1*00b67f09SDavid van Moolenbroek /* $NetBSD: update.c,v 1.11 2015/07/08 17:28:55 christos Exp $ */
2*00b67f09SDavid van Moolenbroek
3*00b67f09SDavid van Moolenbroek /*
4*00b67f09SDavid van Moolenbroek * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
5*00b67f09SDavid van Moolenbroek * Copyright (C) 1999-2003 Internet Software Consortium.
6*00b67f09SDavid van Moolenbroek *
7*00b67f09SDavid van Moolenbroek * Permission to use, copy, modify, and/or distribute this software for any
8*00b67f09SDavid van Moolenbroek * purpose with or without fee is hereby granted, provided that the above
9*00b67f09SDavid van Moolenbroek * copyright notice and this permission notice appear in all copies.
10*00b67f09SDavid van Moolenbroek *
11*00b67f09SDavid van Moolenbroek * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12*00b67f09SDavid van Moolenbroek * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13*00b67f09SDavid van Moolenbroek * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14*00b67f09SDavid van Moolenbroek * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15*00b67f09SDavid van Moolenbroek * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16*00b67f09SDavid van Moolenbroek * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17*00b67f09SDavid van Moolenbroek * PERFORMANCE OF THIS SOFTWARE.
18*00b67f09SDavid van Moolenbroek */
19*00b67f09SDavid van Moolenbroek
20*00b67f09SDavid van Moolenbroek /* Id: update.c,v 1.199 2011/12/22 07:32:40 each Exp */
21*00b67f09SDavid van Moolenbroek
22*00b67f09SDavid van Moolenbroek #include <config.h>
23*00b67f09SDavid van Moolenbroek
24*00b67f09SDavid van Moolenbroek #include <isc/netaddr.h>
25*00b67f09SDavid van Moolenbroek #include <isc/print.h>
26*00b67f09SDavid van Moolenbroek #include <isc/serial.h>
27*00b67f09SDavid van Moolenbroek #include <isc/stats.h>
28*00b67f09SDavid van Moolenbroek #include <isc/string.h>
29*00b67f09SDavid van Moolenbroek #include <isc/taskpool.h>
30*00b67f09SDavid van Moolenbroek #include <isc/util.h>
31*00b67f09SDavid van Moolenbroek
32*00b67f09SDavid van Moolenbroek #include <dns/db.h>
33*00b67f09SDavid van Moolenbroek #include <dns/dbiterator.h>
34*00b67f09SDavid van Moolenbroek #include <dns/diff.h>
35*00b67f09SDavid van Moolenbroek #include <dns/dnssec.h>
36*00b67f09SDavid van Moolenbroek #include <dns/events.h>
37*00b67f09SDavid van Moolenbroek #include <dns/fixedname.h>
38*00b67f09SDavid van Moolenbroek #include <dns/journal.h>
39*00b67f09SDavid van Moolenbroek #include <dns/keyvalues.h>
40*00b67f09SDavid van Moolenbroek #include <dns/message.h>
41*00b67f09SDavid van Moolenbroek #include <dns/nsec.h>
42*00b67f09SDavid van Moolenbroek #include <dns/nsec3.h>
43*00b67f09SDavid van Moolenbroek #include <dns/private.h>
44*00b67f09SDavid van Moolenbroek #include <dns/rdataclass.h>
45*00b67f09SDavid van Moolenbroek #include <dns/rdataset.h>
46*00b67f09SDavid van Moolenbroek #include <dns/rdatasetiter.h>
47*00b67f09SDavid van Moolenbroek #include <dns/rdatastruct.h>
48*00b67f09SDavid van Moolenbroek #include <dns/rdatatype.h>
49*00b67f09SDavid van Moolenbroek #include <dns/soa.h>
50*00b67f09SDavid van Moolenbroek #include <dns/ssu.h>
51*00b67f09SDavid van Moolenbroek #include <dns/tsig.h>
52*00b67f09SDavid van Moolenbroek #include <dns/update.h>
53*00b67f09SDavid van Moolenbroek #include <dns/view.h>
54*00b67f09SDavid van Moolenbroek #include <dns/zone.h>
55*00b67f09SDavid van Moolenbroek #include <dns/zt.h>
56*00b67f09SDavid van Moolenbroek
57*00b67f09SDavid van Moolenbroek #include <named/client.h>
58*00b67f09SDavid van Moolenbroek #include <named/log.h>
59*00b67f09SDavid van Moolenbroek #include <named/server.h>
60*00b67f09SDavid van Moolenbroek #include <named/update.h>
61*00b67f09SDavid van Moolenbroek
62*00b67f09SDavid van Moolenbroek #include "pfilter.h"
63*00b67f09SDavid van Moolenbroek
64*00b67f09SDavid van Moolenbroek /*! \file
65*00b67f09SDavid van Moolenbroek * \brief
66*00b67f09SDavid van Moolenbroek * This module implements dynamic update as in RFC2136.
67*00b67f09SDavid van Moolenbroek */
68*00b67f09SDavid van Moolenbroek
69*00b67f09SDavid van Moolenbroek /*
70*00b67f09SDavid van Moolenbroek * XXX TODO:
71*00b67f09SDavid van Moolenbroek * - document strict minimality
72*00b67f09SDavid van Moolenbroek */
73*00b67f09SDavid van Moolenbroek
74*00b67f09SDavid van Moolenbroek /**************************************************************************/
75*00b67f09SDavid van Moolenbroek
76*00b67f09SDavid van Moolenbroek /*%
77*00b67f09SDavid van Moolenbroek * Log level for tracing dynamic update protocol requests.
78*00b67f09SDavid van Moolenbroek */
79*00b67f09SDavid van Moolenbroek #define LOGLEVEL_PROTOCOL ISC_LOG_INFO
80*00b67f09SDavid van Moolenbroek
81*00b67f09SDavid van Moolenbroek /*%
82*00b67f09SDavid van Moolenbroek * Log level for low-level debug tracing.
83*00b67f09SDavid van Moolenbroek */
84*00b67f09SDavid van Moolenbroek #define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
85*00b67f09SDavid van Moolenbroek
86*00b67f09SDavid van Moolenbroek /*%
87*00b67f09SDavid van Moolenbroek * Check an operation for failure. These macros all assume that
88*00b67f09SDavid van Moolenbroek * the function using them has a 'result' variable and a 'failure'
89*00b67f09SDavid van Moolenbroek * label.
90*00b67f09SDavid van Moolenbroek */
91*00b67f09SDavid van Moolenbroek #define CHECK(op) \
92*00b67f09SDavid van Moolenbroek do { result = (op); \
93*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
94*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
95*00b67f09SDavid van Moolenbroek
96*00b67f09SDavid van Moolenbroek /*%
97*00b67f09SDavid van Moolenbroek * Fail unconditionally with result 'code', which must not
98*00b67f09SDavid van Moolenbroek * be ISC_R_SUCCESS. The reason for failure presumably has
99*00b67f09SDavid van Moolenbroek * been logged already.
100*00b67f09SDavid van Moolenbroek *
101*00b67f09SDavid van Moolenbroek * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
102*00b67f09SDavid van Moolenbroek * from complaining about "end-of-loop code not reached".
103*00b67f09SDavid van Moolenbroek */
104*00b67f09SDavid van Moolenbroek
105*00b67f09SDavid van Moolenbroek #define FAIL(code) \
106*00b67f09SDavid van Moolenbroek do { \
107*00b67f09SDavid van Moolenbroek result = (code); \
108*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
109*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
110*00b67f09SDavid van Moolenbroek
111*00b67f09SDavid van Moolenbroek /*%
112*00b67f09SDavid van Moolenbroek * Fail unconditionally and log as a client error.
113*00b67f09SDavid van Moolenbroek * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
114*00b67f09SDavid van Moolenbroek * from complaining about "end-of-loop code not reached".
115*00b67f09SDavid van Moolenbroek */
116*00b67f09SDavid van Moolenbroek #define FAILC(code, msg) \
117*00b67f09SDavid van Moolenbroek do { \
118*00b67f09SDavid van Moolenbroek const char *_what = "failed"; \
119*00b67f09SDavid van Moolenbroek result = (code); \
120*00b67f09SDavid van Moolenbroek switch (result) { \
121*00b67f09SDavid van Moolenbroek case DNS_R_NXDOMAIN: \
122*00b67f09SDavid van Moolenbroek case DNS_R_YXDOMAIN: \
123*00b67f09SDavid van Moolenbroek case DNS_R_YXRRSET: \
124*00b67f09SDavid van Moolenbroek case DNS_R_NXRRSET: \
125*00b67f09SDavid van Moolenbroek _what = "unsuccessful"; \
126*00b67f09SDavid van Moolenbroek } \
127*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL, \
128*00b67f09SDavid van Moolenbroek "update %s: %s (%s)", _what, \
129*00b67f09SDavid van Moolenbroek msg, isc_result_totext(result)); \
130*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
131*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
132*00b67f09SDavid van Moolenbroek #define PREREQFAILC(code, msg) \
133*00b67f09SDavid van Moolenbroek do { \
134*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
135*00b67f09SDavid van Moolenbroek FAILC(code, msg); \
136*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
137*00b67f09SDavid van Moolenbroek
138*00b67f09SDavid van Moolenbroek #define FAILN(code, name, msg) \
139*00b67f09SDavid van Moolenbroek do { \
140*00b67f09SDavid van Moolenbroek const char *_what = "failed"; \
141*00b67f09SDavid van Moolenbroek result = (code); \
142*00b67f09SDavid van Moolenbroek switch (result) { \
143*00b67f09SDavid van Moolenbroek case DNS_R_NXDOMAIN: \
144*00b67f09SDavid van Moolenbroek case DNS_R_YXDOMAIN: \
145*00b67f09SDavid van Moolenbroek case DNS_R_YXRRSET: \
146*00b67f09SDavid van Moolenbroek case DNS_R_NXRRSET: \
147*00b67f09SDavid van Moolenbroek _what = "unsuccessful"; \
148*00b67f09SDavid van Moolenbroek } \
149*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
150*00b67f09SDavid van Moolenbroek char _nbuf[DNS_NAME_FORMATSIZE]; \
151*00b67f09SDavid van Moolenbroek dns_name_format(name, _nbuf, sizeof(_nbuf)); \
152*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL, \
153*00b67f09SDavid van Moolenbroek "update %s: %s: %s (%s)", _what, _nbuf, \
154*00b67f09SDavid van Moolenbroek msg, isc_result_totext(result)); \
155*00b67f09SDavid van Moolenbroek } \
156*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
157*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
158*00b67f09SDavid van Moolenbroek #define PREREQFAILN(code, name, msg) \
159*00b67f09SDavid van Moolenbroek do { \
160*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
161*00b67f09SDavid van Moolenbroek FAILN(code, name, msg); \
162*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
163*00b67f09SDavid van Moolenbroek
164*00b67f09SDavid van Moolenbroek #define FAILNT(code, name, type, msg) \
165*00b67f09SDavid van Moolenbroek do { \
166*00b67f09SDavid van Moolenbroek const char *_what = "failed"; \
167*00b67f09SDavid van Moolenbroek result = (code); \
168*00b67f09SDavid van Moolenbroek switch (result) { \
169*00b67f09SDavid van Moolenbroek case DNS_R_NXDOMAIN: \
170*00b67f09SDavid van Moolenbroek case DNS_R_YXDOMAIN: \
171*00b67f09SDavid van Moolenbroek case DNS_R_YXRRSET: \
172*00b67f09SDavid van Moolenbroek case DNS_R_NXRRSET: \
173*00b67f09SDavid van Moolenbroek _what = "unsuccessful"; \
174*00b67f09SDavid van Moolenbroek } \
175*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
176*00b67f09SDavid van Moolenbroek char _nbuf[DNS_NAME_FORMATSIZE]; \
177*00b67f09SDavid van Moolenbroek char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
178*00b67f09SDavid van Moolenbroek dns_name_format(name, _nbuf, sizeof(_nbuf)); \
179*00b67f09SDavid van Moolenbroek dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
180*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL, \
181*00b67f09SDavid van Moolenbroek "update %s: %s/%s: %s (%s)", \
182*00b67f09SDavid van Moolenbroek _what, _nbuf, _tbuf, msg, \
183*00b67f09SDavid van Moolenbroek isc_result_totext(result)); \
184*00b67f09SDavid van Moolenbroek } \
185*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
186*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
187*00b67f09SDavid van Moolenbroek #define PREREQFAILNT(code, name, type, msg) \
188*00b67f09SDavid van Moolenbroek do { \
189*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
190*00b67f09SDavid van Moolenbroek FAILNT(code, name, type, msg); \
191*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
192*00b67f09SDavid van Moolenbroek
193*00b67f09SDavid van Moolenbroek /*%
194*00b67f09SDavid van Moolenbroek * Fail unconditionally and log as a server error.
195*00b67f09SDavid van Moolenbroek * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
196*00b67f09SDavid van Moolenbroek * from complaining about "end-of-loop code not reached".
197*00b67f09SDavid van Moolenbroek */
198*00b67f09SDavid van Moolenbroek #define FAILS(code, msg) \
199*00b67f09SDavid van Moolenbroek do { \
200*00b67f09SDavid van Moolenbroek result = (code); \
201*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL, \
202*00b67f09SDavid van Moolenbroek "error: %s: %s", \
203*00b67f09SDavid van Moolenbroek msg, isc_result_totext(result)); \
204*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) goto failure; \
205*00b67f09SDavid van Moolenbroek } while (/*CONSTCOND*/0)
206*00b67f09SDavid van Moolenbroek
207*00b67f09SDavid van Moolenbroek /*
208*00b67f09SDavid van Moolenbroek * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
209*00b67f09SDavid van Moolenbroek */
210*00b67f09SDavid van Moolenbroek #define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
211*00b67f09SDavid van Moolenbroek
212*00b67f09SDavid van Moolenbroek /**************************************************************************/
213*00b67f09SDavid van Moolenbroek
214*00b67f09SDavid van Moolenbroek typedef struct rr rr_t;
215*00b67f09SDavid van Moolenbroek
216*00b67f09SDavid van Moolenbroek struct rr {
217*00b67f09SDavid van Moolenbroek /* dns_name_t name; */
218*00b67f09SDavid van Moolenbroek isc_uint32_t ttl;
219*00b67f09SDavid van Moolenbroek dns_rdata_t rdata;
220*00b67f09SDavid van Moolenbroek };
221*00b67f09SDavid van Moolenbroek
222*00b67f09SDavid van Moolenbroek typedef struct update_event update_event_t;
223*00b67f09SDavid van Moolenbroek
224*00b67f09SDavid van Moolenbroek struct update_event {
225*00b67f09SDavid van Moolenbroek ISC_EVENT_COMMON(update_event_t);
226*00b67f09SDavid van Moolenbroek dns_zone_t *zone;
227*00b67f09SDavid van Moolenbroek isc_result_t result;
228*00b67f09SDavid van Moolenbroek dns_message_t *answer;
229*00b67f09SDavid van Moolenbroek };
230*00b67f09SDavid van Moolenbroek
231*00b67f09SDavid van Moolenbroek /**************************************************************************/
232*00b67f09SDavid van Moolenbroek /*
233*00b67f09SDavid van Moolenbroek * Forward declarations.
234*00b67f09SDavid van Moolenbroek */
235*00b67f09SDavid van Moolenbroek
236*00b67f09SDavid van Moolenbroek static void update_action(isc_task_t *task, isc_event_t *event);
237*00b67f09SDavid van Moolenbroek static void updatedone_action(isc_task_t *task, isc_event_t *event);
238*00b67f09SDavid van Moolenbroek static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
239*00b67f09SDavid van Moolenbroek static void forward_done(isc_task_t *task, isc_event_t *event);
240*00b67f09SDavid van Moolenbroek
241*00b67f09SDavid van Moolenbroek /**************************************************************************/
242*00b67f09SDavid van Moolenbroek
243*00b67f09SDavid van Moolenbroek static void
244*00b67f09SDavid van Moolenbroek update_log(ns_client_t *client, dns_zone_t *zone,
245*00b67f09SDavid van Moolenbroek int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
246*00b67f09SDavid van Moolenbroek
247*00b67f09SDavid van Moolenbroek static void
update_log(ns_client_t * client,dns_zone_t * zone,int level,const char * fmt,...)248*00b67f09SDavid van Moolenbroek update_log(ns_client_t *client, dns_zone_t *zone,
249*00b67f09SDavid van Moolenbroek int level, const char *fmt, ...)
250*00b67f09SDavid van Moolenbroek {
251*00b67f09SDavid van Moolenbroek va_list ap;
252*00b67f09SDavid van Moolenbroek char message[4096];
253*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
254*00b67f09SDavid van Moolenbroek char classbuf[DNS_RDATACLASS_FORMATSIZE];
255*00b67f09SDavid van Moolenbroek
256*00b67f09SDavid van Moolenbroek if (client == NULL || zone == NULL)
257*00b67f09SDavid van Moolenbroek return;
258*00b67f09SDavid van Moolenbroek
259*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
260*00b67f09SDavid van Moolenbroek return;
261*00b67f09SDavid van Moolenbroek
262*00b67f09SDavid van Moolenbroek dns_name_format(dns_zone_getorigin(zone), namebuf,
263*00b67f09SDavid van Moolenbroek sizeof(namebuf));
264*00b67f09SDavid van Moolenbroek dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
265*00b67f09SDavid van Moolenbroek sizeof(classbuf));
266*00b67f09SDavid van Moolenbroek
267*00b67f09SDavid van Moolenbroek va_start(ap, fmt);
268*00b67f09SDavid van Moolenbroek vsnprintf(message, sizeof(message), fmt, ap);
269*00b67f09SDavid van Moolenbroek va_end(ap);
270*00b67f09SDavid van Moolenbroek
271*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
272*00b67f09SDavid van Moolenbroek level, "updating zone '%s/%s': %s",
273*00b67f09SDavid van Moolenbroek namebuf, classbuf, message);
274*00b67f09SDavid van Moolenbroek }
275*00b67f09SDavid van Moolenbroek
276*00b67f09SDavid van Moolenbroek static void
update_log_cb(void * arg,dns_zone_t * zone,int level,const char * message)277*00b67f09SDavid van Moolenbroek update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
278*00b67f09SDavid van Moolenbroek update_log(arg, zone, level, "%s", message);
279*00b67f09SDavid van Moolenbroek }
280*00b67f09SDavid van Moolenbroek
281*00b67f09SDavid van Moolenbroek /*%
282*00b67f09SDavid van Moolenbroek * Increment updated-related statistics counters.
283*00b67f09SDavid van Moolenbroek */
284*00b67f09SDavid van Moolenbroek static inline void
inc_stats(dns_zone_t * zone,isc_statscounter_t counter)285*00b67f09SDavid van Moolenbroek inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
286*00b67f09SDavid van Moolenbroek isc_stats_increment(ns_g_server->nsstats, counter);
287*00b67f09SDavid van Moolenbroek
288*00b67f09SDavid van Moolenbroek if (zone != NULL) {
289*00b67f09SDavid van Moolenbroek isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
290*00b67f09SDavid van Moolenbroek if (zonestats != NULL)
291*00b67f09SDavid van Moolenbroek isc_stats_increment(zonestats, counter);
292*00b67f09SDavid van Moolenbroek }
293*00b67f09SDavid van Moolenbroek }
294*00b67f09SDavid van Moolenbroek
295*00b67f09SDavid van Moolenbroek /*%
296*00b67f09SDavid van Moolenbroek * Check if we could have queried for the contents of this zone or
297*00b67f09SDavid van Moolenbroek * if the zone is potentially updateable.
298*00b67f09SDavid van Moolenbroek * If the zone can potentially be updated and the check failed then
299*00b67f09SDavid van Moolenbroek * log a error otherwise we log a informational message.
300*00b67f09SDavid van Moolenbroek */
301*00b67f09SDavid van Moolenbroek static isc_result_t
checkqueryacl(ns_client_t * client,dns_acl_t * queryacl,dns_name_t * zonename,dns_acl_t * updateacl,dns_ssutable_t * ssutable)302*00b67f09SDavid van Moolenbroek checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
303*00b67f09SDavid van Moolenbroek dns_acl_t *updateacl, dns_ssutable_t *ssutable)
304*00b67f09SDavid van Moolenbroek {
305*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
306*00b67f09SDavid van Moolenbroek char classbuf[DNS_RDATACLASS_FORMATSIZE];
307*00b67f09SDavid van Moolenbroek int level;
308*00b67f09SDavid van Moolenbroek isc_result_t result;
309*00b67f09SDavid van Moolenbroek
310*00b67f09SDavid van Moolenbroek result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
311*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
312*00b67f09SDavid van Moolenbroek pfilter_notify(result, client, "queryacl");
313*00b67f09SDavid van Moolenbroek dns_name_format(zonename, namebuf, sizeof(namebuf));
314*00b67f09SDavid van Moolenbroek dns_rdataclass_format(client->view->rdclass, classbuf,
315*00b67f09SDavid van Moolenbroek sizeof(classbuf));
316*00b67f09SDavid van Moolenbroek
317*00b67f09SDavid van Moolenbroek level = (updateacl == NULL && ssutable == NULL) ?
318*00b67f09SDavid van Moolenbroek ISC_LOG_INFO : ISC_LOG_ERROR;
319*00b67f09SDavid van Moolenbroek
320*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
321*00b67f09SDavid van Moolenbroek NS_LOGMODULE_UPDATE, level,
322*00b67f09SDavid van Moolenbroek "update '%s/%s' denied due to allow-query",
323*00b67f09SDavid van Moolenbroek namebuf, classbuf);
324*00b67f09SDavid van Moolenbroek } else if (updateacl == NULL && ssutable == NULL) {
325*00b67f09SDavid van Moolenbroek dns_name_format(zonename, namebuf, sizeof(namebuf));
326*00b67f09SDavid van Moolenbroek dns_rdataclass_format(client->view->rdclass, classbuf,
327*00b67f09SDavid van Moolenbroek sizeof(classbuf));
328*00b67f09SDavid van Moolenbroek
329*00b67f09SDavid van Moolenbroek result = DNS_R_REFUSED;
330*00b67f09SDavid van Moolenbroek pfilter_notify(result, client, "updateacl");
331*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
332*00b67f09SDavid van Moolenbroek NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
333*00b67f09SDavid van Moolenbroek "update '%s/%s' denied", namebuf, classbuf);
334*00b67f09SDavid van Moolenbroek }
335*00b67f09SDavid van Moolenbroek return (result);
336*00b67f09SDavid van Moolenbroek }
337*00b67f09SDavid van Moolenbroek
338*00b67f09SDavid van Moolenbroek /*%
339*00b67f09SDavid van Moolenbroek * Override the default acl logging when checking whether a client
340*00b67f09SDavid van Moolenbroek * can update the zone or whether we can forward the request to the
341*00b67f09SDavid van Moolenbroek * master based on IP address.
342*00b67f09SDavid van Moolenbroek *
343*00b67f09SDavid van Moolenbroek * 'message' contains the type of operation that is being attempted.
344*00b67f09SDavid van Moolenbroek * 'slave' indicates if this is a slave zone. If 'acl' is NULL then
345*00b67f09SDavid van Moolenbroek * log at debug=3.
346*00b67f09SDavid van Moolenbroek * If the zone has no access controls configured ('acl' == NULL &&
347*00b67f09SDavid van Moolenbroek * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
348*00b67f09SDavid van Moolenbroek * at error.
349*00b67f09SDavid van Moolenbroek *
350*00b67f09SDavid van Moolenbroek * If the request was signed log that we received it.
351*00b67f09SDavid van Moolenbroek */
352*00b67f09SDavid van Moolenbroek static isc_result_t
checkupdateacl(ns_client_t * client,dns_acl_t * acl,const char * message,dns_name_t * zonename,isc_boolean_t slave,isc_boolean_t has_ssutable)353*00b67f09SDavid van Moolenbroek checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
354*00b67f09SDavid van Moolenbroek dns_name_t *zonename, isc_boolean_t slave,
355*00b67f09SDavid van Moolenbroek isc_boolean_t has_ssutable)
356*00b67f09SDavid van Moolenbroek {
357*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
358*00b67f09SDavid van Moolenbroek char classbuf[DNS_RDATACLASS_FORMATSIZE];
359*00b67f09SDavid van Moolenbroek int level = ISC_LOG_ERROR;
360*00b67f09SDavid van Moolenbroek const char *msg = "denied";
361*00b67f09SDavid van Moolenbroek isc_result_t result;
362*00b67f09SDavid van Moolenbroek
363*00b67f09SDavid van Moolenbroek if (slave && acl == NULL) {
364*00b67f09SDavid van Moolenbroek result = DNS_R_NOTIMP;
365*00b67f09SDavid van Moolenbroek level = ISC_LOG_DEBUG(3);
366*00b67f09SDavid van Moolenbroek msg = "disabled";
367*00b67f09SDavid van Moolenbroek } else {
368*00b67f09SDavid van Moolenbroek result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
369*00b67f09SDavid van Moolenbroek pfilter_notify(result, client, "updateacl");
370*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS) {
371*00b67f09SDavid van Moolenbroek level = ISC_LOG_DEBUG(3);
372*00b67f09SDavid van Moolenbroek msg = "approved";
373*00b67f09SDavid van Moolenbroek } else if (acl == NULL && !has_ssutable) {
374*00b67f09SDavid van Moolenbroek level = ISC_LOG_INFO;
375*00b67f09SDavid van Moolenbroek }
376*00b67f09SDavid van Moolenbroek }
377*00b67f09SDavid van Moolenbroek
378*00b67f09SDavid van Moolenbroek if (client->signer != NULL) {
379*00b67f09SDavid van Moolenbroek dns_name_format(client->signer, namebuf, sizeof(namebuf));
380*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
381*00b67f09SDavid van Moolenbroek NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
382*00b67f09SDavid van Moolenbroek "signer \"%s\" %s", namebuf, msg);
383*00b67f09SDavid van Moolenbroek }
384*00b67f09SDavid van Moolenbroek
385*00b67f09SDavid van Moolenbroek dns_name_format(zonename, namebuf, sizeof(namebuf));
386*00b67f09SDavid van Moolenbroek dns_rdataclass_format(client->view->rdclass, classbuf,
387*00b67f09SDavid van Moolenbroek sizeof(classbuf));
388*00b67f09SDavid van Moolenbroek
389*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
390*00b67f09SDavid van Moolenbroek NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
391*00b67f09SDavid van Moolenbroek message, namebuf, classbuf, msg);
392*00b67f09SDavid van Moolenbroek return (result);
393*00b67f09SDavid van Moolenbroek }
394*00b67f09SDavid van Moolenbroek
395*00b67f09SDavid van Moolenbroek /*%
396*00b67f09SDavid van Moolenbroek * Update a single RR in version 'ver' of 'db' and log the
397*00b67f09SDavid van Moolenbroek * update in 'diff'.
398*00b67f09SDavid van Moolenbroek *
399*00b67f09SDavid van Moolenbroek * Ensures:
400*00b67f09SDavid van Moolenbroek * \li '*tuple' == NULL. Either the tuple is freed, or its
401*00b67f09SDavid van Moolenbroek * ownership has been transferred to the diff.
402*00b67f09SDavid van Moolenbroek */
403*00b67f09SDavid van Moolenbroek static isc_result_t
do_one_tuple(dns_difftuple_t ** tuple,dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff)404*00b67f09SDavid van Moolenbroek do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
405*00b67f09SDavid van Moolenbroek dns_diff_t *diff)
406*00b67f09SDavid van Moolenbroek {
407*00b67f09SDavid van Moolenbroek dns_diff_t temp_diff;
408*00b67f09SDavid van Moolenbroek isc_result_t result;
409*00b67f09SDavid van Moolenbroek
410*00b67f09SDavid van Moolenbroek /*
411*00b67f09SDavid van Moolenbroek * Create a singleton diff.
412*00b67f09SDavid van Moolenbroek */
413*00b67f09SDavid van Moolenbroek dns_diff_init(diff->mctx, &temp_diff);
414*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
415*00b67f09SDavid van Moolenbroek
416*00b67f09SDavid van Moolenbroek /*
417*00b67f09SDavid van Moolenbroek * Apply it to the database.
418*00b67f09SDavid van Moolenbroek */
419*00b67f09SDavid van Moolenbroek result = dns_diff_apply(&temp_diff, db, ver);
420*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
421*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
422*00b67f09SDavid van Moolenbroek dns_difftuple_free(tuple);
423*00b67f09SDavid van Moolenbroek return (result);
424*00b67f09SDavid van Moolenbroek }
425*00b67f09SDavid van Moolenbroek
426*00b67f09SDavid van Moolenbroek /*
427*00b67f09SDavid van Moolenbroek * Merge it into the current pending journal entry.
428*00b67f09SDavid van Moolenbroek */
429*00b67f09SDavid van Moolenbroek dns_diff_appendminimal(diff, tuple);
430*00b67f09SDavid van Moolenbroek
431*00b67f09SDavid van Moolenbroek /*
432*00b67f09SDavid van Moolenbroek * Do not clear temp_diff.
433*00b67f09SDavid van Moolenbroek */
434*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
435*00b67f09SDavid van Moolenbroek }
436*00b67f09SDavid van Moolenbroek
437*00b67f09SDavid van Moolenbroek /*%
438*00b67f09SDavid van Moolenbroek * Perform the updates in 'updates' in version 'ver' of 'db' and log the
439*00b67f09SDavid van Moolenbroek * update in 'diff'.
440*00b67f09SDavid van Moolenbroek *
441*00b67f09SDavid van Moolenbroek * Ensures:
442*00b67f09SDavid van Moolenbroek * \li 'updates' is empty.
443*00b67f09SDavid van Moolenbroek */
444*00b67f09SDavid van Moolenbroek static isc_result_t
do_diff(dns_diff_t * updates,dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff)445*00b67f09SDavid van Moolenbroek do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
446*00b67f09SDavid van Moolenbroek dns_diff_t *diff)
447*00b67f09SDavid van Moolenbroek {
448*00b67f09SDavid van Moolenbroek isc_result_t result;
449*00b67f09SDavid van Moolenbroek while (! ISC_LIST_EMPTY(updates->tuples)) {
450*00b67f09SDavid van Moolenbroek dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
451*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(updates->tuples, t, link);
452*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&t, db, ver, diff));
453*00b67f09SDavid van Moolenbroek }
454*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
455*00b67f09SDavid van Moolenbroek
456*00b67f09SDavid van Moolenbroek failure:
457*00b67f09SDavid van Moolenbroek dns_diff_clear(diff);
458*00b67f09SDavid van Moolenbroek return (result);
459*00b67f09SDavid van Moolenbroek }
460*00b67f09SDavid van Moolenbroek
461*00b67f09SDavid van Moolenbroek static isc_result_t
update_one_rr(dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff,dns_diffop_t op,dns_name_t * name,dns_ttl_t ttl,dns_rdata_t * rdata)462*00b67f09SDavid van Moolenbroek update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
463*00b67f09SDavid van Moolenbroek dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
464*00b67f09SDavid van Moolenbroek dns_rdata_t *rdata)
465*00b67f09SDavid van Moolenbroek {
466*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple = NULL;
467*00b67f09SDavid van Moolenbroek isc_result_t result;
468*00b67f09SDavid van Moolenbroek result = dns_difftuple_create(diff->mctx, op,
469*00b67f09SDavid van Moolenbroek name, ttl, rdata, &tuple);
470*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
471*00b67f09SDavid van Moolenbroek return (result);
472*00b67f09SDavid van Moolenbroek return (do_one_tuple(&tuple, db, ver, diff));
473*00b67f09SDavid van Moolenbroek }
474*00b67f09SDavid van Moolenbroek
475*00b67f09SDavid van Moolenbroek /**************************************************************************/
476*00b67f09SDavid van Moolenbroek /*
477*00b67f09SDavid van Moolenbroek * Callback-style iteration over rdatasets and rdatas.
478*00b67f09SDavid van Moolenbroek *
479*00b67f09SDavid van Moolenbroek * foreach_rrset() can be used to iterate over the RRsets
480*00b67f09SDavid van Moolenbroek * of a name and call a callback function with each
481*00b67f09SDavid van Moolenbroek * one. Similarly, foreach_rr() can be used to iterate
482*00b67f09SDavid van Moolenbroek * over the individual RRs at name, optionally restricted
483*00b67f09SDavid van Moolenbroek * to RRs of a given type.
484*00b67f09SDavid van Moolenbroek *
485*00b67f09SDavid van Moolenbroek * The callback functions are called "actions" and take
486*00b67f09SDavid van Moolenbroek * two arguments: a void pointer for passing arbitrary
487*00b67f09SDavid van Moolenbroek * context information, and a pointer to the current RRset
488*00b67f09SDavid van Moolenbroek * or RR. By convention, their names end in "_action".
489*00b67f09SDavid van Moolenbroek */
490*00b67f09SDavid van Moolenbroek
491*00b67f09SDavid van Moolenbroek /*
492*00b67f09SDavid van Moolenbroek * XXXRTH We might want to make this public somewhere in libdns.
493*00b67f09SDavid van Moolenbroek */
494*00b67f09SDavid van Moolenbroek
495*00b67f09SDavid van Moolenbroek /*%
496*00b67f09SDavid van Moolenbroek * Function type for foreach_rrset() iterator actions.
497*00b67f09SDavid van Moolenbroek */
498*00b67f09SDavid van Moolenbroek typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
499*00b67f09SDavid van Moolenbroek
500*00b67f09SDavid van Moolenbroek /*%
501*00b67f09SDavid van Moolenbroek * Function type for foreach_rr() iterator actions.
502*00b67f09SDavid van Moolenbroek */
503*00b67f09SDavid van Moolenbroek typedef isc_result_t rr_func(void *data, rr_t *rr);
504*00b67f09SDavid van Moolenbroek
505*00b67f09SDavid van Moolenbroek /*%
506*00b67f09SDavid van Moolenbroek * Internal context struct for foreach_node_rr().
507*00b67f09SDavid van Moolenbroek */
508*00b67f09SDavid van Moolenbroek typedef struct {
509*00b67f09SDavid van Moolenbroek rr_func * rr_action;
510*00b67f09SDavid van Moolenbroek void * rr_action_data;
511*00b67f09SDavid van Moolenbroek } foreach_node_rr_ctx_t;
512*00b67f09SDavid van Moolenbroek
513*00b67f09SDavid van Moolenbroek /*%
514*00b67f09SDavid van Moolenbroek * Internal helper function for foreach_node_rr().
515*00b67f09SDavid van Moolenbroek */
516*00b67f09SDavid van Moolenbroek static isc_result_t
foreach_node_rr_action(void * data,dns_rdataset_t * rdataset)517*00b67f09SDavid van Moolenbroek foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
518*00b67f09SDavid van Moolenbroek isc_result_t result;
519*00b67f09SDavid van Moolenbroek foreach_node_rr_ctx_t *ctx = data;
520*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(rdataset);
521*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
522*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(rdataset))
523*00b67f09SDavid van Moolenbroek {
524*00b67f09SDavid van Moolenbroek rr_t rr = { 0, DNS_RDATA_INIT };
525*00b67f09SDavid van Moolenbroek
526*00b67f09SDavid van Moolenbroek dns_rdataset_current(rdataset, &rr.rdata);
527*00b67f09SDavid van Moolenbroek rr.ttl = rdataset->ttl;
528*00b67f09SDavid van Moolenbroek result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
529*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
530*00b67f09SDavid van Moolenbroek return (result);
531*00b67f09SDavid van Moolenbroek }
532*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
533*00b67f09SDavid van Moolenbroek return (result);
534*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
535*00b67f09SDavid van Moolenbroek }
536*00b67f09SDavid van Moolenbroek
537*00b67f09SDavid van Moolenbroek /*%
538*00b67f09SDavid van Moolenbroek * For each rdataset of 'name' in 'ver' of 'db', call 'action'
539*00b67f09SDavid van Moolenbroek * with the rdataset and 'action_data' as arguments. If the name
540*00b67f09SDavid van Moolenbroek * does not exist, do nothing.
541*00b67f09SDavid van Moolenbroek *
542*00b67f09SDavid van Moolenbroek * If 'action' returns an error, abort iteration and return the error.
543*00b67f09SDavid van Moolenbroek */
544*00b67f09SDavid van Moolenbroek static isc_result_t
foreach_rrset(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,rrset_func * action,void * action_data)545*00b67f09SDavid van Moolenbroek foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
546*00b67f09SDavid van Moolenbroek rrset_func *action, void *action_data)
547*00b67f09SDavid van Moolenbroek {
548*00b67f09SDavid van Moolenbroek isc_result_t result;
549*00b67f09SDavid van Moolenbroek dns_dbnode_t *node;
550*00b67f09SDavid van Moolenbroek dns_rdatasetiter_t *iter;
551*00b67f09SDavid van Moolenbroek
552*00b67f09SDavid van Moolenbroek node = NULL;
553*00b67f09SDavid van Moolenbroek result = dns_db_findnode(db, name, ISC_FALSE, &node);
554*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND)
555*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
556*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
557*00b67f09SDavid van Moolenbroek return (result);
558*00b67f09SDavid van Moolenbroek
559*00b67f09SDavid van Moolenbroek iter = NULL;
560*00b67f09SDavid van Moolenbroek result = dns_db_allrdatasets(db, node, ver,
561*00b67f09SDavid van Moolenbroek (isc_stdtime_t) 0, &iter);
562*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
563*00b67f09SDavid van Moolenbroek goto cleanup_node;
564*00b67f09SDavid van Moolenbroek
565*00b67f09SDavid van Moolenbroek for (result = dns_rdatasetiter_first(iter);
566*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
567*00b67f09SDavid van Moolenbroek result = dns_rdatasetiter_next(iter))
568*00b67f09SDavid van Moolenbroek {
569*00b67f09SDavid van Moolenbroek dns_rdataset_t rdataset;
570*00b67f09SDavid van Moolenbroek
571*00b67f09SDavid van Moolenbroek dns_rdataset_init(&rdataset);
572*00b67f09SDavid van Moolenbroek dns_rdatasetiter_current(iter, &rdataset);
573*00b67f09SDavid van Moolenbroek
574*00b67f09SDavid van Moolenbroek result = (*action)(action_data, &rdataset);
575*00b67f09SDavid van Moolenbroek
576*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
577*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
578*00b67f09SDavid van Moolenbroek goto cleanup_iterator;
579*00b67f09SDavid van Moolenbroek }
580*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOMORE)
581*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
582*00b67f09SDavid van Moolenbroek
583*00b67f09SDavid van Moolenbroek cleanup_iterator:
584*00b67f09SDavid van Moolenbroek dns_rdatasetiter_destroy(&iter);
585*00b67f09SDavid van Moolenbroek
586*00b67f09SDavid van Moolenbroek cleanup_node:
587*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
588*00b67f09SDavid van Moolenbroek
589*00b67f09SDavid van Moolenbroek return (result);
590*00b67f09SDavid van Moolenbroek }
591*00b67f09SDavid van Moolenbroek
592*00b67f09SDavid van Moolenbroek /*%
593*00b67f09SDavid van Moolenbroek * For each RR of 'name' in 'ver' of 'db', call 'action'
594*00b67f09SDavid van Moolenbroek * with the RR and 'action_data' as arguments. If the name
595*00b67f09SDavid van Moolenbroek * does not exist, do nothing.
596*00b67f09SDavid van Moolenbroek *
597*00b67f09SDavid van Moolenbroek * If 'action' returns an error, abort iteration
598*00b67f09SDavid van Moolenbroek * and return the error.
599*00b67f09SDavid van Moolenbroek */
600*00b67f09SDavid van Moolenbroek static isc_result_t
foreach_node_rr(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,rr_func * rr_action,void * rr_action_data)601*00b67f09SDavid van Moolenbroek foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
602*00b67f09SDavid van Moolenbroek rr_func *rr_action, void *rr_action_data)
603*00b67f09SDavid van Moolenbroek {
604*00b67f09SDavid van Moolenbroek foreach_node_rr_ctx_t ctx;
605*00b67f09SDavid van Moolenbroek ctx.rr_action = rr_action;
606*00b67f09SDavid van Moolenbroek ctx.rr_action_data = rr_action_data;
607*00b67f09SDavid van Moolenbroek return (foreach_rrset(db, ver, name,
608*00b67f09SDavid van Moolenbroek foreach_node_rr_action, &ctx));
609*00b67f09SDavid van Moolenbroek }
610*00b67f09SDavid van Moolenbroek
611*00b67f09SDavid van Moolenbroek
612*00b67f09SDavid van Moolenbroek /*%
613*00b67f09SDavid van Moolenbroek * For each of the RRs specified by 'db', 'ver', 'name', 'type',
614*00b67f09SDavid van Moolenbroek * (which can be dns_rdatatype_any to match any type), and 'covers', call
615*00b67f09SDavid van Moolenbroek * 'action' with the RR and 'action_data' as arguments. If the name
616*00b67f09SDavid van Moolenbroek * does not exist, or if no RRset of the given type exists at the name,
617*00b67f09SDavid van Moolenbroek * do nothing.
618*00b67f09SDavid van Moolenbroek *
619*00b67f09SDavid van Moolenbroek * If 'action' returns an error, abort iteration and return the error.
620*00b67f09SDavid van Moolenbroek */
621*00b67f09SDavid van Moolenbroek static isc_result_t
foreach_rr(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,dns_rdatatype_t type,dns_rdatatype_t covers,rr_func * rr_action,void * rr_action_data)622*00b67f09SDavid van Moolenbroek foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
623*00b67f09SDavid van Moolenbroek dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
624*00b67f09SDavid van Moolenbroek void *rr_action_data)
625*00b67f09SDavid van Moolenbroek {
626*00b67f09SDavid van Moolenbroek
627*00b67f09SDavid van Moolenbroek isc_result_t result;
628*00b67f09SDavid van Moolenbroek dns_dbnode_t *node;
629*00b67f09SDavid van Moolenbroek dns_rdataset_t rdataset;
630*00b67f09SDavid van Moolenbroek
631*00b67f09SDavid van Moolenbroek if (type == dns_rdatatype_any)
632*00b67f09SDavid van Moolenbroek return (foreach_node_rr(db, ver, name,
633*00b67f09SDavid van Moolenbroek rr_action, rr_action_data));
634*00b67f09SDavid van Moolenbroek
635*00b67f09SDavid van Moolenbroek node = NULL;
636*00b67f09SDavid van Moolenbroek if (type == dns_rdatatype_nsec3 ||
637*00b67f09SDavid van Moolenbroek (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
638*00b67f09SDavid van Moolenbroek result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
639*00b67f09SDavid van Moolenbroek else
640*00b67f09SDavid van Moolenbroek result = dns_db_findnode(db, name, ISC_FALSE, &node);
641*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND)
642*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
643*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
644*00b67f09SDavid van Moolenbroek return (result);
645*00b67f09SDavid van Moolenbroek
646*00b67f09SDavid van Moolenbroek dns_rdataset_init(&rdataset);
647*00b67f09SDavid van Moolenbroek result = dns_db_findrdataset(db, node, ver, type, covers,
648*00b67f09SDavid van Moolenbroek (isc_stdtime_t) 0, &rdataset, NULL);
649*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND) {
650*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
651*00b67f09SDavid van Moolenbroek goto cleanup_node;
652*00b67f09SDavid van Moolenbroek }
653*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
654*00b67f09SDavid van Moolenbroek goto cleanup_node;
655*00b67f09SDavid van Moolenbroek
656*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(&rdataset);
657*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
658*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(&rdataset))
659*00b67f09SDavid van Moolenbroek {
660*00b67f09SDavid van Moolenbroek rr_t rr = { 0, DNS_RDATA_INIT };
661*00b67f09SDavid van Moolenbroek dns_rdataset_current(&rdataset, &rr.rdata);
662*00b67f09SDavid van Moolenbroek rr.ttl = rdataset.ttl;
663*00b67f09SDavid van Moolenbroek result = (*rr_action)(rr_action_data, &rr);
664*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
665*00b67f09SDavid van Moolenbroek goto cleanup_rdataset;
666*00b67f09SDavid van Moolenbroek }
667*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
668*00b67f09SDavid van Moolenbroek goto cleanup_rdataset;
669*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
670*00b67f09SDavid van Moolenbroek
671*00b67f09SDavid van Moolenbroek cleanup_rdataset:
672*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
673*00b67f09SDavid van Moolenbroek cleanup_node:
674*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
675*00b67f09SDavid van Moolenbroek
676*00b67f09SDavid van Moolenbroek return (result);
677*00b67f09SDavid van Moolenbroek }
678*00b67f09SDavid van Moolenbroek
679*00b67f09SDavid van Moolenbroek /**************************************************************************/
680*00b67f09SDavid van Moolenbroek /*
681*00b67f09SDavid van Moolenbroek * Various tests on the database contents (for prerequisites, etc).
682*00b67f09SDavid van Moolenbroek */
683*00b67f09SDavid van Moolenbroek
684*00b67f09SDavid van Moolenbroek /*%
685*00b67f09SDavid van Moolenbroek * Function type for predicate functions that compare a database RR 'db_rr'
686*00b67f09SDavid van Moolenbroek * against an update RR 'update_rr'.
687*00b67f09SDavid van Moolenbroek */
688*00b67f09SDavid van Moolenbroek typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
689*00b67f09SDavid van Moolenbroek
690*00b67f09SDavid van Moolenbroek /*%
691*00b67f09SDavid van Moolenbroek * Helper function for rrset_exists().
692*00b67f09SDavid van Moolenbroek */
693*00b67f09SDavid van Moolenbroek static isc_result_t
rrset_exists_action(void * data,rr_t * rr)694*00b67f09SDavid van Moolenbroek rrset_exists_action(void *data, rr_t *rr) {
695*00b67f09SDavid van Moolenbroek UNUSED(data);
696*00b67f09SDavid van Moolenbroek UNUSED(rr);
697*00b67f09SDavid van Moolenbroek return (ISC_R_EXISTS);
698*00b67f09SDavid van Moolenbroek }
699*00b67f09SDavid van Moolenbroek
700*00b67f09SDavid van Moolenbroek /*%
701*00b67f09SDavid van Moolenbroek * Utility macro for RR existence checking functions.
702*00b67f09SDavid van Moolenbroek *
703*00b67f09SDavid van Moolenbroek * If the variable 'result' has the value ISC_R_EXISTS or
704*00b67f09SDavid van Moolenbroek * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
705*00b67f09SDavid van Moolenbroek * respectively, and return success.
706*00b67f09SDavid van Moolenbroek *
707*00b67f09SDavid van Moolenbroek * If 'result' has any other value, there was a failure.
708*00b67f09SDavid van Moolenbroek * Return the failure result code and do not set *exists.
709*00b67f09SDavid van Moolenbroek *
710*00b67f09SDavid van Moolenbroek * This would be more readable as "do { if ... } while(0)",
711*00b67f09SDavid van Moolenbroek * but that form generates tons of warnings on Solaris 2.6.
712*00b67f09SDavid van Moolenbroek */
713*00b67f09SDavid van Moolenbroek #define RETURN_EXISTENCE_FLAG \
714*00b67f09SDavid van Moolenbroek return ((result == ISC_R_EXISTS) ? \
715*00b67f09SDavid van Moolenbroek (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
716*00b67f09SDavid van Moolenbroek ((result == ISC_R_SUCCESS) ? \
717*00b67f09SDavid van Moolenbroek (*exists = ISC_FALSE, ISC_R_SUCCESS) : \
718*00b67f09SDavid van Moolenbroek result))
719*00b67f09SDavid van Moolenbroek
720*00b67f09SDavid van Moolenbroek /*%
721*00b67f09SDavid van Moolenbroek * Set '*exists' to true iff an rrset of the given type exists,
722*00b67f09SDavid van Moolenbroek * to false otherwise.
723*00b67f09SDavid van Moolenbroek */
724*00b67f09SDavid van Moolenbroek static isc_result_t
rrset_exists(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,dns_rdatatype_t type,dns_rdatatype_t covers,isc_boolean_t * exists)725*00b67f09SDavid van Moolenbroek rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
726*00b67f09SDavid van Moolenbroek dns_rdatatype_t type, dns_rdatatype_t covers,
727*00b67f09SDavid van Moolenbroek isc_boolean_t *exists)
728*00b67f09SDavid van Moolenbroek {
729*00b67f09SDavid van Moolenbroek isc_result_t result;
730*00b67f09SDavid van Moolenbroek result = foreach_rr(db, ver, name, type, covers,
731*00b67f09SDavid van Moolenbroek rrset_exists_action, NULL);
732*00b67f09SDavid van Moolenbroek RETURN_EXISTENCE_FLAG;
733*00b67f09SDavid van Moolenbroek }
734*00b67f09SDavid van Moolenbroek
735*00b67f09SDavid van Moolenbroek /*%
736*00b67f09SDavid van Moolenbroek * Helper function for cname_incompatible_rrset_exists.
737*00b67f09SDavid van Moolenbroek */
738*00b67f09SDavid van Moolenbroek static isc_result_t
cname_compatibility_action(void * data,dns_rdataset_t * rrset)739*00b67f09SDavid van Moolenbroek cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
740*00b67f09SDavid van Moolenbroek UNUSED(data);
741*00b67f09SDavid van Moolenbroek if (rrset->type != dns_rdatatype_cname &&
742*00b67f09SDavid van Moolenbroek ! dns_rdatatype_isdnssec(rrset->type))
743*00b67f09SDavid van Moolenbroek return (ISC_R_EXISTS);
744*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
745*00b67f09SDavid van Moolenbroek }
746*00b67f09SDavid van Moolenbroek
747*00b67f09SDavid van Moolenbroek /*%
748*00b67f09SDavid van Moolenbroek * Check whether there is an rrset incompatible with adding a CNAME RR,
749*00b67f09SDavid van Moolenbroek * i.e., anything but another CNAME (which can be replaced) or a
750*00b67f09SDavid van Moolenbroek * DNSSEC RR (which can coexist).
751*00b67f09SDavid van Moolenbroek *
752*00b67f09SDavid van Moolenbroek * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
753*00b67f09SDavid van Moolenbroek * Otherwise, set it to ISC_FALSE.
754*00b67f09SDavid van Moolenbroek */
755*00b67f09SDavid van Moolenbroek static isc_result_t
cname_incompatible_rrset_exists(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,isc_boolean_t * exists)756*00b67f09SDavid van Moolenbroek cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
757*00b67f09SDavid van Moolenbroek dns_name_t *name, isc_boolean_t *exists) {
758*00b67f09SDavid van Moolenbroek isc_result_t result;
759*00b67f09SDavid van Moolenbroek result = foreach_rrset(db, ver, name,
760*00b67f09SDavid van Moolenbroek cname_compatibility_action, NULL);
761*00b67f09SDavid van Moolenbroek RETURN_EXISTENCE_FLAG;
762*00b67f09SDavid van Moolenbroek }
763*00b67f09SDavid van Moolenbroek
764*00b67f09SDavid van Moolenbroek /*%
765*00b67f09SDavid van Moolenbroek * Helper function for rr_count().
766*00b67f09SDavid van Moolenbroek */
767*00b67f09SDavid van Moolenbroek static isc_result_t
count_rr_action(void * data,rr_t * rr)768*00b67f09SDavid van Moolenbroek count_rr_action(void *data, rr_t *rr) {
769*00b67f09SDavid van Moolenbroek int *countp = data;
770*00b67f09SDavid van Moolenbroek UNUSED(rr);
771*00b67f09SDavid van Moolenbroek (*countp)++;
772*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
773*00b67f09SDavid van Moolenbroek }
774*00b67f09SDavid van Moolenbroek
775*00b67f09SDavid van Moolenbroek /*%
776*00b67f09SDavid van Moolenbroek * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
777*00b67f09SDavid van Moolenbroek */
778*00b67f09SDavid van Moolenbroek static isc_result_t
rr_count(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,dns_rdatatype_t type,dns_rdatatype_t covers,int * countp)779*00b67f09SDavid van Moolenbroek rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
780*00b67f09SDavid van Moolenbroek dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
781*00b67f09SDavid van Moolenbroek {
782*00b67f09SDavid van Moolenbroek *countp = 0;
783*00b67f09SDavid van Moolenbroek return (foreach_rr(db, ver, name, type, covers,
784*00b67f09SDavid van Moolenbroek count_rr_action, countp));
785*00b67f09SDavid van Moolenbroek }
786*00b67f09SDavid van Moolenbroek
787*00b67f09SDavid van Moolenbroek /*%
788*00b67f09SDavid van Moolenbroek * Context struct and helper function for name_exists().
789*00b67f09SDavid van Moolenbroek */
790*00b67f09SDavid van Moolenbroek
791*00b67f09SDavid van Moolenbroek static isc_result_t
name_exists_action(void * data,dns_rdataset_t * rrset)792*00b67f09SDavid van Moolenbroek name_exists_action(void *data, dns_rdataset_t *rrset) {
793*00b67f09SDavid van Moolenbroek UNUSED(data);
794*00b67f09SDavid van Moolenbroek UNUSED(rrset);
795*00b67f09SDavid van Moolenbroek return (ISC_R_EXISTS);
796*00b67f09SDavid van Moolenbroek }
797*00b67f09SDavid van Moolenbroek
798*00b67f09SDavid van Moolenbroek /*%
799*00b67f09SDavid van Moolenbroek * Set '*exists' to true iff the given name exists, to false otherwise.
800*00b67f09SDavid van Moolenbroek */
801*00b67f09SDavid van Moolenbroek static isc_result_t
name_exists(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,isc_boolean_t * exists)802*00b67f09SDavid van Moolenbroek name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
803*00b67f09SDavid van Moolenbroek isc_boolean_t *exists)
804*00b67f09SDavid van Moolenbroek {
805*00b67f09SDavid van Moolenbroek isc_result_t result;
806*00b67f09SDavid van Moolenbroek result = foreach_rrset(db, ver, name,
807*00b67f09SDavid van Moolenbroek name_exists_action, NULL);
808*00b67f09SDavid van Moolenbroek RETURN_EXISTENCE_FLAG;
809*00b67f09SDavid van Moolenbroek }
810*00b67f09SDavid van Moolenbroek
811*00b67f09SDavid van Moolenbroek /*
812*00b67f09SDavid van Moolenbroek * 'ssu_check_t' is used to pass the arguments to
813*00b67f09SDavid van Moolenbroek * dns_ssutable_checkrules() to the callback function
814*00b67f09SDavid van Moolenbroek * ssu_checkrule().
815*00b67f09SDavid van Moolenbroek */
816*00b67f09SDavid van Moolenbroek typedef struct {
817*00b67f09SDavid van Moolenbroek /* The ownername of the record to be updated. */
818*00b67f09SDavid van Moolenbroek dns_name_t *name;
819*00b67f09SDavid van Moolenbroek
820*00b67f09SDavid van Moolenbroek /* The signature's name if the request was signed. */
821*00b67f09SDavid van Moolenbroek dns_name_t *signer;
822*00b67f09SDavid van Moolenbroek
823*00b67f09SDavid van Moolenbroek /* The address of the client if the request was received via TCP. */
824*00b67f09SDavid van Moolenbroek isc_netaddr_t *tcpaddr;
825*00b67f09SDavid van Moolenbroek
826*00b67f09SDavid van Moolenbroek /* The ssu table to check against. */
827*00b67f09SDavid van Moolenbroek dns_ssutable_t *table;
828*00b67f09SDavid van Moolenbroek
829*00b67f09SDavid van Moolenbroek /* the key used for TKEY requests */
830*00b67f09SDavid van Moolenbroek dst_key_t *key;
831*00b67f09SDavid van Moolenbroek } ssu_check_t;
832*00b67f09SDavid van Moolenbroek
833*00b67f09SDavid van Moolenbroek static isc_result_t
ssu_checkrule(void * data,dns_rdataset_t * rrset)834*00b67f09SDavid van Moolenbroek ssu_checkrule(void *data, dns_rdataset_t *rrset) {
835*00b67f09SDavid van Moolenbroek ssu_check_t *ssuinfo = data;
836*00b67f09SDavid van Moolenbroek isc_boolean_t result;
837*00b67f09SDavid van Moolenbroek
838*00b67f09SDavid van Moolenbroek /*
839*00b67f09SDavid van Moolenbroek * If we're deleting all records, it's ok to delete RRSIG and NSEC even
840*00b67f09SDavid van Moolenbroek * if we're normally not allowed to.
841*00b67f09SDavid van Moolenbroek */
842*00b67f09SDavid van Moolenbroek if (rrset->type == dns_rdatatype_rrsig ||
843*00b67f09SDavid van Moolenbroek rrset->type == dns_rdatatype_nsec)
844*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
845*00b67f09SDavid van Moolenbroek result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
846*00b67f09SDavid van Moolenbroek ssuinfo->name, ssuinfo->tcpaddr,
847*00b67f09SDavid van Moolenbroek rrset->type, ssuinfo->key);
848*00b67f09SDavid van Moolenbroek return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
849*00b67f09SDavid van Moolenbroek }
850*00b67f09SDavid van Moolenbroek
851*00b67f09SDavid van Moolenbroek static isc_boolean_t
ssu_checkall(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,dns_ssutable_t * ssutable,dns_name_t * signer,isc_netaddr_t * tcpaddr,dst_key_t * key)852*00b67f09SDavid van Moolenbroek ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
853*00b67f09SDavid van Moolenbroek dns_ssutable_t *ssutable, dns_name_t *signer,
854*00b67f09SDavid van Moolenbroek isc_netaddr_t *tcpaddr, dst_key_t *key)
855*00b67f09SDavid van Moolenbroek {
856*00b67f09SDavid van Moolenbroek isc_result_t result;
857*00b67f09SDavid van Moolenbroek ssu_check_t ssuinfo;
858*00b67f09SDavid van Moolenbroek
859*00b67f09SDavid van Moolenbroek ssuinfo.name = name;
860*00b67f09SDavid van Moolenbroek ssuinfo.table = ssutable;
861*00b67f09SDavid van Moolenbroek ssuinfo.signer = signer;
862*00b67f09SDavid van Moolenbroek ssuinfo.tcpaddr = tcpaddr;
863*00b67f09SDavid van Moolenbroek ssuinfo.key = key;
864*00b67f09SDavid van Moolenbroek result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
865*00b67f09SDavid van Moolenbroek return (ISC_TF(result == ISC_R_SUCCESS));
866*00b67f09SDavid van Moolenbroek }
867*00b67f09SDavid van Moolenbroek
868*00b67f09SDavid van Moolenbroek /**************************************************************************/
869*00b67f09SDavid van Moolenbroek /*
870*00b67f09SDavid van Moolenbroek * Checking of "RRset exists (value dependent)" prerequisites.
871*00b67f09SDavid van Moolenbroek *
872*00b67f09SDavid van Moolenbroek * In the RFC2136 section 3.2.5, this is the pseudocode involving
873*00b67f09SDavid van Moolenbroek * a variable called "temp", a mapping of <name, type> tuples to rrsets.
874*00b67f09SDavid van Moolenbroek *
875*00b67f09SDavid van Moolenbroek * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
876*00b67f09SDavid van Moolenbroek * where each tuple has op==DNS_DIFFOP_EXISTS.
877*00b67f09SDavid van Moolenbroek */
878*00b67f09SDavid van Moolenbroek
879*00b67f09SDavid van Moolenbroek
880*00b67f09SDavid van Moolenbroek /*%
881*00b67f09SDavid van Moolenbroek * Append a tuple asserting the existence of the RR with
882*00b67f09SDavid van Moolenbroek * 'name' and 'rdata' to 'diff'.
883*00b67f09SDavid van Moolenbroek */
884*00b67f09SDavid van Moolenbroek static isc_result_t
temp_append(dns_diff_t * diff,dns_name_t * name,dns_rdata_t * rdata)885*00b67f09SDavid van Moolenbroek temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
886*00b67f09SDavid van Moolenbroek isc_result_t result;
887*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple = NULL;
888*00b67f09SDavid van Moolenbroek
889*00b67f09SDavid van Moolenbroek REQUIRE(DNS_DIFF_VALID(diff));
890*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
891*00b67f09SDavid van Moolenbroek name, 0, rdata, &tuple));
892*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, tuple, link);
893*00b67f09SDavid van Moolenbroek failure:
894*00b67f09SDavid van Moolenbroek return (result);
895*00b67f09SDavid van Moolenbroek }
896*00b67f09SDavid van Moolenbroek
897*00b67f09SDavid van Moolenbroek /*%
898*00b67f09SDavid van Moolenbroek * Compare two rdatasets represented as sorted lists of tuples.
899*00b67f09SDavid van Moolenbroek * All list elements must have the same owner name and type.
900*00b67f09SDavid van Moolenbroek * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
901*00b67f09SDavid van Moolenbroek * if not.
902*00b67f09SDavid van Moolenbroek */
903*00b67f09SDavid van Moolenbroek static isc_result_t
temp_check_rrset(dns_difftuple_t * a,dns_difftuple_t * b)904*00b67f09SDavid van Moolenbroek temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
905*00b67f09SDavid van Moolenbroek for (;;) {
906*00b67f09SDavid van Moolenbroek if (a == NULL || b == NULL)
907*00b67f09SDavid van Moolenbroek break;
908*00b67f09SDavid van Moolenbroek INSIST(a->op == DNS_DIFFOP_EXISTS &&
909*00b67f09SDavid van Moolenbroek b->op == DNS_DIFFOP_EXISTS);
910*00b67f09SDavid van Moolenbroek INSIST(a->rdata.type == b->rdata.type);
911*00b67f09SDavid van Moolenbroek INSIST(dns_name_equal(&a->name, &b->name));
912*00b67f09SDavid van Moolenbroek if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0)
913*00b67f09SDavid van Moolenbroek return (DNS_R_NXRRSET);
914*00b67f09SDavid van Moolenbroek a = ISC_LIST_NEXT(a, link);
915*00b67f09SDavid van Moolenbroek b = ISC_LIST_NEXT(b, link);
916*00b67f09SDavid van Moolenbroek }
917*00b67f09SDavid van Moolenbroek if (a != NULL || b != NULL)
918*00b67f09SDavid van Moolenbroek return (DNS_R_NXRRSET);
919*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
920*00b67f09SDavid van Moolenbroek }
921*00b67f09SDavid van Moolenbroek
922*00b67f09SDavid van Moolenbroek /*%
923*00b67f09SDavid van Moolenbroek * A comparison function defining the sorting order for the entries
924*00b67f09SDavid van Moolenbroek * in the "temp" data structure. The major sort key is the owner name,
925*00b67f09SDavid van Moolenbroek * followed by the type and rdata.
926*00b67f09SDavid van Moolenbroek */
927*00b67f09SDavid van Moolenbroek static int
temp_order(const void * av,const void * bv)928*00b67f09SDavid van Moolenbroek temp_order(const void *av, const void *bv) {
929*00b67f09SDavid van Moolenbroek dns_difftuple_t const * const *ap = av;
930*00b67f09SDavid van Moolenbroek dns_difftuple_t const * const *bp = bv;
931*00b67f09SDavid van Moolenbroek dns_difftuple_t const *a = *ap;
932*00b67f09SDavid van Moolenbroek dns_difftuple_t const *b = *bp;
933*00b67f09SDavid van Moolenbroek int r;
934*00b67f09SDavid van Moolenbroek r = dns_name_compare(&a->name, &b->name);
935*00b67f09SDavid van Moolenbroek if (r != 0)
936*00b67f09SDavid van Moolenbroek return (r);
937*00b67f09SDavid van Moolenbroek r = (b->rdata.type - a->rdata.type);
938*00b67f09SDavid van Moolenbroek if (r != 0)
939*00b67f09SDavid van Moolenbroek return (r);
940*00b67f09SDavid van Moolenbroek r = dns_rdata_casecompare(&a->rdata, &b->rdata);
941*00b67f09SDavid van Moolenbroek return (r);
942*00b67f09SDavid van Moolenbroek }
943*00b67f09SDavid van Moolenbroek
944*00b67f09SDavid van Moolenbroek /*%
945*00b67f09SDavid van Moolenbroek * Check the "RRset exists (value dependent)" prerequisite information
946*00b67f09SDavid van Moolenbroek * in 'temp' against the contents of the database 'db'.
947*00b67f09SDavid van Moolenbroek *
948*00b67f09SDavid van Moolenbroek * Return ISC_R_SUCCESS if the prerequisites are satisfied,
949*00b67f09SDavid van Moolenbroek * rcode(dns_rcode_nxrrset) if not.
950*00b67f09SDavid van Moolenbroek *
951*00b67f09SDavid van Moolenbroek * 'temp' must be pre-sorted.
952*00b67f09SDavid van Moolenbroek */
953*00b67f09SDavid van Moolenbroek
954*00b67f09SDavid van Moolenbroek static isc_result_t
temp_check(isc_mem_t * mctx,dns_diff_t * temp,dns_db_t * db,dns_dbversion_t * ver,dns_name_t * tmpname,dns_rdatatype_t * typep)955*00b67f09SDavid van Moolenbroek temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
956*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
957*00b67f09SDavid van Moolenbroek {
958*00b67f09SDavid van Moolenbroek isc_result_t result;
959*00b67f09SDavid van Moolenbroek dns_name_t *name;
960*00b67f09SDavid van Moolenbroek dns_dbnode_t *node;
961*00b67f09SDavid van Moolenbroek dns_difftuple_t *t;
962*00b67f09SDavid van Moolenbroek dns_diff_t trash;
963*00b67f09SDavid van Moolenbroek
964*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &trash);
965*00b67f09SDavid van Moolenbroek
966*00b67f09SDavid van Moolenbroek /*
967*00b67f09SDavid van Moolenbroek * For each name and type in the prerequisites,
968*00b67f09SDavid van Moolenbroek * construct a sorted rdata list of the corresponding
969*00b67f09SDavid van Moolenbroek * database contents, and compare the lists.
970*00b67f09SDavid van Moolenbroek */
971*00b67f09SDavid van Moolenbroek t = ISC_LIST_HEAD(temp->tuples);
972*00b67f09SDavid van Moolenbroek while (t != NULL) {
973*00b67f09SDavid van Moolenbroek name = &t->name;
974*00b67f09SDavid van Moolenbroek (void)dns_name_copy(name, tmpname, NULL);
975*00b67f09SDavid van Moolenbroek *typep = t->rdata.type;
976*00b67f09SDavid van Moolenbroek
977*00b67f09SDavid van Moolenbroek /* A new unique name begins here. */
978*00b67f09SDavid van Moolenbroek node = NULL;
979*00b67f09SDavid van Moolenbroek result = dns_db_findnode(db, name, ISC_FALSE, &node);
980*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND) {
981*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
982*00b67f09SDavid van Moolenbroek return (DNS_R_NXRRSET);
983*00b67f09SDavid van Moolenbroek }
984*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
985*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
986*00b67f09SDavid van Moolenbroek return (result);
987*00b67f09SDavid van Moolenbroek }
988*00b67f09SDavid van Moolenbroek
989*00b67f09SDavid van Moolenbroek /* A new unique type begins here. */
990*00b67f09SDavid van Moolenbroek while (t != NULL && dns_name_equal(&t->name, name)) {
991*00b67f09SDavid van Moolenbroek dns_rdatatype_t type, covers;
992*00b67f09SDavid van Moolenbroek dns_rdataset_t rdataset;
993*00b67f09SDavid van Moolenbroek dns_diff_t d_rrs; /* Database RRs with
994*00b67f09SDavid van Moolenbroek this name and type */
995*00b67f09SDavid van Moolenbroek dns_diff_t u_rrs; /* Update RRs with
996*00b67f09SDavid van Moolenbroek this name and type */
997*00b67f09SDavid van Moolenbroek
998*00b67f09SDavid van Moolenbroek *typep = type = t->rdata.type;
999*00b67f09SDavid van Moolenbroek if (type == dns_rdatatype_rrsig ||
1000*00b67f09SDavid van Moolenbroek type == dns_rdatatype_sig)
1001*00b67f09SDavid van Moolenbroek covers = dns_rdata_covers(&t->rdata);
1002*00b67f09SDavid van Moolenbroek else if (type == dns_rdatatype_any) {
1003*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1004*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
1005*00b67f09SDavid van Moolenbroek return (DNS_R_NXRRSET);
1006*00b67f09SDavid van Moolenbroek } else
1007*00b67f09SDavid van Moolenbroek covers = 0;
1008*00b67f09SDavid van Moolenbroek
1009*00b67f09SDavid van Moolenbroek /*
1010*00b67f09SDavid van Moolenbroek * Collect all database RRs for this name and type
1011*00b67f09SDavid van Moolenbroek * onto d_rrs and sort them.
1012*00b67f09SDavid van Moolenbroek */
1013*00b67f09SDavid van Moolenbroek dns_rdataset_init(&rdataset);
1014*00b67f09SDavid van Moolenbroek result = dns_db_findrdataset(db, node, ver, type,
1015*00b67f09SDavid van Moolenbroek covers, (isc_stdtime_t) 0,
1016*00b67f09SDavid van Moolenbroek &rdataset, NULL);
1017*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1018*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1019*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
1020*00b67f09SDavid van Moolenbroek return (DNS_R_NXRRSET);
1021*00b67f09SDavid van Moolenbroek }
1022*00b67f09SDavid van Moolenbroek
1023*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &d_rrs);
1024*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &u_rrs);
1025*00b67f09SDavid van Moolenbroek
1026*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(&rdataset);
1027*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
1028*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(&rdataset))
1029*00b67f09SDavid van Moolenbroek {
1030*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
1031*00b67f09SDavid van Moolenbroek dns_rdataset_current(&rdataset, &rdata);
1032*00b67f09SDavid van Moolenbroek result = temp_append(&d_rrs, name, &rdata);
1033*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1034*00b67f09SDavid van Moolenbroek goto failure;
1035*00b67f09SDavid van Moolenbroek }
1036*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
1037*00b67f09SDavid van Moolenbroek goto failure;
1038*00b67f09SDavid van Moolenbroek result = dns_diff_sort(&d_rrs, temp_order);
1039*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1040*00b67f09SDavid van Moolenbroek goto failure;
1041*00b67f09SDavid van Moolenbroek
1042*00b67f09SDavid van Moolenbroek /*
1043*00b67f09SDavid van Moolenbroek * Collect all update RRs for this name and type
1044*00b67f09SDavid van Moolenbroek * onto u_rrs. No need to sort them here -
1045*00b67f09SDavid van Moolenbroek * they are already sorted.
1046*00b67f09SDavid van Moolenbroek */
1047*00b67f09SDavid van Moolenbroek while (t != NULL &&
1048*00b67f09SDavid van Moolenbroek dns_name_equal(&t->name, name) &&
1049*00b67f09SDavid van Moolenbroek t->rdata.type == type)
1050*00b67f09SDavid van Moolenbroek {
1051*00b67f09SDavid van Moolenbroek dns_difftuple_t *next =
1052*00b67f09SDavid van Moolenbroek ISC_LIST_NEXT(t, link);
1053*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp->tuples, t, link);
1054*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(u_rrs.tuples, t, link);
1055*00b67f09SDavid van Moolenbroek t = next;
1056*00b67f09SDavid van Moolenbroek }
1057*00b67f09SDavid van Moolenbroek
1058*00b67f09SDavid van Moolenbroek /* Compare the two sorted lists. */
1059*00b67f09SDavid van Moolenbroek result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
1060*00b67f09SDavid van Moolenbroek ISC_LIST_HEAD(d_rrs.tuples));
1061*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1062*00b67f09SDavid van Moolenbroek goto failure;
1063*00b67f09SDavid van Moolenbroek
1064*00b67f09SDavid van Moolenbroek /*
1065*00b67f09SDavid van Moolenbroek * We are done with the tuples, but we can't free
1066*00b67f09SDavid van Moolenbroek * them yet because "name" still points into one
1067*00b67f09SDavid van Moolenbroek * of them. Move them on a temporary list.
1068*00b67f09SDavid van Moolenbroek */
1069*00b67f09SDavid van Moolenbroek ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
1070*00b67f09SDavid van Moolenbroek ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
1071*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
1072*00b67f09SDavid van Moolenbroek
1073*00b67f09SDavid van Moolenbroek continue;
1074*00b67f09SDavid van Moolenbroek
1075*00b67f09SDavid van Moolenbroek failure:
1076*00b67f09SDavid van Moolenbroek dns_diff_clear(&d_rrs);
1077*00b67f09SDavid van Moolenbroek dns_diff_clear(&u_rrs);
1078*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
1079*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
1080*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1081*00b67f09SDavid van Moolenbroek return (result);
1082*00b67f09SDavid van Moolenbroek }
1083*00b67f09SDavid van Moolenbroek
1084*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1085*00b67f09SDavid van Moolenbroek }
1086*00b67f09SDavid van Moolenbroek
1087*00b67f09SDavid van Moolenbroek dns_diff_clear(&trash);
1088*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1089*00b67f09SDavid van Moolenbroek }
1090*00b67f09SDavid van Moolenbroek
1091*00b67f09SDavid van Moolenbroek /**************************************************************************/
1092*00b67f09SDavid van Moolenbroek /*
1093*00b67f09SDavid van Moolenbroek * Conditional deletion of RRs.
1094*00b67f09SDavid van Moolenbroek */
1095*00b67f09SDavid van Moolenbroek
1096*00b67f09SDavid van Moolenbroek /*%
1097*00b67f09SDavid van Moolenbroek * Context structure for delete_if().
1098*00b67f09SDavid van Moolenbroek */
1099*00b67f09SDavid van Moolenbroek
1100*00b67f09SDavid van Moolenbroek typedef struct {
1101*00b67f09SDavid van Moolenbroek rr_predicate *predicate;
1102*00b67f09SDavid van Moolenbroek dns_db_t *db;
1103*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver;
1104*00b67f09SDavid van Moolenbroek dns_diff_t *diff;
1105*00b67f09SDavid van Moolenbroek dns_name_t *name;
1106*00b67f09SDavid van Moolenbroek dns_rdata_t *update_rr;
1107*00b67f09SDavid van Moolenbroek } conditional_delete_ctx_t;
1108*00b67f09SDavid van Moolenbroek
1109*00b67f09SDavid van Moolenbroek /*%
1110*00b67f09SDavid van Moolenbroek * Predicate functions for delete_if().
1111*00b67f09SDavid van Moolenbroek */
1112*00b67f09SDavid van Moolenbroek
1113*00b67f09SDavid van Moolenbroek /*%
1114*00b67f09SDavid van Moolenbroek * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
1115*00b67f09SDavid van Moolenbroek * an RRSIG nor an NSEC3PARAM nor a NSEC.
1116*00b67f09SDavid van Moolenbroek */
1117*00b67f09SDavid van Moolenbroek static isc_boolean_t
type_not_soa_nor_ns_p(dns_rdata_t * update_rr,dns_rdata_t * db_rr)1118*00b67f09SDavid van Moolenbroek type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1119*00b67f09SDavid van Moolenbroek UNUSED(update_rr);
1120*00b67f09SDavid van Moolenbroek return ((db_rr->type != dns_rdatatype_soa &&
1121*00b67f09SDavid van Moolenbroek db_rr->type != dns_rdatatype_ns &&
1122*00b67f09SDavid van Moolenbroek db_rr->type != dns_rdatatype_nsec3param &&
1123*00b67f09SDavid van Moolenbroek db_rr->type != dns_rdatatype_rrsig &&
1124*00b67f09SDavid van Moolenbroek db_rr->type != dns_rdatatype_nsec) ?
1125*00b67f09SDavid van Moolenbroek ISC_TRUE : ISC_FALSE);
1126*00b67f09SDavid van Moolenbroek }
1127*00b67f09SDavid van Moolenbroek
1128*00b67f09SDavid van Moolenbroek /*%
1129*00b67f09SDavid van Moolenbroek * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
1130*00b67f09SDavid van Moolenbroek */
1131*00b67f09SDavid van Moolenbroek static isc_boolean_t
type_not_dnssec(dns_rdata_t * update_rr,dns_rdata_t * db_rr)1132*00b67f09SDavid van Moolenbroek type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1133*00b67f09SDavid van Moolenbroek UNUSED(update_rr);
1134*00b67f09SDavid van Moolenbroek return ((db_rr->type != dns_rdatatype_rrsig &&
1135*00b67f09SDavid van Moolenbroek db_rr->type != dns_rdatatype_nsec) ?
1136*00b67f09SDavid van Moolenbroek ISC_TRUE : ISC_FALSE);
1137*00b67f09SDavid van Moolenbroek }
1138*00b67f09SDavid van Moolenbroek
1139*00b67f09SDavid van Moolenbroek /*%
1140*00b67f09SDavid van Moolenbroek * Return true always.
1141*00b67f09SDavid van Moolenbroek */
1142*00b67f09SDavid van Moolenbroek static isc_boolean_t
true_p(dns_rdata_t * update_rr,dns_rdata_t * db_rr)1143*00b67f09SDavid van Moolenbroek true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1144*00b67f09SDavid van Moolenbroek UNUSED(update_rr);
1145*00b67f09SDavid van Moolenbroek UNUSED(db_rr);
1146*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1147*00b67f09SDavid van Moolenbroek }
1148*00b67f09SDavid van Moolenbroek
1149*00b67f09SDavid van Moolenbroek /*%
1150*00b67f09SDavid van Moolenbroek * Return true iff the two RRs have identical rdata.
1151*00b67f09SDavid van Moolenbroek */
1152*00b67f09SDavid van Moolenbroek static isc_boolean_t
rr_equal_p(dns_rdata_t * update_rr,dns_rdata_t * db_rr)1153*00b67f09SDavid van Moolenbroek rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1154*00b67f09SDavid van Moolenbroek /*
1155*00b67f09SDavid van Moolenbroek * XXXRTH This is not a problem, but we should consider creating
1156*00b67f09SDavid van Moolenbroek * dns_rdata_equal() (that used dns_name_equal()), since it
1157*00b67f09SDavid van Moolenbroek * would be faster. Not a priority.
1158*00b67f09SDavid van Moolenbroek */
1159*00b67f09SDavid van Moolenbroek return (dns_rdata_casecompare(update_rr, db_rr) == 0 ?
1160*00b67f09SDavid van Moolenbroek ISC_TRUE : ISC_FALSE);
1161*00b67f09SDavid van Moolenbroek }
1162*00b67f09SDavid van Moolenbroek
1163*00b67f09SDavid van Moolenbroek /*%
1164*00b67f09SDavid van Moolenbroek * Return true iff 'update_rr' should replace 'db_rr' according
1165*00b67f09SDavid van Moolenbroek * to the special RFC2136 rules for CNAME, SOA, and WKS records.
1166*00b67f09SDavid van Moolenbroek *
1167*00b67f09SDavid van Moolenbroek * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
1168*00b67f09SDavid van Moolenbroek * make little sense, so we replace those, too.
1169*00b67f09SDavid van Moolenbroek *
1170*00b67f09SDavid van Moolenbroek * Additionally replace RRSIG that have been generated by the same key
1171*00b67f09SDavid van Moolenbroek * for the same type. This simplifies refreshing a offline KSK by not
1172*00b67f09SDavid van Moolenbroek * requiring that the old RRSIG be deleted. It also simplifies key
1173*00b67f09SDavid van Moolenbroek * rollover by only requiring that the new RRSIG be added.
1174*00b67f09SDavid van Moolenbroek */
1175*00b67f09SDavid van Moolenbroek static isc_boolean_t
replaces_p(dns_rdata_t * update_rr,dns_rdata_t * db_rr)1176*00b67f09SDavid van Moolenbroek replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1177*00b67f09SDavid van Moolenbroek dns_rdata_rrsig_t updatesig, dbsig;
1178*00b67f09SDavid van Moolenbroek isc_result_t result;
1179*00b67f09SDavid van Moolenbroek
1180*00b67f09SDavid van Moolenbroek if (db_rr->type != update_rr->type)
1181*00b67f09SDavid van Moolenbroek return (ISC_FALSE);
1182*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_cname)
1183*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1184*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_dname)
1185*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1186*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_soa)
1187*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1188*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_nsec)
1189*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1190*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_rrsig) {
1191*00b67f09SDavid van Moolenbroek /*
1192*00b67f09SDavid van Moolenbroek * Replace existing RRSIG with the same keyid,
1193*00b67f09SDavid van Moolenbroek * covered and algorithm.
1194*00b67f09SDavid van Moolenbroek */
1195*00b67f09SDavid van Moolenbroek result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
1196*00b67f09SDavid van Moolenbroek RUNTIME_CHECK(result == ISC_R_SUCCESS);
1197*00b67f09SDavid van Moolenbroek result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
1198*00b67f09SDavid van Moolenbroek RUNTIME_CHECK(result == ISC_R_SUCCESS);
1199*00b67f09SDavid van Moolenbroek if (dbsig.keyid == updatesig.keyid &&
1200*00b67f09SDavid van Moolenbroek dbsig.covered == updatesig.covered &&
1201*00b67f09SDavid van Moolenbroek dbsig.algorithm == updatesig.algorithm)
1202*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1203*00b67f09SDavid van Moolenbroek }
1204*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_wks) {
1205*00b67f09SDavid van Moolenbroek /*
1206*00b67f09SDavid van Moolenbroek * Compare the address and protocol fields only. These
1207*00b67f09SDavid van Moolenbroek * form the first five bytes of the RR data. Do a
1208*00b67f09SDavid van Moolenbroek * raw binary comparison; unpacking the WKS RRs using
1209*00b67f09SDavid van Moolenbroek * dns_rdata_tostruct() might be cleaner in some ways.
1210*00b67f09SDavid van Moolenbroek */
1211*00b67f09SDavid van Moolenbroek INSIST(db_rr->length >= 5 && update_rr->length >= 5);
1212*00b67f09SDavid van Moolenbroek return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
1213*00b67f09SDavid van Moolenbroek ISC_TRUE : ISC_FALSE);
1214*00b67f09SDavid van Moolenbroek }
1215*00b67f09SDavid van Moolenbroek
1216*00b67f09SDavid van Moolenbroek if (db_rr->type == dns_rdatatype_nsec3param) {
1217*00b67f09SDavid van Moolenbroek if (db_rr->length != update_rr->length)
1218*00b67f09SDavid van Moolenbroek return (ISC_FALSE);
1219*00b67f09SDavid van Moolenbroek INSIST(db_rr->length >= 4 && update_rr->length >= 4);
1220*00b67f09SDavid van Moolenbroek /*
1221*00b67f09SDavid van Moolenbroek * Replace NSEC3PARAM records that only differ by the
1222*00b67f09SDavid van Moolenbroek * flags field.
1223*00b67f09SDavid van Moolenbroek */
1224*00b67f09SDavid van Moolenbroek if (db_rr->data[0] == update_rr->data[0] &&
1225*00b67f09SDavid van Moolenbroek memcmp(db_rr->data+2, update_rr->data+2,
1226*00b67f09SDavid van Moolenbroek update_rr->length - 2) == 0)
1227*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
1228*00b67f09SDavid van Moolenbroek }
1229*00b67f09SDavid van Moolenbroek return (ISC_FALSE);
1230*00b67f09SDavid van Moolenbroek }
1231*00b67f09SDavid van Moolenbroek
1232*00b67f09SDavid van Moolenbroek /*%
1233*00b67f09SDavid van Moolenbroek * Internal helper function for delete_if().
1234*00b67f09SDavid van Moolenbroek */
1235*00b67f09SDavid van Moolenbroek static isc_result_t
delete_if_action(void * data,rr_t * rr)1236*00b67f09SDavid van Moolenbroek delete_if_action(void *data, rr_t *rr) {
1237*00b67f09SDavid van Moolenbroek conditional_delete_ctx_t *ctx = data;
1238*00b67f09SDavid van Moolenbroek if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
1239*00b67f09SDavid van Moolenbroek isc_result_t result;
1240*00b67f09SDavid van Moolenbroek result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
1241*00b67f09SDavid van Moolenbroek DNS_DIFFOP_DEL, ctx->name,
1242*00b67f09SDavid van Moolenbroek rr->ttl, &rr->rdata);
1243*00b67f09SDavid van Moolenbroek return (result);
1244*00b67f09SDavid van Moolenbroek } else {
1245*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1246*00b67f09SDavid van Moolenbroek }
1247*00b67f09SDavid van Moolenbroek }
1248*00b67f09SDavid van Moolenbroek
1249*00b67f09SDavid van Moolenbroek /*%
1250*00b67f09SDavid van Moolenbroek * Conditionally delete RRs. Apply 'predicate' to the RRs
1251*00b67f09SDavid van Moolenbroek * specified by 'db', 'ver', 'name', and 'type' (which can
1252*00b67f09SDavid van Moolenbroek * be dns_rdatatype_any to match any type). Delete those
1253*00b67f09SDavid van Moolenbroek * RRs for which the predicate returns true, and log the
1254*00b67f09SDavid van Moolenbroek * deletions in 'diff'.
1255*00b67f09SDavid van Moolenbroek */
1256*00b67f09SDavid van Moolenbroek static isc_result_t
delete_if(rr_predicate * predicate,dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,dns_rdatatype_t type,dns_rdatatype_t covers,dns_rdata_t * update_rr,dns_diff_t * diff)1257*00b67f09SDavid van Moolenbroek delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
1258*00b67f09SDavid van Moolenbroek dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
1259*00b67f09SDavid van Moolenbroek dns_rdata_t *update_rr, dns_diff_t *diff)
1260*00b67f09SDavid van Moolenbroek {
1261*00b67f09SDavid van Moolenbroek conditional_delete_ctx_t ctx;
1262*00b67f09SDavid van Moolenbroek ctx.predicate = predicate;
1263*00b67f09SDavid van Moolenbroek ctx.db = db;
1264*00b67f09SDavid van Moolenbroek ctx.ver = ver;
1265*00b67f09SDavid van Moolenbroek ctx.diff = diff;
1266*00b67f09SDavid van Moolenbroek ctx.name = name;
1267*00b67f09SDavid van Moolenbroek ctx.update_rr = update_rr;
1268*00b67f09SDavid van Moolenbroek return (foreach_rr(db, ver, name, type, covers,
1269*00b67f09SDavid van Moolenbroek delete_if_action, &ctx));
1270*00b67f09SDavid van Moolenbroek }
1271*00b67f09SDavid van Moolenbroek
1272*00b67f09SDavid van Moolenbroek /**************************************************************************/
1273*00b67f09SDavid van Moolenbroek /*%
1274*00b67f09SDavid van Moolenbroek * Prepare an RR for the addition of the new RR 'ctx->update_rr',
1275*00b67f09SDavid van Moolenbroek * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
1276*00b67f09SDavid van Moolenbroek * the RRs if it is replaced by the new RR or has a conflicting TTL.
1277*00b67f09SDavid van Moolenbroek * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
1278*00b67f09SDavid van Moolenbroek * we need to do all deletions before any additions so that we don't run
1279*00b67f09SDavid van Moolenbroek * into transient states with conflicting TTLs.
1280*00b67f09SDavid van Moolenbroek */
1281*00b67f09SDavid van Moolenbroek
1282*00b67f09SDavid van Moolenbroek typedef struct {
1283*00b67f09SDavid van Moolenbroek dns_db_t *db;
1284*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver;
1285*00b67f09SDavid van Moolenbroek dns_diff_t *diff;
1286*00b67f09SDavid van Moolenbroek dns_name_t *name;
1287*00b67f09SDavid van Moolenbroek dns_rdata_t *update_rr;
1288*00b67f09SDavid van Moolenbroek dns_ttl_t update_rr_ttl;
1289*00b67f09SDavid van Moolenbroek isc_boolean_t ignore_add;
1290*00b67f09SDavid van Moolenbroek dns_diff_t del_diff;
1291*00b67f09SDavid van Moolenbroek dns_diff_t add_diff;
1292*00b67f09SDavid van Moolenbroek } add_rr_prepare_ctx_t;
1293*00b67f09SDavid van Moolenbroek
1294*00b67f09SDavid van Moolenbroek static isc_result_t
add_rr_prepare_action(void * data,rr_t * rr)1295*00b67f09SDavid van Moolenbroek add_rr_prepare_action(void *data, rr_t *rr) {
1296*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_SUCCESS;
1297*00b67f09SDavid van Moolenbroek add_rr_prepare_ctx_t *ctx = data;
1298*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple = NULL;
1299*00b67f09SDavid van Moolenbroek isc_boolean_t equal;
1300*00b67f09SDavid van Moolenbroek
1301*00b67f09SDavid van Moolenbroek /*
1302*00b67f09SDavid van Moolenbroek * If the update RR is a "duplicate" of the update RR,
1303*00b67f09SDavid van Moolenbroek * the update should be silently ignored.
1304*00b67f09SDavid van Moolenbroek */
1305*00b67f09SDavid van Moolenbroek equal = ISC_TF(dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0);
1306*00b67f09SDavid van Moolenbroek if (equal && rr->ttl == ctx->update_rr_ttl) {
1307*00b67f09SDavid van Moolenbroek ctx->ignore_add = ISC_TRUE;
1308*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1309*00b67f09SDavid van Moolenbroek }
1310*00b67f09SDavid van Moolenbroek
1311*00b67f09SDavid van Moolenbroek /*
1312*00b67f09SDavid van Moolenbroek * If this RR is "equal" to the update RR, it should
1313*00b67f09SDavid van Moolenbroek * be deleted before the update RR is added.
1314*00b67f09SDavid van Moolenbroek */
1315*00b67f09SDavid van Moolenbroek if (replaces_p(ctx->update_rr, &rr->rdata)) {
1316*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1317*00b67f09SDavid van Moolenbroek ctx->name, rr->ttl, &rr->rdata,
1318*00b67f09SDavid van Moolenbroek &tuple));
1319*00b67f09SDavid van Moolenbroek dns_diff_append(&ctx->del_diff, &tuple);
1320*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1321*00b67f09SDavid van Moolenbroek }
1322*00b67f09SDavid van Moolenbroek
1323*00b67f09SDavid van Moolenbroek /*
1324*00b67f09SDavid van Moolenbroek * If this RR differs in TTL from the update RR,
1325*00b67f09SDavid van Moolenbroek * its TTL must be adjusted.
1326*00b67f09SDavid van Moolenbroek */
1327*00b67f09SDavid van Moolenbroek if (rr->ttl != ctx->update_rr_ttl) {
1328*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1329*00b67f09SDavid van Moolenbroek ctx->name, rr->ttl, &rr->rdata,
1330*00b67f09SDavid van Moolenbroek &tuple));
1331*00b67f09SDavid van Moolenbroek dns_diff_append(&ctx->del_diff, &tuple);
1332*00b67f09SDavid van Moolenbroek if (!equal) {
1333*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(ctx->add_diff.mctx,
1334*00b67f09SDavid van Moolenbroek DNS_DIFFOP_ADD, ctx->name,
1335*00b67f09SDavid van Moolenbroek ctx->update_rr_ttl,
1336*00b67f09SDavid van Moolenbroek &rr->rdata, &tuple));
1337*00b67f09SDavid van Moolenbroek dns_diff_append(&ctx->add_diff, &tuple);
1338*00b67f09SDavid van Moolenbroek }
1339*00b67f09SDavid van Moolenbroek }
1340*00b67f09SDavid van Moolenbroek failure:
1341*00b67f09SDavid van Moolenbroek return (result);
1342*00b67f09SDavid van Moolenbroek }
1343*00b67f09SDavid van Moolenbroek
1344*00b67f09SDavid van Moolenbroek /**************************************************************************/
1345*00b67f09SDavid van Moolenbroek /*
1346*00b67f09SDavid van Moolenbroek * Miscellaneous subroutines.
1347*00b67f09SDavid van Moolenbroek */
1348*00b67f09SDavid van Moolenbroek
1349*00b67f09SDavid van Moolenbroek /*%
1350*00b67f09SDavid van Moolenbroek * Extract a single update RR from 'section' of dynamic update message
1351*00b67f09SDavid van Moolenbroek * 'msg', with consistency checking.
1352*00b67f09SDavid van Moolenbroek *
1353*00b67f09SDavid van Moolenbroek * Stores the owner name, rdata, and TTL of the update RR at 'name',
1354*00b67f09SDavid van Moolenbroek * 'rdata', and 'ttl', respectively.
1355*00b67f09SDavid van Moolenbroek */
1356*00b67f09SDavid van Moolenbroek static void
get_current_rr(dns_message_t * msg,dns_section_t section,dns_rdataclass_t zoneclass,dns_name_t ** name,dns_rdata_t * rdata,dns_rdatatype_t * covers,dns_ttl_t * ttl,dns_rdataclass_t * update_class)1357*00b67f09SDavid van Moolenbroek get_current_rr(dns_message_t *msg, dns_section_t section,
1358*00b67f09SDavid van Moolenbroek dns_rdataclass_t zoneclass, dns_name_t **name,
1359*00b67f09SDavid van Moolenbroek dns_rdata_t *rdata, dns_rdatatype_t *covers,
1360*00b67f09SDavid van Moolenbroek dns_ttl_t *ttl, dns_rdataclass_t *update_class)
1361*00b67f09SDavid van Moolenbroek {
1362*00b67f09SDavid van Moolenbroek dns_rdataset_t *rdataset;
1363*00b67f09SDavid van Moolenbroek isc_result_t result;
1364*00b67f09SDavid van Moolenbroek dns_message_currentname(msg, section, name);
1365*00b67f09SDavid van Moolenbroek rdataset = ISC_LIST_HEAD((*name)->list);
1366*00b67f09SDavid van Moolenbroek INSIST(rdataset != NULL);
1367*00b67f09SDavid van Moolenbroek INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
1368*00b67f09SDavid van Moolenbroek *covers = rdataset->covers;
1369*00b67f09SDavid van Moolenbroek *ttl = rdataset->ttl;
1370*00b67f09SDavid van Moolenbroek result = dns_rdataset_first(rdataset);
1371*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
1372*00b67f09SDavid van Moolenbroek dns_rdataset_current(rdataset, rdata);
1373*00b67f09SDavid van Moolenbroek INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
1374*00b67f09SDavid van Moolenbroek *update_class = rdata->rdclass;
1375*00b67f09SDavid van Moolenbroek rdata->rdclass = zoneclass;
1376*00b67f09SDavid van Moolenbroek }
1377*00b67f09SDavid van Moolenbroek
1378*00b67f09SDavid van Moolenbroek /*%
1379*00b67f09SDavid van Moolenbroek * Increment the SOA serial number of database 'db', version 'ver'.
1380*00b67f09SDavid van Moolenbroek * Replace the SOA record in the database, and log the
1381*00b67f09SDavid van Moolenbroek * change in 'diff'.
1382*00b67f09SDavid van Moolenbroek */
1383*00b67f09SDavid van Moolenbroek
1384*00b67f09SDavid van Moolenbroek /*
1385*00b67f09SDavid van Moolenbroek * XXXRTH Failures in this routine will be worth logging, when
1386*00b67f09SDavid van Moolenbroek * we have a logging system. Failure to find the zonename
1387*00b67f09SDavid van Moolenbroek * or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
1388*00b67f09SDavid van Moolenbroek */
1389*00b67f09SDavid van Moolenbroek
1390*00b67f09SDavid van Moolenbroek static isc_result_t
update_soa_serial(dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff,isc_mem_t * mctx,dns_updatemethod_t method)1391*00b67f09SDavid van Moolenbroek update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
1392*00b67f09SDavid van Moolenbroek isc_mem_t *mctx, dns_updatemethod_t method)
1393*00b67f09SDavid van Moolenbroek {
1394*00b67f09SDavid van Moolenbroek dns_difftuple_t *deltuple = NULL;
1395*00b67f09SDavid van Moolenbroek dns_difftuple_t *addtuple = NULL;
1396*00b67f09SDavid van Moolenbroek isc_uint32_t serial;
1397*00b67f09SDavid van Moolenbroek isc_result_t result;
1398*00b67f09SDavid van Moolenbroek
1399*00b67f09SDavid van Moolenbroek CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
1400*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_copy(deltuple, &addtuple));
1401*00b67f09SDavid van Moolenbroek addtuple->op = DNS_DIFFOP_ADD;
1402*00b67f09SDavid van Moolenbroek
1403*00b67f09SDavid van Moolenbroek serial = dns_soa_getserial(&addtuple->rdata);
1404*00b67f09SDavid van Moolenbroek serial = dns_update_soaserial(serial, method);
1405*00b67f09SDavid van Moolenbroek dns_soa_setserial(serial, &addtuple->rdata);
1406*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&deltuple, db, ver, diff));
1407*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&addtuple, db, ver, diff));
1408*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1409*00b67f09SDavid van Moolenbroek
1410*00b67f09SDavid van Moolenbroek failure:
1411*00b67f09SDavid van Moolenbroek if (addtuple != NULL)
1412*00b67f09SDavid van Moolenbroek dns_difftuple_free(&addtuple);
1413*00b67f09SDavid van Moolenbroek if (deltuple != NULL)
1414*00b67f09SDavid van Moolenbroek dns_difftuple_free(&deltuple);
1415*00b67f09SDavid van Moolenbroek return (result);
1416*00b67f09SDavid van Moolenbroek }
1417*00b67f09SDavid van Moolenbroek
1418*00b67f09SDavid van Moolenbroek /*%
1419*00b67f09SDavid van Moolenbroek * Check that the new SOA record at 'update_rdata' does not
1420*00b67f09SDavid van Moolenbroek * illegally cause the SOA serial number to decrease or stay
1421*00b67f09SDavid van Moolenbroek * unchanged relative to the existing SOA in 'db'.
1422*00b67f09SDavid van Moolenbroek *
1423*00b67f09SDavid van Moolenbroek * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
1424*00b67f09SDavid van Moolenbroek *
1425*00b67f09SDavid van Moolenbroek * William King points out that RFC2136 is inconsistent about
1426*00b67f09SDavid van Moolenbroek * the case where the serial number stays unchanged:
1427*00b67f09SDavid van Moolenbroek *
1428*00b67f09SDavid van Moolenbroek * section 3.4.2.2 requires a server to ignore a SOA update request
1429*00b67f09SDavid van Moolenbroek * if the serial number on the update SOA is less_than_or_equal to
1430*00b67f09SDavid van Moolenbroek * the zone SOA serial.
1431*00b67f09SDavid van Moolenbroek *
1432*00b67f09SDavid van Moolenbroek * section 3.6 requires a server to ignore a SOA update request if
1433*00b67f09SDavid van Moolenbroek * the serial is less_than the zone SOA serial.
1434*00b67f09SDavid van Moolenbroek *
1435*00b67f09SDavid van Moolenbroek * Paul says 3.4.2.2 is correct.
1436*00b67f09SDavid van Moolenbroek *
1437*00b67f09SDavid van Moolenbroek */
1438*00b67f09SDavid van Moolenbroek static isc_result_t
check_soa_increment(dns_db_t * db,dns_dbversion_t * ver,dns_rdata_t * update_rdata,isc_boolean_t * ok)1439*00b67f09SDavid van Moolenbroek check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
1440*00b67f09SDavid van Moolenbroek dns_rdata_t *update_rdata, isc_boolean_t *ok)
1441*00b67f09SDavid van Moolenbroek {
1442*00b67f09SDavid van Moolenbroek isc_uint32_t db_serial;
1443*00b67f09SDavid van Moolenbroek isc_uint32_t update_serial;
1444*00b67f09SDavid van Moolenbroek isc_result_t result;
1445*00b67f09SDavid van Moolenbroek
1446*00b67f09SDavid van Moolenbroek update_serial = dns_soa_getserial(update_rdata);
1447*00b67f09SDavid van Moolenbroek
1448*00b67f09SDavid van Moolenbroek result = dns_db_getsoaserial(db, ver, &db_serial);
1449*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1450*00b67f09SDavid van Moolenbroek return (result);
1451*00b67f09SDavid van Moolenbroek
1452*00b67f09SDavid van Moolenbroek if (DNS_SERIAL_GE(db_serial, update_serial)) {
1453*00b67f09SDavid van Moolenbroek *ok = ISC_FALSE;
1454*00b67f09SDavid van Moolenbroek } else {
1455*00b67f09SDavid van Moolenbroek *ok = ISC_TRUE;
1456*00b67f09SDavid van Moolenbroek }
1457*00b67f09SDavid van Moolenbroek
1458*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1459*00b67f09SDavid van Moolenbroek
1460*00b67f09SDavid van Moolenbroek }
1461*00b67f09SDavid van Moolenbroek
1462*00b67f09SDavid van Moolenbroek /**************************************************************************/
1463*00b67f09SDavid van Moolenbroek /*%
1464*00b67f09SDavid van Moolenbroek * The actual update code in all its glory. We try to follow
1465*00b67f09SDavid van Moolenbroek * the RFC2136 pseudocode as closely as possible.
1466*00b67f09SDavid van Moolenbroek */
1467*00b67f09SDavid van Moolenbroek
1468*00b67f09SDavid van Moolenbroek static isc_result_t
send_update_event(ns_client_t * client,dns_zone_t * zone)1469*00b67f09SDavid van Moolenbroek send_update_event(ns_client_t *client, dns_zone_t *zone) {
1470*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_SUCCESS;
1471*00b67f09SDavid van Moolenbroek update_event_t *event = NULL;
1472*00b67f09SDavid van Moolenbroek isc_task_t *zonetask = NULL;
1473*00b67f09SDavid van Moolenbroek ns_client_t *evclient;
1474*00b67f09SDavid van Moolenbroek
1475*00b67f09SDavid van Moolenbroek event = (update_event_t *)
1476*00b67f09SDavid van Moolenbroek isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
1477*00b67f09SDavid van Moolenbroek update_action, NULL, sizeof(*event));
1478*00b67f09SDavid van Moolenbroek if (event == NULL)
1479*00b67f09SDavid van Moolenbroek FAIL(ISC_R_NOMEMORY);
1480*00b67f09SDavid van Moolenbroek event->zone = zone;
1481*00b67f09SDavid van Moolenbroek event->result = ISC_R_SUCCESS;
1482*00b67f09SDavid van Moolenbroek
1483*00b67f09SDavid van Moolenbroek evclient = NULL;
1484*00b67f09SDavid van Moolenbroek ns_client_attach(client, &evclient);
1485*00b67f09SDavid van Moolenbroek INSIST(client->nupdates == 0);
1486*00b67f09SDavid van Moolenbroek client->nupdates++;
1487*00b67f09SDavid van Moolenbroek event->ev_arg = evclient;
1488*00b67f09SDavid van Moolenbroek
1489*00b67f09SDavid van Moolenbroek dns_zone_gettask(zone, &zonetask);
1490*00b67f09SDavid van Moolenbroek isc_task_send(zonetask, ISC_EVENT_PTR(&event));
1491*00b67f09SDavid van Moolenbroek
1492*00b67f09SDavid van Moolenbroek failure:
1493*00b67f09SDavid van Moolenbroek if (event != NULL)
1494*00b67f09SDavid van Moolenbroek isc_event_free(ISC_EVENT_PTR(&event));
1495*00b67f09SDavid van Moolenbroek return (result);
1496*00b67f09SDavid van Moolenbroek }
1497*00b67f09SDavid van Moolenbroek
1498*00b67f09SDavid van Moolenbroek static void
respond(ns_client_t * client,isc_result_t result)1499*00b67f09SDavid van Moolenbroek respond(ns_client_t *client, isc_result_t result) {
1500*00b67f09SDavid van Moolenbroek isc_result_t msg_result;
1501*00b67f09SDavid van Moolenbroek
1502*00b67f09SDavid van Moolenbroek msg_result = dns_message_reply(client->message, ISC_TRUE);
1503*00b67f09SDavid van Moolenbroek if (msg_result != ISC_R_SUCCESS)
1504*00b67f09SDavid van Moolenbroek goto msg_failure;
1505*00b67f09SDavid van Moolenbroek client->message->rcode = dns_result_torcode(result);
1506*00b67f09SDavid van Moolenbroek
1507*00b67f09SDavid van Moolenbroek ns_client_send(client);
1508*00b67f09SDavid van Moolenbroek return;
1509*00b67f09SDavid van Moolenbroek
1510*00b67f09SDavid van Moolenbroek msg_failure:
1511*00b67f09SDavid van Moolenbroek isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
1512*00b67f09SDavid van Moolenbroek ISC_LOG_ERROR,
1513*00b67f09SDavid van Moolenbroek "could not create update response message: %s",
1514*00b67f09SDavid van Moolenbroek isc_result_totext(msg_result));
1515*00b67f09SDavid van Moolenbroek ns_client_next(client, msg_result);
1516*00b67f09SDavid van Moolenbroek }
1517*00b67f09SDavid van Moolenbroek
1518*00b67f09SDavid van Moolenbroek void
ns_update_start(ns_client_t * client,isc_result_t sigresult)1519*00b67f09SDavid van Moolenbroek ns_update_start(ns_client_t *client, isc_result_t sigresult) {
1520*00b67f09SDavid van Moolenbroek dns_message_t *request = client->message;
1521*00b67f09SDavid van Moolenbroek isc_result_t result;
1522*00b67f09SDavid van Moolenbroek dns_name_t *zonename;
1523*00b67f09SDavid van Moolenbroek dns_rdataset_t *zone_rdataset;
1524*00b67f09SDavid van Moolenbroek dns_zone_t *zone = NULL, *raw = NULL;
1525*00b67f09SDavid van Moolenbroek
1526*00b67f09SDavid van Moolenbroek /*
1527*00b67f09SDavid van Moolenbroek * Interpret the zone section.
1528*00b67f09SDavid van Moolenbroek */
1529*00b67f09SDavid van Moolenbroek result = dns_message_firstname(request, DNS_SECTION_ZONE);
1530*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1531*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR, "update zone section empty");
1532*00b67f09SDavid van Moolenbroek
1533*00b67f09SDavid van Moolenbroek /*
1534*00b67f09SDavid van Moolenbroek * The zone section must contain exactly one "question", and
1535*00b67f09SDavid van Moolenbroek * it must be of type SOA.
1536*00b67f09SDavid van Moolenbroek */
1537*00b67f09SDavid van Moolenbroek zonename = NULL;
1538*00b67f09SDavid van Moolenbroek dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
1539*00b67f09SDavid van Moolenbroek zone_rdataset = ISC_LIST_HEAD(zonename->list);
1540*00b67f09SDavid van Moolenbroek if (zone_rdataset->type != dns_rdatatype_soa)
1541*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
1542*00b67f09SDavid van Moolenbroek "update zone section contains non-SOA");
1543*00b67f09SDavid van Moolenbroek if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
1544*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
1545*00b67f09SDavid van Moolenbroek "update zone section contains multiple RRs");
1546*00b67f09SDavid van Moolenbroek
1547*00b67f09SDavid van Moolenbroek /* The zone section must have exactly one name. */
1548*00b67f09SDavid van Moolenbroek result = dns_message_nextname(request, DNS_SECTION_ZONE);
1549*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
1550*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
1551*00b67f09SDavid van Moolenbroek "update zone section contains multiple RRs");
1552*00b67f09SDavid van Moolenbroek
1553*00b67f09SDavid van Moolenbroek result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
1554*00b67f09SDavid van Moolenbroek &zone);
1555*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1556*00b67f09SDavid van Moolenbroek FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
1557*00b67f09SDavid van Moolenbroek
1558*00b67f09SDavid van Moolenbroek /*
1559*00b67f09SDavid van Moolenbroek * If there is a raw (unsigned) zone associated with this
1560*00b67f09SDavid van Moolenbroek * zone then it processes the UPDATE request.
1561*00b67f09SDavid van Moolenbroek */
1562*00b67f09SDavid van Moolenbroek dns_zone_getraw(zone, &raw);
1563*00b67f09SDavid van Moolenbroek if (raw != NULL) {
1564*00b67f09SDavid van Moolenbroek dns_zone_detach(&zone);
1565*00b67f09SDavid van Moolenbroek dns_zone_attach(raw, &zone);
1566*00b67f09SDavid van Moolenbroek dns_zone_detach(&raw);
1567*00b67f09SDavid van Moolenbroek }
1568*00b67f09SDavid van Moolenbroek
1569*00b67f09SDavid van Moolenbroek switch(dns_zone_gettype(zone)) {
1570*00b67f09SDavid van Moolenbroek case dns_zone_master:
1571*00b67f09SDavid van Moolenbroek case dns_zone_dlz:
1572*00b67f09SDavid van Moolenbroek /*
1573*00b67f09SDavid van Moolenbroek * We can now fail due to a bad signature as we now know
1574*00b67f09SDavid van Moolenbroek * that we are the master.
1575*00b67f09SDavid van Moolenbroek */
1576*00b67f09SDavid van Moolenbroek if (sigresult != ISC_R_SUCCESS)
1577*00b67f09SDavid van Moolenbroek FAIL(sigresult);
1578*00b67f09SDavid van Moolenbroek CHECK(send_update_event(client, zone));
1579*00b67f09SDavid van Moolenbroek break;
1580*00b67f09SDavid van Moolenbroek case dns_zone_slave:
1581*00b67f09SDavid van Moolenbroek CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
1582*00b67f09SDavid van Moolenbroek "update forwarding", zonename, ISC_TRUE,
1583*00b67f09SDavid van Moolenbroek ISC_FALSE));
1584*00b67f09SDavid van Moolenbroek CHECK(send_forward_event(client, zone));
1585*00b67f09SDavid van Moolenbroek break;
1586*00b67f09SDavid van Moolenbroek default:
1587*00b67f09SDavid van Moolenbroek FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
1588*00b67f09SDavid van Moolenbroek }
1589*00b67f09SDavid van Moolenbroek return;
1590*00b67f09SDavid van Moolenbroek
1591*00b67f09SDavid van Moolenbroek failure:
1592*00b67f09SDavid van Moolenbroek if (result == DNS_R_REFUSED) {
1593*00b67f09SDavid van Moolenbroek INSIST(dns_zone_gettype(zone) == dns_zone_slave);
1594*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updaterej);
1595*00b67f09SDavid van Moolenbroek }
1596*00b67f09SDavid van Moolenbroek /*
1597*00b67f09SDavid van Moolenbroek * We failed without having sent an update event to the zone.
1598*00b67f09SDavid van Moolenbroek * We are still in the client task context, so we can
1599*00b67f09SDavid van Moolenbroek * simply give an error response without switching tasks.
1600*00b67f09SDavid van Moolenbroek */
1601*00b67f09SDavid van Moolenbroek respond(client, result);
1602*00b67f09SDavid van Moolenbroek if (zone != NULL)
1603*00b67f09SDavid van Moolenbroek dns_zone_detach(&zone);
1604*00b67f09SDavid van Moolenbroek }
1605*00b67f09SDavid van Moolenbroek
1606*00b67f09SDavid van Moolenbroek /*%
1607*00b67f09SDavid van Moolenbroek * DS records are not allowed to exist without corresponding NS records,
1608*00b67f09SDavid van Moolenbroek * RFC 3658, 2.2 Protocol Change,
1609*00b67f09SDavid van Moolenbroek * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
1610*00b67f09SDavid van Moolenbroek */
1611*00b67f09SDavid van Moolenbroek
1612*00b67f09SDavid van Moolenbroek static isc_result_t
remove_orphaned_ds(dns_db_t * db,dns_dbversion_t * newver,dns_diff_t * diff)1613*00b67f09SDavid van Moolenbroek remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
1614*00b67f09SDavid van Moolenbroek isc_result_t result;
1615*00b67f09SDavid van Moolenbroek isc_boolean_t ns_exists;
1616*00b67f09SDavid van Moolenbroek dns_difftuple_t *tupple;
1617*00b67f09SDavid van Moolenbroek dns_diff_t temp_diff;
1618*00b67f09SDavid van Moolenbroek
1619*00b67f09SDavid van Moolenbroek dns_diff_init(diff->mctx, &temp_diff);
1620*00b67f09SDavid van Moolenbroek
1621*00b67f09SDavid van Moolenbroek for (tupple = ISC_LIST_HEAD(diff->tuples);
1622*00b67f09SDavid van Moolenbroek tupple != NULL;
1623*00b67f09SDavid van Moolenbroek tupple = ISC_LIST_NEXT(tupple, link)) {
1624*00b67f09SDavid van Moolenbroek if (!((tupple->op == DNS_DIFFOP_DEL &&
1625*00b67f09SDavid van Moolenbroek tupple->rdata.type == dns_rdatatype_ns) ||
1626*00b67f09SDavid van Moolenbroek (tupple->op == DNS_DIFFOP_ADD &&
1627*00b67f09SDavid van Moolenbroek tupple->rdata.type == dns_rdatatype_ds)))
1628*00b67f09SDavid van Moolenbroek continue;
1629*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, newver, &tupple->name,
1630*00b67f09SDavid van Moolenbroek dns_rdatatype_ns, 0, &ns_exists));
1631*00b67f09SDavid van Moolenbroek if (ns_exists &&
1632*00b67f09SDavid van Moolenbroek !dns_name_equal(&tupple->name, dns_db_origin(db)))
1633*00b67f09SDavid van Moolenbroek continue;
1634*00b67f09SDavid van Moolenbroek CHECK(delete_if(true_p, db, newver, &tupple->name,
1635*00b67f09SDavid van Moolenbroek dns_rdatatype_ds, 0, NULL, &temp_diff));
1636*00b67f09SDavid van Moolenbroek }
1637*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1638*00b67f09SDavid van Moolenbroek
1639*00b67f09SDavid van Moolenbroek failure:
1640*00b67f09SDavid van Moolenbroek for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
1641*00b67f09SDavid van Moolenbroek tupple != NULL;
1642*00b67f09SDavid van Moolenbroek tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
1643*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
1644*00b67f09SDavid van Moolenbroek dns_diff_appendminimal(diff, &tupple);
1645*00b67f09SDavid van Moolenbroek }
1646*00b67f09SDavid van Moolenbroek return (result);
1647*00b67f09SDavid van Moolenbroek }
1648*00b67f09SDavid van Moolenbroek
1649*00b67f09SDavid van Moolenbroek /*
1650*00b67f09SDavid van Moolenbroek * This implements the post load integrity checks for mx records.
1651*00b67f09SDavid van Moolenbroek */
1652*00b67f09SDavid van Moolenbroek static isc_result_t
check_mx(ns_client_t * client,dns_zone_t * zone,dns_db_t * db,dns_dbversion_t * newver,dns_diff_t * diff)1653*00b67f09SDavid van Moolenbroek check_mx(ns_client_t *client, dns_zone_t *zone,
1654*00b67f09SDavid van Moolenbroek dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
1655*00b67f09SDavid van Moolenbroek {
1656*00b67f09SDavid van Moolenbroek char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
1657*00b67f09SDavid van Moolenbroek char ownerbuf[DNS_NAME_FORMATSIZE];
1658*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
1659*00b67f09SDavid van Moolenbroek char altbuf[DNS_NAME_FORMATSIZE];
1660*00b67f09SDavid van Moolenbroek dns_difftuple_t *t;
1661*00b67f09SDavid van Moolenbroek dns_fixedname_t fixed;
1662*00b67f09SDavid van Moolenbroek dns_name_t *foundname;
1663*00b67f09SDavid van Moolenbroek dns_rdata_mx_t mx;
1664*00b67f09SDavid van Moolenbroek dns_rdata_t rdata;
1665*00b67f09SDavid van Moolenbroek isc_boolean_t ok = ISC_TRUE;
1666*00b67f09SDavid van Moolenbroek isc_boolean_t isaddress;
1667*00b67f09SDavid van Moolenbroek isc_result_t result;
1668*00b67f09SDavid van Moolenbroek struct in6_addr addr6;
1669*00b67f09SDavid van Moolenbroek struct in_addr addr;
1670*00b67f09SDavid van Moolenbroek unsigned int options;
1671*00b67f09SDavid van Moolenbroek
1672*00b67f09SDavid van Moolenbroek dns_fixedname_init(&fixed);
1673*00b67f09SDavid van Moolenbroek foundname = dns_fixedname_name(&fixed);
1674*00b67f09SDavid van Moolenbroek dns_rdata_init(&rdata);
1675*00b67f09SDavid van Moolenbroek options = dns_zone_getoptions(zone);
1676*00b67f09SDavid van Moolenbroek
1677*00b67f09SDavid van Moolenbroek for (t = ISC_LIST_HEAD(diff->tuples);
1678*00b67f09SDavid van Moolenbroek t != NULL;
1679*00b67f09SDavid van Moolenbroek t = ISC_LIST_NEXT(t, link)) {
1680*00b67f09SDavid van Moolenbroek if (t->op != DNS_DIFFOP_ADD ||
1681*00b67f09SDavid van Moolenbroek t->rdata.type != dns_rdatatype_mx)
1682*00b67f09SDavid van Moolenbroek continue;
1683*00b67f09SDavid van Moolenbroek
1684*00b67f09SDavid van Moolenbroek result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
1685*00b67f09SDavid van Moolenbroek RUNTIME_CHECK(result == ISC_R_SUCCESS);
1686*00b67f09SDavid van Moolenbroek /*
1687*00b67f09SDavid van Moolenbroek * Check if we will error out if we attempt to reload the
1688*00b67f09SDavid van Moolenbroek * zone.
1689*00b67f09SDavid van Moolenbroek */
1690*00b67f09SDavid van Moolenbroek dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
1691*00b67f09SDavid van Moolenbroek dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
1692*00b67f09SDavid van Moolenbroek isaddress = ISC_FALSE;
1693*00b67f09SDavid van Moolenbroek if ((options & DNS_RDATA_CHECKMX) != 0 &&
1694*00b67f09SDavid van Moolenbroek strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
1695*00b67f09SDavid van Moolenbroek if (tmp[strlen(tmp) - 1] == '.')
1696*00b67f09SDavid van Moolenbroek tmp[strlen(tmp) - 1] = '\0';
1697*00b67f09SDavid van Moolenbroek if (inet_aton(tmp, &addr) == 1 ||
1698*00b67f09SDavid van Moolenbroek inet_pton(AF_INET6, tmp, &addr6) == 1)
1699*00b67f09SDavid van Moolenbroek isaddress = ISC_TRUE;
1700*00b67f09SDavid van Moolenbroek }
1701*00b67f09SDavid van Moolenbroek
1702*00b67f09SDavid van Moolenbroek if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
1703*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1704*00b67f09SDavid van Moolenbroek "%s/MX: '%s': %s",
1705*00b67f09SDavid van Moolenbroek ownerbuf, namebuf,
1706*00b67f09SDavid van Moolenbroek dns_result_totext(DNS_R_MXISADDRESS));
1707*00b67f09SDavid van Moolenbroek ok = ISC_FALSE;
1708*00b67f09SDavid van Moolenbroek } else if (isaddress) {
1709*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_WARNING,
1710*00b67f09SDavid van Moolenbroek "%s/MX: warning: '%s': %s",
1711*00b67f09SDavid van Moolenbroek ownerbuf, namebuf,
1712*00b67f09SDavid van Moolenbroek dns_result_totext(DNS_R_MXISADDRESS));
1713*00b67f09SDavid van Moolenbroek }
1714*00b67f09SDavid van Moolenbroek
1715*00b67f09SDavid van Moolenbroek /*
1716*00b67f09SDavid van Moolenbroek * Check zone integrity checks.
1717*00b67f09SDavid van Moolenbroek */
1718*00b67f09SDavid van Moolenbroek if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
1719*00b67f09SDavid van Moolenbroek continue;
1720*00b67f09SDavid van Moolenbroek result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
1721*00b67f09SDavid van Moolenbroek 0, 0, NULL, foundname, NULL, NULL);
1722*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS)
1723*00b67f09SDavid van Moolenbroek continue;
1724*00b67f09SDavid van Moolenbroek
1725*00b67f09SDavid van Moolenbroek if (result == DNS_R_NXRRSET) {
1726*00b67f09SDavid van Moolenbroek result = dns_db_find(db, &mx.mx, newver,
1727*00b67f09SDavid van Moolenbroek dns_rdatatype_aaaa,
1728*00b67f09SDavid van Moolenbroek 0, 0, NULL, foundname,
1729*00b67f09SDavid van Moolenbroek NULL, NULL);
1730*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS)
1731*00b67f09SDavid van Moolenbroek continue;
1732*00b67f09SDavid van Moolenbroek }
1733*00b67f09SDavid van Moolenbroek
1734*00b67f09SDavid van Moolenbroek if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
1735*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1736*00b67f09SDavid van Moolenbroek "%s/MX '%s' has no address records "
1737*00b67f09SDavid van Moolenbroek "(A or AAAA)", ownerbuf, namebuf);
1738*00b67f09SDavid van Moolenbroek ok = ISC_FALSE;
1739*00b67f09SDavid van Moolenbroek } else if (result == DNS_R_CNAME) {
1740*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1741*00b67f09SDavid van Moolenbroek "%s/MX '%s' is a CNAME (illegal)",
1742*00b67f09SDavid van Moolenbroek ownerbuf, namebuf);
1743*00b67f09SDavid van Moolenbroek ok = ISC_FALSE;
1744*00b67f09SDavid van Moolenbroek } else if (result == DNS_R_DNAME) {
1745*00b67f09SDavid van Moolenbroek dns_name_format(foundname, altbuf, sizeof altbuf);
1746*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1747*00b67f09SDavid van Moolenbroek "%s/MX '%s' is below a DNAME '%s' (illegal)",
1748*00b67f09SDavid van Moolenbroek ownerbuf, namebuf, altbuf);
1749*00b67f09SDavid van Moolenbroek ok = ISC_FALSE;
1750*00b67f09SDavid van Moolenbroek }
1751*00b67f09SDavid van Moolenbroek }
1752*00b67f09SDavid van Moolenbroek return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
1753*00b67f09SDavid van Moolenbroek }
1754*00b67f09SDavid van Moolenbroek
1755*00b67f09SDavid van Moolenbroek static isc_result_t
rr_exists(dns_db_t * db,dns_dbversion_t * ver,dns_name_t * name,const dns_rdata_t * rdata,isc_boolean_t * flag)1756*00b67f09SDavid van Moolenbroek rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1757*00b67f09SDavid van Moolenbroek const dns_rdata_t *rdata, isc_boolean_t *flag)
1758*00b67f09SDavid van Moolenbroek {
1759*00b67f09SDavid van Moolenbroek dns_rdataset_t rdataset;
1760*00b67f09SDavid van Moolenbroek dns_dbnode_t *node = NULL;
1761*00b67f09SDavid van Moolenbroek isc_result_t result;
1762*00b67f09SDavid van Moolenbroek
1763*00b67f09SDavid van Moolenbroek dns_rdataset_init(&rdataset);
1764*00b67f09SDavid van Moolenbroek if (rdata->type == dns_rdatatype_nsec3)
1765*00b67f09SDavid van Moolenbroek CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
1766*00b67f09SDavid van Moolenbroek else
1767*00b67f09SDavid van Moolenbroek CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
1768*00b67f09SDavid van Moolenbroek result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
1769*00b67f09SDavid van Moolenbroek (isc_stdtime_t) 0, &rdataset, NULL);
1770*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND) {
1771*00b67f09SDavid van Moolenbroek *flag = ISC_FALSE;
1772*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1773*00b67f09SDavid van Moolenbroek goto failure;
1774*00b67f09SDavid van Moolenbroek }
1775*00b67f09SDavid van Moolenbroek
1776*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(&rdataset);
1777*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
1778*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(&rdataset)) {
1779*00b67f09SDavid van Moolenbroek dns_rdata_t myrdata = DNS_RDATA_INIT;
1780*00b67f09SDavid van Moolenbroek dns_rdataset_current(&rdataset, &myrdata);
1781*00b67f09SDavid van Moolenbroek if (!dns_rdata_casecompare(&myrdata, rdata))
1782*00b67f09SDavid van Moolenbroek break;
1783*00b67f09SDavid van Moolenbroek }
1784*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
1785*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS) {
1786*00b67f09SDavid van Moolenbroek *flag = ISC_TRUE;
1787*00b67f09SDavid van Moolenbroek } else if (result == ISC_R_NOMORE) {
1788*00b67f09SDavid van Moolenbroek *flag = ISC_FALSE;
1789*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1790*00b67f09SDavid van Moolenbroek }
1791*00b67f09SDavid van Moolenbroek
1792*00b67f09SDavid van Moolenbroek failure:
1793*00b67f09SDavid van Moolenbroek if (node != NULL)
1794*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1795*00b67f09SDavid van Moolenbroek return (result);
1796*00b67f09SDavid van Moolenbroek }
1797*00b67f09SDavid van Moolenbroek
1798*00b67f09SDavid van Moolenbroek static isc_result_t
get_iterations(dns_db_t * db,dns_dbversion_t * ver,dns_rdatatype_t privatetype,unsigned int * iterationsp)1799*00b67f09SDavid van Moolenbroek get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
1800*00b67f09SDavid van Moolenbroek unsigned int *iterationsp)
1801*00b67f09SDavid van Moolenbroek {
1802*00b67f09SDavid van Moolenbroek dns_dbnode_t *node = NULL;
1803*00b67f09SDavid van Moolenbroek dns_rdata_nsec3param_t nsec3param;
1804*00b67f09SDavid van Moolenbroek dns_rdataset_t rdataset;
1805*00b67f09SDavid van Moolenbroek isc_result_t result;
1806*00b67f09SDavid van Moolenbroek unsigned int iterations = 0;
1807*00b67f09SDavid van Moolenbroek
1808*00b67f09SDavid van Moolenbroek dns_rdataset_init(&rdataset);
1809*00b67f09SDavid van Moolenbroek
1810*00b67f09SDavid van Moolenbroek result = dns_db_getoriginnode(db, &node);
1811*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1812*00b67f09SDavid van Moolenbroek return (result);
1813*00b67f09SDavid van Moolenbroek result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
1814*00b67f09SDavid van Moolenbroek 0, (isc_stdtime_t) 0, &rdataset, NULL);
1815*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND)
1816*00b67f09SDavid van Moolenbroek goto try_private;
1817*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1818*00b67f09SDavid van Moolenbroek goto failure;
1819*00b67f09SDavid van Moolenbroek
1820*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(&rdataset);
1821*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
1822*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(&rdataset)) {
1823*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
1824*00b67f09SDavid van Moolenbroek dns_rdataset_current(&rdataset, &rdata);
1825*00b67f09SDavid van Moolenbroek CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
1826*00b67f09SDavid van Moolenbroek if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
1827*00b67f09SDavid van Moolenbroek continue;
1828*00b67f09SDavid van Moolenbroek if (nsec3param.iterations > iterations)
1829*00b67f09SDavid van Moolenbroek iterations = nsec3param.iterations;
1830*00b67f09SDavid van Moolenbroek }
1831*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
1832*00b67f09SDavid van Moolenbroek goto failure;
1833*00b67f09SDavid van Moolenbroek
1834*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
1835*00b67f09SDavid van Moolenbroek
1836*00b67f09SDavid van Moolenbroek try_private:
1837*00b67f09SDavid van Moolenbroek if (privatetype == 0)
1838*00b67f09SDavid van Moolenbroek goto success;
1839*00b67f09SDavid van Moolenbroek
1840*00b67f09SDavid van Moolenbroek result = dns_db_findrdataset(db, node, ver, privatetype,
1841*00b67f09SDavid van Moolenbroek 0, (isc_stdtime_t) 0, &rdataset, NULL);
1842*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND)
1843*00b67f09SDavid van Moolenbroek goto success;
1844*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1845*00b67f09SDavid van Moolenbroek goto failure;
1846*00b67f09SDavid van Moolenbroek
1847*00b67f09SDavid van Moolenbroek for (result = dns_rdataset_first(&rdataset);
1848*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
1849*00b67f09SDavid van Moolenbroek result = dns_rdataset_next(&rdataset)) {
1850*00b67f09SDavid van Moolenbroek unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
1851*00b67f09SDavid van Moolenbroek dns_rdata_t private = DNS_RDATA_INIT;
1852*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
1853*00b67f09SDavid van Moolenbroek
1854*00b67f09SDavid van Moolenbroek dns_rdataset_current(&rdataset, &rdata);
1855*00b67f09SDavid van Moolenbroek if (!dns_nsec3param_fromprivate(&private, &rdata,
1856*00b67f09SDavid van Moolenbroek buf, sizeof(buf)))
1857*00b67f09SDavid van Moolenbroek continue;
1858*00b67f09SDavid van Moolenbroek CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
1859*00b67f09SDavid van Moolenbroek if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
1860*00b67f09SDavid van Moolenbroek continue;
1861*00b67f09SDavid van Moolenbroek if (nsec3param.iterations > iterations)
1862*00b67f09SDavid van Moolenbroek iterations = nsec3param.iterations;
1863*00b67f09SDavid van Moolenbroek }
1864*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
1865*00b67f09SDavid van Moolenbroek goto failure;
1866*00b67f09SDavid van Moolenbroek
1867*00b67f09SDavid van Moolenbroek success:
1868*00b67f09SDavid van Moolenbroek *iterationsp = iterations;
1869*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1870*00b67f09SDavid van Moolenbroek
1871*00b67f09SDavid van Moolenbroek failure:
1872*00b67f09SDavid van Moolenbroek if (node != NULL)
1873*00b67f09SDavid van Moolenbroek dns_db_detachnode(db, &node);
1874*00b67f09SDavid van Moolenbroek if (dns_rdataset_isassociated(&rdataset))
1875*00b67f09SDavid van Moolenbroek dns_rdataset_disassociate(&rdataset);
1876*00b67f09SDavid van Moolenbroek return (result);
1877*00b67f09SDavid van Moolenbroek }
1878*00b67f09SDavid van Moolenbroek
1879*00b67f09SDavid van Moolenbroek /*
1880*00b67f09SDavid van Moolenbroek * Prevent the zone entering a inconsistent state where
1881*00b67f09SDavid van Moolenbroek * NSEC only DNSKEYs are present with NSEC3 chains.
1882*00b67f09SDavid van Moolenbroek */
1883*00b67f09SDavid van Moolenbroek static isc_result_t
check_dnssec(ns_client_t * client,dns_zone_t * zone,dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff)1884*00b67f09SDavid van Moolenbroek check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1885*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver, dns_diff_t *diff)
1886*00b67f09SDavid van Moolenbroek {
1887*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple;
1888*00b67f09SDavid van Moolenbroek isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
1889*00b67f09SDavid van Moolenbroek isc_result_t result;
1890*00b67f09SDavid van Moolenbroek unsigned int iterations = 0, max;
1891*00b67f09SDavid van Moolenbroek dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
1892*00b67f09SDavid van Moolenbroek
1893*00b67f09SDavid van Moolenbroek /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
1894*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff->tuples);
1895*00b67f09SDavid van Moolenbroek tuple != NULL;
1896*00b67f09SDavid van Moolenbroek tuple = ISC_LIST_NEXT(tuple, link)) {
1897*00b67f09SDavid van Moolenbroek if (tuple->op != DNS_DIFFOP_ADD)
1898*00b67f09SDavid van Moolenbroek continue;
1899*00b67f09SDavid van Moolenbroek
1900*00b67f09SDavid van Moolenbroek if (tuple->rdata.type == dns_rdatatype_dnskey) {
1901*00b67f09SDavid van Moolenbroek isc_uint8_t alg;
1902*00b67f09SDavid van Moolenbroek alg = tuple->rdata.data[3];
1903*00b67f09SDavid van Moolenbroek if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
1904*00b67f09SDavid van Moolenbroek alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
1905*00b67f09SDavid van Moolenbroek nseconly = ISC_TRUE;
1906*00b67f09SDavid van Moolenbroek break;
1907*00b67f09SDavid van Moolenbroek }
1908*00b67f09SDavid van Moolenbroek } else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
1909*00b67f09SDavid van Moolenbroek nsec3 = ISC_TRUE;
1910*00b67f09SDavid van Moolenbroek break;
1911*00b67f09SDavid van Moolenbroek }
1912*00b67f09SDavid van Moolenbroek }
1913*00b67f09SDavid van Moolenbroek
1914*00b67f09SDavid van Moolenbroek /* Check existing DB for NSEC-only DNSKEY */
1915*00b67f09SDavid van Moolenbroek if (!nseconly) {
1916*00b67f09SDavid van Moolenbroek result = dns_nsec_nseconly(db, ver, &nseconly);
1917*00b67f09SDavid van Moolenbroek
1918*00b67f09SDavid van Moolenbroek /*
1919*00b67f09SDavid van Moolenbroek * An NSEC3PARAM update can proceed without a DNSKEY (it
1920*00b67f09SDavid van Moolenbroek * will trigger a delayed change), so we can ignore
1921*00b67f09SDavid van Moolenbroek * ISC_R_NOTFOUND here.
1922*00b67f09SDavid van Moolenbroek */
1923*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND)
1924*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1925*00b67f09SDavid van Moolenbroek
1926*00b67f09SDavid van Moolenbroek CHECK(result);
1927*00b67f09SDavid van Moolenbroek }
1928*00b67f09SDavid van Moolenbroek
1929*00b67f09SDavid van Moolenbroek /* Check existing DB for NSEC3 */
1930*00b67f09SDavid van Moolenbroek if (!nsec3)
1931*00b67f09SDavid van Moolenbroek CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
1932*00b67f09SDavid van Moolenbroek privatetype, &nsec3));
1933*00b67f09SDavid van Moolenbroek
1934*00b67f09SDavid van Moolenbroek /* Refuse to allow NSEC3 with NSEC-only keys */
1935*00b67f09SDavid van Moolenbroek if (nseconly && nsec3) {
1936*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1937*00b67f09SDavid van Moolenbroek "NSEC only DNSKEYs and NSEC3 chains not allowed");
1938*00b67f09SDavid van Moolenbroek result = DNS_R_REFUSED;
1939*00b67f09SDavid van Moolenbroek goto failure;
1940*00b67f09SDavid van Moolenbroek }
1941*00b67f09SDavid van Moolenbroek
1942*00b67f09SDavid van Moolenbroek /* Verify NSEC3 params */
1943*00b67f09SDavid van Moolenbroek CHECK(get_iterations(db, ver, privatetype, &iterations));
1944*00b67f09SDavid van Moolenbroek CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
1945*00b67f09SDavid van Moolenbroek if (max != 0 && iterations > max) {
1946*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
1947*00b67f09SDavid van Moolenbroek "too many NSEC3 iterations (%u) for "
1948*00b67f09SDavid van Moolenbroek "weakest DNSKEY (%u)", iterations, max);
1949*00b67f09SDavid van Moolenbroek result = DNS_R_REFUSED;
1950*00b67f09SDavid van Moolenbroek goto failure;
1951*00b67f09SDavid van Moolenbroek }
1952*00b67f09SDavid van Moolenbroek
1953*00b67f09SDavid van Moolenbroek failure:
1954*00b67f09SDavid van Moolenbroek return (result);
1955*00b67f09SDavid van Moolenbroek }
1956*00b67f09SDavid van Moolenbroek
1957*00b67f09SDavid van Moolenbroek /*
1958*00b67f09SDavid van Moolenbroek * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
1959*00b67f09SDavid van Moolenbroek */
1960*00b67f09SDavid van Moolenbroek static isc_result_t
add_nsec3param_records(ns_client_t * client,dns_zone_t * zone,dns_db_t * db,dns_dbversion_t * ver,dns_diff_t * diff)1961*00b67f09SDavid van Moolenbroek add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1962*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver, dns_diff_t *diff)
1963*00b67f09SDavid van Moolenbroek {
1964*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_SUCCESS;
1965*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple, *newtuple = NULL, *next;
1966*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
1967*00b67f09SDavid van Moolenbroek unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
1968*00b67f09SDavid van Moolenbroek dns_diff_t temp_diff;
1969*00b67f09SDavid van Moolenbroek dns_diffop_t op;
1970*00b67f09SDavid van Moolenbroek isc_boolean_t flag;
1971*00b67f09SDavid van Moolenbroek dns_name_t *name = dns_zone_getorigin(zone);
1972*00b67f09SDavid van Moolenbroek dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
1973*00b67f09SDavid van Moolenbroek isc_uint32_t ttl = 0;
1974*00b67f09SDavid van Moolenbroek isc_boolean_t ttl_good = ISC_FALSE;
1975*00b67f09SDavid van Moolenbroek
1976*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_DEBUG(3),
1977*00b67f09SDavid van Moolenbroek "checking for NSEC3PARAM changes");
1978*00b67f09SDavid van Moolenbroek
1979*00b67f09SDavid van Moolenbroek dns_diff_init(diff->mctx, &temp_diff);
1980*00b67f09SDavid van Moolenbroek
1981*00b67f09SDavid van Moolenbroek /*
1982*00b67f09SDavid van Moolenbroek * Extract NSEC3PARAM tuples from list.
1983*00b67f09SDavid van Moolenbroek */
1984*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff->tuples);
1985*00b67f09SDavid van Moolenbroek tuple != NULL;
1986*00b67f09SDavid van Moolenbroek tuple = next) {
1987*00b67f09SDavid van Moolenbroek
1988*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
1989*00b67f09SDavid van Moolenbroek
1990*00b67f09SDavid van Moolenbroek if (tuple->rdata.type != dns_rdatatype_nsec3param ||
1991*00b67f09SDavid van Moolenbroek !dns_name_equal(name, &tuple->name))
1992*00b67f09SDavid van Moolenbroek continue;
1993*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(diff->tuples, tuple, link);
1994*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
1995*00b67f09SDavid van Moolenbroek }
1996*00b67f09SDavid van Moolenbroek
1997*00b67f09SDavid van Moolenbroek /*
1998*00b67f09SDavid van Moolenbroek * Extract TTL changes pairs, we don't need to convert these to
1999*00b67f09SDavid van Moolenbroek * delayed changes.
2000*00b67f09SDavid van Moolenbroek */
2001*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2002*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2003*00b67f09SDavid van Moolenbroek if (tuple->op == DNS_DIFFOP_ADD) {
2004*00b67f09SDavid van Moolenbroek if (!ttl_good) {
2005*00b67f09SDavid van Moolenbroek /*
2006*00b67f09SDavid van Moolenbroek * Any adds here will contain the final
2007*00b67f09SDavid van Moolenbroek * NSEC3PARAM RRset TTL.
2008*00b67f09SDavid van Moolenbroek */
2009*00b67f09SDavid van Moolenbroek ttl = tuple->ttl;
2010*00b67f09SDavid van Moolenbroek ttl_good = ISC_TRUE;
2011*00b67f09SDavid van Moolenbroek }
2012*00b67f09SDavid van Moolenbroek /*
2013*00b67f09SDavid van Moolenbroek * Walk the temp_diff list looking for the
2014*00b67f09SDavid van Moolenbroek * corresponding delete.
2015*00b67f09SDavid van Moolenbroek */
2016*00b67f09SDavid van Moolenbroek next = ISC_LIST_HEAD(temp_diff.tuples);
2017*00b67f09SDavid van Moolenbroek while (next != NULL) {
2018*00b67f09SDavid van Moolenbroek unsigned char *next_data = next->rdata.data;
2019*00b67f09SDavid van Moolenbroek unsigned char *tuple_data = tuple->rdata.data;
2020*00b67f09SDavid van Moolenbroek if (next->op == DNS_DIFFOP_DEL &&
2021*00b67f09SDavid van Moolenbroek next->rdata.length == tuple->rdata.length &&
2022*00b67f09SDavid van Moolenbroek !memcmp(next_data, tuple_data,
2023*00b67f09SDavid van Moolenbroek next->rdata.length)) {
2024*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, next,
2025*00b67f09SDavid van Moolenbroek link);
2026*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, next,
2027*00b67f09SDavid van Moolenbroek link);
2028*00b67f09SDavid van Moolenbroek break;
2029*00b67f09SDavid van Moolenbroek }
2030*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(next, link);
2031*00b67f09SDavid van Moolenbroek }
2032*00b67f09SDavid van Moolenbroek /*
2033*00b67f09SDavid van Moolenbroek * If we have not found a pair move onto the next
2034*00b67f09SDavid van Moolenbroek * tuple.
2035*00b67f09SDavid van Moolenbroek */
2036*00b67f09SDavid van Moolenbroek if (next == NULL) {
2037*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2038*00b67f09SDavid van Moolenbroek continue;
2039*00b67f09SDavid van Moolenbroek }
2040*00b67f09SDavid van Moolenbroek /*
2041*00b67f09SDavid van Moolenbroek * Find the next tuple to be processed before
2042*00b67f09SDavid van Moolenbroek * unlinking then complete moving the pair to 'diff'.
2043*00b67f09SDavid van Moolenbroek */
2044*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2045*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2046*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, tuple, link);
2047*00b67f09SDavid van Moolenbroek } else
2048*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2049*00b67f09SDavid van Moolenbroek }
2050*00b67f09SDavid van Moolenbroek
2051*00b67f09SDavid van Moolenbroek /*
2052*00b67f09SDavid van Moolenbroek * Preserve any ongoing changes from a BIND 9.6.x upgrade.
2053*00b67f09SDavid van Moolenbroek *
2054*00b67f09SDavid van Moolenbroek * Any NSEC3PARAM records with flags other than OPTOUT named
2055*00b67f09SDavid van Moolenbroek * in managing and should not be touched so revert such changes
2056*00b67f09SDavid van Moolenbroek * taking into account any TTL change of the NSEC3PARAM RRset.
2057*00b67f09SDavid van Moolenbroek */
2058*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2059*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2060*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2061*00b67f09SDavid van Moolenbroek if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
2062*00b67f09SDavid van Moolenbroek /*
2063*00b67f09SDavid van Moolenbroek * If we havn't had any adds then the tuple->ttl must
2064*00b67f09SDavid van Moolenbroek * be the original ttl and should be used for any
2065*00b67f09SDavid van Moolenbroek * future changes.
2066*00b67f09SDavid van Moolenbroek */
2067*00b67f09SDavid van Moolenbroek if (!ttl_good) {
2068*00b67f09SDavid van Moolenbroek ttl = tuple->ttl;
2069*00b67f09SDavid van Moolenbroek ttl_good = ISC_TRUE;
2070*00b67f09SDavid van Moolenbroek }
2071*00b67f09SDavid van Moolenbroek op = (tuple->op == DNS_DIFFOP_DEL) ?
2072*00b67f09SDavid van Moolenbroek DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
2073*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, op, name,
2074*00b67f09SDavid van Moolenbroek ttl, &tuple->rdata,
2075*00b67f09SDavid van Moolenbroek &newtuple));
2076*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2077*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2078*00b67f09SDavid van Moolenbroek dns_diff_appendminimal(diff, &tuple);
2079*00b67f09SDavid van Moolenbroek }
2080*00b67f09SDavid van Moolenbroek }
2081*00b67f09SDavid van Moolenbroek
2082*00b67f09SDavid van Moolenbroek /*
2083*00b67f09SDavid van Moolenbroek * We now have just the actual changes to the NSEC3PARAM RRset.
2084*00b67f09SDavid van Moolenbroek * Convert the adds to delayed adds and the deletions into delayed
2085*00b67f09SDavid van Moolenbroek * deletions.
2086*00b67f09SDavid van Moolenbroek */
2087*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2088*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2089*00b67f09SDavid van Moolenbroek /*
2090*00b67f09SDavid van Moolenbroek * If we havn't had any adds then the tuple->ttl must be the
2091*00b67f09SDavid van Moolenbroek * original ttl and should be used for any future changes.
2092*00b67f09SDavid van Moolenbroek */
2093*00b67f09SDavid van Moolenbroek if (!ttl_good) {
2094*00b67f09SDavid van Moolenbroek ttl = tuple->ttl;
2095*00b67f09SDavid van Moolenbroek ttl_good = ISC_TRUE;
2096*00b67f09SDavid van Moolenbroek }
2097*00b67f09SDavid van Moolenbroek if (tuple->op == DNS_DIFFOP_ADD) {
2098*00b67f09SDavid van Moolenbroek isc_boolean_t nseconly = ISC_FALSE;
2099*00b67f09SDavid van Moolenbroek
2100*00b67f09SDavid van Moolenbroek /*
2101*00b67f09SDavid van Moolenbroek * Look for any deletes which match this ADD ignoring
2102*00b67f09SDavid van Moolenbroek * flags. We don't need to explictly remove them as
2103*00b67f09SDavid van Moolenbroek * they will be removed a side effect of processing
2104*00b67f09SDavid van Moolenbroek * the add.
2105*00b67f09SDavid van Moolenbroek */
2106*00b67f09SDavid van Moolenbroek next = ISC_LIST_HEAD(temp_diff.tuples);
2107*00b67f09SDavid van Moolenbroek while (next != NULL) {
2108*00b67f09SDavid van Moolenbroek unsigned char *next_data = next->rdata.data;
2109*00b67f09SDavid van Moolenbroek unsigned char *tuple_data = tuple->rdata.data;
2110*00b67f09SDavid van Moolenbroek if (next->op != DNS_DIFFOP_DEL ||
2111*00b67f09SDavid van Moolenbroek next->rdata.length != tuple->rdata.length ||
2112*00b67f09SDavid van Moolenbroek next_data[0] != tuple_data[0] ||
2113*00b67f09SDavid van Moolenbroek next_data[2] != tuple_data[2] ||
2114*00b67f09SDavid van Moolenbroek next_data[3] != tuple_data[3] ||
2115*00b67f09SDavid van Moolenbroek memcmp(next_data + 4, tuple_data + 4,
2116*00b67f09SDavid van Moolenbroek tuple->rdata.length - 4)) {
2117*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(next, link);
2118*00b67f09SDavid van Moolenbroek continue;
2119*00b67f09SDavid van Moolenbroek }
2120*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, next, link);
2121*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, next, link);
2122*00b67f09SDavid van Moolenbroek next = ISC_LIST_HEAD(temp_diff.tuples);
2123*00b67f09SDavid van Moolenbroek }
2124*00b67f09SDavid van Moolenbroek
2125*00b67f09SDavid van Moolenbroek /*
2126*00b67f09SDavid van Moolenbroek * Create a private-type record to signal that
2127*00b67f09SDavid van Moolenbroek * we want a delayed NSEC3 chain add/delete
2128*00b67f09SDavid van Moolenbroek */
2129*00b67f09SDavid van Moolenbroek dns_nsec3param_toprivate(&tuple->rdata, &rdata,
2130*00b67f09SDavid van Moolenbroek privatetype, buf, sizeof(buf));
2131*00b67f09SDavid van Moolenbroek buf[2] |= DNS_NSEC3FLAG_CREATE;
2132*00b67f09SDavid van Moolenbroek
2133*00b67f09SDavid van Moolenbroek /*
2134*00b67f09SDavid van Moolenbroek * If the zone is not currently capable of
2135*00b67f09SDavid van Moolenbroek * supporting an NSEC3 chain, then we set the
2136*00b67f09SDavid van Moolenbroek * INITIAL flag to indicate that these parameters
2137*00b67f09SDavid van Moolenbroek * are to be used later.
2138*00b67f09SDavid van Moolenbroek */
2139*00b67f09SDavid van Moolenbroek result = dns_nsec_nseconly(db, ver, &nseconly);
2140*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND || nseconly)
2141*00b67f09SDavid van Moolenbroek buf[2] |= DNS_NSEC3FLAG_INITIAL;
2142*00b67f09SDavid van Moolenbroek
2143*00b67f09SDavid van Moolenbroek /*
2144*00b67f09SDavid van Moolenbroek * See if this CREATE request already exists.
2145*00b67f09SDavid van Moolenbroek */
2146*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2147*00b67f09SDavid van Moolenbroek
2148*00b67f09SDavid van Moolenbroek if (!flag) {
2149*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx,
2150*00b67f09SDavid van Moolenbroek DNS_DIFFOP_ADD,
2151*00b67f09SDavid van Moolenbroek name, 0, &rdata,
2152*00b67f09SDavid van Moolenbroek &newtuple));
2153*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2154*00b67f09SDavid van Moolenbroek }
2155*00b67f09SDavid van Moolenbroek
2156*00b67f09SDavid van Moolenbroek /*
2157*00b67f09SDavid van Moolenbroek * Remove any existing CREATE request to add an
2158*00b67f09SDavid van Moolenbroek * otherwise indentical chain with a reversed
2159*00b67f09SDavid van Moolenbroek * OPTOUT state.
2160*00b67f09SDavid van Moolenbroek */
2161*00b67f09SDavid van Moolenbroek buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
2162*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2163*00b67f09SDavid van Moolenbroek
2164*00b67f09SDavid van Moolenbroek if (flag) {
2165*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx,
2166*00b67f09SDavid van Moolenbroek DNS_DIFFOP_DEL,
2167*00b67f09SDavid van Moolenbroek name, 0, &rdata,
2168*00b67f09SDavid van Moolenbroek &newtuple));
2169*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2170*00b67f09SDavid van Moolenbroek }
2171*00b67f09SDavid van Moolenbroek
2172*00b67f09SDavid van Moolenbroek /*
2173*00b67f09SDavid van Moolenbroek * Find the next tuple to be processed and remove the
2174*00b67f09SDavid van Moolenbroek * temporary add record.
2175*00b67f09SDavid van Moolenbroek */
2176*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2177*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
2178*00b67f09SDavid van Moolenbroek name, ttl, &tuple->rdata,
2179*00b67f09SDavid van Moolenbroek &newtuple));
2180*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2181*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2182*00b67f09SDavid van Moolenbroek dns_diff_appendminimal(diff, &tuple);
2183*00b67f09SDavid van Moolenbroek dns_rdata_reset(&rdata);
2184*00b67f09SDavid van Moolenbroek } else
2185*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2186*00b67f09SDavid van Moolenbroek }
2187*00b67f09SDavid van Moolenbroek
2188*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2189*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2190*00b67f09SDavid van Moolenbroek
2191*00b67f09SDavid van Moolenbroek INSIST(ttl_good);
2192*00b67f09SDavid van Moolenbroek
2193*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2194*00b67f09SDavid van Moolenbroek /*
2195*00b67f09SDavid van Moolenbroek * See if we already have a REMOVE request in progress.
2196*00b67f09SDavid van Moolenbroek */
2197*00b67f09SDavid van Moolenbroek dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
2198*00b67f09SDavid van Moolenbroek buf, sizeof(buf));
2199*00b67f09SDavid van Moolenbroek
2200*00b67f09SDavid van Moolenbroek buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
2201*00b67f09SDavid van Moolenbroek
2202*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2203*00b67f09SDavid van Moolenbroek if (!flag) {
2204*00b67f09SDavid van Moolenbroek buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
2205*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2206*00b67f09SDavid van Moolenbroek }
2207*00b67f09SDavid van Moolenbroek
2208*00b67f09SDavid van Moolenbroek if (!flag) {
2209*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
2210*00b67f09SDavid van Moolenbroek name, 0, &rdata, &newtuple));
2211*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2212*00b67f09SDavid van Moolenbroek }
2213*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
2214*00b67f09SDavid van Moolenbroek ttl, &tuple->rdata, &newtuple));
2215*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2216*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2217*00b67f09SDavid van Moolenbroek dns_diff_appendminimal(diff, &tuple);
2218*00b67f09SDavid van Moolenbroek dns_rdata_reset(&rdata);
2219*00b67f09SDavid van Moolenbroek }
2220*00b67f09SDavid van Moolenbroek
2221*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
2222*00b67f09SDavid van Moolenbroek failure:
2223*00b67f09SDavid van Moolenbroek dns_diff_clear(&temp_diff);
2224*00b67f09SDavid van Moolenbroek return (result);
2225*00b67f09SDavid van Moolenbroek }
2226*00b67f09SDavid van Moolenbroek
2227*00b67f09SDavid van Moolenbroek static isc_result_t
rollback_private(dns_db_t * db,dns_rdatatype_t privatetype,dns_dbversion_t * ver,dns_diff_t * diff)2228*00b67f09SDavid van Moolenbroek rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
2229*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver, dns_diff_t *diff)
2230*00b67f09SDavid van Moolenbroek {
2231*00b67f09SDavid van Moolenbroek dns_diff_t temp_diff;
2232*00b67f09SDavid van Moolenbroek dns_diffop_t op;
2233*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple, *newtuple = NULL, *next;
2234*00b67f09SDavid van Moolenbroek dns_name_t *name = dns_db_origin(db);
2235*00b67f09SDavid van Moolenbroek isc_mem_t *mctx = diff->mctx;
2236*00b67f09SDavid van Moolenbroek isc_result_t result;
2237*00b67f09SDavid van Moolenbroek
2238*00b67f09SDavid van Moolenbroek if (privatetype == 0)
2239*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
2240*00b67f09SDavid van Moolenbroek
2241*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &temp_diff);
2242*00b67f09SDavid van Moolenbroek
2243*00b67f09SDavid van Moolenbroek /*
2244*00b67f09SDavid van Moolenbroek * Extract the changes to be rolled back.
2245*00b67f09SDavid van Moolenbroek */
2246*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff->tuples);
2247*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2248*00b67f09SDavid van Moolenbroek
2249*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2250*00b67f09SDavid van Moolenbroek
2251*00b67f09SDavid van Moolenbroek if (tuple->rdata.type != privatetype ||
2252*00b67f09SDavid van Moolenbroek !dns_name_equal(name, &tuple->name))
2253*00b67f09SDavid van Moolenbroek continue;
2254*00b67f09SDavid van Moolenbroek
2255*00b67f09SDavid van Moolenbroek /*
2256*00b67f09SDavid van Moolenbroek * Allow records which indicate that a zone has been
2257*00b67f09SDavid van Moolenbroek * signed with a DNSKEY to be removed.
2258*00b67f09SDavid van Moolenbroek */
2259*00b67f09SDavid van Moolenbroek if (tuple->op == DNS_DIFFOP_DEL &&
2260*00b67f09SDavid van Moolenbroek tuple->rdata.length == 5 &&
2261*00b67f09SDavid van Moolenbroek tuple->rdata.data[0] != 0 &&
2262*00b67f09SDavid van Moolenbroek tuple->rdata.data[4] != 0)
2263*00b67f09SDavid van Moolenbroek continue;
2264*00b67f09SDavid van Moolenbroek
2265*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(diff->tuples, tuple, link);
2266*00b67f09SDavid van Moolenbroek ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
2267*00b67f09SDavid van Moolenbroek }
2268*00b67f09SDavid van Moolenbroek
2269*00b67f09SDavid van Moolenbroek /*
2270*00b67f09SDavid van Moolenbroek * Rollback the changes.
2271*00b67f09SDavid van Moolenbroek */
2272*00b67f09SDavid van Moolenbroek while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
2273*00b67f09SDavid van Moolenbroek op = (tuple->op == DNS_DIFFOP_DEL) ?
2274*00b67f09SDavid van Moolenbroek DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
2275*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
2276*00b67f09SDavid van Moolenbroek &tuple->rdata, &newtuple));
2277*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
2278*00b67f09SDavid van Moolenbroek }
2279*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
2280*00b67f09SDavid van Moolenbroek
2281*00b67f09SDavid van Moolenbroek failure:
2282*00b67f09SDavid van Moolenbroek dns_diff_clear(&temp_diff);
2283*00b67f09SDavid van Moolenbroek return (result);
2284*00b67f09SDavid van Moolenbroek }
2285*00b67f09SDavid van Moolenbroek
2286*00b67f09SDavid van Moolenbroek /*
2287*00b67f09SDavid van Moolenbroek * Add records to cause the delayed signing of the zone by added DNSKEY
2288*00b67f09SDavid van Moolenbroek * to remove the RRSIG records generated by a deleted DNSKEY.
2289*00b67f09SDavid van Moolenbroek */
2290*00b67f09SDavid van Moolenbroek static isc_result_t
add_signing_records(dns_db_t * db,dns_rdatatype_t privatetype,dns_dbversion_t * ver,dns_diff_t * diff)2291*00b67f09SDavid van Moolenbroek add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
2292*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver, dns_diff_t *diff)
2293*00b67f09SDavid van Moolenbroek {
2294*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple, *newtuple = NULL, *next;
2295*00b67f09SDavid van Moolenbroek dns_rdata_dnskey_t dnskey;
2296*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
2297*00b67f09SDavid van Moolenbroek isc_boolean_t flag;
2298*00b67f09SDavid van Moolenbroek isc_region_t r;
2299*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_SUCCESS;
2300*00b67f09SDavid van Moolenbroek isc_uint16_t keyid;
2301*00b67f09SDavid van Moolenbroek unsigned char buf[5];
2302*00b67f09SDavid van Moolenbroek dns_name_t *name = dns_db_origin(db);
2303*00b67f09SDavid van Moolenbroek dns_diff_t temp_diff;
2304*00b67f09SDavid van Moolenbroek
2305*00b67f09SDavid van Moolenbroek dns_diff_init(diff->mctx, &temp_diff);
2306*00b67f09SDavid van Moolenbroek
2307*00b67f09SDavid van Moolenbroek /*
2308*00b67f09SDavid van Moolenbroek * Extract the DNSKEY tuples from the list.
2309*00b67f09SDavid van Moolenbroek */
2310*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff->tuples);
2311*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2312*00b67f09SDavid van Moolenbroek
2313*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2314*00b67f09SDavid van Moolenbroek
2315*00b67f09SDavid van Moolenbroek if (tuple->rdata.type != dns_rdatatype_dnskey)
2316*00b67f09SDavid van Moolenbroek continue;
2317*00b67f09SDavid van Moolenbroek
2318*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(diff->tuples, tuple, link);
2319*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
2320*00b67f09SDavid van Moolenbroek }
2321*00b67f09SDavid van Moolenbroek
2322*00b67f09SDavid van Moolenbroek /*
2323*00b67f09SDavid van Moolenbroek * Extract TTL changes pairs, we don't need signing records for these.
2324*00b67f09SDavid van Moolenbroek */
2325*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2326*00b67f09SDavid van Moolenbroek tuple != NULL; tuple = next) {
2327*00b67f09SDavid van Moolenbroek if (tuple->op == DNS_DIFFOP_ADD) {
2328*00b67f09SDavid van Moolenbroek /*
2329*00b67f09SDavid van Moolenbroek * Walk the temp_diff list looking for the
2330*00b67f09SDavid van Moolenbroek * corresponding delete.
2331*00b67f09SDavid van Moolenbroek */
2332*00b67f09SDavid van Moolenbroek next = ISC_LIST_HEAD(temp_diff.tuples);
2333*00b67f09SDavid van Moolenbroek while (next != NULL) {
2334*00b67f09SDavid van Moolenbroek unsigned char *next_data = next->rdata.data;
2335*00b67f09SDavid van Moolenbroek unsigned char *tuple_data = tuple->rdata.data;
2336*00b67f09SDavid van Moolenbroek if (next->op == DNS_DIFFOP_DEL &&
2337*00b67f09SDavid van Moolenbroek dns_name_equal(&tuple->name, &next->name) &&
2338*00b67f09SDavid van Moolenbroek next->rdata.length == tuple->rdata.length &&
2339*00b67f09SDavid van Moolenbroek !memcmp(next_data, tuple_data,
2340*00b67f09SDavid van Moolenbroek next->rdata.length)) {
2341*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, next,
2342*00b67f09SDavid van Moolenbroek link);
2343*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, next,
2344*00b67f09SDavid van Moolenbroek link);
2345*00b67f09SDavid van Moolenbroek break;
2346*00b67f09SDavid van Moolenbroek }
2347*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(next, link);
2348*00b67f09SDavid van Moolenbroek }
2349*00b67f09SDavid van Moolenbroek /*
2350*00b67f09SDavid van Moolenbroek * If we have not found a pair move onto the next
2351*00b67f09SDavid van Moolenbroek * tuple.
2352*00b67f09SDavid van Moolenbroek */
2353*00b67f09SDavid van Moolenbroek if (next == NULL) {
2354*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2355*00b67f09SDavid van Moolenbroek continue;
2356*00b67f09SDavid van Moolenbroek }
2357*00b67f09SDavid van Moolenbroek /*
2358*00b67f09SDavid van Moolenbroek * Find the next tuple to be processed before
2359*00b67f09SDavid van Moolenbroek * unlinking then complete moving the pair to 'diff'.
2360*00b67f09SDavid van Moolenbroek */
2361*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2362*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2363*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, tuple, link);
2364*00b67f09SDavid van Moolenbroek } else
2365*00b67f09SDavid van Moolenbroek next = ISC_LIST_NEXT(tuple, link);
2366*00b67f09SDavid van Moolenbroek }
2367*00b67f09SDavid van Moolenbroek
2368*00b67f09SDavid van Moolenbroek /*
2369*00b67f09SDavid van Moolenbroek * Process the remaining DNSKEY entries.
2370*00b67f09SDavid van Moolenbroek */
2371*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
2372*00b67f09SDavid van Moolenbroek tuple != NULL;
2373*00b67f09SDavid van Moolenbroek tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
2374*00b67f09SDavid van Moolenbroek
2375*00b67f09SDavid van Moolenbroek ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
2376*00b67f09SDavid van Moolenbroek ISC_LIST_APPEND(diff->tuples, tuple, link);
2377*00b67f09SDavid van Moolenbroek
2378*00b67f09SDavid van Moolenbroek result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
2379*00b67f09SDavid van Moolenbroek RUNTIME_CHECK(result == ISC_R_SUCCESS);
2380*00b67f09SDavid van Moolenbroek if ((dnskey.flags &
2381*00b67f09SDavid van Moolenbroek (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
2382*00b67f09SDavid van Moolenbroek != DNS_KEYOWNER_ZONE)
2383*00b67f09SDavid van Moolenbroek continue;
2384*00b67f09SDavid van Moolenbroek
2385*00b67f09SDavid van Moolenbroek dns_rdata_toregion(&tuple->rdata, &r);
2386*00b67f09SDavid van Moolenbroek
2387*00b67f09SDavid van Moolenbroek keyid = dst_region_computeid(&r, dnskey.algorithm);
2388*00b67f09SDavid van Moolenbroek
2389*00b67f09SDavid van Moolenbroek buf[0] = dnskey.algorithm;
2390*00b67f09SDavid van Moolenbroek buf[1] = (keyid & 0xff00) >> 8;
2391*00b67f09SDavid van Moolenbroek buf[2] = (keyid & 0xff);
2392*00b67f09SDavid van Moolenbroek buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
2393*00b67f09SDavid van Moolenbroek buf[4] = 0;
2394*00b67f09SDavid van Moolenbroek rdata.data = buf;
2395*00b67f09SDavid van Moolenbroek rdata.length = sizeof(buf);
2396*00b67f09SDavid van Moolenbroek rdata.type = privatetype;
2397*00b67f09SDavid van Moolenbroek rdata.rdclass = tuple->rdata.rdclass;
2398*00b67f09SDavid van Moolenbroek
2399*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2400*00b67f09SDavid van Moolenbroek if (flag)
2401*00b67f09SDavid van Moolenbroek continue;
2402*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
2403*00b67f09SDavid van Moolenbroek name, 0, &rdata, &newtuple));
2404*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2405*00b67f09SDavid van Moolenbroek INSIST(newtuple == NULL);
2406*00b67f09SDavid van Moolenbroek /*
2407*00b67f09SDavid van Moolenbroek * Remove any record which says this operation has already
2408*00b67f09SDavid van Moolenbroek * completed.
2409*00b67f09SDavid van Moolenbroek */
2410*00b67f09SDavid van Moolenbroek buf[4] = 1;
2411*00b67f09SDavid van Moolenbroek CHECK(rr_exists(db, ver, name, &rdata, &flag));
2412*00b67f09SDavid van Moolenbroek if (flag) {
2413*00b67f09SDavid van Moolenbroek CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
2414*00b67f09SDavid van Moolenbroek name, 0, &rdata, &newtuple));
2415*00b67f09SDavid van Moolenbroek CHECK(do_one_tuple(&newtuple, db, ver, diff));
2416*00b67f09SDavid van Moolenbroek INSIST(newtuple == NULL);
2417*00b67f09SDavid van Moolenbroek }
2418*00b67f09SDavid van Moolenbroek }
2419*00b67f09SDavid van Moolenbroek
2420*00b67f09SDavid van Moolenbroek failure:
2421*00b67f09SDavid van Moolenbroek dns_diff_clear(&temp_diff);
2422*00b67f09SDavid van Moolenbroek return (result);
2423*00b67f09SDavid van Moolenbroek }
2424*00b67f09SDavid van Moolenbroek
2425*00b67f09SDavid van Moolenbroek static isc_boolean_t
isdnssec(dns_db_t * db,dns_dbversion_t * ver,dns_rdatatype_t privatetype)2426*00b67f09SDavid van Moolenbroek isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
2427*00b67f09SDavid van Moolenbroek isc_result_t result;
2428*00b67f09SDavid van Moolenbroek isc_boolean_t build_nsec, build_nsec3;
2429*00b67f09SDavid van Moolenbroek
2430*00b67f09SDavid van Moolenbroek if (dns_db_issecure(db))
2431*00b67f09SDavid van Moolenbroek return (ISC_TRUE);
2432*00b67f09SDavid van Moolenbroek
2433*00b67f09SDavid van Moolenbroek result = dns_private_chains(db, ver, privatetype,
2434*00b67f09SDavid van Moolenbroek &build_nsec, &build_nsec3);
2435*00b67f09SDavid van Moolenbroek RUNTIME_CHECK(result == ISC_R_SUCCESS);
2436*00b67f09SDavid van Moolenbroek return (build_nsec || build_nsec3);
2437*00b67f09SDavid van Moolenbroek }
2438*00b67f09SDavid van Moolenbroek
2439*00b67f09SDavid van Moolenbroek static void
update_action(isc_task_t * task,isc_event_t * event)2440*00b67f09SDavid van Moolenbroek update_action(isc_task_t *task, isc_event_t *event) {
2441*00b67f09SDavid van Moolenbroek update_event_t *uev = (update_event_t *) event;
2442*00b67f09SDavid van Moolenbroek dns_zone_t *zone = uev->zone;
2443*00b67f09SDavid van Moolenbroek ns_client_t *client = (ns_client_t *)event->ev_arg;
2444*00b67f09SDavid van Moolenbroek isc_result_t result;
2445*00b67f09SDavid van Moolenbroek dns_db_t *db = NULL;
2446*00b67f09SDavid van Moolenbroek dns_dbversion_t *oldver = NULL;
2447*00b67f09SDavid van Moolenbroek dns_dbversion_t *ver = NULL;
2448*00b67f09SDavid van Moolenbroek dns_diff_t diff; /* Pending updates. */
2449*00b67f09SDavid van Moolenbroek dns_diff_t temp; /* Pending RR existence assertions. */
2450*00b67f09SDavid van Moolenbroek isc_boolean_t soa_serial_changed = ISC_FALSE;
2451*00b67f09SDavid van Moolenbroek isc_mem_t *mctx = client->mctx;
2452*00b67f09SDavid van Moolenbroek dns_rdatatype_t covers;
2453*00b67f09SDavid van Moolenbroek dns_message_t *request = client->message;
2454*00b67f09SDavid van Moolenbroek dns_rdataclass_t zoneclass;
2455*00b67f09SDavid van Moolenbroek dns_name_t *zonename;
2456*00b67f09SDavid van Moolenbroek dns_ssutable_t *ssutable = NULL;
2457*00b67f09SDavid van Moolenbroek dns_fixedname_t tmpnamefixed;
2458*00b67f09SDavid van Moolenbroek dns_name_t *tmpname = NULL;
2459*00b67f09SDavid van Moolenbroek unsigned int options, options2;
2460*00b67f09SDavid van Moolenbroek dns_difftuple_t *tuple;
2461*00b67f09SDavid van Moolenbroek dns_rdata_dnskey_t dnskey;
2462*00b67f09SDavid van Moolenbroek isc_boolean_t had_dnskey;
2463*00b67f09SDavid van Moolenbroek dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
2464*00b67f09SDavid van Moolenbroek dns_ttl_t maxttl = 0;
2465*00b67f09SDavid van Moolenbroek
2466*00b67f09SDavid van Moolenbroek INSIST(event->ev_type == DNS_EVENT_UPDATE);
2467*00b67f09SDavid van Moolenbroek
2468*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &diff);
2469*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &temp);
2470*00b67f09SDavid van Moolenbroek
2471*00b67f09SDavid van Moolenbroek CHECK(dns_zone_getdb(zone, &db));
2472*00b67f09SDavid van Moolenbroek zonename = dns_db_origin(db);
2473*00b67f09SDavid van Moolenbroek zoneclass = dns_db_class(db);
2474*00b67f09SDavid van Moolenbroek dns_zone_getssutable(zone, &ssutable);
2475*00b67f09SDavid van Moolenbroek
2476*00b67f09SDavid van Moolenbroek /*
2477*00b67f09SDavid van Moolenbroek * Update message processing can leak record existance information
2478*00b67f09SDavid van Moolenbroek * so check that we are allowed to query this zone. Additionally
2479*00b67f09SDavid van Moolenbroek * if we would refuse all updates for this zone we bail out here.
2480*00b67f09SDavid van Moolenbroek */
2481*00b67f09SDavid van Moolenbroek CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
2482*00b67f09SDavid van Moolenbroek dns_zone_getupdateacl(zone), ssutable));
2483*00b67f09SDavid van Moolenbroek
2484*00b67f09SDavid van Moolenbroek /*
2485*00b67f09SDavid van Moolenbroek * Get old and new versions now that queryacl has been checked.
2486*00b67f09SDavid van Moolenbroek */
2487*00b67f09SDavid van Moolenbroek dns_db_currentversion(db, &oldver);
2488*00b67f09SDavid van Moolenbroek CHECK(dns_db_newversion(db, &ver));
2489*00b67f09SDavid van Moolenbroek
2490*00b67f09SDavid van Moolenbroek /*
2491*00b67f09SDavid van Moolenbroek * Check prerequisites.
2492*00b67f09SDavid van Moolenbroek */
2493*00b67f09SDavid van Moolenbroek
2494*00b67f09SDavid van Moolenbroek for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
2495*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
2496*00b67f09SDavid van Moolenbroek result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
2497*00b67f09SDavid van Moolenbroek {
2498*00b67f09SDavid van Moolenbroek dns_name_t *name = NULL;
2499*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
2500*00b67f09SDavid van Moolenbroek dns_ttl_t ttl;
2501*00b67f09SDavid van Moolenbroek dns_rdataclass_t update_class;
2502*00b67f09SDavid van Moolenbroek isc_boolean_t flag;
2503*00b67f09SDavid van Moolenbroek
2504*00b67f09SDavid van Moolenbroek get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
2505*00b67f09SDavid van Moolenbroek &name, &rdata, &covers, &ttl, &update_class);
2506*00b67f09SDavid van Moolenbroek
2507*00b67f09SDavid van Moolenbroek if (ttl != 0)
2508*00b67f09SDavid van Moolenbroek PREREQFAILC(DNS_R_FORMERR,
2509*00b67f09SDavid van Moolenbroek "prerequisite TTL is not zero");
2510*00b67f09SDavid van Moolenbroek
2511*00b67f09SDavid van Moolenbroek if (! dns_name_issubdomain(name, zonename))
2512*00b67f09SDavid van Moolenbroek PREREQFAILN(DNS_R_NOTZONE, name,
2513*00b67f09SDavid van Moolenbroek "prerequisite name is out of zone");
2514*00b67f09SDavid van Moolenbroek
2515*00b67f09SDavid van Moolenbroek if (update_class == dns_rdataclass_any) {
2516*00b67f09SDavid van Moolenbroek if (rdata.length != 0)
2517*00b67f09SDavid van Moolenbroek PREREQFAILC(DNS_R_FORMERR,
2518*00b67f09SDavid van Moolenbroek "class ANY prerequisite "
2519*00b67f09SDavid van Moolenbroek "RDATA is not empty");
2520*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_any) {
2521*00b67f09SDavid van Moolenbroek CHECK(name_exists(db, ver, name, &flag));
2522*00b67f09SDavid van Moolenbroek if (! flag) {
2523*00b67f09SDavid van Moolenbroek PREREQFAILN(DNS_R_NXDOMAIN, name,
2524*00b67f09SDavid van Moolenbroek "'name in use' "
2525*00b67f09SDavid van Moolenbroek "prerequisite not "
2526*00b67f09SDavid van Moolenbroek "satisfied");
2527*00b67f09SDavid van Moolenbroek }
2528*00b67f09SDavid van Moolenbroek } else {
2529*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, ver, name,
2530*00b67f09SDavid van Moolenbroek rdata.type, covers, &flag));
2531*00b67f09SDavid van Moolenbroek if (! flag) {
2532*00b67f09SDavid van Moolenbroek /* RRset does not exist. */
2533*00b67f09SDavid van Moolenbroek PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
2534*00b67f09SDavid van Moolenbroek "'rrset exists (value independent)' "
2535*00b67f09SDavid van Moolenbroek "prerequisite not satisfied");
2536*00b67f09SDavid van Moolenbroek }
2537*00b67f09SDavid van Moolenbroek }
2538*00b67f09SDavid van Moolenbroek } else if (update_class == dns_rdataclass_none) {
2539*00b67f09SDavid van Moolenbroek if (rdata.length != 0)
2540*00b67f09SDavid van Moolenbroek PREREQFAILC(DNS_R_FORMERR,
2541*00b67f09SDavid van Moolenbroek "class NONE prerequisite "
2542*00b67f09SDavid van Moolenbroek "RDATA is not empty");
2543*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_any) {
2544*00b67f09SDavid van Moolenbroek CHECK(name_exists(db, ver, name, &flag));
2545*00b67f09SDavid van Moolenbroek if (flag) {
2546*00b67f09SDavid van Moolenbroek PREREQFAILN(DNS_R_YXDOMAIN, name,
2547*00b67f09SDavid van Moolenbroek "'name not in use' "
2548*00b67f09SDavid van Moolenbroek "prerequisite not "
2549*00b67f09SDavid van Moolenbroek "satisfied");
2550*00b67f09SDavid van Moolenbroek }
2551*00b67f09SDavid van Moolenbroek } else {
2552*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, ver, name,
2553*00b67f09SDavid van Moolenbroek rdata.type, covers, &flag));
2554*00b67f09SDavid van Moolenbroek if (flag) {
2555*00b67f09SDavid van Moolenbroek /* RRset exists. */
2556*00b67f09SDavid van Moolenbroek PREREQFAILNT(DNS_R_YXRRSET, name,
2557*00b67f09SDavid van Moolenbroek rdata.type,
2558*00b67f09SDavid van Moolenbroek "'rrset does not exist' "
2559*00b67f09SDavid van Moolenbroek "prerequisite not "
2560*00b67f09SDavid van Moolenbroek "satisfied");
2561*00b67f09SDavid van Moolenbroek }
2562*00b67f09SDavid van Moolenbroek }
2563*00b67f09SDavid van Moolenbroek } else if (update_class == zoneclass) {
2564*00b67f09SDavid van Moolenbroek /* "temp<rr.name, rr.type> += rr;" */
2565*00b67f09SDavid van Moolenbroek result = temp_append(&temp, name, &rdata);
2566*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
2567*00b67f09SDavid van Moolenbroek UNEXPECTED_ERROR(__FILE__, __LINE__,
2568*00b67f09SDavid van Moolenbroek "temp entry creation failed: %s",
2569*00b67f09SDavid van Moolenbroek dns_result_totext(result));
2570*00b67f09SDavid van Moolenbroek FAIL(ISC_R_UNEXPECTED);
2571*00b67f09SDavid van Moolenbroek }
2572*00b67f09SDavid van Moolenbroek } else {
2573*00b67f09SDavid van Moolenbroek PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
2574*00b67f09SDavid van Moolenbroek }
2575*00b67f09SDavid van Moolenbroek }
2576*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
2577*00b67f09SDavid van Moolenbroek FAIL(result);
2578*00b67f09SDavid van Moolenbroek
2579*00b67f09SDavid van Moolenbroek /*
2580*00b67f09SDavid van Moolenbroek * Perform the final check of the "rrset exists (value dependent)"
2581*00b67f09SDavid van Moolenbroek * prerequisites.
2582*00b67f09SDavid van Moolenbroek */
2583*00b67f09SDavid van Moolenbroek if (ISC_LIST_HEAD(temp.tuples) != NULL) {
2584*00b67f09SDavid van Moolenbroek dns_rdatatype_t type;
2585*00b67f09SDavid van Moolenbroek
2586*00b67f09SDavid van Moolenbroek /*
2587*00b67f09SDavid van Moolenbroek * Sort the prerequisite records by owner name,
2588*00b67f09SDavid van Moolenbroek * type, and rdata.
2589*00b67f09SDavid van Moolenbroek */
2590*00b67f09SDavid van Moolenbroek result = dns_diff_sort(&temp, temp_order);
2591*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
2592*00b67f09SDavid van Moolenbroek FAILC(result, "'RRset exists (value dependent)' "
2593*00b67f09SDavid van Moolenbroek "prerequisite not satisfied");
2594*00b67f09SDavid van Moolenbroek
2595*00b67f09SDavid van Moolenbroek dns_fixedname_init(&tmpnamefixed);
2596*00b67f09SDavid van Moolenbroek tmpname = dns_fixedname_name(&tmpnamefixed);
2597*00b67f09SDavid van Moolenbroek result = temp_check(mctx, &temp, db, ver, tmpname, &type);
2598*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
2599*00b67f09SDavid van Moolenbroek FAILNT(result, tmpname, type,
2600*00b67f09SDavid van Moolenbroek "'RRset exists (value dependent)' "
2601*00b67f09SDavid van Moolenbroek "prerequisite not satisfied");
2602*00b67f09SDavid van Moolenbroek }
2603*00b67f09SDavid van Moolenbroek
2604*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG,
2605*00b67f09SDavid van Moolenbroek "prerequisites are OK");
2606*00b67f09SDavid van Moolenbroek
2607*00b67f09SDavid van Moolenbroek /*
2608*00b67f09SDavid van Moolenbroek * Check Requestor's Permissions. It seems a bit silly to do this
2609*00b67f09SDavid van Moolenbroek * only after prerequisite testing, but that is what RFC2136 says.
2610*00b67f09SDavid van Moolenbroek */
2611*00b67f09SDavid van Moolenbroek if (ssutable == NULL)
2612*00b67f09SDavid van Moolenbroek CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
2613*00b67f09SDavid van Moolenbroek "update", zonename, ISC_FALSE, ISC_FALSE));
2614*00b67f09SDavid van Moolenbroek else if (client->signer == NULL && !TCPCLIENT(client))
2615*00b67f09SDavid van Moolenbroek CHECK(checkupdateacl(client, NULL, "update", zonename,
2616*00b67f09SDavid van Moolenbroek ISC_FALSE, ISC_TRUE));
2617*00b67f09SDavid van Moolenbroek
2618*00b67f09SDavid van Moolenbroek if (dns_zone_getupdatedisabled(zone))
2619*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
2620*00b67f09SDavid van Moolenbroek "because the zone is frozen. Use "
2621*00b67f09SDavid van Moolenbroek "'rndc thaw' to re-enable updates.");
2622*00b67f09SDavid van Moolenbroek
2623*00b67f09SDavid van Moolenbroek /*
2624*00b67f09SDavid van Moolenbroek * Perform the Update Section Prescan.
2625*00b67f09SDavid van Moolenbroek */
2626*00b67f09SDavid van Moolenbroek
2627*00b67f09SDavid van Moolenbroek for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
2628*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
2629*00b67f09SDavid van Moolenbroek result = dns_message_nextname(request, DNS_SECTION_UPDATE))
2630*00b67f09SDavid van Moolenbroek {
2631*00b67f09SDavid van Moolenbroek dns_name_t *name = NULL;
2632*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
2633*00b67f09SDavid van Moolenbroek dns_ttl_t ttl;
2634*00b67f09SDavid van Moolenbroek dns_rdataclass_t update_class;
2635*00b67f09SDavid van Moolenbroek get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
2636*00b67f09SDavid van Moolenbroek &name, &rdata, &covers, &ttl, &update_class);
2637*00b67f09SDavid van Moolenbroek
2638*00b67f09SDavid van Moolenbroek if (! dns_name_issubdomain(name, zonename))
2639*00b67f09SDavid van Moolenbroek FAILC(DNS_R_NOTZONE,
2640*00b67f09SDavid van Moolenbroek "update RR is outside zone");
2641*00b67f09SDavid van Moolenbroek if (update_class == zoneclass) {
2642*00b67f09SDavid van Moolenbroek /*
2643*00b67f09SDavid van Moolenbroek * Check for meta-RRs. The RFC2136 pseudocode says
2644*00b67f09SDavid van Moolenbroek * check for ANY|AXFR|MAILA|MAILB, but the text adds
2645*00b67f09SDavid van Moolenbroek * "or any other QUERY metatype"
2646*00b67f09SDavid van Moolenbroek */
2647*00b67f09SDavid van Moolenbroek if (dns_rdatatype_ismeta(rdata.type)) {
2648*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
2649*00b67f09SDavid van Moolenbroek "meta-RR in update");
2650*00b67f09SDavid van Moolenbroek }
2651*00b67f09SDavid van Moolenbroek result = dns_zone_checknames(zone, name, &rdata);
2652*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
2653*00b67f09SDavid van Moolenbroek FAIL(DNS_R_REFUSED);
2654*00b67f09SDavid van Moolenbroek } else if (update_class == dns_rdataclass_any) {
2655*00b67f09SDavid van Moolenbroek if (ttl != 0 || rdata.length != 0 ||
2656*00b67f09SDavid van Moolenbroek (dns_rdatatype_ismeta(rdata.type) &&
2657*00b67f09SDavid van Moolenbroek rdata.type != dns_rdatatype_any))
2658*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
2659*00b67f09SDavid van Moolenbroek "meta-RR in update");
2660*00b67f09SDavid van Moolenbroek } else if (update_class == dns_rdataclass_none) {
2661*00b67f09SDavid van Moolenbroek if (ttl != 0 ||
2662*00b67f09SDavid van Moolenbroek dns_rdatatype_ismeta(rdata.type))
2663*00b67f09SDavid van Moolenbroek FAILC(DNS_R_FORMERR,
2664*00b67f09SDavid van Moolenbroek "meta-RR in update");
2665*00b67f09SDavid van Moolenbroek } else {
2666*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_WARNING,
2667*00b67f09SDavid van Moolenbroek "update RR has incorrect class %d",
2668*00b67f09SDavid van Moolenbroek update_class);
2669*00b67f09SDavid van Moolenbroek FAIL(DNS_R_FORMERR);
2670*00b67f09SDavid van Moolenbroek }
2671*00b67f09SDavid van Moolenbroek
2672*00b67f09SDavid van Moolenbroek /*
2673*00b67f09SDavid van Moolenbroek * draft-ietf-dnsind-simple-secure-update-01 says
2674*00b67f09SDavid van Moolenbroek * "Unlike traditional dynamic update, the client
2675*00b67f09SDavid van Moolenbroek * is forbidden from updating NSEC records."
2676*00b67f09SDavid van Moolenbroek */
2677*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_nsec3) {
2678*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED,
2679*00b67f09SDavid van Moolenbroek "explicit NSEC3 updates are not allowed "
2680*00b67f09SDavid van Moolenbroek "in secure zones");
2681*00b67f09SDavid van Moolenbroek } else if (rdata.type == dns_rdatatype_nsec) {
2682*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED,
2683*00b67f09SDavid van Moolenbroek "explicit NSEC updates are not allowed "
2684*00b67f09SDavid van Moolenbroek "in secure zones");
2685*00b67f09SDavid van Moolenbroek } else if (rdata.type == dns_rdatatype_rrsig &&
2686*00b67f09SDavid van Moolenbroek !dns_name_equal(name, zonename)) {
2687*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED,
2688*00b67f09SDavid van Moolenbroek "explicit RRSIG updates are currently "
2689*00b67f09SDavid van Moolenbroek "not supported in secure zones except "
2690*00b67f09SDavid van Moolenbroek "at the apex");
2691*00b67f09SDavid van Moolenbroek }
2692*00b67f09SDavid van Moolenbroek
2693*00b67f09SDavid van Moolenbroek if (ssutable != NULL) {
2694*00b67f09SDavid van Moolenbroek isc_netaddr_t *tcpaddr, netaddr;
2695*00b67f09SDavid van Moolenbroek dst_key_t *tsigkey = NULL;
2696*00b67f09SDavid van Moolenbroek /*
2697*00b67f09SDavid van Moolenbroek * If this is a TCP connection then pass the
2698*00b67f09SDavid van Moolenbroek * address of the client through for tcp-self
2699*00b67f09SDavid van Moolenbroek * and 6to4-self otherwise pass NULL. This
2700*00b67f09SDavid van Moolenbroek * provides weak address based authentication.
2701*00b67f09SDavid van Moolenbroek */
2702*00b67f09SDavid van Moolenbroek if (TCPCLIENT(client)) {
2703*00b67f09SDavid van Moolenbroek isc_netaddr_fromsockaddr(&netaddr,
2704*00b67f09SDavid van Moolenbroek &client->peeraddr);
2705*00b67f09SDavid van Moolenbroek tcpaddr = &netaddr;
2706*00b67f09SDavid van Moolenbroek } else
2707*00b67f09SDavid van Moolenbroek tcpaddr = NULL;
2708*00b67f09SDavid van Moolenbroek
2709*00b67f09SDavid van Moolenbroek if (client->message->tsigkey != NULL)
2710*00b67f09SDavid van Moolenbroek tsigkey = client->message->tsigkey->key;
2711*00b67f09SDavid van Moolenbroek
2712*00b67f09SDavid van Moolenbroek if (rdata.type != dns_rdatatype_any) {
2713*00b67f09SDavid van Moolenbroek if (!dns_ssutable_checkrules(ssutable,
2714*00b67f09SDavid van Moolenbroek client->signer,
2715*00b67f09SDavid van Moolenbroek name, tcpaddr,
2716*00b67f09SDavid van Moolenbroek rdata.type,
2717*00b67f09SDavid van Moolenbroek tsigkey))
2718*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED,
2719*00b67f09SDavid van Moolenbroek "rejected by secure update");
2720*00b67f09SDavid van Moolenbroek } else {
2721*00b67f09SDavid van Moolenbroek if (!ssu_checkall(db, ver, name, ssutable,
2722*00b67f09SDavid van Moolenbroek client->signer, tcpaddr,
2723*00b67f09SDavid van Moolenbroek tsigkey))
2724*00b67f09SDavid van Moolenbroek FAILC(DNS_R_REFUSED,
2725*00b67f09SDavid van Moolenbroek "rejected by secure update");
2726*00b67f09SDavid van Moolenbroek }
2727*00b67f09SDavid van Moolenbroek }
2728*00b67f09SDavid van Moolenbroek }
2729*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
2730*00b67f09SDavid van Moolenbroek FAIL(result);
2731*00b67f09SDavid van Moolenbroek
2732*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG,
2733*00b67f09SDavid van Moolenbroek "update section prescan OK");
2734*00b67f09SDavid van Moolenbroek
2735*00b67f09SDavid van Moolenbroek /*
2736*00b67f09SDavid van Moolenbroek * Process the Update Section.
2737*00b67f09SDavid van Moolenbroek */
2738*00b67f09SDavid van Moolenbroek
2739*00b67f09SDavid van Moolenbroek options = dns_zone_getoptions(zone);
2740*00b67f09SDavid van Moolenbroek options2 = dns_zone_getoptions2(zone);
2741*00b67f09SDavid van Moolenbroek for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
2742*00b67f09SDavid van Moolenbroek result == ISC_R_SUCCESS;
2743*00b67f09SDavid van Moolenbroek result = dns_message_nextname(request, DNS_SECTION_UPDATE))
2744*00b67f09SDavid van Moolenbroek {
2745*00b67f09SDavid van Moolenbroek dns_name_t *name = NULL;
2746*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
2747*00b67f09SDavid van Moolenbroek dns_ttl_t ttl;
2748*00b67f09SDavid van Moolenbroek dns_rdataclass_t update_class;
2749*00b67f09SDavid van Moolenbroek isc_boolean_t flag;
2750*00b67f09SDavid van Moolenbroek
2751*00b67f09SDavid van Moolenbroek get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
2752*00b67f09SDavid van Moolenbroek &name, &rdata, &covers, &ttl, &update_class);
2753*00b67f09SDavid van Moolenbroek
2754*00b67f09SDavid van Moolenbroek if (update_class == zoneclass) {
2755*00b67f09SDavid van Moolenbroek
2756*00b67f09SDavid van Moolenbroek /*
2757*00b67f09SDavid van Moolenbroek * RFC1123 doesn't allow MF and MD in master zones. */
2758*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_md ||
2759*00b67f09SDavid van Moolenbroek rdata.type == dns_rdatatype_mf) {
2760*00b67f09SDavid van Moolenbroek char typebuf[DNS_RDATATYPE_FORMATSIZE];
2761*00b67f09SDavid van Moolenbroek
2762*00b67f09SDavid van Moolenbroek dns_rdatatype_format(rdata.type, typebuf,
2763*00b67f09SDavid van Moolenbroek sizeof(typebuf));
2764*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
2765*00b67f09SDavid van Moolenbroek "attempt to add %s ignored",
2766*00b67f09SDavid van Moolenbroek typebuf);
2767*00b67f09SDavid van Moolenbroek continue;
2768*00b67f09SDavid van Moolenbroek }
2769*00b67f09SDavid van Moolenbroek if ((rdata.type == dns_rdatatype_ns ||
2770*00b67f09SDavid van Moolenbroek rdata.type == dns_rdatatype_dname) &&
2771*00b67f09SDavid van Moolenbroek dns_name_iswildcard(name)) {
2772*00b67f09SDavid van Moolenbroek char typebuf[DNS_RDATATYPE_FORMATSIZE];
2773*00b67f09SDavid van Moolenbroek
2774*00b67f09SDavid van Moolenbroek dns_rdatatype_format(rdata.type, typebuf,
2775*00b67f09SDavid van Moolenbroek sizeof(typebuf));
2776*00b67f09SDavid van Moolenbroek update_log(client, zone,
2777*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2778*00b67f09SDavid van Moolenbroek "attempt to add wildcard %s record "
2779*00b67f09SDavid van Moolenbroek "ignored", typebuf);
2780*00b67f09SDavid van Moolenbroek continue;
2781*00b67f09SDavid van Moolenbroek }
2782*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_cname) {
2783*00b67f09SDavid van Moolenbroek CHECK(cname_incompatible_rrset_exists(db, ver,
2784*00b67f09SDavid van Moolenbroek name,
2785*00b67f09SDavid van Moolenbroek &flag));
2786*00b67f09SDavid van Moolenbroek if (flag) {
2787*00b67f09SDavid van Moolenbroek update_log(client, zone,
2788*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2789*00b67f09SDavid van Moolenbroek "attempt to add CNAME "
2790*00b67f09SDavid van Moolenbroek "alongside non-CNAME "
2791*00b67f09SDavid van Moolenbroek "ignored");
2792*00b67f09SDavid van Moolenbroek continue;
2793*00b67f09SDavid van Moolenbroek }
2794*00b67f09SDavid van Moolenbroek } else {
2795*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, ver, name,
2796*00b67f09SDavid van Moolenbroek dns_rdatatype_cname, 0,
2797*00b67f09SDavid van Moolenbroek &flag));
2798*00b67f09SDavid van Moolenbroek if (flag &&
2799*00b67f09SDavid van Moolenbroek ! dns_rdatatype_isdnssec(rdata.type))
2800*00b67f09SDavid van Moolenbroek {
2801*00b67f09SDavid van Moolenbroek update_log(client, zone,
2802*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2803*00b67f09SDavid van Moolenbroek "attempt to add non-CNAME "
2804*00b67f09SDavid van Moolenbroek "alongside CNAME ignored");
2805*00b67f09SDavid van Moolenbroek continue;
2806*00b67f09SDavid van Moolenbroek }
2807*00b67f09SDavid van Moolenbroek }
2808*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_soa) {
2809*00b67f09SDavid van Moolenbroek isc_boolean_t ok;
2810*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, ver, name,
2811*00b67f09SDavid van Moolenbroek dns_rdatatype_soa, 0,
2812*00b67f09SDavid van Moolenbroek &flag));
2813*00b67f09SDavid van Moolenbroek if (! flag) {
2814*00b67f09SDavid van Moolenbroek update_log(client, zone,
2815*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2816*00b67f09SDavid van Moolenbroek "attempt to create 2nd "
2817*00b67f09SDavid van Moolenbroek "SOA ignored");
2818*00b67f09SDavid van Moolenbroek continue;
2819*00b67f09SDavid van Moolenbroek }
2820*00b67f09SDavid van Moolenbroek CHECK(check_soa_increment(db, ver, &rdata,
2821*00b67f09SDavid van Moolenbroek &ok));
2822*00b67f09SDavid van Moolenbroek if (! ok) {
2823*00b67f09SDavid van Moolenbroek update_log(client, zone,
2824*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2825*00b67f09SDavid van Moolenbroek "SOA update failed to "
2826*00b67f09SDavid van Moolenbroek "increment serial, "
2827*00b67f09SDavid van Moolenbroek "ignoring it");
2828*00b67f09SDavid van Moolenbroek continue;
2829*00b67f09SDavid van Moolenbroek }
2830*00b67f09SDavid van Moolenbroek soa_serial_changed = ISC_TRUE;
2831*00b67f09SDavid van Moolenbroek }
2832*00b67f09SDavid van Moolenbroek
2833*00b67f09SDavid van Moolenbroek if (rdata.type == privatetype) {
2834*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
2835*00b67f09SDavid van Moolenbroek "attempt to add a private type "
2836*00b67f09SDavid van Moolenbroek "(%u) record rejected internal "
2837*00b67f09SDavid van Moolenbroek "use only", privatetype);
2838*00b67f09SDavid van Moolenbroek continue;
2839*00b67f09SDavid van Moolenbroek }
2840*00b67f09SDavid van Moolenbroek
2841*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_nsec3param) {
2842*00b67f09SDavid van Moolenbroek /*
2843*00b67f09SDavid van Moolenbroek * Ignore attempts to add NSEC3PARAM records
2844*00b67f09SDavid van Moolenbroek * with any flags other than OPTOUT.
2845*00b67f09SDavid van Moolenbroek */
2846*00b67f09SDavid van Moolenbroek if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
2847*00b67f09SDavid van Moolenbroek update_log(client, zone,
2848*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2849*00b67f09SDavid van Moolenbroek "attempt to add NSEC3PARAM "
2850*00b67f09SDavid van Moolenbroek "record with non OPTOUT "
2851*00b67f09SDavid van Moolenbroek "flag");
2852*00b67f09SDavid van Moolenbroek continue;
2853*00b67f09SDavid van Moolenbroek }
2854*00b67f09SDavid van Moolenbroek }
2855*00b67f09SDavid van Moolenbroek
2856*00b67f09SDavid van Moolenbroek if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
2857*00b67f09SDavid van Moolenbroek dns_name_internalwildcard(name)) {
2858*00b67f09SDavid van Moolenbroek char namestr[DNS_NAME_FORMATSIZE];
2859*00b67f09SDavid van Moolenbroek dns_name_format(name, namestr,
2860*00b67f09SDavid van Moolenbroek sizeof(namestr));
2861*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
2862*00b67f09SDavid van Moolenbroek "warning: ownername '%s' contains "
2863*00b67f09SDavid van Moolenbroek "a non-terminal wildcard", namestr);
2864*00b67f09SDavid van Moolenbroek }
2865*00b67f09SDavid van Moolenbroek
2866*00b67f09SDavid van Moolenbroek if ((options2 & DNS_ZONEOPT2_CHECKTTL) != 0) {
2867*00b67f09SDavid van Moolenbroek maxttl = dns_zone_getmaxttl(zone);
2868*00b67f09SDavid van Moolenbroek if (ttl > maxttl) {
2869*00b67f09SDavid van Moolenbroek ttl = maxttl;
2870*00b67f09SDavid van Moolenbroek update_log(client, zone,
2871*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2872*00b67f09SDavid van Moolenbroek "reducing TTL to the "
2873*00b67f09SDavid van Moolenbroek "configured max-zone-ttl %d",
2874*00b67f09SDavid van Moolenbroek maxttl);
2875*00b67f09SDavid van Moolenbroek }
2876*00b67f09SDavid van Moolenbroek }
2877*00b67f09SDavid van Moolenbroek
2878*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
2879*00b67f09SDavid van Moolenbroek char namestr[DNS_NAME_FORMATSIZE];
2880*00b67f09SDavid van Moolenbroek char typestr[DNS_RDATATYPE_FORMATSIZE];
2881*00b67f09SDavid van Moolenbroek char rdstr[2048];
2882*00b67f09SDavid van Moolenbroek isc_buffer_t buf;
2883*00b67f09SDavid van Moolenbroek int len = 0;
2884*00b67f09SDavid van Moolenbroek const char *truncated = "";
2885*00b67f09SDavid van Moolenbroek
2886*00b67f09SDavid van Moolenbroek dns_name_format(name, namestr, sizeof(namestr));
2887*00b67f09SDavid van Moolenbroek dns_rdatatype_format(rdata.type, typestr,
2888*00b67f09SDavid van Moolenbroek sizeof(typestr));
2889*00b67f09SDavid van Moolenbroek isc_buffer_init(&buf, rdstr, sizeof(rdstr));
2890*00b67f09SDavid van Moolenbroek result = dns_rdata_totext(&rdata, NULL, &buf);
2891*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOSPACE) {
2892*00b67f09SDavid van Moolenbroek len = (int)isc_buffer_usedlength(&buf);
2893*00b67f09SDavid van Moolenbroek truncated = " [TRUNCATED]";
2894*00b67f09SDavid van Moolenbroek } else if (result != ISC_R_SUCCESS) {
2895*00b67f09SDavid van Moolenbroek snprintf(rdstr, sizeof(rdstr), "[dns_"
2896*00b67f09SDavid van Moolenbroek "rdata_totext failed: %s]",
2897*00b67f09SDavid van Moolenbroek dns_result_totext(result));
2898*00b67f09SDavid van Moolenbroek len = strlen(rdstr);
2899*00b67f09SDavid van Moolenbroek } else
2900*00b67f09SDavid van Moolenbroek len = (int)isc_buffer_usedlength(&buf);
2901*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
2902*00b67f09SDavid van Moolenbroek "adding an RR at '%s' %s %.*s%s",
2903*00b67f09SDavid van Moolenbroek namestr, typestr, len, rdstr,
2904*00b67f09SDavid van Moolenbroek truncated);
2905*00b67f09SDavid van Moolenbroek }
2906*00b67f09SDavid van Moolenbroek
2907*00b67f09SDavid van Moolenbroek /* Prepare the affected RRset for the addition. */
2908*00b67f09SDavid van Moolenbroek {
2909*00b67f09SDavid van Moolenbroek add_rr_prepare_ctx_t ctx;
2910*00b67f09SDavid van Moolenbroek ctx.db = db;
2911*00b67f09SDavid van Moolenbroek ctx.ver = ver;
2912*00b67f09SDavid van Moolenbroek ctx.diff = &diff;
2913*00b67f09SDavid van Moolenbroek ctx.name = name;
2914*00b67f09SDavid van Moolenbroek ctx.update_rr = &rdata;
2915*00b67f09SDavid van Moolenbroek ctx.update_rr_ttl = ttl;
2916*00b67f09SDavid van Moolenbroek ctx.ignore_add = ISC_FALSE;
2917*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &ctx.del_diff);
2918*00b67f09SDavid van Moolenbroek dns_diff_init(mctx, &ctx.add_diff);
2919*00b67f09SDavid van Moolenbroek CHECK(foreach_rr(db, ver, name, rdata.type,
2920*00b67f09SDavid van Moolenbroek covers, add_rr_prepare_action,
2921*00b67f09SDavid van Moolenbroek &ctx));
2922*00b67f09SDavid van Moolenbroek
2923*00b67f09SDavid van Moolenbroek if (ctx.ignore_add) {
2924*00b67f09SDavid van Moolenbroek dns_diff_clear(&ctx.del_diff);
2925*00b67f09SDavid van Moolenbroek dns_diff_clear(&ctx.add_diff);
2926*00b67f09SDavid van Moolenbroek } else {
2927*00b67f09SDavid van Moolenbroek result = do_diff(&ctx.del_diff, db, ver,
2928*00b67f09SDavid van Moolenbroek &diff);
2929*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS) {
2930*00b67f09SDavid van Moolenbroek result = do_diff(&ctx.add_diff,
2931*00b67f09SDavid van Moolenbroek db, ver,
2932*00b67f09SDavid van Moolenbroek &diff);
2933*00b67f09SDavid van Moolenbroek }
2934*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
2935*00b67f09SDavid van Moolenbroek dns_diff_clear(&ctx.del_diff);
2936*00b67f09SDavid van Moolenbroek dns_diff_clear(&ctx.add_diff);
2937*00b67f09SDavid van Moolenbroek goto failure;
2938*00b67f09SDavid van Moolenbroek }
2939*00b67f09SDavid van Moolenbroek CHECK(update_one_rr(db, ver, &diff,
2940*00b67f09SDavid van Moolenbroek DNS_DIFFOP_ADD,
2941*00b67f09SDavid van Moolenbroek name, ttl, &rdata));
2942*00b67f09SDavid van Moolenbroek }
2943*00b67f09SDavid van Moolenbroek }
2944*00b67f09SDavid van Moolenbroek } else if (update_class == dns_rdataclass_any) {
2945*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_any) {
2946*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx,
2947*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL))
2948*00b67f09SDavid van Moolenbroek {
2949*00b67f09SDavid van Moolenbroek char namestr[DNS_NAME_FORMATSIZE];
2950*00b67f09SDavid van Moolenbroek dns_name_format(name, namestr,
2951*00b67f09SDavid van Moolenbroek sizeof(namestr));
2952*00b67f09SDavid van Moolenbroek update_log(client, zone,
2953*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2954*00b67f09SDavid van Moolenbroek "delete all rrsets from "
2955*00b67f09SDavid van Moolenbroek "name '%s'", namestr);
2956*00b67f09SDavid van Moolenbroek }
2957*00b67f09SDavid van Moolenbroek if (dns_name_equal(name, zonename)) {
2958*00b67f09SDavid van Moolenbroek CHECK(delete_if(type_not_soa_nor_ns_p,
2959*00b67f09SDavid van Moolenbroek db, ver, name,
2960*00b67f09SDavid van Moolenbroek dns_rdatatype_any, 0,
2961*00b67f09SDavid van Moolenbroek &rdata, &diff));
2962*00b67f09SDavid van Moolenbroek } else {
2963*00b67f09SDavid van Moolenbroek CHECK(delete_if(type_not_dnssec,
2964*00b67f09SDavid van Moolenbroek db, ver, name,
2965*00b67f09SDavid van Moolenbroek dns_rdatatype_any, 0,
2966*00b67f09SDavid van Moolenbroek &rdata, &diff));
2967*00b67f09SDavid van Moolenbroek }
2968*00b67f09SDavid van Moolenbroek } else if (dns_name_equal(name, zonename) &&
2969*00b67f09SDavid van Moolenbroek (rdata.type == dns_rdatatype_soa ||
2970*00b67f09SDavid van Moolenbroek rdata.type == dns_rdatatype_ns)) {
2971*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
2972*00b67f09SDavid van Moolenbroek "attempt to delete all SOA "
2973*00b67f09SDavid van Moolenbroek "or NS records ignored");
2974*00b67f09SDavid van Moolenbroek continue;
2975*00b67f09SDavid van Moolenbroek } else {
2976*00b67f09SDavid van Moolenbroek if (isc_log_wouldlog(ns_g_lctx,
2977*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL))
2978*00b67f09SDavid van Moolenbroek {
2979*00b67f09SDavid van Moolenbroek char namestr[DNS_NAME_FORMATSIZE];
2980*00b67f09SDavid van Moolenbroek char typestr[DNS_RDATATYPE_FORMATSIZE];
2981*00b67f09SDavid van Moolenbroek dns_name_format(name, namestr,
2982*00b67f09SDavid van Moolenbroek sizeof(namestr));
2983*00b67f09SDavid van Moolenbroek dns_rdatatype_format(rdata.type,
2984*00b67f09SDavid van Moolenbroek typestr,
2985*00b67f09SDavid van Moolenbroek sizeof(typestr));
2986*00b67f09SDavid van Moolenbroek update_log(client, zone,
2987*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
2988*00b67f09SDavid van Moolenbroek "deleting rrset at '%s' %s",
2989*00b67f09SDavid van Moolenbroek namestr, typestr);
2990*00b67f09SDavid van Moolenbroek }
2991*00b67f09SDavid van Moolenbroek CHECK(delete_if(true_p, db, ver, name,
2992*00b67f09SDavid van Moolenbroek rdata.type, covers, &rdata,
2993*00b67f09SDavid van Moolenbroek &diff));
2994*00b67f09SDavid van Moolenbroek }
2995*00b67f09SDavid van Moolenbroek } else if (update_class == dns_rdataclass_none) {
2996*00b67f09SDavid van Moolenbroek char namestr[DNS_NAME_FORMATSIZE];
2997*00b67f09SDavid van Moolenbroek char typestr[DNS_RDATATYPE_FORMATSIZE];
2998*00b67f09SDavid van Moolenbroek
2999*00b67f09SDavid van Moolenbroek /*
3000*00b67f09SDavid van Moolenbroek * The (name == zonename) condition appears in
3001*00b67f09SDavid van Moolenbroek * RFC2136 3.4.2.4 but is missing from the pseudocode.
3002*00b67f09SDavid van Moolenbroek */
3003*00b67f09SDavid van Moolenbroek if (dns_name_equal(name, zonename)) {
3004*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_soa) {
3005*00b67f09SDavid van Moolenbroek update_log(client, zone,
3006*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
3007*00b67f09SDavid van Moolenbroek "attempt to delete SOA "
3008*00b67f09SDavid van Moolenbroek "ignored");
3009*00b67f09SDavid van Moolenbroek continue;
3010*00b67f09SDavid van Moolenbroek }
3011*00b67f09SDavid van Moolenbroek if (rdata.type == dns_rdatatype_ns) {
3012*00b67f09SDavid van Moolenbroek int count;
3013*00b67f09SDavid van Moolenbroek CHECK(rr_count(db, ver, name,
3014*00b67f09SDavid van Moolenbroek dns_rdatatype_ns,
3015*00b67f09SDavid van Moolenbroek 0, &count));
3016*00b67f09SDavid van Moolenbroek if (count == 1) {
3017*00b67f09SDavid van Moolenbroek update_log(client, zone,
3018*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL,
3019*00b67f09SDavid van Moolenbroek "attempt to "
3020*00b67f09SDavid van Moolenbroek "delete last "
3021*00b67f09SDavid van Moolenbroek "NS ignored");
3022*00b67f09SDavid van Moolenbroek continue;
3023*00b67f09SDavid van Moolenbroek }
3024*00b67f09SDavid van Moolenbroek }
3025*00b67f09SDavid van Moolenbroek }
3026*00b67f09SDavid van Moolenbroek dns_name_format(name, namestr, sizeof(namestr));
3027*00b67f09SDavid van Moolenbroek dns_rdatatype_format(rdata.type, typestr,
3028*00b67f09SDavid van Moolenbroek sizeof(typestr));
3029*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
3030*00b67f09SDavid van Moolenbroek "deleting an RR at %s %s", namestr, typestr);
3031*00b67f09SDavid van Moolenbroek CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type,
3032*00b67f09SDavid van Moolenbroek covers, &rdata, &diff));
3033*00b67f09SDavid van Moolenbroek }
3034*00b67f09SDavid van Moolenbroek }
3035*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE)
3036*00b67f09SDavid van Moolenbroek FAIL(result);
3037*00b67f09SDavid van Moolenbroek
3038*00b67f09SDavid van Moolenbroek /*
3039*00b67f09SDavid van Moolenbroek * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
3040*00b67f09SDavid van Moolenbroek * If they don't then back out all changes to DNSKEY/NSEC3PARAM
3041*00b67f09SDavid van Moolenbroek * records.
3042*00b67f09SDavid van Moolenbroek */
3043*00b67f09SDavid van Moolenbroek if (! ISC_LIST_EMPTY(diff.tuples))
3044*00b67f09SDavid van Moolenbroek CHECK(check_dnssec(client, zone, db, ver, &diff));
3045*00b67f09SDavid van Moolenbroek
3046*00b67f09SDavid van Moolenbroek if (! ISC_LIST_EMPTY(diff.tuples)) {
3047*00b67f09SDavid van Moolenbroek unsigned int errors = 0;
3048*00b67f09SDavid van Moolenbroek CHECK(dns_zone_nscheck(zone, db, ver, &errors));
3049*00b67f09SDavid van Moolenbroek if (errors != 0) {
3050*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
3051*00b67f09SDavid van Moolenbroek "update rejected: post update name server "
3052*00b67f09SDavid van Moolenbroek "sanity check failed");
3053*00b67f09SDavid van Moolenbroek result = DNS_R_REFUSED;
3054*00b67f09SDavid van Moolenbroek goto failure;
3055*00b67f09SDavid van Moolenbroek }
3056*00b67f09SDavid van Moolenbroek }
3057*00b67f09SDavid van Moolenbroek
3058*00b67f09SDavid van Moolenbroek /*
3059*00b67f09SDavid van Moolenbroek * If any changes were made, increment the SOA serial number,
3060*00b67f09SDavid van Moolenbroek * update RRSIGs and NSECs (if zone is secure), and write the update
3061*00b67f09SDavid van Moolenbroek * to the journal.
3062*00b67f09SDavid van Moolenbroek */
3063*00b67f09SDavid van Moolenbroek if (! ISC_LIST_EMPTY(diff.tuples)) {
3064*00b67f09SDavid van Moolenbroek char *journalfile;
3065*00b67f09SDavid van Moolenbroek dns_journal_t *journal;
3066*00b67f09SDavid van Moolenbroek isc_boolean_t has_dnskey;
3067*00b67f09SDavid van Moolenbroek
3068*00b67f09SDavid van Moolenbroek /*
3069*00b67f09SDavid van Moolenbroek * Increment the SOA serial, but only if it was not
3070*00b67f09SDavid van Moolenbroek * changed as a result of an update operation.
3071*00b67f09SDavid van Moolenbroek */
3072*00b67f09SDavid van Moolenbroek if (! soa_serial_changed) {
3073*00b67f09SDavid van Moolenbroek CHECK(update_soa_serial(db, ver, &diff, mctx,
3074*00b67f09SDavid van Moolenbroek dns_zone_getserialupdatemethod(zone)));
3075*00b67f09SDavid van Moolenbroek }
3076*00b67f09SDavid van Moolenbroek
3077*00b67f09SDavid van Moolenbroek CHECK(check_mx(client, zone, db, ver, &diff));
3078*00b67f09SDavid van Moolenbroek
3079*00b67f09SDavid van Moolenbroek CHECK(remove_orphaned_ds(db, ver, &diff));
3080*00b67f09SDavid van Moolenbroek
3081*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
3082*00b67f09SDavid van Moolenbroek 0, &has_dnskey));
3083*00b67f09SDavid van Moolenbroek
3084*00b67f09SDavid van Moolenbroek #define ALLOW_SECURE_TO_INSECURE(zone) \
3085*00b67f09SDavid van Moolenbroek ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
3086*00b67f09SDavid van Moolenbroek
3087*00b67f09SDavid van Moolenbroek CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
3088*00b67f09SDavid van Moolenbroek 0, &had_dnskey));
3089*00b67f09SDavid van Moolenbroek if (!ALLOW_SECURE_TO_INSECURE(zone)) {
3090*00b67f09SDavid van Moolenbroek if (had_dnskey && !has_dnskey) {
3091*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_PROTOCOL,
3092*00b67f09SDavid van Moolenbroek "update rejected: all DNSKEY "
3093*00b67f09SDavid van Moolenbroek "records removed and "
3094*00b67f09SDavid van Moolenbroek "'dnssec-secure-to-insecure' "
3095*00b67f09SDavid van Moolenbroek "not set");
3096*00b67f09SDavid van Moolenbroek result = DNS_R_REFUSED;
3097*00b67f09SDavid van Moolenbroek goto failure;
3098*00b67f09SDavid van Moolenbroek }
3099*00b67f09SDavid van Moolenbroek }
3100*00b67f09SDavid van Moolenbroek
3101*00b67f09SDavid van Moolenbroek CHECK(rollback_private(db, privatetype, ver, &diff));
3102*00b67f09SDavid van Moolenbroek
3103*00b67f09SDavid van Moolenbroek CHECK(add_signing_records(db, privatetype, ver, &diff));
3104*00b67f09SDavid van Moolenbroek
3105*00b67f09SDavid van Moolenbroek CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
3106*00b67f09SDavid van Moolenbroek
3107*00b67f09SDavid van Moolenbroek if (had_dnskey && !has_dnskey) {
3108*00b67f09SDavid van Moolenbroek /*
3109*00b67f09SDavid van Moolenbroek * We are transitioning from secure to insecure.
3110*00b67f09SDavid van Moolenbroek * Cause all NSEC3 chains to be deleted. When the
3111*00b67f09SDavid van Moolenbroek * the last signature for the DNSKEY records are
3112*00b67f09SDavid van Moolenbroek * remove any NSEC chain present will also be removed.
3113*00b67f09SDavid van Moolenbroek */
3114*00b67f09SDavid van Moolenbroek CHECK(dns_nsec3param_deletechains(db, ver, zone,
3115*00b67f09SDavid van Moolenbroek ISC_TRUE, &diff));
3116*00b67f09SDavid van Moolenbroek } else if (has_dnskey && isdnssec(db, ver, privatetype)) {
3117*00b67f09SDavid van Moolenbroek isc_uint32_t interval;
3118*00b67f09SDavid van Moolenbroek dns_update_log_t log;
3119*00b67f09SDavid van Moolenbroek
3120*00b67f09SDavid van Moolenbroek interval = dns_zone_getsigvalidityinterval(zone);
3121*00b67f09SDavid van Moolenbroek log.func = update_log_cb;
3122*00b67f09SDavid van Moolenbroek log.arg = client;
3123*00b67f09SDavid van Moolenbroek result = dns_update_signatures(&log, zone, db, oldver,
3124*00b67f09SDavid van Moolenbroek ver, &diff, interval);
3125*00b67f09SDavid van Moolenbroek
3126*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3127*00b67f09SDavid van Moolenbroek update_log(client, zone,
3128*00b67f09SDavid van Moolenbroek ISC_LOG_ERROR,
3129*00b67f09SDavid van Moolenbroek "RRSIG/NSEC/NSEC3 update failed: %s",
3130*00b67f09SDavid van Moolenbroek isc_result_totext(result));
3131*00b67f09SDavid van Moolenbroek goto failure;
3132*00b67f09SDavid van Moolenbroek }
3133*00b67f09SDavid van Moolenbroek }
3134*00b67f09SDavid van Moolenbroek
3135*00b67f09SDavid van Moolenbroek journalfile = dns_zone_getjournal(zone);
3136*00b67f09SDavid van Moolenbroek if (journalfile != NULL) {
3137*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG,
3138*00b67f09SDavid van Moolenbroek "writing journal %s", journalfile);
3139*00b67f09SDavid van Moolenbroek
3140*00b67f09SDavid van Moolenbroek journal = NULL;
3141*00b67f09SDavid van Moolenbroek result = dns_journal_open(mctx, journalfile,
3142*00b67f09SDavid van Moolenbroek DNS_JOURNAL_CREATE, &journal);
3143*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
3144*00b67f09SDavid van Moolenbroek FAILS(result, "journal open failed");
3145*00b67f09SDavid van Moolenbroek
3146*00b67f09SDavid van Moolenbroek result = dns_journal_write_transaction(journal, &diff);
3147*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3148*00b67f09SDavid van Moolenbroek dns_journal_destroy(&journal);
3149*00b67f09SDavid van Moolenbroek FAILS(result, "journal write failed");
3150*00b67f09SDavid van Moolenbroek }
3151*00b67f09SDavid van Moolenbroek
3152*00b67f09SDavid van Moolenbroek dns_journal_destroy(&journal);
3153*00b67f09SDavid van Moolenbroek }
3154*00b67f09SDavid van Moolenbroek
3155*00b67f09SDavid van Moolenbroek /*
3156*00b67f09SDavid van Moolenbroek * XXXRTH Just a note that this committing code will have
3157*00b67f09SDavid van Moolenbroek * to change to handle databases that need two-phase
3158*00b67f09SDavid van Moolenbroek * commit, but this isn't a priority.
3159*00b67f09SDavid van Moolenbroek */
3160*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG,
3161*00b67f09SDavid van Moolenbroek "committing update transaction");
3162*00b67f09SDavid van Moolenbroek
3163*00b67f09SDavid van Moolenbroek dns_db_closeversion(db, &ver, ISC_TRUE);
3164*00b67f09SDavid van Moolenbroek
3165*00b67f09SDavid van Moolenbroek /*
3166*00b67f09SDavid van Moolenbroek * Mark the zone as dirty so that it will be written to disk.
3167*00b67f09SDavid van Moolenbroek */
3168*00b67f09SDavid van Moolenbroek dns_zone_markdirty(zone);
3169*00b67f09SDavid van Moolenbroek
3170*00b67f09SDavid van Moolenbroek /*
3171*00b67f09SDavid van Moolenbroek * Notify slaves of the change we just made.
3172*00b67f09SDavid van Moolenbroek */
3173*00b67f09SDavid van Moolenbroek dns_zone_notify(zone);
3174*00b67f09SDavid van Moolenbroek
3175*00b67f09SDavid van Moolenbroek /*
3176*00b67f09SDavid van Moolenbroek * Cause the zone to be signed with the key that we
3177*00b67f09SDavid van Moolenbroek * have just added or have the corresponding signatures
3178*00b67f09SDavid van Moolenbroek * deleted.
3179*00b67f09SDavid van Moolenbroek *
3180*00b67f09SDavid van Moolenbroek * Note: we are already committed to this course of action.
3181*00b67f09SDavid van Moolenbroek */
3182*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff.tuples);
3183*00b67f09SDavid van Moolenbroek tuple != NULL;
3184*00b67f09SDavid van Moolenbroek tuple = ISC_LIST_NEXT(tuple, link)) {
3185*00b67f09SDavid van Moolenbroek isc_region_t r;
3186*00b67f09SDavid van Moolenbroek dns_secalg_t algorithm;
3187*00b67f09SDavid van Moolenbroek isc_uint16_t keyid;
3188*00b67f09SDavid van Moolenbroek
3189*00b67f09SDavid van Moolenbroek if (tuple->rdata.type != dns_rdatatype_dnskey)
3190*00b67f09SDavid van Moolenbroek continue;
3191*00b67f09SDavid van Moolenbroek
3192*00b67f09SDavid van Moolenbroek dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
3193*00b67f09SDavid van Moolenbroek if ((dnskey.flags &
3194*00b67f09SDavid van Moolenbroek (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
3195*00b67f09SDavid van Moolenbroek != DNS_KEYOWNER_ZONE)
3196*00b67f09SDavid van Moolenbroek continue;
3197*00b67f09SDavid van Moolenbroek
3198*00b67f09SDavid van Moolenbroek dns_rdata_toregion(&tuple->rdata, &r);
3199*00b67f09SDavid van Moolenbroek algorithm = dnskey.algorithm;
3200*00b67f09SDavid van Moolenbroek keyid = dst_region_computeid(&r, algorithm);
3201*00b67f09SDavid van Moolenbroek
3202*00b67f09SDavid van Moolenbroek result = dns_zone_signwithkey(zone, algorithm, keyid,
3203*00b67f09SDavid van Moolenbroek ISC_TF(tuple->op == DNS_DIFFOP_DEL));
3204*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3205*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
3206*00b67f09SDavid van Moolenbroek "dns_zone_signwithkey failed: %s",
3207*00b67f09SDavid van Moolenbroek dns_result_totext(result));
3208*00b67f09SDavid van Moolenbroek }
3209*00b67f09SDavid van Moolenbroek }
3210*00b67f09SDavid van Moolenbroek
3211*00b67f09SDavid van Moolenbroek /*
3212*00b67f09SDavid van Moolenbroek * Cause the zone to add/delete NSEC3 chains for the
3213*00b67f09SDavid van Moolenbroek * deferred NSEC3PARAM changes.
3214*00b67f09SDavid van Moolenbroek *
3215*00b67f09SDavid van Moolenbroek * Note: we are already committed to this course of action.
3216*00b67f09SDavid van Moolenbroek */
3217*00b67f09SDavid van Moolenbroek for (tuple = ISC_LIST_HEAD(diff.tuples);
3218*00b67f09SDavid van Moolenbroek tuple != NULL;
3219*00b67f09SDavid van Moolenbroek tuple = ISC_LIST_NEXT(tuple, link)) {
3220*00b67f09SDavid van Moolenbroek unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3221*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
3222*00b67f09SDavid van Moolenbroek dns_rdata_nsec3param_t nsec3param;
3223*00b67f09SDavid van Moolenbroek
3224*00b67f09SDavid van Moolenbroek if (tuple->rdata.type != privatetype ||
3225*00b67f09SDavid van Moolenbroek tuple->op != DNS_DIFFOP_ADD)
3226*00b67f09SDavid van Moolenbroek continue;
3227*00b67f09SDavid van Moolenbroek
3228*00b67f09SDavid van Moolenbroek if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
3229*00b67f09SDavid van Moolenbroek buf, sizeof(buf)))
3230*00b67f09SDavid van Moolenbroek continue;
3231*00b67f09SDavid van Moolenbroek dns_rdata_tostruct(&rdata, &nsec3param, NULL);
3232*00b67f09SDavid van Moolenbroek if (nsec3param.flags == 0)
3233*00b67f09SDavid van Moolenbroek continue;
3234*00b67f09SDavid van Moolenbroek
3235*00b67f09SDavid van Moolenbroek result = dns_zone_addnsec3chain(zone, &nsec3param);
3236*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3237*00b67f09SDavid van Moolenbroek update_log(client, zone, ISC_LOG_ERROR,
3238*00b67f09SDavid van Moolenbroek "dns_zone_addnsec3chain failed: %s",
3239*00b67f09SDavid van Moolenbroek dns_result_totext(result));
3240*00b67f09SDavid van Moolenbroek }
3241*00b67f09SDavid van Moolenbroek }
3242*00b67f09SDavid van Moolenbroek } else {
3243*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
3244*00b67f09SDavid van Moolenbroek dns_db_closeversion(db, &ver, ISC_TRUE);
3245*00b67f09SDavid van Moolenbroek }
3246*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
3247*00b67f09SDavid van Moolenbroek goto common;
3248*00b67f09SDavid van Moolenbroek
3249*00b67f09SDavid van Moolenbroek failure:
3250*00b67f09SDavid van Moolenbroek /*
3251*00b67f09SDavid van Moolenbroek * The reason for failure should have been logged at this point.
3252*00b67f09SDavid van Moolenbroek */
3253*00b67f09SDavid van Moolenbroek if (ver != NULL) {
3254*00b67f09SDavid van Moolenbroek update_log(client, zone, LOGLEVEL_DEBUG,
3255*00b67f09SDavid van Moolenbroek "rolling back");
3256*00b67f09SDavid van Moolenbroek dns_db_closeversion(db, &ver, ISC_FALSE);
3257*00b67f09SDavid van Moolenbroek }
3258*00b67f09SDavid van Moolenbroek
3259*00b67f09SDavid van Moolenbroek common:
3260*00b67f09SDavid van Moolenbroek dns_diff_clear(&temp);
3261*00b67f09SDavid van Moolenbroek dns_diff_clear(&diff);
3262*00b67f09SDavid van Moolenbroek
3263*00b67f09SDavid van Moolenbroek if (oldver != NULL)
3264*00b67f09SDavid van Moolenbroek dns_db_closeversion(db, &oldver, ISC_FALSE);
3265*00b67f09SDavid van Moolenbroek
3266*00b67f09SDavid van Moolenbroek if (db != NULL)
3267*00b67f09SDavid van Moolenbroek dns_db_detach(&db);
3268*00b67f09SDavid van Moolenbroek
3269*00b67f09SDavid van Moolenbroek if (ssutable != NULL)
3270*00b67f09SDavid van Moolenbroek dns_ssutable_detach(&ssutable);
3271*00b67f09SDavid van Moolenbroek
3272*00b67f09SDavid van Moolenbroek isc_task_detach(&task);
3273*00b67f09SDavid van Moolenbroek uev->result = result;
3274*00b67f09SDavid van Moolenbroek if (zone != NULL)
3275*00b67f09SDavid van Moolenbroek INSIST(uev->zone == zone); /* we use this later */
3276*00b67f09SDavid van Moolenbroek uev->ev_type = DNS_EVENT_UPDATEDONE;
3277*00b67f09SDavid van Moolenbroek uev->ev_action = updatedone_action;
3278*00b67f09SDavid van Moolenbroek isc_task_send(client->task, &event);
3279*00b67f09SDavid van Moolenbroek
3280*00b67f09SDavid van Moolenbroek INSIST(ver == NULL);
3281*00b67f09SDavid van Moolenbroek INSIST(event == NULL);
3282*00b67f09SDavid van Moolenbroek }
3283*00b67f09SDavid van Moolenbroek
3284*00b67f09SDavid van Moolenbroek static void
updatedone_action(isc_task_t * task,isc_event_t * event)3285*00b67f09SDavid van Moolenbroek updatedone_action(isc_task_t *task, isc_event_t *event) {
3286*00b67f09SDavid van Moolenbroek update_event_t *uev = (update_event_t *) event;
3287*00b67f09SDavid van Moolenbroek ns_client_t *client = (ns_client_t *) event->ev_arg;
3288*00b67f09SDavid van Moolenbroek
3289*00b67f09SDavid van Moolenbroek UNUSED(task);
3290*00b67f09SDavid van Moolenbroek
3291*00b67f09SDavid van Moolenbroek INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
3292*00b67f09SDavid van Moolenbroek INSIST(task == client->task);
3293*00b67f09SDavid van Moolenbroek
3294*00b67f09SDavid van Moolenbroek INSIST(client->nupdates > 0);
3295*00b67f09SDavid van Moolenbroek switch (uev->result) {
3296*00b67f09SDavid van Moolenbroek case ISC_R_SUCCESS:
3297*00b67f09SDavid van Moolenbroek inc_stats(uev->zone, dns_nsstatscounter_updatedone);
3298*00b67f09SDavid van Moolenbroek break;
3299*00b67f09SDavid van Moolenbroek case DNS_R_REFUSED:
3300*00b67f09SDavid van Moolenbroek inc_stats(uev->zone, dns_nsstatscounter_updaterej);
3301*00b67f09SDavid van Moolenbroek break;
3302*00b67f09SDavid van Moolenbroek default:
3303*00b67f09SDavid van Moolenbroek inc_stats(uev->zone, dns_nsstatscounter_updatefail);
3304*00b67f09SDavid van Moolenbroek break;
3305*00b67f09SDavid van Moolenbroek }
3306*00b67f09SDavid van Moolenbroek if (uev->zone != NULL)
3307*00b67f09SDavid van Moolenbroek dns_zone_detach(&uev->zone);
3308*00b67f09SDavid van Moolenbroek client->nupdates--;
3309*00b67f09SDavid van Moolenbroek respond(client, uev->result);
3310*00b67f09SDavid van Moolenbroek isc_event_free(&event);
3311*00b67f09SDavid van Moolenbroek ns_client_detach(&client);
3312*00b67f09SDavid van Moolenbroek }
3313*00b67f09SDavid van Moolenbroek
3314*00b67f09SDavid van Moolenbroek /*%
3315*00b67f09SDavid van Moolenbroek * Update forwarding support.
3316*00b67f09SDavid van Moolenbroek */
3317*00b67f09SDavid van Moolenbroek
3318*00b67f09SDavid van Moolenbroek static void
forward_fail(isc_task_t * task,isc_event_t * event)3319*00b67f09SDavid van Moolenbroek forward_fail(isc_task_t *task, isc_event_t *event) {
3320*00b67f09SDavid van Moolenbroek ns_client_t *client = (ns_client_t *)event->ev_arg;
3321*00b67f09SDavid van Moolenbroek
3322*00b67f09SDavid van Moolenbroek UNUSED(task);
3323*00b67f09SDavid van Moolenbroek
3324*00b67f09SDavid van Moolenbroek INSIST(client->nupdates > 0);
3325*00b67f09SDavid van Moolenbroek client->nupdates--;
3326*00b67f09SDavid van Moolenbroek respond(client, DNS_R_SERVFAIL);
3327*00b67f09SDavid van Moolenbroek isc_event_free(&event);
3328*00b67f09SDavid van Moolenbroek ns_client_detach(&client);
3329*00b67f09SDavid van Moolenbroek }
3330*00b67f09SDavid van Moolenbroek
3331*00b67f09SDavid van Moolenbroek
3332*00b67f09SDavid van Moolenbroek static void
forward_callback(void * arg,isc_result_t result,dns_message_t * answer)3333*00b67f09SDavid van Moolenbroek forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
3334*00b67f09SDavid van Moolenbroek update_event_t *uev = arg;
3335*00b67f09SDavid van Moolenbroek ns_client_t *client = uev->ev_arg;
3336*00b67f09SDavid van Moolenbroek dns_zone_t *zone = uev->zone;
3337*00b67f09SDavid van Moolenbroek
3338*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3339*00b67f09SDavid van Moolenbroek INSIST(answer == NULL);
3340*00b67f09SDavid van Moolenbroek uev->ev_type = DNS_EVENT_UPDATEDONE;
3341*00b67f09SDavid van Moolenbroek uev->ev_action = forward_fail;
3342*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatefwdfail);
3343*00b67f09SDavid van Moolenbroek } else {
3344*00b67f09SDavid van Moolenbroek uev->ev_type = DNS_EVENT_UPDATEDONE;
3345*00b67f09SDavid van Moolenbroek uev->ev_action = forward_done;
3346*00b67f09SDavid van Moolenbroek uev->answer = answer;
3347*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updaterespfwd);
3348*00b67f09SDavid van Moolenbroek }
3349*00b67f09SDavid van Moolenbroek isc_task_send(client->task, ISC_EVENT_PTR(&uev));
3350*00b67f09SDavid van Moolenbroek dns_zone_detach(&zone);
3351*00b67f09SDavid van Moolenbroek }
3352*00b67f09SDavid van Moolenbroek
3353*00b67f09SDavid van Moolenbroek static void
forward_done(isc_task_t * task,isc_event_t * event)3354*00b67f09SDavid van Moolenbroek forward_done(isc_task_t *task, isc_event_t *event) {
3355*00b67f09SDavid van Moolenbroek update_event_t *uev = (update_event_t *) event;
3356*00b67f09SDavid van Moolenbroek ns_client_t *client = (ns_client_t *)event->ev_arg;
3357*00b67f09SDavid van Moolenbroek
3358*00b67f09SDavid van Moolenbroek UNUSED(task);
3359*00b67f09SDavid van Moolenbroek
3360*00b67f09SDavid van Moolenbroek INSIST(client->nupdates > 0);
3361*00b67f09SDavid van Moolenbroek client->nupdates--;
3362*00b67f09SDavid van Moolenbroek ns_client_sendraw(client, uev->answer);
3363*00b67f09SDavid van Moolenbroek dns_message_destroy(&uev->answer);
3364*00b67f09SDavid van Moolenbroek isc_event_free(&event);
3365*00b67f09SDavid van Moolenbroek ns_client_detach(&client);
3366*00b67f09SDavid van Moolenbroek }
3367*00b67f09SDavid van Moolenbroek
3368*00b67f09SDavid van Moolenbroek static void
forward_action(isc_task_t * task,isc_event_t * event)3369*00b67f09SDavid van Moolenbroek forward_action(isc_task_t *task, isc_event_t *event) {
3370*00b67f09SDavid van Moolenbroek update_event_t *uev = (update_event_t *) event;
3371*00b67f09SDavid van Moolenbroek dns_zone_t *zone = uev->zone;
3372*00b67f09SDavid van Moolenbroek ns_client_t *client = (ns_client_t *)event->ev_arg;
3373*00b67f09SDavid van Moolenbroek isc_result_t result;
3374*00b67f09SDavid van Moolenbroek
3375*00b67f09SDavid van Moolenbroek result = dns_zone_forwardupdate(zone, client->message,
3376*00b67f09SDavid van Moolenbroek forward_callback, event);
3377*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
3378*00b67f09SDavid van Moolenbroek uev->ev_type = DNS_EVENT_UPDATEDONE;
3379*00b67f09SDavid van Moolenbroek uev->ev_action = forward_fail;
3380*00b67f09SDavid van Moolenbroek isc_task_send(client->task, &event);
3381*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatefwdfail);
3382*00b67f09SDavid van Moolenbroek dns_zone_detach(&zone);
3383*00b67f09SDavid van Moolenbroek } else
3384*00b67f09SDavid van Moolenbroek inc_stats(zone, dns_nsstatscounter_updatereqfwd);
3385*00b67f09SDavid van Moolenbroek isc_task_detach(&task);
3386*00b67f09SDavid van Moolenbroek }
3387*00b67f09SDavid van Moolenbroek
3388*00b67f09SDavid van Moolenbroek static isc_result_t
send_forward_event(ns_client_t * client,dns_zone_t * zone)3389*00b67f09SDavid van Moolenbroek send_forward_event(ns_client_t *client, dns_zone_t *zone) {
3390*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
3391*00b67f09SDavid van Moolenbroek char classbuf[DNS_RDATACLASS_FORMATSIZE];
3392*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_SUCCESS;
3393*00b67f09SDavid van Moolenbroek update_event_t *event = NULL;
3394*00b67f09SDavid van Moolenbroek isc_task_t *zonetask = NULL;
3395*00b67f09SDavid van Moolenbroek ns_client_t *evclient;
3396*00b67f09SDavid van Moolenbroek
3397*00b67f09SDavid van Moolenbroek /*
3398*00b67f09SDavid van Moolenbroek * This may take some time so replace this client.
3399*00b67f09SDavid van Moolenbroek */
3400*00b67f09SDavid van Moolenbroek if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0)
3401*00b67f09SDavid van Moolenbroek CHECK(ns_client_replace(client));
3402*00b67f09SDavid van Moolenbroek
3403*00b67f09SDavid van Moolenbroek event = (update_event_t *)
3404*00b67f09SDavid van Moolenbroek isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
3405*00b67f09SDavid van Moolenbroek forward_action, NULL, sizeof(*event));
3406*00b67f09SDavid van Moolenbroek if (event == NULL)
3407*00b67f09SDavid van Moolenbroek FAIL(ISC_R_NOMEMORY);
3408*00b67f09SDavid van Moolenbroek event->zone = zone;
3409*00b67f09SDavid van Moolenbroek event->result = ISC_R_SUCCESS;
3410*00b67f09SDavid van Moolenbroek
3411*00b67f09SDavid van Moolenbroek evclient = NULL;
3412*00b67f09SDavid van Moolenbroek ns_client_attach(client, &evclient);
3413*00b67f09SDavid van Moolenbroek INSIST(client->nupdates == 0);
3414*00b67f09SDavid van Moolenbroek client->nupdates++;
3415*00b67f09SDavid van Moolenbroek event->ev_arg = evclient;
3416*00b67f09SDavid van Moolenbroek
3417*00b67f09SDavid van Moolenbroek dns_name_format(dns_zone_getorigin(zone), namebuf,
3418*00b67f09SDavid van Moolenbroek sizeof(namebuf));
3419*00b67f09SDavid van Moolenbroek dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
3420*00b67f09SDavid van Moolenbroek sizeof(classbuf));
3421*00b67f09SDavid van Moolenbroek
3422*00b67f09SDavid van Moolenbroek ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
3423*00b67f09SDavid van Moolenbroek LOGLEVEL_PROTOCOL, "forwarding update for zone '%s/%s'",
3424*00b67f09SDavid van Moolenbroek namebuf, classbuf);
3425*00b67f09SDavid van Moolenbroek
3426*00b67f09SDavid van Moolenbroek dns_zone_gettask(zone, &zonetask);
3427*00b67f09SDavid van Moolenbroek isc_task_send(zonetask, ISC_EVENT_PTR(&event));
3428*00b67f09SDavid van Moolenbroek
3429*00b67f09SDavid van Moolenbroek failure:
3430*00b67f09SDavid van Moolenbroek if (event != NULL)
3431*00b67f09SDavid van Moolenbroek isc_event_free(ISC_EVENT_PTR(&event));
3432*00b67f09SDavid van Moolenbroek return (result);
3433*00b67f09SDavid van Moolenbroek }
3434