rpz.h revision 236374
/*
 * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id$ */

/*
 * Response Policy Zone (RPZ) types and interfaces: the per-zone
 * configuration record, the radix tree of IP-address triggers, the
 * per-query state used while searching for the best policy, and the
 * helpers that the zone/database and query code call.
 */

#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1

#include <isc/lang.h>

#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>

ISC_LANG_BEGINDECLS

/*
 * Labels of the sub-zones inside a policy zone that hold the IP-address,
 * NS-IP-address and NS-name triggers.  They are prepended to the policy
 * zone origin, e.g. "rpz-nsdname.<origin>" (see the nsdname member of
 * struct dns_rpz_zone below).
 */
#define DNS_RPZ_IP_ZONE "rpz-ip"
#define DNS_RPZ_NSIP_ZONE "rpz-nsip"
#define DNS_RPZ_NSDNAME_ZONE "rpz-nsdname"

/*
 * Length in bits of a CIDR prefix, as reported through the prefix
 * output of dns_rpz_cidr_find() and recorded in dns_rpz_st_t.m.
 */
typedef isc_uint8_t dns_rpz_cidr_bits_t;

/*
 * Kind of trigger that matched a query; recorded as the "type" of the
 * best match in dns_rpz_st_t.m.  DNS_RPZ_TYPE_BAD presumably denotes an
 * invalid or unknown type -- confirm against dns_rpz_type2str().
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_QNAME,
	DNS_RPZ_TYPE_IP,
	DNS_RPZ_TYPE_NSDNAME,
	DNS_RPZ_TYPE_NSIP
} dns_rpz_type_t;

/*
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
 * policies.
 *
 * The explicit values below pin that order.  Renumbering or reordering
 * these changes which policy wins when several zones match the same
 * query, so do not touch them without revisiting the comparison code.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* 'disabled': NOTE(review): the
					 * original comment here was a copy
					 * of the 'cname x' one; the actual
					 * semantics are not visible in this
					 * header -- confirm in rpz.c */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
	/*
	 * The remaining values carry no explicit number and no quoted
	 * configuration keyword above, and are outside the ordering
	 * requirement.  Their meaning is not established by this header;
	 * the names suggest: policy taken from the record itself, a
	 * wildcard CNAME, no match, and an error -- verify in rpz.c.
	 */
	DNS_RPZ_POLICY_RECORD,
	DNS_RPZ_POLICY_WILDCNAME,
	DNS_RPZ_POLICY_MISS,
	DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;

/*
 * Specify a response policy zone.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

struct dns_rpz_zone {
	ISC_LINK(dns_rpz_zone_t) link;	/* list linkage; presumably the list
					 * is owned per view, see
					 * dns_rpz_view_destroy() */
	int num;			/* index of this zone; presumably its
					 * position/precedence in that list */
	dns_name_t origin;		/* Policy zone name */
	dns_name_t nsdname;		/* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_rpz_policy_t policy;	/* DNS_RPZ_POLICY_GIVEN or override */
	dns_name_t cname;		/* override value for ..._CNAME */
};

/*
 * Radix trees for response policy IP addresses.
 * Opaque outside the implementation: created by dns_rpz_new_cidr(),
 * populated by dns_rpz_cidr_addip()/dns_rpz_cidr_deleteip(), searched by
 * dns_rpz_cidr_find() and released by dns_rpz_cidr_free().
 */
typedef struct dns_rpz_cidr dns_rpz_cidr_t;

/*
 * context for finding the best policy
 *
 * One of these lives for the duration of a single query's RPZ search.
 * The state bits record which trigger kinds have been checked and which
 * kinds of triggers the configured policy zones actually contain, so
 * that the search can skip work it cannot match.
 */
typedef struct {
	unsigned int state;
# define DNS_RPZ_REWRITTEN 0x0001	/* presumably: answer already rewritten */
# define DNS_RPZ_DONE_QNAME 0x0002	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP 0x0004	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME 0x0008	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4 0x0010	/* presumably: IPv4 addresses checked */
# define DNS_RPZ_RECURSING 0x0020	/* presumably: recursion in progress */
# define DNS_RPZ_HAVE_IP 0x0040	/* a policy zone has IP addresses */
# define DNS_RPZ_HAVE_NSIPv4 0x0080	/* IPv4 NSIP addresses */
# define DNS_RPZ_HAVE_NSIPv6 0x0100	/* IPv6 NSIP addresses */
# define DNS_RPZ_HAVE_NSDNAME 0x0200	/* NS names */
	/*
	 * Best match so far.
	 */
	struct {
		dns_rpz_type_t type;		/* which trigger kind matched */
		dns_rpz_zone_t *rpz;		/* policy zone that matched */
		dns_rpz_cidr_bits_t prefix;	/* CIDR prefix length of an IP match */
		dns_rpz_policy_t policy;	/* policy chosen so far */
		dns_ttl_t ttl;
		isc_result_t result;
		/*
		 * Database location of the matching policy record;
		 * presumably used to build the rewritten answer.
		 */
		dns_zone_t *zone;
		dns_db_t *db;
		dns_dbversion_t *version;
		dns_dbnode_t *node;
		dns_rdataset_t *rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int label;		/* presumably: current label
						 * position in the name walk */
		dns_db_t *db;
		dns_rdataset_t *ns_rdataset;	/* NS rrset being chased */
		dns_rdatatype_t r_type;		/* type of the recursive lookup */
		isc_result_t r_result;		/* result of that lookup */
		dns_rdataset_t *r_rdataset;	/* rrset that lookup returned */
	} r;
	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 * Saved here so it can be restored once the RPZ recursion finishes.
	 */
	struct {
		isc_result_t result;
		isc_boolean_t is_zone;
		isc_boolean_t authoritative;
		dns_zone_t *zone;
		dns_db_t *db;
		dns_dbnode_t *node;
		dns_rdataset_t *rdataset;
		dns_rdataset_t *sigrdataset;
		dns_rdatatype_t qtype;
	} q;
	/*
	 * Working names; the three dns_fixedname_t members presumably
	 * provide the backing storage the pointers refer to.
	 */
	dns_name_t *qname;
	dns_name_t *r_name;
	dns_name_t *fname;
	dns_fixedname_t _qnamef;
	dns_fixedname_t _r_namef;
	dns_fixedname_t _fnamef;
} dns_rpz_st_t;

/*
 * TTL in seconds; presumably applied to synthesized (rewritten) answers
 * when the policy record supplies none -- confirm in the query code.
 */
#define DNS_RPZ_TTL_DEFAULT 5

/*
 * So various response policy zone messages can be turned up or down.
 * The ISC_LOG_* values come from <isc/log.h>, which this header does not
 * include directly; translation units using these must have it in scope.
 */
#define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)

/*
 * Printable name of a trigger type, for logging.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword (such as the quoted words in the dns_rpz_policy_t
 * comments) into its enum value.  What is returned for an unrecognized
 * string is not visible here -- check rpz.c before relying on it.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Printable name of a policy, for logging.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Set / query a flag saying whether any response policy zone is in use,
 * so the query path can skip RPZ work entirely.  The flag is not attached
 * to any object here, so it is presumably process-wide.
 */
void
dns_rpz_set_need(isc_boolean_t need);

isc_boolean_t
dns_rpz_needed(void);

/*
 * Release a radix tree.  Takes the address of the caller's pointer,
 * presumably so it can be cleared after the free.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Tear down the RPZ state attached to a view.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Allocate a radix tree for the policy zone named by origin, using mctx,
 * and return it through *rbtdb_cidr.  The result must be checked; on
 * failure *rbtdb_cidr should not be used.
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
		 dns_rpz_cidr_t **rbtdb_cidr);

/*
 * Presumably records in st->state which kinds of triggers (the
 * DNS_RPZ_HAVE_* bits) the tree cidr contains -- confirm in rpz.c.
 */
void
dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);

/*
 * Remove / add the IP-address trigger encoded in name (a name under one
 * of the DNS_RPZ_*_ZONE sub-zones) to the tree.  Called as the policy
 * zone's database changes.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Look up netaddr in the tree for trigger kind type.  On success the
 * canonical and search names of the matching trigger are written to
 * canon_name and search_name and its prefix length to *prefix.
 * Returns an isc_result_t that callers must check.
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
		  dns_rpz_type_t type, dns_name_t *canon_name,
		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);

/*
 * Derive the policy from a policy record's CNAME rrset; selfname is
 * presumably used to detect the special self-referencing forms.
 * NOTE(review): the first parameter is unnamed in this prototype.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rdataset_t *, dns_name_t *selfname);

ISC_LANG_ENDDECLS

#endif /* DNS_RPZ_H */