Coverage Report

Created: 2024-07-23 06:08

/src/bind9/lib/dns/zone.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3
 *
4
 * SPDX-License-Identifier: MPL-2.0
5
 *
6
 * This Source Code Form is subject to the terms of the Mozilla Public
7
 * License, v. 2.0. If a copy of the MPL was not distributed with this
8
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
9
 *
10
 * See the COPYRIGHT file distributed with this work for additional
11
 * information regarding copyright ownership.
12
 */
13
14
/*! \file */
15
16
#include <errno.h>
17
#include <inttypes.h>
18
#include <stdbool.h>
19
20
#include <isc/async.h>
21
#include <isc/atomic.h>
22
#include <isc/file.h>
23
#include <isc/hash.h>
24
#include <isc/hashmap.h>
25
#include <isc/hex.h>
26
#include <isc/loop.h>
27
#include <isc/md.h>
28
#include <isc/mutex.h>
29
#include <isc/overflow.h>
30
#include <isc/random.h>
31
#include <isc/ratelimiter.h>
32
#include <isc/refcount.h>
33
#include <isc/result.h>
34
#include <isc/rwlock.h>
35
#include <isc/serial.h>
36
#include <isc/stats.h>
37
#include <isc/stdtime.h>
38
#include <isc/strerr.h>
39
#include <isc/string.h>
40
#include <isc/thread.h>
41
#include <isc/tid.h>
42
#include <isc/timer.h>
43
#include <isc/tls.h>
44
#include <isc/util.h>
45
46
#include <dns/acl.h>
47
#include <dns/adb.h>
48
#include <dns/callbacks.h>
49
#include <dns/catz.h>
50
#include <dns/db.h>
51
#include <dns/dbiterator.h>
52
#include <dns/dlz.h>
53
#include <dns/dnssec.h>
54
#include <dns/journal.h>
55
#include <dns/kasp.h>
56
#include <dns/keydata.h>
57
#include <dns/keymgr.h>
58
#include <dns/keytable.h>
59
#include <dns/keyvalues.h>
60
#include <dns/log.h>
61
#include <dns/master.h>
62
#include <dns/masterdump.h>
63
#include <dns/message.h>
64
#include <dns/name.h>
65
#include <dns/nsec.h>
66
#include <dns/nsec3.h>
67
#include <dns/opcode.h>
68
#include <dns/peer.h>
69
#include <dns/private.h>
70
#include <dns/rcode.h>
71
#include <dns/rdata.h>
72
#include <dns/rdataclass.h>
73
#include <dns/rdatalist.h>
74
#include <dns/rdataset.h>
75
#include <dns/rdatasetiter.h>
76
#include <dns/rdatastruct.h>
77
#include <dns/rdatatype.h>
78
#include <dns/remote.h>
79
#include <dns/request.h>
80
#include <dns/resolver.h>
81
#include <dns/rriterator.h>
82
#include <dns/soa.h>
83
#include <dns/ssu.h>
84
#include <dns/stats.h>
85
#include <dns/time.h>
86
#include <dns/tsig.h>
87
#include <dns/update.h>
88
#include <dns/xfrin.h>
89
#include <dns/zone.h>
90
#include <dns/zoneverify.h>
91
#include <dns/zt.h>
92
93
#include <dst/dst.h>
94
95
#include "zone_p.h"
96
97
2
#define ZONE_MAGIC       ISC_MAGIC('Z', 'O', 'N', 'E')
98
#define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
99
100
0
#define NOTIFY_MAGIC     ISC_MAGIC('N', 't', 'f', 'y')
101
#define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
102
103
0
#define CHECKDS_MAGIC      ISC_MAGIC('C', 'h', 'D', 'S')
104
#define DNS_CHECKDS_VALID(checkds) ISC_MAGIC_VALID(checkds, CHECKDS_MAGIC)
105
106
0
#define STUB_MAGIC       ISC_MAGIC('S', 't', 'u', 'b')
107
#define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)
108
109
0
#define ZONEMGR_MAGIC   ISC_MAGIC('Z', 'm', 'g', 'r')
110
#define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
111
112
0
#define FORWARD_MAGIC   ISC_MAGIC('F', 'o', 'r', 'w')
113
#define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)
114
115
#define IO_MAGIC     ISC_MAGIC('Z', 'm', 'I', 'O')
116
#define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)
117
118
0
#define KEYMGMT_MAGIC   ISC_MAGIC('M', 'g', 'm', 't')
119
#define DNS_KEYMGMT_VALID(load) ISC_MAGIC_VALID(load, KEYMGMT_MAGIC)
120
121
0
#define KEYFILEIO_MAGIC     ISC_MAGIC('K', 'y', 'I', 'O')
122
#define DNS_KEYFILEIO_VALID(kfio) ISC_MAGIC_VALID(kfio, KEYFILEIO_MAGIC)
123
124
/*%
125
 * Ensure 'a' is at least 'min' but not more than 'max'.
126
 */
127
6
#define RANGE(a, min, max) (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
128
129
0
#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
130
131
/*%
132
 * Key flags
133
 */
134
0
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
135
0
#define KSK(x)    ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
136
0
#define ID(x)   dst_key_id(x)
137
0
#define ALG(x)    dst_key_alg(x)
138
139
/*%
140
 * KASP flags
141
 */
142
#define KASP_LOCK(k)                  \
143
0
  if ((k) != NULL) {            \
144
0
    LOCK((&((k)->lock))); \
145
0
  }
146
147
#define KASP_UNLOCK(k)                  \
148
0
  if ((k) != NULL) {              \
149
0
    UNLOCK((&((k)->lock))); \
150
0
  }
151
152
/*
153
 * Default values.
154
 */
155
2
#define DNS_DEFAULT_IDLEIN  3600       /*%< 1 hour */
156
2
#define DNS_DEFAULT_IDLEOUT 3600       /*%< 1 hour */
157
4
#define MAX_XFER_TIME     (2 * 3600) /*%< Documented default is 2 hours */
158
#define RESIGN_DELAY      3600       /*%< 1 hour */
159
160
#ifndef DNS_MAX_EXPIRE
161
#define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
162
#endif        /* ifndef DNS_MAX_EXPIRE */
163
164
#ifndef DNS_DUMP_DELAY
165
0
#define DNS_DUMP_DELAY 900 /*%< 15 minutes */
166
#endif         /* ifndef DNS_DUMP_DELAY */
167
168
typedef struct dns_notify dns_notify_t;
169
typedef struct dns_checkds dns_checkds_t;
170
typedef struct dns_stub dns_stub_t;
171
typedef struct dns_load dns_load_t;
172
typedef struct dns_forward dns_forward_t;
173
typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
174
typedef struct dns_keymgmt dns_keymgmt_t;
175
typedef struct dns_signing dns_signing_t;
176
typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
177
typedef struct dns_nsec3chain dns_nsec3chain_t;
178
typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
179
typedef struct dns_nsfetch dns_nsfetch_t;
180
typedef struct dns_keyfetch dns_keyfetch_t;
181
typedef struct dns_asyncload dns_asyncload_t;
182
typedef struct dns_include dns_include_t;
183
184
#define DNS_ZONE_CHECKLOCK
185
#ifdef DNS_ZONE_CHECKLOCK
186
#define LOCK_ZONE(z)                  \
187
16
  do {                          \
188
16
    LOCK(&(z)->lock);     \
189
16
    INSIST(!(z)->locked); \
190
16
    (z)->locked = true;   \
191
16
  } while (0)
192
#define UNLOCK_ZONE(z)               \
193
16
  do {                         \
194
16
    (z)->locked = false; \
195
16
    UNLOCK(&(z)->lock);  \
196
16
  } while (0)
197
#define LOCKED_ZONE(z) ((z)->locked)
198
#define TRYLOCK_ZONE(result, z)                         \
199
0
  do {                                            \
200
0
    result = isc_mutex_trylock(&(z)->lock); \
201
0
    if (result == ISC_R_SUCCESS) {          \
202
0
      INSIST(!(z)->locked);           \
203
0
      (z)->locked = true;             \
204
0
    }                                       \
205
0
  } while (0)
206
#else /* ifdef DNS_ZONE_CHECKLOCK */
207
#define LOCK_ZONE(z)   LOCK(&(z)->lock)
208
#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
209
#define LOCKED_ZONE(z) true
210
#define TRYLOCK_ZONE(result, z)                         \
211
  do {                                            \
212
    result = isc_mutex_trylock(&(z)->lock); \
213
  } while (0)
214
#endif /* ifdef DNS_ZONE_CHECKLOCK */
215
216
2
#define ZONEDB_INITLOCK(l)    isc_rwlock_init((l))
217
0
#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
218
175
#define ZONEDB_LOCK(l, t)     RWLOCK((l), (t))
219
175
#define ZONEDB_UNLOCK(l, t)   RWUNLOCK((l), (t))
220
221
#define RETERR(x)                            \
222
0
  do {                                 \
223
0
    result = (x);                \
224
0
    if (result != ISC_R_SUCCESS) \
225
0
      goto failure;        \
226
0
  } while (0)
227
228
#ifdef ENABLE_AFL
229
extern bool dns_fuzzing_resolver;
230
#endif /* ifdef ENABLE_AFL */
231
232
/*%
233
 *  Hold key file IO locks.
234
 */
235
typedef struct dns_keyfileio {
236
  unsigned int magic;
237
  isc_mutex_t lock;
238
  isc_refcount_t references;
239
  dns_name_t *name;
240
  dns_fixedname_t fname;
241
} dns_keyfileio_t;
242
243
struct dns_keymgmt {
244
  unsigned int magic;
245
  isc_rwlock_t lock;
246
  isc_mem_t *mctx;
247
  isc_hashmap_t *table;
248
};
249
250
/*
251
 * Initial size of the keymgmt hash table.
252
 */
253
0
#define DNS_KEYMGMT_HASH_BITS 12
254
255
struct dns_zone {
256
  /* Unlocked */
257
  unsigned int magic;
258
  isc_mutex_t lock;
259
#ifdef DNS_ZONE_CHECKLOCK
260
  bool locked;
261
#endif /* ifdef DNS_ZONE_CHECKLOCK */
262
  isc_mem_t *mctx;
263
  isc_refcount_t references;
264
265
  isc_rwlock_t dblock;
266
  dns_db_t *db; /* Locked by dblock */
267
268
  unsigned int tid;
269
270
  /* Locked */
271
  dns_zonemgr_t *zmgr;
272
  ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
273
  isc_loop_t *loop;
274
  isc_timer_t *timer;
275
  isc_refcount_t irefs;
276
  dns_name_t origin;
277
  char *masterfile;
278
  const FILE *stream;        /* loading from a stream? */
279
  ISC_LIST(dns_include_t) includes;    /* Include files */
280
  ISC_LIST(dns_include_t) newincludes; /* Loading */
281
  unsigned int nincludes;
282
  dns_masterformat_t masterformat;
283
  const dns_master_style_t *masterstyle;
284
  char *journal;
285
  int32_t journalsize;
286
  dns_rdataclass_t rdclass;
287
  dns_zonetype_t type;
288
  atomic_uint_fast64_t flags;
289
  atomic_uint_fast64_t options;
290
  unsigned int db_argc;
291
  char **db_argv;
292
  isc_time_t expiretime;
293
  isc_time_t refreshtime;
294
  isc_time_t dumptime;
295
  isc_time_t loadtime;
296
  isc_time_t notifytime;
297
  isc_time_t resigntime;
298
  isc_time_t keywarntime;
299
  isc_time_t signingtime;
300
  isc_time_t nsec3chaintime;
301
  isc_time_t refreshkeytime;
302
  isc_time_t xfrintime;
303
  uint32_t refreshkeyinterval;
304
  uint32_t refreshkeycount;
305
  uint32_t refresh;
306
  uint32_t retry;
307
  uint32_t expire;
308
  uint32_t minimum;
309
  isc_stdtime_t key_expiry;
310
  isc_stdtime_t log_key_expired_timer;
311
  char *keydirectory;
312
  dns_keyfileio_t *kfio;
313
  dns_keystorelist_t *keystores;
314
315
  uint32_t maxrefresh;
316
  uint32_t minrefresh;
317
  uint32_t maxretry;
318
  uint32_t minretry;
319
320
  uint32_t maxrecords;
321
322
  dns_remote_t primaries;
323
324
  dns_remote_t parentals;
325
  dns_dnsseckeylist_t checkds_ok;
326
  dns_checkdstype_t checkdstype;
327
  uint32_t nsfetchcount;
328
  uint32_t parent_nscount;
329
330
  dns_remote_t notify;
331
  dns_notifytype_t notifytype;
332
  isc_sockaddr_t notifyfrom;
333
  isc_sockaddr_t notifysrc4;
334
  isc_sockaddr_t notifysrc6;
335
  isc_sockaddr_t parentalsrc4;
336
  isc_sockaddr_t parentalsrc6;
337
  isc_sockaddr_t xfrsource4;
338
  isc_sockaddr_t xfrsource6;
339
  isc_sockaddr_t sourceaddr;
340
  dns_xfrin_t *xfr;     /* loop locked */
341
  dns_tsigkey_t *tsigkey;     /* key used for xfr */
342
  dns_transport_t *transport; /* transport used for xfr */
343
  /* Access Control Lists */
344
  dns_acl_t *update_acl;
345
  dns_acl_t *forward_acl;
346
  dns_acl_t *notify_acl;
347
  dns_acl_t *query_acl;
348
  dns_acl_t *queryon_acl;
349
  dns_acl_t *xfr_acl;
350
  bool update_disabled;
351
  bool zero_no_soa_ttl;
352
  dns_severity_t check_names;
353
  ISC_LIST(dns_notify_t) notifies;
354
  ISC_LIST(dns_checkds_t) checkds_requests;
355
  dns_request_t *request;
356
  dns_loadctx_t *loadctx;
357
  dns_dumpctx_t *dumpctx;
358
  uint32_t maxxfrin;
359
  uint32_t maxxfrout;
360
  uint32_t idlein;
361
  uint32_t idleout;
362
  dns_ssutable_t *ssutable;
363
  uint32_t sigvalidityinterval;
364
  uint32_t keyvalidityinterval;
365
  uint32_t sigresigninginterval;
366
  dns_view_t *view;
367
  dns_view_t *prev_view;
368
  dns_kasp_t *kasp;
369
  dns_kasp_t *defaultkasp;
370
  dns_checkmxfunc_t checkmx;
371
  dns_checksrvfunc_t checksrv;
372
  dns_checknsfunc_t checkns;
373
  /*%
374
   * Zones in certain states such as "waiting for zone transfer"
375
   * or "zone transfer in progress" are kept on per-state linked lists
376
   * in the zone manager using the 'statelink' field.  The 'statelist'
377
   * field points at the list the zone is currently on.  It the zone
378
   * is not on any such list, statelist is NULL.
379
   */
380
  ISC_LINK(dns_zone_t) statelink;
381
  dns_zonelist_t *statelist;
382
  /*%
383
   * Statistics counters about zone management.
384
   */
385
  isc_stats_t *stats;
386
  /*%
387
   * Optional per-zone statistics counters.  Counted outside of this
388
   * module.
389
   */
390
  dns_zonestat_level_t statlevel;
391
  bool requeststats_on;
392
  isc_stats_t *requeststats;
393
  dns_stats_t *rcvquerystats;
394
  dns_stats_t *dnssecsignstats;
395
  uint32_t notifydelay;
396
  dns_isselffunc_t isself;
397
  void *isselfarg;
398
399
  char *strnamerd;
400
  char *strname;
401
  char *strrdclass;
402
  char *strviewname;
403
404
  /*%
405
   * Serial number for deferred journal compaction.
406
   */
407
  uint32_t compact_serial;
408
  /*%
409
   * Keys that are signing the zone for the first time.
410
   */
411
  dns_signinglist_t signing;
412
  dns_nsec3chainlist_t nsec3chain;
413
  /*%
414
   * List of outstanding NSEC3PARAM change requests.
415
   */
416
  ISC_LIST(struct np3) setnsec3param_queue;
417
  /*%
418
   * Signing / re-signing quantum stopping parameters.
419
   */
420
  uint32_t signatures;
421
  uint32_t nodes;
422
  dns_rdatatype_t privatetype;
423
424
  /*%
425
   * Autosigning/key-maintenance options
426
   */
427
  atomic_uint_fast64_t keyopts;
428
429
  /*%
430
   * True if added by "rndc addzone"
431
   */
432
  bool added;
433
434
  /*%
435
   * True if added by automatically by named.
436
   */
437
  bool automatic;
438
439
  /*%
440
   * response policy data to be relayed to the database
441
   */
442
  dns_rpz_zones_t *rpzs;
443
  dns_rpz_num_t rpz_num;
444
445
  /*%
446
   * catalog zone data
447
   */
448
  dns_catz_zones_t *catzs;
449
450
  /*%
451
   * parent catalog zone
452
   */
453
  dns_catz_zone_t *parentcatz;
454
455
  /*%
456
   * Serial number update method.
457
   */
458
  dns_updatemethod_t updatemethod;
459
460
  /*%
461
   * whether ixfr is requested
462
   */
463
  bool requestixfr;
464
  uint32_t ixfr_ratio;
465
466
  /*%
467
   * whether EDNS EXPIRE is requested
468
   */
469
  bool requestexpire;
470
471
  /*%
472
   * Outstanding forwarded UPDATE requests.
473
   */
474
  dns_forwardlist_t forwards;
475
476
  dns_zone_t *raw;
477
  dns_zone_t *secure;
478
479
  bool sourceserialset;
480
  uint32_t sourceserial;
481
482
  /*%
483
   * soa and maximum zone ttl
484
   */
485
  dns_ttl_t soattl;
486
  dns_ttl_t maxttl;
487
488
  /*
489
   * Inline zone signing state.
490
   */
491
  dns_diff_t rss_diff;
492
  dns_dbversion_t *rss_newver;
493
  dns_dbversion_t *rss_oldver;
494
  dns_db_t *rss_db;
495
  dns_zone_t *rss_raw;
496
  struct rss *rss;
497
  dns_update_state_t *rss_state;
498
499
  isc_stats_t *gluecachestats;
500
};
501
502
#define zonediff_init(z, d)                \
503
0
  do {                               \
504
0
    dns__zonediff_t *_z = (z); \
505
0
    (_z)->diff = (d);          \
506
0
    (_z)->offline = false;     \
507
0
  } while (0)
508
509
14
#define DNS_ZONE_FLAG(z, f)    ((atomic_load_relaxed(&(z)->flags) & (f)) != 0)
510
4
#define DNS_ZONE_SETFLAG(z, f) atomic_fetch_or(&(z)->flags, (f))
511
4
#define DNS_ZONE_CLRFLAG(z, f) atomic_fetch_and(&(z)->flags, ~(f))
512
typedef enum {
513
  DNS_ZONEFLG_REFRESH = 0x00000001U,     /*%< refresh check in progress */
514
  DNS_ZONEFLG_NEEDDUMP = 0x00000002U,    /*%< zone need consolidation */
515
  DNS_ZONEFLG_USEVC = 0x00000004U,       /*%< use tcp for refresh query */
516
  DNS_ZONEFLG_DUMPING = 0x00000008U,     /*%< a dump is in progress */
517
  DNS_ZONEFLG_HASINCLUDE = 0x00000010U,  /*%< $INCLUDE in zone file */
518
  DNS_ZONEFLG_LOADED = 0x00000020U,      /*%< database has loaded */
519
  DNS_ZONEFLG_EXITING = 0x00000040U,     /*%< zone is being destroyed */
520
  DNS_ZONEFLG_EXPIRED = 0x00000080U,     /*%< zone has expired */
521
  DNS_ZONEFLG_NEEDREFRESH = 0x00000100U, /*%< refresh check needed */
522
  DNS_ZONEFLG_UPTODATE = 0x00000200U,    /*%< zone contents are
523
            * up-to-date */
524
  DNS_ZONEFLG_NEEDNOTIFY = 0x00000400U,  /*%< need to send out notify
525
            * messages */
526
  DNS_ZONEFLG_FIXJOURNAL = 0x00000800U,  /*%< journal file had
527
            * recoverable error,
528
            * needs rewriting */
529
  DNS_ZONEFLG_NOPRIMARIES = 0x00001000U, /*%< an attempt to refresh a
530
            * zone with no primaries
531
            * occurred */
532
  DNS_ZONEFLG_LOADING = 0x00002000U,     /*%< load from disk in progress*/
533
  DNS_ZONEFLG_HAVETIMERS = 0x00004000U,  /*%< timer values have been set
534
            * from SOA (if not set, we
535
            * are still using
536
            * default timer values) */
537
  DNS_ZONEFLG_FORCEXFER = 0x00008000U,   /*%< Force a zone xfer */
538
  DNS_ZONEFLG_NOREFRESH = 0x00010000U,
539
  DNS_ZONEFLG_DIALNOTIFY = 0x00020000U,
540
  DNS_ZONEFLG_DIALREFRESH = 0x00040000U,
541
  DNS_ZONEFLG_SHUTDOWN = 0x00080000U,
542
  DNS_ZONEFLG_NOIXFR = 0x00100000U, /*%< IXFR failed, force AXFR */
543
  DNS_ZONEFLG_FLUSH = 0x00200000U,
544
  DNS_ZONEFLG_NOEDNS = 0x00400000U,
545
  DNS_ZONEFLG_USEALTXFRSRC = 0x00800000U, /*%< Obsoleted. */
546
  DNS_ZONEFLG_SOABEFOREAXFR = 0x01000000U,
547
  DNS_ZONEFLG_NEEDCOMPACT = 0x02000000U,
548
  DNS_ZONEFLG_REFRESHING = 0x04000000U, /*%< Refreshing keydata */
549
  DNS_ZONEFLG_THAW = 0x08000000U,
550
  DNS_ZONEFLG_LOADPENDING = 0x10000000U, /*%< Loading scheduled */
551
  DNS_ZONEFLG_NODELAY = 0x20000000U,
552
  DNS_ZONEFLG_SENDSECURE = 0x40000000U,
553
  DNS_ZONEFLG_NEEDSTARTUPNOTIFY = 0x80000000U, /*%< need to send out
554
                  * notify due to the zone
555
                  * just being loaded for
556
                  * the first time. */
557
  DNS_ZONEFLG_FIRSTREFRESH = 0x100000000U, /*%< First refresh pending */
558
  DNS_ZONEFLG___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
559
} dns_zoneflg_t;
560
561
32
#define DNS_ZONE_OPTION(z, o)  ((atomic_load_relaxed(&(z)->options) & (o)) != 0)
562
0
#define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
563
0
#define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))
564
565
#define DNS_ZONEKEY_OPTION(z, o) \
566
2
  ((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0)
567
0
#define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o))
568
0
#define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o))
569
570
/* Flags for zone_load() */
571
typedef enum {
572
  DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */
573
  DNS_ZONELOADFLAG_THAW = 0x00000002U,   /* Thaw the zone on successful
574
            * load. */
575
} dns_zoneloadflag_t;
576
577
0
#define UNREACH_CACHE_SIZE 10U
578
#define UNREACH_HOLD_TIME  600 /* 10 minutes */
579
580
#define CHECK(op)                            \
581
0
  do {                                 \
582
0
    result = (op);               \
583
0
    if (result != ISC_R_SUCCESS) \
584
0
      goto failure;        \
585
0
  } while (0)
586
587
struct dns_unreachable {
588
  isc_sockaddr_t remote;
589
  isc_sockaddr_t local;
590
  atomic_uint_fast32_t expire;
591
  atomic_uint_fast32_t last;
592
  uint32_t count;
593
};
594
595
struct dns_zonemgr {
596
  unsigned int magic;
597
  isc_mem_t *mctx;
598
  isc_refcount_t refs;
599
  isc_loopmgr_t *loopmgr;
600
  isc_nm_t *netmgr;
601
  uint32_t workers;
602
  isc_mem_t **mctxpool;
603
  isc_ratelimiter_t *checkdsrl;
604
  isc_ratelimiter_t *notifyrl;
605
  isc_ratelimiter_t *refreshrl;
606
  isc_ratelimiter_t *startupnotifyrl;
607
  isc_ratelimiter_t *startuprefreshrl;
608
  isc_rwlock_t rwlock;
609
  isc_rwlock_t urlock;
610
611
  /* Locked by rwlock. */
612
  dns_zonelist_t zones;
613
  dns_zonelist_t waiting_for_xfrin;
614
  dns_zonelist_t xfrin_in_progress;
615
616
  /* Configuration data. */
617
  uint32_t transfersin;
618
  uint32_t transfersperns;
619
  unsigned int checkdsrate;
620
  unsigned int notifyrate;
621
  unsigned int startupnotifyrate;
622
  unsigned int serialqueryrate;
623
  unsigned int startupserialqueryrate;
624
625
  /* Locked by urlock. */
626
  /* LRU cache */
627
  struct dns_unreachable unreachable[UNREACH_CACHE_SIZE];
628
629
  dns_keymgmt_t *keymgmt;
630
631
  isc_tlsctx_cache_t *tlsctx_cache;
632
  isc_rwlock_t tlsctx_cache_rwlock;
633
};
634
635
/*%
636
 * Hold notify state.
637
 */
638
struct dns_notify {
639
  unsigned int magic;
640
  unsigned int flags;
641
  isc_mem_t *mctx;
642
  dns_zone_t *zone;
643
  dns_adbfind_t *find;
644
  dns_request_t *request;
645
  dns_name_t ns;
646
  isc_sockaddr_t src;
647
  isc_sockaddr_t dst;
648
  dns_tsigkey_t *key;
649
  dns_transport_t *transport;
650
  ISC_LINK(dns_notify_t) link;
651
  isc_rlevent_t *rlevent;
652
};
653
654
typedef enum dns_notify_flags {
655
  DNS_NOTIFY_NOSOA = 1 << 0,
656
  DNS_NOTIFY_STARTUP = 1 << 1,
657
  DNS_NOTIFY_TCP = 1 << 2,
658
} dns_notify_flags_t;
659
660
/*%
661
 * Hold checkds state.
662
 */
663
struct dns_checkds {
664
  unsigned int magic;
665
  dns_notify_flags_t flags;
666
  isc_mem_t *mctx;
667
  dns_zone_t *zone;
668
  dns_adbfind_t *find;
669
  dns_request_t *request;
670
  dns_name_t ns;
671
  isc_sockaddr_t src;
672
  isc_sockaddr_t dst;
673
  dns_tsigkey_t *key;
674
  dns_transport_t *transport;
675
  ISC_LINK(dns_checkds_t) link;
676
  isc_rlevent_t *rlevent;
677
};
678
679
/*%
680
 *  dns_stub holds state while performing a 'stub' transfer.
681
 *  'db' is the zone's 'db' or a new one if this is the initial
682
 *  transfer.
683
 */
684
685
struct dns_stub {
686
  unsigned int magic;
687
  isc_mem_t *mctx;
688
  dns_zone_t *zone;
689
  dns_db_t *db;
690
  dns_dbversion_t *version;
691
  atomic_uint_fast32_t pending_requests;
692
};
693
694
/*%
695
 *  Hold load state.
696
 */
697
struct dns_load {
698
  dns_zone_t *zone;
699
  dns_db_t *db;
700
  isc_time_t loadtime;
701
  dns_rdatacallbacks_t callbacks;
702
};
703
704
/*%
705
 *  Hold forward state.
706
 */
707
struct dns_forward {
708
  unsigned int magic;
709
  isc_mem_t *mctx;
710
  dns_zone_t *zone;
711
  isc_buffer_t *msgbuf;
712
  dns_request_t *request;
713
  uint32_t which;
714
  isc_sockaddr_t addr;
715
  dns_transport_t *transport;
716
  dns_updatecallback_t callback;
717
  void *callback_arg;
718
  unsigned int options;
719
  ISC_LINK(dns_forward_t) link;
720
};
721
722
/*%
723
 *  Hold state for when we are signing a zone with a new
724
 *  DNSKEY as result of an update.
725
 */
726
struct dns_signing {
727
  unsigned int magic;
728
  dns_db_t *db;
729
  dns_dbiterator_t *dbiterator;
730
  dns_secalg_t algorithm;
731
  uint16_t keyid;
732
  bool deleteit;
733
  bool done;
734
  ISC_LINK(dns_signing_t) link;
735
};
736
737
struct dns_nsec3chain {
738
  unsigned int magic;
739
  dns_db_t *db;
740
  dns_dbiterator_t *dbiterator;
741
  dns_rdata_nsec3param_t nsec3param;
742
  unsigned char salt[255];
743
  bool done;
744
  bool seen_nsec;
745
  bool delete_nsec;
746
  bool save_delete_nsec;
747
  ISC_LINK(dns_nsec3chain_t) link;
748
};
749
750
/*%<
751
 * 'dbiterator' contains a iterator for the database.  If we are creating
752
 * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
753
 * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
754
 * iterated.
755
 *
756
 * 'nsec3param' contains the parameters of the NSEC3 chain being created
757
 * or removed.
758
 *
759
 * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
760
 *
761
 * 'seen_nsec' will be set to true if, while iterating the zone to create a
762
 * NSEC3 chain, a NSEC record is seen.
763
 *
764
 * 'delete_nsec' will be set to true if, at the completion of the creation
765
 * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
766
 * are in the process of deleting the NSEC chain.
767
 *
768
 * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
769
 * so it can be recovered in the event of a error.
770
 */
771
772
struct dns_keyfetch {
773
  isc_mem_t *mctx;
774
  dns_fixedname_t name;
775
  dns_rdataset_t keydataset;
776
  dns_rdataset_t dnskeyset;
777
  dns_rdataset_t dnskeysigset;
778
  dns_zone_t *zone;
779
  dns_db_t *db;
780
  dns_fetch_t *fetch;
781
};
782
783
struct dns_nsfetch {
784
  isc_mem_t *mctx;
785
  dns_fixedname_t name;
786
  dns_name_t pname;
787
  dns_rdataset_t nsrrset;
788
  dns_rdataset_t nssigset;
789
  dns_zone_t *zone;
790
  dns_fetch_t *fetch;
791
};
792
793
/*%
794
 * Hold state for an asynchronous load
795
 */
796
struct dns_asyncload {
797
  dns_zone_t *zone;
798
  unsigned int flags;
799
  dns_zt_callback_t *loaded;
800
  void *loaded_arg;
801
};
802
803
/*%
804
 * Reference to an include file encountered during loading
805
 */
806
struct dns_include {
807
  char *name;
808
  isc_time_t filetime;
809
  ISC_LINK(dns_include_t) link;
810
};
811
812
/*
813
 * These can be overridden by the -T mkeytimers option on the command
814
 * line, so that we can test with shorter periods than specified in
815
 * RFC 5011.
816
 */
817
#define HOUR  3600
818
#define DAY   (24 * HOUR)
819
#define MONTH (30 * DAY)
820
unsigned int dns_zone_mkey_hour = HOUR;
821
unsigned int dns_zone_mkey_day = DAY;
822
unsigned int dns_zone_mkey_month = MONTH;
823
824
0
#define SEND_BUFFER_SIZE 2048
825
826
static void
827
zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now);
828
829
typedef struct zone_settimer {
830
  dns_zone_t *zone;
831
  isc_time_t now;
832
} zone_settimer_t;
833
834
static void
835
zone_settimer(dns_zone_t *, isc_time_t *);
836
static void
837
cancel_refresh(dns_zone_t *);
838
static void
839
zone_debuglog(dns_zone_t *zone, const char *, int debuglevel, const char *msg,
840
        ...) ISC_FORMAT_PRINTF(4, 5);
841
static void
842
notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
843
  ISC_FORMAT_PRINTF(3, 4);
844
static void
845
dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
846
  ISC_FORMAT_PRINTF(3, 4);
847
static void
848
queue_xfrin(dns_zone_t *zone);
849
static isc_result_t
850
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
851
        dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
852
        dns_rdata_t *rdata);
853
static void
854
zone_unload(dns_zone_t *zone);
855
static void
856
zone_expire(dns_zone_t *zone);
857
static void
858
zone_refresh(dns_zone_t *zone);
859
static void
860
zone_iattach(dns_zone_t *source, dns_zone_t **target);
861
static void
862
zone_idetach(dns_zone_t **zonep);
863
static isc_result_t
864
zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
865
static void
866
zone_attachdb(dns_zone_t *zone, dns_db_t *db);
867
static void
868
zone_detachdb(dns_zone_t *zone);
869
static void
870
zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
871
static void
872
zone_catz_disable(dns_zone_t *zone);
873
static isc_result_t
874
default_journal(dns_zone_t *zone);
875
static void
876
zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result);
877
static isc_result_t
878
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
879
        isc_result_t result);
880
static void
881
zone_needdump(dns_zone_t *zone, unsigned int delay);
882
static void
883
zone_shutdown(void *arg);
884
static void
885
zone_loaddone(void *arg, isc_result_t result);
886
static isc_result_t
887
zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime);
888
static void
889
zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
890
static void
891
zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
892
static void
893
zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
894
static void
895
zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
896
static isc_result_t
897
zone_send_secureserial(dns_zone_t *zone, uint32_t serial);
898
static void
899
refresh_callback(void *arg);
900
static void
901
stub_callback(void *arg);
902
static void
903
queue_soa_query(dns_zone_t *zone);
904
static void
905
soa_query(void *arg);
906
static void
907
ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub);
908
static int
909
message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type);
910
static void
911
checkds_cancel(dns_zone_t *zone);
912
static void
913
checkds_find_address(dns_checkds_t *checkds);
914
static void
915
checkds_send(dns_zone_t *zone);
916
static void
917
checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep);
918
static void
919
checkds_done(void *arg);
920
static void
921
checkds_send_tons(dns_checkds_t *checkds);
922
static void
923
checkds_send_toaddr(void *arg);
924
static void
925
nsfetch_levelup(dns_nsfetch_t *nsfetch);
926
static void
927
notify_cancel(dns_zone_t *zone);
928
static void
929
notify_find_address(dns_notify_t *notify);
930
static void
931
notify_send(dns_notify_t *notify);
932
static isc_result_t
933
notify_createmessage(dns_zone_t *zone, unsigned int flags,
934
         dns_message_t **messagep);
935
static void
936
notify_done(void *arg);
937
static void
938
notify_send_toaddr(void *arg);
939
static isc_result_t
940
zone_dump(dns_zone_t *, bool);
941
static void
942
got_transfer_quota(void *arg);
943
static isc_result_t
944
zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone);
945
static void
946
zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi);
947
static void
948
zonemgr_free(dns_zonemgr_t *zmgr);
949
static void
950
rss_post(void *arg);
951
952
static isc_result_t
953
zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
954
     unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
955
     uint32_t *refresh, uint32_t *retry, uint32_t *expire,
956
     uint32_t *minimum, unsigned int *errors);
957
958
static void
959
zone_freedbargs(dns_zone_t *zone);
960
static void
961
forward_callback(void *arg);
962
static void
963
zone_saveunique(dns_zone_t *zone, const char *path, const char *templat);
964
static void
965
zone_maintenance(dns_zone_t *zone);
966
static void
967
zone_notify(dns_zone_t *zone, isc_time_t *now);
968
static void
969
dump_done(void *arg, isc_result_t result);
970
static isc_result_t
971
zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
972
     bool deleteit);
973
static isc_result_t
974
delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
975
      dns_name_t *name, dns_diff_t *diff);
976
static void
977
zone_rekey(dns_zone_t *zone);
978
static isc_result_t
979
zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
980
static dns_ttl_t
981
zone_nsecttl(dns_zone_t *zone);
982
static void
983
setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value);
984
static void
985
zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial);
986
static isc_result_t
987
zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
988
       bool *fixjournal);
989
static void
990
setnsec3param(void *arg);
991
992
static void
993
zmgr_tlsctx_attach(dns_zonemgr_t *zmgr, isc_tlsctx_cache_t **ptlsctx_cache);
994
/*%<
995
 *  Attach to TLS client context cache used for zone transfers via
996
 *  encrypted transports (e.g. XoT).
997
 *
998
 * The obtained reference needs to be detached by a call to
999
 * 'isc_tlsctx_cache_detach()' when not needed anymore.
1000
 *
1001
 * Requires:
1002
 *\li 'zmgr' is a valid zone manager.
1003
 *\li 'ptlsctx_cache' is not 'NULL' and points to 'NULL'.
1004
 */
1005
1006
4
#define ENTER zone_debuglog(zone, __func__, 1, "enter")
1007
1008
static const unsigned int dbargc_default = 1;
1009
static const char *dbargv_default[] = { ZONEDB_DEFAULT };
1010
1011
#define DNS_ZONE_JITTER_ADD(a, b, c)                                         \
1012
0
  do {                                                                 \
1013
0
    isc_interval_t _i;                                           \
1014
0
    uint32_t _j;                                                 \
1015
0
    _j = (b) - isc_random_uniform((b) / 4);                      \
1016
0
    isc_interval_set(&_i, _j, 0);                                \
1017
0
    if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
1018
0
      dns_zone_log(zone, ISC_LOG_WARNING,                  \
1019
0
             "epoch approaching: upgrade required: " \
1020
0
             "now + %s failed",                      \
1021
0
             #b);                                    \
1022
0
      isc_interval_set(&_i, _j / 2, 0);                    \
1023
0
      (void)isc_time_add((a), &_i, (c));                   \
1024
0
    }                                                            \
1025
0
  } while (0)
1026
1027
#define DNS_ZONE_TIME_ADD(a, b, c)                                           \
1028
0
  do {                                                                 \
1029
0
    isc_interval_t _i;                                           \
1030
0
    isc_interval_set(&_i, (b), 0);                               \
1031
0
    if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
1032
0
      dns_zone_log(zone, ISC_LOG_WARNING,                  \
1033
0
             "epoch approaching: upgrade required: " \
1034
0
             "now + %s failed",                      \
1035
0
             #b);                                    \
1036
0
      isc_interval_set(&_i, (b) / 2, 0);                   \
1037
0
      (void)isc_time_add((a), &_i, (c));                   \
1038
0
    }                                                            \
1039
0
  } while (0)
1040
1041
typedef struct nsec3param nsec3param_t;
1042
struct nsec3param {
1043
  dns_rdata_nsec3param_t rdata;
1044
  unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
1045
  unsigned int length;
1046
  bool nsec;
1047
  bool replace;
1048
  bool resalt;
1049
  bool lookup;
1050
  ISC_LINK(nsec3param_t) link;
1051
};
1052
typedef ISC_LIST(nsec3param_t) nsec3paramlist_t;
1053
1054
struct np3 {
1055
  dns_zone_t *zone;
1056
  nsec3param_t params;
1057
  ISC_LINK(struct np3) link;
1058
};
1059
1060
struct setserial {
1061
  dns_zone_t *zone;
1062
  uint32_t serial;
1063
};
1064
1065
struct stub_cb_args {
1066
  dns_stub_t *stub;
1067
  dns_tsigkey_t *tsig_key;
1068
  uint16_t udpsize;
1069
  int timeout;
1070
  bool reqnsid;
1071
};
1072
1073
struct stub_glue_request {
1074
  dns_request_t *request;
1075
  dns_name_t name;
1076
  struct stub_cb_args *args;
1077
  bool ipv4;
1078
};
1079
1080
/*%
1081
 * Increment resolver-related statistics counters.  Zone must be locked.
1082
 */
1083
static void
1084
0
inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
1085
0
  if (zone->stats != NULL) {
1086
0
    isc_stats_increment(zone->stats, counter);
1087
0
  }
1088
0
}
1089
1090
/***
1091
 ***  Public functions.
1092
 ***/
1093
1094
void
1095
2
dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
1096
2
  isc_time_t now;
1097
2
  dns_zone_t *zone = NULL;
1098
1099
2
  REQUIRE(zonep != NULL && *zonep == NULL);
1100
2
  REQUIRE(mctx != NULL);
1101
1102
2
  now = isc_time_now();
1103
2
  zone = isc_mem_get(mctx, sizeof(*zone));
1104
2
  *zone = (dns_zone_t){
1105
2
    .masterformat = dns_masterformat_none,
1106
2
    .journalsize = -1,
1107
2
    .rdclass = dns_rdataclass_none,
1108
2
    .type = dns_zone_none,
1109
2
    .refresh = DNS_ZONE_DEFAULTREFRESH,
1110
2
    .retry = DNS_ZONE_DEFAULTRETRY,
1111
2
    .maxrefresh = DNS_ZONE_MAXREFRESH,
1112
2
    .minrefresh = DNS_ZONE_MINREFRESH,
1113
2
    .maxretry = DNS_ZONE_MAXRETRY,
1114
2
    .minretry = DNS_ZONE_MINRETRY,
1115
2
    .checkdstype = dns_checkdstype_yes,
1116
2
    .notifytype = dns_notifytype_yes,
1117
2
    .zero_no_soa_ttl = true,
1118
2
    .check_names = dns_severity_ignore,
1119
2
    .idlein = DNS_DEFAULT_IDLEIN,
1120
2
    .idleout = DNS_DEFAULT_IDLEOUT,
1121
2
    .maxxfrin = MAX_XFER_TIME,
1122
2
    .maxxfrout = MAX_XFER_TIME,
1123
2
    .sigvalidityinterval = 30 * 24 * 3600,
1124
2
    .sigresigninginterval = 7 * 24 * 3600,
1125
2
    .statlevel = dns_zonestat_none,
1126
2
    .notifydelay = 5,
1127
2
    .signatures = 10,
1128
2
    .nodes = 100,
1129
2
    .privatetype = (dns_rdatatype_t)0xffffU,
1130
2
    .rpz_num = DNS_RPZ_INVALID_NUM,
1131
2
    .requestixfr = true,
1132
2
    .ixfr_ratio = 100,
1133
2
    .requestexpire = true,
1134
2
    .updatemethod = dns_updatemethod_increment,
1135
2
    .tid = tid,
1136
2
    .notifytime = now,
1137
2
    .newincludes = ISC_LIST_INITIALIZER,
1138
2
    .notifies = ISC_LIST_INITIALIZER,
1139
2
    .checkds_requests = ISC_LIST_INITIALIZER,
1140
2
    .signing = ISC_LIST_INITIALIZER,
1141
2
    .nsec3chain = ISC_LIST_INITIALIZER,
1142
2
    .setnsec3param_queue = ISC_LIST_INITIALIZER,
1143
2
    .forwards = ISC_LIST_INITIALIZER,
1144
2
    .link = ISC_LINK_INITIALIZER,
1145
2
    .statelink = ISC_LINK_INITIALIZER,
1146
2
  };
1147
2
  dns_remote_t r = {
1148
2
    .magic = DNS_REMOTE_MAGIC,
1149
2
  };
1150
1151
2
  isc_mem_attach(mctx, &zone->mctx);
1152
2
  isc_mutex_init(&zone->lock);
1153
2
  ZONEDB_INITLOCK(&zone->dblock);
1154
1155
2
  isc_refcount_init(&zone->references, 1);
1156
2
  isc_refcount_init(&zone->irefs, 0);
1157
2
  dns_name_init(&zone->origin, NULL);
1158
2
  isc_sockaddr_any(&zone->notifysrc4);
1159
2
  isc_sockaddr_any6(&zone->notifysrc6);
1160
2
  isc_sockaddr_any(&zone->parentalsrc4);
1161
2
  isc_sockaddr_any6(&zone->parentalsrc6);
1162
2
  isc_sockaddr_any(&zone->xfrsource4);
1163
2
  isc_sockaddr_any6(&zone->xfrsource6);
1164
1165
2
  zone->primaries = r;
1166
2
  zone->parentals = r;
1167
2
  zone->notify = r;
1168
2
  zone->defaultkasp = NULL;
1169
1170
2
  isc_stats_create(mctx, &zone->gluecachestats,
1171
2
       dns_gluecachestatscounter_max);
1172
1173
2
  zone->magic = ZONE_MAGIC;
1174
1175
  /* Must be after magic is set. */
1176
2
  dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
1177
1178
2
  *zonep = zone;
1179
2
}
1180
1181
static void
1182
0
clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
1183
0
  dns_dnsseckey_t *key;
1184
0
  while (!ISC_LIST_EMPTY(*list)) {
1185
0
    key = ISC_LIST_HEAD(*list);
1186
0
    ISC_LIST_UNLINK(*list, key, link);
1187
0
    dns_dnsseckey_destroy(mctx, &key);
1188
0
  }
1189
0
}
1190
1191
/*
1192
 * Free a zone.  Because we require that there be no more
1193
 * outstanding events or references, no locking is necessary.
1194
 */
1195
static void
1196
0
zone_free(dns_zone_t *zone) {
1197
0
  dns_signing_t *signing = NULL;
1198
0
  dns_nsec3chain_t *nsec3chain = NULL;
1199
0
  dns_include_t *include = NULL;
1200
1201
0
  REQUIRE(DNS_ZONE_VALID(zone));
1202
0
  REQUIRE(!LOCKED_ZONE(zone));
1203
0
  REQUIRE(zone->timer == NULL);
1204
0
  REQUIRE(zone->zmgr == NULL);
1205
1206
0
  isc_refcount_destroy(&zone->references);
1207
0
  isc_refcount_destroy(&zone->irefs);
1208
1209
  /*
1210
   * Managed objects.  Order is important.
1211
   */
1212
0
  if (zone->request != NULL) {
1213
0
    dns_request_destroy(&zone->request); /* XXXMPA */
1214
0
  }
1215
0
  INSIST(zone->statelist == NULL);
1216
0
  INSIST(zone->view == NULL);
1217
0
  INSIST(zone->prev_view == NULL);
1218
1219
  /* Unmanaged objects */
1220
0
  for (struct np3 *npe = ISC_LIST_HEAD(zone->setnsec3param_queue);
1221
0
       npe != NULL; npe = ISC_LIST_HEAD(zone->setnsec3param_queue))
1222
0
  {
1223
0
    ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
1224
0
    isc_mem_put(zone->mctx, npe, sizeof(*npe));
1225
0
  }
1226
1227
0
  for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
1228
0
       signing = ISC_LIST_HEAD(zone->signing))
1229
0
  {
1230
0
    ISC_LIST_UNLINK(zone->signing, signing, link);
1231
0
    dns_db_detach(&signing->db);
1232
0
    dns_dbiterator_destroy(&signing->dbiterator);
1233
0
    isc_mem_put(zone->mctx, signing, sizeof *signing);
1234
0
  }
1235
0
  for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
1236
0
       nsec3chain = ISC_LIST_HEAD(zone->nsec3chain))
1237
0
  {
1238
0
    ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
1239
0
    dns_db_detach(&nsec3chain->db);
1240
0
    dns_dbiterator_destroy(&nsec3chain->dbiterator);
1241
0
    isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
1242
0
  }
1243
0
  for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
1244
0
       include = ISC_LIST_HEAD(zone->includes))
1245
0
  {
1246
0
    ISC_LIST_UNLINK(zone->includes, include, link);
1247
0
    isc_mem_free(zone->mctx, include->name);
1248
0
    isc_mem_put(zone->mctx, include, sizeof *include);
1249
0
  }
1250
0
  for (include = ISC_LIST_HEAD(zone->newincludes); include != NULL;
1251
0
       include = ISC_LIST_HEAD(zone->newincludes))
1252
0
  {
1253
0
    ISC_LIST_UNLINK(zone->newincludes, include, link);
1254
0
    isc_mem_free(zone->mctx, include->name);
1255
0
    isc_mem_put(zone->mctx, include, sizeof *include);
1256
0
  }
1257
0
  if (zone->masterfile != NULL) {
1258
0
    isc_mem_free(zone->mctx, zone->masterfile);
1259
0
  }
1260
0
  zone->masterfile = NULL;
1261
0
  if (zone->keydirectory != NULL) {
1262
0
    isc_mem_free(zone->mctx, zone->keydirectory);
1263
0
  }
1264
0
  zone->keydirectory = NULL;
1265
0
  if (zone->kasp != NULL) {
1266
0
    dns_kasp_detach(&zone->kasp);
1267
0
  }
1268
0
  if (zone->defaultkasp != NULL) {
1269
0
    dns_kasp_detach(&zone->defaultkasp);
1270
0
  }
1271
0
  if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
1272
0
    clear_keylist(&zone->checkds_ok, zone->mctx);
1273
0
  }
1274
1275
0
  zone->journalsize = -1;
1276
0
  if (zone->journal != NULL) {
1277
0
    isc_mem_free(zone->mctx, zone->journal);
1278
0
  }
1279
0
  zone->journal = NULL;
1280
0
  if (zone->stats != NULL) {
1281
0
    isc_stats_detach(&zone->stats);
1282
0
  }
1283
0
  if (zone->requeststats != NULL) {
1284
0
    isc_stats_detach(&zone->requeststats);
1285
0
  }
1286
0
  if (zone->rcvquerystats != NULL) {
1287
0
    dns_stats_detach(&zone->rcvquerystats);
1288
0
  }
1289
0
  if (zone->dnssecsignstats != NULL) {
1290
0
    dns_stats_detach(&zone->dnssecsignstats);
1291
0
  }
1292
0
  if (zone->db != NULL) {
1293
0
    zone_detachdb(zone);
1294
0
  }
1295
0
  if (zone->rpzs != NULL) {
1296
0
    REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
1297
0
    dns_rpz_zones_detach(&zone->rpzs);
1298
0
    zone->rpz_num = DNS_RPZ_INVALID_NUM;
1299
0
  }
1300
0
  if (zone->catzs != NULL) {
1301
0
    dns_catz_zones_detach(&zone->catzs);
1302
0
  }
1303
0
  zone_freedbargs(zone);
1304
1305
0
  dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0);
1306
0
  dns_zone_setprimaries(zone, NULL, NULL, NULL, NULL, 0);
1307
0
  dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0);
1308
1309
0
  zone->check_names = dns_severity_ignore;
1310
0
  if (zone->update_acl != NULL) {
1311
0
    dns_acl_detach(&zone->update_acl);
1312
0
  }
1313
0
  if (zone->forward_acl != NULL) {
1314
0
    dns_acl_detach(&zone->forward_acl);
1315
0
  }
1316
0
  if (zone->notify_acl != NULL) {
1317
0
    dns_acl_detach(&zone->notify_acl);
1318
0
  }
1319
0
  if (zone->query_acl != NULL) {
1320
0
    dns_acl_detach(&zone->query_acl);
1321
0
  }
1322
0
  if (zone->queryon_acl != NULL) {
1323
0
    dns_acl_detach(&zone->queryon_acl);
1324
0
  }
1325
0
  if (zone->xfr_acl != NULL) {
1326
0
    dns_acl_detach(&zone->xfr_acl);
1327
0
  }
1328
0
  if (dns_name_dynamic(&zone->origin)) {
1329
0
    dns_name_free(&zone->origin, zone->mctx);
1330
0
  }
1331
0
  if (zone->strnamerd != NULL) {
1332
0
    isc_mem_free(zone->mctx, zone->strnamerd);
1333
0
  }
1334
0
  if (zone->strname != NULL) {
1335
0
    isc_mem_free(zone->mctx, zone->strname);
1336
0
  }
1337
0
  if (zone->strrdclass != NULL) {
1338
0
    isc_mem_free(zone->mctx, zone->strrdclass);
1339
0
  }
1340
0
  if (zone->strviewname != NULL) {
1341
0
    isc_mem_free(zone->mctx, zone->strviewname);
1342
0
  }
1343
0
  if (zone->ssutable != NULL) {
1344
0
    dns_ssutable_detach(&zone->ssutable);
1345
0
  }
1346
0
  if (zone->gluecachestats != NULL) {
1347
0
    isc_stats_detach(&zone->gluecachestats);
1348
0
  }
1349
1350
  /* last stuff */
1351
0
  ZONEDB_DESTROYLOCK(&zone->dblock);
1352
0
  isc_mutex_destroy(&zone->lock);
1353
0
  zone->magic = 0;
1354
0
  isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
1355
0
}
1356
1357
/*
1358
 * Returns true iff this the signed side of an inline-signing zone.
1359
 * Caller should hold zone lock.
1360
 */
1361
static bool
1362
20
inline_secure(dns_zone_t *zone) {
1363
20
  REQUIRE(DNS_ZONE_VALID(zone));
1364
20
  if (zone->raw != NULL) {
1365
0
    return (true);
1366
0
  }
1367
20
  return (false);
1368
20
}
1369
1370
/*
1371
 * Returns true iff this the unsigned side of an inline-signing zone
1372
 * Caller should hold zone lock.
1373
 */
1374
static bool
1375
12
inline_raw(dns_zone_t *zone) {
1376
12
  REQUIRE(DNS_ZONE_VALID(zone));
1377
12
  if (zone->secure != NULL) {
1378
0
    return (true);
1379
0
  }
1380
12
  return (false);
1381
12
}
1382
1383
/*
1384
 *  Single shot.
1385
 */
1386
void
1387
2
dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
1388
2
  char namebuf[1024];
1389
1390
2
  REQUIRE(DNS_ZONE_VALID(zone));
1391
2
  REQUIRE(rdclass != dns_rdataclass_none);
1392
1393
  /*
1394
   * Test and set.
1395
   */
1396
2
  LOCK_ZONE(zone);
1397
2
  INSIST(zone != zone->raw);
1398
2
  REQUIRE(zone->rdclass == dns_rdataclass_none ||
1399
2
    zone->rdclass == rdclass);
1400
2
  zone->rdclass = rdclass;
1401
1402
2
  if (zone->strnamerd != NULL) {
1403
2
    isc_mem_free(zone->mctx, zone->strnamerd);
1404
2
  }
1405
2
  if (zone->strrdclass != NULL) {
1406
0
    isc_mem_free(zone->mctx, zone->strrdclass);
1407
0
  }
1408
1409
2
  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1410
2
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1411
2
  zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
1412
2
  zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
1413
1414
2
  if (inline_secure(zone)) {
1415
0
    dns_zone_setclass(zone->raw, rdclass);
1416
0
  }
1417
2
  UNLOCK_ZONE(zone);
1418
2
}
1419
1420
dns_rdataclass_t
1421
0
dns_zone_getclass(dns_zone_t *zone) {
1422
0
  REQUIRE(DNS_ZONE_VALID(zone));
1423
1424
0
  return (zone->rdclass);
1425
0
}
1426
1427
void
1428
0
dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
1429
0
  REQUIRE(DNS_ZONE_VALID(zone));
1430
1431
0
  LOCK_ZONE(zone);
1432
0
  zone->notifytype = notifytype;
1433
0
  UNLOCK_ZONE(zone);
1434
0
}
1435
1436
void
1437
0
dns_zone_setcheckdstype(dns_zone_t *zone, dns_checkdstype_t checkdstype) {
1438
0
  REQUIRE(DNS_ZONE_VALID(zone));
1439
1440
0
  LOCK_ZONE(zone);
1441
0
  zone->checkdstype = checkdstype;
1442
0
  UNLOCK_ZONE(zone);
1443
0
}
1444
1445
isc_result_t
1446
0
dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp) {
1447
0
  isc_result_t result;
1448
0
  unsigned int soacount;
1449
1450
0
  REQUIRE(DNS_ZONE_VALID(zone));
1451
0
  REQUIRE(serialp != NULL);
1452
1453
0
  LOCK_ZONE(zone);
1454
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
1455
0
  if (zone->db != NULL) {
1456
0
    result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
1457
0
            serialp, NULL, NULL, NULL, NULL,
1458
0
            NULL);
1459
0
    if (result == ISC_R_SUCCESS && soacount == 0) {
1460
0
      result = ISC_R_FAILURE;
1461
0
    }
1462
0
  } else {
1463
0
    result = DNS_R_NOTLOADED;
1464
0
  }
1465
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
1466
0
  UNLOCK_ZONE(zone);
1467
1468
0
  return (result);
1469
0
}
1470
1471
/*
1472
 *  Single shot.
1473
 */
1474
void
1475
2
dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
1476
2
  char namebuf[1024];
1477
1478
2
  REQUIRE(DNS_ZONE_VALID(zone));
1479
2
  REQUIRE(type != dns_zone_none);
1480
1481
  /*
1482
   * Test and set.
1483
   */
1484
2
  LOCK_ZONE(zone);
1485
2
  REQUIRE(zone->type == dns_zone_none || zone->type == type);
1486
2
  zone->type = type;
1487
1488
2
  if (zone->strnamerd != NULL) {
1489
2
    isc_mem_free(zone->mctx, zone->strnamerd);
1490
2
  }
1491
1492
2
  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1493
2
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1494
2
  UNLOCK_ZONE(zone);
1495
2
}
1496
1497
static void
1498
2
zone_freedbargs(dns_zone_t *zone) {
1499
2
  unsigned int i;
1500
1501
  /* Free the old database argument list. */
1502
2
  if (zone->db_argv != NULL) {
1503
0
    for (i = 0; i < zone->db_argc; i++) {
1504
0
      isc_mem_free(zone->mctx, zone->db_argv[i]);
1505
0
    }
1506
0
    isc_mem_cput(zone->mctx, zone->db_argv, zone->db_argc,
1507
0
           sizeof(*zone->db_argv));
1508
0
  }
1509
2
  zone->db_argc = 0;
1510
2
  zone->db_argv = NULL;
1511
2
}
1512
1513
isc_result_t
1514
0
dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
1515
0
  size_t size = 0;
1516
0
  unsigned int i;
1517
0
  isc_result_t result = ISC_R_SUCCESS;
1518
0
  void *mem;
1519
0
  char **tmp, *tmp2, *base;
1520
1521
0
  REQUIRE(DNS_ZONE_VALID(zone));
1522
0
  REQUIRE(argv != NULL && *argv == NULL);
1523
1524
0
  LOCK_ZONE(zone);
1525
0
  size = ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
1526
0
  for (i = 0; i < zone->db_argc; i++) {
1527
0
    size += strlen(zone->db_argv[i]) + 1;
1528
0
  }
1529
0
  mem = isc_mem_allocate(mctx, size);
1530
0
  {
1531
0
    tmp = mem;
1532
0
    tmp2 = mem;
1533
0
    base = mem;
1534
0
    tmp2 += ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
1535
0
    for (i = 0; i < zone->db_argc; i++) {
1536
0
      *tmp++ = tmp2;
1537
0
      strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
1538
0
      tmp2 += strlen(tmp2) + 1;
1539
0
    }
1540
0
    *tmp = NULL;
1541
0
  }
1542
0
  UNLOCK_ZONE(zone);
1543
0
  *argv = mem;
1544
0
  return (result);
1545
0
}
1546
1547
void
1548
dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc,
1549
2
       const char *const *dbargv) {
1550
2
  char **argv = NULL;
1551
2
  unsigned int i;
1552
1553
2
  REQUIRE(DNS_ZONE_VALID(zone));
1554
2
  REQUIRE(dbargc >= 1);
1555
2
  REQUIRE(dbargv != NULL);
1556
1557
2
  LOCK_ZONE(zone);
1558
1559
  /* Set up a new database argument list. */
1560
2
  argv = isc_mem_cget(zone->mctx, dbargc, sizeof(*argv));
1561
4
  for (i = 0; i < dbargc; i++) {
1562
2
    argv[i] = NULL;
1563
2
  }
1564
4
  for (i = 0; i < dbargc; i++) {
1565
2
    argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
1566
2
  }
1567
1568
  /* Free the old list. */
1569
2
  zone_freedbargs(zone);
1570
1571
2
  zone->db_argc = dbargc;
1572
2
  zone->db_argv = argv;
1573
1574
2
  UNLOCK_ZONE(zone);
1575
2
}
1576
1577
static void
1578
2
dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
1579
2
  char namebuf[1024];
1580
1581
2
  if (zone->prev_view == NULL && zone->view != NULL) {
1582
0
    dns_view_weakattach(zone->view, &zone->prev_view);
1583
0
  }
1584
1585
2
  INSIST(zone != zone->raw);
1586
2
  if (zone->view != NULL) {
1587
0
    dns_view_sfd_del(zone->view, &zone->origin);
1588
0
    dns_view_weakdetach(&zone->view);
1589
0
  }
1590
2
  dns_view_weakattach(view, &zone->view);
1591
2
  dns_view_sfd_add(view, &zone->origin);
1592
1593
2
  if (zone->strviewname != NULL) {
1594
0
    isc_mem_free(zone->mctx, zone->strviewname);
1595
0
  }
1596
2
  if (zone->strnamerd != NULL) {
1597
2
    isc_mem_free(zone->mctx, zone->strnamerd);
1598
2
  }
1599
1600
2
  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1601
2
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1602
2
  zone_viewname_tostr(zone, namebuf, sizeof namebuf);
1603
2
  zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
1604
1605
2
  if (inline_secure(zone)) {
1606
0
    dns_zone_setview(zone->raw, view);
1607
0
  }
1608
2
}
1609
1610
void
1611
2
dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
1612
2
  REQUIRE(DNS_ZONE_VALID(zone));
1613
1614
2
  LOCK_ZONE(zone);
1615
2
  dns_zone_setview_helper(zone, view);
1616
2
  UNLOCK_ZONE(zone);
1617
2
}
1618
1619
dns_view_t *
1620
0
dns_zone_getview(dns_zone_t *zone) {
1621
0
  REQUIRE(DNS_ZONE_VALID(zone));
1622
1623
0
  return (zone->view);
1624
0
}
1625
1626
void
1627
0
dns_zone_setviewcommit(dns_zone_t *zone) {
1628
0
  REQUIRE(DNS_ZONE_VALID(zone));
1629
1630
0
  LOCK_ZONE(zone);
1631
0
  if (zone->prev_view != NULL) {
1632
0
    dns_view_weakdetach(&zone->prev_view);
1633
0
  }
1634
0
  if (inline_secure(zone)) {
1635
0
    dns_zone_setviewcommit(zone->raw);
1636
0
  }
1637
0
  UNLOCK_ZONE(zone);
1638
0
}
1639
1640
void
1641
0
dns_zone_setviewrevert(dns_zone_t *zone) {
1642
0
  REQUIRE(DNS_ZONE_VALID(zone));
1643
1644
0
  LOCK_ZONE(zone);
1645
0
  if (zone->prev_view != NULL) {
1646
0
    dns_zone_setview_helper(zone, zone->prev_view);
1647
0
    dns_view_weakdetach(&zone->prev_view);
1648
0
  }
1649
0
  if (zone->catzs != NULL) {
1650
0
    zone_catz_enable(zone, zone->catzs);
1651
0
  }
1652
0
  if (inline_secure(zone)) {
1653
0
    dns_zone_setviewrevert(zone->raw);
1654
0
  }
1655
0
  UNLOCK_ZONE(zone);
1656
0
}
1657
1658
isc_result_t
1659
2
dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
1660
2
  isc_result_t result = ISC_R_SUCCESS;
1661
2
  char namebuf[1024];
1662
1663
2
  REQUIRE(DNS_ZONE_VALID(zone));
1664
2
  REQUIRE(origin != NULL);
1665
1666
2
  LOCK_ZONE(zone);
1667
2
  INSIST(zone != zone->raw);
1668
2
  if (dns_name_dynamic(&zone->origin)) {
1669
0
    dns_name_free(&zone->origin, zone->mctx);
1670
0
    dns_name_init(&zone->origin, NULL);
1671
0
  }
1672
2
  dns_name_dup(origin, zone->mctx, &zone->origin);
1673
1674
2
  if (zone->strnamerd != NULL) {
1675
0
    isc_mem_free(zone->mctx, zone->strnamerd);
1676
0
  }
1677
2
  if (zone->strname != NULL) {
1678
0
    isc_mem_free(zone->mctx, zone->strname);
1679
0
  }
1680
1681
2
  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1682
2
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1683
2
  zone_name_tostr(zone, namebuf, sizeof namebuf);
1684
2
  zone->strname = isc_mem_strdup(zone->mctx, namebuf);
1685
1686
2
  if (inline_secure(zone)) {
1687
0
    result = dns_zone_setorigin(zone->raw, origin);
1688
0
  }
1689
2
  UNLOCK_ZONE(zone);
1690
2
  return (result);
1691
2
}
1692
1693
static isc_result_t
1694
6
dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
1695
6
  char *copy;
1696
1697
6
  if (value != NULL) {
1698
6
    copy = isc_mem_strdup(zone->mctx, value);
1699
6
  } else {
1700
0
    copy = NULL;
1701
0
  }
1702
1703
6
  if (*field != NULL) {
1704
0
    isc_mem_free(zone->mctx, *field);
1705
0
  }
1706
1707
6
  *field = copy;
1708
6
  return (ISC_R_SUCCESS);
1709
6
}
1710
1711
isc_result_t
1712
dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format,
1713
2
     const dns_master_style_t *style) {
1714
2
  isc_result_t result = ISC_R_SUCCESS;
1715
1716
2
  REQUIRE(DNS_ZONE_VALID(zone));
1717
2
  REQUIRE(zone->stream == NULL);
1718
1719
2
  LOCK_ZONE(zone);
1720
2
  result = dns_zone_setstring(zone, &zone->masterfile, file);
1721
2
  if (result == ISC_R_SUCCESS) {
1722
2
    zone->masterformat = format;
1723
2
    if (format == dns_masterformat_text) {
1724
2
      zone->masterstyle = style;
1725
2
    }
1726
2
    result = default_journal(zone);
1727
2
  }
1728
2
  UNLOCK_ZONE(zone);
1729
1730
2
  return (result);
1731
2
}
1732
1733
const char *
1734
0
dns_zone_getfile(dns_zone_t *zone) {
1735
0
  REQUIRE(DNS_ZONE_VALID(zone));
1736
1737
0
  return (zone->masterfile);
1738
0
}
1739
1740
isc_result_t
1741
dns_zone_setstream(dns_zone_t *zone, const FILE *stream,
1742
0
       dns_masterformat_t format, const dns_master_style_t *style) {
1743
0
  isc_result_t result = ISC_R_SUCCESS;
1744
1745
0
  REQUIRE(DNS_ZONE_VALID(zone));
1746
0
  REQUIRE(stream != NULL);
1747
0
  REQUIRE(zone->masterfile == NULL);
1748
1749
0
  LOCK_ZONE(zone);
1750
0
  zone->stream = stream;
1751
0
  zone->masterformat = format;
1752
0
  if (format == dns_masterformat_text) {
1753
0
    zone->masterstyle = style;
1754
0
  }
1755
0
  result = default_journal(zone);
1756
0
  UNLOCK_ZONE(zone);
1757
1758
0
  return (result);
1759
0
}
1760
1761
dns_ttl_t
1762
0
dns_zone_getmaxttl(dns_zone_t *zone) {
1763
0
  REQUIRE(DNS_ZONE_VALID(zone));
1764
1765
0
  return (zone->maxttl);
1766
0
}
1767
1768
void
1769
0
dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) {
1770
0
  REQUIRE(DNS_ZONE_VALID(zone));
1771
1772
0
  LOCK_ZONE(zone);
1773
0
  if (maxttl != 0) {
1774
0
    DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_CHECKTTL);
1775
0
  } else {
1776
0
    DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_CHECKTTL);
1777
0
  }
1778
0
  zone->maxttl = maxttl;
1779
0
  UNLOCK_ZONE(zone);
1780
1781
0
  return;
1782
0
}
1783
1784
static isc_result_t
1785
2
default_journal(dns_zone_t *zone) {
1786
2
  isc_result_t result;
1787
2
  char *journal;
1788
1789
2
  REQUIRE(DNS_ZONE_VALID(zone));
1790
2
  REQUIRE(LOCKED_ZONE(zone));
1791
1792
2
  if (zone->masterfile != NULL) {
1793
    /* Calculate string length including '\0'. */
1794
2
    int len = strlen(zone->masterfile) + sizeof(".jnl");
1795
2
    journal = isc_mem_allocate(zone->mctx, len);
1796
2
    strlcpy(journal, zone->masterfile, len);
1797
2
    strlcat(journal, ".jnl", len);
1798
2
  } else {
1799
0
    journal = NULL;
1800
0
  }
1801
2
  result = dns_zone_setstring(zone, &zone->journal, journal);
1802
2
  if (journal != NULL) {
1803
2
    isc_mem_free(zone->mctx, journal);
1804
2
  }
1805
2
  return (result);
1806
2
}
1807
1808
isc_result_t
1809
0
dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) {
1810
0
  isc_result_t result = ISC_R_SUCCESS;
1811
1812
0
  REQUIRE(DNS_ZONE_VALID(zone));
1813
1814
0
  LOCK_ZONE(zone);
1815
0
  result = dns_zone_setstring(zone, &zone->journal, myjournal);
1816
0
  UNLOCK_ZONE(zone);
1817
1818
0
  return (result);
1819
0
}
1820
1821
char *
1822
0
dns_zone_getjournal(dns_zone_t *zone) {
1823
0
  REQUIRE(DNS_ZONE_VALID(zone));
1824
1825
0
  return (zone->journal);
1826
0
}
1827
1828
/*
1829
 * Return true iff the zone is "dynamic", in the sense that the zone's
1830
 * master file (if any) is written by the server, rather than being
1831
 * updated manually and read by the server.
1832
 *
1833
 * This is true for secondary zones, mirror zones, stub zones, key zones,
1834
 * and zones that allow dynamic updates either by having an update
1835
 * policy ("ssutable") or an "allow-update" ACL with a value other than
1836
 * exactly "{ none; }".
1837
 */
1838
bool
1839
6
dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
1840
6
  REQUIRE(DNS_ZONE_VALID(zone));
1841
1842
6
  if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
1843
6
      zone->type == dns_zone_stub || zone->type == dns_zone_key ||
1844
6
      (zone->type == dns_zone_redirect &&
1845
6
       dns_remote_addresses(&zone->primaries) != NULL))
1846
0
  {
1847
0
    return (true);
1848
0
  }
1849
1850
  /* Inline zones are always dynamic. */
1851
6
  if (zone->type == dns_zone_primary && zone->raw != NULL) {
1852
0
    return (true);
1853
0
  }
1854
1855
  /* If !ignore_freeze, we need check whether updates are disabled.  */
1856
6
  if (zone->type == dns_zone_primary &&
1857
6
      (!zone->update_disabled || ignore_freeze) &&
1858
6
      ((zone->ssutable != NULL) ||
1859
6
       (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
1860
0
  {
1861
0
    return (true);
1862
0
  }
1863
1864
6
  return (false);
1865
6
}
1866
1867
/*
1868
 * Set the response policy index and information for a zone.
1869
 */
1870
isc_result_t
1871
dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
1872
0
        dns_rpz_num_t rpz_num) {
1873
  /*
1874
   * This must happen only once or be redundant.
1875
   */
1876
0
  LOCK_ZONE(zone);
1877
0
  if (zone->rpzs != NULL) {
1878
0
    REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num);
1879
0
  } else {
1880
0
    REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM);
1881
0
    dns_rpz_zones_attach(rpzs, &zone->rpzs);
1882
0
    zone->rpz_num = rpz_num;
1883
0
  }
1884
0
  rpzs->defined |= DNS_RPZ_ZBIT(rpz_num);
1885
0
  UNLOCK_ZONE(zone);
1886
1887
0
  return (ISC_R_SUCCESS);
1888
0
}
1889
1890
dns_rpz_num_t
1891
0
dns_zone_get_rpz_num(dns_zone_t *zone) {
1892
0
  return (zone->rpz_num);
1893
0
}
1894
1895
/*
1896
 * If a zone is a response policy zone, mark its new database.
1897
 */
1898
void
1899
2
dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
1900
2
  if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
1901
2
    return;
1902
2
  }
1903
0
  REQUIRE(zone->rpzs != NULL);
1904
0
  dns_rpz_dbupdate_register(db, zone->rpzs->zones[zone->rpz_num]);
1905
0
}
1906
1907
static void
1908
0
dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
1909
0
  if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
1910
0
    return;
1911
0
  }
1912
0
  REQUIRE(zone->rpzs != NULL);
1913
0
  dns_rpz_dbupdate_unregister(db, zone->rpzs->zones[zone->rpz_num]);
1914
0
}
1915
1916
/*
1917
 * If a zone is a catalog zone, attach it to update notification in database.
1918
 */
1919
void
1920
2
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
1921
2
  REQUIRE(DNS_ZONE_VALID(zone));
1922
2
  REQUIRE(db != NULL);
1923
1924
2
  if (zone->catzs != NULL) {
1925
0
    dns_catz_dbupdate_register(db, zone->catzs);
1926
0
  }
1927
2
}
1928
1929
static void
1930
0
dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
1931
0
  REQUIRE(DNS_ZONE_VALID(zone));
1932
0
  REQUIRE(db != NULL);
1933
1934
0
  if (zone->catzs != NULL) {
1935
0
    dns_catz_dbupdate_unregister(db, zone->catzs);
1936
0
  }
1937
0
}
1938
1939
static void
1940
0
zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
1941
0
  REQUIRE(DNS_ZONE_VALID(zone));
1942
0
  REQUIRE(catzs != NULL);
1943
1944
0
  INSIST(zone->catzs == NULL || zone->catzs == catzs);
1945
0
  dns_catz_catzs_set_view(catzs, zone->view);
1946
0
  if (zone->catzs == NULL) {
1947
0
    dns_catz_zones_attach(catzs, &zone->catzs);
1948
0
  }
1949
0
}
1950
1951
void
1952
0
dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
1953
0
  REQUIRE(DNS_ZONE_VALID(zone));
1954
1955
0
  LOCK_ZONE(zone);
1956
0
  zone_catz_enable(zone, catzs);
1957
0
  UNLOCK_ZONE(zone);
1958
0
}
1959
1960
static void
1961
0
zone_catz_disable(dns_zone_t *zone) {
1962
0
  REQUIRE(DNS_ZONE_VALID(zone));
1963
1964
0
  if (zone->catzs != NULL) {
1965
0
    if (zone->db != NULL) {
1966
0
      dns_zone_catz_disable_db(zone, zone->db);
1967
0
    }
1968
0
    dns_catz_zones_detach(&zone->catzs);
1969
0
  }
1970
0
}
1971
1972
void
1973
0
dns_zone_catz_disable(dns_zone_t *zone) {
1974
0
  REQUIRE(DNS_ZONE_VALID(zone));
1975
1976
0
  LOCK_ZONE(zone);
1977
0
  zone_catz_disable(zone);
1978
0
  UNLOCK_ZONE(zone);
1979
0
}
1980
1981
bool
1982
0
dns_zone_catz_is_enabled(dns_zone_t *zone) {
1983
0
  REQUIRE(DNS_ZONE_VALID(zone));
1984
1985
0
  return (zone->catzs != NULL);
1986
0
}
1987
1988
/*
1989
 * Set catalog zone ownership of the zone
1990
 */
1991
void
1992
0
dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) {
1993
0
  REQUIRE(DNS_ZONE_VALID(zone));
1994
0
  REQUIRE(catz != NULL);
1995
0
  LOCK_ZONE(zone);
1996
0
  INSIST(zone->parentcatz == NULL || zone->parentcatz == catz);
1997
0
  zone->parentcatz = catz;
1998
0
  UNLOCK_ZONE(zone);
1999
0
}
2000
2001
dns_catz_zone_t *
2002
0
dns_zone_get_parentcatz(dns_zone_t *zone) {
2003
0
  REQUIRE(DNS_ZONE_VALID(zone));
2004
2005
0
  dns_catz_zone_t *parentcatz = NULL;
2006
2007
0
  LOCK_ZONE(zone);
2008
0
  parentcatz = zone->parentcatz;
2009
0
  UNLOCK_ZONE(zone);
2010
2011
0
  return (parentcatz);
2012
0
}
2013
2014
static bool
2015
0
zone_touched(dns_zone_t *zone) {
2016
0
  isc_result_t result;
2017
0
  isc_time_t modtime;
2018
0
  dns_include_t *include;
2019
2020
0
  REQUIRE(DNS_ZONE_VALID(zone));
2021
2022
0
  result = isc_file_getmodtime(zone->masterfile, &modtime);
2023
0
  if (result != ISC_R_SUCCESS ||
2024
0
      isc_time_compare(&modtime, &zone->loadtime) > 0)
2025
0
  {
2026
0
    return (true);
2027
0
  }
2028
2029
0
  for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
2030
0
       include = ISC_LIST_NEXT(include, link))
2031
0
  {
2032
0
    result = isc_file_getmodtime(include->name, &modtime);
2033
0
    if (result != ISC_R_SUCCESS ||
2034
0
        isc_time_compare(&modtime, &include->filetime) > 0)
2035
0
    {
2036
0
      return (true);
2037
0
    }
2038
0
  }
2039
2040
0
  return (false);
2041
0
}
2042
2043
/*
2044
 * Note: when dealing with inline-signed zones, external callers will always
2045
 * call zone_load() for the secure zone; zone_load() calls itself recursively
2046
 * in order to load the raw zone.
2047
 */
2048
static isc_result_t
2049
2
zone_load(dns_zone_t *zone, unsigned int flags, bool locked) {
2050
2
  isc_result_t result;
2051
2
  isc_time_t now;
2052
2
  isc_time_t loadtime;
2053
2
  dns_db_t *db = NULL;
2054
2
  bool rbt, hasraw, is_dynamic;
2055
2056
2
  REQUIRE(DNS_ZONE_VALID(zone));
2057
2058
2
  if (!locked) {
2059
2
    LOCK_ZONE(zone);
2060
2
  }
2061
2062
2
  INSIST(zone != zone->raw);
2063
2
  hasraw = inline_secure(zone);
2064
2
  if (hasraw) {
2065
    /*
2066
     * We are trying to load an inline-signed zone.  First call
2067
     * self recursively to try loading the raw version of the zone.
2068
     * Assuming the raw zone file is readable, there are two
2069
     * possibilities:
2070
     *
2071
     *  a) the raw zone was not yet loaded and thus it will be
2072
     *     loaded now, synchronously; if this succeeds, a
2073
     *     subsequent attempt to load the signed zone file will
2074
     *     take place and thus zone_postload() will be called
2075
     *     twice: first for the raw zone and then for the secure
2076
     *     zone; the latter call will take care of syncing the raw
2077
     *     version with the secure version,
2078
     *
2079
     *  b) the raw zone was already loaded and we are trying to
2080
     *     reload it, which will happen asynchronously; this means
2081
     *     zone_postload() will only be called for the raw zone
2082
     *     because "result" returned by the zone_load() call below
2083
     *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
2084
     *     zone_postload() called for the raw zone will take care
2085
     *     of syncing the raw version with the secure version.
2086
     */
2087
0
    result = zone_load(zone->raw, flags, false);
2088
0
    if (result != ISC_R_SUCCESS) {
2089
0
      if (!locked) {
2090
0
        UNLOCK_ZONE(zone);
2091
0
      }
2092
0
      return (result);
2093
0
    }
2094
0
    LOCK_ZONE(zone->raw);
2095
0
  }
2096
2097
2
  now = isc_time_now();
2098
2099
2
  INSIST(zone->type != dns_zone_none);
2100
2101
2
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
2102
0
    if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
2103
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
2104
0
    }
2105
0
    result = DNS_R_CONTINUE;
2106
0
    goto cleanup;
2107
0
  }
2108
2109
2
  INSIST(zone->db_argc >= 1);
2110
2111
2
  rbt = strcmp(zone->db_argv[0], ZONEDB_DEFAULT) == 0;
2112
2113
2
  if (zone->db != NULL && zone->masterfile == NULL && rbt) {
2114
    /*
2115
     * The zone has no master file configured.
2116
     */
2117
0
    result = ISC_R_SUCCESS;
2118
0
    goto cleanup;
2119
0
  }
2120
2121
2
  is_dynamic = dns_zone_isdynamic(zone, false);
2122
2
  if (zone->db != NULL && is_dynamic) {
2123
    /*
2124
     * This is a secondary, stub, or dynamically updated zone
2125
     * being reloaded.  Do nothing - the database we already
2126
     * have is guaranteed to be up-to-date.
2127
     */
2128
0
    if (zone->type == dns_zone_primary && !hasraw) {
2129
0
      result = DNS_R_DYNAMIC;
2130
0
    } else {
2131
0
      result = ISC_R_SUCCESS;
2132
0
    }
2133
0
    goto cleanup;
2134
0
  }
2135
2136
  /*
2137
   * Store the current time before the zone is loaded, so that if the
2138
   * file changes between the time of the load and the time that
2139
   * zone->loadtime is set, then the file will still be reloaded
2140
   * the next time dns_zone_load is called.
2141
   */
2142
2
  loadtime = isc_time_now();
2143
2144
  /*
2145
   * Don't do the load if the file that stores the zone is older
2146
   * than the last time the zone was loaded.  If the zone has not
2147
   * been loaded yet, zone->loadtime will be the epoch.
2148
   */
2149
2
  if (zone->masterfile != NULL) {
2150
2
    isc_time_t filetime;
2151
2152
    /*
2153
     * The file is already loaded.  If we are just doing a
2154
     * "rndc reconfig", we are done.
2155
     */
2156
2
    if (!isc_time_isepoch(&zone->loadtime) &&
2157
2
        (flags & DNS_ZONELOADFLAG_NOSTAT) != 0)
2158
0
    {
2159
0
      result = ISC_R_SUCCESS;
2160
0
      goto cleanup;
2161
0
    }
2162
2163
2
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
2164
2
        !zone_touched(zone))
2165
0
    {
2166
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2167
0
              ISC_LOG_DEBUG(1),
2168
0
              "skipping load: master file "
2169
0
              "older than last load");
2170
0
      result = DNS_R_UPTODATE;
2171
0
      goto cleanup;
2172
0
    }
2173
2174
    /*
2175
     * If the file modification time is in the past
2176
     * set loadtime to that value.
2177
     */
2178
2
    result = isc_file_getmodtime(zone->masterfile, &filetime);
2179
2
    if (result == ISC_R_SUCCESS &&
2180
2
        isc_time_compare(&loadtime, &filetime) > 0)
2181
1
    {
2182
1
      loadtime = filetime;
2183
1
    }
2184
2
  }
2185
2186
  /*
2187
   * Built in zones (with the exception of empty zones) don't need
2188
   * to be reloaded.
2189
   */
2190
2
  if (zone->type == dns_zone_primary &&
2191
2
      strcmp(zone->db_argv[0], "_builtin") == 0 &&
2192
2
      (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
2193
2
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
2194
0
  {
2195
0
    result = ISC_R_SUCCESS;
2196
0
    goto cleanup;
2197
0
  }
2198
2199
  /*
2200
   * Zones associated with a DLZ don't need to be loaded either,
2201
   * but we need to associate the database with the zone object.
2202
   */
2203
2
  if (strcmp(zone->db_argv[0], "dlz") == 0) {
2204
0
    dns_dlzdb_t *dlzdb;
2205
0
    dns_dlzfindzone_t findzone;
2206
2207
0
    for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched);
2208
0
         dlzdb != NULL; dlzdb = ISC_LIST_NEXT(dlzdb, link))
2209
0
    {
2210
0
      INSIST(DNS_DLZ_VALID(dlzdb));
2211
0
      if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0) {
2212
0
        break;
2213
0
      }
2214
0
    }
2215
2216
0
    if (dlzdb == NULL) {
2217
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2218
0
              ISC_LOG_ERROR,
2219
0
              "DLZ %s does not exist or is set "
2220
0
              "to 'search yes;'",
2221
0
              zone->db_argv[1]);
2222
0
      result = ISC_R_NOTFOUND;
2223
0
      goto cleanup;
2224
0
    }
2225
2226
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
2227
    /* ask SDLZ driver if the zone is supported */
2228
0
    findzone = dlzdb->implementation->methods->findzone;
2229
0
    result = (*findzone)(dlzdb->implementation->driverarg,
2230
0
             dlzdb->dbdata, dlzdb->mctx,
2231
0
             zone->view->rdclass, &zone->origin, NULL,
2232
0
             NULL, &db);
2233
0
    if (result != ISC_R_NOTFOUND) {
2234
0
      if (zone->db != NULL) {
2235
0
        zone_detachdb(zone);
2236
0
      }
2237
0
      zone_attachdb(zone, db);
2238
0
      dns_db_detach(&db);
2239
0
      result = ISC_R_SUCCESS;
2240
0
    }
2241
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
2242
2243
0
    if (result == ISC_R_SUCCESS) {
2244
0
      if (dlzdb->configure_callback == NULL) {
2245
0
        goto cleanup;
2246
0
      }
2247
2248
0
      result = (*dlzdb->configure_callback)(zone->view, dlzdb,
2249
0
                    zone);
2250
0
      if (result != ISC_R_SUCCESS) {
2251
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2252
0
                ISC_LOG_ERROR,
2253
0
                "DLZ configuration callback: %s",
2254
0
                isc_result_totext(result));
2255
0
      }
2256
0
    }
2257
0
    goto cleanup;
2258
0
  }
2259
2260
2
  if ((zone->type == dns_zone_secondary ||
2261
2
       zone->type == dns_zone_mirror || zone->type == dns_zone_stub ||
2262
2
       (zone->type == dns_zone_redirect &&
2263
2
        dns_remote_addresses(&zone->primaries) != NULL)) &&
2264
2
      rbt)
2265
0
  {
2266
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
2267
2268
0
    if (zone->stream == NULL &&
2269
0
        (zone->masterfile == NULL ||
2270
0
         !isc_file_exists(zone->masterfile)))
2271
0
    {
2272
0
      if (zone->masterfile != NULL) {
2273
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2274
0
                ISC_LOG_DEBUG(1),
2275
0
                "no master file");
2276
0
      }
2277
0
      zone->refreshtime = now;
2278
0
      if (zone->loop != NULL) {
2279
0
        zone_settimer(zone, &now);
2280
0
      }
2281
0
      result = ISC_R_SUCCESS;
2282
0
      goto cleanup;
2283
0
    }
2284
0
  }
2285
2286
2
  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
2287
2
          "starting load");
2288
2289
2
  result = dns_zone_makedb(zone, &db);
2290
2
  if (result != ISC_R_SUCCESS) {
2291
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
2292
0
            "loading zone: creating database: %s",
2293
0
            isc_result_totext(result));
2294
0
    goto cleanup;
2295
0
  }
2296
2297
2
  if (!dns_db_ispersistent(db)) {
2298
2
    if (zone->masterfile != NULL || zone->stream != NULL) {
2299
2
      result = zone_startload(db, zone, loadtime);
2300
2
    } else {
2301
0
      result = DNS_R_NOMASTERFILE;
2302
0
      if (zone->type == dns_zone_primary ||
2303
0
          (zone->type == dns_zone_redirect &&
2304
0
           dns_remote_addresses(&zone->primaries) == NULL))
2305
0
      {
2306
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2307
0
                ISC_LOG_ERROR,
2308
0
                "loading zone: "
2309
0
                "no master file configured");
2310
0
        goto cleanup;
2311
0
      }
2312
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2313
0
              ISC_LOG_INFO,
2314
0
              "loading zone: "
2315
0
              "no master file configured: continuing");
2316
0
    }
2317
2
  }
2318
2319
2
  if (result == DNS_R_CONTINUE) {
2320
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
2321
0
    if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
2322
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
2323
0
    }
2324
0
    goto cleanup;
2325
0
  }
2326
2327
2
  result = zone_postload(zone, db, loadtime, result);
2328
2329
2
cleanup:
2330
2
  if (hasraw) {
2331
0
    UNLOCK_ZONE(zone->raw);
2332
0
  }
2333
2
  if (!locked) {
2334
2
    UNLOCK_ZONE(zone);
2335
2
  }
2336
2
  if (db != NULL) {
2337
2
    dns_db_detach(&db);
2338
2
  }
2339
2
  return (result);
2340
2
}
2341
2342
isc_result_t
2343
2
dns_zone_load(dns_zone_t *zone, bool newonly) {
2344
2
  return (zone_load(zone, newonly ? DNS_ZONELOADFLAG_NOSTAT : 0, false));
2345
2
}
2346
2347
static void
2348
0
zone_asyncload(void *arg) {
2349
0
  dns_asyncload_t *asl = arg;
2350
0
  dns_zone_t *zone = asl->zone;
2351
0
  isc_result_t result;
2352
2353
0
  REQUIRE(DNS_ZONE_VALID(zone));
2354
2355
0
  LOCK_ZONE(zone);
2356
0
  result = zone_load(zone, asl->flags, true);
2357
0
  if (result != DNS_R_CONTINUE) {
2358
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
2359
0
  }
2360
0
  UNLOCK_ZONE(zone);
2361
2362
  /* Inform the zone table we've finished loading */
2363
0
  if (asl->loaded != NULL) {
2364
0
    asl->loaded(asl->loaded_arg);
2365
0
  }
2366
2367
0
  isc_mem_put(zone->mctx, asl, sizeof(*asl));
2368
0
  dns_zone_idetach(&zone);
2369
0
}
2370
2371
isc_result_t
2372
dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_callback_t *done,
2373
0
       void *arg) {
2374
0
  dns_asyncload_t *asl = NULL;
2375
2376
0
  REQUIRE(DNS_ZONE_VALID(zone));
2377
2378
0
  if (zone->zmgr == NULL) {
2379
0
    return (ISC_R_FAILURE);
2380
0
  }
2381
2382
  /* If we already have a load pending, stop now */
2383
0
  LOCK_ZONE(zone);
2384
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
2385
0
    UNLOCK_ZONE(zone);
2386
0
    return (ISC_R_ALREADYRUNNING);
2387
0
  }
2388
2389
0
  asl = isc_mem_get(zone->mctx, sizeof(*asl));
2390
2391
0
  asl->zone = NULL;
2392
0
  asl->flags = newonly ? DNS_ZONELOADFLAG_NOSTAT : 0;
2393
0
  asl->loaded = done;
2394
0
  asl->loaded_arg = arg;
2395
2396
0
  zone_iattach(zone, &asl->zone);
2397
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
2398
0
  isc_async_run(zone->loop, zone_asyncload, asl);
2399
0
  UNLOCK_ZONE(zone);
2400
2401
0
  return (ISC_R_SUCCESS);
2402
0
}
2403
2404
bool
2405
0
dns__zone_loadpending(dns_zone_t *zone) {
2406
0
  REQUIRE(DNS_ZONE_VALID(zone));
2407
2408
0
  return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
2409
0
}
2410
2411
isc_result_t
2412
0
dns_zone_loadandthaw(dns_zone_t *zone) {
2413
0
  isc_result_t result;
2414
2415
0
  if (inline_raw(zone)) {
2416
0
    result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW, false);
2417
0
  } else {
2418
    /*
2419
     * When thawing a zone, we don't know what changes
2420
     * have been made. If we do DNSSEC maintenance on this
2421
     * zone, schedule a full sign for this zone.
2422
     */
2423
0
    if (zone->type == dns_zone_primary &&
2424
0
        DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
2425
0
    {
2426
0
      DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
2427
0
    }
2428
0
    result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
2429
0
  }
2430
2431
0
  switch (result) {
2432
0
  case DNS_R_CONTINUE:
2433
    /* Deferred thaw. */
2434
0
    break;
2435
0
  case DNS_R_UPTODATE:
2436
0
  case ISC_R_SUCCESS:
2437
0
  case DNS_R_SEENINCLUDE:
2438
0
    zone->update_disabled = false;
2439
0
    break;
2440
0
  case DNS_R_NOMASTERFILE:
2441
0
    zone->update_disabled = false;
2442
0
    break;
2443
0
  default:
2444
    /* Error, remain in disabled state. */
2445
0
    break;
2446
0
  }
2447
0
  return (result);
2448
0
}
2449
2450
static unsigned int
2451
2
get_primary_options(dns_zone_t *zone) {
2452
2
  unsigned int options;
2453
2454
2
  options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN;
2455
2
  if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
2456
2
      (zone->type == dns_zone_redirect &&
2457
2
       dns_remote_addresses(&zone->primaries) == NULL))
2458
0
  {
2459
0
    options |= DNS_MASTER_SECONDARY;
2460
0
  }
2461
2
  if (zone->type == dns_zone_key) {
2462
0
    options |= DNS_MASTER_KEY;
2463
0
  }
2464
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) {
2465
0
    options |= DNS_MASTER_CHECKNS;
2466
0
  }
2467
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) {
2468
0
    options |= DNS_MASTER_FATALNS;
2469
0
  }
2470
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) {
2471
0
    options |= DNS_MASTER_CHECKNAMES;
2472
0
  }
2473
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
2474
0
    options |= DNS_MASTER_CHECKNAMESFAIL;
2475
0
  }
2476
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) {
2477
0
    options |= DNS_MASTER_CHECKMX;
2478
0
  }
2479
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
2480
0
    options |= DNS_MASTER_CHECKMXFAIL;
2481
0
  }
2482
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) {
2483
0
    options |= DNS_MASTER_CHECKWILDCARD;
2484
0
  }
2485
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) {
2486
0
    options |= DNS_MASTER_CHECKTTL;
2487
0
  }
2488
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSVCB)) {
2489
0
    options |= DNS_MASTER_CHECKSVCB;
2490
0
  }
2491
2492
2
  return (options);
2493
2
}
2494
2495
static void
2496
0
zone_registerinclude(const char *filename, void *arg) {
2497
0
  isc_result_t result;
2498
0
  dns_zone_t *zone = (dns_zone_t *)arg;
2499
0
  dns_include_t *inc = NULL;
2500
2501
0
  REQUIRE(DNS_ZONE_VALID(zone));
2502
2503
0
  if (filename == NULL) {
2504
0
    return;
2505
0
  }
2506
2507
  /*
2508
   * Suppress duplicates.
2509
   */
2510
0
  for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
2511
0
       inc = ISC_LIST_NEXT(inc, link))
2512
0
  {
2513
0
    if (strcmp(filename, inc->name) == 0) {
2514
0
      return;
2515
0
    }
2516
0
  }
2517
2518
0
  inc = isc_mem_get(zone->mctx, sizeof(dns_include_t));
2519
0
  inc->name = isc_mem_strdup(zone->mctx, filename);
2520
0
  ISC_LINK_INIT(inc, link);
2521
2522
0
  result = isc_file_getmodtime(filename, &inc->filetime);
2523
0
  if (result != ISC_R_SUCCESS) {
2524
0
    isc_time_settoepoch(&inc->filetime);
2525
0
  }
2526
2527
0
  ISC_LIST_APPEND(zone->newincludes, inc, link);
2528
0
}
2529
2530
static void
2531
0
get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) {
2532
0
  isc_result_t result;
2533
0
  unsigned int soacount;
2534
2535
0
  LOCK(&raw->lock);
2536
0
  if (raw->db != NULL) {
2537
0
    result = zone_get_from_db(raw, raw->db, NULL, &soacount, NULL,
2538
0
            &rawdata->sourceserial, NULL, NULL,
2539
0
            NULL, NULL, NULL);
2540
0
    if (result == ISC_R_SUCCESS && soacount > 0U) {
2541
0
      rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET;
2542
0
    }
2543
0
  }
2544
0
  UNLOCK(&raw->lock);
2545
0
}
2546
2547
/*
2548
 * Save the raw serial number for inline-signing zones.
2549
 * (XXX: Other information from the header will be used
2550
 * for other purposes in the future, but for now this is
2551
 * all we're interested in.)
2552
 */
2553
static void
2554
0
zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
2555
0
  if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0) {
2556
0
    return;
2557
0
  }
2558
2559
0
  zone->sourceserial = header->sourceserial;
2560
0
  zone->sourceserialset = true;
2561
0
}
2562
2563
void
2564
0
dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
2565
0
  if (zone == NULL) {
2566
0
    return;
2567
0
  }
2568
2569
0
  LOCK_ZONE(zone);
2570
0
  zone_setrawdata(zone, header);
2571
0
  UNLOCK_ZONE(zone);
2572
0
}
2573
2574
static isc_result_t
2575
2
zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
2576
2
  isc_result_t result;
2577
2
  isc_result_t tresult;
2578
2
  unsigned int options;
2579
2
  dns_load_t *load = isc_mem_get(zone->mctx, sizeof(*load));
2580
2581
2
  ENTER;
2582
2583
2
  *load = (dns_load_t){
2584
2
    .loadtime = loadtime,
2585
2
  };
2586
2587
2
  dns_zone_rpz_enable_db(zone, db);
2588
2
  dns_zone_catz_enable_db(zone, db);
2589
2590
2
  options = get_primary_options(zone);
2591
2
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) {
2592
0
    options |= DNS_MASTER_MANYERRORS;
2593
0
  }
2594
2595
2
  zone_iattach(zone, &load->zone);
2596
2
  dns_db_attach(db, &load->db);
2597
2598
2
  dns_rdatacallbacks_init(&load->callbacks);
2599
2
  load->callbacks.rawdata = zone_setrawdata;
2600
2
  zone_iattach(zone, &load->callbacks.zone);
2601
2602
2
  result = dns_db_beginload(db, &load->callbacks);
2603
2
  if (result != ISC_R_SUCCESS) {
2604
0
    goto cleanup;
2605
0
  }
2606
2607
2
  if (zone->zmgr != NULL && zone->db != NULL) {
2608
0
    result = dns_master_loadfileasync(
2609
0
      zone->masterfile, dns_db_origin(db), dns_db_origin(db),
2610
0
      zone->rdclass, options, 0, &load->callbacks, zone->loop,
2611
0
      zone_loaddone, load, &zone->loadctx,
2612
0
      zone_registerinclude, zone, zone->mctx,
2613
0
      zone->masterformat, zone->maxttl);
2614
0
    if (result != ISC_R_SUCCESS) {
2615
0
      goto cleanup;
2616
0
    }
2617
2618
0
    return (DNS_R_CONTINUE);
2619
2
  } else if (zone->stream != NULL) {
2620
0
    FILE *stream = UNCONST(zone->stream);
2621
0
    result = dns_master_loadstream(
2622
0
      stream, &zone->origin, &zone->origin, zone->rdclass,
2623
0
      options, &load->callbacks, zone->mctx);
2624
2
  } else {
2625
2
    result = dns_master_loadfile(
2626
2
      zone->masterfile, &zone->origin, &zone->origin,
2627
2
      zone->rdclass, options, 0, &load->callbacks,
2628
2
      zone_registerinclude, zone, zone->mctx,
2629
2
      zone->masterformat, zone->maxttl);
2630
2
  }
2631
2632
2
cleanup:
2633
2
  if (result != ISC_R_SUCCESS) {
2634
0
    dns_zone_rpz_disable_db(zone, load->db);
2635
0
    dns_zone_catz_disable_db(zone, load->db);
2636
0
  }
2637
2638
2
  tresult = dns_db_endload(db, &load->callbacks);
2639
2
  if (result == ISC_R_SUCCESS) {
2640
2
    result = tresult;
2641
2
  }
2642
2643
2
  zone_idetach(&load->callbacks.zone);
2644
2
  dns_db_detach(&load->db);
2645
2
  zone_idetach(&load->zone);
2646
2647
2
  isc_mem_put(zone->mctx, load, sizeof(*load));
2648
2
  return (result);
2649
2
}
2650
2651
static bool
2652
zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2653
0
        dns_name_t *owner) {
2654
0
  isc_result_t result;
2655
0
  char ownerbuf[DNS_NAME_FORMATSIZE];
2656
0
  char namebuf[DNS_NAME_FORMATSIZE];
2657
0
  char altbuf[DNS_NAME_FORMATSIZE];
2658
0
  dns_fixedname_t fixed;
2659
0
  dns_name_t *foundname;
2660
0
  int level;
2661
2662
  /*
2663
   * "." means the services does not exist.
2664
   */
2665
0
  if (dns_name_equal(name, dns_rootname)) {
2666
0
    return (true);
2667
0
  }
2668
2669
  /*
2670
   * Outside of zone.
2671
   */
2672
0
  if (!dns_name_issubdomain(name, &zone->origin)) {
2673
0
    if (zone->checkmx != NULL) {
2674
0
      return ((zone->checkmx)(zone, name, owner));
2675
0
    }
2676
0
    return (true);
2677
0
  }
2678
2679
0
  if (zone->type == dns_zone_primary) {
2680
0
    level = ISC_LOG_ERROR;
2681
0
  } else {
2682
0
    level = ISC_LOG_WARNING;
2683
0
  }
2684
2685
0
  foundname = dns_fixedname_initname(&fixed);
2686
2687
0
  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
2688
0
           foundname, NULL, NULL);
2689
0
  if (result == ISC_R_SUCCESS) {
2690
0
    return (true);
2691
0
  }
2692
2693
0
  if (result == DNS_R_NXRRSET) {
2694
0
    result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
2695
0
             NULL, foundname, NULL, NULL);
2696
0
    if (result == ISC_R_SUCCESS) {
2697
0
      return (true);
2698
0
    }
2699
0
  }
2700
2701
0
  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
2702
0
  dns_name_format(name, namebuf, sizeof namebuf);
2703
0
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
2704
0
      result == DNS_R_EMPTYNAME)
2705
0
  {
2706
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
2707
0
      level = ISC_LOG_WARNING;
2708
0
    }
2709
0
    dns_zone_log(zone, level,
2710
0
           "%s/MX '%s' has no address records (A or AAAA)",
2711
0
           ownerbuf, namebuf);
2712
0
    return ((level == ISC_LOG_WARNING) ? true : false);
2713
0
  }
2714
2715
0
  if (result == DNS_R_CNAME) {
2716
0
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
2717
0
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
2718
0
    {
2719
0
      level = ISC_LOG_WARNING;
2720
0
    }
2721
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
2722
0
      dns_zone_log(zone, level,
2723
0
             "%s/MX '%s' is a CNAME (illegal)",
2724
0
             ownerbuf, namebuf);
2725
0
    }
2726
0
    return ((level == ISC_LOG_WARNING) ? true : false);
2727
0
  }
2728
2729
0
  if (result == DNS_R_DNAME) {
2730
0
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
2731
0
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
2732
0
    {
2733
0
      level = ISC_LOG_WARNING;
2734
0
    }
2735
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
2736
0
      dns_name_format(foundname, altbuf, sizeof altbuf);
2737
0
      dns_zone_log(zone, level,
2738
0
             "%s/MX '%s' is below a DNAME"
2739
0
             " '%s' (illegal)",
2740
0
             ownerbuf, namebuf, altbuf);
2741
0
    }
2742
0
    return ((level == ISC_LOG_WARNING) ? true : false);
2743
0
  }
2744
2745
0
  if (zone->checkmx != NULL && result == DNS_R_DELEGATION) {
2746
0
    return ((zone->checkmx)(zone, name, owner));
2747
0
  }
2748
2749
0
  return (true);
2750
0
}
2751
2752
static bool
2753
zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2754
0
         dns_name_t *owner) {
2755
0
  isc_result_t result;
2756
0
  char ownerbuf[DNS_NAME_FORMATSIZE];
2757
0
  char namebuf[DNS_NAME_FORMATSIZE];
2758
0
  char altbuf[DNS_NAME_FORMATSIZE];
2759
0
  dns_fixedname_t fixed;
2760
0
  dns_name_t *foundname;
2761
0
  int level;
2762
2763
  /*
2764
   * "." means the services does not exist.
2765
   */
2766
0
  if (dns_name_equal(name, dns_rootname)) {
2767
0
    return (true);
2768
0
  }
2769
2770
  /*
2771
   * Outside of zone.
2772
   */
2773
0
  if (!dns_name_issubdomain(name, &zone->origin)) {
2774
0
    if (zone->checksrv != NULL) {
2775
0
      return ((zone->checksrv)(zone, name, owner));
2776
0
    }
2777
0
    return (true);
2778
0
  }
2779
2780
0
  if (zone->type == dns_zone_primary) {
2781
0
    level = ISC_LOG_ERROR;
2782
0
  } else {
2783
0
    level = ISC_LOG_WARNING;
2784
0
  }
2785
2786
0
  foundname = dns_fixedname_initname(&fixed);
2787
2788
0
  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
2789
0
           foundname, NULL, NULL);
2790
0
  if (result == ISC_R_SUCCESS) {
2791
0
    return (true);
2792
0
  }
2793
2794
0
  if (result == DNS_R_NXRRSET) {
2795
0
    result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
2796
0
             NULL, foundname, NULL, NULL);
2797
0
    if (result == ISC_R_SUCCESS) {
2798
0
      return (true);
2799
0
    }
2800
0
  }
2801
2802
0
  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
2803
0
  dns_name_format(name, namebuf, sizeof namebuf);
2804
0
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
2805
0
      result == DNS_R_EMPTYNAME)
2806
0
  {
2807
0
    dns_zone_log(zone, level,
2808
0
           "%s/SRV '%s' has no address records (A or AAAA)",
2809
0
           ownerbuf, namebuf);
2810
    /* XXX950 make fatal for 9.5.0. */
2811
0
    return (true);
2812
0
  }
2813
2814
0
  if (result == DNS_R_CNAME) {
2815
0
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
2816
0
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
2817
0
    {
2818
0
      level = ISC_LOG_WARNING;
2819
0
    }
2820
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
2821
0
      dns_zone_log(zone, level,
2822
0
             "%s/SRV '%s' is a CNAME (illegal)",
2823
0
             ownerbuf, namebuf);
2824
0
    }
2825
0
    return ((level == ISC_LOG_WARNING) ? true : false);
2826
0
  }
2827
2828
0
  if (result == DNS_R_DNAME) {
2829
0
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
2830
0
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
2831
0
    {
2832
0
      level = ISC_LOG_WARNING;
2833
0
    }
2834
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
2835
0
      dns_name_format(foundname, altbuf, sizeof altbuf);
2836
0
      dns_zone_log(zone, level,
2837
0
             "%s/SRV '%s' is below a "
2838
0
             "DNAME '%s' (illegal)",
2839
0
             ownerbuf, namebuf, altbuf);
2840
0
    }
2841
0
    return ((level == ISC_LOG_WARNING) ? true : false);
2842
0
  }
2843
2844
0
  if (zone->checksrv != NULL && result == DNS_R_DELEGATION) {
2845
0
    return ((zone->checksrv)(zone, name, owner));
2846
0
  }
2847
2848
0
  return (true);
2849
0
}
2850
2851
static bool
2852
zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2853
0
    dns_name_t *owner) {
2854
0
  bool answer = true;
2855
0
  isc_result_t result, tresult;
2856
0
  char ownerbuf[DNS_NAME_FORMATSIZE];
2857
0
  char namebuf[DNS_NAME_FORMATSIZE];
2858
0
  char altbuf[DNS_NAME_FORMATSIZE];
2859
0
  dns_fixedname_t fixed;
2860
0
  dns_name_t *foundname;
2861
0
  dns_rdataset_t a;
2862
0
  dns_rdataset_t aaaa;
2863
0
  int level;
2864
2865
  /*
2866
   * Outside of zone.
2867
   */
2868
0
  if (!dns_name_issubdomain(name, &zone->origin)) {
2869
0
    if (zone->checkns != NULL) {
2870
0
      return ((zone->checkns)(zone, name, owner, NULL, NULL));
2871
0
    }
2872
0
    return (true);
2873
0
  }
2874
2875
0
  if (zone->type == dns_zone_primary) {
2876
0
    level = ISC_LOG_ERROR;
2877
0
  } else {
2878
0
    level = ISC_LOG_WARNING;
2879
0
  }
2880
2881
0
  foundname = dns_fixedname_initname(&fixed);
2882
0
  dns_rdataset_init(&a);
2883
0
  dns_rdataset_init(&aaaa);
2884
2885
  /*
2886
   * Perform a regular lookup to catch DNAME records then look
2887
   * for glue.
2888
   */
2889
0
  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
2890
0
           foundname, &a, NULL);
2891
0
  switch (result) {
2892
0
  case ISC_R_SUCCESS:
2893
0
  case DNS_R_DNAME:
2894
0
  case DNS_R_CNAME:
2895
0
    break;
2896
0
  default:
2897
0
    if (dns_rdataset_isassociated(&a)) {
2898
0
      dns_rdataset_disassociate(&a);
2899
0
    }
2900
0
    result = dns_db_find(db, name, NULL, dns_rdatatype_a,
2901
0
             DNS_DBFIND_GLUEOK, 0, NULL, foundname, &a,
2902
0
             NULL);
2903
0
  }
2904
0
  if (result == ISC_R_SUCCESS) {
2905
0
    dns_rdataset_disassociate(&a);
2906
0
    return (true);
2907
0
  } else if (result == DNS_R_DELEGATION) {
2908
0
    dns_rdataset_disassociate(&a);
2909
0
  }
2910
2911
0
  if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
2912
0
      result == DNS_R_GLUE)
2913
0
  {
2914
0
    tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
2915
0
              DNS_DBFIND_GLUEOK, 0, NULL, foundname,
2916
0
              &aaaa, NULL);
2917
0
    if (tresult == ISC_R_SUCCESS) {
2918
0
      if (dns_rdataset_isassociated(&a)) {
2919
0
        dns_rdataset_disassociate(&a);
2920
0
      }
2921
0
      dns_rdataset_disassociate(&aaaa);
2922
0
      return (true);
2923
0
    }
2924
0
    if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME) {
2925
0
      dns_rdataset_disassociate(&aaaa);
2926
0
    }
2927
0
    if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
2928
      /*
2929
       * Check glue against child zone.
2930
       */
2931
0
      if (zone->checkns != NULL) {
2932
0
        answer = (zone->checkns)(zone, name, owner, &a,
2933
0
               &aaaa);
2934
0
      }
2935
0
      if (dns_rdataset_isassociated(&a)) {
2936
0
        dns_rdataset_disassociate(&a);
2937
0
      }
2938
0
      if (dns_rdataset_isassociated(&aaaa)) {
2939
0
        dns_rdataset_disassociate(&aaaa);
2940
0
      }
2941
0
      return (answer);
2942
0
    }
2943
0
  }
2944
2945
0
  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
2946
0
  dns_name_format(name, namebuf, sizeof namebuf);
2947
0
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
2948
0
      result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION)
2949
0
  {
2950
0
    const char *what;
2951
0
    bool required = false;
2952
0
    if (dns_name_issubdomain(name, owner)) {
2953
0
      what = "REQUIRED GLUE ";
2954
0
      required = true;
2955
0
    } else if (result == DNS_R_DELEGATION) {
2956
0
      what = "SIBLING GLUE ";
2957
0
    } else {
2958
0
      what = "";
2959
0
    }
2960
2961
0
    if (result != DNS_R_DELEGATION || required ||
2962
0
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING))
2963
0
    {
2964
0
      dns_zone_log(zone, level,
2965
0
             "%s/NS '%s' has no %s"
2966
0
             "address records (A or AAAA)",
2967
0
             ownerbuf, namebuf, what);
2968
      /*
2969
       * Log missing address record.
2970
       */
2971
0
      if (result == DNS_R_DELEGATION && zone->checkns != NULL)
2972
0
      {
2973
0
        (void)(zone->checkns)(zone, name, owner, &a,
2974
0
                  &aaaa);
2975
0
      }
2976
      /* XXX950 make fatal for 9.5.0. */
2977
      /* answer = false; */
2978
0
    }
2979
0
  } else if (result == DNS_R_CNAME) {
2980
0
    dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
2981
0
           ownerbuf, namebuf);
2982
    /* XXX950 make fatal for 9.5.0. */
2983
    /* answer = false; */
2984
0
  } else if (result == DNS_R_DNAME) {
2985
0
    dns_name_format(foundname, altbuf, sizeof altbuf);
2986
0
    dns_zone_log(zone, level,
2987
0
           "%s/NS '%s' is below a DNAME '%s' (illegal)",
2988
0
           ownerbuf, namebuf, altbuf);
2989
    /* XXX950 make fatal for 9.5.0. */
2990
    /* answer = false; */
2991
0
  }
2992
2993
0
  if (dns_rdataset_isassociated(&a)) {
2994
0
    dns_rdataset_disassociate(&a);
2995
0
  }
2996
0
  if (dns_rdataset_isassociated(&aaaa)) {
2997
0
    dns_rdataset_disassociate(&aaaa);
2998
0
  }
2999
0
  return (answer);
3000
0
}
3001
3002
static bool
3003
zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
3004
0
         dns_rdataset_t *rdataset) {
3005
0
  dns_rdataset_t tmprdataset;
3006
0
  isc_result_t result;
3007
0
  bool answer = true;
3008
0
  bool format = true;
3009
0
  int level = ISC_LOG_WARNING;
3010
0
  char ownerbuf[DNS_NAME_FORMATSIZE];
3011
0
  char typebuf[DNS_RDATATYPE_FORMATSIZE];
3012
0
  unsigned int count1 = 0;
3013
3014
0
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL)) {
3015
0
    level = ISC_LOG_ERROR;
3016
0
  }
3017
3018
0
  dns_rdataset_init(&tmprdataset);
3019
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
3020
0
       result = dns_rdataset_next(rdataset))
3021
0
  {
3022
0
    dns_rdata_t rdata1 = DNS_RDATA_INIT;
3023
0
    unsigned int count2 = 0;
3024
3025
0
    count1++;
3026
0
    dns_rdataset_current(rdataset, &rdata1);
3027
0
    dns_rdataset_clone(rdataset, &tmprdataset);
3028
0
    for (result = dns_rdataset_first(&tmprdataset);
3029
0
         result == ISC_R_SUCCESS;
3030
0
         result = dns_rdataset_next(&tmprdataset))
3031
0
    {
3032
0
      dns_rdata_t rdata2 = DNS_RDATA_INIT;
3033
0
      count2++;
3034
0
      if (count1 >= count2) {
3035
0
        continue;
3036
0
      }
3037
0
      dns_rdataset_current(&tmprdataset, &rdata2);
3038
0
      if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
3039
0
        if (format) {
3040
0
          dns_name_format(owner, ownerbuf,
3041
0
              sizeof ownerbuf);
3042
0
          dns_rdatatype_format(rdata1.type,
3043
0
                   typebuf,
3044
0
                   sizeof(typebuf));
3045
0
          format = false;
3046
0
        }
3047
0
        dns_zone_log(zone, level,
3048
0
               "%s/%s has "
3049
0
               "semantically identical records",
3050
0
               ownerbuf, typebuf);
3051
0
        if (level == ISC_LOG_ERROR) {
3052
0
          answer = false;
3053
0
        }
3054
0
        break;
3055
0
      }
3056
0
    }
3057
0
    dns_rdataset_disassociate(&tmprdataset);
3058
0
    if (!format) {
3059
0
      break;
3060
0
    }
3061
0
  }
3062
0
  return (answer);
3063
0
}
3064
3065
static bool
3066
0
zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
3067
0
  dns_dbiterator_t *dbiterator = NULL;
3068
0
  dns_dbnode_t *node = NULL;
3069
0
  dns_fixedname_t fixed;
3070
0
  dns_name_t *name;
3071
0
  dns_rdataset_t rdataset;
3072
0
  dns_rdatasetiter_t *rdsit = NULL;
3073
0
  bool ok = true;
3074
0
  isc_result_t result;
3075
3076
0
  name = dns_fixedname_initname(&fixed);
3077
0
  dns_rdataset_init(&rdataset);
3078
3079
0
  result = dns_db_createiterator(db, 0, &dbiterator);
3080
0
  if (result != ISC_R_SUCCESS) {
3081
0
    return (true);
3082
0
  }
3083
3084
0
  for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
3085
0
       result = dns_dbiterator_next(dbiterator))
3086
0
  {
3087
0
    result = dns_dbiterator_current(dbiterator, &node, name);
3088
0
    if (result != ISC_R_SUCCESS) {
3089
0
      continue;
3090
0
    }
3091
3092
0
    result = dns_db_allrdatasets(db, node, NULL, 0, 0, &rdsit);
3093
0
    if (result != ISC_R_SUCCESS) {
3094
0
      continue;
3095
0
    }
3096
3097
0
    for (result = dns_rdatasetiter_first(rdsit);
3098
0
         result == ISC_R_SUCCESS;
3099
0
         result = dns_rdatasetiter_next(rdsit))
3100
0
    {
3101
0
      dns_rdatasetiter_current(rdsit, &rdataset);
3102
0
      if (!zone_rrset_check_dup(zone, name, &rdataset)) {
3103
0
        ok = false;
3104
0
      }
3105
0
      dns_rdataset_disassociate(&rdataset);
3106
0
    }
3107
0
    dns_rdatasetiter_destroy(&rdsit);
3108
0
    dns_db_detachnode(db, &node);
3109
0
  }
3110
3111
0
  if (node != NULL) {
3112
0
    dns_db_detachnode(db, &node);
3113
0
  }
3114
0
  dns_dbiterator_destroy(&dbiterator);
3115
3116
0
  return (ok);
3117
0
}
3118
3119
static bool
3120
0
isspf(const dns_rdata_t *rdata) {
3121
0
  char buf[1024];
3122
0
  const unsigned char *data = rdata->data;
3123
0
  unsigned int rdl = rdata->length, i = 0, tl, len;
3124
3125
0
  while (rdl > 0U) {
3126
0
    len = tl = *data;
3127
0
    ++data;
3128
0
    --rdl;
3129
0
    INSIST(tl <= rdl);
3130
0
    if (len > sizeof(buf) - i - 1) {
3131
0
      len = sizeof(buf) - i - 1;
3132
0
    }
3133
0
    memmove(buf + i, data, len);
3134
0
    i += len;
3135
0
    data += tl;
3136
0
    rdl -= tl;
3137
0
  }
3138
3139
0
  if (i < 6U) {
3140
0
    return (false);
3141
0
  }
3142
3143
0
  buf[i] = 0;
3144
0
  if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' ')) {
3145
0
    return (true);
3146
0
  }
3147
0
  return (false);
3148
0
}
3149
3150
static bool
3151
0
integrity_checks(dns_zone_t *zone, dns_db_t *db) {
3152
0
  dns_dbiterator_t *dbiterator = NULL;
3153
0
  dns_dbnode_t *node = NULL;
3154
0
  dns_rdataset_t rdataset;
3155
0
  dns_fixedname_t fixed;
3156
0
  dns_fixedname_t fixedbottom;
3157
0
  dns_rdata_mx_t mx;
3158
0
  dns_rdata_ns_t ns;
3159
0
  dns_rdata_in_srv_t srv;
3160
0
  dns_rdata_t rdata;
3161
0
  dns_name_t *name;
3162
0
  dns_name_t *bottom;
3163
0
  isc_result_t result;
3164
0
  bool ok = true, have_spf, have_txt;
3165
0
  int level;
3166
0
  char namebuf[DNS_NAME_FORMATSIZE];
3167
3168
0
  name = dns_fixedname_initname(&fixed);
3169
0
  bottom = dns_fixedname_initname(&fixedbottom);
3170
0
  dns_rdataset_init(&rdataset);
3171
0
  dns_rdata_init(&rdata);
3172
3173
0
  result = dns_db_createiterator(db, 0, &dbiterator);
3174
0
  if (result != ISC_R_SUCCESS) {
3175
0
    return (true);
3176
0
  }
3177
3178
0
  result = dns_dbiterator_first(dbiterator);
3179
0
  while (result == ISC_R_SUCCESS) {
3180
0
    result = dns_dbiterator_current(dbiterator, &node, name);
3181
0
    if (result != ISC_R_SUCCESS) {
3182
0
      goto cleanup;
3183
0
    }
3184
3185
    /*
3186
     * Is this name visible in the zone?
3187
     */
3188
0
    if (!dns_name_issubdomain(name, &zone->origin) ||
3189
0
        (dns_name_countlabels(bottom) > 0 &&
3190
0
         dns_name_issubdomain(name, bottom)))
3191
0
    {
3192
0
      goto next;
3193
0
    }
3194
3195
0
    dns_dbiterator_pause(dbiterator);
3196
3197
    /*
3198
     * Don't check the NS records at the origin.
3199
     */
3200
0
    if (dns_name_equal(name, &zone->origin)) {
3201
0
      goto checkfords;
3202
0
    }
3203
3204
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
3205
0
               0, 0, &rdataset, NULL);
3206
0
    if (result != ISC_R_SUCCESS) {
3207
0
      goto checkfords;
3208
0
    }
3209
    /*
3210
     * Remember bottom of zone due to NS.
3211
     */
3212
0
    dns_name_copy(name, bottom);
3213
3214
0
    result = dns_rdataset_first(&rdataset);
3215
0
    while (result == ISC_R_SUCCESS) {
3216
0
      dns_rdataset_current(&rdataset, &rdata);
3217
0
      result = dns_rdata_tostruct(&rdata, &ns, NULL);
3218
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
3219
0
      if (!zone_check_glue(zone, db, &ns.name, name)) {
3220
0
        ok = false;
3221
0
      }
3222
0
      dns_rdata_reset(&rdata);
3223
0
      result = dns_rdataset_next(&rdataset);
3224
0
    }
3225
0
    dns_rdataset_disassociate(&rdataset);
3226
0
    goto next;
3227
3228
0
  checkfords:
3229
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
3230
0
               0, 0, &rdataset, NULL);
3231
0
    if (result != ISC_R_SUCCESS) {
3232
0
      goto checkfordname;
3233
0
    }
3234
0
    dns_rdataset_disassociate(&rdataset);
3235
3236
0
    if (zone->type == dns_zone_primary) {
3237
0
      level = ISC_LOG_ERROR;
3238
0
      ok = false;
3239
0
    } else {
3240
0
      level = ISC_LOG_WARNING;
3241
0
    }
3242
0
    dns_name_format(name, namebuf, sizeof(namebuf));
3243
0
    dns_zone_log(zone, level, "DS not at delegation point (%s)",
3244
0
           namebuf);
3245
3246
0
  checkfordname:
3247
0
    result = dns_db_findrdataset(db, node, NULL,
3248
0
               dns_rdatatype_dname, 0, 0,
3249
0
               &rdataset, NULL);
3250
0
    if (result == ISC_R_SUCCESS) {
3251
      /*
3252
       * Remember bottom of zone due to DNAME.
3253
       */
3254
0
      dns_name_copy(name, bottom);
3255
0
      dns_rdataset_disassociate(&rdataset);
3256
0
    }
3257
3258
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
3259
0
               0, 0, &rdataset, NULL);
3260
0
    if (result != ISC_R_SUCCESS) {
3261
0
      goto checksrv;
3262
0
    }
3263
0
    result = dns_rdataset_first(&rdataset);
3264
0
    while (result == ISC_R_SUCCESS) {
3265
0
      dns_rdataset_current(&rdataset, &rdata);
3266
0
      result = dns_rdata_tostruct(&rdata, &mx, NULL);
3267
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
3268
0
      if (!zone_check_mx(zone, db, &mx.mx, name)) {
3269
0
        ok = false;
3270
0
      }
3271
0
      dns_rdata_reset(&rdata);
3272
0
      result = dns_rdataset_next(&rdataset);
3273
0
    }
3274
0
    dns_rdataset_disassociate(&rdataset);
3275
3276
0
  checksrv:
3277
0
    if (zone->rdclass != dns_rdataclass_in) {
3278
0
      goto next;
3279
0
    }
3280
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
3281
0
               0, 0, &rdataset, NULL);
3282
0
    if (result != ISC_R_SUCCESS) {
3283
0
      goto checkspf;
3284
0
    }
3285
0
    result = dns_rdataset_first(&rdataset);
3286
0
    while (result == ISC_R_SUCCESS) {
3287
0
      dns_rdataset_current(&rdataset, &rdata);
3288
0
      result = dns_rdata_tostruct(&rdata, &srv, NULL);
3289
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
3290
0
      if (!zone_check_srv(zone, db, &srv.target, name)) {
3291
0
        ok = false;
3292
0
      }
3293
0
      dns_rdata_reset(&rdata);
3294
0
      result = dns_rdataset_next(&rdataset);
3295
0
    }
3296
0
    dns_rdataset_disassociate(&rdataset);
3297
3298
0
  checkspf:
3299
    /*
3300
     * Check if there is a type SPF record without an
3301
     * SPF-formatted type TXT record also being present.
3302
     */
3303
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) {
3304
0
      goto next;
3305
0
    }
3306
0
    if (zone->rdclass != dns_rdataclass_in) {
3307
0
      goto next;
3308
0
    }
3309
0
    have_spf = have_txt = false;
3310
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf,
3311
0
               0, 0, &rdataset, NULL);
3312
0
    if (result == ISC_R_SUCCESS) {
3313
0
      dns_rdataset_disassociate(&rdataset);
3314
0
      have_spf = true;
3315
0
    }
3316
0
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt,
3317
0
               0, 0, &rdataset, NULL);
3318
0
    if (result != ISC_R_SUCCESS) {
3319
0
      goto notxt;
3320
0
    }
3321
0
    result = dns_rdataset_first(&rdataset);
3322
0
    while (result == ISC_R_SUCCESS) {
3323
0
      dns_rdataset_current(&rdataset, &rdata);
3324
0
      have_txt = isspf(&rdata);
3325
0
      dns_rdata_reset(&rdata);
3326
0
      if (have_txt) {
3327
0
        break;
3328
0
      }
3329
0
      result = dns_rdataset_next(&rdataset);
3330
0
    }
3331
0
    dns_rdataset_disassociate(&rdataset);
3332
3333
0
  notxt:
3334
0
    if (have_spf && !have_txt) {
3335
0
      dns_name_format(name, namebuf, sizeof(namebuf));
3336
0
      dns_zone_log(zone, ISC_LOG_WARNING,
3337
0
             "'%s' found type "
3338
0
             "SPF record but no SPF TXT record found, "
3339
0
             "add matching type TXT record",
3340
0
             namebuf);
3341
0
    }
3342
3343
0
  next:
3344
0
    dns_db_detachnode(db, &node);
3345
0
    result = dns_dbiterator_next(dbiterator);
3346
0
  }
3347
3348
0
cleanup:
3349
0
  if (node != NULL) {
3350
0
    dns_db_detachnode(db, &node);
3351
0
  }
3352
0
  dns_dbiterator_destroy(&dbiterator);
3353
3354
0
  return (ok);
3355
0
}
3356
3357
/*
3358
 * OpenSSL verification of RSA keys with exponent 3 is known to be
3359
 * broken prior OpenSSL 0.9.8c/0.9.7k.  Look for such keys and warn
3360
 * if they are in use.
3361
 */
3362
static void
3363
2
zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
3364
2
  dns_dbnode_t *node = NULL;
3365
2
  dns_dbversion_t *version = NULL;
3366
2
  dns_rdata_dnskey_t dnskey;
3367
2
  dns_rdata_t rdata = DNS_RDATA_INIT;
3368
2
  dns_rdataset_t rdataset;
3369
2
  isc_result_t result;
3370
3371
2
  result = dns_db_findnode(db, &zone->origin, false, &node);
3372
2
  if (result != ISC_R_SUCCESS) {
3373
0
    goto cleanup;
3374
0
  }
3375
3376
2
  dns_db_currentversion(db, &version);
3377
2
  dns_rdataset_init(&rdataset);
3378
2
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
3379
2
             dns_rdatatype_none, 0, &rdataset, NULL);
3380
2
  if (result != ISC_R_SUCCESS) {
3381
2
    goto cleanup;
3382
2
  }
3383
3384
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
3385
0
       result = dns_rdataset_next(&rdataset))
3386
0
  {
3387
0
    dns_rdataset_current(&rdataset, &rdata);
3388
0
    result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
3389
0
    INSIST(result == ISC_R_SUCCESS);
3390
3391
    /*
3392
     * RFC 3110, section 4: Performance Considerations:
3393
     *
3394
     * A public exponent of 3 minimizes the effort needed to verify
3395
     * a signature.  Use of 3 as the public exponent is weak for
3396
     * confidentiality uses since, if the same data can be collected
3397
     * encrypted under three different keys with an exponent of 3
3398
     * then, using the Chinese Remainder Theorem [NETSEC], the
3399
     * original plain text can be easily recovered.  If a key is
3400
     * known to be used only for authentication, as is the case with
3401
     * DNSSEC, then an exponent of 3 is acceptable.  However other
3402
     * applications in the future may wish to leverage DNS
3403
     * distributed keys for applications that do require
3404
     * confidentiality.  For keys which might have such other uses,
3405
     * a more conservative choice would be 65537 (F4, the fourth
3406
     * fermat number).
3407
     */
3408
0
    if (dnskey.datalen > 1 && dnskey.data[0] == 1 &&
3409
0
        dnskey.data[1] == 3 &&
3410
0
        (dnskey.algorithm == DNS_KEYALG_RSAMD5 ||
3411
0
         dnskey.algorithm == DNS_KEYALG_RSASHA1 ||
3412
0
         dnskey.algorithm == DNS_KEYALG_NSEC3RSASHA1 ||
3413
0
         dnskey.algorithm == DNS_KEYALG_RSASHA256 ||
3414
0
         dnskey.algorithm == DNS_KEYALG_RSASHA512))
3415
0
    {
3416
0
      char algorithm[DNS_SECALG_FORMATSIZE];
3417
0
      isc_region_t r;
3418
3419
0
      dns_rdata_toregion(&rdata, &r);
3420
0
      dns_secalg_format(dnskey.algorithm, algorithm,
3421
0
            sizeof(algorithm));
3422
3423
0
      dnssec_log(zone, ISC_LOG_WARNING,
3424
0
           "weak %s (%u) key found (exponent=3, id=%u)",
3425
0
           algorithm, dnskey.algorithm,
3426
0
           dst_region_computeid(&r));
3427
0
    }
3428
0
    dns_rdata_reset(&rdata);
3429
0
  }
3430
0
  dns_rdataset_disassociate(&rdataset);
3431
3432
2
cleanup:
3433
2
  if (node != NULL) {
3434
2
    dns_db_detachnode(db, &node);
3435
2
  }
3436
2
  if (version != NULL) {
3437
2
    dns_db_closeversion(db, &version, false);
3438
2
  }
3439
2
}
3440
3441
static void
3442
0
resume_signingwithkey(dns_zone_t *zone) {
3443
0
  dns_dbnode_t *node = NULL;
3444
0
  dns_dbversion_t *version = NULL;
3445
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
3446
0
  dns_rdataset_t rdataset;
3447
0
  isc_result_t result;
3448
0
  dns_db_t *db = NULL;
3449
3450
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3451
0
  if (zone->db != NULL) {
3452
0
    dns_db_attach(zone->db, &db);
3453
0
  }
3454
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3455
0
  if (db == NULL) {
3456
0
    goto cleanup;
3457
0
  }
3458
3459
0
  result = dns_db_findnode(db, &zone->origin, false, &node);
3460
0
  if (result != ISC_R_SUCCESS) {
3461
0
    goto cleanup;
3462
0
  }
3463
3464
0
  dns_db_currentversion(db, &version);
3465
0
  dns_rdataset_init(&rdataset);
3466
0
  result = dns_db_findrdataset(db, node, version, zone->privatetype,
3467
0
             dns_rdatatype_none, 0, &rdataset, NULL);
3468
0
  if (result != ISC_R_SUCCESS) {
3469
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
3470
0
    goto cleanup;
3471
0
  }
3472
3473
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
3474
0
       result = dns_rdataset_next(&rdataset))
3475
0
  {
3476
0
    dns_rdataset_current(&rdataset, &rdata);
3477
0
    if (rdata.length != 5 || rdata.data[0] == 0 ||
3478
0
        rdata.data[4] != 0)
3479
0
    {
3480
0
      dns_rdata_reset(&rdata);
3481
0
      continue;
3482
0
    }
3483
3484
0
    result = zone_signwithkey(zone, rdata.data[0],
3485
0
            (rdata.data[1] << 8) | rdata.data[2],
3486
0
            rdata.data[3]);
3487
0
    if (result != ISC_R_SUCCESS) {
3488
0
      dnssec_log(zone, ISC_LOG_ERROR,
3489
0
           "zone_signwithkey failed: %s",
3490
0
           isc_result_totext(result));
3491
0
    }
3492
0
    dns_rdata_reset(&rdata);
3493
0
  }
3494
0
  dns_rdataset_disassociate(&rdataset);
3495
3496
0
cleanup:
3497
0
  if (db != NULL) {
3498
0
    if (node != NULL) {
3499
0
      dns_db_detachnode(db, &node);
3500
0
    }
3501
0
    if (version != NULL) {
3502
0
      dns_db_closeversion(db, &version, false);
3503
0
    }
3504
0
    dns_db_detach(&db);
3505
0
  }
3506
0
}
3507
3508
/*
3509
 * Initiate adding/removing NSEC3 records belonging to the chain defined by the
3510
 * supplied NSEC3PARAM RDATA.
3511
 *
3512
 * Zone must be locked by caller.
3513
 */
3514
static isc_result_t
3515
0
zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
3516
0
  dns_nsec3chain_t *nsec3chain, *current;
3517
0
  dns_dbversion_t *version = NULL;
3518
0
  bool nseconly = false, nsec3ok = false;
3519
0
  isc_result_t result;
3520
0
  isc_time_t now;
3521
0
  unsigned int options = 0;
3522
0
  char saltbuf[255 * 2 + 1];
3523
0
  char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
3524
0
  dns_db_t *db = NULL;
3525
3526
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3527
0
  if (zone->db != NULL) {
3528
0
    dns_db_attach(zone->db, &db);
3529
0
  }
3530
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3531
3532
0
  if (db == NULL) {
3533
0
    result = ISC_R_SUCCESS;
3534
0
    goto cleanup;
3535
0
  }
3536
3537
  /*
3538
   * If this zone is not NSEC3-capable, attempting to remove any NSEC3
3539
   * chain from it is pointless as it would not be possible for the
3540
   * latter to exist in the first place.
3541
   */
3542
0
  dns_db_currentversion(db, &version);
3543
0
  result = dns_nsec_nseconly(db, version, NULL, &nseconly);
3544
0
  nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
3545
0
  dns_db_closeversion(db, &version, false);
3546
0
  if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0) {
3547
0
    result = ISC_R_SUCCESS;
3548
0
    goto cleanup;
3549
0
  }
3550
3551
  /*
3552
   * Allocate and initialize structure preserving state of
3553
   * adding/removing records belonging to this NSEC3 chain between
3554
   * separate zone_nsec3chain() calls.
3555
   */
3556
0
  nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
3557
3558
0
  nsec3chain->magic = 0;
3559
0
  nsec3chain->done = false;
3560
0
  nsec3chain->db = NULL;
3561
0
  nsec3chain->dbiterator = NULL;
3562
0
  nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
3563
0
  nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
3564
0
  nsec3chain->nsec3param.hash = nsec3param->hash;
3565
0
  nsec3chain->nsec3param.iterations = nsec3param->iterations;
3566
0
  nsec3chain->nsec3param.flags = nsec3param->flags;
3567
0
  nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
3568
0
  memmove(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
3569
0
  nsec3chain->nsec3param.salt = nsec3chain->salt;
3570
0
  nsec3chain->seen_nsec = false;
3571
0
  nsec3chain->delete_nsec = false;
3572
0
  nsec3chain->save_delete_nsec = false;
3573
3574
  /*
3575
   * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
3576
   */
3577
0
  if (nsec3param->flags == 0) {
3578
0
    strlcpy(flags, "NONE", sizeof(flags));
3579
0
  } else {
3580
0
    flags[0] = '\0';
3581
0
    if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) {
3582
0
      strlcat(flags, "REMOVE", sizeof(flags));
3583
0
    }
3584
0
    if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) {
3585
0
      if (flags[0] == '\0') {
3586
0
        strlcpy(flags, "INITIAL", sizeof(flags));
3587
0
      } else {
3588
0
        strlcat(flags, "|INITIAL", sizeof(flags));
3589
0
      }
3590
0
    }
3591
0
    if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) {
3592
0
      if (flags[0] == '\0') {
3593
0
        strlcpy(flags, "CREATE", sizeof(flags));
3594
0
      } else {
3595
0
        strlcat(flags, "|CREATE", sizeof(flags));
3596
0
      }
3597
0
    }
3598
0
    if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) {
3599
0
      if (flags[0] == '\0') {
3600
0
        strlcpy(flags, "NONSEC", sizeof(flags));
3601
0
      } else {
3602
0
        strlcat(flags, "|NONSEC", sizeof(flags));
3603
0
      }
3604
0
    }
3605
0
    if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) {
3606
0
      if (flags[0] == '\0') {
3607
0
        strlcpy(flags, "OPTOUT", sizeof(flags));
3608
0
      } else {
3609
0
        strlcat(flags, "|OPTOUT", sizeof(flags));
3610
0
      }
3611
0
    }
3612
0
  }
3613
0
  result = dns_nsec3param_salttotext(nsec3param, saltbuf,
3614
0
             sizeof(saltbuf));
3615
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
3616
0
  dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
3617
0
       nsec3param->hash, flags, nsec3param->iterations, saltbuf);
3618
3619
  /*
3620
   * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
3621
   * currently being processed, interrupt its processing to avoid
3622
   * simultaneously adding and removing records for the same NSEC3 chain.
3623
   */
3624
0
  for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL;
3625
0
       current = ISC_LIST_NEXT(current, link))
3626
0
  {
3627
0
    if ((current->db == db) &&
3628
0
        (current->nsec3param.hash == nsec3param->hash) &&
3629
0
        (current->nsec3param.iterations ==
3630
0
         nsec3param->iterations) &&
3631
0
        (current->nsec3param.salt_length ==
3632
0
         nsec3param->salt_length) &&
3633
0
        memcmp(current->nsec3param.salt, nsec3param->salt,
3634
0
         nsec3param->salt_length) == 0)
3635
0
    {
3636
0
      current->done = true;
3637
0
    }
3638
0
  }
3639
3640
  /*
3641
   * Attach zone database to the structure initialized above and create
3642
   * an iterator for it with appropriate options in order to avoid
3643
   * creating NSEC3 records for NSEC3 records.
3644
   */
3645
0
  dns_db_attach(db, &nsec3chain->db);
3646
0
  if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) {
3647
0
    options = DNS_DB_NONSEC3;
3648
0
  }
3649
0
  result = dns_db_createiterator(nsec3chain->db, options,
3650
0
               &nsec3chain->dbiterator);
3651
0
  if (result == ISC_R_SUCCESS) {
3652
0
    result = dns_dbiterator_first(nsec3chain->dbiterator);
3653
0
  }
3654
0
  if (result == ISC_R_SUCCESS) {
3655
    /*
3656
     * Database iterator initialization succeeded.  We are now
3657
     * ready to kick off adding/removing records belonging to this
3658
     * NSEC3 chain.  Append the structure initialized above to the
3659
     * "nsec3chain" list for the zone and set the appropriate zone
3660
     * timer so that zone_nsec3chain() is called as soon as
3661
     * possible.
3662
     */
3663
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
3664
0
    ISC_LIST_INITANDAPPEND(zone->nsec3chain, nsec3chain, link);
3665
0
    nsec3chain = NULL;
3666
0
    if (isc_time_isepoch(&zone->nsec3chaintime)) {
3667
0
      now = isc_time_now();
3668
0
      zone->nsec3chaintime = now;
3669
0
      if (zone->loop != NULL) {
3670
0
        zone_settimer(zone, &now);
3671
0
      }
3672
0
    }
3673
0
  }
3674
3675
0
  if (nsec3chain != NULL) {
3676
0
    if (nsec3chain->db != NULL) {
3677
0
      dns_db_detach(&nsec3chain->db);
3678
0
    }
3679
0
    if (nsec3chain->dbiterator != NULL) {
3680
0
      dns_dbiterator_destroy(&nsec3chain->dbiterator);
3681
0
    }
3682
0
    isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
3683
0
  }
3684
3685
0
cleanup:
3686
0
  if (db != NULL) {
3687
0
    dns_db_detach(&db);
3688
0
  }
3689
0
  return (result);
3690
0
}
3691
3692
/*
3693
 * Find private-type records at the zone apex which signal that an NSEC3 chain
3694
 * should be added or removed.  For each such record, extract NSEC3PARAM RDATA
3695
 * and pass it to zone_addnsec3chain().
3696
 *
3697
 * Zone must be locked by caller.
3698
 */
3699
static void
3700
0
resume_addnsec3chain(dns_zone_t *zone) {
3701
0
  dns_dbnode_t *node = NULL;
3702
0
  dns_dbversion_t *version = NULL;
3703
0
  dns_rdataset_t rdataset;
3704
0
  isc_result_t result;
3705
0
  dns_rdata_nsec3param_t nsec3param;
3706
0
  bool nseconly = false, nsec3ok = false;
3707
0
  dns_db_t *db = NULL;
3708
3709
0
  INSIST(LOCKED_ZONE(zone));
3710
3711
0
  if (zone->privatetype == 0) {
3712
0
    return;
3713
0
  }
3714
3715
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3716
0
  if (zone->db != NULL) {
3717
0
    dns_db_attach(zone->db, &db);
3718
0
  }
3719
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3720
0
  if (db == NULL) {
3721
0
    goto cleanup;
3722
0
  }
3723
3724
0
  result = dns_db_findnode(db, &zone->origin, false, &node);
3725
0
  if (result != ISC_R_SUCCESS) {
3726
0
    goto cleanup;
3727
0
  }
3728
3729
0
  dns_db_currentversion(db, &version);
3730
3731
  /*
3732
   * In order to create NSEC3 chains we need the DNSKEY RRset at zone
3733
   * apex to exist and contain no keys using NSEC-only algorithms.
3734
   */
3735
0
  result = dns_nsec_nseconly(db, version, NULL, &nseconly);
3736
0
  nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
3737
3738
  /*
3739
   * Get the RRset containing all private-type records at the zone apex.
3740
   */
3741
0
  dns_rdataset_init(&rdataset);
3742
0
  result = dns_db_findrdataset(db, node, version, zone->privatetype,
3743
0
             dns_rdatatype_none, 0, &rdataset, NULL);
3744
0
  if (result != ISC_R_SUCCESS) {
3745
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
3746
0
    goto cleanup;
3747
0
  }
3748
3749
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
3750
0
       result = dns_rdataset_next(&rdataset))
3751
0
  {
3752
0
    unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3753
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
3754
0
    dns_rdata_t private = DNS_RDATA_INIT;
3755
3756
0
    dns_rdataset_current(&rdataset, &private);
3757
    /*
3758
     * Try extracting NSEC3PARAM RDATA from this private-type
3759
     * record.  Failure means this private-type record does not
3760
     * represent an NSEC3PARAM record, so skip it.
3761
     */
3762
0
    if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
3763
0
            sizeof(buf)))
3764
0
    {
3765
0
      continue;
3766
0
    }
3767
0
    result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
3768
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
3769
0
    if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
3770
0
        ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
3771
0
    {
3772
      /*
3773
       * Pass the NSEC3PARAM RDATA contained in this
3774
       * private-type record to zone_addnsec3chain() so that
3775
       * it can kick off adding or removing NSEC3 records.
3776
       */
3777
0
      result = zone_addnsec3chain(zone, &nsec3param);
3778
0
      if (result != ISC_R_SUCCESS) {
3779
0
        dnssec_log(zone, ISC_LOG_ERROR,
3780
0
             "zone_addnsec3chain failed: %s",
3781
0
             isc_result_totext(result));
3782
0
      }
3783
0
    }
3784
0
  }
3785
0
  dns_rdataset_disassociate(&rdataset);
3786
3787
0
cleanup:
3788
0
  if (db != NULL) {
3789
0
    if (node != NULL) {
3790
0
      dns_db_detachnode(db, &node);
3791
0
    }
3792
0
    if (version != NULL) {
3793
0
      dns_db_closeversion(db, &version, false);
3794
0
    }
3795
0
    dns_db_detach(&db);
3796
0
  }
3797
0
}
3798
3799
static void
3800
0
set_resigntime(dns_zone_t *zone) {
3801
0
  dns_fixedname_t fixed;
3802
0
  isc_stdtime_t resign;
3803
0
  isc_result_t result;
3804
0
  uint32_t nanosecs;
3805
0
  dns_db_t *db = NULL;
3806
0
  dns_typepair_t typepair;
3807
3808
0
  INSIST(LOCKED_ZONE(zone));
3809
3810
  /* We only re-sign zones that can be dynamically updated */
3811
0
  if (!dns_zone_isdynamic(zone, false)) {
3812
0
    return;
3813
0
  }
3814
3815
0
  if (inline_raw(zone)) {
3816
0
    return;
3817
0
  }
3818
3819
0
  dns_fixedname_init(&fixed);
3820
3821
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3822
0
  if (zone->db != NULL) {
3823
0
    dns_db_attach(zone->db, &db);
3824
0
  }
3825
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3826
0
  if (db == NULL) {
3827
0
    isc_time_settoepoch(&zone->resigntime);
3828
0
    return;
3829
0
  }
3830
3831
0
  result = dns_db_getsigningtime(db, &resign, dns_fixedname_name(&fixed),
3832
0
               &typepair);
3833
0
  if (result != ISC_R_SUCCESS) {
3834
0
    isc_time_settoepoch(&zone->resigntime);
3835
0
    goto cleanup;
3836
0
  }
3837
3838
0
  resign -= dns_zone_getsigresigninginterval(zone);
3839
0
  nanosecs = isc_random_uniform(1000000000);
3840
0
  isc_time_set(&zone->resigntime, resign, nanosecs);
3841
3842
0
cleanup:
3843
0
  dns_db_detach(&db);
3844
0
  return;
3845
0
}
3846
3847
static isc_result_t
3848
2
check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
3849
2
  bool ok = false;
3850
2
  dns_dbnode_t *node = NULL;
3851
2
  dns_dbversion_t *version = NULL;
3852
2
  dns_rdata_nsec3param_t nsec3param;
3853
2
  dns_rdataset_t rdataset;
3854
2
  isc_result_t result;
3855
2
  bool dynamic = (zone->type == dns_zone_primary)
3856
2
             ? dns_zone_isdynamic(zone, false)
3857
2
             : false;
3858
3859
2
  dns_rdataset_init(&rdataset);
3860
2
  result = dns_db_findnode(db, &zone->origin, false, &node);
3861
2
  if (result != ISC_R_SUCCESS) {
3862
0
    dns_zone_log(zone, ISC_LOG_ERROR,
3863
0
           "nsec3param lookup failure: %s",
3864
0
           isc_result_totext(result));
3865
0
    return (result);
3866
0
  }
3867
2
  dns_db_currentversion(db, &version);
3868
3869
2
  result = dns_db_findrdataset(db, node, version,
3870
2
             dns_rdatatype_nsec3param,
3871
2
             dns_rdatatype_none, 0, &rdataset, NULL);
3872
2
  if (result == ISC_R_NOTFOUND) {
3873
2
    INSIST(!dns_rdataset_isassociated(&rdataset));
3874
2
    result = ISC_R_SUCCESS;
3875
2
    goto cleanup;
3876
2
  }
3877
0
  if (result != ISC_R_SUCCESS) {
3878
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
3879
0
    dns_zone_log(zone, ISC_LOG_ERROR,
3880
0
           "nsec3param lookup failure: %s",
3881
0
           isc_result_totext(result));
3882
0
    goto cleanup;
3883
0
  }
3884
3885
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
3886
0
       result = dns_rdataset_next(&rdataset))
3887
0
  {
3888
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
3889
3890
0
    dns_rdataset_current(&rdataset, &rdata);
3891
0
    result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
3892
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
3893
3894
    /*
3895
     * For dynamic zones we must support every algorithm so we
3896
     * can regenerate all the NSEC3 chains.
3897
     * For non-dynamic zones we only need to find a supported
3898
     * algorithm.
3899
     */
3900
0
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
3901
0
        nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
3902
0
    {
3903
0
      dns_zone_log(zone, ISC_LOG_WARNING,
3904
0
             "nsec3 test \"unknown\" hash algorithm "
3905
0
             "found: %u",
3906
0
             nsec3param.hash);
3907
0
      ok = true;
3908
0
    } else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
3909
0
      if (dynamic) {
3910
0
        dns_zone_log(zone, ISC_LOG_ERROR,
3911
0
               "unsupported nsec3 hash algorithm"
3912
0
               " in dynamic zone: %u",
3913
0
               nsec3param.hash);
3914
0
        result = DNS_R_BADZONE;
3915
        /* Stop second error message. */
3916
0
        ok = true;
3917
0
        break;
3918
0
      } else {
3919
0
        dns_zone_log(zone, ISC_LOG_WARNING,
3920
0
               "unsupported nsec3 hash "
3921
0
               "algorithm: %u",
3922
0
               nsec3param.hash);
3923
0
      }
3924
0
    } else {
3925
0
      ok = true;
3926
0
    }
3927
3928
    /*
3929
     * Warn if the zone has excessive NSEC3 iterations.
3930
     */
3931
0
    if (nsec3param.iterations > dns_nsec3_maxiterations()) {
3932
0
      dnssec_log(zone, ISC_LOG_WARNING,
3933
0
           "excessive NSEC3PARAM iterations %u > %u",
3934
0
           nsec3param.iterations,
3935
0
           dns_nsec3_maxiterations());
3936
0
    }
3937
0
  }
3938
0
  if (result == ISC_R_NOMORE) {
3939
0
    result = ISC_R_SUCCESS;
3940
0
  }
3941
3942
0
  if (!ok) {
3943
0
    result = DNS_R_BADZONE;
3944
0
    dns_zone_log(zone, ISC_LOG_ERROR,
3945
0
           "no supported nsec3 hash algorithm");
3946
0
  }
3947
3948
2
cleanup:
3949
2
  if (dns_rdataset_isassociated(&rdataset)) {
3950
0
    dns_rdataset_disassociate(&rdataset);
3951
0
  }
3952
2
  dns_db_closeversion(db, &version, false);
3953
2
  dns_db_detachnode(db, &node);
3954
2
  return (result);
3955
0
}
3956
3957
/*
3958
 * Set the timer for refreshing the key zone to the soonest future time
3959
 * of the set (current timer, keydata->refresh, keydata->addhd,
3960
 * keydata->removehd).
3961
 */
3962
static void
3963
set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
3964
0
        isc_stdtime_t now, bool force) {
3965
0
  isc_stdtime_t then;
3966
0
  isc_time_t timenow, timethen;
3967
0
  char timebuf[80];
3968
3969
0
  ENTER;
3970
0
  then = key->refresh;
3971
0
  if (force) {
3972
0
    then = now;
3973
0
  }
3974
0
  if (key->addhd > now && key->addhd < then) {
3975
0
    then = key->addhd;
3976
0
  }
3977
0
  if (key->removehd > now && key->removehd < then) {
3978
0
    then = key->removehd;
3979
0
  }
3980
3981
0
  timenow = isc_time_now();
3982
0
  if (then > now) {
3983
0
    DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
3984
0
  } else {
3985
0
    timethen = timenow;
3986
0
  }
3987
0
  if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
3988
0
      isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
3989
0
  {
3990
0
    zone->refreshkeytime = timethen;
3991
0
  }
3992
3993
0
  isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
3994
0
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
3995
0
  zone_settimer(zone, &timenow);
3996
0
}
3997
3998
/*
3999
 * If keynode references a key or a DS rdataset, and if the key
4000
 * zone does not contain a KEYDATA record for the corresponding name,
4001
 * then create an empty KEYDATA and push it into the zone as a placeholder,
4002
 * then schedule a key refresh immediately. This new KEYDATA record will be
4003
 * updated during the refresh.
4004
 *
4005
 * If the key zone is changed, set '*changed' to true.
4006
 */
4007
static isc_result_t
4008
create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
4009
         dns_diff_t *diff, dns_keynode_t *keynode, dns_name_t *keyname,
4010
0
         bool *changed) {
4011
0
  isc_result_t result = ISC_R_SUCCESS;
4012
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4013
0
  dns_rdata_keydata_t kd;
4014
0
  unsigned char rrdata[4096];
4015
0
  isc_buffer_t rrdatabuf;
4016
0
  isc_stdtime_t now = isc_stdtime_now();
4017
4018
0
  REQUIRE(keynode != NULL);
4019
4020
0
  ENTER;
4021
4022
  /*
4023
   * If the keynode has no trust anchor set, we shouldn't be here.
4024
   */
4025
0
  if (!dns_keynode_dsset(keynode, NULL)) {
4026
0
    return (ISC_R_FAILURE);
4027
0
  }
4028
4029
0
  memset(&kd, 0, sizeof(kd));
4030
0
  kd.common.rdclass = zone->rdclass;
4031
0
  kd.common.rdtype = dns_rdatatype_keydata;
4032
0
  ISC_LINK_INIT(&kd.common, link);
4033
4034
0
  isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
4035
4036
0
  CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, dns_rdatatype_keydata,
4037
0
           &kd, &rrdatabuf));
4038
  /* Add rdata to zone. */
4039
0
  CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, keyname, 0, &rdata));
4040
0
  *changed = true;
4041
4042
  /* Refresh new keys from the zone apex as soon as possible. */
4043
0
  set_refreshkeytimer(zone, &kd, now, true);
4044
0
  return (ISC_R_SUCCESS);
4045
4046
0
failure:
4047
0
  return (result);
4048
0
}
4049
4050
/*
4051
 * Remove from the key zone all the KEYDATA records found in rdataset.
4052
 */
4053
static isc_result_t
4054
delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
4055
0
         dns_name_t *name, dns_rdataset_t *rdataset) {
4056
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4057
0
  isc_result_t result, uresult;
4058
4059
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
4060
0
       result = dns_rdataset_next(rdataset))
4061
0
  {
4062
0
    dns_rdata_reset(&rdata);
4063
0
    dns_rdataset_current(rdataset, &rdata);
4064
0
    uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, 0,
4065
0
          &rdata);
4066
0
    if (uresult != ISC_R_SUCCESS) {
4067
0
      return (uresult);
4068
0
    }
4069
0
  }
4070
0
  if (result == ISC_R_NOMORE) {
4071
0
    result = ISC_R_SUCCESS;
4072
0
  }
4073
0
  return (result);
4074
0
}
4075
4076
/*
4077
 * Compute the DNSSEC key ID for a DNSKEY record.
4078
 */
4079
static isc_result_t
4080
compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
4081
0
      dns_keytag_t *tag) {
4082
0
  isc_result_t result;
4083
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4084
0
  unsigned char data[4096];
4085
0
  isc_buffer_t buffer;
4086
0
  dst_key_t *dstkey = NULL;
4087
4088
0
  isc_buffer_init(&buffer, data, sizeof(data));
4089
0
  dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
4090
0
           dns_rdatatype_dnskey, dnskey, &buffer);
4091
4092
0
  result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
4093
0
  if (result == ISC_R_SUCCESS) {
4094
0
    *tag = dst_key_id(dstkey);
4095
0
    dst_key_free(&dstkey);
4096
0
  }
4097
4098
0
  return (result);
4099
0
}
4100
4101
/*
4102
 * Synth-from-dnssec callbacks to add/delete names from namespace tree.
4103
 */
4104
static void
4105
0
sfd_add(const dns_name_t *name, void *arg) {
4106
0
  if (arg != NULL) {
4107
0
    dns_view_sfd_add(arg, name);
4108
0
  }
4109
0
}
4110
4111
static void
4112
0
sfd_del(const dns_name_t *name, void *arg) {
4113
0
  if (arg != NULL) {
4114
0
    dns_view_sfd_del(arg, name);
4115
0
  }
4116
0
}
4117
4118
/*
4119
 * Add key to the security roots.
4120
 */
4121
static void
4122
trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey,
4123
0
    bool initial) {
4124
0
  isc_result_t result;
4125
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4126
0
  unsigned char data[4096], digest[ISC_MAX_MD_SIZE];
4127
0
  isc_buffer_t buffer;
4128
0
  dns_keytable_t *sr = NULL;
4129
0
  dns_rdata_ds_t ds;
4130
4131
0
  result = dns_view_getsecroots(zone->view, &sr);
4132
0
  if (result != ISC_R_SUCCESS) {
4133
0
    return;
4134
0
  }
4135
4136
  /* Build DS record for key. */
4137
0
  isc_buffer_init(&buffer, data, sizeof(data));
4138
0
  dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
4139
0
           dns_rdatatype_dnskey, dnskey, &buffer);
4140
0
  CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest,
4141
0
          &ds));
4142
0
  CHECK(dns_keytable_add(sr, true, initial, keyname, &ds, sfd_add,
4143
0
             zone->view));
4144
4145
0
  dns_keytable_detach(&sr);
4146
4147
0
failure:
4148
0
  if (sr != NULL) {
4149
0
    dns_keytable_detach(&sr);
4150
0
  }
4151
0
  return;
4152
0
}
4153
4154
/*
4155
 * Add a null key to the security roots for so that all queries
4156
 * to the zone will fail.
4157
 */
4158
static void
4159
0
fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
4160
0
  isc_result_t result;
4161
0
  dns_keytable_t *sr = NULL;
4162
4163
0
  result = dns_view_getsecroots(zone->view, &sr);
4164
0
  if (result == ISC_R_SUCCESS) {
4165
0
    dns_keytable_marksecure(sr, keyname);
4166
0
    dns_keytable_detach(&sr);
4167
0
  }
4168
0
}
4169
4170
/*
4171
 * Scan a set of KEYDATA records from the key zone.  The ones that are
4172
 * valid (i.e., the add holddown timer has expired) become trusted keys.
4173
 */
4174
static void
4175
0
load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
4176
0
  isc_result_t result;
4177
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4178
0
  dns_rdata_keydata_t keydata;
4179
0
  dns_rdata_dnskey_t dnskey;
4180
0
  int trusted = 0, revoked = 0, pending = 0;
4181
0
  isc_stdtime_t now = isc_stdtime_now();
4182
0
  dns_keytable_t *sr = NULL;
4183
4184
0
  result = dns_view_getsecroots(zone->view, &sr);
4185
0
  if (result == ISC_R_SUCCESS) {
4186
0
    dns_keytable_delete(sr, name, sfd_del, zone->view);
4187
0
    dns_keytable_detach(&sr);
4188
0
  }
4189
4190
  /* Now insert all the accepted trust anchors from this keydata set. */
4191
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
4192
0
       result = dns_rdataset_next(rdataset))
4193
0
  {
4194
0
    dns_rdata_reset(&rdata);
4195
0
    dns_rdataset_current(rdataset, &rdata);
4196
4197
    /* Convert rdata to keydata. */
4198
0
    result = dns_rdata_tostruct(&rdata, &keydata, NULL);
4199
0
    if (result == ISC_R_NOTIMPLEMENTED) {
4200
0
      continue;
4201
0
    }
4202
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
4203
4204
    /* Set the key refresh timer to force a fast refresh. */
4205
0
    set_refreshkeytimer(zone, &keydata, now, true);
4206
4207
    /* If the removal timer is nonzero, this key was revoked. */
4208
0
    if (keydata.removehd != 0) {
4209
0
      revoked++;
4210
0
      continue;
4211
0
    }
4212
4213
    /*
4214
     * If the add timer is still pending, this key is not
4215
     * trusted yet.
4216
     */
4217
0
    if (now < keydata.addhd) {
4218
0
      pending++;
4219
0
      continue;
4220
0
    }
4221
4222
    /* Convert keydata to dnskey. */
4223
0
    dns_keydata_todnskey(&keydata, &dnskey, NULL);
4224
4225
    /* Add to keytables. */
4226
0
    trusted++;
4227
0
    trust_key(zone, name, &dnskey, (keydata.addhd == 0));
4228
0
  }
4229
4230
0
  if (trusted == 0 && pending != 0) {
4231
0
    char namebuf[DNS_NAME_FORMATSIZE];
4232
0
    dns_name_format(name, namebuf, sizeof namebuf);
4233
0
    dnssec_log(zone, ISC_LOG_ERROR,
4234
0
         "No valid trust anchors for '%s'!", namebuf);
4235
0
    dnssec_log(zone, ISC_LOG_ERROR,
4236
0
         "%d key(s) revoked, %d still pending", revoked,
4237
0
         pending);
4238
0
    dnssec_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail",
4239
0
         namebuf);
4240
0
    fail_secure(zone, name);
4241
0
  }
4242
0
}
4243
4244
static isc_result_t
4245
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
4246
0
       dns_diff_t *diff) {
4247
0
  dns_diff_t temp_diff;
4248
0
  isc_result_t result;
4249
4250
  /*
4251
   * Create a singleton diff.
4252
   */
4253
0
  dns_diff_init(diff->mctx, &temp_diff);
4254
0
  ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
4255
4256
  /*
4257
   * Apply it to the database.
4258
   */
4259
0
  result = dns_diff_apply(&temp_diff, db, ver);
4260
0
  ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
4261
0
  if (result != ISC_R_SUCCESS) {
4262
0
    dns_difftuple_free(tuple);
4263
0
    return (result);
4264
0
  }
4265
4266
  /*
4267
   * Merge it into the current pending journal entry.
4268
   */
4269
0
  dns_diff_appendminimal(diff, tuple);
4270
4271
  /*
4272
   * Do not clear temp_diff.
4273
   */
4274
0
  return (ISC_R_SUCCESS);
4275
0
}
4276
4277
static isc_result_t
4278
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
4279
        dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
4280
0
        dns_rdata_t *rdata) {
4281
0
  dns_difftuple_t *tuple = NULL;
4282
0
  isc_result_t result;
4283
0
  result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple);
4284
0
  if (result != ISC_R_SUCCESS) {
4285
0
    return (result);
4286
0
  }
4287
0
  return (do_one_tuple(&tuple, db, ver, diff));
4288
0
}
4289
4290
static isc_result_t
4291
update_soa_serial(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
4292
      dns_diff_t *diff, isc_mem_t *mctx,
4293
0
      dns_updatemethod_t method) {
4294
0
  dns_difftuple_t *deltuple = NULL;
4295
0
  dns_difftuple_t *addtuple = NULL;
4296
0
  uint32_t serial;
4297
0
  isc_result_t result;
4298
0
  dns_updatemethod_t used = dns_updatemethod_none;
4299
4300
0
  INSIST(method != dns_updatemethod_none);
4301
4302
0
  CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
4303
0
  CHECK(dns_difftuple_copy(deltuple, &addtuple));
4304
0
  addtuple->op = DNS_DIFFOP_ADD;
4305
4306
0
  serial = dns_soa_getserial(&addtuple->rdata);
4307
0
  serial = dns_update_soaserial(serial, method, &used);
4308
0
  if (method != used) {
4309
0
    dns_zone_log(zone, ISC_LOG_WARNING,
4310
0
           "update_soa_serial:new serial would be lower than "
4311
0
           "old serial, using increment method instead");
4312
0
  }
4313
0
  dns_soa_setserial(serial, &addtuple->rdata);
4314
0
  CHECK(do_one_tuple(&deltuple, db, ver, diff));
4315
0
  CHECK(do_one_tuple(&addtuple, db, ver, diff));
4316
0
  result = ISC_R_SUCCESS;
4317
4318
0
failure:
4319
0
  if (addtuple != NULL) {
4320
0
    dns_difftuple_free(&addtuple);
4321
0
  }
4322
0
  if (deltuple != NULL) {
4323
0
    dns_difftuple_free(&deltuple);
4324
0
  }
4325
0
  return (result);
4326
0
}
4327
4328
/*
4329
 * Write all transactions in 'diff' to the zone journal file.
4330
 */
4331
static isc_result_t
4332
zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial,
4333
0
       const char *caller) {
4334
0
  const char *journalfile;
4335
0
  isc_result_t result = ISC_R_SUCCESS;
4336
0
  dns_journal_t *journal = NULL;
4337
0
  unsigned int mode = DNS_JOURNAL_CREATE | DNS_JOURNAL_WRITE;
4338
4339
0
  ENTER;
4340
0
  journalfile = dns_zone_getjournal(zone);
4341
0
  if (journalfile != NULL) {
4342
0
    result = dns_journal_open(zone->mctx, journalfile, mode,
4343
0
            &journal);
4344
0
    if (result != ISC_R_SUCCESS) {
4345
0
      dns_zone_log(zone, ISC_LOG_ERROR,
4346
0
             "%s:dns_journal_open -> %s", caller,
4347
0
             isc_result_totext(result));
4348
0
      return (result);
4349
0
    }
4350
4351
0
    if (sourceserial != NULL) {
4352
0
      dns_journal_set_sourceserial(journal, *sourceserial);
4353
0
    }
4354
4355
0
    result = dns_journal_write_transaction(journal, diff);
4356
0
    if (result != ISC_R_SUCCESS) {
4357
0
      dns_zone_log(zone, ISC_LOG_ERROR,
4358
0
             "%s:dns_journal_write_transaction -> %s",
4359
0
             caller, isc_result_totext(result));
4360
0
    }
4361
0
    dns_journal_destroy(&journal);
4362
0
  }
4363
4364
0
  return (result);
4365
0
}
4366
4367
/*
4368
 * Create an SOA record for a newly-created zone
4369
 */
4370
static isc_result_t
4371
0
add_soa(dns_zone_t *zone, dns_db_t *db) {
4372
0
  isc_result_t result;
4373
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
4374
0
  unsigned char buf[DNS_SOA_BUFFERSIZE];
4375
0
  dns_dbversion_t *ver = NULL;
4376
0
  dns_diff_t diff;
4377
4378
0
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
4379
4380
0
  dns_diff_init(zone->mctx, &diff);
4381
0
  result = dns_db_newversion(db, &ver);
4382
0
  if (result != ISC_R_SUCCESS) {
4383
0
    dns_zone_log(zone, ISC_LOG_ERROR,
4384
0
           "add_soa:dns_db_newversion -> %s",
4385
0
           isc_result_totext(result));
4386
0
    goto failure;
4387
0
  }
4388
4389
  /* Build SOA record */
4390
0
  result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
4391
0
            0, 0, 0, 0, 0, buf, &rdata);
4392
0
  if (result != ISC_R_SUCCESS) {
4393
0
    dns_zone_log(zone, ISC_LOG_ERROR,
4394
0
           "add_soa:dns_soa_buildrdata -> %s",
4395
0
           isc_result_totext(result));
4396
0
    goto failure;
4397
0
  }
4398
4399
0
  result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD, &zone->origin, 0,
4400
0
             &rdata);
4401
4402
0
failure:
4403
0
  dns_diff_clear(&diff);
4404
0
  if (ver != NULL) {
4405
0
    dns_db_closeversion(db, &ver, (result == ISC_R_SUCCESS));
4406
0
  }
4407
4408
0
  INSIST(ver == NULL);
4409
4410
0
  return (result);
4411
0
}
4412
4413
struct addifmissing_arg {
4414
  dns_db_t *db;
4415
  dns_dbversion_t *ver;
4416
  dns_diff_t *diff;
4417
  dns_zone_t *zone;
4418
  bool *changed;
4419
  isc_result_t result;
4420
};
4421
4422
static void
4423
addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
4424
0
       dns_name_t *keyname, void *arg) {
4425
0
  dns_db_t *db = ((struct addifmissing_arg *)arg)->db;
4426
0
  dns_dbversion_t *ver = ((struct addifmissing_arg *)arg)->ver;
4427
0
  dns_diff_t *diff = ((struct addifmissing_arg *)arg)->diff;
4428
0
  dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone;
4429
0
  bool *changed = ((struct addifmissing_arg *)arg)->changed;
4430
0
  isc_result_t result;
4431
0
  dns_fixedname_t fname;
4432
4433
0
  UNUSED(keytable);
4434
4435
0
  if (((struct addifmissing_arg *)arg)->result != ISC_R_SUCCESS) {
4436
0
    return;
4437
0
  }
4438
4439
0
  if (!dns_keynode_managed(keynode)) {
4440
0
    return;
4441
0
  }
4442
4443
  /*
4444
   * If the keynode has no trust anchor set, return.
4445
   */
4446
0
  if (!dns_keynode_dsset(keynode, NULL)) {
4447
0
    return;
4448
0
  }
4449
4450
  /*
4451
   * Check whether there's already a KEYDATA entry for this name;
4452
   * if so, we don't need to add another.
4453
   */
4454
0
  dns_fixedname_init(&fname);
4455
0
  result = dns_db_find(db, keyname, ver, dns_rdatatype_keydata,
4456
0
           DNS_DBFIND_NOWILD, 0, NULL,
4457
0
           dns_fixedname_name(&fname), NULL, NULL);
4458
0
  if (result == ISC_R_SUCCESS) {
4459
0
    return;
4460
0
  }
4461
4462
  /*
4463
   * Create the keydata.
4464
   */
4465
0
  result = create_keydata(zone, db, ver, diff, keynode, keyname, changed);
4466
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
4467
0
    ((struct addifmissing_arg *)arg)->result = result;
4468
0
  }
4469
0
}
4470
4471
/*
4472
 * Synchronize the set of initializing keys found in managed-keys {}
4473
 * statements with the set of trust anchors found in the managed-keys.bind
4474
 * zone.  If a domain is no longer named in managed-keys, delete all keys
4475
 * from that domain from the key zone.  If a domain is configured as an
4476
 * initial-key in trust-anchors, but there are no references to it in the
4477
 * key zone, load the key zone with the initializing key(s) for that
4478
 * domain and schedule a key refresh. If a domain is configured as
4479
 * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key
4480
 * zone with the matching key, and schedule a key refresh.
4481
 */
4482
static isc_result_t
4483
0
sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
4484
0
  isc_result_t result = ISC_R_SUCCESS;
4485
0
  bool changed = false;
4486
0
  bool commit = false;
4487
0
  dns_keynode_t *keynode = NULL;
4488
0
  dns_view_t *view = zone->view;
4489
0
  dns_keytable_t *sr = NULL;
4490
0
  dns_dbversion_t *ver = NULL;
4491
0
  dns_diff_t diff;
4492
0
  dns_rriterator_t rrit;
4493
0
  struct addifmissing_arg arg;
4494
4495
0
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
4496
4497
0
  dns_diff_init(zone->mctx, &diff);
4498
4499
0
  CHECK(dns_view_getsecroots(view, &sr));
4500
4501
0
  result = dns_db_newversion(db, &ver);
4502
0
  if (result != ISC_R_SUCCESS) {
4503
0
    dnssec_log(zone, ISC_LOG_ERROR,
4504
0
         "sync_keyzone:dns_db_newversion -> %s",
4505
0
         isc_result_totext(result));
4506
0
    goto failure;
4507
0
  }
4508
4509
  /*
4510
   * Walk the zone DB.  If we find any keys whose names are no longer
4511
   * in trust-anchors, or which have been changed from initial to static,
4512
   * (meaning they are permanent and not RFC5011-maintained), delete
4513
   * them from the zone.  Otherwise call load_secroots(), which
4514
   * loads keys into secroots as appropriate.
4515
   */
4516
0
  dns_rriterator_init(&rrit, db, ver, 0);
4517
0
  for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
4518
0
       result = dns_rriterator_nextrrset(&rrit))
4519
0
  {
4520
0
    dns_rdataset_t *rdataset = NULL;
4521
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
4522
0
    dns_rdata_keydata_t keydata;
4523
0
    isc_stdtime_t now = isc_stdtime_now();
4524
0
    bool load = true;
4525
0
    dns_name_t *rrname = NULL;
4526
0
    uint32_t ttl;
4527
4528
0
    dns_rriterator_current(&rrit, &rrname, &ttl, &rdataset, NULL);
4529
0
    if (!dns_rdataset_isassociated(rdataset)) {
4530
0
      dns_rriterator_destroy(&rrit);
4531
0
      goto failure;
4532
0
    }
4533
4534
0
    if (rdataset->type != dns_rdatatype_keydata) {
4535
0
      continue;
4536
0
    }
4537
4538
    /*
4539
     * The managed-keys zone can contain a placeholder instead of
4540
     * legitimate data, in which case we will not use it, and we
4541
     * will try to refresh it.
4542
     */
4543
0
    for (result = dns_rdataset_first(rdataset);
4544
0
         result == ISC_R_SUCCESS;
4545
0
         result = dns_rdataset_next(rdataset))
4546
0
    {
4547
0
      isc_result_t iresult;
4548
4549
0
      dns_rdata_reset(&rdata);
4550
0
      dns_rdataset_current(rdataset, &rdata);
4551
4552
0
      iresult = dns_rdata_tostruct(&rdata, &keydata, NULL);
4553
      /* Do we have a valid placeholder KEYDATA record? */
4554
0
      if (iresult == ISC_R_SUCCESS && keydata.flags == 0 &&
4555
0
          keydata.protocol == 0 && keydata.algorithm == 0)
4556
0
      {
4557
0
        set_refreshkeytimer(zone, &keydata, now, true);
4558
0
        load = false;
4559
0
      }
4560
0
    }
4561
4562
    /*
4563
     * Release db wrlock to prevent LOR reports against
4564
     * dns_keytable_forall() call below.
4565
     */
4566
0
    dns_rriterator_pause(&rrit);
4567
0
    result = dns_keytable_find(sr, rrname, &keynode);
4568
0
    if (result != ISC_R_SUCCESS || !dns_keynode_managed(keynode)) {
4569
0
      CHECK(delete_keydata(db, ver, &diff, rrname, rdataset));
4570
0
      changed = true;
4571
0
    } else if (load) {
4572
0
      load_secroots(zone, rrname, rdataset);
4573
0
    }
4574
4575
0
    if (keynode != NULL) {
4576
0
      dns_keynode_detach(&keynode);
4577
0
    }
4578
0
  }
4579
0
  dns_rriterator_destroy(&rrit);
4580
4581
  /*
4582
   * Walk secroots to find any initial keys that aren't in
4583
   * the zone.  If we find any, add them to the zone directly.
4584
   * If any DS-style initial keys are found, refresh the key
4585
   * zone so that they'll be looked up.
4586
   */
4587
0
  arg.db = db;
4588
0
  arg.ver = ver;
4589
0
  arg.result = ISC_R_SUCCESS;
4590
0
  arg.diff = &diff;
4591
0
  arg.zone = zone;
4592
0
  arg.changed = &changed;
4593
0
  dns_keytable_forall(sr, addifmissing, &arg);
4594
0
  result = arg.result;
4595
0
  if (changed) {
4596
    /* Write changes to journal file. */
4597
0
    CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
4598
0
          zone->updatemethod));
4599
0
    CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
4600
4601
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
4602
0
    zone_needdump(zone, 30);
4603
0
    commit = true;
4604
0
  }
4605
4606
0
failure:
4607
0
  if (result != ISC_R_SUCCESS) {
4608
0
    dnssec_log(zone, ISC_LOG_ERROR,
4609
0
         "unable to synchronize managed keys: %s",
4610
0
         isc_result_totext(result));
4611
0
    isc_time_settoepoch(&zone->refreshkeytime);
4612
0
  }
4613
0
  if (keynode != NULL) {
4614
0
    dns_keynode_detach(&keynode);
4615
0
  }
4616
0
  if (sr != NULL) {
4617
0
    dns_keytable_detach(&sr);
4618
0
  }
4619
0
  if (ver != NULL) {
4620
0
    dns_db_closeversion(db, &ver, commit);
4621
0
  }
4622
0
  dns_diff_clear(&diff);
4623
4624
0
  INSIST(ver == NULL);
4625
4626
0
  return (result);
4627
0
}
4628
4629
isc_result_t
4630
0
dns_zone_synckeyzone(dns_zone_t *zone) {
4631
0
  isc_result_t result;
4632
0
  dns_db_t *db = NULL;
4633
4634
0
  if (zone->type != dns_zone_key) {
4635
0
    return (DNS_R_BADZONE);
4636
0
  }
4637
4638
0
  CHECK(dns_zone_getdb(zone, &db));
4639
4640
0
  LOCK_ZONE(zone);
4641
0
  result = sync_keyzone(zone, db);
4642
0
  UNLOCK_ZONE(zone);
4643
4644
0
failure:
4645
0
  if (db != NULL) {
4646
0
    dns_db_detach(&db);
4647
0
  }
4648
0
  return (result);
4649
0
}
4650
4651
static void
4652
0
maybe_send_secure(dns_zone_t *zone) {
4653
0
  isc_result_t result;
4654
4655
  /*
4656
   * We've finished loading, or else failed to load, an inline-signing
4657
   * 'secure' zone.  We now need information about the status of the
4658
   * 'raw' zone.  If we failed to load, then we need it to send a
4659
   * copy of its database; if we succeeded, we need it to send its
4660
   * serial number so that we can sync with it.  If it has not yet
4661
   * loaded, we set a flag so that it will send the necessary
4662
   * information when it has finished loading.
4663
   */
4664
0
  if (zone->raw->db != NULL) {
4665
0
    if (zone->db != NULL) {
4666
0
      uint32_t serial;
4667
0
      unsigned int soacount;
4668
4669
0
      result = zone_get_from_db(
4670
0
        zone->raw, zone->raw->db, NULL, &soacount, NULL,
4671
0
        &serial, NULL, NULL, NULL, NULL, NULL);
4672
0
      if (result == ISC_R_SUCCESS && soacount > 0U) {
4673
0
        zone_send_secureserial(zone->raw, serial);
4674
0
      }
4675
0
    } else {
4676
0
      zone_send_securedb(zone->raw, zone->raw->db);
4677
0
    }
4678
0
  } else {
4679
0
    DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
4680
0
  }
4681
0
}
4682
4683
static bool
4684
0
zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) {
4685
0
  isc_result_t result;
4686
0
  bool answer = false;
4687
0
  dns_diff_t diff;
4688
4689
0
  dns_diff_init(mctx, &diff);
4690
0
  result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL);
4691
0
  if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples)) {
4692
0
    answer = true;
4693
0
  }
4694
0
  dns_diff_clear(&diff);
4695
0
  return (answer);
4696
0
}
4697
4698
static void
4699
0
process_zone_setnsec3param(dns_zone_t *zone) {
4700
0
  struct np3 *npe = NULL;
4701
0
  while ((npe = ISC_LIST_HEAD(zone->setnsec3param_queue)) != NULL) {
4702
0
    ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
4703
0
    zone_iattach(zone, &npe->zone);
4704
0
    isc_async_run(zone->loop, setnsec3param, npe);
4705
0
  }
4706
0
}
4707
4708
/*
4709
 * The zone is presumed to be locked.
4710
 * If this is a inline_raw zone the secure version is also locked.
4711
 */
4712
static isc_result_t
4713
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
4714
2
        isc_result_t result) {
4715
2
  unsigned int soacount = 0;
4716
2
  unsigned int nscount = 0;
4717
2
  unsigned int errors = 0;
4718
2
  uint32_t serial, oldserial, refresh, retry, expire, minimum, soattl;
4719
2
  isc_time_t now;
4720
2
  bool needdump = false;
4721
2
  bool fixjournal = false;
4722
2
  bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4723
2
  bool noprimary = false;
4724
2
  bool had_db = false;
4725
2
  dns_include_t *inc;
4726
2
  bool is_dynamic = false;
4727
4728
2
  INSIST(LOCKED_ZONE(zone));
4729
2
  if (inline_raw(zone)) {
4730
0
    INSIST(LOCKED_ZONE(zone->secure));
4731
0
  }
4732
4733
2
  now = isc_time_now();
4734
4735
  /*
4736
   * Initiate zone transfer?  We may need a error code that
4737
   * indicates that the "permanent" form does not exist.
4738
   * XXX better error feedback to log.
4739
   */
4740
2
  if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
4741
0
    if (zone->type == dns_zone_secondary ||
4742
0
        zone->type == dns_zone_mirror ||
4743
0
        zone->type == dns_zone_stub ||
4744
0
        (zone->type == dns_zone_redirect &&
4745
0
         dns_remote_addresses(&zone->primaries) == NULL))
4746
0
    {
4747
0
      if (result == ISC_R_FILENOTFOUND) {
4748
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4749
0
                ISC_LOG_DEBUG(1),
4750
0
                "no master file");
4751
0
      } else if (result != DNS_R_NOMASTERFILE) {
4752
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4753
0
                ISC_LOG_ERROR,
4754
0
                "loading from master file %s "
4755
0
                "failed: %s",
4756
0
                zone->masterfile,
4757
0
                isc_result_totext(result));
4758
0
      }
4759
0
    } else if (zone->type == dns_zone_primary &&
4760
0
         inline_secure(zone) && result == ISC_R_FILENOTFOUND)
4761
0
    {
4762
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4763
0
              ISC_LOG_DEBUG(1),
4764
0
              "no master file, requesting db");
4765
0
      maybe_send_secure(zone);
4766
0
    } else {
4767
0
      int level = ISC_LOG_ERROR;
4768
0
      if (zone->type == dns_zone_key &&
4769
0
          result == ISC_R_FILENOTFOUND)
4770
0
      {
4771
0
        level = ISC_LOG_DEBUG(1);
4772
0
      }
4773
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, level,
4774
0
              "loading from master file %s failed: %s",
4775
0
              zone->masterfile,
4776
0
              isc_result_totext(result));
4777
0
      noprimary = true;
4778
0
    }
4779
4780
0
    if (zone->type != dns_zone_key) {
4781
0
      goto cleanup;
4782
0
    }
4783
0
  }
4784
4785
2
  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2),
4786
2
          "number of nodes in database: %u",
4787
2
          dns_db_nodecount(db, dns_dbtree_main));
4788
4789
2
  if (result == DNS_R_SEENINCLUDE) {
4790
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4791
2
  } else {
4792
2
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4793
2
  }
4794
4795
  /*
4796
   * If there's no master file for a key zone, then the zone is new:
4797
   * create an SOA record.  (We do this now, instead of later, so that
4798
   * if there happens to be a journal file, we can roll forward from
4799
   * a sane starting point.)
4800
   */
4801
2
  if (noprimary && zone->type == dns_zone_key) {
4802
0
    result = add_soa(zone, db);
4803
0
    if (result != ISC_R_SUCCESS) {
4804
0
      goto cleanup;
4805
0
    }
4806
0
  }
4807
4808
  /*
4809
   * Apply update log, if any, on initial load.
4810
   */
4811
2
  if (zone->journal != NULL &&
4812
2
      !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
4813
2
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
4814
2
  {
4815
2
    result = zone_journal_rollforward(zone, db, &needdump,
4816
2
              &fixjournal);
4817
2
    if (result != ISC_R_SUCCESS) {
4818
0
      goto cleanup;
4819
0
    }
4820
2
  }
4821
4822
  /*
4823
   * Obtain ns, soa and cname counts for top of zone.
4824
   */
4825
2
  INSIST(db != NULL);
4826
2
  result = zone_get_from_db(zone, db, &nscount, &soacount, &soattl,
4827
2
          &serial, &refresh, &retry, &expire, &minimum,
4828
2
          &errors);
4829
2
  if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
4830
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
4831
0
            "could not find NS and/or SOA records");
4832
0
  }
4833
4834
  /*
4835
   * Process any queued NSEC3PARAM change requests. Only for dynamic
4836
   * zones, an inline-signing zone will perform this action when
4837
   * receiving the secure db (receive_secure_db).
4838
   */
4839
2
  is_dynamic = dns_zone_isdynamic(zone, true);
4840
2
  if (is_dynamic) {
4841
0
    process_zone_setnsec3param(zone);
4842
0
  }
4843
4844
  /*
4845
   * Check to make sure the journal is up to date, and remove the
4846
   * journal file if it isn't, as we wouldn't be able to apply
4847
   * updates otherwise.
4848
   */
4849
2
  if (zone->journal != NULL && is_dynamic &&
4850
2
      !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
4851
0
  {
4852
0
    uint32_t jserial;
4853
0
    dns_journal_t *journal = NULL;
4854
0
    bool empty = false;
4855
4856
0
    result = dns_journal_open(zone->mctx, zone->journal,
4857
0
            DNS_JOURNAL_READ, &journal);
4858
0
    if (result == ISC_R_SUCCESS) {
4859
0
      jserial = dns_journal_last_serial(journal);
4860
0
      empty = dns_journal_empty(journal);
4861
0
      dns_journal_destroy(&journal);
4862
0
    } else {
4863
0
      jserial = serial;
4864
0
      result = ISC_R_SUCCESS;
4865
0
    }
4866
4867
0
    if (jserial != serial) {
4868
0
      if (!empty) {
4869
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4870
0
                ISC_LOG_INFO,
4871
0
                "journal file is out of date: "
4872
0
                "removing journal file");
4873
0
      }
4874
0
      if (remove(zone->journal) < 0 && errno != ENOENT) {
4875
0
        char strbuf[ISC_STRERRORSIZE];
4876
0
        strerror_r(errno, strbuf, sizeof(strbuf));
4877
0
        isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
4878
0
                DNS_LOGMODULE_ZONE,
4879
0
                ISC_LOG_WARNING,
4880
0
                "unable to remove journal "
4881
0
                "'%s': '%s'",
4882
0
                zone->journal, strbuf);
4883
0
      }
4884
0
    }
4885
0
  }
4886
4887
2
  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
4888
2
          "loaded; checking validity");
4889
4890
  /*
4891
   * Primary / Secondary / Mirror / Stub zones require both NS and SOA
4892
   * records at the top of the zone.
4893
   */
4894
4895
2
  switch (zone->type) {
4896
0
  case dns_zone_dlz:
4897
2
  case dns_zone_primary:
4898
2
  case dns_zone_secondary:
4899
2
  case dns_zone_mirror:
4900
2
  case dns_zone_stub:
4901
2
  case dns_zone_redirect:
4902
2
    if (soacount != 1) {
4903
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4904
0
              ISC_LOG_ERROR, "has %d SOA records",
4905
0
              soacount);
4906
0
      result = DNS_R_BADZONE;
4907
0
    }
4908
2
    if (nscount == 0) {
4909
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4910
0
              ISC_LOG_ERROR, "has no NS records");
4911
0
      result = DNS_R_BADZONE;
4912
0
    }
4913
2
    if (result != ISC_R_SUCCESS) {
4914
0
      goto cleanup;
4915
0
    }
4916
2
    if (zone->type == dns_zone_primary && errors != 0) {
4917
0
      result = DNS_R_BADZONE;
4918
0
      goto cleanup;
4919
0
    }
4920
2
    if (zone->type != dns_zone_stub &&
4921
2
        zone->type != dns_zone_redirect)
4922
2
    {
4923
2
      result = check_nsec3param(zone, db);
4924
2
      if (result != ISC_R_SUCCESS) {
4925
0
        goto cleanup;
4926
0
      }
4927
2
    }
4928
2
    if (zone->type == dns_zone_primary &&
4929
2
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
4930
2
        !integrity_checks(zone, db))
4931
0
    {
4932
0
      result = DNS_R_BADZONE;
4933
0
      goto cleanup;
4934
0
    }
4935
2
    if (zone->type == dns_zone_primary &&
4936
2
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
4937
2
        !zone_check_dup(zone, db))
4938
0
    {
4939
0
      result = DNS_R_BADZONE;
4940
0
      goto cleanup;
4941
0
    }
4942
4943
2
    if (zone->type == dns_zone_primary) {
4944
2
      result = dns_zone_cdscheck(zone, db, NULL);
4945
2
      if (result != ISC_R_SUCCESS) {
4946
0
        dns_zone_log(zone, ISC_LOG_ERROR,
4947
0
               "CDS/CDNSKEY consistency checks "
4948
0
               "failed");
4949
0
        goto cleanup;
4950
0
      }
4951
2
    }
4952
4953
2
    result = dns_zone_verifydb(zone, db, NULL);
4954
2
    if (result != ISC_R_SUCCESS) {
4955
0
      goto cleanup;
4956
0
    }
4957
4958
2
    if (zone->db != NULL) {
4959
0
      unsigned int oldsoacount;
4960
4961
      /*
4962
       * This is checked in zone_replacedb() for
4963
       * secondary zones as they don't reload from disk.
4964
       */
4965
0
      result = zone_get_from_db(
4966
0
        zone, zone->db, NULL, &oldsoacount, NULL,
4967
0
        &oldserial, NULL, NULL, NULL, NULL, NULL);
4968
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
4969
0
      RUNTIME_CHECK(oldsoacount > 0U);
4970
0
      if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
4971
0
          !isc_serial_gt(serial, oldserial))
4972
0
      {
4973
0
        uint32_t serialmin, serialmax;
4974
4975
0
        INSIST(zone->type == dns_zone_primary);
4976
0
        INSIST(zone->raw == NULL);
4977
4978
0
        if (serial == oldserial &&
4979
0
            zone_unchanged(zone->db, db, zone->mctx))
4980
0
        {
4981
0
          dns_zone_logc(zone,
4982
0
                  DNS_LOGCATEGORY_ZONELOAD,
4983
0
                  ISC_LOG_INFO,
4984
0
                  "ixfr-from-differences: "
4985
0
                  "unchanged");
4986
0
          zone->loadtime = loadtime;
4987
0
          goto done;
4988
0
        }
4989
4990
0
        serialmin = (oldserial + 1) & 0xffffffffU;
4991
0
        serialmax = (oldserial + 0x7fffffffU) &
4992
0
              0xffffffffU;
4993
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4994
0
                ISC_LOG_ERROR,
4995
0
                "ixfr-from-differences: "
4996
0
                "new serial (%u) out of range "
4997
0
                "[%u - %u]",
4998
0
                serial, serialmin, serialmax);
4999
0
        result = DNS_R_BADZONE;
5000
0
        goto cleanup;
5001
0
      } else if (!isc_serial_ge(serial, oldserial)) {
5002
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5003
0
                ISC_LOG_ERROR,
5004
0
                "zone serial (%u/%u) has gone "
5005
0
                "backwards",
5006
0
                serial, oldserial);
5007
0
      } else if (serial == oldserial && !hasinclude &&
5008
0
           strcmp(zone->db_argv[0], "_builtin") != 0)
5009
0
      {
5010
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5011
0
                ISC_LOG_ERROR,
5012
0
                "zone serial (%u) unchanged. "
5013
0
                "zone may fail to transfer "
5014
0
                "to secondaries.",
5015
0
                serial);
5016
0
      }
5017
0
    }
5018
5019
2
    if (zone->type == dns_zone_primary &&
5020
2
        (zone->update_acl != NULL || zone->ssutable != NULL) &&
5021
2
        dns_zone_getsigresigninginterval(zone) < (3 * refresh) &&
5022
2
        dns_db_issecure(db))
5023
0
    {
5024
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5025
0
              ISC_LOG_WARNING,
5026
0
              "sig-re-signing-interval less than "
5027
0
              "3 * refresh.");
5028
0
    }
5029
5030
2
    zone->refresh = RANGE(refresh, zone->minrefresh,
5031
2
              zone->maxrefresh);
5032
2
    zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
5033
2
    zone->expire = RANGE(expire, zone->refresh + zone->retry,
5034
2
             DNS_MAX_EXPIRE);
5035
2
    zone->soattl = soattl;
5036
2
    zone->minimum = minimum;
5037
2
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
5038
5039
2
    if (zone->type == dns_zone_secondary ||
5040
2
        zone->type == dns_zone_mirror ||
5041
2
        zone->type == dns_zone_stub ||
5042
2
        (zone->type == dns_zone_redirect &&
5043
2
         dns_remote_addresses(&zone->primaries) != NULL))
5044
0
    {
5045
0
      isc_time_t t;
5046
0
      uint32_t delay;
5047
5048
0
      result = isc_file_getmodtime(zone->journal, &t);
5049
0
      if (result != ISC_R_SUCCESS) {
5050
0
        result = isc_file_getmodtime(zone->masterfile,
5051
0
                   &t);
5052
0
      }
5053
0
      if (result == ISC_R_SUCCESS) {
5054
0
        DNS_ZONE_TIME_ADD(&t, zone->expire,
5055
0
              &zone->expiretime);
5056
0
      } else {
5057
0
        DNS_ZONE_TIME_ADD(&now, zone->retry,
5058
0
              &zone->expiretime);
5059
0
      }
5060
5061
0
      delay = (zone->retry -
5062
0
         isc_random_uniform((zone->retry * 3) / 4));
5063
0
      DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
5064
0
      if (isc_time_compare(&zone->refreshtime,
5065
0
               &zone->expiretime) >= 0)
5066
0
      {
5067
0
        DNS_ZONE_SETFLAG(zone,
5068
0
             DNS_ZONEFLG_FIRSTREFRESH);
5069
0
        zone->refreshtime = now;
5070
0
      } else {
5071
        /* The zone is up to date. */
5072
0
        DNS_ZONE_CLRFLAG(zone,
5073
0
             DNS_ZONEFLG_FIRSTREFRESH);
5074
0
      }
5075
0
    }
5076
5077
2
    break;
5078
5079
0
  case dns_zone_key:
5080
    /* Nothing needs to be done now */
5081
0
    break;
5082
5083
0
  default:
5084
0
    UNEXPECTED_ERROR("unexpected zone type %d", zone->type);
5085
0
    result = ISC_R_UNEXPECTED;
5086
0
    goto cleanup;
5087
2
  }
5088
5089
  /*
5090
   * Check for weak DNSKEY's.
5091
   */
5092
2
  if (zone->type == dns_zone_primary) {
5093
2
    zone_check_dnskeys(zone, db);
5094
2
  }
5095
5096
  /*
5097
   * Schedule DNSSEC key refresh.
5098
   */
5099
2
  if (zone->type == dns_zone_primary &&
5100
2
      DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
5101
0
  {
5102
0
    zone->refreshkeytime = now;
5103
0
  }
5104
5105
2
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
5106
2
  if (zone->db != NULL) {
5107
0
    had_db = true;
5108
0
    result = zone_replacedb(zone, db, false);
5109
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
5110
0
    if (result != ISC_R_SUCCESS) {
5111
0
      goto cleanup;
5112
0
    }
5113
2
  } else {
5114
2
    zone_attachdb(zone, db);
5115
2
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
5116
2
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED |
5117
2
                 DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
5118
2
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
5119
2
        inline_raw(zone))
5120
0
    {
5121
0
      if (zone->secure->db == NULL) {
5122
0
        zone_send_securedb(zone, db);
5123
0
      } else {
5124
0
        zone_send_secureserial(zone, serial);
5125
0
      }
5126
0
    }
5127
2
  }
5128
5129
  /*
5130
   * Finished loading inline-signing zone; need to get status
5131
   * from the raw side now.
5132
   */
5133
2
  if (zone->type == dns_zone_primary && inline_secure(zone)) {
5134
0
    maybe_send_secure(zone);
5135
0
  }
5136
5137
2
  result = ISC_R_SUCCESS;
5138
5139
2
  if (fixjournal) {
5140
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
5141
0
    zone_journal_compact(zone, zone->db, 0);
5142
0
  }
5143
2
  if (needdump) {
5144
0
    if (zone->type == dns_zone_key) {
5145
0
      zone_needdump(zone, 30);
5146
0
    } else {
5147
0
      zone_needdump(zone, DNS_DUMP_DELAY);
5148
0
    }
5149
0
  }
5150
5151
2
  if (zone->loop != NULL) {
5152
0
    if (zone->type == dns_zone_primary) {
5153
0
      set_resigntime(zone);
5154
0
      resume_signingwithkey(zone);
5155
0
      resume_addnsec3chain(zone);
5156
0
    }
5157
5158
0
    is_dynamic = dns_zone_isdynamic(zone, false);
5159
0
    if (zone->type == dns_zone_primary && is_dynamic &&
5160
0
        dns_db_issecure(db) && !inline_raw(zone))
5161
0
    {
5162
0
      isc_stdtime_t resign;
5163
0
      dns_name_t *name;
5164
0
      dns_fixedname_t fixed;
5165
0
      dns_typepair_t typepair;
5166
5167
0
      name = dns_fixedname_initname(&fixed);
5168
5169
0
      result = dns_db_getsigningtime(db, &resign, name,
5170
0
                   &typepair);
5171
0
      if (result == ISC_R_SUCCESS) {
5172
0
        isc_stdtime_t timenow = isc_stdtime_now();
5173
0
        char namebuf[DNS_NAME_FORMATSIZE];
5174
0
        char typebuf[DNS_RDATATYPE_FORMATSIZE];
5175
5176
0
        dns_name_format(name, namebuf, sizeof(namebuf));
5177
0
        dns_rdatatype_format(
5178
0
          DNS_TYPEPAIR_COVERS(typepair), typebuf,
5179
0
          sizeof(typebuf));
5180
0
        dnssec_log(
5181
0
          zone, ISC_LOG_DEBUG(3),
5182
0
          "next resign: %s/%s "
5183
0
          "in %d seconds",
5184
0
          namebuf, typebuf,
5185
0
          resign - timenow -
5186
0
            dns_zone_getsigresigninginterval(
5187
0
              zone));
5188
0
      } else {
5189
0
        dnssec_log(zone, ISC_LOG_WARNING,
5190
0
             "signed dynamic zone has no "
5191
0
             "resign event scheduled");
5192
0
      }
5193
0
    }
5194
5195
0
    zone_settimer(zone, &now);
5196
0
  }
5197
5198
  /*
5199
   * Clear old include list.
5200
   */
5201
2
  for (inc = ISC_LIST_HEAD(zone->includes); inc != NULL;
5202
2
       inc = ISC_LIST_HEAD(zone->includes))
5203
0
  {
5204
0
    ISC_LIST_UNLINK(zone->includes, inc, link);
5205
0
    isc_mem_free(zone->mctx, inc->name);
5206
0
    isc_mem_put(zone->mctx, inc, sizeof(*inc));
5207
0
  }
5208
2
  zone->nincludes = 0;
5209
5210
  /*
5211
   * Transfer new include list.
5212
   */
5213
2
  for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
5214
2
       inc = ISC_LIST_HEAD(zone->newincludes))
5215
0
  {
5216
0
    ISC_LIST_UNLINK(zone->newincludes, inc, link);
5217
0
    ISC_LIST_APPEND(zone->includes, inc, link);
5218
0
    zone->nincludes++;
5219
0
  }
5220
5221
2
  if (!dns_db_ispersistent(db)) {
5222
2
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
5223
2
            "loaded serial %u%s", serial,
5224
2
            dns_db_issecure(db) ? " (DNSSEC signed)" : "");
5225
2
  }
5226
5227
2
  if (!had_db && zone->type == dns_zone_mirror) {
5228
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
5229
0
            "mirror zone is now in use");
5230
0
  }
5231
5232
2
  zone->loadtime = loadtime;
5233
2
  goto done;
5234
5235
0
cleanup:
5236
0
  if (result != ISC_R_SUCCESS) {
5237
0
    dns_zone_rpz_disable_db(zone, db);
5238
0
    dns_zone_catz_disable_db(zone, db);
5239
0
  }
5240
5241
0
  for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
5242
0
       inc = ISC_LIST_HEAD(zone->newincludes))
5243
0
  {
5244
0
    ISC_LIST_UNLINK(zone->newincludes, inc, link);
5245
0
    isc_mem_free(zone->mctx, inc->name);
5246
0
    isc_mem_put(zone->mctx, inc, sizeof(*inc));
5247
0
  }
5248
0
  if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
5249
0
      zone->type == dns_zone_stub || zone->type == dns_zone_key ||
5250
0
      (zone->type == dns_zone_redirect &&
5251
0
       dns_remote_addresses(&zone->primaries) != NULL))
5252
0
  {
5253
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
5254
5255
0
    if (result != ISC_R_NOMEMORY) {
5256
0
      if (zone->journal != NULL) {
5257
0
        zone_saveunique(zone, zone->journal,
5258
0
            "jn-XXXXXXXX");
5259
0
      }
5260
0
      if (zone->masterfile != NULL) {
5261
0
        zone_saveunique(zone, zone->masterfile,
5262
0
            "db-XXXXXXXX");
5263
0
      }
5264
0
    }
5265
5266
    /* Mark the zone for immediate refresh. */
5267
0
    zone->refreshtime = now;
5268
0
    if (zone->loop != NULL) {
5269
0
      zone_settimer(zone, &now);
5270
0
    }
5271
0
    result = ISC_R_SUCCESS;
5272
0
  } else if (zone->type == dns_zone_primary ||
5273
0
       zone->type == dns_zone_redirect)
5274
0
  {
5275
0
    if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {
5276
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5277
0
              ISC_LOG_ERROR,
5278
0
              "not loaded due to errors.");
5279
0
    } else if (zone->type == dns_zone_primary) {
5280
0
      result = ISC_R_SUCCESS;
5281
0
    }
5282
0
  }
5283
5284
2
done:
5285
2
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
5286
  /*
5287
   * If this is an inline-signed zone and we were called for the raw
5288
   * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
5289
   * as well, but only if this is a reload, not an initial zone load: in
5290
   * the former case, zone_postload() will not be run for the secure
5291
   * zone; in the latter case, it will be.  Check which case we are
5292
   * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the
5293
   * secure zone: if it is set, this must be a reload.
5294
   */
5295
2
  if (inline_raw(zone) && DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
5296
0
  {
5297
0
    DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
5298
    /*
5299
     * Re-start zone maintenance if it had been stalled
5300
     * due to DNS_ZONEFLG_LOADPENDING being set when
5301
     * zone_maintenance was called.
5302
     */
5303
0
    if (zone->secure->loop != NULL) {
5304
0
      zone_settimer(zone->secure, &now);
5305
0
    }
5306
0
  }
5307
5308
2
  zone_debuglog(zone, __func__, 99, "done");
5309
5310
2
  return (result);
5311
0
}
5312
5313
static bool
5314
0
exit_check(dns_zone_t *zone) {
5315
0
  REQUIRE(LOCKED_ZONE(zone));
5316
5317
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
5318
0
      isc_refcount_current(&zone->irefs) == 0)
5319
0
  {
5320
    /*
5321
     * DNS_ZONEFLG_SHUTDOWN can only be set if references == 0.
5322
     */
5323
0
    INSIST(isc_refcount_current(&zone->references) == 0);
5324
0
    return (true);
5325
0
  }
5326
0
  return (false);
5327
0
}
5328
5329
static bool
5330
zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
5331
0
        dns_name_t *name, bool logit) {
5332
0
  isc_result_t result;
5333
0
  char namebuf[DNS_NAME_FORMATSIZE];
5334
0
  char altbuf[DNS_NAME_FORMATSIZE];
5335
0
  dns_fixedname_t fixed;
5336
0
  dns_name_t *foundname;
5337
0
  int level;
5338
5339
0
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS)) {
5340
0
    return (true);
5341
0
  }
5342
5343
0
  if (zone->type == dns_zone_primary) {
5344
0
    level = ISC_LOG_ERROR;
5345
0
  } else {
5346
0
    level = ISC_LOG_WARNING;
5347
0
  }
5348
5349
0
  foundname = dns_fixedname_initname(&fixed);
5350
5351
0
  result = dns_db_find(db, name, version, dns_rdatatype_a, 0, 0, NULL,
5352
0
           foundname, NULL, NULL);
5353
0
  if (result == ISC_R_SUCCESS) {
5354
0
    return (true);
5355
0
  }
5356
5357
0
  if (result == DNS_R_NXRRSET) {
5358
0
    result = dns_db_find(db, name, version, dns_rdatatype_aaaa, 0,
5359
0
             0, NULL, foundname, NULL, NULL);
5360
0
    if (result == ISC_R_SUCCESS) {
5361
0
      return (true);
5362
0
    }
5363
0
  }
5364
5365
0
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
5366
0
      result == DNS_R_EMPTYNAME)
5367
0
  {
5368
0
    if (logit) {
5369
0
      dns_name_format(name, namebuf, sizeof namebuf);
5370
0
      dns_zone_log(zone, level,
5371
0
             "NS '%s' has no address "
5372
0
             "records (A or AAAA)",
5373
0
             namebuf);
5374
0
    }
5375
0
    return (false);
5376
0
  }
5377
5378
0
  if (result == DNS_R_CNAME) {
5379
0
    if (logit) {
5380
0
      dns_name_format(name, namebuf, sizeof namebuf);
5381
0
      dns_zone_log(zone, level,
5382
0
             "NS '%s' is a CNAME "
5383
0
             "(illegal)",
5384
0
             namebuf);
5385
0
    }
5386
0
    return (false);
5387
0
  }
5388
5389
0
  if (result == DNS_R_DNAME) {
5390
0
    if (logit) {
5391
0
      dns_name_format(name, namebuf, sizeof namebuf);
5392
0
      dns_name_format(foundname, altbuf, sizeof altbuf);
5393
0
      dns_zone_log(zone, level,
5394
0
             "NS '%s' is below a DNAME "
5395
0
             "'%s' (illegal)",
5396
0
             namebuf, altbuf);
5397
0
    }
5398
0
    return (false);
5399
0
  }
5400
5401
0
  return (true);
5402
0
}
5403
5404
static isc_result_t
5405
zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
5406
     dns_dbversion_t *version, unsigned int *nscount,
5407
2
     unsigned int *errors, bool logit) {
5408
2
  isc_result_t result;
5409
2
  unsigned int count = 0;
5410
2
  unsigned int ecount = 0;
5411
2
  dns_rdataset_t rdataset;
5412
2
  dns_rdata_t rdata;
5413
2
  dns_rdata_ns_t ns;
5414
5415
2
  dns_rdataset_init(&rdataset);
5416
2
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
5417
2
             dns_rdatatype_none, 0, &rdataset, NULL);
5418
2
  if (result == ISC_R_NOTFOUND) {
5419
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
5420
0
    goto success;
5421
0
  }
5422
2
  if (result != ISC_R_SUCCESS) {
5423
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
5424
0
    goto invalidate_rdataset;
5425
0
  }
5426
5427
2
  result = dns_rdataset_first(&rdataset);
5428
4
  while (result == ISC_R_SUCCESS) {
5429
2
    if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
5430
2
        (zone->type == dns_zone_primary ||
5431
2
         zone->type == dns_zone_secondary ||
5432
2
         zone->type == dns_zone_mirror))
5433
2
    {
5434
2
      dns_rdata_init(&rdata);
5435
2
      dns_rdataset_current(&rdataset, &rdata);
5436
2
      result = dns_rdata_tostruct(&rdata, &ns, NULL);
5437
2
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
5438
2
      if (dns_name_issubdomain(&ns.name, &zone->origin) &&
5439
2
          !zone_check_ns(zone, db, version, &ns.name, logit))
5440
0
      {
5441
0
        ecount++;
5442
0
      }
5443
2
    }
5444
2
    count++;
5445
2
    result = dns_rdataset_next(&rdataset);
5446
2
  }
5447
2
  dns_rdataset_disassociate(&rdataset);
5448
5449
2
success:
5450
2
  SET_IF_NOT_NULL(nscount, count);
5451
2
  SET_IF_NOT_NULL(errors, ecount);
5452
5453
2
  result = ISC_R_SUCCESS;
5454
5455
2
invalidate_rdataset:
5456
2
  dns_rdataset_invalidate(&rdataset);
5457
5458
2
  return (result);
5459
2
}
5460
5461
#define SET_SOA_VALUES(soattl_v, serial_v, refresh_v, retry_v, expire_v, \
5462
           minimum_v)                                        \
5463
4
  {                                                                \
5464
4
    SET_IF_NOT_NULL(soattl, soattl_v);                       \
5465
4
    SET_IF_NOT_NULL(serial, serial_v);                       \
5466
4
    SET_IF_NOT_NULL(refresh, refresh_v);                     \
5467
4
    SET_IF_NOT_NULL(retry, retry_v);                         \
5468
4
    SET_IF_NOT_NULL(expire, expire_v);                       \
5469
4
    SET_IF_NOT_NULL(minimum, minimum_v);                     \
5470
4
  }
5471
5472
#define CLR_SOA_VALUES()                          \
5473
2
  {                                         \
5474
2
    SET_SOA_VALUES(0, 0, 0, 0, 0, 0); \
5475
2
  }
5476
5477
static isc_result_t
5478
zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
5479
     unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
5480
     uint32_t *refresh, uint32_t *retry, uint32_t *expire,
5481
2
     uint32_t *minimum) {
5482
2
  isc_result_t result;
5483
2
  unsigned int count = 0;
5484
2
  dns_rdataset_t rdataset;
5485
2
  dns_rdata_t rdata = DNS_RDATA_INIT;
5486
5487
2
  dns_rdataset_init(&rdataset);
5488
2
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
5489
2
             dns_rdatatype_none, 0, &rdataset, NULL);
5490
2
  if (result == ISC_R_NOTFOUND) {
5491
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
5492
0
    result = ISC_R_SUCCESS;
5493
0
    goto invalidate_rdataset;
5494
0
  }
5495
2
  if (result != ISC_R_SUCCESS) {
5496
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
5497
0
    goto invalidate_rdataset;
5498
0
  }
5499
5500
2
  result = dns_rdataset_first(&rdataset);
5501
4
  while (result == ISC_R_SUCCESS) {
5502
2
    dns_rdata_init(&rdata);
5503
2
    dns_rdataset_current(&rdataset, &rdata);
5504
2
    count++;
5505
2
    if (count == 1) {
5506
2
      dns_rdata_soa_t soa;
5507
2
      result = dns_rdata_tostruct(&rdata, &soa, NULL);
5508
2
      SET_SOA_VALUES(rdataset.ttl, soa.serial, soa.refresh,
5509
2
               soa.retry, soa.expire, soa.minimum);
5510
2
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
5511
2
    }
5512
5513
2
    result = dns_rdataset_next(&rdataset);
5514
2
    dns_rdata_reset(&rdata);
5515
2
  }
5516
2
  dns_rdataset_disassociate(&rdataset);
5517
5518
2
  result = ISC_R_SUCCESS;
5519
5520
2
invalidate_rdataset:
5521
2
  SET_IF_NOT_NULL(soacount, count);
5522
2
  if (count == 0) {
5523
0
    CLR_SOA_VALUES();
5524
0
  }
5525
5526
2
  dns_rdataset_invalidate(&rdataset);
5527
5528
2
  return (result);
5529
2
}
5530
5531
/*
5532
 * zone must be locked.
5533
 */
5534
static isc_result_t
5535
zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
5536
     unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
5537
     uint32_t *refresh, uint32_t *retry, uint32_t *expire,
5538
2
     uint32_t *minimum, unsigned int *errors) {
5539
2
  isc_result_t result;
5540
2
  isc_result_t answer = ISC_R_SUCCESS;
5541
2
  dns_dbversion_t *version = NULL;
5542
2
  dns_dbnode_t *node;
5543
5544
2
  REQUIRE(db != NULL);
5545
2
  REQUIRE(zone != NULL);
5546
5547
2
  dns_db_currentversion(db, &version);
5548
5549
2
  SET_IF_NOT_NULL(nscount, 0);
5550
2
  SET_IF_NOT_NULL(soacount, 0);
5551
2
  SET_IF_NOT_NULL(errors, 0);
5552
2
  CLR_SOA_VALUES();
5553
5554
2
  node = NULL;
5555
2
  result = dns_db_findnode(db, &zone->origin, false, &node);
5556
2
  if (result != ISC_R_SUCCESS) {
5557
0
    answer = result;
5558
0
    goto closeversion;
5559
0
  }
5560
5561
2
  if (nscount != NULL || errors != NULL) {
5562
2
    result = zone_count_ns_rr(zone, db, node, version, nscount,
5563
2
            errors, true);
5564
2
    if (result != ISC_R_SUCCESS) {
5565
0
      answer = result;
5566
0
    }
5567
2
  }
5568
5569
2
  if (soacount != NULL || soattl != NULL || serial != NULL ||
5570
2
      refresh != NULL || retry != NULL || expire != NULL ||
5571
2
      minimum != NULL)
5572
2
  {
5573
2
    result = zone_load_soa_rr(db, node, version, soacount, soattl,
5574
2
            serial, refresh, retry, expire,
5575
2
            minimum);
5576
2
    if (result != ISC_R_SUCCESS) {
5577
0
      answer = result;
5578
0
    }
5579
2
  }
5580
5581
2
  dns_db_detachnode(db, &node);
5582
2
closeversion:
5583
2
  dns_db_closeversion(db, &version, false);
5584
5585
2
  return (answer);
5586
2
}
5587
5588
static void
5589
0
zone_destroy(dns_zone_t *zone) {
5590
  /*
5591
   * Stop things being restarted after we cancel them below.
5592
   */
5593
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
5594
0
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "final reference detached");
5595
5596
0
  if (zone->loop == NULL) {
5597
    /*
5598
     * This zone is unmanaged; we're probably running in
5599
     * named-checkzone or a unit test. There's no loop, so we
5600
     * need to free it immediately.
5601
     */
5602
0
    zone_shutdown(zone);
5603
0
  } else {
5604
    /*
5605
     * This zone has a loop; it can clean
5606
     * itself up asynchronously.
5607
     */
5608
0
    isc_async_run(zone->loop, zone_shutdown, zone);
5609
0
  }
5610
0
}
5611
5612
#if DNS_ZONE_TRACE
5613
ISC_REFCOUNT_TRACE_IMPL(dns_zone, zone_destroy);
5614
#else
5615
ISC_REFCOUNT_IMPL(dns_zone, zone_destroy);
5616
#endif
5617
5618
void
5619
0
dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
5620
0
  REQUIRE(DNS_ZONE_VALID(source));
5621
5622
0
  LOCK_ZONE(source);
5623
0
  zone_iattach(source, target);
5624
0
  UNLOCK_ZONE(source);
5625
0
}
5626
5627
static void
5628
4
zone_iattach(dns_zone_t *source, dns_zone_t **target) {
5629
4
  REQUIRE(DNS_ZONE_VALID(source));
5630
4
  REQUIRE(LOCKED_ZONE(source));
5631
4
  REQUIRE(target != NULL && *target == NULL);
5632
4
  INSIST(isc_refcount_increment0(&source->irefs) +
5633
4
           isc_refcount_current(&source->references) >
5634
4
         0);
5635
4
  *target = source;
5636
4
}
5637
5638
static void
5639
4
zone_idetach(dns_zone_t **zonep) {
5640
4
  dns_zone_t *zone;
5641
5642
  /*
5643
   * 'zone' locked by caller.
5644
   */
5645
4
  REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
5646
4
  REQUIRE(LOCKED_ZONE(*zonep));
5647
5648
4
  zone = *zonep;
5649
4
  *zonep = NULL;
5650
5651
4
  INSIST(isc_refcount_decrement(&zone->irefs) - 1 +
5652
4
           isc_refcount_current(&zone->references) >
5653
4
         0);
5654
4
}
5655
5656
void
5657
0
dns_zone_idetach(dns_zone_t **zonep) {
5658
0
  dns_zone_t *zone;
5659
5660
0
  REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
5661
5662
0
  zone = *zonep;
5663
0
  *zonep = NULL;
5664
5665
0
  if (isc_refcount_decrement(&zone->irefs) == 1) {
5666
0
    bool free_needed;
5667
0
    LOCK_ZONE(zone);
5668
0
    free_needed = exit_check(zone);
5669
0
    UNLOCK_ZONE(zone);
5670
0
    if (free_needed) {
5671
0
      zone_free(zone);
5672
0
    }
5673
0
  }
5674
0
}
5675
5676
isc_mem_t *
5677
0
dns_zone_getmctx(dns_zone_t *zone) {
5678
0
  REQUIRE(DNS_ZONE_VALID(zone));
5679
5680
0
  return (zone->mctx);
5681
0
}
5682
5683
dns_zonemgr_t *
5684
0
dns_zone_getmgr(dns_zone_t *zone) {
5685
0
  REQUIRE(DNS_ZONE_VALID(zone));
5686
5687
0
  return (zone->zmgr);
5688
0
}
5689
5690
void
5691
0
dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
5692
0
  REQUIRE(DNS_ZONE_VALID(zone));
5693
5694
0
  LOCK_ZONE(zone);
5695
0
  if (zone->kasp != NULL) {
5696
0
    dns_kasp_detach(&zone->kasp);
5697
0
  }
5698
0
  if (kasp != NULL) {
5699
0
    dns_kasp_attach(kasp, &zone->kasp);
5700
0
  }
5701
0
  UNLOCK_ZONE(zone);
5702
0
}
5703
5704
void
5705
0
dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
5706
0
  REQUIRE(DNS_ZONE_VALID(zone));
5707
5708
0
  LOCK_ZONE(zone);
5709
0
  if (zone->defaultkasp != NULL) {
5710
0
    dns_kasp_detach(&zone->defaultkasp);
5711
0
  }
5712
0
  if (kasp != NULL) {
5713
0
    dns_kasp_attach(kasp, &zone->defaultkasp);
5714
0
  }
5715
0
  UNLOCK_ZONE(zone);
5716
0
}
5717
5718
dns_kasp_t *
5719
0
dns_zone_getkasp(dns_zone_t *zone) {
5720
0
  dns_kasp_t *kasp;
5721
5722
0
  REQUIRE(DNS_ZONE_VALID(zone));
5723
5724
0
  LOCK_ZONE(zone);
5725
0
  if (inline_raw(zone) && zone->secure != NULL) {
5726
0
    kasp = zone->secure->kasp;
5727
0
  } else {
5728
0
    kasp = zone->kasp;
5729
0
  }
5730
0
  UNLOCK_ZONE(zone);
5731
5732
0
  return (kasp);
5733
0
}
5734
5735
void
5736
0
dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
5737
0
  REQUIRE(DNS_ZONE_VALID(zone));
5738
5739
0
  if (value) {
5740
0
    DNS_ZONE_SETOPTION(zone, option);
5741
0
  } else {
5742
0
    DNS_ZONE_CLROPTION(zone, option);
5743
0
  }
5744
0
}
5745
5746
dns_zoneopt_t
5747
0
dns_zone_getoptions(dns_zone_t *zone) {
5748
0
  REQUIRE(DNS_ZONE_VALID(zone));
5749
5750
0
  return (atomic_load_relaxed(&zone->options));
5751
0
}
5752
5753
void
5754
0
dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) {
5755
0
  REQUIRE(DNS_ZONE_VALID(zone));
5756
5757
0
  if (value) {
5758
0
    DNS_ZONEKEY_SETOPTION(zone, keyopt);
5759
0
  } else {
5760
0
    DNS_ZONEKEY_CLROPTION(zone, keyopt);
5761
0
  }
5762
0
}
5763
5764
unsigned int
5765
0
dns_zone_getkeyopts(dns_zone_t *zone) {
5766
0
  REQUIRE(DNS_ZONE_VALID(zone));
5767
5768
0
  return (atomic_load_relaxed(&zone->keyopts));
5769
0
}
5770
5771
isc_result_t
5772
0
dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
5773
0
  REQUIRE(DNS_ZONE_VALID(zone));
5774
5775
0
  LOCK_ZONE(zone);
5776
0
  zone->xfrsource4 = *xfrsource;
5777
0
  UNLOCK_ZONE(zone);
5778
5779
0
  return (ISC_R_SUCCESS);
5780
0
}
5781
5782
isc_sockaddr_t *
5783
0
dns_zone_getxfrsource4(dns_zone_t *zone) {
5784
0
  REQUIRE(DNS_ZONE_VALID(zone));
5785
0
  return (&zone->xfrsource4);
5786
0
}
5787
5788
isc_result_t
5789
0
dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
5790
0
  REQUIRE(DNS_ZONE_VALID(zone));
5791
5792
0
  LOCK_ZONE(zone);
5793
0
  zone->xfrsource6 = *xfrsource;
5794
0
  UNLOCK_ZONE(zone);
5795
5796
0
  return (ISC_R_SUCCESS);
5797
0
}
5798
5799
isc_sockaddr_t *
5800
0
dns_zone_getxfrsource6(dns_zone_t *zone) {
5801
0
  REQUIRE(DNS_ZONE_VALID(zone));
5802
0
  return (&zone->xfrsource6);
5803
0
}
5804
5805
isc_result_t
5806
0
dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
5807
0
  REQUIRE(DNS_ZONE_VALID(zone));
5808
5809
0
  LOCK_ZONE(zone);
5810
0
  zone->parentalsrc4 = *parentalsrc;
5811
0
  UNLOCK_ZONE(zone);
5812
5813
0
  return (ISC_R_SUCCESS);
5814
0
}
5815
5816
isc_sockaddr_t *
5817
0
dns_zone_getparentalsrc4(dns_zone_t *zone) {
5818
0
  REQUIRE(DNS_ZONE_VALID(zone));
5819
0
  return (&zone->parentalsrc4);
5820
0
}
5821
5822
isc_result_t
5823
0
dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
5824
0
  REQUIRE(DNS_ZONE_VALID(zone));
5825
5826
0
  LOCK_ZONE(zone);
5827
0
  zone->parentalsrc6 = *parentalsrc;
5828
0
  UNLOCK_ZONE(zone);
5829
5830
0
  return (ISC_R_SUCCESS);
5831
0
}
5832
5833
isc_sockaddr_t *
5834
0
dns_zone_getparentalsrc6(dns_zone_t *zone) {
5835
0
  REQUIRE(DNS_ZONE_VALID(zone));
5836
0
  return (&zone->parentalsrc6);
5837
0
}
5838
5839
isc_result_t
5840
0
dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
5841
0
  REQUIRE(DNS_ZONE_VALID(zone));
5842
5843
0
  LOCK_ZONE(zone);
5844
0
  zone->notifysrc4 = *notifysrc;
5845
0
  UNLOCK_ZONE(zone);
5846
5847
0
  return (ISC_R_SUCCESS);
5848
0
}
5849
5850
isc_sockaddr_t *
5851
0
dns_zone_getnotifysrc4(dns_zone_t *zone) {
5852
0
  REQUIRE(DNS_ZONE_VALID(zone));
5853
0
  return (&zone->notifysrc4);
5854
0
}
5855
5856
isc_result_t
5857
0
dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
5858
0
  REQUIRE(DNS_ZONE_VALID(zone));
5859
5860
0
  LOCK_ZONE(zone);
5861
0
  zone->notifysrc6 = *notifysrc;
5862
0
  UNLOCK_ZONE(zone);
5863
5864
0
  return (ISC_R_SUCCESS);
5865
0
}
5866
5867
isc_sockaddr_t *
5868
0
dns_zone_getnotifysrc6(dns_zone_t *zone) {
5869
0
  REQUIRE(DNS_ZONE_VALID(zone));
5870
0
  return (&zone->notifysrc6);
5871
0
}
5872
5873
void
5874
dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *addresses,
5875
           isc_sockaddr_t *sources, dns_name_t **keynames,
5876
0
           dns_name_t **tlsnames, uint32_t count) {
5877
0
  dns_remote_t remote;
5878
5879
0
  REQUIRE(DNS_ZONE_VALID(zone));
5880
5881
0
  LOCK_ZONE(zone);
5882
5883
0
  remote.magic = DNS_REMOTE_MAGIC;
5884
0
  remote.addresses = addresses;
5885
0
  remote.sources = sources;
5886
0
  remote.keynames = keynames;
5887
0
  remote.tlsnames = tlsnames;
5888
0
  remote.addrcnt = count;
5889
5890
0
  if (dns_remote_equal(&zone->notify, &remote)) {
5891
0
    goto unlock;
5892
0
  }
5893
5894
0
  dns_remote_clear(&zone->notify);
5895
5896
  /*
5897
   * If count == 0, don't allocate any space for servers to notify.
5898
   */
5899
0
  if (count == 0) {
5900
0
    goto unlock;
5901
0
  }
5902
5903
  /*
5904
   * Now set up the notify address and key lists.
5905
   */
5906
0
  dns_remote_init(&zone->notify, count, addresses, sources, keynames,
5907
0
      tlsnames, true, zone->mctx);
5908
5909
0
unlock:
5910
0
  UNLOCK_ZONE(zone);
5911
0
}
5912
5913
static bool
5914
0
has_pf(isc_sockaddr_t *addresses, size_t count, int pf) {
5915
0
  for (size_t i = 0; i < count; i++) {
5916
0
    if (isc_sockaddr_pf(&addresses[i]) == pf) {
5917
0
      return (true);
5918
0
    }
5919
0
  }
5920
0
  return (false);
5921
0
}
5922
5923
static void
5924
report_no_active_addresses(dns_zone_t *zone, isc_sockaddr_t *addresses,
5925
0
         size_t count, const char *what) {
5926
0
  if (isc_net_probeipv4() == ISC_R_DISABLED) {
5927
0
    if (!has_pf(addresses, count, AF_INET6)) {
5928
0
      dns_zone_log(zone, ISC_LOG_NOTICE,
5929
0
             "IPv4 disabled and no IPv6 %s", what);
5930
0
    }
5931
0
  } else if (isc_net_probeipv6() == ISC_R_DISABLED) {
5932
0
    if (!has_pf(addresses, count, AF_INET)) {
5933
0
      dns_zone_log(zone, ISC_LOG_NOTICE,
5934
0
             "IPv6 disabled and no IPv4 %s", what);
5935
0
    }
5936
0
  }
5937
0
}
5938
5939
void
5940
dns_zone_setprimaries(dns_zone_t *zone, isc_sockaddr_t *addresses,
5941
          isc_sockaddr_t *sources, dns_name_t **keynames,
5942
0
          dns_name_t **tlsnames, uint32_t count) {
5943
0
  dns_remote_t remote;
5944
5945
0
  REQUIRE(DNS_ZONE_VALID(zone));
5946
5947
0
  LOCK_ZONE(zone);
5948
5949
0
  remote.magic = DNS_REMOTE_MAGIC;
5950
0
  remote.addresses = addresses;
5951
0
  remote.sources = sources;
5952
0
  remote.keynames = keynames;
5953
0
  remote.tlsnames = tlsnames;
5954
0
  remote.addrcnt = count;
5955
5956
  /*
5957
   * The refresh code assumes that 'primaries' wouldn't change under it.
5958
   * If it will change then kill off any current refresh in progress
5959
   * and update the primaries info.  If it won't change then we can just
5960
   * unlock and exit.
5961
   */
5962
0
  if (!dns_remote_equal(&zone->primaries, &remote)) {
5963
0
    if (zone->request != NULL) {
5964
0
      dns_request_cancel(zone->request);
5965
0
    }
5966
0
  } else {
5967
0
    goto unlock;
5968
0
  }
5969
5970
0
  dns_remote_clear(&zone->primaries);
5971
5972
  /*
5973
   * If count == 0, don't allocate any space for primaries.
5974
   */
5975
0
  if (count == 0) {
5976
0
    goto unlock;
5977
0
  }
5978
5979
0
  report_no_active_addresses(zone, addresses, count, "primaries");
5980
5981
  /*
5982
   * Now set up the primaries and primary key lists.
5983
   */
5984
0
  dns_remote_init(&zone->primaries, count, addresses, sources, keynames,
5985
0
      tlsnames, true, zone->mctx);
5986
5987
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOPRIMARIES);
5988
5989
0
unlock:
5990
0
  UNLOCK_ZONE(zone);
5991
0
}
5992
5993
void
5994
dns_zone_setparentals(dns_zone_t *zone, isc_sockaddr_t *addresses,
5995
          isc_sockaddr_t *sources, dns_name_t **keynames,
5996
0
          dns_name_t **tlsnames, uint32_t count) {
5997
0
  dns_remote_t remote;
5998
5999
0
  REQUIRE(DNS_ZONE_VALID(zone));
6000
6001
0
  LOCK_ZONE(zone);
6002
6003
0
  remote.magic = DNS_REMOTE_MAGIC;
6004
0
  remote.addresses = addresses;
6005
0
  remote.sources = sources;
6006
0
  remote.keynames = keynames;
6007
0
  remote.tlsnames = tlsnames;
6008
0
  remote.addrcnt = count;
6009
6010
0
  if (dns_remote_equal(&zone->parentals, &remote)) {
6011
0
    goto unlock;
6012
0
  }
6013
6014
0
  dns_remote_clear(&zone->parentals);
6015
6016
  /*
6017
   * If count == 0, don't allocate any space for parentals.
6018
   */
6019
0
  if (count == 0) {
6020
0
    goto unlock;
6021
0
  }
6022
6023
0
  report_no_active_addresses(zone, addresses, count, "parental-agents");
6024
6025
  /*
6026
   * Now set up the parentals and parental key lists.
6027
   */
6028
0
  dns_remote_init(&zone->parentals, count, addresses, sources, keynames,
6029
0
      tlsnames, true, zone->mctx);
6030
6031
0
  dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: set %u parentals", count);
6032
6033
0
unlock:
6034
0
  UNLOCK_ZONE(zone);
6035
0
}
6036
6037
isc_result_t
6038
173
dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
6039
173
  isc_result_t result = ISC_R_SUCCESS;
6040
6041
173
  REQUIRE(DNS_ZONE_VALID(zone));
6042
6043
173
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
6044
173
  if (zone->db == NULL) {
6045
0
    result = DNS_R_NOTLOADED;
6046
173
  } else {
6047
173
    dns_db_attach(zone->db, dpb);
6048
173
  }
6049
173
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
6050
6051
173
  return (result);
6052
173
}
6053
6054
void
6055
0
dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
6056
0
  REQUIRE(DNS_ZONE_VALID(zone));
6057
0
  REQUIRE(zone->type == dns_zone_staticstub);
6058
6059
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
6060
0
  REQUIRE(zone->db == NULL);
6061
0
  dns_db_attach(db, &zone->db);
6062
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
6063
0
}
6064
6065
static bool
6066
0
was_dumping(dns_zone_t *zone) {
6067
0
  REQUIRE(LOCKED_ZONE(zone));
6068
6069
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
6070
0
    return (true);
6071
0
  }
6072
6073
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
6074
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
6075
0
  isc_time_settoepoch(&zone->dumptime);
6076
0
  return (false);
6077
0
}
6078
6079
static isc_result_t
6080
keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx,
6081
0
      dst_key_t **key) {
6082
0
  const char *directory = zone->keydirectory;
6083
0
  dns_kasp_t *kasp = zone->kasp;
6084
0
  dst_key_t *foundkey = NULL;
6085
0
  isc_result_t result = ISC_R_NOTFOUND;
6086
6087
0
  if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
6088
0
      (strcmp(dns_kasp_getname(kasp), "insecure") == 0))
6089
0
  {
6090
0
    result = dst_key_fromfile(
6091
0
      dst_key_name(pubkey), dst_key_id(pubkey),
6092
0
      dst_key_alg(pubkey),
6093
0
      (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
6094
0
      directory, mctx, &foundkey);
6095
0
  } else {
6096
0
    for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
6097
0
         kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
6098
0
    {
6099
0
      dns_keystore_t *ks = dns_kasp_key_keystore(kkey);
6100
0
      directory = dns_keystore_directory(ks,
6101
0
                 zone->keydirectory);
6102
6103
0
      result = dst_key_fromfile(
6104
0
        dst_key_name(pubkey), dst_key_id(pubkey),
6105
0
        dst_key_alg(pubkey),
6106
0
        (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
6107
0
         DST_TYPE_STATE),
6108
0
        directory, mctx, &foundkey);
6109
0
      if (result == ISC_R_SUCCESS) {
6110
0
        break;
6111
0
      }
6112
0
    }
6113
0
  }
6114
6115
0
  *key = foundkey;
6116
0
  return (result);
6117
0
}
6118
6119
#define is_zone_key(key) \
6120
0
  ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
6121
6122
static isc_result_t
6123
findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6124
       dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now,
6125
       isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys,
6126
0
       unsigned int *nkeys) {
6127
0
  dns_rdataset_t rdataset;
6128
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
6129
0
  isc_result_t result;
6130
0
  dst_key_t *pubkey = NULL;
6131
0
  unsigned int count = 0;
6132
6133
0
  *nkeys = 0;
6134
0
  memset(keys, 0, sizeof(*keys) * maxkeys);
6135
0
  dns_rdataset_init(&rdataset);
6136
0
  RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
6137
0
           &rdataset, NULL));
6138
0
  RETERR(dns_rdataset_first(&rdataset));
6139
0
  while (result == ISC_R_SUCCESS && count < maxkeys) {
6140
0
    pubkey = NULL;
6141
0
    dns_rdataset_current(&rdataset, &rdata);
6142
0
    RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
6143
0
    dst_key_setttl(pubkey, rdataset.ttl);
6144
6145
0
    if (!is_zone_key(pubkey) ||
6146
0
        (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
6147
0
    {
6148
0
      goto next;
6149
0
    }
6150
    /* Corrupted .key file? */
6151
0
    if (!dns_name_equal(name, dst_key_name(pubkey))) {
6152
0
      goto next;
6153
0
    }
6154
0
    keys[count] = NULL;
6155
0
    result = keyfromfile(zone, pubkey, mctx, &keys[count]);
6156
6157
    /*
6158
     * If the key was revoked and the private file
6159
     * doesn't exist, maybe it was revoked internally
6160
     * by named.  Try loading the unrevoked version.
6161
     */
6162
0
    if (result == ISC_R_FILENOTFOUND) {
6163
0
      uint32_t flags;
6164
0
      flags = dst_key_flags(pubkey);
6165
0
      if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
6166
0
        dst_key_setflags(pubkey,
6167
0
             flags & ~DNS_KEYFLAG_REVOKE);
6168
0
        result = keyfromfile(zone, pubkey, mctx,
6169
0
                 &keys[count]);
6170
0
        if (result == ISC_R_SUCCESS &&
6171
0
            dst_key_pubcompare(pubkey, keys[count],
6172
0
                   false))
6173
0
        {
6174
0
          dst_key_setflags(keys[count], flags);
6175
0
        }
6176
0
        dst_key_setflags(pubkey, flags);
6177
0
      }
6178
0
    }
6179
6180
0
    if (result != ISC_R_SUCCESS) {
6181
0
      char filename[DNS_NAME_FORMATSIZE +
6182
0
              DNS_SECALG_FORMATSIZE +
6183
0
              sizeof("key file for //65535")];
6184
0
      isc_result_t result2;
6185
0
      isc_buffer_t buf;
6186
6187
0
      isc_buffer_init(&buf, filename, sizeof(filename));
6188
0
      result2 = dst_key_getfilename(
6189
0
        dst_key_name(pubkey), dst_key_id(pubkey),
6190
0
        dst_key_alg(pubkey),
6191
0
        (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
6192
0
         DST_TYPE_STATE),
6193
0
        NULL, mctx, &buf);
6194
0
      if (result2 != ISC_R_SUCCESS) {
6195
0
        char namebuf[DNS_NAME_FORMATSIZE];
6196
0
        char algbuf[DNS_SECALG_FORMATSIZE];
6197
6198
0
        dns_name_format(dst_key_name(pubkey), namebuf,
6199
0
            sizeof(namebuf));
6200
0
        dns_secalg_format(dst_key_alg(pubkey), algbuf,
6201
0
              sizeof(algbuf));
6202
0
        snprintf(filename, sizeof(filename) - 1,
6203
0
           "key file for %s/%s/%d", namebuf,
6204
0
           algbuf, dst_key_id(pubkey));
6205
0
      }
6206
6207
0
      isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
6208
0
              DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
6209
0
              "dns_zone_findkeys: error reading %s: %s",
6210
0
              filename, isc_result_totext(result));
6211
0
    }
6212
6213
0
    if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
6214
0
      keys[count] = pubkey;
6215
0
      pubkey = NULL;
6216
0
      count++;
6217
0
      goto next;
6218
0
    }
6219
6220
0
    if (result != ISC_R_SUCCESS) {
6221
0
      goto failure;
6222
0
    }
6223
6224
    /*
6225
     * If a key is marked inactive, skip it
6226
     */
6227
0
    if (!dns_dnssec_keyactive(keys[count], now)) {
6228
0
      dst_key_setinactive(pubkey, true);
6229
0
      dst_key_free(&keys[count]);
6230
0
      keys[count] = pubkey;
6231
0
      pubkey = NULL;
6232
0
      count++;
6233
0
      goto next;
6234
0
    }
6235
6236
    /*
6237
     * Whatever the key's default TTL may have
6238
     * been, the rdataset TTL takes priority.
6239
     */
6240
0
    dst_key_setttl(keys[count], rdataset.ttl);
6241
6242
0
    if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
6243
      /* We should never get here. */
6244
0
      dst_key_free(&keys[count]);
6245
0
      goto next;
6246
0
    }
6247
0
    count++;
6248
0
  next:
6249
0
    if (pubkey != NULL) {
6250
0
      dst_key_free(&pubkey);
6251
0
    }
6252
0
    dns_rdata_reset(&rdata);
6253
0
    result = dns_rdataset_next(&rdataset);
6254
0
  }
6255
0
  if (result != ISC_R_NOMORE) {
6256
0
    goto failure;
6257
0
  }
6258
0
  if (count == 0) {
6259
0
    result = ISC_R_NOTFOUND;
6260
0
  } else {
6261
0
    result = ISC_R_SUCCESS;
6262
0
  }
6263
6264
0
failure:
6265
0
  if (dns_rdataset_isassociated(&rdataset)) {
6266
0
    dns_rdataset_disassociate(&rdataset);
6267
0
  }
6268
0
  if (pubkey != NULL) {
6269
0
    dst_key_free(&pubkey);
6270
0
  }
6271
0
  if (result != ISC_R_SUCCESS) {
6272
0
    while (count > 0) {
6273
0
      dst_key_free(&keys[--count]);
6274
0
    }
6275
0
  }
6276
0
  *nkeys = count;
6277
0
  return (result);
6278
0
}
6279
6280
/*%
6281
 * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database
6282
 * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
6283
 * Only load the public part of a given key if it is not active at timestamp
6284
 * 'now'.  Store the number of keys found in 'nkeys'.
6285
 */
6286
isc_result_t
6287
dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6288
      isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
6289
0
      dst_key_t **keys, unsigned int *nkeys) {
6290
0
  isc_result_t result;
6291
0
  dns_dbnode_t *node = NULL;
6292
6293
0
  REQUIRE(DNS_ZONE_VALID(zone));
6294
0
  REQUIRE(mctx != NULL);
6295
0
  REQUIRE(nkeys != NULL);
6296
0
  REQUIRE(keys != NULL);
6297
6298
0
  CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
6299
6300
0
  dns_zone_lock_keyfiles(zone);
6301
6302
0
  result = findzonekeys(zone, db, ver, node, dns_db_origin(db), now, mctx,
6303
0
            maxkeys, keys, nkeys);
6304
6305
0
  dns_zone_unlock_keyfiles(zone);
6306
6307
0
  if (result == ISC_R_NOTFOUND) {
6308
0
    result = ISC_R_SUCCESS;
6309
0
  }
6310
6311
0
failure:
6312
6313
0
  if (node != NULL) {
6314
0
    dns_db_detachnode(db, &node);
6315
0
  }
6316
0
  return (result);
6317
0
}
6318
6319
/*%
6320
 * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys
6321
 * into 'keys'. Requires KASP to be locked.
6322
 */
6323
isc_result_t
6324
dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6325
0
           isc_stdtime_t now, dns_dnsseckeylist_t *keys) {
6326
0
  isc_result_t result;
6327
0
  const char *dir = dns_zone_getkeydirectory(zone);
6328
0
  dns_dbnode_t *node = NULL;
6329
0
  dns_dnsseckey_t *key, *key_next;
6330
0
  dns_dnsseckeylist_t dnskeys;
6331
0
  dns_name_t *origin = dns_zone_getorigin(zone);
6332
0
  dns_kasp_t *kasp = zone->kasp;
6333
0
  dns_rdataset_t keyset;
6334
6335
0
  REQUIRE(DNS_ZONE_VALID(zone));
6336
0
  REQUIRE(kasp != NULL);
6337
6338
0
  ISC_LIST_INIT(dnskeys);
6339
6340
0
  dns_rdataset_init(&keyset);
6341
6342
0
  CHECK(dns_db_findnode(db, origin, false, &node));
6343
6344
  /* Get keys from private key files. */
6345
0
  dns_zone_lock_keyfiles(zone);
6346
0
  result = dns_dnssec_findmatchingkeys(origin, kasp, dir, zone->keystores,
6347
0
               now, dns_zone_getmctx(zone), keys);
6348
0
  dns_zone_unlock_keyfiles(zone);
6349
6350
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
6351
0
    goto failure;
6352
0
  }
6353
6354
  /* Get public keys (dnskeys). */
6355
0
  dns_rdataset_init(&keyset);
6356
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
6357
0
             dns_rdatatype_none, 0, &keyset, NULL);
6358
0
  if (result == ISC_R_SUCCESS) {
6359
0
    CHECK(dns_dnssec_keylistfromrdataset(
6360
0
      origin, kasp, dir, dns_zone_getmctx(zone), &keyset,
6361
0
      NULL, NULL, false, false, &dnskeys));
6362
0
  } else if (result != ISC_R_NOTFOUND) {
6363
0
    CHECK(result);
6364
0
  }
6365
6366
  /* Add new 'dnskeys' to 'keys'. */
6367
0
  for (dns_dnsseckey_t *k1 = ISC_LIST_HEAD(dnskeys); k1 != NULL;
6368
0
       k1 = key_next)
6369
0
  {
6370
0
    dns_dnsseckey_t *k2 = NULL;
6371
0
    key_next = ISC_LIST_NEXT(k1, link);
6372
6373
0
    for (k2 = ISC_LIST_HEAD(*keys); k2 != NULL;
6374
0
         k2 = ISC_LIST_NEXT(k2, link))
6375
0
    {
6376
0
      if (dst_key_compare(k1->key, k2->key)) {
6377
0
        break;
6378
0
      }
6379
0
    }
6380
    /* No match found, add the new key. */
6381
0
    if (k2 == NULL) {
6382
0
      ISC_LIST_UNLINK(dnskeys, k1, link);
6383
0
      ISC_LIST_APPEND(*keys, k1, link);
6384
0
    }
6385
0
  }
6386
6387
0
failure:
6388
0
  if (dns_rdataset_isassociated(&keyset)) {
6389
0
    dns_rdataset_disassociate(&keyset);
6390
0
  }
6391
0
  if (node != NULL) {
6392
0
    dns_db_detachnode(db, &node);
6393
0
  }
6394
0
  while (!ISC_LIST_EMPTY(dnskeys)) {
6395
0
    key = ISC_LIST_HEAD(dnskeys);
6396
0
    ISC_LIST_UNLINK(dnskeys, key, link);
6397
0
    dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
6398
0
  }
6399
0
  return (result);
6400
0
}
6401
6402
static isc_result_t
6403
offline(dns_db_t *db, dns_dbversion_t *ver, dns__zonediff_t *zonediff,
6404
0
  dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
6405
0
  isc_result_t result;
6406
6407
0
  if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) {
6408
0
    return (ISC_R_SUCCESS);
6409
0
  }
6410
0
  result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN,
6411
0
             name, ttl, rdata);
6412
0
  if (result != ISC_R_SUCCESS) {
6413
0
    return (result);
6414
0
  }
6415
0
  rdata->flags |= DNS_RDATA_OFFLINE;
6416
0
  result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_ADDRESIGN,
6417
0
             name, ttl, rdata);
6418
0
  zonediff->offline = true;
6419
0
  return (result);
6420
0
}
6421
6422
static void
6423
set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when,
6424
0
           isc_stdtime_t now) {
6425
0
  unsigned int delta;
6426
0
  char timebuf[80];
6427
6428
0
  LOCK_ZONE(zone);
6429
0
  zone->key_expiry = when;
6430
0
  if (when <= now) {
6431
0
    dns_zone_log(zone, ISC_LOG_ERROR,
6432
0
           "DNSKEY RRSIG(s) have expired");
6433
0
    isc_time_settoepoch(&zone->keywarntime);
6434
0
  } else if (when < now + 7 * 24 * 3600) {
6435
0
    isc_time_t t;
6436
0
    isc_time_set(&t, when, 0);
6437
0
    isc_time_formattimestamp(&t, timebuf, 80);
6438
0
    dns_zone_log(zone, ISC_LOG_WARNING,
6439
0
           "DNSKEY RRSIG(s) will expire within 7 days: %s",
6440
0
           timebuf);
6441
0
    delta = when - now;
6442
0
    delta--;      /* loop prevention */
6443
0
    delta /= 24 * 3600; /* to whole days */
6444
0
    delta *= 24 * 3600; /* to seconds */
6445
0
    isc_time_set(&zone->keywarntime, when - delta, 0);
6446
0
  } else {
6447
0
    isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
6448
0
    isc_time_formattimestamp(&zone->keywarntime, timebuf, 80);
6449
0
    dns_zone_log(zone, ISC_LOG_NOTICE, "setting keywarntime to %s",
6450
0
           timebuf);
6451
0
  }
6452
0
  UNLOCK_ZONE(zone);
6453
0
}
6454
6455
/*
6456
 * Helper function to del_sigs(). We don't want to delete RRSIGs that
6457
 * have no new key.
6458
 */
6459
static bool
6460
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
6461
0
    bool kasp, bool *warn) {
6462
0
  unsigned int i = 0;
6463
0
  isc_result_t ret;
6464
0
  bool have_ksk = false, have_zsk = false;
6465
0
  bool have_pksk = false, have_pzsk = false;
6466
6467
0
  for (i = 0; i < nkeys; i++) {
6468
0
    bool ksk, zsk;
6469
6470
0
    if (have_pksk && have_ksk && have_pzsk && have_zsk) {
6471
0
      break;
6472
0
    }
6473
6474
0
    if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) {
6475
0
      continue;
6476
0
    }
6477
6478
0
    ret = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
6479
0
    if (ret != ISC_R_SUCCESS) {
6480
0
      ksk = KSK(keys[i]);
6481
0
    }
6482
0
    ret = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk);
6483
0
    if (ret != ISC_R_SUCCESS) {
6484
0
      zsk = !KSK(keys[i]);
6485
0
    }
6486
6487
0
    if (ksk) {
6488
0
      have_ksk = true;
6489
0
      if (dst_key_isprivate(keys[i])) {
6490
0
        have_pksk = true;
6491
0
      }
6492
0
    }
6493
0
    if (zsk) {
6494
0
      have_zsk = true;
6495
0
      if (dst_key_isprivate(keys[i])) {
6496
0
        have_pzsk = true;
6497
0
      }
6498
0
    }
6499
0
  }
6500
6501
0
  if (have_zsk && have_ksk && !have_pzsk) {
6502
0
    *warn = true;
6503
0
  }
6504
6505
0
  if (have_pksk && have_pzsk) {
6506
0
    return (true);
6507
0
  }
6508
6509
  /*
6510
   * Deleting the SOA RRSIG is always okay.
6511
   */
6512
0
  if (rrsig_ptr->covered == dns_rdatatype_soa) {
6513
0
    return (true);
6514
0
  }
6515
6516
  /*
6517
   * It's okay to delete a signature if there is an active key with the
6518
   * same algorithm to replace it, unless that violates the DNSSEC
6519
   * policy.
6520
   */
6521
0
  if (have_pksk || have_pzsk) {
6522
0
    if (kasp && have_pzsk) {
6523
0
      return (true);
6524
0
    }
6525
0
    return (!kasp);
6526
0
  }
6527
6528
  /*
6529
   * Failing that, it is *not* okay to delete a signature
6530
   * if the associated public key is still in the DNSKEY RRset
6531
   */
6532
0
  for (i = 0; i < nkeys; i++) {
6533
0
    if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
6534
0
        (rrsig_ptr->keyid == dst_key_id(keys[i])))
6535
0
    {
6536
0
      return (false);
6537
0
    }
6538
0
  }
6539
6540
  /*
6541
   * But if the key is gone, then go ahead.
6542
   */
6543
0
  return (true);
6544
0
}
6545
6546
/*
6547
 * Delete expired RRsigs and any RRsigs we are about to re-sign.
6548
 * See also update.c:del_keysigs().
6549
 */
6550
static isc_result_t
6551
del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
6552
   dns_rdatatype_t type, dns__zonediff_t *zonediff, dst_key_t **keys,
6553
0
   unsigned int nkeys, isc_stdtime_t now, bool incremental) {
6554
0
  isc_result_t result;
6555
0
  dns_dbnode_t *node = NULL;
6556
0
  dns_rdataset_t rdataset;
6557
0
  unsigned int i;
6558
0
  dns_rdata_rrsig_t rrsig;
6559
0
  bool kasp = zone->kasp;
6560
0
  bool found;
6561
0
  int64_t timewarn = 0, timemaybe = 0;
6562
6563
0
  dns_rdataset_init(&rdataset);
6564
6565
0
  if (type == dns_rdatatype_nsec3) {
6566
0
    result = dns_db_findnsec3node(db, name, false, &node);
6567
0
  } else {
6568
0
    result = dns_db_findnode(db, name, false, &node);
6569
0
  }
6570
0
  if (result == ISC_R_NOTFOUND) {
6571
0
    return (ISC_R_SUCCESS);
6572
0
  }
6573
0
  if (result != ISC_R_SUCCESS) {
6574
0
    goto failure;
6575
0
  }
6576
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
6577
0
             (isc_stdtime_t)0, &rdataset, NULL);
6578
0
  dns_db_detachnode(db, &node);
6579
6580
0
  if (result == ISC_R_NOTFOUND) {
6581
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
6582
0
    return (ISC_R_SUCCESS);
6583
0
  }
6584
0
  if (result != ISC_R_SUCCESS) {
6585
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
6586
0
    goto failure;
6587
0
  }
6588
6589
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
6590
0
       result = dns_rdataset_next(&rdataset))
6591
0
  {
6592
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
6593
6594
0
    dns_rdataset_current(&rdataset, &rdata);
6595
0
    result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
6596
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
6597
6598
0
    if (!dns_rdatatype_iskeymaterial(type)) {
6599
0
      bool warn = false, deleted = false;
6600
0
      if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
6601
0
        result = update_one_rr(db, ver, zonediff->diff,
6602
0
                   DNS_DIFFOP_DELRESIGN,
6603
0
                   name, rdataset.ttl,
6604
0
                   &rdata);
6605
0
        if (result != ISC_R_SUCCESS) {
6606
0
          break;
6607
0
        }
6608
0
        deleted = true;
6609
0
      }
6610
0
      if (warn && !deleted) {
6611
        /*
6612
         * At this point, we've got an RRSIG,
6613
         * which is signed by an inactive key.
6614
         * An administrator needs to provide a new
6615
         * key/alg, but until that time, we want to
6616
         * keep the old RRSIG.  Marking the key as
6617
         * offline will prevent us spinning waiting
6618
         * for the private part.
6619
         */
6620
0
        if (incremental) {
6621
0
          result = offline(db, ver, zonediff,
6622
0
               name, rdataset.ttl,
6623
0
               &rdata);
6624
0
          if (result != ISC_R_SUCCESS) {
6625
0
            break;
6626
0
          }
6627
0
        }
6628
6629
        /*
6630
         * Log the key id and algorithm of
6631
         * the inactive key with no replacement
6632
         */
6633
0
        if (zone->log_key_expired_timer <= now) {
6634
0
          char origin[DNS_NAME_FORMATSIZE];
6635
0
          char algbuf[DNS_NAME_FORMATSIZE];
6636
0
          dns_name_format(&zone->origin, origin,
6637
0
              sizeof(origin));
6638
0
          dns_secalg_format(rrsig.algorithm,
6639
0
                algbuf,
6640
0
                sizeof(algbuf));
6641
0
          dns_zone_log(zone, ISC_LOG_WARNING,
6642
0
                 "Key %s/%s/%d "
6643
0
                 "missing or inactive "
6644
0
                 "and has no replacement: "
6645
0
                 "retaining signatures.",
6646
0
                 origin, algbuf,
6647
0
                 rrsig.keyid);
6648
0
          zone->log_key_expired_timer = now +
6649
0
                      3600;
6650
0
        }
6651
0
      }
6652
0
      continue;
6653
0
    }
6654
6655
    /*
6656
     * KSK RRSIGs requires special processing.
6657
     */
6658
0
    found = false;
6659
0
    for (i = 0; i < nkeys; i++) {
6660
0
      if (rrsig.algorithm == dst_key_alg(keys[i]) &&
6661
0
          rrsig.keyid == dst_key_id(keys[i]))
6662
0
      {
6663
0
        found = true;
6664
        /*
6665
         * Mark offline DNSKEY.
6666
         * We want the earliest offline expire time
6667
         * iff there is a new offline signature.
6668
         */
6669
0
        if (!dst_key_inactive(keys[i]) &&
6670
0
            !dst_key_isprivate(keys[i]))
6671
0
        {
6672
0
          int64_t timeexpire = dns_time64_from32(
6673
0
            rrsig.timeexpire);
6674
0
          if (timewarn != 0 &&
6675
0
              timewarn > timeexpire)
6676
0
          {
6677
0
            timewarn = timeexpire;
6678
0
          }
6679
0
          if (rdata.flags & DNS_RDATA_OFFLINE) {
6680
0
            if (timemaybe == 0 ||
6681
0
                timemaybe > timeexpire)
6682
0
            {
6683
0
              timemaybe = timeexpire;
6684
0
            }
6685
0
            break;
6686
0
          }
6687
0
          if (timewarn == 0) {
6688
0
            timewarn = timemaybe;
6689
0
          }
6690
0
          if (timewarn == 0 ||
6691
0
              timewarn > timeexpire)
6692
0
          {
6693
0
            timewarn = timeexpire;
6694
0
          }
6695
0
          result = offline(db, ver, zonediff,
6696
0
               name, rdataset.ttl,
6697
0
               &rdata);
6698
0
          break;
6699
0
        }
6700
0
        result = update_one_rr(db, ver, zonediff->diff,
6701
0
                   DNS_DIFFOP_DELRESIGN,
6702
0
                   name, rdataset.ttl,
6703
0
                   &rdata);
6704
0
        break;
6705
0
      }
6706
0
    }
6707
6708
    /*
6709
     * If there is not a matching DNSKEY then
6710
     * delete the RRSIG.
6711
     */
6712
0
    if (!found) {
6713
0
      result = update_one_rr(db, ver, zonediff->diff,
6714
0
                 DNS_DIFFOP_DELRESIGN, name,
6715
0
                 rdataset.ttl, &rdata);
6716
0
    }
6717
0
    if (result != ISC_R_SUCCESS) {
6718
0
      break;
6719
0
    }
6720
0
  }
6721
6722
0
  dns_rdataset_disassociate(&rdataset);
6723
0
  if (result == ISC_R_NOMORE) {
6724
0
    result = ISC_R_SUCCESS;
6725
0
  }
6726
0
  if (timewarn > 0) {
6727
0
    isc_stdtime_t stdwarn = (isc_stdtime_t)timewarn;
6728
0
    if (timewarn == stdwarn) {
6729
0
      set_key_expiry_warning(zone, (isc_stdtime_t)timewarn,
6730
0
                 now);
6731
0
    } else {
6732
0
      dns_zone_log(zone, ISC_LOG_ERROR,
6733
0
             "key expiry warning time out of range");
6734
0
    }
6735
0
  }
6736
0
failure:
6737
0
  if (node != NULL) {
6738
0
    dns_db_detachnode(db, &node);
6739
0
  }
6740
0
  return (result);
6741
0
}
6742
6743
static isc_result_t
6744
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
6745
   dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
6746
   unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t now,
6747
0
   isc_stdtime_t inception, isc_stdtime_t expire) {
6748
0
  isc_result_t result;
6749
0
  dns_dbnode_t *node = NULL;
6750
0
  dns_stats_t *dnssecsignstats;
6751
0
  dns_rdataset_t rdataset;
6752
0
  dns_rdata_t sig_rdata = DNS_RDATA_INIT;
6753
0
  unsigned char data[1024]; /* XXX */
6754
0
  isc_buffer_t buffer;
6755
0
  unsigned int i;
6756
0
  bool use_kasp = false;
6757
6758
0
  if (zone->kasp != NULL) {
6759
0
    use_kasp = true;
6760
0
  }
6761
6762
0
  dns_rdataset_init(&rdataset);
6763
0
  isc_buffer_init(&buffer, data, sizeof(data));
6764
6765
0
  if (type == dns_rdatatype_nsec3) {
6766
0
    result = dns_db_findnsec3node(db, name, false, &node);
6767
0
  } else {
6768
0
    result = dns_db_findnode(db, name, false, &node);
6769
0
  }
6770
0
  if (result == ISC_R_NOTFOUND) {
6771
0
    return (ISC_R_SUCCESS);
6772
0
  }
6773
0
  if (result != ISC_R_SUCCESS) {
6774
0
    goto failure;
6775
0
  }
6776
0
  result = dns_db_findrdataset(db, node, ver, type, 0, (isc_stdtime_t)0,
6777
0
             &rdataset, NULL);
6778
0
  dns_db_detachnode(db, &node);
6779
0
  if (result == ISC_R_NOTFOUND) {
6780
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
6781
0
    return (ISC_R_SUCCESS);
6782
0
  }
6783
0
  if (result != ISC_R_SUCCESS) {
6784
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
6785
0
    goto failure;
6786
0
  }
6787
6788
0
  for (i = 0; i < nkeys; i++) {
6789
    /* Don't add signatures for offline or inactive keys */
6790
0
    if (!dst_key_isprivate(keys[i])) {
6791
0
      continue;
6792
0
    }
6793
0
    if (dst_key_inactive(keys[i])) {
6794
0
      continue;
6795
0
    }
6796
6797
0
    if (use_kasp) {
6798
      /*
6799
       * A dnssec-policy is found. Check what RRsets this
6800
       * key should sign.
6801
       */
6802
0
      isc_result_t kresult;
6803
0
      isc_stdtime_t when;
6804
0
      bool ksk = false;
6805
0
      bool zsk = false;
6806
0
      bool have_zsk = false;
6807
6808
0
      kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
6809
0
      if (kresult != ISC_R_SUCCESS) {
6810
0
        if (KSK(keys[i])) {
6811
0
          ksk = true;
6812
0
        }
6813
0
      }
6814
0
      kresult = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk);
6815
0
      if (kresult != ISC_R_SUCCESS) {
6816
0
        if (!KSK(keys[i])) {
6817
0
          zsk = true;
6818
0
        }
6819
0
      }
6820
6821
      /*
6822
       * Don't consider inactive keys or offline keys.
6823
       */
6824
0
      (void)dst_key_have_ksk_and_zsk(keys, nkeys, i, true,
6825
0
                   ksk, zsk, NULL,
6826
0
                   &have_zsk);
6827
6828
0
      if (dns_rdatatype_iskeymaterial(type)) {
6829
        /*
6830
         * DNSKEY RRset is signed with KSK.
6831
         * CDS and CDNSKEY RRsets too (RFC 7344, 4.1).
6832
         */
6833
0
        if (!ksk) {
6834
0
          continue;
6835
0
        }
6836
0
      } else if (!zsk) {
6837
        /*
6838
         * Other RRsets are signed with ZSK.
6839
         */
6840
0
        if (type != dns_rdatatype_soa &&
6841
0
            type != zone->privatetype)
6842
0
        {
6843
0
          continue;
6844
0
        }
6845
0
        if (have_zsk) {
6846
0
          continue;
6847
0
        }
6848
0
      } else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
6849
0
                   now, &when))
6850
0
      {
6851
        /*
6852
         * This key is not active for zone-signing.
6853
         */
6854
0
        continue;
6855
0
      }
6856
0
    } else if (!REVOKE(keys[i])) {
6857
      /*
6858
       * Don't consider inactive keys, however the KSK may be
6859
       * temporary offline, so do consider keys which private
6860
       * key files are unavailable.
6861
       */
6862
0
      bool both = dst_key_have_ksk_and_zsk(
6863
0
        keys, nkeys, i, false, KSK(keys[i]),
6864
0
        !KSK(keys[i]), NULL, NULL);
6865
0
      if (both) {
6866
        /*
6867
         * CDS and CDNSKEY are signed with KSK (RFC
6868
         * 7344, 4.1).
6869
         */
6870
0
        if (dns_rdatatype_iskeymaterial(type)) {
6871
0
          if (!KSK(keys[i])) {
6872
0
            continue;
6873
0
          }
6874
0
        } else if (KSK(keys[i])) {
6875
0
          continue;
6876
0
        }
6877
0
      }
6878
0
    }
6879
6880
    /*
6881
     * If this key is revoked, it may only sign the DNSKEY RRset.
6882
     */
6883
0
    if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
6884
0
      continue;
6885
0
    }
6886
6887
    /* Calculate the signature, creating a RRSIG RDATA. */
6888
0
    isc_buffer_clear(&buffer);
6889
0
    CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
6890
0
              &expire, mctx, &buffer, &sig_rdata));
6891
6892
    /* Update the database and journal with the RRSIG. */
6893
    /* XXX inefficient - will cause dataset merging */
6894
0
    CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
6895
0
            rdataset.ttl, &sig_rdata));
6896
0
    dns_rdata_reset(&sig_rdata);
6897
0
    isc_buffer_init(&buffer, data, sizeof(data));
6898
6899
    /* Update DNSSEC sign statistics. */
6900
0
    dnssecsignstats = dns_zone_getdnssecsignstats(zone);
6901
0
    if (dnssecsignstats != NULL) {
6902
      /* Generated a new signature. */
6903
0
      dns_dnssecsignstats_increment(dnssecsignstats,
6904
0
                  ID(keys[i]),
6905
0
                  (uint8_t)ALG(keys[i]),
6906
0
                  dns_dnssecsignstats_sign);
6907
      /* This is a refresh. */
6908
0
      dns_dnssecsignstats_increment(
6909
0
        dnssecsignstats, ID(keys[i]),
6910
0
        (uint8_t)ALG(keys[i]),
6911
0
        dns_dnssecsignstats_refresh);
6912
0
    }
6913
0
  }
6914
6915
0
failure:
6916
0
  if (dns_rdataset_isassociated(&rdataset)) {
6917
0
    dns_rdataset_disassociate(&rdataset);
6918
0
  }
6919
0
  if (node != NULL) {
6920
0
    dns_db_detachnode(db, &node);
6921
0
  }
6922
0
  return (result);
6923
0
}
6924
6925
static void
6926
calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
6927
       isc_stdtime_t *inception, isc_stdtime_t *soaexpire,
6928
0
       isc_stdtime_t *expire, isc_stdtime_t *fullexpire) {
6929
0
  REQUIRE(inception != NULL);
6930
0
  REQUIRE(soaexpire != NULL);
6931
  /* expire and fullexpire are optional */
6932
6933
0
  isc_stdtime_t jitter = DEFAULT_JITTER;
6934
0
  isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
6935
0
  isc_stdtime_t shortjitter = 0, fulljitter = 0;
6936
6937
0
  if (zone->kasp != NULL) {
6938
0
    jitter = dns_kasp_sigjitter(zone->kasp);
6939
0
    sigvalidity = dns_kasp_sigvalidity(zone->kasp);
6940
0
    INSIST(jitter <= sigvalidity);
6941
0
  }
6942
6943
0
  if (jitter > sigvalidity) {
6944
0
    jitter = sigvalidity;
6945
0
  }
6946
6947
0
  *inception = now - 3600; /* Allow for clock skew. */
6948
0
  *soaexpire = now + sigvalidity;
6949
6950
  /*
6951
   * Spread out signatures over time if they happen to be
6952
   * clumped.  We don't do this for each add_sigs() call as
6953
   * we still want some clustering to occur.  In normal operations
6954
   * the records should be re-signed as they fall due and they should
6955
   * already be spread out.  However if the server is off for a
6956
   * period we need to ensure that the clusters don't become
6957
   * synchronised by using the full jitter range.
6958
   */
6959
0
  if (sigvalidity >= 3600U) {
6960
0
    if (sigvalidity > 7200U) {
6961
0
      shortjitter = isc_random_uniform(3600);
6962
0
      fulljitter = isc_random_uniform(jitter);
6963
0
    } else {
6964
0
      shortjitter = fulljitter = isc_random_uniform(1200);
6965
0
    }
6966
0
  }
6967
6968
0
  SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1);
6969
0
  SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1);
6970
0
}
6971
6972
static void
6973
0
zone_resigninc(dns_zone_t *zone) {
6974
0
  dns_db_t *db = NULL;
6975
0
  dns_dbversion_t *version = NULL;
6976
0
  dns_diff_t _sig_diff;
6977
0
  dns__zonediff_t zonediff;
6978
0
  dns_fixedname_t fixed;
6979
0
  dns_name_t *name;
6980
0
  dns_typepair_t typepair;
6981
0
  dst_key_t *zone_keys[DNS_MAXZONEKEYS];
6982
0
  isc_result_t result;
6983
0
  isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
6984
0
  unsigned int i;
6985
0
  unsigned int nkeys = 0;
6986
0
  isc_stdtime_t resign;
6987
6988
0
  ENTER;
6989
6990
0
  dns_diff_init(zone->mctx, &_sig_diff);
6991
0
  zonediff_init(&zonediff, &_sig_diff);
6992
6993
  /*
6994
   * Zone is frozen. Pause for 5 minutes.
6995
   */
6996
0
  if (zone->update_disabled) {
6997
0
    result = ISC_R_FAILURE;
6998
0
    goto failure;
6999
0
  }
7000
7001
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
7002
0
  if (zone->db != NULL) {
7003
0
    dns_db_attach(zone->db, &db);
7004
0
  }
7005
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
7006
0
  if (db == NULL) {
7007
0
    result = ISC_R_FAILURE;
7008
0
    goto failure;
7009
0
  }
7010
7011
0
  result = dns_db_newversion(db, &version);
7012
0
  if (result != ISC_R_SUCCESS) {
7013
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7014
0
           "zone_resigninc:dns_db_newversion -> %s",
7015
0
           isc_result_totext(result));
7016
0
    goto failure;
7017
0
  }
7018
7019
0
  now = isc_stdtime_now();
7020
7021
0
  result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
7022
0
           DNS_MAXZONEKEYS, zone_keys, &nkeys);
7023
0
  if (result != ISC_R_SUCCESS) {
7024
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7025
0
           "zone_resigninc:dns_zone_findkeys -> %s",
7026
0
           isc_result_totext(result));
7027
0
    goto failure;
7028
0
  }
7029
7030
0
  calculate_rrsig_validity(zone, now, &inception, &soaexpire, &expire,
7031
0
         &fullexpire);
7032
7033
0
  stop = now + 5;
7034
7035
0
  name = dns_fixedname_initname(&fixed);
7036
0
  result = dns_db_getsigningtime(db, &resign, name, &typepair);
7037
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
7038
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7039
0
           "zone_resigninc:dns_db_getsigningtime -> %s",
7040
0
           isc_result_totext(result));
7041
0
  }
7042
7043
0
  i = 0;
7044
0
  while (result == ISC_R_SUCCESS) {
7045
0
    dns_rdatatype_t covers = DNS_TYPEPAIR_COVERS(typepair);
7046
7047
0
    resign -= dns_zone_getsigresigninginterval(zone);
7048
7049
    /*
7050
     * Stop if we hit the SOA as that means we have walked the
7051
     * entire zone.  The SOA record should always be the most
7052
     * recent signature.
7053
     */
7054
    /* XXXMPA increase number of RRsets signed pre call */
7055
0
    if ((covers == dns_rdatatype_soa &&
7056
0
         dns_name_equal(name, &zone->origin)) ||
7057
0
        i++ > zone->signatures || resign > stop)
7058
0
    {
7059
0
      break;
7060
0
    }
7061
7062
0
    result = del_sigs(zone, db, version, name, covers, &zonediff,
7063
0
          zone_keys, nkeys, now, true);
7064
0
    if (result != ISC_R_SUCCESS) {
7065
0
      dns_zone_log(zone, ISC_LOG_ERROR,
7066
0
             "zone_resigninc:del_sigs -> %s",
7067
0
             isc_result_totext(result));
7068
0
      break;
7069
0
    }
7070
7071
    /*
7072
     * If re-signing is over 5 minutes late use 'fullexpire'
7073
     * to redistribute the signature over the complete
7074
     * re-signing window, otherwise only add a small amount
7075
     * of jitter.
7076
     */
7077
0
    result = add_sigs(db, version, name, zone, covers,
7078
0
          zonediff.diff, zone_keys, nkeys, zone->mctx,
7079
0
          now, inception,
7080
0
          resign > (now - 300) ? expire : fullexpire);
7081
0
    if (result != ISC_R_SUCCESS) {
7082
0
      dns_zone_log(zone, ISC_LOG_ERROR,
7083
0
             "zone_resigninc:add_sigs -> %s",
7084
0
             isc_result_totext(result));
7085
0
      break;
7086
0
    }
7087
0
    result = dns_db_getsigningtime(db, &resign, name, &typepair);
7088
0
    if (nkeys == 0 && result == ISC_R_NOTFOUND) {
7089
0
      result = ISC_R_SUCCESS;
7090
0
      break;
7091
0
    }
7092
0
    if (result != ISC_R_SUCCESS) {
7093
0
      dns_zone_log(zone, ISC_LOG_ERROR,
7094
0
             "zone_resigninc:dns_db_getsigningtime -> "
7095
0
             "%s",
7096
0
             isc_result_totext(result));
7097
0
    }
7098
0
  }
7099
7100
0
  if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS) {
7101
0
    goto failure;
7102
0
  }
7103
7104
0
  result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
7105
0
        &zonediff, zone_keys, nkeys, now, true);
7106
0
  if (result != ISC_R_SUCCESS) {
7107
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7108
0
           "zone_resigninc:del_sigs -> %s",
7109
0
           isc_result_totext(result));
7110
0
    goto failure;
7111
0
  }
7112
7113
  /*
7114
   * Did we change anything in the zone?
7115
   */
7116
0
  if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
7117
    /*
7118
     * Commit the changes if any key has been marked as offline.
7119
     */
7120
0
    if (zonediff.offline) {
7121
0
      dns_db_closeversion(db, &version, true);
7122
0
    }
7123
0
    goto failure;
7124
0
  }
7125
7126
  /* Increment SOA serial if we have made changes */
7127
0
  result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
7128
0
           zone->updatemethod);
7129
0
  if (result != ISC_R_SUCCESS) {
7130
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7131
0
           "zone_resigninc:update_soa_serial -> %s",
7132
0
           isc_result_totext(result));
7133
0
    goto failure;
7134
0
  }
7135
7136
  /*
7137
   * Generate maximum life time signatures so that the above loop
7138
   * termination is sensible.
7139
   */
7140
0
  result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
7141
0
        zonediff.diff, zone_keys, nkeys, zone->mctx, now,
7142
0
        inception, soaexpire);
7143
0
  if (result != ISC_R_SUCCESS) {
7144
0
    dns_zone_log(zone, ISC_LOG_ERROR,
7145
0
           "zone_resigninc:add_sigs -> %s",
7146
0
           isc_result_totext(result));
7147
0
    goto failure;
7148
0
  }
7149
7150
  /* Write changes to journal file. */
7151
0
  CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc"));
7152
7153
  /* Everything has succeeded. Commit the changes. */
7154
0
  dns_db_closeversion(db, &version, true);
7155
7156
0
failure:
7157
0
  dns_diff_clear(&_sig_diff);
7158
0
  for (i = 0; i < nkeys; i++) {
7159
0
    dst_key_free(&zone_keys[i]);
7160
0
  }
7161
0
  if (version != NULL) {
7162
0
    dns_db_closeversion(db, &version, false);
7163
0
    dns_db_detach(&db);
7164
0
  } else if (db != NULL) {
7165
0
    dns_db_detach(&db);
7166
0
  }
7167
7168
0
  LOCK_ZONE(zone);
7169
0
  if (result == ISC_R_SUCCESS) {
7170
0
    set_resigntime(zone);
7171
0
    zone_needdump(zone, DNS_DUMP_DELAY);
7172
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
7173
0
  } else {
7174
    /*
7175
     * Something failed.  Retry in 5 minutes.
7176
     */
7177
0
    isc_interval_t ival;
7178
0
    isc_interval_set(&ival, 300, 0);
7179
0
    isc_time_nowplusinterval(&zone->resigntime, &ival);
7180
0
  }
7181
0
  UNLOCK_ZONE(zone);
7182
7183
0
  INSIST(version == NULL);
7184
0
}
7185
7186
static isc_result_t
7187
next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
7188
0
      dns_name_t *newname, bool bottom) {
7189
0
  isc_result_t result;
7190
0
  dns_dbiterator_t *dbit = NULL;
7191
0
  dns_rdatasetiter_t *rdsit = NULL;
7192
0
  dns_dbnode_t *node = NULL;
7193
7194
0
  CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
7195
0
  CHECK(dns_dbiterator_seek(dbit, oldname));
7196
0
  do {
7197
0
    result = dns_dbiterator_next(dbit);
7198
0
    if (result == ISC_R_NOMORE) {
7199
0
      CHECK(dns_dbiterator_first(dbit));
7200
0
    }
7201
0
    CHECK(dns_dbiterator_current(dbit, &node, newname));
7202
0
    if (bottom && dns_name_issubdomain(newname, oldname) &&
7203
0
        !dns_name_equal(newname, oldname))
7204
0
    {
7205
0
      dns_db_detachnode(db, &node);
7206
0
      continue;
7207
0
    }
7208
    /*
7209
     * Is this node empty?
7210
     */
7211
0
    CHECK(dns_db_allrdatasets(db, node, version, 0, 0, &rdsit));
7212
0
    result = dns_rdatasetiter_first(rdsit);
7213
0
    dns_db_detachnode(db, &node);
7214
0
    dns_rdatasetiter_destroy(&rdsit);
7215
0
    if (result != ISC_R_NOMORE) {
7216
0
      break;
7217
0
    }
7218
0
  } while (1);
7219
0
failure:
7220
0
  if (node != NULL) {
7221
0
    dns_db_detachnode(db, &node);
7222
0
  }
7223
0
  if (dbit != NULL) {
7224
0
    dns_dbiterator_destroy(&dbit);
7225
0
  }
7226
0
  return (result);
7227
0
}
7228
7229
static bool
7230
signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
7231
         dns_dbversion_t *version, dns_rdatatype_t type,
7232
0
         dst_key_t *key) {
7233
0
  isc_result_t result;
7234
0
  dns_rdataset_t rdataset;
7235
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7236
0
  dns_rdata_rrsig_t rrsig;
7237
0
  int count = 0;
7238
0
  dns_kasp_t *kasp = zone->kasp;
7239
7240
0
  dns_rdataset_init(&rdataset);
7241
0
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
7242
0
             type, 0, &rdataset, NULL);
7243
0
  if (result != ISC_R_SUCCESS) {
7244
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
7245
0
    return (false);
7246
0
  }
7247
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7248
0
       result = dns_rdataset_next(&rdataset))
7249
0
  {
7250
0
    dns_rdataset_current(&rdataset, &rdata);
7251
0
    result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
7252
0
    INSIST(result == ISC_R_SUCCESS);
7253
0
    if (rrsig.algorithm == dst_key_alg(key) &&
7254
0
        rrsig.keyid == dst_key_id(key))
7255
0
    {
7256
0
      dns_rdataset_disassociate(&rdataset);
7257
0
      return (true);
7258
0
    }
7259
0
    if (rrsig.algorithm == dst_key_alg(key)) {
7260
0
      count++;
7261
0
    }
7262
0
    dns_rdata_reset(&rdata);
7263
0
  }
7264
7265
0
  if (zone->kasp != NULL) {
7266
0
    dns_kasp_key_t *kkey;
7267
0
    int zsk_count = 0;
7268
0
    bool approved;
7269
7270
0
    KASP_LOCK(kasp);
7271
0
    for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
7272
0
         kkey = ISC_LIST_NEXT(kkey, link))
7273
0
    {
7274
0
      if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) {
7275
0
        continue;
7276
0
      }
7277
0
      if (dns_kasp_key_zsk(kkey)) {
7278
0
        zsk_count++;
7279
0
      }
7280
0
    }
7281
0
    KASP_UNLOCK(kasp);
7282
7283
0
    if (dns_rdatatype_iskeymaterial(type)) {
7284
      /*
7285
       * CDS and CDNSKEY are signed with KSK like DNSKEY.
7286
       * (RFC 7344, section 4.1 specifies that they must
7287
       * be signed with a key in the current DS RRset,
7288
       * which would only include KSK's.)
7289
       */
7290
0
      approved = false;
7291
0
    } else {
7292
0
      approved = (zsk_count == count);
7293
0
    }
7294
7295
0
    dns_rdataset_disassociate(&rdataset);
7296
0
    return (approved);
7297
0
  }
7298
7299
0
  dns_rdataset_disassociate(&rdataset);
7300
0
  return (false);
7301
0
}
7302
7303
static isc_result_t
7304
add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
7305
0
   dns_dbnode_t *node, dns_ttl_t ttl, bool bottom, dns_diff_t *diff) {
7306
0
  dns_fixedname_t fixed;
7307
0
  dns_name_t *next;
7308
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7309
0
  isc_result_t result;
7310
0
  unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
7311
7312
0
  next = dns_fixedname_initname(&fixed);
7313
7314
0
  CHECK(next_active(db, version, name, next, bottom));
7315
0
  CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer, &rdata));
7316
0
  CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
7317
0
          &rdata));
7318
0
failure:
7319
0
  return (result);
7320
0
}
7321
7322
static isc_result_t
7323
check_if_bottom_of_zone(dns_db_t *db, dns_dbnode_t *node,
7324
0
      dns_dbversion_t *version, bool *is_bottom_of_zone) {
7325
0
  isc_result_t result;
7326
0
  dns_rdatasetiter_t *iterator = NULL;
7327
0
  dns_rdataset_t rdataset;
7328
0
  bool seen_soa = false, seen_ns = false, seen_dname = false;
7329
7330
0
  REQUIRE(is_bottom_of_zone != NULL);
7331
7332
0
  result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
7333
0
  if (result != ISC_R_SUCCESS) {
7334
0
    if (result == ISC_R_NOTFOUND) {
7335
0
      result = ISC_R_SUCCESS;
7336
0
    }
7337
0
    return (result);
7338
0
  }
7339
7340
0
  dns_rdataset_init(&rdataset);
7341
0
  for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
7342
0
       result = dns_rdatasetiter_next(iterator))
7343
0
  {
7344
0
    dns_rdatasetiter_current(iterator, &rdataset);
7345
0
    switch (rdataset.type) {
7346
0
    case dns_rdatatype_soa:
7347
0
      seen_soa = true;
7348
0
      break;
7349
0
    case dns_rdatatype_ns:
7350
0
      seen_ns = true;
7351
0
      break;
7352
0
    case dns_rdatatype_dname:
7353
0
      seen_dname = true;
7354
0
      break;
7355
0
    }
7356
0
    dns_rdataset_disassociate(&rdataset);
7357
0
  }
7358
0
  if (result != ISC_R_NOMORE) {
7359
0
    goto failure;
7360
0
  }
7361
0
  if ((seen_ns && !seen_soa) || seen_dname) {
7362
0
    *is_bottom_of_zone = true;
7363
0
  }
7364
0
  result = ISC_R_SUCCESS;
7365
7366
0
failure:
7367
0
  dns_rdatasetiter_destroy(&iterator);
7368
7369
0
  return (result);
7370
0
}
7371
7372
static isc_result_t
7373
sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
7374
      dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3,
7375
      bool build_nsec, dst_key_t *key, isc_stdtime_t now,
7376
      isc_stdtime_t inception, isc_stdtime_t expire, dns_ttl_t nsecttl,
7377
      bool both, bool is_ksk, bool is_zsk, bool is_bottom_of_zone,
7378
0
      dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx) {
7379
0
  isc_result_t result;
7380
0
  dns_rdatasetiter_t *iterator = NULL;
7381
0
  dns_rdataset_t rdataset;
7382
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7383
0
  dns_stats_t *dnssecsignstats;
7384
7385
0
  isc_buffer_t buffer;
7386
0
  unsigned char data[1024];
7387
0
  bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds;
7388
7389
0
  result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
7390
0
  if (result != ISC_R_SUCCESS) {
7391
0
    if (result == ISC_R_NOTFOUND) {
7392
0
      result = ISC_R_SUCCESS;
7393
0
    }
7394
0
    return (result);
7395
0
  }
7396
7397
0
  dns_rdataset_init(&rdataset);
7398
0
  isc_buffer_init(&buffer, data, sizeof(data));
7399
0
  seen_rr = seen_soa = seen_ns = seen_nsec = seen_nsec3 = seen_ds = false;
7400
0
  for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
7401
0
       result = dns_rdatasetiter_next(iterator))
7402
0
  {
7403
0
    dns_rdatasetiter_current(iterator, &rdataset);
7404
0
    if (rdataset.type == dns_rdatatype_soa) {
7405
0
      seen_soa = true;
7406
0
    } else if (rdataset.type == dns_rdatatype_ns) {
7407
0
      seen_ns = true;
7408
0
    } else if (rdataset.type == dns_rdatatype_ds) {
7409
0
      seen_ds = true;
7410
0
    } else if (rdataset.type == dns_rdatatype_nsec) {
7411
0
      seen_nsec = true;
7412
0
    } else if (rdataset.type == dns_rdatatype_nsec3) {
7413
0
      seen_nsec3 = true;
7414
0
    }
7415
0
    if (rdataset.type != dns_rdatatype_rrsig) {
7416
0
      seen_rr = true;
7417
0
    }
7418
0
    dns_rdataset_disassociate(&rdataset);
7419
0
  }
7420
0
  if (result != ISC_R_NOMORE) {
7421
0
    goto failure;
7422
0
  }
7423
  /*
7424
   * Going from insecure to NSEC3.
7425
   * Don't generate NSEC3 records for NSEC3 records.
7426
   */
7427
0
  if (build_nsec3 && !seen_nsec3 && seen_rr) {
7428
0
    bool unsecure = !seen_ds && seen_ns && !seen_soa;
7429
0
    CHECK(dns_nsec3_addnsec3s(db, version, name, nsecttl, unsecure,
7430
0
            diff));
7431
0
    (*signatures)--;
7432
0
  }
7433
  /*
7434
   * Going from insecure to NSEC.
7435
   * Don't generate NSEC records for NSEC3 records.
7436
   */
7437
0
  if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
7438
    /*
7439
     * Build a NSEC record except at the origin.
7440
     */
7441
0
    if (!dns_name_equal(name, dns_db_origin(db))) {
7442
0
      CHECK(add_nsec(db, version, name, node, nsecttl,
7443
0
               is_bottom_of_zone, diff));
7444
      /* Count a NSEC generation as a signature generation. */
7445
0
      (*signatures)--;
7446
0
    }
7447
0
  }
7448
0
  result = dns_rdatasetiter_first(iterator);
7449
0
  while (result == ISC_R_SUCCESS) {
7450
0
    isc_stdtime_t when;
7451
7452
0
    dns_rdatasetiter_current(iterator, &rdataset);
7453
0
    if (rdataset.type == dns_rdatatype_soa ||
7454
0
        rdataset.type == dns_rdatatype_rrsig)
7455
0
    {
7456
0
      goto next_rdataset;
7457
0
    }
7458
0
    if (dns_rdatatype_iskeymaterial(rdataset.type)) {
7459
      /*
7460
       * CDS and CDNSKEY are signed with KSK like DNSKEY.
7461
       * (RFC 7344, section 4.1 specifies that they must
7462
       * be signed with a key in the current DS RRset,
7463
       * which would only include KSK's.)
7464
       */
7465
0
      if (!is_ksk && both) {
7466
0
        goto next_rdataset;
7467
0
      }
7468
0
    } else if (!is_zsk && both) {
7469
0
      goto next_rdataset;
7470
0
    } else if (is_zsk &&
7471
0
         !dst_key_is_signing(key, DST_BOOL_ZSK, now, &when))
7472
0
    {
7473
      /* Only applies to dnssec-policy. */
7474
0
      if (zone->kasp != NULL) {
7475
0
        goto next_rdataset;
7476
0
      }
7477
0
    }
7478
7479
0
    if (seen_ns && !seen_soa && rdataset.type != dns_rdatatype_ds &&
7480
0
        rdataset.type != dns_rdatatype_nsec)
7481
0
    {
7482
0
      goto next_rdataset;
7483
0
    }
7484
0
    if (signed_with_good_key(zone, db, node, version, rdataset.type,
7485
0
           key))
7486
0
    {
7487
0
      goto next_rdataset;
7488
0
    }
7489
7490
    /* Calculate the signature, creating a RRSIG RDATA. */
7491
0
    isc_buffer_clear(&buffer);
7492
0
    CHECK(dns_dnssec_sign(name, &rdataset, key, &inception, &expire,
7493
0
              mctx, &buffer, &rdata));
7494
    /* Update the database and journal with the RRSIG. */
7495
    /* XXX inefficient - will cause dataset merging */
7496
0
    CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
7497
0
            name, rdataset.ttl, &rdata));
7498
0
    dns_rdata_reset(&rdata);
7499
7500
    /* Update DNSSEC sign statistics. */
7501
0
    dnssecsignstats = dns_zone_getdnssecsignstats(zone);
7502
0
    if (dnssecsignstats != NULL) {
7503
      /* Generated a new signature. */
7504
0
      dns_dnssecsignstats_increment(dnssecsignstats, ID(key),
7505
0
                  ALG(key),
7506
0
                  dns_dnssecsignstats_sign);
7507
      /* This is a refresh. */
7508
0
      dns_dnssecsignstats_increment(
7509
0
        dnssecsignstats, ID(key), ALG(key),
7510
0
        dns_dnssecsignstats_refresh);
7511
0
    }
7512
7513
0
    (*signatures)--;
7514
0
  next_rdataset:
7515
0
    dns_rdataset_disassociate(&rdataset);
7516
0
    result = dns_rdatasetiter_next(iterator);
7517
0
  }
7518
0
  if (result == ISC_R_NOMORE) {
7519
0
    result = ISC_R_SUCCESS;
7520
0
  }
7521
0
failure:
7522
0
  if (dns_rdataset_isassociated(&rdataset)) {
7523
0
    dns_rdataset_disassociate(&rdataset);
7524
0
  }
7525
0
  if (iterator != NULL) {
7526
0
    dns_rdatasetiter_destroy(&iterator);
7527
0
  }
7528
0
  return (result);
7529
0
}
7530
7531
/*
7532
 * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
7533
 */
7534
static isc_result_t
7535
updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
7536
0
       dns_ttl_t nsecttl, bool update_only, dns_diff_t *diff) {
7537
0
  isc_result_t result;
7538
0
  dns_rdataset_t rdataset;
7539
0
  dns_dbnode_t *node = NULL;
7540
7541
0
  CHECK(dns_db_getoriginnode(db, &node));
7542
0
  if (update_only) {
7543
0
    dns_rdataset_init(&rdataset);
7544
0
    result = dns_db_findrdataset(
7545
0
      db, node, version, dns_rdatatype_nsec,
7546
0
      dns_rdatatype_none, 0, &rdataset, NULL);
7547
0
    if (dns_rdataset_isassociated(&rdataset)) {
7548
0
      dns_rdataset_disassociate(&rdataset);
7549
0
    }
7550
0
    if (result == ISC_R_NOTFOUND) {
7551
0
      goto success;
7552
0
    }
7553
0
    if (result != ISC_R_SUCCESS) {
7554
0
      goto failure;
7555
0
    }
7556
0
  }
7557
0
  CHECK(delete_nsec(db, version, node, name, diff));
7558
0
  CHECK(add_nsec(db, version, name, node, nsecttl, false, diff));
7559
0
success:
7560
0
  result = ISC_R_SUCCESS;
7561
0
failure:
7562
0
  if (node != NULL) {
7563
0
    dns_db_detachnode(db, &node);
7564
0
  }
7565
0
  return (result);
7566
0
}
7567
7568
static isc_result_t
7569
updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
7570
      dns_dbversion_t *version, bool build_nsec3, dns_ttl_t nsecttl,
7571
0
      dns_diff_t *diff) {
7572
0
  isc_result_t result;
7573
0
  dns_dbnode_t *node = NULL;
7574
0
  dns_rdataset_t rdataset;
7575
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7576
0
  unsigned char data[5];
7577
0
  bool seen_done = false;
7578
0
  bool have_rr = false;
7579
7580
0
  dns_rdataset_init(&rdataset);
7581
0
  result = dns_db_getoriginnode(signing->db, &node);
7582
0
  if (result != ISC_R_SUCCESS) {
7583
0
    goto failure;
7584
0
  }
7585
7586
0
  result = dns_db_findrdataset(signing->db, node, version,
7587
0
             zone->privatetype, dns_rdatatype_none, 0,
7588
0
             &rdataset, NULL);
7589
0
  if (result == ISC_R_NOTFOUND) {
7590
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
7591
0
    result = ISC_R_SUCCESS;
7592
0
    goto failure;
7593
0
  }
7594
0
  if (result != ISC_R_SUCCESS) {
7595
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
7596
0
    goto failure;
7597
0
  }
7598
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7599
0
       result = dns_rdataset_next(&rdataset))
7600
0
  {
7601
0
    dns_rdataset_current(&rdataset, &rdata);
7602
    /*
7603
     * If we don't match the algorithm or keyid skip the record.
7604
     */
7605
0
    if (rdata.length != 5 || rdata.data[0] != signing->algorithm ||
7606
0
        rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
7607
0
        rdata.data[2] != (signing->keyid & 0xff))
7608
0
    {
7609
0
      have_rr = true;
7610
0
      dns_rdata_reset(&rdata);
7611
0
      continue;
7612
0
    }
7613
    /*
7614
     * We have a match.  If we were signing (!signing->deleteit)
7615
     * and we already have a record indicating that we have
7616
     * finished signing (rdata.data[4] != 0) then keep it.
7617
     * Otherwise it needs to be deleted as we have removed all
7618
     * the signatures (signing->deleteit), so any record indicating
7619
     * completion is now out of date, or we have finished signing
7620
     * with the new record so we no longer need to remember that
7621
     * we need to sign the zone with the matching key across a
7622
     * nameserver re-start.
7623
     */
7624
0
    if (!signing->deleteit && rdata.data[4] != 0) {
7625
0
      seen_done = true;
7626
0
      have_rr = true;
7627
0
    } else {
7628
0
      CHECK(update_one_rr(signing->db, version, diff,
7629
0
              DNS_DIFFOP_DEL, &zone->origin,
7630
0
              rdataset.ttl, &rdata));
7631
0
    }
7632
0
    dns_rdata_reset(&rdata);
7633
0
  }
7634
0
  if (result == ISC_R_NOMORE) {
7635
0
    result = ISC_R_SUCCESS;
7636
0
  }
7637
0
  if (!signing->deleteit && !seen_done) {
7638
    /*
7639
     * If we were signing then we need to indicate that we have
7640
     * finished signing the zone with this key.  If it is already
7641
     * there we don't need to add it a second time.
7642
     */
7643
0
    data[0] = signing->algorithm;
7644
0
    data[1] = (signing->keyid >> 8) & 0xff;
7645
0
    data[2] = signing->keyid & 0xff;
7646
0
    data[3] = 0;
7647
0
    data[4] = 1;
7648
0
    rdata.length = sizeof(data);
7649
0
    rdata.data = data;
7650
0
    rdata.type = zone->privatetype;
7651
0
    rdata.rdclass = dns_db_class(signing->db);
7652
0
    CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
7653
0
            &zone->origin, rdataset.ttl, &rdata));
7654
0
  } else if (!have_rr) {
7655
0
    dns_name_t *origin = dns_db_origin(signing->db);
7656
    /*
7657
     * Rebuild the NSEC/NSEC3 record for the origin as we no
7658
     * longer have any private records.
7659
     */
7660
0
    if (build_nsec3) {
7661
0
      CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
7662
0
              nsecttl, false, diff));
7663
0
    }
7664
0
    CHECK(updatesecure(signing->db, version, origin, nsecttl, true,
7665
0
           diff));
7666
0
  }
7667
7668
0
failure:
7669
0
  if (dns_rdataset_isassociated(&rdataset)) {
7670
0
    dns_rdataset_disassociate(&rdataset);
7671
0
  }
7672
0
  if (node != NULL) {
7673
0
    dns_db_detachnode(signing->db, &node);
7674
0
  }
7675
0
  return (result);
7676
0
}
7677
7678
/*
7679
 * Called from zone_nsec3chain() in order to update zone records indicating
7680
 * processing status of given NSEC3 chain:
7681
 *
7682
 *   - If the supplied dns_nsec3chain_t structure has been fully processed
7683
 *     (which is indicated by "active" being set to false):
7684
 *
7685
 *       - remove all NSEC3PARAM records matching the relevant NSEC3 chain,
7686
 *
7687
 *       - remove all private-type records containing NSEC3PARAM RDATA matching
7688
 *         the relevant NSEC3 chain.
7689
 *
7690
 *   - If the supplied dns_nsec3chain_t structure has not been fully processed
7691
 *     (which is indicated by "active" being set to true), only remove the
7692
 *     NSEC3PARAM record which matches the relevant NSEC3 chain and has the
7693
 *     "flags" field set to 0.
7694
 *
7695
 *   - If given NSEC3 chain is being added, add an NSEC3PARAM record contained
7696
 *     in the relevant private-type record, but with the "flags" field set to
7697
 *     0, indicating that this NSEC3 chain is now complete for this zone.
7698
 *
7699
 * Note that this function is called at different processing stages for NSEC3
7700
 * chain additions vs. removals and needs to handle all cases properly.
7701
 */
7702
static isc_result_t
7703
fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
7704
0
     bool active, dns_rdatatype_t privatetype, dns_diff_t *diff) {
7705
0
  dns_dbnode_t *node = NULL;
7706
0
  dns_name_t *name = dns_db_origin(db);
7707
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7708
0
  dns_rdataset_t rdataset;
7709
0
  dns_rdata_nsec3param_t nsec3param;
7710
0
  dns_rdata_soa_t soa;
7711
0
  isc_result_t result;
7712
0
  isc_buffer_t buffer;
7713
0
  unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
7714
0
  dns_ttl_t ttl = 0;
7715
0
  bool nseconly = false, nsec3ok = false;
7716
7717
0
  dns_rdataset_init(&rdataset);
7718
7719
0
  result = dns_db_getoriginnode(db, &node);
7720
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
7721
7722
  /* Default TTL is SOA MINIMUM */
7723
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
7724
0
             &rdataset, NULL);
7725
0
  if (result == ISC_R_SUCCESS) {
7726
0
    CHECK(dns_rdataset_first(&rdataset));
7727
0
    dns_rdataset_current(&rdataset, &rdata);
7728
0
    CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
7729
0
    ttl = soa.minimum;
7730
0
    dns_rdata_reset(&rdata);
7731
0
  }
7732
0
  if (dns_rdataset_isassociated(&rdataset)) {
7733
0
    dns_rdataset_disassociate(&rdataset);
7734
0
  }
7735
7736
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
7737
0
             0, &rdataset, NULL);
7738
0
  if (result == ISC_R_NOTFOUND) {
7739
0
    goto try_private;
7740
0
  }
7741
0
  if (result != ISC_R_SUCCESS) {
7742
0
    goto failure;
7743
0
  }
7744
7745
  /*
7746
   * Delete all NSEC3PARAM records which match that in nsec3chain.
7747
   */
7748
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7749
0
       result = dns_rdataset_next(&rdataset))
7750
0
  {
7751
0
    dns_rdataset_current(&rdataset, &rdata);
7752
0
    CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
7753
7754
0
    if (nsec3param.hash != chain->nsec3param.hash ||
7755
0
        (active && nsec3param.flags != 0) ||
7756
0
        nsec3param.iterations != chain->nsec3param.iterations ||
7757
0
        nsec3param.salt_length != chain->nsec3param.salt_length ||
7758
0
        memcmp(nsec3param.salt, chain->nsec3param.salt,
7759
0
         nsec3param.salt_length))
7760
0
    {
7761
      /*
7762
       * If the SOA minimum is different to the current TTL,
7763
       * delete the record.  We will re-add it with the new
7764
       * TTL below.
7765
       */
7766
0
      if (rdataset.ttl != ttl) {
7767
0
        CHECK(update_one_rr(db, ver, diff,
7768
0
                DNS_DIFFOP_DEL, name,
7769
0
                rdataset.ttl, &rdata));
7770
0
      }
7771
0
      dns_rdata_reset(&rdata);
7772
0
      continue;
7773
0
    }
7774
7775
0
    CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
7776
0
            rdataset.ttl, &rdata));
7777
0
    dns_rdata_reset(&rdata);
7778
0
  }
7779
0
  if (result != ISC_R_NOMORE) {
7780
0
    goto failure;
7781
0
  }
7782
7783
  /*
7784
   * Restore any NSEC3PARAM records that we deleted to change the TTL.
7785
   */
7786
0
  if (rdataset.ttl != ttl) {
7787
0
    for (result = dns_rdataset_first(&rdataset);
7788
0
         result == ISC_R_SUCCESS;
7789
0
         result = dns_rdataset_next(&rdataset))
7790
0
    {
7791
0
      dns_rdataset_current(&rdataset, &rdata);
7792
0
      CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
7793
7794
0
      if (nsec3param.hash != chain->nsec3param.hash ||
7795
0
          (active && nsec3param.flags != 0) ||
7796
0
          nsec3param.iterations !=
7797
0
            chain->nsec3param.iterations ||
7798
0
          nsec3param.salt_length !=
7799
0
            chain->nsec3param.salt_length ||
7800
0
          memcmp(nsec3param.salt, chain->nsec3param.salt,
7801
0
           nsec3param.salt_length))
7802
0
      {
7803
0
        CHECK(update_one_rr(db, ver, diff,
7804
0
                DNS_DIFFOP_ADD, name, ttl,
7805
0
                &rdata));
7806
0
      }
7807
0
      dns_rdata_reset(&rdata);
7808
0
    }
7809
0
  }
7810
7811
0
  dns_rdataset_disassociate(&rdataset);
7812
7813
0
try_private:
7814
7815
0
  if (active) {
7816
0
    goto add;
7817
0
  }
7818
7819
0
  result = dns_nsec_nseconly(db, ver, diff, &nseconly);
7820
0
  nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
7821
7822
  /*
7823
   * Delete all private records which match that in nsec3chain.
7824
   */
7825
0
  result = dns_db_findrdataset(db, node, ver, privatetype, 0, 0,
7826
0
             &rdataset, NULL);
7827
0
  if (result == ISC_R_NOTFOUND) {
7828
0
    goto add;
7829
0
  }
7830
0
  if (result != ISC_R_SUCCESS) {
7831
0
    goto failure;
7832
0
  }
7833
7834
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7835
0
       result = dns_rdataset_next(&rdataset))
7836
0
  {
7837
0
    dns_rdata_t private = DNS_RDATA_INIT;
7838
0
    unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
7839
7840
0
    dns_rdataset_current(&rdataset, &private);
7841
0
    if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
7842
0
            sizeof(buf)))
7843
0
    {
7844
0
      continue;
7845
0
    }
7846
0
    CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
7847
7848
0
    if ((!nsec3ok &&
7849
0
         (nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0) ||
7850
0
        nsec3param.hash != chain->nsec3param.hash ||
7851
0
        nsec3param.iterations != chain->nsec3param.iterations ||
7852
0
        nsec3param.salt_length != chain->nsec3param.salt_length ||
7853
0
        memcmp(nsec3param.salt, chain->nsec3param.salt,
7854
0
         nsec3param.salt_length))
7855
0
    {
7856
0
      dns_rdata_reset(&rdata);
7857
0
      continue;
7858
0
    }
7859
7860
0
    CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
7861
0
            rdataset.ttl, &private));
7862
0
    dns_rdata_reset(&rdata);
7863
0
  }
7864
0
  if (result != ISC_R_NOMORE) {
7865
0
    goto failure;
7866
0
  }
7867
7868
0
add:
7869
0
  if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
7870
0
    result = ISC_R_SUCCESS;
7871
0
    goto failure;
7872
0
  }
7873
7874
  /*
7875
   * Add a NSEC3PARAM record which matches that in nsec3chain but
7876
   * with all flags bits cleared.
7877
   *
7878
   * Note: we do not clear chain->nsec3param.flags as this change
7879
   * may be reversed.
7880
   */
7881
0
  isc_buffer_init(&buffer, &parambuf, sizeof(parambuf));
7882
0
  CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
7883
0
           dns_rdatatype_nsec3param, &chain->nsec3param,
7884
0
           &buffer));
7885
0
  rdata.data[1] = 0; /* Clear flag bits. */
7886
0
  CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
7887
7888
0
failure:
7889
0
  dns_db_detachnode(db, &node);
7890
0
  if (dns_rdataset_isassociated(&rdataset)) {
7891
0
    dns_rdataset_disassociate(&rdataset);
7892
0
  }
7893
0
  return (result);
7894
0
}
7895
7896
static isc_result_t
7897
delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
7898
0
      dns_name_t *name, dns_diff_t *diff) {
7899
0
  dns_rdataset_t rdataset;
7900
0
  isc_result_t result;
7901
7902
0
  dns_rdataset_init(&rdataset);
7903
7904
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0,
7905
0
             &rdataset, NULL);
7906
0
  if (result == ISC_R_NOTFOUND) {
7907
0
    return (ISC_R_SUCCESS);
7908
0
  }
7909
0
  if (result != ISC_R_SUCCESS) {
7910
0
    return (result);
7911
0
  }
7912
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7913
0
       result = dns_rdataset_next(&rdataset))
7914
0
  {
7915
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
7916
7917
0
    dns_rdataset_current(&rdataset, &rdata);
7918
0
    CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
7919
0
            rdataset.ttl, &rdata));
7920
0
  }
7921
0
  if (result == ISC_R_NOMORE) {
7922
0
    result = ISC_R_SUCCESS;
7923
0
  }
7924
0
failure:
7925
0
  dns_rdataset_disassociate(&rdataset);
7926
0
  return (result);
7927
0
}
7928
7929
static isc_result_t
7930
deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
7931
        dns_name_t *name, const dns_rdata_nsec3param_t *param,
7932
0
        dns_diff_t *diff) {
7933
0
  dns_rdataset_t rdataset;
7934
0
  dns_rdata_nsec3_t nsec3;
7935
0
  isc_result_t result;
7936
7937
0
  dns_rdataset_init(&rdataset);
7938
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3, 0, 0,
7939
0
             &rdataset, NULL);
7940
0
  if (result == ISC_R_NOTFOUND) {
7941
0
    return (ISC_R_SUCCESS);
7942
0
  }
7943
0
  if (result != ISC_R_SUCCESS) {
7944
0
    return (result);
7945
0
  }
7946
7947
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
7948
0
       result = dns_rdataset_next(&rdataset))
7949
0
  {
7950
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
7951
7952
0
    dns_rdataset_current(&rdataset, &rdata);
7953
0
    CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
7954
0
    if (nsec3.hash != param->hash ||
7955
0
        nsec3.iterations != param->iterations ||
7956
0
        nsec3.salt_length != param->salt_length ||
7957
0
        memcmp(nsec3.salt, param->salt, nsec3.salt_length))
7958
0
    {
7959
0
      continue;
7960
0
    }
7961
0
    CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
7962
0
            rdataset.ttl, &rdata));
7963
0
  }
7964
0
  if (result == ISC_R_NOMORE) {
7965
0
    result = ISC_R_SUCCESS;
7966
0
  }
7967
0
failure:
7968
0
  dns_rdataset_disassociate(&rdataset);
7969
0
  return (result);
7970
0
}
7971
7972
static isc_result_t
7973
need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
7974
0
    const dns_rdata_nsec3param_t *param, bool *answer) {
7975
0
  dns_dbnode_t *node = NULL;
7976
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
7977
0
  dns_rdata_nsec3param_t myparam;
7978
0
  dns_rdataset_t rdataset;
7979
0
  isc_result_t result;
7980
7981
0
  *answer = false;
7982
7983
0
  result = dns_db_getoriginnode(db, &node);
7984
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
7985
7986
0
  dns_rdataset_init(&rdataset);
7987
7988
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0,
7989
0
             &rdataset, NULL);
7990
0
  if (result == ISC_R_SUCCESS) {
7991
0
    dns_rdataset_disassociate(&rdataset);
7992
0
    dns_db_detachnode(db, &node);
7993
0
    return (result);
7994
0
  }
7995
0
  if (result != ISC_R_NOTFOUND) {
7996
0
    dns_db_detachnode(db, &node);
7997
0
    return (result);
7998
0
  }
7999
8000
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
8001
0
             0, &rdataset, NULL);
8002
0
  if (result == ISC_R_NOTFOUND) {
8003
0
    *answer = true;
8004
0
    dns_db_detachnode(db, &node);
8005
0
    return (ISC_R_SUCCESS);
8006
0
  }
8007
0
  if (result != ISC_R_SUCCESS) {
8008
0
    dns_db_detachnode(db, &node);
8009
0
    return (result);
8010
0
  }
8011
8012
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
8013
0
       result = dns_rdataset_next(&rdataset))
8014
0
  {
8015
0
    dns_rdataset_current(&rdataset, &rdata);
8016
0
    CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
8017
0
    dns_rdata_reset(&rdata);
8018
    /*
8019
     * Ignore any NSEC3PARAM removals.
8020
     */
8021
0
    if (NSEC3REMOVE(myparam.flags)) {
8022
0
      continue;
8023
0
    }
8024
    /*
8025
     * Ignore the chain that we are in the process of deleting.
8026
     */
8027
0
    if (myparam.hash == param->hash &&
8028
0
        myparam.iterations == param->iterations &&
8029
0
        myparam.salt_length == param->salt_length &&
8030
0
        !memcmp(myparam.salt, param->salt, myparam.salt_length))
8031
0
    {
8032
0
      continue;
8033
0
    }
8034
    /*
8035
     * Found an active NSEC3 chain.
8036
     */
8037
0
    break;
8038
0
  }
8039
0
  if (result == ISC_R_NOMORE) {
8040
0
    *answer = true;
8041
0
    result = ISC_R_SUCCESS;
8042
0
  }
8043
8044
0
failure:
8045
0
  if (dns_rdataset_isassociated(&rdataset)) {
8046
0
    dns_rdataset_disassociate(&rdataset);
8047
0
  }
8048
0
  dns_db_detachnode(db, &node);
8049
0
  return (result);
8050
0
}
8051
8052
/*%
8053
 * Given a tuple which is part of a diff, return a pointer to the next tuple in
8054
 * that diff which has the same name and type (or NULL if no such tuple is
8055
 * found).
8056
 */
8057
static dns_difftuple_t *
8058
0
find_next_matching_tuple(dns_difftuple_t *cur) {
8059
0
  dns_difftuple_t *next = cur;
8060
8061
0
  while ((next = ISC_LIST_NEXT(next, link)) != NULL) {
8062
0
    if (cur->rdata.type == next->rdata.type &&
8063
0
        dns_name_equal(&cur->name, &next->name))
8064
0
    {
8065
0
      return (next);
8066
0
    }
8067
0
  }
8068
8069
0
  return (NULL);
8070
0
}
8071
8072
/*%
8073
 * Remove all tuples with the same name and type as 'cur' from 'src' and append
8074
 * them to 'dst'.
8075
 */
8076
static void
8077
0
move_matching_tuples(dns_difftuple_t *cur, dns_diff_t *src, dns_diff_t *dst) {
8078
0
  do {
8079
0
    dns_difftuple_t *next = find_next_matching_tuple(cur);
8080
0
    ISC_LIST_UNLINK(src->tuples, cur, link);
8081
0
    dns_diff_appendminimal(dst, &cur);
8082
0
    cur = next;
8083
0
  } while (cur != NULL);
8084
0
}
8085
8086
/*%
8087
 * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in
8088
 * 'diff'.  Gradually remove tuples from 'diff' and append them to 'zonediff'
8089
 * along with tuples representing relevant signature changes.
8090
 */
8091
isc_result_t
8092
dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
8093
         dst_key_t *zone_keys[], unsigned int nkeys,
8094
         dns_zone_t *zone, isc_stdtime_t inception,
8095
         isc_stdtime_t expire, isc_stdtime_t keyexpire,
8096
0
         isc_stdtime_t now, dns__zonediff_t *zonediff) {
8097
0
  dns_difftuple_t *tuple;
8098
0
  isc_result_t result;
8099
8100
0
  while ((tuple = ISC_LIST_HEAD(diff->tuples)) != NULL) {
8101
0
    isc_stdtime_t exp = expire;
8102
8103
0
    if (keyexpire != 0 &&
8104
0
        dns_rdatatype_iskeymaterial(tuple->rdata.type))
8105
0
    {
8106
0
      exp = keyexpire;
8107
0
    }
8108
8109
0
    result = del_sigs(zone, db, version, &tuple->name,
8110
0
          tuple->rdata.type, zonediff, zone_keys, nkeys,
8111
0
          now, false);
8112
0
    if (result != ISC_R_SUCCESS) {
8113
0
      dns_zone_log(zone, ISC_LOG_ERROR,
8114
0
             "dns__zone_updatesigs:del_sigs -> %s",
8115
0
             isc_result_totext(result));
8116
0
      return (result);
8117
0
    }
8118
0
    result = add_sigs(db, version, &tuple->name, zone,
8119
0
          tuple->rdata.type, zonediff->diff, zone_keys,
8120
0
          nkeys, zone->mctx, now, inception, exp);
8121
0
    if (result != ISC_R_SUCCESS) {
8122
0
      dns_zone_log(zone, ISC_LOG_ERROR,
8123
0
             "dns__zone_updatesigs:add_sigs -> %s",
8124
0
             isc_result_totext(result));
8125
0
      return (result);
8126
0
    }
8127
8128
    /*
8129
     * Signature changes for all RRs with name tuple->name and type
8130
     * tuple->rdata.type were appended to zonediff->diff.  Now we
8131
     * remove all the "raw" changes with the same name and type
8132
     * from diff (so that they are not processed by this loop
8133
     * again) and append them to zonediff so that they get applied.
8134
     */
8135
0
    move_matching_tuples(tuple, diff, zonediff->diff);
8136
0
  }
8137
0
  return (ISC_R_SUCCESS);
8138
0
}
8139
8140
/*
8141
 * Incrementally build and sign a new NSEC3 chain using the parameters
8142
 * requested.
8143
 */
8144
static void
8145
0
zone_nsec3chain(dns_zone_t *zone) {
8146
0
  dns_db_t *db = NULL;
8147
0
  dns_dbnode_t *node = NULL;
8148
0
  dns_dbversion_t *version = NULL;
8149
0
  dns_diff_t _sig_diff;
8150
0
  dns_diff_t nsec_diff;
8151
0
  dns_diff_t nsec3_diff;
8152
0
  dns_diff_t param_diff;
8153
0
  dns__zonediff_t zonediff;
8154
0
  dns_fixedname_t fixed;
8155
0
  dns_fixedname_t nextfixed;
8156
0
  dns_name_t *name, *nextname;
8157
0
  dns_rdataset_t rdataset;
8158
0
  dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
8159
0
  dns_nsec3chainlist_t cleanup;
8160
0
  dst_key_t *zone_keys[DNS_MAXZONEKEYS];
8161
0
  int32_t signatures;
8162
0
  bool delegation;
8163
0
  bool first;
8164
0
  isc_result_t result;
8165
0
  isc_stdtime_t now, inception, soaexpire, expire;
8166
0
  unsigned int i;
8167
0
  unsigned int nkeys = 0;
8168
0
  uint32_t nodes;
8169
0
  bool unsecure = false;
8170
0
  bool seen_soa, seen_ns, seen_dname, seen_ds;
8171
0
  bool seen_nsec, seen_nsec3, seen_rr;
8172
0
  dns_rdatasetiter_t *iterator = NULL;
8173
0
  bool buildnsecchain;
8174
0
  bool updatensec = false;
8175
0
  dns_rdatatype_t privatetype = zone->privatetype;
8176
8177
0
  ENTER;
8178
8179
0
  dns_rdataset_init(&rdataset);
8180
0
  name = dns_fixedname_initname(&fixed);
8181
0
  nextname = dns_fixedname_initname(&nextfixed);
8182
0
  dns_diff_init(zone->mctx, &param_diff);
8183
0
  dns_diff_init(zone->mctx, &nsec3_diff);
8184
0
  dns_diff_init(zone->mctx, &nsec_diff);
8185
0
  dns_diff_init(zone->mctx, &_sig_diff);
8186
0
  zonediff_init(&zonediff, &_sig_diff);
8187
0
  ISC_LIST_INIT(cleanup);
8188
8189
  /*
8190
   * Updates are disabled.  Pause for 5 minutes.
8191
   */
8192
0
  if (zone->update_disabled) {
8193
0
    result = ISC_R_FAILURE;
8194
0
    goto failure;
8195
0
  }
8196
8197
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
8198
  /*
8199
   * This function is called when zone timer fires, after the latter gets
8200
   * set by zone_addnsec3chain().  If the action triggering the call to
8201
   * zone_addnsec3chain() is closely followed by a zone deletion request,
8202
   * it might turn out that the timer thread will not be woken up until
8203
   * after the zone is deleted by rmzone(), which calls dns_db_detach()
8204
   * for zone->db, causing the latter to become NULL.  Return immediately
8205
   * if that happens.
8206
   */
8207
0
  if (zone->db != NULL) {
8208
0
    dns_db_attach(zone->db, &db);
8209
0
  }
8210
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
8211
0
  if (db == NULL) {
8212
0
    return;
8213
0
  }
8214
8215
0
  result = dns_db_newversion(db, &version);
8216
0
  if (result != ISC_R_SUCCESS) {
8217
0
    dnssec_log(zone, ISC_LOG_ERROR,
8218
0
         "zone_nsec3chain:dns_db_newversion -> %s",
8219
0
         isc_result_totext(result));
8220
0
    goto failure;
8221
0
  }
8222
8223
0
  now = isc_stdtime_now();
8224
8225
0
  result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
8226
0
           DNS_MAXZONEKEYS, zone_keys, &nkeys);
8227
0
  if (result != ISC_R_SUCCESS) {
8228
0
    dnssec_log(zone, ISC_LOG_ERROR,
8229
0
         "zone_nsec3chain:dns_zone_findkeys -> %s",
8230
0
         isc_result_totext(result));
8231
0
    goto failure;
8232
0
  }
8233
8234
0
  calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
8235
0
         &expire);
8236
8237
  /*
8238
   * We keep pulling nodes off each iterator in turn until
8239
   * we have no more nodes to pull off or we reach the limits
8240
   * for this quantum.
8241
   */
8242
0
  nodes = zone->nodes;
8243
0
  signatures = zone->signatures;
8244
0
  LOCK_ZONE(zone);
8245
0
  nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
8246
0
  UNLOCK_ZONE(zone);
8247
0
  first = true;
8248
8249
0
  if (nsec3chain != NULL) {
8250
0
    nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
8251
0
  }
8252
  /*
8253
   * Generate new NSEC3 chains first.
8254
   *
8255
   * The following while loop iterates over nodes in the zone database,
8256
   * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of
8257
   * them.  Once all nodes are processed, the "delete_nsec" field is
8258
   * consulted to check whether we are supposed to remove NSEC records
8259
   * from the zone database; if so, the database iterator is reset to
8260
   * point to the first node and the loop traverses all of them again,
8261
   * this time removing NSEC records.  If we hit a node which is obscured
8262
   * by a delegation or a DNAME, nodes are skipped over until we find one
8263
   * that is not obscured by the same obscuring name and then normal
8264
   * processing is resumed.
8265
   *
8266
   * The above is repeated until all requested NSEC3 chain changes are
8267
   * applied or when we reach the limits for this quantum, whichever
8268
   * happens first.
8269
   *
8270
   * Note that the "signatures" variable is only used here to limit the
8271
   * amount of work performed.  Actual DNSSEC signatures are only
8272
   * generated by dns__zone_updatesigs() calls later in this function.
8273
   */
8274
0
  while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
8275
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8276
8277
0
    LOCK_ZONE(zone);
8278
0
    nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
8279
8280
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
8281
0
    if (nsec3chain->done || nsec3chain->db != zone->db) {
8282
0
      ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
8283
0
      ISC_LIST_APPEND(cleanup, nsec3chain, link);
8284
0
    }
8285
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
8286
0
    UNLOCK_ZONE(zone);
8287
0
    if (ISC_LIST_TAIL(cleanup) == nsec3chain) {
8288
0
      goto next_addchain;
8289
0
    }
8290
8291
    /*
8292
     * Possible future db.
8293
     */
8294
0
    if (nsec3chain->db != db) {
8295
0
      goto next_addchain;
8296
0
    }
8297
8298
0
    if (NSEC3REMOVE(nsec3chain->nsec3param.flags)) {
8299
0
      goto next_addchain;
8300
0
    }
8301
8302
0
    dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
8303
8304
0
    if (nsec3chain->delete_nsec) {
8305
0
      delegation = false;
8306
0
      dns_dbiterator_pause(nsec3chain->dbiterator);
8307
0
      CHECK(delete_nsec(db, version, node, name, &nsec_diff));
8308
0
      goto next_addnode;
8309
0
    }
8310
    /*
8311
     * On the first pass we need to check if the current node
8312
     * has not been obscured.
8313
     */
8314
0
    delegation = false;
8315
0
    unsecure = false;
8316
0
    if (first) {
8317
0
      dns_fixedname_t ffound;
8318
0
      dns_name_t *found;
8319
0
      found = dns_fixedname_initname(&ffound);
8320
0
      result = dns_db_find(
8321
0
        db, name, version, dns_rdatatype_soa,
8322
0
        DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
8323
0
      if ((result == DNS_R_DELEGATION ||
8324
0
           result == DNS_R_DNAME) &&
8325
0
          !dns_name_equal(name, found))
8326
0
      {
8327
        /*
8328
         * Remember the obscuring name so that
8329
         * we skip all obscured names.
8330
         */
8331
0
        dns_name_copy(found, name);
8332
0
        delegation = true;
8333
0
        goto next_addnode;
8334
0
      }
8335
0
    }
8336
8337
    /*
8338
     * Check to see if this is a bottom of zone node.
8339
     */
8340
0
    result = dns_db_allrdatasets(db, node, version, 0, 0,
8341
0
               &iterator);
8342
0
    if (result == ISC_R_NOTFOUND) {
8343
      /* Empty node? */
8344
0
      goto next_addnode;
8345
0
    }
8346
0
    if (result != ISC_R_SUCCESS) {
8347
0
      goto failure;
8348
0
    }
8349
8350
0
    seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = false;
8351
0
    for (result = dns_rdatasetiter_first(iterator);
8352
0
         result == ISC_R_SUCCESS;
8353
0
         result = dns_rdatasetiter_next(iterator))
8354
0
    {
8355
0
      dns_rdatasetiter_current(iterator, &rdataset);
8356
0
      INSIST(rdataset.type != dns_rdatatype_nsec3);
8357
0
      if (rdataset.type == dns_rdatatype_soa) {
8358
0
        seen_soa = true;
8359
0
      } else if (rdataset.type == dns_rdatatype_ns) {
8360
0
        seen_ns = true;
8361
0
      } else if (rdataset.type == dns_rdatatype_dname) {
8362
0
        seen_dname = true;
8363
0
      } else if (rdataset.type == dns_rdatatype_ds) {
8364
0
        seen_ds = true;
8365
0
      } else if (rdataset.type == dns_rdatatype_nsec) {
8366
0
        seen_nsec = true;
8367
0
      }
8368
0
      dns_rdataset_disassociate(&rdataset);
8369
0
    }
8370
0
    dns_rdatasetiter_destroy(&iterator);
8371
    /*
8372
     * Is there a NSEC chain than needs to be cleaned up?
8373
     */
8374
0
    if (seen_nsec) {
8375
0
      nsec3chain->seen_nsec = true;
8376
0
    }
8377
0
    if (seen_ns && !seen_soa && !seen_ds) {
8378
0
      unsecure = true;
8379
0
    }
8380
0
    if ((seen_ns && !seen_soa) || seen_dname) {
8381
0
      delegation = true;
8382
0
    }
8383
8384
    /*
8385
     * Process one node.
8386
     */
8387
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8388
0
    result = dns_nsec3_addnsec3(
8389
0
      db, version, name, &nsec3chain->nsec3param,
8390
0
      zone_nsecttl(zone), unsecure, &nsec3_diff);
8391
0
    if (result != ISC_R_SUCCESS) {
8392
0
      dnssec_log(zone, ISC_LOG_ERROR,
8393
0
           "zone_nsec3chain:"
8394
0
           "dns_nsec3_addnsec3 -> %s",
8395
0
           isc_result_totext(result));
8396
0
      goto failure;
8397
0
    }
8398
8399
    /*
8400
     * Treat each call to dns_nsec3_addnsec3() as if it's cost is
8401
     * two signatures.  Additionally there will, in general, be
8402
     * two signature generated below.
8403
     *
8404
     * If we are only changing the optout flag the cost is half
8405
     * that of the cost of generating a completely new chain.
8406
     */
8407
0
    signatures -= 4;
8408
8409
    /*
8410
     * Go onto next node.
8411
     */
8412
0
  next_addnode:
8413
0
    first = false;
8414
0
    dns_db_detachnode(db, &node);
8415
0
    do {
8416
0
      result = dns_dbiterator_next(nsec3chain->dbiterator);
8417
8418
0
      if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
8419
0
        dns_dbiterator_pause(nsec3chain->dbiterator);
8420
0
        CHECK(fixup_nsec3param(db, version, nsec3chain,
8421
0
                   false, privatetype,
8422
0
                   &param_diff));
8423
0
        LOCK_ZONE(zone);
8424
0
        ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8425
0
            link);
8426
0
        UNLOCK_ZONE(zone);
8427
0
        ISC_LIST_APPEND(cleanup, nsec3chain, link);
8428
0
        goto next_addchain;
8429
0
      }
8430
0
      if (result == ISC_R_NOMORE) {
8431
0
        dns_dbiterator_pause(nsec3chain->dbiterator);
8432
0
        if (nsec3chain->seen_nsec) {
8433
0
          CHECK(fixup_nsec3param(
8434
0
            db, version, nsec3chain, true,
8435
0
            privatetype, &param_diff));
8436
0
          nsec3chain->delete_nsec = true;
8437
0
          goto same_addchain;
8438
0
        }
8439
0
        CHECK(fixup_nsec3param(db, version, nsec3chain,
8440
0
                   false, privatetype,
8441
0
                   &param_diff));
8442
0
        LOCK_ZONE(zone);
8443
0
        ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8444
0
            link);
8445
0
        UNLOCK_ZONE(zone);
8446
0
        ISC_LIST_APPEND(cleanup, nsec3chain, link);
8447
0
        goto next_addchain;
8448
0
      } else if (result != ISC_R_SUCCESS) {
8449
0
        dnssec_log(zone, ISC_LOG_ERROR,
8450
0
             "zone_nsec3chain:"
8451
0
             "dns_dbiterator_next -> %s",
8452
0
             isc_result_totext(result));
8453
0
        goto failure;
8454
0
      } else if (delegation) {
8455
0
        dns_dbiterator_current(nsec3chain->dbiterator,
8456
0
                   &node, nextname);
8457
0
        dns_db_detachnode(db, &node);
8458
0
        if (!dns_name_issubdomain(nextname, name)) {
8459
0
          break;
8460
0
        }
8461
0
      } else {
8462
0
        break;
8463
0
      }
8464
0
    } while (1);
8465
0
    continue;
8466
8467
0
  same_addchain:
8468
0
    CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
8469
0
    first = true;
8470
0
    continue;
8471
8472
0
  next_addchain:
8473
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8474
0
    nsec3chain = nextnsec3chain;
8475
0
    first = true;
8476
0
    if (nsec3chain != NULL) {
8477
0
      nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
8478
0
    }
8479
0
  }
8480
8481
0
  if (nsec3chain != NULL) {
8482
0
    goto skip_removals;
8483
0
  }
8484
8485
  /*
8486
   * Process removals.
8487
   *
8488
   * This is a counterpart of the above while loop which takes care of
8489
   * removing an NSEC3 chain.  It starts with determining whether the
8490
   * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
8491
   * NSEC chain by iterating over all nodes in the zone database and only
8492
   * then goes on to remove NSEC3 records be iterating over all nodes
8493
   * again and calling deletematchingnsec3() for each of them; otherwise,
8494
   * it starts removing NSEC3 records immediately.  Rules for processing
8495
   * obscured nodes and interrupting work are the same as for the while
8496
   * loop above.
8497
   */
8498
0
  LOCK_ZONE(zone);
8499
0
  nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
8500
0
  UNLOCK_ZONE(zone);
8501
0
  first = true;
8502
0
  buildnsecchain = false;
8503
0
  while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
8504
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8505
8506
0
    LOCK_ZONE(zone);
8507
0
    nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
8508
0
    UNLOCK_ZONE(zone);
8509
8510
0
    if (nsec3chain->db != db) {
8511
0
      goto next_removechain;
8512
0
    }
8513
8514
0
    if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) {
8515
0
      goto next_removechain;
8516
0
    }
8517
8518
    /*
8519
     * Work out if we need to build a NSEC chain as a consequence
8520
     * of removing this NSEC3 chain.
8521
     */
8522
0
    if (first && !updatensec &&
8523
0
        (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
8524
0
    {
8525
0
      result = need_nsec_chain(db, version,
8526
0
             &nsec3chain->nsec3param,
8527
0
             &buildnsecchain);
8528
0
      if (result != ISC_R_SUCCESS) {
8529
0
        dnssec_log(zone, ISC_LOG_ERROR,
8530
0
             "zone_nsec3chain:"
8531
0
             "need_nsec_chain -> %s",
8532
0
             isc_result_totext(result));
8533
0
        goto failure;
8534
0
      }
8535
0
    }
8536
8537
0
    if (first) {
8538
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
8539
0
           "zone_nsec3chain:buildnsecchain = %u\n",
8540
0
           buildnsecchain);
8541
0
    }
8542
8543
0
    dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
8544
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8545
0
    delegation = false;
8546
8547
0
    if (!buildnsecchain) {
8548
      /*
8549
       * Delete the NSEC3PARAM record matching this chain.
8550
       */
8551
0
      if (first) {
8552
0
        result = fixup_nsec3param(
8553
0
          db, version, nsec3chain, true,
8554
0
          privatetype, &param_diff);
8555
0
        if (result != ISC_R_SUCCESS) {
8556
0
          dnssec_log(zone, ISC_LOG_ERROR,
8557
0
               "zone_nsec3chain:"
8558
0
               "fixup_nsec3param -> %s",
8559
0
               isc_result_totext(result));
8560
0
          goto failure;
8561
0
        }
8562
0
      }
8563
8564
      /*
8565
       * Delete the NSEC3 records.
8566
       */
8567
0
      result = deletematchingnsec3(db, version, node, name,
8568
0
                 &nsec3chain->nsec3param,
8569
0
                 &nsec3_diff);
8570
0
      if (result != ISC_R_SUCCESS) {
8571
0
        dnssec_log(zone, ISC_LOG_ERROR,
8572
0
             "zone_nsec3chain:"
8573
0
             "deletematchingnsec3 -> %s",
8574
0
             isc_result_totext(result));
8575
0
        goto failure;
8576
0
      }
8577
0
      goto next_removenode;
8578
0
    }
8579
8580
0
    if (first) {
8581
0
      dns_fixedname_t ffound;
8582
0
      dns_name_t *found;
8583
0
      found = dns_fixedname_initname(&ffound);
8584
0
      result = dns_db_find(
8585
0
        db, name, version, dns_rdatatype_soa,
8586
0
        DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
8587
0
      if ((result == DNS_R_DELEGATION ||
8588
0
           result == DNS_R_DNAME) &&
8589
0
          !dns_name_equal(name, found))
8590
0
      {
8591
        /*
8592
         * Remember the obscuring name so that
8593
         * we skip all obscured names.
8594
         */
8595
0
        dns_name_copy(found, name);
8596
0
        delegation = true;
8597
0
        goto next_removenode;
8598
0
      }
8599
0
    }
8600
8601
    /*
8602
     * Check to see if this is a bottom of zone node.
8603
     */
8604
0
    result = dns_db_allrdatasets(db, node, version, 0, 0,
8605
0
               &iterator);
8606
0
    if (result == ISC_R_NOTFOUND) {
8607
      /* Empty node? */
8608
0
      goto next_removenode;
8609
0
    }
8610
0
    if (result != ISC_R_SUCCESS) {
8611
0
      goto failure;
8612
0
    }
8613
8614
0
    seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
8615
0
      seen_rr = false;
8616
0
    for (result = dns_rdatasetiter_first(iterator);
8617
0
         result == ISC_R_SUCCESS;
8618
0
         result = dns_rdatasetiter_next(iterator))
8619
0
    {
8620
0
      dns_rdatasetiter_current(iterator, &rdataset);
8621
0
      if (rdataset.type == dns_rdatatype_soa) {
8622
0
        seen_soa = true;
8623
0
      } else if (rdataset.type == dns_rdatatype_ns) {
8624
0
        seen_ns = true;
8625
0
      } else if (rdataset.type == dns_rdatatype_dname) {
8626
0
        seen_dname = true;
8627
0
      } else if (rdataset.type == dns_rdatatype_nsec) {
8628
0
        seen_nsec = true;
8629
0
      } else if (rdataset.type == dns_rdatatype_nsec3) {
8630
0
        seen_nsec3 = true;
8631
0
      } else if (rdataset.type != dns_rdatatype_rrsig) {
8632
0
        seen_rr = true;
8633
0
      }
8634
0
      dns_rdataset_disassociate(&rdataset);
8635
0
    }
8636
0
    dns_rdatasetiter_destroy(&iterator);
8637
8638
0
    if (!seen_rr || seen_nsec3 || seen_nsec) {
8639
0
      goto next_removenode;
8640
0
    }
8641
0
    if ((seen_ns && !seen_soa) || seen_dname) {
8642
0
      delegation = true;
8643
0
    }
8644
8645
    /*
8646
     * Add a NSEC record except at the origin.
8647
     */
8648
0
    if (!dns_name_equal(name, dns_db_origin(db))) {
8649
0
      dns_dbiterator_pause(nsec3chain->dbiterator);
8650
0
      CHECK(add_nsec(db, version, name, node,
8651
0
               zone_nsecttl(zone), delegation,
8652
0
               &nsec_diff));
8653
0
      signatures--;
8654
0
    }
8655
8656
0
  next_removenode:
8657
0
    first = false;
8658
0
    dns_db_detachnode(db, &node);
8659
0
    do {
8660
0
      result = dns_dbiterator_next(nsec3chain->dbiterator);
8661
0
      if (result == ISC_R_NOMORE && buildnsecchain) {
8662
        /*
8663
         * The NSEC chain should now be built.
8664
         * We can now remove the NSEC3 chain.
8665
         */
8666
0
        updatensec = true;
8667
0
        goto same_removechain;
8668
0
      }
8669
0
      if (result == ISC_R_NOMORE) {
8670
0
        dns_dbiterator_pause(nsec3chain->dbiterator);
8671
0
        LOCK_ZONE(zone);
8672
0
        ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8673
0
            link);
8674
0
        UNLOCK_ZONE(zone);
8675
0
        ISC_LIST_APPEND(cleanup, nsec3chain, link);
8676
0
        result = fixup_nsec3param(
8677
0
          db, version, nsec3chain, false,
8678
0
          privatetype, &param_diff);
8679
0
        if (result != ISC_R_SUCCESS) {
8680
0
          dnssec_log(zone, ISC_LOG_ERROR,
8681
0
               "zone_nsec3chain:"
8682
0
               "fixup_nsec3param -> %s",
8683
0
               isc_result_totext(result));
8684
0
          goto failure;
8685
0
        }
8686
0
        goto next_removechain;
8687
0
      } else if (result != ISC_R_SUCCESS) {
8688
0
        dnssec_log(zone, ISC_LOG_ERROR,
8689
0
             "zone_nsec3chain:"
8690
0
             "dns_dbiterator_next -> %s",
8691
0
             isc_result_totext(result));
8692
0
        goto failure;
8693
0
      } else if (delegation) {
8694
0
        dns_dbiterator_current(nsec3chain->dbiterator,
8695
0
                   &node, nextname);
8696
0
        dns_db_detachnode(db, &node);
8697
0
        if (!dns_name_issubdomain(nextname, name)) {
8698
0
          break;
8699
0
        }
8700
0
      } else {
8701
0
        break;
8702
0
      }
8703
0
    } while (1);
8704
0
    continue;
8705
8706
0
  same_removechain:
8707
0
    CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
8708
0
    buildnsecchain = false;
8709
0
    first = true;
8710
0
    continue;
8711
8712
0
  next_removechain:
8713
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8714
0
    nsec3chain = nextnsec3chain;
8715
0
    first = true;
8716
0
  }
8717
8718
0
skip_removals:
8719
  /*
8720
   * We may need to update the NSEC/NSEC3 records for the zone apex.
8721
   */
8722
0
  if (!ISC_LIST_EMPTY(param_diff.tuples)) {
8723
0
    bool rebuild_nsec = false, rebuild_nsec3 = false;
8724
0
    result = dns_db_getoriginnode(db, &node);
8725
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
8726
0
    result = dns_db_allrdatasets(db, node, version, 0, 0,
8727
0
               &iterator);
8728
0
    if (result != ISC_R_SUCCESS) {
8729
0
      dnssec_log(zone, ISC_LOG_ERROR,
8730
0
           "zone_nsec3chain:dns_db_allrdatasets -> %s",
8731
0
           isc_result_totext(result));
8732
0
      goto failure;
8733
0
    }
8734
0
    for (result = dns_rdatasetiter_first(iterator);
8735
0
         result == ISC_R_SUCCESS;
8736
0
         result = dns_rdatasetiter_next(iterator))
8737
0
    {
8738
0
      dns_rdatasetiter_current(iterator, &rdataset);
8739
0
      if (rdataset.type == dns_rdatatype_nsec) {
8740
0
        rebuild_nsec = true;
8741
0
      } else if (rdataset.type == dns_rdatatype_nsec3param) {
8742
0
        rebuild_nsec3 = true;
8743
0
      }
8744
0
      dns_rdataset_disassociate(&rdataset);
8745
0
    }
8746
0
    dns_rdatasetiter_destroy(&iterator);
8747
0
    dns_db_detachnode(db, &node);
8748
8749
0
    if (rebuild_nsec) {
8750
0
      if (nsec3chain != NULL) {
8751
0
        dns_dbiterator_pause(nsec3chain->dbiterator);
8752
0
      }
8753
8754
0
      result = updatesecure(db, version, &zone->origin,
8755
0
                zone_nsecttl(zone), true,
8756
0
                &nsec_diff);
8757
0
      if (result != ISC_R_SUCCESS) {
8758
0
        dnssec_log(zone, ISC_LOG_ERROR,
8759
0
             "zone_nsec3chain:updatesecure -> %s",
8760
0
             isc_result_totext(result));
8761
0
        goto failure;
8762
0
      }
8763
0
    }
8764
8765
0
    if (rebuild_nsec3) {
8766
0
      if (nsec3chain != NULL) {
8767
0
        dns_dbiterator_pause(nsec3chain->dbiterator);
8768
0
      }
8769
8770
0
      result = dns_nsec3_addnsec3s(
8771
0
        db, version, dns_db_origin(db),
8772
0
        zone_nsecttl(zone), false, &nsec3_diff);
8773
0
      if (result != ISC_R_SUCCESS) {
8774
0
        dnssec_log(zone, ISC_LOG_ERROR,
8775
0
             "zone_nsec3chain:"
8776
0
             "dns_nsec3_addnsec3s -> %s",
8777
0
             isc_result_totext(result));
8778
0
        goto failure;
8779
0
      }
8780
0
    }
8781
0
  }
8782
8783
  /*
8784
   * Add / update signatures for the NSEC3 records.
8785
   */
8786
0
  if (nsec3chain != NULL) {
8787
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8788
0
  }
8789
0
  result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
8790
0
              nkeys, zone, inception, expire, 0, now,
8791
0
              &zonediff);
8792
0
  if (result != ISC_R_SUCCESS) {
8793
0
    dnssec_log(zone, ISC_LOG_ERROR,
8794
0
         "zone_nsec3chain:dns__zone_updatesigs -> %s",
8795
0
         isc_result_totext(result));
8796
0
    goto failure;
8797
0
  }
8798
8799
  /*
8800
   * We have changed the NSEC3PARAM or private RRsets
8801
   * above so we need to update the signatures.
8802
   */
8803
0
  result = dns__zone_updatesigs(&param_diff, db, version, zone_keys,
8804
0
              nkeys, zone, inception, expire, 0, now,
8805
0
              &zonediff);
8806
0
  if (result != ISC_R_SUCCESS) {
8807
0
    dnssec_log(zone, ISC_LOG_ERROR,
8808
0
         "zone_nsec3chain:dns__zone_updatesigs -> %s",
8809
0
         isc_result_totext(result));
8810
0
    goto failure;
8811
0
  }
8812
8813
0
  if (updatensec) {
8814
0
    result = updatesecure(db, version, &zone->origin,
8815
0
              zone_nsecttl(zone), false, &nsec_diff);
8816
0
    if (result != ISC_R_SUCCESS) {
8817
0
      dnssec_log(zone, ISC_LOG_ERROR,
8818
0
           "zone_nsec3chain:updatesecure -> %s",
8819
0
           isc_result_totext(result));
8820
0
      goto failure;
8821
0
    }
8822
0
  }
8823
8824
0
  result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys,
8825
0
              zone, inception, expire, 0, now,
8826
0
              &zonediff);
8827
0
  if (result != ISC_R_SUCCESS) {
8828
0
    dnssec_log(zone, ISC_LOG_ERROR,
8829
0
         "zone_nsec3chain:dns__zone_updatesigs -> %s",
8830
0
         isc_result_totext(result));
8831
0
    goto failure;
8832
0
  }
8833
8834
  /*
8835
   * If we made no effective changes to the zone then we can just
8836
   * cleanup otherwise we need to increment the serial.
8837
   */
8838
0
  if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
8839
    /*
8840
     * No need to call dns_db_closeversion() here as it is
8841
     * called with commit = true below.
8842
     */
8843
0
    goto done;
8844
0
  }
8845
8846
0
  result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
8847
0
        &zonediff, zone_keys, nkeys, now, false);
8848
0
  if (result != ISC_R_SUCCESS) {
8849
0
    dnssec_log(zone, ISC_LOG_ERROR,
8850
0
         "zone_nsec3chain:del_sigs -> %s",
8851
0
         isc_result_totext(result));
8852
0
    goto failure;
8853
0
  }
8854
8855
0
  result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
8856
0
           zone->updatemethod);
8857
0
  if (result != ISC_R_SUCCESS) {
8858
0
    dnssec_log(zone, ISC_LOG_ERROR,
8859
0
         "zone_nsec3chain:update_soa_serial -> %s",
8860
0
         isc_result_totext(result));
8861
0
    goto failure;
8862
0
  }
8863
8864
0
  result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
8865
0
        zonediff.diff, zone_keys, nkeys, zone->mctx, now,
8866
0
        inception, soaexpire);
8867
0
  if (result != ISC_R_SUCCESS) {
8868
0
    dnssec_log(zone, ISC_LOG_ERROR,
8869
0
         "zone_nsec3chain:add_sigs -> %s",
8870
0
         isc_result_totext(result));
8871
0
    goto failure;
8872
0
  }
8873
8874
  /* Write changes to journal file. */
8875
0
  CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain"));
8876
8877
0
  LOCK_ZONE(zone);
8878
0
  zone_needdump(zone, DNS_DUMP_DELAY);
8879
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
8880
0
  UNLOCK_ZONE(zone);
8881
8882
0
done:
8883
  /*
8884
   * Pause all iterators so that dns_db_closeversion() can succeed.
8885
   */
8886
0
  LOCK_ZONE(zone);
8887
0
  for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
8888
0
       nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
8889
0
  {
8890
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8891
0
  }
8892
0
  UNLOCK_ZONE(zone);
8893
8894
  /*
8895
   * Everything has succeeded. Commit the changes.
8896
   * Unconditionally commit as zonediff.offline not checked above.
8897
   */
8898
0
  dns_db_closeversion(db, &version, true);
8899
8900
  /*
8901
   * Everything succeeded so we can clean these up now.
8902
   */
8903
0
  nsec3chain = ISC_LIST_HEAD(cleanup);
8904
0
  while (nsec3chain != NULL) {
8905
0
    ISC_LIST_UNLINK(cleanup, nsec3chain, link);
8906
0
    dns_db_detach(&nsec3chain->db);
8907
0
    dns_dbiterator_destroy(&nsec3chain->dbiterator);
8908
0
    isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
8909
0
    nsec3chain = ISC_LIST_HEAD(cleanup);
8910
0
  }
8911
8912
0
  LOCK_ZONE(zone);
8913
0
  set_resigntime(zone);
8914
0
  UNLOCK_ZONE(zone);
8915
8916
0
failure:
8917
0
  if (result != ISC_R_SUCCESS) {
8918
0
    dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
8919
0
         isc_result_totext(result));
8920
0
  }
8921
8922
  /*
8923
   * On error roll back the current nsec3chain.
8924
   */
8925
0
  if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
8926
0
    if (nsec3chain->done) {
8927
0
      dns_db_detach(&nsec3chain->db);
8928
0
      dns_dbiterator_destroy(&nsec3chain->dbiterator);
8929
0
      isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
8930
0
    } else {
8931
0
      result = dns_dbiterator_first(nsec3chain->dbiterator);
8932
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
8933
0
      dns_dbiterator_pause(nsec3chain->dbiterator);
8934
0
      nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
8935
0
    }
8936
0
  }
8937
8938
  /*
8939
   * Rollback the cleanup list.
8940
   */
8941
0
  nsec3chain = ISC_LIST_TAIL(cleanup);
8942
0
  while (nsec3chain != NULL) {
8943
0
    ISC_LIST_UNLINK(cleanup, nsec3chain, link);
8944
0
    if (nsec3chain->done) {
8945
0
      dns_db_detach(&nsec3chain->db);
8946
0
      dns_dbiterator_destroy(&nsec3chain->dbiterator);
8947
0
      isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
8948
0
    } else {
8949
0
      LOCK_ZONE(zone);
8950
0
      ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
8951
0
      UNLOCK_ZONE(zone);
8952
0
      result = dns_dbiterator_first(nsec3chain->dbiterator);
8953
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
8954
0
      dns_dbiterator_pause(nsec3chain->dbiterator);
8955
0
      nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
8956
0
    }
8957
0
    nsec3chain = ISC_LIST_TAIL(cleanup);
8958
0
  }
8959
8960
0
  LOCK_ZONE(zone);
8961
0
  for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
8962
0
       nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
8963
0
  {
8964
0
    dns_dbiterator_pause(nsec3chain->dbiterator);
8965
0
  }
8966
0
  UNLOCK_ZONE(zone);
8967
8968
0
  dns_diff_clear(&param_diff);
8969
0
  dns_diff_clear(&nsec3_diff);
8970
0
  dns_diff_clear(&nsec_diff);
8971
0
  dns_diff_clear(&_sig_diff);
8972
8973
0
  if (iterator != NULL) {
8974
0
    dns_rdatasetiter_destroy(&iterator);
8975
0
  }
8976
8977
0
  for (i = 0; i < nkeys; i++) {
8978
0
    dst_key_free(&zone_keys[i]);
8979
0
  }
8980
8981
0
  if (node != NULL) {
8982
0
    dns_db_detachnode(db, &node);
8983
0
  }
8984
0
  if (version != NULL) {
8985
0
    dns_db_closeversion(db, &version, false);
8986
0
    dns_db_detach(&db);
8987
0
  } else if (db != NULL) {
8988
0
    dns_db_detach(&db);
8989
0
  }
8990
8991
0
  LOCK_ZONE(zone);
8992
0
  if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
8993
0
    isc_interval_t interval;
8994
0
    if (zone->update_disabled || result != ISC_R_SUCCESS) {
8995
0
      isc_interval_set(&interval, 60, 0); /* 1 minute */
8996
0
    } else {
8997
0
      isc_interval_set(&interval, 0, 10000000); /* 10 ms */
8998
0
    }
8999
0
    isc_time_nowplusinterval(&zone->nsec3chaintime, &interval);
9000
0
  } else {
9001
0
    isc_time_settoepoch(&zone->nsec3chaintime);
9002
0
  }
9003
0
  UNLOCK_ZONE(zone);
9004
9005
0
  INSIST(version == NULL);
9006
0
}
9007
9008
/*%
9009
 * Delete all RRSIG records with the given algorithm and keyid.
9010
 * Remove the NSEC record and RRSIGs if nkeys is zero.
9011
 * If all remaining RRsets are signed with the given algorithm
9012
 * set *has_algp to true.
9013
 */
9014
static isc_result_t
9015
del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
9016
  dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
9017
0
  uint16_t keyid, bool *has_algp, dns_diff_t *diff) {
9018
0
  dns_rdata_rrsig_t rrsig;
9019
0
  dns_rdataset_t rdataset;
9020
0
  dns_rdatasetiter_t *iterator = NULL;
9021
0
  isc_result_t result;
9022
0
  bool alg_missed = false;
9023
0
  bool alg_found = false;
9024
9025
0
  char namebuf[DNS_NAME_FORMATSIZE];
9026
0
  dns_name_format(name, namebuf, sizeof(namebuf));
9027
9028
0
  result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
9029
0
  if (result != ISC_R_SUCCESS) {
9030
0
    if (result == ISC_R_NOTFOUND) {
9031
0
      result = ISC_R_SUCCESS;
9032
0
    }
9033
0
    return (result);
9034
0
  }
9035
9036
0
  dns_rdataset_init(&rdataset);
9037
0
  for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
9038
0
       result = dns_rdatasetiter_next(iterator))
9039
0
  {
9040
0
    bool has_alg = false;
9041
0
    dns_rdatasetiter_current(iterator, &rdataset);
9042
0
    if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
9043
0
      for (result = dns_rdataset_first(&rdataset);
9044
0
           result == ISC_R_SUCCESS;
9045
0
           result = dns_rdataset_next(&rdataset))
9046
0
      {
9047
0
        dns_rdata_t rdata = DNS_RDATA_INIT;
9048
0
        dns_rdataset_current(&rdataset, &rdata);
9049
0
        CHECK(update_one_rr(db, version, diff,
9050
0
                DNS_DIFFOP_DEL, name,
9051
0
                rdataset.ttl, &rdata));
9052
0
      }
9053
0
      if (result != ISC_R_NOMORE) {
9054
0
        goto failure;
9055
0
      }
9056
0
      dns_rdataset_disassociate(&rdataset);
9057
0
      continue;
9058
0
    }
9059
0
    if (rdataset.type != dns_rdatatype_rrsig) {
9060
0
      dns_rdataset_disassociate(&rdataset);
9061
0
      continue;
9062
0
    }
9063
0
    for (result = dns_rdataset_first(&rdataset);
9064
0
         result == ISC_R_SUCCESS;
9065
0
         result = dns_rdataset_next(&rdataset))
9066
0
    {
9067
0
      dns_rdata_t rdata = DNS_RDATA_INIT;
9068
0
      dns_rdataset_current(&rdataset, &rdata);
9069
0
      CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
9070
0
      if (nkeys != 0 && (rrsig.algorithm != algorithm ||
9071
0
             rrsig.keyid != keyid))
9072
0
      {
9073
0
        if (rrsig.algorithm == algorithm) {
9074
0
          has_alg = true;
9075
0
        }
9076
0
        continue;
9077
0
      }
9078
0
      CHECK(update_one_rr(db, version, diff,
9079
0
              DNS_DIFFOP_DELRESIGN, name,
9080
0
              rdataset.ttl, &rdata));
9081
0
    }
9082
0
    dns_rdataset_disassociate(&rdataset);
9083
0
    if (result != ISC_R_NOMORE) {
9084
0
      break;
9085
0
    }
9086
9087
    /*
9088
     * After deleting, if there's still a signature for
9089
     * 'algorithm', set alg_found; if not, set alg_missed.
9090
     */
9091
0
    if (has_alg) {
9092
0
      alg_found = true;
9093
0
    } else {
9094
0
      alg_missed = true;
9095
0
    }
9096
0
  }
9097
0
  if (result == ISC_R_NOMORE) {
9098
0
    result = ISC_R_SUCCESS;
9099
0
  }
9100
9101
  /*
9102
   * Set `has_algp` if the algorithm was found in every RRset:
9103
   * i.e., found in at least one, and not missing from any.
9104
   */
9105
0
  *has_algp = (alg_found && !alg_missed);
9106
0
failure:
9107
0
  if (dns_rdataset_isassociated(&rdataset)) {
9108
0
    dns_rdataset_disassociate(&rdataset);
9109
0
  }
9110
0
  dns_rdatasetiter_destroy(&iterator);
9111
0
  return (result);
9112
0
}
9113
9114
/*
9115
 * Prevent the zone entering a inconsistent state where
9116
 * NSEC only DNSKEYs are present with NSEC3 chains.
9117
 */
9118
bool
9119
dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
9120
          dns_dbversion_t *ver, dns_diff_t *diff,
9121
0
          dst_key_t **keys, unsigned int numkeys) {
9122
0
  uint8_t alg;
9123
0
  dns_rdatatype_t privatetype;
9124
0
  ;
9125
0
  bool nseconly = false, nsec3 = false;
9126
0
  isc_result_t result;
9127
9128
0
  REQUIRE(DNS_ZONE_VALID(zone));
9129
0
  REQUIRE(db != NULL);
9130
9131
0
  privatetype = dns_zone_getprivatetype(zone);
9132
9133
  /* Scan the tuples for an NSEC-only DNSKEY */
9134
0
  if (diff != NULL) {
9135
0
    for (dns_difftuple_t *tuple = ISC_LIST_HEAD(diff->tuples);
9136
0
         tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link))
9137
0
    {
9138
0
      if (nseconly && nsec3) {
9139
0
        break;
9140
0
      }
9141
9142
0
      if (tuple->op != DNS_DIFFOP_ADD) {
9143
0
        continue;
9144
0
      }
9145
9146
0
      if (tuple->rdata.type == dns_rdatatype_nsec3param) {
9147
0
        nsec3 = true;
9148
0
      }
9149
9150
0
      if (tuple->rdata.type != dns_rdatatype_dnskey) {
9151
0
        continue;
9152
0
      }
9153
9154
0
      alg = tuple->rdata.data[3];
9155
0
      if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
9156
0
          alg == DNS_KEYALG_RSASHA1)
9157
0
      {
9158
0
        nseconly = true;
9159
0
      }
9160
0
    }
9161
0
  }
9162
  /* Scan the zone keys for an NSEC-only DNSKEY */
9163
0
  if (keys != NULL && !nseconly) {
9164
0
    for (unsigned int i = 0; i < numkeys; i++) {
9165
0
      alg = dst_key_alg(keys[i]);
9166
0
      if (alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_DSA ||
9167
0
          alg == DNS_KEYALG_RSASHA1)
9168
0
      {
9169
0
        nseconly = true;
9170
0
        break;
9171
0
      }
9172
0
    }
9173
0
  }
9174
9175
  /* Check DB for NSEC-only DNSKEY */
9176
0
  if (!nseconly) {
9177
0
    result = dns_nsec_nseconly(db, ver, diff, &nseconly);
9178
    /*
9179
     * Adding an NSEC3PARAM record can proceed without a
9180
     * DNSKEY (it will trigger a delayed change), so we can
9181
     * ignore ISC_R_NOTFOUND here.
9182
     */
9183
0
    if (result == ISC_R_NOTFOUND) {
9184
0
      result = ISC_R_SUCCESS;
9185
0
    }
9186
0
    CHECK(result);
9187
0
  }
9188
9189
  /* Check existing DB for NSEC3 */
9190
0
  if (!nsec3) {
9191
0
    CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3));
9192
0
  }
9193
9194
  /* Check kasp for NSEC3PARAM settings */
9195
0
  if (!nsec3) {
9196
0
    dns_kasp_t *kasp = zone->kasp;
9197
0
    if (kasp != NULL) {
9198
0
      nsec3 = dns_kasp_nsec3(kasp);
9199
0
    }
9200
0
  }
9201
9202
  /* Refuse to allow NSEC3 with NSEC-only keys */
9203
0
  if (nseconly && nsec3) {
9204
0
    goto failure;
9205
0
  }
9206
9207
0
  return (true);
9208
9209
0
failure:
9210
0
  return (false);
9211
0
}
9212
9213
/*
9214
 * Incrementally sign the zone using the keys requested.
9215
 * Builds the NSEC chain if required.
9216
 */
9217
static void
9218
0
zone_sign(dns_zone_t *zone) {
9219
0
  dns_db_t *db = NULL;
9220
0
  dns_dbnode_t *node = NULL;
9221
0
  dns_dbversion_t *version = NULL;
9222
0
  dns_diff_t _sig_diff;
9223
0
  dns_diff_t post_diff;
9224
0
  dns__zonediff_t zonediff;
9225
0
  dns_fixedname_t fixed;
9226
0
  dns_fixedname_t nextfixed;
9227
0
  dns_kasp_t *kasp;
9228
0
  dns_name_t *name, *nextname;
9229
0
  dns_rdataset_t rdataset;
9230
0
  dns_signing_t *signing, *nextsigning;
9231
0
  dns_signinglist_t cleanup;
9232
0
  dst_key_t *zone_keys[DNS_MAXZONEKEYS];
9233
0
  int32_t signatures;
9234
0
  bool is_ksk, is_zsk;
9235
0
  bool with_ksk, with_zsk;
9236
0
  bool commit = false;
9237
0
  bool is_bottom_of_zone;
9238
0
  bool build_nsec = false;
9239
0
  bool build_nsec3 = false;
9240
0
  bool use_kasp = false;
9241
0
  bool first;
9242
0
  isc_result_t result;
9243
0
  isc_stdtime_t now, inception, soaexpire, expire;
9244
0
  unsigned int i, j;
9245
0
  unsigned int nkeys = 0;
9246
0
  uint32_t nodes;
9247
9248
0
  ENTER;
9249
9250
0
  dns_rdataset_init(&rdataset);
9251
0
  name = dns_fixedname_initname(&fixed);
9252
0
  nextname = dns_fixedname_initname(&nextfixed);
9253
0
  dns_diff_init(zone->mctx, &_sig_diff);
9254
0
  dns_diff_init(zone->mctx, &post_diff);
9255
0
  zonediff_init(&zonediff, &_sig_diff);
9256
0
  ISC_LIST_INIT(cleanup);
9257
9258
  /*
9259
   * Updates are disabled.  Pause for 1 minute.
9260
   */
9261
0
  if (zone->update_disabled) {
9262
0
    result = ISC_R_FAILURE;
9263
0
    goto cleanup;
9264
0
  }
9265
9266
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
9267
0
  if (zone->db != NULL) {
9268
0
    dns_db_attach(zone->db, &db);
9269
0
  }
9270
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9271
0
  if (db == NULL) {
9272
0
    result = ISC_R_FAILURE;
9273
0
    goto cleanup;
9274
0
  }
9275
9276
0
  result = dns_db_newversion(db, &version);
9277
0
  if (result != ISC_R_SUCCESS) {
9278
0
    dnssec_log(zone, ISC_LOG_ERROR,
9279
0
         "zone_sign:dns_db_newversion -> %s",
9280
0
         isc_result_totext(result));
9281
0
    goto cleanup;
9282
0
  }
9283
9284
0
  now = isc_stdtime_now();
9285
9286
0
  result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
9287
0
           DNS_MAXZONEKEYS, zone_keys, &nkeys);
9288
0
  if (result != ISC_R_SUCCESS) {
9289
0
    dnssec_log(zone, ISC_LOG_ERROR,
9290
0
         "zone_sign:dns_zone_findkeys -> %s",
9291
0
         isc_result_totext(result));
9292
0
    goto cleanup;
9293
0
  }
9294
9295
0
  kasp = zone->kasp;
9296
9297
0
  calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
9298
0
         &expire);
9299
9300
  /*
9301
   * We keep pulling nodes off each iterator in turn until
9302
   * we have no more nodes to pull off or we reach the limits
9303
   * for this quantum.
9304
   */
9305
0
  nodes = zone->nodes;
9306
0
  signatures = zone->signatures;
9307
0
  signing = ISC_LIST_HEAD(zone->signing);
9308
0
  first = true;
9309
9310
0
  if (kasp != NULL) {
9311
0
    use_kasp = true;
9312
0
  }
9313
0
  dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
9314
0
       use_kasp ? "yes" : "no");
9315
9316
  /* Determine which type of chain to build */
9317
0
  CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
9318
0
         &build_nsec3));
9319
0
  if (!build_nsec && !build_nsec3) {
9320
0
    if (use_kasp) {
9321
0
      build_nsec3 = dns_kasp_nsec3(kasp);
9322
0
      if (!dns_zone_check_dnskey_nsec3(
9323
0
            zone, db, version, NULL,
9324
0
            (dst_key_t **)&zone_keys, nkeys))
9325
0
      {
9326
0
        dnssec_log(zone, ISC_LOG_INFO,
9327
0
             "wait building NSEC3 chain until "
9328
0
             "NSEC only DNSKEYs are removed");
9329
0
        build_nsec3 = false;
9330
0
      }
9331
0
      build_nsec = !build_nsec3;
9332
0
    } else {
9333
      /* If neither chain is found, default to NSEC */
9334
0
      build_nsec = true;
9335
0
    }
9336
0
  }
9337
9338
0
  while (signing != NULL && nodes-- > 0 && signatures > 0) {
9339
0
    bool has_alg = false;
9340
9341
0
    dns_dbiterator_pause(signing->dbiterator);
9342
0
    nextsigning = ISC_LIST_NEXT(signing, link);
9343
9344
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
9345
0
    if (signing->done || signing->db != zone->db) {
9346
      /*
9347
       * The zone has been reloaded.  We will have to
9348
       * created new signings as part of the reload
9349
       * process so we can destroy this one.
9350
       */
9351
0
      ISC_LIST_UNLINK(zone->signing, signing, link);
9352
0
      ISC_LIST_APPEND(cleanup, signing, link);
9353
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9354
0
      goto next_signing;
9355
0
    }
9356
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9357
9358
0
    if (signing->db != db) {
9359
0
      goto next_signing;
9360
0
    }
9361
9362
0
    is_bottom_of_zone = false;
9363
9364
0
    if (first && signing->deleteit) {
9365
      /*
9366
       * Remove the key we are deleting from consideration.
9367
       */
9368
0
      for (i = 0, j = 0; i < nkeys; i++) {
9369
        /*
9370
         * Find the key we want to remove.
9371
         */
9372
0
        if (ALG(zone_keys[i]) == signing->algorithm &&
9373
0
            dst_key_id(zone_keys[i]) == signing->keyid)
9374
0
        {
9375
0
          dst_key_free(&zone_keys[i]);
9376
0
          continue;
9377
0
        }
9378
0
        zone_keys[j] = zone_keys[i];
9379
0
        j++;
9380
0
      }
9381
0
      for (i = j; i < nkeys; i++) {
9382
0
        zone_keys[i] = NULL;
9383
0
      }
9384
0
      nkeys = j;
9385
0
    }
9386
9387
0
    dns_dbiterator_current(signing->dbiterator, &node, name);
9388
9389
0
    if (signing->deleteit) {
9390
0
      dns_dbiterator_pause(signing->dbiterator);
9391
0
      CHECK(del_sig(db, version, name, node, nkeys,
9392
0
              signing->algorithm, signing->keyid,
9393
0
              &has_alg, zonediff.diff));
9394
0
    }
9395
9396
    /*
9397
     * On the first pass we need to check if the current node
9398
     * has not been obscured.
9399
     */
9400
0
    if (first) {
9401
0
      dns_fixedname_t ffound;
9402
0
      dns_name_t *found;
9403
0
      found = dns_fixedname_initname(&ffound);
9404
0
      result = dns_db_find(
9405
0
        db, name, version, dns_rdatatype_soa,
9406
0
        DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
9407
0
      if ((result == DNS_R_DELEGATION ||
9408
0
           result == DNS_R_DNAME) &&
9409
0
          !dns_name_equal(name, found))
9410
0
      {
9411
        /*
9412
         * Remember the obscuring name so that
9413
         * we skip all obscured names.
9414
         */
9415
0
        dns_name_copy(found, name);
9416
0
        is_bottom_of_zone = true;
9417
0
        goto next_node;
9418
0
      }
9419
0
    }
9420
9421
    /*
9422
     * Process one node.
9423
     */
9424
0
    with_ksk = false;
9425
0
    with_zsk = false;
9426
0
    dns_dbiterator_pause(signing->dbiterator);
9427
9428
0
    CHECK(check_if_bottom_of_zone(db, node, version,
9429
0
                &is_bottom_of_zone));
9430
9431
0
    for (i = 0; !has_alg && i < nkeys; i++) {
9432
0
      bool both = false;
9433
      /*
9434
       * Find the keys we want to sign with.
9435
       */
9436
0
      if (!dst_key_isprivate(zone_keys[i])) {
9437
0
        continue;
9438
0
      }
9439
0
      if (dst_key_inactive(zone_keys[i])) {
9440
0
        continue;
9441
0
      }
9442
9443
      /*
9444
       * When adding look for the specific key.
9445
       */
9446
0
      if (!signing->deleteit &&
9447
0
          (dst_key_alg(zone_keys[i]) != signing->algorithm ||
9448
0
           dst_key_id(zone_keys[i]) != signing->keyid))
9449
0
      {
9450
0
        continue;
9451
0
      }
9452
9453
      /*
9454
       * When deleting make sure we are properly signed
9455
       * with the algorithm that was being removed.
9456
       */
9457
0
      if (signing->deleteit &&
9458
0
          ALG(zone_keys[i]) != signing->algorithm)
9459
0
      {
9460
0
        continue;
9461
0
      }
9462
9463
      /*
9464
       * We do KSK processing.
9465
       */
9466
0
      if (use_kasp) {
9467
        /*
9468
         * A dnssec-policy is found. Check what
9469
         * RRsets this key can sign.
9470
         */
9471
0
        isc_result_t kresult;
9472
0
        is_ksk = false;
9473
0
        kresult = dst_key_getbool(
9474
0
          zone_keys[i], DST_BOOL_KSK, &is_ksk);
9475
0
        if (kresult != ISC_R_SUCCESS) {
9476
0
          if (KSK(zone_keys[i])) {
9477
0
            is_ksk = true;
9478
0
          }
9479
0
        }
9480
9481
0
        is_zsk = false;
9482
0
        kresult = dst_key_getbool(
9483
0
          zone_keys[i], DST_BOOL_ZSK, &is_zsk);
9484
0
        if (kresult != ISC_R_SUCCESS) {
9485
0
          if (!KSK(zone_keys[i])) {
9486
0
            is_zsk = true;
9487
0
          }
9488
0
        }
9489
0
        both = true;
9490
0
      } else {
9491
0
        is_ksk = KSK(zone_keys[i]);
9492
0
        is_zsk = !is_ksk;
9493
9494
        /*
9495
         * Don't consider inactive keys, however the key
9496
         * may be temporary offline, so do consider KSKs
9497
         * which private key files are unavailable.
9498
         */
9499
0
        both = dst_key_have_ksk_and_zsk(
9500
0
          zone_keys, nkeys, i, false, is_ksk,
9501
0
          is_zsk, NULL, NULL);
9502
0
        if (both || REVOKE(zone_keys[i])) {
9503
0
          is_ksk = KSK(zone_keys[i]);
9504
0
          is_zsk = !KSK(zone_keys[i]);
9505
0
        } else {
9506
0
          is_ksk = false;
9507
0
          is_zsk = false;
9508
0
        }
9509
0
      }
9510
9511
      /*
9512
       * If deleting signatures, we need to ensure that
9513
       * the RRset is still signed at least once by a
9514
       * KSK and a ZSK.
9515
       */
9516
0
      if (signing->deleteit && is_zsk && with_zsk) {
9517
0
        continue;
9518
0
      }
9519
9520
0
      if (signing->deleteit && is_ksk && with_ksk) {
9521
0
        continue;
9522
0
      }
9523
9524
0
      CHECK(sign_a_node(
9525
0
        db, zone, name, node, version, build_nsec3,
9526
0
        build_nsec, zone_keys[i], now, inception,
9527
0
        expire, zone_nsecttl(zone), both, is_ksk,
9528
0
        is_zsk, is_bottom_of_zone, zonediff.diff,
9529
0
        &signatures, zone->mctx));
9530
      /*
9531
       * If we are adding we are done.  Look for other keys
9532
       * of the same algorithm if deleting.
9533
       */
9534
0
      if (!signing->deleteit) {
9535
0
        break;
9536
0
      }
9537
0
      if (is_zsk) {
9538
0
        with_zsk = true;
9539
0
      }
9540
0
      if (is_ksk) {
9541
0
        with_ksk = true;
9542
0
      }
9543
0
    }
9544
9545
    /*
9546
     * Go onto next node.
9547
     */
9548
0
  next_node:
9549
0
    first = false;
9550
0
    dns_db_detachnode(db, &node);
9551
0
    do {
9552
0
      result = dns_dbiterator_next(signing->dbiterator);
9553
0
      if (result == ISC_R_NOMORE) {
9554
0
        ISC_LIST_UNLINK(zone->signing, signing, link);
9555
0
        ISC_LIST_APPEND(cleanup, signing, link);
9556
0
        dns_dbiterator_pause(signing->dbiterator);
9557
0
        if (nkeys != 0 && build_nsec) {
9558
          /*
9559
           * We have finished regenerating the
9560
           * zone with a zone signing key.
9561
           * The NSEC chain is now complete and
9562
           * there is a full set of signatures
9563
           * for the zone.  We can now clear the
9564
           * OPT bit from the NSEC record.
9565
           */
9566
0
          result = updatesecure(
9567
0
            db, version, &zone->origin,
9568
0
            zone_nsecttl(zone), false,
9569
0
            &post_diff);
9570
0
          if (result != ISC_R_SUCCESS) {
9571
0
            dnssec_log(zone, ISC_LOG_ERROR,
9572
0
                 "updatesecure -> %s",
9573
0
                 isc_result_totext(
9574
0
                   result));
9575
0
            goto cleanup;
9576
0
          }
9577
0
        }
9578
0
        result = updatesignwithkey(
9579
0
          zone, signing, version, build_nsec3,
9580
0
          zone_nsecttl(zone), &post_diff);
9581
0
        if (result != ISC_R_SUCCESS) {
9582
0
          dnssec_log(zone, ISC_LOG_ERROR,
9583
0
               "updatesignwithkey -> %s",
9584
0
               isc_result_totext(result));
9585
0
          goto cleanup;
9586
0
        }
9587
0
        build_nsec = false;
9588
0
        goto next_signing;
9589
0
      } else if (result != ISC_R_SUCCESS) {
9590
0
        dnssec_log(zone, ISC_LOG_ERROR,
9591
0
             "zone_sign:"
9592
0
             "dns_dbiterator_next -> %s",
9593
0
             isc_result_totext(result));
9594
0
        goto cleanup;
9595
0
      } else if (is_bottom_of_zone) {
9596
0
        dns_dbiterator_current(signing->dbiterator,
9597
0
                   &node, nextname);
9598
0
        dns_db_detachnode(db, &node);
9599
0
        if (!dns_name_issubdomain(nextname, name)) {
9600
0
          break;
9601
0
        }
9602
0
      } else {
9603
0
        break;
9604
0
      }
9605
0
    } while (1);
9606
0
    continue;
9607
9608
0
  next_signing:
9609
0
    dns_dbiterator_pause(signing->dbiterator);
9610
0
    signing = nextsigning;
9611
0
    first = true;
9612
0
  }
9613
9614
0
  if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
9615
0
    result = dns__zone_updatesigs(&post_diff, db, version,
9616
0
                zone_keys, nkeys, zone, inception,
9617
0
                expire, 0, now, &zonediff);
9618
0
    if (result != ISC_R_SUCCESS) {
9619
0
      dnssec_log(zone, ISC_LOG_ERROR,
9620
0
           "zone_sign:dns__zone_updatesigs -> %s",
9621
0
           isc_result_totext(result));
9622
0
      goto cleanup;
9623
0
    }
9624
0
  }
9625
9626
  /*
9627
   * Have we changed anything?
9628
   */
9629
0
  if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
9630
0
    if (zonediff.offline) {
9631
0
      commit = true;
9632
0
    }
9633
0
    result = ISC_R_SUCCESS;
9634
0
    goto pauseall;
9635
0
  }
9636
9637
0
  commit = true;
9638
9639
0
  result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
9640
0
        &zonediff, zone_keys, nkeys, now, false);
9641
0
  if (result != ISC_R_SUCCESS) {
9642
0
    dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s",
9643
0
         isc_result_totext(result));
9644
0
    goto cleanup;
9645
0
  }
9646
9647
0
  result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
9648
0
           zone->updatemethod);
9649
0
  if (result != ISC_R_SUCCESS) {
9650
0
    dnssec_log(zone, ISC_LOG_ERROR,
9651
0
         "zone_sign:update_soa_serial -> %s",
9652
0
         isc_result_totext(result));
9653
0
    goto cleanup;
9654
0
  }
9655
9656
  /*
9657
   * Generate maximum life time signatures so that the above loop
9658
   * termination is sensible.
9659
   */
9660
0
  result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
9661
0
        zonediff.diff, zone_keys, nkeys, zone->mctx, now,
9662
0
        inception, soaexpire);
9663
0
  if (result != ISC_R_SUCCESS) {
9664
0
    dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
9665
0
         isc_result_totext(result));
9666
0
    goto cleanup;
9667
0
  }
9668
9669
  /*
9670
   * Write changes to journal file.
9671
   */
9672
0
  CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign"));
9673
9674
0
pauseall:
9675
  /*
9676
   * Pause all iterators so that dns_db_closeversion() can succeed.
9677
   */
9678
0
  for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
9679
0
       signing = ISC_LIST_NEXT(signing, link))
9680
0
  {
9681
0
    dns_dbiterator_pause(signing->dbiterator);
9682
0
  }
9683
9684
0
  for (signing = ISC_LIST_HEAD(cleanup); signing != NULL;
9685
0
       signing = ISC_LIST_NEXT(signing, link))
9686
0
  {
9687
0
    dns_dbiterator_pause(signing->dbiterator);
9688
0
  }
9689
9690
  /*
9691
   * Everything has succeeded. Commit the changes.
9692
   */
9693
0
  dns_db_closeversion(db, &version, commit);
9694
9695
  /*
9696
   * Everything succeeded so we can clean these up now.
9697
   */
9698
0
  signing = ISC_LIST_HEAD(cleanup);
9699
0
  while (signing != NULL) {
9700
0
    ISC_LIST_UNLINK(cleanup, signing, link);
9701
0
    dns_db_detach(&signing->db);
9702
0
    dns_dbiterator_destroy(&signing->dbiterator);
9703
0
    isc_mem_put(zone->mctx, signing, sizeof *signing);
9704
0
    signing = ISC_LIST_HEAD(cleanup);
9705
0
  }
9706
9707
0
  LOCK_ZONE(zone);
9708
0
  set_resigntime(zone);
9709
0
  if (commit) {
9710
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
9711
0
    zone_needdump(zone, DNS_DUMP_DELAY);
9712
0
  }
9713
0
  UNLOCK_ZONE(zone);
9714
9715
0
failure:
9716
0
  if (result != ISC_R_SUCCESS) {
9717
0
    dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
9718
0
         isc_result_totext(result));
9719
0
  }
9720
9721
0
cleanup:
9722
  /*
9723
   * Pause all dbiterators.
9724
   */
9725
0
  for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
9726
0
       signing = ISC_LIST_NEXT(signing, link))
9727
0
  {
9728
0
    dns_dbiterator_pause(signing->dbiterator);
9729
0
  }
9730
9731
  /*
9732
   * Rollback the cleanup list.
9733
   */
9734
0
  signing = ISC_LIST_HEAD(cleanup);
9735
0
  while (signing != NULL) {
9736
0
    ISC_LIST_UNLINK(cleanup, signing, link);
9737
0
    ISC_LIST_PREPEND(zone->signing, signing, link);
9738
0
    dns_dbiterator_first(signing->dbiterator);
9739
0
    dns_dbiterator_pause(signing->dbiterator);
9740
0
    signing = ISC_LIST_HEAD(cleanup);
9741
0
  }
9742
9743
0
  dns_diff_clear(&_sig_diff);
9744
9745
0
  for (i = 0; i < nkeys; i++) {
9746
0
    dst_key_free(&zone_keys[i]);
9747
0
  }
9748
9749
0
  if (node != NULL) {
9750
0
    dns_db_detachnode(db, &node);
9751
0
  }
9752
9753
0
  if (version != NULL) {
9754
0
    dns_db_closeversion(db, &version, false);
9755
0
    dns_db_detach(&db);
9756
0
  } else if (db != NULL) {
9757
0
    dns_db_detach(&db);
9758
0
  }
9759
9760
0
  LOCK_ZONE(zone);
9761
0
  if (ISC_LIST_HEAD(zone->signing) != NULL) {
9762
0
    isc_interval_t interval;
9763
0
    if (zone->update_disabled || result != ISC_R_SUCCESS) {
9764
0
      isc_interval_set(&interval, 60, 0); /* 1 minute */
9765
0
    } else {
9766
0
      isc_interval_set(&interval, 0, 10000000); /* 10 ms */
9767
0
    }
9768
0
    isc_time_nowplusinterval(&zone->signingtime, &interval);
9769
0
  } else {
9770
0
    isc_time_settoepoch(&zone->signingtime);
9771
0
  }
9772
0
  UNLOCK_ZONE(zone);
9773
9774
0
  INSIST(version == NULL);
9775
0
}
9776
9777
static isc_result_t
9778
normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data,
9779
0
        int size) {
9780
0
  dns_rdata_dnskey_t dnskey;
9781
0
  dns_rdata_keydata_t keydata;
9782
0
  isc_buffer_t buf;
9783
0
  isc_result_t result;
9784
9785
0
  dns_rdata_reset(target);
9786
0
  isc_buffer_init(&buf, data, size);
9787
9788
0
  switch (rr->type) {
9789
0
  case dns_rdatatype_dnskey:
9790
0
    result = dns_rdata_tostruct(rr, &dnskey, NULL);
9791
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
9792
0
    dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
9793
0
    dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
9794
0
             &dnskey, &buf);
9795
0
    break;
9796
0
  case dns_rdatatype_keydata:
9797
0
    result = dns_rdata_tostruct(rr, &keydata, NULL);
9798
0
    if (result == ISC_R_UNEXPECTEDEND) {
9799
0
      return (result);
9800
0
    }
9801
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
9802
0
    dns_keydata_todnskey(&keydata, &dnskey, NULL);
9803
0
    dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
9804
0
             &dnskey, &buf);
9805
0
    break;
9806
0
  default:
9807
0
    UNREACHABLE();
9808
0
  }
9809
0
  return (ISC_R_SUCCESS);
9810
0
}
9811
9812
/*
9813
 * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
9814
 * a KEYDATA rdataset from the key zone.
9815
 *
9816
 * 'rr' contains either a DNSKEY record, or a KEYDATA record
9817
 *
9818
 * After normalizing keys to the same format (DNSKEY, with revoke bit
9819
 * cleared), return true if a key that matches 'rr' is found in
9820
 * 'rdset', or false if not.
9821
 */
9822
9823
static bool
9824
0
matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
9825
0
  unsigned char data1[4096], data2[4096];
9826
0
  dns_rdata_t rdata, rdata1, rdata2;
9827
0
  isc_result_t result;
9828
9829
0
  dns_rdata_init(&rdata);
9830
0
  dns_rdata_init(&rdata1);
9831
0
  dns_rdata_init(&rdata2);
9832
9833
0
  result = normalize_key(rr, &rdata1, data1, sizeof(data1));
9834
0
  if (result != ISC_R_SUCCESS) {
9835
0
    return (false);
9836
0
  }
9837
9838
0
  for (result = dns_rdataset_first(rdset); result == ISC_R_SUCCESS;
9839
0
       result = dns_rdataset_next(rdset))
9840
0
  {
9841
0
    dns_rdata_reset(&rdata);
9842
0
    dns_rdataset_current(rdset, &rdata);
9843
0
    result = normalize_key(&rdata, &rdata2, data2, sizeof(data2));
9844
0
    if (result != ISC_R_SUCCESS) {
9845
0
      continue;
9846
0
    }
9847
0
    if (dns_rdata_compare(&rdata1, &rdata2) == 0) {
9848
0
      return (true);
9849
0
    }
9850
0
  }
9851
9852
0
  return (false);
9853
0
}
9854
9855
/*
9856
 * Calculate the refresh interval for a keydata zone, per
9857
 * RFC5011: MAX(1 hr,
9858
 *    MIN(15 days,
9859
 *        1/2 * OrigTTL,
9860
 *        1/2 * RRSigExpirationInterval))
9861
 * or for retries: MAX(1 hr,
9862
 *           MIN(1 day,
9863
 *         1/10 * OrigTTL,
9864
 *         1/10 * RRSigExpirationInterval))
9865
 */
9866
static isc_stdtime_t
9867
0
refresh_time(dns_keyfetch_t *kfetch, bool retry) {
9868
0
  isc_result_t result;
9869
0
  uint32_t t;
9870
0
  dns_rdataset_t *rdset;
9871
0
  dns_rdata_t sigrr = DNS_RDATA_INIT;
9872
0
  dns_rdata_sig_t sig;
9873
0
  isc_stdtime_t now = isc_stdtime_now();
9874
9875
0
  if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
9876
0
    rdset = &kfetch->dnskeysigset;
9877
0
  } else {
9878
0
    return (now + dns_zone_mkey_hour);
9879
0
  }
9880
9881
0
  result = dns_rdataset_first(rdset);
9882
0
  if (result != ISC_R_SUCCESS) {
9883
0
    return (now + dns_zone_mkey_hour);
9884
0
  }
9885
9886
0
  dns_rdataset_current(rdset, &sigrr);
9887
0
  result = dns_rdata_tostruct(&sigrr, &sig, NULL);
9888
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
9889
9890
0
  if (!retry) {
9891
0
    t = sig.originalttl / 2;
9892
9893
0
    if (isc_serial_gt(sig.timeexpire, now)) {
9894
0
      uint32_t exp = (sig.timeexpire - now) / 2;
9895
0
      if (t > exp) {
9896
0
        t = exp;
9897
0
      }
9898
0
    }
9899
9900
0
    if (t > (15 * dns_zone_mkey_day)) {
9901
0
      t = (15 * dns_zone_mkey_day);
9902
0
    }
9903
9904
0
    if (t < dns_zone_mkey_hour) {
9905
0
      t = dns_zone_mkey_hour;
9906
0
    }
9907
0
  } else {
9908
0
    t = sig.originalttl / 10;
9909
9910
0
    if (isc_serial_gt(sig.timeexpire, now)) {
9911
0
      uint32_t exp = (sig.timeexpire - now) / 10;
9912
0
      if (t > exp) {
9913
0
        t = exp;
9914
0
      }
9915
0
    }
9916
9917
0
    if (t > dns_zone_mkey_day) {
9918
0
      t = dns_zone_mkey_day;
9919
0
    }
9920
9921
0
    if (t < dns_zone_mkey_hour) {
9922
0
      t = dns_zone_mkey_hour;
9923
0
    }
9924
0
  }
9925
9926
0
  return (now + t);
9927
0
}
9928
9929
/*
9930
 * This routine is called when no changes are needed in a KEYDATA
9931
 * record except to simply update the refresh timer.  Caller should
9932
 * hold zone lock.
9933
 */
9934
static isc_result_t
9935
0
minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff) {
9936
0
  isc_result_t result;
9937
0
  isc_buffer_t keyb;
9938
0
  unsigned char key_buf[4096];
9939
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
9940
0
  dns_rdata_keydata_t keydata;
9941
0
  dns_name_t *name;
9942
0
  dns_zone_t *zone = kfetch->zone;
9943
0
  isc_stdtime_t now = isc_stdtime_now();
9944
9945
0
  name = dns_fixedname_name(&kfetch->name);
9946
9947
0
  for (result = dns_rdataset_first(&kfetch->keydataset);
9948
0
       result == ISC_R_SUCCESS;
9949
0
       result = dns_rdataset_next(&kfetch->keydataset))
9950
0
  {
9951
0
    dns_rdata_reset(&rdata);
9952
0
    dns_rdataset_current(&kfetch->keydataset, &rdata);
9953
9954
    /* Delete old version */
9955
0
    CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL, name,
9956
0
            0, &rdata));
9957
9958
    /* Update refresh timer */
9959
0
    result = dns_rdata_tostruct(&rdata, &keydata, NULL);
9960
0
    if (result == ISC_R_UNEXPECTEDEND) {
9961
0
      continue;
9962
0
    }
9963
0
    if (result != ISC_R_SUCCESS) {
9964
0
      goto failure;
9965
0
    }
9966
0
    keydata.refresh = refresh_time(kfetch, true);
9967
0
    set_refreshkeytimer(zone, &keydata, now, false);
9968
9969
0
    dns_rdata_reset(&rdata);
9970
0
    isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
9971
0
    CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass,
9972
0
             dns_rdatatype_keydata, &keydata,
9973
0
             &keyb));
9974
9975
    /* Insert updated version */
9976
0
    CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD, name,
9977
0
            0, &rdata));
9978
0
  }
9979
0
  result = ISC_R_SUCCESS;
9980
0
failure:
9981
0
  return (result);
9982
0
}
9983
9984
/*
9985
 * Verify that DNSKEY set is signed by the key specified in 'keydata'.
9986
 */
9987
static bool
9988
0
revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
9989
0
  isc_result_t result;
9990
0
  dns_name_t *keyname;
9991
0
  isc_mem_t *mctx;
9992
0
  dns_rdata_t sigrr = DNS_RDATA_INIT;
9993
0
  dns_rdata_t rr = DNS_RDATA_INIT;
9994
0
  dns_rdata_rrsig_t sig;
9995
0
  dns_rdata_dnskey_t dnskey;
9996
0
  dst_key_t *dstkey = NULL;
9997
0
  unsigned char key_buf[4096];
9998
0
  isc_buffer_t keyb;
9999
0
  bool answer = false;
10000
10001
0
  REQUIRE(kfetch != NULL && keydata != NULL);
10002
0
  REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
10003
10004
0
  keyname = dns_fixedname_name(&kfetch->name);
10005
0
  mctx = kfetch->zone->view->mctx;
10006
10007
  /* Generate a key from keydata */
10008
0
  isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
10009
0
  dns_keydata_todnskey(keydata, &dnskey, NULL);
10010
0
  dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey,
10011
0
           &dnskey, &keyb);
10012
0
  result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
10013
0
  if (result != ISC_R_SUCCESS) {
10014
0
    return (false);
10015
0
  }
10016
10017
  /* See if that key generated any of the signatures */
10018
0
  for (result = dns_rdataset_first(&kfetch->dnskeysigset);
10019
0
       result == ISC_R_SUCCESS;
10020
0
       result = dns_rdataset_next(&kfetch->dnskeysigset))
10021
0
  {
10022
0
    dns_fixedname_t fixed;
10023
0
    dns_fixedname_init(&fixed);
10024
10025
0
    dns_rdata_reset(&sigrr);
10026
0
    dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
10027
0
    result = dns_rdata_tostruct(&sigrr, &sig, NULL);
10028
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
10029
10030
0
    if (dst_key_alg(dstkey) == sig.algorithm &&
10031
0
        dst_key_rid(dstkey) == sig.keyid)
10032
0
    {
10033
0
      result = dns_dnssec_verify(
10034
0
        keyname, &kfetch->dnskeyset, dstkey, false, 0,
10035
0
        mctx, &sigrr, dns_fixedname_name(&fixed));
10036
10037
0
      dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3),
10038
0
           "Confirm revoked DNSKEY is self-signed: %s",
10039
0
           isc_result_totext(result));
10040
10041
0
      if (result == ISC_R_SUCCESS) {
10042
0
        answer = true;
10043
0
        break;
10044
0
      }
10045
0
    }
10046
0
  }
10047
10048
0
  dst_key_free(&dstkey);
10049
0
  return (answer);
10050
0
}
10051
10052
/*
10053
 * A DNSKEY set has been fetched from the zone apex of a zone whose trust
10054
 * anchors are being managed; scan the keyset, and update the key zone and the
10055
 * local trust anchors according to RFC5011.
10056
 */
10057
static void
10058
0
keyfetch_done(void *arg) {
10059
0
  dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg;
10060
0
  isc_result_t result, eresult;
10061
0
  dns_keyfetch_t *kfetch = NULL;
10062
0
  dns_zone_t *zone = NULL;
10063
0
  isc_mem_t *mctx = NULL;
10064
0
  dns_keytable_t *secroots = NULL;
10065
0
  dns_dbversion_t *ver = NULL;
10066
0
  dns_diff_t diff;
10067
0
  bool alldone = false;
10068
0
  bool commit = false;
10069
0
  dns_name_t *keyname = NULL;
10070
0
  dns_rdata_t sigrr = DNS_RDATA_INIT;
10071
0
  dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
10072
0
  dns_rdata_t keydatarr = DNS_RDATA_INIT;
10073
0
  dns_rdata_rrsig_t sig;
10074
0
  dns_rdata_dnskey_t dnskey;
10075
0
  dns_rdata_keydata_t keydata;
10076
0
  bool initializing;
10077
0
  char namebuf[DNS_NAME_FORMATSIZE];
10078
0
  unsigned char key_buf[4096];
10079
0
  isc_buffer_t keyb;
10080
0
  dst_key_t *dstkey = NULL;
10081
0
  isc_stdtime_t now;
10082
0
  int pending = 0;
10083
0
  bool secure = false, initial = false;
10084
0
  bool free_needed;
10085
0
  dns_keynode_t *keynode = NULL;
10086
0
  dns_rdataset_t *dnskeys = NULL, *dnskeysigs = NULL;
10087
0
  dns_rdataset_t *keydataset = NULL, dsset;
10088
10089
0
  INSIST(resp != NULL);
10090
10091
0
  kfetch = resp->arg;
10092
10093
0
  INSIST(kfetch != NULL);
10094
10095
0
  zone = kfetch->zone;
10096
0
  mctx = kfetch->mctx;
10097
0
  keyname = dns_fixedname_name(&kfetch->name);
10098
0
  dnskeys = &kfetch->dnskeyset;
10099
0
  dnskeysigs = &kfetch->dnskeysigset;
10100
0
  keydataset = &kfetch->keydataset;
10101
10102
0
  eresult = resp->result;
10103
10104
  /* Free resources which are not of interest */
10105
0
  if (resp->node != NULL) {
10106
0
    dns_db_detachnode(resp->db, &resp->node);
10107
0
  }
10108
0
  if (resp->db != NULL) {
10109
0
    dns_db_detach(&resp->db);
10110
0
  }
10111
10112
0
  dns_resolver_destroyfetch(&kfetch->fetch);
10113
10114
0
  LOCK_ZONE(zone);
10115
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
10116
0
    goto cleanup;
10117
0
  }
10118
10119
0
  now = isc_stdtime_now();
10120
0
  dns_name_format(keyname, namebuf, sizeof(namebuf));
10121
10122
0
  result = dns_view_getsecroots(zone->view, &secroots);
10123
0
  INSIST(result == ISC_R_SUCCESS);
10124
10125
0
  dns_diff_init(mctx, &diff);
10126
10127
0
  CHECK(dns_db_newversion(kfetch->db, &ver));
10128
10129
0
  zone->refreshkeycount--;
10130
0
  alldone = (zone->refreshkeycount == 0);
10131
10132
0
  if (alldone) {
10133
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
10134
0
  }
10135
10136
0
  dnssec_log(zone, ISC_LOG_DEBUG(3),
10137
0
       "Returned from key fetch in keyfetch_done() for '%s': %s",
10138
0
       namebuf, isc_result_totext(eresult));
10139
10140
  /* Fetch failed */
10141
0
  if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(dnskeys)) {
10142
0
    dnssec_log(zone, ISC_LOG_WARNING,
10143
0
         "Unable to fetch DNSKEY set '%s': %s", namebuf,
10144
0
         isc_result_totext(eresult));
10145
0
    CHECK(minimal_update(kfetch, ver, &diff));
10146
0
    goto done;
10147
0
  }
10148
10149
  /* No RRSIGs found */
10150
0
  if (!dns_rdataset_isassociated(dnskeysigs)) {
10151
0
    dnssec_log(zone, ISC_LOG_WARNING,
10152
0
         "No DNSKEY RRSIGs found for '%s': %s", namebuf,
10153
0
         isc_result_totext(eresult));
10154
0
    CHECK(minimal_update(kfetch, ver, &diff));
10155
0
    goto done;
10156
0
  }
10157
10158
  /*
10159
   * Clear any cached trust level, as we need to run validation
10160
   * over again; trusted keys might have changed.
10161
   */
10162
0
  dnskeys->trust = dnskeysigs->trust = dns_trust_none;
10163
10164
  /* Look up the trust anchor */
10165
0
  result = dns_keytable_find(secroots, keyname, &keynode);
10166
0
  if (result != ISC_R_SUCCESS) {
10167
0
    goto anchors_done;
10168
0
  }
10169
10170
  /*
10171
   * If the keynode has a DS trust anchor, use it for verification.
10172
   */
10173
0
  dns_rdataset_init(&dsset);
10174
0
  if (dns_keynode_dsset(keynode, &dsset)) {
10175
0
    for (result = dns_rdataset_first(dnskeysigs);
10176
0
         result == ISC_R_SUCCESS;
10177
0
         result = dns_rdataset_next(dnskeysigs))
10178
0
    {
10179
0
      isc_result_t tresult;
10180
0
      dns_rdata_t keyrdata = DNS_RDATA_INIT;
10181
10182
0
      dns_rdata_reset(&sigrr);
10183
0
      dns_rdataset_current(dnskeysigs, &sigrr);
10184
0
      result = dns_rdata_tostruct(&sigrr, &sig, NULL);
10185
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
10186
10187
0
      for (tresult = dns_rdataset_first(&dsset);
10188
0
           tresult == ISC_R_SUCCESS;
10189
0
           tresult = dns_rdataset_next(&dsset))
10190
0
      {
10191
0
        dns_rdata_t dsrdata = DNS_RDATA_INIT;
10192
0
        dns_rdata_ds_t ds;
10193
10194
0
        dns_rdata_reset(&dsrdata);
10195
0
        dns_rdataset_current(&dsset, &dsrdata);
10196
0
        tresult = dns_rdata_tostruct(&dsrdata, &ds,
10197
0
                   NULL);
10198
0
        RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
10199
10200
0
        if (ds.key_tag != sig.keyid ||
10201
0
            ds.algorithm != sig.algorithm)
10202
0
        {
10203
0
          continue;
10204
0
        }
10205
10206
0
        result = dns_dnssec_matchdskey(
10207
0
          keyname, &dsrdata, dnskeys, &keyrdata);
10208
0
        if (result == ISC_R_SUCCESS) {
10209
0
          break;
10210
0
        }
10211
0
      }
10212
10213
0
      if (tresult == ISC_R_NOMORE) {
10214
0
        continue;
10215
0
      }
10216
10217
0
      result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
10218
0
               mctx, &dstkey);
10219
0
      if (result != ISC_R_SUCCESS) {
10220
0
        continue;
10221
0
      }
10222
10223
0
      result = dns_dnssec_verify(keyname, dnskeys, dstkey,
10224
0
               false, 0, mctx, &sigrr,
10225
0
               NULL);
10226
0
      dst_key_free(&dstkey);
10227
10228
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
10229
0
           "Verifying DNSKEY set for zone "
10230
0
           "'%s' using DS %d/%d: %s",
10231
0
           namebuf, sig.keyid, sig.algorithm,
10232
0
           isc_result_totext(result));
10233
10234
0
      if (result == ISC_R_SUCCESS) {
10235
0
        dnskeys->trust = dns_trust_secure;
10236
0
        dnskeysigs->trust = dns_trust_secure;
10237
0
        initial = dns_keynode_initial(keynode);
10238
0
        dns_keynode_trust(keynode);
10239
0
        secure = true;
10240
0
        break;
10241
0
      }
10242
0
    }
10243
0
    dns_rdataset_disassociate(&dsset);
10244
0
  }
10245
10246
0
anchors_done:
10247
0
  if (keynode != NULL) {
10248
0
    dns_keynode_detach(&keynode);
10249
0
  }
10250
10251
  /*
10252
   * If we were not able to verify the answer using the current
10253
   * trusted keys then all we can do is look at any revoked keys.
10254
   */
10255
0
  if (!secure) {
10256
0
    dnssec_log(zone, ISC_LOG_INFO,
10257
0
         "DNSKEY set for zone '%s' could not be verified "
10258
0
         "with current keys",
10259
0
         namebuf);
10260
0
  }
10261
10262
  /*
10263
   * First scan keydataset to find keys that are not in dnskeyset
10264
   *   - Missing keys which are not scheduled for removal,
10265
   *     log a warning
10266
   *   - Missing keys which are scheduled for removal and
10267
   *     the remove hold-down timer has completed should
10268
   *     be removed from the key zone
10269
   *   - Missing keys whose acceptance timers have not yet
10270
   *     completed, log a warning and reset the acceptance
10271
   *     timer to 30 days in the future
10272
   *   - All keys not being removed have their refresh timers
10273
   *     updated
10274
   */
10275
0
  initializing = true;
10276
0
  for (result = dns_rdataset_first(keydataset); result == ISC_R_SUCCESS;
10277
0
       result = dns_rdataset_next(keydataset))
10278
0
  {
10279
0
    dns_keytag_t keytag;
10280
10281
0
    dns_rdata_reset(&keydatarr);
10282
0
    dns_rdataset_current(keydataset, &keydatarr);
10283
0
    result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
10284
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
10285
10286
0
    dns_keydata_todnskey(&keydata, &dnskey, NULL);
10287
0
    result = compute_tag(keyname, &dnskey, mctx, &keytag);
10288
0
    if (result != ISC_R_SUCCESS) {
10289
      /*
10290
       * Skip if we cannot compute the key tag.
10291
       * This may happen if the algorithm is unsupported
10292
       */
10293
0
      dns_zone_log(zone, ISC_LOG_ERROR,
10294
0
             "Cannot compute tag for key in zone %s: "
10295
0
             "%s "
10296
0
             "(skipping)",
10297
0
             namebuf, isc_result_totext(result));
10298
0
      continue;
10299
0
    }
10300
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
10301
10302
    /*
10303
     * If any keydata record has a nonzero add holddown, then
10304
     * there was a pre-existing trust anchor for this domain;
10305
     * that means we are *not* initializing it and shouldn't
10306
     * automatically trust all the keys we find at the zone apex.
10307
     */
10308
0
    initializing = initializing && (keydata.addhd == 0);
10309
10310
0
    if (!matchkey(dnskeys, &keydatarr)) {
10311
0
      bool deletekey = false;
10312
10313
0
      if (!secure) {
10314
0
        if (keydata.removehd != 0 &&
10315
0
            keydata.removehd <= now)
10316
0
        {
10317
0
          deletekey = true;
10318
0
        }
10319
0
      } else if (keydata.addhd == 0) {
10320
0
        deletekey = true;
10321
0
      } else if (keydata.addhd > now) {
10322
0
        dnssec_log(zone, ISC_LOG_INFO,
10323
0
             "Pending key %d for zone %s "
10324
0
             "unexpectedly missing from DNSKEY "
10325
0
             "RRset: restarting 30-day "
10326
0
             "acceptance timer",
10327
0
             keytag, namebuf);
10328
0
        if (keydata.addhd < now + dns_zone_mkey_month) {
10329
0
          keydata.addhd = now +
10330
0
              dns_zone_mkey_month;
10331
0
        }
10332
0
        keydata.refresh = refresh_time(kfetch, false);
10333
0
      } else if (keydata.removehd == 0) {
10334
0
        dnssec_log(zone, ISC_LOG_INFO,
10335
0
             "Active key %d for zone %s "
10336
0
             "unexpectedly missing from DNSKEY "
10337
0
             "RRset",
10338
0
             keytag, namebuf);
10339
0
        keydata.refresh = now + dns_zone_mkey_hour;
10340
0
      } else if (keydata.removehd <= now) {
10341
0
        deletekey = true;
10342
0
        dnssec_log(
10343
0
          zone, ISC_LOG_INFO,
10344
0
          "Revoked key %d for zone %s no longer "
10345
0
          "present in DNSKEY RRset: deleting "
10346
0
          "from managed keys database",
10347
0
          keytag, namebuf);
10348
0
      } else {
10349
0
        keydata.refresh = refresh_time(kfetch, false);
10350
0
      }
10351
10352
0
      if (secure || deletekey) {
10353
        /* Delete old version */
10354
0
        CHECK(update_one_rr(kfetch->db, ver, &diff,
10355
0
                DNS_DIFFOP_DEL, keyname, 0,
10356
0
                &keydatarr));
10357
0
      }
10358
10359
0
      if (!secure || deletekey) {
10360
0
        continue;
10361
0
      }
10362
10363
0
      dns_rdata_reset(&keydatarr);
10364
0
      isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
10365
0
      dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10366
0
               dns_rdatatype_keydata, &keydata,
10367
0
               &keyb);
10368
10369
      /* Insert updated version */
10370
0
      CHECK(update_one_rr(kfetch->db, ver, &diff,
10371
0
              DNS_DIFFOP_ADD, keyname, 0,
10372
0
              &keydatarr));
10373
10374
0
      set_refreshkeytimer(zone, &keydata, now, false);
10375
0
    }
10376
0
  }
10377
10378
  /*
10379
   * Next scan dnskeyset:
10380
   *   - If new keys are found (i.e., lacking a match in keydataset)
10381
   *     add them to the key zone and set the acceptance timer
10382
   *     to 30 days in the future (or to immediately if we've
10383
   *     determined that we're initializing the zone for the
10384
   *     first time)
10385
   *   - Previously-known keys that have been revoked
10386
   *     must be scheduled for removal from the key zone (or,
10387
   *     if they hadn't been accepted as trust anchors yet
10388
   *     anyway, removed at once)
10389
   *   - Previously-known unrevoked keys whose acceptance timers
10390
   *     have completed are promoted to trust anchors
10391
   *   - All keys not being removed have their refresh
10392
   *     timers updated
10393
   */
10394
0
  for (result = dns_rdataset_first(dnskeys); result == ISC_R_SUCCESS;
10395
0
       result = dns_rdataset_next(dnskeys))
10396
0
  {
10397
0
    bool revoked = false;
10398
0
    bool newkey = false;
10399
0
    bool updatekey = false;
10400
0
    bool deletekey = false;
10401
0
    bool trustkey = false;
10402
0
    dns_keytag_t keytag;
10403
10404
0
    dns_rdata_reset(&dnskeyrr);
10405
0
    dns_rdataset_current(dnskeys, &dnskeyrr);
10406
0
    result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
10407
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
10408
10409
    /* Skip ZSK's */
10410
0
    if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) {
10411
0
      continue;
10412
0
    }
10413
10414
0
    result = compute_tag(keyname, &dnskey, mctx, &keytag);
10415
0
    if (result != ISC_R_SUCCESS) {
10416
      /*
10417
       * Skip if we cannot compute the key tag.
10418
       * This may happen if the algorithm is unsupported
10419
       */
10420
0
      dns_zone_log(zone, ISC_LOG_ERROR,
10421
0
             "Cannot compute tag for key in zone %s: "
10422
0
             "%s "
10423
0
             "(skipping)",
10424
0
             namebuf, isc_result_totext(result));
10425
0
      continue;
10426
0
    }
10427
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
10428
10429
0
    revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
10430
10431
0
    if (matchkey(keydataset, &dnskeyrr)) {
10432
0
      dns_rdata_reset(&keydatarr);
10433
0
      dns_rdataset_current(keydataset, &keydatarr);
10434
0
      result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
10435
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
10436
10437
0
      if (revoked && revocable(kfetch, &keydata)) {
10438
0
        if (keydata.addhd > now) {
10439
          /*
10440
           * Key wasn't trusted yet, and now
10441
           * it's been revoked?  Just remove it
10442
           */
10443
0
          deletekey = true;
10444
0
          dnssec_log(zone, ISC_LOG_INFO,
10445
0
               "Pending key %d for "
10446
0
               "zone %s is now revoked: "
10447
0
               "deleting from the "
10448
0
               "managed keys database",
10449
0
               keytag, namebuf);
10450
0
        } else if (keydata.removehd == 0) {
10451
          /*
10452
           * Remove key from secroots.
10453
           */
10454
0
          dns_view_untrust(zone->view, keyname,
10455
0
               &dnskey);
10456
10457
          /* If initializing, delete now */
10458
0
          if (keydata.addhd == 0) {
10459
0
            deletekey = true;
10460
0
          } else {
10461
0
            keydata.removehd =
10462
0
              now +
10463
0
              dns_zone_mkey_month;
10464
0
            keydata.flags |=
10465
0
              DNS_KEYFLAG_REVOKE;
10466
0
          }
10467
10468
0
          dnssec_log(zone, ISC_LOG_INFO,
10469
0
               "Trusted key %d for "
10470
0
               "zone %s is now revoked",
10471
0
               keytag, namebuf);
10472
0
        } else if (keydata.removehd < now) {
10473
          /* Scheduled for removal */
10474
0
          deletekey = true;
10475
10476
0
          dnssec_log(zone, ISC_LOG_INFO,
10477
0
               "Revoked key %d for "
10478
0
               "zone %s removal timer "
10479
0
               "complete: deleting from "
10480
0
               "the managed keys database",
10481
0
               keytag, namebuf);
10482
0
        }
10483
0
      } else if (revoked && keydata.removehd == 0) {
10484
0
        dnssec_log(zone, ISC_LOG_WARNING,
10485
0
             "Active key %d for zone "
10486
0
             "%s is revoked but "
10487
0
             "did not self-sign; "
10488
0
             "ignoring",
10489
0
             keytag, namebuf);
10490
0
        continue;
10491
0
      } else if (secure) {
10492
0
        if (keydata.removehd != 0) {
10493
          /*
10494
           * Key isn't revoked--but it
10495
           * seems it used to be.
10496
           * Remove it now and add it
10497
           * back as if it were a fresh key,
10498
           * with a 30-day acceptance timer.
10499
           */
10500
0
          deletekey = true;
10501
0
          newkey = true;
10502
0
          keydata.removehd = 0;
10503
0
          keydata.addhd = now +
10504
0
              dns_zone_mkey_month;
10505
10506
0
          dnssec_log(zone, ISC_LOG_INFO,
10507
0
               "Revoked key %d for "
10508
0
               "zone %s has returned: "
10509
0
               "starting 30-day "
10510
0
               "acceptance timer",
10511
0
               keytag, namebuf);
10512
0
        } else if (keydata.addhd > now) {
10513
0
          pending++;
10514
0
        } else if (keydata.addhd == 0) {
10515
0
          keydata.addhd = now;
10516
0
        }
10517
10518
0
        if (keydata.addhd <= now) {
10519
0
          trustkey = true;
10520
0
          dnssec_log(zone, ISC_LOG_INFO,
10521
0
               "Key %d for zone %s "
10522
0
               "is now trusted (%s)",
10523
0
               keytag, namebuf,
10524
0
               initial ? "initializing key "
10525
0
                   "verified"
10526
0
                 : "acceptance timer "
10527
0
                   "complete");
10528
0
        }
10529
0
      } else if (keydata.addhd > now) {
10530
        /*
10531
         * Not secure, and key is pending:
10532
         * reset the acceptance timer
10533
         */
10534
0
        pending++;
10535
0
        keydata.addhd = now + dns_zone_mkey_month;
10536
0
        dnssec_log(zone, ISC_LOG_INFO,
10537
0
             "Pending key %d "
10538
0
             "for zone %s was "
10539
0
             "not validated: restarting "
10540
0
             "30-day acceptance timer",
10541
0
             keytag, namebuf);
10542
0
      }
10543
10544
0
      if (!deletekey && !newkey) {
10545
0
        updatekey = true;
10546
0
      }
10547
0
    } else if (secure) {
10548
      /*
10549
       * Key wasn't in the key zone but it's
10550
       * revoked now anyway, so just skip it
10551
       */
10552
0
      if (revoked) {
10553
0
        continue;
10554
0
      }
10555
10556
      /* Key wasn't in the key zone: add it */
10557
0
      newkey = true;
10558
10559
0
      if (initializing) {
10560
0
        dnssec_log(zone, ISC_LOG_WARNING,
10561
0
             "Initializing automatic trust "
10562
0
             "anchor management for zone '%s'; "
10563
0
             "DNSKEY ID %d is now trusted, "
10564
0
             "waiving the normal 30-day "
10565
0
             "waiting period.",
10566
0
             namebuf, keytag);
10567
0
        trustkey = true;
10568
0
      } else {
10569
0
        dnssec_log(zone, ISC_LOG_INFO,
10570
0
             "New key %d observed "
10571
0
             "for zone '%s': "
10572
0
             "starting 30-day "
10573
0
             "acceptance timer",
10574
0
             keytag, namebuf);
10575
0
      }
10576
0
    } else {
10577
      /*
10578
       * No previously known key, and the key is not
10579
       * secure, so skip it.
10580
       */
10581
0
      continue;
10582
0
    }
10583
10584
    /* Delete old version */
10585
0
    if (deletekey || !newkey) {
10586
0
      CHECK(update_one_rr(kfetch->db, ver, &diff,
10587
0
              DNS_DIFFOP_DEL, keyname, 0,
10588
0
              &keydatarr));
10589
0
    }
10590
10591
0
    if (updatekey) {
10592
      /* Set refresh timer */
10593
0
      keydata.refresh = refresh_time(kfetch, false);
10594
0
      dns_rdata_reset(&keydatarr);
10595
0
      isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
10596
0
      dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10597
0
               dns_rdatatype_keydata, &keydata,
10598
0
               &keyb);
10599
10600
      /* Insert updated version */
10601
0
      CHECK(update_one_rr(kfetch->db, ver, &diff,
10602
0
              DNS_DIFFOP_ADD, keyname, 0,
10603
0
              &keydatarr));
10604
0
    } else if (newkey) {
10605
      /* Convert DNSKEY to KEYDATA */
10606
0
      result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
10607
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
10608
0
      dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
10609
0
                 NULL);
10610
0
      keydata.addhd = initializing
10611
0
            ? now
10612
0
            : now + dns_zone_mkey_month;
10613
0
      keydata.refresh = refresh_time(kfetch, false);
10614
0
      dns_rdata_reset(&keydatarr);
10615
0
      isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
10616
0
      dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10617
0
               dns_rdatatype_keydata, &keydata,
10618
0
               &keyb);
10619
10620
      /* Insert into key zone */
10621
0
      CHECK(update_one_rr(kfetch->db, ver, &diff,
10622
0
              DNS_DIFFOP_ADD, keyname, 0,
10623
0
              &keydatarr));
10624
0
    }
10625
10626
0
    if (trustkey) {
10627
      /* Trust this key. */
10628
0
      result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
10629
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
10630
0
      trust_key(zone, keyname, &dnskey, false);
10631
0
    }
10632
10633
0
    if (secure && !deletekey) {
10634
0
      INSIST(newkey || updatekey);
10635
0
      set_refreshkeytimer(zone, &keydata, now, false);
10636
0
    }
10637
0
  }
10638
10639
  /*
10640
   * RFC5011 says, "A trust point that has all of its trust anchors
10641
   * revoked is considered deleted and is treated as if the trust
10642
   * point was never configured."  But if someone revoked their
10643
   * active key before the standby was trusted, that would mean the
10644
   * zone would suddenly be nonsecured.  We avoid this by checking to
10645
   * see if there's pending keydata.  If so, we put a null key in
10646
   * the security roots; then all queries to the zone will fail.
10647
   */
10648
0
  if (pending != 0) {
10649
0
    fail_secure(zone, keyname);
10650
0
  }
10651
10652
0
done:
10653
0
  if (!ISC_LIST_EMPTY(diff.tuples)) {
10654
    /* Write changes to journal file. */
10655
0
    CHECK(update_soa_serial(zone, kfetch->db, ver, &diff, mctx,
10656
0
          zone->updatemethod));
10657
0
    CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done"));
10658
0
    commit = true;
10659
10660
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
10661
0
    zone_needdump(zone, 30);
10662
0
  } else if (result == ISC_R_NOMORE) {
10663
    /*
10664
     * If "updatekey" was true for all keys found in the DNSKEY
10665
     * response and the previous update of those keys happened
10666
     * during the same second (only possible if a key refresh was
10667
     * externally triggered), it may happen that all relevant
10668
     * update_one_rr() calls will return ISC_R_SUCCESS, but
10669
     * diff.tuples will remain empty.  Reset result to
10670
     * ISC_R_SUCCESS to prevent a bogus warning from being logged.
10671
     */
10672
0
    result = ISC_R_SUCCESS;
10673
0
  }
10674
10675
0
failure:
10676
0
  if (result != ISC_R_SUCCESS) {
10677
0
    dnssec_log(zone, ISC_LOG_ERROR,
10678
0
         "error during managed-keys processing (%s): "
10679
0
         "DNSSEC validation may be at risk",
10680
0
         isc_result_totext(result));
10681
0
  }
10682
0
  dns_diff_clear(&diff);
10683
0
  if (ver != NULL) {
10684
0
    dns_db_closeversion(kfetch->db, &ver, commit);
10685
0
  }
10686
10687
0
cleanup:
10688
0
  dns_db_detach(&kfetch->db);
10689
10690
0
  isc_refcount_decrement(&zone->irefs);
10691
10692
0
  if (dns_rdataset_isassociated(keydataset)) {
10693
0
    dns_rdataset_disassociate(keydataset);
10694
0
  }
10695
0
  if (dns_rdataset_isassociated(dnskeys)) {
10696
0
    dns_rdataset_disassociate(dnskeys);
10697
0
  }
10698
0
  if (dns_rdataset_isassociated(dnskeysigs)) {
10699
0
    dns_rdataset_disassociate(dnskeysigs);
10700
0
  }
10701
10702
0
  dns_name_free(keyname, mctx);
10703
0
  isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(dns_keyfetch_t));
10704
0
  isc_mem_putanddetach(&resp->mctx, resp, sizeof(*resp));
10705
10706
0
  if (secroots != NULL) {
10707
0
    dns_keytable_detach(&secroots);
10708
0
  }
10709
10710
0
  free_needed = exit_check(zone);
10711
0
  UNLOCK_ZONE(zone);
10712
10713
0
  if (free_needed) {
10714
0
    zone_free(zone);
10715
0
  }
10716
10717
0
  INSIST(ver == NULL);
10718
0
}
10719
10720
static void
10721
0
retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) {
10722
0
  isc_time_t timenow, timethen;
10723
0
  dns_zone_t *zone = kfetch->zone;
10724
0
  bool free_needed;
10725
0
  char namebuf[DNS_NAME_FORMATSIZE];
10726
10727
0
  dns_name_format(kname, namebuf, sizeof(namebuf));
10728
0
  dnssec_log(zone, ISC_LOG_WARNING,
10729
0
       "Failed to create fetch for %s DNSKEY update", namebuf);
10730
10731
  /*
10732
   * Error during a key fetch; cancel and retry in an hour.
10733
   */
10734
0
  LOCK_ZONE(zone);
10735
0
  zone->refreshkeycount--;
10736
0
  isc_refcount_decrement(&zone->irefs);
10737
0
  dns_db_detach(&kfetch->db);
10738
0
  dns_rdataset_disassociate(&kfetch->keydataset);
10739
0
  dns_name_free(kname, zone->mctx);
10740
0
  isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch));
10741
10742
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10743
    /* Don't really retry if we are exiting */
10744
0
    char timebuf[80];
10745
10746
0
    timenow = isc_time_now();
10747
0
    DNS_ZONE_TIME_ADD(&timenow, dns_zone_mkey_hour, &timethen);
10748
0
    zone->refreshkeytime = timethen;
10749
0
    zone_settimer(zone, &timenow);
10750
10751
0
    isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
10752
0
    dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
10753
0
         timebuf);
10754
0
  }
10755
10756
0
  free_needed = exit_check(zone);
10757
0
  UNLOCK_ZONE(zone);
10758
10759
0
  if (free_needed) {
10760
0
    zone_free(zone);
10761
0
  }
10762
0
}
10763
10764
static void
10765
0
do_keyfetch(void *arg) {
10766
0
  isc_result_t result;
10767
0
  dns_keyfetch_t *kfetch = (dns_keyfetch_t *)arg;
10768
0
  dns_name_t *kname = dns_fixedname_name(&kfetch->name);
10769
0
  dns_resolver_t *resolver = NULL;
10770
0
  dns_zone_t *zone = kfetch->zone;
10771
0
  unsigned int options = DNS_FETCHOPT_NOVALIDATE | DNS_FETCHOPT_UNSHARED |
10772
0
             DNS_FETCHOPT_NOCACHED;
10773
10774
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10775
0
    goto retry;
10776
0
  }
10777
10778
0
  result = dns_view_getresolver(zone->view, &resolver);
10779
0
  if (result != ISC_R_SUCCESS) {
10780
0
    goto retry;
10781
0
  }
10782
10783
  /*
10784
   * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is not
10785
   * set and the cache still holds a non-expired, validated version
10786
   * of the RRset being queried for by the time the response is
10787
   * received, the cached RRset will be passed to keyfetch_done()
10788
   * instead of the one received in the response as the latter will
10789
   * have a lower trust level due to not being validated until
10790
   * keyfetch_done() is called.
10791
   */
10792
0
  result = dns_resolver_createfetch(
10793
0
    resolver, kname, dns_rdatatype_dnskey, NULL, NULL, NULL, NULL,
10794
0
    0, options, 0, NULL, zone->loop, keyfetch_done, kfetch,
10795
0
    &kfetch->dnskeyset, &kfetch->dnskeysigset, &kfetch->fetch);
10796
10797
0
  dns_resolver_detach(&resolver);
10798
0
  if (result == ISC_R_SUCCESS) {
10799
0
    return;
10800
0
  }
10801
0
retry:
10802
0
  retry_keyfetch(kfetch, kname);
10803
0
}
10804
10805
/*
10806
 * Refresh the data in the key zone.  Initiate a fetch to look up
10807
 * DNSKEY records at the trust anchor name.
10808
 */
10809
static void
10810
0
zone_refreshkeys(dns_zone_t *zone) {
10811
0
  isc_result_t result;
10812
0
  dns_rriterator_t rrit;
10813
0
  dns_db_t *db = NULL;
10814
0
  dns_dbversion_t *ver = NULL;
10815
0
  dns_diff_t diff;
10816
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
10817
0
  dns_rdata_keydata_t kd;
10818
0
  isc_stdtime_t now = isc_stdtime_now();
10819
0
  bool commit = false;
10820
0
  bool fetching = false;
10821
0
  bool timerset = false;
10822
10823
0
  ENTER;
10824
0
  REQUIRE(zone->db != NULL);
10825
10826
0
  LOCK_ZONE(zone);
10827
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10828
0
    isc_time_settoepoch(&zone->refreshkeytime);
10829
0
    UNLOCK_ZONE(zone);
10830
0
    return;
10831
0
  }
10832
10833
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
10834
0
  dns_db_attach(zone->db, &db);
10835
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
10836
10837
0
  dns_diff_init(zone->mctx, &diff);
10838
10839
0
  CHECK(dns_db_newversion(db, &ver));
10840
10841
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
10842
10843
0
  dns_rriterator_init(&rrit, db, ver, 0);
10844
0
  for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
10845
0
       result = dns_rriterator_nextrrset(&rrit))
10846
0
  {
10847
0
    isc_stdtime_t timer = 0xffffffff;
10848
0
    dns_name_t *name = NULL, *kname = NULL;
10849
0
    dns_rdataset_t *kdset = NULL;
10850
0
    uint32_t ttl;
10851
10852
0
    dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
10853
0
    if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
10854
0
        !dns_rdataset_isassociated(kdset))
10855
0
    {
10856
0
      continue;
10857
0
    }
10858
10859
    /*
10860
     * Scan the stored keys looking for ones that need
10861
     * removal or refreshing
10862
     */
10863
0
    for (result = dns_rdataset_first(kdset);
10864
0
         result == ISC_R_SUCCESS; result = dns_rdataset_next(kdset))
10865
0
    {
10866
0
      dns_rdata_reset(&rdata);
10867
0
      dns_rdataset_current(kdset, &rdata);
10868
0
      result = dns_rdata_tostruct(&rdata, &kd, NULL);
10869
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
10870
10871
      /* Removal timer expired? */
10872
0
      if (kd.removehd != 0 && kd.removehd < now) {
10873
0
        dns_rriterator_pause(&rrit);
10874
0
        CHECK(update_one_rr(db, ver, &diff,
10875
0
                DNS_DIFFOP_DEL, name, ttl,
10876
0
                &rdata));
10877
0
        continue;
10878
0
      }
10879
10880
      /* Acceptance timer expired? */
10881
0
      if (kd.addhd <= now) {
10882
0
        timer = kd.addhd;
10883
0
      }
10884
10885
      /* Or do we just need to refresh the keyset? */
10886
0
      if (timer > kd.refresh) {
10887
0
        timer = kd.refresh;
10888
0
      }
10889
10890
0
      dns_rriterator_pause(&rrit);
10891
0
      set_refreshkeytimer(zone, &kd, now, false);
10892
0
      timerset = true;
10893
0
    }
10894
10895
0
    if (timer > now) {
10896
0
      continue;
10897
0
    }
10898
10899
0
    dns_rriterator_pause(&rrit);
10900
10901
#ifdef ENABLE_AFL
10902
    if (!dns_fuzzing_resolver) {
10903
#endif /* ifdef ENABLE_AFL */
10904
0
      dns_keyfetch_t *kfetch = NULL;
10905
10906
0
      kfetch = isc_mem_get(zone->mctx,
10907
0
               sizeof(dns_keyfetch_t));
10908
0
      *kfetch = (dns_keyfetch_t){ .zone = zone };
10909
0
      isc_mem_attach(zone->mctx, &kfetch->mctx);
10910
10911
0
      zone->refreshkeycount++;
10912
0
      isc_refcount_increment0(&zone->irefs);
10913
0
      kname = dns_fixedname_initname(&kfetch->name);
10914
0
      dns_name_dup(name, zone->mctx, kname);
10915
0
      dns_rdataset_init(&kfetch->dnskeyset);
10916
0
      dns_rdataset_init(&kfetch->dnskeysigset);
10917
0
      dns_rdataset_init(&kfetch->keydataset);
10918
0
      dns_rdataset_clone(kdset, &kfetch->keydataset);
10919
0
      dns_db_attach(db, &kfetch->db);
10920
10921
0
      if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
10922
0
        char namebuf[DNS_NAME_FORMATSIZE];
10923
0
        dns_name_format(kname, namebuf,
10924
0
            sizeof(namebuf));
10925
0
        dnssec_log(zone, ISC_LOG_DEBUG(3),
10926
0
             "Creating key fetch in "
10927
0
             "zone_refreshkeys() for '%s'",
10928
0
             namebuf);
10929
0
      }
10930
10931
0
      isc_async_run(zone->loop, do_keyfetch, kfetch);
10932
0
      fetching = true;
10933
#ifdef ENABLE_AFL
10934
    }
10935
#endif /* ifdef ENABLE_AFL */
10936
0
  }
10937
0
  if (!ISC_LIST_EMPTY(diff.tuples)) {
10938
0
    CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
10939
0
          zone->updatemethod));
10940
0
    CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
10941
0
    commit = true;
10942
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
10943
0
    zone_needdump(zone, 30);
10944
0
  }
10945
10946
0
failure:
10947
0
  if (!timerset) {
10948
0
    isc_time_settoepoch(&zone->refreshkeytime);
10949
0
  }
10950
10951
0
  if (!fetching) {
10952
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
10953
0
  }
10954
10955
0
  dns_diff_clear(&diff);
10956
0
  if (ver != NULL) {
10957
0
    dns_rriterator_destroy(&rrit);
10958
0
    dns_db_closeversion(db, &ver, commit);
10959
0
  }
10960
0
  dns_db_detach(&db);
10961
10962
0
  UNLOCK_ZONE(zone);
10963
10964
0
  INSIST(ver == NULL);
10965
0
}
10966
10967
static void
10968
0
zone_maintenance(dns_zone_t *zone) {
10969
0
  isc_time_t now;
10970
0
  isc_result_t result;
10971
0
  bool load_pending, exiting, dumping, viewok = false, notify;
10972
0
  bool refreshkeys, sign, resign, rekey, chain, warn_expire;
10973
10974
0
  REQUIRE(DNS_ZONE_VALID(zone));
10975
0
  ENTER;
10976
10977
  /*
10978
   * Are we pending load/reload, exiting, or unconfigured
10979
   * (e.g. because of a syntax failure in the config file)?
10980
   * If so, don't attempt maintenance.
10981
   */
10982
0
  LOCK_ZONE(zone);
10983
0
  load_pending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
10984
0
  exiting = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING);
10985
0
  if (!load_pending && !exiting && zone->view != NULL) {
10986
0
    dns_adb_t *adb = NULL;
10987
0
    dns_view_getadb(zone->view, &adb);
10988
0
    if (adb != NULL) {
10989
0
      dns_adb_detach(&adb);
10990
0
      viewok = true;
10991
0
    }
10992
0
  }
10993
0
  UNLOCK_ZONE(zone);
10994
10995
0
  if (load_pending || exiting || !viewok) {
10996
0
    return;
10997
0
  }
10998
10999
0
  now = isc_time_now();
11000
11001
  /*
11002
   * Expire check.
11003
   */
11004
0
  switch (zone->type) {
11005
0
  case dns_zone_redirect:
11006
0
    if (dns_remote_addresses(&zone->primaries) == NULL) {
11007
0
      break;
11008
0
    }
11009
0
    FALLTHROUGH;
11010
0
  case dns_zone_secondary:
11011
0
  case dns_zone_mirror:
11012
0
  case dns_zone_stub:
11013
0
    LOCK_ZONE(zone);
11014
0
    if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
11015
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
11016
0
    {
11017
0
      zone_expire(zone);
11018
0
      zone->refreshtime = now;
11019
0
    }
11020
0
    UNLOCK_ZONE(zone);
11021
0
    break;
11022
0
  default:
11023
0
    break;
11024
0
  }
11025
11026
  /*
11027
   * Up to date check.
11028
   */
11029
0
  switch (zone->type) {
11030
0
  case dns_zone_redirect:
11031
0
    if (dns_remote_addresses(&zone->primaries) == NULL) {
11032
0
      break;
11033
0
    }
11034
0
    FALLTHROUGH;
11035
0
  case dns_zone_secondary:
11036
0
  case dns_zone_mirror:
11037
0
  case dns_zone_stub:
11038
0
    LOCK_ZONE(zone);
11039
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
11040
0
        isc_time_compare(&now, &zone->refreshtime) >= 0)
11041
0
    {
11042
0
      zone_refresh(zone);
11043
0
    }
11044
0
    UNLOCK_ZONE(zone);
11045
0
    break;
11046
0
  default:
11047
0
    break;
11048
0
  }
11049
11050
  /*
11051
   * Secondaries send notifies before backing up to disk,
11052
   * primaries after.
11053
   */
11054
0
  LOCK_ZONE(zone);
11055
0
  notify = (zone->type == dns_zone_secondary ||
11056
0
      zone->type == dns_zone_mirror) &&
11057
0
     (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
11058
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
11059
0
     isc_time_compare(&now, &zone->notifytime) >= 0;
11060
0
  UNLOCK_ZONE(zone);
11061
11062
0
  if (notify) {
11063
0
    zone_notify(zone, &now);
11064
0
  }
11065
11066
  /*
11067
   * Do we need to consolidate the backing store?
11068
   */
11069
0
  switch (zone->type) {
11070
0
  case dns_zone_primary:
11071
0
  case dns_zone_secondary:
11072
0
  case dns_zone_mirror:
11073
0
  case dns_zone_key:
11074
0
  case dns_zone_redirect:
11075
0
  case dns_zone_stub:
11076
0
    LOCK_ZONE(zone);
11077
0
    if (zone->masterfile != NULL &&
11078
0
        isc_time_compare(&now, &zone->dumptime) >= 0 &&
11079
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
11080
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP))
11081
0
    {
11082
0
      dumping = was_dumping(zone);
11083
0
    } else {
11084
0
      dumping = true;
11085
0
    }
11086
0
    UNLOCK_ZONE(zone);
11087
0
    if (!dumping) {
11088
0
      result = zone_dump(zone, true); /* loop locked */
11089
0
      if (result != ISC_R_SUCCESS) {
11090
0
        dns_zone_log(zone, ISC_LOG_WARNING,
11091
0
               "dump failed: %s",
11092
0
               isc_result_totext(result));
11093
0
      }
11094
0
    }
11095
0
    break;
11096
0
  default:
11097
0
    break;
11098
0
  }
11099
11100
  /*
11101
   * Primary/redirect zones send notifies now, if needed
11102
   */
11103
0
  switch (zone->type) {
11104
0
  case dns_zone_primary:
11105
0
  case dns_zone_redirect:
11106
0
    LOCK_ZONE(zone);
11107
0
    notify = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
11108
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
11109
0
       isc_time_compare(&now, &zone->notifytime) >= 0;
11110
0
    UNLOCK_ZONE(zone);
11111
0
    if (notify) {
11112
0
      zone_notify(zone, &now);
11113
0
    }
11114
0
  default:
11115
0
    break;
11116
0
  }
11117
11118
  /*
11119
   * Do we need to refresh keys?
11120
   */
11121
0
  switch (zone->type) {
11122
0
  case dns_zone_key:
11123
0
    LOCK_ZONE(zone);
11124
0
    refreshkeys = isc_time_compare(&now, &zone->refreshkeytime) >=
11125
0
              0 &&
11126
0
            DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
11127
0
            !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING);
11128
0
    UNLOCK_ZONE(zone);
11129
0
    if (refreshkeys) {
11130
0
      zone_refreshkeys(zone);
11131
0
    }
11132
0
    break;
11133
0
  case dns_zone_primary:
11134
0
    LOCK_ZONE(zone);
11135
0
    if (zone->rss != NULL) {
11136
0
      isc_time_settoepoch(&zone->refreshkeytime);
11137
0
      UNLOCK_ZONE(zone);
11138
0
      break;
11139
0
    }
11140
0
    rekey = (!isc_time_isepoch(&zone->refreshkeytime) &&
11141
0
       isc_time_compare(&now, &zone->refreshkeytime) >= 0);
11142
0
    UNLOCK_ZONE(zone);
11143
0
    if (rekey) {
11144
0
      zone_rekey(zone);
11145
0
    }
11146
0
  default:
11147
0
    break;
11148
0
  }
11149
11150
0
  switch (zone->type) {
11151
0
  case dns_zone_primary:
11152
0
  case dns_zone_redirect:
11153
0
  case dns_zone_secondary:
11154
    /*
11155
     * Do we need to sign/resign some RRsets?
11156
     */
11157
0
    LOCK_ZONE(zone);
11158
0
    if (zone->rss != NULL) {
11159
0
      isc_time_settoepoch(&zone->signingtime);
11160
0
      isc_time_settoepoch(&zone->resigntime);
11161
0
      isc_time_settoepoch(&zone->nsec3chaintime);
11162
0
      isc_time_settoepoch(&zone->keywarntime);
11163
0
      UNLOCK_ZONE(zone);
11164
0
      break;
11165
0
    }
11166
0
    sign = !isc_time_isepoch(&zone->signingtime) &&
11167
0
           isc_time_compare(&now, &zone->signingtime) >= 0;
11168
0
    resign = !isc_time_isepoch(&zone->resigntime) &&
11169
0
       isc_time_compare(&now, &zone->resigntime) >= 0;
11170
0
    chain = !isc_time_isepoch(&zone->nsec3chaintime) &&
11171
0
      isc_time_compare(&now, &zone->nsec3chaintime) >= 0;
11172
0
    warn_expire = !isc_time_isepoch(&zone->keywarntime) &&
11173
0
            isc_time_compare(&now, &zone->keywarntime) >= 0;
11174
0
    UNLOCK_ZONE(zone);
11175
11176
0
    if (sign) {
11177
0
      zone_sign(zone);
11178
0
    } else if (resign) {
11179
0
      zone_resigninc(zone);
11180
0
    } else if (chain) {
11181
0
      zone_nsec3chain(zone);
11182
0
    }
11183
11184
    /*
11185
     * Do we need to issue a key expiry warning?
11186
     */
11187
0
    if (warn_expire) {
11188
0
      set_key_expiry_warning(zone, zone->key_expiry,
11189
0
                 isc_time_seconds(&now));
11190
0
    }
11191
0
    break;
11192
11193
0
  default:
11194
0
    break;
11195
0
  }
11196
0
  LOCK_ZONE(zone);
11197
0
  zone_settimer(zone, &now);
11198
0
  UNLOCK_ZONE(zone);
11199
0
}
11200
11201
void
11202
0
dns_zone_markdirty(dns_zone_t *zone) {
11203
0
  uint32_t serial;
11204
0
  isc_result_t result = ISC_R_SUCCESS;
11205
0
  dns_zone_t *secure = NULL;
11206
11207
  /*
11208
   * Obtaining a lock on the zone->secure (see zone_send_secureserial)
11209
   * could result in a deadlock due to a LOR so we will spin if we
11210
   * can't obtain the both locks.
11211
   */
11212
0
again:
11213
0
  LOCK_ZONE(zone);
11214
0
  if (zone->type == dns_zone_primary) {
11215
0
    if (inline_raw(zone)) {
11216
0
      unsigned int soacount;
11217
0
      secure = zone->secure;
11218
0
      INSIST(secure != zone);
11219
0
      TRYLOCK_ZONE(result, secure);
11220
0
      if (result != ISC_R_SUCCESS) {
11221
0
        UNLOCK_ZONE(zone);
11222
0
        secure = NULL;
11223
0
        isc_thread_yield();
11224
0
        goto again;
11225
0
      }
11226
11227
0
      ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
11228
0
      if (zone->db != NULL) {
11229
0
        result = zone_get_from_db(
11230
0
          zone, zone->db, NULL, &soacount, NULL,
11231
0
          &serial, NULL, NULL, NULL, NULL, NULL);
11232
0
      } else {
11233
0
        result = DNS_R_NOTLOADED;
11234
0
      }
11235
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
11236
0
      if (result == ISC_R_SUCCESS && soacount > 0U) {
11237
0
        zone_send_secureserial(zone, serial);
11238
0
      }
11239
0
    }
11240
11241
    /* XXXMPA make separate call back */
11242
0
    if (result == ISC_R_SUCCESS) {
11243
0
      set_resigntime(zone);
11244
0
      if (zone->loop != NULL) {
11245
0
        isc_time_t now;
11246
0
        now = isc_time_now();
11247
0
        zone_settimer(zone, &now);
11248
0
      }
11249
0
    }
11250
0
  }
11251
0
  if (secure != NULL) {
11252
0
    UNLOCK_ZONE(secure);
11253
0
  }
11254
0
  zone_needdump(zone, DNS_DUMP_DELAY);
11255
0
  UNLOCK_ZONE(zone);
11256
0
}
11257
11258
void
11259
0
dns_zone_expire(dns_zone_t *zone) {
11260
0
  REQUIRE(DNS_ZONE_VALID(zone));
11261
11262
0
  LOCK_ZONE(zone);
11263
0
  zone_expire(zone);
11264
0
  UNLOCK_ZONE(zone);
11265
0
}
11266
11267
static void
11268
0
zone_expire(dns_zone_t *zone) {
11269
0
  dns_db_t *db = NULL;
11270
11271
  /*
11272
   * 'zone' locked by caller.
11273
   */
11274
11275
0
  REQUIRE(LOCKED_ZONE(zone));
11276
11277
0
  dns_zone_log(zone, ISC_LOG_WARNING, "expired");
11278
11279
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
11280
0
  zone->refresh = DNS_ZONE_DEFAULTREFRESH;
11281
0
  zone->retry = DNS_ZONE_DEFAULTRETRY;
11282
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
11283
11284
  /*
11285
   * An RPZ zone has expired; before unloading it, we must
11286
   * first remove it from the RPZ summary database. The
11287
   * easiest way to do this is "update" it with an empty
11288
   * database so that the update callback synchronizes
11289
   * the diff automatically.
11290
   */
11291
0
  if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
11292
0
    isc_result_t result;
11293
0
    dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
11294
11295
0
    CHECK(dns_db_create(zone->mctx, ZONEDB_DEFAULT, &zone->origin,
11296
0
            dns_dbtype_zone, zone->rdclass, 0, NULL,
11297
0
            &db));
11298
0
    CHECK(dns_rpz_dbupdate_callback(db, rpz));
11299
0
    dns_zone_log(zone, ISC_LOG_WARNING,
11300
0
           "response-policy zone expired; "
11301
0
           "policies unloaded");
11302
0
  }
11303
11304
0
failure:
11305
0
  if (db != NULL) {
11306
0
    dns_db_detach(&db);
11307
0
  }
11308
11309
0
  zone_unload(zone);
11310
0
}
11311
11312
static void
11313
0
zone_refresh(dns_zone_t *zone) {
11314
0
  isc_interval_t i;
11315
0
  uint32_t oldflags;
11316
0
  isc_result_t result;
11317
11318
0
  REQUIRE(DNS_ZONE_VALID(zone));
11319
0
  REQUIRE(LOCKED_ZONE(zone));
11320
11321
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
11322
0
    return;
11323
0
  }
11324
11325
  /*
11326
   * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
11327
   * in progress at a time.
11328
   */
11329
11330
0
  oldflags = atomic_load(&zone->flags);
11331
0
  if (dns_remote_addresses(&zone->primaries) == NULL) {
11332
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOPRIMARIES);
11333
0
    if ((oldflags & DNS_ZONEFLG_NOPRIMARIES) == 0) {
11334
0
      dns_zone_log(zone, ISC_LOG_ERROR,
11335
0
             "cannot refresh: no primaries");
11336
0
    }
11337
0
    return;
11338
0
  }
11339
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
11340
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
11341
0
  if ((oldflags & (DNS_ZONEFLG_REFRESH | DNS_ZONEFLG_LOADING)) != 0) {
11342
0
    return;
11343
0
  }
11344
11345
  /*
11346
   * Set the next refresh time as if refresh check has failed.
11347
   * Setting this to the retry time will do that.  XXXMLG
11348
   * If we are successful it will be reset using zone->refresh.
11349
   */
11350
0
  isc_interval_set(&i, zone->retry - isc_random_uniform(zone->retry / 4),
11351
0
       0);
11352
0
  result = isc_time_nowplusinterval(&zone->refreshtime, &i);
11353
0
  if (result != ISC_R_SUCCESS) {
11354
0
    dns_zone_log(zone, ISC_LOG_WARNING,
11355
0
           "isc_time_nowplusinterval() failed: %s",
11356
0
           isc_result_totext(result));
11357
0
  }
11358
11359
  /*
11360
   * When lacking user-specified timer values from the SOA,
11361
   * do exponential backoff of the retry time up to a
11362
   * maximum of six hours.
11363
   */
11364
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) {
11365
0
    zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
11366
0
  }
11367
11368
0
  dns_remote_reset(&zone->primaries, true);
11369
11370
  /* initiate soa query */
11371
0
  queue_soa_query(zone);
11372
0
}
11373
11374
void
11375
0
dns_zone_refresh(dns_zone_t *zone) {
11376
0
  LOCK_ZONE(zone);
11377
0
  zone_refresh(zone);
11378
0
  UNLOCK_ZONE(zone);
11379
0
}
11380
11381
static isc_result_t
11382
zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
11383
2
       bool *fixjournal) {
11384
2
  dns_journal_t *journal = NULL;
11385
2
  unsigned int options;
11386
2
  isc_result_t result;
11387
11388
2
  if (zone->type == dns_zone_primary &&
11389
2
      (inline_secure(zone) ||
11390
2
       (zone->update_acl != NULL || zone->ssutable != NULL)))
11391
0
  {
11392
0
    options = DNS_JOURNALOPT_RESIGN;
11393
2
  } else {
11394
2
    options = 0;
11395
2
  }
11396
11397
2
  result = dns_journal_open(zone->mctx, zone->journal, DNS_JOURNAL_READ,
11398
2
          &journal);
11399
2
  if (result == ISC_R_NOTFOUND) {
11400
2
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(3),
11401
2
            "no journal file, but that's OK ");
11402
2
    return (ISC_R_SUCCESS);
11403
2
  } else if (result != ISC_R_SUCCESS) {
11404
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11405
0
            "journal open failed: %s",
11406
0
            isc_result_totext(result));
11407
0
    return (result);
11408
0
  }
11409
11410
0
  if (dns_journal_empty(journal)) {
11411
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
11412
0
            "journal empty");
11413
0
    dns_journal_destroy(&journal);
11414
0
    return (ISC_R_SUCCESS);
11415
0
  }
11416
11417
0
  result = dns_journal_rollforward(journal, db, options);
11418
0
  switch (result) {
11419
0
  case ISC_R_SUCCESS:
11420
0
    *needdump = true;
11421
0
    FALLTHROUGH;
11422
0
  case DNS_R_UPTODATE:
11423
0
    if (dns_journal_recovered(journal)) {
11424
0
      *fixjournal = true;
11425
0
      dns_zone_logc(
11426
0
        zone, DNS_LOGCATEGORY_ZONELOAD,
11427
0
        ISC_LOG_DEBUG(1),
11428
0
        "journal rollforward completed successfully "
11429
0
        "using old journal format: %s",
11430
0
        isc_result_totext(result));
11431
0
    } else {
11432
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
11433
0
              ISC_LOG_DEBUG(1),
11434
0
              "journal rollforward completed "
11435
0
              "successfully: %s",
11436
0
              isc_result_totext(result));
11437
0
    }
11438
11439
0
    dns_journal_destroy(&journal);
11440
0
    return (ISC_R_SUCCESS);
11441
0
  case ISC_R_NOTFOUND:
11442
0
  case ISC_R_RANGE:
11443
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11444
0
            "journal rollforward failed: journal out of sync "
11445
0
            "with zone");
11446
0
    dns_journal_destroy(&journal);
11447
0
    return (result);
11448
0
  default:
11449
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11450
0
            "journal rollforward failed: %s",
11451
0
            isc_result_totext(result));
11452
0
    dns_journal_destroy(&journal);
11453
0
    return (result);
11454
0
  }
11455
0
}
11456
11457
static void
11458
0
zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial) {
11459
0
  isc_result_t result;
11460
0
  int32_t journalsize;
11461
0
  dns_dbversion_t *ver = NULL;
11462
0
  uint64_t dbsize;
11463
0
  uint32_t options = 0;
11464
11465
0
  INSIST(LOCKED_ZONE(zone));
11466
0
  if (inline_raw(zone)) {
11467
0
    INSIST(LOCKED_ZONE(zone->secure));
11468
0
  }
11469
11470
0
  journalsize = zone->journalsize;
11471
0
  if (journalsize == -1) {
11472
0
    journalsize = DNS_JOURNAL_SIZE_MAX;
11473
0
    dns_db_currentversion(db, &ver);
11474
0
    result = dns_db_getsize(db, ver, NULL, &dbsize);
11475
0
    dns_db_closeversion(db, &ver, false);
11476
0
    if (result != ISC_R_SUCCESS) {
11477
0
      dns_zone_log(zone, ISC_LOG_ERROR,
11478
0
             "zone_journal_compact: "
11479
0
             "could not get zone size: %s",
11480
0
             isc_result_totext(result));
11481
0
    } else if (dbsize < DNS_JOURNAL_SIZE_MAX / 2) {
11482
0
      journalsize = (int32_t)dbsize * 2;
11483
0
    }
11484
0
  }
11485
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIXJOURNAL)) {
11486
0
    options |= DNS_JOURNAL_COMPACTALL;
11487
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
11488
0
    zone_debuglog(zone, __func__, 1, "repair full journal");
11489
0
  } else {
11490
0
    zone_debuglog(zone, __func__, 1, "target journal size %d",
11491
0
            journalsize);
11492
0
  }
11493
0
  result = dns_journal_compact(zone->mctx, zone->journal, serial, options,
11494
0
             journalsize);
11495
0
  switch (result) {
11496
0
  case ISC_R_SUCCESS:
11497
0
  case ISC_R_NOSPACE:
11498
0
  case ISC_R_NOTFOUND:
11499
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_journal_compact: %s",
11500
0
           isc_result_totext(result));
11501
0
    break;
11502
0
  default:
11503
0
    dns_zone_log(zone, ISC_LOG_ERROR,
11504
0
           "dns_journal_compact failed: %s",
11505
0
           isc_result_totext(result));
11506
0
    break;
11507
0
  }
11508
0
}
11509
11510
isc_result_t
11511
0
dns_zone_flush(dns_zone_t *zone) {
11512
0
  isc_result_t result = ISC_R_SUCCESS;
11513
0
  bool dumping;
11514
11515
0
  REQUIRE(DNS_ZONE_VALID(zone));
11516
11517
0
  LOCK_ZONE(zone);
11518
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
11519
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
11520
0
      zone->masterfile != NULL)
11521
0
  {
11522
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
11523
0
    result = ISC_R_ALREADYRUNNING;
11524
0
    dumping = was_dumping(zone);
11525
0
  } else {
11526
0
    dumping = true;
11527
0
  }
11528
0
  UNLOCK_ZONE(zone);
11529
0
  if (!dumping) {
11530
0
    result = zone_dump(zone, true);
11531
0
  }
11532
0
  return (result);
11533
0
}
11534
11535
isc_result_t
11536
0
dns_zone_dump(dns_zone_t *zone) {
11537
0
  isc_result_t result = ISC_R_ALREADYRUNNING;
11538
0
  bool dumping;
11539
11540
0
  REQUIRE(DNS_ZONE_VALID(zone));
11541
11542
0
  LOCK_ZONE(zone);
11543
0
  dumping = was_dumping(zone);
11544
0
  UNLOCK_ZONE(zone);
11545
0
  if (!dumping) {
11546
0
    result = zone_dump(zone, false);
11547
0
  }
11548
0
  return (result);
11549
0
}
11550
11551
static void
11552
0
zone_needdump(dns_zone_t *zone, unsigned int delay) {
11553
0
  isc_time_t dumptime;
11554
0
  isc_time_t now;
11555
11556
  /*
11557
   * 'zone' locked by caller
11558
   */
11559
11560
0
  REQUIRE(DNS_ZONE_VALID(zone));
11561
0
  REQUIRE(LOCKED_ZONE(zone));
11562
0
  ENTER;
11563
11564
  /*
11565
   * Do we have a place to dump to and are we loaded?
11566
   */
11567
0
  if (zone->masterfile == NULL ||
11568
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
11569
0
  {
11570
0
    return;
11571
0
  }
11572
11573
0
  now = isc_time_now();
11574
  /* add some noise */
11575
0
  DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
11576
11577
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
11578
0
  if (isc_time_isepoch(&zone->dumptime) ||
11579
0
      isc_time_compare(&zone->dumptime, &dumptime) > 0)
11580
0
  {
11581
0
    zone->dumptime = dumptime;
11582
0
  }
11583
0
  if (zone->loop != NULL) {
11584
0
    zone_settimer(zone, &now);
11585
0
  }
11586
0
}
11587
11588
static void
11589
0
dump_done(void *arg, isc_result_t result) {
11590
0
  dns_zone_t *zone = arg;
11591
0
  dns_zone_t *secure = NULL;
11592
0
  dns_db_t *db;
11593
0
  dns_dbversion_t *version;
11594
0
  bool again = false;
11595
0
  bool compact = false;
11596
0
  uint32_t serial;
11597
0
  isc_result_t tresult;
11598
11599
0
  REQUIRE(DNS_ZONE_VALID(zone));
11600
11601
0
  ENTER;
11602
11603
  /*
11604
   * Adjust modification time of zone file to preserve expire timing.
11605
   */
11606
0
  if ((zone->type == dns_zone_secondary ||
11607
0
       zone->type == dns_zone_mirror ||
11608
0
       zone->type == dns_zone_redirect) &&
11609
0
      result == ISC_R_SUCCESS)
11610
0
  {
11611
0
    LOCK_ZONE(zone);
11612
0
    isc_time_t when;
11613
0
    isc_interval_t i;
11614
0
    isc_interval_set(&i, zone->expire, 0);
11615
0
    result = isc_time_subtract(&zone->expiretime, &i, &when);
11616
0
    if (result == ISC_R_SUCCESS) {
11617
0
      (void)isc_file_settime(zone->masterfile, &when);
11618
0
    } else {
11619
0
      result = ISC_R_SUCCESS;
11620
0
    }
11621
0
    UNLOCK_ZONE(zone);
11622
0
  }
11623
11624
0
  if (result == ISC_R_SUCCESS && zone->journal != NULL) {
11625
    /*
11626
     * We don't own these, zone->dctx must stay valid.
11627
     */
11628
0
    db = dns_dumpctx_db(zone->dumpctx);
11629
0
    version = dns_dumpctx_version(zone->dumpctx);
11630
0
    tresult = dns_db_getsoaserial(db, version, &serial);
11631
11632
    /*
11633
     * Handle lock order inversion.
11634
     */
11635
0
  again:
11636
0
    LOCK_ZONE(zone);
11637
0
    if (inline_raw(zone)) {
11638
0
      secure = zone->secure;
11639
0
      INSIST(secure != zone);
11640
0
      TRYLOCK_ZONE(result, secure);
11641
0
      if (result != ISC_R_SUCCESS) {
11642
0
        UNLOCK_ZONE(zone);
11643
0
        secure = NULL;
11644
0
        isc_thread_yield();
11645
0
        goto again;
11646
0
      }
11647
0
    }
11648
11649
    /*
11650
     * If there is a secure version of this zone
11651
     * use its serial if it is less than ours.
11652
     */
11653
0
    if (tresult == ISC_R_SUCCESS && secure != NULL) {
11654
0
      uint32_t sserial;
11655
0
      isc_result_t mresult;
11656
11657
0
      ZONEDB_LOCK(&secure->dblock, isc_rwlocktype_read);
11658
0
      if (secure->db != NULL) {
11659
0
        mresult = dns_db_getsoaserial(zone->secure->db,
11660
0
                    NULL, &sserial);
11661
0
        if (mresult == ISC_R_SUCCESS &&
11662
0
            isc_serial_lt(sserial, serial))
11663
0
        {
11664
0
          serial = sserial;
11665
0
        }
11666
0
      }
11667
0
      ZONEDB_UNLOCK(&secure->dblock, isc_rwlocktype_read);
11668
0
    }
11669
0
    if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
11670
0
      dns_db_t *zdb = NULL;
11671
0
      if (dns_zone_getdb(zone, &zdb) == ISC_R_SUCCESS) {
11672
0
        zone_journal_compact(zone, zdb, serial);
11673
0
        dns_db_detach(&zdb);
11674
0
      }
11675
0
    } else if (tresult == ISC_R_SUCCESS) {
11676
0
      compact = true;
11677
0
      zone->compact_serial = serial;
11678
0
    }
11679
0
    if (secure != NULL) {
11680
0
      UNLOCK_ZONE(secure);
11681
0
    }
11682
0
    UNLOCK_ZONE(zone);
11683
0
  }
11684
11685
0
  LOCK_ZONE(zone);
11686
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
11687
0
  if (compact) {
11688
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
11689
0
  }
11690
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN)) {
11691
    /*
11692
     * If DNS_ZONEFLG_SHUTDOWN is set, all external references to
11693
     * the zone are gone, which means it is in the process of being
11694
     * cleaned up, so do not reschedule dumping.
11695
     *
11696
     * Detach from the raw version of the zone in case this
11697
     * operation has been deferred in zone_shutdown().
11698
     */
11699
0
    if (zone->raw != NULL) {
11700
0
      dns_zone_detach(&zone->raw);
11701
0
    }
11702
0
    if (result == ISC_R_SUCCESS) {
11703
0
      DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
11704
0
    }
11705
0
  } else if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
11706
    /*
11707
     * Try again in a short while.
11708
     */
11709
0
    zone_needdump(zone, DNS_DUMP_DELAY);
11710
0
  } else if (result == ISC_R_SUCCESS &&
11711
0
       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
11712
0
       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
11713
0
       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
11714
0
  {
11715
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
11716
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
11717
0
    isc_time_settoepoch(&zone->dumptime);
11718
0
    again = true;
11719
0
  } else if (result == ISC_R_SUCCESS) {
11720
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
11721
0
  }
11722
11723
0
  if (zone->dumpctx != NULL) {
11724
0
    dns_dumpctx_detach(&zone->dumpctx);
11725
0
  }
11726
0
  UNLOCK_ZONE(zone);
11727
0
  if (again) {
11728
0
    (void)zone_dump(zone, false);
11729
0
  }
11730
0
  dns_zone_idetach(&zone);
11731
0
}
11732
11733
static isc_result_t
11734
0
zone_dump(dns_zone_t *zone, bool compact) {
11735
0
  isc_result_t result;
11736
0
  dns_dbversion_t *version = NULL;
11737
0
  bool again = false;
11738
0
  dns_db_t *db = NULL;
11739
0
  char *masterfile = NULL;
11740
0
  dns_masterformat_t masterformat = dns_masterformat_none;
11741
0
  const dns_master_style_t *masterstyle = NULL;
11742
0
  dns_masterrawheader_t rawdata;
11743
11744
  /*
11745
   * 'compact' MUST only be set if we are loop locked.
11746
   */
11747
11748
0
  REQUIRE(DNS_ZONE_VALID(zone));
11749
0
  ENTER;
11750
11751
0
redo:
11752
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
11753
0
  if (zone->db != NULL) {
11754
0
    dns_db_attach(zone->db, &db);
11755
0
  }
11756
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
11757
0
  LOCK_ZONE(zone);
11758
0
  if (zone->masterfile != NULL) {
11759
0
    masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
11760
0
    masterformat = zone->masterformat;
11761
0
  }
11762
0
  if (zone->type == dns_zone_key) {
11763
0
    masterstyle = &dns_master_style_keyzone;
11764
0
  } else if (zone->masterstyle != NULL) {
11765
0
    masterstyle = zone->masterstyle;
11766
0
  } else {
11767
0
    masterstyle = &dns_master_style_default;
11768
0
  }
11769
0
  UNLOCK_ZONE(zone);
11770
0
  if (db == NULL) {
11771
0
    result = DNS_R_NOTLOADED;
11772
0
    goto fail;
11773
0
  }
11774
0
  if (masterfile == NULL) {
11775
0
    result = DNS_R_NOMASTERFILE;
11776
0
    goto fail;
11777
0
  }
11778
11779
0
  dns_db_currentversion(db, &version);
11780
11781
0
  dns_master_initrawheader(&rawdata);
11782
11783
0
  if (inline_secure(zone)) {
11784
0
    get_raw_serial(zone->raw, &rawdata);
11785
0
  }
11786
11787
0
  if (compact && zone->type != dns_zone_stub) {
11788
0
    LOCK_ZONE(zone);
11789
0
    zone_iattach(zone, &(dns_zone_t *){ NULL });
11790
11791
0
    INSIST(zone != zone->raw);
11792
11793
0
    result = dns_master_dumpasync(
11794
0
      zone->mctx, db, version, masterstyle, masterfile,
11795
0
      zone->loop, dump_done, zone, &zone->dumpctx,
11796
0
      masterformat, &rawdata);
11797
11798
0
    UNLOCK_ZONE(zone);
11799
0
    if (result != ISC_R_SUCCESS) {
11800
0
      dns_zone_idetach(&(dns_zone_t *){ zone });
11801
0
      goto fail;
11802
0
    }
11803
0
    result = DNS_R_CONTINUE;
11804
0
  } else {
11805
0
    result = dns_master_dump(zone->mctx, db, version, masterstyle,
11806
0
           masterfile, masterformat, &rawdata);
11807
0
    if ((zone->type == dns_zone_secondary ||
11808
0
         zone->type == dns_zone_mirror ||
11809
0
         zone->type == dns_zone_redirect) &&
11810
0
        result == ISC_R_SUCCESS)
11811
0
    {
11812
0
      isc_time_t when;
11813
0
      isc_interval_t i;
11814
0
      isc_interval_set(&i, zone->expire, 0);
11815
0
      result = isc_time_subtract(&zone->expiretime, &i,
11816
0
               &when);
11817
0
      if (result == ISC_R_SUCCESS) {
11818
0
        (void)isc_file_settime(zone->masterfile, &when);
11819
0
      } else {
11820
0
        result = ISC_R_SUCCESS;
11821
0
      }
11822
0
    }
11823
0
  }
11824
0
fail:
11825
0
  if (version != NULL) {
11826
0
    dns_db_closeversion(db, &version, false);
11827
0
  }
11828
0
  if (db != NULL) {
11829
0
    dns_db_detach(&db);
11830
0
  }
11831
0
  if (masterfile != NULL) {
11832
0
    isc_mem_free(zone->mctx, masterfile);
11833
0
    masterfile = NULL;
11834
0
  }
11835
11836
0
  if (result == DNS_R_CONTINUE) {
11837
    /*
11838
     * Asyncronous write is in progress.  Zone flags will get
11839
     * updated on completion.  Cleanup is complete.  We are done.
11840
     */
11841
0
    return (ISC_R_SUCCESS);
11842
0
  }
11843
11844
0
  again = false;
11845
0
  LOCK_ZONE(zone);
11846
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
11847
0
  if (result != ISC_R_SUCCESS) {
11848
    /*
11849
     * Try again in a short while.
11850
     */
11851
0
    zone_needdump(zone, DNS_DUMP_DELAY);
11852
0
  } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
11853
0
       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
11854
0
       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
11855
0
  {
11856
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
11857
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
11858
0
    isc_time_settoepoch(&zone->dumptime);
11859
0
    again = true;
11860
0
  } else {
11861
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
11862
0
  }
11863
0
  UNLOCK_ZONE(zone);
11864
0
  if (again) {
11865
0
    goto redo;
11866
0
  }
11867
11868
0
  return (result);
11869
0
}
11870
11871
static isc_result_t
11872
dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
11873
0
       dns_masterformat_t format, const uint32_t rawversion) {
11874
0
  isc_result_t result;
11875
0
  dns_dbversion_t *version = NULL;
11876
0
  dns_db_t *db = NULL;
11877
0
  dns_masterrawheader_t rawdata;
11878
11879
0
  REQUIRE(DNS_ZONE_VALID(zone));
11880
11881
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
11882
0
  if (zone->db != NULL) {
11883
0
    dns_db_attach(zone->db, &db);
11884
0
  }
11885
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
11886
0
  if (db == NULL) {
11887
0
    return (DNS_R_NOTLOADED);
11888
0
  }
11889
11890
0
  dns_db_currentversion(db, &version);
11891
0
  dns_master_initrawheader(&rawdata);
11892
0
  if (rawversion == 0) {
11893
0
    rawdata.flags |= DNS_MASTERRAW_COMPAT;
11894
0
  } else if (inline_secure(zone)) {
11895
0
    get_raw_serial(zone->raw, &rawdata);
11896
0
  } else if (zone->sourceserialset) {
11897
0
    rawdata.flags = DNS_MASTERRAW_SOURCESERIALSET;
11898
0
    rawdata.sourceserial = zone->sourceserial;
11899
0
  }
11900
0
  result = dns_master_dumptostream(zone->mctx, db, version, style, format,
11901
0
           &rawdata, fd);
11902
0
  dns_db_closeversion(db, &version, false);
11903
0
  dns_db_detach(&db);
11904
0
  return (result);
11905
0
}
11906
11907
isc_result_t
11908
dns_zone_dumptostream(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
11909
          const dns_master_style_t *style,
11910
0
          const uint32_t rawversion) {
11911
0
  return (dumptostream(zone, fd, style, format, rawversion));
11912
0
}
11913
11914
void
11915
0
dns_zone_unload(dns_zone_t *zone) {
11916
0
  REQUIRE(DNS_ZONE_VALID(zone));
11917
11918
0
  LOCK_ZONE(zone);
11919
0
  zone_unload(zone);
11920
0
  UNLOCK_ZONE(zone);
11921
0
}
11922
11923
static void
11924
0
notify_cancel(dns_zone_t *zone) {
11925
0
  dns_notify_t *notify;
11926
11927
  /*
11928
   * 'zone' locked by caller.
11929
   */
11930
11931
0
  REQUIRE(LOCKED_ZONE(zone));
11932
11933
0
  for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
11934
0
       notify = ISC_LIST_NEXT(notify, link))
11935
0
  {
11936
0
    if (notify->find != NULL) {
11937
0
      dns_adb_cancelfind(notify->find);
11938
0
    }
11939
0
    if (notify->request != NULL) {
11940
0
      dns_request_cancel(notify->request);
11941
0
    }
11942
0
  }
11943
0
}
11944
11945
static void
11946
0
checkds_cancel(dns_zone_t *zone) {
11947
0
  dns_checkds_t *checkds;
11948
11949
  /*
11950
   * 'zone' locked by caller.
11951
   */
11952
11953
0
  REQUIRE(LOCKED_ZONE(zone));
11954
11955
0
  for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
11956
0
       checkds = ISC_LIST_NEXT(checkds, link))
11957
0
  {
11958
0
    if (checkds->find != NULL) {
11959
0
      dns_adb_cancelfind(checkds->find);
11960
0
    }
11961
0
    if (checkds->request != NULL) {
11962
0
      dns_request_cancel(checkds->request);
11963
0
    }
11964
0
  }
11965
0
}
11966
11967
static void
11968
0
forward_cancel(dns_zone_t *zone) {
11969
0
  dns_forward_t *forward;
11970
11971
  /*
11972
   * 'zone' locked by caller.
11973
   */
11974
11975
0
  REQUIRE(LOCKED_ZONE(zone));
11976
11977
0
  for (forward = ISC_LIST_HEAD(zone->forwards); forward != NULL;
11978
0
       forward = ISC_LIST_NEXT(forward, link))
11979
0
  {
11980
0
    if (forward->request != NULL) {
11981
0
      dns_request_cancel(forward->request);
11982
0
    }
11983
0
  }
11984
0
}
11985
11986
static void
11987
0
zone_unload(dns_zone_t *zone) {
11988
  /*
11989
   * 'zone' locked by caller.
11990
   */
11991
11992
0
  REQUIRE(LOCKED_ZONE(zone));
11993
11994
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
11995
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
11996
0
  {
11997
0
    if (zone->dumpctx != NULL) {
11998
0
      dns_dumpctx_cancel(zone->dumpctx);
11999
0
    }
12000
0
  }
12001
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
12002
0
  zone_detachdb(zone);
12003
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
12004
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
12005
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
12006
12007
0
  if (zone->type == dns_zone_mirror) {
12008
0
    dns_zone_log(zone, ISC_LOG_INFO,
12009
0
           "mirror zone is no longer in use; "
12010
0
           "reverting to normal recursion");
12011
0
  }
12012
0
}
12013
12014
void
12015
0
dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val) {
12016
0
  REQUIRE(DNS_ZONE_VALID(zone));
12017
0
  REQUIRE(val > 0);
12018
12019
0
  zone->minrefresh = val;
12020
0
}
12021
12022
void
12023
0
dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val) {
12024
0
  REQUIRE(DNS_ZONE_VALID(zone));
12025
0
  REQUIRE(val > 0);
12026
12027
0
  zone->maxrefresh = val;
12028
0
}
12029
12030
void
12031
0
dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val) {
12032
0
  REQUIRE(DNS_ZONE_VALID(zone));
12033
0
  REQUIRE(val > 0);
12034
12035
0
  zone->minretry = val;
12036
0
}
12037
12038
void
12039
0
dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val) {
12040
0
  REQUIRE(DNS_ZONE_VALID(zone));
12041
0
  REQUIRE(val > 0);
12042
12043
0
  zone->maxretry = val;
12044
0
}
12045
12046
uint32_t
12047
0
dns_zone_getmaxrecords(dns_zone_t *zone) {
12048
0
  REQUIRE(DNS_ZONE_VALID(zone));
12049
12050
0
  return (zone->maxrecords);
12051
0
}
12052
12053
void
12054
0
dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) {
12055
0
  REQUIRE(DNS_ZONE_VALID(zone));
12056
12057
0
  zone->maxrecords = val;
12058
0
}
12059
12060
static bool
12061
notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
12062
    isc_sockaddr_t *addr, dns_tsigkey_t *key,
12063
0
    dns_transport_t *transport) {
12064
0
  dns_notify_t *notify;
12065
0
  dns_zonemgr_t *zmgr;
12066
0
  isc_result_t result;
12067
12068
0
  for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
12069
0
       notify = ISC_LIST_NEXT(notify, link))
12070
0
  {
12071
0
    if (notify->request != NULL) {
12072
0
      continue;
12073
0
    }
12074
0
    if (name != NULL && dns_name_dynamic(&notify->ns) &&
12075
0
        dns_name_equal(name, &notify->ns))
12076
0
    {
12077
0
      goto requeue;
12078
0
    }
12079
0
    if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst) &&
12080
0
        notify->key == key && notify->transport == transport)
12081
0
    {
12082
0
      goto requeue;
12083
0
    }
12084
0
  }
12085
0
  return (false);
12086
12087
0
requeue:
12088
  /*
12089
   * If we are enqueued on the startup ratelimiter and this is
12090
   * not a startup notify, re-enqueue on the normal notify
12091
   * ratelimiter.
12092
   */
12093
0
  if (notify->rlevent != NULL && (flags & DNS_NOTIFY_STARTUP) == 0 &&
12094
0
      (notify->flags & DNS_NOTIFY_STARTUP) != 0)
12095
0
  {
12096
0
    zmgr = notify->zone->zmgr;
12097
0
    result = isc_ratelimiter_dequeue(zmgr->startupnotifyrl,
12098
0
             &notify->rlevent);
12099
0
    if (result != ISC_R_SUCCESS) {
12100
0
      return (true);
12101
0
    }
12102
12103
0
    notify->flags &= ~DNS_NOTIFY_STARTUP;
12104
0
    result = isc_ratelimiter_enqueue(
12105
0
      notify->zone->zmgr->notifyrl, notify->zone->loop,
12106
0
      notify_send_toaddr, notify, &notify->rlevent);
12107
0
    if (result != ISC_R_SUCCESS) {
12108
0
      return (false);
12109
0
    }
12110
0
  }
12111
12112
0
  return (true);
12113
0
}
12114
12115
static bool
12116
0
notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
12117
0
  dns_tsigkey_t *key = NULL;
12118
0
  isc_sockaddr_t src;
12119
0
  isc_sockaddr_t any;
12120
0
  bool isself;
12121
0
  isc_netaddr_t dstaddr;
12122
0
  isc_result_t result;
12123
12124
0
  if (zone->view == NULL || zone->isself == NULL) {
12125
0
    return (false);
12126
0
  }
12127
12128
0
  switch (isc_sockaddr_pf(dst)) {
12129
0
  case PF_INET:
12130
0
    src = zone->notifysrc4;
12131
0
    isc_sockaddr_any(&any);
12132
0
    break;
12133
0
  case PF_INET6:
12134
0
    src = zone->notifysrc6;
12135
0
    isc_sockaddr_any6(&any);
12136
0
    break;
12137
0
  default:
12138
0
    return (false);
12139
0
  }
12140
12141
  /*
12142
   * When sending from any the kernel will assign a source address
12143
   * that matches the destination address.
12144
   */
12145
0
  if (isc_sockaddr_eqaddr(&any, &src)) {
12146
0
    src = *dst;
12147
0
  }
12148
12149
0
  isc_netaddr_fromsockaddr(&dstaddr, dst);
12150
0
  result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
12151
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
12152
0
    return (false);
12153
0
  }
12154
0
  isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
12155
0
        zone->isselfarg);
12156
0
  if (key != NULL) {
12157
0
    dns_tsigkey_detach(&key);
12158
0
  }
12159
0
  return (isself);
12160
0
}
12161
12162
static void
12163
0
notify_destroy(dns_notify_t *notify, bool locked) {
12164
0
  isc_mem_t *mctx;
12165
12166
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
12167
12168
0
  if (notify->zone != NULL) {
12169
0
    if (!locked) {
12170
0
      LOCK_ZONE(notify->zone);
12171
0
    }
12172
0
    REQUIRE(LOCKED_ZONE(notify->zone));
12173
0
    if (ISC_LINK_LINKED(notify, link)) {
12174
0
      ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
12175
0
    }
12176
0
    if (!locked) {
12177
0
      UNLOCK_ZONE(notify->zone);
12178
0
    }
12179
0
    if (locked) {
12180
0
      zone_idetach(&notify->zone);
12181
0
    } else {
12182
0
      dns_zone_idetach(&notify->zone);
12183
0
    }
12184
0
  }
12185
0
  if (notify->find != NULL) {
12186
0
    dns_adb_destroyfind(&notify->find);
12187
0
  }
12188
0
  if (notify->request != NULL) {
12189
0
    dns_request_destroy(&notify->request);
12190
0
  }
12191
0
  if (dns_name_dynamic(&notify->ns)) {
12192
0
    dns_name_free(&notify->ns, notify->mctx);
12193
0
  }
12194
0
  if (notify->key != NULL) {
12195
0
    dns_tsigkey_detach(&notify->key);
12196
0
  }
12197
0
  if (notify->transport != NULL) {
12198
0
    dns_transport_detach(&notify->transport);
12199
0
  }
12200
0
  mctx = notify->mctx;
12201
0
  isc_mem_put(notify->mctx, notify, sizeof(*notify));
12202
0
  isc_mem_detach(&mctx);
12203
0
}
12204
12205
static isc_result_t
12206
0
notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
12207
0
  dns_notify_t *notify;
12208
12209
0
  REQUIRE(notifyp != NULL && *notifyp == NULL);
12210
12211
0
  notify = isc_mem_get(mctx, sizeof(*notify));
12212
0
  *notify = (dns_notify_t){
12213
0
    .flags = flags,
12214
0
  };
12215
12216
0
  isc_mem_attach(mctx, &notify->mctx);
12217
0
  isc_sockaddr_any(&notify->src);
12218
0
  isc_sockaddr_any(&notify->dst);
12219
0
  dns_name_init(&notify->ns, NULL);
12220
0
  ISC_LINK_INIT(notify, link);
12221
0
  notify->magic = NOTIFY_MAGIC;
12222
0
  *notifyp = notify;
12223
0
  return (ISC_R_SUCCESS);
12224
0
}
12225
12226
/*
12227
 * XXXAG should check for DNS_ZONEFLG_EXITING
12228
 */
12229
static void
12230
0
process_notify_adb_event(void *arg) {
12231
0
  dns_adbfind_t *find = (dns_adbfind_t *)arg;
12232
0
  dns_notify_t *notify = (dns_notify_t *)find->cbarg;
12233
0
  dns_adbstatus_t astat = find->status;
12234
12235
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
12236
0
  REQUIRE(find == notify->find);
12237
12238
0
  switch (astat) {
12239
0
  case DNS_ADB_MOREADDRESSES:
12240
0
    dns_adb_destroyfind(&notify->find);
12241
0
    notify_find_address(notify);
12242
0
    return;
12243
12244
0
  case DNS_ADB_NOMOREADDRESSES:
12245
0
    LOCK_ZONE(notify->zone);
12246
0
    notify_send(notify);
12247
0
    UNLOCK_ZONE(notify->zone);
12248
0
    break;
12249
12250
0
  default:
12251
0
    break;
12252
0
  }
12253
12254
0
  notify_destroy(notify, false);
12255
0
}
12256
12257
static void
12258
0
notify_find_address(dns_notify_t *notify) {
12259
0
  isc_result_t result;
12260
0
  unsigned int options;
12261
0
  dns_adb_t *adb = NULL;
12262
12263
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
12264
12265
0
  options = DNS_ADBFIND_WANTEVENT;
12266
0
  if (isc_net_probeipv4() != ISC_R_DISABLED) {
12267
0
    options |= DNS_ADBFIND_INET;
12268
0
  }
12269
0
  if (isc_net_probeipv6() != ISC_R_DISABLED) {
12270
0
    options |= DNS_ADBFIND_INET6;
12271
0
  }
12272
12273
0
  dns_view_getadb(notify->zone->view, &adb);
12274
0
  if (adb == NULL) {
12275
0
    goto destroy;
12276
0
  }
12277
12278
0
  result = dns_adb_createfind(
12279
0
    adb, notify->zone->loop, process_notify_adb_event, notify,
12280
0
    &notify->ns, dns_rootname, 0, options, 0, NULL,
12281
0
    notify->zone->view->dstport, 0, NULL, &notify->find);
12282
0
  dns_adb_detach(&adb);
12283
12284
  /* Something failed? */
12285
0
  if (result != ISC_R_SUCCESS) {
12286
0
    goto destroy;
12287
0
  }
12288
12289
  /* More addresses pending? */
12290
0
  if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
12291
0
    return;
12292
0
  }
12293
12294
  /* We have as many addresses as we can get. */
12295
0
  LOCK_ZONE(notify->zone);
12296
0
  notify_send(notify);
12297
0
  UNLOCK_ZONE(notify->zone);
12298
12299
0
destroy:
12300
0
  notify_destroy(notify, false);
12301
0
}
12302
12303
static isc_result_t
12304
0
notify_send_queue(dns_notify_t *notify, bool startup) {
12305
0
  return (isc_ratelimiter_enqueue(
12306
0
    startup ? notify->zone->zmgr->startupnotifyrl
12307
0
      : notify->zone->zmgr->notifyrl,
12308
0
    notify->zone->loop, notify_send_toaddr, notify,
12309
0
    &notify->rlevent));
12310
0
}
12311
12312
static void
12313
0
notify_send_toaddr(void *arg) {
12314
0
  dns_notify_t *notify = (dns_notify_t *)arg;
12315
0
  isc_result_t result;
12316
0
  dns_message_t *message = NULL;
12317
0
  isc_netaddr_t dstip;
12318
0
  dns_tsigkey_t *key = NULL;
12319
0
  char addrbuf[ISC_SOCKADDR_FORMATSIZE];
12320
0
  isc_sockaddr_t src;
12321
0
  unsigned int options, timeout, udptimeout;
12322
0
  bool have_notifysource = false;
12323
12324
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
12325
12326
0
  LOCK_ZONE(notify->zone);
12327
12328
0
  isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
12329
12330
0
  if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0 ||
12331
0
      notify->rlevent->canceled ||
12332
0
      DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
12333
0
      notify->zone->view->requestmgr == NULL || notify->zone->db == NULL)
12334
0
  {
12335
0
    result = ISC_R_CANCELED;
12336
0
    goto cleanup;
12337
0
  }
12338
12339
  /*
12340
   * The raw IPv4 address should also exist.  Don't send to the
12341
   * mapped form.
12342
   */
12343
0
  if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
12344
0
      IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr))
12345
0
  {
12346
0
    notify_log(notify->zone, ISC_LOG_DEBUG(3),
12347
0
         "notify: ignoring IPv6 mapped IPV4 address: %s",
12348
0
         addrbuf);
12349
0
    result = ISC_R_CANCELED;
12350
0
    goto cleanup;
12351
0
  }
12352
12353
0
  result = notify_createmessage(notify->zone, notify->flags, &message);
12354
0
  if (result != ISC_R_SUCCESS) {
12355
0
    goto cleanup;
12356
0
  }
12357
12358
0
  if (notify->key != NULL) {
12359
    /* Transfer ownership of key */
12360
0
    key = notify->key;
12361
0
    notify->key = NULL;
12362
0
  } else {
12363
0
    isc_netaddr_fromsockaddr(&dstip, &notify->dst);
12364
0
    result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
12365
0
    if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
12366
0
      notify_log(notify->zone, ISC_LOG_ERROR,
12367
0
           "NOTIFY to %s not sent. "
12368
0
           "Peer TSIG key lookup failure.",
12369
0
           addrbuf);
12370
0
      goto cleanup_message;
12371
0
    }
12372
0
  }
12373
12374
0
  if (key != NULL) {
12375
0
    char namebuf[DNS_NAME_FORMATSIZE];
12376
12377
0
    dns_name_format(key->name, namebuf, sizeof(namebuf));
12378
0
    notify_log(notify->zone, ISC_LOG_INFO,
12379
0
         "sending notify to %s : TSIG (%s)", addrbuf,
12380
0
         namebuf);
12381
0
  } else {
12382
0
    notify_log(notify->zone, ISC_LOG_INFO, "sending notify to %s",
12383
0
         addrbuf);
12384
0
  }
12385
0
  options = 0;
12386
0
  if (notify->zone->view->peers != NULL) {
12387
0
    dns_peer_t *peer = NULL;
12388
0
    bool usetcp = false;
12389
0
    result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
12390
0
             &dstip, &peer);
12391
0
    if (result == ISC_R_SUCCESS) {
12392
0
      result = dns_peer_getnotifysource(peer, &src);
12393
0
      if (result == ISC_R_SUCCESS) {
12394
0
        have_notifysource = true;
12395
0
      }
12396
0
      result = dns_peer_getforcetcp(peer, &usetcp);
12397
0
      if (result == ISC_R_SUCCESS && usetcp) {
12398
0
        options |= DNS_FETCHOPT_TCP;
12399
0
      }
12400
0
    }
12401
0
  }
12402
0
  switch (isc_sockaddr_pf(&notify->dst)) {
12403
0
  case PF_INET:
12404
0
    if (!have_notifysource) {
12405
0
      isc_sockaddr_t any;
12406
0
      isc_sockaddr_any(&any);
12407
12408
0
      src = notify->src;
12409
0
      if (isc_sockaddr_equal(&src, &any)) {
12410
0
        src = notify->zone->notifysrc4;
12411
0
      }
12412
0
    }
12413
0
    break;
12414
0
  case PF_INET6:
12415
0
    if (!have_notifysource) {
12416
0
      isc_sockaddr_t any;
12417
0
      isc_sockaddr_any6(&any);
12418
12419
0
      src = notify->src;
12420
0
      if (isc_sockaddr_equal(&src, &any)) {
12421
0
        src = notify->zone->notifysrc6;
12422
0
      }
12423
0
    }
12424
0
    break;
12425
0
  default:
12426
0
    result = ISC_R_NOTIMPLEMENTED;
12427
0
    goto cleanup_key;
12428
0
  }
12429
0
  udptimeout = 5;
12430
0
  if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY)) {
12431
0
    udptimeout = 30;
12432
0
  }
12433
0
  timeout = 3 * udptimeout + 1;
12434
0
again:
12435
0
  if ((notify->flags & DNS_NOTIFY_TCP) != 0) {
12436
0
    options |= DNS_REQUESTOPT_TCP;
12437
0
    udptimeout = 0;
12438
0
    timeout = 15;
12439
0
  }
12440
0
  result = dns_request_create(
12441
0
    notify->zone->view->requestmgr, message, &src, &notify->dst,
12442
0
    NULL, NULL, options, key, timeout, udptimeout, 2,
12443
0
    notify->zone->loop, notify_done, notify, &notify->request);
12444
0
  if (result == ISC_R_SUCCESS) {
12445
0
    if (isc_sockaddr_pf(&notify->dst) == AF_INET) {
12446
0
      inc_stats(notify->zone,
12447
0
          dns_zonestatscounter_notifyoutv4);
12448
0
    } else {
12449
0
      inc_stats(notify->zone,
12450
0
          dns_zonestatscounter_notifyoutv6);
12451
0
    }
12452
0
  } else if (result == ISC_R_SHUTTINGDOWN || result == ISC_R_CANCELED) {
12453
0
    goto cleanup_key;
12454
0
  } else if ((notify->flags & DNS_NOTIFY_TCP) == 0) {
12455
0
    notify_log(notify->zone, ISC_LOG_NOTICE,
12456
0
         "notify to %s failed: %s: retrying over TCP",
12457
0
         addrbuf, isc_result_totext(result));
12458
0
    notify->flags |= DNS_NOTIFY_TCP;
12459
0
    goto again;
12460
0
  }
12461
12462
0
cleanup_key:
12463
0
  if (key != NULL) {
12464
0
    dns_tsigkey_detach(&key);
12465
0
  }
12466
0
cleanup_message:
12467
0
  dns_message_detach(&message);
12468
0
cleanup:
12469
0
  UNLOCK_ZONE(notify->zone);
12470
0
  if (notify->rlevent != NULL) {
12471
0
    isc_rlevent_free(&notify->rlevent);
12472
0
  }
12473
12474
0
  if (result != ISC_R_SUCCESS) {
12475
0
    isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
12476
0
    notify_log(notify->zone, ISC_LOG_WARNING,
12477
0
         "notify to %s failed: %s", addrbuf,
12478
0
         isc_result_totext(result));
12479
0
    notify_destroy(notify, false);
12480
0
  }
12481
0
}
12482
12483
static void
12484
0
notify_send(dns_notify_t *notify) {
12485
0
  dns_adbaddrinfo_t *ai;
12486
0
  isc_sockaddr_t dst;
12487
0
  isc_result_t result;
12488
0
  dns_notify_t *newnotify = NULL;
12489
0
  unsigned int flags;
12490
0
  bool startup;
12491
12492
  /*
12493
   * Zone lock held by caller.
12494
   */
12495
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
12496
0
  REQUIRE(LOCKED_ZONE(notify->zone));
12497
12498
0
  if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING)) {
12499
0
    return;
12500
0
  }
12501
12502
0
  for (ai = ISC_LIST_HEAD(notify->find->list); ai != NULL;
12503
0
       ai = ISC_LIST_NEXT(ai, publink))
12504
0
  {
12505
0
    dst = ai->sockaddr;
12506
0
    if (notify_isqueued(notify->zone, notify->flags, NULL, &dst,
12507
0
            NULL, NULL))
12508
0
    {
12509
0
      continue;
12510
0
    }
12511
0
    if (notify_isself(notify->zone, &dst)) {
12512
0
      continue;
12513
0
    }
12514
0
    newnotify = NULL;
12515
0
    flags = notify->flags & DNS_NOTIFY_NOSOA;
12516
0
    result = notify_create(notify->mctx, flags, &newnotify);
12517
0
    if (result != ISC_R_SUCCESS) {
12518
0
      goto cleanup;
12519
0
    }
12520
0
    zone_iattach(notify->zone, &newnotify->zone);
12521
0
    ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link);
12522
0
    newnotify->dst = dst;
12523
0
    if (isc_sockaddr_pf(&dst) == AF_INET6) {
12524
0
      isc_sockaddr_any6(&newnotify->src);
12525
0
    }
12526
0
    startup = ((notify->flags & DNS_NOTIFY_STARTUP) != 0);
12527
0
    result = notify_send_queue(newnotify, startup);
12528
0
    if (result != ISC_R_SUCCESS) {
12529
0
      goto cleanup;
12530
0
    }
12531
0
    newnotify = NULL;
12532
0
  }
12533
12534
0
cleanup:
12535
0
  if (newnotify != NULL) {
12536
0
    notify_destroy(newnotify, true);
12537
0
  }
12538
0
}
12539
12540
void
12541
0
dns_zone_notify(dns_zone_t *zone) {
12542
0
  isc_time_t now;
12543
12544
0
  REQUIRE(DNS_ZONE_VALID(zone));
12545
12546
0
  LOCK_ZONE(zone);
12547
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12548
12549
0
  now = isc_time_now();
12550
0
  zone_settimer(zone, &now);
12551
0
  UNLOCK_ZONE(zone);
12552
0
}
12553
12554
static void
12555
0
zone_notify(dns_zone_t *zone, isc_time_t *now) {
12556
0
  dns_dbnode_t *node = NULL;
12557
0
  dns_db_t *zonedb = NULL;
12558
0
  dns_dbversion_t *version = NULL;
12559
0
  dns_name_t *origin = NULL;
12560
0
  dns_name_t primary;
12561
0
  dns_rdata_ns_t ns;
12562
0
  dns_rdata_soa_t soa;
12563
0
  uint32_t serial;
12564
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
12565
0
  dns_rdataset_t nsrdset;
12566
0
  dns_rdataset_t soardset;
12567
0
  isc_result_t result;
12568
0
  isc_sockaddr_t src;
12569
0
  isc_sockaddr_t dst;
12570
0
  bool isqueued;
12571
0
  dns_notifytype_t notifytype;
12572
0
  unsigned int flags = 0;
12573
0
  bool loggednotify = false;
12574
0
  bool startup;
12575
12576
0
  REQUIRE(DNS_ZONE_VALID(zone));
12577
12578
0
  LOCK_ZONE(zone);
12579
0
  startup = !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12580
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12581
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
12582
0
  notifytype = zone->notifytype;
12583
0
  DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
12584
0
  UNLOCK_ZONE(zone);
12585
12586
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
12587
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
12588
0
  {
12589
0
    return;
12590
0
  }
12591
12592
0
  if (notifytype == dns_notifytype_no) {
12593
0
    return;
12594
0
  }
12595
12596
0
  if (notifytype == dns_notifytype_masteronly &&
12597
0
      zone->type != dns_zone_primary)
12598
0
  {
12599
0
    return;
12600
0
  }
12601
12602
0
  origin = &zone->origin;
12603
12604
  /*
12605
   * If the zone is dialup we are done as we don't want to send
12606
   * the current soa so as to force a refresh query.
12607
   */
12608
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
12609
0
    flags |= DNS_NOTIFY_NOSOA;
12610
0
  }
12611
12612
  /*
12613
   * Record that this was a notify due to starting up.
12614
   */
12615
0
  if (startup) {
12616
0
    flags |= DNS_NOTIFY_STARTUP;
12617
0
  }
12618
12619
  /*
12620
   * Get SOA RRset.
12621
   */
12622
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
12623
0
  if (zone->db != NULL) {
12624
0
    dns_db_attach(zone->db, &zonedb);
12625
0
  }
12626
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
12627
0
  if (zonedb == NULL) {
12628
0
    return;
12629
0
  }
12630
0
  dns_db_currentversion(zonedb, &version);
12631
0
  result = dns_db_findnode(zonedb, origin, false, &node);
12632
0
  if (result != ISC_R_SUCCESS) {
12633
0
    goto cleanup1;
12634
0
  }
12635
12636
0
  dns_rdataset_init(&soardset);
12637
0
  result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
12638
0
             dns_rdatatype_none, 0, &soardset, NULL);
12639
0
  if (result != ISC_R_SUCCESS) {
12640
0
    goto cleanup2;
12641
0
  }
12642
12643
  /*
12644
   * Find serial and primary server's name.
12645
   */
12646
0
  dns_name_init(&primary, NULL);
12647
0
  result = dns_rdataset_first(&soardset);
12648
0
  if (result != ISC_R_SUCCESS) {
12649
0
    goto cleanup3;
12650
0
  }
12651
0
  dns_rdataset_current(&soardset, &rdata);
12652
0
  result = dns_rdata_tostruct(&rdata, &soa, NULL);
12653
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
12654
0
  dns_rdata_reset(&rdata);
12655
0
  dns_name_dup(&soa.origin, zone->mctx, &primary);
12656
0
  serial = soa.serial;
12657
0
  dns_rdataset_disassociate(&soardset);
12658
12659
  /*
12660
   * Enqueue notify requests for 'also-notify' servers.
12661
   */
12662
0
  LOCK_ZONE(zone);
12663
12664
0
  dns_remote_reset(&zone->notify, false);
12665
0
  while (!dns_remote_done(&zone->notify)) {
12666
0
    dns_tsigkey_t *key = NULL;
12667
0
    dns_transport_t *transport = NULL;
12668
0
    dns_notify_t *notify = NULL;
12669
0
    dns_view_t *view = dns_zone_getview(zone);
12670
12671
0
    if (dns_remote_keyname(&zone->notify) != NULL) {
12672
0
      dns_name_t *keyname = dns_remote_keyname(&zone->notify);
12673
0
      (void)dns_view_gettsig(view, keyname, &key);
12674
0
    }
12675
12676
0
    if (dns_remote_tlsname(&zone->notify) != NULL) {
12677
0
      dns_name_t *tlsname = dns_remote_tlsname(&zone->notify);
12678
0
      (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS,
12679
0
                tlsname, &transport);
12680
12681
0
      dns_zone_logc(
12682
0
        zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
12683
0
        "got TLS configuration for zone transfer");
12684
0
    }
12685
12686
    /* TODO: glue the transport to the notify */
12687
12688
0
    dst = dns_remote_curraddr(&zone->notify);
12689
0
    src = dns_remote_sourceaddr(&zone->notify);
12690
0
    INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
12691
12692
0
    if (isc_sockaddr_disabled(&dst)) {
12693
0
      goto next;
12694
0
    }
12695
12696
0
    if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) {
12697
0
      if (key != NULL) {
12698
0
        dns_tsigkey_detach(&key);
12699
0
      }
12700
0
      if (transport != NULL) {
12701
0
        dns_transport_detach(&transport);
12702
0
      }
12703
0
      goto next;
12704
0
    }
12705
12706
0
    result = notify_create(zone->mctx, flags, &notify);
12707
0
    if (result != ISC_R_SUCCESS) {
12708
0
      if (key != NULL) {
12709
0
        dns_tsigkey_detach(&key);
12710
0
      }
12711
0
      if (transport != NULL) {
12712
0
        dns_transport_detach(&transport);
12713
0
      }
12714
0
      goto next;
12715
0
    }
12716
12717
0
    zone_iattach(zone, &notify->zone);
12718
0
    notify->src = src;
12719
0
    notify->dst = dst;
12720
12721
0
    INSIST(notify->key == NULL);
12722
12723
0
    if (key != NULL) {
12724
0
      notify->key = key;
12725
0
      key = NULL;
12726
0
    }
12727
12728
0
    INSIST(notify->transport == NULL);
12729
0
    if (transport != NULL) {
12730
0
      notify->transport = transport;
12731
0
      transport = NULL;
12732
0
    }
12733
12734
0
    ISC_LIST_APPEND(zone->notifies, notify, link);
12735
0
    result = notify_send_queue(notify, startup);
12736
0
    if (result != ISC_R_SUCCESS) {
12737
0
      notify_destroy(notify, true);
12738
0
    }
12739
0
    if (!loggednotify) {
12740
0
      notify_log(zone, ISC_LOG_INFO,
12741
0
           "sending notifies (serial %u)", serial);
12742
0
      loggednotify = true;
12743
0
    }
12744
0
  next:
12745
0
    dns_remote_next(&zone->notify, false);
12746
0
  }
12747
0
  UNLOCK_ZONE(zone);
12748
12749
0
  if (notifytype == dns_notifytype_explicit) {
12750
0
    goto cleanup3;
12751
0
  }
12752
12753
  /*
12754
   * Process NS RRset to generate notifies.
12755
   */
12756
12757
0
  dns_rdataset_init(&nsrdset);
12758
0
  result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
12759
0
             dns_rdatatype_none, 0, &nsrdset, NULL);
12760
0
  if (result != ISC_R_SUCCESS) {
12761
0
    goto cleanup3;
12762
0
  }
12763
12764
0
  result = dns_rdataset_first(&nsrdset);
12765
0
  while (result == ISC_R_SUCCESS) {
12766
0
    dns_notify_t *notify = NULL;
12767
12768
0
    dns_rdataset_current(&nsrdset, &rdata);
12769
0
    result = dns_rdata_tostruct(&rdata, &ns, NULL);
12770
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
12771
0
    dns_rdata_reset(&rdata);
12772
    /*
12773
     * Don't notify the primary server unless explicitly
12774
     * configured to do so.
12775
     */
12776
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
12777
0
        dns_name_compare(&primary, &ns.name) == 0)
12778
0
    {
12779
0
      result = dns_rdataset_next(&nsrdset);
12780
0
      continue;
12781
0
    }
12782
12783
0
    if (!loggednotify) {
12784
0
      notify_log(zone, ISC_LOG_INFO,
12785
0
           "sending notifies (serial %u)", serial);
12786
0
      loggednotify = true;
12787
0
    }
12788
12789
0
    LOCK_ZONE(zone);
12790
0
    isqueued = notify_isqueued(zone, flags, &ns.name, NULL, NULL,
12791
0
             NULL);
12792
0
    UNLOCK_ZONE(zone);
12793
0
    if (isqueued) {
12794
0
      result = dns_rdataset_next(&nsrdset);
12795
0
      continue;
12796
0
    }
12797
0
    result = notify_create(zone->mctx, flags, &notify);
12798
0
    if (result != ISC_R_SUCCESS) {
12799
0
      continue;
12800
0
    }
12801
0
    dns_zone_iattach(zone, &notify->zone);
12802
0
    dns_name_dup(&ns.name, zone->mctx, &notify->ns);
12803
0
    LOCK_ZONE(zone);
12804
0
    ISC_LIST_APPEND(zone->notifies, notify, link);
12805
0
    UNLOCK_ZONE(zone);
12806
0
    notify_find_address(notify);
12807
0
    result = dns_rdataset_next(&nsrdset);
12808
0
  }
12809
0
  dns_rdataset_disassociate(&nsrdset);
12810
12811
0
cleanup3:
12812
0
  if (dns_name_dynamic(&primary)) {
12813
0
    dns_name_free(&primary, zone->mctx);
12814
0
  }
12815
0
cleanup2:
12816
0
  dns_db_detachnode(zonedb, &node);
12817
0
cleanup1:
12818
0
  dns_db_closeversion(zonedb, &version, false);
12819
0
  dns_db_detach(&zonedb);
12820
0
}
12821
12822
/***
12823
 *** Private
12824
 ***/
12825
static void
12826
create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name,
12827
0
       dns_message_t **messagep) {
12828
0
  dns_message_t *message = NULL;
12829
0
  dns_name_t *qname = NULL;
12830
0
  dns_rdataset_t *qrdataset = NULL;
12831
12832
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
12833
0
         &message);
12834
12835
0
  message->opcode = dns_opcode_query;
12836
0
  message->rdclass = zone->rdclass;
12837
12838
0
  dns_message_gettempname(message, &qname);
12839
12840
0
  dns_message_gettemprdataset(message, &qrdataset);
12841
12842
  /*
12843
   * Make question.
12844
   */
12845
0
  dns_name_clone(name, qname);
12846
0
  dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
12847
0
  ISC_LIST_APPEND(qname->list, qrdataset, link);
12848
0
  dns_message_addname(message, qname, DNS_SECTION_QUESTION);
12849
12850
0
  *messagep = message;
12851
0
}
12852
12853
static isc_result_t
12854
add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid,
12855
0
  bool reqexpire) {
12856
0
  isc_result_t result;
12857
0
  dns_rdataset_t *rdataset = NULL;
12858
0
  dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
12859
0
  int count = 0;
12860
12861
  /* Set EDNS options if applicable. */
12862
0
  if (reqnsid) {
12863
0
    INSIST(count < DNS_EDNSOPTIONS);
12864
0
    ednsopts[count].code = DNS_OPT_NSID;
12865
0
    ednsopts[count].length = 0;
12866
0
    ednsopts[count].value = NULL;
12867
0
    count++;
12868
0
  }
12869
0
  if (reqexpire) {
12870
0
    INSIST(count < DNS_EDNSOPTIONS);
12871
0
    ednsopts[count].code = DNS_OPT_EXPIRE;
12872
0
    ednsopts[count].length = 0;
12873
0
    ednsopts[count].value = NULL;
12874
0
    count++;
12875
0
  }
12876
0
  result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0,
12877
0
              ednsopts, count);
12878
0
  if (result != ISC_R_SUCCESS) {
12879
0
    return (result);
12880
0
  }
12881
12882
0
  return (dns_message_setopt(message, rdataset));
12883
0
}
12884
12885
/*
12886
 * Called when stub zone update is finished.
12887
 * Update zone refresh, retry, expire values accordingly with
12888
 * SOA received from primary, sync database to file, restart
12889
 * zone management timer.
12890
 */
12891
static void
12892
0
stub_finish_zone_update(dns_stub_t *stub, isc_time_t now) {
12893
0
  uint32_t refresh, retry, expire;
12894
0
  isc_result_t result;
12895
0
  isc_interval_t i;
12896
0
  unsigned int soacount;
12897
0
  dns_zone_t *zone = stub->zone;
12898
12899
  /*
12900
   * Tidy up.
12901
   */
12902
0
  dns_db_closeversion(stub->db, &stub->version, true);
12903
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
12904
0
  if (zone->db == NULL) {
12905
0
    zone_attachdb(zone, stub->db);
12906
0
  }
12907
0
  result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, NULL,
12908
0
          &refresh, &retry, &expire, NULL, NULL);
12909
0
  if (result == ISC_R_SUCCESS && soacount > 0U) {
12910
0
    zone->refresh = RANGE(refresh, zone->minrefresh,
12911
0
              zone->maxrefresh);
12912
0
    zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
12913
0
    zone->expire = RANGE(expire, zone->refresh + zone->retry,
12914
0
             DNS_MAX_EXPIRE);
12915
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
12916
0
  }
12917
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
12918
0
  dns_db_detach(&stub->db);
12919
12920
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
12921
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
12922
0
  DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
12923
0
  isc_interval_set(&i, zone->expire, 0);
12924
0
  DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
12925
12926
0
  if (zone->masterfile != NULL) {
12927
0
    zone_needdump(zone, 0);
12928
0
  }
12929
12930
0
  zone_settimer(zone, &now);
12931
0
}
12932
12933
/*
12934
 * Process answers for A and AAAA queries when
12935
 * resolving nameserver addresses for which glue
12936
 * was missing in a previous answer for a NS query.
12937
 */
12938
static void
12939
0
stub_glue_response(void *arg) {
12940
0
  dns_request_t *request = (dns_request_t *)arg;
12941
0
  struct stub_glue_request *sgr = dns_request_getarg(request);
12942
0
  struct stub_cb_args *cb_args = sgr->args;
12943
0
  dns_stub_t *stub = cb_args->stub;
12944
0
  dns_message_t *msg = NULL;
12945
0
  dns_zone_t *zone = NULL;
12946
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
12947
0
  char source[ISC_SOCKADDR_FORMATSIZE];
12948
0
  uint32_t addr_count, cnamecnt;
12949
0
  isc_result_t result;
12950
0
  isc_sockaddr_t curraddr;
12951
0
  isc_time_t now;
12952
0
  dns_rdataset_t *addr_rdataset = NULL;
12953
0
  dns_dbnode_t *node = NULL;
12954
12955
0
  INSIST(DNS_STUB_VALID(stub));
12956
12957
0
  zone = stub->zone;
12958
12959
0
  ENTER;
12960
12961
0
  now = isc_time_now();
12962
12963
0
  LOCK_ZONE(zone);
12964
12965
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
12966
0
    zone_debuglog(zone, __func__, 1, "exiting");
12967
0
    goto cleanup;
12968
0
  }
12969
12970
0
  curraddr = dns_remote_curraddr(&zone->primaries);
12971
0
  isc_sockaddr_format(&curraddr, primary, sizeof(primary));
12972
0
  isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
12973
12974
0
  if (dns_request_getresult(request) != ISC_R_SUCCESS) {
12975
0
    dns_zonemgr_unreachableadd(zone->zmgr, &curraddr,
12976
0
             &zone->sourceaddr, &now);
12977
0
    dns_zone_log(zone, ISC_LOG_INFO,
12978
0
           "could not refresh stub from primary %s"
12979
0
           " (source %s): %s",
12980
0
           primary, source,
12981
0
           isc_result_totext(dns_request_getresult(request)));
12982
0
    goto cleanup;
12983
0
  }
12984
12985
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
12986
0
         &msg);
12987
0
  result = dns_request_getresponse(request, msg, 0);
12988
0
  if (result != ISC_R_SUCCESS) {
12989
0
    dns_zone_log(zone, ISC_LOG_INFO,
12990
0
           "refreshing stub: unable to parse response (%s)",
12991
0
           isc_result_totext(result));
12992
0
    goto cleanup;
12993
0
  }
12994
12995
  /*
12996
   * Unexpected opcode.
12997
   */
12998
0
  if (msg->opcode != dns_opcode_query) {
12999
0
    char opcode[128];
13000
0
    isc_buffer_t rb;
13001
13002
0
    isc_buffer_init(&rb, opcode, sizeof(opcode));
13003
0
    (void)dns_opcode_totext(msg->opcode, &rb);
13004
13005
0
    dns_zone_log(zone, ISC_LOG_INFO,
13006
0
           "refreshing stub: "
13007
0
           "unexpected opcode (%.*s) from %s (source %s)",
13008
0
           (int)rb.used, opcode, primary, source);
13009
0
    goto cleanup;
13010
0
  }
13011
13012
  /*
13013
   * Unexpected rcode.
13014
   */
13015
0
  if (msg->rcode != dns_rcode_noerror) {
13016
0
    char rcode[128];
13017
0
    isc_buffer_t rb;
13018
13019
0
    isc_buffer_init(&rb, rcode, sizeof(rcode));
13020
0
    (void)dns_rcode_totext(msg->rcode, &rb);
13021
13022
0
    dns_zone_log(zone, ISC_LOG_INFO,
13023
0
           "refreshing stub: "
13024
0
           "unexpected rcode (%.*s) from %s (source %s)",
13025
0
           (int)rb.used, rcode, primary, source);
13026
0
    goto cleanup;
13027
0
  }
13028
13029
  /*
13030
   * We need complete messages.
13031
   */
13032
0
  if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
13033
0
    if (dns_request_usedtcp(request)) {
13034
0
      dns_zone_log(zone, ISC_LOG_INFO,
13035
0
             "refreshing stub: truncated TCP "
13036
0
             "response from primary %s (source %s)",
13037
0
             primary, source);
13038
0
    }
13039
0
    goto cleanup;
13040
0
  }
13041
13042
  /*
13043
   * If non-auth log.
13044
   */
13045
0
  if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
13046
0
    dns_zone_log(zone, ISC_LOG_INFO,
13047
0
           "refreshing stub: "
13048
0
           "non-authoritative answer from "
13049
0
           "primary %s (source %s)",
13050
0
           primary, source);
13051
0
    goto cleanup;
13052
0
  }
13053
13054
  /*
13055
   * Sanity checks.
13056
   */
13057
0
  cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
13058
0
  addr_count = message_count(msg, DNS_SECTION_ANSWER,
13059
0
           sgr->ipv4 ? dns_rdatatype_a
13060
0
               : dns_rdatatype_aaaa);
13061
13062
0
  if (cnamecnt != 0) {
13063
0
    dns_zone_log(zone, ISC_LOG_INFO,
13064
0
           "refreshing stub: unexpected CNAME response "
13065
0
           "from primary %s (source %s)",
13066
0
           primary, source);
13067
0
    goto cleanup;
13068
0
  }
13069
13070
0
  if (addr_count == 0) {
13071
0
    dns_zone_log(zone, ISC_LOG_INFO,
13072
0
           "refreshing stub: no %s records in response "
13073
0
           "from primary %s (source %s)",
13074
0
           sgr->ipv4 ? "A" : "AAAA", primary, source);
13075
0
    goto cleanup;
13076
0
  }
13077
  /*
13078
   * Extract A or AAAA RRset from message.
13079
   */
13080
0
  result = dns_message_findname(msg, DNS_SECTION_ANSWER, &sgr->name,
13081
0
              sgr->ipv4 ? dns_rdatatype_a
13082
0
            : dns_rdatatype_aaaa,
13083
0
              dns_rdatatype_none, NULL, &addr_rdataset);
13084
0
  if (result != ISC_R_SUCCESS) {
13085
0
    if (result != DNS_R_NXDOMAIN && result != DNS_R_NXRRSET) {
13086
0
      char namebuf[DNS_NAME_FORMATSIZE];
13087
0
      dns_name_format(&sgr->name, namebuf, sizeof(namebuf));
13088
0
      dns_zone_log(
13089
0
        zone, ISC_LOG_INFO,
13090
0
        "refreshing stub: dns_message_findname(%s/%s) "
13091
0
        "failed (%s)",
13092
0
        namebuf, sgr->ipv4 ? "A" : "AAAA",
13093
0
        isc_result_totext(result));
13094
0
    }
13095
0
    goto cleanup;
13096
0
  }
13097
13098
0
  result = dns_db_findnode(stub->db, &sgr->name, true, &node);
13099
0
  if (result != ISC_R_SUCCESS) {
13100
0
    dns_zone_log(zone, ISC_LOG_INFO,
13101
0
           "refreshing stub: "
13102
0
           "dns_db_findnode() failed: %s",
13103
0
           isc_result_totext(result));
13104
0
    goto cleanup;
13105
0
  }
13106
13107
0
  result = dns_db_addrdataset(stub->db, node, stub->version, 0,
13108
0
            addr_rdataset, 0, NULL);
13109
0
  if (result != ISC_R_SUCCESS) {
13110
0
    dns_zone_log(zone, ISC_LOG_INFO,
13111
0
           "refreshing stub: "
13112
0
           "dns_db_addrdataset() failed: %s",
13113
0
           isc_result_totext(result));
13114
0
  }
13115
0
  dns_db_detachnode(stub->db, &node);
13116
13117
0
cleanup:
13118
0
  if (msg != NULL) {
13119
0
    dns_message_detach(&msg);
13120
0
  }
13121
13122
0
  dns_name_free(&sgr->name, zone->mctx);
13123
0
  dns_request_destroy(&sgr->request);
13124
0
  isc_mem_put(zone->mctx, sgr, sizeof(*sgr));
13125
13126
  /* If last request, release all related resources */
13127
0
  if (atomic_fetch_sub_release(&stub->pending_requests, 1) == 1) {
13128
0
    isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13129
0
    stub_finish_zone_update(stub, now);
13130
0
    UNLOCK_ZONE(zone);
13131
0
    stub->magic = 0;
13132
0
    dns_zone_idetach(&stub->zone);
13133
0
    INSIST(stub->db == NULL);
13134
0
    INSIST(stub->version == NULL);
13135
0
    isc_mem_put(stub->mctx, stub, sizeof(*stub));
13136
0
  } else {
13137
0
    UNLOCK_ZONE(zone);
13138
0
  }
13139
0
}
13140
13141
/*
13142
 * Create and send an A or AAAA query to the primary
13143
 * server of the stub zone given.
13144
 */
13145
static isc_result_t
13146
stub_request_nameserver_address(struct stub_cb_args *args, bool ipv4,
13147
0
        const dns_name_t *name) {
13148
0
  dns_message_t *message = NULL;
13149
0
  dns_zone_t *zone;
13150
0
  isc_result_t result;
13151
0
  struct stub_glue_request *sgr;
13152
0
  isc_sockaddr_t curraddr;
13153
13154
0
  zone = args->stub->zone;
13155
0
  sgr = isc_mem_get(zone->mctx, sizeof(*sgr));
13156
0
  *sgr = (struct stub_glue_request){
13157
0
    .args = args,
13158
0
    .name = (dns_name_t)DNS_NAME_INITEMPTY,
13159
0
    .ipv4 = ipv4,
13160
0
  };
13161
13162
0
  dns_name_dup(name, zone->mctx, &sgr->name);
13163
13164
0
  create_query(zone, ipv4 ? dns_rdatatype_a : dns_rdatatype_aaaa,
13165
0
         &sgr->name, &message);
13166
13167
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13168
0
    result = add_opt(message, args->udpsize, args->reqnsid, false);
13169
0
    if (result != ISC_R_SUCCESS) {
13170
0
      zone_debuglog(zone, __func__, 1,
13171
0
              "unable to add opt record: %s",
13172
0
              isc_result_totext(result));
13173
0
      goto fail;
13174
0
    }
13175
0
  }
13176
13177
0
  atomic_fetch_add_release(&args->stub->pending_requests, 1);
13178
13179
0
  curraddr = dns_remote_curraddr(&zone->primaries);
13180
0
  result = dns_request_create(
13181
0
    zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
13182
0
    NULL, NULL, DNS_REQUESTOPT_TCP, args->tsig_key,
13183
0
    args->timeout * 3, args->timeout, 2, zone->loop,
13184
0
    stub_glue_response, sgr, &sgr->request);
13185
13186
0
  if (result != ISC_R_SUCCESS) {
13187
0
    uint_fast32_t pr;
13188
0
    pr = atomic_fetch_sub_release(&args->stub->pending_requests, 1);
13189
0
    INSIST(pr > 1);
13190
0
    zone_debuglog(zone, __func__, 1,
13191
0
            "dns_request_create() failed: %s",
13192
0
            isc_result_totext(result));
13193
0
    goto fail;
13194
0
  }
13195
13196
0
  dns_message_detach(&message);
13197
13198
0
  return (ISC_R_SUCCESS);
13199
13200
0
fail:
13201
0
  dns_name_free(&sgr->name, zone->mctx);
13202
0
  isc_mem_put(zone->mctx, sgr, sizeof(*sgr));
13203
13204
0
  if (message != NULL) {
13205
0
    dns_message_detach(&message);
13206
0
  }
13207
13208
0
  return (result);
13209
0
}
13210
13211
static isc_result_t
13212
save_nsrrset(dns_message_t *message, dns_name_t *name,
13213
       struct stub_cb_args *cb_args, dns_db_t *db,
13214
0
       dns_dbversion_t *version) {
13215
0
  dns_rdataset_t *nsrdataset = NULL;
13216
0
  dns_rdataset_t *rdataset = NULL;
13217
0
  dns_dbnode_t *node = NULL;
13218
0
  dns_rdata_ns_t ns;
13219
0
  isc_result_t result;
13220
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
13221
0
  bool has_glue = false;
13222
0
  dns_name_t *ns_name;
13223
  /*
13224
   * List of NS entries in answer, keep names that will be used
13225
   * to resolve missing A/AAAA glue for each entry.
13226
   */
13227
0
  dns_namelist_t ns_list;
13228
0
  ISC_LIST_INIT(ns_list);
13229
13230
  /*
13231
   * Extract NS RRset from message.
13232
   */
13233
0
  result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
13234
0
              dns_rdatatype_ns, dns_rdatatype_none,
13235
0
              NULL, &nsrdataset);
13236
0
  if (result != ISC_R_SUCCESS) {
13237
0
    goto done;
13238
0
  }
13239
13240
  /*
13241
   * Add NS rdataset.
13242
   */
13243
0
  result = dns_db_findnode(db, name, true, &node);
13244
0
  if (result != ISC_R_SUCCESS) {
13245
0
    goto done;
13246
0
  }
13247
0
  result = dns_db_addrdataset(db, node, version, 0, nsrdataset, 0, NULL);
13248
0
  dns_db_detachnode(db, &node);
13249
0
  if (result != ISC_R_SUCCESS) {
13250
0
    goto done;
13251
0
  }
13252
  /*
13253
   * Add glue rdatasets.
13254
   */
13255
0
  for (result = dns_rdataset_first(nsrdataset); result == ISC_R_SUCCESS;
13256
0
       result = dns_rdataset_next(nsrdataset))
13257
0
  {
13258
0
    dns_rdataset_current(nsrdataset, &rdata);
13259
0
    result = dns_rdata_tostruct(&rdata, &ns, NULL);
13260
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
13261
0
    dns_rdata_reset(&rdata);
13262
13263
0
    if (!dns_name_issubdomain(&ns.name, name)) {
13264
0
      continue;
13265
0
    }
13266
0
    rdataset = NULL;
13267
0
    result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
13268
0
                &ns.name, dns_rdatatype_aaaa,
13269
0
                dns_rdatatype_none, NULL,
13270
0
                &rdataset);
13271
0
    if (result == ISC_R_SUCCESS) {
13272
0
      has_glue = true;
13273
0
      result = dns_db_findnode(db, &ns.name, true, &node);
13274
0
      if (result != ISC_R_SUCCESS) {
13275
0
        goto done;
13276
0
      }
13277
0
      result = dns_db_addrdataset(db, node, version, 0,
13278
0
                rdataset, 0, NULL);
13279
0
      dns_db_detachnode(db, &node);
13280
0
      if (result != ISC_R_SUCCESS) {
13281
0
        goto done;
13282
0
      }
13283
0
    }
13284
13285
0
    rdataset = NULL;
13286
0
    result = dns_message_findname(
13287
0
      message, DNS_SECTION_ADDITIONAL, &ns.name,
13288
0
      dns_rdatatype_a, dns_rdatatype_none, NULL, &rdataset);
13289
0
    if (result == ISC_R_SUCCESS) {
13290
0
      has_glue = true;
13291
0
      result = dns_db_findnode(db, &ns.name, true, &node);
13292
0
      if (result != ISC_R_SUCCESS) {
13293
0
        goto done;
13294
0
      }
13295
0
      result = dns_db_addrdataset(db, node, version, 0,
13296
0
                rdataset, 0, NULL);
13297
0
      dns_db_detachnode(db, &node);
13298
0
      if (result != ISC_R_SUCCESS) {
13299
0
        goto done;
13300
0
      }
13301
0
    }
13302
13303
    /*
13304
     * If no glue is found so far, we add the name to the list to
13305
     * resolve the A/AAAA glue later. If any glue is found in any
13306
     * iteration step, this list will be discarded and only the glue
13307
     * provided in this message will be used.
13308
     */
13309
0
    if (!has_glue && dns_name_issubdomain(&ns.name, name)) {
13310
0
      dns_name_t *tmp_name;
13311
0
      tmp_name = isc_mem_get(cb_args->stub->mctx,
13312
0
                 sizeof(*tmp_name));
13313
0
      dns_name_init(tmp_name, NULL);
13314
0
      dns_name_dup(&ns.name, cb_args->stub->mctx, tmp_name);
13315
0
      ISC_LIST_APPEND(ns_list, tmp_name, link);
13316
0
    }
13317
0
  }
13318
13319
0
  if (result != ISC_R_NOMORE) {
13320
0
    goto done;
13321
0
  }
13322
13323
  /*
13324
   * If no glue records were found, we attempt to resolve A/AAAA
13325
   * for each NS entry found in the answer.
13326
   */
13327
0
  if (!has_glue) {
13328
0
    for (ns_name = ISC_LIST_HEAD(ns_list); ns_name != NULL;
13329
0
         ns_name = ISC_LIST_NEXT(ns_name, link))
13330
0
    {
13331
      /*
13332
       * Resolve NS IPv4 address/A.
13333
       */
13334
0
      result = stub_request_nameserver_address(cb_args, true,
13335
0
                 ns_name);
13336
0
      if (result != ISC_R_SUCCESS) {
13337
0
        goto done;
13338
0
      }
13339
      /*
13340
       * Resolve NS IPv6 address/AAAA.
13341
       */
13342
0
      result = stub_request_nameserver_address(cb_args, false,
13343
0
                 ns_name);
13344
0
      if (result != ISC_R_SUCCESS) {
13345
0
        goto done;
13346
0
      }
13347
0
    }
13348
0
  }
13349
13350
0
  result = ISC_R_SUCCESS;
13351
13352
0
done:
13353
0
  while ((ns_name = ISC_LIST_HEAD(ns_list)) != NULL) {
13354
0
    ISC_LIST_UNLINK(ns_list, ns_name, link);
13355
0
    dns_name_free(ns_name, cb_args->stub->mctx);
13356
0
    isc_mem_put(cb_args->stub->mctx, ns_name, sizeof(*ns_name));
13357
0
  }
13358
0
  return (result);
13359
0
}
13360
13361
static void
13362
0
stub_callback(void *arg) {
13363
0
  dns_request_t *request = (dns_request_t *)arg;
13364
0
  struct stub_cb_args *cb_args = dns_request_getarg(request);
13365
0
  dns_stub_t *stub = cb_args->stub;
13366
0
  dns_message_t *msg = NULL;
13367
0
  dns_zone_t *zone = NULL;
13368
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
13369
0
  char source[ISC_SOCKADDR_FORMATSIZE];
13370
0
  uint32_t nscnt, cnamecnt;
13371
0
  isc_result_t result;
13372
0
  isc_sockaddr_t curraddr;
13373
0
  isc_time_t now;
13374
0
  bool exiting = false;
13375
13376
0
  INSIST(DNS_STUB_VALID(stub));
13377
13378
0
  zone = stub->zone;
13379
13380
0
  ENTER;
13381
13382
0
  now = isc_time_now();
13383
13384
0
  LOCK_ZONE(zone);
13385
13386
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
13387
0
    goto exiting;
13388
0
  }
13389
13390
0
  curraddr = dns_remote_curraddr(&zone->primaries);
13391
0
  isc_sockaddr_format(&curraddr, primary, sizeof(primary));
13392
0
  isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
13393
13394
0
  result = dns_request_getresult(request);
13395
0
  switch (result) {
13396
0
  case ISC_R_SUCCESS:
13397
0
    break;
13398
0
  case ISC_R_SHUTTINGDOWN:
13399
0
    goto exiting;
13400
0
  case ISC_R_TIMEDOUT:
13401
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13402
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13403
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13404
0
             "refreshing stub: timeout retrying "
13405
0
             "without EDNS primary %s (source %s)",
13406
0
             primary, source);
13407
0
      goto same_primary;
13408
0
    }
13409
0
    FALLTHROUGH;
13410
0
  default:
13411
0
    dns_zonemgr_unreachableadd(zone->zmgr, &curraddr,
13412
0
             &zone->sourceaddr, &now);
13413
0
    dns_zone_log(zone, ISC_LOG_INFO,
13414
0
           "could not refresh stub from primary "
13415
0
           "%s (source %s): %s",
13416
0
           primary, source, isc_result_totext(result));
13417
0
    goto next_primary;
13418
0
  }
13419
13420
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
13421
0
         &msg);
13422
13423
0
  result = dns_request_getresponse(request, msg, 0);
13424
0
  if (result != ISC_R_SUCCESS) {
13425
0
    goto next_primary;
13426
0
  }
13427
13428
  /*
13429
   * Unexpected opcode.
13430
   */
13431
0
  if (msg->opcode != dns_opcode_query) {
13432
0
    char opcode[128];
13433
0
    isc_buffer_t rb;
13434
13435
0
    isc_buffer_init(&rb, opcode, sizeof(opcode));
13436
0
    (void)dns_opcode_totext(msg->opcode, &rb);
13437
13438
0
    dns_zone_log(zone, ISC_LOG_INFO,
13439
0
           "refreshing stub: "
13440
0
           "unexpected opcode (%.*s) from %s (source %s)",
13441
0
           (int)rb.used, opcode, primary, source);
13442
0
    goto next_primary;
13443
0
  }
13444
13445
  /*
13446
   * Unexpected rcode.
13447
   */
13448
0
  if (msg->rcode != dns_rcode_noerror) {
13449
0
    char rcode[128];
13450
0
    isc_buffer_t rb;
13451
13452
0
    isc_buffer_init(&rb, rcode, sizeof(rcode));
13453
0
    (void)dns_rcode_totext(msg->rcode, &rb);
13454
13455
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
13456
0
        (msg->rcode == dns_rcode_servfail ||
13457
0
         msg->rcode == dns_rcode_notimp ||
13458
0
         (msg->rcode == dns_rcode_formerr && msg->opt == NULL)))
13459
0
    {
13460
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13461
0
             "refreshing stub: rcode (%.*s) retrying "
13462
0
             "without EDNS primary %s (source %s)",
13463
0
             (int)rb.used, rcode, primary, source);
13464
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13465
0
      goto same_primary;
13466
0
    }
13467
13468
0
    dns_zone_log(zone, ISC_LOG_INFO,
13469
0
           "refreshing stub: "
13470
0
           "unexpected rcode (%.*s) from %s (source %s)",
13471
0
           (int)rb.used, rcode, primary, source);
13472
0
    goto next_primary;
13473
0
  }
13474
13475
  /*
13476
   * We need complete messages.
13477
   */
13478
0
  if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
13479
0
    if (dns_request_usedtcp(request)) {
13480
0
      dns_zone_log(zone, ISC_LOG_INFO,
13481
0
             "refreshing stub: truncated TCP "
13482
0
             "response from primary %s (source %s)",
13483
0
             primary, source);
13484
0
      goto next_primary;
13485
0
    }
13486
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
13487
0
    goto same_primary;
13488
0
  }
13489
13490
  /*
13491
   * If non-auth log and next primary.
13492
   */
13493
0
  if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
13494
0
    dns_zone_log(zone, ISC_LOG_INFO,
13495
0
           "refreshing stub: "
13496
0
           "non-authoritative answer from "
13497
0
           "primary %s (source %s)",
13498
0
           primary, source);
13499
0
    goto next_primary;
13500
0
  }
13501
13502
  /*
13503
   * Sanity checks.
13504
   */
13505
0
  cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
13506
0
  nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
13507
13508
0
  if (cnamecnt != 0) {
13509
0
    dns_zone_log(zone, ISC_LOG_INFO,
13510
0
           "refreshing stub: unexpected CNAME response "
13511
0
           "from primary %s (source %s)",
13512
0
           primary, source);
13513
0
    goto next_primary;
13514
0
  }
13515
13516
0
  if (nscnt == 0) {
13517
0
    dns_zone_log(zone, ISC_LOG_INFO,
13518
0
           "refreshing stub: no NS records in response "
13519
0
           "from primary %s (source %s)",
13520
0
           primary, source);
13521
0
    goto next_primary;
13522
0
  }
13523
13524
0
  atomic_fetch_add(&stub->pending_requests, 1);
13525
13526
  /*
13527
   * Save answer.
13528
   */
13529
0
  result = save_nsrrset(msg, &zone->origin, cb_args, stub->db,
13530
0
            stub->version);
13531
0
  if (result != ISC_R_SUCCESS) {
13532
0
    dns_zone_log(zone, ISC_LOG_INFO,
13533
0
           "refreshing stub: unable to save NS records "
13534
0
           "from primary %s (source %s)",
13535
0
           primary, source);
13536
0
    goto next_primary;
13537
0
  }
13538
13539
0
  dns_message_detach(&msg);
13540
0
  dns_request_destroy(&zone->request);
13541
13542
  /*
13543
   * Check to see if there are no outstanding requests and
13544
   * finish off if that is so.
13545
   */
13546
0
  if (atomic_fetch_sub(&stub->pending_requests, 1) == 1) {
13547
0
    isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13548
0
    stub_finish_zone_update(stub, now);
13549
0
    goto free_stub;
13550
0
  }
13551
13552
0
  UNLOCK_ZONE(zone);
13553
0
  return;
13554
13555
0
exiting:
13556
0
  zone_debuglog(zone, __func__, 1, "exiting");
13557
0
  exiting = true;
13558
13559
0
next_primary:
13560
0
  isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13561
0
  if (stub->version != NULL) {
13562
0
    dns_db_closeversion(stub->db, &stub->version, false);
13563
0
  }
13564
0
  if (stub->db != NULL) {
13565
0
    dns_db_detach(&stub->db);
13566
0
  }
13567
0
  if (msg != NULL) {
13568
0
    dns_message_detach(&msg);
13569
0
  }
13570
0
  dns_request_destroy(&zone->request);
13571
  /*
13572
   * Skip to next failed / untried primary.
13573
   */
13574
0
  dns_remote_next(&zone->primaries, true);
13575
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
13576
0
  if (exiting || dns_remote_done(&zone->primaries)) {
13577
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
13578
0
    zone_settimer(zone, &now);
13579
0
    goto free_stub;
13580
0
  }
13581
0
  queue_soa_query(zone);
13582
0
  goto free_stub;
13583
13584
0
same_primary:
13585
0
  isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13586
0
  if (msg != NULL) {
13587
0
    dns_message_detach(&msg);
13588
0
  }
13589
0
  dns_request_destroy(&zone->request);
13590
0
  ns_query(zone, NULL, stub);
13591
0
  UNLOCK_ZONE(zone);
13592
0
  return;
13593
13594
0
free_stub:
13595
0
  UNLOCK_ZONE(zone);
13596
0
  stub->magic = 0;
13597
0
  dns_zone_idetach(&stub->zone);
13598
0
  INSIST(stub->db == NULL);
13599
0
  INSIST(stub->version == NULL);
13600
0
  isc_mem_put(stub->mctx, stub, sizeof(*stub));
13601
0
}
13602
13603
/*
13604
 * Get the EDNS EXPIRE option from the response and if it exists trim
13605
 * expire to be not more than it.
13606
 */
13607
static void
13608
0
get_edns_expire(dns_zone_t *zone, dns_message_t *message, uint32_t *expirep) {
13609
0
  isc_result_t result;
13610
0
  uint32_t expire;
13611
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
13612
0
  isc_buffer_t optbuf;
13613
0
  uint16_t optcode;
13614
0
  uint16_t optlen;
13615
13616
0
  REQUIRE(expirep != NULL);
13617
0
  REQUIRE(message != NULL);
13618
13619
0
  if (message->opt == NULL) {
13620
0
    return;
13621
0
  }
13622
13623
0
  result = dns_rdataset_first(message->opt);
13624
0
  if (result == ISC_R_SUCCESS) {
13625
0
    dns_rdataset_current(message->opt, &rdata);
13626
0
    isc_buffer_init(&optbuf, rdata.data, rdata.length);
13627
0
    isc_buffer_add(&optbuf, rdata.length);
13628
0
    while (isc_buffer_remaininglength(&optbuf) >= 4) {
13629
0
      optcode = isc_buffer_getuint16(&optbuf);
13630
0
      optlen = isc_buffer_getuint16(&optbuf);
13631
      /*
13632
       * A EDNS EXPIRE response has a length of 4.
13633
       */
13634
0
      if (optcode != DNS_OPT_EXPIRE || optlen != 4) {
13635
0
        isc_buffer_forward(&optbuf, optlen);
13636
0
        continue;
13637
0
      }
13638
0
      expire = isc_buffer_getuint32(&optbuf);
13639
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13640
0
             "got EDNS EXPIRE of %u", expire);
13641
      /*
13642
       * Trim *expirep?
13643
       */
13644
0
      if (expire < *expirep) {
13645
0
        *expirep = expire;
13646
0
      }
13647
0
      break;
13648
0
    }
13649
0
  }
13650
0
}
13651
13652
/*
13653
 * Set the file modification time zone->expire seconds before expiretime.
13654
 */
13655
static void
13656
0
setmodtime(dns_zone_t *zone, isc_time_t *expiretime) {
13657
0
  isc_result_t result;
13658
0
  isc_time_t when;
13659
0
  isc_interval_t i;
13660
13661
0
  isc_interval_set(&i, zone->expire, 0);
13662
0
  result = isc_time_subtract(expiretime, &i, &when);
13663
0
  if (result != ISC_R_SUCCESS) {
13664
0
    return;
13665
0
  }
13666
13667
0
  result = ISC_R_FAILURE;
13668
0
  if (zone->journal != NULL) {
13669
0
    result = isc_file_settime(zone->journal, &when);
13670
0
  }
13671
0
  if (result == ISC_R_SUCCESS &&
13672
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
13673
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
13674
0
  {
13675
0
    result = isc_file_settime(zone->masterfile, &when);
13676
0
  } else if (result != ISC_R_SUCCESS) {
13677
0
    result = isc_file_settime(zone->masterfile, &when);
13678
0
  }
13679
13680
  /*
13681
   * Someone removed the file from underneath us!
13682
   */
13683
0
  if (result == ISC_R_FILENOTFOUND) {
13684
0
    zone_needdump(zone, DNS_DUMP_DELAY);
13685
0
  } else if (result != ISC_R_SUCCESS) {
13686
0
    dns_zone_log(zone, ISC_LOG_ERROR,
13687
0
           "refresh: could not set "
13688
0
           "file modification time of '%s': %s",
13689
0
           zone->masterfile, isc_result_totext(result));
13690
0
  }
13691
0
}
13692
13693
/*
13694
 * An SOA query has finished (successfully or not).
13695
 */
13696
static void
13697
0
refresh_callback(void *arg) {
13698
0
  dns_request_t *request = (dns_request_t *)arg;
13699
0
  dns_zone_t *zone = dns_request_getarg(request);
13700
0
  dns_message_t *msg = NULL;
13701
0
  uint32_t soacnt, cnamecnt, soacount, nscount;
13702
0
  isc_time_t now;
13703
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
13704
0
  char source[ISC_SOCKADDR_FORMATSIZE];
13705
0
  dns_rdataset_t *rdataset = NULL;
13706
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
13707
0
  dns_rdata_soa_t soa;
13708
0
  isc_result_t result;
13709
0
  isc_sockaddr_t curraddr;
13710
0
  uint32_t serial, oldserial = 0;
13711
0
  bool do_queue_xfrin = false;
13712
13713
0
  INSIST(DNS_ZONE_VALID(zone));
13714
13715
0
  ENTER;
13716
13717
0
  now = isc_time_now();
13718
13719
0
  LOCK_ZONE(zone);
13720
13721
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
13722
0
    goto exiting;
13723
0
  }
13724
13725
  /*
13726
   * If timeout, log and try the next primary
13727
   */
13728
0
  curraddr = dns_remote_curraddr(&zone->primaries);
13729
0
  isc_sockaddr_format(&curraddr, primary, sizeof(primary));
13730
0
  isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
13731
13732
0
  switch (dns_request_getresult(request)) {
13733
0
  case ISC_R_SUCCESS:
13734
0
    break;
13735
0
  case ISC_R_SHUTTINGDOWN:
13736
0
    goto exiting;
13737
0
  case ISC_R_TIMEDOUT:
13738
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13739
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13740
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13741
0
             "refresh: timeout retrying without EDNS "
13742
0
             "primary %s (source %s)",
13743
0
             primary, source);
13744
0
      goto same_primary;
13745
0
    } else if (!dns_request_usedtcp(request)) {
13746
0
      dns_zone_log(zone, ISC_LOG_INFO,
13747
0
             "refresh: retry limit for "
13748
0
             "primary %s exceeded (source %s)",
13749
0
             primary, source);
13750
      /* Try with secondary with TCP. */
13751
0
      if ((zone->type == dns_zone_secondary ||
13752
0
           zone->type == dns_zone_mirror ||
13753
0
           zone->type == dns_zone_redirect) &&
13754
0
          DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH))
13755
0
      {
13756
0
        if (!dns_zonemgr_unreachable(
13757
0
              zone->zmgr, &curraddr,
13758
0
              &zone->sourceaddr, &now))
13759
0
        {
13760
0
          DNS_ZONE_SETFLAG(
13761
0
            zone,
13762
0
            DNS_ZONEFLG_SOABEFOREAXFR);
13763
0
          goto tcp_transfer;
13764
0
        }
13765
0
        dns_zone_log(zone, ISC_LOG_DEBUG(1),
13766
0
               "refresh: skipped tcp fallback "
13767
0
               "as primary %s (source %s) is "
13768
0
               "unreachable (cached)",
13769
0
               primary, source);
13770
0
      }
13771
0
      goto next_primary;
13772
0
    }
13773
0
    FALLTHROUGH;
13774
0
  default:
13775
0
    dns_zone_log(zone, ISC_LOG_INFO,
13776
0
           "refresh: failure trying primary "
13777
0
           "%s (source %s): %s",
13778
0
           primary, source,
13779
0
           isc_result_totext(dns_request_getresult(request)));
13780
0
    goto next_primary;
13781
0
  }
13782
13783
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
13784
0
         &msg);
13785
0
  result = dns_request_getresponse(request, msg, 0);
13786
0
  if (result != ISC_R_SUCCESS) {
13787
0
    dns_zone_log(zone, ISC_LOG_INFO,
13788
0
           "refresh: failure trying primary "
13789
0
           "%s (source %s): %s",
13790
0
           primary, source, isc_result_totext(result));
13791
0
    goto next_primary;
13792
0
  }
13793
13794
  /*
13795
   * Unexpected opcode.
13796
   */
13797
0
  if (msg->opcode != dns_opcode_query) {
13798
0
    char opcode[128];
13799
0
    isc_buffer_t rb;
13800
13801
0
    isc_buffer_init(&rb, opcode, sizeof(opcode));
13802
0
    (void)dns_opcode_totext(msg->opcode, &rb);
13803
13804
0
    dns_zone_log(zone, ISC_LOG_INFO,
13805
0
           "refresh: "
13806
0
           "unexpected opcode (%.*s) from %s (source %s)",
13807
0
           (int)rb.used, opcode, primary, source);
13808
0
    goto next_primary;
13809
0
  }
13810
13811
  /*
13812
   * Unexpected rcode.
13813
   */
13814
0
  if (msg->rcode != dns_rcode_noerror) {
13815
0
    char rcode[128];
13816
0
    isc_buffer_t rb;
13817
13818
0
    isc_buffer_init(&rb, rcode, sizeof(rcode));
13819
0
    (void)dns_rcode_totext(msg->rcode, &rb);
13820
13821
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
13822
0
        (msg->rcode == dns_rcode_servfail ||
13823
0
         msg->rcode == dns_rcode_notimp ||
13824
0
         (msg->rcode == dns_rcode_formerr && msg->opt == NULL)))
13825
0
    {
13826
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13827
0
             "refresh: rcode (%.*s) retrying without "
13828
0
             "EDNS primary %s (source %s)",
13829
0
             (int)rb.used, rcode, primary, source);
13830
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13831
0
      goto same_primary;
13832
0
    }
13833
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
13834
0
        msg->rcode == dns_rcode_badvers)
13835
0
    {
13836
0
      dns_zone_log(zone, ISC_LOG_DEBUG(1),
13837
0
             "refresh: rcode (%.*s) retrying without "
13838
0
             "EDNS EXPIRE OPTION primary %s "
13839
0
             "(source %s)",
13840
0
             (int)rb.used, rcode, primary, source);
13841
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13842
0
      goto same_primary;
13843
0
    }
13844
0
    dns_zone_log(zone, ISC_LOG_INFO,
13845
0
           "refresh: unexpected rcode (%.*s) from "
13846
0
           "primary %s (source %s)",
13847
0
           (int)rb.used, rcode, primary, source);
13848
    /*
13849
     * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
13850
     */
13851
0
    if (msg->rcode == dns_rcode_refused &&
13852
0
        (zone->type == dns_zone_secondary ||
13853
0
         zone->type == dns_zone_mirror ||
13854
0
         zone->type == dns_zone_redirect))
13855
0
    {
13856
0
      goto tcp_transfer;
13857
0
    }
13858
0
    goto next_primary;
13859
0
  }
13860
13861
  /*
13862
   * If truncated punt to zone transfer which will query again.
13863
   */
13864
0
  if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
13865
0
    if (zone->type == dns_zone_secondary ||
13866
0
        zone->type == dns_zone_mirror ||
13867
0
        zone->type == dns_zone_redirect)
13868
0
    {
13869
0
      dns_zone_log(zone, ISC_LOG_INFO,
13870
0
             "refresh: truncated UDP answer, "
13871
0
             "initiating TCP zone xfer "
13872
0
             "for primary %s (source %s)",
13873
0
             primary, source);
13874
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
13875
0
      goto tcp_transfer;
13876
0
    } else {
13877
0
      INSIST(zone->type == dns_zone_stub);
13878
0
      if (dns_request_usedtcp(request)) {
13879
0
        dns_zone_log(zone, ISC_LOG_INFO,
13880
0
               "refresh: truncated TCP response "
13881
0
               "from primary %s (source %s)",
13882
0
               primary, source);
13883
0
        goto next_primary;
13884
0
      }
13885
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
13886
0
      goto same_primary;
13887
0
    }
13888
0
  }
13889
13890
  /*
13891
   * If non-auth, log and try the next primary
13892
   */
13893
0
  if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
13894
0
    dns_zone_log(zone, ISC_LOG_INFO,
13895
0
           "refresh: non-authoritative answer from "
13896
0
           "primary %s (source %s)",
13897
0
           primary, source);
13898
0
    goto next_primary;
13899
0
  }
13900
13901
0
  cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
13902
0
  soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
13903
0
  nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
13904
0
  soacount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_soa);
13905
13906
  /*
13907
   * There should not be a CNAME record at top of zone.
13908
   */
13909
0
  if (cnamecnt != 0) {
13910
0
    dns_zone_log(zone, ISC_LOG_INFO,
13911
0
           "refresh: CNAME at top of zone "
13912
0
           "in primary %s (source %s)",
13913
0
           primary, source);
13914
0
    goto next_primary;
13915
0
  }
13916
13917
  /*
13918
   * If referral, log and try the next primary;
13919
   */
13920
0
  if (soacnt == 0 && soacount == 0 && nscount != 0) {
13921
0
    dns_zone_log(zone, ISC_LOG_INFO,
13922
0
           "refresh: referral response "
13923
0
           "from primary %s (source %s)",
13924
0
           primary, source);
13925
0
    goto next_primary;
13926
0
  }
13927
13928
  /*
13929
   * If nodata, log and try the next primary;
13930
   */
13931
0
  if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
13932
0
    dns_zone_log(zone, ISC_LOG_INFO,
13933
0
           "refresh: NODATA response "
13934
0
           "from primary %s (source %s)",
13935
0
           primary, source);
13936
0
    goto next_primary;
13937
0
  }
13938
13939
  /*
13940
   * Only one soa at top of zone.
13941
   */
13942
0
  if (soacnt != 1) {
13943
0
    dns_zone_log(zone, ISC_LOG_INFO,
13944
0
           "refresh: answer SOA count (%d) != 1 "
13945
0
           "from primary %s (source %s)",
13946
0
           soacnt, primary, source);
13947
0
    goto next_primary;
13948
0
  }
13949
13950
  /*
13951
   * Extract serial
13952
   */
13953
0
  rdataset = NULL;
13954
0
  result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
13955
0
              dns_rdatatype_soa, dns_rdatatype_none,
13956
0
              NULL, &rdataset);
13957
0
  if (result != ISC_R_SUCCESS) {
13958
0
    dns_zone_log(zone, ISC_LOG_INFO,
13959
0
           "refresh: unable to get SOA record "
13960
0
           "from primary %s (source %s)",
13961
0
           primary, source);
13962
0
    goto next_primary;
13963
0
  }
13964
13965
0
  result = dns_rdataset_first(rdataset);
13966
0
  if (result != ISC_R_SUCCESS) {
13967
0
    dns_zone_log(zone, ISC_LOG_INFO,
13968
0
           "refresh: dns_rdataset_first() failed");
13969
0
    goto next_primary;
13970
0
  }
13971
13972
0
  dns_rdataset_current(rdataset, &rdata);
13973
0
  result = dns_rdata_tostruct(&rdata, &soa, NULL);
13974
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
13975
13976
0
  serial = soa.serial;
13977
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
13978
0
    unsigned int dbsoacount;
13979
0
    result = zone_get_from_db(zone, zone->db, NULL, &dbsoacount,
13980
0
            NULL, &oldserial, NULL, NULL, NULL,
13981
0
            NULL, NULL);
13982
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
13983
0
    RUNTIME_CHECK(dbsoacount > 0U);
13984
0
    zone_debuglog(zone, __func__, 1, "serial: new %u, old %u",
13985
0
            serial, oldserial);
13986
0
  } else {
13987
0
    zone_debuglog(zone, __func__, 1,
13988
0
            "serial: new %u, old not loaded", serial);
13989
0
  }
13990
13991
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
13992
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
13993
0
      isc_serial_gt(serial, oldserial))
13994
0
  {
13995
0
    if (dns_zonemgr_unreachable(zone->zmgr, &curraddr,
13996
0
              &zone->sourceaddr, &now))
13997
0
    {
13998
0
      dns_zone_log(zone, ISC_LOG_INFO,
13999
0
             "refresh: skipping %s as primary %s "
14000
0
             "(source %s) is unreachable (cached)",
14001
0
             (zone->type == dns_zone_secondary ||
14002
0
              zone->type == dns_zone_mirror ||
14003
0
              zone->type == dns_zone_redirect)
14004
0
               ? "zone transfer"
14005
0
               : "NS query",
14006
0
             primary, source);
14007
0
      goto next_primary;
14008
0
    }
14009
0
  tcp_transfer:
14010
0
    dns_request_destroy(&zone->request);
14011
0
    if (zone->type == dns_zone_secondary ||
14012
0
        zone->type == dns_zone_mirror ||
14013
0
        zone->type == dns_zone_redirect)
14014
0
    {
14015
0
      do_queue_xfrin = true;
14016
0
    } else {
14017
0
      INSIST(zone->type == dns_zone_stub);
14018
0
      ns_query(zone, rdataset, NULL);
14019
0
    }
14020
0
    if (msg != NULL) {
14021
0
      dns_message_detach(&msg);
14022
0
    }
14023
0
  } else if (isc_serial_eq(soa.serial, oldserial)) {
14024
0
    isc_time_t expiretime;
14025
0
    uint32_t expire;
14026
14027
    /*
14028
     * Compute the new expire time based on this response.
14029
     */
14030
0
    expire = zone->expire;
14031
0
    get_edns_expire(zone, msg, &expire);
14032
0
    DNS_ZONE_TIME_ADD(&now, expire, &expiretime);
14033
14034
    /*
14035
     * Has the expire time improved?
14036
     */
14037
0
    if (isc_time_compare(&expiretime, &zone->expiretime) > 0) {
14038
0
      zone->expiretime = expiretime;
14039
0
      if (zone->masterfile != NULL) {
14040
0
        setmodtime(zone, &expiretime);
14041
0
      }
14042
0
    }
14043
14044
0
    DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
14045
0
    dns_remote_mark(&zone->primaries, true);
14046
0
    goto next_primary;
14047
0
  } else {
14048
0
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER)) {
14049
0
      dns_zone_log(zone, ISC_LOG_INFO,
14050
0
             "serial number (%u) "
14051
0
             "received from primary %s < ours (%u)",
14052
0
             soa.serial, primary, oldserial);
14053
0
    } else {
14054
0
      zone_debuglog(zone, __func__, 1, "ahead");
14055
0
    }
14056
0
    dns_remote_mark(&zone->primaries, true);
14057
0
    goto next_primary;
14058
0
  }
14059
0
  if (msg != NULL) {
14060
0
    dns_message_detach(&msg);
14061
0
  }
14062
0
  goto detach;
14063
14064
0
next_primary:
14065
0
  if (msg != NULL) {
14066
0
    dns_message_detach(&msg);
14067
0
  }
14068
0
  dns_request_destroy(&zone->request);
14069
  /*
14070
   * Skip to next failed / untried primary.
14071
   */
14072
0
  dns_remote_next(&zone->primaries, true);
14073
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
14074
0
  if (dns_remote_done(&zone->primaries)) {
14075
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
14076
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
14077
0
      DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
14078
0
      zone->refreshtime = now;
14079
0
    }
14080
0
    zone_settimer(zone, &now);
14081
0
    goto detach;
14082
0
  }
14083
14084
0
  queue_soa_query(zone);
14085
0
  goto detach;
14086
14087
0
exiting:
14088
0
  dns_request_destroy(&zone->request);
14089
0
  goto detach;
14090
14091
0
same_primary:
14092
0
  if (msg != NULL) {
14093
0
    dns_message_detach(&msg);
14094
0
  }
14095
0
  dns_request_destroy(&zone->request);
14096
0
  queue_soa_query(zone);
14097
14098
0
detach:
14099
0
  if (do_queue_xfrin) {
14100
    /* Shows in the statistics channel the duration of the step. */
14101
0
    zone->xfrintime = isc_time_now();
14102
0
  }
14103
0
  UNLOCK_ZONE(zone);
14104
0
  if (do_queue_xfrin) {
14105
0
    queue_xfrin(zone);
14106
0
  }
14107
0
  dns_zone_idetach(&zone);
14108
0
  return;
14109
0
}
14110
14111
struct soaquery {
14112
  dns_zone_t *zone;
14113
  isc_rlevent_t *rlevent;
14114
};
14115
14116
static void
14117
0
queue_soa_query(dns_zone_t *zone) {
14118
0
  isc_result_t result;
14119
0
  struct soaquery *sq = NULL;
14120
14121
0
  ENTER;
14122
  /*
14123
   * Locked by caller
14124
   */
14125
0
  REQUIRE(LOCKED_ZONE(zone));
14126
14127
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14128
0
    cancel_refresh(zone);
14129
0
    return;
14130
0
  }
14131
14132
0
  sq = isc_mem_get(zone->mctx, sizeof(*sq));
14133
0
  *sq = (struct soaquery){ .zone = NULL };
14134
14135
  /* Shows in the statistics channel the duration of the current step. */
14136
0
  zone->xfrintime = isc_time_now();
14137
14138
  /*
14139
   * Attach so that we won't clean up until the event is delivered.
14140
   */
14141
0
  zone_iattach(zone, &sq->zone);
14142
0
  result = isc_ratelimiter_enqueue(zone->zmgr->refreshrl, zone->loop,
14143
0
           soa_query, sq, &sq->rlevent);
14144
0
  if (result != ISC_R_SUCCESS) {
14145
0
    zone_idetach(&sq->zone);
14146
0
    isc_mem_put(zone->mctx, sq, sizeof(*sq));
14147
0
    cancel_refresh(zone);
14148
0
  }
14149
0
}
14150
14151
static void
14152
0
soa_query(void *arg) {
14153
0
  struct soaquery *sq = (struct soaquery *)arg;
14154
0
  dns_zone_t *zone = sq->zone;
14155
0
  isc_result_t result = ISC_R_FAILURE;
14156
0
  dns_message_t *message = NULL;
14157
0
  isc_netaddr_t primaryip;
14158
0
  dns_tsigkey_t *key = NULL;
14159
0
  dns_transport_t *transport = NULL;
14160
0
  uint32_t options;
14161
0
  bool cancel = true;
14162
0
  int timeout;
14163
0
  bool have_xfrsource = false, reqnsid, reqexpire;
14164
0
  uint16_t udpsize = SEND_BUFFER_SIZE;
14165
0
  isc_sockaddr_t curraddr, sourceaddr;
14166
0
  bool do_queue_xfrin = false;
14167
14168
0
  REQUIRE(DNS_ZONE_VALID(zone));
14169
14170
0
  ENTER;
14171
14172
0
  LOCK_ZONE(zone);
14173
0
  if (sq->rlevent->canceled || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
14174
0
      zone->view->requestmgr == NULL)
14175
0
  {
14176
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14177
0
      cancel = false;
14178
0
    }
14179
0
    goto cleanup;
14180
0
  }
14181
14182
0
again:
14183
0
  dns_zone_log(
14184
0
    zone, ISC_LOG_DEBUG(3),
14185
0
    "soa_query: remote server current address index %d count %d",
14186
0
    zone->primaries.curraddr, zone->primaries.addrcnt);
14187
0
  INSIST(dns_remote_count(&zone->primaries) > 0);
14188
0
  INSIST(!dns_remote_done(&zone->primaries));
14189
14190
0
  sourceaddr = dns_remote_sourceaddr(&zone->primaries);
14191
0
  curraddr = dns_remote_curraddr(&zone->primaries);
14192
0
  isc_netaddr_fromsockaddr(&primaryip, &curraddr);
14193
14194
0
  if (isc_sockaddr_disabled(&curraddr)) {
14195
0
    goto skip_primary;
14196
0
  }
14197
14198
  /*
14199
   * First, look for a tsig key in the primaries statement, then
14200
   * try for a server key.
14201
   */
14202
0
  if (dns_remote_keyname(&zone->primaries) != NULL) {
14203
0
    dns_view_t *view = dns_zone_getview(zone);
14204
0
    dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
14205
0
    result = dns_view_gettsig(view, keyname, &key);
14206
0
    if (result != ISC_R_SUCCESS) {
14207
0
      char namebuf[DNS_NAME_FORMATSIZE];
14208
0
      dns_name_format(keyname, namebuf, sizeof(namebuf));
14209
0
      dns_zone_log(zone, ISC_LOG_ERROR,
14210
0
             "unable to find key: %s", namebuf);
14211
0
      goto skip_primary;
14212
0
    }
14213
0
  }
14214
0
  if (key == NULL) {
14215
0
    result = dns_view_getpeertsig(zone->view, &primaryip, &key);
14216
0
    if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
14217
0
      char addrbuf[ISC_NETADDR_FORMATSIZE];
14218
0
      isc_netaddr_format(&primaryip, addrbuf,
14219
0
             sizeof(addrbuf));
14220
0
      dns_zone_log(zone, ISC_LOG_ERROR,
14221
0
             "unable to find TSIG key for %s", addrbuf);
14222
0
      goto skip_primary;
14223
0
    }
14224
0
  }
14225
14226
0
  if (dns_remote_tlsname(&zone->primaries) != NULL) {
14227
0
    dns_view_t *view = dns_zone_getview(zone);
14228
0
    dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries);
14229
0
    result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname,
14230
0
                 &transport);
14231
0
    if (result != ISC_R_SUCCESS) {
14232
0
      char namebuf[DNS_NAME_FORMATSIZE];
14233
0
      dns_name_format(tlsname, namebuf, sizeof(namebuf));
14234
0
      dns_zone_log(zone, ISC_LOG_ERROR,
14235
0
             "unable to find TLS configuration: %s",
14236
0
             namebuf);
14237
0
      goto skip_primary;
14238
0
    }
14239
0
  }
14240
14241
0
  options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ? DNS_REQUESTOPT_TCP
14242
0
               : 0;
14243
0
  reqnsid = zone->view->requestnsid;
14244
0
  reqexpire = zone->requestexpire;
14245
0
  if (zone->view->peers != NULL) {
14246
0
    dns_peer_t *peer = NULL;
14247
0
    bool edns, usetcp;
14248
0
    result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip,
14249
0
             &peer);
14250
0
    if (result == ISC_R_SUCCESS) {
14251
0
      result = dns_peer_getsupportedns(peer, &edns);
14252
0
      if (result == ISC_R_SUCCESS && !edns) {
14253
0
        DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14254
0
      }
14255
0
      result = dns_peer_gettransfersource(peer,
14256
0
                  &zone->sourceaddr);
14257
0
      if (result == ISC_R_SUCCESS) {
14258
0
        have_xfrsource = true;
14259
0
      }
14260
0
      udpsize = dns_view_getudpsize(zone->view);
14261
0
      (void)dns_peer_getudpsize(peer, &udpsize);
14262
0
      (void)dns_peer_getrequestnsid(peer, &reqnsid);
14263
0
      (void)dns_peer_getrequestexpire(peer, &reqexpire);
14264
0
      result = dns_peer_getforcetcp(peer, &usetcp);
14265
0
      if (result == ISC_R_SUCCESS && usetcp) {
14266
0
        options |= DNS_REQUESTOPT_TCP;
14267
0
      }
14268
0
    }
14269
0
  }
14270
14271
0
  switch (isc_sockaddr_pf(&curraddr)) {
14272
0
  case PF_INET:
14273
0
    if (!have_xfrsource) {
14274
0
      isc_sockaddr_t any;
14275
0
      isc_sockaddr_any(&any);
14276
14277
0
      zone->sourceaddr = sourceaddr;
14278
0
      if (isc_sockaddr_equal(&sourceaddr, &any)) {
14279
0
        zone->sourceaddr = zone->xfrsource4;
14280
0
      }
14281
0
    }
14282
0
    break;
14283
0
  case PF_INET6:
14284
0
    if (!have_xfrsource) {
14285
0
      isc_sockaddr_t any;
14286
0
      isc_sockaddr_any6(&any);
14287
14288
0
      zone->sourceaddr = sourceaddr;
14289
0
      if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14290
0
        zone->sourceaddr = zone->xfrsource6;
14291
0
      }
14292
0
    }
14293
0
    break;
14294
0
  default:
14295
0
    result = ISC_R_NOTIMPLEMENTED;
14296
0
    goto cleanup;
14297
0
  }
14298
14299
  /*
14300
   * FIXME(OS): This is a bit hackish, but it enforces the SOA query to go
14301
   * through the XFR channel instead of doing dns_request that doesn't
14302
   * have DoT support yet.
14303
   */
14304
0
  if (transport != NULL) {
14305
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
14306
0
    do_queue_xfrin = true;
14307
0
    cancel = false;
14308
0
    result = ISC_R_SUCCESS;
14309
0
    goto cleanup;
14310
0
  }
14311
14312
0
  create_query(zone, dns_rdatatype_soa, &zone->origin, &message);
14313
14314
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
14315
0
    result = add_opt(message, udpsize, reqnsid, reqexpire);
14316
0
    if (result != ISC_R_SUCCESS) {
14317
0
      zone_debuglog(zone, __func__, 1,
14318
0
              "unable to add opt record: %s",
14319
0
              isc_result_totext(result));
14320
0
    }
14321
0
  }
14322
14323
0
  zone_iattach(zone, &(dns_zone_t *){ NULL });
14324
0
  timeout = 5;
14325
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
14326
0
    timeout = 30;
14327
0
  }
14328
0
  result = dns_request_create(
14329
0
    zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
14330
0
    NULL, NULL, options, key, timeout * 3 + 1, timeout, 2,
14331
0
    zone->loop, refresh_callback, zone, &zone->request);
14332
0
  if (result != ISC_R_SUCCESS) {
14333
0
    zone_idetach(&(dns_zone_t *){ zone });
14334
0
    zone_debuglog(zone, __func__, 1,
14335
0
            "dns_request_create() failed: %s",
14336
0
            isc_result_totext(result));
14337
0
    goto skip_primary;
14338
0
  } else {
14339
    /* Shows in the statistics channel the duration of the query. */
14340
0
    zone->xfrintime = isc_time_now();
14341
14342
0
    if (isc_sockaddr_pf(&curraddr) == PF_INET) {
14343
0
      inc_stats(zone, dns_zonestatscounter_soaoutv4);
14344
0
    } else {
14345
0
      inc_stats(zone, dns_zonestatscounter_soaoutv6);
14346
0
    }
14347
0
  }
14348
0
  cancel = false;
14349
0
cleanup:
14350
0
  if (transport != NULL) {
14351
0
    dns_transport_detach(&transport);
14352
0
  }
14353
0
  if (key != NULL) {
14354
0
    dns_tsigkey_detach(&key);
14355
0
  }
14356
0
  if (result != ISC_R_SUCCESS) {
14357
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
14358
0
  }
14359
0
  if (message != NULL) {
14360
0
    dns_message_detach(&message);
14361
0
  }
14362
0
  if (cancel) {
14363
0
    cancel_refresh(zone);
14364
0
  }
14365
0
  if (do_queue_xfrin) {
14366
    /* Shows in the statistics channel the duration of the step. */
14367
0
    zone->xfrintime = isc_time_now();
14368
0
  }
14369
0
  UNLOCK_ZONE(zone);
14370
0
  if (do_queue_xfrin) {
14371
0
    queue_xfrin(zone);
14372
0
  }
14373
0
  isc_rlevent_free(&sq->rlevent);
14374
0
  isc_mem_put(zone->mctx, sq, sizeof(*sq));
14375
0
  dns_zone_idetach(&zone);
14376
0
  return;
14377
14378
0
skip_primary:
14379
0
  if (transport != NULL) {
14380
0
    dns_transport_detach(&transport);
14381
0
  }
14382
0
  if (key != NULL) {
14383
0
    dns_tsigkey_detach(&key);
14384
0
  }
14385
0
  if (message != NULL) {
14386
0
    dns_message_detach(&message);
14387
0
  }
14388
  /*
14389
   * Skip to next failed / untried primary.
14390
   */
14391
0
  dns_remote_next(&zone->primaries, true);
14392
0
  if (!dns_remote_done(&zone->primaries)) {
14393
0
    goto again;
14394
0
  }
14395
0
  dns_remote_reset(&zone->primaries, false);
14396
0
  goto cleanup;
14397
0
}
14398
14399
static void
14400
0
ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
14401
0
  isc_result_t result;
14402
0
  dns_message_t *message = NULL;
14403
0
  isc_netaddr_t primaryip;
14404
0
  dns_tsigkey_t *key = NULL;
14405
0
  dns_dbnode_t *node = NULL;
14406
0
  int timeout;
14407
0
  bool have_xfrsource = false;
14408
0
  bool reqnsid;
14409
0
  uint16_t udpsize = SEND_BUFFER_SIZE;
14410
0
  isc_sockaddr_t curraddr, sourceaddr;
14411
0
  struct stub_cb_args *cb_args;
14412
14413
0
  REQUIRE(DNS_ZONE_VALID(zone));
14414
0
  REQUIRE(LOCKED_ZONE(zone));
14415
0
  REQUIRE((soardataset != NULL && stub == NULL) ||
14416
0
    (soardataset == NULL && stub != NULL));
14417
0
  REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
14418
14419
0
  ENTER;
14420
14421
0
  if (stub == NULL) {
14422
0
    stub = isc_mem_get(zone->mctx, sizeof(*stub));
14423
0
    stub->magic = STUB_MAGIC;
14424
0
    stub->mctx = zone->mctx;
14425
0
    stub->zone = NULL;
14426
0
    stub->db = NULL;
14427
0
    stub->version = NULL;
14428
0
    atomic_init(&stub->pending_requests, 0);
14429
14430
    /*
14431
     * Attach so that the zone won't disappear from under us.
14432
     */
14433
0
    zone_iattach(zone, &stub->zone);
14434
14435
    /*
14436
     * If a db exists we will update it, otherwise we create a
14437
     * new one and attach it to the zone once we have the NS
14438
     * RRset and glue.
14439
     */
14440
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
14441
0
    if (zone->db != NULL) {
14442
0
      dns_db_attach(zone->db, &stub->db);
14443
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
14444
0
    } else {
14445
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
14446
14447
0
      INSIST(zone->db_argc >= 1);
14448
0
      result = dns_db_create(zone->mctx, zone->db_argv[0],
14449
0
                 &zone->origin, dns_dbtype_stub,
14450
0
                 zone->rdclass, zone->db_argc - 1,
14451
0
                 zone->db_argv + 1, &stub->db);
14452
0
      if (result != ISC_R_SUCCESS) {
14453
0
        dns_zone_log(zone, ISC_LOG_ERROR,
14454
0
               "refreshing stub: "
14455
0
               "could not create "
14456
0
               "database: %s",
14457
0
               isc_result_totext(result));
14458
0
        goto cleanup;
14459
0
      }
14460
0
      dns_db_setloop(stub->db, zone->loop);
14461
0
    }
14462
14463
0
    result = dns_db_newversion(stub->db, &stub->version);
14464
0
    if (result != ISC_R_SUCCESS) {
14465
0
      dns_zone_log(zone, ISC_LOG_INFO,
14466
0
             "refreshing stub: "
14467
0
             "dns_db_newversion() failed: %s",
14468
0
             isc_result_totext(result));
14469
0
      goto cleanup;
14470
0
    }
14471
14472
    /*
14473
     * Update SOA record.
14474
     */
14475
0
    result = dns_db_findnode(stub->db, &zone->origin, true, &node);
14476
0
    if (result != ISC_R_SUCCESS) {
14477
0
      dns_zone_log(zone, ISC_LOG_INFO,
14478
0
             "refreshing stub: "
14479
0
             "dns_db_findnode() failed: %s",
14480
0
             isc_result_totext(result));
14481
0
      goto cleanup;
14482
0
    }
14483
14484
0
    result = dns_db_addrdataset(stub->db, node, stub->version, 0,
14485
0
              soardataset, 0, NULL);
14486
0
    dns_db_detachnode(stub->db, &node);
14487
0
    if (result != ISC_R_SUCCESS) {
14488
0
      dns_zone_log(zone, ISC_LOG_INFO,
14489
0
             "refreshing stub: "
14490
0
             "dns_db_addrdataset() failed: %s",
14491
0
             isc_result_totext(result));
14492
0
      goto cleanup;
14493
0
    }
14494
0
  }
14495
14496
  /*
14497
   * XXX Optimisation: Create message when zone is setup and reuse.
14498
   */
14499
0
  create_query(zone, dns_rdatatype_ns, &zone->origin, &message);
14500
14501
0
  INSIST(dns_remote_count(&zone->primaries) > 0);
14502
0
  INSIST(!dns_remote_done(&zone->primaries));
14503
14504
0
  sourceaddr = dns_remote_sourceaddr(&zone->primaries);
14505
0
  curraddr = dns_remote_curraddr(&zone->primaries);
14506
0
  isc_netaddr_fromsockaddr(&primaryip, &curraddr);
14507
  /*
14508
   * First, look for a tsig key in the primaries statement, then
14509
   * try for a server key.
14510
   */
14511
0
  if (dns_remote_keyname(&zone->primaries) != NULL) {
14512
0
    dns_view_t *view = dns_zone_getview(zone);
14513
0
    dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
14514
0
    result = dns_view_gettsig(view, keyname, &key);
14515
0
    if (result != ISC_R_SUCCESS) {
14516
0
      char namebuf[DNS_NAME_FORMATSIZE];
14517
0
      dns_name_format(keyname, namebuf, sizeof(namebuf));
14518
0
      dns_zone_log(zone, ISC_LOG_ERROR,
14519
0
             "unable to find key: %s", namebuf);
14520
0
    }
14521
0
  }
14522
0
  if (key == NULL) {
14523
0
    (void)dns_view_getpeertsig(zone->view, &primaryip, &key);
14524
0
  }
14525
14526
  /* FIXME(OS): Do we need the transport here too? Most probably yes */
14527
14528
0
  reqnsid = zone->view->requestnsid;
14529
0
  if (zone->view->peers != NULL) {
14530
0
    dns_peer_t *peer = NULL;
14531
0
    bool edns;
14532
0
    result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip,
14533
0
             &peer);
14534
0
    if (result == ISC_R_SUCCESS) {
14535
0
      result = dns_peer_getsupportedns(peer, &edns);
14536
0
      if (result == ISC_R_SUCCESS && !edns) {
14537
0
        DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14538
0
      }
14539
0
      result = dns_peer_gettransfersource(peer,
14540
0
                  &zone->sourceaddr);
14541
0
      if (result == ISC_R_SUCCESS) {
14542
0
        have_xfrsource = true;
14543
0
      }
14544
0
      udpsize = dns_view_getudpsize(zone->view);
14545
0
      (void)dns_peer_getudpsize(peer, &udpsize);
14546
0
      (void)dns_peer_getrequestnsid(peer, &reqnsid);
14547
0
    }
14548
0
  }
14549
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
14550
0
    result = add_opt(message, udpsize, reqnsid, false);
14551
0
    if (result != ISC_R_SUCCESS) {
14552
0
      zone_debuglog(zone, __func__, 1,
14553
0
              "unable to add opt record: %s",
14554
0
              isc_result_totext(result));
14555
0
    }
14556
0
  }
14557
14558
  /*
14559
   * Always use TCP so that we shouldn't truncate in additional section.
14560
   */
14561
0
  switch (isc_sockaddr_pf(&curraddr)) {
14562
0
  case PF_INET:
14563
0
    if (!have_xfrsource) {
14564
0
      isc_sockaddr_t any;
14565
0
      isc_sockaddr_any(&any);
14566
14567
0
      zone->sourceaddr = sourceaddr;
14568
0
      if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14569
0
        zone->sourceaddr = zone->xfrsource4;
14570
0
      }
14571
0
    }
14572
0
    break;
14573
0
  case PF_INET6:
14574
0
    if (!have_xfrsource) {
14575
0
      isc_sockaddr_t any;
14576
0
      isc_sockaddr_any6(&any);
14577
14578
0
      zone->sourceaddr = sourceaddr;
14579
0
      if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14580
0
        zone->sourceaddr = zone->xfrsource6;
14581
0
      }
14582
0
    }
14583
0
    break;
14584
0
  default:
14585
0
    result = ISC_R_NOTIMPLEMENTED;
14586
0
    POST(result);
14587
0
    goto cleanup;
14588
0
  }
14589
0
  timeout = 5;
14590
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
14591
0
    timeout = 30;
14592
0
  }
14593
14594
  /*
14595
   * Save request parameters so we can reuse them later on
14596
   * for resolving missing glue A/AAAA records.
14597
   */
14598
0
  cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
14599
0
  cb_args->stub = stub;
14600
0
  cb_args->tsig_key = key;
14601
0
  cb_args->udpsize = udpsize;
14602
0
  cb_args->timeout = timeout;
14603
0
  cb_args->reqnsid = reqnsid;
14604
14605
0
  result = dns_request_create(
14606
0
    zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
14607
0
    NULL, NULL, DNS_REQUESTOPT_TCP, key, timeout * 3 + 1, timeout,
14608
0
    2, zone->loop, stub_callback, cb_args, &zone->request);
14609
0
  if (result != ISC_R_SUCCESS) {
14610
0
    zone_debuglog(zone, __func__, 1,
14611
0
            "dns_request_create() failed: %s",
14612
0
            isc_result_totext(result));
14613
0
    goto cleanup;
14614
0
  }
14615
0
  dns_message_detach(&message);
14616
0
  goto unlock;
14617
14618
0
cleanup:
14619
0
  cancel_refresh(zone);
14620
0
  stub->magic = 0;
14621
0
  if (stub->version != NULL) {
14622
0
    dns_db_closeversion(stub->db, &stub->version, false);
14623
0
  }
14624
0
  if (stub->db != NULL) {
14625
0
    dns_db_detach(&stub->db);
14626
0
  }
14627
0
  if (stub->zone != NULL) {
14628
0
    zone_idetach(&stub->zone);
14629
0
  }
14630
0
  isc_mem_put(stub->mctx, stub, sizeof(*stub));
14631
0
  if (message != NULL) {
14632
0
    dns_message_detach(&message);
14633
0
  }
14634
0
unlock:
14635
0
  if (key != NULL) {
14636
0
    dns_tsigkey_detach(&key);
14637
0
  }
14638
0
  return;
14639
0
}
14640
14641
/*
14642
 * Shut the zone down.
14643
 */
14644
static void
14645
0
zone_shutdown(void *arg) {
14646
0
  dns_zone_t *zone = (dns_zone_t *)arg;
14647
0
  bool free_needed, linked = false;
14648
0
  dns_zone_t *raw = NULL, *secure = NULL;
14649
0
  dns_view_t *view = NULL, *prev_view = NULL;
14650
14651
0
  REQUIRE(DNS_ZONE_VALID(zone));
14652
0
  INSIST(isc_refcount_current(&zone->references) == 0);
14653
14654
0
  zone_debuglog(zone, __func__, 3, "shutting down");
14655
14656
  /*
14657
   * If we were waiting for xfrin quota, step out of
14658
   * the queue.
14659
   * If there's no zone manager, we can't be waiting for the
14660
   * xfrin quota
14661
   */
14662
0
  if (zone->zmgr != NULL) {
14663
0
    RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
14664
0
    if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
14665
0
      ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
14666
0
          statelink);
14667
0
      linked = true;
14668
0
      zone->statelist = NULL;
14669
0
    }
14670
0
    if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
14671
0
      ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone,
14672
0
          statelink);
14673
0
      zone->statelist = NULL;
14674
0
      zmgr_resume_xfrs(zone->zmgr, false);
14675
0
    }
14676
0
    RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
14677
0
  }
14678
14679
  /*
14680
   * In loop context, no locking required.  See zone_xfrdone().
14681
   */
14682
0
  if (zone->xfr != NULL) {
14683
    /* The final detach will happen in zone_xfrdone() */
14684
0
    dns_xfrin_shutdown(zone->xfr);
14685
0
  }
14686
14687
  /* Safe to release the zone now */
14688
0
  if (zone->zmgr != NULL) {
14689
0
    dns_zonemgr_releasezone(zone->zmgr, zone);
14690
0
  }
14691
14692
0
  LOCK_ZONE(zone);
14693
0
  INSIST(zone != zone->raw);
14694
14695
  /*
14696
   * Detach the views early, we don't need them anymore.  However, we need
14697
   * to detach them outside of the zone lock to break the lock loop
14698
   * between view, adb and zone locks.
14699
   */
14700
0
  view = zone->view;
14701
0
  zone->view = NULL;
14702
0
  prev_view = zone->prev_view;
14703
0
  zone->prev_view = NULL;
14704
14705
0
  if (linked) {
14706
0
    isc_refcount_decrement(&zone->irefs);
14707
0
  }
14708
0
  if (zone->request != NULL) {
14709
0
    dns_request_cancel(zone->request);
14710
0
  }
14711
14712
0
  if (zone->loadctx != NULL) {
14713
0
    dns_loadctx_cancel(zone->loadctx);
14714
0
  }
14715
14716
0
  if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
14717
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
14718
0
  {
14719
0
    if (zone->dumpctx != NULL) {
14720
0
      dns_dumpctx_cancel(zone->dumpctx);
14721
0
    }
14722
0
  }
14723
14724
0
  checkds_cancel(zone);
14725
14726
0
  notify_cancel(zone);
14727
14728
0
  forward_cancel(zone);
14729
14730
0
  if (zone->timer != NULL) {
14731
0
    isc_refcount_decrement(&zone->irefs);
14732
0
    isc_timer_destroy(&zone->timer);
14733
0
  }
14734
14735
  /*
14736
   * We have now canceled everything set the flag to allow exit_check()
14737
   * to succeed.  We must not unlock between setting this flag and
14738
   * calling exit_check().
14739
   */
14740
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
14741
0
  free_needed = exit_check(zone);
14742
  /*
14743
   * If a dump is in progress for the secure zone, defer detaching from
14744
   * the raw zone as it may prevent the unsigned serial number from being
14745
   * stored in the raw-format dump of the secure zone.  In this scenario,
14746
   * dump_done() takes care of cleaning up the zone->raw reference.
14747
   */
14748
0
  if (inline_secure(zone) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
14749
0
    raw = zone->raw;
14750
0
    zone->raw = NULL;
14751
0
  }
14752
0
  if (inline_raw(zone)) {
14753
0
    secure = zone->secure;
14754
0
    zone->secure = NULL;
14755
0
  }
14756
0
  UNLOCK_ZONE(zone);
14757
14758
0
  if (view != NULL) {
14759
0
    dns_view_weakdetach(&view);
14760
0
  }
14761
0
  if (prev_view != NULL) {
14762
0
    dns_view_weakdetach(&prev_view);
14763
0
  }
14764
14765
0
  if (raw != NULL) {
14766
0
    dns_zone_detach(&raw);
14767
0
  }
14768
0
  if (secure != NULL) {
14769
0
    dns_zone_idetach(&secure);
14770
0
  }
14771
0
  if (free_needed) {
14772
0
    zone_free(zone);
14773
0
  }
14774
0
}
14775
14776
static void
14777
0
zone_timer(void *arg) {
14778
0
  dns_zone_t *zone = (dns_zone_t *)arg;
14779
14780
0
  REQUIRE(DNS_ZONE_VALID(zone));
14781
14782
0
  zone_maintenance(zone);
14783
0
}
14784
14785
static void
14786
0
zone_timer_stop(dns_zone_t *zone) {
14787
0
  zone_debuglog(zone, __func__, 10, "stop zone timer");
14788
0
  if (zone->timer != NULL) {
14789
0
    isc_timer_stop(zone->timer);
14790
0
  }
14791
0
}
14792
14793
static void
14794
0
zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now) {
14795
0
  isc_interval_t interval;
14796
14797
0
  if (isc_time_compare(next, now) <= 0) {
14798
0
    isc_interval_set(&interval, 0, 0);
14799
0
  } else {
14800
0
    isc_time_subtract(next, now, &interval);
14801
0
  }
14802
14803
0
  if (zone->loop == NULL) {
14804
0
    zone_debuglog(zone, __func__, 10, "zone is not managed");
14805
0
  } else if (zone->timer == NULL) {
14806
0
    isc_refcount_increment0(&zone->irefs);
14807
0
    isc_timer_create(zone->loop, zone_timer, zone, &zone->timer);
14808
0
  }
14809
0
  if (zone->timer != NULL) {
14810
0
    isc_timer_start(zone->timer, isc_timertype_once, &interval);
14811
0
  }
14812
0
}
14813
14814
static void
14815
0
zone__settimer(void *arg) {
14816
0
  zone_settimer_t *data = arg;
14817
0
  dns_zone_t *zone = data->zone;
14818
0
  isc_time_t *now = &data->now;
14819
0
  isc_time_t next;
14820
0
  bool free_needed = false;
14821
14822
0
  REQUIRE(DNS_ZONE_VALID(zone));
14823
0
  ENTER;
14824
14825
0
  LOCK_ZONE(zone);
14826
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14827
0
    goto free;
14828
0
  }
14829
0
  isc_time_settoepoch(&next);
14830
14831
0
  switch (zone->type) {
14832
0
  case dns_zone_redirect:
14833
0
    if (dns_remote_addresses(&zone->primaries) != NULL) {
14834
0
      goto treat_as_secondary;
14835
0
    }
14836
0
    FALLTHROUGH;
14837
0
  case dns_zone_primary:
14838
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
14839
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
14840
0
    {
14841
0
      next = zone->notifytime;
14842
0
    }
14843
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
14844
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
14845
0
    {
14846
0
      INSIST(!isc_time_isepoch(&zone->dumptime));
14847
0
      if (isc_time_isepoch(&next) ||
14848
0
          isc_time_compare(&zone->dumptime, &next) < 0)
14849
0
      {
14850
0
        next = zone->dumptime;
14851
0
      }
14852
0
    }
14853
0
    if (zone->type == dns_zone_redirect) {
14854
0
      break;
14855
0
    }
14856
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
14857
0
        !isc_time_isepoch(&zone->refreshkeytime))
14858
0
    {
14859
0
      if (isc_time_isepoch(&next) ||
14860
0
          isc_time_compare(&zone->refreshkeytime, &next) < 0)
14861
0
      {
14862
0
        next = zone->refreshkeytime;
14863
0
      }
14864
0
    }
14865
0
    if (!isc_time_isepoch(&zone->resigntime)) {
14866
0
      if (isc_time_isepoch(&next) ||
14867
0
          isc_time_compare(&zone->resigntime, &next) < 0)
14868
0
      {
14869
0
        next = zone->resigntime;
14870
0
      }
14871
0
    }
14872
0
    if (!isc_time_isepoch(&zone->keywarntime)) {
14873
0
      if (isc_time_isepoch(&next) ||
14874
0
          isc_time_compare(&zone->keywarntime, &next) < 0)
14875
0
      {
14876
0
        next = zone->keywarntime;
14877
0
      }
14878
0
    }
14879
0
    if (!isc_time_isepoch(&zone->signingtime)) {
14880
0
      if (isc_time_isepoch(&next) ||
14881
0
          isc_time_compare(&zone->signingtime, &next) < 0)
14882
0
      {
14883
0
        next = zone->signingtime;
14884
0
      }
14885
0
    }
14886
0
    if (!isc_time_isepoch(&zone->nsec3chaintime)) {
14887
0
      if (isc_time_isepoch(&next) ||
14888
0
          isc_time_compare(&zone->nsec3chaintime, &next) < 0)
14889
0
      {
14890
0
        next = zone->nsec3chaintime;
14891
0
      }
14892
0
    }
14893
0
    break;
14894
14895
0
  case dns_zone_secondary:
14896
0
  case dns_zone_mirror:
14897
0
  treat_as_secondary:
14898
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
14899
0
        DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
14900
0
    {
14901
0
      next = zone->notifytime;
14902
0
    }
14903
0
    FALLTHROUGH;
14904
0
  case dns_zone_stub:
14905
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
14906
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOPRIMARIES) &&
14907
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
14908
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING) &&
14909
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) &&
14910
0
        !isc_time_isepoch(&zone->refreshtime) &&
14911
0
        (isc_time_isepoch(&next) ||
14912
0
         isc_time_compare(&zone->refreshtime, &next) < 0))
14913
0
    {
14914
0
      next = zone->refreshtime;
14915
0
    }
14916
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
14917
0
        !isc_time_isepoch(&zone->expiretime))
14918
0
    {
14919
0
      if (isc_time_isepoch(&next) ||
14920
0
          isc_time_compare(&zone->expiretime, &next) < 0)
14921
0
      {
14922
0
        next = zone->expiretime;
14923
0
      }
14924
0
    }
14925
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
14926
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
14927
0
    {
14928
0
      INSIST(!isc_time_isepoch(&zone->dumptime));
14929
0
      if (isc_time_isepoch(&next) ||
14930
0
          isc_time_compare(&zone->dumptime, &next) < 0)
14931
0
      {
14932
0
        next = zone->dumptime;
14933
0
      }
14934
0
    }
14935
0
    break;
14936
14937
0
  case dns_zone_key:
14938
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
14939
0
        !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
14940
0
    {
14941
0
      INSIST(!isc_time_isepoch(&zone->dumptime));
14942
0
      if (isc_time_isepoch(&next) ||
14943
0
          isc_time_compare(&zone->dumptime, &next) < 0)
14944
0
      {
14945
0
        next = zone->dumptime;
14946
0
      }
14947
0
    }
14948
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
14949
0
      if (isc_time_isepoch(&next) ||
14950
0
          (!isc_time_isepoch(&zone->refreshkeytime) &&
14951
0
           isc_time_compare(&zone->refreshkeytime, &next) <
14952
0
             0))
14953
0
      {
14954
0
        next = zone->refreshkeytime;
14955
0
      }
14956
0
    }
14957
0
    break;
14958
14959
0
  default:
14960
0
    break;
14961
0
  }
14962
14963
0
  if (isc_time_isepoch(&next)) {
14964
0
    zone_timer_stop(zone);
14965
0
  } else {
14966
0
    zone_timer_set(zone, &next, now);
14967
0
  }
14968
14969
0
free:
14970
0
  isc_mem_put(zone->mctx, data, sizeof(*data));
14971
0
  isc_refcount_decrement(&zone->irefs);
14972
0
  free_needed = exit_check(zone);
14973
0
  UNLOCK_ZONE(zone);
14974
0
  if (free_needed) {
14975
0
    zone_free(zone);
14976
0
  }
14977
0
}
14978
14979
static void
14980
0
zone_settimer(dns_zone_t *zone, isc_time_t *now) {
14981
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14982
0
    return;
14983
0
  }
14984
14985
0
  zone_settimer_t *arg = isc_mem_get(zone->mctx, sizeof(*arg));
14986
0
  *arg = (zone_settimer_t){
14987
0
    .zone = zone,
14988
0
    .now = *now,
14989
0
  };
14990
0
  isc_refcount_increment0(&zone->irefs);
14991
0
  isc_async_run(zone->loop, zone__settimer, arg);
14992
0
}
14993
14994
static void
14995
0
cancel_refresh(dns_zone_t *zone) {
14996
0
  isc_time_t now;
14997
14998
  /*
14999
   * 'zone' locked by caller.
15000
   */
15001
15002
0
  REQUIRE(DNS_ZONE_VALID(zone));
15003
0
  REQUIRE(LOCKED_ZONE(zone));
15004
15005
0
  ENTER;
15006
15007
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
15008
0
  now = isc_time_now();
15009
0
  zone_settimer(zone, &now);
15010
0
}
15011
15012
static isc_result_t
15013
notify_createmessage(dns_zone_t *zone, unsigned int flags,
15014
0
         dns_message_t **messagep) {
15015
0
  dns_db_t *zonedb = NULL;
15016
0
  dns_dbnode_t *node = NULL;
15017
0
  dns_dbversion_t *version = NULL;
15018
0
  dns_message_t *message = NULL;
15019
0
  dns_rdataset_t rdataset;
15020
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
15021
15022
0
  dns_name_t *tempname = NULL;
15023
0
  dns_rdata_t *temprdata = NULL;
15024
0
  dns_rdatalist_t *temprdatalist = NULL;
15025
0
  dns_rdataset_t *temprdataset = NULL;
15026
15027
0
  isc_result_t result;
15028
0
  isc_region_t r;
15029
0
  isc_buffer_t *b = NULL;
15030
15031
0
  REQUIRE(DNS_ZONE_VALID(zone));
15032
0
  REQUIRE(messagep != NULL && *messagep == NULL);
15033
15034
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
15035
0
         &message);
15036
15037
0
  message->opcode = dns_opcode_notify;
15038
0
  message->flags |= DNS_MESSAGEFLAG_AA;
15039
0
  message->rdclass = zone->rdclass;
15040
15041
0
  dns_message_gettempname(message, &tempname);
15042
15043
0
  dns_message_gettemprdataset(message, &temprdataset);
15044
15045
  /*
15046
   * Make question.
15047
   */
15048
0
  dns_name_clone(&zone->origin, tempname);
15049
0
  dns_rdataset_makequestion(temprdataset, zone->rdclass,
15050
0
          dns_rdatatype_soa);
15051
0
  ISC_LIST_APPEND(tempname->list, temprdataset, link);
15052
0
  dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
15053
0
  tempname = NULL;
15054
0
  temprdataset = NULL;
15055
15056
0
  if ((flags & DNS_NOTIFY_NOSOA) != 0) {
15057
0
    goto done;
15058
0
  }
15059
15060
0
  dns_message_gettempname(message, &tempname);
15061
0
  dns_message_gettemprdata(message, &temprdata);
15062
0
  dns_message_gettemprdataset(message, &temprdataset);
15063
0
  dns_message_gettemprdatalist(message, &temprdatalist);
15064
15065
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
15066
0
  INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
15067
0
  dns_db_attach(zone->db, &zonedb);
15068
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
15069
15070
0
  dns_name_clone(&zone->origin, tempname);
15071
0
  dns_db_currentversion(zonedb, &version);
15072
0
  result = dns_db_findnode(zonedb, tempname, false, &node);
15073
0
  if (result != ISC_R_SUCCESS) {
15074
0
    goto soa_cleanup;
15075
0
  }
15076
15077
0
  dns_rdataset_init(&rdataset);
15078
0
  result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
15079
0
             dns_rdatatype_none, 0, &rdataset, NULL);
15080
0
  if (result != ISC_R_SUCCESS) {
15081
0
    goto soa_cleanup;
15082
0
  }
15083
0
  result = dns_rdataset_first(&rdataset);
15084
0
  if (result != ISC_R_SUCCESS) {
15085
0
    goto soa_cleanup;
15086
0
  }
15087
0
  dns_rdataset_current(&rdataset, &rdata);
15088
0
  dns_rdata_toregion(&rdata, &r);
15089
0
  isc_buffer_allocate(zone->mctx, &b, r.length);
15090
0
  isc_buffer_putmem(b, r.base, r.length);
15091
0
  isc_buffer_usedregion(b, &r);
15092
0
  dns_rdata_init(temprdata);
15093
0
  dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
15094
0
  dns_message_takebuffer(message, &b);
15095
0
  result = dns_rdataset_next(&rdataset);
15096
0
  dns_rdataset_disassociate(&rdataset);
15097
0
  if (result != ISC_R_NOMORE) {
15098
0
    goto soa_cleanup;
15099
0
  }
15100
0
  temprdatalist->rdclass = rdata.rdclass;
15101
0
  temprdatalist->type = rdata.type;
15102
0
  temprdatalist->ttl = rdataset.ttl;
15103
0
  ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
15104
15105
0
  dns_rdatalist_tordataset(temprdatalist, temprdataset);
15106
15107
0
  ISC_LIST_APPEND(tempname->list, temprdataset, link);
15108
0
  dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
15109
0
  temprdatalist = NULL;
15110
0
  temprdataset = NULL;
15111
0
  temprdata = NULL;
15112
0
  tempname = NULL;
15113
15114
0
soa_cleanup:
15115
0
  if (node != NULL) {
15116
0
    dns_db_detachnode(zonedb, &node);
15117
0
  }
15118
0
  if (version != NULL) {
15119
0
    dns_db_closeversion(zonedb, &version, false);
15120
0
  }
15121
0
  if (zonedb != NULL) {
15122
0
    dns_db_detach(&zonedb);
15123
0
  }
15124
0
  if (tempname != NULL) {
15125
0
    dns_message_puttempname(message, &tempname);
15126
0
  }
15127
0
  if (temprdata != NULL) {
15128
0
    dns_message_puttemprdata(message, &temprdata);
15129
0
  }
15130
0
  if (temprdataset != NULL) {
15131
0
    dns_message_puttemprdataset(message, &temprdataset);
15132
0
  }
15133
0
  if (temprdatalist != NULL) {
15134
0
    dns_message_puttemprdatalist(message, &temprdatalist);
15135
0
  }
15136
15137
0
done:
15138
0
  *messagep = message;
15139
0
  return (ISC_R_SUCCESS);
15140
0
}
15141
15142
isc_result_t
15143
dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
15144
0
           isc_sockaddr_t *to, dns_message_t *msg) {
15145
0
  unsigned int i;
15146
0
  dns_rdata_soa_t soa;
15147
0
  dns_rdataset_t *rdataset = NULL;
15148
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
15149
0
  isc_result_t result;
15150
0
  char fromtext[ISC_SOCKADDR_FORMATSIZE];
15151
0
  int match = 0;
15152
0
  isc_netaddr_t netaddr;
15153
0
  uint32_t serial = 0;
15154
0
  bool have_serial = false;
15155
0
  dns_tsigkey_t *tsigkey;
15156
0
  const dns_name_t *tsig;
15157
15158
0
  REQUIRE(DNS_ZONE_VALID(zone));
15159
15160
  /*
15161
   * If type != T_SOA return DNS_R_NOTIMP.  We don't yet support
15162
   * ROLLOVER.
15163
   *
15164
   * SOA: RFC1996
15165
   * Check that 'from' is a valid notify source, (zone->primaries).
15166
   *  Return DNS_R_REFUSED if not.
15167
   *
15168
   * If the notify message contains a serial number check it
15169
   * against the zones serial and return if <= current serial
15170
   *
15171
   * If a refresh check is progress, if so just record the
15172
   * fact we received a NOTIFY and from where and return.
15173
   * We will perform a new refresh check when the current one
15174
   * completes. Return ISC_R_SUCCESS.
15175
   *
15176
   * Otherwise initiate a refresh check using 'from' as the
15177
   * first address to check.  Return ISC_R_SUCCESS.
15178
   */
15179
15180
0
  isc_sockaddr_format(from, fromtext, sizeof(fromtext));
15181
15182
  /*
15183
   * Notify messages are processed by the raw zone.
15184
   */
15185
0
  LOCK_ZONE(zone);
15186
0
  INSIST(zone != zone->raw);
15187
0
  if (inline_secure(zone)) {
15188
0
    result = dns_zone_notifyreceive(zone->raw, from, to, msg);
15189
0
    UNLOCK_ZONE(zone);
15190
0
    return (result);
15191
0
  }
15192
  /*
15193
   *  We only handle NOTIFY (SOA) at the present.
15194
   */
15195
0
  if (isc_sockaddr_pf(from) == PF_INET) {
15196
0
    inc_stats(zone, dns_zonestatscounter_notifyinv4);
15197
0
  } else {
15198
0
    inc_stats(zone, dns_zonestatscounter_notifyinv6);
15199
0
  }
15200
0
  if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
15201
0
      dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
15202
0
         dns_rdatatype_soa, dns_rdatatype_none, NULL,
15203
0
         NULL) != ISC_R_SUCCESS)
15204
0
  {
15205
0
    UNLOCK_ZONE(zone);
15206
0
    if (msg->counts[DNS_SECTION_QUESTION] == 0) {
15207
0
      dns_zone_log(zone, ISC_LOG_NOTICE,
15208
0
             "NOTIFY with no "
15209
0
             "question section from: %s",
15210
0
             fromtext);
15211
0
      return (DNS_R_FORMERR);
15212
0
    }
15213
0
    dns_zone_log(zone, ISC_LOG_NOTICE,
15214
0
           "NOTIFY zone does not match");
15215
0
    return (DNS_R_NOTIMP);
15216
0
  }
15217
15218
  /*
15219
   * If we are a primary zone just succeed.
15220
   */
15221
0
  if (zone->type == dns_zone_primary) {
15222
0
    UNLOCK_ZONE(zone);
15223
0
    return (ISC_R_SUCCESS);
15224
0
  }
15225
15226
0
  isc_netaddr_fromsockaddr(&netaddr, from);
15227
0
  for (i = 0; i < dns_remote_count(&zone->primaries); i++) {
15228
0
    isc_sockaddr_t sockaddr = dns_remote_addr(&zone->primaries, i);
15229
0
    if (isc_sockaddr_eqaddr(from, &sockaddr)) {
15230
0
      break;
15231
0
    }
15232
0
    if (zone->view->aclenv->match_mapped &&
15233
0
        IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
15234
0
        isc_sockaddr_pf(&sockaddr) == AF_INET)
15235
0
    {
15236
0
      isc_netaddr_t na1, na2;
15237
0
      isc_netaddr_fromv4mapped(&na1, &netaddr);
15238
0
      isc_netaddr_fromsockaddr(&na2, &sockaddr);
15239
0
      if (isc_netaddr_equal(&na1, &na2)) {
15240
0
        break;
15241
0
      }
15242
0
    }
15243
0
  }
15244
15245
  /*
15246
   * Accept notify requests from non primaries if they are on
15247
   * 'zone->notify_acl'.
15248
   */
15249
0
  tsigkey = dns_message_gettsigkey(msg);
15250
0
  tsig = dns_tsigkey_identity(tsigkey);
15251
0
  if (i >= dns_remote_count(&zone->primaries) &&
15252
0
      zone->notify_acl != NULL &&
15253
0
      (dns_acl_match(&netaddr, tsig, zone->notify_acl, zone->view->aclenv,
15254
0
         &match, NULL) == ISC_R_SUCCESS) &&
15255
0
      match > 0)
15256
0
  {
15257
    /* Accept notify. */
15258
0
  } else if (i >= dns_remote_count(&zone->primaries)) {
15259
0
    UNLOCK_ZONE(zone);
15260
0
    dns_zone_log(zone, ISC_LOG_INFO,
15261
0
           "refused notify from non-primary: %s", fromtext);
15262
0
    inc_stats(zone, dns_zonestatscounter_notifyrej);
15263
0
    return (DNS_R_REFUSED);
15264
0
  }
15265
15266
  /*
15267
   * If the zone is loaded and there are answers check the serial
15268
   * to see if we need to do a refresh.  Do not worry about this
15269
   * check if we are a dialup zone as we use the notify request
15270
   * to trigger a refresh check.
15271
   */
15272
0
  if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
15273
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
15274
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH))
15275
0
  {
15276
0
    result = dns_message_findname(
15277
0
      msg, DNS_SECTION_ANSWER, &zone->origin,
15278
0
      dns_rdatatype_soa, dns_rdatatype_none, NULL, &rdataset);
15279
0
    if (result == ISC_R_SUCCESS) {
15280
0
      result = dns_rdataset_first(rdataset);
15281
0
    }
15282
0
    if (result == ISC_R_SUCCESS) {
15283
0
      uint32_t oldserial;
15284
0
      unsigned int soacount;
15285
15286
0
      dns_rdataset_current(rdataset, &rdata);
15287
0
      result = dns_rdata_tostruct(&rdata, &soa, NULL);
15288
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
15289
0
      serial = soa.serial;
15290
0
      have_serial = true;
15291
      /*
15292
       * The following should safely be performed without DB
15293
       * lock and succeed in this context.
15294
       */
15295
0
      result = zone_get_from_db(zone, zone->db, NULL,
15296
0
              &soacount, NULL, &oldserial,
15297
0
              NULL, NULL, NULL, NULL, NULL);
15298
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
15299
0
      RUNTIME_CHECK(soacount > 0U);
15300
0
      if (isc_serial_le(serial, oldserial)) {
15301
0
        dns_zone_log(zone, ISC_LOG_INFO,
15302
0
               "notify from %s: "
15303
0
               "zone is up to date",
15304
0
               fromtext);
15305
0
        UNLOCK_ZONE(zone);
15306
0
        return (ISC_R_SUCCESS);
15307
0
      }
15308
0
    }
15309
0
  }
15310
15311
  /*
15312
   * If we got this far and there was a refresh in progress just
15313
   * let it complete.  Record where we got the notify from so we
15314
   * can perform a refresh check when the current one completes
15315
   */
15316
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
15317
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
15318
0
    zone->notifyfrom = *from;
15319
0
    UNLOCK_ZONE(zone);
15320
0
    if (have_serial) {
15321
0
      dns_zone_log(zone, ISC_LOG_INFO,
15322
0
             "notify from %s: serial %u: refresh in "
15323
0
             "progress, refresh check queued",
15324
0
             fromtext, serial);
15325
0
    } else {
15326
0
      dns_zone_log(zone, ISC_LOG_INFO,
15327
0
             "notify from %s: refresh in progress, "
15328
0
             "refresh check queued",
15329
0
             fromtext);
15330
0
    }
15331
0
    return (ISC_R_SUCCESS);
15332
0
  }
15333
0
  if (have_serial) {
15334
0
    dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: serial %u",
15335
0
           fromtext, serial);
15336
0
  } else {
15337
0
    dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: no serial",
15338
0
           fromtext);
15339
0
  }
15340
0
  zone->notifyfrom = *from;
15341
0
  UNLOCK_ZONE(zone);
15342
15343
0
  if (to != NULL) {
15344
0
    dns_zonemgr_unreachabledel(zone->zmgr, from, to);
15345
0
  }
15346
0
  dns_zone_refresh(zone);
15347
0
  return (ISC_R_SUCCESS);
15348
0
}
15349
15350
void
15351
0
dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
15352
0
  REQUIRE(DNS_ZONE_VALID(zone));
15353
15354
0
  LOCK_ZONE(zone);
15355
0
  if (zone->notify_acl != NULL) {
15356
0
    dns_acl_detach(&zone->notify_acl);
15357
0
  }
15358
0
  dns_acl_attach(acl, &zone->notify_acl);
15359
0
  UNLOCK_ZONE(zone);
15360
0
}
15361
15362
void
15363
0
dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
15364
0
  REQUIRE(DNS_ZONE_VALID(zone));
15365
15366
0
  LOCK_ZONE(zone);
15367
0
  if (zone->query_acl != NULL) {
15368
0
    dns_acl_detach(&zone->query_acl);
15369
0
  }
15370
0
  dns_acl_attach(acl, &zone->query_acl);
15371
0
  UNLOCK_ZONE(zone);
15372
0
}
15373
15374
void
15375
0
dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
15376
0
  REQUIRE(DNS_ZONE_VALID(zone));
15377
15378
0
  LOCK_ZONE(zone);
15379
0
  if (zone->queryon_acl != NULL) {
15380
0
    dns_acl_detach(&zone->queryon_acl);
15381
0
  }
15382
0
  dns_acl_attach(acl, &zone->queryon_acl);
15383
0
  UNLOCK_ZONE(zone);
15384
0
}
15385
15386
void
15387
0
dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
15388
0
  REQUIRE(DNS_ZONE_VALID(zone));
15389
15390
0
  LOCK_ZONE(zone);
15391
0
  if (zone->update_acl != NULL) {
15392
0
    dns_acl_detach(&zone->update_acl);
15393
0
  }
15394
0
  dns_acl_attach(acl, &zone->update_acl);
15395
0
  UNLOCK_ZONE(zone);
15396
0
}
15397
15398
void
15399
0
dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
15400
0
  REQUIRE(DNS_ZONE_VALID(zone));
15401
15402
0
  LOCK_ZONE(zone);
15403
0
  if (zone->forward_acl != NULL) {
15404
0
    dns_acl_detach(&zone->forward_acl);
15405
0
  }
15406
0
  dns_acl_attach(acl, &zone->forward_acl);
15407
0
  UNLOCK_ZONE(zone);
15408
0
}
15409
15410
void
15411
0
dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
15412
0
  REQUIRE(DNS_ZONE_VALID(zone));
15413
15414
0
  LOCK_ZONE(zone);
15415
0
  if (zone->xfr_acl != NULL) {
15416
0
    dns_acl_detach(&zone->xfr_acl);
15417
0
  }
15418
0
  dns_acl_attach(acl, &zone->xfr_acl);
15419
0
  UNLOCK_ZONE(zone);
15420
0
}
15421
15422
dns_acl_t *
15423
0
dns_zone_getnotifyacl(dns_zone_t *zone) {
15424
0
  REQUIRE(DNS_ZONE_VALID(zone));
15425
15426
0
  return (zone->notify_acl);
15427
0
}
15428
15429
dns_acl_t *
15430
0
dns_zone_getqueryacl(dns_zone_t *zone) {
15431
0
  REQUIRE(DNS_ZONE_VALID(zone));
15432
15433
0
  return (zone->query_acl);
15434
0
}
15435
15436
dns_acl_t *
15437
0
dns_zone_getqueryonacl(dns_zone_t *zone) {
15438
0
  REQUIRE(DNS_ZONE_VALID(zone));
15439
15440
0
  return (zone->queryon_acl);
15441
0
}
15442
15443
dns_acl_t *
15444
0
dns_zone_getupdateacl(dns_zone_t *zone) {
15445
0
  REQUIRE(DNS_ZONE_VALID(zone));
15446
15447
0
  return (zone->update_acl);
15448
0
}
15449
15450
dns_acl_t *
15451
0
dns_zone_getforwardacl(dns_zone_t *zone) {
15452
0
  REQUIRE(DNS_ZONE_VALID(zone));
15453
15454
0
  return (zone->forward_acl);
15455
0
}
15456
15457
dns_acl_t *
15458
0
dns_zone_getxfracl(dns_zone_t *zone) {
15459
0
  REQUIRE(DNS_ZONE_VALID(zone));
15460
15461
0
  return (zone->xfr_acl);
15462
0
}
15463
15464
void
15465
0
dns_zone_clearupdateacl(dns_zone_t *zone) {
15466
0
  REQUIRE(DNS_ZONE_VALID(zone));
15467
15468
0
  LOCK_ZONE(zone);
15469
0
  if (zone->update_acl != NULL) {
15470
0
    dns_acl_detach(&zone->update_acl);
15471
0
  }
15472
0
  UNLOCK_ZONE(zone);
15473
0
}
15474
15475
void
15476
0
dns_zone_clearforwardacl(dns_zone_t *zone) {
15477
0
  REQUIRE(DNS_ZONE_VALID(zone));
15478
15479
0
  LOCK_ZONE(zone);
15480
0
  if (zone->forward_acl != NULL) {
15481
0
    dns_acl_detach(&zone->forward_acl);
15482
0
  }
15483
0
  UNLOCK_ZONE(zone);
15484
0
}
15485
15486
void
15487
0
dns_zone_clearnotifyacl(dns_zone_t *zone) {
15488
0
  REQUIRE(DNS_ZONE_VALID(zone));
15489
15490
0
  LOCK_ZONE(zone);
15491
0
  if (zone->notify_acl != NULL) {
15492
0
    dns_acl_detach(&zone->notify_acl);
15493
0
  }
15494
0
  UNLOCK_ZONE(zone);
15495
0
}
15496
15497
void
15498
0
dns_zone_clearqueryacl(dns_zone_t *zone) {
15499
0
  REQUIRE(DNS_ZONE_VALID(zone));
15500
15501
0
  LOCK_ZONE(zone);
15502
0
  if (zone->query_acl != NULL) {
15503
0
    dns_acl_detach(&zone->query_acl);
15504
0
  }
15505
0
  UNLOCK_ZONE(zone);
15506
0
}
15507
15508
void
15509
0
dns_zone_clearqueryonacl(dns_zone_t *zone) {
15510
0
  REQUIRE(DNS_ZONE_VALID(zone));
15511
15512
0
  LOCK_ZONE(zone);
15513
0
  if (zone->queryon_acl != NULL) {
15514
0
    dns_acl_detach(&zone->queryon_acl);
15515
0
  }
15516
0
  UNLOCK_ZONE(zone);
15517
0
}
15518
15519
void
15520
0
dns_zone_clearxfracl(dns_zone_t *zone) {
15521
0
  REQUIRE(DNS_ZONE_VALID(zone));
15522
15523
0
  LOCK_ZONE(zone);
15524
0
  if (zone->xfr_acl != NULL) {
15525
0
    dns_acl_detach(&zone->xfr_acl);
15526
0
  }
15527
0
  UNLOCK_ZONE(zone);
15528
0
}
15529
15530
bool
15531
0
dns_zone_getupdatedisabled(dns_zone_t *zone) {
15532
0
  REQUIRE(DNS_ZONE_VALID(zone));
15533
0
  return (zone->update_disabled);
15534
0
}
15535
15536
void
15537
0
dns_zone_setupdatedisabled(dns_zone_t *zone, bool state) {
15538
0
  REQUIRE(DNS_ZONE_VALID(zone));
15539
0
  zone->update_disabled = state;
15540
0
}
15541
15542
bool
15543
0
dns_zone_getzeronosoattl(dns_zone_t *zone) {
15544
0
  REQUIRE(DNS_ZONE_VALID(zone));
15545
0
  return (zone->zero_no_soa_ttl);
15546
0
}
15547
15548
void
15549
0
dns_zone_setzeronosoattl(dns_zone_t *zone, bool state) {
15550
0
  REQUIRE(DNS_ZONE_VALID(zone));
15551
0
  zone->zero_no_soa_ttl = state;
15552
0
}
15553
15554
void
15555
0
dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
15556
0
  REQUIRE(DNS_ZONE_VALID(zone));
15557
15558
0
  zone->check_names = severity;
15559
0
}
15560
15561
dns_severity_t
15562
0
dns_zone_getchecknames(dns_zone_t *zone) {
15563
0
  REQUIRE(DNS_ZONE_VALID(zone));
15564
15565
0
  return (zone->check_names);
15566
0
}
15567
15568
void
15569
0
dns_zone_setjournalsize(dns_zone_t *zone, int32_t size) {
15570
0
  REQUIRE(DNS_ZONE_VALID(zone));
15571
15572
0
  zone->journalsize = size;
15573
0
}
15574
15575
int32_t
15576
0
dns_zone_getjournalsize(dns_zone_t *zone) {
15577
0
  REQUIRE(DNS_ZONE_VALID(zone));
15578
15579
0
  return (zone->journalsize);
15580
0
}
15581
15582
static void
15583
8
zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
15584
8
  isc_result_t result = ISC_R_FAILURE;
15585
8
  isc_buffer_t buffer;
15586
15587
8
  REQUIRE(buf != NULL);
15588
8
  REQUIRE(length > 1U);
15589
15590
  /*
15591
   * Leave space for terminating '\0'.
15592
   */
15593
8
  isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
15594
8
  if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) {
15595
8
    if (dns_name_dynamic(&zone->origin)) {
15596
8
      result = dns_name_totext(
15597
8
        &zone->origin, DNS_NAME_OMITFINALDOT, &buffer);
15598
8
    }
15599
8
    if (result != ISC_R_SUCCESS &&
15600
8
        isc_buffer_availablelength(&buffer) >=
15601
0
          (sizeof("<UNKNOWN>") - 1))
15602
0
    {
15603
0
      isc_buffer_putstr(&buffer, "<UNKNOWN>");
15604
0
    }
15605
15606
8
    if (isc_buffer_availablelength(&buffer) > 0) {
15607
8
      isc_buffer_putstr(&buffer, "/");
15608
8
    }
15609
8
    (void)dns_rdataclass_totext(zone->rdclass, &buffer);
15610
8
  }
15611
15612
8
  if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
15613
8
      strcmp(zone->view->name, "_default") != 0 &&
15614
8
      strlen(zone->view->name) < isc_buffer_availablelength(&buffer))
15615
2
  {
15616
2
    isc_buffer_putstr(&buffer, "/");
15617
2
    isc_buffer_putstr(&buffer, zone->view->name);
15618
2
  }
15619
8
  if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer)) {
15620
0
    isc_buffer_putstr(&buffer, " (signed)");
15621
0
  }
15622
8
  if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer)) {
15623
0
    isc_buffer_putstr(&buffer, " (unsigned)");
15624
0
  }
15625
15626
8
  buf[isc_buffer_usedlength(&buffer)] = '\0';
15627
8
}
15628
15629
static void
15630
2
zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
15631
2
  isc_result_t result = ISC_R_FAILURE;
15632
2
  isc_buffer_t buffer;
15633
15634
2
  REQUIRE(buf != NULL);
15635
2
  REQUIRE(length > 1U);
15636
15637
  /*
15638
   * Leave space for terminating '\0'.
15639
   */
15640
2
  isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
15641
2
  if (dns_name_dynamic(&zone->origin)) {
15642
2
    result = dns_name_totext(&zone->origin, DNS_NAME_OMITFINALDOT,
15643
2
           &buffer);
15644
2
  }
15645
2
  if (result != ISC_R_SUCCESS &&
15646
2
      isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
15647
0
  {
15648
0
    isc_buffer_putstr(&buffer, "<UNKNOWN>");
15649
0
  }
15650
15651
2
  buf[isc_buffer_usedlength(&buffer)] = '\0';
15652
2
}
15653
15654
static void
15655
2
zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
15656
2
  isc_buffer_t buffer;
15657
15658
2
  REQUIRE(buf != NULL);
15659
2
  REQUIRE(length > 1U);
15660
15661
  /*
15662
   * Leave space for terminating '\0'.
15663
   */
15664
2
  isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
15665
2
  (void)dns_rdataclass_totext(zone->rdclass, &buffer);
15666
15667
2
  buf[isc_buffer_usedlength(&buffer)] = '\0';
15668
2
}
15669
15670
static void
15671
2
zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
15672
2
  isc_buffer_t buffer;
15673
15674
2
  REQUIRE(buf != NULL);
15675
2
  REQUIRE(length > 1U);
15676
15677
  /*
15678
   * Leave space for terminating '\0'.
15679
   */
15680
2
  isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
15681
15682
2
  if (zone->view == NULL) {
15683
0
    isc_buffer_putstr(&buffer, "_none");
15684
2
  } else if (strlen(zone->view->name) <
15685
2
       isc_buffer_availablelength(&buffer))
15686
2
  {
15687
2
    isc_buffer_putstr(&buffer, zone->view->name);
15688
2
  } else {
15689
0
    isc_buffer_putstr(&buffer, "_toolong");
15690
0
  }
15691
15692
2
  buf[isc_buffer_usedlength(&buffer)] = '\0';
15693
2
}
15694
15695
void
15696
0
dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
15697
0
  REQUIRE(DNS_ZONE_VALID(zone));
15698
0
  REQUIRE(buf != NULL);
15699
15700
0
  LOCK_ZONE(zone);
15701
0
  zone_namerd_tostr(zone, buf, length);
15702
0
  UNLOCK_ZONE(zone);
15703
0
}
15704
15705
void
15706
0
dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t length) {
15707
0
  REQUIRE(DNS_ZONE_VALID(zone));
15708
0
  REQUIRE(buf != NULL);
15709
0
  zone_name_tostr(zone, buf, length);
15710
0
}
15711
15712
void
15713
dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
15714
16
        const char *prefix, const char *fmt, va_list ap) {
15715
16
  char message[4096];
15716
16
  const char *zstr;
15717
15718
16
  REQUIRE(DNS_ZONE_VALID(zone));
15719
15720
16
  if (!isc_log_wouldlog(dns_lctx, level)) {
15721
16
    return;
15722
16
  }
15723
15724
0
  vsnprintf(message, sizeof(message), fmt, ap);
15725
15726
0
  switch (zone->type) {
15727
0
  case dns_zone_key:
15728
0
    zstr = "managed-keys-zone";
15729
0
    break;
15730
0
  case dns_zone_redirect:
15731
0
    zstr = "redirect-zone";
15732
0
    break;
15733
0
  default:
15734
0
    zstr = "zone ";
15735
0
  }
15736
15737
0
  isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE, level,
15738
0
          "%s%s%s%s: %s", (prefix != NULL ? prefix : ""),
15739
0
          (prefix != NULL ? ": " : ""), zstr, zone->strnamerd,
15740
0
          message);
15741
0
}
15742
15743
static void
15744
0
notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
15745
0
  va_list ap;
15746
15747
0
  va_start(ap, fmt);
15748
0
  dns_zone_logv(zone, DNS_LOGCATEGORY_NOTIFY, level, NULL, fmt, ap);
15749
0
  va_end(ap);
15750
0
}
15751
15752
void
15753
dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
15754
10
        const char *fmt, ...) {
15755
10
  va_list ap;
15756
15757
10
  va_start(ap, fmt);
15758
10
  dns_zone_logv(zone, category, level, NULL, fmt, ap);
15759
10
  va_end(ap);
15760
10
}
15761
15762
void
15763
0
dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
15764
0
  va_list ap;
15765
15766
0
  va_start(ap, fmt);
15767
0
  dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, NULL, fmt, ap);
15768
0
  va_end(ap);
15769
0
}
15770
15771
static void
15772
zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel, const char *fmt,
15773
6
        ...) {
15774
6
  int level = ISC_LOG_DEBUG(debuglevel);
15775
6
  va_list ap;
15776
15777
6
  va_start(ap, fmt);
15778
6
  dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, me, fmt, ap);
15779
6
  va_end(ap);
15780
6
}
15781
15782
static void
15783
0
dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) {
15784
0
  va_list ap;
15785
15786
0
  va_start(ap, fmt);
15787
0
  dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap);
15788
0
  va_end(ap);
15789
0
}
15790
15791
static int
15792
0
message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type) {
15793
0
  isc_result_t result;
15794
0
  dns_name_t *name;
15795
0
  dns_rdataset_t *curr;
15796
0
  int count = 0;
15797
15798
0
  result = dns_message_firstname(msg, section);
15799
0
  while (result == ISC_R_SUCCESS) {
15800
0
    name = NULL;
15801
0
    dns_message_currentname(msg, section, &name);
15802
15803
0
    for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
15804
0
         curr = ISC_LIST_PREV(curr, link))
15805
0
    {
15806
0
      if (curr->type == type) {
15807
0
        count++;
15808
0
      }
15809
0
    }
15810
0
    result = dns_message_nextname(msg, section);
15811
0
  }
15812
15813
0
  return (count);
15814
0
}
15815
15816
void
15817
0
dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin) {
15818
0
  REQUIRE(DNS_ZONE_VALID(zone));
15819
15820
0
  zone->maxxfrin = maxxfrin;
15821
0
}
15822
15823
uint32_t
15824
0
dns_zone_getmaxxfrin(dns_zone_t *zone) {
15825
0
  REQUIRE(DNS_ZONE_VALID(zone));
15826
15827
0
  return (zone->maxxfrin);
15828
0
}
15829
15830
void
15831
0
dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout) {
15832
0
  REQUIRE(DNS_ZONE_VALID(zone));
15833
0
  zone->maxxfrout = maxxfrout;
15834
0
}
15835
15836
uint32_t
15837
0
dns_zone_getmaxxfrout(dns_zone_t *zone) {
15838
0
  REQUIRE(DNS_ZONE_VALID(zone));
15839
15840
0
  return (zone->maxxfrout);
15841
0
}
15842
15843
dns_zonetype_t
15844
521
dns_zone_gettype(dns_zone_t *zone) {
15845
521
  REQUIRE(DNS_ZONE_VALID(zone));
15846
15847
521
  return (zone->type);
15848
521
}
15849
15850
const char *
15851
0
dns_zonetype_name(dns_zonetype_t type) {
15852
0
  switch (type) {
15853
0
  case dns_zone_none:
15854
0
    return ("none");
15855
0
  case dns_zone_primary:
15856
0
    return ("primary");
15857
0
  case dns_zone_secondary:
15858
0
    return ("secondary");
15859
0
  case dns_zone_mirror:
15860
0
    return ("mirror");
15861
0
  case dns_zone_stub:
15862
0
    return ("stub");
15863
0
  case dns_zone_staticstub:
15864
0
    return ("static-stub");
15865
0
  case dns_zone_key:
15866
0
    return ("key");
15867
0
  case dns_zone_dlz:
15868
0
    return ("dlz");
15869
0
  case dns_zone_redirect:
15870
0
    return ("redirect");
15871
0
  default:
15872
0
    return ("unknown");
15873
0
  }
15874
0
}
15875
15876
dns_zonetype_t
15877
0
dns_zone_getredirecttype(dns_zone_t *zone) {
15878
0
  REQUIRE(DNS_ZONE_VALID(zone));
15879
0
  REQUIRE(zone->type == dns_zone_redirect);
15880
15881
0
  return (dns_remote_addresses(&zone->primaries) == NULL
15882
0
      ? dns_zone_primary
15883
0
      : dns_zone_secondary);
15884
0
}
15885
15886
dns_name_t *
15887
346
dns_zone_getorigin(dns_zone_t *zone) {
15888
346
  REQUIRE(DNS_ZONE_VALID(zone));
15889
15890
346
  return (&zone->origin);
15891
346
}
15892
15893
void
15894
0
dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein) {
15895
0
  REQUIRE(DNS_ZONE_VALID(zone));
15896
15897
0
  if (idlein == 0) {
15898
0
    idlein = DNS_DEFAULT_IDLEIN;
15899
0
  }
15900
0
  zone->idlein = idlein;
15901
0
}
15902
15903
uint32_t
15904
0
dns_zone_getidlein(dns_zone_t *zone) {
15905
0
  REQUIRE(DNS_ZONE_VALID(zone));
15906
15907
0
  return (zone->idlein);
15908
0
}
15909
15910
void
15911
0
dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout) {
15912
0
  REQUIRE(DNS_ZONE_VALID(zone));
15913
15914
0
  zone->idleout = idleout;
15915
0
}
15916
15917
uint32_t
15918
0
dns_zone_getidleout(dns_zone_t *zone) {
15919
0
  REQUIRE(DNS_ZONE_VALID(zone));
15920
15921
0
  return (zone->idleout);
15922
0
}
15923
15924
static void
15925
0
notify_done(void *arg) {
15926
0
  dns_request_t *request = (dns_request_t *)arg;
15927
0
  dns_notify_t *notify = dns_request_getarg(request);
15928
0
  isc_result_t result;
15929
0
  dns_message_t *message = NULL;
15930
0
  isc_buffer_t buf;
15931
0
  char rcode[128];
15932
0
  char addrbuf[ISC_SOCKADDR_FORMATSIZE];
15933
15934
0
  REQUIRE(DNS_NOTIFY_VALID(notify));
15935
15936
0
  isc_buffer_init(&buf, rcode, sizeof(rcode));
15937
0
  isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
15938
0
  dns_message_create(notify->zone->mctx, NULL, NULL,
15939
0
         DNS_MESSAGE_INTENTPARSE, &message);
15940
15941
0
  result = dns_request_getresult(request);
15942
0
  if (result != ISC_R_SUCCESS) {
15943
0
    goto fail;
15944
0
  }
15945
15946
0
  result = dns_request_getresponse(request, message,
15947
0
           DNS_MESSAGEPARSE_PRESERVEORDER);
15948
0
  if (result != ISC_R_SUCCESS) {
15949
0
    goto fail;
15950
0
  }
15951
15952
0
  result = dns_rcode_totext(message->rcode, &buf);
15953
0
  if (result == ISC_R_SUCCESS) {
15954
0
    notify_log(notify->zone, ISC_LOG_DEBUG(3),
15955
0
         "notify response from %s: %.*s", addrbuf,
15956
0
         (int)buf.used, rcode);
15957
0
  }
15958
15959
0
fail:
15960
0
  dns_message_detach(&message);
15961
15962
0
  if (result == ISC_R_SUCCESS) {
15963
0
    notify_log(notify->zone, ISC_LOG_DEBUG(1),
15964
0
         "notify to %s successful", addrbuf);
15965
0
  } else if (result == ISC_R_SHUTTINGDOWN || result == ISC_R_CANCELED) {
15966
    /* just destroy the notify */
15967
0
  } else if ((notify->flags & DNS_NOTIFY_TCP) == 0) {
15968
0
    notify_log(notify->zone, ISC_LOG_NOTICE,
15969
0
         "notify to %s failed: %s: retrying over TCP",
15970
0
         addrbuf, isc_result_totext(result));
15971
0
    notify->flags |= DNS_NOTIFY_TCP;
15972
0
    dns_request_destroy(&notify->request);
15973
0
    notify_send_queue(notify, (notify->flags & DNS_NOTIFY_STARTUP));
15974
0
    return;
15975
0
  } else if (result == ISC_R_TIMEDOUT) {
15976
0
    notify_log(notify->zone, ISC_LOG_WARNING,
15977
0
         "notify to %s failed: %s: retries exceeded", addrbuf,
15978
0
         isc_result_totext(result));
15979
0
  } else {
15980
0
    notify_log(notify->zone, ISC_LOG_WARNING,
15981
0
         "notify to %s failed: %s", addrbuf,
15982
0
         isc_result_totext(result));
15983
0
  }
15984
0
  notify_destroy(notify, false);
15985
0
}
15986
15987
struct rss {
15988
  dns_zone_t *zone;
15989
  dns_db_t *db;
15990
  uint32_t serial;
15991
  ISC_LINK(struct rss) link;
15992
};
15993
15994
static void
15995
0
update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
15996
0
  UNUSED(arg);
15997
0
  dns_zone_log(zone, level, "%s", message);
15998
0
}
15999
16000
static isc_result_t
16001
dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, isc_mem_t *mctx,
16002
0
       dns_dnsseckeylist_t *keylist, bool *inuse) {
16003
0
  isc_result_t result;
16004
0
  dst_key_t *dstkey = NULL;
16005
16006
0
  result = dns_dnssec_keyfromrdata(dns_zone_getorigin(zone), rdata, mctx,
16007
0
           &dstkey);
16008
0
  if (result != ISC_R_SUCCESS) {
16009
0
    dns_zone_log(zone, ISC_LOG_ERROR,
16010
0
           "dns_dnssec_keyfromrdata() failed: %s",
16011
0
           isc_result_totext(result));
16012
0
    return (result);
16013
0
  }
16014
16015
0
  for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL;
16016
0
       k = ISC_LIST_NEXT(k, link))
16017
0
  {
16018
0
    if (dst_key_pubcompare(k->key, dstkey, false)) {
16019
0
      *inuse = true;
16020
0
      break;
16021
0
    }
16022
0
  }
16023
16024
0
  dst_key_free(&dstkey);
16025
0
  return (ISC_R_SUCCESS);
16026
0
}
16027
16028
static isc_result_t
16029
cdnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata,
16030
0
        dns_dnsseckeylist_t *keylist, bool *inuse) {
16031
0
  isc_result_t result;
16032
0
  dns_rdata_cdnskey_t cdnskey;
16033
16034
0
  result = dns_rdata_tostruct(rdata, &cdnskey, NULL);
16035
0
  if (result != ISC_R_SUCCESS) {
16036
0
    dns_zone_log(zone, ISC_LOG_ERROR,
16037
0
           "dns_rdata_tostruct(cdnskey) failed: %s",
16038
0
           isc_result_totext(result));
16039
0
    return (result);
16040
0
  }
16041
16042
0
  for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL;
16043
0
       k = ISC_LIST_NEXT(k, link))
16044
0
  {
16045
0
    dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
16046
0
    unsigned char keybuf[DST_KEY_MAXSIZE];
16047
16048
0
    result = dns_dnssec_make_dnskey(k->key, keybuf, sizeof(keybuf),
16049
0
            &cdnskeyrdata);
16050
0
    if (result != ISC_R_SUCCESS) {
16051
0
      dns_zone_log(zone, ISC_LOG_ERROR,
16052
0
             "dns_dnssec_make_dnskey() failed: %s",
16053
0
             isc_result_totext(result));
16054
0
      return (result);
16055
0
    }
16056
16057
0
    cdnskeyrdata.type = dns_rdatatype_cdnskey;
16058
0
    if (dns_rdata_compare(rdata, &cdnskeyrdata) == 0) {
16059
0
      *inuse = true;
16060
0
      break;
16061
0
    }
16062
0
  }
16063
16064
0
  return (ISC_R_SUCCESS);
16065
0
}
16066
16067
static isc_result_t
16068
cds_inuse(dns_zone_t *zone, dns_rdata_t *rdata, dns_dnsseckeylist_t *keylist,
16069
0
    bool *inuse) {
16070
0
  isc_result_t result;
16071
0
  dns_rdata_ds_t cds;
16072
16073
0
  result = dns_rdata_tostruct(rdata, &cds, NULL);
16074
0
  if (result != ISC_R_SUCCESS) {
16075
0
    dns_zone_log(zone, ISC_LOG_ERROR,
16076
0
           "dns_rdata_tostruct(cds) failed: %s",
16077
0
           isc_result_totext(result));
16078
0
    return (result);
16079
0
  }
16080
16081
0
  for (dns_dnsseckey_t *k = ISC_LIST_HEAD(*keylist); k != NULL;
16082
0
       k = ISC_LIST_NEXT(k, link))
16083
0
  {
16084
0
    dns_rdata_t dnskey = DNS_RDATA_INIT;
16085
0
    dns_rdata_t cdsrdata = DNS_RDATA_INIT;
16086
0
    unsigned char keybuf[DST_KEY_MAXSIZE];
16087
0
    unsigned char cdsbuf[DNS_DS_BUFFERSIZE];
16088
16089
0
    if (dst_key_id(k->key) != cds.key_tag ||
16090
0
        dst_key_alg(k->key) != cds.algorithm)
16091
0
    {
16092
0
      continue;
16093
0
    }
16094
0
    result = dns_dnssec_make_dnskey(k->key, keybuf, sizeof(keybuf),
16095
0
            &dnskey);
16096
0
    if (result != ISC_R_SUCCESS) {
16097
0
      dns_zone_log(zone, ISC_LOG_ERROR,
16098
0
             "dns_dnssec_make_dnskey() failed: %s",
16099
0
             isc_result_totext(result));
16100
0
      return (result);
16101
0
    }
16102
0
    result = dns_ds_buildrdata(dns_zone_getorigin(zone), &dnskey,
16103
0
             cds.digest_type, cdsbuf, &cdsrdata);
16104
0
    if (result != ISC_R_SUCCESS) {
16105
0
      dns_zone_log(zone, ISC_LOG_ERROR,
16106
0
             "dns_ds_buildrdata(keytag=%d, algo=%d, "
16107
0
             "digest=%d) failed: %s",
16108
0
             cds.key_tag, cds.algorithm,
16109
0
             cds.digest_type,
16110
0
             isc_result_totext(result));
16111
0
      return (result);
16112
0
    }
16113
16114
0
    cdsrdata.type = dns_rdatatype_cds;
16115
0
    if (dns_rdata_compare(rdata, &cdsrdata) == 0) {
16116
0
      *inuse = true;
16117
0
      break;
16118
0
    }
16119
0
  }
16120
16121
0
  return (ISC_R_SUCCESS);
16122
0
}
16123
16124
isc_result_t
16125
0
dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) {
16126
0
  dns_dnsseckeylist_t keylist;
16127
0
  dns_dnsseckey_t *key = NULL;
16128
0
  isc_result_t result = ISC_R_SUCCESS;
16129
0
  isc_stdtime_t now = isc_stdtime_now();
16130
0
  isc_mem_t *mctx;
16131
0
  dns_kasp_t *kasp;
16132
0
  dns_keystorelist_t *keystores;
16133
0
  const char *keydir;
16134
16135
0
  REQUIRE(DNS_ZONE_VALID(zone));
16136
0
  REQUIRE(dns_rdatatype_iskeymaterial(rdata->type));
16137
16138
0
  mctx = zone->mctx;
16139
16140
0
  ISC_LIST_INIT(keylist);
16141
16142
0
  *inuse = false;
16143
16144
0
  kasp = dns_zone_getkasp(zone);
16145
0
  keydir = dns_zone_getkeydirectory(zone);
16146
0
  keystores = dns_zone_getkeystores(zone);
16147
16148
0
  dns_zone_lock_keyfiles(zone);
16149
0
  result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp,
16150
0
               keydir, keystores, now, mctx,
16151
0
               &keylist);
16152
0
  dns_zone_unlock_keyfiles(zone);
16153
0
  if (result == ISC_R_NOTFOUND) {
16154
0
    return (ISC_R_SUCCESS);
16155
0
  } else if (result != ISC_R_SUCCESS) {
16156
0
    dns_zone_log(zone, ISC_LOG_ERROR,
16157
0
           "dns_dnssec_findmatchingkeys() failed: %s",
16158
0
           isc_result_totext(result));
16159
0
    return (result);
16160
0
  }
16161
16162
0
  switch (rdata->type) {
16163
0
  case dns_rdatatype_dnskey:
16164
0
    result = dnskey_inuse(zone, rdata, mctx, &keylist, inuse);
16165
0
    break;
16166
0
  case dns_rdatatype_cdnskey:
16167
0
    result = cdnskey_inuse(zone, rdata, &keylist, inuse);
16168
0
    break;
16169
0
  case dns_rdatatype_cds:
16170
0
    result = cds_inuse(zone, rdata, &keylist, inuse);
16171
0
    break;
16172
0
  default:
16173
0
    UNREACHABLE();
16174
0
    break;
16175
0
  }
16176
16177
0
  while (!ISC_LIST_EMPTY(keylist)) {
16178
0
    key = ISC_LIST_HEAD(keylist);
16179
0
    ISC_LIST_UNLINK(keylist, key, link);
16180
0
    dns_dnsseckey_destroy(mctx, &key);
16181
0
  }
16182
0
  return (result);
16183
0
}
16184
16185
static isc_result_t
16186
sync_secure_journal(dns_zone_t *zone, dns_zone_t *raw, dns_journal_t *journal,
16187
        uint32_t start, uint32_t end, dns_difftuple_t **soatuplep,
16188
0
        dns_diff_t *diff) {
16189
0
  isc_result_t result;
16190
0
  dns_difftuple_t *tuple = NULL;
16191
0
  dns_diffop_t op = DNS_DIFFOP_ADD;
16192
0
  int n_soa = 0;
16193
16194
0
  REQUIRE(soatuplep != NULL);
16195
16196
0
  if (start == end) {
16197
0
    return (DNS_R_UNCHANGED);
16198
0
  }
16199
16200
0
  CHECK(dns_journal_iter_init(journal, start, end, NULL));
16201
0
  for (result = dns_journal_first_rr(journal); result == ISC_R_SUCCESS;
16202
0
       result = dns_journal_next_rr(journal))
16203
0
  {
16204
0
    dns_name_t *name = NULL;
16205
0
    uint32_t ttl;
16206
0
    dns_rdata_t *rdata = NULL;
16207
0
    dns_journal_current_rr(journal, &name, &ttl, &rdata);
16208
16209
0
    if (rdata->type == dns_rdatatype_soa) {
16210
0
      n_soa++;
16211
0
      if (n_soa == 2) {
16212
        /*
16213
         * Save the latest raw SOA record.
16214
         */
16215
0
        if (*soatuplep != NULL) {
16216
0
          dns_difftuple_free(soatuplep);
16217
0
        }
16218
0
        CHECK(dns_difftuple_create(
16219
0
          diff->mctx, DNS_DIFFOP_ADD, name, ttl,
16220
0
          rdata, soatuplep));
16221
0
      }
16222
0
      if (n_soa == 3) {
16223
0
        n_soa = 1;
16224
0
      }
16225
0
      continue;
16226
0
    }
16227
16228
    /* Sanity. */
16229
0
    if (n_soa == 0) {
16230
0
      dns_zone_log(raw, ISC_LOG_ERROR,
16231
0
             "corrupt journal file: '%s'\n",
16232
0
             raw->journal);
16233
0
      return (ISC_R_FAILURE);
16234
0
    }
16235
16236
0
    if (zone->privatetype != 0 && rdata->type == zone->privatetype)
16237
0
    {
16238
0
      continue;
16239
0
    }
16240
16241
    /*
16242
     * Skip DNSSEC records that BIND maintains with inline-signing.
16243
     */
16244
0
    if (rdata->type == dns_rdatatype_nsec ||
16245
0
        rdata->type == dns_rdatatype_rrsig ||
16246
0
        rdata->type == dns_rdatatype_nsec3 ||
16247
0
        rdata->type == dns_rdatatype_nsec3param)
16248
0
    {
16249
0
      continue;
16250
0
    }
16251
    /*
16252
     * Allow DNSKEY, CDNSKEY, CDS because users should be able to
16253
     * update the zone with these records from a different provider,
16254
     * but skip records that are under our control.
16255
     */
16256
0
    if (dns_rdatatype_iskeymaterial(rdata->type)) {
16257
0
      bool inuse = false;
16258
0
      isc_result_t r = dns_zone_dnskey_inuse(zone, rdata,
16259
0
                     &inuse);
16260
0
      if (r == ISC_R_SUCCESS && inuse) {
16261
0
        continue;
16262
0
      }
16263
0
    }
16264
16265
0
    op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
16266
16267
0
    CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, rdata,
16268
0
             &tuple));
16269
0
    dns_diff_appendminimal(diff, &tuple);
16270
0
  }
16271
0
  if (result == ISC_R_NOMORE) {
16272
0
    result = ISC_R_SUCCESS;
16273
0
  }
16274
16275
0
failure:
16276
0
  return (result);
16277
0
}
16278
16279
/*
16280
 * Filter the key material preserving TTL changes.  If kasp in effect honour the
16281
 * existing ttl.  The lists returned by sync_secure_db/dns_db_diffx should be
16282
 * DNSSEC RRset order so we can process 'del' and 'add' in parallel rather than
16283
 * searching for TTL only changes first and processing them, then checking the
16284
 * 'in use' status on a subsequent pass.
16285
 */
16286
16287
static void
16288
filter_keymaterial(dns_zone_t *zone, dns_difftuplelist_t *del,
16289
0
       dns_difftuplelist_t *add, bool kasp, dns_ttl_t ttl) {
16290
0
  dns_difftuple_t *deltuple = ISC_LIST_HEAD(*del);
16291
0
  dns_difftuple_t *addtuple = ISC_LIST_HEAD(*add);
16292
0
  isc_result_t result;
16293
16294
0
  while (deltuple != NULL || addtuple != NULL) {
16295
0
    dns_difftuple_t *delnext = NULL, *addnext = NULL;
16296
0
    bool inuse = false;
16297
0
    if (deltuple != NULL) {
16298
0
      delnext = ISC_LIST_NEXT(deltuple, link);
16299
0
    }
16300
0
    if (addtuple != NULL) {
16301
0
      addnext = ISC_LIST_NEXT(addtuple, link);
16302
0
    }
16303
0
    if (deltuple != NULL && addtuple != NULL) {
16304
0
      int n = dns_rdata_compare(&deltuple->rdata,
16305
0
              &addtuple->rdata);
16306
0
      if (n == 0) {
16307
        /*
16308
         * If the rdata is equal then the only
16309
         * difference will be a TTL change.
16310
         */
16311
0
        if (kasp) {
16312
          /* TTL is managed by dnssec-policy */
16313
0
          ISC_LIST_UNLINK(*del, deltuple, link);
16314
0
          dns_difftuple_free(&deltuple);
16315
0
          ISC_LIST_UNLINK(*add, addtuple, link);
16316
0
          dns_difftuple_free(&addtuple);
16317
0
        }
16318
0
        deltuple = delnext;
16319
0
        addtuple = addnext;
16320
0
        continue;
16321
0
      }
16322
0
      if (n < 0) {
16323
0
        goto checkdel;
16324
0
      }
16325
0
      goto checkadd;
16326
0
    } else if (deltuple != NULL) {
16327
0
    checkdel:
16328
0
      result = dns_zone_dnskey_inuse(zone, &deltuple->rdata,
16329
0
                   &inuse);
16330
0
      if (result == ISC_R_SUCCESS && inuse) {
16331
0
        ISC_LIST_UNLINK(*del, deltuple, link);
16332
0
        dns_difftuple_free(&deltuple);
16333
0
      }
16334
0
      deltuple = delnext;
16335
0
    } else {
16336
0
    checkadd:
16337
0
      result = dns_zone_dnskey_inuse(zone, &addtuple->rdata,
16338
0
                   &inuse);
16339
0
      if (result == ISC_R_SUCCESS && inuse) {
16340
0
        ISC_LIST_UNLINK(*add, addtuple, link);
16341
0
        dns_difftuple_free(&addtuple);
16342
0
      } else if (kasp) {
16343
0
        addtuple->ttl = ttl;
16344
0
      }
16345
0
      addtuple = addnext;
16346
0
    }
16347
0
  }
16348
0
}
16349
16350
static isc_result_t
16351
sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
16352
         dns_dbversion_t *secver, dns_difftuple_t **soatuple,
16353
0
         dns_diff_t *diff) {
16354
0
  isc_result_t result;
16355
0
  dns_db_t *rawdb = NULL;
16356
0
  dns_dbversion_t *rawver = NULL;
16357
0
  dns_difftuple_t *tuple = NULL, *next;
16358
0
  dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
16359
0
  dns_rdata_soa_t oldsoa, newsoa;
16360
0
  dns_difftuplelist_t add = ISC_LIST_INITIALIZER;
16361
0
  dns_difftuplelist_t del = ISC_LIST_INITIALIZER;
16362
0
  dns_difftuplelist_t keyadd = ISC_LIST_INITIALIZER;
16363
0
  dns_difftuplelist_t keydel = ISC_LIST_INITIALIZER;
16364
0
  dns_difftuplelist_t ckeyadd = ISC_LIST_INITIALIZER;
16365
0
  dns_difftuplelist_t ckeydel = ISC_LIST_INITIALIZER;
16366
0
  dns_difftuplelist_t cdsadd = ISC_LIST_INITIALIZER;
16367
0
  dns_difftuplelist_t cdsdel = ISC_LIST_INITIALIZER;
16368
0
  dns_kasp_t *kasp = NULL;
16369
0
  dns_ttl_t keyttl = 0, ckeyttl = 0, cdsttl = 0;
16370
16371
0
  REQUIRE(DNS_ZONE_VALID(seczone));
16372
0
  REQUIRE(soatuple != NULL && *soatuple == NULL);
16373
16374
0
  if (!seczone->sourceserialset) {
16375
0
    return (DNS_R_UNCHANGED);
16376
0
  }
16377
16378
0
  dns_db_attach(raw->db, &rawdb);
16379
0
  dns_db_currentversion(rawdb, &rawver);
16380
0
  result = dns_db_diffx(diff, rawdb, rawver, secdb, secver, NULL);
16381
0
  dns_db_closeversion(rawdb, &rawver, false);
16382
0
  dns_db_detach(&rawdb);
16383
16384
0
  if (result != ISC_R_SUCCESS) {
16385
0
    return (result);
16386
0
  }
16387
16388
  /*
16389
   * If kasp is in effect honour the existing DNSKEY, CDNSKEY and CDS
16390
   * TTLs.
16391
   */
16392
0
  kasp = seczone->kasp;
16393
0
  if (kasp != NULL) {
16394
0
    dns_rdataset_t rdataset;
16395
0
    dns_dbnode_t *node = NULL;
16396
0
    dns_ttl_t ttl = dns_kasp_dnskeyttl(kasp);
16397
16398
0
    dns_rdataset_init(&rdataset);
16399
16400
0
    result = dns_db_getoriginnode(secdb, &node);
16401
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
16402
16403
0
    result = dns_db_findrdataset(
16404
0
      secdb, node, secver, dns_rdatatype_dnskey,
16405
0
      dns_rdatatype_none, 0, &rdataset, NULL);
16406
0
    keyttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl;
16407
0
    if (dns_rdataset_isassociated(&rdataset)) {
16408
0
      dns_rdataset_disassociate(&rdataset);
16409
0
    }
16410
16411
0
    result = dns_db_findrdataset(
16412
0
      secdb, node, secver, dns_rdatatype_cdnskey,
16413
0
      dns_rdatatype_none, 0, &rdataset, NULL);
16414
0
    ckeyttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl;
16415
0
    if (dns_rdataset_isassociated(&rdataset)) {
16416
0
      dns_rdataset_disassociate(&rdataset);
16417
0
    }
16418
16419
0
    result = dns_db_findrdataset(
16420
0
      secdb, node, secver, dns_rdatatype_cds,
16421
0
      dns_rdatatype_none, 0, &rdataset, NULL);
16422
0
    cdsttl = (result == ISC_R_SUCCESS) ? rdataset.ttl : ttl;
16423
0
    if (dns_rdataset_isassociated(&rdataset)) {
16424
0
      dns_rdataset_disassociate(&rdataset);
16425
0
    }
16426
0
    dns_db_detachnode(secdb, &node);
16427
0
  }
16428
16429
0
  for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
16430
0
    dns_difftuplelist_t *al = &add, *dl = &del;
16431
16432
0
    next = ISC_LIST_NEXT(tuple, link);
16433
16434
    /*
16435
     * Skip DNSSEC records that BIND maintains with inline-signing.
16436
     */
16437
0
    if (tuple->rdata.type == dns_rdatatype_nsec ||
16438
0
        tuple->rdata.type == dns_rdatatype_rrsig ||
16439
0
        tuple->rdata.type == dns_rdatatype_nsec3 ||
16440
0
        tuple->rdata.type == dns_rdatatype_nsec3param)
16441
0
    {
16442
0
      ISC_LIST_UNLINK(diff->tuples, tuple, link);
16443
0
      dns_difftuple_free(&tuple);
16444
0
      continue;
16445
0
    }
16446
16447
    /*
16448
     * Apex DNSKEY, CDNSKEY and CDS need special processing so
16449
     * split them out.
16450
     */
16451
0
    if (dns_rdatatype_iskeymaterial(tuple->rdata.type) &&
16452
0
        dns_name_equal(&tuple->name, &seczone->origin))
16453
0
    {
16454
0
      switch (tuple->rdata.type) {
16455
0
      case dns_rdatatype_dnskey:
16456
0
        al = &keyadd;
16457
0
        dl = &keydel;
16458
0
        break;
16459
0
      case dns_rdatatype_cdnskey:
16460
0
        al = &ckeyadd;
16461
0
        dl = &ckeydel;
16462
0
        break;
16463
0
      case dns_rdatatype_cds:
16464
0
        al = &cdsadd;
16465
0
        dl = &cdsdel;
16466
0
        break;
16467
0
      default:
16468
0
        UNREACHABLE();
16469
0
      }
16470
0
    }
16471
16472
0
    if (tuple->rdata.type == dns_rdatatype_soa) {
16473
0
      if (tuple->op == DNS_DIFFOP_DEL) {
16474
0
        INSIST(oldtuple == NULL);
16475
0
        oldtuple = tuple;
16476
0
      }
16477
0
      if (tuple->op == DNS_DIFFOP_ADD) {
16478
0
        INSIST(newtuple == NULL);
16479
0
        newtuple = tuple;
16480
0
      }
16481
0
    }
16482
16483
    /*
16484
     * Split into deletions and additions.
16485
     */
16486
0
    ISC_LIST_UNLINK(diff->tuples, tuple, link);
16487
0
    switch (tuple->op) {
16488
0
    case DNS_DIFFOP_DEL:
16489
0
    case DNS_DIFFOP_DELRESIGN:
16490
0
      ISC_LIST_APPEND(*dl, tuple, link);
16491
0
      break;
16492
0
    case DNS_DIFFOP_ADD:
16493
0
    case DNS_DIFFOP_ADDRESIGN:
16494
0
      ISC_LIST_APPEND(*al, tuple, link);
16495
0
      break;
16496
0
    default:
16497
0
      UNREACHABLE();
16498
0
    }
16499
0
  }
16500
16501
0
  if (oldtuple != NULL && newtuple != NULL) {
16502
0
    result = dns_rdata_tostruct(&oldtuple->rdata, &oldsoa, NULL);
16503
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
16504
16505
0
    result = dns_rdata_tostruct(&newtuple->rdata, &newsoa, NULL);
16506
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
16507
16508
    /*
16509
     * If the SOA records are the same except for the serial
16510
     * remove them from the diff.
16511
     */
16512
0
    if (oldtuple->ttl == newtuple->ttl &&
16513
0
        oldsoa.refresh == newsoa.refresh &&
16514
0
        oldsoa.retry == newsoa.retry &&
16515
0
        oldsoa.minimum == newsoa.minimum &&
16516
0
        oldsoa.expire == newsoa.expire &&
16517
0
        dns_name_equal(&oldsoa.origin, &newsoa.origin) &&
16518
0
        dns_name_equal(&oldsoa.contact, &newsoa.contact))
16519
0
    {
16520
0
      ISC_LIST_UNLINK(del, oldtuple, link);
16521
0
      dns_difftuple_free(&oldtuple);
16522
0
      ISC_LIST_UNLINK(add, newtuple, link);
16523
0
      dns_difftuple_free(&newtuple);
16524
0
    }
16525
0
  }
16526
16527
  /*
16528
   * Filter out keys we manage but still allow TTL changes.
16529
   */
16530
0
  filter_keymaterial(seczone, &keydel, &keyadd, kasp != NULL, keyttl);
16531
0
  filter_keymaterial(seczone, &ckeydel, &ckeyadd, kasp != NULL, ckeyttl);
16532
0
  filter_keymaterial(seczone, &cdsdel, &cdsadd, kasp != NULL, cdsttl);
16533
16534
  /*
16535
   * Rebuild the diff now that we have filtered it
16536
   */
16537
0
  ISC_LIST_APPENDLIST(diff->tuples, del, link);
16538
0
  ISC_LIST_APPENDLIST(diff->tuples, keydel, link);
16539
0
  ISC_LIST_APPENDLIST(diff->tuples, ckeydel, link);
16540
0
  ISC_LIST_APPENDLIST(diff->tuples, cdsdel, link);
16541
0
  ISC_LIST_APPENDLIST(diff->tuples, add, link);
16542
0
  ISC_LIST_APPENDLIST(diff->tuples, keyadd, link);
16543
0
  ISC_LIST_APPENDLIST(diff->tuples, ckeyadd, link);
16544
0
  ISC_LIST_APPENDLIST(diff->tuples, cdsadd, link);
16545
16546
0
  if (ISC_LIST_EMPTY(diff->tuples)) {
16547
0
    return (DNS_R_UNCHANGED);
16548
0
  }
16549
16550
  /*
16551
   * If there are still SOA records in the diff they can now be removed
16552
   * saving the new SOA record.
16553
   */
16554
0
  if (oldtuple != NULL) {
16555
0
    ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
16556
0
    dns_difftuple_free(&oldtuple);
16557
0
  }
16558
16559
0
  if (newtuple != NULL) {
16560
0
    ISC_LIST_UNLINK(diff->tuples, newtuple, link);
16561
0
    *soatuple = newtuple;
16562
0
  }
16563
16564
0
  return (ISC_R_SUCCESS);
16565
0
}
16566
16567
static void
16568
0
receive_secure_serial(void *arg) {
16569
0
  struct rss *rss = (struct rss *)arg;
16570
0
  dns_zone_t *zone = rss->zone;
16571
0
  isc_result_t result = ISC_R_SUCCESS;
16572
0
  dns_journal_t *rjournal = NULL;
16573
0
  dns_journal_t *sjournal = NULL;
16574
0
  uint32_t start, end = rss->serial;
16575
0
  dns_difftuple_t *tuple = NULL, *soatuple = NULL;
16576
0
  dns_update_log_t log = { update_log_cb, NULL };
16577
0
  uint32_t newserial = 0, desired = 0;
16578
0
  isc_time_t timenow;
16579
0
  int level = ISC_LOG_ERROR;
16580
16581
0
  ENTER;
16582
16583
0
  LOCK_ZONE(zone);
16584
16585
  /*
16586
   * The receive_secure_serial() is loop-serialized for the zone.  Make
16587
   * sure there's no processing currently running.
16588
   */
16589
16590
0
  INSIST(zone->rss == NULL || zone->rss == rss);
16591
16592
0
  if (zone->rss != NULL) {
16593
0
    INSIST(zone->rss == rss);
16594
0
    UNLOCK_ZONE(zone);
16595
0
  } else {
16596
0
    zone->rss = rss;
16597
0
    dns_diff_init(zone->mctx, &zone->rss_diff);
16598
16599
    /*
16600
     * zone->db may be NULL, if the load from disk failed.
16601
     */
16602
0
    result = ISC_R_SUCCESS;
16603
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
16604
0
    if (zone->db != NULL) {
16605
0
      dns_db_attach(zone->db, &zone->rss_db);
16606
0
    } else {
16607
0
      result = ISC_R_FAILURE;
16608
0
    }
16609
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
16610
16611
0
    if (result == ISC_R_SUCCESS && zone->raw != NULL) {
16612
0
      dns_zone_attach(zone->raw, &zone->rss_raw);
16613
0
    } else {
16614
0
      result = ISC_R_FAILURE;
16615
0
    }
16616
16617
0
    UNLOCK_ZONE(zone);
16618
16619
0
    CHECK(result);
16620
16621
    /*
16622
     * We first attempt to sync the raw zone to the secure zone
16623
     * by using the raw zone's journal, applying all the deltas
16624
     * from the latest source-serial of the secure zone up to
16625
     * the current serial number of the raw zone.
16626
     *
16627
     * If that fails, then we'll fall back to a direct comparison
16628
     * between raw and secure zones.
16629
     */
16630
0
    CHECK(dns_journal_open(zone->rss_raw->mctx,
16631
0
               zone->rss_raw->journal,
16632
0
               DNS_JOURNAL_WRITE, &rjournal));
16633
16634
0
    result = dns_journal_open(zone->mctx, zone->journal,
16635
0
            DNS_JOURNAL_READ, &sjournal);
16636
0
    if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
16637
0
      goto failure;
16638
0
    }
16639
16640
0
    if (!dns_journal_get_sourceserial(rjournal, &start)) {
16641
0
      start = dns_journal_first_serial(rjournal);
16642
0
      dns_journal_set_sourceserial(rjournal, start);
16643
0
    }
16644
0
    if (sjournal != NULL) {
16645
0
      uint32_t serial;
16646
      /*
16647
       * We read the secure journal first, if that
16648
       * exists use its value provided it is greater
16649
       * that from the raw journal.
16650
       */
16651
0
      if (dns_journal_get_sourceserial(sjournal, &serial)) {
16652
0
        if (isc_serial_gt(serial, start)) {
16653
0
          start = serial;
16654
0
        }
16655
0
      }
16656
0
      dns_journal_destroy(&sjournal);
16657
0
    }
16658
16659
0
    dns_db_currentversion(zone->rss_db, &zone->rss_oldver);
16660
0
    CHECK(dns_db_newversion(zone->rss_db, &zone->rss_newver));
16661
16662
    /*
16663
     * Try to apply diffs from the raw zone's journal to the secure
16664
     * zone.  If that fails, we recover by syncing up the databases
16665
     * directly.
16666
     */
16667
0
    result = sync_secure_journal(zone, zone->rss_raw, rjournal,
16668
0
               start, end, &soatuple,
16669
0
               &zone->rss_diff);
16670
0
    if (result == DNS_R_UNCHANGED) {
16671
0
      goto failure;
16672
0
    } else if (result != ISC_R_SUCCESS) {
16673
0
      CHECK(sync_secure_db(zone, zone->rss_raw, zone->rss_db,
16674
0
               zone->rss_oldver, &soatuple,
16675
0
               &zone->rss_diff));
16676
0
    }
16677
16678
0
    CHECK(dns_diff_apply(&zone->rss_diff, zone->rss_db,
16679
0
             zone->rss_newver));
16680
16681
0
    if (soatuple != NULL) {
16682
0
      uint32_t oldserial;
16683
16684
0
      CHECK(dns_db_createsoatuple(
16685
0
        zone->rss_db, zone->rss_oldver,
16686
0
        zone->rss_diff.mctx, DNS_DIFFOP_DEL, &tuple));
16687
0
      oldserial = dns_soa_getserial(&tuple->rdata);
16688
0
      newserial = desired =
16689
0
        dns_soa_getserial(&soatuple->rdata);
16690
0
      if (!isc_serial_gt(newserial, oldserial)) {
16691
0
        newserial = oldserial + 1;
16692
0
        if (newserial == 0) {
16693
0
          newserial++;
16694
0
        }
16695
0
        dns_soa_setserial(newserial, &soatuple->rdata);
16696
0
      }
16697
0
      CHECK(do_one_tuple(&tuple, zone->rss_db,
16698
0
             zone->rss_newver, &zone->rss_diff));
16699
0
      CHECK(do_one_tuple(&soatuple, zone->rss_db,
16700
0
             zone->rss_newver, &zone->rss_diff));
16701
0
    } else {
16702
0
      CHECK(update_soa_serial(zone, zone->rss_db,
16703
0
            zone->rss_newver,
16704
0
            &zone->rss_diff, zone->mctx,
16705
0
            zone->updatemethod));
16706
0
    }
16707
0
  }
16708
0
  result = dns_update_signaturesinc(
16709
0
    &log, zone, zone->rss_db, zone->rss_oldver, zone->rss_newver,
16710
0
    &zone->rss_diff, zone->sigvalidityinterval, &zone->rss_state);
16711
0
  if (result == DNS_R_CONTINUE) {
16712
0
    if (rjournal != NULL) {
16713
0
      dns_journal_destroy(&rjournal);
16714
0
    }
16715
0
    isc_async_run(zone->loop, receive_secure_serial, rss);
16716
0
    return;
16717
0
  }
16718
16719
  /*
16720
   * If something went wrong while trying to update the secure zone and
16721
   * the latter was already signed before, do not apply raw zone deltas
16722
   * to it as that would break existing DNSSEC signatures.  However, if
16723
   * the secure zone was not yet signed (e.g. because no signing keys
16724
   * were created for it), commence applying raw zone deltas to it so
16725
   * that contents of the raw zone and the secure zone are kept in sync.
16726
   */
16727
0
  if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) {
16728
0
    goto failure;
16729
0
  }
16730
16731
0
  if (rjournal == NULL) {
16732
0
    CHECK(dns_journal_open(zone->rss_raw->mctx,
16733
0
               zone->rss_raw->journal,
16734
0
               DNS_JOURNAL_WRITE, &rjournal));
16735
0
  }
16736
0
  CHECK(zone_journal(zone, &zone->rss_diff, &end,
16737
0
         "receive_secure_serial"));
16738
16739
0
  dns_journal_set_sourceserial(rjournal, end);
16740
0
  dns_journal_commit(rjournal);
16741
16742
0
  LOCK_ZONE(zone);
16743
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
16744
16745
0
  zone->sourceserial = end;
16746
0
  zone->sourceserialset = true;
16747
0
  zone_needdump(zone, DNS_DUMP_DELAY);
16748
16749
  /*
16750
   * Set resign time to make sure it is set to the earliest
16751
   * signature expiration.
16752
   */
16753
0
  set_resigntime(zone);
16754
0
  timenow = isc_time_now();
16755
0
  zone_settimer(zone, &timenow);
16756
0
  UNLOCK_ZONE(zone);
16757
16758
0
  dns_db_closeversion(zone->rss_db, &zone->rss_oldver, false);
16759
0
  dns_db_closeversion(zone->rss_db, &zone->rss_newver, true);
16760
16761
0
  if (newserial != 0) {
16762
0
    dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
16763
0
           newserial, desired);
16764
0
  }
16765
16766
0
failure:
16767
0
  isc_mem_put(zone->mctx, rss, sizeof(*rss));
16768
0
  zone->rss = NULL;
16769
16770
0
  if (zone->rss_raw != NULL) {
16771
0
    dns_zone_detach(&zone->rss_raw);
16772
0
  }
16773
0
  if (result != ISC_R_SUCCESS) {
16774
0
    LOCK_ZONE(zone);
16775
0
    set_resigntime(zone);
16776
0
    timenow = isc_time_now();
16777
0
    zone_settimer(zone, &timenow);
16778
0
    UNLOCK_ZONE(zone);
16779
0
    if (result == DNS_R_UNCHANGED) {
16780
0
      level = ISC_LOG_INFO;
16781
0
    }
16782
0
    dns_zone_log(zone, level, "receive_secure_serial: %s",
16783
0
           isc_result_totext(result));
16784
0
  }
16785
0
  if (tuple != NULL) {
16786
0
    dns_difftuple_free(&tuple);
16787
0
  }
16788
0
  if (soatuple != NULL) {
16789
0
    dns_difftuple_free(&soatuple);
16790
0
  }
16791
0
  if (zone->rss_db != NULL) {
16792
0
    if (zone->rss_oldver != NULL) {
16793
0
      dns_db_closeversion(zone->rss_db, &zone->rss_oldver,
16794
0
              false);
16795
0
    }
16796
0
    if (zone->rss_newver != NULL) {
16797
0
      dns_db_closeversion(zone->rss_db, &zone->rss_newver,
16798
0
              false);
16799
0
    }
16800
0
    dns_db_detach(&zone->rss_db);
16801
0
  }
16802
0
  INSIST(zone->rss_oldver == NULL);
16803
0
  INSIST(zone->rss_newver == NULL);
16804
0
  if (rjournal != NULL) {
16805
0
    dns_journal_destroy(&rjournal);
16806
0
  }
16807
0
  dns_diff_clear(&zone->rss_diff);
16808
16809
0
  dns_zone_idetach(&zone);
16810
0
}
16811
16812
static isc_result_t
16813
0
zone_send_secureserial(dns_zone_t *zone, uint32_t serial) {
16814
0
  struct rss *rss = NULL;
16815
16816
0
  rss = isc_mem_get(zone->secure->mctx, sizeof(*rss));
16817
0
  *rss = (struct rss){
16818
0
    .serial = serial,
16819
0
    .link = ISC_LINK_INITIALIZER,
16820
0
  };
16821
16822
0
  INSIST(LOCKED_ZONE(zone->secure));
16823
0
  zone_iattach(zone->secure, &rss->zone);
16824
0
  isc_async_run(zone->secure->loop, receive_secure_serial, rss);
16825
16826
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
16827
0
  return (ISC_R_SUCCESS);
16828
0
}
16829
16830
static isc_result_t
16831
checkandaddsoa(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
16832
0
         dns_name_t *name, dns_rdataset_t *rdataset, uint32_t oldserial) {
16833
0
  dns_rdata_soa_t soa;
16834
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
16835
0
  dns_rdatalist_t temprdatalist;
16836
0
  dns_rdataset_t temprdataset;
16837
0
  isc_buffer_t b;
16838
0
  isc_result_t result;
16839
0
  unsigned char buf[DNS_SOA_BUFFERSIZE];
16840
16841
0
  result = dns_rdataset_first(rdataset);
16842
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
16843
0
  dns_rdataset_current(rdataset, &rdata);
16844
0
  result = dns_rdata_tostruct(&rdata, &soa, NULL);
16845
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
16846
16847
0
  if (isc_serial_gt(soa.serial, oldserial)) {
16848
0
    return (dns_db_addrdataset(db, node, version, 0, rdataset, 0,
16849
0
             NULL));
16850
0
  }
16851
  /*
16852
   * Always bump the serial.
16853
   */
16854
0
  oldserial++;
16855
0
  if (oldserial == 0) {
16856
0
    oldserial++;
16857
0
  }
16858
0
  soa.serial = oldserial;
16859
16860
  /*
16861
   * Construct a replacement rdataset.
16862
   */
16863
0
  dns_rdata_reset(&rdata);
16864
0
  isc_buffer_init(&b, buf, sizeof(buf));
16865
0
  result = dns_rdata_fromstruct(&rdata, rdataset->rdclass,
16866
0
              dns_rdatatype_soa, &soa, &b);
16867
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
16868
0
  dns_rdatalist_init(&temprdatalist);
16869
0
  temprdatalist.rdclass = rdata.rdclass;
16870
0
  temprdatalist.type = rdata.type;
16871
0
  temprdatalist.ttl = rdataset->ttl;
16872
0
  ISC_LIST_APPEND(temprdatalist.rdata, &rdata, link);
16873
16874
0
  dns_rdataset_init(&temprdataset);
16875
0
  dns_rdatalist_tordataset(&temprdatalist, &temprdataset);
16876
16877
0
  dns_rdataset_getownercase(rdataset, name);
16878
0
  dns_rdataset_setownercase(&temprdataset, name);
16879
0
  return (dns_db_addrdataset(db, node, version, 0, &temprdataset, 0,
16880
0
           NULL));
16881
0
}
16882
16883
/*
16884
 * This function should populate an nsec3paramlist_t with the
16885
 * nsecparam_t data from a zone.
16886
 */
16887
static isc_result_t
16888
0
save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
16889
0
  isc_result_t result;
16890
0
  dns_dbnode_t *node = NULL;
16891
0
  dns_rdataset_t rdataset, prdataset;
16892
0
  dns_dbversion_t *version = NULL;
16893
0
  nsec3param_t *nsec3param = NULL;
16894
0
  nsec3param_t *nsec3p = NULL;
16895
0
  nsec3param_t *next;
16896
0
  dns_db_t *db = NULL;
16897
0
  unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
16898
16899
0
  REQUIRE(DNS_ZONE_VALID(zone));
16900
0
  REQUIRE(nsec3list != NULL);
16901
0
  REQUIRE(ISC_LIST_EMPTY(*nsec3list));
16902
16903
0
  dns_rdataset_init(&rdataset);
16904
0
  dns_rdataset_init(&prdataset);
16905
16906
0
  dns_db_attach(zone->db, &db);
16907
0
  CHECK(dns_db_getoriginnode(db, &node));
16908
16909
0
  dns_db_currentversion(db, &version);
16910
0
  result = dns_db_findrdataset(db, node, version,
16911
0
             dns_rdatatype_nsec3param,
16912
0
             dns_rdatatype_none, 0, &rdataset, NULL);
16913
16914
0
  if (result != ISC_R_SUCCESS) {
16915
0
    goto getprivate;
16916
0
  }
16917
16918
  /*
16919
   * Walk nsec3param rdataset making a list of parameters (note that
16920
   * multiple simultaneous nsec3 chains are annoyingly legal -- this
16921
   * is why we use an nsec3list, even though we will usually only
16922
   * have one).
16923
   */
16924
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
16925
0
       result = dns_rdataset_next(&rdataset))
16926
0
  {
16927
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
16928
0
    dns_rdata_t private = DNS_RDATA_INIT;
16929
16930
0
    dns_rdataset_current(&rdataset, &rdata);
16931
0
    isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
16932
0
            DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
16933
0
            "looping through nsec3param data");
16934
0
    nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
16935
0
    ISC_LINK_INIT(nsec3param, link);
16936
16937
    /*
16938
     * now transfer the data from the rdata to
16939
     * the nsec3param
16940
     */
16941
0
    dns_nsec3param_toprivate(&rdata, &private, zone->privatetype,
16942
0
           nsec3param->data,
16943
0
           sizeof(nsec3param->data));
16944
0
    nsec3param->length = private.length;
16945
0
    ISC_LIST_APPEND(*nsec3list, nsec3param, link);
16946
0
  }
16947
16948
0
getprivate:
16949
0
  result = dns_db_findrdataset(db, node, version, zone->privatetype,
16950
0
             dns_rdatatype_none, 0, &prdataset, NULL);
16951
0
  if (result != ISC_R_SUCCESS) {
16952
0
    goto done;
16953
0
  }
16954
16955
  /*
16956
   * walk private type records, converting them to nsec3 parameters
16957
   * using dns_nsec3param_fromprivate(), do the right thing based on
16958
   * CREATE and REMOVE flags
16959
   */
16960
0
  for (result = dns_rdataset_first(&prdataset); result == ISC_R_SUCCESS;
16961
0
       result = dns_rdataset_next(&prdataset))
16962
0
  {
16963
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
16964
0
    dns_rdata_t private = DNS_RDATA_INIT;
16965
16966
0
    dns_rdataset_current(&prdataset, &private);
16967
0
    isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
16968
0
            DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
16969
0
            "looping through nsec3param private data");
16970
16971
    /*
16972
     * Do we have a valid private record?
16973
     */
16974
0
    if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
16975
0
            sizeof(buf)))
16976
0
    {
16977
0
      continue;
16978
0
    }
16979
16980
    /*
16981
     * Remove any NSEC3PARAM records scheduled to be removed.
16982
     */
16983
0
    if (NSEC3REMOVE(rdata.data[1])) {
16984
      /*
16985
       * Zero out the flags.
16986
       */
16987
0
      rdata.data[1] = 0;
16988
16989
0
      for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL;
16990
0
           nsec3p = next)
16991
0
      {
16992
0
        next = ISC_LIST_NEXT(nsec3p, link);
16993
16994
0
        if (nsec3p->length == rdata.length + 1 &&
16995
0
            memcmp(rdata.data, nsec3p->data + 1,
16996
0
             nsec3p->length - 1) == 0)
16997
0
        {
16998
0
          ISC_LIST_UNLINK(*nsec3list, nsec3p,
16999
0
              link);
17000
0
          isc_mem_put(zone->mctx, nsec3p,
17001
0
                sizeof(nsec3param_t));
17002
0
        }
17003
0
      }
17004
0
      continue;
17005
0
    }
17006
17007
0
    nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
17008
0
    ISC_LINK_INIT(nsec3param, link);
17009
17010
    /*
17011
     * Copy the remaining private records so the nsec/nsec3
17012
     * chain gets created.
17013
     */
17014
0
    INSIST(private.length <= sizeof(nsec3param->data));
17015
0
    memmove(nsec3param->data, private.data, private.length);
17016
0
    nsec3param->length = private.length;
17017
0
    ISC_LIST_APPEND(*nsec3list, nsec3param, link);
17018
0
  }
17019
17020
0
done:
17021
0
  if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) {
17022
0
    result = ISC_R_SUCCESS;
17023
0
  }
17024
17025
0
failure:
17026
0
  if (node != NULL) {
17027
0
    dns_db_detachnode(db, &node);
17028
0
  }
17029
0
  if (version != NULL) {
17030
0
    dns_db_closeversion(db, &version, false);
17031
0
  }
17032
0
  if (db != NULL) {
17033
0
    dns_db_detach(&db);
17034
0
  }
17035
0
  if (dns_rdataset_isassociated(&rdataset)) {
17036
0
    dns_rdataset_disassociate(&rdataset);
17037
0
  }
17038
0
  if (dns_rdataset_isassociated(&prdataset)) {
17039
0
    dns_rdataset_disassociate(&prdataset);
17040
0
  }
17041
0
  return (result);
17042
0
}
17043
17044
/*
17045
 * Populate new zone db with private type records found by save_nsec3param().
17046
 */
17047
static isc_result_t
17048
restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
17049
0
       nsec3paramlist_t *nsec3list) {
17050
0
  isc_result_t result = ISC_R_SUCCESS;
17051
0
  dns_diff_t diff;
17052
0
  dns_rdata_t rdata;
17053
0
  nsec3param_t *nsec3p = NULL;
17054
0
  nsec3param_t *next;
17055
17056
0
  REQUIRE(DNS_ZONE_VALID(zone));
17057
0
  REQUIRE(!ISC_LIST_EMPTY(*nsec3list));
17058
17059
0
  dns_diff_init(zone->mctx, &diff);
17060
17061
  /*
17062
   * Loop through the list of private-type records, set the INITIAL
17063
   * and CREATE flags, and the add the record to the apex of the tree
17064
   * in db.
17065
   */
17066
0
  for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL; nsec3p = next)
17067
0
  {
17068
0
    next = ISC_LIST_NEXT(nsec3p, link);
17069
0
    dns_rdata_init(&rdata);
17070
0
    nsec3p->data[2] = DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL;
17071
0
    rdata.length = nsec3p->length;
17072
0
    rdata.data = nsec3p->data;
17073
0
    rdata.type = zone->privatetype;
17074
0
    rdata.rdclass = zone->rdclass;
17075
0
    result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
17076
0
               &zone->origin, 0, &rdata);
17077
0
    if (result != ISC_R_SUCCESS) {
17078
0
      break;
17079
0
    }
17080
0
  }
17081
17082
0
  dns_diff_clear(&diff);
17083
0
  return (result);
17084
0
}
17085
17086
static isc_result_t
17087
copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
17088
0
      dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
17089
0
  dns_dbnode_t *rawnode = NULL, *node = NULL;
17090
0
  dns_fixedname_t fixed;
17091
0
  dns_name_t *name = dns_fixedname_initname(&fixed);
17092
0
  dns_rdataset_t rdataset;
17093
0
  dns_rdatasetiter_t *rdsit = NULL;
17094
0
  isc_result_t result;
17095
17096
0
  result = dns_dbiterator_current(dbiterator, &rawnode, name);
17097
0
  if (result != ISC_R_SUCCESS) {
17098
0
    return (ISC_R_SUCCESS);
17099
0
  }
17100
17101
0
  dns_dbiterator_pause(dbiterator);
17102
17103
0
  result = dns_db_findnode(db, name, true, &node);
17104
0
  if (result != ISC_R_SUCCESS) {
17105
0
    goto cleanup;
17106
0
  }
17107
17108
0
  result = dns_db_allrdatasets(rawdb, rawnode, NULL, 0, 0, &rdsit);
17109
0
  if (result != ISC_R_SUCCESS) {
17110
0
    goto cleanup;
17111
0
  }
17112
17113
0
  dns_rdataset_init(&rdataset);
17114
17115
0
  for (result = dns_rdatasetiter_first(rdsit); result == ISC_R_SUCCESS;
17116
0
       result = dns_rdatasetiter_next(rdsit))
17117
0
  {
17118
0
    dns_rdatasetiter_current(rdsit, &rdataset);
17119
0
    if (rdataset.type == dns_rdatatype_nsec ||
17120
0
        rdataset.type == dns_rdatatype_rrsig ||
17121
0
        rdataset.type == dns_rdatatype_nsec3 ||
17122
0
        rdataset.type == dns_rdatatype_nsec3param)
17123
0
    {
17124
0
      dns_rdataset_disassociate(&rdataset);
17125
0
      continue;
17126
0
    }
17127
    /*
17128
     * Allow DNSKEY, CDNSKEY, CDS because users should be able to
17129
     * update the zone with these records from a different provider,
17130
     * and thus they may exist in the raw version of the zone.
17131
     */
17132
17133
0
    if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
17134
0
      result = checkandaddsoa(db, node, version, name,
17135
0
            &rdataset, *oldserial);
17136
0
    } else {
17137
0
      result = dns_db_addrdataset(db, node, version, 0,
17138
0
                &rdataset, 0, NULL);
17139
0
    }
17140
0
    dns_rdataset_disassociate(&rdataset);
17141
0
    if (result != ISC_R_SUCCESS) {
17142
0
      goto cleanup;
17143
0
    }
17144
0
  }
17145
0
  if (result == ISC_R_NOMORE) {
17146
0
    result = ISC_R_SUCCESS;
17147
0
  }
17148
17149
0
cleanup:
17150
0
  if (rdsit != NULL) {
17151
0
    dns_rdatasetiter_destroy(&rdsit);
17152
0
  }
17153
0
  if (rawnode) {
17154
0
    dns_db_detachnode(rawdb, &rawnode);
17155
0
  }
17156
0
  if (node) {
17157
0
    dns_db_detachnode(db, &node);
17158
0
  }
17159
0
  return (result);
17160
0
}
17161
17162
static void
17163
0
receive_secure_db(void *arg) {
17164
0
  isc_result_t result;
17165
0
  struct rss *rss = (struct rss *)arg;
17166
0
  dns_zone_t *zone = rss->zone;
17167
0
  dns_db_t *rawdb = rss->db, *db = NULL;
17168
0
  dns_dbiterator_t *dbiterator = NULL;
17169
0
  dns_dbversion_t *version = NULL;
17170
0
  isc_time_t loadtime;
17171
0
  unsigned int oldserial = 0, *oldserialp = NULL;
17172
0
  nsec3paramlist_t nsec3list;
17173
17174
0
  ISC_LIST_INIT(nsec3list);
17175
17176
0
  LOCK_ZONE(zone);
17177
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || !inline_secure(zone)) {
17178
0
    result = ISC_R_SHUTTINGDOWN;
17179
0
    goto failure;
17180
0
  }
17181
17182
0
  loadtime = isc_time_now();
17183
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
17184
0
  if (zone->db != NULL) {
17185
0
    result = dns_db_getsoaserial(zone->db, NULL, &oldserial);
17186
0
    if (result == ISC_R_SUCCESS) {
17187
0
      oldserialp = &oldserial;
17188
0
    }
17189
17190
    /*
17191
     * assemble nsec3parameters from the old zone, and set a flag
17192
     * if any are found
17193
     */
17194
0
    result = save_nsec3param(zone, &nsec3list);
17195
0
    if (result != ISC_R_SUCCESS) {
17196
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17197
0
      goto failure;
17198
0
    }
17199
0
  }
17200
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17201
17202
0
  result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin,
17203
0
             dns_dbtype_zone, zone->rdclass,
17204
0
             zone->db_argc - 1, zone->db_argv + 1, &db);
17205
0
  if (result != ISC_R_SUCCESS) {
17206
0
    goto failure;
17207
0
  }
17208
17209
0
  result = dns_db_setgluecachestats(db, zone->gluecachestats);
17210
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
17211
0
    goto failure;
17212
0
  }
17213
17214
0
  result = dns_db_newversion(db, &version);
17215
0
  if (result != ISC_R_SUCCESS) {
17216
0
    goto failure;
17217
0
  }
17218
17219
0
  result = dns_db_createiterator(rawdb, DNS_DB_NONSEC3, &dbiterator);
17220
0
  if (result != ISC_R_SUCCESS) {
17221
0
    goto failure;
17222
0
  }
17223
17224
0
  for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
17225
0
       result = dns_dbiterator_next(dbiterator))
17226
0
  {
17227
0
    result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
17228
0
             oldserialp);
17229
0
    if (result != ISC_R_SUCCESS) {
17230
0
      goto failure;
17231
0
    }
17232
0
  }
17233
0
  dns_dbiterator_destroy(&dbiterator);
17234
0
  if (result != ISC_R_NOMORE) {
17235
0
    goto failure;
17236
0
  }
17237
17238
  /*
17239
   * Call restore_nsec3param() to create private-type records from
17240
   * the old nsec3 parameters and insert them into db
17241
   */
17242
0
  if (!ISC_LIST_EMPTY(nsec3list)) {
17243
0
    result = restore_nsec3param(zone, db, version, &nsec3list);
17244
0
    if (result != ISC_R_SUCCESS) {
17245
0
      goto failure;
17246
0
    }
17247
0
  }
17248
17249
0
  dns_db_closeversion(db, &version, true);
17250
17251
  /*
17252
   * Lock hierarchy: zmgr, zone, raw.
17253
   */
17254
0
  INSIST(zone != zone->raw);
17255
0
  LOCK_ZONE(zone->raw);
17256
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
17257
0
  result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
17258
0
  zone_needdump(zone, 0); /* XXXMPA */
17259
0
  UNLOCK_ZONE(zone->raw);
17260
17261
  /*
17262
   * Process any queued NSEC3PARAM change requests.
17263
   */
17264
0
  process_zone_setnsec3param(zone);
17265
17266
0
failure:
17267
0
  UNLOCK_ZONE(zone);
17268
0
  if (dbiterator != NULL) {
17269
0
    dns_dbiterator_destroy(&dbiterator);
17270
0
  }
17271
0
  if (result != ISC_R_SUCCESS) {
17272
0
    dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s",
17273
0
           isc_result_totext(result));
17274
0
  }
17275
17276
0
  while (!ISC_LIST_EMPTY(nsec3list)) {
17277
0
    nsec3param_t *nsec3p;
17278
0
    nsec3p = ISC_LIST_HEAD(nsec3list);
17279
0
    ISC_LIST_UNLINK(nsec3list, nsec3p, link);
17280
0
    isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
17281
0
  }
17282
0
  if (db != NULL) {
17283
0
    if (version != NULL) {
17284
0
      dns_db_closeversion(db, &version, false);
17285
0
    }
17286
0
    dns_db_detach(&db);
17287
0
  }
17288
17289
0
  dns_db_detach(&rawdb);
17290
0
  isc_mem_put(zone->mctx, rss, sizeof(*rss));
17291
0
  dns_zone_idetach(&zone);
17292
17293
0
  INSIST(version == NULL);
17294
0
}
17295
17296
static isc_result_t
17297
0
zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
17298
0
  struct rss *rss = NULL;
17299
17300
0
  rss = isc_mem_get(zone->secure->mctx, sizeof(*rss));
17301
0
  *rss = (struct rss){ .link = ISC_LINK_INITIALIZER };
17302
17303
0
  INSIST(LOCKED_ZONE(zone->secure));
17304
0
  zone_iattach(zone->secure, &rss->zone);
17305
0
  dns_db_attach(db, &rss->db);
17306
0
  isc_async_run(zone->secure->loop, receive_secure_db, rss);
17307
17308
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
17309
0
  return (ISC_R_SUCCESS);
17310
0
}
17311
17312
isc_result_t
17313
0
dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
17314
0
  isc_result_t result;
17315
0
  dns_zone_t *secure = NULL;
17316
17317
0
  REQUIRE(DNS_ZONE_VALID(zone));
17318
0
again:
17319
0
  LOCK_ZONE(zone);
17320
0
  if (inline_raw(zone)) {
17321
0
    secure = zone->secure;
17322
0
    INSIST(secure != zone);
17323
0
    TRYLOCK_ZONE(result, secure);
17324
0
    if (result != ISC_R_SUCCESS) {
17325
0
      UNLOCK_ZONE(zone);
17326
0
      secure = NULL;
17327
0
      isc_thread_yield();
17328
0
      goto again;
17329
0
    }
17330
0
  }
17331
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
17332
0
  result = zone_replacedb(zone, db, dump);
17333
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
17334
0
  if (secure != NULL) {
17335
0
    UNLOCK_ZONE(secure);
17336
0
  }
17337
0
  UNLOCK_ZONE(zone);
17338
0
  return (result);
17339
0
}
17340
17341
static isc_result_t
17342
0
zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
17343
0
  dns_dbversion_t *ver;
17344
0
  isc_result_t result;
17345
0
  unsigned int soacount = 0;
17346
0
  unsigned int nscount = 0;
17347
17348
  /*
17349
   * 'zone' and 'zone->db' locked by caller.
17350
   */
17351
0
  REQUIRE(DNS_ZONE_VALID(zone));
17352
0
  REQUIRE(LOCKED_ZONE(zone));
17353
0
  if (inline_raw(zone)) {
17354
0
    REQUIRE(LOCKED_ZONE(zone->secure));
17355
0
  }
17356
17357
0
  result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL,
17358
0
          NULL, NULL, NULL, NULL, NULL);
17359
0
  if (result == ISC_R_SUCCESS) {
17360
0
    if (soacount != 1) {
17361
0
      dns_zone_log(zone, ISC_LOG_ERROR, "has %d SOA records",
17362
0
             soacount);
17363
0
      result = DNS_R_BADZONE;
17364
0
    }
17365
0
    if (nscount == 0 && zone->type != dns_zone_key) {
17366
0
      dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
17367
0
      result = DNS_R_BADZONE;
17368
0
    }
17369
0
    if (result != ISC_R_SUCCESS) {
17370
0
      return (result);
17371
0
    }
17372
0
  } else {
17373
0
    dns_zone_log(zone, ISC_LOG_ERROR,
17374
0
           "retrieving SOA and NS records failed: %s",
17375
0
           isc_result_totext(result));
17376
0
    return (result);
17377
0
  }
17378
17379
0
  result = check_nsec3param(zone, db);
17380
0
  if (result != ISC_R_SUCCESS) {
17381
0
    return (result);
17382
0
  }
17383
17384
0
  ver = NULL;
17385
0
  dns_db_currentversion(db, &ver);
17386
17387
  /*
17388
   * The initial version of a secondary zone is always dumped;
17389
   * subsequent versions may be journaled instead if this
17390
   * is enabled in the configuration.
17391
   */
17392
0
  if (zone->db != NULL && zone->journal != NULL &&
17393
0
      DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
17394
0
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER))
17395
0
  {
17396
0
    uint32_t serial, oldserial;
17397
17398
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
17399
17400
0
    result = dns_db_getsoaserial(db, ver, &serial);
17401
0
    if (result != ISC_R_SUCCESS) {
17402
0
      dns_zone_log(zone, ISC_LOG_ERROR,
17403
0
             "ixfr-from-differences: unable to get "
17404
0
             "new serial");
17405
0
      goto fail;
17406
0
    }
17407
17408
    /*
17409
     * This is checked in zone_postload() for primary zones.
17410
     */
17411
0
    result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
17412
0
            &oldserial, NULL, NULL, NULL, NULL,
17413
0
            NULL);
17414
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
17415
0
    RUNTIME_CHECK(soacount > 0U);
17416
0
    if ((zone->type == dns_zone_secondary ||
17417
0
         (zone->type == dns_zone_redirect &&
17418
0
          dns_remote_addresses(&zone->primaries) != NULL)) &&
17419
0
        !isc_serial_gt(serial, oldserial))
17420
0
    {
17421
0
      uint32_t serialmin, serialmax;
17422
0
      serialmin = (oldserial + 1) & 0xffffffffU;
17423
0
      serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
17424
0
      dns_zone_log(zone, ISC_LOG_ERROR,
17425
0
             "ixfr-from-differences: failed: "
17426
0
             "new serial (%u) out of range [%u - %u]",
17427
0
             serial, serialmin, serialmax);
17428
0
      result = ISC_R_RANGE;
17429
0
      goto fail;
17430
0
    }
17431
17432
0
    result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
17433
0
             zone->journal);
17434
0
    if (result != ISC_R_SUCCESS) {
17435
0
      char strbuf[ISC_STRERRORSIZE];
17436
0
      strerror_r(errno, strbuf, sizeof(strbuf));
17437
0
      dns_zone_log(zone, ISC_LOG_ERROR,
17438
0
             "ixfr-from-differences: failed: "
17439
0
             "%s",
17440
0
             strbuf);
17441
0
      goto fallback;
17442
0
    }
17443
0
    if (dump) {
17444
0
      zone_needdump(zone, DNS_DUMP_DELAY);
17445
0
    } else {
17446
0
      zone_journal_compact(zone, zone->db, serial);
17447
0
    }
17448
0
    if (zone->type == dns_zone_primary && inline_raw(zone)) {
17449
0
      zone_send_secureserial(zone, serial);
17450
0
    }
17451
0
  } else {
17452
0
  fallback:
17453
0
    if (dump && zone->masterfile != NULL) {
17454
      /*
17455
       * If DNS_ZONEFLG_FORCEXFER was set we don't want
17456
       * to keep the old masterfile.
17457
       */
17458
0
      if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
17459
0
          remove(zone->masterfile) < 0 && errno != ENOENT)
17460
0
      {
17461
0
        char strbuf[ISC_STRERRORSIZE];
17462
0
        strerror_r(errno, strbuf, sizeof(strbuf));
17463
0
        isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
17464
0
                DNS_LOGMODULE_ZONE,
17465
0
                ISC_LOG_WARNING,
17466
0
                "unable to remove masterfile "
17467
0
                "'%s': '%s'",
17468
0
                zone->masterfile, strbuf);
17469
0
      }
17470
0
      if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0) {
17471
0
        DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
17472
0
      } else {
17473
0
        zone_needdump(zone, 0);
17474
0
      }
17475
0
    }
17476
0
    if (dump && zone->journal != NULL) {
17477
      /*
17478
       * The in-memory database just changed, and
17479
       * because 'dump' is set, it didn't change by
17480
       * being loaded from disk.  Also, we have not
17481
       * journaled diffs for this change.
17482
       * Therefore, the on-disk journal is missing
17483
       * the deltas for this change.  Since it can
17484
       * no longer be used to bring the zone
17485
       * up-to-date, it is useless and should be
17486
       * removed.
17487
       */
17488
0
      isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
17489
0
              DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
17490
0
              "removing journal file");
17491
0
      if (remove(zone->journal) < 0 && errno != ENOENT) {
17492
0
        char strbuf[ISC_STRERRORSIZE];
17493
0
        strerror_r(errno, strbuf, sizeof(strbuf));
17494
0
        isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
17495
0
                DNS_LOGMODULE_ZONE,
17496
0
                ISC_LOG_WARNING,
17497
0
                "unable to remove journal "
17498
0
                "'%s': '%s'",
17499
0
                zone->journal, strbuf);
17500
0
      }
17501
0
    }
17502
17503
0
    if (inline_raw(zone)) {
17504
0
      zone_send_securedb(zone, db);
17505
0
    }
17506
0
  }
17507
17508
0
  dns_db_closeversion(db, &ver, false);
17509
17510
0
  dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database");
17511
17512
0
  if (zone->db != NULL) {
17513
0
    zone_detachdb(zone);
17514
0
  }
17515
0
  zone_attachdb(zone, db);
17516
0
  dns_db_setloop(zone->db, zone->loop);
17517
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
17518
0
  return (ISC_R_SUCCESS);
17519
17520
0
fail:
17521
0
  dns_db_closeversion(db, &ver, false);
17522
0
  return (result);
17523
0
}
17524
17525
/* The caller must hold the dblock as a writer. */
17526
static void
17527
2
zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
17528
2
  REQUIRE(zone->db == NULL && db != NULL);
17529
17530
2
  dns_db_attach(db, &zone->db);
17531
2
}
17532
17533
/* The caller must hold the dblock as a writer. */
17534
static void
17535
0
zone_detachdb(dns_zone_t *zone) {
17536
0
  REQUIRE(zone->db != NULL);
17537
17538
0
  dns_zone_rpz_disable_db(zone, zone->db);
17539
0
  dns_zone_catz_disable_db(zone, zone->db);
17540
0
  dns_db_detach(&zone->db);
17541
0
}
17542
17543
static void
17544
0
zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result) {
17545
0
  isc_time_t now, expiretime;
17546
0
  bool again = false;
17547
0
  unsigned int soacount;
17548
0
  unsigned int nscount;
17549
0
  uint32_t serial, refresh, retry, expire, minimum, soattl, oldexpire;
17550
0
  isc_result_t xfrresult = result;
17551
0
  bool free_needed;
17552
0
  dns_zone_t *secure = NULL;
17553
17554
0
  REQUIRE(DNS_ZONE_VALID(zone));
17555
17556
0
  dns_zone_logc(
17557
0
    zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
17558
0
    expireopt == NULL ? "zone transfer finished: %s"
17559
0
          : "zone transfer finished: %s, expire=%u",
17560
0
    isc_result_totext(result), expireopt != NULL ? *expireopt : 0);
17561
17562
  /*
17563
   * Obtaining a lock on the zone->secure (see zone_send_secureserial)
17564
   * could result in a deadlock due to a LOR so we will spin if we
17565
   * can't obtain both locks.
17566
   */
17567
0
again:
17568
0
  LOCK_ZONE(zone);
17569
0
  if (inline_raw(zone)) {
17570
0
    secure = zone->secure;
17571
0
    INSIST(secure != zone);
17572
0
    TRYLOCK_ZONE(result, secure);
17573
0
    if (result != ISC_R_SUCCESS) {
17574
0
      UNLOCK_ZONE(zone);
17575
0
      secure = NULL;
17576
0
      isc_thread_yield();
17577
0
      goto again;
17578
0
    }
17579
0
  }
17580
17581
0
  INSIST(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH));
17582
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
17583
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
17584
17585
0
  now = isc_time_now();
17586
0
  switch (xfrresult) {
17587
0
  case ISC_R_SUCCESS:
17588
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
17589
0
    FALLTHROUGH;
17590
0
  case DNS_R_UPTODATE:
17591
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER |
17592
0
                 DNS_ZONEFLG_FIRSTREFRESH);
17593
    /*
17594
     * Has the zone expired underneath us?
17595
     */
17596
0
    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
17597
0
    if (zone->db == NULL) {
17598
0
      ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17599
0
      goto same_primary;
17600
0
    }
17601
17602
0
    oldexpire = zone->expire;
17603
17604
    /*
17605
     * Update the zone structure's data from the actual
17606
     * SOA received.
17607
     */
17608
0
    nscount = 0;
17609
0
    soacount = 0;
17610
0
    INSIST(zone->db != NULL);
17611
0
    result = zone_get_from_db(zone, zone->db, &nscount, &soacount,
17612
0
            &soattl, &serial, &refresh, &retry,
17613
0
            &expire, &minimum, NULL);
17614
0
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17615
0
    if (result == ISC_R_SUCCESS) {
17616
0
      if (soacount != 1) {
17617
0
        dns_zone_log(zone, ISC_LOG_ERROR,
17618
0
               "transferred zone "
17619
0
               "has %d SOA records",
17620
0
               soacount);
17621
0
        if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
17622
0
        {
17623
0
          zone->refresh = DNS_ZONE_DEFAULTREFRESH;
17624
0
          zone->retry = DNS_ZONE_DEFAULTRETRY;
17625
0
        }
17626
0
        DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17627
0
        zone_unload(zone);
17628
0
        goto next_primary;
17629
0
      }
17630
0
      if (nscount == 0) {
17631
0
        dns_zone_log(zone, ISC_LOG_ERROR,
17632
0
               "transferred zone "
17633
0
               "has no NS records");
17634
0
        if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
17635
0
        {
17636
0
          zone->refresh = DNS_ZONE_DEFAULTREFRESH;
17637
0
          zone->retry = DNS_ZONE_DEFAULTRETRY;
17638
0
        }
17639
0
        DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17640
0
        zone_unload(zone);
17641
0
        goto next_primary;
17642
0
      }
17643
0
      zone->refresh = RANGE(refresh, zone->minrefresh,
17644
0
                zone->maxrefresh);
17645
0
      zone->retry = RANGE(retry, zone->minretry,
17646
0
              zone->maxretry);
17647
0
      zone->expire = RANGE(expire,
17648
0
               zone->refresh + zone->retry,
17649
0
               DNS_MAX_EXPIRE);
17650
0
      zone->soattl = soattl;
17651
0
      zone->minimum = minimum;
17652
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17653
0
    }
17654
17655
    /*
17656
     * Set our next refresh time.
17657
     */
17658
0
    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
17659
0
      DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
17660
0
      zone->refreshtime = now;
17661
0
    } else {
17662
0
      DNS_ZONE_JITTER_ADD(&now, zone->refresh,
17663
0
              &zone->refreshtime);
17664
0
    }
17665
17666
    /*
17667
     * Set our next expire time. If the parent returned
17668
     * an EXPIRE option use that to update zone->expiretime.
17669
     */
17670
0
    expire = zone->expire;
17671
0
    if (expireopt != NULL && *expireopt < expire) {
17672
0
      expire = *expireopt;
17673
0
    }
17674
0
    DNS_ZONE_TIME_ADD(&now, expire, &expiretime);
17675
0
    if (oldexpire != zone->expire ||
17676
0
        isc_time_compare(&expiretime, &zone->expiretime) > 0)
17677
0
    {
17678
0
      zone->expiretime = expiretime;
17679
0
    }
17680
17681
    /*
17682
     * Set loadtime.
17683
     */
17684
0
    zone->loadtime = now;
17685
17686
0
    if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
17687
0
      char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
17688
0
      if (zone->tsigkey != NULL) {
17689
0
        char namebuf[DNS_NAME_FORMATSIZE];
17690
0
        dns_name_format(zone->tsigkey->name, namebuf,
17691
0
            sizeof(namebuf));
17692
0
        snprintf(buf, sizeof(buf), ": TSIG '%s'",
17693
0
           namebuf);
17694
0
      } else {
17695
0
        buf[0] = '\0';
17696
0
      }
17697
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17698
0
              ISC_LOG_INFO, "transferred serial %u%s",
17699
0
              serial, buf);
17700
0
      if (inline_raw(zone)) {
17701
0
        zone_send_secureserial(zone, serial);
17702
0
      }
17703
0
    }
17704
17705
    /*
17706
     * This is not necessary if we just performed a AXFR
17707
     * however it is necessary for an IXFR / UPTODATE and
17708
     * won't hurt with an AXFR.
17709
     */
17710
0
    if (zone->masterfile != NULL || zone->journal != NULL) {
17711
0
      unsigned int delay = DNS_DUMP_DELAY;
17712
0
      isc_interval_t i;
17713
0
      isc_time_t when;
17714
17715
      /*
17716
       * Compute effective modification time.
17717
       */
17718
0
      isc_interval_set(&i, zone->expire, 0);
17719
0
      result = isc_time_subtract(&zone->expiretime, &i,
17720
0
               &when);
17721
0
      if (result != ISC_R_SUCCESS) {
17722
0
        when = now;
17723
0
      }
17724
17725
0
      result = ISC_R_FAILURE;
17726
0
      if (zone->journal != NULL) {
17727
0
        result = isc_file_settime(zone->journal, &when);
17728
0
      }
17729
0
      if (result != ISC_R_SUCCESS && zone->masterfile != NULL)
17730
0
      {
17731
0
        result = isc_file_settime(zone->masterfile,
17732
0
                &when);
17733
0
      }
17734
17735
0
      if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) ||
17736
0
          result == ISC_R_FILENOTFOUND)
17737
0
      {
17738
0
        delay = 0;
17739
0
      }
17740
17741
0
      if ((result == ISC_R_SUCCESS ||
17742
0
           result == ISC_R_FILENOTFOUND) &&
17743
0
          zone->masterfile != NULL)
17744
0
      {
17745
0
        zone_needdump(zone, delay);
17746
0
      } else if (result != ISC_R_SUCCESS) {
17747
0
        dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17748
0
                ISC_LOG_ERROR,
17749
0
                "transfer: could not set file "
17750
0
                "modification time of '%s': %s",
17751
0
                zone->masterfile,
17752
0
                isc_result_totext(result));
17753
0
      }
17754
0
    }
17755
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
17756
0
    inc_stats(zone, dns_zonestatscounter_xfrsuccess);
17757
0
    break;
17758
17759
0
  case DNS_R_BADIXFR:
17760
    /* Force retry with AXFR. */
17761
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOIXFR);
17762
0
    goto same_primary;
17763
17764
0
  case DNS_R_TOOMANYRECORDS:
17765
0
  case DNS_R_VERIFYFAILURE:
17766
0
    DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
17767
0
    inc_stats(zone, dns_zonestatscounter_xfrfail);
17768
0
    break;
17769
17770
0
  default:
17771
0
  next_primary:
17772
    /*
17773
     * Skip to next failed / untried primary.
17774
     */
17775
0
    dns_remote_next(&zone->primaries, true);
17776
0
  same_primary:
17777
0
    if (dns_remote_done(&zone->primaries)) {
17778
0
      dns_remote_reset(&zone->primaries, false);
17779
0
    } else {
17780
0
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
17781
0
      again = true;
17782
0
    }
17783
0
    inc_stats(zone, dns_zonestatscounter_xfrfail);
17784
0
    break;
17785
0
  }
17786
0
  zone_settimer(zone, &now);
17787
17788
  /*
17789
   * If creating the transfer object failed, zone->xfr is NULL.
17790
   * Otherwise, we are called as the done callback of a zone
17791
   * transfer object that just entered its shutting-down
17792
   * state.  Since we are no longer responsible for shutting
17793
   * it down, we can detach our reference.
17794
   */
17795
0
  if (zone->xfr != NULL) {
17796
0
    dns_xfrin_detach(&zone->xfr);
17797
0
  }
17798
17799
0
  if (zone->tsigkey != NULL) {
17800
0
    dns_tsigkey_detach(&zone->tsigkey);
17801
0
  }
17802
17803
0
  if (zone->transport != NULL) {
17804
0
    dns_transport_detach(&zone->transport);
17805
0
  }
17806
17807
  /*
17808
   * Handle any deferred journal compaction.
17809
   */
17810
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
17811
0
    dns_db_t *db = NULL;
17812
0
    if (dns_zone_getdb(zone, &db) == ISC_R_SUCCESS) {
17813
0
      zone_journal_compact(zone, db, zone->compact_serial);
17814
0
      dns_db_detach(&db);
17815
0
      DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
17816
0
    }
17817
0
  }
17818
17819
0
  if (secure != NULL) {
17820
0
    UNLOCK_ZONE(secure);
17821
0
  }
17822
  /*
17823
   * This transfer finishing freed up a transfer quota slot.
17824
   * Let any other zones waiting for quota have it.
17825
   */
17826
0
  if (zone->zmgr != NULL &&
17827
0
      zone->statelist == &zone->zmgr->xfrin_in_progress)
17828
0
  {
17829
0
    UNLOCK_ZONE(zone);
17830
0
    RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
17831
0
    ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
17832
0
    zone->statelist = NULL;
17833
0
    zmgr_resume_xfrs(zone->zmgr, false);
17834
0
    RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
17835
0
    LOCK_ZONE(zone);
17836
0
  }
17837
17838
  /*
17839
   * Retry with a different server if necessary.
17840
   */
17841
0
  if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
17842
0
    queue_soa_query(zone);
17843
0
  }
17844
17845
0
  isc_refcount_decrement(&zone->irefs);
17846
0
  free_needed = exit_check(zone);
17847
0
  UNLOCK_ZONE(zone);
17848
0
  if (free_needed) {
17849
0
    zone_free(zone);
17850
0
  }
17851
0
}
17852
17853
static void
17854
0
zone_loaddone(void *arg, isc_result_t result) {
17855
0
  dns_load_t *load = arg;
17856
0
  dns_zone_t *zone;
17857
0
  isc_result_t tresult;
17858
0
  dns_zone_t *secure = NULL;
17859
17860
0
  zone = load->zone;
17861
17862
0
  ENTER;
17863
17864
  /*
17865
   * If zone loading failed, remove the update db callbacks prior
17866
   * to calling the list of callbacks in the zone load structure.
17867
   */
17868
0
  if (result != ISC_R_SUCCESS) {
17869
0
    dns_zone_rpz_disable_db(zone, load->db);
17870
0
    dns_zone_catz_disable_db(zone, load->db);
17871
0
  }
17872
17873
0
  tresult = dns_db_endload(load->db, &load->callbacks);
17874
0
  if (tresult != ISC_R_SUCCESS &&
17875
0
      (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
17876
0
  {
17877
0
    result = tresult;
17878
0
  }
17879
17880
  /*
17881
   * Lock hierarchy: zmgr, zone, raw.
17882
   */
17883
0
again:
17884
0
  LOCK_ZONE(zone);
17885
0
  INSIST(zone != zone->raw);
17886
0
  if (inline_secure(zone)) {
17887
0
    LOCK_ZONE(zone->raw);
17888
0
  } else if (inline_raw(zone)) {
17889
0
    secure = zone->secure;
17890
0
    TRYLOCK_ZONE(tresult, secure);
17891
0
    if (tresult != ISC_R_SUCCESS) {
17892
0
      UNLOCK_ZONE(zone);
17893
0
      secure = NULL;
17894
0
      isc_thread_yield();
17895
0
      goto again;
17896
0
    }
17897
0
  }
17898
0
  (void)zone_postload(zone, load->db, load->loadtime, result);
17899
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING);
17900
0
  zone_idetach(&load->callbacks.zone);
17901
  /*
17902
   * Leave the zone frozen if the reload fails.
17903
   */
17904
0
  if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) &&
17905
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW))
17906
0
  {
17907
0
    zone->update_disabled = false;
17908
0
  }
17909
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW);
17910
0
  if (inline_secure(zone)) {
17911
0
    UNLOCK_ZONE(zone->raw);
17912
0
  } else if (secure != NULL) {
17913
0
    UNLOCK_ZONE(secure);
17914
0
  }
17915
0
  UNLOCK_ZONE(zone);
17916
17917
0
  dns_db_detach(&load->db);
17918
0
  if (zone->loadctx != NULL) {
17919
0
    dns_loadctx_detach(&zone->loadctx);
17920
0
  }
17921
0
  isc_mem_put(zone->mctx, load, sizeof(*load));
17922
17923
0
  dns_zone_idetach(&zone);
17924
0
}
17925
17926
void
17927
0
dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
17928
0
  REQUIRE(DNS_ZONE_VALID(zone));
17929
0
  REQUIRE(table != NULL);
17930
0
  REQUIRE(*table == NULL);
17931
17932
0
  LOCK_ZONE(zone);
17933
0
  if (zone->ssutable != NULL) {
17934
0
    dns_ssutable_attach(zone->ssutable, table);
17935
0
  }
17936
0
  UNLOCK_ZONE(zone);
17937
0
}
17938
17939
void
17940
0
dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
17941
0
  REQUIRE(DNS_ZONE_VALID(zone));
17942
17943
0
  LOCK_ZONE(zone);
17944
0
  if (zone->ssutable != NULL) {
17945
0
    dns_ssutable_detach(&zone->ssutable);
17946
0
  }
17947
0
  if (table != NULL) {
17948
0
    dns_ssutable_attach(table, &zone->ssutable);
17949
0
  }
17950
0
  UNLOCK_ZONE(zone);
17951
0
}
17952
17953
void
17954
0
dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval) {
17955
0
  REQUIRE(DNS_ZONE_VALID(zone));
17956
17957
0
  zone->sigvalidityinterval = interval;
17958
0
}
17959
17960
uint32_t
17961
0
dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
17962
0
  REQUIRE(DNS_ZONE_VALID(zone));
17963
17964
0
  return (zone->sigvalidityinterval);
17965
0
}
17966
17967
void
17968
0
dns_zone_setkeyvalidityinterval(dns_zone_t *zone, uint32_t interval) {
17969
0
  REQUIRE(DNS_ZONE_VALID(zone));
17970
17971
0
  zone->keyvalidityinterval = interval;
17972
0
}
17973
17974
uint32_t
17975
0
dns_zone_getkeyvalidityinterval(dns_zone_t *zone) {
17976
0
  REQUIRE(DNS_ZONE_VALID(zone));
17977
17978
0
  return (zone->keyvalidityinterval);
17979
0
}
17980
17981
void
17982
0
dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval) {
17983
0
  isc_time_t now;
17984
17985
0
  REQUIRE(DNS_ZONE_VALID(zone));
17986
17987
0
  LOCK_ZONE(zone);
17988
0
  zone->sigresigninginterval = interval;
17989
0
  set_resigntime(zone);
17990
0
  if (zone->loop != NULL) {
17991
0
    now = isc_time_now();
17992
0
    zone_settimer(zone, &now);
17993
0
  }
17994
0
  UNLOCK_ZONE(zone);
17995
0
}
17996
17997
uint32_t
17998
0
dns_zone_getsigresigninginterval(dns_zone_t *zone) {
17999
0
  REQUIRE(DNS_ZONE_VALID(zone));
18000
18001
0
  return (zone->sigresigninginterval);
18002
0
}
18003
18004
isc_sockaddr_t
18005
0
dns_zone_getsourceaddr(dns_zone_t *zone) {
18006
0
  isc_sockaddr_t sourceaddr;
18007
18008
0
  REQUIRE(DNS_ZONE_VALID(zone));
18009
18010
0
  LOCK_ZONE(zone);
18011
0
  INSIST(dns_remote_count(&zone->primaries) > 0);
18012
0
  sourceaddr = zone->sourceaddr;
18013
0
  UNLOCK_ZONE(zone);
18014
18015
0
  return (sourceaddr);
18016
0
}
18017
18018
isc_sockaddr_t
18019
0
dns_zone_getprimaryaddr(dns_zone_t *zone) {
18020
0
  isc_sockaddr_t curraddr;
18021
18022
0
  REQUIRE(DNS_ZONE_VALID(zone));
18023
18024
0
  LOCK_ZONE(zone);
18025
0
  INSIST(dns_remote_count(&zone->primaries) > 0);
18026
0
  curraddr = dns_remote_curraddr(&zone->primaries);
18027
0
  UNLOCK_ZONE(zone);
18028
18029
0
  return (curraddr);
18030
0
}
18031
18032
isc_time_t
18033
0
dns_zone_getxfrintime(const dns_zone_t *zone) {
18034
0
  REQUIRE(DNS_ZONE_VALID(zone));
18035
18036
0
  return (zone->xfrintime);
18037
0
}
18038
18039
static void
18040
0
queue_xfrin(dns_zone_t *zone) {
18041
0
  isc_result_t result;
18042
0
  dns_zonemgr_t *zmgr = zone->zmgr;
18043
18044
0
  ENTER;
18045
18046
0
  INSIST(zone->statelist == NULL);
18047
18048
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18049
0
  ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
18050
0
  isc_refcount_increment0(&zone->irefs);
18051
0
  zone->statelist = &zmgr->waiting_for_xfrin;
18052
0
  result = zmgr_start_xfrin_ifquota(zmgr, zone);
18053
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18054
18055
0
  if (result == ISC_R_QUOTA) {
18056
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
18057
0
            "zone transfer deferred due to quota");
18058
0
  } else if (result != ISC_R_SUCCESS) {
18059
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
18060
0
            "starting zone transfer: %s",
18061
0
            isc_result_totext(result));
18062
0
  }
18063
0
}
18064
18065
/*
18066
 * Get the transport type used for the SOA query to the current primary server
18067
 * before an ongoing incoming zone transfer.
18068
 *
18069
 * Requires:
18070
 *  The zone is locked by the caller.
18071
 */
18072
static dns_transport_type_t
18073
0
get_request_transport_type(dns_zone_t *zone) {
18074
0
  dns_transport_type_t transport_type = DNS_TRANSPORT_NONE;
18075
18076
0
  if (zone->transport != NULL) {
18077
0
    transport_type = dns_transport_get_type(zone->transport);
18078
0
  } else {
18079
0
    transport_type = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC))
18080
0
           ? DNS_TRANSPORT_TCP
18081
0
           : DNS_TRANSPORT_UDP;
18082
18083
    /* Check if the peer is forced to always use TCP. */
18084
0
    if (transport_type != DNS_TRANSPORT_TCP) {
18085
0
      isc_result_t result;
18086
0
      isc_sockaddr_t primaryaddr;
18087
0
      isc_netaddr_t primaryip;
18088
0
      dns_peer_t *peer = NULL;
18089
18090
0
      primaryaddr = dns_remote_curraddr(&zone->primaries);
18091
0
      isc_netaddr_fromsockaddr(&primaryip, &primaryaddr);
18092
0
      result = dns_peerlist_peerbyaddr(zone->view->peers,
18093
0
               &primaryip, &peer);
18094
0
      if (result == ISC_R_SUCCESS && peer != NULL) {
18095
0
        bool usetcp;
18096
0
        result = dns_peer_getforcetcp(peer, &usetcp);
18097
0
        if (result == ISC_R_SUCCESS && usetcp) {
18098
0
          transport_type = DNS_TRANSPORT_TCP;
18099
0
        }
18100
0
      }
18101
0
    }
18102
0
  }
18103
18104
0
  return (transport_type);
18105
0
}
18106
18107
dns_transport_type_t
18108
0
dns_zone_getrequesttransporttype(dns_zone_t *zone) {
18109
0
  dns_transport_type_t transport_type;
18110
18111
0
  REQUIRE(DNS_ZONE_VALID(zone));
18112
18113
0
  LOCK_ZONE(zone);
18114
0
  transport_type = get_request_transport_type(zone);
18115
0
  UNLOCK_ZONE(zone);
18116
18117
0
  return (transport_type);
18118
0
}
18119
18120
/*
18121
 * This event callback is called when a zone has received
18122
 * any necessary zone transfer quota.  This is the time
18123
 * to go ahead and start the transfer.
18124
 */
18125
static void
18126
0
got_transfer_quota(void *arg) {
18127
0
  dns_zone_t *zone = (dns_zone_t *)arg;
18128
0
  isc_result_t result = ISC_R_SUCCESS;
18129
0
  dns_peer_t *peer = NULL;
18130
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
18131
0
  char source[ISC_SOCKADDR_FORMATSIZE];
18132
0
  dns_rdatatype_t xfrtype;
18133
0
  isc_netaddr_t primaryip;
18134
0
  isc_sockaddr_t primaryaddr;
18135
0
  isc_sockaddr_t sourceaddr;
18136
0
  isc_time_t now;
18137
0
  dns_transport_type_t soa_transport_type = DNS_TRANSPORT_NONE;
18138
0
  const char *soa_before = "";
18139
0
  bool loaded;
18140
0
  isc_tlsctx_cache_t *zmgr_tlsctx_cache = NULL;
18141
18142
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
18143
0
    zone_xfrdone(zone, NULL, ISC_R_CANCELED);
18144
0
    return;
18145
0
  }
18146
18147
0
  now = isc_time_now();
18148
18149
0
  primaryaddr = dns_remote_curraddr(&zone->primaries);
18150
0
  isc_sockaddr_format(&primaryaddr, primary, sizeof(primary));
18151
0
  if (dns_zonemgr_unreachable(zone->zmgr, &primaryaddr, &zone->sourceaddr,
18152
0
            &now))
18153
0
  {
18154
0
    isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
18155
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
18156
0
            "got_transfer_quota: skipping zone transfer as "
18157
0
            "primary %s (source %s) is unreachable (cached)",
18158
0
            primary, source);
18159
0
    zone_xfrdone(zone, NULL, ISC_R_CANCELED);
18160
0
    return;
18161
0
  }
18162
18163
0
  isc_netaddr_fromsockaddr(&primaryip, &primaryaddr);
18164
0
  (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer);
18165
18166
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
18167
0
    soa_before = "SOA before ";
18168
0
  }
18169
  /*
18170
   * Decide whether we should request IXFR or AXFR.
18171
   */
18172
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
18173
0
  loaded = (zone->db != NULL);
18174
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
18175
18176
0
  if (!loaded) {
18177
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18178
0
            "no database exists yet, requesting AXFR of "
18179
0
            "initial version from %s",
18180
0
            primary);
18181
0
    xfrtype = dns_rdatatype_axfr;
18182
0
  } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
18183
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18184
0
            "forced reload, requesting AXFR of "
18185
0
            "initial version from %s",
18186
0
            primary);
18187
0
    xfrtype = dns_rdatatype_axfr;
18188
0
  } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOIXFR)) {
18189
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18190
0
            "retrying with AXFR from %s due to "
18191
0
            "previous IXFR failure",
18192
0
            primary);
18193
0
    xfrtype = dns_rdatatype_axfr;
18194
0
    LOCK_ZONE(zone);
18195
0
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOIXFR);
18196
0
    UNLOCK_ZONE(zone);
18197
0
  } else {
18198
0
    bool use_ixfr = true;
18199
0
    if (peer != NULL) {
18200
0
      result = dns_peer_getrequestixfr(peer, &use_ixfr);
18201
0
    }
18202
0
    if (peer == NULL || result != ISC_R_SUCCESS) {
18203
0
      use_ixfr = zone->requestixfr;
18204
0
    }
18205
0
    if (!use_ixfr) {
18206
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18207
0
              ISC_LOG_DEBUG(1),
18208
0
              "IXFR disabled, "
18209
0
              "requesting %sAXFR from %s",
18210
0
              soa_before, primary);
18211
0
      if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
18212
0
        xfrtype = dns_rdatatype_soa;
18213
0
      } else {
18214
0
        xfrtype = dns_rdatatype_axfr;
18215
0
      }
18216
0
    } else {
18217
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18218
0
              ISC_LOG_DEBUG(1),
18219
0
              "requesting IXFR from %s", primary);
18220
0
      xfrtype = dns_rdatatype_ixfr;
18221
0
    }
18222
0
  }
18223
18224
  /*
18225
   * Determine if we should attempt to sign the request with TSIG.
18226
   */
18227
0
  result = ISC_R_NOTFOUND;
18228
18229
  /*
18230
   * First, look for a tsig key in the primaries statement, then
18231
   * try for a server key.
18232
   */
18233
0
  if (dns_remote_keyname(&zone->primaries) != NULL) {
18234
0
    dns_view_t *view = dns_zone_getview(zone);
18235
0
    dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
18236
0
    result = dns_view_gettsig(view, keyname, &zone->tsigkey);
18237
0
  }
18238
0
  if (result != ISC_R_SUCCESS) {
18239
0
    INSIST(zone->tsigkey == NULL);
18240
0
    result = dns_view_getpeertsig(zone->view, &primaryip,
18241
0
                &zone->tsigkey);
18242
0
  }
18243
0
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
18244
0
    dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
18245
0
            "could not get TSIG key for zone transfer: %s",
18246
0
            isc_result_totext(result));
18247
0
  }
18248
18249
  /*
18250
   * Get the TLS transport for the primary, if configured.
18251
   */
18252
0
  if (dns_remote_tlsname(&zone->primaries) != NULL) {
18253
0
    dns_view_t *view = dns_zone_getview(zone);
18254
0
    dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries);
18255
0
    result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname,
18256
0
                 &zone->transport);
18257
0
    if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
18258
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18259
0
              ISC_LOG_ERROR,
18260
0
              "could not get TLS configuration for "
18261
0
              "zone transfer: %s",
18262
0
              isc_result_totext(result));
18263
0
    }
18264
0
  }
18265
18266
0
  LOCK_ZONE(zone);
18267
0
  if (xfrtype != dns_rdatatype_soa) {
18268
    /*
18269
     * If 'xfrtype' is dns_rdatatype_soa, then the SOA query will be
18270
     * performed by xfrin, otherwise, the SOA request performed by
18271
     * soa_query() was successful and we should inform the xfrin
18272
     * about the transport type used for that query, so that the
18273
     * information can be presented in the statistics channel.
18274
     */
18275
0
    soa_transport_type = get_request_transport_type(zone);
18276
0
  }
18277
0
  sourceaddr = zone->sourceaddr;
18278
0
  UNLOCK_ZONE(zone);
18279
18280
0
  INSIST(isc_sockaddr_pf(&primaryaddr) == isc_sockaddr_pf(&sourceaddr));
18281
18282
0
  if (zone->xfr != NULL) {
18283
0
    dns_xfrin_detach(&zone->xfr);
18284
0
  }
18285
18286
0
  zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache);
18287
18288
0
  result = dns_xfrin_create(zone, xfrtype, &primaryaddr, &sourceaddr,
18289
0
          zone->tsigkey, soa_transport_type,
18290
0
          zone->transport, zmgr_tlsctx_cache,
18291
0
          zone->mctx, zone_xfrdone, &zone->xfr);
18292
18293
0
  isc_tlsctx_cache_detach(&zmgr_tlsctx_cache);
18294
18295
  /*
18296
   * Any failure in this function is handled like a failed
18297
   * zone transfer.  This ensures that we get removed from
18298
   * zmgr->xfrin_in_progress.
18299
   */
18300
0
  if (result != ISC_R_SUCCESS) {
18301
0
    zone_xfrdone(zone, NULL, result);
18302
0
    return;
18303
0
  }
18304
18305
0
  LOCK_ZONE(zone);
18306
0
  if (xfrtype == dns_rdatatype_axfr) {
18307
0
    if (isc_sockaddr_pf(&primaryaddr) == PF_INET) {
18308
0
      inc_stats(zone, dns_zonestatscounter_axfrreqv4);
18309
0
    } else {
18310
0
      inc_stats(zone, dns_zonestatscounter_axfrreqv6);
18311
0
    }
18312
0
  } else if (xfrtype == dns_rdatatype_ixfr) {
18313
0
    if (isc_sockaddr_pf(&primaryaddr) == PF_INET) {
18314
0
      inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
18315
0
    } else {
18316
0
      inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
18317
0
    }
18318
0
  }
18319
0
  UNLOCK_ZONE(zone);
18320
0
}
18321
18322
/*
18323
 * Update forwarding support.
18324
 */
18325
18326
static void
18327
0
forward_destroy(dns_forward_t *forward) {
18328
0
  forward->magic = 0;
18329
0
  if (forward->request != NULL) {
18330
0
    dns_request_destroy(&forward->request);
18331
0
  }
18332
0
  if (forward->msgbuf != NULL) {
18333
0
    isc_buffer_free(&forward->msgbuf);
18334
0
  }
18335
0
  if (forward->transport != NULL) {
18336
0
    dns_transport_detach(&forward->transport);
18337
0
  }
18338
0
  if (forward->zone != NULL) {
18339
0
    LOCK(&forward->zone->lock);
18340
0
    if (ISC_LINK_LINKED(forward, link)) {
18341
0
      ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
18342
0
    }
18343
0
    UNLOCK(&forward->zone->lock);
18344
0
    dns_zone_idetach(&forward->zone);
18345
0
  }
18346
0
  isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
18347
0
}
18348
18349
static isc_result_t
18350
0
sendtoprimary(dns_forward_t *forward) {
18351
0
  isc_result_t result;
18352
0
  isc_sockaddr_t src, any;
18353
0
  dns_zone_t *zone = forward->zone;
18354
0
  bool tls_transport_invalid = false;
18355
0
  isc_tlsctx_cache_t *zmgr_tlsctx_cache = NULL;
18356
18357
0
  LOCK_ZONE(zone);
18358
18359
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
18360
0
    UNLOCK_ZONE(zone);
18361
0
    return (ISC_R_CANCELED);
18362
0
  }
18363
18364
0
next:
18365
0
  if (forward->which >= dns_remote_count(&forward->zone->primaries)) {
18366
0
    UNLOCK_ZONE(zone);
18367
0
    return (ISC_R_NOMORE);
18368
0
  }
18369
18370
0
  forward->addr = dns_remote_addr(&zone->primaries, forward->which);
18371
18372
0
  if (isc_sockaddr_disabled(&forward->addr)) {
18373
0
    forward->which++;
18374
0
    goto next;
18375
0
  }
18376
18377
  /*
18378
   * Always use TCP regardless of whether the original update
18379
   * used TCP.
18380
   * XXX The timeout may but a bit small if we are far down a
18381
   * transfer graph and have to try several primaries.
18382
   */
18383
0
  switch (isc_sockaddr_pf(&forward->addr)) {
18384
0
  case PF_INET:
18385
0
    isc_sockaddr_any(&any);
18386
0
    src = zone->primaries.sources[forward->which];
18387
0
    if (isc_sockaddr_equal(&src, &any)) {
18388
0
      src = zone->xfrsource4;
18389
0
    }
18390
0
    break;
18391
0
  case PF_INET6:
18392
0
    isc_sockaddr_any6(&any);
18393
0
    src = zone->primaries.sources[forward->which];
18394
0
    if (isc_sockaddr_equal(&src, &any)) {
18395
0
      src = zone->xfrsource6;
18396
0
    }
18397
0
    break;
18398
0
  default:
18399
0
    result = ISC_R_NOTIMPLEMENTED;
18400
0
    goto unlock;
18401
0
  }
18402
18403
0
  if (forward->transport != NULL) {
18404
0
    dns_transport_detach(&forward->transport);
18405
0
  }
18406
18407
0
  if (dns_remote_tlsname(&zone->primaries) != NULL &&
18408
0
      zone->primaries.tlsnames[forward->which] != NULL)
18409
0
  {
18410
0
    dns_view_t *view = dns_zone_getview(zone);
18411
0
    dns_name_t *tlsname = zone->primaries.tlsnames[forward->which];
18412
18413
0
    result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname,
18414
0
                 &forward->transport);
18415
18416
0
    if (result != ISC_R_SUCCESS) {
18417
      /* Log the error message when unlocked. */
18418
0
      tls_transport_invalid = true;
18419
0
      goto unlock;
18420
0
    }
18421
0
  }
18422
18423
0
  zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache);
18424
18425
0
  result = dns_request_createraw(
18426
0
    forward->zone->view->requestmgr, forward->msgbuf, &src,
18427
0
    &forward->addr, forward->transport, zmgr_tlsctx_cache,
18428
0
    forward->options, 15 /* XXX */, 0, 0, forward->zone->loop,
18429
0
    forward_callback, forward, &forward->request);
18430
18431
0
  isc_tlsctx_cache_detach(&zmgr_tlsctx_cache);
18432
18433
0
  if (result == ISC_R_SUCCESS) {
18434
0
    if (!ISC_LINK_LINKED(forward, link)) {
18435
0
      ISC_LIST_APPEND(zone->forwards, forward, link);
18436
0
    }
18437
0
  }
18438
18439
0
unlock:
18440
0
  UNLOCK_ZONE(zone);
18441
18442
0
  if (tls_transport_invalid) {
18443
0
    dns_zone_log(zone, ISC_LOG_ERROR,
18444
0
           "could not get TLS configuration "
18445
0
           "for dynamic update: %s",
18446
0
           isc_result_totext(result));
18447
0
  }
18448
18449
0
  return (result);
18450
0
}
18451
18452
static void
18453
0
forward_callback(void *arg) {
18454
0
  dns_request_t *request = (dns_request_t *)arg;
18455
0
  dns_forward_t *forward = dns_request_getarg(request);
18456
0
  dns_message_t *msg = NULL;
18457
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
18458
0
  isc_result_t result;
18459
0
  dns_zone_t *zone;
18460
18461
0
  INSIST(DNS_FORWARD_VALID(forward));
18462
0
  zone = forward->zone;
18463
0
  INSIST(DNS_ZONE_VALID(zone));
18464
18465
0
  ENTER;
18466
18467
0
  isc_sockaddr_format(&forward->addr, primary, sizeof(primary));
18468
18469
0
  result = dns_request_getresult(request);
18470
0
  if (result != ISC_R_SUCCESS) {
18471
0
    dns_zone_log(zone, ISC_LOG_INFO,
18472
0
           "could not forward dynamic update to %s: %s",
18473
0
           primary, isc_result_totext(result));
18474
0
    goto next_primary;
18475
0
  }
18476
18477
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
18478
0
         &msg);
18479
18480
0
  result = dns_request_getresponse(request, msg,
18481
0
           DNS_MESSAGEPARSE_PRESERVEORDER |
18482
0
             DNS_MESSAGEPARSE_CLONEBUFFER);
18483
0
  if (result != ISC_R_SUCCESS) {
18484
0
    goto next_primary;
18485
0
  }
18486
18487
  /*
18488
   * Unexpected opcode.
18489
   */
18490
0
  if (msg->opcode != dns_opcode_update) {
18491
0
    char opcode[128];
18492
0
    isc_buffer_t rb;
18493
18494
0
    isc_buffer_init(&rb, opcode, sizeof(opcode));
18495
0
    (void)dns_opcode_totext(msg->opcode, &rb);
18496
18497
0
    dns_zone_log(zone, ISC_LOG_INFO,
18498
0
           "forwarding dynamic update: "
18499
0
           "unexpected opcode (%.*s) from %s",
18500
0
           (int)rb.used, opcode, primary);
18501
0
    goto next_primary;
18502
0
  }
18503
18504
0
  switch (msg->rcode) {
18505
  /*
18506
   * Pass these rcodes back to client.
18507
   */
18508
0
  case dns_rcode_noerror:
18509
0
  case dns_rcode_yxdomain:
18510
0
  case dns_rcode_yxrrset:
18511
0
  case dns_rcode_nxrrset:
18512
0
  case dns_rcode_refused:
18513
0
  case dns_rcode_nxdomain: {
18514
0
    char rcode[128];
18515
0
    isc_buffer_t rb;
18516
18517
0
    isc_buffer_init(&rb, rcode, sizeof(rcode));
18518
0
    (void)dns_rcode_totext(msg->rcode, &rb);
18519
0
    dns_zone_log(zone, ISC_LOG_INFO,
18520
0
           "forwarded dynamic update: "
18521
0
           "primary %s returned: %.*s",
18522
0
           primary, (int)rb.used, rcode);
18523
0
    break;
18524
0
  }
18525
18526
  /* These should not occur if the primaries/zone are valid. */
18527
0
  case dns_rcode_notzone:
18528
0
  case dns_rcode_notauth: {
18529
0
    char rcode[128];
18530
0
    isc_buffer_t rb;
18531
18532
0
    isc_buffer_init(&rb, rcode, sizeof(rcode));
18533
0
    (void)dns_rcode_totext(msg->rcode, &rb);
18534
0
    dns_zone_log(zone, ISC_LOG_WARNING,
18535
0
           "forwarding dynamic update: "
18536
0
           "unexpected response: primary %s returned: %.*s",
18537
0
           primary, (int)rb.used, rcode);
18538
0
    goto next_primary;
18539
0
  }
18540
18541
  /* Try another server for these rcodes. */
18542
0
  case dns_rcode_formerr:
18543
0
  case dns_rcode_servfail:
18544
0
  case dns_rcode_notimp:
18545
0
  case dns_rcode_badvers:
18546
0
  default:
18547
0
    goto next_primary;
18548
0
  }
18549
18550
  /* call callback */
18551
0
  (forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
18552
0
  msg = NULL;
18553
0
  dns_request_destroy(&forward->request);
18554
0
  forward_destroy(forward);
18555
0
  return;
18556
18557
0
next_primary:
18558
0
  if (msg != NULL) {
18559
0
    dns_message_detach(&msg);
18560
0
  }
18561
0
  forward->which++;
18562
0
  dns_request_destroy(&forward->request);
18563
0
  result = sendtoprimary(forward);
18564
0
  if (result != ISC_R_SUCCESS) {
18565
    /* call callback */
18566
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
18567
0
           "exhausted dynamic update forwarder list");
18568
0
    (forward->callback)(forward->callback_arg, result, NULL);
18569
0
    forward_destroy(forward);
18570
0
  }
18571
0
}
18572
18573
isc_result_t
18574
dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
18575
0
           dns_updatecallback_t callback, void *callback_arg) {
18576
0
  dns_forward_t *forward;
18577
0
  isc_result_t result;
18578
0
  isc_region_t *mr;
18579
18580
0
  REQUIRE(DNS_ZONE_VALID(zone));
18581
0
  REQUIRE(msg != NULL);
18582
0
  REQUIRE(callback != NULL);
18583
18584
0
  forward = isc_mem_get(zone->mctx, sizeof(*forward));
18585
0
  *forward = (dns_forward_t){ .callback = callback,
18586
0
            .callback_arg = callback_arg,
18587
0
            .options = DNS_REQUESTOPT_TCP };
18588
0
  ISC_LINK_INIT(forward, link);
18589
0
  forward->magic = FORWARD_MAGIC;
18590
18591
  /*
18592
   * If we have a SIG(0) signed message we need to preserve the
18593
   * query id as that is included in the SIG(0) computation.
18594
   */
18595
0
  if (msg->sig0 != NULL) {
18596
0
    forward->options |= DNS_REQUESTOPT_FIXEDID;
18597
0
  }
18598
18599
0
  mr = dns_message_getrawmessage(msg);
18600
0
  if (mr == NULL) {
18601
0
    result = ISC_R_UNEXPECTEDEND;
18602
0
    goto cleanup;
18603
0
  }
18604
18605
0
  isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
18606
0
  result = isc_buffer_copyregion(forward->msgbuf, mr);
18607
0
  if (result != ISC_R_SUCCESS) {
18608
0
    goto cleanup;
18609
0
  }
18610
18611
0
  isc_mem_attach(zone->mctx, &forward->mctx);
18612
0
  dns_zone_iattach(zone, &forward->zone);
18613
0
  result = sendtoprimary(forward);
18614
18615
0
cleanup:
18616
0
  if (result != ISC_R_SUCCESS) {
18617
0
    forward_destroy(forward);
18618
0
  }
18619
0
  return (result);
18620
0
}
18621
18622
isc_result_t
18623
0
dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
18624
0
  REQUIRE(DNS_ZONE_VALID(zone));
18625
0
  REQUIRE(next != NULL && *next == NULL);
18626
18627
0
  *next = ISC_LIST_NEXT(zone, link);
18628
0
  if (*next == NULL) {
18629
0
    return (ISC_R_NOMORE);
18630
0
  } else {
18631
0
    return (ISC_R_SUCCESS);
18632
0
  }
18633
0
}
18634
18635
isc_result_t
18636
0
dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
18637
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18638
0
  REQUIRE(first != NULL && *first == NULL);
18639
18640
0
  *first = ISC_LIST_HEAD(zmgr->zones);
18641
0
  if (*first == NULL) {
18642
0
    return (ISC_R_NOMORE);
18643
0
  } else {
18644
0
    return (ISC_R_SUCCESS);
18645
0
  }
18646
0
}
18647
18648
/***
18649
 ***  Zone manager.
18650
 ***/
18651
18652
static void
18653
0
zonemgr_keymgmt_init(dns_zonemgr_t *zmgr) {
18654
0
  dns_keymgmt_t *mgmt = isc_mem_get(zmgr->mctx, sizeof(*mgmt));
18655
18656
0
  *mgmt = (dns_keymgmt_t){
18657
0
    .magic = KEYMGMT_MAGIC,
18658
0
  };
18659
18660
0
  isc_mem_attach(zmgr->mctx, &mgmt->mctx);
18661
0
  isc_rwlock_init(&mgmt->lock);
18662
0
  isc_hashmap_create(mgmt->mctx, DNS_KEYMGMT_HASH_BITS, &mgmt->table);
18663
18664
0
  zmgr->keymgmt = mgmt;
18665
0
}
18666
18667
static void
18668
0
zonemgr_keymgmt_destroy(dns_zonemgr_t *zmgr) {
18669
0
  dns_keymgmt_t *mgmt = zmgr->keymgmt;
18670
18671
0
  REQUIRE(DNS_KEYMGMT_VALID(mgmt));
18672
18673
0
  mgmt->magic = 0;
18674
18675
0
  RWLOCK(&mgmt->lock, isc_rwlocktype_write);
18676
0
  INSIST(isc_hashmap_count(mgmt->table) == 0);
18677
0
  RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
18678
0
  isc_hashmap_destroy(&mgmt->table);
18679
18680
0
  isc_rwlock_destroy(&mgmt->lock);
18681
0
  isc_mem_putanddetach(&mgmt->mctx, mgmt, sizeof(dns_keymgmt_t));
18682
0
}
18683
18684
static bool
18685
0
kfio_match(void *node, const void *key) {
18686
0
  const dns_keyfileio_t *kfio = node;
18687
18688
0
  return (dns_name_equal(kfio->name, key));
18689
0
}
18690
18691
static void
18692
zonemgr_keymgmt_add(dns_zonemgr_t *zmgr, dns_zone_t *zone,
18693
0
        dns_keyfileio_t **added) {
18694
0
  dns_keymgmt_t *mgmt = zmgr->keymgmt;
18695
0
  dns_keyfileio_t *kfio = NULL;
18696
0
  isc_result_t result;
18697
0
  dns_fixedname_t fname;
18698
0
  dns_name_t *name;
18699
18700
0
  REQUIRE(DNS_KEYMGMT_VALID(mgmt));
18701
0
  REQUIRE(added != NULL && *added == NULL);
18702
18703
0
  name = dns_fixedname_initname(&fname);
18704
0
  dns_name_downcase(&zone->origin, name, NULL);
18705
18706
0
  RWLOCK(&mgmt->lock, isc_rwlocktype_write);
18707
18708
0
  result = isc_hashmap_find(mgmt->table, dns_name_hash(name), kfio_match,
18709
0
          name, (void **)&kfio);
18710
0
  switch (result) {
18711
0
  case ISC_R_SUCCESS:
18712
0
    isc_refcount_increment(&kfio->references);
18713
0
    break;
18714
0
  case ISC_R_NOTFOUND:
18715
0
    kfio = isc_mem_get(mgmt->mctx, sizeof(*kfio));
18716
0
    *kfio = (dns_keyfileio_t){
18717
0
      .magic = KEYFILEIO_MAGIC,
18718
0
    };
18719
0
    isc_refcount_init(&kfio->references, 1);
18720
0
    kfio->name = dns_fixedname_initname(&kfio->fname);
18721
0
    dns_name_copy(name, kfio->name);
18722
18723
0
    isc_mutex_init(&kfio->lock);
18724
0
    result = isc_hashmap_add(mgmt->table, dns_name_hash(kfio->name),
18725
0
           kfio_match, kfio->name, kfio, NULL);
18726
0
    INSIST(result == ISC_R_SUCCESS);
18727
0
    break;
18728
0
  default:
18729
0
    UNREACHABLE();
18730
0
  }
18731
0
  *added = kfio;
18732
0
  RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
18733
0
}
18734
18735
static bool
18736
0
match_ptr(void *node, const void *key) {
18737
0
  return (node == key);
18738
0
}
18739
18740
static void
18741
0
zonemgr_keymgmt_delete(dns_zonemgr_t *zmgr, dns_keyfileio_t **deleted) {
18742
0
  REQUIRE(DNS_KEYMGMT_VALID(zmgr->keymgmt));
18743
0
  REQUIRE(deleted != NULL && DNS_KEYFILEIO_VALID(*deleted));
18744
18745
0
  dns_keymgmt_t *mgmt = zmgr->keymgmt;
18746
0
  dns_keyfileio_t *kfio = *deleted;
18747
0
  isc_result_t result;
18748
18749
0
  *deleted = NULL;
18750
18751
0
  RWLOCK(&mgmt->lock, isc_rwlocktype_write);
18752
18753
0
  if (isc_refcount_decrement(&kfio->references) == 1) {
18754
0
    isc_refcount_destroy(&kfio->references);
18755
0
    kfio->magic = 0;
18756
0
    isc_mutex_destroy(&kfio->lock);
18757
18758
0
    result = isc_hashmap_delete(mgmt->table,
18759
0
              dns_name_hash(kfio->name),
18760
0
              match_ptr, kfio);
18761
0
    INSIST(result == ISC_R_SUCCESS);
18762
18763
0
    isc_mem_put(mgmt->mctx, kfio, sizeof(*kfio));
18764
0
  }
18765
18766
0
  RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
18767
0
}
18768
18769
void
18770
0
dns_zonemgr_create(isc_mem_t *mctx, isc_nm_t *netmgr, dns_zonemgr_t **zmgrp) {
18771
0
  dns_zonemgr_t *zmgr = NULL;
18772
0
  isc_loop_t *loop = isc_loop();
18773
0
  isc_loopmgr_t *loopmgr = isc_loop_getloopmgr(loop);
18774
18775
0
  REQUIRE(mctx != NULL);
18776
0
  REQUIRE(netmgr != NULL);
18777
0
  REQUIRE(zmgrp != NULL && *zmgrp == NULL);
18778
18779
0
  zmgr = isc_mem_get(mctx, sizeof(*zmgr));
18780
18781
0
  *zmgr = (dns_zonemgr_t){
18782
0
    .loopmgr = loopmgr,
18783
0
    .netmgr = netmgr,
18784
0
    .workers = isc_loopmgr_nloops(loopmgr),
18785
0
    .transfersin = 10,
18786
0
    .transfersperns = 2,
18787
0
  };
18788
18789
0
  isc_refcount_init(&zmgr->refs, 1);
18790
0
  isc_mem_attach(mctx, &zmgr->mctx);
18791
18792
0
  ISC_LIST_INIT(zmgr->zones);
18793
0
  ISC_LIST_INIT(zmgr->waiting_for_xfrin);
18794
0
  ISC_LIST_INIT(zmgr->xfrin_in_progress);
18795
0
  memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
18796
0
  for (size_t i = 0; i < UNREACH_CACHE_SIZE; i++) {
18797
0
    atomic_init(&zmgr->unreachable[i].expire, 0);
18798
0
  }
18799
0
  isc_rwlock_init(&zmgr->rwlock);
18800
18801
  /* Unreachable lock. */
18802
0
  isc_rwlock_init(&zmgr->urlock);
18803
18804
0
  isc_ratelimiter_create(loop, &zmgr->checkdsrl);
18805
0
  isc_ratelimiter_create(loop, &zmgr->notifyrl);
18806
0
  isc_ratelimiter_create(loop, &zmgr->refreshrl);
18807
0
  isc_ratelimiter_create(loop, &zmgr->startupnotifyrl);
18808
0
  isc_ratelimiter_create(loop, &zmgr->startuprefreshrl);
18809
18810
0
  zmgr->mctxpool = isc_mem_cget(zmgr->mctx, zmgr->workers,
18811
0
              sizeof(zmgr->mctxpool[0]));
18812
0
  for (size_t i = 0; i < zmgr->workers; i++) {
18813
0
    isc_mem_create(&zmgr->mctxpool[i]);
18814
0
    isc_mem_setname(zmgr->mctxpool[i], "zonemgr-mctxpool");
18815
0
  }
18816
18817
  /* Key file I/O locks. */
18818
0
  zonemgr_keymgmt_init(zmgr);
18819
18820
  /* Default to 20 refresh queries / notifies / checkds per second. */
18821
0
  setrl(zmgr->checkdsrl, &zmgr->checkdsrate, 20);
18822
0
  setrl(zmgr->notifyrl, &zmgr->notifyrate, 20);
18823
0
  setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, 20);
18824
0
  setrl(zmgr->refreshrl, &zmgr->serialqueryrate, 20);
18825
0
  setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, 20);
18826
0
  isc_ratelimiter_setpushpop(zmgr->startupnotifyrl, true);
18827
0
  isc_ratelimiter_setpushpop(zmgr->startuprefreshrl, true);
18828
18829
0
  zmgr->tlsctx_cache = NULL;
18830
0
  isc_rwlock_init(&zmgr->tlsctx_cache_rwlock);
18831
18832
0
  zmgr->magic = ZONEMGR_MAGIC;
18833
18834
0
  *zmgrp = zmgr;
18835
0
}
18836
18837
isc_result_t
18838
0
dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep) {
18839
0
  isc_mem_t *mctx = NULL;
18840
0
  dns_zone_t *zone = NULL;
18841
0
  unsigned int tid;
18842
18843
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18844
0
  REQUIRE(zonep != NULL && *zonep == NULL);
18845
18846
0
  if (zmgr->mctxpool == NULL) {
18847
0
    return (ISC_R_FAILURE);
18848
0
  }
18849
18850
0
  tid = isc_random_uniform(zmgr->workers);
18851
18852
0
  mctx = zmgr->mctxpool[tid];
18853
0
  if (mctx == NULL) {
18854
0
    return (ISC_R_FAILURE);
18855
0
  }
18856
18857
0
  dns_zone_create(&zone, mctx, tid);
18858
18859
0
  *zonep = zone;
18860
18861
0
  return (ISC_R_SUCCESS);
18862
0
}
18863
18864
isc_result_t
18865
0
dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
18866
0
  REQUIRE(DNS_ZONE_VALID(zone));
18867
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18868
18869
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18870
0
  LOCK_ZONE(zone);
18871
0
  REQUIRE(zone->timer == NULL);
18872
0
  REQUIRE(zone->zmgr == NULL);
18873
18874
0
  isc_loop_t *loop = isc_loop_get(zmgr->loopmgr, zone->tid);
18875
0
  isc_loop_attach(loop, &zone->loop);
18876
18877
0
  zonemgr_keymgmt_add(zmgr, zone, &zone->kfio);
18878
0
  INSIST(zone->kfio != NULL);
18879
18880
0
  ISC_LIST_APPEND(zmgr->zones, zone, link);
18881
0
  zone->zmgr = zmgr;
18882
18883
0
  isc_refcount_increment(&zmgr->refs);
18884
18885
0
  UNLOCK_ZONE(zone);
18886
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18887
0
  return (ISC_R_SUCCESS);
18888
0
}
18889
18890
void
18891
0
dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
18892
0
  REQUIRE(DNS_ZONE_VALID(zone));
18893
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18894
0
  REQUIRE(zone->zmgr == zmgr);
18895
18896
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18897
0
  LOCK_ZONE(zone);
18898
18899
0
  ISC_LIST_UNLINK(zmgr->zones, zone, link);
18900
18901
0
  if (zone->kfio != NULL) {
18902
0
    zonemgr_keymgmt_delete(zmgr, &zone->kfio);
18903
0
    ENSURE(zone->kfio == NULL);
18904
0
  }
18905
18906
0
  if (zone->timer != NULL) {
18907
0
    isc_refcount_decrement(&zone->irefs);
18908
0
    isc_timer_destroy(&zone->timer);
18909
0
  }
18910
18911
0
  isc_loop_detach(&zone->loop);
18912
18913
  /* Detach below, outside of the write lock. */
18914
0
  zone->zmgr = NULL;
18915
18916
0
  UNLOCK_ZONE(zone);
18917
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18918
18919
0
  dns_zonemgr_detach(&zmgr);
18920
0
}
18921
18922
void
18923
0
dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
18924
0
  REQUIRE(DNS_ZONEMGR_VALID(source));
18925
0
  REQUIRE(target != NULL && *target == NULL);
18926
18927
0
  isc_refcount_increment(&source->refs);
18928
18929
0
  *target = source;
18930
0
}
18931
18932
void
18933
0
dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
18934
0
  dns_zonemgr_t *zmgr;
18935
18936
0
  REQUIRE(zmgrp != NULL);
18937
0
  zmgr = *zmgrp;
18938
0
  *zmgrp = NULL;
18939
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18940
18941
0
  if (isc_refcount_decrement(&zmgr->refs) == 1) {
18942
0
    zonemgr_free(zmgr);
18943
0
  }
18944
0
}
18945
18946
isc_result_t
18947
0
dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
18948
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18949
18950
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
18951
0
  for (dns_zone_t *zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
18952
0
       zone = ISC_LIST_NEXT(zone, link))
18953
0
  {
18954
0
    isc_time_t now;
18955
18956
0
    LOCK_ZONE(zone);
18957
0
    now = isc_time_now();
18958
0
    zone_settimer(zone, &now);
18959
0
    UNLOCK_ZONE(zone);
18960
0
  }
18961
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
18962
18963
  /*
18964
   * Recent configuration changes may have increased the
18965
   * amount of available transfers quota.  Make sure any
18966
   * transfers currently blocked on quota get started if
18967
   * possible.
18968
   */
18969
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18970
0
  zmgr_resume_xfrs(zmgr, true);
18971
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18972
0
  return (ISC_R_SUCCESS);
18973
0
}
18974
18975
void
18976
0
dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
18977
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18978
18979
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18980
0
  zmgr_resume_xfrs(zmgr, true);
18981
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
18982
0
}
18983
18984
void
18985
0
dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
18986
0
  dns_zone_t *zone;
18987
18988
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
18989
18990
0
  isc_ratelimiter_shutdown(zmgr->checkdsrl);
18991
0
  isc_ratelimiter_shutdown(zmgr->notifyrl);
18992
0
  isc_ratelimiter_shutdown(zmgr->refreshrl);
18993
0
  isc_ratelimiter_shutdown(zmgr->startupnotifyrl);
18994
0
  isc_ratelimiter_shutdown(zmgr->startuprefreshrl);
18995
18996
0
  for (size_t i = 0; i < zmgr->workers; i++) {
18997
0
    isc_mem_detach(&zmgr->mctxpool[i]);
18998
0
  }
18999
19000
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
19001
0
  for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19002
0
       zone = ISC_LIST_NEXT(zone, link))
19003
0
  {
19004
0
    LOCK_ZONE(zone);
19005
0
    forward_cancel(zone);
19006
0
    UNLOCK_ZONE(zone);
19007
0
  }
19008
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
19009
0
}
19010
19011
static void
19012
0
zonemgr_free(dns_zonemgr_t *zmgr) {
19013
0
  REQUIRE(ISC_LIST_EMPTY(zmgr->zones));
19014
19015
0
  zmgr->magic = 0;
19016
19017
0
  isc_refcount_destroy(&zmgr->refs);
19018
0
  isc_ratelimiter_detach(&zmgr->checkdsrl);
19019
0
  isc_ratelimiter_detach(&zmgr->notifyrl);
19020
0
  isc_ratelimiter_detach(&zmgr->refreshrl);
19021
0
  isc_ratelimiter_detach(&zmgr->startupnotifyrl);
19022
0
  isc_ratelimiter_detach(&zmgr->startuprefreshrl);
19023
19024
0
  isc_mem_cput(zmgr->mctx, zmgr->mctxpool, zmgr->workers,
19025
0
         sizeof(zmgr->mctxpool[0]));
19026
19027
0
  isc_rwlock_destroy(&zmgr->urlock);
19028
0
  isc_rwlock_destroy(&zmgr->rwlock);
19029
0
  isc_rwlock_destroy(&zmgr->tlsctx_cache_rwlock);
19030
19031
0
  zonemgr_keymgmt_destroy(zmgr);
19032
19033
0
  if (zmgr->tlsctx_cache != NULL) {
19034
0
    isc_tlsctx_cache_detach(&zmgr->tlsctx_cache);
19035
0
  }
19036
0
  isc_mem_putanddetach(&zmgr->mctx, zmgr, sizeof(*zmgr));
19037
0
}
19038
19039
void
19040
0
dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value) {
19041
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19042
19043
0
  zmgr->transfersin = value;
19044
0
}
19045
19046
uint32_t
19047
0
dns_zonemgr_gettransfersin(dns_zonemgr_t *zmgr) {
19048
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19049
19050
0
  return (zmgr->transfersin);
19051
0
}
19052
19053
void
19054
0
dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value) {
19055
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19056
19057
0
  zmgr->transfersperns = value;
19058
0
}
19059
19060
uint32_t
19061
0
dns_zonemgr_gettransfersperns(dns_zonemgr_t *zmgr) {
19062
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19063
19064
0
  return (zmgr->transfersperns);
19065
0
}
19066
19067
/*
19068
 * Try to start a new incoming zone transfer to fill a quota
19069
 * slot that was just vacated.
19070
 *
19071
 * Requires:
19072
 *  The zone manager is locked by the caller.
19073
 */
19074
static void
19075
0
zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi) {
19076
0
  dns_zone_t *zone;
19077
0
  dns_zone_t *next;
19078
19079
0
  for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin); zone != NULL;
19080
0
       zone = next)
19081
0
  {
19082
0
    isc_result_t result;
19083
0
    next = ISC_LIST_NEXT(zone, statelink);
19084
0
    result = zmgr_start_xfrin_ifquota(zmgr, zone);
19085
0
    if (result == ISC_R_SUCCESS) {
19086
0
      if (multi) {
19087
0
        continue;
19088
0
      }
19089
      /*
19090
       * We successfully filled the slot.  We're done.
19091
       */
19092
0
      break;
19093
0
    } else if (result == ISC_R_QUOTA) {
19094
      /*
19095
       * Not enough quota.  This is probably the per-server
19096
       * quota, because we usually get called when a unit of
19097
       * global quota has just been freed.  Try the next
19098
       * zone, it may succeed if it uses another primary.
19099
       */
19100
0
      continue;
19101
0
    } else {
19102
0
      dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
19103
0
              ISC_LOG_DEBUG(1),
19104
0
              "starting zone transfer: %s",
19105
0
              isc_result_totext(result));
19106
0
      break;
19107
0
    }
19108
0
  }
19109
0
}
19110
19111
/*
19112
 * Try to start an incoming zone transfer for 'zone', quota permitting.
19113
 *
19114
 * Requires:
19115
 *  The zone manager is locked by the caller.
19116
 *
19117
 * Returns:
19118
 *  ISC_R_SUCCESS There was enough quota and we attempted to
19119
 *      start a transfer.  zone_xfrdone() has been or will
19120
 *      be called.
19121
 *  ISC_R_QUOTA Not enough quota.
19122
 *  Others    Failure.
19123
 */
19124
static isc_result_t
19125
0
zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
19126
0
  dns_peer_t *peer = NULL;
19127
0
  isc_netaddr_t primaryip;
19128
0
  isc_sockaddr_t curraddr;
19129
0
  uint32_t nxfrsin, nxfrsperns;
19130
0
  dns_zone_t *x = NULL;
19131
0
  uint32_t maxtransfersin, maxtransfersperns;
19132
19133
  /*
19134
   * If we are exiting just pretend we got quota so the zone will
19135
   * be cleaned up in the zone's loop context.
19136
   */
19137
0
  LOCK_ZONE(zone);
19138
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
19139
0
    UNLOCK_ZONE(zone);
19140
0
    goto gotquota;
19141
0
  }
19142
19143
  /*
19144
   * Find any configured information about the server we'd
19145
   * like to transfer this zone from.
19146
   */
19147
0
  curraddr = dns_remote_curraddr(&zone->primaries);
19148
0
  isc_netaddr_fromsockaddr(&primaryip, &curraddr);
19149
0
  (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer);
19150
0
  UNLOCK_ZONE(zone);
19151
19152
  /*
19153
   * Determine the total maximum number of simultaneous
19154
   * transfers allowed, and the maximum for this specific
19155
   * primary.
19156
   */
19157
0
  maxtransfersin = zmgr->transfersin;
19158
0
  maxtransfersperns = zmgr->transfersperns;
19159
0
  if (peer != NULL) {
19160
0
    (void)dns_peer_gettransfers(peer, &maxtransfersperns);
19161
0
  }
19162
19163
  /*
19164
   * Count the total number of transfers that are in progress,
19165
   * and the number of transfers in progress from this primary.
19166
   * We linearly scan a list of all transfers; if this turns
19167
   * out to be too slow, we could hash on the primary address.
19168
   */
19169
0
  nxfrsin = nxfrsperns = 0;
19170
0
  for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress); x != NULL;
19171
0
       x = ISC_LIST_NEXT(x, statelink))
19172
0
  {
19173
0
    isc_netaddr_t xip;
19174
0
    isc_sockaddr_t xaddr;
19175
19176
0
    LOCK_ZONE(x);
19177
0
    xaddr = dns_remote_curraddr(&x->primaries);
19178
0
    isc_netaddr_fromsockaddr(&xip, &xaddr);
19179
0
    UNLOCK_ZONE(x);
19180
19181
0
    nxfrsin++;
19182
0
    if (isc_netaddr_equal(&xip, &primaryip)) {
19183
0
      nxfrsperns++;
19184
0
    }
19185
0
  }
19186
19187
  /* Enforce quota. */
19188
0
  if (nxfrsin >= maxtransfersin) {
19189
0
    return (ISC_R_QUOTA);
19190
0
  }
19191
19192
0
  if (nxfrsperns >= maxtransfersperns) {
19193
0
    return (ISC_R_QUOTA);
19194
0
  }
19195
19196
0
gotquota:
19197
  /*
19198
   * We have sufficient quota.  Move the zone to the "xfrin_in_progress"
19199
   * list and start the actual transfer asynchronously.
19200
   */
19201
0
  LOCK_ZONE(zone);
19202
0
  INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
19203
0
  ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
19204
0
  ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
19205
0
  zone->statelist = &zmgr->xfrin_in_progress;
19206
0
  isc_async_run(zone->loop, got_transfer_quota, zone);
19207
0
  dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
19208
0
          "Transfer started.");
19209
0
  UNLOCK_ZONE(zone);
19210
19211
0
  return (ISC_R_SUCCESS);
19212
0
}
19213
19214
static void
19215
0
zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
19216
0
  char *buf;
19217
0
  int buflen;
19218
0
  isc_result_t result;
19219
19220
0
  buflen = strlen(path) + strlen(templat) + 2;
19221
19222
0
  buf = isc_mem_get(zone->mctx, buflen);
19223
19224
0
  result = isc_file_template(path, templat, buf, buflen);
19225
0
  if (result != ISC_R_SUCCESS) {
19226
0
    goto cleanup;
19227
0
  }
19228
19229
0
  result = isc_file_renameunique(path, buf);
19230
0
  if (result != ISC_R_SUCCESS) {
19231
0
    goto cleanup;
19232
0
  }
19233
19234
0
  dns_zone_log(zone, ISC_LOG_WARNING,
19235
0
         "unable to load from '%s'; "
19236
0
         "renaming file to '%s' for failure analysis and "
19237
0
         "retransferring.",
19238
0
         path, buf);
19239
19240
0
cleanup:
19241
0
  isc_mem_put(zone->mctx, buf, buflen);
19242
0
}
19243
19244
static void
19245
0
setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value) {
19246
0
  isc_interval_t interval;
19247
0
  uint32_t s, ns;
19248
0
  uint32_t pertic;
19249
19250
0
  if (value == 0) {
19251
0
    value = 1;
19252
0
  }
19253
19254
0
  if (value == 1) {
19255
0
    s = 1;
19256
0
    ns = 0;
19257
0
    pertic = 1;
19258
0
  } else if (value <= 10) {
19259
0
    s = 0;
19260
0
    ns = 1000000000 / value;
19261
0
    pertic = 1;
19262
0
  } else {
19263
0
    s = 0;
19264
0
    ns = (1000000000 / value) * 10;
19265
0
    pertic = 10;
19266
0
  }
19267
19268
0
  isc_interval_set(&interval, s, ns);
19269
19270
0
  isc_ratelimiter_setinterval(rl, &interval);
19271
0
  isc_ratelimiter_setpertic(rl, pertic);
19272
19273
0
  *rate = value;
19274
0
}
19275
19276
void
19277
0
dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value) {
19278
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19279
19280
0
  setrl(zmgr->checkdsrl, &zmgr->checkdsrate, value);
19281
0
}
19282
19283
void
19284
0
dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
19285
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19286
19287
0
  setrl(zmgr->notifyrl, &zmgr->notifyrate, value);
19288
0
}
19289
19290
void
19291
0
dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
19292
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19293
19294
0
  setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, value);
19295
0
}
19296
19297
void
19298
0
dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
19299
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19300
19301
0
  setrl(zmgr->refreshrl, &zmgr->serialqueryrate, value);
19302
  /* XXXMPA separate out once we have the code to support this. */
19303
0
  setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, value);
19304
0
}
19305
19306
unsigned int
19307
0
dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr) {
19308
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19309
19310
0
  return (zmgr->notifyrate);
19311
0
}
19312
19313
unsigned int
19314
0
dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr) {
19315
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19316
19317
0
  return (zmgr->startupnotifyrate);
19318
0
}
19319
19320
unsigned int
19321
0
dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
19322
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19323
19324
0
  return (zmgr->serialqueryrate);
19325
0
}
19326
19327
bool
19328
dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
19329
0
      isc_sockaddr_t *local, isc_time_t *now) {
19330
0
  unsigned int i;
19331
0
  uint32_t seconds = isc_time_seconds(now);
19332
0
  uint32_t count = 0;
19333
19334
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19335
19336
0
  RWLOCK(&zmgr->urlock, isc_rwlocktype_read);
19337
0
  for (i = 0; i < UNREACH_CACHE_SIZE; i++) {
19338
0
    if (atomic_load(&zmgr->unreachable[i].expire) >= seconds &&
19339
0
        isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
19340
0
        isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
19341
0
    {
19342
0
      atomic_store_relaxed(&zmgr->unreachable[i].last,
19343
0
               seconds);
19344
0
      count = zmgr->unreachable[i].count;
19345
0
      break;
19346
0
    }
19347
0
  }
19348
0
  RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read);
19349
0
  return (i < UNREACH_CACHE_SIZE && count > 1U);
19350
0
}
19351
19352
void
19353
dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
19354
0
         isc_sockaddr_t *local) {
19355
0
  unsigned int i;
19356
0
  char primary[ISC_SOCKADDR_FORMATSIZE];
19357
0
  char source[ISC_SOCKADDR_FORMATSIZE];
19358
19359
0
  isc_sockaddr_format(remote, primary, sizeof(primary));
19360
0
  isc_sockaddr_format(local, source, sizeof(source));
19361
19362
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19363
19364
0
  RWLOCK(&zmgr->urlock, isc_rwlocktype_read);
19365
0
  for (i = 0; i < UNREACH_CACHE_SIZE; i++) {
19366
0
    if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
19367
0
        isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
19368
0
    {
19369
0
      atomic_store_relaxed(&zmgr->unreachable[i].expire, 0);
19370
0
      break;
19371
0
    }
19372
0
  }
19373
0
  RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read);
19374
0
}
19375
19376
void
19377
dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
19378
0
         isc_sockaddr_t *local, isc_time_t *now) {
19379
0
  uint32_t seconds = isc_time_seconds(now);
19380
0
  uint32_t expire = 0, last = seconds;
19381
0
  unsigned int slot = UNREACH_CACHE_SIZE, oldest = 0;
19382
0
  bool update_entry = true;
19383
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19384
19385
0
  RWLOCK(&zmgr->urlock, isc_rwlocktype_write);
19386
0
  for (unsigned int i = 0; i < UNREACH_CACHE_SIZE; i++) {
19387
    /* Existing entry? */
19388
0
    if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
19389
0
        isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
19390
0
    {
19391
0
      update_entry = false;
19392
0
      slot = i;
19393
0
      expire = atomic_load_relaxed(
19394
0
        &zmgr->unreachable[i].expire);
19395
0
      break;
19396
0
    }
19397
    /* Pick first empty slot? */
19398
0
    if (atomic_load_relaxed(&zmgr->unreachable[i].expire) < seconds)
19399
0
    {
19400
0
      slot = i;
19401
0
      break;
19402
0
    }
19403
    /* The worst case, least recently used slot? */
19404
0
    if (atomic_load_relaxed(&zmgr->unreachable[i].last) < last) {
19405
0
      last = atomic_load_relaxed(&zmgr->unreachable[i].last);
19406
0
      oldest = i;
19407
0
    }
19408
0
  }
19409
19410
  /* We haven't found any existing or free slots, use the oldest */
19411
0
  if (slot == UNREACH_CACHE_SIZE) {
19412
0
    slot = oldest;
19413
0
  }
19414
19415
0
  if (expire < seconds) {
19416
    /* Expired or new entry, reset count to 1 */
19417
0
    zmgr->unreachable[slot].count = 1;
19418
0
  } else {
19419
0
    zmgr->unreachable[slot].count++;
19420
0
  }
19421
0
  atomic_store_relaxed(&zmgr->unreachable[slot].expire,
19422
0
           seconds + UNREACH_HOLD_TIME);
19423
0
  atomic_store_relaxed(&zmgr->unreachable[slot].last, seconds);
19424
0
  if (update_entry) {
19425
0
    zmgr->unreachable[slot].remote = *remote;
19426
0
    zmgr->unreachable[slot].local = *local;
19427
0
  }
19428
19429
0
  RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write);
19430
0
}
19431
19432
void
19433
0
dns_zone_forcereload(dns_zone_t *zone) {
19434
0
  REQUIRE(DNS_ZONE_VALID(zone));
19435
19436
0
  if (zone->type == dns_zone_primary ||
19437
0
      (zone->type == dns_zone_redirect &&
19438
0
       dns_remote_addresses(&zone->primaries) == NULL))
19439
0
  {
19440
0
    return;
19441
0
  }
19442
19443
0
  LOCK_ZONE(zone);
19444
0
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
19445
0
  UNLOCK_ZONE(zone);
19446
0
  dns_zone_refresh(zone);
19447
0
}
19448
19449
bool
19450
0
dns_zone_isforced(dns_zone_t *zone) {
19451
0
  REQUIRE(DNS_ZONE_VALID(zone));
19452
19453
0
  return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
19454
0
}
19455
19456
isc_result_t
19457
0
dns_zone_setstatistics(dns_zone_t *zone, bool on) {
19458
  /*
19459
   * This function is obsoleted.
19460
   */
19461
0
  UNUSED(zone);
19462
0
  UNUSED(on);
19463
0
  return (ISC_R_NOTIMPLEMENTED);
19464
0
}
19465
19466
uint64_t *
19467
0
dns_zone_getstatscounters(dns_zone_t *zone) {
19468
  /*
19469
   * This function is obsoleted.
19470
   */
19471
0
  UNUSED(zone);
19472
0
  return (NULL);
19473
0
}
19474
19475
void
19476
0
dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
19477
0
  REQUIRE(DNS_ZONE_VALID(zone));
19478
0
  REQUIRE(zone->stats == NULL);
19479
19480
0
  LOCK_ZONE(zone);
19481
0
  zone->stats = NULL;
19482
0
  isc_stats_attach(stats, &zone->stats);
19483
0
  UNLOCK_ZONE(zone);
19484
0
}
19485
19486
void
19487
0
dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
19488
0
  REQUIRE(DNS_ZONE_VALID(zone));
19489
19490
0
  LOCK_ZONE(zone);
19491
0
  if (zone->requeststats_on && stats == NULL) {
19492
0
    zone->requeststats_on = false;
19493
0
  } else if (!zone->requeststats_on && stats != NULL) {
19494
0
    if (zone->requeststats == NULL) {
19495
0
      isc_stats_attach(stats, &zone->requeststats);
19496
0
    }
19497
0
    zone->requeststats_on = true;
19498
0
  }
19499
0
  UNLOCK_ZONE(zone);
19500
0
}
19501
19502
void
19503
0
dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) {
19504
0
  REQUIRE(DNS_ZONE_VALID(zone));
19505
19506
0
  LOCK_ZONE(zone);
19507
0
  if (zone->requeststats_on && stats != NULL) {
19508
0
    if (zone->rcvquerystats == NULL) {
19509
0
      dns_stats_attach(stats, &zone->rcvquerystats);
19510
0
      zone->requeststats_on = true;
19511
0
    }
19512
0
  }
19513
0
  UNLOCK_ZONE(zone);
19514
0
}
19515
19516
void
19517
0
dns_zone_setdnssecsignstats(dns_zone_t *zone, dns_stats_t *stats) {
19518
0
  REQUIRE(DNS_ZONE_VALID(zone));
19519
19520
0
  LOCK_ZONE(zone);
19521
0
  if (stats != NULL && zone->dnssecsignstats == NULL) {
19522
0
    dns_stats_attach(stats, &zone->dnssecsignstats);
19523
0
  }
19524
0
  UNLOCK_ZONE(zone);
19525
0
}
19526
19527
dns_stats_t *
19528
0
dns_zone_getdnssecsignstats(dns_zone_t *zone) {
19529
0
  REQUIRE(DNS_ZONE_VALID(zone));
19530
19531
0
  return (zone->dnssecsignstats);
19532
0
}
19533
19534
isc_stats_t *
19535
0
dns_zone_getrequeststats(dns_zone_t *zone) {
19536
  /*
19537
   * We don't lock zone for efficiency reason.  This is not catastrophic
19538
   * because requeststats must always be valid when requeststats_on is
19539
   * true.
19540
   * Some counters may be incremented while requeststats_on is becoming
19541
   * false, or some cannot be incremented just after the statistics are
19542
   * installed, but it shouldn't matter much in practice.
19543
   */
19544
0
  if (zone->requeststats_on) {
19545
0
    return (zone->requeststats);
19546
0
  } else {
19547
0
    return (NULL);
19548
0
  }
19549
0
}
19550
19551
/*
19552
 * Return the received query stats bucket
19553
 * see note from dns_zone_getrequeststats()
19554
 */
19555
dns_stats_t *
19556
0
dns_zone_getrcvquerystats(dns_zone_t *zone) {
19557
0
  if (zone->requeststats_on) {
19558
0
    return (zone->rcvquerystats);
19559
0
  } else {
19560
0
    return (NULL);
19561
0
  }
19562
0
}
19563
19564
void
19565
0
dns_zone_dialup(dns_zone_t *zone) {
19566
0
  REQUIRE(DNS_ZONE_VALID(zone));
19567
19568
0
  zone_debuglog(zone, __func__, 3, "notify = %d, refresh = %d",
19569
0
          DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
19570
0
          DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
19571
19572
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
19573
0
    dns_zone_notify(zone);
19574
0
  }
19575
0
  if (zone->type != dns_zone_primary &&
19576
0
      dns_remote_addresses(&zone->primaries) != NULL &&
19577
0
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
19578
0
  {
19579
0
    dns_zone_refresh(zone);
19580
0
  }
19581
0
}
19582
19583
void
19584
0
dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
19585
0
  REQUIRE(DNS_ZONE_VALID(zone));
19586
19587
0
  LOCK_ZONE(zone);
19588
0
  DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
19589
0
               DNS_ZONEFLG_DIALREFRESH |
19590
0
               DNS_ZONEFLG_NOREFRESH);
19591
0
  switch (dialup) {
19592
0
  case dns_dialuptype_no:
19593
0
    break;
19594
0
  case dns_dialuptype_yes:
19595
0
    DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
19596
0
          DNS_ZONEFLG_DIALREFRESH |
19597
0
          DNS_ZONEFLG_NOREFRESH));
19598
0
    break;
19599
0
  case dns_dialuptype_notify:
19600
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
19601
0
    break;
19602
0
  case dns_dialuptype_notifypassive:
19603
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
19604
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19605
0
    break;
19606
0
  case dns_dialuptype_refresh:
19607
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
19608
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19609
0
    break;
19610
0
  case dns_dialuptype_passive:
19611
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19612
0
    break;
19613
0
  default:
19614
0
    UNREACHABLE();
19615
0
  }
19616
0
  UNLOCK_ZONE(zone);
19617
0
}
19618
19619
isc_result_t
19620
2
dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
19621
2
  isc_result_t result = ISC_R_SUCCESS;
19622
19623
2
  REQUIRE(DNS_ZONE_VALID(zone));
19624
19625
2
  LOCK_ZONE(zone);
19626
2
  result = dns_zone_setstring(zone, &zone->keydirectory, directory);
19627
2
  UNLOCK_ZONE(zone);
19628
19629
2
  return (result);
19630
2
}
19631
19632
const char *
19633
0
dns_zone_getkeydirectory(dns_zone_t *zone) {
19634
0
  REQUIRE(DNS_ZONE_VALID(zone));
19635
19636
0
  return (zone->keydirectory);
19637
0
}
19638
19639
void
19640
0
dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores) {
19641
0
  REQUIRE(DNS_ZONE_VALID(zone));
19642
19643
0
  LOCK_ZONE(zone);
19644
0
  zone->keystores = keystores;
19645
0
  UNLOCK_ZONE(zone);
19646
0
}
19647
19648
dns_keystorelist_t *
19649
0
dns_zone_getkeystores(dns_zone_t *zone) {
19650
0
  dns_keystorelist_t *ks = NULL;
19651
19652
0
  REQUIRE(DNS_ZONE_VALID(zone));
19653
19654
0
  LOCK_ZONE(zone);
19655
0
  if (inline_raw(zone) && zone->secure != NULL) {
19656
0
    ks = zone->secure->keystores;
19657
0
  } else {
19658
0
    ks = zone->keystores;
19659
0
  }
19660
0
  UNLOCK_ZONE(zone);
19661
19662
0
  return (ks);
19663
0
}
19664
19665
unsigned int
19666
0
dns_zonemgr_getcount(dns_zonemgr_t *zmgr, dns_zonestate_t state) {
19667
0
  dns_zone_t *zone;
19668
0
  unsigned int count = 0;
19669
19670
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
19671
19672
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
19673
0
  switch (state) {
19674
0
  case DNS_ZONESTATE_XFERRUNNING:
19675
0
    for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
19676
0
         zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
19677
0
    {
19678
0
      count++;
19679
0
    }
19680
0
    break;
19681
0
  case DNS_ZONESTATE_XFERDEFERRED:
19682
0
    for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
19683
0
         zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
19684
0
    {
19685
0
      count++;
19686
0
    }
19687
0
    break;
19688
0
  case DNS_ZONESTATE_XFERFIRSTREFRESH:
19689
0
    for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19690
0
         zone = ISC_LIST_NEXT(zone, link))
19691
0
    {
19692
0
      if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH)) {
19693
0
        count++;
19694
0
      }
19695
0
    }
19696
0
    break;
19697
0
  case DNS_ZONESTATE_SOAQUERY:
19698
0
    for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19699
0
         zone = ISC_LIST_NEXT(zone, link))
19700
0
    {
19701
0
      if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
19702
0
        count++;
19703
0
      }
19704
0
    }
19705
0
    break;
19706
0
  case DNS_ZONESTATE_ANY:
19707
0
    for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19708
0
         zone = ISC_LIST_NEXT(zone, link))
19709
0
    {
19710
0
      dns_view_t *view = zone->view;
19711
0
      if (view != NULL && strcmp(view->name, "_bind") == 0) {
19712
0
        continue;
19713
0
      }
19714
0
      count++;
19715
0
    }
19716
0
    break;
19717
0
  case DNS_ZONESTATE_AUTOMATIC:
19718
0
    for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19719
0
         zone = ISC_LIST_NEXT(zone, link))
19720
0
    {
19721
0
      dns_view_t *view = zone->view;
19722
0
      if (view != NULL && strcmp(view->name, "_bind") == 0) {
19723
0
        continue;
19724
0
      }
19725
0
      if (zone->automatic) {
19726
0
        count++;
19727
0
      }
19728
0
    }
19729
0
    break;
19730
0
  default:
19731
0
    UNREACHABLE();
19732
0
  }
19733
19734
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
19735
19736
0
  return (count);
19737
0
}
19738
19739
isc_result_t
19740
dns_zone_getxfr(dns_zone_t *zone, dns_xfrin_t **xfrp, bool *is_firstrefresh,
19741
    bool *is_running, bool *is_deferred, bool *is_presoa,
19742
0
    bool *is_pending, bool *needs_refresh) {
19743
0
  REQUIRE(DNS_ZONE_VALID(zone));
19744
0
  REQUIRE(xfrp != NULL && *xfrp == NULL);
19745
19746
0
  if (zone->zmgr == NULL) {
19747
0
    return (ISC_R_FAILURE);
19748
0
  }
19749
19750
  /* Reset. */
19751
0
  *is_firstrefresh = false;
19752
0
  *is_running = false;
19753
0
  *is_deferred = false;
19754
0
  *is_presoa = false;
19755
0
  *is_pending = false;
19756
0
  *needs_refresh = false;
19757
19758
0
  RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
19759
0
  LOCK_ZONE(zone);
19760
0
  *is_firstrefresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
19761
0
  if (zone->xfr != NULL) {
19762
0
    dns_xfrin_attach(zone->xfr, xfrp);
19763
0
  }
19764
0
  if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
19765
0
    *is_running = true;
19766
    /*
19767
     * The NEEDREFRESH flag is set only when a notify was received
19768
     * while the current zone transfer is running.
19769
     */
19770
0
    *needs_refresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
19771
0
  } else if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
19772
0
    *is_deferred = true;
19773
0
  } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
19774
0
    if (zone->request != NULL) {
19775
0
      *is_presoa = true;
19776
0
    } else {
19777
0
      *is_pending = true;
19778
0
    }
19779
0
  } else {
19780
    /*
19781
     * No operation is ongoing or pending, just check if the zone
19782
     * needs a refresh by looking at the refresh and expire times.
19783
     */
19784
0
    if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
19785
0
        (zone->type == dns_zone_secondary ||
19786
0
         zone->type == dns_zone_mirror ||
19787
0
         zone->type == dns_zone_stub))
19788
0
    {
19789
0
      isc_time_t now = isc_time_now();
19790
0
      if (isc_time_compare(&now, &zone->refreshtime) >= 0 ||
19791
0
          isc_time_compare(&now, &zone->expiretime) >= 0)
19792
0
      {
19793
0
        *needs_refresh = true;
19794
0
      }
19795
0
    }
19796
0
  }
19797
0
  UNLOCK_ZONE(zone);
19798
0
  RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
19799
19800
0
  return (ISC_R_SUCCESS);
19801
0
}
19802
19803
void
19804
0
dns_zone_lock_keyfiles(dns_zone_t *zone) {
19805
0
  REQUIRE(DNS_ZONE_VALID(zone));
19806
19807
0
  if (zone->kasp == NULL) {
19808
    /* No need to lock, nothing is writing key files. */
19809
0
    return;
19810
0
  }
19811
19812
0
  REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
19813
0
  isc_mutex_lock(&zone->kfio->lock);
19814
0
}
19815
19816
void
19817
0
dns_zone_unlock_keyfiles(dns_zone_t *zone) {
19818
0
  REQUIRE(DNS_ZONE_VALID(zone));
19819
19820
0
  if (zone->kasp == NULL) {
19821
    /* No need to lock, nothing is writing key files. */
19822
0
    return;
19823
0
  }
19824
19825
0
  REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
19826
0
  isc_mutex_unlock(&zone->kfio->lock);
19827
0
}
19828
19829
isc_result_t
19830
dns_zone_checknames(dns_zone_t *zone, const dns_name_t *name,
19831
0
        dns_rdata_t *rdata) {
19832
0
  bool ok = true;
19833
0
  bool fail = false;
19834
0
  char namebuf[DNS_NAME_FORMATSIZE];
19835
0
  char namebuf2[DNS_NAME_FORMATSIZE];
19836
0
  char typebuf[DNS_RDATATYPE_FORMATSIZE];
19837
0
  int level = ISC_LOG_WARNING;
19838
0
  dns_name_t bad;
19839
19840
0
  REQUIRE(DNS_ZONE_VALID(zone));
19841
19842
0
  if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES) &&
19843
0
      rdata->type != dns_rdatatype_nsec3)
19844
0
  {
19845
0
    return (ISC_R_SUCCESS);
19846
0
  }
19847
19848
0
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL) ||
19849
0
      rdata->type == dns_rdatatype_nsec3)
19850
0
  {
19851
0
    level = ISC_LOG_ERROR;
19852
0
    fail = true;
19853
0
  }
19854
19855
0
  ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, true);
19856
0
  if (!ok) {
19857
0
    dns_name_format(name, namebuf, sizeof(namebuf));
19858
0
    dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
19859
0
    dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
19860
0
           isc_result_totext(DNS_R_BADOWNERNAME));
19861
0
    if (fail) {
19862
0
      return (DNS_R_BADOWNERNAME);
19863
0
    }
19864
0
  }
19865
19866
0
  dns_name_init(&bad, NULL);
19867
0
  ok = dns_rdata_checknames(rdata, name, &bad);
19868
0
  if (!ok) {
19869
0
    dns_name_format(name, namebuf, sizeof(namebuf));
19870
0
    dns_name_format(&bad, namebuf2, sizeof(namebuf2));
19871
0
    dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
19872
0
    dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
19873
0
           namebuf2, isc_result_totext(DNS_R_BADNAME));
19874
0
    if (fail) {
19875
0
      return (DNS_R_BADNAME);
19876
0
    }
19877
0
  }
19878
19879
0
  return (ISC_R_SUCCESS);
19880
0
}
19881
19882
void
19883
0
dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
19884
0
  REQUIRE(DNS_ZONE_VALID(zone));
19885
0
  zone->checkmx = checkmx;
19886
0
}
19887
19888
void
19889
0
dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
19890
0
  REQUIRE(DNS_ZONE_VALID(zone));
19891
0
  zone->checksrv = checksrv;
19892
0
}
19893
19894
void
19895
0
dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
19896
0
  REQUIRE(DNS_ZONE_VALID(zone));
19897
0
  zone->checkns = checkns;
19898
0
}
19899
19900
void
19901
0
dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
19902
0
  REQUIRE(DNS_ZONE_VALID(zone));
19903
19904
0
  LOCK_ZONE(zone);
19905
0
  zone->isself = isself;
19906
0
  zone->isselfarg = arg;
19907
0
  UNLOCK_ZONE(zone);
19908
0
}
19909
19910
void
19911
0
dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay) {
19912
0
  REQUIRE(DNS_ZONE_VALID(zone));
19913
19914
0
  LOCK_ZONE(zone);
19915
0
  zone->notifydelay = delay;
19916
0
  UNLOCK_ZONE(zone);
19917
0
}
19918
19919
uint32_t
19920
0
dns_zone_getnotifydelay(dns_zone_t *zone) {
19921
0
  REQUIRE(DNS_ZONE_VALID(zone));
19922
19923
0
  return (zone->notifydelay);
19924
0
}
19925
19926
isc_result_t
19927
dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
19928
0
         bool deleteit) {
19929
0
  isc_result_t result;
19930
0
  REQUIRE(DNS_ZONE_VALID(zone));
19931
19932
0
  dnssec_log(zone, ISC_LOG_NOTICE,
19933
0
       "dns_zone_signwithkey(algorithm=%u, keyid=%u)", algorithm,
19934
0
       keyid);
19935
0
  LOCK_ZONE(zone);
19936
0
  result = zone_signwithkey(zone, algorithm, keyid, deleteit);
19937
0
  UNLOCK_ZONE(zone);
19938
19939
0
  return (result);
19940
0
}
19941
19942
/*
19943
 * Called when a dynamic update for an NSEC3PARAM record is received.
19944
 *
19945
 * If set, transform the NSEC3 salt into human-readable form so that it can be
19946
 * logged.  Then call zone_addnsec3chain(), passing NSEC3PARAM RDATA to it.
19947
 */
19948
isc_result_t
19949
0
dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
19950
0
  isc_result_t result;
19951
0
  char salt[255 * 2 + 1];
19952
19953
0
  REQUIRE(DNS_ZONE_VALID(zone));
19954
19955
0
  result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
19956
0
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
19957
0
  dnssec_log(zone, ISC_LOG_NOTICE,
19958
0
       "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
19959
0
       nsec3param->hash, nsec3param->iterations, salt);
19960
0
  LOCK_ZONE(zone);
19961
0
  result = zone_addnsec3chain(zone, nsec3param);
19962
0
  UNLOCK_ZONE(zone);
19963
19964
0
  return (result);
19965
0
}
19966
19967
void
19968
0
dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes) {
19969
0
  REQUIRE(DNS_ZONE_VALID(zone));
19970
19971
0
  if (nodes == 0) {
19972
0
    nodes = 1;
19973
0
  }
19974
0
  zone->nodes = nodes;
19975
0
}
19976
19977
void
19978
0
dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures) {
19979
0
  REQUIRE(DNS_ZONE_VALID(zone));
19980
19981
  /*
19982
   * We treat signatures as a signed value so explicitly
19983
   * limit its range here.
19984
   */
19985
0
  if (signatures > INT32_MAX) {
19986
0
    signatures = INT32_MAX;
19987
0
  } else if (signatures == 0) {
19988
0
    signatures = 1;
19989
0
  }
19990
0
  zone->signatures = signatures;
19991
0
}
19992
19993
uint32_t
19994
0
dns_zone_getsignatures(dns_zone_t *zone) {
19995
0
  REQUIRE(DNS_ZONE_VALID(zone));
19996
0
  return (zone->signatures);
19997
0
}
19998
19999
void
20000
0
dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
20001
0
  REQUIRE(DNS_ZONE_VALID(zone));
20002
0
  zone->privatetype = type;
20003
0
}
20004
20005
dns_rdatatype_t
20006
0
dns_zone_getprivatetype(dns_zone_t *zone) {
20007
0
  REQUIRE(DNS_ZONE_VALID(zone));
20008
0
  return (zone->privatetype);
20009
0
}
20010
20011
static isc_result_t
20012
zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
20013
0
     bool deleteit) {
20014
0
  dns_signing_t *signing;
20015
0
  dns_signing_t *current;
20016
0
  isc_result_t result = ISC_R_SUCCESS;
20017
0
  isc_time_t now;
20018
0
  dns_db_t *db = NULL;
20019
20020
0
  signing = isc_mem_get(zone->mctx, sizeof *signing);
20021
20022
0
  signing->magic = 0;
20023
0
  signing->db = NULL;
20024
0
  signing->dbiterator = NULL;
20025
0
  signing->algorithm = algorithm;
20026
0
  signing->keyid = keyid;
20027
0
  signing->deleteit = deleteit;
20028
0
  signing->done = false;
20029
20030
0
  now = isc_time_now();
20031
20032
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
20033
0
  if (zone->db != NULL) {
20034
0
    dns_db_attach(zone->db, &db);
20035
0
  }
20036
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
20037
20038
0
  if (db == NULL) {
20039
0
    result = ISC_R_NOTFOUND;
20040
0
    goto cleanup;
20041
0
  }
20042
20043
0
  dns_db_attach(db, &signing->db);
20044
20045
0
  for (current = ISC_LIST_HEAD(zone->signing); current != NULL;
20046
0
       current = ISC_LIST_NEXT(current, link))
20047
0
  {
20048
0
    if (current->db == signing->db &&
20049
0
        current->algorithm == signing->algorithm &&
20050
0
        current->keyid == signing->keyid)
20051
0
    {
20052
0
      if (current->deleteit != signing->deleteit) {
20053
0
        current->done = true;
20054
0
      } else {
20055
0
        goto cleanup;
20056
0
      }
20057
0
    }
20058
0
  }
20059
20060
0
  result = dns_db_createiterator(signing->db, 0, &signing->dbiterator);
20061
20062
0
  if (result == ISC_R_SUCCESS) {
20063
0
    result = dns_dbiterator_first(signing->dbiterator);
20064
0
  }
20065
0
  if (result == ISC_R_SUCCESS) {
20066
0
    dns_dbiterator_pause(signing->dbiterator);
20067
0
    ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
20068
0
    signing = NULL;
20069
0
    if (isc_time_isepoch(&zone->signingtime)) {
20070
0
      zone->signingtime = now;
20071
0
      if (zone->loop != NULL) {
20072
0
        zone_settimer(zone, &now);
20073
0
      }
20074
0
    }
20075
0
  }
20076
20077
0
cleanup:
20078
0
  if (signing != NULL) {
20079
0
    if (signing->db != NULL) {
20080
0
      dns_db_detach(&signing->db);
20081
0
    }
20082
0
    if (signing->dbiterator != NULL) {
20083
0
      dns_dbiterator_destroy(&signing->dbiterator);
20084
0
    }
20085
0
    isc_mem_put(zone->mctx, signing, sizeof *signing);
20086
0
  }
20087
0
  if (db != NULL) {
20088
0
    dns_db_detach(&db);
20089
0
  }
20090
0
  return (result);
20091
0
}
20092
20093
/* Called once; *timep should be set to the current time. */
20094
static isc_result_t
20095
0
next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
20096
0
  isc_result_t result;
20097
0
  isc_stdtime_t now, then = 0, event;
20098
0
  int i;
20099
20100
0
  now = *timep;
20101
20102
0
  for (i = 0; i <= DST_MAX_TIMES; i++) {
20103
0
    result = dst_key_gettime(key, i, &event);
20104
0
    if (result == ISC_R_SUCCESS && event > now &&
20105
0
        (then == 0 || event < then))
20106
0
    {
20107
0
      then = event;
20108
0
    }
20109
0
  }
20110
20111
0
  if (then != 0) {
20112
0
    *timep = then;
20113
0
    return (ISC_R_SUCCESS);
20114
0
  }
20115
20116
0
  return (ISC_R_NOTFOUND);
20117
0
}
20118
20119
static isc_result_t
20120
rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
20121
0
    const dns_rdata_t *rdata, bool *flag) {
20122
0
  dns_rdataset_t rdataset;
20123
0
  dns_dbnode_t *node = NULL;
20124
0
  isc_result_t result;
20125
20126
0
  dns_rdataset_init(&rdataset);
20127
0
  if (rdata->type == dns_rdatatype_nsec3) {
20128
0
    CHECK(dns_db_findnsec3node(db, name, false, &node));
20129
0
  } else {
20130
0
    CHECK(dns_db_findnode(db, name, false, &node));
20131
0
  }
20132
0
  result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
20133
0
             (isc_stdtime_t)0, &rdataset, NULL);
20134
0
  if (result == ISC_R_NOTFOUND) {
20135
0
    *flag = false;
20136
0
    result = ISC_R_SUCCESS;
20137
0
    goto failure;
20138
0
  }
20139
20140
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
20141
0
       result = dns_rdataset_next(&rdataset))
20142
0
  {
20143
0
    dns_rdata_t myrdata = DNS_RDATA_INIT;
20144
0
    dns_rdataset_current(&rdataset, &myrdata);
20145
0
    if (!dns_rdata_compare(&myrdata, rdata)) {
20146
0
      break;
20147
0
    }
20148
0
  }
20149
0
  dns_rdataset_disassociate(&rdataset);
20150
0
  if (result == ISC_R_SUCCESS) {
20151
0
    *flag = true;
20152
0
  } else if (result == ISC_R_NOMORE) {
20153
0
    *flag = false;
20154
0
    result = ISC_R_SUCCESS;
20155
0
  }
20156
20157
0
failure:
20158
0
  if (node != NULL) {
20159
0
    dns_db_detachnode(db, &node);
20160
0
  }
20161
0
  return (result);
20162
0
}
20163
20164
/*
20165
 * Add records to signal the state of signing or of key removal.
20166
 */
20167
static isc_result_t
20168
add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
20169
0
        dns_dbversion_t *ver, dns_diff_t *diff, bool sign_all) {
20170
0
  dns_difftuple_t *tuple = NULL, *newtuple = NULL, *next = NULL;
20171
0
  dns_difftuple_t *addtuple = NULL, *deltuple = NULL;
20172
0
  dns_rdata_dnskey_t dnskey;
20173
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
20174
0
  bool flag;
20175
0
  isc_region_t r;
20176
0
  isc_result_t result = ISC_R_SUCCESS;
20177
0
  uint16_t keyid;
20178
0
  unsigned char buf[5];
20179
0
  dns_name_t *name = dns_db_origin(db);
20180
0
  dns_difftuplelist_t add = ISC_LIST_INITIALIZER;
20181
0
  dns_difftuplelist_t del = ISC_LIST_INITIALIZER;
20182
0
  dns_difftuplelist_t tuples = ISC_LIST_INITIALIZER;
20183
20184
  /*
20185
   * Move non DNSKEY and not DNSSEC DNSKEY records to tuples
20186
   * and sort the remaining DNSKEY records to add and del.
20187
   */
20188
0
  for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
20189
0
       tuple = ISC_LIST_HEAD(diff->tuples))
20190
0
  {
20191
0
    if (tuple->rdata.type != dns_rdatatype_dnskey) {
20192
0
      ISC_LIST_UNLINK(diff->tuples, tuple, link);
20193
0
      ISC_LIST_APPEND(tuples, tuple, link);
20194
0
      continue;
20195
0
    }
20196
20197
0
    result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
20198
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
20199
0
    if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
20200
0
             DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
20201
0
    {
20202
0
      ISC_LIST_UNLINK(diff->tuples, tuple, link);
20203
0
      ISC_LIST_APPEND(tuples, tuple, link);
20204
0
      continue;
20205
0
    }
20206
20207
0
    ISC_LIST_UNLINK(diff->tuples, tuple, link);
20208
0
    switch (tuple->op) {
20209
0
    case DNS_DIFFOP_DEL:
20210
0
    case DNS_DIFFOP_DELRESIGN:
20211
0
      ISC_LIST_APPEND(del, tuple, link);
20212
0
      break;
20213
0
    case DNS_DIFFOP_ADD:
20214
0
    case DNS_DIFFOP_ADDRESIGN:
20215
0
      ISC_LIST_APPEND(add, tuple, link);
20216
0
      break;
20217
0
    default:
20218
0
      UNREACHABLE();
20219
0
    }
20220
0
  }
20221
20222
  /*
20223
   * Put the tuples that don't need more processing back onto
20224
   * diff->tuples.
20225
   */
20226
0
  ISC_LIST_APPENDLIST(diff->tuples, tuples, link);
20227
20228
  /*
20229
   * Filter out DNSKEY TTL changes and put them back onto diff->tuples.
20230
   */
20231
0
  for (deltuple = ISC_LIST_HEAD(del); deltuple != NULL; deltuple = next) {
20232
0
    next = ISC_LIST_NEXT(deltuple, link);
20233
0
    for (addtuple = ISC_LIST_HEAD(add); addtuple != NULL;
20234
0
         addtuple = ISC_LIST_NEXT(addtuple, link))
20235
0
    {
20236
0
      int n = dns_rdata_compare(&deltuple->rdata,
20237
0
              &addtuple->rdata);
20238
0
      if (n == 0) {
20239
0
        ISC_LIST_UNLINK(del, deltuple, link);
20240
0
        ISC_LIST_APPEND(diff->tuples, deltuple, link);
20241
0
        ISC_LIST_UNLINK(add, addtuple, link);
20242
0
        ISC_LIST_APPEND(diff->tuples, addtuple, link);
20243
0
        break;
20244
0
      }
20245
0
    }
20246
0
  }
20247
20248
  /*
20249
   * Combine any remaining DNSKEY changes together.
20250
   */
20251
0
  ISC_LIST_APPENDLIST(tuples, add, link);
20252
0
  ISC_LIST_APPENDLIST(tuples, del, link);
20253
20254
  /*
20255
   * Add private records for keys that have been removed
20256
   * or added.
20257
   */
20258
0
  for (tuple = ISC_LIST_HEAD(tuples); tuple != NULL;
20259
0
       tuple = ISC_LIST_NEXT(tuple, link))
20260
0
  {
20261
0
    dns_rdata_toregion(&tuple->rdata, &r);
20262
20263
0
    keyid = dst_region_computeid(&r);
20264
20265
0
    buf[0] = dnskey.algorithm;
20266
0
    buf[1] = (keyid & 0xff00) >> 8;
20267
0
    buf[2] = (keyid & 0xff);
20268
0
    buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
20269
0
    buf[4] = 0;
20270
0
    rdata.data = buf;
20271
0
    rdata.length = sizeof(buf);
20272
0
    rdata.type = privatetype;
20273
0
    rdata.rdclass = tuple->rdata.rdclass;
20274
20275
0
    if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
20276
0
      CHECK(rr_exists(db, ver, name, &rdata, &flag));
20277
0
      if (flag) {
20278
0
        continue;
20279
0
      }
20280
20281
0
      CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
20282
0
               name, 0, &rdata, &newtuple));
20283
0
      CHECK(do_one_tuple(&newtuple, db, ver, diff));
20284
0
      INSIST(newtuple == NULL);
20285
0
    }
20286
20287
    /*
20288
     * Remove any record which says this operation has already
20289
     * completed.
20290
     */
20291
0
    buf[4] = 1;
20292
0
    CHECK(rr_exists(db, ver, name, &rdata, &flag));
20293
0
    if (flag) {
20294
0
      CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
20295
0
               name, 0, &rdata, &newtuple));
20296
0
      CHECK(do_one_tuple(&newtuple, db, ver, diff));
20297
0
      INSIST(newtuple == NULL);
20298
0
    }
20299
0
  }
20300
20301
0
failure:
20302
  /*
20303
   * Put the DNSKEY changes we cared about back on diff->tuples.
20304
   */
20305
0
  ISC_LIST_APPENDLIST(diff->tuples, tuples, link);
20306
0
  INSIST(ISC_LIST_EMPTY(add));
20307
0
  INSIST(ISC_LIST_EMPTY(del));
20308
0
  INSIST(ISC_LIST_EMPTY(tuples));
20309
0
  return (result);
20310
0
}
20311
20312
/*
20313
 * See if dns__zone_updatesigs() will update signature for RRset 'rrtype' at
20314
 * the apex, and if not tickle them and cause to sign so that newly activated
20315
 * keys are used.
20316
 */
20317
static isc_result_t
20318
tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
20319
      dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff,
20320
      dns__zonediff_t *zonediff, dst_key_t **keys,
20321
      unsigned int nkeys, isc_stdtime_t inception,
20322
0
      isc_stdtime_t keyexpire) {
20323
0
  dns_difftuple_t *tuple;
20324
0
  isc_result_t result;
20325
20326
0
  for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
20327
0
       tuple = ISC_LIST_NEXT(tuple, link))
20328
0
  {
20329
0
    if (tuple->rdata.type == rrtype &&
20330
0
        dns_name_equal(&tuple->name, &zone->origin))
20331
0
    {
20332
0
      break;
20333
0
    }
20334
0
  }
20335
20336
0
  if (tuple == NULL) {
20337
0
    result = del_sigs(zone, db, ver, &zone->origin, rrtype,
20338
0
          zonediff, keys, nkeys, now, false);
20339
0
    if (result != ISC_R_SUCCESS) {
20340
0
      dnssec_log(zone, ISC_LOG_ERROR,
20341
0
           "sign_apex:del_sigs -> %s",
20342
0
           isc_result_totext(result));
20343
0
      return (result);
20344
0
    }
20345
0
    result = add_sigs(db, ver, &zone->origin, zone, rrtype,
20346
0
          zonediff->diff, keys, nkeys, zone->mctx, now,
20347
0
          inception, keyexpire);
20348
0
    if (result != ISC_R_SUCCESS) {
20349
0
      dnssec_log(zone, ISC_LOG_ERROR,
20350
0
           "sign_apex:add_sigs -> %s",
20351
0
           isc_result_totext(result));
20352
0
      return (result);
20353
0
    }
20354
0
  }
20355
20356
0
  return (ISC_R_SUCCESS);
20357
0
}
20358
20359
static isc_result_t
20360
sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20361
0
    isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) {
20362
0
  isc_result_t result;
20363
0
  isc_stdtime_t inception, soaexpire, keyexpire;
20364
0
  dst_key_t *zone_keys[DNS_MAXZONEKEYS];
20365
0
  unsigned int nkeys = 0, i;
20366
20367
0
  result = dns_zone_findkeys(zone, db, ver, now, zone->mctx,
20368
0
           DNS_MAXZONEKEYS, zone_keys, &nkeys);
20369
0
  if (result != ISC_R_SUCCESS) {
20370
0
    dnssec_log(zone, ISC_LOG_ERROR,
20371
0
         "sign_apex:dns_zone_findkeys -> %s",
20372
0
         isc_result_totext(result));
20373
0
    return (result);
20374
0
  }
20375
20376
0
  inception = now - 3600; /* Allow for clock skew. */
20377
0
  soaexpire = now + dns_zone_getsigvalidityinterval(zone);
20378
20379
0
  keyexpire = dns_zone_getkeyvalidityinterval(zone);
20380
0
  if (keyexpire == 0) {
20381
0
    keyexpire = soaexpire - 1;
20382
0
  } else {
20383
0
    keyexpire += now;
20384
0
  }
20385
20386
  /*
20387
   * See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY
20388
   * signature and if not cause them to sign so that newly activated
20389
   * keys are used.
20390
   */
20391
0
  result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
20392
0
           diff, zonediff, zone_keys, nkeys, inception,
20393
0
           keyexpire);
20394
0
  if (result != ISC_R_SUCCESS) {
20395
0
    goto failure;
20396
0
  }
20397
0
  result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff,
20398
0
           zonediff, zone_keys, nkeys, inception,
20399
0
           keyexpire);
20400
0
  if (result != ISC_R_SUCCESS) {
20401
0
    goto failure;
20402
0
  }
20403
0
  result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
20404
0
           diff, zonediff, zone_keys, nkeys, inception,
20405
0
           keyexpire);
20406
0
  if (result != ISC_R_SUCCESS) {
20407
0
    goto failure;
20408
0
  }
20409
20410
0
  result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
20411
0
              inception, soaexpire, keyexpire, now,
20412
0
              zonediff);
20413
20414
0
  if (result != ISC_R_SUCCESS) {
20415
0
    dnssec_log(zone, ISC_LOG_ERROR,
20416
0
         "sign_apex:dns__zone_updatesigs -> %s",
20417
0
         isc_result_totext(result));
20418
0
    goto failure;
20419
0
  }
20420
20421
0
failure:
20422
0
  for (i = 0; i < nkeys; i++) {
20423
0
    dst_key_free(&zone_keys[i]);
20424
0
  }
20425
0
  return (result);
20426
0
}
20427
20428
static isc_result_t
20429
clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20430
0
     dns_diff_t *diff) {
20431
0
  isc_result_t result;
20432
0
  dns_dbnode_t *node = NULL;
20433
0
  dns_rdataset_t rdataset;
20434
20435
0
  dns_rdataset_init(&rdataset);
20436
0
  CHECK(dns_db_getoriginnode(db, &node));
20437
20438
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
20439
0
             dns_rdatatype_none, 0, &rdataset, NULL);
20440
0
  if (dns_rdataset_isassociated(&rdataset)) {
20441
0
    dns_rdataset_disassociate(&rdataset);
20442
0
  }
20443
0
  if (result != ISC_R_NOTFOUND) {
20444
0
    goto failure;
20445
0
  }
20446
20447
0
  result = dns_nsec3param_deletechains(db, ver, zone, true, diff);
20448
20449
0
failure:
20450
0
  if (node != NULL) {
20451
0
    dns_db_detachnode(db, &node);
20452
0
  }
20453
0
  return (result);
20454
0
}
20455
20456
/*
20457
 * Given an RRSIG rdataset and an algorithm, determine whether there
20458
 * are any signatures using that algorithm.
20459
 */
20460
static bool
20461
0
signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
20462
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
20463
0
  dns_rdata_rrsig_t rrsig;
20464
0
  isc_result_t result;
20465
20466
0
  REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
20467
0
  if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
20468
0
    return (false);
20469
0
  }
20470
20471
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
20472
0
       result = dns_rdataset_next(rdataset))
20473
0
  {
20474
0
    dns_rdataset_current(rdataset, &rdata);
20475
0
    result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
20476
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
20477
0
    dns_rdata_reset(&rdata);
20478
0
    if (rrsig.algorithm == alg) {
20479
0
      return (true);
20480
0
    }
20481
0
  }
20482
20483
0
  return (false);
20484
0
}
20485
20486
static isc_result_t
20487
add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20488
0
     dns_diff_t *diff) {
20489
0
  dns_name_t *origin;
20490
0
  bool build_nsec3;
20491
0
  isc_result_t result;
20492
20493
0
  origin = dns_db_origin(db);
20494
0
  CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
20495
0
         &build_nsec3));
20496
0
  if (build_nsec3) {
20497
0
    CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone_nsecttl(zone),
20498
0
             false, zone->privatetype, diff));
20499
0
  }
20500
0
  CHECK(updatesecure(db, ver, origin, zone_nsecttl(zone), true, diff));
20501
20502
0
failure:
20503
0
  return (result);
20504
0
}
20505
20506
static void
20507
0
dnssec_report(const char *format, ...) {
20508
0
  va_list args;
20509
0
  va_start(args, format);
20510
0
  isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE,
20511
0
           ISC_LOG_INFO, format, args);
20512
0
  va_end(args);
20513
0
}
20514
20515
static void
20516
0
checkds_destroy(dns_checkds_t *checkds, bool locked) {
20517
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
20518
20519
0
  dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
20520
0
         "checkds: destroy DS query");
20521
20522
0
  if (checkds->zone != NULL) {
20523
0
    if (!locked) {
20524
0
      LOCK_ZONE(checkds->zone);
20525
0
    }
20526
0
    REQUIRE(LOCKED_ZONE(checkds->zone));
20527
0
    if (ISC_LINK_LINKED(checkds, link)) {
20528
0
      ISC_LIST_UNLINK(checkds->zone->checkds_requests,
20529
0
          checkds, link);
20530
0
    }
20531
0
    if (!locked) {
20532
0
      UNLOCK_ZONE(checkds->zone);
20533
0
    }
20534
0
    if (locked) {
20535
0
      zone_idetach(&checkds->zone);
20536
0
    } else {
20537
0
      dns_zone_idetach(&checkds->zone);
20538
0
    }
20539
0
  }
20540
0
  if (checkds->find != NULL) {
20541
0
    dns_adb_destroyfind(&checkds->find);
20542
0
  }
20543
0
  if (checkds->request != NULL) {
20544
0
    dns_request_destroy(&checkds->request);
20545
0
  }
20546
0
  if (dns_name_dynamic(&checkds->ns)) {
20547
0
    dns_name_free(&checkds->ns, checkds->mctx);
20548
0
  }
20549
0
  if (checkds->key != NULL) {
20550
0
    dns_tsigkey_detach(&checkds->key);
20551
0
  }
20552
0
  if (checkds->transport != NULL) {
20553
0
    dns_transport_detach(&checkds->transport);
20554
0
  }
20555
0
  INSIST(checkds->rlevent == NULL);
20556
0
  isc_mem_putanddetach(&checkds->mctx, checkds, sizeof(*checkds));
20557
0
}
20558
20559
static isc_result_t
20560
make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
20561
0
      dns_rdata_t *target) {
20562
0
  isc_result_t result;
20563
0
  isc_buffer_t b;
20564
0
  isc_region_t r;
20565
20566
0
  isc_buffer_init(&b, buf, bufsize);
20567
0
  result = dst_key_todns(key, &b);
20568
0
  if (result != ISC_R_SUCCESS) {
20569
0
    return (result);
20570
0
  }
20571
20572
0
  dns_rdata_reset(target);
20573
0
  isc_buffer_usedregion(&b, &r);
20574
0
  dns_rdata_fromregion(target, dst_key_class(key), dns_rdatatype_dnskey,
20575
0
           &r);
20576
0
  return (ISC_R_SUCCESS);
20577
0
}
20578
20579
static bool
20580
do_checkds(dns_zone_t *zone, dst_key_t *key, isc_stdtime_t now,
20581
0
     bool dspublish) {
20582
0
  dns_kasp_t *kasp = zone->kasp;
20583
0
  isc_result_t result;
20584
0
  uint32_t count = 0;
20585
0
  uint32_t num;
20586
20587
0
  switch (zone->checkdstype) {
20588
0
  case dns_checkdstype_yes:
20589
0
    num = zone->parent_nscount;
20590
0
    break;
20591
0
  case dns_checkdstype_explicit:
20592
0
    num = dns_remote_count(&zone->parentals);
20593
0
    break;
20594
0
  case dns_checkdstype_no:
20595
0
  default:
20596
0
    dns_zone_log(zone, ISC_LOG_WARNING,
20597
0
           "checkds: option is disabled");
20598
0
    return (false);
20599
0
  }
20600
20601
0
  if (dspublish) {
20602
0
    (void)dst_key_getnum(key, DST_NUM_DSPUBCOUNT, &count);
20603
0
    count += 1;
20604
0
    dst_key_setnum(key, DST_NUM_DSPUBCOUNT, count);
20605
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
20606
0
           "checkds: %u DS published "
20607
0
           "for key %u",
20608
0
           count, dst_key_id(key));
20609
20610
0
    if (count != num) {
20611
0
      return false;
20612
0
    }
20613
0
  } else {
20614
0
    (void)dst_key_getnum(key, DST_NUM_DSDELCOUNT, &count);
20615
0
    count += 1;
20616
0
    dst_key_setnum(key, DST_NUM_DSDELCOUNT, count);
20617
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
20618
0
           "checkds: %u DS withdrawn "
20619
0
           "for key %u",
20620
0
           count, dst_key_id(key));
20621
20622
0
    if (count != num) {
20623
0
      return false;
20624
0
    }
20625
0
  }
20626
20627
0
  dns_zone_log(zone, ISC_LOG_DEBUG(3),
20628
0
         "checkds: checkds %s for key "
20629
0
         "%u",
20630
0
         dspublish ? "published" : "withdrawn", dst_key_id(key));
20631
20632
0
  dns_zone_lock_keyfiles(zone);
20633
0
  result = dns_keymgr_checkds_id(kasp, &zone->checkds_ok, now, now,
20634
0
               dspublish, dst_key_id(key),
20635
0
               dst_key_alg(key));
20636
0
  dns_zone_unlock_keyfiles(zone);
20637
20638
0
  if (result != ISC_R_SUCCESS) {
20639
0
    dns_zone_log(zone, ISC_LOG_WARNING,
20640
0
           "checkds: checkds for key %u failed: %s",
20641
0
           dst_key_id(key), isc_result_totext(result));
20642
0
    return false;
20643
0
  }
20644
20645
0
  return true;
20646
0
}
20647
20648
static isc_result_t
20649
0
validate_ds(dns_zone_t *zone, dns_message_t *message) {
20650
0
  UNUSED(zone);
20651
0
  UNUSED(message);
20652
20653
  /* Get closest trust anchor */
20654
20655
  /* Check that trust anchor is (grand)parent of zone. */
20656
20657
  /* Find the DNSKEY signing the message. */
20658
20659
  /* Check that DNSKEY is in chain of trust. */
20660
20661
  /* Validate DS RRset. */
20662
20663
0
  return (ISC_R_SUCCESS);
20664
0
}
20665
20666
static void
20667
0
checkds_done(void *arg) {
20668
0
  dns_request_t *request = (dns_request_t *)arg;
20669
0
  dns_checkds_t *checkds = dns_request_getarg(request);
20670
0
  char addrbuf[ISC_SOCKADDR_FORMATSIZE];
20671
0
  char rcode[128];
20672
0
  dns_zone_t *zone = NULL;
20673
0
  dns_db_t *db = NULL;
20674
0
  dns_dbversion_t *version = NULL;
20675
0
  dns_dnsseckey_t *key = NULL;
20676
0
  dns_dnsseckeylist_t keys;
20677
0
  dns_kasp_t *kasp = NULL;
20678
0
  dns_message_t *message = NULL;
20679
0
  dns_rdataset_t *ds_rrset = NULL;
20680
0
  isc_buffer_t buf;
20681
0
  isc_result_t result;
20682
0
  isc_stdtime_t now;
20683
0
  isc_time_t timenow;
20684
0
  bool rekey = false;
20685
0
  bool empty = false;
20686
20687
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
20688
20689
0
  zone = checkds->zone;
20690
20691
0
  ISC_LIST_INIT(keys);
20692
20693
0
  kasp = zone->kasp;
20694
0
  INSIST(kasp != NULL);
20695
20696
0
  isc_buffer_init(&buf, rcode, sizeof(rcode));
20697
0
  isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
20698
20699
0
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "checkds: DS query to %s: done",
20700
0
         addrbuf);
20701
20702
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
20703
0
         &message);
20704
0
  INSIST(message != NULL);
20705
20706
0
  CHECK(dns_request_getresult(request));
20707
0
  CHECK(dns_request_getresponse(request, message,
20708
0
              DNS_MESSAGEPARSE_PRESERVEORDER));
20709
0
  CHECK(dns_rcode_totext(message->rcode, &buf));
20710
20711
0
  dns_zone_log(zone, ISC_LOG_DEBUG(3),
20712
0
         "checkds: DS response from %s: %.*s", addrbuf,
20713
0
         (int)buf.used, rcode);
20714
20715
  /* Validate response. */
20716
0
  CHECK(validate_ds(zone, message));
20717
20718
  /* Check RCODE. */
20719
0
  if (message->rcode != dns_rcode_noerror) {
20720
0
    dns_zone_log(zone, ISC_LOG_NOTICE,
20721
0
           "checkds: bad DS response from %s: %.*s", addrbuf,
20722
0
           (int)buf.used, rcode);
20723
0
    goto failure;
20724
0
  }
20725
20726
  /* Make sure that either AA or RA bit is set. */
20727
0
  if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
20728
0
      (message->flags & DNS_MESSAGEFLAG_RA) == 0)
20729
0
  {
20730
0
    dns_zone_log(zone, ISC_LOG_NOTICE,
20731
0
           "checkds: bad DS response from %s: expected AA or "
20732
0
           "RA bit set",
20733
0
           addrbuf);
20734
0
    goto failure;
20735
0
  }
20736
20737
  /* Lookup DS RRset. */
20738
0
  result = dns_message_firstname(message, DNS_SECTION_ANSWER);
20739
0
  while (result == ISC_R_SUCCESS) {
20740
0
    dns_name_t *name = NULL;
20741
0
    dns_rdataset_t *rdataset;
20742
20743
0
    dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
20744
0
    if (dns_name_compare(&zone->origin, name) != 0) {
20745
0
      goto next;
20746
0
    }
20747
20748
0
    for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
20749
0
         rdataset = ISC_LIST_NEXT(rdataset, link))
20750
0
    {
20751
0
      if (rdataset->type != dns_rdatatype_ds) {
20752
0
        goto next;
20753
0
      }
20754
20755
0
      ds_rrset = rdataset;
20756
0
      break;
20757
0
    }
20758
20759
0
    if (ds_rrset != NULL) {
20760
0
      break;
20761
0
    }
20762
20763
0
  next:
20764
0
    result = dns_message_nextname(message, DNS_SECTION_ANSWER);
20765
0
  }
20766
20767
0
  if (ds_rrset == NULL) {
20768
0
    empty = true;
20769
0
    dns_zone_log(zone, ISC_LOG_NOTICE,
20770
0
           "checkds: empty DS response from %s", addrbuf);
20771
0
  }
20772
20773
0
  timenow = isc_time_now();
20774
0
  now = isc_time_seconds(&timenow);
20775
20776
0
  CHECK(dns_zone_getdb(zone, &db));
20777
0
  dns_db_currentversion(db, &version);
20778
20779
0
  KASP_LOCK(kasp);
20780
0
  LOCK_ZONE(zone);
20781
0
  for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL;
20782
0
       key = ISC_LIST_NEXT(key, link))
20783
0
  {
20784
0
    bool alldone = false, found = false;
20785
0
    bool checkdspub = false, checkdsdel = false, ksk = false;
20786
0
    dst_key_state_t ds_state = DST_KEY_STATE_NA;
20787
0
    isc_stdtime_t published = 0, withdrawn = 0;
20788
0
    isc_result_t ret = ISC_R_SUCCESS;
20789
20790
    /* Is this key have the KSK role? */
20791
0
    (void)dst_key_role(key->key, &ksk, NULL);
20792
0
    if (!ksk) {
20793
0
      continue;
20794
0
    }
20795
20796
    /* Do we need to check the DS RRset for this key? */
20797
0
    (void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state);
20798
0
    (void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published);
20799
0
    (void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn);
20800
20801
0
    if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) {
20802
0
      checkdspub = true;
20803
0
    } else if (ds_state == DST_KEY_STATE_UNRETENTIVE &&
20804
0
         withdrawn == 0)
20805
0
    {
20806
0
      checkdsdel = true;
20807
0
    }
20808
0
    if (!checkdspub && !checkdsdel) {
20809
0
      continue;
20810
0
    }
20811
20812
0
    if (empty) {
20813
0
      goto dswithdrawn;
20814
0
    }
20815
20816
    /* Find the appropriate DS record. */
20817
0
    ret = dns_rdataset_first(ds_rrset);
20818
0
    while (ret == ISC_R_SUCCESS) {
20819
0
      dns_rdata_ds_t ds;
20820
0
      dns_rdata_t dnskey = DNS_RDATA_INIT;
20821
0
      dns_rdata_t dsrdata = DNS_RDATA_INIT;
20822
0
      dns_rdata_t rdata = DNS_RDATA_INIT;
20823
0
      isc_result_t r;
20824
0
      unsigned char dsbuf[DNS_DS_BUFFERSIZE];
20825
0
      unsigned char keybuf[DST_KEY_MAXSIZE];
20826
20827
0
      dns_rdataset_current(ds_rrset, &rdata);
20828
0
      r = dns_rdata_tostruct(&rdata, &ds, NULL);
20829
0
      if (r != ISC_R_SUCCESS) {
20830
0
        goto nextds;
20831
0
      }
20832
      /* Check key tag and algorithm. */
20833
0
      if (dst_key_id(key->key) != ds.key_tag) {
20834
0
        goto nextds;
20835
0
      }
20836
0
      if (dst_key_alg(key->key) != ds.algorithm) {
20837
0
        goto nextds;
20838
0
      }
20839
      /* Derive DS from DNSKEY, see if the rdata is equal. */
20840
0
      make_dnskey(key->key, keybuf, sizeof(keybuf), &dnskey);
20841
0
      r = dns_ds_buildrdata(&zone->origin, &dnskey,
20842
0
                ds.digest_type, dsbuf, &dsrdata);
20843
0
      if (r != ISC_R_SUCCESS) {
20844
0
        goto nextds;
20845
0
      }
20846
0
      if (dns_rdata_compare(&rdata, &dsrdata) == 0) {
20847
0
        found = true;
20848
0
        if (checkdspub) {
20849
          /* DS Published. */
20850
0
          alldone = do_checkds(zone, key->key,
20851
0
                   now, true);
20852
0
          if (alldone) {
20853
0
            rekey = true;
20854
0
          }
20855
0
        }
20856
0
      }
20857
20858
0
    nextds:
20859
0
      ret = dns_rdataset_next(ds_rrset);
20860
0
    }
20861
20862
0
  dswithdrawn:
20863
    /* DS withdrawn. */
20864
0
    if (checkdsdel && !found) {
20865
0
      alldone = do_checkds(zone, key->key, now, false);
20866
0
      if (alldone) {
20867
0
        rekey = true;
20868
0
      }
20869
0
    }
20870
0
  }
20871
0
  UNLOCK_ZONE(zone);
20872
0
  KASP_UNLOCK(kasp);
20873
20874
  /* Rekey after checkds. */
20875
0
  if (rekey) {
20876
0
    dns_zone_rekey(zone, false);
20877
0
  }
20878
20879
0
failure:
20880
0
  if (result != ISC_R_SUCCESS) {
20881
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
20882
0
           "checkds: DS request failed: %s",
20883
0
           isc_result_totext(result));
20884
0
  }
20885
20886
0
  if (version != NULL) {
20887
0
    dns_db_closeversion(db, &version, false);
20888
0
  }
20889
0
  if (db != NULL) {
20890
0
    dns_db_detach(&db);
20891
0
  }
20892
20893
0
  while (!ISC_LIST_EMPTY(keys)) {
20894
0
    key = ISC_LIST_HEAD(keys);
20895
0
    ISC_LIST_UNLINK(keys, key, link);
20896
0
    dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
20897
0
  }
20898
20899
0
  checkds_destroy(checkds, false);
20900
0
  dns_message_detach(&message);
20901
0
}
20902
20903
static bool
20904
checkds_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr,
20905
0
     dns_tsigkey_t *key, dns_transport_t *transport) {
20906
0
  dns_checkds_t *checkds;
20907
20908
0
  for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
20909
0
       checkds = ISC_LIST_NEXT(checkds, link))
20910
0
  {
20911
0
    if (checkds->request != NULL) {
20912
0
      continue;
20913
0
    }
20914
0
    if (name != NULL && dns_name_equal(name, &checkds->ns)) {
20915
0
      return (true);
20916
0
    }
20917
0
    if (addr != NULL && isc_sockaddr_equal(addr, &checkds->dst) &&
20918
0
        checkds->key == key && checkds->transport == transport)
20919
0
    {
20920
0
      return (true);
20921
0
    }
20922
0
  }
20923
0
  return (false);
20924
0
}
20925
20926
static isc_result_t
20927
0
checkds_create(isc_mem_t *mctx, unsigned int flags, dns_checkds_t **checkdsp) {
20928
0
  dns_checkds_t *checkds;
20929
20930
0
  REQUIRE(checkdsp != NULL && *checkdsp == NULL);
20931
20932
0
  checkds = isc_mem_get(mctx, sizeof(*checkds));
20933
0
  *checkds = (dns_checkds_t){
20934
0
    .flags = flags,
20935
0
  };
20936
20937
0
  isc_mem_attach(mctx, &checkds->mctx);
20938
0
  isc_sockaddr_any(&checkds->dst);
20939
0
  dns_name_init(&checkds->ns, NULL);
20940
0
  ISC_LINK_INIT(checkds, link);
20941
0
  checkds->magic = CHECKDS_MAGIC;
20942
0
  *checkdsp = checkds;
20943
0
  return (ISC_R_SUCCESS);
20944
0
}
20945
20946
static void
20947
0
checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
20948
0
  dns_message_t *message = NULL;
20949
20950
0
  dns_name_t *tempname = NULL;
20951
0
  dns_rdataset_t *temprdataset = NULL;
20952
20953
0
  REQUIRE(DNS_ZONE_VALID(zone));
20954
0
  REQUIRE(messagep != NULL && *messagep == NULL);
20955
20956
0
  dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
20957
0
         &message);
20958
20959
0
  message->opcode = dns_opcode_query;
20960
0
  message->rdclass = zone->rdclass;
20961
0
  message->flags |= DNS_MESSAGEFLAG_RD;
20962
20963
0
  dns_message_gettempname(message, &tempname);
20964
20965
0
  dns_message_gettemprdataset(message, &temprdataset);
20966
20967
  /*
20968
   * Make question.
20969
   */
20970
0
  dns_name_init(tempname, NULL);
20971
0
  dns_name_clone(&zone->origin, tempname);
20972
0
  dns_rdataset_makequestion(temprdataset, zone->rdclass,
20973
0
          dns_rdatatype_ds);
20974
0
  ISC_LIST_APPEND(tempname->list, temprdataset, link);
20975
0
  dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
20976
0
  tempname = NULL;
20977
0
  temprdataset = NULL;
20978
20979
0
  *messagep = message;
20980
0
}
20981
20982
/*
20983
 * XXXAG should check for DNS_ZONEFLG_EXITING
20984
 */
20985
static void
20986
0
process_checkds_adb_event(void *arg) {
20987
0
  dns_adbfind_t *find = (dns_adbfind_t *)arg;
20988
0
  dns_checkds_t *checkds = (dns_checkds_t *)find->cbarg;
20989
0
  dns_adbstatus_t astat = find->status;
20990
20991
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
20992
0
  REQUIRE(find == checkds->find);
20993
20994
0
  switch (astat) {
20995
0
  case DNS_ADB_MOREADDRESSES:
20996
0
    dns_adb_destroyfind(&checkds->find);
20997
0
    checkds_find_address(checkds);
20998
0
    return;
20999
21000
0
  case DNS_ADB_NOMOREADDRESSES:
21001
0
    LOCK_ZONE(checkds->zone);
21002
0
    checkds_send_tons(checkds);
21003
0
    UNLOCK_ZONE(checkds->zone);
21004
0
    break;
21005
21006
0
  default:
21007
0
    break;
21008
0
  }
21009
21010
0
  checkds_destroy(checkds, false);
21011
0
}
21012
21013
static void
21014
0
checkds_find_address(dns_checkds_t *checkds) {
21015
0
  isc_result_t result;
21016
0
  unsigned int options;
21017
0
  dns_adb_t *adb = NULL;
21018
21019
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
21020
21021
0
  options = DNS_ADBFIND_WANTEVENT;
21022
0
  if (isc_net_probeipv4() != ISC_R_DISABLED) {
21023
0
    options |= DNS_ADBFIND_INET;
21024
0
  }
21025
0
  if (isc_net_probeipv6() != ISC_R_DISABLED) {
21026
0
    options |= DNS_ADBFIND_INET6;
21027
0
  }
21028
21029
0
  dns_view_getadb(checkds->zone->view, &adb);
21030
0
  if (adb == NULL) {
21031
0
    goto destroy;
21032
0
  }
21033
21034
0
  result = dns_adb_createfind(
21035
0
    adb, checkds->zone->loop, process_checkds_adb_event, checkds,
21036
0
    &checkds->ns, dns_rootname, 0, options, 0, NULL,
21037
0
    checkds->zone->view->dstport, 0, NULL, &checkds->find);
21038
0
  dns_adb_detach(&adb);
21039
21040
  /* Something failed? */
21041
0
  if (result != ISC_R_SUCCESS) {
21042
0
    goto destroy;
21043
0
  }
21044
21045
  /* More addresses pending? */
21046
0
  if ((checkds->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
21047
0
    return;
21048
0
  }
21049
21050
  /* We have as many addresses as we can get. */
21051
0
  LOCK_ZONE(checkds->zone);
21052
0
  checkds_send_tons(checkds);
21053
0
  UNLOCK_ZONE(checkds->zone);
21054
21055
0
destroy:
21056
0
  checkds_destroy(checkds, false);
21057
0
}
21058
21059
static void
21060
0
checkds_send_toaddr(void *arg) {
21061
0
  dns_checkds_t *checkds = (dns_checkds_t *)arg;
21062
0
  isc_result_t result;
21063
0
  dns_message_t *message = NULL;
21064
0
  isc_netaddr_t dstip;
21065
0
  dns_tsigkey_t *key = NULL;
21066
0
  char addrbuf[ISC_SOCKADDR_FORMATSIZE];
21067
0
  isc_sockaddr_t src;
21068
0
  unsigned int options, timeout;
21069
0
  bool have_checkdssource = false;
21070
0
  bool canceled = checkds->rlevent->canceled;
21071
21072
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
21073
21074
0
  isc_rlevent_free(&checkds->rlevent);
21075
21076
0
  LOCK_ZONE(checkds->zone);
21077
21078
0
  if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_LOADED) == 0 || canceled ||
21079
0
      DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING) ||
21080
0
      checkds->zone->view->requestmgr == NULL ||
21081
0
      checkds->zone->db == NULL)
21082
0
  {
21083
0
    result = ISC_R_CANCELED;
21084
0
    goto cleanup;
21085
0
  }
21086
21087
  /*
21088
   * The raw IPv4 address should also exist.  Don't send to the
21089
   * mapped form.
21090
   */
21091
0
  if (isc_sockaddr_pf(&checkds->dst) == PF_INET6 &&
21092
0
      IN6_IS_ADDR_V4MAPPED(&checkds->dst.type.sin6.sin6_addr))
21093
0
  {
21094
0
    isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
21095
0
    dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21096
0
           "checkds: ignoring IPv6 mapped IPV4 address: %s",
21097
0
           addrbuf);
21098
0
    result = ISC_R_CANCELED;
21099
0
    goto cleanup;
21100
0
  }
21101
21102
0
  checkds_createmessage(checkds->zone, &message);
21103
21104
0
  isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
21105
0
  if (checkds->key != NULL) {
21106
    /* Transfer ownership of key */
21107
0
    key = checkds->key;
21108
0
    checkds->key = NULL;
21109
0
  } else {
21110
0
    isc_netaddr_fromsockaddr(&dstip, &checkds->dst);
21111
0
    result = dns_view_getpeertsig(checkds->zone->view, &dstip,
21112
0
                &key);
21113
0
    if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
21114
0
      dns_zone_log(checkds->zone, ISC_LOG_ERROR,
21115
0
             "checkds: DS query to %s not sent. "
21116
0
             "Peer TSIG key lookup failure.",
21117
0
             addrbuf);
21118
0
      goto cleanup_message;
21119
0
    }
21120
0
  }
21121
21122
0
  if (key != NULL) {
21123
0
    char namebuf[DNS_NAME_FORMATSIZE];
21124
21125
0
    dns_name_format(key->name, namebuf, sizeof(namebuf));
21126
0
    dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21127
0
           "checkds: sending DS query to %s : TSIG (%s)",
21128
0
           addrbuf, namebuf);
21129
0
  } else {
21130
0
    dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21131
0
           "checkds: sending DS query to %s", addrbuf);
21132
0
  }
21133
0
  options = 0;
21134
0
  if (checkds->zone->view->peers != NULL) {
21135
0
    dns_peer_t *peer = NULL;
21136
0
    bool usetcp = false;
21137
0
    result = dns_peerlist_peerbyaddr(checkds->zone->view->peers,
21138
0
             &dstip, &peer);
21139
0
    if (result == ISC_R_SUCCESS) {
21140
0
      result = dns_peer_getquerysource(peer, &src);
21141
0
      if (result == ISC_R_SUCCESS) {
21142
0
        have_checkdssource = true;
21143
0
      }
21144
0
      result = dns_peer_getforcetcp(peer, &usetcp);
21145
0
      if (result == ISC_R_SUCCESS && usetcp) {
21146
0
        options |= DNS_FETCHOPT_TCP;
21147
0
      }
21148
0
    }
21149
0
  }
21150
0
  switch (isc_sockaddr_pf(&checkds->dst)) {
21151
0
  case PF_INET:
21152
0
    if (!have_checkdssource) {
21153
0
      isc_sockaddr_t any;
21154
0
      isc_sockaddr_any(&any);
21155
21156
0
      src = checkds->src;
21157
0
      if (isc_sockaddr_equal(&src, &any)) {
21158
0
        src = checkds->zone->parentalsrc4;
21159
0
      }
21160
0
    }
21161
0
    break;
21162
0
  case PF_INET6:
21163
0
    if (!have_checkdssource) {
21164
0
      isc_sockaddr_t any;
21165
0
      isc_sockaddr_any6(&any);
21166
21167
0
      src = checkds->src;
21168
0
      if (isc_sockaddr_equal(&src, &any)) {
21169
0
        src = checkds->zone->parentalsrc6;
21170
0
      }
21171
0
    }
21172
0
    break;
21173
0
  default:
21174
0
    result = ISC_R_NOTIMPLEMENTED;
21175
0
    goto cleanup_key;
21176
0
  }
21177
21178
0
  dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21179
0
         "checkds: create request for DS query to %s", addrbuf);
21180
21181
0
  timeout = 5;
21182
0
  options |= DNS_REQUESTOPT_TCP;
21183
0
  result = dns_request_create(
21184
0
    checkds->zone->view->requestmgr, message, &src, &checkds->dst,
21185
0
    NULL, NULL, options, key, timeout * 3 + 1, timeout, 2,
21186
0
    checkds->zone->loop, checkds_done, checkds, &checkds->request);
21187
0
  if (result != ISC_R_SUCCESS) {
21188
0
    dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21189
0
           "checkds: dns_request_create() to %s failed: %s",
21190
0
           addrbuf, isc_result_totext(result));
21191
0
  }
21192
21193
0
cleanup_key:
21194
0
  if (key != NULL) {
21195
0
    dns_tsigkey_detach(&key);
21196
0
  }
21197
0
cleanup_message:
21198
0
  dns_message_detach(&message);
21199
0
cleanup:
21200
0
  UNLOCK_ZONE(checkds->zone);
21201
0
  if (result != ISC_R_SUCCESS) {
21202
0
    checkds_destroy(checkds, false);
21203
0
  }
21204
0
}
21205
21206
static void
21207
0
checkds_send_tons(dns_checkds_t *checkds) {
21208
0
  dns_adbaddrinfo_t *ai;
21209
0
  isc_sockaddr_t dst;
21210
0
  isc_result_t result;
21211
0
  dns_checkds_t *newcheckds = NULL;
21212
0
  dns_zone_t *zone = NULL;
21213
21214
  /*
21215
   * Zone lock held by caller.
21216
   */
21217
0
  REQUIRE(DNS_CHECKDS_VALID(checkds));
21218
0
  REQUIRE(LOCKED_ZONE(checkds->zone));
21219
21220
0
  zone = checkds->zone;
21221
21222
0
  if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING)) {
21223
0
    return;
21224
0
  }
21225
21226
0
  for (ai = ISC_LIST_HEAD(checkds->find->list); ai != NULL;
21227
0
       ai = ISC_LIST_NEXT(ai, publink))
21228
0
  {
21229
0
    dst = ai->sockaddr;
21230
0
    if (checkds_isqueued(zone, NULL, &dst, NULL, NULL)) {
21231
0
      continue;
21232
0
    }
21233
21234
0
    newcheckds = NULL;
21235
0
    result = checkds_create(checkds->mctx, 0, &newcheckds);
21236
0
    if (result != ISC_R_SUCCESS) {
21237
0
      goto cleanup;
21238
0
    }
21239
0
    zone_iattach(zone, &newcheckds->zone);
21240
0
    ISC_LIST_APPEND(newcheckds->zone->checkds_requests, newcheckds,
21241
0
        link);
21242
0
    newcheckds->dst = dst;
21243
0
    dns_name_dup(&checkds->ns, checkds->mctx, &newcheckds->ns);
21244
0
    switch (isc_sockaddr_pf(&newcheckds->dst)) {
21245
0
    case PF_INET:
21246
0
      isc_sockaddr_any(&newcheckds->src);
21247
0
      break;
21248
0
    case PF_INET6:
21249
0
      isc_sockaddr_any6(&newcheckds->src);
21250
0
      break;
21251
0
    default:
21252
0
      UNREACHABLE();
21253
0
    }
21254
    /*
21255
     * XXXWMM: Should we attach key and transport here?
21256
     * Probably not, because we expect the name servers to be
21257
     * publicly available on the default transport protocol.
21258
     */
21259
21260
0
    result = isc_ratelimiter_enqueue(
21261
0
      newcheckds->zone->zmgr->checkdsrl,
21262
0
      newcheckds->zone->loop, checkds_send_toaddr, newcheckds,
21263
0
      &newcheckds->rlevent);
21264
0
    if (result != ISC_R_SUCCESS) {
21265
0
      goto cleanup;
21266
0
    }
21267
0
    newcheckds = NULL;
21268
0
  }
21269
21270
0
cleanup:
21271
0
  if (newcheckds != NULL) {
21272
0
    checkds_destroy(newcheckds, true);
21273
0
  }
21274
0
}
21275
21276
static void
21277
0
checkds_send(dns_zone_t *zone) {
21278
0
  dns_view_t *view = dns_zone_getview(zone);
21279
0
  isc_result_t result;
21280
0
  unsigned int flags = 0;
21281
0
  unsigned int i = 0;
21282
21283
  /*
21284
   * Zone lock held by caller.
21285
   */
21286
0
  REQUIRE(LOCKED_ZONE(zone));
21287
21288
0
  dns_zone_log(zone, ISC_LOG_DEBUG(3),
21289
0
         "checkds: start sending DS queries to %u parentals",
21290
0
         dns_remote_count(&zone->parentals));
21291
21292
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
21293
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
21294
0
           "checkds: abort, named exiting");
21295
0
    return;
21296
0
  }
21297
21298
0
  dns_remote_reset(&zone->parentals, false);
21299
0
  while (!dns_remote_done(&zone->parentals)) {
21300
0
    dns_tsigkey_t *key = NULL;
21301
0
    dns_transport_t *transport = NULL;
21302
0
    isc_sockaddr_t src, dst;
21303
0
    dns_checkds_t *checkds = NULL;
21304
21305
0
    i++;
21306
21307
0
    if (dns_remote_keyname(&zone->parentals) != NULL) {
21308
0
      dns_name_t *keyname =
21309
0
        dns_remote_keyname(&zone->parentals);
21310
0
      (void)dns_view_gettsig(view, keyname, &key);
21311
0
    }
21312
21313
0
    if (dns_remote_tlsname(&zone->parentals) != NULL) {
21314
0
      dns_name_t *tlsname =
21315
0
        dns_remote_tlsname(&zone->parentals);
21316
0
      (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS,
21317
0
                tlsname, &transport);
21318
0
      dns_zone_logc(
21319
0
        zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
21320
0
        "got TLS configuration for zone transfer");
21321
0
    }
21322
21323
0
    dst = dns_remote_curraddr(&zone->parentals);
21324
0
    src = dns_remote_sourceaddr(&zone->parentals);
21325
0
    INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
21326
21327
0
    if (isc_sockaddr_disabled(&dst)) {
21328
0
      goto next;
21329
0
    }
21330
21331
    /* TODO: glue the transport to the checkds request */
21332
21333
0
    if (checkds_isqueued(zone, NULL, &dst, key, transport)) {
21334
0
      dns_zone_log(zone, ISC_LOG_DEBUG(3),
21335
0
             "checkds: DS query to parent "
21336
0
             "%d is queued",
21337
0
             i);
21338
0
      if (key != NULL) {
21339
0
        dns_tsigkey_detach(&key);
21340
0
      }
21341
0
      if (transport != NULL) {
21342
0
        dns_transport_detach(&transport);
21343
0
      }
21344
0
      goto next;
21345
0
    }
21346
21347
0
    dns_zone_log(zone, ISC_LOG_DEBUG(3),
21348
0
           "checkds: create DS query for "
21349
0
           "parent %d",
21350
0
           i);
21351
21352
0
    result = checkds_create(zone->mctx, flags, &checkds);
21353
0
    if (result != ISC_R_SUCCESS) {
21354
0
      dns_zone_log(zone, ISC_LOG_DEBUG(3),
21355
0
             "checkds: create DS query for "
21356
0
             "parent %d failed",
21357
0
             i);
21358
0
      goto next;
21359
0
    }
21360
0
    zone_iattach(zone, &checkds->zone);
21361
0
    dns_name_dup(dns_rootname, checkds->mctx, &checkds->ns);
21362
0
    checkds->src = src;
21363
0
    checkds->dst = dst;
21364
21365
0
    INSIST(checkds->key == NULL);
21366
0
    if (key != NULL) {
21367
0
      checkds->key = key;
21368
0
      key = NULL;
21369
0
    }
21370
21371
0
    INSIST(checkds->transport == NULL);
21372
0
    if (transport != NULL) {
21373
0
      checkds->transport = transport;
21374
0
      transport = NULL;
21375
0
    }
21376
21377
0
    ISC_LIST_APPEND(zone->checkds_requests, checkds, link);
21378
0
    result = isc_ratelimiter_enqueue(
21379
0
      checkds->zone->zmgr->checkdsrl, checkds->zone->loop,
21380
0
      checkds_send_toaddr, checkds, &checkds->rlevent);
21381
0
    if (result != ISC_R_SUCCESS) {
21382
0
      dns_zone_log(zone, ISC_LOG_DEBUG(3),
21383
0
             "checkds: send DS query to "
21384
0
             "parent %d failed",
21385
0
             i);
21386
0
      checkds_destroy(checkds, true);
21387
0
    }
21388
21389
0
  next:
21390
0
    dns_remote_next(&zone->parentals, false);
21391
0
  }
21392
0
}
21393
21394
/*
21395
 * An NS RRset has been fetched from the parent of a zone whose DS RRset needs
21396
 * to be checked; scan the RRset and start sending queries to the parental
21397
 * agents.
21398
 */
21399
static void
21400
0
nsfetch_done(void *arg) {
21401
0
  dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg;
21402
0
  isc_result_t result, eresult;
21403
0
  dns_nsfetch_t *nsfetch = NULL;
21404
0
  dns_zone_t *zone = NULL;
21405
0
  isc_mem_t *mctx = NULL;
21406
0
  dns_name_t *zname = NULL;
21407
0
  dns_name_t *pname = NULL;
21408
0
  char pnamebuf[DNS_NAME_FORMATSIZE];
21409
0
  bool free_needed, levelup = false;
21410
0
  dns_rdataset_t *nsrrset = NULL;
21411
0
  dns_rdataset_t *nssigset = NULL;
21412
21413
0
  INSIST(resp != NULL);
21414
21415
0
  nsfetch = resp->arg;
21416
21417
0
  INSIST(nsfetch != NULL);
21418
21419
0
  zone = nsfetch->zone;
21420
0
  mctx = nsfetch->mctx;
21421
0
  zname = dns_fixedname_name(&nsfetch->name);
21422
0
  pname = &nsfetch->pname;
21423
0
  nsrrset = &nsfetch->nsrrset;
21424
0
  nssigset = &nsfetch->nssigset;
21425
0
  eresult = resp->result;
21426
21427
  /* Free resources which are not of interest */
21428
0
  if (resp->node != NULL) {
21429
0
    dns_db_detachnode(resp->db, &resp->node);
21430
0
  }
21431
0
  if (resp->db != NULL) {
21432
0
    dns_db_detach(&resp->db);
21433
0
  }
21434
0
  dns_resolver_destroyfetch(&nsfetch->fetch);
21435
21436
0
  LOCK_ZONE(zone);
21437
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
21438
0
    goto cleanup;
21439
0
  }
21440
21441
0
  zone->nsfetchcount--;
21442
21443
0
  dns_name_format(pname, pnamebuf, sizeof(pnamebuf));
21444
0
  dnssec_log(zone, ISC_LOG_DEBUG(3),
21445
0
       "Returned from '%s' NS fetch in nsfetch_done(): %s",
21446
0
       pnamebuf, isc_result_totext(eresult));
21447
21448
0
  if (eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_NXRRSET) {
21449
0
    dnssec_log(zone, ISC_LOG_DEBUG(3),
21450
0
         "NODATA response for NS '%s', level up", pnamebuf);
21451
0
    levelup = true;
21452
0
    goto cleanup;
21453
21454
0
  } else if (eresult != ISC_R_SUCCESS) {
21455
0
    dnssec_log(zone, ISC_LOG_WARNING,
21456
0
         "Unable to fetch NS set '%s': %s", pnamebuf,
21457
0
         isc_result_totext(eresult));
21458
0
    result = eresult;
21459
0
    goto done;
21460
0
  }
21461
21462
  /* No NS records found */
21463
0
  if (!dns_rdataset_isassociated(nsrrset)) {
21464
0
    dnssec_log(zone, ISC_LOG_WARNING,
21465
0
         "No NS records found for '%s'", pnamebuf);
21466
0
    result = ISC_R_NOTFOUND;
21467
0
    goto done;
21468
0
  }
21469
21470
  /* No RRSIGs found */
21471
0
  if (!dns_rdataset_isassociated(nssigset)) {
21472
0
    dnssec_log(zone, ISC_LOG_WARNING, "No NS RRSIGs found for '%s'",
21473
0
         pnamebuf);
21474
0
    result = DNS_R_MUSTBESECURE;
21475
0
    goto done;
21476
0
  }
21477
21478
  /* Check trust level */
21479
0
  if (nsrrset->trust < dns_trust_secure) {
21480
0
    dnssec_log(zone, ISC_LOG_WARNING,
21481
0
         "Invalid NS RRset for '%s' trust level %u", pnamebuf,
21482
0
         nsrrset->trust);
21483
0
    result = DNS_R_MUSTBESECURE;
21484
0
    goto done;
21485
0
  }
21486
21487
  /* Record the number of NS records we found. */
21488
0
  zone->parent_nscount = dns_rdataset_count(nsrrset);
21489
21490
0
  UNLOCK_ZONE(zone);
21491
21492
  /* Look up the addresses for the found parental name servers. */
21493
0
  for (result = dns_rdataset_first(nsrrset); result == ISC_R_SUCCESS;
21494
0
       result = dns_rdataset_next(nsrrset))
21495
0
  {
21496
0
    dns_checkds_t *checkds = NULL;
21497
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
21498
0
    dns_rdata_ns_t ns;
21499
0
    bool isqueued;
21500
21501
0
    dns_rdataset_current(nsrrset, &rdata);
21502
0
    result = dns_rdata_tostruct(&rdata, &ns, NULL);
21503
0
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
21504
21505
0
    dns_rdata_reset(&rdata);
21506
21507
0
    LOCK_ZONE(zone);
21508
0
    isqueued = checkds_isqueued(zone, &ns.name, NULL, NULL, NULL);
21509
0
    UNLOCK_ZONE(zone);
21510
0
    if (isqueued) {
21511
0
      continue;
21512
0
    }
21513
0
    result = checkds_create(zone->mctx, 0, &checkds);
21514
0
    if (result != ISC_R_SUCCESS) {
21515
0
      dns_zone_log(zone, ISC_LOG_DEBUG(3),
21516
0
             "checkds: checkds_create() failed: %s",
21517
0
             isc_result_totext(result));
21518
0
      break;
21519
0
    }
21520
21521
0
    if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
21522
0
      char nsnamebuf[DNS_NAME_FORMATSIZE];
21523
0
      dns_name_format(&ns.name, nsnamebuf, sizeof(nsnamebuf));
21524
0
      dns_zone_log(zone, ISC_LOG_DEBUG(3),
21525
0
             "checkds: send DS query to NS %s",
21526
0
             nsnamebuf);
21527
0
    }
21528
21529
0
    LOCK_ZONE(zone);
21530
0
    zone_iattach(zone, &checkds->zone);
21531
0
    dns_name_dup(&ns.name, zone->mctx, &checkds->ns);
21532
0
    ISC_LIST_APPEND(zone->checkds_requests, checkds, link);
21533
0
    UNLOCK_ZONE(zone);
21534
21535
0
    checkds_find_address(checkds);
21536
0
  }
21537
0
  if (result == ISC_R_NOMORE) {
21538
0
    result = ISC_R_SUCCESS;
21539
0
  }
21540
21541
0
  LOCK_ZONE(zone);
21542
21543
0
done:
21544
0
  if (result != ISC_R_SUCCESS) {
21545
0
    dnssec_log(
21546
0
      zone, ISC_LOG_ERROR,
21547
0
      "checkds: error during parental-agents processing: %s",
21548
0
      isc_result_totext(result));
21549
0
  }
21550
21551
0
cleanup:
21552
0
  isc_refcount_decrement(&zone->irefs);
21553
21554
0
  if (dns_rdataset_isassociated(nsrrset)) {
21555
0
    dns_rdataset_disassociate(nsrrset);
21556
0
  }
21557
0
  if (dns_rdataset_isassociated(nssigset)) {
21558
0
    dns_rdataset_disassociate(nssigset);
21559
0
  }
21560
0
  isc_mem_putanddetach(&resp->mctx, resp, sizeof(*resp));
21561
21562
0
  if (levelup) {
21563
0
    UNLOCK_ZONE(zone);
21564
0
    nsfetch_levelup(nsfetch);
21565
0
    return;
21566
0
  }
21567
21568
0
  dns_name_free(zname, mctx);
21569
0
  isc_mem_putanddetach(&nsfetch->mctx, nsfetch, sizeof(dns_nsfetch_t));
21570
21571
0
  free_needed = exit_check(zone);
21572
0
  UNLOCK_ZONE(zone);
21573
21574
0
  if (free_needed) {
21575
0
    zone_free(zone);
21576
0
  }
21577
0
}
21578
21579
static void
21580
0
do_nsfetch(void *arg) {
21581
0
  dns_nsfetch_t *nsfetch = (dns_nsfetch_t *)arg;
21582
0
  isc_result_t result;
21583
0
  unsigned int nlabels = 1;
21584
0
  dns_resolver_t *resolver = NULL;
21585
0
  dns_zone_t *zone = nsfetch->zone;
21586
0
  unsigned int options = DNS_FETCHOPT_UNSHARED | DNS_FETCHOPT_NOCACHED;
21587
21588
0
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
21589
0
    result = ISC_R_SHUTTINGDOWN;
21590
0
    goto cleanup;
21591
0
  }
21592
21593
0
  result = dns_view_getresolver(zone->view, &resolver);
21594
0
  if (result != ISC_R_SUCCESS) {
21595
0
    goto cleanup;
21596
0
  }
21597
21598
0
  if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
21599
0
    char namebuf[DNS_NAME_FORMATSIZE];
21600
0
    dns_name_format(&nsfetch->pname, namebuf, sizeof(namebuf));
21601
0
    dnssec_log(zone, ISC_LOG_WARNING,
21602
0
         "Create fetch for '%s' NS request", namebuf);
21603
0
  }
21604
21605
  /* Derive parent domain. XXXWMM: Check for root domain */
21606
0
  dns_name_split(&nsfetch->pname,
21607
0
           dns_name_countlabels(&nsfetch->pname) - nlabels, NULL,
21608
0
           &nsfetch->pname);
21609
21610
  /*
21611
   * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is not
21612
   * set and the cache still holds a non-expired, validated version
21613
   * of the RRset being queried for by the time the response is
21614
   * received, the cached RRset will be passed to nsfetch_done()
21615
   * instead of the one received in the response as the latter will
21616
   * have a lower trust level due to not being validated until
21617
   * nsfetch_done() is called.
21618
   */
21619
0
  result = dns_resolver_createfetch(
21620
0
    resolver, &nsfetch->pname, dns_rdatatype_ns, NULL, NULL, NULL,
21621
0
    NULL, 0, options, 0, NULL, zone->loop, nsfetch_done, nsfetch,
21622
0
    &nsfetch->nsrrset, &nsfetch->nssigset, &nsfetch->fetch);
21623
21624
0
  dns_resolver_detach(&resolver);
21625
21626
0
cleanup:
21627
0
  if (result != ISC_R_SUCCESS) {
21628
0
    dns_name_t *zname = dns_fixedname_name(&nsfetch->name);
21629
0
    bool free_needed;
21630
0
    char namebuf[DNS_NAME_FORMATSIZE];
21631
0
    dns_name_format(&nsfetch->pname, namebuf, sizeof(namebuf));
21632
0
    dnssec_log(zone, ISC_LOG_WARNING,
21633
0
         "Failed to create fetch for '%s' NS request",
21634
0
         namebuf);
21635
0
    LOCK_ZONE(zone);
21636
0
    zone->nsfetchcount--;
21637
0
    isc_refcount_decrement(&zone->irefs);
21638
21639
0
    dns_name_free(zname, zone->mctx);
21640
0
    isc_mem_putanddetach(&nsfetch->mctx, nsfetch, sizeof(*nsfetch));
21641
21642
0
    free_needed = exit_check(zone);
21643
0
    UNLOCK_ZONE(zone);
21644
0
    if (free_needed) {
21645
0
      zone_free(zone);
21646
0
    }
21647
0
  }
21648
0
}
21649
21650
/*
21651
 * Retry an NS RRset lookup, one level up. In other words, this function should
21652
 * be called on an dns_nsfetch structure where the response yielded in a NODATA
21653
 * response. This must be because there is an empty non-terminal inbetween the
21654
 * child and parent zone.
21655
 */
21656
static void
21657
0
nsfetch_levelup(dns_nsfetch_t *nsfetch) {
21658
0
  dns_zone_t *zone = nsfetch->zone;
21659
21660
#ifdef ENABLE_AFL
21661
  if (!dns_fuzzing_resolver) {
21662
#endif /* ifdef ENABLE_AFL */
21663
0
    LOCK_ZONE(zone);
21664
0
    zone->nsfetchcount++;
21665
0
    isc_refcount_increment0(&zone->irefs);
21666
21667
0
    dns_rdataset_init(&nsfetch->nsrrset);
21668
0
    dns_rdataset_init(&nsfetch->nssigset);
21669
0
    if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
21670
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
21671
0
           "Creating parent NS fetch in "
21672
0
           "nsfetch_levelup()");
21673
0
    }
21674
0
    isc_async_run(zone->loop, do_nsfetch, nsfetch);
21675
0
    UNLOCK_ZONE(zone);
21676
#ifdef ENABLE_AFL
21677
  }
21678
#endif /* ifdef ENABLE_AFL */
21679
0
}
21680
21681
static void
21682
0
zone_checkds(dns_zone_t *zone) {
21683
0
  bool cdscheck = false;
21684
0
  dns_checkdstype_t checkdstype = zone->checkdstype;
21685
21686
0
  if (checkdstype == dns_checkdstype_no) {
21687
0
    return;
21688
0
  }
21689
21690
0
  for (dns_dnsseckey_t *key = ISC_LIST_HEAD(zone->checkds_ok);
21691
0
       key != NULL; key = ISC_LIST_NEXT(key, link))
21692
0
  {
21693
0
    dst_key_state_t ds_state = DST_KEY_STATE_NA;
21694
0
    bool ksk = false;
21695
0
    isc_stdtime_t published = 0, withdrawn = 0;
21696
21697
    /* Is this key have the KSK role? */
21698
0
    (void)dst_key_role(key->key, &ksk, NULL);
21699
0
    if (!ksk) {
21700
0
      continue;
21701
0
    }
21702
21703
    /* Do we need to check the DS RRset? */
21704
0
    (void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state);
21705
0
    (void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published);
21706
0
    (void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn);
21707
21708
0
    if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) {
21709
0
      dst_key_setnum(key->key, DST_NUM_DSPUBCOUNT, 0);
21710
0
      cdscheck = true;
21711
0
    } else if (ds_state == DST_KEY_STATE_UNRETENTIVE &&
21712
0
         withdrawn == 0)
21713
0
    {
21714
0
      dst_key_setnum(key->key, DST_NUM_DSDELCOUNT, 0);
21715
0
      cdscheck = true;
21716
0
    }
21717
0
  }
21718
21719
0
  if (!cdscheck) {
21720
0
    return;
21721
0
  }
21722
21723
0
  if (checkdstype == dns_checkdstype_explicit) {
21724
    /* Request the DS RRset. */
21725
0
    LOCK_ZONE(zone);
21726
0
    checkds_send(zone);
21727
0
    UNLOCK_ZONE(zone);
21728
0
    return;
21729
0
  }
21730
21731
0
  INSIST(checkdstype == dns_checkdstype_yes);
21732
21733
#ifdef ENABLE_AFL
21734
  if (!dns_fuzzing_resolver) {
21735
#endif /* ifdef ENABLE_AFL */
21736
0
    dns_nsfetch_t *nsfetch;
21737
0
    dns_name_t *name = NULL;
21738
21739
0
    nsfetch = isc_mem_get(zone->mctx, sizeof(dns_nsfetch_t));
21740
0
    *nsfetch = (dns_nsfetch_t){ .zone = zone };
21741
0
    isc_mem_attach(zone->mctx, &nsfetch->mctx);
21742
0
    LOCK_ZONE(zone);
21743
0
    zone->nsfetchcount++;
21744
0
    isc_refcount_increment0(&zone->irefs);
21745
0
    name = dns_fixedname_initname(&nsfetch->name);
21746
0
    dns_name_init(&nsfetch->pname, NULL);
21747
0
    dns_name_clone(&zone->origin, &nsfetch->pname);
21748
0
    dns_name_dup(&zone->origin, zone->mctx, name);
21749
0
    dns_rdataset_init(&nsfetch->nsrrset);
21750
0
    dns_rdataset_init(&nsfetch->nssigset);
21751
0
    if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
21752
0
      dnssec_log(
21753
0
        zone, ISC_LOG_DEBUG(3),
21754
0
        "Creating parent NS fetch in zone_checkds()");
21755
0
    }
21756
0
    isc_async_run(zone->loop, do_nsfetch, nsfetch);
21757
0
    UNLOCK_ZONE(zone);
21758
#ifdef ENABLE_AFL
21759
  }
21760
#endif /* ifdef ENABLE_AFL */
21761
0
}
21762
21763
static isc_result_t
21764
update_ttl(dns_rdataset_t *rdataset, dns_name_t *name, dns_ttl_t ttl,
21765
0
     dns_diff_t *diff) {
21766
0
  isc_result_t result;
21767
21768
  /*
21769
   * Delete everything using the existing TTL.
21770
   */
21771
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
21772
0
       result = dns_rdataset_next(rdataset))
21773
0
  {
21774
0
    dns_difftuple_t *tuple = NULL;
21775
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
21776
21777
0
    dns_rdataset_current(rdataset, &rdata);
21778
0
    result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
21779
0
                rdataset->ttl, &rdata, &tuple);
21780
0
    if (result != ISC_R_SUCCESS) {
21781
0
      return (result);
21782
0
    }
21783
0
    dns_diff_appendminimal(diff, &tuple);
21784
0
  }
21785
0
  if (result != ISC_R_NOMORE) {
21786
0
    return (result);
21787
0
  }
21788
21789
  /*
21790
   * Add everything using the new TTL.
21791
   */
21792
0
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
21793
0
       result = dns_rdataset_next(rdataset))
21794
0
  {
21795
0
    dns_difftuple_t *tuple = NULL;
21796
0
    dns_rdata_t rdata = DNS_RDATA_INIT;
21797
21798
0
    dns_rdataset_current(rdataset, &rdata);
21799
0
    result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
21800
0
                ttl, &rdata, &tuple);
21801
0
    if (result != ISC_R_SUCCESS) {
21802
0
      return (result);
21803
0
    }
21804
0
    dns_diff_appendminimal(diff, &tuple);
21805
0
  }
21806
0
  if (result != ISC_R_NOMORE) {
21807
0
    return (result);
21808
0
  }
21809
0
  return (ISC_R_SUCCESS);
21810
0
}
21811
21812
static void
21813
0
zone_rekey(dns_zone_t *zone) {
21814
0
  isc_result_t result;
21815
0
  dns_db_t *db = NULL;
21816
0
  dns_dbnode_t *node = NULL;
21817
0
  dns_dbversion_t *ver = NULL;
21818
0
  dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset;
21819
0
  dns_dnsseckeylist_t dnskeys, keys, rmkeys;
21820
0
  dns_dnsseckey_t *key = NULL;
21821
0
  dns_diff_t diff, _sig_diff;
21822
0
  dns_kasp_t *kasp;
21823
0
  dns__zonediff_t zonediff;
21824
0
  bool commit = false, newactive = false;
21825
0
  bool newalg = false;
21826
0
  bool fullsign;
21827
0
  dns_ttl_t ttl = 3600;
21828
0
  const char *dir = NULL;
21829
0
  isc_mem_t *mctx = NULL;
21830
0
  isc_stdtime_t now, nexttime = 0;
21831
0
  isc_time_t timenow;
21832
0
  isc_interval_t ival;
21833
0
  char timebuf[80];
21834
21835
0
  REQUIRE(DNS_ZONE_VALID(zone));
21836
21837
0
  ISC_LIST_INIT(dnskeys);
21838
0
  ISC_LIST_INIT(keys);
21839
0
  ISC_LIST_INIT(rmkeys);
21840
0
  dns_rdataset_init(&soaset);
21841
0
  dns_rdataset_init(&soasigs);
21842
0
  dns_rdataset_init(&keyset);
21843
0
  dns_rdataset_init(&keysigs);
21844
0
  dns_rdataset_init(&cdsset);
21845
0
  dns_rdataset_init(&cdnskeyset);
21846
0
  mctx = zone->mctx;
21847
0
  dns_diff_init(mctx, &diff);
21848
0
  dns_diff_init(mctx, &_sig_diff);
21849
0
  zonediff_init(&zonediff, &_sig_diff);
21850
21851
0
  CHECK(dns_zone_getdb(zone, &db));
21852
0
  CHECK(dns_db_newversion(db, &ver));
21853
0
  CHECK(dns_db_getoriginnode(db, &node));
21854
21855
0
  timenow = isc_time_now();
21856
0
  now = isc_time_seconds(&timenow);
21857
21858
0
  kasp = zone->kasp;
21859
0
  dir = dns_zone_getkeydirectory(zone);
21860
21861
0
  dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
21862
21863
  /* Get the SOA record's TTL */
21864
0
  CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
21865
0
          dns_rdatatype_none, 0, &soaset, &soasigs));
21866
0
  ttl = soaset.ttl;
21867
0
  dns_rdataset_disassociate(&soaset);
21868
21869
  /*
21870
   * Only update DNSKEY TTL if we have a policy.
21871
   */
21872
0
  if (kasp != NULL) {
21873
0
    ttl = dns_kasp_dnskeyttl(kasp);
21874
0
  }
21875
21876
  /* Get the DNSKEY rdataset */
21877
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
21878
0
             dns_rdatatype_none, 0, &keyset, &keysigs);
21879
0
  if (result == ISC_R_SUCCESS) {
21880
    /*
21881
     * If we don't have a policy then use the DNSKEY ttl
21882
     * if it exists.  Otherwise update the DNSKEY ttl if
21883
     * needed.
21884
     */
21885
0
    if (kasp == NULL) {
21886
0
      ttl = keyset.ttl;
21887
0
    } else if (ttl != keyset.ttl) {
21888
0
      result = update_ttl(&keyset, &zone->origin, ttl, &diff);
21889
0
      if (result != ISC_R_SUCCESS) {
21890
0
        dnssec_log(zone, ISC_LOG_ERROR,
21891
0
             "Updating DNSKEY TTL from %u to %u "
21892
0
             "failed: %s",
21893
0
             keyset.ttl, ttl,
21894
0
             isc_result_totext(result));
21895
0
        goto failure;
21896
0
      }
21897
0
      dnssec_log(zone, ISC_LOG_INFO,
21898
0
           "Updating DNSKEY TTL from %u to %u",
21899
0
           keyset.ttl, ttl);
21900
0
      keyset.ttl = ttl;
21901
0
    }
21902
21903
0
    dns_zone_lock_keyfiles(zone);
21904
21905
0
    result = dns_dnssec_keylistfromrdataset(
21906
0
      &zone->origin, kasp, dir, mctx, &keyset, &keysigs,
21907
0
      &soasigs, false, false, &dnskeys);
21908
21909
0
    dns_zone_unlock_keyfiles(zone);
21910
21911
0
    if (result != ISC_R_SUCCESS) {
21912
0
      goto failure;
21913
0
    }
21914
0
  } else if (result != ISC_R_NOTFOUND) {
21915
0
    goto failure;
21916
0
  }
21917
21918
  /* Get the CDS rdataset */
21919
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds,
21920
0
             dns_rdatatype_none, 0, &cdsset, NULL);
21921
0
  if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) {
21922
0
    dns_rdataset_disassociate(&cdsset);
21923
0
  } else if (result == ISC_R_SUCCESS && kasp != NULL && ttl != cdsset.ttl)
21924
0
  {
21925
0
    result = update_ttl(&cdsset, &zone->origin, ttl, &diff);
21926
0
    if (result != ISC_R_SUCCESS) {
21927
0
      dnssec_log(zone, ISC_LOG_ERROR,
21928
0
           "Updating CDS TTL from %u to %u failed: %s",
21929
0
           cdsset.ttl, ttl, isc_result_totext(result));
21930
0
      goto failure;
21931
0
    }
21932
0
    dnssec_log(zone, ISC_LOG_INFO, "Updating CDS TTL from %u to %u",
21933
0
         cdsset.ttl, ttl);
21934
0
    cdsset.ttl = ttl;
21935
0
  }
21936
21937
  /* Get the CDNSKEY rdataset */
21938
0
  result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey,
21939
0
             dns_rdatatype_none, 0, &cdnskeyset, NULL);
21940
0
  if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) {
21941
0
    dns_rdataset_disassociate(&cdnskeyset);
21942
0
  } else if (result == ISC_R_SUCCESS && kasp != NULL &&
21943
0
       ttl != cdnskeyset.ttl)
21944
0
  {
21945
0
    result = update_ttl(&cdnskeyset, &zone->origin, ttl, &diff);
21946
0
    if (result != ISC_R_SUCCESS) {
21947
0
      dnssec_log(
21948
0
        zone, ISC_LOG_ERROR,
21949
0
        "Updating CDNSKEY TTL from %u to %u failed: %s",
21950
0
        cdnskeyset.ttl, ttl, isc_result_totext(result));
21951
0
      goto failure;
21952
0
    }
21953
0
    dnssec_log(zone, ISC_LOG_INFO,
21954
0
         "Updating CDNSKEY TTL from %u to %u", cdnskeyset.ttl,
21955
0
         ttl);
21956
0
    cdnskeyset.ttl = ttl;
21957
0
  }
21958
21959
  /*
21960
   * True when called from "rndc sign".  Indicates the zone should be
21961
   * fully signed now.
21962
   */
21963
0
  fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
21964
21965
0
  KASP_LOCK(kasp);
21966
21967
0
  dns_zone_lock_keyfiles(zone);
21968
0
  result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir,
21969
0
               zone->keystores, now, mctx, &keys);
21970
0
  dns_zone_unlock_keyfiles(zone);
21971
21972
0
  if (result != ISC_R_SUCCESS) {
21973
0
    dnssec_log(zone, ISC_LOG_DEBUG(1),
21974
0
         "zone_rekey:dns_dnssec_findmatchingkeys failed: %s",
21975
0
         isc_result_totext(result));
21976
0
  }
21977
21978
0
  if (kasp != NULL) {
21979
    /*
21980
     * Check DS at parental agents. Clear ongoing checks.
21981
     */
21982
0
    LOCK_ZONE(zone);
21983
0
    checkds_cancel(zone);
21984
0
    clear_keylist(&zone->checkds_ok, zone->mctx);
21985
0
    ISC_LIST_INIT(zone->checkds_ok);
21986
0
    UNLOCK_ZONE(zone);
21987
21988
0
    isc_result_t ret = dns_zone_getdnsseckeys(zone, db, ver, now,
21989
0
                &zone->checkds_ok);
21990
0
    if (ret == ISC_R_SUCCESS) {
21991
0
      zone_checkds(zone);
21992
0
    } else {
21993
0
      dnssec_log(zone,
21994
0
           (ret == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
21995
0
                 : ISC_LOG_ERROR,
21996
0
           "zone_rekey:dns_zone_getdnsseckeys failed: "
21997
0
           "%s",
21998
0
           isc_result_totext(ret));
21999
0
    }
22000
22001
    /* Run keymgr */
22002
0
    if (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND) {
22003
0
      dns_zone_lock_keyfiles(zone);
22004
0
      result = dns_keymgr_run(&zone->origin, zone->rdclass,
22005
0
            mctx, &keys, &dnskeys, dir,
22006
0
            kasp, now, &nexttime);
22007
0
      dns_zone_unlock_keyfiles(zone);
22008
22009
0
      if (result != ISC_R_SUCCESS) {
22010
0
        dnssec_log(zone, ISC_LOG_ERROR,
22011
0
             "zone_rekey:dns_dnssec_keymgr "
22012
0
             "failed: %s",
22013
0
             isc_result_totext(result));
22014
0
        KASP_UNLOCK(kasp);
22015
0
        goto failure;
22016
0
      }
22017
0
    }
22018
0
  }
22019
22020
0
  KASP_UNLOCK(kasp);
22021
22022
  /*
22023
   * Update CDS, CDNSKEY and DNSKEY record sets if the keymgr ran
22024
   * successfully (dns_keymgr_run returned ISC_R_SUCCESS), or in
22025
   * case of DNSSEC management without dnssec-policy if we have keys
22026
   * (dns_dnssec_findmatchingkeys returned ISC_R_SUCCESS).
22027
   */
22028
0
  if (result == ISC_R_SUCCESS) {
22029
0
    dns_kasp_digestlist_t digests;
22030
0
    bool cdsdel = false;
22031
0
    bool cdnskeydel = false;
22032
0
    bool cdnskeypub = true;
22033
0
    bool sane_diff, sane_dnskey;
22034
0
    isc_stdtime_t when;
22035
22036
    /*
22037
     * Publish CDS/CDNSKEY DELETE records if the zone is
22038
     * transitioning from secure to insecure.
22039
     */
22040
0
    if (kasp != NULL) {
22041
0
      if (strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
22042
0
        cdsdel = true;
22043
0
        cdnskeydel = true;
22044
0
      }
22045
0
      digests = dns_kasp_digests(kasp);
22046
0
      cdnskeypub = dns_kasp_cdnskey(kasp);
22047
0
    } else {
22048
      /* Check if there is a CDS DELETE record. */
22049
0
      if (dns_rdataset_isassociated(&cdsset)) {
22050
0
        for (result = dns_rdataset_first(&cdsset);
22051
0
             result == ISC_R_SUCCESS;
22052
0
             result = dns_rdataset_next(&cdsset))
22053
0
        {
22054
0
          dns_rdata_t crdata = DNS_RDATA_INIT;
22055
0
          dns_rdataset_current(&cdsset, &crdata);
22056
          /*
22057
           * CDS deletion record has this form
22058
           * "0 0 0 00" which is 5 zero octets.
22059
           */
22060
0
          if (crdata.length == 5U &&
22061
0
              memcmp(crdata.data,
22062
0
               (unsigned char[5]){ 0, 0, 0,
22063
0
                       0, 0 },
22064
0
               5) == 0)
22065
0
          {
22066
0
            cdsdel = true;
22067
0
            break;
22068
0
          }
22069
0
        }
22070
0
      }
22071
22072
      /* Check if there is a CDNSKEY DELETE record. */
22073
0
      if (dns_rdataset_isassociated(&cdnskeyset)) {
22074
0
        for (result = dns_rdataset_first(&cdnskeyset);
22075
0
             result == ISC_R_SUCCESS;
22076
0
             result = dns_rdataset_next(&cdnskeyset))
22077
0
        {
22078
0
          dns_rdata_t crdata = DNS_RDATA_INIT;
22079
0
          dns_rdataset_current(&cdnskeyset,
22080
0
                   &crdata);
22081
          /*
22082
           * CDNSKEY deletion record has this form
22083
           * "0 3 0 AA==" which is 2 zero octets,
22084
           * a 3, and 2 zero octets.
22085
           */
22086
0
          if (crdata.length == 5U &&
22087
0
              memcmp(crdata.data,
22088
0
               (unsigned char[5]){ 0, 0, 3,
22089
0
                       0, 0 },
22090
0
               5) == 0)
22091
0
          {
22092
0
            cdnskeydel = true;
22093
0
            break;
22094
0
          }
22095
0
        }
22096
0
      }
22097
22098
0
      digests = dns_kasp_digests(zone->defaultkasp);
22099
0
    }
22100
22101
0
    result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
22102
0
                 &zone->origin, ttl, &diff, mctx,
22103
0
                 dnssec_report);
22104
    /*
22105
     * Keys couldn't be updated for some reason;
22106
     * try again later.
22107
     */
22108
0
    if (result != ISC_R_SUCCESS) {
22109
0
      dnssec_log(zone, ISC_LOG_ERROR,
22110
0
           "zone_rekey:couldn't update zone keys: %s",
22111
0
           isc_result_totext(result));
22112
0
      goto failure;
22113
0
    }
22114
22115
    /*
22116
     * Update CDS / CDNSKEY records.
22117
     */
22118
0
    result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
22119
0
                 &cdnskeyset, now, &digests,
22120
0
                 cdnskeypub, ttl, &diff, mctx);
22121
0
    if (result != ISC_R_SUCCESS) {
22122
0
      dnssec_log(zone, ISC_LOG_ERROR,
22123
0
           "zone_rekey:couldn't update CDS/CDNSKEY: %s",
22124
0
           isc_result_totext(result));
22125
0
      goto failure;
22126
0
    }
22127
22128
0
    if (cdsdel || cdnskeydel) {
22129
      /*
22130
       * Only publish CDS/CDNSKEY DELETE records if there is
22131
       * a KSK that can be used to verify the RRset. This
22132
       * means there must be a key with the KSK role that is
22133
       * published and is used for signing.
22134
       */
22135
0
      bool allow = false;
22136
0
      for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22137
0
           key = ISC_LIST_NEXT(key, link))
22138
0
      {
22139
0
        dst_key_t *dstk = key->key;
22140
22141
0
        if (dst_key_is_published(dstk, now, &when) &&
22142
0
            dst_key_is_signing(dstk, DST_BOOL_KSK, now,
22143
0
                   &when))
22144
0
        {
22145
0
          allow = true;
22146
0
          break;
22147
0
        }
22148
0
      }
22149
0
      if (cdsdel) {
22150
0
        cdsdel = allow;
22151
0
      }
22152
0
      if (cdnskeydel) {
22153
0
        cdnskeydel = allow;
22154
0
      }
22155
0
    }
22156
0
    result = dns_dnssec_syncdelete(
22157
0
      &cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl,
22158
0
      &diff, mctx, cdsdel, cdnskeydel);
22159
0
    if (result != ISC_R_SUCCESS) {
22160
0
      dnssec_log(zone, ISC_LOG_ERROR,
22161
0
           "zone_rekey:couldn't update CDS/CDNSKEY "
22162
0
           "DELETE records: %s",
22163
0
           isc_result_totext(result));
22164
0
      goto failure;
22165
0
    }
22166
22167
    /*
22168
     * See if any pre-existing keys have newly become active;
22169
     * also, see if any new key is for a new algorithm, as in that
22170
     * event, we need to sign the zone fully.  (If there's a new
22171
     * key, but it's for an already-existing algorithm, then
22172
     * the zone signing can be handled incrementally.)
22173
     */
22174
0
    for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22175
0
         key = ISC_LIST_NEXT(key, link))
22176
0
    {
22177
0
      if (!key->first_sign) {
22178
0
        continue;
22179
0
      }
22180
22181
0
      newactive = true;
22182
22183
0
      if (!dns_rdataset_isassociated(&keysigs)) {
22184
0
        newalg = true;
22185
0
        break;
22186
0
      }
22187
22188
0
      if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
22189
        /*
22190
         * This isn't a new algorithm; clear
22191
         * first_sign so we won't sign the
22192
         * whole zone with this key later.
22193
         */
22194
0
        key->first_sign = false;
22195
0
      } else {
22196
0
        newalg = true;
22197
0
        break;
22198
0
      }
22199
0
    }
22200
22201
    /*
22202
     * A sane diff is one that is not empty, and that does not
22203
     * introduce a zone with NSEC only DNSKEYs along with NSEC3
22204
     * chains.
22205
     */
22206
0
    sane_dnskey = dns_zone_check_dnskey_nsec3(zone, db, ver, &diff,
22207
0
                NULL, 0);
22208
0
    sane_diff = !ISC_LIST_EMPTY(diff.tuples) && sane_dnskey;
22209
0
    if (!sane_dnskey) {
22210
0
      dnssec_log(zone, ISC_LOG_ERROR,
22211
0
           "NSEC only DNSKEYs and NSEC3 chains not "
22212
0
           "allowed");
22213
0
    }
22214
22215
0
    if (newactive || fullsign || sane_diff) {
22216
0
      CHECK(dns_diff_apply(&diff, db, ver));
22217
0
      CHECK(clean_nsec3param(zone, db, ver, &diff));
22218
0
      CHECK(add_signing_records(db, zone->privatetype, ver,
22219
0
              &diff, (newalg || fullsign)));
22220
0
      CHECK(update_soa_serial(zone, db, ver, &diff, mctx,
22221
0
            zone->updatemethod));
22222
0
      CHECK(add_chains(zone, db, ver, &diff));
22223
0
      CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff));
22224
0
      CHECK(zone_journal(zone, zonediff.diff, NULL,
22225
0
             "zone_rekey"));
22226
0
      commit = true;
22227
0
    }
22228
0
  }
22229
22230
0
  dns_db_closeversion(db, &ver, true);
22231
22232
0
  LOCK_ZONE(zone);
22233
22234
0
  if (commit) {
22235
0
    dns_difftuple_t *tuple;
22236
0
    dns_stats_t *dnssecsignstats =
22237
0
      dns_zone_getdnssecsignstats(zone);
22238
22239
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
22240
22241
0
    zone_needdump(zone, DNS_DUMP_DELAY);
22242
22243
0
    zone_settimer(zone, &timenow);
22244
22245
    /* Remove any signatures from removed keys.  */
22246
0
    if (!ISC_LIST_EMPTY(rmkeys)) {
22247
0
      for (key = ISC_LIST_HEAD(rmkeys); key != NULL;
22248
0
           key = ISC_LIST_NEXT(key, link))
22249
0
      {
22250
0
        result = zone_signwithkey(
22251
0
          zone, dst_key_alg(key->key),
22252
0
          dst_key_id(key->key), true);
22253
0
        if (result != ISC_R_SUCCESS) {
22254
0
          dnssec_log(zone, ISC_LOG_ERROR,
22255
0
               "zone_signwithkey failed: "
22256
0
               "%s",
22257
0
               isc_result_totext(result));
22258
0
        }
22259
22260
        /* Clear DNSSEC sign statistics. */
22261
0
        if (dnssecsignstats != NULL) {
22262
0
          dns_dnssecsignstats_clear(
22263
0
            dnssecsignstats,
22264
0
            dst_key_id(key->key),
22265
0
            dst_key_alg(key->key));
22266
          /*
22267
           * Also clear the dnssec-sign
22268
           * statistics of the revoked key id.
22269
           */
22270
0
          dns_dnssecsignstats_clear(
22271
0
            dnssecsignstats,
22272
0
            dst_key_rid(key->key),
22273
0
            dst_key_alg(key->key));
22274
0
        }
22275
0
      }
22276
0
    }
22277
22278
0
    if (fullsign) {
22279
      /*
22280
       * "rndc sign" was called, so we now sign the zone
22281
       * with all active keys, whether they're new or not.
22282
       */
22283
0
      for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22284
0
           key = ISC_LIST_NEXT(key, link))
22285
0
      {
22286
0
        if (!key->force_sign && !key->hint_sign) {
22287
0
          continue;
22288
0
        }
22289
22290
0
        result = zone_signwithkey(
22291
0
          zone, dst_key_alg(key->key),
22292
0
          dst_key_id(key->key), false);
22293
0
        if (result != ISC_R_SUCCESS) {
22294
0
          dnssec_log(zone, ISC_LOG_ERROR,
22295
0
               "zone_signwithkey failed: "
22296
0
               "%s",
22297
0
               isc_result_totext(result));
22298
0
        }
22299
0
      }
22300
0
    } else if (newalg) {
22301
      /*
22302
       * We haven't been told to sign fully, but a new
22303
       * algorithm was added to the DNSKEY.  We sign
22304
       * the full zone, but only with newly active
22305
       * keys.
22306
       */
22307
0
      for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22308
0
           key = ISC_LIST_NEXT(key, link))
22309
0
      {
22310
0
        if (!key->first_sign) {
22311
0
          continue;
22312
0
        }
22313
22314
0
        result = zone_signwithkey(
22315
0
          zone, dst_key_alg(key->key),
22316
0
          dst_key_id(key->key), false);
22317
0
        if (result != ISC_R_SUCCESS) {
22318
0
          dnssec_log(zone, ISC_LOG_ERROR,
22319
0
               "zone_signwithkey failed: "
22320
0
               "%s",
22321
0
               isc_result_totext(result));
22322
0
        }
22323
0
      }
22324
0
    }
22325
22326
    /*
22327
     * Clear fullsign flag, if it was set, so we don't do
22328
     * another full signing next time.
22329
     */
22330
0
    DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN);
22331
22332
    /*
22333
     * Cause the zone to add/delete NSEC3 chains for the
22334
     * deferred NSEC3PARAM changes.
22335
     */
22336
0
    for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples);
22337
0
         tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link))
22338
0
    {
22339
0
      unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
22340
0
      dns_rdata_t rdata = DNS_RDATA_INIT;
22341
0
      dns_rdata_nsec3param_t nsec3param;
22342
22343
0
      if (tuple->rdata.type != zone->privatetype ||
22344
0
          tuple->op != DNS_DIFFOP_ADD)
22345
0
      {
22346
0
        continue;
22347
0
      }
22348
22349
0
      if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
22350
0
              buf, sizeof(buf)))
22351
0
      {
22352
0
        continue;
22353
0
      }
22354
22355
0
      result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
22356
0
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
22357
0
      if (nsec3param.flags == 0) {
22358
0
        continue;
22359
0
      }
22360
22361
0
      result = zone_addnsec3chain(zone, &nsec3param);
22362
0
      if (result != ISC_R_SUCCESS) {
22363
0
        dnssec_log(zone, ISC_LOG_ERROR,
22364
0
             "zone_addnsec3chain failed: %s",
22365
0
             isc_result_totext(result));
22366
0
      }
22367
0
    }
22368
22369
    /*
22370
     * Activate any NSEC3 chain updates that may have
22371
     * been scheduled before this rekey.
22372
     */
22373
0
    if (fullsign || newalg) {
22374
0
      resume_addnsec3chain(zone);
22375
0
    }
22376
22377
    /*
22378
     * Schedule the next resigning event
22379
     */
22380
0
    set_resigntime(zone);
22381
0
  }
22382
22383
0
  isc_time_settoepoch(&zone->refreshkeytime);
22384
22385
  /*
22386
   * If keymgr provided a next time, use the calculated next rekey time.
22387
   */
22388
0
  if (kasp != NULL) {
22389
0
    isc_time_t timenext;
22390
0
    uint32_t nexttime_seconds;
22391
22392
    /*
22393
     * Set the key refresh timer to the next scheduled key event
22394
     * or to 'dnssec-loadkeys-interval' seconds in the future
22395
     * if no next key event is scheduled (nexttime == 0).
22396
     */
22397
0
    if (nexttime > 0) {
22398
0
      nexttime_seconds = nexttime - now;
22399
0
    } else {
22400
0
      nexttime_seconds = zone->refreshkeyinterval;
22401
0
    }
22402
22403
0
    DNS_ZONE_TIME_ADD(&timenow, nexttime_seconds, &timenext);
22404
0
    zone->refreshkeytime = timenext;
22405
0
    zone_settimer(zone, &timenow);
22406
0
    isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
22407
22408
0
    dnssec_log(zone, ISC_LOG_DEBUG(3),
22409
0
         "next key event in %u seconds", nexttime_seconds);
22410
0
    dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
22411
0
  }
22412
  /*
22413
   * If we're doing key maintenance, set the key refresh timer to
22414
   * the next scheduled key event or to 'dnssec-loadkeys-interval'
22415
   * seconds in the future, whichever is sooner.
22416
   */
22417
0
  else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
22418
0
  {
22419
0
    isc_time_t timethen;
22420
0
    isc_stdtime_t then;
22421
22422
0
    DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
22423
0
          &timethen);
22424
0
    zone->refreshkeytime = timethen;
22425
22426
0
    for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22427
0
         key = ISC_LIST_NEXT(key, link))
22428
0
    {
22429
0
      then = now;
22430
0
      result = next_keyevent(key->key, &then);
22431
0
      if (result != ISC_R_SUCCESS) {
22432
0
        continue;
22433
0
      }
22434
22435
0
      DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
22436
0
      if (isc_time_compare(&timethen, &zone->refreshkeytime) <
22437
0
          0)
22438
0
      {
22439
0
        zone->refreshkeytime = timethen;
22440
0
      }
22441
0
    }
22442
22443
0
    zone_settimer(zone, &timenow);
22444
22445
0
    isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
22446
0
    dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
22447
0
  }
22448
0
  UNLOCK_ZONE(zone);
22449
22450
0
  if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
22451
0
    for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
22452
0
         key = ISC_LIST_NEXT(key, link))
22453
0
    {
22454
      /* This debug log is used in the kasp system test */
22455
0
      char algbuf[DNS_SECALG_FORMATSIZE];
22456
0
      dns_secalg_format(dst_key_alg(key->key), algbuf,
22457
0
            sizeof(algbuf));
22458
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
22459
0
           "zone_rekey done: key %d/%s",
22460
0
           dst_key_id(key->key), algbuf);
22461
0
    }
22462
0
  }
22463
22464
0
  result = ISC_R_SUCCESS;
22465
22466
0
failure:
22467
0
  LOCK_ZONE(zone);
22468
0
  if (result != ISC_R_SUCCESS) {
22469
    /*
22470
     * Something went wrong; try again in ten minutes or
22471
     * after a key refresh interval, whichever is shorter.
22472
     */
22473
0
    dnssec_log(zone, ISC_LOG_DEBUG(3),
22474
0
         "zone_rekey failure: %s (retry in %u seconds)",
22475
0
         isc_result_totext(result),
22476
0
         ISC_MIN(zone->refreshkeyinterval, 600));
22477
0
    isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600),
22478
0
         0);
22479
0
    isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
22480
0
  }
22481
0
  UNLOCK_ZONE(zone);
22482
22483
0
  dns_diff_clear(&diff);
22484
0
  dns_diff_clear(&_sig_diff);
22485
22486
0
  clear_keylist(&dnskeys, mctx);
22487
0
  clear_keylist(&keys, mctx);
22488
0
  clear_keylist(&rmkeys, mctx);
22489
22490
0
  if (ver != NULL) {
22491
0
    dns_db_closeversion(db, &ver, false);
22492
0
  }
22493
0
  if (dns_rdataset_isassociated(&cdsset)) {
22494
0
    dns_rdataset_disassociate(&cdsset);
22495
0
  }
22496
0
  if (dns_rdataset_isassociated(&keyset)) {
22497
0
    dns_rdataset_disassociate(&keyset);
22498
0
  }
22499
0
  if (dns_rdataset_isassociated(&keysigs)) {
22500
0
    dns_rdataset_disassociate(&keysigs);
22501
0
  }
22502
0
  if (dns_rdataset_isassociated(&soasigs)) {
22503
0
    dns_rdataset_disassociate(&soasigs);
22504
0
  }
22505
0
  if (dns_rdataset_isassociated(&cdnskeyset)) {
22506
0
    dns_rdataset_disassociate(&cdnskeyset);
22507
0
  }
22508
0
  if (node != NULL) {
22509
0
    dns_db_detachnode(db, &node);
22510
0
  }
22511
0
  if (db != NULL) {
22512
0
    dns_db_detach(&db);
22513
0
  }
22514
22515
0
  INSIST(ver == NULL);
22516
0
}
22517
22518
void
22519
0
dns_zone_rekey(dns_zone_t *zone, bool fullsign) {
22520
0
  isc_time_t now;
22521
22522
0
  if (zone->type == dns_zone_primary && zone->loop != NULL) {
22523
0
    LOCK_ZONE(zone);
22524
22525
0
    if (fullsign) {
22526
0
      DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
22527
0
    }
22528
22529
0
    now = isc_time_now();
22530
0
    zone->refreshkeytime = now;
22531
0
    zone_settimer(zone, &now);
22532
22533
0
    UNLOCK_ZONE(zone);
22534
0
  }
22535
0
}
22536
22537
isc_result_t
22538
dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
22539
0
     unsigned int *errors) {
22540
0
  isc_result_t result;
22541
0
  dns_dbnode_t *node = NULL;
22542
22543
0
  REQUIRE(DNS_ZONE_VALID(zone));
22544
0
  REQUIRE(errors != NULL);
22545
22546
0
  result = dns_db_getoriginnode(db, &node);
22547
0
  if (result != ISC_R_SUCCESS) {
22548
0
    return (result);
22549
0
  }
22550
0
  result = zone_count_ns_rr(zone, db, node, version, NULL, errors, false);
22551
0
  dns_db_detachnode(db, &node);
22552
0
  return (result);
22553
0
}
22554
22555
isc_result_t
22556
2
dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
22557
2
  isc_result_t result;
22558
2
  dns_dbnode_t *node = NULL;
22559
2
  dns_rdataset_t dnskey, cds, cdnskey;
22560
2
  unsigned char algorithms[256];
22561
2
  unsigned int i;
22562
2
  bool empty = false;
22563
22564
2
  enum { notexpected = 0, expected = 1, found = 2 };
22565
22566
2
  REQUIRE(DNS_ZONE_VALID(zone));
22567
22568
2
  result = dns_db_getoriginnode(db, &node);
22569
2
  if (result != ISC_R_SUCCESS) {
22570
0
    return (result);
22571
0
  }
22572
22573
2
  dns_rdataset_init(&cds);
22574
2
  dns_rdataset_init(&dnskey);
22575
2
  dns_rdataset_init(&cdnskey);
22576
22577
2
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_cds,
22578
2
             dns_rdatatype_none, 0, &cds, NULL);
22579
2
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
22580
0
    goto failure;
22581
0
  }
22582
22583
2
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_cdnskey,
22584
2
             dns_rdatatype_none, 0, &cdnskey, NULL);
22585
2
  if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
22586
0
    goto failure;
22587
0
  }
22588
22589
2
  if (!dns_rdataset_isassociated(&cds) &&
22590
2
      !dns_rdataset_isassociated(&cdnskey))
22591
2
  {
22592
2
    result = ISC_R_SUCCESS;
22593
2
    goto failure;
22594
2
  }
22595
22596
0
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
22597
0
             dns_rdatatype_none, 0, &dnskey, NULL);
22598
0
  if (result == ISC_R_NOTFOUND) {
22599
0
    empty = true;
22600
0
  } else if (result != ISC_R_SUCCESS) {
22601
0
    goto failure;
22602
0
  }
22603
22604
  /*
22605
   * For each DNSSEC algorithm in the CDS RRset there must be
22606
   * a matching DNSKEY record with the exception of a CDS deletion
22607
   * record which must be by itself.
22608
   */
22609
0
  if (dns_rdataset_isassociated(&cds)) {
22610
0
    bool delete = false;
22611
0
    memset(algorithms, notexpected, sizeof(algorithms));
22612
0
    for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS;
22613
0
         result = dns_rdataset_next(&cds))
22614
0
    {
22615
0
      dns_rdata_t crdata = DNS_RDATA_INIT;
22616
0
      dns_rdata_cds_t structcds;
22617
22618
0
      dns_rdataset_current(&cds, &crdata);
22619
      /*
22620
       * CDS deletion record has this form "0 0 0 00" which
22621
       * is 5 zero octets.
22622
       */
22623
0
      if (crdata.length == 5U &&
22624
0
          memcmp(crdata.data,
22625
0
           (unsigned char[5]){ 0, 0, 0, 0, 0 }, 5) == 0)
22626
0
      {
22627
0
        delete = true;
22628
0
        continue;
22629
0
      }
22630
22631
0
      if (empty) {
22632
0
        result = DNS_R_BADCDS;
22633
0
        goto failure;
22634
0
      }
22635
22636
0
      CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
22637
0
      if (algorithms[structcds.algorithm] == 0) {
22638
0
        algorithms[structcds.algorithm] = expected;
22639
0
      }
22640
0
      for (result = dns_rdataset_first(&dnskey);
22641
0
           result == ISC_R_SUCCESS;
22642
0
           result = dns_rdataset_next(&dnskey))
22643
0
      {
22644
0
        dns_rdata_t rdata = DNS_RDATA_INIT;
22645
0
        dns_rdata_dnskey_t structdnskey;
22646
22647
0
        dns_rdataset_current(&dnskey, &rdata);
22648
0
        CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
22649
0
               NULL));
22650
22651
0
        if (structdnskey.algorithm ==
22652
0
            structcds.algorithm)
22653
0
        {
22654
0
          algorithms[structcds.algorithm] = found;
22655
0
        }
22656
0
      }
22657
0
      if (result != ISC_R_NOMORE) {
22658
0
        goto failure;
22659
0
      }
22660
0
    }
22661
0
    for (i = 0; i < sizeof(algorithms); i++) {
22662
0
      if (delete) {
22663
0
        if (algorithms[i] != notexpected) {
22664
0
          result = DNS_R_BADCDS;
22665
0
          goto failure;
22666
0
        }
22667
0
      } else if (algorithms[i] == expected) {
22668
0
        result = DNS_R_BADCDS;
22669
0
        goto failure;
22670
0
      }
22671
0
    }
22672
0
  }
22673
22674
  /*
22675
   * For each DNSSEC algorithm in the CDNSKEY RRset there must be
22676
   * a matching DNSKEY record with the exception of a CDNSKEY deletion
22677
   * record which must be by itself.
22678
   */
22679
0
  if (dns_rdataset_isassociated(&cdnskey)) {
22680
0
    bool delete = false;
22681
0
    memset(algorithms, notexpected, sizeof(algorithms));
22682
0
    for (result = dns_rdataset_first(&cdnskey);
22683
0
         result == ISC_R_SUCCESS;
22684
0
         result = dns_rdataset_next(&cdnskey))
22685
0
    {
22686
0
      dns_rdata_t crdata = DNS_RDATA_INIT;
22687
0
      dns_rdata_cdnskey_t structcdnskey;
22688
22689
0
      dns_rdataset_current(&cdnskey, &crdata);
22690
      /*
22691
       * CDNSKEY deletion record has this form
22692
       * "0 3 0 AA==" which is 2 zero octets, a 3,
22693
       * and 2 zero octets.
22694
       */
22695
0
      if (crdata.length == 5U &&
22696
0
          memcmp(crdata.data,
22697
0
           (unsigned char[5]){ 0, 0, 3, 0, 0 }, 5) == 0)
22698
0
      {
22699
0
        delete = true;
22700
0
        continue;
22701
0
      }
22702
22703
0
      if (empty) {
22704
0
        result = DNS_R_BADCDNSKEY;
22705
0
        goto failure;
22706
0
      }
22707
22708
0
      CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
22709
0
             NULL));
22710
0
      if (algorithms[structcdnskey.algorithm] == 0) {
22711
0
        algorithms[structcdnskey.algorithm] = expected;
22712
0
      }
22713
0
      for (result = dns_rdataset_first(&dnskey);
22714
0
           result == ISC_R_SUCCESS;
22715
0
           result = dns_rdataset_next(&dnskey))
22716
0
      {
22717
0
        dns_rdata_t rdata = DNS_RDATA_INIT;
22718
0
        dns_rdata_dnskey_t structdnskey;
22719
22720
0
        dns_rdataset_current(&dnskey, &rdata);
22721
0
        CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
22722
0
               NULL));
22723
22724
0
        if (structdnskey.algorithm ==
22725
0
            structcdnskey.algorithm)
22726
0
        {
22727
0
          algorithms[structcdnskey.algorithm] =
22728
0
            found;
22729
0
        }
22730
0
      }
22731
0
      if (result != ISC_R_NOMORE) {
22732
0
        goto failure;
22733
0
      }
22734
0
    }
22735
0
    for (i = 0; i < sizeof(algorithms); i++) {
22736
0
      if (delete) {
22737
0
        if (algorithms[i] != notexpected) {
22738
0
          result = DNS_R_BADCDNSKEY;
22739
0
          goto failure;
22740
0
        }
22741
0
      } else if (algorithms[i] == expected) {
22742
0
        result = DNS_R_BADCDNSKEY;
22743
0
        goto failure;
22744
0
      }
22745
0
    }
22746
0
  }
22747
0
  result = ISC_R_SUCCESS;
22748
22749
2
failure:
22750
2
  if (dns_rdataset_isassociated(&cds)) {
22751
0
    dns_rdataset_disassociate(&cds);
22752
0
  }
22753
2
  if (dns_rdataset_isassociated(&dnskey)) {
22754
0
    dns_rdataset_disassociate(&dnskey);
22755
0
  }
22756
2
  if (dns_rdataset_isassociated(&cdnskey)) {
22757
0
    dns_rdataset_disassociate(&cdnskey);
22758
0
  }
22759
2
  dns_db_detachnode(db, &node);
22760
2
  return (result);
22761
0
}
22762
22763
void
22764
0
dns_zone_setautomatic(dns_zone_t *zone, bool automatic) {
22765
0
  REQUIRE(DNS_ZONE_VALID(zone));
22766
22767
0
  LOCK_ZONE(zone);
22768
0
  zone->automatic = automatic;
22769
0
  UNLOCK_ZONE(zone);
22770
0
}
22771
22772
bool
22773
0
dns_zone_getautomatic(dns_zone_t *zone) {
22774
0
  REQUIRE(DNS_ZONE_VALID(zone));
22775
0
  return (zone->automatic);
22776
0
}
22777
22778
void
22779
0
dns_zone_setadded(dns_zone_t *zone, bool added) {
22780
0
  REQUIRE(DNS_ZONE_VALID(zone));
22781
22782
0
  LOCK_ZONE(zone);
22783
0
  zone->added = added;
22784
0
  UNLOCK_ZONE(zone);
22785
0
}
22786
22787
bool
22788
0
dns_zone_getadded(dns_zone_t *zone) {
22789
0
  REQUIRE(DNS_ZONE_VALID(zone));
22790
0
  return (zone->added);
22791
0
}
22792
22793
isc_result_t
22794
0
dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db) {
22795
0
  isc_time_t loadtime;
22796
0
  isc_result_t result;
22797
0
  dns_zone_t *secure = NULL;
22798
22799
0
  loadtime = isc_time_now();
22800
22801
  /*
22802
   * Lock hierarchy: zmgr, zone, raw.
22803
   */
22804
0
again:
22805
0
  LOCK_ZONE(zone);
22806
0
  INSIST(zone != zone->raw);
22807
0
  if (inline_secure(zone)) {
22808
0
    LOCK_ZONE(zone->raw);
22809
0
  } else if (inline_raw(zone)) {
22810
0
    secure = zone->secure;
22811
0
    TRYLOCK_ZONE(result, secure);
22812
0
    if (result != ISC_R_SUCCESS) {
22813
0
      UNLOCK_ZONE(zone);
22814
0
      secure = NULL;
22815
0
      isc_thread_yield();
22816
0
      goto again;
22817
0
    }
22818
0
  }
22819
0
  result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
22820
0
  if (inline_secure(zone)) {
22821
0
    UNLOCK_ZONE(zone->raw);
22822
0
  } else if (secure != NULL) {
22823
0
    UNLOCK_ZONE(secure);
22824
0
  }
22825
0
  UNLOCK_ZONE(zone);
22826
0
  return (result);
22827
0
}
22828
22829
isc_result_t
22830
0
dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval) {
22831
0
  REQUIRE(DNS_ZONE_VALID(zone));
22832
0
  if (interval == 0) {
22833
0
    return (ISC_R_RANGE);
22834
0
  }
22835
  /* Maximum value: 24 hours (3600 minutes) */
22836
0
  if (interval > (24 * 60)) {
22837
0
    interval = (24 * 60);
22838
0
  }
22839
  /* Multiply by 60 for seconds */
22840
0
  zone->refreshkeyinterval = interval * 60;
22841
0
  return (ISC_R_SUCCESS);
22842
0
}
22843
22844
void
22845
0
dns_zone_setrequestixfr(dns_zone_t *zone, bool flag) {
22846
0
  REQUIRE(DNS_ZONE_VALID(zone));
22847
0
  zone->requestixfr = flag;
22848
0
}
22849
22850
bool
22851
0
dns_zone_getrequestixfr(dns_zone_t *zone) {
22852
0
  REQUIRE(DNS_ZONE_VALID(zone));
22853
0
  return (zone->requestixfr);
22854
0
}
22855
22856
void
22857
0
dns_zone_setixfrratio(dns_zone_t *zone, uint32_t ratio) {
22858
0
  REQUIRE(DNS_ZONE_VALID(zone));
22859
0
  zone->ixfr_ratio = ratio;
22860
0
}
22861
22862
uint32_t
22863
0
dns_zone_getixfrratio(dns_zone_t *zone) {
22864
0
  REQUIRE(DNS_ZONE_VALID(zone));
22865
0
  return (zone->ixfr_ratio);
22866
0
}
22867
22868
void
22869
0
dns_zone_setrequestexpire(dns_zone_t *zone, bool flag) {
22870
0
  REQUIRE(DNS_ZONE_VALID(zone));
22871
0
  zone->requestexpire = flag;
22872
0
}
22873
22874
bool
22875
0
dns_zone_getrequestexpire(dns_zone_t *zone) {
22876
0
  REQUIRE(DNS_ZONE_VALID(zone));
22877
0
  return (zone->requestexpire);
22878
0
}
22879
22880
void
22881
0
dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) {
22882
0
  REQUIRE(DNS_ZONE_VALID(zone));
22883
0
  zone->updatemethod = method;
22884
0
}
22885
22886
dns_updatemethod_t
22887
0
dns_zone_getserialupdatemethod(dns_zone_t *zone) {
22888
0
  REQUIRE(DNS_ZONE_VALID(zone));
22889
0
  return (zone->updatemethod);
22890
0
}
22891
22892
/*
22893
 * Lock hierarchy: zmgr, zone, raw.
22894
 */
22895
isc_result_t
22896
0
dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) {
22897
0
  dns_zonemgr_t *zmgr;
22898
22899
0
  REQUIRE(DNS_ZONE_VALID(zone));
22900
0
  REQUIRE(zone->zmgr != NULL);
22901
0
  REQUIRE(zone->loop != NULL);
22902
0
  REQUIRE(zone->raw == NULL);
22903
22904
0
  REQUIRE(DNS_ZONE_VALID(raw));
22905
0
  REQUIRE(raw->zmgr == NULL);
22906
0
  REQUIRE(raw->loop == NULL);
22907
0
  REQUIRE(raw->secure == NULL);
22908
22909
0
  REQUIRE(zone != raw);
22910
22911
  /*
22912
   * Lock hierarchy: zmgr, zone, raw.
22913
   */
22914
0
  zmgr = zone->zmgr;
22915
0
  RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
22916
0
  LOCK_ZONE(zone);
22917
0
  LOCK_ZONE(raw);
22918
22919
0
  isc_loop_attach(zone->loop, &raw->loop);
22920
22921
  /* dns_zone_attach(raw, &zone->raw); */
22922
0
  isc_refcount_increment(&raw->references);
22923
0
  zone->raw = raw;
22924
22925
  /* dns_zone_iattach(zone, &raw->secure); */
22926
0
  zone_iattach(zone, &raw->secure);
22927
22928
0
  ISC_LIST_APPEND(zmgr->zones, raw, link);
22929
0
  raw->zmgr = zmgr;
22930
0
  isc_refcount_increment(&zmgr->refs);
22931
22932
0
  UNLOCK_ZONE(raw);
22933
0
  UNLOCK_ZONE(zone);
22934
0
  RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
22935
0
  return (ISC_R_SUCCESS);
22936
0
}
22937
22938
void
22939
0
dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
22940
0
  REQUIRE(DNS_ZONE_VALID(zone));
22941
0
  REQUIRE(raw != NULL && *raw == NULL);
22942
22943
0
  LOCK(&zone->lock);
22944
0
  INSIST(zone != zone->raw);
22945
0
  if (zone->raw != NULL) {
22946
0
    dns_zone_attach(zone->raw, raw);
22947
0
  }
22948
0
  UNLOCK(&zone->lock);
22949
0
}
22950
22951
bool
22952
0
dns_zone_israw(dns_zone_t *zone) {
22953
0
  bool israw;
22954
0
  REQUIRE(DNS_ZONE_VALID(zone));
22955
0
  LOCK(&zone->lock);
22956
0
  israw = zone->secure != NULL;
22957
0
  UNLOCK(&zone->lock);
22958
0
  return (israw);
22959
0
}
22960
22961
bool
22962
0
dns_zone_issecure(dns_zone_t *zone) {
22963
0
  bool issecure;
22964
0
  REQUIRE(DNS_ZONE_VALID(zone));
22965
0
  LOCK(&zone->lock);
22966
0
  issecure = zone->raw != NULL;
22967
0
  UNLOCK(&zone->lock);
22968
0
  return (issecure);
22969
0
}
22970
22971
struct keydone {
22972
  bool all;
22973
  unsigned char data[5];
22974
  dns_zone_t *zone;
22975
};
22976
22977
0
#define PENDINGFLAGS (DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL)
22978
22979
static void
22980
0
keydone(void *arg) {
22981
0
  bool commit = false;
22982
0
  isc_result_t result;
22983
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
22984
0
  dns_dbversion_t *oldver = NULL, *newver = NULL;
22985
0
  dns_db_t *db = NULL;
22986
0
  dns_dbnode_t *node = NULL;
22987
0
  dns_rdataset_t rdataset;
22988
0
  dns_diff_t diff;
22989
0
  struct keydone *kd = (struct keydone *)arg;
22990
0
  dns_zone_t *zone = kd->zone;
22991
0
  dns_update_log_t log = { update_log_cb, NULL };
22992
0
  bool clear_pending = false;
22993
22994
0
  INSIST(DNS_ZONE_VALID(zone));
22995
22996
0
  ENTER;
22997
22998
0
  dns_rdataset_init(&rdataset);
22999
0
  dns_diff_init(zone->mctx, &diff);
23000
23001
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23002
0
  if (zone->db != NULL) {
23003
0
    dns_db_attach(zone->db, &db);
23004
0
  }
23005
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23006
0
  if (db == NULL) {
23007
0
    goto failure;
23008
0
  }
23009
23010
0
  dns_db_currentversion(db, &oldver);
23011
0
  result = dns_db_newversion(db, &newver);
23012
0
  if (result != ISC_R_SUCCESS) {
23013
0
    dnssec_log(zone, ISC_LOG_ERROR,
23014
0
         "keydone:dns_db_newversion -> %s",
23015
0
         isc_result_totext(result));
23016
0
    goto failure;
23017
0
  }
23018
23019
0
  result = dns_db_getoriginnode(db, &node);
23020
0
  if (result != ISC_R_SUCCESS) {
23021
0
    goto failure;
23022
0
  }
23023
23024
0
  result = dns_db_findrdataset(db, node, newver, zone->privatetype,
23025
0
             dns_rdatatype_none, 0, &rdataset, NULL);
23026
0
  if (result == ISC_R_NOTFOUND) {
23027
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
23028
0
    goto failure;
23029
0
  }
23030
0
  if (result != ISC_R_SUCCESS) {
23031
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
23032
0
    goto failure;
23033
0
  }
23034
23035
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
23036
0
       result = dns_rdataset_next(&rdataset))
23037
0
  {
23038
0
    bool found = false;
23039
23040
0
    dns_rdataset_current(&rdataset, &rdata);
23041
23042
0
    if (kd->all) {
23043
0
      if (rdata.length == 5 && rdata.data[0] != 0 &&
23044
0
          rdata.data[3] == 0 && rdata.data[4] == 1)
23045
0
      {
23046
0
        found = true;
23047
0
      } else if (rdata.data[0] == 0 &&
23048
0
           (rdata.data[2] & PENDINGFLAGS) != 0)
23049
0
      {
23050
0
        found = true;
23051
0
        clear_pending = true;
23052
0
      }
23053
0
    } else if (rdata.length == 5 &&
23054
0
         memcmp(rdata.data, kd->data, 5) == 0)
23055
0
    {
23056
0
      found = true;
23057
0
    }
23058
23059
0
    if (found) {
23060
0
      CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
23061
0
              &zone->origin, rdataset.ttl,
23062
0
              &rdata));
23063
0
    }
23064
0
    dns_rdata_reset(&rdata);
23065
0
  }
23066
23067
0
  if (!ISC_LIST_EMPTY(diff.tuples)) {
23068
    /* Write changes to journal file. */
23069
0
    CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
23070
0
          zone->updatemethod));
23071
23072
0
    result = dns_update_signatures(&log, zone, db, oldver, newver,
23073
0
                 &diff,
23074
0
                 zone->sigvalidityinterval);
23075
0
    if (!clear_pending) {
23076
0
      CHECK(result);
23077
0
    }
23078
23079
0
    CHECK(zone_journal(zone, &diff, NULL, "keydone"));
23080
0
    commit = true;
23081
23082
0
    LOCK_ZONE(zone);
23083
0
    DNS_ZONE_SETFLAG(zone,
23084
0
         DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
23085
0
    zone_needdump(zone, 30);
23086
0
    UNLOCK_ZONE(zone);
23087
0
  }
23088
23089
0
failure:
23090
0
  if (dns_rdataset_isassociated(&rdataset)) {
23091
0
    dns_rdataset_disassociate(&rdataset);
23092
0
  }
23093
0
  if (db != NULL) {
23094
0
    if (node != NULL) {
23095
0
      dns_db_detachnode(db, &node);
23096
0
    }
23097
0
    if (oldver != NULL) {
23098
0
      dns_db_closeversion(db, &oldver, false);
23099
0
    }
23100
0
    if (newver != NULL) {
23101
0
      dns_db_closeversion(db, &newver, commit);
23102
0
    }
23103
0
    dns_db_detach(&db);
23104
0
  }
23105
0
  dns_diff_clear(&diff);
23106
0
  isc_mem_put(zone->mctx, kd, sizeof(*kd));
23107
0
  dns_zone_idetach(&zone);
23108
23109
0
  INSIST(oldver == NULL);
23110
0
  INSIST(newver == NULL);
23111
0
}
23112
23113
isc_result_t
23114
0
dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
23115
0
  isc_result_t result = ISC_R_SUCCESS;
23116
0
  struct keydone *kd = NULL;
23117
0
  isc_buffer_t b;
23118
23119
0
  REQUIRE(DNS_ZONE_VALID(zone));
23120
23121
0
  LOCK_ZONE(zone);
23122
23123
0
  kd = isc_mem_get(zone->mctx, sizeof(*kd));
23124
0
  *kd = (struct keydone){ .all = false };
23125
23126
0
  if (strcasecmp(keystr, "all") == 0) {
23127
0
    kd->all = true;
23128
0
  } else {
23129
0
    isc_textregion_t r;
23130
0
    const char *algstr = NULL;
23131
0
    dns_keytag_t keyid;
23132
0
    dns_secalg_t alg;
23133
0
    size_t n;
23134
23135
0
    n = sscanf(keystr, "%hu/", &keyid);
23136
0
    if (n == 0U) {
23137
0
      CHECK(ISC_R_FAILURE);
23138
0
    }
23139
23140
0
    algstr = strchr(keystr, '/');
23141
0
    if (algstr != NULL) {
23142
0
      algstr++;
23143
0
    } else {
23144
0
      CHECK(ISC_R_FAILURE);
23145
0
    }
23146
23147
0
    n = sscanf(algstr, "%hhu", &alg);
23148
0
    if (n == 0U) {
23149
0
      r.base = UNCONST(algstr);
23150
0
      r.length = strlen(algstr);
23151
0
      CHECK(dns_secalg_fromtext(&alg, &r));
23152
0
    }
23153
23154
    /* construct a private-type rdata */
23155
0
    isc_buffer_init(&b, kd->data, sizeof(kd->data));
23156
0
    isc_buffer_putuint8(&b, alg);
23157
0
    isc_buffer_putuint8(&b, (keyid & 0xff00) >> 8);
23158
0
    isc_buffer_putuint8(&b, (keyid & 0xff));
23159
0
    isc_buffer_putuint8(&b, 0);
23160
0
    isc_buffer_putuint8(&b, 1);
23161
0
  }
23162
23163
0
  zone_iattach(zone, &kd->zone);
23164
0
  isc_async_run(zone->loop, keydone, kd);
23165
0
  kd = NULL;
23166
23167
0
failure:
23168
0
  if (kd != NULL) {
23169
0
    isc_mem_put(zone->mctx, kd, sizeof(*kd));
23170
0
  }
23171
0
  UNLOCK_ZONE(zone);
23172
0
  return (result);
23173
0
}
23174
23175
/*
23176
 * Called from the zone loop's queue after the relevant event is posted by
23177
 * dns_zone_setnsec3param().
23178
 */
23179
static void
23180
0
setnsec3param(void *arg) {
23181
0
  struct np3 *npe = (struct np3 *)arg;
23182
0
  dns_zone_t *zone = npe->zone;
23183
0
  bool loadpending;
23184
23185
0
  INSIST(DNS_ZONE_VALID(zone));
23186
23187
0
  ENTER;
23188
23189
0
  LOCK_ZONE(zone);
23190
0
  loadpending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
23191
0
  UNLOCK_ZONE(zone);
23192
23193
  /*
23194
   * The receive_secure_serial() and setnsec3param() calls are
23195
   * loop-serialized for the zone. Make sure there's no processing
23196
   * currently running.
23197
   */
23198
0
  INSIST(zone->rss_newver == NULL);
23199
23200
0
  bool rescheduled = false;
23201
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23202
  /*
23203
   * The zone is not yet fully loaded. Reschedule the event to
23204
   * be picked up later. This turns this function into a busy
23205
   * wait, but it only happens at startup.
23206
   */
23207
0
  if (zone->db == NULL && loadpending) {
23208
0
    rescheduled = true;
23209
0
    isc_async_run(zone->loop, setnsec3param, npe);
23210
0
  }
23211
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23212
0
  if (rescheduled) {
23213
0
    return;
23214
0
  }
23215
23216
0
  rss_post(npe);
23217
23218
0
  dns_zone_idetach(&zone);
23219
0
}
23220
23221
static void
23222
salt2text(unsigned char *salt, uint8_t saltlen, unsigned char *text,
23223
0
    unsigned int textlen) {
23224
0
  isc_region_t r;
23225
0
  isc_buffer_t buf;
23226
0
  isc_result_t result;
23227
23228
0
  r.base = salt;
23229
0
  r.length = (unsigned int)saltlen;
23230
23231
0
  isc_buffer_init(&buf, text, textlen);
23232
0
  result = isc_hex_totext(&r, 2, "", &buf);
23233
0
  if (result == ISC_R_SUCCESS) {
23234
0
    text[saltlen * 2] = 0;
23235
0
  } else {
23236
0
    text[0] = 0;
23237
0
  }
23238
0
}
23239
23240
/*
23241
 * Check whether NSEC3 chain addition or removal specified by the private-type
23242
 * record passed with the event was already queued (or even fully performed).
23243
 * If not, modify the relevant private-type records at the zone apex and call
23244
 * resume_addnsec3chain().
23245
 */
23246
static void
23247
0
rss_post(void *arg) {
23248
0
  struct np3 *npe = (struct np3 *)arg;
23249
0
  dns_zone_t *zone = npe->zone;
23250
0
  nsec3param_t *np = &npe->params;
23251
0
  bool commit = false;
23252
0
  isc_result_t result;
23253
0
  dns_dbversion_t *oldver = NULL, *newver = NULL;
23254
0
  dns_db_t *db = NULL;
23255
0
  dns_dbnode_t *node = NULL;
23256
0
  dns_rdataset_t prdataset, nrdataset;
23257
0
  dns_diff_t diff;
23258
0
  dns_update_log_t log = { update_log_cb, NULL };
23259
0
  dns_rdata_t rdata;
23260
0
  bool nseconly;
23261
0
  bool exists = false;
23262
23263
0
  ENTER;
23264
23265
0
  dns_rdataset_init(&prdataset);
23266
0
  dns_rdataset_init(&nrdataset);
23267
0
  dns_diff_init(zone->mctx, &diff);
23268
23269
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23270
0
  if (zone->db != NULL) {
23271
0
    dns_db_attach(zone->db, &db);
23272
0
  }
23273
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23274
0
  if (db == NULL) {
23275
0
    goto failure;
23276
0
  }
23277
23278
0
  dns_db_currentversion(db, &oldver);
23279
0
  result = dns_db_newversion(db, &newver);
23280
0
  if (result != ISC_R_SUCCESS) {
23281
0
    dnssec_log(zone, ISC_LOG_ERROR,
23282
0
         "setnsec3param:dns_db_newversion -> %s",
23283
0
         isc_result_totext(result));
23284
0
    goto failure;
23285
0
  }
23286
23287
0
  CHECK(dns_db_getoriginnode(db, &node));
23288
23289
  /*
23290
   * Do we need to look up the NSEC3 parameters?
23291
   */
23292
0
  if (np->lookup) {
23293
0
    dns_rdata_nsec3param_t param;
23294
0
    dns_rdata_t nrdata = DNS_RDATA_INIT;
23295
0
    dns_rdata_t prdata = DNS_RDATA_INIT;
23296
0
    unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
23297
0
    unsigned char saltbuf[255];
23298
0
    isc_buffer_t b;
23299
23300
0
    param.salt = NULL;
23301
0
    result = dns__zone_lookup_nsec3param(zone, &np->rdata, &param,
23302
0
                 saltbuf, np->resalt);
23303
0
    if (result == ISC_R_SUCCESS) {
23304
      /*
23305
       * Success because the NSEC3PARAM already exists, but
23306
       * function returns void, so goto failure to clean up.
23307
       */
23308
0
      goto failure;
23309
0
    }
23310
0
    if (result != DNS_R_NSEC3RESALT && result != ISC_R_NOTFOUND) {
23311
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
23312
0
           "setnsec3param:lookup nsec3param -> %s",
23313
0
           isc_result_totext(result));
23314
0
      goto failure;
23315
0
    }
23316
23317
0
    INSIST(param.salt != NULL);
23318
23319
    /* Update NSEC3 parameters. */
23320
0
    np->rdata.hash = param.hash;
23321
0
    np->rdata.flags = param.flags;
23322
0
    np->rdata.iterations = param.iterations;
23323
0
    np->rdata.salt_length = param.salt_length;
23324
0
    np->rdata.salt = param.salt;
23325
23326
0
    isc_buffer_init(&b, nbuf, sizeof(nbuf));
23327
0
    CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
23328
0
             dns_rdatatype_nsec3param, &np->rdata,
23329
0
             &b));
23330
0
    dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
23331
0
           np->data, sizeof(np->data));
23332
0
    np->length = prdata.length;
23333
0
    np->nsec = false;
23334
0
  }
23335
23336
  /*
23337
   * Does a private-type record already exist for this chain?
23338
   */
23339
0
  result = dns_db_findrdataset(db, node, newver, zone->privatetype,
23340
0
             dns_rdatatype_none, 0, &prdataset, NULL);
23341
0
  if (result == ISC_R_SUCCESS) {
23342
0
    for (result = dns_rdataset_first(&prdataset);
23343
0
         result == ISC_R_SUCCESS;
23344
0
         result = dns_rdataset_next(&prdataset))
23345
0
    {
23346
0
      dns_rdata_init(&rdata);
23347
0
      dns_rdataset_current(&prdataset, &rdata);
23348
23349
0
      if (np->length == rdata.length &&
23350
0
          memcmp(rdata.data, np->data, np->length) == 0)
23351
0
      {
23352
0
        exists = true;
23353
0
        break;
23354
0
      }
23355
0
    }
23356
0
  } else if (result != ISC_R_NOTFOUND) {
23357
0
    INSIST(!dns_rdataset_isassociated(&prdataset));
23358
0
    goto failure;
23359
0
  }
23360
23361
  /*
23362
   * Does the chain already exist?
23363
   */
23364
0
  result = dns_db_findrdataset(db, node, newver, dns_rdatatype_nsec3param,
23365
0
             dns_rdatatype_none, 0, &nrdataset, NULL);
23366
0
  if (result == ISC_R_SUCCESS) {
23367
0
    for (result = dns_rdataset_first(&nrdataset);
23368
0
         result == ISC_R_SUCCESS;
23369
0
         result = dns_rdataset_next(&nrdataset))
23370
0
    {
23371
0
      dns_rdata_init(&rdata);
23372
0
      dns_rdataset_current(&nrdataset, &rdata);
23373
23374
0
      if (np->length == (rdata.length + 1) &&
23375
0
          memcmp(rdata.data, np->data + 1, np->length - 1) ==
23376
0
            0)
23377
0
      {
23378
0
        exists = true;
23379
0
        break;
23380
0
      }
23381
0
    }
23382
0
  } else if (result != ISC_R_NOTFOUND) {
23383
0
    INSIST(!dns_rdataset_isassociated(&nrdataset));
23384
0
    goto failure;
23385
0
  }
23386
23387
  /*
23388
   * We need to remove any existing NSEC3 chains if the supplied NSEC3
23389
   * parameters are supposed to replace the current ones or if we are
23390
   * switching to NSEC.
23391
   */
23392
0
  if (!exists && np->replace && (np->length != 0 || np->nsec)) {
23393
0
    CHECK(dns_nsec3param_deletechains(db, newver, zone, !np->nsec,
23394
0
              &diff));
23395
0
  }
23396
23397
0
  if (!exists && np->length != 0) {
23398
    /*
23399
     * We're creating an NSEC3 chain.  Add the private-type record
23400
     * passed in the event handler's argument to the zone apex.
23401
     *
23402
     * If the zone is not currently capable of supporting an NSEC3
23403
     * chain (due to the DNSKEY RRset at the zone apex not existing
23404
     * or containing at least one key using an NSEC-only
23405
     * algorithm), add the INITIAL flag, so these parameters can be
23406
     * used later when NSEC3 becomes available.
23407
     */
23408
0
    dns_rdata_init(&rdata);
23409
23410
0
    np->data[2] |= DNS_NSEC3FLAG_CREATE;
23411
0
    result = dns_nsec_nseconly(db, newver, NULL, &nseconly);
23412
0
    if (result == ISC_R_NOTFOUND || nseconly) {
23413
0
      np->data[2] |= DNS_NSEC3FLAG_INITIAL;
23414
0
    }
23415
23416
0
    rdata.length = np->length;
23417
0
    rdata.data = np->data;
23418
0
    rdata.type = zone->privatetype;
23419
0
    rdata.rdclass = zone->rdclass;
23420
0
    CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_ADD,
23421
0
            &zone->origin, 0, &rdata));
23422
0
  }
23423
23424
  /*
23425
   * If we changed anything in the zone, write changes to journal file
23426
   * and set commit to true so that resume_addnsec3chain() will be
23427
   * called below in order to kick off adding/removing relevant NSEC3
23428
   * records.
23429
   */
23430
0
  if (!ISC_LIST_EMPTY(diff.tuples)) {
23431
0
    CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
23432
0
          zone->updatemethod));
23433
0
    result = dns_update_signatures(&log, zone, db, oldver, newver,
23434
0
                 &diff,
23435
0
                 zone->sigvalidityinterval);
23436
0
    if (result != ISC_R_NOTFOUND) {
23437
0
      CHECK(result);
23438
0
    }
23439
0
    CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
23440
0
    commit = true;
23441
23442
0
    LOCK_ZONE(zone);
23443
0
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
23444
0
    zone_needdump(zone, 30);
23445
0
    UNLOCK_ZONE(zone);
23446
0
  }
23447
23448
0
failure:
23449
0
  if (dns_rdataset_isassociated(&prdataset)) {
23450
0
    dns_rdataset_disassociate(&prdataset);
23451
0
  }
23452
0
  if (dns_rdataset_isassociated(&nrdataset)) {
23453
0
    dns_rdataset_disassociate(&nrdataset);
23454
0
  }
23455
0
  if (node != NULL) {
23456
0
    dns_db_detachnode(db, &node);
23457
0
  }
23458
0
  if (oldver != NULL) {
23459
0
    dns_db_closeversion(db, &oldver, false);
23460
0
  }
23461
0
  if (newver != NULL) {
23462
0
    dns_db_closeversion(db, &newver, commit);
23463
0
  }
23464
0
  if (db != NULL) {
23465
0
    dns_db_detach(&db);
23466
0
  }
23467
0
  if (commit) {
23468
0
    LOCK_ZONE(zone);
23469
0
    resume_addnsec3chain(zone);
23470
0
    UNLOCK_ZONE(zone);
23471
0
  }
23472
0
  dns_diff_clear(&diff);
23473
0
  isc_mem_put(zone->mctx, npe, sizeof(*npe));
23474
23475
0
  INSIST(oldver == NULL);
23476
0
  INSIST(newver == NULL);
23477
0
}
23478
23479
/*
23480
 * Check if zone has NSEC3PARAM (and thus a chain) with the right parameters.
23481
 *
23482
 * If 'salt' is NULL, a match is found if the salt has the requested length,
23483
 * otherwise the NSEC3 salt must match the requested salt value too.
23484
 *
23485
 * Returns  ISC_R_SUCCESS, if a match is found, or an error if no match is
23486
 * found, or if the db lookup failed.
23487
 */
23488
isc_result_t
23489
dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
23490
          dns_rdata_nsec3param_t *param,
23491
0
          unsigned char saltbuf[255], bool resalt) {
23492
0
  isc_result_t result = ISC_R_UNEXPECTED;
23493
0
  dns_dbnode_t *node = NULL;
23494
0
  dns_db_t *db = NULL;
23495
0
  dns_dbversion_t *version = NULL;
23496
0
  dns_rdataset_t rdataset;
23497
0
  dns_rdata_nsec3param_t nsec3param;
23498
0
  dns_rdata_t rdata = DNS_RDATA_INIT;
23499
23500
0
  REQUIRE(DNS_ZONE_VALID(zone));
23501
23502
0
  dns_rdataset_init(&rdataset);
23503
23504
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23505
0
  if (zone->db != NULL) {
23506
0
    dns_db_attach(zone->db, &db);
23507
0
  }
23508
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23509
0
  if (db == NULL) {
23510
0
    result = ISC_R_FAILURE;
23511
0
    goto setparam;
23512
0
  }
23513
23514
0
  result = dns_db_findnode(db, &zone->origin, false, &node);
23515
0
  if (result != ISC_R_SUCCESS) {
23516
0
    dns_zone_log(zone, ISC_LOG_ERROR,
23517
0
           "dns__zone_lookup_nsec3param:"
23518
0
           "dns_db_findnode -> %s",
23519
0
           isc_result_totext(result));
23520
0
    result = ISC_R_FAILURE;
23521
0
    goto setparam;
23522
0
  }
23523
0
  dns_db_currentversion(db, &version);
23524
23525
0
  result = dns_db_findrdataset(db, node, version,
23526
0
             dns_rdatatype_nsec3param,
23527
0
             dns_rdatatype_none, 0, &rdataset, NULL);
23528
0
  if (result != ISC_R_SUCCESS) {
23529
0
    INSIST(!dns_rdataset_isassociated(&rdataset));
23530
0
    if (result != ISC_R_NOTFOUND) {
23531
0
      dns_zone_log(zone, ISC_LOG_ERROR,
23532
0
             "dns__zone_lookup_nsec3param:"
23533
0
             "dns_db_findrdataset -> %s",
23534
0
             isc_result_totext(result));
23535
0
    }
23536
0
    goto setparam;
23537
0
  }
23538
23539
0
  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
23540
0
       result = dns_rdataset_next(&rdataset))
23541
0
  {
23542
0
    dns_rdataset_current(&rdataset, &rdata);
23543
0
    result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
23544
0
    INSIST(result == ISC_R_SUCCESS);
23545
0
    dns_rdata_reset(&rdata);
23546
23547
    /* Check parameters. */
23548
0
    if (nsec3param.hash != lookup->hash) {
23549
0
      continue;
23550
0
    }
23551
0
    if (nsec3param.iterations != lookup->iterations) {
23552
0
      continue;
23553
0
    }
23554
0
    if (nsec3param.salt_length != lookup->salt_length) {
23555
0
      continue;
23556
0
    }
23557
0
    if (lookup->salt != NULL) {
23558
0
      if (memcmp(nsec3param.salt, lookup->salt,
23559
0
           lookup->salt_length) != 0)
23560
0
      {
23561
0
        continue;
23562
0
      }
23563
0
    }
23564
    /* Found a match. */
23565
0
    result = ISC_R_SUCCESS;
23566
0
    param->hash = nsec3param.hash;
23567
0
    param->flags = nsec3param.flags;
23568
0
    param->iterations = nsec3param.iterations;
23569
0
    param->salt_length = nsec3param.salt_length;
23570
0
    param->salt = nsec3param.salt;
23571
0
    break;
23572
0
  }
23573
23574
0
  if (result == ISC_R_NOMORE) {
23575
0
    result = ISC_R_NOTFOUND;
23576
0
  }
23577
23578
0
setparam:
23579
0
  if (result != ISC_R_SUCCESS) {
23580
    /* Found no match. */
23581
0
    param->hash = lookup->hash;
23582
0
    param->flags = lookup->flags;
23583
0
    param->iterations = lookup->iterations;
23584
0
    param->salt_length = lookup->salt_length;
23585
0
    param->salt = lookup->salt;
23586
0
  }
23587
23588
0
  if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
23589
0
    goto failure;
23590
0
  }
23591
23592
0
  if (param->salt_length == 0) {
23593
0
    param->salt = (unsigned char *)"-";
23594
0
  } else if (resalt || param->salt == NULL) {
23595
0
    unsigned char *newsalt;
23596
0
    unsigned char salttext[255 * 2 + 1];
23597
0
    do {
23598
      /* Generate a new salt. */
23599
0
      result = dns_nsec3_generate_salt(saltbuf,
23600
0
               param->salt_length);
23601
0
      if (result != ISC_R_SUCCESS) {
23602
0
        break;
23603
0
      }
23604
0
      newsalt = saltbuf;
23605
0
      salt2text(newsalt, param->salt_length, salttext,
23606
0
          sizeof(salttext));
23607
0
      dnssec_log(zone, ISC_LOG_INFO, "generated salt: %s",
23608
0
           salttext);
23609
      /* Check for salt conflict. */
23610
0
      if (param->salt != NULL &&
23611
0
          memcmp(newsalt, param->salt, param->salt_length) ==
23612
0
            0)
23613
0
      {
23614
0
        result = ISC_R_SUCCESS;
23615
0
      } else {
23616
0
        param->salt = newsalt;
23617
0
        result = DNS_R_NSEC3RESALT;
23618
0
      }
23619
0
    } while (result == ISC_R_SUCCESS);
23620
23621
0
    INSIST(result != ISC_R_SUCCESS);
23622
0
  }
23623
23624
0
failure:
23625
0
  if (dns_rdataset_isassociated(&rdataset)) {
23626
0
    dns_rdataset_disassociate(&rdataset);
23627
0
  }
23628
0
  if (node != NULL) {
23629
0
    dns_db_detachnode(db, &node);
23630
0
  }
23631
0
  if (version != NULL) {
23632
0
    dns_db_closeversion(db, &version, false);
23633
0
  }
23634
0
  if (db != NULL) {
23635
0
    dns_db_detach(&db);
23636
0
  }
23637
23638
0
  return (result);
23639
0
}
23640
23641
/*
23642
 * Called when an "rndc signing -nsec3param ..." command is received, or the
23643
 * 'dnssec-policy' has changed.
23644
 *
23645
 * Allocate and prepare an nsec3param_t structure which holds information about
23646
 * the NSEC3 changes requested for the zone:
23647
 *
23648
 *   - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec"
23649
 *     field of the structure to true and the "replace" field to the value
23650
 *     of the "replace" argument, leaving other fields initialized to zeros, to
23651
 *     signal that the zone should be signed using NSEC instead of NSEC3,
23652
 *
23653
 *   - otherwise, prepare NSEC3PARAM RDATA that will eventually be inserted at
23654
 *     the zone apex, convert it to a private-type record and store the latter
23655
 *     in the "data" field of the nsec3param_t structure.
23656
 *
23657
 * Once the nsec3param_t structure is prepared, post an event to the zone's
23658
 * loop which will cause setnsec3param() to be called with the prepared
23659
 * structure passed as an argument.
23660
 */
23661
isc_result_t
23662
dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
23663
           uint16_t iter, uint8_t saltlen, unsigned char *salt,
23664
0
           bool replace, bool resalt) {
23665
0
  isc_result_t result = ISC_R_SUCCESS;
23666
0
  dns_rdata_nsec3param_t param, lookup;
23667
0
  dns_rdata_t nrdata = DNS_RDATA_INIT;
23668
0
  dns_rdata_t prdata = DNS_RDATA_INIT;
23669
0
  unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
23670
0
  unsigned char saltbuf[255];
23671
0
  struct np3 *npe = NULL;
23672
0
  nsec3param_t *np = NULL;
23673
0
  isc_buffer_t b;
23674
0
  bool do_lookup = false;
23675
23676
0
  REQUIRE(DNS_ZONE_VALID(zone));
23677
23678
0
  LOCK_ZONE(zone);
23679
23680
  /*
23681
   * First check if the requested NSEC3 parameters are already
23682
   * set, if so, no need to set again.
23683
   */
23684
0
  if (hash != 0) {
23685
0
    lookup.hash = hash;
23686
0
    lookup.flags = flags;
23687
0
    lookup.iterations = iter;
23688
0
    lookup.salt_length = saltlen;
23689
0
    lookup.salt = salt;
23690
0
    param.salt = NULL;
23691
0
    result = dns__zone_lookup_nsec3param(zone, &lookup, &param,
23692
0
                 saltbuf, resalt);
23693
0
    if (result == ISC_R_SUCCESS) {
23694
0
      UNLOCK_ZONE(zone);
23695
0
      return (ISC_R_SUCCESS);
23696
0
    }
23697
    /*
23698
     * Schedule lookup if lookup above failed (may happen if
23699
     * zone db is NULL for example).
23700
     */
23701
0
    do_lookup = (param.salt == NULL) ? true : false;
23702
0
  }
23703
23704
0
  npe = isc_mem_get(zone->mctx, sizeof(*npe));
23705
0
  *npe = (struct np3){
23706
0
    .link = ISC_LINK_INITIALIZER,
23707
0
  };
23708
23709
0
  np = &npe->params;
23710
0
  *np = (struct nsec3param){
23711
0
    .replace = replace,
23712
0
    .resalt = resalt,
23713
0
    .lookup = do_lookup,
23714
0
  };
23715
23716
0
  if (hash == 0) {
23717
0
    np->nsec = true;
23718
0
    dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec");
23719
0
  } else {
23720
0
    param.common.rdclass = zone->rdclass;
23721
0
    param.common.rdtype = dns_rdatatype_nsec3param;
23722
0
    ISC_LINK_INIT(&param.common, link);
23723
0
    param.mctx = NULL;
23724
    /*
23725
     * nsec3 specific param set in
23726
     * dns__zone_lookup_nsec3param()
23727
     */
23728
0
    isc_buffer_init(&b, nbuf, sizeof(nbuf));
23729
23730
0
    if (param.salt != NULL) {
23731
0
      CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
23732
0
               dns_rdatatype_nsec3param,
23733
0
               &param, &b));
23734
0
      dns_nsec3param_toprivate(&nrdata, &prdata,
23735
0
             zone->privatetype, np->data,
23736
0
             sizeof(np->data));
23737
0
      np->length = prdata.length;
23738
0
    }
23739
23740
0
    np->rdata = param;
23741
23742
0
    if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
23743
0
      unsigned char salttext[255 * 2 + 1];
23744
0
      if (param.salt != NULL) {
23745
0
        salt2text(param.salt, param.salt_length,
23746
0
            salttext, sizeof(salttext));
23747
0
      }
23748
0
      dnssec_log(zone, ISC_LOG_DEBUG(3),
23749
0
           "setnsec3param:nsec3 %u %u %u %u:%s",
23750
0
           param.hash, param.flags, param.iterations,
23751
0
           param.salt_length,
23752
0
           param.salt == NULL ? "unknown"
23753
0
                  : (char *)salttext);
23754
0
    }
23755
0
  }
23756
23757
  /*
23758
   * setnsec3param() will silently return early if the zone does
23759
   * not yet have a database.  Prevent that by queueing the event
23760
   * up if zone->db is NULL.  All events queued here are
23761
   * subsequently processed by receive_secure_db() if it ever gets
23762
   * called or simply freed by zone_free() otherwise.
23763
   */
23764
23765
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23766
0
  if (zone->db != NULL) {
23767
0
    zone_iattach(zone, &npe->zone);
23768
0
    isc_async_run(zone->loop, setnsec3param, npe);
23769
0
  } else {
23770
0
    ISC_LIST_APPEND(zone->setnsec3param_queue, npe, link);
23771
0
  }
23772
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23773
23774
0
  result = ISC_R_SUCCESS;
23775
23776
0
failure:
23777
0
  UNLOCK_ZONE(zone);
23778
0
  return (result);
23779
0
}
23780
23781
isc_result_t
23782
0
dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime) {
23783
0
  REQUIRE(DNS_ZONE_VALID(zone));
23784
0
  REQUIRE(loadtime != NULL);
23785
23786
0
  LOCK_ZONE(zone);
23787
0
  *loadtime = zone->loadtime;
23788
0
  UNLOCK_ZONE(zone);
23789
0
  return (ISC_R_SUCCESS);
23790
0
}
23791
23792
isc_result_t
23793
0
dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime) {
23794
0
  REQUIRE(DNS_ZONE_VALID(zone));
23795
0
  REQUIRE(expiretime != NULL);
23796
23797
0
  LOCK_ZONE(zone);
23798
0
  *expiretime = zone->expiretime;
23799
0
  UNLOCK_ZONE(zone);
23800
0
  return (ISC_R_SUCCESS);
23801
0
}
23802
23803
isc_result_t
23804
0
dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime) {
23805
0
  REQUIRE(DNS_ZONE_VALID(zone));
23806
0
  REQUIRE(refreshtime != NULL);
23807
23808
0
  LOCK_ZONE(zone);
23809
0
  *refreshtime = zone->refreshtime;
23810
0
  UNLOCK_ZONE(zone);
23811
0
  return (ISC_R_SUCCESS);
23812
0
}
23813
23814
isc_result_t
23815
0
dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime) {
23816
0
  REQUIRE(DNS_ZONE_VALID(zone));
23817
0
  REQUIRE(refreshkeytime != NULL);
23818
23819
0
  LOCK_ZONE(zone);
23820
0
  *refreshkeytime = zone->refreshkeytime;
23821
0
  UNLOCK_ZONE(zone);
23822
0
  return (ISC_R_SUCCESS);
23823
0
}
23824
23825
unsigned int
23826
0
dns_zone_getincludes(dns_zone_t *zone, char ***includesp) {
23827
0
  dns_include_t *include;
23828
0
  char **array = NULL;
23829
0
  unsigned int n = 0;
23830
23831
0
  REQUIRE(DNS_ZONE_VALID(zone));
23832
0
  REQUIRE(includesp != NULL && *includesp == NULL);
23833
23834
0
  LOCK_ZONE(zone);
23835
0
  if (zone->nincludes == 0) {
23836
0
    goto done;
23837
0
  }
23838
23839
0
  array = isc_mem_allocate(zone->mctx, sizeof(char *) * zone->nincludes);
23840
0
  for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
23841
0
       include = ISC_LIST_NEXT(include, link))
23842
0
  {
23843
0
    INSIST(n < zone->nincludes);
23844
0
    array[n++] = isc_mem_strdup(zone->mctx, include->name);
23845
0
  }
23846
0
  INSIST(n == zone->nincludes);
23847
0
  *includesp = array;
23848
23849
0
done:
23850
0
  UNLOCK_ZONE(zone);
23851
0
  return (n);
23852
0
}
23853
23854
void
23855
0
dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) {
23856
0
  REQUIRE(DNS_ZONE_VALID(zone));
23857
23858
0
  zone->statlevel = level;
23859
0
}
23860
23861
dns_zonestat_level_t
23862
0
dns_zone_getstatlevel(dns_zone_t *zone) {
23863
0
  REQUIRE(DNS_ZONE_VALID(zone));
23864
23865
0
  return (zone->statlevel);
23866
0
}
23867
23868
static void
23869
0
setserial(void *arg) {
23870
0
  uint32_t oldserial, desired;
23871
0
  bool commit = false;
23872
0
  isc_result_t result;
23873
0
  dns_dbversion_t *oldver = NULL, *newver = NULL;
23874
0
  dns_db_t *db = NULL;
23875
0
  dns_diff_t diff;
23876
0
  struct setserial *sse = (struct setserial *)arg;
23877
0
  dns_zone_t *zone = sse->zone;
23878
0
  dns_update_log_t log = { update_log_cb, NULL };
23879
0
  dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
23880
23881
0
  INSIST(DNS_ZONE_VALID(zone));
23882
23883
0
  ENTER;
23884
23885
0
  if (zone->update_disabled) {
23886
0
    goto disabled;
23887
0
  }
23888
23889
0
  desired = sse->serial;
23890
23891
0
  dns_diff_init(zone->mctx, &diff);
23892
23893
0
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23894
0
  if (zone->db != NULL) {
23895
0
    dns_db_attach(zone->db, &db);
23896
0
  }
23897
0
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23898
0
  if (db == NULL) {
23899
0
    goto failure;
23900
0
  }
23901
23902
0
  dns_db_currentversion(db, &oldver);
23903
0
  result = dns_db_newversion(db, &newver);
23904
0
  if (result != ISC_R_SUCCESS) {
23905
0
    dns_zone_log(zone, ISC_LOG_ERROR,
23906
0
           "setserial:dns_db_newversion -> %s",
23907
0
           isc_result_totext(result));
23908
0
    goto failure;
23909
0
  }
23910
23911
0
  CHECK(dns_db_createsoatuple(db, oldver, diff.mctx, DNS_DIFFOP_DEL,
23912
0
            &oldtuple));
23913
0
  CHECK(dns_difftuple_copy(oldtuple, &newtuple));
23914
0
  newtuple->op = DNS_DIFFOP_ADD;
23915
23916
0
  oldserial = dns_soa_getserial(&oldtuple->rdata);
23917
0
  if (desired == 0U) {
23918
0
    desired = 1;
23919
0
  }
23920
0
  if (!isc_serial_gt(desired, oldserial)) {
23921
0
    if (desired != oldserial) {
23922
0
      dns_zone_log(zone, ISC_LOG_INFO,
23923
0
             "setserial: desired serial (%u) "
23924
0
             "out of range (%u-%u)",
23925
0
             desired, oldserial + 1,
23926
0
             (oldserial + 0x7fffffff));
23927
0
    }
23928
0
    goto failure;
23929
0
  }
23930
23931
0
  dns_soa_setserial(desired, &newtuple->rdata);
23932
0
  CHECK(do_one_tuple(&oldtuple, db, newver, &diff));
23933
0
  CHECK(do_one_tuple(&newtuple, db, newver, &diff));
23934
0
  result = dns_update_signatures(&log, zone, db, oldver, newver, &diff,
23935
0
               zone->sigvalidityinterval);
23936
0
  if (result != ISC_R_NOTFOUND) {
23937
0
    CHECK(result);
23938
0
  }
23939
23940
  /* Write changes to journal file. */
23941
0
  CHECK(zone_journal(zone, &diff, NULL, "setserial"));
23942
0
  commit = true;
23943
23944
0
  LOCK_ZONE(zone);
23945
0
  zone_needdump(zone, 30);
23946
0
  UNLOCK_ZONE(zone);
23947
23948
0
failure:
23949
0
  if (oldtuple != NULL) {
23950
0
    dns_difftuple_free(&oldtuple);
23951
0
  }
23952
0
  if (newtuple != NULL) {
23953
0
    dns_difftuple_free(&newtuple);
23954
0
  }
23955
0
  if (oldver != NULL) {
23956
0
    dns_db_closeversion(db, &oldver, false);
23957
0
  }
23958
0
  if (newver != NULL) {
23959
0
    dns_db_closeversion(db, &newver, commit);
23960
0
  }
23961
0
  if (db != NULL) {
23962
0
    dns_db_detach(&db);
23963
0
  }
23964
0
  dns_diff_clear(&diff);
23965
23966
0
disabled:
23967
0
  isc_mem_put(zone->mctx, sse, sizeof(*sse));
23968
0
  dns_zone_idetach(&zone);
23969
23970
0
  INSIST(oldver == NULL);
23971
0
  INSIST(newver == NULL);
23972
0
}
23973
23974
isc_result_t
23975
0
dns_zone_setserial(dns_zone_t *zone, uint32_t serial) {
23976
0
  isc_result_t result = ISC_R_SUCCESS;
23977
0
  struct setserial *sse = NULL;
23978
23979
0
  REQUIRE(DNS_ZONE_VALID(zone));
23980
23981
0
  LOCK_ZONE(zone);
23982
23983
0
  if (!inline_secure(zone)) {
23984
0
    if (!dns_zone_isdynamic(zone, true)) {
23985
0
      result = DNS_R_NOTDYNAMIC;
23986
0
      goto failure;
23987
0
    }
23988
0
  }
23989
23990
0
  if (zone->update_disabled) {
23991
0
    result = DNS_R_FROZEN;
23992
0
    goto failure;
23993
0
  }
23994
23995
0
  sse = isc_mem_get(zone->mctx, sizeof(*sse));
23996
0
  *sse = (struct setserial){ .serial = serial };
23997
0
  zone_iattach(zone, &sse->zone);
23998
0
  isc_async_run(zone->loop, setserial, sse);
23999
24000
0
failure:
24001
0
  UNLOCK_ZONE(zone);
24002
0
  return (result);
24003
0
}
24004
24005
isc_stats_t *
24006
0
dns_zone_getgluecachestats(dns_zone_t *zone) {
24007
0
  REQUIRE(DNS_ZONE_VALID(zone));
24008
24009
0
  return (zone->gluecachestats);
24010
0
}
24011
24012
bool
24013
0
dns_zone_isloaded(dns_zone_t *zone) {
24014
0
  REQUIRE(DNS_ZONE_VALID(zone));
24015
24016
0
  return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED));
24017
0
}
24018
24019
isc_result_t
24020
2
dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
24021
2
  dns_dbversion_t *version = NULL;
24022
2
  dns_keytable_t *secroots = NULL;
24023
2
  isc_result_t result;
24024
2
  dns_name_t *origin;
24025
24026
2
  REQUIRE(DNS_ZONE_VALID(zone));
24027
2
  REQUIRE(db != NULL);
24028
24029
2
  ENTER;
24030
24031
2
  if (dns_zone_gettype(zone) != dns_zone_mirror) {
24032
2
    return (ISC_R_SUCCESS);
24033
2
  }
24034
24035
0
  if (ver == NULL) {
24036
0
    dns_db_currentversion(db, &version);
24037
0
  } else {
24038
0
    version = ver;
24039
0
  }
24040
24041
0
  if (zone->view != NULL) {
24042
0
    result = dns_view_getsecroots(zone->view, &secroots);
24043
0
    if (result != ISC_R_SUCCESS) {
24044
0
      goto done;
24045
0
    }
24046
0
  }
24047
24048
0
  origin = dns_db_origin(db);
24049
0
  result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
24050
0
               zone->mctx, true, false, dnssec_report);
24051
24052
0
done:
24053
0
  if (secroots != NULL) {
24054
0
    dns_keytable_detach(&secroots);
24055
0
  }
24056
24057
0
  if (ver == NULL) {
24058
0
    dns_db_closeversion(db, &version, false);
24059
0
  }
24060
24061
0
  if (result != ISC_R_SUCCESS) {
24062
0
    dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s",
24063
0
         isc_result_totext(result));
24064
0
    result = DNS_R_VERIFYFAILURE;
24065
0
  }
24066
24067
0
  return (result);
24068
0
}
24069
24070
static dns_ttl_t
24071
0
zone_nsecttl(dns_zone_t *zone) {
24072
0
  REQUIRE(DNS_ZONE_VALID(zone));
24073
24074
0
  return (ISC_MIN(zone->minimum, zone->soattl));
24075
0
}
24076
24077
void
24078
dns_zonemgr_set_tlsctx_cache(dns_zonemgr_t *zmgr,
24079
0
           isc_tlsctx_cache_t *tlsctx_cache) {
24080
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
24081
0
  REQUIRE(tlsctx_cache != NULL);
24082
24083
0
  RWLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_write);
24084
24085
0
  if (zmgr->tlsctx_cache != NULL) {
24086
0
    isc_tlsctx_cache_detach(&zmgr->tlsctx_cache);
24087
0
  }
24088
24089
0
  isc_tlsctx_cache_attach(tlsctx_cache, &zmgr->tlsctx_cache);
24090
24091
0
  RWUNLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_write);
24092
0
}
24093
24094
static void
24095
0
zmgr_tlsctx_attach(dns_zonemgr_t *zmgr, isc_tlsctx_cache_t **ptlsctx_cache) {
24096
0
  REQUIRE(DNS_ZONEMGR_VALID(zmgr));
24097
0
  REQUIRE(ptlsctx_cache != NULL && *ptlsctx_cache == NULL);
24098
24099
0
  RWLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_read);
24100
24101
0
  INSIST(zmgr->tlsctx_cache != NULL);
24102
0
  isc_tlsctx_cache_attach(zmgr->tlsctx_cache, ptlsctx_cache);
24103
24104
0
  RWUNLOCK(&zmgr->tlsctx_cache_rwlock, isc_rwlocktype_read);
24105
0
}
24106
24107
isc_mem_t *
24108
0
dns_zone_getmem(dns_zone_t *zone) {
24109
0
  return (zone->mctx);
24110
0
}
24111
24112
unsigned int
24113
0
dns_zone_gettid(dns_zone_t *zone) {
24114
0
  return (zone->tid);
24115
0
}
24116
24117
isc_loop_t *
24118
0
dns_zone_getloop(dns_zone_t *zone) {
24119
0
  return (zone->loop);
24120
0
}
24121
24122
isc_result_t
24123
2
dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) {
24124
2
  REQUIRE(DNS_ZONE_VALID(zone));
24125
2
  REQUIRE(dbp != NULL && *dbp == NULL);
24126
24127
2
  dns_db_t *db = NULL;
24128
24129
2
  isc_result_t result = dns_db_create(
24130
2
    zone->mctx, zone->db_argv[0], &zone->origin,
24131
2
    (zone->type == dns_zone_stub) ? dns_dbtype_stub
24132
2
                : dns_dbtype_zone,
24133
2
    zone->rdclass, zone->db_argc - 1, zone->db_argv + 1, &db);
24134
2
  if (result != ISC_R_SUCCESS) {
24135
0
    return (result);
24136
0
  }
24137
24138
2
  switch (zone->type) {
24139
2
  case dns_zone_primary:
24140
2
  case dns_zone_secondary:
24141
2
  case dns_zone_mirror:
24142
2
    result = dns_db_setgluecachestats(db, zone->gluecachestats);
24143
2
    if (result == ISC_R_NOTIMPLEMENTED) {
24144
0
      result = ISC_R_SUCCESS;
24145
0
    }
24146
2
    if (result != ISC_R_SUCCESS) {
24147
0
      dns_db_detach(&db);
24148
0
      return (result);
24149
0
    }
24150
2
    break;
24151
2
  default:
24152
0
    break;
24153
2
  }
24154
24155
2
  dns_db_setloop(db, zone->loop);
24156
24157
2
  *dbp = db;
24158
24159
2
  return (ISC_R_SUCCESS);
24160
2
}