Lines Matching defs:zone
1 /* $NetBSD: zone.c,v 1.23 2025/01/27 15:40:36 christos Exp $ */
93 #include <dns/zone.h>
102 #define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
389 * Zones in certain states such as "waiting for zone transfer"
390 * or "zone transfer in progress" are kept on per-state linked lists
391 * in the zone manager using the 'statelink' field. The 'statelist'
392 * field points at the list the zone is currently on. It the zone
398 * Statistics counters about zone management.
402 * Optional per-zone statistics counters. Counted outside of this
424 * Keys that are signing the zone for the first time.
465 * catalog zone data
470 * parent catalog zone
502 * soa and maximum zone ttl
508 * Inline zone signing state.
567 DNS_ZONEFLG_NEEDDUMP = 0x00000002U, /*%< zone need consolidation */
570 DNS_ZONEFLG_HASINCLUDE = 0x00000010U, /*%< $INCLUDE in zone file */
572 DNS_ZONEFLG_EXITING = 0x00000040U, /*%< zone is being destroyed */
573 DNS_ZONEFLG_EXPIRED = 0x00000080U, /*%< zone has expired */
575 DNS_ZONEFLG_UPTODATE = 0x00000200U, /*%< zone contents are
583 * zone with no primaries
590 DNS_ZONEFLG_FORCEXFER = 0x00008000U, /*%< Force a zone xfer */
607 * notify due to the zone
626 DNS_ZONELOADFLAG_THAW = 0x00000002U, /* Thaw the zone on successful
695 dns_zone_t *zone;
720 dns_zone_t *zone;
734 * 'db' is the zone's 'db' or a new one if this is the initial
741 dns_zone_t *zone;
751 dns_zone_t *zone;
763 dns_zone_t *zone;
776 * Hold state for when we are signing a zone with a new
814 * 'seen_nsec' will be set to true if, while iterating the zone to create a
831 dns_zone_t *zone;
842 dns_zone_t *zone;
850 dns_zone_t *zone;
880 zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now);
883 dns_zone_t *zone;
892 zone_debuglogc(dns_zone_t *zone, isc_logcategory_t *category, const char *me,
895 zone_debuglog(dns_zone_t *zone, const char *, int debuglevel, const char *msg,
898 notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
901 dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
904 queue_xfrin(dns_zone_t *zone);
910 zone_unload(dns_zone_t *zone);
912 zone_expire(dns_zone_t *zone);
914 zone_refresh(dns_zone_t *zone);
920 zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
922 zone_attachdb(dns_zone_t *zone, dns_db_t *db);
924 zone_detachdb(dns_zone_t *zone);
926 zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
928 zone_catz_disable(dns_zone_t *zone);
930 default_journal(dns_zone_t *zone);
932 zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result);
934 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
937 zone_needdump(dns_zone_t *zone, unsigned int delay);
943 zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime);
945 zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
947 zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
949 zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
951 zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
953 zone_send_secureserial(dns_zone_t *zone, uint32_t serial);
959 queue_soa_query(dns_zone_t *zone);
963 ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub);
967 checkds_cancel(dns_zone_t *zone);
971 checkds_send(dns_zone_t *zone);
973 checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep);
983 notify_cancel(dns_zone_t *zone);
989 notify_createmessage(dns_zone_t *zone, unsigned int flags,
1000 zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone);
1009 zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
1015 zone_freedbargs(dns_zone_t *zone);
1019 zone_saveunique(dns_zone_t *zone, const char *path, const char *templat);
1021 zone_maintenance(dns_zone_t *zone);
1023 zone_notify(dns_zone_t *zone, isc_time_t *now);
1027 zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
1033 zone_rekey(dns_zone_t *zone);
1035 zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
1037 zone_nsecttl(dns_zone_t *zone);
1041 zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial);
1043 zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
1051 * Attach to TLS client context cache used for zone transfers via
1058 *\li 'zmgr' is a valid zone manager.
1062 #define ENTER zone_debuglog(zone, __func__, 1, "enter")
1074 dns_zone_log(zone, ISC_LOG_WARNING, \
1088 dns_zone_log(zone, ISC_LOG_WARNING, \
1111 dns_zone_t *zone;
1117 dns_zone_t *zone;
1140 inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
1141 if (zone->stats != NULL) {
1142 isc_stats_increment(zone->stats, counter);
1153 dns_zone_t *zone = NULL;
1159 zone = isc_mem_get(mctx, sizeof(*zone));
1160 *zone = (dns_zone_t){
1207 isc_mem_attach(mctx, &zone->mctx);
1208 isc_mutex_init(&zone->lock);
1210 isc_mutex_init(&zone->atomic_lock);
1212 ZONEDB_INITLOCK(&zone->dblock);
1214 isc_refcount_init(&zone->references, 1);
1215 isc_refcount_init(&zone->irefs, 0);
1216 dns_name_init(&zone->origin, NULL);
1217 isc_sockaddr_any(&zone->notifysrc4);
1218 isc_sockaddr_any6(&zone->notifysrc6);
1219 isc_sockaddr_any(&zone->parentalsrc4);
1220 isc_sockaddr_any6(&zone->parentalsrc6);
1221 isc_sockaddr_any(&zone->xfrsource4);
1222 isc_sockaddr_any6(&zone->xfrsource6);
1224 zone->primaries = r;
1225 zone->parentals = r;
1226 zone->notify = r;
1227 zone->defaultkasp = NULL;
1228 ISC_LIST_INIT(zone->keyring);
1230 isc_stats_create(mctx, &zone->gluecachestats,
1233 zone->magic = ZONE_MAGIC;
1236 dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
1238 *zonep = zone;
1252 * Free a zone. Because we require that there be no more
1256 zone_free(dns_zone_t *zone) {
1261 REQUIRE(DNS_ZONE_VALID(zone));
1262 REQUIRE(!LOCKED_ZONE(zone));
1263 REQUIRE(zone->timer == NULL);
1264 REQUIRE(zone->zmgr == NULL);
1266 isc_refcount_destroy(&zone->references);
1267 isc_refcount_destroy(&zone->irefs);
1272 if (zone->request != NULL) {
1273 dns_request_destroy(&zone->request); /* XXXMPA */
1275 INSIST(zone->statelist == NULL);
1276 INSIST(zone->view == NULL);
1277 INSIST(zone->prev_view == NULL);
1280 for (struct np3 *npe = ISC_LIST_HEAD(zone->setnsec3param_queue);
1281 npe != NULL; npe = ISC_LIST_HEAD(zone->setnsec3param_queue))
1283 ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
1284 isc_mem_put(zone->mctx, npe, sizeof(*npe));
1287 for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
1288 signing = ISC_LIST_HEAD(zone->signing))
1290 ISC_LIST_UNLINK(zone->signing, signing, link);
1293 isc_mem_put(zone->mctx, signing, sizeof *signing);
1295 for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
1296 nsec3chain = ISC_LIST_HEAD(zone->nsec3chain))
1298 ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
1301 isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
1303 for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
1304 include = ISC_LIST_HEAD(zone->includes))
1306 ISC_LIST_UNLINK(zone->includes, include, link);
1307 isc_mem_free(zone->mctx, include->name);
1308 isc_mem_put(zone->mctx, include, sizeof *include);
1310 for (include = ISC_LIST_HEAD(zone->newincludes); include != NULL;
1311 include = ISC_LIST_HEAD(zone->newincludes))
1313 ISC_LIST_UNLINK(zone->newincludes, include, link);
1314 isc_mem_free(zone->mctx, include->name);
1315 isc_mem_put(zone->mctx, include, sizeof *include);
1317 if (zone->masterfile != NULL) {
1318 isc_mem_free(zone->mctx, zone->masterfile);
1320 zone->masterfile = NULL;
1321 if (zone->keydirectory != NULL) {
1322 isc_mem_free(zone->mctx, zone->keydirectory);
1324 zone->keydirectory = NULL;
1325 if (zone->kasp != NULL) {
1326 dns_kasp_detach(&zone->kasp);
1328 if (zone->defaultkasp != NULL) {
1329 dns_kasp_detach(&zone->defaultkasp);
1331 if (!ISC_LIST_EMPTY(zone->keyring)) {
1332 clear_keylist(&zone->keyring, zone->mctx);
1334 if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
1335 clear_keylist(&zone->checkds_ok, zone->mctx);
1337 if (zone->skr != NULL) {
1338 zone->skrbundle = NULL;
1339 dns_skr_detach(&zone->skr);
1342 zone->journalsize = -1;
1343 if (zone->journal != NULL) {
1344 isc_mem_free(zone->mctx, zone->journal);
1346 zone->journal = NULL;
1347 if (zone->stats != NULL) {
1348 isc_stats_detach(&zone->stats);
1350 if (zone->requeststats != NULL) {
1351 isc_stats_detach(&zone->requeststats);
1353 if (zone->rcvquerystats != NULL) {
1354 dns_stats_detach(&zone->rcvquerystats);
1356 if (zone->dnssecsignstats != NULL) {
1357 dns_stats_detach(&zone->dnssecsignstats);
1359 if (zone->db != NULL) {
1360 zone_detachdb(zone);
1362 if (zone->rpzs != NULL) {
1363 REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
1364 dns_rpz_zones_detach(&zone->rpzs);
1365 zone->rpz_num = DNS_RPZ_INVALID_NUM;
1367 if (zone->catzs != NULL) {
1368 dns_catz_zones_detach(&zone->catzs);
1370 zone_freedbargs(zone);
1372 dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0);
1373 dns_zone_setprimaries(zone, NULL, NULL, NULL, NULL, 0);
1374 dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0);
1376 zone->check_names = dns_severity_ignore;
1377 if (zone->update_acl != NULL) {
1378 dns_acl_detach(&zone->update_acl);
1380 if (zone->forward_acl != NULL) {
1381 dns_acl_detach(&zone->forward_acl);
1383 if (zone->notify_acl != NULL) {
1384 dns_acl_detach(&zone->notify_acl);
1386 if (zone->query_acl != NULL) {
1387 dns_acl_detach(&zone->query_acl);
1389 if (zone->queryon_acl != NULL) {
1390 dns_acl_detach(&zone->queryon_acl);
1392 if (zone->xfr_acl != NULL) {
1393 dns_acl_detach(&zone->xfr_acl);
1395 if (dns_name_dynamic(&zone->origin)) {
1396 dns_name_free(&zone->origin, zone->mctx);
1398 if (zone->strnamerd != NULL) {
1399 isc_mem_free(zone->mctx, zone->strnamerd);
1401 if (zone->strname != NULL) {
1402 isc_mem_free(zone->mctx, zone->strname);
1404 if (zone->strrdclass != NULL) {
1405 isc_mem_free(zone->mctx, zone->strrdclass);
1407 if (zone->strviewname != NULL) {
1408 isc_mem_free(zone->mctx, zone->strviewname);
1410 if (zone->ssutable != NULL) {
1411 dns_ssutable_detach(&zone->ssutable);
1413 if (zone->gluecachestats != NULL) {
1414 isc_stats_detach(&zone->gluecachestats);
1418 ZONEDB_DESTROYLOCK(&zone->dblock);
1419 isc_mutex_destroy(&zone->lock);
1421 isc_mutex_destroy(&zone->atomic_lock);
1423 zone->magic = 0;
1424 isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
1428 * Returns true iff this the signed side of an inline-signing zone.
1429 * Caller should hold zone lock.
1432 inline_secure(dns_zone_t *zone) {
1433 REQUIRE(DNS_ZONE_VALID(zone));
1434 if (zone->raw != NULL) {
1441 * Returns true iff this the unsigned side of an inline-signing zone
1442 * Caller should hold zone lock.
1445 inline_raw(dns_zone_t *zone) {
1446 REQUIRE(DNS_ZONE_VALID(zone));
1447 if (zone->secure != NULL) {
1457 dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
1460 REQUIRE(DNS_ZONE_VALID(zone));
1466 LOCK_ZONE(zone);
1467 INSIST(zone != zone->raw);
1468 REQUIRE(zone->rdclass == dns_rdataclass_none ||
1469 zone->rdclass == rdclass);
1470 zone->rdclass = rdclass;
1472 if (zone->strnamerd != NULL) {
1473 isc_mem_free(zone->mctx, zone->strnamerd);
1475 if (zone->strrdclass != NULL) {
1476 isc_mem_free(zone->mctx, zone->strrdclass);
1479 zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1480 zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1481 zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
1482 zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
1484 if (inline_secure(zone)) {
1485 dns_zone_setclass(zone->raw, rdclass);
1487 UNLOCK_ZONE(zone);
1491 dns_zone_getclass(dns_zone_t *zone) {
1492 REQUIRE(DNS_ZONE_VALID(zone));
1494 return zone->rdclass;
1498 dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
1499 REQUIRE(DNS_ZONE_VALID(zone));
1501 LOCK_ZONE(zone);
1502 zone->notifytype = notifytype;
1503 UNLOCK_ZONE(zone);
1507 dns_zone_setcheckdstype(dns_zone_t *zone, dns_checkdstype_t checkdstype) {
1508 REQUIRE(DNS_ZONE_VALID(zone));
1510 LOCK_ZONE(zone);
1511 zone->checkdstype = checkdstype;
1512 UNLOCK_ZONE(zone);
1516 dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp) {
1520 REQUIRE(DNS_ZONE_VALID(zone));
1523 LOCK_ZONE(zone);
1524 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
1525 if (zone->db != NULL) {
1526 result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
1535 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
1536 UNLOCK_ZONE(zone);
1545 dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
1548 REQUIRE(DNS_ZONE_VALID(zone));
1554 LOCK_ZONE(zone);
1555 REQUIRE(zone->type == dns_zone_none || zone->type == type);
1556 zone->type = type;
1558 if (zone->strnamerd != NULL) {
1559 isc_mem_free(zone->mctx, zone->strnamerd);
1562 zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1563 zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1564 UNLOCK_ZONE(zone);
1568 zone_freedbargs(dns_zone_t *zone) {
1572 if (zone->db_argv != NULL) {
1573 for (i = 0; i < zone->db_argc; i++) {
1574 isc_mem_free(zone->mctx, zone->db_argv[i]);
1576 isc_mem_cput(zone->mctx, zone->db_argv, zone->db_argc,
1577 sizeof(*zone->db_argv));
1579 zone->db_argc = 0;
1580 zone->db_argv = NULL;
1584 dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
1591 REQUIRE(DNS_ZONE_VALID(zone));
1594 LOCK_ZONE(zone);
1595 size = ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
1596 for (i = 0; i < zone->db_argc; i++) {
1597 size += strlen(zone->db_argv[i]) + 1;
1604 tmp2 += ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
1605 for (i = 0; i < zone->db_argc; i++) {
1607 strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
1612 UNLOCK_ZONE(zone);
1618 dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc,
1623 REQUIRE(DNS_ZONE_VALID(zone));
1627 LOCK_ZONE(zone);
1630 argv = isc_mem_cget(zone->mctx, dbargc, sizeof(*argv));
1635 argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
1639 zone_freedbargs(zone);
1641 zone->db_argc = dbargc;
1642 zone->db_argv = argv;
1644 UNLOCK_ZONE(zone);
1648 dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
1651 if (zone->prev_view == NULL && zone->view != NULL) {
1652 dns_view_weakattach(zone->view, &zone->prev_view);
1655 INSIST(zone != zone->raw);
1656 if (zone->view != NULL) {
1657 dns_view_sfd_del(zone->view, &zone->origin);
1658 dns_view_weakdetach(&zone->view);
1660 dns_view_weakattach(view, &zone->view);
1661 dns_view_sfd_add(view, &zone->origin);
1663 if (zone->strviewname != NULL) {
1664 isc_mem_free(zone->mctx, zone->strviewname);
1666 if (zone->strnamerd != NULL) {
1667 isc_mem_free(zone->mctx, zone->strnamerd);
1670 zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1671 zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1672 zone_viewname_tostr(zone, namebuf, sizeof namebuf);
1673 zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
1675 if (inline_secure(zone)) {
1676 dns_zone_setview(zone->raw, view);
1681 dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
1682 REQUIRE(DNS_ZONE_VALID(zone));
1684 LOCK_ZONE(zone);
1685 dns_zone_setview_helper(zone, view);
1686 UNLOCK_ZONE(zone);
1690 dns_zone_getview(dns_zone_t *zone) {
1691 REQUIRE(DNS_ZONE_VALID(zone));
1693 return zone->view;
1697 dns_zone_setviewcommit(dns_zone_t *zone) {
1698 REQUIRE(DNS_ZONE_VALID(zone));
1700 LOCK_ZONE(zone);
1701 if (zone->prev_view != NULL) {
1702 dns_view_weakdetach(&zone->prev_view);
1704 if (inline_secure(zone)) {
1705 dns_zone_setviewcommit(zone->raw);
1707 UNLOCK_ZONE(zone);
1711 dns_zone_setviewrevert(dns_zone_t *zone) {
1712 REQUIRE(DNS_ZONE_VALID(zone));
1714 LOCK_ZONE(zone);
1715 if (zone->prev_view != NULL) {
1716 dns_zone_setview_helper(zone, zone->prev_view);
1717 dns_view_weakdetach(&zone->prev_view);
1719 if (zone->catzs != NULL) {
1720 zone_catz_enable(zone, zone->catzs);
1722 if (inline_secure(zone)) {
1723 dns_zone_setviewrevert(zone->raw);
1725 UNLOCK_ZONE(zone);
1729 dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
1733 REQUIRE(DNS_ZONE_VALID(zone));
1736 LOCK_ZONE(zone);
1737 INSIST(zone != zone->raw);
1738 if (dns_name_dynamic(&zone->origin)) {
1739 dns_name_free(&zone->origin, zone->mctx);
1740 dns_name_init(&zone->origin, NULL);
1742 dns_name_dup(origin, zone->mctx, &zone->origin);
1744 if (zone->strnamerd != NULL) {
1745 isc_mem_free(zone->mctx, zone->strnamerd);
1747 if (zone->strname != NULL) {
1748 isc_mem_free(zone->mctx, zone->strname);
1751 zone_namerd_tostr(zone, namebuf, sizeof namebuf);
1752 zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
1753 zone_name_tostr(zone, namebuf, sizeof namebuf);
1754 zone->strname = isc_mem_strdup(zone->mctx, namebuf);
1756 if (inline_secure(zone)) {
1757 result = dns_zone_setorigin(zone->raw, origin);
1759 UNLOCK_ZONE(zone);
1764 dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
1768 copy = isc_mem_strdup(zone->mctx, value);
1774 isc_mem_free(zone->mctx, *field);
1782 dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format,
1786 REQUIRE(DNS_ZONE_VALID(zone));
1787 REQUIRE(zone->stream == NULL);
1789 LOCK_ZONE(zone);
1790 result = dns_zone_setstring(zone, &zone->masterfile, file);
1792 zone->masterformat = format;
1794 zone->masterstyle = style;
1796 result = default_journal(zone);
1798 UNLOCK_ZONE(zone);
1804 dns_zone_getfile(dns_zone_t *zone) {
1805 REQUIRE(DNS_ZONE_VALID(zone));
1807 return zone->masterfile;
1811 dns_zone_setstream(dns_zone_t *zone, const FILE *stream,
1815 REQUIRE(DNS_ZONE_VALID(zone));
1817 REQUIRE(zone->masterfile == NULL);
1819 LOCK_ZONE(zone);
1820 zone->stream = stream;
1821 zone->masterformat = format;
1823 zone->masterstyle = style;
1825 result = default_journal(zone);
1826 UNLOCK_ZONE(zone);
1832 dns_zone_getmaxttl(dns_zone_t *zone) {
1833 REQUIRE(DNS_ZONE_VALID(zone));
1835 return zone->maxttl;
1839 dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) {
1840 REQUIRE(DNS_ZONE_VALID(zone));
1842 LOCK_ZONE(zone);
1844 DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_CHECKTTL);
1846 DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_CHECKTTL);
1848 zone->maxttl = maxttl;
1849 UNLOCK_ZONE(zone);
1855 default_journal(dns_zone_t *zone) {
1859 REQUIRE(DNS_ZONE_VALID(zone));
1860 REQUIRE(LOCKED_ZONE(zone));
1862 if (zone->masterfile != NULL) {
1864 int len = strlen(zone->masterfile) + sizeof(".jnl");
1865 journal = isc_mem_allocate(zone->mctx, len);
1866 strlcpy(journal, zone->masterfile, len);
1871 result = dns_zone_setstring(zone, &zone->journal, journal);
1873 isc_mem_free(zone->mctx, journal);
1879 dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) {
1882 REQUIRE(DNS_ZONE_VALID(zone));
1884 LOCK_ZONE(zone);
1885 result = dns_zone_setstring(zone, &zone->journal, myjournal);
1886 UNLOCK_ZONE(zone);
1892 dns_zone_getjournal(dns_zone_t *zone) {
1893 REQUIRE(DNS_ZONE_VALID(zone));
1895 return zone->journal;
1899 * Return true iff the zone is "dynamic", in the sense that the zone's
1909 dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
1910 REQUIRE(DNS_ZONE_VALID(zone));
1912 if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
1913 zone->type == dns_zone_stub || zone->type == dns_zone_key ||
1914 (zone->type == dns_zone_redirect &&
1915 dns_remote_addresses(&zone->primaries) != NULL))
1921 if (zone->type == dns_zone_primary && zone->raw != NULL) {
1926 if (zone->type == dns_zone_primary &&
1927 (!zone->update_disabled || ignore_freeze) &&
1928 ((zone->ssutable != NULL) ||
1929 (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
1938 * Set the response policy index and information for a zone.
1941 dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
1946 LOCK_ZONE(zone);
1947 if (zone->rpzs != NULL) {
1948 REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num);
1950 REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM);
1951 dns_rpz_zones_attach(rpzs, &zone->rpzs);
1952 zone->rpz_num = rpz_num;
1955 UNLOCK_ZONE(zone);
1961 dns_zone_get_rpz_num(dns_zone_t *zone) {
1962 return zone->rpz_num;
1966 * If a zone is a response policy zone, mark its new database.
1969 dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
1970 if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
1973 REQUIRE(zone->rpzs != NULL);
1974 dns_rpz_dbupdate_register(db, zone->rpzs->zones[zone->rpz_num]);
1978 dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
1979 if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
1982 REQUIRE(zone->rpzs != NULL);
1983 dns_rpz_dbupdate_unregister(db, zone->rpzs->zones[zone->rpz_num]);
1987 * If a zone is a catalog zone, attach it to update notification in database.
1990 dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
1991 REQUIRE(DNS_ZONE_VALID(zone));
1994 if (zone->catzs != NULL) {
1995 dns_catz_dbupdate_register(db, zone->catzs);
2000 dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
2001 REQUIRE(DNS_ZONE_VALID(zone));
2004 if (zone->catzs != NULL) {
2005 dns_catz_dbupdate_unregister(db, zone->catzs);
2010 zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
2011 REQUIRE(DNS_ZONE_VALID(zone));
2014 INSIST(zone->catzs == NULL || zone->catzs == catzs);
2015 dns_catz_catzs_set_view(catzs, zone->view);
2016 if (zone->catzs == NULL) {
2017 dns_catz_zones_attach(catzs, &zone->catzs);
2022 dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
2023 REQUIRE(DNS_ZONE_VALID(zone));
2025 LOCK_ZONE(zone);
2026 zone_catz_enable(zone, catzs);
2027 UNLOCK_ZONE(zone);
2031 zone_catz_disable(dns_zone_t *zone) {
2032 REQUIRE(DNS_ZONE_VALID(zone));
2034 if (zone->catzs != NULL) {
2035 if (zone->db != NULL) {
2036 dns_zone_catz_disable_db(zone, zone->db);
2038 dns_catz_zones_detach(&zone->catzs);
2043 dns_zone_catz_disable(dns_zone_t *zone) {
2044 REQUIRE(DNS_ZONE_VALID(zone));
2046 LOCK_ZONE(zone);
2047 zone_catz_disable(zone);
2048 UNLOCK_ZONE(zone);
2052 dns_zone_catz_is_enabled(dns_zone_t *zone) {
2053 REQUIRE(DNS_ZONE_VALID(zone));
2055 return zone->catzs != NULL;
2059 * Set catalog zone ownership of the zone
2062 dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) {
2063 REQUIRE(DNS_ZONE_VALID(zone));
2065 LOCK_ZONE(zone);
2066 INSIST(zone->parentcatz == NULL || zone->parentcatz == catz);
2067 zone->parentcatz = catz;
2068 UNLOCK_ZONE(zone);
2072 dns_zone_get_parentcatz(dns_zone_t *zone) {
2073 REQUIRE(DNS_ZONE_VALID(zone));
2077 LOCK_ZONE(zone);
2078 parentcatz = zone->parentcatz;
2079 UNLOCK_ZONE(zone);
2085 zone_touched(dns_zone_t *zone) {
2090 REQUIRE(DNS_ZONE_VALID(zone));
2092 result = isc_file_getmodtime(zone->masterfile, &modtime);
2094 isc_time_compare(&modtime, &zone->loadtime) > 0)
2099 for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
2115 * call zone_load() for the secure zone; zone_load() calls itself recursively
2116 * in order to load the raw zone.
2119 zone_load(dns_zone_t *zone, unsigned int flags, bool locked) {
2126 REQUIRE(DNS_ZONE_VALID(zone));
2129 LOCK_ZONE(zone);
2132 INSIST(zone != zone->raw);
2133 hasraw = inline_secure(zone);
2136 * We are trying to load an inline-signed zone. First call
2137 * self recursively to try loading the raw version of the zone.
2138 * Assuming the raw zone file is readable, there are two
2141 * a) the raw zone was not yet loaded and thus it will be
2143 * subsequent attempt to load the signed zone file will
2145 * twice: first for the raw zone and then for the secure
2146 * zone; the latter call will take care of syncing the raw
2149 * b) the raw zone was already loaded and we are trying to
2151 * zone_postload() will only be called for the raw zone
2154 * zone_postload() called for the raw zone will take care
2157 result = zone_load(zone->raw, flags, false);
2160 UNLOCK_ZONE(zone);
2164 LOCK_ZONE(zone->raw);
2169 INSIST(zone->type != dns_zone_none);
2171 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
2173 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
2179 INSIST(zone->db_argc >= 1);
2181 rbt = strcmp(zone->db_argv[0], ZONEDB_DEFAULT) == 0;
2183 if (zone->db != NULL && zone->masterfile == NULL && rbt) {
2185 * The zone has no master file configured.
2191 is_dynamic = dns_zone_isdynamic(zone, false);
2192 if (zone->db != NULL && is_dynamic) {
2194 * This is a secondary, stub, or dynamically updated zone
2198 if (zone->type == dns_zone_primary && !hasraw) {
2207 * Store the current time before the zone is loaded, so that if the
2209 * zone->loadtime is set, then the file will still be reloaded
2215 * Don't do the load if the file that stores the zone is older
2216 * than the last time the zone was loaded. If the zone has not
2217 * been loaded yet, zone->loadtime will be the epoch.
2219 if (zone->masterfile != NULL) {
2226 if (!isc_time_isepoch(&zone->loadtime) &&
2233 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
2234 !zone_touched(zone))
2236 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2248 result = isc_file_getmodtime(zone->masterfile, &filetime);
2260 if (zone->type == dns_zone_primary &&
2261 strcmp(zone->db_argv[0], "_builtin") == 0 &&
2262 (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
2263 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
2271 * but we need to associate the database with the zone object.
2273 if (strcmp(zone->db_argv[0], "dlz") == 0) {
2277 for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched);
2281 if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0) {
2287 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2291 zone->db_argv[1]);
2296 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
2297 /* ask SDLZ driver if the zone is supported */
2301 zone->view->rdclass, &zone->origin, NULL,
2304 if (zone->db != NULL) {
2305 zone_detachdb(zone);
2307 zone_attachdb(zone, db);
2311 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
2318 result = (*dlzdb->configure_callback)(zone->view, dlzdb,
2319 zone);
2321 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2330 if ((zone->type == dns_zone_secondary ||
2331 zone->type == dns_zone_mirror || zone->type == dns_zone_stub ||
2332 (zone->type == dns_zone_redirect &&
2333 dns_remote_addresses(&zone->primaries) != NULL)) &&
2336 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
2338 if (zone->stream == NULL &&
2339 (zone->masterfile == NULL ||
2340 !isc_file_exists(zone->masterfile)))
2342 if (zone->masterfile != NULL) {
2343 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2347 zone->refreshtime = now;
2348 if (zone->loop != NULL) {
2349 zone_settimer(zone, &now);
2356 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
2359 result = dns_zone_makedb(zone, &db);
2361 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
2362 "loading zone: creating database: %s",
2368 if (zone->masterfile != NULL || zone->stream != NULL) {
2369 result = zone_startload(db, zone, loadtime);
2372 if (zone->type == dns_zone_primary ||
2373 (zone->type == dns_zone_redirect &&
2374 dns_remote_addresses(&zone->primaries) == NULL))
2376 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2378 "loading zone: "
2382 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
2384 "loading zone: "
2390 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
2392 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
2397 result = zone_postload(zone, db, loadtime, result);
2401 UNLOCK_ZONE(zone->raw);
2404 UNLOCK_ZONE(zone);
2413 dns_zone_load(dns_zone_t *zone, bool newonly) {
2414 return zone_load(zone, newonly ? DNS_ZONELOADFLAG_NOSTAT : 0, false);
2420 dns_zone_t *zone = asl->zone;
2423 REQUIRE(DNS_ZONE_VALID(zone));
2425 LOCK_ZONE(zone);
2426 result = zone_load(zone, asl->flags, true);
2428 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
2430 UNLOCK_ZONE(zone);
2432 /* Inform the zone table we've finished loading */
2437 isc_mem_put(zone->mctx, asl, sizeof(*asl));
2438 dns_zone_idetach(&zone);
2442 dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_callback_t *done,
2446 REQUIRE(DNS_ZONE_VALID(zone));
2448 if (zone->zmgr == NULL) {
2453 LOCK_ZONE(zone);
2454 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
2455 UNLOCK_ZONE(zone);
2459 asl = isc_mem_get(zone->mctx, sizeof(*asl));
2461 asl->zone = NULL;
2466 zone_iattach(zone, &asl->zone);
2467 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
2468 isc_async_run(zone->loop, zone_asyncload, asl);
2469 UNLOCK_ZONE(zone);
2475 dns__zone_loadpending(dns_zone_t *zone) {
2476 REQUIRE(DNS_ZONE_VALID(zone));
2478 return DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
2482 dns_zone_loadandthaw(dns_zone_t *zone) {
2485 if (inline_raw(zone)) {
2486 result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW, false);
2489 * When thawing a zone, we don't know what changes
2491 * zone, schedule a full sign for this zone.
2493 if (zone->type == dns_zone_primary &&
2494 DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
2496 DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
2498 result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
2508 zone->update_disabled = false;
2511 zone->update_disabled = false;
2521 get_primary_options(dns_zone_t *zone) {
2525 if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
2526 (zone->type == dns_zone_redirect &&
2527 dns_remote_addresses(&zone->primaries) == NULL))
2531 if (zone->type == dns_zone_key) {
2534 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) {
2537 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) {
2540 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) {
2543 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
2546 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) {
2549 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
2552 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) {
2555 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) {
2558 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSVCB)) {
2568 dns_zone_t *zone = (dns_zone_t *)arg;
2571 REQUIRE(DNS_ZONE_VALID(zone));
2580 for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
2588 inc = isc_mem_get(zone->mctx, sizeof(dns_include_t));
2589 inc->name = isc_mem_strdup(zone->mctx, filename);
2597 ISC_LIST_APPEND(zone->newincludes, inc, link);
2624 zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
2629 zone->sourceserial = header->sourceserial;
2630 zone->sourceserialset = true;
2634 dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
2635 if (zone == NULL) {
2639 LOCK_ZONE(zone);
2640 zone_setrawdata(zone, header);
2641 UNLOCK_ZONE(zone);
2645 zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
2649 dns_load_t *load = isc_mem_get(zone->mctx, sizeof(*load));
2657 dns_zone_rpz_enable_db(zone, db);
2658 dns_zone_catz_enable_db(zone, db);
2660 options = get_primary_options(zone);
2661 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) {
2665 zone_iattach(zone, &load->zone);
2670 zone_iattach(zone, &load->callbacks.zone);
2677 if (zone->zmgr != NULL && zone->db != NULL) {
2679 zone->masterfile, dns_db_origin(db), dns_db_origin(db),
2680 zone->rdclass, options, 0, &load->callbacks, zone->loop,
2681 zone_loaddone, load, &zone->loadctx,
2682 zone_registerinclude, zone, zone->mctx,
2683 zone->masterformat, zone->maxttl);
2689 } else if (zone->stream != NULL) {
2690 FILE *stream = UNCONST(zone->stream);
2692 stream, &zone->origin, &zone->origin, zone->rdclass,
2693 options, &load->callbacks, zone->mctx);
2696 zone->masterfile, &zone->origin, &zone->origin,
2697 zone->rdclass, options, 0, &load->callbacks,
2698 zone_registerinclude, zone, zone->mctx,
2699 zone->masterformat, zone->maxttl);
2704 dns_zone_rpz_disable_db(zone, load->db);
2705 dns_zone_catz_disable_db(zone, load->db);
2713 zone_idetach(&load->callbacks.zone);
2715 zone_idetach(&load->zone);
2717 isc_mem_put(zone->mctx, load, sizeof(*load));
2722 zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2740 * Outside of zone.
2742 if (!dns_name_issubdomain(name, &zone->origin)) {
2743 if (zone->checkmx != NULL) {
2744 return (zone->checkmx)(zone, name, owner);
2749 if (zone->type == dns_zone_primary) {
2776 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
2779 dns_zone_log(zone, level,
2786 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
2787 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
2791 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
2792 dns_zone_log(zone, level,
2800 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
2801 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
2805 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
2807 dns_zone_log(zone, level,
2815 if (zone->checkmx != NULL && result == DNS_R_DELEGATION) {
2816 return (zone->checkmx)(zone, name, owner);
2823 zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2841 * Outside of zone.
2843 if (!dns_name_issubdomain(name, &zone->origin)) {
2844 if (zone->checksrv != NULL) {
2845 return (zone->checksrv)(zone, name, owner);
2850 if (zone->type == dns_zone_primary) {
2877 dns_zone_log(zone, level,
2885 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
2886 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
2890 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
2891 dns_zone_log(zone, level,
2899 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
2900 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
2904 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
2906 dns_zone_log(zone, level,
2914 if (zone->checksrv != NULL && result == DNS_R_DELEGATION) {
2915 return (zone->checksrv)(zone, name, owner);
2922 zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
2936 * Outside of zone.
2938 if (!dns_name_issubdomain(name, &zone->origin)) {
2939 if (zone->checkns != NULL) {
2940 return (zone->checkns)(zone, name, owner, NULL, NULL);
2945 if (zone->type == dns_zone_primary) {
2999 * Check glue against child zone.
3001 if (zone->checkns != NULL) {
3002 answer = (zone->checkns)(zone, name, owner, &a,
3032 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING))
3034 dns_zone_log(zone, level,
3041 if (result == DNS_R_DELEGATION && zone->checkns != NULL)
3043 (void)(zone->checkns)(zone, name, owner, &a,
3050 dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
3056 dns_zone_log(zone, level,
3073 zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
3084 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL)) {
3117 dns_zone_log(zone, level,
3136 zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
3172 if (!zone_rrset_check_dup(zone, name, &rdataset)) {
3221 integrity_checks(dns_zone_t *zone, dns_db_t *db) {
3256 * Is this name visible in the zone?
3258 if (!dns_name_issubdomain(name, &zone->origin) ||
3270 if (dns_name_equal(name, &zone->origin)) {
3280 * Remember bottom of zone due to NS.
3289 if (!zone_check_glue(zone, db, &ns.name, name)) {
3306 if (zone->type == dns_zone_primary) {
3313 dns_zone_log(zone, level, "DS not at delegation point (%s)",
3322 * Remember bottom of zone due to DNAME.
3338 if (!zone_check_mx(zone, db, &mx.mx, name)) {
3347 if (zone->rdclass != dns_rdataclass_in) {
3360 if (!zone_check_srv(zone, db, &srv.target, name)) {
3373 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) {
3376 if (zone->rdclass != dns_rdataclass_in) {
3406 dns_zone_log(zone, ISC_LOG_WARNING,
3433 zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
3441 result = dns_db_findnode(db, &zone->origin, false, &node);
3493 dnssec_log(zone, ISC_LOG_WARNING,
3512 resume_signingwithkey(dns_zone_t *zone) {
3520 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3521 if (zone->db != NULL) {
3522 dns_db_attach(zone->db, &db);
3524 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3529 result = dns_db_findnode(db, &zone->origin, false, &node);
3536 result = dns_db_findrdataset(db, node, version, zone->privatetype,
3554 result = zone_signwithkey(zone, rdata.data[0],
3558 dnssec_log(zone, ISC_LOG_ERROR,
3585 zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
3596 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3597 if (zone->db != NULL) {
3598 dns_db_attach(zone->db, &db);
3600 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3608 * If this zone is not NSEC3-capable, attempting to remove any NSEC3
3626 nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
3686 dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
3694 for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL;
3711 * Attach zone database to the structure initialized above and create
3729 * "nsec3chain" list for the zone and set the appropriate zone
3734 ISC_LIST_INITANDAPPEND(zone->nsec3chain, nsec3chain, link);
3736 if (isc_time_isepoch(&zone->nsec3chaintime)) {
3738 zone->nsec3chaintime = now;
3739 if (zone->loop != NULL) {
3740 zone_settimer(zone, &now);
3752 isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
3763 * Find private-type records at the zone apex which signal that an NSEC3 chain
3770 resume_addnsec3chain(dns_zone_t *zone) {
3779 INSIST(LOCKED_ZONE(zone));
3781 if (zone->privatetype == 0) {
3785 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3786 if (zone->db != NULL) {
3787 dns_db_attach(zone->db, &db);
3789 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3794 result = dns_db_findnode(db, &zone->origin, false, &node);
3802 * In order to create NSEC3 chains we need the DNSKEY RRset at zone
3809 * Get the RRset containing all private-type records at the zone apex.
3812 result = dns_db_findrdataset(db, node, version, zone->privatetype,
3847 result = zone_addnsec3chain(zone, &nsec3param);
3849 dnssec_log(zone, ISC_LOG_ERROR,
3870 set_resigntime(dns_zone_t *zone) {
3878 INSIST(LOCKED_ZONE(zone));
3881 if (!dns_zone_isdynamic(zone, false)) {
3885 if (inline_raw(zone)) {
3891 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
3892 if (zone->db != NULL) {
3893 dns_db_attach(zone->db, &db);
3895 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
3897 isc_time_settoepoch(&zone->resigntime);
3904 isc_time_settoepoch(&zone->resigntime);
3908 resign -= dns_zone_getsigresigninginterval(zone);
3910 isc_time_set(&zone->resigntime, resign, nanosecs);
3918 check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
3925 bool dynamic = (zone->type == dns_zone_primary)
3926 ? dns_zone_isdynamic(zone, false)
3930 result = dns_db_findnode(db, &zone->origin, false, &node);
3932 dns_zone_log(zone, ISC_LOG_ERROR,
3949 dns_zone_log(zone, ISC_LOG_ERROR,
3970 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
3973 dns_zone_log(zone, ISC_LOG_WARNING,
3980 dns_zone_log(zone, ISC_LOG_ERROR,
3982 " in dynamic zone: %u",
3989 dns_zone_log(zone, ISC_LOG_WARNING,
3999 * Warn if the zone has excessive NSEC3 iterations.
4002 dnssec_log(zone, ISC_LOG_WARNING,
4014 dns_zone_log(zone, ISC_LOG_ERROR,
4028 * Set the timer for refreshing the key zone to the soonest future time
4033 set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
4057 if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
4058 isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
4060 zone->refreshkeytime = timethen;
4063 isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
4064 dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
4065 zone_settimer(zone, &timenow);
4070 * zone does not contain a KEYDATA record for the corresponding name,
4071 * then create an empty KEYDATA and push it into the zone as a placeholder,
4075 * If the key zone is changed, set '*changed' to true.
4078 create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
4100 kd.common.rdclass = zone->rdclass;
4106 CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, dns_rdatatype_keydata,
4108 /* Add rdata to zone. */
4112 /* Refresh new keys from the zone apex as soon as possible. */
4113 set_refreshkeytimer(zone, &kd, now, true);
4121 * Remove from the key zone all the KEYDATA records found in rdataset.
4192 trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey,
4201 result = dns_view_getsecroots(zone->view, &sr);
4213 zone->view));
4226 * to the zone will fail.
4229 fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
4233 result = dns_view_getsecroots(zone->view, &sr);
4241 * Scan a set of KEYDATA records from the key zone. The ones that are
4245 load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
4254 result = dns_view_getsecroots(zone->view, &sr);
4256 dns_keytable_delete(sr, name, sfd_del, zone->view);
4275 set_refreshkeytimer(zone, &keydata, now, true);
4297 trust_key(zone, name, &dnskey, (keydata.addhd == 0));
4303 dnssec_log(zone, ISC_LOG_ERROR,
4305 dnssec_log(zone, ISC_LOG_ERROR,
4308 dnssec_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail",
4310 fail_secure(zone, name);
4361 update_soa_serial(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
4379 dns_zone_log(zone, ISC_LOG_WARNING,
4399 * Write all transactions in 'diff' to the zone journal file.
4402 zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial,
4410 journalfile = dns_zone_getjournal(zone);
4412 result = dns_journal_open(zone->mctx, journalfile, mode,
4415 dns_zone_log(zone, ISC_LOG_ERROR,
4427 dns_zone_log(zone, ISC_LOG_ERROR,
4438 * Create an SOA record for a newly-created zone
4441 add_soa(dns_zone_t *zone, dns_db_t *db) {
4448 dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
4450 dns_diff_init(zone->mctx, &diff);
4453 dns_zone_log(zone, ISC_LOG_ERROR,
4460 result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
4463 dns_zone_log(zone, ISC_LOG_ERROR,
4469 result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD, &zone->origin, 0,
4487 dns_zone_t *zone;
4498 dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone;
4535 result = create_keydata(zone, db, ver, diff, keynode, keyname, changed);
4544 * zone. If a domain is no longer named in managed-keys, delete all keys
4545 * from that domain from the key zone. If a domain is configured as an
4547 * key zone, load the key zone with the initializing key(s) for that
4550 * zone with the matching key, and schedule a key refresh.
4553 sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
4558 dns_view_t *view = zone->view;
4565 dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
4567 dns_diff_init(zone->mctx, &diff);
4573 dnssec_log(zone, ISC_LOG_ERROR,
4580 * Walk the zone DB. If we find any keys whose names are no longer
4583 * them from the zone. Otherwise call load_secroots(), which
4609 * The managed-keys zone can contain a placeholder instead of
4627 set_refreshkeytimer(zone, &keydata, now, true);
4642 load_secroots(zone, rrname, rdataset);
4653 * the zone. If we find any, add them to the zone directly.
4655 * zone so that they'll be looked up.
4661 arg.zone = zone;
4667 CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
4668 zone->updatemethod));
4669 CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
4671 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
4672 zone_needdump(zone, 30);
4678 dnssec_log(zone, ISC_LOG_ERROR,
4681 isc_time_settoepoch(&zone->refreshkeytime);
4700 dns_zone_synckeyzone(dns_zone_t *zone) {
4704 if (zone->type != dns_zone_key) {
4708 CHECK(dns_zone_getdb(zone, &db));
4710 LOCK_ZONE(zone);
4711 result = sync_keyzone(zone, db);
4712 UNLOCK_ZONE(zone);
4722 maybe_send_secure(dns_zone_t *zone) {
4727 * 'secure' zone. We now need information about the status of the
4728 * 'raw' zone. If we failed to load, then we need it to send a
4734 if (zone->raw->db != NULL) {
4735 if (zone->db != NULL) {
4740 zone->raw, zone->raw->db, NULL, &soacount, NULL,
4743 zone_send_secureserial(zone->raw, serial);
4746 zone_send_securedb(zone->raw, zone->raw->db);
4749 DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
4769 process_zone_setnsec3param(dns_zone_t *zone) {
4771 while ((npe = ISC_LIST_HEAD(zone->setnsec3param_queue)) != NULL) {
4772 ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
4773 zone_iattach(zone, &npe->zone);
4774 isc_async_run(zone->loop, setnsec3param, npe);
4779 * The zone is presumed to be locked.
4780 * If this is a inline_raw zone the secure version is also locked.
4783 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
4792 bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4798 INSIST(LOCKED_ZONE(zone));
4799 if (inline_raw(zone)) {
4800 INSIST(LOCKED_ZONE(zone->secure));
4806 * Initiate zone transfer? We may need a error code that
4811 if (zone->type == dns_zone_secondary ||
4812 zone->type == dns_zone_mirror ||
4813 zone->type == dns_zone_stub ||
4814 (zone->type == dns_zone_redirect &&
4815 dns_remote_addresses(&zone->primaries) == NULL))
4818 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4822 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4826 zone->masterfile,
4829 } else if (zone->type == dns_zone_primary &&
4830 inline_secure(zone) && result == ISC_R_FILENOTFOUND)
4832 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4835 maybe_send_secure(zone);
4838 if (zone->type == dns_zone_key &&
4843 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, level,
4845 zone->masterfile,
4850 if (zone->type != dns_zone_key) {
4855 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2),
4860 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4862 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
4866 * If there's no master file for a key zone, then the zone is new:
4871 if (noprimary && zone->type == dns_zone_key) {
4872 result = add_soa(zone, db);
4881 if (zone->journal != NULL &&
4882 !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
4883 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
4885 result = zone_journal_rollforward(zone, db, &needdump,
4893 * Obtain ns, soa and cname counts for top of zone.
4896 result = zone_get_from_db(zone, db, &nscount, &soacount, &soattl,
4899 if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
4900 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
4906 * zones, an inline-signing zone will perform this action when
4909 is_dynamic = dns_zone_isdynamic(zone, true);
4911 process_zone_setnsec3param(zone);
4919 if (zone->journal != NULL && is_dynamic &&
4920 !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
4926 result = dns_journal_open(zone->mctx, zone->journal,
4939 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4944 if (remove(zone->journal) < 0 && errno != ENOENT) {
4952 zone->journal, strbuf);
4957 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
4962 * records at the top of the zone.
4965 switch (zone->type) {
4973 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4979 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
4986 if (zone->type == dns_zone_primary && errors != 0) {
4990 if (zone->type != dns_zone_stub &&
4991 zone->type != dns_zone_redirect)
4993 result = check_nsec3param(zone, db);
4998 if (zone->type == dns_zone_primary &&
4999 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
5000 !integrity_checks(zone, db))
5005 if (zone->type == dns_zone_primary &&
5006 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
5007 !zone_check_dup(zone, db))
5013 if (zone->type == dns_zone_primary) {
5014 result = dns_zone_cdscheck(zone, db, NULL);
5016 dns_zone_log(zone, ISC_LOG_ERROR,
5023 result = dns_zone_verifydb(zone, db, NULL);
5028 if (zone->db != NULL) {
5036 zone, zone->db, NULL, &oldsoacount, NULL,
5040 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
5045 INSIST(zone->type == dns_zone_primary);
5046 INSIST(zone->raw == NULL);
5049 zone_unchanged(zone->db, db, zone->mctx))
5051 dns_zone_logc(zone,
5056 zone->loadtime = loadtime;
5063 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5072 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5074 "zone serial (%u/%u) has gone "
5078 strcmp(zone->db_argv[0], "_builtin") != 0)
5080 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5082 "zone serial (%u) unchanged. "
5083 "zone may fail to transfer "
5089 if (zone->type == dns_zone_primary &&
5090 (zone->update_acl != NULL || zone->ssutable != NULL) &&
5091 dns_zone_getsigresigninginterval(zone) < (3 * refresh) &&
5094 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5100 zone->refresh = RANGE(refresh, zone->minrefresh,
5101 zone->maxrefresh);
5102 zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
5103 zone->expire = RANGE(expire, zone->refresh + zone->retry,
5105 zone->soattl = soattl;
5106 zone->minimum = minimum;
5107 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
5109 if (zone->type == dns_zone_secondary ||
5110 zone->type == dns_zone_mirror ||
5111 zone->type == dns_zone_stub ||
5112 (zone->type == dns_zone_redirect &&
5113 dns_remote_addresses(&zone->primaries) != NULL))
5118 result = isc_file_getmodtime(zone->journal, &t);
5120 result = isc_file_getmodtime(zone->masterfile,
5124 DNS_ZONE_TIME_ADD(&t, zone->expire,
5125 &zone->expiretime);
5127 DNS_ZONE_TIME_ADD(&now, zone->retry,
5128 &zone->expiretime);
5131 delay = (zone->retry -
5132 isc_random_uniform((zone->retry * 3) / 4));
5133 DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
5134 if (isc_time_compare(&zone->refreshtime,
5135 &zone->expiretime) >= 0)
5137 DNS_ZONE_SETFLAG(zone,
5139 zone->refreshtime = now;
5141 /* The zone is up to date. */
5142 DNS_ZONE_CLRFLAG(zone,
5154 UNEXPECTED_ERROR("unexpected zone type %d", zone->type);
5162 if (zone->type == dns_zone_primary) {
5163 zone_check_dnskeys(zone, db);
5169 if (zone->type == dns_zone_primary &&
5170 DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
5172 zone->refreshkeytime = now;
5175 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
5176 if (zone->db != NULL) {
5178 result = zone_replacedb(zone, db, false);
5179 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
5184 zone_attachdb(zone, db);
5185 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
5186 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED |
5188 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
5189 inline_raw(zone))
5191 if (zone->secure->db == NULL) {
5192 zone_send_securedb(zone, db);
5194 zone_send_secureserial(zone, serial);
5200 * Finished loading inline-signing zone; need to get status
5203 if (zone->type == dns_zone_primary && inline_secure(zone)) {
5204 maybe_send_secure(zone);
5210 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
5211 zone_journal_compact(zone, zone->db, 0);
5214 if (zone->type == dns_zone_key) {
5215 zone_needdump(zone, 30);
5217 zone_needdump(zone, DNS_DUMP_DELAY);
5221 if (zone->loop != NULL) {
5222 if (zone->type == dns_zone_primary) {
5223 set_resigntime(zone);
5224 resume_signingwithkey(zone);
5225 resume_addnsec3chain(zone);
5228 is_dynamic = dns_zone_isdynamic(zone, false);
5229 if (zone->type == dns_zone_primary && is_dynamic &&
5230 dns_db_issecure(db) && !inline_raw(zone))
5251 zone, ISC_LOG_DEBUG(3),
5257 zone));
5259 dnssec_log(zone, ISC_LOG_WARNING,
5260 "signed dynamic zone has no "
5265 zone_settimer(zone, &now);
5271 for (inc = ISC_LIST_HEAD(zone->includes); inc != NULL;
5272 inc = ISC_LIST_HEAD(zone->includes))
5274 ISC_LIST_UNLINK(zone->includes, inc, link);
5275 isc_mem_free(zone->mctx, inc->name);
5276 isc_mem_put(zone->mctx, inc, sizeof(*inc));
5278 zone->nincludes = 0;
5283 for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
5284 inc = ISC_LIST_HEAD(zone->newincludes))
5286 ISC_LIST_UNLINK(zone->newincludes, inc, link);
5287 ISC_LIST_APPEND(zone->includes, inc, link);
5288 zone->nincludes++;
5292 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
5297 if (!had_db && zone->type == dns_zone_mirror) {
5298 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
5299 "mirror zone is now in use");
5302 zone->loadtime = loadtime;
5307 dns_zone_rpz_disable_db(zone, db);
5308 dns_zone_catz_disable_db(zone, db);
5311 for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
5312 inc = ISC_LIST_HEAD(zone->newincludes))
5314 ISC_LIST_UNLINK(zone->newincludes, inc, link);
5315 isc_mem_free(zone->mctx, inc->name);
5316 isc_mem_put(zone->mctx, inc, sizeof(*inc));
5318 if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
5319 zone->type == dns_zone_stub || zone->type == dns_zone_key ||
5320 (zone->type == dns_zone_redirect &&
5321 dns_remote_addresses(&zone->primaries) != NULL))
5323 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
5326 if (zone->journal != NULL) {
5327 zone_saveunique(zone, zone->journal,
5330 if (zone->masterfile != NULL) {
5331 zone_saveunique(zone, zone->masterfile,
5336 /* Mark the zone for immediate refresh. */
5337 zone->refreshtime = now;
5338 if (zone->loop != NULL) {
5339 zone_settimer(zone, &now);
5342 } else if (zone->type == dns_zone_primary ||
5343 zone->type == dns_zone_redirect)
5345 if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {
5346 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
5349 } else if (zone->type == dns_zone_primary) {
5355 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
5357 * If this is an inline-signed zone and we were called for the raw
5358 * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
5359 * as well, but only if this is a reload, not an initial zone load: in
5361 * zone; in the latter case, it will be. Check which case we are
5363 * secure zone: if it is set, this must be a reload.
5365 if (inline_raw(zone) && DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
5367 DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
5369 * Re-start zone maintenance if it had been stalled
5373 if (zone->secure->loop != NULL) {
5374 zone_settimer(zone->secure, &now);
5378 zone_debuglog(zone, __func__, 99, "done");
5384 exit_check(dns_zone_t *zone) {
5385 REQUIRE(LOCKED_ZONE(zone));
5387 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
5388 isc_refcount_current(&zone->irefs) == 0)
5393 INSIST(isc_refcount_current(&zone->references) == 0);
5400 zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
5409 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS)) {
5413 if (zone->type == dns_zone_primary) {
5440 dns_zone_log(zone, level,
5451 dns_zone_log(zone, level,
5463 dns_zone_log(zone, level,
5475 zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
5499 if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
5500 (zone->type == dns_zone_primary ||
5501 zone->type == dns_zone_secondary ||
5502 zone->type == dns_zone_mirror))
5508 if (dns_name_issubdomain(&ns.name, &zone->origin) &&
5509 !zone_check_ns(zone, db, version, &ns.name, logit))
5602 * zone must be locked.
5605 zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
5615 REQUIRE(zone != NULL);
5625 result = dns_db_findnode(db, &zone->origin, false, &node);
5632 result = zone_count_ns_rr(zone, db, node, version, nscount,
5659 zone_destroy(dns_zone_t *zone) {
5663 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
5664 dns_zone_log(zone, ISC_LOG_DEBUG(1), "final reference detached");
5666 if (zone->loop == NULL) {
5668 * This zone is unmanaged; we're probably running in
5672 zone_shutdown(zone);
5675 * This zone has a loop; it can clean
5678 isc_async_run(zone->loop, zone_shutdown, zone);
5710 dns_zone_t *zone;
5713 * 'zone' locked by caller.
5718 zone = *zonep;
5721 INSIST(isc_refcount_decrement(&zone->irefs) - 1 +
5722 isc_refcount_current(&zone->references) >
5728 dns_zone_t *zone;
5732 zone = *zonep;
5735 if (isc_refcount_decrement(&zone->irefs) == 1) {
5737 LOCK_ZONE(zone);
5738 free_needed = exit_check(zone);
5739 UNLOCK_ZONE(zone);
5741 zone_free(zone);
5747 dns_zone_getmctx(dns_zone_t *zone) {
5748 REQUIRE(DNS_ZONE_VALID(zone));
5750 return zone->mctx;
5754 dns_zone_getmgr(dns_zone_t *zone) {
5755 REQUIRE(DNS_ZONE_VALID(zone));
5757 return zone->zmgr;
5761 dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
5762 REQUIRE(DNS_ZONE_VALID(zone));
5764 LOCK_ZONE(zone);
5765 if (zone->kasp != NULL) {
5766 dns_kasp_detach(&zone->kasp);
5769 dns_kasp_attach(kasp, &zone->kasp);
5771 UNLOCK_ZONE(zone);
5775 dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
5776 REQUIRE(DNS_ZONE_VALID(zone));
5778 LOCK_ZONE(zone);
5779 if (zone->defaultkasp != NULL) {
5780 dns_kasp_detach(&zone->defaultkasp);
5783 dns_kasp_attach(kasp, &zone->defaultkasp);
5785 UNLOCK_ZONE(zone);
5789 dns_zone_getkasp(dns_zone_t *zone) {
5792 REQUIRE(DNS_ZONE_VALID(zone));
5794 LOCK_ZONE(zone);
5795 if (inline_raw(zone) && zone->secure != NULL) {
5796 kasp = zone->secure->kasp;
5798 kasp = zone->kasp;
5800 UNLOCK_ZONE(zone);
5806 dns_zone_setskr(dns_zone_t *zone, dns_skr_t *skr) {
5807 REQUIRE(DNS_ZONE_VALID(zone));
5809 LOCK_ZONE(zone);
5810 zone->skrbundle = NULL;
5811 if (zone->skr != NULL) {
5812 dns_skr_detach(&zone->skr);
5815 dns_skr_attach(skr, &zone->skr);
5817 UNLOCK_ZONE(zone);
5821 dns_zone_getskrbundle(dns_zone_t *zone) {
5824 REQUIRE(DNS_ZONE_VALID(zone));
5826 LOCK_ZONE(zone);
5827 if (inline_raw(zone) && zone->secure != NULL) {
5828 bundle = zone->secure->skrbundle;
5830 bundle = zone->skrbundle;
5832 UNLOCK_ZONE(zone);
5838 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
5839 REQUIRE(DNS_ZONE_VALID(zone));
5842 DNS_ZONE_SETOPTION(zone, option);
5844 DNS_ZONE_CLROPTION(zone, option);
5849 dns_zone_getoptions(dns_zone_t *zone) {
5850 REQUIRE(DNS_ZONE_VALID(zone));
5852 return ISC_ZONE_GET(zone, options);
5856 dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) {
5857 REQUIRE(DNS_ZONE_VALID(zone));
5860 DNS_ZONEKEY_SETOPTION(zone, keyopt);
5862 DNS_ZONEKEY_CLROPTION(zone, keyopt);
5867 dns_zone_getkeyopts(dns_zone_t *zone) {
5868 REQUIRE(DNS_ZONE_VALID(zone));
5870 return ISC_ZONE_GET(zone, keyopts);
5874 dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
5875 REQUIRE(DNS_ZONE_VALID(zone));
5877 LOCK_ZONE(zone);
5878 zone->xfrsource4 = *xfrsource;
5879 UNLOCK_ZONE(zone);
5885 dns_zone_getxfrsource4(dns_zone_t *zone) {
5886 REQUIRE(DNS_ZONE_VALID(zone));
5887 return &zone->xfrsource4;
5891 dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
5892 REQUIRE(DNS_ZONE_VALID(zone));
5894 LOCK_ZONE(zone);
5895 zone->xfrsource6 = *xfrsource;
5896 UNLOCK_ZONE(zone);
5902 dns_zone_getxfrsource6(dns_zone_t *zone) {
5903 REQUIRE(DNS_ZONE_VALID(zone));
5904 return &zone->xfrsource6;
5908 dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
5909 REQUIRE(DNS_ZONE_VALID(zone));
5911 LOCK_ZONE(zone);
5912 zone->parentalsrc4 = *parentalsrc;
5913 UNLOCK_ZONE(zone);
5919 dns_zone_getparentalsrc4(dns_zone_t *zone) {
5920 REQUIRE(DNS_ZONE_VALID(zone));
5921 return &zone->parentalsrc4;
5925 dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
5926 REQUIRE(DNS_ZONE_VALID(zone));
5928 LOCK_ZONE(zone);
5929 zone->parentalsrc6 = *parentalsrc;
5930 UNLOCK_ZONE(zone);
5936 dns_zone_getparentalsrc6(dns_zone_t *zone) {
5937 REQUIRE(DNS_ZONE_VALID(zone));
5938 return &zone->parentalsrc6;
5942 dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
5943 REQUIRE(DNS_ZONE_VALID(zone));
5945 LOCK_ZONE(zone);
5946 zone->notifysrc4 = *notifysrc;
5947 UNLOCK_ZONE(zone);
5953 dns_zone_getnotifysrc4(dns_zone_t *zone) {
5954 REQUIRE(DNS_ZONE_VALID(zone));
5955 return &zone->notifysrc4;
5959 dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
5960 REQUIRE(DNS_ZONE_VALID(zone));
5962 LOCK_ZONE(zone);
5963 zone->notifysrc6 = *notifysrc;
5964 UNLOCK_ZONE(zone);
5970 dns_zone_getnotifysrc6(dns_zone_t *zone) {
5971 REQUIRE(DNS_ZONE_VALID(zone));
5972 return &zone->notifysrc6;
5976 dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *addresses,
5981 REQUIRE(DNS_ZONE_VALID(zone));
5983 LOCK_ZONE(zone);
5992 if (dns_remote_equal(&zone->notify, &remote)) {
5996 dns_remote_clear(&zone->notify);
6008 dns_remote_init(&zone->notify, count, addresses, sources, keynames,
6009 tlsnames, true, zone->mctx);
6012 UNLOCK_ZONE(zone);
6026 report_no_active_addresses(dns_zone_t *zone, isc_sockaddr_t *addresses,
6030 dns_zone_log(zone, ISC_LOG_NOTICE,
6035 dns_zone_log(zone, ISC_LOG_NOTICE,
6042 dns_zone_setprimaries(dns_zone_t *zone, isc_sockaddr_t *addresses,
6047 REQUIRE(DNS_ZONE_VALID(zone));
6049 LOCK_ZONE(zone);
6064 if (!dns_remote_equal(&zone->primaries, &remote)) {
6065 if (zone->request != NULL) {
6066 dns_request_cancel(zone->request);
6072 dns_remote_clear(&zone->primaries);
6081 report_no_active_addresses(zone, addresses, count, "primaries");
6086 dns_remote_init(&zone->primaries, count, addresses, sources, keynames,
6087 tlsnames, true, zone->mctx);
6089 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOPRIMARIES);
6092 UNLOCK_ZONE(zone);
6096 dns_zone_setparentals(dns_zone_t *zone, isc_sockaddr_t *addresses,
6101 REQUIRE(DNS_ZONE_VALID(zone));
6103 LOCK_ZONE(zone);
6112 if (dns_remote_equal(&zone->parentals, &remote)) {
6116 dns_remote_clear(&zone->parentals);
6125 report_no_active_addresses(zone, addresses, count, "parental-agents");
6130 dns_remote_init(&zone->parentals, count, addresses, sources, keynames,
6131 tlsnames, true, zone->mctx);
6133 dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: set %u parentals", count);
6136 UNLOCK_ZONE(zone);
6140 dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
6143 REQUIRE(DNS_ZONE_VALID(zone));
6145 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
6146 if (zone->db == NULL) {
6149 dns_db_attach(zone->db, dpb);
6151 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
6157 dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
6158 REQUIRE(DNS_ZONE_VALID(zone));
6159 REQUIRE(zone->type == dns_zone_staticstub);
6161 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
6162 REQUIRE(zone->db == NULL);
6163 dns_db_attach(db, &zone->db);
6164 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
6168 was_dumping(dns_zone_t *zone) {
6169 REQUIRE(LOCKED_ZONE(zone));
6171 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
6175 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
6176 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
6177 isc_time_settoepoch(&zone->dumptime);
6182 keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx,
6184 const char *directory = zone->keydirectory;
6185 dns_kasp_t *kasp = zone->kasp;
6203 zone->keydirectory);
6225 findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6257 result = keyfromfile(zone, pubkey, mctx, &keys[count]);
6270 result = keyfromfile(zone, pubkey, mctx,
6384 * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
6389 dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6395 REQUIRE(DNS_ZONE_VALID(zone));
6402 dns_zone_lock_keyfiles(zone);
6404 result = findzonekeys(zone, db, ver, node, dns_db_origin(db), now, mctx,
6407 dns_zone_unlock_keyfiles(zone);
6422 * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys
6426 dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
6429 const char *dir = dns_zone_getkeydirectory(zone);
6433 dns_name_t *origin = dns_zone_getorigin(zone);
6434 dns_kasp_t *kasp = zone->kasp;
6437 REQUIRE(DNS_ZONE_VALID(zone));
6447 dns_zone_lock_keyfiles(zone);
6448 result = dns_dnssec_findmatchingkeys(origin, kasp, dir, zone->keystores,
6449 now, dns_zone_getmctx(zone), keys);
6450 dns_zone_unlock_keyfiles(zone);
6462 origin, kasp, dir, dns_zone_getmctx(zone), &keyset,
6499 dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
6525 set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when,
6530 LOCK_ZONE(zone);
6531 zone->key_expiry = when;
6533 dns_zone_log(zone, ISC_LOG_ERROR,
6535 isc_time_settoepoch(&zone->keywarntime);
6540 dns_zone_log(zone, ISC_LOG_WARNING,
6547 isc_time_set(&zone->keywarntime, when - delta, 0);
6549 isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
6550 isc_time_formattimestamp(&zone->keywarntime, timebuf, 80);
6551 dns_zone_log(zone, ISC_LOG_NOTICE, "setting keywarntime to %s",
6554 UNLOCK_ZONE(zone);
6653 del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
6661 dns_kasp_t *kasp = zone->kasp;
6742 if (zone->log_key_expired_timer <= now) {
6745 dns_name_format(&zone->origin, origin,
6750 dns_zone_log(zone, ISC_LOG_WARNING,
6757 zone->log_key_expired_timer = now +
6838 set_key_expiry_warning(zone, (isc_stdtime_t)timewarn,
6841 dns_zone_log(zone, ISC_LOG_ERROR,
6853 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
6868 if (zone->kasp != NULL) {
6870 offlineksk = dns_kasp_offlineksk(zone->kasp);
6963 type != zone->privatetype)
6974 * This key is not active for zone-signing.
7014 dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
7034 dnssecsignstats = dns_zone_getdnssecsignstats(zone);
7060 calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
7068 isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
7071 if (zone->kasp != NULL) {
7072 jitter = dns_kasp_sigjitter(zone->kasp);
7073 sigvalidity = dns_kasp_sigvalidity(zone->kasp);
7107 zone_resigninc(dns_zone_t *zone) {
7124 dns_diff_init(zone->mctx, &_sig_diff);
7130 if (zone->update_disabled) {
7135 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
7136 if (zone->db != NULL) {
7137 dns_db_attach(zone->db, &db);
7139 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
7147 dns_zone_log(zone, ISC_LOG_ERROR,
7155 result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
7158 dns_zone_log(zone, ISC_LOG_ERROR,
7164 calculate_rrsig_validity(zone, now, &inception, &soaexpire, &expire,
7172 dns_zone_log(zone, ISC_LOG_ERROR,
7181 resign -= dns_zone_getsigresigninginterval(zone);
7185 * entire zone. The SOA record should always be the most
7190 dns_name_equal(name, &zone->origin)) ||
7191 i++ > zone->signatures || resign > stop)
7196 result = del_sigs(zone, db, version, name, covers, &zonediff,
7199 dns_zone_log(zone, ISC_LOG_ERROR,
7211 result = add_sigs(db, version, name, zone, covers,
7212 zonediff.diff, zone_keys, nkeys, zone->mctx,
7216 dns_zone_log(zone, ISC_LOG_ERROR,
7227 dns_zone_log(zone, ISC_LOG_ERROR,
7238 result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
7241 dns_zone_log(zone, ISC_LOG_ERROR,
7248 * Did we change anything in the zone?
7261 result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
7262 zone->updatemethod);
7264 dns_zone_log(zone, ISC_LOG_ERROR,
7274 result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
7275 zonediff.diff, zone_keys, nkeys, zone->mctx, now,
7278 dns_zone_log(zone, ISC_LOG_ERROR,
7285 CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc"));
7302 LOCK_ZONE(zone);
7304 set_resigntime(zone);
7305 zone_needdump(zone, DNS_DUMP_DELAY);
7306 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
7313 isc_time_nowplusinterval(&zone->resigntime, &ival);
7315 UNLOCK_ZONE(zone);
7364 signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
7372 dns_kasp_t *kasp = zone->kasp;
7399 if (zone->kasp != NULL) {
7507 sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
7523 if (zone->kasp != NULL) {
7524 offlineksk = dns_kasp_offlineksk(zone->kasp);
7612 if (zone->kasp != NULL) {
7622 if (signed_with_good_key(zone, db, node, version, rdataset.type,
7632 dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
7650 dnssecsignstats = dns_zone_getdnssecsignstats(zone);
7718 updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
7736 zone->privatetype, dns_rdatatype_none, 0,
7770 * we need to sign the zone with the matching key across a
7778 DNS_DIFFOP_DEL, &zone->origin,
7789 * finished signing the zone with this key. If it is already
7799 rdata.type = zone->privatetype;
7802 &zone->origin, rdataset.ttl, &rdata));
7828 * Called from zone_nsec3chain() in order to update zone records indicating
7846 * 0, indicating that this NSEC3 chain is now complete for this zone.
8236 * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in
8243 dns_zone_t *zone, isc_stdtime_t inception,
8258 result = del_sigs(zone, db, version, &tuple->name,
8262 dns_zone_log(zone, ISC_LOG_ERROR,
8267 result = add_sigs(db, version, &tuple->name, zone,
8269 nkeys, zone->mctx, now, inception, exp);
8271 dns_zone_log(zone, ISC_LOG_ERROR,
8294 zone_nsec3chain(dns_zone_t *zone) {
8324 dns_rdatatype_t privatetype = zone->privatetype;
8331 dns_diff_init(zone->mctx, ¶m_diff);
8332 dns_diff_init(zone->mctx, &nsec3_diff);
8333 dns_diff_init(zone->mctx, &nsec_diff);
8334 dns_diff_init(zone->mctx, &_sig_diff);
8341 if (zone->update_disabled) {
8346 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
8348 * This function is called when zone timer fires, after the latter gets
8350 * zone_addnsec3chain() is closely followed by a zone deletion request,
8352 * after the zone is deleted by rmzone(), which calls dns_db_detach()
8353 * for zone->db, causing the latter to become NULL. Return immediately
8356 if (zone->db != NULL) {
8357 dns_db_attach(zone->db, &db);
8359 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
8366 dnssec_log(zone, ISC_LOG_ERROR,
8374 result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
8377 dnssec_log(zone, ISC_LOG_ERROR,
8383 calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
8391 nodes = zone->nodes;
8392 signatures = zone->signatures;
8393 LOCK_ZONE(zone);
8394 nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
8395 UNLOCK_ZONE(zone);
8404 * The following while loop iterates over nodes in the zone database,
8408 * from the zone database; if so, the database iterator is reset to
8426 LOCK_ZONE(zone);
8429 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
8430 if (nsec3chain->done || nsec3chain->db != zone->db) {
8431 ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
8434 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
8435 UNLOCK_ZONE(zone);
8487 * Check to see if this is a bottom of zone node.
8539 zone_nsecttl(zone), unsecure, &nsec3_diff);
8541 dnssec_log(zone, ISC_LOG_ERROR,
8572 LOCK_ZONE(zone);
8573 ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8575 UNLOCK_ZONE(zone);
8591 LOCK_ZONE(zone);
8592 ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8594 UNLOCK_ZONE(zone);
8598 dnssec_log(zone, ISC_LOG_ERROR,
8639 * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
8640 * NSEC chain by iterating over all nodes in the zone database and only
8647 LOCK_ZONE(zone);
8648 nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
8649 UNLOCK_ZONE(zone);
8655 LOCK_ZONE(zone);
8657 UNLOCK_ZONE(zone);
8678 dnssec_log(zone, ISC_LOG_ERROR,
8687 dnssec_log(zone, ISC_LOG_DEBUG(3),
8705 dnssec_log(zone, ISC_LOG_ERROR,
8720 dnssec_log(zone, ISC_LOG_ERROR,
8751 * Check to see if this is a bottom of zone node.
8800 zone_nsecttl(zone), delegation,
8820 LOCK_ZONE(zone);
8821 ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
8823 UNLOCK_ZONE(zone);
8829 dnssec_log(zone, ISC_LOG_ERROR,
8837 dnssec_log(zone, ISC_LOG_ERROR,
8869 * We may need to update the NSEC/NSEC3 records for the zone apex.
8878 dnssec_log(zone, ISC_LOG_ERROR,
8903 result = updatesecure(db, version, &zone->origin,
8904 zone_nsecttl(zone), true,
8907 dnssec_log(zone, ISC_LOG_ERROR,
8921 zone_nsecttl(zone), false, &nsec3_diff);
8923 dnssec_log(zone, ISC_LOG_ERROR,
8939 nkeys, zone, inception, expire, 0, now,
8942 dnssec_log(zone, ISC_LOG_ERROR,
8953 nkeys, zone, inception, expire, 0, now,
8956 dnssec_log(zone, ISC_LOG_ERROR,
8963 result = updatesecure(db, version, &zone->origin,
8964 zone_nsecttl(zone), false, &nsec_diff);
8966 dnssec_log(zone, ISC_LOG_ERROR,
8974 zone, inception, expire, 0, now,
8977 dnssec_log(zone, ISC_LOG_ERROR,
8984 * If we made no effective changes to the zone then we can just
8995 result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
8998 dnssec_log(zone, ISC_LOG_ERROR,
9004 result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
9005 zone->updatemethod);
9007 dnssec_log(zone, ISC_LOG_ERROR,
9013 result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
9014 zonediff.diff, zone_keys, nkeys, zone->mctx, now,
9017 dnssec_log(zone, ISC_LOG_ERROR,
9024 CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain"));
9026 LOCK_ZONE(zone);
9027 zone_needdump(zone, DNS_DUMP_DELAY);
9028 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
9029 UNLOCK_ZONE(zone);
9035 LOCK_ZONE(zone);
9036 for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
9041 UNLOCK_ZONE(zone);
9057 isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
9061 LOCK_ZONE(zone);
9062 set_resigntime(zone);
9063 UNLOCK_ZONE(zone);
9067 dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
9078 isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
9096 isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
9098 LOCK_ZONE(zone);
9099 ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
9100 UNLOCK_ZONE(zone);
9109 LOCK_ZONE(zone);
9110 for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
9115 UNLOCK_ZONE(zone);
9140 LOCK_ZONE(zone);
9141 if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
9143 if (zone->update_disabled || result != ISC_R_SUCCESS) {
9148 isc_time_nowplusinterval(&zone->nsec3chaintime, &interval);
9150 isc_time_settoepoch(&zone->nsec3chaintime);
9152 UNLOCK_ZONE(zone);
9264 * Prevent the zone entering a inconsistent state where
9268 dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
9277 REQUIRE(DNS_ZONE_VALID(zone));
9280 privatetype = dns_zone_getprivatetype(zone);
9311 /* Scan the zone keys for an NSEC-only DNSKEY */
9345 dns_kasp_t *kasp = zone->kasp;
9363 * Incrementally sign the zone using the keys requested.
9367 zone_sign(dns_zone_t *zone) {
9402 dns_diff_init(zone->mctx, &_sig_diff);
9403 dns_diff_init(zone->mctx, &post_diff);
9410 if (zone->update_disabled) {
9415 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
9416 if (zone->db != NULL) {
9417 dns_db_attach(zone->db, &db);
9419 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9427 dnssec_log(zone, ISC_LOG_ERROR,
9435 result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
9438 dnssec_log(zone, ISC_LOG_ERROR,
9444 kasp = zone->kasp;
9446 calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
9454 nodes = zone->nodes;
9455 signatures = zone->signatures;
9456 signing = ISC_LIST_HEAD(zone->signing);
9462 dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
9466 CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
9472 zone, db, version, NULL,
9475 dnssec_log(zone, ISC_LOG_INFO,
9493 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
9494 if (signing->done || signing->db != zone->db) {
9496 * The zone has been reloaded. We will have to
9500 ISC_LIST_UNLINK(zone->signing, signing, link);
9502 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9505 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
9674 db, zone, name, node, version, build_nsec3,
9676 expire, zone_nsecttl(zone), both, is_ksk,
9678 &signatures, zone->mctx));
9703 ISC_LIST_UNLINK(zone->signing, signing, link);
9709 * zone with a zone signing key.
9712 * for the zone. We can now clear the
9716 db, version, &zone->origin,
9717 zone_nsecttl(zone), false,
9720 dnssec_log(zone, ISC_LOG_ERROR,
9728 zone, signing, version, build_nsec3,
9729 zone_nsecttl(zone), &post_diff);
9731 dnssec_log(zone, ISC_LOG_ERROR,
9739 dnssec_log(zone, ISC_LOG_ERROR,
9765 zone_keys, nkeys, zone, inception,
9768 dnssec_log(zone, ISC_LOG_ERROR,
9788 result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
9791 dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s",
9796 result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
9797 zone->updatemethod);
9799 dnssec_log(zone, ISC_LOG_ERROR,
9809 result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
9810 zonediff.diff, zone_keys, nkeys, zone->mctx, now,
9813 dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
9821 CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign"));
9827 for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
9852 isc_mem_put(zone->mctx, signing, sizeof *signing);
9856 LOCK_ZONE(zone);
9857 set_resigntime(zone);
9859 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
9860 zone_needdump(zone, DNS_DUMP_DELAY);
9862 UNLOCK_ZONE(zone);
9866 dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
9874 for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
9886 ISC_LIST_PREPEND(zone->signing, signing, link);
9910 LOCK_ZONE(zone);
9911 if (ISC_LIST_HEAD(zone->signing) != NULL) {
9913 if (zone->update_disabled || result != ISC_R_SUCCESS) {
9918 isc_time_nowplusinterval(&zone->signingtime, &interval);
9920 isc_time_settoepoch(&zone->signingtime);
9922 UNLOCK_ZONE(zone);
9963 * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
9964 * a KEYDATA rdataset from the key zone.
10006 * Calculate the refresh interval for a keydata zone, per
10082 * hold zone lock.
10092 dns_zone_t *zone = kfetch->zone;
10117 set_refreshkeytimer(zone, &keydata, now, false);
10121 CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass,
10155 mctx = kfetch->zone->view->mctx;
10187 dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3),
10203 * A DNSKEY set has been fetched from the zone apex of a zone whose trust
10204 * anchors are being managed; scan the keyset, and update the key zone and the
10212 dns_zone_t *zone = NULL;
10245 zone = kfetch->zone;
10264 LOCK_ZONE(zone);
10265 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
10272 result = dns_view_getsecroots(zone->view, &secroots);
10279 zone->refreshkeycount--;
10280 alldone = (zone->refreshkeycount == 0);
10283 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
10286 dnssec_log(zone, ISC_LOG_DEBUG(3),
10292 dnssec_log(zone, ISC_LOG_WARNING,
10301 dnssec_log(zone, ISC_LOG_WARNING,
10378 dnssec_log(zone, ISC_LOG_DEBUG(3),
10379 "Verifying DNSKEY set for zone "
10406 dnssec_log(zone, ISC_LOG_INFO,
10407 "DNSKEY set for zone '%s' could not be verified "
10418 * be removed from the key zone
10443 dns_zone_log(zone, ISC_LOG_ERROR,
10444 "Cannot compute tag for key in zone %s: "
10456 * automatically trust all the keys we find at the zone apex.
10472 dnssec_log(zone, ISC_LOG_INFO,
10473 "Pending key %d for zone %s "
10484 dnssec_log(zone, ISC_LOG_INFO,
10485 "Active key %d for zone %s "
10493 zone, ISC_LOG_INFO,
10494 "Revoked key %d for zone %s no longer "
10515 dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10524 set_refreshkeytimer(zone, &keydata, now, false);
10531 * add them to the key zone and set the acceptance timer
10533 * determined that we're initializing the zone for the
10536 * must be scheduled for removal from the key zone (or,
10570 dns_zone_log(zone, ISC_LOG_ERROR,
10571 "Cannot compute tag for key in zone %s: "
10594 dnssec_log(zone, ISC_LOG_INFO,
10596 "zone %s is now revoked: "
10604 dns_view_untrust(zone->view, keyname,
10618 dnssec_log(zone, ISC_LOG_INFO,
10620 "zone %s is now revoked",
10626 dnssec_log(zone, ISC_LOG_INFO,
10628 "zone %s removal timer "
10634 dnssec_log(zone, ISC_LOG_WARNING,
10635 "Active key %d for zone "
10656 dnssec_log(zone, ISC_LOG_INFO,
10658 "zone %s has returned: "
10670 dnssec_log(zone, ISC_LOG_INFO,
10671 "Key %d for zone %s "
10686 dnssec_log(zone, ISC_LOG_INFO,
10688 "for zone %s was "
10699 * Key wasn't in the key zone but it's
10706 /* Key wasn't in the key zone: add it */
10710 dnssec_log(zone, ISC_LOG_WARNING,
10712 "anchor management for zone '%s'; "
10719 dnssec_log(zone, ISC_LOG_INFO,
10721 "for zone '%s': "
10746 dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10766 dns_rdata_fromstruct(&keydatarr, zone->rdclass,
10770 /* Insert into key zone */
10780 trust_key(zone, keyname, &dnskey, false);
10785 set_refreshkeytimer(zone, &keydata, now, false);
10794 * zone would suddenly be nonsecured. We avoid this by checking to
10796 * the security roots; then all queries to the zone will fail.
10799 fail_secure(zone, keyname);
10805 CHECK(update_soa_serial(zone, kfetch->db, ver, &diff, mctx,
10806 zone->updatemethod));
10807 CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done"));
10810 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
10811 zone_needdump(zone, 30);
10827 dnssec_log(zone, ISC_LOG_ERROR,
10840 isc_refcount_decrement(&zone->irefs);
10860 free_needed = exit_check(zone);
10861 UNLOCK_ZONE(zone);
10864 zone_free(zone);
10873 dns_zone_t *zone = kfetch->zone;
10878 dnssec_log(zone, ISC_LOG_WARNING,
10884 LOCK_ZONE(zone);
10885 zone->refreshkeycount--;
10886 isc_refcount_decrement(&zone->irefs);
10889 dns_name_free(kname, zone->mctx);
10892 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10898 zone->refreshkeytime = timethen;
10899 zone_settimer(zone, &timenow);
10901 isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
10902 dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
10906 free_needed = exit_check(zone);
10907 UNLOCK_ZONE(zone);
10910 zone_free(zone);
10920 dns_zone_t *zone = kfetch->zone;
10924 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10928 result = dns_view_getresolver(zone->view, &resolver);
10944 0, options, 0, NULL, zone->loop, keyfetch_done, kfetch,
10956 * Refresh the data in the key zone. Initiate a fetch to look up
10960 zone_refreshkeys(dns_zone_t *zone) {
10974 REQUIRE(zone->db != NULL);
10976 LOCK_ZONE(zone);
10977 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
10978 isc_time_settoepoch(&zone->refreshkeytime);
10979 UNLOCK_ZONE(zone);
10983 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
10984 dns_db_attach(zone->db, &db);
10985 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
10987 dns_diff_init(zone->mctx, &diff);
10991 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
11041 set_refreshkeytimer(zone, &kd, now, false);
11056 kfetch = isc_mem_get(zone->mctx,
11058 *kfetch = (dns_keyfetch_t){ .zone = zone };
11059 isc_mem_attach(zone->mctx, &kfetch->mctx);
11061 zone->refreshkeycount++;
11062 isc_refcount_increment0(&zone->irefs);
11064 dns_name_dup(name, zone->mctx, kname);
11075 dnssec_log(zone, ISC_LOG_DEBUG(3),
11081 isc_async_run(zone->loop, do_keyfetch, kfetch);
11088 CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
11089 zone->updatemethod));
11090 CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
11092 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
11093 zone_needdump(zone, 30);
11098 isc_time_settoepoch(&zone->refreshkeytime);
11102 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
11112 UNLOCK_ZONE(zone);
11118 zone_maintenance(dns_zone_t *zone) {
11124 REQUIRE(DNS_ZONE_VALID(zone));
11132 LOCK_ZONE(zone);
11133 load_pending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
11134 exiting = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING);
11135 if (!load_pending && !exiting && zone->view != NULL) {
11137 dns_view_getadb(zone->view, &adb);
11143 UNLOCK_ZONE(zone);
11154 switch (zone->type) {
11156 if (dns_remote_addresses(&zone->primaries) == NULL) {
11163 LOCK_ZONE(zone);
11164 if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
11165 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
11167 zone_expire(zone);
11168 zone->refreshtime = now;
11170 UNLOCK_ZONE(zone);
11179 switch (zone->type) {
11181 if (dns_remote_addresses(&zone->primaries) == NULL) {
11188 LOCK_ZONE(zone);
11189 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
11190 isc_time_compare(&now, &zone->refreshtime) >= 0)
11192 zone_refresh(zone);
11194 UNLOCK_ZONE(zone);
11204 LOCK_ZONE(zone);
11205 notify = (zone->type == dns_zone_secondary ||
11206 zone->type == dns_zone_mirror) &&
11207 (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
11208 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
11209 isc_time_compare(&now, &zone->notifytime) >= 0;
11210 UNLOCK_ZONE(zone);
11213 zone_notify(zone, &now);
11219 switch (zone->type) {
11226 LOCK_ZONE(zone);
11227 if (zone->masterfile != NULL &&
11228 isc_time_compare(&now, &zone->dumptime) >= 0 &&
11229 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
11230 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP))
11232 dumping = was_dumping(zone);
11236 UNLOCK_ZONE(zone);
11238 result = zone_dump(zone, true); /* loop locked */
11240 dns_zone_log(zone, ISC_LOG_WARNING,
11253 switch (zone->type) {
11256 LOCK_ZONE(zone);
11257 notify = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
11258 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
11259 isc_time_compare(&now, &zone->notifytime) >= 0;
11260 UNLOCK_ZONE(zone);
11262 zone_notify(zone, &now);
11271 switch (zone->type) {
11273 LOCK_ZONE(zone);
11274 refreshkeys = isc_time_compare(&now, &zone->refreshkeytime) >=
11276 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
11277 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING);
11278 UNLOCK_ZONE(zone);
11280 zone_refreshkeys(zone);
11284 LOCK_ZONE(zone);
11285 if (zone->rss != NULL) {
11286 isc_time_settoepoch(&zone->refreshkeytime);
11287 UNLOCK_ZONE(zone);
11290 rekey = (!isc_time_isepoch(&zone->refreshkeytime) &&
11291 isc_time_compare(&now, &zone->refreshkeytime) >= 0);
11292 UNLOCK_ZONE(zone);
11294 zone_rekey(zone);
11300 switch (zone->type) {
11307 LOCK_ZONE(zone);
11308 if (zone->rss != NULL) {
11309 isc_time_settoepoch(&zone->signingtime);
11310 isc_time_settoepoch(&zone->resigntime);
11311 isc_time_settoepoch(&zone->nsec3chaintime);
11312 isc_time_settoepoch(&zone->keywarntime);
11313 UNLOCK_ZONE(zone);
11316 sign = !isc_time_isepoch(&zone->signingtime) &&
11317 isc_time_compare(&now, &zone->signingtime) >= 0;
11318 resign = !isc_time_isepoch(&zone->resigntime) &&
11319 isc_time_compare(&now, &zone->resigntime) >= 0;
11320 chain = !isc_time_isepoch(&zone->nsec3chaintime) &&
11321 isc_time_compare(&now, &zone->nsec3chaintime) >= 0;
11322 warn_expire = !isc_time_isepoch(&zone->keywarntime) &&
11323 isc_time_compare(&now, &zone->keywarntime) >= 0;
11324 UNLOCK_ZONE(zone);
11327 zone_sign(zone);
11329 zone_resigninc(zone);
11331 zone_nsec3chain(zone);
11338 set_key_expiry_warning(zone, zone->key_expiry,
11346 LOCK_ZONE(zone);
11347 zone_settimer(zone, &now);
11348 UNLOCK_ZONE(zone);
11352 dns_zone_markdirty(dns_zone_t *zone) {
11358 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
11363 LOCK_ZONE(zone);
11364 if (zone->type == dns_zone_primary) {
11365 if (inline_raw(zone)) {
11367 secure = zone->secure;
11368 INSIST(secure != zone);
11371 UNLOCK_ZONE(zone);
11377 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
11378 if (zone->db != NULL) {
11380 zone, zone->db, NULL, &soacount, NULL,
11385 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
11387 zone_send_secureserial(zone, serial);
11393 set_resigntime(zone);
11394 if (zone->loop != NULL) {
11397 zone_settimer(zone, &now);
11404 zone_needdump(zone, DNS_DUMP_DELAY);
11405 UNLOCK_ZONE(zone);
11409 dns_zone_expire(dns_zone_t *zone) {
11410 REQUIRE(DNS_ZONE_VALID(zone));
11412 LOCK_ZONE(zone);
11413 zone_expire(zone);
11414 UNLOCK_ZONE(zone);
11418 zone_expire(dns_zone_t *zone) {
11422 * 'zone' locked by caller.
11425 REQUIRE(LOCKED_ZONE(zone));
11427 dns_zone_log(zone, ISC_LOG_WARNING, "expired");
11429 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
11430 zone->refresh = DNS_ZONE_DEFAULTREFRESH;
11431 zone->retry = DNS_ZONE_DEFAULTRETRY;
11432 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
11435 * An RPZ zone has expired; before unloading it, we must
11441 if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
11443 dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
11445 CHECK(dns_db_create(zone->mctx, ZONEDB_DEFAULT, &zone->origin,
11446 dns_dbtype_zone, zone->rdclass, 0, NULL,
11449 dns_zone_log(zone, ISC_LOG_WARNING,
11450 "response-policy zone expired; "
11459 zone_unload(zone);
11463 zone_refresh(dns_zone_t *zone) {
11468 REQUIRE(DNS_ZONE_VALID(zone));
11469 REQUIRE(LOCKED_ZONE(zone));
11471 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
11480 oldflags = ISC_ZONE_GET(zone, flags);
11481 if (dns_remote_addresses(&zone->primaries) == NULL) {
11482 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOPRIMARIES);
11484 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
11490 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
11491 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
11499 * If we are successful it will be reset using zone->refresh.
11501 isc_interval_set(&i, zone->retry - isc_random_uniform(zone->retry / 4),
11503 result = isc_time_nowplusinterval(&zone->refreshtime, &i);
11505 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_WARNING,
11515 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) {
11516 zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
11519 dns_remote_reset(&zone->primaries, true);
11522 queue_soa_query(zone);
11527 dns_zone_t *zone = arg;
11529 LOCK_ZONE(zone);
11530 zone_refresh(zone);
11531 UNLOCK_ZONE(zone);
11533 dns_zone_detach(&zone);
11537 dns_zone_refresh(dns_zone_t *zone) {
11538 REQUIRE(DNS_ZONE_VALID(zone));
11540 dns_zone_ref(zone);
11541 isc_async_run(zone->loop, zone_refresh_async, zone);
11545 zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
11551 if (zone->type == dns_zone_primary &&
11552 (inline_secure(zone) ||
11553 (zone->update_acl != NULL || zone->ssutable != NULL)))
11560 result = dns_journal_open(zone->mctx, zone->journal, DNS_JOURNAL_READ,
11563 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(3),
11567 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11574 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
11589 zone, DNS_LOGCATEGORY_ZONELOAD,
11595 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
11606 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11608 "with zone");
11612 dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
11621 zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial) {
11628 INSIST(LOCKED_ZONE(zone));
11629 if (inline_raw(zone)) {
11630 INSIST(LOCKED_ZONE(zone->secure));
11633 journalsize = zone->journalsize;
11640 dns_zone_log(zone, ISC_LOG_ERROR,
11642 "could not get zone size: %s",
11648 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIXJOURNAL)) {
11650 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
11651 zone_debuglog(zone, __func__, 1, "repair full journal");
11653 zone_debuglog(zone, __func__, 1, "target journal size %d",
11656 result = dns_journal_compact(zone->mctx, zone->journal, serial, options,
11662 dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_journal_compact: %s",
11666 dns_zone_log(zone, ISC_LOG_ERROR,
11674 dns_zone_flush(dns_zone_t *zone) {
11678 REQUIRE(DNS_ZONE_VALID(zone));
11680 LOCK_ZONE(zone);
11681 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
11682 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
11683 zone->masterfile != NULL)
11685 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
11687 dumping = was_dumping(zone);
11691 UNLOCK_ZONE(zone);
11693 result = zone_dump(zone, true);
11699 dns_zone_dump(dns_zone_t *zone) {
11703 REQUIRE(DNS_ZONE_VALID(zone));
11705 LOCK_ZONE(zone);
11706 dumping = was_dumping(zone);
11707 UNLOCK_ZONE(zone);
11709 result = zone_dump(zone, false);
11715 zone_needdump(dns_zone_t *zone, unsigned int delay) {
11720 * 'zone' locked by caller
11723 REQUIRE(DNS_ZONE_VALID(zone));
11724 REQUIRE(LOCKED_ZONE(zone));
11730 if (zone->masterfile == NULL ||
11731 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
11740 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
11741 if (isc_time_isepoch(&zone->dumptime) ||
11742 isc_time_compare(&zone->dumptime, &dumptime) > 0)
11744 zone->dumptime = dumptime;
11746 if (zone->loop != NULL) {
11747 zone_settimer(zone, &now);
11753 dns_zone_t *zone = arg;
11762 REQUIRE(DNS_ZONE_VALID(zone));
11767 * Adjust modification time of zone file to preserve expire timing.
11769 if ((zone->type == dns_zone_secondary ||
11770 zone->type == dns_zone_mirror ||
11771 zone->type == dns_zone_redirect) &&
11774 LOCK_ZONE(zone);
11777 isc_interval_set(&i, zone->expire, 0);
11778 result = isc_time_subtract(&zone->expiretime, &i, &when);
11780 (void)isc_file_settime(zone->masterfile, &when);
11784 UNLOCK_ZONE(zone);
11787 if (result == ISC_R_SUCCESS && zone->journal != NULL) {
11789 * We don't own these, zone->dctx must stay valid.
11791 db = dns_dumpctx_db(zone->dumpctx);
11792 version = dns_dumpctx_version(zone->dumpctx);
11799 LOCK_ZONE(zone);
11800 if (inline_raw(zone)) {
11801 secure = zone->secure;
11802 INSIST(secure != zone);
11805 UNLOCK_ZONE(zone);
11813 * If there is a secure version of this zone
11822 mresult = dns_db_getsoaserial(zone->secure->db,
11832 if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
11834 if (dns_zone_getdb(zone, &zdb) == ISC_R_SUCCESS) {
11835 zone_journal_compact(zone, zdb, serial);
11840 zone->compact_serial = serial;
11845 UNLOCK_ZONE(zone);
11848 LOCK_ZONE(zone);
11849 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
11851 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
11853 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN)) {
11856 * the zone are gone, which means it is in the process of being
11859 * Detach from the raw version of the zone in case this
11862 if (zone->raw != NULL) {
11863 dns_zone_detach(&zone->raw);
11866 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
11872 zone_needdump(zone, DNS_DUMP_DELAY);
11874 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
11875 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
11876 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
11878 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
11879 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
11880 isc_time_settoepoch(&zone->dumptime);
11883 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
11886 if (zone->dumpctx != NULL) {
11887 dns_dumpctx_detach(&zone->dumpctx);
11889 UNLOCK_ZONE(zone);
11891 (void)zone_dump(zone, false);
11893 dns_zone_idetach(&zone);
11897 zone_dump(dns_zone_t *zone, bool compact) {
11911 REQUIRE(DNS_ZONE_VALID(zone));
11915 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
11916 if (zone->db != NULL) {
11917 dns_db_attach(zone->db, &db);
11919 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
11920 LOCK_ZONE(zone);
11921 if (zone->masterfile != NULL) {
11922 masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
11923 masterformat = zone->masterformat;
11925 if (zone->type == dns_zone_key) {
11927 } else if (zone->masterstyle != NULL) {
11928 masterstyle = zone->masterstyle;
11932 UNLOCK_ZONE(zone);
11946 if (inline_secure(zone)) {
11947 get_raw_serial(zone->raw, &rawdata);
11950 if (compact && zone->type != dns_zone_stub) {
11951 LOCK_ZONE(zone);
11952 zone_iattach(zone, &(dns_zone_t *){ NULL });
11954 INSIST(zone != zone->raw);
11957 zone->mctx, db, version, masterstyle, masterfile,
11958 zone->loop, dump_done, zone, &zone->dumpctx,
11961 UNLOCK_ZONE(zone);
11963 dns_zone_idetach(&(dns_zone_t *){ zone });
11968 result = dns_master_dump(zone->mctx, db, version, masterstyle,
11970 if ((zone->type == dns_zone_secondary ||
11971 zone->type == dns_zone_mirror ||
11972 zone->type == dns_zone_redirect) &&
11977 isc_interval_set(&i, zone->expire, 0);
11978 result = isc_time_subtract(&zone->expiretime, &i,
11981 (void)isc_file_settime(zone->masterfile, &when);
11995 isc_mem_free(zone->mctx, masterfile);
12008 LOCK_ZONE(zone);
12009 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
12014 zone_needdump(zone, DNS_DUMP_DELAY);
12015 } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
12016 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
12017 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
12019 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
12020 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
12021 isc_time_settoepoch(&zone->dumptime);
12024 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
12026 UNLOCK_ZONE(zone);
12035 dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
12042 REQUIRE(DNS_ZONE_VALID(zone));
12044 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
12045 if (zone->db != NULL) {
12046 dns_db_attach(zone->db, &db);
12048 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
12057 } else if (inline_secure(zone)) {
12058 get_raw_serial(zone->raw, &rawdata);
12059 } else if (zone->sourceserialset) {
12061 rawdata.sourceserial = zone->sourceserial;
12063 result = dns_master_dumptostream(zone->mctx, db, version, style, format,
12071 dns_zone_dumptostream(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
12074 return dumptostream(zone, fd, style, format, rawversion);
12078 dns_zone_unload(dns_zone_t *zone) {
12079 REQUIRE(DNS_ZONE_VALID(zone));
12081 LOCK_ZONE(zone);
12082 zone_unload(zone);
12083 UNLOCK_ZONE(zone);
12087 notify_cancel(dns_zone_t *zone) {
12091 * 'zone' locked by caller.
12094 REQUIRE(LOCKED_ZONE(zone));
12096 for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
12109 checkds_cancel(dns_zone_t *zone) {
12113 * 'zone' locked by caller.
12116 REQUIRE(LOCKED_ZONE(zone));
12118 for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
12131 forward_cancel(dns_zone_t *zone) {
12135 * 'zone' locked by caller.
12138 REQUIRE(LOCKED_ZONE(zone));
12140 for (forward = ISC_LIST_HEAD(zone->forwards); forward != NULL;
12150 zone_unload(dns_zone_t *zone) {
12152 * 'zone' locked by caller.
12155 REQUIRE(LOCKED_ZONE(zone));
12157 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
12158 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
12160 if (zone->dumpctx != NULL) {
12161 dns_dumpctx_cancel(zone->dumpctx);
12164 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
12165 zone_detachdb(zone);
12166 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
12167 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
12168 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
12170 if (zone->type == dns_zone_mirror) {
12171 dns_zone_log(zone, ISC_LOG_INFO,
12172 "mirror zone is no longer in use; "
12178 dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val) {
12179 REQUIRE(DNS_ZONE_VALID(zone));
12182 zone->minrefresh = val;
12186 dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val) {
12187 REQUIRE(DNS_ZONE_VALID(zone));
12190 zone->maxrefresh = val;
12194 dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val) {
12195 REQUIRE(DNS_ZONE_VALID(zone));
12198 zone->minretry = val;
12202 dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val) {
12203 REQUIRE(DNS_ZONE_VALID(zone));
12206 zone->maxretry = val;
12210 dns_zone_getmaxrecords(dns_zone_t *zone) {
12211 REQUIRE(DNS_ZONE_VALID(zone));
12213 return zone->maxrecords;
12217 dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) {
12218 REQUIRE(DNS_ZONE_VALID(zone));
12220 zone->maxrecords = val;
12224 dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t val) {
12225 REQUIRE(DNS_ZONE_VALID(zone));
12227 zone->maxrrperset = val;
12228 if (zone->db != NULL) {
12229 dns_db_setmaxrrperset(zone->db, val);
12234 dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t val) {
12235 REQUIRE(DNS_ZONE_VALID(zone));
12237 zone->maxtypepername = val;
12238 if (zone->db != NULL) {
12239 dns_db_setmaxtypepername(zone->db, val);
12244 notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
12251 for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
12279 zmgr = notify->zone->zmgr;
12288 notify->zone->zmgr->notifyrl, notify->zone->loop,
12299 notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
12307 if (zone->view == NULL || zone->isself == NULL) {
12313 src = zone->notifysrc4;
12317 src = zone->notifysrc6;
12333 result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
12337 isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
12338 zone->isselfarg);
12351 if (notify->zone != NULL) {
12353 LOCK_ZONE(notify->zone);
12355 REQUIRE(LOCKED_ZONE(notify->zone));
12357 ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
12360 UNLOCK_ZONE(notify->zone);
12363 zone_idetach(¬ify->zone);
12365 dns_zone_idetach(¬ify->zone);
12428 LOCK_ZONE(notify->zone);
12430 UNLOCK_ZONE(notify->zone);
12456 dns_view_getadb(notify->zone->view, &adb);
12462 adb, notify->zone->loop, process_notify_adb_event, notify,
12464 notify->zone->view->dstport, 0, NULL, ¬ify->find);
12478 LOCK_ZONE(notify->zone);
12480 UNLOCK_ZONE(notify->zone);
12489 startup ? notify->zone->zmgr->startupnotifyrl
12490 : notify->zone->zmgr->notifyrl,
12491 notify->zone->loop, notify_send_toaddr, notify,
12510 LOCK_ZONE(notify->zone);
12514 if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0 ||
12516 DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
12517 notify->zone->view->requestmgr == NULL || notify->zone->db == NULL)
12530 notify_log(notify->zone, ISC_LOG_DEBUG(3),
12537 result = notify_createmessage(notify->zone, notify->flags, &message);
12548 result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
12550 notify_log(notify->zone, ISC_LOG_ERROR,
12562 notify_log(notify->zone, ISC_LOG_INFO,
12566 notify_log(notify->zone, ISC_LOG_INFO, "sending notify to %s",
12570 if (notify->zone->view->peers != NULL) {
12573 result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
12594 src = notify->zone->notifysrc4;
12605 src = notify->zone->notifysrc6;
12614 if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY)) {
12625 zmgr_tlsctx_attach(notify->zone->zmgr, &zmgr_tlsctx_cache);
12627 result = dns_request_create(notify->zone->view->requestmgr, message,
12630 udptimeout, 2, notify->zone->loop,
12637 inc_stats(notify->zone,
12640 inc_stats(notify->zone,
12646 notify_log(notify->zone, ISC_LOG_NOTICE,
12660 UNLOCK_ZONE(notify->zone);
12667 notify_log(notify->zone, ISC_LOG_WARNING,
12687 REQUIRE(LOCKED_ZONE(notify->zone));
12689 if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING)) {
12697 if (notify_isqueued(notify->zone, notify->flags, NULL, &dst,
12702 if (notify_isself(notify->zone, &dst)) {
12711 zone_iattach(notify->zone, &newnotify->zone);
12712 ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link);
12732 dns_zone_notify(dns_zone_t *zone) {
12735 REQUIRE(DNS_ZONE_VALID(zone));
12737 LOCK_ZONE(zone);
12738 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12741 zone_settimer(zone, &now);
12742 UNLOCK_ZONE(zone);
12746 zone_notify(dns_zone_t *zone, isc_time_t *now) {
12767 REQUIRE(DNS_ZONE_VALID(zone));
12769 LOCK_ZONE(zone);
12770 startup = !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12771 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
12772 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
12773 notifytype = zone->notifytype;
12774 DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
12775 UNLOCK_ZONE(zone);
12777 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
12778 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
12788 zone->type != dns_zone_primary)
12793 origin = &zone->origin;
12796 * If the zone is dialup we are done as we don't want to send
12799 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
12813 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
12814 if (zone->db != NULL) {
12815 dns_db_attach(zone->db, &zonedb);
12817 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
12846 dns_name_dup(&soa.origin, zone->mctx, &primary);
12853 LOCK_ZONE(zone);
12855 dns_remote_reset(&zone->notify, false);
12856 while (!dns_remote_done(&zone->notify)) {
12860 dns_view_t *view = dns_zone_getview(zone);
12862 if (dns_remote_keyname(&zone->notify) != NULL) {
12863 dns_name_t *keyname = dns_remote_keyname(&zone->notify);
12867 if (dns_remote_tlsname(&zone->notify) != NULL) {
12868 dns_name_t *tlsname = dns_remote_tlsname(&zone->notify);
12874 zone, ISC_LOG_INFO,
12877 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
12880 "for zone transfer: %s",
12890 dst = dns_remote_curraddr(&zone->notify);
12891 src = dns_remote_sourceaddr(&zone->notify);
12898 if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) {
12908 result = notify_create(zone->mctx, flags, ¬ify);
12919 zone_iattach(zone, ¬ify->zone);
12936 ISC_LIST_APPEND(zone->notifies, notify, link);
12942 notify_log(zone, ISC_LOG_INFO,
12948 dns_remote_next(&zone->notify, false);
12950 UNLOCK_ZONE(zone);
12979 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
12987 notify_log(zone, ISC_LOG_INFO,
12992 LOCK_ZONE(zone);
12993 isqueued = notify_isqueued(zone, flags, &ns.name, NULL, NULL,
12995 UNLOCK_ZONE(zone);
13000 result = notify_create(zone->mctx, flags, ¬ify);
13004 dns_zone_iattach(zone, ¬ify->zone);
13005 dns_name_dup(&ns.name, zone->mctx, ¬ify->ns);
13006 LOCK_ZONE(zone);
13007 ISC_LIST_APPEND(zone->notifies, notify, link);
13008 UNLOCK_ZONE(zone);
13016 dns_name_free(&primary, zone->mctx);
13029 create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name,
13035 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
13039 message->rdclass = zone->rdclass;
13049 dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
13089 * Called when stub zone update is finished.
13090 * Update zone refresh, retry, expire values accordingly with
13092 * zone management timer.
13100 dns_zone_t *zone = stub->zone;
13106 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
13107 if (zone->db == NULL) {
13108 zone_attachdb(zone, stub->db);
13110 result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, NULL,
13113 zone->refresh = RANGE(refresh, zone->minrefresh,
13114 zone->maxrefresh);
13115 zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
13116 zone->expire = RANGE(expire, zone->refresh + zone->retry,
13118 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
13120 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
13123 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
13124 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
13125 DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
13126 isc_interval_set(&i, zone->expire, 0);
13127 DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
13129 if (zone->masterfile != NULL) {
13130 zone_needdump(zone, 0);
13133 zone_settimer(zone, &now);
13148 dns_zone_t *zone = NULL;
13160 zone = stub->zone;
13166 LOCK_ZONE(zone);
13168 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
13169 zone_debuglog(zone, __func__, 1, "exiting");
13173 curraddr = dns_remote_curraddr(&zone->primaries);
13175 isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
13178 dns_zonemgr_unreachableadd(zone->zmgr, &curraddr,
13179 &zone->sourceaddr, &now);
13180 dns_zone_log(zone, ISC_LOG_INFO,
13188 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
13192 dns_zone_log(zone, ISC_LOG_INFO,
13208 dns_zone_log(zone, ISC_LOG_INFO,
13225 dns_zone_log(zone, ISC_LOG_INFO,
13237 dns_zone_log(zone, ISC_LOG_INFO,
13249 dns_zone_log(zone, ISC_LOG_INFO,
13266 dns_zone_log(zone, ISC_LOG_INFO,
13274 dns_zone_log(zone, ISC_LOG_INFO,
13292 zone, ISC_LOG_INFO,
13303 dns_zone_log(zone, ISC_LOG_INFO,
13313 dns_zone_log(zone, ISC_LOG_INFO,
13325 dns_name_free(&sgr->name, zone->mctx);
13327 isc_mem_put(zone->mctx, sgr, sizeof(*sgr));
13331 isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13333 UNLOCK_ZONE(zone);
13335 dns_zone_idetach(&stub->zone);
13340 UNLOCK_ZONE(zone);
13346 * server of the stub zone given.
13352 dns_zone_t *zone;
13357 zone = args->stub->zone;
13358 sgr = isc_mem_get(zone->mctx, sizeof(*sgr));
13365 dns_name_dup(name, zone->mctx, &sgr->name);
13367 create_query(zone, ipv4 ? dns_rdatatype_a : dns_rdatatype_aaaa,
13370 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13373 zone_debuglog(zone, __func__, 1,
13382 curraddr = dns_remote_curraddr(&zone->primaries);
13384 zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
13386 args->timeout * 3, args->timeout, 2, zone->loop,
13393 zone_debuglog(zone, __func__, 1,
13404 dns_name_free(&sgr->name, zone->mctx);
13405 isc_mem_put(zone->mctx, sgr, sizeof(*sgr));
13570 dns_zone_t *zone = NULL;
13581 zone = stub->zone;
13587 LOCK_ZONE(zone);
13589 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
13593 curraddr = dns_remote_curraddr(&zone->primaries);
13595 isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
13604 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13605 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13606 dns_zone_log(zone, ISC_LOG_DEBUG(1),
13614 dns_zonemgr_unreachableadd(zone->zmgr, &curraddr,
13615 &zone->sourceaddr, &now);
13616 dns_zone_log(zone, ISC_LOG_INFO,
13623 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
13641 dns_zone_log(zone, ISC_LOG_INFO,
13658 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
13663 dns_zone_log(zone, ISC_LOG_DEBUG(1),
13667 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13671 dns_zone_log(zone, ISC_LOG_INFO,
13683 dns_zone_log(zone, ISC_LOG_INFO,
13689 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
13697 dns_zone_log(zone, ISC_LOG_INFO,
13712 dns_zone_log(zone, ISC_LOG_INFO,
13720 dns_zone_log(zone, ISC_LOG_INFO,
13732 result = save_nsrrset(msg, &zone->origin, cb_args, stub->db,
13735 dns_zone_log(zone, ISC_LOG_INFO,
13743 dns_request_destroy(&zone->request);
13750 isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13755 UNLOCK_ZONE(zone);
13759 zone_debuglog(zone, __func__, 1, "exiting");
13763 isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13773 dns_request_destroy(&zone->request);
13777 dns_remote_next(&zone->primaries, true);
13778 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
13779 if (exiting || dns_remote_done(&zone->primaries)) {
13780 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
13781 zone_settimer(zone, &now);
13784 queue_soa_query(zone);
13788 isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
13792 dns_request_destroy(&zone->request);
13793 ns_query(zone, NULL, stub);
13794 UNLOCK_ZONE(zone);
13798 UNLOCK_ZONE(zone);
13800 dns_zone_idetach(&stub->zone);
13811 get_edns_expire(dns_zone_t *zone, dns_message_t *message, uint32_t *expirep) {
13842 dns_zone_log(zone, ISC_LOG_DEBUG(1),
13856 * Set the file modification time zone->expire seconds before expiretime.
13859 setmodtime(dns_zone_t *zone, isc_time_t *expiretime) {
13864 isc_interval_set(&i, zone->expire, 0);
13871 if (zone->journal != NULL) {
13872 result = isc_file_settime(zone->journal, &when);
13875 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
13876 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
13878 result = isc_file_settime(zone->masterfile, &when);
13880 result = isc_file_settime(zone->masterfile, &when);
13887 zone_needdump(zone, DNS_DUMP_DELAY);
13889 dns_zone_log(zone, ISC_LOG_ERROR,
13892 zone->masterfile, isc_result_totext(result));
13902 dns_zone_t *zone = dns_request_getarg(request);
13916 INSIST(DNS_ZONE_VALID(zone));
13922 LOCK_ZONE(zone);
13924 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
13931 curraddr = dns_remote_curraddr(&zone->primaries);
13933 isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
13941 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
13942 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
13943 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
13950 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
13956 if ((zone->type == dns_zone_secondary ||
13957 zone->type == dns_zone_mirror ||
13958 zone->type == dns_zone_redirect) &&
13959 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH))
13962 zone->zmgr, &curraddr,
13963 &zone->sourceaddr, &now))
13966 zone,
13970 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
13982 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
13989 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
13993 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14010 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14027 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
14032 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14037 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14040 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
14043 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14049 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14052 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14060 (zone->type == dns_zone_secondary ||
14061 zone->type == dns_zone_mirror ||
14062 zone->type == dns_zone_redirect))
14070 * If truncated punt to zone transfer which will query again.
14073 if (zone->type == dns_zone_secondary ||
14074 zone->type == dns_zone_mirror ||
14075 zone->type == dns_zone_redirect)
14077 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14080 "initiating TCP zone xfer "
14083 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
14086 INSIST(zone->type == dns_zone_stub);
14088 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14095 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
14104 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14117 * There should not be a CNAME record at top of zone.
14120 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14121 "refresh: CNAME at top of zone "
14131 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14142 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14150 * Only one soa at top of zone.
14153 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14164 result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
14168 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14177 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
14187 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
14189 result = zone_get_from_db(zone, zone->db, NULL, &dbsoacount,
14194 zone_debuglogc(zone, DNS_LOGCATEGORY_XFER_IN, __func__, 1,
14197 zone_debuglogc(zone, DNS_LOGCATEGORY_XFER_IN, __func__, 1,
14201 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
14202 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
14205 if (dns_zonemgr_unreachable(zone->zmgr, &curraddr,
14206 &zone->sourceaddr, &now))
14208 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14212 (zone->type == dns_zone_secondary ||
14213 zone->type == dns_zone_mirror ||
14214 zone->type == dns_zone_redirect)
14215 ? "zone transfer"
14221 dns_request_destroy(&zone->request);
14222 if (zone->type == dns_zone_secondary ||
14223 zone->type == dns_zone_mirror ||
14224 zone->type == dns_zone_redirect)
14228 INSIST(zone->type == dns_zone_stub);
14229 ns_query(zone, rdataset, NULL);
14241 expire = zone->expire;
14242 get_edns_expire(zone, msg, &expire);
14248 if (isc_time_compare(&expiretime, &zone->expiretime) > 0) {
14249 zone->expiretime = expiretime;
14250 if (zone->masterfile != NULL) {
14251 setmodtime(zone, &expiretime);
14255 DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
14256 dns_remote_mark(&zone->primaries, true);
14259 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER)) {
14260 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14266 zone_debuglogc(zone, DNS_LOGCATEGORY_XFER_IN, __func__,
14269 dns_remote_mark(&zone->primaries, true);
14281 dns_request_destroy(&zone->request);
14285 dns_remote_next(&zone->primaries, true);
14286 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
14287 if (dns_remote_done(&zone->primaries)) {
14288 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
14289 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
14290 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
14291 zone->refreshtime = now;
14293 zone_settimer(zone, &now);
14297 queue_soa_query(zone);
14301 dns_request_destroy(&zone->request);
14308 dns_request_destroy(&zone->request);
14309 queue_soa_query(zone);
14314 zone->xfrintime = isc_time_now();
14316 UNLOCK_ZONE(zone);
14318 queue_xfrin(zone);
14320 dns_zone_idetach(&zone);
14325 dns_zone_t *zone;
14330 queue_soa_query(dns_zone_t *zone) {
14338 REQUIRE(LOCKED_ZONE(zone));
14340 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14341 cancel_refresh(zone);
14345 sq = isc_mem_get(zone->mctx, sizeof(*sq));
14346 *sq = (struct soaquery){ .zone = NULL };
14349 zone->xfrintime = isc_time_now();
14354 zone_iattach(zone, &sq->zone);
14355 result = isc_ratelimiter_enqueue(zone->zmgr->refreshrl, zone->loop,
14358 zone_idetach(&sq->zone);
14359 isc_mem_put(zone->mctx, sq, sizeof(*sq));
14360 cancel_refresh(zone);
14367 dns_zone_t *zone = sq->zone;
14381 REQUIRE(DNS_ZONE_VALID(zone));
14385 LOCK_ZONE(zone);
14386 if (sq->rlevent->canceled || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
14387 zone->view->requestmgr == NULL)
14389 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
14397 zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(3),
14399 zone->primaries.curraddr, zone->primaries.addrcnt);
14400 INSIST(dns_remote_count(&zone->primaries) > 0);
14401 INSIST(!dns_remote_done(&zone->primaries));
14403 sourceaddr = dns_remote_sourceaddr(&zone->primaries);
14404 curraddr = dns_remote_curraddr(&zone->primaries);
14415 if (dns_remote_keyname(&zone->primaries) != NULL) {
14416 dns_view_t *view = dns_zone_getview(zone);
14417 dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
14422 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14429 result = dns_view_getpeertsig(zone->view, &primaryip, &key);
14435 zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
14441 if (dns_remote_tlsname(&zone->primaries) != NULL) {
14442 dns_view_t *view = dns_zone_getview(zone);
14443 dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries);
14449 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
14457 options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ? DNS_REQUESTOPT_TCP
14459 reqnsid = zone->view->requestnsid;
14460 reqexpire = zone->requestexpire;
14461 if (zone->view->peers != NULL) {
14464 result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip,
14469 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14472 &zone->sourceaddr);
14476 udpsize = dns_view_getudpsize(zone->view);
14493 zone->sourceaddr = sourceaddr;
14495 zone->sourceaddr = zone->xfrsource4;
14504 zone->sourceaddr = sourceaddr;
14505 if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14506 zone->sourceaddr = zone->xfrsource6;
14521 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
14528 create_query(zone, dns_rdatatype_soa, &zone->origin, &message);
14530 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
14533 zone_debuglogc(zone, DNS_LOGCATEGORY_XFER_IN, __func__,
14539 zone_iattach(zone, &(dns_zone_t *){ NULL });
14541 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
14545 zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
14547 zone->loop, refresh_callback, zone, &zone->request);
14549 zone_idetach(&(dns_zone_t *){ zone });
14550 zone_debuglogc(zone, DNS_LOGCATEGORY_XFER_IN, __func__, 1,
14556 zone->xfrintime = isc_time_now();
14559 inc_stats(zone, dns_zonestatscounter_soaoutv4);
14561 inc_stats(zone, dns_zonestatscounter_soaoutv6);
14573 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
14579 cancel_refresh(zone);
14583 zone->xfrintime = isc_time_now();
14585 UNLOCK_ZONE(zone);
14587 queue_xfrin(zone);
14590 isc_mem_put(zone->mctx, sq, sizeof(*sq));
14591 dns_zone_idetach(&zone);
14607 dns_remote_next(&zone->primaries, true);
14608 if (!dns_remote_done(&zone->primaries)) {
14611 dns_remote_reset(&zone->primaries, false);
14616 ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
14629 REQUIRE(DNS_ZONE_VALID(zone));
14630 REQUIRE(LOCKED_ZONE(zone));
14638 stub = isc_mem_get(zone->mctx, sizeof(*stub));
14640 stub->mctx = zone->mctx;
14641 stub->zone = NULL;
14647 * Attach so that the zone won't disappear from under us.
14649 zone_iattach(zone, &stub->zone);
14653 * new one and attach it to the zone once we have the NS
14656 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
14657 if (zone->db != NULL) {
14658 dns_db_attach(zone->db, &stub->db);
14659 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
14661 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
14663 INSIST(zone->db_argc >= 1);
14664 result = dns_db_create(zone->mctx, zone->db_argv[0],
14665 &zone->origin, dns_dbtype_stub,
14666 zone->rdclass, zone->db_argc - 1,
14667 zone->db_argv + 1, &stub->db);
14669 dns_zone_log(zone, ISC_LOG_ERROR,
14676 dns_db_setloop(stub->db, zone->loop);
14677 dns_db_setmaxrrperset(stub->db, zone->maxrrperset);
14679 zone->maxtypepername);
14684 dns_zone_log(zone, ISC_LOG_INFO,
14694 result = dns_db_findnode(stub->db, &zone->origin, true, &node);
14696 dns_zone_log(zone, ISC_LOG_INFO,
14707 dns_zone_log(zone, ISC_LOG_INFO,
14716 * XXX Optimisation: Create message when zone is setup and reuse.
14718 create_query(zone, dns_rdatatype_ns, &zone->origin, &message);
14720 INSIST(dns_remote_count(&zone->primaries) > 0);
14721 INSIST(!dns_remote_done(&zone->primaries));
14723 sourceaddr = dns_remote_sourceaddr(&zone->primaries);
14724 curraddr = dns_remote_curraddr(&zone->primaries);
14730 if (dns_remote_keyname(&zone->primaries) != NULL) {
14731 dns_view_t *view = dns_zone_getview(zone);
14732 dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
14737 dns_zone_log(zone, ISC_LOG_ERROR,
14742 (void)dns_view_getpeertsig(zone->view, &primaryip, &key);
14747 reqnsid = zone->view->requestnsid;
14748 if (zone->view->peers != NULL) {
14751 result = dns_peerlist_peerbyaddr(zone->view->peers, &primaryip,
14756 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
14759 &zone->sourceaddr);
14763 udpsize = dns_view_getudpsize(zone->view);
14768 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
14771 zone_debuglog(zone, __func__, 1,
14786 zone->sourceaddr = sourceaddr;
14787 if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14788 zone->sourceaddr = zone->xfrsource4;
14797 zone->sourceaddr = sourceaddr;
14798 if (isc_sockaddr_equal(&zone->sourceaddr, &any)) {
14799 zone->sourceaddr = zone->xfrsource6;
14809 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
14817 cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
14825 zone->view->requestmgr, message, &zone->sourceaddr, &curraddr,
14827 2, zone->loop, stub_callback, cb_args, &zone->request);
14829 zone_debuglog(zone, __func__, 1,
14838 cancel_refresh(zone);
14846 if (stub->zone != NULL) {
14847 zone_idetach(&stub->zone);
14861 * Shut the zone down.
14865 dns_zone_t *zone = (dns_zone_t *)arg;
14870 REQUIRE(DNS_ZONE_VALID(zone));
14871 INSIST(isc_refcount_current(&zone->references) == 0);
14873 zone_debuglog(zone, __func__, 3, "shutting down");
14878 * If there's no zone manager, we can't be waiting for the
14881 if (zone->zmgr != NULL) {
14882 RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
14883 if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
14884 ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
14887 zone->statelist = NULL;
14889 if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
14890 ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone,
14892 zone->statelist = NULL;
14893 zmgr_resume_xfrs(zone->zmgr, false);
14895 RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
14901 if (zone->xfr != NULL) {
14903 dns_xfrin_shutdown(zone->xfr);
14906 /* Safe to release the zone now */
14907 if (zone->zmgr != NULL) {
14908 dns_zonemgr_releasezone(zone->zmgr, zone);
14911 LOCK_ZONE(zone);
14912 INSIST(zone != zone->raw);
14916 * to detach them outside of the zone lock to break the lock loop
14917 * between view, adb and zone locks.
14919 view = zone->view;
14920 zone->view = NULL;
14921 prev_view = zone->prev_view;
14922 zone->prev_view = NULL;
14925 isc_refcount_decrement(&zone->irefs);
14927 if (zone->request != NULL) {
14928 dns_request_cancel(zone->request);
14931 if (zone->loadctx != NULL) {
14932 dns_loadctx_cancel(zone->loadctx);
14935 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
14936 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
14938 if (zone->dumpctx != NULL) {
14939 dns_dumpctx_cancel(zone->dumpctx);
14943 checkds_cancel(zone);
14945 notify_cancel(zone);
14947 forward_cancel(zone);
14949 if (zone->timer != NULL) {
14950 isc_refcount_decrement(&zone->irefs);
14951 isc_timer_destroy(&zone->timer);
14959 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
14960 free_needed = exit_check(zone);
14962 * If a dump is in progress for the secure zone, defer detaching from
14963 * the raw zone as it may prevent the unsigned serial number from being
14964 * stored in the raw-format dump of the secure zone. In this scenario,
14965 * dump_done() takes care of cleaning up the zone->raw reference.
14967 if (inline_secure(zone) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
14968 raw = zone->raw;
14969 zone->raw = NULL;
14971 if (inline_raw(zone)) {
14972 secure = zone->secure;
14973 zone->secure = NULL;
14975 UNLOCK_ZONE(zone);
14991 zone_free(zone);
14997 dns_zone_t *zone = (dns_zone_t *)arg;
14999 REQUIRE(DNS_ZONE_VALID(zone));
15001 zone_maintenance(zone);
15005 zone_timer_stop(dns_zone_t *zone) {
15006 zone_debuglog(zone, __func__, 10, "stop zone timer");
15007 if (zone->timer != NULL) {
15008 isc_timer_stop(zone->timer);
15013 zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now) {
15022 if (zone->loop == NULL) {
15023 zone_debuglog(zone, __func__, 10, "zone is not managed");
15024 } else if (zone->timer == NULL) {
15025 isc_refcount_increment0(&zone->irefs);
15026 isc_timer_create(zone->loop, zone_timer, zone, &zone->timer);
15028 if (zone->timer != NULL) {
15029 isc_timer_start(zone->timer, isc_timertype_once, &interval);
15036 dns_zone_t *zone = data->zone;
15041 REQUIRE(DNS_ZONE_VALID(zone));
15044 LOCK_ZONE(zone);
15045 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
15050 switch (zone->type) {
15052 if (dns_remote_addresses(&zone->primaries) != NULL) {
15057 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
15058 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
15060 next = zone->notifytime;
15062 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
15063 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
15065 INSIST(!isc_time_isepoch(&zone->dumptime));
15067 isc_time_compare(&zone->dumptime, &next) < 0)
15069 next = zone->dumptime;
15072 if (zone->type == dns_zone_redirect) {
15075 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
15076 !isc_time_isepoch(&zone->refreshkeytime))
15079 isc_time_compare(&zone->refreshkeytime, &next) < 0)
15081 next = zone->refreshkeytime;
15084 if (!isc_time_isepoch(&zone->resigntime)) {
15086 isc_time_compare(&zone->resigntime, &next) < 0)
15088 next = zone->resigntime;
15091 if (!isc_time_isepoch(&zone->keywarntime)) {
15093 isc_time_compare(&zone->keywarntime, &next) < 0)
15095 next = zone->keywarntime;
15098 if (!isc_time_isepoch(&zone->signingtime)) {
15100 isc_time_compare(&zone->signingtime, &next) < 0)
15102 next = zone->signingtime;
15105 if (!isc_time_isepoch(&zone->nsec3chaintime)) {
15107 isc_time_compare(&zone->nsec3chaintime, &next) < 0)
15109 next = zone->nsec3chaintime;
15117 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
15118 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
15120 next = zone->notifytime;
15124 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
15125 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOPRIMARIES) &&
15126 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
15127 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING) &&
15128 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) &&
15129 !isc_time_isepoch(&zone->refreshtime) &&
15131 isc_time_compare(&zone->refreshtime, &next) < 0))
15133 next = zone->refreshtime;
15135 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
15136 !isc_time_isepoch(&zone->expiretime))
15139 isc_time_compare(&zone->expiretime, &next) < 0)
15141 next = zone->expiretime;
15144 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
15145 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
15147 INSIST(!isc_time_isepoch(&zone->dumptime));
15149 isc_time_compare(&zone->dumptime, &next) < 0)
15151 next = zone->dumptime;
15157 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
15158 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
15160 INSIST(!isc_time_isepoch(&zone->dumptime));
15162 isc_time_compare(&zone->dumptime, &next) < 0)
15164 next = zone->dumptime;
15167 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
15169 (!isc_time_isepoch(&zone->refreshkeytime) &&
15170 isc_time_compare(&zone->refreshkeytime, &next) <
15173 next = zone->refreshkeytime;
15183 zone_timer_stop(zone);
15185 zone_timer_set(zone, &next, now);
15189 isc_mem_put(zone->mctx, data, sizeof(*data));
15190 isc_refcount_decrement(&zone->irefs);
15191 free_needed = exit_check(zone);
15192 UNLOCK_ZONE(zone);
15194 zone_free(zone);
15199 zone_settimer(dns_zone_t *zone, isc_time_t *now) {
15200 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
15204 zone_settimer_t *arg = isc_mem_get(zone->mctx, sizeof(*arg));
15206 .zone = zone,
15209 isc_refcount_increment0(&zone->irefs);
15210 isc_async_run(zone->loop, zone__settimer, arg);
15214 cancel_refresh(dns_zone_t *zone) {
15218 * 'zone' locked by caller.
15221 REQUIRE(DNS_ZONE_VALID(zone));
15222 REQUIRE(LOCKED_ZONE(zone));
15226 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
15228 zone_settimer(zone, &now);
15232 notify_createmessage(dns_zone_t *zone, unsigned int flags,
15250 REQUIRE(DNS_ZONE_VALID(zone));
15253 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
15258 message->rdclass = zone->rdclass;
15267 dns_name_clone(&zone->origin, tempname);
15268 dns_rdataset_makequestion(temprdataset, zone->rdclass,
15284 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
15285 INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
15286 dns_db_attach(zone->db, &zonedb);
15287 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
15289 dns_name_clone(&zone->origin, tempname);
15308 isc_buffer_allocate(zone->mctx, &b, r.length);
15362 dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
15377 REQUIRE(DNS_ZONE_VALID(zone));
15384 * Check that 'from' is a valid notify source, (zone->primaries).
15402 * Notify messages are processed by the raw zone.
15404 LOCK_ZONE(zone);
15405 INSIST(zone != zone->raw);
15406 if (inline_secure(zone)) {
15407 result = dns_zone_notifyreceive(zone->raw, from, to, msg);
15408 UNLOCK_ZONE(zone);
15415 inc_stats(zone, dns_zonestatscounter_notifyinv4);
15417 inc_stats(zone, dns_zonestatscounter_notifyinv6);
15420 dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
15424 UNLOCK_ZONE(zone);
15426 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
15433 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_NOTICE,
15434 "NOTIFY zone does not match");
15439 * If we are a primary zone just succeed.
15441 if (zone->type == dns_zone_primary) {
15442 UNLOCK_ZONE(zone);
15447 for (i = 0; i < dns_remote_count(&zone->primaries); i++) {
15448 isc_sockaddr_t sockaddr = dns_remote_addr(&zone->primaries, i);
15452 if (zone->view->aclenv->match_mapped &&
15467 * 'zone->notify_acl'.
15471 if (i >= dns_remote_count(&zone->primaries) &&
15472 zone->notify_acl != NULL &&
15473 (dns_acl_match(&netaddr, tsig, zone->notify_acl, zone->view->aclenv,
15478 } else if (i >= dns_remote_count(&zone->primaries)) {
15479 UNLOCK_ZONE(zone);
15480 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
15482 inc_stats(zone, dns_zonestatscounter_notifyrej);
15487 * If the zone is loaded and there are answers check the serial
15489 * check if we are a dialup zone as we use the notify request
15493 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
15494 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH))
15497 msg, DNS_SECTION_ANSWER, &zone->origin,
15515 result = zone_get_from_db(zone, zone->db, NULL,
15521 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
15524 "zone is up to date",
15526 UNLOCK_ZONE(zone);
15537 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
15538 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
15539 zone->notifyfrom = *from;
15540 UNLOCK_ZONE(zone);
15542 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
15549 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
15559 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
15562 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
15565 zone->notifyfrom = *from;
15566 UNLOCK_ZONE(zone);
15569 dns_zonemgr_unreachabledel(zone->zmgr, from, to);
15571 dns_zone_refresh(zone);
15576 dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
15577 REQUIRE(DNS_ZONE_VALID(zone));
15579 LOCK_ZONE(zone);
15580 if (zone->notify_acl != NULL) {
15581 dns_acl_detach(&zone->notify_acl);
15583 dns_acl_attach(acl, &zone->notify_acl);
15584 UNLOCK_ZONE(zone);
15588 dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
15589 REQUIRE(DNS_ZONE_VALID(zone));
15591 LOCK_ZONE(zone);
15592 if (zone->query_acl != NULL) {
15593 dns_acl_detach(&zone->query_acl);
15595 dns_acl_attach(acl, &zone->query_acl);
15596 UNLOCK_ZONE(zone);
15600 dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
15601 REQUIRE(DNS_ZONE_VALID(zone));
15603 LOCK_ZONE(zone);
15604 if (zone->queryon_acl != NULL) {
15605 dns_acl_detach(&zone->queryon_acl);
15607 dns_acl_attach(acl, &zone->queryon_acl);
15608 UNLOCK_ZONE(zone);
15612 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
15613 REQUIRE(DNS_ZONE_VALID(zone));
15615 LOCK_ZONE(zone);
15616 if (zone->update_acl != NULL) {
15617 dns_acl_detach(&zone->update_acl);
15619 dns_acl_attach(acl, &zone->update_acl);
15620 UNLOCK_ZONE(zone);
15624 dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
15625 REQUIRE(DNS_ZONE_VALID(zone));
15627 LOCK_ZONE(zone);
15628 if (zone->forward_acl != NULL) {
15629 dns_acl_detach(&zone->forward_acl);
15631 dns_acl_attach(acl, &zone->forward_acl);
15632 UNLOCK_ZONE(zone);
15636 dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
15637 REQUIRE(DNS_ZONE_VALID(zone));
15639 LOCK_ZONE(zone);
15640 if (zone->xfr_acl != NULL) {
15641 dns_acl_detach(&zone->xfr_acl);
15643 dns_acl_attach(acl, &zone->xfr_acl);
15644 UNLOCK_ZONE(zone);
15648 dns_zone_getnotifyacl(dns_zone_t *zone) {
15649 REQUIRE(DNS_ZONE_VALID(zone));
15651 return zone->notify_acl;
15655 dns_zone_getqueryacl(dns_zone_t *zone) {
15656 REQUIRE(DNS_ZONE_VALID(zone));
15658 return zone->query_acl;
15662 dns_zone_getqueryonacl(dns_zone_t *zone) {
15663 REQUIRE(DNS_ZONE_VALID(zone));
15665 return zone->queryon_acl;
15669 dns_zone_getupdateacl(dns_zone_t *zone) {
15670 REQUIRE(DNS_ZONE_VALID(zone));
15672 return zone->update_acl;
15676 dns_zone_getforwardacl(dns_zone_t *zone) {
15677 REQUIRE(DNS_ZONE_VALID(zone));
15679 return zone->forward_acl;
15683 dns_zone_getxfracl(dns_zone_t *zone) {
15684 REQUIRE(DNS_ZONE_VALID(zone));
15686 return zone->xfr_acl;
15690 dns_zone_clearupdateacl(dns_zone_t *zone) {
15691 REQUIRE(DNS_ZONE_VALID(zone));
15693 LOCK_ZONE(zone);
15694 if (zone->update_acl != NULL) {
15695 dns_acl_detach(&zone->update_acl);
15697 UNLOCK_ZONE(zone);
15701 dns_zone_clearforwardacl(dns_zone_t *zone) {
15702 REQUIRE(DNS_ZONE_VALID(zone));
15704 LOCK_ZONE(zone);
15705 if (zone->forward_acl != NULL) {
15706 dns_acl_detach(&zone->forward_acl);
15708 UNLOCK_ZONE(zone);
15712 dns_zone_clearnotifyacl(dns_zone_t *zone) {
15713 REQUIRE(DNS_ZONE_VALID(zone));
15715 LOCK_ZONE(zone);
15716 if (zone->notify_acl != NULL) {
15717 dns_acl_detach(&zone->notify_acl);
15719 UNLOCK_ZONE(zone);
15723 dns_zone_clearqueryacl(dns_zone_t *zone) {
15724 REQUIRE(DNS_ZONE_VALID(zone));
15726 LOCK_ZONE(zone);
15727 if (zone->query_acl != NULL) {
15728 dns_acl_detach(&zone->query_acl);
15730 UNLOCK_ZONE(zone);
15734 dns_zone_clearqueryonacl(dns_zone_t *zone) {
15735 REQUIRE(DNS_ZONE_VALID(zone));
15737 LOCK_ZONE(zone);
15738 if (zone->queryon_acl != NULL) {
15739 dns_acl_detach(&zone->queryon_acl);
15741 UNLOCK_ZONE(zone);
15745 dns_zone_clearxfracl(dns_zone_t *zone) {
15746 REQUIRE(DNS_ZONE_VALID(zone));
15748 LOCK_ZONE(zone);
15749 if (zone->xfr_acl != NULL) {
15750 dns_acl_detach(&zone->xfr_acl);
15752 UNLOCK_ZONE(zone);
15756 dns_zone_getupdatedisabled(dns_zone_t *zone) {
15757 REQUIRE(DNS_ZONE_VALID(zone));
15758 return zone->update_disabled;
15762 dns_zone_setupdatedisabled(dns_zone_t *zone, bool state) {
15763 REQUIRE(DNS_ZONE_VALID(zone));
15764 zone->update_disabled = state;
15768 dns_zone_getzeronosoattl(dns_zone_t *zone) {
15769 REQUIRE(DNS_ZONE_VALID(zone));
15770 return zone->zero_no_soa_ttl;
15774 dns_zone_setzeronosoattl(dns_zone_t *zone, bool state) {
15775 REQUIRE(DNS_ZONE_VALID(zone));
15776 zone->zero_no_soa_ttl = state;
15780 dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
15781 REQUIRE(DNS_ZONE_VALID(zone));
15783 zone->check_names = severity;
15787 dns_zone_getchecknames(dns_zone_t *zone) {
15788 REQUIRE(DNS_ZONE_VALID(zone));
15790 return zone->check_names;
15794 dns_zone_setjournalsize(dns_zone_t *zone, int32_t size) {
15795 REQUIRE(DNS_ZONE_VALID(zone));
15797 zone->journalsize = size;
15801 dns_zone_getjournalsize(dns_zone_t *zone) {
15802 REQUIRE(DNS_ZONE_VALID(zone));
15804 return zone->journalsize;
15808 zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
15819 if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) {
15820 if (dns_name_dynamic(&zone->origin)) {
15822 &zone->origin, DNS_NAME_OMITFINALDOT, &buffer);
15834 (void)dns_rdataclass_totext(zone->rdclass, &buffer);
15837 if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
15838 strcmp(zone->view->name, "_default") != 0 &&
15839 strlen(zone->view->name) < isc_buffer_availablelength(&buffer))
15842 isc_buffer_putstr(&buffer, zone->view->name);
15844 if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer)) {
15847 if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer)) {
15855 zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
15866 if (dns_name_dynamic(&zone->origin)) {
15867 result = dns_name_totext(&zone->origin, DNS_NAME_OMITFINALDOT,
15880 zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
15890 (void)dns_rdataclass_totext(zone->rdclass, &buffer);
15896 zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
15907 if (zone->view == NULL) {
15909 } else if (strlen(zone->view->name) <
15912 isc_buffer_putstr(&buffer, zone->view->name);
15921 dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
15922 REQUIRE(DNS_ZONE_VALID(zone));
15925 LOCK_ZONE(zone);
15926 zone_namerd_tostr(zone, buf, length);
15927 UNLOCK_ZONE(zone);
15931 dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t length) {
15932 REQUIRE(DNS_ZONE_VALID(zone));
15934 zone_name_tostr(zone, buf, length);
15938 dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
15943 REQUIRE(DNS_ZONE_VALID(zone));
15951 switch (zone->type) {
15953 zstr = "managed-keys-zone";
15956 zstr = "redirect-zone";
15959 zstr = "zone ";
15964 (prefix != NULL ? ": " : ""), zstr, zone->strnamerd,
15969 notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
15973 dns_zone_logv(zone, DNS_LOGCATEGORY_NOTIFY, level, NULL, fmt, ap);
15978 dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
15983 dns_zone_logv(zone, category, level, NULL, fmt, ap);
15988 dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
15992 dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, NULL, fmt, ap);
15997 zone_debuglogc(dns_zone_t *zone, isc_logcategory_t *category, const char *me,
16003 dns_zone_logv(zone, category, level, me, fmt, ap);
16008 zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel, const char *fmt,
16014 dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, me, fmt, ap);
16019 dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) {
16023 dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap);
16053 dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin) {
16054 REQUIRE(DNS_ZONE_VALID(zone));
16056 zone->maxxfrin = maxxfrin;
16060 dns_zone_getmaxxfrin(dns_zone_t *zone) {
16061 REQUIRE(DNS_ZONE_VALID(zone));
16063 return zone->maxxfrin;
16067 dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout) {
16068 REQUIRE(DNS_ZONE_VALID(zone));
16069 zone->maxxfrout = maxxfrout;
16073 dns_zone_getmaxxfrout(dns_zone_t *zone) {
16074 REQUIRE(DNS_ZONE_VALID(zone));
16076 return zone->maxxfrout;
16080 dns_zone_gettype(dns_zone_t *zone) {
16081 REQUIRE(DNS_ZONE_VALID(zone));
16083 return zone->type;
16113 dns_zone_getredirecttype(dns_zone_t *zone) {
16114 REQUIRE(DNS_ZONE_VALID(zone));
16115 REQUIRE(zone->type == dns_zone_redirect);
16117 return dns_remote_addresses(&zone->primaries) == NULL
16123 dns_zone_getorigin(dns_zone_t *zone) {
16124 REQUIRE(DNS_ZONE_VALID(zone));
16126 return &zone->origin;
16130 dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein) {
16131 REQUIRE(DNS_ZONE_VALID(zone));
16136 zone->idlein = idlein;
16140 dns_zone_getidlein(dns_zone_t *zone) {
16141 REQUIRE(DNS_ZONE_VALID(zone));
16143 return zone->idlein;
16147 dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout) {
16148 REQUIRE(DNS_ZONE_VALID(zone));
16150 zone->idleout = idleout;
16154 dns_zone_getidleout(dns_zone_t *zone) {
16155 REQUIRE(DNS_ZONE_VALID(zone));
16157 return zone->idleout;
16174 dns_message_create(notify->zone->mctx, NULL, NULL,
16190 notify_log(notify->zone, ISC_LOG_DEBUG(3),
16199 notify_log(notify->zone, ISC_LOG_DEBUG(1),
16204 notify_log(notify->zone, ISC_LOG_NOTICE,
16212 notify_log(notify->zone, ISC_LOG_WARNING,
16216 notify_log(notify->zone, ISC_LOG_WARNING,
16224 dns_zone_t *zone;
16231 update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
16233 dns_zone_log(zone, level, "%s", message);
16237 dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, isc_mem_t *mctx,
16242 result = dns_dnssec_keyfromrdata(dns_zone_getorigin(zone), rdata, mctx,
16245 dns_zone_log(zone, ISC_LOG_ERROR,
16265 cdnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata,
16272 dns_zone_log(zone, ISC_LOG_ERROR,
16287 dns_zone_log(zone, ISC_LOG_ERROR,
16304 cds_inuse(dns_zone_t *zone, dns_rdata_t *rdata, dns_dnsseckeylist_t *keylist,
16311 dns_zone_log(zone, ISC_LOG_ERROR,
16333 dns_zone_log(zone, ISC_LOG_ERROR,
16338 result = dns_ds_buildrdata(dns_zone_getorigin(zone), &dnskey,
16341 dns_zone_log(zone, ISC_LOG_ERROR,
16361 dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) {
16371 REQUIRE(DNS_ZONE_VALID(zone));
16374 mctx = zone->mctx;
16380 kasp = dns_zone_getkasp(zone);
16381 keydir = dns_zone_getkeydirectory(zone);
16382 keystores = dns_zone_getkeystores(zone);
16384 dns_zone_lock_keyfiles(zone);
16385 result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp,
16388 dns_zone_unlock_keyfiles(zone);
16392 dns_zone_log(zone, ISC_LOG_ERROR,
16400 result = dnskey_inuse(zone, rdata, mctx, &keylist, inuse);
16403 result = cdnskey_inuse(zone, rdata, &keylist, inuse);
16406 result = cds_inuse(zone, rdata, &keylist, inuse);
16422 sync_secure_journal(dns_zone_t *zone, dns_zone_t *raw, dns_journal_t *journal,
16472 if (zone->privatetype != 0 && rdata->type == zone->privatetype)
16489 * update the zone with these records from a different provider,
16494 isc_result_t r = dns_zone_dnskey_inuse(zone, rdata,
16524 filter_keymaterial(dns_zone_t *zone, dns_difftuplelist_t *del,
16564 result = dns_zone_dnskey_inuse(zone, &deltuple->rdata,
16573 result = dns_zone_dnskey_inuse(zone, &addtuple->rdata,
16806 dns_zone_t *zone = rss->zone;
16819 LOCK_ZONE(zone);
16822 * The receive_secure_serial() is loop-serialized for the zone. Make
16826 INSIST(zone->rss == NULL || zone->rss == rss);
16828 if (zone->rss != NULL) {
16829 INSIST(zone->rss == rss);
16830 UNLOCK_ZONE(zone);
16832 zone->rss = rss;
16833 dns_diff_init(zone->mctx, &zone->rss_diff);
16836 * zone->db may be NULL, if the load from disk failed.
16839 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
16840 if (zone->db != NULL) {
16841 dns_db_attach(zone->db, &zone->rss_db);
16845 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
16847 if (result == ISC_R_SUCCESS && zone->raw != NULL) {
16848 dns_zone_attach(zone->raw, &zone->rss_raw);
16853 UNLOCK_ZONE(zone);
16858 * We first attempt to sync the raw zone to the secure zone
16859 * by using the raw zone's journal, applying all the deltas
16860 * from the latest source-serial of the secure zone up to
16861 * the current serial number of the raw zone.
16866 CHECK(dns_journal_open(zone->rss_raw->mctx,
16867 zone->rss_raw->journal,
16870 result = dns_journal_open(zone->mctx, zone->journal,
16895 dns_db_currentversion(zone->rss_db, &zone->rss_oldver);
16896 CHECK(dns_db_newversion(zone->rss_db, &zone->rss_newver));
16899 * Try to apply diffs from the raw zone's journal to the secure
16900 * zone. If that fails, we recover by syncing up the databases
16903 result = sync_secure_journal(zone, zone->rss_raw, rjournal,
16905 &zone->rss_diff);
16909 CHECK(sync_secure_db(zone, zone->rss_raw, zone->rss_db,
16910 zone->rss_oldver, &soatuple,
16911 &zone->rss_diff));
16914 CHECK(dns_diff_apply(&zone->rss_diff, zone->rss_db,
16915 zone->rss_newver));
16921 zone->rss_db, zone->rss_oldver,
16922 zone->rss_diff.mctx, DNS_DIFFOP_DEL, &tuple));
16933 CHECK(do_one_tuple(&tuple, zone->rss_db,
16934 zone->rss_newver, &zone->rss_diff));
16935 CHECK(do_one_tuple(&soatuple, zone->rss_db,
16936 zone->rss_newver, &zone->rss_diff));
16938 CHECK(update_soa_serial(zone, zone->rss_db,
16939 zone->rss_newver,
16940 &zone->rss_diff, zone->mctx,
16941 zone->updatemethod));
16945 &log, zone, zone->rss_db, zone->rss_oldver, zone->rss_newver,
16946 &zone->rss_diff, zone->sigvalidityinterval, &zone->rss_state);
16951 isc_async_run(zone->loop, receive_secure_serial, rss);
16956 * If something went wrong while trying to update the secure zone and
16957 * the latter was already signed before, do not apply raw zone deltas
16959 * the secure zone was not yet signed (e.g. because no signing keys
16960 * were created for it), commence applying raw zone deltas to it so
16961 * that contents of the raw zone and the secure zone are kept in sync.
16963 if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) {
16968 CHECK(dns_journal_open(zone->rss_raw->mctx,
16969 zone->rss_raw->journal,
16972 CHECK(zone_journal(zone, &zone->rss_diff, &end,
16978 LOCK_ZONE(zone);
16979 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
16981 zone->sourceserial = end;
16982 zone->sourceserialset = true;
16983 zone_needdump(zone, DNS_DUMP_DELAY);
16989 set_resigntime(zone);
16991 zone_settimer(zone, &timenow);
16992 UNLOCK_ZONE(zone);
16994 dns_db_closeversion(zone->rss_db, &zone->rss_oldver, false);
16995 dns_db_closeversion(zone->rss_db, &zone->rss_newver, true);
16998 dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
17003 isc_mem_put(zone->mctx, rss, sizeof(*rss));
17004 zone->rss = NULL;
17006 if (zone->rss_raw != NULL) {
17007 dns_zone_detach(&zone->rss_raw);
17010 LOCK_ZONE(zone);
17011 set_resigntime(zone);
17013 zone_settimer(zone, &timenow);
17014 UNLOCK_ZONE(zone);
17018 dns_zone_log(zone, level, "receive_secure_serial: %s",
17027 if (zone->rss_db != NULL) {
17028 if (zone->rss_oldver != NULL) {
17029 dns_db_closeversion(zone->rss_db, &zone->rss_oldver,
17032 if (zone->rss_newver != NULL) {
17033 dns_db_closeversion(zone->rss_db, &zone->rss_newver,
17036 dns_db_detach(&zone->rss_db);
17038 INSIST(zone->rss_oldver == NULL);
17039 INSIST(zone->rss_newver == NULL);
17043 dns_diff_clear(&zone->rss_diff);
17045 dns_zone_idetach(&zone);
17049 zone_send_secureserial(dns_zone_t *zone, uint32_t serial) {
17052 rss = isc_mem_get(zone->secure->mctx, sizeof(*rss));
17058 INSIST(LOCKED_ZONE(zone->secure));
17059 zone_iattach(zone->secure, &rss->zone);
17060 isc_async_run(zone->secure->loop, receive_secure_serial, rss);
17062 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
17120 * nsecparam_t data from a zone.
17123 save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
17134 REQUIRE(DNS_ZONE_VALID(zone));
17141 dns_db_attach(zone->db, &db);
17169 nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
17176 dns_nsec3param_toprivate(&rdata, &private, zone->privatetype,
17184 result = dns_db_findrdataset(db, node, version, zone->privatetype,
17235 isc_mem_put(zone->mctx, nsec3p,
17242 nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
17280 * Populate new zone db with private type records found by save_nsec3param().
17283 restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
17291 REQUIRE(DNS_ZONE_VALID(zone));
17294 dns_diff_init(zone->mctx, &diff);
17308 rdata.type = zone->privatetype;
17309 rdata.rdclass = zone->rdclass;
17311 &zone->origin, 0, &rdata);
17364 * update the zone with these records from a different provider,
17365 * and thus they may exist in the raw version of the zone.
17401 dns_zone_t *zone = rss->zone;
17411 LOCK_ZONE(zone);
17412 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || !inline_secure(zone)) {
17418 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
17419 if (zone->db != NULL) {
17420 result = dns_db_getsoaserial(zone->db, NULL, &oldserial);
17426 * assemble nsec3parameters from the old zone, and set a flag
17429 result = save_nsec3param(zone, &nsec3list);
17431 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17435 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17437 result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin,
17438 dns_dbtype_zone, zone->rdclass,
17439 zone->db_argc - 1, zone->db_argv + 1, &db);
17444 result = dns_db_setgluecachestats(db, zone->gluecachestats);
17478 result = restore_nsec3param(zone, db, version, &nsec3list);
17487 * Lock hierarchy: zmgr, zone, raw.
17489 INSIST(zone != zone->raw);
17490 LOCK_ZONE(zone->raw);
17491 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
17492 result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
17493 zone_needdump(zone, 0); /* XXXMPA */
17494 UNLOCK_ZONE(zone->raw);
17499 process_zone_setnsec3param(zone);
17502 UNLOCK_ZONE(zone);
17507 dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s",
17515 isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
17525 isc_mem_put(zone->mctx, rss, sizeof(*rss));
17526 dns_zone_idetach(&zone);
17532 zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
17535 rss = isc_mem_get(zone->secure->mctx, sizeof(*rss));
17538 INSIST(LOCKED_ZONE(zone->secure));
17539 zone_iattach(zone->secure, &rss->zone);
17541 isc_async_run(zone->secure->loop, receive_secure_db, rss);
17543 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
17548 dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
17552 REQUIRE(DNS_ZONE_VALID(zone));
17554 LOCK_ZONE(zone);
17555 if (inline_raw(zone)) {
17556 secure = zone->secure;
17557 INSIST(secure != zone);
17560 UNLOCK_ZONE(zone);
17566 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
17567 result = zone_replacedb(zone, db, dump);
17568 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
17572 UNLOCK_ZONE(zone);
17577 zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
17584 * 'zone' and 'zone->db' locked by caller.
17586 REQUIRE(DNS_ZONE_VALID(zone));
17587 REQUIRE(LOCKED_ZONE(zone));
17588 if (inline_raw(zone)) {
17589 REQUIRE(LOCKED_ZONE(zone->secure));
17592 result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL,
17596 dns_zone_log(zone, ISC_LOG_ERROR, "has %d SOA records",
17600 if (nscount == 0 && zone->type != dns_zone_key) {
17601 dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
17608 dns_zone_log(zone, ISC_LOG_ERROR,
17614 result = check_nsec3param(zone, db);
17623 * The initial version of a secondary zone is always dumped;
17627 if (zone->db != NULL && zone->journal != NULL &&
17628 DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
17629 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER))
17633 dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
17637 dns_zone_log(zone, ISC_LOG_ERROR,
17646 result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
17651 if ((zone->type == dns_zone_secondary ||
17652 (zone->type == dns_zone_redirect &&
17653 dns_remote_addresses(&zone->primaries) != NULL)) &&
17659 dns_zone_log(zone, ISC_LOG_ERROR,
17667 result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
17668 zone->journal);
17672 dns_zone_log(zone, ISC_LOG_ERROR,
17679 zone_needdump(zone, DNS_DUMP_DELAY);
17681 zone_journal_compact(zone, zone->db, serial);
17683 if (zone->type == dns_zone_primary && inline_raw(zone)) {
17684 zone_send_secureserial(zone, serial);
17688 if (dump && zone->masterfile != NULL) {
17693 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
17694 remove(zone->masterfile) < 0 && errno != ENOENT)
17703 zone->masterfile, strbuf);
17705 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0) {
17706 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
17708 zone_needdump(zone, 0);
17711 if (dump && zone->journal != NULL) {
17719 * no longer be used to bring the zone
17726 if (remove(zone->journal) < 0 && errno != ENOENT) {
17734 zone->journal, strbuf);
17738 if (inline_raw(zone)) {
17739 zone_send_securedb(zone, db);
17745 dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database");
17747 if (zone->db != NULL) {
17748 zone_detachdb(zone);
17750 zone_attachdb(zone, db);
17751 dns_db_setloop(zone->db, zone->loop);
17752 dns_db_setmaxrrperset(zone->db, zone->maxrrperset);
17753 dns_db_setmaxtypepername(zone->db, zone->maxtypepername);
17754 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
17764 zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
17765 REQUIRE(zone->db == NULL && db != NULL);
17767 dns_db_attach(db, &zone->db);
17772 zone_detachdb(dns_zone_t *zone) {
17773 REQUIRE(zone->db != NULL);
17775 dns_zone_rpz_disable_db(zone, zone->db);
17776 dns_zone_catz_disable_db(zone, zone->db);
17777 dns_db_detach(&zone->db);
17781 zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result) {
17791 REQUIRE(DNS_ZONE_VALID(zone));
17794 zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
17795 expireopt == NULL ? "zone transfer finished: %s"
17796 : "zone transfer finished: %s, expire=%u",
17800 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
17805 LOCK_ZONE(zone);
17806 if (inline_raw(zone)) {
17807 secure = zone->secure;
17808 INSIST(secure != zone);
17811 UNLOCK_ZONE(zone);
17818 INSIST(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH));
17819 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
17820 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
17825 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
17828 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER |
17831 * Has the zone expired underneath us?
17833 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
17834 if (zone->db == NULL) {
17835 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17839 oldexpire = zone->expire;
17842 * Update the zone structure's data from the actual
17847 INSIST(zone->db != NULL);
17848 result = zone_get_from_db(zone, zone->db, &nscount, &soacount,
17851 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
17854 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17856 "transferred zone "
17859 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
17861 zone->refresh = DNS_ZONE_DEFAULTREFRESH;
17862 zone->retry = DNS_ZONE_DEFAULTRETRY;
17864 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17865 zone_unload(zone);
17869 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17871 "transferred zone "
17873 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
17875 zone->refresh = DNS_ZONE_DEFAULTREFRESH;
17876 zone->retry = DNS_ZONE_DEFAULTRETRY;
17878 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17879 zone_unload(zone);
17882 zone->refresh = RANGE(refresh, zone->minrefresh,
17883 zone->maxrefresh);
17884 zone->retry = RANGE(retry, zone->minretry,
17885 zone->maxretry);
17886 zone->expire = RANGE(expire,
17887 zone->refresh + zone->retry,
17889 zone->soattl = soattl;
17890 zone->minimum = minimum;
17891 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
17897 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
17898 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
17899 zone->refreshtime = now;
17901 DNS_ZONE_JITTER_ADD(&now, zone->refresh,
17902 &zone->refreshtime);
17907 * an EXPIRE option use that to update zone->expiretime.
17909 expire = zone->expire;
17914 if (oldexpire != zone->expire ||
17915 isc_time_compare(&expiretime, &zone->expiretime) > 0)
17917 zone->expiretime = expiretime;
17923 zone->loadtime = now;
17927 if (zone->tsigkey != NULL) {
17929 dns_name_format(zone->tsigkey->name, namebuf,
17936 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17939 if (inline_raw(zone)) {
17940 zone_send_secureserial(zone, serial);
17949 if (zone->masterfile != NULL || zone->journal != NULL) {
17957 isc_interval_set(&i, zone->expire, 0);
17958 result = isc_time_subtract(&zone->expiretime, &i,
17965 if (zone->journal != NULL) {
17966 result = isc_file_settime(zone->journal, &when);
17968 if (result != ISC_R_SUCCESS && zone->masterfile != NULL)
17970 result = isc_file_settime(zone->masterfile,
17974 if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) ||
17982 zone->masterfile != NULL)
17984 zone_needdump(zone, delay);
17986 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
17990 zone->masterfile,
17994 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
17995 inc_stats(zone, dns_zonestatscounter_xfrsuccess);
18000 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOIXFR);
18005 DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
18006 inc_stats(zone, dns_zonestatscounter_xfrfail);
18010 dns_remote_reset(&zone->primaries, true);
18018 dns_remote_next(&zone->primaries, true);
18020 if (dns_remote_done(&zone->primaries)) {
18021 dns_remote_reset(&zone->primaries, false);
18023 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
18026 inc_stats(zone, dns_zonestatscounter_xfrfail);
18029 zone_settimer(zone, &now);
18032 * We are called as the done callback of a zone
18037 if (zone->xfr != NULL) {
18038 dns_xfrin_detach(&zone->xfr);
18041 if (zone->tsigkey != NULL) {
18042 dns_tsigkey_detach(&zone->tsigkey);
18045 if (zone->transport != NULL) {
18046 dns_transport_detach(&zone->transport);
18052 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
18054 if (dns_zone_getdb(zone, &db) == ISC_R_SUCCESS) {
18055 zone_journal_compact(zone, db, zone->compact_serial);
18057 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
18068 if (zone->zmgr != NULL &&
18069 zone->statelist == &zone->zmgr->xfrin_in_progress)
18071 UNLOCK_ZONE(zone);
18072 RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
18073 ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
18074 zone->statelist = NULL;
18075 zmgr_resume_xfrs(zone->zmgr, false);
18076 RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
18077 LOCK_ZONE(zone);
18083 if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
18084 queue_soa_query(zone);
18087 isc_refcount_decrement(&zone->irefs);
18088 free_needed = exit_check(zone);
18089 UNLOCK_ZONE(zone);
18091 zone_free(zone);
18098 dns_zone_t *zone;
18102 zone = load->zone;
18107 * If zone loading failed, remove the update db callbacks prior
18108 * to calling the list of callbacks in the zone load structure.
18111 dns_zone_rpz_disable_db(zone, load->db);
18112 dns_zone_catz_disable_db(zone, load->db);
18123 * Lock hierarchy: zmgr, zone, raw.
18126 LOCK_ZONE(zone);
18127 INSIST(zone != zone->raw);
18128 if (inline_secure(zone)) {
18129 LOCK_ZONE(zone->raw);
18130 } else if (inline_raw(zone)) {
18131 secure = zone->secure;
18134 UNLOCK_ZONE(zone);
18140 (void)zone_postload(zone, load->db, load->loadtime, result);
18141 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING);
18142 zone_idetach(&load->callbacks.zone);
18144 * Leave the zone frozen if the reload fails.
18147 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW))
18149 zone->update_disabled = false;
18151 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW);
18152 if (inline_secure(zone)) {
18153 UNLOCK_ZONE(zone->raw);
18157 UNLOCK_ZONE(zone);
18160 if (zone->loadctx != NULL) {
18161 dns_loadctx_detach(&zone->loadctx);
18163 isc_mem_put(zone->mctx, load, sizeof(*load));
18165 dns_zone_idetach(&zone);
18169 dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
18170 REQUIRE(DNS_ZONE_VALID(zone));
18174 LOCK_ZONE(zone);
18175 if (zone->ssutable != NULL) {
18176 dns_ssutable_attach(zone->ssutable, table);
18178 UNLOCK_ZONE(zone);
18182 dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
18183 REQUIRE(DNS_ZONE_VALID(zone));
18185 LOCK_ZONE(zone);
18186 if (zone->ssutable != NULL) {
18187 dns_ssutable_detach(&zone->ssutable);
18190 dns_ssutable_attach(table, &zone->ssutable);
18192 UNLOCK_ZONE(zone);
18196 dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval) {
18197 REQUIRE(DNS_ZONE_VALID(zone));
18199 zone->sigvalidityinterval = interval;
18203 dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
18204 REQUIRE(DNS_ZONE_VALID(zone));
18206 return zone->sigvalidityinterval;
18210 dns_zone_setkeyvalidityinterval(dns_zone_t *zone, uint32_t interval) {
18211 REQUIRE(DNS_ZONE_VALID(zone));
18213 zone->keyvalidityinterval = interval;
18217 dns_zone_getkeyvalidityinterval(dns_zone_t *zone) {
18218 REQUIRE(DNS_ZONE_VALID(zone));
18220 return zone->keyvalidityinterval;
18224 dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval) {
18227 REQUIRE(DNS_ZONE_VALID(zone));
18229 LOCK_ZONE(zone);
18230 zone->sigresigninginterval = interval;
18231 set_resigntime(zone);
18232 if (zone->loop != NULL) {
18234 zone_settimer(zone, &now);
18236 UNLOCK_ZONE(zone);
18240 dns_zone_getsigresigninginterval(dns_zone_t *zone) {
18241 REQUIRE(DNS_ZONE_VALID(zone));
18243 return zone->sigresigninginterval;
18247 dns_zone_getsourceaddr(dns_zone_t *zone) {
18250 REQUIRE(DNS_ZONE_VALID(zone));
18252 LOCK_ZONE(zone);
18253 INSIST(dns_remote_count(&zone->primaries) > 0);
18254 sourceaddr = zone->sourceaddr;
18255 UNLOCK_ZONE(zone);
18261 dns_zone_getprimaryaddr(dns_zone_t *zone) {
18264 REQUIRE(DNS_ZONE_VALID(zone));
18266 LOCK_ZONE(zone);
18267 INSIST(dns_remote_count(&zone->primaries) > 0);
18268 curraddr = dns_remote_curraddr(&zone->primaries);
18269 UNLOCK_ZONE(zone);
18275 dns_zone_getxfrintime(dns_zone_t *zone) {
18278 REQUIRE(DNS_ZONE_VALID(zone));
18280 LOCK_ZONE(zone);
18281 xfrintime = zone->xfrintime;
18282 UNLOCK_ZONE(zone);
18288 queue_xfrin(dns_zone_t *zone) {
18290 dns_zonemgr_t *zmgr = zone->zmgr;
18294 INSIST(zone->statelist == NULL);
18297 ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
18298 isc_refcount_increment0(&zone->irefs);
18299 zone->statelist = &zmgr->waiting_for_xfrin;
18300 result = zmgr_start_xfrin_ifquota(zmgr, zone);
18304 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
18305 "zone transfer deferred due to quota");
18307 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
18308 "starting zone transfer: %s",
18315 * before an ongoing incoming zone transfer.
18318 * The zone is locked by the caller.
18321 get_request_transport_type(dns_zone_t *zone) {
18324 if (zone->transport != NULL) {
18325 transport_type = dns_transport_get_type(zone->transport);
18327 transport_type = (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC))
18338 primaryaddr = dns_remote_curraddr(&zone->primaries);
18340 result = dns_peerlist_peerbyaddr(zone->view->peers,
18356 dns_zone_getrequesttransporttype(dns_zone_t *zone) {
18359 REQUIRE(DNS_ZONE_VALID(zone));
18361 LOCK_ZONE(zone);
18362 transport_type = get_request_transport_type(zone);
18363 UNLOCK_ZONE(zone);
18369 * This event callback is called when a zone has received
18370 * any necessary zone transfer quota. This is the time
18375 dns_zone_t *zone = (dns_zone_t *)arg;
18391 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
18392 zone_xfrdone(zone, NULL, ISC_R_CANCELED);
18398 primaryaddr = dns_remote_curraddr(&zone->primaries);
18400 if (dns_zonemgr_unreachable(zone->zmgr, &primaryaddr, &zone->sourceaddr,
18403 isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
18404 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
18405 "got_transfer_quota: skipping zone transfer as "
18408 zone_xfrdone(zone, NULL, ISC_R_CANCELED);
18413 (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer);
18415 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
18421 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
18422 loaded = (zone->db != NULL);
18423 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
18426 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18431 } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
18432 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18437 } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOIXFR)) {
18438 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
18443 LOCK_ZONE(zone);
18444 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOIXFR);
18445 UNLOCK_ZONE(zone);
18452 use_ixfr = zone->requestixfr;
18455 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18460 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
18466 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18482 if (dns_remote_keyname(&zone->primaries) != NULL) {
18483 dns_view_t *view = dns_zone_getview(zone);
18484 dns_name_t *keyname = dns_remote_keyname(&zone->primaries);
18485 result = dns_view_gettsig(view, keyname, &zone->tsigkey);
18488 INSIST(zone->tsigkey == NULL);
18489 result = dns_view_getpeertsig(zone->view, &primaryip,
18490 &zone->tsigkey);
18493 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
18494 "could not get TSIG key for zone transfer: %s",
18501 if (dns_remote_tlsname(&zone->primaries) != NULL) {
18502 dns_view_t *view = dns_zone_getview(zone);
18503 dns_name_t *tlsname = dns_remote_tlsname(&zone->primaries);
18505 &zone->transport);
18507 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
18510 "zone transfer: %s",
18515 LOCK_ZONE(zone);
18524 soa_transport_type = get_request_transport_type(zone);
18526 sourceaddr = zone->sourceaddr;
18527 UNLOCK_ZONE(zone);
18531 zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache);
18533 dns_xfrin_create(zone, xfrtype, &primaryaddr, &sourceaddr,
18534 zone->tsigkey, soa_transport_type, zone->transport,
18535 zmgr_tlsctx_cache, zone->mctx, &xfr);
18540 LOCK_ZONE(zone);
18541 if (zone->xfr != NULL) {
18542 dns_xfrin_detach(&zone->xfr);
18544 dns_xfrin_attach(xfr, &zone->xfr);
18545 UNLOCK_ZONE(zone);
18551 * zone transfer. This ensures that we get removed from
18554 result = dns_xfrin_start(zone->xfr, zone_xfrdone);
18556 zone_xfrdone(zone, NULL, result);
18560 LOCK_ZONE(zone);
18563 inc_stats(zone, dns_zonestatscounter_axfrreqv4);
18565 inc_stats(zone, dns_zonestatscounter_axfrreqv6);
18569 inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
18571 inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
18574 UNLOCK_ZONE(zone);
18593 if (forward->zone != NULL) {
18594 LOCK(&forward->zone->lock);
18596 ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
18598 UNLOCK(&forward->zone->lock);
18599 dns_zone_idetach(&forward->zone);
18608 dns_zone_t *zone = forward->zone;
18612 LOCK_ZONE(zone);
18614 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
18615 UNLOCK_ZONE(zone);
18620 if (forward->which >= dns_remote_count(&forward->zone->primaries)) {
18621 UNLOCK_ZONE(zone);
18625 forward->addr = dns_remote_addr(&zone->primaries, forward->which);
18641 src = zone->primaries.sources[forward->which];
18643 src = zone->xfrsource4;
18648 src = zone->primaries.sources[forward->which];
18650 src = zone->xfrsource6;
18662 if (dns_remote_tlsname(&zone->primaries) != NULL &&
18663 zone->primaries.tlsnames[forward->which] != NULL)
18665 dns_view_t *view = dns_zone_getview(zone);
18666 dns_name_t *tlsname = zone->primaries.tlsnames[forward->which];
18678 zmgr_tlsctx_attach(zone->zmgr, &zmgr_tlsctx_cache);
18681 forward->zone->view->requestmgr, forward->msgbuf, &src,
18683 forward->options, 15 /* XXX */, 0, 0, forward->zone->loop,
18690 ISC_LIST_APPEND(zone->forwards, forward, link);
18695 UNLOCK_ZONE(zone);
18698 dns_zone_log(zone, ISC_LOG_ERROR,
18714 dns_zone_t *zone;
18717 zone = forward->zone;
18718 INSIST(DNS_ZONE_VALID(zone));
18726 dns_zone_log(zone, ISC_LOG_INFO,
18732 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
18752 dns_zone_log(zone, ISC_LOG_INFO,
18774 dns_zone_log(zone, ISC_LOG_INFO,
18781 /* These should not occur if the primaries/zone are valid. */
18789 dns_zone_log(zone, ISC_LOG_WARNING,
18821 dns_zone_log(zone, ISC_LOG_DEBUG(3),
18829 dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
18835 REQUIRE(DNS_ZONE_VALID(zone));
18839 forward = isc_mem_get(zone->mctx, sizeof(*forward));
18860 isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
18866 isc_mem_attach(zone->mctx, &forward->mctx);
18867 dns_zone_iattach(zone, &forward->zone);
18878 dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
18879 REQUIRE(DNS_ZONE_VALID(zone));
18882 *next = ISC_LIST_NEXT(zone, link);
18947 zonemgr_keymgmt_add(dns_zonemgr_t *zmgr, dns_zone_t *zone,
18959 dns_name_downcase(&zone->origin, name, NULL);
19095 dns_zone_t *zone = NULL;
19112 dns_zone_create(&zone, mctx, tid);
19114 *zonep = zone;
19120 dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
19121 REQUIRE(DNS_ZONE_VALID(zone));
19125 LOCK_ZONE(zone);
19126 REQUIRE(zone->timer == NULL);
19127 REQUIRE(zone->zmgr == NULL);
19129 isc_loop_t *loop = isc_loop_get(zmgr->loopmgr, zone->tid);
19130 isc_loop_attach(loop, &zone->loop);
19132 zonemgr_keymgmt_add(zmgr, zone, &zone->kfio);
19133 INSIST(zone->kfio != NULL);
19135 ISC_LIST_APPEND(zmgr->zones, zone, link);
19136 zone->zmgr = zmgr;
19140 UNLOCK_ZONE(zone);
19146 dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
19147 REQUIRE(DNS_ZONE_VALID(zone));
19149 REQUIRE(zone->zmgr == zmgr);
19152 LOCK_ZONE(zone);
19154 ISC_LIST_UNLINK(zmgr->zones, zone, link);
19156 if (zone->kfio != NULL) {
19157 zonemgr_keymgmt_delete(zmgr, &zone->kfio);
19158 ENSURE(zone->kfio == NULL);
19161 if (zone->timer != NULL) {
19162 isc_refcount_decrement(&zone->irefs);
19163 isc_timer_destroy(&zone->timer);
19166 isc_loop_detach(&zone->loop);
19169 zone->zmgr = NULL;
19171 UNLOCK_ZONE(zone);
19206 for (dns_zone_t *zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19207 zone = ISC_LIST_NEXT(zone, link))
19211 LOCK_ZONE(zone);
19213 zone_settimer(zone, &now);
19214 UNLOCK_ZONE(zone);
19241 dns_zone_t *zone;
19256 for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19257 zone = ISC_LIST_NEXT(zone, link))
19259 LOCK_ZONE(zone);
19260 forward_cancel(zone);
19261 UNLOCK_ZONE(zone);
19323 * Try to start a new incoming zone transfer to fill a quota
19327 * The zone manager is locked by the caller.
19331 dns_zone_t *zone;
19334 for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin); zone != NULL;
19335 zone = next)
19338 next = ISC_LIST_NEXT(zone, statelink);
19339 result = zmgr_start_xfrin_ifquota(zmgr, zone);
19353 * zone, it may succeed if it uses another primary.
19357 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
19359 "starting zone transfer: %s",
19367 * Try to start an incoming zone transfer for 'zone', quota permitting.
19370 * The zone manager is locked by the caller.
19380 zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
19389 * If we are exiting just pretend we got quota so the zone will
19390 * be cleaned up in the zone's loop context.
19392 LOCK_ZONE(zone);
19393 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
19394 UNLOCK_ZONE(zone);
19400 * like to transfer this zone from.
19402 curraddr = dns_remote_curraddr(&zone->primaries);
19404 (void)dns_peerlist_peerbyaddr(zone->view->peers, &primaryip, &peer);
19405 UNLOCK_ZONE(zone);
19453 * We have sufficient quota. Move the zone to the "xfrin_in_progress"
19456 LOCK_ZONE(zone);
19457 INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
19458 ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
19459 ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
19460 zone->statelist = &zmgr->xfrin_in_progress;
19461 isc_async_run(zone->loop, got_transfer_quota, zone);
19462 dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
19464 UNLOCK_ZONE(zone);
19470 zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
19477 buf = isc_mem_get(zone->mctx, buflen);
19489 dns_zone_log(zone, ISC_LOG_WARNING,
19496 isc_mem_put(zone->mctx, buf, buflen);
19683 dns_zone_stopxfr(dns_zone_t *zone) {
19686 REQUIRE(DNS_ZONE_VALID(zone));
19688 RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
19689 LOCK_ZONE(zone);
19690 if (zone->statelist == &zone->zmgr->xfrin_in_progress &&
19691 zone->xfr != NULL)
19693 dns_xfrin_attach(zone->xfr, &xfr);
19695 UNLOCK_ZONE(zone);
19696 RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
19705 dns_zone_forcexfr(dns_zone_t *zone) {
19706 REQUIRE(DNS_ZONE_VALID(zone));
19708 if (zone->type == dns_zone_primary ||
19709 (zone->type == dns_zone_redirect &&
19710 dns_remote_addresses(&zone->primaries) == NULL))
19715 LOCK_ZONE(zone);
19716 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
19717 UNLOCK_ZONE(zone);
19718 dns_zone_refresh(zone);
19722 dns_zone_isforced(dns_zone_t *zone) {
19723 REQUIRE(DNS_ZONE_VALID(zone));
19725 return DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER);
19729 dns_zone_setstatistics(dns_zone_t *zone, bool on) {
19733 UNUSED(zone);
19739 dns_zone_getstatscounters(dns_zone_t *zone) {
19743 UNUSED(zone);
19748 dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
19749 REQUIRE(DNS_ZONE_VALID(zone));
19750 REQUIRE(zone->stats == NULL);
19752 LOCK_ZONE(zone);
19753 zone->stats = NULL;
19754 isc_stats_attach(stats, &zone->stats);
19755 UNLOCK_ZONE(zone);
19759 dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
19760 REQUIRE(DNS_ZONE_VALID(zone));
19762 LOCK_ZONE(zone);
19763 if (zone->requeststats_on && stats == NULL) {
19764 zone->requeststats_on = false;
19765 } else if (!zone->requeststats_on && stats != NULL) {
19766 if (zone->requeststats == NULL) {
19767 isc_stats_attach(stats, &zone->requeststats);
19769 zone->requeststats_on = true;
19771 UNLOCK_ZONE(zone);
19775 dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) {
19776 REQUIRE(DNS_ZONE_VALID(zone));
19778 LOCK_ZONE(zone);
19779 if (zone->requeststats_on && stats != NULL) {
19780 if (zone->rcvquerystats == NULL) {
19781 dns_stats_attach(stats, &zone->rcvquerystats);
19782 zone->requeststats_on = true;
19785 UNLOCK_ZONE(zone);
19789 dns_zone_setdnssecsignstats(dns_zone_t *zone, dns_stats_t *stats) {
19790 REQUIRE(DNS_ZONE_VALID(zone));
19792 LOCK_ZONE(zone);
19793 if (stats != NULL && zone->dnssecsignstats == NULL) {
19794 dns_stats_attach(stats, &zone->dnssecsignstats);
19796 UNLOCK_ZONE(zone);
19800 dns_zone_getdnssecsignstats(dns_zone_t *zone) {
19801 REQUIRE(DNS_ZONE_VALID(zone));
19803 return zone->dnssecsignstats;
19807 dns_zone_getrequeststats(dns_zone_t *zone) {
19809 * We don't lock zone for efficiency reason. This is not catastrophic
19816 if (zone->requeststats_on) {
19817 return zone->requeststats;
19828 dns_zone_getrcvquerystats(dns_zone_t *zone) {
19829 if (zone->requeststats_on) {
19830 return zone->rcvquerystats;
19837 dns_zone_dialup(dns_zone_t *zone) {
19838 REQUIRE(DNS_ZONE_VALID(zone));
19840 zone_debuglog(zone, __func__, 3, "notify = %d, refresh = %d",
19841 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
19842 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
19844 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
19845 dns_zone_notify(zone);
19847 if (zone->type != dns_zone_primary &&
19848 dns_remote_addresses(&zone->primaries) != NULL &&
19849 DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
19851 dns_zone_refresh(zone);
19856 dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
19857 REQUIRE(DNS_ZONE_VALID(zone));
19859 LOCK_ZONE(zone);
19860 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
19867 DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
19872 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
19875 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
19876 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19879 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
19880 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19883 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
19888 UNLOCK_ZONE(zone);
19892 dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
19895 REQUIRE(DNS_ZONE_VALID(zone));
19897 LOCK_ZONE(zone);
19898 result = dns_zone_setstring(zone, &zone->keydirectory, directory);
19899 UNLOCK_ZONE(zone);
19905 dns_zone_getkeydirectory(dns_zone_t *zone) {
19906 REQUIRE(DNS_ZONE_VALID(zone));
19908 return zone->keydirectory;
19912 dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores) {
19913 REQUIRE(DNS_ZONE_VALID(zone));
19915 LOCK_ZONE(zone);
19916 zone->keystores = keystores;
19917 UNLOCK_ZONE(zone);
19921 dns_zone_getkeystores(dns_zone_t *zone) {
19924 REQUIRE(DNS_ZONE_VALID(zone));
19926 LOCK_ZONE(zone);
19927 if (inline_raw(zone) && zone->secure != NULL) {
19928 ks = zone->secure->keystores;
19930 ks = zone->keystores;
19932 UNLOCK_ZONE(zone);
19939 dns_zone_t *zone;
19947 for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
19948 zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
19954 for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
19955 zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
19961 for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19962 zone = ISC_LIST_NEXT(zone, link))
19964 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH)) {
19970 for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19971 zone = ISC_LIST_NEXT(zone, link))
19973 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
19979 for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19980 zone = ISC_LIST_NEXT(zone, link))
19982 dns_view_t *view = zone->view;
19990 for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
19991 zone = ISC_LIST_NEXT(zone, link))
19993 dns_view_t *view = zone->view;
19997 if (zone->automatic) {
20012 dns_zone_getxfr(dns_zone_t *zone, dns_xfrin_t **xfrp, bool *is_firstrefresh,
20015 REQUIRE(DNS_ZONE_VALID(zone));
20018 if (zone->zmgr == NULL) {
20030 RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
20031 LOCK_ZONE(zone);
20032 *is_firstrefresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIRSTREFRESH);
20033 if (zone->xfr != NULL) {
20034 dns_xfrin_attach(zone->xfr, xfrp);
20036 if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
20040 * while the current zone transfer is running.
20042 *needs_refresh = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
20043 } else if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
20045 } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
20046 if (zone->request != NULL) {
20053 * No operation is ongoing or pending, just check if the zone
20056 if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
20057 (zone->type == dns_zone_secondary ||
20058 zone->type == dns_zone_mirror ||
20059 zone->type == dns_zone_stub))
20062 if (isc_time_compare(&now, &zone->refreshtime) >= 0 ||
20063 isc_time_compare(&now, &zone->expiretime) >= 0)
20069 UNLOCK_ZONE(zone);
20070 RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_read);
20076 dns_zone_lock_keyfiles(dns_zone_t *zone) {
20077 REQUIRE(DNS_ZONE_VALID(zone));
20079 if (zone->kasp == NULL) {
20084 REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
20085 isc_mutex_lock(&zone->kfio->lock);
20089 dns_zone_unlock_keyfiles(dns_zone_t *zone) {
20090 REQUIRE(DNS_ZONE_VALID(zone));
20092 if (zone->kasp == NULL) {
20097 REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
20098 isc_mutex_unlock(&zone->kfio->lock);
20102 dns_zone_checknames(dns_zone_t *zone, const dns_name_t *name,
20112 REQUIRE(DNS_ZONE_VALID(zone));
20114 if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES) &&
20120 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL) ||
20131 dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
20144 dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
20155 dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
20156 REQUIRE(DNS_ZONE_VALID(zone));
20157 zone->checkmx = checkmx;
20161 dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
20162 REQUIRE(DNS_ZONE_VALID(zone));
20163 zone->checksrv = checksrv;
20167 dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
20168 REQUIRE(DNS_ZONE_VALID(zone));
20169 zone->checkns = checkns;
20173 dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
20174 REQUIRE(DNS_ZONE_VALID(zone));
20176 LOCK_ZONE(zone);
20177 zone->isself = isself;
20178 zone->isselfarg = arg;
20179 UNLOCK_ZONE(zone);
20183 dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay) {
20184 REQUIRE(DNS_ZONE_VALID(zone));
20186 LOCK_ZONE(zone);
20187 zone->notifydelay = delay;
20188 UNLOCK_ZONE(zone);
20192 dns_zone_getnotifydelay(dns_zone_t *zone) {
20193 REQUIRE(DNS_ZONE_VALID(zone));
20195 return zone->notifydelay;
20199 dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
20202 REQUIRE(DNS_ZONE_VALID(zone));
20204 dnssec_log(zone, ISC_LOG_NOTICE,
20207 LOCK_ZONE(zone);
20208 result = zone_signwithkey(zone, algorithm, keyid, deleteit);
20209 UNLOCK_ZONE(zone);
20221 dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
20225 REQUIRE(DNS_ZONE_VALID(zone));
20229 dnssec_log(zone, ISC_LOG_NOTICE,
20232 LOCK_ZONE(zone);
20233 result = zone_addnsec3chain(zone, nsec3param);
20234 UNLOCK_ZONE(zone);
20240 dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes) {
20241 REQUIRE(DNS_ZONE_VALID(zone));
20246 zone->nodes = nodes;
20250 dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures) {
20251 REQUIRE(DNS_ZONE_VALID(zone));
20262 zone->signatures = signatures;
20266 dns_zone_getsignatures(dns_zone_t *zone) {
20267 REQUIRE(DNS_ZONE_VALID(zone));
20268 return zone->signatures;
20272 dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
20273 REQUIRE(DNS_ZONE_VALID(zone));
20274 zone->privatetype = type;
20278 dns_zone_getprivatetype(dns_zone_t *zone) {
20279 REQUIRE(DNS_ZONE_VALID(zone));
20280 return zone->privatetype;
20284 zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
20292 signing = isc_mem_get(zone->mctx, sizeof *signing);
20304 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
20305 if (zone->db != NULL) {
20306 dns_db_attach(zone->db, &db);
20308 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
20317 for (current = ISC_LIST_HEAD(zone->signing); current != NULL;
20339 ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
20341 if (isc_time_isepoch(&zone->signingtime)) {
20342 zone->signingtime = now;
20343 if (zone->loop != NULL) {
20344 zone_settimer(zone, &now);
20357 isc_mem_put(zone->mctx, signing, sizeof *signing);
20590 tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
20602 dns_name_equal(&tuple->name, &zone->origin))
20609 result = del_sigs(zone, db, ver, &zone->origin, rrtype,
20612 dnssec_log(zone, ISC_LOG_ERROR,
20617 result = add_sigs(db, ver, &zone->origin, zone, rrtype,
20618 zonediff->diff, keys, nkeys, zone->mctx, now,
20621 dnssec_log(zone, ISC_LOG_ERROR,
20632 sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20639 result = dns_zone_findkeys(zone, db, ver, now, zone->mctx,
20642 dnssec_log(zone, ISC_LOG_ERROR,
20649 soaexpire = now + dns_zone_getsigvalidityinterval(zone);
20651 keyexpire = dns_zone_getkeyvalidityinterval(zone);
20663 result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
20669 result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff,
20675 result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
20682 result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
20687 dnssec_log(zone, ISC_LOG_ERROR,
20701 clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20719 result = dns_nsec3param_deletechains(db, ver, zone, true, diff);
20759 add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
20766 CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
20769 CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone_nsecttl(zone),
20770 false, zone->privatetype, diff));
20772 CHECK(updatesecure(db, ver, origin, zone_nsecttl(zone), true, diff));
20791 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
20794 if (checkds->zone != NULL) {
20796 LOCK_ZONE(checkds->zone);
20798 REQUIRE(LOCKED_ZONE(checkds->zone));
20800 ISC_LIST_UNLINK(checkds->zone->checkds_requests,
20804 UNLOCK_ZONE(checkds->zone);
20807 zone_idetach(&checkds->zone);
20809 dns_zone_idetach(&checkds->zone);
20852 do_checkds(dns_zone_t *zone, dst_key_t *key, isc_stdtime_t now,
20854 dns_kasp_t *kasp = zone->kasp;
20859 switch (zone->checkdstype) {
20861 num = zone->parent_nscount;
20864 num = dns_remote_count(&zone->parentals);
20868 dns_zone_log(zone, ISC_LOG_WARNING,
20877 dns_zone_log(zone, ISC_LOG_DEBUG(3),
20889 dns_zone_log(zone, ISC_LOG_DEBUG(3),
20899 dns_zone_log(zone, ISC_LOG_DEBUG(3),
20904 dns_zone_lock_keyfiles(zone);
20905 result = dns_keymgr_checkds_id(kasp, &zone->checkds_ok, now, now,
20908 dns_zone_unlock_keyfiles(zone);
20911 dns_zone_log(zone, ISC_LOG_WARNING,
20921 validate_ds(dns_zone_t *zone, dns_message_t *message) {
20922 UNUSED(zone);
20927 /* Check that trust anchor is (grand)parent of zone. */
20944 dns_zone_t *zone = NULL;
20961 zone = checkds->zone;
20965 kasp = zone->kasp;
20971 dns_zone_log(zone, ISC_LOG_DEBUG(1), "checkds: DS query to %s: done",
20974 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTPARSE,
20983 dns_zone_log(zone, ISC_LOG_DEBUG(3),
20988 CHECK(validate_ds(zone, message));
20992 dns_zone_log(zone, ISC_LOG_NOTICE,
21002 dns_zone_log(zone, ISC_LOG_NOTICE,
21016 if (dns_name_compare(&zone->origin, name) != 0) {
21041 dns_zone_log(zone, ISC_LOG_NOTICE,
21048 CHECK(dns_zone_getdb(zone, &db));
21052 LOCK_ZONE(zone);
21053 for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL;
21113 r = dns_ds_buildrdata(&zone->origin, &dnskey,
21122 alldone = do_checkds(zone, key->key,
21137 alldone = do_checkds(zone, key->key, now, false);
21143 UNLOCK_ZONE(zone);
21148 dns_zone_rekey(zone, false);
21153 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21168 dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
21176 checkds_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr,
21180 for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
21219 checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
21225 REQUIRE(DNS_ZONE_VALID(zone));
21228 dns_message_create(zone->mctx, NULL, NULL, DNS_MESSAGE_INTENTRENDER,
21232 message->rdclass = zone->rdclass;
21243 dns_name_clone(&zone->origin, tempname);
21244 dns_rdataset_makequestion(temprdataset, zone->rdclass,
21273 LOCK_ZONE(checkds->zone);
21275 UNLOCK_ZONE(checkds->zone);
21301 dns_view_getadb(checkds->zone->view, &adb);
21307 adb, checkds->zone->loop, process_checkds_adb_event, checkds,
21309 checkds->zone->view->dstport, 0, NULL, &checkds->find);
21323 LOCK_ZONE(checkds->zone);
21325 UNLOCK_ZONE(checkds->zone);
21348 LOCK_ZONE(checkds->zone);
21350 if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_LOADED) == 0 || canceled ||
21351 DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING) ||
21352 checkds->zone->view->requestmgr == NULL ||
21353 checkds->zone->db == NULL)
21367 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21374 checkds_createmessage(checkds->zone, &message);
21383 result = dns_view_getpeertsig(checkds->zone->view, &dstip,
21386 dns_zone_log(checkds->zone, ISC_LOG_ERROR,
21398 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21402 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21406 if (checkds->zone->view->peers != NULL) {
21409 result = dns_peerlist_peerbyaddr(checkds->zone->view->peers,
21430 src = checkds->zone->parentalsrc4;
21441 src = checkds->zone->parentalsrc6;
21450 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21456 checkds->zone->view->requestmgr, message, &src, &checkds->dst,
21458 checkds->zone->loop, checkds_done, checkds, &checkds->request);
21460 dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
21472 UNLOCK_ZONE(checkds->zone);
21484 dns_zone_t *zone = NULL;
21490 REQUIRE(LOCKED_ZONE(checkds->zone));
21492 zone = checkds->zone;
21494 if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING)) {
21502 if (checkds_isqueued(zone, NULL, &dst, NULL, NULL)) {
21511 zone_iattach(zone, &newcheckds->zone);
21512 ISC_LIST_APPEND(newcheckds->zone->checkds_requests, newcheckds,
21533 newcheckds->zone->zmgr->checkdsrl,
21534 newcheckds->zone->loop, checkds_send_toaddr, newcheckds,
21549 checkds_send(dns_zone_t *zone) {
21550 dns_view_t *view = dns_zone_getview(zone);
21558 REQUIRE(LOCKED_ZONE(zone));
21560 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21562 dns_remote_count(&zone->parentals));
21564 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
21565 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21570 dns_remote_reset(&zone->parentals, false);
21571 while (!dns_remote_done(&zone->parentals)) {
21579 if (dns_remote_keyname(&zone->parentals) != NULL) {
21581 dns_remote_keyname(&zone->parentals);
21585 if (dns_remote_tlsname(&zone->parentals) != NULL) {
21587 dns_remote_tlsname(&zone->parentals);
21591 zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
21592 "got TLS configuration for zone transfer");
21595 dst = dns_remote_curraddr(&zone->parentals);
21596 src = dns_remote_sourceaddr(&zone->parentals);
21605 if (checkds_isqueued(zone, NULL, &dst, key, transport)) {
21606 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21619 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21624 result = checkds_create(zone->mctx, flags, &checkds);
21626 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21632 zone_iattach(zone, &checkds->zone);
21649 ISC_LIST_APPEND(zone->checkds_requests, checkds, link);
21651 checkds->zone->zmgr->checkdsrl, checkds->zone->loop,
21654 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21662 dns_remote_next(&zone->parentals, false);
21667 * An NS RRset has been fetched from the parent of a zone whose DS RRset needs
21676 dns_zone_t *zone = NULL;
21691 zone = nsfetch->zone;
21708 LOCK_ZONE(zone);
21709 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
21713 zone->nsfetchcount--;
21716 dnssec_log(zone, ISC_LOG_DEBUG(3),
21721 dnssec_log(zone, ISC_LOG_DEBUG(3),
21727 dnssec_log(zone, ISC_LOG_WARNING,
21736 dnssec_log(zone, ISC_LOG_WARNING,
21744 dnssec_log(zone, ISC_LOG_WARNING, "No NS RRSIGs found for '%s'",
21752 dnssec_log(zone, ISC_LOG_WARNING,
21760 zone->parent_nscount = dns_rdataset_count(nsrrset);
21762 UNLOCK_ZONE(zone);
21779 LOCK_ZONE(zone);
21780 isqueued = checkds_isqueued(zone, &ns.name, NULL, NULL, NULL);
21781 UNLOCK_ZONE(zone);
21785 result = checkds_create(zone->mctx, 0, &checkds);
21787 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21796 dns_zone_log(zone, ISC_LOG_DEBUG(3),
21801 LOCK_ZONE(zone);
21802 zone_iattach(zone, &checkds->zone);
21803 dns_name_dup(&ns.name, zone->mctx, &checkds->ns);
21804 ISC_LIST_APPEND(zone->checkds_requests, checkds, link);
21805 UNLOCK_ZONE(zone);
21813 LOCK_ZONE(zone);
21818 zone, ISC_LOG_ERROR,
21824 isc_refcount_decrement(&zone->irefs);
21835 UNLOCK_ZONE(zone);
21843 free_needed = exit_check(zone);
21844 UNLOCK_ZONE(zone);
21847 zone_free(zone);
21857 dns_zone_t *zone = nsfetch->zone;
21860 if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
21865 result = dns_view_getresolver(zone->view, &resolver);
21873 dnssec_log(zone, ISC_LOG_WARNING,
21893 NULL, 0, options, 0, NULL, zone->loop, nsfetch_done, nsfetch,
21904 dnssec_log(zone, ISC_LOG_WARNING,
21907 LOCK_ZONE(zone);
21908 zone->nsfetchcount--;
21909 isc_refcount_decrement(&zone->irefs);
21911 dns_name_free(zname, zone->mctx);
21914 free_needed = exit_check(zone);
21915 UNLOCK_ZONE(zone);
21917 zone_free(zone);
21926 * child and parent zone.
21930 dns_zone_t *zone = nsfetch->zone;
21935 LOCK_ZONE(zone);
21936 zone->nsfetchcount++;
21937 isc_refcount_increment0(&zone->irefs);
21942 dnssec_log(zone, ISC_LOG_DEBUG(3),
21946 isc_async_run(zone->loop, do_nsfetch, nsfetch);
21947 UNLOCK_ZONE(zone);
21954 zone_checkds(dns_zone_t *zone) {
21956 dns_checkdstype_t checkdstype = zone->checkdstype;
21962 for (dns_dnsseckey_t *key = ISC_LIST_HEAD(zone->checkds_ok);
21997 LOCK_ZONE(zone);
21998 checkds_send(zone);
21999 UNLOCK_ZONE(zone);
22011 nsfetch = isc_mem_get(zone->mctx, sizeof(dns_nsfetch_t));
22012 *nsfetch = (dns_nsfetch_t){ .zone = zone };
22013 isc_mem_attach(zone->mctx, &nsfetch->mctx);
22014 LOCK_ZONE(zone);
22015 zone->nsfetchcount++;
22016 isc_refcount_increment0(&zone->irefs);
22019 dns_name_clone(&zone->origin, &nsfetch->pname);
22020 dns_name_dup(&zone->origin, zone->mctx, name);
22025 zone, ISC_LOG_DEBUG(3),
22028 isc_async_run(zone->loop, do_nsfetch, nsfetch);
22029 UNLOCK_ZONE(zone);
22085 zone_verifykeys(dns_zone_t *zone, dns_dnsseckeylist_t *newkeys) {
22091 for (key1 = ISC_LIST_HEAD(zone->keyring); key1 != NULL; key1 = next) {
22114 dnssec_log(zone, ISC_LOG_DEBUG(1),
22126 remove_rdataset(dns_zone_t *zone, dns_diff_t *diff, dns_rdataset_t *rdataset) {
22138 dns_difftuple_create(zone->mctx, DNS_DIFFOP_DEL, &zone->origin,
22154 zone_apply_skrbundle(dns_zone_t *zone, dns_skrbundle_t *bundle,
22157 dns_kasp_t *kasp = zone->kasp;
22159 REQUIRE(DNS_ZONE_VALID(zone));
22164 remove_rdataset(zone, diff, dnskeyset);
22165 remove_rdataset(zone, diff, cdsset);
22166 remove_rdataset(zone, diff, cdnskeyset);
22191 zone_rekey(dns_zone_t *zone) {
22216 REQUIRE(DNS_ZONE_VALID(zone));
22227 mctx = zone->mctx;
22232 CHECK(dns_zone_getdb(zone, &db));
22239 kasp = zone->kasp;
22240 dir = dns_zone_getkeydirectory(zone);
22242 dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
22268 result = update_ttl(&keyset, &zone->origin, ttl, &diff);
22270 dnssec_log(zone, ISC_LOG_ERROR,
22277 dnssec_log(zone, ISC_LOG_INFO,
22283 dns_zone_lock_keyfiles(zone);
22286 &zone->origin, kasp, dir, mctx, &keyset, &keysigs,
22289 dns_zone_unlock_keyfiles(zone);
22306 result = update_ttl(&cdsset, &zone->origin, ttl, &diff);
22308 dnssec_log(zone, ISC_LOG_ERROR,
22313 dnssec_log(zone, ISC_LOG_INFO, "Updating CDS TTL from %u to %u",
22326 result = update_ttl(&cdnskeyset, &zone->origin, ttl, &diff);
22329 zone, ISC_LOG_ERROR,
22334 dnssec_log(zone, ISC_LOG_INFO,
22341 * True when called from "rndc sign". Indicates the zone should be
22344 fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
22348 LOCK_ZONE(zone);
22349 if (zone->skr == NULL) {
22350 UNLOCK_ZONE(zone);
22351 dnssec_log(zone, ISC_LOG_DEBUG(1),
22357 bundle = dns_skr_lookup(zone->skr, now, sigval);
22358 zone->skrbundle = bundle;
22359 UNLOCK_ZONE(zone);
22371 dnssec_log(zone, ISC_LOG_DEBUG(1),
22380 zone_apply_skrbundle(zone, bundle, &keyset, &cdsset,
22389 dnssec_log(zone, ISC_LOG_WARNING,
22401 dns_zone_lock_keyfiles(zone);
22402 result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir,
22403 zone->keystores, now, mctx, &keys);
22404 dns_zone_unlock_keyfiles(zone);
22407 dnssec_log(zone, ISC_LOG_DEBUG(1),
22414 isc_result_t ret = zone_verifykeys(zone, &keys);
22416 dnssec_log(zone, ISC_LOG_ERROR,
22426 LOCK_ZONE(zone);
22427 checkds_cancel(zone);
22428 clear_keylist(&zone->checkds_ok, zone->mctx);
22429 ISC_LIST_INIT(zone->checkds_ok);
22430 UNLOCK_ZONE(zone);
22432 ret = dns_zone_getdnsseckeys(zone, db, ver, now,
22433 &zone->checkds_ok);
22435 zone_checkds(zone);
22437 dnssec_log(zone,
22447 dns_zone_lock_keyfiles(zone);
22448 result = dns_keymgr_run(&zone->origin, zone->rdclass,
22451 dns_zone_unlock_keyfiles(zone);
22454 dnssec_log(zone, ISC_LOG_ERROR,
22467 dns_zone_lock_keyfiles(zone);
22468 result = dns_keymgr_offline(&zone->origin, &keys, kasp, now,
22470 dns_zone_unlock_keyfiles(zone);
22473 dnssec_log(zone, ISC_LOG_ERROR,
22497 &zone->origin, ttl, &diff, mctx,
22504 dnssec_log(zone, ISC_LOG_ERROR,
22505 "zone_rekey:couldn't update zone keys: %s",
22516 * Publish CDS/CDNSKEY DELETE records if the zone is
22577 digests = dns_kasp_digests(zone->defaultkasp);
22587 dnssec_log(zone, ISC_LOG_ERROR,
22622 &cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl,
22625 dnssec_log(zone, ISC_LOG_ERROR,
22636 * event, we need to sign the zone fully. (If there's a new
22638 * the zone signing can be handled incrementally.)
22658 * whole zone with this key later.
22669 * introduce a zone with NSEC only DNSKEYs along with NSEC3
22672 sane_dnskey = dns_zone_check_dnskey_nsec3(zone, db, ver, &diff,
22676 dnssec_log(zone, ISC_LOG_ERROR,
22683 CHECK(clean_nsec3param(zone, db, ver, &diff));
22684 CHECK(add_signing_records(db, zone->privatetype, ver,
22686 CHECK(update_soa_serial(zone, db, ver, &diff, mctx,
22687 zone->updatemethod));
22688 CHECK(add_chains(zone, db, ver, &diff));
22689 CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff));
22690 CHECK(zone_journal(zone, zonediff.diff, NULL,
22698 LOCK_ZONE(zone);
22703 dns_zone_getdnssecsignstats(zone);
22705 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
22707 zone_needdump(zone, DNS_DUMP_DELAY);
22709 zone_settimer(zone, &timenow);
22717 zone, dst_key_alg(key->key),
22720 dnssec_log(zone, ISC_LOG_ERROR,
22746 * "rndc sign" was called, so we now sign the zone
22757 zone, dst_key_alg(key->key),
22760 dnssec_log(zone, ISC_LOG_ERROR,
22770 * the full zone, but only with newly active
22781 zone, dst_key_alg(key->key),
22784 dnssec_log(zone, ISC_LOG_ERROR,
22796 DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN);
22799 * Cause the zone to add/delete NSEC3 chains for the
22809 if (tuple->rdata.type != zone->privatetype ||
22827 result = zone_addnsec3chain(zone, &nsec3param);
22829 dnssec_log(zone, ISC_LOG_ERROR,
22840 resume_addnsec3chain(zone);
22846 set_resigntime(zone);
22849 isc_time_settoepoch(&zone->refreshkeytime);
22866 nexttime_seconds = zone->refreshkeyinterval;
22870 zone->refreshkeytime = timenext;
22871 zone_settimer(zone, &timenow);
22872 isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
22874 dnssec_log(zone, ISC_LOG_DEBUG(3),
22876 dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
22883 else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
22888 DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
22890 zone->refreshkeytime = timethen;
22902 if (isc_time_compare(&timethen, &zone->refreshkeytime) <
22905 zone->refreshkeytime = timethen;
22909 zone_settimer(zone, &timenow);
22911 isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
22912 dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
22914 UNLOCK_ZONE(zone);
22919 if (!ISC_LIST_EMPTY(zone->keyring)) {
22920 clear_keylist(&zone->keyring, zone->mctx);
22928 dnssec_log(zone, ISC_LOG_DEBUG(3),
22933 ISC_LIST_APPEND(zone->keyring, key, link);
22939 LOCK_ZONE(zone);
22949 dnssec_log(zone, loglevel,
22952 ISC_MIN(zone->refreshkeyinterval, 600));
22953 isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600),
22955 isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
22957 UNLOCK_ZONE(zone);
22995 dns_zone_rekey(dns_zone_t *zone, bool fullsign) {
22998 if (zone->type == dns_zone_primary && zone->loop != NULL) {
22999 LOCK_ZONE(zone);
23002 DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
23006 zone->refreshkeytime = now;
23007 zone_settimer(zone, &now);
23009 UNLOCK_ZONE(zone);
23014 dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
23019 REQUIRE(DNS_ZONE_VALID(zone));
23026 result = zone_count_ns_rr(zone, db, node, version, NULL, errors, false);
23032 dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
23042 REQUIRE(DNS_ZONE_VALID(zone));
23240 dns_zone_setautomatic(dns_zone_t *zone, bool automatic) {
23241 REQUIRE(DNS_ZONE_VALID(zone));
23243 LOCK_ZONE(zone);
23244 zone->automatic = automatic;
23245 UNLOCK_ZONE(zone);
23249 dns_zone_getautomatic(dns_zone_t *zone) {
23250 REQUIRE(DNS_ZONE_VALID(zone));
23251 return zone->automatic;
23255 dns_zone_setadded(dns_zone_t *zone, bool added) {
23256 REQUIRE(DNS_ZONE_VALID(zone));
23258 LOCK_ZONE(zone);
23259 zone->added = added;
23260 UNLOCK_ZONE(zone);
23264 dns_zone_getadded(dns_zone_t *zone) {
23265 REQUIRE(DNS_ZONE_VALID(zone));
23266 return zone->added;
23270 dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db) {
23278 * Lock hierarchy: zmgr, zone, raw.
23281 LOCK_ZONE(zone);
23282 INSIST(zone != zone->raw);
23283 if (inline_secure(zone)) {
23284 LOCK_ZONE(zone->raw);
23285 } else if (inline_raw(zone)) {
23286 secure = zone->secure;
23289 UNLOCK_ZONE(zone);
23295 result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
23296 if (inline_secure(zone)) {
23297 UNLOCK_ZONE(zone->raw);
23301 UNLOCK_ZONE(zone);
23306 dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval) {
23307 REQUIRE(DNS_ZONE_VALID(zone));
23316 zone->refreshkeyinterval = interval * 60;
23321 dns_zone_setrequestixfr(dns_zone_t *zone, bool flag) {
23322 REQUIRE(DNS_ZONE_VALID(zone));
23323 zone->requestixfr = flag;
23327 dns_zone_getrequestixfr(dns_zone_t *zone) {
23328 REQUIRE(DNS_ZONE_VALID(zone));
23329 return zone->requestixfr;
23333 dns_zone_setixfrratio(dns_zone_t *zone, uint32_t ratio) {
23334 REQUIRE(DNS_ZONE_VALID(zone));
23335 zone->ixfr_ratio = ratio;
23339 dns_zone_getixfrratio(dns_zone_t *zone) {
23340 REQUIRE(DNS_ZONE_VALID(zone));
23341 return zone->ixfr_ratio;
23345 dns_zone_setrequestexpire(dns_zone_t *zone, bool flag) {
23346 REQUIRE(DNS_ZONE_VALID(zone));
23347 zone->requestexpire = flag;
23351 dns_zone_getrequestexpire(dns_zone_t *zone) {
23352 REQUIRE(DNS_ZONE_VALID(zone));
23353 return zone->requestexpire;
23357 dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) {
23358 REQUIRE(DNS_ZONE_VALID(zone));
23359 zone->updatemethod = method;
23363 dns_zone_getserialupdatemethod(dns_zone_t *zone) {
23364 REQUIRE(DNS_ZONE_VALID(zone));
23365 return zone->updatemethod;
23369 * Lock hierarchy: zmgr, zone, raw.
23372 dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) {
23375 REQUIRE(DNS_ZONE_VALID(zone));
23376 REQUIRE(zone->zmgr != NULL);
23377 REQUIRE(zone->loop != NULL);
23378 REQUIRE(zone->raw == NULL);
23385 REQUIRE(zone != raw);
23388 * Lock hierarchy: zmgr, zone, raw.
23390 zmgr = zone->zmgr;
23392 LOCK_ZONE(zone);
23395 isc_loop_attach(zone->loop, &raw->loop);
23397 /* dns_zone_attach(raw, &zone->raw); */
23399 zone->raw = raw;
23401 /* dns_zone_iattach(zone, &raw->secure); */
23402 zone_iattach(zone, &raw->secure);
23409 UNLOCK_ZONE(zone);
23415 dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
23416 REQUIRE(DNS_ZONE_VALID(zone));
23419 LOCK(&zone->lock);
23420 INSIST(zone != zone->raw);
23421 if (zone->raw != NULL) {
23422 dns_zone_attach(zone->raw, raw);
23424 UNLOCK(&zone->lock);
23428 dns_zone_israw(dns_zone_t *zone) {
23430 REQUIRE(DNS_ZONE_VALID(zone));
23431 LOCK(&zone->lock);
23432 israw = zone->secure != NULL;
23433 UNLOCK(&zone->lock);
23438 dns_zone_issecure(dns_zone_t *zone) {
23440 REQUIRE(DNS_ZONE_VALID(zone));
23441 LOCK(&zone->lock);
23442 issecure = zone->raw != NULL;
23443 UNLOCK(&zone->lock);
23450 dns_zone_t *zone;
23466 dns_zone_t *zone = kd->zone;
23470 INSIST(DNS_ZONE_VALID(zone));
23475 dns_diff_init(zone->mctx, &diff);
23477 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23478 if (zone->db != NULL) {
23479 dns_db_attach(zone->db, &db);
23481 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23489 dnssec_log(zone, ISC_LOG_ERROR,
23500 result = dns_db_findrdataset(db, node, newver, zone->privatetype,
23537 &zone->origin, rdataset.ttl,
23545 CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
23546 zone->updatemethod));
23548 result = dns_update_signatures(&log, zone, db, oldver, newver,
23550 zone->sigvalidityinterval);
23555 CHECK(zone_journal(zone, &diff, NULL, "keydone"));
23558 LOCK_ZONE(zone);
23559 DNS_ZONE_SETFLAG(zone,
23561 zone_needdump(zone, 30);
23562 UNLOCK_ZONE(zone);
23582 isc_mem_put(zone->mctx, kd, sizeof(*kd));
23583 dns_zone_idetach(&zone);
23590 dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
23595 REQUIRE(DNS_ZONE_VALID(zone));
23597 LOCK_ZONE(zone);
23599 kd = isc_mem_get(zone->mctx, sizeof(*kd));
23639 zone_iattach(zone, &kd->zone);
23640 isc_async_run(zone->loop, keydone, kd);
23645 isc_mem_put(zone->mctx, kd, sizeof(*kd));
23647 UNLOCK_ZONE(zone);
23652 * Called from the zone loop's queue after the relevant event is posted by
23658 dns_zone_t *zone = npe->zone;
23661 INSIST(DNS_ZONE_VALID(zone));
23665 LOCK_ZONE(zone);
23666 loadpending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
23667 UNLOCK_ZONE(zone);
23671 * loop-serialized for the zone. Make sure there's no processing
23674 INSIST(zone->rss_newver == NULL);
23677 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23679 * The zone is not yet fully loaded. Reschedule the event to
23683 if (zone->db == NULL && loadpending) {
23685 isc_async_run(zone->loop, setnsec3param, npe);
23687 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23694 dns_zone_idetach(&zone);
23719 * If not, modify the relevant private-type records at the zone apex and call
23725 dns_zone_t *zone = npe->zone;
23743 dns_diff_init(zone->mctx, &diff);
23745 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23746 if (zone->db != NULL) {
23747 dns_db_attach(zone->db, &db);
23749 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23757 dnssec_log(zone, ISC_LOG_ERROR,
23777 result = dns__zone_lookup_nsec3param(zone, &np->rdata, ¶m,
23787 dnssec_log(zone, ISC_LOG_DEBUG(3),
23803 CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
23806 dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
23815 result = dns_db_findrdataset(db, node, newver, zone->privatetype,
23869 CHECK(dns_nsec3param_deletechains(db, newver, zone, !np->nsec,
23876 * passed in the event handler's argument to the zone apex.
23878 * If the zone is not currently capable of supporting an NSEC3
23879 * chain (due to the DNSKEY RRset at the zone apex not existing
23894 rdata.type = zone->privatetype;
23895 rdata.rdclass = zone->rdclass;
23897 &zone->origin, 0, &rdata));
23901 * If we changed anything in the zone, write changes to journal file
23907 CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
23908 zone->updatemethod));
23909 result = dns_update_signatures(&log, zone, db, oldver, newver,
23911 zone->sigvalidityinterval);
23915 CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
23918 LOCK_ZONE(zone);
23919 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
23920 zone_needdump(zone, 30);
23921 UNLOCK_ZONE(zone);
23944 LOCK_ZONE(zone);
23945 resume_addnsec3chain(zone);
23946 UNLOCK_ZONE(zone);
23949 isc_mem_put(zone->mctx, npe, sizeof(*npe));
23956 * Check if zone has NSEC3PARAM (and thus a chain) with the right parameters.
23965 dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
23976 REQUIRE(DNS_ZONE_VALID(zone));
23980 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
23981 if (zone->db != NULL) {
23982 dns_db_attach(zone->db, &db);
23984 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
23990 result = dns_db_findnode(db, &zone->origin, false, &node);
23992 dns_zone_log(zone, ISC_LOG_ERROR,
24007 dns_zone_log(zone, ISC_LOG_ERROR,
24083 dnssec_log(zone, ISC_LOG_INFO, "generated salt: %s",
24122 * the NSEC3 changes requested for the zone:
24127 * signal that the zone should be signed using NSEC instead of NSEC3,
24130 * the zone apex, convert it to a private-type record and store the latter
24133 * Once the nsec3param_t structure is prepared, post an event to the zone's
24138 dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
24152 REQUIRE(DNS_ZONE_VALID(zone));
24154 LOCK_ZONE(zone);
24167 result = dns__zone_lookup_nsec3param(zone, &lookup, ¶m,
24170 UNLOCK_ZONE(zone);
24175 * zone db is NULL for example).
24180 npe = isc_mem_get(zone->mctx, sizeof(*npe));
24194 dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec");
24196 param.common.rdclass = zone->rdclass;
24207 CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
24211 zone->privatetype, np->data,
24224 dnssec_log(zone, ISC_LOG_DEBUG(3),
24234 * setnsec3param() will silently return early if the zone does
24236 * up if zone->db is NULL. All events queued here are
24241 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
24242 if (zone->db != NULL) {
24243 zone_iattach(zone, &npe->zone);
24244 isc_async_run(zone->loop, setnsec3param, npe);
24246 ISC_LIST_APPEND(zone->setnsec3param_queue, npe, link);
24248 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
24253 UNLOCK_ZONE(zone);
24258 dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime) {
24259 REQUIRE(DNS_ZONE_VALID(zone));
24262 LOCK_ZONE(zone);
24263 *loadtime = zone->loadtime;
24264 UNLOCK_ZONE(zone);
24269 dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime) {
24270 REQUIRE(DNS_ZONE_VALID(zone));
24273 LOCK_ZONE(zone);
24274 *expiretime = zone->expiretime;
24275 UNLOCK_ZONE(zone);
24280 dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime) {
24281 REQUIRE(DNS_ZONE_VALID(zone));
24284 LOCK_ZONE(zone);
24285 *refreshtime = zone->refreshtime;
24286 UNLOCK_ZONE(zone);
24291 dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime) {
24292 REQUIRE(DNS_ZONE_VALID(zone));
24295 LOCK_ZONE(zone);
24296 *refreshkeytime = zone->refreshkeytime;
24297 UNLOCK_ZONE(zone);
24302 dns_zone_getincludes(dns_zone_t *zone, char ***includesp) {
24307 REQUIRE(DNS_ZONE_VALID(zone));
24310 LOCK_ZONE(zone);
24311 if (zone->nincludes == 0) {
24315 array = isc_mem_allocate(zone->mctx, sizeof(char *) * zone->nincludes);
24316 for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
24319 INSIST(n < zone->nincludes);
24320 array[n++] = isc_mem_strdup(zone->mctx, include->name);
24322 INSIST(n == zone->nincludes);
24326 UNLOCK_ZONE(zone);
24331 dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) {
24332 REQUIRE(DNS_ZONE_VALID(zone));
24334 zone->statlevel = level;
24338 dns_zone_getstatlevel(dns_zone_t *zone) {
24339 REQUIRE(DNS_ZONE_VALID(zone));
24341 return zone->statlevel;
24353 dns_zone_t *zone = sse->zone;
24357 INSIST(DNS_ZONE_VALID(zone));
24361 if (zone->update_disabled) {
24367 dns_diff_init(zone->mctx, &diff);
24369 ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
24370 if (zone->db != NULL) {
24371 dns_db_attach(zone->db, &db);
24373 ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
24381 dns_zone_log(zone, ISC_LOG_ERROR,
24398 dns_zone_log(zone, ISC_LOG_INFO,
24410 result = dns_update_signatures(&log, zone, db, oldver, newver, &diff,
24411 zone->sigvalidityinterval);
24417 CHECK(zone_journal(zone, &diff, NULL, "setserial"));
24420 LOCK_ZONE(zone);
24421 zone_needdump(zone, 30);
24422 UNLOCK_ZONE(zone);
24443 isc_mem_put(zone->mctx, sse, sizeof(*sse));
24444 dns_zone_idetach(&zone);
24451 dns_zone_setserial(dns_zone_t *zone, uint32_t serial) {
24455 REQUIRE(DNS_ZONE_VALID(zone));
24457 LOCK_ZONE(zone);
24459 if (!inline_secure(zone)) {
24460 if (!dns_zone_isdynamic(zone, true)) {
24466 if (zone->update_disabled) {
24471 sse = isc_mem_get(zone->mctx, sizeof(*sse));
24473 zone_iattach(zone, &sse->zone);
24474 isc_async_run(zone->loop, setserial, sse);
24477 UNLOCK_ZONE(zone);
24482 dns_zone_getgluecachestats(dns_zone_t *zone) {
24483 REQUIRE(DNS_ZONE_VALID(zone));
24485 return zone->gluecachestats;
24489 dns_zone_isloaded(dns_zone_t *zone) {
24490 REQUIRE(DNS_ZONE_VALID(zone));
24492 return DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED);
24496 dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
24502 REQUIRE(DNS_ZONE_VALID(zone));
24507 if (dns_zone_gettype(zone) != dns_zone_mirror) {
24517 if (zone->view != NULL) {
24518 result = dns_view_getsecroots(zone->view, &secroots);
24525 result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
24526 zone->mctx, true, false, dnssec_report);
24538 dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s",
24547 zone_nsecttl(dns_zone_t *zone) {
24548 REQUIRE(DNS_ZONE_VALID(zone));
24550 return ISC_MIN(zone->minimum, zone->soattl);
24584 dns_zone_getmem(dns_zone_t *zone) {
24585 return zone->mctx;
24589 dns_zone_gettid(dns_zone_t *zone) {
24590 return zone->tid;
24594 dns_zone_getloop(dns_zone_t *zone) {
24595 return zone->loop;
24599 dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) {
24600 REQUIRE(DNS_ZONE_VALID(zone));
24606 zone->mctx, zone->db_argv[0], &zone->origin,
24607 (zone->type == dns_zone_stub) ? dns_dbtype_stub
24609 zone->rdclass, zone->db_argc - 1, zone->db_argv + 1, &db);
24614 switch (zone->type) {
24618 result = dns_db_setgluecachestats(db, zone->gluecachestats);
24631 dns_db_setloop(db, zone->loop);
24632 dns_db_setmaxrrperset(db, zone->maxrrperset);
24633 dns_db_setmaxtypepername(db, zone->maxtypepername);
24641 dns_zone_import_skr(dns_zone_t *zone, const char *file) {
24645 REQUIRE(DNS_ZONE_VALID(zone));
24646 REQUIRE(zone->kasp != NULL);
24649 dns_skr_create(zone->mctx, file, &zone->origin, zone->rdclass, &skr);
24651 CHECK(dns_skr_read(zone->mctx, file, &zone->origin, zone->rdclass,
24652 dns_kasp_dnskeyttl(zone->kasp), &skr));
24654 dns_zone_setskr(zone, skr);
24655 dnssec_log(zone, ISC_LOG_DEBUG(1), "imported skr file %s", file);