]>
Commit | Line | Data |
---|---|---|
870a0fe4 AT |
1 | #ifdef HAVE_CONFIG_H |
2 | #include "config.h" | |
3 | #endif | |
f1b59a55 RA |
4 | #include "packethandler.hh" |
5 | #include "qtype.hh" | |
6 | #include "dnspacket.hh" | |
bf269e28 RG |
7 | #include "auth-caches.hh" |
8 | #include "statbag.hh" | |
f1b59a55 RA |
9 | #include "dnsseckeeper.hh" |
10 | #include "base64.hh" | |
11 | #include "base32.hh" | |
fa8fd4d2 | 12 | |
f1b59a55 RA |
13 | #include "misc.hh" |
14 | #include "arguments.hh" | |
b3148887 RA |
15 | #include "resolver.hh" |
16 | #include "dns_random.hh" | |
7facf345 | 17 | #include "backends/gsql/ssql.hh" |
4c5b6925 | 18 | #include "communicator.hh" |
f1b59a55 | 19 | |
276a5ce7 | 20 | extern StatBag S; |
4c5b6925 | 21 | extern CommunicatorClass Communicator; |
f1b59a55 | 22 | |
ee9ef8f2 RA |
23 | pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER; |
24 | ||
f1b59a55 RA |
25 | // Implement section 3.2.1 and 3.2.2 of RFC2136 |
26 | int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) { | |
27 | if (rr->d_ttl != 0) | |
28 | return RCode::FormErr; | |
29 | ||
30 | // 3.2.1 and 3.2.2 check content length. | |
31 | if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0) | |
32 | return RCode::FormErr; | |
33 | ||
f1b59a55 RA |
34 | bool foundRecord=false; |
35 | DNSResourceRecord rec; | |
f809c028 | 36 | di->backend->lookup(QType(QType::ANY), rr->d_name); |
f1b59a55 RA |
37 | while(di->backend->get(rec)) { |
38 | if (!rec.qtype.getCode()) | |
39 | continue; | |
40 | if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY) | |
41 | foundRecord=true; | |
42 | } | |
43 | ||
914353ca KM |
44 | // Section 3.2.1 |
45 | if (rr->d_class == QClass::ANY && !foundRecord) { | |
46 | if (rr->d_type == QType::ANY) | |
f1b59a55 RA |
47 | return RCode::NXDomain; |
48 | if (rr->d_type != QType::ANY) | |
49 | return RCode::NXRRSet; | |
914353ca | 50 | } |
f1b59a55 RA |
51 | |
52 | // Section 3.2.2 | |
53 | if (rr->d_class == QClass::NONE && foundRecord) { | |
54 | if (rr->d_type == QType::ANY) | |
55 | return RCode::YXDomain; | |
56 | if (rr->d_type != QType::ANY) | |
57 | return RCode::YXRRSet; | |
58 | } | |
59 | ||
60 | return RCode::NoError; | |
61 | } | |
62 | ||
63 | ||
64 | // Method implements section 3.4.1 of RFC2136 | |
65 | int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) { | |
66 | // The RFC stats that d_class != ZCLASS, but we only support the IN class. | |
914353ca | 67 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) |
f1b59a55 RA |
68 | return RCode::FormErr; |
69 | ||
70 | QType qtype = QType(rr->d_type); | |
71 | ||
72 | if (! qtype.isSupportedType()) | |
73 | return RCode::FormErr; | |
74 | ||
75 | if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) | |
76 | return RCode::FormErr; | |
77 | ||
78 | if (rr->d_class == QClass::ANY && rr->d_clen != 0) | |
79 | return RCode::FormErr; | |
914353ca | 80 | |
f1b59a55 RA |
81 | if (qtype.isMetadataType()) |
82 | return RCode::FormErr; | |
83 | ||
84 | if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) | |
85 | return RCode::FormErr; | |
86 | ||
87 | return RCode::NoError; | |
88 | } | |
89 | ||
6a323f63 | 90 | |
f1b59a55 | 91 | // Implements section 3.4.2 of RFC2136 |
d0d273cf | 92 | uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) { |
968de8d0 | 93 | |
dff32e09 RA |
94 | QType rrType = QType(rr->d_type); |
95 | ||
dff32e09 | 96 | if (rrType == QType::NSEC || rrType == QType::NSEC3) { |
e6a9dde5 | 97 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl; |
914353ca | 98 | return 0; |
dff32e09 RA |
99 | } |
100 | ||
cc8df07f | 101 | if (!isPresigned && ((!::arg().mustDo("direct-dnskey") && rrType == QType::DNSKEY) || rrType == QType::RRSIG)) { |
e6a9dde5 | 102 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl; |
dff32e09 RA |
103 | return 0; |
104 | } | |
105 | ||
f809c028 | 106 | if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) { |
e6a9dde5 | 107 | g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<", "<<rrType.getName()<<" must be at zone apex, ignoring!"<<endl; |
dff32e09 RA |
108 | return 0; |
109 | } | |
110 | ||
968de8d0 | 111 | |
d0d273cf | 112 | uint changedRecords = 0; |
6a323f63 RA |
113 | DNSResourceRecord rec; |
114 | vector<DNSResourceRecord> rrset, recordsToDelete; | |
675fa24c | 115 | set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records. |
6a323f63 | 116 | |
f1b59a55 | 117 | |
6a323f63 | 118 | if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update |
e6a9dde5 | 119 | DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.getName()<<endl); |
f1b59a55 | 120 | |
dff32e09 | 121 | if (rrType == QType::NSEC3PARAM) { |
e6a9dde5 | 122 | g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl; |
f858f843 | 123 | |
3343ad1f | 124 | NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */); |
f858f843 | 125 | *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record |
dff32e09 | 126 | d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow)); |
8c9bde70 KM |
127 | |
128 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
f858f843 | 129 | |
dff32e09 | 130 | vector<DNSResourceRecord> rrs; |
561434a6 | 131 | set<DNSName> qnames, nssets, dssets; |
f858f843 | 132 | di->backend->list(di->zone, di->id); |
dff32e09 | 133 | while (di->backend->get(rec)) { |
8c9bde70 | 134 | qnames.insert(rec.qname); |
8de4e1d7 | 135 | if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone) |
8c9bde70 KM |
136 | nssets.insert(rec.qname); |
137 | if(rec.qtype.getCode() == QType::DS) | |
138 | dssets.insert(rec.qname); | |
dff32e09 | 139 | } |
f858f843 | 140 | |
561434a6 | 141 | DNSName shorter; |
561434a6 | 142 | for(const auto& qname: qnames) { |
8c9bde70 KM |
143 | shorter = qname; |
144 | int ddepth = 0; | |
145 | do { | |
8de4e1d7 | 146 | if(qname == di->zone) |
f858f843 | 147 | break; |
8c9bde70 KM |
148 | if(nssets.count(shorter)) |
149 | ++ddepth; | |
561434a6 | 150 | } while(shorter.chopOff()); |
8c9bde70 | 151 | |
96e63d77 | 152 | DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname))); |
8c9bde70 | 153 | if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { |
96e63d77 | 154 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0 )); |
8c9bde70 KM |
155 | |
156 | if (nssets.count(qname)) { | |
157 | if (ns3pr->d_flags) | |
96e63d77 KM |
158 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS ); |
159 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A); | |
160 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA); | |
f858f843 | 161 | } |
f858f843 | 162 | } else { |
96e63d77 | 163 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0)); |
f858f843 | 164 | } |
3343ad1f | 165 | if (ddepth == 1 || dssets.count(qname)) // FIXME400 && ? |
96e63d77 | 166 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::DS); |
dff32e09 RA |
167 | } |
168 | return 1; | |
169 | } | |
170 | ||
f858f843 RA |
171 | |
172 | ||
6a323f63 | 173 | bool foundRecord = false; |
f809c028 | 174 | di->backend->lookup(rrType, rr->d_name); |
f1b59a55 | 175 | while (di->backend->get(rec)) { |
dff32e09 RA |
176 | rrset.push_back(rec); |
177 | foundRecord = true; | |
6a323f63 | 178 | } |
914353ca | 179 | |
6a323f63 | 180 | if (foundRecord) { |
73174643 | 181 | |
dff32e09 | 182 | if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current |
f1b59a55 | 183 | SOAData sdOld, sdUpdate; |
6a323f63 RA |
184 | DNSResourceRecord *oldRec = &rrset.front(); |
185 | fillSOAData(oldRec->content, sdOld); | |
186 | oldRec->setContent(rr->d_content->getZoneRepresentation()); | |
187 | fillSOAData(oldRec->content, sdUpdate); | |
f1b59a55 | 188 | if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) { |
6a323f63 | 189 | di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset); |
f1b59a55 | 190 | *updatedSerial = true; |
f5059bd3 | 191 | changedRecords++; |
e6a9dde5 | 192 | g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl; |
73174643 | 193 | } else { |
e6a9dde5 | 194 | g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl; |
73174643 | 195 | } |
6a323f63 RA |
196 | |
197 | // It's not possible to have multiple CNAME's with the same NAME. So we always update. | |
198 | } else if (rrType == QType::CNAME) { | |
73174643 | 199 | int changedCNames = 0; |
6a323f63 | 200 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { |
73174643 RA |
201 | if (i->ttl != rr->d_ttl || i->content != rr->d_content->getZoneRepresentation()) { |
202 | i->ttl = rr->d_ttl; | |
203 | i->setContent(rr->d_content->getZoneRepresentation()); | |
204 | changedCNames++; | |
205 | } | |
206 | } | |
207 | if (changedCNames > 0) { | |
f809c028 | 208 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
e6a9dde5 | 209 | g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl; |
73174643 RA |
210 | changedRecords += changedCNames; |
211 | } else { | |
e6a9dde5 | 212 | g_log<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl; |
f1b59a55 | 213 | } |
6a323f63 | 214 | |
518fc317 | 215 | // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL) |
6a323f63 | 216 | } else { |
73174643 | 217 | int updateTTL=0; |
6a323f63 RA |
218 | foundRecord = false; |
219 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { | |
220 | string content = rr->d_content->getZoneRepresentation(); | |
221 | if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) { | |
73174643 RA |
222 | foundRecord=true; |
223 | if (i->ttl != rr->d_ttl) { | |
224 | i->ttl = rr->d_ttl; | |
225 | updateTTL++; | |
226 | } | |
6a323f63 RA |
227 | } |
228 | } | |
73174643 | 229 | if (updateTTL > 0) { |
f809c028 | 230 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
e6a9dde5 | 231 | g_log<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl; |
73174643 RA |
232 | changedRecords += updateTTL; |
233 | } else { | |
e6a9dde5 | 234 | g_log<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl; |
7facf345 | 235 | } |
f1b59a55 | 236 | } |
6e42cac2 | 237 | |
73174643 | 238 | // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records. |
6e42cac2 | 239 | // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be. |
73174643 RA |
240 | if (changedRecords > 0) { |
241 | bool auth = rrset.front().auth; | |
242 | ||
243 | if(*haveNSEC3) { | |
8de4e1d7 | 244 | DNSName ordername; |
73174643 | 245 | if(! *narrow) |
96e63d77 | 246 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); |
73174643 RA |
247 | |
248 | if (*narrow) | |
96e63d77 | 249 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); |
73174643 | 250 | else |
96e63d77 | 251 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); |
73174643 | 252 | if(!auth || rrType == QType::DS) { |
96e63d77 KM |
253 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS); |
254 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); | |
255 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
73174643 | 256 | } |
6e42cac2 | 257 | |
73174643 | 258 | } else { // NSEC |
96e63d77 | 259 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth); |
73174643 | 260 | if(!auth || rrType == QType::DS) { |
96e63d77 KM |
261 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); |
262 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
73174643 | 263 | } |
6e42cac2 RA |
264 | } |
265 | } | |
266 | ||
267 | } // if (foundRecord) | |
f1b59a55 | 268 | |
6a323f63 | 269 | // If we haven't found a record that matches, we must add it. |
f1b59a55 | 270 | if (! foundRecord) { |
e6a9dde5 | 271 | g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.getName()<<endl; |
f809c028 | 272 | delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record. |
4950b140 | 273 | auto newRec = DNSResourceRecord::fromWire(*rr); |
f1b59a55 | 274 | newRec.domain_id = di->id; |
f809c028 | 275 | newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS); |
c9b43446 | 276 | di->backend->feedRecord(newRec, DNSName()); |
b0704e0d | 277 | changedRecords++; |
6a323f63 RA |
278 | |
279 | ||
280 | // because we added a record, we need to fix DNSSEC data. | |
f809c028 | 281 | DNSName shorter(rr->d_name); |
163cb726 | 282 | bool auth=newRec.auth; |
6a82ce4a | 283 | bool fixDS = (rrType == QType::DS); |
f1b59a55 | 284 | |
8de4e1d7 | 285 | if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's |
e70f2627 | 286 | do { |
6a82ce4a | 287 | |
8de4e1d7 | 288 | if (di->zone == shorter) |
f1b59a55 | 289 | break; |
914353ca | 290 | |
f1b59a55 RA |
291 | bool foundShorter = false; |
292 | di->backend->lookup(QType(QType::ANY), shorter); | |
293 | while (di->backend->get(rec)) { | |
f809c028 | 294 | if (rec.qname == rr->d_name && rec.qtype == QType::DS) |
6a82ce4a | 295 | fixDS = true; |
f809c028 | 296 | if (shorter != rr->d_name) |
e70f2627 | 297 | foundShorter = true; |
163cb726 | 298 | if (rec.qtype == QType::NS) // are we inserting below a delegate? |
f1b59a55 RA |
299 | auth=false; |
300 | } | |
6a82ce4a | 301 | |
f809c028 | 302 | if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT. |
f1b59a55 | 303 | insnonterm.insert(shorter); |
e70f2627 | 304 | if (foundShorter) |
a95f897d | 305 | break; // if we find a shorter record, we can stop searching |
675fa24c | 306 | } while(shorter.chopOff()); |
f1b59a55 RA |
307 | } |
308 | ||
dff32e09 | 309 | if(*haveNSEC3) |
f1b59a55 | 310 | { |
8de4e1d7 | 311 | DNSName ordername; |
914353ca | 312 | if(! *narrow) |
96e63d77 | 313 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); |
914353ca | 314 | |
e70f2627 | 315 | if (*narrow) |
96e63d77 | 316 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); |
e70f2627 | 317 | else |
96e63d77 | 318 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); |
e70f2627 | 319 | |
6a82ce4a | 320 | if (fixDS) |
96e63d77 | 321 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS); |
6a82ce4a | 322 | |
929eee6b | 323 | if(!auth) |
f1b59a55 | 324 | { |
914353ca | 325 | if (ns3pr->d_flags) |
96e63d77 KM |
326 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS); |
327 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); | |
328 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
329 | } |
330 | } | |
331 | else // NSEC | |
332 | { | |
96e63d77 KM |
333 | DNSName ordername=rr->d_name.makeRelative(di->zone); |
334 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth); | |
6a82ce4a | 335 | if (fixDS) { |
96e63d77 | 336 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS); |
6a82ce4a RA |
337 | } |
338 | if(!auth) { | |
96e63d77 KM |
339 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A); |
340 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
341 | } |
342 | } | |
6a323f63 RA |
343 | |
344 | ||
f1b59a55 | 345 | // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate. |
f809c028 | 346 | // Auth can only be false when the rr->d_name is not the zone |
6a323f63 | 347 | if (auth == false && rrType == QType::NS) { |
e6a9dde5 | 348 | DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl); |
6a82ce4a | 349 | insnonterm.clear(); // No ENT's are needed below delegates (auth=0) |
561434a6 | 350 | vector<DNSName> qnames; |
f809c028 | 351 | di->backend->listSubZone(rr->d_name, di->id); |
f1b59a55 | 352 | while(di->backend->get(rec)) { |
f809c028 | 353 | if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record. |
f1b59a55 RA |
354 | qnames.push_back(rec.qname); |
355 | } | |
561434a6 | 356 | for(vector<DNSName>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { |
dff32e09 | 357 | if(*haveNSEC3) { |
8de4e1d7 | 358 | DNSName ordername; |
914353ca | 359 | if(! *narrow) |
96e63d77 | 360 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname))); |
914353ca | 361 | |
6a82ce4a | 362 | if (*narrow) |
96e63d77 | 363 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); // FIXME400 no *qname here? |
6a82ce4a | 364 | else |
96e63d77 | 365 | di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, auth); |
6a82ce4a | 366 | |
be40c2df | 367 | if (ns3pr->d_flags) |
96e63d77 KM |
368 | di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::NS); |
369 | } | |
370 | else { // NSEC | |
371 | DNSName ordername=DNSName(*qname).makeRelative(di->zone); | |
372 | di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, false, QType::NS); | |
f1b59a55 | 373 | } |
f1b59a55 | 374 | |
96e63d77 KM |
375 | di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::A); |
376 | di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::AAAA); | |
f1b59a55 RA |
377 | } |
378 | } | |
f1b59a55 RA |
379 | } |
380 | } // rr->d_class == QClass::IN | |
381 | ||
914353ca | 382 | |
6a323f63 RA |
383 | // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by |
384 | // the code that calls this performUpdate(). | |
385 | if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA. | |
e6a9dde5 | 386 | DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl); |
dff32e09 RA |
387 | |
388 | if (rrType == QType::NSEC3PARAM) { | |
e6a9dde5 | 389 | g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl; |
dff32e09 | 390 | if (rr->d_class == QClass::ANY) |
f809c028 | 391 | d_dk.unsetNSEC3PARAM(rr->d_name); |
dff32e09 | 392 | else if (rr->d_class == QClass::NONE) { |
3343ad1f | 393 | NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */); |
0bb68041 | 394 | if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation()) |
f809c028 | 395 | d_dk.unsetNSEC3PARAM(rr->d_name); |
dff32e09 RA |
396 | else |
397 | return 0; | |
914353ca | 398 | } else |
dff32e09 RA |
399 | return 0; |
400 | ||
e3dc2b56 RA |
401 | // We retrieve new values, other RR's in this update package might need it as well. |
402 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
403 | ||
dff32e09 | 404 | vector<DNSResourceRecord> rrs; |
561434a6 | 405 | set<DNSName> qnames, nssets, dssets, ents; |
b48fe0e3 | 406 | di->backend->list(di->zone, di->id); |
b1ca7619 | 407 | while (di->backend->get(rec)) { |
b48fe0e3 | 408 | qnames.insert(rec.qname); |
8de4e1d7 | 409 | if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone) |
b48fe0e3 KM |
410 | nssets.insert(rec.qname); |
411 | if(rec.qtype.getCode() == QType::DS) | |
412 | dssets.insert(rec.qname); | |
413 | if(!rec.qtype.getCode()) | |
414 | ents.insert(rec.qname); | |
b1ca7619 | 415 | } |
b48fe0e3 | 416 | |
561434a6 PD |
417 | DNSName shorter; |
418 | string hashed; | |
ef7cd021 | 419 | for(const DNSName& qname : qnames) { |
b48fe0e3 KM |
420 | shorter = qname; |
421 | int ddepth = 0; | |
422 | do { | |
8de4e1d7 | 423 | if(qname == di->zone) |
b48fe0e3 KM |
424 | break; |
425 | if(nssets.count(shorter)) | |
426 | ++ddepth; | |
561434a6 | 427 | } while(shorter.chopOff()); |
b48fe0e3 | 428 | |
96e63d77 | 429 | DNSName ordername=qname.makeRelative(di->zone); |
b48fe0e3 | 430 | if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { |
96e63d77 | 431 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0)); |
b48fe0e3 KM |
432 | |
433 | if (nssets.count(qname)) { | |
96e63d77 KM |
434 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A); |
435 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA); | |
b1ca7619 | 436 | } |
b48fe0e3 | 437 | } else { |
96e63d77 | 438 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0)); |
b1ca7619 | 439 | } |
b48fe0e3 | 440 | if (ddepth == 1 || dssets.count(qname)) |
96e63d77 | 441 | di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, true, QType::DS); |
dff32e09 RA |
442 | } |
443 | return 1; | |
589563c0 | 444 | } // end of NSEC3PARAM delete block |
dff32e09 RA |
445 | |
446 | ||
f809c028 | 447 | di->backend->lookup(rrType, rr->d_name); |
6a323f63 RA |
448 | while(di->backend->get(rec)) { |
449 | if (rr->d_class == QClass::ANY) { // 3.4.2.3 | |
450 | if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's | |
451 | rrset.push_back(rec); | |
452 | else | |
f1b59a55 RA |
453 | recordsToDelete.push_back(rec); |
454 | } | |
6a323f63 RA |
455 | if (rr->d_class == QClass::NONE) { // 3.4.2.4 |
456 | if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation()) | |
457 | recordsToDelete.push_back(rec); | |
458 | else | |
459 | rrset.push_back(rec); | |
460 | } | |
f1b59a55 | 461 | } |
589563c0 RA |
462 | |
463 | if (recordsToDelete.size()) { | |
f809c028 | 464 | di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset); |
e6a9dde5 | 465 | g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.getName()<<endl; |
589563c0 | 466 | changedRecords += recordsToDelete.size(); |
f1b59a55 | 467 | |
f1b59a55 | 468 | |
589563c0 | 469 | // If we've removed a delegate, we need to reset ordername/auth for some records. |
f809c028 | 470 | if (rrType == QType::NS && rr->d_name != di->zone) { |
675fa24c | 471 | vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag; |
f809c028 | 472 | di->backend->listSubZone(rr->d_name, di->id); |
f1b59a55 | 473 | while (di->backend->get(rec)) { |
7a0a9f8a | 474 | if (rec.qtype.getCode()) // skip ENT records, they are always auth=false |
a95f897d | 475 | belowOldDelegate.push_back(rec.qname); |
f809c028 | 476 | if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name) |
a95f897d | 477 | nsRecs.push_back(rec.qname); |
f1b59a55 | 478 | } |
a95f897d | 479 | |
675fa24c | 480 | for(auto &belowOldDel: belowOldDelegate) |
a95f897d RA |
481 | { |
482 | bool isBelowDelegate = false; | |
561434a6 PD |
483 | for(const auto & ns: nsRecs) { |
484 | if (ns.isPartOf(belowOldDel)) { | |
a95f897d RA |
485 | isBelowDelegate=true; |
486 | break; | |
487 | } | |
488 | } | |
489 | if (!isBelowDelegate) | |
561434a6 | 490 | updateAuthFlag.push_back(belowOldDel); |
a95f897d RA |
491 | } |
492 | ||
561434a6 | 493 | for (const auto &changeRec:updateAuthFlag) { |
dff32e09 | 494 | if(*haveNSEC3) { |
8de4e1d7 | 495 | DNSName ordername; |
914353ca | 496 | if(! *narrow) |
96e63d77 | 497 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec))); |
914353ca | 498 | |
96e63d77 KM |
499 | di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true); |
500 | } | |
501 | else { // NSEC | |
502 | DNSName ordername=changeRec.makeRelative(di->zone); | |
503 | di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true); | |
f1b59a55 | 504 | } |
f1b59a55 RA |
505 | } |
506 | } | |
f1b59a55 | 507 | |
6a323f63 RA |
508 | // Fix ENT records. |
509 | // We must check if we have a record below the current level and if we removed the 'last' record | |
510 | // on that level. If so, we must insert an ENT record. | |
fdf983eb | 511 | // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit. |
9353d244 | 512 | bool foundDeeper = false, foundOtherWithSameName = false; |
f809c028 | 513 | di->backend->listSubZone(rr->d_name, di->id); |
6a323f63 | 514 | while (di->backend->get(rec)) { |
f809c028 | 515 | if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) |
9353d244 | 516 | foundOtherWithSameName = true; |
f809c028 | 517 | if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT |
6a323f63 RA |
518 | foundDeeper = true; |
519 | } | |
f1b59a55 | 520 | |
9353d244 | 521 | if (foundDeeper && !foundOtherWithSameName) { |
f809c028 | 522 | insnonterm.insert(rr->d_name); |
9353d244 | 523 | } else if (!foundOtherWithSameName) { |
6a323f63 RA |
524 | // If we didn't have to insert an ENT, we might have deleted a record at very deep level |
525 | // and we must then clean up the ENT's above the deleted record. | |
f809c028 | 526 | DNSName shorter(rr->d_name); |
9353d244 | 527 | while (shorter != di->zone) { |
675fa24c | 528 | shorter.chopOff(); |
9353d244 | 529 | bool foundRealRR = false; |
a95f897d | 530 | bool foundEnt = false; |
9353d244 RA |
531 | |
532 | // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch | |
6a323f63 | 533 | // consider these non ENT-records: |
9353d244 RA |
534 | // b.c.d.e.test.com |
535 | // b.d.e.test.com | |
536 | // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com. | |
6a323f63 RA |
537 | // At that point we can stop deleting ENT's because the tree is in tact again. |
538 | di->backend->listSubZone(shorter, di->id); | |
914353ca | 539 | |
9353d244 RA |
540 | while (di->backend->get(rec)) { |
541 | if (rec.qtype.getCode()) | |
542 | foundRealRR = true; | |
a95f897d RA |
543 | else |
544 | foundEnt = true; | |
9353d244 | 545 | } |
3ab4cfca | 546 | if (!foundRealRR) { |
a95f897d RA |
547 | if (foundEnt) // only delete the ENT if we actually found one. |
548 | delnonterm.insert(shorter); | |
3ab4cfca | 549 | } else |
9353d244 RA |
550 | break; |
551 | } | |
6a323f63 | 552 | } |
589563c0 | 553 | } else { // if (recordsToDelete.size()) |
e6a9dde5 | 554 | g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but not found."<<endl; |
f1b59a55 | 555 | } |
589563c0 RA |
556 | } // (End of delete block d_class == ANY || d_class == NONE |
557 | ||
f1b59a55 | 558 | |
6a323f63 RA |
559 | |
560 | //Insert and delete ENT's | |
561 | if (insnonterm.size() > 0 || delnonterm.size() > 0) { | |
e6a9dde5 | 562 | DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl); |
96e63d77 | 563 | di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false); |
561434a6 | 564 | for (const auto &i: insnonterm) { |
6a323f63 | 565 | string hashed; |
8de4e1d7 | 566 | if(*haveNSEC3) |
6a323f63 | 567 | { |
8de4e1d7 | 568 | DNSName ordername; |
914353ca | 569 | if(! *narrow) |
96e63d77 KM |
570 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i))); |
571 | di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true); | |
f1b59a55 RA |
572 | } |
573 | } | |
574 | } | |
575 | ||
589563c0 | 576 | return changedRecords; |
f1b59a55 RA |
577 | } |
578 | ||
b3148887 | 579 | int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) { |
e174b255 | 580 | vector<string> forward; |
71f758e0 | 581 | B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward); |
e174b255 | 582 | |
71f758e0 | 583 | if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) { |
e6a9dde5 | 584 | g_log<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl; |
d8293c79 | 585 | return RCode::Refused; |
e174b255 RA |
586 | } |
587 | ||
d622042f | 588 | for(const auto& remote : di->masters) { |
9b0f144f | 589 | g_log<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<remote<<endl; |
b3148887 RA |
590 | |
591 | ComboAddress local; | |
9d36589a | 592 | if (remote.sin4.sin_family == AF_INET && !::arg()["query-local-address"].empty()) { |
cc456024 | 593 | local = ComboAddress(::arg()["query-local-address"]); |
9d36589a | 594 | } else if(remote.sin4.sin_family == AF_INET6 && !::arg()["query-local-address6"].empty()) { |
cc456024 | 595 | local = ComboAddress(::arg()["query-local-address6"]); |
9d36589a PL |
596 | } else { |
597 | continue; | |
598 | } | |
b3148887 | 599 | int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this. |
34c513f9 | 600 | if(sock < 0) { |
e6a9dde5 | 601 | g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl; |
34c513f9 RG |
602 | continue; |
603 | } | |
b3148887 RA |
604 | |
605 | if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) { | |
e6a9dde5 | 606 | g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl; |
a7b68ae7 RG |
607 | try { |
608 | closesocket(sock); | |
609 | } | |
610 | catch(const PDNSException& e) { | |
e6a9dde5 | 611 | g_log<<Logger::Error<<"Error closing master forwarding socket after connect() failed: "<<e.reason<<endl; |
a7b68ae7 | 612 | } |
b3148887 RA |
613 | continue; |
614 | } | |
615 | ||
616 | DNSPacket forwardPacket(*p); | |
617 | forwardPacket.setID(dns_random(0xffff)); | |
618 | forwardPacket.setRemote(&remote); | |
619 | uint16_t len=htons(forwardPacket.getString().length()); | |
620 | string buffer((const char*)&len, 2); | |
621 | buffer.append(forwardPacket.getString()); | |
914353ca | 622 | if(write(sock, buffer.c_str(), buffer.length()) < 0) { |
e6a9dde5 | 623 | g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
a7b68ae7 RG |
624 | try { |
625 | closesocket(sock); | |
626 | } | |
627 | catch(const PDNSException& e) { | |
e6a9dde5 | 628 | g_log<<Logger::Error<<"Error closing master forwarding socket after write() failed: "<<e.reason<<endl; |
a7b68ae7 | 629 | } |
b3148887 RA |
630 | continue; |
631 | } | |
632 | ||
633 | int res = waitForData(sock, 10, 0); | |
634 | if (!res) { | |
e6a9dde5 | 635 | g_log<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl; |
a7b68ae7 RG |
636 | try { |
637 | closesocket(sock); | |
638 | } | |
639 | catch(const PDNSException& e) { | |
e6a9dde5 | 640 | g_log<<Logger::Error<<"Error closing master forwarding socket after a timeout occured: "<<e.reason<<endl; |
a7b68ae7 | 641 | } |
b3148887 RA |
642 | continue; |
643 | } | |
644 | if (res < 0) { | |
e6a9dde5 | 645 | g_log<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
a7b68ae7 RG |
646 | try { |
647 | closesocket(sock); | |
648 | } | |
649 | catch(const PDNSException& e) { | |
e6a9dde5 | 650 | g_log<<Logger::Error<<"Error closing master forwarding socket after an error occured: "<<e.reason<<endl; |
a7b68ae7 | 651 | } |
b3148887 RA |
652 | continue; |
653 | } | |
654 | ||
f6a81077 RG |
655 | unsigned char lenBuf[2]; |
656 | ssize_t recvRes; | |
b3148887 | 657 | recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0); |
f6a81077 | 658 | if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) { |
e6a9dde5 | 659 | g_log<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
a7b68ae7 RG |
660 | try { |
661 | closesocket(sock); | |
662 | } | |
663 | catch(const PDNSException& e) { | |
e6a9dde5 | 664 | g_log<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl; |
a7b68ae7 | 665 | } |
b3148887 RA |
666 | continue; |
667 | } | |
f6a81077 | 668 | size_t packetLen = lenBuf[0]*256+lenBuf[1]; |
b3148887 | 669 | |
2c001eb6 RG |
670 | buffer.resize(packetLen); |
671 | recvRes = recv(sock, &buffer.at(0), packetLen, 0); | |
b3148887 | 672 | if (recvRes < 0) { |
e6a9dde5 | 673 | g_log<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
a7b68ae7 RG |
674 | try { |
675 | closesocket(sock); | |
676 | } | |
677 | catch(const PDNSException& e) { | |
e6a9dde5 | 678 | g_log<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl; |
a7b68ae7 | 679 | } |
b3148887 RA |
680 | continue; |
681 | } | |
a7b68ae7 RG |
682 | try { |
683 | closesocket(sock); | |
684 | } | |
685 | catch(const PDNSException& e) { | |
e6a9dde5 | 686 | g_log<<Logger::Error<<"Error closing master forwarding socket: "<<e.reason<<endl; |
a7b68ae7 | 687 | } |
b3148887 RA |
688 | |
689 | try { | |
2c001eb6 | 690 | MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes)); |
e6a9dde5 | 691 | g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl; |
b3148887 RA |
692 | return mdp.d_header.rcode; |
693 | } | |
694 | catch (...) { | |
e6a9dde5 | 695 | g_log<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl; |
b3148887 RA |
696 | continue; |
697 | } | |
698 | } | |
e6a9dde5 | 699 | g_log<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl; |
b3148887 RA |
700 | return RCode::ServFail; |
701 | ||
702 | } | |
703 | ||
f1b59a55 | 704 | int PacketHandler::processUpdate(DNSPacket *p) { |
d07bf7ff | 705 | if (! ::arg().mustDo("dnsupdate")) |
f1b59a55 | 706 | return RCode::Refused; |
914353ca | 707 | |
ded6b08d | 708 | string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote().toString() + " for " + p->qdomain.toLogString() + ": "; |
e6a9dde5 | 709 | g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl; |
f1b59a55 | 710 | |
0ecc1158 AT |
711 | // if there is policy, we delegate all checks to it |
712 | if (this->d_update_policy_lua == NULL) { | |
f1b59a55 | 713 | |
0ecc1158 AT |
714 | // Check permissions - IP based |
715 | vector<string> allowedRanges; | |
716 | B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges); | |
717 | if (! ::arg()["allow-dnsupdate-from"].empty()) | |
718 | stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" ); | |
f1b59a55 | 719 | |
0ecc1158 AT |
720 | NetmaskGroup ng; |
721 | for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++) | |
722 | ng.addMask(*i); | |
914353ca | 723 | |
0ecc1158 | 724 | if ( ! ng.match(&p->d_remote)) { |
e6a9dde5 | 725 | g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl; |
f1b59a55 RA |
726 | return RCode::Refused; |
727 | } | |
728 | ||
0ecc1158 AT |
729 | |
730 | // Check permissions - TSIG based. | |
731 | vector<string> tsigKeys; | |
732 | B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys); | |
733 | if (tsigKeys.size() > 0) { | |
734 | bool validKey = false; | |
735 | ||
736 | TSIGRecordContent trc; | |
737 | DNSName inputkey; | |
738 | string message; | |
ea3816cf | 739 | if (! p->getTSIGDetails(&trc, &inputkey)) { |
e6a9dde5 | 740 | g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl; |
0ecc1158 | 741 | return RCode::Refused; |
6917c321 | 742 | } |
0ecc1158 AT |
743 | |
744 | if (p->d_tsig_algo == TSIG_GSS) { | |
745 | GssName inputname(p->d_peer_principal); // match against principal since GSS | |
746 | for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) { | |
747 | if (inputname.match(*key)) { | |
748 | validKey = true; | |
749 | break; | |
750 | } | |
751 | } | |
752 | } else { | |
753 | for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) { | |
754 | if (inputkey == DNSName(*key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid. | |
755 | validKey=true; | |
756 | break; | |
757 | } | |
6917c321 AT |
758 | } |
759 | } | |
f1b59a55 | 760 | |
0ecc1158 | 761 | if (!validKey) { |
e6a9dde5 | 762 | g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl; |
0ecc1158 AT |
763 | return RCode::Refused; |
764 | } | |
f1b59a55 | 765 | } |
f1b59a55 | 766 | |
0ecc1158 | 767 | if (tsigKeys.size() == 0 && p->d_havetsig) |
e6a9dde5 | 768 | g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl; |
0ecc1158 AT |
769 | |
770 | } | |
f1b59a55 RA |
771 | |
772 | // RFC2136 uses the same DNS Header and Message as defined in RFC1035. | |
914353ca | 773 | // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different |
f1b59a55 | 774 | // variable names during the use of our MOADNSParser. |
27c0050c | 775 | MOADNSParser mdp(false, p->getString()); |
f1b59a55 | 776 | if (mdp.d_header.qdcount != 1) { |
e6a9dde5 | 777 | g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl; |
f1b59a55 | 778 | return RCode::FormErr; |
914353ca | 779 | } |
f1b59a55 RA |
780 | |
781 | if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA | |
e6a9dde5 | 782 | g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl; |
f1b59a55 RA |
783 | return RCode::FormErr; |
784 | } | |
785 | ||
786 | if (p->qclass != QClass::IN) { | |
e6a9dde5 | 787 | g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl; |
f1b59a55 RA |
788 | return RCode::NotAuth; |
789 | } | |
790 | ||
791 | DomainInfo di; | |
792 | di.backend=0; | |
793 | if(!B.getDomainInfo(p->qdomain, di) || !di.backend) { | |
e6a9dde5 | 794 | g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support DNS update operation)"<<endl; |
f1b59a55 RA |
795 | return RCode::NotAuth; |
796 | } | |
797 | ||
b3148887 RA |
798 | if (di.kind == DomainInfo::Slave) |
799 | return forwardPacket(msgPrefix, p, &di); | |
f1b59a55 | 800 | |
914353ca | 801 | // Check if all the records provided are within the zone |
f1b59a55 RA |
802 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
803 | const DNSRecord *rr = &i->first; | |
804 | // Skip this check for other field types (like the TSIG - which is in the additional section) | |
dff32e09 | 805 | // For a TSIG, the label is the dnskey, so it does not pass the endOn validation. |
e693ff5a | 806 | if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY)) |
f1b59a55 RA |
807 | continue; |
808 | ||
f809c028 | 809 | if (!rr->d_name.isPartOf(di.zone)) { |
e6a9dde5 | 810 | g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl; |
f1b59a55 RA |
811 | return RCode::NotZone; |
812 | } | |
813 | } | |
814 | ||
dff32e09 RA |
815 | |
816 | Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything | |
e6a9dde5 | 817 | g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl; |
dff32e09 | 818 | if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records. |
e6a9dde5 | 819 | g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl; |
f1b59a55 RA |
820 | return RCode::NotImp; |
821 | } | |
822 | ||
914353ca | 823 | // 3.2.1 and 3.2.2 - Prerequisite check |
f1b59a55 RA |
824 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
825 | const DNSRecord *rr = &i->first; | |
e693ff5a | 826 | if (rr->d_place == DNSResourceRecord::ANSWER) { |
f1b59a55 RA |
827 | int res = checkUpdatePrerequisites(rr, &di); |
828 | if (res>0) { | |
e6a9dde5 | 829 | g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<RCode::to_s(res)<<endl; |
f1b59a55 RA |
830 | di.backend->abortTransaction(); |
831 | return res; | |
832 | } | |
914353ca | 833 | } |
f1b59a55 RA |
834 | } |
835 | ||
d3f46849 | 836 | // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR. |
561434a6 | 837 | typedef pair<DNSName, QType> rrSetKey_t; |
f1b59a55 RA |
838 | typedef vector<DNSResourceRecord> rrVector_t; |
839 | typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t; | |
840 | RRsetMap_t preReqRRsets; | |
4950b140 CH |
841 | for(const auto& i : mdp.d_answers) { |
842 | const DNSRecord* rr = &i.first; | |
e693ff5a | 843 | if (rr->d_place == DNSResourceRecord::ANSWER) { |
f1b59a55 | 844 | // Last line of 3.2.3 |
914353ca | 845 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) |
f1b59a55 RA |
846 | return RCode::FormErr; |
847 | ||
848 | if (rr->d_class == QClass::IN) { | |
f809c028 | 849 | rrSetKey_t key = make_pair(rr->d_name, QType(rr->d_type)); |
f1b59a55 | 850 | rrVector_t *vec = &preReqRRsets[key]; |
4950b140 | 851 | vec->push_back(DNSResourceRecord::fromWire(*rr)); |
f1b59a55 RA |
852 | } |
853 | } | |
854 | } | |
855 | ||
856 | if (preReqRRsets.size() > 0) { | |
857 | RRsetMap_t zoneRRsets; | |
858 | for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) { | |
859 | rrSetKey_t rrSet=preRRSet->first; | |
860 | rrVector_t *vec = &preRRSet->second; | |
861 | ||
862 | DNSResourceRecord rec; | |
863 | di.backend->lookup(QType(QType::ANY), rrSet.first); | |
864 | uint16_t foundRR=0, matchRR=0; | |
865 | while (di.backend->get(rec)) { | |
866 | if (rec.qtype == rrSet.second) { | |
867 | foundRR++; | |
868 | for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) { | |
869 | rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks. | |
914353ca | 870 | if (*rrItem == rec) |
f1b59a55 RA |
871 | matchRR++; |
872 | } | |
873 | } | |
874 | } | |
875 | if (matchRR != foundRR || foundRR != vec->size()) { | |
e6a9dde5 | 876 | g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl; |
f1b59a55 RA |
877 | di.backend->abortTransaction(); |
878 | return RCode::NXRRSet; | |
879 | } | |
880 | } | |
881 | } | |
882 | ||
883 | ||
884 | ||
0bb68041 | 885 | // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block. |
f1b59a55 | 886 | try { |
d0d273cf | 887 | uint changedRecords = 0; |
f1b59a55 RA |
888 | // 3.4.1 - Prescan section |
889 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
890 | const DNSRecord *rr = &i->first; | |
e693ff5a | 891 | if (rr->d_place == DNSResourceRecord::AUTHORITY) { |
f1b59a55 RA |
892 | int res = checkUpdatePrescan(rr); |
893 | if (res>0) { | |
e6a9dde5 | 894 | g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl; |
f1b59a55 RA |
895 | di.backend->abortTransaction(); |
896 | return res; | |
897 | } | |
898 | } | |
899 | } | |
900 | ||
901 | bool updatedSerial=false; | |
902 | NSEC3PARAMRecordContent ns3pr; | |
914353ca | 903 | bool narrow=false; |
f1b59a55 | 904 | bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow); |
dff32e09 | 905 | bool isPresigned = d_dk.isPresigned(di.zone); |
f1b59a55 | 906 | |
f1b59a55 RA |
907 | // 3.4.2 - Perform the updates. |
908 | // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4) | |
7c696097 | 909 | // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR. |
f1b59a55 | 910 | vector<const DNSRecord *> nsRRtoDelete; |
6f604952 PL |
911 | |
912 | // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270) | |
913 | set<DNSName> cn, nocn; | |
914 | for (const auto &rr : mdp.d_answers) { | |
915 | if (rr.first.d_place == DNSResourceRecord::AUTHORITY && rr.first.d_class == QClass::IN && rr.first.d_ttl > 0) { | |
916 | // Addition | |
917 | if (rr.first.d_type == QType::CNAME) { | |
918 | cn.insert(rr.first.d_name); | |
919 | } else if (rr.first.d_type != QType::RRSIG) { | |
920 | nocn.insert(rr.first.d_name); | |
921 | } | |
922 | } | |
923 | } | |
924 | for (auto const &n : cn) { | |
925 | if (nocn.count(n) > 0) { | |
e6a9dde5 | 926 | g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl; |
6f604952 PL |
927 | di.backend->abortTransaction(); |
928 | return RCode::FormErr; | |
929 | } | |
930 | } | |
931 | ||
932 | vector<const DNSRecord *> cnamesToAdd, nonCnamesToAdd; | |
f1b59a55 RA |
933 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
934 | const DNSRecord *rr = &i->first; | |
e693ff5a | 935 | if (rr->d_place == DNSResourceRecord::AUTHORITY) { |
0ecc1158 AT |
936 | /* see if it's permitted by policy */ |
937 | if (this->d_update_policy_lua != NULL) { | |
938 | if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, p) == false) { | |
e6a9dde5 | 939 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Not permitted by policy"<<endl; |
0ecc1158 AT |
940 | continue; |
941 | } else { | |
e6a9dde5 | 942 | g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Permitted by policy"<<endl; |
0ecc1158 AT |
943 | } |
944 | } | |
945 | ||
f809c028 | 946 | if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone) |
f1b59a55 | 947 | nsRRtoDelete.push_back(rr); |
6f604952 PL |
948 | else if (rr->d_class == QClass::IN && rr->d_ttl > 0) { |
949 | if (rr->d_type == QType::CNAME) { | |
950 | cnamesToAdd.push_back(rr); | |
951 | } else { | |
952 | nonCnamesToAdd.push_back(rr); | |
953 | } | |
954 | } | |
f1b59a55 | 955 | else |
d0d273cf | 956 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
957 | } |
958 | } | |
6f604952 PL |
959 | for (const auto &rr : cnamesToAdd) { |
960 | DNSResourceRecord rec; | |
961 | di.backend->lookup(QType(QType::ANY), rr->d_name); | |
962 | while (di.backend->get(rec)) { | |
963 | if (rec.qtype != QType::CNAME && rec.qtype != QType::RRSIG) { | |
e6a9dde5 | 964 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Data other than CNAME exists for the same name"<<endl; |
6f604952 PL |
965 | di.backend->abortTransaction(); |
966 | return RCode::Refused; | |
967 | } | |
968 | } | |
969 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); | |
970 | } | |
971 | for (const auto &rr : nonCnamesToAdd) { | |
972 | DNSResourceRecord rec; | |
973 | di.backend->lookup(QType(QType::CNAME), rr->d_name); | |
974 | while (di.backend->get(rec)) { | |
975 | if (rec.qtype == QType::CNAME && rr->d_type != QType::RRSIG) { | |
e6a9dde5 | 976 | g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": CNAME exists for the same name"<<endl; |
6f604952 PL |
977 | di.backend->abortTransaction(); |
978 | return RCode::Refused; | |
979 | } | |
980 | } | |
981 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); | |
982 | } | |
f1b59a55 RA |
983 | if (nsRRtoDelete.size()) { |
984 | vector<DNSResourceRecord> nsRRInZone; | |
985 | DNSResourceRecord rec; | |
986 | di.backend->lookup(QType(QType::NS), di.zone); | |
987 | while (di.backend->get(rec)) { | |
988 | nsRRInZone.push_back(rec); | |
989 | } | |
990 | if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4) | |
991 | for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) { | |
992 | for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) { | |
993 | if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation()) | |
d0d273cf | 994 | changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
995 | } |
996 | } | |
997 | } | |
998 | } | |
999 | ||
f1b59a55 | 1000 | // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message |
d0d273cf | 1001 | if (changedRecords > 0 && !updatedSerial) { |
166ac305 | 1002 | increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr); |
d0d273cf | 1003 | changedRecords++; |
890c7124 RA |
1004 | } |
1005 | ||
d0d273cf | 1006 | if (changedRecords > 0) { |
dce6b818 | 1007 | if (!di.backend->commitTransaction()) { |
e6a9dde5 | 1008 | g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl; |
dce6b818 RA |
1009 | return RCode::ServFail; |
1010 | } | |
914353ca | 1011 | |
71f758e0 | 1012 | S.deposit("dnsupdate-changes", changedRecords); |
7facf345 | 1013 | |
dce6b818 | 1014 | // Purge the records! |
7abbc40f | 1015 | string zone(di.zone.toString()); |
dce6b818 | 1016 | zone.append("$"); |
bf269e28 | 1017 | purgeAuthCaches(zone); |
0bb68041 | 1018 | |
4c5b6925 KM |
1019 | // Notify slaves |
1020 | if (di.kind == DomainInfo::Master) { | |
1021 | vector<string> notify; | |
1022 | B.getDomainMetadata(p->qdomain, "NOTIFY-DNSUPDATE", notify); | |
1023 | if (!notify.empty() && notify.front() == "1") { | |
1024 | Communicator.notifyDomain(di.zone); | |
1025 | } | |
1026 | } | |
1027 | ||
e6a9dde5 | 1028 | g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl; |
dce6b818 RA |
1029 | } else { |
1030 | //No change, no commit, we perform abort() because some backends might like this more. | |
e6a9dde5 | 1031 | g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl; |
dce6b818 RA |
1032 | di.backend->abortTransaction(); |
1033 | } | |
0bb68041 RA |
1034 | return RCode::NoError; //rfc 2136 3.4.2.5 |
1035 | } | |
1036 | catch (SSqlException &e) { | |
e6a9dde5 | 1037 | g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl; |
0bb68041 RA |
1038 | di.backend->abortTransaction(); |
1039 | return RCode::ServFail; | |
f1b59a55 | 1040 | } |
ee9ef8f2 | 1041 | catch (DBException &e) { |
e6a9dde5 | 1042 | g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl; |
ee9ef8f2 RA |
1043 | di.backend->abortTransaction(); |
1044 | return RCode::ServFail; | |
1045 | } | |
05ff9dab | 1046 | catch (PDNSException &e) { |
e6a9dde5 | 1047 | g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl; |
f1b59a55 RA |
1048 | di.backend->abortTransaction(); |
1049 | return RCode::ServFail; | |
1050 | } | |
28b66a94 | 1051 | catch(std::exception &e) { |
e6a9dde5 | 1052 | g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl; |
28b66a94 KM |
1053 | di.backend->abortTransaction(); |
1054 | return RCode::ServFail; | |
1055 | } | |
f1b59a55 | 1056 | catch (...) { |
e6a9dde5 | 1057 | g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl; |
f1b59a55 RA |
1058 | di.backend->abortTransaction(); |
1059 | return RCode::ServFail; | |
1060 | } | |
f1b59a55 RA |
1061 | } |
1062 | ||
166ac305 | 1063 | void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) { |
13f9e280 CH |
1064 | SOAData sd; |
1065 | if (!di->backend->getSOA(di->zone, sd, true)) { | |
05ff9dab | 1066 | throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie."); |
f1b59a55 | 1067 | } |
f1b59a55 | 1068 | |
13f9e280 | 1069 | uint32_t oldSerial = sd.serial; |
e31f9680 | 1070 | if (oldSerial == 0) { // using Autoserial, leave the serial alone. |
e6a9dde5 | 1071 | g_log<<Logger::Notice<<msgPrefix<<"AutoSerial in use in domain \""<<di->zone.toLogString()<<"\", not updating SOA serial."<<endl; |
e31f9680 RA |
1072 | return; |
1073 | } | |
1074 | ||
f1b59a55 | 1075 | vector<string> soaEdit2136Setting; |
71f758e0 | 1076 | B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting); |
f1b59a55 RA |
1077 | string soaEdit2136 = "DEFAULT"; |
1078 | string soaEdit; | |
1079 | if (!soaEdit2136Setting.empty()) { | |
1080 | soaEdit2136 = soaEdit2136Setting[0]; | |
1081 | if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){ | |
4192773a KM |
1082 | string soaEditSetting; |
1083 | d_dk.getSoaEdit(di->zone, soaEditSetting); | |
f1b59a55 | 1084 | if (soaEditSetting.empty()) { |
e6a9dde5 | 1085 | g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone.toLogString() <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl; |
f1b59a55 RA |
1086 | soaEdit2136 = "DEFAULT"; |
1087 | } else | |
4192773a | 1088 | soaEdit = soaEditSetting; |
f1b59a55 RA |
1089 | } |
1090 | } | |
1091 | ||
13f9e280 CH |
1092 | DNSResourceRecord rr; |
1093 | if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) { | |
1094 | di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr)); | |
e6a9dde5 | 1095 | g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl; |
13f9e280 CH |
1096 | |
1097 | //Correct ordername + auth flag | |
1098 | if (haveNSEC3) { | |
1099 | DNSName ordername; | |
1100 | if (!narrow) | |
1101 | ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname))); | |
1102 | ||
1103 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true); | |
1104 | } else { // NSEC | |
1105 | DNSName ordername = rr.qname.makeRelative(di->zone); | |
1106 | di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true); | |
1107 | } | |
166ac305 | 1108 | } |
166ac305 | 1109 | } |