]>
Commit | Line | Data |
---|---|---|
f1b59a55 RA |
1 | #include "packethandler.hh" |
2 | #include "qtype.hh" | |
3 | #include "dnspacket.hh" | |
4 | #include "packetcache.hh" | |
5 | #include "dnsseckeeper.hh" | |
6 | #include "base64.hh" | |
7 | #include "base32.hh" | |
8 | #include "misc.hh" | |
9 | #include "arguments.hh" | |
b3148887 RA |
10 | #include "resolver.hh" |
11 | #include "dns_random.hh" | |
7facf345 | 12 | #include "backends/gsql/ssql.hh" |
f1b59a55 RA |
13 | |
14 | extern PacketCache PC; | |
276a5ce7 | 15 | extern StatBag S; |
f1b59a55 | 16 | |
ee9ef8f2 RA |
17 | pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER; |
18 | ||
f1b59a55 RA |
19 | // Implement section 3.2.1 and 3.2.2 of RFC2136 |
20 | int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) { | |
21 | if (rr->d_ttl != 0) | |
22 | return RCode::FormErr; | |
23 | ||
24 | // 3.2.1 and 3.2.2 check content length. | |
25 | if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0) | |
26 | return RCode::FormErr; | |
27 | ||
6a323f63 | 28 | string rrLabel = stripDot(rr->d_label); |
f1b59a55 RA |
29 | |
30 | bool foundRecord=false; | |
31 | DNSResourceRecord rec; | |
6a323f63 | 32 | di->backend->lookup(QType(QType::ANY), rrLabel); |
f1b59a55 RA |
33 | while(di->backend->get(rec)) { |
34 | if (!rec.qtype.getCode()) | |
35 | continue; | |
36 | if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY) | |
37 | foundRecord=true; | |
38 | } | |
39 | ||
40 | // Section 3.2.1 | |
41 | if (rr->d_class == QClass::ANY && !foundRecord) { | |
42 | if (rr->d_type == QType::ANY) | |
43 | return RCode::NXDomain; | |
44 | if (rr->d_type != QType::ANY) | |
45 | return RCode::NXRRSet; | |
46 | } | |
47 | ||
48 | // Section 3.2.2 | |
49 | if (rr->d_class == QClass::NONE && foundRecord) { | |
50 | if (rr->d_type == QType::ANY) | |
51 | return RCode::YXDomain; | |
52 | if (rr->d_type != QType::ANY) | |
53 | return RCode::YXRRSet; | |
54 | } | |
55 | ||
56 | return RCode::NoError; | |
57 | } | |
58 | ||
59 | ||
60 | // Method implements section 3.4.1 of RFC2136 | |
61 | int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) { | |
62 | // The RFC stats that d_class != ZCLASS, but we only support the IN class. | |
63 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) | |
64 | return RCode::FormErr; | |
65 | ||
66 | QType qtype = QType(rr->d_type); | |
67 | ||
68 | if (! qtype.isSupportedType()) | |
69 | return RCode::FormErr; | |
70 | ||
71 | if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) | |
72 | return RCode::FormErr; | |
73 | ||
74 | if (rr->d_class == QClass::ANY && rr->d_clen != 0) | |
75 | return RCode::FormErr; | |
76 | ||
77 | if (qtype.isMetadataType()) | |
78 | return RCode::FormErr; | |
79 | ||
80 | if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) | |
81 | return RCode::FormErr; | |
82 | ||
83 | return RCode::NoError; | |
84 | } | |
85 | ||
6a323f63 | 86 | |
f1b59a55 | 87 | // Implements section 3.4.2 of RFC2136 |
dff32e09 RA |
88 | uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) { |
89 | string rrLabel = stripDot(rr->d_label); | |
90 | rrLabel = toLower(rrLabel); | |
91 | QType rrType = QType(rr->d_type); | |
92 | ||
93 | ||
94 | if (rrType == QType::NSEC || rrType == QType::NSEC3) { | |
95 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl; | |
96 | return 0; | |
97 | } | |
98 | ||
99 | if (!isPresigned && (rrType == QType::RRSIG || rrType == QType::DNSKEY) ) { | |
100 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl; | |
101 | return 0; | |
102 | } | |
103 | ||
104 | if (rrType == QType::NSEC3PARAM && rrLabel != di->zone) { | |
105 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|NSEC3PARAM, NSEC3PARAM must be at zone apex, ignoring!"<<endl; | |
106 | return 0; | |
107 | } | |
108 | ||
109 | ||
b0704e0d | 110 | uint16_t changedRecords = 0; |
6a323f63 RA |
111 | DNSResourceRecord rec; |
112 | vector<DNSResourceRecord> rrset, recordsToDelete; | |
113 | set<string> delnonterm, insnonterm; // used to (at the end) fix ENT records. | |
114 | ||
f1b59a55 | 115 | |
6a323f63 RA |
116 | if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update |
117 | DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rrLabel<<"|"<<rrType.getName()<<endl); | |
f1b59a55 | 118 | |
dff32e09 RA |
119 | if (rrType == QType::NSEC3PARAM) { |
120 | L<<Logger::Notice<<msgPrefix<<"Setting NSEC3PARAM for zone, resetting ordernames."<<endl; | |
121 | NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone); | |
122 | d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow)); | |
123 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
124 | di->backend->list(di->zone, di->id); | |
125 | vector<DNSResourceRecord> rrs; | |
126 | while (di->backend->get(rec)) { | |
127 | rrs.push_back(rec); | |
128 | } | |
129 | for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) { | |
130 | if (*narrow) { | |
131 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth); | |
132 | } else { | |
133 | string hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname))); | |
134 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth); | |
135 | } | |
136 | } | |
137 | return 1; | |
138 | } | |
139 | ||
6a323f63 RA |
140 | bool foundRecord = false; |
141 | di->backend->lookup(rrType, rrLabel); | |
f1b59a55 | 142 | while (di->backend->get(rec)) { |
dff32e09 RA |
143 | rrset.push_back(rec); |
144 | foundRecord = true; | |
6a323f63 | 145 | } |
6a323f63 RA |
146 | |
147 | if (foundRecord) { | |
dff32e09 | 148 | if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current |
f1b59a55 | 149 | SOAData sdOld, sdUpdate; |
6a323f63 RA |
150 | DNSResourceRecord *oldRec = &rrset.front(); |
151 | fillSOAData(oldRec->content, sdOld); | |
152 | oldRec->setContent(rr->d_content->getZoneRepresentation()); | |
153 | fillSOAData(oldRec->content, sdUpdate); | |
f1b59a55 | 154 | if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) { |
b0704e0d | 155 | changedRecords++; |
6a323f63 | 156 | di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset); |
f1b59a55 | 157 | *updatedSerial = true; |
7facf345 | 158 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
f1b59a55 RA |
159 | } |
160 | else | |
161 | L<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl; | |
6a323f63 RA |
162 | |
163 | // It's not possible to have multiple CNAME's with the same NAME. So we always update. | |
164 | } else if (rrType == QType::CNAME) { | |
165 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { | |
166 | i->ttl = rr->d_ttl; | |
167 | i->setContent(rr->d_content->getZoneRepresentation()); | |
b0704e0d | 168 | changedRecords++; |
f1b59a55 | 169 | } |
6a323f63 | 170 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); |
7facf345 | 171 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
6a323f63 RA |
172 | |
173 | // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectily means a update of TTL) | |
174 | } else { | |
175 | foundRecord = false; | |
176 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { | |
177 | string content = rr->d_content->getZoneRepresentation(); | |
178 | if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) { | |
179 | foundRecord = true; | |
180 | i->ttl = rr->d_ttl; | |
b0704e0d | 181 | changedRecords++; |
6a323f63 RA |
182 | } |
183 | } | |
7facf345 | 184 | if (foundRecord) { |
6a323f63 | 185 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); |
7facf345 RA |
186 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
187 | } | |
f1b59a55 | 188 | } |
6e42cac2 RA |
189 | |
190 | // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it. | |
191 | // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be. | |
192 | bool auth = rrset.front().auth; | |
dff32e09 | 193 | if(*haveNSEC3) { |
6e42cac2 | 194 | string hashed; |
dff32e09 | 195 | if(! *narrow) |
6e42cac2 RA |
196 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel))); |
197 | ||
198 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); | |
199 | if(!auth || rrType == QType::DS) { | |
200 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); | |
201 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
202 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
203 | } | |
204 | ||
205 | } else { // NSEC | |
206 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); | |
207 | if(!auth || rrType == QType::DS) { | |
208 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
209 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
210 | } | |
211 | } | |
212 | ||
213 | } // if (foundRecord) | |
f1b59a55 | 214 | |
6a323f63 | 215 | // If we haven't found a record that matches, we must add it. |
f1b59a55 | 216 | if (! foundRecord) { |
6a323f63 RA |
217 | L<<Logger::Notice<<msgPrefix<<"Adding record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
218 | delnonterm.insert(rrLabel); // always remove any ENT's in the place where we're going to add a record. | |
f1b59a55 RA |
219 | DNSResourceRecord newRec(*rr); |
220 | newRec.domain_id = di->id; | |
f1b59a55 | 221 | di->backend->feedRecord(newRec); |
b0704e0d | 222 | changedRecords++; |
6a323f63 RA |
223 | |
224 | ||
225 | // because we added a record, we need to fix DNSSEC data. | |
226 | string shorter(rrLabel); | |
f1b59a55 RA |
227 | bool auth=true; |
228 | ||
229 | set<string> insnonterm; | |
6a323f63 | 230 | if (shorter != di->zone && rrType != QType::DS) { |
f1b59a55 RA |
231 | do { |
232 | if (shorter == di->zone) | |
233 | break; | |
234 | ||
235 | bool foundShorter = false; | |
236 | di->backend->lookup(QType(QType::ANY), shorter); | |
237 | while (di->backend->get(rec)) { | |
6a323f63 | 238 | if (rec.qname != rrLabel) |
f1b59a55 RA |
239 | foundShorter = true; |
240 | if (rec.qtype == QType::NS) | |
241 | auth=false; | |
242 | } | |
6a323f63 | 243 | if (!foundShorter && shorter != rrLabel && shorter != di->zone) |
f1b59a55 RA |
244 | insnonterm.insert(shorter); |
245 | ||
246 | } while(chopOff(shorter)); | |
247 | } | |
248 | ||
dff32e09 | 249 | if(*haveNSEC3) |
f1b59a55 RA |
250 | { |
251 | string hashed; | |
dff32e09 | 252 | if(! *narrow) |
6a323f63 | 253 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel))); |
f1b59a55 | 254 | |
6a323f63 RA |
255 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); |
256 | if(!auth || rrType == QType::DS) | |
f1b59a55 | 257 | { |
6a323f63 RA |
258 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); |
259 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
260 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
f1b59a55 RA |
261 | } |
262 | } | |
263 | else // NSEC | |
264 | { | |
6a323f63 RA |
265 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); |
266 | if(!auth || rrType == QType::DS) | |
f1b59a55 | 267 | { |
6a323f63 RA |
268 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); |
269 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
f1b59a55 RA |
270 | } |
271 | } | |
6a323f63 RA |
272 | |
273 | ||
f1b59a55 | 274 | // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate. |
6a323f63 RA |
275 | // Auth can only be false when the rrLabel is not the zone |
276 | if (auth == false && rrType == QType::NS) { | |
277 | DLOG(L<<msgPrefix<<"Going to fix auth flags below "<<rrLabel<<endl); | |
f1b59a55 | 278 | vector<string> qnames; |
6a323f63 | 279 | di->backend->listSubZone(rrLabel, di->id); |
f1b59a55 RA |
280 | while(di->backend->get(rec)) { |
281 | if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS) // Skip ENT and DS records. | |
282 | qnames.push_back(rec.qname); | |
283 | } | |
284 | for(vector<string>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { | |
dff32e09 | 285 | if(*haveNSEC3) { |
f1b59a55 | 286 | string hashed; |
dff32e09 | 287 | if(! *narrow) |
f1b59a55 RA |
288 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname))); |
289 | ||
290 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth); | |
291 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "NS"); | |
292 | } | |
293 | else // NSEC | |
294 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *qname, auth); | |
295 | ||
296 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "AAAA"); | |
297 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "A"); | |
298 | } | |
299 | } | |
f1b59a55 RA |
300 | } |
301 | } // rr->d_class == QClass::IN | |
302 | ||
6a323f63 RA |
303 | |
304 | // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by | |
305 | // the code that calls this performUpdate(). | |
306 | if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA. | |
fdf983eb | 307 | DLOG(L<<msgPrefix<<"Deleting records: "<<rrLabel<<"; QClasse:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl); |
dff32e09 RA |
308 | |
309 | if (rrType == QType::NSEC3PARAM) { | |
310 | L<<Logger::Notice<<msgPrefix<<"Removing NSEC3PARAM from zone, resetting ordernames."<<endl; | |
311 | if (rr->d_class == QClass::ANY) | |
312 | d_dk.unsetNSEC3PARAM(rrLabel); | |
313 | else if (rr->d_class == QClass::NONE) { | |
314 | NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone); | |
315 | if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation()) | |
316 | d_dk.unsetNSEC3PARAM(rrLabel); | |
317 | else | |
318 | return 0; | |
319 | } else | |
320 | return 0; | |
321 | ||
322 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
323 | di->backend->list(di->zone, di->id); | |
324 | vector<DNSResourceRecord> rrs; | |
325 | while (di->backend->get(rec)) { | |
326 | rrs.push_back(rec); | |
327 | } | |
328 | for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) { | |
329 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth); | |
330 | } | |
331 | return 1; | |
332 | } | |
333 | ||
334 | ||
6a323f63 RA |
335 | di->backend->lookup(rrType, rrLabel); |
336 | while(di->backend->get(rec)) { | |
337 | if (rr->d_class == QClass::ANY) { // 3.4.2.3 | |
338 | if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's | |
339 | rrset.push_back(rec); | |
340 | else | |
f1b59a55 RA |
341 | recordsToDelete.push_back(rec); |
342 | } | |
6a323f63 RA |
343 | if (rr->d_class == QClass::NONE) { // 3.4.2.4 |
344 | if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation()) | |
345 | recordsToDelete.push_back(rec); | |
346 | else | |
347 | rrset.push_back(rec); | |
348 | } | |
f1b59a55 | 349 | |
f1b59a55 | 350 | } |
6a323f63 | 351 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); |
7facf345 | 352 | L<<Logger::Notice<<msgPrefix<<"Deleting record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
f1b59a55 | 353 | |
f1b59a55 | 354 | |
6a323f63 RA |
355 | if (recordsToDelete.size()) { |
356 | // If we remove an NS which is not at apex of the zone, we need to make everthing below it auth=true as those now are not delegated anymore. | |
357 | if (rrType == QType::NS && rrLabel != di->zone) { | |
f1b59a55 | 358 | vector<string> changeAuth; |
6a323f63 | 359 | di->backend->listSubZone(rrLabel, di->id); |
f1b59a55 | 360 | while (di->backend->get(rec)) { |
6a323f63 | 361 | if (rec.qtype.getCode()) // skip ENT records, they are always false. |
f1b59a55 RA |
362 | changeAuth.push_back(rec.qname); |
363 | } | |
364 | for (vector<string>::const_iterator changeRec=changeAuth.begin(); changeRec!=changeAuth.end(); ++changeRec) { | |
dff32e09 | 365 | if(*haveNSEC3) { |
f1b59a55 | 366 | string hashed; |
dff32e09 | 367 | if(! *narrow) |
f1b59a55 RA |
368 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *changeRec))); |
369 | ||
370 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *changeRec, hashed, true); | |
371 | } | |
372 | else // NSEC | |
373 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *changeRec, true); | |
374 | } | |
375 | } | |
f1b59a55 | 376 | |
6a323f63 RA |
377 | // Fix ENT records. |
378 | // We must check if we have a record below the current level and if we removed the 'last' record | |
379 | // on that level. If so, we must insert an ENT record. | |
fdf983eb | 380 | // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit. |
9353d244 | 381 | bool foundDeeper = false, foundOtherWithSameName = false; |
6a323f63 RA |
382 | di->backend->listSubZone(rrLabel, di->id); |
383 | while (di->backend->get(rec)) { | |
384 | if (rec.qname == rrLabel && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) | |
9353d244 | 385 | foundOtherWithSameName = true; |
6a323f63 RA |
386 | if (rec.qname != rrLabel) |
387 | foundDeeper = true; | |
388 | } | |
f1b59a55 | 389 | |
9353d244 | 390 | if (foundDeeper && !foundOtherWithSameName) { |
6a323f63 | 391 | insnonterm.insert(rrLabel); |
9353d244 | 392 | } else if (!foundOtherWithSameName) { |
6a323f63 RA |
393 | // If we didn't have to insert an ENT, we might have deleted a record at very deep level |
394 | // and we must then clean up the ENT's above the deleted record. | |
395 | string shorter(rrLabel); | |
9353d244 RA |
396 | while (shorter != di->zone) { |
397 | chopOff(shorter); | |
398 | bool foundRealRR = false; | |
399 | ||
400 | // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch | |
6a323f63 | 401 | // consider these non ENT-records: |
9353d244 RA |
402 | // b.c.d.e.test.com |
403 | // b.d.e.test.com | |
404 | // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com. | |
6a323f63 RA |
405 | // At that point we can stop deleting ENT's because the tree is in tact again. |
406 | di->backend->listSubZone(shorter, di->id); | |
9353d244 RA |
407 | while (di->backend->get(rec)) { |
408 | if (rec.qtype.getCode()) | |
409 | foundRealRR = true; | |
410 | } | |
411 | if (!foundRealRR) | |
412 | delnonterm.insert(shorter); | |
413 | else | |
414 | break; | |
415 | } | |
416 | ||
417 | /* do { | |
418 | bool foundRealRR=false; | |
419 | if (shorter == di->zone) | |
420 | break; //we're at the top. | |
421 | ||
422 | di->backend->lookup(QType(QType::ANY), shorter); | |
6a323f63 RA |
423 | while (di->backend->get(rec)) { |
424 | if (rec.qtype.getCode()) | |
425 | foundRealRR=true; | |
426 | } | |
427 | if (!foundRealRR) | |
428 | delnonterm.insert(shorter); | |
429 | else | |
430 | break; // we found a real record - tree is ok again. | |
9353d244 | 431 | }while(chopOff(shorter));*/ |
6a323f63 | 432 | } |
f1b59a55 | 433 | } |
6a323f63 | 434 | } |
f1b59a55 | 435 | |
6a323f63 RA |
436 | |
437 | //Insert and delete ENT's | |
438 | if (insnonterm.size() > 0 || delnonterm.size() > 0) { | |
439 | DLOG(L<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl); | |
440 | di->backend->updateEmptyNonTerminals(di->id, di->zone, insnonterm, delnonterm, false); | |
441 | for (set<string>::const_iterator i=insnonterm.begin(); i!=insnonterm.end(); i++) { | |
442 | string hashed; | |
dff32e09 | 443 | if(*haveNSEC3) |
6a323f63 | 444 | { |
f1b59a55 | 445 | string hashed; |
dff32e09 | 446 | if(! *narrow) |
6a323f63 RA |
447 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *i))); |
448 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *i, hashed, false); | |
f1b59a55 RA |
449 | } |
450 | } | |
451 | } | |
452 | ||
b0704e0d | 453 | return recordsToDelete.size() + changedRecords; |
f1b59a55 RA |
454 | } |
455 | ||
b3148887 | 456 | int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) { |
e174b255 RA |
457 | vector<string> forward; |
458 | B.getDomainMetadata(p->qdomain, "FORWARD-2136", forward); | |
459 | ||
460 | if (forward.size() == 0 && ! ::arg().mustDo("forward-2136")) { | |
d8293c79 RA |
461 | L<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl; |
462 | return RCode::Refused; | |
e174b255 RA |
463 | } |
464 | ||
b3148887 | 465 | for(vector<string>::const_iterator master=di->masters.begin(); master != di->masters.end(); master++) { |
dff32e09 | 466 | L<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<*master<<endl; |
b3148887 RA |
467 | ComboAddress remote; |
468 | try { | |
cc456024 | 469 | remote = ComboAddress(*master, 53); |
b3148887 RA |
470 | } |
471 | catch (...) { | |
472 | L<<Logger::Error<<msgPrefix<<"Failed to parse "<<*master<<" as valid remote."<<endl; | |
473 | continue; | |
474 | } | |
475 | ||
476 | ComboAddress local; | |
477 | if(remote.sin4.sin_family == AF_INET) | |
cc456024 | 478 | local = ComboAddress(::arg()["query-local-address"]); |
b3148887 | 479 | else if(!::arg()["query-local-address6"].empty()) |
cc456024 | 480 | local = ComboAddress(::arg()["query-local-address6"]); |
b3148887 | 481 | else |
cc456024 | 482 | local = ComboAddress("::"); |
b3148887 RA |
483 | int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this. |
484 | ||
485 | if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) { | |
486 | L<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl; | |
487 | Utility::closesocket(sock); | |
488 | continue; | |
489 | } | |
490 | ||
491 | DNSPacket forwardPacket(*p); | |
492 | forwardPacket.setID(dns_random(0xffff)); | |
493 | forwardPacket.setRemote(&remote); | |
494 | uint16_t len=htons(forwardPacket.getString().length()); | |
495 | string buffer((const char*)&len, 2); | |
496 | buffer.append(forwardPacket.getString()); | |
497 | if(write(sock, buffer.c_str(), buffer.length()) < 0) { | |
498 | L<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
499 | continue; | |
500 | } | |
501 | ||
502 | int res = waitForData(sock, 10, 0); | |
503 | if (!res) { | |
cc456024 | 504 | L<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl; |
b3148887 RA |
505 | Utility::closesocket(sock); |
506 | continue; | |
507 | } | |
508 | if (res < 0) { | |
509 | L<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
510 | Utility::closesocket(sock); | |
511 | continue; | |
512 | } | |
513 | ||
514 | char lenBuf[2]; | |
515 | int recvRes; | |
516 | recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0); | |
517 | if (recvRes < 0) { | |
518 | L<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
519 | Utility::closesocket(sock); | |
520 | continue; | |
521 | } | |
522 | int packetLen = lenBuf[0]*256+lenBuf[1]; | |
523 | ||
524 | ||
525 | char buf[packetLen]; | |
526 | recvRes = recv(sock, &buf, packetLen, 0); | |
527 | if (recvRes < 0) { | |
528 | L<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
529 | Utility::closesocket(sock); | |
530 | continue; | |
531 | } | |
532 | Utility::closesocket(sock); | |
533 | ||
534 | try { | |
b3148887 RA |
535 | MOADNSParser mdp(buf, recvRes); |
536 | L<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl; | |
537 | return mdp.d_header.rcode; | |
538 | } | |
539 | catch (...) { | |
540 | L<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl; | |
541 | continue; | |
542 | } | |
543 | } | |
544 | L<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl; | |
545 | return RCode::ServFail; | |
546 | ||
547 | } | |
548 | ||
f1b59a55 | 549 | int PacketHandler::processUpdate(DNSPacket *p) { |
629e6103 | 550 | if (! ::arg().mustDo("experimental-rfc2136")) |
f1b59a55 RA |
551 | return RCode::Refused; |
552 | ||
7facf345 | 553 | string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote() + " for " + p->qdomain + ": "; |
f1b59a55 RA |
554 | L<<Logger::Info<<msgPrefix<<"Processing started."<<endl; |
555 | ||
556 | // Check permissions - IP based | |
557 | vector<string> allowedRanges; | |
558 | B.getDomainMetadata(p->qdomain, "ALLOW-2136-FROM", allowedRanges); | |
559 | if (! ::arg()["allow-2136-from"].empty()) | |
560 | stringtok(allowedRanges, ::arg()["allow-2136-from"], ", \t" ); | |
561 | ||
562 | NetmaskGroup ng; | |
563 | for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++) | |
564 | ng.addMask(*i); | |
565 | ||
566 | if ( ! ng.match(&p->d_remote)) { | |
567 | L<<Logger::Error<<msgPrefix<<"Remote not listed in allow-2136-from or domainmetadata. Sending REFUSED"<<endl; | |
568 | return RCode::Refused; | |
569 | } | |
570 | ||
571 | ||
572 | // Check permissions - TSIG based. | |
573 | vector<string> tsigKeys; | |
574 | B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-2136", tsigKeys); | |
575 | if (tsigKeys.size() > 0) { | |
576 | bool validKey = false; | |
577 | ||
578 | TSIGRecordContent trc; | |
579 | string inputkey, message; | |
580 | if (! p->getTSIGDetails(&trc, &inputkey, &message)) { | |
581 | L<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl; | |
582 | return RCode::Refused; | |
583 | } | |
584 | ||
585 | for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) { | |
586 | if (inputkey == *key) // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid. | |
587 | validKey=true; | |
588 | } | |
589 | ||
590 | if (!validKey) { | |
591 | L<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl; | |
592 | return RCode::Refused; | |
593 | } | |
594 | } | |
595 | ||
596 | if (tsigKeys.size() == 0 && p->d_havetsig) | |
597 | L<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl; | |
598 | ||
599 | // RFC2136 uses the same DNS Header and Message as defined in RFC1035. | |
600 | // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different | |
601 | // variable names during the use of our MOADNSParser. | |
602 | MOADNSParser mdp(p->getString()); | |
603 | if (mdp.d_header.qdcount != 1) { | |
604 | L<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl; | |
605 | return RCode::FormErr; | |
606 | } | |
607 | ||
608 | if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA | |
609 | L<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl; | |
610 | return RCode::FormErr; | |
611 | } | |
612 | ||
613 | if (p->qclass != QClass::IN) { | |
614 | L<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl; | |
615 | return RCode::NotAuth; | |
616 | } | |
617 | ||
618 | DomainInfo di; | |
619 | di.backend=0; | |
620 | if(!B.getDomainInfo(p->qdomain, di) || !di.backend) { | |
621 | L<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support RFC2136 operation)"<<endl; | |
622 | return RCode::NotAuth; | |
623 | } | |
624 | ||
b3148887 RA |
625 | if (di.kind == DomainInfo::Slave) |
626 | return forwardPacket(msgPrefix, p, &di); | |
f1b59a55 RA |
627 | |
628 | // Check if all the records provided are within the zone | |
629 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
630 | const DNSRecord *rr = &i->first; | |
631 | // Skip this check for other field types (like the TSIG - which is in the additional section) | |
dff32e09 | 632 | // For a TSIG, the label is the dnskey, so it does not pass the endOn validation. |
f1b59a55 RA |
633 | if (! (rr->d_place == DNSRecord::Answer || rr->d_place == DNSRecord::Nameserver)) |
634 | continue; | |
635 | ||
636 | string label = stripDot(rr->d_label); | |
637 | ||
638 | if (!endsOn(label, di.zone)) { | |
639 | L<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl; | |
640 | return RCode::NotZone; | |
641 | } | |
642 | } | |
643 | ||
dff32e09 RA |
644 | |
645 | Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything | |
f1b59a55 | 646 | L<<Logger::Info<<msgPrefix<<"starting transaction."<<endl; |
dff32e09 | 647 | if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records. |
f1b59a55 RA |
648 | L<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl; |
649 | return RCode::NotImp; | |
650 | } | |
651 | ||
652 | // 3.2.1 and 3.2.2 - Prerequisite check | |
653 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
654 | const DNSRecord *rr = &i->first; | |
655 | if (rr->d_place == DNSRecord::Answer) { | |
656 | int res = checkUpdatePrerequisites(rr, &di); | |
657 | if (res>0) { | |
658 | L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<res<<endl; | |
659 | di.backend->abortTransaction(); | |
660 | return res; | |
661 | } | |
662 | } | |
663 | } | |
664 | ||
665 | // 3.2.3 - Prerequisite check - this is outside of updatePrequisitesCheck because we check an RRSet and not the RR. | |
666 | typedef pair<string, QType> rrSetKey_t; | |
667 | typedef vector<DNSResourceRecord> rrVector_t; | |
668 | typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t; | |
669 | RRsetMap_t preReqRRsets; | |
670 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
671 | const DNSRecord *rr = &i->first; | |
672 | if (rr->d_place == DNSRecord::Answer) { | |
673 | // Last line of 3.2.3 | |
674 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) | |
675 | return RCode::FormErr; | |
676 | ||
677 | if (rr->d_class == QClass::IN) { | |
678 | rrSetKey_t key = make_pair(stripDot(rr->d_label), rr->d_type); | |
679 | rrVector_t *vec = &preReqRRsets[key]; | |
680 | vec->push_back(DNSResourceRecord(*rr)); | |
681 | } | |
682 | } | |
683 | } | |
684 | ||
685 | if (preReqRRsets.size() > 0) { | |
686 | RRsetMap_t zoneRRsets; | |
687 | for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) { | |
688 | rrSetKey_t rrSet=preRRSet->first; | |
689 | rrVector_t *vec = &preRRSet->second; | |
690 | ||
691 | DNSResourceRecord rec; | |
692 | di.backend->lookup(QType(QType::ANY), rrSet.first); | |
693 | uint16_t foundRR=0, matchRR=0; | |
694 | while (di.backend->get(rec)) { | |
695 | if (rec.qtype == rrSet.second) { | |
696 | foundRR++; | |
697 | for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) { | |
698 | rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks. | |
699 | if (*rrItem == rec) | |
700 | matchRR++; | |
701 | } | |
702 | } | |
703 | } | |
704 | if (matchRR != foundRR || foundRR != vec->size()) { | |
705 | L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning NXRRSet"<<endl; | |
706 | di.backend->abortTransaction(); | |
707 | return RCode::NXRRSet; | |
708 | } | |
709 | } | |
710 | } | |
711 | ||
712 | ||
713 | ||
714 | // 3.4 - Prescan & Add/Update/Delete records | |
715 | uint16_t changedRecords = 0; | |
716 | try { | |
717 | ||
718 | // 3.4.1 - Prescan section | |
719 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
720 | const DNSRecord *rr = &i->first; | |
721 | if (rr->d_place == DNSRecord::Nameserver) { | |
722 | int res = checkUpdatePrescan(rr); | |
723 | if (res>0) { | |
724 | L<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl; | |
725 | di.backend->abortTransaction(); | |
726 | return res; | |
727 | } | |
728 | } | |
729 | } | |
730 | ||
731 | bool updatedSerial=false; | |
732 | NSEC3PARAMRecordContent ns3pr; | |
dff32e09 | 733 | bool narrow=false; |
f1b59a55 | 734 | bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow); |
dff32e09 | 735 | bool isPresigned = d_dk.isPresigned(di.zone); |
f1b59a55 RA |
736 | |
737 | // We get all the before/after fields before doing anything to the db. | |
738 | // We can't do this inside performUpdate() because when we remove a delegate, the before/after result is different to what it should be | |
739 | // to purge the cache correctly - One update/delete might cause a before/after to be created which is before/after the original before/after. | |
740 | vector< pair<string, string> > beforeAfterSet; | |
6a323f63 | 741 | /*if (!haveNSEC3) { |
f1b59a55 RA |
742 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
743 | const DNSRecord *rr = &i->first; | |
744 | if (rr->d_place == DNSRecord::Nameserver) { | |
745 | string before, after; | |
6a323f63 | 746 | di.backend->getBeforeAndAfterNames(di.id, di.zone, stripDot(rr->d_label), before, after, (rr->d_class != QClass::IN)); |
f1b59a55 RA |
747 | beforeAfterSet.push_back(make_pair(before, after)); |
748 | } | |
749 | } | |
6a323f63 | 750 | }*/ |
f1b59a55 RA |
751 | |
752 | // 3.4.2 - Perform the updates. | |
753 | // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4) | |
754 | // This means we must do it outside the normal performUpdate() because that focusses only on a seperate RR. | |
755 | vector<const DNSRecord *> nsRRtoDelete; | |
756 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
757 | const DNSRecord *rr = &i->first; | |
758 | if (rr->d_place == DNSRecord::Nameserver) { | |
759 | if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && stripDot(rr->d_label) == di.zone) | |
760 | nsRRtoDelete.push_back(rr); | |
761 | else | |
dff32e09 | 762 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
763 | } |
764 | } | |
765 | if (nsRRtoDelete.size()) { | |
766 | vector<DNSResourceRecord> nsRRInZone; | |
767 | DNSResourceRecord rec; | |
768 | di.backend->lookup(QType(QType::NS), di.zone); | |
769 | while (di.backend->get(rec)) { | |
770 | nsRRInZone.push_back(rec); | |
771 | } | |
772 | if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4) | |
773 | for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) { | |
774 | for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) { | |
775 | if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation()) | |
dff32e09 | 776 | changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
777 | } |
778 | } | |
779 | } | |
780 | } | |
781 | ||
f1b59a55 | 782 | // Purge the records! |
6a323f63 RA |
783 | string zone(di.zone); |
784 | zone.append("$"); | |
785 | PC.purge(zone); // For NSEC3, nuke the complete zone. | |
786 | /* | |
f1b59a55 RA |
787 | if (changedRecords > 0) { |
788 | if (haveNSEC3) { | |
789 | string zone(di.zone); | |
790 | zone.append("$"); | |
791 | PC.purge(zone); // For NSEC3, nuke the complete zone. | |
792 | } else { | |
793 | //for(vector< pair<string, string> >::const_iterator i=beforeAfterSet.begin(); i != beforeAfterSet.end(); i++) | |
794 | //PC.purgeRange(i->first, i->second, di.zone); | |
795 | } | |
796 | } | |
6a323f63 | 797 | */ |
f1b59a55 | 798 | // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message |
890c7124 | 799 | if (changedRecords > 0 && !updatedSerial) { |
166ac305 | 800 | increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr); |
890c7124 RA |
801 | changedRecords++; |
802 | } | |
803 | ||
276a5ce7 | 804 | S.deposit("rfc2136-changes", changedRecords); |
7facf345 | 805 | |
f1b59a55 | 806 | } |
ee9ef8f2 RA |
807 | catch (DBException &e) { |
808 | L<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl; | |
809 | di.backend->abortTransaction(); | |
810 | return RCode::ServFail; | |
811 | } | |
f1b59a55 RA |
812 | catch (AhuException &e) { |
813 | L<<Logger::Error<<msgPrefix<<"Caught AhuException: "<<e.reason<<"; Sending ServFail!"<<endl; | |
814 | di.backend->abortTransaction(); | |
815 | return RCode::ServFail; | |
816 | } | |
ee9ef8f2 RA |
817 | catch (SSqlException &e) { |
818 | L<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl; | |
819 | di.backend->abortTransaction(); | |
820 | return RCode::ServFail; | |
821 | } | |
f1b59a55 RA |
822 | catch (...) { |
823 | L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl; | |
824 | di.backend->abortTransaction(); | |
825 | return RCode::ServFail; | |
826 | } | |
827 | ||
828 | if (!di.backend->commitTransaction()) { | |
829 | L<<Logger::Error<<msgPrefix<<"Failed to commit update for domain "<<di.zone<<"!"<<endl; | |
830 | return RCode::ServFail; | |
831 | } | |
832 | ||
833 | L<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records commited."<<endl; | |
834 | return RCode::NoError; //rfc 2136 3.4.2.5 | |
835 | } | |
836 | ||
166ac305 | 837 | void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) { |
f1b59a55 | 838 | DNSResourceRecord rec, newRec; |
166ac305 | 839 | di->backend->lookup(QType(QType::SOA), di->zone); |
f1b59a55 | 840 | bool foundSOA=false; |
166ac305 | 841 | while (di->backend->get(rec)) { |
f1b59a55 RA |
842 | newRec = rec; |
843 | foundSOA=true; | |
844 | } | |
845 | if (!foundSOA) { | |
846 | throw AhuException("SOA-Serial update failed because there was no SOA. Wowie."); | |
847 | } | |
848 | SOAData soa2Update; | |
849 | fillSOAData(rec.content, soa2Update); | |
890c7124 | 850 | int oldSerial = soa2Update.serial; |
f1b59a55 RA |
851 | |
852 | vector<string> soaEdit2136Setting; | |
166ac305 | 853 | B.getDomainMetadata(di->zone, "SOA-EDIT-2136", soaEdit2136Setting); |
f1b59a55 RA |
854 | string soaEdit2136 = "DEFAULT"; |
855 | string soaEdit; | |
856 | if (!soaEdit2136Setting.empty()) { | |
857 | soaEdit2136 = soaEdit2136Setting[0]; | |
858 | if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){ | |
859 | vector<string> soaEditSetting; | |
166ac305 | 860 | B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting); |
f1b59a55 RA |
861 | if (soaEditSetting.empty()) { |
862 | L<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-2136 increase on RFC2136, but SOA-EDIT is not set for domain. Using DEFAULT for SOA-EDIT-2136"<<endl; | |
863 | soaEdit2136 = "DEFAULT"; | |
864 | } else | |
865 | soaEdit = soaEditSetting[0]; | |
866 | } | |
867 | } | |
868 | ||
869 | ||
870 | if (pdns_iequals(soaEdit2136, "INCREASE")) | |
871 | soa2Update.serial++; | |
872 | else if (pdns_iequals(soaEdit2136, "SOA-EDIT-INCREASE")) { | |
873 | uint32_t newSer = calculateEditSOA(soa2Update, soaEdit); | |
874 | if (newSer <= soa2Update.serial) | |
875 | soa2Update.serial++; | |
876 | else | |
877 | soa2Update.serial = newSer; | |
878 | } else if (pdns_iequals(soaEdit2136, "SOA-EDIT")) | |
879 | soa2Update.serial = calculateEditSOA(soa2Update, soaEdit); | |
880 | else if (pdns_iequals(soaEdit2136, "EPOCH")) | |
881 | soa2Update.serial = time(0); | |
882 | else { | |
883 | time_t now = time(0); | |
884 | struct tm tm; | |
885 | localtime_r(&now, &tm); | |
886 | boost::format fmt("%04d%02d%02d%02d"); | |
887 | string newserdate=(fmt % (tm.tm_year+1900) % (tm.tm_mon +1 )% tm.tm_mday % 1).str(); | |
888 | uint32_t newser = atol(newserdate.c_str()); | |
889 | if (newser <= soa2Update.serial) | |
890 | soa2Update.serial++; | |
891 | else | |
892 | soa2Update.serial = newser; | |
893 | } | |
894 | ||
895 | ||
896 | newRec.content = serializeSOAData(soa2Update); | |
3e0ab216 RA |
897 | vector<DNSResourceRecord> rrset; |
898 | rrset.push_back(newRec); | |
166ac305 | 899 | di->backend->replaceRRSet(di->id, newRec.qname, newRec.qtype, rrset); |
dff32e09 | 900 | L<<Logger::Notice<<msgPrefix<<"Increasing SOA serial ("<<oldSerial<<" -> "<<soa2Update.serial<<")"<<endl; |
166ac305 RA |
901 | |
902 | //Correct ordername + auth flag | |
903 | if(haveNSEC3) { | |
904 | string hashed; | |
905 | if(!narrow) | |
906 | hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, newRec.qname))); | |
907 | ||
908 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, newRec.qname, hashed, true); | |
909 | } | |
910 | else // NSEC | |
911 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, newRec.qname, true); | |
912 | ||
913 | // purge the cache for the SOA record. | |
f1b59a55 | 914 | PC.purge(newRec.qname); |
166ac305 | 915 | } |