2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <boost/utility.hpp>
26 #include <boost/multi_index_container.hpp>
27 #include <boost/multi_index/ordered_index.hpp>
28 #include <boost/multi_index/hashed_index.hpp>
29 #include <boost/multi_index/key_extractors.hpp>
30 #include <boost/multi_index/sequenced_index.hpp>
32 using namespace ::boost::multi_index;
36 #include "dnsrecords.hh"
40 #include "validate.hh"
42 class AggressiveNSECCache
// Cache of NSEC/NSEC3 records (with their RRSIGs) used to synthesize
// denial-of-existence answers from previously seen proofs (see getDenial)
// instead of asking the authoritative server again. Records are kept per
// zone (ZoneEntry) in a SuffixMatchTree behind a shared lock (d_zones).
// Default value for s_maxNSEC3CommonPrefix. The unit of the prefix (bits
// vs. characters of the hash) is defined in the .cc, not here.
45 static constexpr uint8_t s_default_maxNSEC3CommonPrefix = 10;
// Cost budget for building an NSEC3 denial proof. The name suggests it
// bounds the work (hashing) spent on one proof; the unit and enforcement
// live in the .cc — confirm there before relying on it.
46 static uint64_t s_nsec3DenialProofMaxCost;
// Runtime limit on the common prefix of NSEC3 hashes; a value of 0 turns
// NSEC3 handling off entirely (see nsec3Disabled()).
47 static uint8_t s_maxNSEC3CommonPrefix;
// Constructs the cache with an initial maximum number of entries.
49 AggressiveNSECCache(uint64_t entries) :
// Sets the eviction threshold. The target is the atomic d_maxEntries, so
// this may run concurrently with readers of that value.
54 void setMaxEntries(uint64_t number)
56 d_maxEntries = number;
// True when NSEC3 processing is disabled (common-prefix limit of 0).
59 static bool nsec3Disabled()
61 return s_maxNSEC3CommonPrefix == 0;
// Stores an NSEC (nsec3 == false) or NSEC3 (nsec3 == true) record owned by
// `owner`, together with its signatures, under the entry for `zone`.
64 void insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector<std::shared_ptr<const RRSIGRecordContent>>& signatures, bool nsec3);
// Attempts to answer `name`/`type` from cached NSEC/NSEC3 data.
// @param ret  output: the synthesized records (with RRSIGs when doDNSSEC is set)
// @param res  output: presumably the response code to return — confirm in the .cc
// @param who, routingTag  client identity used for the lookup
// @param validationContext  DNSSEC validation state updated as a side effect
// @return presumably true when an answer was synthesized from cache — confirm in the .cc
65 bool getDenial(time_t, const DNSName& name, const QType& type, std::vector<DNSRecord>& ret, int& res, const ComboAddress& who, const boost::optional<std::string>& routingTag, bool doDNSSEC, pdns::validation::ValidationContext& validationContext, const OptLog& log = std::nullopt);
// Drops the cached data for `zone`; with `subzones` set, its subzones too.
67 void removeZoneInfo(const DNSName& zone, bool subzones);
// Number of cached entries as last published by updateEntriesCount().
69 uint64_t getEntriesCount() const
71 return d_entriesCount;
// Statistics accessors; each reads the matching pdns::stat_t counter below.
74 uint64_t getNSECHits() const
79 uint64_t getNSEC3Hits() const
84 uint64_t getNSECWildcardHits() const
86 return d_nsecWildcardHits;
89 uint64_t getNSEC3WildcardHits() const
91 return d_nsec3WildcardHits;
94 // exported for unit test purposes
// Decides whether the NSEC3 owned by `owner` with next hash `nextHash`
// covers a small enough range to be usable; the criterion involves
// s_maxNSEC3CommonPrefix (see above) — details in the .cc and unit tests.
95 static bool isSmallCoveringNSEC3(const DNSName& owner, const std::string& nextHash);
// Evicts entries relative to `now` (expired and/or over d_maxEntries —
// confirm the exact policy in the .cc).
97 void prune(time_t now);
// Writes the cache contents to `fp`; the size_t is presumably the number
// of entries written.
98 size_t dumpToFile(std::unique_ptr<FILE, int (*)(FILE*)>& fp, const struct timeval& now);
// Per-zone state: the zone name, NSEC3 parameters and the cached records.
103 ZoneEntry(const DNSName& zone) :
// NSEC3 zones also record the salt and iteration count needed to hash names.
108 ZoneEntry(const DNSName& zone, const std::string& salt, uint16_t iterations, bool nsec3) :
109 d_zone(zone), d_salt(salt), d_iterations(iterations), d_nsec3(nsec3)
// One cached NSEC/NSEC3 record plus the RRSIGs covering it.
125 std::shared_ptr<const DNSRecordContent> d_record;
126 std::vector<std::shared_ptr<const RRSIGRecordContent>> d_signatures;
// Entries are indexed three ways: ordered uniquely by canonical owner name
// (presumably what getNSECBefore walks), in insertion sequence, and hashed
// (non-unique) by owner name for exact lookups.
133 typedef multi_index_container<
136 ordered_unique<tag<OrderedTag>,
137 member<CacheEntry, const DNSName, &CacheEntry::d_owner>,
138 CanonDNSNameCompare>,
139 sequenced<tag<SequencedTag>>,
140 hashed_non_unique<tag<HashedTag>,
141 member<CacheEntry, const DNSName, &CacheEntry::d_owner>>>>
145 const DNSName d_zone;
// NSEC3 iteration count; stays 0 unless set by the NSEC3 constructor.
147 uint16_t d_iterations{0};
// Private helpers. getZone/getBestZone look up a zone entry (exact vs.
// closest enclosing); getNSECBefore/getNSEC3 locate a covering record;
// getNSEC3Denial assembles an NSEC3 denial (with the SOA set); the
// synthesize* helpers build a wildcard answer from a covering record.
151 std::shared_ptr<LockGuarded<ZoneEntry>> getZone(const DNSName& zone);
152 std::shared_ptr<LockGuarded<ZoneEntry>> getBestZone(const DNSName& zone);
153 bool getNSECBefore(time_t now, std::shared_ptr<LockGuarded<ZoneEntry>>& zoneEntry, const DNSName& name, ZoneEntry::CacheEntry& entry);
154 bool getNSEC3(time_t now, std::shared_ptr<LockGuarded<ZoneEntry>>& zoneEntry, const DNSName& name, ZoneEntry::CacheEntry& entry);
155 bool getNSEC3Denial(time_t now, std::shared_ptr<LockGuarded<ZoneEntry>>& zoneEntry, std::vector<DNSRecord>& soaSet, std::vector<std::shared_ptr<const RRSIGRecordContent>>& soaSignatures, const DNSName& name, const QType& type, std::vector<DNSRecord>& ret, int& res, bool doDNSSEC, const OptLog&, pdns::validation::ValidationContext& validationContext);
156 bool synthesizeFromNSEC3Wildcard(time_t now, const DNSName& name, const QType& type, std::vector<DNSRecord>& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nextCloser, const DNSName& wildcardName, const OptLog&);
157 bool synthesizeFromNSECWildcard(time_t now, const DNSName& name, const QType& type, std::vector<DNSRecord>& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nsec, const DNSName& wildcardName, const OptLog&);
159 /* slowly updates d_entriesCount */
160 void updateEntriesCount(SuffixMatchTree<std::shared_ptr<LockGuarded<ZoneEntry>>>& zones);
// Zone tree behind a shared (reader/writer) lock; each ZoneEntry is
// additionally guarded by its own lock.
162 SharedLockGuarded<SuffixMatchTree<std::shared_ptr<LockGuarded<ZoneEntry>>>> d_zones;
// Hit and size counters exposed through the getters above.
163 pdns::stat_t d_nsecHits{0};
164 pdns::stat_t d_nsec3Hits{0};
165 pdns::stat_t d_nsecWildcardHits{0};
166 pdns::stat_t d_nsec3WildcardHits{0};
167 pdns::stat_t d_entriesCount{0};
// Eviction threshold written by setMaxEntries(); atomic so that update
// and concurrent reads need no lock.
168 std::atomic<uint64_t> d_maxEntries{0};
// Process-wide aggressive NSEC cache instance; the owning definition lives
// in the corresponding .cc.
171 extern std::unique_ptr<AggressiveNSECCache> g_aggressiveNSECCache;