mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 22:57:08 +00:00
0b8117df2f
git-svn-id: file:///svn/unbound/trunk@4251 be551aaa-1e26-0410-a405-d3ace91eadb9
2370 lines
69 KiB
C
2370 lines
69 KiB
C
/*
|
|
* services/authzone.c - authoritative zone that is locally hosted.
|
|
*
|
|
* Copyright (c) 2017, NLnet Labs. All rights reserved.
|
|
*
|
|
* This software is open source.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
*
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
* be used to endorse or promote products derived from this software without
|
|
* specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* This file contains the functions for an authority zone. This zone
|
|
* is queried by the iterator, just like a stub or forward zone, but then
|
|
* the data is locally held.
|
|
*/
|
|
|
|
#include "config.h"
|
|
#include "services/authzone.h"
|
|
#include "util/data/dname.h"
|
|
#include "util/data/msgreply.h"
|
|
#include "util/data/packed_rrset.h"
|
|
#include "util/regional.h"
|
|
#include "util/net_help.h"
|
|
#include "util/config_file.h"
|
|
#include "util/log.h"
|
|
#include "services/cache/dns.h"
|
|
#include "sldns/rrdef.h"
|
|
#include "sldns/pkthdr.h"
|
|
#include "sldns/sbuffer.h"
|
|
#include "sldns/str2wire.h"
|
|
#include "sldns/wire2str.h"
|
|
#include "sldns/parseutil.h"
|
|
#include "validator/val_nsec3.h"
|
|
#include "validator/val_secalgo.h"
|
|
|
|
/** bytes to use for NSEC3 hash buffer. 20 for sha1 */
|
|
#define N3HASHBUFLEN 32
|
|
/** max number of CNAMEs we are willing to follow (in one answer) */
|
|
#define MAX_CNAME_CHAIN 8
|
|
|
|
/** create new dns_msg */
|
|
static struct dns_msg*
|
|
msg_create(struct regional* region, struct query_info* qinfo)
|
|
{
|
|
struct dns_msg* msg = (struct dns_msg*)regional_alloc(region,
|
|
sizeof(struct dns_msg));
|
|
if(!msg)
|
|
return NULL;
|
|
msg->qinfo.qname = regional_alloc_init(region, qinfo->qname,
|
|
qinfo->qname_len);
|
|
if(!msg->qinfo.qname)
|
|
return NULL;
|
|
msg->qinfo.qname_len = qinfo->qname_len;
|
|
msg->qinfo.qtype = qinfo->qtype;
|
|
msg->qinfo.qclass = qinfo->qclass;
|
|
msg->qinfo.local_alias = NULL;
|
|
/* non-packed reply_info, because it needs to grow the array */
|
|
msg->rep = (struct reply_info*)regional_alloc_zero(region,
|
|
sizeof(struct reply_info)-sizeof(struct rrset_ref));
|
|
if(!msg->rep)
|
|
return NULL;
|
|
msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA);
|
|
msg->rep->authoritative = 1;
|
|
msg->rep->qdcount = 1;
|
|
/* rrsets is NULL, no rrsets yet */
|
|
return msg;
|
|
}
|
|
|
|
/** grow rrset array by one in msg */
|
|
static int
|
|
msg_grow_array(struct regional* region, struct dns_msg* msg)
|
|
{
|
|
if(msg->rep->rrsets == NULL) {
|
|
msg->rep->rrsets = regional_alloc_zero(region,
|
|
sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
|
|
if(!msg->rep->rrsets)
|
|
return 0;
|
|
} else {
|
|
struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets;
|
|
msg->rep->rrsets = regional_alloc_zero(region,
|
|
sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
|
|
if(!msg->rep->rrsets)
|
|
return 0;
|
|
memmove(msg->rep->rrsets, rrsets_old,
|
|
sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count);
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** get ttl of rrset */
|
|
static time_t
|
|
get_rrset_ttl(struct ub_packed_rrset_key* k)
|
|
{
|
|
struct packed_rrset_data* d = (struct packed_rrset_data*)
|
|
k->entry.data;
|
|
return d->ttl;
|
|
}
|
|
|
|
/** Copy rrset into region from domain-datanode and packet rrset */
|
|
static struct ub_packed_rrset_key*
|
|
auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node,
|
|
struct auth_rrset* rrset, struct regional* region, time_t adjust)
|
|
{
|
|
struct ub_packed_rrset_key key;
|
|
memset(&key, 0, sizeof(key));
|
|
key.entry.key = &key;
|
|
key.entry.data = rrset->data;
|
|
key.rk.dname = node->name;
|
|
key.rk.dname_len = node->namelen;
|
|
key.rk.type = htons(rrset->type);
|
|
key.rk.rrset_class = htons(z->dclass);
|
|
key.entry.hash = rrset_key_hash(&key.rk);
|
|
return packed_rrset_copy_region(&key, region, adjust);
|
|
}
|
|
|
|
/** fix up msg->rep TTL and prefetch ttl */
|
|
static void
|
|
msg_ttl(struct dns_msg* msg)
|
|
{
|
|
if(msg->rep->rrset_count == 0) return;
|
|
if(msg->rep->rrset_count == 1) {
|
|
msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
|
|
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
|
|
} else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
|
|
msg->rep->ttl) {
|
|
msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
|
|
msg->rep->rrset_count-1]);
|
|
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
|
|
}
|
|
}
|
|
|
|
/** see if rrset is a duplicate in the answer message */
|
|
static int
|
|
msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen,
|
|
uint16_t type, uint16_t dclass)
|
|
{
|
|
size_t i;
|
|
for(i=0; i<msg->rep->rrset_count; i++) {
|
|
struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
|
|
if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen &&
|
|
ntohs(k->rk.rrset_class) == dclass &&
|
|
query_dname_compare(k->rk.dname, nm) == 0)
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/** add rrset to answer section (no auth, add rrsets yet) */
|
|
static int
|
|
msg_add_rrset_an(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
|
|
{
|
|
log_assert(msg->rep->ns_numrrsets == 0);
|
|
log_assert(msg->rep->ar_numrrsets == 0);
|
|
if(!rrset)
|
|
return 1;
|
|
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
|
|
z->dclass))
|
|
return 1;
|
|
/* grow array */
|
|
if(!msg_grow_array(region, msg))
|
|
return 0;
|
|
/* copy it */
|
|
if(!(msg->rep->rrsets[msg->rep->rrset_count] =
|
|
auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
|
|
return 0;
|
|
msg->rep->rrset_count++;
|
|
msg->rep->an_numrrsets++;
|
|
msg_ttl(msg);
|
|
return 1;
|
|
}
|
|
|
|
/** add rrset to authority section (no additonal section rrsets yet) */
|
|
static int
|
|
msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
|
|
{
|
|
log_assert(msg->rep->ar_numrrsets == 0);
|
|
if(!rrset)
|
|
return 1;
|
|
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
|
|
z->dclass))
|
|
return 1;
|
|
/* grow array */
|
|
if(!msg_grow_array(region, msg))
|
|
return 0;
|
|
/* copy it */
|
|
if(!(msg->rep->rrsets[msg->rep->rrset_count] =
|
|
auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
|
|
return 0;
|
|
msg->rep->rrset_count++;
|
|
msg->rep->ns_numrrsets++;
|
|
msg_ttl(msg);
|
|
return 1;
|
|
}
|
|
|
|
/** add rrset to additional section */
|
|
static int
|
|
msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
|
|
{
|
|
if(!rrset)
|
|
return 1;
|
|
if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
|
|
z->dclass))
|
|
return 1;
|
|
/* grow array */
|
|
if(!msg_grow_array(region, msg))
|
|
return 0;
|
|
/* copy it */
|
|
if(!(msg->rep->rrsets[msg->rep->rrset_count] =
|
|
auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
|
|
return 0;
|
|
msg->rep->rrset_count++;
|
|
msg->rep->ar_numrrsets++;
|
|
msg_ttl(msg);
|
|
return 1;
|
|
}
|
|
|
|
struct auth_zones* auth_zones_create(void)
|
|
{
|
|
struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az));
|
|
if(!az) {
|
|
log_err("out of memory");
|
|
return NULL;
|
|
}
|
|
rbtree_init(&az->ztree, &auth_zone_cmp);
|
|
lock_rw_init(&az->lock);
|
|
lock_protect(&az->lock, &az->ztree, sizeof(az->ztree));
|
|
/* also lock protects the rbnode's in struct auth_zone */
|
|
return az;
|
|
}
|
|
|
|
int auth_zone_cmp(const void* z1, const void* z2)
|
|
{
|
|
/* first sort on class, so that hierarchy can be maintained within
|
|
* a class */
|
|
struct auth_zone* a = (struct auth_zone*)z1;
|
|
struct auth_zone* b = (struct auth_zone*)z2;
|
|
int m;
|
|
if(a->dclass != b->dclass) {
|
|
if(a->dclass < b->dclass)
|
|
return -1;
|
|
return 1;
|
|
}
|
|
/* sorted such that higher zones sort before lower zones (their
|
|
* contents) */
|
|
return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
|
|
}
|
|
|
|
int auth_data_cmp(const void* z1, const void* z2)
|
|
{
|
|
struct auth_data* a = (struct auth_data*)z1;
|
|
struct auth_data* b = (struct auth_data*)z2;
|
|
int m;
|
|
/* canonical sort, because DNSSEC needs that */
|
|
return dname_canon_lab_cmp(a->name, a->namelabs, b->name,
|
|
b->namelabs, &m);
|
|
}
|
|
|
|
/** delete auth rrset node */
|
|
static void
|
|
auth_rrset_delete(struct auth_rrset* rrset)
|
|
{
|
|
if(!rrset) return;
|
|
free(rrset->data);
|
|
free(rrset);
|
|
}
|
|
|
|
/** delete auth data domain node */
|
|
static void
|
|
auth_data_delete(struct auth_data* n)
|
|
{
|
|
struct auth_rrset* p, *np;
|
|
if(!n) return;
|
|
p = n->rrsets;
|
|
while(p) {
|
|
np = p->next;
|
|
auth_rrset_delete(p);
|
|
p = np;
|
|
}
|
|
free(n->name);
|
|
free(n);
|
|
}
|
|
|
|
/** helper traverse to delete zones */
|
|
static void
|
|
auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg))
|
|
{
|
|
struct auth_data* z = (struct auth_data*)n->key;
|
|
auth_data_delete(z);
|
|
}
|
|
|
|
/** delete an auth zone structure (tree remove must be done elsewhere) */
|
|
static void
|
|
auth_zone_delete(struct auth_zone* z)
|
|
{
|
|
if(!z) return;
|
|
lock_rw_destroy(&z->lock);
|
|
traverse_postorder(&z->data, auth_data_del, NULL);
|
|
free(z->name);
|
|
free(z->zonefile);
|
|
free(z);
|
|
}
|
|
|
|
struct auth_zone*
|
|
auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
|
|
uint16_t dclass)
|
|
{
|
|
struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z));
|
|
if(!z) {
|
|
return NULL;
|
|
}
|
|
z->node.key = z;
|
|
z->dclass = dclass;
|
|
z->namelen = nmlen;
|
|
z->namelabs = dname_count_labels(nm);
|
|
z->name = memdup(nm, nmlen);
|
|
if(!z->name) {
|
|
free(z);
|
|
return NULL;
|
|
}
|
|
rbtree_init(&z->data, &auth_data_cmp);
|
|
lock_rw_init(&z->lock);
|
|
lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type));
|
|
lock_rw_wrlock(&z->lock);
|
|
/* z lock protects all, except rbtree itself, which is az->lock */
|
|
if(!rbtree_insert(&az->ztree, &z->node)) {
|
|
lock_rw_unlock(&z->lock);
|
|
auth_zone_delete(z);
|
|
log_warn("duplicate auth zone");
|
|
return NULL;
|
|
}
|
|
return z;
|
|
}
|
|
|
|
struct auth_zone*
|
|
auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
|
|
uint16_t dclass)
|
|
{
|
|
struct auth_zone key;
|
|
key.node.key = &key;
|
|
key.dclass = dclass;
|
|
key.name = nm;
|
|
key.namelen = nmlen;
|
|
key.namelabs = dname_count_labels(nm);
|
|
return (struct auth_zone*)rbtree_search(&az->ztree, &key);
|
|
}
|
|
|
|
/** find an auth zone or sorted less-or-equal, return true if exact */
|
|
static int
|
|
auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen,
|
|
uint16_t dclass, struct auth_zone** z)
|
|
{
|
|
struct auth_zone key;
|
|
key.node.key = &key;
|
|
key.dclass = dclass;
|
|
key.name = nm;
|
|
key.namelen = nmlen;
|
|
key.namelabs = dname_count_labels(nm);
|
|
return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z);
|
|
}
|
|
|
|
/** find the auth zone that is above the given qname */
|
|
struct auth_zone*
|
|
auth_zones_find_zone(struct auth_zones* az, struct query_info* qinfo)
|
|
{
|
|
uint8_t* nm = qinfo->qname;
|
|
size_t nmlen = qinfo->qname_len;
|
|
struct auth_zone* z;
|
|
if(auth_zone_find_less_equal(az, nm, nmlen, qinfo->qclass, &z)) {
|
|
/* exact match */
|
|
return z;
|
|
} else {
|
|
/* less-or-nothing */
|
|
if(!z) return NULL; /* nothing smaller, nothing above it */
|
|
/* we found smaller name; smaller may be above the qname,
|
|
* but not below it. */
|
|
nm = dname_get_shared_topdomain(z->name, qinfo->qname);
|
|
dname_count_size_labels(nm, &nmlen);
|
|
}
|
|
/* search up */
|
|
while(!z && !dname_is_root(nm)) {
|
|
dname_remove_label(&nm, &nmlen);
|
|
z = auth_zone_find(az, nm, nmlen, qinfo->qclass);
|
|
}
|
|
return z;
|
|
}
|
|
|
|
/** find or create zone with name str. caller must have lock on az.
|
|
* returns a wrlocked zone */
|
|
static struct auth_zone*
|
|
auth_zones_find_or_add_zone(struct auth_zones* az, char* name)
|
|
{
|
|
uint8_t nm[LDNS_MAX_DOMAINLEN+1];
|
|
size_t nmlen = sizeof(nm);
|
|
struct auth_zone* z;
|
|
|
|
if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) {
|
|
log_err("cannot parse auth zone name: %s", name);
|
|
return 0;
|
|
}
|
|
z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
|
|
if(!z) {
|
|
/* not found, create the zone */
|
|
z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
|
|
} else {
|
|
lock_rw_wrlock(&z->lock);
|
|
}
|
|
return z;
|
|
}
|
|
|
|
int
|
|
auth_zone_set_zonefile(struct auth_zone* z, char* zonefile)
|
|
{
|
|
if(z->zonefile) free(z->zonefile);
|
|
if(zonefile == NULL) {
|
|
z->zonefile = NULL;
|
|
} else {
|
|
z->zonefile = strdup(zonefile);
|
|
if(!z->zonefile) {
|
|
log_err("malloc failure");
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** set auth zone fallback. caller must have lock on zone */
|
|
int
|
|
auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr)
|
|
{
|
|
if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){
|
|
log_err("auth zone fallback, expected yes or no, got %s",
|
|
fallbackstr);
|
|
return 0;
|
|
}
|
|
z->fallback_enabled = (strcmp(fallbackstr, "yes")==0);
|
|
return 1;
|
|
}
|
|
|
|
/** create domain with the given name */
|
|
static struct auth_data*
|
|
az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen)
|
|
{
|
|
struct auth_data* n = (struct auth_data*)malloc(sizeof(*n));
|
|
if(!n) return NULL;
|
|
memset(n, 0, sizeof(*n));
|
|
n->node.key = n;
|
|
n->name = memdup(nm, nmlen);
|
|
if(!n->name) {
|
|
free(n);
|
|
return NULL;
|
|
}
|
|
n->namelen = nmlen;
|
|
n->namelabs = dname_count_labels(nm);
|
|
if(!rbtree_insert(&z->data, &n->node)) {
|
|
log_warn("duplicate auth domain name");
|
|
free(n->name);
|
|
free(n);
|
|
return NULL;
|
|
}
|
|
return n;
|
|
}
|
|
|
|
/** find domain with exactly the given name */
|
|
static struct auth_data*
|
|
az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen)
|
|
{
|
|
struct auth_zone key;
|
|
key.node.key = &key;
|
|
key.name = nm;
|
|
key.namelen = nmlen;
|
|
key.namelabs = dname_count_labels(nm);
|
|
return (struct auth_data*)rbtree_search(&z->data, &key);
|
|
}
|
|
|
|
/** Find domain name (or closest match) */
|
|
static void
|
|
az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact,
|
|
struct auth_data** node)
|
|
{
|
|
struct auth_zone key;
|
|
key.node.key = &key;
|
|
key.name = qinfo->qname;
|
|
key.namelen = qinfo->qname_len;
|
|
key.namelabs = dname_count_labels(key.name);
|
|
*node_exact = rbtree_find_less_equal(&z->data, &key,
|
|
(rbnode_type**)node);
|
|
}
|
|
|
|
/** find or create domain with name in zone */
|
|
static struct auth_data*
|
|
az_domain_find_or_create(struct auth_zone* z, uint8_t* dname,
|
|
size_t dname_len)
|
|
{
|
|
struct auth_data* n = az_find_name(z, dname, dname_len);
|
|
if(!n) {
|
|
n = az_domain_create(z, dname, dname_len);
|
|
}
|
|
return n;
|
|
}
|
|
|
|
/** find rrset of given type in the domain */
|
|
static struct auth_rrset*
|
|
az_domain_rrset(struct auth_data* n, uint16_t t)
|
|
{
|
|
struct auth_rrset* rrset;
|
|
if(!n) return NULL;
|
|
rrset = n->rrsets;
|
|
while(rrset) {
|
|
if(rrset->type == t)
|
|
return rrset;
|
|
rrset = rrset->next;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/** remove rrset of this type from domain */
|
|
static void
|
|
domain_remove_rrset(struct auth_data* node, uint16_t rr_type)
|
|
{
|
|
struct auth_rrset* rrset, *prev;
|
|
if(!node) return;
|
|
prev = NULL;
|
|
rrset = node->rrsets;
|
|
while(rrset) {
|
|
if(rrset->type == rr_type) {
|
|
/* found it, now delete it */
|
|
if(prev) prev->next = rrset->next;
|
|
else node->rrsets = rrset->next;
|
|
auth_rrset_delete(rrset);
|
|
return;
|
|
}
|
|
prev = rrset;
|
|
rrset = rrset->next;
|
|
}
|
|
}
|
|
|
|
/** see if rdata is duplicate */
|
|
static int
|
|
rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len)
|
|
{
|
|
size_t i;
|
|
for(i=0; i<d->count + d->rrsig_count; i++) {
|
|
if(d->rr_len[i] != len)
|
|
continue;
|
|
if(memcmp(d->rr_data[i], rdata, len) == 0)
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/** get rrsig type covered from rdata.
|
|
* @param rdata: rdata in wireformat, starting with 16bit rdlength.
|
|
* @param rdatalen: length of rdata buffer.
|
|
* @return type covered (or 0).
|
|
*/
|
|
static uint16_t
|
|
rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen)
|
|
{
|
|
if(rdatalen < 4)
|
|
return 0;
|
|
return sldns_read_uint16(rdata+2);
|
|
}
|
|
|
|
/** add RR to existing RRset. If insert_sig is true, add to rrsigs.
|
|
* This reallocates the packed rrset for a new one */
|
|
static int
|
|
rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
|
|
size_t rdatalen, int insert_sig)
|
|
{
|
|
struct packed_rrset_data* d, *old = rrset->data;
|
|
size_t total, old_total;
|
|
|
|
d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
|
|
+ sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)
|
|
+ rdatalen);
|
|
if(!d) {
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
/* copy base values */
|
|
memcpy(d, old, sizeof(struct packed_rrset_data));
|
|
if(!insert_sig) {
|
|
d->count++;
|
|
} else {
|
|
d->rrsig_count++;
|
|
}
|
|
old_total = old->count + old->rrsig_count;
|
|
total = d->count + d->rrsig_count;
|
|
/* set rr_len, needed for ptr_fixup */
|
|
d->rr_len = (size_t*)((uint8_t*)d +
|
|
sizeof(struct packed_rrset_data));
|
|
if(old->count != 0)
|
|
memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t));
|
|
if(old->rrsig_count != 0)
|
|
memmove(d->rr_len+d->count, old->rr_len+old->count,
|
|
old->rrsig_count*sizeof(size_t));
|
|
if(!insert_sig)
|
|
d->rr_len[d->count-1] = rdatalen;
|
|
else d->rr_len[total-1] = rdatalen;
|
|
packed_rrset_ptr_fixup(d);
|
|
if((time_t)rr_ttl < d->ttl)
|
|
d->ttl = rr_ttl;
|
|
|
|
/* copy old values into new array */
|
|
if(old->count != 0) {
|
|
memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t));
|
|
/* all the old rr pieces are allocated sequential, so we
|
|
* can copy them in one go */
|
|
memmove(d->rr_data[0], old->rr_data[0],
|
|
(old->rr_data[old->count-1] - old->rr_data[0]) +
|
|
old->rr_len[old->count-1]);
|
|
}
|
|
if(old->rrsig_count != 0) {
|
|
memmove(d->rr_ttl+d->count, old->rr_ttl+old->count,
|
|
old->rrsig_count*sizeof(time_t));
|
|
memmove(d->rr_data[d->count], old->rr_data[old->count],
|
|
(old->rr_data[old_total-1] - old->rr_data[old->count]) +
|
|
old->rr_len[old_total-1]);
|
|
}
|
|
|
|
/* insert new value */
|
|
if(!insert_sig) {
|
|
d->rr_ttl[d->count-1] = rr_ttl;
|
|
memmove(d->rr_data[d->count-1], rdata, rdatalen);
|
|
} else {
|
|
d->rr_ttl[total-1] = rr_ttl;
|
|
memmove(d->rr_data[total-1], rdata, rdatalen);
|
|
}
|
|
|
|
rrset->data = d;
|
|
free(old);
|
|
return 1;
|
|
}
|
|
|
|
/** Create new rrset for node with packed rrset with one RR element */
|
|
static struct auth_rrset*
|
|
rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
|
|
uint8_t* rdata, size_t rdatalen)
|
|
{
|
|
struct auth_rrset* rrset = (struct auth_rrset*)calloc(1,
|
|
sizeof(*rrset));
|
|
struct auth_rrset* p, *prev;
|
|
struct packed_rrset_data* d;
|
|
if(!rrset) {
|
|
log_err("out of memory");
|
|
return NULL;
|
|
}
|
|
rrset->type = rr_type;
|
|
|
|
/* the rrset data structure, with one RR */
|
|
d = (struct packed_rrset_data*)calloc(1,
|
|
sizeof(struct packed_rrset_data) + sizeof(size_t) +
|
|
sizeof(uint8_t*) + sizeof(time_t) + rdatalen);
|
|
if(!d) {
|
|
free(rrset);
|
|
log_err("out of memory");
|
|
return NULL;
|
|
}
|
|
rrset->data = d;
|
|
d->ttl = rr_ttl;
|
|
d->trust = rrset_trust_prim_noglue;
|
|
d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data));
|
|
d->rr_data = (uint8_t**)&(d->rr_len[1]);
|
|
d->rr_ttl = (time_t*)&(d->rr_data[1]);
|
|
d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]);
|
|
|
|
/* insert the RR */
|
|
d->rr_len[0] = rdatalen;
|
|
d->rr_ttl[0] = rr_ttl;
|
|
memmove(d->rr_data[0], rdata, rdatalen);
|
|
d->count++;
|
|
|
|
/* insert rrset into linked list for domain */
|
|
/* find sorted place to link the rrset into the list */
|
|
prev = NULL;
|
|
p = node->rrsets;
|
|
while(p && p->type<=rr_type) {
|
|
prev = p;
|
|
p = p->next;
|
|
}
|
|
/* so, prev is smaller, and p is larger than rr_type */
|
|
rrset->next = p;
|
|
if(prev) prev->next = rrset;
|
|
else node->rrsets = rrset;
|
|
return rrset;
|
|
}
|
|
|
|
/** count number (and size) of rrsigs that cover a type */
|
|
static size_t
|
|
rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz)
|
|
{
|
|
struct packed_rrset_data* d = rrsig->data;
|
|
size_t i, num = 0;
|
|
*sigsz = 0;
|
|
log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG);
|
|
for(i=0; i<d->count+d->rrsig_count; i++) {
|
|
if(rrsig_rdata_get_type_covered(d->rr_data[i],
|
|
d->rr_len[i]) == rr_type) {
|
|
num++;
|
|
(*sigsz) += d->rr_len[i];
|
|
}
|
|
}
|
|
return num;
|
|
}
|
|
|
|
/** See if rrsig set has covered sigs for rrset and move them over */
|
|
static int
|
|
rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
|
|
struct auth_rrset* rrset, struct auth_rrset* rrsig)
|
|
{
|
|
size_t sigs, sigsz, i, j, total;
|
|
struct packed_rrset_data* sigold = rrsig->data;
|
|
struct packed_rrset_data* old = rrset->data;
|
|
struct packed_rrset_data* d, *sigd;
|
|
|
|
log_assert(rrset->type == rr_type);
|
|
log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG);
|
|
sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz);
|
|
if(sigs == 0) {
|
|
/* 0 rrsigs to move over, done */
|
|
return 1;
|
|
}
|
|
log_info("moveover %d sigs size %d", (int)sigs, (int)sigsz);
|
|
|
|
/* allocate rrset sigsz larger for extra sigs elements, and
|
|
* allocate rrsig sigsz smaller for less sigs elements. */
|
|
d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
|
|
+ sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
|
|
+ sigsz);
|
|
if(!d) {
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
/* copy base values */
|
|
total = old->count + old->rrsig_count;
|
|
memcpy(d, old, sizeof(struct packed_rrset_data));
|
|
d->rrsig_count += sigs;
|
|
/* setup rr_len */
|
|
d->rr_len = (size_t*)((uint8_t*)d +
|
|
sizeof(struct packed_rrset_data));
|
|
if(total != 0)
|
|
memmove(d->rr_len, old->rr_len, total*sizeof(size_t));
|
|
j = d->count+d->rrsig_count-sigs;
|
|
for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
|
|
if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
|
|
sigold->rr_len[i]) == rr_type) {
|
|
d->rr_len[j] = sigold->rr_len[i];
|
|
j++;
|
|
}
|
|
}
|
|
packed_rrset_ptr_fixup(d);
|
|
|
|
/* copy old values into new array */
|
|
if(total != 0) {
|
|
memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t));
|
|
/* all the old rr pieces are allocated sequential, so we
|
|
* can copy them in one go */
|
|
memmove(d->rr_data[0], old->rr_data[0],
|
|
(old->rr_data[total-1] - old->rr_data[0]) +
|
|
old->rr_len[total-1]);
|
|
}
|
|
|
|
/* move over the rrsigs to the larger rrset*/
|
|
j = d->count+d->rrsig_count-sigs;
|
|
for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
|
|
if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
|
|
sigold->rr_len[i]) == rr_type) {
|
|
/* move this one over to location j */
|
|
d->rr_ttl[j] = sigold->rr_ttl[i];
|
|
memmove(d->rr_data[j], sigold->rr_data[i],
|
|
sigold->rr_len[i]);
|
|
if(d->rr_ttl[j] < d->ttl)
|
|
d->ttl = d->rr_ttl[j];
|
|
j++;
|
|
}
|
|
}
|
|
|
|
/* put it in and deallocate the old rrset */
|
|
rrset->data = d;
|
|
free(old);
|
|
|
|
/* now make rrsig set smaller */
|
|
if(sigold->count+sigold->rrsig_count == sigs) {
|
|
/* remove all sigs from rrsig, remove it entirely */
|
|
domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG);
|
|
return 1;
|
|
}
|
|
log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) +
|
|
sizeof(uint8_t*) + sizeof(time_t)) + sigsz);
|
|
sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold)
|
|
- sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
|
|
- sigsz);
|
|
if(!sigd) {
|
|
/* no need to free up d, it has already been placed in the
|
|
* node->rrset structure */
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
/* copy base values */
|
|
memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
|
|
sigd->rrsig_count -= sigs;
|
|
/* setup rr_len */
|
|
sigd->rr_len = (size_t*)((uint8_t*)sigd +
|
|
sizeof(struct packed_rrset_data));
|
|
j = 0;
|
|
for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
|
|
if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
|
|
sigold->rr_len[i]) != rr_type) {
|
|
sigd->rr_len[j] = sigold->rr_len[i];
|
|
j++;
|
|
}
|
|
}
|
|
packed_rrset_ptr_fixup(sigd);
|
|
|
|
/* copy old values into new rrsig array */
|
|
j = 0;
|
|
for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
|
|
if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
|
|
sigold->rr_len[i]) != rr_type) {
|
|
/* move this one over to location j */
|
|
sigd->rr_ttl[j] = sigold->rr_ttl[i];
|
|
memmove(sigd->rr_data[j], sigold->rr_data[i],
|
|
sigold->rr_len[i]);
|
|
if(j==0) sigd->ttl = sigd->rr_ttl[j];
|
|
else {
|
|
if(sigd->rr_ttl[j] < sigd->ttl)
|
|
sigd->ttl = sigd->rr_ttl[j];
|
|
}
|
|
j++;
|
|
}
|
|
}
|
|
|
|
/* put it in and deallocate the old rrset */
|
|
rrsig->data = sigd;
|
|
free(sigold);
|
|
|
|
return 1;
|
|
}
|
|
|
|
/** Add rr to node, ignores duplicate RRs,
|
|
* rdata points to buffer with rdatalen octets, starts with 2bytelength. */
|
|
static int
|
|
az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
|
|
uint8_t* rdata, size_t rdatalen)
|
|
{
|
|
struct auth_rrset* rrset;
|
|
/* packed rrsets have their rrsigs along with them, sort them out */
|
|
if(rr_type == LDNS_RR_TYPE_RRSIG) {
|
|
uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
|
|
if((rrset=az_domain_rrset(node, ctype))!= NULL) {
|
|
/* a node of the correct type exists, add the RRSIG
|
|
* to the rrset of the covered data type */
|
|
if(rdata_duplicate(rrset->data, rdata, rdatalen))
|
|
return 1;
|
|
if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1))
|
|
return 0;
|
|
} else if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
|
|
/* add RRSIG to rrset of type RRSIG */
|
|
if(rdata_duplicate(rrset->data, rdata, rdatalen))
|
|
return 1;
|
|
if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
|
|
return 0;
|
|
} else {
|
|
/* create rrset of type RRSIG */
|
|
if(!rrset_create(node, rr_type, rr_ttl, rdata,
|
|
rdatalen))
|
|
return 0;
|
|
}
|
|
} else {
|
|
/* normal RR type */
|
|
if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
|
|
/* add data to existing node with data type */
|
|
if(rdata_duplicate(rrset->data, rdata, rdatalen))
|
|
return 1;
|
|
if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
|
|
return 0;
|
|
} else {
|
|
struct auth_rrset* rrsig;
|
|
/* create new node with data type */
|
|
if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata,
|
|
rdatalen)))
|
|
return 0;
|
|
|
|
/* see if node of type RRSIG has signatures that
|
|
* cover the data type, and move them over */
|
|
/* and then make the RRSIG type smaller */
|
|
if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
|
|
!= NULL) {
|
|
if(!rrset_moveover_rrsigs(node, rr_type,
|
|
rrset, rrsig))
|
|
return 0;
|
|
}
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** insert RR into zone, ignore duplicates */
|
|
static int
|
|
az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
|
|
size_t dname_len)
|
|
{
|
|
struct auth_data* node;
|
|
uint8_t* dname = rr;
|
|
uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
|
|
uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
|
|
uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len);
|
|
size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
|
|
dname_len))+2;
|
|
/* rdata points to rdata prefixed with uint16 rdatalength */
|
|
uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
|
|
|
|
if(rr_class != z->dclass) {
|
|
log_err("wrong class for RR");
|
|
return 0;
|
|
}
|
|
if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
|
|
log_err("cannot create domain");
|
|
return 0;
|
|
}
|
|
if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen)) {
|
|
log_err("cannot add RR to domain");
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/**
|
|
* Parse zonefile
|
|
* @param z: zone to read in.
|
|
* @param in: file to read from (just opened).
|
|
* @param rr: buffer to use for RRs, 64k.
|
|
* passed so that recursive includes can use the same buffer and do
|
|
* not grow the stack too much.
|
|
* @param rrbuflen: sizeof rr buffer.
|
|
* @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on,
|
|
* that is kept between includes.
|
|
* The lineno is set at 1 and then increased by the function.
|
|
* returns false on failure, has printed an error message
|
|
*/
|
|
static int
|
|
az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
|
struct sldns_file_parse_state* state)
|
|
{
|
|
size_t rr_len, dname_len;
|
|
int status;
|
|
state->lineno = 1;
|
|
|
|
while(!feof(in)) {
|
|
rr_len = rrbuflen;
|
|
dname_len = 0;
|
|
status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len,
|
|
state);
|
|
if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) {
|
|
/* we have $INCLUDE or $something */
|
|
if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 ||
|
|
strncmp((char*)rr, "$INCLUDE\t", 9) == 0) {
|
|
FILE* inc;
|
|
int lineno_orig = state->lineno;
|
|
char* incfile = (char*)rr + 8;
|
|
/* skip spaces */
|
|
while(*incfile == ' ' || *incfile == '\t')
|
|
incfile++;
|
|
verbose(VERB_ALGO, "opening $INCLUDE %s",
|
|
incfile);
|
|
inc = fopen(incfile, "r");
|
|
if(!inc) {
|
|
log_err("%s:%d cannot open include "
|
|
"file %s: %s", z->zonefile,
|
|
lineno_orig, incfile,
|
|
strerror(errno));
|
|
return 0;
|
|
}
|
|
/* recurse read that file now */
|
|
if(!az_parse_file(z, inc, rr, rrbuflen,
|
|
state)) {
|
|
log_err("%s:%d cannot parse include "
|
|
"file %s", z->zonefile,
|
|
lineno_orig, incfile);
|
|
fclose(inc);
|
|
return 0;
|
|
}
|
|
fclose(inc);
|
|
verbose(VERB_ALGO, "done with $INCLUDE %s",
|
|
incfile);
|
|
state->lineno = lineno_orig;
|
|
}
|
|
continue;
|
|
}
|
|
if(status != 0) {
|
|
log_err("parse error %s %d:%d: %s", z->zonefile,
|
|
state->lineno, LDNS_WIREPARSE_OFFSET(status),
|
|
sldns_get_errorstr_parse(status));
|
|
return 0;
|
|
}
|
|
if(rr_len == 0) {
|
|
/* EMPTY line, TTL or ORIGIN */
|
|
continue;
|
|
}
|
|
/* insert wirerr in rrbuf */
|
|
if(!az_insert_rr(z, rr, rr_len, dname_len)) {
|
|
char buf[17];
|
|
sldns_wire2str_type_buf(sldns_wirerr_get_type(rr,
|
|
rr_len, dname_len), buf, sizeof(buf));
|
|
log_err("%s:%d cannot insert RR of type %s",
|
|
z->zonefile, state->lineno, buf);
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
auth_zone_read_zonefile(struct auth_zone* z)
|
|
{
|
|
uint8_t rr[LDNS_RR_BUF_SIZE];
|
|
struct sldns_file_parse_state state;
|
|
FILE* in;
|
|
if(!z || !z->zonefile || z->zonefile[0]==0)
|
|
return 1; /* no file, or "", nothing to read */
|
|
verbose(VERB_ALGO, "read zonefile %s", z->zonefile);
|
|
in = fopen(z->zonefile, "r");
|
|
if(!in) {
|
|
char* n = sldns_wire2str_dname(z->name, z->namelen);
|
|
log_err("cannot open zonefile %s for %s: %s",
|
|
z->zonefile, n?n:"error", strerror(errno));
|
|
free(n);
|
|
return 0;
|
|
}
|
|
memset(&state, 0, sizeof(state));
|
|
/* default TTL to 3600 */
|
|
state.default_ttl = 3600;
|
|
/* set $ORIGIN to the zone name */
|
|
if(z->namelen <= sizeof(state.origin)) {
|
|
memcpy(state.origin, z->name, z->namelen);
|
|
state.origin_len = z->namelen;
|
|
}
|
|
/* parse the (toplevel) file */
|
|
if(!az_parse_file(z, in, rr, sizeof(rr), &state)) {
|
|
char* n = sldns_wire2str_dname(z->name, z->namelen);
|
|
log_err("error parsing zonefile %s for %s",
|
|
z->zonefile, n?n:"error");
|
|
free(n);
|
|
fclose(in);
|
|
return 0;
|
|
}
|
|
fclose(in);
|
|
return 1;
|
|
}
|
|
|
|
/** write buffer to file and check return codes */
|
|
static int
|
|
write_out(FILE* out, const char* str)
|
|
{
|
|
size_t r, len = strlen(str);
|
|
if(len == 0)
|
|
return 1;
|
|
r = fwrite(str, 1, len, out);
|
|
if(r == 0) {
|
|
log_err("write failed: %s", strerror(errno));
|
|
return 0;
|
|
} else if(r < len) {
|
|
log_err("write failed: too short (disk full?)");
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** write rrset to file */
|
|
static int
|
|
auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node,
|
|
struct auth_rrset* r, FILE* out)
|
|
{
|
|
size_t i, count = r->data->count + r->data->rrsig_count;
|
|
char buf[LDNS_RR_BUF_SIZE];
|
|
for(i=0; i<count; i++) {
|
|
struct ub_packed_rrset_key key;
|
|
memset(&key, 0, sizeof(key));
|
|
key.entry.key = &key;
|
|
key.entry.data = r->data;
|
|
key.rk.dname = node->name;
|
|
key.rk.dname_len = node->namelen;
|
|
key.rk.type = htons(r->type);
|
|
key.rk.rrset_class = htons(z->dclass);
|
|
if(!packed_rr_to_string(&key, i, 0, buf, sizeof(buf))) {
|
|
verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i);
|
|
continue;
|
|
}
|
|
if(!write_out(out, buf))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** write domain to file */
|
|
static int
|
|
auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out)
|
|
{
|
|
struct auth_rrset* r;
|
|
/* if this is zone apex, write SOA first */
|
|
if(z->namelen == n->namelen) {
|
|
struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA);
|
|
if(soa) {
|
|
if(!auth_zone_write_rrset(z, n, soa, out))
|
|
return 0;
|
|
}
|
|
}
|
|
/* write all the RRsets for this domain */
|
|
for(r = n->rrsets; r; r = r->next) {
|
|
if(z->namelen == n->namelen &&
|
|
r->type == LDNS_RR_TYPE_SOA)
|
|
continue; /* skip SOA here */
|
|
if(!auth_zone_write_rrset(z, n, r, out))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int auth_zone_write_file(struct auth_zone* z, const char* fname)
|
|
{
|
|
FILE* out;
|
|
struct auth_data* n;
|
|
out = fopen(fname, "w");
|
|
if(!out) {
|
|
log_err("could not open %s: %s", fname, strerror(errno));
|
|
return 0;
|
|
}
|
|
RBTREE_FOR(n, struct auth_data*, &z->data) {
|
|
if(!auth_zone_write_domain(z, n, out)) {
|
|
log_err("could not write domain to %s", fname);
|
|
fclose(out);
|
|
return 0;
|
|
}
|
|
}
|
|
fclose(out);
|
|
return 1;
|
|
}
|
|
|
|
/** read all auth zones from file (if they have) */
|
|
static int
|
|
auth_zones_read_zones(struct auth_zones* az)
|
|
{
|
|
struct auth_zone* z;
|
|
lock_rw_wrlock(&az->lock);
|
|
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
|
|
lock_rw_wrlock(&z->lock);
|
|
if(!auth_zone_read_zonefile(z)) {
|
|
lock_rw_unlock(&z->lock);
|
|
lock_rw_unlock(&az->lock);
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&z->lock);
|
|
}
|
|
lock_rw_unlock(&az->lock);
|
|
return 1;
|
|
}
|
|
|
|
/** set str2list with (zonename, zonefile) config items and create zones */
|
|
static int
|
|
auth_zones_cfg_zonefile(struct auth_zones* az, struct config_str2list* zlist)
|
|
{
|
|
struct auth_zone* z;
|
|
while(zlist) {
|
|
lock_rw_wrlock(&az->lock);
|
|
if(!(z=auth_zones_find_or_add_zone(az, zlist->str))) {
|
|
lock_rw_unlock(&az->lock);
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&az->lock);
|
|
if(!auth_zone_set_zonefile(z, zlist->str2)) {
|
|
lock_rw_unlock(&z->lock);
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&z->lock);
|
|
zlist = zlist->next;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** set str2list with (zonename, fallback) config items and create zones */
|
|
static int
|
|
auth_zones_cfg_fallback(struct auth_zones* az, struct config_str2list* zlist)
|
|
{
|
|
struct auth_zone* z;
|
|
while(zlist) {
|
|
lock_rw_wrlock(&az->lock);
|
|
if(!(z=auth_zones_find_or_add_zone(az, zlist->str))) {
|
|
lock_rw_unlock(&az->lock);
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&az->lock);
|
|
if(!auth_zone_set_fallback(z, zlist->str2)) {
|
|
lock_rw_unlock(&z->lock);
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&z->lock);
|
|
zlist = zlist->next;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg)
|
|
{
|
|
(void)cfg;
|
|
/* TODO cfg str2lists */
|
|
/* create config items for
|
|
* auth-zone: name: "example.com"
|
|
* zonefile: "zones/example.com"
|
|
* fallback: yes
|
|
*/
|
|
if(!auth_zones_cfg_zonefile(az, NULL /*cfg->auth_zones*/))
|
|
return 0;
|
|
if(!auth_zones_cfg_fallback(az, NULL /*cfg->auth_zones*/))
|
|
return 0;
|
|
if(!auth_zones_read_zones(az))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** helper traverse to delete zones */
|
|
static void
|
|
auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg))
|
|
{
|
|
struct auth_zone* z = (struct auth_zone*)n->key;
|
|
auth_zone_delete(z);
|
|
}
|
|
|
|
void auth_zones_delete(struct auth_zones* az)
|
|
{
|
|
if(!az) return;
|
|
lock_rw_destroy(&az->lock);
|
|
traverse_postorder(&az->ztree, auth_zone_del, NULL);
|
|
free(az);
|
|
}
|
|
|
|
/** true if domain has only nsec3 */
|
|
static int
|
|
domain_has_only_nsec3(struct auth_data* n)
|
|
{
|
|
struct auth_rrset* rrset = n->rrsets;
|
|
int nsec3_seen = 0;
|
|
while(rrset) {
|
|
if(rrset->type == LDNS_RR_TYPE_NSEC3) {
|
|
nsec3_seen = 1;
|
|
} else if(rrset->type != LDNS_RR_TYPE_RRSIG) {
|
|
return 0;
|
|
}
|
|
rrset = rrset->next;
|
|
}
|
|
return nsec3_seen;
|
|
}
|
|
|
|
/** see if the domain has a wildcard child '*.domain' */
|
|
static struct auth_data*
|
|
az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen)
|
|
{
|
|
uint8_t wc[LDNS_MAX_DOMAINLEN];
|
|
if(nmlen+2 > sizeof(wc))
|
|
return NULL; /* result would be too long */
|
|
wc[0] = 1; /* length of wildcard label */
|
|
wc[1] = (uint8_t)'*'; /* wildcard label */
|
|
memmove(wc+2, nm, nmlen);
|
|
return az_find_name(z, wc, nmlen+2);
|
|
}
|
|
|
|
/** find wildcard between qname and cename */
|
|
static struct auth_data*
|
|
az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
|
|
struct auth_data* ce)
|
|
{
|
|
uint8_t* nm = qinfo->qname;
|
|
size_t nmlen = qinfo->qname_len;
|
|
struct auth_data* node;
|
|
if(!dname_subdomain_c(nm, z->name))
|
|
return NULL; /* out of zone */
|
|
while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
|
|
/* see if we can go up to find the wildcard */
|
|
if(nmlen == z->namelen)
|
|
return NULL; /* top of zone reached */
|
|
if(ce && nmlen == ce->namelen)
|
|
return NULL; /* ce reached */
|
|
if(dname_is_root(nm))
|
|
return NULL; /* cannot go up */
|
|
dname_remove_label(&nm, &nmlen);
|
|
}
|
|
return node;
|
|
}
|
|
|
|
/** domain is not exact, find first candidate ce (name that matches
|
|
* a part of qname) in tree */
|
|
static struct auth_data*
|
|
az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
|
|
struct auth_data* n)
|
|
{
|
|
uint8_t* nm;
|
|
size_t nmlen;
|
|
if(n) {
|
|
nm = dname_get_shared_topdomain(qinfo->qname, n->name);
|
|
} else {
|
|
nm = qinfo->qname;
|
|
}
|
|
dname_count_size_labels(nm, &nmlen);
|
|
n = az_find_name(z, nm, nmlen);
|
|
/* delete labels and go up on name */
|
|
while(!n) {
|
|
if(dname_is_root(nm))
|
|
return NULL; /* cannot go up */
|
|
dname_remove_label(&nm, &nmlen);
|
|
n = az_find_name(z, nm, nmlen);
|
|
}
|
|
return n;
|
|
}
|
|
|
|
/** go up the auth tree to next existing name. */
|
|
static struct auth_data*
|
|
az_domain_go_up(struct auth_zone* z, struct auth_data* n)
|
|
{
|
|
uint8_t* nm = n->name;
|
|
size_t nmlen = n->namelen;
|
|
while(!dname_is_root(nm)) {
|
|
dname_remove_label(&nm, &nmlen);
|
|
if((n=az_find_name(z, nm, nmlen)) != NULL)
|
|
return n;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/** Find the closest encloser, an name that exists and is above the
|
|
* qname.
|
|
* return true if the node (param node) is existing, nonobscured and
|
|
* can be used to generate answers from. It is then also node_exact.
|
|
* returns false if the node is not good enough (or it wasn't node_exact)
|
|
* in this case the ce can be filled.
|
|
* if ce is NULL, no ce exists, and likely the zone is completely empty,
|
|
* not even with a zone apex.
|
|
* if ce is nonNULL it is the closest enclosing upper name (that exists
|
|
* itself for answer purposes). That name may have DNAME, NS or wildcard
|
|
* rrset is the closest DNAME or NS rrset that was found.
|
|
*/
|
|
static int
|
|
az_find_ce(struct auth_zone* z, struct query_info* qinfo,
|
|
struct auth_data* node, int node_exact, struct auth_data** ce,
|
|
struct auth_rrset** rrset)
|
|
{
|
|
struct auth_data* n = node;
|
|
*ce = NULL;
|
|
*rrset = NULL;
|
|
if(!node_exact) {
|
|
/* if not exact, lookup closest exact match */
|
|
n = az_find_candidate_ce(z, qinfo, n);
|
|
} else {
|
|
/* if exact, the node itself is the first candidate ce */
|
|
*ce = n;
|
|
}
|
|
|
|
/* no direct answer from nsec3-only domains */
|
|
if(n && domain_has_only_nsec3(n)) {
|
|
node_exact = 0;
|
|
*ce = NULL;
|
|
}
|
|
|
|
/* with exact matches, walk up the labels until we find the
|
|
* delegation, or DNAME or zone end */
|
|
while(n) {
|
|
/* see if the current candidate has issues */
|
|
/* not zone apex and has type NS */
|
|
if(n->namelen != z->namelen &&
|
|
(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
|
|
/* delegate here, but DS at exact the dp has notype */
|
|
(qinfo->qtype != LDNS_RR_TYPE_DS ||
|
|
n->namelen != qinfo->qname_len)) {
|
|
/* referral */
|
|
/* this is ce and the lowernode is nonexisting */
|
|
*ce = n;
|
|
return 0;
|
|
}
|
|
/* not equal to qname and has type DNAME */
|
|
if(n->namelen != qinfo->qname_len &&
|
|
(*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
|
|
/* this is ce and the lowernode is nonexisting */
|
|
*ce = n;
|
|
return 0;
|
|
}
|
|
|
|
if(*ce == NULL && !domain_has_only_nsec3(n)) {
|
|
/* if not found yet, this exact name must be
|
|
* our lowest match (but not nsec3onlydomain) */
|
|
*ce = n;
|
|
}
|
|
|
|
/* walk up the tree by removing labels from name and lookup */
|
|
n = az_domain_go_up(z, n);
|
|
}
|
|
/* found no problems, if it was an exact node, it is fine to use */
|
|
return node_exact;
|
|
}
|
|
|
|
/** add additional A/AAAA from domain names in rrset rdata (+offset)
|
|
* offset is number of bytes in rdata where the dname is located. */
|
|
static int
|
|
az_add_additionals_from(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_rrset* rrset, size_t offset)
|
|
{
|
|
struct packed_rrset_data* d = rrset->data;
|
|
size_t i;
|
|
if(!d) return 0;
|
|
for(i=0; i<d->count; i++) {
|
|
size_t dlen;
|
|
struct auth_data* domain;
|
|
struct auth_rrset* ref;
|
|
if(d->rr_len[i] < 2+offset)
|
|
continue; /* too short */
|
|
if(!(dlen = dname_valid(d->rr_data[i]+2+offset,
|
|
d->rr_len[i]-2-offset)))
|
|
continue; /* malformed */
|
|
domain = az_find_name(z, d->rr_data[i]+2+offset, dlen);
|
|
if(!domain)
|
|
continue;
|
|
if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) {
|
|
if(!msg_add_rrset_ar(z, region, msg, domain, ref))
|
|
return 0;
|
|
}
|
|
if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) {
|
|
if(!msg_add_rrset_ar(z, region, msg, domain, ref))
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** add negative SOA record (with negative TTL) */
|
|
static int
|
|
az_add_negative_soa(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg)
|
|
{
|
|
uint32_t minimum;
|
|
struct packed_rrset_data* d;
|
|
struct auth_rrset* soa;
|
|
struct auth_data* apex = az_find_name(z, z->name, z->namelen);
|
|
if(!apex) return 0;
|
|
soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
|
|
if(!soa) return 0;
|
|
/* must be first to put in message; we want to fix the TTL with
|
|
* one RRset here, otherwise we'd need to loop over the RRs to get
|
|
* the resulting lower TTL */
|
|
log_assert(msg->rep->rrset_count == 0);
|
|
if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0;
|
|
/* fixup TTL */
|
|
d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data;
|
|
/* last 4 bytes are minimum ttl in network format */
|
|
if(d->count == 0) return 0;
|
|
if(d->rr_len[0] < 2+4) return 0;
|
|
minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
|
|
d->ttl = (time_t)minimum;
|
|
d->rr_ttl[0] = (time_t)minimum;
|
|
msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
|
|
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
|
|
return 1;
|
|
}
|
|
|
|
/** See if the query goes to empty nonterminal (that has no auth_data,
|
|
* but there are nodes underneath. We already checked that there are
|
|
* not NS, or DNAME above, so that we only need to check if some node
|
|
* exists below (with nonempty rr list), return true if emptynonterminal */
|
|
static int
|
|
az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo,
|
|
struct auth_data* node)
|
|
{
|
|
struct auth_data* next;
|
|
if(!node) {
|
|
/* no smaller was found, use first (smallest) node as the
|
|
* next one */
|
|
next = (struct auth_data*)rbtree_first(&z->data);
|
|
} else {
|
|
next = (struct auth_data*)rbtree_next(&node->node);
|
|
}
|
|
while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) {
|
|
/* the next name has empty rrsets, is an empty nonterminal
|
|
* itself, see if there exists something below it */
|
|
next = (struct auth_data*)rbtree_next(&node->node);
|
|
}
|
|
if((rbnode_type*)next == RBTREE_NULL || !next) {
|
|
/* there is no next node, so something below it cannot
|
|
* exist */
|
|
return 0;
|
|
}
|
|
/* a next node exists, if there was something below the query,
|
|
* this node has to be it. See if it is below the query name */
|
|
if(dname_strict_subdomain_c(next->name, qinfo->qname))
|
|
return 1;
|
|
return 0;
|
|
}
|
|
|
|
/** create synth cname target name in buffer, or fail if too long */
|
|
static size_t
|
|
synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len,
|
|
uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen)
|
|
{
|
|
size_t newlen = qname_len + dtarglen - dname_len;
|
|
if(newlen > buflen) {
|
|
/* YXDOMAIN error */
|
|
return 0;
|
|
}
|
|
/* new name is concatenation of qname front (without DNAME owner)
|
|
* and DNAME target name */
|
|
memcpy(buf, qname, qname_len-dname_len);
|
|
memmove(buf+(qname_len-dname_len), dtarg, dtarglen);
|
|
return newlen;
|
|
}
|
|
|
|
/** create synthetic CNAME rrset for in a DNAME answer in region,
|
|
* false on alloc failure, cname==NULL when name too long. */
|
|
static int
|
|
create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
|
|
struct auth_data* node, struct auth_rrset* dname, uint16_t dclass,
|
|
struct ub_packed_rrset_key** cname)
|
|
{
|
|
uint8_t buf[LDNS_MAX_DOMAINLEN];
|
|
uint8_t* dtarg;
|
|
size_t dtarglen, newlen;
|
|
struct packed_rrset_data* d;
|
|
|
|
/* get DNAME target name */
|
|
if(dname->data->count < 1) return 0;
|
|
if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */
|
|
dtarg = dname->data->rr_data[0]+2;
|
|
dtarglen = dname->data->rr_len[0]-2;
|
|
if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen)
|
|
return 0; /* rdatalen in DNAME rdata is malformed */
|
|
if(dname_valid(dtarg, dtarglen) != dtarglen)
|
|
return 0; /* DNAME RR has malformed rdata */
|
|
|
|
/* synthesize a CNAME */
|
|
newlen = synth_cname_buf(qname, qname_len, node->namelen,
|
|
dtarg, dtarglen, buf, sizeof(buf));
|
|
if(newlen == 0) {
|
|
/* YXDOMAIN error */
|
|
*cname = NULL;
|
|
return 1;
|
|
}
|
|
*cname = (struct ub_packed_rrset_key*)regional_alloc(region,
|
|
sizeof(struct ub_packed_rrset_key));
|
|
if(!*cname)
|
|
return 0; /* out of memory */
|
|
memset(&(*cname)->entry, 0, sizeof((*cname)->entry));
|
|
(*cname)->entry.key = (*cname);
|
|
(*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME);
|
|
(*cname)->rk.rrset_class = htons(dclass);
|
|
(*cname)->rk.flags = 0;
|
|
(*cname)->rk.dname = regional_alloc_init(region, qname, qname_len);
|
|
if(!(*cname)->rk.dname)
|
|
return 0; /* out of memory */
|
|
(*cname)->rk.dname_len = qname_len;
|
|
(*cname)->entry.hash = rrset_key_hash(&(*cname)->rk);
|
|
d = (struct packed_rrset_data*)regional_alloc_zero(region,
|
|
sizeof(struct packed_rrset_data) + sizeof(size_t) +
|
|
sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)
|
|
+ newlen);
|
|
if(!d)
|
|
return 0; /* out of memory */
|
|
(*cname)->entry.data = d;
|
|
d->ttl = 0; /* 0 for synthesized CNAME TTL */
|
|
d->count = 1;
|
|
d->rrsig_count = 0;
|
|
d->trust = rrset_trust_ans_noAA;
|
|
d->rr_len = (size_t*)((uint8_t*)d +
|
|
sizeof(struct packed_rrset_data));
|
|
d->rr_len[0] = newlen + sizeof(uint16_t);
|
|
packed_rrset_ptr_fixup(d);
|
|
d->rr_ttl[0] = d->ttl;
|
|
sldns_write_uint16(d->rr_data[0], newlen);
|
|
memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen);
|
|
return 1;
|
|
}
|
|
|
|
/** add a synthesized CNAME to the answer section */
|
|
static int
|
|
add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len,
|
|
struct regional* region, struct dns_msg* msg, struct auth_data* dname,
|
|
struct auth_rrset* rrset)
|
|
{
|
|
struct ub_packed_rrset_key* cname;
|
|
/* synthesize a CNAME */
|
|
if(!create_synth_cname(qname, qname_len, region, dname, rrset,
|
|
z->dclass, &cname)) {
|
|
/* out of memory */
|
|
return 0;
|
|
}
|
|
if(!cname) {
|
|
/* cname cannot be create because of YXDOMAIN */
|
|
msg->rep->flags |= LDNS_RCODE_YXDOMAIN;
|
|
return 1;
|
|
}
|
|
/* add cname to message */
|
|
if(!msg_grow_array(region, msg))
|
|
return 0;
|
|
msg->rep->rrsets[msg->rep->rrset_count] = cname;
|
|
msg->rep->rrset_count++;
|
|
msg->rep->an_numrrsets++;
|
|
msg_ttl(msg);
|
|
return 1;
|
|
}
|
|
|
|
/** Change a dname to a different one, for wildcard namechange */
|
|
static void
|
|
az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
|
|
size_t newlen, int an_only)
|
|
{
|
|
size_t i;
|
|
size_t start = 0, end = msg->rep->rrset_count;
|
|
if(!an_only) start = msg->rep->an_numrrsets;
|
|
if(an_only) end = msg->rep->an_numrrsets;
|
|
for(i=start; i<end; i++) {
|
|
/* allocated in region so we can change the ptrs */
|
|
if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname)
|
|
== 0) {
|
|
msg->rep->rrsets[i]->rk.dname = newname;
|
|
msg->rep->rrsets[i]->rk.dname_len = newlen;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** find NSEC record covering the query */
|
|
static struct auth_rrset*
|
|
az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
|
|
{
|
|
uint8_t* nm = (*node)->name;
|
|
size_t nmlen = (*node)->namelen;
|
|
struct auth_rrset* rrset;
|
|
/* find the NSEC for the smallest-or-equal node */
|
|
/* if node == NULL, we did not find a smaller name. But the zone
|
|
* name is the smallest name and should have an NSEC. So there is
|
|
* no NSEC to return (for a properly signed zone) */
|
|
/* for empty nonterminals, the auth-data node should not exist,
|
|
* and thus we don't need to go rbtree_previous here to find
|
|
* a domain with an NSEC record */
|
|
/* but there could be glue, and if this is node, then it has no NSEC.
|
|
* Go up to find nonglue (previous) NSEC-holding nodes */
|
|
while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
|
|
if(dname_is_root(nm)) return NULL;
|
|
if(nmlen == z->namelen) return NULL;
|
|
dname_remove_label(&nm, &nmlen);
|
|
/* adjust *node for the nsec rrset to find in */
|
|
*node = az_find_name(z, nm, nmlen);
|
|
}
|
|
return rrset;
|
|
}
|
|
|
|
/** Find NSEC and add for wildcard denial */
|
|
static int
|
|
az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, uint8_t* cenm, size_t cenmlen)
|
|
{
|
|
struct query_info qinfo;
|
|
int node_exact;
|
|
struct auth_data* node;
|
|
struct auth_rrset* nsec;
|
|
uint8_t wc[LDNS_MAX_DOMAINLEN];
|
|
if(cenmlen+2 > sizeof(wc))
|
|
return 0; /* result would be too long */
|
|
wc[0] = 1; /* length of wildcard label */
|
|
wc[1] = (uint8_t)'*'; /* wildcard label */
|
|
memmove(wc+2, cenm, cenmlen);
|
|
|
|
/* we have '*.ce' in wc wildcard name buffer */
|
|
/* get nsec cover for that */
|
|
qinfo.qname = wc;
|
|
qinfo.qname_len = cenmlen+2;
|
|
qinfo.qtype = 0;
|
|
qinfo.qclass = 0;
|
|
az_find_domain(z, &qinfo, &node_exact, &node);
|
|
if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */
|
|
static int
|
|
az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt,
|
|
size_t* saltlen)
|
|
{
|
|
struct auth_data* apex;
|
|
struct auth_rrset* param;
|
|
size_t i;
|
|
apex = az_find_name(z, z->name, z->namelen);
|
|
if(!apex) return 0;
|
|
param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM);
|
|
if(!param || param->data->count==0)
|
|
return 0; /* no RRset or no RRs in rrset */
|
|
/* find out which NSEC3PARAM RR has supported parameters */
|
|
/* skip unknown flags (dynamic signer is recalculating nsec3 chain) */
|
|
for(i=0; i<param->data->count; i++) {
|
|
uint8_t* rdata = param->data->rr_data[i]+2;
|
|
size_t rdatalen = param->data->rr_len[i];
|
|
if(rdatalen < 2+5)
|
|
continue; /* too short */
|
|
if(!nsec3_hash_algo_size_supported((int)(rdata[0])))
|
|
continue; /* unsupported algo */
|
|
if(rdatalen < (size_t)(2+5+(size_t)rdata[4]))
|
|
continue; /* salt missing */
|
|
if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0)
|
|
continue; /* unknown flags */
|
|
*algo = (int)(rdata[0]);
|
|
*iter = sldns_read_uint16(rdata+2);
|
|
*saltlen = rdata[4];
|
|
if(*saltlen == 0)
|
|
*salt = NULL;
|
|
else *salt = rdata+5;
|
|
return 1;
|
|
}
|
|
/* no supported params */
|
|
return 0;
|
|
}
|
|
|
|
/** Hash a name with nsec3param into buffer, it has zone name appended.
|
|
* return length of hash */
|
|
static size_t
|
|
az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen,
|
|
int algo, size_t iter, uint8_t* salt, size_t saltlen)
|
|
{
|
|
size_t hlen = nsec3_hash_algo_size_supported(algo);
|
|
/* buffer has domain name, nsec3hash, and 256 is for max saltlen
|
|
* (salt has 0-255 length) */
|
|
unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256];
|
|
size_t i;
|
|
if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p))
|
|
return 0;
|
|
if(hlen > buflen)
|
|
return 0; /* somehow too large for destination buffer */
|
|
/* hashfunc(name, salt) */
|
|
memmove(p, nm, nmlen);
|
|
query_dname_tolower(p);
|
|
memmove(p+nmlen, salt, saltlen);
|
|
(void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf);
|
|
for(i=0; i<iter; i++) {
|
|
/* hashfunc(hash, salt) */
|
|
memmove(p, buf, hlen);
|
|
memmove(p+hlen, salt, saltlen);
|
|
(void)secalgo_nsec3_hash(algo, p, hlen+saltlen,
|
|
(unsigned char*)buf);
|
|
}
|
|
return hlen;
|
|
}
|
|
|
|
/** Hash name and return b32encoded hashname for lookup, zone name appended */
|
|
static int
|
|
az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen,
|
|
uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt,
|
|
size_t saltlen)
|
|
{
|
|
uint8_t hash[N3HASHBUFLEN];
|
|
size_t hlen;
|
|
int ret;
|
|
hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter,
|
|
salt, saltlen);
|
|
if(!hlen) return 0;
|
|
/* b32 encode */
|
|
if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */
|
|
return 0;
|
|
ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1),
|
|
(*hashnmlen)-1);
|
|
if(ret<1)
|
|
return 0;
|
|
hashname[0] = (uint8_t)ret;
|
|
ret++;
|
|
if((*hashnmlen) - ret < z->namelen)
|
|
return 0;
|
|
memmove(hashname+ret, z->name, z->namelen);
|
|
*hashnmlen = z->namelen+(size_t)ret;
|
|
return 1;
|
|
}
|
|
|
|
/** Find the datanode that covers the nsec3hash-name */
|
|
struct auth_data*
|
|
az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen)
|
|
{
|
|
struct query_info qinfo;
|
|
struct auth_data* node;
|
|
int node_exact;
|
|
qinfo.qclass = 0;
|
|
qinfo.qtype = 0;
|
|
qinfo.qname = hashnm;
|
|
qinfo.qname_len = hashnmlen;
|
|
/* because canonical ordering and b32 nsec3 ordering are the same.
|
|
* this is a good lookup to find the nsec3 name. */
|
|
az_find_domain(z, &qinfo, &node_exact, &node);
|
|
/* but we may have to skip non-nsec3 nodes */
|
|
/* this may be a lot, the way to speed that up is to have a
|
|
* separate nsec3 tree with nsec3 nodes */
|
|
while(node && (rbnode_type*)node != RBTREE_NULL &&
|
|
!az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
|
|
node = (struct auth_data*)rbtree_previous(&node->node);
|
|
}
|
|
if((rbnode_type*)node == RBTREE_NULL)
|
|
node = NULL;
|
|
return node;
|
|
}
|
|
|
|
/** Find cover for hashed(nm, nmlen) (or NULL) */
|
|
static struct auth_data*
|
|
az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen,
|
|
int algo, size_t iter, uint8_t* salt, size_t saltlen)
|
|
{
|
|
struct auth_data* node;
|
|
uint8_t hname[LDNS_MAX_DOMAINLEN];
|
|
size_t hlen = sizeof(hname);
|
|
if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
|
|
salt, saltlen))
|
|
return NULL;
|
|
node = az_nsec3_findnode(z, hname, hlen);
|
|
if(node)
|
|
return node;
|
|
/* we did not find any, perhaps because the NSEC3 hash is before
|
|
* the first hash, we have to find the 'last hash' in the zone */
|
|
node = (struct auth_data*)rbtree_last(&z->data);
|
|
while(node && (rbnode_type*)node != RBTREE_NULL &&
|
|
!az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
|
|
node = (struct auth_data*)rbtree_previous(&node->node);
|
|
}
|
|
if((rbnode_type*)node == RBTREE_NULL)
|
|
node = NULL;
|
|
return node;
|
|
}
|
|
|
|
/** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */
|
|
static struct auth_data*
|
|
az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen,
|
|
int algo, size_t iter, uint8_t* salt, size_t saltlen)
|
|
{
|
|
struct auth_data* node;
|
|
uint8_t hname[LDNS_MAX_DOMAINLEN];
|
|
size_t hlen = sizeof(hname);
|
|
if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
|
|
salt, saltlen))
|
|
return NULL;
|
|
node = az_find_name(z, hname, hlen);
|
|
if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3))
|
|
return node;
|
|
return NULL;
|
|
}
|
|
|
|
/** Return nextcloser name (as a ref into the qname). This is one label
|
|
* more than the cenm (cename must be a suffix of qname) */
|
|
static void
|
|
az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len,
|
|
uint8_t** nx, size_t* nxlen)
|
|
{
|
|
int celabs = dname_count_labels(cenm);
|
|
int qlabs = dname_count_labels(qname);
|
|
int strip = qlabs - celabs -1;
|
|
log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs));
|
|
*nx = qname;
|
|
*nxlen = qname_len;
|
|
if(strip>0)
|
|
dname_remove_labels(nx, nxlen, strip);
|
|
}
|
|
|
|
/** Find the closest encloser that has exact NSEC3.
|
|
* updated cenm to the new name. If it went up no-exact-ce is true. */
|
|
static struct auth_data*
|
|
az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
|
|
int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen)
|
|
{
|
|
struct auth_data* node;
|
|
while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
|
|
algo, iter, salt, saltlen)) == NULL) {
|
|
if(*cenmlen == z->namelen) {
|
|
/* next step up would take us out of the zone. fail */
|
|
return NULL;
|
|
}
|
|
*no_exact_ce = 1;
|
|
dname_remove_label(cenm, cenmlen);
|
|
}
|
|
return node;
|
|
}
|
|
|
|
/* Insert NSEC3 record in authority section, if NULL does nothing */
|
|
static int
|
|
az_nsec3_insert(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* nsec3;
|
|
if(!node) return 1; /* no node, skip this */
|
|
nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3);
|
|
if(!nsec3) return 1; /* if no nsec3 RR, skip it */
|
|
if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** add NSEC3 records to the zone for the nsec3 proof.
|
|
* Specify with the flags with parts of the proof are required.
|
|
* the ce is the exact matching name (for notype) but also delegation points.
|
|
* qname is the one where the nextcloser name can be derived from.
|
|
* If NSEC3 is not properly there (in the zone) nothing is added.
|
|
* always enabled: include nsec3 proving about the Closest Encloser.
|
|
* that is an exact match that should exist for it.
|
|
* If that does not exist, a higher exact match + nxproof is enabled
|
|
* (for some sort of opt-out empty nonterminal cases).
|
|
* nxproof: include denial of the qname.
|
|
* wcproof: include denial of wildcard (wildcard.ce).
|
|
*/
|
|
static int
|
|
az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
|
|
size_t qname_len, int nxproof, int wcproof)
|
|
{
|
|
int algo;
|
|
size_t iter, saltlen;
|
|
uint8_t* salt;
|
|
int no_exact_ce = 0;
|
|
struct auth_data* node;
|
|
|
|
/* find parameters of nsec3 proof */
|
|
if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
|
|
return 1; /* no nsec3 */
|
|
/* find ce that has an NSEC3 */
|
|
node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
|
|
algo, iter, salt, saltlen);
|
|
if(no_exact_ce) nxproof = 1;
|
|
if(!az_nsec3_insert(z, region, msg, node))
|
|
return 0;
|
|
|
|
if(nxproof) {
|
|
uint8_t* nx;
|
|
size_t nxlen;
|
|
/* create nextcloser domain name */
|
|
az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen);
|
|
/* find nsec3 that matches or covers it */
|
|
node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt,
|
|
saltlen);
|
|
if(!az_nsec3_insert(z, region, msg, node))
|
|
return 0;
|
|
}
|
|
if(wcproof) {
|
|
/* create wildcard name *.ce */
|
|
uint8_t wc[LDNS_MAX_DOMAINLEN];
|
|
size_t wclen;
|
|
if(cenmlen+2 > sizeof(wc))
|
|
return 0; /* result would be too long */
|
|
wc[0] = 1; /* length of wildcard label */
|
|
wc[1] = (uint8_t)'*'; /* wildcard label */
|
|
memmove(wc+2, cenm, cenmlen);
|
|
wclen = cenmlen+2;
|
|
/* find nsec3 that matches or covers it */
|
|
node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt,
|
|
saltlen);
|
|
if(!az_nsec3_insert(z, region, msg, node))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for positive answer */
|
|
static int
|
|
az_generate_positive_answer(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
|
|
{
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
/* see if we want additional rrs */
|
|
if(rrset->type == LDNS_RR_TYPE_MX) {
|
|
if(!az_add_additionals_from(z, region, msg, rrset, 2))
|
|
return 0;
|
|
} else if(rrset->type == LDNS_RR_TYPE_SRV) {
|
|
if(!az_add_additionals_from(z, region, msg, rrset, 6))
|
|
return 0;
|
|
} else if(rrset->type == LDNS_RR_TYPE_NS) {
|
|
if(!az_add_additionals_from(z, region, msg, rrset, 0))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for type ANY answer */
|
|
static int
|
|
az_generate_any_answer(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* rrset;
|
|
int added = 0;
|
|
/* add a couple (at least one) RRs */
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) {
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
added++;
|
|
}
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) {
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
added++;
|
|
}
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) {
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
added++;
|
|
}
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) {
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
added++;
|
|
}
|
|
if(added == 0 && node->rrsets) {
|
|
if(!msg_add_rrset_an(z, region, msg, node,
|
|
node->rrsets)) return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** follow cname chain and add more data to the answer section */
|
|
static int
|
|
follow_cname_chain(struct auth_zone* z, uint16_t qtype,
|
|
struct regional* region, struct dns_msg* msg,
|
|
struct packed_rrset_data* d)
|
|
{
|
|
int maxchain = 0;
|
|
/* see if we can add the target of the CNAME into the answer */
|
|
while(maxchain++ < MAX_CNAME_CHAIN) {
|
|
struct auth_data* node;
|
|
struct auth_rrset* rrset;
|
|
size_t clen;
|
|
/* d has cname rdata */
|
|
if(d->count == 0) break; /* no CNAME */
|
|
if(d->rr_len[0] < 2+1) break; /* too small */
|
|
if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0)
|
|
break; /* malformed */
|
|
if(!dname_subdomain_c(d->rr_data[0]+2, z->name))
|
|
break; /* target out of zone */
|
|
if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL)
|
|
break; /* no such target name */
|
|
if((rrset=az_domain_rrset(node, qtype))!=NULL) {
|
|
/* done we found the target */
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset))
|
|
return 0;
|
|
break;
|
|
}
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL)
|
|
break; /* no further CNAME chain, notype */
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
d = rrset->data;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for cname answer */
|
|
static int
|
|
az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg* msg,
|
|
struct auth_data* node, struct auth_rrset* rrset)
|
|
{
|
|
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
|
if(!rrset) return 1;
|
|
if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for notype answer */
|
|
static int
|
|
az_generate_notype_answer(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* rrset;
|
|
if(!az_add_negative_soa(z, region, msg)) return 0;
|
|
/* DNSSEC denial NSEC */
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0;
|
|
} else if(node) {
|
|
/* DNSSEC denial NSEC3 */
|
|
if(!az_add_nsec3_proof(z, region, msg, node->name,
|
|
node->namelen, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 0, 0))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for referral answer */
|
|
static int
|
|
az_generate_referral_answer(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset)
|
|
{
|
|
struct auth_rrset* ds, *nsec;
|
|
/* turn off AA flag, referral is nonAA because it leaves the zone */
|
|
log_assert(ce);
|
|
msg->rep->flags &= ~BIT_AA;
|
|
if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0;
|
|
/* add DS or deny it */
|
|
if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0;
|
|
} else {
|
|
/* deny the DS */
|
|
if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, ce, nsec))
|
|
return 0;
|
|
} else {
|
|
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
|
ce->namelen, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 0, 0))
|
|
return 0;
|
|
}
|
|
}
|
|
/* add additional rrs for type NS */
|
|
if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for DNAME answer */
|
|
static int
|
|
az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg* msg, struct auth_data* ce,
|
|
struct auth_rrset* rrset)
|
|
{
|
|
log_assert(ce);
|
|
/* add the DNAME and then a CNAME */
|
|
if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0;
|
|
if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region,
|
|
msg, ce, rrset)) return 0;
|
|
if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN)
|
|
return 1;
|
|
if(msg->rep->rrset_count == 0 ||
|
|
!msg->rep->rrsets[msg->rep->rrset_count-1])
|
|
return 0;
|
|
if(!follow_cname_chain(z, qinfo->qtype, region, msg,
|
|
(struct packed_rrset_data*)msg->rep->rrsets[
|
|
msg->rep->rrset_count-1]->entry.data))
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for wildcard answer */
|
|
static int
|
|
az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg* msg, struct auth_data* ce,
|
|
struct auth_data* wildcard, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* rrset, *nsec;
|
|
if(verbosity>=VERB_ALGO) {
|
|
char wcname[256];
|
|
sldns_wire2str_dname_buf(wildcard->name, wildcard->namelen,
|
|
wcname, sizeof(wcname));
|
|
log_info("wildcard %s", wcname);
|
|
}
|
|
if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
|
|
/* wildcard has type, add it */
|
|
if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
|
|
return 0;
|
|
az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 1);
|
|
} else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) {
|
|
/* wildcard has cname instead, do that */
|
|
if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
|
|
return 0;
|
|
az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 1);
|
|
if(!follow_cname_chain(z, qinfo->qtype, region, msg,
|
|
rrset->data))
|
|
return 0;
|
|
} else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) {
|
|
/* add ANY rrsets from wildcard node */
|
|
if(!az_generate_any_answer(z, region, msg, wildcard))
|
|
return 0;
|
|
az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 1);
|
|
} else {
|
|
/* wildcard has nodata, notype answer */
|
|
/* call other notype routine for dnssec notype denials */
|
|
if(!az_generate_notype_answer(z, region, msg, wildcard))
|
|
return 0;
|
|
}
|
|
|
|
/* ce and node for dnssec denial of wildcard original name */
|
|
if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
|
|
} else if(ce) {
|
|
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
|
ce->namelen, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 1, 0))
|
|
return 0;
|
|
}
|
|
|
|
/* fixup name of wildcard from *.zone to qname, use already allocated
|
|
* pointer to msg qname */
|
|
az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 0);
|
|
return 1;
|
|
}
|
|
|
|
/** generate answer for nxdomain answer */
|
|
static int
|
|
az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
|
|
struct dns_msg* msg, struct auth_data* ce, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* nsec;
|
|
msg->rep->flags |= LDNS_RCODE_NXDOMAIN;
|
|
if(!az_add_negative_soa(z, region, msg)) return 0;
|
|
if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
|
|
if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
|
|
if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name,
|
|
ce->namelen)) return 0;
|
|
} else if(ce) {
|
|
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
|
ce->namelen, msg->qinfo.qname,
|
|
msg->qinfo.qname_len, 1, 1))
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** Create answers when an exact match exists for the domain name */
|
|
static int
|
|
az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg* msg, struct auth_data* node)
|
|
{
|
|
struct auth_rrset* rrset;
|
|
/* positive answer, rrset we are looking for exists */
|
|
if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) {
|
|
return az_generate_positive_answer(z, region, msg, node, rrset);
|
|
}
|
|
/* CNAME? */
|
|
if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) {
|
|
return az_generate_cname_answer(z, qinfo, region, msg,
|
|
node, rrset);
|
|
}
|
|
/* type ANY ? */
|
|
if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
|
|
return az_generate_any_answer(z, region, msg, node);
|
|
}
|
|
/* NOERROR/NODATA (no such type at domain name) */
|
|
return az_generate_notype_answer(z, region, msg, node);
|
|
}
|
|
|
|
/** Generate answer without an existing-node that we can use.
|
|
* So it'll be a referral, DNAME or nxdomain */
|
|
static int
|
|
az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg* msg, struct auth_data* ce,
|
|
struct auth_rrset* rrset, struct auth_data* node)
|
|
{
|
|
struct auth_data* wildcard;
|
|
|
|
/* we do not have an exact matching name (that exists) */
|
|
/* see if we have a NS or DNAME in the ce */
|
|
if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) {
|
|
return az_generate_referral_answer(z, region, msg, ce, rrset);
|
|
}
|
|
if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) {
|
|
return az_generate_dname_answer(z, qinfo, region, msg, ce,
|
|
rrset);
|
|
}
|
|
/* if there is an empty nonterminal, wildcard and nxdomain don't
|
|
* happen, it is a notype answer */
|
|
if(az_empty_nonterminal(z, qinfo, node)) {
|
|
return az_generate_notype_answer(z, region, msg, node);
|
|
}
|
|
/* see if we have a wildcard under the ce */
|
|
if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) {
|
|
return az_generate_wildcard_answer(z, qinfo, region, msg,
|
|
ce, wildcard, node);
|
|
}
|
|
/* generate nxdomain answer */
|
|
return az_generate_nxdomain_answer(z, region, msg, ce, node);
|
|
}
|
|
|
|
/** Lookup answer in a zone. */
|
|
static int
|
|
auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg** msg, int* fallback)
|
|
{
|
|
struct auth_data* node, *ce;
|
|
struct auth_rrset* rrset;
|
|
int node_exact, node_exists;
|
|
/* does the zone want fallback in case of failure? */
|
|
*fallback = z->fallback_enabled;
|
|
if(!(*msg=msg_create(region, qinfo))) return 0;
|
|
|
|
/* lookup if there is a matching domain name for the query */
|
|
az_find_domain(z, qinfo, &node_exact, &node);
|
|
|
|
/* see if node exists for generating answers from (i.e. not glue and
|
|
* obscured by NS or DNAME or NSEC3-only), and also return the
|
|
* closest-encloser from that, closest node that should be used
|
|
* to generate answers from that is above the query */
|
|
node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset);
|
|
|
|
if(verbosity >= VERB_ALGO) {
|
|
char zname[256], qname[256], nname[256], cename[256],
|
|
tpstr[32], rrstr[32];
|
|
sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname,
|
|
sizeof(qname));
|
|
sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr));
|
|
sldns_wire2str_dname_buf(z->name, z->namelen, zname,
|
|
sizeof(zname));
|
|
if(node)
|
|
sldns_wire2str_dname_buf(node->name, node->namelen,
|
|
nname, sizeof(nname));
|
|
else snprintf(nname, sizeof(nname), "NULL");
|
|
if(ce)
|
|
sldns_wire2str_dname_buf(ce->name, ce->namelen,
|
|
cename, sizeof(cename));
|
|
else snprintf(cename, sizeof(cename), "NULL");
|
|
if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr,
|
|
sizeof(rrstr));
|
|
else snprintf(rrstr, sizeof(rrstr), "NULL");
|
|
log_info("auth_zone %s query %s %s, domain %s %s %s, "
|
|
"ce %s, rrset %s", zname, qname, tpstr, nname,
|
|
(node_exact?"exact":"notexact"),
|
|
(node_exists?"exist":"notexist"), cename, rrstr);
|
|
}
|
|
|
|
if(node_exists) {
|
|
/* the node is fine, generate answer from node */
|
|
return az_generate_answer_with_node(z, qinfo, region, *msg,
|
|
node);
|
|
}
|
|
return az_generate_answer_nonexistnode(z, qinfo, region, *msg,
|
|
ce, rrset, node);
|
|
}
|
|
|
|
int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
|
|
struct regional* region, struct dns_msg** msg, int* fallback,
|
|
uint8_t* dp_nm, size_t dp_nmlen)
|
|
{
|
|
int r;
|
|
struct auth_zone* z;
|
|
|
|
/* find the zone that should contain the answer. */
|
|
lock_rw_rdlock(&az->lock);
|
|
z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass);
|
|
if(!z) {
|
|
lock_rw_unlock(&az->lock);
|
|
verbose(VERB_ALGO, "no auth zone for query, fallback");
|
|
/* no auth zone, fallback to internet */
|
|
*fallback = 1;
|
|
return 0;
|
|
}
|
|
lock_rw_rdlock(&z->lock);
|
|
lock_rw_unlock(&az->lock);
|
|
|
|
/* see what answer that zone would generate */
|
|
r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
|
|
lock_rw_unlock(&z->lock);
|
|
return r;
|
|
}
|