update.c revision 26e1af486a8c56671aebda6d3f256364e49117b3
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <isc/assertions.h>
#include <isc/taskpool.h>
#include <dns/dbiterator.h>
#include <dns/fixedname.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
/*
* This module implements dynamic update as in RFC2136.
*/
/*
XXX TODO:
- forwarding
- document strict minimality
*/
/**************************************************************************/
/*
* Convenience macro of common isc_log_write() arguments
* to use in reportings server errors.
*/
#define UPDATE_ERROR_LOGARGS \
/*
* Convenience macro of common isc_log_write() arguments
* to use in tracing dynamic update protocol requests.
*/
#define UPDATE_PROTOCOL_LOGARGS \
/*
* Convenience macro of common isc_log_write() arguments
* to use in low-level debug tracing.
*/
#define UPDATE_DEBUG_LOGARGS \
/*
* Check an operation for failure. These macros all assume that
* the function using them has a 'result' variable and a 'failure'
* label.
*/
} while (0)
/*
* Fail unconditionally with result 'code', which must not
* be DNS_R_SUCCESS. The reason for failure presumably has
* been logged already.
*/
do { \
goto failure; \
} while (0)
/*
* Fail unconditionally and log as a client error.
*/
do { \
"dynamic update failed: %s (%s)", \
goto failure; \
} while (0)
/*
* Fail unconditionally and log as a server error.
*/
do { \
"dynamic update error: %s: %s", \
goto failure; \
} while (0)
/**************************************************************************/
struct rr {
/* dns_name_t name; */
};
typedef struct update_event update_event_t;
struct update_event {
};
/**************************************************************************/
/*
* Forward declarations.
*/
/**************************************************************************/
/*
* Update a single RR in version 'ver' of 'db' and log the
* update in 'diff'.
*
* Ensures:
* '*tuple' == NULL. Either the tuple is freed, or its
* ownership has been transferred to the diff.
*/
static isc_result_t
{
/* Create a singleton diff */
/* Apply it to the database. */
if (result != DNS_R_SUCCESS) {
return (result);
}
/* Merge it into the current pending journal entry. */
/* Do not clear temp_diff. */
return (DNS_R_SUCCESS);
}
static isc_result_t
{
if (result != DNS_R_SUCCESS)
return (result);
}
/**************************************************************************/
/*
* Callback-style iteration over rdatasets and rdatas.
*
* foreach_rrset() can be used to iterate over the RRsets
* of a name and call a callback function with each
* one. Similarly, foreach_rr() can be used to iterate
* over the individual RRs at name, optionally restricted
* to RRs of a given type.
*
* The callback functions are called "actions" and take
* two arguments: a void pointer for passing arbitrary
* context information, and a pointer to the current RRset
* or RR. By convention, their names end in "_action".
*/
/*
* XXXRTH We might want to make this public somewhere in libdns.
*/
/* Function type for foreach_rrset() iterator actions. */
/* Function type for foreach_rr() iterator actions. */
/* Internal context struct for foreach_node_rr(). */
typedef struct {
void * rr_action_data;
/* Internal helper function for foreach_node_rr(). */
static isc_result_t
{
result == DNS_R_SUCCESS;
{
if (result != DNS_R_SUCCESS)
return (result);
}
if (result != DNS_R_NOMORE)
return (result);
return (DNS_R_SUCCESS);
}
/*
* For each rdataset of 'name' in 'ver' of 'db', call 'action'
* with the rdataset and 'action_data' as arguments. If the name
* does not exist, do nothing.
*
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
void *action_data)
{
if (result == DNS_R_NOTFOUND)
return (DNS_R_SUCCESS);
if (result != DNS_R_SUCCESS)
return (result);
(isc_stdtime_t) 0, &iter);
if (result != DNS_R_SUCCESS)
goto cleanup_node;
result == DNS_R_SUCCESS;
{
if (result != DNS_R_SUCCESS)
goto cleanup_iterator;
}
if (result == DNS_R_NOMORE)
return (result);
}
/*
* For each RR of 'name' in 'ver' of 'db', call 'action'
* with the RR and 'action_data' as arguments. If the name
* does not exist, do nothing.
*
* If 'action' returns an error, abort iteration
* and return the error.
*/
static isc_result_t
void *rr_action_data)
{
}
/*
* For each of the RRs specified by 'db', 'ver', 'name', 'type',
* (which can be dns_rdatatype_any to match any type), and 'covers', call
* 'action' with the RR and 'action_data' as arguments. If the name
* does not exist, or if no RRset of the given type exists at the name,
* do nothing.
*
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
void *rr_action_data)
{
if (type == dns_rdatatype_any)
if (result == DNS_R_NOTFOUND)
return (DNS_R_SUCCESS);
if (result != DNS_R_SUCCESS)
return (result);
if (result == DNS_R_NOTFOUND) {
goto cleanup_node;
}
if (result != DNS_R_SUCCESS)
goto cleanup_node;
result == DNS_R_SUCCESS;
{
if (result != DNS_R_SUCCESS)
goto cleanup_rdataset;
}
if (result != DNS_R_NOMORE)
goto cleanup_rdataset;
return (result);
}
/**************************************************************************/
/*
* Various tests on the database contents (for prerequisites, etc).
*/
/*
* Function type for predicate functions that compare a database RR 'db_rr'
* against an update RR 'update_rr'.
*/
/* Helper function for rrset_exists(). */
static isc_result_t
{
return (DNS_R_EXISTS);
}
/*
* Utility macro for RR existence checking functions.
*
* If the variable 'result' has the value DNS_R_EXISTS or
* DNS_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
* respectively, and return success.
*
* If 'result' has any other value, there was a failure.
* Return the failure result code and do not set *exists.
*
* This would be more readable as "do { if ... } while(0)",
* but that form generates tons of warnings on Solaris 2.6.
*/
#define RETURN_EXISTENCE_FLAG \
return ((result == DNS_R_EXISTS) ? \
((result == DNS_R_SUCCESS) ? \
result));
/*
* Set '*exists' to true iff an rrset of the given type exists,
* to false otherwise.
*/
static isc_result_t
{
}
/* Helper function for cname_incompatible_rrset_exists */
static isc_result_t
/*ARGSUSED*/
{
return (DNS_R_EXISTS);
return (DNS_R_SUCCESS);
}
/*
* Check whether there is an rrset incompatible with adding a CNAME RR,
* i.e., anything but another CNAME (which can be replaced) or a
* DNSSEC RR (which can coexist).
*
* If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
* Otherwise, set it to ISC_FALSE.
*/
static isc_result_t
}
/* Helper function for rr_count(). */
static isc_result_t
(*countp)++;
return (DNS_R_SUCCESS);
}
/*
* Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
*/
static isc_result_t
{
*countp = 0;
}
/* Context struct for matching_rr_exists(). */
typedef struct {
/* Helper function for matching_rr_exists(). */
static isc_result_t
return (DNS_R_EXISTS);
return (DNS_R_SUCCESS);
}
/*
* Compare the 'update_rr' with all RRs in the RRset specified by 'db',
* 'ver', 'name', and 'type' using 'predicate'. If the predicate returns
* true for at least one of them, set '*exists' to ISC_TRUE. Otherwise,
* set it to ISC_FALSE.
*/
static isc_result_t
{
}
/* Context struct and helper function for name_exists() */
static isc_result_t
{
return (DNS_R_EXISTS);
}
/*
* Set '*exists' to true iff the given name exists, to false otherwise.
*/
static isc_result_t
{
}
/**************************************************************************/
/*
* Checking of "RRset exists (value dependent)" prerequisites.
*
* In the RFC2136 section 3.2.5, this is the pseudocode involving
* a variable called "temp", a mapping of <name, type> tuples to rrsets.
*
* Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t"
* where each typle has op==DNS_DIFFOP_EXISTS.
*/
/*
* Append a tuple asserting the existence of the RR with
* 'name' and 'rdata' to 'diff'.
*/
static isc_result_t
{
return (result);
}
/*
* Compare two rdatasets represented as sorted lists of tuples.
* All list elements must have the same owner name and type.
* Return DNS_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
* if not.
*/
static isc_result_t
for (;;) {
break;
return (DNS_R_NXRRSET);
a = ISC_LIST_NEXT(a, link);
b = ISC_LIST_NEXT(b, link);
}
return (DNS_R_NXRRSET);
return (DNS_R_SUCCESS);
}
/*
* A comparison function defining the sorting order for the entries
* in the "temp" data structure. The major sort key is the owner name,
* followed by the type and rdata.
*/
static int
{
dns_difftuple_t *a = *ap;
dns_difftuple_t *b = *bp;
int r;
if (r != 0)
return (r);
if (r != 0)
return (r);
return (r);
}
/*
* Check the "RRset exists (value dependent)" prerequisite information
* in 'temp' against the contents of the database 'db'.
*
* Return DNS_R_SUCCESS if the prerequisites are satisfied,
* rcode(dns_rcode_nxrrset) if not.
*/
static isc_result_t
{
dns_difftuple_t *t;
/* Exit early if the list is empty (for efficiency only). */
return (DNS_R_SUCCESS);
/*
* Sort the prerequisite records by owner name,
* type, and rdata.
*/
if (result != DNS_R_SUCCESS)
return (result);
/*
* For each name and type in the prerequisites,
* construct a sorted rdata list of the corresponding
* database contents, and compare the lists.
*/
while (t != NULL) {
/* A new unique name begins here. */
if (result == DNS_R_NOTFOUND)
return (DNS_R_NXRRSET);
if (result != DNS_R_SUCCESS)
return (result);
/* A new unique type begins here. */
this name and type */
this name and type */
if (type == dns_rdatatype_sig)
else
covers = 0;
/*
* Collect all database RRs for this name and type
* onto d_rrs and sort them.
*/
covers, (isc_stdtime_t) 0,
if (result != DNS_R_SUCCESS) {
return (DNS_R_NXRRSET);
}
result == DNS_R_SUCCESS;
{
if (result != DNS_R_SUCCESS)
goto failure;
}
if (result != DNS_R_NOMORE)
goto failure;
if (result != DNS_R_SUCCESS)
goto failure;
/*
* Collect all update RRs for this name and type
* onto u_rrs. No need to sort them here -
* they are already sorted.
*/
while (t != NULL &&
{
ISC_LIST_NEXT(t, link);
t = next;
}
/* Compare the two sorted lists. */
if (result != DNS_R_SUCCESS)
goto failure;
/*
* We are done with the tuples, but we can't free
* them yet because "name" still points into one
* of them. Move them on a temporary list.
*/
continue;
return (result);
}
}
return (DNS_R_SUCCESS);
}
/**************************************************************************/
/*
* Conditional deletion of RRs.
*/
/* Context structure for delete_if(). */
typedef struct {
/* Predicate functions for delete_if(). */
/* Return true iff 'update_rr' is neither a SOA nor an NS RR. */
static isc_boolean_t
{
}
/* Return true always. */
static isc_boolean_t
{
return (ISC_TRUE);
}
/* Return true iff the two RRs have identical rdata. */
static isc_boolean_t
/*
* XXXRTH This is not a problem, but we should consider creating
* dns_rdata_equal() (that used dns_name_equal()), since it
* would be faster. Not a priority.
*/
}
/*
* Return true iff 'update_rr' should replace 'db_rr' according
* to the special RFC2136 rules for CNAME, SOA, and WKS records.
*/
static isc_boolean_t
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_TRUE);
/*
* RFC2136 does not mention NXT, but multiple NXTs make little
* sense, so we replace those, too.
*/
return (ISC_TRUE);
/*
* Compare the address and protocol fields only. These
* form the first five bytes of the RR data. Do a
* raw binary comparison; unpacking the WKS RRs using
* dns_rdata_tostruct() might be cleaner in some ways,
* but it would require us to pass around an mctx.
*/
}
return (ISC_FALSE);
}
/* Internal helper function for delete_if(). */
static isc_result_t
return (result);
} else {
return (DNS_R_SUCCESS);
}
}
/*
* Conditionally delete RRs. Apply 'predicate' to the RRs
* specified by 'db', 'ver', 'name', and 'type' (which can
* be dns_rdatatype_any to match any type). Delete those
* RRs for which the predicate returns true, and log the
* deletions in 'diff'.
*/
static isc_result_t
{
delete_if_action, &ctx));
}
/**************************************************************************/
/*
* Miscellaneous subroutines.
*/
/*
* Extract a single update RR from 'section' of dynamic update message
* 'msg', with consistency checking.
*
* Stores the owner name, rdata, and TTL of the update RR at 'name',
* 'rdata', and 'ttl', respectively.
*/
static void
{
}
/*
* Increment the SOA serial number of database 'db', version 'ver'.
* Replace the SOA record in the database, and log the
* change in 'diff'.
*/
/*
* XXXRTH Failures in this routine will be worth logging, when
* we have a logging system. Failure to find the zonename
* or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
*/
static isc_result_t
{
/* RFC1982 */
if (serial == 0)
serial = 1;
return (result);
}
/*
* Check that the new SOA record at 'update_rdata' does not
* illegally cause the SOA serial number to decrease or stay
* unchanged relative to the existing SOA in 'db'.
*
* Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
*
* William King points out that RFC2136 is inconsistent about
* the case where the serial number stays unchanged:
*
* section 3.4.2.2 requires a server to ignore a SOA update request
* if the serial number on the update SOA is less_than_or_equal to
* the zone SOA serial.
*
* section 3.6 requires a server to ignore a SOA update request if
* the serial is less_than the zone SOA serial.
*
* Paul says 3.4.2.2 is correct.
*
*/
static isc_result_t
{
if (result != DNS_R_SUCCESS)
return (result);
} else {
}
return (DNS_R_SUCCESS);
}
/**************************************************************************/
/*
* Incremental updating of NXTs and SIGs.
*/
/*
* We abuse the dns_diff_t type to represent a set of domain names
* affected by the update.
*/
static isc_result_t
&dummy_rdata, &tuple));
return (result);
}
static isc_result_t
{
result == DNS_R_SUCCESS;
{
break;
}
return (result);
}
/* Helper function for non_nxt_rrset_exists(). */
static isc_result_t
/*ARGSUSED*/
{
return (DNS_R_EXISTS);
return (DNS_R_SUCCESS);
}
/*
* Check whether there is an rrset other than a NXT or SIG NXT,
* i.e., anything that justifies the continued existence of a name
* after a secure update.
*
* If such an rrset exists, set '*exists' to ISC_TRUE.
* Otherwise, set it to ISC_FALSE.
*/
static isc_result_t
}
/*
* A comparison function for sorting dns_diff_t:s by name.
*/
static int
{
dns_difftuple_t *a = *ap;
dns_difftuple_t *b = *bp;
}
static isc_result_t
dns_difftuple_t *p, *q;
while (p != NULL) {
do {
q = ISC_LIST_NEXT(p, link);
break;
dns_difftuple_free(&q);
} while (1);
p = ISC_LIST_NEXT(p, link);
}
return (result);
}
static isc_result_t
{
(isc_stdtime_t) 0, NULL,
if (result == DNS_R_SUCCESS) {
return (DNS_R_SUCCESS);
} else if (result == DNS_R_ZONECUT) {
/* XXX should omit non-delegation types from NXT */
return (DNS_R_SUCCESS);
} else if (result == DNS_R_GLUE) {
return (DNS_R_SUCCESS);
} else {
return (result);
}
}
/*
* In other words, skip empty database nodes and names that
* have had their NXTs removed because they are obscured by
* a zone cut.
*/
static isc_result_t
{
do {
if (forward)
else
if (result == DNS_R_NOMORE) {
/* Wrap around. */
if (forward)
else
}
/*
* The iterator may hold the tree lock, and
* rrset_exists() calls dns_db_findnode() which
* may try to reacquire it. To avoid deadlock
* we must pause the iterator first.
*/
dns_rdatatype_nxt, 0, &has_nxt));
} while (! has_nxt);
return (result);
}
/*
* Add a NXT record for "name", recording the change in "diff".
*/
static isc_result_t
unsigned char buffer[DNS_NXT_BUFFERSIZE];
/* Find the successor name, aka NXT target. */
/* Create the NXT RDATA. */
/* Create a diff tuple, update the database, and record the change. */
3600, /* XXXRTH */
return (result);
}
/*
* Add a placeholder NXT record for "name", recording the change in "diff".
*/
static isc_result_t
isc_region_t r;
return (result);
}
static isc_result_t
{
return (result);
}
/*
* Add SIG records for an RRset, recording the change in "diff".
*/
static isc_result_t
{
unsigned int i;
/* Get the rdataset to sign. */
(isc_stdtime_t) 0,
for (i = 0; i < nkeys; i++) {
/* Calculate the signature, creating a SIG RDATA. */
/* Update the database and journal with the SIG. */
/* XXX inefficient - will cause dataset merging */
}
return (result);
}
/*
* Update SIG and NXT records affected by an update. The original
* update, including the SOA serial update but exluding the SIG & NXT
* changes, is in "diff" and has already been applied to "newver" of "db".
* The database version prior to the update is "oldver".
*
* The necessary SIG and NXT changes will be applied to "newver"
* and added (as a minimal diff) to "diff".
*/
static isc_result_t
{
dns_difftuple_t *t;
unsigned int nkeys = 0;
unsigned int i;
if (result != DNS_R_SUCCESS) {
"could not get zone keys for secure "
"dynamic update");
goto failure;
}
/*
* Find all RRsets directly affected by the update, and
* update their SIGs. Also build a list of names affected
* by the update in "diffnames".
*/
while (t != NULL) {
/* Now "name" is a new, unique name affected by the update. */
/*
* Now "name" and "type" denote a new unique RRset
* affected by the update.
*/
/* Don't sign SIGs. */
if (type == dns_rdatatype_sig)
goto skip;
/*
* Delete all old SIGs covering this type, since they
* are all invalid when the signed RRset has changed.
* We may not be able to recreate all of them - tough.
*/
/*
* If this RRset still exists after the update,
* add a new signature for it.
*/
if (flag) {
}
skip:
/* Skip any other updates to the same RRset. */
while (t != NULL &&
{
t = ISC_LIST_NEXT(t, link);
}
}
}
/* Remove orphaned NXTs and SIG NXTs. */
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
if (! flag) {
}
}
/*
* When a name is created or deleted, its predecessor needs to
* have its NXT updated.
*/
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
continue;
/*
* Find the predecessor.
* When names become obscured or unobscured in this update
* transaction, we may find the wrong predecessor because
* the NXTs have not yet been updated to reflect the delegation
* change. This should not matter because in this case,
* the correct predecessor is either the delegation node or
* a newly unobscured node, and those nodes are on the
* "affected" list in any case.
*/
}
/* Find names affected by delegation changes. */
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
&existed));
&exists));
continue;
/*
* There was a delegation change. Mark all subdomains
* of t->name as potentially needing a NXT update.
*/
}
/*
* NXTs to make it so. We don't know the final NXT targets yet,
* so we just create placeholder NXTs with arbitrary contents
* to indicate that their respective owner names should be part of
* the NXT chain.
*/
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
if (! exists)
continue;
if (flag) {
/*
* This name is obscured. Delete any
* existing NXT record.
*/
} else {
/* This name is not obscured. It should have a NXT. */
dns_rdatatype_nxt, 0, &flag));
if (! flag) {
}
}
}
/*
* Now we know which names are part of the NXT chain.
* Make them all point at their correct targets.
*/
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
dns_rdatatype_nxt, 0, &flag));
if (flag) {
/*
* There is a NXT, but we don't know if it is correct.
* Delete it and create a correct one to be sure.
* If the update was unnecessary, the diff minimization
* will take care of eliminating it from the journal,
* IXFRs, etc.
*
* The SIG bit should always be set in the NXTs
* we generate, because they will all get SIG NXTs.
* (XXX what if the zone keys are missing?).
* Because the SIG NXTs have not necessarily been
* created yet, the correctness of the bit mask relies
* on the assumption that NXTs are only created if
* there is other data, and if there is other data,
* there are other SIGs.
*/
}
}
/*
* Minimize the set of NXT updates so that we don't
* have to regenerate the SIG NXTs for NXTs that were
* replaced with identical ones.
*/
}
/* Update SIG NXTs. */
t != NULL;
t = ISC_LIST_NEXT(t, link))
{
if (t->op == DNS_DIFFOP_DEL) {
} else if (t->op == DNS_DIFFOP_ADD) {
expire));
} else {
INSIST(0);
}
}
/* Record our changes for the journal. */
dns_diff_appendminimal(diff, &t);
}
dns_diff_appendminimal(diff, &t);
}
for (i = 0; i < nkeys; i++)
dst_key_free(zone_keys[i]);
return (result);
}
/**************************************************************************/
/*
* The actual update code in all its glory. We try to follow
* the RFC2136 pseudocode as closely as possible.
*/
static isc_result_t
event = (update_event_t *)
return (result);
}
static void
if (msg_result != DNS_R_SUCCESS)
goto msg_failure;
return;
"could not create update response message: %s",
}
void
{
/*
* Interpret the zone section.
*/
if (result != DNS_R_SUCCESS)
"update zone section empty");
/*
* The zone section must contain exactly one "question", and
* it must be of type SOA.
*/
"update zone section contains non-SOA");
"update zone section contains multiple RRs");
/* The zone section must have exactly one name. */
if (result != DNS_R_NOMORE)
"update zone section contains multiple RRs");
if (result != DNS_R_SUCCESS)
"not authoritative for update zone");
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
break; /* OK. */
case dns_zone_slave:
"update forwarding"); /* XXX implement */
default:
"not authoritative for update zone");
}
return;
/*
* We failed without having sent an update event to the zone.
* We are still in the client task context, so we can
* simply give an error response without switching tasks.
*/
}
static void
{
/* Check prerequisites. */
result == DNS_R_SUCCESS;
{
if (ttl != 0)
"prerequisite name is out of zone");
if (update_class == dns_rdataclass_any) {
"class ANY prerequisite "
"RDATA is not empty");
if (! flag) {
"'name in use' prerequisite "
"not satisfied");
}
} else {
if (! flag) {
/* RRset does not exist. */
"'rrset exists (value independent)' "
"prerequisite not satisfied");
}
}
} else if (update_class == dns_rdataclass_none) {
"class NONE prerequisite"
"RDATA is not empty");
if (flag) {
"'name not in use' prerequisite "
"not satisfied");
}
} else {
if (flag) {
/* RRset exists. */
"'rrset does not exist' "
"prerequisite not satisfied");
}
}
} else if (update_class == zoneclass) {
/* "temp<rr.name, rr.type> += rr;" */
if (result != DNS_R_SUCCESS) {
"temp entry creation failed: %s",
}
} else {
}
}
if (result != DNS_R_NOMORE)
/*
* Perform the final check of the "rrset exists (value dependent)"
* prerequisites.
*/
if (result != DNS_R_SUCCESS)
"prerequisite not satisfied");
/*
* Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says.
*/
NULL,
ISC_FALSE));
/* Perform the Update Section Prescan. */
result == DNS_R_SUCCESS;
{
"update RR is outside zone");
if (update_class == zoneclass) {
/*
* Check for meta-RRs. The RFC2136 pseudocode says
* check for ANY|AXFR|MAILA|MAILB, but the text adds
* "or any other QUERY metatype"
*/
"meta-RR in update");
}
} else if (update_class == dns_rdataclass_any) {
"meta-RR in update");
} else if (update_class == dns_rdataclass_none) {
if (ttl != 0 ||
"meta-RR in update");
} else {
"update RR has incorrect class %d",
}
/*
* draft-ietf-dnsind-simple-secure-update-01 says
* "Unlike traditional dynamic update, the client
* is forbidden from updating NXT records."
*/
"explicit NXT updates are not allowed "
"in secure zones");
}
}
if (result != DNS_R_NOMORE)
/* Process the Update Section. */
result == DNS_R_SUCCESS;
{
if (update_class == zoneclass) {
name,
&flag));
if (flag) {
"attempt to add CNAME "
"alongside non-CNAME "
"ignored");
continue;
}
} else {
&flag));
if (flag &&
{
"attempt to add non-CNAME "
"alongside CNAME ignored");
continue;
}
}
&flag));
if (! flag) {
"attempt to create 2nd "
"SOA ignored");
continue;
}
&ok));
if (! ok) {
"SOA update failed to "
"increment serial, "
"ignoring it");
continue;
}
}
/*
* Add an RR. If an identical RR already exists,
* do nothing. If a similar but not identical
* CNAME, SOA, or WKS exists, remove it first.
*/
&flag));
if (! flag) {
"adding an RR");
&diff));
if (result != DNS_R_SUCCESS)
} else {
"attempt to add existing RR "
"ignored");
}
} else if (update_class == dns_rdataclass_any) {
"delete all rrsets from a name");
} else {
}
"attempt to delete all SOA "
"or NS records ignored");
continue;
} else {
"deleting an rrset");
&diff));
}
} else if (update_class == dns_rdataclass_none) {
/*
* The (name == zonename) condition appears in
* RFC2136 3.4.2.4 but is missing from the pseudocode.
*/
"attempt to delete SOA "
"ignored");
continue;
}
int count;
0, &count));
if (count == 1) {
"attempt to delete last "
"NS ignored");
continue;
}
}
}
"deleting an RR");
}
}
if (result != DNS_R_NOMORE)
/*
* If any changes were made, increment the SOA serial number,
* update SIGs and NXTs (if zone is secure), and write the update
* to the journal.
*/
/*
* Increment the SOA serial, but only if it was not
* changed as a result of an update operation.
*/
if (! soa_serial_changed) {
}
if (dns_db_issecure(db)) {
if (result != DNS_R_SUCCESS) {
goto failure;
}
}
if (result != DNS_R_SUCCESS)
if (result != DNS_R_SUCCESS) {
}
}
/*
* XXXRTH Just a note that this committing code will have to change
* to handle databases that need two-phase commit, but this
* isn't a priority.
*/
goto common;
/* The reason for failure should have been logged at this point. */
"rolling back");
}
dns_db_detach(&db);
}
static void
{
}