]> git.ipfire.org Git - thirdparty/pdns.git/blob - pdns/rfc2136handler.cc
projects / thirdparty / pdns.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
rec: Don't account chained queries more than once
[thirdparty/pdns.git] / pdns / rfc2136handler.cc
1 #ifdef HAVE_CONFIG_H
2 #include "config.h"
3 #endif
4 #include "packethandler.hh"
5 #include "qtype.hh"
6 #include "dnspacket.hh"
7 #include "auth-caches.hh"
8 #include "statbag.hh"
9 #include "dnsseckeeper.hh"
10 #include "base64.hh"
11 #include "base32.hh"
12
13 #include "misc.hh"
14 #include "arguments.hh"
15 #include "resolver.hh"
16 #include "dns_random.hh"
17 #include "backends/gsql/ssql.hh"
18 #include "communicator.hh"
19
20 extern StatBag S;
21 extern CommunicatorClass Communicator;
22
23 pthread_mutex_t PacketHandler::s_rfc2136lock=PTHREAD_MUTEX_INITIALIZER;
24
25 // Implement section 3.2.1 and 3.2.2 of RFC2136
26 int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {
27 if (rr->d_ttl != 0)
28 return RCode::FormErr;
29
30 // 3.2.1 and 3.2.2 check content length.
31 if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)
32 return RCode::FormErr;
33
34 bool foundRecord=false;
35 DNSResourceRecord rec;
36 di->backend->lookup(QType(QType::ANY), rr->d_name);
37 while(di->backend->get(rec)) {
38 if (!rec.qtype.getCode())
39 continue;
40 if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)
41 foundRecord=true;
42 }
43
44 // Section 3.2.1
45 if (rr->d_class == QClass::ANY && !foundRecord) {
46 if (rr->d_type == QType::ANY)
47 return RCode::NXDomain;
48 if (rr->d_type != QType::ANY)
49 return RCode::NXRRSet;
50 }
51
52 // Section 3.2.2
53 if (rr->d_class == QClass::NONE && foundRecord) {
54 if (rr->d_type == QType::ANY)
55 return RCode::YXDomain;
56 if (rr->d_type != QType::ANY)
57 return RCode::YXRRSet;
58 }
59
60 return RCode::NoError;
61 }
62
63
64 // Method implements section 3.4.1 of RFC2136
65 int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {
66 // The RFC stats that d_class != ZCLASS, but we only support the IN class.
67 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
68 return RCode::FormErr;
69
70 QType qtype = QType(rr->d_type);
71
72 if (! qtype.isSupportedType())
73 return RCode::FormErr;
74
75 if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0)
76 return RCode::FormErr;
77
78 if (rr->d_class == QClass::ANY && rr->d_clen != 0)
79 return RCode::FormErr;
80
81 if (qtype.isMetadataType())
82 return RCode::FormErr;
83
84 if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY)
85 return RCode::FormErr;
86
87 return RCode::NoError;
88 }
89
90
91 // Implements section 3.4.2 of RFC2136
92 uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {
93
94 QType rrType = QType(rr->d_type);
95
96 if (rrType == QType::NSEC || rrType == QType::NSEC3) {
97 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<". These are generated records, ignoring!"<<endl;
98 return 0;
99 }
100
101 if (!isPresigned && ((!::arg().mustDo("direct-dnskey") && rrType == QType::DNSKEY) || rrType == QType::RRSIG)) {
102 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<" in non-presigned zone, ignoring!"<<endl;
103 return 0;
104 }
105
106 if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone) {
107 L<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.getName()<<", "<<rrType.getName()<<" must be at zone apex, ignoring!"<<endl;
108 return 0;
109 }
110
111
112 uint changedRecords = 0;
113 DNSResourceRecord rec;
114 vector<DNSResourceRecord> rrset, recordsToDelete;
115 set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.
116
117
118 if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update
119 DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.getName()<<endl);
120
121 if (rrType == QType::NSEC3PARAM) {
122 L<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;
123
124 NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
125 *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
126 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
127
128 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
129
130 vector<DNSResourceRecord> rrs;
131 set<DNSName> qnames, nssets, dssets;
132 di->backend->list(di->zone, di->id);
133 while (di->backend->get(rec)) {
134 qnames.insert(rec.qname);
135 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
136 nssets.insert(rec.qname);
137 if(rec.qtype.getCode() == QType::DS)
138 dssets.insert(rec.qname);
139 }
140
141 DNSName shorter;
142 for(const auto& qname: qnames) {
143 shorter = qname;
144 int ddepth = 0;
145 do {
146 if(qname == di->zone)
147 break;
148 if(nssets.count(shorter))
149 ++ddepth;
150 } while(shorter.chopOff());
151
152 DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
153 if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
154 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0 ));
155
156 if (nssets.count(qname)) {
157 if (ns3pr->d_flags)
158 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS );
159 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
160 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
161 }
162 } else {
163 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
164 }
165 if (ddepth == 1 || dssets.count(qname)) // FIXME400 && ?
166 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::DS);
167 }
168 return 1;
169 }
170
171
172
173 bool foundRecord = false;
174 di->backend->lookup(rrType, rr->d_name);
175 while (di->backend->get(rec)) {
176 rrset.push_back(rec);
177 foundRecord = true;
178 }
179
180 if (foundRecord) {
181
182 if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current
183 SOAData sdOld, sdUpdate;
184 DNSResourceRecord *oldRec = &rrset.front();
185 fillSOAData(oldRec->content, sdOld);
186 oldRec->setContent(rr->d_content->getZoneRepresentation());
187 fillSOAData(oldRec->content, sdUpdate);
188 if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {
189 di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);
190 *updatedSerial = true;
191 changedRecords++;
192 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
193 } else {
194 L<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;
195 }
196
197 // It's not possible to have multiple CNAME's with the same NAME. So we always update.
198 } else if (rrType == QType::CNAME) {
199 int changedCNames = 0;
200 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
201 if (i->ttl != rr->d_ttl || i->content != rr->d_content->getZoneRepresentation()) {
202 i->ttl = rr->d_ttl;
203 i->setContent(rr->d_content->getZoneRepresentation());
204 changedCNames++;
205 }
206 }
207 if (changedCNames > 0) {
208 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
209 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
210 changedRecords += changedCNames;
211 } else {
212 L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
213 }
214
215 // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL)
216 } else {
217 int updateTTL=0;
218 foundRecord = false;
219 for (vector<DNSResourceRecord>::iterator i = rrset.begin(); i != rrset.end(); i++) {
220 string content = rr->d_content->getZoneRepresentation();
221 if (rrType == i->qtype.getCode() && i->getZoneRepresentation() == content) {
222 foundRecord=true;
223 if (i->ttl != rr->d_ttl) {
224 i->ttl = rr->d_ttl;
225 updateTTL++;
226 }
227 }
228 }
229 if (updateTTL > 0) {
230 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
231 L<<Logger::Notice<<msgPrefix<<"Replacing record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
232 changedRecords += updateTTL;
233 } else {
234 L<<Logger::Notice<<msgPrefix<<"Replace for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but no changes made."<<endl;
235 }
236 }
237
238 // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.
239 // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.
240 if (changedRecords > 0) {
241 bool auth = rrset.front().auth;
242
243 if(*haveNSEC3) {
244 DNSName ordername;
245 if(! *narrow)
246 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
247
248 if (*narrow)
249 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
250 else
251 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
252 if(!auth || rrType == QType::DS) {
253 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
254 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
255 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
256 }
257
258 } else { // NSEC
259 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
260 if(!auth || rrType == QType::DS) {
261 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
262 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
263 }
264 }
265 }
266
267 } // if (foundRecord)
268
269 // If we haven't found a record that matches, we must add it.
270 if (! foundRecord) {
271 L<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
272 delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.
273 auto newRec = DNSResourceRecord::fromWire(*rr);
274 newRec.domain_id = di->id;
275 newRec.auth = (rr->d_name == di->zone || rrType.getCode() != QType::NS);
276 di->backend->feedRecord(newRec, DNSName());
277 changedRecords++;
278
279
280 // because we added a record, we need to fix DNSSEC data.
281 DNSName shorter(rr->d_name);
282 bool auth=newRec.auth;
283 bool fixDS = (rrType == QType::DS);
284
285 if (di->zone != shorter) { // Everything at APEX is auth=1 && no ENT's
286 do {
287
288 if (di->zone == shorter)
289 break;
290
291 bool foundShorter = false;
292 di->backend->lookup(QType(QType::ANY), shorter);
293 while (di->backend->get(rec)) {
294 if (rec.qname == rr->d_name && rec.qtype == QType::DS)
295 fixDS = true;
296 if (shorter != rr->d_name)
297 foundShorter = true;
298 if (rec.qtype == QType::NS) // are we inserting below a delegate?
299 auth=false;
300 }
301
302 if (!foundShorter && auth && shorter != rr->d_name) // haven't found any record at current level, insert ENT.
303 insnonterm.insert(shorter);
304 if (foundShorter)
305 break; // if we find a shorter record, we can stop searching
306 } while(shorter.chopOff());
307 }
308
309 if(*haveNSEC3)
310 {
311 DNSName ordername;
312 if(! *narrow)
313 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
314
315 if (*narrow)
316 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
317 else
318 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
319
320 if (fixDS)
321 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
322
323 if(!auth)
324 {
325 if (ns3pr->d_flags)
326 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
327 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
328 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
329 }
330 }
331 else // NSEC
332 {
333 DNSName ordername=rr->d_name.makeRelative(di->zone);
334 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
335 if (fixDS) {
336 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
337 }
338 if(!auth) {
339 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
340 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
341 }
342 }
343
344
345 // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.
346 // Auth can only be false when the rr->d_name is not the zone
347 if (auth == false && rrType == QType::NS) {
348 DLOG(L<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);
349 insnonterm.clear(); // No ENT's are needed below delegates (auth=0)
350 vector<DNSName> qnames;
351 di->backend->listSubZone(rr->d_name, di->id);
352 while(di->backend->get(rec)) {
353 if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.
354 qnames.push_back(rec.qname);
355 }
356 for(vector<DNSName>::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) {
357 if(*haveNSEC3) {
358 DNSName ordername;
359 if(! *narrow)
360 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname)));
361
362 if (*narrow)
363 di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth); // FIXME400 no *qname here?
364 else
365 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, auth);
366
367 if (ns3pr->d_flags)
368 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::NS);
369 }
370 else { // NSEC
371 DNSName ordername=DNSName(*qname).makeRelative(di->zone);
372 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, ordername, false, QType::NS);
373 }
374
375 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::A);
376 di->backend->updateDNSSECOrderNameAndAuth(di->id, *qname, DNSName(), false, QType::AAAA);
377 }
378 }
379 }
380 } // rr->d_class == QClass::IN
381
382
383 // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by
384 // the code that calls this performUpdate().
385 if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.
386 DLOG(L<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.getName()<<endl);
387
388 if (rrType == QType::NSEC3PARAM) {
389 L<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;
390 if (rr->d_class == QClass::ANY)
391 d_dk.unsetNSEC3PARAM(rr->d_name);
392 else if (rr->d_class == QClass::NONE) {
393 NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
394 if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
395 d_dk.unsetNSEC3PARAM(rr->d_name);
396 else
397 return 0;
398 } else
399 return 0;
400
401 // We retrieve new values, other RR's in this update package might need it as well.
402 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
403
404 vector<DNSResourceRecord> rrs;
405 set<DNSName> qnames, nssets, dssets, ents;
406 di->backend->list(di->zone, di->id);
407 while (di->backend->get(rec)) {
408 qnames.insert(rec.qname);
409 if(rec.qtype.getCode() == QType::NS && rec.qname != di->zone)
410 nssets.insert(rec.qname);
411 if(rec.qtype.getCode() == QType::DS)
412 dssets.insert(rec.qname);
413 if(!rec.qtype.getCode())
414 ents.insert(rec.qname);
415 }
416
417 DNSName shorter;
418 string hashed;
419 for(const DNSName& qname : qnames) {
420 shorter = qname;
421 int ddepth = 0;
422 do {
423 if(qname == di->zone)
424 break;
425 if(nssets.count(shorter))
426 ++ddepth;
427 } while(shorter.chopOff());
428
429 DNSName ordername=qname.makeRelative(di->zone);
430 if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
431 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, (ddepth == 0));
432
433 if (nssets.count(qname)) {
434 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
435 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
436 }
437 } else {
438 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), (ddepth == 0));
439 }
440 if (ddepth == 1 || dssets.count(qname))
441 di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, true, QType::DS);
442 }
443 return 1;
444 } // end of NSEC3PARAM delete block
445
446
447 di->backend->lookup(rrType, rr->d_name);
448 while(di->backend->get(rec)) {
449 if (rr->d_class == QClass::ANY) { // 3.4.2.3
450 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's
451 rrset.push_back(rec);
452 else
453 recordsToDelete.push_back(rec);
454 }
455 if (rr->d_class == QClass::NONE) { // 3.4.2.4
456 if (rrType == rec.qtype && rec.getZoneRepresentation() == rr->d_content->getZoneRepresentation())
457 recordsToDelete.push_back(rec);
458 else
459 rrset.push_back(rec);
460 }
461 }
462
463 if (recordsToDelete.size()) {
464 di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);
465 L<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.getName()<<endl;
466 changedRecords += recordsToDelete.size();
467
468
469 // If we've removed a delegate, we need to reset ordername/auth for some records.
470 if (rrType == QType::NS && rr->d_name != di->zone) {
471 vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;
472 di->backend->listSubZone(rr->d_name, di->id);
473 while (di->backend->get(rec)) {
474 if (rec.qtype.getCode()) // skip ENT records, they are always auth=false
475 belowOldDelegate.push_back(rec.qname);
476 if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)
477 nsRecs.push_back(rec.qname);
478 }
479
480 for(auto &belowOldDel: belowOldDelegate)
481 {
482 bool isBelowDelegate = false;
483 for(const auto & ns: nsRecs) {
484 if (ns.isPartOf(belowOldDel)) {
485 isBelowDelegate=true;
486 break;
487 }
488 }
489 if (!isBelowDelegate)
490 updateAuthFlag.push_back(belowOldDel);
491 }
492
493 for (const auto &changeRec:updateAuthFlag) {
494 if(*haveNSEC3) {
495 DNSName ordername;
496 if(! *narrow)
497 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
498
499 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
500 }
501 else { // NSEC
502 DNSName ordername=changeRec.makeRelative(di->zone);
503 di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
504 }
505 }
506 }
507
508 // Fix ENT records.
509 // We must check if we have a record below the current level and if we removed the 'last' record
510 // on that level. If so, we must insert an ENT record.
511 // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.
512 bool foundDeeper = false, foundOtherWithSameName = false;
513 di->backend->listSubZone(rr->d_name, di->id);
514 while (di->backend->get(rec)) {
515 if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))
516 foundOtherWithSameName = true;
517 if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT
518 foundDeeper = true;
519 }
520
521 if (foundDeeper && !foundOtherWithSameName) {
522 insnonterm.insert(rr->d_name);
523 } else if (!foundOtherWithSameName) {
524 // If we didn't have to insert an ENT, we might have deleted a record at very deep level
525 // and we must then clean up the ENT's above the deleted record.
526 DNSName shorter(rr->d_name);
527 while (shorter != di->zone) {
528 shorter.chopOff();
529 bool foundRealRR = false;
530 bool foundEnt = false;
531
532 // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch
533 // consider these non ENT-records:
534 // b.c.d.e.test.com
535 // b.d.e.test.com
536 // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.
537 // At that point we can stop deleting ENT's because the tree is in tact again.
538 di->backend->listSubZone(shorter, di->id);
539
540 while (di->backend->get(rec)) {
541 if (rec.qtype.getCode())
542 foundRealRR = true;
543 else
544 foundEnt = true;
545 }
546 if (!foundRealRR) {
547 if (foundEnt) // only delete the ENT if we actually found one.
548 delnonterm.insert(shorter);
549 } else
550 break;
551 }
552 }
553 } else { // if (recordsToDelete.size())
554 L<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.getName()<<" requested, but not found."<<endl;
555 }
556 } // (End of delete block d_class == ANY || d_class == NONE
557
558
559
560 //Insert and delete ENT's
561 if (insnonterm.size() > 0 || delnonterm.size() > 0) {
562 DLOG(L<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);
563 di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);
564 for (const auto &i: insnonterm) {
565 string hashed;
566 if(*haveNSEC3)
567 {
568 DNSName ordername;
569 if(! *narrow)
570 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
571 di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
572 }
573 }
574 }
575
576 return changedRecords;
577 }
578
579 int PacketHandler::forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di) {
580 vector<string> forward;
581 B.getDomainMetadata(p->qdomain, "FORWARD-DNSUPDATE", forward);
582
583 if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {
584 L<<Logger::Notice<<msgPrefix<<"Not configured to forward to master, returning Refused."<<endl;
585 return RCode::Refused;
586 }
587
588 for(vector<string>::const_iterator master=di->masters.begin(); master != di->masters.end(); master++) {
589 L<<Logger::Notice<<msgPrefix<<"Forwarding packet to master "<<*master<<endl;
590 ComboAddress remote;
591 try {
592 remote = ComboAddress(*master, 53);
593 }
594 catch (...) {
595 L<<Logger::Error<<msgPrefix<<"Failed to parse "<<*master<<" as valid remote."<<endl;
596 continue;
597 }
598
599 ComboAddress local;
600 if(remote.sin4.sin_family == AF_INET)
601 local = ComboAddress(::arg()["query-local-address"]);
602 else if(!::arg()["query-local-address6"].empty())
603 local = ComboAddress(::arg()["query-local-address6"]);
604 else
605 local = ComboAddress("::");
606 int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.
607 if(sock < 0) {
608 L<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;
609 continue;
610 }
611
612 if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {
613 L<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;
614 try {
615 closesocket(sock);
616 }
617 catch(const PDNSException& e) {
618 L<<Logger::Error<<"Error closing master forwarding socket after connect() failed: "<<e.reason<<endl;
619 }
620 continue;
621 }
622
623 DNSPacket forwardPacket(*p);
624 forwardPacket.setID(dns_random(0xffff));
625 forwardPacket.setRemote(&remote);
626 uint16_t len=htons(forwardPacket.getString().length());
627 string buffer((const char*)&len, 2);
628 buffer.append(forwardPacket.getString());
629 if(write(sock, buffer.c_str(), buffer.length()) < 0) {
630 L<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
631 try {
632 closesocket(sock);
633 }
634 catch(const PDNSException& e) {
635 L<<Logger::Error<<"Error closing master forwarding socket after write() failed: "<<e.reason<<endl;
636 }
637 continue;
638 }
639
640 int res = waitForData(sock, 10, 0);
641 if (!res) {
642 L<<Logger::Error<<msgPrefix<<"Timeout waiting for reply from master at "<<remote.toStringWithPort()<<endl;
643 try {
644 closesocket(sock);
645 }
646 catch(const PDNSException& e) {
647 L<<Logger::Error<<"Error closing master forwarding socket after a timeout occured: "<<e.reason<<endl;
648 }
649 continue;
650 }
651 if (res < 0) {
652 L<<Logger::Error<<msgPrefix<<"Error waiting for answer from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
653 try {
654 closesocket(sock);
655 }
656 catch(const PDNSException& e) {
657 L<<Logger::Error<<"Error closing master forwarding socket after an error occured: "<<e.reason<<endl;
658 }
659 continue;
660 }
661
662 unsigned char lenBuf[2];
663 ssize_t recvRes;
664 recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);
665 if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) {
666 L<<Logger::Error<<msgPrefix<<"Could not receive data (length) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
667 try {
668 closesocket(sock);
669 }
670 catch(const PDNSException& e) {
671 L<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
672 }
673 continue;
674 }
675 size_t packetLen = lenBuf[0]*256+lenBuf[1];
676
677 char buf[packetLen];
678 recvRes = recv(sock, &buf, packetLen, 0);
679 if (recvRes < 0) {
680 L<<Logger::Error<<msgPrefix<<"Could not receive data (dnspacket) from master at "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;
681 try {
682 closesocket(sock);
683 }
684 catch(const PDNSException& e) {
685 L<<Logger::Error<<"Error closing master forwarding socket after recv() failed: "<<e.reason<<endl;
686 }
687 continue;
688 }
689 try {
690 closesocket(sock);
691 }
692 catch(const PDNSException& e) {
693 L<<Logger::Error<<"Error closing master forwarding socket: "<<e.reason<<endl;
694 }
695
696 try {
697 MOADNSParser mdp(false, buf, static_cast<unsigned int>(recvRes));
698 L<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;
699 return mdp.d_header.rcode;
700 }
701 catch (...) {
702 L<<Logger::Error<<msgPrefix<<"Failed to parse response packet from master at "<<remote.toStringWithPort()<<endl;
703 continue;
704 }
705 }
706 L<<Logger::Error<<msgPrefix<<"Failed to forward packet to master(s). Returning ServFail."<<endl;
707 return RCode::ServFail;
708
709 }
710
711 int PacketHandler::processUpdate(DNSPacket *p) {
712 if (! ::arg().mustDo("dnsupdate"))
713 return RCode::Refused;
714
715 string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote().toString() + " for " + p->qdomain.toLogString() + ": ";
716 L<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
717
718 // if there is policy, we delegate all checks to it
719 if (this->d_update_policy_lua == NULL) {
720
721 // Check permissions - IP based
722 vector<string> allowedRanges;
723 B.getDomainMetadata(p->qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
724 if (! ::arg()["allow-dnsupdate-from"].empty())
725 stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );
726
727 NetmaskGroup ng;
728 for(vector<string>::const_iterator i=allowedRanges.begin(); i != allowedRanges.end(); i++)
729 ng.addMask(*i);
730
731 if ( ! ng.match(&p->d_remote)) {
732 L<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;
733 return RCode::Refused;
734 }
735
736
737 // Check permissions - TSIG based.
738 vector<string> tsigKeys;
739 B.getDomainMetadata(p->qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
740 if (tsigKeys.size() > 0) {
741 bool validKey = false;
742
743 TSIGRecordContent trc;
744 DNSName inputkey;
745 string message;
746 if (! p->getTSIGDetails(&trc, &inputkey)) {
747 L<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
748 return RCode::Refused;
749 }
750
751 if (p->d_tsig_algo == TSIG_GSS) {
752 GssName inputname(p->d_peer_principal); // match against principal since GSS
753 for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
754 if (inputname.match(*key)) {
755 validKey = true;
756 break;
757 }
758 }
759 } else {
760 for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
761 if (inputkey == DNSName(*key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
762 validKey=true;
763 break;
764 }
765 }
766 }
767
768 if (!validKey) {
769 L<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
770 return RCode::Refused;
771 }
772 }
773
774 if (tsigKeys.size() == 0 && p->d_havetsig)
775 L<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
776
777 }
778
779 // RFC2136 uses the same DNS Header and Message as defined in RFC1035.
780 // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
781 // variable names during the use of our MOADNSParser.
782 MOADNSParser mdp(false, p->getString());
783 if (mdp.d_header.qdcount != 1) {
784 L<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
785 return RCode::FormErr;
786 }
787
788 if (p->qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
789 L<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
790 return RCode::FormErr;
791 }
792
793 if (p->qclass != QClass::IN) {
794 L<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
795 return RCode::NotAuth;
796 }
797
798 DomainInfo di;
799 di.backend=0;
800 if(!B.getDomainInfo(p->qdomain, di) || !di.backend) {
801 L<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p->qdomain<<"' (or backend does not support DNS update operation)"<<endl;
802 return RCode::NotAuth;
803 }
804
805 if (di.kind == DomainInfo::Slave)
806 return forwardPacket(msgPrefix, p, &di);
807
808 // Check if all the records provided are within the zone
809 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
810 const DNSRecord *rr = &i->first;
811 // Skip this check for other field types (like the TSIG - which is in the additional section)
812 // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.
813 if (! (rr->d_place == DNSResourceRecord::ANSWER || rr->d_place == DNSResourceRecord::AUTHORITY))
814 continue;
815
816 if (!rr->d_name.isPartOf(di.zone)) {
817 L<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;
818 return RCode::NotZone;
819 }
820 }
821
822
823 Lock l(&s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
824 L<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
825 if (!di.backend->startTransaction(p->qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
826 L<<Logger::Error<<msgPrefix<<"Backend for domain "<<p->qdomain<<" does not support transaction. Can't do Update packet."<<endl;
827 return RCode::NotImp;
828 }
829
830 // 3.2.1 and 3.2.2 - Prerequisite check
831 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
832 const DNSRecord *rr = &i->first;
833 if (rr->d_place == DNSResourceRecord::ANSWER) {
834 int res = checkUpdatePrerequisites(rr, &di);
835 if (res>0) {
836 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning "<<res<<endl;
837 di.backend->abortTransaction();
838 return res;
839 }
840 }
841 }
842
843 // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR.
844 typedef pair<DNSName, QType> rrSetKey_t;
845 typedef vector<DNSResourceRecord> rrVector_t;
846 typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;
847 RRsetMap_t preReqRRsets;
848 for(const auto& i : mdp.d_answers) {
849 const DNSRecord* rr = &i.first;
850 if (rr->d_place == DNSResourceRecord::ANSWER) {
851 // Last line of 3.2.3
852 if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY)
853 return RCode::FormErr;
854
855 if (rr->d_class == QClass::IN) {
856 rrSetKey_t key = make_pair(rr->d_name, QType(rr->d_type));
857 rrVector_t *vec = &preReqRRsets[key];
858 vec->push_back(DNSResourceRecord::fromWire(*rr));
859 }
860 }
861 }
862
863 if (preReqRRsets.size() > 0) {
864 RRsetMap_t zoneRRsets;
865 for (RRsetMap_t::iterator preRRSet = preReqRRsets.begin(); preRRSet != preReqRRsets.end(); ++preRRSet) {
866 rrSetKey_t rrSet=preRRSet->first;
867 rrVector_t *vec = &preRRSet->second;
868
869 DNSResourceRecord rec;
870 di.backend->lookup(QType(QType::ANY), rrSet.first);
871 uint16_t foundRR=0, matchRR=0;
872 while (di.backend->get(rec)) {
873 if (rec.qtype == rrSet.second) {
874 foundRR++;
875 for(rrVector_t::iterator rrItem=vec->begin(); rrItem != vec->end(); ++rrItem) {
876 rrItem->ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.
877 if (*rrItem == rec)
878 matchRR++;
879 }
880 }
881 }
882 if (matchRR != foundRR || foundRR != vec->size()) {
883 L<<Logger::Error<<msgPrefix<<"Failed PreRequisites check, returning NXRRSet"<<endl;
884 di.backend->abortTransaction();
885 return RCode::NXRRSet;
886 }
887 }
888 }
889
890
891
892 // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.
893 try {
894 uint changedRecords = 0;
895 // 3.4.1 - Prescan section
896 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
897 const DNSRecord *rr = &i->first;
898 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
899 int res = checkUpdatePrescan(rr);
900 if (res>0) {
901 L<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;
902 di.backend->abortTransaction();
903 return res;
904 }
905 }
906 }
907
908 bool updatedSerial=false;
909 NSEC3PARAMRecordContent ns3pr;
910 bool narrow=false;
911 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
912 bool isPresigned = d_dk.isPresigned(di.zone);
913
914 // 3.4.2 - Perform the updates.
915 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
916 // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.
917 vector<const DNSRecord *> nsRRtoDelete;
918 for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) {
919 const DNSRecord *rr = &i->first;
920 if (rr->d_place == DNSResourceRecord::AUTHORITY) {
921 /* see if it's permitted by policy */
922 if (this->d_update_policy_lua != NULL) {
923 if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, p) == false) {
924 L<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Not permitted by policy"<<endl;
925 continue;
926 } else {
927 L<<Logger::Debug<<msgPrefix<<"Accepting update for " << rr->d_name << "/" << QType(rr->d_type).getName() << ": Permitted by policy"<<endl;
928 }
929 }
930
931 if (rr->d_class == QClass::NONE && rr->d_type == QType::NS && rr->d_name == di.zone)
932 nsRRtoDelete.push_back(rr);
933 else
934 changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
935 }
936 }
937 if (nsRRtoDelete.size()) {
938 vector<DNSResourceRecord> nsRRInZone;
939 DNSResourceRecord rec;
940 di.backend->lookup(QType(QType::NS), di.zone);
941 while (di.backend->get(rec)) {
942 nsRRInZone.push_back(rec);
943 }
944 if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)
945 for (vector<DNSResourceRecord>::iterator inZone=nsRRInZone.begin(); inZone != nsRRInZone.end(); inZone++) {
946 for (vector<const DNSRecord *>::iterator rr=nsRRtoDelete.begin(); rr != nsRRtoDelete.end(); rr++) {
947 if (inZone->getZoneRepresentation() == (*rr)->d_content->getZoneRepresentation())
948 changedRecords += performUpdate(msgPrefix, *rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);
949 }
950 }
951 }
952 }
953
954 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
955 if (changedRecords > 0 && !updatedSerial) {
956 increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr);
957 changedRecords++;
958 }
959
960 if (changedRecords > 0) {
961 if (!di.backend->commitTransaction()) {
962 L<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;
963 return RCode::ServFail;
964 }
965
966 S.deposit("dnsupdate-changes", changedRecords);
967
968 // Purge the records!
969 string zone(di.zone.toString());
970 zone.append("$");
971 purgeAuthCaches(zone);
972
973 // Notify slaves
974 if (di.kind == DomainInfo::Master) {
975 vector<string> notify;
976 B.getDomainMetadata(p->qdomain, "NOTIFY-DNSUPDATE", notify);
977 if (!notify.empty() && notify.front() == "1") {
978 Communicator.notifyDomain(di.zone);
979 }
980 }
981
982 L<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;
983 } else {
984 //No change, no commit, we perform abort() because some backends might like this more.
985 L<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;
986 di.backend->abortTransaction();
987 }
988 return RCode::NoError; //rfc 2136 3.4.2.5
989 }
990 catch (SSqlException &e) {
991 L<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;
992 di.backend->abortTransaction();
993 return RCode::ServFail;
994 }
995 catch (DBException &e) {
996 L<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;
997 di.backend->abortTransaction();
998 return RCode::ServFail;
999 }
1000 catch (PDNSException &e) {
1001 L<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;
1002 di.backend->abortTransaction();
1003 return RCode::ServFail;
1004 }
1005 catch(std::exception &e) {
1006 L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
1007 di.backend->abortTransaction();
1008 return RCode::ServFail;
1009 }
1010 catch (...) {
1011 L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
1012 di.backend->abortTransaction();
1013 return RCode::ServFail;
1014 }
1015 }
1016
1017 void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
1018 DNSResourceRecord rec, newRec;
1019 di->backend->lookup(QType(QType::SOA), di->zone);
1020 bool foundSOA=false;
1021 while (di->backend->get(rec)) {
1022 newRec = rec;
1023 foundSOA=true;
1024 }
1025 if (!foundSOA) {
1026 throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");
1027 }
1028 SOAData soa2Update;
1029 fillSOAData(rec.content, soa2Update);
1030 uint32_t oldSerial = soa2Update.serial;
1031
1032 if (oldSerial == 0) { // using Autoserial, leave the serial alone.
1033 L<<Logger::Notice<<msgPrefix<<"AutoSerial being used, not updating SOA serial."<<endl;
1034 return;
1035 }
1036
1037 vector<string> soaEdit2136Setting;
1038 B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);
1039 string soaEdit2136 = "DEFAULT";
1040 string soaEdit;
1041 if (!soaEdit2136Setting.empty()) {
1042 soaEdit2136 = soaEdit2136Setting[0];
1043 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
1044 string soaEditSetting;
1045 d_dk.getSoaEdit(di->zone, soaEditSetting);
1046 if (soaEditSetting.empty()) {
1047 L<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;
1048 soaEdit2136 = "DEFAULT";
1049 } else
1050 soaEdit = soaEditSetting;
1051 }
1052 }
1053
1054 soa2Update.serial = calculateIncreaseSOA(soa2Update, soaEdit2136, soaEdit);
1055
1056 newRec.content = serializeSOAData(soa2Update);
1057 vector<DNSResourceRecord> rrset;
1058 rrset.push_back(newRec);
1059 di->backend->replaceRRSet(di->id, newRec.qname, newRec.qtype, rrset);
1060 L<<Logger::Notice<<msgPrefix<<"Increasing SOA serial ("<<oldSerial<<" -> "<<soa2Update.serial<<")"<<endl;
1061
1062 //Correct ordername + auth flag
1063 if (haveNSEC3 && narrow)
1064 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, DNSName(), true);
1065 else if (haveNSEC3) {
1066 DNSName ordername;
1067 if (!narrow)
1068 ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, newRec.qname)));
1069
1070 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, ordername, true);
1071 }
1072 else { // NSEC
1073 DNSName ordername=newRec.qname.makeRelative(di->zone);
1074 di->backend->updateDNSSECOrderNameAndAuth(di->id, newRec.qname, ordername, true);
1075 }
1076 }
Unnamed repository; edit this file 'description' to name the repository.