]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/rfc2136handler.cc
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add some notes explaining why some validations are not relevant in the dnstap case.
[thirdparty/pdns.git] / pdns / rfc2136handler.cc
CommitLineData
870a0fe4
AT		 1#ifdef HAVE_CONFIG_H
2#include "config.h"
3#endif
f1b59a55
RA		 4#include "packethandler.hh"
5#include "qtype.hh"
6#include "dnspacket.hh"
bf269e28
RG		 7#include "auth-caches.hh"
8#include "statbag.hh"
f1b59a55
RA		 9#include "dnsseckeeper.hh"
10#include "base64.hh"
11#include "base32.hh"
fa8fd4d2 12
f1b59a55
RA		 13#include "misc.hh"
14#include "arguments.hh"
b3148887
RA		 15#include "resolver.hh"
16#include "dns_random.hh"
7facf345 17#include "backends/gsql/ssql.hh"
4c5b6925 18#include "communicator.hh"
f1b59a55 19
276a5ce7 20extern StatBag S;
4c5b6925 21extern CommunicatorClass Communicator;
f1b59a55 22
ee9ef8f2
RA		 23pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER;
24
f1b59a55
RA		 25// Implement section 3.2.1 and 3.2.2 of RFC2136
26int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {
27 if (rr->d_ttl != 0)
28 return RCode::FormErr;
29
30 // 3.2.1 and 3.2.2 check content length.
31 if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)
32 return RCode::FormErr;
33
f1b59a55
RA		 34 bool foundRecord=false;
35 DNSResourceRecord rec;
3abd2f75 36 di->backend->lookup(QType(QType::ANY), rr->d_name, nullptr, di->id);
f1b59a55
RA		 37 while(di->backend->get(rec)) {
38 if (!rec.qtype.getCode())
39 continue;
40 if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)
41 foundRecord=true;
42 }
43
914353ca
KM		 44 // Section 3.2.1
45 if (rr->d_class == QClass::ANY && !foundRecord) {
46 if (rr->d_type == QType::ANY)
f1b59a55
RA		 47 return RCode::NXDomain;
48 if (rr->d_type != QType::ANY)
49 return RCode::NXRRSet;
914353ca 50 }
f1b59a55
RA		 51
52 // Section 3.2.2
53 if (rr->d_class == QClass::NONE && foundRecord) {
54 if (rr->d_type == QType::ANY)
55 return RCode::YXDomain;
56 if (rr->d_type != QType::ANY)
57 return RCode::YXRRSet;
58 }
59
60 return RCode::NoError;
61}
62
63
64// Method implements section 3.4.1 of RFC2136
65int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {
66 // The RFC stats that d_class != ZCLASS, but we only support the IN class.
914353ca 67 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
f1b59a55
RA		 68 return RCode::FormErr;
69
70 QType qtype = QType(rr->d_type);
71
72 if (! qtype.isSupportedType())
73 return RCode::FormErr;
74
75 if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0)
76 return RCode::FormErr;
77
78 if (rr->d_class == QClass::ANY && rr->d_clen != 0)
79 return RCode::FormErr;
914353ca 80
f1b59a55
RA		 81 if (qtype.isMetadataType())
82 return RCode::FormErr;
83
84 if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY)
85 return RCode::FormErr;
86
87 return RCode::NoError;
88}
89
6a323f63 90
f1b59a55 91// Implements section 3.4.2 of RFC2136
d0d273cf 92uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {
968de8d0 93
dff32e09
RA		 94 QType rrType = QType(rr->d_type);
95
dff32e09 96 if (rrType == QType::NSEC || rrType == QType::NSEC3) {
e6a9dde5 97 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl;
914353ca 98 return 0;
dff32e09
RA		 99 }
100
cc8df07f 101 if (!isPresigned && ((!::arg().mustDo("direct-dnskey") && rrType == QType::DNSKEY) || rrType == QType::RRSIG)) {
e6a9dde5 102 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl;
dff32e09
RA		 103 return 0;
104 }
105
f809c028 106 if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) {
e6a9dde5 107 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<", "<<rrType.getName()<<" must be at zone apex, ignoring!"<<endl;
dff32e09
RA		 108 return 0;
109 }
110
968de8d0 111
d0d273cf 112 uint changedRecords = 0;
6a323f63
RA		 113 DNSResourceRecord rec;
114 vector<DNSResourceRecord> rrset, recordsToDelete;
675fa24c 115 set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.
6a323f63 116
f1b59a55 117
6a323f63 118 if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update
e6a9dde5 119 DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.getName()<<endl);
f1b59a55 120
dff32e09 121 if (rrType == QType::NSEC3PARAM) {
e6a9dde5 122 g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;
f858f843 123
3343ad1f 124 NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
f858f843 125 *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
dff32e09 126 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
8c9bde70
KM		 127
128 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
f858f843 129
dff32e09 130 vector<DNSResourceRecord> rrs;
561434a6 131 set<DNSName> qnames, nssets, dssets;
f858f843 132 di->backend->list(di->zone, di->id);
dff32e09 133 while (di->backend->get(rec)) {
8c9bde70 134 qnames.insert(rec.qname);
8de4e1d7 135 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
8c9bde70
KM		 136 nssets.insert(rec.qname);
137 if(rec.qtype.getCode() == QType::DS)
138 dssets.insert(rec.qname);
dff32e09 139 }
f858f843 140
561434a6 141 DNSName shorter;
561434a6 142 for(const auto& qname: qnames) {
8c9bde70
KM		 143 shorter = qname;
144 int ddepth = 0;
145 do {
8de4e1d7 146 if(qname == di->zone)
f858f843 147 break;
8c9bde70
KM		 148 if(nssets.count(shorter))
149 ++ddepth;
561434a6 150 } while(shorter.chopOff());
8c9bde70 151
96e63d77 152 DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
8c9bde70 153 if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
96e63d77 154 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0 ));
8c9bde70
KM		 155
156 if (nssets.count(qname)) {
157 if (ns3pr->d_flags)
96e63d77
KM		 158 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS );
159 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
160 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
f858f843 161 }
f858f843 162 } else {
96e63d77 163 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
f858f843 164 }
3343ad1f 165 if (ddepth == 1 || dssets.count(qname)) // FIXME400 && ?
96e63d77 166 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::DS);
dff32e09
RA		 167 }
168 return 1;
169 }
170
f858f843
RA		 171
172
6a323f63 173 bool foundRecord = false;
3abd2f75 174 di->backend->lookup(rrType, rr->d_name, nullptr, di->id);
f1b59a55 175 while (di->backend->get(rec)) {
dff32e09
RA		 176 rrset.push_back(rec);
177 foundRecord = true;
6a323f63 178 }
914353ca 179
6a323f63 180 if (foundRecord) {
73174643 181
dff32e09 182 if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current
f1b59a55 183 SOAData sdOld, sdUpdate;
6a323f63
RA		 184 DNSResourceRecord *oldRec = &rrset.front();
185 fillSOAData(oldRec->content, sdOld);
186 oldRec->setContent(rr->d_content->getZoneRepresentation());
187 fillSOAData(oldRec->content, sdUpdate);
f1b59a55 188 if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {
6a323f63 189 di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);
f1b59a55 190 *updatedSerial = true;
f5059bd3 191 changedRecords++;
e6a9dde5 192 g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643 193 } else {
e6a9dde5 194 g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;
73174643 195 }
6a323f63
RA		 196
197 // It's not possible to have multiple CNAME's with the same NAME. So we always update.
198 } else if (rrType == QType::CNAME) {
73174643 199 int changedCNames = 0;
cb167afd
CHB		 200 for (auto& i : rrset) {
201 if (i.ttl != rr->d_ttl || i.content != rr->d_content->getZoneRepresentation()) {
202 i.ttl = rr->d_ttl;
203 i.setContent(rr->d_content->getZoneRepresentation());
73174643
RA		 204 changedCNames++;
205 }
206 }
207 if (changedCNames > 0) {
f809c028 208 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
e6a9dde5 209 g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643
RA		 210 changedRecords += changedCNames;
211 } else {
e6a9dde5 212 g_log<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
f1b59a55 213 }
6a323f63 214
518fc317 215 // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL)
6a323f63 216 } else {
73174643 217 int updateTTL=0;
6a323f63 218 foundRecord = false;
cb167afd 219 for (auto& i : rrset) {
6a323f63 220 string content = rr->d_content->getZoneRepresentation();
cb167afd 221 if (rrType == i.qtype.getCode() && i.getZoneRepresentation() == content) {
73174643 222 foundRecord=true;
cb167afd
CHB		 223 if (i.ttl != rr->d_ttl) {
224 i.ttl = rr->d_ttl;
73174643
RA		 225 updateTTL++;
226 }
6a323f63
RA		 227 }
228 }
73174643 229 if (updateTTL > 0) {
f809c028 230 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
e6a9dde5 231 g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643
RA		 232 changedRecords += updateTTL;
233 } else {
e6a9dde5 234 g_log<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
7facf345 235 }
f1b59a55 236 }
6e42cac2 237
73174643 238 // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.
6e42cac2 239 // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.
73174643
RA		 240 if (changedRecords > 0) {
241 bool auth = rrset.front().auth;
242
243 if(*haveNSEC3) {
8de4e1d7 244 DNSName ordername;
73174643 245 if(! *narrow)
96e63d77 246 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
73174643
RA		 247
248 if (*narrow)
96e63d77 249 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
73174643 250 else
96e63d77 251 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
73174643 252 if(!auth || rrType == QType::DS) {
96e63d77
KM		 253 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
254 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
255 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 256 }
6e42cac2 257
73174643 258 } else { // NSEC
96e63d77 259 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
73174643 260 if(!auth || rrType == QType::DS) {
96e63d77
KM		 261 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
262 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 263 }
6e42cac2
RA		 264 }
265 }
266
267 } // if (foundRecord)
f1b59a55 268
6a323f63 269 // If we haven't found a record that matches, we must add it.
f1b59a55 270 if (! foundRecord) {
e6a9dde5 271 g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
f809c028 272 delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.
4950b140 273 auto newRec = DNSResourceRecord::fromWire(*rr);
f1b59a55 274 newRec.domain_id = di->id;
f809c028 275 newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS);
c9b43446 276 di->backend->feedRecord(newRec, DNSName());
b0704e0d 277 changedRecords++;
6a323f63
RA		 278
279
280 // because we added a record, we need to fix DNSSEC data.
f809c028 281 DNSName shorter(rr->d_name);
163cb726 282 bool auth=newRec.auth;
6a82ce4a 283 bool fixDS = (rrType == QType::DS);
f1b59a55 284
8de4e1d7 285 if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's
e70f2627 286 do {
6a82ce4a 287
8de4e1d7 288 if (di->zone == shorter)
f1b59a55 289 break;
914353ca 290
f1b59a55 291 bool foundShorter = false;
3abd2f75 292 di->backend->lookup(QType(QType::ANY), shorter, nullptr, di->id);
f1b59a55 293 while (di->backend->get(rec)) {
f809c028 294 if (rec.qname == rr->d_name && rec.qtype == QType::DS)
6a82ce4a 295 fixDS = true;
f809c028 296 if (shorter != rr->d_name)
e70f2627 297 foundShorter = true;
163cb726 298 if (rec.qtype == QType::NS) // are we inserting below a delegate?
f1b59a55
RA		 299 auth=false;
300 }
6a82ce4a 301
f809c028 302 if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT.
f1b59a55 303 insnonterm.insert(shorter);
e70f2627 304 if (foundShorter)
a95f897d 305 break; // if we find a shorter record, we can stop searching
675fa24c 306 } while(shorter.chopOff());
f1b59a55
RA		 307 }
308
dff32e09 309 if(*haveNSEC3)
f1b59a55 310 {
8de4e1d7 311 DNSName ordername;
914353ca 312 if(! *narrow)
96e63d77 313 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
914353ca 314
e70f2627 315 if (*narrow)
96e63d77 316 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
e70f2627 317 else
96e63d77 318 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
e70f2627 319
6a82ce4a 320 if (fixDS)
96e63d77 321 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a 322
929eee6b 323 if(!auth)
f1b59a55 324 {
914353ca 325 if (ns3pr->d_flags)
96e63d77
KM		 326 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
327 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
328 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 329 }
330 }
331 else // NSEC
332 {
96e63d77
KM		 333 DNSName ordername=rr->d_name.makeRelative(di->zone);
334 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
6a82ce4a 335 if (fixDS) {
96e63d77 336 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a
RA		 337 }
338 if(!auth) {
96e63d77
KM		 339 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
340 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 341 }
342 }
6a323f63
RA		 343
344
f1b59a55 345 // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.
f809c028 346 // Auth can only be false when the rr->d_name is not the zone
6a323f63 347 if (auth == false && rrType == QType::NS) {
e6a9dde5 348 DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);
6a82ce4a 349 insnonterm.clear(); // No ENT's are needed below delegates (auth=0)
561434a6 350 vector<DNSName> qnames;
f809c028 351 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 352 while(di->backend->get(rec)) {
f809c028 353 if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.
f1b59a55
RA		 354 qnames.push_back(rec.qname);
355 }
561434a6 356 for(vector<DNSName>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) {
dff32e09 357 if(*haveNSEC3) {
8de4e1d7 358 DNSName ordername;
914353ca 359 if(! *narrow)
96e63d77 360 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname)));
914353ca 361
6a82ce4a 362 if (*narrow)
96e63d77 363 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); // FIXME400 no *qname here?
6a82ce4a 364 else
96e63d77 365 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, auth);
6a82ce4a 366
be40c2df 367 if (ns3pr->d_flags)
96e63d77
KM		 368 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::NS);
369 }
370 else { // NSEC
371 DNSName ordername=DNSName(*qname).makeRelative(di->zone);
372 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, false, QType::NS);
f1b59a55 373 }
f1b59a55 374
96e63d77
KM		 375 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::A);
376 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::AAAA);
f1b59a55
RA		 377 }
378 }
f1b59a55
RA		 379 }
380 } // rr->d_class == QClass::IN
381
914353ca 382
6a323f63
RA		 383 // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by
384 // the code that calls this performUpdate().
385 if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.
e6a9dde5 386 DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl);
dff32e09
RA		 387
388 if (rrType == QType::NSEC3PARAM) {
e6a9dde5 389 g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;
dff32e09 390 if (rr->d_class == QClass::ANY)
f809c028 391 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09 392 else if (rr->d_class == QClass::NONE) {
3343ad1f 393 NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
0bb68041 394 if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
f809c028 395 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09
RA		 396 else
397 return 0;
914353ca 398 } else
dff32e09
RA		 399 return 0;
400
e3dc2b56
RA		 401 // We retrieve new values, other RR's in this update package might need it as well.
402 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
403
dff32e09 404 vector<DNSResourceRecord> rrs;
561434a6 405 set<DNSName> qnames, nssets, dssets, ents;
b48fe0e3 406 di->backend->list(di->zone, di->id);
b1ca7619 407 while (di->backend->get(rec)) {
b48fe0e3 408 qnames.insert(rec.qname);
8de4e1d7 409 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
b48fe0e3
KM		 410 nssets.insert(rec.qname);
411 if(rec.qtype.getCode() == QType::DS)
412 dssets.insert(rec.qname);
413 if(!rec.qtype.getCode())
414 ents.insert(rec.qname);
b1ca7619 415 }
b48fe0e3 416
561434a6
PD		 417 DNSName shorter;
418 string hashed;
ef7cd021 419 for(const DNSName& qname : qnames) {
b48fe0e3
KM		 420 shorter = qname;
421 int ddepth = 0;
422 do {
8de4e1d7 423 if(qname == di->zone)
b48fe0e3
KM		 424 break;
425 if(nssets.count(shorter))
426 ++ddepth;
561434a6 427 } while(shorter.chopOff());
b48fe0e3 428
96e63d77 429 DNSName ordername=qname.makeRelative(di->zone);
b48fe0e3 430 if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
96e63d77 431 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0));
b48fe0e3
KM		 432
433 if (nssets.count(qname)) {
96e63d77
KM		 434 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
435 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
b1ca7619 436 }
b48fe0e3 437 } else {
96e63d77 438 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
b1ca7619 439 }
b48fe0e3 440 if (ddepth == 1 || dssets.count(qname))
96e63d77 441 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, true, QType::DS);
dff32e09
RA		 442 }
443 return 1;
589563c0 444 } // end of NSEC3PARAM delete block
dff32e09
RA		 445
446
3abd2f75 447 di->backend->lookup(rrType, rr->d_name, nullptr, di->id);
6a323f63
RA		 448 while(di->backend->get(rec)) {
449 if (rr->d_class == QClass::ANY) { // 3.4.2.3
450 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's
451 rrset.push_back(rec);
452 else
f1b59a55
RA		 453 recordsToDelete.push_back(rec);
454 }
6a323f63
RA		 455 if (rr->d_class == QClass::NONE) { // 3.4.2.4
456 if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation())
457 recordsToDelete.push_back(rec);
458 else
459 rrset.push_back(rec);
460 }
f1b59a55 461 }
589563c0
RA		 462
463 if (recordsToDelete.size()) {
f809c028 464 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
e6a9dde5 465 g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
589563c0 466 changedRecords += recordsToDelete.size();
f1b59a55 467
f1b59a55 468
589563c0 469 // If we've removed a delegate, we need to reset ordername/auth for some records.
f809c028 470 if (rrType == QType::NS && rr->d_name != di->zone) {
675fa24c 471 vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;
f809c028 472 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 473 while (di->backend->get(rec)) {
7a0a9f8a 474 if (rec.qtype.getCode()) // skip ENT records, they are always auth=false
a95f897d 475 belowOldDelegate.push_back(rec.qname);
f809c028 476 if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)
a95f897d 477 nsRecs.push_back(rec.qname);
f1b59a55 478 }
a95f897d 479
675fa24c 480 for(auto &belowOldDel: belowOldDelegate)
a95f897d
RA		 481 {
482 bool isBelowDelegate = false;
561434a6
PD		 483 for(const auto & ns: nsRecs) {
484 if (ns.isPartOf(belowOldDel)) {
a95f897d
RA		 485 isBelowDelegate=true;
486 break;
487 }
488 }
489 if (!isBelowDelegate)
561434a6 490 updateAuthFlag.push_back(belowOldDel);
a95f897d
RA		 491 }
492
561434a6 493 for (const auto &changeRec:updateAuthFlag) {
dff32e09 494 if(*haveNSEC3) {
8de4e1d7 495 DNSName ordername;
914353ca 496 if(! *narrow)
96e63d77 497 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
914353ca 498
96e63d77
KM		 499 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
500 }
501 else { // NSEC
502 DNSName ordername=changeRec.makeRelative(di->zone);
503 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
f1b59a55 504 }
f1b59a55
RA		 505 }
506 }
f1b59a55 507
6a323f63
RA		 508 // Fix ENT records.
509 // We must check if we have a record below the current level and if we removed the 'last' record
510 // on that level. If so, we must insert an ENT record.
fdf983eb 511 // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.
9353d244 512 bool foundDeeper = false, foundOtherWithSameName = false;
f809c028 513 di->backend->listSubZone(rr->d_name, di->id);
6a323f63 514 while (di->backend->get(rec)) {
f809c028 515 if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))
9353d244 516 foundOtherWithSameName = true;
f809c028 517 if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT
6a323f63
RA		 518 foundDeeper = true;
519 }
f1b59a55 520
9353d244 521 if (foundDeeper && !foundOtherWithSameName) {
f809c028 522 insnonterm.insert(rr->d_name);
9353d244 523 } else if (!foundOtherWithSameName) {
6a323f63
RA		 524 // If we didn't have to insert an ENT, we might have deleted a record at very deep level
525 // and we must then clean up the ENT's above the deleted record.
f809c028 526 DNSName shorter(rr->d_name);
9353d244 527 while (shorter != di->zone) {
675fa24c 528 shorter.chopOff();
9353d244 529 bool foundRealRR = false;
a95f897d 530 bool foundEnt = false;
9353d244
RA		 531
532 // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch
6a323f63 533 // consider these non ENT-records:
9353d244
RA		 534 // b.c.d.e.test.com
535 // b.d.e.test.com
536 // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.
6a323f63
RA		 537 // At that point we can stop deleting ENT's because the tree is in tact again.
538 di->backend->listSubZone(shorter, di->id);
914353ca 539
9353d244
RA		 540 while (di->backend->get(rec)) {
541 if (rec.qtype.getCode())
542 foundRealRR = true;
a95f897d
RA		 543 else
544 foundEnt = true;
9353d244 545 }
3ab4cfca 546 if (!foundRealRR) {
a95f897d
RA		 547 if (foundEnt) // only delete the ENT if we actually found one.
548 delnonterm.insert(shorter);
3ab4cfca 549 } else
9353d244
RA		 550 break;
551 }
6a323f63 552 }
589563c0 553 } else { // if (recordsToDelete.size())
e6a9dde5 554 g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but not found."<<endl;
f1b59a55 555 }
589563c0
RA		 556 } // (End of delete block d_class == ANY || d_class == NONE
557
f1b59a55 558
6a323f63
RA		 559
560 //Insert and delete ENT's
561 if (insnonterm.size() > 0 || delnonterm.size() > 0) {
e6a9dde5 562 DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);
96e63d77 563 di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);
561434a6 564 for (const auto &i: insnonterm) {
6a323f63 565 string hashed;
8de4e1d7 566 if(*haveNSEC3)
6a323f63 567 {
8de4e1d7 568 DNSName ordername;
914353ca 569 if(! *narrow)
96e63d77
KM		 570 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
571 di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
f1b59a55
RA		 572 }
573 }
574 }
575
589563c0 576 return changedRecords;
f1b59a55
RA		 577}
578
b3148887 579int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) {
e174b255 580 vector<string> forward;
71f758e0 581 B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward);
e174b255 582
71f758e0 583 if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {
e6a9dde5 584 g_log<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl;
d8293c79 585 return RCode::Refused;
e174b255
RA		 586 }
587
d622042f 588 for(const auto& remote : di->masters) {
9b0f144f 589 g_log<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<remote<<endl;
b3148887
RA		 590
591 ComboAddress local;
9d36589a 592 if (remote.sin4.sin_family == AF_INET && !::arg()["query-local-address"].empty()) {
cc456024 593 local = ComboAddress(::arg()["query-local-address"]);
9d36589a 594 } else if(remote.sin4.sin_family == AF_INET6 && !::arg()["query-local-address6"].empty()) {
cc456024 595 local = ComboAddress(::arg()["query-local-address6"]);
9d36589a
PL		 596 } else {
597 continue;
598 }
b3148887 599 int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.
34c513f9 600 if(sock < 0) {
e6a9dde5 601 g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;
34c513f9
RG		 602 continue;
603 }
b3148887
RA		 604
605 if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {
e6a9dde5 606 g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;
a7b68ae7
RG		 607 try {
608 closesocket(sock);
609 }
610 catch(const PDNSException& e) {
e6a9dde5 611 g_log<<Logger::Error<<"Error closing master forwarding socket after connect() failed: "<<e.reason<<endl;
a7b68ae7 612 }
b3148887
RA		 613 continue;
614 }
615
616 DNSPacket forwardPacket(*p);
617 forwardPacket.setID(dns_random(0xffff));
618 forwardPacket.setRemote(&remote);
619 uint16_t len=htons(forwardPacket.getString().length());
620 string buffer((const char*)&len, 2);
621 buffer.append(forwardPacket.getString());
914353ca 622 if(write(sock, buffer.c_str(), buffer.length()) < 0) {
e6a9dde5 623 g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 624 try {
625 closesocket(sock);
626 }
627 catch(const PDNSException& e) {
e6a9dde5 628 g_log<<Logger::Error<<"Error closing master forwarding socket after write() failed: "<<e.reason<<endl;
a7b68ae7 629 }
b3148887
RA		 630 continue;
631 }
632
633 int res = waitForData(sock, 10, 0);
634 if (!res) {
e6a9dde5 635 g_log<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl;
a7b68ae7
RG		 636 try {
637 closesocket(sock);
638 }
639 catch(const PDNSException& e) {
e6a9dde5 640 g_log<<Logger::Error<<"Error closing master forwarding socket after a timeout occured: "<<e.reason<<endl;
a7b68ae7 641 }
b3148887
RA		 642 continue;
643 }
644 if (res < 0) {
e6a9dde5 645 g_log<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 646 try {
647 closesocket(sock);
648 }
649 catch(const PDNSException& e) {
e6a9dde5 650 g_log<<Logger::Error<<"Error closing master forwarding socket after an error occured: "<<e.reason<<endl;
a7b68ae7 651 }
b3148887
RA		 652 continue;
653 }
654
f6a81077
RG		 655 unsigned char lenBuf[2];
656 ssize_t recvRes;
b3148887 657 recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);
f6a81077 658 if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) {
e6a9dde5 659 g_log<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 660 try {
661 closesocket(sock);
662 }
663 catch(const PDNSException& e) {
e6a9dde5 664 g_log<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
a7b68ae7 665 }
b3148887
RA		 666 continue;
667 }
f6a81077 668 size_t packetLen = lenBuf[0]*256+lenBuf[1];
b3148887 669
2c001eb6
RG		 670 buffer.resize(packetLen);
671 recvRes = recv(sock, &buffer.at(0), packetLen, 0);
b3148887 672 if (recvRes < 0) {
e6a9dde5 673 g_log<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 674 try {
675 closesocket(sock);
676 }
677 catch(const PDNSException& e) {
e6a9dde5 678 g_log<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
a7b68ae7 679 }
b3148887
RA		 680 continue;
681 }
a7b68ae7
RG		 682 try {
683 closesocket(sock);
684 }
685 catch(const PDNSException& e) {
e6a9dde5 686 g_log<<Logger::Error<<"Error closing master forwarding socket: "<<e.reason<<endl;
a7b68ae7 687 }
b3148887
RA		 688
689 try {
2c001eb6 690 MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes));
e6a9dde5 691 g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;
b3148887
RA		 692 return mdp.d_header.rcode;
693 }
694 catch (...) {
e6a9dde5 695 g_log<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl;
b3148887
RA		 696 continue;
697 }
698 }
e6a9dde5 699 g_log<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl;
b3148887
RA		 700 return RCode::ServFail;
701
702}
703
f1b59a55 704int PacketHandler::processUpdate(DNSPacket *p) {
d07bf7ff 705 if (! ::arg().mustDo("dnsupdate"))
f1b59a55 706 return RCode::Refused;
914353ca 707
ded6b08d 708 string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote().toString() + " for " + p->qdomain.toLogString() + ": ";
e6a9dde5 709 g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
f1b59a55 710
0ecc1158
AT		 711 // if there is policy, we delegate all checks to it
712 if (this->d_update_policy_lua == NULL) {
f1b59a55 713
0ecc1158
AT		 714 // Check permissions - IP based
715 vector<string> allowedRanges;
716 B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
717 if (! ::arg()["allow-dnsupdate-from"].empty())
718 stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );
f1b59a55 719
0ecc1158 720 NetmaskGroup ng;
cb167afd
CHB		 721 for(const auto& i: allowedRanges) {
722 ng.addMask(i);
723 }
914353ca 724
0ecc1158 725 if ( ! ng.match(&p->d_remote)) {
e6a9dde5 726 g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;
f1b59a55
RA		 727 return RCode::Refused;
728 }
729
0ecc1158
AT		 730
731 // Check permissions - TSIG based.
732 vector<string> tsigKeys;
733 B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
734 if (tsigKeys.size() > 0) {
735 bool validKey = false;
736
737 TSIGRecordContent trc;
738 DNSName inputkey;
739 string message;
ea3816cf 740 if (! p->getTSIGDetails(&trc, &inputkey)) {
e6a9dde5 741 g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
0ecc1158 742 return RCode::Refused;
6917c321 743 }
0ecc1158
AT		 744
745 if (p->d_tsig_algo == TSIG_GSS) {
746 GssName inputname(p->d_peer_principal); // match against principal since GSS
cb167afd
CHB		 747 for(const auto& key: tsigKeys) {
748 if (inputname.match(key)) {
0ecc1158
AT		 749 validKey = true;
750 break;
751 }
752 }
753 } else {
cb167afd
CHB		 754 for(const auto& key: tsigKeys) {
755 if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
0ecc1158
AT		 756 validKey=true;
757 break;
758 }
6917c321
AT		 759 }
760 }
f1b59a55 761
0ecc1158 762 if (!validKey) {
e6a9dde5 763 g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
0ecc1158
AT		 764 return RCode::Refused;
765 }
f1b59a55 766 }
f1b59a55 767
0ecc1158 768 if (tsigKeys.size() == 0 && p->d_havetsig)
e6a9dde5 769 g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
0ecc1158
AT		 770
771 }
f1b59a55
RA		 772
773 // RFC2136 uses the same DNS Header and Message as defined in RFC1035.
914353ca 774 // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
f1b59a55 775 // variable names during the use of our MOADNSParser.
27c0050c 776 MOADNSParser mdp(false, p->getString());
f1b59a55 777 if (mdp.d_header.qdcount != 1) {
e6a9dde5 778 g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
f1b59a55 779 return RCode::FormErr;
914353ca 780 }
f1b59a55
RA		 781
782 if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
e6a9dde5 783 g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
f1b59a55
RA		 784 return RCode::FormErr;
785 }
786
787 if (p->qclass != QClass::IN) {
e6a9dde5 788 g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
f1b59a55
RA		 789 return RCode::NotAuth;
790 }
791
792 DomainInfo di;
793 di.backend=0;
794 if(!B.getDomainInfo(p->qdomain, di) || !di.backend) {
e6a9dde5 795 g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support DNS update operation)"<<endl;
f1b59a55
RA		 796 return RCode::NotAuth;
797 }
798
b3148887
RA		 799 if (di.kind == DomainInfo::Slave)
800 return forwardPacket(msgPrefix, p, &di);
f1b59a55 801
914353ca 802 // Check if all the records provided are within the zone
f1b59a55
RA		 803 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
804 const DNSRecord *rr = &i->first;
805 // Skip this check for other field types (like the TSIG - which is in the additional section)
dff32e09 806 // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.
e693ff5a 807 if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY))
f1b59a55
RA		 808 continue;
809
f809c028 810 if (!rr->d_name.isPartOf(di.zone)) {
e6a9dde5 811 g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;
f1b59a55
RA		 812 return RCode::NotZone;
813 }
814 }
815
dff32e09
RA		 816
817 Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
e6a9dde5 818 g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
dff32e09 819 if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
e6a9dde5 820 g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl;
f1b59a55
RA		 821 return RCode::NotImp;
822 }
823
914353ca 824 // 3.2.1 and 3.2.2 - Prerequisite check
f1b59a55
RA		 825 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
826 const DNSRecord *rr = &i->first;
e693ff5a 827 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55
RA		 828 int res = checkUpdatePrerequisites(rr, &di);
829 if (res>0) {
8355527f 830 g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check for "<<rr->d_name.toLogString()<<", returning "<<RCode::to_s(res)<<endl;
f1b59a55
RA		 831 di.backend->abortTransaction();
832 return res;
833 }
914353ca 834 }
f1b59a55
RA		 835 }
836
d3f46849 837 // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR.
561434a6 838 typedef pair<DNSName, QType> rrSetKey_t;
f1b59a55
RA		 839 typedef vector<DNSResourceRecord> rrVector_t;
840 typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;
841 RRsetMap_t preReqRRsets;
cb167afd 842 for(const auto& i: mdp.d_answers) {
4950b140 843 const DNSRecord* rr = &i.first;
e693ff5a 844 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55 845 // Last line of 3.2.3
914353ca 846 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
f1b59a55
RA		 847 return RCode::FormErr;
848
849 if (rr->d_class == QClass::IN) {
f809c028 850 rrSetKey_t key = make_pair(rr->d_name, QType(rr->d_type));
f1b59a55 851 rrVector_t *vec = &preReqRRsets[key];
4950b140 852 vec->push_back(DNSResourceRecord::fromWire(*rr));
f1b59a55
RA		 853 }
854 }
855 }
856
857 if (preReqRRsets.size() > 0) {
858 RRsetMap_t zoneRRsets;
859 for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) {
860 rrSetKey_t rrSet=preRRSet->first;
861 rrVector_t *vec = &preRRSet->second;
862
863 DNSResourceRecord rec;
3abd2f75 864 di.backend->lookup(QType(QType::ANY), rrSet.first, nullptr, di.id);
f1b59a55
RA		 865 uint16_t foundRR=0, matchRR=0;
866 while (di.backend->get(rec)) {
867 if (rec.qtype == rrSet.second) {
868 foundRR++;
869 for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) {
870 rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.
914353ca 871 if (*rrItem == rec)
f1b59a55
RA		 872 matchRR++;
873 }
874 }
875 }
876 if (matchRR != foundRR || foundRR != vec->size()) {
e6a9dde5 877 g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl;
f1b59a55
RA		 878 di.backend->abortTransaction();
879 return RCode::NXRRSet;
880 }
881 }
882 }
883
884
885
0bb68041 886 // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.
f1b59a55 887 try {
d0d273cf 888 uint changedRecords = 0;
f1b59a55
RA		 889 // 3.4.1 - Prescan section
890 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
891 const DNSRecord *rr = &i->first;
e693ff5a 892 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
f1b59a55
RA		 893 int res = checkUpdatePrescan(rr);
894 if (res>0) {
e6a9dde5 895 g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;
f1b59a55
RA		 896 di.backend->abortTransaction();
897 return res;
898 }
899 }
900 }
901
902 bool updatedSerial=false;
903 NSEC3PARAMRecordContent ns3pr;
914353ca 904 bool narrow=false;
f1b59a55 905 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
dff32e09 906 bool isPresigned = d_dk.isPresigned(di.zone);
f1b59a55 907
f1b59a55
RA		 908 // 3.4.2 - Perform the updates.
909 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
7c696097 910 // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.
f1b59a55 911 vector<const DNSRecord *> nsRRtoDelete;
6f604952
PL		 912
913 // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270)
914 set<DNSName> cn, nocn;
915 for (const auto &rr : mdp.d_answers) {
916 if (rr.first.d_place == DNSResourceRecord::AUTHORITY && rr.first.d_class == QClass::IN && rr.first.d_ttl > 0) {
917 // Addition
918 if (rr.first.d_type == QType::CNAME) {
919 cn.insert(rr.first.d_name);
920 } else if (rr.first.d_type != QType::RRSIG) {
921 nocn.insert(rr.first.d_name);
922 }
923 }
924 }
925 for (auto const &n : cn) {
926 if (nocn.count(n) > 0) {
e6a9dde5 927 g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl;
6f604952
PL		 928 di.backend->abortTransaction();
929 return RCode::FormErr;
930 }
931 }
932
933 vector<const DNSRecord *> cnamesToAdd, nonCnamesToAdd;
f1b59a55
RA		 934 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
935 const DNSRecord *rr = &i->first;
e693ff5a 936 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
0ecc1158
AT		 937 /* see if it's permitted by policy */
938 if (this->d_update_policy_lua != NULL) {
939 if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, p) == false) {
e6a9dde5 940 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Not permitted by policy"<<endl;
0ecc1158
AT		 941 continue;
942 } else {
e6a9dde5 943 g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Permitted by policy"<<endl;
0ecc1158
AT		 944 }
945 }
946
f809c028 947 if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone)
f1b59a55 948 nsRRtoDelete.push_back(rr);
6f604952
PL		 949 else if (rr->d_class == QClass::IN && rr->d_ttl > 0) {
950 if (rr->d_type == QType::CNAME) {
951 cnamesToAdd.push_back(rr);
952 } else {
953 nonCnamesToAdd.push_back(rr);
954 }
955 }
f1b59a55 956 else
d0d273cf 957 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 958 }
959 }
6f604952
PL		 960 for (const auto &rr : cnamesToAdd) {
961 DNSResourceRecord rec;
3abd2f75 962 di.backend->lookup(QType(QType::ANY), rr->d_name, nullptr, di.id);
6f604952 963 while (di.backend->get(rec)) {
72a6f0d8 964 if (rec.qtype != QType::CNAME && rec.qtype != QType::ENT && rec.qtype != QType::RRSIG) {
e2136c35
PD		 965 // leave database handle in a consistent state
966 while (di.backend->get(rec))
967 ;
e6a9dde5 968 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Data other than CNAME exists for the same name"<<endl;
6f604952
PL		 969 di.backend->abortTransaction();
970 return RCode::Refused;
971 }
972 }
973 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
974 }
975 for (const auto &rr : nonCnamesToAdd) {
976 DNSResourceRecord rec;
3abd2f75 977 di.backend->lookup(QType(QType::CNAME), rr->d_name, nullptr, di.id);
6f604952
PL		 978 while (di.backend->get(rec)) {
979 if (rec.qtype == QType::CNAME && rr->d_type != QType::RRSIG) {
e2136c35
PD		 980 // leave database handle in a consistent state
981 while (di.backend->get(rec))
982 ;
e6a9dde5 983 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": CNAME exists for the same name"<<endl;
6f604952
PL		 984 di.backend->abortTransaction();
985 return RCode::Refused;
986 }
987 }
988 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
989 }
f1b59a55
RA		 990 if (nsRRtoDelete.size()) {
991 vector<DNSResourceRecord> nsRRInZone;
992 DNSResourceRecord rec;
3abd2f75 993 di.backend->lookup(QType(QType::NS), di.zone, nullptr, di.id);
f1b59a55
RA		 994 while (di.backend->get(rec)) {
995 nsRRInZone.push_back(rec);
996 }
997 if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)
cb167afd
CHB		 998 for (auto& inZone: nsRRInZone) {
999 for (auto& rr: nsRRtoDelete) {
1000 if (inZone.getZoneRepresentation() == (rr)->d_content->getZoneRepresentation())
1001 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 1002 }
1003 }
1004 }
1005 }
1006
f1b59a55 1007 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
d0d273cf 1008 if (changedRecords > 0 && !updatedSerial) {
166ac305 1009 increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr);
d0d273cf 1010 changedRecords++;
890c7124
RA		 1011 }
1012
d0d273cf 1013 if (changedRecords > 0) {
dce6b818 1014 if (!di.backend->commitTransaction()) {
e6a9dde5 1015 g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;
dce6b818
RA		 1016 return RCode::ServFail;
1017 }
914353ca 1018
71f758e0 1019 S.deposit("dnsupdate-changes", changedRecords);
7facf345 1020
dce6b818 1021 // Purge the records!
7abbc40f 1022 string zone(di.zone.toString());
dce6b818 1023 zone.append("$");
bf269e28 1024 purgeAuthCaches(zone);
0bb68041 1025
4c5b6925
KM		 1026 // Notify slaves
1027 if (di.kind == DomainInfo::Master) {
1028 vector<string> notify;
1029 B.getDomainMetadata(p->qdomain, "NOTIFY-DNSUPDATE", notify);
1030 if (!notify.empty() && notify.front() == "1") {
1031 Communicator.notifyDomain(di.zone);
1032 }
1033 }
1034
e6a9dde5 1035 g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;
dce6b818
RA		 1036 } else {
1037 //No change, no commit, we perform abort() because some backends might like this more.
e6a9dde5 1038 g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;
dce6b818
RA		 1039 di.backend->abortTransaction();
1040 }
0bb68041
RA		 1041 return RCode::NoError; //rfc 2136 3.4.2.5
1042 }
1043 catch (SSqlException &e) {
e6a9dde5 1044 g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;
0bb68041
RA		 1045 di.backend->abortTransaction();
1046 return RCode::ServFail;
f1b59a55 1047 }
ee9ef8f2 1048 catch (DBException &e) {
e6a9dde5 1049 g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;
ee9ef8f2
RA		 1050 di.backend->abortTransaction();
1051 return RCode::ServFail;
1052 }
05ff9dab 1053 catch (PDNSException &e) {
e6a9dde5 1054 g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;
f1b59a55
RA		 1055 di.backend->abortTransaction();
1056 return RCode::ServFail;
1057 }
28b66a94 1058 catch(std::exception &e) {
e6a9dde5 1059 g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
28b66a94
KM		 1060 di.backend->abortTransaction();
1061 return RCode::ServFail;
1062 }
f1b59a55 1063 catch (...) {
e6a9dde5 1064 g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
f1b59a55
RA		 1065 di.backend->abortTransaction();
1066 return RCode::ServFail;
1067 }
f1b59a55
RA		 1068}
1069
166ac305 1070void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
13f9e280 1071 SOAData sd;
76e1255a 1072 if (!di->backend->getSOA(di->zone, sd)) {
05ff9dab 1073 throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");
f1b59a55 1074 }
f1b59a55 1075
13f9e280 1076 uint32_t oldSerial = sd.serial;
e31f9680 1077
f1b59a55 1078 vector<string> soaEdit2136Setting;
71f758e0 1079 B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);
f1b59a55
RA		 1080 string soaEdit2136 = "DEFAULT";
1081 string soaEdit;
1082 if (!soaEdit2136Setting.empty()) {
1083 soaEdit2136 = soaEdit2136Setting[0];
1084 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
4192773a
KM		 1085 string soaEditSetting;
1086 d_dk.getSoaEdit(di->zone, soaEditSetting);
f1b59a55 1087 if (soaEditSetting.empty()) {
e6a9dde5 1088 g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone.toLogString() <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;
f1b59a55
RA		 1089 soaEdit2136 = "DEFAULT";
1090 } else
4192773a 1091 soaEdit = soaEditSetting;
f1b59a55
RA		 1092 }
1093 }
1094
13f9e280
CH		 1095 DNSResourceRecord rr;
1096 if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) {
1097 di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr));
e6a9dde5 1098 g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;
13f9e280
CH		 1099
1100 //Correct ordername + auth flag
1101 if (haveNSEC3) {
1102 DNSName ordername;
1103 if (!narrow)
1104 ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));
1105
1106 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
1107 } else { // NSEC
1108 DNSName ordername = rr.qname.makeRelative(di->zone);
1109 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
1110 }
166ac305 1111 }
166ac305 1112}
Unnamed repository; edit this file 'description' to name the repository.