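/*	$NetBSD: rpz.h,v 1.8 2015/07/08 17:28:59 christos Exp $	*/

/*
 * Copyright (C) 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* Id */


#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1

/*
 * Response policy zone (RPZ) types shared between the zone loader and the
 * query path: trigger and policy enumerations, per-zone and per-view
 * bookkeeping, the per-query rewrite state, and the public entry points.
 */

#include <isc/lang.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>

#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>

ISC_LANG_BEGINDECLS

/*
 * Every reserved RPZ name below is built from this prefix.
 */
#define DNS_RPZ_PREFIX		"rpz-"
/*
 * Sub-zones of various trigger types.
 */
#define DNS_RPZ_CLIENT_IP_ZONE	DNS_RPZ_PREFIX"client-ip"
#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
/*
 * Special policies.
 */
#define DNS_RPZ_PASSTHRU_NAME	DNS_RPZ_PREFIX"passthru"
#define DNS_RPZ_DROP_NAME	DNS_RPZ_PREFIX"drop"
#define DNS_RPZ_TCP_ONLY_NAME	DNS_RPZ_PREFIX"tcp-only"


/*
 * Address prefix length of an IP trigger; presumably the CIDR length
 * reported by dns_rpz_find_ip() -- confirm in the implementation.
 */
typedef isc_uint8_t		dns_rpz_prefix_t;

/*
 * Trigger types.  DNS_RPZ_TYPE_BAD is 0 so a zeroed state is "no type".
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_CLIENT_IP,
	DNS_RPZ_TYPE_QNAME,
	DNS_RPZ_TYPE_IP,
	DNS_RPZ_TYPE_NSDNAME,
	DNS_RPZ_TYPE_NSIP
} dns_rpz_type_t;

/*
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP
 * < DNS_RPZ_POLICY_TCP_ONLY < DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA
 * < DNS_RPZ_POLICY_CNAME to choose among competing policies.
 * The explicit values below pin that ordering; the unnumbered members
 * that follow are not chosen by comparison.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* log what would have happened */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_DROP = 3,	/* 'drop': do not respond */
	DNS_RPZ_POLICY_TCP_ONLY = 4,	/* 'tcp-only': answer UDP with TC=1 */
	DNS_RPZ_POLICY_NXDOMAIN = 5,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 6,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 7,	/* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_RECORD,
	DNS_RPZ_POLICY_WILDCNAME,
	DNS_RPZ_POLICY_MISS,
	DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;

/*
 * Ordinal of a policy zone in the view's list (see dns_rpz_zone.num).
 */
typedef isc_uint8_t	dns_rpz_num_t;

/*
 * Policy zones are addressed by bit masks, so the limit is tied to the
 * width of dns_rpz_zbits_t; the #error below keeps the two in step.
 */
#define DNS_RPZ_MAX_ZONES   32
#if DNS_RPZ_MAX_ZONES > 32
# if DNS_RPZ_MAX_ZONES > 64
#  error "rpz zone bit masks must fit in a word"
# endif
typedef isc_uint64_t	    dns_rpz_zbits_t;
#else
typedef isc_uint32_t	    dns_rpz_zbits_t;
#endif

#define DNS_RPZ_ALL_ZBITS   ((dns_rpz_zbits_t)-1)

/*
 * One past the largest valid ordinal; usable as an out-of-range sentinel.
 */
#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES

/*
 * Bit for the policy zone with ordinal n.  The shift is performed in the
 * unsigned mask type, never in int.
 */
#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))

/*
 * DNS_RPZ_ZMASK(n) has bits 0..n set: the specified policy zone together
 * with every lower-numbered one, or every zone once n is the last ordinal
 * (that special case also avoids hassles with (1<<33) or (1<<65)).
 * The shift goes through DNS_RPZ_ZBIT() so it is computed in
 * dns_rpz_zbits_t: the former "(1<<((n)+1))" shifted a plain int, which
 * overflows for n == 30 and can never yield a 64-bit mask.
 * NOTE(review): the previous comment described this as "the specified and
 * higher numbered policy zones"; the value is bits 0..n -- confirm the
 * intended reading against the callers.
 */
#define DNS_RPZ_ZMASK(n) (((n) >= DNS_RPZ_MAX_ZONES-1) ? DNS_RPZ_ALL_ZBITS : \
			  (dns_rpz_zbits_t)(DNS_RPZ_ZBIT((n)+1) - 1))

/*
 * The trigger counter type.
 */
typedef size_t dns_rpz_trigger_counter_t;

/*
 * The number of triggers of each type in a response policy zone.
 */
typedef struct dns_rpz_triggers dns_rpz_triggers_t;
struct dns_rpz_triggers {
	dns_rpz_trigger_counter_t client_ipv4;
	dns_rpz_trigger_counter_t client_ipv6;
	dns_rpz_trigger_counter_t qname;
	dns_rpz_trigger_counter_t ipv4;
	dns_rpz_trigger_counter_t ipv6;
	dns_rpz_trigger_counter_t nsdname;
	dns_rpz_trigger_counter_t nsipv4;
	dns_rpz_trigger_counter_t nsipv6;
};

/*
 * A single response policy zone.
 * The dns_name_t members are the reserved names listed above, qualified
 * by this zone's origin, so the query path can compare against them.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;
struct dns_rpz_zone {
	isc_refcount_t	 refs;
	dns_rpz_num_t	 num;	/* ordinal in list of policy zones */
	dns_name_t	 origin; /* Policy zone name */
	dns_name_t	 client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
	dns_name_t	 ip;	/* DNS_RPZ_IP_ZONE.origin. */
	dns_name_t	 nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t	 nsip;	/* DNS_RPZ_NSIP_ZONE.origin. */
	dns_name_t	 passthru; /* DNS_RPZ_PASSTHRU_NAME. */
	dns_name_t	 drop;	/* DNS_RPZ_DROP_NAME. */
	dns_name_t	 tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */
	dns_name_t	 cname;	/* override value for ..._CNAME */
	dns_ttl_t	 max_policy_ttl; /* cap on TTLs of rewritten answers
					  * (presumably; see *_TTL_DEFAULT) */
	dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
};

/*
 * Radix tree node for response policy IP addresses
 * (opaque here; defined by the implementation).
 */
typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;

/*
 * Bitfields indicating which policy zones have policies of
 * which type.  Each member is a dns_rpz_zbits_t mask indexed by
 * DNS_RPZ_ZBIT(zone ordinal).
 */
typedef struct dns_rpz_have dns_rpz_have_t;
struct dns_rpz_have {
	dns_rpz_zbits_t	    client_ipv4;
	dns_rpz_zbits_t	    client_ipv6;
	dns_rpz_zbits_t	    client_ip;
	dns_rpz_zbits_t	    qname;
	dns_rpz_zbits_t	    ipv4;
	dns_rpz_zbits_t	    ipv6;
	dns_rpz_zbits_t	    ip;
	dns_rpz_zbits_t	    nsdname;
	dns_rpz_zbits_t	    nsipv4;
	dns_rpz_zbits_t	    nsipv6;
	dns_rpz_zbits_t	    nsip;
	dns_rpz_zbits_t	    qname_skip_recurse;
};

/*
 * Policy options
 */
typedef struct dns_rpz_popt dns_rpz_popt_t;
struct dns_rpz_popt {
	dns_rpz_zbits_t	    no_rd_ok;	/* zone mask; presumably zones that
					 * may rewrite queries without RD */
	isc_boolean_t	    break_dnssec;
	isc_boolean_t	    qname_wait_recurse;
	unsigned int	    min_ns_labels;
	dns_rpz_num_t	    num_zones;	/* zones in use, <= DNS_RPZ_MAX_ZONES */
};

/*
 * Response policy zones known to a view.
 */
typedef struct dns_rpz_zones dns_rpz_zones_t;
struct dns_rpz_zones {
	dns_rpz_popt_t		p;
	dns_rpz_zone_t		*zones[DNS_RPZ_MAX_ZONES];
	dns_rpz_triggers_t	triggers[DNS_RPZ_MAX_ZONES];

	/*
	 * RPZ policy version number (initially 0, increases whenever
	 * the server is reconfigured with new zones or policy)
	 */
	int			rpz_ver;

	dns_rpz_zbits_t		defined;	/* zone mask of configured zones */

	/*
	 * The set of records for a policy zone are in one of these states:
	 *	never loaded		    load_begun=0  have=0
	 *	during initial loading	    load_begun=1  have=0
	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
	 *	after good load		    load_begun=1  have!=0
	 *	after failed initial load   load_begun=1  have=0
	 *				and rbtdb->load_rpzsp == NULL
	 *	reloading after failure	    load_begun=1  have=0
	 *	reloading after success
	 *	    main rpzs		    load_begun=1  have!=0
	 *	    load rpzs		    load_begun=1  have=0
	 */
	dns_rpz_zbits_t		load_begun;
	dns_rpz_have_t		have;

	/*
	 * total_triggers maintains the total number of triggers in all
	 * policy zones in the view.  It is only used to print summary
	 * statistics after a zone load of how the trigger counts
	 * changed.
	 */
	dns_rpz_triggers_t	total_triggers;

	isc_mem_t		*mctx;
	isc_refcount_t		refs;
	/*
	 * One lock for short term read-only search that guarantees the
	 * consistency of the pointers.
	 * A second lock for maintenance that guarantees no other thread
	 * is adding or deleting nodes.
	 */
	isc_rwlock_t		search_lock;
	isc_mutex_t		maint_lock;

	dns_rpz_cidr_node_t	*cidr;	/* IP address triggers */
	dns_rbt_t		*rbt;	/* name triggers */
};


/*
 * context for finding the best policy
 */
typedef struct {
	unsigned int		state;	/* OR of the DNS_RPZ_* bits below */
# define DNS_RPZ_REWRITTEN	0x0001
# define DNS_RPZ_DONE_CLIENT_IP	0x0002	/* client IP address checked */
# define DNS_RPZ_DONE_QNAME	0x0004	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP	0x0008	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME	0x0010	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4	0x0020
# define DNS_RPZ_RECURSING	0x0040
# define DNS_RPZ_ACTIVE		0x0080
	/*
	 * Best match so far.
	 */
	struct {
		dns_rpz_type_t		type;
		dns_rpz_zone_t		*rpz;
		dns_rpz_prefix_t	prefix;
		dns_rpz_policy_t	policy;
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbversion_t		*version;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int		label;
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;
		dns_rdatatype_t		r_type;
		isc_result_t		r_result;
		dns_rdataset_t		*r_rdataset;
	} r;

	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;

	/*
	 * A copy of the 'have' and 'p' structures and the RPZ
	 * policy version as of the beginning of RPZ processing,
	 * used to avoid problems when policy is updated while
	 * RPZ recursion is ongoing.
	 */
	dns_rpz_have_t		have;
	dns_rpz_popt_t		popt;
	int			rpz_ver;

	/*
	 * p_name: current policy owner name
	 * r_name: recursing for this name to possible policy triggers
	 * fname:  saved found name from before recursion
	 * The _*namef members are the fixed-size storage the pointers
	 * above refer into.
	 */
	dns_name_t		*p_name;
	dns_name_t		*r_name;
	dns_name_t		*fname;
	dns_fixedname_t		_p_namef;
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;

#define DNS_RPZ_TTL_DEFAULT		5
#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT

/*
 * So various response policy zone messages can be turned up or down.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)

/*
 * String form of a trigger type (for logging).
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword ('given', 'passthru', ...) into a dns_rpz_policy_t;
 * presumably returns DNS_RPZ_POLICY_ERROR for unknown text -- confirm in
 * the implementation.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * String form of a policy value.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Decide which policy a CNAME rdataset from 'rpz' encodes (the special
 * DNS_RPZ_*_NAME targets versus an ordinary 'cname x' rewrite).
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);

/*
 * Allocate an empty dns_rpz_zones_t from 'mctx' into *rpzsp.
 */
isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx);

/*
 * Reference counting for dns_rpz_zones_t (see its 'refs' member).
 */
void
dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);

void
dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);

/*
 * Start loading policy zone 'rpz_num': builds the separate "load" copy
 * referred to as load_rpzsp in the dns_rpz_zones state table above.
 */
isc_result_t
dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
		  dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);

/*
 * Finish a load begun with dns_rpz_beginload(), making the loaded
 * triggers for 'rpz_num' visible in 'rpzs'.
 */
isc_result_t
dns_rpz_ready(dns_rpz_zones_t *rpzs,
	      dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num);

/*
 * Add or remove the trigger owned by 'name' in policy zone 'rpz_num'.
 */
isc_result_t
dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);

void
dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);

/*
 * Look up 'netaddr' among the IP triggers of type 'rpz_type' in the zones
 * selected by 'zbits'; fills in the matching trigger name and prefix length
 * and returns the matching zone's ordinal (presumably DNS_RPZ_INVALID_NUM
 * on no match -- confirm in the implementation).
 */
dns_rpz_num_t
dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);

/*
 * Look up 'trig_name' among the name triggers of type 'rpz_type' in the
 * zones selected by 'zbits'; returns the mask of zones that have it.
 */
dns_rpz_zbits_t
dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);

ISC_LANG_ENDDECLS

#endif /* DNS_RPZ_H */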