]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/rfc2136handler.cc
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Small optimization in deletion of 'deep' record
[thirdparty/pdns.git] / pdns / rfc2136handler.cc
CommitLineData
f1b59a55
RA		 1#include "packethandler.hh"
2#include "qtype.hh"
3#include "dnspacket.hh"
4#include "packetcache.hh"
5#include "dnsseckeeper.hh"
6#include "base64.hh"
7#include "base32.hh"
8#include "misc.hh"
9#include "arguments.hh"
b3148887
RA		 10#include "resolver.hh"
11#include "dns_random.hh"
7facf345 12#include "backends/gsql/ssql.hh"
f1b59a55
RA		 13
14extern PacketCache PC;
276a5ce7 15extern StatBag S;
f1b59a55 16
ee9ef8f2
RA		 17pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER;
18
f1b59a55
RA		 19// Implement section 3.2.1 and 3.2.2 of RFC2136
20int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {
21 if (rr->d_ttl != 0)
22 return RCode::FormErr;
23
24 // 3.2.1 and 3.2.2 check content length.
25 if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)
26 return RCode::FormErr;
27
6a323f63 28 string rrLabel = stripDot(rr->d_label);
f1b59a55
RA		 29
30 bool foundRecord=false;
31 DNSResourceRecord rec;
6a323f63 32 di->backend->lookup(QType(QType::ANY), rrLabel);
f1b59a55
RA		 33 while(di->backend->get(rec)) {
34 if (!rec.qtype.getCode())
35 continue;
36 if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)
37 foundRecord=true;
38 }
39
40 // Section 3.2.1
41 if (rr->d_class == QClass::ANY && !foundRecord) {
42 if (rr->d_type == QType::ANY)
43 return RCode::NXDomain;
44 if (rr->d_type != QType::ANY)
45 return RCode::NXRRSet;
46 }
47
48 // Section 3.2.2
49 if (rr->d_class == QClass::NONE && foundRecord) {
50 if (rr->d_type == QType::ANY)
51 return RCode::YXDomain;
52 if (rr->d_type != QType::ANY)
53 return RCode::YXRRSet;
54 }
55
56 return RCode::NoError;
57}
58
59
60// Method implements section 3.4.1 of RFC2136
61int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {
62 // The RFC stats that d_class != ZCLASS, but we only support the IN class.
63 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
64 return RCode::FormErr;
65
66 QType qtype = QType(rr->d_type);
67
68 if (! qtype.isSupportedType())
69 return RCode::FormErr;
70
71 if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0)
72 return RCode::FormErr;
73
74 if (rr->d_class == QClass::ANY && rr->d_clen != 0)
75 return RCode::FormErr;
76
77 if (qtype.isMetadataType())
78 return RCode::FormErr;
79
80 if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY)
81 return RCode::FormErr;
82
83 return RCode::NoError;
84}
85
6a323f63 86
f1b59a55 87// Implements section 3.4.2 of RFC2136
dff32e09
RA		 88uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {
89 string rrLabel = stripDot(rr->d_label);
90 rrLabel = toLower(rrLabel);
91 QType rrType = QType(rr->d_type);
92
93
94 if (rrType == QType::NSEC || rrType == QType::NSEC3) {
95 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl;
96 return 0;
97 }
98
99 if (!isPresigned && (rrType == QType::RRSIG || rrType == QType::DNSKEY) ) {
100 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl;
101 return 0;
102 }
103
104 if (rrType == QType::NSEC3PARAM && rrLabel != di->zone) {
105 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|NSEC3PARAM, NSEC3PARAM must be at zone apex, ignoring!"<<endl;
106 return 0;
107 }
108
109
b0704e0d 110 uint16_t changedRecords = 0;
6a323f63
RA		 111 DNSResourceRecord rec;
112 vector<DNSResourceRecord> rrset, recordsToDelete;
113 set<string> delnonterm, insnonterm; // used to (at the end) fix ENT records.
114
f1b59a55 115
6a323f63
RA		 116 if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update
117 DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rrLabel<<"|"<<rrType.getName()<<endl);
f1b59a55 118
dff32e09
RA		 119 if (rrType == QType::NSEC3PARAM) {
120 L<<Logger::Notice<<msgPrefix<<"Setting NSEC3PARAM for zone, resetting ordernames."<<endl;
121 NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone);
122 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
123 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
124 di->backend->list(di->zone, di->id);
125 vector<DNSResourceRecord> rrs;
126 while (di->backend->get(rec)) {
127 rrs.push_back(rec);
128 }
129 for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
130 if (*narrow) {
131 di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
132 } else {
133 string hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
134 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
135 }
136 }
137 return 1;
138 }
139
6a323f63
RA		 140 bool foundRecord = false;
141 di->backend->lookup(rrType, rrLabel);
f1b59a55 142 while (di->backend->get(rec)) {
dff32e09
RA		 143 rrset.push_back(rec);
144 foundRecord = true;
6a323f63 145 }
6a323f63
RA		 146
147 if (foundRecord) {
dff32e09 148 if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current
f1b59a55 149 SOAData sdOld, sdUpdate;
6a323f63
RA		 150 DNSResourceRecord *oldRec = &rrset.front();
151 fillSOAData(oldRec->content, sdOld);
152 oldRec->setContent(rr->d_content->getZoneRepresentation());
153 fillSOAData(oldRec->content, sdUpdate);
f1b59a55 154 if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {
b0704e0d 155 changedRecords++;
6a323f63 156 di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);
f1b59a55 157 *updatedSerial = true;
7facf345 158 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl;
f1b59a55
RA		 159 }
160 else
161 L<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;
6a323f63
RA		 162
163 // It's not possible to have multiple CNAME's with the same NAME. So we always update.
164 } else if (rrType == QType::CNAME) {
165 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
166 i->ttl = rr->d_ttl;
167 i->setContent(rr->d_content->getZoneRepresentation());
b0704e0d 168 changedRecords++;
f1b59a55 169 }
6a323f63 170 di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset);
7facf345 171 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl;
6a323f63
RA		 172
173 // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectily means a update of TTL)
174 } else {
175 foundRecord = false;
176 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
177 string content = rr->d_content->getZoneRepresentation();
178 if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) {
179 foundRecord = true;
180 i->ttl = rr->d_ttl;
b0704e0d 181 changedRecords++;
6a323f63
RA		 182 }
183 }
7facf345 184 if (foundRecord) {
6a323f63 185 di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset);
7facf345
RA		 186 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl;
187 }
f1b59a55 188 }
6e42cac2
RA		 189
190 // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it.
191 // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.
192 bool auth = rrset.front().auth;
dff32e09 193 if(*haveNSEC3) {
6e42cac2 194 string hashed;
dff32e09 195 if(! *narrow)
6e42cac2
RA		 196 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel)));
197
198 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth);
199 if(!auth || rrType == QType::DS) {
200 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS");
201 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A");
202 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA");
203 }
204
205 } else { // NSEC
206 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth);
207 if(!auth || rrType == QType::DS) {
208 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A");
209 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA");
210 }
211 }
212
213 } // if (foundRecord)
f1b59a55 214
6a323f63 215 // If we haven't found a record that matches, we must add it.
f1b59a55 216 if (! foundRecord) {
6a323f63
RA		 217 L<<Logger::Notice<<msgPrefix<<"Adding record "<<rrLabel<<"|"<<rrType.getName()<<endl;
218 delnonterm.insert(rrLabel); // always remove any ENT's in the place where we're going to add a record.
f1b59a55
RA		 219 DNSResourceRecord newRec(*rr);
220 newRec.domain_id = di->id;
f1b59a55 221 di->backend->feedRecord(newRec);
b0704e0d 222 changedRecords++;
6a323f63
RA		 223
224
225 // because we added a record, we need to fix DNSSEC data.
226 string shorter(rrLabel);
f1b59a55
RA		 227 bool auth=true;
228
229 set<string> insnonterm;
6a323f63 230 if (shorter != di->zone && rrType != QType::DS) {
f1b59a55
RA		 231 do {
232 if (shorter == di->zone)
233 break;
234
235 bool foundShorter = false;
236 di->backend->lookup(QType(QType::ANY), shorter);
237 while (di->backend->get(rec)) {
6a323f63 238 if (rec.qname != rrLabel)
f1b59a55
RA		 239 foundShorter = true;
240 if (rec.qtype == QType::NS)
241 auth=false;
242 }
6a323f63 243 if (!foundShorter && shorter != rrLabel && shorter != di->zone)
f1b59a55
RA		 244 insnonterm.insert(shorter);
245
246 } while(chopOff(shorter));
247 }
248
dff32e09 249 if(*haveNSEC3)
f1b59a55
RA		 250 {
251 string hashed;
dff32e09 252 if(! *narrow)
6a323f63 253 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel)));
f1b59a55 254
6a323f63
RA		 255 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth);
256 if(!auth || rrType == QType::DS)
f1b59a55 257 {
6a323f63
RA		 258 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS");
259 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A");
260 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA");
f1b59a55
RA		 261 }
262 }
263 else // NSEC
264 {
6a323f63
RA		 265 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth);
266 if(!auth || rrType == QType::DS)
f1b59a55 267 {
6a323f63
RA		 268 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A");
269 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA");
f1b59a55
RA		 270 }
271 }
6a323f63
RA		 272
273
f1b59a55 274 // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.
6a323f63
RA		 275 // Auth can only be false when the rrLabel is not the zone
276 if (auth == false && rrType == QType::NS) {
277 DLOG(L<<msgPrefix<<"Going to fix auth flags below "<<rrLabel<<endl);
f1b59a55 278 vector<string> qnames;
6a323f63 279 di->backend->listSubZone(rrLabel, di->id);
f1b59a55
RA		 280 while(di->backend->get(rec)) {
281 if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS) // Skip ENT and DS records.
282 qnames.push_back(rec.qname);
283 }
284 for(vector<string>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) {
dff32e09 285 if(*haveNSEC3) {
f1b59a55 286 string hashed;
dff32e09 287 if(! *narrow)
f1b59a55
RA		 288 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname)));
289
290 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth);
291 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "NS");
292 }
293 else // NSEC
294 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *qname, auth);
295
296 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "AAAA");
297 di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "A");
298 }
299 }
f1b59a55
RA		 300 }
301 } // rr->d_class == QClass::IN
302
6a323f63
RA		 303
304 // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by
305 // the code that calls this performUpdate().
306 if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.
fdf983eb 307 DLOG(L<<msgPrefix<<"Deleting records: "<<rrLabel<<"; QClasse:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl);
dff32e09
RA		 308
309 if (rrType == QType::NSEC3PARAM) {
310 L<<Logger::Notice<<msgPrefix<<"Removing NSEC3PARAM from zone, resetting ordernames."<<endl;
311 if (rr->d_class == QClass::ANY)
312 d_dk.unsetNSEC3PARAM(rrLabel);
313 else if (rr->d_class == QClass::NONE) {
314 NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone);
315 if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
316 d_dk.unsetNSEC3PARAM(rrLabel);
317 else
318 return 0;
319 } else
320 return 0;
321
322 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
323 di->backend->list(di->zone, di->id);
324 vector<DNSResourceRecord> rrs;
325 while (di->backend->get(rec)) {
326 rrs.push_back(rec);
327 }
328 for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
329 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth);
330 }
331 return 1;
332 }
333
334
6a323f63
RA		 335 di->backend->lookup(rrType, rrLabel);
336 while(di->backend->get(rec)) {
337 if (rr->d_class == QClass::ANY) { // 3.4.2.3
338 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's
339 rrset.push_back(rec);
340 else
f1b59a55
RA		 341 recordsToDelete.push_back(rec);
342 }
6a323f63
RA		 343 if (rr->d_class == QClass::NONE) { // 3.4.2.4
344 if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation())
345 recordsToDelete.push_back(rec);
346 else
347 rrset.push_back(rec);
348 }
f1b59a55 349
f1b59a55 350 }
6a323f63 351 di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset);
7facf345 352 L<<Logger::Notice<<msgPrefix<<"Deleting record "<<rrLabel<<"|"<<rrType.getName()<<endl;
f1b59a55 353
f1b59a55 354
6a323f63
RA		 355 if (recordsToDelete.size()) {
356 // If we remove an NS which is not at apex of the zone, we need to make everthing below it auth=true as those now are not delegated anymore.
357 if (rrType == QType::NS && rrLabel != di->zone) {
f1b59a55 358 vector<string> changeAuth;
6a323f63 359 di->backend->listSubZone(rrLabel, di->id);
f1b59a55 360 while (di->backend->get(rec)) {
6a323f63 361 if (rec.qtype.getCode()) // skip ENT records, they are always false.
f1b59a55
RA		 362 changeAuth.push_back(rec.qname);
363 }
364 for (vector<string>::const_iterator changeRec=changeAuth.begin(); changeRec!=changeAuth.end(); ++changeRec) {
dff32e09 365 if(*haveNSEC3) {
f1b59a55 366 string hashed;
dff32e09 367 if(! *narrow)
f1b59a55
RA		 368 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *changeRec)));
369
370 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *changeRec, hashed, true);
371 }
372 else // NSEC
373 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *changeRec, true);
374 }
375 }
f1b59a55 376
6a323f63
RA		 377 // Fix ENT records.
378 // We must check if we have a record below the current level and if we removed the 'last' record
379 // on that level. If so, we must insert an ENT record.
fdf983eb 380 // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.
9353d244 381 bool foundDeeper = false, foundOtherWithSameName = false;
6a323f63
RA		 382 di->backend->listSubZone(rrLabel, di->id);
383 while (di->backend->get(rec)) {
384 if (rec.qname == rrLabel && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))
9353d244 385 foundOtherWithSameName = true;
6a323f63
RA		 386 if (rec.qname != rrLabel)
387 foundDeeper = true;
388 }
f1b59a55 389
9353d244 390 if (foundDeeper && !foundOtherWithSameName) {
6a323f63 391 insnonterm.insert(rrLabel);
9353d244 392 } else if (!foundOtherWithSameName) {
6a323f63
RA		 393 // If we didn't have to insert an ENT, we might have deleted a record at very deep level
394 // and we must then clean up the ENT's above the deleted record.
395 string shorter(rrLabel);
9353d244
RA		 396 while (shorter != di->zone) {
397 chopOff(shorter);
398 bool foundRealRR = false;
399
400 // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch
6a323f63 401 // consider these non ENT-records:
9353d244
RA		 402 // b.c.d.e.test.com
403 // b.d.e.test.com
404 // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.
6a323f63
RA		 405 // At that point we can stop deleting ENT's because the tree is in tact again.
406 di->backend->listSubZone(shorter, di->id);
9353d244
RA		 407 while (di->backend->get(rec)) {
408 if (rec.qtype.getCode())
409 foundRealRR = true;
410 }
411 if (!foundRealRR)
412 delnonterm.insert(shorter);
413 else
414 break;
415 }
416
417/* do {
418 bool foundRealRR=false;
419 if (shorter == di->zone)
420 break; //we're at the top.
421
422 di->backend->lookup(QType(QType::ANY), shorter);
6a323f63
RA		 423 while (di->backend->get(rec)) {
424 if (rec.qtype.getCode())
425 foundRealRR=true;
426 }
427 if (!foundRealRR)
428 delnonterm.insert(shorter);
429 else
430 break; // we found a real record - tree is ok again.
9353d244 431 }while(chopOff(shorter));*/
6a323f63 432 }
f1b59a55 433 }
6a323f63 434 }
f1b59a55 435
6a323f63
RA		 436
437 //Insert and delete ENT's
438 if (insnonterm.size() > 0 || delnonterm.size() > 0) {
439 DLOG(L<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);
440 di->backend->updateEmptyNonTerminals(di->id, di->zone, insnonterm, delnonterm, false);
441 for (set<string>::const_iterator i=insnonterm.begin(); i!=insnonterm.end(); i++) {
442 string hashed;
dff32e09 443 if(*haveNSEC3)
6a323f63 444 {
f1b59a55 445 string hashed;
dff32e09 446 if(! *narrow)
6a323f63
RA		 447 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *i)));
448 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *i, hashed, false);
f1b59a55
RA		 449 }
450 }
451 }
452
b0704e0d 453 return recordsToDelete.size() + changedRecords;
f1b59a55
RA		 454}
455
b3148887 456int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) {
e174b255
RA		 457 vector<string> forward;
458 B.getDomainMetadata(p->qdomain, "FORWARD-2136", forward);
459
460 if (forward.size() == 0 && ! ::arg().mustDo("forward-2136")) {
d8293c79
RA		 461 L<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl;
462 return RCode::Refused;
e174b255
RA		 463 }
464
b3148887 465 for(vector<string>::const_iterator master=di->masters.begin(); master != di->masters.end(); master++) {
dff32e09 466 L<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<*master<<endl;
b3148887
RA		 467 ComboAddress remote;
468 try {
cc456024 469 remote = ComboAddress(*master, 53);
b3148887
RA		 470 }
471 catch (...) {
472 L<<Logger::Error<<msgPrefix<<"Failed to parse "<<*master<<" as valid remote."<<endl;
473 continue;
474 }
475
476 ComboAddress local;
477 if(remote.sin4.sin_family == AF_INET)
cc456024 478 local = ComboAddress(::arg()["query-local-address"]);
b3148887 479 else if(!::arg()["query-local-address6"].empty())
cc456024 480 local = ComboAddress(::arg()["query-local-address6"]);
b3148887 481 else
cc456024 482 local = ComboAddress("::");
b3148887
RA		 483 int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.
484
485 if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {
486 L<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;
487 Utility::closesocket(sock);
488 continue;
489 }
490
491 DNSPacket forwardPacket(*p);
492 forwardPacket.setID(dns_random(0xffff));
493 forwardPacket.setRemote(&remote);
494 uint16_t len=htons(forwardPacket.getString().length());
495 string buffer((const char*)&len, 2);
496 buffer.append(forwardPacket.getString());
497 if(write(sock, buffer.c_str(), buffer.length()) < 0) {
498 L<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
499 continue;
500 }
501
502 int res = waitForData(sock, 10, 0);
503 if (!res) {
cc456024 504 L<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl;
b3148887
RA		 505 Utility::closesocket(sock);
506 continue;
507 }
508 if (res < 0) {
509 L<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
510 Utility::closesocket(sock);
511 continue;
512 }
513
514 char lenBuf[2];
515 int recvRes;
516 recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);
517 if (recvRes < 0) {
518 L<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
519 Utility::closesocket(sock);
520 continue;
521 }
522 int packetLen = lenBuf[0]*256+lenBuf[1];
523
524
525 char buf[packetLen];
526 recvRes = recv(sock, &buf, packetLen, 0);
527 if (recvRes < 0) {
528 L<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
529 Utility::closesocket(sock);
530 continue;
531 }
532 Utility::closesocket(sock);
533
534 try {
b3148887
RA		 535 MOADNSParser mdp(buf, recvRes);
536 L<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;
537 return mdp.d_header.rcode;
538 }
539 catch (...) {
540 L<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl;
541 continue;
542 }
543 }
544 L<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl;
545 return RCode::ServFail;
546
547}
548
f1b59a55 549int PacketHandler::processUpdate(DNSPacket *p) {
629e6103 550 if (! ::arg().mustDo("experimental-rfc2136"))
f1b59a55
RA		 551 return RCode::Refused;
552
7facf345 553 string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote() + " for " + p->qdomain + ": ";
f1b59a55
RA		 554 L<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
555
556 // Check permissions - IP based
557 vector<string> allowedRanges;
558 B.getDomainMetadata(p->qdomain, "ALLOW-2136-FROM", allowedRanges);
559 if (! ::arg()["allow-2136-from"].empty())
560 stringtok(allowedRanges, ::arg()["allow-2136-from"], ", \t" );
561
562 NetmaskGroup ng;
563 for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++)
564 ng.addMask(*i);
565
566 if ( ! ng.match(&p->d_remote)) {
567 L<<Logger::Error<<msgPrefix<<"Remote not listed in allow-2136-from or domainmetadata. Sending REFUSED"<<endl;
568 return RCode::Refused;
569 }
570
571
572 // Check permissions - TSIG based.
573 vector<string> tsigKeys;
574 B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-2136", tsigKeys);
575 if (tsigKeys.size() > 0) {
576 bool validKey = false;
577
578 TSIGRecordContent trc;
579 string inputkey, message;
580 if (! p->getTSIGDetails(&trc, &inputkey, &message)) {
581 L<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
582 return RCode::Refused;
583 }
584
585 for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
586 if (inputkey == *key) // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
587 validKey=true;
588 }
589
590 if (!validKey) {
591 L<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
592 return RCode::Refused;
593 }
594 }
595
596 if (tsigKeys.size() == 0 && p->d_havetsig)
597 L<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
598
599 // RFC2136 uses the same DNS Header and Message as defined in RFC1035.
600 // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
601 // variable names during the use of our MOADNSParser.
602 MOADNSParser mdp(p->getString());
603 if (mdp.d_header.qdcount != 1) {
604 L<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
605 return RCode::FormErr;
606 }
607
608 if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
609 L<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
610 return RCode::FormErr;
611 }
612
613 if (p->qclass != QClass::IN) {
614 L<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
615 return RCode::NotAuth;
616 }
617
618 DomainInfo di;
619 di.backend=0;
620 if(!B.getDomainInfo(p->qdomain, di) || !di.backend) {
621 L<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support RFC2136 operation)"<<endl;
622 return RCode::NotAuth;
623 }
624
b3148887
RA		 625 if (di.kind == DomainInfo::Slave)
626 return forwardPacket(msgPrefix, p, &di);
f1b59a55
RA		 627
628 // Check if all the records provided are within the zone
629 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
630 const DNSRecord *rr = &i->first;
631 // Skip this check for other field types (like the TSIG - which is in the additional section)
dff32e09 632 // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.
f1b59a55
RA		 633 if (! (rr->d_place == DNSRecord::Answer || rr->d_place == DNSRecord::Nameserver))
634 continue;
635
636 string label = stripDot(rr->d_label);
637
638 if (!endsOn(label, di.zone)) {
639 L<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;
640 return RCode::NotZone;
641 }
642 }
643
dff32e09
RA		 644
645 Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
f1b59a55 646 L<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
dff32e09 647 if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
f1b59a55
RA		 648 L<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl;
649 return RCode::NotImp;
650 }
651
652 // 3.2.1 and 3.2.2 - Prerequisite check
653 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
654 const DNSRecord *rr = &i->first;
655 if (rr->d_place == DNSRecord::Answer) {
656 int res = checkUpdatePrerequisites(rr, &di);
657 if (res>0) {
658 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<res<<endl;
659 di.backend->abortTransaction();
660 return res;
661 }
662 }
663 }
664
665 // 3.2.3 - Prerequisite check - this is outside of updatePrequisitesCheck because we check an RRSet and not the RR.
666 typedef pair<string, QType> rrSetKey_t;
667 typedef vector<DNSResourceRecord> rrVector_t;
668 typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;
669 RRsetMap_t preReqRRsets;
670 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
671 const DNSRecord *rr = &i->first;
672 if (rr->d_place == DNSRecord::Answer) {
673 // Last line of 3.2.3
674 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
675 return RCode::FormErr;
676
677 if (rr->d_class == QClass::IN) {
678 rrSetKey_t key = make_pair(stripDot(rr->d_label), rr->d_type);
679 rrVector_t *vec = &preReqRRsets[key];
680 vec->push_back(DNSResourceRecord(*rr));
681 }
682 }
683 }
684
685 if (preReqRRsets.size() > 0) {
686 RRsetMap_t zoneRRsets;
687 for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) {
688 rrSetKey_t rrSet=preRRSet->first;
689 rrVector_t *vec = &preRRSet->second;
690
691 DNSResourceRecord rec;
692 di.backend->lookup(QType(QType::ANY), rrSet.first);
693 uint16_t foundRR=0, matchRR=0;
694 while (di.backend->get(rec)) {
695 if (rec.qtype == rrSet.second) {
696 foundRR++;
697 for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) {
698 rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.
699 if (*rrItem == rec)
700 matchRR++;
701 }
702 }
703 }
704 if (matchRR != foundRR || foundRR != vec->size()) {
705 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning NXRRSet"<<endl;
706 di.backend->abortTransaction();
707 return RCode::NXRRSet;
708 }
709 }
710 }
711
712
713
714 // 3.4 - Prescan & Add/Update/Delete records
715 uint16_t changedRecords = 0;
716 try {
717
718 // 3.4.1 - Prescan section
719 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
720 const DNSRecord *rr = &i->first;
721 if (rr->d_place == DNSRecord::Nameserver) {
722 int res = checkUpdatePrescan(rr);
723 if (res>0) {
724 L<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;
725 di.backend->abortTransaction();
726 return res;
727 }
728 }
729 }
730
731 bool updatedSerial=false;
732 NSEC3PARAMRecordContent ns3pr;
dff32e09 733 bool narrow=false;
f1b59a55 734 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
dff32e09 735 bool isPresigned = d_dk.isPresigned(di.zone);
f1b59a55
RA		 736
737 // We get all the before/after fields before doing anything to the db.
738 // We can't do this inside performUpdate() because when we remove a delegate, the before/after result is different to what it should be
739 // to purge the cache correctly - One update/delete might cause a before/after to be created which is before/after the original before/after.
740 vector< pair<string, string> > beforeAfterSet;
6a323f63 741 /*if (!haveNSEC3) {
f1b59a55
RA		 742 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
743 const DNSRecord *rr = &i->first;
744 if (rr->d_place == DNSRecord::Nameserver) {
745 string before, after;
6a323f63 746 di.backend->getBeforeAndAfterNames(di.id, di.zone, stripDot(rr->d_label), before, after, (rr->d_class != QClass::IN));
f1b59a55
RA		 747 beforeAfterSet.push_back(make_pair(before, after));
748 }
749 }
6a323f63 750 }*/
f1b59a55
RA		 751
752 // 3.4.2 - Perform the updates.
753 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
754 // This means we must do it outside the normal performUpdate() because that focusses only on a seperate RR.
755 vector<const DNSRecord *> nsRRtoDelete;
756 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
757 const DNSRecord *rr = &i->first;
758 if (rr->d_place == DNSRecord::Nameserver) {
759 if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && stripDot(rr->d_label) == di.zone)
760 nsRRtoDelete.push_back(rr);
761 else
dff32e09 762 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 763 }
764 }
765 if (nsRRtoDelete.size()) {
766 vector<DNSResourceRecord> nsRRInZone;
767 DNSResourceRecord rec;
768 di.backend->lookup(QType(QType::NS), di.zone);
769 while (di.backend->get(rec)) {
770 nsRRInZone.push_back(rec);
771 }
772 if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)
773 for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) {
774 for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) {
775 if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation())
dff32e09 776 changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
f1b59a55
RA		 777 }
778 }
779 }
780 }
781
f1b59a55 782 // Purge the records!
6a323f63
RA		 783 string zone(di.zone);
784 zone.append("$");
785 PC.purge(zone); // For NSEC3, nuke the complete zone.
786/*
f1b59a55
RA		 787 if (changedRecords > 0) {
788 if (haveNSEC3) {
789 string zone(di.zone);
790 zone.append("$");
791 PC.purge(zone); // For NSEC3, nuke the complete zone.
792 } else {
793 //for(vector< pair<string, string> >::const_iterator i=beforeAfterSet.begin(); i != beforeAfterSet.end(); i++)
794 //PC.purgeRange(i->first, i->second, di.zone);
795 }
796 }
6a323f63 797*/
f1b59a55 798 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
890c7124 799 if (changedRecords > 0 && !updatedSerial) {
166ac305 800 increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr);
890c7124
RA		 801 changedRecords++;
802 }
803
276a5ce7 804 S.deposit("rfc2136-changes", changedRecords);
7facf345 805
f1b59a55 806 }
ee9ef8f2
RA		 807 catch (DBException &e) {
808 L<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;
809 di.backend->abortTransaction();
810 return RCode::ServFail;
811 }
f1b59a55
RA		 812 catch (AhuException &e) {
813 L<<Logger::Error<<msgPrefix<<"Caught AhuException: "<<e.reason<<"; Sending ServFail!"<<endl;
814 di.backend->abortTransaction();
815 return RCode::ServFail;
816 }
ee9ef8f2
RA		 817 catch (SSqlException &e) {
818 L<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;
819 di.backend->abortTransaction();
820 return RCode::ServFail;
821 }
f1b59a55
RA		 822 catch (...) {
823 L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
824 di.backend->abortTransaction();
825 return RCode::ServFail;
826 }
827
828 if (!di.backend->commitTransaction()) {
829 L<<Logger::Error<<msgPrefix<<"Failed to commit update for domain "<<di.zone<<"!"<<endl;
830 return RCode::ServFail;
831 }
832
833 L<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records commited."<<endl;
834 return RCode::NoError; //rfc 2136 3.4.2.5
835}
836
166ac305 837void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
f1b59a55 838 DNSResourceRecord rec, newRec;
166ac305 839 di->backend->lookup(QType(QType::SOA), di->zone);
f1b59a55 840 bool foundSOA=false;
166ac305 841 while (di->backend->get(rec)) {
f1b59a55
RA		 842 newRec = rec;
843 foundSOA=true;
844 }
845 if (!foundSOA) {
846 throw AhuException("SOA-Serial update failed because there was no SOA. Wowie.");
847 }
848 SOAData soa2Update;
849 fillSOAData(rec.content, soa2Update);
890c7124 850 int oldSerial = soa2Update.serial;
f1b59a55
RA		 851
852 vector<string> soaEdit2136Setting;
166ac305 853 B.getDomainMetadata(di->zone, "SOA-EDIT-2136", soaEdit2136Setting);
f1b59a55
RA		 854 string soaEdit2136 = "DEFAULT";
855 string soaEdit;
856 if (!soaEdit2136Setting.empty()) {
857 soaEdit2136 = soaEdit2136Setting[0];
858 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
859 vector<string> soaEditSetting;
166ac305 860 B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting);
f1b59a55
RA		 861 if (soaEditSetting.empty()) {
862 L<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-2136 increase on RFC2136, but SOA-EDIT is not set for domain. Using DEFAULT for SOA-EDIT-2136"<<endl;
863 soaEdit2136 = "DEFAULT";
864 } else
865 soaEdit = soaEditSetting[0];
866 }
867 }
868
869
870 if (pdns_iequals(soaEdit2136, "INCREASE"))
871 soa2Update.serial++;
872 else if (pdns_iequals(soaEdit2136, "SOA-EDIT-INCREASE")) {
873 uint32_t newSer = calculateEditSOA(soa2Update, soaEdit);
874 if (newSer <= soa2Update.serial)
875 soa2Update.serial++;
876 else
877 soa2Update.serial = newSer;
878 } else if (pdns_iequals(soaEdit2136, "SOA-EDIT"))
879 soa2Update.serial = calculateEditSOA(soa2Update, soaEdit);
880 else if (pdns_iequals(soaEdit2136, "EPOCH"))
881 soa2Update.serial = time(0);
882 else {
883 time_t now = time(0);
884 struct tm tm;
885 localtime_r(&now, &tm);
886 boost::format fmt("%04d%02d%02d%02d");
887 string newserdate=(fmt % (tm.tm_year+1900) % (tm.tm_mon +1 )% tm.tm_mday % 1).str();
888 uint32_t newser = atol(newserdate.c_str());
889 if (newser <= soa2Update.serial)
890 soa2Update.serial++;
891 else
892 soa2Update.serial = newser;
893 }
894
895
896 newRec.content = serializeSOAData(soa2Update);
3e0ab216
RA		 897 vector<DNSResourceRecord> rrset;
898 rrset.push_back(newRec);
166ac305 899 di->backend->replaceRRSet(di->id, newRec.qname, newRec.qtype, rrset);
dff32e09 900 L<<Logger::Notice<<msgPrefix<<"Increasing SOA serial ("<<oldSerial<<" -> "<<soa2Update.serial<<")"<<endl;
166ac305
RA		 901
902 //Correct ordername + auth flag
903 if(haveNSEC3) {
904 string hashed;
905 if(!narrow)
906 hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, newRec.qname)));
907
908 di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, newRec.qname, hashed, true);
909 }
910 else // NSEC
911 di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, newRec.qname, true);
912
913 // purge the cache for the SOA record.
f1b59a55 914 PC.purge(newRec.qname);
166ac305 915}
Unnamed repository; edit this file 'description' to name the repository.