]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/rfc2136handler.cc
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
rec: mention rust compiler in compiling docs
[thirdparty/pdns.git] / pdns / rfc2136handler.cc
CommitLineData
d040cb86 1#include "dnswriter.hh"
870a0fe4
AT		 2#ifdef HAVE_CONFIG_H
3#include "config.h"
4#endif
f1b59a55
RA		 5#include "packethandler.hh"
6#include "qtype.hh"
7#include "dnspacket.hh"
bf269e28
RG		 8#include "auth-caches.hh"
9#include "statbag.hh"
f1b59a55
RA		 10#include "dnsseckeeper.hh"
11#include "base64.hh"
12#include "base32.hh"
fa8fd4d2 13
f1b59a55
RA		 14#include "misc.hh"
15#include "arguments.hh"
b3148887
RA		 16#include "resolver.hh"
17#include "dns_random.hh"
7facf345 18#include "backends/gsql/ssql.hh"
4c5b6925 19#include "communicator.hh"
20829585 20#include "query-local-address.hh"
15e39ee4 21#include "gss_context.hh"
fd7bbdb7 22#include "auth-main.hh"
f1b59a55 23
276a5ce7 24extern StatBag S;
4c5b6925 25extern CommunicatorClass Communicator;
f1b59a55 26
0ddde5fb 27std::mutex PacketHandler::s_rfc2136lock;
ee9ef8f2 28
f1b59a55
RA		 29// Implement section 3.2.1 and 3.2.2 of RFC2136
30int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {
31 if (rr->d_ttl != 0)
32 return RCode::FormErr;
33
34 // 3.2.1 and 3.2.2 check content length.
35 if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)
36 return RCode::FormErr;
37
f1b59a55
RA		 38 bool foundRecord=false;
39 DNSResourceRecord rec;
acb61e0a 40 di->backend->lookup(QType(QType::ANY), rr->d_name, di->id);
f1b59a55
RA		 41 while(di->backend->get(rec)) {
42 if (!rec.qtype.getCode())
43 continue;
44 if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)
45 foundRecord=true;
46 }
47
914353ca
KM		 48 // Section 3.2.1
49 if (rr->d_class == QClass::ANY && !foundRecord) {
50 if (rr->d_type == QType::ANY)
f1b59a55
RA		 51 return RCode::NXDomain;
52 if (rr->d_type != QType::ANY)
53 return RCode::NXRRSet;
914353ca 54 }
f1b59a55
RA		 55
56 // Section 3.2.2
57 if (rr->d_class == QClass::NONE && foundRecord) {
58 if (rr->d_type == QType::ANY)
59 return RCode::YXDomain;
60 if (rr->d_type != QType::ANY)
61 return RCode::YXRRSet;
62 }
63
64 return RCode::NoError;
65}
66
67
68// Method implements section 3.4.1 of RFC2136
69int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {
70 // The RFC stats that d_class != ZCLASS, but we only support the IN class.
2e63e431 71 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) {
f1b59a55 72 return RCode::FormErr;
2e63e431 73 }
f1b59a55
RA		 74
75 QType qtype = QType(rr->d_type);
76
2e63e431 77 if (!qtype.isSupportedType()) {
f1b59a55 78 return RCode::FormErr;
2e63e431 79 }
f1b59a55 80
2e63e431 81 if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) {
f1b59a55 82 return RCode::FormErr;
2e63e431 83 }
f1b59a55 84
2e63e431 85 if (rr->d_class == QClass::ANY && rr->d_clen != 0) {
f1b59a55 86 return RCode::FormErr;
2e63e431 87 }
914353ca 88
2e63e431
RG		 89 if (qtype.isMetadataType()) {
90 return RCode::FormErr;
91 }
f1b59a55 92
2e63e431 93 if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) {
f1b59a55 94 return RCode::FormErr;
2e63e431 95 }
f1b59a55
RA		 96
97 return RCode::NoError;
98}
99
6a323f63 100
f1b59a55 101// Implements section 3.4.2 of RFC2136
d0d273cf 102uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {
968de8d0 103
dff32e09
RA		 104 QType rrType = QType(rr->d_type);
105
dff32e09 106 if (rrType == QType::NSEC || rrType == QType::NSEC3) {
d5fcd583 107 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<". These are generated records, ignoring!"<<endl;
914353ca 108 return 0;
dff32e09
RA		 109 }
110
959e72e3 111 if (!isPresigned && rrType == QType::RRSIG) {
d5fcd583 112 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<" in non-presigned zone, ignoring!"<<endl;
dff32e09
RA		 113 return 0;
114 }
115
f809c028 116 if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) {
d5fcd583 117 g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<", "<<rrType.toString()<<" must be at zone apex, ignoring!"<<endl;
dff32e09
RA		 118 return 0;
119 }
120
968de8d0 121
d0d273cf 122 uint changedRecords = 0;
6a323f63
RA		 123 DNSResourceRecord rec;
124 vector<DNSResourceRecord> rrset, recordsToDelete;
675fa24c 125 set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.
6a323f63 126
f1b59a55 127
6a323f63 128 if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update
d5fcd583 129 DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.toString()<<endl);
f1b59a55 130
dff32e09 131 if (rrType == QType::NSEC3PARAM) {
e6a9dde5 132 g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;
f858f843 133
d06dcda4 134 *ns3pr = NSEC3PARAMRecordContent(rr->getContent()->getZoneRepresentation(), di->zone);
f858f843 135 *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
b163cc0e
KM		 136 d_dk.setNSEC3PARAM(di->zone, *ns3pr, (*narrow));
137 *haveNSEC3 = true;
f858f843 138
adf1a785
KM		 139 string error;
140 string info;
141 if (!d_dk.rectifyZone(di->zone, error, info, false)) {
142 throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);
dff32e09
RA		 143 }
144 return 1;
145 }
146
f858f843
RA		 147
148
6a323f63 149 bool foundRecord = false;
acb61e0a 150 di->backend->lookup(rrType, rr->d_name, di->id);
f1b59a55 151 while (di->backend->get(rec)) {
dff32e09
RA		 152 rrset.push_back(rec);
153 foundRecord = true;
6a323f63 154 }
914353ca 155
6a323f63 156 if (foundRecord) {
73174643 157
dff32e09 158 if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current
f1b59a55 159 SOAData sdOld, sdUpdate;
6a323f63
RA		 160 DNSResourceRecord *oldRec = &rrset.front();
161 fillSOAData(oldRec->content, sdOld);
d06dcda4 162 oldRec->setContent(rr->getContent()->getZoneRepresentation());
6a323f63 163 fillSOAData(oldRec->content, sdUpdate);
f1b59a55 164 if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {
6a323f63 165 di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);
f1b59a55 166 *updatedSerial = true;
f5059bd3 167 changedRecords++;
c712ec02 168 g_log<<Logger::Notice<<msgPrefix<<"Replacing SOA record "<<rr->d_name<<"|"<<rrType.toString()<<endl;
73174643 169 } else {
e6a9dde5 170 g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;
73174643 171 }
6a323f63
RA		 172
173 // It's not possible to have multiple CNAME's with the same NAME. So we always update.
174 } else if (rrType == QType::CNAME) {
73174643 175 int changedCNames = 0;
cb167afd 176 for (auto& i : rrset) {
d06dcda4 177 if (i.ttl != rr->d_ttl || i.content != rr->getContent()->getZoneRepresentation()) {
cb167afd 178 i.ttl = rr->d_ttl;
d06dcda4 179 i.setContent(rr->getContent()->getZoneRepresentation());
73174643
RA		 180 changedCNames++;
181 }
182 }
183 if (changedCNames > 0) {
f809c028 184 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
c712ec02 185 g_log<<Logger::Notice<<msgPrefix<<"Replacing CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<endl;
73174643
RA		 186 changedRecords += changedCNames;
187 } else {
c712ec02 188 g_log<<Logger::Notice<<msgPrefix<<"Replace for CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;
f1b59a55 189 }
6a323f63 190
518fc317 191 // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL)
6a323f63 192 } else {
73174643 193 int updateTTL=0;
6a323f63 194 foundRecord = false;
bcdf6537
PD		 195 bool lowerCase = false;
196 if (rrType.getCode() == QType::PTR ||
197 rrType.getCode() == QType::MX ||
198 rrType.getCode() == QType::SRV) {
199 lowerCase = true;
200 }
d06dcda4 201 string content = rr->getContent()->getZoneRepresentation();
bcdf6537 202 if (lowerCase) content = toLower(content);
cb167afd 203 for (auto& i : rrset) {
bcdf6537
PD		 204 string icontent = i.getZoneRepresentation();
205 if (lowerCase) icontent = toLower(icontent);
a7258792
PD		 206 if (rrType == i.qtype.getCode()) {
207 if (icontent == content) {
208 foundRecord=true;
209 }
cb167afd
CHB		 210 if (i.ttl != rr->d_ttl) {
211 i.ttl = rr->d_ttl;
73174643
RA		 212 updateTTL++;
213 }
6a323f63
RA		 214 }
215 }
73174643 216 if (updateTTL > 0) {
f809c028 217 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
a7258792 218 g_log<<Logger::Notice<<msgPrefix<<"Updating TTLs for "<<rr->d_name<<"|"<<rrType.toString()<<endl;
73174643
RA		 219 changedRecords += updateTTL;
220 } else {
a7258792 221 g_log<<Logger::Notice<<msgPrefix<<"Replace for recordset "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;
7facf345 222 }
f1b59a55 223 }
6e42cac2 224
73174643 225 // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.
6e42cac2 226 // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.
73174643
RA		 227 if (changedRecords > 0) {
228 bool auth = rrset.front().auth;
229
230 if(*haveNSEC3) {
8de4e1d7 231 DNSName ordername;
73174643 232 if(! *narrow)
96e63d77 233 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
73174643
RA		 234
235 if (*narrow)
96e63d77 236 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
73174643 237 else
96e63d77 238 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
73174643 239 if(!auth || rrType == QType::DS) {
96e63d77
KM		 240 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
241 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
242 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 243 }
6e42cac2 244
73174643 245 } else { // NSEC
96e63d77 246 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
73174643 247 if(!auth || rrType == QType::DS) {
96e63d77
KM		 248 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
249 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 250 }
6e42cac2
RA		 251 }
252 }
253
254 } // if (foundRecord)
f1b59a55 255
6a323f63 256 // If we haven't found a record that matches, we must add it.
f1b59a55 257 if (! foundRecord) {
d5fcd583 258 g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.toString()<<endl;
f809c028 259 delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.
4950b140 260 auto newRec = DNSResourceRecord::fromWire(*rr);
f1b59a55 261 newRec.domain_id = di->id;
f809c028 262 newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS);
c9b43446 263 di->backend->feedRecord(newRec, DNSName());
b0704e0d 264 changedRecords++;
6a323f63
RA		 265
266
267 // because we added a record, we need to fix DNSSEC data.
f809c028 268 DNSName shorter(rr->d_name);
163cb726 269 bool auth=newRec.auth;
6a82ce4a 270 bool fixDS = (rrType == QType::DS);
f1b59a55 271
8de4e1d7 272 if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's
e70f2627 273 do {
6a82ce4a 274
8de4e1d7 275 if (di->zone == shorter)
f1b59a55 276 break;
914353ca 277
f1b59a55 278 bool foundShorter = false;
acb61e0a 279 di->backend->lookup(QType(QType::ANY), shorter, di->id);
f1b59a55 280 while (di->backend->get(rec)) {
f809c028 281 if (rec.qname == rr->d_name && rec.qtype == QType::DS)
6a82ce4a 282 fixDS = true;
f809c028 283 if (shorter != rr->d_name)
e70f2627 284 foundShorter = true;
163cb726 285 if (rec.qtype == QType::NS) // are we inserting below a delegate?
f1b59a55
RA		 286 auth=false;
287 }
6a82ce4a 288
f809c028 289 if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT.
f1b59a55 290 insnonterm.insert(shorter);
e70f2627 291 if (foundShorter)
a95f897d 292 break; // if we find a shorter record, we can stop searching
675fa24c 293 } while(shorter.chopOff());
f1b59a55
RA		 294 }
295
dff32e09 296 if(*haveNSEC3)
f1b59a55 297 {
8de4e1d7 298 DNSName ordername;
914353ca 299 if(! *narrow)
96e63d77 300 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
914353ca 301
e70f2627 302 if (*narrow)
96e63d77 303 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
e70f2627 304 else
96e63d77 305 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
e70f2627 306
6a82ce4a 307 if (fixDS)
96e63d77 308 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a 309
929eee6b 310 if(!auth)
f1b59a55 311 {
914353ca 312 if (ns3pr->d_flags)
96e63d77
KM		 313 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
314 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
315 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 316 }
317 }
318 else // NSEC
319 {
96e63d77
KM		 320 DNSName ordername=rr->d_name.makeRelative(di->zone);
321 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
6a82ce4a 322 if (fixDS) {
96e63d77 323 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a
RA		 324 }
325 if(!auth) {
96e63d77
KM		 326 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
327 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 328 }
329 }
6a323f63
RA		 330
331
f1b59a55 332 // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.
f809c028 333 // Auth can only be false when the rr->d_name is not the zone
6a323f63 334 if (auth == false && rrType == QType::NS) {
e6a9dde5 335 DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);
6a82ce4a 336 insnonterm.clear(); // No ENT's are needed below delegates (auth=0)
561434a6 337 vector<DNSName> qnames;
f809c028 338 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 339 while(di->backend->get(rec)) {
f809c028 340 if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.
f1b59a55
RA		 341 qnames.push_back(rec.qname);
342 }
d7f67000 343 for(const auto & qname : qnames) {
dff32e09 344 if(*haveNSEC3) {
8de4e1d7 345 DNSName ordername;
914353ca 346 if(! *narrow)
d7f67000 347 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
914353ca 348
6a82ce4a 349 if (*narrow)
d7f67000 350 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth);
6a82ce4a 351 else
d7f67000 352 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth);
6a82ce4a 353
be40c2df 354 if (ns3pr->d_flags)
d7f67000 355 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS);
96e63d77
KM		 356 }
357 else { // NSEC
d7f67000
RP		 358 DNSName ordername=DNSName(qname).makeRelative(di->zone);
359 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS);
f1b59a55 360 }
f1b59a55 361
d7f67000
RP		 362 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
363 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
f1b59a55
RA		 364 }
365 }
f1b59a55
RA		 366 }
367 } // rr->d_class == QClass::IN
368
914353ca 369
6a323f63
RA		 370 // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by
371 // the code that calls this performUpdate().
372 if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.
d5fcd583 373 DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.toString()<<endl);
dff32e09
RA		 374
375 if (rrType == QType::NSEC3PARAM) {
e6a9dde5 376 g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;
dff32e09 377 if (rr->d_class == QClass::ANY)
f809c028 378 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09 379 else if (rr->d_class == QClass::NONE) {
d06dcda4 380 NSEC3PARAMRecordContent nsec3rr(rr->getContent()->getZoneRepresentation(), di->zone);
b163cc0e 381 if (*haveNSEC3 && ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
f809c028 382 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09
RA		 383 else
384 return 0;
914353ca 385 } else
dff32e09
RA		 386 return 0;
387
b163cc0e
KM		 388 // Update NSEC3 variables, other RR's in this update package might need them as well.
389 *haveNSEC3 = false;
390 *narrow = false;
e3dc2b56 391
adf1a785
KM		 392 string error;
393 string info;
394 if (!d_dk.rectifyZone(di->zone, error, info, false)) {
395 throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);
dff32e09
RA		 396 }
397 return 1;
589563c0 398 } // end of NSEC3PARAM delete block
dff32e09
RA		 399
400
acb61e0a 401 di->backend->lookup(rrType, rr->d_name, di->id);
6a323f63
RA		 402 while(di->backend->get(rec)) {
403 if (rr->d_class == QClass::ANY) { // 3.4.2.3
404 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's
405 rrset.push_back(rec);
406 else
f1b59a55
RA		 407 recordsToDelete.push_back(rec);
408 }
6a323f63 409 if (rr->d_class == QClass::NONE) { // 3.4.2.4
d040cb86
PD		 410 auto repr = rec.getZoneRepresentation();
411 if (rec.qtype == QType::TXT) {
412 DLOG(g_log<<msgPrefix<<"Adjusting TXT content from ["<<repr<<"]"<<endl);
d525b58b 413 auto drc = DNSRecordContent::make(rec.qtype.getCode(), QClass::IN, repr);
d040cb86
PD		 414 auto ser = drc->serialize(rec.qname, true, true);
415 auto rc = DNSRecordContent::deserialize(rec.qname, rec.qtype.getCode(), ser);
416 repr = rc->getZoneRepresentation(true);
417 DLOG(g_log<<msgPrefix<<"Adjusted TXT content to ["<<repr<<"]"<<endl);
418 }
d06dcda4
RG		 419 DLOG(g_log<<msgPrefix<<"Matching RR in RRset - (adjusted) representation from request=["<<repr<<"], rr->getContent()->getZoneRepresentation()=["<<rr->getContent()->getZoneRepresentation()<<"]"<<endl);
420 if (rrType == rec.qtype && repr == rr->getContent()->getZoneRepresentation())
6a323f63
RA		 421 recordsToDelete.push_back(rec);
422 else
423 rrset.push_back(rec);
424 }
f1b59a55 425 }
589563c0
RA		 426
427 if (recordsToDelete.size()) {
f809c028 428 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
d5fcd583 429 g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.toString()<<endl;
589563c0 430 changedRecords += recordsToDelete.size();
f1b59a55 431
f1b59a55 432
589563c0 433 // If we've removed a delegate, we need to reset ordername/auth for some records.
f809c028 434 if (rrType == QType::NS && rr->d_name != di->zone) {
675fa24c 435 vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;
f809c028 436 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 437 while (di->backend->get(rec)) {
7a0a9f8a 438 if (rec.qtype.getCode()) // skip ENT records, they are always auth=false
a95f897d 439 belowOldDelegate.push_back(rec.qname);
f809c028 440 if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)
a95f897d 441 nsRecs.push_back(rec.qname);
f1b59a55 442 }
a95f897d 443
675fa24c 444 for(auto &belowOldDel: belowOldDelegate)
a95f897d
RA		 445 {
446 bool isBelowDelegate = false;
561434a6
PD		 447 for(const auto & ns: nsRecs) {
448 if (ns.isPartOf(belowOldDel)) {
a95f897d
RA		 449 isBelowDelegate=true;
450 break;
451 }
452 }
453 if (!isBelowDelegate)
561434a6 454 updateAuthFlag.push_back(belowOldDel);
a95f897d
RA		 455 }
456
561434a6 457 for (const auto &changeRec:updateAuthFlag) {
dff32e09 458 if(*haveNSEC3) {
8de4e1d7 459 DNSName ordername;
914353ca 460 if(! *narrow)
96e63d77 461 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
914353ca 462
96e63d77
KM		 463 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
464 }
465 else { // NSEC
466 DNSName ordername=changeRec.makeRelative(di->zone);
467 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
f1b59a55 468 }
f1b59a55
RA		 469 }
470 }
f1b59a55 471
6a323f63
RA		 472 // Fix ENT records.
473 // We must check if we have a record below the current level and if we removed the 'last' record
474 // on that level. If so, we must insert an ENT record.
fdf983eb 475 // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.
9353d244 476 bool foundDeeper = false, foundOtherWithSameName = false;
f809c028 477 di->backend->listSubZone(rr->d_name, di->id);
6a323f63 478 while (di->backend->get(rec)) {
f809c028 479 if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))
9353d244 480 foundOtherWithSameName = true;
f809c028 481 if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT
6a323f63
RA		 482 foundDeeper = true;
483 }
f1b59a55 484
9353d244 485 if (foundDeeper && !foundOtherWithSameName) {
f809c028 486 insnonterm.insert(rr->d_name);
9353d244 487 } else if (!foundOtherWithSameName) {
6a323f63
RA		 488 // If we didn't have to insert an ENT, we might have deleted a record at very deep level
489 // and we must then clean up the ENT's above the deleted record.
f809c028 490 DNSName shorter(rr->d_name);
9353d244 491 while (shorter != di->zone) {
675fa24c 492 shorter.chopOff();
9353d244 493 bool foundRealRR = false;
a95f897d 494 bool foundEnt = false;
9353d244
RA		 495
496 // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch
6a323f63 497 // consider these non ENT-records:
9353d244
RA		 498 // b.c.d.e.test.com
499 // b.d.e.test.com
500 // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.
6a323f63
RA		 501 // At that point we can stop deleting ENT's because the tree is in tact again.
502 di->backend->listSubZone(shorter, di->id);
914353ca 503
9353d244
RA		 504 while (di->backend->get(rec)) {
505 if (rec.qtype.getCode())
506 foundRealRR = true;
a95f897d
RA		 507 else
508 foundEnt = true;
9353d244 509 }
3ab4cfca 510 if (!foundRealRR) {
a95f897d
RA		 511 if (foundEnt) // only delete the ENT if we actually found one.
512 delnonterm.insert(shorter);
3ab4cfca 513 } else
9353d244
RA		 514 break;
515 }
6a323f63 516 }
589563c0 517 } else { // if (recordsToDelete.size())
d5fcd583 518 g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but not found."<<endl;
f1b59a55 519 }
589563c0
RA		 520 } // (End of delete block d_class == ANY || d_class == NONE
521
f1b59a55 522
6a323f63
RA		 523
524 //Insert and delete ENT's
525 if (insnonterm.size() > 0 || delnonterm.size() > 0) {
e6a9dde5 526 DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);
96e63d77 527 di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);
561434a6 528 for (const auto &i: insnonterm) {
6a323f63 529 string hashed;
8de4e1d7 530 if(*haveNSEC3)
6a323f63 531 {
8de4e1d7 532 DNSName ordername;
914353ca 533 if(! *narrow)
96e63d77
KM		 534 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
535 di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
f1b59a55
RA		 536 }
537 }
538 }
539
589563c0 540 return changedRecords;
f1b59a55
RA		 541}
542
c2826d2e 543int PacketHandler::forwardPacket(const string &msgPrefix, const DNSPacket& p, const DomainInfo& di) {
e174b255 544 vector<string> forward;
c2826d2e 545 B.getDomainMetadata(p.qdomain, "FORWARD-DNSUPDATE", forward);
e174b255 546
71f758e0 547 if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {
d525b58b 548 g_log << Logger::Notice << msgPrefix << "Not configured to forward to primary, returning Refused." << endl;
d8293c79 549 return RCode::Refused;
e174b255
RA		 550 }
551
d525b58b
KM		 552 for (const auto& remote : di.primaries) {
553 g_log << Logger::Notice << msgPrefix << "Forwarding packet to primary " << remote << endl;
b3148887 554
20829585 555 if (!pdns::isQueryLocalAddressFamilyEnabled(remote.sin4.sin_family)) {
9d36589a
PL		 556 continue;
557 }
20829585 558 auto local = pdns::getQueryLocalAddress(remote.sin4.sin_family, 0);
b3148887 559 int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.
34c513f9 560 if(sock < 0) {
e6a9dde5 561 g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;
34c513f9
RG		 562 continue;
563 }
b3148887
RA		 564
565 if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {
e6a9dde5 566 g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;
a7b68ae7
RG		 567 try {
568 closesocket(sock);
569 }
570 catch(const PDNSException& e) {
d525b58b 571 g_log << Logger::Error << "Error closing primary forwarding socket after connect() failed: " << e.reason << endl;
a7b68ae7 572 }
b3148887
RA		 573 continue;
574 }
575
02abfb19
AT		 576 DNSPacket l_forwardPacket(p);
577 l_forwardPacket.setID(dns_random_uint16());
578 l_forwardPacket.setRemote(&remote);
579 uint16_t len=htons(l_forwardPacket.getString().length());
b3148887 580 string buffer((const char*)&len, 2);
02abfb19 581 buffer.append(l_forwardPacket.getString());
914353ca 582 if(write(sock, buffer.c_str(), buffer.length()) < 0) {
e6a9dde5 583 g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 584 try {
585 closesocket(sock);
586 }
587 catch(const PDNSException& e) {
d525b58b 588 g_log << Logger::Error << "Error closing primary forwarding socket after write() failed: " << e.reason << endl;
a7b68ae7 589 }
b3148887
RA		 590 continue;
591 }
592
593 int res = waitForData(sock, 10, 0);
594 if (!res) {
d525b58b 595 g_log << Logger::Error << msgPrefix << "Timeout waiting for reply from primary at " << remote.toStringWithPort() << endl;
a7b68ae7
RG		 596 try {
597 closesocket(sock);
598 }
599 catch(const PDNSException& e) {
d525b58b 600 g_log << Logger::Error << "Error closing primary forwarding socket after a timeout occurred: " << e.reason << endl;
a7b68ae7 601 }
b3148887
RA		 602 continue;
603 }
604 if (res < 0) {
d525b58b 605 g_log << Logger::Error << msgPrefix << "Error waiting for answer from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;
a7b68ae7
RG		 606 try {
607 closesocket(sock);
608 }
609 catch(const PDNSException& e) {
d525b58b 610 g_log << Logger::Error << "Error closing primary forwarding socket after an error occurred: " << e.reason << endl;
a7b68ae7 611 }
b3148887
RA		 612 continue;
613 }
614
f6a81077
RG		 615 unsigned char lenBuf[2];
616 ssize_t recvRes;
b3148887 617 recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);
f6a81077 618 if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) {
d525b58b 619 g_log << Logger::Error << msgPrefix << "Could not receive data (length) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;
a7b68ae7
RG		 620 try {
621 closesocket(sock);
622 }
623 catch(const PDNSException& e) {
d525b58b 624 g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;
a7b68ae7 625 }
b3148887
RA		 626 continue;
627 }
f6a81077 628 size_t packetLen = lenBuf[0]*256+lenBuf[1];
b3148887 629
2c001eb6
RG		 630 buffer.resize(packetLen);
631 recvRes = recv(sock, &buffer.at(0), packetLen, 0);
b3148887 632 if (recvRes < 0) {
d525b58b 633 g_log << Logger::Error << msgPrefix << "Could not receive data (dnspacket) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;
a7b68ae7
RG		 634 try {
635 closesocket(sock);
636 }
637 catch(const PDNSException& e) {
d525b58b 638 g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;
a7b68ae7 639 }
b3148887
RA		 640 continue;
641 }
a7b68ae7
RG		 642 try {
643 closesocket(sock);
644 }
645 catch(const PDNSException& e) {
d525b58b 646 g_log << Logger::Error << "Error closing primary forwarding socket: " << e.reason << endl;
a7b68ae7 647 }
b3148887
RA		 648
649 try {
2c001eb6 650 MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes));
e6a9dde5 651 g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;
b3148887
RA		 652 return mdp.d_header.rcode;
653 }
654 catch (...) {
d525b58b 655 g_log << Logger::Error << msgPrefix << "Failed to parse response packet from primary at " << remote.toStringWithPort() << endl;
b3148887
RA		 656 continue;
657 }
658 }
d525b58b 659 g_log << Logger::Error << msgPrefix << "Failed to forward packet to primary(s). Returning ServFail." << endl;
b3148887
RA		 660 return RCode::ServFail;
661
662}
663
4ec1794d 664int PacketHandler::processUpdate(DNSPacket& packet) { // NOLINT(readability-function-cognitive-complexity)
d07bf7ff 665 if (! ::arg().mustDo("dnsupdate"))
f1b59a55 666 return RCode::Refused;
914353ca 667
4ec1794d 668 string msgPrefix="UPDATE (" + std::to_string(packet.d.id) + ") from " + packet.getRemoteString() + " for " + packet.qdomain.toLogString() + ": ";
e6a9dde5 669 g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
f1b59a55 670
0ecc1158 671 // if there is policy, we delegate all checks to it
4646277d 672 if (this->d_update_policy_lua == nullptr) {
f1b59a55 673
0ecc1158
AT		 674 // Check permissions - IP based
675 vector<string> allowedRanges;
4ec1794d 676 B.getDomainMetadata(packet.qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
0ecc1158
AT		 677 if (! ::arg()["allow-dnsupdate-from"].empty())
678 stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );
f1b59a55 679
0ecc1158 680 NetmaskGroup ng;
cb167afd
CHB		 681 for(const auto& i: allowedRanges) {
682 ng.addMask(i);
683 }
914353ca 684
4ec1794d 685 if ( ! ng.match(packet.getInnerRemote())) {
e6a9dde5 686 g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;
f1b59a55
RA		 687 return RCode::Refused;
688 }
689
0ecc1158
AT		 690
691 // Check permissions - TSIG based.
692 vector<string> tsigKeys;
4ec1794d 693 B.getDomainMetadata(packet.qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
0ecc1158
AT		 694 if (tsigKeys.size() > 0) {
695 bool validKey = false;
696
697 TSIGRecordContent trc;
698 DNSName inputkey;
699 string message;
4ec1794d 700 if (! packet.getTSIGDetails(&trc, &inputkey)) {
e6a9dde5 701 g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
0ecc1158 702 return RCode::Refused;
6917c321 703 }
c113acc3 704#ifdef ENABLE_GSS_TSIG
4ec1794d
PD		 705 if (g_doGssTSIG && packet.d_tsig_algo == TSIG_GSS) {
706 GssName inputname(packet.d_peer_principal); // match against principal since GSS requires that
b08f1315
OM		 707 for(const auto& key: tsigKeys) {
708 if (inputname.match(key)) {
709 validKey = true;
710 break;
711 }
712 }
c113acc3
OM		 713 }
714 else
715#endif
716 {
b08f1315 717 for(const auto& key: tsigKeys) {
5e8d94f1 718 if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.
b08f1315
OM		 719 validKey=true;
720 break;
721 }
6917c321
AT		 722 }
723 }
f1b59a55 724
0ecc1158 725 if (!validKey) {
e6a9dde5 726 g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
0ecc1158
AT		 727 return RCode::Refused;
728 }
006dac60
EE		 729 } else if(::arg().mustDo("dnsupdate-require-tsig")) {
730 g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but domain is not secured with TSIG. Sending REFUSED"<<endl;
731 return RCode::Refused;
f1b59a55 732 }
f1b59a55 733
f831a2e8 734 if (tsigKeys.empty() && packet.d_havetsig) {
e6a9dde5 735 g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
f831a2e8 736 }
0ecc1158
AT		 737
738 }
f1b59a55
RA		 739
740 // RFC2136 uses the same DNS Header and Message as defined in RFC1035.
914353ca 741 // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
f1b59a55 742 // variable names during the use of our MOADNSParser.
4ec1794d 743 MOADNSParser mdp(false, packet.getString());
f1b59a55 744 if (mdp.d_header.qdcount != 1) {
e6a9dde5 745 g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
f1b59a55 746 return RCode::FormErr;
914353ca 747 }
f1b59a55 748
4ec1794d 749 if (packet.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
e6a9dde5 750 g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
f1b59a55
RA		 751 return RCode::FormErr;
752 }
753
4ec1794d 754 if (packet.qclass != QClass::IN) {
e6a9dde5 755 g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
f1b59a55
RA		 756 return RCode::NotAuth;
757 }
758
759 DomainInfo di;
4646277d 760 di.backend=nullptr;
f831a2e8 761 if(!B.getDomainInfo(packet.qdomain, di) || (di.backend == nullptr)) {
4ec1794d 762 g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<packet.qdomain<<"' (or backend does not support DNS update operation)"<<endl;
f1b59a55
RA		 763 return RCode::NotAuth;
764 }
765
c02c999b 766 if (di.kind == DomainInfo::Secondary)
4ec1794d 767 return forwardPacket(msgPrefix, packet, di);
f1b59a55 768
914353ca 769 // Check if all the records provided are within the zone
f80ebc05
O		 770 for(const auto & answer : mdp.d_answers) {
771 const DNSRecord *rr = &answer.first;
f1b59a55 772 // Skip this check for other field types (like the TSIG - which is in the additional section)
dff32e09 773 // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.
e693ff5a 774 if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY))
f1b59a55
RA		 775 continue;
776
f809c028 777 if (!rr->d_name.isPartOf(di.zone)) {
e6a9dde5 778 g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;
f1b59a55
RA		 779 return RCode::NotZone;
780 }
781 }
782
dff32e09 783
0ddde5fb 784 std::lock_guard<std::mutex> l(s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
e6a9dde5 785 g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
4ec1794d
PD		 786 if (!di.backend->startTransaction(packet.qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
787 g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<packet.qdomain<<" does not support transaction. Can't do Update packet."<<endl;
f1b59a55
RA		 788 return RCode::NotImp;
789 }
790
914353ca 791 // 3.2.1 and 3.2.2 - Prerequisite check
f80ebc05
O		 792 for(const auto & answer : mdp.d_answers) {
793 const DNSRecord *rr = &answer.first;
e693ff5a 794 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55
RA		 795 int res = checkUpdatePrerequisites(rr, &di);
796 if (res>0) {
3f4073ec 797 g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check for "<<rr->d_name<<", returning "<<RCode::to_s(res)<<endl;
f1b59a55
RA		 798 di.backend->abortTransaction();
799 return res;
800 }
914353ca 801 }
f1b59a55
RA		 802 }
803
d3f46849 804 // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR.
561434a6 805 typedef pair<DNSName, QType> rrSetKey_t;
f1b59a55
RA		 806 typedef vector<DNSResourceRecord> rrVector_t;
807 typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;
808 RRsetMap_t preReqRRsets;
cb167afd 809 for(const auto& i: mdp.d_answers) {
4950b140 810 const DNSRecord* rr = &i.first;
e693ff5a 811 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55 812 // Last line of 3.2.3
914353ca 813 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
f1b59a55
RA		 814 return RCode::FormErr;
815
816 if (rr->d_class == QClass::IN) {
e32a8d46 817 rrSetKey_t key = {rr->d_name, QType(rr->d_type)};
f1b59a55 818 rrVector_t *vec = &preReqRRsets[key];
4950b140 819 vec->push_back(DNSResourceRecord::fromWire(*rr));
f1b59a55
RA		 820 }
821 }
822 }
823
824 if (preReqRRsets.size() > 0) {
825 RRsetMap_t zoneRRsets;
d7f67000
RP		 826 for (auto & preReqRRset : preReqRRsets) {
827 rrSetKey_t rrSet=preReqRRset.first;
828 rrVector_t *vec = &preReqRRset.second;
f1b59a55
RA		 829
830 DNSResourceRecord rec;
acb61e0a 831 di.backend->lookup(QType(QType::ANY), rrSet.first, di.id);
f1b59a55
RA		 832 uint16_t foundRR=0, matchRR=0;
833 while (di.backend->get(rec)) {
834 if (rec.qtype == rrSet.second) {
835 foundRR++;
d7f67000
RP		 836 for(auto & rrItem : *vec) {
837 rrItem.ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.
838 if (rrItem == rec)
f1b59a55
RA		 839 matchRR++;
840 }
841 }
842 }
843 if (matchRR != foundRR || foundRR != vec->size()) {
e6a9dde5 844 g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl;
f1b59a55
RA		 845 di.backend->abortTransaction();
846 return RCode::NXRRSet;
847 }
848 }
849 }
850
851
852
0bb68041 853 // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.
f1b59a55 854 try {
d0d273cf 855 uint changedRecords = 0;
f1b59a55 856 // 3.4.1 - Prescan section
f80ebc05
O		 857 for(const auto & answer : mdp.d_answers) {
858 const DNSRecord *rr = &answer.first;
e693ff5a 859 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
f1b59a55
RA		 860 int res = checkUpdatePrescan(rr);
861 if (res>0) {
e6a9dde5 862 g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;
f1b59a55
RA		 863 di.backend->abortTransaction();
864 return res;
865 }
866 }
867 }
868
869 bool updatedSerial=false;
870 NSEC3PARAMRecordContent ns3pr;
914353ca 871 bool narrow=false;
f1b59a55 872 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
dff32e09 873 bool isPresigned = d_dk.isPresigned(di.zone);
b163cc0e
KM		 874 string soaEditSetting;
875 d_dk.getSoaEdit(di.zone, soaEditSetting);
f1b59a55 876
f1b59a55
RA		 877 // 3.4.2 - Perform the updates.
878 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
7c696097 879 // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.
f1b59a55 880 vector<const DNSRecord *> nsRRtoDelete;
6f604952
PL		 881
882 // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270)
883 set<DNSName> cn, nocn;
884 for (const auto &rr : mdp.d_answers) {
885 if (rr.first.d_place == DNSResourceRecord::AUTHORITY && rr.first.d_class == QClass::IN && rr.first.d_ttl > 0) {
886 // Addition
887 if (rr.first.d_type == QType::CNAME) {
888 cn.insert(rr.first.d_name);
889 } else if (rr.first.d_type != QType::RRSIG) {
890 nocn.insert(rr.first.d_name);
891 }
892 }
893 }
894 for (auto const &n : cn) {
895 if (nocn.count(n) > 0) {
e6a9dde5 896 g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl;
6f604952
PL		 897 di.backend->abortTransaction();
898 return RCode::FormErr;
899 }
900 }
901
902 vector<const DNSRecord *> cnamesToAdd, nonCnamesToAdd;
f80ebc05
O		 903 for(const auto & answer : mdp.d_answers) {
904 const DNSRecord *rr = &answer.first;
e693ff5a 905 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
0ecc1158 906 /* see if it's permitted by policy */
4646277d 907 if (this->d_update_policy_lua != nullptr) {
f831a2e8 908 if (!this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, packet)) {
d5fcd583 909 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Not permitted by policy"<<endl;
0ecc1158
AT		 910 continue;
911 } else {
d5fcd583 912 g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Permitted by policy"<<endl;
0ecc1158
AT		 913 }
914 }
915
f809c028 916 if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone)
f1b59a55 917 nsRRtoDelete.push_back(rr);
6f604952
PL		 918 else if (rr->d_class == QClass::IN && rr->d_ttl > 0) {
919 if (rr->d_type == QType::CNAME) {
920 cnamesToAdd.push_back(rr);
921 } else {
922 nonCnamesToAdd.push_back(rr);
923 }
924 }
f1b59a55 925 else
d0d273cf 926 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 927 }
928 }
6f604952
PL		 929 for (const auto &rr : cnamesToAdd) {
930 DNSResourceRecord rec;
acb61e0a 931 di.backend->lookup(QType(QType::ANY), rr->d_name, di.id);
6f604952 932 while (di.backend->get(rec)) {
72a6f0d8 933 if (rec.qtype != QType::CNAME && rec.qtype != QType::ENT && rec.qtype != QType::RRSIG) {
e2136c35
PD		 934 // leave database handle in a consistent state
935 while (di.backend->get(rec))
936 ;
d5fcd583 937 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Data other than CNAME exists for the same name"<<endl;
6f604952
PL		 938 di.backend->abortTransaction();
939 return RCode::Refused;
940 }
941 }
942 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
943 }
944 for (const auto &rr : nonCnamesToAdd) {
945 DNSResourceRecord rec;
acb61e0a 946 di.backend->lookup(QType(QType::CNAME), rr->d_name, di.id);
6f604952
PL		 947 while (di.backend->get(rec)) {
948 if (rec.qtype == QType::CNAME && rr->d_type != QType::RRSIG) {
e2136c35
PD		 949 // leave database handle in a consistent state
950 while (di.backend->get(rec))
951 ;
d5fcd583 952 g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": CNAME exists for the same name"<<endl;
6f604952
PL		 953 di.backend->abortTransaction();
954 return RCode::Refused;
955 }
956 }
957 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
958 }
f1b59a55
RA		 959 if (nsRRtoDelete.size()) {
960 vector<DNSResourceRecord> nsRRInZone;
961 DNSResourceRecord rec;
acb61e0a 962 di.backend->lookup(QType(QType::NS), di.zone, di.id);
f1b59a55
RA		 963 while (di.backend->get(rec)) {
964 nsRRInZone.push_back(rec);
965 }
966 if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)
cb167afd
CHB		 967 for (auto& inZone: nsRRInZone) {
968 for (auto& rr: nsRRtoDelete) {
d06dcda4 969 if (inZone.getZoneRepresentation() == (rr)->getContent()->getZoneRepresentation())
cb167afd 970 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 971 }
972 }
973 }
974 }
975
f1b59a55 976 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
d0d273cf 977 if (changedRecords > 0 && !updatedSerial) {
b163cc0e 978 increaseSerial(msgPrefix, &di, soaEditSetting, haveNSEC3, narrow, &ns3pr);
d0d273cf 979 changedRecords++;
890c7124
RA		 980 }
981
d0d273cf 982 if (changedRecords > 0) {
dce6b818 983 if (!di.backend->commitTransaction()) {
e6a9dde5 984 g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;
dce6b818
RA		 985 return RCode::ServFail;
986 }
914353ca 987
71f758e0 988 S.deposit("dnsupdate-changes", changedRecords);
7facf345 989
b163cc0e 990 d_dk.clearMetaCache(di.zone);
dce6b818 991 // Purge the records!
7abbc40f 992 string zone(di.zone.toString());
dce6b818 993 zone.append("$");
bf269e28 994 purgeAuthCaches(zone);
0bb68041 995
c02c999b 996 // Notify secondaries
d525b58b 997 if (di.kind == DomainInfo::Primary) {
4c5b6925 998 vector<string> notify;
4ec1794d 999 B.getDomainMetadata(packet.qdomain, "NOTIFY-DNSUPDATE", notify);
4c5b6925 1000 if (!notify.empty() && notify.front() == "1") {
3497eb18 1001 Communicator.notifyDomain(di.zone, &B);
4c5b6925
KM		 1002 }
1003 }
1004
e6a9dde5 1005 g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;
dce6b818
RA		 1006 } else {
1007 //No change, no commit, we perform abort() because some backends might like this more.
e6a9dde5 1008 g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;
dce6b818
RA		 1009 di.backend->abortTransaction();
1010 }
0bb68041
RA		 1011 return RCode::NoError; //rfc 2136 3.4.2.5
1012 }
1013 catch (SSqlException &e) {
e6a9dde5 1014 g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;
0bb68041
RA		 1015 di.backend->abortTransaction();
1016 return RCode::ServFail;
f1b59a55 1017 }
ee9ef8f2 1018 catch (DBException &e) {
e6a9dde5 1019 g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;
ee9ef8f2
RA		 1020 di.backend->abortTransaction();
1021 return RCode::ServFail;
1022 }
05ff9dab 1023 catch (PDNSException &e) {
e6a9dde5 1024 g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;
f1b59a55
RA		 1025 di.backend->abortTransaction();
1026 return RCode::ServFail;
1027 }
28b66a94 1028 catch(std::exception &e) {
e6a9dde5 1029 g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
28b66a94
KM		 1030 di.backend->abortTransaction();
1031 return RCode::ServFail;
1032 }
f1b59a55 1033 catch (...) {
e6a9dde5 1034 g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
f1b59a55
RA		 1035 di.backend->abortTransaction();
1036 return RCode::ServFail;
1037 }
f1b59a55
RA		 1038}
1039
b163cc0e 1040void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
13f9e280 1041 SOAData sd;
76e1255a 1042 if (!di->backend->getSOA(di->zone, sd)) {
05ff9dab 1043 throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");
f1b59a55 1044 }
f1b59a55 1045
13f9e280 1046 uint32_t oldSerial = sd.serial;
e31f9680 1047
f1b59a55 1048 vector<string> soaEdit2136Setting;
71f758e0 1049 B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);
f1b59a55
RA		 1050 string soaEdit2136 = "DEFAULT";
1051 string soaEdit;
1052 if (!soaEdit2136Setting.empty()) {
1053 soaEdit2136 = soaEdit2136Setting[0];
1054 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
f1b59a55 1055 if (soaEditSetting.empty()) {
3f4073ec 1056 g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;
f1b59a55
RA		 1057 soaEdit2136 = "DEFAULT";
1058 } else
4192773a 1059 soaEdit = soaEditSetting;
f1b59a55
RA		 1060 }
1061 }
1062
13f9e280
CH		 1063 DNSResourceRecord rr;
1064 if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) {
1065 di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr));
e6a9dde5 1066 g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;
13f9e280
CH		 1067
1068 //Correct ordername + auth flag
1069 if (haveNSEC3) {
1070 DNSName ordername;
1071 if (!narrow)
1072 ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));
1073
1074 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
1075 } else { // NSEC
1076 DNSName ordername = rr.qname.makeRelative(di->zone);
1077 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
1078 }
166ac305 1079 }
166ac305 1080}
Unnamed repository; edit this file 'description' to name the repository.