1/*
2 * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002  Internet Software Consortium.
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
16 */
17
18/* $Id: rootns.c,v 1.40 2010/06/18 05:36:24 marka Exp $ */
19
20/*! \file */
21
22#include <config.h>
23
24#include <isc/buffer.h>
25#include <isc/string.h>		/* Required for HP/UX (and others?) */
26#include <isc/util.h>
27
28#include <dns/callbacks.h>
29#include <dns/db.h>
30#include <dns/dbiterator.h>
31#include <dns/fixedname.h>
32#include <dns/log.h>
33#include <dns/master.h>
34#include <dns/rdata.h>
35#include <dns/rdata.h>
36#include <dns/rdataset.h>
37#include <dns/rdatasetiter.h>
38#include <dns/rdatastruct.h>
39#include <dns/rdatatype.h>
40#include <dns/result.h>
41#include <dns/rootns.h>
42#include <dns/view.h>
43
/*
 * Built-in root hints in master-file text form.  dns_rootns_create() loads
 * this buffer when it is called without a hints filename and the requested
 * class is IN.
 *
 * The NS names and addresses below are a compile-time snapshot; nothing in
 * this file refreshes them.  dns_root_checkhints() logs a warning when the
 * hints database it is given disagrees with the root NS and address data
 * found in the other database, so those "checkhints" warnings are the
 * signal that a hints set has gone stale.
 *
 * NOTE(review): the L.ROOT-SERVERS.NET AAAA record carries TTL 604800 while
 * every other address record here uses 3600000 -- confirm this is intended.
 */
static char root_ns[] =
";\n"
"; Internet Root Nameservers\n"
";\n"
"$TTL 518400\n"
".                       518400  IN      NS      A.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      C.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      D.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      E.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      F.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      G.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      H.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      I.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      J.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      K.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      L.ROOT-SERVERS.NET.\n"
".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
"A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
"A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
"B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201\n"
"C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
"D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
"D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d\n"
"E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10\n"
"F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241\n"
"F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F\n"
"G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4\n"
"H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53\n"
"H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803F:235\n"
"I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
"J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
"J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
"K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
"K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1\n"
"L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42\n"
"L.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:3::42\n"
"M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33\n"
"M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35\n";
84
/*
 * Search the NS rdataset 'rootns' for a record whose target equals 'name'.
 *
 * Returns ISC_R_SUCCESS on a match, ISC_R_NOTFOUND when 'rootns' is not
 * associated or holds no matching target, and otherwise the failing result
 * from dns_rdata_tostruct() or from iterating the rdataset.
 */
static isc_result_t
in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
	dns_rdata_t current = DNS_RDATA_INIT;
	dns_rdata_ns_t nsdata;
	isc_result_t result;

	if (!dns_rdataset_isassociated(rootns))
		return (ISC_R_NOTFOUND);

	for (result = dns_rdataset_first(rootns);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(rootns)) {
		dns_rdataset_current(rootns, &current);
		result = dns_rdata_tostruct(&current, &nsdata, NULL);
		if (result != ISC_R_SUCCESS)
			return (result);
		if (dns_name_compare(name, &nsdata.name) == 0)
			return (ISC_R_SUCCESS);
		/* 'current' must be reset before it is reused for the next record. */
		dns_rdata_reset(&current);
	}

	/* Running off the end of the set just means "no such name server". */
	return (result == ISC_R_NOMORE ? ISC_R_NOTFOUND : result);
}
109
/*
 * Validate every rdataset at one node of a hints database.
 *
 * Accepted content:
 *   - A / AAAA rdatasets, but only when 'name' is a target of the root NS
 *     set 'rootns' (otherwise the in_rootns() result is returned);
 *   - an NS rdataset, but only at the root name.
 * Any other rdataset yields ISC_R_FAILURE.  Returns ISC_R_SUCCESS when all
 * rdatasets at the node pass.
 */
static isc_result_t
check_node(dns_rdataset_t *rootns, dns_name_t *name,
	   dns_rdatasetiter_t *rdsiter) {
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	for (result = dns_rdatasetiter_first(rdsiter);
	     result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter)) {
		dns_rdatasetiter_current(rdsiter, &rdataset);

		if (rdataset.type == dns_rdatatype_a ||
		    rdataset.type == dns_rdatatype_aaaa) {
			/* Addresses are only expected for listed root servers. */
			result = in_rootns(rootns, name);
			if (result != ISC_R_SUCCESS)
				goto cleanup;
		} else if (rdataset.type != dns_rdatatype_ns ||
			   dns_name_compare(name, dns_rootname) != 0) {
			/* Neither an address nor the root NS set: extra data. */
			result = ISC_R_FAILURE;
			goto cleanup;
		}

		dns_rdataset_disassociate(&rdataset);
	}

	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

 cleanup:
	/* An early exit leaves the current rdataset still associated. */
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	return (result);
}
145
/*
 * Walk every node of the hints database 'db' and run check_node() on it.
 *
 * Returns ISC_R_SUCCESS when every node passes; otherwise the first failing
 * result from the iterator, dns_db_allrdatasets() or check_node().
 */
static isc_result_t
check_hints(dns_db_t *db) {
	dns_rdataset_t rootns;
	dns_fixedname_t fixname;
	dns_name_t *name;
	dns_dbiterator_t *dbiter = NULL;
	dns_rdatasetiter_t *rdsiter = NULL;
	dns_dbnode_t *node = NULL;
	isc_stdtime_t now;
	isc_result_t result;

	isc_stdtime_get(&now);

	dns_fixedname_init(&fixname);
	name = dns_fixedname_name(&fixname);

	/*
	 * The lookup result is deliberately ignored: if the root NS set is
	 * absent, 'rootns' stays unassociated and in_rootns() reports
	 * ISC_R_NOTFOUND for every address record.
	 */
	dns_rdataset_init(&rootns);
	(void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
			  now, NULL, name, &rootns, NULL);

	result = dns_db_createiterator(db, 0, &dbiter);
	if (result != ISC_R_SUCCESS)
		goto cleanup;

	for (result = dns_dbiterator_first(dbiter);
	     result == ISC_R_SUCCESS;
	     result = dns_dbiterator_next(dbiter)) {
		result = dns_dbiterator_current(dbiter, &node, name);
		if (result == ISC_R_SUCCESS)
			result = dns_db_allrdatasets(db, node, NULL, now,
						     &rdsiter);
		if (result == ISC_R_SUCCESS)
			result = check_node(&rootns, name, rdsiter);
		if (result != ISC_R_SUCCESS)
			goto cleanup;

		dns_rdatasetiter_destroy(&rdsiter);
		dns_db_detachnode(db, &node);
	}

	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

 cleanup:
	/* Release whatever was still held when the walk stopped. */
	if (dns_rdataset_isassociated(&rootns))
		dns_rdataset_disassociate(&rootns);
	if (rdsiter != NULL)
		dns_rdatasetiter_destroy(&rdsiter);
	if (node != NULL)
		dns_db_detachnode(db, &node);
	if (dbiter != NULL)
		dns_dbiterator_destroy(&dbiter);
	return (result);
}
197
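/*
 * Create a root hints database and return it through '*target'.
 *
 * 'filename', when non-NULL, names the master file to load the hints from.
 * When it is NULL and 'rdclass' is IN, the built-in root_ns text is loaded
 * instead; for any other class the result is ISC_R_NOTFOUND.
 *
 * Requires: 'target' != NULL and '*target' == NULL.
 *
 * Returns ISC_R_SUCCESS with '*target' set, or the failing result from
 * database creation or loading, in which case the database is released and
 * '*target' is left untouched.
 *
 * A hints set that fails check_hints() (content other than the root NS set
 * and addresses of its targets) is still accepted: the only effect is an
 * "extra data in root hints" warning.  Treat that log line as something to
 * investigate, because the hints are in use regardless.
 */
isc_result_t
dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
		  const char *filename, dns_db_t **target)
{
	isc_result_t result, eresult;
	isc_buffer_t source;
	unsigned int len;
	dns_rdatacallbacks_t callbacks;
	dns_db_t *db = NULL;

	REQUIRE(target != NULL && *target == NULL);

	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
			       rdclass, 0, NULL, &db);
	if (result != ISC_R_SUCCESS)
		return (result);

	dns_rdatacallbacks_init(&callbacks);

	/* Wrap the built-in hints text in a buffer marked as fully used. */
	len = strlen(root_ns);
	isc_buffer_init(&source, root_ns, len);
	isc_buffer_add(&source, len);

	result = dns_db_beginload(db, &callbacks.add,
				  &callbacks.add_private);
	if (result != ISC_R_SUCCESS) {
		/*
		 * 'db' was already created above; a bare return here would
		 * leak it, so leave through the detach path.
		 */
		goto db_detach;
	}
	if (filename != NULL) {
		/*
		 * Load the hints from the specified filename.
		 */
		result = dns_master_loadfile(filename, &db->origin,
					     &db->origin, db->rdclass,
					     DNS_MASTER_HINT,
					     &callbacks, db->mctx);
	} else if (rdclass == dns_rdataclass_in) {
		/*
		 * Default to using the Internet root servers.
		 */
		result = dns_master_loadbuffer(&source, &db->origin,
					       &db->origin, db->rdclass,
					       DNS_MASTER_HINT,
					       &callbacks, db->mctx);
	} else
		result = ISC_R_NOTFOUND;

	/*
	 * The load must always be ended; its result only replaces 'result'
	 * when the load itself succeeded.
	 */
	eresult = dns_db_endload(db, &callbacks.add_private);
	if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)
		result = eresult;
	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
		goto db_detach;

	/* Advisory only: unexpected content is logged, not rejected. */
	if (check_hints(db) != ISC_R_SUCCESS)
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
			      "extra data in root hints '%s'",
			      (filename != NULL) ? filename : "<BUILT-IN>");
	*target = db;
	return (ISC_R_SUCCESS);

 db_detach:
	dns_db_detach(&db);

	return (result);
}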
261
/*
 * Log one "checkhints" warning for the record 'rdata' owned by 'name'.
 *
 * 'missing' selects the wording: ISC_TRUE reports the record as missing
 * from the hints, ISC_FALSE as an extra record in the hints.  The view name
 * is included unless the view is "_bind" or "_default".
 *
 * 'databuf' is sized for a textual IPv6 address; the callers in this file
 * pass A and AAAA rdata only.  If dns_rdata_totext() fails, RUNTIME_CHECK
 * fires rather than logging truncated data.
 */
static void
report(dns_view_t *view, dns_name_t *name, isc_boolean_t missing,
       dns_rdata_t *rdata)
{
	char databuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
	char typebuf[DNS_RDATATYPE_FORMATSIZE];
	char namebuf[DNS_NAME_FORMATSIZE];
	const char *viewname = "";
	const char *sep = "";
	isc_buffer_t text;
	isc_result_t result;
	int named_view;

	named_view = (strcmp(view->name, "_bind") != 0 &&
		      strcmp(view->name, "_default") != 0);
	if (named_view) {
		sep = ": view ";
		viewname = view->name;
	}

	dns_name_format(name, namebuf, sizeof(namebuf));
	dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));

	/* Keep the final byte of 'databuf' free for the terminating NUL. */
	isc_buffer_init(&text, databuf, sizeof(databuf) - 1);
	result = dns_rdata_totext(rdata, NULL, &text);
	RUNTIME_CHECK(result == ISC_R_SUCCESS);
	databuf[isc_buffer_usedlength(&text)] = '\0';

	if (!missing) {
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
			      "checkhints%s%s: %s/%s (%s) extra record "
			      "in hints", sep, viewname, namebuf, typebuf,
			      databuf);
		return;
	}

	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
		      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
		      "checkhints%s%s: %s/%s (%s) missing from hints",
		      sep, viewname, namebuf, typebuf, databuf);
}
298
/*
 * Report whether 'rrset' contains a record that compares equal to 'rdata'.
 *
 * Returns ISC_TRUE on the first match and ISC_FALSE once the iteration
 * stops for any reason; iteration errors are not distinguished from
 * "not present".
 */
static isc_boolean_t
inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
	dns_rdata_t candidate = DNS_RDATA_INIT;
	isc_result_t result;

	for (result = dns_rdataset_first(rrset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(rrset)) {
		dns_rdataset_current(rrset, &candidate);
		if (dns_rdata_compare(rdata, &candidate) == 0)
			return (ISC_TRUE);
		dns_rdata_reset(&candidate);
	}

	return (ISC_FALSE);
}
314
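/*
 * Compare the RRset of 'type' owned by 'name' in 'hints' with the one found
 * in 'db', logging each difference through report().
 *
 * Nothing is compared unless 'db' yields the RRset (ISC_R_SUCCESS or
 * DNS_R_GLUE).  When the hints have the RRset too, records present only in
 * 'db' are reported as missing from the hints and records present only in
 * the hints as extra.  When the hints lookup returns ISC_R_NOTFOUND, every
 * record from 'db' is reported as missing.
 */
static void
check_address_type(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
		   dns_name_t *name, dns_rdatatype_t type, isc_stdtime_t now)
{
	isc_result_t hresult, rresult, result;
	dns_rdataset_t hintrrset, rootrrset;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_name_t *foundname;
	dns_fixedname_t fixed;

	dns_rdataset_init(&hintrrset);
	dns_rdataset_init(&rootrrset);
	dns_fixedname_init(&fixed);
	foundname = dns_fixedname_name(&fixed);

	hresult = dns_db_find(hints, name, NULL, type, 0,
			      now, NULL, foundname, &hintrrset, NULL);
	rresult = dns_db_find(db, name, NULL, type,
			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
			      &rootrrset, NULL);

	/* Without data from 'db' there is nothing to compare against. */
	if (rresult != ISC_R_SUCCESS && rresult != DNS_R_GLUE)
		goto cleanup;

	if (hresult == ISC_R_SUCCESS) {
		/* Records 'db' has that the hints lack. */
		result = dns_rdataset_first(&rootrrset);
		while (result == ISC_R_SUCCESS) {
			dns_rdata_reset(&rdata);
			dns_rdataset_current(&rootrrset, &rdata);
			if (!inrrset(&hintrrset, &rdata))
				report(view, name, ISC_TRUE, &rdata);
			result = dns_rdataset_next(&rootrrset);
		}
		/* Records the hints have that 'db' lacks. */
		result = dns_rdataset_first(&hintrrset);
		while (result == ISC_R_SUCCESS) {
			dns_rdata_reset(&rdata);
			dns_rdataset_current(&hintrrset, &rdata);
			if (!inrrset(&rootrrset, &rdata))
				report(view, name, ISC_FALSE, &rdata);
			result = dns_rdataset_next(&hintrrset);
		}
	} else if (hresult == ISC_R_NOTFOUND) {
		/* The hints have no RRset of this type: all are missing. */
		result = dns_rdataset_first(&rootrrset);
		while (result == ISC_R_SUCCESS) {
			dns_rdata_reset(&rdata);
			dns_rdataset_current(&rootrrset, &rdata);
			report(view, name, ISC_TRUE, &rdata);
			result = dns_rdataset_next(&rootrrset);
		}
	}

 cleanup:
	if (dns_rdataset_isassociated(&rootrrset))
		dns_rdataset_disassociate(&rootrrset);
	if (dns_rdataset_isassociated(&hintrrset))
		dns_rdataset_disassociate(&hintrrset);
}

/*
 * Check that the address RRsets match.
 *
 * The A and AAAA RRsets of 'name' are each compared between 'hints' and
 * 'db'; differences are only logged, never corrected.
 *
 * Note we don't complain about missing glue records.
 */
static void
check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
		      dns_name_t *name, isc_stdtime_t now)
{
	check_address_type(view, hints, db, name, dns_rdatatype_a, now);
	check_address_type(view, hints, db, name, dns_rdatatype_aaaa, now);
}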
420
/*
 * Compare the root NS set in 'hints' with the one in 'db' and log every
 * discrepancy at warning level.
 *
 * Root NS names found in 'db' but not in the hints are logged as not found
 * in hints; for names present in both, the A/AAAA records are compared by
 * check_address_records().  Names found only in the hints are logged as
 * extra.  The function only reports: neither database is modified here.
 *
 * Requires: 'view', 'hints' and 'db' are non-NULL.
 *
 * NOTE(review): the log text calls 'db' the cache -- presumably the view's
 * cache database; confirm against the caller.
 */
void
dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
	dns_rdataset_t hintns, rootns;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdata_ns_t ns;
	dns_fixedname_t fixed;
	dns_name_t *name;
	const char *viewname = "";
	const char *sep = "";
	char namebuf[DNS_NAME_FORMATSIZE];
	isc_stdtime_t now;
	isc_result_t result;

	REQUIRE(hints != NULL);
	REQUIRE(db != NULL);
	REQUIRE(view != NULL);

	isc_stdtime_get(&now);

	/* The two built-in view names are left out of the log prefix. */
	if (strcmp(view->name, "_bind") != 0 &&
	    strcmp(view->name, "_default") != 0) {
		sep = ": view ";
		viewname = view->name;
	}

	dns_rdataset_init(&hintns);
	dns_rdataset_init(&rootns);
	dns_fixedname_init(&fixed);
	name = dns_fixedname_name(&fixed);

	result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
			     now, NULL, name, &hintns, NULL);
	if (result != ISC_R_SUCCESS) {
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
			      "checkhints%s%s: unable to get root NS rrset "
			      "from hints: %s", sep, viewname,
			      dns_result_totext(result));
		goto cleanup;
	}

	result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
			     now, NULL, name, &rootns, NULL);
	if (result != ISC_R_SUCCESS) {
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
			      "checkhints%s%s: unable to get root NS rrset "
			      "from cache: %s", sep, viewname,
			      dns_result_totext(result));
		goto cleanup;
	}

	/*
	 * Look for missing root NS names.
	 */
	for (result = dns_rdataset_first(&rootns);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rootns)) {
		dns_rdataset_current(&rootns, &rdata);
		result = dns_rdata_tostruct(&rdata, &ns, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);
		if (in_rootns(&hintns, &ns.name) == ISC_R_SUCCESS) {
			/* Known name server: compare its addresses too. */
			check_address_records(view, hints, db, &ns.name, now);
		} else {
			/* missing from hints */
			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
				      "checkhints%s%s: unable to find root "
				      "NS '%s' in hints", sep, viewname,
				      namebuf);
		}
		dns_rdata_reset(&rdata);
	}
	if (result != ISC_R_NOMORE)
		goto cleanup;

	/*
	 * Look for extra root NS names.
	 */
	for (result = dns_rdataset_first(&hintns);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&hintns)) {
		dns_rdataset_current(&hintns, &rdata);
		result = dns_rdata_tostruct(&rdata, &ns, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);
		if (in_rootns(&rootns, &ns.name) != ISC_R_SUCCESS) {
			/* extra entry in hints */
			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
				      "checkhints%s%s: extra NS '%s' in hints",
				      sep, viewname, namebuf);
		}
		dns_rdata_reset(&rdata);
	}
	/* Whatever ended the second pass, only the release below remains. */

 cleanup:
	if (dns_rdataset_isassociated(&rootns))
		dns_rdataset_disassociate(&rootns);
	if (dns_rdataset_isassociated(&hintns))
		dns_rdataset_disassociate(&hintns);
}
529