]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/rfc2136handler.cc
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
spelling: distinguishing
[thirdparty/pdns.git] / pdns / rfc2136handler.cc
CommitLineData
870a0fe4
AT		 1#ifdef HAVE_CONFIG_H
2#include "config.h"
3#endif
f1b59a55
RA		 4#include "packethandler.hh"
5#include "qtype.hh"
6#include "dnspacket.hh"
7#include "packetcache.hh"
8#include "dnsseckeeper.hh"
9#include "base64.hh"
10#include "base32.hh"
fa8fd4d2 11
f1b59a55
RA		 12#include "misc.hh"
13#include "arguments.hh"
b3148887
RA		 14#include "resolver.hh"
15#include "dns_random.hh"
7facf345 16#include "backends/gsql/ssql.hh"
f1b59a55
RA		 17
18extern PacketCache PC;
276a5ce7 19extern StatBag S;
f1b59a55 20
ee9ef8f2
RA		 21pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER;
22
f1b59a55
RA		 23// Implement section 3.2.1 and 3.2.2 of RFC2136
24int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {
25 if (rr->d_ttl != 0)
26 return RCode::FormErr;
27
28 // 3.2.1 and 3.2.2 check content length.
29 if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)
30 return RCode::FormErr;
31
f1b59a55
RA		 32 bool foundRecord=false;
33 DNSResourceRecord rec;
f809c028 34 di->backend->lookup(QType(QType::ANY), rr->d_name);
f1b59a55
RA		 35 while(di->backend->get(rec)) {
36 if (!rec.qtype.getCode())
37 continue;
38 if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)
39 foundRecord=true;
40 }
41
914353ca
KM		 42 // Section 3.2.1
43 if (rr->d_class == QClass::ANY && !foundRecord) {
44 if (rr->d_type == QType::ANY)
f1b59a55
RA		 45 return RCode::NXDomain;
46 if (rr->d_type != QType::ANY)
47 return RCode::NXRRSet;
914353ca 48 }
f1b59a55
RA		 49
50 // Section 3.2.2
51 if (rr->d_class == QClass::NONE && foundRecord) {
52 if (rr->d_type == QType::ANY)
53 return RCode::YXDomain;
54 if (rr->d_type != QType::ANY)
55 return RCode::YXRRSet;
56 }
57
58 return RCode::NoError;
59}
60
61
62// Method implements section 3.4.1 of RFC2136
63int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {
64 // The RFC stats that d_class != ZCLASS, but we only support the IN class.
914353ca 65 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
f1b59a55
RA		 66 return RCode::FormErr;
67
68 QType qtype = QType(rr->d_type);
69
70 if (! qtype.isSupportedType())
71 return RCode::FormErr;
72
73 if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0)
74 return RCode::FormErr;
75
76 if (rr->d_class == QClass::ANY && rr->d_clen != 0)
77 return RCode::FormErr;
914353ca 78
f1b59a55
RA		 79 if (qtype.isMetadataType())
80 return RCode::FormErr;
81
82 if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY)
83 return RCode::FormErr;
84
85 return RCode::NoError;
86}
87
6a323f63 88
f1b59a55 89// Implements section 3.4.2 of RFC2136
d0d273cf 90uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {
968de8d0 91
dff32e09
RA		 92 QType rrType = QType(rr->d_type);
93
dff32e09 94 if (rrType == QType::NSEC || rrType == QType::NSEC3) {
f809c028 95 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl;
914353ca 96 return 0;
dff32e09
RA		 97 }
98
cc8df07f 99 if (!isPresigned && ((!::arg().mustDo("direct-dnskey") && rrType == QType::DNSKEY) || rrType == QType::RRSIG)) {
f809c028 100 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl;
dff32e09
RA		 101 return 0;
102 }
103
f809c028 104 if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) {
105 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<", "<<rrType.getName()<<" must be at zone apex, ignoring!"<<endl;
dff32e09
RA		 106 return 0;
107 }
108
968de8d0 109
d0d273cf 110 uint changedRecords = 0;
6a323f63
RA		 111 DNSResourceRecord rec;
112 vector<DNSResourceRecord> rrset, recordsToDelete;
675fa24c 113 set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.
6a323f63 114
f1b59a55 115
6a323f63 116 if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update
f809c028 117 DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.getName()<<endl);
f1b59a55 118
dff32e09 119 if (rrType == QType::NSEC3PARAM) {
8c9bde70 120 L<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;
f858f843 121
3343ad1f 122 NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
f858f843 123 *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
dff32e09 124 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
8c9bde70
KM		 125
126 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
f858f843 127
dff32e09 128 vector<DNSResourceRecord> rrs;
561434a6 129 set<DNSName> qnames, nssets, dssets;
f858f843 130 di->backend->list(di->zone, di->id);
dff32e09 131 while (di->backend->get(rec)) {
8c9bde70 132 qnames.insert(rec.qname);
8de4e1d7 133 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
8c9bde70
KM		 134 nssets.insert(rec.qname);
135 if(rec.qtype.getCode() == QType::DS)
136 dssets.insert(rec.qname);
dff32e09 137 }
f858f843 138
561434a6 139 DNSName shorter;
561434a6 140 for(const auto& qname: qnames) {
8c9bde70
KM		 141 shorter = qname;
142 int ddepth = 0;
143 do {
8de4e1d7 144 if(qname == di->zone)
f858f843 145 break;
8c9bde70
KM		 146 if(nssets.count(shorter))
147 ++ddepth;
561434a6 148 } while(shorter.chopOff());
8c9bde70 149
96e63d77 150 DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
8c9bde70 151 if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
96e63d77 152 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0 ));
8c9bde70
KM		 153
154 if (nssets.count(qname)) {
155 if (ns3pr->d_flags)
96e63d77
KM		 156 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS );
157 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
158 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
f858f843 159 }
f858f843 160 } else {
96e63d77 161 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
f858f843 162 }
3343ad1f 163 if (ddepth == 1 || dssets.count(qname)) // FIXME400 && ?
96e63d77 164 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::DS);
dff32e09
RA		 165 }
166 return 1;
167 }
168
f858f843
RA		 169
170
6a323f63 171 bool foundRecord = false;
f809c028 172 di->backend->lookup(rrType, rr->d_name);
f1b59a55 173 while (di->backend->get(rec)) {
dff32e09
RA		 174 rrset.push_back(rec);
175 foundRecord = true;
6a323f63 176 }
914353ca 177
6a323f63 178 if (foundRecord) {
73174643 179
dff32e09 180 if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current
f1b59a55 181 SOAData sdOld, sdUpdate;
6a323f63
RA		 182 DNSResourceRecord *oldRec = &rrset.front();
183 fillSOAData(oldRec->content, sdOld);
184 oldRec->setContent(rr->d_content->getZoneRepresentation());
185 fillSOAData(oldRec->content, sdUpdate);
f1b59a55 186 if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {
6a323f63 187 di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);
f1b59a55 188 *updatedSerial = true;
f5059bd3 189 changedRecords++;
f809c028 190 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643 191 } else {
f1b59a55 192 L<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;
73174643 193 }
6a323f63
RA		 194
195 // It's not possible to have multiple CNAME's with the same NAME. So we always update.
196 } else if (rrType == QType::CNAME) {
73174643 197 int changedCNames = 0;
6a323f63 198 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
73174643
RA		 199 if (i->ttl != rr->d_ttl || i->content != rr->d_content->getZoneRepresentation()) {
200 i->ttl = rr->d_ttl;
201 i->setContent(rr->d_content->getZoneRepresentation());
202 changedCNames++;
203 }
204 }
205 if (changedCNames > 0) {
f809c028 206 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
207 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643
RA		 208 changedRecords += changedCNames;
209 } else {
f809c028 210 L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
f1b59a55 211 }
6a323f63
RA		 212
213 // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectily means a update of TTL)
214 } else {
73174643 215 int updateTTL=0;
6a323f63
RA		 216 foundRecord = false;
217 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
218 string content = rr->d_content->getZoneRepresentation();
219 if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) {
73174643
RA		 220 foundRecord=true;
221 if (i->ttl != rr->d_ttl) {
222 i->ttl = rr->d_ttl;
223 updateTTL++;
224 }
6a323f63
RA		 225 }
226 }
73174643 227 if (updateTTL > 0) {
f809c028 228 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
229 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
73174643
RA		 230 changedRecords += updateTTL;
231 } else {
f809c028 232 L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
7facf345 233 }
f1b59a55 234 }
6e42cac2 235
73174643 236 // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.
6e42cac2 237 // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.
73174643
RA		 238 if (changedRecords > 0) {
239 bool auth = rrset.front().auth;
240
241 if(*haveNSEC3) {
8de4e1d7 242 DNSName ordername;
73174643 243 if(! *narrow)
96e63d77 244 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
73174643
RA		 245
246 if (*narrow)
96e63d77 247 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
73174643 248 else
96e63d77 249 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
73174643 250 if(!auth || rrType == QType::DS) {
96e63d77
KM		 251 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
252 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
253 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 254 }
6e42cac2 255
73174643 256 } else { // NSEC
96e63d77 257 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
73174643 258 if(!auth || rrType == QType::DS) {
96e63d77
KM		 259 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
260 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
73174643 261 }
6e42cac2
RA		 262 }
263 }
264
265 } // if (foundRecord)
f1b59a55 266
6a323f63 267 // If we haven't found a record that matches, we must add it.
f1b59a55 268 if (! foundRecord) {
f809c028 269 L<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
270 delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.
f1b59a55
RA		 271 DNSResourceRecord newRec(*rr);
272 newRec.domain_id = di->id;
f809c028 273 newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS);
f1b59a55 274 di->backend->feedRecord(newRec);
b0704e0d 275 changedRecords++;
6a323f63
RA		 276
277
278 // because we added a record, we need to fix DNSSEC data.
f809c028 279 DNSName shorter(rr->d_name);
163cb726 280 bool auth=newRec.auth;
6a82ce4a 281 bool fixDS = (rrType == QType::DS);
f1b59a55 282
8de4e1d7 283 if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's
e70f2627 284 do {
6a82ce4a 285
8de4e1d7 286 if (di->zone == shorter)
f1b59a55 287 break;
914353ca 288
f1b59a55
RA		 289 bool foundShorter = false;
290 di->backend->lookup(QType(QType::ANY), shorter);
291 while (di->backend->get(rec)) {
f809c028 292 if (rec.qname == rr->d_name && rec.qtype == QType::DS)
6a82ce4a 293 fixDS = true;
f809c028 294 if (shorter != rr->d_name)
e70f2627 295 foundShorter = true;
163cb726 296 if (rec.qtype == QType::NS) // are we inserting below a delegate?
f1b59a55
RA		 297 auth=false;
298 }
6a82ce4a 299
f809c028 300 if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT.
f1b59a55 301 insnonterm.insert(shorter);
e70f2627 302 if (foundShorter)
a95f897d 303 break; // if we find a shorter record, we can stop searching
675fa24c 304 } while(shorter.chopOff());
f1b59a55
RA		 305 }
306
dff32e09 307 if(*haveNSEC3)
f1b59a55 308 {
8de4e1d7 309 DNSName ordername;
914353ca 310 if(! *narrow)
96e63d77 311 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
914353ca 312
e70f2627 313 if (*narrow)
96e63d77 314 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
e70f2627 315 else
96e63d77 316 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
e70f2627 317
6a82ce4a 318 if (fixDS)
96e63d77 319 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a 320
929eee6b 321 if(!auth)
f1b59a55 322 {
914353ca 323 if (ns3pr->d_flags)
96e63d77
KM		 324 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
325 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
326 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 327 }
328 }
329 else // NSEC
330 {
96e63d77
KM		 331 DNSName ordername=rr->d_name.makeRelative(di->zone);
332 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
6a82ce4a 333 if (fixDS) {
96e63d77 334 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
6a82ce4a
RA		 335 }
336 if(!auth) {
96e63d77
KM		 337 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
338 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
f1b59a55
RA		 339 }
340 }
6a323f63
RA		 341
342
f1b59a55 343 // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.
f809c028 344 // Auth can only be false when the rr->d_name is not the zone
6a323f63 345 if (auth == false && rrType == QType::NS) {
f809c028 346 DLOG(L<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);
6a82ce4a 347 insnonterm.clear(); // No ENT's are needed below delegates (auth=0)
561434a6 348 vector<DNSName> qnames;
f809c028 349 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 350 while(di->backend->get(rec)) {
f809c028 351 if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.
f1b59a55
RA		 352 qnames.push_back(rec.qname);
353 }
561434a6 354 for(vector<DNSName>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) {
dff32e09 355 if(*haveNSEC3) {
8de4e1d7 356 DNSName ordername;
914353ca 357 if(! *narrow)
96e63d77 358 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname)));
914353ca 359
6a82ce4a 360 if (*narrow)
96e63d77 361 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); // FIXME400 no *qname here?
6a82ce4a 362 else
96e63d77 363 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, auth);
6a82ce4a 364
be40c2df 365 if (ns3pr->d_flags)
96e63d77
KM		 366 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::NS);
367 }
368 else { // NSEC
369 DNSName ordername=DNSName(*qname).makeRelative(di->zone);
370 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, false, QType::NS);
f1b59a55 371 }
f1b59a55 372
96e63d77
KM		 373 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::A);
374 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::AAAA);
f1b59a55
RA		 375 }
376 }
f1b59a55
RA		 377 }
378 } // rr->d_class == QClass::IN
379
914353ca 380
6a323f63
RA		 381 // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by
382 // the code that calls this performUpdate().
383 if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.
f809c028 384 DLOG(L<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClasse:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl);
dff32e09
RA		 385
386 if (rrType == QType::NSEC3PARAM) {
914353ca 387 L<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;
dff32e09 388 if (rr->d_class == QClass::ANY)
f809c028 389 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09 390 else if (rr->d_class == QClass::NONE) {
3343ad1f 391 NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
0bb68041 392 if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
f809c028 393 d_dk.unsetNSEC3PARAM(rr->d_name);
dff32e09
RA		 394 else
395 return 0;
914353ca 396 } else
dff32e09
RA		 397 return 0;
398
e3dc2b56
RA		 399 // We retrieve new values, other RR's in this update package might need it as well.
400 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
401
dff32e09 402 vector<DNSResourceRecord> rrs;
561434a6 403 set<DNSName> qnames, nssets, dssets, ents;
b48fe0e3 404 di->backend->list(di->zone, di->id);
b1ca7619 405 while (di->backend->get(rec)) {
b48fe0e3 406 qnames.insert(rec.qname);
8de4e1d7 407 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
b48fe0e3
KM		 408 nssets.insert(rec.qname);
409 if(rec.qtype.getCode() == QType::DS)
410 dssets.insert(rec.qname);
411 if(!rec.qtype.getCode())
412 ents.insert(rec.qname);
b1ca7619 413 }
b48fe0e3 414
561434a6
PD		 415 DNSName shorter;
416 string hashed;
ef7cd021 417 for(const DNSName& qname : qnames) {
b48fe0e3
KM		 418 shorter = qname;
419 int ddepth = 0;
420 do {
8de4e1d7 421 if(qname == di->zone)
b48fe0e3
KM		 422 break;
423 if(nssets.count(shorter))
424 ++ddepth;
561434a6 425 } while(shorter.chopOff());
b48fe0e3 426
96e63d77 427 DNSName ordername=qname.makeRelative(di->zone);
b48fe0e3 428 if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
96e63d77 429 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0));
b48fe0e3
KM		 430
431 if (nssets.count(qname)) {
96e63d77
KM		 432 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
433 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
b1ca7619 434 }
b48fe0e3 435 } else {
96e63d77 436 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
b1ca7619 437 }
b48fe0e3 438 if (ddepth == 1 || dssets.count(qname))
96e63d77 439 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, true, QType::DS);
dff32e09
RA		 440 }
441 return 1;
589563c0 442 } // end of NSEC3PARAM delete block
dff32e09
RA		 443
444
f809c028 445 di->backend->lookup(rrType, rr->d_name);
6a323f63
RA		 446 while(di->backend->get(rec)) {
447 if (rr->d_class == QClass::ANY) { // 3.4.2.3
448 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's
449 rrset.push_back(rec);
450 else
f1b59a55
RA		 451 recordsToDelete.push_back(rec);
452 }
6a323f63
RA		 453 if (rr->d_class == QClass::NONE) { // 3.4.2.4
454 if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation())
455 recordsToDelete.push_back(rec);
456 else
457 rrset.push_back(rec);
458 }
f1b59a55 459 }
589563c0
RA		 460
461 if (recordsToDelete.size()) {
f809c028 462 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
463 L<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
589563c0 464 changedRecords += recordsToDelete.size();
f1b59a55 465
f1b59a55 466
589563c0 467 // If we've removed a delegate, we need to reset ordername/auth for some records.
f809c028 468 if (rrType == QType::NS && rr->d_name != di->zone) {
675fa24c 469 vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;
f809c028 470 di->backend->listSubZone(rr->d_name, di->id);
f1b59a55 471 while (di->backend->get(rec)) {
7a0a9f8a 472 if (rec.qtype.getCode()) // skip ENT records, they are always auth=false
a95f897d 473 belowOldDelegate.push_back(rec.qname);
f809c028 474 if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)
a95f897d 475 nsRecs.push_back(rec.qname);
f1b59a55 476 }
a95f897d 477
675fa24c 478 for(auto &belowOldDel: belowOldDelegate)
a95f897d
RA		 479 {
480 bool isBelowDelegate = false;
561434a6
PD		 481 for(const auto & ns: nsRecs) {
482 if (ns.isPartOf(belowOldDel)) {
a95f897d
RA		 483 isBelowDelegate=true;
484 break;
485 }
486 }
487 if (!isBelowDelegate)
561434a6 488 updateAuthFlag.push_back(belowOldDel);
a95f897d
RA		 489 }
490
561434a6 491 for (const auto &changeRec:updateAuthFlag) {
dff32e09 492 if(*haveNSEC3) {
8de4e1d7 493 DNSName ordername;
914353ca 494 if(! *narrow)
96e63d77 495 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
914353ca 496
96e63d77
KM		 497 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
498 }
499 else { // NSEC
500 DNSName ordername=changeRec.makeRelative(di->zone);
501 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
f1b59a55 502 }
f1b59a55
RA		 503 }
504 }
f1b59a55 505
6a323f63
RA		 506 // Fix ENT records.
507 // We must check if we have a record below the current level and if we removed the 'last' record
508 // on that level. If so, we must insert an ENT record.
fdf983eb 509 // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.
9353d244 510 bool foundDeeper = false, foundOtherWithSameName = false;
f809c028 511 di->backend->listSubZone(rr->d_name, di->id);
6a323f63 512 while (di->backend->get(rec)) {
f809c028 513 if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))
9353d244 514 foundOtherWithSameName = true;
f809c028 515 if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT
6a323f63
RA		 516 foundDeeper = true;
517 }
f1b59a55 518
9353d244 519 if (foundDeeper && !foundOtherWithSameName) {
f809c028 520 insnonterm.insert(rr->d_name);
9353d244 521 } else if (!foundOtherWithSameName) {
6a323f63
RA		 522 // If we didn't have to insert an ENT, we might have deleted a record at very deep level
523 // and we must then clean up the ENT's above the deleted record.
f809c028 524 DNSName shorter(rr->d_name);
9353d244 525 while (shorter != di->zone) {
675fa24c 526 shorter.chopOff();
9353d244 527 bool foundRealRR = false;
a95f897d 528 bool foundEnt = false;
9353d244
RA		 529
530 // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch
6a323f63 531 // consider these non ENT-records:
9353d244
RA		 532 // b.c.d.e.test.com
533 // b.d.e.test.com
534 // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.
6a323f63
RA		 535 // At that point we can stop deleting ENT's because the tree is in tact again.
536 di->backend->listSubZone(shorter, di->id);
914353ca 537
9353d244
RA		 538 while (di->backend->get(rec)) {
539 if (rec.qtype.getCode())
540 foundRealRR = true;
a95f897d
RA		 541 else
542 foundEnt = true;
9353d244 543 }
3ab4cfca 544 if (!foundRealRR) {
a95f897d
RA		 545 if (foundEnt) // only delete the ENT if we actually found one.
546 delnonterm.insert(shorter);
3ab4cfca 547 } else
9353d244
RA		 548 break;
549 }
6a323f63 550 }
589563c0 551 } else { // if (recordsToDelete.size())
f809c028 552 L<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but not found."<<endl;
f1b59a55 553 }
589563c0
RA		 554 } // (End of delete block d_class == ANY || d_class == NONE
555
f1b59a55 556
6a323f63
RA		 557
558 //Insert and delete ENT's
559 if (insnonterm.size() > 0 || delnonterm.size() > 0) {
560 DLOG(L<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);
96e63d77 561 di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);
561434a6 562 for (const auto &i: insnonterm) {
6a323f63 563 string hashed;
8de4e1d7 564 if(*haveNSEC3)
6a323f63 565 {
8de4e1d7 566 DNSName ordername;
914353ca 567 if(! *narrow)
96e63d77
KM		 568 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
569 di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
f1b59a55
RA		 570 }
571 }
572 }
573
589563c0 574 return changedRecords;
f1b59a55
RA		 575}
576
b3148887 577int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) {
e174b255 578 vector<string> forward;
71f758e0 579 B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward);
e174b255 580
71f758e0 581 if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {
d8293c79
RA		 582 L<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl;
583 return RCode::Refused;
e174b255
RA		 584 }
585
b3148887 586 for(vector<string>::const_iterator master=di->masters.begin(); master != di->masters.end(); master++) {
dff32e09 587 L<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<*master<<endl;
b3148887
RA		 588 ComboAddress remote;
589 try {
cc456024 590 remote = ComboAddress(*master, 53);
b3148887
RA		 591 }
592 catch (...) {
593 L<<Logger::Error<<msgPrefix<<"Failed to parse "<<*master<<" as valid remote."<<endl;
594 continue;
595 }
596
597 ComboAddress local;
598 if(remote.sin4.sin_family == AF_INET)
cc456024 599 local = ComboAddress(::arg()["query-local-address"]);
b3148887 600 else if(!::arg()["query-local-address6"].empty())
cc456024 601 local = ComboAddress(::arg()["query-local-address6"]);
b3148887 602 else
cc456024 603 local = ComboAddress("::");
b3148887 604 int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.
34c513f9
RG		 605 if(sock < 0) {
606 L<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;
607 continue;
608 }
b3148887
RA		 609
610 if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {
611 L<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;
a7b68ae7
RG		 612 try {
613 closesocket(sock);
614 }
615 catch(const PDNSException& e) {
616 L<<Logger::Error<<"Error closing master forwarding socket after connect() failed: "<<e.reason<<endl;
617 }
b3148887
RA		 618 continue;
619 }
620
621 DNSPacket forwardPacket(*p);
622 forwardPacket.setID(dns_random(0xffff));
623 forwardPacket.setRemote(&remote);
624 uint16_t len=htons(forwardPacket.getString().length());
625 string buffer((const char*)&len, 2);
626 buffer.append(forwardPacket.getString());
914353ca 627 if(write(sock, buffer.c_str(), buffer.length()) < 0) {
b3148887 628 L<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 629 try {
630 closesocket(sock);
631 }
632 catch(const PDNSException& e) {
633 L<<Logger::Error<<"Error closing master forwarding socket after write() failed: "<<e.reason<<endl;
634 }
b3148887
RA		 635 continue;
636 }
637
638 int res = waitForData(sock, 10, 0);
639 if (!res) {
cc456024 640 L<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl;
a7b68ae7
RG		 641 try {
642 closesocket(sock);
643 }
644 catch(const PDNSException& e) {
645 L<<Logger::Error<<"Error closing master forwarding socket after a timeout occured: "<<e.reason<<endl;
646 }
b3148887
RA		 647 continue;
648 }
649 if (res < 0) {
650 L<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 651 try {
652 closesocket(sock);
653 }
654 catch(const PDNSException& e) {
655 L<<Logger::Error<<"Error closing master forwarding socket after an error occured: "<<e.reason<<endl;
656 }
b3148887
RA		 657 continue;
658 }
659
660 char lenBuf[2];
661 int recvRes;
662 recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);
663 if (recvRes < 0) {
664 L<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 665 try {
666 closesocket(sock);
667 }
668 catch(const PDNSException& e) {
669 L<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
670 }
b3148887
RA		 671 continue;
672 }
673 int packetLen = lenBuf[0]*256+lenBuf[1];
674
675
676 char buf[packetLen];
677 recvRes = recv(sock, &buf, packetLen, 0);
678 if (recvRes < 0) {
679 L<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
a7b68ae7
RG		 680 try {
681 closesocket(sock);
682 }
683 catch(const PDNSException& e) {
684 L<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
685 }
b3148887
RA		 686 continue;
687 }
a7b68ae7
RG		 688 try {
689 closesocket(sock);
690 }
691 catch(const PDNSException& e) {
692 L<<Logger::Error<<"Error closing master forwarding socket: "<<e.reason<<endl;
693 }
b3148887
RA		 694
695 try {
27c0050c 696 MOADNSParser mdp(false, buf, recvRes);
b3148887
RA		 697 L<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;
698 return mdp.d_header.rcode;
699 }
700 catch (...) {
701 L<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl;
702 continue;
703 }
704 }
705 L<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl;
706 return RCode::ServFail;
707
708}
709
f1b59a55 710int PacketHandler::processUpdate(DNSPacket *p) {
d07bf7ff 711 if (! ::arg().mustDo("dnsupdate"))
f1b59a55 712 return RCode::Refused;
914353ca 713
ded6b08d 714 string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote().toString() + " for " + p->qdomain.toLogString() + ": ";
f1b59a55
RA		 715 L<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
716
0ecc1158
AT		 717 // if there is policy, we delegate all checks to it
718 if (this->d_update_policy_lua == NULL) {
f1b59a55 719
0ecc1158
AT		 720 // Check permissions - IP based
721 vector<string> allowedRanges;
722 B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
723 if (! ::arg()["allow-dnsupdate-from"].empty())
724 stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );
f1b59a55 725
0ecc1158
AT		 726 NetmaskGroup ng;
727 for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++)
728 ng.addMask(*i);
914353ca 729
0ecc1158
AT		 730 if ( ! ng.match(&p->d_remote)) {
731 L<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;
f1b59a55
RA		 732 return RCode::Refused;
733 }
734
0ecc1158
AT		 735
736 // Check permissions - TSIG based.
737 vector<string> tsigKeys;
738 B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
739 if (tsigKeys.size() > 0) {
740 bool validKey = false;
741
742 TSIGRecordContent trc;
743 DNSName inputkey;
744 string message;
745 if (! p->getTSIGDetails(&trc, &inputkey, 0)) {
746 L<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
747 return RCode::Refused;
6917c321 748 }
0ecc1158
AT		 749
750 if (p->d_tsig_algo == TSIG_GSS) {
751 GssName inputname(p->d_peer_principal); // match against principal since GSS
752 for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
753 if (inputname.match(*key)) {
754 validKey = true;
755 break;
756 }
757 }
758 } else {
759 for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
760 if (inputkey == DNSName(*key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
761 validKey=true;
762 break;
763 }
6917c321
AT		 764 }
765 }
f1b59a55 766
0ecc1158
AT		 767 if (!validKey) {
768 L<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
769 return RCode::Refused;
770 }
f1b59a55 771 }
f1b59a55 772
0ecc1158
AT		 773 if (tsigKeys.size() == 0 && p->d_havetsig)
774 L<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
775
776 }
f1b59a55
RA		 777
778 // RFC2136 uses the same DNS Header and Message as defined in RFC1035.
914353ca 779 // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
f1b59a55 780 // variable names during the use of our MOADNSParser.
27c0050c 781 MOADNSParser mdp(false, p->getString());
f1b59a55
RA		 782 if (mdp.d_header.qdcount != 1) {
783 L<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
784 return RCode::FormErr;
914353ca 785 }
f1b59a55
RA		 786
787 if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
788 L<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
789 return RCode::FormErr;
790 }
791
792 if (p->qclass != QClass::IN) {
793 L<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
794 return RCode::NotAuth;
795 }
796
797 DomainInfo di;
798 di.backend=0;
799 if(!B.getDomainInfo(p->qdomain, di) || !di.backend) {
f43c4448 800 L<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support DNS update operation)"<<endl;
f1b59a55
RA		 801 return RCode::NotAuth;
802 }
803
b3148887
RA		 804 if (di.kind == DomainInfo::Slave)
805 return forwardPacket(msgPrefix, p, &di);
f1b59a55 806
914353ca 807 // Check if all the records provided are within the zone
f1b59a55
RA		 808 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
809 const DNSRecord *rr = &i->first;
810 // Skip this check for other field types (like the TSIG - which is in the additional section)
dff32e09 811 // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.
e693ff5a 812 if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY))
f1b59a55
RA		 813 continue;
814
f809c028 815 if (!rr->d_name.isPartOf(di.zone)) {
f1b59a55
RA		 816 L<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;
817 return RCode::NotZone;
818 }
819 }
820
dff32e09
RA		 821
822 Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
f1b59a55 823 L<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
dff32e09 824 if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
f43c4448 825 L<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl;
f1b59a55
RA		 826 return RCode::NotImp;
827 }
828
914353ca 829 // 3.2.1 and 3.2.2 - Prerequisite check
f1b59a55
RA		 830 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
831 const DNSRecord *rr = &i->first;
e693ff5a 832 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55
RA		 833 int res = checkUpdatePrerequisites(rr, &di);
834 if (res>0) {
835 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<res<<endl;
836 di.backend->abortTransaction();
837 return res;
838 }
914353ca 839 }
f1b59a55
RA		 840 }
841
842 // 3.2.3 - Prerequisite check - this is outside of updatePrequisitesCheck because we check an RRSet and not the RR.
561434a6 843 typedef pair<DNSName, QType> rrSetKey_t;
f1b59a55
RA		 844 typedef vector<DNSResourceRecord> rrVector_t;
845 typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;
846 RRsetMap_t preReqRRsets;
847 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
848 const DNSRecord *rr = &i->first;
e693ff5a 849 if (rr->d_place == DNSResourceRecord::ANSWER) {
f1b59a55 850 // Last line of 3.2.3
914353ca 851 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
f1b59a55
RA		 852 return RCode::FormErr;
853
854 if (rr->d_class == QClass::IN) {
f809c028 855 rrSetKey_t key = make_pair(rr->d_name, QType(rr->d_type));
f1b59a55
RA		 856 rrVector_t *vec = &preReqRRsets[key];
857 vec->push_back(DNSResourceRecord(*rr));
858 }
859 }
860 }
861
862 if (preReqRRsets.size() > 0) {
863 RRsetMap_t zoneRRsets;
864 for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) {
865 rrSetKey_t rrSet=preRRSet->first;
866 rrVector_t *vec = &preRRSet->second;
867
868 DNSResourceRecord rec;
869 di.backend->lookup(QType(QType::ANY), rrSet.first);
870 uint16_t foundRR=0, matchRR=0;
871 while (di.backend->get(rec)) {
872 if (rec.qtype == rrSet.second) {
873 foundRR++;
874 for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) {
875 rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.
914353ca 876 if (*rrItem == rec)
f1b59a55
RA		 877 matchRR++;
878 }
879 }
880 }
881 if (matchRR != foundRR || foundRR != vec->size()) {
882 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning NXRRSet"<<endl;
883 di.backend->abortTransaction();
884 return RCode::NXRRSet;
885 }
886 }
887 }
888
889
890
0bb68041 891 // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.
f1b59a55 892 try {
d0d273cf 893 uint changedRecords = 0;
f1b59a55
RA		 894 // 3.4.1 - Prescan section
895 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
896 const DNSRecord *rr = &i->first;
e693ff5a 897 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
f1b59a55
RA		 898 int res = checkUpdatePrescan(rr);
899 if (res>0) {
900 L<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;
901 di.backend->abortTransaction();
902 return res;
903 }
904 }
905 }
906
907 bool updatedSerial=false;
908 NSEC3PARAMRecordContent ns3pr;
914353ca 909 bool narrow=false;
f1b59a55 910 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
dff32e09 911 bool isPresigned = d_dk.isPresigned(di.zone);
f1b59a55 912
f1b59a55
RA		 913 // 3.4.2 - Perform the updates.
914 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
7c696097 915 // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.
f1b59a55
RA		 916 vector<const DNSRecord *> nsRRtoDelete;
917 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
918 const DNSRecord *rr = &i->first;
e693ff5a 919 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
0ecc1158
AT		 920 /* see if it's permitted by policy */
921 if (this->d_update_policy_lua != NULL) {
922 if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, p) == false) {
923 L<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Not permitted by policy"<<endl;
924 continue;
925 } else {
926 L<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Permitted by policy"<<endl;
927 }
928 }
929
f809c028 930 if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone)
f1b59a55
RA		 931 nsRRtoDelete.push_back(rr);
932 else
d0d273cf 933 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 934 }
935 }
936 if (nsRRtoDelete.size()) {
937 vector<DNSResourceRecord> nsRRInZone;
938 DNSResourceRecord rec;
939 di.backend->lookup(QType(QType::NS), di.zone);
940 while (di.backend->get(rec)) {
941 nsRRInZone.push_back(rec);
942 }
943 if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)
944 for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) {
945 for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) {
946 if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation())
d0d273cf 947 changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 948 }
949 }
950 }
951 }
952
f1b59a55 953 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
d0d273cf 954 if (changedRecords > 0 && !updatedSerial) {
166ac305 955 increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr);
d0d273cf 956 changedRecords++;
890c7124
RA		 957 }
958
d0d273cf 959 if (changedRecords > 0) {
dce6b818
RA		 960 if (!di.backend->commitTransaction()) {
961 L<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;
962 return RCode::ServFail;
963 }
914353ca 964
71f758e0 965 S.deposit("dnsupdate-changes", changedRecords);
7facf345 966
dce6b818 967 // Purge the records!
7abbc40f 968 string zone(di.zone.toString());
dce6b818
RA		 969 zone.append("$");
970 PC.purge(zone);
0bb68041 971
7c696097 972 L<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;
dce6b818
RA		 973 } else {
974 //No change, no commit, we perform abort() because some backends might like this more.
975 L<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;
976 di.backend->abortTransaction();
977 }
0bb68041
RA		 978 return RCode::NoError; //rfc 2136 3.4.2.5
979 }
980 catch (SSqlException &e) {
981 L<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;
982 di.backend->abortTransaction();
983 return RCode::ServFail;
f1b59a55 984 }
ee9ef8f2
RA		 985 catch (DBException &e) {
986 L<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;
987 di.backend->abortTransaction();
988 return RCode::ServFail;
989 }
05ff9dab
RA		 990 catch (PDNSException &e) {
991 L<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;
f1b59a55
RA		 992 di.backend->abortTransaction();
993 return RCode::ServFail;
994 }
28b66a94
KM		 995 catch(std::exception &e) {
996 L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
997 di.backend->abortTransaction();
998 return RCode::ServFail;
999 }
f1b59a55
RA		 1000 catch (...) {
1001 L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
1002 di.backend->abortTransaction();
1003 return RCode::ServFail;
1004 }
f1b59a55
RA		 1005}
1006
166ac305 1007void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
f1b59a55 1008 DNSResourceRecord rec, newRec;
166ac305 1009 di->backend->lookup(QType(QType::SOA), di->zone);
f1b59a55 1010 bool foundSOA=false;
166ac305 1011 while (di->backend->get(rec)) {
f1b59a55
RA		 1012 newRec = rec;
1013 foundSOA=true;
1014 }
1015 if (!foundSOA) {
05ff9dab 1016 throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");
f1b59a55
RA		 1017 }
1018 SOAData soa2Update;
1019 fillSOAData(rec.content, soa2Update);
cd9ec356 1020 uint32_t oldSerial = soa2Update.serial;
f1b59a55 1021
e31f9680
RA		 1022 if (oldSerial == 0) { // using Autoserial, leave the serial alone.
1023 L<<Logger::Notice<<msgPrefix<<"AutoSerial being used, not updating SOA serial."<<endl;
1024 return;
1025 }
1026
f1b59a55 1027 vector<string> soaEdit2136Setting;
71f758e0 1028 B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);
f1b59a55
RA		 1029 string soaEdit2136 = "DEFAULT";
1030 string soaEdit;
1031 if (!soaEdit2136Setting.empty()) {
1032 soaEdit2136 = soaEdit2136Setting[0];
1033 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
4192773a
KM		 1034 string soaEditSetting;
1035 d_dk.getSoaEdit(di->zone, soaEditSetting);
f1b59a55 1036 if (soaEditSetting.empty()) {
fc721f52 1037 L<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;
f1b59a55
RA		 1038 soaEdit2136 = "DEFAULT";
1039 } else
4192773a 1040 soaEdit = soaEditSetting;
f1b59a55
RA		 1041 }
1042 }
1043
effecfa7 1044 soa2Update.serial = calculateIncreaseSOA(soa2Update, soaEdit2136, soaEdit);
f1b59a55
RA		 1045
1046 newRec.content = serializeSOAData(soa2Update);
3e0ab216
RA		 1047 vector<DNSResourceRecord> rrset;
1048 rrset.push_back(newRec);
166ac305 1049 di->backend->replaceRRSet(di->id, newRec.qname, newRec.qtype, rrset);
dff32e09 1050 L<<Logger::Notice<<msgPrefix<<"Increasing SOA serial ("<<oldSerial<<" -> "<<soa2Update.serial<<")"<<endl;
166ac305
RA		 1051
1052 //Correct ordername + auth flag
c1c3e5a4 1053 if (haveNSEC3 && narrow)
96e63d77 1054 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, DNSName(), true);
c1c3e5a4 1055 else if (haveNSEC3) {
8de4e1d7 1056 DNSName ordername;
c1c3e5a4 1057 if (!narrow)
96e63d77 1058 ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, newRec.qname)));
c1c3e5a4 1059
96e63d77
KM		 1060 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, ordername, true);
1061 }
1062 else { // NSEC
1063 DNSName ordername=newRec.qname.makeRelative(di->zone);
1064 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, ordername, true);
166ac305 1065 }
166ac305 1066}
Unnamed repository; edit this file 'description' to name the repository.