rpz.h revision 224090
/*
 * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: rpz.h,v 1.3 2011-01-13 04:59:26 tbox Exp $ */

/*
 * Response policy zones (RPZ): the trigger/policy enumerations, the per-zone
 * and per-query state records, and the entry points implemented in rpz.c.
 * Nothing here allocates or logs by itself; the behaviour behind each
 * prototype lives in the .c file and is only summarised (and hedged) below.
 */

#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1

#include <isc/lang.h>

#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>

ISC_LANG_BEGINDECLS

/*
 * Labels of the special sub-zones that carry IP-address and name-server
 * triggers.  The nsdname member of dns_rpz_zone below documents the form
 * "RPZ_NSDNAME_ZONE.origin"; the IP and NSIP labels are presumably prepended
 * to the policy zone origin the same way (confirm in rpz.c).
 */
#define DNS_RPZ_IP_ZONE		"rpz-ip"
#define DNS_RPZ_NSIP_ZONE	"rpz-nsip"
#define DNS_RPZ_NSDNAME_ZONE	"rpz-nsdname"

/*
 * Length in bits of a CIDR prefix; 8 bits suffice for the longest possible
 * prefix (128 for IPv6).
 */
typedef isc_uint8_t dns_rpz_cidr_bits_t;

/*
 * Kind of trigger that matched (or is being looked for).  DNS_RPZ_TYPE_BAD
 * is the zero value and looks like the "none/invalid" sentinel -- confirm
 * against dns_rpz_type2str() in rpz.c.
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_QNAME,
	DNS_RPZ_TYPE_IP,
	DNS_RPZ_TYPE_NSIP,
	DNS_RPZ_TYPE_NSDNAME
} dns_rpz_type_t;

/*
 * Require DNS_RPZ_POLICY_NO_OP < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME.
 *
 * The numeric order is a contract relied on elsewhere (the comparison is not
 * visible in this header); keep the explicit values when adding entries.
 * MISS and ERROR carry no explicit value and are not part of the ordering
 * requirement.  The quoted words are the configuration keywords that
 * dns_rpz_str2policy() is presumably expected to accept.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what something else says */
	DNS_RPZ_POLICY_NO_OP = 1,	/* 'no-op': do not rewrite */
	DNS_RPZ_POLICY_NXDOMAIN = 2,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 3,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 4,	/* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_RECORD = 5,
	DNS_RPZ_POLICY_MISS,
	DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;

/*
 * Specify a response policy zone.
 *
 * One record per configured policy zone.  The link member makes it a member
 * of an ISC list; the list head is not declared here (presumably held by the
 * view, given dns_rpz_view_destroy() below -- confirm).
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

struct dns_rpz_zone {
	ISC_LINK(dns_rpz_zone_t)	link;
	int				num;		/* position/ordinal of
						 * this zone; exact meaning
						 * defined by the code that
						 * assigns it -- confirm */
	dns_name_t			origin;		/* Policy zone name */
	dns_name_t			nsdname;	/* RPZ_NSDNAME_ZONE.origin */
	dns_rpz_policy_t		policy;		/* RPZ_POLICY_GIVEN or override */
	dns_name_t			cname;		/* override name for
						 * RPZ_POLICY_CNAME */
};

/*
 * Radix trees for response policy IP addresses.
 * Opaque here; the structure is private to rpz.c.
 */
typedef struct dns_rpz_cidr dns_rpz_cidr_t;

/*
 * context for finding the best policy
 *
 * Per-query scratch state.  'state' is a bit set built from the DNS_RPZ_*
 * flags defined just below it (each is a distinct power of two, so they are
 * meant to be OR'ed together).  The three nested structs hold, in order,
 * the best match found so far, the bookkeeping for walking NS names and
 * addresses, and the saved state of the original query while that walk
 * recurses.
 */
typedef struct {
	unsigned int		state;
# define DNS_RPZ_REWRITTEN	0x0001
# define DNS_RPZ_DONE_QNAME	0x0002
# define DNS_RPZ_DONE_A		0x0004
# define DNS_RPZ_RECURSING	0x0008
# define DNS_RPZ_HAVE_IP	0x0010
# define DNS_RPZ_HAVE_NSIPv4	0x0020
# define DNS_RPZ_HAVE_NSIPv6	0x0040
# define DNS_RPZ_HAD_NSDNAME	0x0080
	/*
	 * Best match so far.
	 * type/rpz/prefix/policy describe the winning trigger; the remaining
	 * members (zone, db, node, rdataset) look like references into the
	 * policy zone's database that the caller must release -- confirm
	 * ownership in rpz.c before changing teardown order.
	 */
	struct {
		dns_rpz_type_t		type;
		dns_rpz_zone_t		*rpz;
		dns_rpz_cidr_bits_t	prefix;
		dns_rpz_policy_t	policy;
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing NS names and addresses including recursion.
	 * 'label' is an unsigned index (presumably into the name being
	 * walked); r_type/r_result/r_rdataset appear to be the in-flight
	 * record lookup.
	 */
	struct {
		unsigned int		label;
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;
		dns_rdatatype_t		r_type;
		isc_result_t		r_result;
		dns_rdataset_t		*r_rdataset;
	} ns;
	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 * Saved so the original answer context can be restored after the
	 * policy lookups; nothing here is owned by this struct as far as the
	 * header shows.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;
	/*
	 * Working names.  The pointer/fixedname pairs share a prefix
	 * (qname/_qnamef, r_name/_r_namef, fname/_fnamef), which suggests
	 * each pointer refers to the fixed-size storage beside it; that
	 * wiring happens in rpz.c and should be confirmed there.
	 */
	dns_name_t		*qname;
	dns_name_t		*r_name;
	dns_name_t		*fname;
	dns_fixedname_t		_qnamef;
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;

/*
 * TTL (a dns_ttl_t, i.e. seconds) applied to rewritten answers when no
 * other value is available -- presumably; the point of use is in rpz.c.
 */
#define DNS_RPZ_TTL_DEFAULT	5

/*
 * So various response policy zone messages can be turned up or down.
 *
 * These expand to ISC_LOG_* names that this header does not include
 * (<isc/log.h> is not among the includes above); a translation unit that
 * uses them must have that header in scope, directly or indirectly.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)

/*
 * Printable name for a trigger type (for log messages, presumably).
 * Returns a constant string; the caller must not free it.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Map a policy keyword (the quoted words in dns_rpz_policy_t) to the enum.
 * Which value reports an unrecognised string is not visible here;
 * DNS_RPZ_POLICY_ERROR is the obvious candidate -- confirm before relying
 * on it to reject bad configuration.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Set / query a process-wide boolean.  What "need" means is defined in
 * rpz.c; the pairing suggests a fast-path flag for "is RPZ configured at
 * all" -- confirm.
 */
void
dns_rpz_set_need(isc_boolean_t need);

isc_boolean_t
dns_rpz_needed(void);

/*
 * Free a radix tree.  The parameter is the address of the caller's pointer,
 * which suggests the callee also clears *cidr (the usual ISC convention);
 * confirm in rpz.c.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Release the RPZ state attached to 'view'.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Allocate a radix tree from 'mctx' for the policy zone whose name is
 * 'origin'.  On ISC_R_SUCCESS the new tree is returned through
 * *rbtdb_cidr; callers should not read the out-pointer on any other
 * result.  Freed with dns_rpz_cidr_free().
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
		 dns_rpz_cidr_t **rbtdb_cidr);

/*
 * Record in 'st' what 'cidr' can answer -- presumably by setting
 * DNS_RPZ_HAVE_* bits in st->state.  Confirm in rpz.c.
 */
void
dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);

/*
 * Remove / add the address trigger encoded by the owner name 'name'
 * (a name in an rpz-ip or rpz-nsip sub-zone, presumably).  How the name
 * is decoded into a prefix, and what happens on a malformed name, is
 * defined in rpz.c, not here.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Look up 'netaddr' in 'cidr' for trigger kind 'type'.  canon_name,
 * search_name and prefix are passed by pointer and look like outputs
 * describing the best-matching entry; their exact roles are documented in
 * rpz.c.  Treat the isc_result_t as the only success indicator and do not
 * use the outputs on failure.
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
		  dns_rpz_type_t type, dns_name_t *canon_name,
		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);

/*
 * Derive the policy implied by a CNAME rdataset (the special target
 * encodings that stand for NXDOMAIN, NODATA, etc. are interpreted in
 * rpz.c).  The first parameter is unnamed in this prototype; naming it
 * (e.g. "rdataset") would be harmless and clearer.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rdataset_t *, dns_name_t *selfname);

#endif /* DNS_RPZ_H */
