zone.c revision 7ace3277956c49f7554b7130ef761bde3b35db30
/*
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
/*! \file */
#include <config.h>
#include <errno.h>
#include <isc/ratelimiter.h>
#include <isc/refcount.h>
#include <isc/strerror.h>
#include <isc/taskpool.h>
#include <dns/callbacks.h>
#include <dns/dbiterator.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/masterdump.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
#include <dns/rriterator.h>
/*%
* Ensure 'a' is at least 'min' but not more than 'max'.
*/
#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
/*%
* Key flags
*/
#define ALG(x) dst_key_alg(x)
/*
* Default values.
*/
#ifndef DNS_MAX_EXPIRE
#endif
#ifndef DNS_DUMP_DELAY
#endif
typedef struct dns_notify dns_notify_t;
typedef struct dns_stub dns_stub_t;
typedef struct dns_load dns_load_t;
typedef struct dns_forward dns_forward_t;
typedef struct dns_signing dns_signing_t;
typedef struct dns_nsec3chain dns_nsec3chain_t;
typedef struct dns_keyfetch dns_keyfetch_t;
typedef struct dns_asyncload dns_asyncload_t;
typedef struct dns_include dns_include_t;
#define DNS_ZONE_CHECKLOCK
#ifdef DNS_ZONE_CHECKLOCK
#define LOCK_ZONE(z) \
} while (0)
#define UNLOCK_ZONE(z) \
#define LOCKED_ZONE(z) ((z)->locked)
#else
#define LOCKED_ZONE(z) ISC_TRUE
#endif
#ifdef ISC_RWLOCK_USEATOMIC
#define ZONEDB_INITLOCK(l) isc_rwlock_init((l), 0, 0)
#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
#define ZONEDB_LOCK(l, t) RWLOCK((l), (t))
#define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t))
#else
#define ZONEDB_INITLOCK(l) isc_mutex_init(l)
#define ZONEDB_DESTROYLOCK(l) DESTROYLOCK(l)
#define ZONEDB_LOCK(l, t) LOCK(l)
#define ZONEDB_UNLOCK(l, t) UNLOCK(l)
#endif
struct dns_zone {
/* Unlocked */
unsigned int magic;
#ifdef DNS_ZONE_CHECKLOCK
#endif
#ifdef ISC_RWLOCK_USEATOMIC
#else
#endif
/* Locked */
unsigned int irefs;
char *masterfile;
unsigned int nincludes;
char *journal;
unsigned int flags;
unsigned int options;
unsigned int db_argc;
char **db_argv;
char *keydirectory;
unsigned int masterscnt;
unsigned int curmaster;
unsigned int notifycnt;
/* Access Control Lists */
/*%
* Zones in certain states such as "waiting for zone transfer"
* or "zone transfer in progress" are kept on per-state linked lists
* in the zone manager using the 'statelink' field. The 'statelist'
* field points at the list the zone is currently on. It the zone
* is not on any such list, statelist is NULL.
*/
/*%
* Statistics counters about zone management.
*/
/*%
* Optional per-zone statistics counters. Counted outside of this
* module.
*/
void *isselfarg;
char * strnamerd;
char * strname;
char * strrdclass;
char * strviewname;
/*%
* Serial number for deferred journal compaction.
*/
/*%
* Keys that are signing the zone for the first time.
*/
/*%
* Signing / re-signing quantum stopping parameters.
*/
/*%
* Autosigning/key-maintenance options
*/
/*%
* True if added by "rndc addzone"
*/
/*%
* response policy data to be relayed to the database
*/
/*%
* Serial number update method.
*/
/*%
* whether ixfr is requested
*/
/*%
* Outstanding forwarded UPDATE requests.
*/
};
typedef struct {
} zonediff_t;
#define zonediff_init(z, d) \
do { \
zonediff_t *_z = (z); \
} while (0)
#define DNS_ZONE_SETFLAG(z,f) do { \
INSIST(LOCKED_ZONE(z)); \
(z)->flags |= (f); \
} while (0)
#define DNS_ZONE_CLRFLAG(z,f) do { \
INSIST(LOCKED_ZONE(z)); \
(z)->flags &= ~(f); \
} while (0)
/* XXX MPA these may need to go back into zone.h */
* uptodate */
* messages */
* reload */
* zone with no masters
* occurred */
* from SOA (if not set, we
* are still using
* default timer values) */
#define DNS_ZONEFLG_NOREFRESH 0x00010000U
#define DNS_ZONEFLG_DIALNOTIFY 0x00020000U
#define DNS_ZONEFLG_DIALREFRESH 0x00040000U
#define DNS_ZONEFLG_SHUTDOWN 0x00080000U
#define DNS_ZONEFLG_FLUSH 0x00200000U
#define DNS_ZONEFLG_NOEDNS 0x00400000U
#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
#define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U
#define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U
#define DNS_ZONEFLG_THAW 0x08000000U
#define DNS_ZONEFLG_NODELAY 0x20000000U
#define DNS_ZONEFLG_SENDSECURE 0x40000000U
#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
/* Flags for zone_load() */
load. */
#define UNREACH_CHACHE_SIZE 10U
} while (0)
struct dns_unreachable {
};
struct dns_zonemgr {
unsigned int magic;
int refs; /* Locked by rwlock */
isc_task_t * task;
/* Locked by rwlock. */
/* Configuration data. */
unsigned int serialqueryrate;
/* Locked by iolock */
/* Locked by urlock. */
/* LRU cache */
};
/*%
* Hold notify state.
*/
struct dns_notify {
unsigned int magic;
unsigned int flags;
};
#define DNS_NOTIFY_NOSOA 0x0001U
/*%
* dns_stub holds state while performing a 'stub' transfer.
* 'db' is the zone's 'db' or a new one if this is the initial
* transfer.
*/
struct dns_stub {
unsigned int magic;
};
/*%
* Hold load state.
*/
struct dns_load {
unsigned int magic;
};
/*%
* Hold forward state.
*/
struct dns_forward {
unsigned int magic;
void *callback_arg;
};
/*%
* Hold IO request state.
*/
struct dns_io {
unsigned int magic;
};
/*%
* Hold state for when we are signing a zone with a new
* DNSKEY as result of an update.
*/
struct dns_signing {
unsigned int magic;
};
struct dns_nsec3chain {
unsigned int magic;
unsigned char salt[255];
};
/*%<
* 'dbiterator' contains a iterator for the database. If we are creating
* a NSEC3 chain only the non-NSEC3 nodes will be iterated. If we are
* removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
* iterated.
*
* 'nsec3param' contains the parameters of the NSEC3 chain being created
* or removed.
*
* 'salt' is buffer space and is referenced via 'nsec3param.salt'.
*
* 'seen_nsec' will be set to true if, while iterating the zone to create a
* NSEC3 chain, a NSEC record is seen.
*
* 'delete_nsec' will be set to true if, at the completion of the creation
* of a NSEC3 chain, 'seen_nsec' is true. If 'delete_nsec' is true then we
* are in the process of deleting the NSEC chain.
*
* 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
* so it can be recovered in the event of a error.
*/
struct dns_keyfetch {
};
/*%
* Hold state for an asynchronous load
*/
struct dns_asyncload {
void *loaded_arg;
};
/*%
* Reference to an include file encountered during loading
*/
struct dns_include {
char *name;
};
#define HOUR 3600
#define SEND_BUFFER_SIZE 2048
static void cancel_refresh(dns_zone_t *);
dns_rdata_t *rdata);
#if 0
/* ondestroy example */
#endif
dns_stub_t *stub);
unsigned int flags,
dns_zone_t *zone);
static isc_result_t
unsigned int *errors);
const char *templat);
dns_diff_t *diff);
static const unsigned int dbargc_default = 1;
static const char *dbargv_default[] = { "rbt" };
#define DNS_ZONE_JITTER_ADD(a, b, c) \
do { \
isc_interval_t _i; \
isc_uint32_t _j; \
"epoch approaching: upgrade required: " \
"now + %s failed", #b); \
(void)isc_time_add((a), &_i, (c)); \
} \
} while (0)
#define DNS_ZONE_TIME_ADD(a, b, c) \
do { \
isc_interval_t _i; \
isc_interval_set(&_i, (b), 0); \
"epoch approaching: upgrade required: " \
"now + %s failed", #b); \
(void)isc_time_add((a), &_i, (c)); \
} \
} while (0)
/*%
* Increment resolver-related statistics counters. Zone must be locked.
*/
static inline void
}
/***
*** Public functions.
***/
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS)
goto free_zone;
if (result != ISC_R_SUCCESS)
goto free_mutex;
/* XXX MPA check that all elements are initialised */
#ifdef DNS_ZONE_CHECKLOCK
#endif
if (result != ISC_R_SUCCESS)
goto free_dblock;
zone->refreshkeyinterval = 0;
zone->refreshkeycount = 0;
zone->masterscnt = 0;
zone->log_key_expired_timer = 0;
zone->sourceserial = 0;
/* Must be after magic is set. */
if (result != ISC_R_SUCCESS)
goto free_erefs;
return (ISC_R_SUCCESS);
return (result);
}
/*
* Free a zone. Because we require that there be no more
* outstanding events or references, no locking is necessary.
*/
static void
dns_include_t *include;
/*
* Managed objects. Order is important.
*/
/* Unmanaged objects */
}
nsec3chain != NULL;
}
include != NULL;
}
}
== ISC_R_SUCCESS);
== ISC_R_SUCCESS);
/* last stuff */
}
/*
* Returns ISC_TRUE iff this the signed side of an inline-signing zone.
* Caller should hold zone lock.
*/
static inline isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
}
/*
* Returns ISC_TRUE iff this the unsigned side of an inline-signing zone
* Caller should hold zone lock.
*/
static inline isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
}
/*
* Single shot.
*/
void
char namebuf[1024];
/*
* Test and set.
*/
if (inline_secure(zone))
}
}
void
}
unsigned int soacount;
NULL);
} else
return (result);
}
if (result != ISC_R_SUCCESS)
serial = 0; /* XXX: not really correct, but no other choice */
return (serial);
}
/*
* Single shot.
*/
void
char namebuf[1024];
/*
* Test and set.
*/
}
static void
unsigned int i;
/* Free the old database argument list. */
}
}
unsigned int i;
void *mem;
}
} else
return (result);
}
unsigned int i;
/* Set up a new database argument list. */
goto nomem;
for (i = 0; i < dbargc; i++)
for (i = 0; i < dbargc; i++) {
goto nomem;
}
/* Free the old list. */
goto unlock;
for (i = 0; i < dbargc; i++)
}
return (result);
}
void
char namebuf[1024];
if (inline_secure(zone))
}
}
char namebuf[1024];
}
return (result);
}
void
/*
* If the zone reuses an existing DB, the DB needs to be
* set in the acache explicitly. We can safely ignore the
* case where the DB is already set. If other error happens,
* the acache will not work effectively.
*/
"dns_acache_setdb() failed: %s",
}
}
}
static isc_result_t
char *copy;
return (ISC_R_NOMEMORY);
} else {
}
return (ISC_R_SUCCESS);
}
}
if (result == ISC_R_SUCCESS) {
}
return (result);
}
const char *
return (zone->masterfile);
}
static isc_result_t
char *journal;
/* Calculate string length including '\0'. */
return (ISC_R_NOMEMORY);
} else {
}
return (result);
}
return (result);
}
char *
}
/*
* Return true iff the zone is "dynamic", in the sense that the zone's
* master file (if any) is written by the server, rather than being
* updated manually and read by the server.
*
* This is true for slave zones, stub zones, key zones, and zones that
* allow dynamic updates either by having an update policy ("ssutable")
* or an "allow-update" ACL with a value other than exactly "{ none; }".
*/
return (ISC_TRUE);
/* If !ignore_freeze, we need check whether updates are disabled. */
return (ISC_TRUE);
return (ISC_FALSE);
}
/*
* Set the response policy index and information for a zone.
*/
{
/*
* Only RBTDB zones can be used for response policy zones,
* because only they have the code to load the create the summary data.
* Only zones that are loaded instead of mmap()ed create the
* summary data and so can be policy zones.
*/
return (ISC_R_NOTIMPLEMENTED);
/*
* This must happen only once or be redundant.
*/
} else {
}
return (ISC_R_SUCCESS);
}
}
/*
* If a zone is a response policy zone, mark its new database.
*/
void
}
}
static isc_boolean_t
dns_include_t *include;
if (result != ISC_R_SUCCESS ||
{
return (ISC_TRUE);
}
include != NULL;
include = ISC_LIST_NEXT(include, link))
{
if (result != ISC_R_SUCCESS ||
return (ISC_TRUE);
}
return (ISC_FALSE);
}
static isc_result_t
if (hasraw) {
if (result != ISC_R_SUCCESS) {
return(result);
}
}
if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
goto cleanup;
}
/*
* The zone has no master file configured.
*/
goto cleanup;
}
/*
* This is a slave, stub, or dynamically updated
* zone being reloaded. Do nothing - the database
* we already have is guaranteed to be up-to-date.
*/
else
goto cleanup;
}
/*
* Store the current time before the zone is loaded, so that if the
* file changes between the time of the load and the time that
* zone->loadtime is set, then the file will still be reloaded
* the next time dns_zone_load is called.
*/
/*
* Don't do the load if the file that stores the zone is older
* than the last time the zone was loaded. If the zone has not
* been loaded yet, zone->loadtime will be the epoch.
*/
/*
* The file is already loaded. If we are just doing a
* "rndc reconfig", we are done.
*/
(flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
goto cleanup;
}
!zone_touched(zone))
{
"skipping load: master file "
"older than last load");
goto cleanup;
}
}
/*
* Built in zones (with the exception of empty zones) don't need
* to be reloaded.
*/
goto cleanup;
}
/*
* Zones associated with a DLZ don't need to be loaded either,
* but we need to associate the database with the zone object.
*/
{
break;
}
"DLZ %s does not exist or is set "
goto cleanup;
}
/* ask SDLZ driver if the zone is supported */
if (result != ISC_R_NOTFOUND) {
dns_db_detach(&db);
}
if (result == ISC_R_SUCCESS) {
goto cleanup;
if (result != ISC_R_SUCCESS)
"DLZ configuration callback: %s",
}
goto cleanup;
}
rbt) {
"no master file");
}
goto cleanup;
}
}
&db);
if (result != ISC_R_SUCCESS) {
"loading zone: creating database: %s",
goto cleanup;
}
if (! dns_db_ispersistent(db)) {
} else {
"loading zone: "
"no master file configured");
goto cleanup;
}
"no master file configured: continuing");
}
}
if (result == DNS_R_CONTINUE) {
if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
goto cleanup;
}
if (hasraw)
dns_db_detach(&db);
return (result);
}
}
}
static void
if (result == ISC_R_CANCELED ||
goto cleanup;
/* Inform the zone table we've finished loading */
}
isc_event_t *e;
return (ISC_R_FAILURE);
sizeof(isc_event_t));
if (e == NULL)
return (ISC_R_SUCCESS);
return (result);
}
}
if (inline_raw(zone))
else
switch (result) {
case DNS_R_CONTINUE:
/* Deferred thaw. */
break;
case DNS_R_UPTODATE:
case ISC_R_SUCCESS:
case DNS_R_SEENINCLUDE:
break;
case DNS_R_NOMASTERFILE:
break;
default:
/* Error, remain in disabled state. */
break;
}
return (result);
}
static unsigned int
unsigned int options;
return (options);
}
static void
return;
return;
return;
}
if (result != ISC_R_SUCCESS)
}
static void
unsigned int options;
if (result == ISC_R_CANCELED)
goto fail;
goto fail;
return;
fail:
}
static void
unsigned int soacount;
NULL);
}
}
static void
const char me[] = "zone_gotwritehandle";
if (result == ISC_R_CANCELED)
goto fail;
if (inline_secure(zone))
} else
if (result != DNS_R_CONTINUE)
goto fail;
return;
fail:
}
/*
* Save the raw serial number for inline-signing zones.
* (XXX: Other information from the header will be used
* for other purposes in the future, but for now this is
* all we're interested in.)
*/
static void
return;
}
void
return;
}
static isc_result_t
unsigned int options;
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
/*
* We can't report multiple errors so ignore
* the result of dns_db_endload().
*/
goto cleanup;
} else
} else {
if (result != ISC_R_SUCCESS) {
return (result);
}
zone->masterformat);
if (result == ISC_R_SUCCESS)
}
return (result);
return (result);
}
static isc_boolean_t
{
char ownerbuf[DNS_NAME_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
int level;
/*
* "." means the services does not exist.
*/
return (ISC_TRUE);
/*
* Outside of zone.
*/
return (ISC_TRUE);
}
else
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
if (result == DNS_R_NXRRSET) {
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
}
result == DNS_R_EMPTYNAME) {
}
if (result == DNS_R_CNAME) {
}
if (result == DNS_R_DNAME) {
altbuf);
}
}
return (ISC_TRUE);
}
static isc_boolean_t
{
char ownerbuf[DNS_NAME_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
int level;
/*
* "." means the services does not exist.
*/
return (ISC_TRUE);
/*
* Outside of zone.
*/
return (ISC_TRUE);
}
else
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
if (result == DNS_R_NXRRSET) {
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
}
result == DNS_R_EMPTYNAME) {
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
}
if (result == DNS_R_CNAME) {
}
if (result == DNS_R_DNAME) {
altbuf);
}
}
return (ISC_TRUE);
}
static isc_boolean_t
{
char ownerbuf[DNS_NAME_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
int level;
/*
* Outside of zone.
*/
return (ISC_TRUE);
}
else
dns_rdataset_init(&a);
DNS_DBFIND_GLUEOK, 0, NULL,
if (result == ISC_R_SUCCESS) {
return (ISC_TRUE);
} else if (result == DNS_R_DELEGATION)
result == DNS_R_GLUE) {
DNS_DBFIND_GLUEOK, 0, NULL,
if (tresult == ISC_R_SUCCESS) {
return (ISC_TRUE);
}
if (tresult == DNS_R_DELEGATION)
/*
* Check glue against child zone.
*/
&a, &aaaa);
if (dns_rdataset_isassociated(&a))
if (dns_rdataset_isassociated(&aaaa))
return (answer);
}
}
const char *what;
what = "REQUIRED GLUE ";
} else if (result == DNS_R_DELEGATION)
what = "SIBLING GLUE ";
else
what = "";
"address records (A or AAAA)",
/*
* Log missing address record.
*/
&a, &aaaa);
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
} else if (result == DNS_R_CNAME) {
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
} else if (result == DNS_R_DNAME) {
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
if (dns_rdataset_isassociated(&a))
if (dns_rdataset_isassociated(&aaaa))
return (answer);
}
static isc_boolean_t
{
int level = ISC_LOG_WARNING;
char ownerbuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
unsigned int count1 = 0;
result == ISC_R_SUCCESS;
unsigned int count2 = 0;
count1++;
result == ISC_R_SUCCESS;
count2++;
continue;
if (format) {
sizeof ownerbuf);
sizeof(typebuf));
}
"semantically identical records",
if (level == ISC_LOG_ERROR)
break;
}
}
if (!format)
break;
}
return (answer);
}
static isc_boolean_t
if (result != ISC_R_SUCCESS)
return (ISC_TRUE);
result == ISC_R_SUCCESS;
if (result != ISC_R_SUCCESS)
continue;
if (result != ISC_R_SUCCESS)
continue;
result == ISC_R_SUCCESS;
}
}
return (ok);
}
static isc_boolean_t
char buf[1024];
while (rdl > 0U) {
++data;
--rdl;
i += len;
}
if (i < 6U)
return(ISC_FALSE);
buf[i] = 0;
return (ISC_TRUE);
return (ISC_FALSE);
}
static isc_boolean_t
if (result != ISC_R_SUCCESS)
return (ISC_TRUE);
while (result == ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Is this name visible in the zone?
*/
(dns_name_countlabels(bottom) > 0 &&
goto next;
/*
* Don't check the NS records at the origin.
*/
goto checkmx;
if (result != ISC_R_SUCCESS)
goto checkmx;
/*
* Remember bottom of zone.
*/
while (result == ISC_R_SUCCESS) {
}
goto next;
if (result != ISC_R_SUCCESS)
goto checksrv;
while (result == ISC_R_SUCCESS) {
}
goto next;
if (result != ISC_R_SUCCESS)
goto checkspf;
while (result == ISC_R_SUCCESS) {
}
/*
* Check if there is a type TXT spf record without a type SPF
* RRset being present.
*/
goto next;
goto next;
if (result == ISC_R_SUCCESS) {
}
if (result != ISC_R_SUCCESS)
goto notxt;
while (result == ISC_R_SUCCESS) {
if (have_txt)
break;
}
char namebuf[DNS_NAME_FORMATSIZE];
"record but no SPF/%s record found, add "
}
next:
}
return (ok);
}
/*
* OpenSSL verification of RSA keys with exponent 3 is known to be
* broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
* if they are in use.
*/
static void
const char *algorithm;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
result == ISC_R_SUCCESS;
{
{
algorithm = "RSASHA1";
} else {
algorithm = "RSAMD5";
}
if (logit)
"weak %s (%u) key found "
"(exponent=3)", algorithm,
break;
}
}
}
static void
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result == ISC_R_SUCCESS;
{
continue;
}
if (result != ISC_R_SUCCESS) {
"zone_signwithkey failed: %s",
}
}
dns_db_detach(&db);
}
}
static isc_result_t
unsigned int options = 0;
char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
int i;
goto cleanup;
}
goto cleanup;
}
if (nsec3chain == NULL) {
goto cleanup;
}
nsec3chain->magic = 0;
if (nsec3param->flags == 0)
else {
flags[0] = '\0';
if (flags[0] == '\0')
else
}
if (flags[0] == '\0')
else
}
if (flags[0] == '\0')
else
}
if (flags[0] == '\0')
else
}
}
if (nsec3param->salt_length == 0)
else
for (i = 0; i < nsec3param->salt_length; i++)
"zone_addnsec3chain(%u,%s,%u,%s)",
saltbuf);
}
&nsec3chain->dbiterator);
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS) {
nsec3chain, link);
nsec3chain = NULL;
}
}
if (nsec3chain != NULL) {
}
dns_db_detach(&db);
return (result);
}
static void
if (zone->privatetype == 0)
return;
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result == ISC_R_SUCCESS;
{
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
sizeof(buf)))
continue;
{
if (result != ISC_R_SUCCESS) {
"zone_addnsec3chain failed: %s",
}
}
}
dns_db_detach(&db);
}
}
static void
unsigned int resign;
/* We only re-sign zones that can be dynamically updated */
if (zone->update_disabled)
return;
return;
return;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
nanosecs %= 1000000000;
dns_db_detach(&db);
return;
}
static isc_result_t
if (result != ISC_R_SUCCESS) {
"nsec3param lookup failure: %s",
return (result);
}
if (result == ISC_R_NOTFOUND) {
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
"nsec3param lookup failure: %s",
goto cleanup;
}
/*
* For dynamic zones we must support every algorithm so we can
* regenerate all the NSEC3 chains.
* For non-dynamic zones we only need to find a supported algorithm.
*/
result == ISC_R_SUCCESS;
{
{
"nsec3 test \"unknown\" hash algorithm found: %u",
if (dynamic) {
"unsupported nsec3 hash algorithm"
" in dynamic zone: %u",
/* Stop second error message. */
break;
} else
"unsupported nsec3 hash algorithm: %u",
} else
}
if (result == ISC_R_NOMORE)
if (!ok) {
"no supported nsec3 hash algorithm");
}
return (result);
}
/*
* Set the timer for refreshing the key zone to the soonest future time
* of the set (current timer, keydata->refresh, keydata->addhd,
* keydata->removehd).
*/
static void
{
const char me[] = "set_refreshkeytimer";
char timebuf[80];
else
}
/*
* Convert key(s) linked from 'keynode' to KEYDATA and add to the key zone.
* If the key zone is changed, set '*changed' to ISC_TRUE.
*/
static isc_result_t
{
const char me[] = "create_keydata";
isc_region_t r;
/* Loop in case there's more than one key. */
while (result == ISC_R_SUCCESS) {
goto skip;
/* Convert DST key to DNSKEY. */
isc_buffer_usedregion(&dstb, &r);
dns_rdatatype_dnskey, &r);
/* DSTKEY to KEYDATA. */
NULL));
/* KEYDATA to rdata. */
/* Add rdata to zone. */
/* Refresh new keys from the zone apex as soon as possible. */
skip:
if (result != ISC_R_NOTFOUND) {
}
}
return (ISC_R_SUCCESS);
return (result);
}
/*
* Remove from the key zone all the KEYDATA records found in rdataset.
*/
static isc_result_t
{
result == ISC_R_SUCCESS;
if (uresult != ISC_R_SUCCESS)
return (uresult);
}
if (result == ISC_R_NOMORE)
return (result);
}
/*
* Compute the DNSSEC key ID for a DNSKEY record.
*/
static isc_result_t
{
unsigned char data[4096];
if (result == ISC_R_SUCCESS)
return (result);
}
/*
* Add key to the security roots.
*/
static void
unsigned char data[4096];
/* Convert dnskey to DST key. */
if (result != ISC_R_SUCCESS)
goto failure;
return;
}
/*
* Add a null key to the security roots for so that all queries
* to the zone will fail.
*/
static void
if (result == ISC_R_SUCCESS) {
}
}
/*
* Scan a set of KEYDATA records from the key zone. The ones that are
* valid (i.e., the add holddown timer has expired) become trusted keys.
*/
static void
if (result == ISC_R_SUCCESS) {
}
/* Now insert all the accepted trust anchors from this keydata set. */
result == ISC_R_SUCCESS;
/* Convert rdata to keydata. */
/* Set the key refresh timer. */
/* If the removal timer is nonzero, this key was revoked. */
revoked++;
continue;
}
/*
* If the add timer is still pending, this key is not
* trusted yet.
*/
pending++;
continue;
}
/* Convert keydata to dnskey. */
/* Add to keytables. */
trusted++;
}
char namebuf[DNS_NAME_FORMATSIZE];
"No valid trust anchors for '%s'!", namebuf);
"%d key(s) revoked, %d still pending",
"All queries to '%s' will fail", namebuf);
}
}
static isc_result_t
{
/*
* Create a singleton diff.
*/
/*
* Apply it to the database.
*/
if (result != ISC_R_SUCCESS) {
return (result);
}
/*
* Merge it into the current pending journal entry.
*/
/*
* Do not clear temp_diff.
*/
return (ISC_R_SUCCESS);
}
static isc_result_t
{
if (result != ISC_R_SUCCESS)
return (result);
}
static isc_result_t
return (result);
}
/*
* Write all transactions in 'diff' to the zone journal file.
*/
static isc_result_t
const char *caller)
{
const char me[] = "zone_journal";
const char *journalfile;
if (journalfile != NULL) {
&journal);
if (result != ISC_R_SUCCESS) {
"%s:dns_journal_open -> %s",
return (result);
}
if (sourceserial != NULL)
if (result != ISC_R_SUCCESS) {
"%s:dns_journal_write_transaction -> %s",
}
}
return (result);
}
/*
* Create an SOA record for a newly-created zone
*/
static isc_result_t
unsigned char buf[DNS_SOA_BUFFERSIZE];
if (result != ISC_R_SUCCESS) {
"add_soa:dns_db_newversion -> %s",
goto failure;
}
/* Build SOA record */
if (result != ISC_R_SUCCESS) {
"add_soa:dns_soa_buildrdata -> %s",
goto failure;
}
return (result);
}
/*
* Synchronize the set of initializing keys found in managed-keys {}
* statements with the set of trust anchors found in the managed-keys.bind
* zone. If a domain is no longer named in managed-keys, delete all keys
* from that domain from the key zone. If a domain is mentioned in in
* managed-keys but there are no references to it in the key zone, load
* the key zone with the initializing key(s) for that domain.
*/
static isc_result_t
if (result != ISC_R_SUCCESS) {
"sync_keyzone:dns_db_newversion -> %s",
goto failure;
}
/*
* Walk the zone DB. If we find any keys whose names are no longer
* in managed-keys (or *are* in trusted-keys, meaning they are
* permanent and not RFC5011-maintained), delete them from the
* zone. Otherwise call load_secroots(), which loads keys into
* secroots as appropriate.
*/
result == ISC_R_SUCCESS;
if (!dns_rdataset_isassociated(rdataset)) {
goto failure;
}
continue;
if ((result != ISC_R_SUCCESS &&
result != DNS_R_PARTIALMATCH) ||
} else {
}
}
/*
* Now walk secroots to find any managed keys that aren't
* in the zone. If we find any, we add them to the zone.
*/
if (result == ISC_R_NOTFOUND)
goto skip;
if (dns_keynode_managed(keynode)) {
goto skip;
DNS_DBFIND_NOWILD, 0, NULL,
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS)
break;
}
skip:
}
if (result == ISC_R_NOMORE)
if (changed) {
/* Write changes to journal file. */
zone->updatemethod));
}
if (result != ISC_R_SUCCESS &&
"unable to synchronize managed keys: %s",
}
return (result);
}
return (DNS_R_BADZONE);
dns_db_detach(&db);
return (result);
}
static void
/*
* We've finished loading, or else failed to load, an inline-signing
* 'secure' zone. We now need information about the status of the
* 'raw' zone. If we failed to load, then we need it to send a
* copy of its database; if we succeeded, we need it to send its
* serial number so that we can sync with it. If it has not yet
* loaded, we set a flag so that it will send the necessary
* information when it has finished loading.
*/
unsigned int soacount;
} else
} else
}
static isc_boolean_t
return (answer);
}
/*
* The zone is presumed to be locked.
*/
static isc_result_t
{
unsigned int soacount = 0;
unsigned int nscount = 0;
unsigned int errors = 0;
unsigned int options;
/*
* Initiate zone transfer? We may need a error code that
* indicates that the "permanent" form does not exist.
* XXX better error feedback to log.
*/
if (result == ISC_R_FILENOTFOUND)
"no master file");
else if (result != DNS_R_NOMASTERFILE)
"loading from master file %s "
"failed: %s",
{
"no master file, requesting db");
} else {
int level = ISC_LOG_ERROR;
"loading from master file %s failed: %s",
}
goto cleanup;
}
"number of nodes in database: %u",
if (result == DNS_R_SEENINCLUDE)
else
/*
* If there's no master file for a key zone, then the zone is new:
* create an SOA record. (We do this now, instead of later, so that
* if there happens to be a journal file, we can roll forward from
* a sane starting point.)
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
}
/*
* Apply update log, if any, on initial load.
*/
{
else
options = 0;
result != ISC_R_RANGE) {
"journal rollforward failed: %s",
goto cleanup;
}
"journal rollforward failed: "
"journal out of sync with zone");
goto cleanup;
}
"journal rollforward completed "
"successfully: %s",
if (result == ISC_R_SUCCESS)
}
/*
* Obtain ns, soa and cname counts for top of zone.
*/
&errors);
}
/*
* Check to make sure the journal is up to date, and remove the
* journal file if it isn't, as we wouldn't be able to apply
* updates otherwise.
*/
if (result == ISC_R_SUCCESS) {
} else {
}
"journal file is out of date: "
"removing journal file");
char strbuf[ISC_STRERRORSIZE];
"unable to remove journal "
"'%s': '%s'",
}
}
}
/*
* Master / Slave / Stub zones require both NS and SOA records at
* the top of the zone.
*/
case dns_zone_dlz:
case dns_zone_master:
case dns_zone_slave:
case dns_zone_stub:
case dns_zone_redirect:
if (soacount != 1) {
"has %d SOA records", soacount);
}
if (nscount == 0) {
"has no NS records");
}
if (result != ISC_R_SUCCESS)
goto cleanup;
goto cleanup;
}
if (result != ISC_R_SUCCESS)
goto cleanup;
}
goto cleanup;
}
goto cleanup;
}
unsigned int oldsoacount;
/*
* This is checked in zone_replacedb() for slave zones
* as they don't reload from disk.
*/
&oldsoacount, &oldserial,
NULL);
RUNTIME_CHECK(soacount > 0U);
"ixfr-from-differences: "
"unchanged");
return(ISC_R_SUCCESS);
}
0xffffffffU;
"ixfr-from-differences: "
"new serial (%u) out of range "
goto cleanup;
"zone serial (%u/%u) has gone "
"zone serial (%u) unchanged. "
"zone may fail to transfer "
"to slaves.", serial);
}
{
"sig-re-signing-interval less than "
"3 * refresh.");
}
isc_time_t t;
if (result != ISC_R_SUCCESS)
&t);
if (result == ISC_R_SUCCESS)
&zone->expiretime);
else
&zone->expiretime);
&zone->expiretime) >= 0)
}
break;
case dns_zone_key:
if (result != ISC_R_SUCCESS)
goto cleanup;
break;
default:
goto cleanup;
}
/*
* Check for weak DNSKEY's.
*/
/*
* Schedule DNSSEC key refresh.
*/
#if 0
/* destroy notification example. */
{
zone,
sizeof(isc_event_t));
}
#endif
if (result != ISC_R_SUCCESS)
goto cleanup;
} else {
if (result != ISC_R_SUCCESS)
goto cleanup;
{
else
}
}
/*
* Finished loading inline-signing zone; need to get status
* from the raw side now.
*/
if (needdump) {
else
}
}
dns_db_issecure(db)) {
if (result == ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
"next resign: %s/%s in %d seconds",
} else
"signed dynamic zone has no "
"resign event scheduled");
}
}
if (! dns_db_ispersistent(db))
return (result);
/* Mark the zone for immediate refresh. */
"not loaded due to errors.");
}
return (result);
}
static isc_boolean_t
{
/*
* DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
*/
return (ISC_TRUE);
}
return (ISC_FALSE);
}
static isc_boolean_t
{
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
int level;
return (ISC_TRUE);
else
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
if (result == DNS_R_NXRRSET) {
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
}
result == DNS_R_EMPTYNAME) {
if (logit) {
"records (A or AAAA)", namebuf);
}
return (ISC_FALSE);
}
if (result == DNS_R_CNAME) {
if (logit) {
"(illegal)", namebuf);
}
return (ISC_FALSE);
}
if (result == DNS_R_DNAME) {
if (logit) {
}
return (ISC_FALSE);
}
return (ISC_TRUE);
}
static isc_result_t
{
unsigned int count = 0;
unsigned int ecount = 0;
if (result == ISC_R_NOTFOUND) {
goto success;
}
if (result != ISC_R_SUCCESS) {
goto invalidate_rdataset;
}
while (result == ISC_R_SUCCESS) {
ecount++;
}
count++;
}
return (result);
}
static isc_result_t
unsigned int *soacount,
{
unsigned int count;
if (result == ISC_R_NOTFOUND) {
*soacount = 0;
*serial = 0;
*refresh = 0;
*retry = 0;
*expire = 0;
*minimum = 0;
goto invalidate_rdataset;
}
if (result != ISC_R_SUCCESS) {
goto invalidate_rdataset;
}
count = 0;
while (result == ISC_R_SUCCESS) {
count++;
if (count == 1) {
}
}
if (count > 0) {
} else {
*soacount = 0;
*serial = 0;
*refresh = 0;
*retry = 0;
*expire = 0;
*minimum = 0;
}
return (result);
}
/*
* zone must be locked.
*/
static isc_result_t
unsigned int *errors)
{
if (result != ISC_R_SUCCESS) {
goto closeversion;
}
if (result != ISC_R_SUCCESS)
}
minimum);
if (result != ISC_R_SUCCESS)
}
return (answer);
}
void
}
void
unsigned int refs;
if (refs == 0) {
/*
* We just detached the last external reference.
*/
/*
* This zone is being managed. Post
* its control event and let it clean
* up synchronously in the context of
* its task.
*/
} else {
/*
* This zone is not being managed; it has
* no task and can have no outstanding
* events. Free it immediately.
*/
/*
* Unmanaged zones should not have non-null views;
* we have no way of detaching from the view here
* without causing deadlock because this code is called
* with the view already locked.
*/
}
}
if (free_now) {
}
}
void
}
static void
/*
* 'source' locked by caller.
*/
}
static void
/*
* 'zone' locked by caller.
*/
}
void
if (free_needed)
}
}
}
void
if (value)
else
}
void
{
if (value)
else
}
unsigned int
}
void
{
if (value)
else
}
unsigned int
}
return (ISC_R_SUCCESS);
}
return (&zone->xfrsource4);
}
return (ISC_R_SUCCESS);
}
return (zone->xfrsource4dscp);
}
return (ISC_R_SUCCESS);
}
return (&zone->xfrsource6);
}
return (zone->xfrsource6dscp);
}
return (ISC_R_SUCCESS);
}
const isc_sockaddr_t *altxfrsource)
{
return (ISC_R_SUCCESS);
}
return (&zone->altxfrsource4);
}
return (ISC_R_SUCCESS);
}
return (zone->altxfrsource4dscp);
}
const isc_sockaddr_t *altxfrsource)
{
return (ISC_R_SUCCESS);
}
return (&zone->altxfrsource6);
}
return (ISC_R_SUCCESS);
}
return (zone->altxfrsource6dscp);
}
return (ISC_R_SUCCESS);
}
return (&zone->notifysrc4);
}
return (ISC_R_SUCCESS);
}
return (zone->notifysrc4dscp);
}
return (ISC_R_SUCCESS);
}
return (&zone->notifysrc6);
}
static isc_boolean_t
{
unsigned int i;
for (i = 0; i < count; i++)
return (ISC_FALSE);
return (ISC_TRUE);
}
static isc_boolean_t
unsigned int i;
return (ISC_TRUE);
return (ISC_FALSE);
for (i = 0; i < count; i++) {
continue;
return (ISC_FALSE);
}
return (ISC_TRUE);
}
static void
{
unsigned int count;
*countp = 0;
unsigned int i;
for (i = 0; i < count; i++) {
sizeof(dns_name_t));
}
}
}
}
static isc_result_t
set_addrkeylist(unsigned int count,
{
unsigned int i;
return (ISC_R_NOMEMORY);
return (ISC_R_NOMEMORY);
}
} else
return (ISC_R_NOMEMORY);
}
for (i = 0; i < count; i++)
for (i = 0; i < count; i++) {
sizeof(dns_name_t));
goto allocfail;
newnames[i]);
if (result != ISC_R_SUCCESS) {
for (i = 0; i < count; i++)
newnames[i],
mctx);
return (ISC_R_NOMEMORY);
}
}
}
} else
return (ISC_R_SUCCESS);
}
return (ISC_R_SUCCESS);
}
return (zone->notifysrc6dscp);
}
{
count));
}
{
count));
}
{
goto unlock;
if (count == 0)
goto unlock;
/*
* Set up the notify and notifykey lists
*/
if (result != ISC_R_SUCCESS)
goto unlock;
/*
* Everything is ok so attach to the zone.
*/
return (ISC_R_SUCCESS);
}
{
return (result);
}
const isc_sockaddr_t *masters,
{
unsigned int i;
}
/*
* The refresh code assumes that 'masters' wouldn't change under it.
* If it will change then kill off any current refresh in progress
* and update the masters info. If it won't change then we can just
* unlock and exit.
*/
} else
goto unlock;
/*
* This needs to happen before clear_addresskeylist() sets
* zone->masterscnt to 0:
*/
}
/*
* If count == 0, don't allocate any space for masters, mastersok or
* keynames so internally, those pointers are NULL if count == 0
*/
if (count == 0)
goto unlock;
/*
* mastersok must contain count elements
*/
goto unlock;
};
for (i = 0; i < count; i++)
/*
* Now set up the masters and masterkey lists
*/
if (result != ISC_R_SUCCESS) {
goto unlock;
}
/*
* Everything is ok so attach to the zone.
*/
return (result);
}
else
return (result);
}
void
}
/*
* Co-ordinates the starting of routine jobs.
*/
void
const char me[] = "dns_zone_maintenance";
}
static inline isc_boolean_t
if (!dumping) {
}
return (dumping);
}
static isc_result_t
{
nkeys);
if (result == ISC_R_NOTFOUND)
return (result);
}
static isc_result_t
{
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
return (result);
}
static void
{
unsigned int delta;
char timebuf[80];
"DNSKEY RRSIG(s) have expired");
isc_time_t t;
isc_time_set(&t, when, 0);
"DNSKEY RRSIG(s) will expire within 7 days: %s",
timebuf);
delta--; /* loop prevention */
} else {
"setting keywarntime to %s", timebuf);
}
}
/*
* Helper function to del_sigs(). We don't want to delete RRSIGs that
* have no new key.
*/
static isc_boolean_t
unsigned int i = 0;
/*
* It's okay to delete a signature if there is an active ZSK
* with the same algorithm
*/
for (i = 0; i < nkeys; i++) {
return (ISC_TRUE);
}
/*
* Failing that, it is *not* okay to delete a signature
* if the associated public key is still in the DNSKEY RRset
*/
for (i = 0; i < nkeys; i++) {
return (ISC_FALSE);
}
/*
* But if the key is gone, then go ahead.
*/
return (ISC_TRUE);
}
/*
* Delete expired RRsigs and any RRsigs we are about to re-sign.
* See also update.c:del_keysigs().
*/
static isc_result_t
{
unsigned int i;
if (type == dns_rdatatype_nsec3)
else
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
result == ISC_R_SUCCESS;
if (type != dns_rdatatype_dnskey) {
if (incremental)
if (result != ISC_R_SUCCESS)
break;
} else {
/*
* At this point, we've got an RRSIG,
* which is signed by an inactive key.
* An administrator needs to provide a new
* keep the old RRSIG. Marking the key as
* offline will prevent us spinning waiting
* for the private part.
*/
if (incremental) {
&rdata);
if (result != ISC_R_SUCCESS)
break;
}
/*
* Log the key id and algorithm of
* the inactive key with no replacement
*/
char origin[DNS_NAME_FORMATSIZE];
char algbuf[DNS_NAME_FORMATSIZE];
sizeof(origin));
sizeof(algbuf));
"Key %s/%s/%d "
"missing or inactive "
"and has no replacement: "
"retaining signatures.",
3600;
}
}
continue;
}
/*
* RRSIG(DNSKEY) requires special processing.
*/
for (i = 0; i < nkeys; i++) {
/*
* Mark offline RRSIG(DNSKEY).
* We want the earliest offline expire time
* iff there is a new offline signature.
*/
if (!dst_key_inactive(keys[i]) &&
!dst_key_isprivate(keys[i]))
{
warn = timeexpire;
if (maybe == 0 ||
maybe > timeexpire)
maybe = timeexpire;
break;
}
if (warn == 0)
warn = timeexpire;
&rdata);
break;
}
&rdata);
break;
}
}
/*
* If there is not a matching DNSKEY then
* delete the RRSIG.
*/
if (!found)
if (result != ISC_R_SUCCESS)
break;
}
if (result == ISC_R_NOMORE)
if (warn > 0) {
#if defined(STDTIME_ON_32BITS)
#endif
#if defined(STDTIME_ON_32BITS)
else
"key expiry warning time out of range");
#endif
}
return (result);
}
static isc_result_t
{
unsigned int i, j;
if (type == dns_rdatatype_nsec3)
else
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
for (i = 0; i < nkeys; i++) {
if (!dst_key_isprivate(keys[i]))
continue;
} else {
}
for (j = 0; j < nkeys; j++) {
continue;
continue;
else
if (both)
break;
}
}
if (both) {
if (type == dns_rdatatype_dnskey) {
continue;
continue;
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
/* Update the database and journal with the RRSIG. */
/* XXX inefficient - will cause dataset merging */
}
return (result);
}
static void
const char *me = "zone_resigninc";
unsigned int i;
unsigned int nkeys = 0;
unsigned int resign;
/*
* Zone is frozen or automatic resigning is disabled.
* Pause for 5 minutes.
*/
if (zone->update_disabled ||
{
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_resigninc:dns_db_newversion -> %s",
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_resigninc:find_zone_keys -> %s",
goto failure;
}
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
"zone_resigninc:dns_db_getsigningtime -> %s",
}
i = 0;
while (result == ISC_R_SUCCESS) {
/*
* Stop if we hit the SOA as that means we have walked the
* entire zone. The SOA record should always be the most
* recent signature.
*/
/* XXXMPA increase number of RRsets signed pre call */
break;
if (result != ISC_R_SUCCESS) {
"zone_resigninc:del_sigs -> %s",
break;
}
if (result != ISC_R_SUCCESS) {
"zone_resigninc:add_sigs -> %s",
break;
}
break;
}
if (result != ISC_R_SUCCESS)
"zone_resigninc:dns_db_getsigningtime -> %s",
}
goto failure;
if (result != ISC_R_SUCCESS) {
"zone_resigninc:del_sigs -> %s",
goto failure;
}
/*
* Did we change anything in the zone?
*/
/*
* Commit the changes if any key has been marked as offline. */
goto failure;
}
/* Increment SOA serial if we have made changes */
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
"zone_resigninc:update_soa_serial -> %s",
goto failure;
}
/*
* Generate maximum life time signatures so that the above loop
* termination is sensible.
*/
if (result != ISC_R_SUCCESS) {
"zone_resigninc:add_sigs -> %s",
goto failure;
}
/* Write changes to journal file. */
/* Everything has succeeded. Commit the changes. */
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
dns_db_detach(&db);
dns_db_detach(&db);
if (result == ISC_R_SUCCESS) {
} else {
/*
* Something failed. Retry in 5 minutes.
*/
}
}
static isc_result_t
{
do {
if (result == ISC_R_NOMORE)
continue;
}
/*
* Is this node empty?
*/
if (result != ISC_R_NOMORE)
break;
} while (1);
return (result);
}
static isc_boolean_t
{
if (result != ISC_R_SUCCESS) {
return (ISC_FALSE);
}
result == ISC_R_SUCCESS;
return (ISC_TRUE);
}
}
return (ISC_FALSE);
}
static isc_result_t
{
unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
&rdata));
&rdata));
return (result);
}
static isc_result_t
{
unsigned char data[1024];
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
return (result);
}
result == ISC_R_SUCCESS;
}
if (result != ISC_R_NOMORE)
goto failure;
*delegation = ISC_TRUE;
/*
* Going from insecure to NSEC3.
* Don't generate NSEC3 records for NSEC3 records.
*/
(*signatures)--;
}
/*
* Going from insecure to NSEC.
* Don't generate NSEC records for NSEC3 records.
*/
/* Build and add NSEC. */
/*
* Build a NSEC record except at the origin.
*/
/* Count a NSEC generation as a signature generation. */
(*signatures)--;
}
}
while (result == ISC_R_SUCCESS) {
goto next_rdataset;
if (!is_ksk && keyset_kskonly)
goto next_rdataset;
} else if (is_ksk)
goto next_rdataset;
if (*delegation &&
goto next_rdataset;
goto next_rdataset;
/* Calculate the signature, creating a RRSIG RDATA. */
/* Update the database and journal with the RRSIG. */
/* XXX inefficient - will cause dataset merging */
(*signatures)--;
}
if (result == ISC_R_NOMORE)
if (seen_dname)
*delegation = ISC_TRUE;
return (result);
}
/*
* If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
*/
static isc_result_t
{
if (update_only) {
if (result == ISC_R_NOTFOUND)
goto success;
if (result != ISC_R_SUCCESS)
goto failure;
}
return (result);
}
static isc_result_t
{
unsigned char data[5];
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_NOTFOUND) {
goto failure;
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
result == ISC_R_SUCCESS;
/*
* If we don't match the algorithm or keyid skip the record.
*/
continue;
}
/*
* We have a match. If we were signing (!signing->delete)
* and we already have a record indicating that we have
* finished signing (rdata.data[4] != 0) then keep it.
* Otherwise it needs to be deleted as we have removed all
* the signatures (signing->delete), so any record indicating
* completion is now out of date, or we have finished signing
* with the new record so we no longer need to remember that
* we need to sign the zone with the matching key across a
* nameserver re-start.
*/
} else
}
if (result == ISC_R_NOMORE)
/*
* If we were signing then we need to indicate that we have
* finished signing the zone with this key. If it is already
* there we don't need to add it a second time.
*/
data[3] = 0;
} else if (!have_rr) {
/*
* longer have any private records.
*/
if (build_nsec3)
}
return (result);
}
/*
* If 'active' is set then we are not done with the chain yet so only
* delete the nsec3param record which indicates a full chain exists
* (flags == 0).
*/
static isc_result_t
{
unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
if (result == ISC_R_NOTFOUND)
goto try_private;
if (result != ISC_R_SUCCESS)
goto failure;
/*
* Preserve the existing ttl.
*/
/*
* Delete all NSEC3PARAM records which match that in nsec3chain.
*/
result == ISC_R_SUCCESS;
continue;
}
}
if (result != ISC_R_NOMORE)
goto failure;
if (active)
goto add;
/*
* Delete all private records which match that in nsec3chain.
*/
if (result == ISC_R_NOTFOUND)
goto add;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
continue;
if ((!nsec3ok &&
continue;
}
}
if (result != ISC_R_NOMORE)
goto failure;
add:
goto failure;
}
/*
* Add a NSEC3PARAM record which matches that in nsec3chain but
* with all flags bits cleared.
*
* Note: we do not clear chain->nsec3param.flags as this change
* may be reversed.
*/
return (result);
}
static isc_result_t
{
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
result == ISC_R_SUCCESS;
}
if (result == ISC_R_NOMORE)
return (result);
}
static isc_result_t
{
if (result == ISC_R_NOTFOUND)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
result == ISC_R_SUCCESS;
continue;
}
if (result == ISC_R_NOMORE)
return (result);
}
static isc_result_t
const dns_rdata_nsec3param_t *param,
{
if (result == ISC_R_SUCCESS) {
return (result);
}
if (result != ISC_R_NOTFOUND) {
return (result);
}
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
result == ISC_R_SUCCESS;
/*
* Ignore any NSEC3PARAM removals.
*/
continue;
/*
* Ignore the chain that we are in the process of deleting.
*/
continue;
/*
* Found an active NSEC3 chain.
*/
break;
}
if (result == ISC_R_NOMORE) {
}
return (result);
}
static isc_result_t
{
if (result != ISC_R_SUCCESS) {
"update_sigs:del_sigs -> %s",
return (result);
}
if (result != ISC_R_SUCCESS) {
"update_sigs:add_sigs -> %s",
return (result);
}
do {
}
return (ISC_R_SUCCESS);
}
/*
* Incrementally build and sign a new NSEC3 chain using the parameters
* requested.
*/
static void
const char *me = "zone_nsec3chain";
unsigned int i;
unsigned int nkeys = 0;
/*
* Updates are disabled. Pause for 5 minutes.
*/
if (zone->update_disabled) {
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:dns_db_newversion -> %s",
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:find_zone_keys -> %s",
goto failure;
}
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
/*
* We keep pulling nodes off each iterator in turn until
* we have no more nodes to pull off or we reach the limits
* for this quantum.
*/
if (nsec3chain != NULL)
/*
* Generate new NSEC3 chains first.
*/
}
goto next_addchain;
/*
* Possible future db.
*/
goto next_addchain;
}
goto next_addchain;
if (nsec3chain->delete_nsec) {
goto next_addnode;
}
/*
* On the first pass we need to check if the current node
* has not been obscured.
*/
if (first) {
if ((result == DNS_R_DELEGATION ||
result == DNS_R_DNAME) &&
/*
* Remember the obscuring name so that
* we skip all obscured names.
*/
goto next_addnode;
}
}
/*
* Check to see if this is a bottom of zone node.
*/
goto next_addnode;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
}
/*
* Is there a NSEC chain than needs to be cleaned up?
*/
if (seen_nsec)
/*
* Process one node.
*/
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
"dns_nsec3_addnsec3 -> %s",
goto failure;
}
/*
* Treat each call to dns_nsec3_addnsec3() as if it's cost is
* two signatures. Additionally there will, in general, be
* two signature generated below.
*
* If we are only changing the optout flag the cost is half
* that of the cost of generating a completely new chain.
*/
signatures -= 4;
/*
* Go onto next node.
*/
do {
¶m_diff));
link);
goto next_addchain;
}
if (result == ISC_R_NOMORE) {
if (nsec3chain->seen_nsec) {
¶m_diff));
goto same_addchain;
}
¶m_diff));
link);
goto next_addchain;
} else if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"dns_dbiterator_next -> %s",
goto failure;
} else if (delegation) {
break;
} else
break;
} while (1);
continue;
continue;
if (nsec3chain != NULL)
}
/*
* Process removals.
*/
goto next_removechain;
goto next_removechain;
/*
* Work out if we need to build a NSEC chain as a consequence
* of removing this NSEC3 chain.
*/
if (first && !updatensec &&
{
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"need_nsec_chain -> %s",
goto failure;
}
}
if (first)
"buildnsecchain = %u\n", buildnsecchain);
if (!buildnsecchain) {
/*
* Delete the NSECPARAM record that matches this chain.
*/
if (first) {
¶m_diff);
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"fixup_nsec3param -> %s",
goto failure;
}
}
/*
* Delete the NSEC3 records.
*/
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"deletematchingnsec3 -> %s",
goto failure;
}
goto next_removenode;
}
if (first) {
if ((result == DNS_R_DELEGATION ||
result == DNS_R_DNAME) &&
/*
* Remember the obscuring name so that
* we skip all obscured names.
*/
goto next_removenode;
}
}
/*
* Check to see if this is a bottom of zone node.
*/
goto next_removenode;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
}
goto next_removenode;
/*
* Add a NSEC record except at the origin.
*/
delegation, &nsec_diff));
}
do {
/*
* The NSEC chain should now be built.
* We can now remove the NSEC3 chain.
*/
goto same_removechain;
}
if (result == ISC_R_NOMORE) {
link);
¶m_diff);
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"fixup_nsec3param -> %s",
goto failure;
}
goto next_removechain;
} else if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"dns_dbiterator_next -> %s",
goto failure;
} else if (delegation) {
break;
} else
break;
} while (1);
continue;
continue;
}
/*
*/
if (result != ISC_R_SUCCESS) {
"dns_db_allrdatasets -> %s",
goto failure;
}
result == ISC_R_SUCCESS;
}
if (rebuild_nsec) {
if (nsec3chain != NULL)
&nsec_diff);
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"updatesecure -> %s",
goto failure;
}
}
if (rebuild_nsec3) {
if (nsec3chain != NULL)
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
"zone_nsec3chain:"
"dns_nsec3_addnsec3s -> %s",
goto failure;
}
}
}
if (nsec3chain != NULL)
/*
* Add / update signatures for the NSEC3 records.
*/
if (nsec3chain != NULL)
if (result != ISC_R_SUCCESS) {
goto failure;
}
/*
* We have changed the NSEC3PARAM or private RRsets
* above so we need to update the signatures.
*/
if (result != ISC_R_SUCCESS) {
goto failure;
}
if (updatensec) {
if (result != ISC_R_SUCCESS) {
"updatesecure -> %s",
goto failure;
}
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
/*
* If we made no effective changes to the zone then we can just
* cleanup otherwise we need to increment the serial.
*/
/*
* No need to call dns_db_closeversion() here as it is
* called with commit = ISC_TRUE below.
*/
goto done;
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
"update_soa_serial -> %s",
goto failure;
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
/* Write changes to journal file. */
done:
/*
* Pause all iterators so that dns_db_closeversion() can succeed.
*/
nsec3chain != NULL;
/*
* Everything has succeeded. Commit the changes.
* Unconditionally commit as zonediff.offline not checked above.
*/
/*
* Everything succeeded so we can clean these up now.
*/
while (nsec3chain != NULL) {
}
if (result != ISC_R_SUCCESS)
/*
* On error roll back the current nsec3chain.
*/
if (nsec3chain->done) {
} else {
}
}
/*
* Rollback the cleanup list.
*/
while (nsec3chain != NULL) {
if (nsec3chain->done) {
} else {
}
}
nsec3chain != NULL;
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
dns_db_detach(&db);
dns_db_detach(&db);
else
} else
}
static isc_result_t
{
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
return (result);
}
result == ISC_R_SUCCESS;
result == ISC_R_SUCCESS;
}
if (result != ISC_R_NOMORE)
goto failure;
continue;
}
continue;
}
result == ISC_R_SUCCESS;
continue;
}
if (result != ISC_R_NOMORE)
break;
}
if (result == ISC_R_NOMORE)
return (result);
}
/*
* Incrementally sign the zone using the keys requested.
* Builds the NSEC chain if required.
*/
static void
const char *me = "zone_sign";
unsigned int i, j;
unsigned int nkeys = 0;
/*
* Updates are disabled. Pause for 5 minutes.
*/
if (zone->update_disabled) {
goto failure;
}
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_sign:dns_db_newversion -> %s",
goto failure;
}
if (result != ISC_R_SUCCESS) {
"zone_sign:find_zone_keys -> %s",
goto failure;
}
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
/*
* We keep pulling nodes off each iterator in turn until
* we have no more nodes to pull off or we reach the limits
* for this quantum.
*/
/* Determine which type of chain to build */
&build_nsec, &build_nsec3));
/* If neither chain is found, default to NSEC */
if (!build_nsec && !build_nsec3)
/*
* The zone has been reloaded. We will have
* created new signings as part of the reload
* process so we can destroy this one.
*/
goto next_signing;
}
goto next_signing;
/*
* Remove the key we are deleting from consideration.
*/
for (i = 0, j = 0; i < nkeys; i++) {
/*
* Find the key we want to remove.
*/
{
dst_key_free(&zone_keys[i]);
continue;
}
j++;
}
nkeys = j;
}
}
/*
* On the first pass we need to check if the current node
* has not been obscured.
*/
if (first) {
if ((result == DNS_R_DELEGATION ||
result == DNS_R_DNAME) &&
/*
* Remember the obscuring name so that
* we skip all obscured names.
*/
goto next_node;
}
}
/*
* Process one node.
*/
for (i = 0; i < nkeys; i++) {
/*
* Find the keys we want to sign with.
*/
if (!dst_key_isprivate(zone_keys[i]))
continue;
/*
* When adding look for the specific key.
*/
continue;
/*
* When deleting make sure we are properly signed
* with the algorithm that was being removed.
*/
continue;
/*
* Do we do KSK processing?
*/
} else {
}
for (j = 0; j < nkeys; j++) {
if (j == i ||
continue;
continue;
else
if (both)
break;
}
}
else
/*
* If we are adding we are done. Look for other keys
* of the same algorithm if deleting.
*/
break;
}
/*
* Go onto next node.
*/
do {
if (result == ISC_R_NOMORE) {
if (nkeys != 0 && build_nsec) {
/*
* We have finished regenerating the
* zone with a zone signing key.
* The NSEC chain is now complete and
* there is a full set of signatures
* for the zone. We can now clear the
* OPT bit from the NSEC record.
*/
&post_diff);
if (result != ISC_R_SUCCESS) {
"updatesecure -> %s",
goto failure;
}
}
&post_diff);
if (result != ISC_R_SUCCESS) {
"updatesignwithkey -> %s",
goto failure;
}
goto next_signing;
} else if (result != ISC_R_SUCCESS) {
"zone_sign:dns_dbiterator_next -> %s",
goto failure;
} else if (delegation) {
break;
} else
break;
} while (1);
continue;
}
if (result != ISC_R_SUCCESS) {
"update_sigs -> %s",
goto failure;
}
}
/*
* Have we changed anything?
*/
goto pauseall;
}
if (result != ISC_R_SUCCESS) {
"zone_sign:del_sigs -> %s",
goto failure;
}
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
"zone_sign:update_soa_serial -> %s",
goto failure;
}
/*
* Generate maximum life time signatures so that the above loop
* termination is sensible.
*/
if (result != ISC_R_SUCCESS) {
"zone_sign:add_sigs -> %s",
goto failure;
}
/*
* Write changes to journal file.
*/
/*
* Pause all iterators so that dns_db_closeversion() can succeed.
*/
/*
* Everything has succeeded. Commit the changes.
*/
/*
* Everything succeeded so we can clean these up now.
*/
}
if (commit) {
}
/*
* Rollback the cleanup list.
*/
}
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
dns_db_detach(&db);
dns_db_detach(&db);
else
} else
}
static void
case dns_rdatatype_dnskey:
break;
case dns_rdatatype_keydata:
break;
default:
INSIST(0);
}
}
/*
* 'rdset' contains either a DNSKEY rdataset from the zone apex, or
* a KEYDATA rdataset from the key zone.
*
* 'rr' contains either a DNSKEY record, or a KEYDATA record
*
* After normalizing keys to the same format (DNSKEY, with revoke bit
* cleared), return ISC_TRUE if a key that matches 'rr' is found in
* 'rdset', or ISC_FALSE if not.
*/
static isc_boolean_t
result == ISC_R_SUCCESS;
return (ISC_TRUE);
}
return (ISC_FALSE);
}
/*
* Calculate the refresh interval for a keydata zone, per
* RFC5011: MAX(1 hr,
* MIN(15 days,
* 1/2 * OrigTTL,
* 1/2 * RRSigExpirationInterval))
* or for retries: MAX(1 hr,
* MIN(1 day,
* 1/10 * OrigTTL,
* 1/10 * RRSigExpirationInterval))
*/
static inline isc_stdtime_t
isc_uint32_t t;
else
if (result != ISC_R_SUCCESS)
if (!retry) {
if (t > exp)
t = exp;
}
if (t > (15*DAY))
t = (15*DAY);
if (t < HOUR)
t = HOUR;
} else {
if (t > exp)
t = exp;
}
if (t > DAY)
t = DAY;
if (t < HOUR)
t = HOUR;
}
return (now + t);
}
/*
* This routine is called when no changes are needed in a KEYDATA
* record except to simply update the refresh timer. Caller should
* hold zone lock.
*/
static isc_result_t
{
unsigned char key_buf[4096];
result == ISC_R_SUCCESS;
/* Delete old version */
/* Update refresh timer */
/* Insert updated version */
}
return (result);
}
/*
* Verify that DNSKEY set is signed by the key specified in 'keydata'.
*/
static isc_boolean_t
unsigned char key_buf[4096];
/* Generate a key from keydata */
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
/* See if that key generated any of the signatures */
result == ISC_R_SUCCESS;
"Confirm revoked DNSKEY is self-signed: "
if (result == ISC_R_SUCCESS) {
break;
}
}
}
return (answer);
}
/*
* A DNSKEY set has been fetched from the zone apex of a zone whose trust
* anchors are being managed; scan the keyset, and update the key zone and the
* local trust anchors according to RFC5011.
*/
static void
char namebuf[DNS_NAME_FORMATSIZE];
unsigned char key_buf[4096];
int pending = 0;
/* Free resources which are not of interest */
goto cleanup;
zone->refreshkeycount--;
if (alldone)
/* Fetch failed */
if (eresult != ISC_R_SUCCESS ||
"Unable to fetch DNSKEY set "
goto done;
}
/* No RRSIGs found */
"No DNSKEY RRSIGs found for "
goto done;
}
/*
* Validate the dnskeyset against the current trusted keys.
*/
result == ISC_R_SUCCESS;
while (result == ISC_R_SUCCESS) {
break;
"Verifying DNSKEY set for zone "
"'%s': %s", namebuf,
if (result == ISC_R_SUCCESS) {
&keynode);
break;
}
}
}
break;
}
/*
* If we were not able to verify the answer using the current
* trusted keys then all we can do is look at any revoked keys.
*/
/*
* First scan keydataset to find keys that are not in dnskeyset
* - Missing keys which are not scheduled for removal,
* log a warning
* - Missing keys which are scheduled for removal and
* the remove hold-down timer has completed should
* be removed from the key zone
* - Missing keys whose acceptance timers have not yet
* completed, log a warning and reset the acceptance
* timer to 30 days in the future
* - All keys not being removed have their refresh timers
* updated
*/
result == ISC_R_SUCCESS;
/*
* If any keydata record has a nonzero add holddown, then
* there was a pre-existing trust anchor for this domain;
* that means we are *not* initializing it and shouldn't
* automatically trust all the keys we find at the zone apex.
*/
if (!secure) {
"Pending key unexpectedly missing "
"from %s; restarting acceptance "
"timer", namebuf);
"Active key unexpectedly missing "
"from %s", namebuf);
} else {
}
/* Delete old version */
DNS_DIFFOP_DEL, keyname, 0,
&keydatarr));
}
continue;
/* Insert updated version */
DNS_DIFFOP_ADD, keyname, 0,
&keydatarr));
}
}
/*
* Next scan dnskeyset:
* - If new keys are found (i.e., lacking a match in keydataset)
* add them to the key zone and set the acceptance timer
* to 30 days in the future (or to immediately if we've
* determined that we're initializing the zone for the
* first time)
* - Previously-known keys that have been revoked
* must be scheduled for removal from the key zone (or,
* if they hadn't been accepted as trust anchors yet
* anyway, removed at once)
* - Previously-known unrevoked keys whose acceptance timers
* have completed are promoted to trust anchors
* - All keys not being removed have their refresh
* timers updated
*/
result == ISC_R_SUCCESS;
/* Skip ZSK's */
continue;
/*
* Key wasn't trusted yet, and now
* it's been revoked? Just remove it
*/
/* Remove from secroots */
/* If initializing, delete now */
else
/* Scheduled for removal */
}
} else if (revoked) {
"Active key for zone "
"'%s' is revoked but "
"did not self-sign; "
"ignoring.", namebuf);
continue;
}
} else if (secure) {
/*
* Key isn't revoked--but it
* seems it used to be.
* Remove it now and add it
* back as if it were a fresh key.
*/
pending++;
}
} else if (secure) {
/*
* Key wasn't in the key zone but it's
* revoked now anyway, so just skip it
*/
if (revoked)
continue;
/* Key wasn't in the key zone: add it */
if (initializing) {
dns_keytag_t tag = 0;
"Initializing automatic trust "
"anchor management for zone '%s'; "
"DNSKEY ID %d is now trusted, "
"waiving the normal 30-day "
"waiting period.",
}
}
/* Delete old version */
DNS_DIFFOP_DEL, keyname, 0,
&keydatarr));
if (updatekey) {
/* Set refresh timer */
/* Insert updated version */
DNS_DIFFOP_ADD, keyname, 0,
&keydatarr));
} else if (newkey) {
/* Convert DNSKEY to KEYDATA */
NULL);
/* Insert into key zone */
DNS_DIFFOP_ADD, keyname, 0,
&keydatarr));
}
if (trustkey) {
/* Trust this key. */
}
if (!deletekey)
}
/*
* RFC5011 says, "A trust point that has all of its trust anchors
* revoked is considered deleted and is treated as if the trust
* point was never configured." But if someone revoked their
* active key before the standby was trusted, that would mean the
* zone would suddenly be nonsecured. We avoid this by checking to
* see if there's pending keydata. If so, we put a null key in
* the security roots; then all queries to the zone will fail.
*/
if (pending != 0)
done:
/* Write changes to journal file. */
zone->updatemethod));
}
if (free_needed)
}
/*
* Refresh the data in the key zone. Initiate a fetch to get new DNSKEY
* records from the zone apex.
*/
static void
const char me[] = "zone_refreshkeys";
return;
}
result == ISC_R_SUCCESS;
continue;
/*
* Scan the stored keys looking for ones that need
* removal or refreshing
*/
result == ISC_R_SUCCESS;
/* Removal timer expired? */
&rdata));
continue;
}
/* Acceptance timer expired? */
/* Or do we just need to refresh the keyset? */
}
continue;
goto failure;
}
zone->refreshkeycount++;
if (result == ISC_R_SUCCESS)
else {
zone->refreshkeycount--;
"Failed to create fetch for "
"DNSKEY update");
}
}
zone->updatemethod));
}
if (fetch_err) {
/*
* Error during a key fetch; retry in an hour.
*/
char timebuf[80];
timebuf);
if (!fetching)
}
}
dns_db_detach(&db);
}
static void
const char me[] = "zone_maintenance";
/*
*/
return;
/*
* Configuring the view of this zone may have
* failed, for example because the config file
* had a syntax error. In that case, the view
* adb or resolver will be NULL, and we had better not try
* to do further maintenance on it.
*/
return;
/*
* Expire check.
*/
case dns_zone_redirect:
break;
case dns_zone_slave:
case dns_zone_stub:
}
break;
default:
break;
}
/*
* Up to date check.
*/
case dns_zone_redirect:
break;
case dns_zone_slave:
case dns_zone_stub:
break;
default:
break;
}
/*
* Slaves send notifies before backing up to disk, masters after.
*/
/*
* Do we need to consolidate the backing store?
*/
case dns_zone_master:
case dns_zone_slave:
case dns_zone_key:
case dns_zone_redirect:
case dns_zone_stub:
} else
if (!dumping) {
if (result != ISC_R_SUCCESS)
"dump failed: %s",
}
break;
default:
break;
}
/*
*/
case dns_zone_master:
case dns_zone_redirect:
default:
break;
}
/*
* Do we need to refresh keys?
*/
case dns_zone_key:
}
}
break;
case dns_zone_master:
default:
break;
}
case dns_zone_master:
case dns_zone_redirect:
case dns_zone_slave:
/*
*/
/*
* Do we need to issue a key expiry warning?
*/
isc_time_seconds(&now));
break;
default:
break;
}
}
void
if (inline_raw(zone)) {
unsigned int soacount;
} else
}
/* XXXMPA make separate call back */
if (result == ISC_R_SUCCESS)
}
}
void
}
static void
/*
* 'zone' locked by caller.
*/
}
void
unsigned int j;
return;
/*
* Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
* in progress at a time.
*/
if (zone->masterscnt == 0) {
if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
"cannot refresh: no masters");
goto unlock;
}
goto unlock;
/*
* Set the next refresh time as if refresh check has failed.
* Setting this to the retry time will do that. XXXMLG
* If we are successful it will be reset using zone->refresh.
*/
0);
if (result != ISC_R_SUCCESS)
"isc_time_nowplusinterval() failed: %s",
/*
* When lacking user-specified timer values from the SOA,
* do exponential backoff of the retry time up to a
* maximum of six hours.
*/
for (j = 0; j < zone->masterscnt; j++)
/* initiate soa query */
}
} else
if (!dumping)
return (result);
}
if (!dumping)
return (result);
}
static void
const char me[] = "zone_needdump";
/*
* 'zone' locked by caller
*/
/*
* Do we have a place to dump to and are we loaded?
*/
return;
/* add some noise */
}
static void
const char me[] = "dump_done";
/*
* We don't own these, zone->dctx must stay valid.
*/
/*
* If there is a secure version of this zone
* use its serial if it is less than ours.
*/
{
if (mresult == ISC_R_SUCCESS &&
}
/*
* Note: we are task locked here so we can test
* zone->xfr safely.
*/
zone->journalsize);
switch (tresult) {
case ISC_R_SUCCESS:
case ISC_R_NOSPACE:
case ISC_R_NOTFOUND:
"dns_journal_compact: %s",
break;
default:
"dns_journal_compact failed: %s",
break;
}
} else if (tresult == ISC_R_SUCCESS) {
}
}
if (compact)
/*
* Try again in a short while.
*/
} else if (result == ISC_R_SUCCESS &&
} else if (result == ISC_R_SUCCESS)
if (again)
}
static isc_result_t
const char me[] = "zone_dump";
char *masterfile = NULL;
/*
* 'compact' MUST only be set if we are task locked.
*/
redo:
}
goto fail;
}
if (masterfile == NULL) {
goto fail;
}
if (result != ISC_R_SUCCESS)
else
} else {
if (inline_secure(zone))
&rawdata);
}
fail:
dns_db_detach(&db);
if (masterfile != NULL)
masterfile = NULL;
if (result == DNS_R_CONTINUE)
return (ISC_R_SUCCESS); /* XXXMPA */
if (result != ISC_R_SUCCESS) {
/*
* Try again in a short while.
*/
} else
if (again)
goto redo;
return (result);
}
static isc_result_t
{
return (DNS_R_NOTLOADED);
if (rawversion == 0)
else if (inline_secure(zone))
else if (zone->sourceserialset) {
}
dns_db_detach(&db);
return (result);
}
const dns_master_style_t *style,
const isc_uint32_t rawversion)
{
}
const dns_master_style_t *style) {
}
dns_masterformat_text, 0));
}
dns_masterformat_text, 0));
}
void
}
static void
/*
* 'zone' locked by caller.
*/
}
}
static void
/*
* 'zone' locked by caller.
*/
}
}
static void
/*
* 'zone' locked by caller.
*/
}
}
void
}
void
}
void
}
void
}
static isc_boolean_t
continue;
return (ISC_TRUE);
return (ISC_TRUE);
}
return (ISC_FALSE);
}
static isc_boolean_t
return (ISC_FALSE);
switch (isc_sockaddr_pf(dst)) {
case PF_INET:
break;
case PF_INET6:
break;
default:
return (ISC_FALSE);
}
/*
* When sending from any the kernel will assign a source address
* that matches the destination address.
*/
return (ISC_FALSE);
return (isself);
}
static void
/*
* Caller holds zone lock.
*/
if (!locked)
if (!locked)
if (locked)
else
}
}
static isc_result_t
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
/*
* XXXAG should check for DNS_ZONEFLG_EXITING
*/
static void
isc_event_free(&ev);
if (result == DNS_EVENT_ADBMOREADDRESSES) {
return;
}
if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
}
}
static void
unsigned int options;
goto destroy;
/* Something failed? */
if (result != ISC_R_SUCCESS)
goto destroy;
/* More addresses pending? */
return;
/* We have as many addresses as we can get. */
}
static isc_result_t
isc_event_t *e;
notify, sizeof(isc_event_t));
if (e == NULL)
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS)
isc_event_free(&e);
return (result);
}
static void
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
int timeout;
goto cleanup;
}
goto cleanup;
}
/*
* The raw IPv4 address should also exist. Don't send to the
* mapped form.
*/
"notify: ignoring IPv6 mapped IPV4 address: %s",
addrbuf);
goto cleanup;
}
if (result != ISC_R_SUCCESS)
goto cleanup;
/* Transfer ownership of key */
} else {
"NOTIFY to %s not sent. "
"Peer TSIG key lookup failure.", addrbuf);
goto cleanup_message;
}
}
/* XXX: should we log the tsig key too? */
addrbuf);
if (result == ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS)
if (dscp != -1)
}
}
case PF_INET:
if (!have_notifysource)
if (!have_notifydscp)
break;
case PF_INET6:
if (!have_notifysource)
if (!have_notifydscp)
break;
default:
goto cleanup_key;
}
timeout = 15;
timeout = 30;
if (result == ISC_R_SUCCESS) {
} else {
}
}
if (result != ISC_R_SUCCESS)
}
static void
/*
* Zone lock held by caller.
*/
continue;
continue;
&new);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
}
}
void
}
static void
unsigned int i;
unsigned int flags = 0;
return;
if (notifytype == dns_notifytype_no)
return;
if (notifytype == dns_notifytype_masteronly &&
return;
/*
* If the zone is dialup we are done as we don't want to send
* the current soa so as to force a refresh query.
*/
/*
* Get SOA RRset.
*/
return;
if (result != ISC_R_SUCCESS)
goto cleanup1;
if (result != ISC_R_SUCCESS)
goto cleanup2;
/*
* Find serial and master server's name.
*/
if (result != ISC_R_SUCCESS)
goto cleanup3;
if (result != ISC_R_SUCCESS)
goto cleanup3;
/*
* Enqueue notify requests for 'also-notify' servers.
*/
continue;
if (result != ISC_R_SUCCESS)
continue;
if (result == ISC_R_SUCCESS) {
}
}
if (result != ISC_R_SUCCESS)
if (!loggednotify) {
"sending notifies (serial %u)",
serial);
}
}
if (notifytype == dns_notifytype_explicit)
goto cleanup3;
/*
* Process NS RRset to generate notifies.
*/
if (result != ISC_R_SUCCESS)
goto cleanup3;
while (result == ISC_R_SUCCESS) {
/*
* Don't notify the master server unless explicitly
* configured to do so.
*/
continue;
}
if (!loggednotify) {
"sending notifies (serial %u)",
serial);
}
if (isqueued) {
continue;
}
if (result != ISC_R_SUCCESS)
continue;
if (result != ISC_R_SUCCESS) {
continue;
}
}
if (dns_name_dynamic(&master))
}
/***
*** Private
***/
static inline isc_result_t
{
/*
* Extract NS RRset from message.
*/
NULL, &nsrdataset);
if (result != ISC_R_SUCCESS)
goto fail;
/*
* Add NS rdataset.
*/
if (result != ISC_R_SUCCESS)
goto fail;
nsrdataset, 0, NULL);
if (result != ISC_R_SUCCESS)
goto fail;
/*
* Add glue rdatasets.
*/
result == ISC_R_SUCCESS;
continue;
&rdataset);
if (result == ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS)
goto fail;
if (result != ISC_R_SUCCESS)
goto fail;
}
&rdataset);
if (result == ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS)
goto fail;
if (result != ISC_R_SUCCESS)
goto fail;
}
}
if (result != ISC_R_NOMORE)
goto fail;
return (ISC_R_SUCCESS);
fail:
return (result);
}
static void
const char me[] = "stub_callback";
char master[ISC_SOCKADDR_FORMATSIZE];
char source[ISC_SOCKADDR_FORMATSIZE];
unsigned int j, soacount;
goto next_master;
}
"refreshing stub: timeout retrying "
" without EDNS master %s (source %s)",
goto same_master;
}
"could not refresh stub from master %s"
goto next_master;
}
if (result != ISC_R_SUCCESS)
goto next_master;
if (result != ISC_R_SUCCESS)
goto next_master;
/*
* Unexpected rcode.
*/
char rcode[128];
"refreshing stub: rcode (%.*s) retrying "
"without EDNS master %s (source %s)",
goto same_master;
}
"refreshing stub: "
"unexpected rcode (%.*s) from %s (source %s)",
goto next_master;
}
/*
* We need complete messages.
*/
"refreshing stub: truncated TCP "
"response from master %s (source %s)",
goto next_master;
}
goto same_master;
}
/*
* If non-auth log and next master.
*/
"non-authoritative answer from "
goto next_master;
}
/*
* Sanity checks.
*/
if (cnamecnt != 0) {
"refreshing stub: unexpected CNAME response "
goto next_master;
}
if (nscnt == 0) {
"refreshing stub: no NS records in response "
goto next_master;
}
/*
* Save answer.
*/
if (result != ISC_R_SUCCESS) {
"refreshing stub: unable to save NS records "
goto next_master;
}
/*
* Tidy up.
*/
zone->maxrefresh);
}
zone_needdump(zone, 0);
goto free_stub;
/*
* Skip to next failed / untried master.
*/
do {
if (!exiting &&
/*
* Did we get a good answer from all the masters?
*/
for (j = 0; j < zone->masterscnt; j++)
break;
}
} else
if (!done) {
/*
* Find the next failed master.
*/
} else {
goto free_stub;
}
}
goto free_stub;
goto done;
done:
return;
}
/*
* An SOA query has finished (successfully or not).
*/
static void
const char me[] = "refresh_callback";
char master[ISC_SOCKADDR_FORMATSIZE];
char source[ISC_SOCKADDR_FORMATSIZE];
unsigned int j;
/*
* if timeout log and next master;
*/
"refresh: timeout retrying without EDNS "
goto same_master;
}
"refresh: retry limit for "
"master %s exceeded (source %s)",
/* Try with slave with TCP. */
&zone->masteraddr,
&zone->sourceaddr,
&now))
{
goto tcp_transfer;
}
"refresh: skipped tcp fallback "
"as master %s (source %s) is "
"unreachable (cached)",
}
} else
"refresh: failure trying master "
goto next_master;
}
if (result != ISC_R_SUCCESS)
goto next_master;
if (result != ISC_R_SUCCESS) {
"refresh: failure trying master "
goto next_master;
}
/*
* Unexpected rcode.
*/
char rcode[128];
"refresh: rcode (%.*s) retrying without "
"EDNS master %s (source %s)",
goto same_master;
}
"refresh: unexpected rcode (%.*s) from "
/*
*/
goto tcp_transfer;
goto next_master;
}
/*
* If truncated punt to zone transfer which will query again.
*/
"refresh: truncated UDP answer, "
"initiating TCP zone xfer "
"for master %s (source %s)",
goto tcp_transfer;
} else {
"refresh: truncated TCP response "
"from master %s (source %s)",
goto next_master;
}
goto same_master;
}
}
/*
* if non-auth log and next master;
*/
"refresh: non-authoritative answer from "
goto next_master;
}
/*
* There should not be a CNAME record at top of zone.
*/
if (cnamecnt != 0) {
"refresh: CNAME at top of zone "
goto next_master;
}
/*
* if referral log and next master;
*/
"refresh: referral response "
goto next_master;
}
/*
* if nodata log and next master;
*/
"refresh: NODATA response "
goto next_master;
}
/*
* Only one soa at top of zone.
*/
if (soacnt != 1) {
"refresh: answer SOA count (%d) != 1 "
"from master %s (source %s)",
goto next_master;
}
/*
* Extract serial
*/
if (result != ISC_R_SUCCESS) {
"refresh: unable to get SOA record "
goto next_master;
}
if (result != ISC_R_SUCCESS) {
"refresh: dns_rdataset_first() failed");
goto next_master;
}
unsigned int soacount;
NULL);
RUNTIME_CHECK(soacount > 0U);
} else
serial);
{
"refresh: skipping %s as master %s "
"(source %s) is unreachable (cached)",
"zone transfer" : "NS query",
goto next_master;
}
} else {
}
if (result == ISC_R_SUCCESS &&
&now);
} else if (result != ISC_R_SUCCESS)
&now);
/* Someone removed the file from underneath us! */
if (result == ISC_R_FILENOTFOUND) {
} else if (result != ISC_R_SUCCESS)
"refresh: could not set file "
"modification time of '%s': %s",
}
goto next_master;
} else {
"received from master %s < ours (%u)",
else
goto next_master;
}
goto detach;
/*
* Skip to next failed / untried master.
*/
do {
/*
* Did we get a good answer from all the masters?
*/
for (j = 0; j < zone->masterscnt; j++)
break;
}
} else
if (!done) {
/*
* Find the next failed master.
*/
goto requeue;
}
}
goto detach;
}
goto detach;
if (do_queue_xfrin)
return;
}
static void
const char me[] = "queue_soa_query";
isc_event_t *e;
/*
* Locked by caller
*/
return;
}
if (e == NULL) {
return;
}
/*
* Attach so that we won't clean up
* until the event is delivered.
*/
if (result != ISC_R_SUCCESS) {
isc_event_free(&e);
}
}
static inline isc_result_t
{
&message);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Make question.
*/
return (ISC_R_SUCCESS);
return (result);
}
static isc_result_t
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Set Maximum UDP buffer size.
*/
/*
* Set EXTENDED-RCODE, VERSION, DO and Z to 0.
*/
/* Set EDNS options if applicable */
if (reqnsid) {
unsigned char data[4];
isc_buffer_putuint16(&buf, 0);
} else {
}
== ISC_R_SUCCESS);
return (result);
}
static void
const char me[] = "soa_query";
int timeout;
goto cleanup;
}
/*
* XXX Optimisation: Create message when zone is setup and reuse.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* First, look for a tsig key in the master statement, then
* try for a server key.
*/
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
"unable to find key: %s", namebuf);
goto skip_master;
}
}
char addrbuf[ISC_NETADDR_FORMATSIZE];
"unable to find TSIG key for %s", addrbuf);
goto skip_master;
}
}
if (result == ISC_R_SUCCESS) {
&zone->sourceaddr);
if (result == ISC_R_SUCCESS)
if (dscp != -1)
udpsize =
}
}
case PF_INET:
&zone->xfrsource4))
goto skip_master;
if (!have_xfrdscp)
} else if (!have_xfrsource) {
if (!have_xfrdscp)
}
break;
case PF_INET6:
&zone->xfrsource6))
goto skip_master;
if (!have_xfrdscp)
} else if (!have_xfrsource) {
if (!have_xfrdscp)
}
break;
default:
goto cleanup;
}
DNS_REQUESTOPT_TCP : 0;
if (result != ISC_R_SUCCESS)
"unable to add opt record: %s",
}
timeout = 15;
timeout = 30;
if (result != ISC_R_SUCCESS) {
"dns_request_createvia2() failed: %s",
goto cleanup;
} else {
else
}
if (result != ISC_R_SUCCESS)
if (cancel)
return;
/*
* Skip to next failed / untried master.
*/
do {
goto again;
goto cleanup;
}
static void
const char me[] = "ns_query";
int timeout;
goto cleanup;
/*
* Attach so that the zone won't disappear from under us.
*/
/*
* If a db exists we will update it, otherwise we create a
* new one and attach it to the zone once we have the NS
* RRset and glue.
*/
} else {
if (result != ISC_R_SUCCESS) {
"refreshing stub: "
"could not create "
"database: %s",
goto cleanup;
}
}
if (result != ISC_R_SUCCESS) {
"dns_db_newversion() failed: %s",
goto cleanup;
}
/*
* Update SOA record.
*/
&node);
if (result != ISC_R_SUCCESS) {
"dns_db_findnode() failed: %s",
goto cleanup;
}
soardataset, 0, NULL);
if (result != ISC_R_SUCCESS) {
"refreshing stub: "
"dns_db_addrdataset() failed: %s",
goto cleanup;
}
}
/*
* XXX Optimisation: Create message when zone is setup and reuse.
*/
/*
* First, look for a tsig key in the master statement, then
* try for a server key.
*/
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
"unable to find key: %s", namebuf);
}
}
if (result == ISC_R_SUCCESS) {
&zone->sourceaddr);
if (result == ISC_R_SUCCESS)
udpsize =
}
}
if (result != ISC_R_SUCCESS)
"unable to add opt record: %s",
}
/*
* Always use TCP so that we shouldn't truncate in additional section.
*/
case PF_INET:
if (!have_xfrdscp)
} else if (!have_xfrsource) {
if (!have_xfrdscp)
}
break;
case PF_INET6:
if (!have_xfrdscp)
} else if (!have_xfrsource) {
if (!have_xfrdscp)
}
break;
default:
goto cleanup;
}
timeout = 15;
timeout = 30;
if (result != ISC_R_SUCCESS) {
"dns_request_createvia() failed: %s",
goto cleanup;
}
goto unlock;
}
return;
}
/*
* Handle the control event. Note that although this event causes the zone
* to shut down, it is not a shutdown event in the sense of the task library.
*/
static void
/*
* Stop things being restarted after we cancel them below.
*/
/*
* If we were waiting for xfrin quota, step out of
* the queue.
* If there's no zone manager, we can't be waiting for the
* xfrin quota
*/
}
}
/*
* In task context, no locking required. See zone_xfrdone().
*/
if (linked) {
}
}
}
}
/*
* We have now canceled everything set the flag to allow exit_check()
* to succeed. We must not unlock between setting this flag and
* calling exit_check().
*/
if (inline_secure(zone)) {
}
if (inline_raw(zone)) {
}
if (free_needed)
}
static void
const char me[] = "zone_timer";
}
static void
const char me[] = "zone_settimer";
return;
case dns_zone_redirect:
goto treat_as_slave;
/* FALLTHROUGH */
case dns_zone_master:
if (isc_time_isepoch(&next) ||
}
break;
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
break;
case dns_zone_slave:
/* FALLTHROUGH */
case dns_zone_stub:
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
break;
case dns_zone_key:
if (isc_time_isepoch(&next) ||
}
if (isc_time_isepoch(&next) ||
}
break;
default:
break;
}
if (isc_time_isepoch(&next)) {
if (result != ISC_R_SUCCESS)
"could not deactivate zone timer: %s",
} else {
if (result != ISC_R_SUCCESS)
"could not reset zone timer: %s",
}
}
static void
const char me[] = "cancel_refresh";
/*
* 'zone' locked by caller.
*/
}
static isc_result_t
{
isc_region_t r;
isc_buffer_t *b = NULL;
&message);
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Make question.
*/
temprdataset = NULL;
if ((flags & DNS_NOTIFY_NOSOA) != 0)
goto done;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
dns_rdatatype_none, 0, &rdataset,
NULL);
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
dns_rdata_toregion(&rdata, &r);
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
isc_buffer_usedregion(b, &r);
if (result != ISC_R_NOMORE)
goto soa_cleanup;
temprdatalist->covers = 0;
if (result != ISC_R_SUCCESS)
goto soa_cleanup;
temprdataset = NULL;
if (temprdataset != NULL)
if (temprdatalist != NULL)
done:
return (ISC_R_SUCCESS);
if (temprdataset != NULL)
return (result);
}
{
unsigned int i;
char fromtext[ISC_SOCKADDR_FORMATSIZE];
int match = 0;
isc_uint32_t serial = 0;
/*
* If type != T_SOA return DNS_R_NOTIMP. We don't yet support
* ROLLOVER.
*
* SOA: RFC1996
* Check that 'from' is a valid notify source, (zone->masters).
* Return DNS_R_REFUSED if not.
*
* If the notify message contains a serial number check it
* against the zones serial and return if <= current serial
*
* If a refresh check is progress, if so just record the
* fact we received a NOTIFY and from where and return.
* We will perform a new refresh check when the current one
* completes. Return ISC_R_SUCCESS.
*
* Otherwise initiate a refresh check using 'from' as the
* first address to check. Return ISC_R_SUCCESS.
*/
/*
* Notify messages are processed by the raw zone.
*/
if (inline_secure(zone)) {
return (result);
}
/*
* We only handle NOTIFY (SOA) at the present.
*/
else
"NOTIFY with no "
"question section from: %s", fromtext);
return (DNS_R_FORMERR);
}
"NOTIFY zone does not match");
return (DNS_R_NOTIMP);
}
/*
* If we are a master zone just succeed.
*/
return (ISC_R_SUCCESS);
}
for (i = 0; i < zone->masterscnt; i++) {
break;
break;
}
}
/*
* Accept notify requests from non masters if they are on
* 'zone->notify_acl'.
*/
match > 0)
{
/* Accept notify. */
} else if (i >= zone->masterscnt) {
"refused notify from non-master: %s", fromtext);
return (DNS_R_REFUSED);
}
/*
* If the zone is loaded and there are answers check the serial
* to see if we need to do a refresh. Do not worry about this
* check if we are a dialup zone as we use the notify request
* to trigger a refresh check.
*/
&rdataset);
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS) {
unsigned int soacount;
/*
* The following should safely be performed without DB
* lock and succeed in this context.
*/
RUNTIME_CHECK(soacount > 0U);
"notify from %s: "
"zone is up to date",
fromtext);
return (ISC_R_SUCCESS);
}
}
}
/*
* If we got this far and there was a refresh in progress just
* let it complete. Record where we got the notify from so we
* can perform a refresh check when the current one completes
*/
if (have_serial)
"notify from %s: serial %u: refresh in "
"progress, refresh check queued",
else
"notify from %s: refresh in progress, "
"refresh check queued", fromtext);
return (ISC_R_SUCCESS);
}
if (have_serial)
else
fromtext);
return (ISC_R_SUCCESS);
}
void
}
void
}
void
}
void
}
void
}
void
}
return (zone->notify_acl);
}
}
return (zone->queryon_acl);
}
return (zone->update_acl);
}
return (zone->forward_acl);
}
}
void
}
void
}
void
}
void
}
void
}
void
}
return (zone->update_disabled);
}
void
}
return (zone->zero_no_soa_ttl);
}
void
}
void
}
return (zone->check_names);
}
void
}
return (zone->journalsize);
}
static void
/*
* Leave space for terminating '\0'.
*/
if (result != ISC_R_SUCCESS &&
if (isc_buffer_availablelength(&buffer) > 0)
}
}
}
static void
/*
* Leave space for terminating '\0'.
*/
if (result != ISC_R_SUCCESS &&
}
static void
/*
* Leave space for terminating '\0'.
*/
}
static void
/*
* Leave space for terminating '\0'.
*/
< isc_buffer_availablelength(&buffer)) {
} else {
}
}
void
}
static void
char message[4096];
return;
}
void
char message[4096];
return;
}
void
char message[4096];
return;
}
static void
const char *fmt, ...)
{
char message[4096];
const char *zstr;
return;
case dns_zone_key:
zstr = "managed-keys-zone";
break;
case dns_zone_redirect:
zstr = "redirect-zone";
break;
default:
zstr = "zone";
}
message);
}
static int
{
int count = 0;
while (result == ISC_R_SUCCESS) {
count++;
}
}
return (count);
}
void
}
}
void
}
}
}
}
void
}
void
}
void
if (idlein == 0)
}
}
void
}
}
static void
char rcode[128];
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS)
"notify response from %s: %.*s",
else
"notify to %s failed: %s", addrbuf,
/*
* Old bind's return formerr if they see a soa record. Retry w/o
* the soa if we see a formerr and had sent a SOA.
*/
if (result != ISC_R_SUCCESS)
} else {
if (result == ISC_R_TIMEDOUT)
"notify to %s: retries exceeded", addrbuf);
}
}
struct secure_event {
isc_event_t e;
};
static void
}
static isc_result_t
{
int n_soa = 0;
return (DNS_R_UNCHANGED);
result == ISC_R_SUCCESS;
{
n_soa++;
if (n_soa == 2) {
/*
* Save the latest raw SOA record.
*/
soatuplep));
}
if (n_soa == 3)
n_soa = 1;
continue;
}
/* Sanity. */
if (n_soa == 0) {
"corrupt journal file: '%s'\n",
return (ISC_R_FAILURE);
}
if (zone->privatetype != 0 &&
continue;
continue;
&tuple));
}
if (result == ISC_R_NOMORE)
return(result);
}
static isc_result_t
{
if (!seczone->sourceserialset)
return (DNS_R_UNCHANGED);
if (result != ISC_R_SUCCESS)
return (result);
{
{
continue;
}
}
}
}
}
/*
* If the SOA records are the same except for the serial
* remove them from the diff.
*/
}
}
return (DNS_R_UNCHANGED);
/*
* If there are still SOA records in the diff they can now be removed
* saving the new SOA record.
*/
}
}
return (ISC_R_SUCCESS);
}
static void
/*
* zone->db may be NULL if the load from disk failed.
*/
goto failure;
}
/*
* We first attempt to sync the raw zone to the secure zone
* by using the raw zone's journal, applying all the deltas
* from the latest source-serial of the secure zone up to
* the current serial number of the raw zone.
*
* If that fails, then we'll fall back to a direct comparison
* between raw and secure zones.
*/
if (result != ISC_R_SUCCESS)
goto failure;
else {
goto failure;
}
/*
* We read the secure journal first, if that exists
* use its value provided it is greater that from the
* raw journal.
*/
}
}
}
/*
* Try to apply diffs from the raw zone's journal to the secure
* zone. If that fails, we recover by syncing up the databases
* directly.
*/
if (result == DNS_R_UNCHANGED)
goto failure;
else if (result != ISC_R_SUCCESS)
DNS_DIFFOP_DEL, &tuple));
if (newserial == 0)
newserial++;
}
} else
zone->updatemethod));
if (result != ISC_R_SUCCESS)
dns_db_detach(&db);
}
}
static isc_result_t
{
isc_event_t *e;
sizeof(struct secure_event));
if (e == NULL)
return (ISC_R_NOMEMORY);
if (locked)
else
return (ISC_R_SUCCESS);
}
static isc_result_t
{
isc_buffer_t b;
unsigned char buf[DNS_SOA_BUFFERSIZE];
NULL));
/*
* Always bump the serial.
*/
oldserial++;
if (oldserial == 0)
oldserial++;
/*
* Construct a replacement rdataset.
*/
dns_rdatatype_soa, &soa, &b);
temprdatalist.covers = 0;
0, NULL));
}
static void
unsigned int oldserial = 0;
goto unlock;
}
if (result == ISC_R_SUCCESS)
}
if (result != ISC_R_SUCCESS)
goto failure;
if (result != ISC_R_SUCCESS)
goto failure;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
if (result != ISC_R_SUCCESS)
continue;
if (result != ISC_R_SUCCESS)
goto failure;
if (result != ISC_R_SUCCESS)
goto failure;
result == ISC_R_SUCCESS;
continue;
}
} else
0, &rdataset, 0,
NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
}
/*
* Lock hierarchy: zmgr, zone, raw.
*/
if (result != ISC_R_SUCCESS)
dns_db_detach(&db);
}
if (dbiterator != NULL)
}
static isc_result_t
isc_event_t *e;
sizeof(struct secure_event));
if (e == NULL)
return (ISC_R_NOMEMORY);
if (locked)
else
return (ISC_R_SUCCESS);
}
return (result);
}
static isc_result_t
unsigned int soacount = 0;
unsigned int nscount = 0;
/*
* 'zone' and 'zonedb' locked by caller.
*/
if (result != ISC_R_SUCCESS)
return (result);
if (result == ISC_R_SUCCESS) {
if (soacount != 1) {
"has %d SOA records", soacount);
}
}
if (result != ISC_R_SUCCESS)
return (result);
} else {
"retrieving SOA and NS records failed: %s",
return (result);
}
if (result != ISC_R_SUCCESS)
return (result);
/*
* The initial version of a slave zone is always dumped;
* subsequent versions may be journaled instead if this
* is enabled in the configuration.
*/
{
unsigned int soacount;
if (result != ISC_R_SUCCESS) {
"ixfr-from-differences: unable to get "
"new serial");
goto fail;
}
/*
* This is checked in zone_postload() for master zones.
*/
NULL);
RUNTIME_CHECK(soacount > 0U);
"ixfr-from-differences: failed: "
"new serial (%u) out of range [%u - %u]",
goto fail;
}
if (result != ISC_R_SUCCESS)
goto fail;
if (dump)
switch (result) {
case ISC_R_SUCCESS:
case ISC_R_NOSPACE:
case ISC_R_NOTFOUND:
"dns_journal_compact: %s",
break;
default:
"dns_journal_compact failed: %s",
break;
}
}
} else {
/*
* If DNS_ZONEFLG_FORCEXFER was set we don't want
* to keep the old masterfile.
*/
char strbuf[ISC_STRERRORSIZE];
"unable to remove masterfile "
"'%s': '%s'",
}
else
zone_needdump(zone, 0);
}
/*
* The in-memory database just changed, and
* because 'dump' is set, it didn't change by
* being loaded from disk. Also, we have not
* journaled diffs for this change.
* Therefore, the on-disk journal is missing
* the deltas for this change. Since it can
* no longer be used to bring the zone
* up-to-date, it is useless and should be
* removed.
*/
"removing journal file");
char strbuf[ISC_STRERRORSIZE];
"unable to remove journal "
"'%s': '%s'",
}
}
if (inline_raw(zone))
}
return (ISC_R_SUCCESS);
fail:
return (result);
}
/* The caller must hold the dblock as a writer. */
static inline void
"dns_acache_setdb() failed: %s",
}
}
}
/* The caller must hold the dblock as a writer. */
static inline void
}
static void
unsigned int soacount;
unsigned int nscount;
switch (result) {
case ISC_R_SUCCESS:
/*FALLTHROUGH*/
case DNS_R_UPTODATE:
/*
* Has the zone expired underneath us?
*/
goto same_master;
}
/*
* Update the zone structure's data from the actual
* SOA received.
*/
nscount = 0;
soacount = 0;
if (result == ISC_R_SUCCESS) {
if (soacount != 1)
"transferred zone "
"has %d SOA record%s", soacount,
if (nscount == 0) {
"transferred zone "
"has no NS records");
if (DNS_ZONE_FLAG(zone,
}
goto next_master;
}
zone->maxrefresh);
}
/*
*/
&zone->expiretime);
} else {
&zone->refreshtime);
&zone->expiretime);
}
char namebuf[DNS_NAME_FORMATSIZE];
sizeof(namebuf));
namebuf);
} else
buf[0] = '\0';
"transferred serial %u%s",
if (inline_raw(zone))
}
/*
* This is not necessary if we just performed a AXFR
* however it is necessary for an IXFR / UPTODATE and
* won't hurt with an AXFR.
*/
unsigned int delay = DNS_DUMP_DELAY;
if (result != ISC_R_SUCCESS &&
&now);
delay = 0;
if ((result == ISC_R_SUCCESS ||
result == ISC_R_FILENOTFOUND) &&
else if (result != ISC_R_SUCCESS)
"transfer: could not set file "
"modification time of '%s': %s",
}
break;
case DNS_R_BADIXFR:
/* Force retry with AXFR. */
goto same_master;
default:
/*
* Skip to next failed / untried master.
*/
do {
/* FALLTHROUGH */
} else
} else {
}
break;
}
/*
* If creating the transfer object failed, zone->xfr is NULL.
* Otherwise, we are called as the done callback of a zone
* transfer object that just entered its shutting-down
* state. Since we are no longer responsible for shutting
* it down, we can detach our reference.
*/
/*
* Handle any deferred journal compaction.
*/
zone->journalsize);
switch (result) {
case ISC_R_SUCCESS:
case ISC_R_NOSPACE:
case ISC_R_NOTFOUND:
"dns_journal_compact: %s",
break;
default:
"dns_journal_compact failed: %s",
break;
}
}
/*
* This transfer finishing freed up a transfer quota slot.
* Let any other zones waiting for quota have it.
*/
/*
* Retry with a different server if necessary.
*/
if (free_needed)
}
static void
static char me[] = "zone_loaddone";
if (tresult != ISC_R_SUCCESS &&
/*
* Lock hierarchy: zmgr, zone, raw.
*/
if (inline_secure(zone))
/*
* Leave the zone frozen if the reload fails.
*/
if (inline_secure(zone))
}
void
}
void
}
void
}
return (zone->sigvalidityinterval);
}
void
}
return (zone->sigresigninginterval);
}
static void
const char me[] = "queue_xfrin";
if (result == ISC_R_QUOTA) {
"zone transfer deferred due to quota");
} else if (result != ISC_R_SUCCESS) {
"starting zone transfer: %s",
}
}
/*
* This event callback is called when a zone has received
* any necessary zone transfer quota. This is the time
* to go ahead and start the transfer.
*/
static void
char master[ISC_SOCKADDR_FORMATSIZE];
char source[ISC_SOCKADDR_FORMATSIZE];
const char *soa_before = "";
goto cleanup;
}
{
"got_transfer_quota: skipping zone transfer as "
"master %s (source %s) is unreachable (cached)",
goto cleanup;
}
soa_before = "SOA before ";
/*
* Decide whether we should request IXFR or AXFR.
*/
if (!loaded) {
"no database exists yet, requesting AXFR of "
"initial version from %s", master);
"forced reload, requesting AXFR of "
"initial version from %s", master);
"retrying with AXFR from %s due to "
"previous IXFR failure", master);
} else {
"IXFR disabled, requesting %sAXFR from %s",
soa_before, master);
else
} else {
"requesting IXFR from %s", master);
}
}
/*
* Determine if we should attempt to sign the request with TSIG.
*/
/*
* First, look for a tsig key in the master statement, then
* try for a server key.
*/
}
"could not get TSIG key for zone transfer: %s",
}
switch (isc_sockaddr_pf(&masteraddr)) {
case PF_INET:
if (dscp == -1)
break;
case PF_INET6:
if (dscp == -1)
break;
default:
INSIST(0);
};
if (result == ISC_R_SUCCESS) {
if (xfrtype == dns_rdatatype_axfr) {
else
} else if (xfrtype == dns_rdatatype_ixfr) {
else
}
}
/*
* Any failure in this function is handled like a failed
* zone transfer. This ensures that we get removed from
* zmgr->xfrin_in_progress.
*/
if (result != ISC_R_SUCCESS)
}
/*
* Update forwarding support.
*/
static void
}
}
static isc_result_t
return (ISC_R_CANCELED);
}
return (ISC_R_NOMORE);
}
/*
* Always use TCP regardless of whether the original update
* used TCP.
* XXX The timeout may but a bit small if we are far down a
* transfer graph and the master has to try several masters.
*/
case PF_INET:
break;
case PF_INET6:
break;
default:
goto unlock;
}
if (result == ISC_R_SUCCESS) {
}
return (result);
}
static void
const char me[] = "forward_callback";
char master[ISC_SOCKADDR_FORMATSIZE];
"could not forward dynamic update to %s: %s",
goto next_master;
}
if (result != ISC_R_SUCCESS)
goto next_master;
if (result != ISC_R_SUCCESS)
goto next_master;
/*
* Pass these rcodes back to client.
*/
case dns_rcode_noerror:
case dns_rcode_yxdomain:
case dns_rcode_yxrrset:
case dns_rcode_nxrrset:
case dns_rcode_refused:
case dns_rcode_nxdomain: {
char rcode[128];
"forwarded dynamic update: "
"master %s returned: %.*s",
break;
}
case dns_rcode_notzone:
case dns_rcode_notauth: {
char rcode[128];
"forwarding dynamic update: "
"unexpected response: master %s returned: %.*s",
goto next_master;
}
/* Try another server for these rcodes. */
case dns_rcode_formerr:
case dns_rcode_servfail:
case dns_rcode_notimp:
case dns_rcode_badvers:
default:
goto next_master;
}
/* call callback */
return;
if (result != ISC_R_SUCCESS) {
/* call callback */
"exhausted dynamic update forwarder list");
}
}
{
return (ISC_R_NOMEMORY);
goto cleanup;
}
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
}
return (result);
}
return (ISC_R_NOMORE);
else
return (ISC_R_SUCCESS);
}
return (ISC_R_NOMORE);
else
return (ISC_R_SUCCESS);
}
/***
*** Zone manager.
***/
{
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS)
goto free_mem;
/* Unreachable lock. */
if (result != ISC_R_SUCCESS)
goto free_rwlock;
/* Create a single task for queueing of SOA queries. */
if (result != ISC_R_SUCCESS)
goto free_urlock;
if (result != ISC_R_SUCCESS)
goto free_task;
/* default to 20 refresh queries / notifies per second. */
if (result != ISC_R_SUCCESS)
goto free_rl;
return (ISC_R_SUCCESS);
#if 0
#endif
return (result);
}
void *item;
return (ISC_R_FAILURE);
return (ISC_R_FAILURE);
if (result == ISC_R_SUCCESS)
return (result);
}
return (ISC_R_FAILURE);
/*
* Set the task name. The tag will arbitrarily point to one
* of the zones sharing the task (in practice, the one
* to be managed last).
*/
if (result != ISC_R_SUCCESS)
goto cleanup_tasks;
/*
* The timer "holds" a iref.
*/
goto unlock;
return (result);
}
void
if (free_now)
}
void
}
void
if (free_now)
}
dns_zone_t *p;
p != NULL;
p = ISC_LIST_NEXT(p, link))
{
}
/*
* Recent configuration changes may have increased the
* amount of available transfers quota. Make sure any
* transfers currently blocked on quota get started if
* possible.
*/
return (ISC_R_SUCCESS);
}
void
}
void
{
}
}
static isc_result_t
if (result != ISC_R_SUCCESS)
return (result);
return (ISC_R_SUCCESS);
}
static void
}
#define ZONES_PER_TASK 100
#define ZONES_PER_MCTX 1000
/*
* For anything fewer than 1000 zones we use 10 tasks in
* the task pools. More than that, and we'll scale at one
* task per 100 zones. Similarly, for anything smaller than
* 2000 zones we use 2 memory contexts, then scale at 1:1000.
*/
if (ntasks < 10)
ntasks = 10;
if (nmctx < 2)
nmctx = 2;
/* Create or resize the zone task pools. */
else
if (result == ISC_R_SUCCESS)
else
if (result == ISC_R_SUCCESS)
/*
* We always set all tasks in the zone-load task pool to
* privileged. This prevents other tasks in the system from
* running while the server task manager is in privileged
* mode.
*
* NOTE: If we start using task privileges for any other
* part of the system than zone tasks, then this will need to be
* revisted. In that case we'd want to turn on privileges for
* zone tasks only when we were loading, and turn them off the
* rest of the time. For now, however, it's okay to just
* set it and forget it.
*/
/* Create or resize the zone memory context pool. */
else
if (result == ISC_R_SUCCESS)
return (result);
}
static void
}
void
}
return (zmgr->transfersin);
}
void
}
return (zmgr->transfersperns);
}
/*
* Try to start a new incoming zone transfer to fill a quota
* slot that was just vacated.
*
* Requires:
* The zone manager is locked by the caller.
*/
static void
{
if (result == ISC_R_SUCCESS) {
if (multi)
continue;
/*
* We successfully filled the slot. We're done.
*/
break;
} else if (result == ISC_R_QUOTA) {
/*
* Not enough quota. This is probably the per-server
* quota, because we usually get called when a unit of
* global quota has just been freed. Try the next
* zone, it may succeed if it uses another master.
*/
continue;
} else {
"starting zone transfer: %s",
break;
}
}
}
/*
* Try to start an incoming zone transfer for 'zone', quota permitting.
*
* Requires:
* The zone manager is locked by the caller.
*
* Returns:
* ISC_R_SUCCESS There was enough quota and we attempted to
* start a transfer. zone_xfrdone() has been or will
* be called.
* ISC_R_QUOTA Not enough quota.
* Others Failure.
*/
static isc_result_t
dns_zone_t *x;
isc_event_t *e;
/*
* If we are exiting just pretend we got quota so the zone will
* be cleaned up in the zone's task context.
*/
goto gotquota;
}
/*
* Find any configured information about the server we'd
* like to transfer this zone from.
*/
/*
* Determine the total maximum number of simultaneous
* transfers allowed, and the maximum for this specific
* master.
*/
/*
* Count the total number of transfers that are in progress,
* and the number of transfers in progress from this master.
* We linearly scan a list of all transfers; if this turns
* out to be too slow, we could hash on the master address.
*/
nxfrsin = nxfrsperns = 0;
x != NULL;
x = ISC_LIST_NEXT(x, statelink))
{
LOCK_ZONE(x);
UNLOCK_ZONE(x);
nxfrsin++;
nxfrsperns++;
}
/* Enforce quota. */
if (nxfrsin >= maxtransfersin)
return (ISC_R_QUOTA);
if (nxfrsperns >= maxtransfersperns)
return (ISC_R_QUOTA);
/*
* We have sufficient quota. Move the zone to the "xfrin_in_progress"
* list and send it an event to let it start the actual transfer in the
* context of its own task.
*/
if (e == NULL)
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
void
}
}
/*
* Get permission to request a file handle from the OS.
* An event will be sent to action when one is available.
* There are two queues available (high and low), the high
* queue will be serviced before the low one.
*
* zonemgr_putio() must be called after the event is delivered to
* 'action'.
*/
static isc_result_t
{
return (ISC_R_NOMEMORY);
return (ISC_R_NOMEMORY);
}
if (queue) {
else
}
if (!queue)
return (ISC_R_SUCCESS);
}
static void
else
}
}
static void
/*
* If we are queued to be run then dequeue.
*/
else
}
if (send_event) {
}
}
static void
char *buf;
int buflen;
return;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
"renaming file to '%s' for failure analysis and "
}
#if 0
/* Hook for ondestroy notification from a database. */
static void
"database (%p) destroyed", (void*) db);
}
#endif
void
isc_uint32_t s, ns;
if (value == 0)
value = 1;
if (value == 1) {
s = 1;
ns = 0;
pertic = 1;
} else if (value <= 10) {
s = 0;
pertic = 1;
} else {
s = 0;
pertic = 10;
}
}
unsigned int
return (zmgr->serialqueryrate);
}
{
unsigned int i;
for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
if (result == ISC_R_SUCCESS) {
}
break;
}
}
return (ISC_TF(i < UNREACH_CHACHE_SIZE));
}
void
{
unsigned int i;
char master[ISC_SOCKADDR_FORMATSIZE];
char source[ISC_SOCKADDR_FORMATSIZE];
for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
break;
if (result == ISC_R_SUCCESS) {
"master %s (source %s) deleted "
"from unreachable cache",
}
break;
}
}
}
void
{
for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
/* Existing entry? */
break;
/* Empty slot? */
slot = i;
/* Least recently used slot? */
oldest = i;
}
}
if (i < UNREACH_CHACHE_SIZE) {
/*
* Found a existing entry. Update the expire timer and
* last usage timestamps.
*/
} else if (slot != UNREACH_CHACHE_SIZE) {
/*
* Found a empty slot. Add a new entry to the cache.
*/
} else {
/*
* Replace the least recently used entry in the cache.
*/
}
}
void
return;
}
}
/*
* This function is obsoleted.
*/
return (ISC_R_NOTIMPLEMENTED);
}
/*
* This function is obsoleted.
*/
return (NULL);
}
void
}
void
}
}
}
void
}
}
}
/*
* We don't lock zone for efficiency reason. This is not catastrophic
* because requeststats must always be valid when requeststats_on is
* true.
* Some counters may be incremented while requeststats_on is becoming
* false, or some cannot be incremented just after the statistics are
* installed, but it shouldn't matter much in practice.
*/
if (zone->requeststats_on)
return (zone->requeststats);
else
return (NULL);
}
/*
* Return the received query stats bucket
* see note from dns_zone_getrequeststats()
*/
if (zone->requeststats_on)
return (zone->rcvquerystats);
else
return (NULL);
}
void
"notify = %d, refresh = %d",
}
void
switch (dialup) {
case dns_dialuptype_no:
break;
case dns_dialuptype_yes:
break;
case dns_dialuptype_notify:
break;
break;
case dns_dialuptype_refresh:
break;
case dns_dialuptype_passive:
break;
default:
INSIST(0);
}
}
return (result);
}
const char *
return (zone->keydirectory);
}
unsigned int
unsigned int count = 0;
switch (state) {
count++;
break;
count++;
break;
case DNS_ZONESTATE_SOAQUERY:
count++;
break;
case DNS_ZONESTATE_ANY:
continue;
count++;
}
break;
default:
INSIST(0);
}
return (count);
}
char namebuf[DNS_NAME_FORMATSIZE];
char namebuf2[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
int level = ISC_LOG_WARNING;
return (ISC_R_SUCCESS);
}
if (!ok) {
if (fail)
return (DNS_R_BADOWNERNAME);
}
if (!ok) {
if (fail)
return (DNS_R_BADNAME);
}
return (ISC_R_SUCCESS);
}
void
}
void
}
void
}
void
}
void
}
return (zone->notifydelay);
}
{
"dns_zone_signwithkey(algorithm=%u, keyid=%u)",
return (result);
}
static const char *hex = "0123456789ABCDEF";
unsigned int i, j;
if (nsec3param->salt_length != 0) {
for (i = 0, j = 0; i < nsec3param->salt_length; i++) {
}
salt[j] = '\0';
} else
"dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
salt);
return (result);
}
void
if (nodes == 0)
nodes = 1;
}
void
/*
* We treat signatures as a signed value so explicitly
* limit its range here.
*/
if (signatures > ISC_INT32_MAX)
else if (signatures == 0)
signatures = 1;
}
void
}
return (zone->privatetype);
}
static isc_result_t
{
return (ISC_R_NOMEMORY);
goto cleanup;
}
else
goto cleanup;
}
}
&signing->dbiterator);
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS) {
}
}
}
dns_db_detach(&db);
return (result);
}
static void
}
static void
while (!ISC_LIST_EMPTY(*list)) {
}
}
/* Called once; *timep should be set to the current time. */
static isc_result_t
int i;
for (i = 0; i <= DST_MAX_TIMES; i++) {
}
if (then != 0) {
return (ISC_R_SUCCESS);
}
return (ISC_R_NOTFOUND);
}
static isc_result_t
{
else
if (result == ISC_R_NOTFOUND) {
goto failure;
}
result == ISC_R_SUCCESS;
break;
}
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_NOMORE) {
}
return (result);
}
/*
* Add records to signal the state of signing or of key removal.
*/
static isc_result_t
{
isc_region_t r;
unsigned char buf[5];
continue;
continue;
buf[4] = 0;
if (flag)
continue;
}
/*
* Remove any record which says this operation has already
* completed.
*/
if (flag) {
}
}
return (result);
}
static isc_result_t
{
unsigned int nkeys = 0, i;
if (result != ISC_R_SUCCESS) {
"sign_apex:find_zone_keys -> %s",
return (result);
}
/*
* See if update_sigs will update DNSKEY signature and if not
* cause them to sign so that so that newly activated keys
* are used.
*/
break;
}
if (result != ISC_R_SUCCESS) {
"sign_apex:del_sigs -> %s",
goto failure;
}
if (result != ISC_R_SUCCESS) {
"sign_apex:add_sigs -> %s",
goto failure;
}
}
if (result != ISC_R_SUCCESS) {
"sign_apex:update_sigs -> %s",
goto failure;
}
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
return (result);
}
/*
* Prevent the zone entering a inconsistent state where
* NSEC only DNSKEYs are present with NSEC3 chains.
* See update.c:check_dnssec()
*/
static isc_boolean_t
{
/* Scan the tuples for an NSEC-only DNSKEY */
continue;
break;
}
}
/* Check existing DB for NSEC-only DNSKEY */
if (!nseconly) {
if (result == ISC_R_NOTFOUND)
}
/* Check existing DB for NSEC3 */
if (!nsec3)
privatetype, &nsec3));
/* Refuse to allow NSEC3 with NSEC-only keys */
"NSEC only DNSKEYs and NSEC3 chains not allowed");
goto failure;
}
return (ISC_TRUE);
return (ISC_FALSE);
}
static isc_result_t
{
if (result != ISC_R_NOTFOUND)
goto failure;
return (result);
}
/*
* Given an RRSIG rdataset and an algorithm, determine whether there
* are any signatures using that algorithm.
*/
static isc_boolean_t
return (ISC_FALSE);
}
result == ISC_R_SUCCESS;
{
return (ISC_TRUE);
}
return (ISC_FALSE);
}
static isc_result_t
{
&build_nsec3));
if (build_nsec3)
return (result);
}
static void
const char *dir;
char timebuf[80];
/* Get the SOA record's TTL */
/* Get the DNSKEY rdataset */
if (result == ISC_R_SUCCESS) {
&dnskeys));
} else if (result != ISC_R_NOTFOUND)
goto failure;
/*
* True when called from "rndc sign". Indicates the zone should be
* fully signed now.
*/
if (result == ISC_R_SUCCESS) {
/* Keys couldn't be updated for some reason;
* try again later. */
if (result != ISC_R_SUCCESS) {
"couldn't update zone keys: %s",
goto failure;
}
/*
* See if any pre-existing keys have newly become active;
* also, see if any new key is for a new algorithm, as in that
* event, we need to sign the zone fully. (If there's a new
* key, but it's for an already-existing algorithm, then
* the zone signing can be handled incrementally.)
*/
if (!key->first_sign)
continue;
if (!dns_rdataset_isassociated(&keysigs)) {
break;
}
/*
* This isn't a new algorithm; clear
* first_sign so we won't sign the
* whole zone with this key later
*/
} else {
break;
}
}
zone->updatemethod));
"zone_rekey"));
}
}
if (commit) {
/* Remove any signatures from removed keys. */
if (!ISC_LIST_EMPTY(rmkeys)) {
ISC_TRUE);
if (result != ISC_R_SUCCESS) {
"zone_signwithkey failed: %s",
}
}
}
if (fullsign) {
/*
* "rndc sign" was called, so we now sign the zone
* with all active keys, whether they're new or not.
*/
continue;
if (result != ISC_R_SUCCESS) {
"zone_signwithkey failed: %s",
}
}
} else if (newalg) {
/*
* We haven't been told to sign fully, but a new
* algorithm was added to the DNSKEY. We sign
* the full zone, but only with newly active
* keys.
*/
if (!key->first_sign)
continue;
if (result != ISC_R_SUCCESS) {
"zone_signwithkey failed: %s",
}
}
}
/*
* Clear fullsign flag, if it was set, so we don't do
* another full signing next time
*/
/*
* deferred NSEC3PARAM changes.
*/
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
continue;
continue;
if (nsec3param.flags == 0)
continue;
if (result != ISC_R_SUCCESS) {
"zone_addnsec3chain failed: %s",
}
}
/*
* Activate any NSEC3 chain updates that may have
* been scheduled before this rekey.
*/
/*
* Schedule the next resigning event
*/
}
/*
* If we're doing key maintenance, set the key refresh timer to
* the next scheduled key event or to 'dnssec-loadkeys-interval'
* seconds in the future, whichever is sooner.
*/
&timethen);
if (result != ISC_R_SUCCESS)
continue;
if (isc_time_compare(&timethen,
&zone->refreshkeytime) < 0) {
}
}
}
done:
if (dns_rdataset_isassociated(&keyset))
if (dns_rdataset_isassociated(&keysigs))
if (dns_rdataset_isassociated(&soasigs))
dns_db_detach(&db);
return;
/*
* Something went wrong; try again in ten minutes or
* after a key refresh interval, whichever is shorter.
*/
goto done;
}
void
if (fullsign)
}
}
unsigned int *errors)
{
if (result != ISC_R_SUCCESS)
return (result);
return (result);
}
void
}
}
{
/*
* Lock hierarchy: zmgr, zone, raw.
*/
if (inline_secure(zone))
if (inline_secure(zone))
return result;
}
if (interval == 0)
return (ISC_R_RANGE);
/* Maximum value: 24 hours (3600 minutes) */
/* Multiply by 60 for seconds */
return (ISC_R_SUCCESS);
}
void
}
return (zone->requestixfr);
}
void
}
return(zone->updatemethod);
}
/*
* Lock hierarchy: zmgr, zone, raw.
*/
/*
* Lock hierarchy: zmgr, zone, raw.
*/
if (result != ISC_R_SUCCESS)
goto unlock;
/*
* The timer "holds" a iref.
*/
/* dns_zone_attach(raw, &zone->raw); */
/* dns_zone_iattach(zone, &raw->secure); */
return (result);
}
void
}
struct keydone {
unsigned char data[5];
};
static void
const char *me = "keydone";
if (result != ISC_R_SUCCESS) {
"keydone:dns_db_newversion -> %s",
goto failure;
}
}
goto failure;
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_NOTFOUND) {
goto failure;
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
result == ISC_R_SUCCESS;
}
if (found)
&rdata));
}
/* Write changes to journal file. */
zone->updatemethod));
if (!clear_pending)
}
dns_db_detach(&db);
}
}
isc_event_t *e;
isc_buffer_t b;
if (e == NULL) {
goto failure;
}
else {
char *algstr;
size_t n;
if (n == 0U)
algstr++;
else
if (n == 0U) {
}
/* construct a private-type rdata */
isc_buffer_putuint8(&b, alg);
isc_buffer_putuint8(&b, 0);
isc_buffer_putuint8(&b, 1);
}
if (e != NULL)
isc_event_free(&e);
return (result);
}
struct nsec3param {
unsigned int length;
};
static void
const char *me = "setnsec3param";
if (result != ISC_R_SUCCESS) {
"setnsec3param:dns_db_newversion -> %s",
goto failure;
}
}
goto failure;
/*
* Does a private-type record already exist for this chain?
*/
if (result == ISC_R_SUCCESS) {
result == ISC_R_SUCCESS;
break;
}
}
} else if (result != ISC_R_NOTFOUND) {
goto failure;
}
/*
* Does the chain already exist?
*/
if (result == ISC_R_SUCCESS) {
result == ISC_R_SUCCESS;
{
break;
}
}
} else if (result != ISC_R_NOTFOUND) {
goto failure;
}
/*
* We need to remove any existing NSEC3 chains.
*/
/*
* We're creating an NSEC3 chain.
*
* If the zone is not currently capable of supporting
* an NSEC3 chain, add the INITIAL flag, so these
* parameters can be used later when NSEC3 becomes
* available.
*/
}
/* Write changes to journal file. */
zone->updatemethod));
if (result != ISC_R_NOTFOUND)
}
dns_db_detach(&db);
if (commit)
}
{
unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
struct nsec3param *np;
isc_buffer_t b;
isc_event_t *e;
if (e == NULL) {
goto failure;
}
np = (struct nsec3param *) e;
if (hash == 0) {
} else {
¶m, &b));
}
if (e != NULL)
isc_event_free(&e);
return (result);
}
return (ISC_R_SUCCESS);
}
return (ISC_R_SUCCESS);
}
return (ISC_R_SUCCESS);
}
return (ISC_R_SUCCESS);
}
unsigned int
dns_include_t *include;
unsigned int n = 0;
goto done;
goto done;
include != NULL;
include = ISC_LIST_NEXT(include, link)) {
}
done:
return (n);
}
void
}
}