xref: /openbsd-src/usr.sbin/nsd/axfr.c (revision b71395ea3d4830c6fd338870b804059761b8292d)

/*
 * axfr.c -- generating AXFR responses.
 *
 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 */

#include "config.h"

#include "axfr.h"
#include "dns.h"
#include "packet.h"
#include "options.h"
#include "ixfr.h"

/* draft-ietf-dnsop-rfc2845bis-06, section 5.3.1 says to sign every packet */
#define AXFR_TSIG_SIGN_EVERY_NTH	0	/* tsig sign every N packets. */

query_state_type
query_axfr(struct nsd *nsd, struct query *query, int wstats)
{
	domain_type *closest_match;
	domain_type *closest_encloser;
	int exact;
	int added;
	uint16_t total_added = 0;

	if (query->axfr_is_done)
		return QUERY_PROCESSED;

	if (query->maxlen > AXFR_MAX_MESSAGE_LEN)
		query->maxlen = AXFR_MAX_MESSAGE_LEN;

	assert(!query_overflow(query));
	/* only keep running values for most packets */
	query->tsig_prepare_it = 0;
	query->tsig_update_it = 1;
	if(query->tsig_sign_it) {
		/* prepare for next updates */
		query->tsig_prepare_it = 1;
		query->tsig_sign_it = 0;
	}

	if (query->axfr_zone == NULL) {
		domain_type* qdomain;
		/* Start AXFR.  */
		if(wstats) {
			STATUP(nsd, raxfr);
		}
		exact = namedb_lookup(nsd->db,
				      query->qname,
				      &closest_match,
				      &closest_encloser);

		qdomain = closest_encloser;
		query->axfr_zone = domain_find_zone(nsd->db, closest_encloser);

		if (!exact
		    || query->axfr_zone == NULL
		    || query->axfr_zone->apex != qdomain
		    || query->axfr_zone->soa_rrset == NULL)
		{
			/* No SOA no transfer */
			RCODE_SET(query->packet, RCODE_NOTAUTH);
			return QUERY_PROCESSED;
		}
		if(wstats) {
			ZTATUP(nsd, query->axfr_zone, raxfr);
		}

		query->axfr_current_domain = qdomain;
		query->axfr_current_rrset = NULL;
		query->axfr_current_rr = 0;
		if(query->tsig.status == TSIG_OK) {
			query->tsig_sign_it = 1; /* sign first packet in stream */
		}

		query_add_compression_domain(query, qdomain, QHEADERSZ);

		assert(query->axfr_zone->soa_rrset->rr_count == 1);
		added = packet_encode_rr(query,
					 query->axfr_zone->apex,
					 &query->axfr_zone->soa_rrset->rrs[0],
					 query->axfr_zone->soa_rrset->rrs[0].ttl);
		if (!added) {
			/* XXX: This should never happen... generate error code? */
			abort();
		}
		++total_added;
	} else {
		/*
		 * Query name and EDNS need not be repeated after the
		 * first response packet.
		 */
		query->edns.status = EDNS_NOT_PRESENT;
		buffer_set_limit(query->packet, QHEADERSZ);
		QDCOUNT_SET(query->packet, 0);
		query_prepare_response(query);
	}

	/* Add zone RRs until answer is full.  */
	while (query->axfr_current_domain != NULL &&
			domain_is_subdomain(query->axfr_current_domain,
					    query->axfr_zone->apex))
	{
		if (!query->axfr_current_rrset) {
			query->axfr_current_rrset = domain_find_any_rrset(
				query->axfr_current_domain,
				query->axfr_zone);
			query->axfr_current_rr = 0;
		}
		while (query->axfr_current_rrset) {
			if (query->axfr_current_rrset != query->axfr_zone->soa_rrset
			    && query->axfr_current_rrset->zone == query->axfr_zone)
			{
				while (query->axfr_current_rr < query->axfr_current_rrset->rr_count) {
					size_t oldmaxlen = query->maxlen;
					if(total_added == 0)
						/* RR > 16K can be first RR */
						query->maxlen = (query->tcp?TCP_MAX_MESSAGE_LEN:UDP_MAX_MESSAGE_LEN);
					added = packet_encode_rr(
						query,
						query->axfr_current_domain,
						&query->axfr_current_rrset->rrs[query->axfr_current_rr],
						query->axfr_current_rrset->rrs[query->axfr_current_rr].ttl);
					if(total_added == 0) {
						query->maxlen = oldmaxlen;
						if(query_overflow(query)) {
							if(added) {
								++total_added;
								++query->axfr_current_rr;
								goto return_answer;
							}
						}
					}
					if (!added)
						goto return_answer;
					++total_added;
					++query->axfr_current_rr;
				}
			}

			query->axfr_current_rrset = query->axfr_current_rrset->next;
			query->axfr_current_rr = 0;
		}
		assert(query->axfr_current_domain);
		query->axfr_current_domain
			= domain_next(query->axfr_current_domain);
	}

	/* Add terminating SOA RR.  */
	assert(query->axfr_zone->soa_rrset->rr_count == 1);
	added = packet_encode_rr(query,
				 query->axfr_zone->apex,
				 &query->axfr_zone->soa_rrset->rrs[0],
				 query->axfr_zone->soa_rrset->rrs[0].ttl);
	if (added) {
		++total_added;
		query->tsig_sign_it = 1; /* sign last packet */
		query->axfr_is_done = 1;
	}

return_answer:
	AA_SET(query->packet);
	ANCOUNT_SET(query->packet, total_added);
	NSCOUNT_SET(query->packet, 0);
	ARCOUNT_SET(query->packet, 0);

	/* check if it needs tsig signatures */
	if(query->tsig.status == TSIG_OK) {
#if AXFR_TSIG_SIGN_EVERY_NTH > 0
		if(query->tsig.updates_since_last_prepare >= AXFR_TSIG_SIGN_EVERY_NTH) {
#endif
			query->tsig_sign_it = 1;
#if AXFR_TSIG_SIGN_EVERY_NTH > 0
		}
#endif
	}
	query_clear_compression_tables(query);
	return QUERY_IN_AXFR;
}

/* See if the query can be admitted. */
static int axfr_ixfr_can_admit_query(struct nsd* nsd, struct query* q)
{
	struct acl_options *acl = NULL;
	struct zone_options* zone_opt;
	zone_opt = zone_options_find(nsd->options, q->qname);
	if(zone_opt && q->is_proxied && acl_check_incoming_block_proxy(
		zone_opt->pattern->provide_xfr, q, &acl) == -1) {
		/* the proxy address is blocked */
		if (verbosity >= 2) {
			char address[128], proxy[128];
			addr2str(&q->client_addr, address, sizeof(address));
			addr2str(&q->remote_addr, proxy, sizeof(proxy));
			VERBOSITY(2, (LOG_INFO, "%s for %s from %s via proxy %s refused because of proxy, %s %s",
				(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
				dname_to_string(q->qname, NULL),
				address, proxy,
				(acl?acl->ip_address_spec:"."),
				(acl ? ( acl->nokey    ? "NOKEY"
				      : acl->blocked  ? "BLOCKED"
				      : acl->key_name )
				    : "no acl matches")));
		}
		RCODE_SET(q->packet, RCODE_REFUSE);
		/* RFC8914 - Extended DNS Errors
		 * 4.19.  Extended DNS Error Code 18 - Prohibited */
		q->edns.ede = EDE_PROHIBITED;
		return 0;
	}
	if(!zone_opt ||
	   acl_check_incoming(zone_opt->pattern->provide_xfr, q, &acl)==-1)
	{
		if (verbosity >= 2) {
			char a[128];
			addr2str(&q->client_addr, a, sizeof(a));
			VERBOSITY(2, (LOG_INFO, "%s for %s from %s refused, %s",
				(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
				dname_to_string(q->qname, NULL), a, acl?"blocked":"no acl matches"));
		}
		DEBUG(DEBUG_XFRD,1, (LOG_INFO, "%s refused, %s",
			(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
			acl?"blocked":"no acl matches"));
		if (!zone_opt) {
			RCODE_SET(q->packet, RCODE_NOTAUTH);
		} else {
			RCODE_SET(q->packet, RCODE_REFUSE);
			/* RFC8914 - Extended DNS Errors
			 * 4.19.  Extended DNS Error Code 18 - Prohibited */
			q->edns.ede = EDE_PROHIBITED;
		}
		return 0;
	}
	DEBUG(DEBUG_XFRD,1, (LOG_INFO, "%s admitted acl %s %s",
		(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
		acl->ip_address_spec, acl->key_name?acl->key_name:"NOKEY"));
	if (verbosity >= 1) {
		char a[128];
		addr2str(&q->client_addr, a, sizeof(a));
		VERBOSITY(1, (LOG_INFO, "%s for %s from %s",
			(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
			dname_to_string(q->qname, NULL), a));
	}
	return 1;
}

/*
 * Answer if this is an AXFR or IXFR query.
 */
query_state_type
answer_axfr_ixfr(struct nsd *nsd, struct query *q)
{
	/* Is it AXFR? */
	switch (q->qtype) {
	case TYPE_AXFR:
		if (q->tcp) {
			if(!axfr_ixfr_can_admit_query(nsd, q))
				return QUERY_PROCESSED;
			return query_axfr(nsd, q, 1);
		}
		/* AXFR over UDP queries are discarded. */
		RCODE_SET(q->packet, RCODE_IMPL);
		return QUERY_PROCESSED;
	case TYPE_IXFR:
		if(!axfr_ixfr_can_admit_query(nsd, q)) {
			/* get rid of authority section, if present */
			NSCOUNT_SET(q->packet, 0);
			ARCOUNT_SET(q->packet, 0);
			if(QDCOUNT(q->packet) > 0 && (size_t)QHEADERSZ+4+
				q->qname->name_size <= buffer_limit(q->packet)) {
				buffer_set_position(q->packet, QHEADERSZ+4+
					q->qname->name_size);
			}
			return QUERY_PROCESSED;
		}
		return query_ixfr(nsd, q);
	default:
		return QUERY_DISCARDED;
	}
}