1/* 2 * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") 3 * Copyright (C) 1999-2003 Internet Software Consortium. 4 * 5 * Permission to use, copy, modify, and/or distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 * PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18/* $Id: update.c,v 1.186.16.7 2011/11/03 02:55:34 each Exp $ */ 19 20#include <config.h> 21 22#include <isc/netaddr.h> 23#include <isc/print.h> 24#include <isc/serial.h> 25#include <isc/stats.h> 26#include <isc/string.h> 27#include <isc/taskpool.h> 28#include <isc/util.h> 29 30#include <dns/db.h> 31#include <dns/dbiterator.h> 32#include <dns/diff.h> 33#include <dns/dnssec.h> 34#include <dns/events.h> 35#include <dns/fixedname.h> 36#include <dns/journal.h> 37#include <dns/keyvalues.h> 38#include <dns/message.h> 39#include <dns/nsec.h> 40#include <dns/nsec3.h> 41#include <dns/private.h> 42#include <dns/rdataclass.h> 43#include <dns/rdataset.h> 44#include <dns/rdatasetiter.h> 45#include <dns/rdatastruct.h> 46#include <dns/rdatatype.h> 47#include <dns/soa.h> 48#include <dns/ssu.h> 49#include <dns/tsig.h> 50#include <dns/view.h> 51#include <dns/zone.h> 52#include <dns/zt.h> 53 54#include <named/client.h> 55#include <named/log.h> 56#include <named/server.h> 57#include <named/update.h> 58 59/*! \file 60 * \brief 61 * This module implements dynamic update as in RFC2136. 62 */ 63 64/* 65 * XXX TODO: 66 * - document strict minimality 67 */ 68 69/**************************************************************************/ 70 71/*% 72 * Log level for tracing dynamic update protocol requests. 73 */ 74#define LOGLEVEL_PROTOCOL ISC_LOG_INFO 75 76/*% 77 * Log level for low-level debug tracing. 78 */ 79#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8) 80 81/*% 82 * Check an operation for failure. These macros all assume that 83 * the function using them has a 'result' variable and a 'failure' 84 * label. 85 */ 86#define CHECK(op) \ 87 do { result = (op); \ 88 if (result != ISC_R_SUCCESS) goto failure; \ 89 } while (0) 90 91/*% 92 * Fail unconditionally with result 'code', which must not 93 * be ISC_R_SUCCESS. The reason for failure presumably has 94 * been logged already. 95 * 96 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler 97 * from complaining about "end-of-loop code not reached". 98 */ 99 100#define FAIL(code) \ 101 do { \ 102 result = (code); \ 103 if (result != ISC_R_SUCCESS) goto failure; \ 104 } while (0) 105 106/*% 107 * Fail unconditionally and log as a client error. 108 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler 109 * from complaining about "end-of-loop code not reached". 110 */ 111#define FAILC(code, msg) \ 112 do { \ 113 const char *_what = "failed"; \ 114 result = (code); \ 115 switch (result) { \ 116 case DNS_R_NXDOMAIN: \ 117 case DNS_R_YXDOMAIN: \ 118 case DNS_R_YXRRSET: \ 119 case DNS_R_NXRRSET: \ 120 _what = "unsuccessful"; \ 121 } \ 122 update_log(client, zone, LOGLEVEL_PROTOCOL, \ 123 "update %s: %s (%s)", _what, \ 124 msg, isc_result_totext(result)); \ 125 if (result != ISC_R_SUCCESS) goto failure; \ 126 } while (0) 127#define PREREQFAILC(code, msg) \ 128 do { \ 129 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \ 130 FAILC(code, msg); \ 131 } while (0) 132 133#define FAILN(code, name, msg) \ 134 do { \ 135 const char *_what = "failed"; \ 136 result = (code); \ 137 switch (result) { \ 138 case DNS_R_NXDOMAIN: \ 139 case DNS_R_YXDOMAIN: \ 140 case DNS_R_YXRRSET: \ 141 case DNS_R_NXRRSET: \ 142 _what = "unsuccessful"; \ 143 } \ 144 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \ 145 char _nbuf[DNS_NAME_FORMATSIZE]; \ 146 dns_name_format(name, _nbuf, sizeof(_nbuf)); \ 147 update_log(client, zone, LOGLEVEL_PROTOCOL, \ 148 "update %s: %s: %s (%s)", _what, _nbuf, \ 149 msg, isc_result_totext(result)); \ 150 } \ 151 if (result != ISC_R_SUCCESS) goto failure; \ 152 } while (0) 153#define PREREQFAILN(code, name, msg) \ 154 do { \ 155 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \ 156 FAILN(code, name, msg); \ 157 } while (0) 158 159#define FAILNT(code, name, type, msg) \ 160 do { \ 161 const char *_what = "failed"; \ 162 result = (code); \ 163 switch (result) { \ 164 case DNS_R_NXDOMAIN: \ 165 case DNS_R_YXDOMAIN: \ 166 case DNS_R_YXRRSET: \ 167 case DNS_R_NXRRSET: \ 168 _what = "unsuccessful"; \ 169 } \ 170 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \ 171 char _nbuf[DNS_NAME_FORMATSIZE]; \ 172 char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \ 173 dns_name_format(name, _nbuf, sizeof(_nbuf)); \ 174 dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \ 175 update_log(client, zone, LOGLEVEL_PROTOCOL, \ 176 "update %s: %s/%s: %s (%s)", \ 177 _what, _nbuf, _tbuf, msg, \ 178 isc_result_totext(result)); \ 179 } \ 180 if (result != ISC_R_SUCCESS) goto failure; \ 181 } while (0) 182#define PREREQFAILNT(code, name, type, msg) \ 183 do { \ 184 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \ 185 FAILNT(code, name, type, msg); \ 186 } while (0) 187 188/*% 189 * Fail unconditionally and log as a server error. 190 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler 191 * from complaining about "end-of-loop code not reached". 192 */ 193#define FAILS(code, msg) \ 194 do { \ 195 result = (code); \ 196 update_log(client, zone, LOGLEVEL_PROTOCOL, \ 197 "error: %s: %s", \ 198 msg, isc_result_totext(result)); \ 199 if (result != ISC_R_SUCCESS) goto failure; \ 200 } while (0) 201 202/* 203 * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE. 204 */ 205#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0) 206 207/**************************************************************************/ 208 209typedef struct rr rr_t; 210 211struct rr { 212 /* dns_name_t name; */ 213 isc_uint32_t ttl; 214 dns_rdata_t rdata; 215}; 216 217typedef struct update_event update_event_t; 218 219struct update_event { 220 ISC_EVENT_COMMON(update_event_t); 221 dns_zone_t *zone; 222 isc_result_t result; 223 dns_message_t *answer; 224}; 225 226/**************************************************************************/ 227/* 228 * Forward declarations. 229 */ 230 231static void update_action(isc_task_t *task, isc_event_t *event); 232static void updatedone_action(isc_task_t *task, isc_event_t *event); 233static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone); 234static void forward_done(isc_task_t *task, isc_event_t *event); 235 236/**************************************************************************/ 237 238static void 239update_log(ns_client_t *client, dns_zone_t *zone, 240 int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5); 241 242static void 243update_log(ns_client_t *client, dns_zone_t *zone, 244 int level, const char *fmt, ...) 245{ 246 va_list ap; 247 char message[4096]; 248 char namebuf[DNS_NAME_FORMATSIZE]; 249 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 250 251 if (client == NULL || zone == NULL) 252 return; 253 254 if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE) 255 return; 256 257 dns_name_format(dns_zone_getorigin(zone), namebuf, 258 sizeof(namebuf)); 259 dns_rdataclass_format(dns_zone_getclass(zone), classbuf, 260 sizeof(classbuf)); 261 262 va_start(ap, fmt); 263 vsnprintf(message, sizeof(message), fmt, ap); 264 va_end(ap); 265 266 ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE, 267 level, "updating zone '%s/%s': %s", 268 namebuf, classbuf, message); 269} 270 271/*% 272 * Increment updated-related statistics counters. 273 */ 274static inline void 275inc_stats(dns_zone_t *zone, isc_statscounter_t counter) { 276 isc_stats_increment(ns_g_server->nsstats, counter); 277 278 if (zone != NULL) { 279 isc_stats_t *zonestats = dns_zone_getrequeststats(zone); 280 if (zonestats != NULL) 281 isc_stats_increment(zonestats, counter); 282 } 283} 284 285/*% 286 * Check if we could have queried for the contents of this zone or 287 * if the zone is potentially updateable. 288 * If the zone can potentially be updated and the check failed then 289 * log a error otherwise we log a informational message. 290 */ 291static isc_result_t 292checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename, 293 dns_acl_t *updateacl, dns_ssutable_t *ssutable) 294{ 295 char namebuf[DNS_NAME_FORMATSIZE]; 296 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 297 int level; 298 isc_result_t result; 299 300 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); 301 if (result != ISC_R_SUCCESS) { 302 dns_name_format(zonename, namebuf, sizeof(namebuf)); 303 dns_rdataclass_format(client->view->rdclass, classbuf, 304 sizeof(classbuf)); 305 306 level = (updateacl == NULL && ssutable == NULL) ? 307 ISC_LOG_INFO : ISC_LOG_ERROR; 308 309 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, 310 NS_LOGMODULE_UPDATE, level, 311 "update '%s/%s' denied due to allow-query", 312 namebuf, classbuf); 313 } else if (updateacl == NULL && ssutable == NULL) { 314 dns_name_format(zonename, namebuf, sizeof(namebuf)); 315 dns_rdataclass_format(client->view->rdclass, classbuf, 316 sizeof(classbuf)); 317 318 result = DNS_R_REFUSED; 319 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, 320 NS_LOGMODULE_UPDATE, ISC_LOG_INFO, 321 "update '%s/%s' denied", namebuf, classbuf); 322 } 323 return (result); 324} 325 326/*% 327 * Override the default acl logging when checking whether a client 328 * can update the zone or whether we can forward the request to the 329 * master based on IP address. 330 * 331 * 'message' contains the type of operation that is being attempted. 332 * 'slave' indicates if this is a slave zone. If 'acl' is NULL then 333 * log at debug=3. 334 * If the zone has no access controls configured ('acl' == NULL && 335 * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise 336 * at error. 337 * 338 * If the request was signed log that we received it. 339 */ 340static isc_result_t 341checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, 342 dns_name_t *zonename, isc_boolean_t slave, 343 isc_boolean_t has_ssutable) 344{ 345 char namebuf[DNS_NAME_FORMATSIZE]; 346 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 347 int level = ISC_LOG_ERROR; 348 const char *msg = "denied"; 349 isc_result_t result; 350 351 if (slave && acl == NULL) { 352 result = DNS_R_NOTIMP; 353 level = ISC_LOG_DEBUG(3); 354 msg = "disabled"; 355 } else { 356 result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE); 357 if (result == ISC_R_SUCCESS) { 358 level = ISC_LOG_DEBUG(3); 359 msg = "approved"; 360 } else if (acl == NULL && !has_ssutable) { 361 level = ISC_LOG_INFO; 362 } 363 } 364 365 if (client->signer != NULL) { 366 dns_name_format(client->signer, namebuf, sizeof(namebuf)); 367 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, 368 NS_LOGMODULE_UPDATE, ISC_LOG_INFO, 369 "signer \"%s\" %s", namebuf, msg); 370 } 371 372 dns_name_format(zonename, namebuf, sizeof(namebuf)); 373 dns_rdataclass_format(client->view->rdclass, classbuf, 374 sizeof(classbuf)); 375 376 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, 377 NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s", 378 message, namebuf, classbuf, msg); 379 return (result); 380} 381 382/*% 383 * Update a single RR in version 'ver' of 'db' and log the 384 * update in 'diff'. 385 * 386 * Ensures: 387 * \li '*tuple' == NULL. Either the tuple is freed, or its 388 * ownership has been transferred to the diff. 389 */ 390static isc_result_t 391do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, 392 dns_diff_t *diff) 393{ 394 dns_diff_t temp_diff; 395 isc_result_t result; 396 397 /* 398 * Create a singleton diff. 399 */ 400 dns_diff_init(diff->mctx, &temp_diff); 401 temp_diff.resign = diff->resign; 402 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); 403 404 /* 405 * Apply it to the database. 406 */ 407 result = dns_diff_apply(&temp_diff, db, ver); 408 ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link); 409 if (result != ISC_R_SUCCESS) { 410 dns_difftuple_free(tuple); 411 return (result); 412 } 413 414 /* 415 * Merge it into the current pending journal entry. 416 */ 417 dns_diff_appendminimal(diff, tuple); 418 419 /* 420 * Do not clear temp_diff. 421 */ 422 return (ISC_R_SUCCESS); 423} 424 425/*% 426 * Perform the updates in 'updates' in version 'ver' of 'db' and log the 427 * update in 'diff'. 428 * 429 * Ensures: 430 * \li 'updates' is empty. 431 */ 432static isc_result_t 433do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver, 434 dns_diff_t *diff) 435{ 436 isc_result_t result; 437 while (! ISC_LIST_EMPTY(updates->tuples)) { 438 dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples); 439 ISC_LIST_UNLINK(updates->tuples, t, link); 440 CHECK(do_one_tuple(&t, db, ver, diff)); 441 } 442 return (ISC_R_SUCCESS); 443 444 failure: 445 dns_diff_clear(diff); 446 return (result); 447} 448 449static isc_result_t 450update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, 451 dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl, 452 dns_rdata_t *rdata) 453{ 454 dns_difftuple_t *tuple = NULL; 455 isc_result_t result; 456 result = dns_difftuple_create(diff->mctx, op, 457 name, ttl, rdata, &tuple); 458 if (result != ISC_R_SUCCESS) 459 return (result); 460 return (do_one_tuple(&tuple, db, ver, diff)); 461} 462 463/**************************************************************************/ 464/* 465 * Callback-style iteration over rdatasets and rdatas. 466 * 467 * foreach_rrset() can be used to iterate over the RRsets 468 * of a name and call a callback function with each 469 * one. Similarly, foreach_rr() can be used to iterate 470 * over the individual RRs at name, optionally restricted 471 * to RRs of a given type. 472 * 473 * The callback functions are called "actions" and take 474 * two arguments: a void pointer for passing arbitrary 475 * context information, and a pointer to the current RRset 476 * or RR. By convention, their names end in "_action". 477 */ 478 479/* 480 * XXXRTH We might want to make this public somewhere in libdns. 481 */ 482 483/*% 484 * Function type for foreach_rrset() iterator actions. 485 */ 486typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset); 487 488/*% 489 * Function type for foreach_rr() iterator actions. 490 */ 491typedef isc_result_t rr_func(void *data, rr_t *rr); 492 493/*% 494 * Internal context struct for foreach_node_rr(). 495 */ 496typedef struct { 497 rr_func * rr_action; 498 void * rr_action_data; 499} foreach_node_rr_ctx_t; 500 501/*% 502 * Internal helper function for foreach_node_rr(). 503 */ 504static isc_result_t 505foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { 506 isc_result_t result; 507 foreach_node_rr_ctx_t *ctx = data; 508 for (result = dns_rdataset_first(rdataset); 509 result == ISC_R_SUCCESS; 510 result = dns_rdataset_next(rdataset)) 511 { 512 rr_t rr = { 0, DNS_RDATA_INIT }; 513 514 dns_rdataset_current(rdataset, &rr.rdata); 515 rr.ttl = rdataset->ttl; 516 result = (*ctx->rr_action)(ctx->rr_action_data, &rr); 517 if (result != ISC_R_SUCCESS) 518 return (result); 519 } 520 if (result != ISC_R_NOMORE) 521 return (result); 522 return (ISC_R_SUCCESS); 523} 524 525/*% 526 * For each rdataset of 'name' in 'ver' of 'db', call 'action' 527 * with the rdataset and 'action_data' as arguments. If the name 528 * does not exist, do nothing. 529 * 530 * If 'action' returns an error, abort iteration and return the error. 531 */ 532static isc_result_t 533foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 534 rrset_func *action, void *action_data) 535{ 536 isc_result_t result; 537 dns_dbnode_t *node; 538 dns_rdatasetiter_t *iter; 539 540 node = NULL; 541 result = dns_db_findnode(db, name, ISC_FALSE, &node); 542 if (result == ISC_R_NOTFOUND) 543 return (ISC_R_SUCCESS); 544 if (result != ISC_R_SUCCESS) 545 return (result); 546 547 iter = NULL; 548 result = dns_db_allrdatasets(db, node, ver, 549 (isc_stdtime_t) 0, &iter); 550 if (result != ISC_R_SUCCESS) 551 goto cleanup_node; 552 553 for (result = dns_rdatasetiter_first(iter); 554 result == ISC_R_SUCCESS; 555 result = dns_rdatasetiter_next(iter)) 556 { 557 dns_rdataset_t rdataset; 558 559 dns_rdataset_init(&rdataset); 560 dns_rdatasetiter_current(iter, &rdataset); 561 562 result = (*action)(action_data, &rdataset); 563 564 dns_rdataset_disassociate(&rdataset); 565 if (result != ISC_R_SUCCESS) 566 goto cleanup_iterator; 567 } 568 if (result == ISC_R_NOMORE) 569 result = ISC_R_SUCCESS; 570 571 cleanup_iterator: 572 dns_rdatasetiter_destroy(&iter); 573 574 cleanup_node: 575 dns_db_detachnode(db, &node); 576 577 return (result); 578} 579 580/*% 581 * For each RR of 'name' in 'ver' of 'db', call 'action' 582 * with the RR and 'action_data' as arguments. If the name 583 * does not exist, do nothing. 584 * 585 * If 'action' returns an error, abort iteration 586 * and return the error. 587 */ 588static isc_result_t 589foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 590 rr_func *rr_action, void *rr_action_data) 591{ 592 foreach_node_rr_ctx_t ctx; 593 ctx.rr_action = rr_action; 594 ctx.rr_action_data = rr_action_data; 595 return (foreach_rrset(db, ver, name, 596 foreach_node_rr_action, &ctx)); 597} 598 599 600/*% 601 * For each of the RRs specified by 'db', 'ver', 'name', 'type', 602 * (which can be dns_rdatatype_any to match any type), and 'covers', call 603 * 'action' with the RR and 'action_data' as arguments. If the name 604 * does not exist, or if no RRset of the given type exists at the name, 605 * do nothing. 606 * 607 * If 'action' returns an error, abort iteration and return the error. 608 */ 609static isc_result_t 610foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 611 dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action, 612 void *rr_action_data) 613{ 614 615 isc_result_t result; 616 dns_dbnode_t *node; 617 dns_rdataset_t rdataset; 618 619 if (type == dns_rdatatype_any) 620 return (foreach_node_rr(db, ver, name, 621 rr_action, rr_action_data)); 622 623 node = NULL; 624 if (type == dns_rdatatype_nsec3 || 625 (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3)) 626 result = dns_db_findnsec3node(db, name, ISC_FALSE, &node); 627 else 628 result = dns_db_findnode(db, name, ISC_FALSE, &node); 629 if (result == ISC_R_NOTFOUND) 630 return (ISC_R_SUCCESS); 631 if (result != ISC_R_SUCCESS) 632 return (result); 633 634 dns_rdataset_init(&rdataset); 635 result = dns_db_findrdataset(db, node, ver, type, covers, 636 (isc_stdtime_t) 0, &rdataset, NULL); 637 if (result == ISC_R_NOTFOUND) { 638 result = ISC_R_SUCCESS; 639 goto cleanup_node; 640 } 641 if (result != ISC_R_SUCCESS) 642 goto cleanup_node; 643 644 for (result = dns_rdataset_first(&rdataset); 645 result == ISC_R_SUCCESS; 646 result = dns_rdataset_next(&rdataset)) 647 { 648 rr_t rr = { 0, DNS_RDATA_INIT }; 649 dns_rdataset_current(&rdataset, &rr.rdata); 650 rr.ttl = rdataset.ttl; 651 result = (*rr_action)(rr_action_data, &rr); 652 if (result != ISC_R_SUCCESS) 653 goto cleanup_rdataset; 654 } 655 if (result != ISC_R_NOMORE) 656 goto cleanup_rdataset; 657 result = ISC_R_SUCCESS; 658 659 cleanup_rdataset: 660 dns_rdataset_disassociate(&rdataset); 661 cleanup_node: 662 dns_db_detachnode(db, &node); 663 664 return (result); 665} 666 667/**************************************************************************/ 668/* 669 * Various tests on the database contents (for prerequisites, etc). 670 */ 671 672/*% 673 * Function type for predicate functions that compare a database RR 'db_rr' 674 * against an update RR 'update_rr'. 675 */ 676typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr); 677 678/*% 679 * Helper function for rrset_exists(). 680 */ 681static isc_result_t 682rrset_exists_action(void *data, rr_t *rr) { 683 UNUSED(data); 684 UNUSED(rr); 685 return (ISC_R_EXISTS); 686} 687 688/*% 689 * Utility macro for RR existence checking functions. 690 * 691 * If the variable 'result' has the value ISC_R_EXISTS or 692 * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE, 693 * respectively, and return success. 694 * 695 * If 'result' has any other value, there was a failure. 696 * Return the failure result code and do not set *exists. 697 * 698 * This would be more readable as "do { if ... } while(0)", 699 * but that form generates tons of warnings on Solaris 2.6. 700 */ 701#define RETURN_EXISTENCE_FLAG \ 702 return ((result == ISC_R_EXISTS) ? \ 703 (*exists = ISC_TRUE, ISC_R_SUCCESS) : \ 704 ((result == ISC_R_SUCCESS) ? \ 705 (*exists = ISC_FALSE, ISC_R_SUCCESS) : \ 706 result)) 707 708/*% 709 * Set '*exists' to true iff an rrset of the given type exists, 710 * to false otherwise. 711 */ 712static isc_result_t 713rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 714 dns_rdatatype_t type, dns_rdatatype_t covers, 715 isc_boolean_t *exists) 716{ 717 isc_result_t result; 718 result = foreach_rr(db, ver, name, type, covers, 719 rrset_exists_action, NULL); 720 RETURN_EXISTENCE_FLAG; 721} 722 723/*% 724 * Set '*visible' to true if the RRset exists and is part of the 725 * visible zone. Otherwise '*visible' is set to false unless a 726 * error occurs. 727 */ 728static isc_result_t 729rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 730 dns_rdatatype_t type, isc_boolean_t *visible) 731{ 732 isc_result_t result; 733 dns_fixedname_t fixed; 734 735 dns_fixedname_init(&fixed); 736 result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD, 737 (isc_stdtime_t) 0, NULL, 738 dns_fixedname_name(&fixed), NULL, NULL); 739 switch (result) { 740 case ISC_R_SUCCESS: 741 *visible = ISC_TRUE; 742 break; 743 /* 744 * Glue, obscured, deleted or replaced records. 745 */ 746 case DNS_R_DELEGATION: 747 case DNS_R_DNAME: 748 case DNS_R_CNAME: 749 case DNS_R_NXDOMAIN: 750 case DNS_R_NXRRSET: 751 case DNS_R_EMPTYNAME: 752 case DNS_R_COVERINGNSEC: 753 *visible = ISC_FALSE; 754 result = ISC_R_SUCCESS; 755 break; 756 default: 757 break; 758 } 759 return (result); 760} 761 762/*% 763 * Helper function for cname_incompatible_rrset_exists. 764 */ 765static isc_result_t 766cname_compatibility_action(void *data, dns_rdataset_t *rrset) { 767 UNUSED(data); 768 if (rrset->type != dns_rdatatype_cname && 769 ! dns_rdatatype_isdnssec(rrset->type)) 770 return (ISC_R_EXISTS); 771 return (ISC_R_SUCCESS); 772} 773 774/*% 775 * Check whether there is an rrset incompatible with adding a CNAME RR, 776 * i.e., anything but another CNAME (which can be replaced) or a 777 * DNSSEC RR (which can coexist). 778 * 779 * If such an incompatible rrset exists, set '*exists' to ISC_TRUE. 780 * Otherwise, set it to ISC_FALSE. 781 */ 782static isc_result_t 783cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, 784 dns_name_t *name, isc_boolean_t *exists) { 785 isc_result_t result; 786 result = foreach_rrset(db, ver, name, 787 cname_compatibility_action, NULL); 788 RETURN_EXISTENCE_FLAG; 789} 790 791/*% 792 * Helper function for rr_count(). 793 */ 794static isc_result_t 795count_rr_action(void *data, rr_t *rr) { 796 int *countp = data; 797 UNUSED(rr); 798 (*countp)++; 799 return (ISC_R_SUCCESS); 800} 801 802/*% 803 * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'. 804 */ 805static isc_result_t 806rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 807 dns_rdatatype_t type, dns_rdatatype_t covers, int *countp) 808{ 809 *countp = 0; 810 return (foreach_rr(db, ver, name, type, covers, 811 count_rr_action, countp)); 812} 813 814/*% 815 * Context struct and helper function for name_exists(). 816 */ 817 818static isc_result_t 819name_exists_action(void *data, dns_rdataset_t *rrset) { 820 UNUSED(data); 821 UNUSED(rrset); 822 return (ISC_R_EXISTS); 823} 824 825/*% 826 * Set '*exists' to true iff the given name exists, to false otherwise. 827 */ 828static isc_result_t 829name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 830 isc_boolean_t *exists) 831{ 832 isc_result_t result; 833 result = foreach_rrset(db, ver, name, 834 name_exists_action, NULL); 835 RETURN_EXISTENCE_FLAG; 836} 837 838/* 839 * 'ssu_check_t' is used to pass the arguments to 840 * dns_ssutable_checkrules() to the callback function 841 * ssu_checkrule(). 842 */ 843typedef struct { 844 /* The ownername of the record to be updated. */ 845 dns_name_t *name; 846 847 /* The signature's name if the request was signed. */ 848 dns_name_t *signer; 849 850 /* The address of the client if the request was received via TCP. */ 851 isc_netaddr_t *tcpaddr; 852 853 /* The ssu table to check against. */ 854 dns_ssutable_t *table; 855 856 /* the key used for TKEY requests */ 857 dst_key_t *key; 858} ssu_check_t; 859 860static isc_result_t 861ssu_checkrule(void *data, dns_rdataset_t *rrset) { 862 ssu_check_t *ssuinfo = data; 863 isc_boolean_t result; 864 865 /* 866 * If we're deleting all records, it's ok to delete RRSIG and NSEC even 867 * if we're normally not allowed to. 868 */ 869 if (rrset->type == dns_rdatatype_rrsig || 870 rrset->type == dns_rdatatype_nsec) 871 return (ISC_R_SUCCESS); 872 result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer, 873 ssuinfo->name, ssuinfo->tcpaddr, 874 rrset->type, ssuinfo->key); 875 return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE); 876} 877 878static isc_boolean_t 879ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 880 dns_ssutable_t *ssutable, dns_name_t *signer, 881 isc_netaddr_t *tcpaddr, dst_key_t *key) 882{ 883 isc_result_t result; 884 ssu_check_t ssuinfo; 885 886 ssuinfo.name = name; 887 ssuinfo.table = ssutable; 888 ssuinfo.signer = signer; 889 ssuinfo.tcpaddr = tcpaddr; 890 ssuinfo.key = key; 891 result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo); 892 return (ISC_TF(result == ISC_R_SUCCESS)); 893} 894 895/**************************************************************************/ 896/* 897 * Checking of "RRset exists (value dependent)" prerequisites. 898 * 899 * In the RFC2136 section 3.2.5, this is the pseudocode involving 900 * a variable called "temp", a mapping of <name, type> tuples to rrsets. 901 * 902 * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t" 903 * where each tuple has op==DNS_DIFFOP_EXISTS. 904 */ 905 906 907/*% 908 * Append a tuple asserting the existence of the RR with 909 * 'name' and 'rdata' to 'diff'. 910 */ 911static isc_result_t 912temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) { 913 isc_result_t result; 914 dns_difftuple_t *tuple = NULL; 915 916 REQUIRE(DNS_DIFF_VALID(diff)); 917 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS, 918 name, 0, rdata, &tuple)); 919 ISC_LIST_APPEND(diff->tuples, tuple, link); 920 failure: 921 return (result); 922} 923 924/*% 925 * Compare two rdatasets represented as sorted lists of tuples. 926 * All list elements must have the same owner name and type. 927 * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset) 928 * if not. 929 */ 930static isc_result_t 931temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) { 932 for (;;) { 933 if (a == NULL || b == NULL) 934 break; 935 INSIST(a->op == DNS_DIFFOP_EXISTS && 936 b->op == DNS_DIFFOP_EXISTS); 937 INSIST(a->rdata.type == b->rdata.type); 938 INSIST(dns_name_equal(&a->name, &b->name)); 939 if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0) 940 return (DNS_R_NXRRSET); 941 a = ISC_LIST_NEXT(a, link); 942 b = ISC_LIST_NEXT(b, link); 943 } 944 if (a != NULL || b != NULL) 945 return (DNS_R_NXRRSET); 946 return (ISC_R_SUCCESS); 947} 948 949/*% 950 * A comparison function defining the sorting order for the entries 951 * in the "temp" data structure. The major sort key is the owner name, 952 * followed by the type and rdata. 953 */ 954static int 955temp_order(const void *av, const void *bv) { 956 dns_difftuple_t const * const *ap = av; 957 dns_difftuple_t const * const *bp = bv; 958 dns_difftuple_t const *a = *ap; 959 dns_difftuple_t const *b = *bp; 960 int r; 961 r = dns_name_compare(&a->name, &b->name); 962 if (r != 0) 963 return (r); 964 r = (b->rdata.type - a->rdata.type); 965 if (r != 0) 966 return (r); 967 r = dns_rdata_casecompare(&a->rdata, &b->rdata); 968 return (r); 969} 970 971/*% 972 * Check the "RRset exists (value dependent)" prerequisite information 973 * in 'temp' against the contents of the database 'db'. 974 * 975 * Return ISC_R_SUCCESS if the prerequisites are satisfied, 976 * rcode(dns_rcode_nxrrset) if not. 977 * 978 * 'temp' must be pre-sorted. 979 */ 980 981static isc_result_t 982temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, 983 dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep) 984{ 985 isc_result_t result; 986 dns_name_t *name; 987 dns_dbnode_t *node; 988 dns_difftuple_t *t; 989 dns_diff_t trash; 990 991 dns_diff_init(mctx, &trash); 992 993 /* 994 * For each name and type in the prerequisites, 995 * construct a sorted rdata list of the corresponding 996 * database contents, and compare the lists. 997 */ 998 t = ISC_LIST_HEAD(temp->tuples); 999 while (t != NULL) { 1000 name = &t->name; 1001 (void)dns_name_copy(name, tmpname, NULL); 1002 *typep = t->rdata.type; 1003 1004 /* A new unique name begins here. */ 1005 node = NULL; 1006 result = dns_db_findnode(db, name, ISC_FALSE, &node); 1007 if (result == ISC_R_NOTFOUND) { 1008 dns_diff_clear(&trash); 1009 return (DNS_R_NXRRSET); 1010 } 1011 if (result != ISC_R_SUCCESS) { 1012 dns_diff_clear(&trash); 1013 return (result); 1014 } 1015 1016 /* A new unique type begins here. */ 1017 while (t != NULL && dns_name_equal(&t->name, name)) { 1018 dns_rdatatype_t type, covers; 1019 dns_rdataset_t rdataset; 1020 dns_diff_t d_rrs; /* Database RRs with 1021 this name and type */ 1022 dns_diff_t u_rrs; /* Update RRs with 1023 this name and type */ 1024 1025 *typep = type = t->rdata.type; 1026 if (type == dns_rdatatype_rrsig || 1027 type == dns_rdatatype_sig) 1028 covers = dns_rdata_covers(&t->rdata); 1029 else if (type == dns_rdatatype_any) { 1030 dns_db_detachnode(db, &node); 1031 dns_diff_clear(&trash); 1032 return (DNS_R_NXRRSET); 1033 } else 1034 covers = 0; 1035 1036 /* 1037 * Collect all database RRs for this name and type 1038 * onto d_rrs and sort them. 1039 */ 1040 dns_rdataset_init(&rdataset); 1041 result = dns_db_findrdataset(db, node, ver, type, 1042 covers, (isc_stdtime_t) 0, 1043 &rdataset, NULL); 1044 if (result != ISC_R_SUCCESS) { 1045 dns_db_detachnode(db, &node); 1046 dns_diff_clear(&trash); 1047 return (DNS_R_NXRRSET); 1048 } 1049 1050 dns_diff_init(mctx, &d_rrs); 1051 dns_diff_init(mctx, &u_rrs); 1052 1053 for (result = dns_rdataset_first(&rdataset); 1054 result == ISC_R_SUCCESS; 1055 result = dns_rdataset_next(&rdataset)) 1056 { 1057 dns_rdata_t rdata = DNS_RDATA_INIT; 1058 dns_rdataset_current(&rdataset, &rdata); 1059 result = temp_append(&d_rrs, name, &rdata); 1060 if (result != ISC_R_SUCCESS) 1061 goto failure; 1062 } 1063 if (result != ISC_R_NOMORE) 1064 goto failure; 1065 result = dns_diff_sort(&d_rrs, temp_order); 1066 if (result != ISC_R_SUCCESS) 1067 goto failure; 1068 1069 /* 1070 * Collect all update RRs for this name and type 1071 * onto u_rrs. No need to sort them here - 1072 * they are already sorted. 1073 */ 1074 while (t != NULL && 1075 dns_name_equal(&t->name, name) && 1076 t->rdata.type == type) 1077 { 1078 dns_difftuple_t *next = 1079 ISC_LIST_NEXT(t, link); 1080 ISC_LIST_UNLINK(temp->tuples, t, link); 1081 ISC_LIST_APPEND(u_rrs.tuples, t, link); 1082 t = next; 1083 } 1084 1085 /* Compare the two sorted lists. */ 1086 result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples), 1087 ISC_LIST_HEAD(d_rrs.tuples)); 1088 if (result != ISC_R_SUCCESS) 1089 goto failure; 1090 1091 /* 1092 * We are done with the tuples, but we can't free 1093 * them yet because "name" still points into one 1094 * of them. Move them on a temporary list. 1095 */ 1096 ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link); 1097 ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link); 1098 dns_rdataset_disassociate(&rdataset); 1099 1100 continue; 1101 1102 failure: 1103 dns_diff_clear(&d_rrs); 1104 dns_diff_clear(&u_rrs); 1105 dns_diff_clear(&trash); 1106 dns_rdataset_disassociate(&rdataset); 1107 dns_db_detachnode(db, &node); 1108 return (result); 1109 } 1110 1111 dns_db_detachnode(db, &node); 1112 } 1113 1114 dns_diff_clear(&trash); 1115 return (ISC_R_SUCCESS); 1116} 1117 1118/**************************************************************************/ 1119/* 1120 * Conditional deletion of RRs. 1121 */ 1122 1123/*% 1124 * Context structure for delete_if(). 1125 */ 1126 1127typedef struct { 1128 rr_predicate *predicate; 1129 dns_db_t *db; 1130 dns_dbversion_t *ver; 1131 dns_diff_t *diff; 1132 dns_name_t *name; 1133 dns_rdata_t *update_rr; 1134} conditional_delete_ctx_t; 1135 1136/*% 1137 * Predicate functions for delete_if(). 1138 */ 1139 1140/*% 1141 * Return true iff 'db_rr' is neither a SOA nor an NS RR nor 1142 * an RRSIG nor an NSEC3PARAM nor a NSEC. 1143 */ 1144static isc_boolean_t 1145type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1146 UNUSED(update_rr); 1147 return ((db_rr->type != dns_rdatatype_soa && 1148 db_rr->type != dns_rdatatype_ns && 1149 db_rr->type != dns_rdatatype_nsec3param && 1150 db_rr->type != dns_rdatatype_rrsig && 1151 db_rr->type != dns_rdatatype_nsec) ? 1152 ISC_TRUE : ISC_FALSE); 1153} 1154 1155/*% 1156 * Return true iff 'db_rr' is neither a RRSIG nor a NSEC. 1157 */ 1158static isc_boolean_t 1159type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1160 UNUSED(update_rr); 1161 return ((db_rr->type != dns_rdatatype_rrsig && 1162 db_rr->type != dns_rdatatype_nsec) ? 1163 ISC_TRUE : ISC_FALSE); 1164} 1165 1166/*% 1167 * Return true always. 1168 */ 1169static isc_boolean_t 1170true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1171 UNUSED(update_rr); 1172 UNUSED(db_rr); 1173 return (ISC_TRUE); 1174} 1175 1176/*% 1177 * Return true if the record is a RRSIG. 1178 */ 1179static isc_boolean_t 1180rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1181 UNUSED(update_rr); 1182 return ((db_rr->type == dns_rdatatype_rrsig) ? 1183 ISC_TRUE : ISC_FALSE); 1184} 1185 1186/*% 1187 * Return true iff the two RRs have identical rdata. 1188 */ 1189static isc_boolean_t 1190rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1191 /* 1192 * XXXRTH This is not a problem, but we should consider creating 1193 * dns_rdata_equal() (that used dns_name_equal()), since it 1194 * would be faster. Not a priority. 1195 */ 1196 return (dns_rdata_casecompare(update_rr, db_rr) == 0 ? 1197 ISC_TRUE : ISC_FALSE); 1198} 1199 1200/*% 1201 * Return true iff 'update_rr' should replace 'db_rr' according 1202 * to the special RFC2136 rules for CNAME, SOA, and WKS records. 1203 * 1204 * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs 1205 * make little sense, so we replace those, too. 1206 * 1207 * Additionally replace RRSIG that have been generated by the same key 1208 * for the same type. This simplifies refreshing a offline KSK by not 1209 * requiring that the old RRSIG be deleted. It also simplifies key 1210 * rollover by only requiring that the new RRSIG be added. 1211 */ 1212static isc_boolean_t 1213replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { 1214 dns_rdata_rrsig_t updatesig, dbsig; 1215 isc_result_t result; 1216 1217 if (db_rr->type != update_rr->type) 1218 return (ISC_FALSE); 1219 if (db_rr->type == dns_rdatatype_cname) 1220 return (ISC_TRUE); 1221 if (db_rr->type == dns_rdatatype_dname) 1222 return (ISC_TRUE); 1223 if (db_rr->type == dns_rdatatype_soa) 1224 return (ISC_TRUE); 1225 if (db_rr->type == dns_rdatatype_nsec) 1226 return (ISC_TRUE); 1227 if (db_rr->type == dns_rdatatype_rrsig) { 1228 /* 1229 * Replace existing RRSIG with the same keyid, 1230 * covered and algorithm. 1231 */ 1232 result = dns_rdata_tostruct(db_rr, &dbsig, NULL); 1233 RUNTIME_CHECK(result == ISC_R_SUCCESS); 1234 result = dns_rdata_tostruct(update_rr, &updatesig, NULL); 1235 RUNTIME_CHECK(result == ISC_R_SUCCESS); 1236 if (dbsig.keyid == updatesig.keyid && 1237 dbsig.covered == updatesig.covered && 1238 dbsig.algorithm == updatesig.algorithm) 1239 return (ISC_TRUE); 1240 } 1241 if (db_rr->type == dns_rdatatype_wks) { 1242 /* 1243 * Compare the address and protocol fields only. These 1244 * form the first five bytes of the RR data. Do a 1245 * raw binary comparison; unpacking the WKS RRs using 1246 * dns_rdata_tostruct() might be cleaner in some ways. 1247 */ 1248 INSIST(db_rr->length >= 5 && update_rr->length >= 5); 1249 return (memcmp(db_rr->data, update_rr->data, 5) == 0 ? 1250 ISC_TRUE : ISC_FALSE); 1251 } 1252 1253 if (db_rr->type == dns_rdatatype_nsec3param) { 1254 if (db_rr->length != update_rr->length) 1255 return (ISC_FALSE); 1256 INSIST(db_rr->length >= 4 && update_rr->length >= 4); 1257 /* 1258 * Replace NSEC3PARAM records that only differ by the 1259 * flags field. 1260 */ 1261 if (db_rr->data[0] == update_rr->data[0] && 1262 memcmp(db_rr->data+2, update_rr->data+2, 1263 update_rr->length - 2) == 0) 1264 return (ISC_TRUE); 1265 } 1266 return (ISC_FALSE); 1267} 1268 1269/*% 1270 * Internal helper function for delete_if(). 1271 */ 1272static isc_result_t 1273delete_if_action(void *data, rr_t *rr) { 1274 conditional_delete_ctx_t *ctx = data; 1275 if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) { 1276 isc_result_t result; 1277 result = update_one_rr(ctx->db, ctx->ver, ctx->diff, 1278 DNS_DIFFOP_DEL, ctx->name, 1279 rr->ttl, &rr->rdata); 1280 return (result); 1281 } else { 1282 return (ISC_R_SUCCESS); 1283 } 1284} 1285 1286/*% 1287 * Conditionally delete RRs. Apply 'predicate' to the RRs 1288 * specified by 'db', 'ver', 'name', and 'type' (which can 1289 * be dns_rdatatype_any to match any type). Delete those 1290 * RRs for which the predicate returns true, and log the 1291 * deletions in 'diff'. 1292 */ 1293static isc_result_t 1294delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver, 1295 dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, 1296 dns_rdata_t *update_rr, dns_diff_t *diff) 1297{ 1298 conditional_delete_ctx_t ctx; 1299 ctx.predicate = predicate; 1300 ctx.db = db; 1301 ctx.ver = ver; 1302 ctx.diff = diff; 1303 ctx.name = name; 1304 ctx.update_rr = update_rr; 1305 return (foreach_rr(db, ver, name, type, covers, 1306 delete_if_action, &ctx)); 1307} 1308 1309/**************************************************************************/ 1310/*% 1311 * Prepare an RR for the addition of the new RR 'ctx->update_rr', 1312 * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting 1313 * the RRs if it is replaced by the new RR or has a conflicting TTL. 1314 * The necessary changes are appended to ctx->del_diff and ctx->add_diff; 1315 * we need to do all deletions before any additions so that we don't run 1316 * into transient states with conflicting TTLs. 1317 */ 1318 1319typedef struct { 1320 dns_db_t *db; 1321 dns_dbversion_t *ver; 1322 dns_diff_t *diff; 1323 dns_name_t *name; 1324 dns_rdata_t *update_rr; 1325 dns_ttl_t update_rr_ttl; 1326 isc_boolean_t ignore_add; 1327 dns_diff_t del_diff; 1328 dns_diff_t add_diff; 1329} add_rr_prepare_ctx_t; 1330 1331static isc_result_t 1332add_rr_prepare_action(void *data, rr_t *rr) { 1333 isc_result_t result = ISC_R_SUCCESS; 1334 add_rr_prepare_ctx_t *ctx = data; 1335 dns_difftuple_t *tuple = NULL; 1336 isc_boolean_t equal; 1337 1338 /* 1339 * If the update RR is a "duplicate" of the update RR, 1340 * the update should be silently ignored. 1341 */ 1342 equal = ISC_TF(dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0); 1343 if (equal && rr->ttl == ctx->update_rr_ttl) { 1344 ctx->ignore_add = ISC_TRUE; 1345 return (ISC_R_SUCCESS); 1346 } 1347 1348 /* 1349 * If this RR is "equal" to the update RR, it should 1350 * be deleted before the update RR is added. 1351 */ 1352 if (replaces_p(ctx->update_rr, &rr->rdata)) { 1353 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL, 1354 ctx->name, rr->ttl, &rr->rdata, 1355 &tuple)); 1356 dns_diff_append(&ctx->del_diff, &tuple); 1357 return (ISC_R_SUCCESS); 1358 } 1359 1360 /* 1361 * If this RR differs in TTL from the update RR, 1362 * its TTL must be adjusted. 1363 */ 1364 if (rr->ttl != ctx->update_rr_ttl) { 1365 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL, 1366 ctx->name, rr->ttl, &rr->rdata, 1367 &tuple)); 1368 dns_diff_append(&ctx->del_diff, &tuple); 1369 if (!equal) { 1370 CHECK(dns_difftuple_create(ctx->add_diff.mctx, 1371 DNS_DIFFOP_ADD, ctx->name, 1372 ctx->update_rr_ttl, 1373 &rr->rdata, &tuple)); 1374 dns_diff_append(&ctx->add_diff, &tuple); 1375 } 1376 } 1377 failure: 1378 return (result); 1379} 1380 1381/**************************************************************************/ 1382/* 1383 * Miscellaneous subroutines. 1384 */ 1385 1386/*% 1387 * Extract a single update RR from 'section' of dynamic update message 1388 * 'msg', with consistency checking. 1389 * 1390 * Stores the owner name, rdata, and TTL of the update RR at 'name', 1391 * 'rdata', and 'ttl', respectively. 1392 */ 1393static void 1394get_current_rr(dns_message_t *msg, dns_section_t section, 1395 dns_rdataclass_t zoneclass, dns_name_t **name, 1396 dns_rdata_t *rdata, dns_rdatatype_t *covers, 1397 dns_ttl_t *ttl, dns_rdataclass_t *update_class) 1398{ 1399 dns_rdataset_t *rdataset; 1400 isc_result_t result; 1401 dns_message_currentname(msg, section, name); 1402 rdataset = ISC_LIST_HEAD((*name)->list); 1403 INSIST(rdataset != NULL); 1404 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL); 1405 *covers = rdataset->covers; 1406 *ttl = rdataset->ttl; 1407 result = dns_rdataset_first(rdataset); 1408 INSIST(result == ISC_R_SUCCESS); 1409 dns_rdataset_current(rdataset, rdata); 1410 INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE); 1411 *update_class = rdata->rdclass; 1412 rdata->rdclass = zoneclass; 1413} 1414 1415/*% 1416 * Increment the SOA serial number of database 'db', version 'ver'. 1417 * Replace the SOA record in the database, and log the 1418 * change in 'diff'. 1419 */ 1420 1421 /* 1422 * XXXRTH Failures in this routine will be worth logging, when 1423 * we have a logging system. Failure to find the zonename 1424 * or the SOA rdataset warrant at least an UNEXPECTED_ERROR(). 1425 */ 1426 1427static isc_result_t 1428increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver, 1429 dns_diff_t *diff, isc_mem_t *mctx) 1430{ 1431 dns_difftuple_t *deltuple = NULL; 1432 dns_difftuple_t *addtuple = NULL; 1433 isc_uint32_t serial; 1434 isc_result_t result; 1435 1436 CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple)); 1437 CHECK(dns_difftuple_copy(deltuple, &addtuple)); 1438 addtuple->op = DNS_DIFFOP_ADD; 1439 1440 serial = dns_soa_getserial(&addtuple->rdata); 1441 1442 /* RFC1982 */ 1443 serial = (serial + 1) & 0xFFFFFFFF; 1444 if (serial == 0) 1445 serial = 1; 1446 1447 dns_soa_setserial(serial, &addtuple->rdata); 1448 CHECK(do_one_tuple(&deltuple, db, ver, diff)); 1449 CHECK(do_one_tuple(&addtuple, db, ver, diff)); 1450 result = ISC_R_SUCCESS; 1451 1452 failure: 1453 if (addtuple != NULL) 1454 dns_difftuple_free(&addtuple); 1455 if (deltuple != NULL) 1456 dns_difftuple_free(&deltuple); 1457 return (result); 1458} 1459 1460/*% 1461 * Check that the new SOA record at 'update_rdata' does not 1462 * illegally cause the SOA serial number to decrease or stay 1463 * unchanged relative to the existing SOA in 'db'. 1464 * 1465 * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not. 1466 * 1467 * William King points out that RFC2136 is inconsistent about 1468 * the case where the serial number stays unchanged: 1469 * 1470 * section 3.4.2.2 requires a server to ignore a SOA update request 1471 * if the serial number on the update SOA is less_than_or_equal to 1472 * the zone SOA serial. 1473 * 1474 * section 3.6 requires a server to ignore a SOA update request if 1475 * the serial is less_than the zone SOA serial. 1476 * 1477 * Paul says 3.4.2.2 is correct. 1478 * 1479 */ 1480static isc_result_t 1481check_soa_increment(dns_db_t *db, dns_dbversion_t *ver, 1482 dns_rdata_t *update_rdata, isc_boolean_t *ok) 1483{ 1484 isc_uint32_t db_serial; 1485 isc_uint32_t update_serial; 1486 isc_result_t result; 1487 1488 update_serial = dns_soa_getserial(update_rdata); 1489 1490 result = dns_db_getsoaserial(db, ver, &db_serial); 1491 if (result != ISC_R_SUCCESS) 1492 return (result); 1493 1494 if (DNS_SERIAL_GE(db_serial, update_serial)) { 1495 *ok = ISC_FALSE; 1496 } else { 1497 *ok = ISC_TRUE; 1498 } 1499 1500 return (ISC_R_SUCCESS); 1501 1502} 1503 1504/**************************************************************************/ 1505/* 1506 * Incremental updating of NSECs and RRSIGs. 1507 */ 1508 1509/*% 1510 * We abuse the dns_diff_t type to represent a set of domain names 1511 * affected by the update. 1512 */ 1513static isc_result_t 1514namelist_append_name(dns_diff_t *list, dns_name_t *name) { 1515 isc_result_t result; 1516 dns_difftuple_t *tuple = NULL; 1517 static dns_rdata_t dummy_rdata = DNS_RDATA_INIT; 1518 1519 CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0, 1520 &dummy_rdata, &tuple)); 1521 dns_diff_append(list, &tuple); 1522 failure: 1523 return (result); 1524} 1525 1526static isc_result_t 1527namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected) 1528{ 1529 isc_result_t result; 1530 dns_fixedname_t fixedname; 1531 dns_name_t *child; 1532 dns_dbiterator_t *dbit = NULL; 1533 1534 dns_fixedname_init(&fixedname); 1535 child = dns_fixedname_name(&fixedname); 1536 1537 CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit)); 1538 1539 for (result = dns_dbiterator_seek(dbit, name); 1540 result == ISC_R_SUCCESS; 1541 result = dns_dbiterator_next(dbit)) 1542 { 1543 dns_dbnode_t *node = NULL; 1544 CHECK(dns_dbiterator_current(dbit, &node, child)); 1545 dns_db_detachnode(db, &node); 1546 if (! dns_name_issubdomain(child, name)) 1547 break; 1548 CHECK(namelist_append_name(affected, child)); 1549 } 1550 if (result == ISC_R_NOMORE) 1551 result = ISC_R_SUCCESS; 1552 failure: 1553 if (dbit != NULL) 1554 dns_dbiterator_destroy(&dbit); 1555 return (result); 1556} 1557 1558 1559 1560/*% 1561 * Helper function for non_nsec_rrset_exists(). 1562 */ 1563static isc_result_t 1564is_non_nsec_action(void *data, dns_rdataset_t *rrset) { 1565 UNUSED(data); 1566 if (!(rrset->type == dns_rdatatype_nsec || 1567 rrset->type == dns_rdatatype_nsec3 || 1568 (rrset->type == dns_rdatatype_rrsig && 1569 (rrset->covers == dns_rdatatype_nsec || 1570 rrset->covers == dns_rdatatype_nsec3)))) 1571 return (ISC_R_EXISTS); 1572 return (ISC_R_SUCCESS); 1573} 1574 1575/*% 1576 * Check whether there is an rrset other than a NSEC or RRSIG NSEC, 1577 * i.e., anything that justifies the continued existence of a name 1578 * after a secure update. 1579 * 1580 * If such an rrset exists, set '*exists' to ISC_TRUE. 1581 * Otherwise, set it to ISC_FALSE. 1582 */ 1583static isc_result_t 1584non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, 1585 dns_name_t *name, isc_boolean_t *exists) 1586{ 1587 isc_result_t result; 1588 result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL); 1589 RETURN_EXISTENCE_FLAG; 1590} 1591 1592/*% 1593 * A comparison function for sorting dns_diff_t:s by name. 1594 */ 1595static int 1596name_order(const void *av, const void *bv) { 1597 dns_difftuple_t const * const *ap = av; 1598 dns_difftuple_t const * const *bp = bv; 1599 dns_difftuple_t const *a = *ap; 1600 dns_difftuple_t const *b = *bp; 1601 return (dns_name_compare(&a->name, &b->name)); 1602} 1603 1604static isc_result_t 1605uniqify_name_list(dns_diff_t *list) { 1606 isc_result_t result; 1607 dns_difftuple_t *p, *q; 1608 1609 CHECK(dns_diff_sort(list, name_order)); 1610 1611 p = ISC_LIST_HEAD(list->tuples); 1612 while (p != NULL) { 1613 do { 1614 q = ISC_LIST_NEXT(p, link); 1615 if (q == NULL || ! dns_name_equal(&p->name, &q->name)) 1616 break; 1617 ISC_LIST_UNLINK(list->tuples, q, link); 1618 dns_difftuple_free(&q); 1619 } while (1); 1620 p = ISC_LIST_NEXT(p, link); 1621 } 1622 failure: 1623 return (result); 1624} 1625 1626static isc_result_t 1627is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 1628 isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure) 1629{ 1630 isc_result_t result; 1631 dns_fixedname_t foundname; 1632 dns_fixedname_init(&foundname); 1633 result = dns_db_find(db, name, ver, dns_rdatatype_any, 1634 DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD, 1635 (isc_stdtime_t) 0, NULL, 1636 dns_fixedname_name(&foundname), 1637 NULL, NULL); 1638 if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) { 1639 *flag = ISC_TRUE; 1640 *cut = ISC_FALSE; 1641 if (unsecure != NULL) 1642 *unsecure = ISC_FALSE; 1643 return (ISC_R_SUCCESS); 1644 } else if (result == DNS_R_ZONECUT) { 1645 *flag = ISC_TRUE; 1646 *cut = ISC_TRUE; 1647 if (unsecure != NULL) { 1648 /* 1649 * We are at the zonecut. Check to see if there 1650 * is a DS RRset. 1651 */ 1652 if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0, 1653 (isc_stdtime_t) 0, NULL, 1654 dns_fixedname_name(&foundname), 1655 NULL, NULL) == DNS_R_NXRRSET) 1656 *unsecure = ISC_TRUE; 1657 else 1658 *unsecure = ISC_FALSE; 1659 } 1660 return (ISC_R_SUCCESS); 1661 } else if (result == DNS_R_GLUE || result == DNS_R_DNAME || 1662 result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) { 1663 *flag = ISC_FALSE; 1664 *cut = ISC_FALSE; 1665 if (unsecure != NULL) 1666 *unsecure = ISC_FALSE; 1667 return (ISC_R_SUCCESS); 1668 } else { 1669 /* 1670 * Silence compiler. 1671 */ 1672 *flag = ISC_FALSE; 1673 *cut = ISC_FALSE; 1674 if (unsecure != NULL) 1675 *unsecure = ISC_FALSE; 1676 return (result); 1677 } 1678} 1679 1680/*% 1681 * Find the next/previous name that has a NSEC record. 1682 * In other words, skip empty database nodes and names that 1683 * have had their NSECs removed because they are obscured by 1684 * a zone cut. 1685 */ 1686static isc_result_t 1687next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 1688 dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname, 1689 isc_boolean_t forward) 1690{ 1691 isc_result_t result; 1692 dns_dbiterator_t *dbit = NULL; 1693 isc_boolean_t has_nsec = ISC_FALSE; 1694 unsigned int wraps = 0; 1695 isc_boolean_t secure = dns_db_issecure(db); 1696 1697 CHECK(dns_db_createiterator(db, 0, &dbit)); 1698 1699 CHECK(dns_dbiterator_seek(dbit, oldname)); 1700 do { 1701 dns_dbnode_t *node = NULL; 1702 1703 if (forward) 1704 result = dns_dbiterator_next(dbit); 1705 else 1706 result = dns_dbiterator_prev(dbit); 1707 if (result == ISC_R_NOMORE) { 1708 /* 1709 * Wrap around. 1710 */ 1711 if (forward) 1712 CHECK(dns_dbiterator_first(dbit)); 1713 else 1714 CHECK(dns_dbiterator_last(dbit)); 1715 wraps++; 1716 if (wraps == 2) { 1717 update_log(client, zone, ISC_LOG_ERROR, 1718 "secure zone with no NSECs"); 1719 result = DNS_R_BADZONE; 1720 goto failure; 1721 } 1722 } 1723 CHECK(dns_dbiterator_current(dbit, &node, newname)); 1724 dns_db_detachnode(db, &node); 1725 1726 /* 1727 * The iterator may hold the tree lock, and 1728 * rrset_exists() calls dns_db_findnode() which 1729 * may try to reacquire it. To avoid deadlock 1730 * we must pause the iterator first. 1731 */ 1732 CHECK(dns_dbiterator_pause(dbit)); 1733 if (secure) { 1734 CHECK(rrset_exists(db, ver, newname, 1735 dns_rdatatype_nsec, 0, &has_nsec)); 1736 } else { 1737 dns_fixedname_t ffound; 1738 dns_name_t *found; 1739 dns_fixedname_init(&ffound); 1740 found = dns_fixedname_name(&ffound); 1741 result = dns_db_find(db, newname, ver, 1742 dns_rdatatype_soa, 1743 DNS_DBFIND_NOWILD, 0, NULL, found, 1744 NULL, NULL); 1745 if (result == ISC_R_SUCCESS || 1746 result == DNS_R_EMPTYNAME || 1747 result == DNS_R_NXRRSET || 1748 result == DNS_R_CNAME || 1749 (result == DNS_R_DELEGATION && 1750 dns_name_equal(newname, found))) { 1751 has_nsec = ISC_TRUE; 1752 result = ISC_R_SUCCESS; 1753 } else if (result != DNS_R_NXDOMAIN) 1754 break; 1755 } 1756 } while (! has_nsec); 1757 failure: 1758 if (dbit != NULL) 1759 dns_dbiterator_destroy(&dbit); 1760 1761 return (result); 1762} 1763 1764/*% 1765 * Add a NSEC record for "name", recording the change in "diff". 1766 * The existing NSEC is removed. 1767 */ 1768static isc_result_t 1769add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 1770 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl, 1771 dns_diff_t *diff) 1772{ 1773 isc_result_t result; 1774 dns_dbnode_t *node = NULL; 1775 unsigned char buffer[DNS_NSEC_BUFFERSIZE]; 1776 dns_rdata_t rdata = DNS_RDATA_INIT; 1777 dns_difftuple_t *tuple = NULL; 1778 dns_fixedname_t fixedname; 1779 dns_name_t *target; 1780 1781 dns_fixedname_init(&fixedname); 1782 target = dns_fixedname_name(&fixedname); 1783 1784 /* 1785 * Find the successor name, aka NSEC target. 1786 */ 1787 CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE)); 1788 1789 /* 1790 * Create the NSEC RDATA. 1791 */ 1792 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node)); 1793 dns_rdata_init(&rdata); 1794 CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata)); 1795 dns_db_detachnode(db, &node); 1796 1797 /* 1798 * Delete the old NSEC and record the change. 1799 */ 1800 CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0, 1801 NULL, diff)); 1802 /* 1803 * Add the new NSEC and record the change. 1804 */ 1805 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 1806 nsecttl, &rdata, &tuple)); 1807 CHECK(do_one_tuple(&tuple, db, ver, diff)); 1808 INSIST(tuple == NULL); 1809 1810 failure: 1811 if (node != NULL) 1812 dns_db_detachnode(db, &node); 1813 return (result); 1814} 1815 1816/*% 1817 * Add a placeholder NSEC record for "name", recording the change in "diff". 1818 */ 1819static isc_result_t 1820add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 1821 dns_diff_t *diff) 1822{ 1823 isc_result_t result; 1824 dns_difftuple_t *tuple = NULL; 1825 isc_region_t r; 1826 unsigned char data[1] = { 0 }; /* The root domain, no bits. */ 1827 dns_rdata_t rdata = DNS_RDATA_INIT; 1828 1829 r.base = data; 1830 r.length = sizeof(data); 1831 dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r); 1832 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, 1833 &rdata, &tuple)); 1834 CHECK(do_one_tuple(&tuple, db, ver, diff)); 1835 failure: 1836 return (result); 1837} 1838 1839static isc_result_t 1840find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, 1841 isc_mem_t *mctx, unsigned int maxkeys, 1842 dst_key_t **keys, unsigned int *nkeys) 1843{ 1844 isc_result_t result; 1845 dns_dbnode_t *node = NULL; 1846 const char *directory = dns_zone_getkeydirectory(zone); 1847 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); 1848 CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db), 1849 directory, mctx, maxkeys, keys, nkeys)); 1850 failure: 1851 if (node != NULL) 1852 dns_db_detachnode(db, &node); 1853 return (result); 1854} 1855 1856/*% 1857 * Add RRSIG records for an RRset, recording the change in "diff". 1858 */ 1859static isc_result_t 1860add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 1861 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, 1862 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, 1863 isc_stdtime_t inception, isc_stdtime_t expire, 1864 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly) 1865{ 1866 isc_result_t result; 1867 dns_dbnode_t *node = NULL; 1868 dns_rdataset_t rdataset; 1869 dns_rdata_t sig_rdata = DNS_RDATA_INIT; 1870 isc_buffer_t buffer; 1871 unsigned char data[1024]; /* XXX */ 1872 unsigned int i, j; 1873 isc_boolean_t added_sig = ISC_FALSE; 1874 isc_mem_t *mctx = client->mctx; 1875 1876 dns_rdataset_init(&rdataset); 1877 isc_buffer_init(&buffer, data, sizeof(data)); 1878 1879 /* Get the rdataset to sign. */ 1880 if (type == dns_rdatatype_nsec3) 1881 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node)); 1882 else 1883 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node)); 1884 CHECK(dns_db_findrdataset(db, node, ver, type, 0, 1885 (isc_stdtime_t) 0, &rdataset, NULL)); 1886 dns_db_detachnode(db, &node); 1887 1888#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) 1889#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) 1890#define ALG(x) dst_key_alg(x) 1891 1892 /* 1893 * If we are honoring KSK flags then we need to check that we 1894 * have both KSK and non-KSK keys that are not revoked per 1895 * algorithm. 1896 */ 1897 for (i = 0; i < nkeys; i++) { 1898 isc_boolean_t both = ISC_FALSE; 1899 1900 if (!dst_key_isprivate(keys[i])) 1901 continue; 1902 1903 if (check_ksk && !REVOKE(keys[i])) { 1904 isc_boolean_t have_ksk, have_nonksk; 1905 if (KSK(keys[i])) { 1906 have_ksk = ISC_TRUE; 1907 have_nonksk = ISC_FALSE; 1908 } else { 1909 have_ksk = ISC_FALSE; 1910 have_nonksk = ISC_TRUE; 1911 } 1912 for (j = 0; j < nkeys; j++) { 1913 if (j == i || ALG(keys[i]) != ALG(keys[j])) 1914 continue; 1915 if (REVOKE(keys[j])) 1916 continue; 1917 if (KSK(keys[j])) 1918 have_ksk = ISC_TRUE; 1919 else 1920 have_nonksk = ISC_TRUE; 1921 both = have_ksk && have_nonksk; 1922 if (both) 1923 break; 1924 } 1925 } 1926 1927 if (both) { 1928 if (type == dns_rdatatype_dnskey) { 1929 if (!KSK(keys[i]) && keyset_kskonly) 1930 continue; 1931 } else if (KSK(keys[i])) 1932 continue; 1933 } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) 1934 continue; 1935 1936 /* Calculate the signature, creating a RRSIG RDATA. */ 1937 CHECK(dns_dnssec_sign(name, &rdataset, keys[i], 1938 &inception, &expire, 1939 mctx, &buffer, &sig_rdata)); 1940 1941 /* Update the database and journal with the RRSIG. */ 1942 /* XXX inefficient - will cause dataset merging */ 1943 CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name, 1944 rdataset.ttl, &sig_rdata)); 1945 dns_rdata_reset(&sig_rdata); 1946 isc_buffer_init(&buffer, data, sizeof(data)); 1947 added_sig = ISC_TRUE; 1948 } 1949 if (!added_sig) { 1950 update_log(client, zone, ISC_LOG_ERROR, 1951 "found no active private keys, " 1952 "unable to generate any signatures"); 1953 result = ISC_R_NOTFOUND; 1954 } 1955 1956 failure: 1957 if (dns_rdataset_isassociated(&rdataset)) 1958 dns_rdataset_disassociate(&rdataset); 1959 if (node != NULL) 1960 dns_db_detachnode(db, &node); 1961 return (result); 1962} 1963 1964/* 1965 * Delete expired RRsigs and any RRsigs we are about to re-sign. 1966 * See also zone.c:del_sigs(). 1967 */ 1968static isc_result_t 1969del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 1970 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys) 1971{ 1972 isc_result_t result; 1973 dns_dbnode_t *node = NULL; 1974 dns_rdataset_t rdataset; 1975 dns_rdata_t rdata = DNS_RDATA_INIT; 1976 unsigned int i; 1977 dns_rdata_rrsig_t rrsig; 1978 isc_boolean_t found; 1979 1980 dns_rdataset_init(&rdataset); 1981 1982 result = dns_db_findnode(db, name, ISC_FALSE, &node); 1983 if (result == ISC_R_NOTFOUND) 1984 return (ISC_R_SUCCESS); 1985 if (result != ISC_R_SUCCESS) 1986 goto failure; 1987 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, 1988 dns_rdatatype_dnskey, (isc_stdtime_t) 0, 1989 &rdataset, NULL); 1990 dns_db_detachnode(db, &node); 1991 1992 if (result == ISC_R_NOTFOUND) 1993 return (ISC_R_SUCCESS); 1994 if (result != ISC_R_SUCCESS) 1995 goto failure; 1996 1997 for (result = dns_rdataset_first(&rdataset); 1998 result == ISC_R_SUCCESS; 1999 result = dns_rdataset_next(&rdataset)) { 2000 dns_rdataset_current(&rdataset, &rdata); 2001 result = dns_rdata_tostruct(&rdata, &rrsig, NULL); 2002 RUNTIME_CHECK(result == ISC_R_SUCCESS); 2003 found = ISC_FALSE; 2004 for (i = 0; i < nkeys; i++) { 2005 if (rrsig.keyid == dst_key_id(keys[i])) { 2006 found = ISC_TRUE; 2007 if (!dst_key_isprivate(keys[i])) { 2008 /* 2009 * The re-signing code in zone.c 2010 * will mark this as offline. 2011 * Just skip the record for now. 2012 */ 2013 break; 2014 } 2015 result = update_one_rr(db, ver, diff, 2016 DNS_DIFFOP_DEL, name, 2017 rdataset.ttl, &rdata); 2018 break; 2019 } 2020 } 2021 /* 2022 * If there is not a matching DNSKEY then delete the RRSIG. 2023 */ 2024 if (!found) 2025 result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, 2026 name, rdataset.ttl, &rdata); 2027 dns_rdata_reset(&rdata); 2028 if (result != ISC_R_SUCCESS) 2029 break; 2030 } 2031 dns_rdataset_disassociate(&rdataset); 2032 if (result == ISC_R_NOMORE) 2033 result = ISC_R_SUCCESS; 2034failure: 2035 if (node != NULL) 2036 dns_db_detachnode(db, &node); 2037 return (result); 2038} 2039 2040static isc_result_t 2041add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 2042 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut, 2043 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, 2044 isc_stdtime_t inception, isc_stdtime_t expire, 2045 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly) 2046{ 2047 isc_result_t result; 2048 dns_dbnode_t *node; 2049 dns_rdatasetiter_t *iter; 2050 2051 node = NULL; 2052 result = dns_db_findnode(db, name, ISC_FALSE, &node); 2053 if (result == ISC_R_NOTFOUND) 2054 return (ISC_R_SUCCESS); 2055 if (result != ISC_R_SUCCESS) 2056 return (result); 2057 2058 iter = NULL; 2059 result = dns_db_allrdatasets(db, node, ver, 2060 (isc_stdtime_t) 0, &iter); 2061 if (result != ISC_R_SUCCESS) 2062 goto cleanup_node; 2063 2064 for (result = dns_rdatasetiter_first(iter); 2065 result == ISC_R_SUCCESS; 2066 result = dns_rdatasetiter_next(iter)) 2067 { 2068 dns_rdataset_t rdataset; 2069 dns_rdatatype_t type; 2070 isc_boolean_t flag; 2071 2072 dns_rdataset_init(&rdataset); 2073 dns_rdatasetiter_current(iter, &rdataset); 2074 type = rdataset.type; 2075 dns_rdataset_disassociate(&rdataset); 2076 2077 /* 2078 * We don't need to sign unsigned NSEC records at the cut 2079 * as they are handled elsewhere. 2080 */ 2081 if ((type == dns_rdatatype_rrsig) || 2082 (cut && type != dns_rdatatype_ds)) 2083 continue; 2084 result = rrset_exists(db, ver, name, dns_rdatatype_rrsig, 2085 type, &flag); 2086 if (result != ISC_R_SUCCESS) 2087 goto cleanup_iterator; 2088 if (flag) 2089 continue;; 2090 result = add_sigs(client, zone, db, ver, name, type, diff, 2091 keys, nkeys, inception, expire, 2092 check_ksk, keyset_kskonly); 2093 if (result != ISC_R_SUCCESS) 2094 goto cleanup_iterator; 2095 } 2096 if (result == ISC_R_NOMORE) 2097 result = ISC_R_SUCCESS; 2098 2099 cleanup_iterator: 2100 dns_rdatasetiter_destroy(&iter); 2101 2102 cleanup_node: 2103 dns_db_detachnode(db, &node); 2104 2105 return (result); 2106} 2107 2108/*% 2109 * Update RRSIG, NSEC and NSEC3 records affected by an update. The original 2110 * update, including the SOA serial update but excluding the RRSIG & NSEC 2111 * changes, is in "diff" and has already been applied to "newver" of "db". 2112 * The database version prior to the update is "oldver". 2113 * 2114 * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver" 2115 * and added (as a minimal diff) to "diff". 2116 * 2117 * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds. 2118 */ 2119static isc_result_t 2120update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 2121 dns_dbversion_t *oldver, dns_dbversion_t *newver, 2122 dns_diff_t *diff, isc_uint32_t sigvalidityinterval) 2123{ 2124 isc_result_t result; 2125 dns_difftuple_t *t; 2126 dns_diff_t diffnames; 2127 dns_diff_t affected; 2128 dns_diff_t sig_diff; 2129 dns_diff_t nsec_diff; 2130 dns_diff_t nsec_mindiff; 2131 isc_boolean_t flag, build_nsec, build_nsec3; 2132 dst_key_t *zone_keys[DNS_MAXZONEKEYS]; 2133 unsigned int nkeys = 0; 2134 unsigned int i; 2135 isc_stdtime_t now, inception, expire; 2136 dns_ttl_t nsecttl; 2137 dns_rdata_soa_t soa; 2138 dns_rdata_t rdata = DNS_RDATA_INIT; 2139 dns_rdataset_t rdataset; 2140 dns_dbnode_t *node = NULL; 2141 isc_boolean_t check_ksk, keyset_kskonly; 2142 isc_boolean_t unsecure; 2143 isc_boolean_t cut; 2144 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); 2145 2146 dns_diff_init(client->mctx, &diffnames); 2147 dns_diff_init(client->mctx, &affected); 2148 2149 dns_diff_init(client->mctx, &sig_diff); 2150 sig_diff.resign = dns_zone_getsigresigninginterval(zone); 2151 dns_diff_init(client->mctx, &nsec_diff); 2152 dns_diff_init(client->mctx, &nsec_mindiff); 2153 2154 result = find_zone_keys(zone, db, newver, client->mctx, 2155 DNS_MAXZONEKEYS, zone_keys, &nkeys); 2156 if (result != ISC_R_SUCCESS) { 2157 update_log(client, zone, ISC_LOG_ERROR, 2158 "could not get zone keys for secure dynamic update"); 2159 goto failure; 2160 } 2161 2162 isc_stdtime_get(&now); 2163 inception = now - 3600; /* Allow for some clock skew. */ 2164 expire = now + sigvalidityinterval; 2165 2166 /* 2167 * Do we look at the KSK flag on the DNSKEY to determining which 2168 * keys sign which RRsets? First check the zone option then 2169 * check the keys flags to make sure at least one has a ksk set 2170 * and one doesn't. 2171 */ 2172 check_ksk = ISC_TF((dns_zone_getoptions(zone) & 2173 DNS_ZONEOPT_UPDATECHECKKSK) != 0); 2174 keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) & 2175 DNS_ZONEOPT_DNSKEYKSKONLY) != 0); 2176 2177 /* 2178 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field. 2179 */ 2180 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); 2181 dns_rdataset_init(&rdataset); 2182 CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0, 2183 (isc_stdtime_t) 0, &rdataset, NULL)); 2184 CHECK(dns_rdataset_first(&rdataset)); 2185 dns_rdataset_current(&rdataset, &rdata); 2186 CHECK(dns_rdata_tostruct(&rdata, &soa, NULL)); 2187 nsecttl = soa.minimum; 2188 dns_rdataset_disassociate(&rdataset); 2189 dns_db_detachnode(db, &node); 2190 2191 /* 2192 * Find all RRsets directly affected by the update, and 2193 * update their RRSIGs. Also build a list of names affected 2194 * by the update in "diffnames". 2195 */ 2196 CHECK(dns_diff_sort(diff, temp_order)); 2197 2198 t = ISC_LIST_HEAD(diff->tuples); 2199 while (t != NULL) { 2200 dns_name_t *name = &t->name; 2201 /* Now "name" is a new, unique name affected by the update. */ 2202 2203 CHECK(namelist_append_name(&diffnames, name)); 2204 2205 while (t != NULL && dns_name_equal(&t->name, name)) { 2206 dns_rdatatype_t type; 2207 type = t->rdata.type; 2208 2209 /* 2210 * Now "name" and "type" denote a new unique RRset 2211 * affected by the update. 2212 */ 2213 2214 /* Don't sign RRSIGs. */ 2215 if (type == dns_rdatatype_rrsig) 2216 goto skip; 2217 2218 /* 2219 * Delete all old RRSIGs covering this type, since they 2220 * are all invalid when the signed RRset has changed. 2221 * We may not be able to recreate all of them - tough. 2222 * Special case changes to the zone's DNSKEY records 2223 * to support offline KSKs. 2224 */ 2225 if (type == dns_rdatatype_dnskey) 2226 del_keysigs(db, newver, name, &sig_diff, 2227 zone_keys, nkeys); 2228 else 2229 CHECK(delete_if(true_p, db, newver, name, 2230 dns_rdatatype_rrsig, type, 2231 NULL, &sig_diff)); 2232 2233 /* 2234 * If this RRset is still visible after the update, 2235 * add a new signature for it. 2236 */ 2237 CHECK(rrset_visible(db, newver, name, type, &flag)); 2238 if (flag) { 2239 CHECK(add_sigs(client, zone, db, newver, name, 2240 type, &sig_diff, zone_keys, 2241 nkeys, inception, expire, 2242 check_ksk, keyset_kskonly)); 2243 } 2244 skip: 2245 /* Skip any other updates to the same RRset. */ 2246 while (t != NULL && 2247 dns_name_equal(&t->name, name) && 2248 t->rdata.type == type) 2249 { 2250 t = ISC_LIST_NEXT(t, link); 2251 } 2252 } 2253 } 2254 update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures"); 2255 2256 /* Remove orphaned NSECs and RRSIG NSECs. */ 2257 for (t = ISC_LIST_HEAD(diffnames.tuples); 2258 t != NULL; 2259 t = ISC_LIST_NEXT(t, link)) 2260 { 2261 CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag)); 2262 if (! flag) { 2263 CHECK(delete_if(true_p, db, newver, &t->name, 2264 dns_rdatatype_any, 0, 2265 NULL, &sig_diff)); 2266 } 2267 } 2268 update_log(client, zone, ISC_LOG_DEBUG(3), 2269 "removed any orphaned NSEC records"); 2270 2271 /* 2272 * See if we need to build NSEC or NSEC3 chains. 2273 */ 2274 CHECK(dns_private_chains(db, newver, privatetype, &build_nsec, 2275 &build_nsec3)); 2276 if (!build_nsec) 2277 goto update_nsec3; 2278 2279 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain"); 2280 2281 /* 2282 * When a name is created or deleted, its predecessor needs to 2283 * have its NSEC updated. 2284 */ 2285 for (t = ISC_LIST_HEAD(diffnames.tuples); 2286 t != NULL; 2287 t = ISC_LIST_NEXT(t, link)) 2288 { 2289 isc_boolean_t existed, exists; 2290 dns_fixedname_t fixedname; 2291 dns_name_t *prevname; 2292 2293 dns_fixedname_init(&fixedname); 2294 prevname = dns_fixedname_name(&fixedname); 2295 2296 CHECK(name_exists(db, oldver, &t->name, &existed)); 2297 CHECK(name_exists(db, newver, &t->name, &exists)); 2298 if (exists == existed) 2299 continue; 2300 2301 /* 2302 * Find the predecessor. 2303 * When names become obscured or unobscured in this update 2304 * transaction, we may find the wrong predecessor because 2305 * the NSECs have not yet been updated to reflect the delegation 2306 * change. This should not matter because in this case, 2307 * the correct predecessor is either the delegation node or 2308 * a newly unobscured node, and those nodes are on the 2309 * "affected" list in any case. 2310 */ 2311 CHECK(next_active(client, zone, db, newver, 2312 &t->name, prevname, ISC_FALSE)); 2313 CHECK(namelist_append_name(&affected, prevname)); 2314 } 2315 2316 /* 2317 * Find names potentially affected by delegation changes 2318 * (obscured by adding an NS or DNAME, or unobscured by 2319 * removing one). 2320 */ 2321 for (t = ISC_LIST_HEAD(diffnames.tuples); 2322 t != NULL; 2323 t = ISC_LIST_NEXT(t, link)) 2324 { 2325 isc_boolean_t ns_existed, dname_existed; 2326 isc_boolean_t ns_exists, dname_exists; 2327 2328 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0, 2329 &ns_existed)); 2330 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0, 2331 &dname_existed)); 2332 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0, 2333 &ns_exists)); 2334 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0, 2335 &dname_exists)); 2336 if ((ns_exists || dname_exists) == (ns_existed || dname_existed)) 2337 continue; 2338 /* 2339 * There was a delegation change. Mark all subdomains 2340 * of t->name as potentially needing a NSEC update. 2341 */ 2342 CHECK(namelist_append_subdomain(db, &t->name, &affected)); 2343 } 2344 2345 ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link); 2346 INSIST(ISC_LIST_EMPTY(diffnames.tuples)); 2347 2348 CHECK(uniqify_name_list(&affected)); 2349 2350 /* 2351 * Determine which names should have NSECs, and delete/create 2352 * NSECs to make it so. We don't know the final NSEC targets yet, 2353 * so we just create placeholder NSECs with arbitrary contents 2354 * to indicate that their respective owner names should be part of 2355 * the NSEC chain. 2356 */ 2357 for (t = ISC_LIST_HEAD(affected.tuples); 2358 t != NULL; 2359 t = ISC_LIST_NEXT(t, link)) 2360 { 2361 isc_boolean_t exists; 2362 dns_name_t *name = &t->name; 2363 2364 CHECK(name_exists(db, newver, name, &exists)); 2365 if (! exists) 2366 continue; 2367 CHECK(is_active(db, newver, name, &flag, &cut, NULL)); 2368 if (!flag) { 2369 /* 2370 * This name is obscured. Delete any 2371 * existing NSEC record. 2372 */ 2373 CHECK(delete_if(true_p, db, newver, name, 2374 dns_rdatatype_nsec, 0, 2375 NULL, &nsec_diff)); 2376 CHECK(delete_if(rrsig_p, db, newver, name, 2377 dns_rdatatype_any, 0, NULL, diff)); 2378 } else { 2379 /* 2380 * This name is not obscured. It needs to have a 2381 * NSEC unless it is the at the origin, in which 2382 * case it should already exist if there is a complete 2383 * NSEC chain and if there isn't a complete NSEC chain 2384 * we don't want to add one as that would signal that 2385 * there is a complete NSEC chain. 2386 */ 2387 if (!dns_name_equal(name, dns_db_origin(db))) { 2388 CHECK(rrset_exists(db, newver, name, 2389 dns_rdatatype_nsec, 0, 2390 &flag)); 2391 if (!flag) 2392 CHECK(add_placeholder_nsec(db, newver, 2393 name, diff)); 2394 } 2395 CHECK(add_exposed_sigs(client, zone, db, newver, name, 2396 cut, &sig_diff, zone_keys, nkeys, 2397 inception, expire, check_ksk, 2398 keyset_kskonly)); 2399 } 2400 } 2401 2402 /* 2403 * Now we know which names are part of the NSEC chain. 2404 * Make them all point at their correct targets. 2405 */ 2406 for (t = ISC_LIST_HEAD(affected.tuples); 2407 t != NULL; 2408 t = ISC_LIST_NEXT(t, link)) 2409 { 2410 CHECK(rrset_exists(db, newver, &t->name, 2411 dns_rdatatype_nsec, 0, &flag)); 2412 if (flag) { 2413 /* 2414 * There is a NSEC, but we don't know if it is correct. 2415 * Delete it and create a correct one to be sure. 2416 * If the update was unnecessary, the diff minimization 2417 * will take care of eliminating it from the journal, 2418 * IXFRs, etc. 2419 * 2420 * The RRSIG bit should always be set in the NSECs 2421 * we generate, because they will all get RRSIG NSECs. 2422 * (XXX what if the zone keys are missing?). 2423 * Because the RRSIG NSECs have not necessarily been 2424 * created yet, the correctness of the bit mask relies 2425 * on the assumption that NSECs are only created if 2426 * there is other data, and if there is other data, 2427 * there are other RRSIGs. 2428 */ 2429 CHECK(add_nsec(client, zone, db, newver, &t->name, 2430 nsecttl, &nsec_diff)); 2431 } 2432 } 2433 2434 /* 2435 * Minimize the set of NSEC updates so that we don't 2436 * have to regenerate the RRSIG NSECs for NSECs that were 2437 * replaced with identical ones. 2438 */ 2439 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) { 2440 ISC_LIST_UNLINK(nsec_diff.tuples, t, link); 2441 dns_diff_appendminimal(&nsec_mindiff, &t); 2442 } 2443 2444 update_log(client, zone, ISC_LOG_DEBUG(3), 2445 "signing rebuilt NSEC chain"); 2446 2447 /* Update RRSIG NSECs. */ 2448 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples); 2449 t != NULL; 2450 t = ISC_LIST_NEXT(t, link)) 2451 { 2452 if (t->op == DNS_DIFFOP_DEL) { 2453 CHECK(delete_if(true_p, db, newver, &t->name, 2454 dns_rdatatype_rrsig, dns_rdatatype_nsec, 2455 NULL, &sig_diff)); 2456 } else if (t->op == DNS_DIFFOP_ADD) { 2457 CHECK(add_sigs(client, zone, db, newver, &t->name, 2458 dns_rdatatype_nsec, &sig_diff, 2459 zone_keys, nkeys, inception, expire, 2460 check_ksk, keyset_kskonly)); 2461 } else { 2462 INSIST(0); 2463 } 2464 } 2465 2466 update_nsec3: 2467 2468 /* Record our changes for the journal. */ 2469 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) { 2470 ISC_LIST_UNLINK(sig_diff.tuples, t, link); 2471 dns_diff_appendminimal(diff, &t); 2472 } 2473 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) { 2474 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link); 2475 dns_diff_appendminimal(diff, &t); 2476 } 2477 2478 INSIST(ISC_LIST_EMPTY(sig_diff.tuples)); 2479 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples)); 2480 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples)); 2481 2482 if (!build_nsec3) { 2483 update_log(client, zone, ISC_LOG_DEBUG(3), 2484 "no NSEC3 chains to rebuild"); 2485 goto failure; 2486 } 2487 2488 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains"); 2489 2490 dns_diff_clear(&diffnames); 2491 dns_diff_clear(&affected); 2492 2493 CHECK(dns_diff_sort(diff, temp_order)); 2494 2495 /* 2496 * Find names potentially affected by delegation changes 2497 * (obscured by adding an NS or DNAME, or unobscured by 2498 * removing one). 2499 */ 2500 t = ISC_LIST_HEAD(diff->tuples); 2501 while (t != NULL) { 2502 dns_name_t *name = &t->name; 2503 2504 isc_boolean_t ns_existed, dname_existed; 2505 isc_boolean_t ns_exists, dname_exists; 2506 isc_boolean_t exists, existed; 2507 2508 if (t->rdata.type == dns_rdatatype_nsec || 2509 t->rdata.type == dns_rdatatype_rrsig) { 2510 t = ISC_LIST_NEXT(t, link); 2511 continue; 2512 } 2513 2514 CHECK(namelist_append_name(&affected, name)); 2515 2516 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0, 2517 &ns_existed)); 2518 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0, 2519 &dname_existed)); 2520 CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0, 2521 &ns_exists)); 2522 CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0, 2523 &dname_exists)); 2524 2525 exists = ns_exists || dname_exists; 2526 existed = ns_existed || dname_existed; 2527 if (exists == existed) 2528 goto nextname; 2529 /* 2530 * There was a delegation change. Mark all subdomains 2531 * of t->name as potentially needing a NSEC3 update. 2532 */ 2533 CHECK(namelist_append_subdomain(db, name, &affected)); 2534 2535 nextname: 2536 while (t != NULL && dns_name_equal(&t->name, name)) 2537 t = ISC_LIST_NEXT(t, link); 2538 } 2539 2540 for (t = ISC_LIST_HEAD(affected.tuples); 2541 t != NULL; 2542 t = ISC_LIST_NEXT(t, link)) { 2543 dns_name_t *name = &t->name; 2544 2545 unsecure = ISC_FALSE; /* Silence compiler warning. */ 2546 CHECK(is_active(db, newver, name, &flag, &cut, &unsecure)); 2547 2548 if (!flag) { 2549 CHECK(delete_if(rrsig_p, db, newver, name, 2550 dns_rdatatype_any, 0, NULL, diff)); 2551 CHECK(dns_nsec3_delnsec3sx(db, newver, name, 2552 privatetype, &nsec_diff)); 2553 } else { 2554 CHECK(add_exposed_sigs(client, zone, db, newver, name, 2555 cut, &sig_diff, zone_keys, nkeys, 2556 inception, expire, check_ksk, 2557 keyset_kskonly)); 2558 CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl, 2559 unsecure, privatetype, 2560 &nsec_diff)); 2561 } 2562 } 2563 2564 /* 2565 * Minimize the set of NSEC3 updates so that we don't 2566 * have to regenerate the RRSIG NSEC3s for NSEC3s that were 2567 * replaced with identical ones. 2568 */ 2569 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) { 2570 ISC_LIST_UNLINK(nsec_diff.tuples, t, link); 2571 dns_diff_appendminimal(&nsec_mindiff, &t); 2572 } 2573 2574 update_log(client, zone, ISC_LOG_DEBUG(3), 2575 "signing rebuilt NSEC3 chain"); 2576 2577 /* Update RRSIG NSEC3s. */ 2578 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples); 2579 t != NULL; 2580 t = ISC_LIST_NEXT(t, link)) 2581 { 2582 if (t->op == DNS_DIFFOP_DEL) { 2583 CHECK(delete_if(true_p, db, newver, &t->name, 2584 dns_rdatatype_rrsig, 2585 dns_rdatatype_nsec3, 2586 NULL, &sig_diff)); 2587 } else if (t->op == DNS_DIFFOP_ADD) { 2588 CHECK(add_sigs(client, zone, db, newver, &t->name, 2589 dns_rdatatype_nsec3, 2590 &sig_diff, zone_keys, nkeys, 2591 inception, expire, check_ksk, 2592 keyset_kskonly)); 2593 } else { 2594 INSIST(0); 2595 } 2596 } 2597 2598 /* Record our changes for the journal. */ 2599 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) { 2600 ISC_LIST_UNLINK(sig_diff.tuples, t, link); 2601 dns_diff_appendminimal(diff, &t); 2602 } 2603 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) { 2604 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link); 2605 dns_diff_appendminimal(diff, &t); 2606 } 2607 2608 INSIST(ISC_LIST_EMPTY(sig_diff.tuples)); 2609 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples)); 2610 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples)); 2611 2612 failure: 2613 dns_diff_clear(&sig_diff); 2614 dns_diff_clear(&nsec_diff); 2615 dns_diff_clear(&nsec_mindiff); 2616 2617 dns_diff_clear(&affected); 2618 dns_diff_clear(&diffnames); 2619 2620 for (i = 0; i < nkeys; i++) 2621 dst_key_free(&zone_keys[i]); 2622 2623 return (result); 2624} 2625 2626 2627/**************************************************************************/ 2628/*% 2629 * The actual update code in all its glory. We try to follow 2630 * the RFC2136 pseudocode as closely as possible. 2631 */ 2632 2633static isc_result_t 2634send_update_event(ns_client_t *client, dns_zone_t *zone) { 2635 isc_result_t result = ISC_R_SUCCESS; 2636 update_event_t *event = NULL; 2637 isc_task_t *zonetask = NULL; 2638 ns_client_t *evclient; 2639 2640 event = (update_event_t *) 2641 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE, 2642 update_action, NULL, sizeof(*event)); 2643 if (event == NULL) 2644 FAIL(ISC_R_NOMEMORY); 2645 event->zone = zone; 2646 event->result = ISC_R_SUCCESS; 2647 2648 evclient = NULL; 2649 ns_client_attach(client, &evclient); 2650 INSIST(client->nupdates == 0); 2651 client->nupdates++; 2652 event->ev_arg = evclient; 2653 2654 dns_zone_gettask(zone, &zonetask); 2655 isc_task_send(zonetask, ISC_EVENT_PTR(&event)); 2656 2657 failure: 2658 if (event != NULL) 2659 isc_event_free(ISC_EVENT_PTR(&event)); 2660 return (result); 2661} 2662 2663static void 2664respond(ns_client_t *client, isc_result_t result) { 2665 isc_result_t msg_result; 2666 2667 msg_result = dns_message_reply(client->message, ISC_TRUE); 2668 if (msg_result != ISC_R_SUCCESS) 2669 goto msg_failure; 2670 client->message->rcode = dns_result_torcode(result); 2671 2672 ns_client_send(client); 2673 return; 2674 2675 msg_failure: 2676 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE, 2677 ISC_LOG_ERROR, 2678 "could not create update response message: %s", 2679 isc_result_totext(msg_result)); 2680 ns_client_next(client, msg_result); 2681} 2682 2683void 2684ns_update_start(ns_client_t *client, isc_result_t sigresult) { 2685 dns_message_t *request = client->message; 2686 isc_result_t result; 2687 dns_name_t *zonename; 2688 dns_rdataset_t *zone_rdataset; 2689 dns_zone_t *zone = NULL; 2690 2691 /* 2692 * Interpret the zone section. 2693 */ 2694 result = dns_message_firstname(request, DNS_SECTION_ZONE); 2695 if (result != ISC_R_SUCCESS) 2696 FAILC(DNS_R_FORMERR, "update zone section empty"); 2697 2698 /* 2699 * The zone section must contain exactly one "question", and 2700 * it must be of type SOA. 2701 */ 2702 zonename = NULL; 2703 dns_message_currentname(request, DNS_SECTION_ZONE, &zonename); 2704 zone_rdataset = ISC_LIST_HEAD(zonename->list); 2705 if (zone_rdataset->type != dns_rdatatype_soa) 2706 FAILC(DNS_R_FORMERR, 2707 "update zone section contains non-SOA"); 2708 if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) 2709 FAILC(DNS_R_FORMERR, 2710 "update zone section contains multiple RRs"); 2711 2712 /* The zone section must have exactly one name. */ 2713 result = dns_message_nextname(request, DNS_SECTION_ZONE); 2714 if (result != ISC_R_NOMORE) 2715 FAILC(DNS_R_FORMERR, 2716 "update zone section contains multiple RRs"); 2717 2718 result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, 2719 &zone); 2720 if (result != ISC_R_SUCCESS) 2721 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); 2722 2723 switch(dns_zone_gettype(zone)) { 2724 case dns_zone_master: 2725 case dns_zone_dlz: 2726 /* 2727 * We can now fail due to a bad signature as we now know 2728 * that we are the master. 2729 */ 2730 if (sigresult != ISC_R_SUCCESS) 2731 FAIL(sigresult); 2732 CHECK(send_update_event(client, zone)); 2733 break; 2734 case dns_zone_slave: 2735 CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), 2736 "update forwarding", zonename, ISC_TRUE, 2737 ISC_FALSE)); 2738 CHECK(send_forward_event(client, zone)); 2739 break; 2740 default: 2741 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); 2742 } 2743 return; 2744 2745 failure: 2746 if (result == DNS_R_REFUSED) { 2747 INSIST(dns_zone_gettype(zone) == dns_zone_slave); 2748 inc_stats(zone, dns_nsstatscounter_updaterej); 2749 } 2750 /* 2751 * We failed without having sent an update event to the zone. 2752 * We are still in the client task context, so we can 2753 * simply give an error response without switching tasks. 2754 */ 2755 respond(client, result); 2756 if (zone != NULL) 2757 dns_zone_detach(&zone); 2758} 2759 2760/*% 2761 * DS records are not allowed to exist without corresponding NS records, 2762 * RFC 3658, 2.2 Protocol Change, 2763 * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex". 2764 */ 2765 2766static isc_result_t 2767remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { 2768 isc_result_t result; 2769 isc_boolean_t ns_exists; 2770 dns_difftuple_t *tupple; 2771 dns_diff_t temp_diff; 2772 2773 dns_diff_init(diff->mctx, &temp_diff); 2774 2775 for (tupple = ISC_LIST_HEAD(diff->tuples); 2776 tupple != NULL; 2777 tupple = ISC_LIST_NEXT(tupple, link)) { 2778 if (!((tupple->op == DNS_DIFFOP_DEL && 2779 tupple->rdata.type == dns_rdatatype_ns) || 2780 (tupple->op == DNS_DIFFOP_ADD && 2781 tupple->rdata.type == dns_rdatatype_ds))) 2782 continue; 2783 CHECK(rrset_exists(db, newver, &tupple->name, 2784 dns_rdatatype_ns, 0, &ns_exists)); 2785 if (ns_exists && 2786 !dns_name_equal(&tupple->name, dns_db_origin(db))) 2787 continue; 2788 CHECK(delete_if(true_p, db, newver, &tupple->name, 2789 dns_rdatatype_ds, 0, NULL, &temp_diff)); 2790 } 2791 result = ISC_R_SUCCESS; 2792 2793 failure: 2794 for (tupple = ISC_LIST_HEAD(temp_diff.tuples); 2795 tupple != NULL; 2796 tupple = ISC_LIST_HEAD(temp_diff.tuples)) { 2797 ISC_LIST_UNLINK(temp_diff.tuples, tupple, link); 2798 dns_diff_appendminimal(diff, &tupple); 2799 } 2800 return (result); 2801} 2802 2803/* 2804 * This implements the post load integrity checks for mx records. 2805 */ 2806static isc_result_t 2807check_mx(ns_client_t *client, dns_zone_t *zone, 2808 dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) 2809{ 2810 char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")]; 2811 char ownerbuf[DNS_NAME_FORMATSIZE]; 2812 char namebuf[DNS_NAME_FORMATSIZE]; 2813 char altbuf[DNS_NAME_FORMATSIZE]; 2814 dns_difftuple_t *t; 2815 dns_fixedname_t fixed; 2816 dns_name_t *foundname; 2817 dns_rdata_mx_t mx; 2818 dns_rdata_t rdata; 2819 isc_boolean_t ok = ISC_TRUE; 2820 isc_boolean_t isaddress; 2821 isc_result_t result; 2822 struct in6_addr addr6; 2823 struct in_addr addr; 2824 unsigned int options; 2825 2826 dns_fixedname_init(&fixed); 2827 foundname = dns_fixedname_name(&fixed); 2828 dns_rdata_init(&rdata); 2829 options = dns_zone_getoptions(zone); 2830 2831 for (t = ISC_LIST_HEAD(diff->tuples); 2832 t != NULL; 2833 t = ISC_LIST_NEXT(t, link)) { 2834 if (t->op != DNS_DIFFOP_ADD || 2835 t->rdata.type != dns_rdatatype_mx) 2836 continue; 2837 2838 result = dns_rdata_tostruct(&t->rdata, &mx, NULL); 2839 RUNTIME_CHECK(result == ISC_R_SUCCESS); 2840 /* 2841 * Check if we will error out if we attempt to reload the 2842 * zone. 2843 */ 2844 dns_name_format(&mx.mx, namebuf, sizeof(namebuf)); 2845 dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf)); 2846 isaddress = ISC_FALSE; 2847 if ((options & DNS_RDATA_CHECKMX) != 0 && 2848 strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) { 2849 if (tmp[strlen(tmp) - 1] == '.') 2850 tmp[strlen(tmp) - 1] = '\0'; 2851 if (inet_aton(tmp, &addr) == 1 || 2852 inet_pton(AF_INET6, tmp, &addr6) == 1) 2853 isaddress = ISC_TRUE; 2854 } 2855 2856 if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) { 2857 update_log(client, zone, ISC_LOG_ERROR, 2858 "%s/MX: '%s': %s", 2859 ownerbuf, namebuf, 2860 dns_result_totext(DNS_R_MXISADDRESS)); 2861 ok = ISC_FALSE; 2862 } else if (isaddress) { 2863 update_log(client, zone, ISC_LOG_WARNING, 2864 "%s/MX: warning: '%s': %s", 2865 ownerbuf, namebuf, 2866 dns_result_totext(DNS_R_MXISADDRESS)); 2867 } 2868 2869 /* 2870 * Check zone integrity checks. 2871 */ 2872 if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) 2873 continue; 2874 result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, 2875 0, 0, NULL, foundname, NULL, NULL); 2876 if (result == ISC_R_SUCCESS) 2877 continue; 2878 2879 if (result == DNS_R_NXRRSET) { 2880 result = dns_db_find(db, &mx.mx, newver, 2881 dns_rdatatype_aaaa, 2882 0, 0, NULL, foundname, 2883 NULL, NULL); 2884 if (result == ISC_R_SUCCESS) 2885 continue; 2886 } 2887 2888 if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) { 2889 update_log(client, zone, ISC_LOG_ERROR, 2890 "%s/MX '%s' has no address records " 2891 "(A or AAAA)", ownerbuf, namebuf); 2892 ok = ISC_FALSE; 2893 } else if (result == DNS_R_CNAME) { 2894 update_log(client, zone, ISC_LOG_ERROR, 2895 "%s/MX '%s' is a CNAME (illegal)", 2896 ownerbuf, namebuf); 2897 ok = ISC_FALSE; 2898 } else if (result == DNS_R_DNAME) { 2899 dns_name_format(foundname, altbuf, sizeof altbuf); 2900 update_log(client, zone, ISC_LOG_ERROR, 2901 "%s/MX '%s' is below a DNAME '%s' (illegal)", 2902 ownerbuf, namebuf, altbuf); 2903 ok = ISC_FALSE; 2904 } 2905 } 2906 return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED); 2907} 2908 2909static isc_result_t 2910rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, 2911 const dns_rdata_t *rdata, isc_boolean_t *flag) 2912{ 2913 dns_rdataset_t rdataset; 2914 dns_dbnode_t *node = NULL; 2915 isc_result_t result; 2916 2917 dns_rdataset_init(&rdataset); 2918 if (rdata->type == dns_rdatatype_nsec3) 2919 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node)); 2920 else 2921 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node)); 2922 result = dns_db_findrdataset(db, node, ver, rdata->type, 0, 2923 (isc_stdtime_t) 0, &rdataset, NULL); 2924 if (result == ISC_R_NOTFOUND) { 2925 *flag = ISC_FALSE; 2926 result = ISC_R_SUCCESS; 2927 goto failure; 2928 } 2929 2930 for (result = dns_rdataset_first(&rdataset); 2931 result == ISC_R_SUCCESS; 2932 result = dns_rdataset_next(&rdataset)) { 2933 dns_rdata_t myrdata = DNS_RDATA_INIT; 2934 dns_rdataset_current(&rdataset, &myrdata); 2935 if (!dns_rdata_casecompare(&myrdata, rdata)) 2936 break; 2937 } 2938 dns_rdataset_disassociate(&rdataset); 2939 if (result == ISC_R_SUCCESS) { 2940 *flag = ISC_TRUE; 2941 } else if (result == ISC_R_NOMORE) { 2942 *flag = ISC_FALSE; 2943 result = ISC_R_SUCCESS; 2944 } 2945 2946 failure: 2947 if (node != NULL) 2948 dns_db_detachnode(db, &node); 2949 return (result); 2950} 2951 2952static isc_result_t 2953get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype, 2954 unsigned int *iterationsp) 2955{ 2956 dns_dbnode_t *node = NULL; 2957 dns_rdata_nsec3param_t nsec3param; 2958 dns_rdataset_t rdataset; 2959 isc_result_t result; 2960 unsigned int iterations = 0; 2961 2962 dns_rdataset_init(&rdataset); 2963 2964 result = dns_db_getoriginnode(db, &node); 2965 if (result != ISC_R_SUCCESS) 2966 return (result); 2967 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 2968 0, (isc_stdtime_t) 0, &rdataset, NULL); 2969 if (result == ISC_R_NOTFOUND) 2970 goto try_private; 2971 if (result != ISC_R_SUCCESS) 2972 goto failure; 2973 2974 for (result = dns_rdataset_first(&rdataset); 2975 result == ISC_R_SUCCESS; 2976 result = dns_rdataset_next(&rdataset)) { 2977 dns_rdata_t rdata = DNS_RDATA_INIT; 2978 dns_rdataset_current(&rdataset, &rdata); 2979 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); 2980 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) 2981 continue; 2982 if (nsec3param.iterations > iterations) 2983 iterations = nsec3param.iterations; 2984 } 2985 if (result != ISC_R_NOMORE) 2986 goto failure; 2987 2988 dns_rdataset_disassociate(&rdataset); 2989 2990 try_private: 2991 if (privatetype == 0) 2992 goto success; 2993 2994 result = dns_db_findrdataset(db, node, ver, privatetype, 2995 0, (isc_stdtime_t) 0, &rdataset, NULL); 2996 if (result == ISC_R_NOTFOUND) 2997 goto success; 2998 if (result != ISC_R_SUCCESS) 2999 goto failure; 3000 3001 for (result = dns_rdataset_first(&rdataset); 3002 result == ISC_R_SUCCESS; 3003 result = dns_rdataset_next(&rdataset)) { 3004 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; 3005 dns_rdata_t private = DNS_RDATA_INIT; 3006 dns_rdata_t rdata = DNS_RDATA_INIT; 3007 3008 dns_rdataset_current(&rdataset, &rdata); 3009 if (!dns_nsec3param_fromprivate(&private, &rdata, 3010 buf, sizeof(buf))) 3011 continue; 3012 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); 3013 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) 3014 continue; 3015 if (nsec3param.iterations > iterations) 3016 iterations = nsec3param.iterations; 3017 } 3018 if (result != ISC_R_NOMORE) 3019 goto failure; 3020 3021 success: 3022 *iterationsp = iterations; 3023 result = ISC_R_SUCCESS; 3024 3025 failure: 3026 if (node != NULL) 3027 dns_db_detachnode(db, &node); 3028 if (dns_rdataset_isassociated(&rdataset)) 3029 dns_rdataset_disassociate(&rdataset); 3030 return (result); 3031} 3032 3033/* 3034 * Prevent the zone entering a inconsistent state where 3035 * NSEC only DNSKEYs are present with NSEC3 chains. 3036 */ 3037static isc_result_t 3038check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 3039 dns_dbversion_t *ver, dns_diff_t *diff) 3040{ 3041 dns_difftuple_t *tuple; 3042 isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE; 3043 isc_result_t result; 3044 unsigned int iterations = 0, max; 3045 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); 3046 3047 /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */ 3048 for (tuple = ISC_LIST_HEAD(diff->tuples); 3049 tuple != NULL; 3050 tuple = ISC_LIST_NEXT(tuple, link)) { 3051 if (tuple->op != DNS_DIFFOP_ADD) 3052 continue; 3053 3054 if (tuple->rdata.type == dns_rdatatype_dnskey) { 3055 isc_uint8_t alg; 3056 alg = tuple->rdata.data[3]; 3057 if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 || 3058 alg == DST_ALG_DSA || alg == DST_ALG_ECC) { 3059 nseconly = ISC_TRUE; 3060 break; 3061 } 3062 } else if (tuple->rdata.type == dns_rdatatype_nsec3param) { 3063 nsec3 = ISC_TRUE; 3064 break; 3065 } 3066 } 3067 3068 /* Check existing DB for NSEC-only DNSKEY */ 3069 if (!nseconly) 3070 CHECK(dns_nsec_nseconly(db, ver, &nseconly)); 3071 3072 /* Check existing DB for NSEC3 */ 3073 if (!nsec3) 3074 CHECK(dns_nsec3_activex(db, ver, ISC_FALSE, 3075 privatetype, &nsec3)); 3076 3077 /* Refuse to allow NSEC3 with NSEC-only keys */ 3078 if (nseconly && nsec3) { 3079 update_log(client, zone, ISC_LOG_ERROR, 3080 "NSEC only DNSKEYs and NSEC3 chains not allowed"); 3081 result = DNS_R_REFUSED; 3082 goto failure; 3083 } 3084 3085 /* Verify NSEC3 params */ 3086 CHECK(get_iterations(db, ver, privatetype, &iterations)); 3087 CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max)); 3088 if (max != 0 && iterations > max) { 3089 update_log(client, zone, ISC_LOG_ERROR, 3090 "too many NSEC3 iterations (%u) for " 3091 "weakest DNSKEY (%u)", iterations, max); 3092 result = DNS_R_REFUSED; 3093 goto failure; 3094 } 3095 3096 failure: 3097 return (result); 3098} 3099 3100/* 3101 * Delay NSEC3PARAM changes as they need to be applied to the whole zone. 3102 */ 3103static isc_result_t 3104add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, 3105 dns_dbversion_t *ver, dns_diff_t *diff) 3106{ 3107 isc_result_t result = ISC_R_SUCCESS; 3108 dns_difftuple_t *tuple, *newtuple = NULL, *next; 3109 dns_rdata_t rdata = DNS_RDATA_INIT; 3110 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1]; 3111 dns_diff_t temp_diff; 3112 dns_diffop_t op; 3113 isc_boolean_t flag; 3114 dns_name_t *name = dns_zone_getorigin(zone); 3115 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); 3116 isc_uint32_t ttl = 0; 3117 isc_boolean_t ttl_good = ISC_FALSE; 3118 3119 update_log(client, zone, ISC_LOG_DEBUG(3), 3120 "checking for NSEC3PARAM changes"); 3121 3122 dns_diff_init(diff->mctx, &temp_diff); 3123 3124 /* 3125 * Extract NSEC3PARAM tuples from list. 3126 */ 3127 for (tuple = ISC_LIST_HEAD(diff->tuples); 3128 tuple != NULL; 3129 tuple = next) { 3130 3131 next = ISC_LIST_NEXT(tuple, link); 3132 3133 if (tuple->rdata.type != dns_rdatatype_nsec3param || 3134 !dns_name_equal(name, &tuple->name)) 3135 continue; 3136 ISC_LIST_UNLINK(diff->tuples, tuple, link); 3137 ISC_LIST_APPEND(temp_diff.tuples, tuple, link); 3138 } 3139 3140 /* 3141 * Extract TTL changes pairs, we don't need to convert these to 3142 * delayed changes. 3143 */ 3144 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3145 tuple != NULL; tuple = next) { 3146 if (tuple->op == DNS_DIFFOP_ADD) { 3147 if (!ttl_good) { 3148 /* 3149 * Any adds here will contain the final 3150 * NSEC3PARAM RRset TTL. 3151 */ 3152 ttl = tuple->ttl; 3153 ttl_good = ISC_TRUE; 3154 } 3155 /* 3156 * Walk the temp_diff list looking for the 3157 * corresponding delete. 3158 */ 3159 next = ISC_LIST_HEAD(temp_diff.tuples); 3160 while (next != NULL) { 3161 unsigned char *next_data = next->rdata.data; 3162 unsigned char *tuple_data = tuple->rdata.data; 3163 if (next->op == DNS_DIFFOP_DEL && 3164 next->rdata.length == tuple->rdata.length && 3165 !memcmp(next_data, tuple_data, 3166 next->rdata.length)) { 3167 ISC_LIST_UNLINK(temp_diff.tuples, next, 3168 link); 3169 ISC_LIST_APPEND(diff->tuples, next, 3170 link); 3171 break; 3172 } 3173 next = ISC_LIST_NEXT(next, link); 3174 } 3175 /* 3176 * If we have not found a pair move onto the next 3177 * tuple. 3178 */ 3179 if (next == NULL) { 3180 next = ISC_LIST_NEXT(tuple, link); 3181 continue; 3182 } 3183 /* 3184 * Find the next tuple to be processed before 3185 * unlinking then complete moving the pair to 'diff'. 3186 */ 3187 next = ISC_LIST_NEXT(tuple, link); 3188 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3189 ISC_LIST_APPEND(diff->tuples, tuple, link); 3190 } else 3191 next = ISC_LIST_NEXT(tuple, link); 3192 } 3193 3194 /* 3195 * Preserve any ongoing changes from a BIND 9.6.x upgrade. 3196 * 3197 * Any NSEC3PARAM records with flags other than OPTOUT named 3198 * in managing and should not be touched so revert such changes 3199 * taking into account any TTL change of the NSEC3PARAM RRset. 3200 */ 3201 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3202 tuple != NULL; tuple = next) { 3203 next = ISC_LIST_NEXT(tuple, link); 3204 if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) { 3205 /* 3206 * If we havn't had any adds then the tuple->ttl must 3207 * be the original ttl and should be used for any 3208 * future changes. 3209 */ 3210 if (!ttl_good) { 3211 ttl = tuple->ttl; 3212 ttl_good = ISC_TRUE; 3213 } 3214 op = (tuple->op == DNS_DIFFOP_DEL) ? 3215 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL; 3216 CHECK(dns_difftuple_create(diff->mctx, op, name, 3217 ttl, &tuple->rdata, 3218 &newtuple)); 3219 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3220 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3221 dns_diff_appendminimal(diff, &tuple); 3222 } 3223 } 3224 3225 /* 3226 * We now have just the actual changes to the NSEC3PARAM RRset. 3227 * Convert the adds to delayed adds and the deletions into delayed 3228 * deletions. 3229 */ 3230 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3231 tuple != NULL; tuple = next) { 3232 /* 3233 * If we havn't had any adds then the tuple->ttl must be the 3234 * original ttl and should be used for any future changes. 3235 */ 3236 if (!ttl_good) { 3237 ttl = tuple->ttl; 3238 ttl_good = ISC_TRUE; 3239 } 3240 if (tuple->op == DNS_DIFFOP_ADD) { 3241 /* 3242 * Look for any deletes which match this ADD ignoring 3243 * OPTOUT. We don't need to explictly remove them as 3244 * they will be removed a side effect of processing 3245 * the add. 3246 */ 3247 next = ISC_LIST_HEAD(temp_diff.tuples); 3248 while (next != NULL) { 3249 unsigned char *next_data = next->rdata.data; 3250 unsigned char *tuple_data = tuple->rdata.data; 3251 if (next->op != DNS_DIFFOP_DEL || 3252 next->rdata.length != tuple->rdata.length || 3253 next_data[0] != tuple_data[0] || 3254 next_data[2] != tuple_data[2] || 3255 next_data[3] != tuple_data[3] || 3256 memcmp(next_data + 4, tuple_data + 4, 3257 tuple->rdata.length - 4)) { 3258 next = ISC_LIST_NEXT(next, link); 3259 continue; 3260 } 3261 ISC_LIST_UNLINK(temp_diff.tuples, next, link); 3262 ISC_LIST_APPEND(diff->tuples, next, link); 3263 next = ISC_LIST_HEAD(temp_diff.tuples); 3264 } 3265 /* 3266 * See if we already have a CREATE request in progress. 3267 */ 3268 dns_nsec3param_toprivate(&tuple->rdata, &rdata, 3269 privatetype, buf, sizeof(buf)); 3270 buf[2] |= DNS_NSEC3FLAG_CREATE; 3271 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3272 3273 if (!flag) { 3274 CHECK(dns_difftuple_create(diff->mctx, 3275 DNS_DIFFOP_ADD, 3276 name, 0, &rdata, 3277 &newtuple)); 3278 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3279 } 3280 3281 /* 3282 * Remove any existing CREATE request to add an 3283 * otherwise indentical chain with a reversed 3284 * OPTOUT state. 3285 */ 3286 buf[2] ^= DNS_NSEC3FLAG_OPTOUT; 3287 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3288 3289 if (flag) { 3290 CHECK(dns_difftuple_create(diff->mctx, 3291 DNS_DIFFOP_DEL, 3292 name, 0, &rdata, 3293 &newtuple)); 3294 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3295 } 3296 3297 /* 3298 * Find the next tuple to be processed and remove the 3299 * temporary add record. 3300 */ 3301 next = ISC_LIST_NEXT(tuple, link); 3302 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, 3303 name, ttl, &tuple->rdata, 3304 &newtuple)); 3305 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3306 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3307 dns_diff_appendminimal(diff, &tuple); 3308 dns_rdata_reset(&rdata); 3309 } else 3310 next = ISC_LIST_NEXT(tuple, link); 3311 } 3312 3313 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3314 tuple != NULL; tuple = next) { 3315 3316 INSIST(ttl_good); 3317 3318 next = ISC_LIST_NEXT(tuple, link); 3319 /* 3320 * See if we already have a REMOVE request in progress. 3321 */ 3322 dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype, 3323 buf, sizeof(buf)); 3324 3325 buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC; 3326 3327 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3328 if (!flag) { 3329 buf[2] &= ~DNS_NSEC3FLAG_NONSEC; 3330 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3331 } 3332 3333 if (!flag) { 3334 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, 3335 name, 0, &rdata, &newtuple)); 3336 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3337 } 3338 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 3339 ttl, &tuple->rdata, &newtuple)); 3340 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3341 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3342 dns_diff_appendminimal(diff, &tuple); 3343 dns_rdata_reset(&rdata); 3344 } 3345 3346 result = ISC_R_SUCCESS; 3347 failure: 3348 dns_diff_clear(&temp_diff); 3349 return (result); 3350} 3351 3352static isc_result_t 3353rollback_private(dns_db_t *db, dns_rdatatype_t privatetype, 3354 dns_dbversion_t *ver, dns_diff_t *diff) 3355{ 3356 dns_diff_t temp_diff; 3357 dns_diffop_t op; 3358 dns_difftuple_t *tuple, *newtuple = NULL, *next; 3359 dns_name_t *name = dns_db_origin(db); 3360 isc_mem_t *mctx = diff->mctx; 3361 isc_result_t result; 3362 3363 if (privatetype == 0) 3364 return (ISC_R_SUCCESS); 3365 3366 dns_diff_init(mctx, &temp_diff); 3367 3368 /* 3369 * Extract the changes to be rolled back. 3370 */ 3371 for (tuple = ISC_LIST_HEAD(diff->tuples); 3372 tuple != NULL; tuple = next) { 3373 3374 next = ISC_LIST_NEXT(tuple, link); 3375 3376 if (tuple->rdata.type != privatetype || 3377 !dns_name_equal(name, &tuple->name)) 3378 continue; 3379 3380 /* 3381 * Allow records which indicate that a zone has been 3382 * signed with a DNSKEY to be be removed. 3383 */ 3384 if (tuple->op == DNS_DIFFOP_DEL && 3385 tuple->rdata.length == 5 && 3386 tuple->rdata.data[0] != 0 && 3387 tuple->rdata.data[4] != 0) 3388 continue; 3389 3390 ISC_LIST_UNLINK(diff->tuples, tuple, link); 3391 ISC_LIST_PREPEND(temp_diff.tuples, tuple, link); 3392 } 3393 3394 /* 3395 * Rollback the changes. 3396 */ 3397 while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) { 3398 op = (tuple->op == DNS_DIFFOP_DEL) ? 3399 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL; 3400 CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl, 3401 &tuple->rdata, &newtuple)); 3402 CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff)); 3403 } 3404 result = ISC_R_SUCCESS; 3405 3406 failure: 3407 dns_diff_clear(&temp_diff); 3408 return (result); 3409} 3410 3411/* 3412 * Add records to cause the delayed signing of the zone by added DNSKEY 3413 * to remove the RRSIG records generated by a deleted DNSKEY. 3414 */ 3415static isc_result_t 3416add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, 3417 dns_dbversion_t *ver, dns_diff_t *diff) 3418{ 3419 dns_difftuple_t *tuple, *newtuple = NULL, *next; 3420 dns_rdata_dnskey_t dnskey; 3421 dns_rdata_t rdata = DNS_RDATA_INIT; 3422 isc_boolean_t flag; 3423 isc_region_t r; 3424 isc_result_t result = ISC_R_SUCCESS; 3425 isc_uint16_t keyid; 3426 unsigned char buf[5]; 3427 dns_name_t *name = dns_db_origin(db); 3428 dns_diff_t temp_diff; 3429 3430 dns_diff_init(diff->mctx, &temp_diff); 3431 3432 /* 3433 * Extract the DNSKEY tuples from the list. 3434 */ 3435 for (tuple = ISC_LIST_HEAD(diff->tuples); 3436 tuple != NULL; tuple = next) { 3437 3438 next = ISC_LIST_NEXT(tuple, link); 3439 3440 if (tuple->rdata.type != dns_rdatatype_dnskey) 3441 continue; 3442 3443 ISC_LIST_UNLINK(diff->tuples, tuple, link); 3444 ISC_LIST_APPEND(temp_diff.tuples, tuple, link); 3445 } 3446 3447 /* 3448 * Extract TTL changes pairs, we don't need signing records for these. 3449 */ 3450 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3451 tuple != NULL; tuple = next) { 3452 if (tuple->op == DNS_DIFFOP_ADD) { 3453 /* 3454 * Walk the temp_diff list looking for the 3455 * corresponding delete. 3456 */ 3457 next = ISC_LIST_HEAD(temp_diff.tuples); 3458 while (next != NULL) { 3459 unsigned char *next_data = next->rdata.data; 3460 unsigned char *tuple_data = tuple->rdata.data; 3461 if (next->op == DNS_DIFFOP_DEL && 3462 dns_name_equal(&tuple->name, &next->name) && 3463 next->rdata.length == tuple->rdata.length && 3464 !memcmp(next_data, tuple_data, 3465 next->rdata.length)) { 3466 ISC_LIST_UNLINK(temp_diff.tuples, next, 3467 link); 3468 ISC_LIST_APPEND(diff->tuples, next, 3469 link); 3470 break; 3471 } 3472 next = ISC_LIST_NEXT(next, link); 3473 } 3474 /* 3475 * If we have not found a pair move onto the next 3476 * tuple. 3477 */ 3478 if (next == NULL) { 3479 next = ISC_LIST_NEXT(tuple, link); 3480 continue; 3481 } 3482 /* 3483 * Find the next tuple to be processed before 3484 * unlinking then complete moving the pair to 'diff'. 3485 */ 3486 next = ISC_LIST_NEXT(tuple, link); 3487 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3488 ISC_LIST_APPEND(diff->tuples, tuple, link); 3489 } else 3490 next = ISC_LIST_NEXT(tuple, link); 3491 } 3492 3493 /* 3494 * Process the remaining DNSKEY entries. 3495 */ 3496 for (tuple = ISC_LIST_HEAD(temp_diff.tuples); 3497 tuple != NULL; 3498 tuple = ISC_LIST_HEAD(temp_diff.tuples)) { 3499 3500 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); 3501 ISC_LIST_APPEND(diff->tuples, tuple, link); 3502 3503 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); 3504 if ((dnskey.flags & 3505 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) 3506 != DNS_KEYOWNER_ZONE) 3507 continue; 3508 3509 dns_rdata_toregion(&tuple->rdata, &r); 3510 3511 keyid = dst_region_computeid(&r, dnskey.algorithm); 3512 3513 buf[0] = dnskey.algorithm; 3514 buf[1] = (keyid & 0xff00) >> 8; 3515 buf[2] = (keyid & 0xff); 3516 buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1; 3517 buf[4] = 0; 3518 rdata.data = buf; 3519 rdata.length = sizeof(buf); 3520 rdata.type = privatetype; 3521 rdata.rdclass = tuple->rdata.rdclass; 3522 3523 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3524 if (flag) 3525 continue; 3526 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, 3527 name, 0, &rdata, &newtuple)); 3528 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3529 INSIST(newtuple == NULL); 3530 /* 3531 * Remove any record which says this operation has already 3532 * completed. 3533 */ 3534 buf[4] = 1; 3535 CHECK(rr_exists(db, ver, name, &rdata, &flag)); 3536 if (flag) { 3537 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, 3538 name, 0, &rdata, &newtuple)); 3539 CHECK(do_one_tuple(&newtuple, db, ver, diff)); 3540 INSIST(newtuple == NULL); 3541 } 3542 } 3543 3544 failure: 3545 dns_diff_clear(&temp_diff); 3546 return (result); 3547} 3548 3549static isc_boolean_t 3550isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) { 3551 isc_result_t result; 3552 isc_boolean_t build_nsec, build_nsec3; 3553 3554 if (dns_db_issecure(db)) 3555 return (ISC_TRUE); 3556 3557 result = dns_private_chains(db, ver, privatetype, 3558 &build_nsec, &build_nsec3); 3559 RUNTIME_CHECK(result == ISC_R_SUCCESS); 3560 return (build_nsec || build_nsec3); 3561} 3562 3563static void 3564update_action(isc_task_t *task, isc_event_t *event) { 3565 update_event_t *uev = (update_event_t *) event; 3566 dns_zone_t *zone = uev->zone; 3567 ns_client_t *client = (ns_client_t *)event->ev_arg; 3568 3569 isc_result_t result; 3570 dns_db_t *db = NULL; 3571 dns_dbversion_t *oldver = NULL; 3572 dns_dbversion_t *ver = NULL; 3573 dns_diff_t diff; /* Pending updates. */ 3574 dns_diff_t temp; /* Pending RR existence assertions. */ 3575 isc_boolean_t soa_serial_changed = ISC_FALSE; 3576 isc_mem_t *mctx = client->mctx; 3577 dns_rdatatype_t covers; 3578 dns_message_t *request = client->message; 3579 dns_rdataclass_t zoneclass; 3580 dns_name_t *zonename; 3581 dns_ssutable_t *ssutable = NULL; 3582 dns_fixedname_t tmpnamefixed; 3583 dns_name_t *tmpname = NULL; 3584 unsigned int options; 3585 dns_difftuple_t *tuple; 3586 dns_rdata_dnskey_t dnskey; 3587 isc_boolean_t had_dnskey; 3588 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); 3589 3590 INSIST(event->ev_type == DNS_EVENT_UPDATE); 3591 3592 dns_diff_init(mctx, &diff); 3593 dns_diff_init(mctx, &temp); 3594 3595 CHECK(dns_zone_getdb(zone, &db)); 3596 zonename = dns_db_origin(db); 3597 zoneclass = dns_db_class(db); 3598 dns_zone_getssutable(zone, &ssutable); 3599 3600 /* 3601 * Update message processing can leak record existance information 3602 * so check that we are allowed to query this zone. Additionally 3603 * if we would refuse all updates for this zone we bail out here. 3604 */ 3605 CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename, 3606 dns_zone_getupdateacl(zone), ssutable)); 3607 3608 /* 3609 * Get old and new versions now that queryacl has been checked. 3610 */ 3611 dns_db_currentversion(db, &oldver); 3612 CHECK(dns_db_newversion(db, &ver)); 3613 3614 /* 3615 * Check prerequisites. 3616 */ 3617 3618 for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE); 3619 result == ISC_R_SUCCESS; 3620 result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE)) 3621 { 3622 dns_name_t *name = NULL; 3623 dns_rdata_t rdata = DNS_RDATA_INIT; 3624 dns_ttl_t ttl; 3625 dns_rdataclass_t update_class; 3626 isc_boolean_t flag; 3627 3628 get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass, 3629 &name, &rdata, &covers, &ttl, &update_class); 3630 3631 if (ttl != 0) 3632 PREREQFAILC(DNS_R_FORMERR, 3633 "prerequisite TTL is not zero"); 3634 3635 if (! dns_name_issubdomain(name, zonename)) 3636 PREREQFAILN(DNS_R_NOTZONE, name, 3637 "prerequisite name is out of zone"); 3638 3639 if (update_class == dns_rdataclass_any) { 3640 if (rdata.length != 0) 3641 PREREQFAILC(DNS_R_FORMERR, 3642 "class ANY prerequisite " 3643 "RDATA is not empty"); 3644 if (rdata.type == dns_rdatatype_any) { 3645 CHECK(name_exists(db, ver, name, &flag)); 3646 if (! flag) { 3647 PREREQFAILN(DNS_R_NXDOMAIN, name, 3648 "'name in use' " 3649 "prerequisite not " 3650 "satisfied"); 3651 } 3652 } else { 3653 CHECK(rrset_exists(db, ver, name, 3654 rdata.type, covers, &flag)); 3655 if (! flag) { 3656 /* RRset does not exist. */ 3657 PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type, 3658 "'rrset exists (value independent)' " 3659 "prerequisite not satisfied"); 3660 } 3661 } 3662 } else if (update_class == dns_rdataclass_none) { 3663 if (rdata.length != 0) 3664 PREREQFAILC(DNS_R_FORMERR, 3665 "class NONE prerequisite " 3666 "RDATA is not empty"); 3667 if (rdata.type == dns_rdatatype_any) { 3668 CHECK(name_exists(db, ver, name, &flag)); 3669 if (flag) { 3670 PREREQFAILN(DNS_R_YXDOMAIN, name, 3671 "'name not in use' " 3672 "prerequisite not " 3673 "satisfied"); 3674 } 3675 } else { 3676 CHECK(rrset_exists(db, ver, name, 3677 rdata.type, covers, &flag)); 3678 if (flag) { 3679 /* RRset exists. */ 3680 PREREQFAILNT(DNS_R_YXRRSET, name, 3681 rdata.type, 3682 "'rrset does not exist' " 3683 "prerequisite not " 3684 "satisfied"); 3685 } 3686 } 3687 } else if (update_class == zoneclass) { 3688 /* "temp<rr.name, rr.type> += rr;" */ 3689 result = temp_append(&temp, name, &rdata); 3690 if (result != ISC_R_SUCCESS) { 3691 UNEXPECTED_ERROR(__FILE__, __LINE__, 3692 "temp entry creation failed: %s", 3693 dns_result_totext(result)); 3694 FAIL(ISC_R_UNEXPECTED); 3695 } 3696 } else { 3697 PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite"); 3698 } 3699 } 3700 if (result != ISC_R_NOMORE) 3701 FAIL(result); 3702 3703 /* 3704 * Perform the final check of the "rrset exists (value dependent)" 3705 * prerequisites. 3706 */ 3707 if (ISC_LIST_HEAD(temp.tuples) != NULL) { 3708 dns_rdatatype_t type; 3709 3710 /* 3711 * Sort the prerequisite records by owner name, 3712 * type, and rdata. 3713 */ 3714 result = dns_diff_sort(&temp, temp_order); 3715 if (result != ISC_R_SUCCESS) 3716 FAILC(result, "'RRset exists (value dependent)' " 3717 "prerequisite not satisfied"); 3718 3719 dns_fixedname_init(&tmpnamefixed); 3720 tmpname = dns_fixedname_name(&tmpnamefixed); 3721 result = temp_check(mctx, &temp, db, ver, tmpname, &type); 3722 if (result != ISC_R_SUCCESS) 3723 FAILNT(result, tmpname, type, 3724 "'RRset exists (value dependent)' " 3725 "prerequisite not satisfied"); 3726 } 3727 3728 update_log(client, zone, LOGLEVEL_DEBUG, 3729 "prerequisites are OK"); 3730 3731 /* 3732 * Check Requestor's Permissions. It seems a bit silly to do this 3733 * only after prerequisite testing, but that is what RFC2136 says. 3734 */ 3735 if (ssutable == NULL) 3736 CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone), 3737 "update", zonename, ISC_FALSE, ISC_FALSE)); 3738 else if (client->signer == NULL && !TCPCLIENT(client)) 3739 CHECK(checkupdateacl(client, NULL, "update", zonename, 3740 ISC_FALSE, ISC_TRUE)); 3741 3742 if (dns_zone_getupdatedisabled(zone)) 3743 FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled " 3744 "because the zone is frozen. Use " 3745 "'rndc thaw' to re-enable updates."); 3746 3747 /* 3748 * Perform the Update Section Prescan. 3749 */ 3750 3751 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); 3752 result == ISC_R_SUCCESS; 3753 result = dns_message_nextname(request, DNS_SECTION_UPDATE)) 3754 { 3755 dns_name_t *name = NULL; 3756 dns_rdata_t rdata = DNS_RDATA_INIT; 3757 dns_ttl_t ttl; 3758 dns_rdataclass_t update_class; 3759 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, 3760 &name, &rdata, &covers, &ttl, &update_class); 3761 3762 if (! dns_name_issubdomain(name, zonename)) 3763 FAILC(DNS_R_NOTZONE, 3764 "update RR is outside zone"); 3765 if (update_class == zoneclass) { 3766 /* 3767 * Check for meta-RRs. The RFC2136 pseudocode says 3768 * check for ANY|AXFR|MAILA|MAILB, but the text adds 3769 * "or any other QUERY metatype" 3770 */ 3771 if (dns_rdatatype_ismeta(rdata.type)) { 3772 FAILC(DNS_R_FORMERR, 3773 "meta-RR in update"); 3774 } 3775 result = dns_zone_checknames(zone, name, &rdata); 3776 if (result != ISC_R_SUCCESS) 3777 FAIL(DNS_R_REFUSED); 3778 } else if (update_class == dns_rdataclass_any) { 3779 if (ttl != 0 || rdata.length != 0 || 3780 (dns_rdatatype_ismeta(rdata.type) && 3781 rdata.type != dns_rdatatype_any)) 3782 FAILC(DNS_R_FORMERR, 3783 "meta-RR in update"); 3784 } else if (update_class == dns_rdataclass_none) { 3785 if (ttl != 0 || 3786 dns_rdatatype_ismeta(rdata.type)) 3787 FAILC(DNS_R_FORMERR, 3788 "meta-RR in update"); 3789 } else { 3790 update_log(client, zone, ISC_LOG_WARNING, 3791 "update RR has incorrect class %d", 3792 update_class); 3793 FAIL(DNS_R_FORMERR); 3794 } 3795 3796 /* 3797 * draft-ietf-dnsind-simple-secure-update-01 says 3798 * "Unlike traditional dynamic update, the client 3799 * is forbidden from updating NSEC records." 3800 */ 3801 if (rdata.type == dns_rdatatype_nsec3) { 3802 FAILC(DNS_R_REFUSED, 3803 "explicit NSEC3 updates are not allowed " 3804 "in secure zones"); 3805 } else if (rdata.type == dns_rdatatype_nsec) { 3806 FAILC(DNS_R_REFUSED, 3807 "explicit NSEC updates are not allowed " 3808 "in secure zones"); 3809 } else if (rdata.type == dns_rdatatype_rrsig && 3810 !dns_name_equal(name, zonename)) { 3811 FAILC(DNS_R_REFUSED, 3812 "explicit RRSIG updates are currently " 3813 "not supported in secure zones except " 3814 "at the apex"); 3815 } 3816 3817 if (ssutable != NULL) { 3818 isc_netaddr_t *tcpaddr, netaddr; 3819 dst_key_t *tsigkey = NULL; 3820 /* 3821 * If this is a TCP connection then pass the 3822 * address of the client through for tcp-self 3823 * and 6to4-self otherwise pass NULL. This 3824 * provides weak address based authentication. 3825 */ 3826 if (TCPCLIENT(client)) { 3827 isc_netaddr_fromsockaddr(&netaddr, 3828 &client->peeraddr); 3829 tcpaddr = &netaddr; 3830 } else 3831 tcpaddr = NULL; 3832 3833 if (client->message->tsigkey != NULL) 3834 tsigkey = client->message->tsigkey->key; 3835 3836 if (rdata.type != dns_rdatatype_any) { 3837 if (!dns_ssutable_checkrules(ssutable, 3838 client->signer, 3839 name, tcpaddr, 3840 rdata.type, 3841 tsigkey)) 3842 FAILC(DNS_R_REFUSED, 3843 "rejected by secure update"); 3844 } else { 3845 if (!ssu_checkall(db, ver, name, ssutable, 3846 client->signer, tcpaddr, 3847 tsigkey)) 3848 FAILC(DNS_R_REFUSED, 3849 "rejected by secure update"); 3850 } 3851 } 3852 } 3853 if (result != ISC_R_NOMORE) 3854 FAIL(result); 3855 3856 update_log(client, zone, LOGLEVEL_DEBUG, 3857 "update section prescan OK"); 3858 3859 /* 3860 * Process the Update Section. 3861 */ 3862 3863 options = dns_zone_getoptions(zone); 3864 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); 3865 result == ISC_R_SUCCESS; 3866 result = dns_message_nextname(request, DNS_SECTION_UPDATE)) 3867 { 3868 dns_name_t *name = NULL; 3869 dns_rdata_t rdata = DNS_RDATA_INIT; 3870 dns_ttl_t ttl; 3871 dns_rdataclass_t update_class; 3872 isc_boolean_t flag; 3873 3874 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, 3875 &name, &rdata, &covers, &ttl, &update_class); 3876 3877 if (update_class == zoneclass) { 3878 3879 /* 3880 * RFC1123 doesn't allow MF and MD in master zones. */ 3881 if (rdata.type == dns_rdatatype_md || 3882 rdata.type == dns_rdatatype_mf) { 3883 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 3884 3885 dns_rdatatype_format(rdata.type, typebuf, 3886 sizeof(typebuf)); 3887 update_log(client, zone, LOGLEVEL_PROTOCOL, 3888 "attempt to add %s ignored", 3889 typebuf); 3890 continue; 3891 } 3892 if ((rdata.type == dns_rdatatype_ns || 3893 rdata.type == dns_rdatatype_dname) && 3894 dns_name_iswildcard(name)) { 3895 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 3896 3897 dns_rdatatype_format(rdata.type, typebuf, 3898 sizeof(typebuf)); 3899 update_log(client, zone, 3900 LOGLEVEL_PROTOCOL, 3901 "attempt to add wildcard %s record " 3902 "ignored", typebuf); 3903 continue; 3904 } 3905 if (rdata.type == dns_rdatatype_cname) { 3906 CHECK(cname_incompatible_rrset_exists(db, ver, 3907 name, 3908 &flag)); 3909 if (flag) { 3910 update_log(client, zone, 3911 LOGLEVEL_PROTOCOL, 3912 "attempt to add CNAME " 3913 "alongside non-CNAME " 3914 "ignored"); 3915 continue; 3916 } 3917 } else { 3918 CHECK(rrset_exists(db, ver, name, 3919 dns_rdatatype_cname, 0, 3920 &flag)); 3921 if (flag && 3922 ! dns_rdatatype_isdnssec(rdata.type)) 3923 { 3924 update_log(client, zone, 3925 LOGLEVEL_PROTOCOL, 3926 "attempt to add non-CNAME " 3927 "alongside CNAME ignored"); 3928 continue; 3929 } 3930 } 3931 if (rdata.type == dns_rdatatype_soa) { 3932 isc_boolean_t ok; 3933 CHECK(rrset_exists(db, ver, name, 3934 dns_rdatatype_soa, 0, 3935 &flag)); 3936 if (! flag) { 3937 update_log(client, zone, 3938 LOGLEVEL_PROTOCOL, 3939 "attempt to create 2nd " 3940 "SOA ignored"); 3941 continue; 3942 } 3943 CHECK(check_soa_increment(db, ver, &rdata, 3944 &ok)); 3945 if (! ok) { 3946 update_log(client, zone, 3947 LOGLEVEL_PROTOCOL, 3948 "SOA update failed to " 3949 "increment serial, " 3950 "ignoring it"); 3951 continue; 3952 } 3953 soa_serial_changed = ISC_TRUE; 3954 } 3955 3956 if (rdata.type == privatetype) { 3957 update_log(client, zone, LOGLEVEL_PROTOCOL, 3958 "attempt to add a private type " 3959 "(%u) record rejected internal " 3960 "use only", privatetype); 3961 continue; 3962 } 3963 3964 if (rdata.type == dns_rdatatype_nsec3param) { 3965 /* 3966 * Ignore attempts to add NSEC3PARAM records 3967 * with any flags other than OPTOUT. 3968 */ 3969 if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) { 3970 update_log(client, zone, 3971 LOGLEVEL_PROTOCOL, 3972 "attempt to add NSEC3PARAM " 3973 "record with non OPTOUT " 3974 "flag"); 3975 continue; 3976 } 3977 } 3978 3979 if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 && 3980 dns_name_internalwildcard(name)) { 3981 char namestr[DNS_NAME_FORMATSIZE]; 3982 dns_name_format(name, namestr, 3983 sizeof(namestr)); 3984 update_log(client, zone, LOGLEVEL_PROTOCOL, 3985 "warning: ownername '%s' contains " 3986 "a non-terminal wildcard", namestr); 3987 } 3988 3989 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { 3990 char namestr[DNS_NAME_FORMATSIZE]; 3991 char typestr[DNS_RDATATYPE_FORMATSIZE]; 3992 dns_name_format(name, namestr, 3993 sizeof(namestr)); 3994 dns_rdatatype_format(rdata.type, typestr, 3995 sizeof(typestr)); 3996 update_log(client, zone, LOGLEVEL_PROTOCOL, 3997 "adding an RR at '%s' %s", 3998 namestr, typestr); 3999 } 4000 4001 /* Prepare the affected RRset for the addition. */ 4002 { 4003 add_rr_prepare_ctx_t ctx; 4004 ctx.db = db; 4005 ctx.ver = ver; 4006 ctx.diff = &diff; 4007 ctx.name = name; 4008 ctx.update_rr = &rdata; 4009 ctx.update_rr_ttl = ttl; 4010 ctx.ignore_add = ISC_FALSE; 4011 dns_diff_init(mctx, &ctx.del_diff); 4012 dns_diff_init(mctx, &ctx.add_diff); 4013 CHECK(foreach_rr(db, ver, name, rdata.type, 4014 covers, add_rr_prepare_action, 4015 &ctx)); 4016 4017 if (ctx.ignore_add) { 4018 dns_diff_clear(&ctx.del_diff); 4019 dns_diff_clear(&ctx.add_diff); 4020 } else { 4021 CHECK(do_diff(&ctx.del_diff, db, ver, 4022 &diff)); 4023 CHECK(do_diff(&ctx.add_diff, db, ver, 4024 &diff)); 4025 CHECK(update_one_rr(db, ver, &diff, 4026 DNS_DIFFOP_ADD, 4027 name, ttl, &rdata)); 4028 } 4029 } 4030 } else if (update_class == dns_rdataclass_any) { 4031 if (rdata.type == dns_rdatatype_any) { 4032 if (isc_log_wouldlog(ns_g_lctx, 4033 LOGLEVEL_PROTOCOL)) 4034 { 4035 char namestr[DNS_NAME_FORMATSIZE]; 4036 dns_name_format(name, namestr, 4037 sizeof(namestr)); 4038 update_log(client, zone, 4039 LOGLEVEL_PROTOCOL, 4040 "delete all rrsets from " 4041 "name '%s'", namestr); 4042 } 4043 if (dns_name_equal(name, zonename)) { 4044 CHECK(delete_if(type_not_soa_nor_ns_p, 4045 db, ver, name, 4046 dns_rdatatype_any, 0, 4047 &rdata, &diff)); 4048 } else { 4049 CHECK(delete_if(type_not_dnssec, 4050 db, ver, name, 4051 dns_rdatatype_any, 0, 4052 &rdata, &diff)); 4053 } 4054 } else if (dns_name_equal(name, zonename) && 4055 (rdata.type == dns_rdatatype_soa || 4056 rdata.type == dns_rdatatype_ns)) { 4057 update_log(client, zone, LOGLEVEL_PROTOCOL, 4058 "attempt to delete all SOA " 4059 "or NS records ignored"); 4060 continue; 4061 } else { 4062 if (isc_log_wouldlog(ns_g_lctx, 4063 LOGLEVEL_PROTOCOL)) 4064 { 4065 char namestr[DNS_NAME_FORMATSIZE]; 4066 char typestr[DNS_RDATATYPE_FORMATSIZE]; 4067 dns_name_format(name, namestr, 4068 sizeof(namestr)); 4069 dns_rdatatype_format(rdata.type, 4070 typestr, 4071 sizeof(typestr)); 4072 update_log(client, zone, 4073 LOGLEVEL_PROTOCOL, 4074 "deleting rrset at '%s' %s", 4075 namestr, typestr); 4076 } 4077 CHECK(delete_if(true_p, db, ver, name, 4078 rdata.type, covers, &rdata, 4079 &diff)); 4080 } 4081 } else if (update_class == dns_rdataclass_none) { 4082 char namestr[DNS_NAME_FORMATSIZE]; 4083 char typestr[DNS_RDATATYPE_FORMATSIZE]; 4084 4085 /* 4086 * The (name == zonename) condition appears in 4087 * RFC2136 3.4.2.4 but is missing from the pseudocode. 4088 */ 4089 if (dns_name_equal(name, zonename)) { 4090 if (rdata.type == dns_rdatatype_soa) { 4091 update_log(client, zone, 4092 LOGLEVEL_PROTOCOL, 4093 "attempt to delete SOA " 4094 "ignored"); 4095 continue; 4096 } 4097 if (rdata.type == dns_rdatatype_ns) { 4098 int count; 4099 CHECK(rr_count(db, ver, name, 4100 dns_rdatatype_ns, 4101 0, &count)); 4102 if (count == 1) { 4103 update_log(client, zone, 4104 LOGLEVEL_PROTOCOL, 4105 "attempt to " 4106 "delete last " 4107 "NS ignored"); 4108 continue; 4109 } 4110 } 4111 } 4112 dns_name_format(name, namestr, sizeof(namestr)); 4113 dns_rdatatype_format(rdata.type, typestr, 4114 sizeof(typestr)); 4115 update_log(client, zone, LOGLEVEL_PROTOCOL, 4116 "deleting an RR at %s %s", namestr, typestr); 4117 CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type, 4118 covers, &rdata, &diff)); 4119 } 4120 } 4121 if (result != ISC_R_NOMORE) 4122 FAIL(result); 4123 4124 /* 4125 * Check that any changes to DNSKEY/NSEC3PARAM records make sense. 4126 * If they don't then back out all changes to DNSKEY/NSEC3PARAM 4127 * records. 4128 */ 4129 if (! ISC_LIST_EMPTY(diff.tuples)) 4130 CHECK(check_dnssec(client, zone, db, ver, &diff)); 4131 4132 if (! ISC_LIST_EMPTY(diff.tuples)) { 4133 unsigned int errors = 0; 4134 CHECK(dns_zone_nscheck(zone, db, ver, &errors)); 4135 if (errors != 0) { 4136 update_log(client, zone, LOGLEVEL_PROTOCOL, 4137 "update rejected: post update name server " 4138 "sanity check failed"); 4139 result = DNS_R_REFUSED; 4140 goto failure; 4141 } 4142 } 4143 4144 /* 4145 * If any changes were made, increment the SOA serial number, 4146 * update RRSIGs and NSECs (if zone is secure), and write the update 4147 * to the journal. 4148 */ 4149 if (! ISC_LIST_EMPTY(diff.tuples)) { 4150 char *journalfile; 4151 dns_journal_t *journal; 4152 isc_boolean_t has_dnskey; 4153 4154 /* 4155 * Increment the SOA serial, but only if it was not 4156 * changed as a result of an update operation. 4157 */ 4158 if (! soa_serial_changed) { 4159 CHECK(increment_soa_serial(db, ver, &diff, mctx)); 4160 } 4161 4162 CHECK(check_mx(client, zone, db, ver, &diff)); 4163 4164 CHECK(remove_orphaned_ds(db, ver, &diff)); 4165 4166 CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 4167 0, &has_dnskey)); 4168 4169#define ALLOW_SECURE_TO_INSECURE(zone) \ 4170 ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0) 4171 4172 if (!ALLOW_SECURE_TO_INSECURE(zone)) { 4173 CHECK(rrset_exists(db, oldver, zonename, 4174 dns_rdatatype_dnskey, 0, 4175 &had_dnskey)); 4176 if (had_dnskey && !has_dnskey) { 4177 update_log(client, zone, LOGLEVEL_PROTOCOL, 4178 "update rejected: all DNSKEY " 4179 "records removed and " 4180 "'dnssec-secure-to-insecure' " 4181 "not set"); 4182 result = DNS_R_REFUSED; 4183 goto failure; 4184 } 4185 } 4186 4187 CHECK(rollback_private(db, privatetype, ver, &diff)); 4188 4189 CHECK(add_signing_records(db, privatetype, ver, &diff)); 4190 4191 CHECK(add_nsec3param_records(client, zone, db, ver, &diff)); 4192 4193 if (!has_dnskey) { 4194 /* 4195 * We are transitioning from secure to insecure. 4196 * Cause all NSEC3 chains to be deleted. When the 4197 * the last signature for the DNSKEY records are 4198 * remove any NSEC chain present will also be removed. 4199 */ 4200 CHECK(dns_nsec3param_deletechains(db, ver, zone, 4201 &diff)); 4202 } else if (has_dnskey && isdnssec(db, ver, privatetype)) { 4203 isc_uint32_t interval; 4204 interval = dns_zone_getsigvalidityinterval(zone); 4205 result = update_signatures(client, zone, db, oldver, 4206 ver, &diff, interval); 4207 if (result != ISC_R_SUCCESS) { 4208 update_log(client, zone, 4209 ISC_LOG_ERROR, 4210 "RRSIG/NSEC/NSEC3 update failed: %s", 4211 isc_result_totext(result)); 4212 goto failure; 4213 } 4214 } 4215 4216 journalfile = dns_zone_getjournal(zone); 4217 if (journalfile != NULL) { 4218 update_log(client, zone, LOGLEVEL_DEBUG, 4219 "writing journal %s", journalfile); 4220 4221 journal = NULL; 4222 result = dns_journal_open(mctx, journalfile, 4223 ISC_TRUE, &journal); 4224 if (result != ISC_R_SUCCESS) 4225 FAILS(result, "journal open failed"); 4226 4227 result = dns_journal_write_transaction(journal, &diff); 4228 if (result != ISC_R_SUCCESS) { 4229 dns_journal_destroy(&journal); 4230 FAILS(result, "journal write failed"); 4231 } 4232 4233 dns_journal_destroy(&journal); 4234 } 4235 4236 /* 4237 * XXXRTH Just a note that this committing code will have 4238 * to change to handle databases that need two-phase 4239 * commit, but this isn't a priority. 4240 */ 4241 update_log(client, zone, LOGLEVEL_DEBUG, 4242 "committing update transaction"); 4243 4244 dns_db_closeversion(db, &ver, ISC_TRUE); 4245 4246 /* 4247 * Mark the zone as dirty so that it will be written to disk. 4248 */ 4249 dns_zone_markdirty(zone); 4250 4251 /* 4252 * Notify slaves of the change we just made. 4253 */ 4254 dns_zone_notify(zone); 4255 4256 /* 4257 * Cause the zone to be signed with the key that we 4258 * have just added or have the corresponding signatures 4259 * deleted. 4260 * 4261 * Note: we are already committed to this course of action. 4262 */ 4263 for (tuple = ISC_LIST_HEAD(diff.tuples); 4264 tuple != NULL; 4265 tuple = ISC_LIST_NEXT(tuple, link)) { 4266 isc_region_t r; 4267 dns_secalg_t algorithm; 4268 isc_uint16_t keyid; 4269 4270 if (tuple->rdata.type != dns_rdatatype_dnskey) 4271 continue; 4272 4273 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); 4274 if ((dnskey.flags & 4275 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) 4276 != DNS_KEYOWNER_ZONE) 4277 continue; 4278 4279 dns_rdata_toregion(&tuple->rdata, &r); 4280 algorithm = dnskey.algorithm; 4281 keyid = dst_region_computeid(&r, algorithm); 4282 4283 result = dns_zone_signwithkey(zone, algorithm, keyid, 4284 ISC_TF(tuple->op == DNS_DIFFOP_DEL)); 4285 if (result != ISC_R_SUCCESS) { 4286 update_log(client, zone, ISC_LOG_ERROR, 4287 "dns_zone_signwithkey failed: %s", 4288 dns_result_totext(result)); 4289 } 4290 } 4291 4292 /* 4293 * Cause the zone to add/delete NSEC3 chains for the 4294 * deferred NSEC3PARAM changes. 4295 * 4296 * Note: we are already committed to this course of action. 4297 */ 4298 for (tuple = ISC_LIST_HEAD(diff.tuples); 4299 tuple != NULL; 4300 tuple = ISC_LIST_NEXT(tuple, link)) { 4301 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; 4302 dns_rdata_t rdata = DNS_RDATA_INIT; 4303 dns_rdata_nsec3param_t nsec3param; 4304 4305 if (tuple->rdata.type != privatetype || 4306 tuple->op != DNS_DIFFOP_ADD) 4307 continue; 4308 4309 if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata, 4310 buf, sizeof(buf))) 4311 continue; 4312 dns_rdata_tostruct(&rdata, &nsec3param, NULL); 4313 if (nsec3param.flags == 0) 4314 continue; 4315 4316 result = dns_zone_addnsec3chain(zone, &nsec3param); 4317 if (result != ISC_R_SUCCESS) { 4318 update_log(client, zone, ISC_LOG_ERROR, 4319 "dns_zone_addnsec3chain failed: %s", 4320 dns_result_totext(result)); 4321 } 4322 } 4323 } else { 4324 update_log(client, zone, LOGLEVEL_DEBUG, "redundant request"); 4325 dns_db_closeversion(db, &ver, ISC_TRUE); 4326 } 4327 result = ISC_R_SUCCESS; 4328 goto common; 4329 4330 failure: 4331 /* 4332 * The reason for failure should have been logged at this point. 4333 */ 4334 if (ver != NULL) { 4335 update_log(client, zone, LOGLEVEL_DEBUG, 4336 "rolling back"); 4337 dns_db_closeversion(db, &ver, ISC_FALSE); 4338 } 4339 4340 common: 4341 dns_diff_clear(&temp); 4342 dns_diff_clear(&diff); 4343 4344 if (oldver != NULL) 4345 dns_db_closeversion(db, &oldver, ISC_FALSE); 4346 4347 if (db != NULL) 4348 dns_db_detach(&db); 4349 4350 if (ssutable != NULL) 4351 dns_ssutable_detach(&ssutable); 4352 4353 isc_task_detach(&task); 4354 uev->result = result; 4355 if (zone != NULL) 4356 INSIST(uev->zone == zone); /* we use this later */ 4357 uev->ev_type = DNS_EVENT_UPDATEDONE; 4358 uev->ev_action = updatedone_action; 4359 isc_task_send(client->task, &event); 4360 INSIST(event == NULL); 4361} 4362 4363static void 4364updatedone_action(isc_task_t *task, isc_event_t *event) { 4365 update_event_t *uev = (update_event_t *) event; 4366 ns_client_t *client = (ns_client_t *) event->ev_arg; 4367 4368 UNUSED(task); 4369 4370 INSIST(event->ev_type == DNS_EVENT_UPDATEDONE); 4371 INSIST(task == client->task); 4372 4373 INSIST(client->nupdates > 0); 4374 switch (uev->result) { 4375 case ISC_R_SUCCESS: 4376 inc_stats(uev->zone, dns_nsstatscounter_updatedone); 4377 break; 4378 case DNS_R_REFUSED: 4379 inc_stats(uev->zone, dns_nsstatscounter_updaterej); 4380 break; 4381 default: 4382 inc_stats(uev->zone, dns_nsstatscounter_updatefail); 4383 break; 4384 } 4385 if (uev->zone != NULL) 4386 dns_zone_detach(&uev->zone); 4387 client->nupdates--; 4388 respond(client, uev->result); 4389 isc_event_free(&event); 4390 ns_client_detach(&client); 4391} 4392 4393/*% 4394 * Update forwarding support. 4395 */ 4396 4397static void 4398forward_fail(isc_task_t *task, isc_event_t *event) { 4399 ns_client_t *client = (ns_client_t *)event->ev_arg; 4400 4401 UNUSED(task); 4402 4403 INSIST(client->nupdates > 0); 4404 client->nupdates--; 4405 respond(client, DNS_R_SERVFAIL); 4406 isc_event_free(&event); 4407 ns_client_detach(&client); 4408} 4409 4410 4411static void 4412forward_callback(void *arg, isc_result_t result, dns_message_t *answer) { 4413 update_event_t *uev = arg; 4414 ns_client_t *client = uev->ev_arg; 4415 dns_zone_t *zone = uev->zone; 4416 4417 if (result != ISC_R_SUCCESS) { 4418 INSIST(answer == NULL); 4419 uev->ev_type = DNS_EVENT_UPDATEDONE; 4420 uev->ev_action = forward_fail; 4421 inc_stats(zone, dns_nsstatscounter_updatefwdfail); 4422 } else { 4423 uev->ev_type = DNS_EVENT_UPDATEDONE; 4424 uev->ev_action = forward_done; 4425 uev->answer = answer; 4426 inc_stats(zone, dns_nsstatscounter_updaterespfwd); 4427 } 4428 isc_task_send(client->task, ISC_EVENT_PTR(&uev)); 4429 dns_zone_detach(&zone); 4430} 4431 4432static void 4433forward_done(isc_task_t *task, isc_event_t *event) { 4434 update_event_t *uev = (update_event_t *) event; 4435 ns_client_t *client = (ns_client_t *)event->ev_arg; 4436 4437 UNUSED(task); 4438 4439 INSIST(client->nupdates > 0); 4440 client->nupdates--; 4441 ns_client_sendraw(client, uev->answer); 4442 dns_message_destroy(&uev->answer); 4443 isc_event_free(&event); 4444 ns_client_detach(&client); 4445} 4446 4447static void 4448forward_action(isc_task_t *task, isc_event_t *event) { 4449 update_event_t *uev = (update_event_t *) event; 4450 dns_zone_t *zone = uev->zone; 4451 ns_client_t *client = (ns_client_t *)event->ev_arg; 4452 isc_result_t result; 4453 4454 result = dns_zone_forwardupdate(zone, client->message, 4455 forward_callback, event); 4456 if (result != ISC_R_SUCCESS) { 4457 uev->ev_type = DNS_EVENT_UPDATEDONE; 4458 uev->ev_action = forward_fail; 4459 isc_task_send(client->task, &event); 4460 inc_stats(zone, dns_nsstatscounter_updatefwdfail); 4461 dns_zone_detach(&zone); 4462 } else 4463 inc_stats(zone, dns_nsstatscounter_updatereqfwd); 4464 isc_task_detach(&task); 4465} 4466 4467static isc_result_t 4468send_forward_event(ns_client_t *client, dns_zone_t *zone) { 4469 isc_result_t result = ISC_R_SUCCESS; 4470 update_event_t *event = NULL; 4471 isc_task_t *zonetask = NULL; 4472 ns_client_t *evclient; 4473 4474 /* 4475 * This may take some time so replace this client. 4476 */ 4477 if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0) 4478 CHECK(ns_client_replace(client)); 4479 4480 event = (update_event_t *) 4481 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE, 4482 forward_action, NULL, sizeof(*event)); 4483 if (event == NULL) 4484 FAIL(ISC_R_NOMEMORY); 4485 event->zone = zone; 4486 event->result = ISC_R_SUCCESS; 4487 4488 evclient = NULL; 4489 ns_client_attach(client, &evclient); 4490 INSIST(client->nupdates == 0); 4491 client->nupdates++; 4492 event->ev_arg = evclient; 4493 4494 dns_zone_gettask(zone, &zonetask); 4495 isc_task_send(zonetask, ISC_EVENT_PTR(&event)); 4496 4497 failure: 4498 if (event != NULL) 4499 isc_event_free(ISC_EVENT_PTR(&event)); 4500 return (result); 4501} 4502