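/*
 * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id$ */

/*! \file
 * \brief
 * Construction of NSEC records for a database node and queries against
 * an NSEC type bitmap.
 *
 * The type bitmap format used here is the windowed encoding shared by
 * NSEC and NSEC3 (RFC 4034, section 4.1.2): a sequence of
 * (window number, length, bitmap bytes) triples, where each window
 * covers 256 consecutive RR types and bits are numbered from the most
 * significant bit of each octet.
 */

#include <config.h>

#include <isc/string.h>
#include <isc/util.h>

#include <dns/db.h>
#include <dns/nsec.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/result.h>

#include <dst/dst.h>

/*%
 * Evaluate 'x' into the local 'result' and jump to the function's
 * 'failure' label on anything other than ISC_R_SUCCESS.  Requires both
 * 'result' and 'failure:' to exist in the calling function.
 */
#define RETERR(x) do { \
	result = (x); \
	if (result != ISC_R_SUCCESS) \
		goto failure; \
	} while (0)

/*%
 * Set (bit != 0) or clear (bit == 0) bit number 'index' in the raw
 * bitmap 'array'.  Bit 0 is the most significant bit of array[0], so
 * bit N lives in array[N / 8] at mask 1 << (7 - N % 8), matching the
 * on-the-wire NSEC bitmap layout.
 *
 * The caller guarantees that array[index / 8] is inside the bitmap;
 * no bounds check is performed here.
 */
static void
set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
	unsigned int shift, mask;

	shift = 7 - (index % 8);
	mask = 1 << shift;

	if (bit != 0)
		array[index / 8] |= mask;
	else
		/* Mask to 8 bits so the ~ of an int does not widen the store. */
		array[index / 8] &= (~mask & 0xFF);
}

/*%
 * Return non-zero if bit number 'index' of the raw bitmap 'array' is
 * set, using the same bit numbering as set_bit().
 *
 * 'array' is only read, hence const; bounds are the caller's
 * responsibility.
 */
static unsigned int
bit_isset(const unsigned char *array, unsigned int index) {
	unsigned int byte, shift, mask;

	byte = array[index / 8];
	shift = 7 - (index % 8);
	mask = 1 << shift;

	return ((byte & mask) != 0);
}

/*%
 * Build the rdata of the NSEC record for 'node' into 'buffer' and set
 * up 'rdata' to point at it.
 *
 * 'target' is the next owner name in canonical order; it is copied to
 * the start of 'buffer' in wire form, followed by the windowed type
 * bitmap of the types present at 'node'.  RRSIG and NSEC are always
 * asserted; NSEC3 rdatasets at the node are never represented.  At a
 * zone cut (NS present, SOA absent) every type that
 * dns_rdatatype_iszonecutauth() does not report as authoritative is
 * removed, so the parent-side NSEC denies glue.
 *
 * 'buffer' must be at least DNS_NSEC_BUFFERSIZE bytes; the rdata
 * refers into it, so it must outlive 'rdata'.
 *
 * Returns ISC_R_SUCCESS, or the error from iterating the node's
 * rdatasets.
 */
isc_result_t
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
		    dns_dbnode_t *node, dns_name_t *target,
		    unsigned char *buffer, dns_rdata_t *rdata)
{
	isc_result_t result;
	dns_rdataset_t rdataset;
	isc_region_t r;
	unsigned int i, window;
	int octet;

	unsigned char *nsec_bits, *bm;
	unsigned int max_type;
	dns_rdatasetiter_t *rdsiter;

	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
	dns_name_toregion(target, &r);
	memcpy(buffer, r.base, r.length);
	r.base = buffer;
	/*
	 * Use the end of the space for a raw bitmap leaving enough
	 * space for the window identifiers and length octets.
	 *
	 * Layout of 'buffer': [name][encoded windows -> ...][raw bitmap]
	 * The raw bitmap starts 512 bytes after the name; the encoded
	 * form is written from the end of the name forward and grows at
	 * most 34 bytes per window against 32 bytes of raw bitmap per
	 * window, which is why the 512-byte gap and the memmove() below
	 * are needed.  The INSIST on the final length is the guard that
	 * the encoded form stayed inside DNS_NSEC_BUFFERSIZE.
	 */
	bm = r.base + r.length + 512;
	nsec_bits = r.base + r.length;
	set_bit(bm, dns_rdatatype_rrsig, 1);
	set_bit(bm, dns_rdatatype_nsec, 1);
	max_type = dns_rdatatype_nsec;
	dns_rdataset_init(&rdataset);
	rdsiter = NULL;
	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
	if (result != ISC_R_SUCCESS)
		return (result);
	for (result = dns_rdatasetiter_first(rdsiter);
	     result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter))
	{
		dns_rdatasetiter_current(rdsiter, &rdataset);
		/*
		 * NSEC and RRSIG were asserted above; NSEC3 is skipped
		 * entirely.  Track the highest type so the window loop
		 * below knows where to stop.
		 */
		if (rdataset.type != dns_rdatatype_nsec &&
		    rdataset.type != dns_rdatatype_nsec3 &&
		    rdataset.type != dns_rdatatype_rrsig) {
			if (rdataset.type > max_type)
				max_type = rdataset.type;
			set_bit(bm, rdataset.type, 1);
		}
		dns_rdataset_disassociate(&rdataset);
	}

	/*
	 * At zone cuts, deny the existence of glue in the parent zone.
	 */
	if (bit_isset(bm, dns_rdatatype_ns) &&
	    ! bit_isset(bm, dns_rdatatype_soa)) {
		for (i = 0; i <= max_type; i++) {
			if (bit_isset(bm, i) &&
			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
				set_bit(bm, i, 0);
		}
	}

	dns_rdatasetiter_destroy(&rdsiter);
	/* The iterator ends with ISC_R_NOMORE; anything else is an error. */
	if (result != ISC_R_NOMORE)
		return (result);

	/*
	 * Encode the raw bitmap as windows: each non-empty window is
	 * emitted as (window, length, bytes) with the length trimmed to
	 * the last non-zero octet, as the wire format requires.
	 */
	for (window = 0; window < 256; window++) {
		if (window * 256 > max_type)
			break;
		for (octet = 31; octet >= 0; octet--)
			if (bm[window * 32 + octet] != 0)
				break;
		if (octet < 0)
			continue;
		nsec_bits[0] = window;
		nsec_bits[1] = octet + 1;
		/*
		 * Note: potential overlapping move.
		 */
		memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
		nsec_bits += 3 + octet;
	}
	r.length = nsec_bits - r.base;
	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
	dns_rdata_fromregion(rdata,
			     dns_db_class(db),
			     dns_rdatatype_nsec,
			     &r);

	return (ISC_R_SUCCESS);
}


/*%
 * Build the NSEC record for 'node' (pointing at 'target') with TTL
 * 'ttl' and add it to the database in 'version'.
 *
 * An unchanged rdataset (DNS_R_UNCHANGED) is treated as success.
 * Returns ISC_R_SUCCESS or the error from building or adding the
 * rdataset.
 */
isc_result_t
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
	       dns_name_t *target, dns_ttl_t ttl)
{
	isc_result_t result;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	/* Backing store for the rdata; must stay live until the add. */
	unsigned char data[DNS_NSEC_BUFFERSIZE];
	dns_rdatalist_t rdatalist;
	dns_rdataset_t rdataset;

	dns_rdataset_init(&rdataset);
	dns_rdata_init(&rdata);

	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));

	rdatalist.rdclass = dns_db_class(db);
	rdatalist.type = dns_rdatatype_nsec;
	rdatalist.covers = 0;
	rdatalist.ttl = ttl;
	ISC_LIST_INIT(rdatalist.rdata);
	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
	RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
	result = dns_db_addrdataset(db, node, version, 0, &rdataset,
				    0, NULL);
	if (result == DNS_R_UNCHANGED)
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	return (result);
}

/*%
 * Return ISC_TRUE if the type bitmap of the NSEC rdata 'nsec' asserts
 * the presence of RR type 'type'.
 *
 * 'nsec' must be an NSEC rdata.  The windowed bitmap is walked in
 * order; windows are expected in ascending order, so the walk stops
 * as soon as a window above 'type' is seen.  Each window's length is
 * checked against the encoding rules (1..32 octets, contained in the
 * rdata) with INSIST, so a malformed bitmap is a fatal assertion
 * rather than an out-of-bounds read.
 */
isc_boolean_t
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
	dns_rdata_nsec_t nsecstruct;
	isc_result_t result;
	isc_boolean_t present;
	unsigned int i, len, window;

	REQUIRE(nsec != NULL);
	REQUIRE(nsec->type == dns_rdatatype_nsec);

	/* This should never fail */
	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
	INSIST(result == ISC_R_SUCCESS);

	present = ISC_FALSE;
	for (i = 0; i < nsecstruct.len; i += len) {
		INSIST(i + 2 <= nsecstruct.len);
		window = nsecstruct.typebits[i];
		len = nsecstruct.typebits[i + 1];
		INSIST(len > 0 && len <= 32);
		i += 2;
		INSIST(i + len <= nsecstruct.len);
		if (window * 256 > type)
			break;
		if ((window + 1) * 256 <= type)
			continue;
		/*
		 * Right window: the bit exists only if the truncated
		 * bitmap is long enough to cover it; otherwise the type
		 * is absent.
		 */
		if (type < (window * 256) + len * 8)
			present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
						   type % 256));
		break;
	}
	dns_rdata_freestruct(&nsecstruct);
	return (present);
}

/*%
 * Determine whether the zone in 'db' may only be signed with NSEC.
 *
 * Sets '*answer' to ISC_TRUE if the DNSKEY rdataset at the zone apex
 * contains a key whose algorithm is one of RSAMD5, RSASHA1, DSA or
 * ECC, i.e. an algorithm that does not signal NSEC3 support; to
 * ISC_FALSE if there is no DNSKEY rdataset or no such key.
 *
 * Returns ISC_R_SUCCESS when '*answer' was set, otherwise the error
 * from looking up the apex node or its DNSKEY rdataset.
 */
isc_result_t
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
		  isc_boolean_t *answer)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_dnskey_t dnskey;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
				     0, 0, &rdataset, NULL);
	/* The node is no longer needed whatever the lookup returned. */
	dns_db_detachnode(db, &node);

	if (result == ISC_R_NOTFOUND) {
		*answer = ISC_FALSE;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		return (result);
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		/* NULL mctx: nothing is allocated, so no freestruct needed. */
		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
		    dnskey.algorithm == DST_ALG_RSASHA1 ||
		    dnskey.algorithm == DST_ALG_DSA ||
		    dnskey.algorithm == DST_ALG_ECC)
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	/*
	 * Leaving the loop with ISC_R_SUCCESS means a matching key was
	 * found; ISC_R_NOMORE means the whole set was scanned without one.
	 */
	if (result == ISC_R_SUCCESS)
		*answer = ISC_TRUE;
	if (result == ISC_R_NOMORE) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
	}
	return (result);
}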