[thirdparty/pdns.git] / pdns / dbdnsseckeeper.cc

/*
    PowerDNS Versatile Database Driven Nameserver
    Copyright (C) 2001 - 2012  PowerDNS.COM BV

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License version 2 as 
    published by the Free Software Foundation

    Additionally, the license of this program contains a special
    exception which allows to distribute the program in binary form when
    it is linked against OpenSSL.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/

#include "dnsseckeeper.hh"
#include "dnssecinfra.hh"
#include "ueberbackend.hh"
#include "statbag.hh"
#include <iostream>
#include <boost/foreach.hpp>
#include <sys/stat.h>
#include <sys/types.h>
#include <fstream>
#include <boost/algorithm/string.hpp>
#include <boost/format.hpp>
#include <boost/assign/std/vector.hpp> // for 'operator+=()'
#include <boost/assign/list_inserter.hpp>
#include "base64.hh"
#include "cachecleaner.hh"
#include "arguments.hh"


using namespace boost::assign;
#include "namespaces.hh"


DNSSECKeeper::keycache_t DNSSECKeeper::s_keycache;
DNSSECKeeper::metacache_t DNSSECKeeper::s_metacache;
pthread_rwlock_t DNSSECKeeper::s_metacachelock = PTHREAD_RWLOCK_INITIALIZER;
pthread_rwlock_t DNSSECKeeper::s_keycachelock = PTHREAD_RWLOCK_INITIALIZER;
AtomicCounter DNSSECKeeper::s_ops;
time_t DNSSECKeeper::s_last_prune;

bool DNSSECKeeper::isSecuredZone(const std::string& zone) 
{
  if(isPresigned(zone))
    return true;
  
  if(!((++s_ops) % 100000)) {
    cleanup();
  }

  {
    ReadLock l(&s_keycachelock);
    keycache_t::const_iterator iter = s_keycache.find(zone);
    if(iter != s_keycache.end() && iter->d_ttd > (unsigned int)time(0)) { 
      if(iter->d_keys.empty())
        return false;
      else
        return true;
    }
    else
      ; 
  }  
  keyset_t keys = getKeys(zone, true); // does the cache
  
  BOOST_FOREACH(keyset_t::value_type& val, keys) {
    if(val.second.active) {
      return true;
    }
  }
  return false;
}

bool DNSSECKeeper::isPresigned(const std::string& name)
{
  string meta;
  getFromMeta(name, "PRESIGNED", meta);
  return meta=="1";
}

bool DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm, int bits, bool active)
{
  if(!bits) {
    if(algorithm <= 10)
      bits = keyOrZone ? 2048 : 1024;
    else {
      if(algorithm == 12 || algorithm == 13 || algorithm == 250) // ECDSA, GOST, ED25519
        bits = 256;
      else if(algorithm == 14)
        bits = 384;
      else {
        throw runtime_error("Can't guess key size for algorithm "+lexical_cast<string>(algorithm));
      }
    }
  }
  DNSSECPrivateKey dspk;
  shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME
  dpk->create(bits);
  dspk.setKey(dpk);
  dspk.d_algorithm = algorithm;
  dspk.d_flags = keyOrZone ? 257 : 256;
  return addKey(name, dspk, active);
}

void DNSSECKeeper::clearAllCaches() {
  {
    WriteLock l(&s_keycachelock);
    s_keycache.clear();
  }
  WriteLock l(&s_metacachelock);
  s_metacache.clear();
}

void DNSSECKeeper::clearCaches(const std::string& name)
{
  {
    WriteLock l(&s_keycachelock);
    s_keycache.erase(name); 
  }
  WriteLock l(&s_metacachelock);
  pair<metacache_t::iterator, metacache_t::iterator> range = s_metacache.equal_range(name);
  while(range.first != range.second)
    s_metacache.erase(range.first++);
}


bool DNSSECKeeper::addKey(const std::string& name, const DNSSECPrivateKey& dpk, bool active)
{
  clearCaches(name);
  DNSBackend::KeyData kd;
  kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part
  kd.active = active;
  kd.content = dpk.getKey()->convertToISC();
 // now store it
  return d_keymetadb->addDomainKey(name, kd) >= 0; // >= 0 == s
}


static bool keyCompareByKindAndID(const DNSSECKeeper::keyset_t::value_type& a, const DNSSECKeeper::keyset_t::value_type& b)
{
  return make_pair(!a.second.keyOrZone, a.second.id) <
         make_pair(!b.second.keyOrZone, b.second.id);
}

DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int id)
{  
  vector<DNSBackend::KeyData> keys;
  d_keymetadb->getDomainKeys(zname, 0, keys);
  BOOST_FOREACH(const DNSBackend::KeyData& kd, keys) {
    if(kd.id != id) 
      continue;
    
    DNSSECPrivateKey dpk;
    DNSKEYRecordContent dkrc;
    dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
    dpk.d_flags = kd.flags;
    dpk.d_algorithm = dkrc.d_algorithm;
    
    if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) {
      dpk.d_algorithm += 2;
    }
    
    return dpk;    
  }
  throw runtime_error("Can't find a key with id "+lexical_cast<string>(id)+" for zone '"+zname+"'");
}


bool DNSSECKeeper::removeKey(const std::string& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->removeDomainKey(zname, id);
}

bool DNSSECKeeper::deactivateKey(const std::string& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->deactivateDomainKey(zname, id);
}

bool DNSSECKeeper::activateKey(const std::string& zname, unsigned int id)
{
  clearCaches(zname);
  return d_keymetadb->activateDomainKey(zname, id);
}


void DNSSECKeeper::getFromMeta(const std::string& zname, const std::string& key, std::string& value)
{
  value.clear();
  unsigned int now = time(0);

  if(!((++s_ops) % 100000)) {
    cleanup();
  }

  {
    ReadLock l(&s_metacachelock); 
    
    metacache_t::const_iterator iter = s_metacache.find(tie(zname, key));
    if(iter != s_metacache.end() && iter->d_ttd > now) {
      value = iter->d_value;
      return;
    }
  }
  vector<string> meta;
  d_keymetadb->getDomainMetadata(zname, key, meta);
  if(!meta.empty())
    value=*meta.begin();
    
  METACacheEntry nce;
  nce.d_domain=zname;
  nce.d_ttd = now+60;
  nce.d_key= key;
  nce.d_value = value;
  { 
    WriteLock l(&s_metacachelock);
    replacing_insert(s_metacache, nce);
  }
}

bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p, bool* narrow)
{
  string value;
  getFromMeta(zname, "NSEC3PARAM", value);
  if(value.empty()) { // "no NSEC3"
    return false;
  }
     
  if(ns3p) {
    NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
    *ns3p = *tmp;
    delete tmp;
  }
  if(narrow) {
    getFromMeta(zname, "NSEC3NARROW", value);
    *narrow = (value=="1");
  }
  return true;
}

bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
{
  clearCaches(zname);
  string descr = ns3p.getZoneRepresentation();
  vector<string> meta;
  meta.push_back(descr);
  if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) {
    meta.clear();
    
    if(narrow)
      meta.push_back("1");
    
    return d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", meta);
  }
  return false;
}

bool DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname)
{
  clearCaches(zname);
  return (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", vector<string>()) && d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", vector<string>()));
}


bool DNSSECKeeper::setPresigned(const std::string& zname)
{
  clearCaches(zname);
  vector<string> meta;
  meta.push_back("1");
  return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", meta);
}

bool DNSSECKeeper::unsetPresigned(const std::string& zname)
{
  clearCaches(zname);
  return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
}


DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tribool allOrKeyOrZone) 
{
  unsigned int now = time(0);

  if(!((++s_ops) % 100000)) {
    cleanup();
  }

  {
    ReadLock l(&s_keycachelock);
    keycache_t::const_iterator iter = s_keycache.find(zone);
      
    if(iter != s_keycache.end() && iter->d_ttd > now) { 
      keyset_t ret;
      BOOST_FOREACH(const keyset_t::value_type& value, iter->d_keys) {
        if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == value.second.keyOrZone)
          ret.push_back(value);
      }
      return ret;
    }
  }    
  keyset_t retkeyset, allkeyset;
  vector<UeberBackend::KeyData> dbkeyset;
  
  d_keymetadb->getDomainKeys(zone, 0, dbkeyset);
  
  BOOST_FOREACH(UeberBackend::KeyData& kd, dbkeyset) 
  {
    DNSSECPrivateKey dpk;

    DNSKEYRecordContent dkrc;
    
    dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
    
    dpk.d_flags = kd.flags;
    dpk.d_algorithm = dkrc.d_algorithm;
    if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
      dpk.d_algorithm+=2;
    
    KeyMetaData kmd;

    kmd.active = kd.active;
    kmd.keyOrZone = (kd.flags == 257);
    kmd.id = kd.id;
    
    if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == kmd.keyOrZone)
      retkeyset.push_back(make_pair(dpk, kmd));
    allkeyset.push_back(make_pair(dpk, kmd));
  }
  sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID);
  sort(allkeyset.begin(), allkeyset.end(), keyCompareByKindAndID);
  
  KeyCacheEntry kce;
  kce.d_domain=zone;
  kce.d_keys = allkeyset;
  kce.d_ttd = now + 30;
  {
    WriteLock l(&s_keycachelock);
    replacing_insert(s_keycache, kce);
  }
  
  return retkeyset;
}

bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size)
{
  clearCaches(name); // just to be sure ;)
  return addKey(name, true, algorithm, size);
}

bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, 
	const std::string& wildcardname, const QType& qtype, 
	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
{
  // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
	SOAData sd;
	sd.db=(DNSBackend *)-1; // force uncached answer
	if(!db.getSOA(signer, sd)) {
		DLOG(L<<"Could not get SOA for domain"<<endl);
		return false;
	}
	db.lookup(QType(QType::RRSIG), wildcardname.empty() ? qname : wildcardname, NULL, sd.domain_id);
	DNSResourceRecord rr;
	while(db.get(rr)) { 
		// cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
		vector<string> parts;
		stringtok(parts, rr.content);
		if(parts[0] == qtype.getName() && pdns_iequals(parts[7], signer+".")) {
			// cerr<<"Got it"<<endl;
			if (!wildcardname.empty())
				rr.qname = qname;
			rr.d_place = (DNSResourceRecord::Place)signPlace;
			rr.ttl = signTTL;
			rrsigs.push_back(rr);
		}
		else ; // cerr<<"Skipping!"<<endl;
	}
	return true;
}

bool DNSSECKeeper::TSIGGrantsAccess(const string& zone, const string& keyname, const string& algorithm)
{
  vector<string> allowed;
  
  d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed);
  
  BOOST_FOREACH(const string& dbkey, allowed) {
    if(pdns_iequals(dbkey, keyname))
      return true;
  }
  return false;
}

bool DNSSECKeeper::getTSIGForAccess(const string& zone, const string& master, string* keyname)
{
  vector<string> keynames;
  d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
  keyname->clear();
  
  // XXX FIXME this should check for a specific master!
  BOOST_FOREACH(const string& dbkey, keynames) {
    *keyname=dbkey;
    return true;
  }
  return false;
}

void DNSSECKeeper::cleanup()
{
  struct timeval now;
  Utility::gettimeofday(&now, 0);

  if(now.tv_sec - s_last_prune > (time_t)(30)) {
    {
        WriteLock l(&s_metacachelock);
        pruneCollection(s_metacache, ::arg().asNum("max-cache-entries"));
    }
    {
        WriteLock l(&s_keycachelock);
        pruneCollection(s_keycache, ::arg().asNum("max-cache-entries"));
    }
    s_last_prune=time(0);
  }
}
Commit	Line	Data
882358c8 BH	1	/*
882358c8 BH	2	PowerDNS Versatile Database Driven Nameserver
ccc3f9ed	3	Copyright (C) 2001 - 2012 PowerDNS.COM BV
882358c8 BH	4
	5	This program is free software; you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License version 2 as
	7	published by the Free Software Foundation
	8
f782fe38 MH	9	Additionally, the license of this program contains a special
	10	exception which allows to distribute the program in binary form when
	11	it is linked against OpenSSL.
	12
882358c8 BH	13	This program is distributed in the hope that it will be useful,
	14	but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	GNU General Public License for more details.
	17
	18	You should have received a copy of the GNU General Public License
	19	along with this program; if not, write to the Free Software
	20	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	21	*/
	22
c0273500 BH	23	#include "dnsseckeeper.hh"
	24	#include "dnssecinfra.hh"
	25	#include "ueberbackend.hh"
	26	#include "statbag.hh"
	27	#include <iostream>
c0273500 BH	28	#include <boost/foreach.hpp>
	29	#include <sys/stat.h>
	30	#include <sys/types.h>
	31	#include <fstream>
	32	#include <boost/algorithm/string.hpp>
	33	#include <boost/format.hpp>
	34	#include <boost/assign/std/vector.hpp> // for 'operator+=()'
	35	#include <boost/assign/list_inserter.hpp>
78bcb858	36	#include "base64.hh"
157f806e PD	37	#include "cachecleaner.hh"
157f806e PD	38	#include "arguments.hh"
d473cb9a BH	39
d473cb9a BH	40
c0273500	41	using namespace boost::assign;
9cb28241	42	#include "namespaces.hh"
de43ec0f	43
c0273500	44
40fe813d	45	DNSSECKeeper::keycache_t DNSSECKeeper::s_keycache;
d6f3dcdc	46	DNSSECKeeper::metacache_t DNSSECKeeper::s_metacache;
18a144ef BH	47	pthread_rwlock_t DNSSECKeeper::s_metacachelock = PTHREAD_RWLOCK_INITIALIZER;
18a144ef BH	48	pthread_rwlock_t DNSSECKeeper::s_keycachelock = PTHREAD_RWLOCK_INITIALIZER;
16f7d28d	49	AtomicCounter DNSSECKeeper::s_ops;
157f806e	50	time_t DNSSECKeeper::s_last_prune;
d473cb9a	51
d3e7090c	52	bool DNSSECKeeper::isSecuredZone(const std::string& zone)
c0273500	53	{
d3e7090c	54	if(isPresigned(zone))
d6f3dcdc	55	return true;
631580dd	56
16f7d28d	57	if(!((++s_ops) % 100000)) {
157f806e PD	58	cleanup();
	59	}
	60
40fe813d	61	{
18a144ef	62	ReadLock l(&s_keycachelock);
40fe813d BH	63	keycache_t::const_iterator iter = s_keycache.find(zone);
	64	if(iter != s_keycache.end() && iter->d_ttd > (unsigned int)time(0)) {
	65	if(iter->d_keys.empty())
	66	return false;
	67	else
	68	return true;
	69	}
	70	else
	71	;
	72	}
7df3258b	73	keyset_t keys = getKeys(zone, true); // does the cache
d473cb9a	74
ade1b1e9 BH	75	BOOST_FOREACH(keyset_t::value_type& val, keys) {
	76	if(val.second.active) {
	77	return true;
	78	}
c0273500	79	}
ade1b1e9	80	return false;
c0273500 BH	81	}
c0273500 BH	82
d3e7090c BH	83	bool DNSSECKeeper::isPresigned(const std::string& name)
d3e7090c BH	84	{
9cb28241 BH	85	string meta;
	86	getFromMeta(name, "PRESIGNED", meta);
	87	return meta=="1";
d3e7090c	88	}
c0273500	89
40fe813d	90	bool DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm, int bits, bool active)
c0273500	91	{
022e5e0b BH	92	if(!bits) {
	93	if(algorithm <= 10)
	94	bits = keyOrZone ? 2048 : 1024;
	95	else {
59d84dc2	96	if(algorithm == 12 \|\| algorithm == 13 \|\| algorithm == 250) // ECDSA, GOST, ED25519
022e5e0b BH	97	bits = 256;
	98	else if(algorithm == 14)
	99	bits = 384;
	100	else {
0f4b0d97	101	throw runtime_error("Can't guess key size for algorithm "+lexical_cast<string>(algorithm));
022e5e0b BH	102	}
	103	}
	104	}
699e6e37	105	DNSSECPrivateKey dspk;
8d9f38f2	106	shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME
699e6e37 BH	107	dpk->create(bits);
	108	dspk.setKey(dpk);
	109	dspk.d_algorithm = algorithm;
	110	dspk.d_flags = keyOrZone ? 257 : 256;
40fe813d	111	return addKey(name, dspk, active);
f7bcc763 BH	112	}
f7bcc763 BH	113
627d2ca2 PD	114	void DNSSECKeeper::clearAllCaches() {
627d2ca2 PD	115	{
18a144ef	116	WriteLock l(&s_keycachelock);
627d2ca2 PD	117	s_keycache.clear();
627d2ca2 PD	118	}
18a144ef	119	WriteLock l(&s_metacachelock);
627d2ca2 PD	120	s_metacache.clear();
	121	}
	122
5e91adff BH	123	void DNSSECKeeper::clearCaches(const std::string& name)
5e91adff BH	124	{
40fe813d	125	{
18a144ef	126	WriteLock l(&s_keycachelock);
40fe813d BH	127	s_keycache.erase(name);
40fe813d BH	128	}
18a144ef	129	WriteLock l(&s_metacachelock);
d6f3dcdc BH	130	pair<metacache_t::iterator, metacache_t::iterator> range = s_metacache.equal_range(name);
	131	while(range.first != range.second)
	132	s_metacache.erase(range.first++);
5e91adff BH	133	}
	134
	135
40fe813d	136	bool DNSSECKeeper::addKey(const std::string& name, const DNSSECPrivateKey& dpk, bool active)
f7bcc763	137	{
5e91adff	138	clearCaches(name);
c0273500	139	DNSBackend::KeyData kd;
7ddd79a7	140	kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part
c0273500	141	kd.active = active;
189bb9d2	142	kd.content = dpk.getKey()->convertToISC();
c0273500	143	// now store it
936eb34a	144	return d_keymetadb->addDomainKey(name, kd) >= 0; // >= 0 == s
c0273500 BH	145	}
	146
	147
	148	static bool keyCompareByKindAndID(const DNSSECKeeper::keyset_t::value_type& a, const DNSSECKeeper::keyset_t::value_type& b)
	149	{
	150	return make_pair(!a.second.keyOrZone, a.second.id) <
	151	make_pair(!b.second.keyOrZone, b.second.id);
	152	}
	153
	154	DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int id)
	155	{
c0273500	156	vector<DNSBackend::KeyData> keys;
936eb34a	157	d_keymetadb->getDomainKeys(zname, 0, keys);
c0273500 BH	158	BOOST_FOREACH(const DNSBackend::KeyData& kd, keys) {
	159	if(kd.id != id)
	160	continue;
	161
	162	DNSSECPrivateKey dpk;
699e6e37	163	DNSKEYRecordContent dkrc;
8d9f38f2	164	dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
c0273500	165	dpk.d_flags = kd.flags;
a254438f	166	dpk.d_algorithm = dkrc.d_algorithm;
c0273500	167
a254438f BH	168	if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) {
	169	dpk.d_algorithm += 2;
	170	}
c0273500 BH	171
	172	return dpk;
	173	}
	174	throw runtime_error("Can't find a key with id "+lexical_cast<string>(id)+" for zone '"+zname+"'");
c0273500 BH	175	}
	176
	177
a84a8203	178	bool DNSSECKeeper::removeKey(const std::string& zname, unsigned int id)
c0273500	179	{
5e91adff	180	clearCaches(zname);
a84a8203	181	return d_keymetadb->removeDomainKey(zname, id);
c0273500 BH	182	}
c0273500 BH	183
a84a8203	184	bool DNSSECKeeper::deactivateKey(const std::string& zname, unsigned int id)
c0273500	185	{
5e91adff	186	clearCaches(zname);
a84a8203	187	return d_keymetadb->deactivateDomainKey(zname, id);
c0273500 BH	188	}
c0273500 BH	189
a84a8203	190	bool DNSSECKeeper::activateKey(const std::string& zname, unsigned int id)
c0273500	191	{
5e91adff	192	clearCaches(zname);
a84a8203	193	return d_keymetadb->activateDomainKey(zname, id);
c0273500 BH	194	}
c0273500 BH	195
d6f3dcdc BH	196
d6f3dcdc BH	197	void DNSSECKeeper::getFromMeta(const std::string& zname, const std::string& key, std::string& value)
c0273500	198	{
d6f3dcdc	199	value.clear();
5e91adff	200	unsigned int now = time(0);
157f806e	201
16f7d28d	202	if(!((++s_ops) % 100000)) {
157f806e PD	203	cleanup();
	204	}
	205
d473cb9a	206	{
18a144ef	207	ReadLock l(&s_metacachelock);
d473cb9a	208
d6f3dcdc BH	209	metacache_t::const_iterator iter = s_metacache.find(tie(zname, key));
	210	if(iter != s_metacache.end() && iter->d_ttd > now) {
	211	value = iter->d_value;
	212	return;
d473cb9a	213	}
22c5aa60	214	}
d473cb9a	215	vector<string> meta;
936eb34a	216	d_keymetadb->getDomainMetadata(zname, key, meta);
d6f3dcdc BH	217	if(!meta.empty())
	218	value=*meta.begin();
	219
	220	METACacheEntry nce;
d473cb9a BH	221	nce.d_domain=zname;
d473cb9a BH	222	nce.d_ttd = now+60;
d6f3dcdc BH	223	nce.d_key= key;
	224	nce.d_value = value;
	225	{
18a144ef	226	WriteLock l(&s_metacachelock);
d6f3dcdc	227	replacing_insert(s_metacache, nce);
d473cb9a	228	}
d6f3dcdc BH	229	}
	230
	231	bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p, bool* narrow)
	232	{
	233	string value;
	234	getFromMeta(zname, "NSEC3PARAM", value);
5935cede	235	if(value.empty()) { // "no NSEC3"
d6f3dcdc	236	return false;
5935cede	237	}
d6f3dcdc	238
c0273500	239	if(ns3p) {
d6f3dcdc	240	NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
c0273500 BH	241	ns3p = tmp;
	242	delete tmp;
	243	}
d6f3dcdc BH	244	if(narrow) {
	245	getFromMeta(zname, "NSEC3NARROW", value);
	246	*narrow = (value=="1");
	247	}
c0273500 BH	248	return true;
	249	}
	250
a84a8203	251	bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
c0273500	252	{
5e91adff	253	clearCaches(zname);
c0273500 BH	254	string descr = ns3p.getZoneRepresentation();
	255	vector<string> meta;
	256	meta.push_back(descr);
a84a8203 PD	257	if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) {
	258	meta.clear();
	259
	260	if(narrow)
	261	meta.push_back("1");
	262
	263	return d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", meta);
	264	}
	265	return false;
c0273500 BH	266	}
c0273500 BH	267
a84a8203	268	bool DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname)
c0273500	269	{
5e91adff	270	clearCaches(zname);
a84a8203	271	return (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", vector<string>()) && d_keymetadb->setDomainMetadata(zname, "NSEC3NARROW", vector<string>()));
c0273500 BH	272	}
	273
	274
a84a8203	275	bool DNSSECKeeper::setPresigned(const std::string& zname)
d3e7090c BH	276	{
	277	clearCaches(zname);
	278	vector<string> meta;
	279	meta.push_back("1");
a84a8203	280	return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", meta);
d3e7090c BH	281	}
d3e7090c BH	282
a84a8203	283	bool DNSSECKeeper::unsetPresigned(const std::string& zname)
d3e7090c BH	284	{
d3e7090c BH	285	clearCaches(zname);
a84a8203	286	return d_keymetadb->setDomainMetadata(zname, "PRESIGNED", vector<string>());
d3e7090c BH	287	}
	288
	289
e0d84497	290	DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tribool allOrKeyOrZone)
c0273500	291	{
5e91adff	292	unsigned int now = time(0);
157f806e	293
16f7d28d	294	if(!((++s_ops) % 100000)) {
157f806e PD	295	cleanup();
	296	}
	297
40fe813d	298	{
18a144ef	299	ReadLock l(&s_keycachelock);
40fe813d BH	300	keycache_t::const_iterator iter = s_keycache.find(zone);
	301
	302	if(iter != s_keycache.end() && iter->d_ttd > now) {
	303	keyset_t ret;
	304	BOOST_FOREACH(const keyset_t::value_type& value, iter->d_keys) {
	305	if(boost::indeterminate(allOrKeyOrZone) \|\| allOrKeyOrZone == value.second.keyOrZone)
	306	ret.push_back(value);
	307	}
	308	return ret;
7aff7ead	309	}
40fe813d	310	}
7aff7ead	311	keyset_t retkeyset, allkeyset;
c0273500 BH	312	vector<UeberBackend::KeyData> dbkeyset;
c0273500 BH	313
936eb34a	314	d_keymetadb->getDomainKeys(zone, 0, dbkeyset);
d473cb9a	315
c0273500 BH	316	BOOST_FOREACH(UeberBackend::KeyData& kd, dbkeyset)
	317	{
	318	DNSSECPrivateKey dpk;
	319
699e6e37	320	DNSKEYRecordContent dkrc;
7df3258b	321
8d9f38f2	322	dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content)));
7df3258b	323
c0273500	324	dpk.d_flags = kd.flags;
a254438f BH	325	dpk.d_algorithm = dkrc.d_algorithm;
	326	if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
	327	dpk.d_algorithm+=2;
c0273500 BH	328
	329	KeyMetaData kmd;
	330
	331	kmd.active = kd.active;
	332	kmd.keyOrZone = (kd.flags == 257);
	333	kmd.id = kd.id;
	334
	335	if(boost::indeterminate(allOrKeyOrZone) \|\| allOrKeyOrZone == kmd.keyOrZone)
7aff7ead BH	336	retkeyset.push_back(make_pair(dpk, kmd));
7aff7ead BH	337	allkeyset.push_back(make_pair(dpk, kmd));
c0273500	338	}
7aff7ead BH	339	sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID);
7aff7ead BH	340	sort(allkeyset.begin(), allkeyset.end(), keyCompareByKindAndID);
d473cb9a BH	341
	342	KeyCacheEntry kce;
	343	kce.d_domain=zone;
7aff7ead BH	344	kce.d_keys = allkeyset;
7aff7ead BH	345	kce.d_ttd = now + 30;
40fe813d	346	{
18a144ef	347	WriteLock l(&s_keycachelock);
40fe813d BH	348	replacing_insert(s_keycache, kce);
40fe813d BH	349	}
d473cb9a	350
7aff7ead	351	return retkeyset;
c0273500 BH	352	}
c0273500 BH	353
36758d25	354	bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size)
c0273500	355	{
5e91adff	356	clearCaches(name); // just to be sure ;)
36758d25	357	return addKey(name, true, algorithm, size);
c0273500	358	}
d3e7090c	359
f1485b68 PD	360	bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname,
f1485b68 PD	361	const std::string& wildcardname, const QType& qtype,
794c2f92	362	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
d3e7090c	363	{
f1485b68	364	// cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
b563f71b PD	365	SOAData sd;
	366	sd.db=(DNSBackend *)-1; // force uncached answer
	367	if(!db.getSOA(signer, sd)) {
	368	DLOG(L<<"Could not get SOA for domain"<<endl);
	369	return false;
	370	}
	371	db.lookup(QType(QType::RRSIG), wildcardname.empty() ? qname : wildcardname, NULL, sd.domain_id);
d3e7090c	372	DNSResourceRecord rr;
51a3a4d4 BH	373	while(db.get(rr)) {
51a3a4d4 BH	374	// cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
794c2f92 PD	375	vector<string> parts;
	376	stringtok(parts, rr.content);
	377	if(parts[0] == qtype.getName() && pdns_iequals(parts[7], signer+".")) {
51a3a4d4	378	// cerr<<"Got it"<<endl;
f1485b68 PD	379	if (!wildcardname.empty())
f1485b68 PD	380	rr.qname = qname;
d3e7090c	381	rr.d_place = (DNSResourceRecord::Place)signPlace;
b563f71b	382	rr.ttl = signTTL;
d3e7090c BH	383	rrsigs.push_back(rr);
d3e7090c BH	384	}
51a3a4d4	385	else ; // cerr<<"Skipping!"<<endl;
d3e7090c BH	386	}
	387	return true;
	388	}
78bcb858 BH	389
	390	bool DNSSECKeeper::TSIGGrantsAccess(const string& zone, const string& keyname, const string& algorithm)
	391	{
	392	vector<string> allowed;
	393
936eb34a	394	d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed);
78bcb858 BH	395
	396	BOOST_FOREACH(const string& dbkey, allowed) {
	397	if(pdns_iequals(dbkey, keyname))
	398	return true;
	399	}
	400	return false;
	401	}
29b92d6f	402
7597b3cf	403	bool DNSSECKeeper::getTSIGForAccess(const string& zone, const string& master, string* keyname)
29b92d6f BH	404	{
29b92d6f BH	405	vector<string> keynames;
936eb34a	406	d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
29b92d6f BH	407	keyname->clear();
	408
	409	// XXX FIXME this should check for a specific master!
	410	BOOST_FOREACH(const string& dbkey, keynames) {
	411	*keyname=dbkey;
29b92d6f BH	412	return true;
	413	}
	414	return false;
	415	}
157f806e PD	416
	417	void DNSSECKeeper::cleanup()
	418	{
	419	struct timeval now;
	420	Utility::gettimeofday(&now, 0);
	421
	422	if(now.tv_sec - s_last_prune > (time_t)(30)) {
	423	{
18a144ef	424	WriteLock l(&s_metacachelock);
157f806e PD	425	pruneCollection(s_metacache, ::arg().asNum("max-cache-entries"));
	426	}
	427	{
18a144ef	428	WriteLock l(&s_keycachelock);
157f806e PD	429	pruneCollection(s_keycache, ::arg().asNum("max-cache-entries"));
	430	}
	431	s_last_prune=time(0);
	432	}
627d2ca2	433	}