update.c revision 9198ab377b1cbf07d6d0c6eec25296c135bd66bd
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.196 2011/08/30 05:16:11 marka Exp $ */
#include <config.h>
#include <isc/taskpool.h>
#include <dns/dbiterator.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
*/
/*
* XXX TODO:
* - document strict minimality
*/
/**************************************************************************/
/*%
* Log level for tracing dynamic update protocol requests.
*/
#define LOGLEVEL_PROTOCOL ISC_LOG_INFO
/*%
* Log level for low-level debug tracing.
*/
/*%
* Check an operation for failure. These macros all assume that
* the function using them has a 'result' variable and a 'failure'
* label.
*/
} while (0)
/*%
* Fail unconditionally with result 'code', which must not
* be ISC_R_SUCCESS. The reason for failure presumably has
* been logged already.
*
* The test against ISC_R_SUCCESS is there to keep the Solaris compiler
* from complaining about "end-of-loop code not reached".
*/
do { \
} while (0)
/*%
* Fail unconditionally and log as a client error.
* The test against ISC_R_SUCCESS is there to keep the Solaris compiler
* from complaining about "end-of-loop code not reached".
*/
do { \
const char *_what = "failed"; \
switch (result) { \
case DNS_R_NXDOMAIN: \
case DNS_R_YXDOMAIN: \
case DNS_R_YXRRSET: \
case DNS_R_NXRRSET: \
_what = "unsuccessful"; \
} \
"update %s: %s (%s)", _what, \
} while (0)
do { \
} while (0)
do { \
const char *_what = "failed"; \
switch (result) { \
case DNS_R_NXDOMAIN: \
case DNS_R_YXDOMAIN: \
case DNS_R_YXRRSET: \
case DNS_R_NXRRSET: \
_what = "unsuccessful"; \
} \
char _nbuf[DNS_NAME_FORMATSIZE]; \
} \
} while (0)
do { \
} while (0)
do { \
const char *_what = "failed"; \
switch (result) { \
case DNS_R_NXDOMAIN: \
case DNS_R_YXDOMAIN: \
case DNS_R_YXRRSET: \
case DNS_R_NXRRSET: \
_what = "unsuccessful"; \
} \
char _nbuf[DNS_NAME_FORMATSIZE]; \
char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
"update %s: %s/%s: %s (%s)", \
isc_result_totext(result)); \
} \
} while (0)
do { \
} while (0)
/*%
* Fail unconditionally and log as a server error.
* The test against ISC_R_SUCCESS is there to keep the Solaris compiler
* from complaining about "end-of-loop code not reached".
*/
do { \
"error: %s: %s", \
} while (0)
/*
* Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
*/
/**************************************************************************/
struct rr {
/* dns_name_t name; */
};
typedef struct update_event update_event_t;
struct update_event {
};
/**************************************************************************/
/*
* Forward declarations.
*/
/**************************************************************************/
static void
static void
{
char message[4096];
char namebuf[DNS_NAME_FORMATSIZE];
return;
return;
sizeof(namebuf));
sizeof(classbuf));
level, "updating zone '%s/%s': %s",
}
static void
}
/*%
* Increment updated-related statistics counters.
*/
static inline void
}
}
/*%
* Check if we could have queried for the contents of this zone or
* if the zone is potentially updateable.
* If the zone can potentially be updated and the check failed then
* log a error otherwise we log a informational message.
*/
static isc_result_t
{
char namebuf[DNS_NAME_FORMATSIZE];
int level;
if (result != ISC_R_SUCCESS) {
sizeof(classbuf));
"update '%s/%s' denied due to allow-query",
sizeof(classbuf));
}
return (result);
}
/*%
* Override the default acl logging when checking whether a client
* can update the zone or whether we can forward the request to the
* master based on IP address.
*
* 'message' contains the type of operation that is being attempted.
* 'slave' indicates if this is a slave zone. If 'acl' is NULL then
* log at debug=3.
* If the zone has no access controls configured ('acl' == NULL &&
* 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
* at error.
*
* If the request was signed log that we received it.
*/
static isc_result_t
{
char namebuf[DNS_NAME_FORMATSIZE];
int level = ISC_LOG_ERROR;
const char *msg = "denied";
msg = "disabled";
} else {
if (result == ISC_R_SUCCESS) {
msg = "approved";
}
}
}
sizeof(classbuf));
return (result);
}
/*%
* Update a single RR in version 'ver' of 'db' and log the
* update in 'diff'.
*
* Ensures:
* \li '*tuple' == NULL. Either the tuple is freed, or its
* ownership has been transferred to the diff.
*/
static isc_result_t
{
/*
* Create a singleton diff.
*/
/*
* Apply it to the database.
*/
if (result != ISC_R_SUCCESS) {
return (result);
}
/*
* Merge it into the current pending journal entry.
*/
/*
* Do not clear temp_diff.
*/
return (ISC_R_SUCCESS);
}
/*%
* Perform the updates in 'updates' in version 'ver' of 'db' and log the
* update in 'diff'.
*
* Ensures:
* \li 'updates' is empty.
*/
static isc_result_t
{
}
return (ISC_R_SUCCESS);
return (result);
}
static isc_result_t
{
if (result != ISC_R_SUCCESS)
return (result);
}
/**************************************************************************/
/*
* Callback-style iteration over rdatasets and rdatas.
*
* foreach_rrset() can be used to iterate over the RRsets
* of a name and call a callback function with each
* one. Similarly, foreach_rr() can be used to iterate
* over the individual RRs at name, optionally restricted
* to RRs of a given type.
*
* The callback functions are called "actions" and take
* two arguments: a void pointer for passing arbitrary
* context information, and a pointer to the current RRset
* or RR. By convention, their names end in "_action".
*/
/*
* XXXRTH We might want to make this public somewhere in libdns.
*/
/*%
* Function type for foreach_rrset() iterator actions.
*/
/*%
* Function type for foreach_rr() iterator actions.
*/
/*%
* Internal context struct for foreach_node_rr().
*/
typedef struct {
void * rr_action_data;
/*%
* Internal helper function for foreach_node_rr().
*/
static isc_result_t
result == ISC_R_SUCCESS;
{
if (result != ISC_R_SUCCESS)
return (result);
}
if (result != ISC_R_NOMORE)
return (result);
return (ISC_R_SUCCESS);
}
/*%
* For each rdataset of 'name' in 'ver' of 'db', call 'action'
* with the rdataset and 'action_data' as arguments. If the name
* does not exist, do nothing.
*
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
{
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
(isc_stdtime_t) 0, &iter);
if (result != ISC_R_SUCCESS)
goto cleanup_node;
result == ISC_R_SUCCESS;
{
if (result != ISC_R_SUCCESS)
goto cleanup_iterator;
}
if (result == ISC_R_NOMORE)
return (result);
}
/*%
* For each RR of 'name' in 'ver' of 'db', call 'action'
* with the RR and 'action_data' as arguments. If the name
* does not exist, do nothing.
*
* If 'action' returns an error, abort iteration
* and return the error.
*/
static isc_result_t
{
}
/*%
* For each of the RRs specified by 'db', 'ver', 'name', 'type',
* (which can be dns_rdatatype_any to match any type), and 'covers', call
* 'action' with the RR and 'action_data' as arguments. If the name
* does not exist, or if no RRset of the given type exists at the name,
* do nothing.
*
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
void *rr_action_data)
{
if (type == dns_rdatatype_any)
if (type == dns_rdatatype_nsec3 ||
else
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
if (result == ISC_R_NOTFOUND) {
goto cleanup_node;
}
if (result != ISC_R_SUCCESS)
goto cleanup_node;
result == ISC_R_SUCCESS;
{
if (result != ISC_R_SUCCESS)
goto cleanup_rdataset;
}
if (result != ISC_R_NOMORE)
goto cleanup_rdataset;
return (result);
}
/**************************************************************************/
/*
* Various tests on the database contents (for prerequisites, etc).
*/
/*%
* Function type for predicate functions that compare a database RR 'db_rr'
* against an update RR 'update_rr'.
*/
/*%
* Helper function for rrset_exists().
*/
static isc_result_t
return (ISC_R_EXISTS);
}
/*%
* Utility macro for RR existence checking functions.
*
* If the variable 'result' has the value ISC_R_EXISTS or
* ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
* respectively, and return success.
*
* If 'result' has any other value, there was a failure.
* Return the failure result code and do not set *exists.
*
* This would be more readable as "do { if ... } while(0)",
* but that form generates tons of warnings on Solaris 2.6.
*/
#define RETURN_EXISTENCE_FLAG \
return ((result == ISC_R_EXISTS) ? \
((result == ISC_R_SUCCESS) ? \
result))
/*%
* Set '*exists' to true iff an rrset of the given type exists,
* to false otherwise.
*/
static isc_result_t
{
}
/*%
* Helper function for cname_incompatible_rrset_exists.
*/
static isc_result_t
return (ISC_R_EXISTS);
return (ISC_R_SUCCESS);
}
/*%
* Check whether there is an rrset incompatible with adding a CNAME RR,
* i.e., anything but another CNAME (which can be replaced) or a
* DNSSEC RR (which can coexist).
*
* If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
* Otherwise, set it to ISC_FALSE.
*/
static isc_result_t
}
/*%
* Helper function for rr_count().
*/
static isc_result_t
(*countp)++;
return (ISC_R_SUCCESS);
}
/*%
* Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
*/
static isc_result_t
{
*countp = 0;
}
/*%
* Context struct and helper function for name_exists().
*/
static isc_result_t
return (ISC_R_EXISTS);
}
/*%
* Set '*exists' to true iff the given name exists, to false otherwise.
*/
static isc_result_t
{
}
/*
* 'ssu_check_t' is used to pass the arguments to
* dns_ssutable_checkrules() to the callback function
* ssu_checkrule().
*/
typedef struct {
/* The ownername of the record to be updated. */
/* The signature's name if the request was signed. */
/* The address of the client if the request was received via TCP. */
/* The ssu table to check against. */
/* the key used for TKEY requests */
} ssu_check_t;
static isc_result_t
/*
* If we're deleting all records, it's ok to delete RRSIG and NSEC even
* if we're normally not allowed to.
*/
return (ISC_R_SUCCESS);
}
static isc_boolean_t
{
}
/**************************************************************************/
/*
* Checking of "RRset exists (value dependent)" prerequisites.
*
* In the RFC2136 section 3.2.5, this is the pseudocode involving
* a variable called "temp", a mapping of <name, type> tuples to rrsets.
*
* Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
* where each tuple has op==DNS_DIFFOP_EXISTS.
*/
/*%
* Append a tuple asserting the existence of the RR with
* 'name' and 'rdata' to 'diff'.
*/
static isc_result_t
return (result);
}
/*%
* Compare two rdatasets represented as sorted lists of tuples.
* All list elements must have the same owner name and type.
* Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
* if not.
*/
static isc_result_t
for (;;) {
break;
b->op == DNS_DIFFOP_EXISTS);
return (DNS_R_NXRRSET);
a = ISC_LIST_NEXT(a, link);
b = ISC_LIST_NEXT(b, link);
}
return (DNS_R_NXRRSET);
return (ISC_R_SUCCESS);
}
/*%
* A comparison function defining the sorting order for the entries
* in the "temp" data structure. The major sort key is the owner name,
* followed by the type and rdata.
*/
static int
dns_difftuple_t const *a = *ap;
dns_difftuple_t const *b = *bp;
int r;
if (r != 0)
return (r);
if (r != 0)
return (r);
return (r);
}
/*%
* Check the "RRset exists (value dependent)" prerequisite information
* in 'temp' against the contents of the database 'db'.
*
* Return ISC_R_SUCCESS if the prerequisites are satisfied,
* rcode(dns_rcode_nxrrset) if not.
*
* 'temp' must be pre-sorted.
*/
static isc_result_t
{
dns_difftuple_t *t;
/*
* For each name and type in the prerequisites,
* construct a sorted rdata list of the corresponding
* database contents, and compare the lists.
*/
while (t != NULL) {
/* A new unique name begins here. */
if (result == ISC_R_NOTFOUND) {
return (DNS_R_NXRRSET);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
/* A new unique type begins here. */
this name and type */
this name and type */
if (type == dns_rdatatype_rrsig ||
else if (type == dns_rdatatype_any) {
return (DNS_R_NXRRSET);
} else
covers = 0;
/*
* Collect all database RRs for this name and type
* onto d_rrs and sort them.
*/
covers, (isc_stdtime_t) 0,
if (result != ISC_R_SUCCESS) {
return (DNS_R_NXRRSET);
}
result == ISC_R_SUCCESS;
{
if (result != ISC_R_SUCCESS)
goto failure;
}
if (result != ISC_R_NOMORE)
goto failure;
if (result != ISC_R_SUCCESS)
goto failure;
/*
* Collect all update RRs for this name and type
* onto u_rrs. No need to sort them here -
* they are already sorted.
*/
while (t != NULL &&
{
ISC_LIST_NEXT(t, link);
t = next;
}
/* Compare the two sorted lists. */
if (result != ISC_R_SUCCESS)
goto failure;
/*
* We are done with the tuples, but we can't free
* them yet because "name" still points into one
* of them. Move them on a temporary list.
*/
continue;
return (result);
}
}
return (ISC_R_SUCCESS);
}
/**************************************************************************/
/*
* Conditional deletion of RRs.
*/
/*%
* Context structure for delete_if().
*/
typedef struct {
/*%
* Predicate functions for delete_if().
*/
/*%
* Return true iff 'db_rr' is neither a SOA nor an NS RR nor
* an RRSIG nor an NSEC3PARAM nor a NSEC.
*/
static isc_boolean_t
}
/*%
* Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
*/
static isc_boolean_t
}
/*%
* Return true always.
*/
static isc_boolean_t
return (ISC_TRUE);
}
/*%
* Return true iff the two RRs have identical rdata.
*/
static isc_boolean_t
/*
* XXXRTH This is not a problem, but we should consider creating
* dns_rdata_equal() (that used dns_name_equal()), since it
* would be faster. Not a priority.
*/
}
/*%
* Return true iff 'update_rr' should replace 'db_rr' according
* to the special RFC2136 rules for CNAME, SOA, and WKS records.
*
* RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
* make little sense, so we replace those, too.
*
* Additionally replace RRSIG that have been generated by the same key
* for the same type. This simplifies refreshing a offline KSK by not
* requiring that the old RRSIG be deleted. It also simplifies key
* rollover by only requiring that the new RRSIG be added.
*/
static isc_boolean_t
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_TRUE);
return (ISC_TRUE);
return (ISC_TRUE);
/*
* Replace existing RRSIG with the same keyid,
* covered and algorithm.
*/
return (ISC_TRUE);
}
/*
* Compare the address and protocol fields only. These
* form the first five bytes of the RR data. Do a
* raw binary comparison; unpacking the WKS RRs using
* dns_rdata_tostruct() might be cleaner in some ways.
*/
}
return (ISC_FALSE);
/*
* Replace NSEC3PARAM records that only differ by the
* flags field.
*/
return (ISC_TRUE);
}
return (ISC_FALSE);
}
/*%
* Internal helper function for delete_if().
*/
static isc_result_t
return (result);
} else {
return (ISC_R_SUCCESS);
}
}
/*%
* Conditionally delete RRs. Apply 'predicate' to the RRs
* specified by 'db', 'ver', 'name', and 'type' (which can
* be dns_rdatatype_any to match any type). Delete those
* RRs for which the predicate returns true, and log the
* deletions in 'diff'.
*/
static isc_result_t
{
delete_if_action, &ctx));
}
/**************************************************************************/
/*%
* Prepare an RR for the addition of the new RR 'ctx->update_rr',
* with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
* the RRs if it is replaced by the new RR or has a conflicting TTL.
* The necessary changes are appended to ctx->del_diff and ctx->add_diff;
* we need to do all deletions before any additions so that we don't run
* into transient states with conflicting TTLs.
*/
typedef struct {
static isc_result_t
/*
* If the update RR is a "duplicate" of the update RR,
* the update should be silently ignored.
*/
return (ISC_R_SUCCESS);
}
/*
* If this RR is "equal" to the update RR, it should
* be deleted before the update RR is added.
*/
&tuple));
return (ISC_R_SUCCESS);
}
/*
* If this RR differs in TTL from the update RR,
* its TTL must be adjusted.
*/
&tuple));
if (!equal) {
}
}
return (result);
}
/**************************************************************************/
/*
* Miscellaneous subroutines.
*/
/*%
* Extract a single update RR from 'section' of dynamic update message
* 'msg', with consistency checking.
*
* Stores the owner name, rdata, and TTL of the update RR at 'name',
* 'rdata', and 'ttl', respectively.
*/
static void
{
}
/*%
* Increment the SOA serial number of database 'db', version 'ver'.
* Replace the SOA record in the database, and log the
* change in 'diff'.
*/
/*
* XXXRTH Failures in this routine will be worth logging, when
* we have a logging system. Failure to find the zonename
* or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
*/
static isc_result_t
{
return (result);
}
/*%
* Check that the new SOA record at 'update_rdata' does not
* illegally cause the SOA serial number to decrease or stay
* unchanged relative to the existing SOA in 'db'.
*
* Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
*
* William King points out that RFC2136 is inconsistent about
* the case where the serial number stays unchanged:
*
* section 3.4.2.2 requires a server to ignore a SOA update request
* if the serial number on the update SOA is less_than_or_equal to
* the zone SOA serial.
*
* section 3.6 requires a server to ignore a SOA update request if
* the serial is less_than the zone SOA serial.
*
* Paul says 3.4.2.2 is correct.
*
*/
static isc_result_t
{
if (result != ISC_R_SUCCESS)
return (result);
} else {
}
return (ISC_R_SUCCESS);
}
/**************************************************************************/
/*%
* The actual update code in all its glory. We try to follow
* the RFC2136 pseudocode as closely as possible.
*/
static isc_result_t
event = (update_event_t *)
return (result);
}
static void
if (msg_result != ISC_R_SUCCESS)
goto msg_failure;
return;
"could not create update response message: %s",
}
void
/*
* Interpret the zone section.
*/
if (result != ISC_R_SUCCESS)
/*
* The zone section must contain exactly one "question", and
* it must be of type SOA.
*/
"update zone section contains non-SOA");
"update zone section contains multiple RRs");
/* The zone section must have exactly one name. */
if (result != ISC_R_NOMORE)
"update zone section contains multiple RRs");
&zone);
if (result != ISC_R_SUCCESS)
/*
* If there is a raw (unsigned) zone associated with this
* zone then it processes the UPDATE request.
*/
}
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
case dns_zone_dlz:
/*
* We can now fail due to a bad signature as we now know
* that we are the master.
*/
if (sigresult != ISC_R_SUCCESS)
break;
case dns_zone_slave:
ISC_FALSE));
break;
default:
}
return;
if (result == DNS_R_REFUSED) {
}
/*
* We failed without having sent an update event to the zone.
* We are still in the client task context, so we can
* simply give an error response without switching tasks.
*/
}
/*%
* DS records are not allowed to exist without corresponding NS records,
* RFC 3658, 2.2 Protocol Change,
* "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
*/
static isc_result_t
continue;
dns_rdatatype_ns, 0, &ns_exists));
if (ns_exists &&
continue;
}
}
return (result);
}
/*
* This implements the post load integrity checks for mx records.
*/
static isc_result_t
{
char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
char ownerbuf[DNS_NAME_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
dns_difftuple_t *t;
unsigned int options;
t != NULL;
t = ISC_LIST_NEXT(t, link)) {
if (t->op != DNS_DIFFOP_ADD ||
continue;
/*
* Check if we will error out if we attempt to reload the
* zone.
*/
if ((options & DNS_RDATA_CHECKMX) != 0 &&
}
} else if (isaddress) {
}
/*
* Check zone integrity checks.
*/
if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
continue;
if (result == ISC_R_SUCCESS)
continue;
if (result == DNS_R_NXRRSET) {
if (result == ISC_R_SUCCESS)
continue;
}
} else if (result == DNS_R_CNAME) {
} else if (result == DNS_R_DNAME) {
}
}
}
static isc_result_t
{
else
if (result == ISC_R_NOTFOUND) {
goto failure;
}
result == ISC_R_SUCCESS;
break;
}
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_NOMORE) {
}
return (result);
}
static isc_result_t
unsigned int *iterationsp)
{
unsigned int iterations = 0;
if (result != ISC_R_SUCCESS)
return (result);
if (result == ISC_R_NOTFOUND)
goto try_private;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
continue;
}
if (result != ISC_R_NOMORE)
goto failure;
if (privatetype == 0)
goto success;
if (result == ISC_R_NOTFOUND)
goto success;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
continue;
continue;
}
if (result != ISC_R_NOMORE)
goto failure;
return (result);
}
/*
* Prevent the zone entering a inconsistent state where
* NSEC only DNSKEYs are present with NSEC3 chains.
*/
static isc_result_t
{
unsigned int iterations = 0, max;
/* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
continue;
break;
}
break;
}
}
/* Check existing DB for NSEC-only DNSKEY */
if (!nseconly) {
/*
* An NSEC3PARAM update can proceed without a DNSKEY (it
* will trigger a delayed change), so we can ignore
* ISC_R_NOTFOUND here.
*/
if (result == ISC_R_NOTFOUND)
}
/* Check existing DB for NSEC3 */
if (!nsec3)
privatetype, &nsec3));
/* Refuse to allow NSEC3 with NSEC-only keys */
"NSEC only DNSKEYs and NSEC3 chains not allowed");
goto failure;
}
/* Verify NSEC3 params */
"too many NSEC3 iterations (%u) for "
goto failure;
}
return (result);
}
/*
* Delay NSEC3PARAM changes as they need to be applied to the whole zone.
*/
static isc_result_t
{
isc_uint32_t ttl = 0;
"checking for NSEC3PARAM changes");
/*
* Extract NSEC3PARAM tuples from list.
*/
continue;
}
/*
* Extract TTL changes pairs, we don't need to convert these to
* delayed changes.
*/
if (!ttl_good) {
/*
* Any adds here will contain the final
* NSEC3PARAM RRset TTL.
*/
}
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
link);
link);
break;
}
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
continue;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
} else
}
/*
* Preserve any ongoing changes from a BIND 9.6.x upgrade.
*
* Any NSEC3PARAM records with flags other than OPTOUT named
* in managing and should not be touched so revert such changes
* taking into account any TTL change of the NSEC3PARAM RRset.
*/
/*
* If we havn't had any adds then the tuple->ttl must
* be the original ttl and should be used for any
* future changes.
*/
if (!ttl_good) {
}
&newtuple));
}
}
/*
* We now have just the actual changes to the NSEC3PARAM RRset.
* Convert the adds to delayed adds and the deletions into delayed
* deletions.
*/
/*
* If we havn't had any adds then the tuple->ttl must be the
* original ttl and should be used for any future changes.
*/
if (!ttl_good) {
}
/*
* Look for any deletes which match this ADD ignoring
* flags. We don't need to explictly remove them as
* they will be removed a side effect of processing
* the add.
*/
next_data[0] != tuple_data[0] ||
continue;
}
}
/*
* Create a private-type record to signal that
*/
/*
* If the zone is not currently capable of
* supporting an NSEC3 chain, then we set the
* INITIAL flag to indicate that these parameters
* are to be used later.
*/
/*
* See if this CREATE request already exists.
*/
if (!flag) {
&newtuple));
}
/*
* Remove any existing CREATE request to add an
* otherwise indentical chain with a reversed
* OPTOUT state.
*/
if (flag) {
&newtuple));
}
/*
* Find the next tuple to be processed and remove the
* temporary add record.
*/
&newtuple));
} else
}
/*
* See if we already have a REMOVE request in progress.
*/
if (!flag) {
}
if (!flag) {
}
}
return (result);
}
static isc_result_t
{
if (privatetype == 0)
return (ISC_R_SUCCESS);
/*
* Extract the changes to be rolled back.
*/
continue;
/*
* Allow records which indicate that a zone has been
* signed with a DNSKEY to be removed.
*/
continue;
}
/*
* Rollback the changes.
*/
}
return (result);
}
/*
* Add records to cause the delayed signing of the zone by added DNSKEY
* to remove the RRSIG records generated by a deleted DNSKEY.
*/
static isc_result_t
{
isc_region_t r;
unsigned char buf[5];
/*
* Extract the DNSKEY tuples from the list.
*/
continue;
}
/*
* Extract TTL changes pairs, we don't need signing records for these.
*/
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
link);
link);
break;
}
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
continue;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
} else
}
/*
* Process the remaining DNSKEY entries.
*/
continue;
buf[4] = 0;
if (flag)
continue;
/*
* Remove any record which says this operation has already
* completed.
*/
if (flag) {
}
}
return (result);
}
static isc_boolean_t
if (dns_db_issecure(db))
return (ISC_TRUE);
&build_nsec, &build_nsec3);
return (build_nsec || build_nsec3);
}
static void
unsigned int options;
/*
* Update message processing can leak record existance information
* so check that we are allowed to query this zone. Additionally
* if we would refuse all updates for this zone we bail out here.
*/
/*
* Get old and new versions now that queryacl has been checked.
*/
/*
* Check prerequisites.
*/
result == ISC_R_SUCCESS;
{
if (ttl != 0)
"prerequisite TTL is not zero");
"prerequisite name is out of zone");
if (update_class == dns_rdataclass_any) {
"class ANY prerequisite "
"RDATA is not empty");
if (! flag) {
"'name in use' "
"prerequisite not "
"satisfied");
}
} else {
if (! flag) {
/* RRset does not exist. */
"'rrset exists (value independent)' "
"prerequisite not satisfied");
}
}
} else if (update_class == dns_rdataclass_none) {
"class NONE prerequisite "
"RDATA is not empty");
if (flag) {
"'name not in use' "
"prerequisite not "
"satisfied");
}
} else {
if (flag) {
/* RRset exists. */
"'rrset does not exist' "
"prerequisite not "
"satisfied");
}
}
} else if (update_class == zoneclass) {
/* "temp<rr.name, rr.type> += rr;" */
if (result != ISC_R_SUCCESS) {
"temp entry creation failed: %s",
}
} else {
}
}
if (result != ISC_R_NOMORE)
/*
* Perform the final check of the "rrset exists (value dependent)"
* prerequisites.
*/
/*
* Sort the prerequisite records by owner name,
* type, and rdata.
*/
if (result != ISC_R_SUCCESS)
"prerequisite not satisfied");
if (result != ISC_R_SUCCESS)
"'RRset exists (value dependent)' "
"prerequisite not satisfied");
}
"prerequisites are OK");
/*
* Check Requestor's Permissions. It seems a bit silly to do this
* only after prerequisite testing, but that is what RFC2136 says.
*/
"because the zone is frozen. Use "
"'rndc thaw' to re-enable updates.");
/*
* Perform the Update Section Prescan.
*/
result == ISC_R_SUCCESS;
{
"update RR is outside zone");
if (update_class == zoneclass) {
/*
* Check for meta-RRs. The RFC2136 pseudocode says
* check for ANY|AXFR|MAILA|MAILB, but the text adds
* "or any other QUERY metatype"
*/
"meta-RR in update");
}
if (result != ISC_R_SUCCESS)
} else if (update_class == dns_rdataclass_any) {
"meta-RR in update");
} else if (update_class == dns_rdataclass_none) {
if (ttl != 0 ||
"meta-RR in update");
} else {
"update RR has incorrect class %d",
}
/*
* draft-ietf-dnsind-simple-secure-update-01 says
* "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records."
*/
"explicit NSEC3 updates are not allowed "
"in secure zones");
"explicit NSEC updates are not allowed "
"in secure zones");
"explicit RRSIG updates are currently "
"not supported in secure zones except "
"at the apex");
}
/*
* If this is a TCP connection then pass the
* address of the client through for tcp-self
* and 6to4-self otherwise pass NULL. This
* provides weak address based authentication.
*/
} else
tsigkey))
"rejected by secure update");
} else {
tsigkey))
"rejected by secure update");
}
}
}
if (result != ISC_R_NOMORE)
"update section prescan OK");
/*
* Process the Update Section.
*/
result == ISC_R_SUCCESS;
{
if (update_class == zoneclass) {
/*
* RFC1123 doesn't allow MF and MD in master zones. */
char typebuf[DNS_RDATATYPE_FORMATSIZE];
sizeof(typebuf));
"attempt to add %s ignored",
typebuf);
continue;
}
char typebuf[DNS_RDATATYPE_FORMATSIZE];
sizeof(typebuf));
"attempt to add wildcard %s record "
"ignored", typebuf);
continue;
}
name,
&flag));
if (flag) {
"attempt to add CNAME "
"alongside non-CNAME "
"ignored");
continue;
}
} else {
&flag));
if (flag &&
{
"attempt to add non-CNAME "
"alongside CNAME ignored");
continue;
}
}
&flag));
if (! flag) {
"attempt to create 2nd "
"SOA ignored");
continue;
}
&ok));
if (! ok) {
"SOA update failed to "
"increment serial, "
"ignoring it");
continue;
}
}
"attempt to add a private type "
"(%u) record rejected internal "
"use only", privatetype);
continue;
}
/*
* Ignore attempts to add NSEC3PARAM records
* with any flags other than OPTOUT.
*/
"attempt to add NSEC3PARAM "
"record with non OPTOUT "
"flag");
continue;
}
}
if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
char namestr[DNS_NAME_FORMATSIZE];
sizeof(namestr));
"warning: ownername '%s' contains "
"a non-terminal wildcard", namestr);
}
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
sizeof(namestr));
sizeof(typestr));
"adding an RR at '%s' %s",
}
/* Prepare the affected RRset for the addition. */
{
&ctx));
if (ctx.ignore_add) {
} else {
&diff));
&diff));
}
}
} else if (update_class == dns_rdataclass_any) {
{
char namestr[DNS_NAME_FORMATSIZE];
sizeof(namestr));
"delete all rrsets from "
"name '%s'", namestr);
}
} else {
}
"attempt to delete all SOA "
"or NS records ignored");
continue;
} else {
{
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
sizeof(namestr));
sizeof(typestr));
"deleting rrset at '%s' %s",
}
&diff));
}
} else if (update_class == dns_rdataclass_none) {
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
/*
* The (name == zonename) condition appears in
* RFC2136 3.4.2.4 but is missing from the pseudocode.
*/
"attempt to delete SOA "
"ignored");
continue;
}
int count;
0, &count));
if (count == 1) {
"attempt to "
"delete last "
"NS ignored");
continue;
}
}
}
sizeof(typestr));
}
}
if (result != ISC_R_NOMORE)
/*
* Check that any changes to DNSKEY/NSEC3PARAM records make sense.
* If they don't then back out all changes to DNSKEY/NSEC3PARAM
* records.
*/
unsigned int errors = 0;
if (errors != 0) {
"update rejected: post update name server "
"sanity check failed");
goto failure;
}
}
/*
* If any changes were made, increment the SOA serial number,
* update RRSIGs and NSECs (if zone is secure), and write the update
* to the journal.
*/
char *journalfile;
/*
* Increment the SOA serial, but only if it was not
* changed as a result of an update operation.
*/
if (! soa_serial_changed) {
}
0, &has_dnskey));
#define ALLOW_SECURE_TO_INSECURE(zone) \
if (!ALLOW_SECURE_TO_INSECURE(zone)) {
&had_dnskey));
if (had_dnskey && !has_dnskey) {
"update rejected: all DNSKEY "
"records removed and "
"'dnssec-secure-to-insecure' "
"not set");
goto failure;
}
}
if (had_dnskey && !has_dnskey) {
/*
* We are transitioning from secure to insecure.
* Cause all NSEC3 chains to be deleted. When the
* the last signature for the DNSKEY records are
* remove any NSEC chain present will also be removed.
*/
&diff));
if (result != ISC_R_SUCCESS) {
goto failure;
}
}
if (journalfile != NULL) {
"writing journal %s", journalfile);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
}
}
/*
* XXXRTH Just a note that this committing code will have
* to change to handle databases that need two-phase
* commit, but this isn't a priority.
*/
"committing update transaction");
/*
* Mark the zone as dirty so that it will be written to disk.
*/
/*
* Notify slaves of the change we just made.
*/
/*
* Cause the zone to be signed with the key that we
* have just added or have the corresponding signatures
* deleted.
*
* Note: we are already committed to this course of action.
*/
isc_region_t r;
continue;
continue;
if (result != ISC_R_SUCCESS) {
"dns_zone_signwithkey failed: %s",
}
}
/*
* deferred NSEC3PARAM changes.
*
* Note: we are already committed to this course of action.
*/
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
continue;
continue;
if (nsec3param.flags == 0)
continue;
if (result != ISC_R_SUCCESS) {
"dns_zone_addnsec3chain failed: %s",
}
}
} else {
}
goto common;
/*
* The reason for failure should have been logged at this point.
*/
"rolling back");
}
dns_db_detach(&db);
}
static void
case ISC_R_SUCCESS:
break;
case DNS_R_REFUSED:
break;
default:
break;
}
}
/*%
* Update forwarding support.
*/
static void
}
static void
if (result != ISC_R_SUCCESS) {
} else {
}
}
static void
}
static void
if (result != ISC_R_SUCCESS) {
} else
}
static isc_result_t
event = (update_event_t *)
return (result);
}