]>
Commit | Line | Data |
---|---|---|
12c86877 BH |
1 | /* |
2 | PowerDNS Versatile Database Driven Nameserver | |
2e7834cb | 3 | Copyright (C) 2002-2012 PowerDNS.COM BV |
12c86877 BH |
4 | |
5 | This program is free software; you can redistribute it and/or modify | |
22dc646a BH |
6 | it under the terms of the GNU General Public License version 2 |
7 | as published by the Free Software Foundation | |
f782fe38 MH |
8 | |
9 | Additionally, the license of this program contains a special | |
10 | exception which allows to distribute the program in binary form when | |
11 | it is linked against OpenSSL. | |
12 | ||
12c86877 BH |
13 | This program is distributed in the hope that it will be useful, |
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | GNU General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with this program; if not, write to the Free Software | |
06bd9ccf | 20 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
12c86877 | 21 | */ |
870a0fe4 AT |
22 | #ifdef HAVE_CONFIG_H |
23 | #include "config.h" | |
24 | #endif | |
379ab445 | 25 | #include "packetcache.hh" |
1258abe0 | 26 | #include "utility.hh" |
add640c0 | 27 | #include "dnssecinfra.hh" |
4c1474f3 | 28 | #include "dnsseckeeper.hh" |
12c86877 | 29 | #include <cstdio> |
4888e4b2 | 30 | #include "base32.hh" |
12c86877 BH |
31 | #include <cstring> |
32 | #include <cstdlib> | |
33 | #include <sys/types.h> | |
34 | #include <iostream> | |
35 | #include <string> | |
36 | #include "tcpreceiver.hh" | |
67d74e49 | 37 | #include "sstuff.hh" |
fa8fd4d2 | 38 | |
12c86877 BH |
39 | #include <errno.h> |
40 | #include <signal.h> | |
78bcb858 | 41 | #include "base64.hh" |
12c86877 BH |
42 | #include "ueberbackend.hh" |
43 | #include "dnspacket.hh" | |
44 | #include "nameserver.hh" | |
45 | #include "distributor.hh" | |
46 | #include "lock.hh" | |
47 | #include "logger.hh" | |
48 | #include "arguments.hh" | |
379ab445 | 49 | |
3e8216c8 | 50 | #include "common_startup.hh" |
12c86877 BH |
51 | #include "packethandler.hh" |
52 | #include "statbag.hh" | |
53 | #include "resolver.hh" | |
54 | #include "communicator.hh" | |
61b26744 | 55 | #include "namespaces.hh" |
8e9b7d99 | 56 | #include "signingpipe.hh" |
273d88b2 | 57 | #include "stubresolver.hh" |
12c86877 BH |
58 | extern PacketCache PC; |
59 | extern StatBag S; | |
60 | ||
61 | /** | |
62 | \file tcpreceiver.cc | |
63 | \brief This file implements the tcpreceiver that receives and answers questions over TCP/IP | |
64 | */ | |
65 | ||
ac2bb9e7 | 66 | pthread_mutex_t TCPNameserver::s_plock = PTHREAD_MUTEX_INITIALIZER; |
12c86877 BH |
67 | Semaphore *TCPNameserver::d_connectionroom_sem; |
68 | PacketHandler *TCPNameserver::s_P; | |
9f1d5826 | 69 | NetmaskGroup TCPNameserver::d_ng; |
12c86877 | 70 | |
12c86877 BH |
71 | void TCPNameserver::go() |
72 | { | |
73 | L<<Logger::Error<<"Creating backend connection for TCP"<<endl; | |
74 | s_P=0; | |
75 | try { | |
76 | s_P=new PacketHandler; | |
77 | } | |
3f81d239 | 78 | catch(PDNSException &ae) { |
fd8bc993 | 79 | L<<Logger::Error<<"TCP server is unable to launch backends - will try again when questions come in: "<<ae.reason<<endl; |
12c86877 BH |
80 | } |
81 | pthread_create(&d_tid, 0, launcher, static_cast<void *>(this)); | |
82 | } | |
83 | ||
84 | void *TCPNameserver::launcher(void *data) | |
85 | { | |
86 | static_cast<TCPNameserver *>(data)->thread(); | |
87 | return 0; | |
88 | } | |
89 | ||
3f81d239 | 90 | // throws PDNSException if things didn't go according to plan, returns 0 if really 0 bytes were read |
6a3e5d1a | 91 | int readnWithTimeout(int fd, void* buffer, unsigned int n, bool throwOnEOF=true) |
12c86877 | 92 | { |
6a3e5d1a BH |
93 | unsigned int bytes=n; |
94 | char *ptr = (char*)buffer; | |
95 | int ret; | |
96 | while(bytes) { | |
97 | ret=read(fd, ptr, bytes); | |
98 | if(ret < 0) { | |
99 | if(errno==EAGAIN) { | |
4957a608 BH |
100 | ret=waitForData(fd, 5); |
101 | if(ret < 0) | |
102 | throw NetworkError("Waiting for data read"); | |
103 | if(!ret) | |
104 | throw NetworkError("Timeout reading data"); | |
105 | continue; | |
6a3e5d1a BH |
106 | } |
107 | else | |
4957a608 | 108 | throw NetworkError("Reading data: "+stringerror()); |
6a3e5d1a BH |
109 | } |
110 | if(!ret) { | |
111 | if(!throwOnEOF && n == bytes) | |
4957a608 | 112 | return 0; |
6a3e5d1a | 113 | else |
4957a608 | 114 | throw NetworkError("Did not fulfill read from TCP due to EOF"); |
6a3e5d1a BH |
115 | } |
116 | ||
117 | ptr += ret; | |
118 | bytes -= ret; | |
119 | } | |
120 | return n; | |
121 | } | |
12c86877 | 122 | |
6a3e5d1a BH |
123 | // ditto |
124 | void writenWithTimeout(int fd, const void *buffer, unsigned int n) | |
125 | { | |
126 | unsigned int bytes=n; | |
127 | const char *ptr = (char*)buffer; | |
128 | int ret; | |
129 | while(bytes) { | |
130 | ret=write(fd, ptr, bytes); | |
131 | if(ret < 0) { | |
132 | if(errno==EAGAIN) { | |
4957a608 BH |
133 | ret=waitForRWData(fd, false, 5, 0); |
134 | if(ret < 0) | |
135 | throw NetworkError("Waiting for data write"); | |
136 | if(!ret) | |
137 | throw NetworkError("Timeout writing data"); | |
138 | continue; | |
6a3e5d1a BH |
139 | } |
140 | else | |
4957a608 | 141 | throw NetworkError("Writing data: "+stringerror()); |
6a3e5d1a | 142 | } |
12c86877 | 143 | if(!ret) { |
67d74e49 | 144 | throw NetworkError("Did not fulfill TCP write due to EOF"); |
12c86877 | 145 | } |
6a3e5d1a BH |
146 | |
147 | ptr += ret; | |
148 | bytes -= ret; | |
12c86877 | 149 | } |
12c86877 BH |
150 | } |
151 | ||
6a3e5d1a | 152 | void connectWithTimeout(int fd, struct sockaddr* remote, size_t socklen) |
12c86877 | 153 | { |
6a3e5d1a BH |
154 | int err; |
155 | Utility::socklen_t len=sizeof(err); | |
156 | ||
76473b92 | 157 | if((err=connect(fd, remote, socklen))<0 && errno!=EINPROGRESS) |
67d74e49 | 158 | throw NetworkError("connect: "+stringerror()); |
6a3e5d1a BH |
159 | |
160 | if(!err) | |
161 | goto done; | |
162 | ||
163 | err=waitForRWData(fd, false, 5, 0); | |
164 | if(err == 0) | |
67d74e49 | 165 | throw NetworkError("Timeout connecting to remote"); |
6a3e5d1a | 166 | if(err < 0) |
67d74e49 | 167 | throw NetworkError("Error connecting to remote"); |
12c86877 | 168 | |
6a3e5d1a | 169 | if(getsockopt(fd, SOL_SOCKET,SO_ERROR,(char *)&err,&len)<0) |
67d74e49 | 170 | throw NetworkError("Error connecting to remote: "+stringerror()); // Solaris |
6a3e5d1a BH |
171 | |
172 | if(err) | |
67d74e49 | 173 | throw NetworkError("Error connecting to remote: "+string(strerror(err))); |
6a3e5d1a BH |
174 | |
175 | done: | |
176 | ; | |
177 | } | |
12c86877 | 178 | |
6a3e5d1a BH |
179 | void TCPNameserver::sendPacket(shared_ptr<DNSPacket> p, int outsock) |
180 | { | |
b552d7b1 | 181 | g_rs.submitResponse(*p, false); |
9951e2d0 | 182 | |
fbaa5e09 BH |
183 | uint16_t len=htons(p->getString().length()); |
184 | string buffer((const char*)&len, 2); | |
185 | buffer.append(p->getString()); | |
78bcb858 | 186 | writenWithTimeout(outsock, buffer.c_str(), buffer.length()); |
6a3e5d1a BH |
187 | } |
188 | ||
189 | ||
190 | void TCPNameserver::getQuestion(int fd, char *mesg, int pktlen, const ComboAddress &remote) | |
191 | try | |
192 | { | |
193 | readnWithTimeout(fd, mesg, pktlen); | |
194 | } | |
67d74e49 BH |
195 | catch(NetworkError& ae) { |
196 | throw NetworkError("Error reading DNS data from TCP client "+remote.toString()+": "+ae.what()); | |
12c86877 BH |
197 | } |
198 | ||
ff76e8b4 BH |
199 | static void proxyQuestion(shared_ptr<DNSPacket> packet) |
200 | { | |
201 | int sock=socket(AF_INET, SOCK_STREAM, 0); | |
326484be | 202 | |
3897b9e1 | 203 | setCloseOnExec(sock); |
ff76e8b4 | 204 | if(sock < 0) |
67d74e49 | 205 | throw NetworkError("Error making TCP connection socket to recursor: "+stringerror()); |
ff76e8b4 | 206 | |
3897b9e1 | 207 | setNonBlocking(sock); |
6a3e5d1a BH |
208 | ServiceTuple st; |
209 | st.port=53; | |
379ab445 | 210 | parseService(::arg()["recursor"],st); |
6a3e5d1a | 211 | |
ff76e8b4 | 212 | try { |
ff76e8b4 | 213 | ComboAddress recursor(st.host, st.port); |
6a3e5d1a | 214 | connectWithTimeout(sock, (struct sockaddr*)&recursor, recursor.getSocklen()); |
ff76e8b4 BH |
215 | const string &buffer=packet->getString(); |
216 | ||
217 | uint16_t len=htons(buffer.length()), slen; | |
218 | ||
6a3e5d1a BH |
219 | writenWithTimeout(sock, &len, 2); |
220 | writenWithTimeout(sock, buffer.c_str(), buffer.length()); | |
ff76e8b4 | 221 | |
c20eca2b | 222 | readnWithTimeout(sock, &len, 2); |
ff76e8b4 BH |
223 | len=ntohs(len); |
224 | ||
225 | char answer[len]; | |
c20eca2b | 226 | readnWithTimeout(sock, answer, len); |
ff76e8b4 BH |
227 | |
228 | slen=htons(len); | |
6a3e5d1a | 229 | writenWithTimeout(packet->getSocket(), &slen, 2); |
ff76e8b4 | 230 | |
6a3e5d1a | 231 | writenWithTimeout(packet->getSocket(), answer, len); |
ff76e8b4 | 232 | } |
67d74e49 | 233 | catch(NetworkError& ae) { |
ff76e8b4 | 234 | close(sock); |
67d74e49 | 235 | throw NetworkError("While proxying a question to recursor "+st.host+": " +ae.what()); |
ff76e8b4 BH |
236 | } |
237 | close(sock); | |
238 | return; | |
239 | } | |
240 | ||
5fd567ec | 241 | |
242 | static void incTCPAnswerCount(const ComboAddress& remote) | |
243 | { | |
244 | S.inc("tcp-answers"); | |
245 | if(remote.sin4.sin_family == AF_INET6) | |
246 | S.inc("tcp6-answers"); | |
247 | else | |
248 | S.inc("tcp4-answers"); | |
249 | } | |
12c86877 BH |
250 | void *TCPNameserver::doConnection(void *data) |
251 | { | |
ff76e8b4 | 252 | shared_ptr<DNSPacket> packet; |
b014ad98 BH |
253 | // Fix gcc-4.0 error (on AMD64) |
254 | int fd=(int)(long)data; // gotta love C (generates a harmless warning on opteron) | |
4f5e7925 | 255 | ComboAddress remote; |
256 | socklen_t remotelen=sizeof(remote); | |
257 | ||
12c86877 | 258 | pthread_detach(pthread_self()); |
4f5e7925 | 259 | if(getpeername(fd, (struct sockaddr *)&remote, &remotelen) < 0) { |
260 | L<<Logger::Warning<<"Received question from socket which had no remote address, dropping ("<<stringerror()<<")"<<endl; | |
261 | d_connectionroom_sem->post(); | |
262 | closesocket(fd); | |
263 | return 0; | |
264 | } | |
265 | ||
3897b9e1 | 266 | setNonBlocking(fd); |
12c86877 | 267 | try { |
c2b4ccc0 | 268 | int mesgsize=65535; |
269 | scoped_array<char> mesg(new char[mesgsize]); | |
12c86877 BH |
270 | |
271 | DLOG(L<<"TCP Connection accepted on fd "<<fd<<endl); | |
21a303f3 | 272 | bool logDNSQueries= ::arg().mustDo("log-dns-queries"); |
12c86877 | 273 | for(;;) { |
6a3e5d1a BH |
274 | |
275 | uint16_t pktlen; | |
276 | if(!readnWithTimeout(fd, &pktlen, 2, false)) | |
4957a608 | 277 | break; |
6a3e5d1a | 278 | else |
4957a608 | 279 | pktlen=ntohs(pktlen); |
12c86877 | 280 | |
366e1e5e AT |
281 | // this check will always be false *if* no one touches |
282 | // the mesg array. pktlen can be maximum of 65535 as | |
283 | // it is 2 byte unsigned variable. In getQuestion, we | |
284 | // write to 0 up to pktlen-1 so 65535 is just right. | |
285 | ||
286 | // do not remove this check as it will catch if someone | |
287 | // decreases the mesg buffer size for some reason. | |
c2b4ccc0 | 288 | if(pktlen > mesgsize) { |
c223d5e8 | 289 | L<<Logger::Warning<<"Received an overly large question from "<<remote.toString()<<", dropping"<<endl; |
4957a608 | 290 | break; |
12c86877 BH |
291 | } |
292 | ||
c2b4ccc0 | 293 | getQuestion(fd, mesg.get(), pktlen, remote); |
12c86877 | 294 | S.inc("tcp-queries"); |
5fd567ec | 295 | if(remote.sin4.sin_family == AF_INET6) |
296 | S.inc("tcp6-queries"); | |
297 | else | |
298 | S.inc("tcp4-queries"); | |
3e579e91 | 299 | |
ff76e8b4 | 300 | packet=shared_ptr<DNSPacket>(new DNSPacket); |
809fe23f | 301 | packet->setRemote(&remote); |
e9dd48f9 | 302 | packet->d_tcp=true; |
ff76e8b4 | 303 | packet->setSocket(fd); |
c2b4ccc0 | 304 | if(packet->parse(mesg.get(), pktlen)<0) |
4957a608 | 305 | break; |
c1663439 | 306 | |
6e59a580 KM |
307 | if(packet->qtype.getCode()==QType::AXFR) { |
308 | if(doAXFR(packet->qdomain, packet, fd)) | |
5fd567ec | 309 | incTCPAnswerCount(remote); |
6e59a580 KM |
310 | continue; |
311 | } | |
312 | ||
313 | if(packet->qtype.getCode()==QType::IXFR) { | |
314 | if(doIXFR(packet, fd)) | |
5fd567ec | 315 | incTCPAnswerCount(remote); |
4957a608 | 316 | continue; |
12c86877 BH |
317 | } |
318 | ||
ff76e8b4 | 319 | shared_ptr<DNSPacket> reply; |
ff76e8b4 | 320 | shared_ptr<DNSPacket> cached= shared_ptr<DNSPacket>(new DNSPacket); |
fe498ace BH |
321 | if(logDNSQueries) { |
322 | string remote; | |
323 | if(packet->hasEDNSSubnet()) | |
ded6b08d | 324 | remote = packet->getRemote().toString() + "<-" + packet->getRealRemote().toString(); |
fe498ace | 325 | else |
ded6b08d | 326 | remote = packet->getRemote().toString(); |
fe498ace | 327 | L << Logger::Notice<<"TCP Remote "<< remote <<" wants '" << packet->qdomain<<"|"<<packet->qtype.getName() << |
bb5903e2 | 328 | "', do = " <<packet->d_dnssecOk <<", bufsize = "<< packet->getMaxReplyLen()<<": "; |
fe498ace | 329 | } |
bb5903e2 | 330 | |
ff76e8b4 | 331 | |
75fde355 | 332 | if(!packet->d.rd && packet->couldBeCached() && PC.get(packet.get(), cached.get(), false)) { // short circuit - does the PacketCache recognize this question? |
21a303f3 | 333 | if(logDNSQueries) |
bb5903e2 | 334 | L<<"packetcache HIT"<<endl; |
d06799d4 | 335 | cached->setRemote(&packet->d_remote); |
4957a608 BH |
336 | cached->d.id=packet->d.id; |
337 | cached->d.rd=packet->d.rd; // copy in recursion desired bit | |
338 | cached->commitD(); // commit d to the packet inlined | |
339 | ||
3e8216c8 PD |
340 | if(LPE) LPE->police(&(*packet), &(*cached), true); |
341 | ||
e02d0a59 | 342 | sendPacket(cached, fd); // presigned, don't do it again |
4957a608 | 343 | continue; |
12c86877 | 344 | } |
21a303f3 | 345 | if(logDNSQueries) |
bb5903e2 | 346 | L<<"packetcache MISS"<<endl; |
12c86877 | 347 | { |
4957a608 BH |
348 | Lock l(&s_plock); |
349 | if(!s_P) { | |
350 | L<<Logger::Error<<"TCP server is without backend connections, launching"<<endl; | |
351 | s_P=new PacketHandler; | |
352 | } | |
353 | bool shouldRecurse; | |
354 | ||
355 | reply=shared_ptr<DNSPacket>(s_P->questionOrRecurse(packet.get(), &shouldRecurse)); // we really need to ask the backend :-) | |
356 | ||
3e8216c8 PD |
357 | if(LPE) LPE->police(&(*packet), &(*reply), true); |
358 | ||
4957a608 BH |
359 | if(shouldRecurse) { |
360 | proxyQuestion(packet); | |
361 | continue; | |
362 | } | |
12c86877 BH |
363 | } |
364 | ||
12c86877 | 365 | if(!reply) // unable to write an answer? |
4957a608 | 366 | break; |
b552d7b1 | 367 | |
ff76e8b4 | 368 | sendPacket(reply, fd); |
12c86877 | 369 | } |
12c86877 | 370 | } |
3f81d239 | 371 | catch(PDNSException &ae) { |
556252ea BH |
372 | Lock l(&s_plock); |
373 | delete s_P; | |
374 | s_P = 0; // on next call, backend will be recycled | |
027ffd26 | 375 | L<<Logger::Error<<"TCP nameserver had error, cycling backend: "<<ae.reason<<endl; |
ef1d2f44 | 376 | } |
0afa9049 | 377 | catch(NetworkError &e) { |
2e7834cb | 378 | L<<Logger::Info<<"TCP Connection Thread died because of network error: "<<e.what()<<endl; |
0afa9049 BH |
379 | } |
380 | ||
adc10f99 | 381 | catch(std::exception &e) { |
12c86877 BH |
382 | L<<Logger::Error<<"TCP Connection Thread died because of STL error: "<<e.what()<<endl; |
383 | } | |
384 | catch( ... ) | |
385 | { | |
386 | L << Logger::Error << "TCP Connection Thread caught unknown exception." << endl; | |
387 | } | |
12c86877 | 388 | d_connectionroom_sem->post(); |
3897b9e1 | 389 | closesocket(fd); |
12c86877 BH |
390 | |
391 | return 0; | |
392 | } | |
393 | ||
78bcb858 | 394 | |
e082fb4c | 395 | // call this method with s_plock held! |
ff76e8b4 | 396 | bool TCPNameserver::canDoAXFR(shared_ptr<DNSPacket> q) |
12c86877 | 397 | { |
379ab445 | 398 | if(::arg().mustDo("disable-axfr")) |
318c3ec6 BH |
399 | return false; |
400 | ||
78bcb858 BH |
401 | if(q->d_havetsig) { // if you have one, it must be good |
402 | TSIGRecordContent trc; | |
7abbc40f PD |
403 | DNSName keyname; |
404 | string secret; | |
84fc3f8b | 405 | if(!checkForCorrectTSIG(q.get(), s_P->getBackend(), &keyname, &secret, &trc)) { |
78bcb858 | 406 | return false; |
7f9ac49b AT |
407 | } else { |
408 | getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo); | |
409 | if (q->d_tsig_algo == TSIG_GSS) { | |
1635f12b | 410 | GssContext gssctx(keyname); |
7f9ac49b AT |
411 | if (!gssctx.getPeerPrincipal(q->d_peer_principal)) { |
412 | L<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl; | |
413 | } | |
414 | } | |
415 | } | |
416 | ||
78bcb858 | 417 | DNSSECKeeper dk; |
5e29f2f9 | 418 | |
84fc3f8b AT |
419 | if (q->d_tsig_algo == TSIG_GSS) { |
420 | vector<string> princs; | |
421 | s_P->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs); | |
ff05fd12 | 422 | for(const std::string& princ : princs) { |
84fc3f8b AT |
423 | if (q->d_peer_principal == princ) { |
424 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig'"<<endl; | |
425 | return true; | |
426 | } | |
427 | } | |
428 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' denied: TSIG signed request with principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig' is not permitted"<<endl; | |
429 | return false; | |
430 | } | |
431 | ||
3d03fee8 | 432 | if(!dk.TSIGGrantsAccess(q->qdomain, keyname)) { |
84fc3f8b | 433 | L<<Logger::Error<<"AXFR '"<<q->qdomain<<"' denied: key with name '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"' does not grant access to zone"<<endl; |
78bcb858 BH |
434 | return false; |
435 | } | |
436 | else { | |
84fc3f8b | 437 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized key '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"'"<<endl; |
78bcb858 BH |
438 | return true; |
439 | } | |
440 | } | |
93afc0a3 PD |
441 | |
442 | // cerr<<"checking allow-axfr-ips"<<endl; | |
443 | if(!(::arg()["allow-axfr-ips"].empty()) && d_ng.match( (ComboAddress *) &q->d_remote )) { | |
444 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: client IP "<<q->getRemote()<<" is in allow-axfr-ips"<<endl; | |
12c86877 | 445 | return true; |
ab5edd12 | 446 | } |
93afc0a3 PD |
447 | |
448 | FindNS fns; | |
449 | ||
450 | // cerr<<"doing per-zone-axfr-acls"<<endl; | |
451 | SOAData sd; | |
79ba7763 | 452 | if(s_P->getBackend()->getSOAUncached(q->qdomain,sd)) { |
93afc0a3 PD |
453 | // cerr<<"got backend and SOA"<<endl; |
454 | DNSBackend *B=sd.db; | |
455 | vector<string> acl; | |
894bcf36 | 456 | s_P->getBackend()->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl); |
93afc0a3 PD |
457 | for (vector<string>::const_iterator i = acl.begin(); i != acl.end(); ++i) { |
458 | // cerr<<"matching against "<<*i<<endl; | |
459 | if(pdns_iequals(*i, "AUTO-NS")) { | |
460 | // cerr<<"AUTO-NS magic please!"<<endl; | |
461 | ||
462 | DNSResourceRecord rr; | |
7abbc40f | 463 | set<DNSName> nsset; |
93afc0a3 PD |
464 | |
465 | B->lookup(QType(QType::NS),q->qdomain); | |
466 | while(B->get(rr)) | |
290a083d | 467 | nsset.insert(DNSName(rr.content)); |
7abbc40f PD |
468 | for(const auto & j: nsset) { |
469 | vector<string> nsips=fns.lookup(j, B); | |
93afc0a3 PD |
470 | for(vector<string>::const_iterator k=nsips.begin();k!=nsips.end();++k) { |
471 | // cerr<<"got "<<*k<<" from AUTO-NS"<<endl; | |
ded6b08d | 472 | if(*k == q->getRemote().toString()) |
93afc0a3 PD |
473 | { |
474 | // cerr<<"got AUTO-NS hit"<<endl; | |
475 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: client IP "<<q->getRemote()<<" is in NSset"<<endl; | |
476 | return true; | |
477 | } | |
478 | } | |
479 | } | |
480 | } | |
481 | else | |
482 | { | |
483 | Netmask nm = Netmask(*i); | |
484 | if(nm.match( (ComboAddress *) &q->d_remote )) | |
485 | { | |
486 | L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: client IP "<<q->getRemote()<<" is in per-domain ACL"<<endl; | |
487 | // cerr<<"hit!"<<endl; | |
488 | return true; | |
489 | } | |
490 | } | |
491 | } | |
492 | } | |
493 | ||
12c86877 BH |
494 | extern CommunicatorClass Communicator; |
495 | ||
ded6b08d | 496 | if(Communicator.justNotified(q->qdomain, q->getRemote().toString())) { // we just notified this ip |
12c86877 BH |
497 | L<<Logger::Warning<<"Approved AXFR of '"<<q->qdomain<<"' from recently notified slave "<<q->getRemote()<<endl; |
498 | return true; | |
499 | } | |
500 | ||
93afc0a3 | 501 | L<<Logger::Error<<"AXFR of domain '"<<q->qdomain<<"' denied: client IP "<<q->getRemote()<<" has no permission"<<endl; |
12c86877 BH |
502 | return false; |
503 | } | |
504 | ||
b317b510 | 505 | namespace { |
54d84273 PD |
506 | struct NSECXEntry |
507 | { | |
508 | set<uint16_t> d_set; | |
509 | unsigned int d_ttl; | |
feef1ece | 510 | bool d_auth; |
54d84273 | 511 | }; |
8e9b7d99 | 512 | |
54d84273 PD |
513 | DNSResourceRecord makeDNSRRFromSOAData(const SOAData& sd) |
514 | { | |
515 | DNSResourceRecord soa; | |
516 | soa.qname= sd.qname; | |
517 | soa.qtype=QType::SOA; | |
518 | soa.content=serializeSOAData(sd); | |
519 | soa.ttl=sd.ttl; | |
520 | soa.domain_id=sd.domain_id; | |
521 | soa.auth = true; | |
522 | soa.d_place=DNSResourceRecord::ANSWER; | |
523 | return soa; | |
524 | } | |
8e9b7d99 | 525 | |
54d84273 PD |
526 | shared_ptr<DNSPacket> getFreshAXFRPacket(shared_ptr<DNSPacket> q) |
527 | { | |
528 | shared_ptr<DNSPacket> ret = shared_ptr<DNSPacket>(q->replyPacket()); | |
529 | ret->setCompress(false); | |
530 | ret->d_dnssecOk=false; // RFC 5936, 2.2.5 | |
531 | ret->d_tcp = true; | |
532 | return ret; | |
533 | } | |
8e9b7d99 BH |
534 | } |
535 | ||
54d84273 | 536 | |
12c86877 | 537 | /** do the actual zone transfer. Return 0 in case of error, 1 in case of success */ |
7abbc40f | 538 | int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int outsock) |
12c86877 | 539 | { |
8e9b7d99 | 540 | shared_ptr<DNSPacket> outpacket= getFreshAXFRPacket(q); |
c67e46a1 | 541 | if(q->d_dnssecOk) |
05e24311 | 542 | outpacket->d_dnssecOk=true; // RFC 5936, 2.2.5 'SHOULD' |
22893145 | 543 | |
f43c4448 | 544 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' initiated by "<<q->getRemote()<<endl; |
12c86877 | 545 | |
22893145 | 546 | // determine if zone exists and AXFR is allowed using existing backend before spawning a new backend. |
12c86877 BH |
547 | SOAData sd; |
548 | { | |
549 | Lock l(&s_plock); | |
8e9b7d99 | 550 | DLOG(L<<"Looking for SOA"<<endl); // find domain_id via SOA and list complete domain. No SOA, no AXFR |
12a965c5 BH |
551 | if(!s_P) { |
552 | L<<Logger::Error<<"TCP server is without backend connections in doAXFR, launching"<<endl; | |
553 | s_P=new PacketHandler; | |
554 | } | |
12c86877 | 555 | |
8090f5a2 | 556 | if (!canDoAXFR(q)) { |
f43c4448 | 557 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: "<<q->getRemote()<<" cannot request AXFR"<<endl; |
8090f5a2 AT |
558 | outpacket->setRcode(9); // 'NOTAUTH' |
559 | sendPacket(outpacket,outsock); | |
560 | return 0; | |
561 | } | |
562 | ||
22893145 | 563 | // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. |
8090f5a2 | 564 | if(!s_P->getBackend()->getSOAUncached(target, sd)) { |
f43c4448 | 565 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: not authoritative"<<endl; |
12c86877 | 566 | outpacket->setRcode(9); // 'NOTAUTH' |
ff76e8b4 | 567 | sendPacket(outpacket,outsock); |
12c86877 BH |
568 | return 0; |
569 | } | |
3de83124 | 570 | } |
22893145 | 571 | |
8e9b7d99 | 572 | UeberBackend db; |
79ba7763 | 573 | if(!db.getSOAUncached(target, sd)) { |
f43c4448 | 574 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: not authoritative in second instance"<<endl; |
79ba7763 | 575 | outpacket->setRcode(RCode::NotAuth); |
ff76e8b4 | 576 | sendPacket(outpacket,outsock); |
3de83124 | 577 | return 0; |
12c86877 | 578 | } |
3de83124 | 579 | |
22893145 CH |
580 | DNSSECKeeper dk; |
581 | dk.clearCaches(target); | |
582 | bool securedZone = dk.isSecuredZone(target); | |
583 | bool presignedZone = dk.isPresigned(target); | |
584 | ||
585 | bool noAXFRBecauseOfNSEC3Narrow=false; | |
586 | NSEC3PARAMRecordContent ns3pr; | |
587 | bool narrow; | |
588 | bool NSEC3Zone=false; | |
589 | if(dk.getNSEC3PARAM(target, &ns3pr, &narrow)) { | |
590 | NSEC3Zone=true; | |
591 | if(narrow) { | |
f43c4448 | 592 | L<<Logger::Error<<"Not doing AXFR of an NSEC3 narrow zone '"<<target<<"' for "<<q->getRemote()<<endl; |
22893145 CH |
593 | noAXFRBecauseOfNSEC3Narrow=true; |
594 | } | |
595 | } | |
596 | ||
597 | if(noAXFRBecauseOfNSEC3Narrow) { | |
f43c4448 | 598 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' denied to "<<q->getRemote()<<endl; |
22893145 CH |
599 | outpacket->setRcode(RCode::Refused); |
600 | // FIXME: should actually figure out if we are auth over a zone, and send out 9 if we aren't | |
601 | sendPacket(outpacket,outsock); | |
602 | return 0; | |
603 | } | |
604 | ||
78bcb858 | 605 | TSIGRecordContent trc; |
7abbc40f PD |
606 | DNSName tsigkeyname; |
607 | string tsigsecret; | |
78bcb858 BH |
608 | |
609 | q->getTSIGDetails(&trc, &tsigkeyname, 0); | |
610 | ||
611 | if(!tsigkeyname.empty()) { | |
2c26f25a | 612 | string tsig64; |
3343ad1f | 613 | DNSName algorithm=trc.d_algoName; // FIXME400: check |
290a083d | 614 | if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) |
615 | algorithm = DNSName("hmac-md5"); | |
616 | if (algorithm != DNSName("gss-tsig")) { | |
84fc3f8b AT |
617 | Lock l(&s_plock); |
618 | s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64); | |
619 | B64Decode(tsig64, tsigsecret); | |
620 | } | |
78bcb858 | 621 | } |
8e9b7d99 | 622 | |
8e9b7d99 BH |
623 | |
624 | UeberBackend signatureDB; | |
8e9b7d99 | 625 | |
8267bd2c | 626 | // SOA *must* go out first, our signing pipe might reorder |
12c86877 | 627 | DLOG(L<<"Sending out SOA"<<endl); |
8267bd2c BH |
628 | DNSResourceRecord soa = makeDNSRRFromSOAData(sd); |
629 | outpacket->addRecord(soa); | |
92c90b44 | 630 | editSOA(dk, sd.qname, outpacket.get()); |
8d3cbffa | 631 | if(securedZone) { |
7abbc40f | 632 | set<DNSName> authSet; |
8d3cbffa BH |
633 | authSet.insert(target); |
634 | addRRSigs(dk, signatureDB, authSet, outpacket->getRRS()); | |
635 | } | |
8e9b7d99 | 636 | |
78bcb858 BH |
637 | if(!tsigkeyname.empty()) |
638 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac); // first answer is 'normal' | |
639 | ||
8267bd2c | 640 | sendPacket(outpacket, outsock); |
78bcb858 BH |
641 | |
642 | trc.d_mac = outpacket->d_trc.d_mac; | |
8267bd2c BH |
643 | outpacket = getFreshAXFRPacket(q); |
644 | ||
ff99a74b | 645 | ChunkedSigningPipe csp(target, securedZone, "", ::arg().asNum("signing-threads", 1)); |
8e9b7d99 | 646 | |
bec14a20 | 647 | typedef map<string, NSECXEntry> nsecxrepo_t; |
9d3151d9 | 648 | nsecxrepo_t nsecxrepo; |
4888e4b2 BH |
649 | |
650 | // this is where the DNSKEYs go in | |
0c350cb5 | 651 | |
4c1474f3 | 652 | DNSSECKeeper::keyset_t keys = dk.getKeys(target); |
0c350cb5 | 653 | |
8e9b7d99 | 654 | DNSResourceRecord rr; |
0c350cb5 | 655 | |
794c2f92 PD |
656 | rr.qname = target; |
657 | rr.ttl = sd.default_ttl; | |
658 | rr.auth = 1; // please sign! | |
659 | ||
991a0977 | 660 | string publishCDNSKEY, publishCDS; |
0900d2d3 CH |
661 | dk.getFromMeta(q->qdomain, "PUBLISH-CDNSKEY", publishCDNSKEY); |
662 | dk.getFromMeta(q->qdomain, "PUBLISH-CDS", publishCDS); | |
991a0977 | 663 | vector<DNSResourceRecord> cds, cdnskey; |
f889ab99 PL |
664 | DNSSECKeeper::keyset_t entryPoints = dk.getEntryPoints(q->qdomain); |
665 | set<uint32_t> entryPointIds; | |
666 | for (auto const& value : entryPoints) | |
667 | entryPointIds.insert(value.second.id); | |
991a0977 | 668 | |
ff05fd12 | 669 | for(const DNSSECKeeper::keyset_t::value_type& value : keys) { |
4c1474f3 | 670 | rr.qtype = QType(QType::DNSKEY); |
4c1474f3 | 671 | rr.content = value.first.getDNSKEY().getZoneRepresentation(); |
28e2e78e | 672 | string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString()); |
9d3151d9 | 673 | NSECXEntry& ne = nsecxrepo[keyname]; |
b317b510 BH |
674 | |
675 | ne.d_set.insert(rr.qtype.getCode()); | |
794c2f92 | 676 | ne.d_ttl = sd.default_ttl; |
8e9b7d99 | 677 | csp.submit(rr); |
991a0977 PL |
678 | |
679 | // generate CDS and CDNSKEY records | |
f889ab99 | 680 | if(entryPointIds.count(value.second.id) > 0){ |
991a0977 PL |
681 | if(publishCDNSKEY == "1") { |
682 | rr.qtype=QType(QType::CDNSKEY); | |
683 | rr.content = value.first.getDNSKEY().getZoneRepresentation(); | |
684 | cdnskey.push_back(rr); | |
685 | } | |
686 | ||
687 | if(!publishCDS.empty()){ | |
688 | rr.qtype=QType(QType::CDS); | |
689 | vector<string> digestAlgos; | |
690 | stringtok(digestAlgos, publishCDS, ", "); | |
56225bd3 | 691 | for(auto const &digestAlgo : digestAlgos) { |
335da0ba | 692 | rr.content=makeDSFromDNSKey(target, value.first.getDNSKEY(), pdns_stou(digestAlgo)).getZoneRepresentation(); |
991a0977 PL |
693 | cds.push_back(rr); |
694 | } | |
695 | } | |
696 | } | |
4c1474f3 | 697 | } |
0c350cb5 | 698 | |
cc8df07f | 699 | if(::arg().mustDo("direct-dnskey")) { |
6dae726d PD |
700 | sd.db->lookup(QType(QType::DNSKEY), target, NULL, sd.domain_id); |
701 | while(sd.db->get(rr)) { | |
702 | rr.ttl = sd.default_ttl; | |
703 | csp.submit(rr); | |
704 | } | |
705 | } | |
706 | ||
b8adb30d KM |
707 | uint8_t flags; |
708 | ||
95c5bc40 | 709 | if(NSEC3Zone) { // now stuff in the NSEC3PARAM |
b8adb30d | 710 | flags = ns3pr.d_flags; |
ce464268 | 711 | rr.qtype = QType(QType::NSEC3PARAM); |
95c5bc40 | 712 | ns3pr.d_flags = 0; |
ce464268 | 713 | rr.content = ns3pr.getZoneRepresentation(); |
b8adb30d | 714 | ns3pr.d_flags = flags; |
28e2e78e | 715 | string keyname = hashQNameWithSalt(ns3pr, rr.qname); |
ce464268 BH |
716 | NSECXEntry& ne = nsecxrepo[keyname]; |
717 | ||
718 | ne.d_set.insert(rr.qtype.getCode()); | |
719 | csp.submit(rr); | |
720 | } | |
8e9b7d99 | 721 | |
0c350cb5 BH |
722 | // now start list zone |
723 | if(!(sd.db->list(target, sd.domain_id))) { | |
724 | L<<Logger::Error<<"Backend signals error condition"<<endl; | |
725 | outpacket->setRcode(2); // 'SERVFAIL' | |
726 | sendPacket(outpacket,outsock); | |
727 | return 0; | |
728 | } | |
729 | ||
b772ffea | 730 | |
5633a4af | 731 | const bool rectify = !(presignedZone || ::arg().mustDo("disable-axfr-rectify")); |
7abbc40f | 732 | set<DNSName> qnames, nsset, terms; |
b772ffea KM |
733 | vector<DNSResourceRecord> rrs; |
734 | ||
991a0977 | 735 | // Add the CDNSKEY and CDS records we created earlier |
56225bd3 | 736 | for (auto const &rr : cds) |
991a0977 PL |
737 | rrs.push_back(rr); |
738 | ||
56225bd3 | 739 | for (auto const &rr : cdnskey) |
991a0977 PL |
740 | rrs.push_back(rr); |
741 | ||
b772ffea | 742 | while(sd.db->get(rr)) { |
7abbc40f | 743 | if(rr.qname.isPartOf(target)) { |
7f6f4d4f | 744 | if (rr.qtype.getCode() == QType::ALIAS && ::arg().mustDo("outgoing-axfr-expand-alias")) { |
273d88b2 PD |
745 | vector<DNSResourceRecord> ips; |
746 | int ret1 = stubDoResolve(rr.content, QType::A, ips); | |
747 | int ret2 = stubDoResolve(rr.content, QType::AAAA, ips); | |
748 | if(ret1 != RCode::NoError || ret2 != RCode::NoError) { | |
749 | L<<Logger::Error<<"Error resolving for ALIAS "<<rr.content<<", aborting AXFR"<<endl; | |
750 | outpacket->setRcode(2); // 'SERVFAIL' | |
751 | sendPacket(outpacket,outsock); | |
752 | return 0; | |
753 | } | |
d86e1bf7 | 754 | for(const auto& ip: ips) { |
273d88b2 PD |
755 | rr.qtype = ip.qtype; |
756 | rr.content = ip.content; | |
d86e1bf7 PD |
757 | rrs.push_back(rr); |
758 | } | |
759 | } | |
760 | else { | |
761 | rrs.push_back(rr); | |
762 | } | |
763 | ||
b772ffea KM |
764 | if (rectify) { |
765 | if (rr.qtype.getCode()) { | |
766 | qnames.insert(rr.qname); | |
e325f20c | 767 | if(rr.qtype.getCode() == QType::NS && rr.qname!=target) |
b772ffea KM |
768 | nsset.insert(rr.qname); |
769 | } else { | |
770 | // remove existing ents | |
771 | continue; | |
772 | } | |
773 | } | |
b772ffea | 774 | } else { |
9cb2b2a4 KM |
775 | if (rr.qtype.getCode()) |
776 | L<<Logger::Warning<<"Zone '"<<target<<"' contains out-of-zone data '"<<rr.qname<<"|"<<rr.qtype.getName()<<"', ignoring"<<endl; | |
b772ffea KM |
777 | continue; |
778 | } | |
779 | } | |
780 | ||
781 | if(rectify) { | |
782 | // set auth | |
ff05fd12 | 783 | for(DNSResourceRecord &rr : rrs) { |
b772ffea | 784 | rr.auth=true; |
e325f20c | 785 | if (rr.qtype.getCode() != QType::NS || rr.qname!=target) { |
7abbc40f | 786 | DNSName shorter(rr.qname); |
b772ffea | 787 | do { |
e325f20c | 788 | if (shorter==target) // apex is always auth |
b772ffea | 789 | continue; |
e325f20c | 790 | if(nsset.count(shorter) && !(rr.qname==shorter && rr.qtype.getCode() == QType::DS)) |
b772ffea | 791 | rr.auth=false; |
7abbc40f | 792 | } while(shorter.chopOff()); |
b772ffea KM |
793 | } else |
794 | continue; | |
795 | } | |
796 | ||
797 | if(NSEC3Zone) { | |
798 | // ents are only required for NSEC3 zones | |
799 | uint32_t maxent = ::arg().asNum("max-ent-entries"); | |
6ded341a KM |
800 | set<DNSName> nsec3set, nonterm; |
801 | for (auto &rr: rrs) { | |
802 | bool skip=false; | |
803 | DNSName shorter = rr.qname; | |
804 | if (shorter != target && shorter.chopOff() && shorter != target) { | |
805 | do { | |
806 | if(nsset.count(shorter)) { | |
807 | skip=true; | |
808 | break; | |
809 | } | |
810 | } while(shorter.chopOff() && shorter != target); | |
811 | } | |
812 | shorter = rr.qname; | |
813 | if(!skip && (rr.qtype.getCode() != QType::NS || !ns3pr.d_flags)) { | |
814 | do { | |
815 | if(!nsec3set.count(shorter)) { | |
816 | nsec3set.insert(shorter); | |
817 | } | |
818 | } while(shorter != target && shorter.chopOff()); | |
819 | } | |
820 | } | |
821 | ||
ff05fd12 | 822 | for(DNSResourceRecord &rr : rrs) { |
7abbc40f | 823 | DNSName shorter(rr.qname); |
e325f20c | 824 | while(shorter != target && shorter.chopOff()) { |
6ded341a | 825 | if(!qnames.count(shorter) && !nonterm.count(shorter) && nsec3set.count(shorter)) { |
b772ffea KM |
826 | if(!(maxent)) { |
827 | L<<Logger::Warning<<"Zone '"<<target<<"' has too many empty non terminals."<<endl; | |
828 | return 0; | |
829 | } | |
6ded341a KM |
830 | nonterm.insert(shorter); |
831 | --maxent; | |
b772ffea KM |
832 | } |
833 | } | |
834 | } | |
835 | ||
9e23e712 | 836 | for(const auto& nt : nonterm) { |
b772ffea | 837 | DNSResourceRecord rr; |
6ded341a | 838 | rr.qname=nt; |
b772ffea | 839 | rr.qtype="TYPE0"; |
6ded341a | 840 | rr.auth=true; |
b772ffea KM |
841 | rrs.push_back(rr); |
842 | } | |
843 | } | |
6ded341a | 844 | |
d51db84f | 845 | DLOG(for(const auto &rr: rrs) cerr<<rr.qname<<"\t"<<rr.qtype.getName()<<"\t"<<rr.auth<<endl;); |
b772ffea KM |
846 | } |
847 | ||
848 | ||
12c86877 | 849 | /* now write all other records */ |
8e9b7d99 | 850 | |
9d3151d9 | 851 | string keyname; |
ac4a2f1e | 852 | set<string> ns3rrs; |
3370c993 | 853 | unsigned int udiff; |
1c6d9830 BH |
854 | DTime dt; |
855 | dt.set(); | |
bec14a20 | 856 | int records=0; |
e83371bb | 857 | for(DNSResourceRecord &rr : rrs) { |
ac4a2f1e KM |
858 | if (rr.qtype.getCode() == QType::RRSIG) { |
859 | RRSIGRecordContent rrc(rr.content); | |
860 | if(presignedZone && rrc.d_type == QType::NSEC3) | |
a5e5bd73 | 861 | ns3rrs.insert(fromBase32Hex(makeRelative(rr.qname.toStringNoDot(), target.toStringNoDot()))); // FIXME400 |
794c2f92 | 862 | continue; |
ac4a2f1e | 863 | } |
6dae726d | 864 | |
991a0977 | 865 | // only skip the DNSKEY, CDNSKEY and CDS if direct-dnskey is enabled, to avoid changing behaviour |
6dae726d | 866 | // when it is not enabled. |
991a0977 | 867 | if(::arg().mustDo("direct-dnskey") && (rr.qtype.getCode() == QType::DNSKEY || rr.qtype.getCode() == QType::CDNSKEY || rr.qtype.getCode() == QType::CDS)) |
6dae726d PD |
868 | continue; |
869 | ||
bec14a20 | 870 | records++; |
feef1ece | 871 | if(securedZone && (rr.auth || rr.qtype.getCode() == QType::NS)) { |
b5baefaf | 872 | if (NSEC3Zone || rr.qtype.getCode()) { |
28e2e78e | 873 | keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString()); |
b5baefaf PD |
874 | NSECXEntry& ne = nsecxrepo[keyname]; |
875 | ne.d_ttl = sd.default_ttl; | |
ac4a2f1e | 876 | ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && (!ns3pr.d_flags || (presignedZone && ns3pr.d_flags)))); |
b5baefaf PD |
877 | if (rr.qtype.getCode()) { |
878 | ne.d_set.insert(rr.qtype.getCode()); | |
879 | } | |
880 | } | |
b317b510 | 881 | } |
b5baefaf PD |
882 | |
883 | if (!rr.qtype.getCode()) | |
884 | continue; // skip empty non-terminals | |
885 | ||
add640c0 | 886 | if(rr.qtype.getCode() == QType::SOA) |
12c86877 | 887 | continue; // skip SOA - would indicate end of AXFR |
add640c0 | 888 | |
1c6d9830 BH |
889 | if(csp.submit(rr)) { |
890 | for(;;) { | |
891 | outpacket->getRRS() = csp.getChunk(); | |
892 | if(!outpacket->getRRS().empty()) { | |
54d84273 PD |
893 | if(!tsigkeyname.empty()) |
894 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true); | |
1c6d9830 | 895 | sendPacket(outpacket, outsock); |
78bcb858 | 896 | trc.d_mac=outpacket->d_trc.d_mac; |
1c6d9830 BH |
897 | outpacket=getFreshAXFRPacket(q); |
898 | } | |
899 | else | |
900 | break; | |
901 | } | |
12c86877 BH |
902 | } |
903 | } | |
78bcb858 | 904 | /* |
3370c993 | 905 | udiff=dt.udiffNoReset(); |
1c6d9830 BH |
906 | cerr<<"Starting NSEC: "<<csp.d_signed/(udiff/1000000.0)<<" sigs/s, "<<csp.d_signed<<" / "<<udiff/1000000.0<<endl; |
907 | cerr<<"Outstanding: "<<csp.d_outstanding<<", "<<csp.d_queued - csp.d_signed << endl; | |
908 | cerr<<"Ready for consumption: "<<csp.getReady()<<endl; | |
78bcb858 | 909 | */ |
feef1ece | 910 | if(securedZone) { |
4888e4b2 | 911 | if(NSEC3Zone) { |
9d3151d9 | 912 | for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) { |
ac4a2f1e | 913 | if(iter->second.d_auth && (!presignedZone || !ns3pr.d_flags || ns3rrs.count(iter->first))) { |
feef1ece PD |
914 | NSEC3RecordContent n3rc; |
915 | n3rc.d_set = iter->second.d_set; | |
916 | if (n3rc.d_set.size() && (n3rc.d_set.size() != 1 || !n3rc.d_set.count(QType::NS))) | |
917 | n3rc.d_set.insert(QType::RRSIG); | |
918 | n3rc.d_salt=ns3pr.d_salt; | |
919 | n3rc.d_flags = ns3pr.d_flags; | |
920 | n3rc.d_iterations = ns3pr.d_iterations; | |
921 | n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now | |
922 | nsecxrepo_t::const_iterator inext = iter; | |
923 | inext++; | |
924 | if(inext == nsecxrepo.end()) | |
925 | inext = nsecxrepo.begin(); | |
ac4a2f1e | 926 | while((!inext->second.d_auth || (presignedZone && ns3pr.d_flags && !ns3rrs.count(inext->first))) && inext != iter) |
feef1ece PD |
927 | { |
928 | inext++; | |
929 | if(inext == nsecxrepo.end()) | |
930 | inext = nsecxrepo.begin(); | |
931 | } | |
932 | n3rc.d_nexthash = inext->first; | |
7abbc40f | 933 | rr.qname = DNSName(toBase32Hex(iter->first))+DNSName(sd.qname); |
feef1ece PD |
934 | |
935 | rr.ttl = sd.default_ttl; | |
936 | rr.content = n3rc.getZoneRepresentation(); | |
937 | rr.qtype = QType::NSEC3; | |
938 | rr.d_place = DNSResourceRecord::ANSWER; | |
939 | rr.auth=true; | |
940 | if(csp.submit(rr)) { | |
941 | for(;;) { | |
942 | outpacket->getRRS() = csp.getChunk(); | |
943 | if(!outpacket->getRRS().empty()) { | |
944 | if(!tsigkeyname.empty()) | |
945 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true); | |
946 | sendPacket(outpacket, outsock); | |
947 | trc.d_mac=outpacket->d_trc.d_mac; | |
948 | outpacket=getFreshAXFRPacket(q); | |
949 | } | |
950 | else | |
951 | break; | |
1c6d9830 | 952 | } |
1c6d9830 | 953 | } |
8e9b7d99 | 954 | } |
4888e4b2 BH |
955 | } |
956 | } | |
9d3151d9 | 957 | else for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) { |
ed9c3a50 | 958 | NSECRecordContent nrc; |
b317b510 | 959 | nrc.d_set = iter->second.d_set; |
ed9c3a50 BH |
960 | nrc.d_set.insert(QType::RRSIG); |
961 | nrc.d_set.insert(QType::NSEC); | |
9d3151d9 | 962 | if(boost::next(iter) != nsecxrepo.end()) { |
290a083d | 963 | nrc.d_next = DNSName(labelReverse(boost::next(iter)->first)); |
ed9c3a50 BH |
964 | } |
965 | else | |
290a083d | 966 | nrc.d_next=DNSName(labelReverse(nsecxrepo.begin()->first)); |
ed9c3a50 | 967 | |
290a083d | 968 | rr.qname = DNSName(labelReverse(iter->first)); |
ed9c3a50 | 969 | |
b5baefaf | 970 | rr.ttl = sd.default_ttl; |
ed9c3a50 BH |
971 | rr.content = nrc.getZoneRepresentation(); |
972 | rr.qtype = QType::NSEC; | |
973 | rr.d_place = DNSResourceRecord::ANSWER; | |
5f5221b4 | 974 | rr.auth=true; |
8e9b7d99 | 975 | if(csp.submit(rr)) { |
1c6d9830 BH |
976 | for(;;) { |
977 | outpacket->getRRS() = csp.getChunk(); | |
978 | if(!outpacket->getRRS().empty()) { | |
78bcb858 BH |
979 | if(!tsigkeyname.empty()) |
980 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true); | |
1c6d9830 | 981 | sendPacket(outpacket, outsock); |
78bcb858 | 982 | trc.d_mac=outpacket->d_trc.d_mac; |
1c6d9830 BH |
983 | outpacket=getFreshAXFRPacket(q); |
984 | } | |
985 | else | |
986 | break; | |
987 | } | |
8e9b7d99 | 988 | } |
add640c0 | 989 | } |
add640c0 | 990 | } |
78bcb858 | 991 | /* |
3370c993 | 992 | udiff=dt.udiffNoReset(); |
1c6d9830 BH |
993 | cerr<<"Flushing pipe: "<<csp.d_signed/(udiff/1000000.0)<<" sigs/s, "<<csp.d_signed<<" / "<<udiff/1000000.0<<endl; |
994 | cerr<<"Outstanding: "<<csp.d_outstanding<<", "<<csp.d_queued - csp.d_signed << endl; | |
995 | cerr<<"Ready for consumption: "<<csp.getReady()<<endl; | |
78bcb858 | 996 | * */ |
bec14a20 BH |
997 | for(;;) { |
998 | outpacket->getRRS() = csp.getChunk(true); // flush the pipe | |
999 | if(!outpacket->getRRS().empty()) { | |
78bcb858 BH |
1000 | if(!tsigkeyname.empty()) |
1001 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true); // first answer is 'normal' | |
bec14a20 | 1002 | sendPacket(outpacket, outsock); |
78bcb858 | 1003 | trc.d_mac=outpacket->d_trc.d_mac; |
bec14a20 BH |
1004 | outpacket=getFreshAXFRPacket(q); |
1005 | } | |
1006 | else | |
1007 | break; | |
12c86877 | 1008 | } |
8e9b7d99 | 1009 | |
1c6d9830 | 1010 | udiff=dt.udiffNoReset(); |
f1f85f12 BH |
1011 | if(securedZone) |
1012 | L<<Logger::Info<<"Done signing: "<<csp.d_signed/(udiff/1000000.0)<<" sigs/s, "<<endl; | |
1c6d9830 | 1013 | |
12c86877 BH |
1014 | DLOG(L<<"Done writing out records"<<endl); |
1015 | /* and terminate with yet again the SOA record */ | |
8e9b7d99 | 1016 | outpacket=getFreshAXFRPacket(q); |
12c86877 | 1017 | outpacket->addRecord(soa); |
92c90b44 | 1018 | editSOA(dk, sd.qname, outpacket.get()); |
78bcb858 BH |
1019 | if(!tsigkeyname.empty()) |
1020 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true); | |
92c90b44 | 1021 | |
ff76e8b4 | 1022 | sendPacket(outpacket, outsock); |
78bcb858 | 1023 | |
12c86877 | 1024 | DLOG(L<<"last packet - close"<<endl); |
20ca8e7d | 1025 | L<<Logger::Error<<"AXFR of domain '"<<target<<"' to "<<q->getRemote()<<" finished"<<endl; |
12c86877 BH |
1026 | |
1027 | return 1; | |
1028 | } | |
1029 | ||
6e59a580 KM |
1030 | int TCPNameserver::doIXFR(shared_ptr<DNSPacket> q, int outsock) |
1031 | { | |
1032 | shared_ptr<DNSPacket> outpacket=getFreshAXFRPacket(q); | |
1033 | if(q->d_dnssecOk) | |
1034 | outpacket->d_dnssecOk=true; // RFC 5936, 2.2.5 'SHOULD' | |
1035 | ||
6e59a580 KM |
1036 | uint32_t serial = 0; |
1037 | MOADNSParser mdp(q->getString()); | |
1038 | for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i != mdp.d_answers.end(); ++i) { | |
1039 | const DNSRecord *rr = &i->first; | |
e693ff5a | 1040 | if (rr->d_type == QType::SOA && rr->d_place == DNSResourceRecord::AUTHORITY) { |
6e59a580 KM |
1041 | vector<string>parts; |
1042 | stringtok(parts, rr->d_content->getZoneRepresentation()); | |
1043 | if (parts.size() >= 3) { | |
335da0ba | 1044 | serial=pdns_stou(parts[2]); |
6e59a580 KM |
1045 | } else { |
1046 | L<<Logger::Error<<"No serial in IXFR query"<<endl; | |
1047 | outpacket->setRcode(RCode::FormErr); | |
1048 | sendPacket(outpacket,outsock); | |
1049 | return 0; | |
1050 | } | |
3e67ea8b KM |
1051 | } else if (rr->d_type != QType::TSIG && rr->d_type != QType::OPT) { |
1052 | L<<Logger::Error<<"Additional records in IXFR query, type: "<<QType(rr->d_type).getName()<<endl; | |
6e59a580 KM |
1053 | outpacket->setRcode(RCode::FormErr); |
1054 | sendPacket(outpacket,outsock); | |
1055 | return 0; | |
1056 | } | |
1057 | } | |
1058 | ||
1059 | L<<Logger::Error<<"IXFR of domain '"<<q->qdomain<<"' initiated by "<<q->getRemote()<<" with serial "<<serial<<endl; | |
1060 | ||
22893145 | 1061 | // determine if zone exists and AXFR is allowed using existing backend before spawning a new backend. |
6e59a580 | 1062 | SOAData sd; |
6e59a580 KM |
1063 | { |
1064 | Lock l(&s_plock); | |
1065 | DLOG(L<<"Looking for SOA"<<endl); // find domain_id via SOA and list complete domain. No SOA, no IXFR | |
1066 | if(!s_P) { | |
1067 | L<<Logger::Error<<"TCP server is without backend connections in doIXFR, launching"<<endl; | |
1068 | s_P=new PacketHandler; | |
1069 | } | |
1070 | ||
22893145 CH |
1071 | // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. |
1072 | if(!canDoAXFR(q) || !s_P->getBackend()->getSOAUncached(q->qdomain, sd)) { | |
6e59a580 KM |
1073 | L<<Logger::Error<<"IXFR of domain '"<<q->qdomain<<"' failed: not authoritative"<<endl; |
1074 | outpacket->setRcode(9); // 'NOTAUTH' | |
1075 | sendPacket(outpacket,outsock); | |
1076 | return 0; | |
1077 | } | |
1078 | } | |
1079 | ||
22893145 CH |
1080 | DNSSECKeeper dk; |
1081 | NSEC3PARAMRecordContent ns3pr; | |
1082 | bool narrow; | |
1083 | ||
1084 | dk.clearCaches(q->qdomain); | |
1085 | bool securedZone = dk.isSecuredZone(q->qdomain); | |
1086 | if(dk.getNSEC3PARAM(q->qdomain, &ns3pr, &narrow)) { | |
1087 | if(narrow) { | |
1088 | L<<Logger::Error<<"Not doing IXFR of an NSEC3 narrow zone."<<endl; | |
1089 | L<<Logger::Error<<"IXFR of domain '"<<q->qdomain<<"' denied to "<<q->getRemote()<<endl; | |
1090 | outpacket->setRcode(RCode::Refused); | |
1091 | sendPacket(outpacket,outsock); | |
1092 | return 0; | |
1093 | } | |
1094 | } | |
1095 | ||
7abbc40f | 1096 | DNSName target = q->qdomain; |
6e59a580 KM |
1097 | |
1098 | UeberBackend db; | |
79ba7763 | 1099 | if(!db.getSOAUncached(target, sd)) { |
f43c4448 | 1100 | L<<Logger::Error<<"IXFR of domain '"<<target<<"' failed: not authoritative in second instance"<<endl; |
79ba7763 | 1101 | outpacket->setRcode(RCode::NotAuth); |
6e59a580 KM |
1102 | sendPacket(outpacket,outsock); |
1103 | return 0; | |
1104 | } | |
24d9e514 PD |
1105 | |
1106 | string soaedit; | |
4192773a | 1107 | dk.getSoaEdit(target, soaedit); |
24d9e514 | 1108 | if (!rfc1982LessThan(serial, calculateEditSOA(sd, soaedit))) { |
6e59a580 | 1109 | TSIGRecordContent trc; |
7abbc40f PD |
1110 | DNSName tsigkeyname; |
1111 | string tsigsecret; | |
6e59a580 KM |
1112 | |
1113 | q->getTSIGDetails(&trc, &tsigkeyname, 0); | |
1114 | ||
1115 | if(!tsigkeyname.empty()) { | |
bb7fb11c | 1116 | string tsig64; |
3343ad1f | 1117 | DNSName algorithm=trc.d_algoName; // FIXME400: was toLowerCanonic, compare output |
290a083d | 1118 | if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) |
1119 | algorithm = DNSName("hmac-md5"); | |
6e59a580 KM |
1120 | Lock l(&s_plock); |
1121 | s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64); | |
1122 | B64Decode(tsig64, tsigsecret); | |
1123 | } | |
1124 | ||
1125 | UeberBackend signatureDB; | |
1126 | ||
1127 | // SOA *must* go out first, our signing pipe might reorder | |
1128 | DLOG(L<<"Sending out SOA"<<endl); | |
1129 | DNSResourceRecord soa = makeDNSRRFromSOAData(sd); | |
1130 | outpacket->addRecord(soa); | |
1131 | editSOA(dk, sd.qname, outpacket.get()); | |
1132 | if(securedZone) { | |
7abbc40f | 1133 | set<DNSName> authSet; |
6e59a580 KM |
1134 | authSet.insert(target); |
1135 | addRRSigs(dk, signatureDB, authSet, outpacket->getRRS()); | |
1136 | } | |
1137 | ||
1138 | if(!tsigkeyname.empty()) | |
1139 | outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac); // first answer is 'normal' | |
1140 | ||
1141 | sendPacket(outpacket, outsock); | |
1142 | ||
f43c4448 | 1143 | L<<Logger::Error<<"IXFR of domain '"<<target<<"' to "<<q->getRemote()<<" finished"<<endl; |
6e59a580 KM |
1144 | |
1145 | return 1; | |
1146 | } | |
1147 | ||
f43c4448 | 1148 | L<<Logger::Error<<"IXFR fallback to AXFR for domain '"<<target<<"' our serial "<<sd.serial<<endl; |
6e59a580 KM |
1149 | return doAXFR(q->qdomain, q, outsock); |
1150 | } | |
1151 | ||
12c86877 BH |
1152 | TCPNameserver::~TCPNameserver() |
1153 | { | |
1154 | delete d_connectionroom_sem; | |
1155 | } | |
1156 | ||
1157 | TCPNameserver::TCPNameserver() | |
1158 | { | |
379ab445 BH |
1159 | // sem_init(&d_connectionroom_sem,0,::arg().asNum("max-tcp-connections")); |
1160 | d_connectionroom_sem = new Semaphore( ::arg().asNum( "max-tcp-connections" )); | |
117e1bf2 | 1161 | d_tid=0; |
12c86877 | 1162 | vector<string>locals; |
379ab445 | 1163 | stringtok(locals,::arg()["local-address"]," ,"); |
12c86877 BH |
1164 | |
1165 | vector<string>locals6; | |
379ab445 | 1166 | stringtok(locals6,::arg()["local-ipv6"]," ,"); |
12c86877 | 1167 | |
12c86877 | 1168 | if(locals.empty() && locals6.empty()) |
3f81d239 | 1169 | throw PDNSException("No local address specified"); |
12c86877 | 1170 | |
68b011bd | 1171 | d_ng.toMasks(::arg()["allow-axfr-ips"] ); |
9f1d5826 | 1172 | |
12c86877 | 1173 | signal(SIGPIPE,SIG_IGN); |
12c86877 BH |
1174 | |
1175 | for(vector<string>::const_iterator laddr=locals.begin();laddr!=locals.end();++laddr) { | |
12c86877 | 1176 | int s=socket(AF_INET,SOCK_STREAM,0); |
326484be | 1177 | |
12c86877 | 1178 | if(s<0) |
3f81d239 | 1179 | throw PDNSException("Unable to acquire TCP socket: "+stringerror()); |
12c86877 | 1180 | |
3897b9e1 | 1181 | setCloseOnExec(s); |
fb316318 | 1182 | |
379ab445 | 1183 | ComboAddress local(*laddr, ::arg().asNum("local-port")); |
12c86877 BH |
1184 | |
1185 | int tmp=1; | |
1186 | if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char*)&tmp,sizeof tmp)<0) { | |
1187 | L<<Logger::Error<<"Setsockopt failed"<<endl; | |
1188 | exit(1); | |
1189 | } | |
326484be | 1190 | |
fec7dd5a SS |
1191 | if( ::arg().mustDo("non-local-bind") ) |
1192 | Utility::setBindAny(AF_INET, s); | |
1193 | ||
379ab445 | 1194 | if(::bind(s, (sockaddr*)&local, local.getSocklen())<0) { |
2c896042 | 1195 | close(s); |
5ecb2885 MZ |
1196 | if( errno == EADDRNOTAVAIL && ! ::arg().mustDo("local-address-nonexist-fail") ) { |
1197 | L<<Logger::Error<<"IPv4 Address " << *laddr << " does not exist on this server - skipping TCP bind" << endl; | |
1198 | continue; | |
1199 | } else { | |
c057bfaa | 1200 | L<<Logger::Error<<"Unable to bind to TCP socket " << *laddr << ": "<<strerror(errno)<<endl; |
2ab7e9ac | 1201 | throw PDNSException("Unable to bind to TCP socket"); |
5ecb2885 | 1202 | } |
12c86877 BH |
1203 | } |
1204 | ||
1205 | listen(s,128); | |
ff76e8b4 | 1206 | L<<Logger::Error<<"TCP server bound to "<<local.toStringWithPort()<<endl; |
12c86877 | 1207 | d_sockets.push_back(s); |
8edfedf1 BH |
1208 | struct pollfd pfd; |
1209 | memset(&pfd, 0, sizeof(pfd)); | |
1210 | pfd.fd = s; | |
1211 | pfd.events = POLLIN; | |
1212 | ||
1213 | d_prfds.push_back(pfd); | |
12c86877 BH |
1214 | } |
1215 | ||
12c86877 | 1216 | for(vector<string>::const_iterator laddr=locals6.begin();laddr!=locals6.end();++laddr) { |
12c86877 BH |
1217 | int s=socket(AF_INET6,SOCK_STREAM,0); |
1218 | ||
1219 | if(s<0) | |
3f81d239 | 1220 | throw PDNSException("Unable to acquire TCPv6 socket: "+stringerror()); |
178d5134 | 1221 | |
3897b9e1 | 1222 | setCloseOnExec(s); |
fb316318 | 1223 | |
379ab445 | 1224 | ComboAddress local(*laddr, ::arg().asNum("local-port")); |
12c86877 BH |
1225 | |
1226 | int tmp=1; | |
1227 | if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char*)&tmp,sizeof tmp)<0) { | |
1228 | L<<Logger::Error<<"Setsockopt failed"<<endl; | |
1229 | exit(1); | |
1230 | } | |
fec7dd5a SS |
1231 | if( ::arg().mustDo("non-local-bind") ) |
1232 | Utility::setBindAny(AF_INET6, s); | |
326484be BH |
1233 | if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &tmp, sizeof(tmp)) < 0) { |
1234 | L<<Logger::Error<<"Failed to set IPv6 socket to IPv6 only, continuing anyhow: "<<strerror(errno)<<endl; | |
1235 | } | |
ff76e8b4 | 1236 | if(bind(s, (const sockaddr*)&local, local.getSocklen())<0) { |
2c896042 | 1237 | close(s); |
5ecb2885 MZ |
1238 | if( errno == EADDRNOTAVAIL && ! ::arg().mustDo("local-ipv6-nonexist-fail") ) { |
1239 | L<<Logger::Error<<"IPv6 Address " << *laddr << " does not exist on this server - skipping TCP bind" << endl; | |
1240 | continue; | |
1241 | } else { | |
c057bfaa | 1242 | L<<Logger::Error<<"Unable to bind to TCPv6 socket" << *laddr << ": "<<strerror(errno)<<endl; |
2ab7e9ac | 1243 | throw PDNSException("Unable to bind to TCPv6 socket"); |
5ecb2885 | 1244 | } |
12c86877 BH |
1245 | } |
1246 | ||
1247 | listen(s,128); | |
506a9050 | 1248 | L<<Logger::Error<<"TCPv6 server bound to "<<local.toStringWithPort()<<endl; // this gets %eth0 right |
12c86877 | 1249 | d_sockets.push_back(s); |
8edfedf1 BH |
1250 | |
1251 | struct pollfd pfd; | |
1252 | memset(&pfd, 0, sizeof(pfd)); | |
1253 | pfd.fd = s; | |
1254 | pfd.events = POLLIN; | |
1255 | ||
1256 | d_prfds.push_back(pfd); | |
12c86877 | 1257 | } |
12c86877 BH |
1258 | } |
1259 | ||
1260 | ||
ff76e8b4 | 1261 | //! Start of TCP operations thread, we launch a new thread for each incoming TCP question |
12c86877 BH |
1262 | void TCPNameserver::thread() |
1263 | { | |
12c86877 BH |
1264 | try { |
1265 | for(;;) { | |
1266 | int fd; | |
1267 | struct sockaddr_in remote; | |
1268 | Utility::socklen_t addrlen=sizeof(remote); | |
1269 | ||
8edfedf1 | 1270 | int ret=poll(&d_prfds[0], d_prfds.size(), -1); // blocks, forever if need be |
8a63d3ce | 1271 | if(ret <= 0) |
4957a608 | 1272 | continue; |
8a63d3ce | 1273 | |
12c86877 | 1274 | int sock=-1; |
ff05fd12 | 1275 | for(const struct pollfd& pfd : d_prfds) { |
4957a608 BH |
1276 | if(pfd.revents == POLLIN) { |
1277 | sock = pfd.fd; | |
1278 | addrlen=sizeof(remote); | |
1279 | ||
1280 | if((fd=accept(sock, (sockaddr*)&remote, &addrlen))<0) { | |
1281 | L<<Logger::Error<<"TCP question accept error: "<<strerror(errno)<<endl; | |
1282 | ||
1283 | if(errno==EMFILE) { | |
b34510a3 | 1284 | L<<Logger::Error<<"TCP handler out of filedescriptors, exiting, won't recover from this"<<endl; |
4957a608 BH |
1285 | exit(1); |
1286 | } | |
1287 | } | |
1288 | else { | |
1289 | pthread_t tid; | |
1290 | d_connectionroom_sem->wait(); // blocks if no connections are available | |
1291 | ||
1292 | int room; | |
1293 | d_connectionroom_sem->getValue( &room); | |
1294 | if(room<1) | |
b34510a3 | 1295 | L<<Logger::Warning<<"Limit of simultaneous TCP connections reached - raise max-tcp-connections"<<endl; |
4957a608 | 1296 | |
222efdc0 | 1297 | if(pthread_create(&tid, 0, &doConnection, reinterpret_cast<void*>(fd))) { |
4957a608 BH |
1298 | L<<Logger::Error<<"Error creating thread: "<<stringerror()<<endl; |
1299 | d_connectionroom_sem->post(); | |
48e8d70b | 1300 | close(fd); |
4957a608 BH |
1301 | } |
1302 | } | |
1303 | } | |
12c86877 BH |
1304 | } |
1305 | } | |
1306 | } | |
3f81d239 | 1307 | catch(PDNSException &AE) { |
abc1d928 | 1308 | L<<Logger::Error<<"TCP Nameserver thread dying because of fatal error: "<<AE.reason<<endl; |
12c86877 BH |
1309 | } |
1310 | catch(...) { | |
1311 | L<<Logger::Error<<"TCPNameserver dying because of an unexpected fatal error"<<endl; | |
1312 | } | |
1313 | exit(1); // take rest of server with us | |
1314 | } | |
1315 | ||
1316 |