]>
Commit | Line | Data |
---|---|---|
870a0fe4 AT |
1 | #ifdef HAVE_CONFIG_H |
2 | #include "config.h" | |
3 | #endif | |
f1b59a55 RA |
4 | #include "packethandler.hh" |
5 | #include "qtype.hh" | |
6 | #include "dnspacket.hh" | |
7 | #include "packetcache.hh" | |
8 | #include "dnsseckeeper.hh" | |
9 | #include "base64.hh" | |
10 | #include "base32.hh" | |
8c9bde70 | 11 | #include <boost/foreach.hpp> |
f1b59a55 RA |
12 | #include "misc.hh" |
13 | #include "arguments.hh" | |
b3148887 RA |
14 | #include "resolver.hh" |
15 | #include "dns_random.hh" | |
7facf345 | 16 | #include "backends/gsql/ssql.hh" |
f1b59a55 RA |
17 | |
18 | extern PacketCache PC; | |
276a5ce7 | 19 | extern StatBag S; |
f1b59a55 | 20 | |
ee9ef8f2 RA |
21 | pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER; |
22 | ||
f1b59a55 RA |
23 | // Implement section 3.2.1 and 3.2.2 of RFC2136 |
24 | int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) { | |
25 | if (rr->d_ttl != 0) | |
26 | return RCode::FormErr; | |
27 | ||
28 | // 3.2.1 and 3.2.2 check content length. | |
29 | if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0) | |
30 | return RCode::FormErr; | |
31 | ||
6a323f63 | 32 | string rrLabel = stripDot(rr->d_label); |
f1b59a55 RA |
33 | |
34 | bool foundRecord=false; | |
35 | DNSResourceRecord rec; | |
6a323f63 | 36 | di->backend->lookup(QType(QType::ANY), rrLabel); |
f1b59a55 RA |
37 | while(di->backend->get(rec)) { |
38 | if (!rec.qtype.getCode()) | |
39 | continue; | |
40 | if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY) | |
41 | foundRecord=true; | |
42 | } | |
43 | ||
914353ca KM |
44 | // Section 3.2.1 |
45 | if (rr->d_class == QClass::ANY && !foundRecord) { | |
46 | if (rr->d_type == QType::ANY) | |
f1b59a55 RA |
47 | return RCode::NXDomain; |
48 | if (rr->d_type != QType::ANY) | |
49 | return RCode::NXRRSet; | |
914353ca | 50 | } |
f1b59a55 RA |
51 | |
52 | // Section 3.2.2 | |
53 | if (rr->d_class == QClass::NONE && foundRecord) { | |
54 | if (rr->d_type == QType::ANY) | |
55 | return RCode::YXDomain; | |
56 | if (rr->d_type != QType::ANY) | |
57 | return RCode::YXRRSet; | |
58 | } | |
59 | ||
60 | return RCode::NoError; | |
61 | } | |
62 | ||
63 | ||
64 | // Method implements section 3.4.1 of RFC2136 | |
65 | int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) { | |
66 | // The RFC stats that d_class != ZCLASS, but we only support the IN class. | |
914353ca | 67 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) |
f1b59a55 RA |
68 | return RCode::FormErr; |
69 | ||
70 | QType qtype = QType(rr->d_type); | |
71 | ||
72 | if (! qtype.isSupportedType()) | |
73 | return RCode::FormErr; | |
74 | ||
75 | if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) | |
76 | return RCode::FormErr; | |
77 | ||
78 | if (rr->d_class == QClass::ANY && rr->d_clen != 0) | |
79 | return RCode::FormErr; | |
914353ca | 80 | |
f1b59a55 RA |
81 | if (qtype.isMetadataType()) |
82 | return RCode::FormErr; | |
83 | ||
84 | if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) | |
85 | return RCode::FormErr; | |
86 | ||
87 | return RCode::NoError; | |
88 | } | |
89 | ||
6a323f63 | 90 | |
f1b59a55 | 91 | // Implements section 3.4.2 of RFC2136 |
d0d273cf | 92 | uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) { |
968de8d0 | 93 | |
dff32e09 RA |
94 | string rrLabel = stripDot(rr->d_label); |
95 | rrLabel = toLower(rrLabel); | |
96 | QType rrType = QType(rr->d_type); | |
97 | ||
dff32e09 RA |
98 | if (rrType == QType::NSEC || rrType == QType::NSEC3) { |
99 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl; | |
914353ca | 100 | return 0; |
dff32e09 RA |
101 | } |
102 | ||
cc8df07f | 103 | if (!isPresigned && ((!::arg().mustDo("direct-dnskey") && rrType == QType::DNSKEY) || rrType == QType::RRSIG)) { |
dff32e09 RA |
104 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl; |
105 | return 0; | |
106 | } | |
107 | ||
968de8d0 KM |
108 | if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rrLabel != di->zone) { |
109 | L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rrLabel<<"|"<<rrType.getName()<<", "<<rrType.getName()<<" must be at zone apex, ignoring!"<<endl; | |
dff32e09 RA |
110 | return 0; |
111 | } | |
112 | ||
968de8d0 | 113 | |
d0d273cf | 114 | uint changedRecords = 0; |
6a323f63 RA |
115 | DNSResourceRecord rec; |
116 | vector<DNSResourceRecord> rrset, recordsToDelete; | |
675fa24c | 117 | set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records. |
6a323f63 | 118 | |
f1b59a55 | 119 | |
6a323f63 RA |
120 | if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update |
121 | DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rrLabel<<"|"<<rrType.getName()<<endl); | |
f1b59a55 | 122 | |
dff32e09 | 123 | if (rrType == QType::NSEC3PARAM) { |
8c9bde70 | 124 | L<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl; |
f858f843 | 125 | |
dff32e09 | 126 | NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone); |
f858f843 | 127 | *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record |
dff32e09 | 128 | d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow)); |
8c9bde70 KM |
129 | |
130 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
f858f843 | 131 | |
dff32e09 | 132 | vector<DNSResourceRecord> rrs; |
8c9bde70 | 133 | set<string> qnames, nssets, dssets; |
f858f843 | 134 | di->backend->list(di->zone, di->id); |
dff32e09 | 135 | while (di->backend->get(rec)) { |
8c9bde70 KM |
136 | qnames.insert(rec.qname); |
137 | if(rec.qtype.getCode() == QType::NS && !pdns_iequals(rec.qname, di->zone)) | |
138 | nssets.insert(rec.qname); | |
139 | if(rec.qtype.getCode() == QType::DS) | |
140 | dssets.insert(rec.qname); | |
dff32e09 | 141 | } |
f858f843 | 142 | |
8c9bde70 KM |
143 | string shorter, hashed; |
144 | BOOST_FOREACH(const string& qname, qnames) { | |
145 | shorter = qname; | |
146 | int ddepth = 0; | |
147 | do { | |
148 | if(pdns_iequals(qname, di->zone)) | |
f858f843 | 149 | break; |
8c9bde70 KM |
150 | if(nssets.count(shorter)) |
151 | ++ddepth; | |
152 | } while(chopOff(shorter)); | |
153 | ||
154 | if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { | |
1bad4190 | 155 | hashed = toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, qname)); |
8c9bde70 KM |
156 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, qname, hashed, (ddepth == 0)); |
157 | ||
158 | if (nssets.count(qname)) { | |
159 | if (ns3pr->d_flags) | |
160 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, qname, "NS"); | |
161 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, qname, "A"); | |
162 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, qname, "AAAA"); | |
f858f843 | 163 | } |
f858f843 | 164 | } else { |
8c9bde70 | 165 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, qname, (ddepth == 0)); |
f858f843 | 166 | } |
8c9bde70 KM |
167 | if (ddepth == 1 || dssets.count(qname)) |
168 | di->backend->setDNSSECAuthOnDsRecord(di->id, qname); | |
dff32e09 RA |
169 | } |
170 | return 1; | |
171 | } | |
172 | ||
f858f843 RA |
173 | |
174 | ||
6a323f63 RA |
175 | bool foundRecord = false; |
176 | di->backend->lookup(rrType, rrLabel); | |
f1b59a55 | 177 | while (di->backend->get(rec)) { |
dff32e09 RA |
178 | rrset.push_back(rec); |
179 | foundRecord = true; | |
6a323f63 | 180 | } |
914353ca | 181 | |
6a323f63 | 182 | if (foundRecord) { |
73174643 | 183 | |
dff32e09 | 184 | if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current |
f1b59a55 | 185 | SOAData sdOld, sdUpdate; |
6a323f63 RA |
186 | DNSResourceRecord *oldRec = &rrset.front(); |
187 | fillSOAData(oldRec->content, sdOld); | |
188 | oldRec->setContent(rr->d_content->getZoneRepresentation()); | |
189 | fillSOAData(oldRec->content, sdUpdate); | |
f1b59a55 | 190 | if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) { |
6a323f63 | 191 | di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset); |
f1b59a55 | 192 | *updatedSerial = true; |
f5059bd3 | 193 | changedRecords++; |
7facf345 | 194 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
73174643 | 195 | } else { |
f1b59a55 | 196 | L<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl; |
73174643 | 197 | } |
6a323f63 RA |
198 | |
199 | // It's not possible to have multiple CNAME's with the same NAME. So we always update. | |
200 | } else if (rrType == QType::CNAME) { | |
73174643 | 201 | int changedCNames = 0; |
6a323f63 | 202 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { |
73174643 RA |
203 | if (i->ttl != rr->d_ttl || i->content != rr->d_content->getZoneRepresentation()) { |
204 | i->ttl = rr->d_ttl; | |
205 | i->setContent(rr->d_content->getZoneRepresentation()); | |
206 | changedCNames++; | |
207 | } | |
208 | } | |
209 | if (changedCNames > 0) { | |
210 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); | |
211 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; | |
212 | changedRecords += changedCNames; | |
213 | } else { | |
214 | L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rrLabel<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl; | |
f1b59a55 | 215 | } |
6a323f63 RA |
216 | |
217 | // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectily means a update of TTL) | |
218 | } else { | |
73174643 | 219 | int updateTTL=0; |
6a323f63 RA |
220 | foundRecord = false; |
221 | for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) { | |
222 | string content = rr->d_content->getZoneRepresentation(); | |
223 | if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) { | |
73174643 RA |
224 | foundRecord=true; |
225 | if (i->ttl != rr->d_ttl) { | |
226 | i->ttl = rr->d_ttl; | |
227 | updateTTL++; | |
228 | } | |
6a323f63 RA |
229 | } |
230 | } | |
73174643 | 231 | if (updateTTL > 0) { |
6a323f63 | 232 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); |
7facf345 | 233 | L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
73174643 RA |
234 | changedRecords += updateTTL; |
235 | } else { | |
236 | L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rrLabel<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl; | |
7facf345 | 237 | } |
f1b59a55 | 238 | } |
6e42cac2 | 239 | |
73174643 | 240 | // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records. |
6e42cac2 | 241 | // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be. |
73174643 RA |
242 | if (changedRecords > 0) { |
243 | bool auth = rrset.front().auth; | |
244 | ||
245 | if(*haveNSEC3) { | |
246 | string hashed; | |
247 | if(! *narrow) | |
1bad4190 | 248 | hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel)); |
73174643 RA |
249 | |
250 | if (*narrow) | |
251 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); | |
252 | else | |
253 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); | |
254 | if(!auth || rrType == QType::DS) { | |
255 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); | |
256 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
257 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
258 | } | |
6e42cac2 | 259 | |
73174643 RA |
260 | } else { // NSEC |
261 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); | |
262 | if(!auth || rrType == QType::DS) { | |
263 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
264 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
265 | } | |
6e42cac2 RA |
266 | } |
267 | } | |
268 | ||
269 | } // if (foundRecord) | |
f1b59a55 | 270 | |
6a323f63 | 271 | // If we haven't found a record that matches, we must add it. |
f1b59a55 | 272 | if (! foundRecord) { |
6a323f63 RA |
273 | L<<Logger::Notice<<msgPrefix<<"Adding record "<<rrLabel<<"|"<<rrType.getName()<<endl; |
274 | delnonterm.insert(rrLabel); // always remove any ENT's in the place where we're going to add a record. | |
f1b59a55 RA |
275 | DNSResourceRecord newRec(*rr); |
276 | newRec.domain_id = di->id; | |
f48c7915 | 277 | newRec.auth = (rrLabel == di->zone || rrType.getCode() != QType::NS); |
f1b59a55 | 278 | di->backend->feedRecord(newRec); |
b0704e0d | 279 | changedRecords++; |
6a323f63 RA |
280 | |
281 | ||
282 | // because we added a record, we need to fix DNSSEC data. | |
675fa24c | 283 | DNSName shorter(rrLabel); |
163cb726 | 284 | bool auth=newRec.auth; |
6a82ce4a | 285 | bool fixDS = (rrType == QType::DS); |
f1b59a55 | 286 | |
6a82ce4a | 287 | if ( ! pdns_iequals(di->zone, shorter)) { // Everything at APEX is auth=1 && no ENT's |
e70f2627 | 288 | do { |
6a82ce4a | 289 | |
e70f2627 | 290 | if (pdns_iequals(di->zone, shorter)) |
f1b59a55 | 291 | break; |
914353ca | 292 | |
f1b59a55 RA |
293 | bool foundShorter = false; |
294 | di->backend->lookup(QType(QType::ANY), shorter); | |
295 | while (di->backend->get(rec)) { | |
6a82ce4a RA |
296 | if (pdns_iequals(rec.qname, rrLabel) && rec.qtype == QType::DS) |
297 | fixDS = true; | |
e70f2627 RA |
298 | if ( ! pdns_iequals(shorter, rrLabel) ) |
299 | foundShorter = true; | |
163cb726 | 300 | if (rec.qtype == QType::NS) // are we inserting below a delegate? |
f1b59a55 RA |
301 | auth=false; |
302 | } | |
6a82ce4a | 303 | |
e70f2627 | 304 | if (!foundShorter && auth && !pdns_iequals(shorter, rrLabel)) // haven't found any record at current level, insert ENT. |
f1b59a55 | 305 | insnonterm.insert(shorter); |
e70f2627 | 306 | if (foundShorter) |
a95f897d | 307 | break; // if we find a shorter record, we can stop searching |
675fa24c | 308 | } while(shorter.chopOff()); |
f1b59a55 RA |
309 | } |
310 | ||
dff32e09 | 311 | if(*haveNSEC3) |
f1b59a55 RA |
312 | { |
313 | string hashed; | |
914353ca | 314 | if(! *narrow) |
1bad4190 | 315 | hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel)); |
914353ca | 316 | |
e70f2627 RA |
317 | if (*narrow) |
318 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); | |
319 | else | |
320 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); | |
321 | ||
6a82ce4a RA |
322 | if (fixDS) |
323 | di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); | |
324 | ||
929eee6b | 325 | if(!auth) |
f1b59a55 | 326 | { |
914353ca | 327 | if (ns3pr->d_flags) |
be40c2df | 328 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); |
6a323f63 RA |
329 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); |
330 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
f1b59a55 RA |
331 | } |
332 | } | |
333 | else // NSEC | |
334 | { | |
6a323f63 | 335 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); |
6a82ce4a | 336 | if (fixDS) { |
929eee6b | 337 | di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); |
6a82ce4a RA |
338 | } |
339 | if(!auth) { | |
340 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); | |
341 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); | |
f1b59a55 RA |
342 | } |
343 | } | |
6a323f63 RA |
344 | |
345 | ||
f1b59a55 | 346 | // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate. |
914353ca | 347 | // Auth can only be false when the rrLabel is not the zone |
6a323f63 RA |
348 | if (auth == false && rrType == QType::NS) { |
349 | DLOG(L<<msgPrefix<<"Going to fix auth flags below "<<rrLabel<<endl); | |
6a82ce4a | 350 | insnonterm.clear(); // No ENT's are needed below delegates (auth=0) |
f1b59a55 | 351 | vector<string> qnames; |
6a323f63 | 352 | di->backend->listSubZone(rrLabel, di->id); |
f1b59a55 | 353 | while(di->backend->get(rec)) { |
6a82ce4a | 354 | if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && !pdns_iequals(rrLabel, rec.qname)) // Skip ENT, DS and our already corrected record. |
f1b59a55 RA |
355 | qnames.push_back(rec.qname); |
356 | } | |
357 | for(vector<string>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { | |
dff32e09 | 358 | if(*haveNSEC3) { |
f1b59a55 | 359 | string hashed; |
914353ca | 360 | if(! *narrow) |
1bad4190 | 361 | hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname)); |
914353ca | 362 | |
6a82ce4a RA |
363 | if (*narrow) |
364 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); | |
365 | else | |
366 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth); | |
367 | ||
be40c2df RA |
368 | if (ns3pr->d_flags) |
369 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "NS"); | |
f1b59a55 RA |
370 | } |
371 | else // NSEC | |
372 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *qname, auth); | |
373 | ||
374 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "AAAA"); | |
375 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "A"); | |
376 | } | |
377 | } | |
f1b59a55 RA |
378 | } |
379 | } // rr->d_class == QClass::IN | |
380 | ||
914353ca | 381 | |
6a323f63 RA |
382 | // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by |
383 | // the code that calls this performUpdate(). | |
384 | if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA. | |
fdf983eb | 385 | DLOG(L<<msgPrefix<<"Deleting records: "<<rrLabel<<"; QClasse:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl); |
dff32e09 RA |
386 | |
387 | if (rrType == QType::NSEC3PARAM) { | |
914353ca | 388 | L<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl; |
dff32e09 RA |
389 | if (rr->d_class == QClass::ANY) |
390 | d_dk.unsetNSEC3PARAM(rrLabel); | |
391 | else if (rr->d_class == QClass::NONE) { | |
392 | NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone); | |
0bb68041 | 393 | if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation()) |
dff32e09 RA |
394 | d_dk.unsetNSEC3PARAM(rrLabel); |
395 | else | |
396 | return 0; | |
914353ca | 397 | } else |
dff32e09 RA |
398 | return 0; |
399 | ||
e3dc2b56 RA |
400 | // We retrieve new values, other RR's in this update package might need it as well. |
401 | *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); | |
402 | ||
dff32e09 | 403 | vector<DNSResourceRecord> rrs; |
b48fe0e3 KM |
404 | set<string> qnames, nssets, dssets, ents; |
405 | di->backend->list(di->zone, di->id); | |
b1ca7619 | 406 | while (di->backend->get(rec)) { |
b48fe0e3 KM |
407 | qnames.insert(rec.qname); |
408 | if(rec.qtype.getCode() == QType::NS && !pdns_iequals(rec.qname, di->zone)) | |
409 | nssets.insert(rec.qname); | |
410 | if(rec.qtype.getCode() == QType::DS) | |
411 | dssets.insert(rec.qname); | |
412 | if(!rec.qtype.getCode()) | |
413 | ents.insert(rec.qname); | |
b1ca7619 | 414 | } |
b48fe0e3 KM |
415 | |
416 | string shorter, hashed; | |
417 | BOOST_FOREACH(const string& qname, qnames) { | |
418 | shorter = qname; | |
419 | int ddepth = 0; | |
420 | do { | |
421 | if(pdns_iequals(qname, di->zone)) | |
422 | break; | |
423 | if(nssets.count(shorter)) | |
424 | ++ddepth; | |
425 | } while(chopOff(shorter)); | |
426 | ||
427 | if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { | |
428 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, qname, (ddepth == 0)); | |
429 | ||
430 | if (nssets.count(qname)) { | |
431 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, qname, "A"); | |
432 | di->backend->nullifyDNSSECOrderNameAndAuth(di->id, qname, "AAAA"); | |
b1ca7619 | 433 | } |
b48fe0e3 KM |
434 | } else { |
435 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, qname, (ddepth == 0)); | |
b1ca7619 | 436 | } |
b48fe0e3 KM |
437 | if (ddepth == 1 || dssets.count(qname)) |
438 | di->backend->setDNSSECAuthOnDsRecord(di->id, qname); | |
dff32e09 RA |
439 | } |
440 | return 1; | |
589563c0 | 441 | } // end of NSEC3PARAM delete block |
dff32e09 RA |
442 | |
443 | ||
6a323f63 RA |
444 | di->backend->lookup(rrType, rrLabel); |
445 | while(di->backend->get(rec)) { | |
446 | if (rr->d_class == QClass::ANY) { // 3.4.2.3 | |
447 | if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's | |
448 | rrset.push_back(rec); | |
449 | else | |
f1b59a55 RA |
450 | recordsToDelete.push_back(rec); |
451 | } | |
6a323f63 RA |
452 | if (rr->d_class == QClass::NONE) { // 3.4.2.4 |
453 | if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation()) | |
454 | recordsToDelete.push_back(rec); | |
455 | else | |
456 | rrset.push_back(rec); | |
457 | } | |
f1b59a55 | 458 | } |
589563c0 RA |
459 | |
460 | if (recordsToDelete.size()) { | |
461 | di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); | |
462 | L<<Logger::Notice<<msgPrefix<<"Deleting record "<<rrLabel<<"|"<<rrType.getName()<<endl; | |
463 | changedRecords += recordsToDelete.size(); | |
f1b59a55 | 464 | |
f1b59a55 | 465 | |
589563c0 RA |
466 | // If we've removed a delegate, we need to reset ordername/auth for some records. |
467 | if (rrType == QType::NS && rrLabel != di->zone) { | |
675fa24c | 468 | vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag; |
6a323f63 | 469 | di->backend->listSubZone(rrLabel, di->id); |
f1b59a55 | 470 | while (di->backend->get(rec)) { |
7a0a9f8a | 471 | if (rec.qtype.getCode()) // skip ENT records, they are always auth=false |
a95f897d RA |
472 | belowOldDelegate.push_back(rec.qname); |
473 | if (rec.qtype.getCode() == QType::NS && rec.qname != rrLabel) | |
474 | nsRecs.push_back(rec.qname); | |
f1b59a55 | 475 | } |
a95f897d | 476 | |
675fa24c | 477 | for(auto &belowOldDel: belowOldDelegate) |
a95f897d RA |
478 | { |
479 | bool isBelowDelegate = false; | |
88bffdda | 480 | for(vector<string>::const_iterator ns=nsRecs.begin(); ns!= nsRecs.end(); ns++) { |
a95f897d RA |
481 | if (endsOn(*ns, *belowOldDel)) { |
482 | isBelowDelegate=true; | |
483 | break; | |
484 | } | |
485 | } | |
486 | if (!isBelowDelegate) | |
487 | updateAuthFlag.push_back(*belowOldDel); | |
488 | } | |
489 | ||
490 | for (vector<string>::const_iterator changeRec=updateAuthFlag.begin(); changeRec!=updateAuthFlag.end(); ++changeRec) { | |
dff32e09 | 491 | if(*haveNSEC3) { |
f1b59a55 | 492 | string hashed; |
914353ca | 493 | if(! *narrow) |
1bad4190 | 494 | hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *changeRec)); |
914353ca | 495 | |
f1b59a55 RA |
496 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *changeRec, hashed, true); |
497 | } | |
498 | else // NSEC | |
499 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *changeRec, true); | |
500 | } | |
501 | } | |
f1b59a55 | 502 | |
6a323f63 RA |
503 | // Fix ENT records. |
504 | // We must check if we have a record below the current level and if we removed the 'last' record | |
505 | // on that level. If so, we must insert an ENT record. | |
fdf983eb | 506 | // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit. |
9353d244 | 507 | bool foundDeeper = false, foundOtherWithSameName = false; |
6a323f63 RA |
508 | di->backend->listSubZone(rrLabel, di->id); |
509 | while (di->backend->get(rec)) { | |
510 | if (rec.qname == rrLabel && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) | |
9353d244 | 511 | foundOtherWithSameName = true; |
7a0a9f8a | 512 | if (rec.qname != rrLabel && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT |
6a323f63 RA |
513 | foundDeeper = true; |
514 | } | |
f1b59a55 | 515 | |
9353d244 | 516 | if (foundDeeper && !foundOtherWithSameName) { |
6a323f63 | 517 | insnonterm.insert(rrLabel); |
9353d244 | 518 | } else if (!foundOtherWithSameName) { |
6a323f63 RA |
519 | // If we didn't have to insert an ENT, we might have deleted a record at very deep level |
520 | // and we must then clean up the ENT's above the deleted record. | |
675fa24c | 521 | DNSName shorter(rrLabel); |
9353d244 | 522 | while (shorter != di->zone) { |
675fa24c | 523 | shorter.chopOff(); |
9353d244 | 524 | bool foundRealRR = false; |
a95f897d | 525 | bool foundEnt = false; |
9353d244 RA |
526 | |
527 | // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch | |
6a323f63 | 528 | // consider these non ENT-records: |
9353d244 RA |
529 | // b.c.d.e.test.com |
530 | // b.d.e.test.com | |
531 | // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com. | |
6a323f63 RA |
532 | // At that point we can stop deleting ENT's because the tree is in tact again. |
533 | di->backend->listSubZone(shorter, di->id); | |
914353ca | 534 | |
9353d244 RA |
535 | while (di->backend->get(rec)) { |
536 | if (rec.qtype.getCode()) | |
537 | foundRealRR = true; | |
a95f897d RA |
538 | else |
539 | foundEnt = true; | |
9353d244 | 540 | } |
3ab4cfca | 541 | if (!foundRealRR) { |
a95f897d RA |
542 | if (foundEnt) // only delete the ENT if we actually found one. |
543 | delnonterm.insert(shorter); | |
3ab4cfca | 544 | } else |
9353d244 RA |
545 | break; |
546 | } | |
6a323f63 | 547 | } |
589563c0 RA |
548 | } else { // if (recordsToDelete.size()) |
549 | L<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rrLabel<<"|"<<rrType.getName()<<" requested, but not found."<<endl; | |
f1b59a55 | 550 | } |
589563c0 RA |
551 | } // (End of delete block d_class == ANY || d_class == NONE |
552 | ||
f1b59a55 | 553 | |
6a323f63 RA |
554 | |
555 | //Insert and delete ENT's | |
556 | if (insnonterm.size() > 0 || delnonterm.size() > 0) { | |
557 | DLOG(L<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl); | |
558 | di->backend->updateEmptyNonTerminals(di->id, di->zone, insnonterm, delnonterm, false); | |
559 | for (set<string>::const_iterator i=insnonterm.begin(); i!=insnonterm.end(); i++) { | |
560 | string hashed; | |
dff32e09 | 561 | if(*haveNSEC3) |
6a323f63 | 562 | { |
f1b59a55 | 563 | string hashed; |
914353ca | 564 | if(! *narrow) |
1bad4190 | 565 | hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *i)); |
0c72fa99 | 566 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *i, hashed, true); |
f1b59a55 RA |
567 | } |
568 | } | |
569 | } | |
570 | ||
589563c0 | 571 | return changedRecords; |
f1b59a55 RA |
572 | } |
573 | ||
b3148887 | 574 | int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) { |
e174b255 | 575 | vector<string> forward; |
71f758e0 | 576 | B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward); |
e174b255 | 577 | |
71f758e0 | 578 | if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) { |
d8293c79 RA |
579 | L<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl; |
580 | return RCode::Refused; | |
e174b255 RA |
581 | } |
582 | ||
b3148887 | 583 | for(vector<string>::const_iterator master=di->masters.begin(); master != di->masters.end(); master++) { |
dff32e09 | 584 | L<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<*master<<endl; |
b3148887 RA |
585 | ComboAddress remote; |
586 | try { | |
cc456024 | 587 | remote = ComboAddress(*master, 53); |
b3148887 RA |
588 | } |
589 | catch (...) { | |
590 | L<<Logger::Error<<msgPrefix<<"Failed to parse "<<*master<<" as valid remote."<<endl; | |
591 | continue; | |
592 | } | |
593 | ||
594 | ComboAddress local; | |
595 | if(remote.sin4.sin_family == AF_INET) | |
cc456024 | 596 | local = ComboAddress(::arg()["query-local-address"]); |
b3148887 | 597 | else if(!::arg()["query-local-address6"].empty()) |
cc456024 | 598 | local = ComboAddress(::arg()["query-local-address6"]); |
b3148887 | 599 | else |
cc456024 | 600 | local = ComboAddress("::"); |
b3148887 RA |
601 | int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this. |
602 | ||
603 | if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) { | |
604 | L<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl; | |
3897b9e1 | 605 | closesocket(sock); |
b3148887 RA |
606 | continue; |
607 | } | |
608 | ||
609 | DNSPacket forwardPacket(*p); | |
610 | forwardPacket.setID(dns_random(0xffff)); | |
611 | forwardPacket.setRemote(&remote); | |
612 | uint16_t len=htons(forwardPacket.getString().length()); | |
613 | string buffer((const char*)&len, 2); | |
614 | buffer.append(forwardPacket.getString()); | |
914353ca | 615 | if(write(sock, buffer.c_str(), buffer.length()) < 0) { |
b3148887 | 616 | L<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; |
3897b9e1 | 617 | closesocket(sock); |
b3148887 RA |
618 | continue; |
619 | } | |
620 | ||
621 | int res = waitForData(sock, 10, 0); | |
622 | if (!res) { | |
cc456024 | 623 | L<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl; |
3897b9e1 | 624 | closesocket(sock); |
b3148887 RA |
625 | continue; |
626 | } | |
627 | if (res < 0) { | |
628 | L<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
3897b9e1 | 629 | closesocket(sock); |
b3148887 RA |
630 | continue; |
631 | } | |
632 | ||
633 | char lenBuf[2]; | |
634 | int recvRes; | |
635 | recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0); | |
636 | if (recvRes < 0) { | |
637 | L<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
3897b9e1 | 638 | closesocket(sock); |
b3148887 RA |
639 | continue; |
640 | } | |
641 | int packetLen = lenBuf[0]*256+lenBuf[1]; | |
642 | ||
643 | ||
644 | char buf[packetLen]; | |
645 | recvRes = recv(sock, &buf, packetLen, 0); | |
646 | if (recvRes < 0) { | |
647 | L<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl; | |
3897b9e1 | 648 | closesocket(sock); |
b3148887 RA |
649 | continue; |
650 | } | |
3897b9e1 | 651 | closesocket(sock); |
b3148887 RA |
652 | |
653 | try { | |
b3148887 RA |
654 | MOADNSParser mdp(buf, recvRes); |
655 | L<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl; | |
656 | return mdp.d_header.rcode; | |
657 | } | |
658 | catch (...) { | |
659 | L<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl; | |
660 | continue; | |
661 | } | |
662 | } | |
663 | L<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl; | |
664 | return RCode::ServFail; | |
665 | ||
666 | } | |
667 | ||
f1b59a55 | 668 | int PacketHandler::processUpdate(DNSPacket *p) { |
71f758e0 | 669 | if (! ::arg().mustDo("experimental-dnsupdate")) |
f1b59a55 | 670 | return RCode::Refused; |
914353ca | 671 | |
7facf345 | 672 | string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote() + " for " + p->qdomain + ": "; |
f1b59a55 RA |
673 | L<<Logger::Info<<msgPrefix<<"Processing started."<<endl; |
674 | ||
675 | // Check permissions - IP based | |
676 | vector<string> allowedRanges; | |
71f758e0 KM |
677 | B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges); |
678 | if (! ::arg()["allow-dnsupdate-from"].empty()) | |
679 | stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" ); | |
f1b59a55 RA |
680 | |
681 | NetmaskGroup ng; | |
682 | for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++) | |
683 | ng.addMask(*i); | |
914353ca | 684 | |
f1b59a55 | 685 | if ( ! ng.match(&p->d_remote)) { |
71f758e0 | 686 | L<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl; |
f1b59a55 RA |
687 | return RCode::Refused; |
688 | } | |
689 | ||
690 | ||
691 | // Check permissions - TSIG based. | |
692 | vector<string> tsigKeys; | |
71f758e0 | 693 | B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys); |
f1b59a55 RA |
694 | if (tsigKeys.size() > 0) { |
695 | bool validKey = false; | |
914353ca | 696 | |
f1b59a55 RA |
697 | TSIGRecordContent trc; |
698 | string inputkey, message; | |
cbd17382 | 699 | if (! p->getTSIGDetails(&trc, &inputkey, 0)) { |
f1b59a55 RA |
700 | L<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl; |
701 | return RCode::Refused; | |
702 | } | |
703 | ||
6917c321 AT |
704 | if (p->d_tsig_algo == TSIG_GSS) { |
705 | GssName inputname(p->d_peer_principal); // match against principal since GSS | |
706 | for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) { | |
707 | if (inputname.match(*key)) { | |
708 | validKey = true; | |
709 | break; | |
710 | } | |
711 | } | |
712 | } else { | |
713 | for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) { | |
714 | if (inputkey == *key) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid. | |
715 | validKey=true; | |
716 | break; | |
717 | } | |
718 | } | |
f1b59a55 RA |
719 | } |
720 | ||
721 | if (!validKey) { | |
722 | L<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl; | |
723 | return RCode::Refused; | |
724 | } | |
725 | } | |
726 | ||
727 | if (tsigKeys.size() == 0 && p->d_havetsig) | |
728 | L<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl; | |
729 | ||
730 | // RFC2136 uses the same DNS Header and Message as defined in RFC1035. | |
914353ca | 731 | // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different |
f1b59a55 RA |
732 | // variable names during the use of our MOADNSParser. |
733 | MOADNSParser mdp(p->getString()); | |
734 | if (mdp.d_header.qdcount != 1) { | |
735 | L<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl; | |
736 | return RCode::FormErr; | |
914353ca | 737 | } |
f1b59a55 RA |
738 | |
739 | if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA | |
740 | L<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl; | |
741 | return RCode::FormErr; | |
742 | } | |
743 | ||
744 | if (p->qclass != QClass::IN) { | |
745 | L<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl; | |
746 | return RCode::NotAuth; | |
747 | } | |
748 | ||
749 | DomainInfo di; | |
750 | di.backend=0; | |
751 | if(!B.getDomainInfo(p->qdomain, di) || !di.backend) { | |
71f758e0 | 752 | L<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support DNS update operation)"<<endl; |
f1b59a55 RA |
753 | return RCode::NotAuth; |
754 | } | |
755 | ||
b3148887 RA |
756 | if (di.kind == DomainInfo::Slave) |
757 | return forwardPacket(msgPrefix, p, &di); | |
f1b59a55 | 758 | |
914353ca | 759 | // Check if all the records provided are within the zone |
f1b59a55 RA |
760 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
761 | const DNSRecord *rr = &i->first; | |
762 | // Skip this check for other field types (like the TSIG - which is in the additional section) | |
dff32e09 | 763 | // For a TSIG, the label is the dnskey, so it does not pass the endOn validation. |
914353ca | 764 | if (! (rr->d_place == DNSRecord::Answer || rr->d_place == DNSRecord::Nameserver)) |
f1b59a55 RA |
765 | continue; |
766 | ||
767 | string label = stripDot(rr->d_label); | |
768 | ||
769 | if (!endsOn(label, di.zone)) { | |
770 | L<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl; | |
771 | return RCode::NotZone; | |
772 | } | |
773 | } | |
774 | ||
dff32e09 RA |
775 | |
776 | Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything | |
f1b59a55 | 777 | L<<Logger::Info<<msgPrefix<<"starting transaction."<<endl; |
dff32e09 | 778 | if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records. |
f1b59a55 RA |
779 | L<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl; |
780 | return RCode::NotImp; | |
781 | } | |
782 | ||
914353ca | 783 | // 3.2.1 and 3.2.2 - Prerequisite check |
f1b59a55 RA |
784 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { |
785 | const DNSRecord *rr = &i->first; | |
786 | if (rr->d_place == DNSRecord::Answer) { | |
787 | int res = checkUpdatePrerequisites(rr, &di); | |
788 | if (res>0) { | |
789 | L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<res<<endl; | |
790 | di.backend->abortTransaction(); | |
791 | return res; | |
792 | } | |
914353ca | 793 | } |
f1b59a55 RA |
794 | } |
795 | ||
796 | // 3.2.3 - Prerequisite check - this is outside of updatePrequisitesCheck because we check an RRSet and not the RR. | |
797 | typedef pair<string, QType> rrSetKey_t; | |
798 | typedef vector<DNSResourceRecord> rrVector_t; | |
799 | typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t; | |
800 | RRsetMap_t preReqRRsets; | |
801 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
802 | const DNSRecord *rr = &i->first; | |
803 | if (rr->d_place == DNSRecord::Answer) { | |
804 | // Last line of 3.2.3 | |
914353ca | 805 | if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) |
f1b59a55 RA |
806 | return RCode::FormErr; |
807 | ||
808 | if (rr->d_class == QClass::IN) { | |
a09f956a | 809 | rrSetKey_t key = make_pair(stripDot(rr->d_label), QType(rr->d_type)); |
f1b59a55 RA |
810 | rrVector_t *vec = &preReqRRsets[key]; |
811 | vec->push_back(DNSResourceRecord(*rr)); | |
812 | } | |
813 | } | |
814 | } | |
815 | ||
816 | if (preReqRRsets.size() > 0) { | |
817 | RRsetMap_t zoneRRsets; | |
818 | for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) { | |
819 | rrSetKey_t rrSet=preRRSet->first; | |
820 | rrVector_t *vec = &preRRSet->second; | |
821 | ||
822 | DNSResourceRecord rec; | |
823 | di.backend->lookup(QType(QType::ANY), rrSet.first); | |
824 | uint16_t foundRR=0, matchRR=0; | |
825 | while (di.backend->get(rec)) { | |
826 | if (rec.qtype == rrSet.second) { | |
827 | foundRR++; | |
828 | for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) { | |
829 | rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks. | |
914353ca | 830 | if (*rrItem == rec) |
f1b59a55 RA |
831 | matchRR++; |
832 | } | |
833 | } | |
834 | } | |
835 | if (matchRR != foundRR || foundRR != vec->size()) { | |
836 | L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning NXRRSet"<<endl; | |
837 | di.backend->abortTransaction(); | |
838 | return RCode::NXRRSet; | |
839 | } | |
840 | } | |
841 | } | |
842 | ||
843 | ||
844 | ||
0bb68041 | 845 | // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block. |
f1b59a55 | 846 | try { |
d0d273cf | 847 | uint changedRecords = 0; |
f1b59a55 RA |
848 | // 3.4.1 - Prescan section |
849 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
850 | const DNSRecord *rr = &i->first; | |
851 | if (rr->d_place == DNSRecord::Nameserver) { | |
852 | int res = checkUpdatePrescan(rr); | |
853 | if (res>0) { | |
854 | L<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl; | |
855 | di.backend->abortTransaction(); | |
856 | return res; | |
857 | } | |
858 | } | |
859 | } | |
860 | ||
861 | bool updatedSerial=false; | |
862 | NSEC3PARAMRecordContent ns3pr; | |
914353ca | 863 | bool narrow=false; |
f1b59a55 | 864 | bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow); |
dff32e09 | 865 | bool isPresigned = d_dk.isPresigned(di.zone); |
f1b59a55 | 866 | |
f1b59a55 RA |
867 | // 3.4.2 - Perform the updates. |
868 | // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4) | |
7c696097 | 869 | // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR. |
f1b59a55 RA |
870 | vector<const DNSRecord *> nsRRtoDelete; |
871 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
872 | const DNSRecord *rr = &i->first; | |
873 | if (rr->d_place == DNSRecord::Nameserver) { | |
874 | if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && stripDot(rr->d_label) == di.zone) | |
875 | nsRRtoDelete.push_back(rr); | |
876 | else | |
d0d273cf | 877 | changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
878 | } |
879 | } | |
880 | if (nsRRtoDelete.size()) { | |
881 | vector<DNSResourceRecord> nsRRInZone; | |
882 | DNSResourceRecord rec; | |
883 | di.backend->lookup(QType(QType::NS), di.zone); | |
884 | while (di.backend->get(rec)) { | |
885 | nsRRInZone.push_back(rec); | |
886 | } | |
887 | if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4) | |
888 | for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) { | |
889 | for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) { | |
890 | if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation()) | |
d0d273cf | 891 | changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial); |
f1b59a55 RA |
892 | } |
893 | } | |
894 | } | |
895 | } | |
896 | ||
f1b59a55 | 897 | // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message |
d0d273cf | 898 | if (changedRecords > 0 && !updatedSerial) { |
166ac305 | 899 | increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr); |
d0d273cf | 900 | changedRecords++; |
890c7124 RA |
901 | } |
902 | ||
d0d273cf | 903 | if (changedRecords > 0) { |
dce6b818 RA |
904 | if (!di.backend->commitTransaction()) { |
905 | L<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl; | |
906 | return RCode::ServFail; | |
907 | } | |
914353ca | 908 | |
71f758e0 | 909 | S.deposit("dnsupdate-changes", changedRecords); |
7facf345 | 910 | |
dce6b818 RA |
911 | // Purge the records! |
912 | string zone(di.zone); | |
913 | zone.append("$"); | |
914 | PC.purge(zone); | |
0bb68041 | 915 | |
7c696097 | 916 | L<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl; |
dce6b818 RA |
917 | } else { |
918 | //No change, no commit, we perform abort() because some backends might like this more. | |
919 | L<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl; | |
920 | di.backend->abortTransaction(); | |
921 | } | |
0bb68041 RA |
922 | return RCode::NoError; //rfc 2136 3.4.2.5 |
923 | } | |
924 | catch (SSqlException &e) { | |
925 | L<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl; | |
926 | di.backend->abortTransaction(); | |
927 | return RCode::ServFail; | |
f1b59a55 | 928 | } |
ee9ef8f2 RA |
929 | catch (DBException &e) { |
930 | L<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl; | |
931 | di.backend->abortTransaction(); | |
932 | return RCode::ServFail; | |
933 | } | |
05ff9dab RA |
934 | catch (PDNSException &e) { |
935 | L<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl; | |
f1b59a55 RA |
936 | di.backend->abortTransaction(); |
937 | return RCode::ServFail; | |
938 | } | |
28b66a94 KM |
939 | catch(std::exception &e) { |
940 | L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl; | |
941 | di.backend->abortTransaction(); | |
942 | return RCode::ServFail; | |
943 | } | |
f1b59a55 RA |
944 | catch (...) { |
945 | L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl; | |
946 | di.backend->abortTransaction(); | |
947 | return RCode::ServFail; | |
948 | } | |
f1b59a55 RA |
949 | } |
950 | ||
166ac305 | 951 | void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) { |
f1b59a55 | 952 | DNSResourceRecord rec, newRec; |
166ac305 | 953 | di->backend->lookup(QType(QType::SOA), di->zone); |
f1b59a55 | 954 | bool foundSOA=false; |
166ac305 | 955 | while (di->backend->get(rec)) { |
f1b59a55 RA |
956 | newRec = rec; |
957 | foundSOA=true; | |
958 | } | |
959 | if (!foundSOA) { | |
05ff9dab | 960 | throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie."); |
f1b59a55 RA |
961 | } |
962 | SOAData soa2Update; | |
963 | fillSOAData(rec.content, soa2Update); | |
890c7124 | 964 | int oldSerial = soa2Update.serial; |
f1b59a55 | 965 | |
e31f9680 RA |
966 | if (oldSerial == 0) { // using Autoserial, leave the serial alone. |
967 | L<<Logger::Notice<<msgPrefix<<"AutoSerial being used, not updating SOA serial."<<endl; | |
968 | return; | |
969 | } | |
970 | ||
f1b59a55 | 971 | vector<string> soaEdit2136Setting; |
71f758e0 | 972 | B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting); |
f1b59a55 RA |
973 | string soaEdit2136 = "DEFAULT"; |
974 | string soaEdit; | |
975 | if (!soaEdit2136Setting.empty()) { | |
976 | soaEdit2136 = soaEdit2136Setting[0]; | |
977 | if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){ | |
978 | vector<string> soaEditSetting; | |
166ac305 | 979 | B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting); |
f1b59a55 | 980 | if (soaEditSetting.empty()) { |
a6448d95 | 981 | L<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl; |
f1b59a55 RA |
982 | soaEdit2136 = "DEFAULT"; |
983 | } else | |
984 | soaEdit = soaEditSetting[0]; | |
985 | } | |
986 | } | |
987 | ||
effecfa7 | 988 | soa2Update.serial = calculateIncreaseSOA(soa2Update, soaEdit2136, soaEdit); |
f1b59a55 RA |
989 | |
990 | newRec.content = serializeSOAData(soa2Update); | |
3e0ab216 RA |
991 | vector<DNSResourceRecord> rrset; |
992 | rrset.push_back(newRec); | |
166ac305 | 993 | di->backend->replaceRRSet(di->id, newRec.qname, newRec.qtype, rrset); |
dff32e09 | 994 | L<<Logger::Notice<<msgPrefix<<"Increasing SOA serial ("<<oldSerial<<" -> "<<soa2Update.serial<<")"<<endl; |
166ac305 RA |
995 | |
996 | //Correct ordername + auth flag | |
c1c3e5a4 RA |
997 | if (haveNSEC3 && narrow) |
998 | di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, newRec.qname, true); | |
999 | else if (haveNSEC3) { | |
166ac305 | 1000 | string hashed; |
c1c3e5a4 | 1001 | if (!narrow) |
1bad4190 | 1002 | hashed = toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, newRec.qname)); |
c1c3e5a4 | 1003 | |
166ac305 RA |
1004 | di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, newRec.qname, hashed, true); |
1005 | } | |
1006 | else // NSEC | |
1007 | di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, newRec.qname, true); | |
166ac305 | 1008 | } |