]>
Commit | Line | Data |
---|---|---|
d040cb86 | 1 | #include "dnswriter.hh" |
870a0fe4 AT |
2 | #ifdef HAVE_CONFIG_H |
3 | #include "config.h" | |
4 | #endif | |
f1b59a55 RA |
5 | #include "packethandler.hh" |
6 | #include "qtype.hh" | |
7 | #include "dnspacket.hh" | |
bf269e28 RG |
8 | #include "auth-caches.hh" |
9 | #include "statbag.hh" | |
f1b59a55 RA |
10 | #include "dnsseckeeper.hh" |
11 | #include "base64.hh" | |
12 | #include "base32.hh" | |
fa8fd4d2 | 13 | |
f1b59a55 RA |
14 | #include "misc.hh" |
15 | #include "arguments.hh" | |
b3148887 RA |
16 | #include "resolver.hh" |
17 | #include "dns_random.hh" | |
7facf345 | 18 | #include "backends/gsql/ssql.hh" |
4c5b6925 | 19 | #include "communicator.hh" |
20829585 | 20 | #include "query-local-address.hh" |
15e39ee4 | 21 | #include "gss_context.hh" |
fd7bbdb7 | 22 | #include "auth-main.hh" |
f1b59a55 | 23 | |
276a5ce7 | 24 | extern StatBag S; |
4c5b6925 | 25 | extern CommunicatorClass Communicator; |
f1b59a55 | 26 | |
0ddde5fb | 27 | std::mutex PacketHandler::s_rfc2136lock; |
ee9ef8f2 | 28 | |
f1b59a55 RA |
29 | // Implement section 3.2.1 and 3.2.2 of RFC2136 |
30 | int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) { | |
31 | if (rr->d_ttl != 0) | |
32 | return RCode::FormErr; | |
33 | ||
34 | // 3.2.1 and 3.2.2 check content length. | |
35 | if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0) | |
36 | return RCode::FormErr; | |
37 | ||
f1b59a55 RA |
38 | bool foundRecord=false; |
39 | DNSResourceRecord rec; | |
acb61e0a | 40 | di->backend->lookup(QType(QType::ANY), rr->d_name, di->id); |
f1b59a55 RA |
41 | while(di->backend->get(rec)) { |
42 | if (!rec.qtype.getCode()) | |
43 | continue; | |
44 | if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY) | |
45 | foundRecord=true; | |
46 | } | |
47 | ||
914353ca KM |
48 | // Section 3.2.1 |
49 | if (rr->d_class == QClass::ANY && !foundRecord) { | |
50 | if (rr->d_type == QType::ANY) | |
f1b59a55 RA |
51 | return RCode::NXDomain; |
52 | if (rr->d_type != QType::ANY) | |
53 | return RCode::NXRRSet; | |
914353ca | 54 | } |
f1b59a55 RA |
55 | |
56 | // Section 3.2.2 | |
57 | if (rr->d_class == QClass::NONE && foundRecord) { | |
58 | if (rr->d_type == QType::ANY) | |
59 | return RCode::YXDomain; | |
60 | if (rr->d_type != QType::ANY) | |
61 | return RCode::YXRRSet; | |
62 | } | |
63 | ||
64 | return RCode::NoError; | |
65 | } | |
66 | ||
67 | ||
68 | // Method implements section 3.4.1 of RFC2136 | |
69 | int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) { | |
70 | // The RFC stats that d_class != ZCLASS, but we only support the IN class. | |
2e63e431 | 71 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) { |
f1b59a55 | 72 | return RCode::FormErr; |
2e63e431 | 73 | } |
f1b59a55 RA |
74 | |
75 | QType qtype = QType(rr->d_type); | |
76 | ||
2e63e431 | 77 | if (!qtype.isSupportedType()) { |
f1b59a55 | 78 | return RCode::FormErr; |
2e63e431 | 79 | } |
f1b59a55 | 80 | |
2e63e431 | 81 | if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) { |
f1b59a55 | 82 | return RCode::FormErr; |
2e63e431 | 83 | } |
f1b59a55 | 84 | |
2e63e431 | 85 | if (rr->d_class == QClass::ANY && rr->d_clen != 0) { |
f1b59a55 | 86 | return RCode::FormErr; |
2e63e431 | 87 | } |
914353ca | 88 | |
2e63e431 RG |
89 | if (qtype.isMetadataType()) { |
90 | return RCode::FormErr; | |
91 | } | |
f1b59a55 | 92 | |
2e63e431 | 93 | if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) { |
f1b59a55 | 94 | return RCode::FormErr; |
2e63e431 | 95 | } |
f1b59a55 RA |
96 | |
97 | return RCode::NoError; | |
98 | } | |
99 | ||
6a323f63 | 100 | |
f1b59a55 | 101 | // Implements section 3.4.2 of RFC2136 |
d0d273cf | 102 | uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) { |
968de8d0 | 103 | |
dff32e09 RA |
104 | QType rrType = QType(rr->d_type); |
105 | ||
dff32e09 | 106 | if (rrType == QType::NSEC || rrType == QType::NSEC3) { |
d5fcd583 | 107 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<". These are generated records, ignoring!"<<endl; |
914353ca | 108 | return 0; |
dff32e09 RA |
109 | } |
110 | ||
959e72e3 | 111 | if (!isPresigned && rrType == QType::RRSIG) { |
d5fcd583 | 112 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<" in non-presigned zone, ignoring!"<<endl; |
dff32e09 RA |
113 | return 0; |
114 | } | |
115 | ||
f809c028 | 116 | if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) { |
d5fcd583 | 117 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<", "<<rrType.toString()<<" must be at zone apex, ignoring!"<<endl; |
dff32e09 RA |
118 | return 0; |
119 | } | |
120 | ||
968de8d0 | 121 | |
d0d273cf | 122 | uint changedRecords = 0; |
6a323f63 RA |
123 | DNSResourceRecord rec; |
124 | vector<DNSResourceRecord> rrset, recordsToDelete; | |
675fa24c | 125 | set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records. |
6a323f63 | 126 | |
f1b59a55 | 127 | |
6a323f63 | 128 | if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update |
d5fcd583 | 129 | DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.toString()<<endl); |
f1b59a55 | 130 | |
dff32e09 | 131 | if (rrType == QType::NSEC3PARAM) { |
e6a9dde5 | 132 | g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl; |
f858f843 | 133 | |
d06dcda4 | 134 | *ns3pr = NSEC3PARAMRecordContent(rr->getContent()->getZoneRepresentation(), di->zone); |
f858f843 | 135 | *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record |
b163cc0e KM |
136 | d_dk.setNSEC3PARAM(di->zone, *ns3pr, (*narrow)); |
137 | *haveNSEC3 = true; | |
f858f843 | 138 | |
adf1a785 KM |
139 | string error; |
140 | string info; | |
141 | if (!d_dk.rectifyZone(di->zone, error, info, false)) { | |
142 | throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error); | |
dff32e09 RA |
143 | } |
144 | return 1; | |
145 | } | |
146 | ||
f858f843 RA |
147 | |
148 | ||
6a323f63 | 149 | bool foundRecord = false; |
acb61e0a | 150 | di->backend->lookup(rrType, rr->d_name, di->id); |
f1b59a55 | 151 | while (di->backend->get(rec)) { |
dff32e09 RA |
152 | rrset.push_back(rec); |
153 | foundRecord = true; | |
6a323f63 | 154 | } |
914353ca | 155 | |
6a323f63 | 156 | if (foundRecord) { |
73174643 | 157 | |
dff32e09 | 158 | if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current |
f1b59a55 | 159 | SOAData sdOld, sdUpdate; |
6a323f63 RA |
160 | DNSResourceRecord *oldRec = &rrset.front(); |
161 | fillSOAData(oldRec->content, sdOld); | |
d06dcda4 | 162 | oldRec->setContent(rr->getContent()->getZoneRepresentation()); |
6a323f63 | 163 | fillSOAData(oldRec->content, sdUpdate); |
f1b59a55 | 164 | if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) { |
6a323f63 | 165 | di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset); |
f1b59a55 | 166 | *updatedSerial = true; |
f5059bd3 | 167 | changedRecords++; |
c712ec02 | 168 | g_log<<Logger::Notice<<msgPrefix<<"Replacing SOA record "<<rr->d_name<<"|"<<rrType.toString()<<endl; |
73174643 | 169 | } else { |
e6a9dde5 | 170 | g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl; |
73174643 | 171 | } |
6a323f63 RA |
172 | |
173 | // It's not possible to have multiple CNAME's with the same NAME. So we always update. | |
174 | } else if (rrType == QType::CNAME) { | |
73174643 | 175 | int changedCNames = 0; |
cb167afd | 176 | for (auto& i : rrset) { |
d06dcda4 | 177 | if (i.ttl != rr->d_ttl || i.content != rr->getContent()->getZoneRepresentation()) { |
cb167afd | 178 | i.ttl = rr->d_ttl; |
d06dcda4 | 179 | i.setContent(rr->getContent()->getZoneRepresentation()); |
73174643 RA |
180 | changedCNames++; |
181 | } | |
182 | } | |
183 | if (changedCNames > 0) { | |
f809c028 | 184 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
c712ec02 | 185 | g_log<<Logger::Notice<<msgPrefix<<"Replacing CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<endl; |
73174643 RA |
186 | changedRecords += changedCNames; |
187 | } else { | |
c712ec02 | 188 | g_log<<Logger::Notice<<msgPrefix<<"Replace for CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl; |
f1b59a55 | 189 | } |
6a323f63 | 190 | |
518fc317 | 191 | // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL) |
6a323f63 | 192 | } else { |
73174643 | 193 | int updateTTL=0; |
6a323f63 | 194 | foundRecord = false; |
bcdf6537 PD |
195 | bool lowerCase = false; |
196 | if (rrType.getCode() == QType::PTR || | |
197 | rrType.getCode() == QType::MX || | |
198 | rrType.getCode() == QType::SRV) { | |
199 | lowerCase = true; | |
200 | } | |
d06dcda4 | 201 | string content = rr->getContent()->getZoneRepresentation(); |
bcdf6537 | 202 | if (lowerCase) content = toLower(content); |
cb167afd | 203 | for (auto& i : rrset) { |
bcdf6537 PD |
204 | string icontent = i.getZoneRepresentation(); |
205 | if (lowerCase) icontent = toLower(icontent); | |
a7258792 PD |
206 | if (rrType == i.qtype.getCode()) { |
207 | if (icontent == content) { | |
208 | foundRecord=true; | |
209 | } | |
cb167afd CHB |
210 | if (i.ttl != rr->d_ttl) { |
211 | i.ttl = rr->d_ttl; | |
73174643 RA |
212 | updateTTL++; |
213 | } | |
6a323f63 RA |
214 | } |
215 | } | |
73174643 | 216 | if (updateTTL > 0) { |
f809c028 | 217 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
a7258792 | 218 | g_log<<Logger::Notice<<msgPrefix<<"Updating TTLs for "<<rr->d_name<<"|"<<rrType.toString()<<endl; |
73174643 RA |
219 | changedRecords += updateTTL; |
220 | } else { | |
a7258792 | 221 | g_log<<Logger::Notice<<msgPrefix<<"Replace for recordset "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl; |
7facf345 | 222 | } |
f1b59a55 | 223 | } |
6e42cac2 | 224 | |
73174643 | 225 | // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records. |
6e42cac2 | 226 | // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be. |
73174643 RA |
227 | if (changedRecords > 0) { |
228 | bool auth = rrset.front().auth; | |
229 | ||
230 | if(*haveNSEC3) { | |
8de4e1d7 | 231 | DNSName ordername; |
73174643 | 232 | if(! *narrow) |
96e63d77 | 233 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); |
73174643 RA |
234 | |
235 | if (*narrow) | |
96e63d77 | 236 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); |
73174643 | 237 | else |
96e63d77 | 238 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); |
73174643 | 239 | if(!auth || rrType == QType::DS) { |
96e63d77 KM |
240 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS); |
241 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); | |
242 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
73174643 | 243 | } |
6e42cac2 | 244 | |
73174643 | 245 | } else { // NSEC |
96e63d77 | 246 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth); |
73174643 | 247 | if(!auth || rrType == QType::DS) { |
96e63d77 KM |
248 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); |
249 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
73174643 | 250 | } |
6e42cac2 RA |
251 | } |
252 | } | |
253 | ||
254 | } // if (foundRecord) | |
f1b59a55 | 255 | |
6a323f63 | 256 | // If we haven't found a record that matches, we must add it. |
f1b59a55 | 257 | if (! foundRecord) { |
d5fcd583 | 258 | g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.toString()<<endl; |
f809c028 | 259 | delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record. |
4950b140 | 260 | auto newRec = DNSResourceRecord::fromWire(*rr); |
f1b59a55 | 261 | newRec.domain_id = di->id; |
f809c028 | 262 | newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS); |
c9b43446 | 263 | di->backend->feedRecord(newRec, DNSName()); |
b0704e0d | 264 | changedRecords++; |
6a323f63 RA |
265 | |
266 | ||
267 | // because we added a record, we need to fix DNSSEC data. | |
f809c028 | 268 | DNSName shorter(rr->d_name); |
163cb726 | 269 | bool auth=newRec.auth; |
6a82ce4a | 270 | bool fixDS = (rrType == QType::DS); |
f1b59a55 | 271 | |
8de4e1d7 | 272 | if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's |
e70f2627 | 273 | do { |
6a82ce4a | 274 | |
8de4e1d7 | 275 | if (di->zone == shorter) |
f1b59a55 | 276 | break; |
914353ca | 277 | |
f1b59a55 | 278 | bool foundShorter = false; |
acb61e0a | 279 | di->backend->lookup(QType(QType::ANY), shorter, di->id); |
f1b59a55 | 280 | while (di->backend->get(rec)) { |
f809c028 | 281 | if (rec.qname == rr->d_name && rec.qtype == QType::DS) |
6a82ce4a | 282 | fixDS = true; |
f809c028 | 283 | if (shorter != rr->d_name) |
e70f2627 | 284 | foundShorter = true; |
163cb726 | 285 | if (rec.qtype == QType::NS) // are we inserting below a delegate? |
f1b59a55 RA |
286 | auth=false; |
287 | } | |
6a82ce4a | 288 | |
f809c028 | 289 | if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT. |
f1b59a55 | 290 | insnonterm.insert(shorter); |
e70f2627 | 291 | if (foundShorter) |
a95f897d | 292 | break; // if we find a shorter record, we can stop searching |
675fa24c | 293 | } while(shorter.chopOff()); |
f1b59a55 RA |
294 | } |
295 | ||
dff32e09 | 296 | if(*haveNSEC3) |
f1b59a55 | 297 | { |
8de4e1d7 | 298 | DNSName ordername; |
914353ca | 299 | if(! *narrow) |
96e63d77 | 300 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); |
914353ca | 301 | |
e70f2627 | 302 | if (*narrow) |
96e63d77 | 303 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); |
e70f2627 | 304 | else |
96e63d77 | 305 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); |
e70f2627 | 306 | |
6a82ce4a | 307 | if (fixDS) |
96e63d77 | 308 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS); |
6a82ce4a | 309 | |
929eee6b | 310 | if(!auth) |
f1b59a55 | 311 | { |
914353ca | 312 | if (ns3pr->d_flags) |
96e63d77 KM |
313 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS); |
314 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); | |
315 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
316 | } |
317 | } | |
318 | else // NSEC | |
319 | { | |
96e63d77 KM |
320 | DNSName ordername=rr->d_name.makeRelative(di->zone); |
321 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); | |
6a82ce4a | 322 | if (fixDS) { |
96e63d77 | 323 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS); |
6a82ce4a RA |
324 | } |
325 | if(!auth) { | |
96e63d77 KM |
326 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); |
327 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
328 | } |
329 | } | |
6a323f63 RA |
330 | |
331 | ||
f1b59a55 | 332 | // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate. |
f809c028 | 333 | // Auth can only be false when the rr->d_name is not the zone |
6a323f63 | 334 | if (auth == false && rrType == QType::NS) { |
e6a9dde5 | 335 | DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl); |
6a82ce4a | 336 | insnonterm.clear(); // No ENT's are needed below delegates (auth=0) |
561434a6 | 337 | vector<DNSName> qnames; |
f809c028 | 338 | di->backend->listSubZone(rr->d_name, di->id); |
f1b59a55 | 339 | while(di->backend->get(rec)) { |
f809c028 | 340 | if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record. |
f1b59a55 RA |
341 | qnames.push_back(rec.qname); |
342 | } | |
d7f67000 | 343 | for(const auto & qname : qnames) { |
dff32e09 | 344 | if(*haveNSEC3) { |
8de4e1d7 | 345 | DNSName ordername; |
914353ca | 346 | if(! *narrow) |
d7f67000 | 347 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname))); |
914353ca | 348 | |
6a82ce4a | 349 | if (*narrow) |
d7f67000 | 350 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth); |
6a82ce4a | 351 | else |
d7f67000 | 352 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth); |
6a82ce4a | 353 | |
be40c2df | 354 | if (ns3pr->d_flags) |
d7f67000 | 355 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS); |
96e63d77 KM |
356 | } |
357 | else { // NSEC | |
d7f67000 RP |
358 | DNSName ordername=DNSName(qname).makeRelative(di->zone); |
359 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS); | |
f1b59a55 | 360 | } |
f1b59a55 | 361 | |
d7f67000 RP |
362 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A); |
363 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
364 | } |
365 | } | |
f1b59a55 RA |
366 | } |
367 | } // rr->d_class == QClass::IN | |
368 | ||
914353ca | 369 | |
6a323f63 RA |
370 | // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by |
371 | // the code that calls this performUpdate(). | |
372 | if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA. | |
d5fcd583 | 373 | DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.toString()<<endl); |
dff32e09 RA |
374 | |
375 | if (rrType == QType::NSEC3PARAM) { | |
e6a9dde5 | 376 | g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl; |
dff32e09 | 377 | if (rr->d_class == QClass::ANY) |
f809c028 | 378 | d_dk.unsetNSEC3PARAM(rr->d_name); |
dff32e09 | 379 | else if (rr->d_class == QClass::NONE) { |
d06dcda4 | 380 | NSEC3PARAMRecordContent nsec3rr(rr->getContent()->getZoneRepresentation(), di->zone); |
b163cc0e | 381 | if (*haveNSEC3 && ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation()) |
f809c028 | 382 | d_dk.unsetNSEC3PARAM(rr->d_name); |
dff32e09 RA |
383 | else |
384 | return 0; | |
914353ca | 385 | } else |
dff32e09 RA |
386 | return 0; |
387 | ||
b163cc0e KM |
388 | // Update NSEC3 variables, other RR's in this update package might need them as well. |
389 | *haveNSEC3 = false; | |
390 | *narrow = false; | |
e3dc2b56 | 391 | |
adf1a785 KM |
392 | string error; |
393 | string info; | |
394 | if (!d_dk.rectifyZone(di->zone, error, info, false)) { | |
395 | throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error); | |
dff32e09 RA |
396 | } |
397 | return 1; | |
589563c0 | 398 | } // end of NSEC3PARAM delete block |
dff32e09 RA |
399 | |
400 | ||
acb61e0a | 401 | di->backend->lookup(rrType, rr->d_name, di->id); |
6a323f63 RA |
402 | while(di->backend->get(rec)) { |
403 | if (rr->d_class == QClass::ANY) { // 3.4.2.3 | |
404 | if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's | |
405 | rrset.push_back(rec); | |
406 | else | |
f1b59a55 RA |
407 | recordsToDelete.push_back(rec); |
408 | } | |
6a323f63 | 409 | if (rr->d_class == QClass::NONE) { // 3.4.2.4 |
d040cb86 PD |
410 | auto repr = rec.getZoneRepresentation(); |
411 | if (rec.qtype == QType::TXT) { | |
412 | DLOG(g_log<<msgPrefix<<"Adjusting TXT content from ["<<repr<<"]"<<endl); | |
d525b58b | 413 | auto drc = DNSRecordContent::make(rec.qtype.getCode(), QClass::IN, repr); |
d040cb86 PD |
414 | auto ser = drc->serialize(rec.qname, true, true); |
415 | auto rc = DNSRecordContent::deserialize(rec.qname, rec.qtype.getCode(), ser); | |
416 | repr = rc->getZoneRepresentation(true); | |
417 | DLOG(g_log<<msgPrefix<<"Adjusted TXT content to ["<<repr<<"]"<<endl); | |
418 | } | |
d06dcda4 RG |
419 | DLOG(g_log<<msgPrefix<<"Matching RR in RRset - (adjusted) representation from request=["<<repr<<"], rr->getContent()->getZoneRepresentation()=["<<rr->getContent()->getZoneRepresentation()<<"]"<<endl); |
420 | if (rrType == rec.qtype && repr == rr->getContent()->getZoneRepresentation()) | |
6a323f63 RA |
421 | recordsToDelete.push_back(rec); |
422 | else | |
423 | rrset.push_back(rec); | |
424 | } | |
f1b59a55 | 425 | } |
589563c0 RA |
426 | |
427 | if (recordsToDelete.size()) { | |
f809c028 | 428 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
d5fcd583 | 429 | g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.toString()<<endl; |
589563c0 | 430 | changedRecords += recordsToDelete.size(); |
f1b59a55 | 431 | |
f1b59a55 | 432 | |
589563c0 | 433 | // If we've removed a delegate, we need to reset ordername/auth for some records. |
f809c028 | 434 | if (rrType == QType::NS && rr->d_name != di->zone) { |
675fa24c | 435 | vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag; |
f809c028 | 436 | di->backend->listSubZone(rr->d_name, di->id); |
f1b59a55 | 437 | while (di->backend->get(rec)) { |
7a0a9f8a | 438 | if (rec.qtype.getCode()) // skip ENT records, they are always auth=false |
a95f897d | 439 | belowOldDelegate.push_back(rec.qname); |
f809c028 | 440 | if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name) |
a95f897d | 441 | nsRecs.push_back(rec.qname); |
f1b59a55 | 442 | } |
a95f897d | 443 | |
675fa24c | 444 | for(auto &belowOldDel: belowOldDelegate) |
a95f897d RA |
445 | { |
446 | bool isBelowDelegate = false; | |
561434a6 PD |
447 | for(const auto & ns: nsRecs) { |
448 | if (ns.isPartOf(belowOldDel)) { | |
a95f897d RA |
449 | isBelowDelegate=true; |
450 | break; | |
451 | } | |
452 | } | |
453 | if (!isBelowDelegate) | |
561434a6 | 454 | updateAuthFlag.push_back(belowOldDel); |
a95f897d RA |
455 | } |
456 | ||
561434a6 | 457 | for (const auto &changeRec:updateAuthFlag) { |
dff32e09 | 458 | if(*haveNSEC3) { |
8de4e1d7 | 459 | DNSName ordername; |
914353ca | 460 | if(! *narrow) |
96e63d77 | 461 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec))); |
914353ca | 462 | |
96e63d77 KM |
463 | di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true); |
464 | } | |
465 | else { // NSEC | |
466 | DNSName ordername=changeRec.makeRelative(di->zone); | |
467 | di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true); | |
f1b59a55 | 468 | } |
f1b59a55 RA |
469 | } |
470 | } | |
f1b59a55 | 471 | |
6a323f63 RA |
472 | // Fix ENT records. |
473 | // We must check if we have a record below the current level and if we removed the 'last' record | |
474 | // on that level. If so, we must insert an ENT record. | |
fdf983eb | 475 | // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit. |
9353d244 | 476 | bool foundDeeper = false, foundOtherWithSameName = false; |
f809c028 | 477 | di->backend->listSubZone(rr->d_name, di->id); |
6a323f63 | 478 | while (di->backend->get(rec)) { |
f809c028 | 479 | if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) |
9353d244 | 480 | foundOtherWithSameName = true; |
f809c028 | 481 | if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT |
6a323f63 RA |
482 | foundDeeper = true; |
483 | } | |
f1b59a55 | 484 | |
9353d244 | 485 | if (foundDeeper && !foundOtherWithSameName) { |
f809c028 | 486 | insnonterm.insert(rr->d_name); |
9353d244 | 487 | } else if (!foundOtherWithSameName) { |
6a323f63 RA |
488 | // If we didn't have to insert an ENT, we might have deleted a record at very deep level |
489 | // and we must then clean up the ENT's above the deleted record. | |
f809c028 | 490 | DNSName shorter(rr->d_name); |
9353d244 | 491 | while (shorter != di->zone) { |
675fa24c | 492 | shorter.chopOff(); |
9353d244 | 493 | bool foundRealRR = false; |
a95f897d | 494 | bool foundEnt = false; |
9353d244 RA |
495 | |
496 | // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch | |
6a323f63 | 497 | // consider these non ENT-records: |
9353d244 RA |
498 | // b.c.d.e.test.com |
499 | // b.d.e.test.com | |
500 | // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com. | |
6a323f63 RA |
501 | // At that point we can stop deleting ENT's because the tree is in tact again. |
502 | di->backend->listSubZone(shorter, di->id); | |
914353ca | 503 | |
9353d244 RA |
504 | while (di->backend->get(rec)) { |
505 | if (rec.qtype.getCode()) | |
506 | foundRealRR = true; | |
a95f897d RA |
507 | else |
508 | foundEnt = true; | |
9353d244 | 509 | } |
3ab4cfca | 510 | if (!foundRealRR) { |
a95f897d RA |
511 | if (foundEnt) // only delete the ENT if we actually found one. |
512 | delnonterm.insert(shorter); | |
3ab4cfca | 513 | } else |
9353d244 RA |
514 | break; |
515 | } | |
6a323f63 | 516 | } |
589563c0 | 517 | } else { // if (recordsToDelete.size()) |
d5fcd583 | 518 | g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but not found."<<endl; |
f1b59a55 | 519 | } |
589563c0 RA |
520 | } // (End of delete block d_class == ANY || d_class == NONE |
521 | ||
f1b59a55 | 522 | |
6a323f63 RA |
523 | |
524 | //Insert and delete ENT's | |
525 | if (insnonterm.size() > 0 || delnonterm.size() > 0) { | |
e6a9dde5 | 526 | DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl); |
96e63d77 | 527 | di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false); |
561434a6 | 528 | for (const auto &i: insnonterm) { |
6a323f63 | 529 | string hashed; |
8de4e1d7 | 530 | if(*haveNSEC3) |
6a323f63 | 531 | { |
8de4e1d7 | 532 | DNSName ordername; |
914353ca | 533 | if(! *narrow) |
96e63d77 KM |
534 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i))); |
535 | di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true); | |
f1b59a55 RA |
536 | } |
537 | } | |
538 | } | |
539 | ||
589563c0 | 540 | return changedRecords; |
f1b59a55 RA |
541 | } |
542 | ||
c2826d2e | 543 | int PacketHandler::forwardPacket(const string &msgPrefix, const DNSPacket& p, const DomainInfo& di) { |
e174b255 | 544 | vector<string> forward; |
c2826d2e | 545 | B.getDomainMetadata(p.qdomain, "FORWARD-DNSUPDATE", forward); |
e174b255 | 546 | |
71f758e0 | 547 | if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) { |
d525b58b | 548 | g_log << Logger::Notice << msgPrefix << "Not configured to forward to primary, returning Refused." << endl; |
d8293c79 | 549 | return RCode::Refused; |
e174b255 RA |
550 | } |
551 | ||
d525b58b KM |
552 | for (const auto& remote : di.primaries) { |
553 | g_log << Logger::Notice << msgPrefix << "Forwarding packet to primary " << remote << endl; | |
b3148887 | 554 | |
20829585 | 555 | if (!pdns::isQueryLocalAddressFamilyEnabled(remote.sin4.sin_family)) { |
9d36589a PL |
556 | continue; |
557 | } | |
20829585 | 558 | auto local = pdns::getQueryLocalAddress(remote.sin4.sin_family, 0); |
b3148887 | 559 | int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this. |
34c513f9 | 560 | if(sock < 0) { |
e6a9dde5 | 561 | g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl; |
34c513f9 RG |
562 | continue; |
563 | } | |
b3148887 RA |
564 | |
565 | if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) { | |
e6a9dde5 | 566 | g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl; |
a7b68ae7 RG |
567 | try { |
568 | closesocket(sock); | |
569 | } | |
570 | catch(const PDNSException& e) { | |
d525b58b | 571 | g_log << Logger::Error << "Error closing primary forwarding socket after connect() failed: " << e.reason << endl; |
a7b68ae7 | 572 | } |
b3148887 RA |
573 | continue; |
574 | } | |
575 | ||
02abfb19 AT |
576 | DNSPacket l_forwardPacket(p); |
577 | l_forwardPacket.setID(dns_random_uint16()); | |
578 | l_forwardPacket.setRemote(&remote); | |
579 | uint16_t len=htons(l_forwardPacket.getString().length()); | |
b3148887 | 580 | string buffer((const char*)&len, 2); |
02abfb19 | 581 | buffer.append(l_forwardPacket.getString()); |
914353ca | 582 | if(write(sock, buffer.c_str(), buffer.length()) < 0) { |
e6a9dde5 | 583 | g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
a7b68ae7 RG |
584 | try { |
585 | closesocket(sock); | |
586 | } | |
587 | catch(const PDNSException& e) { | |
d525b58b | 588 | g_log << Logger::Error << "Error closing primary forwarding socket after write() failed: " << e.reason << endl; |
a7b68ae7 | 589 | } |
b3148887 RA |
590 | continue; |
591 | } | |
592 | ||
593 | int res = waitForData(sock, 10, 0); | |
594 | if (!res) { | |
d525b58b | 595 | g_log << Logger::Error << msgPrefix << "Timeout waiting for reply from primary at " << remote.toStringWithPort() << endl; |
a7b68ae7 RG |
596 | try { |
597 | closesocket(sock); | |
598 | } | |
599 | catch(const PDNSException& e) { | |
d525b58b | 600 | g_log << Logger::Error << "Error closing primary forwarding socket after a timeout occurred: " << e.reason << endl; |
a7b68ae7 | 601 | } |
b3148887 RA |
602 | continue; |
603 | } | |
604 | if (res < 0) { | |
d525b58b | 605 | g_log << Logger::Error << msgPrefix << "Error waiting for answer from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl; |
a7b68ae7 RG |
606 | try { |
607 | closesocket(sock); | |
608 | } | |
609 | catch(const PDNSException& e) { | |
d525b58b | 610 | g_log << Logger::Error << "Error closing primary forwarding socket after an error occurred: " << e.reason << endl; |
a7b68ae7 | 611 | } |
b3148887 RA |
612 | continue; |
613 | } | |
614 | ||
f6a81077 RG |
615 | unsigned char lenBuf[2]; |
616 | ssize_t recvRes; | |
b3148887 | 617 | recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0); |
f6a81077 | 618 | if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) { |
d525b58b | 619 | g_log << Logger::Error << msgPrefix << "Could not receive data (length) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl; |
a7b68ae7 RG |
620 | try { |
621 | closesocket(sock); | |
622 | } | |
623 | catch(const PDNSException& e) { | |
d525b58b | 624 | g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl; |
a7b68ae7 | 625 | } |
b3148887 RA |
626 | continue; |
627 | } | |
f6a81077 | 628 | size_t packetLen = lenBuf[0]*256+lenBuf[1]; |
b3148887 | 629 | |
2c001eb6 RG |
630 | buffer.resize(packetLen); |
631 | recvRes = recv(sock, &buffer.at(0), packetLen, 0); | |
b3148887 | 632 | if (recvRes < 0) { |
d525b58b | 633 | g_log << Logger::Error << msgPrefix << "Could not receive data (dnspacket) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl; |
a7b68ae7 RG |
634 | try { |
635 | closesocket(sock); | |
636 | } | |
637 | catch(const PDNSException& e) { | |
d525b58b | 638 | g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl; |
a7b68ae7 | 639 | } |
b3148887 RA |
640 | continue; |
641 | } | |
a7b68ae7 RG |
642 | try { |
643 | closesocket(sock); | |
644 | } | |
645 | catch(const PDNSException& e) { | |
d525b58b | 646 | g_log << Logger::Error << "Error closing primary forwarding socket: " << e.reason << endl; |
a7b68ae7 | 647 | } |
b3148887 RA |
648 | |
649 | try { | |
2c001eb6 | 650 | MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes)); |
e6a9dde5 | 651 | g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl; |
b3148887 RA |
652 | return mdp.d_header.rcode; |
653 | } | |
654 | catch (...) { | |
d525b58b | 655 | g_log << Logger::Error << msgPrefix << "Failed to parse response packet from primary at " << remote.toStringWithPort() << endl; |
b3148887 RA |
656 | continue; |
657 | } | |
658 | } | |
d525b58b | 659 | g_log << Logger::Error << msgPrefix << "Failed to forward packet to primary(s). Returning ServFail." << endl; |
b3148887 RA |
660 | return RCode::ServFail; |
661 | ||
662 | } | |
663 | ||
4ec1794d | 664 | int PacketHandler::processUpdate(DNSPacket& packet) { // NOLINT(readability-function-cognitive-complexity) |
d07bf7ff | 665 | if (! ::arg().mustDo("dnsupdate")) |
f1b59a55 | 666 | return RCode::Refused; |
914353ca | 667 | |
4ec1794d | 668 | string msgPrefix="UPDATE (" + std::to_string(packet.d.id) + ") from " + packet.getRemoteString() + " for " + packet.qdomain.toLogString() + ": "; |
e6a9dde5 | 669 | g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl; |
f1b59a55 | 670 | |
0ecc1158 | 671 | // if there is policy, we delegate all checks to it |
4646277d | 672 | if (this->d_update_policy_lua == nullptr) { |
f1b59a55 | 673 | |
0ecc1158 AT |
674 | // Check permissions - IP based |
675 | vector<string> allowedRanges; | |
4ec1794d | 676 | B.getDomainMetadata(packet.qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges); |
0ecc1158 AT |
677 | if (! ::arg()["allow-dnsupdate-from"].empty()) |
678 | stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" ); | |
f1b59a55 | 679 | |
0ecc1158 | 680 | NetmaskGroup ng; |
cb167afd CHB |
681 | for(const auto& i: allowedRanges) { |
682 | ng.addMask(i); | |
683 | } | |
914353ca | 684 | |
4ec1794d | 685 | if ( ! ng.match(packet.getInnerRemote())) { |
e6a9dde5 | 686 | g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl; |
f1b59a55 RA |
687 | return RCode::Refused; |
688 | } | |
689 | ||
0ecc1158 AT |
690 | |
691 | // Check permissions - TSIG based. | |
692 | vector<string> tsigKeys; | |
4ec1794d | 693 | B.getDomainMetadata(packet.qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys); |
0ecc1158 AT |
694 | if (tsigKeys.size() > 0) { |
695 | bool validKey = false; | |
696 | ||
697 | TSIGRecordContent trc; | |
698 | DNSName inputkey; | |
699 | string message; | |
4ec1794d | 700 | if (! packet.getTSIGDetails(&trc, &inputkey)) { |
e6a9dde5 | 701 | g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl; |
0ecc1158 | 702 | return RCode::Refused; |
6917c321 | 703 | } |
c113acc3 | 704 | #ifdef ENABLE_GSS_TSIG |
4ec1794d PD |
705 | if (g_doGssTSIG && packet.d_tsig_algo == TSIG_GSS) { |
706 | GssName inputname(packet.d_peer_principal); // match against principal since GSS requires that | |
b08f1315 OM |
707 | for(const auto& key: tsigKeys) { |
708 | if (inputname.match(key)) { | |
709 | validKey = true; | |
710 | break; | |
711 | } | |
712 | } | |
c113acc3 OM |
713 | } |
714 | else | |
715 | #endif | |
716 | { | |
b08f1315 | 717 | for(const auto& key: tsigKeys) { |
5e8d94f1 | 718 | if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid. |
b08f1315 OM |
719 | validKey=true; |
720 | break; | |
721 | } | |
6917c321 AT |
722 | } |
723 | } | |
f1b59a55 | 724 | |
0ecc1158 | 725 | if (!validKey) { |
e6a9dde5 | 726 | g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl; |
0ecc1158 AT |
727 | return RCode::Refused; |
728 | } | |
006dac60 EE |
729 | } else if(::arg().mustDo("dnsupdate-require-tsig")) { |
730 | g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but domain is not secured with TSIG. Sending REFUSED"<<endl; | |
731 | return RCode::Refused; | |
f1b59a55 | 732 | } |
f1b59a55 | 733 | |
f831a2e8 | 734 | if (tsigKeys.empty() && packet.d_havetsig) { |
e6a9dde5 | 735 | g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl; |
f831a2e8 | 736 | } |
0ecc1158 AT |
737 | |
738 | } | |
f1b59a55 RA |
739 | |
740 | // RFC2136 uses the same DNS Header and Message as defined in RFC1035. | |
914353ca | 741 | // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different |
f1b59a55 | 742 | // variable names during the use of our MOADNSParser. |
4ec1794d | 743 | MOADNSParser mdp(false, packet.getString()); |
f1b59a55 | 744 | if (mdp.d_header.qdcount != 1) { |
e6a9dde5 | 745 | g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl; |
f1b59a55 | 746 | return RCode::FormErr; |
914353ca | 747 | } |
f1b59a55 | 748 | |
4ec1794d | 749 | if (packet.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA |
e6a9dde5 | 750 | g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl; |
f1b59a55 RA |
751 | return RCode::FormErr; |
752 | } | |
753 | ||
4ec1794d | 754 | if (packet.qclass != QClass::IN) { |
e6a9dde5 | 755 | g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl; |
f1b59a55 RA |
756 | return RCode::NotAuth; |
757 | } | |
758 | ||
759 | DomainInfo di; | |
4646277d | 760 | di.backend=nullptr; |
f831a2e8 | 761 | if(!B.getDomainInfo(packet.qdomain, di) || (di.backend == nullptr)) { |
4ec1794d | 762 | g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<packet.qdomain<<"' (or backend does not support DNS update operation)"<<endl; |
f1b59a55 RA |
763 | return RCode::NotAuth; |
764 | } | |
765 | ||
c02c999b | 766 | if (di.kind == DomainInfo::Secondary) |
4ec1794d | 767 | return forwardPacket(msgPrefix, packet, di); |
f1b59a55 | 768 | |
914353ca | 769 | // Check if all the records provided are within the zone |
f80ebc05 O |
770 | for(const auto & answer : mdp.d_answers) { |
771 | const DNSRecord *rr = &answer.first; | |
f1b59a55 | 772 | // Skip this check for other field types (like the TSIG - which is in the additional section) |
dff32e09 | 773 | // For a TSIG, the label is the dnskey, so it does not pass the endOn validation. |
e693ff5a | 774 | if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY)) |
f1b59a55 RA |
775 | continue; |
776 | ||
f809c028 | 777 | if (!rr->d_name.isPartOf(di.zone)) { |
e6a9dde5 | 778 | g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl; |
f1b59a55 RA |
779 | return RCode::NotZone; |
780 | } | |
781 | } | |
782 | ||
dff32e09 | 783 | |
0ddde5fb | 784 | std::lock_guard<std::mutex> l(s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything |
e6a9dde5 | 785 | g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl; |
4ec1794d PD |
786 | if (!di.backend->startTransaction(packet.qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records. |
787 | g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<packet.qdomain<<" does not support transaction. Can't do Update packet."<<endl; | |
f1b59a55 RA |
788 | return RCode::NotImp; |
789 | } | |
790 | ||
914353ca | 791 | // 3.2.1 and 3.2.2 - Prerequisite check |
f80ebc05 O |
792 | for(const auto & answer : mdp.d_answers) { |
793 | const DNSRecord *rr = &answer.first; | |
e693ff5a | 794 | if (rr->d_place == DNSResourceRecord::ANSWER) { |
f1b59a55 RA |
795 | int res = checkUpdatePrerequisites(rr, &di); |
796 | if (res>0) { | |
3f4073ec | 797 | g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check for "<<rr->d_name<<", returning "<<RCode::to_s(res)<<endl; |
f1b59a55 RA |
798 | di.backend->abortTransaction(); |
799 | return res; | |
800 | } | |
914353ca | 801 | } |
f1b59a55 RA |
802 | } |
803 | ||
d3f46849 | 804 | // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR. |
561434a6 | 805 | typedef pair<DNSName, QType> rrSetKey_t; |
f1b59a55 RA |
806 | typedef vector<DNSResourceRecord> rrVector_t; |
807 | typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t; | |
808 | RRsetMap_t preReqRRsets; | |
cb167afd | 809 | for(const auto& i: mdp.d_answers) { |
4950b140 | 810 | const DNSRecord* rr = &i.first; |
e693ff5a | 811 | if (rr->d_place == DNSResourceRecord::ANSWER) { |
f1b59a55 | 812 | // Last line of 3.2.3 |
914353ca | 813 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) |
f1b59a55 RA |
814 | return RCode::FormErr; |
815 | ||
816 | if (rr->d_class == QClass::IN) { | |
e32a8d46 | 817 | rrSetKey_t key = {rr->d_name, QType(rr->d_type)}; |
f1b59a55 | 818 | rrVector_t *vec = &preReqRRsets[key]; |
4950b140 | 819 | vec->push_back(DNSResourceRecord::fromWire(*rr)); |
f1b59a55 RA |
820 | } |
821 | } | |
822 | } | |
823 | ||
824 | if (preReqRRsets.size() > 0) { | |
825 | RRsetMap_t zoneRRsets; | |
d7f67000 RP |
826 | for (auto & preReqRRset : preReqRRsets) { |
827 | rrSetKey_t rrSet=preReqRRset.first; | |
828 | rrVector_t *vec = &preReqRRset.second; | |
f1b59a55 RA |
829 | |
830 | DNSResourceRecord rec; | |
acb61e0a | 831 | di.backend->lookup(QType(QType::ANY), rrSet.first, di.id); |
f1b59a55 RA |
832 | uint16_t foundRR=0, matchRR=0; |
833 | while (di.backend->get(rec)) { | |
834 | if (rec.qtype == rrSet.second) { | |
835 | foundRR++; | |
d7f67000 RP |
836 | for(auto & rrItem : *vec) { |
837 | rrItem.ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks. | |
838 | if (rrItem == rec) | |
f1b59a55 RA |
839 | matchRR++; |
840 | } | |
841 | } | |
842 | } | |
843 | if (matchRR != foundRR || foundRR != vec->size()) { | |
e6a9dde5 | 844 | g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl; |
f1b59a55 RA |
845 | di.backend->abortTransaction(); |
846 | return RCode::NXRRSet; | |
847 | } | |
848 | } | |
849 | } | |
850 | ||
851 | ||
852 | ||
0bb68041 | 853 | // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block. |
f1b59a55 | 854 | try { |
d0d273cf | 855 | uint changedRecords = 0; |
f1b59a55 | 856 | // 3.4.1 - Prescan section |
f80ebc05 O |
857 | for(const auto & answer : mdp.d_answers) { |
858 | const DNSRecord *rr = &answer.first; | |
e693ff5a | 859 | if (rr->d_place == DNSResourceRecord::AUTHORITY) { |
f1b59a55 RA |
860 | int res = checkUpdatePrescan(rr); |
861 | if (res>0) { | |
e6a9dde5 | 862 | g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl; |
f1b59a55 RA |
863 | di.backend->abortTransaction(); |
864 | return res; | |
865 | } | |
866 | } | |
867 | } | |
868 | ||
869 | bool updatedSerial=false; | |
870 | NSEC3PARAMRecordContent ns3pr; | |
914353ca | 871 | bool narrow=false; |
f1b59a55 | 872 | bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow); |
dff32e09 | 873 | bool isPresigned = d_dk.isPresigned(di.zone); |
b163cc0e KM |
874 | string soaEditSetting; |
875 | d_dk.getSoaEdit(di.zone, soaEditSetting); | |
f1b59a55 | 876 | |
f1b59a55 RA |
877 | // 3.4.2 - Perform the updates. |
878 | // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4) | |
7c696097 | 879 | // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR. |
f1b59a55 | 880 | vector<const DNSRecord *> nsRRtoDelete; |
6f604952 PL |
881 | |
882 | // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270) | |
883 | set<DNSName> cn, nocn; | |
884 | for (const auto &rr : mdp.d_answers) { | |
885 | if (rr.first.d_place == DNSResourceRecord::AUTHORITY && rr.first.d_class == QClass::IN && rr.first.d_ttl > 0) { | |
886 | // Addition | |
887 | if (rr.first.d_type == QType::CNAME) { | |
888 | cn.insert(rr.first.d_name); | |
889 | } else if (rr.first.d_type != QType::RRSIG) { | |
890 | nocn.insert(rr.first.d_name); | |
891 | } | |
892 | } | |
893 | } | |
894 | for (auto const &n : cn) { | |
895 | if (nocn.count(n) > 0) { | |
e6a9dde5 | 896 | g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl; |
6f604952 PL |
897 | di.backend->abortTransaction(); |
898 | return RCode::FormErr; | |
899 | } | |
900 | } | |
901 | ||
902 | vector<const DNSRecord *> cnamesToAdd, nonCnamesToAdd; | |
f80ebc05 O |
903 | for(const auto & answer : mdp.d_answers) { |
904 | const DNSRecord *rr = &answer.first; | |
e693ff5a | 905 | if (rr->d_place == DNSResourceRecord::AUTHORITY) { |
0ecc1158 | 906 | /* see if it's permitted by policy */ |
4646277d | 907 | if (this->d_update_policy_lua != nullptr) { |
f831a2e8 | 908 | if (!this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, packet)) { |
d5fcd583 | 909 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Not permitted by policy"<<endl; |
0ecc1158 AT |
910 | continue; |
911 | } else { | |
d5fcd583 | 912 | g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Permitted by policy"<<endl; |
0ecc1158 AT |
913 | } |
914 | } | |
915 | ||
f809c028 | 916 | if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone) |
f1b59a55 | 917 | nsRRtoDelete.push_back(rr); |
6f604952 PL |
918 | else if (rr->d_class == QClass::IN && rr->d_ttl > 0) { |
919 | if (rr->d_type == QType::CNAME) { | |
920 | cnamesToAdd.push_back(rr); | |
921 | } else { | |
922 | nonCnamesToAdd.push_back(rr); | |
923 | } | |
924 | } | |
f1b59a55 | 925 | else |
d0d273cf | 926 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
927 | } |
928 | } | |
6f604952 PL |
929 | for (const auto &rr : cnamesToAdd) { |
930 | DNSResourceRecord rec; | |
acb61e0a | 931 | di.backend->lookup(QType(QType::ANY), rr->d_name, di.id); |
6f604952 | 932 | while (di.backend->get(rec)) { |
72a6f0d8 | 933 | if (rec.qtype != QType::CNAME && rec.qtype != QType::ENT && rec.qtype != QType::RRSIG) { |
e2136c35 PD |
934 | // leave database handle in a consistent state |
935 | while (di.backend->get(rec)) | |
936 | ; | |
d5fcd583 | 937 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Data other than CNAME exists for the same name"<<endl; |
6f604952 PL |
938 | di.backend->abortTransaction(); |
939 | return RCode::Refused; | |
940 | } | |
941 | } | |
942 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); | |
943 | } | |
944 | for (const auto &rr : nonCnamesToAdd) { | |
945 | DNSResourceRecord rec; | |
acb61e0a | 946 | di.backend->lookup(QType(QType::CNAME), rr->d_name, di.id); |
6f604952 PL |
947 | while (di.backend->get(rec)) { |
948 | if (rec.qtype == QType::CNAME && rr->d_type != QType::RRSIG) { | |
e2136c35 PD |
949 | // leave database handle in a consistent state |
950 | while (di.backend->get(rec)) | |
951 | ; | |
d5fcd583 | 952 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": CNAME exists for the same name"<<endl; |
6f604952 PL |
953 | di.backend->abortTransaction(); |
954 | return RCode::Refused; | |
955 | } | |
956 | } | |
957 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); | |
958 | } | |
f1b59a55 RA |
959 | if (nsRRtoDelete.size()) { |
960 | vector<DNSResourceRecord> nsRRInZone; | |
961 | DNSResourceRecord rec; | |
acb61e0a | 962 | di.backend->lookup(QType(QType::NS), di.zone, di.id); |
f1b59a55 RA |
963 | while (di.backend->get(rec)) { |
964 | nsRRInZone.push_back(rec); | |
965 | } | |
966 | if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4) | |
cb167afd CHB |
967 | for (auto& inZone: nsRRInZone) { |
968 | for (auto& rr: nsRRtoDelete) { | |
d06dcda4 | 969 | if (inZone.getZoneRepresentation() == (rr)->getContent()->getZoneRepresentation()) |
cb167afd | 970 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
971 | } |
972 | } | |
973 | } | |
974 | } | |
975 | ||
f1b59a55 | 976 | // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message |
d0d273cf | 977 | if (changedRecords > 0 && !updatedSerial) { |
b163cc0e | 978 | increaseSerial(msgPrefix, &di, soaEditSetting, haveNSEC3, narrow, &ns3pr); |
d0d273cf | 979 | changedRecords++; |
890c7124 RA |
980 | } |
981 | ||
d0d273cf | 982 | if (changedRecords > 0) { |
dce6b818 | 983 | if (!di.backend->commitTransaction()) { |
e6a9dde5 | 984 | g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl; |
dce6b818 RA |
985 | return RCode::ServFail; |
986 | } | |
914353ca | 987 | |
71f758e0 | 988 | S.deposit("dnsupdate-changes", changedRecords); |
7facf345 | 989 | |
b163cc0e | 990 | d_dk.clearMetaCache(di.zone); |
dce6b818 | 991 | // Purge the records! |
7abbc40f | 992 | string zone(di.zone.toString()); |
dce6b818 | 993 | zone.append("$"); |
bf269e28 | 994 | purgeAuthCaches(zone); |
0bb68041 | 995 | |
c02c999b | 996 | // Notify secondaries |
d525b58b | 997 | if (di.kind == DomainInfo::Primary) { |
4c5b6925 | 998 | vector<string> notify; |
4ec1794d | 999 | B.getDomainMetadata(packet.qdomain, "NOTIFY-DNSUPDATE", notify); |
4c5b6925 | 1000 | if (!notify.empty() && notify.front() == "1") { |
3497eb18 | 1001 | Communicator.notifyDomain(di.zone, &B); |
4c5b6925 KM |
1002 | } |
1003 | } | |
1004 | ||
e6a9dde5 | 1005 | g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl; |
dce6b818 RA |
1006 | } else { |
1007 | //No change, no commit, we perform abort() because some backends might like this more. | |
e6a9dde5 | 1008 | g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl; |
dce6b818 RA |
1009 | di.backend->abortTransaction(); |
1010 | } | |
0bb68041 RA |
1011 | return RCode::NoError; //rfc 2136 3.4.2.5 |
1012 | } | |
1013 | catch (SSqlException &e) { | |
e6a9dde5 | 1014 | g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl; |
0bb68041 RA |
1015 | di.backend->abortTransaction(); |
1016 | return RCode::ServFail; | |
f1b59a55 | 1017 | } |
ee9ef8f2 | 1018 | catch (DBException &e) { |
e6a9dde5 | 1019 | g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl; |
ee9ef8f2 RA |
1020 | di.backend->abortTransaction(); |
1021 | return RCode::ServFail; | |
1022 | } | |
05ff9dab | 1023 | catch (PDNSException &e) { |
e6a9dde5 | 1024 | g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl; |
f1b59a55 RA |
1025 | di.backend->abortTransaction(); |
1026 | return RCode::ServFail; | |
1027 | } | |
28b66a94 | 1028 | catch(std::exception &e) { |
e6a9dde5 | 1029 | g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl; |
28b66a94 KM |
1030 | di.backend->abortTransaction(); |
1031 | return RCode::ServFail; | |
1032 | } | |
f1b59a55 | 1033 | catch (...) { |
e6a9dde5 | 1034 | g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl; |
f1b59a55 RA |
1035 | di.backend->abortTransaction(); |
1036 | return RCode::ServFail; | |
1037 | } | |
f1b59a55 RA |
1038 | } |
1039 | ||
b163cc0e | 1040 | void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) { |
13f9e280 | 1041 | SOAData sd; |
76e1255a | 1042 | if (!di->backend->getSOA(di->zone, sd)) { |
05ff9dab | 1043 | throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie."); |
f1b59a55 | 1044 | } |
f1b59a55 | 1045 | |
13f9e280 | 1046 | uint32_t oldSerial = sd.serial; |
e31f9680 | 1047 | |
f1b59a55 | 1048 | vector<string> soaEdit2136Setting; |
71f758e0 | 1049 | B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting); |
f1b59a55 RA |
1050 | string soaEdit2136 = "DEFAULT"; |
1051 | string soaEdit; | |
1052 | if (!soaEdit2136Setting.empty()) { | |
1053 | soaEdit2136 = soaEdit2136Setting[0]; | |
1054 | if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){ | |
f1b59a55 | 1055 | if (soaEditSetting.empty()) { |
3f4073ec | 1056 | g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl; |
f1b59a55 RA |
1057 | soaEdit2136 = "DEFAULT"; |
1058 | } else | |
4192773a | 1059 | soaEdit = soaEditSetting; |
f1b59a55 RA |
1060 | } |
1061 | } | |
1062 | ||
13f9e280 CH |
1063 | DNSResourceRecord rr; |
1064 | if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) { | |
1065 | di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr)); | |
e6a9dde5 | 1066 | g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl; |
13f9e280 CH |
1067 | |
1068 | //Correct ordername + auth flag | |
1069 | if (haveNSEC3) { | |
1070 | DNSName ordername; | |
1071 | if (!narrow) | |
1072 | ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname))); | |
1073 | ||
1074 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true); | |
1075 | } else { // NSEC | |
1076 | DNSName ordername = rr.qname.makeRelative(di->zone); | |
1077 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true); | |
1078 | } | |
166ac305 | 1079 | } |
166ac305 | 1080 | } |