[thirdparty/pdns.git] / pdns / dbdnsseckeeper.cc

/*
    PowerDNS Versatile Database Driven Nameserver
    Copyright (C) 2001 - 2012  PowerDNS.COM BV

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License version 2 as 
    published by the Free Software Foundation

    Additionally, the license of this program contains a special
    exception which allows to distribute the program in binary form when
    it is linked against OpenSSL.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "dnsseckeeper.hh"
#include "dnssecinfra.hh"
#include "ueberbackend.hh"
#include "statbag.hh"
#include <iostream>
#include <boost/foreach.hpp>
#include <sys/stat.h>
#include <sys/types.h>
#include <fstream>
#include <boost/algorithm/string.hpp>
#include <boost/format.hpp>
#include <boost/assign/std/vector.hpp> // for 'operator+=()'
#include <boost/assign/list_inserter.hpp>
#include "base64.hh"
#include "cachecleaner.hh"
#include "arguments.hh"


using namespace boost::assign;
#include "namespaces.hh"


DNSSECKeeper::keycache_t DNSSECKeeper::s_keycache;
DNSSECKeeper::metacache_t DNSSECKeeper::s_metacache;
pthread_rwlock_t DNSSECKeeper::s_metacachelock = PTHREAD_RWLOCK_INITIALIZER;
pthread_rwlock_t DNSSECKeeper::s_keycachelock = PTHREAD_RWLOCK_INITIALIZER;
AtomicCounter DNSSECKeeper::s_ops;
time_t DNSSECKeeper::s_last_prune;

bool DNSSECKeeper::isSecuredZone(const DNSName& zone) 
{
  if(isPresigned(zone))
    return true;

  keyset_t keys = getKeys(zone); // does the cache

  BOOST_FOREACH(keyset_t::value_type& val, keys) {
    if(val.second.active) {
      return true;
    }
  }
  return false;
}

bool DNSSECKeeper::isPresigned(const DNSName& name)
{
  string meta;
  getFromMeta(name, "PRESIGNED", meta);
  return meta=="1";
}

bool DNSSECKeeper::addKey(const DNSName& name, bool keyOrZone, int algorithm, int bits, bool active)
{
  if(!bits) {
    if(algorithm <= 10)
      bits = keyOrZone ? 2048 : 1024;
    else {
      if(algorithm == 12 || algorithm == 13 || algorithm == 250) // ECDSA, GOST, ED25519
        bits = 256;
      else if(algorithm == 14)
        bits = 384;
      else {
        throw runtime_error("Can't guess key size for algorithm "+lexical_cast<string>(algorithm));
      }
    }
  }
  DNSSECPrivateKey dspk;
  shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME
  dpk->create(bits);
  dspk.setKey(dpk);
  dspk.d_algorithm = algorithm;
  dspk.d_flags = keyOrZone ? 257 : 256;
  return addKey(name, dspk, active);
}

void DNSSECKeeper::clearAllCaches() {
  {
    WriteLock l(&s_keycachelock);
    s_keycache.clear();
  }
  WriteLock l(&s_metacachelock);
  s_metacache.clear();
}

void DNSSECKeeper::clearCaches(const DNSName& name)
{
  {
    WriteLock l(&s_keycachelock);
    s_keycache.erase(name); 
  }
  WriteLock l(&s_metacachelock);
  pair<metacache_t::iterator, metacache_t::iterator> range = s_metacache.equal_range(tie(name));
  while(range.first != range.second)
    s_metacache.erase(range.first++);
}


bool DNSSECKeeper::addKey(const DNSName& name, const DNSSECPrivateKey& dpk, bool active)
{
  clearCaches(name);
  DNSBackend::KeyData kd;
  kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part
  kd.active = active;
  kd.content = dpk.getKey()->convertToISC();
 // now store it
  return d_keymetadb->addDomainKey(name, kd) >= 0; // >= 0 == s
}


static bool keyCompareByKindAndID(const DNSSECKeeper::keyset_t::value_type& a, const DNSSECKeeper::keyset_t::value_type& b)
{
  return make_pair(!a.second.keyOrZone, a.second.id) <
         make_pair(!b.second.keyOrZone, b.second.id);
}

DNSSECPrivateKey DNSSECKeeper::getKeyById(const DNSName& zname, unsigned int id)
{  
  vector<DNSBackend::KeyData> keys;
  d_keymetadb->getDomainKeys(zname, 0, keys);
  BOOST_FOREACH(const DNSBackend::KeyData& kd, keys) {
    if(kd.id != id) 
      continue;
    
    DNSSECPrivateKey dpk;
    DNSKEYRecordContent dkrc;
    dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
    dpk.d_flags = kd.flags;
    dpk.d_algorithm = dkrc.d_algorithm;
    
    if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) {
      dpk.d_algorithm += 2;
    }
    
    return dpk;    
  }
  throw runtime_error("Can't find a key with id "+lexical_cast<string>(id)+" for zone '"+zname.toString()+"'");
}


bool DNSSECKeeper::removeKey(const DNSName& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->removeDomainKey(zname, id);
}

bool DNSSECKeeper::deactivateKey(const DNSName& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->deactivateDomainKey(zname, id);
}

bool DNSSECKeeper::activateKey(const DNSName& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->activateDomainKey(zname, id);
}


void DNSSECKeeper::getFromMeta(const DNSName& zname, const std::string& key, std::string& value)
{
  value.clear();
  unsigned int now = time(0);

  if(!((++s_ops) % 100000)) {
    cleanup();
  }

  {
    ReadLock l(&s_metacachelock); 
    
    metacache_t::const_iterator iter = s_metacache.find(tie(zname, key));
    if(iter != s_metacache.end() && iter->d_ttd > now) {
      value = iter->d_value;
      return;
    }
  }
  vector<string> meta;
  d_keymetadb->getDomainMetadata(zname, key, meta);
  if(!meta.empty())
    value=*meta.begin();
    
  METACacheEntry nce;
  nce.d_domain=zname;
  nce.d_ttd = now+60;
  nce.d_key= key;
  nce.d_value = value;
  { 
    WriteLock l(&s_metacachelock);
    replacing_insert(s_metacache, nce);
  }
}

uint64_t DNSSECKeeper::dbdnssecCacheSizes(const std::string& str)
{
  if(str=="meta-cache-size") {
    ReadLock l(&s_metacachelock); 
    return s_metacache.size();
  }
  else if(str=="key-cache-size") {
    ReadLock l(&s_keycachelock);
    return s_keycache.size();
  }
  return (uint64_t)-1;
}

bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p, bool* narrow)
{
  string value;
  getFromMeta(zname, "NSEC3PARAM", value);
  if(value.empty()) { // "no NSEC3"
    return false;
  }

  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
  if(ns3p) {
    NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
    *ns3p = *tmp;
    delete tmp;
    if (ns3p->d_iterations > maxNSEC3Iterations) {
      ns3p->d_iterations = maxNSEC3Iterations;
      L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname.toString()<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
    }
  }
  if(narrow) {
    getFromMeta(zname, "NSEC3NARROW", value);
    *narrow = (value=="1");
  }
  return true;
}

bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
{
  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
  if (ns3p.d_iterations > maxNSEC3Iterations)
    throw runtime_error("Can't set NSEC3PARAM for zone '"+zname.toString()+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");

  clearCaches(zname);
  string descr = ns3p.getZoneRepresentation();
  vector<string> meta;
  meta.push_back(descr);
  if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) {
    meta.clear();
    
    if(narrow)
      meta.push_back("1");
    
    return d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", meta);
  }
  return false;
}

bool DNSSECKeeper::unsetNSEC3PARAM(const DNSName& zname)
{
  clearCaches(zname);
  return (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", vector<string>()) && d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", vector<string>()));
}


bool DNSSECKeeper::setPresigned(const DNSName& zname)
{
  clearCaches(zname);
  vector<string> meta;
  meta.push_back("1");
  return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", meta);
}

bool DNSSECKeeper::unsetPresigned(const DNSName& zname)
{
  clearCaches(zname);
  return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
}


DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, boost::tribool allOrKeyOrZone, bool useCache)
{
  unsigned int now = time(0);

  if(!((++s_ops) % 100000)) {
    cleanup();
  }

  if (useCache) {
    ReadLock l(&s_keycachelock);
    keycache_t::const_iterator iter = s_keycache.find(zone);
      
    if(iter != s_keycache.end() && iter->d_ttd > now) { 
      keyset_t ret;
      BOOST_FOREACH(const keyset_t::value_type& value, iter->d_keys) {
        if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == value.second.keyOrZone)
          ret.push_back(value);
      }
      return ret;
    }
  }    
  keyset_t retkeyset, allkeyset;
  vector<DNSBackend::KeyData> dbkeyset;
  
  d_keymetadb->getDomainKeys(zone, 0, dbkeyset);
  
  BOOST_FOREACH(DNSBackend::KeyData& kd, dbkeyset)
  {
    DNSSECPrivateKey dpk;

    DNSKEYRecordContent dkrc;
    
    dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
    
    dpk.d_flags = kd.flags;
    dpk.d_algorithm = dkrc.d_algorithm;
    if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
      dpk.d_algorithm+=2;
    
    KeyMetaData kmd;

    kmd.active = kd.active;
    kmd.keyOrZone = (kd.flags == 257);
    kmd.id = kd.id;
    
    if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == kmd.keyOrZone)
      retkeyset.push_back(make_pair(dpk, kmd));
    allkeyset.push_back(make_pair(dpk, kmd));
  }
  sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID);
  sort(allkeyset.begin(), allkeyset.end(), keyCompareByKindAndID);
  
  KeyCacheEntry kce;
  kce.d_domain=zone;
  kce.d_keys = allkeyset;
  kce.d_ttd = now + 30;
  {
    WriteLock l(&s_keycachelock);
    replacing_insert(s_keycache, kce);
  }
  
  return retkeyset;
}

bool DNSSECKeeper::secureZone(const DNSName& name, int algorithm, int size)
{
  clearCaches(name); // just to be sure ;)
  return addKey(name, true, algorithm, size);
}

bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname,
        const DNSName& wildcardname, const QType& qtype,
        DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
{
  vector<DNSResourceRecord> sigs;
  if(db.getDirectRRSIGs(signer, wildcardname.countLabels() ? wildcardname : qname, qtype, sigs)) {
    BOOST_FOREACH(DNSResourceRecord &rr, sigs) {
      rr.d_place = (DNSResourceRecord::Place)signPlace;
      rr.ttl = signTTL;
      rrsigs.push_back(rr);
    }
    return true;
  }

  // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
        SOAData sd;
        if(!db.getSOAUncached(signer, sd)) {
                DLOG(L<<"Could not get SOA for domain"<<endl);
                return false;
        }
        db.lookup(QType(QType::RRSIG), wildcardname.countLabels() ? wildcardname : qname, NULL, sd.domain_id);
        DNSResourceRecord rr;
        while(db.get(rr)) { 
                // cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
                vector<string> parts;
                stringtok(parts, rr.content);
                if(parts[0] == qtype.getName() && DNSName(parts[7])==signer) {
                        // cerr<<"Got it"<<endl;
                        if (wildcardname.countLabels())
                                rr.qname = qname;
                        rr.d_place = (DNSResourceRecord::Place)signPlace;
                        rr.ttl = signTTL;
                        rrsigs.push_back(rr);
                }
                // else cerr<<"Skipping!"<<endl;
        }
        return true;
}

bool DNSSECKeeper::TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname)
{
  vector<string> allowed;
  
  d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed);
  
  BOOST_FOREACH(const string& dbkey, allowed) {
    if(DNSName(dbkey)==keyname)
      return true;
  }
  return false;
}

bool DNSSECKeeper::getTSIGForAccess(const DNSName& zone, const string& master, DNSName* keyname)
{
  vector<string> keynames;
  d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
  keyname->trimToLabels(0);
  
  // XXX FIXME this should check for a specific master!
  BOOST_FOREACH(const string& dbkey, keynames) {
    *keyname=DNSName(dbkey);
    return true;
  }
  return false;
}

void DNSSECKeeper::cleanup()
{
  struct timeval now;
  Utility::gettimeofday(&now, 0);

  if(now.tv_sec - s_last_prune > (time_t)(30)) {
    {
        WriteLock l(&s_metacachelock);
        pruneCollection(s_metacache, ::arg().asNum("max-cache-entries"));
    }
    {
        WriteLock l(&s_keycachelock);
        pruneCollection(s_keycache, ::arg().asNum("max-cache-entries"));
    }
    s_last_prune=time(0);
  }
}
Commit	Line	Data
882358c8 BH	1	/*
882358c8 BH	2	PowerDNS Versatile Database Driven Nameserver
ccc3f9ed	3	Copyright (C) 2001 - 2012 PowerDNS.COM BV
882358c8 BH	4
	5	This program is free software; you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License version 2 as
	7	published by the Free Software Foundation
	8
f782fe38 MH	9	Additionally, the license of this program contains a special
	10	exception which allows to distribute the program in binary form when
	11	it is linked against OpenSSL.
	12
882358c8 BH	13	This program is distributed in the hope that it will be useful,
	14	but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	GNU General Public License for more details.
	17
	18	You should have received a copy of the GNU General Public License
	19	along with this program; if not, write to the Free Software
	20	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	21	*/
	22
870a0fe4 AT	23	#ifdef HAVE_CONFIG_H
	24	#include "config.h"
	25	#endif
c0273500 BH	26	#include "dnsseckeeper.hh"
	27	#include "dnssecinfra.hh"
	28	#include "ueberbackend.hh"
	29	#include "statbag.hh"
	30	#include <iostream>
c0273500 BH	31	#include <boost/foreach.hpp>
	32	#include <sys/stat.h>
	33	#include <sys/types.h>
	34	#include <fstream>
	35	#include <boost/algorithm/string.hpp>
	36	#include <boost/format.hpp>
	37	#include <boost/assign/std/vector.hpp> // for 'operator+=()'
	38	#include <boost/assign/list_inserter.hpp>
78bcb858	39	#include "base64.hh"
157f806e PD	40	#include "cachecleaner.hh"
157f806e PD	41	#include "arguments.hh"
d473cb9a BH	42
d473cb9a BH	43
c0273500	44	using namespace boost::assign;
9cb28241	45	#include "namespaces.hh"
de43ec0f	46
c0273500	47
40fe813d	48	DNSSECKeeper::keycache_t DNSSECKeeper::s_keycache;
d6f3dcdc	49	DNSSECKeeper::metacache_t DNSSECKeeper::s_metacache;
18a144ef BH	50	pthread_rwlock_t DNSSECKeeper::s_metacachelock = PTHREAD_RWLOCK_INITIALIZER;
18a144ef BH	51	pthread_rwlock_t DNSSECKeeper::s_keycachelock = PTHREAD_RWLOCK_INITIALIZER;
16f7d28d	52	AtomicCounter DNSSECKeeper::s_ops;
157f806e	53	time_t DNSSECKeeper::s_last_prune;
d473cb9a	54
675fa24c	55	bool DNSSECKeeper::isSecuredZone(const DNSName& zone)
c0273500	56	{
d3e7090c	57	if(isPresigned(zone))
d6f3dcdc	58	return true;
157f806e	59
8a95b04c KM	60	keyset_t keys = getKeys(zone); // does the cache
8a95b04c KM	61
ade1b1e9 BH	62	BOOST_FOREACH(keyset_t::value_type& val, keys) {
	63	if(val.second.active) {
	64	return true;
	65	}
c0273500	66	}
ade1b1e9	67	return false;
c0273500 BH	68	}
c0273500 BH	69
675fa24c	70	bool DNSSECKeeper::isPresigned(const DNSName& name)
d3e7090c	71	{
9cb28241 BH	72	string meta;
	73	getFromMeta(name, "PRESIGNED", meta);
	74	return meta=="1";
d3e7090c	75	}
c0273500	76
675fa24c	77	bool DNSSECKeeper::addKey(const DNSName& name, bool keyOrZone, int algorithm, int bits, bool active)
c0273500	78	{
022e5e0b BH	79	if(!bits) {
	80	if(algorithm <= 10)
	81	bits = keyOrZone ? 2048 : 1024;
	82	else {
59d84dc2	83	if(algorithm == 12 \|\| algorithm == 13 \|\| algorithm == 250) // ECDSA, GOST, ED25519
022e5e0b BH	84	bits = 256;
	85	else if(algorithm == 14)
	86	bits = 384;
	87	else {
0f4b0d97	88	throw runtime_error("Can't guess key size for algorithm "+lexical_cast<string>(algorithm));
022e5e0b BH	89	}
	90	}
	91	}
699e6e37	92	DNSSECPrivateKey dspk;
8d9f38f2	93	shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME
699e6e37 BH	94	dpk->create(bits);
	95	dspk.setKey(dpk);
	96	dspk.d_algorithm = algorithm;
	97	dspk.d_flags = keyOrZone ? 257 : 256;
40fe813d	98	return addKey(name, dspk, active);
f7bcc763 BH	99	}
f7bcc763 BH	100
627d2ca2 PD	101	void DNSSECKeeper::clearAllCaches() {
627d2ca2 PD	102	{
18a144ef	103	WriteLock l(&s_keycachelock);
627d2ca2 PD	104	s_keycache.clear();
627d2ca2 PD	105	}
18a144ef	106	WriteLock l(&s_metacachelock);
627d2ca2 PD	107	s_metacache.clear();
	108	}
	109
675fa24c	110	void DNSSECKeeper::clearCaches(const DNSName& name)
5e91adff	111	{
40fe813d	112	{
18a144ef	113	WriteLock l(&s_keycachelock);
40fe813d BH	114	s_keycache.erase(name);
40fe813d BH	115	}
18a144ef	116	WriteLock l(&s_metacachelock);
0b7d7191	117	pair<metacache_t::iterator, metacache_t::iterator> range = s_metacache.equal_range(tie(name));
d6f3dcdc BH	118	while(range.first != range.second)
d6f3dcdc BH	119	s_metacache.erase(range.first++);
5e91adff BH	120	}
	121
	122
675fa24c	123	bool DNSSECKeeper::addKey(const DNSName& name, const DNSSECPrivateKey& dpk, bool active)
f7bcc763	124	{
5e91adff	125	clearCaches(name);
c0273500	126	DNSBackend::KeyData kd;
7ddd79a7	127	kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part
c0273500	128	kd.active = active;
189bb9d2	129	kd.content = dpk.getKey()->convertToISC();
c0273500	130	// now store it
936eb34a	131	return d_keymetadb->addDomainKey(name, kd) >= 0; // >= 0 == s
c0273500 BH	132	}
	133
	134
	135	static bool keyCompareByKindAndID(const DNSSECKeeper::keyset_t::value_type& a, const DNSSECKeeper::keyset_t::value_type& b)
	136	{
	137	return make_pair(!a.second.keyOrZone, a.second.id) <
	138	make_pair(!b.second.keyOrZone, b.second.id);
	139	}
	140
675fa24c	141	DNSSECPrivateKey DNSSECKeeper::getKeyById(const DNSName& zname, unsigned int id)
c0273500	142	{
c0273500	143	vector<DNSBackend::KeyData> keys;
936eb34a	144	d_keymetadb->getDomainKeys(zname, 0, keys);
c0273500 BH	145	BOOST_FOREACH(const DNSBackend::KeyData& kd, keys) {
	146	if(kd.id != id)
	147	continue;
	148
	149	DNSSECPrivateKey dpk;
699e6e37	150	DNSKEYRecordContent dkrc;
8d9f38f2	151	dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
c0273500	152	dpk.d_flags = kd.flags;
a254438f	153	dpk.d_algorithm = dkrc.d_algorithm;
c0273500	154
a254438f BH	155	if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) {
	156	dpk.d_algorithm += 2;
	157	}
c0273500 BH	158
	159	return dpk;
	160	}
675fa24c	161	throw runtime_error("Can't find a key with id "+lexical_cast<string>(id)+" for zone '"+zname.toString()+"'");
c0273500 BH	162	}
	163
	164
675fa24c	165	bool DNSSECKeeper::removeKey(const DNSName& zname, unsigned int id)
c0273500	166	{
5e91adff	167	clearCaches(zname);
a84a8203	168	return d_keymetadb->removeDomainKey(zname, id);
c0273500 BH	169	}
c0273500 BH	170
675fa24c	171	bool DNSSECKeeper::deactivateKey(const DNSName& zname, unsigned int id)
c0273500	172	{
5e91adff	173	clearCaches(zname);
a84a8203	174	return d_keymetadb->deactivateDomainKey(zname, id);
c0273500 BH	175	}
c0273500 BH	176
675fa24c	177	bool DNSSECKeeper::activateKey(const DNSName& zname, unsigned int id)
c0273500	178	{
5e91adff	179	clearCaches(zname);
a84a8203	180	return d_keymetadb->activateDomainKey(zname, id);
c0273500 BH	181	}
c0273500 BH	182
d6f3dcdc	183
675fa24c	184	void DNSSECKeeper::getFromMeta(const DNSName& zname, const std::string& key, std::string& value)
c0273500	185	{
d6f3dcdc	186	value.clear();
5e91adff	187	unsigned int now = time(0);
157f806e	188
16f7d28d	189	if(!((++s_ops) % 100000)) {
157f806e PD	190	cleanup();
	191	}
	192
d473cb9a	193	{
18a144ef	194	ReadLock l(&s_metacachelock);
d473cb9a	195
d6f3dcdc BH	196	metacache_t::const_iterator iter = s_metacache.find(tie(zname, key));
	197	if(iter != s_metacache.end() && iter->d_ttd > now) {
	198	value = iter->d_value;
	199	return;
d473cb9a	200	}
22c5aa60	201	}
d473cb9a	202	vector<string> meta;
936eb34a	203	d_keymetadb->getDomainMetadata(zname, key, meta);
d6f3dcdc BH	204	if(!meta.empty())
	205	value=*meta.begin();
	206
	207	METACacheEntry nce;
d473cb9a BH	208	nce.d_domain=zname;
d473cb9a BH	209	nce.d_ttd = now+60;
d6f3dcdc BH	210	nce.d_key= key;
	211	nce.d_value = value;
	212	{
18a144ef	213	WriteLock l(&s_metacachelock);
d6f3dcdc	214	replacing_insert(s_metacache, nce);
d473cb9a	215	}
d6f3dcdc BH	216	}
d6f3dcdc BH	217
e903706d	218	uint64_t DNSSECKeeper::dbdnssecCacheSizes(const std::string& str)
	219	{
	220	if(str=="meta-cache-size") {
	221	ReadLock l(&s_metacachelock);
	222	return s_metacache.size();
	223	}
	224	else if(str=="key-cache-size") {
	225	ReadLock l(&s_keycachelock);
	226	return s_keycache.size();
	227	}
	228	return (uint64_t)-1;
	229	}
	230
675fa24c	231	bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p, bool* narrow)
d6f3dcdc BH	232	{
	233	string value;
	234	getFromMeta(zname, "NSEC3PARAM", value);
5935cede	235	if(value.empty()) { // "no NSEC3"
d6f3dcdc	236	return false;
5935cede	237	}
28b66a94 KM	238
28b66a94 KM	239	static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
c0273500	240	if(ns3p) {
d6f3dcdc	241	NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
c0273500 BH	242	ns3p = tmp;
c0273500 BH	243	delete tmp;
28b66a94 KM	244	if (ns3p->d_iterations > maxNSEC3Iterations) {
28b66a94 KM	245	ns3p->d_iterations = maxNSEC3Iterations;
675fa24c	246	L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname.toString()<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
28b66a94	247	}
c0273500	248	}
d6f3dcdc BH	249	if(narrow) {
	250	getFromMeta(zname, "NSEC3NARROW", value);
	251	*narrow = (value=="1");
	252	}
c0273500 BH	253	return true;
	254	}
	255
675fa24c	256	bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
c0273500	257	{
28b66a94 KM	258	static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
28b66a94 KM	259	if (ns3p.d_iterations > maxNSEC3Iterations)
675fa24c	260	throw runtime_error("Can't set NSEC3PARAM for zone '"+zname.toString()+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
28b66a94	261
5e91adff	262	clearCaches(zname);
c0273500 BH	263	string descr = ns3p.getZoneRepresentation();
	264	vector<string> meta;
	265	meta.push_back(descr);
a84a8203 PD	266	if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) {
	267	meta.clear();
	268
	269	if(narrow)
	270	meta.push_back("1");
	271
	272	return d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", meta);
	273	}
	274	return false;
c0273500 BH	275	}
c0273500 BH	276
675fa24c	277	bool DNSSECKeeper::unsetNSEC3PARAM(const DNSName& zname)
c0273500	278	{
5e91adff	279	clearCaches(zname);
a84a8203	280	return (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", vector<string>()) && d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", vector<string>()));
c0273500 BH	281	}
	282
	283
675fa24c	284	bool DNSSECKeeper::setPresigned(const DNSName& zname)
d3e7090c BH	285	{
	286	clearCaches(zname);
	287	vector<string> meta;
	288	meta.push_back("1");
a84a8203	289	return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", meta);
d3e7090c BH	290	}
d3e7090c BH	291
675fa24c	292	bool DNSSECKeeper::unsetPresigned(const DNSName& zname)
d3e7090c BH	293	{
d3e7090c BH	294	clearCaches(zname);
a84a8203	295	return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
d3e7090c BH	296	}
	297
	298
675fa24c	299	DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, boost::tribool allOrKeyOrZone, bool useCache)
c0273500	300	{
5e91adff	301	unsigned int now = time(0);
157f806e	302
16f7d28d	303	if(!((++s_ops) % 100000)) {
157f806e PD	304	cleanup();
	305	}
	306
d8455c78	307	if (useCache) {
18a144ef	308	ReadLock l(&s_keycachelock);
40fe813d BH	309	keycache_t::const_iterator iter = s_keycache.find(zone);
	310
	311	if(iter != s_keycache.end() && iter->d_ttd > now) {
	312	keyset_t ret;
	313	BOOST_FOREACH(const keyset_t::value_type& value, iter->d_keys) {
	314	if(boost::indeterminate(allOrKeyOrZone) \|\| allOrKeyOrZone == value.second.keyOrZone)
	315	ret.push_back(value);
	316	}
	317	return ret;
7aff7ead	318	}
40fe813d	319	}
7aff7ead	320	keyset_t retkeyset, allkeyset;
3971cf53	321	vector<DNSBackend::KeyData> dbkeyset;
c0273500	322
936eb34a	323	d_keymetadb->getDomainKeys(zone, 0, dbkeyset);
d473cb9a	324
3971cf53	325	BOOST_FOREACH(DNSBackend::KeyData& kd, dbkeyset)
c0273500 BH	326	{
	327	DNSSECPrivateKey dpk;
	328
699e6e37	329	DNSKEYRecordContent dkrc;
7df3258b	330
8d9f38f2	331	dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
7df3258b	332
c0273500	333	dpk.d_flags = kd.flags;
a254438f BH	334	dpk.d_algorithm = dkrc.d_algorithm;
	335	if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
	336	dpk.d_algorithm+=2;
c0273500 BH	337
	338	KeyMetaData kmd;
	339
	340	kmd.active = kd.active;
	341	kmd.keyOrZone = (kd.flags == 257);
	342	kmd.id = kd.id;
	343
	344	if(boost::indeterminate(allOrKeyOrZone) \|\| allOrKeyOrZone == kmd.keyOrZone)
7aff7ead BH	345	retkeyset.push_back(make_pair(dpk, kmd));
7aff7ead BH	346	allkeyset.push_back(make_pair(dpk, kmd));
c0273500	347	}
7aff7ead BH	348	sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID);
7aff7ead BH	349	sort(allkeyset.begin(), allkeyset.end(), keyCompareByKindAndID);
d473cb9a BH	350
	351	KeyCacheEntry kce;
	352	kce.d_domain=zone;
7aff7ead BH	353	kce.d_keys = allkeyset;
7aff7ead BH	354	kce.d_ttd = now + 30;
40fe813d	355	{
18a144ef	356	WriteLock l(&s_keycachelock);
40fe813d BH	357	replacing_insert(s_keycache, kce);
40fe813d BH	358	}
d473cb9a	359
7aff7ead	360	return retkeyset;
c0273500 BH	361	}
c0273500 BH	362
675fa24c	363	bool DNSSECKeeper::secureZone(const DNSName& name, int algorithm, int size)
c0273500	364	{
5e91adff	365	clearCaches(name); // just to be sure ;)
36758d25	366	return addKey(name, true, algorithm, size);
c0273500	367	}
d3e7090c	368
675fa24c PD	369	bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname,
675fa24c PD	370	const DNSName& wildcardname, const QType& qtype,
232f0877	371	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
d3e7090c	372	{
461a0401	373	vector<DNSResourceRecord> sigs;
675fa24c	374	if(db.getDirectRRSIGs(signer, wildcardname.countLabels() ? wildcardname : qname, qtype, sigs)) {
461a0401	375	BOOST_FOREACH(DNSResourceRecord &rr, sigs) {
461a0401 KM	376	rr.d_place = (DNSResourceRecord::Place)signPlace;
	377	rr.ttl = signTTL;
	378	rrsigs.push_back(rr);
	379	}
	380	return true;
	381	}
	382
f1485b68	383	// cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
232f0877	384	SOAData sd;
79ba7763	385	if(!db.getSOAUncached(signer, sd)) {
232f0877 CH	386	DLOG(L<<"Could not get SOA for domain"<<endl);
	387	return false;
	388	}
675fa24c	389	db.lookup(QType(QType::RRSIG), wildcardname.countLabels() ? wildcardname : qname, NULL, sd.domain_id);
232f0877 CH	390	DNSResourceRecord rr;
	391	while(db.get(rr)) {
	392	// cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
	393	vector<string> parts;
	394	stringtok(parts, rr.content);
675fa24c	395	if(parts[0] == qtype.getName() && DNSName(parts[7])==signer) {
232f0877	396	// cerr<<"Got it"<<endl;
675fa24c	397	if (wildcardname.countLabels())
232f0877 CH	398	rr.qname = qname;
	399	rr.d_place = (DNSResourceRecord::Place)signPlace;
	400	rr.ttl = signTTL;
	401	rrsigs.push_back(rr);
	402	}
e125fc69	403	// else cerr<<"Skipping!"<<endl;
232f0877 CH	404	}
232f0877 CH	405	return true;
d3e7090c	406	}
78bcb858	407
675fa24c	408	bool DNSSECKeeper::TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname)
78bcb858 BH	409	{
	410	vector<string> allowed;
	411
936eb34a	412	d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed);
78bcb858 BH	413
78bcb858 BH	414	BOOST_FOREACH(const string& dbkey, allowed) {
675fa24c	415	if(DNSName(dbkey)==keyname)
78bcb858 BH	416	return true;
	417	}
	418	return false;
	419	}
29b92d6f	420
675fa24c	421	bool DNSSECKeeper::getTSIGForAccess(const DNSName& zone, const string& master, DNSName* keyname)
29b92d6f BH	422	{
29b92d6f BH	423	vector<string> keynames;
936eb34a	424	d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
675fa24c	425	keyname->trimToLabels(0);
29b92d6f BH	426
	427	// XXX FIXME this should check for a specific master!
	428	BOOST_FOREACH(const string& dbkey, keynames) {
675fa24c	429	*keyname=DNSName(dbkey);
29b92d6f BH	430	return true;
	431	}
	432	return false;
	433	}
157f806e PD	434
	435	void DNSSECKeeper::cleanup()
	436	{
	437	struct timeval now;
	438	Utility::gettimeofday(&now, 0);
	439
	440	if(now.tv_sec - s_last_prune > (time_t)(30)) {
	441	{
18a144ef	442	WriteLock l(&s_metacachelock);
157f806e PD	443	pruneCollection(s_metacache, ::arg().asNum("max-cache-entries"));
	444	}
	445	{
18a144ef	446	WriteLock l(&s_keycachelock);
157f806e PD	447	pruneCollection(s_keycache, ::arg().asNum("max-cache-entries"));
	448	}
	449	s_last_prune=time(0);
	450	}
627d2ca2	451	}