsec3 || seen_nsec) { |
8639 | 0 | goto next_removenode; |
8640 | 0 | } |
8641 | 0 | if ((seen_ns && !seen_soa) || seen_dname) { |
8642 | 0 | delegation = true; |
8643 | 0 | } |
8644 | | |
8645 | | /* |
8646 | | * Add a NSEC record except at the origin. |
8647 | | */ |
8648 | 0 | if (!dns_name_equal(name, dns_db_origin(db))) { |
8649 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8650 | 0 | CHECK(add_nsec(db, version, name, node, |
8651 | 0 | zone_nsecttl(zone), delegation, |
8652 | 0 | &nsec_diff)); |
8653 | 0 | signatures--; |
8654 | 0 | } |
8655 | | |
8656 | 0 | next_removenode: |
8657 | 0 | first = false; |
8658 | 0 | dns_db_detachnode(db, &node); |
8659 | 0 | do { |
8660 | 0 | result = dns_dbiterator_next(nsec3chain->dbiterator); |
8661 | 0 | if (result == ISC_R_NOMORE && buildnsecchain) { |
8662 | | /* |
8663 | | * The NSEC chain should now be built. |
8664 | | * We can now remove the NSEC3 chain. |
8665 | | */ |
8666 | 0 | updatensec = true; |
8667 | 0 | goto same_removechain; |
8668 | 0 | } |
8669 | 0 | if (result == ISC_R_NOMORE) { |
8670 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8671 | 0 | LOCK_ZONE(zone); |
8672 | 0 | ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, |
8673 | 0 | link); |
8674 | 0 | UNLOCK_ZONE(zone); |
8675 | 0 | ISC_LIST_APPEND(cleanup, nsec3chain, link); |
8676 | 0 | result = fixup_nsec3param( |
8677 | 0 | db, version, nsec3chain, false, |
8678 | 0 | privatetype, ¶m_diff); |
8679 | 0 | if (result != ISC_R_SUCCESS) { |
8680 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8681 | 0 | "zone_nsec3chain:" |
8682 | 0 | "fixup_nsec3param -> %s", |
8683 | 0 | isc_result_totext(result)); |
8684 | 0 | goto failure; |
8685 | 0 | } |
8686 | 0 | goto next_removechain; |
8687 | 0 | } else if (result != ISC_R_SUCCESS) { |
8688 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8689 | 0 | "zone_nsec3chain:" |
8690 | 0 | "dns_dbiterator_next -> %s", |
8691 | 0 | isc_result_totext(result)); |
8692 | 0 | goto failure; |
8693 | 0 | } else if (delegation) { |
8694 | 0 | dns_dbiterator_current(nsec3chain->dbiterator, |
8695 | 0 | &node, nextname); |
8696 | 0 | dns_db_detachnode(db, &node); |
8697 | 0 | if (!dns_name_issubdomain(nextname, name)) { |
8698 | 0 | break; |
8699 | 0 | } |
8700 | 0 | } else { |
8701 | 0 | break; |
8702 | 0 | } |
8703 | 0 | } while (1); |
8704 | 0 | continue; |
8705 | | |
8706 | 0 | same_removechain: |
8707 | 0 | CHECK(dns_dbiterator_first(nsec3chain->dbiterator)); |
8708 | 0 | buildnsecchain = false; |
8709 | 0 | first = true; |
8710 | 0 | continue; |
8711 | | |
8712 | 0 | next_removechain: |
8713 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8714 | 0 | nsec3chain = nextnsec3chain; |
8715 | 0 | first = true; |
8716 | 0 | } |
8717 | | |
8718 | 0 | skip_removals: |
8719 | | /* |
8720 | | * We may need to update the NSEC/NSEC3 records for the zone apex. |
8721 | | */ |
8722 | 0 | if (!ISC_LIST_EMPTY(param_diff.tuples)) { |
8723 | 0 | bool rebuild_nsec = false, rebuild_nsec3 = false; |
8724 | 0 | result = dns_db_getoriginnode(db, &node); |
8725 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
8726 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, |
8727 | 0 | &iterator); |
8728 | 0 | if (result != ISC_R_SUCCESS) { |
8729 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8730 | 0 | "zone_nsec3chain:dns_db_allrdatasets -> %s", |
8731 | 0 | isc_result_totext(result)); |
8732 | 0 | goto failure; |
8733 | 0 | } |
8734 | 0 | for (result = dns_rdatasetiter_first(iterator); |
8735 | 0 | result == ISC_R_SUCCESS; |
8736 | 0 | result = dns_rdatasetiter_next(iterator)) |
8737 | 0 | { |
8738 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
8739 | 0 | if (rdataset.type == dns_rdatatype_nsec) { |
8740 | 0 | rebuild_nsec = true; |
8741 | 0 | } else if (rdataset.type == dns_rdatatype_nsec3param) { |
8742 | 0 | rebuild_nsec3 = true; |
8743 | 0 | } |
8744 | 0 | dns_rdataset_disassociate(&rdataset); |
8745 | 0 | } |
8746 | 0 | dns_rdatasetiter_destroy(&iterator); |
8747 | 0 | dns_db_detachnode(db, &node); |
8748 | |
|
8749 | 0 | if (rebuild_nsec) { |
8750 | 0 | if (nsec3chain != NULL) { |
8751 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8752 | 0 | } |
8753 | |
|
8754 | 0 | result = updatesecure(db, version, &zone->origin, |
8755 | 0 | zone_nsecttl(zone), true, |
8756 | 0 | &nsec_diff); |
8757 | 0 | if (result != ISC_R_SUCCESS) { |
8758 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8759 | 0 | "zone_nsec3chain:updatesecure -> %s", |
8760 | 0 | isc_result_totext(result)); |
8761 | 0 | goto failure; |
8762 | 0 | } |
8763 | 0 | } |
8764 | | |
8765 | 0 | if (rebuild_nsec3) { |
8766 | 0 | if (nsec3chain != NULL) { |
8767 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8768 | 0 | } |
8769 | |
|
8770 | 0 | result = dns_nsec3_addnsec3s( |
8771 | 0 | db, version, dns_db_origin(db), |
8772 | 0 | zone_nsecttl(zone), false, &nsec3_diff); |
8773 | 0 | if (result != ISC_R_SUCCESS) { |
8774 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8775 | 0 | "zone_nsec3chain:" |
8776 | 0 | "dns_nsec3_addnsec3s -> %s", |
8777 | 0 | isc_result_totext(result)); |
8778 | 0 | goto failure; |
8779 | 0 | } |
8780 | 0 | } |
8781 | 0 | } |
8782 | | |
8783 | | /* |
8784 | | * Add / update signatures for the NSEC3 records. |
8785 | | */ |
8786 | 0 | if (nsec3chain != NULL) { |
8787 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8788 | 0 | } |
8789 | 0 | result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys, |
8790 | 0 | nkeys, zone, inception, expire, 0, now, |
8791 | 0 | &zonediff); |
8792 | 0 | if (result != ISC_R_SUCCESS) { |
8793 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8794 | 0 | "zone_nsec3chain:dns__zone_updatesigs -> %s", |
8795 | 0 | isc_result_totext(result)); |
8796 | 0 | goto failure; |
8797 | 0 | } |
8798 | | |
8799 | | /* |
8800 | | * We have changed the NSEC3PARAM or private RRsets |
8801 | | * above so we need to update the signatures. |
8802 | | */ |
8803 | 0 | result = dns__zone_updatesigs(¶m_diff, db, version, zone_keys, |
8804 | 0 | nkeys, zone, inception, expire, 0, now, |
8805 | 0 | &zonediff); |
8806 | 0 | if (result != ISC_R_SUCCESS) { |
8807 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8808 | 0 | "zone_nsec3chain:dns__zone_updatesigs -> %s", |
8809 | 0 | isc_result_totext(result)); |
8810 | 0 | goto failure; |
8811 | 0 | } |
8812 | | |
8813 | 0 | if (updatensec) { |
8814 | 0 | result = updatesecure(db, version, &zone->origin, |
8815 | 0 | zone_nsecttl(zone), false, &nsec_diff); |
8816 | 0 | if (result != ISC_R_SUCCESS) { |
8817 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8818 | 0 | "zone_nsec3chain:updatesecure -> %s", |
8819 | 0 | isc_result_totext(result)); |
8820 | 0 | goto failure; |
8821 | 0 | } |
8822 | 0 | } |
8823 | | |
8824 | 0 | result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys, |
8825 | 0 | zone, inception, expire, 0, now, |
8826 | 0 | &zonediff); |
8827 | 0 | if (result != ISC_R_SUCCESS) { |
8828 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8829 | 0 | "zone_nsec3chain:dns__zone_updatesigs -> %s", |
8830 | 0 | isc_result_totext(result)); |
8831 | 0 | goto failure; |
8832 | 0 | } |
8833 | | |
8834 | | /* |
8835 | | * If we made no effective changes to the zone then we can just |
8836 | | * cleanup otherwise we need to increment the serial. |
8837 | | */ |
8838 | 0 | if (ISC_LIST_EMPTY(zonediff.diff->tuples)) { |
8839 | | /* |
8840 | | * No need to call dns_db_closeversion() here as it is |
8841 | | * called with commit = true below. |
8842 | | */ |
8843 | 0 | goto done; |
8844 | 0 | } |
8845 | | |
8846 | 0 | result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, |
8847 | 0 | &zonediff, zone_keys, nkeys, now, false); |
8848 | 0 | if (result != ISC_R_SUCCESS) { |
8849 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8850 | 0 | "zone_nsec3chain:del_sigs -> %s", |
8851 | 0 | isc_result_totext(result)); |
8852 | 0 | goto failure; |
8853 | 0 | } |
8854 | | |
8855 | 0 | result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx, |
8856 | 0 | zone->updatemethod); |
8857 | 0 | if (result != ISC_R_SUCCESS) { |
8858 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8859 | 0 | "zone_nsec3chain:update_soa_serial -> %s", |
8860 | 0 | isc_result_totext(result)); |
8861 | 0 | goto failure; |
8862 | 0 | } |
8863 | | |
8864 | 0 | result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, |
8865 | 0 | zonediff.diff, zone_keys, nkeys, zone->mctx, now, |
8866 | 0 | inception, soaexpire); |
8867 | 0 | if (result != ISC_R_SUCCESS) { |
8868 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
8869 | 0 | "zone_nsec3chain:add_sigs -> %s", |
8870 | 0 | isc_result_totext(result)); |
8871 | 0 | goto failure; |
8872 | 0 | } |
8873 | | |
8874 | | /* Write changes to journal file. */ |
8875 | 0 | CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain")); |
8876 | | |
8877 | 0 | LOCK_ZONE(zone); |
8878 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
8879 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
8880 | 0 | UNLOCK_ZONE(zone); |
8881 | |
|
8882 | 0 | done: |
8883 | | /* |
8884 | | * Pause all iterators so that dns_db_closeversion() can succeed. |
8885 | | */ |
8886 | 0 | LOCK_ZONE(zone); |
8887 | 0 | for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL; |
8888 | 0 | nsec3chain = ISC_LIST_NEXT(nsec3chain, link)) |
8889 | 0 | { |
8890 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8891 | 0 | } |
8892 | 0 | UNLOCK_ZONE(zone); |
8893 | | |
8894 | | /* |
8895 | | * Everything has succeeded. Commit the changes. |
8896 | | * Unconditionally commit as zonediff.offline not checked above. |
8897 | | */ |
8898 | 0 | dns_db_closeversion(db, &version, true); |
8899 | | |
8900 | | /* |
8901 | | * Everything succeeded so we can clean these up now. |
8902 | | */ |
8903 | 0 | nsec3chain = ISC_LIST_HEAD(cleanup); |
8904 | 0 | while (nsec3chain != NULL) { |
8905 | 0 | ISC_LIST_UNLINK(cleanup, nsec3chain, link); |
8906 | 0 | dns_db_detach(&nsec3chain->db); |
8907 | 0 | dns_dbiterator_destroy(&nsec3chain->dbiterator); |
8908 | 0 | isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); |
8909 | 0 | nsec3chain = ISC_LIST_HEAD(cleanup); |
8910 | 0 | } |
8911 | |
|
8912 | 0 | LOCK_ZONE(zone); |
8913 | 0 | set_resigntime(zone); |
8914 | 0 | UNLOCK_ZONE(zone); |
8915 | |
|
8916 | 0 | failure: |
8917 | 0 | if (result != ISC_R_SUCCESS) { |
8918 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", |
8919 | 0 | isc_result_totext(result)); |
8920 | 0 | } |
8921 | | |
8922 | | /* |
8923 | | * On error roll back the current nsec3chain. |
8924 | | */ |
8925 | 0 | if (result != ISC_R_SUCCESS && nsec3chain != NULL) { |
8926 | 0 | if (nsec3chain->done) { |
8927 | 0 | dns_db_detach(&nsec3chain->db); |
8928 | 0 | dns_dbiterator_destroy(&nsec3chain->dbiterator); |
8929 | 0 | isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); |
8930 | 0 | } else { |
8931 | 0 | result = dns_dbiterator_first(nsec3chain->dbiterator); |
8932 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
8933 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8934 | 0 | nsec3chain->delete_nsec = nsec3chain->save_delete_nsec; |
8935 | 0 | } |
8936 | 0 | } |
8937 | | |
8938 | | /* |
8939 | | * Rollback the cleanup list. |
8940 | | */ |
8941 | 0 | nsec3chain = ISC_LIST_TAIL(cleanup); |
8942 | 0 | while (nsec3chain != NULL) { |
8943 | 0 | ISC_LIST_UNLINK(cleanup, nsec3chain, link); |
8944 | 0 | if (nsec3chain->done) { |
8945 | 0 | dns_db_detach(&nsec3chain->db); |
8946 | 0 | dns_dbiterator_destroy(&nsec3chain->dbiterator); |
8947 | 0 | isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); |
8948 | 0 | } else { |
8949 | 0 | LOCK_ZONE(zone); |
8950 | 0 | ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link); |
8951 | 0 | UNLOCK_ZONE(zone); |
8952 | 0 | result = dns_dbiterator_first(nsec3chain->dbiterator); |
8953 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
8954 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8955 | 0 | nsec3chain->delete_nsec = nsec3chain->save_delete_nsec; |
8956 | 0 | } |
8957 | 0 | nsec3chain = ISC_LIST_TAIL(cleanup); |
8958 | 0 | } |
8959 | |
|
8960 | 0 | LOCK_ZONE(zone); |
8961 | 0 | for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL; |
8962 | 0 | nsec3chain = ISC_LIST_NEXT(nsec3chain, link)) |
8963 | 0 | { |
8964 | 0 | dns_dbiterator_pause(nsec3chain->dbiterator); |
8965 | 0 | } |
8966 | 0 | UNLOCK_ZONE(zone); |
8967 | |
|
8968 | 0 | dns_diff_clear(¶m_diff); |
8969 | 0 | dns_diff_clear(&nsec3_diff); |
8970 | 0 | dns_diff_clear(&nsec_diff); |
8971 | 0 | dns_diff_clear(&_sig_diff); |
8972 | |
|
8973 | 0 | if (iterator != NULL) { |
8974 | 0 | dns_rdatasetiter_destroy(&iterator); |
8975 | 0 | } |
8976 | |
|
8977 | 0 | for (i = 0; i < nkeys; i++) { |
8978 | 0 | dst_key_free(&zone_keys[i]); |
8979 | 0 | } |
8980 | |
|
8981 | 0 | if (node != NULL) { |
8982 | 0 | dns_db_detachnode(db, &node); |
8983 | 0 | } |
8984 | 0 | if (version != NULL) { |
8985 | 0 | dns_db_closeversion(db, &version, false); |
8986 | 0 | dns_db_detach(&db); |
8987 | 0 | } else if (db != NULL) { |
8988 | 0 | dns_db_detach(&db); |
8989 | 0 | } |
8990 | |
|
8991 | 0 | LOCK_ZONE(zone); |
8992 | 0 | if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) { |
8993 | 0 | isc_interval_t interval; |
8994 | 0 | if (zone->update_disabled || result != ISC_R_SUCCESS) { |
8995 | 0 | isc_interval_set(&interval, 60, 0); /* 1 minute */ |
8996 | 0 | } else { |
8997 | 0 | isc_interval_set(&interval, 0, 10000000); /* 10 ms */ |
8998 | 0 | } |
8999 | 0 | isc_time_nowplusinterval(&zone->nsec3chaintime, &interval); |
9000 | 0 | } else { |
9001 | 0 | isc_time_settoepoch(&zone->nsec3chaintime); |
9002 | 0 | } |
9003 | 0 | UNLOCK_ZONE(zone); |
9004 | |
|
9005 | 0 | INSIST(version == NULL); |
9006 | 0 | } |
9007 | | |
9008 | | /*% |
9009 | | * Delete all RRSIG records with the given algorithm and keyid. |
9010 | | * Remove the NSEC record and RRSIGs if nkeys is zero. |
9011 | | * If all remaining RRsets are signed with the given algorithm |
9012 | | * set *has_algp to true. |
9013 | | */ |
9014 | | static isc_result_t |
9015 | | del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, |
9016 | | dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm, |
9017 | 0 | uint16_t keyid, bool *has_algp, dns_diff_t *diff) { |
9018 | 0 | dns_rdata_rrsig_t rrsig; |
9019 | 0 | dns_rdataset_t rdataset; |
9020 | 0 | dns_rdatasetiter_t *iterator = NULL; |
9021 | 0 | isc_result_t result; |
9022 | 0 | bool alg_missed = false; |
9023 | 0 | bool alg_found = false; |
9024 | |
|
9025 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
9026 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
9027 | |
|
9028 | 0 | result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator); |
9029 | 0 | if (result != ISC_R_SUCCESS) { |
9030 | 0 | if (result == ISC_R_NOTFOUND) { |
9031 | 0 | result = ISC_R_SUCCESS; |
9032 | 0 | } |
9033 | 0 | return (result); |
9034 | 0 | } |
9035 | | |
9036 | 0 | dns_rdataset_init(&rdataset); |
9037 | 0 | for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; |
9038 | 0 | result = dns_rdatasetiter_next(iterator)) |
9039 | 0 | { |
9040 | 0 | bool has_alg = false; |
9041 | 0 | dns_rdatasetiter_current(iterator, &rdataset); |
9042 | 0 | if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) { |
9043 | 0 | for (result = dns_rdataset_first(&rdataset); |
9044 | 0 | result == ISC_R_SUCCESS; |
9045 | 0 | result = dns_rdataset_next(&rdataset)) |
9046 | 0 | { |
9047 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
9048 | 0 | dns_rdataset_current(&rdataset, &rdata); |
9049 | 0 | CHECK(update_one_rr(db, version, diff, |
9050 | 0 | DNS_DIFFOP_DEL, name, |
9051 | 0 | rdataset.ttl, &rdata)); |
9052 | 0 | } |
9053 | 0 | if (result != ISC_R_NOMORE) { |
9054 | 0 | goto failure; |
9055 | 0 | } |
9056 | 0 | dns_rdataset_disassociate(&rdataset); |
9057 | 0 | continue; |
9058 | 0 | } |
9059 | 0 | if (rdataset.type != dns_rdatatype_rrsig) { |
9060 | 0 | dns_rdataset_disassociate(&rdataset); |
9061 | 0 | continue; |
9062 | 0 | } |
9063 | 0 | for (result = dns_rdataset_first(&rdataset); |
9064 | 0 | result == ISC_R_SUCCESS; |
9065 | 0 | result = dns_rdataset_next(&rdataset)) |
9066 | 0 | { |
9067 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
9068 | 0 | dns_rdataset_current(&rdataset, &rdata); |
9069 | 0 | CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL)); |
9070 | 0 | if (nkeys != 0 && (rrsig.algorithm != algorithm || |
9071 | 0 | rrsig.keyid != keyid)) |
9072 | 0 | { |
9073 | 0 | if (rrsig.algorithm == algorithm) { |
9074 | 0 | has_alg = true; |
9075 | 0 | } |
9076 | 0 | continue; |
9077 | 0 | } |
9078 | 0 | CHECK(update_one_rr(db, version, diff, |
9079 | 0 | DNS_DIFFOP_DELRESIGN, name, |
9080 | 0 | rdataset.ttl, &rdata)); |
9081 | 0 | } |
9082 | 0 | dns_rdataset_disassociate(&rdataset); |
9083 | 0 | if (result != ISC_R_NOMORE) { |
9084 | 0 | break; |
9085 | 0 | } |
9086 | | |
9087 | | /* |
9088 | | * After deleting, if there's still a signature for |
9089 | | * 'algorithm', set alg_found; if not, set alg_missed. |
9090 | | */ |
9091 | 0 | if (has_alg) { |
9092 | 0 | alg_found = true; |
9093 | 0 | } else { |
9094 | 0 | alg_missed = true; |
9095 | 0 | } |
9096 | 0 | } |
9097 | 0 | if (result == ISC_R_NOMORE) { |
9098 | 0 | result = ISC_R_SUCCESS; |
9099 | 0 | } |
9100 | | |
9101 | | /* |
9102 | | * Set `has_algp` if the algorithm was found in every RRset: |
9103 | | * i.e., found in at least one, and not missing from any. |
9104 | | */ |
9105 | 0 | *has_algp = (alg_found && !alg_missed); |
9106 | 0 | failure: |
9107 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
9108 | 0 | dns_rdataset_disassociate(&rdataset); |
9109 | 0 | } |
9110 | 0 | dns_rdatasetiter_destroy(&iterator); |
9111 | 0 | return (result); |
9112 | 0 | } |
9113 | | |
9114 | | /* |
9115 | | * Prevent the zone entering a inconsistent state where |
9116 | | * NSEC only DNSKEYs are present with NSEC3 chains. |
9117 | | */ |
9118 | | bool |
9119 | | dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db, |
9120 | | dns_dbversion_t *ver, dns_diff_t *diff, |
9121 | 0 | dst_key_t **keys, unsigned int numkeys) { |
9122 | 0 | uint8_t alg; |
9123 | 0 | dns_rdatatype_t privatetype; |
9124 | 0 | ; |
9125 | 0 | bool nseconly = false, nsec3 = false; |
9126 | 0 | isc_result_t result; |
9127 | |
|
9128 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
9129 | 0 | REQUIRE(db != NULL); |
9130 | |
|
9131 | 0 | privatetype = dns_zone_getprivatetype(zone); |
9132 | | |
9133 | | /* Scan the tuples for an NSEC-only DNSKEY */ |
9134 | 0 | if (diff != NULL) { |
9135 | 0 | for (dns_difftuple_t *tuple = ISC_LIST_HEAD(diff->tuples); |
9136 | 0 | tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link)) |
9137 | 0 | { |
9138 | 0 | if (nseconly && nsec3) { |
9139 | 0 | break; |
9140 | 0 | } |
9141 | | |
9142 | 0 | if (tuple->op != DNS_DIFFOP_ADD) { |
9143 | 0 | continue; |
9144 | 0 | } |
9145 | | |
9146 | 0 | if (tuple->rdata.type == dns_rdatatype_nsec3param) { |
9147 | 0 | nsec3 = true; |
9148 | 0 | } |
9149 | |
|
9150 | 0 | if (tuple->rdata.type != dns_rdatatype_dnskey) { |
9151 | 0 | continue; |
9152 | 0 | } |
9153 | | |
9154 | 0 | alg = tuple->rdata.data[3]; |
9155 | 0 | if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA || |
9156 | 0 | alg == DNS_KEYALG_RSASHA1) |
9157 | 0 | { |
9158 | 0 | nseconly = true; |
9159 | 0 | } |
9160 | 0 | } |
9161 | 0 | } |
9162 | | /* Scan the zone keys for an NSEC-only DNSKEY */ |
9163 | 0 | if (keys != NULL && !nseconly) { |
9164 | 0 | for (unsigned int i = 0; i < numkeys; i++) { |
9165 | 0 | alg = dst_key_alg(keys[i]); |
9166 | 0 | if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA || |
9167 | 0 | alg == DNS_KEYALG_RSASHA1) |
9168 | 0 | { |
9169 | 0 | nseconly = true; |
9170 | 0 | break; |
9171 | 0 | } |
9172 | 0 | } |
9173 | 0 | } |
9174 | | |
9175 | | /* Check DB for NSEC-only DNSKEY */ |
9176 | 0 | if (!nseconly) { |
9177 | 0 | result = dns_nsec_nseconly(db, ver, diff, &nseconly); |
9178 | | /* |
9179 | | * Adding an NSEC3PARAM record can proceed without a |
9180 | | * DNSKEY (it will trigger a delayed change), so we can |
9181 | | * ignore ISC_R_NOTFOUND here. |
9182 | | */ |
9183 | 0 | if (result == ISC_R_NOTFOUND) { |
9184 | 0 | result = ISC_R_SUCCESS; |
9185 | 0 | } |
9186 | 0 | CHECK(result); |
9187 | 0 | } |
9188 | | |
9189 | | /* Check existing DB for NSEC3 */ |
9190 | 0 | if (!nsec3) { |
9191 | 0 | CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3)); |
9192 | 0 | } |
9193 | | |
9194 | | /* Check kasp for NSEC3PARAM settings */ |
9195 | 0 | if (!nsec3) { |
9196 | 0 | dns_kasp_t *kasp = zone->kasp; |
9197 | 0 | if (kasp != NULL) { |
9198 | 0 | nsec3 = dns_kasp_nsec3(kasp); |
9199 | 0 | } |
9200 | 0 | } |
9201 | | |
9202 | | /* Refuse to allow NSEC3 with NSEC-only keys */ |
9203 | 0 | if (nseconly && nsec3) { |
9204 | 0 | goto failure; |
9205 | 0 | } |
9206 | | |
9207 | 0 | return (true); |
9208 | | |
9209 | 0 | failure: |
9210 | 0 | return (false); |
9211 | 0 | } |
9212 | | |
9213 | | /* |
9214 | | * Incrementally sign the zone using the keys requested. |
9215 | | * Builds the NSEC chain if required. |
9216 | | */ |
9217 | | static void |
9218 | 0 | zone_sign(dns_zone_t *zone) { |
9219 | 0 | dns_db_t *db = NULL; |
9220 | 0 | dns_dbnode_t *node = NULL; |
9221 | 0 | dns_dbversion_t *version = NULL; |
9222 | 0 | dns_diff_t _sig_diff; |
9223 | 0 | dns_diff_t post_diff; |
9224 | 0 | dns__zonediff_t zonediff; |
9225 | 0 | dns_fixedname_t fixed; |
9226 | 0 | dns_fixedname_t nextfixed; |
9227 | 0 | dns_kasp_t *kasp; |
9228 | 0 | dns_name_t *name, *nextname; |
9229 | 0 | dns_rdataset_t rdataset; |
9230 | 0 | dns_signing_t *signing, *nextsigning; |
9231 | 0 | dns_signinglist_t cleanup; |
9232 | 0 | dst_key_t *zone_keys[DNS_MAXZONEKEYS]; |
9233 | 0 | int32_t signatures; |
9234 | 0 | bool is_ksk, is_zsk; |
9235 | 0 | bool with_ksk, with_zsk; |
9236 | 0 | bool commit = false; |
9237 | 0 | bool is_bottom_of_zone; |
9238 | 0 | bool build_nsec = false; |
9239 | 0 | bool build_nsec3 = false; |
9240 | 0 | bool use_kasp = false; |
9241 | 0 | bool first; |
9242 | 0 | isc_result_t result; |
9243 | 0 | isc_stdtime_t now, inception, soaexpire, expire; |
9244 | 0 | unsigned int i, j; |
9245 | 0 | unsigned int nkeys = 0; |
9246 | 0 | uint32_t nodes; |
9247 | |
|
9248 | 0 | ENTER; |
9249 | |
|
9250 | 0 | dns_rdataset_init(&rdataset); |
9251 | 0 | name = dns_fixedname_initname(&fixed); |
9252 | 0 | nextname = dns_fixedname_initname(&nextfixed); |
9253 | 0 | dns_diff_init(zone->mctx, &_sig_diff); |
9254 | 0 | dns_diff_init(zone->mctx, &post_diff); |
9255 | 0 | zonediff_init(&zonediff, &_sig_diff); |
9256 | 0 | ISC_LIST_INIT(cleanup); |
9257 | | |
9258 | | /* |
9259 | | * Updates are disabled. Pause for 1 minute. |
9260 | | */ |
9261 | 0 | if (zone->update_disabled) { |
9262 | 0 | result = ISC_R_FAILURE; |
9263 | 0 | goto cleanup; |
9264 | 0 | } |
9265 | | |
9266 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
9267 | 0 | if (zone->db != NULL) { |
9268 | 0 | dns_db_attach(zone->db, &db); |
9269 | 0 | } |
9270 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
9271 | 0 | if (db == NULL) { |
9272 | 0 | result = ISC_R_FAILURE; |
9273 | 0 | goto cleanup; |
9274 | 0 | } |
9275 | | |
9276 | 0 | result = dns_db_newversion(db, &version); |
9277 | 0 | if (result != ISC_R_SUCCESS) { |
9278 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9279 | 0 | "zone_sign:dns_db_newversion -> %s", |
9280 | 0 | isc_result_totext(result)); |
9281 | 0 | goto cleanup; |
9282 | 0 | } |
9283 | | |
9284 | 0 | now = isc_stdtime_now(); |
9285 | |
|
9286 | 0 | result = dns_zone_findkeys(zone, db, version, now, zone->mctx, |
9287 | 0 | DNS_MAXZONEKEYS, zone_keys, &nkeys); |
9288 | 0 | if (result != ISC_R_SUCCESS) { |
9289 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9290 | 0 | "zone_sign:dns_zone_findkeys -> %s", |
9291 | 0 | isc_result_totext(result)); |
9292 | 0 | goto cleanup; |
9293 | 0 | } |
9294 | | |
9295 | 0 | kasp = zone->kasp; |
9296 | |
|
9297 | 0 | calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL, |
9298 | 0 | &expire); |
9299 | | |
9300 | | /* |
9301 | | * We keep pulling nodes off each iterator in turn until |
9302 | | * we have no more nodes to pull off or we reach the limits |
9303 | | * for this quantum. |
9304 | | */ |
9305 | 0 | nodes = zone->nodes; |
9306 | 0 | signatures = zone->signatures; |
9307 | 0 | signing = ISC_LIST_HEAD(zone->signing); |
9308 | 0 | first = true; |
9309 | |
|
9310 | 0 | if (kasp != NULL) { |
9311 | 0 | use_kasp = true; |
9312 | 0 | } |
9313 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s", |
9314 | 0 | use_kasp ? "yes" : "no"); |
9315 | | |
9316 | | /* Determine which type of chain to build */ |
9317 | 0 | CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec, |
9318 | 0 | &build_nsec3)); |
9319 | 0 | if (!build_nsec && !build_nsec3) { |
9320 | 0 | if (use_kasp) { |
9321 | 0 | build_nsec3 = dns_kasp_nsec3(kasp); |
9322 | 0 | if (!dns_zone_check_dnskey_nsec3( |
9323 | 0 | zone, db, version, NULL, |
9324 | 0 | (dst_key_t **)&zone_keys, nkeys)) |
9325 | 0 | { |
9326 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
9327 | 0 | "wait building NSEC3 chain until " |
9328 | 0 | "NSEC only DNSKEYs are removed"); |
9329 | 0 | build_nsec3 = false; |
9330 | 0 | } |
9331 | 0 | build_nsec = !build_nsec3; |
9332 | 0 | } else { |
9333 | | /* If neither chain is found, default to NSEC */ |
9334 | 0 | build_nsec = true; |
9335 | 0 | } |
9336 | 0 | } |
9337 | |
|
9338 | 0 | while (signing != NULL && nodes-- > 0 && signatures > 0) { |
9339 | 0 | bool has_alg = false; |
9340 | |
|
9341 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9342 | 0 | nextsigning = ISC_LIST_NEXT(signing, link); |
9343 | |
|
9344 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
9345 | 0 | if (signing->done || signing->db != zone->db) { |
9346 | | /* |
9347 | | * The zone has been reloaded. We will have to |
9348 | | * created new signings as part of the reload |
9349 | | * process so we can destroy this one. |
9350 | | */ |
9351 | 0 | ISC_LIST_UNLINK(zone->signing, signing, link); |
9352 | 0 | ISC_LIST_APPEND(cleanup, signing, link); |
9353 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
9354 | 0 | goto next_signing; |
9355 | 0 | } |
9356 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
9357 | |
|
9358 | 0 | if (signing->db != db) { |
9359 | 0 | goto next_signing; |
9360 | 0 | } |
9361 | | |
9362 | 0 | is_bottom_of_zone = false; |
9363 | |
|
9364 | 0 | if (first && signing->deleteit) { |
9365 | | /* |
9366 | | * Remove the key we are deleting from consideration. |
9367 | | */ |
9368 | 0 | for (i = 0, j = 0; i < nkeys; i++) { |
9369 | | /* |
9370 | | * Find the key we want to remove. |
9371 | | */ |
9372 | 0 | if (ALG(zone_keys[i]) == signing->algorithm && |
9373 | 0 | dst_key_id(zone_keys[i]) == signing->keyid) |
9374 | 0 | { |
9375 | 0 | dst_key_free(&zone_keys[i]); |
9376 | 0 | continue; |
9377 | 0 | } |
9378 | 0 | zone_keys[j] = zone_keys[i]; |
9379 | 0 | j++; |
9380 | 0 | } |
9381 | 0 | for (i = j; i < nkeys; i++) { |
9382 | 0 | zone_keys[i] = NULL; |
9383 | 0 | } |
9384 | 0 | nkeys = j; |
9385 | 0 | } |
9386 | |
|
9387 | 0 | dns_dbiterator_current(signing->dbiterator, &node, name); |
9388 | |
|
9389 | 0 | if (signing->deleteit) { |
9390 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9391 | 0 | CHECK(del_sig(db, version, name, node, nkeys, |
9392 | 0 | signing->algorithm, signing->keyid, |
9393 | 0 | &has_alg, zonediff.diff)); |
9394 | 0 | } |
9395 | | |
9396 | | /* |
9397 | | * On the first pass we need to check if the current node |
9398 | | * has not been obscured. |
9399 | | */ |
9400 | 0 | if (first) { |
9401 | 0 | dns_fixedname_t ffound; |
9402 | 0 | dns_name_t *found; |
9403 | 0 | found = dns_fixedname_initname(&ffound); |
9404 | 0 | result = dns_db_find( |
9405 | 0 | db, name, version, dns_rdatatype_soa, |
9406 | 0 | DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL); |
9407 | 0 | if ((result == DNS_R_DELEGATION || |
9408 | 0 | result == DNS_R_DNAME) && |
9409 | 0 | !dns_name_equal(name, found)) |
9410 | 0 | { |
9411 | | /* |
9412 | | * Remember the obscuring name so that |
9413 | | * we skip all obscured names. |
9414 | | */ |
9415 | 0 | dns_name_copy(found, name); |
9416 | 0 | is_bottom_of_zone = true; |
9417 | 0 | goto next_node; |
9418 | 0 | } |
9419 | 0 | } |
9420 | | |
9421 | | /* |
9422 | | * Process one node. |
9423 | | */ |
9424 | 0 | with_ksk = false; |
9425 | 0 | with_zsk = false; |
9426 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9427 | |
|
9428 | 0 | CHECK(check_if_bottom_of_zone(db, node, version, |
9429 | 0 | &is_bottom_of_zone)); |
9430 | | |
9431 | 0 | for (i = 0; !has_alg && i < nkeys; i++) { |
9432 | 0 | bool both = false; |
9433 | | /* |
9434 | | * Find the keys we want to sign with. |
9435 | | */ |
9436 | 0 | if (!dst_key_isprivate(zone_keys[i])) { |
9437 | 0 | continue; |
9438 | 0 | } |
9439 | 0 | if (dst_key_inactive(zone_keys[i])) { |
9440 | 0 | continue; |
9441 | 0 | } |
9442 | | |
9443 | | /* |
9444 | | * When adding look for the specific key. |
9445 | | */ |
9446 | 0 | if (!signing->deleteit && |
9447 | 0 | (dst_key_alg(zone_keys[i]) != signing->algorithm || |
9448 | 0 | dst_key_id(zone_keys[i]) != signing->keyid)) |
9449 | 0 | { |
9450 | 0 | continue; |
9451 | 0 | } |
9452 | | |
9453 | | /* |
9454 | | * When deleting make sure we are properly signed |
9455 | | * with the algorithm that was being removed. |
9456 | | */ |
9457 | 0 | if (signing->deleteit && |
9458 | 0 | ALG(zone_keys[i]) != signing->algorithm) |
9459 | 0 | { |
9460 | 0 | continue; |
9461 | 0 | } |
9462 | | |
9463 | | /* |
9464 | | * We do KSK processing. |
9465 | | */ |
9466 | 0 | if (use_kasp) { |
9467 | | /* |
9468 | | * A dnssec-policy is found. Check what |
9469 | | * RRsets this key can sign. |
9470 | | */ |
9471 | 0 | isc_result_t kresult; |
9472 | 0 | is_ksk = false; |
9473 | 0 | kresult = dst_key_getbool( |
9474 | 0 | zone_keys[i], DST_BOOL_KSK, &is_ksk); |
9475 | 0 | if (kresult != ISC_R_SUCCESS) { |
9476 | 0 | if (KSK(zone_keys[i])) { |
9477 | 0 | is_ksk = true; |
9478 | 0 | } |
9479 | 0 | } |
9480 | |
|
9481 | 0 | is_zsk = false; |
9482 | 0 | kresult = dst_key_getbool( |
9483 | 0 | zone_keys[i], DST_BOOL_ZSK, &is_zsk); |
9484 | 0 | if (kresult != ISC_R_SUCCESS) { |
9485 | 0 | if (!KSK(zone_keys[i])) { |
9486 | 0 | is_zsk = true; |
9487 | 0 | } |
9488 | 0 | } |
9489 | 0 | both = true; |
9490 | 0 | } else { |
9491 | 0 | is_ksk = KSK(zone_keys[i]); |
9492 | 0 | is_zsk = !is_ksk; |
9493 | | |
9494 | | /* |
9495 | | * Don't consider inactive keys, however the key |
9496 | | * may be temporary offline, so do consider KSKs |
9497 | | * which private key files are unavailable. |
9498 | | */ |
9499 | 0 | both = dst_key_have_ksk_and_zsk( |
9500 | 0 | zone_keys, nkeys, i, false, is_ksk, |
9501 | 0 | is_zsk, NULL, NULL); |
9502 | 0 | if (both || REVOKE(zone_keys[i])) { |
9503 | 0 | is_ksk = KSK(zone_keys[i]); |
9504 | 0 | is_zsk = !KSK(zone_keys[i]); |
9505 | 0 | } else { |
9506 | 0 | is_ksk = false; |
9507 | 0 | is_zsk = false; |
9508 | 0 | } |
9509 | 0 | } |
9510 | | |
9511 | | /* |
9512 | | * If deleting signatures, we need to ensure that |
9513 | | * the RRset is still signed at least once by a |
9514 | | * KSK and a ZSK. |
9515 | | */ |
9516 | 0 | if (signing->deleteit && is_zsk && with_zsk) { |
9517 | 0 | continue; |
9518 | 0 | } |
9519 | | |
9520 | 0 | if (signing->deleteit && is_ksk && with_ksk) { |
9521 | 0 | continue; |
9522 | 0 | } |
9523 | | |
9524 | 0 | CHECK(sign_a_node( |
9525 | 0 | db, zone, name, node, version, build_nsec3, |
9526 | 0 | build_nsec, zone_keys[i], now, inception, |
9527 | 0 | expire, zone_nsecttl(zone), both, is_ksk, |
9528 | 0 | is_zsk, is_bottom_of_zone, zonediff.diff, |
9529 | 0 | &signatures, zone->mctx)); |
9530 | | /* |
9531 | | * If we are adding we are done. Look for other keys |
9532 | | * of the same algorithm if deleting. |
9533 | | */ |
9534 | 0 | if (!signing->deleteit) { |
9535 | 0 | break; |
9536 | 0 | } |
9537 | 0 | if (is_zsk) { |
9538 | 0 | with_zsk = true; |
9539 | 0 | } |
9540 | 0 | if (is_ksk) { |
9541 | 0 | with_ksk = true; |
9542 | 0 | } |
9543 | 0 | } |
9544 | | |
9545 | | /* |
9546 | | * Go onto next node. |
9547 | | */ |
9548 | 0 | next_node: |
9549 | 0 | first = false; |
9550 | 0 | dns_db_detachnode(db, &node); |
9551 | 0 | do { |
9552 | 0 | result = dns_dbiterator_next(signing->dbiterator); |
9553 | 0 | if (result == ISC_R_NOMORE) { |
9554 | 0 | ISC_LIST_UNLINK(zone->signing, signing, link); |
9555 | 0 | ISC_LIST_APPEND(cleanup, signing, link); |
9556 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9557 | 0 | if (nkeys != 0 && build_nsec) { |
9558 | | /* |
9559 | | * We have finished regenerating the |
9560 | | * zone with a zone signing key. |
9561 | | * The NSEC chain is now complete and |
9562 | | * there is a full set of signatures |
9563 | | * for the zone. We can now clear the |
9564 | | * OPT bit from the NSEC record. |
9565 | | */ |
9566 | 0 | result = updatesecure( |
9567 | 0 | db, version, &zone->origin, |
9568 | 0 | zone_nsecttl(zone), false, |
9569 | 0 | &post_diff); |
9570 | 0 | if (result != ISC_R_SUCCESS) { |
9571 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9572 | 0 | "updatesecure -> %s", |
9573 | 0 | isc_result_totext( |
9574 | 0 | result)); |
9575 | 0 | goto cleanup; |
9576 | 0 | } |
9577 | 0 | } |
9578 | 0 | result = updatesignwithkey( |
9579 | 0 | zone, signing, version, build_nsec3, |
9580 | 0 | zone_nsecttl(zone), &post_diff); |
9581 | 0 | if (result != ISC_R_SUCCESS) { |
9582 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9583 | 0 | "updatesignwithkey -> %s", |
9584 | 0 | isc_result_totext(result)); |
9585 | 0 | goto cleanup; |
9586 | 0 | } |
9587 | 0 | build_nsec = false; |
9588 | 0 | goto next_signing; |
9589 | 0 | } else if (result != ISC_R_SUCCESS) { |
9590 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9591 | 0 | "zone_sign:" |
9592 | 0 | "dns_dbiterator_next -> %s", |
9593 | 0 | isc_result_totext(result)); |
9594 | 0 | goto cleanup; |
9595 | 0 | } else if (is_bottom_of_zone) { |
9596 | 0 | dns_dbiterator_current(signing->dbiterator, |
9597 | 0 | &node, nextname); |
9598 | 0 | dns_db_detachnode(db, &node); |
9599 | 0 | if (!dns_name_issubdomain(nextname, name)) { |
9600 | 0 | break; |
9601 | 0 | } |
9602 | 0 | } else { |
9603 | 0 | break; |
9604 | 0 | } |
9605 | 0 | } while (1); |
9606 | 0 | continue; |
9607 | | |
9608 | 0 | next_signing: |
9609 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9610 | 0 | signing = nextsigning; |
9611 | 0 | first = true; |
9612 | 0 | } |
9613 | | |
9614 | 0 | if (ISC_LIST_HEAD(post_diff.tuples) != NULL) { |
9615 | 0 | result = dns__zone_updatesigs(&post_diff, db, version, |
9616 | 0 | zone_keys, nkeys, zone, inception, |
9617 | 0 | expire, 0, now, &zonediff); |
9618 | 0 | if (result != ISC_R_SUCCESS) { |
9619 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9620 | 0 | "zone_sign:dns__zone_updatesigs -> %s", |
9621 | 0 | isc_result_totext(result)); |
9622 | 0 | goto cleanup; |
9623 | 0 | } |
9624 | 0 | } |
9625 | | |
9626 | | /* |
9627 | | * Have we changed anything? |
9628 | | */ |
9629 | 0 | if (ISC_LIST_EMPTY(zonediff.diff->tuples)) { |
9630 | 0 | if (zonediff.offline) { |
9631 | 0 | commit = true; |
9632 | 0 | } |
9633 | 0 | result = ISC_R_SUCCESS; |
9634 | 0 | goto pauseall; |
9635 | 0 | } |
9636 | | |
9637 | 0 | commit = true; |
9638 | |
|
9639 | 0 | result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, |
9640 | 0 | &zonediff, zone_keys, nkeys, now, false); |
9641 | 0 | if (result != ISC_R_SUCCESS) { |
9642 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s", |
9643 | 0 | isc_result_totext(result)); |
9644 | 0 | goto cleanup; |
9645 | 0 | } |
9646 | | |
9647 | 0 | result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx, |
9648 | 0 | zone->updatemethod); |
9649 | 0 | if (result != ISC_R_SUCCESS) { |
9650 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
9651 | 0 | "zone_sign:update_soa_serial -> %s", |
9652 | 0 | isc_result_totext(result)); |
9653 | 0 | goto cleanup; |
9654 | 0 | } |
9655 | | |
9656 | | /* |
9657 | | * Generate maximum life time signatures so that the above loop |
9658 | | * termination is sensible. |
9659 | | */ |
9660 | 0 | result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, |
9661 | 0 | zonediff.diff, zone_keys, nkeys, zone->mctx, now, |
9662 | 0 | inception, soaexpire); |
9663 | 0 | if (result != ISC_R_SUCCESS) { |
9664 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s", |
9665 | 0 | isc_result_totext(result)); |
9666 | 0 | goto cleanup; |
9667 | 0 | } |
9668 | | |
9669 | | /* |
9670 | | * Write changes to journal file. |
9671 | | */ |
9672 | 0 | CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign")); |
9673 | | |
9674 | 0 | pauseall: |
9675 | | /* |
9676 | | * Pause all iterators so that dns_db_closeversion() can succeed. |
9677 | | */ |
9678 | 0 | for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL; |
9679 | 0 | signing = ISC_LIST_NEXT(signing, link)) |
9680 | 0 | { |
9681 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9682 | 0 | } |
9683 | |
|
9684 | 0 | for (signing = ISC_LIST_HEAD(cleanup); signing != NULL; |
9685 | 0 | signing = ISC_LIST_NEXT(signing, link)) |
9686 | 0 | { |
9687 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9688 | 0 | } |
9689 | | |
9690 | | /* |
9691 | | * Everything has succeeded. Commit the changes. |
9692 | | */ |
9693 | 0 | dns_db_closeversion(db, &version, commit); |
9694 | | |
9695 | | /* |
9696 | | * Everything succeeded so we can clean these up now. |
9697 | | */ |
9698 | 0 | signing = ISC_LIST_HEAD(cleanup); |
9699 | 0 | while (signing != NULL) { |
9700 | 0 | ISC_LIST_UNLINK(cleanup, signing, link); |
9701 | 0 | dns_db_detach(&signing->db); |
9702 | 0 | dns_dbiterator_destroy(&signing->dbiterator); |
9703 | 0 | isc_mem_put(zone->mctx, signing, sizeof *signing); |
9704 | 0 | signing = ISC_LIST_HEAD(cleanup); |
9705 | 0 | } |
9706 | |
|
9707 | 0 | LOCK_ZONE(zone); |
9708 | 0 | set_resigntime(zone); |
9709 | 0 | if (commit) { |
9710 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
9711 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
9712 | 0 | } |
9713 | 0 | UNLOCK_ZONE(zone); |
9714 | |
|
9715 | 0 | failure: |
9716 | 0 | if (result != ISC_R_SUCCESS) { |
9717 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s", |
9718 | 0 | isc_result_totext(result)); |
9719 | 0 | } |
9720 | |
|
9721 | 0 | cleanup: |
9722 | | /* |
9723 | | * Pause all dbiterators. |
9724 | | */ |
9725 | 0 | for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL; |
9726 | 0 | signing = ISC_LIST_NEXT(signing, link)) |
9727 | 0 | { |
9728 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9729 | 0 | } |
9730 | | |
9731 | | /* |
9732 | | * Rollback the cleanup list. |
9733 | | */ |
9734 | 0 | signing = ISC_LIST_HEAD(cleanup); |
9735 | 0 | while (signing != NULL) { |
9736 | 0 | ISC_LIST_UNLINK(cleanup, signing, link); |
9737 | 0 | ISC_LIST_PREPEND(zone->signing, signing, link); |
9738 | 0 | dns_dbiterator_first(signing->dbiterator); |
9739 | 0 | dns_dbiterator_pause(signing->dbiterator); |
9740 | 0 | signing = ISC_LIST_HEAD(cleanup); |
9741 | 0 | } |
9742 | |
|
9743 | 0 | dns_diff_clear(&_sig_diff); |
9744 | |
|
9745 | 0 | for (i = 0; i < nkeys; i++) { |
9746 | 0 | dst_key_free(&zone_keys[i]); |
9747 | 0 | } |
9748 | |
|
9749 | 0 | if (node != NULL) { |
9750 | 0 | dns_db_detachnode(db, &node); |
9751 | 0 | } |
9752 | |
|
9753 | 0 | if (version != NULL) { |
9754 | 0 | dns_db_closeversion(db, &version, false); |
9755 | 0 | dns_db_detach(&db); |
9756 | 0 | } else if (db != NULL) { |
9757 | 0 | dns_db_detach(&db); |
9758 | 0 | } |
9759 | |
|
9760 | 0 | LOCK_ZONE(zone); |
9761 | 0 | if (ISC_LIST_HEAD(zone->signing) != NULL) { |
9762 | 0 | isc_interval_t interval; |
9763 | 0 | if (zone->update_disabled || result != ISC_R_SUCCESS) { |
9764 | 0 | isc_interval_set(&interval, 60, 0); /* 1 minute */ |
9765 | 0 | } else { |
9766 | 0 | isc_interval_set(&interval, 0, 10000000); /* 10 ms */ |
9767 | 0 | } |
9768 | 0 | isc_time_nowplusinterval(&zone->signingtime, &interval); |
9769 | 0 | } else { |
9770 | 0 | isc_time_settoepoch(&zone->signingtime); |
9771 | 0 | } |
9772 | 0 | UNLOCK_ZONE(zone); |
9773 | |
|
9774 | 0 | INSIST(version == NULL); |
9775 | 0 | } |
9776 | | |
9777 | | static isc_result_t |
9778 | | normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data, |
9779 | 0 | int size) { |
9780 | 0 | dns_rdata_dnskey_t dnskey; |
9781 | 0 | dns_rdata_keydata_t keydata; |
9782 | 0 | isc_buffer_t buf; |
9783 | 0 | isc_result_t result; |
9784 | |
|
9785 | 0 | dns_rdata_reset(target); |
9786 | 0 | isc_buffer_init(&buf, data, size); |
9787 | |
|
9788 | 0 | switch (rr->type) { |
9789 | 0 | case dns_rdatatype_dnskey: |
9790 | 0 | result = dns_rdata_tostruct(rr, &dnskey, NULL); |
9791 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
9792 | 0 | dnskey.flags &= ~DNS_KEYFLAG_REVOKE; |
9793 | 0 | dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey, |
9794 | 0 | &dnskey, &buf); |
9795 | 0 | break; |
9796 | 0 | case dns_rdatatype_keydata: |
9797 | 0 | result = dns_rdata_tostruct(rr, &keydata, NULL); |
9798 | 0 | if (result == ISC_R_UNEXPECTEDEND) { |
9799 | 0 | return (result); |
9800 | 0 | } |
9801 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
9802 | 0 | dns_keydata_todnskey(&keydata, &dnskey, NULL); |
9803 | 0 | dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey, |
9804 | 0 | &dnskey, &buf); |
9805 | 0 | break; |
9806 | 0 | default: |
9807 | 0 | UNREACHABLE(); |
9808 | 0 | } |
9809 | 0 | return (ISC_R_SUCCESS); |
9810 | 0 | } |
9811 | | |
9812 | | /* |
9813 | | * 'rdset' contains either a DNSKEY rdataset from the zone apex, or |
9814 | | * a KEYDATA rdataset from the key zone. |
9815 | | * |
9816 | | * 'rr' contains either a DNSKEY record, or a KEYDATA record |
9817 | | * |
9818 | | * After normalizing keys to the same format (DNSKEY, with revoke bit |
9819 | | * cleared), return true if a key that matches 'rr' is found in |
9820 | | * 'rdset', or false if not. |
9821 | | */ |
9822 | | |
9823 | | static bool |
9824 | 0 | matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) { |
9825 | 0 | unsigned char data1[4096], data2[4096]; |
9826 | 0 | dns_rdata_t rdata, rdata1, rdata2; |
9827 | 0 | isc_result_t result; |
9828 | |
|
9829 | 0 | dns_rdata_init(&rdata); |
9830 | 0 | dns_rdata_init(&rdata1); |
9831 | 0 | dns_rdata_init(&rdata2); |
9832 | |
|
9833 | 0 | result = normalize_key(rr, &rdata1, data1, sizeof(data1)); |
9834 | 0 | if (result != ISC_R_SUCCESS) { |
9835 | 0 | return (false); |
9836 | 0 | } |
9837 | | |
9838 | 0 | for (result = dns_rdataset_first(rdset); result == ISC_R_SUCCESS; |
9839 | 0 | result = dns_rdataset_next(rdset)) |
9840 | 0 | { |
9841 | 0 | dns_rdata_reset(&rdata); |
9842 | 0 | dns_rdataset_current(rdset, &rdata); |
9843 | 0 | result = normalize_key(&rdata, &rdata2, data2, sizeof(data2)); |
9844 | 0 | if (result != ISC_R_SUCCESS) { |
9845 | 0 | continue; |
9846 | 0 | } |
9847 | 0 | if (dns_rdata_compare(&rdata1, &rdata2) == 0) { |
9848 | 0 | return (true); |
9849 | 0 | } |
9850 | 0 | } |
9851 | | |
9852 | 0 | return (false); |
9853 | 0 | } |
9854 | | |
9855 | | /* |
9856 | | * Calculate the refresh interval for a keydata zone, per |
9857 | | * RFC5011: MAX(1 hr, |
9858 | | * MIN(15 days, |
9859 | | * 1/2 * OrigTTL, |
9860 | | * 1/2 * RRSigExpirationInterval)) |
9861 | | * or for retries: MAX(1 hr, |
9862 | | * MIN(1 day, |
9863 | | * 1/10 * OrigTTL, |
9864 | | * 1/10 * RRSigExpirationInterval)) |
9865 | | */ |
9866 | | static isc_stdtime_t |
9867 | 0 | refresh_time(dns_keyfetch_t *kfetch, bool retry) { |
9868 | 0 | isc_result_t result; |
9869 | 0 | uint32_t t; |
9870 | 0 | dns_rdataset_t *rdset; |
9871 | 0 | dns_rdata_t sigrr = DNS_RDATA_INIT; |
9872 | 0 | dns_rdata_sig_t sig; |
9873 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
9874 | |
|
9875 | 0 | if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) { |
9876 | 0 | rdset = &kfetch->dnskeysigset; |
9877 | 0 | } else { |
9878 | 0 | return (now + dns_zone_mkey_hour); |
9879 | 0 | } |
9880 | | |
9881 | 0 | result = dns_rdataset_first(rdset); |
9882 | 0 | if (result != ISC_R_SUCCESS) { |
9883 | 0 | return (now + dns_zone_mkey_hour); |
9884 | 0 | } |
9885 | | |
9886 | 0 | dns_rdataset_current(rdset, &sigrr); |
9887 | 0 | result = dns_rdata_tostruct(&sigrr, &sig, NULL); |
9888 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
9889 | |
|
9890 | 0 | if (!retry) { |
9891 | 0 | t = sig.originalttl / 2; |
9892 | |
|
9893 | 0 | if (isc_serial_gt(sig.timeexpire, now)) { |
9894 | 0 | uint32_t exp = (sig.timeexpire - now) / 2; |
9895 | 0 | if (t > exp) { |
9896 | 0 | t = exp; |
9897 | 0 | } |
9898 | 0 | } |
9899 | |
|
9900 | 0 | if (t > (15 * dns_zone_mkey_day)) { |
9901 | 0 | t = (15 * dns_zone_mkey_day); |
9902 | 0 | } |
9903 | |
|
9904 | 0 | if (t < dns_zone_mkey_hour) { |
9905 | 0 | t = dns_zone_mkey_hour; |
9906 | 0 | } |
9907 | 0 | } else { |
9908 | 0 | t = sig.originalttl / 10; |
9909 | |
|
9910 | 0 | if (isc_serial_gt(sig.timeexpire, now)) { |
9911 | 0 | uint32_t exp = (sig.timeexpire - now) / 10; |
9912 | 0 | if (t > exp) { |
9913 | 0 | t = exp; |
9914 | 0 | } |
9915 | 0 | } |
9916 | |
|
9917 | 0 | if (t > dns_zone_mkey_day) { |
9918 | 0 | t = dns_zone_mkey_day; |
9919 | 0 | } |
9920 | |
|
9921 | 0 | if (t < dns_zone_mkey_hour) { |
9922 | 0 | t = dns_zone_mkey_hour; |
9923 | 0 | } |
9924 | 0 | } |
9925 | |
|
9926 | 0 | return (now + t); |
9927 | 0 | } |
9928 | | |
9929 | | /* |
9930 | | * This routine is called when no changes are needed in a KEYDATA |
9931 | | * record except to simply update the refresh timer. Caller should |
9932 | | * hold zone lock. |
9933 | | */ |
9934 | | static isc_result_t |
9935 | 0 | minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff) { |
9936 | 0 | isc_result_t result; |
9937 | 0 | isc_buffer_t keyb; |
9938 | 0 | unsigned char key_buf[4096]; |
9939 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
9940 | 0 | dns_rdata_keydata_t keydata; |
9941 | 0 | dns_name_t *name; |
9942 | 0 | dns_zone_t *zone = kfetch->zone; |
9943 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
9944 | |
|
9945 | 0 | name = dns_fixedname_name(&kfetch->name); |
9946 | |
|
9947 | 0 | for (result = dns_rdataset_first(&kfetch->keydataset); |
9948 | 0 | result == ISC_R_SUCCESS; |
9949 | 0 | result = dns_rdataset_next(&kfetch->keydataset)) |
9950 | 0 | { |
9951 | 0 | dns_rdata_reset(&rdata); |
9952 | 0 | dns_rdataset_current(&kfetch->keydataset, &rdata); |
9953 | | |
9954 | | /* Delete old version */ |
9955 | 0 | CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL, name, |
9956 | 0 | 0, &rdata)); |
9957 | | |
9958 | | /* Update refresh timer */ |
9959 | 0 | result = dns_rdata_tostruct(&rdata, &keydata, NULL); |
9960 | 0 | if (result == ISC_R_UNEXPECTEDEND) { |
9961 | 0 | continue; |
9962 | 0 | } |
9963 | 0 | if (result != ISC_R_SUCCESS) { |
9964 | 0 | goto failure; |
9965 | 0 | } |
9966 | 0 | keydata.refresh = refresh_time(kfetch, true); |
9967 | 0 | set_refreshkeytimer(zone, &keydata, now, false); |
9968 | |
|
9969 | 0 | dns_rdata_reset(&rdata); |
9970 | 0 | isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); |
9971 | 0 | CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, |
9972 | 0 | dns_rdatatype_keydata, &keydata, |
9973 | 0 | &keyb)); |
9974 | | |
9975 | | /* Insert updated version */ |
9976 | 0 | CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD, name, |
9977 | 0 | 0, &rdata)); |
9978 | 0 | } |
9979 | 0 | result = ISC_R_SUCCESS; |
9980 | 0 | failure: |
9981 | 0 | return (result); |
9982 | 0 | } |
9983 | | |
9984 | | /* |
9985 | | * Verify that DNSKEY set is signed by the key specified in 'keydata'. |
9986 | | */ |
9987 | | static bool |
9988 | 0 | revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { |
9989 | 0 | isc_result_t result; |
9990 | 0 | dns_name_t *keyname; |
9991 | 0 | isc_mem_t *mctx; |
9992 | 0 | dns_rdata_t sigrr = DNS_RDATA_INIT; |
9993 | 0 | dns_rdata_t rr = DNS_RDATA_INIT; |
9994 | 0 | dns_rdata_rrsig_t sig; |
9995 | 0 | dns_rdata_dnskey_t dnskey; |
9996 | 0 | dst_key_t *dstkey = NULL; |
9997 | 0 | unsigned char key_buf[4096]; |
9998 | 0 | isc_buffer_t keyb; |
9999 | 0 | bool answer = false; |
10000 | |
|
10001 | 0 | REQUIRE(kfetch != NULL && keydata != NULL); |
10002 | 0 | REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset)); |
10003 | |
|
10004 | 0 | keyname = dns_fixedname_name(&kfetch->name); |
10005 | 0 | mctx = kfetch->zone->view->mctx; |
10006 | | |
10007 | | /* Generate a key from keydata */ |
10008 | 0 | isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); |
10009 | 0 | dns_keydata_todnskey(keydata, &dnskey, NULL); |
10010 | 0 | dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey, |
10011 | 0 | &dnskey, &keyb); |
10012 | 0 | result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey); |
10013 | 0 | if (result != ISC_R_SUCCESS) { |
10014 | 0 | return (false); |
10015 | 0 | } |
10016 | | |
10017 | | /* See if that key generated any of the signatures */ |
10018 | 0 | for (result = dns_rdataset_first(&kfetch->dnskeysigset); |
10019 | 0 | result == ISC_R_SUCCESS; |
10020 | 0 | result = dns_rdataset_next(&kfetch->dnskeysigset)) |
10021 | 0 | { |
10022 | 0 | dns_fixedname_t fixed; |
10023 | 0 | dns_fixedname_init(&fixed); |
10024 | |
|
10025 | 0 | dns_rdata_reset(&sigrr); |
10026 | 0 | dns_rdataset_current(&kfetch->dnskeysigset, &sigrr); |
10027 | 0 | result = dns_rdata_tostruct(&sigrr, &sig, NULL); |
10028 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10029 | |
|
10030 | 0 | if (dst_key_alg(dstkey) == sig.algorithm && |
10031 | 0 | dst_key_rid(dstkey) == sig.keyid) |
10032 | 0 | { |
10033 | 0 | result = dns_dnssec_verify( |
10034 | 0 | keyname, &kfetch->dnskeyset, dstkey, false, 0, |
10035 | 0 | mctx, &sigrr, dns_fixedname_name(&fixed)); |
10036 | |
|
10037 | 0 | dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3), |
10038 | 0 | "Confirm revoked DNSKEY is self-signed: %s", |
10039 | 0 | isc_result_totext(result)); |
10040 | |
|
10041 | 0 | if (result == ISC_R_SUCCESS) { |
10042 | 0 | answer = true; |
10043 | 0 | break; |
10044 | 0 | } |
10045 | 0 | } |
10046 | 0 | } |
10047 | |
|
10048 | 0 | dst_key_free(&dstkey); |
10049 | 0 | return (answer); |
10050 | 0 | } |
10051 | | |
10052 | | /* |
10053 | | * A DNSKEY set has been fetched from the zone apex of a zone whose trust |
10054 | | * anchors are being managed; scan the keyset, and update the key zone and the |
10055 | | * local trust anchors according to RFC5011. |
10056 | | */ |
10057 | | static void |
10058 | 0 | keyfetch_done(void *arg) { |
10059 | 0 | dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg; |
10060 | 0 | isc_result_t result, eresult; |
10061 | 0 | dns_keyfetch_t *kfetch = NULL; |
10062 | 0 | dns_zone_t *zone = NULL; |
10063 | 0 | isc_mem_t *mctx = NULL; |
10064 | 0 | dns_keytable_t *secroots = NULL; |
10065 | 0 | dns_dbversion_t *ver = NULL; |
10066 | 0 | dns_diff_t diff; |
10067 | 0 | bool alldone = false; |
10068 | 0 | bool commit = false; |
10069 | 0 | dns_name_t *keyname = NULL; |
10070 | 0 | dns_rdata_t sigrr = DNS_RDATA_INIT; |
10071 | 0 | dns_rdata_t dnskeyrr = DNS_RDATA_INIT; |
10072 | 0 | dns_rdata_t keydatarr = DNS_RDATA_INIT; |
10073 | 0 | dns_rdata_rrsig_t sig; |
10074 | 0 | dns_rdata_dnskey_t dnskey; |
10075 | 0 | dns_rdata_keydata_t keydata; |
10076 | 0 | bool initializing; |
10077 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
10078 | 0 | unsigned char key_buf[4096]; |
10079 | 0 | isc_buffer_t keyb; |
10080 | 0 | dst_key_t *dstkey = NULL; |
10081 | 0 | isc_stdtime_t now; |
10082 | 0 | int pending = 0; |
10083 | 0 | bool secure = false, initial = false; |
10084 | 0 | bool free_needed; |
10085 | 0 | dns_keynode_t *keynode = NULL; |
10086 | 0 | dns_rdataset_t *dnskeys = NULL, *dnskeysigs = NULL; |
10087 | 0 | dns_rdataset_t *keydataset = NULL, dsset; |
10088 | |
|
10089 | 0 | INSIST(resp != NULL); |
10090 | |
|
10091 | 0 | kfetch = resp->arg; |
10092 | |
|
10093 | 0 | INSIST(kfetch != NULL); |
10094 | |
|
10095 | 0 | zone = kfetch->zone; |
10096 | 0 | mctx = kfetch->mctx; |
10097 | 0 | keyname = dns_fixedname_name(&kfetch->name); |
10098 | 0 | dnskeys = &kfetch->dnskeyset; |
10099 | 0 | dnskeysigs = &kfetch->dnskeysigset; |
10100 | 0 | keydataset = &kfetch->keydataset; |
10101 | |
|
10102 | 0 | eresult = resp->result; |
10103 | | |
10104 | | /* Free resources which are not of interest */ |
10105 | 0 | if (resp->node != NULL) { |
10106 | 0 | dns_db_detachnode(resp->db, &resp->node); |
10107 | 0 | } |
10108 | 0 | if (resp->db != NULL) { |
10109 | 0 | dns_db_detach(&resp->db); |
10110 | 0 | } |
10111 | |
|
10112 | 0 | dns_resolver_destroyfetch(&kfetch->fetch); |
10113 | |
|
10114 | 0 | LOCK_ZONE(zone); |
10115 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) { |
10116 | 0 | goto cleanup; |
10117 | 0 | } |
10118 | | |
10119 | 0 | now = isc_stdtime_now(); |
10120 | 0 | dns_name_format(keyname, namebuf, sizeof(namebuf)); |
10121 | |
|
10122 | 0 | result = dns_view_getsecroots(zone->view, &secroots); |
10123 | 0 | INSIST(result == ISC_R_SUCCESS); |
10124 | |
|
10125 | 0 | dns_diff_init(mctx, &diff); |
10126 | |
|
10127 | 0 | CHECK(dns_db_newversion(kfetch->db, &ver)); |
10128 | | |
10129 | 0 | zone->refreshkeycount--; |
10130 | 0 | alldone = (zone->refreshkeycount == 0); |
10131 | |
|
10132 | 0 | if (alldone) { |
10133 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); |
10134 | 0 | } |
10135 | |
|
10136 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
10137 | 0 | "Returned from key fetch in keyfetch_done() for '%s': %s", |
10138 | 0 | namebuf, isc_result_totext(eresult)); |
10139 | | |
10140 | | /* Fetch failed */ |
10141 | 0 | if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(dnskeys)) { |
10142 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
10143 | 0 | "Unable to fetch DNSKEY set '%s': %s", namebuf, |
10144 | 0 | isc_result_totext(eresult)); |
10145 | 0 | CHECK(minimal_update(kfetch, ver, &diff)); |
10146 | 0 | goto done; |
10147 | 0 | } |
10148 | | |
10149 | | /* No RRSIGs found */ |
10150 | 0 | if (!dns_rdataset_isassociated(dnskeysigs)) { |
10151 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
10152 | 0 | "No DNSKEY RRSIGs found for '%s': %s", namebuf, |
10153 | 0 | isc_result_totext(eresult)); |
10154 | 0 | CHECK(minimal_update(kfetch, ver, &diff)); |
10155 | 0 | goto done; |
10156 | 0 | } |
10157 | | |
10158 | | /* |
10159 | | * Clear any cached trust level, as we need to run validation |
10160 | | * over again; trusted keys might have changed. |
10161 | | */ |
10162 | 0 | dnskeys->trust = dnskeysigs->trust = dns_trust_none; |
10163 | | |
10164 | | /* Look up the trust anchor */ |
10165 | 0 | result = dns_keytable_find(secroots, keyname, &keynode); |
10166 | 0 | if (result != ISC_R_SUCCESS) { |
10167 | 0 | goto anchors_done; |
10168 | 0 | } |
10169 | | |
10170 | | /* |
10171 | | * If the keynode has a DS trust anchor, use it for verification. |
10172 | | */ |
10173 | 0 | dns_rdataset_init(&dsset); |
10174 | 0 | if (dns_keynode_dsset(keynode, &dsset)) { |
10175 | 0 | for (result = dns_rdataset_first(dnskeysigs); |
10176 | 0 | result == ISC_R_SUCCESS; |
10177 | 0 | result = dns_rdataset_next(dnskeysigs)) |
10178 | 0 | { |
10179 | 0 | isc_result_t tresult; |
10180 | 0 | dns_rdata_t keyrdata = DNS_RDATA_INIT; |
10181 | |
|
10182 | 0 | dns_rdata_reset(&sigrr); |
10183 | 0 | dns_rdataset_current(dnskeysigs, &sigrr); |
10184 | 0 | result = dns_rdata_tostruct(&sigrr, &sig, NULL); |
10185 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10186 | |
|
10187 | 0 | for (tresult = dns_rdataset_first(&dsset); |
10188 | 0 | tresult == ISC_R_SUCCESS; |
10189 | 0 | tresult = dns_rdataset_next(&dsset)) |
10190 | 0 | { |
10191 | 0 | dns_rdata_t dsrdata = DNS_RDATA_INIT; |
10192 | 0 | dns_rdata_ds_t ds; |
10193 | |
|
10194 | 0 | dns_rdata_reset(&dsrdata); |
10195 | 0 | dns_rdataset_current(&dsset, &dsrdata); |
10196 | 0 | tresult = dns_rdata_tostruct(&dsrdata, &ds, |
10197 | 0 | NULL); |
10198 | 0 | RUNTIME_CHECK(tresult == ISC_R_SUCCESS); |
10199 | |
|
10200 | 0 | if (ds.key_tag != sig.keyid || |
10201 | 0 | ds.algorithm != sig.algorithm) |
10202 | 0 | { |
10203 | 0 | continue; |
10204 | 0 | } |
10205 | | |
10206 | 0 | result = dns_dnssec_matchdskey( |
10207 | 0 | keyname, &dsrdata, dnskeys, &keyrdata); |
10208 | 0 | if (result == ISC_R_SUCCESS) { |
10209 | 0 | break; |
10210 | 0 | } |
10211 | 0 | } |
10212 | |
|
10213 | 0 | if (tresult == ISC_R_NOMORE) { |
10214 | 0 | continue; |
10215 | 0 | } |
10216 | | |
10217 | 0 | result = dns_dnssec_keyfromrdata(keyname, &keyrdata, |
10218 | 0 | mctx, &dstkey); |
10219 | 0 | if (result != ISC_R_SUCCESS) { |
10220 | 0 | continue; |
10221 | 0 | } |
10222 | | |
10223 | 0 | result = dns_dnssec_verify(keyname, dnskeys, dstkey, |
10224 | 0 | false, 0, mctx, &sigrr, |
10225 | 0 | NULL); |
10226 | 0 | dst_key_free(&dstkey); |
10227 | |
|
10228 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
10229 | 0 | "Verifying DNSKEY set for zone " |
10230 | 0 | "'%s' using DS %d/%d: %s", |
10231 | 0 | namebuf, sig.keyid, sig.algorithm, |
10232 | 0 | isc_result_totext(result)); |
10233 | |
|
10234 | 0 | if (result == ISC_R_SUCCESS) { |
10235 | 0 | dnskeys->trust = dns_trust_secure; |
10236 | 0 | dnskeysigs->trust = dns_trust_secure; |
10237 | 0 | initial = dns_keynode_initial(keynode); |
10238 | 0 | dns_keynode_trust(keynode); |
10239 | 0 | secure = true; |
10240 | 0 | break; |
10241 | 0 | } |
10242 | 0 | } |
10243 | 0 | dns_rdataset_disassociate(&dsset); |
10244 | 0 | } |
10245 | |
|
10246 | 0 | anchors_done: |
10247 | 0 | if (keynode != NULL) { |
10248 | 0 | dns_keynode_detach(&keynode); |
10249 | 0 | } |
10250 | | |
10251 | | /* |
10252 | | * If we were not able to verify the answer using the current |
10253 | | * trusted keys then all we can do is look at any revoked keys. |
10254 | | */ |
10255 | 0 | if (!secure) { |
10256 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10257 | 0 | "DNSKEY set for zone '%s' could not be verified " |
10258 | 0 | "with current keys", |
10259 | 0 | namebuf); |
10260 | 0 | } |
10261 | | |
10262 | | /* |
10263 | | * First scan keydataset to find keys that are not in dnskeyset |
10264 | | * - Missing keys which are not scheduled for removal, |
10265 | | * log a warning |
10266 | | * - Missing keys which are scheduled for removal and |
10267 | | * the remove hold-down timer has completed should |
10268 | | * be removed from the key zone |
10269 | | * - Missing keys whose acceptance timers have not yet |
10270 | | * completed, log a warning and reset the acceptance |
10271 | | * timer to 30 days in the future |
10272 | | * - All keys not being removed have their refresh timers |
10273 | | * updated |
10274 | | */ |
10275 | 0 | initializing = true; |
10276 | 0 | for (result = dns_rdataset_first(keydataset); result == ISC_R_SUCCESS; |
10277 | 0 | result = dns_rdataset_next(keydataset)) |
10278 | 0 | { |
10279 | 0 | dns_keytag_t keytag; |
10280 | |
|
10281 | 0 | dns_rdata_reset(&keydatarr); |
10282 | 0 | dns_rdataset_current(keydataset, &keydatarr); |
10283 | 0 | result = dns_rdata_tostruct(&keydatarr, &keydata, NULL); |
10284 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10285 | |
|
10286 | 0 | dns_keydata_todnskey(&keydata, &dnskey, NULL); |
10287 | 0 | result = compute_tag(keyname, &dnskey, mctx, &keytag); |
10288 | 0 | if (result != ISC_R_SUCCESS) { |
10289 | | /* |
10290 | | * Skip if we cannot compute the key tag. |
10291 | | * This may happen if the algorithm is unsupported |
10292 | | */ |
10293 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
10294 | 0 | "Cannot compute tag for key in zone %s: " |
10295 | 0 | "%s " |
10296 | 0 | "(skipping)", |
10297 | 0 | namebuf, isc_result_totext(result)); |
10298 | 0 | continue; |
10299 | 0 | } |
10300 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10301 | | |
10302 | | /* |
10303 | | * If any keydata record has a nonzero add holddown, then |
10304 | | * there was a pre-existing trust anchor for this domain; |
10305 | | * that means we are *not* initializing it and shouldn't |
10306 | | * automatically trust all the keys we find at the zone apex. |
10307 | | */ |
10308 | 0 | initializing = initializing && (keydata.addhd == 0); |
10309 | |
|
10310 | 0 | if (!matchkey(dnskeys, &keydatarr)) { |
10311 | 0 | bool deletekey = false; |
10312 | |
|
10313 | 0 | if (!secure) { |
10314 | 0 | if (keydata.removehd != 0 && |
10315 | 0 | keydata.removehd <= now) |
10316 | 0 | { |
10317 | 0 | deletekey = true; |
10318 | 0 | } |
10319 | 0 | } else if (keydata.addhd == 0) { |
10320 | 0 | deletekey = true; |
10321 | 0 | } else if (keydata.addhd > now) { |
10322 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10323 | 0 | "Pending key %d for zone %s " |
10324 | 0 | "unexpectedly missing from DNSKEY " |
10325 | 0 | "RRset: restarting 30-day " |
10326 | 0 | "acceptance timer", |
10327 | 0 | keytag, namebuf); |
10328 | 0 | if (keydata.addhd < now + dns_zone_mkey_month) { |
10329 | 0 | keydata.addhd = now + |
10330 | 0 | dns_zone_mkey_month; |
10331 | 0 | } |
10332 | 0 | keydata.refresh = refresh_time(kfetch, false); |
10333 | 0 | } else if (keydata.removehd == 0) { |
10334 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10335 | 0 | "Active key %d for zone %s " |
10336 | 0 | "unexpectedly missing from DNSKEY " |
10337 | 0 | "RRset", |
10338 | 0 | keytag, namebuf); |
10339 | 0 | keydata.refresh = now + dns_zone_mkey_hour; |
10340 | 0 | } else if (keydata.removehd <= now) { |
10341 | 0 | deletekey = true; |
10342 | 0 | dnssec_log( |
10343 | 0 | zone, ISC_LOG_INFO, |
10344 | 0 | "Revoked key %d for zone %s no longer " |
10345 | 0 | "present in DNSKEY RRset: deleting " |
10346 | 0 | "from managed keys database", |
10347 | 0 | keytag, namebuf); |
10348 | 0 | } else { |
10349 | 0 | keydata.refresh = refresh_time(kfetch, false); |
10350 | 0 | } |
10351 | |
|
10352 | 0 | if (secure || deletekey) { |
10353 | | /* Delete old version */ |
10354 | 0 | CHECK(update_one_rr(kfetch->db, ver, &diff, |
10355 | 0 | DNS_DIFFOP_DEL, keyname, 0, |
10356 | 0 | &keydatarr)); |
10357 | 0 | } |
10358 | | |
10359 | 0 | if (!secure || deletekey) { |
10360 | 0 | continue; |
10361 | 0 | } |
10362 | | |
10363 | 0 | dns_rdata_reset(&keydatarr); |
10364 | 0 | isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); |
10365 | 0 | dns_rdata_fromstruct(&keydatarr, zone->rdclass, |
10366 | 0 | dns_rdatatype_keydata, &keydata, |
10367 | 0 | &keyb); |
10368 | | |
10369 | | /* Insert updated version */ |
10370 | 0 | CHECK(update_one_rr(kfetch->db, ver, &diff, |
10371 | 0 | DNS_DIFFOP_ADD, keyname, 0, |
10372 | 0 | &keydatarr)); |
10373 | | |
10374 | 0 | set_refreshkeytimer(zone, &keydata, now, false); |
10375 | 0 | } |
10376 | 0 | } |
10377 | | |
10378 | | /* |
10379 | | * Next scan dnskeyset: |
10380 | | * - If new keys are found (i.e., lacking a match in keydataset) |
10381 | | * add them to the key zone and set the acceptance timer |
10382 | | * to 30 days in the future (or to immediately if we've |
10383 | | * determined that we're initializing the zone for the |
10384 | | * first time) |
10385 | | * - Previously-known keys that have been revoked |
10386 | | * must be scheduled for removal from the key zone (or, |
10387 | | * if they hadn't been accepted as trust anchors yet |
10388 | | * anyway, removed at once) |
10389 | | * - Previously-known unrevoked keys whose acceptance timers |
10390 | | * have completed are promoted to trust anchors |
10391 | | * - All keys not being removed have their refresh |
10392 | | * timers updated |
10393 | | */ |
10394 | 0 | for (result = dns_rdataset_first(dnskeys); result == ISC_R_SUCCESS; |
10395 | 0 | result = dns_rdataset_next(dnskeys)) |
10396 | 0 | { |
10397 | 0 | bool revoked = false; |
10398 | 0 | bool newkey = false; |
10399 | 0 | bool updatekey = false; |
10400 | 0 | bool deletekey = false; |
10401 | 0 | bool trustkey = false; |
10402 | 0 | dns_keytag_t keytag; |
10403 | |
|
10404 | 0 | dns_rdata_reset(&dnskeyrr); |
10405 | 0 | dns_rdataset_current(dnskeys, &dnskeyrr); |
10406 | 0 | result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); |
10407 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10408 | | |
10409 | | /* Skip ZSK's */ |
10410 | 0 | if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) { |
10411 | 0 | continue; |
10412 | 0 | } |
10413 | | |
10414 | 0 | result = compute_tag(keyname, &dnskey, mctx, &keytag); |
10415 | 0 | if (result != ISC_R_SUCCESS) { |
10416 | | /* |
10417 | | * Skip if we cannot compute the key tag. |
10418 | | * This may happen if the algorithm is unsupported |
10419 | | */ |
10420 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
10421 | 0 | "Cannot compute tag for key in zone %s: " |
10422 | 0 | "%s " |
10423 | 0 | "(skipping)", |
10424 | 0 | namebuf, isc_result_totext(result)); |
10425 | 0 | continue; |
10426 | 0 | } |
10427 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10428 | |
|
10429 | 0 | revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0); |
10430 | |
|
10431 | 0 | if (matchkey(keydataset, &dnskeyrr)) { |
10432 | 0 | dns_rdata_reset(&keydatarr); |
10433 | 0 | dns_rdataset_current(keydataset, &keydatarr); |
10434 | 0 | result = dns_rdata_tostruct(&keydatarr, &keydata, NULL); |
10435 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10436 | |
|
10437 | 0 | if (revoked && revocable(kfetch, &keydata)) { |
10438 | 0 | if (keydata.addhd > now) { |
10439 | | /* |
10440 | | * Key wasn't trusted yet, and now |
10441 | | * it's been revoked? Just remove it |
10442 | | */ |
10443 | 0 | deletekey = true; |
10444 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10445 | 0 | "Pending key %d for " |
10446 | 0 | "zone %s is now revoked: " |
10447 | 0 | "deleting from the " |
10448 | 0 | "managed keys database", |
10449 | 0 | keytag, namebuf); |
10450 | 0 | } else if (keydata.removehd == 0) { |
10451 | | /* |
10452 | | * Remove key from secroots. |
10453 | | */ |
10454 | 0 | dns_view_untrust(zone->view, keyname, |
10455 | 0 | &dnskey); |
10456 | | |
10457 | | /* If initializing, delete now */ |
10458 | 0 | if (keydata.addhd == 0) { |
10459 | 0 | deletekey = true; |
10460 | 0 | } else { |
10461 | 0 | keydata.removehd = |
10462 | 0 | now + |
10463 | 0 | dns_zone_mkey_month; |
10464 | 0 | keydata.flags |= |
10465 | 0 | DNS_KEYFLAG_REVOKE; |
10466 | 0 | } |
10467 | |
|
10468 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10469 | 0 | "Trusted key %d for " |
10470 | 0 | "zone %s is now revoked", |
10471 | 0 | keytag, namebuf); |
10472 | 0 | } else if (keydata.removehd < now) { |
10473 | | /* Scheduled for removal */ |
10474 | 0 | deletekey = true; |
10475 | |
|
10476 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10477 | 0 | "Revoked key %d for " |
10478 | 0 | "zone %s removal timer " |
10479 | 0 | "complete: deleting from " |
10480 | 0 | "the managed keys database", |
10481 | 0 | keytag, namebuf); |
10482 | 0 | } |
10483 | 0 | } else if (revoked && keydata.removehd == 0) { |
10484 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
10485 | 0 | "Active key %d for zone " |
10486 | 0 | "%s is revoked but " |
10487 | 0 | "did not self-sign; " |
10488 | 0 | "ignoring", |
10489 | 0 | keytag, namebuf); |
10490 | 0 | continue; |
10491 | 0 | } else if (secure) { |
10492 | 0 | if (keydata.removehd != 0) { |
10493 | | /* |
10494 | | * Key isn't revoked--but it |
10495 | | * seems it used to be. |
10496 | | * Remove it now and add it |
10497 | | * back as if it were a fresh key, |
10498 | | * with a 30-day acceptance timer. |
10499 | | */ |
10500 | 0 | deletekey = true; |
10501 | 0 | newkey = true; |
10502 | 0 | keydata.removehd = 0; |
10503 | 0 | keydata.addhd = now + |
10504 | 0 | dns_zone_mkey_month; |
10505 | |
|
10506 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10507 | 0 | "Revoked key %d for " |
10508 | 0 | "zone %s has returned: " |
10509 | 0 | "starting 30-day " |
10510 | 0 | "acceptance timer", |
10511 | 0 | keytag, namebuf); |
10512 | 0 | } else if (keydata.addhd > now) { |
10513 | 0 | pending++; |
10514 | 0 | } else if (keydata.addhd == 0) { |
10515 | 0 | keydata.addhd = now; |
10516 | 0 | } |
10517 | |
|
10518 | 0 | if (keydata.addhd <= now) { |
10519 | 0 | trustkey = true; |
10520 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10521 | 0 | "Key %d for zone %s " |
10522 | 0 | "is now trusted (%s)", |
10523 | 0 | keytag, namebuf, |
10524 | 0 | initial ? "initializing key " |
10525 | 0 | "verified" |
10526 | 0 | : "acceptance timer " |
10527 | 0 | "complete"); |
10528 | 0 | } |
10529 | 0 | } else if (keydata.addhd > now) { |
10530 | | /* |
10531 | | * Not secure, and key is pending: |
10532 | | * reset the acceptance timer |
10533 | | */ |
10534 | 0 | pending++; |
10535 | 0 | keydata.addhd = now + dns_zone_mkey_month; |
10536 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10537 | 0 | "Pending key %d " |
10538 | 0 | "for zone %s was " |
10539 | 0 | "not validated: restarting " |
10540 | 0 | "30-day acceptance timer", |
10541 | 0 | keytag, namebuf); |
10542 | 0 | } |
10543 | | |
10544 | 0 | if (!deletekey && !newkey) { |
10545 | 0 | updatekey = true; |
10546 | 0 | } |
10547 | 0 | } else if (secure) { |
10548 | | /* |
10549 | | * Key wasn't in the key zone but it's |
10550 | | * revoked now anyway, so just skip it |
10551 | | */ |
10552 | 0 | if (revoked) { |
10553 | 0 | continue; |
10554 | 0 | } |
10555 | | |
10556 | | /* Key wasn't in the key zone: add it */ |
10557 | 0 | newkey = true; |
10558 | |
|
10559 | 0 | if (initializing) { |
10560 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
10561 | 0 | "Initializing automatic trust " |
10562 | 0 | "anchor management for zone '%s'; " |
10563 | 0 | "DNSKEY ID %d is now trusted, " |
10564 | 0 | "waiving the normal 30-day " |
10565 | 0 | "waiting period.", |
10566 | 0 | namebuf, keytag); |
10567 | 0 | trustkey = true; |
10568 | 0 | } else { |
10569 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
10570 | 0 | "New key %d observed " |
10571 | 0 | "for zone '%s': " |
10572 | 0 | "starting 30-day " |
10573 | 0 | "acceptance timer", |
10574 | 0 | keytag, namebuf); |
10575 | 0 | } |
10576 | 0 | } else { |
10577 | | /* |
10578 | | * No previously known key, and the key is not |
10579 | | * secure, so skip it. |
10580 | | */ |
10581 | 0 | continue; |
10582 | 0 | } |
10583 | | |
10584 | | /* Delete old version */ |
10585 | 0 | if (deletekey || !newkey) { |
10586 | 0 | CHECK(update_one_rr(kfetch->db, ver, &diff, |
10587 | 0 | DNS_DIFFOP_DEL, keyname, 0, |
10588 | 0 | &keydatarr)); |
10589 | 0 | } |
10590 | | |
10591 | 0 | if (updatekey) { |
10592 | | /* Set refresh timer */ |
10593 | 0 | keydata.refresh = refresh_time(kfetch, false); |
10594 | 0 | dns_rdata_reset(&keydatarr); |
10595 | 0 | isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); |
10596 | 0 | dns_rdata_fromstruct(&keydatarr, zone->rdclass, |
10597 | 0 | dns_rdatatype_keydata, &keydata, |
10598 | 0 | &keyb); |
10599 | | |
10600 | | /* Insert updated version */ |
10601 | 0 | CHECK(update_one_rr(kfetch->db, ver, &diff, |
10602 | 0 | DNS_DIFFOP_ADD, keyname, 0, |
10603 | 0 | &keydatarr)); |
10604 | 0 | } else if (newkey) { |
10605 | | /* Convert DNSKEY to KEYDATA */ |
10606 | 0 | result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); |
10607 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10608 | 0 | dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0, |
10609 | 0 | NULL); |
10610 | 0 | keydata.addhd = initializing |
10611 | 0 | ? now |
10612 | 0 | : now + dns_zone_mkey_month; |
10613 | 0 | keydata.refresh = refresh_time(kfetch, false); |
10614 | 0 | dns_rdata_reset(&keydatarr); |
10615 | 0 | isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); |
10616 | 0 | dns_rdata_fromstruct(&keydatarr, zone->rdclass, |
10617 | 0 | dns_rdatatype_keydata, &keydata, |
10618 | 0 | &keyb); |
10619 | | |
10620 | | /* Insert into key zone */ |
10621 | 0 | CHECK(update_one_rr(kfetch->db, ver, &diff, |
10622 | 0 | DNS_DIFFOP_ADD, keyname, 0, |
10623 | 0 | &keydatarr)); |
10624 | 0 | } |
10625 | | |
10626 | 0 | if (trustkey) { |
10627 | | /* Trust this key. */ |
10628 | 0 | result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); |
10629 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10630 | 0 | trust_key(zone, keyname, &dnskey, false); |
10631 | 0 | } |
10632 | |
|
10633 | 0 | if (secure && !deletekey) { |
10634 | 0 | INSIST(newkey || updatekey); |
10635 | 0 | set_refreshkeytimer(zone, &keydata, now, false); |
10636 | 0 | } |
10637 | 0 | } |
10638 | | |
10639 | | /* |
10640 | | * RFC5011 says, "A trust point that has all of its trust anchors |
10641 | | * revoked is considered deleted and is treated as if the trust |
10642 | | * point was never configured." But if someone revoked their |
10643 | | * active key before the standby was trusted, that would mean the |
10644 | | * zone would suddenly be nonsecured. We avoid this by checking to |
10645 | | * see if there's pending keydata. If so, we put a null key in |
10646 | | * the security roots; then all queries to the zone will fail. |
10647 | | */ |
10648 | 0 | if (pending != 0) { |
10649 | 0 | fail_secure(zone, keyname); |
10650 | 0 | } |
10651 | |
|
10652 | 0 | done: |
10653 | 0 | if (!ISC_LIST_EMPTY(diff.tuples)) { |
10654 | | /* Write changes to journal file. */ |
10655 | 0 | CHECK(update_soa_serial(zone, kfetch->db, ver, &diff, mctx, |
10656 | 0 | zone->updatemethod)); |
10657 | 0 | CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done")); |
10658 | 0 | commit = true; |
10659 | |
|
10660 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); |
10661 | 0 | zone_needdump(zone, 30); |
10662 | 0 | } else if (result == ISC_R_NOMORE) { |
10663 | | /* |
10664 | | * If "updatekey" was true for all keys found in the DNSKEY |
10665 | | * response and the previous update of those keys happened |
10666 | | * during the same second (only possible if a key refresh was |
10667 | | * externally triggered), it may happen that all relevant |
10668 | | * update_one_rr() calls will return ISC_R_SUCCESS, but |
10669 | | * diff.tuples will remain empty. Reset result to |
10670 | | * ISC_R_SUCCESS to prevent a bogus warning from being logged. |
10671 | | */ |
10672 | 0 | result = ISC_R_SUCCESS; |
10673 | 0 | } |
10674 | | |
10675 | 0 | failure: |
10676 | 0 | if (result != ISC_R_SUCCESS) { |
10677 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
10678 | 0 | "error during managed-keys processing (%s): " |
10679 | 0 | "DNSSEC validation may be at risk", |
10680 | 0 | isc_result_totext(result)); |
10681 | 0 | } |
10682 | 0 | dns_diff_clear(&diff); |
10683 | 0 | if (ver != NULL) { |
10684 | 0 | dns_db_closeversion(kfetch->db, &ver, commit); |
10685 | 0 | } |
10686 | |
|
10687 | 0 | cleanup: |
10688 | 0 | dns_db_detach(&kfetch->db); |
10689 | |
|
10690 | 0 | isc_refcount_decrement(&zone->irefs); |
10691 | |
|
10692 | 0 | if (dns_rdataset_isassociated(keydataset)) { |
10693 | 0 | dns_rdataset_disassociate(keydataset); |
10694 | 0 | } |
10695 | 0 | if (dns_rdataset_isassociated(dnskeys)) { |
10696 | 0 | dns_rdataset_disassociate(dnskeys); |
10697 | 0 | } |
10698 | 0 | if (dns_rdataset_isassociated(dnskeysigs)) { |
10699 | 0 | dns_rdataset_disassociate(dnskeysigs); |
10700 | 0 | } |
10701 | |
|
10702 | 0 | dns_name_free(keyname, mctx); |
10703 | 0 | isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(dns_keyfetch_t)); |
10704 | 0 | isc_mem_putanddetach(&resp->mctx, resp, sizeof(*resp)); |
10705 | |
|
10706 | 0 | if (secroots != NULL) { |
10707 | 0 | dns_keytable_detach(&secroots); |
10708 | 0 | } |
10709 | |
|
10710 | 0 | free_needed = exit_check(zone); |
10711 | 0 | UNLOCK_ZONE(zone); |
10712 | |
|
10713 | 0 | if (free_needed) { |
10714 | 0 | zone_free(zone); |
10715 | 0 | } |
10716 | |
|
10717 | 0 | INSIST(ver == NULL); |
10718 | 0 | } |
10719 | | |
10720 | | static void |
10721 | 0 | retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) { |
10722 | 0 | isc_time_t timenow, timethen; |
10723 | 0 | dns_zone_t *zone = kfetch->zone; |
10724 | 0 | bool free_needed; |
10725 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
10726 | |
|
10727 | 0 | dns_name_format(kname, namebuf, sizeof(namebuf)); |
10728 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
10729 | 0 | "Failed to create fetch for %s DNSKEY update", namebuf); |
10730 | | |
10731 | | /* |
10732 | | * Error during a key fetch; cancel and retry in an hour. |
10733 | | */ |
10734 | 0 | LOCK_ZONE(zone); |
10735 | 0 | zone->refreshkeycount--; |
10736 | 0 | isc_refcount_decrement(&zone->irefs); |
10737 | 0 | dns_db_detach(&kfetch->db); |
10738 | 0 | dns_rdataset_disassociate(&kfetch->keydataset); |
10739 | 0 | dns_name_free(kname, zone->mctx); |
10740 | 0 | isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch)); |
10741 | |
|
10742 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
10743 | | /* Don't really retry if we are exiting */ |
10744 | 0 | char timebuf[80]; |
10745 | |
|
10746 | 0 | timenow = isc_time_now(); |
10747 | 0 | DNS_ZONE_TIME_ADD(&timenow, dns_zone_mkey_hour, &timethen); |
10748 | 0 | zone->refreshkeytime = timethen; |
10749 | 0 | zone_settimer(zone, &timenow); |
10750 | |
|
10751 | 0 | isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); |
10752 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s", |
10753 | 0 | timebuf); |
10754 | 0 | } |
10755 | |
|
10756 | 0 | free_needed = exit_check(zone); |
10757 | 0 | UNLOCK_ZONE(zone); |
10758 | |
|
10759 | 0 | if (free_needed) { |
10760 | 0 | zone_free(zone); |
10761 | 0 | } |
10762 | 0 | } |
10763 | | |
10764 | | static void |
10765 | 0 | do_keyfetch(void *arg) { |
10766 | 0 | isc_result_t result; |
10767 | 0 | dns_keyfetch_t *kfetch = (dns_keyfetch_t *)arg; |
10768 | 0 | dns_name_t *kname = dns_fixedname_name(&kfetch->name); |
10769 | 0 | dns_resolver_t *resolver = NULL; |
10770 | 0 | dns_zone_t *zone = kfetch->zone; |
10771 | 0 | unsigned int options = DNS_FETCHOPT_NOVALIDATE | DNS_FETCHOPT_UNSHARED | |
10772 | 0 | DNS_FETCHOPT_NOCACHED; |
10773 | |
|
10774 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
10775 | 0 | goto retry; |
10776 | 0 | } |
10777 | | |
10778 | 0 | result = dns_view_getresolver(zone->view, &resolver); |
10779 | 0 | if (result != ISC_R_SUCCESS) { |
10780 | 0 | goto retry; |
10781 | 0 | } |
10782 | | |
10783 | | /* |
10784 | | * Use of DNS_FETCHOPT_NOCACHED is essential here. If it is not |
10785 | | * set and the cache still holds a non-expired, validated version |
10786 | | * of the RRset being queried for by the time the response is |
10787 | | * received, the cached RRset will be passed to keyfetch_done() |
10788 | | * instead of the one received in the response as the latter will |
10789 | | * have a lower trust level due to not being validated until |
10790 | | * keyfetch_done() is called. |
10791 | | */ |
10792 | 0 | result = dns_resolver_createfetch( |
10793 | 0 | resolver, kname, dns_rdatatype_dnskey, NULL, NULL, NULL, NULL, |
10794 | 0 | 0, options, 0, NULL, zone->loop, keyfetch_done, kfetch, |
10795 | 0 | &kfetch->dnskeyset, &kfetch->dnskeysigset, &kfetch->fetch); |
10796 | |
|
10797 | 0 | dns_resolver_detach(&resolver); |
10798 | 0 | if (result == ISC_R_SUCCESS) { |
10799 | 0 | return; |
10800 | 0 | } |
10801 | 0 | retry: |
10802 | 0 | retry_keyfetch(kfetch, kname); |
10803 | 0 | } |
10804 | | |
10805 | | /* |
10806 | | * Refresh the data in the key zone. Initiate a fetch to look up |
10807 | | * DNSKEY records at the trust anchor name. |
10808 | | */ |
10809 | | static void |
10810 | 0 | zone_refreshkeys(dns_zone_t *zone) { |
10811 | 0 | isc_result_t result; |
10812 | 0 | dns_rriterator_t rrit; |
10813 | 0 | dns_db_t *db = NULL; |
10814 | 0 | dns_dbversion_t *ver = NULL; |
10815 | 0 | dns_diff_t diff; |
10816 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
10817 | 0 | dns_rdata_keydata_t kd; |
10818 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
10819 | 0 | bool commit = false; |
10820 | 0 | bool fetching = false; |
10821 | 0 | bool timerset = false; |
10822 | |
|
10823 | 0 | ENTER; |
10824 | 0 | REQUIRE(zone->db != NULL); |
10825 | |
|
10826 | 0 | LOCK_ZONE(zone); |
10827 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
10828 | 0 | isc_time_settoepoch(&zone->refreshkeytime); |
10829 | 0 | UNLOCK_ZONE(zone); |
10830 | 0 | return; |
10831 | 0 | } |
10832 | | |
10833 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
10834 | 0 | dns_db_attach(zone->db, &db); |
10835 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
10836 | |
|
10837 | 0 | dns_diff_init(zone->mctx, &diff); |
10838 | |
|
10839 | 0 | CHECK(dns_db_newversion(db, &ver)); |
10840 | | |
10841 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING); |
10842 | |
|
10843 | 0 | dns_rriterator_init(&rrit, db, ver, 0); |
10844 | 0 | for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS; |
10845 | 0 | result = dns_rriterator_nextrrset(&rrit)) |
10846 | 0 | { |
10847 | 0 | isc_stdtime_t timer = 0xffffffff; |
10848 | 0 | dns_name_t *name = NULL, *kname = NULL; |
10849 | 0 | dns_rdataset_t *kdset = NULL; |
10850 | 0 | uint32_t ttl; |
10851 | |
|
10852 | 0 | dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL); |
10853 | 0 | if (kdset == NULL || kdset->type != dns_rdatatype_keydata || |
10854 | 0 | !dns_rdataset_isassociated(kdset)) |
10855 | 0 | { |
10856 | 0 | continue; |
10857 | 0 | } |
10858 | | |
10859 | | /* |
10860 | | * Scan the stored keys looking for ones that need |
10861 | | * removal or refreshing |
10862 | | */ |
10863 | 0 | for (result = dns_rdataset_first(kdset); |
10864 | 0 | result == ISC_R_SUCCESS; result = dns_rdataset_next(kdset)) |
10865 | 0 | { |
10866 | 0 | dns_rdata_reset(&rdata); |
10867 | 0 | dns_rdataset_current(kdset, &rdata); |
10868 | 0 | result = dns_rdata_tostruct(&rdata, &kd, NULL); |
10869 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
10870 | | |
10871 | | /* Removal timer expired? */ |
10872 | 0 | if (kd.removehd != 0 && kd.removehd < now) { |
10873 | 0 | dns_rriterator_pause(&rrit); |
10874 | 0 | CHECK(update_one_rr(db, ver, &diff, |
10875 | 0 | DNS_DIFFOP_DEL, name, ttl, |
10876 | 0 | &rdata)); |
10877 | 0 | continue; |
10878 | 0 | } |
10879 | | |
10880 | | /* Acceptance timer expired? */ |
10881 | 0 | if (kd.addhd <= now) { |
10882 | 0 | timer = kd.addhd; |
10883 | 0 | } |
10884 | | |
10885 | | /* Or do we just need to refresh the keyset? */ |
10886 | 0 | if (timer > kd.refresh) { |
10887 | 0 | timer = kd.refresh; |
10888 | 0 | } |
10889 | |
|
10890 | 0 | dns_rriterator_pause(&rrit); |
10891 | 0 | set_refreshkeytimer(zone, &kd, now, false); |
10892 | 0 | timerset = true; |
10893 | 0 | } |
10894 | | |
10895 | 0 | if (timer > now) { |
10896 | 0 | continue; |
10897 | 0 | } |
10898 | | |
10899 | 0 | dns_rriterator_pause(&rrit); |
10900 | |
|
10901 | | #ifdef ENABLE_AFL |
10902 | | if (!dns_fuzzing_resolver) { |
10903 | | #endif /* ifdef ENABLE_AFL */ |
10904 | 0 | dns_keyfetch_t *kfetch = NULL; |
10905 | |
|
10906 | 0 | kfetch = isc_mem_get(zone->mctx, |
10907 | 0 | sizeof(dns_keyfetch_t)); |
10908 | 0 | *kfetch = (dns_keyfetch_t){ .zone = zone }; |
10909 | 0 | isc_mem_attach(zone->mctx, &kfetch->mctx); |
10910 | |
|
10911 | 0 | zone->refreshkeycount++; |
10912 | 0 | isc_refcount_increment0(&zone->irefs); |
10913 | 0 | kname = dns_fixedname_initname(&kfetch->name); |
10914 | 0 | dns_name_dup(name, zone->mctx, kname); |
10915 | 0 | dns_rdataset_init(&kfetch->dnskeyset); |
10916 | 0 | dns_rdataset_init(&kfetch->dnskeysigset); |
10917 | 0 | dns_rdataset_init(&kfetch->keydataset); |
10918 | 0 | dns_rdataset_clone(kdset, &kfetch->keydataset); |
10919 | 0 | dns_db_attach(db, &kfetch->db); |
10920 | |
|
10921 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
10922 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
10923 | 0 | dns_name_format(kname, namebuf, |
10924 | 0 | sizeof(namebuf)); |
10925 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
10926 | 0 | "Creating key fetch in " |
10927 | 0 | "zone_refreshkeys() for '%s'", |
10928 | 0 | namebuf); |
10929 | 0 | } |
10930 | |
|
10931 | 0 | isc_async_run(zone->loop, do_keyfetch, kfetch); |
10932 | 0 | fetching = true; |
10933 | | #ifdef ENABLE_AFL |
10934 | | } |
10935 | | #endif /* ifdef ENABLE_AFL */ |
10936 | 0 | } |
10937 | 0 | if (!ISC_LIST_EMPTY(diff.tuples)) { |
10938 | 0 | CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx, |
10939 | 0 | zone->updatemethod)); |
10940 | 0 | CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys")); |
10941 | 0 | commit = true; |
10942 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); |
10943 | 0 | zone_needdump(zone, 30); |
10944 | 0 | } |
10945 | | |
10946 | 0 | failure: |
10947 | 0 | if (!timerset) { |
10948 | 0 | isc_time_settoepoch(&zone->refreshkeytime); |
10949 | 0 | } |
10950 | |
|
10951 | 0 | if (!fetching) { |
10952 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); |
10953 | 0 | } |
10954 | |
|
10955 | 0 | dns_diff_clear(&diff); |
10956 | 0 | if (ver != NULL) { |
10957 | 0 | dns_rriterator_destroy(&rrit); |
10958 | 0 | dns_db_closeversion(db, &ver, commit); |
10959 | 0 | } |
10960 | 0 | dns_db_detach(&db); |
10961 | |
|
10962 | 0 | UNLOCK_ZONE(zone); |
10963 | |
|
10964 | 0 | INSIST(ver == NULL); |
10965 | 0 | } |
10966 | | |
10967 | | static void |
10968 | 0 | zone_maintenance(dns_zone_t *zone) { |
10969 | 0 | isc_time_t now; |
10970 | 0 | isc_result_t result; |
10971 | 0 | bool load_pending, exiting, dumping, viewok = false, notify; |
10972 | 0 | bool refreshkeys, sign, resign, rekey, chain, warn_expire; |
10973 | |
|
10974 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
10975 | 0 | ENTER; |
10976 | | |
10977 | | /* |
10978 | | * Are we pending load/reload, exiting, or unconfigured |
10979 | | * (e.g. because of a syntax failure in the config file)? |
10980 | | * If so, don't attempt maintenance. |
10981 | | */ |
10982 | 0 | LOCK_ZONE(zone); |
10983 | 0 | load_pending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING); |
10984 | 0 | exiting = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING); |
10985 | 0 | if (!load_pending && !exiting && zone->view != NULL) { |
10986 | 0 | dns_adb_t *adb = NULL; |
10987 | 0 | dns_view_getadb(zone->view, &adb); |
10988 | 0 | if (adb != NULL) { |
10989 | 0 | dns_adb_detach(&adb); |
10990 | 0 | viewok = true; |
10991 | 0 | } |
10992 | 0 | } |
10993 | 0 | UNLOCK_ZONE(zone); |
10994 | |
|
10995 | 0 | if (load_pending || exiting || !viewok) { |
10996 | 0 | return; |
10997 | 0 | } |
10998 | | |
10999 | 0 | now = isc_time_now(); |
11000 | | |
11001 | | /* |
11002 | | * Expire check. |
11003 | | */ |
11004 | 0 | switch (zone->type) { |
11005 | 0 | case dns_zone_redirect: |
11006 | 0 | if (dns_remote_addresses(&zone->primaries) == NULL) { |
11007 | 0 | break; |
11008 | 0 | } |
11009 | 0 | FALLTHROUGH; |
11010 | 0 | case dns_zone_secondary: |
11011 | 0 | case dns_zone_mirror: |
11012 | 0 | case dns_zone_stub: |
11013 | 0 | LOCK_ZONE(zone); |
11014 | 0 | if (isc_time_compare(&now, &zone->expiretime) >= 0 && |
11015 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
11016 | 0 | { |
11017 | 0 | zone_expire(zone); |
11018 | 0 | zone->refreshtime = now; |
11019 | 0 | } |
11020 | 0 | UNLOCK_ZONE(zone); |
11021 | 0 | break; |
11022 | 0 | default: |
11023 | 0 | break; |
11024 | 0 | } |
11025 | | |
11026 | | /* |
11027 | | * Up to date check. |
11028 | | */ |
11029 | 0 | switch (zone->type) { |
11030 | 0 | case dns_zone_redirect: |
11031 | 0 | if (dns_remote_addresses(&zone->primaries) == NULL) { |
11032 | 0 | break; |
11033 | 0 | } |
11034 | 0 | FALLTHROUGH; |
11035 | 0 | case dns_zone_secondary: |
11036 | 0 | case dns_zone_mirror: |
11037 | 0 | case dns_zone_stub: |
11038 | 0 | LOCK_ZONE(zone); |
11039 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) && |
11040 | 0 | isc_time_compare(&now, &zone->refreshtime) >= 0) |
11041 | 0 | { |
11042 | 0 | zone_refresh(zone); |
11043 | 0 | } |
11044 | 0 | UNLOCK_ZONE(zone); |
11045 | 0 | break; |
11046 | 0 | default: |
11047 | 0 | break; |
11048 | 0 | } |
11049 | | |
11050 | | /* |
11051 | | * Secondaries send notifies before backing up to disk, |
11052 | | * primaries after. |
11053 | | */ |
11054 | 0 | LOCK_ZONE(zone); |
11055 | 0 | notify = (zone->type == dns_zone_secondary || |
11056 | 0 | zone->type == dns_zone_mirror) && |
11057 | 0 | (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || |
11058 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) && |
11059 | 0 | isc_time_compare(&now, &zone->notifytime) >= 0; |
11060 | 0 | UNLOCK_ZONE(zone); |
11061 | |
|
11062 | 0 | if (notify) { |
11063 | 0 | zone_notify(zone, &now); |
11064 | 0 | } |
11065 | | |
11066 | | /* |
11067 | | * Do we need to consolidate the backing store? |
11068 | | */ |
11069 | 0 | switch (zone->type) { |
11070 | 0 | case dns_zone_primary: |
11071 | 0 | case dns_zone_secondary: |
11072 | 0 | case dns_zone_mirror: |
11073 | 0 | case dns_zone_key: |
11074 | 0 | case dns_zone_redirect: |
11075 | 0 | case dns_zone_stub: |
11076 | 0 | LOCK_ZONE(zone); |
11077 | 0 | if (zone->masterfile != NULL && |
11078 | 0 | isc_time_compare(&now, &zone->dumptime) >= 0 && |
11079 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && |
11080 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) |
11081 | 0 | { |
11082 | 0 | dumping = was_dumping(zone); |
11083 | 0 | } else { |
11084 | 0 | dumping = true; |
11085 | 0 | } |
11086 | 0 | UNLOCK_ZONE(zone); |
11087 | 0 | if (!dumping) { |
11088 | 0 | result = zone_dump(zone, true); /* loop locked */ |
11089 | 0 | if (result != ISC_R_SUCCESS) { |
11090 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
11091 | 0 | "dump failed: %s", |
11092 | 0 | isc_result_totext(result)); |
11093 | 0 | } |
11094 | 0 | } |
11095 | 0 | break; |
11096 | 0 | default: |
11097 | 0 | break; |
11098 | 0 | } |
11099 | | |
11100 | | /* |
11101 | | * Primary/redirect zones send notifies now, if needed |
11102 | | */ |
11103 | 0 | switch (zone->type) { |
11104 | 0 | case dns_zone_primary: |
11105 | 0 | case dns_zone_redirect: |
11106 | 0 | LOCK_ZONE(zone); |
11107 | 0 | notify = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || |
11108 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) && |
11109 | 0 | isc_time_compare(&now, &zone->notifytime) >= 0; |
11110 | 0 | UNLOCK_ZONE(zone); |
11111 | 0 | if (notify) { |
11112 | 0 | zone_notify(zone, &now); |
11113 | 0 | } |
11114 | 0 | default: |
11115 | 0 | break; |
11116 | 0 | } |
11117 | | |
11118 | | /* |
11119 | | * Do we need to refresh keys? |
11120 | | */ |
11121 | 0 | switch (zone->type) { |
11122 | 0 | case dns_zone_key: |
11123 | 0 | LOCK_ZONE(zone); |
11124 | 0 | refreshkeys = isc_time_compare(&now, &zone->refreshkeytime) >= |
11125 | 0 | 0 && |
11126 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && |
11127 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING); |
11128 | 0 | UNLOCK_ZONE(zone); |
11129 | 0 | if (refreshkeys) { |
11130 | 0 | zone_refreshkeys(zone); |
11131 | 0 | } |
11132 | 0 | break; |
11133 | 0 | case dns_zone_primary: |
11134 | 0 | LOCK_ZONE(zone); |
11135 | 0 | if (zone->rss != NULL) { |
11136 | 0 | isc_time_settoepoch(&zone->refreshkeytime); |
11137 | 0 | UNLOCK_ZONE(zone); |
11138 | 0 | break; |
11139 | 0 | } |
11140 | 0 | rekey = (!isc_time_isepoch(&zone->refreshkeytime) && |
11141 | 0 | isc_time_compare(&now, &zone->refreshkeytime) >= 0); |
11142 | 0 | UNLOCK_ZONE(zone); |
11143 | 0 | if (rekey) { |
11144 | 0 | zone_rekey(zone); |
11145 | 0 | } |
11146 | 0 | default: |
11147 | 0 | break; |
11148 | 0 | } |
11149 | | |
11150 | 0 | switch (zone->type) { |
11151 | 0 | case dns_zone_primary: |
11152 | 0 | case dns_zone_redirect: |
11153 | 0 | case dns_zone_secondary: |
11154 | | /* |
11155 | | * Do we need to sign/resign some RRsets? |
11156 | | */ |
11157 | 0 | LOCK_ZONE(zone); |
11158 | 0 | if (zone->rss != NULL) { |
11159 | 0 | isc_time_settoepoch(&zone->signingtime); |
11160 | 0 | isc_time_settoepoch(&zone->resigntime); |
11161 | 0 | isc_time_settoepoch(&zone->nsec3chaintime); |
11162 | 0 | isc_time_settoepoch(&zone->keywarntime); |
11163 | 0 | UNLOCK_ZONE(zone); |
11164 | 0 | break; |
11165 | 0 | } |
11166 | 0 | sign = !isc_time_isepoch(&zone->signingtime) && |
11167 | 0 | isc_time_compare(&now, &zone->signingtime) >= 0; |
11168 | 0 | resign = !isc_time_isepoch(&zone->resigntime) && |
11169 | 0 | isc_time_compare(&now, &zone->resigntime) >= 0; |
11170 | 0 | chain = !isc_time_isepoch(&zone->nsec3chaintime) && |
11171 | 0 | isc_time_compare(&now, &zone->nsec3chaintime) >= 0; |
11172 | 0 | warn_expire = !isc_time_isepoch(&zone->keywarntime) && |
11173 | 0 | isc_time_compare(&now, &zone->keywarntime) >= 0; |
11174 | 0 | UNLOCK_ZONE(zone); |
11175 | |
|
11176 | 0 | if (sign) { |
11177 | 0 | zone_sign(zone); |
11178 | 0 | } else if (resign) { |
11179 | 0 | zone_resigninc(zone); |
11180 | 0 | } else if (chain) { |
11181 | 0 | zone_nsec3chain(zone); |
11182 | 0 | } |
11183 | | |
11184 | | /* |
11185 | | * Do we need to issue a key expiry warning? |
11186 | | */ |
11187 | 0 | if (warn_expire) { |
11188 | 0 | set_key_expiry_warning(zone, zone->key_expiry, |
11189 | 0 | isc_time_seconds(&now)); |
11190 | 0 | } |
11191 | 0 | break; |
11192 | | |
11193 | 0 | default: |
11194 | 0 | break; |
11195 | 0 | } |
11196 | 0 | LOCK_ZONE(zone); |
11197 | 0 | zone_settimer(zone, &now); |
11198 | 0 | UNLOCK_ZONE(zone); |
11199 | 0 | } |
11200 | | |
11201 | | void |
11202 | 0 | dns_zone_markdirty(dns_zone_t *zone) { |
11203 | 0 | uint32_t serial; |
11204 | 0 | isc_result_t result = ISC_R_SUCCESS; |
11205 | 0 | dns_zone_t *secure = NULL; |
11206 | | |
11207 | | /* |
11208 | | * Obtaining a lock on the zone->secure (see zone_send_secureserial) |
11209 | | * could result in a deadlock due to a LOR so we will spin if we |
11210 | | * can't obtain the both locks. |
11211 | | */ |
11212 | 0 | again: |
11213 | 0 | LOCK_ZONE(zone); |
11214 | 0 | if (zone->type == dns_zone_primary) { |
11215 | 0 | if (inline_raw(zone)) { |
11216 | 0 | unsigned int soacount; |
11217 | 0 | secure = zone->secure; |
11218 | 0 | INSIST(secure != zone); |
11219 | 0 | TRYLOCK_ZONE(result, secure); |
11220 | 0 | if (result != ISC_R_SUCCESS) { |
11221 | 0 | UNLOCK_ZONE(zone); |
11222 | 0 | secure = NULL; |
11223 | 0 | isc_thread_yield(); |
11224 | 0 | goto again; |
11225 | 0 | } |
11226 | | |
11227 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
11228 | 0 | if (zone->db != NULL) { |
11229 | 0 | result = zone_get_from_db( |
11230 | 0 | zone, zone->db, NULL, &soacount, NULL, |
11231 | 0 | &serial, NULL, NULL, NULL, NULL, NULL); |
11232 | 0 | } else { |
11233 | 0 | result = DNS_R_NOTLOADED; |
11234 | 0 | } |
11235 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
11236 | 0 | if (result == ISC_R_SUCCESS && soacount > 0U) { |
11237 | 0 | zone_send_secureserial(zone, serial); |
11238 | 0 | } |
11239 | 0 | } |
11240 | | |
11241 | | /* XXXMPA make separate call back */ |
11242 | 0 | if (result == ISC_R_SUCCESS) { |
11243 | 0 | set_resigntime(zone); |
11244 | 0 | if (zone->loop != NULL) { |
11245 | 0 | isc_time_t now; |
11246 | 0 | now = isc_time_now(); |
11247 | 0 | zone_settimer(zone, &now); |
11248 | 0 | } |
11249 | 0 | } |
11250 | 0 | } |
11251 | 0 | if (secure != NULL) { |
11252 | 0 | UNLOCK_ZONE(secure); |
11253 | 0 | } |
11254 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
11255 | 0 | UNLOCK_ZONE(zone); |
11256 | 0 | } |
11257 | | |
11258 | | void |
11259 | 0 | dns_zone_expire(dns_zone_t *zone) { |
11260 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11261 | |
|
11262 | 0 | LOCK_ZONE(zone); |
11263 | 0 | zone_expire(zone); |
11264 | 0 | UNLOCK_ZONE(zone); |
11265 | 0 | } |
11266 | | |
11267 | | static void |
11268 | 0 | zone_expire(dns_zone_t *zone) { |
11269 | 0 | dns_db_t *db = NULL; |
11270 | | |
11271 | | /* |
11272 | | * 'zone' locked by caller. |
11273 | | */ |
11274 | |
|
11275 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11276 | |
|
11277 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, "expired"); |
11278 | |
|
11279 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED); |
11280 | 0 | zone->refresh = DNS_ZONE_DEFAULTREFRESH; |
11281 | 0 | zone->retry = DNS_ZONE_DEFAULTRETRY; |
11282 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
11283 | | |
11284 | | /* |
11285 | | * An RPZ zone has expired; before unloading it, we must |
11286 | | * first remove it from the RPZ summary database. The |
11287 | | * easiest way to do this is "update" it with an empty |
11288 | | * database so that the update callback synchronizes |
11289 | | * the diff automatically. |
11290 | | */ |
11291 | 0 | if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) { |
11292 | 0 | isc_result_t result; |
11293 | 0 | dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num]; |
11294 | |
|
11295 | 0 | CHECK(dns_db_create(zone->mctx, ZONEDB_DEFAULT, &zone->origin, |
11296 | 0 | dns_dbtype_zone, zone->rdclass, 0, NULL, |
11297 | 0 | &db)); |
11298 | 0 | CHECK(dns_rpz_dbupdate_callback(db, rpz)); |
11299 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
11300 | 0 | "response-policy zone expired; " |
11301 | 0 | "policies unloaded"); |
11302 | 0 | } |
11303 | | |
11304 | 0 | failure: |
11305 | 0 | if (db != NULL) { |
11306 | 0 | dns_db_detach(&db); |
11307 | 0 | } |
11308 | |
|
11309 | 0 | zone_unload(zone); |
11310 | 0 | } |
11311 | | |
11312 | | static void |
11313 | 0 | zone_refresh(dns_zone_t *zone) { |
11314 | 0 | isc_interval_t i; |
11315 | 0 | uint32_t oldflags; |
11316 | 0 | isc_result_t result; |
11317 | |
|
11318 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11319 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11320 | |
|
11321 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
11322 | 0 | return; |
11323 | 0 | } |
11324 | | |
11325 | | /* |
11326 | | * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation |
11327 | | * in progress at a time. |
11328 | | */ |
11329 | | |
11330 | 0 | oldflags = atomic_load(&zone->flags); |
11331 | 0 | if (dns_remote_addresses(&zone->primaries) == NULL) { |
11332 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOPRIMARIES); |
11333 | 0 | if ((oldflags & DNS_ZONEFLG_NOPRIMARIES) == 0) { |
11334 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
11335 | 0 | "cannot refresh: no primaries"); |
11336 | 0 | } |
11337 | 0 | return; |
11338 | 0 | } |
11339 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH); |
11340 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS); |
11341 | 0 | if ((oldflags & (DNS_ZONEFLG_REFRESH | DNS_ZONEFLG_LOADING)) != 0) { |
11342 | 0 | return; |
11343 | 0 | } |
11344 | | |
11345 | | /* |
11346 | | * Set the next refresh time as if refresh check has failed. |
11347 | | * Setting this to the retry time will do that. XXXMLG |
11348 | | * If we are successful it will be reset using zone->refresh. |
11349 | | */ |
11350 | 0 | isc_interval_set(&i, zone->retry - isc_random_uniform(zone->retry / 4), |
11351 | 0 | 0); |
11352 | 0 | result = isc_time_nowplusinterval(&zone->refreshtime, &i); |
11353 | 0 | if (result != ISC_R_SUCCESS) { |
11354 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
11355 | 0 | "isc_time_nowplusinterval() failed: %s", |
11356 | 0 | isc_result_totext(result)); |
11357 | 0 | } |
11358 | | |
11359 | | /* |
11360 | | * When lacking user-specified timer values from the SOA, |
11361 | | * do exponential backoff of the retry time up to a |
11362 | | * maximum of six hours. |
11363 | | */ |
11364 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) { |
11365 | 0 | zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600); |
11366 | 0 | } |
11367 | |
|
11368 | 0 | dns_remote_reset(&zone->primaries, true); |
11369 | | |
11370 | | /* initiate soa query */ |
11371 | 0 | queue_soa_query(zone); |
11372 | 0 | } |
11373 | | |
11374 | | void |
11375 | 0 | dns_zone_refresh(dns_zone_t *zone) { |
11376 | 0 | LOCK_ZONE(zone); |
11377 | 0 | zone_refresh(zone); |
11378 | 0 | UNLOCK_ZONE(zone); |
11379 | 0 | } |
11380 | | |
11381 | | static isc_result_t |
11382 | | zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump, |
11383 | 2 | bool *fixjournal) { |
11384 | 2 | dns_journal_t *journal = NULL; |
11385 | 2 | unsigned int options; |
11386 | 2 | isc_result_t result; |
11387 | | |
11388 | 2 | if (zone->type == dns_zone_primary && |
11389 | 2 | (inline_secure(zone) || |
11390 | 2 | (zone->update_acl != NULL || zone->ssutable != NULL))) |
11391 | 0 | { |
11392 | 0 | options = DNS_JOURNALOPT_RESIGN; |
11393 | 2 | } else { |
11394 | 2 | options = 0; |
11395 | 2 | } |
11396 | | |
11397 | 2 | result = dns_journal_open(zone->mctx, zone->journal, DNS_JOURNAL_READ, |
11398 | 2 | &journal); |
11399 | 2 | if (result == ISC_R_NOTFOUND) { |
11400 | 2 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(3), |
11401 | 2 | "no journal file, but that's OK "); |
11402 | 2 | return (ISC_R_SUCCESS); |
11403 | 2 | } else if (result != ISC_R_SUCCESS) { |
11404 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, |
11405 | 0 | "journal open failed: %s", |
11406 | 0 | isc_result_totext(result)); |
11407 | 0 | return (result); |
11408 | 0 | } |
11409 | | |
11410 | 0 | if (dns_journal_empty(journal)) { |
11411 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1), |
11412 | 0 | "journal empty"); |
11413 | 0 | dns_journal_destroy(&journal); |
11414 | 0 | return (ISC_R_SUCCESS); |
11415 | 0 | } |
11416 | | |
11417 | 0 | result = dns_journal_rollforward(journal, db, options); |
11418 | 0 | switch (result) { |
11419 | 0 | case ISC_R_SUCCESS: |
11420 | 0 | *needdump = true; |
11421 | 0 | FALLTHROUGH; |
11422 | 0 | case DNS_R_UPTODATE: |
11423 | 0 | if (dns_journal_recovered(journal)) { |
11424 | 0 | *fixjournal = true; |
11425 | 0 | dns_zone_logc( |
11426 | 0 | zone, DNS_LOGCATEGORY_ZONELOAD, |
11427 | 0 | ISC_LOG_DEBUG(1), |
11428 | 0 | "journal rollforward completed successfully " |
11429 | 0 | "using old journal format: %s", |
11430 | 0 | isc_result_totext(result)); |
11431 | 0 | } else { |
11432 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, |
11433 | 0 | ISC_LOG_DEBUG(1), |
11434 | 0 | "journal rollforward completed " |
11435 | 0 | "successfully: %s", |
11436 | 0 | isc_result_totext(result)); |
11437 | 0 | } |
11438 | |
|
11439 | 0 | dns_journal_destroy(&journal); |
11440 | 0 | return (ISC_R_SUCCESS); |
11441 | 0 | case ISC_R_NOTFOUND: |
11442 | 0 | case ISC_R_RANGE: |
11443 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, |
11444 | 0 | "journal rollforward failed: journal out of sync " |
11445 | 0 | "with zone"); |
11446 | 0 | dns_journal_destroy(&journal); |
11447 | 0 | return (result); |
11448 | 0 | default: |
11449 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, |
11450 | 0 | "journal rollforward failed: %s", |
11451 | 0 | isc_result_totext(result)); |
11452 | 0 | dns_journal_destroy(&journal); |
11453 | 0 | return (result); |
11454 | 0 | } |
11455 | 0 | } |
11456 | | |
11457 | | static void |
11458 | 0 | zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial) { |
11459 | 0 | isc_result_t result; |
11460 | 0 | int32_t journalsize; |
11461 | 0 | dns_dbversion_t *ver = NULL; |
11462 | 0 | uint64_t dbsize; |
11463 | 0 | uint32_t options = 0; |
11464 | |
|
11465 | 0 | INSIST(LOCKED_ZONE(zone)); |
11466 | 0 | if (inline_raw(zone)) { |
11467 | 0 | INSIST(LOCKED_ZONE(zone->secure)); |
11468 | 0 | } |
11469 | |
|
11470 | 0 | journalsize = zone->journalsize; |
11471 | 0 | if (journalsize == -1) { |
11472 | 0 | journalsize = DNS_JOURNAL_SIZE_MAX; |
11473 | 0 | dns_db_currentversion(db, &ver); |
11474 | 0 | result = dns_db_getsize(db, ver, NULL, &dbsize); |
11475 | 0 | dns_db_closeversion(db, &ver, false); |
11476 | 0 | if (result != ISC_R_SUCCESS) { |
11477 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
11478 | 0 | "zone_journal_compact: " |
11479 | 0 | "could not get zone size: %s", |
11480 | 0 | isc_result_totext(result)); |
11481 | 0 | } else if (dbsize < DNS_JOURNAL_SIZE_MAX / 2) { |
11482 | 0 | journalsize = (int32_t)dbsize * 2; |
11483 | 0 | } |
11484 | 0 | } |
11485 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIXJOURNAL)) { |
11486 | 0 | options |= DNS_JOURNAL_COMPACTALL; |
11487 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FIXJOURNAL); |
11488 | 0 | zone_debuglog(zone, __func__, 1, "repair full journal"); |
11489 | 0 | } else { |
11490 | 0 | zone_debuglog(zone, __func__, 1, "target journal size %d", |
11491 | 0 | journalsize); |
11492 | 0 | } |
11493 | 0 | result = dns_journal_compact(zone->mctx, zone->journal, serial, options, |
11494 | 0 | journalsize); |
11495 | 0 | switch (result) { |
11496 | 0 | case ISC_R_SUCCESS: |
11497 | 0 | case ISC_R_NOSPACE: |
11498 | 0 | case ISC_R_NOTFOUND: |
11499 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_journal_compact: %s", |
11500 | 0 | isc_result_totext(result)); |
11501 | 0 | break; |
11502 | 0 | default: |
11503 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
11504 | 0 | "dns_journal_compact failed: %s", |
11505 | 0 | isc_result_totext(result)); |
11506 | 0 | break; |
11507 | 0 | } |
11508 | 0 | } |
11509 | | |
11510 | | isc_result_t |
11511 | 0 | dns_zone_flush(dns_zone_t *zone) { |
11512 | 0 | isc_result_t result = ISC_R_SUCCESS; |
11513 | 0 | bool dumping; |
11514 | |
|
11515 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11516 | |
|
11517 | 0 | LOCK_ZONE(zone); |
11518 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH); |
11519 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
11520 | 0 | zone->masterfile != NULL) |
11521 | 0 | { |
11522 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT); |
11523 | 0 | result = ISC_R_ALREADYRUNNING; |
11524 | 0 | dumping = was_dumping(zone); |
11525 | 0 | } else { |
11526 | 0 | dumping = true; |
11527 | 0 | } |
11528 | 0 | UNLOCK_ZONE(zone); |
11529 | 0 | if (!dumping) { |
11530 | 0 | result = zone_dump(zone, true); |
11531 | 0 | } |
11532 | 0 | return (result); |
11533 | 0 | } |
11534 | | |
11535 | | isc_result_t |
11536 | 0 | dns_zone_dump(dns_zone_t *zone) { |
11537 | 0 | isc_result_t result = ISC_R_ALREADYRUNNING; |
11538 | 0 | bool dumping; |
11539 | |
|
11540 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11541 | |
|
11542 | 0 | LOCK_ZONE(zone); |
11543 | 0 | dumping = was_dumping(zone); |
11544 | 0 | UNLOCK_ZONE(zone); |
11545 | 0 | if (!dumping) { |
11546 | 0 | result = zone_dump(zone, false); |
11547 | 0 | } |
11548 | 0 | return (result); |
11549 | 0 | } |
11550 | | |
11551 | | static void |
11552 | 0 | zone_needdump(dns_zone_t *zone, unsigned int delay) { |
11553 | 0 | isc_time_t dumptime; |
11554 | 0 | isc_time_t now; |
11555 | | |
11556 | | /* |
11557 | | * 'zone' locked by caller |
11558 | | */ |
11559 | |
|
11560 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11561 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11562 | 0 | ENTER; |
11563 | | |
11564 | | /* |
11565 | | * Do we have a place to dump to and are we loaded? |
11566 | | */ |
11567 | 0 | if (zone->masterfile == NULL || |
11568 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0) |
11569 | 0 | { |
11570 | 0 | return; |
11571 | 0 | } |
11572 | | |
11573 | 0 | now = isc_time_now(); |
11574 | | /* add some noise */ |
11575 | 0 | DNS_ZONE_JITTER_ADD(&now, delay, &dumptime); |
11576 | |
|
11577 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP); |
11578 | 0 | if (isc_time_isepoch(&zone->dumptime) || |
11579 | 0 | isc_time_compare(&zone->dumptime, &dumptime) > 0) |
11580 | 0 | { |
11581 | 0 | zone->dumptime = dumptime; |
11582 | 0 | } |
11583 | 0 | if (zone->loop != NULL) { |
11584 | 0 | zone_settimer(zone, &now); |
11585 | 0 | } |
11586 | 0 | } |
11587 | | |
11588 | | static void |
11589 | 0 | dump_done(void *arg, isc_result_t result) { |
11590 | 0 | dns_zone_t *zone = arg; |
11591 | 0 | dns_zone_t *secure = NULL; |
11592 | 0 | dns_db_t *db; |
11593 | 0 | dns_dbversion_t *version; |
11594 | 0 | bool again = false; |
11595 | 0 | bool compact = false; |
11596 | 0 | uint32_t serial; |
11597 | 0 | isc_result_t tresult; |
11598 | |
|
11599 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11600 | |
|
11601 | 0 | ENTER; |
11602 | | |
11603 | | /* |
11604 | | * Adjust modification time of zone file to preserve expire timing. |
11605 | | */ |
11606 | 0 | if ((zone->type == dns_zone_secondary || |
11607 | 0 | zone->type == dns_zone_mirror || |
11608 | 0 | zone->type == dns_zone_redirect) && |
11609 | 0 | result == ISC_R_SUCCESS) |
11610 | 0 | { |
11611 | 0 | LOCK_ZONE(zone); |
11612 | 0 | isc_time_t when; |
11613 | 0 | isc_interval_t i; |
11614 | 0 | isc_interval_set(&i, zone->expire, 0); |
11615 | 0 | result = isc_time_subtract(&zone->expiretime, &i, &when); |
11616 | 0 | if (result == ISC_R_SUCCESS) { |
11617 | 0 | (void)isc_file_settime(zone->masterfile, &when); |
11618 | 0 | } else { |
11619 | 0 | result = ISC_R_SUCCESS; |
11620 | 0 | } |
11621 | 0 | UNLOCK_ZONE(zone); |
11622 | 0 | } |
11623 | |
|
11624 | 0 | if (result == ISC_R_SUCCESS && zone->journal != NULL) { |
11625 | | /* |
11626 | | * We don't own these, zone->dctx must stay valid. |
11627 | | */ |
11628 | 0 | db = dns_dumpctx_db(zone->dumpctx); |
11629 | 0 | version = dns_dumpctx_version(zone->dumpctx); |
11630 | 0 | tresult = dns_db_getsoaserial(db, version, &serial); |
11631 | | |
11632 | | /* |
11633 | | * Handle lock order inversion. |
11634 | | */ |
11635 | 0 | again: |
11636 | 0 | LOCK_ZONE(zone); |
11637 | 0 | if (inline_raw(zone)) { |
11638 | 0 | secure = zone->secure; |
11639 | 0 | INSIST(secure != zone); |
11640 | 0 | TRYLOCK_ZONE(result, secure); |
11641 | 0 | if (result != ISC_R_SUCCESS) { |
11642 | 0 | UNLOCK_ZONE(zone); |
11643 | 0 | secure = NULL; |
11644 | 0 | isc_thread_yield(); |
11645 | 0 | goto again; |
11646 | 0 | } |
11647 | 0 | } |
11648 | | |
11649 | | /* |
11650 | | * If there is a secure version of this zone |
11651 | | * use its serial if it is less than ours. |
11652 | | */ |
11653 | 0 | if (tresult == ISC_R_SUCCESS && secure != NULL) { |
11654 | 0 | uint32_t sserial; |
11655 | 0 | isc_result_t mresult; |
11656 | |
|
11657 | 0 | ZONEDB_LOCK(&secure->dblock, isc_rwlocktype_read); |
11658 | 0 | if (secure->db != NULL) { |
11659 | 0 | mresult = dns_db_getsoaserial(zone->secure->db, |
11660 | 0 | NULL, &sserial); |
11661 | 0 | if (mresult == ISC_R_SUCCESS && |
11662 | 0 | isc_serial_lt(sserial, serial)) |
11663 | 0 | { |
11664 | 0 | serial = sserial; |
11665 | 0 | } |
11666 | 0 | } |
11667 | 0 | ZONEDB_UNLOCK(&secure->dblock, isc_rwlocktype_read); |
11668 | 0 | } |
11669 | 0 | if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) { |
11670 | 0 | dns_db_t *zdb = NULL; |
11671 | 0 | if (dns_zone_getdb(zone, &zdb) == ISC_R_SUCCESS) { |
11672 | 0 | zone_journal_compact(zone, zdb, serial); |
11673 | 0 | dns_db_detach(&zdb); |
11674 | 0 | } |
11675 | 0 | } else if (tresult == ISC_R_SUCCESS) { |
11676 | 0 | compact = true; |
11677 | 0 | zone->compact_serial = serial; |
11678 | 0 | } |
11679 | 0 | if (secure != NULL) { |
11680 | 0 | UNLOCK_ZONE(secure); |
11681 | 0 | } |
11682 | 0 | UNLOCK_ZONE(zone); |
11683 | 0 | } |
11684 | | |
11685 | 0 | LOCK_ZONE(zone); |
11686 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING); |
11687 | 0 | if (compact) { |
11688 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT); |
11689 | 0 | } |
11690 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN)) { |
11691 | | /* |
11692 | | * If DNS_ZONEFLG_SHUTDOWN is set, all external references to |
11693 | | * the zone are gone, which means it is in the process of being |
11694 | | * cleaned up, so do not reschedule dumping. |
11695 | | * |
11696 | | * Detach from the raw version of the zone in case this |
11697 | | * operation has been deferred in zone_shutdown(). |
11698 | | */ |
11699 | 0 | if (zone->raw != NULL) { |
11700 | 0 | dns_zone_detach(&zone->raw); |
11701 | 0 | } |
11702 | 0 | if (result == ISC_R_SUCCESS) { |
11703 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH); |
11704 | 0 | } |
11705 | 0 | } else if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) { |
11706 | | /* |
11707 | | * Try again in a short while. |
11708 | | */ |
11709 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
11710 | 0 | } else if (result == ISC_R_SUCCESS && |
11711 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) && |
11712 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
11713 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
11714 | 0 | { |
11715 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP); |
11716 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING); |
11717 | 0 | isc_time_settoepoch(&zone->dumptime); |
11718 | 0 | again = true; |
11719 | 0 | } else if (result == ISC_R_SUCCESS) { |
11720 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH); |
11721 | 0 | } |
11722 | |
|
11723 | 0 | if (zone->dumpctx != NULL) { |
11724 | 0 | dns_dumpctx_detach(&zone->dumpctx); |
11725 | 0 | } |
11726 | 0 | UNLOCK_ZONE(zone); |
11727 | 0 | if (again) { |
11728 | 0 | (void)zone_dump(zone, false); |
11729 | 0 | } |
11730 | 0 | dns_zone_idetach(&zone); |
11731 | 0 | } |
11732 | | |
11733 | | static isc_result_t |
11734 | 0 | zone_dump(dns_zone_t *zone, bool compact) { |
11735 | 0 | isc_result_t result; |
11736 | 0 | dns_dbversion_t *version = NULL; |
11737 | 0 | bool again = false; |
11738 | 0 | dns_db_t *db = NULL; |
11739 | 0 | char *masterfile = NULL; |
11740 | 0 | dns_masterformat_t masterformat = dns_masterformat_none; |
11741 | 0 | const dns_master_style_t *masterstyle = NULL; |
11742 | 0 | dns_masterrawheader_t rawdata; |
11743 | | |
11744 | | /* |
11745 | | * 'compact' MUST only be set if we are loop locked. |
11746 | | */ |
11747 | |
|
11748 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11749 | 0 | ENTER; |
11750 | |
|
11751 | 0 | redo: |
11752 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
11753 | 0 | if (zone->db != NULL) { |
11754 | 0 | dns_db_attach(zone->db, &db); |
11755 | 0 | } |
11756 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
11757 | 0 | LOCK_ZONE(zone); |
11758 | 0 | if (zone->masterfile != NULL) { |
11759 | 0 | masterfile = isc_mem_strdup(zone->mctx, zone->masterfile); |
11760 | 0 | masterformat = zone->masterformat; |
11761 | 0 | } |
11762 | 0 | if (zone->type == dns_zone_key) { |
11763 | 0 | masterstyle = &dns_master_style_keyzone; |
11764 | 0 | } else if (zone->masterstyle != NULL) { |
11765 | 0 | masterstyle = zone->masterstyle; |
11766 | 0 | } else { |
11767 | 0 | masterstyle = &dns_master_style_default; |
11768 | 0 | } |
11769 | 0 | UNLOCK_ZONE(zone); |
11770 | 0 | if (db == NULL) { |
11771 | 0 | result = DNS_R_NOTLOADED; |
11772 | 0 | goto fail; |
11773 | 0 | } |
11774 | 0 | if (masterfile == NULL) { |
11775 | 0 | result = DNS_R_NOMASTERFILE; |
11776 | 0 | goto fail; |
11777 | 0 | } |
11778 | | |
11779 | 0 | dns_db_currentversion(db, &version); |
11780 | |
|
11781 | 0 | dns_master_initrawheader(&rawdata); |
11782 | |
|
11783 | 0 | if (inline_secure(zone)) { |
11784 | 0 | get_raw_serial(zone->raw, &rawdata); |
11785 | 0 | } |
11786 | |
|
11787 | 0 | if (compact && zone->type != dns_zone_stub) { |
11788 | 0 | LOCK_ZONE(zone); |
11789 | 0 | zone_iattach(zone, &(dns_zone_t *){ NULL }); |
11790 | |
|
11791 | 0 | INSIST(zone != zone->raw); |
11792 | |
|
11793 | 0 | result = dns_master_dumpasync( |
11794 | 0 | zone->mctx, db, version, masterstyle, masterfile, |
11795 | 0 | zone->loop, dump_done, zone, &zone->dumpctx, |
11796 | 0 | masterformat, &rawdata); |
11797 | |
|
11798 | 0 | UNLOCK_ZONE(zone); |
11799 | 0 | if (result != ISC_R_SUCCESS) { |
11800 | 0 | dns_zone_idetach(&(dns_zone_t *){ zone }); |
11801 | 0 | goto fail; |
11802 | 0 | } |
11803 | 0 | result = DNS_R_CONTINUE; |
11804 | 0 | } else { |
11805 | 0 | result = dns_master_dump(zone->mctx, db, version, masterstyle, |
11806 | 0 | masterfile, masterformat, &rawdata); |
11807 | 0 | if ((zone->type == dns_zone_secondary || |
11808 | 0 | zone->type == dns_zone_mirror || |
11809 | 0 | zone->type == dns_zone_redirect) && |
11810 | 0 | result == ISC_R_SUCCESS) |
11811 | 0 | { |
11812 | 0 | isc_time_t when; |
11813 | 0 | isc_interval_t i; |
11814 | 0 | isc_interval_set(&i, zone->expire, 0); |
11815 | 0 | result = isc_time_subtract(&zone->expiretime, &i, |
11816 | 0 | &when); |
11817 | 0 | if (result == ISC_R_SUCCESS) { |
11818 | 0 | (void)isc_file_settime(zone->masterfile, &when); |
11819 | 0 | } else { |
11820 | 0 | result = ISC_R_SUCCESS; |
11821 | 0 | } |
11822 | 0 | } |
11823 | 0 | } |
11824 | 0 | fail: |
11825 | 0 | if (version != NULL) { |
11826 | 0 | dns_db_closeversion(db, &version, false); |
11827 | 0 | } |
11828 | 0 | if (db != NULL) { |
11829 | 0 | dns_db_detach(&db); |
11830 | 0 | } |
11831 | 0 | if (masterfile != NULL) { |
11832 | 0 | isc_mem_free(zone->mctx, masterfile); |
11833 | 0 | masterfile = NULL; |
11834 | 0 | } |
11835 | |
|
11836 | 0 | if (result == DNS_R_CONTINUE) { |
11837 | | /* |
11838 | | * Asyncronous write is in progress. Zone flags will get |
11839 | | * updated on completion. Cleanup is complete. We are done. |
11840 | | */ |
11841 | 0 | return (ISC_R_SUCCESS); |
11842 | 0 | } |
11843 | | |
11844 | 0 | again = false; |
11845 | 0 | LOCK_ZONE(zone); |
11846 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING); |
11847 | 0 | if (result != ISC_R_SUCCESS) { |
11848 | | /* |
11849 | | * Try again in a short while. |
11850 | | */ |
11851 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
11852 | 0 | } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) && |
11853 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
11854 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
11855 | 0 | { |
11856 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP); |
11857 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING); |
11858 | 0 | isc_time_settoepoch(&zone->dumptime); |
11859 | 0 | again = true; |
11860 | 0 | } else { |
11861 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH); |
11862 | 0 | } |
11863 | 0 | UNLOCK_ZONE(zone); |
11864 | 0 | if (again) { |
11865 | 0 | goto redo; |
11866 | 0 | } |
11867 | | |
11868 | 0 | return (result); |
11869 | 0 | } |
11870 | | |
11871 | | static isc_result_t |
11872 | | dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style, |
11873 | 0 | dns_masterformat_t format, const uint32_t rawversion) { |
11874 | 0 | isc_result_t result; |
11875 | 0 | dns_dbversion_t *version = NULL; |
11876 | 0 | dns_db_t *db = NULL; |
11877 | 0 | dns_masterrawheader_t rawdata; |
11878 | |
|
11879 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11880 | |
|
11881 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
11882 | 0 | if (zone->db != NULL) { |
11883 | 0 | dns_db_attach(zone->db, &db); |
11884 | 0 | } |
11885 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
11886 | 0 | if (db == NULL) { |
11887 | 0 | return (DNS_R_NOTLOADED); |
11888 | 0 | } |
11889 | | |
11890 | 0 | dns_db_currentversion(db, &version); |
11891 | 0 | dns_master_initrawheader(&rawdata); |
11892 | 0 | if (rawversion == 0) { |
11893 | 0 | rawdata.flags |= DNS_MASTERRAW_COMPAT; |
11894 | 0 | } else if (inline_secure(zone)) { |
11895 | 0 | get_raw_serial(zone->raw, &rawdata); |
11896 | 0 | } else if (zone->sourceserialset) { |
11897 | 0 | rawdata.flags = DNS_MASTERRAW_SOURCESERIALSET; |
11898 | 0 | rawdata.sourceserial = zone->sourceserial; |
11899 | 0 | } |
11900 | 0 | result = dns_master_dumptostream(zone->mctx, db, version, style, format, |
11901 | 0 | &rawdata, fd); |
11902 | 0 | dns_db_closeversion(db, &version, false); |
11903 | 0 | dns_db_detach(&db); |
11904 | 0 | return (result); |
11905 | 0 | } |
11906 | | |
11907 | | isc_result_t |
11908 | | dns_zone_dumptostream(dns_zone_t *zone, FILE *fd, dns_masterformat_t format, |
11909 | | const dns_master_style_t *style, |
11910 | 0 | const uint32_t rawversion) { |
11911 | 0 | return (dumptostream(zone, fd, style, format, rawversion)); |
11912 | 0 | } |
11913 | | |
11914 | | void |
11915 | 0 | dns_zone_unload(dns_zone_t *zone) { |
11916 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
11917 | |
|
11918 | 0 | LOCK_ZONE(zone); |
11919 | 0 | zone_unload(zone); |
11920 | 0 | UNLOCK_ZONE(zone); |
11921 | 0 | } |
11922 | | |
11923 | | static void |
11924 | 0 | notify_cancel(dns_zone_t *zone) { |
11925 | 0 | dns_notify_t *notify; |
11926 | | |
11927 | | /* |
11928 | | * 'zone' locked by caller. |
11929 | | */ |
11930 | |
|
11931 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11932 | |
|
11933 | 0 | for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL; |
11934 | 0 | notify = ISC_LIST_NEXT(notify, link)) |
11935 | 0 | { |
11936 | 0 | if (notify->find != NULL) { |
11937 | 0 | dns_adb_cancelfind(notify->find); |
11938 | 0 | } |
11939 | 0 | if (notify->request != NULL) { |
11940 | 0 | dns_request_cancel(notify->request); |
11941 | 0 | } |
11942 | 0 | } |
11943 | 0 | } |
11944 | | |
11945 | | static void |
11946 | 0 | checkds_cancel(dns_zone_t *zone) { |
11947 | 0 | dns_checkds_t *checkds; |
11948 | | |
11949 | | /* |
11950 | | * 'zone' locked by caller. |
11951 | | */ |
11952 | |
|
11953 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11954 | |
|
11955 | 0 | for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL; |
11956 | 0 | checkds = ISC_LIST_NEXT(checkds, link)) |
11957 | 0 | { |
11958 | 0 | if (checkds->find != NULL) { |
11959 | 0 | dns_adb_cancelfind(checkds->find); |
11960 | 0 | } |
11961 | 0 | if (checkds->request != NULL) { |
11962 | 0 | dns_request_cancel(checkds->request); |
11963 | 0 | } |
11964 | 0 | } |
11965 | 0 | } |
11966 | | |
11967 | | static void |
11968 | 0 | forward_cancel(dns_zone_t *zone) { |
11969 | 0 | dns_forward_t *forward; |
11970 | | |
11971 | | /* |
11972 | | * 'zone' locked by caller. |
11973 | | */ |
11974 | |
|
11975 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11976 | |
|
11977 | 0 | for (forward = ISC_LIST_HEAD(zone->forwards); forward != NULL; |
11978 | 0 | forward = ISC_LIST_NEXT(forward, link)) |
11979 | 0 | { |
11980 | 0 | if (forward->request != NULL) { |
11981 | 0 | dns_request_cancel(forward->request); |
11982 | 0 | } |
11983 | 0 | } |
11984 | 0 | } |
11985 | | |
11986 | | static void |
11987 | 0 | zone_unload(dns_zone_t *zone) { |
11988 | | /* |
11989 | | * 'zone' locked by caller. |
11990 | | */ |
11991 | |
|
11992 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
11993 | |
|
11994 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) || |
11995 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
11996 | 0 | { |
11997 | 0 | if (zone->dumpctx != NULL) { |
11998 | 0 | dns_dumpctx_cancel(zone->dumpctx); |
11999 | 0 | } |
12000 | 0 | } |
12001 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
12002 | 0 | zone_detachdb(zone); |
12003 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
12004 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED); |
12005 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP); |
12006 | |
|
12007 | 0 | if (zone->type == dns_zone_mirror) { |
12008 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
12009 | 0 | "mirror zone is no longer in use; " |
12010 | 0 | "reverting to normal recursion"); |
12011 | 0 | } |
12012 | 0 | } |
12013 | | |
12014 | | void |
12015 | 0 | dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val) { |
12016 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12017 | 0 | REQUIRE(val > 0); |
12018 | |
|
12019 | 0 | zone->minrefresh = val; |
12020 | 0 | } |
12021 | | |
12022 | | void |
12023 | 0 | dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val) { |
12024 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12025 | 0 | REQUIRE(val > 0); |
12026 | |
|
12027 | 0 | zone->maxrefresh = val; |
12028 | 0 | } |
12029 | | |
12030 | | void |
12031 | 0 | dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val) { |
12032 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12033 | 0 | REQUIRE(val > 0); |
12034 | |
|
12035 | 0 | zone->minretry = val; |
12036 | 0 | } |
12037 | | |
12038 | | void |
12039 | 0 | dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val) { |
12040 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12041 | 0 | REQUIRE(val > 0); |
12042 | |
|
12043 | 0 | zone->maxretry = val; |
12044 | 0 | } |
12045 | | |
12046 | | uint32_t |
12047 | 0 | dns_zone_getmaxrecords(dns_zone_t *zone) { |
12048 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12049 | |
|
12050 | 0 | return (zone->maxrecords); |
12051 | 0 | } |
12052 | | |
12053 | | void |
12054 | 0 | dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) { |
12055 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12056 | |
|
12057 | 0 | zone->maxrecords = val; |
12058 | 0 | } |
12059 | | |
12060 | | static bool |
12061 | | notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name, |
12062 | | isc_sockaddr_t *addr, dns_tsigkey_t *key, |
12063 | 0 | dns_transport_t *transport) { |
12064 | 0 | dns_notify_t *notify; |
12065 | 0 | dns_zonemgr_t *zmgr; |
12066 | 0 | isc_result_t result; |
12067 | |
|
12068 | 0 | for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL; |
12069 | 0 | notify = ISC_LIST_NEXT(notify, link)) |
12070 | 0 | { |
12071 | 0 | if (notify->request != NULL) { |
12072 | 0 | continue; |
12073 | 0 | } |
12074 | 0 | if (name != NULL && dns_name_dynamic(¬ify->ns) && |
12075 | 0 | dns_name_equal(name, ¬ify->ns)) |
12076 | 0 | { |
12077 | 0 | goto requeue; |
12078 | 0 | } |
12079 | 0 | if (addr != NULL && isc_sockaddr_equal(addr, ¬ify->dst) && |
12080 | 0 | notify->key == key && notify->transport == transport) |
12081 | 0 | { |
12082 | 0 | goto requeue; |
12083 | 0 | } |
12084 | 0 | } |
12085 | 0 | return (false); |
12086 | | |
12087 | 0 | requeue: |
12088 | | /* |
12089 | | * If we are enqueued on the startup ratelimiter and this is |
12090 | | * not a startup notify, re-enqueue on the normal notify |
12091 | | * ratelimiter. |
12092 | | */ |
12093 | 0 | if (notify->rlevent != NULL && (flags & DNS_NOTIFY_STARTUP) == 0 && |
12094 | 0 | (notify->flags & DNS_NOTIFY_STARTUP) != 0) |
12095 | 0 | { |
12096 | 0 | zmgr = notify->zone->zmgr; |
12097 | 0 | result = isc_ratelimiter_dequeue(zmgr->startupnotifyrl, |
12098 | 0 | ¬ify->rlevent); |
12099 | 0 | if (result != ISC_R_SUCCESS) { |
12100 | 0 | return (true); |
12101 | 0 | } |
12102 | | |
12103 | 0 | notify->flags &= ~DNS_NOTIFY_STARTUP; |
12104 | 0 | result = isc_ratelimiter_enqueue( |
12105 | 0 | notify->zone->zmgr->notifyrl, notify->zone->loop, |
12106 | 0 | notify_send_toaddr, notify, ¬ify->rlevent); |
12107 | 0 | if (result != ISC_R_SUCCESS) { |
12108 | 0 | return (false); |
12109 | 0 | } |
12110 | 0 | } |
12111 | | |
12112 | 0 | return (true); |
12113 | 0 | } |
12114 | | |
12115 | | static bool |
12116 | 0 | notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) { |
12117 | 0 | dns_tsigkey_t *key = NULL; |
12118 | 0 | isc_sockaddr_t src; |
12119 | 0 | isc_sockaddr_t any; |
12120 | 0 | bool isself; |
12121 | 0 | isc_netaddr_t dstaddr; |
12122 | 0 | isc_result_t result; |
12123 | |
|
12124 | 0 | if (zone->view == NULL || zone->isself == NULL) { |
12125 | 0 | return (false); |
12126 | 0 | } |
12127 | | |
12128 | 0 | switch (isc_sockaddr_pf(dst)) { |
12129 | 0 | case PF_INET: |
12130 | 0 | src = zone->notifysrc4; |
12131 | 0 | isc_sockaddr_any(&any); |
12132 | 0 | break; |
12133 | 0 | case PF_INET6: |
12134 | 0 | src = zone->notifysrc6; |
12135 | 0 | isc_sockaddr_any6(&any); |
12136 | 0 | break; |
12137 | 0 | default: |
12138 | 0 | return (false); |
12139 | 0 | } |
12140 | | |
12141 | | /* |
12142 | | * When sending from any the kernel will assign a source address |
12143 | | * that matches the destination address. |
12144 | | */ |
12145 | 0 | if (isc_sockaddr_eqaddr(&any, &src)) { |
12146 | 0 | src = *dst; |
12147 | 0 | } |
12148 | |
|
12149 | 0 | isc_netaddr_fromsockaddr(&dstaddr, dst); |
12150 | 0 | result = dns_view_getpeertsig(zone->view, &dstaddr, &key); |
12151 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
12152 | 0 | return (false); |
12153 | 0 | } |
12154 | 0 | isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass, |
12155 | 0 | zone->isselfarg); |
12156 | 0 | if (key != NULL) { |
12157 | 0 | dns_tsigkey_detach(&key); |
12158 | 0 | } |
12159 | 0 | return (isself); |
12160 | 0 | } |
12161 | | |
12162 | | static void |
12163 | 0 | notify_destroy(dns_notify_t *notify, bool locked) { |
12164 | 0 | isc_mem_t *mctx; |
12165 | |
|
12166 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
12167 | |
|
12168 | 0 | if (notify->zone != NULL) { |
12169 | 0 | if (!locked) { |
12170 | 0 | LOCK_ZONE(notify->zone); |
12171 | 0 | } |
12172 | 0 | REQUIRE(LOCKED_ZONE(notify->zone)); |
12173 | 0 | if (ISC_LINK_LINKED(notify, link)) { |
12174 | 0 | ISC_LIST_UNLINK(notify->zone->notifies, notify, link); |
12175 | 0 | } |
12176 | 0 | if (!locked) { |
12177 | 0 | UNLOCK_ZONE(notify->zone); |
12178 | 0 | } |
12179 | 0 | if (locked) { |
12180 | 0 | zone_idetach(¬ify->zone); |
12181 | 0 | } else { |
12182 | 0 | dns_zone_idetach(¬ify->zone); |
12183 | 0 | } |
12184 | 0 | } |
12185 | 0 | if (notify->find != NULL) { |
12186 | 0 | dns_adb_destroyfind(¬ify->find); |
12187 | 0 | } |
12188 | 0 | if (notify->request != NULL) { |
12189 | 0 | dns_request_destroy(¬ify->request); |
12190 | 0 | } |
12191 | 0 | if (dns_name_dynamic(¬ify->ns)) { |
12192 | 0 | dns_name_free(¬ify->ns, notify->mctx); |
12193 | 0 | } |
12194 | 0 | if (notify->key != NULL) { |
12195 | 0 | dns_tsigkey_detach(¬ify->key); |
12196 | 0 | } |
12197 | 0 | if (notify->transport != NULL) { |
12198 | 0 | dns_transport_detach(¬ify->transport); |
12199 | 0 | } |
12200 | 0 | mctx = notify->mctx; |
12201 | 0 | isc_mem_put(notify->mctx, notify, sizeof(*notify)); |
12202 | 0 | isc_mem_detach(&mctx); |
12203 | 0 | } |
12204 | | |
12205 | | static isc_result_t |
12206 | 0 | notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) { |
12207 | 0 | dns_notify_t *notify; |
12208 | |
|
12209 | 0 | REQUIRE(notifyp != NULL && *notifyp == NULL); |
12210 | |
|
12211 | 0 | notify = isc_mem_get(mctx, sizeof(*notify)); |
12212 | 0 | *notify = (dns_notify_t){ |
12213 | 0 | .flags = flags, |
12214 | 0 | }; |
12215 | |
|
12216 | 0 | isc_mem_attach(mctx, ¬ify->mctx); |
12217 | 0 | isc_sockaddr_any(¬ify->src); |
12218 | 0 | isc_sockaddr_any(¬ify->dst); |
12219 | 0 | dns_name_init(¬ify->ns, NULL); |
12220 | 0 | ISC_LINK_INIT(notify, link); |
12221 | 0 | notify->magic = NOTIFY_MAGIC; |
12222 | 0 | *notifyp = notify; |
12223 | 0 | return (ISC_R_SUCCESS); |
12224 | 0 | } |
12225 | | |
12226 | | /* |
12227 | | * XXXAG should check for DNS_ZONEFLG_EXITING |
12228 | | */ |
12229 | | static void |
12230 | 0 | process_notify_adb_event(void *arg) { |
12231 | 0 | dns_adbfind_t *find = (dns_adbfind_t *)arg; |
12232 | 0 | dns_notify_t *notify = (dns_notify_t *)find->cbarg; |
12233 | 0 | dns_adbstatus_t astat = find->status; |
12234 | |
|
12235 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
12236 | 0 | REQUIRE(find == notify->find); |
12237 | |
|
12238 | 0 | switch (astat) { |
12239 | 0 | case DNS_ADB_MOREADDRESSES: |
12240 | 0 | dns_adb_destroyfind(¬ify->find); |
12241 | 0 | notify_find_address(notify); |
12242 | 0 | return; |
12243 | | |
12244 | 0 | case DNS_ADB_NOMOREADDRESSES: |
12245 | 0 | LOCK_ZONE(notify->zone); |
12246 | 0 | notify_send(notify); |
12247 | 0 | UNLOCK_ZONE(notify->zone); |
12248 | 0 | break; |
12249 | | |
12250 | 0 | default: |
12251 | 0 | break; |
12252 | 0 | } |
12253 | | |
12254 | 0 | notify_destroy(notify, false); |
12255 | 0 | } |
12256 | | |
12257 | | static void |
12258 | 0 | notify_find_address(dns_notify_t *notify) { |
12259 | 0 | isc_result_t result; |
12260 | 0 | unsigned int options; |
12261 | 0 | dns_adb_t *adb = NULL; |
12262 | |
|
12263 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
12264 | |
|
12265 | 0 | options = DNS_ADBFIND_WANTEVENT; |
12266 | 0 | if (isc_net_probeipv4() != ISC_R_DISABLED) { |
12267 | 0 | options |= DNS_ADBFIND_INET; |
12268 | 0 | } |
12269 | 0 | if (isc_net_probeipv6() != ISC_R_DISABLED) { |
12270 | 0 | options |= DNS_ADBFIND_INET6; |
12271 | 0 | } |
12272 | |
|
12273 | 0 | dns_view_getadb(notify->zone->view, &adb); |
12274 | 0 | if (adb == NULL) { |
12275 | 0 | goto destroy; |
12276 | 0 | } |
12277 | | |
12278 | 0 | result = dns_adb_createfind( |
12279 | 0 | adb, notify->zone->loop, process_notify_adb_event, notify, |
12280 | 0 | ¬ify->ns, dns_rootname, 0, options, 0, NULL, |
12281 | 0 | notify->zone->view->dstport, 0, NULL, ¬ify->find); |
12282 | 0 | dns_adb_detach(&adb); |
12283 | | |
12284 | | /* Something failed? */ |
12285 | 0 | if (result != ISC_R_SUCCESS) { |
12286 | 0 | goto destroy; |
12287 | 0 | } |
12288 | | |
12289 | | /* More addresses pending? */ |
12290 | 0 | if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0) { |
12291 | 0 | return; |
12292 | 0 | } |
12293 | | |
12294 | | /* We have as many addresses as we can get. */ |
12295 | 0 | LOCK_ZONE(notify->zone); |
12296 | 0 | notify_send(notify); |
12297 | 0 | UNLOCK_ZONE(notify->zone); |
12298 | |
|
12299 | 0 | destroy: |
12300 | 0 | notify_destroy(notify, false); |
12301 | 0 | } |
12302 | | |
12303 | | static isc_result_t |
12304 | 0 | notify_send_queue(dns_notify_t *notify, bool startup) { |
12305 | 0 | return (isc_ratelimiter_enqueue( |
12306 | 0 | startup ? notify->zone->zmgr->startupnotifyrl |
12307 | 0 | : notify->zone->zmgr->notifyrl, |
12308 | 0 | notify->zone->loop, notify_send_toaddr, notify, |
12309 | 0 | ¬ify->rlevent)); |
12310 | 0 | } |
12311 | | |
12312 | | static void |
12313 | 0 | notify_send_toaddr(void *arg) { |
12314 | 0 | dns_notify_t *notify = (dns_notify_t *)arg; |
12315 | 0 | isc_result_t result; |
12316 | 0 | dns_message_t *message = NULL; |
12317 | 0 | isc_netaddr_t dstip; |
12318 | 0 | dns_tsigkey_t *key = NULL; |
12319 | 0 | char addrbuf[ISC_SOCKADDR_FORMATSIZE]; |
12320 | 0 | isc_sockaddr_t src; |
12321 | 0 | unsigned int options, timeout, udptimeout; |
12322 | 0 | bool have_notifysource = false; |
12323 | |
|
12324 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
12325 | |
|
12326 | 0 | LOCK_ZONE(notify->zone); |
12327 | |
|
12328 | 0 | isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf)); |
12329 | |
|
12330 | 0 | if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0 || |
12331 | 0 | notify->rlevent->canceled || |
12332 | 0 | DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) || |
12333 | 0 | notify->zone->view->requestmgr == NULL || notify->zone->db == NULL) |
12334 | 0 | { |
12335 | 0 | result = ISC_R_CANCELED; |
12336 | 0 | goto cleanup; |
12337 | 0 | } |
12338 | | |
12339 | | /* |
12340 | | * The raw IPv4 address should also exist. Don't send to the |
12341 | | * mapped form. |
12342 | | */ |
12343 | 0 | if (isc_sockaddr_pf(¬ify->dst) == PF_INET6 && |
12344 | 0 | IN6_IS_ADDR_V4MAPPED(¬ify->dst.type.sin6.sin6_addr)) |
12345 | 0 | { |
12346 | 0 | notify_log(notify->zone, ISC_LOG_DEBUG(3), |
12347 | 0 | "notify: ignoring IPv6 mapped IPV4 address: %s", |
12348 | 0 | addrbuf); |
12349 | 0 | result = ISC_R_CANCELED; |
12350 | 0 | goto cleanup; |
12351 | 0 | } |
12352 | | |
12353 | 0 | result = notify_createmessage(notify->zone, notify->flags, &message); |
12354 | 0 | if (result != ISC_R_SUCCESS) { |
12355 | 0 | goto cleanup; |
12356 | 0 | } |
12357 | | |
12358 | 0 | if (notify->key != NULL) { |
12359 | | /* Transfer ownership of key */ |
12360 | 0 | key = notify->key; |
12361 | 0 | notify->key = NULL; |
12362 | 0 | } else { |
12363 | 0 | isc_netaddr_fromsockaddr(&dstip, ¬ify->dst); |
12364 | 0 | result = dns_view_getpeertsig(notify->zone->view, &dstip, &key); |
12365 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
12366 | 0 | notify_log(notify->zone, ISC_LOG_ERROR, |
12367 | 0 | "NOTIFY to %s not sent. " |
12368 | 0 | "Peer TSIG key lookup failure.", |
12369 | 0 | addrbuf); |
12370 | 0 | goto cleanup_message; |
12371 | 0 | } |
12372 | 0 | } |
12373 | | |
12374 | 0 | if (key != NULL) { |
12375 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
12376 | |
|
12377 | 0 | dns_name_format(key->name, namebuf, sizeof(namebuf)); |
12378 | 0 | notify_log(notify->zone, ISC_LOG_INFO, |
12379 | 0 | "sending notify to %s : TSIG (%s)", addrbuf, |
12380 | 0 | namebuf); |
12381 | 0 | } else { |
12382 | 0 | notify_log(notify->zone, ISC_LOG_INFO, "sending notify to %s", |
12383 | 0 | addrbuf); |
12384 | 0 | } |
12385 | 0 | options = 0; |
12386 | 0 | if (notify->zone->view->peers != NULL) { |
12387 | 0 | dns_peer_t *peer = NULL; |
12388 | 0 | bool usetcp = false; |
12389 | 0 | result = dns_peerlist_peerbyaddr(notify->zone->view->peers, |
12390 | 0 | &dstip, &peer); |
12391 | 0 | if (result == ISC_R_SUCCESS) { |
12392 | 0 | result = dns_peer_getnotifysource(peer, &src); |
12393 | 0 | if (result == ISC_R_SUCCESS) { |
12394 | 0 | have_notifysource = true; |
12395 | 0 | } |
12396 | 0 | result = dns_peer_getforcetcp(peer, &usetcp); |
12397 | 0 | if (result == ISC_R_SUCCESS && usetcp) { |
12398 | 0 | options |= DNS_FETCHOPT_TCP; |
12399 | 0 | } |
12400 | 0 | } |
12401 | 0 | } |
12402 | 0 | switch (isc_sockaddr_pf(¬ify->dst)) { |
12403 | 0 | case PF_INET: |
12404 | 0 | if (!have_notifysource) { |
12405 | 0 | isc_sockaddr_t any; |
12406 | 0 | isc_sockaddr_any(&any); |
12407 | |
|
12408 | 0 | src = notify->src; |
12409 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
12410 | 0 | src = notify->zone->notifysrc4; |
12411 | 0 | } |
12412 | 0 | } |
12413 | 0 | break; |
12414 | 0 | case PF_INET6: |
12415 | 0 | if (!have_notifysource) { |
12416 | 0 | isc_sockaddr_t any; |
12417 | 0 | isc_sockaddr_any6(&any); |
12418 | |
|
12419 | 0 | src = notify->src; |
12420 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
12421 | 0 | src = notify->zone->notifysrc6; |
12422 | 0 | } |
12423 | 0 | } |
12424 | 0 | break; |
12425 | 0 | default: |
12426 | 0 | result = ISC_R_NOTIMPLEMENTED; |
12427 | 0 | goto cleanup_key; |
12428 | 0 | } |
12429 | 0 | udptimeout = 5; |
12430 | 0 | if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY)) { |
12431 | 0 | udptimeout = 30; |
12432 | 0 | } |
12433 | 0 | timeout = 3 * udptimeout + 1; |
12434 | 0 | again: |
12435 | 0 | if ((notify->flags & DNS_NOTIFY_TCP) != 0) { |
12436 | 0 | options |= DNS_REQUESTOPT_TCP; |
12437 | 0 | udptimeout = 0; |
12438 | 0 | timeout = 15; |
12439 | 0 | } |
12440 | 0 | result = dns_request_create( |
12441 | 0 | notify->zone->view->requestmgr, message, &src, ¬ify->dst, |
12442 | 0 | NULL, NULL, options, key, timeout, udptimeout, 2, |
12443 | 0 | notify->zone->loop, notify_done, notify, ¬ify->request); |
12444 | 0 | if (result == ISC_R_SUCCESS) { |
12445 | 0 | if (isc_sockaddr_pf(¬ify->dst) == AF_INET) { |
12446 | 0 | inc_stats(notify->zone, |
12447 | 0 | dns_zonestatscounter_notifyoutv4); |
12448 | 0 | } else { |
12449 | 0 | inc_stats(notify->zone, |
12450 | 0 | dns_zonestatscounter_notifyoutv6); |
12451 | 0 | } |
12452 | 0 | } else if (result == ISC_R_SHUTTINGDOWN || result == ISC_R_CANCELED) { |
12453 | 0 | goto cleanup_key; |
12454 | 0 | } else if ((notify->flags & DNS_NOTIFY_TCP) == 0) { |
12455 | 0 | notify_log(notify->zone, ISC_LOG_NOTICE, |
12456 | 0 | "notify to %s failed: %s: retrying over TCP", |
12457 | 0 | addrbuf, isc_result_totext(result)); |
12458 | 0 | notify->flags |= DNS_NOTIFY_TCP; |
12459 | 0 | goto again; |
12460 | 0 | } |
12461 | | |
12462 | 0 | cleanup_key: |
12463 | 0 | if (key != NULL) { |
12464 | 0 | dns_tsigkey_detach(&key); |
12465 | 0 | } |
12466 | 0 | cleanup_message: |
12467 | 0 | dns_message_detach(&message); |
12468 | 0 | cleanup: |
12469 | 0 | UNLOCK_ZONE(notify->zone); |
12470 | 0 | if (notify->rlevent != NULL) { |
12471 | 0 | isc_rlevent_free(¬ify->rlevent); |
12472 | 0 | } |
12473 | |
|
12474 | 0 | if (result != ISC_R_SUCCESS) { |
12475 | 0 | isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf)); |
12476 | 0 | notify_log(notify->zone, ISC_LOG_WARNING, |
12477 | 0 | "notify to %s failed: %s", addrbuf, |
12478 | 0 | isc_result_totext(result)); |
12479 | 0 | notify_destroy(notify, false); |
12480 | 0 | } |
12481 | 0 | } |
12482 | | |
12483 | | static void |
12484 | 0 | notify_send(dns_notify_t *notify) { |
12485 | 0 | dns_adbaddrinfo_t *ai; |
12486 | 0 | isc_sockaddr_t dst; |
12487 | 0 | isc_result_t result; |
12488 | 0 | dns_notify_t *newnotify = NULL; |
12489 | 0 | unsigned int flags; |
12490 | 0 | bool startup; |
12491 | | |
12492 | | /* |
12493 | | * Zone lock held by caller. |
12494 | | */ |
12495 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
12496 | 0 | REQUIRE(LOCKED_ZONE(notify->zone)); |
12497 | |
|
12498 | 0 | if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING)) { |
12499 | 0 | return; |
12500 | 0 | } |
12501 | | |
12502 | 0 | for (ai = ISC_LIST_HEAD(notify->find->list); ai != NULL; |
12503 | 0 | ai = ISC_LIST_NEXT(ai, publink)) |
12504 | 0 | { |
12505 | 0 | dst = ai->sockaddr; |
12506 | 0 | if (notify_isqueued(notify->zone, notify->flags, NULL, &dst, |
12507 | 0 | NULL, NULL)) |
12508 | 0 | { |
12509 | 0 | continue; |
12510 | 0 | } |
12511 | 0 | if (notify_isself(notify->zone, &dst)) { |
12512 | 0 | continue; |
12513 | 0 | } |
12514 | 0 | newnotify = NULL; |
12515 | 0 | flags = notify->flags & DNS_NOTIFY_NOSOA; |
12516 | 0 | result = notify_create(notify->mctx, flags, &newnotify); |
12517 | 0 | if (result != ISC_R_SUCCESS) { |
12518 | 0 | goto cleanup; |
12519 | 0 | } |
12520 | 0 | zone_iattach(notify->zone, &newnotify->zone); |
12521 | 0 | ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link); |
12522 | 0 | newnotify->dst = dst; |
12523 | 0 | if (isc_sockaddr_pf(&dst) == AF_INET6) { |
12524 | 0 | isc_sockaddr_any6(&newnotify->src); |
12525 | 0 | } |
12526 | 0 | startup = ((notify->flags & DNS_NOTIFY_STARTUP) != 0); |
12527 | 0 | result = notify_send_queue(newnotify, startup); |
12528 | 0 | if (result != ISC_R_SUCCESS) { |
12529 | 0 | goto cleanup; |
12530 | 0 | } |
12531 | 0 | newnotify = NULL; |
12532 | 0 | } |
12533 | | |
12534 | 0 | cleanup: |
12535 | 0 | if (newnotify != NULL) { |
12536 | 0 | notify_destroy(newnotify, true); |
12537 | 0 | } |
12538 | 0 | } |
12539 | | |
12540 | | void |
12541 | 0 | dns_zone_notify(dns_zone_t *zone) { |
12542 | 0 | isc_time_t now; |
12543 | |
|
12544 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12545 | |
|
12546 | 0 | LOCK_ZONE(zone); |
12547 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
12548 | |
|
12549 | 0 | now = isc_time_now(); |
12550 | 0 | zone_settimer(zone, &now); |
12551 | 0 | UNLOCK_ZONE(zone); |
12552 | 0 | } |
12553 | | |
12554 | | static void |
12555 | 0 | zone_notify(dns_zone_t *zone, isc_time_t *now) { |
12556 | 0 | dns_dbnode_t *node = NULL; |
12557 | 0 | dns_db_t *zonedb = NULL; |
12558 | 0 | dns_dbversion_t *version = NULL; |
12559 | 0 | dns_name_t *origin = NULL; |
12560 | 0 | dns_name_t primary; |
12561 | 0 | dns_rdata_ns_t ns; |
12562 | 0 | dns_rdata_soa_t soa; |
12563 | 0 | uint32_t serial; |
12564 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
12565 | 0 | dns_rdataset_t nsrdset; |
12566 | 0 | dns_rdataset_t soardset; |
12567 | 0 | isc_result_t result; |
12568 | 0 | isc_sockaddr_t src; |
12569 | 0 | isc_sockaddr_t dst; |
12570 | 0 | bool isqueued; |
12571 | 0 | dns_notifytype_t notifytype; |
12572 | 0 | unsigned int flags = 0; |
12573 | 0 | bool loggednotify = false; |
12574 | 0 | bool startup; |
12575 | |
|
12576 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
12577 | |
|
12578 | 0 | LOCK_ZONE(zone); |
12579 | 0 | startup = !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
12580 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
12581 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY); |
12582 | 0 | notifytype = zone->notifytype; |
12583 | 0 | DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime); |
12584 | 0 | UNLOCK_ZONE(zone); |
12585 | |
|
12586 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || |
12587 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) |
12588 | 0 | { |
12589 | 0 | return; |
12590 | 0 | } |
12591 | | |
12592 | 0 | if (notifytype == dns_notifytype_no) { |
12593 | 0 | return; |
12594 | 0 | } |
12595 | | |
12596 | 0 | if (notifytype == dns_notifytype_masteronly && |
12597 | 0 | zone->type != dns_zone_primary) |
12598 | 0 | { |
12599 | 0 | return; |
12600 | 0 | } |
12601 | | |
12602 | 0 | origin = &zone->origin; |
12603 | | |
12604 | | /* |
12605 | | * If the zone is dialup we are done as we don't want to send |
12606 | | * the current soa so as to force a refresh query. |
12607 | | */ |
12608 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) { |
12609 | 0 | flags |= DNS_NOTIFY_NOSOA; |
12610 | 0 | } |
12611 | | |
12612 | | /* |
12613 | | * Record that this was a notify due to starting up. |
12614 | | */ |
12615 | 0 | if (startup) { |
12616 | 0 | flags |= DNS_NOTIFY_STARTUP; |
12617 | 0 | } |
12618 | | |
12619 | | /* |
12620 | | * Get SOA RRset. |
12621 | | */ |
12622 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
12623 | 0 | if (zone->db != NULL) { |
12624 | 0 | dns_db_attach(zone->db, &zonedb); |
12625 | 0 | } |
12626 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
12627 | 0 | if (zonedb == NULL) { |
12628 | 0 | return; |
12629 | 0 | } |
12630 | 0 | dns_db_currentversion(zonedb, &version); |
12631 | 0 | result = dns_db_findnode(zonedb, origin, false, &node); |
12632 | 0 | if (result != ISC_R_SUCCESS) { |
12633 | 0 | goto cleanup1; |
12634 | 0 | } |
12635 | | |
12636 | 0 | dns_rdataset_init(&soardset); |
12637 | 0 | result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa, |
12638 | 0 | dns_rdatatype_none, 0, &soardset, NULL); |
12639 | 0 | if (result != ISC_R_SUCCESS) { |
12640 | 0 | goto cleanup2; |
12641 | 0 | } |
12642 | | |
12643 | | /* |
12644 | | * Find serial and primary server's name. |
12645 | | */ |
12646 | 0 | dns_name_init(&primary, NULL); |
12647 | 0 | result = dns_rdataset_first(&soardset); |
12648 | 0 | if (result != ISC_R_SUCCESS) { |
12649 | 0 | goto cleanup3; |
12650 | 0 | } |
12651 | 0 | dns_rdataset_current(&soardset, &rdata); |
12652 | 0 | result = dns_rdata_tostruct(&rdata, &soa, NULL); |
12653 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
12654 | 0 | dns_rdata_reset(&rdata); |
12655 | 0 | dns_name_dup(&soa.origin, zone->mctx, &primary); |
12656 | 0 | serial = soa.serial; |
12657 | 0 | dns_rdataset_disassociate(&soardset); |
12658 | | |
12659 | | /* |
12660 | | * Enqueue notify requests for 'also-notify' servers. |
12661 | | */ |
12662 | 0 | LOCK_ZONE(zone); |
12663 | |
|
12664 | 0 | dns_remote_reset(&zone->notify, false); |
12665 | 0 | while (!dns_remote_done(&zone->notify)) { |
12666 | 0 | dns_tsigkey_t *key = NULL; |
12667 | 0 | dns_transport_t *transport = NULL; |
12668 | 0 | dns_notify_t *notify = NULL; |
12669 | 0 | dns_view_t *view = dns_zone_getview(zone); |
12670 | |
|
12671 | 0 | if (dns_remote_keyname(&zone->notify) != NULL) { |
12672 | 0 | dns_name_t *keyname = dns_remote_keyname(&zone->notify); |
12673 | 0 | (void)dns_view_gettsig(view, keyname, &key); |
12674 | 0 | } |
12675 | |
|
12676 | 0 | if (dns_remote_tlsname(&zone->notify) != NULL) { |
12677 | 0 | dns_name_t *tlsname = dns_remote_tlsname(&zone->notify); |
12678 | 0 | (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS, |
12679 | 0 | tlsname, &transport); |
12680 | |
|
12681 | 0 | dns_zone_logc( |
12682 | 0 | zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, |
12683 | 0 | "got TLS configuration for zone transfer"); |
12684 | 0 | } |
12685 | | |
12686 | | /* TODO: glue the transport to the notify */ |
12687 | |
|
12688 | 0 | dst = dns_remote_curraddr(&zone->notify); |
12689 | 0 | src = dns_remote_sourceaddr(&zone->notify); |
12690 | 0 | INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst)); |
12691 | |
|
12692 | 0 | if (isc_sockaddr_disabled(&dst)) { |
12693 | 0 | goto next; |
12694 | 0 | } |
12695 | | |
12696 | 0 | if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) { |
12697 | 0 | if (key != NULL) { |
12698 | 0 | dns_tsigkey_detach(&key); |
12699 | 0 | } |
12700 | 0 | if (transport != NULL) { |
12701 | 0 | dns_transport_detach(&transport); |
12702 | 0 | } |
12703 | 0 | goto next; |
12704 | 0 | } |
12705 | | |
12706 | 0 | result = notify_create(zone->mctx, flags, ¬ify); |
12707 | 0 | if (result != ISC_R_SUCCESS) { |
12708 | 0 | if (key != NULL) { |
12709 | 0 | dns_tsigkey_detach(&key); |
12710 | 0 | } |
12711 | 0 | if (transport != NULL) { |
12712 | 0 | dns_transport_detach(&transport); |
12713 | 0 | } |
12714 | 0 | goto next; |
12715 | 0 | } |
12716 | | |
12717 | 0 | zone_iattach(zone, ¬ify->zone); |
12718 | 0 | notify->src = src; |
12719 | 0 | notify->dst = dst; |
12720 | |
|
12721 | 0 | INSIST(notify->key == NULL); |
12722 | |
|
12723 | 0 | if (key != NULL) { |
12724 | 0 | notify->key = key; |
12725 | 0 | key = NULL; |
12726 | 0 | } |
12727 | |
|
12728 | 0 | INSIST(notify->transport == NULL); |
12729 | 0 | if (transport != NULL) { |
12730 | 0 | notify->transport = transport; |
12731 | 0 | transport = NULL; |
12732 | 0 | } |
12733 | |
|
12734 | 0 | ISC_LIST_APPEND(zone->notifies, notify, link); |
12735 | 0 | result = notify_send_queue(notify, startup); |
12736 | 0 | if (result != ISC_R_SUCCESS) { |
12737 | 0 | notify_destroy(notify, true); |
12738 | 0 | } |
12739 | 0 | if (!loggednotify) { |
12740 | 0 | notify_log(zone, ISC_LOG_INFO, |
12741 | 0 | "sending notifies (serial %u)", serial); |
12742 | 0 | loggednotify = true; |
12743 | 0 | } |
12744 | 0 | next: |
12745 | 0 | dns_remote_next(&zone->notify, false); |
12746 | 0 | } |
12747 | 0 | UNLOCK_ZONE(zone); |
12748 | |
|
12749 | 0 | if (notifytype == dns_notifytype_explicit) { |
12750 | 0 | goto cleanup3; |
12751 | 0 | } |
12752 | | |
12753 | | /* |
12754 | | * Process NS RRset to generate notifies. |
12755 | | */ |
12756 | | |
12757 | 0 | dns_rdataset_init(&nsrdset); |
12758 | 0 | result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns, |
12759 | 0 | dns_rdatatype_none, 0, &nsrdset, NULL); |
12760 | 0 | if (result != ISC_R_SUCCESS) { |
12761 | 0 | goto cleanup3; |
12762 | 0 | } |
12763 | | |
12764 | 0 | result = dns_rdataset_first(&nsrdset); |
12765 | 0 | while (result == ISC_R_SUCCESS) { |
12766 | 0 | dns_notify_t *notify = NULL; |
12767 | |
|
12768 | 0 | dns_rdataset_current(&nsrdset, &rdata); |
12769 | 0 | result = dns_rdata_tostruct(&rdata, &ns, NULL); |
12770 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
12771 | 0 | dns_rdata_reset(&rdata); |
12772 | | /* |
12773 | | * Don't notify the primary server unless explicitly |
12774 | | * configured to do so. |
12775 | | */ |
12776 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) && |
12777 | 0 | dns_name_compare(&primary, &ns.name) == 0) |
12778 | 0 | { |
12779 | 0 | result = dns_rdataset_next(&nsrdset); |
12780 | 0 | continue; |
12781 | 0 | } |
12782 | | |
12783 | 0 | if (!loggednotify) { |
12784 | 0 | notify_log(zone, ISC_LOG_INFO, |
12785 | 0 | "sending notifies (serial %u)", serial); |
12786 | 0 | loggednotify = true; |
12787 | 0 | } |
12788 | |
|
12789 | 0 | LOCK_ZONE(zone); |
12790 | 0 | isqueued = notify_isqueued(zone, flags, &ns.name, NULL, NULL, |
12791 | 0 | NULL); |
12792 | 0 | UNLOCK_ZONE(zone); |
12793 | 0 | if (isqueued) { |
12794 | 0 | result = dns_rdataset_next(&nsrdset); |
12795 | 0 | continue; |
12796 | 0 | } |
12797 | 0 | result = notify_create(zone->mctx, flags, ¬ify); |
12798 | 0 | if (result != ISC_R_SUCCESS) { |
12799 | 0 | continue; |
12800 | 0 | } |
12801 | 0 | dns_zone_iattach(zone, ¬ify->zone); |
12802 | 0 | dns_name_dup(&ns.name, zone->mctx, ¬ify->ns); |
12803 | 0 | LOCK_ZONE(zone); |
12804 | 0 | ISC_LIST_APPEND(zone->notifies, notify, link); |
12805 | 0 | UNLOCK_ZONE(zone); |
12806 | 0 | notify_find_address(notify); |
12807 | 0 | result = dns_rdataset_next(&nsrdset); |
12808 | 0 | } |
12809 | 0 | dns_rdataset_disassociate(&nsrdset); |
12810 | |
|
12811 | 0 | cleanup3: |
12812 | 0 | if (dns_name_dynamic(&primary)) { |
12813 | 0 | dns_name_free(&primary, zone->mctx); |
12814 | 0 | } |
12815 | 0 | cleanup2: |
12816 | 0 | dns_db_detachnode(zonedb, &node); |
12817 | 0 | cleanup1: |
12818 | 0 | dns_db_closeversion(zonedb, &version, false); |
12819 | 0 | dns_db_detach(&zonedb); |
12820 | 0 | } |
12821 | | |
12822 | | /*** |
12823 | | *** Private |
12824 | | ***/ |
12825 | | static void |
12826 | | create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name, |
12827 | 0 | dns_message_t **messagep) { |
12828 | 0 | dns_message_t *message = NULL; |
12829 | 0 | dns_name_t *qname = NULL; |
12830 | 0 | dns_rdataset_t *qrdataset = NULL; |
12831 | |
|
12832 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER, |
12833 | 0 | &message); |
12834 | |
|
12835 | 0 | message->opcode = dns_opcode_query; |
12836 | 0 | message->rdclass = zone->rdclass; |
12837 | |
|
12838 | 0 | dns_message_gettempname(message, &qname); |
12839 | |
|
12840 | 0 | dns_message_gettemprdataset(message, &qrdataset); |
12841 | | |
12842 | | /* |
12843 | | * Make question. |
12844 | | */ |
12845 | 0 | dns_name_clone(name, qname); |
12846 | 0 | dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype); |
12847 | 0 | ISC_LIST_APPEND(qname->list, qrdataset, link); |
12848 | 0 | dns_message_addname(message, qname, DNS_SECTION_QUESTION); |
12849 | |
|
12850 | 0 | *messagep = message; |
12851 | 0 | } |
12852 | | |
12853 | | static isc_result_t |
12854 | | add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid, |
12855 | 0 | bool reqexpire) { |
12856 | 0 | isc_result_t result; |
12857 | 0 | dns_rdataset_t *rdataset = NULL; |
12858 | 0 | dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS]; |
12859 | 0 | int count = 0; |
12860 | | |
12861 | | /* Set EDNS options if applicable. */ |
12862 | 0 | if (reqnsid) { |
12863 | 0 | INSIST(count < DNS_EDNSOPTIONS); |
12864 | 0 | ednsopts[count].code = DNS_OPT_NSID; |
12865 | 0 | ednsopts[count].length = 0; |
12866 | 0 | ednsopts[count].value = NULL; |
12867 | 0 | count++; |
12868 | 0 | } |
12869 | 0 | if (reqexpire) { |
12870 | 0 | INSIST(count < DNS_EDNSOPTIONS); |
12871 | 0 | ednsopts[count].code = DNS_OPT_EXPIRE; |
12872 | 0 | ednsopts[count].length = 0; |
12873 | 0 | ednsopts[count].value = NULL; |
12874 | 0 | count++; |
12875 | 0 | } |
12876 | 0 | result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0, |
12877 | 0 | ednsopts, count); |
12878 | 0 | if (result != ISC_R_SUCCESS) { |
12879 | 0 | return (result); |
12880 | 0 | } |
12881 | | |
12882 | 0 | return (dns_message_setopt(message, rdataset)); |
12883 | 0 | } |
12884 | | |
12885 | | /* |
12886 | | * Called when stub zone update is finished. |
12887 | | * Update zone refresh, retry, expire values accordingly with |
12888 | | * SOA received from primary, sync database to file, restart |
12889 | | * zone management timer. |
12890 | | */ |
12891 | | static void |
12892 | 0 | stub_finish_zone_update(dns_stub_t *stub, isc_time_t now) { |
12893 | 0 | uint32_t refresh, retry, expire; |
12894 | 0 | isc_result_t result; |
12895 | 0 | isc_interval_t i; |
12896 | 0 | unsigned int soacount; |
12897 | 0 | dns_zone_t *zone = stub->zone; |
12898 | | |
12899 | | /* |
12900 | | * Tidy up. |
12901 | | */ |
12902 | 0 | dns_db_closeversion(stub->db, &stub->version, true); |
12903 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
12904 | 0 | if (zone->db == NULL) { |
12905 | 0 | zone_attachdb(zone, stub->db); |
12906 | 0 | } |
12907 | 0 | result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, NULL, |
12908 | 0 | &refresh, &retry, &expire, NULL, NULL); |
12909 | 0 | if (result == ISC_R_SUCCESS && soacount > 0U) { |
12910 | 0 | zone->refresh = RANGE(refresh, zone->minrefresh, |
12911 | 0 | zone->maxrefresh); |
12912 | 0 | zone->retry = RANGE(retry, zone->minretry, zone->maxretry); |
12913 | 0 | zone->expire = RANGE(expire, zone->refresh + zone->retry, |
12914 | 0 | DNS_MAX_EXPIRE); |
12915 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
12916 | 0 | } |
12917 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
12918 | 0 | dns_db_detach(&stub->db); |
12919 | |
|
12920 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
12921 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); |
12922 | 0 | DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); |
12923 | 0 | isc_interval_set(&i, zone->expire, 0); |
12924 | 0 | DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime); |
12925 | |
|
12926 | 0 | if (zone->masterfile != NULL) { |
12927 | 0 | zone_needdump(zone, 0); |
12928 | 0 | } |
12929 | |
|
12930 | 0 | zone_settimer(zone, &now); |
12931 | 0 | } |
12932 | | |
12933 | | /* |
12934 | | * Process answers for A and AAAA queries when |
12935 | | * resolving nameserver addresses for which glue |
12936 | | * was missing in a previous answer for a NS query. |
12937 | | */ |
12938 | | static void |
12939 | 0 | stub_glue_response(void *arg) { |
12940 | 0 | dns_request_t *request = (dns_request_t *)arg; |
12941 | 0 | struct stub_glue_request *sgr = dns_request_getarg(request); |
12942 | 0 | struct stub_cb_args *cb_args = sgr->args; |
12943 | 0 | dns_stub_t *stub = cb_args->stub; |
12944 | 0 | dns_message_t *msg = NULL; |
12945 | 0 | dns_zone_t *zone = NULL; |
12946 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
12947 | 0 | char source[ISC_SOCKADDR_FORMATSIZE]; |
12948 | 0 | uint32_t addr_count, cnamecnt; |
12949 | 0 | isc_result_t result; |
12950 | 0 | isc_sockaddr_t curraddr; |
12951 | 0 | isc_time_t now; |
12952 | 0 | dns_rdataset_t *addr_rdataset = NULL; |
12953 | 0 | dns_dbnode_t *node = NULL; |
12954 | |
|
12955 | 0 | INSIST(DNS_STUB_VALID(stub)); |
12956 | |
|
12957 | 0 | zone = stub->zone; |
12958 | |
|
12959 | 0 | ENTER; |
12960 | |
|
12961 | 0 | now = isc_time_now(); |
12962 | |
|
12963 | 0 | LOCK_ZONE(zone); |
12964 | |
|
12965 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
12966 | 0 | zone_debuglog(zone, __func__, 1, "exiting"); |
12967 | 0 | goto cleanup; |
12968 | 0 | } |
12969 | | |
12970 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
12971 | 0 | isc_sockaddr_format(&curraddr, primary, sizeof(primary)); |
12972 | 0 | isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source)); |
12973 | |
|
12974 | 0 | if (dns_request_getresult(request) != ISC_R_SUCCESS) { |
12975 | 0 | dns_zonemgr_unreachableadd(zone->zmgr, &curraddr, |
12976 | 0 | &zone->sourceaddr, &now); |
12977 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
12978 | 0 | "could not refresh stub from primary %s" |
12979 | 0 | " (source %s): %s", |
12980 | 0 | primary, source, |
12981 | 0 | isc_result_totext(dns_request_getresult(request))); |
12982 | 0 | goto cleanup; |
12983 | 0 | } |
12984 | | |
12985 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE, |
12986 | 0 | &msg); |
12987 | 0 | result = dns_request_getresponse(request, msg, 0); |
12988 | 0 | if (result != ISC_R_SUCCESS) { |
12989 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
12990 | 0 | "refreshing stub: unable to parse response (%s)", |
12991 | 0 | isc_result_totext(result)); |
12992 | 0 | goto cleanup; |
12993 | 0 | } |
12994 | | |
12995 | | /* |
12996 | | * Unexpected opcode. |
12997 | | */ |
12998 | 0 | if (msg->opcode != dns_opcode_query) { |
12999 | 0 | char opcode[128]; |
13000 | 0 | isc_buffer_t rb; |
13001 | |
|
13002 | 0 | isc_buffer_init(&rb, opcode, sizeof(opcode)); |
13003 | 0 | (void)dns_opcode_totext(msg->opcode, &rb); |
13004 | |
|
13005 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13006 | 0 | "refreshing stub: " |
13007 | 0 | "unexpected opcode (%.*s) from %s (source %s)", |
13008 | 0 | (int)rb.used, opcode, primary, source); |
13009 | 0 | goto cleanup; |
13010 | 0 | } |
13011 | | |
13012 | | /* |
13013 | | * Unexpected rcode. |
13014 | | */ |
13015 | 0 | if (msg->rcode != dns_rcode_noerror) { |
13016 | 0 | char rcode[128]; |
13017 | 0 | isc_buffer_t rb; |
13018 | |
|
13019 | 0 | isc_buffer_init(&rb, rcode, sizeof(rcode)); |
13020 | 0 | (void)dns_rcode_totext(msg->rcode, &rb); |
13021 | |
|
13022 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13023 | 0 | "refreshing stub: " |
13024 | 0 | "unexpected rcode (%.*s) from %s (source %s)", |
13025 | 0 | (int)rb.used, rcode, primary, source); |
13026 | 0 | goto cleanup; |
13027 | 0 | } |
13028 | | |
13029 | | /* |
13030 | | * We need complete messages. |
13031 | | */ |
13032 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) { |
13033 | 0 | if (dns_request_usedtcp(request)) { |
13034 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13035 | 0 | "refreshing stub: truncated TCP " |
13036 | 0 | "response from primary %s (source %s)", |
13037 | 0 | primary, source); |
13038 | 0 | } |
13039 | 0 | goto cleanup; |
13040 | 0 | } |
13041 | | |
13042 | | /* |
13043 | | * If non-auth log. |
13044 | | */ |
13045 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) { |
13046 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13047 | 0 | "refreshing stub: " |
13048 | 0 | "non-authoritative answer from " |
13049 | 0 | "primary %s (source %s)", |
13050 | 0 | primary, source); |
13051 | 0 | goto cleanup; |
13052 | 0 | } |
13053 | | |
13054 | | /* |
13055 | | * Sanity checks. |
13056 | | */ |
13057 | 0 | cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname); |
13058 | 0 | addr_count = message_count(msg, DNS_SECTION_ANSWER, |
13059 | 0 | sgr->ipv4 ? dns_rdatatype_a |
13060 | 0 | : dns_rdatatype_aaaa); |
13061 | |
|
13062 | 0 | if (cnamecnt != 0) { |
13063 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13064 | 0 | "refreshing stub: unexpected CNAME response " |
13065 | 0 | "from primary %s (source %s)", |
13066 | 0 | primary, source); |
13067 | 0 | goto cleanup; |
13068 | 0 | } |
13069 | | |
13070 | 0 | if (addr_count == 0) { |
13071 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13072 | 0 | "refreshing stub: no %s records in response " |
13073 | 0 | "from primary %s (source %s)", |
13074 | 0 | sgr->ipv4 ? "A" : "AAAA", primary, source); |
13075 | 0 | goto cleanup; |
13076 | 0 | } |
13077 | | /* |
13078 | | * Extract A or AAAA RRset from message. |
13079 | | */ |
13080 | 0 | result = dns_message_findname(msg, DNS_SECTION_ANSWER, &sgr->name, |
13081 | 0 | sgr->ipv4 ? dns_rdatatype_a |
13082 | 0 | : dns_rdatatype_aaaa, |
13083 | 0 | dns_rdatatype_none, NULL, &addr_rdataset); |
13084 | 0 | if (result != ISC_R_SUCCESS) { |
13085 | 0 | if (result != DNS_R_NXDOMAIN && result != DNS_R_NXRRSET) { |
13086 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
13087 | 0 | dns_name_format(&sgr->name, namebuf, sizeof(namebuf)); |
13088 | 0 | dns_zone_log( |
13089 | 0 | zone, ISC_LOG_INFO, |
13090 | 0 | "refreshing stub: dns_message_findname(%s/%s) " |
13091 | 0 | "failed (%s)", |
13092 | 0 | namebuf, sgr->ipv4 ? "A" : "AAAA", |
13093 | 0 | isc_result_totext(result)); |
13094 | 0 | } |
13095 | 0 | goto cleanup; |
13096 | 0 | } |
13097 | | |
13098 | 0 | result = dns_db_findnode(stub->db, &sgr->name, true, &node); |
13099 | 0 | if (result != ISC_R_SUCCESS) { |
13100 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13101 | 0 | "refreshing stub: " |
13102 | 0 | "dns_db_findnode() failed: %s", |
13103 | 0 | isc_result_totext(result)); |
13104 | 0 | goto cleanup; |
13105 | 0 | } |
13106 | | |
13107 | 0 | result = dns_db_addrdataset(stub->db, node, stub->version, 0, |
13108 | 0 | addr_rdataset, 0, NULL); |
13109 | 0 | if (result != ISC_R_SUCCESS) { |
13110 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13111 | 0 | "refreshing stub: " |
13112 | 0 | "dns_db_addrdataset() failed: %s", |
13113 | 0 | isc_result_totext(result)); |
13114 | 0 | } |
13115 | 0 | dns_db_detachnode(stub->db, &node); |
13116 | |
|
13117 | 0 | cleanup: |
13118 | 0 | if (msg != NULL) { |
13119 | 0 | dns_message_detach(&msg); |
13120 | 0 | } |
13121 | |
|
13122 | 0 | dns_name_free(&sgr->name, zone->mctx); |
13123 | 0 | dns_request_destroy(&sgr->request); |
13124 | 0 | isc_mem_put(zone->mctx, sgr, sizeof(*sgr)); |
13125 | | |
13126 | | /* If last request, release all related resources */ |
13127 | 0 | if (atomic_fetch_sub_release(&stub->pending_requests, 1) == 1) { |
13128 | 0 | isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args)); |
13129 | 0 | stub_finish_zone_update(stub, now); |
13130 | 0 | UNLOCK_ZONE(zone); |
13131 | 0 | stub->magic = 0; |
13132 | 0 | dns_zone_idetach(&stub->zone); |
13133 | 0 | INSIST(stub->db == NULL); |
13134 | 0 | INSIST(stub->version == NULL); |
13135 | 0 | isc_mem_put(stub->mctx, stub, sizeof(*stub)); |
13136 | 0 | } else { |
13137 | 0 | UNLOCK_ZONE(zone); |
13138 | 0 | } |
13139 | 0 | } |
13140 | | |
13141 | | /* |
13142 | | * Create and send an A or AAAA query to the primary |
13143 | | * server of the stub zone given. |
13144 | | */ |
13145 | | static isc_result_t |
13146 | | stub_request_nameserver_address(struct stub_cb_args *args, bool ipv4, |
13147 | 0 | const dns_name_t *name) { |
13148 | 0 | dns_message_t *message = NULL; |
13149 | 0 | dns_zone_t *zone; |
13150 | 0 | isc_result_t result; |
13151 | 0 | struct stub_glue_request *sgr; |
13152 | 0 | isc_sockaddr_t curraddr; |
13153 | |
|
13154 | 0 | zone = args->stub->zone; |
13155 | 0 | sgr = isc_mem_get(zone->mctx, sizeof(*sgr)); |
13156 | 0 | *sgr = (struct stub_glue_request){ |
13157 | 0 | .args = args, |
13158 | 0 | .name = (dns_name_t)DNS_NAME_INITEMPTY, |
13159 | 0 | .ipv4 = ipv4, |
13160 | 0 | }; |
13161 | |
|
13162 | 0 | dns_name_dup(name, zone->mctx, &sgr->name); |
13163 | |
|
13164 | 0 | create_query(zone, ipv4 ? dns_rdatatype_a : dns_rdatatype_aaaa, |
13165 | 0 | &sgr->name, &message); |
13166 | |
|
13167 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) { |
13168 | 0 | result = add_opt(message, args->udpsize, args->reqnsid, false); |
13169 | 0 | if (result != ISC_R_SUCCESS) { |
13170 | 0 | zone_debuglog(zone, __func__, 1, |
13171 | 0 | "unable to add opt record: %s", |
13172 | 0 | isc_result_totext(result)); |
13173 | 0 | goto fail; |
13174 | 0 | } |
13175 | 0 | } |
13176 | | |
13177 | 0 | atomic_fetch_add_release(&args->stub->pending_requests, 1); |
13178 | |
|
13179 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
13180 | 0 | result = dns_request_create( |
13181 | 0 | zone->view->requestmgr, message, &zone->sourceaddr, &curraddr, |
13182 | 0 | NULL, NULL, DNS_REQUESTOPT_TCP, args->tsig_key, |
13183 | 0 | args->timeout * 3, args->timeout, 2, zone->loop, |
13184 | 0 | stub_glue_response, sgr, &sgr->request); |
13185 | |
|
13186 | 0 | if (result != ISC_R_SUCCESS) { |
13187 | 0 | uint_fast32_t pr; |
13188 | 0 | pr = atomic_fetch_sub_release(&args->stub->pending_requests, 1); |
13189 | 0 | INSIST(pr > 1); |
13190 | 0 | zone_debuglog(zone, __func__, 1, |
13191 | 0 | "dns_request_create() failed: %s", |
13192 | 0 | isc_result_totext(result)); |
13193 | 0 | goto fail; |
13194 | 0 | } |
13195 | | |
13196 | 0 | dns_message_detach(&message); |
13197 | |
|
13198 | 0 | return (ISC_R_SUCCESS); |
13199 | | |
13200 | 0 | fail: |
13201 | 0 | dns_name_free(&sgr->name, zone->mctx); |
13202 | 0 | isc_mem_put(zone->mctx, sgr, sizeof(*sgr)); |
13203 | |
|
13204 | 0 | if (message != NULL) { |
13205 | 0 | dns_message_detach(&message); |
13206 | 0 | } |
13207 | |
|
13208 | 0 | return (result); |
13209 | 0 | } |
13210 | | |
13211 | | static isc_result_t |
13212 | | save_nsrrset(dns_message_t *message, dns_name_t *name, |
13213 | | struct stub_cb_args *cb_args, dns_db_t *db, |
13214 | 0 | dns_dbversion_t *version) { |
13215 | 0 | dns_rdataset_t *nsrdataset = NULL; |
13216 | 0 | dns_rdataset_t *rdataset = NULL; |
13217 | 0 | dns_dbnode_t *node = NULL; |
13218 | 0 | dns_rdata_ns_t ns; |
13219 | 0 | isc_result_t result; |
13220 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
13221 | 0 | bool has_glue = false; |
13222 | 0 | dns_name_t *ns_name; |
13223 | | /* |
13224 | | * List of NS entries in answer, keep names that will be used |
13225 | | * to resolve missing A/AAAA glue for each entry. |
13226 | | */ |
13227 | 0 | dns_namelist_t ns_list; |
13228 | 0 | ISC_LIST_INIT(ns_list); |
13229 | | |
13230 | | /* |
13231 | | * Extract NS RRset from message. |
13232 | | */ |
13233 | 0 | result = dns_message_findname(message, DNS_SECTION_ANSWER, name, |
13234 | 0 | dns_rdatatype_ns, dns_rdatatype_none, |
13235 | 0 | NULL, &nsrdataset); |
13236 | 0 | if (result != ISC_R_SUCCESS) { |
13237 | 0 | goto done; |
13238 | 0 | } |
13239 | | |
13240 | | /* |
13241 | | * Add NS rdataset. |
13242 | | */ |
13243 | 0 | result = dns_db_findnode(db, name, true, &node); |
13244 | 0 | if (result != ISC_R_SUCCESS) { |
13245 | 0 | goto done; |
13246 | 0 | } |
13247 | 0 | result = dns_db_addrdataset(db, node, version, 0, nsrdataset, 0, NULL); |
13248 | 0 | dns_db_detachnode(db, &node); |
13249 | 0 | if (result != ISC_R_SUCCESS) { |
13250 | 0 | goto done; |
13251 | 0 | } |
13252 | | /* |
13253 | | * Add glue rdatasets. |
13254 | | */ |
13255 | 0 | for (result = dns_rdataset_first(nsrdataset); result == ISC_R_SUCCESS; |
13256 | 0 | result = dns_rdataset_next(nsrdataset)) |
13257 | 0 | { |
13258 | 0 | dns_rdataset_current(nsrdataset, &rdata); |
13259 | 0 | result = dns_rdata_tostruct(&rdata, &ns, NULL); |
13260 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
13261 | 0 | dns_rdata_reset(&rdata); |
13262 | |
|
13263 | 0 | if (!dns_name_issubdomain(&ns.name, name)) { |
13264 | 0 | continue; |
13265 | 0 | } |
13266 | 0 | rdataset = NULL; |
13267 | 0 | result = dns_message_findname(message, DNS_SECTION_ADDITIONAL, |
13268 | 0 | &ns.name, dns_rdatatype_aaaa, |
13269 | 0 | dns_rdatatype_none, NULL, |
13270 | 0 | &rdataset); |
13271 | 0 | if (result == ISC_R_SUCCESS) { |
13272 | 0 | has_glue = true; |
13273 | 0 | result = dns_db_findnode(db, &ns.name, true, &node); |
13274 | 0 | if (result != ISC_R_SUCCESS) { |
13275 | 0 | goto done; |
13276 | 0 | } |
13277 | 0 | result = dns_db_addrdataset(db, node, version, 0, |
13278 | 0 | rdataset, 0, NULL); |
13279 | 0 | dns_db_detachnode(db, &node); |
13280 | 0 | if (result != ISC_R_SUCCESS) { |
13281 | 0 | goto done; |
13282 | 0 | } |
13283 | 0 | } |
13284 | | |
13285 | 0 | rdataset = NULL; |
13286 | 0 | result = dns_message_findname( |
13287 | 0 | message, DNS_SECTION_ADDITIONAL, &ns.name, |
13288 | 0 | dns_rdatatype_a, dns_rdatatype_none, NULL, &rdataset); |
13289 | 0 | if (result == ISC_R_SUCCESS) { |
13290 | 0 | has_glue = true; |
13291 | 0 | result = dns_db_findnode(db, &ns.name, true, &node); |
13292 | 0 | if (result != ISC_R_SUCCESS) { |
13293 | 0 | goto done; |
13294 | 0 | } |
13295 | 0 | result = dns_db_addrdataset(db, node, version, 0, |
13296 | 0 | rdataset, 0, NULL); |
13297 | 0 | dns_db_detachnode(db, &node); |
13298 | 0 | if (result != ISC_R_SUCCESS) { |
13299 | 0 | goto done; |
13300 | 0 | } |
13301 | 0 | } |
13302 | | |
13303 | | /* |
13304 | | * If no glue is found so far, we add the name to the list to |
13305 | | * resolve the A/AAAA glue later. If any glue is found in any |
13306 | | * iteration step, this list will be discarded and only the glue |
13307 | | * provided in this message will be used. |
13308 | | */ |
13309 | 0 | if (!has_glue && dns_name_issubdomain(&ns.name, name)) { |
13310 | 0 | dns_name_t *tmp_name; |
13311 | 0 | tmp_name = isc_mem_get(cb_args->stub->mctx, |
13312 | 0 | sizeof(*tmp_name)); |
13313 | 0 | dns_name_init(tmp_name, NULL); |
13314 | 0 | dns_name_dup(&ns.name, cb_args->stub->mctx, tmp_name); |
13315 | 0 | ISC_LIST_APPEND(ns_list, tmp_name, link); |
13316 | 0 | } |
13317 | 0 | } |
13318 | | |
13319 | 0 | if (result != ISC_R_NOMORE) { |
13320 | 0 | goto done; |
13321 | 0 | } |
13322 | | |
13323 | | /* |
13324 | | * If no glue records were found, we attempt to resolve A/AAAA |
13325 | | * for each NS entry found in the answer. |
13326 | | */ |
13327 | 0 | if (!has_glue) { |
13328 | 0 | for (ns_name = ISC_LIST_HEAD(ns_list); ns_name != NULL; |
13329 | 0 | ns_name = ISC_LIST_NEXT(ns_name, link)) |
13330 | 0 | { |
13331 | | /* |
13332 | | * Resolve NS IPv4 address/A. |
13333 | | */ |
13334 | 0 | result = stub_request_nameserver_address(cb_args, true, |
13335 | 0 | ns_name); |
13336 | 0 | if (result != ISC_R_SUCCESS) { |
13337 | 0 | goto done; |
13338 | 0 | } |
13339 | | /* |
13340 | | * Resolve NS IPv6 address/AAAA. |
13341 | | */ |
13342 | 0 | result = stub_request_nameserver_address(cb_args, false, |
13343 | 0 | ns_name); |
13344 | 0 | if (result != ISC_R_SUCCESS) { |
13345 | 0 | goto done; |
13346 | 0 | } |
13347 | 0 | } |
13348 | 0 | } |
13349 | | |
13350 | 0 | result = ISC_R_SUCCESS; |
13351 | |
|
13352 | 0 | done: |
13353 | 0 | while ((ns_name = ISC_LIST_HEAD(ns_list)) != NULL) { |
13354 | 0 | ISC_LIST_UNLINK(ns_list, ns_name, link); |
13355 | 0 | dns_name_free(ns_name, cb_args->stub->mctx); |
13356 | 0 | isc_mem_put(cb_args->stub->mctx, ns_name, sizeof(*ns_name)); |
13357 | 0 | } |
13358 | 0 | return (result); |
13359 | 0 | } |
13360 | | |
13361 | | static void |
13362 | 0 | stub_callback(void *arg) { |
13363 | 0 | dns_request_t *request = (dns_request_t *)arg; |
13364 | 0 | struct stub_cb_args *cb_args = dns_request_getarg(request); |
13365 | 0 | dns_stub_t *stub = cb_args->stub; |
13366 | 0 | dns_message_t *msg = NULL; |
13367 | 0 | dns_zone_t *zone = NULL; |
13368 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
13369 | 0 | char source[ISC_SOCKADDR_FORMATSIZE]; |
13370 | 0 | uint32_t nscnt, cnamecnt; |
13371 | 0 | isc_result_t result; |
13372 | 0 | isc_sockaddr_t curraddr; |
13373 | 0 | isc_time_t now; |
13374 | 0 | bool exiting = false; |
13375 | |
|
13376 | 0 | INSIST(DNS_STUB_VALID(stub)); |
13377 | |
|
13378 | 0 | zone = stub->zone; |
13379 | |
|
13380 | 0 | ENTER; |
13381 | |
|
13382 | 0 | now = isc_time_now(); |
13383 | |
|
13384 | 0 | LOCK_ZONE(zone); |
13385 | |
|
13386 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
13387 | 0 | goto exiting; |
13388 | 0 | } |
13389 | | |
13390 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
13391 | 0 | isc_sockaddr_format(&curraddr, primary, sizeof(primary)); |
13392 | 0 | isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source)); |
13393 | |
|
13394 | 0 | result = dns_request_getresult(request); |
13395 | 0 | switch (result) { |
13396 | 0 | case ISC_R_SUCCESS: |
13397 | 0 | break; |
13398 | 0 | case ISC_R_SHUTTINGDOWN: |
13399 | 0 | goto exiting; |
13400 | 0 | case ISC_R_TIMEDOUT: |
13401 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) { |
13402 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13403 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13404 | 0 | "refreshing stub: timeout retrying " |
13405 | 0 | "without EDNS primary %s (source %s)", |
13406 | 0 | primary, source); |
13407 | 0 | goto same_primary; |
13408 | 0 | } |
13409 | 0 | FALLTHROUGH; |
13410 | 0 | default: |
13411 | 0 | dns_zonemgr_unreachableadd(zone->zmgr, &curraddr, |
13412 | 0 | &zone->sourceaddr, &now); |
13413 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13414 | 0 | "could not refresh stub from primary " |
13415 | 0 | "%s (source %s): %s", |
13416 | 0 | primary, source, isc_result_totext(result)); |
13417 | 0 | goto next_primary; |
13418 | 0 | } |
13419 | | |
13420 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE, |
13421 | 0 | &msg); |
13422 | |
|
13423 | 0 | result = dns_request_getresponse(request, msg, 0); |
13424 | 0 | if (result != ISC_R_SUCCESS) { |
13425 | 0 | goto next_primary; |
13426 | 0 | } |
13427 | | |
13428 | | /* |
13429 | | * Unexpected opcode. |
13430 | | */ |
13431 | 0 | if (msg->opcode != dns_opcode_query) { |
13432 | 0 | char opcode[128]; |
13433 | 0 | isc_buffer_t rb; |
13434 | |
|
13435 | 0 | isc_buffer_init(&rb, opcode, sizeof(opcode)); |
13436 | 0 | (void)dns_opcode_totext(msg->opcode, &rb); |
13437 | |
|
13438 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13439 | 0 | "refreshing stub: " |
13440 | 0 | "unexpected opcode (%.*s) from %s (source %s)", |
13441 | 0 | (int)rb.used, opcode, primary, source); |
13442 | 0 | goto next_primary; |
13443 | 0 | } |
13444 | | |
13445 | | /* |
13446 | | * Unexpected rcode. |
13447 | | */ |
13448 | 0 | if (msg->rcode != dns_rcode_noerror) { |
13449 | 0 | char rcode[128]; |
13450 | 0 | isc_buffer_t rb; |
13451 | |
|
13452 | 0 | isc_buffer_init(&rb, rcode, sizeof(rcode)); |
13453 | 0 | (void)dns_rcode_totext(msg->rcode, &rb); |
13454 | |
|
13455 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) && |
13456 | 0 | (msg->rcode == dns_rcode_servfail || |
13457 | 0 | msg->rcode == dns_rcode_notimp || |
13458 | 0 | (msg->rcode == dns_rcode_formerr && msg->opt == NULL))) |
13459 | 0 | { |
13460 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13461 | 0 | "refreshing stub: rcode (%.*s) retrying " |
13462 | 0 | "without EDNS primary %s (source %s)", |
13463 | 0 | (int)rb.used, rcode, primary, source); |
13464 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13465 | 0 | goto same_primary; |
13466 | 0 | } |
13467 | | |
13468 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13469 | 0 | "refreshing stub: " |
13470 | 0 | "unexpected rcode (%.*s) from %s (source %s)", |
13471 | 0 | (int)rb.used, rcode, primary, source); |
13472 | 0 | goto next_primary; |
13473 | 0 | } |
13474 | | |
13475 | | /* |
13476 | | * We need complete messages. |
13477 | | */ |
13478 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) { |
13479 | 0 | if (dns_request_usedtcp(request)) { |
13480 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13481 | 0 | "refreshing stub: truncated TCP " |
13482 | 0 | "response from primary %s (source %s)", |
13483 | 0 | primary, source); |
13484 | 0 | goto next_primary; |
13485 | 0 | } |
13486 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC); |
13487 | 0 | goto same_primary; |
13488 | 0 | } |
13489 | | |
13490 | | /* |
13491 | | * If non-auth log and next primary. |
13492 | | */ |
13493 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) { |
13494 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13495 | 0 | "refreshing stub: " |
13496 | 0 | "non-authoritative answer from " |
13497 | 0 | "primary %s (source %s)", |
13498 | 0 | primary, source); |
13499 | 0 | goto next_primary; |
13500 | 0 | } |
13501 | | |
13502 | | /* |
13503 | | * Sanity checks. |
13504 | | */ |
13505 | 0 | cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname); |
13506 | 0 | nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns); |
13507 | |
|
13508 | 0 | if (cnamecnt != 0) { |
13509 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13510 | 0 | "refreshing stub: unexpected CNAME response " |
13511 | 0 | "from primary %s (source %s)", |
13512 | 0 | primary, source); |
13513 | 0 | goto next_primary; |
13514 | 0 | } |
13515 | | |
13516 | 0 | if (nscnt == 0) { |
13517 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13518 | 0 | "refreshing stub: no NS records in response " |
13519 | 0 | "from primary %s (source %s)", |
13520 | 0 | primary, source); |
13521 | 0 | goto next_primary; |
13522 | 0 | } |
13523 | | |
13524 | 0 | atomic_fetch_add(&stub->pending_requests, 1); |
13525 | | |
13526 | | /* |
13527 | | * Save answer. |
13528 | | */ |
13529 | 0 | result = save_nsrrset(msg, &zone->origin, cb_args, stub->db, |
13530 | 0 | stub->version); |
13531 | 0 | if (result != ISC_R_SUCCESS) { |
13532 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13533 | 0 | "refreshing stub: unable to save NS records " |
13534 | 0 | "from primary %s (source %s)", |
13535 | 0 | primary, source); |
13536 | 0 | goto next_primary; |
13537 | 0 | } |
13538 | | |
13539 | 0 | dns_message_detach(&msg); |
13540 | 0 | dns_request_destroy(&zone->request); |
13541 | | |
13542 | | /* |
13543 | | * Check to see if there are no outstanding requests and |
13544 | | * finish off if that is so. |
13545 | | */ |
13546 | 0 | if (atomic_fetch_sub(&stub->pending_requests, 1) == 1) { |
13547 | 0 | isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args)); |
13548 | 0 | stub_finish_zone_update(stub, now); |
13549 | 0 | goto free_stub; |
13550 | 0 | } |
13551 | | |
13552 | 0 | UNLOCK_ZONE(zone); |
13553 | 0 | return; |
13554 | | |
13555 | 0 | exiting: |
13556 | 0 | zone_debuglog(zone, __func__, 1, "exiting"); |
13557 | 0 | exiting = true; |
13558 | |
|
13559 | 0 | next_primary: |
13560 | 0 | isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args)); |
13561 | 0 | if (stub->version != NULL) { |
13562 | 0 | dns_db_closeversion(stub->db, &stub->version, false); |
13563 | 0 | } |
13564 | 0 | if (stub->db != NULL) { |
13565 | 0 | dns_db_detach(&stub->db); |
13566 | 0 | } |
13567 | 0 | if (msg != NULL) { |
13568 | 0 | dns_message_detach(&msg); |
13569 | 0 | } |
13570 | 0 | dns_request_destroy(&zone->request); |
13571 | | /* |
13572 | | * Skip to next failed / untried primary. |
13573 | | */ |
13574 | 0 | dns_remote_next(&zone->primaries, true); |
13575 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13576 | 0 | if (exiting || dns_remote_done(&zone->primaries)) { |
13577 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
13578 | 0 | zone_settimer(zone, &now); |
13579 | 0 | goto free_stub; |
13580 | 0 | } |
13581 | 0 | queue_soa_query(zone); |
13582 | 0 | goto free_stub; |
13583 | | |
13584 | 0 | same_primary: |
13585 | 0 | isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args)); |
13586 | 0 | if (msg != NULL) { |
13587 | 0 | dns_message_detach(&msg); |
13588 | 0 | } |
13589 | 0 | dns_request_destroy(&zone->request); |
13590 | 0 | ns_query(zone, NULL, stub); |
13591 | 0 | UNLOCK_ZONE(zone); |
13592 | 0 | return; |
13593 | | |
13594 | 0 | free_stub: |
13595 | 0 | UNLOCK_ZONE(zone); |
13596 | 0 | stub->magic = 0; |
13597 | 0 | dns_zone_idetach(&stub->zone); |
13598 | 0 | INSIST(stub->db == NULL); |
13599 | 0 | INSIST(stub->version == NULL); |
13600 | 0 | isc_mem_put(stub->mctx, stub, sizeof(*stub)); |
13601 | 0 | } |
13602 | | |
13603 | | /* |
13604 | | * Get the EDNS EXPIRE option from the response and if it exists trim |
13605 | | * expire to be not more than it. |
13606 | | */ |
13607 | | static void |
13608 | 0 | get_edns_expire(dns_zone_t *zone, dns_message_t *message, uint32_t *expirep) { |
13609 | 0 | isc_result_t result; |
13610 | 0 | uint32_t expire; |
13611 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
13612 | 0 | isc_buffer_t optbuf; |
13613 | 0 | uint16_t optcode; |
13614 | 0 | uint16_t optlen; |
13615 | |
|
13616 | 0 | REQUIRE(expirep != NULL); |
13617 | 0 | REQUIRE(message != NULL); |
13618 | |
|
13619 | 0 | if (message->opt == NULL) { |
13620 | 0 | return; |
13621 | 0 | } |
13622 | | |
13623 | 0 | result = dns_rdataset_first(message->opt); |
13624 | 0 | if (result == ISC_R_SUCCESS) { |
13625 | 0 | dns_rdataset_current(message->opt, &rdata); |
13626 | 0 | isc_buffer_init(&optbuf, rdata.data, rdata.length); |
13627 | 0 | isc_buffer_add(&optbuf, rdata.length); |
13628 | 0 | while (isc_buffer_remaininglength(&optbuf) >= 4) { |
13629 | 0 | optcode = isc_buffer_getuint16(&optbuf); |
13630 | 0 | optlen = isc_buffer_getuint16(&optbuf); |
13631 | | /* |
13632 | | * A EDNS EXPIRE response has a length of 4. |
13633 | | */ |
13634 | 0 | if (optcode != DNS_OPT_EXPIRE || optlen != 4) { |
13635 | 0 | isc_buffer_forward(&optbuf, optlen); |
13636 | 0 | continue; |
13637 | 0 | } |
13638 | 0 | expire = isc_buffer_getuint32(&optbuf); |
13639 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13640 | 0 | "got EDNS EXPIRE of %u", expire); |
13641 | | /* |
13642 | | * Trim *expirep? |
13643 | | */ |
13644 | 0 | if (expire < *expirep) { |
13645 | 0 | *expirep = expire; |
13646 | 0 | } |
13647 | 0 | break; |
13648 | 0 | } |
13649 | 0 | } |
13650 | 0 | } |
13651 | | |
13652 | | /* |
13653 | | * Set the file modification time zone->expire seconds before expiretime. |
13654 | | */ |
13655 | | static void |
13656 | 0 | setmodtime(dns_zone_t *zone, isc_time_t *expiretime) { |
13657 | 0 | isc_result_t result; |
13658 | 0 | isc_time_t when; |
13659 | 0 | isc_interval_t i; |
13660 | |
|
13661 | 0 | isc_interval_set(&i, zone->expire, 0); |
13662 | 0 | result = isc_time_subtract(expiretime, &i, &when); |
13663 | 0 | if (result != ISC_R_SUCCESS) { |
13664 | 0 | return; |
13665 | 0 | } |
13666 | | |
13667 | 0 | result = ISC_R_FAILURE; |
13668 | 0 | if (zone->journal != NULL) { |
13669 | 0 | result = isc_file_settime(zone->journal, &when); |
13670 | 0 | } |
13671 | 0 | if (result == ISC_R_SUCCESS && |
13672 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
13673 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
13674 | 0 | { |
13675 | 0 | result = isc_file_settime(zone->masterfile, &when); |
13676 | 0 | } else if (result != ISC_R_SUCCESS) { |
13677 | 0 | result = isc_file_settime(zone->masterfile, &when); |
13678 | 0 | } |
13679 | | |
13680 | | /* |
13681 | | * Someone removed the file from underneath us! |
13682 | | */ |
13683 | 0 | if (result == ISC_R_FILENOTFOUND) { |
13684 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
13685 | 0 | } else if (result != ISC_R_SUCCESS) { |
13686 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
13687 | 0 | "refresh: could not set " |
13688 | 0 | "file modification time of '%s': %s", |
13689 | 0 | zone->masterfile, isc_result_totext(result)); |
13690 | 0 | } |
13691 | 0 | } |
13692 | | |
13693 | | /* |
13694 | | * An SOA query has finished (successfully or not). |
13695 | | */ |
13696 | | static void |
13697 | 0 | refresh_callback(void *arg) { |
13698 | 0 | dns_request_t *request = (dns_request_t *)arg; |
13699 | 0 | dns_zone_t *zone = dns_request_getarg(request); |
13700 | 0 | dns_message_t *msg = NULL; |
13701 | 0 | uint32_t soacnt, cnamecnt, soacount, nscount; |
13702 | 0 | isc_time_t now; |
13703 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
13704 | 0 | char source[ISC_SOCKADDR_FORMATSIZE]; |
13705 | 0 | dns_rdataset_t *rdataset = NULL; |
13706 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
13707 | 0 | dns_rdata_soa_t soa; |
13708 | 0 | isc_result_t result; |
13709 | 0 | isc_sockaddr_t curraddr; |
13710 | 0 | uint32_t serial, oldserial = 0; |
13711 | 0 | bool do_queue_xfrin = false; |
13712 | |
|
13713 | 0 | INSIST(DNS_ZONE_VALID(zone)); |
13714 | |
|
13715 | 0 | ENTER; |
13716 | |
|
13717 | 0 | now = isc_time_now(); |
13718 | |
|
13719 | 0 | LOCK_ZONE(zone); |
13720 | |
|
13721 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
13722 | 0 | goto exiting; |
13723 | 0 | } |
13724 | | |
13725 | | /* |
13726 | | * If timeout, log and try the next primary |
13727 | | */ |
13728 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
13729 | 0 | isc_sockaddr_format(&curraddr, primary, sizeof(primary)); |
13730 | 0 | isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source)); |
13731 | |
|
13732 | 0 | switch (dns_request_getresult(request)) { |
13733 | 0 | case ISC_R_SUCCESS: |
13734 | 0 | break; |
13735 | 0 | case ISC_R_SHUTTINGDOWN: |
13736 | 0 | goto exiting; |
13737 | 0 | case ISC_R_TIMEDOUT: |
13738 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) { |
13739 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13740 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13741 | 0 | "refresh: timeout retrying without EDNS " |
13742 | 0 | "primary %s (source %s)", |
13743 | 0 | primary, source); |
13744 | 0 | goto same_primary; |
13745 | 0 | } else if (!dns_request_usedtcp(request)) { |
13746 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13747 | 0 | "refresh: retry limit for " |
13748 | 0 | "primary %s exceeded (source %s)", |
13749 | 0 | primary, source); |
13750 | | /* Try with secondary with TCP. */ |
13751 | 0 | if ((zone->type == dns_zone_secondary || |
13752 | 0 | zone->type == dns_zone_mirror || |
13753 | 0 | zone->type == dns_zone_redirect) && |
13754 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) |
13755 | 0 | { |
13756 | 0 | if (!dns_zonemgr_unreachable( |
13757 | 0 | zone->zmgr, &curraddr, |
13758 | 0 | &zone->sourceaddr, &now)) |
13759 | 0 | { |
13760 | 0 | DNS_ZONE_SETFLAG( |
13761 | 0 | zone, |
13762 | 0 | DNS_ZONEFLG_SOABEFOREAXFR); |
13763 | 0 | goto tcp_transfer; |
13764 | 0 | } |
13765 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13766 | 0 | "refresh: skipped tcp fallback " |
13767 | 0 | "as primary %s (source %s) is " |
13768 | 0 | "unreachable (cached)", |
13769 | 0 | primary, source); |
13770 | 0 | } |
13771 | 0 | goto next_primary; |
13772 | 0 | } |
13773 | 0 | FALLTHROUGH; |
13774 | 0 | default: |
13775 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13776 | 0 | "refresh: failure trying primary " |
13777 | 0 | "%s (source %s): %s", |
13778 | 0 | primary, source, |
13779 | 0 | isc_result_totext(dns_request_getresult(request))); |
13780 | 0 | goto next_primary; |
13781 | 0 | } |
13782 | | |
13783 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE, |
13784 | 0 | &msg); |
13785 | 0 | result = dns_request_getresponse(request, msg, 0); |
13786 | 0 | if (result != ISC_R_SUCCESS) { |
13787 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13788 | 0 | "refresh: failure trying primary " |
13789 | 0 | "%s (source %s): %s", |
13790 | 0 | primary, source, isc_result_totext(result)); |
13791 | 0 | goto next_primary; |
13792 | 0 | } |
13793 | | |
13794 | | /* |
13795 | | * Unexpected opcode. |
13796 | | */ |
13797 | 0 | if (msg->opcode != dns_opcode_query) { |
13798 | 0 | char opcode[128]; |
13799 | 0 | isc_buffer_t rb; |
13800 | |
|
13801 | 0 | isc_buffer_init(&rb, opcode, sizeof(opcode)); |
13802 | 0 | (void)dns_opcode_totext(msg->opcode, &rb); |
13803 | |
|
13804 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13805 | 0 | "refresh: " |
13806 | 0 | "unexpected opcode (%.*s) from %s (source %s)", |
13807 | 0 | (int)rb.used, opcode, primary, source); |
13808 | 0 | goto next_primary; |
13809 | 0 | } |
13810 | | |
13811 | | /* |
13812 | | * Unexpected rcode. |
13813 | | */ |
13814 | 0 | if (msg->rcode != dns_rcode_noerror) { |
13815 | 0 | char rcode[128]; |
13816 | 0 | isc_buffer_t rb; |
13817 | |
|
13818 | 0 | isc_buffer_init(&rb, rcode, sizeof(rcode)); |
13819 | 0 | (void)dns_rcode_totext(msg->rcode, &rb); |
13820 | |
|
13821 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) && |
13822 | 0 | (msg->rcode == dns_rcode_servfail || |
13823 | 0 | msg->rcode == dns_rcode_notimp || |
13824 | 0 | (msg->rcode == dns_rcode_formerr && msg->opt == NULL))) |
13825 | 0 | { |
13826 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13827 | 0 | "refresh: rcode (%.*s) retrying without " |
13828 | 0 | "EDNS primary %s (source %s)", |
13829 | 0 | (int)rb.used, rcode, primary, source); |
13830 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13831 | 0 | goto same_primary; |
13832 | 0 | } |
13833 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) && |
13834 | 0 | msg->rcode == dns_rcode_badvers) |
13835 | 0 | { |
13836 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), |
13837 | 0 | "refresh: rcode (%.*s) retrying without " |
13838 | 0 | "EDNS EXPIRE OPTION primary %s " |
13839 | 0 | "(source %s)", |
13840 | 0 | (int)rb.used, rcode, primary, source); |
13841 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
13842 | 0 | goto same_primary; |
13843 | 0 | } |
13844 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13845 | 0 | "refresh: unexpected rcode (%.*s) from " |
13846 | 0 | "primary %s (source %s)", |
13847 | 0 | (int)rb.used, rcode, primary, source); |
13848 | | /* |
13849 | | * Perhaps AXFR/IXFR is allowed even if SOA queries aren't. |
13850 | | */ |
13851 | 0 | if (msg->rcode == dns_rcode_refused && |
13852 | 0 | (zone->type == dns_zone_secondary || |
13853 | 0 | zone->type == dns_zone_mirror || |
13854 | 0 | zone->type == dns_zone_redirect)) |
13855 | 0 | { |
13856 | 0 | goto tcp_transfer; |
13857 | 0 | } |
13858 | 0 | goto next_primary; |
13859 | 0 | } |
13860 | | |
13861 | | /* |
13862 | | * If truncated punt to zone transfer which will query again. |
13863 | | */ |
13864 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) { |
13865 | 0 | if (zone->type == dns_zone_secondary || |
13866 | 0 | zone->type == dns_zone_mirror || |
13867 | 0 | zone->type == dns_zone_redirect) |
13868 | 0 | { |
13869 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13870 | 0 | "refresh: truncated UDP answer, " |
13871 | 0 | "initiating TCP zone xfer " |
13872 | 0 | "for primary %s (source %s)", |
13873 | 0 | primary, source); |
13874 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); |
13875 | 0 | goto tcp_transfer; |
13876 | 0 | } else { |
13877 | 0 | INSIST(zone->type == dns_zone_stub); |
13878 | 0 | if (dns_request_usedtcp(request)) { |
13879 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13880 | 0 | "refresh: truncated TCP response " |
13881 | 0 | "from primary %s (source %s)", |
13882 | 0 | primary, source); |
13883 | 0 | goto next_primary; |
13884 | 0 | } |
13885 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC); |
13886 | 0 | goto same_primary; |
13887 | 0 | } |
13888 | 0 | } |
13889 | | |
13890 | | /* |
13891 | | * If non-auth, log and try the next primary |
13892 | | */ |
13893 | 0 | if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) { |
13894 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13895 | 0 | "refresh: non-authoritative answer from " |
13896 | 0 | "primary %s (source %s)", |
13897 | 0 | primary, source); |
13898 | 0 | goto next_primary; |
13899 | 0 | } |
13900 | | |
13901 | 0 | cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname); |
13902 | 0 | soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa); |
13903 | 0 | nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns); |
13904 | 0 | soacount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_soa); |
13905 | | |
13906 | | /* |
13907 | | * There should not be a CNAME record at top of zone. |
13908 | | */ |
13909 | 0 | if (cnamecnt != 0) { |
13910 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13911 | 0 | "refresh: CNAME at top of zone " |
13912 | 0 | "in primary %s (source %s)", |
13913 | 0 | primary, source); |
13914 | 0 | goto next_primary; |
13915 | 0 | } |
13916 | | |
13917 | | /* |
13918 | | * If referral, log and try the next primary; |
13919 | | */ |
13920 | 0 | if (soacnt == 0 && soacount == 0 && nscount != 0) { |
13921 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13922 | 0 | "refresh: referral response " |
13923 | 0 | "from primary %s (source %s)", |
13924 | 0 | primary, source); |
13925 | 0 | goto next_primary; |
13926 | 0 | } |
13927 | | |
13928 | | /* |
13929 | | * If nodata, log and try the next primary; |
13930 | | */ |
13931 | 0 | if (soacnt == 0 && (nscount == 0 || soacount != 0)) { |
13932 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13933 | 0 | "refresh: NODATA response " |
13934 | 0 | "from primary %s (source %s)", |
13935 | 0 | primary, source); |
13936 | 0 | goto next_primary; |
13937 | 0 | } |
13938 | | |
13939 | | /* |
13940 | | * Only one soa at top of zone. |
13941 | | */ |
13942 | 0 | if (soacnt != 1) { |
13943 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13944 | 0 | "refresh: answer SOA count (%d) != 1 " |
13945 | 0 | "from primary %s (source %s)", |
13946 | 0 | soacnt, primary, source); |
13947 | 0 | goto next_primary; |
13948 | 0 | } |
13949 | | |
13950 | | /* |
13951 | | * Extract serial |
13952 | | */ |
13953 | 0 | rdataset = NULL; |
13954 | 0 | result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin, |
13955 | 0 | dns_rdatatype_soa, dns_rdatatype_none, |
13956 | 0 | NULL, &rdataset); |
13957 | 0 | if (result != ISC_R_SUCCESS) { |
13958 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13959 | 0 | "refresh: unable to get SOA record " |
13960 | 0 | "from primary %s (source %s)", |
13961 | 0 | primary, source); |
13962 | 0 | goto next_primary; |
13963 | 0 | } |
13964 | | |
13965 | 0 | result = dns_rdataset_first(rdataset); |
13966 | 0 | if (result != ISC_R_SUCCESS) { |
13967 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13968 | 0 | "refresh: dns_rdataset_first() failed"); |
13969 | 0 | goto next_primary; |
13970 | 0 | } |
13971 | | |
13972 | 0 | dns_rdataset_current(rdataset, &rdata); |
13973 | 0 | result = dns_rdata_tostruct(&rdata, &soa, NULL); |
13974 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
13975 | |
|
13976 | 0 | serial = soa.serial; |
13977 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) { |
13978 | 0 | unsigned int dbsoacount; |
13979 | 0 | result = zone_get_from_db(zone, zone->db, NULL, &dbsoacount, |
13980 | 0 | NULL, &oldserial, NULL, NULL, NULL, |
13981 | 0 | NULL, NULL); |
13982 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
13983 | 0 | RUNTIME_CHECK(dbsoacount > 0U); |
13984 | 0 | zone_debuglog(zone, __func__, 1, "serial: new %u, old %u", |
13985 | 0 | serial, oldserial); |
13986 | 0 | } else { |
13987 | 0 | zone_debuglog(zone, __func__, 1, |
13988 | 0 | "serial: new %u, old not loaded", serial); |
13989 | 0 | } |
13990 | |
|
13991 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) || |
13992 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) || |
13993 | 0 | isc_serial_gt(serial, oldserial)) |
13994 | 0 | { |
13995 | 0 | if (dns_zonemgr_unreachable(zone->zmgr, &curraddr, |
13996 | 0 | &zone->sourceaddr, &now)) |
13997 | 0 | { |
13998 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
13999 | 0 | "refresh: skipping %s as primary %s " |
14000 | 0 | "(source %s) is unreachable (cached)", |
14001 | 0 | (zone->type == dns_zone_secondary || |
14002 | 0 | zone->type == dns_zone_mirror || |
14003 | 0 | zone->type == dns_zone_redirect) |
14004 | 0 | ? "zone transfer" |
14005 | 0 | : "NS query", |
14006 | 0 | primary, source); |
14007 | 0 | goto next_primary; |
14008 | 0 | } |
14009 | 0 | tcp_transfer: |
14010 | 0 | dns_request_destroy(&zone->request); |
14011 | 0 | if (zone->type == dns_zone_secondary || |
14012 | 0 | zone->type == dns_zone_mirror || |
14013 | 0 | zone->type == dns_zone_redirect) |
14014 | 0 | { |
14015 | 0 | do_queue_xfrin = true; |
14016 | 0 | } else { |
14017 | 0 | INSIST(zone->type == dns_zone_stub); |
14018 | 0 | ns_query(zone, rdataset, NULL); |
14019 | 0 | } |
14020 | 0 | if (msg != NULL) { |
14021 | 0 | dns_message_detach(&msg); |
14022 | 0 | } |
14023 | 0 | } else if (isc_serial_eq(soa.serial, oldserial)) { |
14024 | 0 | isc_time_t expiretime; |
14025 | 0 | uint32_t expire; |
14026 | | |
14027 | | /* |
14028 | | * Compute the new expire time based on this response. |
14029 | | */ |
14030 | 0 | expire = zone->expire; |
14031 | 0 | get_edns_expire(zone, msg, &expire); |
14032 | 0 | DNS_ZONE_TIME_ADD(&now, expire, &expiretime); |
14033 | | |
14034 | | /* |
14035 | | * Has the expire time improved? |
14036 | | */ |
14037 | 0 | if (isc_time_compare(&expiretime, &zone->expiretime) > 0) { |
14038 | 0 | zone->expiretime = expiretime; |
14039 | 0 | if (zone->masterfile != NULL) { |
14040 | 0 | setmodtime(zone, &expiretime); |
14041 | 0 | } |
14042 | 0 | } |
14043 | |
|
14044 | 0 | DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); |
14045 | 0 | dns_remote_mark(&zone->primaries, true); |
14046 | 0 | goto next_primary; |
14047 | 0 | } else { |
14048 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER)) { |
14049 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
14050 | 0 | "serial number (%u) " |
14051 | 0 | "received from primary %s < ours (%u)", |
14052 | 0 | soa.serial, primary, oldserial); |
14053 | 0 | } else { |
14054 | 0 | zone_debuglog(zone, __func__, 1, "ahead"); |
14055 | 0 | } |
14056 | 0 | dns_remote_mark(&zone->primaries, true); |
14057 | 0 | goto next_primary; |
14058 | 0 | } |
14059 | 0 | if (msg != NULL) { |
14060 | 0 | dns_message_detach(&msg); |
14061 | 0 | } |
14062 | 0 | goto detach; |
14063 | | |
14064 | 0 | next_primary: |
14065 | 0 | if (msg != NULL) { |
14066 | 0 | dns_message_detach(&msg); |
14067 | 0 | } |
14068 | 0 | dns_request_destroy(&zone->request); |
14069 | | /* |
14070 | | * Skip to next failed / untried primary. |
14071 | | */ |
14072 | 0 | dns_remote_next(&zone->primaries, true); |
14073 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS); |
14074 | 0 | if (dns_remote_done(&zone->primaries)) { |
14075 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
14076 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) { |
14077 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH); |
14078 | 0 | zone->refreshtime = now; |
14079 | 0 | } |
14080 | 0 | zone_settimer(zone, &now); |
14081 | 0 | goto detach; |
14082 | 0 | } |
14083 | | |
14084 | 0 | queue_soa_query(zone); |
14085 | 0 | goto detach; |
14086 | | |
14087 | 0 | exiting: |
14088 | 0 | dns_request_destroy(&zone->request); |
14089 | 0 | goto detach; |
14090 | | |
14091 | 0 | same_primary: |
14092 | 0 | if (msg != NULL) { |
14093 | 0 | dns_message_detach(&msg); |
14094 | 0 | } |
14095 | 0 | dns_request_destroy(&zone->request); |
14096 | 0 | queue_soa_query(zone); |
14097 | |
|
14098 | 0 | detach: |
14099 | 0 | if (do_queue_xfrin) { |
14100 | | /* Shows in the statistics channel the duration of the step. */ |
14101 | 0 | zone->xfrintime = isc_time_now(); |
14102 | 0 | } |
14103 | 0 | UNLOCK_ZONE(zone); |
14104 | 0 | if (do_queue_xfrin) { |
14105 | 0 | queue_xfrin(zone); |
14106 | 0 | } |
14107 | 0 | dns_zone_idetach(&zone); |
14108 | 0 | return; |
14109 | 0 | } |
14110 | | |
14111 | | struct soaquery { |
14112 | | dns_zone_t *zone; |
14113 | | isc_rlevent_t *rlevent; |
14114 | | }; |
14115 | | |
14116 | | static void |
14117 | 0 | queue_soa_query(dns_zone_t *zone) { |
14118 | 0 | isc_result_t result; |
14119 | 0 | struct soaquery *sq = NULL; |
14120 | |
|
14121 | 0 | ENTER; |
14122 | | /* |
14123 | | * Locked by caller |
14124 | | */ |
14125 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
14126 | |
|
14127 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
14128 | 0 | cancel_refresh(zone); |
14129 | 0 | return; |
14130 | 0 | } |
14131 | | |
14132 | 0 | sq = isc_mem_get(zone->mctx, sizeof(*sq)); |
14133 | 0 | *sq = (struct soaquery){ .zone = NULL }; |
14134 | | |
14135 | | /* Shows in the statistics channel the duration of the current step. */ |
14136 | 0 | zone->xfrintime = isc_time_now(); |
14137 | | |
14138 | | /* |
14139 | | * Attach so that we won't clean up until the event is delivered. |
14140 | | */ |
14141 | 0 | zone_iattach(zone, &sq->zone); |
14142 | 0 | result = isc_ratelimiter_enqueue(zone->zmgr->refreshrl, zone->loop, |
14143 | 0 | soa_query, sq, &sq->rlevent); |
14144 | 0 | if (result != ISC_R_SUCCESS) { |
14145 | 0 | zone_idetach(&sq->zone); |
14146 | 0 | isc_mem_put(zone->mctx, sq, sizeof(*sq)); |
14147 | 0 | cancel_refresh(zone); |
14148 | 0 | } |
14149 | 0 | } |
14150 | | |
14151 | | static void |
14152 | 0 | soa_query(void *arg) { |
14153 | 0 | struct soaquery *sq = (struct soaquery *)arg; |
14154 | 0 | dns_zone_t *zone = sq->zone; |
14155 | 0 | isc_result_t result = ISC_R_FAILURE; |
14156 | 0 | dns_message_t *message = NULL; |
14157 | 0 | isc_netaddr_t primaryip; |
14158 | 0 | dns_tsigkey_t *key = NULL; |
14159 | 0 | dns_transport_t *transport = NULL; |
14160 | 0 | uint32_t options; |
14161 | 0 | bool cancel = true; |
14162 | 0 | int timeout; |
14163 | 0 | bool have_xfrsource = false, reqnsid, reqexpire; |
14164 | 0 | uint16_t udpsize = SEND_BUFFER_SIZE; |
14165 | 0 | isc_sockaddr_t curraddr, sourceaddr; |
14166 | 0 | bool do_queue_xfrin = false; |
14167 | |
|
14168 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
14169 | |
|
14170 | 0 | ENTER; |
14171 | |
|
14172 | 0 | LOCK_ZONE(zone); |
14173 | 0 | if (sq->rlevent->canceled || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || |
14174 | 0 | zone->view->requestmgr == NULL) |
14175 | 0 | { |
14176 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
14177 | 0 | cancel = false; |
14178 | 0 | } |
14179 | 0 | goto cleanup; |
14180 | 0 | } |
14181 | | |
14182 | 0 | again: |
14183 | 0 | dns_zone_log( |
14184 | 0 | zone, ISC_LOG_DEBUG(3), |
14185 | 0 | "soa_query: remote server current address index %d count %d", |
14186 | 0 | zone->primaries.curraddr, zone->primaries.addrcnt); |
14187 | 0 | INSIST(dns_remote_count(&zone->primaries) > 0); |
14188 | 0 | INSIST(!dns_remote_done(&zone->primaries)); |
14189 | |
|
14190 | 0 | sourceaddr = dns_remote_sourceaddr(&zone->primaries); |
14191 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
14192 | 0 | isc_netaddr_fromsockaddr(&primaryip, &curraddr); |
14193 | |
|
14194 | 0 | if (isc_sockaddr_disabled(&curraddr)) { |
14195 | 0 | goto skip_primary; |
14196 | 0 | } |
14197 | | |
14198 | | /* |
14199 | | * First, look for a tsig key in the primaries statement, then |
14200 | | * try for a server key. |
14201 | | */ |
14202 | 0 | if (dns_remote_keyname(&zone->primaries) != NULL) { |
14203 | 0 | dns_view_t *view = dns_zone_getview(zone); |
14204 | 0 | dns_name_t *keyname = dns_remote_keyname(&zone->primaries); |
14205 | 0 | result = dns_view_gettsig(view, keyname, &key); |
14206 | 0 | if (result != ISC_R_SUCCESS) { |
14207 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
14208 | 0 | dns_name_format(keyname, namebuf, sizeof(namebuf)); |
14209 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
14210 | 0 | "unable to find key: %s", namebuf); |
14211 | 0 | goto skip_primary; |
14212 | 0 | } |
14213 | 0 | } |
14214 | 0 | if (key == NULL) { |
14215 | 0 | result = dns_view_getpeertsig(zone->view, &primaryip, &key); |
14216 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
14217 | 0 | char addrbuf[ISC_NETADDR_FORMATSIZE]; |
14218 | 0 | isc_netaddr_format(&primaryip, addrbuf, |
14219 | 0 | sizeof(addrbuf)); |
14220 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
14221 | 0 | "unable to find TSIG key for %s", addrbuf); |
14222 | 0 | goto skip_primary; |
14223 | 0 | } |
14224 | 0 | } |
14225 | | |
14226 | 0 | if (dns_remote_tlsname(&zone->primaries) != NULL) { |
14227 | 0 | dns_view_t *view = dns_zone_getview(zone); |
14228 | 0 | dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries); |
14229 | 0 | result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname, |
14230 | 0 | &transport); |
14231 | 0 | if (result != ISC_R_SUCCESS) { |
14232 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
14233 | 0 | dns_name_format(tlsname, namebuf, sizeof(namebuf)); |
14234 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
14235 | 0 | "unable to find TLS configuration: %s", |
14236 | 0 | namebuf); |
14237 | 0 | goto skip_primary; |
14238 | 0 | } |
14239 | 0 | } |
14240 | | |
14241 | 0 | options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ? DNS_REQUESTOPT_TCP |
14242 | 0 | : 0; |
14243 | 0 | reqnsid = zone->view->requestnsid; |
14244 | 0 | reqexpire = zone->requestexpire; |
14245 | 0 | if (zone->view->peers != NULL) { |
14246 | 0 | dns_peer_t *peer = NULL; |
14247 | 0 | bool edns, usetcp; |
14248 | 0 | result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, |
14249 | 0 | &peer); |
14250 | 0 | if (result == ISC_R_SUCCESS) { |
14251 | 0 | result = dns_peer_getsupportedns(peer, &edns); |
14252 | 0 | if (result == ISC_R_SUCCESS && !edns) { |
14253 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
14254 | 0 | } |
14255 | 0 | result = dns_peer_gettransfersource(peer, |
14256 | 0 | &zone->sourceaddr); |
14257 | 0 | if (result == ISC_R_SUCCESS) { |
14258 | 0 | have_xfrsource = true; |
14259 | 0 | } |
14260 | 0 | udpsize = dns_view_getudpsize(zone->view); |
14261 | 0 | (void)dns_peer_getudpsize(peer, &udpsize); |
14262 | 0 | (void)dns_peer_getrequestnsid(peer, &reqnsid); |
14263 | 0 | (void)dns_peer_getrequestexpire(peer, &reqexpire); |
14264 | 0 | result = dns_peer_getforcetcp(peer, &usetcp); |
14265 | 0 | if (result == ISC_R_SUCCESS && usetcp) { |
14266 | 0 | options |= DNS_REQUESTOPT_TCP; |
14267 | 0 | } |
14268 | 0 | } |
14269 | 0 | } |
14270 | |
|
14271 | 0 | switch (isc_sockaddr_pf(&curraddr)) { |
14272 | 0 | case PF_INET: |
14273 | 0 | if (!have_xfrsource) { |
14274 | 0 | isc_sockaddr_t any; |
14275 | 0 | isc_sockaddr_any(&any); |
14276 | |
|
14277 | 0 | zone->sourceaddr = sourceaddr; |
14278 | 0 | if (isc_sockaddr_equal(&sourceaddr, &any)) { |
14279 | 0 | zone->sourceaddr = zone->xfrsource4; |
14280 | 0 | } |
14281 | 0 | } |
14282 | 0 | break; |
14283 | 0 | case PF_INET6: |
14284 | 0 | if (!have_xfrsource) { |
14285 | 0 | isc_sockaddr_t any; |
14286 | 0 | isc_sockaddr_any6(&any); |
14287 | |
|
14288 | 0 | zone->sourceaddr = sourceaddr; |
14289 | 0 | if (isc_sockaddr_equal(&zone->sourceaddr, &any)) { |
14290 | 0 | zone->sourceaddr = zone->xfrsource6; |
14291 | 0 | } |
14292 | 0 | } |
14293 | 0 | break; |
14294 | 0 | default: |
14295 | 0 | result = ISC_R_NOTIMPLEMENTED; |
14296 | 0 | goto cleanup; |
14297 | 0 | } |
14298 | | |
14299 | | /* |
14300 | | * FIXME(OS): This is a bit hackish, but it enforces the SOA query to go |
14301 | | * through the XFR channel instead of doing dns_request that doesn't |
14302 | | * have DoT support yet. |
14303 | | */ |
14304 | 0 | if (transport != NULL) { |
14305 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); |
14306 | 0 | do_queue_xfrin = true; |
14307 | 0 | cancel = false; |
14308 | 0 | result = ISC_R_SUCCESS; |
14309 | 0 | goto cleanup; |
14310 | 0 | } |
14311 | | |
14312 | 0 | create_query(zone, dns_rdatatype_soa, &zone->origin, &message); |
14313 | |
|
14314 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) { |
14315 | 0 | result = add_opt(message, udpsize, reqnsid, reqexpire); |
14316 | 0 | if (result != ISC_R_SUCCESS) { |
14317 | 0 | zone_debuglog(zone, __func__, 1, |
14318 | 0 | "unable to add opt record: %s", |
14319 | 0 | isc_result_totext(result)); |
14320 | 0 | } |
14321 | 0 | } |
14322 | |
|
14323 | 0 | zone_iattach(zone, &(dns_zone_t *){ NULL }); |
14324 | 0 | timeout = 5; |
14325 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) { |
14326 | 0 | timeout = 30; |
14327 | 0 | } |
14328 | 0 | result = dns_request_create( |
14329 | 0 | zone->view->requestmgr, message, &zone->sourceaddr, &curraddr, |
14330 | 0 | NULL, NULL, options, key, timeout * 3 + 1, timeout, 2, |
14331 | 0 | zone->loop, refresh_callback, zone, &zone->request); |
14332 | 0 | if (result != ISC_R_SUCCESS) { |
14333 | 0 | zone_idetach(&(dns_zone_t *){ zone }); |
14334 | 0 | zone_debuglog(zone, __func__, 1, |
14335 | 0 | "dns_request_create() failed: %s", |
14336 | 0 | isc_result_totext(result)); |
14337 | 0 | goto skip_primary; |
14338 | 0 | } else { |
14339 | | /* Shows in the statistics channel the duration of the query. */ |
14340 | 0 | zone->xfrintime = isc_time_now(); |
14341 | |
|
14342 | 0 | if (isc_sockaddr_pf(&curraddr) == PF_INET) { |
14343 | 0 | inc_stats(zone, dns_zonestatscounter_soaoutv4); |
14344 | 0 | } else { |
14345 | 0 | inc_stats(zone, dns_zonestatscounter_soaoutv6); |
14346 | 0 | } |
14347 | 0 | } |
14348 | 0 | cancel = false; |
14349 | 0 | cleanup: |
14350 | 0 | if (transport != NULL) { |
14351 | 0 | dns_transport_detach(&transport); |
14352 | 0 | } |
14353 | 0 | if (key != NULL) { |
14354 | 0 | dns_tsigkey_detach(&key); |
14355 | 0 | } |
14356 | 0 | if (result != ISC_R_SUCCESS) { |
14357 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
14358 | 0 | } |
14359 | 0 | if (message != NULL) { |
14360 | 0 | dns_message_detach(&message); |
14361 | 0 | } |
14362 | 0 | if (cancel) { |
14363 | 0 | cancel_refresh(zone); |
14364 | 0 | } |
14365 | 0 | if (do_queue_xfrin) { |
14366 | | /* Shows in the statistics channel the duration of the step. */ |
14367 | 0 | zone->xfrintime = isc_time_now(); |
14368 | 0 | } |
14369 | 0 | UNLOCK_ZONE(zone); |
14370 | 0 | if (do_queue_xfrin) { |
14371 | 0 | queue_xfrin(zone); |
14372 | 0 | } |
14373 | 0 | isc_rlevent_free(&sq->rlevent); |
14374 | 0 | isc_mem_put(zone->mctx, sq, sizeof(*sq)); |
14375 | 0 | dns_zone_idetach(&zone); |
14376 | 0 | return; |
14377 | | |
14378 | 0 | skip_primary: |
14379 | 0 | if (transport != NULL) { |
14380 | 0 | dns_transport_detach(&transport); |
14381 | 0 | } |
14382 | 0 | if (key != NULL) { |
14383 | 0 | dns_tsigkey_detach(&key); |
14384 | 0 | } |
14385 | 0 | if (message != NULL) { |
14386 | 0 | dns_message_detach(&message); |
14387 | 0 | } |
14388 | | /* |
14389 | | * Skip to next failed / untried primary. |
14390 | | */ |
14391 | 0 | dns_remote_next(&zone->primaries, true); |
14392 | 0 | if (!dns_remote_done(&zone->primaries)) { |
14393 | 0 | goto again; |
14394 | 0 | } |
14395 | 0 | dns_remote_reset(&zone->primaries, false); |
14396 | 0 | goto cleanup; |
14397 | 0 | } |
14398 | | |
14399 | | static void |
14400 | 0 | ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { |
14401 | 0 | isc_result_t result; |
14402 | 0 | dns_message_t *message = NULL; |
14403 | 0 | isc_netaddr_t primaryip; |
14404 | 0 | dns_tsigkey_t *key = NULL; |
14405 | 0 | dns_dbnode_t *node = NULL; |
14406 | 0 | int timeout; |
14407 | 0 | bool have_xfrsource = false; |
14408 | 0 | bool reqnsid; |
14409 | 0 | uint16_t udpsize = SEND_BUFFER_SIZE; |
14410 | 0 | isc_sockaddr_t curraddr, sourceaddr; |
14411 | 0 | struct stub_cb_args *cb_args; |
14412 | |
|
14413 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
14414 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
14415 | 0 | REQUIRE((soardataset != NULL && stub == NULL) || |
14416 | 0 | (soardataset == NULL && stub != NULL)); |
14417 | 0 | REQUIRE(stub == NULL || DNS_STUB_VALID(stub)); |
14418 | |
|
14419 | 0 | ENTER; |
14420 | |
|
14421 | 0 | if (stub == NULL) { |
14422 | 0 | stub = isc_mem_get(zone->mctx, sizeof(*stub)); |
14423 | 0 | stub->magic = STUB_MAGIC; |
14424 | 0 | stub->mctx = zone->mctx; |
14425 | 0 | stub->zone = NULL; |
14426 | 0 | stub->db = NULL; |
14427 | 0 | stub->version = NULL; |
14428 | 0 | atomic_init(&stub->pending_requests, 0); |
14429 | | |
14430 | | /* |
14431 | | * Attach so that the zone won't disappear from under us. |
14432 | | */ |
14433 | 0 | zone_iattach(zone, &stub->zone); |
14434 | | |
14435 | | /* |
14436 | | * If a db exists we will update it, otherwise we create a |
14437 | | * new one and attach it to the zone once we have the NS |
14438 | | * RRset and glue. |
14439 | | */ |
14440 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
14441 | 0 | if (zone->db != NULL) { |
14442 | 0 | dns_db_attach(zone->db, &stub->db); |
14443 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
14444 | 0 | } else { |
14445 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
14446 | |
|
14447 | 0 | INSIST(zone->db_argc >= 1); |
14448 | 0 | result = dns_db_create(zone->mctx, zone->db_argv[0], |
14449 | 0 | &zone->origin, dns_dbtype_stub, |
14450 | 0 | zone->rdclass, zone->db_argc - 1, |
14451 | 0 | zone->db_argv + 1, &stub->db); |
14452 | 0 | if (result != ISC_R_SUCCESS) { |
14453 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
14454 | 0 | "refreshing stub: " |
14455 | 0 | "could not create " |
14456 | 0 | "database: %s", |
14457 | 0 | isc_result_totext(result)); |
14458 | 0 | goto cleanup; |
14459 | 0 | } |
14460 | 0 | dns_db_setloop(stub->db, zone->loop); |
14461 | 0 | } |
14462 | | |
14463 | 0 | result = dns_db_newversion(stub->db, &stub->version); |
14464 | 0 | if (result != ISC_R_SUCCESS) { |
14465 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
14466 | 0 | "refreshing stub: " |
14467 | 0 | "dns_db_newversion() failed: %s", |
14468 | 0 | isc_result_totext(result)); |
14469 | 0 | goto cleanup; |
14470 | 0 | } |
14471 | | |
14472 | | /* |
14473 | | * Update SOA record. |
14474 | | */ |
14475 | 0 | result = dns_db_findnode(stub->db, &zone->origin, true, &node); |
14476 | 0 | if (result != ISC_R_SUCCESS) { |
14477 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
14478 | 0 | "refreshing stub: " |
14479 | 0 | "dns_db_findnode() failed: %s", |
14480 | 0 | isc_result_totext(result)); |
14481 | 0 | goto cleanup; |
14482 | 0 | } |
14483 | | |
14484 | 0 | result = dns_db_addrdataset(stub->db, node, stub->version, 0, |
14485 | 0 | soardataset, 0, NULL); |
14486 | 0 | dns_db_detachnode(stub->db, &node); |
14487 | 0 | if (result != ISC_R_SUCCESS) { |
14488 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
14489 | 0 | "refreshing stub: " |
14490 | 0 | "dns_db_addrdataset() failed: %s", |
14491 | 0 | isc_result_totext(result)); |
14492 | 0 | goto cleanup; |
14493 | 0 | } |
14494 | 0 | } |
14495 | | |
14496 | | /* |
14497 | | * XXX Optimisation: Create message when zone is setup and reuse. |
14498 | | */ |
14499 | 0 | create_query(zone, dns_rdatatype_ns, &zone->origin, &message); |
14500 | |
|
14501 | 0 | INSIST(dns_remote_count(&zone->primaries) > 0); |
14502 | 0 | INSIST(!dns_remote_done(&zone->primaries)); |
14503 | |
|
14504 | 0 | sourceaddr = dns_remote_sourceaddr(&zone->primaries); |
14505 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
14506 | 0 | isc_netaddr_fromsockaddr(&primaryip, &curraddr); |
14507 | | /* |
14508 | | * First, look for a tsig key in the primaries statement, then |
14509 | | * try for a server key. |
14510 | | */ |
14511 | 0 | if (dns_remote_keyname(&zone->primaries) != NULL) { |
14512 | 0 | dns_view_t *view = dns_zone_getview(zone); |
14513 | 0 | dns_name_t *keyname = dns_remote_keyname(&zone->primaries); |
14514 | 0 | result = dns_view_gettsig(view, keyname, &key); |
14515 | 0 | if (result != ISC_R_SUCCESS) { |
14516 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
14517 | 0 | dns_name_format(keyname, namebuf, sizeof(namebuf)); |
14518 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
14519 | 0 | "unable to find key: %s", namebuf); |
14520 | 0 | } |
14521 | 0 | } |
14522 | 0 | if (key == NULL) { |
14523 | 0 | (void)dns_view_getpeertsig(zone->view, &primaryip, &key); |
14524 | 0 | } |
14525 | | |
14526 | | /* FIXME(OS): Do we need the transport here too? Most probably yes */ |
14527 | |
|
14528 | 0 | reqnsid = zone->view->requestnsid; |
14529 | 0 | if (zone->view->peers != NULL) { |
14530 | 0 | dns_peer_t *peer = NULL; |
14531 | 0 | bool edns; |
14532 | 0 | result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, |
14533 | 0 | &peer); |
14534 | 0 | if (result == ISC_R_SUCCESS) { |
14535 | 0 | result = dns_peer_getsupportedns(peer, &edns); |
14536 | 0 | if (result == ISC_R_SUCCESS && !edns) { |
14537 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS); |
14538 | 0 | } |
14539 | 0 | result = dns_peer_gettransfersource(peer, |
14540 | 0 | &zone->sourceaddr); |
14541 | 0 | if (result == ISC_R_SUCCESS) { |
14542 | 0 | have_xfrsource = true; |
14543 | 0 | } |
14544 | 0 | udpsize = dns_view_getudpsize(zone->view); |
14545 | 0 | (void)dns_peer_getudpsize(peer, &udpsize); |
14546 | 0 | (void)dns_peer_getrequestnsid(peer, &reqnsid); |
14547 | 0 | } |
14548 | 0 | } |
14549 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) { |
14550 | 0 | result = add_opt(message, udpsize, reqnsid, false); |
14551 | 0 | if (result != ISC_R_SUCCESS) { |
14552 | 0 | zone_debuglog(zone, __func__, 1, |
14553 | 0 | "unable to add opt record: %s", |
14554 | 0 | isc_result_totext(result)); |
14555 | 0 | } |
14556 | 0 | } |
14557 | | |
14558 | | /* |
14559 | | * Always use TCP so that we shouldn't truncate in additional section. |
14560 | | */ |
14561 | 0 | switch (isc_sockaddr_pf(&curraddr)) { |
14562 | 0 | case PF_INET: |
14563 | 0 | if (!have_xfrsource) { |
14564 | 0 | isc_sockaddr_t any; |
14565 | 0 | isc_sockaddr_any(&any); |
14566 | |
|
14567 | 0 | zone->sourceaddr = sourceaddr; |
14568 | 0 | if (isc_sockaddr_equal(&zone->sourceaddr, &any)) { |
14569 | 0 | zone->sourceaddr = zone->xfrsource4; |
14570 | 0 | } |
14571 | 0 | } |
14572 | 0 | break; |
14573 | 0 | case PF_INET6: |
14574 | 0 | if (!have_xfrsource) { |
14575 | 0 | isc_sockaddr_t any; |
14576 | 0 | isc_sockaddr_any6(&any); |
14577 | |
|
14578 | 0 | zone->sourceaddr = sourceaddr; |
14579 | 0 | if (isc_sockaddr_equal(&zone->sourceaddr, &any)) { |
14580 | 0 | zone->sourceaddr = zone->xfrsource6; |
14581 | 0 | } |
14582 | 0 | } |
14583 | 0 | break; |
14584 | 0 | default: |
14585 | 0 | result = ISC_R_NOTIMPLEMENTED; |
14586 | 0 | POST(result); |
14587 | 0 | goto cleanup; |
14588 | 0 | } |
14589 | 0 | timeout = 5; |
14590 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) { |
14591 | 0 | timeout = 30; |
14592 | 0 | } |
14593 | | |
14594 | | /* |
14595 | | * Save request parameters so we can reuse them later on |
14596 | | * for resolving missing glue A/AAAA records. |
14597 | | */ |
14598 | 0 | cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args)); |
14599 | 0 | cb_args->stub = stub; |
14600 | 0 | cb_args->tsig_key = key; |
14601 | 0 | cb_args->udpsize = udpsize; |
14602 | 0 | cb_args->timeout = timeout; |
14603 | 0 | cb_args->reqnsid = reqnsid; |
14604 | |
|
14605 | 0 | result = dns_request_create( |
14606 | 0 | zone->view->requestmgr, message, &zone->sourceaddr, &curraddr, |
14607 | 0 | NULL, NULL, DNS_REQUESTOPT_TCP, key, timeout * 3 + 1, timeout, |
14608 | 0 | 2, zone->loop, stub_callback, cb_args, &zone->request); |
14609 | 0 | if (result != ISC_R_SUCCESS) { |
14610 | 0 | zone_debuglog(zone, __func__, 1, |
14611 | 0 | "dns_request_create() failed: %s", |
14612 | 0 | isc_result_totext(result)); |
14613 | 0 | goto cleanup; |
14614 | 0 | } |
14615 | 0 | dns_message_detach(&message); |
14616 | 0 | goto unlock; |
14617 | | |
14618 | 0 | cleanup: |
14619 | 0 | cancel_refresh(zone); |
14620 | 0 | stub->magic = 0; |
14621 | 0 | if (stub->version != NULL) { |
14622 | 0 | dns_db_closeversion(stub->db, &stub->version, false); |
14623 | 0 | } |
14624 | 0 | if (stub->db != NULL) { |
14625 | 0 | dns_db_detach(&stub->db); |
14626 | 0 | } |
14627 | 0 | if (stub->zone != NULL) { |
14628 | 0 | zone_idetach(&stub->zone); |
14629 | 0 | } |
14630 | 0 | isc_mem_put(stub->mctx, stub, sizeof(*stub)); |
14631 | 0 | if (message != NULL) { |
14632 | 0 | dns_message_detach(&message); |
14633 | 0 | } |
14634 | 0 | unlock: |
14635 | 0 | if (key != NULL) { |
14636 | 0 | dns_tsigkey_detach(&key); |
14637 | 0 | } |
14638 | 0 | return; |
14639 | 0 | } |
14640 | | |
14641 | | /* |
14642 | | * Shut the zone down. |
14643 | | */ |
14644 | | static void |
14645 | 0 | zone_shutdown(void *arg) { |
14646 | 0 | dns_zone_t *zone = (dns_zone_t *)arg; |
14647 | 0 | bool free_needed, linked = false; |
14648 | 0 | dns_zone_t *raw = NULL, *secure = NULL; |
14649 | 0 | dns_view_t *view = NULL, *prev_view = NULL; |
14650 | |
|
14651 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
14652 | 0 | INSIST(isc_refcount_current(&zone->references) == 0); |
14653 | |
|
14654 | 0 | zone_debuglog(zone, __func__, 3, "shutting down"); |
14655 | | |
14656 | | /* |
14657 | | * If we were waiting for xfrin quota, step out of |
14658 | | * the queue. |
14659 | | * If there's no zone manager, we can't be waiting for the |
14660 | | * xfrin quota |
14661 | | */ |
14662 | 0 | if (zone->zmgr != NULL) { |
14663 | 0 | RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write); |
14664 | 0 | if (zone->statelist == &zone->zmgr->waiting_for_xfrin) { |
14665 | 0 | ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone, |
14666 | 0 | statelink); |
14667 | 0 | linked = true; |
14668 | 0 | zone->statelist = NULL; |
14669 | 0 | } |
14670 | 0 | if (zone->statelist == &zone->zmgr->xfrin_in_progress) { |
14671 | 0 | ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, |
14672 | 0 | statelink); |
14673 | 0 | zone->statelist = NULL; |
14674 | 0 | zmgr_resume_xfrs(zone->zmgr, false); |
14675 | 0 | } |
14676 | 0 | RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write); |
14677 | 0 | } |
14678 | | |
14679 | | /* |
14680 | | * In loop context, no locking required. See zone_xfrdone(). |
14681 | | */ |
14682 | 0 | if (zone->xfr != NULL) { |
14683 | | /* The final detach will happen in zone_xfrdone() */ |
14684 | 0 | dns_xfrin_shutdown(zone->xfr); |
14685 | 0 | } |
14686 | | |
14687 | | /* Safe to release the zone now */ |
14688 | 0 | if (zone->zmgr != NULL) { |
14689 | 0 | dns_zonemgr_releasezone(zone->zmgr, zone); |
14690 | 0 | } |
14691 | |
|
14692 | 0 | LOCK_ZONE(zone); |
14693 | 0 | INSIST(zone != zone->raw); |
14694 | | |
14695 | | /* |
14696 | | * Detach the views early, we don't need them anymore. However, we need |
14697 | | * to detach them outside of the zone lock to break the lock loop |
14698 | | * between view, adb and zone locks. |
14699 | | */ |
14700 | 0 | view = zone->view; |
14701 | 0 | zone->view = NULL; |
14702 | 0 | prev_view = zone->prev_view; |
14703 | 0 | zone->prev_view = NULL; |
14704 | |
|
14705 | 0 | if (linked) { |
14706 | 0 | isc_refcount_decrement(&zone->irefs); |
14707 | 0 | } |
14708 | 0 | if (zone->request != NULL) { |
14709 | 0 | dns_request_cancel(zone->request); |
14710 | 0 | } |
14711 | |
|
14712 | 0 | if (zone->loadctx != NULL) { |
14713 | 0 | dns_loadctx_cancel(zone->loadctx); |
14714 | 0 | } |
14715 | |
|
14716 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) || |
14717 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
14718 | 0 | { |
14719 | 0 | if (zone->dumpctx != NULL) { |
14720 | 0 | dns_dumpctx_cancel(zone->dumpctx); |
14721 | 0 | } |
14722 | 0 | } |
14723 | |
|
14724 | 0 | checkds_cancel(zone); |
14725 | |
|
14726 | 0 | notify_cancel(zone); |
14727 | |
|
14728 | 0 | forward_cancel(zone); |
14729 | |
|
14730 | 0 | if (zone->timer != NULL) { |
14731 | 0 | isc_refcount_decrement(&zone->irefs); |
14732 | 0 | isc_timer_destroy(&zone->timer); |
14733 | 0 | } |
14734 | | |
14735 | | /* |
14736 | | * We have now canceled everything set the flag to allow exit_check() |
14737 | | * to succeed. We must not unlock between setting this flag and |
14738 | | * calling exit_check(). |
14739 | | */ |
14740 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN); |
14741 | 0 | free_needed = exit_check(zone); |
14742 | | /* |
14743 | | * If a dump is in progress for the secure zone, defer detaching from |
14744 | | * the raw zone as it may prevent the unsigned serial number from being |
14745 | | * stored in the raw-format dump of the secure zone. In this scenario, |
14746 | | * dump_done() takes care of cleaning up the zone->raw reference. |
14747 | | */ |
14748 | 0 | if (inline_secure(zone) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) { |
14749 | 0 | raw = zone->raw; |
14750 | 0 | zone->raw = NULL; |
14751 | 0 | } |
14752 | 0 | if (inline_raw(zone)) { |
14753 | 0 | secure = zone->secure; |
14754 | 0 | zone->secure = NULL; |
14755 | 0 | } |
14756 | 0 | UNLOCK_ZONE(zone); |
14757 | |
|
14758 | 0 | if (view != NULL) { |
14759 | 0 | dns_view_weakdetach(&view); |
14760 | 0 | } |
14761 | 0 | if (prev_view != NULL) { |
14762 | 0 | dns_view_weakdetach(&prev_view); |
14763 | 0 | } |
14764 | |
|
14765 | 0 | if (raw != NULL) { |
14766 | 0 | dns_zone_detach(&raw); |
14767 | 0 | } |
14768 | 0 | if (secure != NULL) { |
14769 | 0 | dns_zone_idetach(&secure); |
14770 | 0 | } |
14771 | 0 | if (free_needed) { |
14772 | 0 | zone_free(zone); |
14773 | 0 | } |
14774 | 0 | } |
14775 | | |
14776 | | static void |
14777 | 0 | zone_timer(void *arg) { |
14778 | 0 | dns_zone_t *zone = (dns_zone_t *)arg; |
14779 | |
|
14780 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
14781 | |
|
14782 | 0 | zone_maintenance(zone); |
14783 | 0 | } |
14784 | | |
14785 | | static void |
14786 | 0 | zone_timer_stop(dns_zone_t *zone) { |
14787 | 0 | zone_debuglog(zone, __func__, 10, "stop zone timer"); |
14788 | 0 | if (zone->timer != NULL) { |
14789 | 0 | isc_timer_stop(zone->timer); |
14790 | 0 | } |
14791 | 0 | } |
14792 | | |
14793 | | static void |
14794 | 0 | zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now) { |
14795 | 0 | isc_interval_t interval; |
14796 | |
|
14797 | 0 | if (isc_time_compare(next, now) <= 0) { |
14798 | 0 | isc_interval_set(&interval, 0, 0); |
14799 | 0 | } else { |
14800 | 0 | isc_time_subtract(next, now, &interval); |
14801 | 0 | } |
14802 | |
|
14803 | 0 | if (zone->loop == NULL) { |
14804 | 0 | zone_debuglog(zone, __func__, 10, "zone is not managed"); |
14805 | 0 | } else if (zone->timer == NULL) { |
14806 | 0 | isc_refcount_increment0(&zone->irefs); |
14807 | 0 | isc_timer_create(zone->loop, zone_timer, zone, &zone->timer); |
14808 | 0 | } |
14809 | 0 | if (zone->timer != NULL) { |
14810 | 0 | isc_timer_start(zone->timer, isc_timertype_once, &interval); |
14811 | 0 | } |
14812 | 0 | } |
14813 | | |
14814 | | static void |
14815 | 0 | zone__settimer(void *arg) { |
14816 | 0 | zone_settimer_t *data = arg; |
14817 | 0 | dns_zone_t *zone = data->zone; |
14818 | 0 | isc_time_t *now = &data->now; |
14819 | 0 | isc_time_t next; |
14820 | 0 | bool free_needed = false; |
14821 | |
|
14822 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
14823 | 0 | ENTER; |
14824 | |
|
14825 | 0 | LOCK_ZONE(zone); |
14826 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
14827 | 0 | goto free; |
14828 | 0 | } |
14829 | 0 | isc_time_settoepoch(&next); |
14830 | |
|
14831 | 0 | switch (zone->type) { |
14832 | 0 | case dns_zone_redirect: |
14833 | 0 | if (dns_remote_addresses(&zone->primaries) != NULL) { |
14834 | 0 | goto treat_as_secondary; |
14835 | 0 | } |
14836 | 0 | FALLTHROUGH; |
14837 | 0 | case dns_zone_primary: |
14838 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || |
14839 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) |
14840 | 0 | { |
14841 | 0 | next = zone->notifytime; |
14842 | 0 | } |
14843 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
14844 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
14845 | 0 | { |
14846 | 0 | INSIST(!isc_time_isepoch(&zone->dumptime)); |
14847 | 0 | if (isc_time_isepoch(&next) || |
14848 | 0 | isc_time_compare(&zone->dumptime, &next) < 0) |
14849 | 0 | { |
14850 | 0 | next = zone->dumptime; |
14851 | 0 | } |
14852 | 0 | } |
14853 | 0 | if (zone->type == dns_zone_redirect) { |
14854 | 0 | break; |
14855 | 0 | } |
14856 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) && |
14857 | 0 | !isc_time_isepoch(&zone->refreshkeytime)) |
14858 | 0 | { |
14859 | 0 | if (isc_time_isepoch(&next) || |
14860 | 0 | isc_time_compare(&zone->refreshkeytime, &next) < 0) |
14861 | 0 | { |
14862 | 0 | next = zone->refreshkeytime; |
14863 | 0 | } |
14864 | 0 | } |
14865 | 0 | if (!isc_time_isepoch(&zone->resigntime)) { |
14866 | 0 | if (isc_time_isepoch(&next) || |
14867 | 0 | isc_time_compare(&zone->resigntime, &next) < 0) |
14868 | 0 | { |
14869 | 0 | next = zone->resigntime; |
14870 | 0 | } |
14871 | 0 | } |
14872 | 0 | if (!isc_time_isepoch(&zone->keywarntime)) { |
14873 | 0 | if (isc_time_isepoch(&next) || |
14874 | 0 | isc_time_compare(&zone->keywarntime, &next) < 0) |
14875 | 0 | { |
14876 | 0 | next = zone->keywarntime; |
14877 | 0 | } |
14878 | 0 | } |
14879 | 0 | if (!isc_time_isepoch(&zone->signingtime)) { |
14880 | 0 | if (isc_time_isepoch(&next) || |
14881 | 0 | isc_time_compare(&zone->signingtime, &next) < 0) |
14882 | 0 | { |
14883 | 0 | next = zone->signingtime; |
14884 | 0 | } |
14885 | 0 | } |
14886 | 0 | if (!isc_time_isepoch(&zone->nsec3chaintime)) { |
14887 | 0 | if (isc_time_isepoch(&next) || |
14888 | 0 | isc_time_compare(&zone->nsec3chaintime, &next) < 0) |
14889 | 0 | { |
14890 | 0 | next = zone->nsec3chaintime; |
14891 | 0 | } |
14892 | 0 | } |
14893 | 0 | break; |
14894 | | |
14895 | 0 | case dns_zone_secondary: |
14896 | 0 | case dns_zone_mirror: |
14897 | 0 | treat_as_secondary: |
14898 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || |
14899 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) |
14900 | 0 | { |
14901 | 0 | next = zone->notifytime; |
14902 | 0 | } |
14903 | 0 | FALLTHROUGH; |
14904 | 0 | case dns_zone_stub: |
14905 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) && |
14906 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOPRIMARIES) && |
14907 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) && |
14908 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING) && |
14909 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) && |
14910 | 0 | !isc_time_isepoch(&zone->refreshtime) && |
14911 | 0 | (isc_time_isepoch(&next) || |
14912 | 0 | isc_time_compare(&zone->refreshtime, &next) < 0)) |
14913 | 0 | { |
14914 | 0 | next = zone->refreshtime; |
14915 | 0 | } |
14916 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && |
14917 | 0 | !isc_time_isepoch(&zone->expiretime)) |
14918 | 0 | { |
14919 | 0 | if (isc_time_isepoch(&next) || |
14920 | 0 | isc_time_compare(&zone->expiretime, &next) < 0) |
14921 | 0 | { |
14922 | 0 | next = zone->expiretime; |
14923 | 0 | } |
14924 | 0 | } |
14925 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
14926 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
14927 | 0 | { |
14928 | 0 | INSIST(!isc_time_isepoch(&zone->dumptime)); |
14929 | 0 | if (isc_time_isepoch(&next) || |
14930 | 0 | isc_time_compare(&zone->dumptime, &next) < 0) |
14931 | 0 | { |
14932 | 0 | next = zone->dumptime; |
14933 | 0 | } |
14934 | 0 | } |
14935 | 0 | break; |
14936 | | |
14937 | 0 | case dns_zone_key: |
14938 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) && |
14939 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) |
14940 | 0 | { |
14941 | 0 | INSIST(!isc_time_isepoch(&zone->dumptime)); |
14942 | 0 | if (isc_time_isepoch(&next) || |
14943 | 0 | isc_time_compare(&zone->dumptime, &next) < 0) |
14944 | 0 | { |
14945 | 0 | next = zone->dumptime; |
14946 | 0 | } |
14947 | 0 | } |
14948 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) { |
14949 | 0 | if (isc_time_isepoch(&next) || |
14950 | 0 | (!isc_time_isepoch(&zone->refreshkeytime) && |
14951 | 0 | isc_time_compare(&zone->refreshkeytime, &next) < |
14952 | 0 | 0)) |
14953 | 0 | { |
14954 | 0 | next = zone->refreshkeytime; |
14955 | 0 | } |
14956 | 0 | } |
14957 | 0 | break; |
14958 | | |
14959 | 0 | default: |
14960 | 0 | break; |
14961 | 0 | } |
14962 | | |
14963 | 0 | if (isc_time_isepoch(&next)) { |
14964 | 0 | zone_timer_stop(zone); |
14965 | 0 | } else { |
14966 | 0 | zone_timer_set(zone, &next, now); |
14967 | 0 | } |
14968 | |
|
14969 | 0 | free: |
14970 | 0 | isc_mem_put(zone->mctx, data, sizeof(*data)); |
14971 | 0 | isc_refcount_decrement(&zone->irefs); |
14972 | 0 | free_needed = exit_check(zone); |
14973 | 0 | UNLOCK_ZONE(zone); |
14974 | 0 | if (free_needed) { |
14975 | 0 | zone_free(zone); |
14976 | 0 | } |
14977 | 0 | } |
14978 | | |
14979 | | static void |
14980 | 0 | zone_settimer(dns_zone_t *zone, isc_time_t *now) { |
14981 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
14982 | 0 | return; |
14983 | 0 | } |
14984 | | |
14985 | 0 | zone_settimer_t *arg = isc_mem_get(zone->mctx, sizeof(*arg)); |
14986 | 0 | *arg = (zone_settimer_t){ |
14987 | 0 | .zone = zone, |
14988 | 0 | .now = *now, |
14989 | 0 | }; |
14990 | 0 | isc_refcount_increment0(&zone->irefs); |
14991 | 0 | isc_async_run(zone->loop, zone__settimer, arg); |
14992 | 0 | } |
14993 | | |
14994 | | static void |
14995 | 0 | cancel_refresh(dns_zone_t *zone) { |
14996 | 0 | isc_time_t now; |
14997 | | |
14998 | | /* |
14999 | | * 'zone' locked by caller. |
15000 | | */ |
15001 | |
|
15002 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15003 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
15004 | |
|
15005 | 0 | ENTER; |
15006 | |
|
15007 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
15008 | 0 | now = isc_time_now(); |
15009 | 0 | zone_settimer(zone, &now); |
15010 | 0 | } |
15011 | | |
15012 | | static isc_result_t |
15013 | | notify_createmessage(dns_zone_t *zone, unsigned int flags, |
15014 | 0 | dns_message_t **messagep) { |
15015 | 0 | dns_db_t *zonedb = NULL; |
15016 | 0 | dns_dbnode_t *node = NULL; |
15017 | 0 | dns_dbversion_t *version = NULL; |
15018 | 0 | dns_message_t *message = NULL; |
15019 | 0 | dns_rdataset_t rdataset; |
15020 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
15021 | |
|
15022 | 0 | dns_name_t *tempname = NULL; |
15023 | 0 | dns_rdata_t *temprdata = NULL; |
15024 | 0 | dns_rdatalist_t *temprdatalist = NULL; |
15025 | 0 | dns_rdataset_t *temprdataset = NULL; |
15026 | |
|
15027 | 0 | isc_result_t result; |
15028 | 0 | isc_region_t r; |
15029 | 0 | isc_buffer_t *b = NULL; |
15030 | |
|
15031 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15032 | 0 | REQUIRE(messagep != NULL && *messagep == NULL); |
15033 | |
|
15034 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER, |
15035 | 0 | &message); |
15036 | |
|
15037 | 0 | message->opcode = dns_opcode_notify; |
15038 | 0 | message->flags |= DNS_MESSAGEFLAG_AA; |
15039 | 0 | message->rdclass = zone->rdclass; |
15040 | |
|
15041 | 0 | dns_message_gettempname(message, &tempname); |
15042 | |
|
15043 | 0 | dns_message_gettemprdataset(message, &temprdataset); |
15044 | | |
15045 | | /* |
15046 | | * Make question. |
15047 | | */ |
15048 | 0 | dns_name_clone(&zone->origin, tempname); |
15049 | 0 | dns_rdataset_makequestion(temprdataset, zone->rdclass, |
15050 | 0 | dns_rdatatype_soa); |
15051 | 0 | ISC_LIST_APPEND(tempname->list, temprdataset, link); |
15052 | 0 | dns_message_addname(message, tempname, DNS_SECTION_QUESTION); |
15053 | 0 | tempname = NULL; |
15054 | 0 | temprdataset = NULL; |
15055 | |
|
15056 | 0 | if ((flags & DNS_NOTIFY_NOSOA) != 0) { |
15057 | 0 | goto done; |
15058 | 0 | } |
15059 | | |
15060 | 0 | dns_message_gettempname(message, &tempname); |
15061 | 0 | dns_message_gettemprdata(message, &temprdata); |
15062 | 0 | dns_message_gettemprdataset(message, &temprdataset); |
15063 | 0 | dns_message_gettemprdatalist(message, &temprdatalist); |
15064 | |
|
15065 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
15066 | 0 | INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */ |
15067 | 0 | dns_db_attach(zone->db, &zonedb); |
15068 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
15069 | |
|
15070 | 0 | dns_name_clone(&zone->origin, tempname); |
15071 | 0 | dns_db_currentversion(zonedb, &version); |
15072 | 0 | result = dns_db_findnode(zonedb, tempname, false, &node); |
15073 | 0 | if (result != ISC_R_SUCCESS) { |
15074 | 0 | goto soa_cleanup; |
15075 | 0 | } |
15076 | | |
15077 | 0 | dns_rdataset_init(&rdataset); |
15078 | 0 | result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa, |
15079 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
15080 | 0 | if (result != ISC_R_SUCCESS) { |
15081 | 0 | goto soa_cleanup; |
15082 | 0 | } |
15083 | 0 | result = dns_rdataset_first(&rdataset); |
15084 | 0 | if (result != ISC_R_SUCCESS) { |
15085 | 0 | goto soa_cleanup; |
15086 | 0 | } |
15087 | 0 | dns_rdataset_current(&rdataset, &rdata); |
15088 | 0 | dns_rdata_toregion(&rdata, &r); |
15089 | 0 | isc_buffer_allocate(zone->mctx, &b, r.length); |
15090 | 0 | isc_buffer_putmem(b, r.base, r.length); |
15091 | 0 | isc_buffer_usedregion(b, &r); |
15092 | 0 | dns_rdata_init(temprdata); |
15093 | 0 | dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r); |
15094 | 0 | dns_message_takebuffer(message, &b); |
15095 | 0 | result = dns_rdataset_next(&rdataset); |
15096 | 0 | dns_rdataset_disassociate(&rdataset); |
15097 | 0 | if (result != ISC_R_NOMORE) { |
15098 | 0 | goto soa_cleanup; |
15099 | 0 | } |
15100 | 0 | temprdatalist->rdclass = rdata.rdclass; |
15101 | 0 | temprdatalist->type = rdata.type; |
15102 | 0 | temprdatalist->ttl = rdataset.ttl; |
15103 | 0 | ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link); |
15104 | |
|
15105 | 0 | dns_rdatalist_tordataset(temprdatalist, temprdataset); |
15106 | |
|
15107 | 0 | ISC_LIST_APPEND(tempname->list, temprdataset, link); |
15108 | 0 | dns_message_addname(message, tempname, DNS_SECTION_ANSWER); |
15109 | 0 | temprdatalist = NULL; |
15110 | 0 | temprdataset = NULL; |
15111 | 0 | temprdata = NULL; |
15112 | 0 | tempname = NULL; |
15113 | |
|
15114 | 0 | soa_cleanup: |
15115 | 0 | if (node != NULL) { |
15116 | 0 | dns_db_detachnode(zonedb, &node); |
15117 | 0 | } |
15118 | 0 | if (version != NULL) { |
15119 | 0 | dns_db_closeversion(zonedb, &version, false); |
15120 | 0 | } |
15121 | 0 | if (zonedb != NULL) { |
15122 | 0 | dns_db_detach(&zonedb); |
15123 | 0 | } |
15124 | 0 | if (tempname != NULL) { |
15125 | 0 | dns_message_puttempname(message, &tempname); |
15126 | 0 | } |
15127 | 0 | if (temprdata != NULL) { |
15128 | 0 | dns_message_puttemprdata(message, &temprdata); |
15129 | 0 | } |
15130 | 0 | if (temprdataset != NULL) { |
15131 | 0 | dns_message_puttemprdataset(message, &temprdataset); |
15132 | 0 | } |
15133 | 0 | if (temprdatalist != NULL) { |
15134 | 0 | dns_message_puttemprdatalist(message, &temprdatalist); |
15135 | 0 | } |
15136 | |
|
15137 | 0 | done: |
15138 | 0 | *messagep = message; |
15139 | 0 | return (ISC_R_SUCCESS); |
15140 | 0 | } |
15141 | | |
15142 | | isc_result_t |
15143 | | dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, |
15144 | 0 | isc_sockaddr_t *to, dns_message_t *msg) { |
15145 | 0 | unsigned int i; |
15146 | 0 | dns_rdata_soa_t soa; |
15147 | 0 | dns_rdataset_t *rdataset = NULL; |
15148 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
15149 | 0 | isc_result_t result; |
15150 | 0 | char fromtext[ISC_SOCKADDR_FORMATSIZE]; |
15151 | 0 | int match = 0; |
15152 | 0 | isc_netaddr_t netaddr; |
15153 | 0 | uint32_t serial = 0; |
15154 | 0 | bool have_serial = false; |
15155 | 0 | dns_tsigkey_t *tsigkey; |
15156 | 0 | const dns_name_t *tsig; |
15157 | |
|
15158 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15159 | | |
15160 | | /* |
15161 | | * If type != T_SOA return DNS_R_NOTIMP. We don't yet support |
15162 | | * ROLLOVER. |
15163 | | * |
15164 | | * SOA: RFC1996 |
15165 | | * Check that 'from' is a valid notify source, (zone->primaries). |
15166 | | * Return DNS_R_REFUSED if not. |
15167 | | * |
15168 | | * If the notify message contains a serial number check it |
15169 | | * against the zones serial and return if <= current serial |
15170 | | * |
15171 | | * If a refresh check is progress, if so just record the |
15172 | | * fact we received a NOTIFY and from where and return. |
15173 | | * We will perform a new refresh check when the current one |
15174 | | * completes. Return ISC_R_SUCCESS. |
15175 | | * |
15176 | | * Otherwise initiate a refresh check using 'from' as the |
15177 | | * first address to check. Return ISC_R_SUCCESS. |
15178 | | */ |
15179 | |
|
15180 | 0 | isc_sockaddr_format(from, fromtext, sizeof(fromtext)); |
15181 | | |
15182 | | /* |
15183 | | * Notify messages are processed by the raw zone. |
15184 | | */ |
15185 | 0 | LOCK_ZONE(zone); |
15186 | 0 | INSIST(zone != zone->raw); |
15187 | 0 | if (inline_secure(zone)) { |
15188 | 0 | result = dns_zone_notifyreceive(zone->raw, from, to, msg); |
15189 | 0 | UNLOCK_ZONE(zone); |
15190 | 0 | return (result); |
15191 | 0 | } |
15192 | | /* |
15193 | | * We only handle NOTIFY (SOA) at the present. |
15194 | | */ |
15195 | 0 | if (isc_sockaddr_pf(from) == PF_INET) { |
15196 | 0 | inc_stats(zone, dns_zonestatscounter_notifyinv4); |
15197 | 0 | } else { |
15198 | 0 | inc_stats(zone, dns_zonestatscounter_notifyinv6); |
15199 | 0 | } |
15200 | 0 | if (msg->counts[DNS_SECTION_QUESTION] == 0 || |
15201 | 0 | dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin, |
15202 | 0 | dns_rdatatype_soa, dns_rdatatype_none, NULL, |
15203 | 0 | NULL) != ISC_R_SUCCESS) |
15204 | 0 | { |
15205 | 0 | UNLOCK_ZONE(zone); |
15206 | 0 | if (msg->counts[DNS_SECTION_QUESTION] == 0) { |
15207 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
15208 | 0 | "NOTIFY with no " |
15209 | 0 | "question section from: %s", |
15210 | 0 | fromtext); |
15211 | 0 | return (DNS_R_FORMERR); |
15212 | 0 | } |
15213 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
15214 | 0 | "NOTIFY zone does not match"); |
15215 | 0 | return (DNS_R_NOTIMP); |
15216 | 0 | } |
15217 | | |
15218 | | /* |
15219 | | * If we are a primary zone just succeed. |
15220 | | */ |
15221 | 0 | if (zone->type == dns_zone_primary) { |
15222 | 0 | UNLOCK_ZONE(zone); |
15223 | 0 | return (ISC_R_SUCCESS); |
15224 | 0 | } |
15225 | | |
15226 | 0 | isc_netaddr_fromsockaddr(&netaddr, from); |
15227 | 0 | for (i = 0; i < dns_remote_count(&zone->primaries); i++) { |
15228 | 0 | isc_sockaddr_t sockaddr = dns_remote_addr(&zone->primaries, i); |
15229 | 0 | if (isc_sockaddr_eqaddr(from, &sockaddr)) { |
15230 | 0 | break; |
15231 | 0 | } |
15232 | 0 | if (zone->view->aclenv->match_mapped && |
15233 | 0 | IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) && |
15234 | 0 | isc_sockaddr_pf(&sockaddr) == AF_INET) |
15235 | 0 | { |
15236 | 0 | isc_netaddr_t na1, na2; |
15237 | 0 | isc_netaddr_fromv4mapped(&na1, &netaddr); |
15238 | 0 | isc_netaddr_fromsockaddr(&na2, &sockaddr); |
15239 | 0 | if (isc_netaddr_equal(&na1, &na2)) { |
15240 | 0 | break; |
15241 | 0 | } |
15242 | 0 | } |
15243 | 0 | } |
15244 | | |
15245 | | /* |
15246 | | * Accept notify requests from non primaries if they are on |
15247 | | * 'zone->notify_acl'. |
15248 | | */ |
15249 | 0 | tsigkey = dns_message_gettsigkey(msg); |
15250 | 0 | tsig = dns_tsigkey_identity(tsigkey); |
15251 | 0 | if (i >= dns_remote_count(&zone->primaries) && |
15252 | 0 | zone->notify_acl != NULL && |
15253 | 0 | (dns_acl_match(&netaddr, tsig, zone->notify_acl, zone->view->aclenv, |
15254 | 0 | &match, NULL) == ISC_R_SUCCESS) && |
15255 | 0 | match > 0) |
15256 | 0 | { |
15257 | | /* Accept notify. */ |
15258 | 0 | } else if (i >= dns_remote_count(&zone->primaries)) { |
15259 | 0 | UNLOCK_ZONE(zone); |
15260 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
15261 | 0 | "refused notify from non-primary: %s", fromtext); |
15262 | 0 | inc_stats(zone, dns_zonestatscounter_notifyrej); |
15263 | 0 | return (DNS_R_REFUSED); |
15264 | 0 | } |
15265 | | |
15266 | | /* |
15267 | | * If the zone is loaded and there are answers check the serial |
15268 | | * to see if we need to do a refresh. Do not worry about this |
15269 | | * check if we are a dialup zone as we use the notify request |
15270 | | * to trigger a refresh check. |
15271 | | */ |
15272 | 0 | if (msg->counts[DNS_SECTION_ANSWER] > 0 && |
15273 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && |
15274 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) |
15275 | 0 | { |
15276 | 0 | result = dns_message_findname( |
15277 | 0 | msg, DNS_SECTION_ANSWER, &zone->origin, |
15278 | 0 | dns_rdatatype_soa, dns_rdatatype_none, NULL, &rdataset); |
15279 | 0 | if (result == ISC_R_SUCCESS) { |
15280 | 0 | result = dns_rdataset_first(rdataset); |
15281 | 0 | } |
15282 | 0 | if (result == ISC_R_SUCCESS) { |
15283 | 0 | uint32_t oldserial; |
15284 | 0 | unsigned int soacount; |
15285 | |
|
15286 | 0 | dns_rdataset_current(rdataset, &rdata); |
15287 | 0 | result = dns_rdata_tostruct(&rdata, &soa, NULL); |
15288 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
15289 | 0 | serial = soa.serial; |
15290 | 0 | have_serial = true; |
15291 | | /* |
15292 | | * The following should safely be performed without DB |
15293 | | * lock and succeed in this context. |
15294 | | */ |
15295 | 0 | result = zone_get_from_db(zone, zone->db, NULL, |
15296 | 0 | &soacount, NULL, &oldserial, |
15297 | 0 | NULL, NULL, NULL, NULL, NULL); |
15298 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
15299 | 0 | RUNTIME_CHECK(soacount > 0U); |
15300 | 0 | if (isc_serial_le(serial, oldserial)) { |
15301 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
15302 | 0 | "notify from %s: " |
15303 | 0 | "zone is up to date", |
15304 | 0 | fromtext); |
15305 | 0 | UNLOCK_ZONE(zone); |
15306 | 0 | return (ISC_R_SUCCESS); |
15307 | 0 | } |
15308 | 0 | } |
15309 | 0 | } |
15310 | | |
15311 | | /* |
15312 | | * If we got this far and there was a refresh in progress just |
15313 | | * let it complete. Record where we got the notify from so we |
15314 | | * can perform a refresh check when the current one completes |
15315 | | */ |
15316 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) { |
15317 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH); |
15318 | 0 | zone->notifyfrom = *from; |
15319 | 0 | UNLOCK_ZONE(zone); |
15320 | 0 | if (have_serial) { |
15321 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
15322 | 0 | "notify from %s: serial %u: refresh in " |
15323 | 0 | "progress, refresh check queued", |
15324 | 0 | fromtext, serial); |
15325 | 0 | } else { |
15326 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
15327 | 0 | "notify from %s: refresh in progress, " |
15328 | 0 | "refresh check queued", |
15329 | 0 | fromtext); |
15330 | 0 | } |
15331 | 0 | return (ISC_R_SUCCESS); |
15332 | 0 | } |
15333 | 0 | if (have_serial) { |
15334 | 0 | dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: serial %u", |
15335 | 0 | fromtext, serial); |
15336 | 0 | } else { |
15337 | 0 | dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: no serial", |
15338 | 0 | fromtext); |
15339 | 0 | } |
15340 | 0 | zone->notifyfrom = *from; |
15341 | 0 | UNLOCK_ZONE(zone); |
15342 | |
|
15343 | 0 | if (to != NULL) { |
15344 | 0 | dns_zonemgr_unreachabledel(zone->zmgr, from, to); |
15345 | 0 | } |
15346 | 0 | dns_zone_refresh(zone); |
15347 | 0 | return (ISC_R_SUCCESS); |
15348 | 0 | } |
15349 | | |
15350 | | void |
15351 | 0 | dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) { |
15352 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15353 | |
|
15354 | 0 | LOCK_ZONE(zone); |
15355 | 0 | if (zone->notify_acl != NULL) { |
15356 | 0 | dns_acl_detach(&zone->notify_acl); |
15357 | 0 | } |
15358 | 0 | dns_acl_attach(acl, &zone->notify_acl); |
15359 | 0 | UNLOCK_ZONE(zone); |
15360 | 0 | } |
15361 | | |
15362 | | void |
15363 | 0 | dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) { |
15364 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15365 | |
|
15366 | 0 | LOCK_ZONE(zone); |
15367 | 0 | if (zone->query_acl != NULL) { |
15368 | 0 | dns_acl_detach(&zone->query_acl); |
15369 | 0 | } |
15370 | 0 | dns_acl_attach(acl, &zone->query_acl); |
15371 | 0 | UNLOCK_ZONE(zone); |
15372 | 0 | } |
15373 | | |
15374 | | void |
15375 | 0 | dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) { |
15376 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15377 | |
|
15378 | 0 | LOCK_ZONE(zone); |
15379 | 0 | if (zone->queryon_acl != NULL) { |
15380 | 0 | dns_acl_detach(&zone->queryon_acl); |
15381 | 0 | } |
15382 | 0 | dns_acl_attach(acl, &zone->queryon_acl); |
15383 | 0 | UNLOCK_ZONE(zone); |
15384 | 0 | } |
15385 | | |
15386 | | void |
15387 | 0 | dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) { |
15388 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15389 | |
|
15390 | 0 | LOCK_ZONE(zone); |
15391 | 0 | if (zone->update_acl != NULL) { |
15392 | 0 | dns_acl_detach(&zone->update_acl); |
15393 | 0 | } |
15394 | 0 | dns_acl_attach(acl, &zone->update_acl); |
15395 | 0 | UNLOCK_ZONE(zone); |
15396 | 0 | } |
15397 | | |
15398 | | void |
15399 | 0 | dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) { |
15400 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15401 | |
|
15402 | 0 | LOCK_ZONE(zone); |
15403 | 0 | if (zone->forward_acl != NULL) { |
15404 | 0 | dns_acl_detach(&zone->forward_acl); |
15405 | 0 | } |
15406 | 0 | dns_acl_attach(acl, &zone->forward_acl); |
15407 | 0 | UNLOCK_ZONE(zone); |
15408 | 0 | } |
15409 | | |
15410 | | void |
15411 | 0 | dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) { |
15412 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15413 | |
|
15414 | 0 | LOCK_ZONE(zone); |
15415 | 0 | if (zone->xfr_acl != NULL) { |
15416 | 0 | dns_acl_detach(&zone->xfr_acl); |
15417 | 0 | } |
15418 | 0 | dns_acl_attach(acl, &zone->xfr_acl); |
15419 | 0 | UNLOCK_ZONE(zone); |
15420 | 0 | } |
15421 | | |
15422 | | dns_acl_t * |
15423 | 0 | dns_zone_getnotifyacl(dns_zone_t *zone) { |
15424 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15425 | |
|
15426 | 0 | return (zone->notify_acl); |
15427 | 0 | } |
15428 | | |
15429 | | dns_acl_t * |
15430 | 0 | dns_zone_getqueryacl(dns_zone_t *zone) { |
15431 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15432 | |
|
15433 | 0 | return (zone->query_acl); |
15434 | 0 | } |
15435 | | |
15436 | | dns_acl_t * |
15437 | 0 | dns_zone_getqueryonacl(dns_zone_t *zone) { |
15438 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15439 | |
|
15440 | 0 | return (zone->queryon_acl); |
15441 | 0 | } |
15442 | | |
15443 | | dns_acl_t * |
15444 | 0 | dns_zone_getupdateacl(dns_zone_t *zone) { |
15445 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15446 | |
|
15447 | 0 | return (zone->update_acl); |
15448 | 0 | } |
15449 | | |
15450 | | dns_acl_t * |
15451 | 0 | dns_zone_getforwardacl(dns_zone_t *zone) { |
15452 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15453 | |
|
15454 | 0 | return (zone->forward_acl); |
15455 | 0 | } |
15456 | | |
15457 | | dns_acl_t * |
15458 | 0 | dns_zone_getxfracl(dns_zone_t *zone) { |
15459 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15460 | |
|
15461 | 0 | return (zone->xfr_acl); |
15462 | 0 | } |
15463 | | |
15464 | | void |
15465 | 0 | dns_zone_clearupdateacl(dns_zone_t *zone) { |
15466 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15467 | |
|
15468 | 0 | LOCK_ZONE(zone); |
15469 | 0 | if (zone->update_acl != NULL) { |
15470 | 0 | dns_acl_detach(&zone->update_acl); |
15471 | 0 | } |
15472 | 0 | UNLOCK_ZONE(zone); |
15473 | 0 | } |
15474 | | |
15475 | | void |
15476 | 0 | dns_zone_clearforwardacl(dns_zone_t *zone) { |
15477 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15478 | |
|
15479 | 0 | LOCK_ZONE(zone); |
15480 | 0 | if (zone->forward_acl != NULL) { |
15481 | 0 | dns_acl_detach(&zone->forward_acl); |
15482 | 0 | } |
15483 | 0 | UNLOCK_ZONE(zone); |
15484 | 0 | } |
15485 | | |
15486 | | void |
15487 | 0 | dns_zone_clearnotifyacl(dns_zone_t *zone) { |
15488 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15489 | |
|
15490 | 0 | LOCK_ZONE(zone); |
15491 | 0 | if (zone->notify_acl != NULL) { |
15492 | 0 | dns_acl_detach(&zone->notify_acl); |
15493 | 0 | } |
15494 | 0 | UNLOCK_ZONE(zone); |
15495 | 0 | } |
15496 | | |
15497 | | void |
15498 | 0 | dns_zone_clearqueryacl(dns_zone_t *zone) { |
15499 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15500 | |
|
15501 | 0 | LOCK_ZONE(zone); |
15502 | 0 | if (zone->query_acl != NULL) { |
15503 | 0 | dns_acl_detach(&zone->query_acl); |
15504 | 0 | } |
15505 | 0 | UNLOCK_ZONE(zone); |
15506 | 0 | } |
15507 | | |
15508 | | void |
15509 | 0 | dns_zone_clearqueryonacl(dns_zone_t *zone) { |
15510 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15511 | |
|
15512 | 0 | LOCK_ZONE(zone); |
15513 | 0 | if (zone->queryon_acl != NULL) { |
15514 | 0 | dns_acl_detach(&zone->queryon_acl); |
15515 | 0 | } |
15516 | 0 | UNLOCK_ZONE(zone); |
15517 | 0 | } |
15518 | | |
15519 | | void |
15520 | 0 | dns_zone_clearxfracl(dns_zone_t *zone) { |
15521 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15522 | |
|
15523 | 0 | LOCK_ZONE(zone); |
15524 | 0 | if (zone->xfr_acl != NULL) { |
15525 | 0 | dns_acl_detach(&zone->xfr_acl); |
15526 | 0 | } |
15527 | 0 | UNLOCK_ZONE(zone); |
15528 | 0 | } |
15529 | | |
15530 | | bool |
15531 | 0 | dns_zone_getupdatedisabled(dns_zone_t *zone) { |
15532 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15533 | 0 | return (zone->update_disabled); |
15534 | 0 | } |
15535 | | |
15536 | | void |
15537 | 0 | dns_zone_setupdatedisabled(dns_zone_t *zone, bool state) { |
15538 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15539 | 0 | zone->update_disabled = state; |
15540 | 0 | } |
15541 | | |
15542 | | bool |
15543 | 0 | dns_zone_getzeronosoattl(dns_zone_t *zone) { |
15544 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15545 | 0 | return (zone->zero_no_soa_ttl); |
15546 | 0 | } |
15547 | | |
15548 | | void |
15549 | 0 | dns_zone_setzeronosoattl(dns_zone_t *zone, bool state) { |
15550 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15551 | 0 | zone->zero_no_soa_ttl = state; |
15552 | 0 | } |
15553 | | |
15554 | | void |
15555 | 0 | dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) { |
15556 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15557 | |
|
15558 | 0 | zone->check_names = severity; |
15559 | 0 | } |
15560 | | |
15561 | | dns_severity_t |
15562 | 0 | dns_zone_getchecknames(dns_zone_t *zone) { |
15563 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15564 | |
|
15565 | 0 | return (zone->check_names); |
15566 | 0 | } |
15567 | | |
15568 | | void |
15569 | 0 | dns_zone_setjournalsize(dns_zone_t *zone, int32_t size) { |
15570 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15571 | |
|
15572 | 0 | zone->journalsize = size; |
15573 | 0 | } |
15574 | | |
15575 | | int32_t |
15576 | 0 | dns_zone_getjournalsize(dns_zone_t *zone) { |
15577 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15578 | |
|
15579 | 0 | return (zone->journalsize); |
15580 | 0 | } |
15581 | | |
15582 | | static void |
15583 | 8 | zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) { |
15584 | 8 | isc_result_t result = ISC_R_FAILURE; |
15585 | 8 | isc_buffer_t buffer; |
15586 | | |
15587 | 8 | REQUIRE(buf != NULL); |
15588 | 8 | REQUIRE(length > 1U); |
15589 | | |
15590 | | /* |
15591 | | * Leave space for terminating '\0'. |
15592 | | */ |
15593 | 8 | isc_buffer_init(&buffer, buf, (unsigned int)length - 1); |
15594 | 8 | if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) { |
15595 | 8 | if (dns_name_dynamic(&zone->origin)) { |
15596 | 8 | result = dns_name_totext( |
15597 | 8 | &zone->origin, DNS_NAME_OMITFINALDOT, &buffer); |
15598 | 8 | } |
15599 | 8 | if (result != ISC_R_SUCCESS && |
15600 | 8 | isc_buffer_availablelength(&buffer) >= |
15601 | 0 | (sizeof("<UNKNOWN>") - 1)) |
15602 | 0 | { |
15603 | 0 | isc_buffer_putstr(&buffer, "<UNKNOWN>"); |
15604 | 0 | } |
15605 | | |
15606 | 8 | if (isc_buffer_availablelength(&buffer) > 0) { |
15607 | 8 | isc_buffer_putstr(&buffer, "/"); |
15608 | 8 | } |
15609 | 8 | (void)dns_rdataclass_totext(zone->rdclass, &buffer); |
15610 | 8 | } |
15611 | | |
15612 | 8 | if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 && |
15613 | 8 | strcmp(zone->view->name, "_default") != 0 && |
15614 | 8 | strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) |
15615 | 2 | { |
15616 | 2 | isc_buffer_putstr(&buffer, "/"); |
15617 | 2 | isc_buffer_putstr(&buffer, zone->view->name); |
15618 | 2 | } |
15619 | 8 | if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer)) { |
15620 | 0 | isc_buffer_putstr(&buffer, " (signed)"); |
15621 | 0 | } |
15622 | 8 | if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer)) { |
15623 | 0 | isc_buffer_putstr(&buffer, " (unsigned)"); |
15624 | 0 | } |
15625 | | |
15626 | 8 | buf[isc_buffer_usedlength(&buffer)] = '\0'; |
15627 | 8 | } |
15628 | | |
15629 | | static void |
15630 | 2 | zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) { |
15631 | 2 | isc_result_t result = ISC_R_FAILURE; |
15632 | 2 | isc_buffer_t buffer; |
15633 | | |
15634 | 2 | REQUIRE(buf != NULL); |
15635 | 2 | REQUIRE(length > 1U); |
15636 | | |
15637 | | /* |
15638 | | * Leave space for terminating '\0'. |
15639 | | */ |
15640 | 2 | isc_buffer_init(&buffer, buf, (unsigned int)length - 1); |
15641 | 2 | if (dns_name_dynamic(&zone->origin)) { |
15642 | 2 | result = dns_name_totext(&zone->origin, DNS_NAME_OMITFINALDOT, |
15643 | 2 | &buffer); |
15644 | 2 | } |
15645 | 2 | if (result != ISC_R_SUCCESS && |
15646 | 2 | isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1)) |
15647 | 0 | { |
15648 | 0 | isc_buffer_putstr(&buffer, "<UNKNOWN>"); |
15649 | 0 | } |
15650 | | |
15651 | 2 | buf[isc_buffer_usedlength(&buffer)] = '\0'; |
15652 | 2 | } |
15653 | | |
15654 | | static void |
15655 | 2 | zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) { |
15656 | 2 | isc_buffer_t buffer; |
15657 | | |
15658 | 2 | REQUIRE(buf != NULL); |
15659 | 2 | REQUIRE(length > 1U); |
15660 | | |
15661 | | /* |
15662 | | * Leave space for terminating '\0'. |
15663 | | */ |
15664 | 2 | isc_buffer_init(&buffer, buf, (unsigned int)length - 1); |
15665 | 2 | (void)dns_rdataclass_totext(zone->rdclass, &buffer); |
15666 | | |
15667 | 2 | buf[isc_buffer_usedlength(&buffer)] = '\0'; |
15668 | 2 | } |
15669 | | |
15670 | | static void |
15671 | 2 | zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) { |
15672 | 2 | isc_buffer_t buffer; |
15673 | | |
15674 | 2 | REQUIRE(buf != NULL); |
15675 | 2 | REQUIRE(length > 1U); |
15676 | | |
15677 | | /* |
15678 | | * Leave space for terminating '\0'. |
15679 | | */ |
15680 | 2 | isc_buffer_init(&buffer, buf, (unsigned int)length - 1); |
15681 | | |
15682 | 2 | if (zone->view == NULL) { |
15683 | 0 | isc_buffer_putstr(&buffer, "_none"); |
15684 | 2 | } else if (strlen(zone->view->name) < |
15685 | 2 | isc_buffer_availablelength(&buffer)) |
15686 | 2 | { |
15687 | 2 | isc_buffer_putstr(&buffer, zone->view->name); |
15688 | 2 | } else { |
15689 | 0 | isc_buffer_putstr(&buffer, "_toolong"); |
15690 | 0 | } |
15691 | | |
15692 | 2 | buf[isc_buffer_usedlength(&buffer)] = '\0'; |
15693 | 2 | } |
15694 | | |
15695 | | void |
15696 | 0 | dns_zone_name(dns_zone_t *zone, char *buf, size_t length) { |
15697 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15698 | 0 | REQUIRE(buf != NULL); |
15699 | |
|
15700 | 0 | LOCK_ZONE(zone); |
15701 | 0 | zone_namerd_tostr(zone, buf, length); |
15702 | 0 | UNLOCK_ZONE(zone); |
15703 | 0 | } |
15704 | | |
15705 | | void |
15706 | 0 | dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t length) { |
15707 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15708 | 0 | REQUIRE(buf != NULL); |
15709 | 0 | zone_name_tostr(zone, buf, length); |
15710 | 0 | } |
15711 | | |
15712 | | void |
15713 | | dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level, |
15714 | 16 | const char *prefix, const char *fmt, va_list ap) { |
15715 | 16 | char message[4096]; |
15716 | 16 | const char *zstr; |
15717 | | |
15718 | 16 | REQUIRE(DNS_ZONE_VALID(zone)); |
15719 | | |
15720 | 16 | if (!isc_log_wouldlog(dns_lctx, level)) { |
15721 | 16 | return; |
15722 | 16 | } |
15723 | | |
15724 | 0 | vsnprintf(message, sizeof(message), fmt, ap); |
15725 | |
|
15726 | 0 | switch (zone->type) { |
15727 | 0 | case dns_zone_key: |
15728 | 0 | zstr = "managed-keys-zone"; |
15729 | 0 | break; |
15730 | 0 | case dns_zone_redirect: |
15731 | 0 | zstr = "redirect-zone"; |
15732 | 0 | break; |
15733 | 0 | default: |
15734 | 0 | zstr = "zone "; |
15735 | 0 | } |
15736 | | |
15737 | 0 | isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE, level, |
15738 | 0 | "%s%s%s%s: %s", (prefix != NULL ? prefix : ""), |
15739 | 0 | (prefix != NULL ? ": " : ""), zstr, zone->strnamerd, |
15740 | 0 | message); |
15741 | 0 | } |
15742 | | |
15743 | | static void |
15744 | 0 | notify_log(dns_zone_t *zone, int level, const char *fmt, ...) { |
15745 | 0 | va_list ap; |
15746 | |
|
15747 | 0 | va_start(ap, fmt); |
15748 | 0 | dns_zone_logv(zone, DNS_LOGCATEGORY_NOTIFY, level, NULL, fmt, ap); |
15749 | 0 | va_end(ap); |
15750 | 0 | } |
15751 | | |
15752 | | void |
15753 | | dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level, |
15754 | 10 | const char *fmt, ...) { |
15755 | 10 | va_list ap; |
15756 | | |
15757 | 10 | va_start(ap, fmt); |
15758 | 10 | dns_zone_logv(zone, category, level, NULL, fmt, ap); |
15759 | 10 | va_end(ap); |
15760 | 10 | } |
15761 | | |
15762 | | void |
15763 | 0 | dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) { |
15764 | 0 | va_list ap; |
15765 | |
|
15766 | 0 | va_start(ap, fmt); |
15767 | 0 | dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, NULL, fmt, ap); |
15768 | 0 | va_end(ap); |
15769 | 0 | } |
15770 | | |
15771 | | static void |
15772 | | zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel, const char *fmt, |
15773 | 6 | ...) { |
15774 | 6 | int level = ISC_LOG_DEBUG(debuglevel); |
15775 | 6 | va_list ap; |
15776 | | |
15777 | 6 | va_start(ap, fmt); |
15778 | 6 | dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, me, fmt, ap); |
15779 | 6 | va_end(ap); |
15780 | 6 | } |
15781 | | |
15782 | | static void |
15783 | 0 | dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) { |
15784 | 0 | va_list ap; |
15785 | |
|
15786 | 0 | va_start(ap, fmt); |
15787 | 0 | dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap); |
15788 | 0 | va_end(ap); |
15789 | 0 | } |
15790 | | |
15791 | | static int |
15792 | 0 | message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type) { |
15793 | 0 | isc_result_t result; |
15794 | 0 | dns_name_t *name; |
15795 | 0 | dns_rdataset_t *curr; |
15796 | 0 | int count = 0; |
15797 | |
|
15798 | 0 | result = dns_message_firstname(msg, section); |
15799 | 0 | while (result == ISC_R_SUCCESS) { |
15800 | 0 | name = NULL; |
15801 | 0 | dns_message_currentname(msg, section, &name); |
15802 | |
|
15803 | 0 | for (curr = ISC_LIST_TAIL(name->list); curr != NULL; |
15804 | 0 | curr = ISC_LIST_PREV(curr, link)) |
15805 | 0 | { |
15806 | 0 | if (curr->type == type) { |
15807 | 0 | count++; |
15808 | 0 | } |
15809 | 0 | } |
15810 | 0 | result = dns_message_nextname(msg, section); |
15811 | 0 | } |
15812 | |
|
15813 | 0 | return (count); |
15814 | 0 | } |
15815 | | |
15816 | | void |
15817 | 0 | dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin) { |
15818 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15819 | |
|
15820 | 0 | zone->maxxfrin = maxxfrin; |
15821 | 0 | } |
15822 | | |
15823 | | uint32_t |
15824 | 0 | dns_zone_getmaxxfrin(dns_zone_t *zone) { |
15825 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15826 | |
|
15827 | 0 | return (zone->maxxfrin); |
15828 | 0 | } |
15829 | | |
15830 | | void |
15831 | 0 | dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout) { |
15832 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15833 | 0 | zone->maxxfrout = maxxfrout; |
15834 | 0 | } |
15835 | | |
15836 | | uint32_t |
15837 | 0 | dns_zone_getmaxxfrout(dns_zone_t *zone) { |
15838 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15839 | |
|
15840 | 0 | return (zone->maxxfrout); |
15841 | 0 | } |
15842 | | |
15843 | | dns_zonetype_t |
15844 | 521 | dns_zone_gettype(dns_zone_t *zone) { |
15845 | 521 | REQUIRE(DNS_ZONE_VALID(zone)); |
15846 | | |
15847 | 521 | return (zone->type); |
15848 | 521 | } |
15849 | | |
15850 | | const char * |
15851 | 0 | dns_zonetype_name(dns_zonetype_t type) { |
15852 | 0 | switch (type) { |
15853 | 0 | case dns_zone_none: |
15854 | 0 | return ("none"); |
15855 | 0 | case dns_zone_primary: |
15856 | 0 | return ("primary"); |
15857 | 0 | case dns_zone_secondary: |
15858 | 0 | return ("secondary"); |
15859 | 0 | case dns_zone_mirror: |
15860 | 0 | return ("mirror"); |
15861 | 0 | case dns_zone_stub: |
15862 | 0 | return ("stub"); |
15863 | 0 | case dns_zone_staticstub: |
15864 | 0 | return ("static-stub"); |
15865 | 0 | case dns_zone_key: |
15866 | 0 | return ("key"); |
15867 | 0 | case dns_zone_dlz: |
15868 | 0 | return ("dlz"); |
15869 | 0 | case dns_zone_redirect: |
15870 | 0 | return ("redirect"); |
15871 | 0 | default: |
15872 | 0 | return ("unknown"); |
15873 | 0 | } |
15874 | 0 | } |
15875 | | |
15876 | | dns_zonetype_t |
15877 | 0 | dns_zone_getredirecttype(dns_zone_t *zone) { |
15878 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15879 | 0 | REQUIRE(zone->type == dns_zone_redirect); |
15880 | |
|
15881 | 0 | return (dns_remote_addresses(&zone->primaries) == NULL |
15882 | 0 | ? dns_zone_primary |
15883 | 0 | : dns_zone_secondary); |
15884 | 0 | } |
15885 | | |
15886 | | dns_name_t * |
15887 | 346 | dns_zone_getorigin(dns_zone_t *zone) { |
15888 | 346 | REQUIRE(DNS_ZONE_VALID(zone)); |
15889 | | |
15890 | 346 | return (&zone->origin); |
15891 | 346 | } |
15892 | | |
15893 | | void |
15894 | 0 | dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein) { |
15895 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15896 | |
|
15897 | 0 | if (idlein == 0) { |
15898 | 0 | idlein = DNS_DEFAULT_IDLEIN; |
15899 | 0 | } |
15900 | 0 | zone->idlein = idlein; |
15901 | 0 | } |
15902 | | |
15903 | | uint32_t |
15904 | 0 | dns_zone_getidlein(dns_zone_t *zone) { |
15905 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15906 | |
|
15907 | 0 | return (zone->idlein); |
15908 | 0 | } |
15909 | | |
15910 | | void |
15911 | 0 | dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout) { |
15912 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15913 | |
|
15914 | 0 | zone->idleout = idleout; |
15915 | 0 | } |
15916 | | |
15917 | | uint32_t |
15918 | 0 | dns_zone_getidleout(dns_zone_t *zone) { |
15919 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
15920 | |
|
15921 | 0 | return (zone->idleout); |
15922 | 0 | } |
15923 | | |
15924 | | static void |
15925 | 0 | notify_done(void *arg) { |
15926 | 0 | dns_request_t *request = (dns_request_t *)arg; |
15927 | 0 | dns_notify_t *notify = dns_request_getarg(request); |
15928 | 0 | isc_result_t result; |
15929 | 0 | dns_message_t *message = NULL; |
15930 | 0 | isc_buffer_t buf; |
15931 | 0 | char rcode[128]; |
15932 | 0 | char addrbuf[ISC_SOCKADDR_FORMATSIZE]; |
15933 | |
|
15934 | 0 | REQUIRE(DNS_NOTIFY_VALID(notify)); |
15935 | |
|
15936 | 0 | isc_buffer_init(&buf, rcode, sizeof(rcode)); |
15937 | 0 | isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf)); |
15938 | 0 | dns_message_create(notify->zone->mctx, NULL, NULL, |
15939 | 0 | DNS_MESSAGE_INTENTPARSE, &message); |
15940 | |
|
15941 | 0 | result = dns_request_getresult(request); |
15942 | 0 | if (result != ISC_R_SUCCESS) { |
15943 | 0 | goto fail; |
15944 | 0 | } |
15945 | | |
15946 | 0 | result = dns_request_getresponse(request, message, |
15947 | 0 | DNS_MESSAGEPARSE_PRESERVEORDER); |
15948 | 0 | if (result != ISC_R_SUCCESS) { |
15949 | 0 | goto fail; |
15950 | 0 | } |
15951 | | |
15952 | 0 | result = dns_rcode_totext(message->rcode, &buf); |
15953 | 0 | if (result == ISC_R_SUCCESS) { |
15954 | 0 | notify_log(notify->zone, ISC_LOG_DEBUG(3), |
15955 | 0 | "notify response from %s: %.*s", addrbuf, |
15956 | 0 | (int)buf.used, rcode); |
15957 | 0 | } |
15958 | |
|
15959 | 0 | fail: |
15960 | 0 | dns_message_detach(&message); |
15961 | |
|
15962 | 0 | if (result == ISC_R_SUCCESS) { |
15963 | 0 | notify_log(notify->zone, ISC_LOG_DEBUG(1), |
15964 | 0 | "notify to %s successful", addrbuf); |
15965 | 0 | } else if (result == ISC_R_SHUTTINGDOWN || result == ISC_R_CANCELED) { |
15966 | | /* just destroy the notify */ |
15967 | 0 | } else if ((notify->flags & DNS_NOTIFY_TCP) == 0) { |
15968 | 0 | notify_log(notify->zone, ISC_LOG_NOTICE, |
15969 | 0 | "notify to %s failed: %s: retrying over TCP", |
15970 | 0 | addrbuf, isc_result_totext(result)); |
15971 | 0 | notify->flags |= DNS_NOTIFY_TCP; |
15972 | 0 | dns_request_destroy(¬ify->request); |
15973 | 0 | notify_send_queue(notify, (notify->flags & DNS_NOTIFY_STARTUP)); |
15974 | 0 | return; |
15975 | 0 | } else if (result == ISC_R_TIMEDOUT) { |
15976 | 0 | notify_log(notify->zone, ISC_LOG_WARNING, |
15977 | 0 | "notify to %s failed: %s: retries exceeded", addrbuf, |
15978 | 0 | isc_result_totext(result)); |
15979 | 0 | } else { |
15980 | 0 | notify_log(notify->zone, ISC_LOG_WARNING, |
15981 | 0 | "notify to %s failed: %s", addrbuf, |
15982 | 0 | isc_result_totext(result)); |
15983 | 0 | } |
15984 | 0 | notify_destroy(notify, false); |
15985 | 0 | } |
15986 | | |
15987 | | struct rss { |
15988 | | dns_zone_t *zone; |
15989 | | dns_db_t *db; |
15990 | | uint32_t serial; |
15991 | | ISC_LINK(struct rss) link; |
15992 | | }; |
15993 | | |
15994 | | static void |
15995 | 0 | update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) { |
15996 | 0 | UNUSED(arg); |
15997 | 0 | dns_zone_log(zone, level, "%s", message); |
15998 | 0 | } |
15999 | | |
16000 | | static isc_result_t |
16001 | | dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, isc_mem_t *mctx, |
16002 | 0 | dns_dnsseckeylist_t *keylist, bool *inuse) { |
16003 | 0 | isc_result_t result; |
16004 | 0 | dst_key_t *dstkey = NULL; |
16005 | |
|
16006 | 0 | result = dns_dnssec_keyfromrdata(dns_zone_getorigin(zone), rdata, mctx, |
16007 | 0 | &dstkey); |
16008 | 0 | if (result != ISC_R_SUCCESS) { |
16009 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16010 | 0 | "dns_dnssec_keyfromrdata() failed: %s", |
16011 | 0 | isc_result_totext(result)); |
16012 | 0 | return (result); |
16013 | 0 | } |
16014 | | |
16015 | 0 | for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL; |
16016 | 0 | k = ISC_LIST_NEXT(k, link)) |
16017 | 0 | { |
16018 | 0 | if (dst_key_pubcompare(k->key, dstkey, false)) { |
16019 | 0 | *inuse = true; |
16020 | 0 | break; |
16021 | 0 | } |
16022 | 0 | } |
16023 | |
|
16024 | 0 | dst_key_free(&dstkey); |
16025 | 0 | return (ISC_R_SUCCESS); |
16026 | 0 | } |
16027 | | |
16028 | | static isc_result_t |
16029 | | cdnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, |
16030 | 0 | dns_dnsseckeylist_t *keylist, bool *inuse) { |
16031 | 0 | isc_result_t result; |
16032 | 0 | dns_rdata_cdnskey_t cdnskey; |
16033 | |
|
16034 | 0 | result = dns_rdata_tostruct(rdata, &cdnskey, NULL); |
16035 | 0 | if (result != ISC_R_SUCCESS) { |
16036 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16037 | 0 | "dns_rdata_tostruct(cdnskey) failed: %s", |
16038 | 0 | isc_result_totext(result)); |
16039 | 0 | return (result); |
16040 | 0 | } |
16041 | | |
16042 | 0 | for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL; |
16043 | 0 | k = ISC_LIST_NEXT(k, link)) |
16044 | 0 | { |
16045 | 0 | dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT; |
16046 | 0 | unsigned char keybuf[DST_KEY_MAXSIZE]; |
16047 | |
|
16048 | 0 | result = dns_dnssec_make_dnskey(k->key, keybuf, sizeof(keybuf), |
16049 | 0 | &cdnskeyrdata); |
16050 | 0 | if (result != ISC_R_SUCCESS) { |
16051 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16052 | 0 | "dns_dnssec_make_dnskey() failed: %s", |
16053 | 0 | isc_result_totext(result)); |
16054 | 0 | return (result); |
16055 | 0 | } |
16056 | | |
16057 | 0 | cdnskeyrdata.type = dns_rdatatype_cdnskey; |
16058 | 0 | if (dns_rdata_compare(rdata, &cdnskeyrdata) == 0) { |
16059 | 0 | *inuse = true; |
16060 | 0 | break; |
16061 | 0 | } |
16062 | 0 | } |
16063 | | |
16064 | 0 | return (ISC_R_SUCCESS); |
16065 | 0 | } |
16066 | | |
16067 | | static isc_result_t |
16068 | | cds_inuse(dns_zone_t *zone, dns_rdata_t *rdata, dns_dnsseckeylist_t *keylist, |
16069 | 0 | bool *inuse) { |
16070 | 0 | isc_result_t result; |
16071 | 0 | dns_rdata_ds_t cds; |
16072 | |
|
16073 | 0 | result = dns_rdata_tostruct(rdata, &cds, NULL); |
16074 | 0 | if (result != ISC_R_SUCCESS) { |
16075 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16076 | 0 | "dns_rdata_tostruct(cds) failed: %s", |
16077 | 0 | isc_result_totext(result)); |
16078 | 0 | return (result); |
16079 | 0 | } |
16080 | | |
16081 | 0 | for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL; |
16082 | 0 | k = ISC_LIST_NEXT(k, link)) |
16083 | 0 | { |
16084 | 0 | dns_rdata_t dnskey = DNS_RDATA_INIT; |
16085 | 0 | dns_rdata_t cdsrdata = DNS_RDATA_INIT; |
16086 | 0 | unsigned char keybuf[DST_KEY_MAXSIZE]; |
16087 | 0 | unsigned char cdsbuf[DNS_DS_BUFFERSIZE]; |
16088 | |
|
16089 | 0 | if (dst_key_id(k->key) != cds.key_tag || |
16090 | 0 | dst_key_alg(k->key) != cds.algorithm) |
16091 | 0 | { |
16092 | 0 | continue; |
16093 | 0 | } |
16094 | 0 | result = dns_dnssec_make_dnskey(k->key, keybuf, sizeof(keybuf), |
16095 | 0 | &dnskey); |
16096 | 0 | if (result != ISC_R_SUCCESS) { |
16097 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16098 | 0 | "dns_dnssec_make_dnskey() failed: %s", |
16099 | 0 | isc_result_totext(result)); |
16100 | 0 | return (result); |
16101 | 0 | } |
16102 | 0 | result = dns_ds_buildrdata(dns_zone_getorigin(zone), &dnskey, |
16103 | 0 | cds.digest_type, cdsbuf, &cdsrdata); |
16104 | 0 | if (result != ISC_R_SUCCESS) { |
16105 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16106 | 0 | "dns_ds_buildrdata(keytag=%d, algo=%d, " |
16107 | 0 | "digest=%d) failed: %s", |
16108 | 0 | cds.key_tag, cds.algorithm, |
16109 | 0 | cds.digest_type, |
16110 | 0 | isc_result_totext(result)); |
16111 | 0 | return (result); |
16112 | 0 | } |
16113 | | |
16114 | 0 | cdsrdata.type = dns_rdatatype_cds; |
16115 | 0 | if (dns_rdata_compare(rdata, &cdsrdata) == 0) { |
16116 | 0 | *inuse = true; |
16117 | 0 | break; |
16118 | 0 | } |
16119 | 0 | } |
16120 | | |
16121 | 0 | return (ISC_R_SUCCESS); |
16122 | 0 | } |
16123 | | |
16124 | | isc_result_t |
16125 | 0 | dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) { |
16126 | 0 | dns_dnsseckeylist_t keylist; |
16127 | 0 | dns_dnsseckey_t *key = NULL; |
16128 | 0 | isc_result_t result = ISC_R_SUCCESS; |
16129 | 0 | isc_stdtime_t now = isc_stdtime_now(); |
16130 | 0 | isc_mem_t *mctx; |
16131 | 0 | dns_kasp_t *kasp; |
16132 | 0 | dns_keystorelist_t *keystores; |
16133 | 0 | const char *keydir; |
16134 | |
|
16135 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
16136 | 0 | REQUIRE(dns_rdatatype_iskeymaterial(rdata->type)); |
16137 | |
|
16138 | 0 | mctx = zone->mctx; |
16139 | |
|
16140 | 0 | ISC_LIST_INIT(keylist); |
16141 | |
|
16142 | 0 | *inuse = false; |
16143 | |
|
16144 | 0 | kasp = dns_zone_getkasp(zone); |
16145 | 0 | keydir = dns_zone_getkeydirectory(zone); |
16146 | 0 | keystores = dns_zone_getkeystores(zone); |
16147 | |
|
16148 | 0 | dns_zone_lock_keyfiles(zone); |
16149 | 0 | result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp, |
16150 | 0 | keydir, keystores, now, mctx, |
16151 | 0 | &keylist); |
16152 | 0 | dns_zone_unlock_keyfiles(zone); |
16153 | 0 | if (result == ISC_R_NOTFOUND) { |
16154 | 0 | return (ISC_R_SUCCESS); |
16155 | 0 | } else if (result != ISC_R_SUCCESS) { |
16156 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
16157 | 0 | "dns_dnssec_findmatchingkeys() failed: %s", |
16158 | 0 | isc_result_totext(result)); |
16159 | 0 | return (result); |
16160 | 0 | } |
16161 | | |
16162 | 0 | switch (rdata->type) { |
16163 | 0 | case dns_rdatatype_dnskey: |
16164 | 0 | result = dnskey_inuse(zone, rdata, mctx, &keylist, inuse); |
16165 | 0 | break; |
16166 | 0 | case dns_rdatatype_cdnskey: |
16167 | 0 | result = cdnskey_inuse(zone, rdata, &keylist, inuse); |
16168 | 0 | break; |
16169 | 0 | case dns_rdatatype_cds: |
16170 | 0 | result = cds_inuse(zone, rdata, &keylist, inuse); |
16171 | 0 | break; |
16172 | 0 | default: |
16173 | 0 | UNREACHABLE(); |
16174 | 0 | break; |
16175 | 0 | } |
16176 | | |
16177 | 0 | while (!ISC_LIST_EMPTY(keylist)) { |
16178 | 0 | key = ISC_LIST_HEAD(keylist); |
16179 | 0 | ISC_LIST_UNLINK(keylist, key, link); |
16180 | 0 | dns_dnsseckey_destroy(mctx, &key); |
16181 | 0 | } |
16182 | 0 | return (result); |
16183 | 0 | } |
16184 | | |
16185 | | static isc_result_t |
16186 | | sync_secure_journal(dns_zone_t *zone, dns_zone_t *raw, dns_journal_t *journal, |
16187 | | uint32_t start, uint32_t end, dns_difftuple_t **soatuplep, |
16188 | 0 | dns_diff_t *diff) { |
16189 | 0 | isc_result_t result; |
16190 | 0 | dns_difftuple_t *tuple = NULL; |
16191 | 0 | dns_diffop_t op = DNS_DIFFOP_ADD; |
16192 | 0 | int n_soa = 0; |
16193 | |
|
16194 | 0 | REQUIRE(soatuplep != NULL); |
16195 | |
|
16196 | 0 | if (start == end) { |
16197 | 0 | return (DNS_R_UNCHANGED); |
16198 | 0 | } |
16199 | | |
16200 | 0 | CHECK(dns_journal_iter_init(journal, start, end, NULL)); |
16201 | 0 | for (result = dns_journal_first_rr(journal); result == ISC_R_SUCCESS; |
16202 | 0 | result = dns_journal_next_rr(journal)) |
16203 | 0 | { |
16204 | 0 | dns_name_t *name = NULL; |
16205 | 0 | uint32_t ttl; |
16206 | 0 | dns_rdata_t *rdata = NULL; |
16207 | 0 | dns_journal_current_rr(journal, &name, &ttl, &rdata); |
16208 | |
|
16209 | 0 | if (rdata->type == dns_rdatatype_soa) { |
16210 | 0 | n_soa++; |
16211 | 0 | if (n_soa == 2) { |
16212 | | /* |
16213 | | * Save the latest raw SOA record. |
16214 | | */ |
16215 | 0 | if (*soatuplep != NULL) { |
16216 | 0 | dns_difftuple_free(soatuplep); |
16217 | 0 | } |
16218 | 0 | CHECK(dns_difftuple_create( |
16219 | 0 | diff->mctx, DNS_DIFFOP_ADD, name, ttl, |
16220 | 0 | rdata, soatuplep)); |
16221 | 0 | } |
16222 | 0 | if (n_soa == 3) { |
16223 | 0 | n_soa = 1; |
16224 | 0 | } |
16225 | 0 | continue; |
16226 | 0 | } |
16227 | | |
16228 | | /* Sanity. */ |
16229 | 0 | if (n_soa == 0) { |
16230 | 0 | dns_zone_log(raw, ISC_LOG_ERROR, |
16231 | 0 | "corrupt journal file: '%s'\n", |
16232 | 0 | raw->journal); |
16233 | 0 | return (ISC_R_FAILURE); |
16234 | 0 | } |
16235 | | |
16236 | 0 | if (zone->privatetype != 0 && rdata->type == zone->privatetype) |
16237 | 0 | { |
16238 | 0 | continue; |
16239 | 0 | } |
16240 | | |
16241 | | /* |
16242 | | * Skip DNSSEC records that BIND maintains with inline-signing. |
16243 | | */ |
16244 | 0 | if (rdata->type == dns_rdatatype_nsec || |
16245 | 0 | rdata->type == dns_rdatatype_rrsig || |
16246 | 0 | rdata->type == dns_rdatatype_nsec3 || |
16247 | 0 | rdata->type == dns_rdatatype_nsec3param) |
16248 | 0 | { |
16249 | 0 | continue; |
16250 | 0 | } |
16251 | | /* |
16252 | | * Allow DNSKEY, CDNSKEY, CDS because users should be able to |
16253 | | * update the zone with these records from a different provider, |
16254 | | * but skip records that are under our control. |
16255 | | */ |
16256 | 0 | if (dns_rdatatype_iskeymaterial(rdata->type)) { |
16257 | 0 | bool inuse = false; |
16258 | 0 | isc_result_t r = dns_zone_dnskey_inuse(zone, rdata, |
16259 | 0 | &inuse); |
16260 | 0 | if (r == ISC_R_SUCCESS && inuse) { |
16261 | 0 | continue; |
16262 | 0 | } |
16263 | 0 | } |
16264 | | |
16265 | 0 | op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD; |
16266 | |
|
16267 | 0 | CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, rdata, |
16268 | 0 | &tuple)); |
16269 | 0 | dns_diff_appendminimal(diff, &tuple); |
16270 | 0 | } |
16271 | 0 | if (result == ISC_R_NOMORE) { |
16272 | 0 | result = ISC_R_SUCCESS; |
16273 | 0 | } |
16274 | |
|
16275 | 0 | failure: |
16276 | 0 | return (result); |
16277 | 0 | } |
16278 | | |
16279 | | /* |
16280 | | * Filter the key material preserving TTL changes. If kasp in effect honour the |
16281 | | * existing ttl. The lists returned by sync_secure_db/dns_db_diffx should be |
16282 | | * DNSSEC RRset order so we can process 'del' and 'add' in parallel rather than |
16283 | | * searching for TTL only changes first and processing them, then checking the |
16284 | | * 'in use' status on a subsequent pass. |
16285 | | */ |
16286 | | |
16287 | | static void |
16288 | | filter_keymaterial(dns_zone_t *zone, dns_difftuplelist_t *del, |
16289 | 0 | dns_difftuplelist_t *add, bool kasp, dns_ttl_t ttl) { |
16290 | 0 | dns_difftuple_t *deltuple = ISC_LIST_HEAD(*del); |
16291 | 0 | dns_difftuple_t *addtuple = ISC_LIST_HEAD(*add); |
16292 | 0 | isc_result_t result; |
16293 | |
|
16294 | 0 | while (deltuple != NULL || addtuple != NULL) { |
16295 | 0 | dns_difftuple_t *delnext = NULL, *addnext = NULL; |
16296 | 0 | bool inuse = false; |
16297 | 0 | if (deltuple != NULL) { |
16298 | 0 | delnext = ISC_LIST_NEXT(deltuple, link); |
16299 | 0 | } |
16300 | 0 | if (addtuple != NULL) { |
16301 | 0 | addnext = ISC_LIST_NEXT(addtuple, link); |
16302 | 0 | } |
16303 | 0 | if (deltuple != NULL && addtuple != NULL) { |
16304 | 0 | int n = dns_rdata_compare(&deltuple->rdata, |
16305 | 0 | &addtuple->rdata); |
16306 | 0 | if (n == 0) { |
16307 | | /* |
16308 | | * If the rdata is equal then the only |
16309 | | * difference will be a TTL change. |
16310 | | */ |
16311 | 0 | if (kasp) { |
16312 | | /* TTL is managed by dnssec-policy */ |
16313 | 0 | ISC_LIST_UNLINK(*del, deltuple, link); |
16314 | 0 | dns_difftuple_free(&deltuple); |
16315 | 0 | ISC_LIST_UNLINK(*add, addtuple, link); |
16316 | 0 | dns_difftuple_free(&addtuple); |
16317 | 0 | } |
16318 | 0 | deltuple = delnext; |
16319 | 0 | addtuple = addnext; |
16320 | 0 | continue; |
16321 | 0 | } |
16322 | 0 | if (n < 0) { |
16323 | 0 | goto checkdel; |
16324 | 0 | } |
16325 | 0 | goto checkadd; |
16326 | 0 | } else if (deltuple != NULL) { |
16327 | 0 | checkdel: |
16328 | 0 | result = dns_zone_dnskey_inuse(zone, &deltuple->rdata, |
16329 | 0 | &inuse); |
16330 | 0 | if (result == ISC_R_SUCCESS && inuse) { |
16331 | 0 | ISC_LIST_UNLINK(*del, deltuple, link); |
16332 | 0 | dns_difftuple_free(&deltuple); |
16333 | 0 | } |
16334 | 0 | deltuple = delnext; |
16335 | 0 | } else { |
16336 | 0 | checkadd: |
16337 | 0 | result = dns_zone_dnskey_inuse(zone, &addtuple->rdata, |
16338 | 0 | &inuse); |
16339 | 0 | if (result == ISC_R_SUCCESS && inuse) { |
16340 | 0 | ISC_LIST_UNLINK(*add, addtuple, link); |
16341 | 0 | dns_difftuple_free(&addtuple); |
16342 | 0 | } else if (kasp) { |
16343 | 0 | addtuple->ttl = ttl; |
16344 | 0 | } |
16345 | 0 | addtuple = addnext; |
16346 | 0 | } |
16347 | 0 | } |
16348 | 0 | } |
16349 | | |
16350 | | static isc_result_t |
16351 | | sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb, |
16352 | | dns_dbversion_t *secver, dns_difftuple_t **soatuple, |
16353 | 0 | dns_diff_t *diff) { |
16354 | 0 | isc_result_t result; |
16355 | 0 | dns_db_t *rawdb = NULL; |
16356 | 0 | dns_dbversion_t *rawver = NULL; |
16357 | 0 | dns_difftuple_t *tuple = NULL, *next; |
16358 | 0 | dns_difftuple_t *oldtuple = NULL, *newtuple = NULL; |
16359 | 0 | dns_rdata_soa_t oldsoa, newsoa; |
16360 | 0 | dns_difftuplelist_t add = ISC_LIST_INITIALIZER; |
16361 | 0 | dns_difftuplelist_t del = ISC_LIST_INITIALIZER; |
16362 | 0 | dns_difftuplelist_t keyadd = ISC_LIST_INITIALIZER; |
16363 | 0 | dns_difftuplelist_t keydel = ISC_LIST_INITIALIZER; |
16364 | 0 | dns_difftuplelist_t ckeyadd = ISC_LIST_INITIALIZER; |
16365 | 0 | dns_difftuplelist_t ckeydel = ISC_LIST_INITIALIZER; |
16366 | 0 | dns_difftuplelist_t cdsadd = ISC_LIST_INITIALIZER; |
16367 | 0 | dns_difftuplelist_t cdsdel = ISC_LIST_INITIALIZER; |
16368 | 0 | dns_kasp_t *kasp = NULL; |
16369 | 0 | dns_ttl_t keyttl = 0, ckeyttl = 0, cdsttl = 0; |
16370 | |
|
16371 | 0 | REQUIRE(DNS_ZONE_VALID(seczone)); |
16372 | 0 | REQUIRE(soatuple != NULL && *soatuple == NULL); |
16373 | |
|
16374 | 0 | if (!seczone->sourceserialset) { |
16375 | 0 | return (DNS_R_UNCHANGED); |
16376 | 0 | } |
16377 | | |
16378 | 0 | dns_db_attach(raw->db, &rawdb); |
16379 | 0 | dns_db_currentversion(rawdb, &rawver); |
16380 | 0 | result = dns_db_diffx(diff, rawdb, rawver, secdb, secver, NULL); |
16381 | 0 | dns_db_closeversion(rawdb, &rawver, false); |
16382 | 0 | dns_db_detach(&rawdb); |
16383 | |
|
16384 | 0 | if (result != ISC_R_SUCCESS) { |
16385 | 0 | return (result); |
16386 | 0 | } |
16387 | | |
16388 | | /* |
16389 | | * If kasp is in effect honour the existing DNSKEY, CDNSKEY and CDS |
16390 | | * TTLs. |
16391 | | */ |
16392 | 0 | kasp = seczone->kasp; |
16393 | 0 | if (kasp != NULL) { |
16394 | 0 | dns_rdataset_t rdataset; |
16395 | 0 | dns_dbnode_t *node = NULL; |
16396 | 0 | dns_ttl_t ttl = dns_kasp_dnskeyttl(kasp); |
16397 | |
|
16398 | 0 | dns_rdataset_init(&rdataset); |
16399 | |
|
16400 | 0 | result = dns_db_getoriginnode(secdb, &node); |
16401 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16402 | |
|
16403 | 0 | result = dns_db_findrdataset( |
16404 | 0 | secdb, node, secver, dns_rdatatype_dnskey, |
16405 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
16406 | 0 | keyttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl; |
16407 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
16408 | 0 | dns_rdataset_disassociate(&rdataset); |
16409 | 0 | } |
16410 | |
|
16411 | 0 | result = dns_db_findrdataset( |
16412 | 0 | secdb, node, secver, dns_rdatatype_cdnskey, |
16413 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
16414 | 0 | ckeyttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl; |
16415 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
16416 | 0 | dns_rdataset_disassociate(&rdataset); |
16417 | 0 | } |
16418 | |
|
16419 | 0 | result = dns_db_findrdataset( |
16420 | 0 | secdb, node, secver, dns_rdatatype_cds, |
16421 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
16422 | 0 | cdsttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl; |
16423 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
16424 | 0 | dns_rdataset_disassociate(&rdataset); |
16425 | 0 | } |
16426 | 0 | dns_db_detachnode(secdb, &node); |
16427 | 0 | } |
16428 | |
|
16429 | 0 | for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) { |
16430 | 0 | dns_difftuplelist_t *al = &add, *dl = &del; |
16431 | |
|
16432 | 0 | next = ISC_LIST_NEXT(tuple, link); |
16433 | | |
16434 | | /* |
16435 | | * Skip DNSSEC records that BIND maintains with inline-signing. |
16436 | | */ |
16437 | 0 | if (tuple->rdata.type == dns_rdatatype_nsec || |
16438 | 0 | tuple->rdata.type == dns_rdatatype_rrsig || |
16439 | 0 | tuple->rdata.type == dns_rdatatype_nsec3 || |
16440 | 0 | tuple->rdata.type == dns_rdatatype_nsec3param) |
16441 | 0 | { |
16442 | 0 | ISC_LIST_UNLINK(diff->tuples, tuple, link); |
16443 | 0 | dns_difftuple_free(&tuple); |
16444 | 0 | continue; |
16445 | 0 | } |
16446 | | |
16447 | | /* |
16448 | | * Apex DNSKEY, CDNSKEY and CDS need special processing so |
16449 | | * split them out. |
16450 | | */ |
16451 | 0 | if (dns_rdatatype_iskeymaterial(tuple->rdata.type) && |
16452 | 0 | dns_name_equal(&tuple->name, &seczone->origin)) |
16453 | 0 | { |
16454 | 0 | switch (tuple->rdata.type) { |
16455 | 0 | case dns_rdatatype_dnskey: |
16456 | 0 | al = &keyadd; |
16457 | 0 | dl = &keydel; |
16458 | 0 | break; |
16459 | 0 | case dns_rdatatype_cdnskey: |
16460 | 0 | al = &ckeyadd; |
16461 | 0 | dl = &ckeydel; |
16462 | 0 | break; |
16463 | 0 | case dns_rdatatype_cds: |
16464 | 0 | al = &cdsadd; |
16465 | 0 | dl = &cdsdel; |
16466 | 0 | break; |
16467 | 0 | default: |
16468 | 0 | UNREACHABLE(); |
16469 | 0 | } |
16470 | 0 | } |
16471 | | |
16472 | 0 | if (tuple->rdata.type == dns_rdatatype_soa) { |
16473 | 0 | if (tuple->op == DNS_DIFFOP_DEL) { |
16474 | 0 | INSIST(oldtuple == NULL); |
16475 | 0 | oldtuple = tuple; |
16476 | 0 | } |
16477 | 0 | if (tuple->op == DNS_DIFFOP_ADD) { |
16478 | 0 | INSIST(newtuple == NULL); |
16479 | 0 | newtuple = tuple; |
16480 | 0 | } |
16481 | 0 | } |
16482 | | |
16483 | | /* |
16484 | | * Split into deletions and additions. |
16485 | | */ |
16486 | 0 | ISC_LIST_UNLINK(diff->tuples, tuple, link); |
16487 | 0 | switch (tuple->op) { |
16488 | 0 | case DNS_DIFFOP_DEL: |
16489 | 0 | case DNS_DIFFOP_DELRESIGN: |
16490 | 0 | ISC_LIST_APPEND(*dl, tuple, link); |
16491 | 0 | break; |
16492 | 0 | case DNS_DIFFOP_ADD: |
16493 | 0 | case DNS_DIFFOP_ADDRESIGN: |
16494 | 0 | ISC_LIST_APPEND(*al, tuple, link); |
16495 | 0 | break; |
16496 | 0 | default: |
16497 | 0 | UNREACHABLE(); |
16498 | 0 | } |
16499 | 0 | } |
16500 | | |
16501 | 0 | if (oldtuple != NULL && newtuple != NULL) { |
16502 | 0 | result = dns_rdata_tostruct(&oldtuple->rdata, &oldsoa, NULL); |
16503 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16504 | |
|
16505 | 0 | result = dns_rdata_tostruct(&newtuple->rdata, &newsoa, NULL); |
16506 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16507 | | |
16508 | | /* |
16509 | | * If the SOA records are the same except for the serial |
16510 | | * remove them from the diff. |
16511 | | */ |
16512 | 0 | if (oldtuple->ttl == newtuple->ttl && |
16513 | 0 | oldsoa.refresh == newsoa.refresh && |
16514 | 0 | oldsoa.retry == newsoa.retry && |
16515 | 0 | oldsoa.minimum == newsoa.minimum && |
16516 | 0 | oldsoa.expire == newsoa.expire && |
16517 | 0 | dns_name_equal(&oldsoa.origin, &newsoa.origin) && |
16518 | 0 | dns_name_equal(&oldsoa.contact, &newsoa.contact)) |
16519 | 0 | { |
16520 | 0 | ISC_LIST_UNLINK(del, oldtuple, link); |
16521 | 0 | dns_difftuple_free(&oldtuple); |
16522 | 0 | ISC_LIST_UNLINK(add, newtuple, link); |
16523 | 0 | dns_difftuple_free(&newtuple); |
16524 | 0 | } |
16525 | 0 | } |
16526 | | |
16527 | | /* |
16528 | | * Filter out keys we manage but still allow TTL changes. |
16529 | | */ |
16530 | 0 | filter_keymaterial(seczone, &keydel, &keyadd, kasp != NULL, keyttl); |
16531 | 0 | filter_keymaterial(seczone, &ckeydel, &ckeyadd, kasp != NULL, ckeyttl); |
16532 | 0 | filter_keymaterial(seczone, &cdsdel, &cdsadd, kasp != NULL, cdsttl); |
16533 | | |
16534 | | /* |
16535 | | * Rebuild the diff now that we have filtered it |
16536 | | */ |
16537 | 0 | ISC_LIST_APPENDLIST(diff->tuples, del, link); |
16538 | 0 | ISC_LIST_APPENDLIST(diff->tuples, keydel, link); |
16539 | 0 | ISC_LIST_APPENDLIST(diff->tuples, ckeydel, link); |
16540 | 0 | ISC_LIST_APPENDLIST(diff->tuples, cdsdel, link); |
16541 | 0 | ISC_LIST_APPENDLIST(diff->tuples, add, link); |
16542 | 0 | ISC_LIST_APPENDLIST(diff->tuples, keyadd, link); |
16543 | 0 | ISC_LIST_APPENDLIST(diff->tuples, ckeyadd, link); |
16544 | 0 | ISC_LIST_APPENDLIST(diff->tuples, cdsadd, link); |
16545 | |
|
16546 | 0 | if (ISC_LIST_EMPTY(diff->tuples)) { |
16547 | 0 | return (DNS_R_UNCHANGED); |
16548 | 0 | } |
16549 | | |
16550 | | /* |
16551 | | * If there are still SOA records in the diff they can now be removed |
16552 | | * saving the new SOA record. |
16553 | | */ |
16554 | 0 | if (oldtuple != NULL) { |
16555 | 0 | ISC_LIST_UNLINK(diff->tuples, oldtuple, link); |
16556 | 0 | dns_difftuple_free(&oldtuple); |
16557 | 0 | } |
16558 | |
|
16559 | 0 | if (newtuple != NULL) { |
16560 | 0 | ISC_LIST_UNLINK(diff->tuples, newtuple, link); |
16561 | 0 | *soatuple = newtuple; |
16562 | 0 | } |
16563 | |
|
16564 | 0 | return (ISC_R_SUCCESS); |
16565 | 0 | } |
16566 | | |
16567 | | static void |
16568 | 0 | receive_secure_serial(void *arg) { |
16569 | 0 | struct rss *rss = (struct rss *)arg; |
16570 | 0 | dns_zone_t *zone = rss->zone; |
16571 | 0 | isc_result_t result = ISC_R_SUCCESS; |
16572 | 0 | dns_journal_t *rjournal = NULL; |
16573 | 0 | dns_journal_t *sjournal = NULL; |
16574 | 0 | uint32_t start, end = rss->serial; |
16575 | 0 | dns_difftuple_t *tuple = NULL, *soatuple = NULL; |
16576 | 0 | dns_update_log_t log = { update_log_cb, NULL }; |
16577 | 0 | uint32_t newserial = 0, desired = 0; |
16578 | 0 | isc_time_t timenow; |
16579 | 0 | int level = ISC_LOG_ERROR; |
16580 | |
|
16581 | 0 | ENTER; |
16582 | |
|
16583 | 0 | LOCK_ZONE(zone); |
16584 | | |
16585 | | /* |
16586 | | * The receive_secure_serial() is loop-serialized for the zone. Make |
16587 | | * sure there's no processing currently running. |
16588 | | */ |
16589 | |
|
16590 | 0 | INSIST(zone->rss == NULL || zone->rss == rss); |
16591 | |
|
16592 | 0 | if (zone->rss != NULL) { |
16593 | 0 | INSIST(zone->rss == rss); |
16594 | 0 | UNLOCK_ZONE(zone); |
16595 | 0 | } else { |
16596 | 0 | zone->rss = rss; |
16597 | 0 | dns_diff_init(zone->mctx, &zone->rss_diff); |
16598 | | |
16599 | | /* |
16600 | | * zone->db may be NULL, if the load from disk failed. |
16601 | | */ |
16602 | 0 | result = ISC_R_SUCCESS; |
16603 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
16604 | 0 | if (zone->db != NULL) { |
16605 | 0 | dns_db_attach(zone->db, &zone->rss_db); |
16606 | 0 | } else { |
16607 | 0 | result = ISC_R_FAILURE; |
16608 | 0 | } |
16609 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
16610 | |
|
16611 | 0 | if (result == ISC_R_SUCCESS && zone->raw != NULL) { |
16612 | 0 | dns_zone_attach(zone->raw, &zone->rss_raw); |
16613 | 0 | } else { |
16614 | 0 | result = ISC_R_FAILURE; |
16615 | 0 | } |
16616 | |
|
16617 | 0 | UNLOCK_ZONE(zone); |
16618 | |
|
16619 | 0 | CHECK(result); |
16620 | | |
16621 | | /* |
16622 | | * We first attempt to sync the raw zone to the secure zone |
16623 | | * by using the raw zone's journal, applying all the deltas |
16624 | | * from the latest source-serial of the secure zone up to |
16625 | | * the current serial number of the raw zone. |
16626 | | * |
16627 | | * If that fails, then we'll fall back to a direct comparison |
16628 | | * between raw and secure zones. |
16629 | | */ |
16630 | 0 | CHECK(dns_journal_open(zone->rss_raw->mctx, |
16631 | 0 | zone->rss_raw->journal, |
16632 | 0 | DNS_JOURNAL_WRITE, &rjournal)); |
16633 | | |
16634 | 0 | result = dns_journal_open(zone->mctx, zone->journal, |
16635 | 0 | DNS_JOURNAL_READ, &sjournal); |
16636 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
16637 | 0 | goto failure; |
16638 | 0 | } |
16639 | | |
16640 | 0 | if (!dns_journal_get_sourceserial(rjournal, &start)) { |
16641 | 0 | start = dns_journal_first_serial(rjournal); |
16642 | 0 | dns_journal_set_sourceserial(rjournal, start); |
16643 | 0 | } |
16644 | 0 | if (sjournal != NULL) { |
16645 | 0 | uint32_t serial; |
16646 | | /* |
16647 | | * We read the secure journal first, if that |
16648 | | * exists use its value provided it is greater |
16649 | | * that from the raw journal. |
16650 | | */ |
16651 | 0 | if (dns_journal_get_sourceserial(sjournal, &serial)) { |
16652 | 0 | if (isc_serial_gt(serial, start)) { |
16653 | 0 | start = serial; |
16654 | 0 | } |
16655 | 0 | } |
16656 | 0 | dns_journal_destroy(&sjournal); |
16657 | 0 | } |
16658 | |
|
16659 | 0 | dns_db_currentversion(zone->rss_db, &zone->rss_oldver); |
16660 | 0 | CHECK(dns_db_newversion(zone->rss_db, &zone->rss_newver)); |
16661 | | |
16662 | | /* |
16663 | | * Try to apply diffs from the raw zone's journal to the secure |
16664 | | * zone. If that fails, we recover by syncing up the databases |
16665 | | * directly. |
16666 | | */ |
16667 | 0 | result = sync_secure_journal(zone, zone->rss_raw, rjournal, |
16668 | 0 | start, end, &soatuple, |
16669 | 0 | &zone->rss_diff); |
16670 | 0 | if (result == DNS_R_UNCHANGED) { |
16671 | 0 | goto failure; |
16672 | 0 | } else if (result != ISC_R_SUCCESS) { |
16673 | 0 | CHECK(sync_secure_db(zone, zone->rss_raw, zone->rss_db, |
16674 | 0 | zone->rss_oldver, &soatuple, |
16675 | 0 | &zone->rss_diff)); |
16676 | 0 | } |
16677 | | |
16678 | 0 | CHECK(dns_diff_apply(&zone->rss_diff, zone->rss_db, |
16679 | 0 | zone->rss_newver)); |
16680 | | |
16681 | 0 | if (soatuple != NULL) { |
16682 | 0 | uint32_t oldserial; |
16683 | |
|
16684 | 0 | CHECK(dns_db_createsoatuple( |
16685 | 0 | zone->rss_db, zone->rss_oldver, |
16686 | 0 | zone->rss_diff.mctx, DNS_DIFFOP_DEL, &tuple)); |
16687 | 0 | oldserial = dns_soa_getserial(&tuple->rdata); |
16688 | 0 | newserial = desired = |
16689 | 0 | dns_soa_getserial(&soatuple->rdata); |
16690 | 0 | if (!isc_serial_gt(newserial, oldserial)) { |
16691 | 0 | newserial = oldserial + 1; |
16692 | 0 | if (newserial == 0) { |
16693 | 0 | newserial++; |
16694 | 0 | } |
16695 | 0 | dns_soa_setserial(newserial, &soatuple->rdata); |
16696 | 0 | } |
16697 | 0 | CHECK(do_one_tuple(&tuple, zone->rss_db, |
16698 | 0 | zone->rss_newver, &zone->rss_diff)); |
16699 | 0 | CHECK(do_one_tuple(&soatuple, zone->rss_db, |
16700 | 0 | zone->rss_newver, &zone->rss_diff)); |
16701 | 0 | } else { |
16702 | 0 | CHECK(update_soa_serial(zone, zone->rss_db, |
16703 | 0 | zone->rss_newver, |
16704 | 0 | &zone->rss_diff, zone->mctx, |
16705 | 0 | zone->updatemethod)); |
16706 | 0 | } |
16707 | 0 | } |
16708 | 0 | result = dns_update_signaturesinc( |
16709 | 0 | &log, zone, zone->rss_db, zone->rss_oldver, zone->rss_newver, |
16710 | 0 | &zone->rss_diff, zone->sigvalidityinterval, &zone->rss_state); |
16711 | 0 | if (result == DNS_R_CONTINUE) { |
16712 | 0 | if (rjournal != NULL) { |
16713 | 0 | dns_journal_destroy(&rjournal); |
16714 | 0 | } |
16715 | 0 | isc_async_run(zone->loop, receive_secure_serial, rss); |
16716 | 0 | return; |
16717 | 0 | } |
16718 | | |
16719 | | /* |
16720 | | * If something went wrong while trying to update the secure zone and |
16721 | | * the latter was already signed before, do not apply raw zone deltas |
16722 | | * to it as that would break existing DNSSEC signatures. However, if |
16723 | | * the secure zone was not yet signed (e.g. because no signing keys |
16724 | | * were created for it), commence applying raw zone deltas to it so |
16725 | | * that contents of the raw zone and the secure zone are kept in sync. |
16726 | | */ |
16727 | 0 | if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) { |
16728 | 0 | goto failure; |
16729 | 0 | } |
16730 | | |
16731 | 0 | if (rjournal == NULL) { |
16732 | 0 | CHECK(dns_journal_open(zone->rss_raw->mctx, |
16733 | 0 | zone->rss_raw->journal, |
16734 | 0 | DNS_JOURNAL_WRITE, &rjournal)); |
16735 | 0 | } |
16736 | 0 | CHECK(zone_journal(zone, &zone->rss_diff, &end, |
16737 | 0 | "receive_secure_serial")); |
16738 | | |
16739 | 0 | dns_journal_set_sourceserial(rjournal, end); |
16740 | 0 | dns_journal_commit(rjournal); |
16741 | |
|
16742 | 0 | LOCK_ZONE(zone); |
16743 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
16744 | |
|
16745 | 0 | zone->sourceserial = end; |
16746 | 0 | zone->sourceserialset = true; |
16747 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
16748 | | |
16749 | | /* |
16750 | | * Set resign time to make sure it is set to the earliest |
16751 | | * signature expiration. |
16752 | | */ |
16753 | 0 | set_resigntime(zone); |
16754 | 0 | timenow = isc_time_now(); |
16755 | 0 | zone_settimer(zone, &timenow); |
16756 | 0 | UNLOCK_ZONE(zone); |
16757 | |
|
16758 | 0 | dns_db_closeversion(zone->rss_db, &zone->rss_oldver, false); |
16759 | 0 | dns_db_closeversion(zone->rss_db, &zone->rss_newver, true); |
16760 | |
|
16761 | 0 | if (newserial != 0) { |
16762 | 0 | dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)", |
16763 | 0 | newserial, desired); |
16764 | 0 | } |
16765 | |
|
16766 | 0 | failure: |
16767 | 0 | isc_mem_put(zone->mctx, rss, sizeof(*rss)); |
16768 | 0 | zone->rss = NULL; |
16769 | |
|
16770 | 0 | if (zone->rss_raw != NULL) { |
16771 | 0 | dns_zone_detach(&zone->rss_raw); |
16772 | 0 | } |
16773 | 0 | if (result != ISC_R_SUCCESS) { |
16774 | 0 | LOCK_ZONE(zone); |
16775 | 0 | set_resigntime(zone); |
16776 | 0 | timenow = isc_time_now(); |
16777 | 0 | zone_settimer(zone, &timenow); |
16778 | 0 | UNLOCK_ZONE(zone); |
16779 | 0 | if (result == DNS_R_UNCHANGED) { |
16780 | 0 | level = ISC_LOG_INFO; |
16781 | 0 | } |
16782 | 0 | dns_zone_log(zone, level, "receive_secure_serial: %s", |
16783 | 0 | isc_result_totext(result)); |
16784 | 0 | } |
16785 | 0 | if (tuple != NULL) { |
16786 | 0 | dns_difftuple_free(&tuple); |
16787 | 0 | } |
16788 | 0 | if (soatuple != NULL) { |
16789 | 0 | dns_difftuple_free(&soatuple); |
16790 | 0 | } |
16791 | 0 | if (zone->rss_db != NULL) { |
16792 | 0 | if (zone->rss_oldver != NULL) { |
16793 | 0 | dns_db_closeversion(zone->rss_db, &zone->rss_oldver, |
16794 | 0 | false); |
16795 | 0 | } |
16796 | 0 | if (zone->rss_newver != NULL) { |
16797 | 0 | dns_db_closeversion(zone->rss_db, &zone->rss_newver, |
16798 | 0 | false); |
16799 | 0 | } |
16800 | 0 | dns_db_detach(&zone->rss_db); |
16801 | 0 | } |
16802 | 0 | INSIST(zone->rss_oldver == NULL); |
16803 | 0 | INSIST(zone->rss_newver == NULL); |
16804 | 0 | if (rjournal != NULL) { |
16805 | 0 | dns_journal_destroy(&rjournal); |
16806 | 0 | } |
16807 | 0 | dns_diff_clear(&zone->rss_diff); |
16808 | |
|
16809 | 0 | dns_zone_idetach(&zone); |
16810 | 0 | } |
16811 | | |
16812 | | static isc_result_t |
16813 | 0 | zone_send_secureserial(dns_zone_t *zone, uint32_t serial) { |
16814 | 0 | struct rss *rss = NULL; |
16815 | |
|
16816 | 0 | rss = isc_mem_get(zone->secure->mctx, sizeof(*rss)); |
16817 | 0 | *rss = (struct rss){ |
16818 | 0 | .serial = serial, |
16819 | 0 | .link = ISC_LINK_INITIALIZER, |
16820 | 0 | }; |
16821 | |
|
16822 | 0 | INSIST(LOCKED_ZONE(zone->secure)); |
16823 | 0 | zone_iattach(zone->secure, &rss->zone); |
16824 | 0 | isc_async_run(zone->secure->loop, receive_secure_serial, rss); |
16825 | |
|
16826 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE); |
16827 | 0 | return (ISC_R_SUCCESS); |
16828 | 0 | } |
16829 | | |
16830 | | static isc_result_t |
16831 | | checkandaddsoa(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, |
16832 | 0 | dns_name_t *name, dns_rdataset_t *rdataset, uint32_t oldserial) { |
16833 | 0 | dns_rdata_soa_t soa; |
16834 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
16835 | 0 | dns_rdatalist_t temprdatalist; |
16836 | 0 | dns_rdataset_t temprdataset; |
16837 | 0 | isc_buffer_t b; |
16838 | 0 | isc_result_t result; |
16839 | 0 | unsigned char buf[DNS_SOA_BUFFERSIZE]; |
16840 | |
|
16841 | 0 | result = dns_rdataset_first(rdataset); |
16842 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16843 | 0 | dns_rdataset_current(rdataset, &rdata); |
16844 | 0 | result = dns_rdata_tostruct(&rdata, &soa, NULL); |
16845 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16846 | |
|
16847 | 0 | if (isc_serial_gt(soa.serial, oldserial)) { |
16848 | 0 | return (dns_db_addrdataset(db, node, version, 0, rdataset, 0, |
16849 | 0 | NULL)); |
16850 | 0 | } |
16851 | | /* |
16852 | | * Always bump the serial. |
16853 | | */ |
16854 | 0 | oldserial++; |
16855 | 0 | if (oldserial == 0) { |
16856 | 0 | oldserial++; |
16857 | 0 | } |
16858 | 0 | soa.serial = oldserial; |
16859 | | |
16860 | | /* |
16861 | | * Construct a replacement rdataset. |
16862 | | */ |
16863 | 0 | dns_rdata_reset(&rdata); |
16864 | 0 | isc_buffer_init(&b, buf, sizeof(buf)); |
16865 | 0 | result = dns_rdata_fromstruct(&rdata, rdataset->rdclass, |
16866 | 0 | dns_rdatatype_soa, &soa, &b); |
16867 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
16868 | 0 | dns_rdatalist_init(&temprdatalist); |
16869 | 0 | temprdatalist.rdclass = rdata.rdclass; |
16870 | 0 | temprdatalist.type = rdata.type; |
16871 | 0 | temprdatalist.ttl = rdataset->ttl; |
16872 | 0 | ISC_LIST_APPEND(temprdatalist.rdata, &rdata, link); |
16873 | |
|
16874 | 0 | dns_rdataset_init(&temprdataset); |
16875 | 0 | dns_rdatalist_tordataset(&temprdatalist, &temprdataset); |
16876 | |
|
16877 | 0 | dns_rdataset_getownercase(rdataset, name); |
16878 | 0 | dns_rdataset_setownercase(&temprdataset, name); |
16879 | 0 | return (dns_db_addrdataset(db, node, version, 0, &temprdataset, 0, |
16880 | 0 | NULL)); |
16881 | 0 | } |
16882 | | |
16883 | | /* |
16884 | | * This function should populate an nsec3paramlist_t with the |
16885 | | * nsecparam_t data from a zone. |
16886 | | */ |
16887 | | static isc_result_t |
16888 | 0 | save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) { |
16889 | 0 | isc_result_t result; |
16890 | 0 | dns_dbnode_t *node = NULL; |
16891 | 0 | dns_rdataset_t rdataset, prdataset; |
16892 | 0 | dns_dbversion_t *version = NULL; |
16893 | 0 | nsec3param_t *nsec3param = NULL; |
16894 | 0 | nsec3param_t *nsec3p = NULL; |
16895 | 0 | nsec3param_t *next; |
16896 | 0 | dns_db_t *db = NULL; |
16897 | 0 | unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; |
16898 | |
|
16899 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
16900 | 0 | REQUIRE(nsec3list != NULL); |
16901 | 0 | REQUIRE(ISC_LIST_EMPTY(*nsec3list)); |
16902 | |
|
16903 | 0 | dns_rdataset_init(&rdataset); |
16904 | 0 | dns_rdataset_init(&prdataset); |
16905 | |
|
16906 | 0 | dns_db_attach(zone->db, &db); |
16907 | 0 | CHECK(dns_db_getoriginnode(db, &node)); |
16908 | | |
16909 | 0 | dns_db_currentversion(db, &version); |
16910 | 0 | result = dns_db_findrdataset(db, node, version, |
16911 | 0 | dns_rdatatype_nsec3param, |
16912 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
16913 | |
|
16914 | 0 | if (result != ISC_R_SUCCESS) { |
16915 | 0 | goto getprivate; |
16916 | 0 | } |
16917 | | |
16918 | | /* |
16919 | | * Walk nsec3param rdataset making a list of parameters (note that |
16920 | | * multiple simultaneous nsec3 chains are annoyingly legal -- this |
16921 | | * is why we use an nsec3list, even though we will usually only |
16922 | | * have one). |
16923 | | */ |
16924 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
16925 | 0 | result = dns_rdataset_next(&rdataset)) |
16926 | 0 | { |
16927 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
16928 | 0 | dns_rdata_t private = DNS_RDATA_INIT; |
16929 | |
|
16930 | 0 | dns_rdataset_current(&rdataset, &rdata); |
16931 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
16932 | 0 | DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3), |
16933 | 0 | "looping through nsec3param data"); |
16934 | 0 | nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t)); |
16935 | 0 | ISC_LINK_INIT(nsec3param, link); |
16936 | | |
16937 | | /* |
16938 | | * now transfer the data from the rdata to |
16939 | | * the nsec3param |
16940 | | */ |
16941 | 0 | dns_nsec3param_toprivate(&rdata, &private, zone->privatetype, |
16942 | 0 | nsec3param->data, |
16943 | 0 | sizeof(nsec3param->data)); |
16944 | 0 | nsec3param->length = private.length; |
16945 | 0 | ISC_LIST_APPEND(*nsec3list, nsec3param, link); |
16946 | 0 | } |
16947 | |
|
16948 | 0 | getprivate: |
16949 | 0 | result = dns_db_findrdataset(db, node, version, zone->privatetype, |
16950 | 0 | dns_rdatatype_none, 0, &prdataset, NULL); |
16951 | 0 | if (result != ISC_R_SUCCESS) { |
16952 | 0 | goto done; |
16953 | 0 | } |
16954 | | |
16955 | | /* |
16956 | | * walk private type records, converting them to nsec3 parameters |
16957 | | * using dns_nsec3param_fromprivate(), do the right thing based on |
16958 | | * CREATE and REMOVE flags |
16959 | | */ |
16960 | 0 | for (result = dns_rdataset_first(&prdataset); result == ISC_R_SUCCESS; |
16961 | 0 | result = dns_rdataset_next(&prdataset)) |
16962 | 0 | { |
16963 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
16964 | 0 | dns_rdata_t private = DNS_RDATA_INIT; |
16965 | |
|
16966 | 0 | dns_rdataset_current(&prdataset, &private); |
16967 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
16968 | 0 | DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3), |
16969 | 0 | "looping through nsec3param private data"); |
16970 | | |
16971 | | /* |
16972 | | * Do we have a valid private record? |
16973 | | */ |
16974 | 0 | if (!dns_nsec3param_fromprivate(&private, &rdata, buf, |
16975 | 0 | sizeof(buf))) |
16976 | 0 | { |
16977 | 0 | continue; |
16978 | 0 | } |
16979 | | |
16980 | | /* |
16981 | | * Remove any NSEC3PARAM records scheduled to be removed. |
16982 | | */ |
16983 | 0 | if (NSEC3REMOVE(rdata.data[1])) { |
16984 | | /* |
16985 | | * Zero out the flags. |
16986 | | */ |
16987 | 0 | rdata.data[1] = 0; |
16988 | |
|
16989 | 0 | for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL; |
16990 | 0 | nsec3p = next) |
16991 | 0 | { |
16992 | 0 | next = ISC_LIST_NEXT(nsec3p, link); |
16993 | |
|
16994 | 0 | if (nsec3p->length == rdata.length + 1 && |
16995 | 0 | memcmp(rdata.data, nsec3p->data + 1, |
16996 | 0 | nsec3p->length - 1) == 0) |
16997 | 0 | { |
16998 | 0 | ISC_LIST_UNLINK(*nsec3list, nsec3p, |
16999 | 0 | link); |
17000 | 0 | isc_mem_put(zone->mctx, nsec3p, |
17001 | 0 | sizeof(nsec3param_t)); |
17002 | 0 | } |
17003 | 0 | } |
17004 | 0 | continue; |
17005 | 0 | } |
17006 | | |
17007 | 0 | nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t)); |
17008 | 0 | ISC_LINK_INIT(nsec3param, link); |
17009 | | |
17010 | | /* |
17011 | | * Copy the remaining private records so the nsec/nsec3 |
17012 | | * chain gets created. |
17013 | | */ |
17014 | 0 | INSIST(private.length <= sizeof(nsec3param->data)); |
17015 | 0 | memmove(nsec3param->data, private.data, private.length); |
17016 | 0 | nsec3param->length = private.length; |
17017 | 0 | ISC_LIST_APPEND(*nsec3list, nsec3param, link); |
17018 | 0 | } |
17019 | |
|
17020 | 0 | done: |
17021 | 0 | if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) { |
17022 | 0 | result = ISC_R_SUCCESS; |
17023 | 0 | } |
17024 | |
|
17025 | 0 | failure: |
17026 | 0 | if (node != NULL) { |
17027 | 0 | dns_db_detachnode(db, &node); |
17028 | 0 | } |
17029 | 0 | if (version != NULL) { |
17030 | 0 | dns_db_closeversion(db, &version, false); |
17031 | 0 | } |
17032 | 0 | if (db != NULL) { |
17033 | 0 | dns_db_detach(&db); |
17034 | 0 | } |
17035 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
17036 | 0 | dns_rdataset_disassociate(&rdataset); |
17037 | 0 | } |
17038 | 0 | if (dns_rdataset_isassociated(&prdataset)) { |
17039 | 0 | dns_rdataset_disassociate(&prdataset); |
17040 | 0 | } |
17041 | 0 | return (result); |
17042 | 0 | } |
17043 | | |
17044 | | /* |
17045 | | * Populate new zone db with private type records found by save_nsec3param(). |
17046 | | */ |
17047 | | static isc_result_t |
17048 | | restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, |
17049 | 0 | nsec3paramlist_t *nsec3list) { |
17050 | 0 | isc_result_t result = ISC_R_SUCCESS; |
17051 | 0 | dns_diff_t diff; |
17052 | 0 | dns_rdata_t rdata; |
17053 | 0 | nsec3param_t *nsec3p = NULL; |
17054 | 0 | nsec3param_t *next; |
17055 | |
|
17056 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17057 | 0 | REQUIRE(!ISC_LIST_EMPTY(*nsec3list)); |
17058 | |
|
17059 | 0 | dns_diff_init(zone->mctx, &diff); |
17060 | | |
17061 | | /* |
17062 | | * Loop through the list of private-type records, set the INITIAL |
17063 | | * and CREATE flags, and the add the record to the apex of the tree |
17064 | | * in db. |
17065 | | */ |
17066 | 0 | for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL; nsec3p = next) |
17067 | 0 | { |
17068 | 0 | next = ISC_LIST_NEXT(nsec3p, link); |
17069 | 0 | dns_rdata_init(&rdata); |
17070 | 0 | nsec3p->data[2] = DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL; |
17071 | 0 | rdata.length = nsec3p->length; |
17072 | 0 | rdata.data = nsec3p->data; |
17073 | 0 | rdata.type = zone->privatetype; |
17074 | 0 | rdata.rdclass = zone->rdclass; |
17075 | 0 | result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD, |
17076 | 0 | &zone->origin, 0, &rdata); |
17077 | 0 | if (result != ISC_R_SUCCESS) { |
17078 | 0 | break; |
17079 | 0 | } |
17080 | 0 | } |
17081 | |
|
17082 | 0 | dns_diff_clear(&diff); |
17083 | 0 | return (result); |
17084 | 0 | } |
17085 | | |
17086 | | static isc_result_t |
17087 | | copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb, |
17088 | 0 | dns_dbiterator_t *dbiterator, unsigned int *oldserial) { |
17089 | 0 | dns_dbnode_t *rawnode = NULL, *node = NULL; |
17090 | 0 | dns_fixedname_t fixed; |
17091 | 0 | dns_name_t *name = dns_fixedname_initname(&fixed); |
17092 | 0 | dns_rdataset_t rdataset; |
17093 | 0 | dns_rdatasetiter_t *rdsit = NULL; |
17094 | 0 | isc_result_t result; |
17095 | |
|
17096 | 0 | result = dns_dbiterator_current(dbiterator, &rawnode, name); |
17097 | 0 | if (result != ISC_R_SUCCESS) { |
17098 | 0 | return (ISC_R_SUCCESS); |
17099 | 0 | } |
17100 | | |
17101 | 0 | dns_dbiterator_pause(dbiterator); |
17102 | |
|
17103 | 0 | result = dns_db_findnode(db, name, true, &node); |
17104 | 0 | if (result != ISC_R_SUCCESS) { |
17105 | 0 | goto cleanup; |
17106 | 0 | } |
17107 | | |
17108 | 0 | result = dns_db_allrdatasets(rawdb, rawnode, NULL, 0, 0, &rdsit); |
17109 | 0 | if (result != ISC_R_SUCCESS) { |
17110 | 0 | goto cleanup; |
17111 | 0 | } |
17112 | | |
17113 | 0 | dns_rdataset_init(&rdataset); |
17114 | |
|
17115 | 0 | for (result = dns_rdatasetiter_first(rdsit); result == ISC_R_SUCCESS; |
17116 | 0 | result = dns_rdatasetiter_next(rdsit)) |
17117 | 0 | { |
17118 | 0 | dns_rdatasetiter_current(rdsit, &rdataset); |
17119 | 0 | if (rdataset.type == dns_rdatatype_nsec || |
17120 | 0 | rdataset.type == dns_rdatatype_rrsig || |
17121 | 0 | rdataset.type == dns_rdatatype_nsec3 || |
17122 | 0 | rdataset.type == dns_rdatatype_nsec3param) |
17123 | 0 | { |
17124 | 0 | dns_rdataset_disassociate(&rdataset); |
17125 | 0 | continue; |
17126 | 0 | } |
17127 | | /* |
17128 | | * Allow DNSKEY, CDNSKEY, CDS because users should be able to |
17129 | | * update the zone with these records from a different provider, |
17130 | | * and thus they may exist in the raw version of the zone. |
17131 | | */ |
17132 | | |
17133 | 0 | if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) { |
17134 | 0 | result = checkandaddsoa(db, node, version, name, |
17135 | 0 | &rdataset, *oldserial); |
17136 | 0 | } else { |
17137 | 0 | result = dns_db_addrdataset(db, node, version, 0, |
17138 | 0 | &rdataset, 0, NULL); |
17139 | 0 | } |
17140 | 0 | dns_rdataset_disassociate(&rdataset); |
17141 | 0 | if (result != ISC_R_SUCCESS) { |
17142 | 0 | goto cleanup; |
17143 | 0 | } |
17144 | 0 | } |
17145 | 0 | if (result == ISC_R_NOMORE) { |
17146 | 0 | result = ISC_R_SUCCESS; |
17147 | 0 | } |
17148 | |
|
17149 | 0 | cleanup: |
17150 | 0 | if (rdsit != NULL) { |
17151 | 0 | dns_rdatasetiter_destroy(&rdsit); |
17152 | 0 | } |
17153 | 0 | if (rawnode) { |
17154 | 0 | dns_db_detachnode(rawdb, &rawnode); |
17155 | 0 | } |
17156 | 0 | if (node) { |
17157 | 0 | dns_db_detachnode(db, &node); |
17158 | 0 | } |
17159 | 0 | return (result); |
17160 | 0 | } |
17161 | | |
17162 | | static void |
17163 | 0 | receive_secure_db(void *arg) { |
17164 | 0 | isc_result_t result; |
17165 | 0 | struct rss *rss = (struct rss *)arg; |
17166 | 0 | dns_zone_t *zone = rss->zone; |
17167 | 0 | dns_db_t *rawdb = rss->db, *db = NULL; |
17168 | 0 | dns_dbiterator_t *dbiterator = NULL; |
17169 | 0 | dns_dbversion_t *version = NULL; |
17170 | 0 | isc_time_t loadtime; |
17171 | 0 | unsigned int oldserial = 0, *oldserialp = NULL; |
17172 | 0 | nsec3paramlist_t nsec3list; |
17173 | |
|
17174 | 0 | ISC_LIST_INIT(nsec3list); |
17175 | |
|
17176 | 0 | LOCK_ZONE(zone); |
17177 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || !inline_secure(zone)) { |
17178 | 0 | result = ISC_R_SHUTTINGDOWN; |
17179 | 0 | goto failure; |
17180 | 0 | } |
17181 | | |
17182 | 0 | loadtime = isc_time_now(); |
17183 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
17184 | 0 | if (zone->db != NULL) { |
17185 | 0 | result = dns_db_getsoaserial(zone->db, NULL, &oldserial); |
17186 | 0 | if (result == ISC_R_SUCCESS) { |
17187 | 0 | oldserialp = &oldserial; |
17188 | 0 | } |
17189 | | |
17190 | | /* |
17191 | | * assemble nsec3parameters from the old zone, and set a flag |
17192 | | * if any are found |
17193 | | */ |
17194 | 0 | result = save_nsec3param(zone, &nsec3list); |
17195 | 0 | if (result != ISC_R_SUCCESS) { |
17196 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
17197 | 0 | goto failure; |
17198 | 0 | } |
17199 | 0 | } |
17200 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
17201 | |
|
17202 | 0 | result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin, |
17203 | 0 | dns_dbtype_zone, zone->rdclass, |
17204 | 0 | zone->db_argc - 1, zone->db_argv + 1, &db); |
17205 | 0 | if (result != ISC_R_SUCCESS) { |
17206 | 0 | goto failure; |
17207 | 0 | } |
17208 | | |
17209 | 0 | result = dns_db_setgluecachestats(db, zone->gluecachestats); |
17210 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) { |
17211 | 0 | goto failure; |
17212 | 0 | } |
17213 | | |
17214 | 0 | result = dns_db_newversion(db, &version); |
17215 | 0 | if (result != ISC_R_SUCCESS) { |
17216 | 0 | goto failure; |
17217 | 0 | } |
17218 | | |
17219 | 0 | result = dns_db_createiterator(rawdb, DNS_DB_NONSEC3, &dbiterator); |
17220 | 0 | if (result != ISC_R_SUCCESS) { |
17221 | 0 | goto failure; |
17222 | 0 | } |
17223 | | |
17224 | 0 | for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS; |
17225 | 0 | result = dns_dbiterator_next(dbiterator)) |
17226 | 0 | { |
17227 | 0 | result = copy_non_dnssec_records(db, version, rawdb, dbiterator, |
17228 | 0 | oldserialp); |
17229 | 0 | if (result != ISC_R_SUCCESS) { |
17230 | 0 | goto failure; |
17231 | 0 | } |
17232 | 0 | } |
17233 | 0 | dns_dbiterator_destroy(&dbiterator); |
17234 | 0 | if (result != ISC_R_NOMORE) { |
17235 | 0 | goto failure; |
17236 | 0 | } |
17237 | | |
17238 | | /* |
17239 | | * Call restore_nsec3param() to create private-type records from |
17240 | | * the old nsec3 parameters and insert them into db |
17241 | | */ |
17242 | 0 | if (!ISC_LIST_EMPTY(nsec3list)) { |
17243 | 0 | result = restore_nsec3param(zone, db, version, &nsec3list); |
17244 | 0 | if (result != ISC_R_SUCCESS) { |
17245 | 0 | goto failure; |
17246 | 0 | } |
17247 | 0 | } |
17248 | | |
17249 | 0 | dns_db_closeversion(db, &version, true); |
17250 | | |
17251 | | /* |
17252 | | * Lock hierarchy: zmgr, zone, raw. |
17253 | | */ |
17254 | 0 | INSIST(zone != zone->raw); |
17255 | 0 | LOCK_ZONE(zone->raw); |
17256 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
17257 | 0 | result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS); |
17258 | 0 | zone_needdump(zone, 0); /* XXXMPA */ |
17259 | 0 | UNLOCK_ZONE(zone->raw); |
17260 | | |
17261 | | /* |
17262 | | * Process any queued NSEC3PARAM change requests. |
17263 | | */ |
17264 | 0 | process_zone_setnsec3param(zone); |
17265 | |
|
17266 | 0 | failure: |
17267 | 0 | UNLOCK_ZONE(zone); |
17268 | 0 | if (dbiterator != NULL) { |
17269 | 0 | dns_dbiterator_destroy(&dbiterator); |
17270 | 0 | } |
17271 | 0 | if (result != ISC_R_SUCCESS) { |
17272 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s", |
17273 | 0 | isc_result_totext(result)); |
17274 | 0 | } |
17275 | |
|
17276 | 0 | while (!ISC_LIST_EMPTY(nsec3list)) { |
17277 | 0 | nsec3param_t *nsec3p; |
17278 | 0 | nsec3p = ISC_LIST_HEAD(nsec3list); |
17279 | 0 | ISC_LIST_UNLINK(nsec3list, nsec3p, link); |
17280 | 0 | isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t)); |
17281 | 0 | } |
17282 | 0 | if (db != NULL) { |
17283 | 0 | if (version != NULL) { |
17284 | 0 | dns_db_closeversion(db, &version, false); |
17285 | 0 | } |
17286 | 0 | dns_db_detach(&db); |
17287 | 0 | } |
17288 | |
|
17289 | 0 | dns_db_detach(&rawdb); |
17290 | 0 | isc_mem_put(zone->mctx, rss, sizeof(*rss)); |
17291 | 0 | dns_zone_idetach(&zone); |
17292 | |
|
17293 | 0 | INSIST(version == NULL); |
17294 | 0 | } |
17295 | | |
17296 | | static isc_result_t |
17297 | 0 | zone_send_securedb(dns_zone_t *zone, dns_db_t *db) { |
17298 | 0 | struct rss *rss = NULL; |
17299 | |
|
17300 | 0 | rss = isc_mem_get(zone->secure->mctx, sizeof(*rss)); |
17301 | 0 | *rss = (struct rss){ .link = ISC_LINK_INITIALIZER }; |
17302 | |
|
17303 | 0 | INSIST(LOCKED_ZONE(zone->secure)); |
17304 | 0 | zone_iattach(zone->secure, &rss->zone); |
17305 | 0 | dns_db_attach(db, &rss->db); |
17306 | 0 | isc_async_run(zone->secure->loop, receive_secure_db, rss); |
17307 | |
|
17308 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE); |
17309 | 0 | return (ISC_R_SUCCESS); |
17310 | 0 | } |
17311 | | |
17312 | | isc_result_t |
17313 | 0 | dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) { |
17314 | 0 | isc_result_t result; |
17315 | 0 | dns_zone_t *secure = NULL; |
17316 | |
|
17317 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17318 | 0 | again: |
17319 | 0 | LOCK_ZONE(zone); |
17320 | 0 | if (inline_raw(zone)) { |
17321 | 0 | secure = zone->secure; |
17322 | 0 | INSIST(secure != zone); |
17323 | 0 | TRYLOCK_ZONE(result, secure); |
17324 | 0 | if (result != ISC_R_SUCCESS) { |
17325 | 0 | UNLOCK_ZONE(zone); |
17326 | 0 | secure = NULL; |
17327 | 0 | isc_thread_yield(); |
17328 | 0 | goto again; |
17329 | 0 | } |
17330 | 0 | } |
17331 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); |
17332 | 0 | result = zone_replacedb(zone, db, dump); |
17333 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); |
17334 | 0 | if (secure != NULL) { |
17335 | 0 | UNLOCK_ZONE(secure); |
17336 | 0 | } |
17337 | 0 | UNLOCK_ZONE(zone); |
17338 | 0 | return (result); |
17339 | 0 | } |
17340 | | |
17341 | | static isc_result_t |
17342 | 0 | zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) { |
17343 | 0 | dns_dbversion_t *ver; |
17344 | 0 | isc_result_t result; |
17345 | 0 | unsigned int soacount = 0; |
17346 | 0 | unsigned int nscount = 0; |
17347 | | |
17348 | | /* |
17349 | | * 'zone' and 'zone->db' locked by caller. |
17350 | | */ |
17351 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17352 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
17353 | 0 | if (inline_raw(zone)) { |
17354 | 0 | REQUIRE(LOCKED_ZONE(zone->secure)); |
17355 | 0 | } |
17356 | |
|
17357 | 0 | result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL, |
17358 | 0 | NULL, NULL, NULL, NULL, NULL); |
17359 | 0 | if (result == ISC_R_SUCCESS) { |
17360 | 0 | if (soacount != 1) { |
17361 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, "has %d SOA records", |
17362 | 0 | soacount); |
17363 | 0 | result = DNS_R_BADZONE; |
17364 | 0 | } |
17365 | 0 | if (nscount == 0 && zone->type != dns_zone_key) { |
17366 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records"); |
17367 | 0 | result = DNS_R_BADZONE; |
17368 | 0 | } |
17369 | 0 | if (result != ISC_R_SUCCESS) { |
17370 | 0 | return (result); |
17371 | 0 | } |
17372 | 0 | } else { |
17373 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17374 | 0 | "retrieving SOA and NS records failed: %s", |
17375 | 0 | isc_result_totext(result)); |
17376 | 0 | return (result); |
17377 | 0 | } |
17378 | | |
17379 | 0 | result = check_nsec3param(zone, db); |
17380 | 0 | if (result != ISC_R_SUCCESS) { |
17381 | 0 | return (result); |
17382 | 0 | } |
17383 | | |
17384 | 0 | ver = NULL; |
17385 | 0 | dns_db_currentversion(db, &ver); |
17386 | | |
17387 | | /* |
17388 | | * The initial version of a secondary zone is always dumped; |
17389 | | * subsequent versions may be journaled instead if this |
17390 | | * is enabled in the configuration. |
17391 | | */ |
17392 | 0 | if (zone->db != NULL && zone->journal != NULL && |
17393 | 0 | DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) && |
17394 | 0 | !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) |
17395 | 0 | { |
17396 | 0 | uint32_t serial, oldserial; |
17397 | |
|
17398 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs"); |
17399 | |
|
17400 | 0 | result = dns_db_getsoaserial(db, ver, &serial); |
17401 | 0 | if (result != ISC_R_SUCCESS) { |
17402 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17403 | 0 | "ixfr-from-differences: unable to get " |
17404 | 0 | "new serial"); |
17405 | 0 | goto fail; |
17406 | 0 | } |
17407 | | |
17408 | | /* |
17409 | | * This is checked in zone_postload() for primary zones. |
17410 | | */ |
17411 | 0 | result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, |
17412 | 0 | &oldserial, NULL, NULL, NULL, NULL, |
17413 | 0 | NULL); |
17414 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
17415 | 0 | RUNTIME_CHECK(soacount > 0U); |
17416 | 0 | if ((zone->type == dns_zone_secondary || |
17417 | 0 | (zone->type == dns_zone_redirect && |
17418 | 0 | dns_remote_addresses(&zone->primaries) != NULL)) && |
17419 | 0 | !isc_serial_gt(serial, oldserial)) |
17420 | 0 | { |
17421 | 0 | uint32_t serialmin, serialmax; |
17422 | 0 | serialmin = (oldserial + 1) & 0xffffffffU; |
17423 | 0 | serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU; |
17424 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17425 | 0 | "ixfr-from-differences: failed: " |
17426 | 0 | "new serial (%u) out of range [%u - %u]", |
17427 | 0 | serial, serialmin, serialmax); |
17428 | 0 | result = ISC_R_RANGE; |
17429 | 0 | goto fail; |
17430 | 0 | } |
17431 | | |
17432 | 0 | result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL, |
17433 | 0 | zone->journal); |
17434 | 0 | if (result != ISC_R_SUCCESS) { |
17435 | 0 | char strbuf[ISC_STRERRORSIZE]; |
17436 | 0 | strerror_r(errno, strbuf, sizeof(strbuf)); |
17437 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17438 | 0 | "ixfr-from-differences: failed: " |
17439 | 0 | "%s", |
17440 | 0 | strbuf); |
17441 | 0 | goto fallback; |
17442 | 0 | } |
17443 | 0 | if (dump) { |
17444 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
17445 | 0 | } else { |
17446 | 0 | zone_journal_compact(zone, zone->db, serial); |
17447 | 0 | } |
17448 | 0 | if (zone->type == dns_zone_primary && inline_raw(zone)) { |
17449 | 0 | zone_send_secureserial(zone, serial); |
17450 | 0 | } |
17451 | 0 | } else { |
17452 | 0 | fallback: |
17453 | 0 | if (dump && zone->masterfile != NULL) { |
17454 | | /* |
17455 | | * If DNS_ZONEFLG_FORCEXFER was set we don't want |
17456 | | * to keep the old masterfile. |
17457 | | */ |
17458 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) && |
17459 | 0 | remove(zone->masterfile) < 0 && errno != ENOENT) |
17460 | 0 | { |
17461 | 0 | char strbuf[ISC_STRERRORSIZE]; |
17462 | 0 | strerror_r(errno, strbuf, sizeof(strbuf)); |
17463 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
17464 | 0 | DNS_LOGMODULE_ZONE, |
17465 | 0 | ISC_LOG_WARNING, |
17466 | 0 | "unable to remove masterfile " |
17467 | 0 | "'%s': '%s'", |
17468 | 0 | zone->masterfile, strbuf); |
17469 | 0 | } |
17470 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0) { |
17471 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY); |
17472 | 0 | } else { |
17473 | 0 | zone_needdump(zone, 0); |
17474 | 0 | } |
17475 | 0 | } |
17476 | 0 | if (dump && zone->journal != NULL) { |
17477 | | /* |
17478 | | * The in-memory database just changed, and |
17479 | | * because 'dump' is set, it didn't change by |
17480 | | * being loaded from disk. Also, we have not |
17481 | | * journaled diffs for this change. |
17482 | | * Therefore, the on-disk journal is missing |
17483 | | * the deltas for this change. Since it can |
17484 | | * no longer be used to bring the zone |
17485 | | * up-to-date, it is useless and should be |
17486 | | * removed. |
17487 | | */ |
17488 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
17489 | 0 | DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3), |
17490 | 0 | "removing journal file"); |
17491 | 0 | if (remove(zone->journal) < 0 && errno != ENOENT) { |
17492 | 0 | char strbuf[ISC_STRERRORSIZE]; |
17493 | 0 | strerror_r(errno, strbuf, sizeof(strbuf)); |
17494 | 0 | isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, |
17495 | 0 | DNS_LOGMODULE_ZONE, |
17496 | 0 | ISC_LOG_WARNING, |
17497 | 0 | "unable to remove journal " |
17498 | 0 | "'%s': '%s'", |
17499 | 0 | zone->journal, strbuf); |
17500 | 0 | } |
17501 | 0 | } |
17502 | |
|
17503 | 0 | if (inline_raw(zone)) { |
17504 | 0 | zone_send_securedb(zone, db); |
17505 | 0 | } |
17506 | 0 | } |
17507 | | |
17508 | 0 | dns_db_closeversion(db, &ver, false); |
17509 | |
|
17510 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database"); |
17511 | |
|
17512 | 0 | if (zone->db != NULL) { |
17513 | 0 | zone_detachdb(zone); |
17514 | 0 | } |
17515 | 0 | zone_attachdb(zone, db); |
17516 | 0 | dns_db_setloop(zone->db, zone->loop); |
17517 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY); |
17518 | 0 | return (ISC_R_SUCCESS); |
17519 | | |
17520 | 0 | fail: |
17521 | 0 | dns_db_closeversion(db, &ver, false); |
17522 | 0 | return (result); |
17523 | 0 | } |
17524 | | |
17525 | | /* The caller must hold the dblock as a writer. */ |
17526 | | static void |
17527 | 2 | zone_attachdb(dns_zone_t *zone, dns_db_t *db) { |
17528 | 2 | REQUIRE(zone->db == NULL && db != NULL); |
17529 | | |
17530 | 2 | dns_db_attach(db, &zone->db); |
17531 | 2 | } |
17532 | | |
17533 | | /* The caller must hold the dblock as a writer. */ |
17534 | | static void |
17535 | 0 | zone_detachdb(dns_zone_t *zone) { |
17536 | 0 | REQUIRE(zone->db != NULL); |
17537 | |
|
17538 | 0 | dns_zone_rpz_disable_db(zone, zone->db); |
17539 | 0 | dns_zone_catz_disable_db(zone, zone->db); |
17540 | 0 | dns_db_detach(&zone->db); |
17541 | 0 | } |
17542 | | |
17543 | | static void |
17544 | 0 | zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result) { |
17545 | 0 | isc_time_t now, expiretime; |
17546 | 0 | bool again = false; |
17547 | 0 | unsigned int soacount; |
17548 | 0 | unsigned int nscount; |
17549 | 0 | uint32_t serial, refresh, retry, expire, minimum, soattl, oldexpire; |
17550 | 0 | isc_result_t xfrresult = result; |
17551 | 0 | bool free_needed; |
17552 | 0 | dns_zone_t *secure = NULL; |
17553 | |
|
17554 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17555 | |
|
17556 | 0 | dns_zone_logc( |
17557 | 0 | zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1), |
17558 | 0 | expireopt == NULL ? "zone transfer finished: %s" |
17559 | 0 | : "zone transfer finished: %s, expire=%u", |
17560 | 0 | isc_result_totext(result), expireopt != NULL ? *expireopt : 0); |
17561 | | |
17562 | | /* |
17563 | | * Obtaining a lock on the zone->secure (see zone_send_secureserial) |
17564 | | * could result in a deadlock due to a LOR so we will spin if we |
17565 | | * can't obtain both locks. |
17566 | | */ |
17567 | 0 | again: |
17568 | 0 | LOCK_ZONE(zone); |
17569 | 0 | if (inline_raw(zone)) { |
17570 | 0 | secure = zone->secure; |
17571 | 0 | INSIST(secure != zone); |
17572 | 0 | TRYLOCK_ZONE(result, secure); |
17573 | 0 | if (result != ISC_R_SUCCESS) { |
17574 | 0 | UNLOCK_ZONE(zone); |
17575 | 0 | secure = NULL; |
17576 | 0 | isc_thread_yield(); |
17577 | 0 | goto again; |
17578 | 0 | } |
17579 | 0 | } |
17580 | | |
17581 | 0 | INSIST(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)); |
17582 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); |
17583 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); |
17584 | |
|
17585 | 0 | now = isc_time_now(); |
17586 | 0 | switch (xfrresult) { |
17587 | 0 | case ISC_R_SUCCESS: |
17588 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
17589 | 0 | FALLTHROUGH; |
17590 | 0 | case DNS_R_UPTODATE: |
17591 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER | |
17592 | 0 | DNS_ZONEFLG_FIRSTREFRESH); |
17593 | | /* |
17594 | | * Has the zone expired underneath us? |
17595 | | */ |
17596 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
17597 | 0 | if (zone->db == NULL) { |
17598 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
17599 | 0 | goto same_primary; |
17600 | 0 | } |
17601 | | |
17602 | 0 | oldexpire = zone->expire; |
17603 | | |
17604 | | /* |
17605 | | * Update the zone structure's data from the actual |
17606 | | * SOA received. |
17607 | | */ |
17608 | 0 | nscount = 0; |
17609 | 0 | soacount = 0; |
17610 | 0 | INSIST(zone->db != NULL); |
17611 | 0 | result = zone_get_from_db(zone, zone->db, &nscount, &soacount, |
17612 | 0 | &soattl, &serial, &refresh, &retry, |
17613 | 0 | &expire, &minimum, NULL); |
17614 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
17615 | 0 | if (result == ISC_R_SUCCESS) { |
17616 | 0 | if (soacount != 1) { |
17617 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17618 | 0 | "transferred zone " |
17619 | 0 | "has %d SOA records", |
17620 | 0 | soacount); |
17621 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) |
17622 | 0 | { |
17623 | 0 | zone->refresh = DNS_ZONE_DEFAULTREFRESH; |
17624 | 0 | zone->retry = DNS_ZONE_DEFAULTRETRY; |
17625 | 0 | } |
17626 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
17627 | 0 | zone_unload(zone); |
17628 | 0 | goto next_primary; |
17629 | 0 | } |
17630 | 0 | if (nscount == 0) { |
17631 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
17632 | 0 | "transferred zone " |
17633 | 0 | "has no NS records"); |
17634 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) |
17635 | 0 | { |
17636 | 0 | zone->refresh = DNS_ZONE_DEFAULTREFRESH; |
17637 | 0 | zone->retry = DNS_ZONE_DEFAULTRETRY; |
17638 | 0 | } |
17639 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
17640 | 0 | zone_unload(zone); |
17641 | 0 | goto next_primary; |
17642 | 0 | } |
17643 | 0 | zone->refresh = RANGE(refresh, zone->minrefresh, |
17644 | 0 | zone->maxrefresh); |
17645 | 0 | zone->retry = RANGE(retry, zone->minretry, |
17646 | 0 | zone->maxretry); |
17647 | 0 | zone->expire = RANGE(expire, |
17648 | 0 | zone->refresh + zone->retry, |
17649 | 0 | DNS_MAX_EXPIRE); |
17650 | 0 | zone->soattl = soattl; |
17651 | 0 | zone->minimum = minimum; |
17652 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS); |
17653 | 0 | } |
17654 | | |
17655 | | /* |
17656 | | * Set our next refresh time. |
17657 | | */ |
17658 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) { |
17659 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH); |
17660 | 0 | zone->refreshtime = now; |
17661 | 0 | } else { |
17662 | 0 | DNS_ZONE_JITTER_ADD(&now, zone->refresh, |
17663 | 0 | &zone->refreshtime); |
17664 | 0 | } |
17665 | | |
17666 | | /* |
17667 | | * Set our next expire time. If the parent returned |
17668 | | * an EXPIRE option use that to update zone->expiretime. |
17669 | | */ |
17670 | 0 | expire = zone->expire; |
17671 | 0 | if (expireopt != NULL && *expireopt < expire) { |
17672 | 0 | expire = *expireopt; |
17673 | 0 | } |
17674 | 0 | DNS_ZONE_TIME_ADD(&now, expire, &expiretime); |
17675 | 0 | if (oldexpire != zone->expire || |
17676 | 0 | isc_time_compare(&expiretime, &zone->expiretime) > 0) |
17677 | 0 | { |
17678 | 0 | zone->expiretime = expiretime; |
17679 | 0 | } |
17680 | | |
17681 | | /* |
17682 | | * Set loadtime. |
17683 | | */ |
17684 | 0 | zone->loadtime = now; |
17685 | |
|
17686 | 0 | if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) { |
17687 | 0 | char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")]; |
17688 | 0 | if (zone->tsigkey != NULL) { |
17689 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
17690 | 0 | dns_name_format(zone->tsigkey->name, namebuf, |
17691 | 0 | sizeof(namebuf)); |
17692 | 0 | snprintf(buf, sizeof(buf), ": TSIG '%s'", |
17693 | 0 | namebuf); |
17694 | 0 | } else { |
17695 | 0 | buf[0] = '\0'; |
17696 | 0 | } |
17697 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
17698 | 0 | ISC_LOG_INFO, "transferred serial %u%s", |
17699 | 0 | serial, buf); |
17700 | 0 | if (inline_raw(zone)) { |
17701 | 0 | zone_send_secureserial(zone, serial); |
17702 | 0 | } |
17703 | 0 | } |
17704 | | |
17705 | | /* |
17706 | | * This is not necessary if we just performed a AXFR |
17707 | | * however it is necessary for an IXFR / UPTODATE and |
17708 | | * won't hurt with an AXFR. |
17709 | | */ |
17710 | 0 | if (zone->masterfile != NULL || zone->journal != NULL) { |
17711 | 0 | unsigned int delay = DNS_DUMP_DELAY; |
17712 | 0 | isc_interval_t i; |
17713 | 0 | isc_time_t when; |
17714 | | |
17715 | | /* |
17716 | | * Compute effective modification time. |
17717 | | */ |
17718 | 0 | isc_interval_set(&i, zone->expire, 0); |
17719 | 0 | result = isc_time_subtract(&zone->expiretime, &i, |
17720 | 0 | &when); |
17721 | 0 | if (result != ISC_R_SUCCESS) { |
17722 | 0 | when = now; |
17723 | 0 | } |
17724 | |
|
17725 | 0 | result = ISC_R_FAILURE; |
17726 | 0 | if (zone->journal != NULL) { |
17727 | 0 | result = isc_file_settime(zone->journal, &when); |
17728 | 0 | } |
17729 | 0 | if (result != ISC_R_SUCCESS && zone->masterfile != NULL) |
17730 | 0 | { |
17731 | 0 | result = isc_file_settime(zone->masterfile, |
17732 | 0 | &when); |
17733 | 0 | } |
17734 | |
|
17735 | 0 | if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) || |
17736 | 0 | result == ISC_R_FILENOTFOUND) |
17737 | 0 | { |
17738 | 0 | delay = 0; |
17739 | 0 | } |
17740 | |
|
17741 | 0 | if ((result == ISC_R_SUCCESS || |
17742 | 0 | result == ISC_R_FILENOTFOUND) && |
17743 | 0 | zone->masterfile != NULL) |
17744 | 0 | { |
17745 | 0 | zone_needdump(zone, delay); |
17746 | 0 | } else if (result != ISC_R_SUCCESS) { |
17747 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
17748 | 0 | ISC_LOG_ERROR, |
17749 | 0 | "transfer: could not set file " |
17750 | 0 | "modification time of '%s': %s", |
17751 | 0 | zone->masterfile, |
17752 | 0 | isc_result_totext(result)); |
17753 | 0 | } |
17754 | 0 | } |
17755 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY); |
17756 | 0 | inc_stats(zone, dns_zonestatscounter_xfrsuccess); |
17757 | 0 | break; |
17758 | | |
17759 | 0 | case DNS_R_BADIXFR: |
17760 | | /* Force retry with AXFR. */ |
17761 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOIXFR); |
17762 | 0 | goto same_primary; |
17763 | | |
17764 | 0 | case DNS_R_TOOMANYRECORDS: |
17765 | 0 | case DNS_R_VERIFYFAILURE: |
17766 | 0 | DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); |
17767 | 0 | inc_stats(zone, dns_zonestatscounter_xfrfail); |
17768 | 0 | break; |
17769 | | |
17770 | 0 | default: |
17771 | 0 | next_primary: |
17772 | | /* |
17773 | | * Skip to next failed / untried primary. |
17774 | | */ |
17775 | 0 | dns_remote_next(&zone->primaries, true); |
17776 | 0 | same_primary: |
17777 | 0 | if (dns_remote_done(&zone->primaries)) { |
17778 | 0 | dns_remote_reset(&zone->primaries, false); |
17779 | 0 | } else { |
17780 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH); |
17781 | 0 | again = true; |
17782 | 0 | } |
17783 | 0 | inc_stats(zone, dns_zonestatscounter_xfrfail); |
17784 | 0 | break; |
17785 | 0 | } |
17786 | 0 | zone_settimer(zone, &now); |
17787 | | |
17788 | | /* |
17789 | | * If creating the transfer object failed, zone->xfr is NULL. |
17790 | | * Otherwise, we are called as the done callback of a zone |
17791 | | * transfer object that just entered its shutting-down |
17792 | | * state. Since we are no longer responsible for shutting |
17793 | | * it down, we can detach our reference. |
17794 | | */ |
17795 | 0 | if (zone->xfr != NULL) { |
17796 | 0 | dns_xfrin_detach(&zone->xfr); |
17797 | 0 | } |
17798 | |
|
17799 | 0 | if (zone->tsigkey != NULL) { |
17800 | 0 | dns_tsigkey_detach(&zone->tsigkey); |
17801 | 0 | } |
17802 | |
|
17803 | 0 | if (zone->transport != NULL) { |
17804 | 0 | dns_transport_detach(&zone->transport); |
17805 | 0 | } |
17806 | | |
17807 | | /* |
17808 | | * Handle any deferred journal compaction. |
17809 | | */ |
17810 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) { |
17811 | 0 | dns_db_t *db = NULL; |
17812 | 0 | if (dns_zone_getdb(zone, &db) == ISC_R_SUCCESS) { |
17813 | 0 | zone_journal_compact(zone, db, zone->compact_serial); |
17814 | 0 | dns_db_detach(&db); |
17815 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT); |
17816 | 0 | } |
17817 | 0 | } |
17818 | |
|
17819 | 0 | if (secure != NULL) { |
17820 | 0 | UNLOCK_ZONE(secure); |
17821 | 0 | } |
17822 | | /* |
17823 | | * This transfer finishing freed up a transfer quota slot. |
17824 | | * Let any other zones waiting for quota have it. |
17825 | | */ |
17826 | 0 | if (zone->zmgr != NULL && |
17827 | 0 | zone->statelist == &zone->zmgr->xfrin_in_progress) |
17828 | 0 | { |
17829 | 0 | UNLOCK_ZONE(zone); |
17830 | 0 | RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write); |
17831 | 0 | ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink); |
17832 | 0 | zone->statelist = NULL; |
17833 | 0 | zmgr_resume_xfrs(zone->zmgr, false); |
17834 | 0 | RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write); |
17835 | 0 | LOCK_ZONE(zone); |
17836 | 0 | } |
17837 | | |
17838 | | /* |
17839 | | * Retry with a different server if necessary. |
17840 | | */ |
17841 | 0 | if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
17842 | 0 | queue_soa_query(zone); |
17843 | 0 | } |
17844 | |
|
17845 | 0 | isc_refcount_decrement(&zone->irefs); |
17846 | 0 | free_needed = exit_check(zone); |
17847 | 0 | UNLOCK_ZONE(zone); |
17848 | 0 | if (free_needed) { |
17849 | 0 | zone_free(zone); |
17850 | 0 | } |
17851 | 0 | } |
17852 | | |
17853 | | static void |
17854 | 0 | zone_loaddone(void *arg, isc_result_t result) { |
17855 | 0 | dns_load_t *load = arg; |
17856 | 0 | dns_zone_t *zone; |
17857 | 0 | isc_result_t tresult; |
17858 | 0 | dns_zone_t *secure = NULL; |
17859 | |
|
17860 | 0 | zone = load->zone; |
17861 | |
|
17862 | 0 | ENTER; |
17863 | | |
17864 | | /* |
17865 | | * If zone loading failed, remove the update db callbacks prior |
17866 | | * to calling the list of callbacks in the zone load structure. |
17867 | | */ |
17868 | 0 | if (result != ISC_R_SUCCESS) { |
17869 | 0 | dns_zone_rpz_disable_db(zone, load->db); |
17870 | 0 | dns_zone_catz_disable_db(zone, load->db); |
17871 | 0 | } |
17872 | |
|
17873 | 0 | tresult = dns_db_endload(load->db, &load->callbacks); |
17874 | 0 | if (tresult != ISC_R_SUCCESS && |
17875 | 0 | (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)) |
17876 | 0 | { |
17877 | 0 | result = tresult; |
17878 | 0 | } |
17879 | | |
17880 | | /* |
17881 | | * Lock hierarchy: zmgr, zone, raw. |
17882 | | */ |
17883 | 0 | again: |
17884 | 0 | LOCK_ZONE(zone); |
17885 | 0 | INSIST(zone != zone->raw); |
17886 | 0 | if (inline_secure(zone)) { |
17887 | 0 | LOCK_ZONE(zone->raw); |
17888 | 0 | } else if (inline_raw(zone)) { |
17889 | 0 | secure = zone->secure; |
17890 | 0 | TRYLOCK_ZONE(tresult, secure); |
17891 | 0 | if (tresult != ISC_R_SUCCESS) { |
17892 | 0 | UNLOCK_ZONE(zone); |
17893 | 0 | secure = NULL; |
17894 | 0 | isc_thread_yield(); |
17895 | 0 | goto again; |
17896 | 0 | } |
17897 | 0 | } |
17898 | 0 | (void)zone_postload(zone, load->db, load->loadtime, result); |
17899 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING); |
17900 | 0 | zone_idetach(&load->callbacks.zone); |
17901 | | /* |
17902 | | * Leave the zone frozen if the reload fails. |
17903 | | */ |
17904 | 0 | if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) && |
17905 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW)) |
17906 | 0 | { |
17907 | 0 | zone->update_disabled = false; |
17908 | 0 | } |
17909 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW); |
17910 | 0 | if (inline_secure(zone)) { |
17911 | 0 | UNLOCK_ZONE(zone->raw); |
17912 | 0 | } else if (secure != NULL) { |
17913 | 0 | UNLOCK_ZONE(secure); |
17914 | 0 | } |
17915 | 0 | UNLOCK_ZONE(zone); |
17916 | |
|
17917 | 0 | dns_db_detach(&load->db); |
17918 | 0 | if (zone->loadctx != NULL) { |
17919 | 0 | dns_loadctx_detach(&zone->loadctx); |
17920 | 0 | } |
17921 | 0 | isc_mem_put(zone->mctx, load, sizeof(*load)); |
17922 | |
|
17923 | 0 | dns_zone_idetach(&zone); |
17924 | 0 | } |
17925 | | |
17926 | | void |
17927 | 0 | dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) { |
17928 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17929 | 0 | REQUIRE(table != NULL); |
17930 | 0 | REQUIRE(*table == NULL); |
17931 | |
|
17932 | 0 | LOCK_ZONE(zone); |
17933 | 0 | if (zone->ssutable != NULL) { |
17934 | 0 | dns_ssutable_attach(zone->ssutable, table); |
17935 | 0 | } |
17936 | 0 | UNLOCK_ZONE(zone); |
17937 | 0 | } |
17938 | | |
17939 | | void |
17940 | 0 | dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) { |
17941 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17942 | |
|
17943 | 0 | LOCK_ZONE(zone); |
17944 | 0 | if (zone->ssutable != NULL) { |
17945 | 0 | dns_ssutable_detach(&zone->ssutable); |
17946 | 0 | } |
17947 | 0 | if (table != NULL) { |
17948 | 0 | dns_ssutable_attach(table, &zone->ssutable); |
17949 | 0 | } |
17950 | 0 | UNLOCK_ZONE(zone); |
17951 | 0 | } |
17952 | | |
17953 | | void |
17954 | 0 | dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval) { |
17955 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17956 | |
|
17957 | 0 | zone->sigvalidityinterval = interval; |
17958 | 0 | } |
17959 | | |
17960 | | uint32_t |
17961 | 0 | dns_zone_getsigvalidityinterval(dns_zone_t *zone) { |
17962 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17963 | |
|
17964 | 0 | return (zone->sigvalidityinterval); |
17965 | 0 | } |
17966 | | |
17967 | | void |
17968 | 0 | dns_zone_setkeyvalidityinterval(dns_zone_t *zone, uint32_t interval) { |
17969 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17970 | |
|
17971 | 0 | zone->keyvalidityinterval = interval; |
17972 | 0 | } |
17973 | | |
17974 | | uint32_t |
17975 | 0 | dns_zone_getkeyvalidityinterval(dns_zone_t *zone) { |
17976 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17977 | |
|
17978 | 0 | return (zone->keyvalidityinterval); |
17979 | 0 | } |
17980 | | |
17981 | | void |
17982 | 0 | dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval) { |
17983 | 0 | isc_time_t now; |
17984 | |
|
17985 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
17986 | |
|
17987 | 0 | LOCK_ZONE(zone); |
17988 | 0 | zone->sigresigninginterval = interval; |
17989 | 0 | set_resigntime(zone); |
17990 | 0 | if (zone->loop != NULL) { |
17991 | 0 | now = isc_time_now(); |
17992 | 0 | zone_settimer(zone, &now); |
17993 | 0 | } |
17994 | 0 | UNLOCK_ZONE(zone); |
17995 | 0 | } |
17996 | | |
17997 | | uint32_t |
17998 | 0 | dns_zone_getsigresigninginterval(dns_zone_t *zone) { |
17999 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18000 | |
|
18001 | 0 | return (zone->sigresigninginterval); |
18002 | 0 | } |
18003 | | |
18004 | | isc_sockaddr_t |
18005 | 0 | dns_zone_getsourceaddr(dns_zone_t *zone) { |
18006 | 0 | isc_sockaddr_t sourceaddr; |
18007 | |
|
18008 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18009 | |
|
18010 | 0 | LOCK_ZONE(zone); |
18011 | 0 | INSIST(dns_remote_count(&zone->primaries) > 0); |
18012 | 0 | sourceaddr = zone->sourceaddr; |
18013 | 0 | UNLOCK_ZONE(zone); |
18014 | |
|
18015 | 0 | return (sourceaddr); |
18016 | 0 | } |
18017 | | |
18018 | | isc_sockaddr_t |
18019 | 0 | dns_zone_getprimaryaddr(dns_zone_t *zone) { |
18020 | 0 | isc_sockaddr_t curraddr; |
18021 | |
|
18022 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18023 | |
|
18024 | 0 | LOCK_ZONE(zone); |
18025 | 0 | INSIST(dns_remote_count(&zone->primaries) > 0); |
18026 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
18027 | 0 | UNLOCK_ZONE(zone); |
18028 | |
|
18029 | 0 | return (curraddr); |
18030 | 0 | } |
18031 | | |
18032 | | isc_time_t |
18033 | 0 | dns_zone_getxfrintime(const dns_zone_t *zone) { |
18034 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18035 | |
|
18036 | 0 | return (zone->xfrintime); |
18037 | 0 | } |
18038 | | |
18039 | | static void |
18040 | 0 | queue_xfrin(dns_zone_t *zone) { |
18041 | 0 | isc_result_t result; |
18042 | 0 | dns_zonemgr_t *zmgr = zone->zmgr; |
18043 | |
|
18044 | 0 | ENTER; |
18045 | |
|
18046 | 0 | INSIST(zone->statelist == NULL); |
18047 | |
|
18048 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18049 | 0 | ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink); |
18050 | 0 | isc_refcount_increment0(&zone->irefs); |
18051 | 0 | zone->statelist = &zmgr->waiting_for_xfrin; |
18052 | 0 | result = zmgr_start_xfrin_ifquota(zmgr, zone); |
18053 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18054 | |
|
18055 | 0 | if (result == ISC_R_QUOTA) { |
18056 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, |
18057 | 0 | "zone transfer deferred due to quota"); |
18058 | 0 | } else if (result != ISC_R_SUCCESS) { |
18059 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR, |
18060 | 0 | "starting zone transfer: %s", |
18061 | 0 | isc_result_totext(result)); |
18062 | 0 | } |
18063 | 0 | } |
18064 | | |
18065 | | /* |
18066 | | * Get the transport type used for the SOA query to the current primary server |
18067 | | * before an ongoing incoming zone transfer. |
18068 | | * |
18069 | | * Requires: |
18070 | | * The zone is locked by the caller. |
18071 | | */ |
18072 | | static dns_transport_type_t |
18073 | 0 | get_request_transport_type(dns_zone_t *zone) { |
18074 | 0 | dns_transport_type_t transport_type = DNS_TRANSPORT_NONE; |
18075 | |
|
18076 | 0 | if (zone->transport != NULL) { |
18077 | 0 | transport_type = dns_transport_get_type(zone->transport); |
18078 | 0 | } else { |
18079 | 0 | transport_type = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC)) |
18080 | 0 | ? DNS_TRANSPORT_TCP |
18081 | 0 | : DNS_TRANSPORT_UDP; |
18082 | | |
18083 | | /* Check if the peer is forced to always use TCP. */ |
18084 | 0 | if (transport_type != DNS_TRANSPORT_TCP) { |
18085 | 0 | isc_result_t result; |
18086 | 0 | isc_sockaddr_t primaryaddr; |
18087 | 0 | isc_netaddr_t primaryip; |
18088 | 0 | dns_peer_t *peer = NULL; |
18089 | |
|
18090 | 0 | primaryaddr = dns_remote_curraddr(&zone->primaries); |
18091 | 0 | isc_netaddr_fromsockaddr(&primaryip, &primaryaddr); |
18092 | 0 | result = dns_peerlist_peerbyaddr(zone->view->peers, |
18093 | 0 | &primaryip, &peer); |
18094 | 0 | if (result == ISC_R_SUCCESS && peer != NULL) { |
18095 | 0 | bool usetcp; |
18096 | 0 | result = dns_peer_getforcetcp(peer, &usetcp); |
18097 | 0 | if (result == ISC_R_SUCCESS && usetcp) { |
18098 | 0 | transport_type = DNS_TRANSPORT_TCP; |
18099 | 0 | } |
18100 | 0 | } |
18101 | 0 | } |
18102 | 0 | } |
18103 | |
|
18104 | 0 | return (transport_type); |
18105 | 0 | } |
18106 | | |
18107 | | dns_transport_type_t |
18108 | 0 | dns_zone_getrequesttransporttype(dns_zone_t *zone) { |
18109 | 0 | dns_transport_type_t transport_type; |
18110 | |
|
18111 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18112 | |
|
18113 | 0 | LOCK_ZONE(zone); |
18114 | 0 | transport_type = get_request_transport_type(zone); |
18115 | 0 | UNLOCK_ZONE(zone); |
18116 | |
|
18117 | 0 | return (transport_type); |
18118 | 0 | } |
18119 | | |
18120 | | /* |
18121 | | * This event callback is called when a zone has received |
18122 | | * any necessary zone transfer quota. This is the time |
18123 | | * to go ahead and start the transfer. |
18124 | | */ |
18125 | | static void |
18126 | 0 | got_transfer_quota(void *arg) { |
18127 | 0 | dns_zone_t *zone = (dns_zone_t *)arg; |
18128 | 0 | isc_result_t result = ISC_R_SUCCESS; |
18129 | 0 | dns_peer_t *peer = NULL; |
18130 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
18131 | 0 | char source[ISC_SOCKADDR_FORMATSIZE]; |
18132 | 0 | dns_rdatatype_t xfrtype; |
18133 | 0 | isc_netaddr_t primaryip; |
18134 | 0 | isc_sockaddr_t primaryaddr; |
18135 | 0 | isc_sockaddr_t sourceaddr; |
18136 | 0 | isc_time_t now; |
18137 | 0 | dns_transport_type_t soa_transport_type = DNS_TRANSPORT_NONE; |
18138 | 0 | const char *soa_before = ""; |
18139 | 0 | bool loaded; |
18140 | 0 | isc_tlsctx_cache_t *zmgr_tlsctx_cache = NULL; |
18141 | |
|
18142 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
18143 | 0 | zone_xfrdone(zone, NULL, ISC_R_CANCELED); |
18144 | 0 | return; |
18145 | 0 | } |
18146 | | |
18147 | 0 | now = isc_time_now(); |
18148 | |
|
18149 | 0 | primaryaddr = dns_remote_curraddr(&zone->primaries); |
18150 | 0 | isc_sockaddr_format(&primaryaddr, primary, sizeof(primary)); |
18151 | 0 | if (dns_zonemgr_unreachable(zone->zmgr, &primaryaddr, &zone->sourceaddr, |
18152 | 0 | &now)) |
18153 | 0 | { |
18154 | 0 | isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source)); |
18155 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, |
18156 | 0 | "got_transfer_quota: skipping zone transfer as " |
18157 | 0 | "primary %s (source %s) is unreachable (cached)", |
18158 | 0 | primary, source); |
18159 | 0 | zone_xfrdone(zone, NULL, ISC_R_CANCELED); |
18160 | 0 | return; |
18161 | 0 | } |
18162 | | |
18163 | 0 | isc_netaddr_fromsockaddr(&primaryip, &primaryaddr); |
18164 | 0 | (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer); |
18165 | |
|
18166 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) { |
18167 | 0 | soa_before = "SOA before "; |
18168 | 0 | } |
18169 | | /* |
18170 | | * Decide whether we should request IXFR or AXFR. |
18171 | | */ |
18172 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
18173 | 0 | loaded = (zone->db != NULL); |
18174 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
18175 | |
|
18176 | 0 | if (!loaded) { |
18177 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1), |
18178 | 0 | "no database exists yet, requesting AXFR of " |
18179 | 0 | "initial version from %s", |
18180 | 0 | primary); |
18181 | 0 | xfrtype = dns_rdatatype_axfr; |
18182 | 0 | } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) { |
18183 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1), |
18184 | 0 | "forced reload, requesting AXFR of " |
18185 | 0 | "initial version from %s", |
18186 | 0 | primary); |
18187 | 0 | xfrtype = dns_rdatatype_axfr; |
18188 | 0 | } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOIXFR)) { |
18189 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1), |
18190 | 0 | "retrying with AXFR from %s due to " |
18191 | 0 | "previous IXFR failure", |
18192 | 0 | primary); |
18193 | 0 | xfrtype = dns_rdatatype_axfr; |
18194 | 0 | LOCK_ZONE(zone); |
18195 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOIXFR); |
18196 | 0 | UNLOCK_ZONE(zone); |
18197 | 0 | } else { |
18198 | 0 | bool use_ixfr = true; |
18199 | 0 | if (peer != NULL) { |
18200 | 0 | result = dns_peer_getrequestixfr(peer, &use_ixfr); |
18201 | 0 | } |
18202 | 0 | if (peer == NULL || result != ISC_R_SUCCESS) { |
18203 | 0 | use_ixfr = zone->requestixfr; |
18204 | 0 | } |
18205 | 0 | if (!use_ixfr) { |
18206 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
18207 | 0 | ISC_LOG_DEBUG(1), |
18208 | 0 | "IXFR disabled, " |
18209 | 0 | "requesting %sAXFR from %s", |
18210 | 0 | soa_before, primary); |
18211 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) { |
18212 | 0 | xfrtype = dns_rdatatype_soa; |
18213 | 0 | } else { |
18214 | 0 | xfrtype = dns_rdatatype_axfr; |
18215 | 0 | } |
18216 | 0 | } else { |
18217 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
18218 | 0 | ISC_LOG_DEBUG(1), |
18219 | 0 | "requesting IXFR from %s", primary); |
18220 | 0 | xfrtype = dns_rdatatype_ixfr; |
18221 | 0 | } |
18222 | 0 | } |
18223 | | |
18224 | | /* |
18225 | | * Determine if we should attempt to sign the request with TSIG. |
18226 | | */ |
18227 | 0 | result = ISC_R_NOTFOUND; |
18228 | | |
18229 | | /* |
18230 | | * First, look for a tsig key in the primaries statement, then |
18231 | | * try for a server key. |
18232 | | */ |
18233 | 0 | if (dns_remote_keyname(&zone->primaries) != NULL) { |
18234 | 0 | dns_view_t *view = dns_zone_getview(zone); |
18235 | 0 | dns_name_t *keyname = dns_remote_keyname(&zone->primaries); |
18236 | 0 | result = dns_view_gettsig(view, keyname, &zone->tsigkey); |
18237 | 0 | } |
18238 | 0 | if (result != ISC_R_SUCCESS) { |
18239 | 0 | INSIST(zone->tsigkey == NULL); |
18240 | 0 | result = dns_view_getpeertsig(zone->view, &primaryip, |
18241 | 0 | &zone->tsigkey); |
18242 | 0 | } |
18243 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
18244 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR, |
18245 | 0 | "could not get TSIG key for zone transfer: %s", |
18246 | 0 | isc_result_totext(result)); |
18247 | 0 | } |
18248 | | |
18249 | | /* |
18250 | | * Get the TLS transport for the primary, if configured. |
18251 | | */ |
18252 | 0 | if (dns_remote_tlsname(&zone->primaries) != NULL) { |
18253 | 0 | dns_view_t *view = dns_zone_getview(zone); |
18254 | 0 | dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries); |
18255 | 0 | result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname, |
18256 | 0 | &zone->transport); |
18257 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
18258 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
18259 | 0 | ISC_LOG_ERROR, |
18260 | 0 | "could not get TLS configuration for " |
18261 | 0 | "zone transfer: %s", |
18262 | 0 | isc_result_totext(result)); |
18263 | 0 | } |
18264 | 0 | } |
18265 | |
|
18266 | 0 | LOCK_ZONE(zone); |
18267 | 0 | if (xfrtype != dns_rdatatype_soa) { |
18268 | | /* |
18269 | | * If 'xfrtype' is dns_rdatatype_soa, then the SOA query will be |
18270 | | * performed by xfrin, otherwise, the SOA request performed by |
18271 | | * soa_query() was successful and we should inform the xfrin |
18272 | | * about the transport type used for that query, so that the |
18273 | | * information can be presented in the statistics channel. |
18274 | | */ |
18275 | 0 | soa_transport_type = get_request_transport_type(zone); |
18276 | 0 | } |
18277 | 0 | sourceaddr = zone->sourceaddr; |
18278 | 0 | UNLOCK_ZONE(zone); |
18279 | |
|
18280 | 0 | INSIST(isc_sockaddr_pf(&primaryaddr) == isc_sockaddr_pf(&sourceaddr)); |
18281 | |
|
18282 | 0 | if (zone->xfr != NULL) { |
18283 | 0 | dns_xfrin_detach(&zone->xfr); |
18284 | 0 | } |
18285 | |
|
18286 | 0 | zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache); |
18287 | |
|
18288 | 0 | result = dns_xfrin_create(zone, xfrtype, &primaryaddr, &sourceaddr, |
18289 | 0 | zone->tsigkey, soa_transport_type, |
18290 | 0 | zone->transport, zmgr_tlsctx_cache, |
18291 | 0 | zone->mctx, zone_xfrdone, &zone->xfr); |
18292 | |
|
18293 | 0 | isc_tlsctx_cache_detach(&zmgr_tlsctx_cache); |
18294 | | |
18295 | | /* |
18296 | | * Any failure in this function is handled like a failed |
18297 | | * zone transfer. This ensures that we get removed from |
18298 | | * zmgr->xfrin_in_progress. |
18299 | | */ |
18300 | 0 | if (result != ISC_R_SUCCESS) { |
18301 | 0 | zone_xfrdone(zone, NULL, result); |
18302 | 0 | return; |
18303 | 0 | } |
18304 | | |
18305 | 0 | LOCK_ZONE(zone); |
18306 | 0 | if (xfrtype == dns_rdatatype_axfr) { |
18307 | 0 | if (isc_sockaddr_pf(&primaryaddr) == PF_INET) { |
18308 | 0 | inc_stats(zone, dns_zonestatscounter_axfrreqv4); |
18309 | 0 | } else { |
18310 | 0 | inc_stats(zone, dns_zonestatscounter_axfrreqv6); |
18311 | 0 | } |
18312 | 0 | } else if (xfrtype == dns_rdatatype_ixfr) { |
18313 | 0 | if (isc_sockaddr_pf(&primaryaddr) == PF_INET) { |
18314 | 0 | inc_stats(zone, dns_zonestatscounter_ixfrreqv4); |
18315 | 0 | } else { |
18316 | 0 | inc_stats(zone, dns_zonestatscounter_ixfrreqv6); |
18317 | 0 | } |
18318 | 0 | } |
18319 | 0 | UNLOCK_ZONE(zone); |
18320 | 0 | } |
18321 | | |
18322 | | /* |
18323 | | * Update forwarding support. |
18324 | | */ |
18325 | | |
18326 | | static void |
18327 | 0 | forward_destroy(dns_forward_t *forward) { |
18328 | 0 | forward->magic = 0; |
18329 | 0 | if (forward->request != NULL) { |
18330 | 0 | dns_request_destroy(&forward->request); |
18331 | 0 | } |
18332 | 0 | if (forward->msgbuf != NULL) { |
18333 | 0 | isc_buffer_free(&forward->msgbuf); |
18334 | 0 | } |
18335 | 0 | if (forward->transport != NULL) { |
18336 | 0 | dns_transport_detach(&forward->transport); |
18337 | 0 | } |
18338 | 0 | if (forward->zone != NULL) { |
18339 | 0 | LOCK(&forward->zone->lock); |
18340 | 0 | if (ISC_LINK_LINKED(forward, link)) { |
18341 | 0 | ISC_LIST_UNLINK(forward->zone->forwards, forward, link); |
18342 | 0 | } |
18343 | 0 | UNLOCK(&forward->zone->lock); |
18344 | 0 | dns_zone_idetach(&forward->zone); |
18345 | 0 | } |
18346 | 0 | isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward)); |
18347 | 0 | } |
18348 | | |
18349 | | static isc_result_t |
18350 | 0 | sendtoprimary(dns_forward_t *forward) { |
18351 | 0 | isc_result_t result; |
18352 | 0 | isc_sockaddr_t src, any; |
18353 | 0 | dns_zone_t *zone = forward->zone; |
18354 | 0 | bool tls_transport_invalid = false; |
18355 | 0 | isc_tlsctx_cache_t *zmgr_tlsctx_cache = NULL; |
18356 | |
|
18357 | 0 | LOCK_ZONE(zone); |
18358 | |
|
18359 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
18360 | 0 | UNLOCK_ZONE(zone); |
18361 | 0 | return (ISC_R_CANCELED); |
18362 | 0 | } |
18363 | | |
18364 | 0 | next: |
18365 | 0 | if (forward->which >= dns_remote_count(&forward->zone->primaries)) { |
18366 | 0 | UNLOCK_ZONE(zone); |
18367 | 0 | return (ISC_R_NOMORE); |
18368 | 0 | } |
18369 | | |
18370 | 0 | forward->addr = dns_remote_addr(&zone->primaries, forward->which); |
18371 | |
|
18372 | 0 | if (isc_sockaddr_disabled(&forward->addr)) { |
18373 | 0 | forward->which++; |
18374 | 0 | goto next; |
18375 | 0 | } |
18376 | | |
18377 | | /* |
18378 | | * Always use TCP regardless of whether the original update |
18379 | | * used TCP. |
18380 | | * XXX The timeout may but a bit small if we are far down a |
18381 | | * transfer graph and have to try several primaries. |
18382 | | */ |
18383 | 0 | switch (isc_sockaddr_pf(&forward->addr)) { |
18384 | 0 | case PF_INET: |
18385 | 0 | isc_sockaddr_any(&any); |
18386 | 0 | src = zone->primaries.sources[forward->which]; |
18387 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
18388 | 0 | src = zone->xfrsource4; |
18389 | 0 | } |
18390 | 0 | break; |
18391 | 0 | case PF_INET6: |
18392 | 0 | isc_sockaddr_any6(&any); |
18393 | 0 | src = zone->primaries.sources[forward->which]; |
18394 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
18395 | 0 | src = zone->xfrsource6; |
18396 | 0 | } |
18397 | 0 | break; |
18398 | 0 | default: |
18399 | 0 | result = ISC_R_NOTIMPLEMENTED; |
18400 | 0 | goto unlock; |
18401 | 0 | } |
18402 | | |
18403 | 0 | if (forward->transport != NULL) { |
18404 | 0 | dns_transport_detach(&forward->transport); |
18405 | 0 | } |
18406 | |
|
18407 | 0 | if (dns_remote_tlsname(&zone->primaries) != NULL && |
18408 | 0 | zone->primaries.tlsnames[forward->which] != NULL) |
18409 | 0 | { |
18410 | 0 | dns_view_t *view = dns_zone_getview(zone); |
18411 | 0 | dns_name_t *tlsname = zone->primaries.tlsnames[forward->which]; |
18412 | |
|
18413 | 0 | result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname, |
18414 | 0 | &forward->transport); |
18415 | |
|
18416 | 0 | if (result != ISC_R_SUCCESS) { |
18417 | | /* Log the error message when unlocked. */ |
18418 | 0 | tls_transport_invalid = true; |
18419 | 0 | goto unlock; |
18420 | 0 | } |
18421 | 0 | } |
18422 | | |
18423 | 0 | zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache); |
18424 | |
|
18425 | 0 | result = dns_request_createraw( |
18426 | 0 | forward->zone->view->requestmgr, forward->msgbuf, &src, |
18427 | 0 | &forward->addr, forward->transport, zmgr_tlsctx_cache, |
18428 | 0 | forward->options, 15 /* XXX */, 0, 0, forward->zone->loop, |
18429 | 0 | forward_callback, forward, &forward->request); |
18430 | |
|
18431 | 0 | isc_tlsctx_cache_detach(&zmgr_tlsctx_cache); |
18432 | |
|
18433 | 0 | if (result == ISC_R_SUCCESS) { |
18434 | 0 | if (!ISC_LINK_LINKED(forward, link)) { |
18435 | 0 | ISC_LIST_APPEND(zone->forwards, forward, link); |
18436 | 0 | } |
18437 | 0 | } |
18438 | |
|
18439 | 0 | unlock: |
18440 | 0 | UNLOCK_ZONE(zone); |
18441 | |
|
18442 | 0 | if (tls_transport_invalid) { |
18443 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
18444 | 0 | "could not get TLS configuration " |
18445 | 0 | "for dynamic update: %s", |
18446 | 0 | isc_result_totext(result)); |
18447 | 0 | } |
18448 | |
|
18449 | 0 | return (result); |
18450 | 0 | } |
18451 | | |
18452 | | static void |
18453 | 0 | forward_callback(void *arg) { |
18454 | 0 | dns_request_t *request = (dns_request_t *)arg; |
18455 | 0 | dns_forward_t *forward = dns_request_getarg(request); |
18456 | 0 | dns_message_t *msg = NULL; |
18457 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
18458 | 0 | isc_result_t result; |
18459 | 0 | dns_zone_t *zone; |
18460 | |
|
18461 | 0 | INSIST(DNS_FORWARD_VALID(forward)); |
18462 | 0 | zone = forward->zone; |
18463 | 0 | INSIST(DNS_ZONE_VALID(zone)); |
18464 | |
|
18465 | 0 | ENTER; |
18466 | |
|
18467 | 0 | isc_sockaddr_format(&forward->addr, primary, sizeof(primary)); |
18468 | |
|
18469 | 0 | result = dns_request_getresult(request); |
18470 | 0 | if (result != ISC_R_SUCCESS) { |
18471 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
18472 | 0 | "could not forward dynamic update to %s: %s", |
18473 | 0 | primary, isc_result_totext(result)); |
18474 | 0 | goto next_primary; |
18475 | 0 | } |
18476 | | |
18477 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE, |
18478 | 0 | &msg); |
18479 | |
|
18480 | 0 | result = dns_request_getresponse(request, msg, |
18481 | 0 | DNS_MESSAGEPARSE_PRESERVEORDER | |
18482 | 0 | DNS_MESSAGEPARSE_CLONEBUFFER); |
18483 | 0 | if (result != ISC_R_SUCCESS) { |
18484 | 0 | goto next_primary; |
18485 | 0 | } |
18486 | | |
18487 | | /* |
18488 | | * Unexpected opcode. |
18489 | | */ |
18490 | 0 | if (msg->opcode != dns_opcode_update) { |
18491 | 0 | char opcode[128]; |
18492 | 0 | isc_buffer_t rb; |
18493 | |
|
18494 | 0 | isc_buffer_init(&rb, opcode, sizeof(opcode)); |
18495 | 0 | (void)dns_opcode_totext(msg->opcode, &rb); |
18496 | |
|
18497 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
18498 | 0 | "forwarding dynamic update: " |
18499 | 0 | "unexpected opcode (%.*s) from %s", |
18500 | 0 | (int)rb.used, opcode, primary); |
18501 | 0 | goto next_primary; |
18502 | 0 | } |
18503 | | |
18504 | 0 | switch (msg->rcode) { |
18505 | | /* |
18506 | | * Pass these rcodes back to client. |
18507 | | */ |
18508 | 0 | case dns_rcode_noerror: |
18509 | 0 | case dns_rcode_yxdomain: |
18510 | 0 | case dns_rcode_yxrrset: |
18511 | 0 | case dns_rcode_nxrrset: |
18512 | 0 | case dns_rcode_refused: |
18513 | 0 | case dns_rcode_nxdomain: { |
18514 | 0 | char rcode[128]; |
18515 | 0 | isc_buffer_t rb; |
18516 | |
|
18517 | 0 | isc_buffer_init(&rb, rcode, sizeof(rcode)); |
18518 | 0 | (void)dns_rcode_totext(msg->rcode, &rb); |
18519 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
18520 | 0 | "forwarded dynamic update: " |
18521 | 0 | "primary %s returned: %.*s", |
18522 | 0 | primary, (int)rb.used, rcode); |
18523 | 0 | break; |
18524 | 0 | } |
18525 | | |
18526 | | /* These should not occur if the primaries/zone are valid. */ |
18527 | 0 | case dns_rcode_notzone: |
18528 | 0 | case dns_rcode_notauth: { |
18529 | 0 | char rcode[128]; |
18530 | 0 | isc_buffer_t rb; |
18531 | |
|
18532 | 0 | isc_buffer_init(&rb, rcode, sizeof(rcode)); |
18533 | 0 | (void)dns_rcode_totext(msg->rcode, &rb); |
18534 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
18535 | 0 | "forwarding dynamic update: " |
18536 | 0 | "unexpected response: primary %s returned: %.*s", |
18537 | 0 | primary, (int)rb.used, rcode); |
18538 | 0 | goto next_primary; |
18539 | 0 | } |
18540 | | |
18541 | | /* Try another server for these rcodes. */ |
18542 | 0 | case dns_rcode_formerr: |
18543 | 0 | case dns_rcode_servfail: |
18544 | 0 | case dns_rcode_notimp: |
18545 | 0 | case dns_rcode_badvers: |
18546 | 0 | default: |
18547 | 0 | goto next_primary; |
18548 | 0 | } |
18549 | | |
18550 | | /* call callback */ |
18551 | 0 | (forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg); |
18552 | 0 | msg = NULL; |
18553 | 0 | dns_request_destroy(&forward->request); |
18554 | 0 | forward_destroy(forward); |
18555 | 0 | return; |
18556 | | |
18557 | 0 | next_primary: |
18558 | 0 | if (msg != NULL) { |
18559 | 0 | dns_message_detach(&msg); |
18560 | 0 | } |
18561 | 0 | forward->which++; |
18562 | 0 | dns_request_destroy(&forward->request); |
18563 | 0 | result = sendtoprimary(forward); |
18564 | 0 | if (result != ISC_R_SUCCESS) { |
18565 | | /* call callback */ |
18566 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
18567 | 0 | "exhausted dynamic update forwarder list"); |
18568 | 0 | (forward->callback)(forward->callback_arg, result, NULL); |
18569 | 0 | forward_destroy(forward); |
18570 | 0 | } |
18571 | 0 | } |
18572 | | |
18573 | | isc_result_t |
18574 | | dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg, |
18575 | 0 | dns_updatecallback_t callback, void *callback_arg) { |
18576 | 0 | dns_forward_t *forward; |
18577 | 0 | isc_result_t result; |
18578 | 0 | isc_region_t *mr; |
18579 | |
|
18580 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18581 | 0 | REQUIRE(msg != NULL); |
18582 | 0 | REQUIRE(callback != NULL); |
18583 | |
|
18584 | 0 | forward = isc_mem_get(zone->mctx, sizeof(*forward)); |
18585 | 0 | *forward = (dns_forward_t){ .callback = callback, |
18586 | 0 | .callback_arg = callback_arg, |
18587 | 0 | .options = DNS_REQUESTOPT_TCP }; |
18588 | 0 | ISC_LINK_INIT(forward, link); |
18589 | 0 | forward->magic = FORWARD_MAGIC; |
18590 | | |
18591 | | /* |
18592 | | * If we have a SIG(0) signed message we need to preserve the |
18593 | | * query id as that is included in the SIG(0) computation. |
18594 | | */ |
18595 | 0 | if (msg->sig0 != NULL) { |
18596 | 0 | forward->options |= DNS_REQUESTOPT_FIXEDID; |
18597 | 0 | } |
18598 | |
|
18599 | 0 | mr = dns_message_getrawmessage(msg); |
18600 | 0 | if (mr == NULL) { |
18601 | 0 | result = ISC_R_UNEXPECTEDEND; |
18602 | 0 | goto cleanup; |
18603 | 0 | } |
18604 | | |
18605 | 0 | isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length); |
18606 | 0 | result = isc_buffer_copyregion(forward->msgbuf, mr); |
18607 | 0 | if (result != ISC_R_SUCCESS) { |
18608 | 0 | goto cleanup; |
18609 | 0 | } |
18610 | | |
18611 | 0 | isc_mem_attach(zone->mctx, &forward->mctx); |
18612 | 0 | dns_zone_iattach(zone, &forward->zone); |
18613 | 0 | result = sendtoprimary(forward); |
18614 | |
|
18615 | 0 | cleanup: |
18616 | 0 | if (result != ISC_R_SUCCESS) { |
18617 | 0 | forward_destroy(forward); |
18618 | 0 | } |
18619 | 0 | return (result); |
18620 | 0 | } |
18621 | | |
18622 | | isc_result_t |
18623 | 0 | dns_zone_next(dns_zone_t *zone, dns_zone_t **next) { |
18624 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18625 | 0 | REQUIRE(next != NULL && *next == NULL); |
18626 | |
|
18627 | 0 | *next = ISC_LIST_NEXT(zone, link); |
18628 | 0 | if (*next == NULL) { |
18629 | 0 | return (ISC_R_NOMORE); |
18630 | 0 | } else { |
18631 | 0 | return (ISC_R_SUCCESS); |
18632 | 0 | } |
18633 | 0 | } |
18634 | | |
18635 | | isc_result_t |
18636 | 0 | dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) { |
18637 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18638 | 0 | REQUIRE(first != NULL && *first == NULL); |
18639 | |
|
18640 | 0 | *first = ISC_LIST_HEAD(zmgr->zones); |
18641 | 0 | if (*first == NULL) { |
18642 | 0 | return (ISC_R_NOMORE); |
18643 | 0 | } else { |
18644 | 0 | return (ISC_R_SUCCESS); |
18645 | 0 | } |
18646 | 0 | } |
18647 | | |
18648 | | /*** |
18649 | | *** Zone manager. |
18650 | | ***/ |
18651 | | |
18652 | | static void |
18653 | 0 | zonemgr_keymgmt_init(dns_zonemgr_t *zmgr) { |
18654 | 0 | dns_keymgmt_t *mgmt = isc_mem_get(zmgr->mctx, sizeof(*mgmt)); |
18655 | |
|
18656 | 0 | *mgmt = (dns_keymgmt_t){ |
18657 | 0 | .magic = KEYMGMT_MAGIC, |
18658 | 0 | }; |
18659 | |
|
18660 | 0 | isc_mem_attach(zmgr->mctx, &mgmt->mctx); |
18661 | 0 | isc_rwlock_init(&mgmt->lock); |
18662 | 0 | isc_hashmap_create(mgmt->mctx, DNS_KEYMGMT_HASH_BITS, &mgmt->table); |
18663 | |
|
18664 | 0 | zmgr->keymgmt = mgmt; |
18665 | 0 | } |
18666 | | |
18667 | | static void |
18668 | 0 | zonemgr_keymgmt_destroy(dns_zonemgr_t *zmgr) { |
18669 | 0 | dns_keymgmt_t *mgmt = zmgr->keymgmt; |
18670 | |
|
18671 | 0 | REQUIRE(DNS_KEYMGMT_VALID(mgmt)); |
18672 | |
|
18673 | 0 | mgmt->magic = 0; |
18674 | |
|
18675 | 0 | RWLOCK(&mgmt->lock, isc_rwlocktype_write); |
18676 | 0 | INSIST(isc_hashmap_count(mgmt->table) == 0); |
18677 | 0 | RWUNLOCK(&mgmt->lock, isc_rwlocktype_write); |
18678 | 0 | isc_hashmap_destroy(&mgmt->table); |
18679 | |
|
18680 | 0 | isc_rwlock_destroy(&mgmt->lock); |
18681 | 0 | isc_mem_putanddetach(&mgmt->mctx, mgmt, sizeof(dns_keymgmt_t)); |
18682 | 0 | } |
18683 | | |
18684 | | static bool |
18685 | 0 | kfio_match(void *node, const void *key) { |
18686 | 0 | const dns_keyfileio_t *kfio = node; |
18687 | |
|
18688 | 0 | return (dns_name_equal(kfio->name, key)); |
18689 | 0 | } |
18690 | | |
18691 | | static void |
18692 | | zonemgr_keymgmt_add(dns_zonemgr_t *zmgr, dns_zone_t *zone, |
18693 | 0 | dns_keyfileio_t **added) { |
18694 | 0 | dns_keymgmt_t *mgmt = zmgr->keymgmt; |
18695 | 0 | dns_keyfileio_t *kfio = NULL; |
18696 | 0 | isc_result_t result; |
18697 | 0 | dns_fixedname_t fname; |
18698 | 0 | dns_name_t *name; |
18699 | |
|
18700 | 0 | REQUIRE(DNS_KEYMGMT_VALID(mgmt)); |
18701 | 0 | REQUIRE(added != NULL && *added == NULL); |
18702 | |
|
18703 | 0 | name = dns_fixedname_initname(&fname); |
18704 | 0 | dns_name_downcase(&zone->origin, name, NULL); |
18705 | |
|
18706 | 0 | RWLOCK(&mgmt->lock, isc_rwlocktype_write); |
18707 | |
|
18708 | 0 | result = isc_hashmap_find(mgmt->table, dns_name_hash(name), kfio_match, |
18709 | 0 | name, (void **)&kfio); |
18710 | 0 | switch (result) { |
18711 | 0 | case ISC_R_SUCCESS: |
18712 | 0 | isc_refcount_increment(&kfio->references); |
18713 | 0 | break; |
18714 | 0 | case ISC_R_NOTFOUND: |
18715 | 0 | kfio = isc_mem_get(mgmt->mctx, sizeof(*kfio)); |
18716 | 0 | *kfio = (dns_keyfileio_t){ |
18717 | 0 | .magic = KEYFILEIO_MAGIC, |
18718 | 0 | }; |
18719 | 0 | isc_refcount_init(&kfio->references, 1); |
18720 | 0 | kfio->name = dns_fixedname_initname(&kfio->fname); |
18721 | 0 | dns_name_copy(name, kfio->name); |
18722 | |
|
18723 | 0 | isc_mutex_init(&kfio->lock); |
18724 | 0 | result = isc_hashmap_add(mgmt->table, dns_name_hash(kfio->name), |
18725 | 0 | kfio_match, kfio->name, kfio, NULL); |
18726 | 0 | INSIST(result == ISC_R_SUCCESS); |
18727 | 0 | break; |
18728 | 0 | default: |
18729 | 0 | UNREACHABLE(); |
18730 | 0 | } |
18731 | 0 | *added = kfio; |
18732 | 0 | RWUNLOCK(&mgmt->lock, isc_rwlocktype_write); |
18733 | 0 | } |
18734 | | |
18735 | | static bool |
18736 | 0 | match_ptr(void *node, const void *key) { |
18737 | 0 | return (node == key); |
18738 | 0 | } |
18739 | | |
18740 | | static void |
18741 | 0 | zonemgr_keymgmt_delete(dns_zonemgr_t *zmgr, dns_keyfileio_t **deleted) { |
18742 | 0 | REQUIRE(DNS_KEYMGMT_VALID(zmgr->keymgmt)); |
18743 | 0 | REQUIRE(deleted != NULL && DNS_KEYFILEIO_VALID(*deleted)); |
18744 | |
|
18745 | 0 | dns_keymgmt_t *mgmt = zmgr->keymgmt; |
18746 | 0 | dns_keyfileio_t *kfio = *deleted; |
18747 | 0 | isc_result_t result; |
18748 | |
|
18749 | 0 | *deleted = NULL; |
18750 | |
|
18751 | 0 | RWLOCK(&mgmt->lock, isc_rwlocktype_write); |
18752 | |
|
18753 | 0 | if (isc_refcount_decrement(&kfio->references) == 1) { |
18754 | 0 | isc_refcount_destroy(&kfio->references); |
18755 | 0 | kfio->magic = 0; |
18756 | 0 | isc_mutex_destroy(&kfio->lock); |
18757 | |
|
18758 | 0 | result = isc_hashmap_delete(mgmt->table, |
18759 | 0 | dns_name_hash(kfio->name), |
18760 | 0 | match_ptr, kfio); |
18761 | 0 | INSIST(result == ISC_R_SUCCESS); |
18762 | |
|
18763 | 0 | isc_mem_put(mgmt->mctx, kfio, sizeof(*kfio)); |
18764 | 0 | } |
18765 | |
|
18766 | 0 | RWUNLOCK(&mgmt->lock, isc_rwlocktype_write); |
18767 | 0 | } |
18768 | | |
18769 | | void |
18770 | 0 | dns_zonemgr_create(isc_mem_t *mctx, isc_nm_t *netmgr, dns_zonemgr_t **zmgrp) { |
18771 | 0 | dns_zonemgr_t *zmgr = NULL; |
18772 | 0 | isc_loop_t *loop = isc_loop(); |
18773 | 0 | isc_loopmgr_t *loopmgr = isc_loop_getloopmgr(loop); |
18774 | |
|
18775 | 0 | REQUIRE(mctx != NULL); |
18776 | 0 | REQUIRE(netmgr != NULL); |
18777 | 0 | REQUIRE(zmgrp != NULL && *zmgrp == NULL); |
18778 | |
|
18779 | 0 | zmgr = isc_mem_get(mctx, sizeof(*zmgr)); |
18780 | |
|
18781 | 0 | *zmgr = (dns_zonemgr_t){ |
18782 | 0 | .loopmgr = loopmgr, |
18783 | 0 | .netmgr = netmgr, |
18784 | 0 | .workers = isc_loopmgr_nloops(loopmgr), |
18785 | 0 | .transfersin = 10, |
18786 | 0 | .transfersperns = 2, |
18787 | 0 | }; |
18788 | |
|
18789 | 0 | isc_refcount_init(&zmgr->refs, 1); |
18790 | 0 | isc_mem_attach(mctx, &zmgr->mctx); |
18791 | |
|
18792 | 0 | ISC_LIST_INIT(zmgr->zones); |
18793 | 0 | ISC_LIST_INIT(zmgr->waiting_for_xfrin); |
18794 | 0 | ISC_LIST_INIT(zmgr->xfrin_in_progress); |
18795 | 0 | memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable)); |
18796 | 0 | for (size_t i = 0; i < UNREACH_CACHE_SIZE; i++) { |
18797 | 0 | atomic_init(&zmgr->unreachable[i].expire, 0); |
18798 | 0 | } |
18799 | 0 | isc_rwlock_init(&zmgr->rwlock); |
18800 | | |
18801 | | /* Unreachable lock. */ |
18802 | 0 | isc_rwlock_init(&zmgr->urlock); |
18803 | |
|
18804 | 0 | isc_ratelimiter_create(loop, &zmgr->checkdsrl); |
18805 | 0 | isc_ratelimiter_create(loop, &zmgr->notifyrl); |
18806 | 0 | isc_ratelimiter_create(loop, &zmgr->refreshrl); |
18807 | 0 | isc_ratelimiter_create(loop, &zmgr->startupnotifyrl); |
18808 | 0 | isc_ratelimiter_create(loop, &zmgr->startuprefreshrl); |
18809 | |
|
18810 | 0 | zmgr->mctxpool = isc_mem_cget(zmgr->mctx, zmgr->workers, |
18811 | 0 | sizeof(zmgr->mctxpool[0])); |
18812 | 0 | for (size_t i = 0; i < zmgr->workers; i++) { |
18813 | 0 | isc_mem_create(&zmgr->mctxpool[i]); |
18814 | 0 | isc_mem_setname(zmgr->mctxpool[i], "zonemgr-mctxpool"); |
18815 | 0 | } |
18816 | | |
18817 | | /* Key file I/O locks. */ |
18818 | 0 | zonemgr_keymgmt_init(zmgr); |
18819 | | |
18820 | | /* Default to 20 refresh queries / notifies / checkds per second. */ |
18821 | 0 | setrl(zmgr->checkdsrl, &zmgr->checkdsrate, 20); |
18822 | 0 | setrl(zmgr->notifyrl, &zmgr->notifyrate, 20); |
18823 | 0 | setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, 20); |
18824 | 0 | setrl(zmgr->refreshrl, &zmgr->serialqueryrate, 20); |
18825 | 0 | setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, 20); |
18826 | 0 | isc_ratelimiter_setpushpop(zmgr->startupnotifyrl, true); |
18827 | 0 | isc_ratelimiter_setpushpop(zmgr->startuprefreshrl, true); |
18828 | |
|
18829 | 0 | zmgr->tlsctx_cache = NULL; |
18830 | 0 | isc_rwlock_init(&zmgr->tlsctx_cache_rwlock); |
18831 | |
|
18832 | 0 | zmgr->magic = ZONEMGR_MAGIC; |
18833 | |
|
18834 | 0 | *zmgrp = zmgr; |
18835 | 0 | } |
18836 | | |
18837 | | isc_result_t |
18838 | 0 | dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep) { |
18839 | 0 | isc_mem_t *mctx = NULL; |
18840 | 0 | dns_zone_t *zone = NULL; |
18841 | 0 | unsigned int tid; |
18842 | |
|
18843 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18844 | 0 | REQUIRE(zonep != NULL && *zonep == NULL); |
18845 | |
|
18846 | 0 | if (zmgr->mctxpool == NULL) { |
18847 | 0 | return (ISC_R_FAILURE); |
18848 | 0 | } |
18849 | | |
18850 | 0 | tid = isc_random_uniform(zmgr->workers); |
18851 | |
|
18852 | 0 | mctx = zmgr->mctxpool[tid]; |
18853 | 0 | if (mctx == NULL) { |
18854 | 0 | return (ISC_R_FAILURE); |
18855 | 0 | } |
18856 | | |
18857 | 0 | dns_zone_create(&zone, mctx, tid); |
18858 | |
|
18859 | 0 | *zonep = zone; |
18860 | |
|
18861 | 0 | return (ISC_R_SUCCESS); |
18862 | 0 | } |
18863 | | |
18864 | | isc_result_t |
18865 | 0 | dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) { |
18866 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18867 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18868 | |
|
18869 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18870 | 0 | LOCK_ZONE(zone); |
18871 | 0 | REQUIRE(zone->timer == NULL); |
18872 | 0 | REQUIRE(zone->zmgr == NULL); |
18873 | |
|
18874 | 0 | isc_loop_t *loop = isc_loop_get(zmgr->loopmgr, zone->tid); |
18875 | 0 | isc_loop_attach(loop, &zone->loop); |
18876 | |
|
18877 | 0 | zonemgr_keymgmt_add(zmgr, zone, &zone->kfio); |
18878 | 0 | INSIST(zone->kfio != NULL); |
18879 | |
|
18880 | 0 | ISC_LIST_APPEND(zmgr->zones, zone, link); |
18881 | 0 | zone->zmgr = zmgr; |
18882 | |
|
18883 | 0 | isc_refcount_increment(&zmgr->refs); |
18884 | |
|
18885 | 0 | UNLOCK_ZONE(zone); |
18886 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18887 | 0 | return (ISC_R_SUCCESS); |
18888 | 0 | } |
18889 | | |
18890 | | void |
18891 | 0 | dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) { |
18892 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
18893 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18894 | 0 | REQUIRE(zone->zmgr == zmgr); |
18895 | |
|
18896 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18897 | 0 | LOCK_ZONE(zone); |
18898 | |
|
18899 | 0 | ISC_LIST_UNLINK(zmgr->zones, zone, link); |
18900 | |
|
18901 | 0 | if (zone->kfio != NULL) { |
18902 | 0 | zonemgr_keymgmt_delete(zmgr, &zone->kfio); |
18903 | 0 | ENSURE(zone->kfio == NULL); |
18904 | 0 | } |
18905 | |
|
18906 | 0 | if (zone->timer != NULL) { |
18907 | 0 | isc_refcount_decrement(&zone->irefs); |
18908 | 0 | isc_timer_destroy(&zone->timer); |
18909 | 0 | } |
18910 | |
|
18911 | 0 | isc_loop_detach(&zone->loop); |
18912 | | |
18913 | | /* Detach below, outside of the write lock. */ |
18914 | 0 | zone->zmgr = NULL; |
18915 | |
|
18916 | 0 | UNLOCK_ZONE(zone); |
18917 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18918 | |
|
18919 | 0 | dns_zonemgr_detach(&zmgr); |
18920 | 0 | } |
18921 | | |
18922 | | void |
18923 | 0 | dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) { |
18924 | 0 | REQUIRE(DNS_ZONEMGR_VALID(source)); |
18925 | 0 | REQUIRE(target != NULL && *target == NULL); |
18926 | |
|
18927 | 0 | isc_refcount_increment(&source->refs); |
18928 | |
|
18929 | 0 | *target = source; |
18930 | 0 | } |
18931 | | |
18932 | | void |
18933 | 0 | dns_zonemgr_detach(dns_zonemgr_t **zmgrp) { |
18934 | 0 | dns_zonemgr_t *zmgr; |
18935 | |
|
18936 | 0 | REQUIRE(zmgrp != NULL); |
18937 | 0 | zmgr = *zmgrp; |
18938 | 0 | *zmgrp = NULL; |
18939 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18940 | |
|
18941 | 0 | if (isc_refcount_decrement(&zmgr->refs) == 1) { |
18942 | 0 | zonemgr_free(zmgr); |
18943 | 0 | } |
18944 | 0 | } |
18945 | | |
18946 | | isc_result_t |
18947 | 0 | dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) { |
18948 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18949 | |
|
18950 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
18951 | 0 | for (dns_zone_t *zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
18952 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
18953 | 0 | { |
18954 | 0 | isc_time_t now; |
18955 | |
|
18956 | 0 | LOCK_ZONE(zone); |
18957 | 0 | now = isc_time_now(); |
18958 | 0 | zone_settimer(zone, &now); |
18959 | 0 | UNLOCK_ZONE(zone); |
18960 | 0 | } |
18961 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
18962 | | |
18963 | | /* |
18964 | | * Recent configuration changes may have increased the |
18965 | | * amount of available transfers quota. Make sure any |
18966 | | * transfers currently blocked on quota get started if |
18967 | | * possible. |
18968 | | */ |
18969 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18970 | 0 | zmgr_resume_xfrs(zmgr, true); |
18971 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18972 | 0 | return (ISC_R_SUCCESS); |
18973 | 0 | } |
18974 | | |
18975 | | void |
18976 | 0 | dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) { |
18977 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18978 | |
|
18979 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18980 | 0 | zmgr_resume_xfrs(zmgr, true); |
18981 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
18982 | 0 | } |
18983 | | |
18984 | | void |
18985 | 0 | dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) { |
18986 | 0 | dns_zone_t *zone; |
18987 | |
|
18988 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
18989 | |
|
18990 | 0 | isc_ratelimiter_shutdown(zmgr->checkdsrl); |
18991 | 0 | isc_ratelimiter_shutdown(zmgr->notifyrl); |
18992 | 0 | isc_ratelimiter_shutdown(zmgr->refreshrl); |
18993 | 0 | isc_ratelimiter_shutdown(zmgr->startupnotifyrl); |
18994 | 0 | isc_ratelimiter_shutdown(zmgr->startuprefreshrl); |
18995 | |
|
18996 | 0 | for (size_t i = 0; i < zmgr->workers; i++) { |
18997 | 0 | isc_mem_detach(&zmgr->mctxpool[i]); |
18998 | 0 | } |
18999 | |
|
19000 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
19001 | 0 | for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
19002 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
19003 | 0 | { |
19004 | 0 | LOCK_ZONE(zone); |
19005 | 0 | forward_cancel(zone); |
19006 | 0 | UNLOCK_ZONE(zone); |
19007 | 0 | } |
19008 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
19009 | 0 | } |
19010 | | |
19011 | | static void |
19012 | 0 | zonemgr_free(dns_zonemgr_t *zmgr) { |
19013 | 0 | REQUIRE(ISC_LIST_EMPTY(zmgr->zones)); |
19014 | |
|
19015 | 0 | zmgr->magic = 0; |
19016 | |
|
19017 | 0 | isc_refcount_destroy(&zmgr->refs); |
19018 | 0 | isc_ratelimiter_detach(&zmgr->checkdsrl); |
19019 | 0 | isc_ratelimiter_detach(&zmgr->notifyrl); |
19020 | 0 | isc_ratelimiter_detach(&zmgr->refreshrl); |
19021 | 0 | isc_ratelimiter_detach(&zmgr->startupnotifyrl); |
19022 | 0 | isc_ratelimiter_detach(&zmgr->startuprefreshrl); |
19023 | |
|
19024 | 0 | isc_mem_cput(zmgr->mctx, zmgr->mctxpool, zmgr->workers, |
19025 | 0 | sizeof(zmgr->mctxpool[0])); |
19026 | |
|
19027 | 0 | isc_rwlock_destroy(&zmgr->urlock); |
19028 | 0 | isc_rwlock_destroy(&zmgr->rwlock); |
19029 | 0 | isc_rwlock_destroy(&zmgr->tlsctx_cache_rwlock); |
19030 | |
|
19031 | 0 | zonemgr_keymgmt_destroy(zmgr); |
19032 | |
|
19033 | 0 | if (zmgr->tlsctx_cache != NULL) { |
19034 | 0 | isc_tlsctx_cache_detach(&zmgr->tlsctx_cache); |
19035 | 0 | } |
19036 | 0 | isc_mem_putanddetach(&zmgr->mctx, zmgr, sizeof(*zmgr)); |
19037 | 0 | } |
19038 | | |
19039 | | void |
19040 | 0 | dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value) { |
19041 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19042 | |
|
19043 | 0 | zmgr->transfersin = value; |
19044 | 0 | } |
19045 | | |
19046 | | uint32_t |
19047 | 0 | dns_zonemgr_gettransfersin(dns_zonemgr_t *zmgr) { |
19048 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19049 | |
|
19050 | 0 | return (zmgr->transfersin); |
19051 | 0 | } |
19052 | | |
19053 | | void |
19054 | 0 | dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value) { |
19055 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19056 | |
|
19057 | 0 | zmgr->transfersperns = value; |
19058 | 0 | } |
19059 | | |
19060 | | uint32_t |
19061 | 0 | dns_zonemgr_gettransfersperns(dns_zonemgr_t *zmgr) { |
19062 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19063 | |
|
19064 | 0 | return (zmgr->transfersperns); |
19065 | 0 | } |
19066 | | |
19067 | | /* |
19068 | | * Try to start a new incoming zone transfer to fill a quota |
19069 | | * slot that was just vacated. |
19070 | | * |
19071 | | * Requires: |
19072 | | * The zone manager is locked by the caller. |
19073 | | */ |
19074 | | static void |
19075 | 0 | zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi) { |
19076 | 0 | dns_zone_t *zone; |
19077 | 0 | dns_zone_t *next; |
19078 | |
|
19079 | 0 | for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin); zone != NULL; |
19080 | 0 | zone = next) |
19081 | 0 | { |
19082 | 0 | isc_result_t result; |
19083 | 0 | next = ISC_LIST_NEXT(zone, statelink); |
19084 | 0 | result = zmgr_start_xfrin_ifquota(zmgr, zone); |
19085 | 0 | if (result == ISC_R_SUCCESS) { |
19086 | 0 | if (multi) { |
19087 | 0 | continue; |
19088 | 0 | } |
19089 | | /* |
19090 | | * We successfully filled the slot. We're done. |
19091 | | */ |
19092 | 0 | break; |
19093 | 0 | } else if (result == ISC_R_QUOTA) { |
19094 | | /* |
19095 | | * Not enough quota. This is probably the per-server |
19096 | | * quota, because we usually get called when a unit of |
19097 | | * global quota has just been freed. Try the next |
19098 | | * zone, it may succeed if it uses another primary. |
19099 | | */ |
19100 | 0 | continue; |
19101 | 0 | } else { |
19102 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, |
19103 | 0 | ISC_LOG_DEBUG(1), |
19104 | 0 | "starting zone transfer: %s", |
19105 | 0 | isc_result_totext(result)); |
19106 | 0 | break; |
19107 | 0 | } |
19108 | 0 | } |
19109 | 0 | } |
19110 | | |
19111 | | /* |
19112 | | * Try to start an incoming zone transfer for 'zone', quota permitting. |
19113 | | * |
19114 | | * Requires: |
19115 | | * The zone manager is locked by the caller. |
19116 | | * |
19117 | | * Returns: |
19118 | | * ISC_R_SUCCESS There was enough quota and we attempted to |
19119 | | * start a transfer. zone_xfrdone() has been or will |
19120 | | * be called. |
19121 | | * ISC_R_QUOTA Not enough quota. |
19122 | | * Others Failure. |
19123 | | */ |
19124 | | static isc_result_t |
19125 | 0 | zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) { |
19126 | 0 | dns_peer_t *peer = NULL; |
19127 | 0 | isc_netaddr_t primaryip; |
19128 | 0 | isc_sockaddr_t curraddr; |
19129 | 0 | uint32_t nxfrsin, nxfrsperns; |
19130 | 0 | dns_zone_t *x = NULL; |
19131 | 0 | uint32_t maxtransfersin, maxtransfersperns; |
19132 | | |
19133 | | /* |
19134 | | * If we are exiting just pretend we got quota so the zone will |
19135 | | * be cleaned up in the zone's loop context. |
19136 | | */ |
19137 | 0 | LOCK_ZONE(zone); |
19138 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
19139 | 0 | UNLOCK_ZONE(zone); |
19140 | 0 | goto gotquota; |
19141 | 0 | } |
19142 | | |
19143 | | /* |
19144 | | * Find any configured information about the server we'd |
19145 | | * like to transfer this zone from. |
19146 | | */ |
19147 | 0 | curraddr = dns_remote_curraddr(&zone->primaries); |
19148 | 0 | isc_netaddr_fromsockaddr(&primaryip, &curraddr); |
19149 | 0 | (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer); |
19150 | 0 | UNLOCK_ZONE(zone); |
19151 | | |
19152 | | /* |
19153 | | * Determine the total maximum number of simultaneous |
19154 | | * transfers allowed, and the maximum for this specific |
19155 | | * primary. |
19156 | | */ |
19157 | 0 | maxtransfersin = zmgr->transfersin; |
19158 | 0 | maxtransfersperns = zmgr->transfersperns; |
19159 | 0 | if (peer != NULL) { |
19160 | 0 | (void)dns_peer_gettransfers(peer, &maxtransfersperns); |
19161 | 0 | } |
19162 | | |
19163 | | /* |
19164 | | * Count the total number of transfers that are in progress, |
19165 | | * and the number of transfers in progress from this primary. |
19166 | | * We linearly scan a list of all transfers; if this turns |
19167 | | * out to be too slow, we could hash on the primary address. |
19168 | | */ |
19169 | 0 | nxfrsin = nxfrsperns = 0; |
19170 | 0 | for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress); x != NULL; |
19171 | 0 | x = ISC_LIST_NEXT(x, statelink)) |
19172 | 0 | { |
19173 | 0 | isc_netaddr_t xip; |
19174 | 0 | isc_sockaddr_t xaddr; |
19175 | |
|
19176 | 0 | LOCK_ZONE(x); |
19177 | 0 | xaddr = dns_remote_curraddr(&x->primaries); |
19178 | 0 | isc_netaddr_fromsockaddr(&xip, &xaddr); |
19179 | 0 | UNLOCK_ZONE(x); |
19180 | |
|
19181 | 0 | nxfrsin++; |
19182 | 0 | if (isc_netaddr_equal(&xip, &primaryip)) { |
19183 | 0 | nxfrsperns++; |
19184 | 0 | } |
19185 | 0 | } |
19186 | | |
19187 | | /* Enforce quota. */ |
19188 | 0 | if (nxfrsin >= maxtransfersin) { |
19189 | 0 | return (ISC_R_QUOTA); |
19190 | 0 | } |
19191 | | |
19192 | 0 | if (nxfrsperns >= maxtransfersperns) { |
19193 | 0 | return (ISC_R_QUOTA); |
19194 | 0 | } |
19195 | | |
19196 | 0 | gotquota: |
19197 | | /* |
19198 | | * We have sufficient quota. Move the zone to the "xfrin_in_progress" |
19199 | | * list and start the actual transfer asynchronously. |
19200 | | */ |
19201 | 0 | LOCK_ZONE(zone); |
19202 | 0 | INSIST(zone->statelist == &zmgr->waiting_for_xfrin); |
19203 | 0 | ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink); |
19204 | 0 | ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink); |
19205 | 0 | zone->statelist = &zmgr->xfrin_in_progress; |
19206 | 0 | isc_async_run(zone->loop, got_transfer_quota, zone); |
19207 | 0 | dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, |
19208 | 0 | "Transfer started."); |
19209 | 0 | UNLOCK_ZONE(zone); |
19210 | |
|
19211 | 0 | return (ISC_R_SUCCESS); |
19212 | 0 | } |
19213 | | |
19214 | | static void |
19215 | 0 | zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) { |
19216 | 0 | char *buf; |
19217 | 0 | int buflen; |
19218 | 0 | isc_result_t result; |
19219 | |
|
19220 | 0 | buflen = strlen(path) + strlen(templat) + 2; |
19221 | |
|
19222 | 0 | buf = isc_mem_get(zone->mctx, buflen); |
19223 | |
|
19224 | 0 | result = isc_file_template(path, templat, buf, buflen); |
19225 | 0 | if (result != ISC_R_SUCCESS) { |
19226 | 0 | goto cleanup; |
19227 | 0 | } |
19228 | | |
19229 | 0 | result = isc_file_renameunique(path, buf); |
19230 | 0 | if (result != ISC_R_SUCCESS) { |
19231 | 0 | goto cleanup; |
19232 | 0 | } |
19233 | | |
19234 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
19235 | 0 | "unable to load from '%s'; " |
19236 | 0 | "renaming file to '%s' for failure analysis and " |
19237 | 0 | "retransferring.", |
19238 | 0 | path, buf); |
19239 | |
|
19240 | 0 | cleanup: |
19241 | 0 | isc_mem_put(zone->mctx, buf, buflen); |
19242 | 0 | } |
19243 | | |
19244 | | static void |
19245 | 0 | setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value) { |
19246 | 0 | isc_interval_t interval; |
19247 | 0 | uint32_t s, ns; |
19248 | 0 | uint32_t pertic; |
19249 | |
|
19250 | 0 | if (value == 0) { |
19251 | 0 | value = 1; |
19252 | 0 | } |
19253 | |
|
19254 | 0 | if (value == 1) { |
19255 | 0 | s = 1; |
19256 | 0 | ns = 0; |
19257 | 0 | pertic = 1; |
19258 | 0 | } else if (value <= 10) { |
19259 | 0 | s = 0; |
19260 | 0 | ns = 1000000000 / value; |
19261 | 0 | pertic = 1; |
19262 | 0 | } else { |
19263 | 0 | s = 0; |
19264 | 0 | ns = (1000000000 / value) * 10; |
19265 | 0 | pertic = 10; |
19266 | 0 | } |
19267 | |
|
19268 | 0 | isc_interval_set(&interval, s, ns); |
19269 | |
|
19270 | 0 | isc_ratelimiter_setinterval(rl, &interval); |
19271 | 0 | isc_ratelimiter_setpertic(rl, pertic); |
19272 | |
|
19273 | 0 | *rate = value; |
19274 | 0 | } |
19275 | | |
19276 | | void |
19277 | 0 | dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value) { |
19278 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19279 | |
|
19280 | 0 | setrl(zmgr->checkdsrl, &zmgr->checkdsrate, value); |
19281 | 0 | } |
19282 | | |
19283 | | void |
19284 | 0 | dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) { |
19285 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19286 | |
|
19287 | 0 | setrl(zmgr->notifyrl, &zmgr->notifyrate, value); |
19288 | 0 | } |
19289 | | |
19290 | | void |
19291 | 0 | dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) { |
19292 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19293 | |
|
19294 | 0 | setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, value); |
19295 | 0 | } |
19296 | | |
19297 | | void |
19298 | 0 | dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) { |
19299 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19300 | |
|
19301 | 0 | setrl(zmgr->refreshrl, &zmgr->serialqueryrate, value); |
19302 | | /* XXXMPA separate out once we have the code to support this. */ |
19303 | 0 | setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, value); |
19304 | 0 | } |
19305 | | |
19306 | | unsigned int |
19307 | 0 | dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr) { |
19308 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19309 | |
|
19310 | 0 | return (zmgr->notifyrate); |
19311 | 0 | } |
19312 | | |
19313 | | unsigned int |
19314 | 0 | dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr) { |
19315 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19316 | |
|
19317 | 0 | return (zmgr->startupnotifyrate); |
19318 | 0 | } |
19319 | | |
19320 | | unsigned int |
19321 | 0 | dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) { |
19322 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19323 | |
|
19324 | 0 | return (zmgr->serialqueryrate); |
19325 | 0 | } |
19326 | | |
19327 | | bool |
19328 | | dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote, |
19329 | 0 | isc_sockaddr_t *local, isc_time_t *now) { |
19330 | 0 | unsigned int i; |
19331 | 0 | uint32_t seconds = isc_time_seconds(now); |
19332 | 0 | uint32_t count = 0; |
19333 | |
|
19334 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19335 | |
|
19336 | 0 | RWLOCK(&zmgr->urlock, isc_rwlocktype_read); |
19337 | 0 | for (i = 0; i < UNREACH_CACHE_SIZE; i++) { |
19338 | 0 | if (atomic_load(&zmgr->unreachable[i].expire) >= seconds && |
19339 | 0 | isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) && |
19340 | 0 | isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) |
19341 | 0 | { |
19342 | 0 | atomic_store_relaxed(&zmgr->unreachable[i].last, |
19343 | 0 | seconds); |
19344 | 0 | count = zmgr->unreachable[i].count; |
19345 | 0 | break; |
19346 | 0 | } |
19347 | 0 | } |
19348 | 0 | RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read); |
19349 | 0 | return (i < UNREACH_CACHE_SIZE && count > 1U); |
19350 | 0 | } |
19351 | | |
19352 | | void |
19353 | | dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote, |
19354 | 0 | isc_sockaddr_t *local) { |
19355 | 0 | unsigned int i; |
19356 | 0 | char primary[ISC_SOCKADDR_FORMATSIZE]; |
19357 | 0 | char source[ISC_SOCKADDR_FORMATSIZE]; |
19358 | |
|
19359 | 0 | isc_sockaddr_format(remote, primary, sizeof(primary)); |
19360 | 0 | isc_sockaddr_format(local, source, sizeof(source)); |
19361 | |
|
19362 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19363 | |
|
19364 | 0 | RWLOCK(&zmgr->urlock, isc_rwlocktype_read); |
19365 | 0 | for (i = 0; i < UNREACH_CACHE_SIZE; i++) { |
19366 | 0 | if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) && |
19367 | 0 | isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) |
19368 | 0 | { |
19369 | 0 | atomic_store_relaxed(&zmgr->unreachable[i].expire, 0); |
19370 | 0 | break; |
19371 | 0 | } |
19372 | 0 | } |
19373 | 0 | RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read); |
19374 | 0 | } |
19375 | | |
19376 | | void |
19377 | | dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote, |
19378 | 0 | isc_sockaddr_t *local, isc_time_t *now) { |
19379 | 0 | uint32_t seconds = isc_time_seconds(now); |
19380 | 0 | uint32_t expire = 0, last = seconds; |
19381 | 0 | unsigned int slot = UNREACH_CACHE_SIZE, oldest = 0; |
19382 | 0 | bool update_entry = true; |
19383 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19384 | |
|
19385 | 0 | RWLOCK(&zmgr->urlock, isc_rwlocktype_write); |
19386 | 0 | for (unsigned int i = 0; i < UNREACH_CACHE_SIZE; i++) { |
19387 | | /* Existing entry? */ |
19388 | 0 | if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) && |
19389 | 0 | isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) |
19390 | 0 | { |
19391 | 0 | update_entry = false; |
19392 | 0 | slot = i; |
19393 | 0 | expire = atomic_load_relaxed( |
19394 | 0 | &zmgr->unreachable[i].expire); |
19395 | 0 | break; |
19396 | 0 | } |
19397 | | /* Pick first empty slot? */ |
19398 | 0 | if (atomic_load_relaxed(&zmgr->unreachable[i].expire) < seconds) |
19399 | 0 | { |
19400 | 0 | slot = i; |
19401 | 0 | break; |
19402 | 0 | } |
19403 | | /* The worst case, least recently used slot? */ |
19404 | 0 | if (atomic_load_relaxed(&zmgr->unreachable[i].last) < last) { |
19405 | 0 | last = atomic_load_relaxed(&zmgr->unreachable[i].last); |
19406 | 0 | oldest = i; |
19407 | 0 | } |
19408 | 0 | } |
19409 | | |
19410 | | /* We haven't found any existing or free slots, use the oldest */ |
19411 | 0 | if (slot == UNREACH_CACHE_SIZE) { |
19412 | 0 | slot = oldest; |
19413 | 0 | } |
19414 | |
|
19415 | 0 | if (expire < seconds) { |
19416 | | /* Expired or new entry, reset count to 1 */ |
19417 | 0 | zmgr->unreachable[slot].count = 1; |
19418 | 0 | } else { |
19419 | 0 | zmgr->unreachable[slot].count++; |
19420 | 0 | } |
19421 | 0 | atomic_store_relaxed(&zmgr->unreachable[slot].expire, |
19422 | 0 | seconds + UNREACH_HOLD_TIME); |
19423 | 0 | atomic_store_relaxed(&zmgr->unreachable[slot].last, seconds); |
19424 | 0 | if (update_entry) { |
19425 | 0 | zmgr->unreachable[slot].remote = *remote; |
19426 | 0 | zmgr->unreachable[slot].local = *local; |
19427 | 0 | } |
19428 | |
|
19429 | 0 | RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write); |
19430 | 0 | } |
19431 | | |
19432 | | void |
19433 | 0 | dns_zone_forcereload(dns_zone_t *zone) { |
19434 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19435 | |
|
19436 | 0 | if (zone->type == dns_zone_primary || |
19437 | 0 | (zone->type == dns_zone_redirect && |
19438 | 0 | dns_remote_addresses(&zone->primaries) == NULL)) |
19439 | 0 | { |
19440 | 0 | return; |
19441 | 0 | } |
19442 | | |
19443 | 0 | LOCK_ZONE(zone); |
19444 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER); |
19445 | 0 | UNLOCK_ZONE(zone); |
19446 | 0 | dns_zone_refresh(zone); |
19447 | 0 | } |
19448 | | |
19449 | | bool |
19450 | 0 | dns_zone_isforced(dns_zone_t *zone) { |
19451 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19452 | |
|
19453 | 0 | return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)); |
19454 | 0 | } |
19455 | | |
19456 | | isc_result_t |
19457 | 0 | dns_zone_setstatistics(dns_zone_t *zone, bool on) { |
19458 | | /* |
19459 | | * This function is obsoleted. |
19460 | | */ |
19461 | 0 | UNUSED(zone); |
19462 | 0 | UNUSED(on); |
19463 | 0 | return (ISC_R_NOTIMPLEMENTED); |
19464 | 0 | } |
19465 | | |
19466 | | uint64_t * |
19467 | 0 | dns_zone_getstatscounters(dns_zone_t *zone) { |
19468 | | /* |
19469 | | * This function is obsoleted. |
19470 | | */ |
19471 | 0 | UNUSED(zone); |
19472 | 0 | return (NULL); |
19473 | 0 | } |
19474 | | |
19475 | | void |
19476 | 0 | dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) { |
19477 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19478 | 0 | REQUIRE(zone->stats == NULL); |
19479 | |
|
19480 | 0 | LOCK_ZONE(zone); |
19481 | 0 | zone->stats = NULL; |
19482 | 0 | isc_stats_attach(stats, &zone->stats); |
19483 | 0 | UNLOCK_ZONE(zone); |
19484 | 0 | } |
19485 | | |
19486 | | void |
19487 | 0 | dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) { |
19488 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19489 | |
|
19490 | 0 | LOCK_ZONE(zone); |
19491 | 0 | if (zone->requeststats_on && stats == NULL) { |
19492 | 0 | zone->requeststats_on = false; |
19493 | 0 | } else if (!zone->requeststats_on && stats != NULL) { |
19494 | 0 | if (zone->requeststats == NULL) { |
19495 | 0 | isc_stats_attach(stats, &zone->requeststats); |
19496 | 0 | } |
19497 | 0 | zone->requeststats_on = true; |
19498 | 0 | } |
19499 | 0 | UNLOCK_ZONE(zone); |
19500 | 0 | } |
19501 | | |
19502 | | void |
19503 | 0 | dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) { |
19504 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19505 | |
|
19506 | 0 | LOCK_ZONE(zone); |
19507 | 0 | if (zone->requeststats_on && stats != NULL) { |
19508 | 0 | if (zone->rcvquerystats == NULL) { |
19509 | 0 | dns_stats_attach(stats, &zone->rcvquerystats); |
19510 | 0 | zone->requeststats_on = true; |
19511 | 0 | } |
19512 | 0 | } |
19513 | 0 | UNLOCK_ZONE(zone); |
19514 | 0 | } |
19515 | | |
19516 | | void |
19517 | 0 | dns_zone_setdnssecsignstats(dns_zone_t *zone, dns_stats_t *stats) { |
19518 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19519 | |
|
19520 | 0 | LOCK_ZONE(zone); |
19521 | 0 | if (stats != NULL && zone->dnssecsignstats == NULL) { |
19522 | 0 | dns_stats_attach(stats, &zone->dnssecsignstats); |
19523 | 0 | } |
19524 | 0 | UNLOCK_ZONE(zone); |
19525 | 0 | } |
19526 | | |
19527 | | dns_stats_t * |
19528 | 0 | dns_zone_getdnssecsignstats(dns_zone_t *zone) { |
19529 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19530 | |
|
19531 | 0 | return (zone->dnssecsignstats); |
19532 | 0 | } |
19533 | | |
19534 | | isc_stats_t * |
19535 | 0 | dns_zone_getrequeststats(dns_zone_t *zone) { |
19536 | | /* |
19537 | | * We don't lock zone for efficiency reason. This is not catastrophic |
19538 | | * because requeststats must always be valid when requeststats_on is |
19539 | | * true. |
19540 | | * Some counters may be incremented while requeststats_on is becoming |
19541 | | * false, or some cannot be incremented just after the statistics are |
19542 | | * installed, but it shouldn't matter much in practice. |
19543 | | */ |
19544 | 0 | if (zone->requeststats_on) { |
19545 | 0 | return (zone->requeststats); |
19546 | 0 | } else { |
19547 | 0 | return (NULL); |
19548 | 0 | } |
19549 | 0 | } |
19550 | | |
19551 | | /* |
19552 | | * Return the received query stats bucket |
19553 | | * see note from dns_zone_getrequeststats() |
19554 | | */ |
19555 | | dns_stats_t * |
19556 | 0 | dns_zone_getrcvquerystats(dns_zone_t *zone) { |
19557 | 0 | if (zone->requeststats_on) { |
19558 | 0 | return (zone->rcvquerystats); |
19559 | 0 | } else { |
19560 | 0 | return (NULL); |
19561 | 0 | } |
19562 | 0 | } |
19563 | | |
19564 | | void |
19565 | 0 | dns_zone_dialup(dns_zone_t *zone) { |
19566 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19567 | |
|
19568 | 0 | zone_debuglog(zone, __func__, 3, "notify = %d, refresh = %d", |
19569 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY), |
19570 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)); |
19571 | |
|
19572 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) { |
19573 | 0 | dns_zone_notify(zone); |
19574 | 0 | } |
19575 | 0 | if (zone->type != dns_zone_primary && |
19576 | 0 | dns_remote_addresses(&zone->primaries) != NULL && |
19577 | 0 | DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) |
19578 | 0 | { |
19579 | 0 | dns_zone_refresh(zone); |
19580 | 0 | } |
19581 | 0 | } |
19582 | | |
19583 | | void |
19584 | 0 | dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) { |
19585 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19586 | |
|
19587 | 0 | LOCK_ZONE(zone); |
19588 | 0 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY | |
19589 | 0 | DNS_ZONEFLG_DIALREFRESH | |
19590 | 0 | DNS_ZONEFLG_NOREFRESH); |
19591 | 0 | switch (dialup) { |
19592 | 0 | case dns_dialuptype_no: |
19593 | 0 | break; |
19594 | 0 | case dns_dialuptype_yes: |
19595 | 0 | DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY | |
19596 | 0 | DNS_ZONEFLG_DIALREFRESH | |
19597 | 0 | DNS_ZONEFLG_NOREFRESH)); |
19598 | 0 | break; |
19599 | 0 | case dns_dialuptype_notify: |
19600 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY); |
19601 | 0 | break; |
19602 | 0 | case dns_dialuptype_notifypassive: |
19603 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY); |
19604 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH); |
19605 | 0 | break; |
19606 | 0 | case dns_dialuptype_refresh: |
19607 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH); |
19608 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH); |
19609 | 0 | break; |
19610 | 0 | case dns_dialuptype_passive: |
19611 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH); |
19612 | 0 | break; |
19613 | 0 | default: |
19614 | 0 | UNREACHABLE(); |
19615 | 0 | } |
19616 | 0 | UNLOCK_ZONE(zone); |
19617 | 0 | } |
19618 | | |
19619 | | isc_result_t |
19620 | 2 | dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) { |
19621 | 2 | isc_result_t result = ISC_R_SUCCESS; |
19622 | | |
19623 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
19624 | | |
19625 | 2 | LOCK_ZONE(zone); |
19626 | 2 | result = dns_zone_setstring(zone, &zone->keydirectory, directory); |
19627 | 2 | UNLOCK_ZONE(zone); |
19628 | | |
19629 | 2 | return (result); |
19630 | 2 | } |
19631 | | |
19632 | | const char * |
19633 | 0 | dns_zone_getkeydirectory(dns_zone_t *zone) { |
19634 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19635 | |
|
19636 | 0 | return (zone->keydirectory); |
19637 | 0 | } |
19638 | | |
19639 | | void |
19640 | 0 | dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores) { |
19641 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19642 | |
|
19643 | 0 | LOCK_ZONE(zone); |
19644 | 0 | zone->keystores = keystores; |
19645 | 0 | UNLOCK_ZONE(zone); |
19646 | 0 | } |
19647 | | |
19648 | | dns_keystorelist_t * |
19649 | 0 | dns_zone_getkeystores(dns_zone_t *zone) { |
19650 | 0 | dns_keystorelist_t *ks = NULL; |
19651 | |
|
19652 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19653 | |
|
19654 | 0 | LOCK_ZONE(zone); |
19655 | 0 | if (inline_raw(zone) && zone->secure != NULL) { |
19656 | 0 | ks = zone->secure->keystores; |
19657 | 0 | } else { |
19658 | 0 | ks = zone->keystores; |
19659 | 0 | } |
19660 | 0 | UNLOCK_ZONE(zone); |
19661 | |
|
19662 | 0 | return (ks); |
19663 | 0 | } |
19664 | | |
19665 | | unsigned int |
19666 | 0 | dns_zonemgr_getcount(dns_zonemgr_t *zmgr, dns_zonestate_t state) { |
19667 | 0 | dns_zone_t *zone; |
19668 | 0 | unsigned int count = 0; |
19669 | |
|
19670 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
19671 | |
|
19672 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
19673 | 0 | switch (state) { |
19674 | 0 | case DNS_ZONESTATE_XFERRUNNING: |
19675 | 0 | for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress); |
19676 | 0 | zone != NULL; zone = ISC_LIST_NEXT(zone, statelink)) |
19677 | 0 | { |
19678 | 0 | count++; |
19679 | 0 | } |
19680 | 0 | break; |
19681 | 0 | case DNS_ZONESTATE_XFERDEFERRED: |
19682 | 0 | for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin); |
19683 | 0 | zone != NULL; zone = ISC_LIST_NEXT(zone, statelink)) |
19684 | 0 | { |
19685 | 0 | count++; |
19686 | 0 | } |
19687 | 0 | break; |
19688 | 0 | case DNS_ZONESTATE_XFERFIRSTREFRESH: |
19689 | 0 | for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
19690 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
19691 | 0 | { |
19692 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH)) { |
19693 | 0 | count++; |
19694 | 0 | } |
19695 | 0 | } |
19696 | 0 | break; |
19697 | 0 | case DNS_ZONESTATE_SOAQUERY: |
19698 | 0 | for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
19699 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
19700 | 0 | { |
19701 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) { |
19702 | 0 | count++; |
19703 | 0 | } |
19704 | 0 | } |
19705 | 0 | break; |
19706 | 0 | case DNS_ZONESTATE_ANY: |
19707 | 0 | for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
19708 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
19709 | 0 | { |
19710 | 0 | dns_view_t *view = zone->view; |
19711 | 0 | if (view != NULL && strcmp(view->name, "_bind") == 0) { |
19712 | 0 | continue; |
19713 | 0 | } |
19714 | 0 | count++; |
19715 | 0 | } |
19716 | 0 | break; |
19717 | 0 | case DNS_ZONESTATE_AUTOMATIC: |
19718 | 0 | for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL; |
19719 | 0 | zone = ISC_LIST_NEXT(zone, link)) |
19720 | 0 | { |
19721 | 0 | dns_view_t *view = zone->view; |
19722 | 0 | if (view != NULL && strcmp(view->name, "_bind") == 0) { |
19723 | 0 | continue; |
19724 | 0 | } |
19725 | 0 | if (zone->automatic) { |
19726 | 0 | count++; |
19727 | 0 | } |
19728 | 0 | } |
19729 | 0 | break; |
19730 | 0 | default: |
19731 | 0 | UNREACHABLE(); |
19732 | 0 | } |
19733 | | |
19734 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read); |
19735 | |
|
19736 | 0 | return (count); |
19737 | 0 | } |
19738 | | |
19739 | | isc_result_t |
19740 | | dns_zone_getxfr(dns_zone_t *zone, dns_xfrin_t **xfrp, bool *is_firstrefresh, |
19741 | | bool *is_running, bool *is_deferred, bool *is_presoa, |
19742 | 0 | bool *is_pending, bool *needs_refresh) { |
19743 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19744 | 0 | REQUIRE(xfrp != NULL && *xfrp == NULL); |
19745 | |
|
19746 | 0 | if (zone->zmgr == NULL) { |
19747 | 0 | return (ISC_R_FAILURE); |
19748 | 0 | } |
19749 | | |
19750 | | /* Reset. */ |
19751 | 0 | *is_firstrefresh = false; |
19752 | 0 | *is_running = false; |
19753 | 0 | *is_deferred = false; |
19754 | 0 | *is_presoa = false; |
19755 | 0 | *is_pending = false; |
19756 | 0 | *needs_refresh = false; |
19757 | |
|
19758 | 0 | RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read); |
19759 | 0 | LOCK_ZONE(zone); |
19760 | 0 | *is_firstrefresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH); |
19761 | 0 | if (zone->xfr != NULL) { |
19762 | 0 | dns_xfrin_attach(zone->xfr, xfrp); |
19763 | 0 | } |
19764 | 0 | if (zone->statelist == &zone->zmgr->xfrin_in_progress) { |
19765 | 0 | *is_running = true; |
19766 | | /* |
19767 | | * The NEEDREFRESH flag is set only when a notify was received |
19768 | | * while the current zone transfer is running. |
19769 | | */ |
19770 | 0 | *needs_refresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH); |
19771 | 0 | } else if (zone->statelist == &zone->zmgr->waiting_for_xfrin) { |
19772 | 0 | *is_deferred = true; |
19773 | 0 | } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) { |
19774 | 0 | if (zone->request != NULL) { |
19775 | 0 | *is_presoa = true; |
19776 | 0 | } else { |
19777 | 0 | *is_pending = true; |
19778 | 0 | } |
19779 | 0 | } else { |
19780 | | /* |
19781 | | * No operation is ongoing or pending, just check if the zone |
19782 | | * needs a refresh by looking at the refresh and expire times. |
19783 | | */ |
19784 | 0 | if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) && |
19785 | 0 | (zone->type == dns_zone_secondary || |
19786 | 0 | zone->type == dns_zone_mirror || |
19787 | 0 | zone->type == dns_zone_stub)) |
19788 | 0 | { |
19789 | 0 | isc_time_t now = isc_time_now(); |
19790 | 0 | if (isc_time_compare(&now, &zone->refreshtime) >= 0 || |
19791 | 0 | isc_time_compare(&now, &zone->expiretime) >= 0) |
19792 | 0 | { |
19793 | 0 | *needs_refresh = true; |
19794 | 0 | } |
19795 | 0 | } |
19796 | 0 | } |
19797 | 0 | UNLOCK_ZONE(zone); |
19798 | 0 | RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read); |
19799 | |
|
19800 | 0 | return (ISC_R_SUCCESS); |
19801 | 0 | } |
19802 | | |
19803 | | void |
19804 | 0 | dns_zone_lock_keyfiles(dns_zone_t *zone) { |
19805 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19806 | |
|
19807 | 0 | if (zone->kasp == NULL) { |
19808 | | /* No need to lock, nothing is writing key files. */ |
19809 | 0 | return; |
19810 | 0 | } |
19811 | | |
19812 | 0 | REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio)); |
19813 | 0 | isc_mutex_lock(&zone->kfio->lock); |
19814 | 0 | } |
19815 | | |
19816 | | void |
19817 | 0 | dns_zone_unlock_keyfiles(dns_zone_t *zone) { |
19818 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19819 | |
|
19820 | 0 | if (zone->kasp == NULL) { |
19821 | | /* No need to lock, nothing is writing key files. */ |
19822 | 0 | return; |
19823 | 0 | } |
19824 | | |
19825 | 0 | REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio)); |
19826 | 0 | isc_mutex_unlock(&zone->kfio->lock); |
19827 | 0 | } |
19828 | | |
19829 | | isc_result_t |
19830 | | dns_zone_checknames(dns_zone_t *zone, const dns_name_t *name, |
19831 | 0 | dns_rdata_t *rdata) { |
19832 | 0 | bool ok = true; |
19833 | 0 | bool fail = false; |
19834 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
19835 | 0 | char namebuf2[DNS_NAME_FORMATSIZE]; |
19836 | 0 | char typebuf[DNS_RDATATYPE_FORMATSIZE]; |
19837 | 0 | int level = ISC_LOG_WARNING; |
19838 | 0 | dns_name_t bad; |
19839 | |
|
19840 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19841 | |
|
19842 | 0 | if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES) && |
19843 | 0 | rdata->type != dns_rdatatype_nsec3) |
19844 | 0 | { |
19845 | 0 | return (ISC_R_SUCCESS); |
19846 | 0 | } |
19847 | | |
19848 | 0 | if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL) || |
19849 | 0 | rdata->type == dns_rdatatype_nsec3) |
19850 | 0 | { |
19851 | 0 | level = ISC_LOG_ERROR; |
19852 | 0 | fail = true; |
19853 | 0 | } |
19854 | |
|
19855 | 0 | ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, true); |
19856 | 0 | if (!ok) { |
19857 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
19858 | 0 | dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf)); |
19859 | 0 | dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf, |
19860 | 0 | isc_result_totext(DNS_R_BADOWNERNAME)); |
19861 | 0 | if (fail) { |
19862 | 0 | return (DNS_R_BADOWNERNAME); |
19863 | 0 | } |
19864 | 0 | } |
19865 | | |
19866 | 0 | dns_name_init(&bad, NULL); |
19867 | 0 | ok = dns_rdata_checknames(rdata, name, &bad); |
19868 | 0 | if (!ok) { |
19869 | 0 | dns_name_format(name, namebuf, sizeof(namebuf)); |
19870 | 0 | dns_name_format(&bad, namebuf2, sizeof(namebuf2)); |
19871 | 0 | dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf)); |
19872 | 0 | dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf, |
19873 | 0 | namebuf2, isc_result_totext(DNS_R_BADNAME)); |
19874 | 0 | if (fail) { |
19875 | 0 | return (DNS_R_BADNAME); |
19876 | 0 | } |
19877 | 0 | } |
19878 | | |
19879 | 0 | return (ISC_R_SUCCESS); |
19880 | 0 | } |
19881 | | |
19882 | | void |
19883 | 0 | dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) { |
19884 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19885 | 0 | zone->checkmx = checkmx; |
19886 | 0 | } |
19887 | | |
19888 | | void |
19889 | 0 | dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) { |
19890 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19891 | 0 | zone->checksrv = checksrv; |
19892 | 0 | } |
19893 | | |
19894 | | void |
19895 | 0 | dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) { |
19896 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19897 | 0 | zone->checkns = checkns; |
19898 | 0 | } |
19899 | | |
19900 | | void |
19901 | 0 | dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) { |
19902 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19903 | |
|
19904 | 0 | LOCK_ZONE(zone); |
19905 | 0 | zone->isself = isself; |
19906 | 0 | zone->isselfarg = arg; |
19907 | 0 | UNLOCK_ZONE(zone); |
19908 | 0 | } |
19909 | | |
19910 | | void |
19911 | 0 | dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay) { |
19912 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19913 | |
|
19914 | 0 | LOCK_ZONE(zone); |
19915 | 0 | zone->notifydelay = delay; |
19916 | 0 | UNLOCK_ZONE(zone); |
19917 | 0 | } |
19918 | | |
19919 | | uint32_t |
19920 | 0 | dns_zone_getnotifydelay(dns_zone_t *zone) { |
19921 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19922 | |
|
19923 | 0 | return (zone->notifydelay); |
19924 | 0 | } |
19925 | | |
19926 | | isc_result_t |
19927 | | dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid, |
19928 | 0 | bool deleteit) { |
19929 | 0 | isc_result_t result; |
19930 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19931 | |
|
19932 | 0 | dnssec_log(zone, ISC_LOG_NOTICE, |
19933 | 0 | "dns_zone_signwithkey(algorithm=%u, keyid=%u)", algorithm, |
19934 | 0 | keyid); |
19935 | 0 | LOCK_ZONE(zone); |
19936 | 0 | result = zone_signwithkey(zone, algorithm, keyid, deleteit); |
19937 | 0 | UNLOCK_ZONE(zone); |
19938 | |
|
19939 | 0 | return (result); |
19940 | 0 | } |
19941 | | |
19942 | | /* |
19943 | | * Called when a dynamic update for an NSEC3PARAM record is received. |
19944 | | * |
19945 | | * If set, transform the NSEC3 salt into human-readable form so that it can be |
19946 | | * logged. Then call zone_addnsec3chain(), passing NSEC3PARAM RDATA to it. |
19947 | | */ |
19948 | | isc_result_t |
19949 | 0 | dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { |
19950 | 0 | isc_result_t result; |
19951 | 0 | char salt[255 * 2 + 1]; |
19952 | |
|
19953 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19954 | |
|
19955 | 0 | result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt)); |
19956 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
19957 | 0 | dnssec_log(zone, ISC_LOG_NOTICE, |
19958 | 0 | "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)", |
19959 | 0 | nsec3param->hash, nsec3param->iterations, salt); |
19960 | 0 | LOCK_ZONE(zone); |
19961 | 0 | result = zone_addnsec3chain(zone, nsec3param); |
19962 | 0 | UNLOCK_ZONE(zone); |
19963 | |
|
19964 | 0 | return (result); |
19965 | 0 | } |
19966 | | |
19967 | | void |
19968 | 0 | dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes) { |
19969 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19970 | |
|
19971 | 0 | if (nodes == 0) { |
19972 | 0 | nodes = 1; |
19973 | 0 | } |
19974 | 0 | zone->nodes = nodes; |
19975 | 0 | } |
19976 | | |
19977 | | void |
19978 | 0 | dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures) { |
19979 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19980 | | |
19981 | | /* |
19982 | | * We treat signatures as a signed value so explicitly |
19983 | | * limit its range here. |
19984 | | */ |
19985 | 0 | if (signatures > INT32_MAX) { |
19986 | 0 | signatures = INT32_MAX; |
19987 | 0 | } else if (signatures == 0) { |
19988 | 0 | signatures = 1; |
19989 | 0 | } |
19990 | 0 | zone->signatures = signatures; |
19991 | 0 | } |
19992 | | |
19993 | | uint32_t |
19994 | 0 | dns_zone_getsignatures(dns_zone_t *zone) { |
19995 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
19996 | 0 | return (zone->signatures); |
19997 | 0 | } |
19998 | | |
19999 | | void |
20000 | 0 | dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) { |
20001 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
20002 | 0 | zone->privatetype = type; |
20003 | 0 | } |
20004 | | |
20005 | | dns_rdatatype_t |
20006 | 0 | dns_zone_getprivatetype(dns_zone_t *zone) { |
20007 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
20008 | 0 | return (zone->privatetype); |
20009 | 0 | } |
20010 | | |
20011 | | static isc_result_t |
20012 | | zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid, |
20013 | 0 | bool deleteit) { |
20014 | 0 | dns_signing_t *signing; |
20015 | 0 | dns_signing_t *current; |
20016 | 0 | isc_result_t result = ISC_R_SUCCESS; |
20017 | 0 | isc_time_t now; |
20018 | 0 | dns_db_t *db = NULL; |
20019 | |
|
20020 | 0 | signing = isc_mem_get(zone->mctx, sizeof *signing); |
20021 | |
|
20022 | 0 | signing->magic = 0; |
20023 | 0 | signing->db = NULL; |
20024 | 0 | signing->dbiterator = NULL; |
20025 | 0 | signing->algorithm = algorithm; |
20026 | 0 | signing->keyid = keyid; |
20027 | 0 | signing->deleteit = deleteit; |
20028 | 0 | signing->done = false; |
20029 | |
|
20030 | 0 | now = isc_time_now(); |
20031 | |
|
20032 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
20033 | 0 | if (zone->db != NULL) { |
20034 | 0 | dns_db_attach(zone->db, &db); |
20035 | 0 | } |
20036 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
20037 | |
|
20038 | 0 | if (db == NULL) { |
20039 | 0 | result = ISC_R_NOTFOUND; |
20040 | 0 | goto cleanup; |
20041 | 0 | } |
20042 | | |
20043 | 0 | dns_db_attach(db, &signing->db); |
20044 | |
|
20045 | 0 | for (current = ISC_LIST_HEAD(zone->signing); current != NULL; |
20046 | 0 | current = ISC_LIST_NEXT(current, link)) |
20047 | 0 | { |
20048 | 0 | if (current->db == signing->db && |
20049 | 0 | current->algorithm == signing->algorithm && |
20050 | 0 | current->keyid == signing->keyid) |
20051 | 0 | { |
20052 | 0 | if (current->deleteit != signing->deleteit) { |
20053 | 0 | current->done = true; |
20054 | 0 | } else { |
20055 | 0 | goto cleanup; |
20056 | 0 | } |
20057 | 0 | } |
20058 | 0 | } |
20059 | | |
20060 | 0 | result = dns_db_createiterator(signing->db, 0, &signing->dbiterator); |
20061 | |
|
20062 | 0 | if (result == ISC_R_SUCCESS) { |
20063 | 0 | result = dns_dbiterator_first(signing->dbiterator); |
20064 | 0 | } |
20065 | 0 | if (result == ISC_R_SUCCESS) { |
20066 | 0 | dns_dbiterator_pause(signing->dbiterator); |
20067 | 0 | ISC_LIST_INITANDAPPEND(zone->signing, signing, link); |
20068 | 0 | signing = NULL; |
20069 | 0 | if (isc_time_isepoch(&zone->signingtime)) { |
20070 | 0 | zone->signingtime = now; |
20071 | 0 | if (zone->loop != NULL) { |
20072 | 0 | zone_settimer(zone, &now); |
20073 | 0 | } |
20074 | 0 | } |
20075 | 0 | } |
20076 | |
|
20077 | 0 | cleanup: |
20078 | 0 | if (signing != NULL) { |
20079 | 0 | if (signing->db != NULL) { |
20080 | 0 | dns_db_detach(&signing->db); |
20081 | 0 | } |
20082 | 0 | if (signing->dbiterator != NULL) { |
20083 | 0 | dns_dbiterator_destroy(&signing->dbiterator); |
20084 | 0 | } |
20085 | 0 | isc_mem_put(zone->mctx, signing, sizeof *signing); |
20086 | 0 | } |
20087 | 0 | if (db != NULL) { |
20088 | 0 | dns_db_detach(&db); |
20089 | 0 | } |
20090 | 0 | return (result); |
20091 | 0 | } |
20092 | | |
20093 | | /* Called once; *timep should be set to the current time. */ |
20094 | | static isc_result_t |
20095 | 0 | next_keyevent(dst_key_t *key, isc_stdtime_t *timep) { |
20096 | 0 | isc_result_t result; |
20097 | 0 | isc_stdtime_t now, then = 0, event; |
20098 | 0 | int i; |
20099 | |
|
20100 | 0 | now = *timep; |
20101 | |
|
20102 | 0 | for (i = 0; i <= DST_MAX_TIMES; i++) { |
20103 | 0 | result = dst_key_gettime(key, i, &event); |
20104 | 0 | if (result == ISC_R_SUCCESS && event > now && |
20105 | 0 | (then == 0 || event < then)) |
20106 | 0 | { |
20107 | 0 | then = event; |
20108 | 0 | } |
20109 | 0 | } |
20110 | |
|
20111 | 0 | if (then != 0) { |
20112 | 0 | *timep = then; |
20113 | 0 | return (ISC_R_SUCCESS); |
20114 | 0 | } |
20115 | | |
20116 | 0 | return (ISC_R_NOTFOUND); |
20117 | 0 | } |
20118 | | |
20119 | | static isc_result_t |
20120 | | rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, |
20121 | 0 | const dns_rdata_t *rdata, bool *flag) { |
20122 | 0 | dns_rdataset_t rdataset; |
20123 | 0 | dns_dbnode_t *node = NULL; |
20124 | 0 | isc_result_t result; |
20125 | |
|
20126 | 0 | dns_rdataset_init(&rdataset); |
20127 | 0 | if (rdata->type == dns_rdatatype_nsec3) { |
20128 | 0 | CHECK(dns_db_findnsec3node(db, name, false, &node)); |
20129 | 0 | } else { |
20130 | 0 | CHECK(dns_db_findnode(db, name, false, &node)); |
20131 | 0 | } |
20132 | 0 | result = dns_db_findrdataset(db, node, ver, rdata->type, 0, |
20133 | 0 | (isc_stdtime_t)0, &rdataset, NULL); |
20134 | 0 | if (result == ISC_R_NOTFOUND) { |
20135 | 0 | *flag = false; |
20136 | 0 | result = ISC_R_SUCCESS; |
20137 | 0 | goto failure; |
20138 | 0 | } |
20139 | | |
20140 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
20141 | 0 | result = dns_rdataset_next(&rdataset)) |
20142 | 0 | { |
20143 | 0 | dns_rdata_t myrdata = DNS_RDATA_INIT; |
20144 | 0 | dns_rdataset_current(&rdataset, &myrdata); |
20145 | 0 | if (!dns_rdata_compare(&myrdata, rdata)) { |
20146 | 0 | break; |
20147 | 0 | } |
20148 | 0 | } |
20149 | 0 | dns_rdataset_disassociate(&rdataset); |
20150 | 0 | if (result == ISC_R_SUCCESS) { |
20151 | 0 | *flag = true; |
20152 | 0 | } else if (result == ISC_R_NOMORE) { |
20153 | 0 | *flag = false; |
20154 | 0 | result = ISC_R_SUCCESS; |
20155 | 0 | } |
20156 | |
|
20157 | 0 | failure: |
20158 | 0 | if (node != NULL) { |
20159 | 0 | dns_db_detachnode(db, &node); |
20160 | 0 | } |
20161 | 0 | return (result); |
20162 | 0 | } |
20163 | | |
20164 | | /* |
20165 | | * Add records to signal the state of signing or of key removal. |
20166 | | */ |
20167 | | static isc_result_t |
20168 | | add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, |
20169 | 0 | dns_dbversion_t *ver, dns_diff_t *diff, bool sign_all) { |
20170 | 0 | dns_difftuple_t *tuple = NULL, *newtuple = NULL, *next = NULL; |
20171 | 0 | dns_difftuple_t *addtuple = NULL, *deltuple = NULL; |
20172 | 0 | dns_rdata_dnskey_t dnskey; |
20173 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
20174 | 0 | bool flag; |
20175 | 0 | isc_region_t r; |
20176 | 0 | isc_result_t result = ISC_R_SUCCESS; |
20177 | 0 | uint16_t keyid; |
20178 | 0 | unsigned char buf[5]; |
20179 | 0 | dns_name_t *name = dns_db_origin(db); |
20180 | 0 | dns_difftuplelist_t add = ISC_LIST_INITIALIZER; |
20181 | 0 | dns_difftuplelist_t del = ISC_LIST_INITIALIZER; |
20182 | 0 | dns_difftuplelist_t tuples = ISC_LIST_INITIALIZER; |
20183 | | |
20184 | | /* |
20185 | | * Move non DNSKEY and not DNSSEC DNSKEY records to tuples |
20186 | | * and sort the remaining DNSKEY records to add and del. |
20187 | | */ |
20188 | 0 | for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; |
20189 | 0 | tuple = ISC_LIST_HEAD(diff->tuples)) |
20190 | 0 | { |
20191 | 0 | if (tuple->rdata.type != dns_rdatatype_dnskey) { |
20192 | 0 | ISC_LIST_UNLINK(diff->tuples, tuple, link); |
20193 | 0 | ISC_LIST_APPEND(tuples, tuple, link); |
20194 | 0 | continue; |
20195 | 0 | } |
20196 | | |
20197 | 0 | result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); |
20198 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
20199 | 0 | if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK | |
20200 | 0 | DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE) |
20201 | 0 | { |
20202 | 0 | ISC_LIST_UNLINK(diff->tuples, tuple, link); |
20203 | 0 | ISC_LIST_APPEND(tuples, tuple, link); |
20204 | 0 | continue; |
20205 | 0 | } |
20206 | | |
20207 | 0 | ISC_LIST_UNLINK(diff->tuples, tuple, link); |
20208 | 0 | switch (tuple->op) { |
20209 | 0 | case DNS_DIFFOP_DEL: |
20210 | 0 | case DNS_DIFFOP_DELRESIGN: |
20211 | 0 | ISC_LIST_APPEND(del, tuple, link); |
20212 | 0 | break; |
20213 | 0 | case DNS_DIFFOP_ADD: |
20214 | 0 | case DNS_DIFFOP_ADDRESIGN: |
20215 | 0 | ISC_LIST_APPEND(add, tuple, link); |
20216 | 0 | break; |
20217 | 0 | default: |
20218 | 0 | UNREACHABLE(); |
20219 | 0 | } |
20220 | 0 | } |
20221 | | |
20222 | | /* |
20223 | | * Put the tuples that don't need more processing back onto |
20224 | | * diff->tuples. |
20225 | | */ |
20226 | 0 | ISC_LIST_APPENDLIST(diff->tuples, tuples, link); |
20227 | | |
20228 | | /* |
20229 | | * Filter out DNSKEY TTL changes and put them back onto diff->tuples. |
20230 | | */ |
20231 | 0 | for (deltuple = ISC_LIST_HEAD(del); deltuple != NULL; deltuple = next) { |
20232 | 0 | next = ISC_LIST_NEXT(deltuple, link); |
20233 | 0 | for (addtuple = ISC_LIST_HEAD(add); addtuple != NULL; |
20234 | 0 | addtuple = ISC_LIST_NEXT(addtuple, link)) |
20235 | 0 | { |
20236 | 0 | int n = dns_rdata_compare(&deltuple->rdata, |
20237 | 0 | &addtuple->rdata); |
20238 | 0 | if (n == 0) { |
20239 | 0 | ISC_LIST_UNLINK(del, deltuple, link); |
20240 | 0 | ISC_LIST_APPEND(diff->tuples, deltuple, link); |
20241 | 0 | ISC_LIST_UNLINK(add, addtuple, link); |
20242 | 0 | ISC_LIST_APPEND(diff->tuples, addtuple, link); |
20243 | 0 | break; |
20244 | 0 | } |
20245 | 0 | } |
20246 | 0 | } |
20247 | | |
20248 | | /* |
20249 | | * Combine any remaining DNSKEY changes together. |
20250 | | */ |
20251 | 0 | ISC_LIST_APPENDLIST(tuples, add, link); |
20252 | 0 | ISC_LIST_APPENDLIST(tuples, del, link); |
20253 | | |
20254 | | /* |
20255 | | * Add private records for keys that have been removed |
20256 | | * or added. |
20257 | | */ |
20258 | 0 | for (tuple = ISC_LIST_HEAD(tuples); tuple != NULL; |
20259 | 0 | tuple = ISC_LIST_NEXT(tuple, link)) |
20260 | 0 | { |
20261 | 0 | dns_rdata_toregion(&tuple->rdata, &r); |
20262 | |
|
20263 | 0 | keyid = dst_region_computeid(&r); |
20264 | |
|
20265 | 0 | buf[0] = dnskey.algorithm; |
20266 | 0 | buf[1] = (keyid & 0xff00) >> 8; |
20267 | 0 | buf[2] = (keyid & 0xff); |
20268 | 0 | buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1; |
20269 | 0 | buf[4] = 0; |
20270 | 0 | rdata.data = buf; |
20271 | 0 | rdata.length = sizeof(buf); |
20272 | 0 | rdata.type = privatetype; |
20273 | 0 | rdata.rdclass = tuple->rdata.rdclass; |
20274 | |
|
20275 | 0 | if (sign_all || tuple->op == DNS_DIFFOP_DEL) { |
20276 | 0 | CHECK(rr_exists(db, ver, name, &rdata, &flag)); |
20277 | 0 | if (flag) { |
20278 | 0 | continue; |
20279 | 0 | } |
20280 | | |
20281 | 0 | CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, |
20282 | 0 | name, 0, &rdata, &newtuple)); |
20283 | 0 | CHECK(do_one_tuple(&newtuple, db, ver, diff)); |
20284 | 0 | INSIST(newtuple == NULL); |
20285 | 0 | } |
20286 | | |
20287 | | /* |
20288 | | * Remove any record which says this operation has already |
20289 | | * completed. |
20290 | | */ |
20291 | 0 | buf[4] = 1; |
20292 | 0 | CHECK(rr_exists(db, ver, name, &rdata, &flag)); |
20293 | 0 | if (flag) { |
20294 | 0 | CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, |
20295 | 0 | name, 0, &rdata, &newtuple)); |
20296 | 0 | CHECK(do_one_tuple(&newtuple, db, ver, diff)); |
20297 | 0 | INSIST(newtuple == NULL); |
20298 | 0 | } |
20299 | 0 | } |
20300 | | |
20301 | 0 | failure: |
20302 | | /* |
20303 | | * Put the DNSKEY changes we cared about back on diff->tuples. |
20304 | | */ |
20305 | 0 | ISC_LIST_APPENDLIST(diff->tuples, tuples, link); |
20306 | 0 | INSIST(ISC_LIST_EMPTY(add)); |
20307 | 0 | INSIST(ISC_LIST_EMPTY(del)); |
20308 | 0 | INSIST(ISC_LIST_EMPTY(tuples)); |
20309 | 0 | return (result); |
20310 | 0 | } |
20311 | | |
20312 | | /* |
20313 | | * See if dns__zone_updatesigs() will update signature for RRset 'rrtype' at |
20314 | | * the apex, and if not tickle them and cause to sign so that newly activated |
20315 | | * keys are used. |
20316 | | */ |
20317 | | static isc_result_t |
20318 | | tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db, |
20319 | | dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff, |
20320 | | dns__zonediff_t *zonediff, dst_key_t **keys, |
20321 | | unsigned int nkeys, isc_stdtime_t inception, |
20322 | 0 | isc_stdtime_t keyexpire) { |
20323 | 0 | dns_difftuple_t *tuple; |
20324 | 0 | isc_result_t result; |
20325 | |
|
20326 | 0 | for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; |
20327 | 0 | tuple = ISC_LIST_NEXT(tuple, link)) |
20328 | 0 | { |
20329 | 0 | if (tuple->rdata.type == rrtype && |
20330 | 0 | dns_name_equal(&tuple->name, &zone->origin)) |
20331 | 0 | { |
20332 | 0 | break; |
20333 | 0 | } |
20334 | 0 | } |
20335 | |
|
20336 | 0 | if (tuple == NULL) { |
20337 | 0 | result = del_sigs(zone, db, ver, &zone->origin, rrtype, |
20338 | 0 | zonediff, keys, nkeys, now, false); |
20339 | 0 | if (result != ISC_R_SUCCESS) { |
20340 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
20341 | 0 | "sign_apex:del_sigs -> %s", |
20342 | 0 | isc_result_totext(result)); |
20343 | 0 | return (result); |
20344 | 0 | } |
20345 | 0 | result = add_sigs(db, ver, &zone->origin, zone, rrtype, |
20346 | 0 | zonediff->diff, keys, nkeys, zone->mctx, now, |
20347 | 0 | inception, keyexpire); |
20348 | 0 | if (result != ISC_R_SUCCESS) { |
20349 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
20350 | 0 | "sign_apex:add_sigs -> %s", |
20351 | 0 | isc_result_totext(result)); |
20352 | 0 | return (result); |
20353 | 0 | } |
20354 | 0 | } |
20355 | | |
20356 | 0 | return (ISC_R_SUCCESS); |
20357 | 0 | } |
20358 | | |
20359 | | static isc_result_t |
20360 | | sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
20361 | 0 | isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) { |
20362 | 0 | isc_result_t result; |
20363 | 0 | isc_stdtime_t inception, soaexpire, keyexpire; |
20364 | 0 | dst_key_t *zone_keys[DNS_MAXZONEKEYS]; |
20365 | 0 | unsigned int nkeys = 0, i; |
20366 | |
|
20367 | 0 | result = dns_zone_findkeys(zone, db, ver, now, zone->mctx, |
20368 | 0 | DNS_MAXZONEKEYS, zone_keys, &nkeys); |
20369 | 0 | if (result != ISC_R_SUCCESS) { |
20370 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
20371 | 0 | "sign_apex:dns_zone_findkeys -> %s", |
20372 | 0 | isc_result_totext(result)); |
20373 | 0 | return (result); |
20374 | 0 | } |
20375 | | |
20376 | 0 | inception = now - 3600; /* Allow for clock skew. */ |
20377 | 0 | soaexpire = now + dns_zone_getsigvalidityinterval(zone); |
20378 | |
|
20379 | 0 | keyexpire = dns_zone_getkeyvalidityinterval(zone); |
20380 | 0 | if (keyexpire == 0) { |
20381 | 0 | keyexpire = soaexpire - 1; |
20382 | 0 | } else { |
20383 | 0 | keyexpire += now; |
20384 | 0 | } |
20385 | | |
20386 | | /* |
20387 | | * See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY |
20388 | | * signature and if not cause them to sign so that newly activated |
20389 | | * keys are used. |
20390 | | */ |
20391 | 0 | result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now, |
20392 | 0 | diff, zonediff, zone_keys, nkeys, inception, |
20393 | 0 | keyexpire); |
20394 | 0 | if (result != ISC_R_SUCCESS) { |
20395 | 0 | goto failure; |
20396 | 0 | } |
20397 | 0 | result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff, |
20398 | 0 | zonediff, zone_keys, nkeys, inception, |
20399 | 0 | keyexpire); |
20400 | 0 | if (result != ISC_R_SUCCESS) { |
20401 | 0 | goto failure; |
20402 | 0 | } |
20403 | 0 | result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now, |
20404 | 0 | diff, zonediff, zone_keys, nkeys, inception, |
20405 | 0 | keyexpire); |
20406 | 0 | if (result != ISC_R_SUCCESS) { |
20407 | 0 | goto failure; |
20408 | 0 | } |
20409 | | |
20410 | 0 | result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone, |
20411 | 0 | inception, soaexpire, keyexpire, now, |
20412 | 0 | zonediff); |
20413 | |
|
20414 | 0 | if (result != ISC_R_SUCCESS) { |
20415 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
20416 | 0 | "sign_apex:dns__zone_updatesigs -> %s", |
20417 | 0 | isc_result_totext(result)); |
20418 | 0 | goto failure; |
20419 | 0 | } |
20420 | | |
20421 | 0 | failure: |
20422 | 0 | for (i = 0; i < nkeys; i++) { |
20423 | 0 | dst_key_free(&zone_keys[i]); |
20424 | 0 | } |
20425 | 0 | return (result); |
20426 | 0 | } |
20427 | | |
20428 | | static isc_result_t |
20429 | | clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
20430 | 0 | dns_diff_t *diff) { |
20431 | 0 | isc_result_t result; |
20432 | 0 | dns_dbnode_t *node = NULL; |
20433 | 0 | dns_rdataset_t rdataset; |
20434 | |
|
20435 | 0 | dns_rdataset_init(&rdataset); |
20436 | 0 | CHECK(dns_db_getoriginnode(db, &node)); |
20437 | | |
20438 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, |
20439 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
20440 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
20441 | 0 | dns_rdataset_disassociate(&rdataset); |
20442 | 0 | } |
20443 | 0 | if (result != ISC_R_NOTFOUND) { |
20444 | 0 | goto failure; |
20445 | 0 | } |
20446 | | |
20447 | 0 | result = dns_nsec3param_deletechains(db, ver, zone, true, diff); |
20448 | |
|
20449 | 0 | failure: |
20450 | 0 | if (node != NULL) { |
20451 | 0 | dns_db_detachnode(db, &node); |
20452 | 0 | } |
20453 | 0 | return (result); |
20454 | 0 | } |
20455 | | |
20456 | | /* |
20457 | | * Given an RRSIG rdataset and an algorithm, determine whether there |
20458 | | * are any signatures using that algorithm. |
20459 | | */ |
20460 | | static bool |
20461 | 0 | signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) { |
20462 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
20463 | 0 | dns_rdata_rrsig_t rrsig; |
20464 | 0 | isc_result_t result; |
20465 | |
|
20466 | 0 | REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig); |
20467 | 0 | if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) { |
20468 | 0 | return (false); |
20469 | 0 | } |
20470 | | |
20471 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
20472 | 0 | result = dns_rdataset_next(rdataset)) |
20473 | 0 | { |
20474 | 0 | dns_rdataset_current(rdataset, &rdata); |
20475 | 0 | result = dns_rdata_tostruct(&rdata, &rrsig, NULL); |
20476 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
20477 | 0 | dns_rdata_reset(&rdata); |
20478 | 0 | if (rrsig.algorithm == alg) { |
20479 | 0 | return (true); |
20480 | 0 | } |
20481 | 0 | } |
20482 | | |
20483 | 0 | return (false); |
20484 | 0 | } |
20485 | | |
20486 | | static isc_result_t |
20487 | | add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, |
20488 | 0 | dns_diff_t *diff) { |
20489 | 0 | dns_name_t *origin; |
20490 | 0 | bool build_nsec3; |
20491 | 0 | isc_result_t result; |
20492 | |
|
20493 | 0 | origin = dns_db_origin(db); |
20494 | 0 | CHECK(dns_private_chains(db, ver, zone->privatetype, NULL, |
20495 | 0 | &build_nsec3)); |
20496 | 0 | if (build_nsec3) { |
20497 | 0 | CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone_nsecttl(zone), |
20498 | 0 | false, zone->privatetype, diff)); |
20499 | 0 | } |
20500 | 0 | CHECK(updatesecure(db, ver, origin, zone_nsecttl(zone), true, diff)); |
20501 | | |
20502 | 0 | failure: |
20503 | 0 | return (result); |
20504 | 0 | } |
20505 | | |
20506 | | static void |
20507 | 0 | dnssec_report(const char *format, ...) { |
20508 | 0 | va_list args; |
20509 | 0 | va_start(args, format); |
20510 | 0 | isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE, |
20511 | 0 | ISC_LOG_INFO, format, args); |
20512 | 0 | va_end(args); |
20513 | 0 | } |
20514 | | |
20515 | | static void |
20516 | 0 | checkds_destroy(dns_checkds_t *checkds, bool locked) { |
20517 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
20518 | |
|
20519 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
20520 | 0 | "checkds: destroy DS query"); |
20521 | |
|
20522 | 0 | if (checkds->zone != NULL) { |
20523 | 0 | if (!locked) { |
20524 | 0 | LOCK_ZONE(checkds->zone); |
20525 | 0 | } |
20526 | 0 | REQUIRE(LOCKED_ZONE(checkds->zone)); |
20527 | 0 | if (ISC_LINK_LINKED(checkds, link)) { |
20528 | 0 | ISC_LIST_UNLINK(checkds->zone->checkds_requests, |
20529 | 0 | checkds, link); |
20530 | 0 | } |
20531 | 0 | if (!locked) { |
20532 | 0 | UNLOCK_ZONE(checkds->zone); |
20533 | 0 | } |
20534 | 0 | if (locked) { |
20535 | 0 | zone_idetach(&checkds->zone); |
20536 | 0 | } else { |
20537 | 0 | dns_zone_idetach(&checkds->zone); |
20538 | 0 | } |
20539 | 0 | } |
20540 | 0 | if (checkds->find != NULL) { |
20541 | 0 | dns_adb_destroyfind(&checkds->find); |
20542 | 0 | } |
20543 | 0 | if (checkds->request != NULL) { |
20544 | 0 | dns_request_destroy(&checkds->request); |
20545 | 0 | } |
20546 | 0 | if (dns_name_dynamic(&checkds->ns)) { |
20547 | 0 | dns_name_free(&checkds->ns, checkds->mctx); |
20548 | 0 | } |
20549 | 0 | if (checkds->key != NULL) { |
20550 | 0 | dns_tsigkey_detach(&checkds->key); |
20551 | 0 | } |
20552 | 0 | if (checkds->transport != NULL) { |
20553 | 0 | dns_transport_detach(&checkds->transport); |
20554 | 0 | } |
20555 | 0 | INSIST(checkds->rlevent == NULL); |
20556 | 0 | isc_mem_putanddetach(&checkds->mctx, checkds, sizeof(*checkds)); |
20557 | 0 | } |
20558 | | |
20559 | | static isc_result_t |
20560 | | make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize, |
20561 | 0 | dns_rdata_t *target) { |
20562 | 0 | isc_result_t result; |
20563 | 0 | isc_buffer_t b; |
20564 | 0 | isc_region_t r; |
20565 | |
|
20566 | 0 | isc_buffer_init(&b, buf, bufsize); |
20567 | 0 | result = dst_key_todns(key, &b); |
20568 | 0 | if (result != ISC_R_SUCCESS) { |
20569 | 0 | return (result); |
20570 | 0 | } |
20571 | | |
20572 | 0 | dns_rdata_reset(target); |
20573 | 0 | isc_buffer_usedregion(&b, &r); |
20574 | 0 | dns_rdata_fromregion(target, dst_key_class(key), dns_rdatatype_dnskey, |
20575 | 0 | &r); |
20576 | 0 | return (ISC_R_SUCCESS); |
20577 | 0 | } |
20578 | | |
20579 | | static bool |
20580 | | do_checkds(dns_zone_t *zone, dst_key_t *key, isc_stdtime_t now, |
20581 | 0 | bool dspublish) { |
20582 | 0 | dns_kasp_t *kasp = zone->kasp; |
20583 | 0 | isc_result_t result; |
20584 | 0 | uint32_t count = 0; |
20585 | 0 | uint32_t num; |
20586 | |
|
20587 | 0 | switch (zone->checkdstype) { |
20588 | 0 | case dns_checkdstype_yes: |
20589 | 0 | num = zone->parent_nscount; |
20590 | 0 | break; |
20591 | 0 | case dns_checkdstype_explicit: |
20592 | 0 | num = dns_remote_count(&zone->parentals); |
20593 | 0 | break; |
20594 | 0 | case dns_checkdstype_no: |
20595 | 0 | default: |
20596 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
20597 | 0 | "checkds: option is disabled"); |
20598 | 0 | return (false); |
20599 | 0 | } |
20600 | | |
20601 | 0 | if (dspublish) { |
20602 | 0 | (void)dst_key_getnum(key, DST_NUM_DSPUBCOUNT, &count); |
20603 | 0 | count += 1; |
20604 | 0 | dst_key_setnum(key, DST_NUM_DSPUBCOUNT, count); |
20605 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
20606 | 0 | "checkds: %u DS published " |
20607 | 0 | "for key %u", |
20608 | 0 | count, dst_key_id(key)); |
20609 | |
|
20610 | 0 | if (count != num) { |
20611 | 0 | return false; |
20612 | 0 | } |
20613 | 0 | } else { |
20614 | 0 | (void)dst_key_getnum(key, DST_NUM_DSDELCOUNT, &count); |
20615 | 0 | count += 1; |
20616 | 0 | dst_key_setnum(key, DST_NUM_DSDELCOUNT, count); |
20617 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
20618 | 0 | "checkds: %u DS withdrawn " |
20619 | 0 | "for key %u", |
20620 | 0 | count, dst_key_id(key)); |
20621 | |
|
20622 | 0 | if (count != num) { |
20623 | 0 | return false; |
20624 | 0 | } |
20625 | 0 | } |
20626 | | |
20627 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
20628 | 0 | "checkds: checkds %s for key " |
20629 | 0 | "%u", |
20630 | 0 | dspublish ? "published" : "withdrawn", dst_key_id(key)); |
20631 | |
|
20632 | 0 | dns_zone_lock_keyfiles(zone); |
20633 | 0 | result = dns_keymgr_checkds_id(kasp, &zone->checkds_ok, now, now, |
20634 | 0 | dspublish, dst_key_id(key), |
20635 | 0 | dst_key_alg(key)); |
20636 | 0 | dns_zone_unlock_keyfiles(zone); |
20637 | |
|
20638 | 0 | if (result != ISC_R_SUCCESS) { |
20639 | 0 | dns_zone_log(zone, ISC_LOG_WARNING, |
20640 | 0 | "checkds: checkds for key %u failed: %s", |
20641 | 0 | dst_key_id(key), isc_result_totext(result)); |
20642 | 0 | return false; |
20643 | 0 | } |
20644 | | |
20645 | 0 | return true; |
20646 | 0 | } |
20647 | | |
20648 | | static isc_result_t |
20649 | 0 | validate_ds(dns_zone_t *zone, dns_message_t *message) { |
20650 | 0 | UNUSED(zone); |
20651 | 0 | UNUSED(message); |
20652 | | |
20653 | | /* Get closest trust anchor */ |
20654 | | |
20655 | | /* Check that trust anchor is (grand)parent of zone. */ |
20656 | | |
20657 | | /* Find the DNSKEY signing the message. */ |
20658 | | |
20659 | | /* Check that DNSKEY is in chain of trust. */ |
20660 | | |
20661 | | /* Validate DS RRset. */ |
20662 | |
|
20663 | 0 | return (ISC_R_SUCCESS); |
20664 | 0 | } |
20665 | | |
20666 | | static void |
20667 | 0 | checkds_done(void *arg) { |
20668 | 0 | dns_request_t *request = (dns_request_t *)arg; |
20669 | 0 | dns_checkds_t *checkds = dns_request_getarg(request); |
20670 | 0 | char addrbuf[ISC_SOCKADDR_FORMATSIZE]; |
20671 | 0 | char rcode[128]; |
20672 | 0 | dns_zone_t *zone = NULL; |
20673 | 0 | dns_db_t *db = NULL; |
20674 | 0 | dns_dbversion_t *version = NULL; |
20675 | 0 | dns_dnsseckey_t *key = NULL; |
20676 | 0 | dns_dnsseckeylist_t keys; |
20677 | 0 | dns_kasp_t *kasp = NULL; |
20678 | 0 | dns_message_t *message = NULL; |
20679 | 0 | dns_rdataset_t *ds_rrset = NULL; |
20680 | 0 | isc_buffer_t buf; |
20681 | 0 | isc_result_t result; |
20682 | 0 | isc_stdtime_t now; |
20683 | 0 | isc_time_t timenow; |
20684 | 0 | bool rekey = false; |
20685 | 0 | bool empty = false; |
20686 | |
|
20687 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
20688 | |
|
20689 | 0 | zone = checkds->zone; |
20690 | |
|
20691 | 0 | ISC_LIST_INIT(keys); |
20692 | |
|
20693 | 0 | kasp = zone->kasp; |
20694 | 0 | INSIST(kasp != NULL); |
20695 | |
|
20696 | 0 | isc_buffer_init(&buf, rcode, sizeof(rcode)); |
20697 | 0 | isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf)); |
20698 | |
|
20699 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(1), "checkds: DS query to %s: done", |
20700 | 0 | addrbuf); |
20701 | |
|
20702 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE, |
20703 | 0 | &message); |
20704 | 0 | INSIST(message != NULL); |
20705 | |
|
20706 | 0 | CHECK(dns_request_getresult(request)); |
20707 | 0 | CHECK(dns_request_getresponse(request, message, |
20708 | 0 | DNS_MESSAGEPARSE_PRESERVEORDER)); |
20709 | 0 | CHECK(dns_rcode_totext(message->rcode, &buf)); |
20710 | | |
20711 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
20712 | 0 | "checkds: DS response from %s: %.*s", addrbuf, |
20713 | 0 | (int)buf.used, rcode); |
20714 | | |
20715 | | /* Validate response. */ |
20716 | 0 | CHECK(validate_ds(zone, message)); |
20717 | | |
20718 | | /* Check RCODE. */ |
20719 | 0 | if (message->rcode != dns_rcode_noerror) { |
20720 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
20721 | 0 | "checkds: bad DS response from %s: %.*s", addrbuf, |
20722 | 0 | (int)buf.used, rcode); |
20723 | 0 | goto failure; |
20724 | 0 | } |
20725 | | |
20726 | | /* Make sure that either AA or RA bit is set. */ |
20727 | 0 | if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 && |
20728 | 0 | (message->flags & DNS_MESSAGEFLAG_RA) == 0) |
20729 | 0 | { |
20730 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
20731 | 0 | "checkds: bad DS response from %s: expected AA or " |
20732 | 0 | "RA bit set", |
20733 | 0 | addrbuf); |
20734 | 0 | goto failure; |
20735 | 0 | } |
20736 | | |
20737 | | /* Lookup DS RRset. */ |
20738 | 0 | result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
20739 | 0 | while (result == ISC_R_SUCCESS) { |
20740 | 0 | dns_name_t *name = NULL; |
20741 | 0 | dns_rdataset_t *rdataset; |
20742 | |
|
20743 | 0 | dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
20744 | 0 | if (dns_name_compare(&zone->origin, name) != 0) { |
20745 | 0 | goto next; |
20746 | 0 | } |
20747 | | |
20748 | 0 | for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; |
20749 | 0 | rdataset = ISC_LIST_NEXT(rdataset, link)) |
20750 | 0 | { |
20751 | 0 | if (rdataset->type != dns_rdatatype_ds) { |
20752 | 0 | goto next; |
20753 | 0 | } |
20754 | | |
20755 | 0 | ds_rrset = rdataset; |
20756 | 0 | break; |
20757 | 0 | } |
20758 | | |
20759 | 0 | if (ds_rrset != NULL) { |
20760 | 0 | break; |
20761 | 0 | } |
20762 | | |
20763 | 0 | next: |
20764 | 0 | result = dns_message_nextname(message, DNS_SECTION_ANSWER); |
20765 | 0 | } |
20766 | | |
20767 | 0 | if (ds_rrset == NULL) { |
20768 | 0 | empty = true; |
20769 | 0 | dns_zone_log(zone, ISC_LOG_NOTICE, |
20770 | 0 | "checkds: empty DS response from %s", addrbuf); |
20771 | 0 | } |
20772 | |
|
20773 | 0 | timenow = isc_time_now(); |
20774 | 0 | now = isc_time_seconds(&timenow); |
20775 | |
|
20776 | 0 | CHECK(dns_zone_getdb(zone, &db)); |
20777 | 0 | dns_db_currentversion(db, &version); |
20778 | |
|
20779 | 0 | KASP_LOCK(kasp); |
20780 | 0 | LOCK_ZONE(zone); |
20781 | 0 | for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL; |
20782 | 0 | key = ISC_LIST_NEXT(key, link)) |
20783 | 0 | { |
20784 | 0 | bool alldone = false, found = false; |
20785 | 0 | bool checkdspub = false, checkdsdel = false, ksk = false; |
20786 | 0 | dst_key_state_t ds_state = DST_KEY_STATE_NA; |
20787 | 0 | isc_stdtime_t published = 0, withdrawn = 0; |
20788 | 0 | isc_result_t ret = ISC_R_SUCCESS; |
20789 | | |
20790 | | /* Is this key have the KSK role? */ |
20791 | 0 | (void)dst_key_role(key->key, &ksk, NULL); |
20792 | 0 | if (!ksk) { |
20793 | 0 | continue; |
20794 | 0 | } |
20795 | | |
20796 | | /* Do we need to check the DS RRset for this key? */ |
20797 | 0 | (void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state); |
20798 | 0 | (void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published); |
20799 | 0 | (void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn); |
20800 | |
|
20801 | 0 | if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) { |
20802 | 0 | checkdspub = true; |
20803 | 0 | } else if (ds_state == DST_KEY_STATE_UNRETENTIVE && |
20804 | 0 | withdrawn == 0) |
20805 | 0 | { |
20806 | 0 | checkdsdel = true; |
20807 | 0 | } |
20808 | 0 | if (!checkdspub && !checkdsdel) { |
20809 | 0 | continue; |
20810 | 0 | } |
20811 | | |
20812 | 0 | if (empty) { |
20813 | 0 | goto dswithdrawn; |
20814 | 0 | } |
20815 | | |
20816 | | /* Find the appropriate DS record. */ |
20817 | 0 | ret = dns_rdataset_first(ds_rrset); |
20818 | 0 | while (ret == ISC_R_SUCCESS) { |
20819 | 0 | dns_rdata_ds_t ds; |
20820 | 0 | dns_rdata_t dnskey = DNS_RDATA_INIT; |
20821 | 0 | dns_rdata_t dsrdata = DNS_RDATA_INIT; |
20822 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
20823 | 0 | isc_result_t r; |
20824 | 0 | unsigned char dsbuf[DNS_DS_BUFFERSIZE]; |
20825 | 0 | unsigned char keybuf[DST_KEY_MAXSIZE]; |
20826 | |
|
20827 | 0 | dns_rdataset_current(ds_rrset, &rdata); |
20828 | 0 | r = dns_rdata_tostruct(&rdata, &ds, NULL); |
20829 | 0 | if (r != ISC_R_SUCCESS) { |
20830 | 0 | goto nextds; |
20831 | 0 | } |
20832 | | /* Check key tag and algorithm. */ |
20833 | 0 | if (dst_key_id(key->key) != ds.key_tag) { |
20834 | 0 | goto nextds; |
20835 | 0 | } |
20836 | 0 | if (dst_key_alg(key->key) != ds.algorithm) { |
20837 | 0 | goto nextds; |
20838 | 0 | } |
20839 | | /* Derive DS from DNSKEY, see if the rdata is equal. */ |
20840 | 0 | make_dnskey(key->key, keybuf, sizeof(keybuf), &dnskey); |
20841 | 0 | r = dns_ds_buildrdata(&zone->origin, &dnskey, |
20842 | 0 | ds.digest_type, dsbuf, &dsrdata); |
20843 | 0 | if (r != ISC_R_SUCCESS) { |
20844 | 0 | goto nextds; |
20845 | 0 | } |
20846 | 0 | if (dns_rdata_compare(&rdata, &dsrdata) == 0) { |
20847 | 0 | found = true; |
20848 | 0 | if (checkdspub) { |
20849 | | /* DS Published. */ |
20850 | 0 | alldone = do_checkds(zone, key->key, |
20851 | 0 | now, true); |
20852 | 0 | if (alldone) { |
20853 | 0 | rekey = true; |
20854 | 0 | } |
20855 | 0 | } |
20856 | 0 | } |
20857 | |
|
20858 | 0 | nextds: |
20859 | 0 | ret = dns_rdataset_next(ds_rrset); |
20860 | 0 | } |
20861 | | |
20862 | 0 | dswithdrawn: |
20863 | | /* DS withdrawn. */ |
20864 | 0 | if (checkdsdel && !found) { |
20865 | 0 | alldone = do_checkds(zone, key->key, now, false); |
20866 | 0 | if (alldone) { |
20867 | 0 | rekey = true; |
20868 | 0 | } |
20869 | 0 | } |
20870 | 0 | } |
20871 | 0 | UNLOCK_ZONE(zone); |
20872 | 0 | KASP_UNLOCK(kasp); |
20873 | | |
20874 | | /* Rekey after checkds. */ |
20875 | 0 | if (rekey) { |
20876 | 0 | dns_zone_rekey(zone, false); |
20877 | 0 | } |
20878 | |
|
20879 | 0 | failure: |
20880 | 0 | if (result != ISC_R_SUCCESS) { |
20881 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
20882 | 0 | "checkds: DS request failed: %s", |
20883 | 0 | isc_result_totext(result)); |
20884 | 0 | } |
20885 | |
|
20886 | 0 | if (version != NULL) { |
20887 | 0 | dns_db_closeversion(db, &version, false); |
20888 | 0 | } |
20889 | 0 | if (db != NULL) { |
20890 | 0 | dns_db_detach(&db); |
20891 | 0 | } |
20892 | |
|
20893 | 0 | while (!ISC_LIST_EMPTY(keys)) { |
20894 | 0 | key = ISC_LIST_HEAD(keys); |
20895 | 0 | ISC_LIST_UNLINK(keys, key, link); |
20896 | 0 | dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key); |
20897 | 0 | } |
20898 | |
|
20899 | 0 | checkds_destroy(checkds, false); |
20900 | 0 | dns_message_detach(&message); |
20901 | 0 | } |
20902 | | |
20903 | | static bool |
20904 | | checkds_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr, |
20905 | 0 | dns_tsigkey_t *key, dns_transport_t *transport) { |
20906 | 0 | dns_checkds_t *checkds; |
20907 | |
|
20908 | 0 | for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL; |
20909 | 0 | checkds = ISC_LIST_NEXT(checkds, link)) |
20910 | 0 | { |
20911 | 0 | if (checkds->request != NULL) { |
20912 | 0 | continue; |
20913 | 0 | } |
20914 | 0 | if (name != NULL && dns_name_equal(name, &checkds->ns)) { |
20915 | 0 | return (true); |
20916 | 0 | } |
20917 | 0 | if (addr != NULL && isc_sockaddr_equal(addr, &checkds->dst) && |
20918 | 0 | checkds->key == key && checkds->transport == transport) |
20919 | 0 | { |
20920 | 0 | return (true); |
20921 | 0 | } |
20922 | 0 | } |
20923 | 0 | return (false); |
20924 | 0 | } |
20925 | | |
20926 | | static isc_result_t |
20927 | 0 | checkds_create(isc_mem_t *mctx, unsigned int flags, dns_checkds_t **checkdsp) { |
20928 | 0 | dns_checkds_t *checkds; |
20929 | |
|
20930 | 0 | REQUIRE(checkdsp != NULL && *checkdsp == NULL); |
20931 | |
|
20932 | 0 | checkds = isc_mem_get(mctx, sizeof(*checkds)); |
20933 | 0 | *checkds = (dns_checkds_t){ |
20934 | 0 | .flags = flags, |
20935 | 0 | }; |
20936 | |
|
20937 | 0 | isc_mem_attach(mctx, &checkds->mctx); |
20938 | 0 | isc_sockaddr_any(&checkds->dst); |
20939 | 0 | dns_name_init(&checkds->ns, NULL); |
20940 | 0 | ISC_LINK_INIT(checkds, link); |
20941 | 0 | checkds->magic = CHECKDS_MAGIC; |
20942 | 0 | *checkdsp = checkds; |
20943 | 0 | return (ISC_R_SUCCESS); |
20944 | 0 | } |
20945 | | |
20946 | | static void |
20947 | 0 | checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) { |
20948 | 0 | dns_message_t *message = NULL; |
20949 | |
|
20950 | 0 | dns_name_t *tempname = NULL; |
20951 | 0 | dns_rdataset_t *temprdataset = NULL; |
20952 | |
|
20953 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
20954 | 0 | REQUIRE(messagep != NULL && *messagep == NULL); |
20955 | |
|
20956 | 0 | dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER, |
20957 | 0 | &message); |
20958 | |
|
20959 | 0 | message->opcode = dns_opcode_query; |
20960 | 0 | message->rdclass = zone->rdclass; |
20961 | 0 | message->flags |= DNS_MESSAGEFLAG_RD; |
20962 | |
|
20963 | 0 | dns_message_gettempname(message, &tempname); |
20964 | |
|
20965 | 0 | dns_message_gettemprdataset(message, &temprdataset); |
20966 | | |
20967 | | /* |
20968 | | * Make question. |
20969 | | */ |
20970 | 0 | dns_name_init(tempname, NULL); |
20971 | 0 | dns_name_clone(&zone->origin, tempname); |
20972 | 0 | dns_rdataset_makequestion(temprdataset, zone->rdclass, |
20973 | 0 | dns_rdatatype_ds); |
20974 | 0 | ISC_LIST_APPEND(tempname->list, temprdataset, link); |
20975 | 0 | dns_message_addname(message, tempname, DNS_SECTION_QUESTION); |
20976 | 0 | tempname = NULL; |
20977 | 0 | temprdataset = NULL; |
20978 | |
|
20979 | 0 | *messagep = message; |
20980 | 0 | } |
20981 | | |
20982 | | /* |
20983 | | * XXXAG should check for DNS_ZONEFLG_EXITING |
20984 | | */ |
20985 | | static void |
20986 | 0 | process_checkds_adb_event(void *arg) { |
20987 | 0 | dns_adbfind_t *find = (dns_adbfind_t *)arg; |
20988 | 0 | dns_checkds_t *checkds = (dns_checkds_t *)find->cbarg; |
20989 | 0 | dns_adbstatus_t astat = find->status; |
20990 | |
|
20991 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
20992 | 0 | REQUIRE(find == checkds->find); |
20993 | |
|
20994 | 0 | switch (astat) { |
20995 | 0 | case DNS_ADB_MOREADDRESSES: |
20996 | 0 | dns_adb_destroyfind(&checkds->find); |
20997 | 0 | checkds_find_address(checkds); |
20998 | 0 | return; |
20999 | | |
21000 | 0 | case DNS_ADB_NOMOREADDRESSES: |
21001 | 0 | LOCK_ZONE(checkds->zone); |
21002 | 0 | checkds_send_tons(checkds); |
21003 | 0 | UNLOCK_ZONE(checkds->zone); |
21004 | 0 | break; |
21005 | | |
21006 | 0 | default: |
21007 | 0 | break; |
21008 | 0 | } |
21009 | | |
21010 | 0 | checkds_destroy(checkds, false); |
21011 | 0 | } |
21012 | | |
21013 | | static void |
21014 | 0 | checkds_find_address(dns_checkds_t *checkds) { |
21015 | 0 | isc_result_t result; |
21016 | 0 | unsigned int options; |
21017 | 0 | dns_adb_t *adb = NULL; |
21018 | |
|
21019 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
21020 | |
|
21021 | 0 | options = DNS_ADBFIND_WANTEVENT; |
21022 | 0 | if (isc_net_probeipv4() != ISC_R_DISABLED) { |
21023 | 0 | options |= DNS_ADBFIND_INET; |
21024 | 0 | } |
21025 | 0 | if (isc_net_probeipv6() != ISC_R_DISABLED) { |
21026 | 0 | options |= DNS_ADBFIND_INET6; |
21027 | 0 | } |
21028 | |
|
21029 | 0 | dns_view_getadb(checkds->zone->view, &adb); |
21030 | 0 | if (adb == NULL) { |
21031 | 0 | goto destroy; |
21032 | 0 | } |
21033 | | |
21034 | 0 | result = dns_adb_createfind( |
21035 | 0 | adb, checkds->zone->loop, process_checkds_adb_event, checkds, |
21036 | 0 | &checkds->ns, dns_rootname, 0, options, 0, NULL, |
21037 | 0 | checkds->zone->view->dstport, 0, NULL, &checkds->find); |
21038 | 0 | dns_adb_detach(&adb); |
21039 | | |
21040 | | /* Something failed? */ |
21041 | 0 | if (result != ISC_R_SUCCESS) { |
21042 | 0 | goto destroy; |
21043 | 0 | } |
21044 | | |
21045 | | /* More addresses pending? */ |
21046 | 0 | if ((checkds->find->options & DNS_ADBFIND_WANTEVENT) != 0) { |
21047 | 0 | return; |
21048 | 0 | } |
21049 | | |
21050 | | /* We have as many addresses as we can get. */ |
21051 | 0 | LOCK_ZONE(checkds->zone); |
21052 | 0 | checkds_send_tons(checkds); |
21053 | 0 | UNLOCK_ZONE(checkds->zone); |
21054 | |
|
21055 | 0 | destroy: |
21056 | 0 | checkds_destroy(checkds, false); |
21057 | 0 | } |
21058 | | |
21059 | | static void |
21060 | 0 | checkds_send_toaddr(void *arg) { |
21061 | 0 | dns_checkds_t *checkds = (dns_checkds_t *)arg; |
21062 | 0 | isc_result_t result; |
21063 | 0 | dns_message_t *message = NULL; |
21064 | 0 | isc_netaddr_t dstip; |
21065 | 0 | dns_tsigkey_t *key = NULL; |
21066 | 0 | char addrbuf[ISC_SOCKADDR_FORMATSIZE]; |
21067 | 0 | isc_sockaddr_t src; |
21068 | 0 | unsigned int options, timeout; |
21069 | 0 | bool have_checkdssource = false; |
21070 | 0 | bool canceled = checkds->rlevent->canceled; |
21071 | |
|
21072 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
21073 | |
|
21074 | 0 | isc_rlevent_free(&checkds->rlevent); |
21075 | |
|
21076 | 0 | LOCK_ZONE(checkds->zone); |
21077 | |
|
21078 | 0 | if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_LOADED) == 0 || canceled || |
21079 | 0 | DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING) || |
21080 | 0 | checkds->zone->view->requestmgr == NULL || |
21081 | 0 | checkds->zone->db == NULL) |
21082 | 0 | { |
21083 | 0 | result = ISC_R_CANCELED; |
21084 | 0 | goto cleanup; |
21085 | 0 | } |
21086 | | |
21087 | | /* |
21088 | | * The raw IPv4 address should also exist. Don't send to the |
21089 | | * mapped form. |
21090 | | */ |
21091 | 0 | if (isc_sockaddr_pf(&checkds->dst) == PF_INET6 && |
21092 | 0 | IN6_IS_ADDR_V4MAPPED(&checkds->dst.type.sin6.sin6_addr)) |
21093 | 0 | { |
21094 | 0 | isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf)); |
21095 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
21096 | 0 | "checkds: ignoring IPv6 mapped IPV4 address: %s", |
21097 | 0 | addrbuf); |
21098 | 0 | result = ISC_R_CANCELED; |
21099 | 0 | goto cleanup; |
21100 | 0 | } |
21101 | | |
21102 | 0 | checkds_createmessage(checkds->zone, &message); |
21103 | |
|
21104 | 0 | isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf)); |
21105 | 0 | if (checkds->key != NULL) { |
21106 | | /* Transfer ownership of key */ |
21107 | 0 | key = checkds->key; |
21108 | 0 | checkds->key = NULL; |
21109 | 0 | } else { |
21110 | 0 | isc_netaddr_fromsockaddr(&dstip, &checkds->dst); |
21111 | 0 | result = dns_view_getpeertsig(checkds->zone->view, &dstip, |
21112 | 0 | &key); |
21113 | 0 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
21114 | 0 | dns_zone_log(checkds->zone, ISC_LOG_ERROR, |
21115 | 0 | "checkds: DS query to %s not sent. " |
21116 | 0 | "Peer TSIG key lookup failure.", |
21117 | 0 | addrbuf); |
21118 | 0 | goto cleanup_message; |
21119 | 0 | } |
21120 | 0 | } |
21121 | | |
21122 | 0 | if (key != NULL) { |
21123 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
21124 | |
|
21125 | 0 | dns_name_format(key->name, namebuf, sizeof(namebuf)); |
21126 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
21127 | 0 | "checkds: sending DS query to %s : TSIG (%s)", |
21128 | 0 | addrbuf, namebuf); |
21129 | 0 | } else { |
21130 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
21131 | 0 | "checkds: sending DS query to %s", addrbuf); |
21132 | 0 | } |
21133 | 0 | options = 0; |
21134 | 0 | if (checkds->zone->view->peers != NULL) { |
21135 | 0 | dns_peer_t *peer = NULL; |
21136 | 0 | bool usetcp = false; |
21137 | 0 | result = dns_peerlist_peerbyaddr(checkds->zone->view->peers, |
21138 | 0 | &dstip, &peer); |
21139 | 0 | if (result == ISC_R_SUCCESS) { |
21140 | 0 | result = dns_peer_getquerysource(peer, &src); |
21141 | 0 | if (result == ISC_R_SUCCESS) { |
21142 | 0 | have_checkdssource = true; |
21143 | 0 | } |
21144 | 0 | result = dns_peer_getforcetcp(peer, &usetcp); |
21145 | 0 | if (result == ISC_R_SUCCESS && usetcp) { |
21146 | 0 | options |= DNS_FETCHOPT_TCP; |
21147 | 0 | } |
21148 | 0 | } |
21149 | 0 | } |
21150 | 0 | switch (isc_sockaddr_pf(&checkds->dst)) { |
21151 | 0 | case PF_INET: |
21152 | 0 | if (!have_checkdssource) { |
21153 | 0 | isc_sockaddr_t any; |
21154 | 0 | isc_sockaddr_any(&any); |
21155 | |
|
21156 | 0 | src = checkds->src; |
21157 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
21158 | 0 | src = checkds->zone->parentalsrc4; |
21159 | 0 | } |
21160 | 0 | } |
21161 | 0 | break; |
21162 | 0 | case PF_INET6: |
21163 | 0 | if (!have_checkdssource) { |
21164 | 0 | isc_sockaddr_t any; |
21165 | 0 | isc_sockaddr_any6(&any); |
21166 | |
|
21167 | 0 | src = checkds->src; |
21168 | 0 | if (isc_sockaddr_equal(&src, &any)) { |
21169 | 0 | src = checkds->zone->parentalsrc6; |
21170 | 0 | } |
21171 | 0 | } |
21172 | 0 | break; |
21173 | 0 | default: |
21174 | 0 | result = ISC_R_NOTIMPLEMENTED; |
21175 | 0 | goto cleanup_key; |
21176 | 0 | } |
21177 | | |
21178 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
21179 | 0 | "checkds: create request for DS query to %s", addrbuf); |
21180 | |
|
21181 | 0 | timeout = 5; |
21182 | 0 | options |= DNS_REQUESTOPT_TCP; |
21183 | 0 | result = dns_request_create( |
21184 | 0 | checkds->zone->view->requestmgr, message, &src, &checkds->dst, |
21185 | 0 | NULL, NULL, options, key, timeout * 3 + 1, timeout, 2, |
21186 | 0 | checkds->zone->loop, checkds_done, checkds, &checkds->request); |
21187 | 0 | if (result != ISC_R_SUCCESS) { |
21188 | 0 | dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), |
21189 | 0 | "checkds: dns_request_create() to %s failed: %s", |
21190 | 0 | addrbuf, isc_result_totext(result)); |
21191 | 0 | } |
21192 | |
|
21193 | 0 | cleanup_key: |
21194 | 0 | if (key != NULL) { |
21195 | 0 | dns_tsigkey_detach(&key); |
21196 | 0 | } |
21197 | 0 | cleanup_message: |
21198 | 0 | dns_message_detach(&message); |
21199 | 0 | cleanup: |
21200 | 0 | UNLOCK_ZONE(checkds->zone); |
21201 | 0 | if (result != ISC_R_SUCCESS) { |
21202 | 0 | checkds_destroy(checkds, false); |
21203 | 0 | } |
21204 | 0 | } |
21205 | | |
21206 | | static void |
21207 | 0 | checkds_send_tons(dns_checkds_t *checkds) { |
21208 | 0 | dns_adbaddrinfo_t *ai; |
21209 | 0 | isc_sockaddr_t dst; |
21210 | 0 | isc_result_t result; |
21211 | 0 | dns_checkds_t *newcheckds = NULL; |
21212 | 0 | dns_zone_t *zone = NULL; |
21213 | | |
21214 | | /* |
21215 | | * Zone lock held by caller. |
21216 | | */ |
21217 | 0 | REQUIRE(DNS_CHECKDS_VALID(checkds)); |
21218 | 0 | REQUIRE(LOCKED_ZONE(checkds->zone)); |
21219 | |
|
21220 | 0 | zone = checkds->zone; |
21221 | |
|
21222 | 0 | if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING)) { |
21223 | 0 | return; |
21224 | 0 | } |
21225 | | |
21226 | 0 | for (ai = ISC_LIST_HEAD(checkds->find->list); ai != NULL; |
21227 | 0 | ai = ISC_LIST_NEXT(ai, publink)) |
21228 | 0 | { |
21229 | 0 | dst = ai->sockaddr; |
21230 | 0 | if (checkds_isqueued(zone, NULL, &dst, NULL, NULL)) { |
21231 | 0 | continue; |
21232 | 0 | } |
21233 | | |
21234 | 0 | newcheckds = NULL; |
21235 | 0 | result = checkds_create(checkds->mctx, 0, &newcheckds); |
21236 | 0 | if (result != ISC_R_SUCCESS) { |
21237 | 0 | goto cleanup; |
21238 | 0 | } |
21239 | 0 | zone_iattach(zone, &newcheckds->zone); |
21240 | 0 | ISC_LIST_APPEND(newcheckds->zone->checkds_requests, newcheckds, |
21241 | 0 | link); |
21242 | 0 | newcheckds->dst = dst; |
21243 | 0 | dns_name_dup(&checkds->ns, checkds->mctx, &newcheckds->ns); |
21244 | 0 | switch (isc_sockaddr_pf(&newcheckds->dst)) { |
21245 | 0 | case PF_INET: |
21246 | 0 | isc_sockaddr_any(&newcheckds->src); |
21247 | 0 | break; |
21248 | 0 | case PF_INET6: |
21249 | 0 | isc_sockaddr_any6(&newcheckds->src); |
21250 | 0 | break; |
21251 | 0 | default: |
21252 | 0 | UNREACHABLE(); |
21253 | 0 | } |
21254 | | /* |
21255 | | * XXXWMM: Should we attach key and transport here? |
21256 | | * Probably not, because we expect the name servers to be |
21257 | | * publicly available on the default transport protocol. |
21258 | | */ |
21259 | | |
21260 | 0 | result = isc_ratelimiter_enqueue( |
21261 | 0 | newcheckds->zone->zmgr->checkdsrl, |
21262 | 0 | newcheckds->zone->loop, checkds_send_toaddr, newcheckds, |
21263 | 0 | &newcheckds->rlevent); |
21264 | 0 | if (result != ISC_R_SUCCESS) { |
21265 | 0 | goto cleanup; |
21266 | 0 | } |
21267 | 0 | newcheckds = NULL; |
21268 | 0 | } |
21269 | | |
21270 | 0 | cleanup: |
21271 | 0 | if (newcheckds != NULL) { |
21272 | 0 | checkds_destroy(newcheckds, true); |
21273 | 0 | } |
21274 | 0 | } |
21275 | | |
21276 | | static void |
21277 | 0 | checkds_send(dns_zone_t *zone) { |
21278 | 0 | dns_view_t *view = dns_zone_getview(zone); |
21279 | 0 | isc_result_t result; |
21280 | 0 | unsigned int flags = 0; |
21281 | 0 | unsigned int i = 0; |
21282 | | |
21283 | | /* |
21284 | | * Zone lock held by caller. |
21285 | | */ |
21286 | 0 | REQUIRE(LOCKED_ZONE(zone)); |
21287 | |
|
21288 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21289 | 0 | "checkds: start sending DS queries to %u parentals", |
21290 | 0 | dns_remote_count(&zone->parentals)); |
21291 | |
|
21292 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
21293 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21294 | 0 | "checkds: abort, named exiting"); |
21295 | 0 | return; |
21296 | 0 | } |
21297 | | |
21298 | 0 | dns_remote_reset(&zone->parentals, false); |
21299 | 0 | while (!dns_remote_done(&zone->parentals)) { |
21300 | 0 | dns_tsigkey_t *key = NULL; |
21301 | 0 | dns_transport_t *transport = NULL; |
21302 | 0 | isc_sockaddr_t src, dst; |
21303 | 0 | dns_checkds_t *checkds = NULL; |
21304 | |
|
21305 | 0 | i++; |
21306 | |
|
21307 | 0 | if (dns_remote_keyname(&zone->parentals) != NULL) { |
21308 | 0 | dns_name_t *keyname = |
21309 | 0 | dns_remote_keyname(&zone->parentals); |
21310 | 0 | (void)dns_view_gettsig(view, keyname, &key); |
21311 | 0 | } |
21312 | |
|
21313 | 0 | if (dns_remote_tlsname(&zone->parentals) != NULL) { |
21314 | 0 | dns_name_t *tlsname = |
21315 | 0 | dns_remote_tlsname(&zone->parentals); |
21316 | 0 | (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS, |
21317 | 0 | tlsname, &transport); |
21318 | 0 | dns_zone_logc( |
21319 | 0 | zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, |
21320 | 0 | "got TLS configuration for zone transfer"); |
21321 | 0 | } |
21322 | |
|
21323 | 0 | dst = dns_remote_curraddr(&zone->parentals); |
21324 | 0 | src = dns_remote_sourceaddr(&zone->parentals); |
21325 | 0 | INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst)); |
21326 | |
|
21327 | 0 | if (isc_sockaddr_disabled(&dst)) { |
21328 | 0 | goto next; |
21329 | 0 | } |
21330 | | |
21331 | | /* TODO: glue the transport to the checkds request */ |
21332 | | |
21333 | 0 | if (checkds_isqueued(zone, NULL, &dst, key, transport)) { |
21334 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21335 | 0 | "checkds: DS query to parent " |
21336 | 0 | "%d is queued", |
21337 | 0 | i); |
21338 | 0 | if (key != NULL) { |
21339 | 0 | dns_tsigkey_detach(&key); |
21340 | 0 | } |
21341 | 0 | if (transport != NULL) { |
21342 | 0 | dns_transport_detach(&transport); |
21343 | 0 | } |
21344 | 0 | goto next; |
21345 | 0 | } |
21346 | | |
21347 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21348 | 0 | "checkds: create DS query for " |
21349 | 0 | "parent %d", |
21350 | 0 | i); |
21351 | |
|
21352 | 0 | result = checkds_create(zone->mctx, flags, &checkds); |
21353 | 0 | if (result != ISC_R_SUCCESS) { |
21354 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21355 | 0 | "checkds: create DS query for " |
21356 | 0 | "parent %d failed", |
21357 | 0 | i); |
21358 | 0 | goto next; |
21359 | 0 | } |
21360 | 0 | zone_iattach(zone, &checkds->zone); |
21361 | 0 | dns_name_dup(dns_rootname, checkds->mctx, &checkds->ns); |
21362 | 0 | checkds->src = src; |
21363 | 0 | checkds->dst = dst; |
21364 | |
|
21365 | 0 | INSIST(checkds->key == NULL); |
21366 | 0 | if (key != NULL) { |
21367 | 0 | checkds->key = key; |
21368 | 0 | key = NULL; |
21369 | 0 | } |
21370 | |
|
21371 | 0 | INSIST(checkds->transport == NULL); |
21372 | 0 | if (transport != NULL) { |
21373 | 0 | checkds->transport = transport; |
21374 | 0 | transport = NULL; |
21375 | 0 | } |
21376 | |
|
21377 | 0 | ISC_LIST_APPEND(zone->checkds_requests, checkds, link); |
21378 | 0 | result = isc_ratelimiter_enqueue( |
21379 | 0 | checkds->zone->zmgr->checkdsrl, checkds->zone->loop, |
21380 | 0 | checkds_send_toaddr, checkds, &checkds->rlevent); |
21381 | 0 | if (result != ISC_R_SUCCESS) { |
21382 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21383 | 0 | "checkds: send DS query to " |
21384 | 0 | "parent %d failed", |
21385 | 0 | i); |
21386 | 0 | checkds_destroy(checkds, true); |
21387 | 0 | } |
21388 | |
|
21389 | 0 | next: |
21390 | 0 | dns_remote_next(&zone->parentals, false); |
21391 | 0 | } |
21392 | 0 | } |
21393 | | |
21394 | | /* |
21395 | | * An NS RRset has been fetched from the parent of a zone whose DS RRset needs |
21396 | | * to be checked; scan the RRset and start sending queries to the parental |
21397 | | * agents. |
21398 | | */ |
21399 | | static void |
21400 | 0 | nsfetch_done(void *arg) { |
21401 | 0 | dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg; |
21402 | 0 | isc_result_t result, eresult; |
21403 | 0 | dns_nsfetch_t *nsfetch = NULL; |
21404 | 0 | dns_zone_t *zone = NULL; |
21405 | 0 | isc_mem_t *mctx = NULL; |
21406 | 0 | dns_name_t *zname = NULL; |
21407 | 0 | dns_name_t *pname = NULL; |
21408 | 0 | char pnamebuf[DNS_NAME_FORMATSIZE]; |
21409 | 0 | bool free_needed, levelup = false; |
21410 | 0 | dns_rdataset_t *nsrrset = NULL; |
21411 | 0 | dns_rdataset_t *nssigset = NULL; |
21412 | |
|
21413 | 0 | INSIST(resp != NULL); |
21414 | |
|
21415 | 0 | nsfetch = resp->arg; |
21416 | |
|
21417 | 0 | INSIST(nsfetch != NULL); |
21418 | |
|
21419 | 0 | zone = nsfetch->zone; |
21420 | 0 | mctx = nsfetch->mctx; |
21421 | 0 | zname = dns_fixedname_name(&nsfetch->name); |
21422 | 0 | pname = &nsfetch->pname; |
21423 | 0 | nsrrset = &nsfetch->nsrrset; |
21424 | 0 | nssigset = &nsfetch->nssigset; |
21425 | 0 | eresult = resp->result; |
21426 | | |
21427 | | /* Free resources which are not of interest */ |
21428 | 0 | if (resp->node != NULL) { |
21429 | 0 | dns_db_detachnode(resp->db, &resp->node); |
21430 | 0 | } |
21431 | 0 | if (resp->db != NULL) { |
21432 | 0 | dns_db_detach(&resp->db); |
21433 | 0 | } |
21434 | 0 | dns_resolver_destroyfetch(&nsfetch->fetch); |
21435 | |
|
21436 | 0 | LOCK_ZONE(zone); |
21437 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) { |
21438 | 0 | goto cleanup; |
21439 | 0 | } |
21440 | | |
21441 | 0 | zone->nsfetchcount--; |
21442 | |
|
21443 | 0 | dns_name_format(pname, pnamebuf, sizeof(pnamebuf)); |
21444 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
21445 | 0 | "Returned from '%s' NS fetch in nsfetch_done(): %s", |
21446 | 0 | pnamebuf, isc_result_totext(eresult)); |
21447 | |
|
21448 | 0 | if (eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_NXRRSET) { |
21449 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
21450 | 0 | "NODATA response for NS '%s', level up", pnamebuf); |
21451 | 0 | levelup = true; |
21452 | 0 | goto cleanup; |
21453 | |
|
21454 | 0 | } else if (eresult != ISC_R_SUCCESS) { |
21455 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
21456 | 0 | "Unable to fetch NS set '%s': %s", pnamebuf, |
21457 | 0 | isc_result_totext(eresult)); |
21458 | 0 | result = eresult; |
21459 | 0 | goto done; |
21460 | 0 | } |
21461 | | |
21462 | | /* No NS records found */ |
21463 | 0 | if (!dns_rdataset_isassociated(nsrrset)) { |
21464 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
21465 | 0 | "No NS records found for '%s'", pnamebuf); |
21466 | 0 | result = ISC_R_NOTFOUND; |
21467 | 0 | goto done; |
21468 | 0 | } |
21469 | | |
21470 | | /* No RRSIGs found */ |
21471 | 0 | if (!dns_rdataset_isassociated(nssigset)) { |
21472 | 0 | dnssec_log(zone, ISC_LOG_WARNING, "No NS RRSIGs found for '%s'", |
21473 | 0 | pnamebuf); |
21474 | 0 | result = DNS_R_MUSTBESECURE; |
21475 | 0 | goto done; |
21476 | 0 | } |
21477 | | |
21478 | | /* Check trust level */ |
21479 | 0 | if (nsrrset->trust < dns_trust_secure) { |
21480 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
21481 | 0 | "Invalid NS RRset for '%s' trust level %u", pnamebuf, |
21482 | 0 | nsrrset->trust); |
21483 | 0 | result = DNS_R_MUSTBESECURE; |
21484 | 0 | goto done; |
21485 | 0 | } |
21486 | | |
21487 | | /* Record the number of NS records we found. */ |
21488 | 0 | zone->parent_nscount = dns_rdataset_count(nsrrset); |
21489 | |
|
21490 | 0 | UNLOCK_ZONE(zone); |
21491 | | |
21492 | | /* Look up the addresses for the found parental name servers. */ |
21493 | 0 | for (result = dns_rdataset_first(nsrrset); result == ISC_R_SUCCESS; |
21494 | 0 | result = dns_rdataset_next(nsrrset)) |
21495 | 0 | { |
21496 | 0 | dns_checkds_t *checkds = NULL; |
21497 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
21498 | 0 | dns_rdata_ns_t ns; |
21499 | 0 | bool isqueued; |
21500 | |
|
21501 | 0 | dns_rdataset_current(nsrrset, &rdata); |
21502 | 0 | result = dns_rdata_tostruct(&rdata, &ns, NULL); |
21503 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
21504 | |
|
21505 | 0 | dns_rdata_reset(&rdata); |
21506 | |
|
21507 | 0 | LOCK_ZONE(zone); |
21508 | 0 | isqueued = checkds_isqueued(zone, &ns.name, NULL, NULL, NULL); |
21509 | 0 | UNLOCK_ZONE(zone); |
21510 | 0 | if (isqueued) { |
21511 | 0 | continue; |
21512 | 0 | } |
21513 | 0 | result = checkds_create(zone->mctx, 0, &checkds); |
21514 | 0 | if (result != ISC_R_SUCCESS) { |
21515 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21516 | 0 | "checkds: checkds_create() failed: %s", |
21517 | 0 | isc_result_totext(result)); |
21518 | 0 | break; |
21519 | 0 | } |
21520 | | |
21521 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
21522 | 0 | char nsnamebuf[DNS_NAME_FORMATSIZE]; |
21523 | 0 | dns_name_format(&ns.name, nsnamebuf, sizeof(nsnamebuf)); |
21524 | 0 | dns_zone_log(zone, ISC_LOG_DEBUG(3), |
21525 | 0 | "checkds: send DS query to NS %s", |
21526 | 0 | nsnamebuf); |
21527 | 0 | } |
21528 | |
|
21529 | 0 | LOCK_ZONE(zone); |
21530 | 0 | zone_iattach(zone, &checkds->zone); |
21531 | 0 | dns_name_dup(&ns.name, zone->mctx, &checkds->ns); |
21532 | 0 | ISC_LIST_APPEND(zone->checkds_requests, checkds, link); |
21533 | 0 | UNLOCK_ZONE(zone); |
21534 | |
|
21535 | 0 | checkds_find_address(checkds); |
21536 | 0 | } |
21537 | 0 | if (result == ISC_R_NOMORE) { |
21538 | 0 | result = ISC_R_SUCCESS; |
21539 | 0 | } |
21540 | |
|
21541 | 0 | LOCK_ZONE(zone); |
21542 | |
|
21543 | 0 | done: |
21544 | 0 | if (result != ISC_R_SUCCESS) { |
21545 | 0 | dnssec_log( |
21546 | 0 | zone, ISC_LOG_ERROR, |
21547 | 0 | "checkds: error during parental-agents processing: %s", |
21548 | 0 | isc_result_totext(result)); |
21549 | 0 | } |
21550 | |
|
21551 | 0 | cleanup: |
21552 | 0 | isc_refcount_decrement(&zone->irefs); |
21553 | |
|
21554 | 0 | if (dns_rdataset_isassociated(nsrrset)) { |
21555 | 0 | dns_rdataset_disassociate(nsrrset); |
21556 | 0 | } |
21557 | 0 | if (dns_rdataset_isassociated(nssigset)) { |
21558 | 0 | dns_rdataset_disassociate(nssigset); |
21559 | 0 | } |
21560 | 0 | isc_mem_putanddetach(&resp->mctx, resp, sizeof(*resp)); |
21561 | |
|
21562 | 0 | if (levelup) { |
21563 | 0 | UNLOCK_ZONE(zone); |
21564 | 0 | nsfetch_levelup(nsfetch); |
21565 | 0 | return; |
21566 | 0 | } |
21567 | | |
21568 | 0 | dns_name_free(zname, mctx); |
21569 | 0 | isc_mem_putanddetach(&nsfetch->mctx, nsfetch, sizeof(dns_nsfetch_t)); |
21570 | |
|
21571 | 0 | free_needed = exit_check(zone); |
21572 | 0 | UNLOCK_ZONE(zone); |
21573 | |
|
21574 | 0 | if (free_needed) { |
21575 | 0 | zone_free(zone); |
21576 | 0 | } |
21577 | 0 | } |
21578 | | |
21579 | | static void |
21580 | 0 | do_nsfetch(void *arg) { |
21581 | 0 | dns_nsfetch_t *nsfetch = (dns_nsfetch_t *)arg; |
21582 | 0 | isc_result_t result; |
21583 | 0 | unsigned int nlabels = 1; |
21584 | 0 | dns_resolver_t *resolver = NULL; |
21585 | 0 | dns_zone_t *zone = nsfetch->zone; |
21586 | 0 | unsigned int options = DNS_FETCHOPT_UNSHARED | DNS_FETCHOPT_NOCACHED; |
21587 | |
|
21588 | 0 | if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { |
21589 | 0 | result = ISC_R_SHUTTINGDOWN; |
21590 | 0 | goto cleanup; |
21591 | 0 | } |
21592 | | |
21593 | 0 | result = dns_view_getresolver(zone->view, &resolver); |
21594 | 0 | if (result != ISC_R_SUCCESS) { |
21595 | 0 | goto cleanup; |
21596 | 0 | } |
21597 | | |
21598 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
21599 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
21600 | 0 | dns_name_format(&nsfetch->pname, namebuf, sizeof(namebuf)); |
21601 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
21602 | 0 | "Create fetch for '%s' NS request", namebuf); |
21603 | 0 | } |
21604 | | |
21605 | | /* Derive parent domain. XXXWMM: Check for root domain */ |
21606 | 0 | dns_name_split(&nsfetch->pname, |
21607 | 0 | dns_name_countlabels(&nsfetch->pname) - nlabels, NULL, |
21608 | 0 | &nsfetch->pname); |
21609 | | |
21610 | | /* |
21611 | | * Use of DNS_FETCHOPT_NOCACHED is essential here. If it is not |
21612 | | * set and the cache still holds a non-expired, validated version |
21613 | | * of the RRset being queried for by the time the response is |
21614 | | * received, the cached RRset will be passed to nsfetch_done() |
21615 | | * instead of the one received in the response as the latter will |
21616 | | * have a lower trust level due to not being validated until |
21617 | | * nsfetch_done() is called. |
21618 | | */ |
21619 | 0 | result = dns_resolver_createfetch( |
21620 | 0 | resolver, &nsfetch->pname, dns_rdatatype_ns, NULL, NULL, NULL, |
21621 | 0 | NULL, 0, options, 0, NULL, zone->loop, nsfetch_done, nsfetch, |
21622 | 0 | &nsfetch->nsrrset, &nsfetch->nssigset, &nsfetch->fetch); |
21623 | |
|
21624 | 0 | dns_resolver_detach(&resolver); |
21625 | |
|
21626 | 0 | cleanup: |
21627 | 0 | if (result != ISC_R_SUCCESS) { |
21628 | 0 | dns_name_t *zname = dns_fixedname_name(&nsfetch->name); |
21629 | 0 | bool free_needed; |
21630 | 0 | char namebuf[DNS_NAME_FORMATSIZE]; |
21631 | 0 | dns_name_format(&nsfetch->pname, namebuf, sizeof(namebuf)); |
21632 | 0 | dnssec_log(zone, ISC_LOG_WARNING, |
21633 | 0 | "Failed to create fetch for '%s' NS request", |
21634 | 0 | namebuf); |
21635 | 0 | LOCK_ZONE(zone); |
21636 | 0 | zone->nsfetchcount--; |
21637 | 0 | isc_refcount_decrement(&zone->irefs); |
21638 | |
|
21639 | 0 | dns_name_free(zname, zone->mctx); |
21640 | 0 | isc_mem_putanddetach(&nsfetch->mctx, nsfetch, sizeof(*nsfetch)); |
21641 | |
|
21642 | 0 | free_needed = exit_check(zone); |
21643 | 0 | UNLOCK_ZONE(zone); |
21644 | 0 | if (free_needed) { |
21645 | 0 | zone_free(zone); |
21646 | 0 | } |
21647 | 0 | } |
21648 | 0 | } |
21649 | | |
21650 | | /* |
21651 | | * Retry an NS RRset lookup, one level up. In other words, this function should |
21652 | | * be called on an dns_nsfetch structure where the response yielded in a NODATA |
21653 | | * response. This must be because there is an empty non-terminal inbetween the |
21654 | | * child and parent zone. |
21655 | | */ |
21656 | | static void |
21657 | 0 | nsfetch_levelup(dns_nsfetch_t *nsfetch) { |
21658 | 0 | dns_zone_t *zone = nsfetch->zone; |
21659 | |
|
21660 | | #ifdef ENABLE_AFL |
21661 | | if (!dns_fuzzing_resolver) { |
21662 | | #endif /* ifdef ENABLE_AFL */ |
21663 | 0 | LOCK_ZONE(zone); |
21664 | 0 | zone->nsfetchcount++; |
21665 | 0 | isc_refcount_increment0(&zone->irefs); |
21666 | |
|
21667 | 0 | dns_rdataset_init(&nsfetch->nsrrset); |
21668 | 0 | dns_rdataset_init(&nsfetch->nssigset); |
21669 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
21670 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
21671 | 0 | "Creating parent NS fetch in " |
21672 | 0 | "nsfetch_levelup()"); |
21673 | 0 | } |
21674 | 0 | isc_async_run(zone->loop, do_nsfetch, nsfetch); |
21675 | 0 | UNLOCK_ZONE(zone); |
21676 | | #ifdef ENABLE_AFL |
21677 | | } |
21678 | | #endif /* ifdef ENABLE_AFL */ |
21679 | 0 | } |
21680 | | |
21681 | | static void |
21682 | 0 | zone_checkds(dns_zone_t *zone) { |
21683 | 0 | bool cdscheck = false; |
21684 | 0 | dns_checkdstype_t checkdstype = zone->checkdstype; |
21685 | |
|
21686 | 0 | if (checkdstype == dns_checkdstype_no) { |
21687 | 0 | return; |
21688 | 0 | } |
21689 | | |
21690 | 0 | for (dns_dnsseckey_t *key = ISC_LIST_HEAD(zone->checkds_ok); |
21691 | 0 | key != NULL; key = ISC_LIST_NEXT(key, link)) |
21692 | 0 | { |
21693 | 0 | dst_key_state_t ds_state = DST_KEY_STATE_NA; |
21694 | 0 | bool ksk = false; |
21695 | 0 | isc_stdtime_t published = 0, withdrawn = 0; |
21696 | | |
21697 | | /* Is this key have the KSK role? */ |
21698 | 0 | (void)dst_key_role(key->key, &ksk, NULL); |
21699 | 0 | if (!ksk) { |
21700 | 0 | continue; |
21701 | 0 | } |
21702 | | |
21703 | | /* Do we need to check the DS RRset? */ |
21704 | 0 | (void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state); |
21705 | 0 | (void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published); |
21706 | 0 | (void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn); |
21707 | |
|
21708 | 0 | if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) { |
21709 | 0 | dst_key_setnum(key->key, DST_NUM_DSPUBCOUNT, 0); |
21710 | 0 | cdscheck = true; |
21711 | 0 | } else if (ds_state == DST_KEY_STATE_UNRETENTIVE && |
21712 | 0 | withdrawn == 0) |
21713 | 0 | { |
21714 | 0 | dst_key_setnum(key->key, DST_NUM_DSDELCOUNT, 0); |
21715 | 0 | cdscheck = true; |
21716 | 0 | } |
21717 | 0 | } |
21718 | |
|
21719 | 0 | if (!cdscheck) { |
21720 | 0 | return; |
21721 | 0 | } |
21722 | | |
21723 | 0 | if (checkdstype == dns_checkdstype_explicit) { |
21724 | | /* Request the DS RRset. */ |
21725 | 0 | LOCK_ZONE(zone); |
21726 | 0 | checkds_send(zone); |
21727 | 0 | UNLOCK_ZONE(zone); |
21728 | 0 | return; |
21729 | 0 | } |
21730 | | |
21731 | 0 | INSIST(checkdstype == dns_checkdstype_yes); |
21732 | |
|
21733 | | #ifdef ENABLE_AFL |
21734 | | if (!dns_fuzzing_resolver) { |
21735 | | #endif /* ifdef ENABLE_AFL */ |
21736 | 0 | dns_nsfetch_t *nsfetch; |
21737 | 0 | dns_name_t *name = NULL; |
21738 | |
|
21739 | 0 | nsfetch = isc_mem_get(zone->mctx, sizeof(dns_nsfetch_t)); |
21740 | 0 | *nsfetch = (dns_nsfetch_t){ .zone = zone }; |
21741 | 0 | isc_mem_attach(zone->mctx, &nsfetch->mctx); |
21742 | 0 | LOCK_ZONE(zone); |
21743 | 0 | zone->nsfetchcount++; |
21744 | 0 | isc_refcount_increment0(&zone->irefs); |
21745 | 0 | name = dns_fixedname_initname(&nsfetch->name); |
21746 | 0 | dns_name_init(&nsfetch->pname, NULL); |
21747 | 0 | dns_name_clone(&zone->origin, &nsfetch->pname); |
21748 | 0 | dns_name_dup(&zone->origin, zone->mctx, name); |
21749 | 0 | dns_rdataset_init(&nsfetch->nsrrset); |
21750 | 0 | dns_rdataset_init(&nsfetch->nssigset); |
21751 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
21752 | 0 | dnssec_log( |
21753 | 0 | zone, ISC_LOG_DEBUG(3), |
21754 | 0 | "Creating parent NS fetch in zone_checkds()"); |
21755 | 0 | } |
21756 | 0 | isc_async_run(zone->loop, do_nsfetch, nsfetch); |
21757 | 0 | UNLOCK_ZONE(zone); |
21758 | | #ifdef ENABLE_AFL |
21759 | | } |
21760 | | #endif /* ifdef ENABLE_AFL */ |
21761 | 0 | } |
21762 | | |
21763 | | static isc_result_t |
21764 | | update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl, |
21765 | 0 | dns_diff_t *diff) { |
21766 | 0 | isc_result_t result; |
21767 | | |
21768 | | /* |
21769 | | * Delete everything using the existing TTL. |
21770 | | */ |
21771 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
21772 | 0 | result = dns_rdataset_next(rdataset)) |
21773 | 0 | { |
21774 | 0 | dns_difftuple_t *tuple = NULL; |
21775 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
21776 | |
|
21777 | 0 | dns_rdataset_current(rdataset, &rdata); |
21778 | 0 | result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name, |
21779 | 0 | rdataset->ttl, &rdata, &tuple); |
21780 | 0 | if (result != ISC_R_SUCCESS) { |
21781 | 0 | return (result); |
21782 | 0 | } |
21783 | 0 | dns_diff_appendminimal(diff, &tuple); |
21784 | 0 | } |
21785 | 0 | if (result != ISC_R_NOMORE) { |
21786 | 0 | return (result); |
21787 | 0 | } |
21788 | | |
21789 | | /* |
21790 | | * Add everything using the new TTL. |
21791 | | */ |
21792 | 0 | for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; |
21793 | 0 | result = dns_rdataset_next(rdataset)) |
21794 | 0 | { |
21795 | 0 | dns_difftuple_t *tuple = NULL; |
21796 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
21797 | |
|
21798 | 0 | dns_rdataset_current(rdataset, &rdata); |
21799 | 0 | result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, |
21800 | 0 | ttl, &rdata, &tuple); |
21801 | 0 | if (result != ISC_R_SUCCESS) { |
21802 | 0 | return (result); |
21803 | 0 | } |
21804 | 0 | dns_diff_appendminimal(diff, &tuple); |
21805 | 0 | } |
21806 | 0 | if (result != ISC_R_NOMORE) { |
21807 | 0 | return (result); |
21808 | 0 | } |
21809 | 0 | return (ISC_R_SUCCESS); |
21810 | 0 | } |
21811 | | |
21812 | | static void |
21813 | 0 | zone_rekey(dns_zone_t *zone) { |
21814 | 0 | isc_result_t result; |
21815 | 0 | dns_db_t *db = NULL; |
21816 | 0 | dns_dbnode_t *node = NULL; |
21817 | 0 | dns_dbversion_t *ver = NULL; |
21818 | 0 | dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset; |
21819 | 0 | dns_dnsseckeylist_t dnskeys, keys, rmkeys; |
21820 | 0 | dns_dnsseckey_t *key = NULL; |
21821 | 0 | dns_diff_t diff, _sig_diff; |
21822 | 0 | dns_kasp_t *kasp; |
21823 | 0 | dns__zonediff_t zonediff; |
21824 | 0 | bool commit = false, newactive = false; |
21825 | 0 | bool newalg = false; |
21826 | 0 | bool fullsign; |
21827 | 0 | dns_ttl_t ttl = 3600; |
21828 | 0 | const char *dir = NULL; |
21829 | 0 | isc_mem_t *mctx = NULL; |
21830 | 0 | isc_stdtime_t now, nexttime = 0; |
21831 | 0 | isc_time_t timenow; |
21832 | 0 | isc_interval_t ival; |
21833 | 0 | char timebuf[80]; |
21834 | |
|
21835 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
21836 | |
|
21837 | 0 | ISC_LIST_INIT(dnskeys); |
21838 | 0 | ISC_LIST_INIT(keys); |
21839 | 0 | ISC_LIST_INIT(rmkeys); |
21840 | 0 | dns_rdataset_init(&soaset); |
21841 | 0 | dns_rdataset_init(&soasigs); |
21842 | 0 | dns_rdataset_init(&keyset); |
21843 | 0 | dns_rdataset_init(&keysigs); |
21844 | 0 | dns_rdataset_init(&cdsset); |
21845 | 0 | dns_rdataset_init(&cdnskeyset); |
21846 | 0 | mctx = zone->mctx; |
21847 | 0 | dns_diff_init(mctx, &diff); |
21848 | 0 | dns_diff_init(mctx, &_sig_diff); |
21849 | 0 | zonediff_init(&zonediff, &_sig_diff); |
21850 | |
|
21851 | 0 | CHECK(dns_zone_getdb(zone, &db)); |
21852 | 0 | CHECK(dns_db_newversion(db, &ver)); |
21853 | 0 | CHECK(dns_db_getoriginnode(db, &node)); |
21854 | | |
21855 | 0 | timenow = isc_time_now(); |
21856 | 0 | now = isc_time_seconds(&timenow); |
21857 | |
|
21858 | 0 | kasp = zone->kasp; |
21859 | 0 | dir = dns_zone_getkeydirectory(zone); |
21860 | |
|
21861 | 0 | dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys"); |
21862 | | |
21863 | | /* Get the SOA record's TTL */ |
21864 | 0 | CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, |
21865 | 0 | dns_rdatatype_none, 0, &soaset, &soasigs)); |
21866 | 0 | ttl = soaset.ttl; |
21867 | 0 | dns_rdataset_disassociate(&soaset); |
21868 | | |
21869 | | /* |
21870 | | * Only update DNSKEY TTL if we have a policy. |
21871 | | */ |
21872 | 0 | if (kasp != NULL) { |
21873 | 0 | ttl = dns_kasp_dnskeyttl(kasp); |
21874 | 0 | } |
21875 | | |
21876 | | /* Get the DNSKEY rdataset */ |
21877 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, |
21878 | 0 | dns_rdatatype_none, 0, &keyset, &keysigs); |
21879 | 0 | if (result == ISC_R_SUCCESS) { |
21880 | | /* |
21881 | | * If we don't have a policy then use the DNSKEY ttl |
21882 | | * if it exists. Otherwise update the DNSKEY ttl if |
21883 | | * needed. |
21884 | | */ |
21885 | 0 | if (kasp == NULL) { |
21886 | 0 | ttl = keyset.ttl; |
21887 | 0 | } else if (ttl != keyset.ttl) { |
21888 | 0 | result = update_ttl(&keyset, &zone->origin, ttl, &diff); |
21889 | 0 | if (result != ISC_R_SUCCESS) { |
21890 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
21891 | 0 | "Updating DNSKEY TTL from %u to %u " |
21892 | 0 | "failed: %s", |
21893 | 0 | keyset.ttl, ttl, |
21894 | 0 | isc_result_totext(result)); |
21895 | 0 | goto failure; |
21896 | 0 | } |
21897 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
21898 | 0 | "Updating DNSKEY TTL from %u to %u", |
21899 | 0 | keyset.ttl, ttl); |
21900 | 0 | keyset.ttl = ttl; |
21901 | 0 | } |
21902 | | |
21903 | 0 | dns_zone_lock_keyfiles(zone); |
21904 | |
|
21905 | 0 | result = dns_dnssec_keylistfromrdataset( |
21906 | 0 | &zone->origin, kasp, dir, mctx, &keyset, &keysigs, |
21907 | 0 | &soasigs, false, false, &dnskeys); |
21908 | |
|
21909 | 0 | dns_zone_unlock_keyfiles(zone); |
21910 | |
|
21911 | 0 | if (result != ISC_R_SUCCESS) { |
21912 | 0 | goto failure; |
21913 | 0 | } |
21914 | 0 | } else if (result != ISC_R_NOTFOUND) { |
21915 | 0 | goto failure; |
21916 | 0 | } |
21917 | | |
21918 | | /* Get the CDS rdataset */ |
21919 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds, |
21920 | 0 | dns_rdatatype_none, 0, &cdsset, NULL); |
21921 | 0 | if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) { |
21922 | 0 | dns_rdataset_disassociate(&cdsset); |
21923 | 0 | } else if (result == ISC_R_SUCCESS && kasp != NULL && ttl != cdsset.ttl) |
21924 | 0 | { |
21925 | 0 | result = update_ttl(&cdsset, &zone->origin, ttl, &diff); |
21926 | 0 | if (result != ISC_R_SUCCESS) { |
21927 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
21928 | 0 | "Updating CDS TTL from %u to %u failed: %s", |
21929 | 0 | cdsset.ttl, ttl, isc_result_totext(result)); |
21930 | 0 | goto failure; |
21931 | 0 | } |
21932 | 0 | dnssec_log(zone, ISC_LOG_INFO, "Updating CDS TTL from %u to %u", |
21933 | 0 | cdsset.ttl, ttl); |
21934 | 0 | cdsset.ttl = ttl; |
21935 | 0 | } |
21936 | | |
21937 | | /* Get the CDNSKEY rdataset */ |
21938 | 0 | result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey, |
21939 | 0 | dns_rdatatype_none, 0, &cdnskeyset, NULL); |
21940 | 0 | if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) { |
21941 | 0 | dns_rdataset_disassociate(&cdnskeyset); |
21942 | 0 | } else if (result == ISC_R_SUCCESS && kasp != NULL && |
21943 | 0 | ttl != cdnskeyset.ttl) |
21944 | 0 | { |
21945 | 0 | result = update_ttl(&cdnskeyset, &zone->origin, ttl, &diff); |
21946 | 0 | if (result != ISC_R_SUCCESS) { |
21947 | 0 | dnssec_log( |
21948 | 0 | zone, ISC_LOG_ERROR, |
21949 | 0 | "Updating CDNSKEY TTL from %u to %u failed: %s", |
21950 | 0 | cdnskeyset.ttl, ttl, isc_result_totext(result)); |
21951 | 0 | goto failure; |
21952 | 0 | } |
21953 | 0 | dnssec_log(zone, ISC_LOG_INFO, |
21954 | 0 | "Updating CDNSKEY TTL from %u to %u", cdnskeyset.ttl, |
21955 | 0 | ttl); |
21956 | 0 | cdnskeyset.ttl = ttl; |
21957 | 0 | } |
21958 | | |
21959 | | /* |
21960 | | * True when called from "rndc sign". Indicates the zone should be |
21961 | | * fully signed now. |
21962 | | */ |
21963 | 0 | fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN); |
21964 | |
|
21965 | 0 | KASP_LOCK(kasp); |
21966 | |
|
21967 | 0 | dns_zone_lock_keyfiles(zone); |
21968 | 0 | result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir, |
21969 | 0 | zone->keystores, now, mctx, &keys); |
21970 | 0 | dns_zone_unlock_keyfiles(zone); |
21971 | |
|
21972 | 0 | if (result != ISC_R_SUCCESS) { |
21973 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(1), |
21974 | 0 | "zone_rekey:dns_dnssec_findmatchingkeys failed: %s", |
21975 | 0 | isc_result_totext(result)); |
21976 | 0 | } |
21977 | |
|
21978 | 0 | if (kasp != NULL) { |
21979 | | /* |
21980 | | * Check DS at parental agents. Clear ongoing checks. |
21981 | | */ |
21982 | 0 | LOCK_ZONE(zone); |
21983 | 0 | checkds_cancel(zone); |
21984 | 0 | clear_keylist(&zone->checkds_ok, zone->mctx); |
21985 | 0 | ISC_LIST_INIT(zone->checkds_ok); |
21986 | 0 | UNLOCK_ZONE(zone); |
21987 | |
|
21988 | 0 | isc_result_t ret = dns_zone_getdnsseckeys(zone, db, ver, now, |
21989 | 0 | &zone->checkds_ok); |
21990 | 0 | if (ret == ISC_R_SUCCESS) { |
21991 | 0 | zone_checkds(zone); |
21992 | 0 | } else { |
21993 | 0 | dnssec_log(zone, |
21994 | 0 | (ret == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1) |
21995 | 0 | : ISC_LOG_ERROR, |
21996 | 0 | "zone_rekey:dns_zone_getdnsseckeys failed: " |
21997 | 0 | "%s", |
21998 | 0 | isc_result_totext(ret)); |
21999 | 0 | } |
22000 | | |
22001 | | /* Run keymgr */ |
22002 | 0 | if (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND) { |
22003 | 0 | dns_zone_lock_keyfiles(zone); |
22004 | 0 | result = dns_keymgr_run(&zone->origin, zone->rdclass, |
22005 | 0 | mctx, &keys, &dnskeys, dir, |
22006 | 0 | kasp, now, &nexttime); |
22007 | 0 | dns_zone_unlock_keyfiles(zone); |
22008 | |
|
22009 | 0 | if (result != ISC_R_SUCCESS) { |
22010 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22011 | 0 | "zone_rekey:dns_dnssec_keymgr " |
22012 | 0 | "failed: %s", |
22013 | 0 | isc_result_totext(result)); |
22014 | 0 | KASP_UNLOCK(kasp); |
22015 | 0 | goto failure; |
22016 | 0 | } |
22017 | 0 | } |
22018 | 0 | } |
22019 | | |
22020 | 0 | KASP_UNLOCK(kasp); |
22021 | | |
22022 | | /* |
22023 | | * Update CDS, CDNSKEY and DNSKEY record sets if the keymgr ran |
22024 | | * successfully (dns_keymgr_run returned ISC_R_SUCCESS), or in |
22025 | | * case of DNSSEC management without dnssec-policy if we have keys |
22026 | | * (dns_dnssec_findmatchingkeys returned ISC_R_SUCCESS). |
22027 | | */ |
22028 | 0 | if (result == ISC_R_SUCCESS) { |
22029 | 0 | dns_kasp_digestlist_t digests; |
22030 | 0 | bool cdsdel = false; |
22031 | 0 | bool cdnskeydel = false; |
22032 | 0 | bool cdnskeypub = true; |
22033 | 0 | bool sane_diff, sane_dnskey; |
22034 | 0 | isc_stdtime_t when; |
22035 | | |
22036 | | /* |
22037 | | * Publish CDS/CDNSKEY DELETE records if the zone is |
22038 | | * transitioning from secure to insecure. |
22039 | | */ |
22040 | 0 | if (kasp != NULL) { |
22041 | 0 | if (strcmp(dns_kasp_getname(kasp), "insecure") == 0) { |
22042 | 0 | cdsdel = true; |
22043 | 0 | cdnskeydel = true; |
22044 | 0 | } |
22045 | 0 | digests = dns_kasp_digests(kasp); |
22046 | 0 | cdnskeypub = dns_kasp_cdnskey(kasp); |
22047 | 0 | } else { |
22048 | | /* Check if there is a CDS DELETE record. */ |
22049 | 0 | if (dns_rdataset_isassociated(&cdsset)) { |
22050 | 0 | for (result = dns_rdataset_first(&cdsset); |
22051 | 0 | result == ISC_R_SUCCESS; |
22052 | 0 | result = dns_rdataset_next(&cdsset)) |
22053 | 0 | { |
22054 | 0 | dns_rdata_t crdata = DNS_RDATA_INIT; |
22055 | 0 | dns_rdataset_current(&cdsset, &crdata); |
22056 | | /* |
22057 | | * CDS deletion record has this form |
22058 | | * "0 0 0 00" which is 5 zero octets. |
22059 | | */ |
22060 | 0 | if (crdata.length == 5U && |
22061 | 0 | memcmp(crdata.data, |
22062 | 0 | (unsigned char[5]){ 0, 0, 0, |
22063 | 0 | 0, 0 }, |
22064 | 0 | 5) == 0) |
22065 | 0 | { |
22066 | 0 | cdsdel = true; |
22067 | 0 | break; |
22068 | 0 | } |
22069 | 0 | } |
22070 | 0 | } |
22071 | | |
22072 | | /* Check if there is a CDNSKEY DELETE record. */ |
22073 | 0 | if (dns_rdataset_isassociated(&cdnskeyset)) { |
22074 | 0 | for (result = dns_rdataset_first(&cdnskeyset); |
22075 | 0 | result == ISC_R_SUCCESS; |
22076 | 0 | result = dns_rdataset_next(&cdnskeyset)) |
22077 | 0 | { |
22078 | 0 | dns_rdata_t crdata = DNS_RDATA_INIT; |
22079 | 0 | dns_rdataset_current(&cdnskeyset, |
22080 | 0 | &crdata); |
22081 | | /* |
22082 | | * CDNSKEY deletion record has this form |
22083 | | * "0 3 0 AA==" which is 2 zero octets, |
22084 | | * a 3, and 2 zero octets. |
22085 | | */ |
22086 | 0 | if (crdata.length == 5U && |
22087 | 0 | memcmp(crdata.data, |
22088 | 0 | (unsigned char[5]){ 0, 0, 3, |
22089 | 0 | 0, 0 }, |
22090 | 0 | 5) == 0) |
22091 | 0 | { |
22092 | 0 | cdnskeydel = true; |
22093 | 0 | break; |
22094 | 0 | } |
22095 | 0 | } |
22096 | 0 | } |
22097 | |
|
22098 | 0 | digests = dns_kasp_digests(zone->defaultkasp); |
22099 | 0 | } |
22100 | |
|
22101 | 0 | result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys, |
22102 | 0 | &zone->origin, ttl, &diff, mctx, |
22103 | 0 | dnssec_report); |
22104 | | /* |
22105 | | * Keys couldn't be updated for some reason; |
22106 | | * try again later. |
22107 | | */ |
22108 | 0 | if (result != ISC_R_SUCCESS) { |
22109 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22110 | 0 | "zone_rekey:couldn't update zone keys: %s", |
22111 | 0 | isc_result_totext(result)); |
22112 | 0 | goto failure; |
22113 | 0 | } |
22114 | | |
22115 | | /* |
22116 | | * Update CDS / CDNSKEY records. |
22117 | | */ |
22118 | 0 | result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset, |
22119 | 0 | &cdnskeyset, now, &digests, |
22120 | 0 | cdnskeypub, ttl, &diff, mctx); |
22121 | 0 | if (result != ISC_R_SUCCESS) { |
22122 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22123 | 0 | "zone_rekey:couldn't update CDS/CDNSKEY: %s", |
22124 | 0 | isc_result_totext(result)); |
22125 | 0 | goto failure; |
22126 | 0 | } |
22127 | | |
22128 | 0 | if (cdsdel || cdnskeydel) { |
22129 | | /* |
22130 | | * Only publish CDS/CDNSKEY DELETE records if there is |
22131 | | * a KSK that can be used to verify the RRset. This |
22132 | | * means there must be a key with the KSK role that is |
22133 | | * published and is used for signing. |
22134 | | */ |
22135 | 0 | bool allow = false; |
22136 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22137 | 0 | key = ISC_LIST_NEXT(key, link)) |
22138 | 0 | { |
22139 | 0 | dst_key_t *dstk = key->key; |
22140 | |
|
22141 | 0 | if (dst_key_is_published(dstk, now, &when) && |
22142 | 0 | dst_key_is_signing(dstk, DST_BOOL_KSK, now, |
22143 | 0 | &when)) |
22144 | 0 | { |
22145 | 0 | allow = true; |
22146 | 0 | break; |
22147 | 0 | } |
22148 | 0 | } |
22149 | 0 | if (cdsdel) { |
22150 | 0 | cdsdel = allow; |
22151 | 0 | } |
22152 | 0 | if (cdnskeydel) { |
22153 | 0 | cdnskeydel = allow; |
22154 | 0 | } |
22155 | 0 | } |
22156 | 0 | result = dns_dnssec_syncdelete( |
22157 | 0 | &cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl, |
22158 | 0 | &diff, mctx, cdsdel, cdnskeydel); |
22159 | 0 | if (result != ISC_R_SUCCESS) { |
22160 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22161 | 0 | "zone_rekey:couldn't update CDS/CDNSKEY " |
22162 | 0 | "DELETE records: %s", |
22163 | 0 | isc_result_totext(result)); |
22164 | 0 | goto failure; |
22165 | 0 | } |
22166 | | |
22167 | | /* |
22168 | | * See if any pre-existing keys have newly become active; |
22169 | | * also, see if any new key is for a new algorithm, as in that |
22170 | | * event, we need to sign the zone fully. (If there's a new |
22171 | | * key, but it's for an already-existing algorithm, then |
22172 | | * the zone signing can be handled incrementally.) |
22173 | | */ |
22174 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22175 | 0 | key = ISC_LIST_NEXT(key, link)) |
22176 | 0 | { |
22177 | 0 | if (!key->first_sign) { |
22178 | 0 | continue; |
22179 | 0 | } |
22180 | | |
22181 | 0 | newactive = true; |
22182 | |
|
22183 | 0 | if (!dns_rdataset_isassociated(&keysigs)) { |
22184 | 0 | newalg = true; |
22185 | 0 | break; |
22186 | 0 | } |
22187 | | |
22188 | 0 | if (signed_with_alg(&keysigs, dst_key_alg(key->key))) { |
22189 | | /* |
22190 | | * This isn't a new algorithm; clear |
22191 | | * first_sign so we won't sign the |
22192 | | * whole zone with this key later. |
22193 | | */ |
22194 | 0 | key->first_sign = false; |
22195 | 0 | } else { |
22196 | 0 | newalg = true; |
22197 | 0 | break; |
22198 | 0 | } |
22199 | 0 | } |
22200 | | |
22201 | | /* |
22202 | | * A sane diff is one that is not empty, and that does not |
22203 | | * introduce a zone with NSEC only DNSKEYs along with NSEC3 |
22204 | | * chains. |
22205 | | */ |
22206 | 0 | sane_dnskey = dns_zone_check_dnskey_nsec3(zone, db, ver, &diff, |
22207 | 0 | NULL, 0); |
22208 | 0 | sane_diff = !ISC_LIST_EMPTY(diff.tuples) && sane_dnskey; |
22209 | 0 | if (!sane_dnskey) { |
22210 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22211 | 0 | "NSEC only DNSKEYs and NSEC3 chains not " |
22212 | 0 | "allowed"); |
22213 | 0 | } |
22214 | |
|
22215 | 0 | if (newactive || fullsign || sane_diff) { |
22216 | 0 | CHECK(dns_diff_apply(&diff, db, ver)); |
22217 | 0 | CHECK(clean_nsec3param(zone, db, ver, &diff)); |
22218 | 0 | CHECK(add_signing_records(db, zone->privatetype, ver, |
22219 | 0 | &diff, (newalg || fullsign))); |
22220 | 0 | CHECK(update_soa_serial(zone, db, ver, &diff, mctx, |
22221 | 0 | zone->updatemethod)); |
22222 | 0 | CHECK(add_chains(zone, db, ver, &diff)); |
22223 | 0 | CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff)); |
22224 | 0 | CHECK(zone_journal(zone, zonediff.diff, NULL, |
22225 | 0 | "zone_rekey")); |
22226 | 0 | commit = true; |
22227 | 0 | } |
22228 | 0 | } |
22229 | | |
22230 | 0 | dns_db_closeversion(db, &ver, true); |
22231 | |
|
22232 | 0 | LOCK_ZONE(zone); |
22233 | |
|
22234 | 0 | if (commit) { |
22235 | 0 | dns_difftuple_t *tuple; |
22236 | 0 | dns_stats_t *dnssecsignstats = |
22237 | 0 | dns_zone_getdnssecsignstats(zone); |
22238 | |
|
22239 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); |
22240 | |
|
22241 | 0 | zone_needdump(zone, DNS_DUMP_DELAY); |
22242 | |
|
22243 | 0 | zone_settimer(zone, &timenow); |
22244 | | |
22245 | | /* Remove any signatures from removed keys. */ |
22246 | 0 | if (!ISC_LIST_EMPTY(rmkeys)) { |
22247 | 0 | for (key = ISC_LIST_HEAD(rmkeys); key != NULL; |
22248 | 0 | key = ISC_LIST_NEXT(key, link)) |
22249 | 0 | { |
22250 | 0 | result = zone_signwithkey( |
22251 | 0 | zone, dst_key_alg(key->key), |
22252 | 0 | dst_key_id(key->key), true); |
22253 | 0 | if (result != ISC_R_SUCCESS) { |
22254 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22255 | 0 | "zone_signwithkey failed: " |
22256 | 0 | "%s", |
22257 | 0 | isc_result_totext(result)); |
22258 | 0 | } |
22259 | | |
22260 | | /* Clear DNSSEC sign statistics. */ |
22261 | 0 | if (dnssecsignstats != NULL) { |
22262 | 0 | dns_dnssecsignstats_clear( |
22263 | 0 | dnssecsignstats, |
22264 | 0 | dst_key_id(key->key), |
22265 | 0 | dst_key_alg(key->key)); |
22266 | | /* |
22267 | | * Also clear the dnssec-sign |
22268 | | * statistics of the revoked key id. |
22269 | | */ |
22270 | 0 | dns_dnssecsignstats_clear( |
22271 | 0 | dnssecsignstats, |
22272 | 0 | dst_key_rid(key->key), |
22273 | 0 | dst_key_alg(key->key)); |
22274 | 0 | } |
22275 | 0 | } |
22276 | 0 | } |
22277 | |
|
22278 | 0 | if (fullsign) { |
22279 | | /* |
22280 | | * "rndc sign" was called, so we now sign the zone |
22281 | | * with all active keys, whether they're new or not. |
22282 | | */ |
22283 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22284 | 0 | key = ISC_LIST_NEXT(key, link)) |
22285 | 0 | { |
22286 | 0 | if (!key->force_sign && !key->hint_sign) { |
22287 | 0 | continue; |
22288 | 0 | } |
22289 | | |
22290 | 0 | result = zone_signwithkey( |
22291 | 0 | zone, dst_key_alg(key->key), |
22292 | 0 | dst_key_id(key->key), false); |
22293 | 0 | if (result != ISC_R_SUCCESS) { |
22294 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22295 | 0 | "zone_signwithkey failed: " |
22296 | 0 | "%s", |
22297 | 0 | isc_result_totext(result)); |
22298 | 0 | } |
22299 | 0 | } |
22300 | 0 | } else if (newalg) { |
22301 | | /* |
22302 | | * We haven't been told to sign fully, but a new |
22303 | | * algorithm was added to the DNSKEY. We sign |
22304 | | * the full zone, but only with newly active |
22305 | | * keys. |
22306 | | */ |
22307 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22308 | 0 | key = ISC_LIST_NEXT(key, link)) |
22309 | 0 | { |
22310 | 0 | if (!key->first_sign) { |
22311 | 0 | continue; |
22312 | 0 | } |
22313 | | |
22314 | 0 | result = zone_signwithkey( |
22315 | 0 | zone, dst_key_alg(key->key), |
22316 | 0 | dst_key_id(key->key), false); |
22317 | 0 | if (result != ISC_R_SUCCESS) { |
22318 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22319 | 0 | "zone_signwithkey failed: " |
22320 | 0 | "%s", |
22321 | 0 | isc_result_totext(result)); |
22322 | 0 | } |
22323 | 0 | } |
22324 | 0 | } |
22325 | | |
22326 | | /* |
22327 | | * Clear fullsign flag, if it was set, so we don't do |
22328 | | * another full signing next time. |
22329 | | */ |
22330 | 0 | DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN); |
22331 | | |
22332 | | /* |
22333 | | * Cause the zone to add/delete NSEC3 chains for the |
22334 | | * deferred NSEC3PARAM changes. |
22335 | | */ |
22336 | 0 | for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples); |
22337 | 0 | tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link)) |
22338 | 0 | { |
22339 | 0 | unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; |
22340 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
22341 | 0 | dns_rdata_nsec3param_t nsec3param; |
22342 | |
|
22343 | 0 | if (tuple->rdata.type != zone->privatetype || |
22344 | 0 | tuple->op != DNS_DIFFOP_ADD) |
22345 | 0 | { |
22346 | 0 | continue; |
22347 | 0 | } |
22348 | | |
22349 | 0 | if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata, |
22350 | 0 | buf, sizeof(buf))) |
22351 | 0 | { |
22352 | 0 | continue; |
22353 | 0 | } |
22354 | | |
22355 | 0 | result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); |
22356 | 0 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
22357 | 0 | if (nsec3param.flags == 0) { |
22358 | 0 | continue; |
22359 | 0 | } |
22360 | | |
22361 | 0 | result = zone_addnsec3chain(zone, &nsec3param); |
22362 | 0 | if (result != ISC_R_SUCCESS) { |
22363 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
22364 | 0 | "zone_addnsec3chain failed: %s", |
22365 | 0 | isc_result_totext(result)); |
22366 | 0 | } |
22367 | 0 | } |
22368 | | |
22369 | | /* |
22370 | | * Activate any NSEC3 chain updates that may have |
22371 | | * been scheduled before this rekey. |
22372 | | */ |
22373 | 0 | if (fullsign || newalg) { |
22374 | 0 | resume_addnsec3chain(zone); |
22375 | 0 | } |
22376 | | |
22377 | | /* |
22378 | | * Schedule the next resigning event |
22379 | | */ |
22380 | 0 | set_resigntime(zone); |
22381 | 0 | } |
22382 | |
|
22383 | 0 | isc_time_settoepoch(&zone->refreshkeytime); |
22384 | | |
22385 | | /* |
22386 | | * If keymgr provided a next time, use the calculated next rekey time. |
22387 | | */ |
22388 | 0 | if (kasp != NULL) { |
22389 | 0 | isc_time_t timenext; |
22390 | 0 | uint32_t nexttime_seconds; |
22391 | | |
22392 | | /* |
22393 | | * Set the key refresh timer to the next scheduled key event |
22394 | | * or to 'dnssec-loadkeys-interval' seconds in the future |
22395 | | * if no next key event is scheduled (nexttime == 0). |
22396 | | */ |
22397 | 0 | if (nexttime > 0) { |
22398 | 0 | nexttime_seconds = nexttime - now; |
22399 | 0 | } else { |
22400 | 0 | nexttime_seconds = zone->refreshkeyinterval; |
22401 | 0 | } |
22402 | |
|
22403 | 0 | DNS_ZONE_TIME_ADD(&timenow, nexttime_seconds, &timenext); |
22404 | 0 | zone->refreshkeytime = timenext; |
22405 | 0 | zone_settimer(zone, &timenow); |
22406 | 0 | isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); |
22407 | |
|
22408 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
22409 | 0 | "next key event in %u seconds", nexttime_seconds); |
22410 | 0 | dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); |
22411 | 0 | } |
22412 | | /* |
22413 | | * If we're doing key maintenance, set the key refresh timer to |
22414 | | * the next scheduled key event or to 'dnssec-loadkeys-interval' |
22415 | | * seconds in the future, whichever is sooner. |
22416 | | */ |
22417 | 0 | else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) |
22418 | 0 | { |
22419 | 0 | isc_time_t timethen; |
22420 | 0 | isc_stdtime_t then; |
22421 | |
|
22422 | 0 | DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval, |
22423 | 0 | &timethen); |
22424 | 0 | zone->refreshkeytime = timethen; |
22425 | |
|
22426 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22427 | 0 | key = ISC_LIST_NEXT(key, link)) |
22428 | 0 | { |
22429 | 0 | then = now; |
22430 | 0 | result = next_keyevent(key->key, &then); |
22431 | 0 | if (result != ISC_R_SUCCESS) { |
22432 | 0 | continue; |
22433 | 0 | } |
22434 | | |
22435 | 0 | DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); |
22436 | 0 | if (isc_time_compare(&timethen, &zone->refreshkeytime) < |
22437 | 0 | 0) |
22438 | 0 | { |
22439 | 0 | zone->refreshkeytime = timethen; |
22440 | 0 | } |
22441 | 0 | } |
22442 | |
|
22443 | 0 | zone_settimer(zone, &timenow); |
22444 | |
|
22445 | 0 | isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); |
22446 | 0 | dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); |
22447 | 0 | } |
22448 | 0 | UNLOCK_ZONE(zone); |
22449 | |
|
22450 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
22451 | 0 | for (key = ISC_LIST_HEAD(dnskeys); key != NULL; |
22452 | 0 | key = ISC_LIST_NEXT(key, link)) |
22453 | 0 | { |
22454 | | /* This debug log is used in the kasp system test */ |
22455 | 0 | char algbuf[DNS_SECALG_FORMATSIZE]; |
22456 | 0 | dns_secalg_format(dst_key_alg(key->key), algbuf, |
22457 | 0 | sizeof(algbuf)); |
22458 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
22459 | 0 | "zone_rekey done: key %d/%s", |
22460 | 0 | dst_key_id(key->key), algbuf); |
22461 | 0 | } |
22462 | 0 | } |
22463 | |
|
22464 | 0 | result = ISC_R_SUCCESS; |
22465 | |
|
22466 | 0 | failure: |
22467 | 0 | LOCK_ZONE(zone); |
22468 | 0 | if (result != ISC_R_SUCCESS) { |
22469 | | /* |
22470 | | * Something went wrong; try again in ten minutes or |
22471 | | * after a key refresh interval, whichever is shorter. |
22472 | | */ |
22473 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
22474 | 0 | "zone_rekey failure: %s (retry in %u seconds)", |
22475 | 0 | isc_result_totext(result), |
22476 | 0 | ISC_MIN(zone->refreshkeyinterval, 600)); |
22477 | 0 | isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), |
22478 | 0 | 0); |
22479 | 0 | isc_time_nowplusinterval(&zone->refreshkeytime, &ival); |
22480 | 0 | } |
22481 | 0 | UNLOCK_ZONE(zone); |
22482 | |
|
22483 | 0 | dns_diff_clear(&diff); |
22484 | 0 | dns_diff_clear(&_sig_diff); |
22485 | |
|
22486 | 0 | clear_keylist(&dnskeys, mctx); |
22487 | 0 | clear_keylist(&keys, mctx); |
22488 | 0 | clear_keylist(&rmkeys, mctx); |
22489 | |
|
22490 | 0 | if (ver != NULL) { |
22491 | 0 | dns_db_closeversion(db, &ver, false); |
22492 | 0 | } |
22493 | 0 | if (dns_rdataset_isassociated(&cdsset)) { |
22494 | 0 | dns_rdataset_disassociate(&cdsset); |
22495 | 0 | } |
22496 | 0 | if (dns_rdataset_isassociated(&keyset)) { |
22497 | 0 | dns_rdataset_disassociate(&keyset); |
22498 | 0 | } |
22499 | 0 | if (dns_rdataset_isassociated(&keysigs)) { |
22500 | 0 | dns_rdataset_disassociate(&keysigs); |
22501 | 0 | } |
22502 | 0 | if (dns_rdataset_isassociated(&soasigs)) { |
22503 | 0 | dns_rdataset_disassociate(&soasigs); |
22504 | 0 | } |
22505 | 0 | if (dns_rdataset_isassociated(&cdnskeyset)) { |
22506 | 0 | dns_rdataset_disassociate(&cdnskeyset); |
22507 | 0 | } |
22508 | 0 | if (node != NULL) { |
22509 | 0 | dns_db_detachnode(db, &node); |
22510 | 0 | } |
22511 | 0 | if (db != NULL) { |
22512 | 0 | dns_db_detach(&db); |
22513 | 0 | } |
22514 | |
|
22515 | 0 | INSIST(ver == NULL); |
22516 | 0 | } |
22517 | | |
22518 | | void |
22519 | 0 | dns_zone_rekey(dns_zone_t *zone, bool fullsign) { |
22520 | 0 | isc_time_t now; |
22521 | |
|
22522 | 0 | if (zone->type == dns_zone_primary && zone->loop != NULL) { |
22523 | 0 | LOCK_ZONE(zone); |
22524 | |
|
22525 | 0 | if (fullsign) { |
22526 | 0 | DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN); |
22527 | 0 | } |
22528 | |
|
22529 | 0 | now = isc_time_now(); |
22530 | 0 | zone->refreshkeytime = now; |
22531 | 0 | zone_settimer(zone, &now); |
22532 | |
|
22533 | 0 | UNLOCK_ZONE(zone); |
22534 | 0 | } |
22535 | 0 | } |
22536 | | |
22537 | | isc_result_t |
22538 | | dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, |
22539 | 0 | unsigned int *errors) { |
22540 | 0 | isc_result_t result; |
22541 | 0 | dns_dbnode_t *node = NULL; |
22542 | |
|
22543 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22544 | 0 | REQUIRE(errors != NULL); |
22545 | |
|
22546 | 0 | result = dns_db_getoriginnode(db, &node); |
22547 | 0 | if (result != ISC_R_SUCCESS) { |
22548 | 0 | return (result); |
22549 | 0 | } |
22550 | 0 | result = zone_count_ns_rr(zone, db, node, version, NULL, errors, false); |
22551 | 0 | dns_db_detachnode(db, &node); |
22552 | 0 | return (result); |
22553 | 0 | } |
22554 | | |
22555 | | isc_result_t |
22556 | 2 | dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) { |
22557 | 2 | isc_result_t result; |
22558 | 2 | dns_dbnode_t *node = NULL; |
22559 | 2 | dns_rdataset_t dnskey, cds, cdnskey; |
22560 | 2 | unsigned char algorithms[256]; |
22561 | 2 | unsigned int i; |
22562 | 2 | bool empty = false; |
22563 | | |
22564 | 2 | enum { notexpected = 0, expected = 1, found = 2 }; |
22565 | | |
22566 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
22567 | | |
22568 | 2 | result = dns_db_getoriginnode(db, &node); |
22569 | 2 | if (result != ISC_R_SUCCESS) { |
22570 | 0 | return (result); |
22571 | 0 | } |
22572 | | |
22573 | 2 | dns_rdataset_init(&cds); |
22574 | 2 | dns_rdataset_init(&dnskey); |
22575 | 2 | dns_rdataset_init(&cdnskey); |
22576 | | |
22577 | 2 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_cds, |
22578 | 2 | dns_rdatatype_none, 0, &cds, NULL); |
22579 | 2 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
22580 | 0 | goto failure; |
22581 | 0 | } |
22582 | | |
22583 | 2 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_cdnskey, |
22584 | 2 | dns_rdatatype_none, 0, &cdnskey, NULL); |
22585 | 2 | if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { |
22586 | 0 | goto failure; |
22587 | 0 | } |
22588 | | |
22589 | 2 | if (!dns_rdataset_isassociated(&cds) && |
22590 | 2 | !dns_rdataset_isassociated(&cdnskey)) |
22591 | 2 | { |
22592 | 2 | result = ISC_R_SUCCESS; |
22593 | 2 | goto failure; |
22594 | 2 | } |
22595 | | |
22596 | 0 | result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, |
22597 | 0 | dns_rdatatype_none, 0, &dnskey, NULL); |
22598 | 0 | if (result == ISC_R_NOTFOUND) { |
22599 | 0 | empty = true; |
22600 | 0 | } else if (result != ISC_R_SUCCESS) { |
22601 | 0 | goto failure; |
22602 | 0 | } |
22603 | | |
22604 | | /* |
22605 | | * For each DNSSEC algorithm in the CDS RRset there must be |
22606 | | * a matching DNSKEY record with the exception of a CDS deletion |
22607 | | * record which must be by itself. |
22608 | | */ |
22609 | 0 | if (dns_rdataset_isassociated(&cds)) { |
22610 | 0 | bool delete = false; |
22611 | 0 | memset(algorithms, notexpected, sizeof(algorithms)); |
22612 | 0 | for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS; |
22613 | 0 | result = dns_rdataset_next(&cds)) |
22614 | 0 | { |
22615 | 0 | dns_rdata_t crdata = DNS_RDATA_INIT; |
22616 | 0 | dns_rdata_cds_t structcds; |
22617 | |
|
22618 | 0 | dns_rdataset_current(&cds, &crdata); |
22619 | | /* |
22620 | | * CDS deletion record has this form "0 0 0 00" which |
22621 | | * is 5 zero octets. |
22622 | | */ |
22623 | 0 | if (crdata.length == 5U && |
22624 | 0 | memcmp(crdata.data, |
22625 | 0 | (unsigned char[5]){ 0, 0, 0, 0, 0 }, 5) == 0) |
22626 | 0 | { |
22627 | 0 | delete = true; |
22628 | 0 | continue; |
22629 | 0 | } |
22630 | | |
22631 | 0 | if (empty) { |
22632 | 0 | result = DNS_R_BADCDS; |
22633 | 0 | goto failure; |
22634 | 0 | } |
22635 | | |
22636 | 0 | CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL)); |
22637 | 0 | if (algorithms[structcds.algorithm] == 0) { |
22638 | 0 | algorithms[structcds.algorithm] = expected; |
22639 | 0 | } |
22640 | 0 | for (result = dns_rdataset_first(&dnskey); |
22641 | 0 | result == ISC_R_SUCCESS; |
22642 | 0 | result = dns_rdataset_next(&dnskey)) |
22643 | 0 | { |
22644 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
22645 | 0 | dns_rdata_dnskey_t structdnskey; |
22646 | |
|
22647 | 0 | dns_rdataset_current(&dnskey, &rdata); |
22648 | 0 | CHECK(dns_rdata_tostruct(&rdata, &structdnskey, |
22649 | 0 | NULL)); |
22650 | | |
22651 | 0 | if (structdnskey.algorithm == |
22652 | 0 | structcds.algorithm) |
22653 | 0 | { |
22654 | 0 | algorithms[structcds.algorithm] = found; |
22655 | 0 | } |
22656 | 0 | } |
22657 | 0 | if (result != ISC_R_NOMORE) { |
22658 | 0 | goto failure; |
22659 | 0 | } |
22660 | 0 | } |
22661 | 0 | for (i = 0; i < sizeof(algorithms); i++) { |
22662 | 0 | if (delete) { |
22663 | 0 | if (algorithms[i] != notexpected) { |
22664 | 0 | result = DNS_R_BADCDS; |
22665 | 0 | goto failure; |
22666 | 0 | } |
22667 | 0 | } else if (algorithms[i] == expected) { |
22668 | 0 | result = DNS_R_BADCDS; |
22669 | 0 | goto failure; |
22670 | 0 | } |
22671 | 0 | } |
22672 | 0 | } |
22673 | | |
22674 | | /* |
22675 | | * For each DNSSEC algorithm in the CDNSKEY RRset there must be |
22676 | | * a matching DNSKEY record with the exception of a CDNSKEY deletion |
22677 | | * record which must be by itself. |
22678 | | */ |
22679 | 0 | if (dns_rdataset_isassociated(&cdnskey)) { |
22680 | 0 | bool delete = false; |
22681 | 0 | memset(algorithms, notexpected, sizeof(algorithms)); |
22682 | 0 | for (result = dns_rdataset_first(&cdnskey); |
22683 | 0 | result == ISC_R_SUCCESS; |
22684 | 0 | result = dns_rdataset_next(&cdnskey)) |
22685 | 0 | { |
22686 | 0 | dns_rdata_t crdata = DNS_RDATA_INIT; |
22687 | 0 | dns_rdata_cdnskey_t structcdnskey; |
22688 | |
|
22689 | 0 | dns_rdataset_current(&cdnskey, &crdata); |
22690 | | /* |
22691 | | * CDNSKEY deletion record has this form |
22692 | | * "0 3 0 AA==" which is 2 zero octets, a 3, |
22693 | | * and 2 zero octets. |
22694 | | */ |
22695 | 0 | if (crdata.length == 5U && |
22696 | 0 | memcmp(crdata.data, |
22697 | 0 | (unsigned char[5]){ 0, 0, 3, 0, 0 }, 5) == 0) |
22698 | 0 | { |
22699 | 0 | delete = true; |
22700 | 0 | continue; |
22701 | 0 | } |
22702 | | |
22703 | 0 | if (empty) { |
22704 | 0 | result = DNS_R_BADCDNSKEY; |
22705 | 0 | goto failure; |
22706 | 0 | } |
22707 | | |
22708 | 0 | CHECK(dns_rdata_tostruct(&crdata, &structcdnskey, |
22709 | 0 | NULL)); |
22710 | 0 | if (algorithms[structcdnskey.algorithm] == 0) { |
22711 | 0 | algorithms[structcdnskey.algorithm] = expected; |
22712 | 0 | } |
22713 | 0 | for (result = dns_rdataset_first(&dnskey); |
22714 | 0 | result == ISC_R_SUCCESS; |
22715 | 0 | result = dns_rdataset_next(&dnskey)) |
22716 | 0 | { |
22717 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
22718 | 0 | dns_rdata_dnskey_t structdnskey; |
22719 | |
|
22720 | 0 | dns_rdataset_current(&dnskey, &rdata); |
22721 | 0 | CHECK(dns_rdata_tostruct(&rdata, &structdnskey, |
22722 | 0 | NULL)); |
22723 | | |
22724 | 0 | if (structdnskey.algorithm == |
22725 | 0 | structcdnskey.algorithm) |
22726 | 0 | { |
22727 | 0 | algorithms[structcdnskey.algorithm] = |
22728 | 0 | found; |
22729 | 0 | } |
22730 | 0 | } |
22731 | 0 | if (result != ISC_R_NOMORE) { |
22732 | 0 | goto failure; |
22733 | 0 | } |
22734 | 0 | } |
22735 | 0 | for (i = 0; i < sizeof(algorithms); i++) { |
22736 | 0 | if (delete) { |
22737 | 0 | if (algorithms[i] != notexpected) { |
22738 | 0 | result = DNS_R_BADCDNSKEY; |
22739 | 0 | goto failure; |
22740 | 0 | } |
22741 | 0 | } else if (algorithms[i] == expected) { |
22742 | 0 | result = DNS_R_BADCDNSKEY; |
22743 | 0 | goto failure; |
22744 | 0 | } |
22745 | 0 | } |
22746 | 0 | } |
22747 | 0 | result = ISC_R_SUCCESS; |
22748 | |
|
22749 | 2 | failure: |
22750 | 2 | if (dns_rdataset_isassociated(&cds)) { |
22751 | 0 | dns_rdataset_disassociate(&cds); |
22752 | 0 | } |
22753 | 2 | if (dns_rdataset_isassociated(&dnskey)) { |
22754 | 0 | dns_rdataset_disassociate(&dnskey); |
22755 | 0 | } |
22756 | 2 | if (dns_rdataset_isassociated(&cdnskey)) { |
22757 | 0 | dns_rdataset_disassociate(&cdnskey); |
22758 | 0 | } |
22759 | 2 | dns_db_detachnode(db, &node); |
22760 | 2 | return (result); |
22761 | 0 | } |
22762 | | |
22763 | | void |
22764 | 0 | dns_zone_setautomatic(dns_zone_t *zone, bool automatic) { |
22765 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22766 | |
|
22767 | 0 | LOCK_ZONE(zone); |
22768 | 0 | zone->automatic = automatic; |
22769 | 0 | UNLOCK_ZONE(zone); |
22770 | 0 | } |
22771 | | |
22772 | | bool |
22773 | 0 | dns_zone_getautomatic(dns_zone_t *zone) { |
22774 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22775 | 0 | return (zone->automatic); |
22776 | 0 | } |
22777 | | |
22778 | | void |
22779 | 0 | dns_zone_setadded(dns_zone_t *zone, bool added) { |
22780 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22781 | |
|
22782 | 0 | LOCK_ZONE(zone); |
22783 | 0 | zone->added = added; |
22784 | 0 | UNLOCK_ZONE(zone); |
22785 | 0 | } |
22786 | | |
22787 | | bool |
22788 | 0 | dns_zone_getadded(dns_zone_t *zone) { |
22789 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22790 | 0 | return (zone->added); |
22791 | 0 | } |
22792 | | |
22793 | | isc_result_t |
22794 | 0 | dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db) { |
22795 | 0 | isc_time_t loadtime; |
22796 | 0 | isc_result_t result; |
22797 | 0 | dns_zone_t *secure = NULL; |
22798 | |
|
22799 | 0 | loadtime = isc_time_now(); |
22800 | | |
22801 | | /* |
22802 | | * Lock hierarchy: zmgr, zone, raw. |
22803 | | */ |
22804 | 0 | again: |
22805 | 0 | LOCK_ZONE(zone); |
22806 | 0 | INSIST(zone != zone->raw); |
22807 | 0 | if (inline_secure(zone)) { |
22808 | 0 | LOCK_ZONE(zone->raw); |
22809 | 0 | } else if (inline_raw(zone)) { |
22810 | 0 | secure = zone->secure; |
22811 | 0 | TRYLOCK_ZONE(result, secure); |
22812 | 0 | if (result != ISC_R_SUCCESS) { |
22813 | 0 | UNLOCK_ZONE(zone); |
22814 | 0 | secure = NULL; |
22815 | 0 | isc_thread_yield(); |
22816 | 0 | goto again; |
22817 | 0 | } |
22818 | 0 | } |
22819 | 0 | result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS); |
22820 | 0 | if (inline_secure(zone)) { |
22821 | 0 | UNLOCK_ZONE(zone->raw); |
22822 | 0 | } else if (secure != NULL) { |
22823 | 0 | UNLOCK_ZONE(secure); |
22824 | 0 | } |
22825 | 0 | UNLOCK_ZONE(zone); |
22826 | 0 | return (result); |
22827 | 0 | } |
22828 | | |
22829 | | isc_result_t |
22830 | 0 | dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval) { |
22831 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22832 | 0 | if (interval == 0) { |
22833 | 0 | return (ISC_R_RANGE); |
22834 | 0 | } |
22835 | | /* Maximum value: 24 hours (3600 minutes) */ |
22836 | 0 | if (interval > (24 * 60)) { |
22837 | 0 | interval = (24 * 60); |
22838 | 0 | } |
22839 | | /* Multiply by 60 for seconds */ |
22840 | 0 | zone->refreshkeyinterval = interval * 60; |
22841 | 0 | return (ISC_R_SUCCESS); |
22842 | 0 | } |
22843 | | |
22844 | | void |
22845 | 0 | dns_zone_setrequestixfr(dns_zone_t *zone, bool flag) { |
22846 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22847 | 0 | zone->requestixfr = flag; |
22848 | 0 | } |
22849 | | |
22850 | | bool |
22851 | 0 | dns_zone_getrequestixfr(dns_zone_t *zone) { |
22852 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22853 | 0 | return (zone->requestixfr); |
22854 | 0 | } |
22855 | | |
22856 | | void |
22857 | 0 | dns_zone_setixfrratio(dns_zone_t *zone, uint32_t ratio) { |
22858 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22859 | 0 | zone->ixfr_ratio = ratio; |
22860 | 0 | } |
22861 | | |
22862 | | uint32_t |
22863 | 0 | dns_zone_getixfrratio(dns_zone_t *zone) { |
22864 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22865 | 0 | return (zone->ixfr_ratio); |
22866 | 0 | } |
22867 | | |
22868 | | void |
22869 | 0 | dns_zone_setrequestexpire(dns_zone_t *zone, bool flag) { |
22870 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22871 | 0 | zone->requestexpire = flag; |
22872 | 0 | } |
22873 | | |
22874 | | bool |
22875 | 0 | dns_zone_getrequestexpire(dns_zone_t *zone) { |
22876 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22877 | 0 | return (zone->requestexpire); |
22878 | 0 | } |
22879 | | |
22880 | | void |
22881 | 0 | dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) { |
22882 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22883 | 0 | zone->updatemethod = method; |
22884 | 0 | } |
22885 | | |
22886 | | dns_updatemethod_t |
22887 | 0 | dns_zone_getserialupdatemethod(dns_zone_t *zone) { |
22888 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22889 | 0 | return (zone->updatemethod); |
22890 | 0 | } |
22891 | | |
22892 | | /* |
22893 | | * Lock hierarchy: zmgr, zone, raw. |
22894 | | */ |
22895 | | isc_result_t |
22896 | 0 | dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) { |
22897 | 0 | dns_zonemgr_t *zmgr; |
22898 | |
|
22899 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22900 | 0 | REQUIRE(zone->zmgr != NULL); |
22901 | 0 | REQUIRE(zone->loop != NULL); |
22902 | 0 | REQUIRE(zone->raw == NULL); |
22903 | |
|
22904 | 0 | REQUIRE(DNS_ZONE_VALID(raw)); |
22905 | 0 | REQUIRE(raw->zmgr == NULL); |
22906 | 0 | REQUIRE(raw->loop == NULL); |
22907 | 0 | REQUIRE(raw->secure == NULL); |
22908 | |
|
22909 | 0 | REQUIRE(zone != raw); |
22910 | | |
22911 | | /* |
22912 | | * Lock hierarchy: zmgr, zone, raw. |
22913 | | */ |
22914 | 0 | zmgr = zone->zmgr; |
22915 | 0 | RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
22916 | 0 | LOCK_ZONE(zone); |
22917 | 0 | LOCK_ZONE(raw); |
22918 | |
|
22919 | 0 | isc_loop_attach(zone->loop, &raw->loop); |
22920 | | |
22921 | | /* dns_zone_attach(raw, &zone->raw); */ |
22922 | 0 | isc_refcount_increment(&raw->references); |
22923 | 0 | zone->raw = raw; |
22924 | | |
22925 | | /* dns_zone_iattach(zone, &raw->secure); */ |
22926 | 0 | zone_iattach(zone, &raw->secure); |
22927 | |
|
22928 | 0 | ISC_LIST_APPEND(zmgr->zones, raw, link); |
22929 | 0 | raw->zmgr = zmgr; |
22930 | 0 | isc_refcount_increment(&zmgr->refs); |
22931 | |
|
22932 | 0 | UNLOCK_ZONE(raw); |
22933 | 0 | UNLOCK_ZONE(zone); |
22934 | 0 | RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write); |
22935 | 0 | return (ISC_R_SUCCESS); |
22936 | 0 | } |
22937 | | |
22938 | | void |
22939 | 0 | dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) { |
22940 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22941 | 0 | REQUIRE(raw != NULL && *raw == NULL); |
22942 | |
|
22943 | 0 | LOCK(&zone->lock); |
22944 | 0 | INSIST(zone != zone->raw); |
22945 | 0 | if (zone->raw != NULL) { |
22946 | 0 | dns_zone_attach(zone->raw, raw); |
22947 | 0 | } |
22948 | 0 | UNLOCK(&zone->lock); |
22949 | 0 | } |
22950 | | |
22951 | | bool |
22952 | 0 | dns_zone_israw(dns_zone_t *zone) { |
22953 | 0 | bool israw; |
22954 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22955 | 0 | LOCK(&zone->lock); |
22956 | 0 | israw = zone->secure != NULL; |
22957 | 0 | UNLOCK(&zone->lock); |
22958 | 0 | return (israw); |
22959 | 0 | } |
22960 | | |
22961 | | bool |
22962 | 0 | dns_zone_issecure(dns_zone_t *zone) { |
22963 | 0 | bool issecure; |
22964 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
22965 | 0 | LOCK(&zone->lock); |
22966 | 0 | issecure = zone->raw != NULL; |
22967 | 0 | UNLOCK(&zone->lock); |
22968 | 0 | return (issecure); |
22969 | 0 | } |
22970 | | |
22971 | | struct keydone { |
22972 | | bool all; |
22973 | | unsigned char data[5]; |
22974 | | dns_zone_t *zone; |
22975 | | }; |
22976 | | |
22977 | 0 | #define PENDINGFLAGS (DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL) |
22978 | | |
22979 | | static void |
22980 | 0 | keydone(void *arg) { |
22981 | 0 | bool commit = false; |
22982 | 0 | isc_result_t result; |
22983 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
22984 | 0 | dns_dbversion_t *oldver = NULL, *newver = NULL; |
22985 | 0 | dns_db_t *db = NULL; |
22986 | 0 | dns_dbnode_t *node = NULL; |
22987 | 0 | dns_rdataset_t rdataset; |
22988 | 0 | dns_diff_t diff; |
22989 | 0 | struct keydone *kd = (struct keydone *)arg; |
22990 | 0 | dns_zone_t *zone = kd->zone; |
22991 | 0 | dns_update_log_t log = { update_log_cb, NULL }; |
22992 | 0 | bool clear_pending = false; |
22993 | |
|
22994 | 0 | INSIST(DNS_ZONE_VALID(zone)); |
22995 | |
|
22996 | 0 | ENTER; |
22997 | |
|
22998 | 0 | dns_rdataset_init(&rdataset); |
22999 | 0 | dns_diff_init(zone->mctx, &diff); |
23000 | |
|
23001 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23002 | 0 | if (zone->db != NULL) { |
23003 | 0 | dns_db_attach(zone->db, &db); |
23004 | 0 | } |
23005 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23006 | 0 | if (db == NULL) { |
23007 | 0 | goto failure; |
23008 | 0 | } |
23009 | | |
23010 | 0 | dns_db_currentversion(db, &oldver); |
23011 | 0 | result = dns_db_newversion(db, &newver); |
23012 | 0 | if (result != ISC_R_SUCCESS) { |
23013 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
23014 | 0 | "keydone:dns_db_newversion -> %s", |
23015 | 0 | isc_result_totext(result)); |
23016 | 0 | goto failure; |
23017 | 0 | } |
23018 | | |
23019 | 0 | result = dns_db_getoriginnode(db, &node); |
23020 | 0 | if (result != ISC_R_SUCCESS) { |
23021 | 0 | goto failure; |
23022 | 0 | } |
23023 | | |
23024 | 0 | result = dns_db_findrdataset(db, node, newver, zone->privatetype, |
23025 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
23026 | 0 | if (result == ISC_R_NOTFOUND) { |
23027 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
23028 | 0 | goto failure; |
23029 | 0 | } |
23030 | 0 | if (result != ISC_R_SUCCESS) { |
23031 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
23032 | 0 | goto failure; |
23033 | 0 | } |
23034 | | |
23035 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
23036 | 0 | result = dns_rdataset_next(&rdataset)) |
23037 | 0 | { |
23038 | 0 | bool found = false; |
23039 | |
|
23040 | 0 | dns_rdataset_current(&rdataset, &rdata); |
23041 | |
|
23042 | 0 | if (kd->all) { |
23043 | 0 | if (rdata.length == 5 && rdata.data[0] != 0 && |
23044 | 0 | rdata.data[3] == 0 && rdata.data[4] == 1) |
23045 | 0 | { |
23046 | 0 | found = true; |
23047 | 0 | } else if (rdata.data[0] == 0 && |
23048 | 0 | (rdata.data[2] & PENDINGFLAGS) != 0) |
23049 | 0 | { |
23050 | 0 | found = true; |
23051 | 0 | clear_pending = true; |
23052 | 0 | } |
23053 | 0 | } else if (rdata.length == 5 && |
23054 | 0 | memcmp(rdata.data, kd->data, 5) == 0) |
23055 | 0 | { |
23056 | 0 | found = true; |
23057 | 0 | } |
23058 | |
|
23059 | 0 | if (found) { |
23060 | 0 | CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL, |
23061 | 0 | &zone->origin, rdataset.ttl, |
23062 | 0 | &rdata)); |
23063 | 0 | } |
23064 | 0 | dns_rdata_reset(&rdata); |
23065 | 0 | } |
23066 | | |
23067 | 0 | if (!ISC_LIST_EMPTY(diff.tuples)) { |
23068 | | /* Write changes to journal file. */ |
23069 | 0 | CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx, |
23070 | 0 | zone->updatemethod)); |
23071 | | |
23072 | 0 | result = dns_update_signatures(&log, zone, db, oldver, newver, |
23073 | 0 | &diff, |
23074 | 0 | zone->sigvalidityinterval); |
23075 | 0 | if (!clear_pending) { |
23076 | 0 | CHECK(result); |
23077 | 0 | } |
23078 | | |
23079 | 0 | CHECK(zone_journal(zone, &diff, NULL, "keydone")); |
23080 | 0 | commit = true; |
23081 | |
|
23082 | 0 | LOCK_ZONE(zone); |
23083 | 0 | DNS_ZONE_SETFLAG(zone, |
23084 | 0 | DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY); |
23085 | 0 | zone_needdump(zone, 30); |
23086 | 0 | UNLOCK_ZONE(zone); |
23087 | 0 | } |
23088 | | |
23089 | 0 | failure: |
23090 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
23091 | 0 | dns_rdataset_disassociate(&rdataset); |
23092 | 0 | } |
23093 | 0 | if (db != NULL) { |
23094 | 0 | if (node != NULL) { |
23095 | 0 | dns_db_detachnode(db, &node); |
23096 | 0 | } |
23097 | 0 | if (oldver != NULL) { |
23098 | 0 | dns_db_closeversion(db, &oldver, false); |
23099 | 0 | } |
23100 | 0 | if (newver != NULL) { |
23101 | 0 | dns_db_closeversion(db, &newver, commit); |
23102 | 0 | } |
23103 | 0 | dns_db_detach(&db); |
23104 | 0 | } |
23105 | 0 | dns_diff_clear(&diff); |
23106 | 0 | isc_mem_put(zone->mctx, kd, sizeof(*kd)); |
23107 | 0 | dns_zone_idetach(&zone); |
23108 | |
|
23109 | 0 | INSIST(oldver == NULL); |
23110 | 0 | INSIST(newver == NULL); |
23111 | 0 | } |
23112 | | |
23113 | | isc_result_t |
23114 | 0 | dns_zone_keydone(dns_zone_t *zone, const char *keystr) { |
23115 | 0 | isc_result_t result = ISC_R_SUCCESS; |
23116 | 0 | struct keydone *kd = NULL; |
23117 | 0 | isc_buffer_t b; |
23118 | |
|
23119 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23120 | |
|
23121 | 0 | LOCK_ZONE(zone); |
23122 | |
|
23123 | 0 | kd = isc_mem_get(zone->mctx, sizeof(*kd)); |
23124 | 0 | *kd = (struct keydone){ .all = false }; |
23125 | |
|
23126 | 0 | if (strcasecmp(keystr, "all") == 0) { |
23127 | 0 | kd->all = true; |
23128 | 0 | } else { |
23129 | 0 | isc_textregion_t r; |
23130 | 0 | const char *algstr = NULL; |
23131 | 0 | dns_keytag_t keyid; |
23132 | 0 | dns_secalg_t alg; |
23133 | 0 | size_t n; |
23134 | |
|
23135 | 0 | n = sscanf(keystr, "%hu/", &keyid); |
23136 | 0 | if (n == 0U) { |
23137 | 0 | CHECK(ISC_R_FAILURE); |
23138 | 0 | } |
23139 | | |
23140 | 0 | algstr = strchr(keystr, '/'); |
23141 | 0 | if (algstr != NULL) { |
23142 | 0 | algstr++; |
23143 | 0 | } else { |
23144 | 0 | CHECK(ISC_R_FAILURE); |
23145 | 0 | } |
23146 | | |
23147 | 0 | n = sscanf(algstr, "%hhu", &alg); |
23148 | 0 | if (n == 0U) { |
23149 | 0 | r.base = UNCONST(algstr); |
23150 | 0 | r.length = strlen(algstr); |
23151 | 0 | CHECK(dns_secalg_fromtext(&alg, &r)); |
23152 | 0 | } |
23153 | | |
23154 | | /* construct a private-type rdata */ |
23155 | 0 | isc_buffer_init(&b, kd->data, sizeof(kd->data)); |
23156 | 0 | isc_buffer_putuint8(&b, alg); |
23157 | 0 | isc_buffer_putuint8(&b, (keyid & 0xff00) >> 8); |
23158 | 0 | isc_buffer_putuint8(&b, (keyid & 0xff)); |
23159 | 0 | isc_buffer_putuint8(&b, 0); |
23160 | 0 | isc_buffer_putuint8(&b, 1); |
23161 | 0 | } |
23162 | | |
23163 | 0 | zone_iattach(zone, &kd->zone); |
23164 | 0 | isc_async_run(zone->loop, keydone, kd); |
23165 | 0 | kd = NULL; |
23166 | |
|
23167 | 0 | failure: |
23168 | 0 | if (kd != NULL) { |
23169 | 0 | isc_mem_put(zone->mctx, kd, sizeof(*kd)); |
23170 | 0 | } |
23171 | 0 | UNLOCK_ZONE(zone); |
23172 | 0 | return (result); |
23173 | 0 | } |
23174 | | |
23175 | | /* |
23176 | | * Called from the zone loop's queue after the relevant event is posted by |
23177 | | * dns_zone_setnsec3param(). |
23178 | | */ |
23179 | | static void |
23180 | 0 | setnsec3param(void *arg) { |
23181 | 0 | struct np3 *npe = (struct np3 *)arg; |
23182 | 0 | dns_zone_t *zone = npe->zone; |
23183 | 0 | bool loadpending; |
23184 | |
|
23185 | 0 | INSIST(DNS_ZONE_VALID(zone)); |
23186 | |
|
23187 | 0 | ENTER; |
23188 | |
|
23189 | 0 | LOCK_ZONE(zone); |
23190 | 0 | loadpending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING); |
23191 | 0 | UNLOCK_ZONE(zone); |
23192 | | |
23193 | | /* |
23194 | | * The receive_secure_serial() and setnsec3param() calls are |
23195 | | * loop-serialized for the zone. Make sure there's no processing |
23196 | | * currently running. |
23197 | | */ |
23198 | 0 | INSIST(zone->rss_newver == NULL); |
23199 | |
|
23200 | 0 | bool rescheduled = false; |
23201 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23202 | | /* |
23203 | | * The zone is not yet fully loaded. Reschedule the event to |
23204 | | * be picked up later. This turns this function into a busy |
23205 | | * wait, but it only happens at startup. |
23206 | | */ |
23207 | 0 | if (zone->db == NULL && loadpending) { |
23208 | 0 | rescheduled = true; |
23209 | 0 | isc_async_run(zone->loop, setnsec3param, npe); |
23210 | 0 | } |
23211 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23212 | 0 | if (rescheduled) { |
23213 | 0 | return; |
23214 | 0 | } |
23215 | | |
23216 | 0 | rss_post(npe); |
23217 | |
|
23218 | 0 | dns_zone_idetach(&zone); |
23219 | 0 | } |
23220 | | |
23221 | | static void |
23222 | | salt2text(unsigned char *salt, uint8_t saltlen, unsigned char *text, |
23223 | 0 | unsigned int textlen) { |
23224 | 0 | isc_region_t r; |
23225 | 0 | isc_buffer_t buf; |
23226 | 0 | isc_result_t result; |
23227 | |
|
23228 | 0 | r.base = salt; |
23229 | 0 | r.length = (unsigned int)saltlen; |
23230 | |
|
23231 | 0 | isc_buffer_init(&buf, text, textlen); |
23232 | 0 | result = isc_hex_totext(&r, 2, "", &buf); |
23233 | 0 | if (result == ISC_R_SUCCESS) { |
23234 | 0 | text[saltlen * 2] = 0; |
23235 | 0 | } else { |
23236 | 0 | text[0] = 0; |
23237 | 0 | } |
23238 | 0 | } |
23239 | | |
23240 | | /* |
23241 | | * Check whether NSEC3 chain addition or removal specified by the private-type |
23242 | | * record passed with the event was already queued (or even fully performed). |
23243 | | * If not, modify the relevant private-type records at the zone apex and call |
23244 | | * resume_addnsec3chain(). |
23245 | | */ |
23246 | | static void |
23247 | 0 | rss_post(void *arg) { |
23248 | 0 | struct np3 *npe = (struct np3 *)arg; |
23249 | 0 | dns_zone_t *zone = npe->zone; |
23250 | 0 | nsec3param_t *np = &npe->params; |
23251 | 0 | bool commit = false; |
23252 | 0 | isc_result_t result; |
23253 | 0 | dns_dbversion_t *oldver = NULL, *newver = NULL; |
23254 | 0 | dns_db_t *db = NULL; |
23255 | 0 | dns_dbnode_t *node = NULL; |
23256 | 0 | dns_rdataset_t prdataset, nrdataset; |
23257 | 0 | dns_diff_t diff; |
23258 | 0 | dns_update_log_t log = { update_log_cb, NULL }; |
23259 | 0 | dns_rdata_t rdata; |
23260 | 0 | bool nseconly; |
23261 | 0 | bool exists = false; |
23262 | |
|
23263 | 0 | ENTER; |
23264 | |
|
23265 | 0 | dns_rdataset_init(&prdataset); |
23266 | 0 | dns_rdataset_init(&nrdataset); |
23267 | 0 | dns_diff_init(zone->mctx, &diff); |
23268 | |
|
23269 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23270 | 0 | if (zone->db != NULL) { |
23271 | 0 | dns_db_attach(zone->db, &db); |
23272 | 0 | } |
23273 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23274 | 0 | if (db == NULL) { |
23275 | 0 | goto failure; |
23276 | 0 | } |
23277 | | |
23278 | 0 | dns_db_currentversion(db, &oldver); |
23279 | 0 | result = dns_db_newversion(db, &newver); |
23280 | 0 | if (result != ISC_R_SUCCESS) { |
23281 | 0 | dnssec_log(zone, ISC_LOG_ERROR, |
23282 | 0 | "setnsec3param:dns_db_newversion -> %s", |
23283 | 0 | isc_result_totext(result)); |
23284 | 0 | goto failure; |
23285 | 0 | } |
23286 | | |
23287 | 0 | CHECK(dns_db_getoriginnode(db, &node)); |
23288 | | |
23289 | | /* |
23290 | | * Do we need to look up the NSEC3 parameters? |
23291 | | */ |
23292 | 0 | if (np->lookup) { |
23293 | 0 | dns_rdata_nsec3param_t param; |
23294 | 0 | dns_rdata_t nrdata = DNS_RDATA_INIT; |
23295 | 0 | dns_rdata_t prdata = DNS_RDATA_INIT; |
23296 | 0 | unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE]; |
23297 | 0 | unsigned char saltbuf[255]; |
23298 | 0 | isc_buffer_t b; |
23299 | |
|
23300 | 0 | param.salt = NULL; |
23301 | 0 | result = dns__zone_lookup_nsec3param(zone, &np->rdata, ¶m, |
23302 | 0 | saltbuf, np->resalt); |
23303 | 0 | if (result == ISC_R_SUCCESS) { |
23304 | | /* |
23305 | | * Success because the NSEC3PARAM already exists, but |
23306 | | * function returns void, so goto failure to clean up. |
23307 | | */ |
23308 | 0 | goto failure; |
23309 | 0 | } |
23310 | 0 | if (result != DNS_R_NSEC3RESALT && result != ISC_R_NOTFOUND) { |
23311 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
23312 | 0 | "setnsec3param:lookup nsec3param -> %s", |
23313 | 0 | isc_result_totext(result)); |
23314 | 0 | goto failure; |
23315 | 0 | } |
23316 | | |
23317 | 0 | INSIST(param.salt != NULL); |
23318 | | |
23319 | | /* Update NSEC3 parameters. */ |
23320 | 0 | np->rdata.hash = param.hash; |
23321 | 0 | np->rdata.flags = param.flags; |
23322 | 0 | np->rdata.iterations = param.iterations; |
23323 | 0 | np->rdata.salt_length = param.salt_length; |
23324 | 0 | np->rdata.salt = param.salt; |
23325 | |
|
23326 | 0 | isc_buffer_init(&b, nbuf, sizeof(nbuf)); |
23327 | 0 | CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass, |
23328 | 0 | dns_rdatatype_nsec3param, &np->rdata, |
23329 | 0 | &b)); |
23330 | 0 | dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype, |
23331 | 0 | np->data, sizeof(np->data)); |
23332 | 0 | np->length = prdata.length; |
23333 | 0 | np->nsec = false; |
23334 | 0 | } |
23335 | | |
23336 | | /* |
23337 | | * Does a private-type record already exist for this chain? |
23338 | | */ |
23339 | 0 | result = dns_db_findrdataset(db, node, newver, zone->privatetype, |
23340 | 0 | dns_rdatatype_none, 0, &prdataset, NULL); |
23341 | 0 | if (result == ISC_R_SUCCESS) { |
23342 | 0 | for (result = dns_rdataset_first(&prdataset); |
23343 | 0 | result == ISC_R_SUCCESS; |
23344 | 0 | result = dns_rdataset_next(&prdataset)) |
23345 | 0 | { |
23346 | 0 | dns_rdata_init(&rdata); |
23347 | 0 | dns_rdataset_current(&prdataset, &rdata); |
23348 | |
|
23349 | 0 | if (np->length == rdata.length && |
23350 | 0 | memcmp(rdata.data, np->data, np->length) == 0) |
23351 | 0 | { |
23352 | 0 | exists = true; |
23353 | 0 | break; |
23354 | 0 | } |
23355 | 0 | } |
23356 | 0 | } else if (result != ISC_R_NOTFOUND) { |
23357 | 0 | INSIST(!dns_rdataset_isassociated(&prdataset)); |
23358 | 0 | goto failure; |
23359 | 0 | } |
23360 | | |
23361 | | /* |
23362 | | * Does the chain already exist? |
23363 | | */ |
23364 | 0 | result = dns_db_findrdataset(db, node, newver, dns_rdatatype_nsec3param, |
23365 | 0 | dns_rdatatype_none, 0, &nrdataset, NULL); |
23366 | 0 | if (result == ISC_R_SUCCESS) { |
23367 | 0 | for (result = dns_rdataset_first(&nrdataset); |
23368 | 0 | result == ISC_R_SUCCESS; |
23369 | 0 | result = dns_rdataset_next(&nrdataset)) |
23370 | 0 | { |
23371 | 0 | dns_rdata_init(&rdata); |
23372 | 0 | dns_rdataset_current(&nrdataset, &rdata); |
23373 | |
|
23374 | 0 | if (np->length == (rdata.length + 1) && |
23375 | 0 | memcmp(rdata.data, np->data + 1, np->length - 1) == |
23376 | 0 | 0) |
23377 | 0 | { |
23378 | 0 | exists = true; |
23379 | 0 | break; |
23380 | 0 | } |
23381 | 0 | } |
23382 | 0 | } else if (result != ISC_R_NOTFOUND) { |
23383 | 0 | INSIST(!dns_rdataset_isassociated(&nrdataset)); |
23384 | 0 | goto failure; |
23385 | 0 | } |
23386 | | |
23387 | | /* |
23388 | | * We need to remove any existing NSEC3 chains if the supplied NSEC3 |
23389 | | * parameters are supposed to replace the current ones or if we are |
23390 | | * switching to NSEC. |
23391 | | */ |
23392 | 0 | if (!exists && np->replace && (np->length != 0 || np->nsec)) { |
23393 | 0 | CHECK(dns_nsec3param_deletechains(db, newver, zone, !np->nsec, |
23394 | 0 | &diff)); |
23395 | 0 | } |
23396 | | |
23397 | 0 | if (!exists && np->length != 0) { |
23398 | | /* |
23399 | | * We're creating an NSEC3 chain. Add the private-type record |
23400 | | * passed in the event handler's argument to the zone apex. |
23401 | | * |
23402 | | * If the zone is not currently capable of supporting an NSEC3 |
23403 | | * chain (due to the DNSKEY RRset at the zone apex not existing |
23404 | | * or containing at least one key using an NSEC-only |
23405 | | * algorithm), add the INITIAL flag, so these parameters can be |
23406 | | * used later when NSEC3 becomes available. |
23407 | | */ |
23408 | 0 | dns_rdata_init(&rdata); |
23409 | |
|
23410 | 0 | np->data[2] |= DNS_NSEC3FLAG_CREATE; |
23411 | 0 | result = dns_nsec_nseconly(db, newver, NULL, &nseconly); |
23412 | 0 | if (result == ISC_R_NOTFOUND || nseconly) { |
23413 | 0 | np->data[2] |= DNS_NSEC3FLAG_INITIAL; |
23414 | 0 | } |
23415 | |
|
23416 | 0 | rdata.length = np->length; |
23417 | 0 | rdata.data = np->data; |
23418 | 0 | rdata.type = zone->privatetype; |
23419 | 0 | rdata.rdclass = zone->rdclass; |
23420 | 0 | CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_ADD, |
23421 | 0 | &zone->origin, 0, &rdata)); |
23422 | 0 | } |
23423 | | |
23424 | | /* |
23425 | | * If we changed anything in the zone, write changes to journal file |
23426 | | * and set commit to true so that resume_addnsec3chain() will be |
23427 | | * called below in order to kick off adding/removing relevant NSEC3 |
23428 | | * records. |
23429 | | */ |
23430 | 0 | if (!ISC_LIST_EMPTY(diff.tuples)) { |
23431 | 0 | CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx, |
23432 | 0 | zone->updatemethod)); |
23433 | 0 | result = dns_update_signatures(&log, zone, db, oldver, newver, |
23434 | 0 | &diff, |
23435 | 0 | zone->sigvalidityinterval); |
23436 | 0 | if (result != ISC_R_NOTFOUND) { |
23437 | 0 | CHECK(result); |
23438 | 0 | } |
23439 | 0 | CHECK(zone_journal(zone, &diff, NULL, "setnsec3param")); |
23440 | 0 | commit = true; |
23441 | |
|
23442 | 0 | LOCK_ZONE(zone); |
23443 | 0 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); |
23444 | 0 | zone_needdump(zone, 30); |
23445 | 0 | UNLOCK_ZONE(zone); |
23446 | 0 | } |
23447 | | |
23448 | 0 | failure: |
23449 | 0 | if (dns_rdataset_isassociated(&prdataset)) { |
23450 | 0 | dns_rdataset_disassociate(&prdataset); |
23451 | 0 | } |
23452 | 0 | if (dns_rdataset_isassociated(&nrdataset)) { |
23453 | 0 | dns_rdataset_disassociate(&nrdataset); |
23454 | 0 | } |
23455 | 0 | if (node != NULL) { |
23456 | 0 | dns_db_detachnode(db, &node); |
23457 | 0 | } |
23458 | 0 | if (oldver != NULL) { |
23459 | 0 | dns_db_closeversion(db, &oldver, false); |
23460 | 0 | } |
23461 | 0 | if (newver != NULL) { |
23462 | 0 | dns_db_closeversion(db, &newver, commit); |
23463 | 0 | } |
23464 | 0 | if (db != NULL) { |
23465 | 0 | dns_db_detach(&db); |
23466 | 0 | } |
23467 | 0 | if (commit) { |
23468 | 0 | LOCK_ZONE(zone); |
23469 | 0 | resume_addnsec3chain(zone); |
23470 | 0 | UNLOCK_ZONE(zone); |
23471 | 0 | } |
23472 | 0 | dns_diff_clear(&diff); |
23473 | 0 | isc_mem_put(zone->mctx, npe, sizeof(*npe)); |
23474 | |
|
23475 | 0 | INSIST(oldver == NULL); |
23476 | 0 | INSIST(newver == NULL); |
23477 | 0 | } |
23478 | | |
23479 | | /* |
23480 | | * Check if zone has NSEC3PARAM (and thus a chain) with the right parameters. |
23481 | | * |
23482 | | * If 'salt' is NULL, a match is found if the salt has the requested length, |
23483 | | * otherwise the NSEC3 salt must match the requested salt value too. |
23484 | | * |
23485 | | * Returns ISC_R_SUCCESS, if a match is found, or an error if no match is |
23486 | | * found, or if the db lookup failed. |
23487 | | */ |
23488 | | isc_result_t |
23489 | | dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup, |
23490 | | dns_rdata_nsec3param_t *param, |
23491 | 0 | unsigned char saltbuf[255], bool resalt) { |
23492 | 0 | isc_result_t result = ISC_R_UNEXPECTED; |
23493 | 0 | dns_dbnode_t *node = NULL; |
23494 | 0 | dns_db_t *db = NULL; |
23495 | 0 | dns_dbversion_t *version = NULL; |
23496 | 0 | dns_rdataset_t rdataset; |
23497 | 0 | dns_rdata_nsec3param_t nsec3param; |
23498 | 0 | dns_rdata_t rdata = DNS_RDATA_INIT; |
23499 | |
|
23500 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23501 | |
|
23502 | 0 | dns_rdataset_init(&rdataset); |
23503 | |
|
23504 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23505 | 0 | if (zone->db != NULL) { |
23506 | 0 | dns_db_attach(zone->db, &db); |
23507 | 0 | } |
23508 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23509 | 0 | if (db == NULL) { |
23510 | 0 | result = ISC_R_FAILURE; |
23511 | 0 | goto setparam; |
23512 | 0 | } |
23513 | | |
23514 | 0 | result = dns_db_findnode(db, &zone->origin, false, &node); |
23515 | 0 | if (result != ISC_R_SUCCESS) { |
23516 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
23517 | 0 | "dns__zone_lookup_nsec3param:" |
23518 | 0 | "dns_db_findnode -> %s", |
23519 | 0 | isc_result_totext(result)); |
23520 | 0 | result = ISC_R_FAILURE; |
23521 | 0 | goto setparam; |
23522 | 0 | } |
23523 | 0 | dns_db_currentversion(db, &version); |
23524 | |
|
23525 | 0 | result = dns_db_findrdataset(db, node, version, |
23526 | 0 | dns_rdatatype_nsec3param, |
23527 | 0 | dns_rdatatype_none, 0, &rdataset, NULL); |
23528 | 0 | if (result != ISC_R_SUCCESS) { |
23529 | 0 | INSIST(!dns_rdataset_isassociated(&rdataset)); |
23530 | 0 | if (result != ISC_R_NOTFOUND) { |
23531 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
23532 | 0 | "dns__zone_lookup_nsec3param:" |
23533 | 0 | "dns_db_findrdataset -> %s", |
23534 | 0 | isc_result_totext(result)); |
23535 | 0 | } |
23536 | 0 | goto setparam; |
23537 | 0 | } |
23538 | | |
23539 | 0 | for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; |
23540 | 0 | result = dns_rdataset_next(&rdataset)) |
23541 | 0 | { |
23542 | 0 | dns_rdataset_current(&rdataset, &rdata); |
23543 | 0 | result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); |
23544 | 0 | INSIST(result == ISC_R_SUCCESS); |
23545 | 0 | dns_rdata_reset(&rdata); |
23546 | | |
23547 | | /* Check parameters. */ |
23548 | 0 | if (nsec3param.hash != lookup->hash) { |
23549 | 0 | continue; |
23550 | 0 | } |
23551 | 0 | if (nsec3param.iterations != lookup->iterations) { |
23552 | 0 | continue; |
23553 | 0 | } |
23554 | 0 | if (nsec3param.salt_length != lookup->salt_length) { |
23555 | 0 | continue; |
23556 | 0 | } |
23557 | 0 | if (lookup->salt != NULL) { |
23558 | 0 | if (memcmp(nsec3param.salt, lookup->salt, |
23559 | 0 | lookup->salt_length) != 0) |
23560 | 0 | { |
23561 | 0 | continue; |
23562 | 0 | } |
23563 | 0 | } |
23564 | | /* Found a match. */ |
23565 | 0 | result = ISC_R_SUCCESS; |
23566 | 0 | param->hash = nsec3param.hash; |
23567 | 0 | param->flags = nsec3param.flags; |
23568 | 0 | param->iterations = nsec3param.iterations; |
23569 | 0 | param->salt_length = nsec3param.salt_length; |
23570 | 0 | param->salt = nsec3param.salt; |
23571 | 0 | break; |
23572 | 0 | } |
23573 | |
|
23574 | 0 | if (result == ISC_R_NOMORE) { |
23575 | 0 | result = ISC_R_NOTFOUND; |
23576 | 0 | } |
23577 | |
|
23578 | 0 | setparam: |
23579 | 0 | if (result != ISC_R_SUCCESS) { |
23580 | | /* Found no match. */ |
23581 | 0 | param->hash = lookup->hash; |
23582 | 0 | param->flags = lookup->flags; |
23583 | 0 | param->iterations = lookup->iterations; |
23584 | 0 | param->salt_length = lookup->salt_length; |
23585 | 0 | param->salt = lookup->salt; |
23586 | 0 | } |
23587 | |
|
23588 | 0 | if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) { |
23589 | 0 | goto failure; |
23590 | 0 | } |
23591 | | |
23592 | 0 | if (param->salt_length == 0) { |
23593 | 0 | param->salt = (unsigned char *)"-"; |
23594 | 0 | } else if (resalt || param->salt == NULL) { |
23595 | 0 | unsigned char *newsalt; |
23596 | 0 | unsigned char salttext[255 * 2 + 1]; |
23597 | 0 | do { |
23598 | | /* Generate a new salt. */ |
23599 | 0 | result = dns_nsec3_generate_salt(saltbuf, |
23600 | 0 | param->salt_length); |
23601 | 0 | if (result != ISC_R_SUCCESS) { |
23602 | 0 | break; |
23603 | 0 | } |
23604 | 0 | newsalt = saltbuf; |
23605 | 0 | salt2text(newsalt, param->salt_length, salttext, |
23606 | 0 | sizeof(salttext)); |
23607 | 0 | dnssec_log(zone, ISC_LOG_INFO, "generated salt: %s", |
23608 | 0 | salttext); |
23609 | | /* Check for salt conflict. */ |
23610 | 0 | if (param->salt != NULL && |
23611 | 0 | memcmp(newsalt, param->salt, param->salt_length) == |
23612 | 0 | 0) |
23613 | 0 | { |
23614 | 0 | result = ISC_R_SUCCESS; |
23615 | 0 | } else { |
23616 | 0 | param->salt = newsalt; |
23617 | 0 | result = DNS_R_NSEC3RESALT; |
23618 | 0 | } |
23619 | 0 | } while (result == ISC_R_SUCCESS); |
23620 | | |
23621 | 0 | INSIST(result != ISC_R_SUCCESS); |
23622 | 0 | } |
23623 | | |
23624 | 0 | failure: |
23625 | 0 | if (dns_rdataset_isassociated(&rdataset)) { |
23626 | 0 | dns_rdataset_disassociate(&rdataset); |
23627 | 0 | } |
23628 | 0 | if (node != NULL) { |
23629 | 0 | dns_db_detachnode(db, &node); |
23630 | 0 | } |
23631 | 0 | if (version != NULL) { |
23632 | 0 | dns_db_closeversion(db, &version, false); |
23633 | 0 | } |
23634 | 0 | if (db != NULL) { |
23635 | 0 | dns_db_detach(&db); |
23636 | 0 | } |
23637 | |
|
23638 | 0 | return (result); |
23639 | 0 | } |
23640 | | |
23641 | | /* |
23642 | | * Called when an "rndc signing -nsec3param ..." command is received, or the |
23643 | | * 'dnssec-policy' has changed. |
23644 | | * |
23645 | | * Allocate and prepare an nsec3param_t structure which holds information about |
23646 | | * the NSEC3 changes requested for the zone: |
23647 | | * |
23648 | | * - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec" |
23649 | | * field of the structure to true and the "replace" field to the value |
23650 | | * of the "replace" argument, leaving other fields initialized to zeros, to |
23651 | | * signal that the zone should be signed using NSEC instead of NSEC3, |
23652 | | * |
23653 | | * - otherwise, prepare NSEC3PARAM RDATA that will eventually be inserted at |
23654 | | * the zone apex, convert it to a private-type record and store the latter |
23655 | | * in the "data" field of the nsec3param_t structure. |
23656 | | * |
23657 | | * Once the nsec3param_t structure is prepared, post an event to the zone's |
23658 | | * loop which will cause setnsec3param() to be called with the prepared |
23659 | | * structure passed as an argument. |
23660 | | */ |
23661 | | isc_result_t |
23662 | | dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags, |
23663 | | uint16_t iter, uint8_t saltlen, unsigned char *salt, |
23664 | 0 | bool replace, bool resalt) { |
23665 | 0 | isc_result_t result = ISC_R_SUCCESS; |
23666 | 0 | dns_rdata_nsec3param_t param, lookup; |
23667 | 0 | dns_rdata_t nrdata = DNS_RDATA_INIT; |
23668 | 0 | dns_rdata_t prdata = DNS_RDATA_INIT; |
23669 | 0 | unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE]; |
23670 | 0 | unsigned char saltbuf[255]; |
23671 | 0 | struct np3 *npe = NULL; |
23672 | 0 | nsec3param_t *np = NULL; |
23673 | 0 | isc_buffer_t b; |
23674 | 0 | bool do_lookup = false; |
23675 | |
|
23676 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23677 | |
|
23678 | 0 | LOCK_ZONE(zone); |
23679 | | |
23680 | | /* |
23681 | | * First check if the requested NSEC3 parameters are already |
23682 | | * set, if so, no need to set again. |
23683 | | */ |
23684 | 0 | if (hash != 0) { |
23685 | 0 | lookup.hash = hash; |
23686 | 0 | lookup.flags = flags; |
23687 | 0 | lookup.iterations = iter; |
23688 | 0 | lookup.salt_length = saltlen; |
23689 | 0 | lookup.salt = salt; |
23690 | 0 | param.salt = NULL; |
23691 | 0 | result = dns__zone_lookup_nsec3param(zone, &lookup, ¶m, |
23692 | 0 | saltbuf, resalt); |
23693 | 0 | if (result == ISC_R_SUCCESS) { |
23694 | 0 | UNLOCK_ZONE(zone); |
23695 | 0 | return (ISC_R_SUCCESS); |
23696 | 0 | } |
23697 | | /* |
23698 | | * Schedule lookup if lookup above failed (may happen if |
23699 | | * zone db is NULL for example). |
23700 | | */ |
23701 | 0 | do_lookup = (param.salt == NULL) ? true : false; |
23702 | 0 | } |
23703 | | |
23704 | 0 | npe = isc_mem_get(zone->mctx, sizeof(*npe)); |
23705 | 0 | *npe = (struct np3){ |
23706 | 0 | .link = ISC_LINK_INITIALIZER, |
23707 | 0 | }; |
23708 | |
|
23709 | 0 | np = &npe->params; |
23710 | 0 | *np = (struct nsec3param){ |
23711 | 0 | .replace = replace, |
23712 | 0 | .resalt = resalt, |
23713 | 0 | .lookup = do_lookup, |
23714 | 0 | }; |
23715 | |
|
23716 | 0 | if (hash == 0) { |
23717 | 0 | np->nsec = true; |
23718 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec"); |
23719 | 0 | } else { |
23720 | 0 | param.common.rdclass = zone->rdclass; |
23721 | 0 | param.common.rdtype = dns_rdatatype_nsec3param; |
23722 | 0 | ISC_LINK_INIT(¶m.common, link); |
23723 | 0 | param.mctx = NULL; |
23724 | | /* |
23725 | | * nsec3 specific param set in |
23726 | | * dns__zone_lookup_nsec3param() |
23727 | | */ |
23728 | 0 | isc_buffer_init(&b, nbuf, sizeof(nbuf)); |
23729 | |
|
23730 | 0 | if (param.salt != NULL) { |
23731 | 0 | CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass, |
23732 | 0 | dns_rdatatype_nsec3param, |
23733 | 0 | ¶m, &b)); |
23734 | 0 | dns_nsec3param_toprivate(&nrdata, &prdata, |
23735 | 0 | zone->privatetype, np->data, |
23736 | 0 | sizeof(np->data)); |
23737 | 0 | np->length = prdata.length; |
23738 | 0 | } |
23739 | | |
23740 | 0 | np->rdata = param; |
23741 | |
|
23742 | 0 | if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { |
23743 | 0 | unsigned char salttext[255 * 2 + 1]; |
23744 | 0 | if (param.salt != NULL) { |
23745 | 0 | salt2text(param.salt, param.salt_length, |
23746 | 0 | salttext, sizeof(salttext)); |
23747 | 0 | } |
23748 | 0 | dnssec_log(zone, ISC_LOG_DEBUG(3), |
23749 | 0 | "setnsec3param:nsec3 %u %u %u %u:%s", |
23750 | 0 | param.hash, param.flags, param.iterations, |
23751 | 0 | param.salt_length, |
23752 | 0 | param.salt == NULL ? "unknown" |
23753 | 0 | : (char *)salttext); |
23754 | 0 | } |
23755 | 0 | } |
23756 | | |
23757 | | /* |
23758 | | * setnsec3param() will silently return early if the zone does |
23759 | | * not yet have a database. Prevent that by queueing the event |
23760 | | * up if zone->db is NULL. All events queued here are |
23761 | | * subsequently processed by receive_secure_db() if it ever gets |
23762 | | * called or simply freed by zone_free() otherwise. |
23763 | | */ |
23764 | | |
23765 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23766 | 0 | if (zone->db != NULL) { |
23767 | 0 | zone_iattach(zone, &npe->zone); |
23768 | 0 | isc_async_run(zone->loop, setnsec3param, npe); |
23769 | 0 | } else { |
23770 | 0 | ISC_LIST_APPEND(zone->setnsec3param_queue, npe, link); |
23771 | 0 | } |
23772 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23773 | |
|
23774 | 0 | result = ISC_R_SUCCESS; |
23775 | |
|
23776 | 0 | failure: |
23777 | 0 | UNLOCK_ZONE(zone); |
23778 | 0 | return (result); |
23779 | 0 | } |
23780 | | |
23781 | | isc_result_t |
23782 | 0 | dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime) { |
23783 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23784 | 0 | REQUIRE(loadtime != NULL); |
23785 | |
|
23786 | 0 | LOCK_ZONE(zone); |
23787 | 0 | *loadtime = zone->loadtime; |
23788 | 0 | UNLOCK_ZONE(zone); |
23789 | 0 | return (ISC_R_SUCCESS); |
23790 | 0 | } |
23791 | | |
23792 | | isc_result_t |
23793 | 0 | dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime) { |
23794 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23795 | 0 | REQUIRE(expiretime != NULL); |
23796 | |
|
23797 | 0 | LOCK_ZONE(zone); |
23798 | 0 | *expiretime = zone->expiretime; |
23799 | 0 | UNLOCK_ZONE(zone); |
23800 | 0 | return (ISC_R_SUCCESS); |
23801 | 0 | } |
23802 | | |
23803 | | isc_result_t |
23804 | 0 | dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime) { |
23805 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23806 | 0 | REQUIRE(refreshtime != NULL); |
23807 | |
|
23808 | 0 | LOCK_ZONE(zone); |
23809 | 0 | *refreshtime = zone->refreshtime; |
23810 | 0 | UNLOCK_ZONE(zone); |
23811 | 0 | return (ISC_R_SUCCESS); |
23812 | 0 | } |
23813 | | |
23814 | | isc_result_t |
23815 | 0 | dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime) { |
23816 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23817 | 0 | REQUIRE(refreshkeytime != NULL); |
23818 | |
|
23819 | 0 | LOCK_ZONE(zone); |
23820 | 0 | *refreshkeytime = zone->refreshkeytime; |
23821 | 0 | UNLOCK_ZONE(zone); |
23822 | 0 | return (ISC_R_SUCCESS); |
23823 | 0 | } |
23824 | | |
23825 | | unsigned int |
23826 | 0 | dns_zone_getincludes(dns_zone_t *zone, char ***includesp) { |
23827 | 0 | dns_include_t *include; |
23828 | 0 | char **array = NULL; |
23829 | 0 | unsigned int n = 0; |
23830 | |
|
23831 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23832 | 0 | REQUIRE(includesp != NULL && *includesp == NULL); |
23833 | |
|
23834 | 0 | LOCK_ZONE(zone); |
23835 | 0 | if (zone->nincludes == 0) { |
23836 | 0 | goto done; |
23837 | 0 | } |
23838 | | |
23839 | 0 | array = isc_mem_allocate(zone->mctx, sizeof(char *) * zone->nincludes); |
23840 | 0 | for (include = ISC_LIST_HEAD(zone->includes); include != NULL; |
23841 | 0 | include = ISC_LIST_NEXT(include, link)) |
23842 | 0 | { |
23843 | 0 | INSIST(n < zone->nincludes); |
23844 | 0 | array[n++] = isc_mem_strdup(zone->mctx, include->name); |
23845 | 0 | } |
23846 | 0 | INSIST(n == zone->nincludes); |
23847 | 0 | *includesp = array; |
23848 | |
|
23849 | 0 | done: |
23850 | 0 | UNLOCK_ZONE(zone); |
23851 | 0 | return (n); |
23852 | 0 | } |
23853 | | |
23854 | | void |
23855 | 0 | dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) { |
23856 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23857 | |
|
23858 | 0 | zone->statlevel = level; |
23859 | 0 | } |
23860 | | |
23861 | | dns_zonestat_level_t |
23862 | 0 | dns_zone_getstatlevel(dns_zone_t *zone) { |
23863 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23864 | |
|
23865 | 0 | return (zone->statlevel); |
23866 | 0 | } |
23867 | | |
23868 | | static void |
23869 | 0 | setserial(void *arg) { |
23870 | 0 | uint32_t oldserial, desired; |
23871 | 0 | bool commit = false; |
23872 | 0 | isc_result_t result; |
23873 | 0 | dns_dbversion_t *oldver = NULL, *newver = NULL; |
23874 | 0 | dns_db_t *db = NULL; |
23875 | 0 | dns_diff_t diff; |
23876 | 0 | struct setserial *sse = (struct setserial *)arg; |
23877 | 0 | dns_zone_t *zone = sse->zone; |
23878 | 0 | dns_update_log_t log = { update_log_cb, NULL }; |
23879 | 0 | dns_difftuple_t *oldtuple = NULL, *newtuple = NULL; |
23880 | |
|
23881 | 0 | INSIST(DNS_ZONE_VALID(zone)); |
23882 | |
|
23883 | 0 | ENTER; |
23884 | |
|
23885 | 0 | if (zone->update_disabled) { |
23886 | 0 | goto disabled; |
23887 | 0 | } |
23888 | | |
23889 | 0 | desired = sse->serial; |
23890 | |
|
23891 | 0 | dns_diff_init(zone->mctx, &diff); |
23892 | |
|
23893 | 0 | ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); |
23894 | 0 | if (zone->db != NULL) { |
23895 | 0 | dns_db_attach(zone->db, &db); |
23896 | 0 | } |
23897 | 0 | ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); |
23898 | 0 | if (db == NULL) { |
23899 | 0 | goto failure; |
23900 | 0 | } |
23901 | | |
23902 | 0 | dns_db_currentversion(db, &oldver); |
23903 | 0 | result = dns_db_newversion(db, &newver); |
23904 | 0 | if (result != ISC_R_SUCCESS) { |
23905 | 0 | dns_zone_log(zone, ISC_LOG_ERROR, |
23906 | 0 | "setserial:dns_db_newversion -> %s", |
23907 | 0 | isc_result_totext(result)); |
23908 | 0 | goto failure; |
23909 | 0 | } |
23910 | | |
23911 | 0 | CHECK(dns_db_createsoatuple(db, oldver, diff.mctx, DNS_DIFFOP_DEL, |
23912 | 0 | &oldtuple)); |
23913 | 0 | CHECK(dns_difftuple_copy(oldtuple, &newtuple)); |
23914 | 0 | newtuple->op = DNS_DIFFOP_ADD; |
23915 | |
|
23916 | 0 | oldserial = dns_soa_getserial(&oldtuple->rdata); |
23917 | 0 | if (desired == 0U) { |
23918 | 0 | desired = 1; |
23919 | 0 | } |
23920 | 0 | if (!isc_serial_gt(desired, oldserial)) { |
23921 | 0 | if (desired != oldserial) { |
23922 | 0 | dns_zone_log(zone, ISC_LOG_INFO, |
23923 | 0 | "setserial: desired serial (%u) " |
23924 | 0 | "out of range (%u-%u)", |
23925 | 0 | desired, oldserial + 1, |
23926 | 0 | (oldserial + 0x7fffffff)); |
23927 | 0 | } |
23928 | 0 | goto failure; |
23929 | 0 | } |
23930 | | |
23931 | 0 | dns_soa_setserial(desired, &newtuple->rdata); |
23932 | 0 | CHECK(do_one_tuple(&oldtuple, db, newver, &diff)); |
23933 | 0 | CHECK(do_one_tuple(&newtuple, db, newver, &diff)); |
23934 | 0 | result = dns_update_signatures(&log, zone, db, oldver, newver, &diff, |
23935 | 0 | zone->sigvalidityinterval); |
23936 | 0 | if (result != ISC_R_NOTFOUND) { |
23937 | 0 | CHECK(result); |
23938 | 0 | } |
23939 | | |
23940 | | /* Write changes to journal file. */ |
23941 | 0 | CHECK(zone_journal(zone, &diff, NULL, "setserial")); |
23942 | 0 | commit = true; |
23943 | |
|
23944 | 0 | LOCK_ZONE(zone); |
23945 | 0 | zone_needdump(zone, 30); |
23946 | 0 | UNLOCK_ZONE(zone); |
23947 | |
|
23948 | 0 | failure: |
23949 | 0 | if (oldtuple != NULL) { |
23950 | 0 | dns_difftuple_free(&oldtuple); |
23951 | 0 | } |
23952 | 0 | if (newtuple != NULL) { |
23953 | 0 | dns_difftuple_free(&newtuple); |
23954 | 0 | } |
23955 | 0 | if (oldver != NULL) { |
23956 | 0 | dns_db_closeversion(db, &oldver, false); |
23957 | 0 | } |
23958 | 0 | if (newver != NULL) { |
23959 | 0 | dns_db_closeversion(db, &newver, commit); |
23960 | 0 | } |
23961 | 0 | if (db != NULL) { |
23962 | 0 | dns_db_detach(&db); |
23963 | 0 | } |
23964 | 0 | dns_diff_clear(&diff); |
23965 | |
|
23966 | 0 | disabled: |
23967 | 0 | isc_mem_put(zone->mctx, sse, sizeof(*sse)); |
23968 | 0 | dns_zone_idetach(&zone); |
23969 | |
|
23970 | 0 | INSIST(oldver == NULL); |
23971 | 0 | INSIST(newver == NULL); |
23972 | 0 | } |
23973 | | |
23974 | | isc_result_t |
23975 | 0 | dns_zone_setserial(dns_zone_t *zone, uint32_t serial) { |
23976 | 0 | isc_result_t result = ISC_R_SUCCESS; |
23977 | 0 | struct setserial *sse = NULL; |
23978 | |
|
23979 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
23980 | |
|
23981 | 0 | LOCK_ZONE(zone); |
23982 | |
|
23983 | 0 | if (!inline_secure(zone)) { |
23984 | 0 | if (!dns_zone_isdynamic(zone, true)) { |
23985 | 0 | result = DNS_R_NOTDYNAMIC; |
23986 | 0 | goto failure; |
23987 | 0 | } |
23988 | 0 | } |
23989 | | |
23990 | 0 | if (zone->update_disabled) { |
23991 | 0 | result = DNS_R_FROZEN; |
23992 | 0 | goto failure; |
23993 | 0 | } |
23994 | | |
23995 | 0 | sse = isc_mem_get(zone->mctx, sizeof(*sse)); |
23996 | 0 | *sse = (struct setserial){ .serial = serial }; |
23997 | 0 | zone_iattach(zone, &sse->zone); |
23998 | 0 | isc_async_run(zone->loop, setserial, sse); |
23999 | |
|
24000 | 0 | failure: |
24001 | 0 | UNLOCK_ZONE(zone); |
24002 | 0 | return (result); |
24003 | 0 | } |
24004 | | |
24005 | | isc_stats_t * |
24006 | 0 | dns_zone_getgluecachestats(dns_zone_t *zone) { |
24007 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
24008 | |
|
24009 | 0 | return (zone->gluecachestats); |
24010 | 0 | } |
24011 | | |
24012 | | bool |
24013 | 0 | dns_zone_isloaded(dns_zone_t *zone) { |
24014 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
24015 | |
|
24016 | 0 | return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)); |
24017 | 0 | } |
24018 | | |
24019 | | isc_result_t |
24020 | 2 | dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { |
24021 | 2 | dns_dbversion_t *version = NULL; |
24022 | 2 | dns_keytable_t *secroots = NULL; |
24023 | 2 | isc_result_t result; |
24024 | 2 | dns_name_t *origin; |
24025 | | |
24026 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
24027 | 2 | REQUIRE(db != NULL); |
24028 | | |
24029 | 2 | ENTER; |
24030 | | |
24031 | 2 | if (dns_zone_gettype(zone) != dns_zone_mirror) { |
24032 | 2 | return (ISC_R_SUCCESS); |
24033 | 2 | } |
24034 | | |
24035 | 0 | if (ver == NULL) { |
24036 | 0 | dns_db_currentversion(db, &version); |
24037 | 0 | } else { |
24038 | 0 | version = ver; |
24039 | 0 | } |
24040 | |
|
24041 | 0 | if (zone->view != NULL) { |
24042 | 0 | result = dns_view_getsecroots(zone->view, &secroots); |
24043 | 0 | if (result != ISC_R_SUCCESS) { |
24044 | 0 | goto done; |
24045 | 0 | } |
24046 | 0 | } |
24047 | | |
24048 | 0 | origin = dns_db_origin(db); |
24049 | 0 | result = dns_zoneverify_dnssec(zone, db, version, origin, secroots, |
24050 | 0 | zone->mctx, true, false, dnssec_report); |
24051 | |
|
24052 | 0 | done: |
24053 | 0 | if (secroots != NULL) { |
24054 | 0 | dns_keytable_detach(&secroots); |
24055 | 0 | } |
24056 | |
|
24057 | 0 | if (ver == NULL) { |
24058 | 0 | dns_db_closeversion(db, &version, false); |
24059 | 0 | } |
24060 | |
|
24061 | 0 | if (result != ISC_R_SUCCESS) { |
24062 | 0 | dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s", |
24063 | 0 | isc_result_totext(result)); |
24064 | 0 | result = DNS_R_VERIFYFAILURE; |
24065 | 0 | } |
24066 | |
|
24067 | 0 | return (result); |
24068 | 0 | } |
24069 | | |
24070 | | static dns_ttl_t |
24071 | 0 | zone_nsecttl(dns_zone_t *zone) { |
24072 | 0 | REQUIRE(DNS_ZONE_VALID(zone)); |
24073 | |
|
24074 | 0 | return (ISC_MIN(zone->minimum, zone->soattl)); |
24075 | 0 | } |
24076 | | |
24077 | | void |
24078 | | dns_zonemgr_set_tlsctx_cache(dns_zonemgr_t *zmgr, |
24079 | 0 | isc_tlsctx_cache_t *tlsctx_cache) { |
24080 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
24081 | 0 | REQUIRE(tlsctx_cache != NULL); |
24082 | |
|
24083 | 0 | RWLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_write); |
24084 | |
|
24085 | 0 | if (zmgr->tlsctx_cache != NULL) { |
24086 | 0 | isc_tlsctx_cache_detach(&zmgr->tlsctx_cache); |
24087 | 0 | } |
24088 | |
|
24089 | 0 | isc_tlsctx_cache_attach(tlsctx_cache, &zmgr->tlsctx_cache); |
24090 | |
|
24091 | 0 | RWUNLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_write); |
24092 | 0 | } |
24093 | | |
24094 | | static void |
24095 | 0 | zmgr_tlsctx_attach(dns_zonemgr_t *zmgr, isc_tlsctx_cache_t **ptlsctx_cache) { |
24096 | 0 | REQUIRE(DNS_ZONEMGR_VALID(zmgr)); |
24097 | 0 | REQUIRE(ptlsctx_cache != NULL && *ptlsctx_cache == NULL); |
24098 | |
|
24099 | 0 | RWLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_read); |
24100 | |
|
24101 | 0 | INSIST(zmgr->tlsctx_cache != NULL); |
24102 | 0 | isc_tlsctx_cache_attach(zmgr->tlsctx_cache, ptlsctx_cache); |
24103 | |
|
24104 | 0 | RWUNLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_read); |
24105 | 0 | } |
24106 | | |
24107 | | isc_mem_t * |
24108 | 0 | dns_zone_getmem(dns_zone_t *zone) { |
24109 | 0 | return (zone->mctx); |
24110 | 0 | } |
24111 | | |
24112 | | unsigned int |
24113 | 0 | dns_zone_gettid(dns_zone_t *zone) { |
24114 | 0 | return (zone->tid); |
24115 | 0 | } |
24116 | | |
24117 | | isc_loop_t * |
24118 | 0 | dns_zone_getloop(dns_zone_t *zone) { |
24119 | 0 | return (zone->loop); |
24120 | 0 | } |
24121 | | |
24122 | | isc_result_t |
24123 | 2 | dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) { |
24124 | 2 | REQUIRE(DNS_ZONE_VALID(zone)); |
24125 | 2 | REQUIRE(dbp != NULL && *dbp == NULL); |
24126 | | |
24127 | 2 | dns_db_t *db = NULL; |
24128 | | |
24129 | 2 | isc_result_t result = dns_db_create( |
24130 | 2 | zone->mctx, zone->db_argv[0], &zone->origin, |
24131 | 2 | (zone->type == dns_zone_stub) ? dns_dbtype_stub |
24132 | 2 | : dns_dbtype_zone, |
24133 | 2 | zone->rdclass, zone->db_argc - 1, zone->db_argv + 1, &db); |
24134 | 2 | if (result != ISC_R_SUCCESS) { |
24135 | 0 | return (result); |
24136 | 0 | } |
24137 | | |
24138 | 2 | switch (zone->type) { |
24139 | 2 | case dns_zone_primary: |
24140 | 2 | case dns_zone_secondary: |
24141 | 2 | case dns_zone_mirror: |
24142 | 2 | result = dns_db_setgluecachestats(db, zone->gluecachestats); |
24143 | 2 | if (result == ISC_R_NOTIMPLEMENTED) { |
24144 | 0 | result = ISC_R_SUCCESS; |
24145 | 0 | } |
24146 | 2 | if (result != ISC_R_SUCCESS) { |
24147 | 0 | dns_db_detach(&db); |
24148 | 0 | return (result); |
24149 | 0 | } |
24150 | 2 | break; |
24151 | 2 | default: |
24152 | 0 | break; |
24153 | 2 | } |
24154 | | |
24155 | 2 | dns_db_setloop(db, zone->loop); |
24156 | | |
24157 | 2 | *dbp = db; |
24158 | | |
24159 | 2 | return (ISC_R_SUCCESS); |
24160 | 2 | } |