/contrib/bind9/lib/dns/zone.c
C | 14592 lines | 11254 code | 1786 blank | 1552 comment | 3275 complexity | d13f256320707749935465f4f1a2a4ac MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
- /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
- /* $Id$ */
- /*! \file */
- #include <config.h>
- #include <errno.h>
- #include <isc/file.h>
- #include <isc/mutex.h>
- #include <isc/print.h>
- #include <isc/random.h>
- #include <isc/ratelimiter.h>
- #include <isc/refcount.h>
- #include <isc/rwlock.h>
- #include <isc/serial.h>
- #include <isc/strerror.h>
- #include <isc/stats.h>
- #include <isc/stdtime.h>
- #include <isc/string.h>
- #include <isc/taskpool.h>
- #include <isc/timer.h>
- #include <isc/util.h>
- #include <dns/acache.h>
- #include <dns/acl.h>
- #include <dns/adb.h>
- #include <dns/callbacks.h>
- #include <dns/db.h>
- #include <dns/dbiterator.h>
- #include <dns/dnssec.h>
- #include <dns/events.h>
- #include <dns/journal.h>
- #include <dns/keydata.h>
- #include <dns/keytable.h>
- #include <dns/keyvalues.h>
- #include <dns/log.h>
- #include <dns/master.h>
- #include <dns/masterdump.h>
- #include <dns/message.h>
- #include <dns/name.h>
- #include <dns/nsec.h>
- #include <dns/nsec3.h>
- #include <dns/peer.h>
- #include <dns/private.h>
- #include <dns/rbt.h>
- #include <dns/rcode.h>
- #include <dns/rdataclass.h>
- #include <dns/rdatalist.h>
- #include <dns/rdataset.h>
- #include <dns/rdatasetiter.h>
- #include <dns/rdatastruct.h>
- #include <dns/rdatatype.h>
- #include <dns/request.h>
- #include <dns/resolver.h>
- #include <dns/result.h>
- #include <dns/rriterator.h>
- #include <dns/soa.h>
- #include <dns/ssu.h>
- #include <dns/stats.h>
- #include <dns/time.h>
- #include <dns/tsig.h>
- #include <dns/xfrin.h>
- #include <dns/zone.h>
- #include <dst/dst.h>
- #define ZONE_MAGIC ISC_MAGIC('Z', 'O', 'N', 'E')
- #define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
- #define NOTIFY_MAGIC ISC_MAGIC('N', 't', 'f', 'y')
- #define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
- #define STUB_MAGIC ISC_MAGIC('S', 't', 'u', 'b')
- #define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)
- #define ZONEMGR_MAGIC ISC_MAGIC('Z', 'm', 'g', 'r')
- #define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
- #define LOAD_MAGIC ISC_MAGIC('L', 'o', 'a', 'd')
- #define DNS_LOAD_VALID(load) ISC_MAGIC_VALID(load, LOAD_MAGIC)
- #define FORWARD_MAGIC ISC_MAGIC('F', 'o', 'r', 'w')
- #define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)
- #define IO_MAGIC ISC_MAGIC('Z', 'm', 'I', 'O')
- #define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)
- /*%
- * Ensure 'a' is at least 'min' but not more than 'max'.
- */
- #define RANGE(a, min, max) \
- (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
- #define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
- /*%
- * Key flags
- */
- #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
- #define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
- #define ALG(x) dst_key_alg(x)
- /*
- * Default values.
- */
- #define DNS_DEFAULT_IDLEIN 3600 /*%< 1 hour */
- #define DNS_DEFAULT_IDLEOUT 3600 /*%< 1 hour */
- #define MAX_XFER_TIME (2*3600) /*%< Documented default is 2 hours */
- #define RESIGN_DELAY 3600 /*%< 1 hour */
- #ifndef DNS_MAX_EXPIRE
- #define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
- #endif
- #ifndef DNS_DUMP_DELAY
- #define DNS_DUMP_DELAY 900 /*%< 15 minutes */
- #endif
- typedef struct dns_notify dns_notify_t;
- typedef struct dns_stub dns_stub_t;
- typedef struct dns_load dns_load_t;
- typedef struct dns_forward dns_forward_t;
- typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
- typedef struct dns_io dns_io_t;
- typedef ISC_LIST(dns_io_t) dns_iolist_t;
- typedef struct dns_signing dns_signing_t;
- typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
- typedef struct dns_nsec3chain dns_nsec3chain_t;
- typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
- typedef struct dns_keyfetch dns_keyfetch_t;
- #define DNS_ZONE_CHECKLOCK
- #ifdef DNS_ZONE_CHECKLOCK
- #define LOCK_ZONE(z) \
- do { LOCK(&(z)->lock); \
- INSIST((z)->locked == ISC_FALSE); \
- (z)->locked = ISC_TRUE; \
- } while (0)
- #define UNLOCK_ZONE(z) \
- do { (z)->locked = ISC_FALSE; UNLOCK(&(z)->lock); } while (0)
- #define LOCKED_ZONE(z) ((z)->locked)
- #else
- #define LOCK_ZONE(z) LOCK(&(z)->lock)
- #define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
- #define LOCKED_ZONE(z) ISC_TRUE
- #endif
- #ifdef ISC_RWLOCK_USEATOMIC
- #define ZONEDB_INITLOCK(l) isc_rwlock_init((l), 0, 0)
- #define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
- #define ZONEDB_LOCK(l, t) RWLOCK((l), (t))
- #define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t))
- #else
- #define ZONEDB_INITLOCK(l) isc_mutex_init(l)
- #define ZONEDB_DESTROYLOCK(l) DESTROYLOCK(l)
- #define ZONEDB_LOCK(l, t) LOCK(l)
- #define ZONEDB_UNLOCK(l, t) UNLOCK(l)
- #endif
- struct dns_zone {
- /* Unlocked */
- unsigned int magic;
- isc_mutex_t lock;
- #ifdef DNS_ZONE_CHECKLOCK
- isc_boolean_t locked;
- #endif
- isc_mem_t *mctx;
- isc_refcount_t erefs;
- #ifdef ISC_RWLOCK_USEATOMIC
- isc_rwlock_t dblock;
- #else
- isc_mutex_t dblock;
- #endif
- dns_db_t *db; /* Locked by dblock */
- /* Locked */
- dns_zonemgr_t *zmgr;
- ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
- isc_timer_t *timer;
- unsigned int irefs;
- dns_name_t origin;
- char *masterfile;
- dns_masterformat_t masterformat;
- char *journal;
- isc_int32_t journalsize;
- dns_rdataclass_t rdclass;
- dns_zonetype_t type;
- unsigned int flags;
- unsigned int options;
- unsigned int db_argc;
- char **db_argv;
- isc_time_t expiretime;
- isc_time_t refreshtime;
- isc_time_t dumptime;
- isc_time_t loadtime;
- isc_time_t notifytime;
- isc_time_t resigntime;
- isc_time_t keywarntime;
- isc_time_t signingtime;
- isc_time_t nsec3chaintime;
- isc_time_t refreshkeytime;
- isc_uint32_t refreshkeycount;
- isc_uint32_t refresh;
- isc_uint32_t retry;
- isc_uint32_t expire;
- isc_uint32_t minimum;
- isc_stdtime_t key_expiry;
- isc_stdtime_t log_key_expired_timer;
- char *keydirectory;
- isc_uint32_t maxrefresh;
- isc_uint32_t minrefresh;
- isc_uint32_t maxretry;
- isc_uint32_t minretry;
- isc_sockaddr_t *masters;
- dns_name_t **masterkeynames;
- isc_boolean_t *mastersok;
- unsigned int masterscnt;
- unsigned int curmaster;
- isc_sockaddr_t masteraddr;
- dns_notifytype_t notifytype;
- isc_sockaddr_t *notify;
- unsigned int notifycnt;
- isc_sockaddr_t notifyfrom;
- isc_task_t *task;
- isc_sockaddr_t notifysrc4;
- isc_sockaddr_t notifysrc6;
- isc_sockaddr_t xfrsource4;
- isc_sockaddr_t xfrsource6;
- isc_sockaddr_t altxfrsource4;
- isc_sockaddr_t altxfrsource6;
- isc_sockaddr_t sourceaddr;
- dns_xfrin_ctx_t *xfr; /* task locked */
- dns_tsigkey_t *tsigkey; /* key used for xfr */
- /* Access Control Lists */
- dns_acl_t *update_acl;
- dns_acl_t *forward_acl;
- dns_acl_t *notify_acl;
- dns_acl_t *query_acl;
- dns_acl_t *queryon_acl;
- dns_acl_t *xfr_acl;
- isc_boolean_t update_disabled;
- isc_boolean_t zero_no_soa_ttl;
- dns_severity_t check_names;
- ISC_LIST(dns_notify_t) notifies;
- dns_request_t *request;
- dns_loadctx_t *lctx;
- dns_io_t *readio;
- dns_dumpctx_t *dctx;
- dns_io_t *writeio;
- isc_uint32_t maxxfrin;
- isc_uint32_t maxxfrout;
- isc_uint32_t idlein;
- isc_uint32_t idleout;
- isc_event_t ctlevent;
- dns_ssutable_t *ssutable;
- isc_uint32_t sigvalidityinterval;
- isc_uint32_t sigresigninginterval;
- dns_view_t *view;
- dns_acache_t *acache;
- dns_checkmxfunc_t checkmx;
- dns_checksrvfunc_t checksrv;
- dns_checknsfunc_t checkns;
- /*%
- * Zones in certain states such as "waiting for zone transfer"
- * or "zone transfer in progress" are kept on per-state linked lists
- * in the zone manager using the 'statelink' field. The 'statelist'
- * field points at the list the zone is currently on. It the zone
- * is not on any such list, statelist is NULL.
- */
- ISC_LINK(dns_zone_t) statelink;
- dns_zonelist_t *statelist;
- /*%
- * Statistics counters about zone management.
- */
- isc_stats_t *stats;
- /*%
- * Optional per-zone statistics counters. Counted outside of this
- * module.
- */
- isc_boolean_t requeststats_on;
- isc_stats_t *requeststats;
- isc_uint32_t notifydelay;
- dns_isselffunc_t isself;
- void *isselfarg;
- char * strnamerd;
- char * strname;
- char * strrdclass;
- char * strviewname;
- /*%
- * Serial number for deferred journal compaction.
- */
- isc_uint32_t compact_serial;
- /*%
- * Keys that are signing the zone for the first time.
- */
- dns_signinglist_t signing;
- dns_nsec3chainlist_t nsec3chain;
- /*%
- * Signing / re-signing quantum stopping parameters.
- */
- isc_uint32_t signatures;
- isc_uint32_t nodes;
- dns_rdatatype_t privatetype;
- /*%
- * Autosigning/key-maintenance options
- */
- isc_uint32_t keyopts;
- /*%
- * True if added by "rndc addzone"
- */
- isc_boolean_t added;
- /*%
- * whether a rpz radix was needed when last loaded
- */
- isc_boolean_t rpz_zone;
- /*%
- * Outstanding forwarded UPDATE requests.
- */
- dns_forwardlist_t forwards;
- };
- #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
- #define DNS_ZONE_SETFLAG(z,f) do { \
- INSIST(LOCKED_ZONE(z)); \
- (z)->flags |= (f); \
- } while (0)
- #define DNS_ZONE_CLRFLAG(z,f) do { \
- INSIST(LOCKED_ZONE(z)); \
- (z)->flags &= ~(f); \
- } while (0)
- /* XXX MPA these may need to go back into zone.h */
- #define DNS_ZONEFLG_REFRESH 0x00000001U /*%< refresh check in progress */
- #define DNS_ZONEFLG_NEEDDUMP 0x00000002U /*%< zone need consolidation */
- #define DNS_ZONEFLG_USEVC 0x00000004U /*%< use tcp for refresh query */
- #define DNS_ZONEFLG_DUMPING 0x00000008U /*%< a dump is in progress */
- #define DNS_ZONEFLG_HASINCLUDE 0x00000010U /*%< $INCLUDE in zone file */
- #define DNS_ZONEFLG_LOADED 0x00000020U /*%< database has loaded */
- #define DNS_ZONEFLG_EXITING 0x00000040U /*%< zone is being destroyed */
- #define DNS_ZONEFLG_EXPIRED 0x00000080U /*%< zone has expired */
- #define DNS_ZONEFLG_NEEDREFRESH 0x00000100U /*%< refresh check needed */
- #define DNS_ZONEFLG_UPTODATE 0x00000200U /*%< zone contents are
- * uptodate */
- #define DNS_ZONEFLG_NEEDNOTIFY 0x00000400U /*%< need to send out notify
- * messages */
- #define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U /*%< generate a journal diff on
- * reload */
- #define DNS_ZONEFLG_NOMASTERS 0x00001000U /*%< an attempt to refresh a
- * zone with no masters
- * occurred */
- #define DNS_ZONEFLG_LOADING 0x00002000U /*%< load from disk in progress*/
- #define DNS_ZONEFLG_HAVETIMERS 0x00004000U /*%< timer values have been set
- * from SOA (if not set, we
- * are still using
- * default timer values) */
- #define DNS_ZONEFLG_FORCEXFER 0x00008000U /*%< Force a zone xfer */
- #define DNS_ZONEFLG_NOREFRESH 0x00010000U
- #define DNS_ZONEFLG_DIALNOTIFY 0x00020000U
- #define DNS_ZONEFLG_DIALREFRESH 0x00040000U
- #define DNS_ZONEFLG_SHUTDOWN 0x00080000U
- #define DNS_ZONEFLAG_NOIXFR 0x00100000U /*%< IXFR failed, force AXFR */
- #define DNS_ZONEFLG_FLUSH 0x00200000U
- #define DNS_ZONEFLG_NOEDNS 0x00400000U
- #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
- #define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U
- #define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U
- #define DNS_ZONEFLG_REFRESHING 0x04000000U /*%< Refreshing keydata */
- #define DNS_ZONEFLG_THAW 0x08000000U
- /* #define DNS_ZONEFLG_XXXXX 0x10000000U XXXMPA unused. */
- #define DNS_ZONEFLG_NODELAY 0x20000000U
- #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
- #define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
- /* Flags for zone_load() */
- #define DNS_ZONELOADFLAG_NOSTAT 0x00000001U /* Do not stat() master files */
- #define DNS_ZONELOADFLAG_THAW 0x00000002U /* Thaw the zone on successful
- load. */
- #define UNREACH_CHACHE_SIZE 10U
- #define UNREACH_HOLD_TIME 600 /* 10 minutes */
- #define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
- struct dns_unreachable {
- isc_sockaddr_t remote;
- isc_sockaddr_t local;
- isc_uint32_t expire;
- isc_uint32_t last;
- };
- struct dns_zonemgr {
- unsigned int magic;
- isc_mem_t * mctx;
- int refs; /* Locked by rwlock */
- isc_taskmgr_t * taskmgr;
- isc_timermgr_t * timermgr;
- isc_socketmgr_t * socketmgr;
- isc_taskpool_t * zonetasks;
- isc_task_t * task;
- isc_ratelimiter_t * rl;
- isc_rwlock_t rwlock;
- isc_mutex_t iolock;
- isc_rwlock_t urlock;
- /* Locked by rwlock. */
- dns_zonelist_t zones;
- dns_zonelist_t waiting_for_xfrin;
- dns_zonelist_t xfrin_in_progress;
- /* Configuration data. */
- isc_uint32_t transfersin;
- isc_uint32_t transfersperns;
- unsigned int serialqueryrate;
- /* Locked by iolock */
- isc_uint32_t iolimit;
- isc_uint32_t ioactive;
- dns_iolist_t high;
- dns_iolist_t low;
- /* Locked by urlock. */
- /* LRU cache */
- struct dns_unreachable unreachable[UNREACH_CHACHE_SIZE];
- };
- /*%
- * Hold notify state.
- */
- struct dns_notify {
- unsigned int magic;
- unsigned int flags;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_adbfind_t *find;
- dns_request_t *request;
- dns_name_t ns;
- isc_sockaddr_t dst;
- ISC_LINK(dns_notify_t) link;
- };
- #define DNS_NOTIFY_NOSOA 0x0001U
- /*%
- * dns_stub holds state while performing a 'stub' transfer.
- * 'db' is the zone's 'db' or a new one if this is the initial
- * transfer.
- */
- struct dns_stub {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_db_t *db;
- dns_dbversion_t *version;
- };
- /*%
- * Hold load state.
- */
- struct dns_load {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_db_t *db;
- isc_time_t loadtime;
- dns_rdatacallbacks_t callbacks;
- };
- /*%
- * Hold forward state.
- */
- struct dns_forward {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- isc_buffer_t *msgbuf;
- dns_request_t *request;
- isc_uint32_t which;
- isc_sockaddr_t addr;
- dns_updatecallback_t callback;
- void *callback_arg;
- ISC_LINK(dns_forward_t) link;
- };
- /*%
- * Hold IO request state.
- */
- struct dns_io {
- unsigned int magic;
- dns_zonemgr_t *zmgr;
- isc_boolean_t high;
- isc_task_t *task;
- ISC_LINK(dns_io_t) link;
- isc_event_t *event;
- };
- /*%
- * Hold state for when we are signing a zone with a new
- * DNSKEY as result of an update.
- */
- struct dns_signing {
- unsigned int magic;
- dns_db_t *db;
- dns_dbiterator_t *dbiterator;
- dns_secalg_t algorithm;
- isc_uint16_t keyid;
- isc_boolean_t delete;
- isc_boolean_t done;
- ISC_LINK(dns_signing_t) link;
- };
- struct dns_nsec3chain {
- unsigned int magic;
- dns_db_t *db;
- dns_dbiterator_t *dbiterator;
- dns_rdata_nsec3param_t nsec3param;
- unsigned char salt[255];
- isc_boolean_t done;
- isc_boolean_t seen_nsec;
- isc_boolean_t delete_nsec;
- isc_boolean_t save_delete_nsec;
- ISC_LINK(dns_nsec3chain_t) link;
- };
- /*%<
- * 'dbiterator' contains a iterator for the database. If we are creating
- * a NSEC3 chain only the non-NSEC3 nodes will be iterated. If we are
- * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
- * iterated.
- *
- * 'nsec3param' contains the parameters of the NSEC3 chain being created
- * or removed.
- *
- * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
- *
- * 'seen_nsec' will be set to true if, while iterating the zone to create a
- * NSEC3 chain, a NSEC record is seen.
- *
- * 'delete_nsec' will be set to true if, at the completion of the creation
- * of a NSEC3 chain, 'seen_nsec' is true. If 'delete_nsec' is true then we
- * are in the process of deleting the NSEC chain.
- *
- * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
- * so it can be recovered in the event of a error.
- */
- struct dns_keyfetch {
- dns_fixedname_t name;
- dns_rdataset_t keydataset;
- dns_rdataset_t dnskeyset;
- dns_rdataset_t dnskeysigset;
- dns_zone_t *zone;
- dns_db_t *db;
- dns_fetch_t *fetch;
- };
- #define HOUR 3600
- #define DAY (24*HOUR)
- #define MONTH (30*DAY)
- #define SEND_BUFFER_SIZE 2048
- static void zone_settimer(dns_zone_t *, isc_time_t *);
- static void cancel_refresh(dns_zone_t *);
- static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
- const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
- static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
- static void queue_xfrin(dns_zone_t *zone);
- static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, dns_diffop_t op,
- dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata);
- static void zone_unload(dns_zone_t *zone);
- static void zone_expire(dns_zone_t *zone);
- static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
- static void zone_idetach(dns_zone_t **zonep);
- static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
- isc_boolean_t dump);
- static inline void zone_attachdb(dns_zone_t *zone, dns_db_t *db);
- static inline void zone_detachdb(dns_zone_t *zone);
- static isc_result_t default_journal(dns_zone_t *zone);
- static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
- static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
- isc_time_t loadtime, isc_result_t result);
- static void zone_needdump(dns_zone_t *zone, unsigned int delay);
- static void zone_shutdown(isc_task_t *, isc_event_t *);
- static void zone_loaddone(void *arg, isc_result_t result);
- static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
- isc_time_t loadtime);
- static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
- static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
- static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
- static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
- #if 0
- /* ondestroy example */
- static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
- #endif
- static void refresh_callback(isc_task_t *, isc_event_t *);
- static void stub_callback(isc_task_t *, isc_event_t *);
- static void queue_soa_query(dns_zone_t *zone);
- static void soa_query(isc_task_t *, isc_event_t *);
- static void ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset,
- dns_stub_t *stub);
- static int message_count(dns_message_t *msg, dns_section_t section,
- dns_rdatatype_t type);
- static void notify_cancel(dns_zone_t *zone);
- static void notify_find_address(dns_notify_t *notify);
- static void notify_send(dns_notify_t *notify);
- static isc_result_t notify_createmessage(dns_zone_t *zone,
- unsigned int flags,
- dns_message_t **messagep);
- static void notify_done(isc_task_t *task, isc_event_t *event);
- static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
- static isc_result_t zone_dump(dns_zone_t *, isc_boolean_t);
- static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
- static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
- dns_zone_t *zone);
- static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi);
- static void zonemgr_free(dns_zonemgr_t *zmgr);
- static isc_result_t zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
- isc_task_t *task, isc_taskaction_t action,
- void *arg, dns_io_t **iop);
- static void zonemgr_putio(dns_io_t **iop);
- static void zonemgr_cancelio(dns_io_t *io);
- static isc_result_t
- zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
- unsigned int *soacount, isc_uint32_t *serial,
- isc_uint32_t *refresh, isc_uint32_t *retry,
- isc_uint32_t *expire, isc_uint32_t *minimum,
- unsigned int *errors);
- static void zone_freedbargs(dns_zone_t *zone);
- static void forward_callback(isc_task_t *task, isc_event_t *event);
- static void zone_saveunique(dns_zone_t *zone, const char *path,
- const char *templat);
- static void zone_maintenance(dns_zone_t *zone);
- static void zone_notify(dns_zone_t *zone, isc_time_t *now);
- static void dump_done(void *arg, isc_result_t result);
- static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
- isc_uint16_t keyid, isc_boolean_t delete);
- static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, dns_name_t *name,
- dns_diff_t *diff);
- static void zone_rekey(dns_zone_t *zone);
- static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
- dst_key_t **keys, unsigned int nkeys);
- #define ENTER zone_debuglog(zone, me, 1, "enter")
- static const unsigned int dbargc_default = 1;
- static const char *dbargv_default[] = { "rbt" };
- #define DNS_ZONE_JITTER_ADD(a, b, c) \
- do { \
- isc_interval_t _i; \
- isc_uint32_t _j; \
- _j = isc_random_jitter((b), (b)/4); \
- isc_interval_set(&_i, _j, 0); \
- if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
- dns_zone_log(zone, ISC_LOG_WARNING, \
- "epoch approaching: upgrade required: " \
- "now + %s failed", #b); \
- isc_interval_set(&_i, _j/2, 0); \
- (void)isc_time_add((a), &_i, (c)); \
- } \
- } while (0)
- #define DNS_ZONE_TIME_ADD(a, b, c) \
- do { \
- isc_interval_t _i; \
- isc_interval_set(&_i, (b), 0); \
- if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
- dns_zone_log(zone, ISC_LOG_WARNING, \
- "epoch approaching: upgrade required: " \
- "now + %s failed", #b); \
- isc_interval_set(&_i, (b)/2, 0); \
- (void)isc_time_add((a), &_i, (c)); \
- } \
- } while (0)
- /*%
- * Increment resolver-related statistics counters. Zone must be locked.
- */
- static inline void
- inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
- if (zone->stats != NULL)
- isc_stats_increment(zone->stats, counter);
- }
- /***
- *** Public functions.
- ***/
- isc_result_t
- dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
- isc_result_t result;
- dns_zone_t *zone;
- isc_time_t now;
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(mctx != NULL);
- TIME_NOW(&now);
- zone = isc_mem_get(mctx, sizeof(*zone));
- if (zone == NULL)
- return (ISC_R_NOMEMORY);
- zone->mctx = NULL;
- isc_mem_attach(mctx, &zone->mctx);
- result = isc_mutex_init(&zone->lock);
- if (result != ISC_R_SUCCESS)
- goto free_zone;
- result = ZONEDB_INITLOCK(&zone->dblock);
- if (result != ISC_R_SUCCESS)
- goto free_mutex;
- /* XXX MPA check that all elements are initialised */
- #ifdef DNS_ZONE_CHECKLOCK
- zone->locked = ISC_FALSE;
- #endif
- zone->db = NULL;
- zone->zmgr = NULL;
- ISC_LINK_INIT(zone, link);
- result = isc_refcount_init(&zone->erefs, 1); /* Implicit attach. */
- if (result != ISC_R_SUCCESS)
- goto free_dblock;
- zone->irefs = 0;
- dns_name_init(&zone->origin, NULL);
- zone->strnamerd = NULL;
- zone->strname = NULL;
- zone->strrdclass = NULL;
- zone->strviewname = NULL;
- zone->masterfile = NULL;
- zone->masterformat = dns_masterformat_none;
- zone->keydirectory = NULL;
- zone->journalsize = -1;
- zone->journal = NULL;
- zone->rdclass = dns_rdataclass_none;
- zone->type = dns_zone_none;
- zone->flags = 0;
- zone->options = 0;
- zone->keyopts = 0;
- zone->db_argc = 0;
- zone->db_argv = NULL;
- isc_time_settoepoch(&zone->expiretime);
- isc_time_settoepoch(&zone->refreshtime);
- isc_time_settoepoch(&zone->dumptime);
- isc_time_settoepoch(&zone->loadtime);
- zone->notifytime = now;
- isc_time_settoepoch(&zone->resigntime);
- isc_time_settoepoch(&zone->keywarntime);
- isc_time_settoepoch(&zone->signingtime);
- isc_time_settoepoch(&zone->nsec3chaintime);
- isc_time_settoepoch(&zone->refreshkeytime);
- zone->refreshkeycount = 0;
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- zone->expire = 0;
- zone->minimum = 0;
- zone->maxrefresh = DNS_ZONE_MAXREFRESH;
- zone->minrefresh = DNS_ZONE_MINREFRESH;
- zone->maxretry = DNS_ZONE_MAXRETRY;
- zone->minretry = DNS_ZONE_MINRETRY;
- zone->masters = NULL;
- zone->masterkeynames = NULL;
- zone->mastersok = NULL;
- zone->masterscnt = 0;
- zone->curmaster = 0;
- zone->notify = NULL;
- zone->notifytype = dns_notifytype_yes;
- zone->notifycnt = 0;
- zone->task = NULL;
- zone->update_acl = NULL;
- zone->forward_acl = NULL;
- zone->notify_acl = NULL;
- zone->query_acl = NULL;
- zone->queryon_acl = NULL;
- zone->xfr_acl = NULL;
- zone->update_disabled = ISC_FALSE;
- zone->zero_no_soa_ttl = ISC_TRUE;
- zone->check_names = dns_severity_ignore;
- zone->request = NULL;
- zone->lctx = NULL;
- zone->readio = NULL;
- zone->dctx = NULL;
- zone->writeio = NULL;
- zone->timer = NULL;
- zone->idlein = DNS_DEFAULT_IDLEIN;
- zone->idleout = DNS_DEFAULT_IDLEOUT;
- zone->log_key_expired_timer = 0;
- ISC_LIST_INIT(zone->notifies);
- isc_sockaddr_any(&zone->notifysrc4);
- isc_sockaddr_any6(&zone->notifysrc6);
- isc_sockaddr_any(&zone->xfrsource4);
- isc_sockaddr_any6(&zone->xfrsource6);
- isc_sockaddr_any(&zone->altxfrsource4);
- isc_sockaddr_any6(&zone->altxfrsource6);
- zone->xfr = NULL;
- zone->tsigkey = NULL;
- zone->maxxfrin = MAX_XFER_TIME;
- zone->maxxfrout = MAX_XFER_TIME;
- zone->ssutable = NULL;
- zone->sigvalidityinterval = 30 * 24 * 3600;
- zone->sigresigninginterval = 7 * 24 * 3600;
- zone->view = NULL;
- zone->acache = NULL;
- zone->checkmx = NULL;
- zone->checksrv = NULL;
- zone->checkns = NULL;
- ISC_LINK_INIT(zone, statelink);
- zone->statelist = NULL;
- zone->stats = NULL;
- zone->requeststats_on = ISC_FALSE;
- zone->requeststats = NULL;
- zone->notifydelay = 5;
- zone->isself = NULL;
- zone->isselfarg = NULL;
- ISC_LIST_INIT(zone->signing);
- ISC_LIST_INIT(zone->nsec3chain);
- zone->signatures = 10;
- zone->nodes = 100;
- zone->privatetype = (dns_rdatatype_t)0xffffU;
- zone->added = ISC_FALSE;
- zone->rpz_zone = ISC_FALSE;
- ISC_LIST_INIT(zone->forwards);
- zone->magic = ZONE_MAGIC;
- /* Must be after magic is set. */
- result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
- if (result != ISC_R_SUCCESS)
- goto free_erefs;
- ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
- DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
- NULL, NULL);
- *zonep = zone;
- return (ISC_R_SUCCESS);
- free_erefs:
- isc_refcount_decrement(&zone->erefs, NULL);
- isc_refcount_destroy(&zone->erefs);
- free_dblock:
- ZONEDB_DESTROYLOCK(&zone->dblock);
- free_mutex:
- DESTROYLOCK(&zone->lock);
- free_zone:
- isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
- return (result);
- }
- /*
- * Free a zone. Because we require that there be no more
- * outstanding events or references, no locking is necessary.
- */
- static void
- zone_free(dns_zone_t *zone) {
- isc_mem_t *mctx = NULL;
- dns_signing_t *signing;
- dns_nsec3chain_t *nsec3chain;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(isc_refcount_current(&zone->erefs) == 0);
- REQUIRE(zone->irefs == 0);
- REQUIRE(!LOCKED_ZONE(zone));
- REQUIRE(zone->timer == NULL);
- /*
- * Managed objects. Order is important.
- */
- if (zone->request != NULL)
- dns_request_destroy(&zone->request); /* XXXMPA */
- INSIST(zone->readio == NULL);
- INSIST(zone->statelist == NULL);
- INSIST(zone->writeio == NULL);
- if (zone->task != NULL)
- isc_task_detach(&zone->task);
- if (zone->zmgr != NULL)
- dns_zonemgr_releasezone(zone->zmgr, zone);
- /* Unmanaged objects */
- for (signing = ISC_LIST_HEAD(zone->signing);
- signing != NULL;
- signing = ISC_LIST_HEAD(zone->signing)) {
- ISC_LIST_UNLINK(zone->signing, signing, link);
- dns_db_detach(&signing->db);
- dns_dbiterator_destroy(&signing->dbiterator);
- isc_mem_put(zone->mctx, signing, sizeof *signing);
- }
- for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
- nsec3chain != NULL;
- nsec3chain = ISC_LIST_HEAD(zone->nsec3chain)) {
- ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
- dns_db_detach(&nsec3chain->db);
- dns_dbiterator_destroy(&nsec3chain->dbiterator);
- isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
- }
- if (zone->masterfile != NULL)
- isc_mem_free(zone->mctx, zone->masterfile);
- zone->masterfile = NULL;
- if (zone->keydirectory != NULL)
- isc_mem_free(zone->mctx, zone->keydirectory);
- zone->keydirectory = NULL;
- zone->journalsize = -1;
- if (zone->journal != NULL)
- isc_mem_free(zone->mctx, zone->journal);
- zone->journal = NULL;
- if (zone->stats != NULL)
- isc_stats_detach(&zone->stats);
- if (zone->requeststats != NULL)
- isc_stats_detach(&zone->requeststats);
- if (zone->db != NULL)
- zone_detachdb(zone);
- if (zone->acache != NULL)
- dns_acache_detach(&zone->acache);
- zone_freedbargs(zone);
- RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
- == ISC_R_SUCCESS);
- RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
- == ISC_R_SUCCESS);
- zone->check_names = dns_severity_ignore;
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- if (zone->queryon_acl != NULL)
- dns_acl_detach(&zone->queryon_acl);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- if (dns_name_dynamic(&zone->origin))
- dns_name_free(&zone->origin, zone->mctx);
- if (zone->strnamerd != NULL)
- isc_mem_free(zone->mctx, zone->strnamerd);
- if (zone->strname != NULL)
- isc_mem_free(zone->mctx, zone->strname);
- if (zone->strrdclass != NULL)
- isc_mem_free(zone->mctx, zone->strrdclass);
- if (zone->strviewname != NULL)
- isc_mem_free(zone->mctx, zone->strviewname);
- if (zone->ssutable != NULL)
- dns_ssutable_detach(&zone->ssutable);
- /* last stuff */
- ZONEDB_DESTROYLOCK(&zone->dblock);
- DESTROYLOCK(&zone->lock);
- isc_refcount_destroy(&zone->erefs);
- zone->magic = 0;
- mctx = zone->mctx;
- isc_mem_put(mctx, zone, sizeof(*zone));
- isc_mem_detach(&mctx);
- }
- /*
- * Single shot.
- */
- void
- dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
- char namebuf[1024];
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(rdclass != dns_rdataclass_none);
- /*
- * Test and set.
- */
- LOCK_ZONE(zone);
- REQUIRE(zone->rdclass == dns_rdataclass_none ||
- zone->rdclass == rdclass);
- zone->rdclass = rdclass;
- if (zone->strnamerd != NULL)
- isc_mem_free(zone->mctx, zone->strnamerd);
- if (zone->strrdclass != NULL)
- isc_mem_free(zone->mctx, zone->strrdclass);
- zone_namerd_tostr(zone, namebuf, sizeof namebuf);
- zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
- zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
- zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
- UNLOCK_ZONE(zone);
- }
- dns_rdataclass_t
- dns_zone_getclass(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->rdclass);
- }
- void
- dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->notifytype = notifytype;
- UNLOCK_ZONE(zone);
- }
- isc_result_t
- dns_zone_getserial2(dns_zone_t *zone, isc_uint32_t *serialp) {
- isc_result_t result;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(serialp != NULL);
- LOCK_ZONE(zone);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL) {
- result = zone_get_from_db(zone, zone->db, NULL, NULL, serialp,
- NULL, NULL, NULL, NULL, NULL);
- } else
- result = DNS_R_NOTLOADED;
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- UNLOCK_ZONE(zone);
- return (result);
- }
- isc_uint32_t
- dns_zone_getserial(dns_zone_t *zone) {
- isc_result_t result;
- isc_uint32_t serial;
- result = dns_zone_getserial2(zone, &serial);
- if (result != ISC_R_SUCCESS)
- serial = 0; /* XXX: not really correct, but no other choice */
- return (serial);
- }
- /*
- * Single shot.
- */
- void
- dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(type != dns_zone_none);
- /*
- * Test and set.
- */
- LOCK_ZONE(zone);
- REQUIRE(zone->type == dns_zone_none || zone->type == type);
- zone->type = type;
- UNLOCK_ZONE(zone);
- }
- static void
- zone_freedbargs(dns_zone_t *zone) {
- unsigned int i;
- /* Free the old database argument list. */
- if (zone->db_argv != NULL) {
- for (i = 0; i < zone->db_argc; i++)
- isc_mem_free(zone->mctx, zone->db_argv[i]);
- isc_mem_put(zone->mctx, zone->db_argv,
- zone->db_argc * sizeof(*zone->db_argv));
- }
- zone->db_argc = 0;
- zone->db_argv = NULL;
- }
- isc_result_t
- dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
- size_t size = 0;
- unsigned int i;
- isc_result_t result = ISC_R_SUCCESS;
- void *mem;
- char **tmp, *tmp2;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(argv != NULL && *argv == NULL);
- LOCK_ZONE(zone);
- size = (zone->db_argc + 1) * sizeof(char *);
- for (i = 0; i < zone->db_argc; i++)
- size += strlen(zone->db_argv[i]) + 1;
- mem = isc_mem_allocate(mctx, size);
- if (mem != NULL) {
- tmp = mem;
- tmp2 = mem;
- tmp2 += (zone->db_argc + 1) * sizeof(char *);
- for (i = 0; i < zone->db_argc; i++) {
- *tmp++ = tmp2;
- strcpy(tmp2, zone->db_argv[i]);
- tmp2 += strlen(tmp2) + 1;
- }
- *tmp = NULL;
- } else
- result = ISC_R_NOMEMORY;
- UNLOCK_ZONE(zone);
- *argv = mem;
- return (result);
- }
- isc_result_t
- dns_zone_setdbtype(dns_zone_t *zone,
- unsigned int dbargc, const char * const *dbargv) {
- isc_result_t result = ISC_R_SUCCESS;
- char **new = NULL;
- unsigned int i;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(dbargc >= 1);
- REQUIRE(dbargv != NULL);
- LOCK_ZONE(zone);
- /* Set up a new database argument list. */
- new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
- if (new == NULL)
- goto nomem;
- for (i = 0; i < dbargc; i++)
- new[i] = NULL;
- for (i = 0; i < dbargc; i++) {
- new[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
- if (new[i] == NULL)
- goto nomem;
- }
- /* Free the old list. */
- zone_freedbargs(zone);
- zone->db_argc = dbargc;
- zone->db_argv = new;
- result = ISC_R_SUCCESS;
- goto unlock;
- nomem:
- if (new != NULL) {
- for (i = 0; i < dbargc; i++)
- if (new[i] != NULL)
- isc_mem_free(zone->mctx, new[i]);
- isc_mem_put(zone->mctx, new, dbargc * sizeof(*new));
- }
- result = ISC_R_NOMEMORY;
- unlock:
- UNLOCK_ZONE(zone);
- return (result);
- }
- void
- dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
- char namebuf[1024];
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->view != NULL)
- dns_view_weakdetach(&zone->view);
- dns_view_weakattach(view, &zone->view);
- if (zone->strviewname != NULL)
- isc_mem_free(zone->mctx, zone->strviewname);
- if (zone->strnamerd != NULL)
- isc_mem_free(zone->mctx, zone->strnamerd);
- zone_namerd_tostr(zone, namebuf, sizeof namebuf);
- zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
- zone_viewname_tostr(zone, namebuf, sizeof namebuf);
- zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
- UNLOCK_ZONE(zone);
- }
- dns_view_t *
- dns_zone_getview(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->view);
- }
- isc_result_t
- dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
- isc_result_t result;
- char namebuf[1024];
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(origin != NULL);
- LOCK_ZONE(zone);
- if (dns_name_dynamic(&zone->origin)) {
- dns_name_free(&zone->origin, zone->mctx);
- dns_name_init(&zone->origin, NULL);
- }
- result = dns_name_dup(origin, zone->mctx, &zone->origin);
- if (zone->strnamerd != NULL)
- isc_mem_free(zone->mctx, zone->strnamerd);
- if (zone->strname != NULL)
- isc_mem_free(zone->mctx, zone->strname);
- zone_namerd_tostr(zone, namebuf, sizeof namebuf);
- zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
- zone_name_tostr(zone, namebuf, sizeof namebuf);
- zone->strname = isc_mem_strdup(zone->mctx, namebuf);
- UNLOCK_ZONE(zone);
- return (result);
- }
- void
- dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(acache != NULL);
- LOCK_ZONE(zone);
- if (zone->acache != NULL)
- dns_acache_detach(&zone->acache);
- dns_acache_attach(acache, &zone->acache);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL) {
- isc_result_t result;
- /*
- * If the zone reuses an existing DB, the DB needs to be
- * set in the acache explicitly. We can safely ignore the
- * case where the DB is already set. If other error happens,
- * the acache will not work effectively.
- */
- result = dns_acache_setdb(acache, zone->db);
- if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_acache_setdb() failed: %s",
- isc_result_totext(result));
- }
- }
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- UNLOCK_ZONE(zone);
- }
- static isc_result_t
- dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
- char *copy;
- if (value != NULL) {
- copy = isc_mem_strdup(zone->mctx, value);
- if (copy == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- copy = NULL;
- }
- if (*field != NULL)
- isc_mem_free(zone->mctx, *field);
- *field = copy;
- return (ISC_R_SUCCESS);
- }
- isc_result_t
- dns_zone_setfile(dns_zone_t *zone, const char *file) {
- return (dns_zone_setfile2(zone, file, dns_masterformat_text));
- }
- isc_result_t
- dns_zone_setfile2(dns_zone_t *zone, const char *file,
- dns_masterformat_t format) {
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->masterfile, file);
- if (result == ISC_R_SUCCESS) {
- zone->masterformat = format;
- result = default_journal(zone);
- }
- UNLOCK_ZONE(zone);
- return (result);
- }
- const char *
- dns_zone_getfile(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->masterfile);
- }
- static isc_result_t
- default_journal(dns_zone_t *zone) {
- isc_result_t result;
- char *journal;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
- if (zone->masterfile != NULL) {
- /* Calculate string length including '\0'. */
- int len = strlen(zone->masterfile) + sizeof(".jnl");
- journal = isc_mem_allocate(zone->mctx, len);
- if (journal == NULL)
- return (ISC_R_NOMEMORY);
- strcpy(journal, zone->masterfile);
- strcat(journal, ".jnl");
- } else {
- journal = NULL;
- }
- result = dns_zone_setstring(zone, &zone->journal, journal);
- if (journal != NULL)
- isc_mem_free(zone->mctx, journal);
- return (result);
- }
- isc_result_t
- dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->journal, journal);
- UNLOCK_ZONE(zone);
- return (result);
- }
- char *
- dns_zone_getjournal(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->journal);
- }
- /*
- * Return true iff the zone is "dynamic", in the sense that the zone's
- * master file (if any) is written by the server, rather than being
- * updated manually and read by the server.
- *
- * This is true for slave zones, stub zones, key zones, and zones that
- * allow dynamic updates either by having an update policy ("ssutable")
- * or an "allow-update" ACL with a value other than exactly "{ none; }".
- */
- static isc_boolean_t
- zone_isdynamic(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (ISC_TF(zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub ||
- zone->type == dns_zone_key ||
- (!zone->update_disabled && zone->ssutable != NULL) ||
- (!zone->update_disabled && zone->update_acl != NULL &&
- !dns_acl_isnone(zone->update_acl))));
- }
- static isc_result_t
- zone_load(dns_zone_t *zone, unsigned int flags) {
- isc_result_t result;
- isc_time_t now;
- isc_time_t loadtime, filetime;
- dns_db_t *db = NULL;
- isc_boolean_t rbt;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- TIME_NOW(&now);
- INSIST(zone->type != dns_zone_none);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
- if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
- result = DNS_R_CONTINUE;
- goto cleanup;
- }
- INSIST(zone->db_argc >= 1);
- rbt = strcmp(zone->db_argv[0], "rbt") == 0 ||
- strcmp(zone->db_argv[0], "rbt64") == 0;
- if (zone->db != NULL && zone->masterfile == NULL && rbt) {
- /*
- * The zone has no master file configured.
- */
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- if (zone->db != NULL && zone_isdynamic(zone)) {
- /*
- * This is a slave, stub, or dynamically updated
- * zone being reloaded. Do nothing - the database
- * we already have is guaranteed to be up-to-date.
- */
- if (zone->type == dns_zone_master)
- result = DNS_R_DYNAMIC;
- else
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- /*
- * Store the current time before the zone is loaded, so that if the
- * file changes between the time of the load and the time that
- * zone->loadtime is set, then the file will still be reloaded
- * the next time dns_zone_load is called.
- */
- TIME_NOW(&loadtime);
- /*
- * Don't do the load if the file that stores the zone is older
- * than the last time the zone was loaded. If the zone has not
- * been loaded yet, zone->loadtime will be the epoch.
- */
- if (zone->masterfile != NULL) {
- /*
- * The file is already loaded. If we are just doing a
- * "rndc reconfig", we are done.
- */
- if (!isc_time_isepoch(&zone->loadtime) &&
- (flags & DNS_ZONELOADFLAG_NOSTAT) != 0 &&
- zone->rpz_zone == dns_rpz_needed()) {
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- result = isc_file_getmodtime(zone->masterfile, &filetime);
- if (result == ISC_R_SUCCESS) {
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
- isc_time_compare(&filetime, &zone->loadtime) <= 0 &&
- zone->rpz_zone == dns_rpz_needed()) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "skipping load: master file "
- "older than last load");
- result = DNS_R_UPTODATE;
- goto cleanup;
- }
- loadtime = filetime;
- zone->rpz_zone = dns_rpz_needed();
- }
- }
- /*
- * Built in zones (with the exception of empty zones) don't need
- * to be reloaded.
- */
- if (zone->type == dns_zone_master &&
- strcmp(zone->db_argv[0], "_builtin") == 0 &&
- (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
- rbt) {
- if (zone->masterfile == NULL ||
- !isc_file_exists(zone->masterfile)) {
- if (zone->masterfile != NULL) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no master file");
- }
- zone->refreshtime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
- result = dns_db_create(zone->mctx, zone->db_argv[0],
- &zone->origin, (zone->type == dns_zone_stub) ?
- dns_dbtype_stub : dns_dbtype_zone,
- zone->rdclass,
- zone->db_argc - 1, zone->db_argv + 1,
- &db);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading zone: creating database: %s",
- isc_result_totext(result));
- goto cleanup;
- }
- dns_db_settask(db, zone->task);
- if (! dns_db_ispersistent(db)) {
- if (zone->masterfile != NULL) {
- result = zone_startload(db, zone, loadtime);
- } else {
- result = DNS_R_NOMASTERFILE;
- if (zone->type == dns_zone_master) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading zone: "
- "no master file configured");
- goto cleanup;
- }
- dns_zone_log(zone, ISC_LOG_INFO, "loading zone: "
- "no master file configured: continuing");
- }
- }
- if (result == DNS_R_CONTINUE) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
- if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
- goto cleanup;
- }
- result = zone_postload(zone, db, loadtime, result);
- cleanup:
- UNLOCK_ZONE(zone);
- if (db != NULL)
- dns_db_detach(&db);
- return (result);
- }
- isc_result_t
- dns_zone_load(dns_zone_t *zone) {
- return (zone_load(zone, 0));
- }
- isc_result_t
- dns_zone_loadnew(dns_zone_t *zone) {
- return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT));
- }
- isc_result_t
- dns_zone_loadandthaw(dns_zone_t *zone) {
- isc_result_t result;
- result = zone_load(zone, DNS_ZONELOADFLAG_THAW);
- switch (result) {
- case DNS_R_CONTINUE:
- /* Deferred thaw. */
- break;
- case ISC_R_SUCCESS:
- case DNS_R_UPTODATE:
- case DNS_R_SEENINCLUDE:
- zone->update_disabled = ISC_FALSE;
- break;
- case DNS_R_NOMASTERFILE:
- zone->update_disabled = ISC_FALSE;
- break;
- default:
- /* Error, remain in disabled state. */
- break;
- }
- return (result);
- }
- static unsigned int
- get_master_options(dns_zone_t *zone) {
- unsigned int options;
- options = DNS_MASTER_ZONE;
- if (zone->type == dns_zone_slave)
- options |= DNS_MASTER_SLAVE;
- if (zone->type == dns_zone_key)
- options |= DNS_MASTER_KEY;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
- options |= DNS_MASTER_CHECKNS;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
- options |= DNS_MASTER_FATALNS;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
- options |= DNS_MASTER_CHECKNAMES;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
- options |= DNS_MASTER_CHECKNAMESFAIL;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
- options |= DNS_MASTER_CHECKMX;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
- options |= DNS_MASTER_CHECKMXFAIL;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
- options |= DNS_MASTER_CHECKWILDCARD;
- if (zone->type == dns_zone_master &&
- ((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) ||
- zone->ssutable != NULL))
- options |= DNS_MASTER_RESIGN;
- return (options);
- }
- static void
- zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
- dns_load_t *load = event->ev_arg;
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int options;
- REQUIRE(DNS_LOAD_VALID(load));
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
- result = ISC_R_CANCELED;
- isc_event_free(&event);
- if (result == ISC_R_CANCELED)
- goto fail;
- options = get_master_options(load->zone);
- result = dns_master_loadfileinc3(load->zone->masterfile,
- dns_db_origin(load->db),
- dns_db_origin(load->db),
- load->zone->rdclass,
- options,
- load->zone->sigresigninginterval,
- &load->callbacks, task,
- zone_loaddone, load,
- &load->zone->lctx, load->zone->mctx,
- load->zone->masterformat);
- if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
- result != DNS_R_SEENINCLUDE)
- goto fail;
- return;
- fail:
- zone_loaddone(load, result);
- }
- static void
- zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
- const char me[] = "zone_gotwritehandle";
- dns_zone_t *zone = event->ev_arg;
- isc_result_t result = ISC_R_SUCCESS;
- dns_dbversion_t *version = NULL;
- REQUIRE(DNS_ZONE_VALID(zone));
- INSIST(task == zone->task);
- ENTER;
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
- result = ISC_R_CANCELED;
- isc_event_free(&event);
- if (result == ISC_R_CANCELED)
- goto fail;
- LOCK_ZONE(zone);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL) {
- dns_db_currentversion(zone->db, &version);
- result = dns_master_dumpinc2(zone->mctx, zone->db, version,
- &dns_master_style_default,
- zone->masterfile, zone->task,
- dump_done, zone, &zone->dctx,
- zone->masterformat);
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- } else
- result = ISC_R_CANCELED;
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- UNLOCK_ZONE(zone);
- if (result != DNS_R_CONTINUE)
- goto fail;
- return;
- fail:
- dump_done(zone, result);
- }
- static isc_result_t
- zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
- dns_load_t *load;
- isc_result_t result;
- isc_result_t tresult;
- unsigned int options;
- options = get_master_options(zone);
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
- options |= DNS_MASTER_MANYERRORS;
- if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
- load = isc_mem_get(zone->mctx, sizeof(*load));
- if (load == NULL)
- return (ISC_R_NOMEMORY);
- load->mctx = NULL;
- load->zone = NULL;
- load->db = NULL;
- load->loadtime = loadtime;
- load->magic = LOAD_MAGIC;
- isc_mem_attach(zone->mctx, &load->mctx);
- zone_iattach(zone, &load->zone);
- dns_db_attach(db, &load->db);
- dns_rdatacallbacks_init(&load->callbacks);
- result = dns_db_beginload(db, &load->callbacks.add,
- &load->callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->task,
- zone_gotreadhandle, load,
- &zone->readio);
- if (result != ISC_R_SUCCESS) {
- /*
- * We can't report multiple errors so ignore
- * the result of dns_db_endload().
- */
- (void)dns_db_endload(load->db,
- &load->callbacks.add_private);
- goto cleanup;
- } else
- result = DNS_R_CONTINUE;
- } else {
- dns_rdatacallbacks_t callbacks;
- dns_rdatacallbacks_init(&callbacks);
- result = dns_db_beginload(db, &callbacks.add,
- &callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_master_loadfile3(zone->masterfile, &zone->origin,
- &zone->origin, zone->rdclass,
- options, zone->sigresigninginterval,
- &callbacks, zone->mctx,
- zone->masterformat);
- tresult = dns_db_endload(db, &callbacks.add_private);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- }
- return (result);
- cleanup:
- load->magic = 0;
- dns_db_detach(&load->db);
- zone_idetach(&load->zone);
- isc_mem_detach(&load->mctx);
- isc_mem_put(zone->mctx, load, sizeof(*load));
- return (result);
- }
- static isc_boolean_t
- zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
- dns_name_t *owner)
- {
- isc_result_t result;
- char ownerbuf[DNS_NAME_FORMATSIZE];
- char namebuf[DNS_NAME_FORMATSIZE];
- char altbuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fixed;
- dns_name_t *foundname;
- int level;
- /*
- * "." means the services does not exist.
- */
- if (dns_name_equal(name, dns_rootname))
- return (ISC_TRUE);
- /*
- * Outside of zone.
- */
- if (!dns_name_issubdomain(name, &zone->origin)) {
- if (zone->checkmx != NULL)
- return ((zone->checkmx)(zone, name, owner));
- return (ISC_TRUE);
- }
- if (zone->type == dns_zone_master)
- level = ISC_LOG_ERROR;
- else
- level = ISC_LOG_WARNING;
- dns_fixedname_init(&fixed);
- foundname = dns_fixedname_name(&fixed);
- result = dns_db_find(db, name, NULL, dns_rdatatype_a,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- if (result == DNS_R_NXRRSET) {
- result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- }
- dns_name_format(owner, ownerbuf, sizeof ownerbuf);
- dns_name_format(name, namebuf, sizeof namebuf);
- if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
- result == DNS_R_EMPTYNAME) {
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
- level = ISC_LOG_WARNING;
- dns_zone_log(zone, level,
- "%s/MX '%s' has no address records (A or AAAA)",
- ownerbuf, namebuf);
- return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
- }
- if (result == DNS_R_CNAME) {
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
- level = ISC_LOG_WARNING;
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
- dns_zone_log(zone, level,
- "%s/MX '%s' is a CNAME (illegal)",
- ownerbuf, namebuf);
- return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
- }
- if (result == DNS_R_DNAME) {
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
- level = ISC_LOG_WARNING;
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
- dns_name_format(foundname, altbuf, sizeof altbuf);
- dns_zone_log(zone, level, "%s/MX '%s' is below a DNAME"
- " '%s' (illegal)", ownerbuf, namebuf,
- altbuf);
- }
- return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
- }
- if (zone->checkmx != NULL && result == DNS_R_DELEGATION)
- return ((zone->checkmx)(zone, name, owner));
- return (ISC_TRUE);
- }
- static isc_boolean_t
- zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
- dns_name_t *owner)
- {
- isc_result_t result;
- char ownerbuf[DNS_NAME_FORMATSIZE];
- char namebuf[DNS_NAME_FORMATSIZE];
- char altbuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fixed;
- dns_name_t *foundname;
- int level;
- /*
- * "." means the services does not exist.
- */
- if (dns_name_equal(name, dns_rootname))
- return (ISC_TRUE);
- /*
- * Outside of zone.
- */
- if (!dns_name_issubdomain(name, &zone->origin)) {
- if (zone->checksrv != NULL)
- return ((zone->checksrv)(zone, name, owner));
- return (ISC_TRUE);
- }
- if (zone->type == dns_zone_master)
- level = ISC_LOG_ERROR;
- else
- level = ISC_LOG_WARNING;
- dns_fixedname_init(&fixed);
- foundname = dns_fixedname_name(&fixed);
- result = dns_db_find(db, name, NULL, dns_rdatatype_a,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- if (result == DNS_R_NXRRSET) {
- result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- }
- dns_name_format(owner, ownerbuf, sizeof ownerbuf);
- dns_name_format(name, namebuf, sizeof namebuf);
- if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
- result == DNS_R_EMPTYNAME) {
- dns_zone_log(zone, level,
- "%s/SRV '%s' has no address records (A or AAAA)",
- ownerbuf, namebuf);
- /* XXX950 make fatal for 9.5.0. */
- return (ISC_TRUE);
- }
- if (result == DNS_R_CNAME) {
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
- level = ISC_LOG_WARNING;
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
- dns_zone_log(zone, level,
- "%s/SRV '%s' is a CNAME (illegal)",
- ownerbuf, namebuf);
- return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
- }
- if (result == DNS_R_DNAME) {
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
- level = ISC_LOG_WARNING;
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
- dns_name_format(foundname, altbuf, sizeof altbuf);
- dns_zone_log(zone, level, "%s/SRV '%s' is below a "
- "DNAME '%s' (illegal)", ownerbuf, namebuf,
- altbuf);
- }
- return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
- }
- if (zone->checksrv != NULL && result == DNS_R_DELEGATION)
- return ((zone->checksrv)(zone, name, owner));
- return (ISC_TRUE);
- }
- static isc_boolean_t
- zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
- dns_name_t *owner)
- {
- isc_boolean_t answer = ISC_TRUE;
- isc_result_t result, tresult;
- char ownerbuf[DNS_NAME_FORMATSIZE];
- char namebuf[DNS_NAME_FORMATSIZE];
- char altbuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fixed;
- dns_name_t *foundname;
- dns_rdataset_t a;
- dns_rdataset_t aaaa;
- int level;
- /*
- * Outside of zone.
- */
- if (!dns_name_issubdomain(name, &zone->origin)) {
- if (zone->checkns != NULL)
- return ((zone->checkns)(zone, name, owner, NULL, NULL));
- return (ISC_TRUE);
- }
- if (zone->type == dns_zone_master)
- level = ISC_LOG_ERROR;
- else
- level = ISC_LOG_WARNING;
- dns_fixedname_init(&fixed);
- foundname = dns_fixedname_name(&fixed);
- dns_rdataset_init(&a);
- dns_rdataset_init(&aaaa);
- result = dns_db_find(db, name, NULL, dns_rdatatype_a,
- DNS_DBFIND_GLUEOK, 0, NULL,
- foundname, &a, NULL);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&a);
- return (ISC_TRUE);
- } else if (result == DNS_R_DELEGATION)
- dns_rdataset_disassociate(&a);
- if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
- result == DNS_R_GLUE) {
- tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
- DNS_DBFIND_GLUEOK, 0, NULL,
- foundname, &aaaa, NULL);
- if (tresult == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&aaaa);
- return (ISC_TRUE);
- }
- if (tresult == DNS_R_DELEGATION)
- dns_rdataset_disassociate(&aaaa);
- if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
- /*
- * Check glue against child zone.
- */
- if (zone->checkns != NULL)
- answer = (zone->checkns)(zone, name, owner,
- &a, &aaaa);
- if (dns_rdataset_isassociated(&a))
- dns_rdataset_disassociate(&a);
- if (dns_rdataset_isassociated(&aaaa))
- dns_rdataset_disassociate(&aaaa);
- return (answer);
- }
- }
- dns_name_format(owner, ownerbuf, sizeof ownerbuf);
- dns_name_format(name, namebuf, sizeof namebuf);
- if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
- result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION) {
- const char *what;
- isc_boolean_t required = ISC_FALSE;
- if (dns_name_issubdomain(name, owner)) {
- what = "REQUIRED GLUE ";
- required = ISC_TRUE;
- } else if (result == DNS_R_DELEGATION)
- what = "SIBLING GLUE ";
- else
- what = "";
- if (result != DNS_R_DELEGATION || required ||
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) {
- dns_zone_log(zone, level, "%s/NS '%s' has no %s"
- "address records (A or AAAA)",
- ownerbuf, namebuf, what);
- /*
- * Log missing address record.
- */
- if (result == DNS_R_DELEGATION && zone->checkns != NULL)
- (void)(zone->checkns)(zone, name, owner,
- &a, &aaaa);
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
- }
- } else if (result == DNS_R_CNAME) {
- dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
- ownerbuf, namebuf);
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
- } else if (result == DNS_R_DNAME) {
- dns_name_format(foundname, altbuf, sizeof altbuf);
- dns_zone_log(zone, level,
- "%s/NS '%s' is below a DNAME '%s' (illegal)",
- ownerbuf, namebuf, altbuf);
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
- }
- if (dns_rdataset_isassociated(&a))
- dns_rdataset_disassociate(&a);
- if (dns_rdataset_isassociated(&aaaa))
- dns_rdataset_disassociate(&aaaa);
- return (answer);
- }
- static isc_boolean_t
- zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
- dns_rdataset_t *rdataset)
- {
- dns_rdataset_t tmprdataset;
- isc_result_t result;
- isc_boolean_t answer = ISC_TRUE;
- isc_boolean_t format = ISC_TRUE;
- int level = ISC_LOG_WARNING;
- char ownerbuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- unsigned int count1 = 0;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL))
- level = ISC_LOG_ERROR;
- dns_rdataset_init(&tmprdataset);
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdata_t rdata1 = DNS_RDATA_INIT;
- unsigned int count2 = 0;
- count1++;
- dns_rdataset_current(rdataset, &rdata1);
- dns_rdataset_clone(rdataset, &tmprdataset);
- for (result = dns_rdataset_first(&tmprdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&tmprdataset)) {
- dns_rdata_t rdata2 = DNS_RDATA_INIT;
- count2++;
- if (count1 >= count2)
- continue;
- dns_rdataset_current(&tmprdataset, &rdata2);
- if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
- if (format) {
- dns_name_format(owner, ownerbuf,
- sizeof ownerbuf);
- dns_rdatatype_format(rdata1.type,
- typebuf,
- sizeof(typebuf));
- format = ISC_FALSE;
- }
- dns_zone_log(zone, level, "%s/%s has "
- "semantically identical records",
- ownerbuf, typebuf);
- if (level == ISC_LOG_ERROR)
- answer = ISC_FALSE;
- break;
- }
- }
- dns_rdataset_disassociate(&tmprdataset);
- if (!format)
- break;
- }
- return (answer);
- }
- static isc_boolean_t
- zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
- dns_dbiterator_t *dbiterator = NULL;
- dns_dbnode_t *node = NULL;
- dns_fixedname_t fixed;
- dns_name_t *name;
- dns_rdataset_t rdataset;
- dns_rdatasetiter_t *rdsit = NULL;
- isc_boolean_t ok = ISC_TRUE;
- isc_result_t result;
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- dns_rdataset_init(&rdataset);
- result = dns_db_createiterator(db, 0, &dbiterator);
- if (result != ISC_R_SUCCESS)
- return (ISC_TRUE);
- for (result = dns_dbiterator_first(dbiterator);
- result == ISC_R_SUCCESS;
- result = dns_dbiterator_next(dbiterator)) {
- result = dns_dbiterator_current(dbiterator, &node, name);
- if (result != ISC_R_SUCCESS)
- continue;
- result = dns_db_allrdatasets(db, node, NULL, 0, &rdsit);
- if (result != ISC_R_SUCCESS)
- continue;
- for (result = dns_rdatasetiter_first(rdsit);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsit)) {
- dns_rdatasetiter_current(rdsit, &rdataset);
- if (!zone_rrset_check_dup(zone, name, &rdataset))
- ok = ISC_FALSE;
- dns_rdataset_disassociate(&rdataset);
- }
- dns_rdatasetiter_destroy(&rdsit);
- dns_db_detachnode(db, &node);
- }
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_dbiterator_destroy(&dbiterator);
- return (ok);
- }
- static isc_boolean_t
- integrity_checks(dns_zone_t *zone, dns_db_t *db) {
- dns_dbiterator_t *dbiterator = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_fixedname_t fixed;
- dns_fixedname_t fixedbottom;
- dns_rdata_mx_t mx;
- dns_rdata_ns_t ns;
- dns_rdata_in_srv_t srv;
- dns_rdata_t rdata;
- dns_name_t *name;
- dns_name_t *bottom;
- isc_result_t result;
- isc_boolean_t ok = ISC_TRUE;
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- dns_fixedname_init(&fixedbottom);
- bottom = dns_fixedname_name(&fixedbottom);
- dns_rdataset_init(&rdataset);
- dns_rdata_init(&rdata);
- result = dns_db_createiterator(db, 0, &dbiterator);
- if (result != ISC_R_SUCCESS)
- return (ISC_TRUE);
- result = dns_dbiterator_first(dbiterator);
- while (result == ISC_R_SUCCESS) {
- result = dns_dbiterator_current(dbiterator, &node, name);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- /*
- * Is this name visible in the zone?
- */
- if (!dns_name_issubdomain(name, &zone->origin) ||
- (dns_name_countlabels(bottom) > 0 &&
- dns_name_issubdomain(name, bottom)))
- goto next;
- /*
- * Don't check the NS records at the origin.
- */
- if (dns_name_equal(name, &zone->origin))
- goto checkmx;
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
- 0, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto checkmx;
- /*
- * Remember bottom of zone.
- */
- dns_name_copy(name, bottom, NULL);
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!zone_check_glue(zone, db, &ns.name, name))
- ok = ISC_FALSE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- goto next;
- checkmx:
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
- 0, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto checksrv;
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &mx, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!zone_check_mx(zone, db, &mx.mx, name))
- ok = ISC_FALSE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- checksrv:
- if (zone->rdclass != dns_rdataclass_in)
- goto next;
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
- 0, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto next;
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &srv, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!zone_check_srv(zone, db, &srv.target, name))
- ok = ISC_FALSE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- next:
- dns_db_detachnode(db, &node);
- result = dns_dbiterator_next(dbiterator);
- }
- cleanup:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_dbiterator_destroy(&dbiterator);
- return (ok);
- }
- /*
- * OpenSSL verification of RSA keys with exponent 3 is known to be
- * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
- * if they are in use.
- */
- static void
- zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_rdata_dnskey_t dnskey;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- isc_result_t result;
- isc_boolean_t logit, foundrsa = ISC_FALSE, foundmd5 = ISC_FALSE;
- const char *algorithm;
- result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_db_currentversion(db, &version);
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
- INSIST(result == ISC_R_SUCCESS);
- if ((dnskey.algorithm == DST_ALG_RSASHA1 ||
- dnskey.algorithm == DST_ALG_RSAMD5) &&
- dnskey.datalen > 1 && dnskey.data[0] == 1 &&
- dnskey.data[1] == 3)
- {
- if (dnskey.algorithm == DST_ALG_RSASHA1) {
- logit = !foundrsa;
- foundrsa = ISC_TRUE;
- algorithm = "RSASHA1";
- } else {
- logit = !foundmd5;
- foundmd5 = ISC_TRUE;
- algorithm = "RSAMD5";
- }
- if (logit)
- dns_zone_log(zone, ISC_LOG_WARNING,
- "weak %s (%u) key found "
- "(exponent=3)", algorithm,
- dnskey.algorithm);
- if (foundrsa && foundmd5)
- break;
- }
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&rdataset);
- cleanup:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (version != NULL)
- dns_db_closeversion(db, &version, ISC_FALSE);
- }
- static void
- resume_signingwithkey(dns_zone_t *zone) {
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- isc_result_t result;
- result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_db_currentversion(zone->db, &version);
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(zone->db, node, version,
- zone->privatetype,
- dns_rdatatype_none, 0,
- &rdataset, NULL);
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto cleanup;
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- dns_rdataset_current(&rdataset, &rdata);
- if (rdata.length != 5 ||
- rdata.data[0] == 0 || rdata.data[4] != 0) {
- dns_rdata_reset(&rdata);
- continue;
- }
- result = zone_signwithkey(zone, rdata.data[0],
- (rdata.data[1] << 8) | rdata.data[2],
- ISC_TF(rdata.data[3]));
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
- }
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&rdataset);
- cleanup:
- if (node != NULL)
- dns_db_detachnode(zone->db, &node);
- if (version != NULL)
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- }
- static isc_result_t
- zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
- dns_nsec3chain_t *nsec3chain, *current;
- isc_result_t result;
- isc_time_t now;
- unsigned int options = 0;
- char saltbuf[255*2+1];
- char flags[sizeof("REMOVE|CREATE|NONSEC|OPTOUT")];
- int i;
- nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
- if (nsec3chain == NULL)
- return (ISC_R_NOMEMORY);
- nsec3chain->magic = 0;
- nsec3chain->done = ISC_FALSE;
- nsec3chain->db = NULL;
- nsec3chain->dbiterator = NULL;
- nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
- nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
- nsec3chain->nsec3param.hash = nsec3param->hash;
- nsec3chain->nsec3param.iterations = nsec3param->iterations;
- nsec3chain->nsec3param.flags = nsec3param->flags;
- nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
- memcpy(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
- nsec3chain->nsec3param.salt = nsec3chain->salt;
- nsec3chain->seen_nsec = ISC_FALSE;
- nsec3chain->delete_nsec = ISC_FALSE;
- nsec3chain->save_delete_nsec = ISC_FALSE;
- if (nsec3param->flags == 0)
- strlcpy(flags, "NONE", sizeof(flags));
- else {
- flags[0] = '\0';
- if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
- strlcat(flags, "REMOVE", sizeof(flags));
- if (nsec3param->flags & DNS_NSEC3FLAG_CREATE) {
- if (flags[0] == '\0')
- strlcpy(flags, "CREATE", sizeof(flags));
- else
- strlcat(flags, "|CREATE", sizeof(flags));
- }
- if (nsec3param->flags & DNS_NSEC3FLAG_NONSEC) {
- if (flags[0] == '\0')
- strlcpy(flags, "NONSEC", sizeof(flags));
- else
- strlcat(flags, "|NONSEC", sizeof(flags));
- }
- if (nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) {
- if (flags[0] == '\0')
- strlcpy(flags, "OPTOUT", sizeof(flags));
- else
- strlcat(flags, "|OPTOUT", sizeof(flags));
- }
- }
- if (nsec3param->salt_length == 0)
- strlcpy(saltbuf, "-", sizeof(saltbuf));
- else
- for (i = 0; i < nsec3param->salt_length; i++)
- sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
- dns_zone_log(zone, ISC_LOG_INFO,
- "zone_addnsec3chain(%u,%s,%u,%s)",
- nsec3param->hash, flags, nsec3param->iterations,
- saltbuf);
- for (current = ISC_LIST_HEAD(zone->nsec3chain);
- current != NULL;
- current = ISC_LIST_NEXT(current, link)) {
- if (current->db == zone->db &&
- current->nsec3param.hash == nsec3param->hash &&
- current->nsec3param.iterations == nsec3param->iterations &&
- current->nsec3param.salt_length == nsec3param->salt_length
- && !memcmp(current->nsec3param.salt, nsec3param->salt,
- nsec3param->salt_length))
- current->done = ISC_TRUE;
- }
- if (zone->db != NULL) {
- dns_db_attach(zone->db, &nsec3chain->db);
- if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
- options = DNS_DB_NONSEC3;
- result = dns_db_createiterator(nsec3chain->db, options,
- &nsec3chain->dbiterator);
- if (result == ISC_R_SUCCESS)
- dns_dbiterator_first(nsec3chain->dbiterator);
- if (result == ISC_R_SUCCESS) {
- dns_dbiterator_pause(nsec3chain->dbiterator);
- ISC_LIST_INITANDAPPEND(zone->nsec3chain,
- nsec3chain, link);
- nsec3chain = NULL;
- if (isc_time_isepoch(&zone->nsec3chaintime)) {
- TIME_NOW(&now);
- zone->nsec3chaintime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- }
- }
- } else
- result = ISC_R_NOTFOUND;
- if (nsec3chain != NULL) {
- if (nsec3chain->db != NULL)
- dns_db_detach(&nsec3chain->db);
- if (nsec3chain->dbiterator != NULL)
- dns_dbiterator_destroy(&nsec3chain->dbiterator);
- isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
- }
- return (result);
- }
- static void
- resume_addnsec3chain(dns_zone_t *zone) {
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_rdataset_t rdataset;
- isc_result_t result;
- dns_rdata_nsec3param_t nsec3param;
- if (zone->privatetype == 0)
- return;
- result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_db_currentversion(zone->db, &version);
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(zone->db, node, version,
- zone->privatetype, dns_rdatatype_none,
- 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto cleanup;
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_t private = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &private);
- if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
- sizeof(buf)))
- continue;
- result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 ||
- (nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
- result = zone_addnsec3chain(zone, &nsec3param);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
- }
- }
- }
- dns_rdataset_disassociate(&rdataset);
- cleanup:
- if (node != NULL)
- dns_db_detachnode(zone->db, &node);
- if (version != NULL)
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- }
- static void
- set_resigntime(dns_zone_t *zone) {
- dns_rdataset_t rdataset;
- dns_fixedname_t fixed;
- unsigned int resign;
- isc_result_t result;
- isc_uint32_t nanosecs;
- dns_rdataset_init(&rdataset);
- dns_fixedname_init(&fixed);
- result = dns_db_getsigningtime(zone->db, &rdataset,
- dns_fixedname_name(&fixed));
- if (result != ISC_R_SUCCESS) {
- isc_time_settoepoch(&zone->resigntime);
- return;
- }
- resign = rdataset.resign;
- dns_rdataset_disassociate(&rdataset);
- isc_random_get(&nanosecs);
- nanosecs %= 1000000000;
- isc_time_set(&zone->resigntime, resign, nanosecs);
- }
- static isc_result_t
- check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_dbversion_t *version = NULL;
- dns_rdata_nsec3param_t nsec3param;
- isc_boolean_t ok = ISC_FALSE;
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_boolean_t dynamic = (zone->type == dns_zone_master) ?
- zone_isdynamic(zone) : ISC_FALSE;
- dns_rdataset_init(&rdataset);
- result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "nsec3param lookup failure: %s",
- dns_result_totext(result));
- return (result);
- }
- dns_db_currentversion(db, &version);
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_nsec3param,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "nsec3param lookup failure: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- /*
- * For dynamic zones we must support every algorithm so we can
- * regenerate all the NSEC3 chains.
- * For non-dynamic zones we only need to find a supported algorithm.
- */
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
- dns_rdata_reset(&rdata);
- INSIST(result == ISC_R_SUCCESS);
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
- nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
- {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "nsec3 test \"unknown\" hash algorithm found: %u",
- nsec3param.hash);
- ok = ISC_TRUE;
- } else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
- if (dynamic) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unsupported nsec3 hash algorithm"
- " in dynamic zone: %u",
- nsec3param.hash);
- result = DNS_R_BADZONE;
- /* Stop second error message. */
- ok = ISC_TRUE;
- break;
- } else
- dns_zone_log(zone, ISC_LOG_WARNING,
- "unsupported nsec3 hash algorithm: %u",
- nsec3param.hash);
- } else
- ok = ISC_TRUE;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (!ok) {
- result = DNS_R_BADZONE;
- dns_zone_log(zone, ISC_LOG_ERROR,
- "no supported nsec3 hash algorithm");
- }
- cleanup:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detachnode(db, &node);
- return (result);
- }
- /*
- * Set the timer for refreshing the key zone to the soonest future time
- * of the set (current timer, keydata->refresh, keydata->addhd,
- * keydata->removehd).
- */
- static void
- set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
- isc_stdtime_t now)
- {
- const char me[] = "set_refreshkeytimer";
- isc_stdtime_t then;
- isc_time_t timenow, timethen;
- char timebuf[80];
- ENTER;
- then = key->refresh;
- if (key->addhd > now && key->addhd < then)
- then = key->addhd;
- if (key->removehd > now && key->removehd < then)
- then = key->removehd;
- TIME_NOW(&timenow);
- if (then > now)
- DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
- else
- timethen = timenow;
- if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
- isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
- zone->refreshkeytime = timethen;
- isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
- zone_settimer(zone, &timenow);
- }
- /*
- * Convert key(s) linked from 'keynode' to KEYDATA and add to the key zone.
- * If the key zone is changed, set '*changed' to ISC_TRUE.
- */
- static isc_result_t
- create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, dns_keytable_t *keytable,
- dns_keynode_t **keynodep, isc_boolean_t *changed)
- {
- const char me[] = "create_keydata";
- isc_result_t result = ISC_R_SUCCESS;
- isc_buffer_t keyb, dstb;
- unsigned char key_buf[4096], dst_buf[DST_KEY_MAXSIZE];
- dns_rdata_keydata_t keydata;
- dns_rdata_dnskey_t dnskey;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_keynode_t *keynode;
- isc_stdtime_t now;
- isc_region_t r;
- dst_key_t *key;
- REQUIRE(keynodep != NULL);
- keynode = *keynodep;
- ENTER;
- isc_stdtime_get(&now);
- /* Loop in case there's more than one key. */
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
- key = dns_keynode_key(keynode);
- if (key == NULL)
- goto skip;
- isc_buffer_init(&dstb, dst_buf, sizeof(dst_buf));
- CHECK(dst_key_todns(key, &dstb));
- /* Convert DST key to DNSKEY. */
- dns_rdata_reset(&rdata);
- isc_buffer_usedregion(&dstb, &r);
- dns_rdata_fromregion(&rdata, dst_key_class(key),
- dns_rdatatype_dnskey, &r);
- /* DSTKEY to KEYDATA. */
- CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
- CHECK(dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0,
- NULL));
- /* KEYDATA to rdata. */
- dns_rdata_reset(&rdata);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- CHECK(dns_rdata_fromstruct(&rdata,
- zone->rdclass, dns_rdatatype_keydata,
- &keydata, &keyb));
- /* Add rdata to zone. */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD,
- dst_key_name(key), 0, &rdata));
- *changed = ISC_TRUE;
- skip:
- result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
- if (result != ISC_R_NOTFOUND) {
- dns_keytable_detachkeynode(keytable, &keynode);
- keynode = nextnode;
- }
- }
- /* Refresh new keys from the zone apex as soon as possible. */
- if (*changed)
- set_refreshkeytimer(zone, &keydata, now);
- if (keynode != NULL)
- dns_keytable_detachkeynode(keytable, &keynode);
- *keynodep = NULL;
- return (ISC_R_SUCCESS);
- failure:
- return (result);
- }
- /*
- * Remove from the key zone all the KEYDATA records found in rdataset.
- */
- static isc_result_t
- delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_name_t *name, dns_rdataset_t *rdataset)
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result, uresult;
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
- name, 0, &rdata);
- if (uresult != ISC_R_SUCCESS)
- return (uresult);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
- }
- /*
- * Compute the DNSSEC key ID for a DNSKEY record.
- */
- static isc_result_t
- compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
- dns_keytag_t *tag)
- {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char data[4096];
- isc_buffer_t buffer;
- dst_key_t *dstkey = NULL;
- isc_buffer_init(&buffer, data, sizeof(data));
- dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
- dns_rdatatype_dnskey, dnskey, &buffer);
- result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
- if (result == ISC_R_SUCCESS)
- *tag = dst_key_id(dstkey);
- dst_key_free(&dstkey);
- return (result);
- }
- /*
- * Add key to the security roots.
- */
- static void
- trust_key(dns_zone_t *zone, dns_name_t *keyname,
- dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char data[4096];
- isc_buffer_t buffer;
- dns_keytable_t *sr = NULL;
- dst_key_t *dstkey = NULL;
- /* Convert dnskey to DST key. */
- isc_buffer_init(&buffer, data, sizeof(data));
- dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
- dns_rdatatype_dnskey, dnskey, &buffer);
- result = dns_view_getsecroots(zone->view, &sr);
- if (result != ISC_R_SUCCESS)
- goto failure;
- CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
- CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
- dns_keytable_detach(&sr);
- failure:
- if (dstkey != NULL)
- dst_key_free(&dstkey);
- if (sr != NULL)
- dns_keytable_detach(&sr);
- return;
- }
- /*
- * Add a null key to the security roots for so that all queries
- * to the zone will fail.
- */
- static void
- fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
- isc_result_t result;
- dns_keytable_t *sr = NULL;
- result = dns_view_getsecroots(zone->view, &sr);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_marksecure(sr, keyname);
- dns_keytable_detach(&sr);
- }
- }
- /*
- * Scan a set of KEYDATA records from the key zone. The ones that are
- * valid (i.e., the add holddown timer has expired) become trusted keys.
- */
- static void
- load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_keydata_t keydata;
- dns_rdata_dnskey_t dnskey;
- isc_mem_t *mctx = zone->mctx;
- int trusted = 0, revoked = 0, pending = 0;
- isc_stdtime_t now;
- dns_keytable_t *sr = NULL;
- isc_stdtime_get(&now);
- result = dns_view_getsecroots(zone->view, &sr);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_delete(sr, name);
- dns_keytable_detach(&sr);
- }
- /* Now insert all the accepted trust anchors from this keydata set. */
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- /* Convert rdata to keydata. */
- dns_rdata_tostruct(&rdata, &keydata, NULL);
- /* Set the key refresh timer. */
- set_refreshkeytimer(zone, &keydata, now);
- /* If the removal timer is nonzero, this key was revoked. */
- if (keydata.removehd != 0) {
- revoked++;
- continue;
- }
- /*
- * If the add timer is still pending, this key is not
- * trusted yet.
- */
- if (now < keydata.addhd) {
- pending++;
- continue;
- }
- /* Convert keydata to dnskey. */
- dns_keydata_todnskey(&keydata, &dnskey, NULL);
- /* Add to keytables. */
- trusted++;
- trust_key(zone, name, &dnskey, mctx);
- }
- if (trusted == 0 && pending != 0) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "No valid trust anchors for '%s'!", namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%d key(s) revoked, %d still pending",
- revoked, pending);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "All queries to '%s' will fail", namebuf);
- fail_secure(zone, name);
- }
- }
- static isc_result_t
- do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
- {
- dns_diff_t temp_diff;
- isc_result_t result;
- /*
- * Create a singleton diff.
- */
- dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
- ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
- /*
- * Apply it to the database.
- */
- result = dns_diff_apply(&temp_diff, db, ver);
- ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
- if (result != ISC_R_SUCCESS) {
- dns_difftuple_free(tuple);
- return (result);
- }
- /*
- * Merge it into the current pending journal entry.
- */
- dns_diff_appendminimal(diff, tuple);
- /*
- * Do not clear temp_diff.
- */
- return (ISC_R_SUCCESS);
- }
- static isc_result_t
- update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata)
- {
- dns_difftuple_t *tuple = NULL;
- isc_result_t result;
- result = dns_difftuple_create(diff->mctx, op,
- name, ttl, rdata, &tuple);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (do_one_tuple(&tuple, db, ver, diff));
- }
- static isc_result_t
- increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, isc_mem_t *mctx) {
- dns_difftuple_t *deltuple = NULL;
- dns_difftuple_t *addtuple = NULL;
- isc_uint32_t serial;
- isc_result_t result;
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
- CHECK(dns_difftuple_copy(deltuple, &addtuple));
- addtuple->op = DNS_DIFFOP_ADD;
- serial = dns_soa_getserial(&addtuple->rdata);
- /* RFC1982 */
- serial = (serial + 1) & 0xFFFFFFFF;
- if (serial == 0)
- serial = 1;
- dns_soa_setserial(serial, &addtuple->rdata);
- CHECK(do_one_tuple(&deltuple, db, ver, diff));
- CHECK(do_one_tuple(&addtuple, db, ver, diff));
- result = ISC_R_SUCCESS;
- failure:
- if (addtuple != NULL)
- dns_difftuple_free(&addtuple);
- if (deltuple != NULL)
- dns_difftuple_free(&deltuple);
- return (result);
- }
- /*
- * Write all transactions in 'diff' to the zone journal file.
- */
- static isc_result_t
- zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) {
- const char me[] = "zone_journal";
- const char *journalfile;
- isc_result_t result = ISC_R_SUCCESS;
- dns_journal_t *journal = NULL;
- ENTER;
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL) {
- result = dns_journal_open(zone->mctx, journalfile,
- ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%s:dns_journal_open -> %s\n",
- caller, dns_result_totext(result));
- return (result);
- }
- result = dns_journal_write_transaction(journal, diff);
- dns_journal_destroy(&journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%s:dns_journal_write_transaction -> %s\n",
- caller, dns_result_totext(result));
- return (result);
- }
- }
- return (result);
- }
- /*
- * Create an SOA record for a newly-created zone
- */
- static isc_result_t
- add_soa(dns_zone_t *zone, dns_db_t *db) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char buf[DNS_SOA_BUFFERSIZE];
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff;
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
- dns_diff_init(zone->mctx, &diff);
- result = dns_db_newversion(db, &ver);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "add_soa:dns_db_newversion -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /* Build SOA record */
- result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
- 0, 0, 0, 0, 0, buf, &rdata);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "add_soa:dns_soa_buildrdata -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
- &zone->origin, 0, &rdata);
- failure:
- dns_diff_clear(&diff);
- if (ver != NULL)
- dns_db_closeversion(db, &ver, ISC_TF(result == ISC_R_SUCCESS));
- return (result);
- }
- /*
- * Synchronize the set of initializing keys found in managed-keys {}
- * statements with the set of trust anchors found in the managed-keys.bind
- * zone. If a domain is no longer named in managed-keys, delete all keys
- * from that domain from the key zone. If a domain is mentioned in in
- * managed-keys but there are no references to it in the key zone, load
- * the key zone with the initializing key(s) for that domain.
- */
- static isc_result_t
- sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_boolean_t changed = ISC_FALSE;
- isc_boolean_t commit = ISC_FALSE;
- dns_rbtnodechain_t chain;
- dns_fixedname_t fn;
- dns_name_t foundname, *origin;
- dns_keynode_t *keynode = NULL;
- dns_view_t *view = zone->view;
- dns_keytable_t *sr = NULL;
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff;
- dns_rriterator_t rrit;
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
- dns_name_init(&foundname, NULL);
- dns_fixedname_init(&fn);
- origin = dns_fixedname_name(&fn);
- dns_diff_init(zone->mctx, &diff);
- CHECK(dns_view_getsecroots(view, &sr));
- result = dns_db_newversion(db, &ver);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sync_keyzone:dns_db_newversion -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Walk the zone DB. If we find any keys whose names are no longer
- * in managed-keys (or *are* in trusted-keys, meaning they are
- * permanent and not RFC5011-maintained), delete them from the
- * zone. Otherwise call load_secroots(), which loads keys into
- * secroots as appropriate.
- */
- dns_rriterator_init(&rrit, db, ver, 0);
- for (result = dns_rriterator_first(&rrit);
- result == ISC_R_SUCCESS;
- result = dns_rriterator_nextrrset(&rrit)) {
- dns_rdataset_t *rdataset = NULL;
- dns_name_t *rrname = NULL;
- isc_uint32_t ttl;
- dns_rriterator_current(&rrit, &rrname, &ttl,
- &rdataset, NULL);
- if (!dns_rdataset_isassociated(rdataset)) {
- dns_rriterator_destroy(&rrit);
- goto failure;
- }
- if (rdataset->type != dns_rdatatype_keydata)
- continue;
- result = dns_keytable_find(sr, rrname, &keynode);
- if ((result != ISC_R_SUCCESS &&
- result != DNS_R_PARTIALMATCH) ||
- dns_keynode_managed(keynode) == ISC_FALSE) {
- CHECK(delete_keydata(db, ver, &diff,
- rrname, rdataset));
- changed = ISC_TRUE;
- } else {
- load_secroots(zone, rrname, rdataset);
- }
- if (keynode != NULL)
- dns_keytable_detachkeynode(sr, &keynode);
- }
- dns_rriterator_destroy(&rrit);
- /*
- * Now walk secroots to find any managed keys that aren't
- * in the zone. If we find any, we add them to the zone.
- */
- RWLOCK(&sr->rwlock, isc_rwlocktype_write);
- dns_rbtnodechain_init(&chain, zone->mctx);
- result = dns_rbtnodechain_first(&chain, sr->table, &foundname, origin);
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_NOMORE;
- while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
- dns_rbtnode_t *rbtnode = NULL;
- dns_rbtnodechain_current(&chain, &foundname, origin, &rbtnode);
- if (rbtnode->data == NULL)
- goto skip;
- dns_keytable_attachkeynode(sr, rbtnode->data, &keynode);
- if (dns_keynode_managed(keynode)) {
- dns_fixedname_t fname;
- dns_name_t *keyname;
- dst_key_t *key;
- key = dns_keynode_key(keynode);
- dns_fixedname_init(&fname);
- if (key == NULL) /* fail_secure() was called. */
- goto skip;
- keyname = dst_key_name(key);
- result = dns_db_find(db, keyname, ver,
- dns_rdatatype_keydata,
- DNS_DBFIND_NOWILD, 0, NULL,
- dns_fixedname_name(&fname),
- NULL, NULL);
- if (result != ISC_R_SUCCESS)
- result = create_keydata(zone, db, ver, &diff,
- sr, &keynode, &changed);
- if (result != ISC_R_SUCCESS)
- break;
- }
- skip:
- result = dns_rbtnodechain_next(&chain, &foundname, origin);
- if (keynode != NULL)
- dns_keytable_detachkeynode(sr, &keynode);
- }
- RWUNLOCK(&sr->rwlock, isc_rwlocktype_write);
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (changed) {
- /* Write changes to journal file. */
- CHECK(increment_soa_serial(db, ver, &diff, zone->mctx));
- CHECK(zone_journal(zone, &diff, "sync_keyzone"));
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
- zone_needdump(zone, 30);
- commit = ISC_TRUE;
- }
- failure:
- if (keynode != NULL)
- dns_keytable_detachkeynode(sr, &keynode);
- if (sr != NULL)
- dns_keytable_detach(&sr);
- if (ver != NULL)
- dns_db_closeversion(db, &ver, commit);
- dns_diff_clear(&diff);
- return (result);
- }
- static isc_result_t
- zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
- isc_result_t result)
- {
- unsigned int soacount = 0;
- unsigned int nscount = 0;
- unsigned int errors = 0;
- isc_uint32_t serial, oldserial, refresh, retry, expire, minimum;
- isc_time_t now;
- isc_boolean_t needdump = ISC_FALSE;
- isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- isc_boolean_t nomaster = ISC_FALSE;
- unsigned int options;
- TIME_NOW(&now);
- /*
- * Initiate zone transfer? We may need a error code that
- * indicates that the "permanent" form does not exist.
- * XXX better error feedback to log.
- */
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
- if (result == ISC_R_FILENOTFOUND)
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no master file");
- else if (result != DNS_R_NOMASTERFILE)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading from master file %s "
- "failed: %s",
- zone->masterfile,
- dns_result_totext(result));
- } else {
- int level = ISC_LOG_ERROR;
- if (zone->type == dns_zone_key &&
- result == ISC_R_FILENOTFOUND)
- level = ISC_LOG_DEBUG(1);
- dns_zone_log(zone, level,
- "loading from master file %s failed: %s",
- zone->masterfile,
- dns_result_totext(result));
- nomaster = ISC_TRUE;
- }
- if (zone->type != dns_zone_key)
- goto cleanup;
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(2),
- "number of nodes in database: %u",
- dns_db_nodecount(db));
- if (result == DNS_R_SEENINCLUDE)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- /*
- * If there's no master file for a key zone, then the zone is new:
- * create an SOA record. (We do this now, instead of later, so that
- * if there happens to be a journal file, we can roll forward from
- * a sane starting point.)
- */
- if (nomaster && zone->type == dns_zone_key) {
- result = add_soa(zone, db);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- /*
- * Apply update log, if any, on initial load.
- */
- if (zone->journal != NULL &&
- ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
- ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
- {
- if (zone->type == dns_zone_master &&
- (zone->update_acl != NULL || zone->ssutable != NULL))
- options = DNS_JOURNALOPT_RESIGN;
- else
- options = 0;
- result = dns_journal_rollforward2(zone->mctx, db, options,
- zone->sigresigninginterval,
- zone->journal);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
- result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
- result != ISC_R_RANGE) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "journal rollforward failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "journal rollforward failed: "
- "journal out of sync with zone");
- goto cleanup;
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "journal rollforward completed "
- "successfully: %s",
- dns_result_totext(result));
- if (result == ISC_R_SUCCESS)
- needdump = ISC_TRUE;
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded; checking validity");
- /*
- * Obtain ns, soa and cname counts for top of zone.
- */
- INSIST(db != NULL);
- result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
- &refresh, &retry, &expire, &minimum,
- &errors);
- if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not find NS and/or SOA records");
- }
- /*
- * Master / Slave / Stub zones require both NS and SOA records at
- * the top of the zone.
- */
- switch (zone->type) {
- case dns_zone_dlz:
- case dns_zone_master:
- case dns_zone_slave:
- case dns_zone_stub:
- if (soacount != 1) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has %d SOA records", soacount);
- result = DNS_R_BADZONE;
- }
- if (nscount == 0) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has no NS records");
- result = DNS_R_BADZONE;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (zone->type == dns_zone_master && errors != 0) {
- result = DNS_R_BADZONE;
- goto cleanup;
- }
- if (zone->type != dns_zone_stub) {
- result = check_nsec3param(zone, db);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- if (zone->type == dns_zone_master &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
- !integrity_checks(zone, db)) {
- result = DNS_R_BADZONE;
- goto cleanup;
- }
- if (zone->type == dns_zone_master &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
- !zone_check_dup(zone, db)) {
- result = DNS_R_BADZONE;
- goto cleanup;
- }
- if (zone->db != NULL) {
- /*
- * This is checked in zone_replacedb() for slave zones
- * as they don't reload from disk.
- */
- result = zone_get_from_db(zone, zone->db, NULL, NULL,
- &oldserial, NULL, NULL, NULL,
- NULL, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
- !isc_serial_gt(serial, oldserial)) {
- isc_uint32_t serialmin, serialmax;
- INSIST(zone->type == dns_zone_master);
- serialmin = (oldserial + 1) & 0xffffffffU;
- serialmax = (oldserial + 0x7fffffffU) &
- 0xffffffffU;
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: "
- "new serial (%u) out of range "
- "[%u - %u]", serial, serialmin,
- serialmax);
- result = DNS_R_BADZONE;
- goto cleanup;
- } else if (!isc_serial_ge(serial, oldserial))
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial (%u/%u) has gone "
- "backwards", serial, oldserial);
- else if (serial == oldserial && !hasinclude &&
- strcmp(zone->db_argv[0], "_builtin") != 0)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial (%u) unchanged. "
- "zone may fail to transfer "
- "to slaves.", serial);
- }
- if (zone->type == dns_zone_master &&
- (zone->update_acl != NULL || zone->ssutable != NULL) &&
- zone->sigresigninginterval < (3 * refresh) &&
- dns_db_issecure(db))
- {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "sig-re-signing-interval less than "
- "3 * refresh.");
- }
- zone->refresh = RANGE(refresh,
- zone->minrefresh, zone->maxrefresh);
- zone->retry = RANGE(retry,
- zone->minretry, zone->maxretry);
- zone->expire = RANGE(expire, zone->refresh + zone->retry,
- DNS_MAX_EXPIRE);
- zone->minimum = minimum;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
- isc_time_t t;
- isc_uint32_t delay;
- result = isc_file_getmodtime(zone->journal, &t);
- if (result != ISC_R_SUCCESS)
- result = isc_file_getmodtime(zone->masterfile,
- &t);
- if (result == ISC_R_SUCCESS)
- DNS_ZONE_TIME_ADD(&t, zone->expire,
- &zone->expiretime);
- else
- DNS_ZONE_TIME_ADD(&now, zone->retry,
- &zone->expiretime);
- delay = isc_random_jitter(zone->retry,
- (zone->retry * 3) / 4);
- DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
- if (isc_time_compare(&zone->refreshtime,
- &zone->expiretime) >= 0)
- zone->refreshtime = now;
- }
- break;
- case dns_zone_key:
- result = sync_keyzone(zone, db);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- break;
- default:
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unexpected zone type %d", zone->type);
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- /*
- * Check for weak DNSKEY's.
- */
- if (zone->type == dns_zone_master)
- zone_check_dnskeys(zone, db);
- /*
- * Schedule DNSSEC key refresh.
- */
- if (zone->type == dns_zone_master &&
- DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
- zone->refreshkeytime = now;
- #if 0
- /* destroy notification example. */
- {
- isc_event_t *e = isc_event_allocate(zone->mctx, NULL,
- DNS_EVENT_DBDESTROYED,
- dns_zonemgr_dbdestroyed,
- zone,
- sizeof(isc_event_t));
- dns_db_ondestroy(db, zone->task, &e);
- }
- #endif
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
- if (zone->db != NULL) {
- result = zone_replacedb(zone, db, ISC_FALSE);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else {
- zone_attachdb(zone, db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- DNS_ZONE_SETFLAG(zone,
- DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
- }
- result = ISC_R_SUCCESS;
- if (needdump) {
- if (zone->type == dns_zone_key)
- zone_needdump(zone, 30);
- else
- zone_needdump(zone, DNS_DUMP_DELAY);
- }
- if (zone->task != NULL) {
- if (zone->type == dns_zone_master) {
- set_resigntime(zone);
- resume_signingwithkey(zone);
- resume_addnsec3chain(zone);
- }
- if (zone->type == dns_zone_master &&
- zone_isdynamic(zone) &&
- dns_db_issecure(db)) {
- dns_name_t *name;
- dns_fixedname_t fixed;
- dns_rdataset_t next;
- dns_rdataset_init(&next);
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- result = dns_db_getsigningtime(db, &next, name);
- if (result == ISC_R_SUCCESS) {
- isc_stdtime_t timenow;
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- isc_stdtime_get(&timenow);
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(next.covers,
- typebuf, sizeof(typebuf));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "next resign: %s/%s in %d seconds",
- namebuf, typebuf,
- next.resign - timenow);
- dns_rdataset_disassociate(&next);
- } else
- dns_zone_log(zone, ISC_LOG_WARNING,
- "signed dynamic zone has no "
- "resign event scheduled");
- }
- zone_settimer(zone, &now);
- }
- if (! dns_db_ispersistent(db))
- dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial,
- dns_db_issecure(db) ? " (DNSSEC signed)" : "");
- zone->loadtime = loadtime;
- return (result);
- cleanup:
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub ||
- zone->type == dns_zone_key) {
- if (zone->journal != NULL)
- zone_saveunique(zone, zone->journal, "jn-XXXXXXXX");
- if (zone->masterfile != NULL)
- zone_saveunique(zone, zone->masterfile, "db-XXXXXXXX");
- /* Mark the zone for immediate refresh. */
- zone->refreshtime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- result = ISC_R_SUCCESS;
- } else if (zone->type == dns_zone_master)
- dns_zone_log(zone, ISC_LOG_ERROR, "not loaded due to errors.");
- return (result);
- }
- static isc_boolean_t
- exit_check(dns_zone_t *zone) {
- REQUIRE(LOCKED_ZONE(zone));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
- zone->irefs == 0)
- {
- /*
- * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
- */
- INSIST(isc_refcount_current(&zone->erefs) == 0);
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
- }
- static isc_boolean_t
- zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
- dns_name_t *name, isc_boolean_t logit)
- {
- isc_result_t result;
- char namebuf[DNS_NAME_FORMATSIZE];
- char altbuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t fixed;
- dns_name_t *foundname;
- int level;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS))
- return (ISC_TRUE);
- if (zone->type == dns_zone_master)
- level = ISC_LOG_ERROR;
- else
- level = ISC_LOG_WARNING;
- dns_fixedname_init(&fixed);
- foundname = dns_fixedname_name(&fixed);
- result = dns_db_find(db, name, version, dns_rdatatype_a,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- if (result == DNS_R_NXRRSET) {
- result = dns_db_find(db, name, version, dns_rdatatype_aaaa,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- }
- if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
- result == DNS_R_EMPTYNAME) {
- if (logit) {
- dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, level, "NS '%s' has no address "
- "records (A or AAAA)", namebuf);
- }
- return (ISC_FALSE);
- }
- if (result == DNS_R_CNAME) {
- if (logit) {
- dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, level, "NS '%s' is a CNAME "
- "(illegal)", namebuf);
- }
- return (ISC_FALSE);
- }
- if (result == DNS_R_DNAME) {
- if (logit) {
- dns_name_format(name, namebuf, sizeof namebuf);
- dns_name_format(foundname, altbuf, sizeof altbuf);
- dns_zone_log(zone, level, "NS '%s' is below a DNAME "
- "'%s' (illegal)", namebuf, altbuf);
- }
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
- }
- static isc_result_t
- zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version, unsigned int *nscount,
- unsigned int *errors, isc_boolean_t logit)
- {
- isc_result_t result;
- unsigned int count = 0;
- unsigned int ecount = 0;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata;
- dns_rdata_ns_t ns;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto success;
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto invalidate_rdataset;
- }
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
- (zone->type == dns_zone_master ||
- zone->type == dns_zone_slave)) {
- dns_rdata_init(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dns_name_issubdomain(&ns.name, &zone->origin) &&
- !zone_check_ns(zone, db, version, &ns.name, logit))
- ecount++;
- }
- count++;
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- success:
- if (nscount != NULL)
- *nscount = count;
- if (errors != NULL)
- *errors = ecount;
- result = ISC_R_SUCCESS;
- invalidate_rdataset:
- dns_rdataset_invalidate(&rdataset);
- return (result);
- }
- static isc_result_t
- zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- unsigned int *soacount,
- isc_uint32_t *serial, isc_uint32_t *refresh,
- isc_uint32_t *retry, isc_uint32_t *expire,
- isc_uint32_t *minimum)
- {
- isc_result_t result;
- unsigned int count;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- if (soacount != NULL)
- *soacount = 0;
- if (serial != NULL)
- *serial = 0;
- if (refresh != NULL)
- *refresh = 0;
- if (retry != NULL)
- *retry = 0;
- if (expire != NULL)
- *expire = 0;
- if (minimum != NULL)
- *minimum = 0;
- result = ISC_R_SUCCESS;
- goto invalidate_rdataset;
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto invalidate_rdataset;
- }
- count = 0;
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdata_init(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- count++;
- if (count == 1) {
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- }
- result = dns_rdataset_next(&rdataset);
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&rdataset);
- if (soacount != NULL)
- *soacount = count;
- if (count > 0) {
- if (serial != NULL)
- *serial = soa.serial;
- if (refresh != NULL)
- *refresh = soa.refresh;
- if (retry != NULL)
- *retry = soa.retry;
- if (expire != NULL)
- *expire = soa.expire;
- if (minimum != NULL)
- *minimum = soa.minimum;
- }
- result = ISC_R_SUCCESS;
- invalidate_rdataset:
- dns_rdataset_invalidate(&rdataset);
- return (result);
- }
- /*
- * zone must be locked.
- */
- static isc_result_t
- zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
- unsigned int *soacount, isc_uint32_t *serial,
- isc_uint32_t *refresh, isc_uint32_t *retry,
- isc_uint32_t *expire, isc_uint32_t *minimum,
- unsigned int *errors)
- {
- isc_result_t result;
- isc_result_t answer = ISC_R_SUCCESS;
- dns_dbversion_t *version = NULL;
- dns_dbnode_t *node;
- REQUIRE(db != NULL);
- REQUIRE(zone != NULL);
- dns_db_currentversion(db, &version);
- node = NULL;
- result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- answer = result;
- goto closeversion;
- }
- if (nscount != NULL || errors != NULL) {
- result = zone_count_ns_rr(zone, db, node, version,
- nscount, errors, ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- answer = result;
- }
- if (soacount != NULL || serial != NULL || refresh != NULL
- || retry != NULL || expire != NULL || minimum != NULL) {
- result = zone_load_soa_rr(db, node, version, soacount,
- serial, refresh, retry, expire,
- minimum);
- if (result != ISC_R_SUCCESS)
- answer = result;
- }
- dns_db_detachnode(db, &node);
- closeversion:
- dns_db_closeversion(db, &version, ISC_FALSE);
- return (answer);
- }
- void
- dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- isc_refcount_increment(&source->erefs, NULL);
- *target = source;
- }
- void
- dns_zone_detach(dns_zone_t **zonep) {
- dns_zone_t *zone;
- unsigned int refs;
- isc_boolean_t free_now = ISC_FALSE;
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
- zone = *zonep;
- isc_refcount_decrement(&zone->erefs, &refs);
- if (refs == 0) {
- LOCK_ZONE(zone);
- /*
- * We just detached the last external reference.
- */
- if (zone->task != NULL) {
- /*
- * This zone is being managed. Post
- * its control event and let it clean
- * up synchronously in the context of
- * its task.
- */
- isc_event_t *ev = &zone->ctlevent;
- isc_task_send(zone->task, &ev);
- } else {
- /*
- * This zone is not being managed; it has
- * no task and can have no outstanding
- * events. Free it immediately.
- */
- /*
- * Unmanaged zones should not have non-null views;
- * we have no way of detaching from the view here
- * without causing deadlock because this code is called
- * with the view already locked.
- */
- INSIST(zone->view == NULL);
- free_now = ISC_TRUE;
- }
- UNLOCK_ZONE(zone);
- }
- *zonep = NULL;
- if (free_now)
- zone_free(zone);
- }
- void
- dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- LOCK_ZONE(source);
- zone_iattach(source, target);
- UNLOCK_ZONE(source);
- }
- isc_result_t
- dns_zone_synckeyzone(dns_zone_t *zone) {
- isc_result_t result;
- dns_db_t *db = NULL;
- if (zone->type != dns_zone_key)
- return (DNS_R_BADZONE);
- CHECK(dns_zone_getdb(zone, &db));
- LOCK_ZONE(zone);
- result = sync_keyzone(zone, db);
- UNLOCK_ZONE(zone);
- failure:
- if (db != NULL)
- dns_db_detach(&db);
- return (result);
- }
- static void
- zone_iattach(dns_zone_t *source, dns_zone_t **target) {
- /*
- * 'source' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(source));
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- INSIST(source->irefs + isc_refcount_current(&source->erefs) > 0);
- source->irefs++;
- INSIST(source->irefs != 0);
- *target = source;
- }
- static void
- zone_idetach(dns_zone_t **zonep) {
- dns_zone_t *zone;
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
- zone = *zonep;
- REQUIRE(LOCKED_ZONE(*zonep));
- *zonep = NULL;
- INSIST(zone->irefs > 0);
- zone->irefs--;
- INSIST(zone->irefs + isc_refcount_current(&zone->erefs) > 0);
- }
- void
- dns_zone_idetach(dns_zone_t **zonep) {
- dns_zone_t *zone;
- isc_boolean_t free_needed;
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
- zone = *zonep;
- *zonep = NULL;
- LOCK_ZONE(zone);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
- }
- isc_mem_t *
- dns_zone_getmctx(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->mctx);
- }
- dns_zonemgr_t *
- dns_zone_getmgr(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->zmgr);
- }
- void
- dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (value)
- DNS_ZONE_SETFLAG(zone, flags);
- else
- DNS_ZONE_CLRFLAG(zone, flags);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value)
- {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (value)
- zone->options |= option;
- else
- zone->options &= ~option;
- UNLOCK_ZONE(zone);
- }
- unsigned int
- dns_zone_getoptions(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->options);
- }
- void
- dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, isc_boolean_t value)
- {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (value)
- zone->keyopts |= keyopt;
- else
- zone->keyopts &= ~keyopt;
- UNLOCK_ZONE(zone);
- }
- unsigned int
- dns_zone_getkeyopts(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->keyopts);
- }
- isc_result_t
- dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->xfrsource4 = *xfrsource;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getxfrsource4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->xfrsource4);
- }
- isc_result_t
- dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->xfrsource6 = *xfrsource;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getxfrsource6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->xfrsource6);
- }
- isc_result_t
- dns_zone_setaltxfrsource4(dns_zone_t *zone,
- const isc_sockaddr_t *altxfrsource)
- {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->altxfrsource4 = *altxfrsource;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getaltxfrsource4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->altxfrsource4);
- }
- isc_result_t
- dns_zone_setaltxfrsource6(dns_zone_t *zone,
- const isc_sockaddr_t *altxfrsource)
- {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->altxfrsource6 = *altxfrsource;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getaltxfrsource6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->altxfrsource6);
- }
- isc_result_t
- dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->notifysrc4 = *notifysrc;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getnotifysrc4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->notifysrc4);
- }
- isc_result_t
- dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->notifysrc6 = *notifysrc;
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_sockaddr_t *
- dns_zone_getnotifysrc6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->notifysrc6);
- }
- isc_result_t
- dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
- isc_uint32_t count)
- {
- isc_sockaddr_t *new;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(count == 0 || notify != NULL);
- LOCK_ZONE(zone);
- if (zone->notify != NULL) {
- isc_mem_put(zone->mctx, zone->notify,
- zone->notifycnt * sizeof(*new));
- zone->notify = NULL;
- zone->notifycnt = 0;
- }
- if (count != 0) {
- new = isc_mem_get(zone->mctx, count * sizeof(*new));
- if (new == NULL) {
- UNLOCK_ZONE(zone);
- return (ISC_R_NOMEMORY);
- }
- memcpy(new, notify, count * sizeof(*new));
- zone->notify = new;
- zone->notifycnt = count;
- }
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_result_t
- dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
- isc_uint32_t count)
- {
- isc_result_t result;
- result = dns_zone_setmasterswithkeys(zone, masters, NULL, count);
- return (result);
- }
- static isc_boolean_t
- same_masters(const isc_sockaddr_t *old, const isc_sockaddr_t *new,
- isc_uint32_t count)
- {
- unsigned int i;
- for (i = 0; i < count; i++)
- if (!isc_sockaddr_equal(&old[i], &new[i]))
- return (ISC_FALSE);
- return (ISC_TRUE);
- }
- static isc_boolean_t
- same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) {
- unsigned int i;
- if (old == NULL && new == NULL)
- return (ISC_TRUE);
- if (old == NULL || new == NULL)
- return (ISC_FALSE);
- for (i = 0; i < count; i++) {
- if (old[i] == NULL && new[i] == NULL)
- continue;
- if (old[i] == NULL || new[i] == NULL ||
- !dns_name_equal(old[i], new[i]))
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
- }
- isc_result_t
- dns_zone_setmasterswithkeys(dns_zone_t *zone,
- const isc_sockaddr_t *masters,
- dns_name_t **keynames,
- isc_uint32_t count)
- {
- isc_sockaddr_t *new;
- isc_result_t result = ISC_R_SUCCESS;
- dns_name_t **newname;
- isc_boolean_t *newok;
- unsigned int i;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(count == 0 || masters != NULL);
- if (keynames != NULL) {
- REQUIRE(count != 0);
- }
- LOCK_ZONE(zone);
- /*
- * The refresh code assumes that 'masters' wouldn't change under it.
- * If it will change then kill off any current refresh in progress
- * and update the masters info. If it won't change then we can just
- * unlock and exit.
- */
- if (count != zone->masterscnt ||
- !same_masters(zone->masters, masters, count) ||
- !same_keynames(zone->masterkeynames, keynames, count)) {
- if (zone->request != NULL)
- dns_request_cancel(zone->request);
- } else
- goto unlock;
- if (zone->masters != NULL) {
- isc_mem_put(zone->mctx, zone->masters,
- zone->masterscnt * sizeof(*new));
- zone->masters = NULL;
- }
- if (zone->masterkeynames != NULL) {
- for (i = 0; i < zone->masterscnt; i++) {
- if (zone->masterkeynames[i] != NULL) {
- dns_name_free(zone->masterkeynames[i],
- zone->mctx);
- isc_mem_put(zone->mctx,
- zone->masterkeynames[i],
- sizeof(dns_name_t));
- zone->masterkeynames[i] = NULL;
- }
- }
- isc_mem_put(zone->mctx, zone->masterkeynames,
- zone->masterscnt * sizeof(dns_name_t *));
- zone->masterkeynames = NULL;
- }
- if (zone->mastersok != NULL) {
- isc_mem_put(zone->mctx, zone->mastersok,
- zone->masterscnt * sizeof(isc_boolean_t));
- zone->mastersok = NULL;
- }
- zone->masterscnt = 0;
- /*
- * If count == 0, don't allocate any space for masters, mastersok or
- * keynames so internally, those pointers are NULL if count == 0
- */
- if (count == 0)
- goto unlock;
- /*
- * masters must contain count elements!
- */
- new = isc_mem_get(zone->mctx, count * sizeof(*new));
- if (new == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
- memcpy(new, masters, count * sizeof(*new));
- /*
- * Similarly for mastersok.
- */
- newok = isc_mem_get(zone->mctx, count * sizeof(*newok));
- if (newok == NULL) {
- result = ISC_R_NOMEMORY;
- isc_mem_put(zone->mctx, new, count * sizeof(*new));
- goto unlock;
- };
- for (i = 0; i < count; i++)
- newok[i] = ISC_FALSE;
- /*
- * if keynames is non-NULL, it must contain count elements!
- */
- newname = NULL;
- if (keynames != NULL) {
- newname = isc_mem_get(zone->mctx, count * sizeof(*newname));
- if (newname == NULL) {
- result = ISC_R_NOMEMORY;
- isc_mem_put(zone->mctx, new, count * sizeof(*new));
- isc_mem_put(zone->mctx, newok, count * sizeof(*newok));
- goto unlock;
- }
- for (i = 0; i < count; i++)
- newname[i] = NULL;
- for (i = 0; i < count; i++) {
- if (keynames[i] != NULL) {
- newname[i] = isc_mem_get(zone->mctx,
- sizeof(dns_name_t));
- if (newname[i] == NULL)
- goto allocfail;
- dns_name_init(newname[i], NULL);
- result = dns_name_dup(keynames[i], zone->mctx,
- newname[i]);
- if (result != ISC_R_SUCCESS) {
- allocfail:
- for (i = 0; i < count; i++)
- if (newname[i] != NULL)
- dns_name_free(
- newname[i],
- zone->mctx);
- isc_mem_put(zone->mctx, new,
- count * sizeof(*new));
- isc_mem_put(zone->mctx, newok,
- count * sizeof(*newok));
- isc_mem_put(zone->mctx, newname,
- count * sizeof(*newname));
- goto unlock;
- }
- }
- }
- }
- /*
- * Everything is ok so attach to the zone.
- */
- zone->curmaster = 0;
- zone->masters = new;
- zone->mastersok = newok;
- zone->masterkeynames = newname;
- zone->masterscnt = count;
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
- unlock:
- UNLOCK_ZONE(zone);
- return (result);
- }
- isc_result_t
- dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(DNS_ZONE_VALID(zone));
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db == NULL)
- result = DNS_R_NOTLOADED;
- else
- dns_db_attach(zone->db, dpb);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- return (result);
- }
- void
- dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(zone->type == dns_zone_staticstub);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
- REQUIRE(zone->db == NULL);
- dns_db_attach(db, &zone->db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- }
- /*
- * Co-ordinates the starting of routine jobs.
- */
- void
- dns_zone_maintenance(dns_zone_t *zone) {
- const char me[] = "dns_zone_maintenance";
- isc_time_t now;
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
- LOCK_ZONE(zone);
- TIME_NOW(&now);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- }
- static inline isc_boolean_t
- was_dumping(dns_zone_t *zone) {
- isc_boolean_t dumping;
- REQUIRE(LOCKED_ZONE(zone));
- dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (!dumping) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- isc_time_settoepoch(&zone->dumptime);
- }
- return (dumping);
- }
- static isc_result_t
- find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- const char *directory = dns_zone_getkeydirectory(zone);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
- directory, mctx, maxkeys, keys,
- nkeys);
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_SUCCESS;
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- static isc_result_t
- offline(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, dns_name_t *name,
- dns_ttl_t ttl, dns_rdata_t *rdata)
- {
- isc_result_t result;
- if ((rdata->flags & DNS_RDATA_OFFLINE) != 0)
- return (ISC_R_SUCCESS);
- result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN,
- name, ttl, rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata->flags |= DNS_RDATA_OFFLINE;
- result = update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
- name, ttl, rdata);
- return (result);
- }
- static void
- set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
- {
- unsigned int delta;
- char timebuf[80];
- zone->key_expiry = when;
- if (when <= now) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "DNSKEY RRSIG(s) have expired");
- isc_time_settoepoch(&zone->keywarntime);
- } else if (when < now + 7 * 24 * 3600) {
- isc_time_t t;
- isc_time_set(&t, when, 0);
- isc_time_formattimestamp(&t, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_WARNING,
- "DNSKEY RRSIG(s) will expire within 7 days: %s",
- timebuf);
- delta = when - now;
- delta--; /* loop prevention */
- delta /= 24 * 3600; /* to whole days */
- delta *= 24 * 3600; /* to seconds */
- isc_time_set(&zone->keywarntime, when - delta, 0);
- } else {
- isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
- isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "setting keywarntime to %s", timebuf);
- }
- }
- /*
- * Helper function to del_sigs(). We don't want to delete RRSIGs that
- * have no new key.
- */
- static isc_boolean_t
- delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
- unsigned int i = 0;
- /*
- * It's okay to delete a signature if there is an active ZSK
- * with the same algorithm
- */
- for (i = 0; i < nkeys; i++) {
- if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
- (dst_key_isprivate(keys[i])) && !KSK(keys[i]))
- return (ISC_TRUE);
- }
- /*
- * Failing that, it is *not* okay to delete a signature
- * if the associated public key is still in the DNSKEY RRset
- */
- for (i = 0; i < nkeys; i++) {
- if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
- (rrsig_ptr->keyid == dst_key_id(keys[i])))
- return (ISC_FALSE);
- }
- /*
- * But if the key is gone, then go ahead.
- */
- return (ISC_TRUE);
- }
- /*
- * Delete expired RRsigs and any RRsigs we are about to re-sign.
- * See also update.c:del_keysigs().
- */
- static isc_result_t
- del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- unsigned int i;
- dns_rdata_rrsig_t rrsig;
- isc_boolean_t found, changed;
- isc_int64_t warn = 0, maybe = 0;
- dns_rdataset_init(&rdataset);
- if (type == dns_rdatatype_nsec3)
- result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
- else
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- goto failure;
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
- (isc_stdtime_t) 0, &rdataset, NULL);
- dns_db_detachnode(db, &node);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto failure;
- }
- changed = ISC_FALSE;
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (type != dns_rdatatype_dnskey) {
- if (delsig_ok(&rrsig, keys, nkeys)) {
- result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DELRESIGN, name,
- rdataset.ttl, &rdata);
- if (incremental)
- changed = ISC_TRUE;
- if (result != ISC_R_SUCCESS)
- break;
- } else {
- /*
- * At this point, we've got an RRSIG,
- * which is signed by an inactive key.
- * An administrator needs to provide a new
- * key/alg, but until that time, we want to
- * keep the old RRSIG. Marking the key as
- * offline will prevent us spinning waiting
- * for the private part.
- */
- if (incremental) {
- result = offline(db, ver, diff, name,
- rdataset.ttl, &rdata);
- changed = ISC_TRUE;
- if (result != ISC_R_SUCCESS)
- break;
- }
- /*
- * Log the key id and algorithm of
- * the inactive key with no replacement
- */
- if (zone->log_key_expired_timer <= now) {
- char origin[DNS_NAME_FORMATSIZE];
- char algbuf[DNS_NAME_FORMATSIZE];
- dns_name_format(&zone->origin, origin,
- sizeof(origin));
- dns_secalg_format(rrsig.algorithm,
- algbuf,
- sizeof(algbuf));
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Key %s/%s/%d "
- "missing or inactive "
- "and has no replacement: "
- "retaining signatures.",
- origin, algbuf,
- rrsig.keyid);
- zone->log_key_expired_timer = now +
- 3600;
- }
- }
- continue;
- }
- /*
- * RRSIG(DNSKEY) requires special processing.
- */
- found = ISC_FALSE;
- for (i = 0; i < nkeys; i++) {
- if (rrsig.algorithm == dst_key_alg(keys[i]) &&
- rrsig.keyid == dst_key_id(keys[i])) {
- found = ISC_TRUE;
- /*
- * Mark offline RRSIG(DNSKEY).
- * We want the earliest offline expire time
- * iff there is a new offline signature.
- */
- if (!dst_key_isprivate(keys[i])) {
- isc_int64_t timeexpire =
- dns_time64_from32(rrsig.timeexpire);
- if (warn != 0 && warn > timeexpire)
- warn = timeexpire;
- if (rdata.flags & DNS_RDATA_OFFLINE) {
- if (maybe == 0 ||
- maybe > timeexpire)
- maybe = timeexpire;
- break;
- }
- if (warn == 0)
- warn = maybe;
- if (warn == 0 || warn > timeexpire)
- warn = timeexpire;
- result = offline(db, ver, diff, name,
- rdataset.ttl, &rdata);
- break;
- }
- result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DELRESIGN,
- name, rdataset.ttl,
- &rdata);
- break;
- }
- }
- /*
- * If there is not a matching DNSKEY then
- * delete the RRSIG.
- */
- if (!found)
- result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DELRESIGN, name,
- rdataset.ttl, &rdata);
- if (result != ISC_R_SUCCESS)
- break;
- }
- if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0)
- dns_db_resigned(db, &rdataset, ver);
- dns_rdataset_disassociate(&rdataset);
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (warn > 0) {
- #if defined(STDTIME_ON_32BITS)
- isc_stdtime_t stdwarn = (isc_stdtime_t)warn;
- if (warn == stdwarn)
- #endif
- set_key_expiry_warning(zone, (isc_stdtime_t)warn, now);
- #if defined(STDTIME_ON_32BITS)
- else
- dns_zone_log(zone, ISC_LOG_ERROR,
- "key expiry warning time out of range");
- #endif
- }
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- static isc_result_t
- add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_boolean_t check_ksk,
- isc_boolean_t keyset_kskonly)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t sig_rdata = DNS_RDATA_INIT;
- unsigned char data[1024]; /* XXX */
- isc_buffer_t buffer;
- unsigned int i, j;
- dns_rdataset_init(&rdataset);
- isc_buffer_init(&buffer, data, sizeof(data));
- if (type == dns_rdatatype_nsec3)
- result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
- else
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- goto failure;
- result = dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0, &rdataset, NULL);
- dns_db_detachnode(db, &node);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto failure;
- }
- for (i = 0; i < nkeys; i++) {
- isc_boolean_t both = ISC_FALSE;
- if (!dst_key_isprivate(keys[i]))
- continue;
- if (check_ksk && !REVOKE(keys[i])) {
- isc_boolean_t have_ksk, have_nonksk;
- if (KSK(keys[i])) {
- have_ksk = ISC_TRUE;
- have_nonksk = ISC_FALSE;
- } else {
- have_ksk = ISC_FALSE;
- have_nonksk = ISC_TRUE;
- }
- for (j = 0; j < nkeys; j++) {
- if (j == i || ALG(keys[i]) != ALG(keys[j]))
- continue;
- if (REVOKE(keys[j]))
- continue;
- if (KSK(keys[j]))
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- both = have_ksk && have_nonksk;
- if (both)
- break;
- }
- }
- if (both) {
- if (type == dns_rdatatype_dnskey) {
- if (!KSK(keys[i]) && keyset_kskonly)
- continue;
- } else if (KSK(keys[i]))
- continue;
- } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
- continue;
- /* Calculate the signature, creating a RRSIG RDATA. */
- isc_buffer_clear(&buffer);
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
- &inception, &expire,
- mctx, &buffer, &sig_rdata));
- /* Update the database and journal with the RRSIG. */
- /* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
- name, rdataset.ttl, &sig_rdata));
- dns_rdata_reset(&sig_rdata);
- isc_buffer_init(&buffer, data, sizeof(data));
- }
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- static void
- zone_resigninc(dns_zone_t *zone) {
- dns_db_t *db = NULL;
- dns_dbversion_t *version = NULL;
- dns_diff_t sig_diff;
- dns_fixedname_t fixed;
- dns_name_t *name;
- dns_rdataset_t rdataset;
- dns_rdatatype_t covers;
- dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
- isc_result_t result;
- isc_stdtime_t now, inception, soaexpire, expire, stop;
- isc_uint32_t jitter;
- unsigned int i;
- unsigned int nkeys = 0;
- unsigned int resign;
- dns_rdataset_init(&rdataset);
- dns_fixedname_init(&fixed);
- dns_diff_init(zone->mctx, &sig_diff);
- sig_diff.resign = zone->sigresigninginterval;
- /*
- * Updates are disabled. Pause for 5 minutes.
- */
- if (zone->update_disabled) {
- result = ISC_R_FAILURE;
- goto failure;
- }
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- result = dns_db_newversion(db, &version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:dns_db_newversion -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = find_zone_keys(zone, db, version, zone->mctx, DNS_MAXZONEKEYS,
- zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:find_zone_keys -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
- /*
- * Spread out signatures over time if they happen to be
- * clumped. We don't do this for each add_sigs() call as
- * we still want some clustering to occur.
- */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
- stop = now + 5;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
- name = dns_fixedname_name(&fixed);
- result = dns_db_getsigningtime(db, &rdataset, name);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:dns_db_getsigningtime -> %s\n",
- dns_result_totext(result));
- }
- i = 0;
- while (result == ISC_R_SUCCESS) {
- resign = rdataset.resign;
- covers = rdataset.covers;
- dns_rdataset_disassociate(&rdataset);
- /*
- * Stop if we hit the SOA as that means we have walked the
- * entire zone. The SOA record should always be the most
- * recent signature.
- */
- /* XXXMPA increase number of RRsets signed pre call */
- if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
- resign > stop)
- break;
- result = del_sigs(zone, db, version, name, covers, &sig_diff,
- zone_keys, nkeys, now, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:del_sigs -> %s\n",
- dns_result_totext(result));
- break;
- }
- result = add_sigs(db, version, name, covers, &sig_diff,
- zone_keys, nkeys, zone->mctx, inception,
- expire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:add_sigs -> %s\n",
- dns_result_totext(result));
- break;
- }
- result = dns_db_getsigningtime(db, &rdataset,
- dns_fixedname_name(&fixed));
- if (nkeys == 0 && result == ISC_R_NOTFOUND) {
- result = ISC_R_SUCCESS;
- break;
- }
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:dns_db_getsigningtime -> %s\n",
- dns_result_totext(result));
- }
- if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS)
- goto failure;
- result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:del_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Did we change anything in the zone?
- */
- if (ISC_LIST_EMPTY(sig_diff.tuples))
- goto failure;
- /* Increment SOA serial if we have made changes */
- result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:increment_soa_serial -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Generate maximum life time signatures so that the above loop
- * termination is sensible.
- */
- result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:add_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /* Write changes to journal file. */
- CHECK(zone_journal(zone, &sig_diff, "zone_resigninc"));
- /* Everything has succeeded. Commit the changes. */
- dns_db_closeversion(db, &version, ISC_TRUE);
- failure:
- dns_diff_clear(&sig_diff);
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
- if (version != NULL) {
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- dns_db_detach(&db);
- } else if (db != NULL)
- dns_db_detach(&db);
- if (result == ISC_R_SUCCESS) {
- set_resigntime(zone);
- LOCK_ZONE(zone);
- zone_needdump(zone, DNS_DUMP_DELAY);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- UNLOCK_ZONE(zone);
- } else {
- /*
- * Something failed. Retry in 5 minutes.
- */
- isc_interval_t ival;
- isc_interval_set(&ival, 300, 0);
- isc_time_nowplusinterval(&zone->resigntime, &ival);
- }
- }
- static isc_result_t
- next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
- dns_name_t *newname, isc_boolean_t bottom)
- {
- isc_result_t result;
- dns_dbiterator_t *dbit = NULL;
- dns_rdatasetiter_t *rdsit = NULL;
- dns_dbnode_t *node = NULL;
- CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
- CHECK(dns_dbiterator_seek(dbit, oldname));
- do {
- result = dns_dbiterator_next(dbit);
- if (result == ISC_R_NOMORE)
- CHECK(dns_dbiterator_first(dbit));
- CHECK(dns_dbiterator_current(dbit, &node, newname));
- if (bottom && dns_name_issubdomain(newname, oldname) &&
- !dns_name_equal(newname, oldname)) {
- dns_db_detachnode(db, &node);
- continue;
- }
- /*
- * Is this node empty?
- */
- CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsit));
- result = dns_rdatasetiter_first(rdsit);
- dns_db_detachnode(db, &node);
- dns_rdatasetiter_destroy(&rdsit);
- if (result != ISC_R_NOMORE)
- break;
- } while (1);
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
- return (result);
- }
- static isc_boolean_t
- signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dst_key_t *key)
- {
- isc_result_t result;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t rrsig;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
- type, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- return (ISC_FALSE);
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- INSIST(result == ISC_R_SUCCESS);
- if (rrsig.algorithm == dst_key_alg(key) &&
- rrsig.keyid == dst_key_id(key)) {
- dns_rdataset_disassociate(&rdataset);
- return (ISC_TRUE);
- }
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&rdataset);
- return (ISC_FALSE);
- }
- static isc_result_t
- add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
- dns_dbnode_t *node, dns_ttl_t ttl, isc_boolean_t bottom,
- dns_diff_t *diff)
- {
- dns_fixedname_t fixed;
- dns_name_t *next;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
- dns_fixedname_init(&fixed);
- next = dns_fixedname_name(&fixed);
- CHECK(next_active(db, version, name, next, bottom));
- CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
- &rdata));
- CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
- &rdata));
- failure:
- return (result);
- }
- static isc_result_t
- sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
- dns_dbversion_t *version, isc_boolean_t build_nsec3,
- isc_boolean_t build_nsec, dst_key_t *key,
- isc_stdtime_t inception, isc_stdtime_t expire,
- unsigned int minimum, isc_boolean_t is_ksk,
- isc_boolean_t keyset_kskonly, isc_boolean_t *delegation,
- dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
- {
- isc_result_t result;
- dns_rdatasetiter_t *iterator = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_buffer_t buffer;
- unsigned char data[1024];
- isc_boolean_t seen_soa, seen_ns, seen_rr, seen_dname, seen_nsec,
- seen_nsec3, seen_ds;
- isc_boolean_t bottom;
- result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_SUCCESS;
- return (result);
- }
- dns_rdataset_init(&rdataset);
- isc_buffer_init(&buffer, data, sizeof(data));
- seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
- seen_nsec3 = seen_ds = ISC_FALSE;
- for (result = dns_rdatasetiter_first(iterator);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
- dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_soa)
- seen_soa = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_ns)
- seen_ns = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_ds)
- seen_ds = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_dname)
- seen_dname = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_nsec)
- seen_nsec = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_nsec3)
- seen_nsec3 = ISC_TRUE;
- if (rdataset.type != dns_rdatatype_rrsig)
- seen_rr = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- if (seen_ns && !seen_soa)
- *delegation = ISC_TRUE;
- /*
- * Going from insecure to NSEC3.
- * Don't generate NSEC3 records for NSEC3 records.
- */
- if (build_nsec3 && !seen_nsec3 && seen_rr) {
- isc_boolean_t unsecure = !seen_ds && seen_ns && !seen_soa;
- CHECK(dns_nsec3_addnsec3s(db, version, name, minimum,
- unsecure, diff));
- (*signatures)--;
- }
- /*
- * Going from insecure to NSEC.
- * Don't generate NSEC records for NSEC3 records.
- */
- if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
- /* Build and add NSEC. */
- bottom = (seen_ns && !seen_soa) || seen_dname;
- /*
- * Build a NSEC record except at the origin.
- */
- if (!dns_name_equal(name, dns_db_origin(db))) {
- CHECK(add_nsec(db, version, name, node, minimum,
- bottom, diff));
- /* Count a NSEC generation as a signature generation. */
- (*signatures)--;
- }
- }
- result = dns_rdatasetiter_first(iterator);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_soa ||
- rdataset.type == dns_rdatatype_rrsig)
- goto next_rdataset;
- if (rdataset.type == dns_rdatatype_dnskey) {
- if (!is_ksk && keyset_kskonly)
- goto next_rdataset;
- } else if (is_ksk)
- goto next_rdataset;
- if (*delegation &&
- rdataset.type != dns_rdatatype_ds &&
- rdataset.type != dns_rdatatype_nsec)
- goto next_rdataset;
- if (signed_with_key(db, node, version, rdataset.type, key))
- goto next_rdataset;
- /* Calculate the signature, creating a RRSIG RDATA. */
- isc_buffer_clear(&buffer);
- CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
- &expire, mctx, &buffer, &rdata));
- /* Update the database and journal with the RRSIG. */
- /* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
- name, rdataset.ttl, &rdata));
- dns_rdata_reset(&rdata);
- (*signatures)--;
- next_rdataset:
- dns_rdataset_disassociate(&rdataset);
- result = dns_rdatasetiter_next(iterator);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (seen_dname)
- *delegation = ISC_TRUE;
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (iterator != NULL)
- dns_rdatasetiter_destroy(&iterator);
- return (result);
- }
- /*
- * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
- */
- static isc_result_t
- updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
- dns_ttl_t minimum, isc_boolean_t update_only, dns_diff_t *diff)
- {
- isc_result_t result;
- dns_rdataset_t rdataset;
- dns_dbnode_t *node = NULL;
- CHECK(dns_db_getoriginnode(db, &node));
- if (update_only) {
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_nsec,
- dns_rdatatype_none,
- 0, &rdataset, NULL);
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (result == ISC_R_NOTFOUND)
- goto success;
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
- CHECK(delete_nsec(db, version, node, name, diff));
- CHECK(add_nsec(db, version, name, node, minimum, ISC_FALSE, diff));
- success:
- result = ISC_R_SUCCESS;
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- static isc_result_t
- updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
- dns_dbversion_t *version, isc_boolean_t build_nsec3,
- dns_ttl_t minimum, dns_diff_t *diff)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char data[5];
- isc_boolean_t seen_done = ISC_FALSE;
- isc_boolean_t have_rr = ISC_FALSE;
- dns_rdataset_init(&rdataset);
- result = dns_db_getoriginnode(signing->db, &node);
- if (result != ISC_R_SUCCESS)
- goto failure;
- result = dns_db_findrdataset(signing->db, node, version,
- zone->privatetype, dns_rdatatype_none,
- 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- result = ISC_R_SUCCESS;
- goto failure;
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(!dns_rdataset_isassociated(&rdataset));
- goto failure;
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- /*
- * If we don't match the algorithm or keyid skip the record.
- */
- if (rdata.length != 5 ||
- rdata.data[0] != signing->algorithm ||
- rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
- rdata.data[2] != (signing->keyid & 0xff)) {
- have_rr = ISC_TRUE;
- dns_rdata_reset(&rdata);
- continue;
- }
- /*
- * We have a match. If we were signing (!signing->delete)
- * and we already have a record indicating that we have
- * finished signing (rdata.data[4] != 0) then keep it.
- * Otherwise it needs to be deleted as we have removed all
- * the signatures (signing->delete), so any record indicating
- * completion is now out of date, or we have finished signing
- * with the new record so we no longer need to remember that
- * we need to sign the zone with the matching key across a
- * nameserver re-start.
- */
- if (!signing->delete && rdata.data[4] != 0) {
- seen_done = ISC_TRUE;
- have_rr = ISC_TRUE;
- } else
- CHECK(update_one_rr(signing->db, version, diff,
- DNS_DIFFOP_DEL, &zone->origin,
- rdataset.ttl, &rdata));
- dns_rdata_reset(&rdata);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (!signing->delete && !seen_done) {
- /*
- * If we were signing then we need to indicate that we have
- * finished signing the zone with this key. If it is already
- * there we don't need to add it a second time.
- */
- data[0] = signing->algorithm;
- data[1] = (signing->keyid >> 8) & 0xff;
- data[2] = signing->keyid & 0xff;
- data[3] = 0;
- data[4] = 1;
- rdata.length = sizeof(data);
- rdata.data = data;
- rdata.type = zone->privatetype;
- rdata.rdclass = dns_db_class(signing->db);
- CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
- &zone->origin, rdataset.ttl, &rdata));
- } else if (!have_rr) {
- dns_name_t *origin = dns_db_origin(signing->db);
- /*
- * Rebuild the NSEC/NSEC3 record for the origin as we no
- * longer have any private records.
- */
- if (build_nsec3)
- CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
- minimum, ISC_FALSE, diff));
- CHECK(updatesecure(signing->db, version, origin, minimum,
- ISC_TRUE, diff));
- }
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(signing->db, &node);
- return (result);
- }
- /*
- * If 'active' is set then we are not done with the chain yet so only
- * delete the nsec3param record which indicates a full chain exists
- * (flags == 0).
- */
- static isc_result_t
- fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
- isc_boolean_t active, dns_rdatatype_t privatetype,
- dns_diff_t *diff)
- {
- dns_dbnode_t *node = NULL;
- dns_name_t *name = dns_db_origin(db);
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- dns_rdata_nsec3param_t nsec3param;
- isc_result_t result;
- isc_buffer_t buffer;
- unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
- dns_ttl_t ttl = 0;
- dns_rdataset_init(&rdataset);
- result = dns_db_getoriginnode(db, &node);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- goto try_private;
- if (result != ISC_R_SUCCESS)
- goto failure;
- /*
- * Preserve the existing ttl.
- */
- ttl = rdataset.ttl;
- /*
- * Delete all NSEC3PARAM records which match that in nsec3chain.
- */
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
- if (nsec3param.hash != chain->nsec3param.hash ||
- (active && nsec3param.flags != 0) ||
- nsec3param.iterations != chain->nsec3param.iterations ||
- nsec3param.salt_length != chain->nsec3param.salt_length ||
- memcmp(nsec3param.salt, chain->nsec3param.salt,
- nsec3param.salt_length)) {
- dns_rdata_reset(&rdata);
- continue;
- }
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
- name, rdataset.ttl, &rdata));
- dns_rdata_reset(&rdata);
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- dns_rdataset_disassociate(&rdataset);
- try_private:
- if (active)
- goto add;
- /*
- * Delete all private records which match that in nsec3chain.
- */
- result = dns_db_findrdataset(db, node, ver, privatetype,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- goto add;
- if (result != ISC_R_SUCCESS)
- goto failure;
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t private = DNS_RDATA_INIT;
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
- dns_rdataset_current(&rdataset, &private);
- if (!dns_nsec3param_fromprivate(&private, &rdata,
- buf, sizeof(buf)))
- continue;
- CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
- if (nsec3param.hash != chain->nsec3param.hash ||
- nsec3param.iterations != chain->nsec3param.iterations ||
- nsec3param.salt_length != chain->nsec3param.salt_length ||
- memcmp(nsec3param.salt, chain->nsec3param.salt,
- nsec3param.salt_length)) {
- dns_rdata_reset(&rdata);
- continue;
- }
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
- name, rdataset.ttl, &private));
- dns_rdata_reset(&rdata);
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- add:
- if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
- result = ISC_R_SUCCESS;
- goto failure;
- }
- /*
- * Add a NSEC3PARAM record which matches that in nsec3chain but
- * with all flags bits cleared.
- *
- * Note: we do not clear chain->nsec3param.flags as this change
- * may be reversed.
- */
- isc_buffer_init(&buffer, ¶mbuf, sizeof(parambuf));
- CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
- dns_rdatatype_nsec3param,
- &chain->nsec3param, &buffer));
- rdata.data[1] = 0; /* Clear flag bits. */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
- failure:
- dns_db_detachnode(db, &node);
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- return (result);
- }
- static isc_result_t
- delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
- dns_name_t *name, dns_diff_t *diff)
- {
- dns_rdataset_t rdataset;
- isc_result_t result;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
- rdataset.ttl, &rdata));
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- dns_rdataset_disassociate(&rdataset);
- return (result);
- }
- static isc_result_t
- deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
- dns_name_t *name, const dns_rdata_nsec3param_t *param,
- dns_diff_t *diff)
- {
- dns_rdataset_t rdataset;
- dns_rdata_nsec3_t nsec3;
- isc_result_t result;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
- if (nsec3.hash != param->hash ||
- nsec3.iterations != param->iterations ||
- nsec3.salt_length != param->salt_length ||
- memcmp(nsec3.salt, param->salt, nsec3.salt_length))
- continue;
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
- rdataset.ttl, &rdata));
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- dns_rdataset_disassociate(&rdataset);
- return (result);
- }
- static isc_result_t
- need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
- const dns_rdata_nsec3param_t *param,
- isc_boolean_t *answer)
- {
- dns_dbnode_t *node = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec3param_t myparam;
- dns_rdataset_t rdataset;
- isc_result_t result;
- *answer = ISC_FALSE;
- result = dns_db_getoriginnode(db, &node);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- return (result);
- }
- if (result != ISC_R_NOTFOUND) {
- dns_db_detachnode(db, &node);
- return (result);
- }
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
- 0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- *answer = ISC_TRUE;
- dns_db_detachnode(db, &node);
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(db, &node);
- return (result);
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
- dns_rdata_reset(&rdata);
- /*
- * Ignore any NSEC3PARAM removals.
- */
- if (NSEC3REMOVE(myparam.flags))
- continue;
- /*
- * Ignore the chain that we are in the process of deleting.
- */
- if (myparam.hash == param->hash &&
- myparam.iterations == param->iterations &&
- myparam.salt_length == param->salt_length &&
- !memcmp(myparam.salt, param->salt, myparam.salt_length))
- continue;
- /*
- * Found an active NSEC3 chain.
- */
- break;
- }
- if (result == ISC_R_NOMORE) {
- *answer = ISC_TRUE;
- result = ISC_R_SUCCESS;
- }
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- return (result);
- }
- static isc_result_t
- update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
- dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
- isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
- isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
- dns_diff_t *sig_diff)
- {
- dns_difftuple_t *tuple;
- isc_result_t result;
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(diff->tuples)) {
- result = del_sigs(zone, db, version, &tuple->name,
- tuple->rdata.type, sig_diff,
- zone_keys, nkeys, now, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "update_sigs:del_sigs -> %s\n",
- dns_result_totext(result));
- return (result);
- }
- result = add_sigs(db, version, &tuple->name,
- tuple->rdata.type, sig_diff,
- zone_keys, nkeys, zone->mctx, inception,
- expire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "update_sigs:add_sigs -> %s\n",
- dns_result_totext(result));
- return (result);
- }
- do {
- dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
- while (next != NULL &&
- (tuple->rdata.type != next->rdata.type ||
- !dns_name_equal(&tuple->name, &next->name)))
- next = ISC_LIST_NEXT(next, link);
- ISC_LIST_UNLINK(diff->tuples, tuple, link);
- dns_diff_appendminimal(sig_diff, &tuple);
- INSIST(tuple == NULL);
- tuple = next;
- } while (tuple != NULL);
- }
- return (ISC_R_SUCCESS);
- }
- /*
- * Incrementally build and sign a new NSEC3 chain using the parameters
- * requested.
- */
- static void
- zone_nsec3chain(dns_zone_t *zone) {
- dns_db_t *db = NULL;
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_diff_t sig_diff;
- dns_diff_t nsec_diff;
- dns_diff_t nsec3_diff;
- dns_diff_t param_diff;
- dns_fixedname_t fixed;
- dns_fixedname_t nextfixed;
- dns_name_t *name, *nextname;
- dns_rdataset_t rdataset;
- dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
- dns_nsec3chainlist_t cleanup;
- dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- isc_int32_t signatures;
- isc_boolean_t check_ksk, keyset_kskonly;
- isc_boolean_t delegation;
- isc_boolean_t first;
- isc_result_t result;
- isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
- unsigned int i;
- unsigned int nkeys = 0;
- isc_uint32_t nodes;
- isc_boolean_t unsecure = ISC_FALSE;
- isc_boolean_t seen_soa, seen_ns, seen_dname, seen_ds;
- isc_boolean_t seen_nsec, seen_nsec3, seen_rr;
- dns_rdatasetiter_t *iterator = NULL;
- isc_boolean_t buildnsecchain;
- isc_boolean_t updatensec = ISC_FALSE;
- dns_rdatatype_t privatetype = zone->privatetype;
- dns_rdataset_init(&rdataset);
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- dns_fixedname_init(&nextfixed);
- nextname = dns_fixedname_name(&nextfixed);
- dns_diff_init(zone->mctx, ¶m_diff);
- dns_diff_init(zone->mctx, &nsec3_diff);
- dns_diff_init(zone->mctx, &nsec_diff);
- dns_diff_init(zone->mctx, &sig_diff);
- sig_diff.resign = zone->sigresigninginterval;
- ISC_LIST_INIT(cleanup);
- /*
- * Updates are disabled. Pause for 5 minutes.
- */
- if (zone->update_disabled) {
- result = ISC_R_FAILURE;
- goto failure;
- }
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- result = dns_db_newversion(db, &version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns_db_newversion -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = find_zone_keys(zone, db, version, zone->mctx,
- DNS_MAXZONEKEYS, zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:find_zone_keys -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
- /*
- * Spread out signatures over time if they happen to be
- * clumped. We don't do this for each add_sigs() call as
- * we still want some clustering to occur.
- */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
- /*
- * We keep pulling nodes off each iterator in turn until
- * we have no more nodes to pull off or we reach the limits
- * for this quantum.
- */
- nodes = zone->nodes;
- signatures = zone->signatures;
- LOCK_ZONE(zone);
- nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
- UNLOCK_ZONE(zone);
- first = ISC_TRUE;
- if (nsec3chain != NULL)
- nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
- /*
- * Generate new NSEC3 chains first.
- */
- while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
- LOCK_ZONE(zone);
- nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (nsec3chain->done || nsec3chain->db != zone->db) {
- ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
- ISC_LIST_APPEND(cleanup, nsec3chain, link);
- }
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- UNLOCK_ZONE(zone);
- if (ISC_LIST_TAIL(cleanup) == nsec3chain)
- goto next_addchain;
- /*
- * Possible future db.
- */
- if (nsec3chain->db != db) {
- goto next_addchain;
- }
- if (NSEC3REMOVE(nsec3chain->nsec3param.flags))
- goto next_addchain;
- dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
- if (nsec3chain->delete_nsec) {
- delegation = ISC_FALSE;
- dns_dbiterator_pause(nsec3chain->dbiterator);
- CHECK(delete_nsec(db, version, node, name, &nsec_diff));
- goto next_addnode;
- }
- /*
- * On the first pass we need to check if the current node
- * has not been obscured.
- */
- delegation = ISC_FALSE;
- unsecure = ISC_FALSE;
- if (first) {
- dns_fixedname_t ffound;
- dns_name_t *found;
- dns_fixedname_init(&ffound);
- found = dns_fixedname_name(&ffound);
- result = dns_db_find(db, name, version,
- dns_rdatatype_soa,
- DNS_DBFIND_NOWILD, 0, NULL, found,
- NULL, NULL);
- if ((result == DNS_R_DELEGATION ||
- result == DNS_R_DNAME) &&
- !dns_name_equal(name, found)) {
- /*
- * Remember the obscuring name so that
- * we skip all obscured names.
- */
- dns_name_copy(found, name, NULL);
- delegation = ISC_TRUE;
- goto next_addnode;
- }
- }
- /*
- * Check to see if this is a bottom of zone node.
- */
- result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result == ISC_R_NOTFOUND) /* Empty node? */
- goto next_addnode;
- if (result != ISC_R_SUCCESS)
- goto failure;
- seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec =
- ISC_FALSE;
- for (result = dns_rdatasetiter_first(iterator);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
- dns_rdatasetiter_current(iterator, &rdataset);
- INSIST(rdataset.type != dns_rdatatype_nsec3);
- if (rdataset.type == dns_rdatatype_soa)
- seen_soa = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_ns)
- seen_ns = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_dname)
- seen_dname = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_ds)
- seen_ds = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_nsec)
- seen_nsec = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- }
- dns_rdatasetiter_destroy(&iterator);
- /*
- * Is there a NSEC chain than needs to be cleaned up?
- */
- if (seen_nsec)
- nsec3chain->seen_nsec = ISC_TRUE;
- if (seen_ns && !seen_soa && !seen_ds)
- unsecure = ISC_TRUE;
- if ((seen_ns && !seen_soa) || seen_dname)
- delegation = ISC_TRUE;
- /*
- * Process one node.
- */
- dns_dbiterator_pause(nsec3chain->dbiterator);
- result = dns_nsec3_addnsec3(db, version, name,
- &nsec3chain->nsec3param,
- zone->minimum, unsecure,
- &nsec3_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_nsec3_addnsec3 -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Treat each call to dns_nsec3_addnsec3() as if it's cost is
- * two signatures. Additionally there will, in general, be
- * two signature generated below.
- *
- * If we are only changing the optout flag the cost is half
- * that of the cost of generating a completely new chain.
- */
- signatures -= 4;
- /*
- * Go onto next node.
- */
- next_addnode:
- first = ISC_FALSE;
- dns_db_detachnode(db, &node);
- do {
- result = dns_dbiterator_next(nsec3chain->dbiterator);
- if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
- CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_FALSE, privatetype,
- ¶m_diff));
- LOCK_ZONE(zone);
- ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
- link);
- UNLOCK_ZONE(zone);
- ISC_LIST_APPEND(cleanup, nsec3chain, link);
- goto next_addchain;
- }
- if (result == ISC_R_NOMORE) {
- dns_dbiterator_pause(nsec3chain->dbiterator);
- if (nsec3chain->seen_nsec) {
- CHECK(fixup_nsec3param(db, version,
- nsec3chain,
- ISC_TRUE,
- privatetype,
- ¶m_diff));
- nsec3chain->delete_nsec = ISC_TRUE;
- goto same_addchain;
- }
- CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_FALSE, privatetype,
- ¶m_diff));
- LOCK_ZONE(zone);
- ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
- link);
- UNLOCK_ZONE(zone);
- ISC_LIST_APPEND(cleanup, nsec3chain, link);
- goto next_addchain;
- } else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s\n",
- dns_result_totext(result));
- goto failure;
- } else if (delegation) {
- dns_dbiterator_current(nsec3chain->dbiterator,
- &node, nextname);
- dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
- break;
- } else
- break;
- } while (1);
- continue;
- same_addchain:
- CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
- first = ISC_TRUE;
- continue;
- next_addchain:
- dns_dbiterator_pause(nsec3chain->dbiterator);
- nsec3chain = nextnsec3chain;
- first = ISC_TRUE;
- if (nsec3chain != NULL)
- nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
- }
- /*
- * Process removals.
- */
- LOCK_ZONE(zone);
- nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
- UNLOCK_ZONE(zone);
- first = ISC_TRUE;
- buildnsecchain = ISC_FALSE;
- while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
- LOCK_ZONE(zone);
- nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
- UNLOCK_ZONE(zone);
- if (nsec3chain->db != db)
- goto next_removechain;
- if (!NSEC3REMOVE(nsec3chain->nsec3param.flags))
- goto next_removechain;
- /*
- * Work out if we need to build a NSEC chain as a consequence
- * of removing this NSEC3 chain.
- */
- if (first && !updatensec &&
- (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0) {
- result = need_nsec_chain(db, version,
- &nsec3chain->nsec3param,
- &buildnsecchain);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "need_nsec_chain -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- if (first)
- dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
- "buildnsecchain = %u\n", buildnsecchain);
- dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
- delegation = ISC_FALSE;
- if (!buildnsecchain) {
- /*
- * Delete the NSECPARAM record that matches this chain.
- */
- if (first) {
- result = fixup_nsec3param(db, version,
- nsec3chain,
- ISC_TRUE, privatetype,
- ¶m_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- /*
- * Delete the NSEC3 records.
- */
- result = deletematchingnsec3(db, version, node, name,
- &nsec3chain->nsec3param,
- &nsec3_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "deletematchingnsec3 -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- goto next_removenode;
- }
- if (first) {
- dns_fixedname_t ffound;
- dns_name_t *found;
- dns_fixedname_init(&ffound);
- found = dns_fixedname_name(&ffound);
- result = dns_db_find(db, name, version,
- dns_rdatatype_soa,
- DNS_DBFIND_NOWILD, 0, NULL, found,
- NULL, NULL);
- if ((result == DNS_R_DELEGATION ||
- result == DNS_R_DNAME) &&
- !dns_name_equal(name, found)) {
- /*
- * Remember the obscuring name so that
- * we skip all obscured names.
- */
- dns_name_copy(found, name, NULL);
- delegation = ISC_TRUE;
- goto next_removenode;
- }
- }
- /*
- * Check to see if this is a bottom of zone node.
- */
- result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result == ISC_R_NOTFOUND) /* Empty node? */
- goto next_removenode;
- if (result != ISC_R_SUCCESS)
- goto failure;
- seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
- seen_rr = ISC_FALSE;
- for (result = dns_rdatasetiter_first(iterator);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
- dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_soa)
- seen_soa = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_ns)
- seen_ns = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_dname)
- seen_dname = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_nsec)
- seen_nsec = ISC_TRUE;
- else if (rdataset.type == dns_rdatatype_nsec3)
- seen_nsec3 = ISC_TRUE;
- if (rdataset.type != dns_rdatatype_rrsig)
- seen_rr = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- }
- dns_rdatasetiter_destroy(&iterator);
- if (!seen_rr || seen_nsec3 || seen_nsec)
- goto next_removenode;
- if ((seen_ns && !seen_soa) || seen_dname)
- delegation = ISC_TRUE;
- /*
- * Add a NSEC record except at the origin.
- */
- if (!dns_name_equal(name, dns_db_origin(db))) {
- dns_dbiterator_pause(nsec3chain->dbiterator);
- CHECK(add_nsec(db, version, name, node, zone->minimum,
- delegation, &nsec_diff));
- }
- next_removenode:
- first = ISC_FALSE;
- dns_db_detachnode(db, &node);
- do {
- result = dns_dbiterator_next(nsec3chain->dbiterator);
- if (result == ISC_R_NOMORE && buildnsecchain) {
- /*
- * The NSEC chain should now be built.
- * We can now remove the NSEC3 chain.
- */
- updatensec = ISC_TRUE;
- goto same_removechain;
- }
- if (result == ISC_R_NOMORE) {
- LOCK_ZONE(zone);
- ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
- link);
- UNLOCK_ZONE(zone);
- ISC_LIST_APPEND(cleanup, nsec3chain, link);
- dns_dbiterator_pause(nsec3chain->dbiterator);
- result = fixup_nsec3param(db, version,
- nsec3chain, ISC_FALSE,
- privatetype,
- ¶m_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- goto next_removechain;
- } else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s\n",
- dns_result_totext(result));
- goto failure;
- } else if (delegation) {
- dns_dbiterator_current(nsec3chain->dbiterator,
- &node, nextname);
- dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
- break;
- } else
- break;
- } while (1);
- continue;
- same_removechain:
- CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
- buildnsecchain = ISC_FALSE;
- first = ISC_TRUE;
- continue;
- next_removechain:
- dns_dbiterator_pause(nsec3chain->dbiterator);
- nsec3chain = nextnsec3chain;
- first = ISC_TRUE;
- }
- /*
- * We may need to update the NSEC/NSEC3 records for the zone apex.
- */
- if (!ISC_LIST_EMPTY(param_diff.tuples)) {
- isc_boolean_t rebuild_nsec = ISC_FALSE,
- rebuild_nsec3 = ISC_FALSE;
- result = dns_db_getoriginnode(db, &node);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_db_allrdatasets -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- for (result = dns_rdatasetiter_first(iterator);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
- dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_nsec)
- rebuild_nsec = ISC_TRUE;
- if (rdataset.type == dns_rdatatype_nsec3param)
- rebuild_nsec3 = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- }
- dns_rdatasetiter_destroy(&iterator);
- dns_db_detachnode(db, &node);
- if (rebuild_nsec) {
- if (nsec3chain != NULL)
- dns_dbiterator_pause(nsec3chain->dbiterator);
- result = updatesecure(db, version, &zone->origin,
- zone->minimum, ISC_TRUE,
- &nsec_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "updatesecure -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- if (rebuild_nsec3) {
- result = dns_nsec3_addnsec3s(db, version,
- dns_db_origin(db),
- zone->minimum, ISC_FALSE,
- &nsec3_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_nsec3_addnsec3s -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- }
- /*
- * Add / update signatures for the NSEC3 records.
- */
- result = update_sigs(&nsec3_diff, db, version, zone_keys,
- nkeys, zone, inception, expire, now,
- check_ksk, keyset_kskonly, &sig_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "update_sigs -> %s\n", dns_result_totext(result));
- goto failure;
- }
- /*
- * We have changed the NSEC3PARAM or private RRsets
- * above so we need to update the signatures.
- */
- result = update_sigs(¶m_diff, db, version, zone_keys,
- nkeys, zone, inception, expire, now,
- check_ksk, keyset_kskonly, &sig_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "update_sigs -> %s\n", dns_result_totext(result));
- goto failure;
- }
- if (updatensec) {
- if (nsec3chain != NULL)
- dns_dbiterator_pause(nsec3chain->dbiterator);
- result = updatesecure(db, version, &zone->origin,
- zone->minimum, ISC_FALSE, &nsec_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "updatesecure -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- result = update_sigs(&nsec_diff, db, version, zone_keys,
- nkeys, zone, inception, expire, now,
- check_ksk, keyset_kskonly, &sig_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "update_sigs -> %s\n", dns_result_totext(result));
- goto failure;
- }
- /*
- * If we made no effective changes to the zone then we can just
- * cleanup otherwise we need to increment the serial.
- */
- if (ISC_LIST_HEAD(sig_diff.tuples) == NULL)
- goto done;
- result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "del_sigs -> %s\n", dns_result_totext(result));
- goto failure;
- }
- result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "increment_soa_serial -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "add_sigs -> %s\n", dns_result_totext(result));
- goto failure;
- }
- /* Write changes to journal file. */
- CHECK(zone_journal(zone, &sig_diff, "zone_nsec3chain"));
- LOCK_ZONE(zone);
- zone_needdump(zone, DNS_DUMP_DELAY);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- UNLOCK_ZONE(zone);
- done:
- /*
- * Pause all iterators so that dns_db_closeversion() can succeed.
- */
- LOCK_ZONE(zone);
- for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
- nsec3chain != NULL;
- nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
- dns_dbiterator_pause(nsec3chain->dbiterator);
- UNLOCK_ZONE(zone);
- /*
- * Everything has succeeded. Commit the changes.
- */
- dns_db_closeversion(db, &version, ISC_TRUE);
- /*
- * Everything succeeded so we can clean these up now.
- */
- nsec3chain = ISC_LIST_HEAD(cleanup);
- while (nsec3chain != NULL) {
- ISC_LIST_UNLINK(cleanup, nsec3chain, link);
- dns_db_detach(&nsec3chain->db);
- dns_dbiterator_destroy(&nsec3chain->dbiterator);
- isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
- nsec3chain = ISC_LIST_HEAD(cleanup);
- }
- set_resigntime(zone);
- failure:
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s\n",
- dns_result_totext(result));
- /*
- * On error roll back the current nsec3chain.
- */
- if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
- if (nsec3chain->done) {
- dns_db_detach(&nsec3chain->db);
- dns_dbiterator_destroy(&nsec3chain->dbiterator);
- isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
- } else {
- result = dns_dbiterator_first(nsec3chain->dbiterator);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_dbiterator_pause(nsec3chain->dbiterator);
- nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
- }
- }
- /*
- * Rollback the cleanup list.
- */
- nsec3chain = ISC_LIST_TAIL(cleanup);
- while (nsec3chain != NULL) {
- ISC_LIST_UNLINK(cleanup, nsec3chain, link);
- if (nsec3chain->done) {
- dns_db_detach(&nsec3chain->db);
- dns_dbiterator_destroy(&nsec3chain->dbiterator);
- isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
- } else {
- LOCK_ZONE(zone);
- ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
- UNLOCK_ZONE(zone);
- result = dns_dbiterator_first(nsec3chain->dbiterator);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_dbiterator_pause(nsec3chain->dbiterator);
- nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
- }
- nsec3chain = ISC_LIST_TAIL(cleanup);
- }
- LOCK_ZONE(zone);
- for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
- nsec3chain != NULL;
- nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
- dns_dbiterator_pause(nsec3chain->dbiterator);
- UNLOCK_ZONE(zone);
- dns_diff_clear(¶m_diff);
- dns_diff_clear(&nsec3_diff);
- dns_diff_clear(&nsec_diff);
- dns_diff_clear(&sig_diff);
- if (iterator != NULL)
- dns_rdatasetiter_destroy(&iterator);
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (version != NULL) {
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
- } else if (db != NULL)
- dns_db_detach(&db);
- LOCK_ZONE(zone);
- if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
- isc_interval_t i;
- if (zone->update_disabled || result != ISC_R_SUCCESS)
- isc_interval_set(&i, 60, 0); /* 1 minute */
- else
- isc_interval_set(&i, 0, 10000000); /* 10 ms */
- isc_time_nowplusinterval(&zone->nsec3chaintime, &i);
- } else
- isc_time_settoepoch(&zone->nsec3chaintime);
- UNLOCK_ZONE(zone);
- }
- static isc_result_t
- del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
- dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
- isc_uint16_t keyid, dns_diff_t *diff)
- {
- dns_rdata_rrsig_t rrsig;
- dns_rdataset_t rdataset;
- dns_rdatasetiter_t *iterator = NULL;
- isc_result_t result;
- result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_SUCCESS;
- return (result);
- }
- dns_rdataset_init(&rdataset);
- for (result = dns_rdatasetiter_first(iterator);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
- dns_rdatasetiter_current(iterator, &rdataset);
- if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(update_one_rr(db, version, diff,
- DNS_DIFFOP_DEL, name,
- rdataset.ttl, &rdata));
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- dns_rdataset_disassociate(&rdataset);
- continue;
- }
- if (rdataset.type != dns_rdatatype_rrsig) {
- dns_rdataset_disassociate(&rdataset);
- continue;
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
- if (rrsig.algorithm != algorithm ||
- rrsig.keyid != keyid)
- continue;
- CHECK(update_one_rr(db, version, diff,
- DNS_DIFFOP_DELRESIGN, name,
- rdataset.ttl, &rdata));
- }
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_NOMORE)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- dns_rdatasetiter_destroy(&iterator);
- return (result);
- }
- /*
- * Incrementally sign the zone using the keys requested.
- * Builds the NSEC chain if required.
- */
- static void
- zone_sign(dns_zone_t *zone) {
- dns_db_t *db = NULL;
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_diff_t sig_diff;
- dns_diff_t post_diff;
- dns_fixedname_t fixed;
- dns_fixedname_t nextfixed;
- dns_name_t *name, *nextname;
- dns_rdataset_t rdataset;
- dns_signing_t *signing, *nextsigning;
- dns_signinglist_t cleanup;
- dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- isc_int32_t signatures;
- isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
- isc_boolean_t commit = ISC_FALSE;
- isc_boolean_t delegation;
- isc_boolean_t build_nsec = ISC_FALSE;
- isc_boolean_t build_nsec3 = ISC_FALSE;
- isc_boolean_t first;
- isc_result_t result;
- isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
- unsigned int i, j;
- unsigned int nkeys = 0;
- isc_uint32_t nodes;
- dns_rdataset_init(&rdataset);
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- dns_fixedname_init(&nextfixed);
- nextname = dns_fixedname_name(&nextfixed);
- dns_diff_init(zone->mctx, &sig_diff);
- sig_diff.resign = zone->sigresigninginterval;
- dns_diff_init(zone->mctx, &post_diff);
- ISC_LIST_INIT(cleanup);
- /*
- * Updates are disabled. Pause for 5 minutes.
- */
- if (zone->update_disabled) {
- result = ISC_R_FAILURE;
- goto failure;
- }
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- result = dns_db_newversion(db, &version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_db_newversion -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = find_zone_keys(zone, db, version, zone->mctx,
- DNS_MAXZONEKEYS, zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:find_zone_keys -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
- /*
- * Spread out signatures over time if they happen to be
- * clumped. We don't do this for each add_sigs() call as
- * we still want some clustering to occur.
- */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
- /*
- * We keep pulling nodes off each iterator in turn until
- * we have no more nodes to pull off or we reach the limits
- * for this quantum.
- */
- nodes = zone->nodes;
- signatures = zone->signatures;
- signing = ISC_LIST_HEAD(zone->signing);
- first = ISC_TRUE;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
- /* Determine which type of chain to build */
- CHECK(dns_private_chains(db, version, zone->privatetype,
- &build_nsec, &build_nsec3));
- /* If neither chain is found, default to NSEC */
- if (!build_nsec && !build_nsec3)
- build_nsec = ISC_TRUE;
- while (signing != NULL && nodes-- > 0 && signatures > 0) {
- nextsigning = ISC_LIST_NEXT(signing, link);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (signing->done || signing->db != zone->db) {
- /*
- * The zone has been reloaded. We will have
- * created new signings as part of the reload
- * process so we can destroy this one.
- */
- ISC_LIST_UNLINK(zone->signing, signing, link);
- ISC_LIST_APPEND(cleanup, signing, link);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- goto next_signing;
- }
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (signing->db != db)
- goto next_signing;
- delegation = ISC_FALSE;
- if (first && signing->delete) {
- /*
- * Remove the key we are deleting from consideration.
- */
- for (i = 0, j = 0; i < nkeys; i++) {
- /*
- * Find the key we want to remove.
- */
- if (ALG(zone_keys[i]) == signing->algorithm &&
- dst_key_id(zone_keys[i]) == signing->keyid)
- {
- if (KSK(zone_keys[i]))
- dst_key_free(&zone_keys[i]);
- continue;
- }
- zone_keys[j] = zone_keys[i];
- j++;
- }
- nkeys = j;
- }
- dns_dbiterator_current(signing->dbiterator, &node, name);
- if (signing->delete) {
- dns_dbiterator_pause(signing->dbiterator);
- CHECK(del_sig(db, version, name, node, nkeys,
- signing->algorithm, signing->keyid,
- &sig_diff));
- }
- /*
- * On the first pass we need to check if the current node
- * has not been obscured.
- */
- if (first) {
- dns_fixedname_t ffound;
- dns_name_t *found;
- dns_fixedname_init(&ffound);
- found = dns_fixedname_name(&ffound);
- result = dns_db_find(db, name, version,
- dns_rdatatype_soa,
- DNS_DBFIND_NOWILD, 0, NULL, found,
- NULL, NULL);
- if ((result == DNS_R_DELEGATION ||
- result == DNS_R_DNAME) &&
- !dns_name_equal(name, found)) {
- /*
- * Remember the obscuring name so that
- * we skip all obscured names.
- */
- dns_name_copy(found, name, NULL);
- delegation = ISC_TRUE;
- goto next_node;
- }
- }
- /*
- * Process one node.
- */
- dns_dbiterator_pause(signing->dbiterator);
- for (i = 0; i < nkeys; i++) {
- isc_boolean_t both = ISC_FALSE;
- /*
- * Find the keys we want to sign with.
- */
- if (!dst_key_isprivate(zone_keys[i]))
- continue;
- /*
- * When adding look for the specific key.
- */
- if (!signing->delete &&
- (dst_key_alg(zone_keys[i]) != signing->algorithm ||
- dst_key_id(zone_keys[i]) != signing->keyid))
- continue;
- /*
- * When deleting make sure we are properly signed
- * with the algorithm that was being removed.
- */
- if (signing->delete &&
- ALG(zone_keys[i]) != signing->algorithm)
- continue;
- /*
- * Do we do KSK processing?
- */
- if (check_ksk && !REVOKE(zone_keys[i])) {
- isc_boolean_t have_ksk, have_nonksk;
- if (KSK(zone_keys[i])) {
- have_ksk = ISC_TRUE;
- have_nonksk = ISC_FALSE;
- } else {
- have_ksk = ISC_FALSE;
- have_nonksk = ISC_TRUE;
- }
- for (j = 0; j < nkeys; j++) {
- if (j == i ||
- ALG(zone_keys[i]) !=
- ALG(zone_keys[j]))
- continue;
- if (REVOKE(zone_keys[j]))
- continue;
- if (KSK(zone_keys[j]))
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- both = have_ksk && have_nonksk;
- if (both)
- break;
- }
- }
- if (both || REVOKE(zone_keys[i]))
- is_ksk = KSK(zone_keys[i]);
- else
- is_ksk = ISC_FALSE;
- CHECK(sign_a_node(db, name, node, version, build_nsec3,
- build_nsec, zone_keys[i], inception,
- expire, zone->minimum, is_ksk,
- ISC_TF(both && keyset_kskonly),
- &delegation, &sig_diff,
- &signatures, zone->mctx));
- /*
- * If we are adding we are done. Look for other keys
- * of the same algorithm if deleting.
- */
- if (!signing->delete)
- break;
- }
- /*
- * Go onto next node.
- */
- next_node:
- first = ISC_FALSE;
- dns_db_detachnode(db, &node);
- do {
- result = dns_dbiterator_next(signing->dbiterator);
- if (result == ISC_R_NOMORE) {
- ISC_LIST_UNLINK(zone->signing, signing, link);
- ISC_LIST_APPEND(cleanup, signing, link);
- dns_dbiterator_pause(signing->dbiterator);
- if (nkeys != 0 && build_nsec) {
- /*
- * We have finished regenerating the
- * zone with a zone signing key.
- * The NSEC chain is now complete and
- * there is a full set of signatures
- * for the zone. We can now clear the
- * OPT bit from the NSEC record.
- */
- result = updatesecure(db, version,
- &zone->origin,
- zone->minimum,
- ISC_FALSE,
- &post_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone,
- ISC_LOG_ERROR,
- "updatesecure -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- result = updatesignwithkey(zone, signing,
- version,
- build_nsec3,
- zone->minimum,
- &post_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "updatesignwithkey "
- "-> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- build_nsec = ISC_FALSE;
- goto next_signing;
- } else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_dbiterator_next -> %s\n",
- dns_result_totext(result));
- goto failure;
- } else if (delegation) {
- dns_dbiterator_current(signing->dbiterator,
- &node, nextname);
- dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
- break;
- } else
- break;
- } while (1);
- continue;
- next_signing:
- dns_dbiterator_pause(signing->dbiterator);
- signing = nextsigning;
- first = ISC_TRUE;
- }
- if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
- result = update_sigs(&post_diff, db, version, zone_keys,
- nkeys, zone, inception, expire, now,
- check_ksk, keyset_kskonly, &sig_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
- "update_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- /*
- * Have we changed anything?
- */
- if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) {
- result = ISC_R_SUCCESS;
- goto pauseall;
- }
- commit = ISC_TRUE;
- result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:del_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:increment_soa_serial -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Generate maximum life time signatures so that the above loop
- * termination is sensible.
- */
- result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:add_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- /*
- * Write changes to journal file.
- */
- CHECK(zone_journal(zone, &sig_diff, "zone_sign"));
- pauseall:
- /*
- * Pause all iterators so that dns_db_closeversion() can succeed.
- */
- for (signing = ISC_LIST_HEAD(zone->signing);
- signing != NULL;
- signing = ISC_LIST_NEXT(signing, link))
- dns_dbiterator_pause(signing->dbiterator);
- for (signing = ISC_LIST_HEAD(cleanup);
- signing != NULL;
- signing = ISC_LIST_NEXT(signing, link))
- dns_dbiterator_pause(signing->dbiterator);
- /*
- * Everything has succeeded. Commit the changes.
- */
- dns_db_closeversion(db, &version, commit);
- /*
- * Everything succeeded so we can clean these up now.
- */
- signing = ISC_LIST_HEAD(cleanup);
- while (signing != NULL) {
- ISC_LIST_UNLINK(cleanup, signing, link);
- dns_db_detach(&signing->db);
- dns_dbiterator_destroy(&signing->dbiterator);
- isc_mem_put(zone->mctx, signing, sizeof *signing);
- signing = ISC_LIST_HEAD(cleanup);
- }
- set_resigntime(zone);
- if (commit) {
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- zone_needdump(zone, DNS_DUMP_DELAY);
- UNLOCK_ZONE(zone);
- }
- failure:
- /*
- * Rollback the cleanup list.
- */
- signing = ISC_LIST_HEAD(cleanup);
- while (signing != NULL) {
- ISC_LIST_UNLINK(cleanup, signing, link);
- ISC_LIST_PREPEND(zone->signing, signing, link);
- dns_dbiterator_first(signing->dbiterator);
- dns_dbiterator_pause(signing->dbiterator);
- signing = ISC_LIST_HEAD(cleanup);
- }
- for (signing = ISC_LIST_HEAD(zone->signing);
- signing != NULL;
- signing = ISC_LIST_NEXT(signing, link))
- dns_dbiterator_pause(signing->dbiterator);
- dns_diff_clear(&sig_diff);
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (version != NULL) {
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
- } else if (db != NULL)
- dns_db_detach(&db);
- if (ISC_LIST_HEAD(zone->signing) != NULL) {
- isc_interval_t i;
- if (zone->update_disabled || result != ISC_R_SUCCESS)
- isc_interval_set(&i, 60, 0); /* 1 minute */
- else
- isc_interval_set(&i, 0, 10000000); /* 10 ms */
- isc_time_nowplusinterval(&zone->signingtime, &i);
- } else
- isc_time_settoepoch(&zone->signingtime);
- }
- static void
- normalize_key(dns_rdata_t *rr, dns_rdata_t *target,
- unsigned char *data, int size) {
- dns_rdata_dnskey_t dnskey;
- dns_rdata_keydata_t keydata;
- isc_buffer_t buf;
- dns_rdata_reset(target);
- isc_buffer_init(&buf, data, size);
- switch (rr->type) {
- case dns_rdatatype_dnskey:
- dns_rdata_tostruct(rr, &dnskey, NULL);
- dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
- dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
- &dnskey, &buf);
- break;
- case dns_rdatatype_keydata:
- dns_rdata_tostruct(rr, &keydata, NULL);
- dns_keydata_todnskey(&keydata, &dnskey, NULL);
- dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
- &dnskey, &buf);
- break;
- default:
- INSIST(0);
- }
- }
- /*
- * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
- * a KEYDATA rdataset from the key zone.
- *
- * 'rr' contains either a DNSKEY record, or a KEYDATA record
- *
- * After normalizing keys to the same format (DNSKEY, with revoke bit
- * cleared), return ISC_TRUE if a key that matches 'rr' is found in
- * 'rdset', or ISC_FALSE if not.
- */
- static isc_boolean_t
- matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
- unsigned char data1[4096], data2[4096];
- dns_rdata_t rdata, rdata1, rdata2;
- isc_result_t result;
- dns_rdata_init(&rdata);
- dns_rdata_init(&rdata1);
- dns_rdata_init(&rdata2);
- normalize_key(rr, &rdata1, data1, sizeof(data1));
- for (result = dns_rdataset_first(rdset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdset, &rdata);
- normalize_key(&rdata, &rdata2, data2, sizeof(data2));
- if (dns_rdata_compare(&rdata1, &rdata2) == 0)
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
- }
- /*
- * Calculate the refresh interval for a keydata zone, per
- * RFC5011: MAX(1 hr,
- * MIN(15 days,
- * 1/2 * OrigTTL,
- * 1/2 * RRSigExpirationInterval))
- * or for retries: MAX(1 hr,
- * MIN(1 day,
- * 1/10 * OrigTTL,
- * 1/10 * RRSigExpirationInterval))
- */
- static inline isc_stdtime_t
- refresh_time(dns_keyfetch_t *kfetch, isc_boolean_t retry) {
- isc_result_t result;
- isc_uint32_t t;
- dns_rdataset_t *rdset;
- dns_rdata_t sigrr = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- isc_stdtime_t now;
- isc_stdtime_get(&now);
- if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
- rdset = &kfetch->dnskeysigset;
- else
- return (now + HOUR);
- result = dns_rdataset_first(rdset);
- if (result != ISC_R_SUCCESS)
- return (now + HOUR);
- dns_rdataset_current(rdset, &sigrr);
- result = dns_rdata_tostruct(&sigrr, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!retry) {
- t = sig.originalttl / 2;
- if (isc_serial_gt(sig.timeexpire, now)) {
- isc_uint32_t exp = (sig.timeexpire - now) / 2;
- if (t > exp)
- t = exp;
- }
- if (t > (15*DAY))
- t = (15*DAY);
- if (t < HOUR)
- t = HOUR;
- } else {
- t = sig.originalttl / 10;
- if (isc_serial_gt(sig.timeexpire, now)) {
- isc_uint32_t exp = (sig.timeexpire - now) / 10;
- if (t > exp)
- t = exp;
- }
- if (t > DAY)
- t = DAY;
- if (t < HOUR)
- t = HOUR;
- }
- return (now + t);
- }
- /*
- * This routine is called when no changes are needed in a KEYDATA
- * record except to simply update the refresh timer. Caller should
- * hold zone lock.
- */
- static isc_result_t
- minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff)
- {
- isc_result_t result;
- isc_buffer_t keyb;
- unsigned char key_buf[4096];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_keydata_t keydata;
- dns_name_t *name;
- dns_zone_t *zone = kfetch->zone;
- isc_stdtime_t now;
- name = dns_fixedname_name(&kfetch->name);
- isc_stdtime_get(&now);
- for (result = dns_rdataset_first(&kfetch->keydataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->keydataset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&kfetch->keydataset, &rdata);
- /* Delete old version */
- CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL,
- name, 0, &rdata));
- /* Update refresh timer */
- CHECK(dns_rdata_tostruct(&rdata, &keydata, NULL));
- keydata.refresh = refresh_time(kfetch, ISC_TRUE);
- set_refreshkeytimer(zone, &keydata, now);
- dns_rdata_reset(&rdata);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- CHECK(dns_rdata_fromstruct(&rdata,
- zone->rdclass, dns_rdatatype_keydata,
- &keydata, &keyb));
- /* Insert updated version */
- CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD,
- name, 0, &rdata));
- }
- result = ISC_R_SUCCESS;
- failure:
- return (result);
- }
- /*
- * Verify that DNSKEY set is signed by the key specified in 'keydata'.
- */
- static isc_boolean_t
- revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
- isc_result_t result;
- dns_name_t *keyname;
- isc_mem_t *mctx;
- dns_rdata_t sigrr = DNS_RDATA_INIT;
- dns_rdata_t rr = DNS_RDATA_INIT;
- dns_rdata_rrsig_t sig;
- dns_rdata_dnskey_t dnskey;
- dst_key_t *dstkey = NULL;
- unsigned char key_buf[4096];
- isc_buffer_t keyb;
- isc_boolean_t answer = ISC_FALSE;
- REQUIRE(kfetch != NULL && keydata != NULL);
- REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
- keyname = dns_fixedname_name(&kfetch->name);
- mctx = kfetch->zone->view->mctx;
- /* Generate a key from keydata */
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- dns_keydata_todnskey(keydata, &dnskey, NULL);
- dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey,
- &dnskey, &keyb);
- result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
- /* See if that key generated any of the signatures */
- for (result = dns_rdataset_first(&kfetch->dnskeysigset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->dnskeysigset)) {
- dns_fixedname_t fixed;
- dns_fixedname_init(&fixed);
- dns_rdata_reset(&sigrr);
- dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
- result = dns_rdata_tostruct(&sigrr, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dst_key_alg(dstkey) == sig.algorithm &&
- (dst_key_id(dstkey) == sig.keyid ||
- dst_key_rid(dstkey) == sig.keyid)) {
- result = dns_dnssec_verify2(keyname,
- &kfetch->dnskeyset,
- dstkey, ISC_FALSE, mctx, &sigrr,
- dns_fixedname_name(&fixed));
- dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
- "Confirm revoked DNSKEY is self-signed: "
- "%s", dns_result_totext(result));
- if (result == ISC_R_SUCCESS) {
- answer = ISC_TRUE;
- break;
- }
- }
- }
- dst_key_free(&dstkey);
- return (answer);
- }
- /*
- * A DNSKEY set has been fetched from the zone apex of a zone whose trust
- * anchors are being managed; scan the keyset, and update the key zone and the
- * local trust anchors according to RFC5011.
- */
- static void
- keyfetch_done(isc_task_t *task, isc_event_t *event) {
- isc_result_t result, eresult;
- dns_fetchevent_t *devent;
- dns_keyfetch_t *kfetch;
- dns_zone_t *zone;
- isc_mem_t *mctx = NULL;
- dns_keytable_t *secroots = NULL;
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff;
- isc_boolean_t alldone = ISC_FALSE;
- isc_boolean_t commit = ISC_FALSE;
- dns_name_t *keyname;
- dns_rdata_t sigrr = DNS_RDATA_INIT;
- dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
- dns_rdata_t keydatarr = DNS_RDATA_INIT;
- dns_rdata_rrsig_t sig;
- dns_rdata_dnskey_t dnskey;
- dns_rdata_keydata_t keydata;
- isc_boolean_t initializing;
- char namebuf[DNS_NAME_FORMATSIZE];
- unsigned char key_buf[4096];
- isc_buffer_t keyb;
- dst_key_t *dstkey;
- isc_stdtime_t now;
- int pending = 0;
- isc_boolean_t secure;
- isc_boolean_t free_needed;
- UNUSED(task);
- INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
- INSIST(event->ev_arg != NULL);
- kfetch = event->ev_arg;
- zone = kfetch->zone;
- isc_mem_attach(zone->mctx, &mctx);
- keyname = dns_fixedname_name(&kfetch->name);
- devent = (dns_fetchevent_t *) event;
- eresult = devent->result;
- /* Free resources which are not of interest */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&kfetch->fetch);
- LOCK_ZONE(zone);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL)
- goto cleanup;
- isc_stdtime_get(&now);
- dns_name_format(keyname, namebuf, sizeof(namebuf));
- result = dns_view_getsecroots(zone->view, &secroots);
- INSIST(result == ISC_R_SUCCESS);
- dns_diff_init(mctx, &diff);
- diff.resign = zone->sigresigninginterval;
- CHECK(dns_db_newversion(kfetch->db, &ver));
- zone->refreshkeycount--;
- alldone = ISC_TF(zone->refreshkeycount == 0);
- if (alldone)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
- /* Fetch failed */
- if (eresult != ISC_R_SUCCESS ||
- !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Unable to fetch DNSKEY set "
- "'%s': %s", namebuf, dns_result_totext(eresult));
- CHECK(minimal_update(kfetch, ver, &diff));
- goto done;
- }
- /* No RRSIGs found */
- if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "No DNSKEY RRSIGs found for "
- "'%s': %s", namebuf, dns_result_totext(eresult));
- CHECK(minimal_update(kfetch, ver, &diff));
- goto done;
- }
- /*
- * Validate the dnskeyset against the current trusted keys.
- */
- for (result = dns_rdataset_first(&kfetch->dnskeysigset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->dnskeysigset)) {
- dns_keynode_t *keynode = NULL;
- dns_rdata_reset(&sigrr);
- dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
- result = dns_rdata_tostruct(&sigrr, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = dns_keytable_find(secroots, keyname, &keynode);
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
- dns_fixedname_t fixed;
- dns_fixedname_init(&fixed);
- dstkey = dns_keynode_key(keynode);
- if (dstkey == NULL) /* fail_secure() was called */
- break;
- if (dst_key_alg(dstkey) == sig.algorithm &&
- dst_key_id(dstkey) == sig.keyid) {
- result = dns_dnssec_verify2(keyname,
- &kfetch->dnskeyset,
- dstkey, ISC_FALSE,
- zone->view->mctx, &sigrr,
- dns_fixedname_name(&fixed));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Verifying DNSKEY set for zone "
- "'%s': %s", namebuf,
- dns_result_totext(result));
- if (result == ISC_R_SUCCESS) {
- kfetch->dnskeyset.trust =
- dns_trust_secure;
- kfetch->dnskeysigset.trust =
- dns_trust_secure;
- dns_keytable_detachkeynode(secroots,
- &keynode);
- break;
- }
- }
- result = dns_keytable_nextkeynode(secroots,
- keynode, &nextnode);
- dns_keytable_detachkeynode(secroots, &keynode);
- keynode = nextnode;
- }
- if (kfetch->dnskeyset.trust == dns_trust_secure)
- break;
- }
- /*
- * If we were not able to verify the answer using the current
- * trusted keys then all we can do is look at any revoked keys.
- */
- secure = ISC_TF(kfetch->dnskeyset.trust == dns_trust_secure);
- /*
- * First scan keydataset to find keys that are not in dnskeyset
- * - Missing keys which are not scheduled for removal,
- * log a warning
- * - Missing keys which are scheduled for removal and
- * the remove hold-down timer has completed should
- * be removed from the key zone
- * - Missing keys whose acceptance timers have not yet
- * completed, log a warning and reset the acceptance
- * timer to 30 days in the future
- * - All keys not being removed have their refresh timers
- * updated
- */
- initializing = ISC_TRUE;
- for (result = dns_rdataset_first(&kfetch->keydataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->keydataset)) {
- dns_rdata_reset(&keydatarr);
- dns_rdataset_current(&kfetch->keydataset, &keydatarr);
- dns_rdata_tostruct(&keydatarr, &keydata, NULL);
- /*
- * If any keydata record has a nonzero add holddown, then
- * there was a pre-existing trust anchor for this domain;
- * that means we are *not* initializing it and shouldn't
- * automatically trust all the keys we find at the zone apex.
- */
- initializing = initializing && ISC_TF(keydata.addhd == 0);
- if (! matchkey(&kfetch->dnskeyset, &keydatarr)) {
- isc_boolean_t deletekey = ISC_FALSE;
- if (!secure) {
- if (now > keydata.removehd)
- deletekey = ISC_TRUE;
- } else if (now < keydata.addhd) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Pending key unexpectedly missing "
- "from %s; restarting acceptance "
- "timer", namebuf);
- keydata.addhd = now + MONTH;
- keydata.refresh = refresh_time(kfetch,
- ISC_FALSE);
- } else if (keydata.addhd == 0) {
- keydata.addhd = now;
- } else if (keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Active key unexpectedly missing "
- "from %s", namebuf);
- keydata.refresh = now + HOUR;
- } else if (now > keydata.removehd) {
- deletekey = ISC_TRUE;
- } else {
- keydata.refresh = refresh_time(kfetch,
- ISC_FALSE);
- }
- if (secure || deletekey) {
- /* Delete old version */
- CHECK(update_one_rr(kfetch->db, ver, &diff,
- DNS_DIFFOP_DEL, keyname, 0,
- &keydatarr));
- }
- if (!secure || deletekey)
- continue;
- dns_rdata_reset(&keydatarr);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- dns_rdata_fromstruct(&keydatarr, zone->rdclass,
- dns_rdatatype_keydata,
- &keydata, &keyb);
- /* Insert updated version */
- CHECK(update_one_rr(kfetch->db, ver, &diff,
- DNS_DIFFOP_ADD, keyname, 0,
- &keydatarr));
- set_refreshkeytimer(zone, &keydata, now);
- }
- }
- /*
- * Next scan dnskeyset:
- * - If new keys are found (i.e., lacking a match in keydataset)
- * add them to the key zone and set the acceptance timer
- * to 30 days in the future (or to immediately if we've
- * determined that we're initializing the zone for the
- * first time)
- * - Previously-known keys that have been revoked
- * must be scheduled for removal from the key zone (or,
- * if they hadn't been accepted as trust anchors yet
- * anyway, removed at once)
- * - Previously-known unrevoked keys whose acceptance timers
- * have completed are promoted to trust anchors
- * - All keys not being removed have their refresh
- * timers updated
- */
- for (result = dns_rdataset_first(&kfetch->dnskeyset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->dnskeyset)) {
- isc_boolean_t revoked = ISC_FALSE;
- isc_boolean_t newkey = ISC_FALSE;
- isc_boolean_t updatekey = ISC_FALSE;
- isc_boolean_t deletekey = ISC_FALSE;
- isc_boolean_t trustkey = ISC_FALSE;
- dns_rdata_reset(&dnskeyrr);
- dns_rdataset_current(&kfetch->dnskeyset, &dnskeyrr);
- dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
- /* Skip ZSK's */
- if (!ISC_TF(dnskey.flags & DNS_KEYFLAG_KSK))
- continue;
- revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
- if (matchkey(&kfetch->keydataset, &dnskeyrr)) {
- dns_rdata_reset(&keydatarr);
- dns_rdataset_current(&kfetch->keydataset, &keydatarr);
- dns_rdata_tostruct(&keydatarr, &keydata, NULL);
- if (revoked && revocable(kfetch, &keydata)) {
- if (keydata.addhd > now) {
- /*
- * Key wasn't trusted yet, and now
- * it's been revoked? Just remove it
- */
- deletekey = ISC_TRUE;
- } else if (keydata.removehd == 0) {
- /* Remove from secroots */
- dns_view_untrust(zone->view, keyname,
- &dnskey, mctx);
- /* If initializing, delete now */
- if (keydata.addhd == 0)
- deletekey = ISC_TRUE;
- else
- keydata.removehd = now + MONTH;
- } else if (keydata.removehd < now) {
- /* Scheduled for removal */
- deletekey = ISC_TRUE;
- }
- } else if (revoked) {
- if (secure && keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Active key for zone "
- "'%s' is revoked but "
- "did not self-sign; "
- "ignoring.", namebuf);
- continue;
- }
- } else if (secure) {
- if (keydata.removehd != 0) {
- /*
- * Key isn't revoked--but it
- * seems it used to be.
- * Remove it now and add it
- * back as if it were a fresh key.
- */
- deletekey = ISC_TRUE;
- newkey = ISC_TRUE;
- } else if (keydata.addhd > now)
- pending++;
- else if (keydata.addhd == 0)
- keydata.addhd = now;
- if (keydata.addhd <= now)
- trustkey = ISC_TRUE;
- }
- if (!deletekey && !newkey)
- updatekey = ISC_TRUE;
- } else if (secure) {
- /*
- * Key wasn't in the key zone but it's
- * revoked now anyway, so just skip it
- */
- if (revoked)
- continue;
- /* Key wasn't in the key zone: add it */
- newkey = ISC_TRUE;
- if (initializing) {
- dns_keytag_t tag = 0;
- CHECK(compute_tag(keyname, &dnskey,
- mctx, &tag));
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Initializing automatic trust "
- "anchor management for zone '%s'; "
- "DNSKEY ID %d is now trusted, "
- "waiving the normal 30-day "
- "waiting period.",
- namebuf, tag);
- trustkey = ISC_TRUE;
- }
- }
- /* Delete old version */
- if (deletekey || !newkey)
- CHECK(update_one_rr(kfetch->db, ver, &diff,
- DNS_DIFFOP_DEL, keyname, 0,
- &keydatarr));
- if (updatekey) {
- /* Set refresh timer */
- keydata.refresh = refresh_time(kfetch, ISC_FALSE);
- dns_rdata_reset(&keydatarr);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- dns_rdata_fromstruct(&keydatarr, zone->rdclass,
- dns_rdatatype_keydata,
- &keydata, &keyb);
- /* Insert updated version */
- CHECK(update_one_rr(kfetch->db, ver, &diff,
- DNS_DIFFOP_ADD, keyname, 0,
- &keydatarr));
- } else if (newkey) {
- /* Convert DNSKEY to KEYDATA */
- dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
- dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
- NULL);
- keydata.addhd = initializing ? now : now + MONTH;
- keydata.refresh = refresh_time(kfetch, ISC_FALSE);
- dns_rdata_reset(&keydatarr);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
- dns_rdata_fromstruct(&keydatarr, zone->rdclass,
- dns_rdatatype_keydata,
- &keydata, &keyb);
- /* Insert into key zone */
- CHECK(update_one_rr(kfetch->db, ver, &diff,
- DNS_DIFFOP_ADD, keyname, 0,
- &keydatarr));
- }
- if (trustkey) {
- /* Trust this key. */
- dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
- trust_key(zone, keyname, &dnskey, mctx);
- }
- if (!deletekey)
- set_refreshkeytimer(zone, &keydata, now);
- }
- /*
- * RFC5011 says, "A trust point that has all of its trust anchors
- * revoked is considered deleted and is treated as if the trust
- * point was never configured." But if someone revoked their
- * active key before the standby was trusted, that would mean the
- * zone would suddenly be nonsecured. We avoid this by checking to
- * see if there's pending keydata. If so, we put a null key in
- * the security roots; then all queries to the zone will fail.
- */
- if (pending != 0)
- fail_secure(zone, keyname);
- done:
- if (!ISC_LIST_EMPTY(diff.tuples)) {
- /* Write changes to journal file. */
- CHECK(increment_soa_serial(kfetch->db, ver, &diff, mctx));
- CHECK(zone_journal(zone, &diff, "keyfetch_done"));
- commit = ISC_TRUE;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
- zone_needdump(zone, 30);
- }
- failure:
- dns_diff_clear(&diff);
- if (ver != NULL)
- dns_db_closeversion(kfetch->db, &ver, commit);
- cleanup:
- dns_db_detach(&kfetch->db);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- kfetch->zone = NULL;
- if (dns_rdataset_isassociated(&kfetch->keydataset))
- dns_rdataset_disassociate(&kfetch->keydataset);
- if (dns_rdataset_isassociated(&kfetch->dnskeyset))
- dns_rdataset_disassociate(&kfetch->dnskeyset);
- if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
- dns_rdataset_disassociate(&kfetch->dnskeysigset);
- dns_name_free(keyname, mctx);
- isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
- isc_mem_detach(&mctx);
- if (secroots != NULL)
- dns_keytable_detach(&secroots);
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
- }
- /*
- * Refresh the data in the key zone. Initiate a fetch to get new DNSKEY
- * records from the zone apex.
- */
- static void
- zone_refreshkeys(dns_zone_t *zone) {
- const char me[] = "zone_refreshkeys";
- isc_result_t result;
- dns_rriterator_t rrit;
- dns_db_t *db = NULL;
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_keydata_t kd;
- isc_stdtime_t now;
- isc_boolean_t commit = ISC_FALSE;
- isc_boolean_t fetching = ISC_FALSE, fetch_err = ISC_FALSE;
- ENTER;
- REQUIRE(zone->db != NULL);
- isc_stdtime_get(&now);
- LOCK_ZONE(zone);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- isc_time_settoepoch(&zone->refreshkeytime);
- UNLOCK_ZONE(zone);
- return;
- }
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- dns_diff_init(zone->mctx, &diff);
- CHECK(dns_db_newversion(db, &ver));
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
- dns_rriterator_init(&rrit, db, ver, 0);
- for (result = dns_rriterator_first(&rrit);
- result == ISC_R_SUCCESS;
- result = dns_rriterator_nextrrset(&rrit)) {
- isc_stdtime_t timer = 0xffffffff;
- dns_name_t *name = NULL, *kname = NULL;
- dns_rdataset_t *kdset = NULL;
- dns_keyfetch_t *kfetch;
- isc_uint32_t ttl;
- dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
- if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
- !dns_rdataset_isassociated(kdset))
- continue;
- /*
- * Scan the stored keys looking for ones that need
- * removal or refreshing
- */
- for (result = dns_rdataset_first(kdset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(kdset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(kdset, &rdata);
- result = dns_rdata_tostruct(&rdata, &kd, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- /* Removal timer expired? */
- if (kd.removehd != 0 && kd.removehd < now) {
- CHECK(update_one_rr(db, ver, &diff,
- DNS_DIFFOP_DEL, name, ttl,
- &rdata));
- continue;
- }
- /* Acceptance timer expired? */
- if (kd.addhd != 0 && kd.addhd < now)
- timer = kd.addhd;
- /* Or do we just need to refresh the keyset? */
- if (timer > kd.refresh)
- timer = kd.refresh;
- }
- if (timer > now)
- continue;
- kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
- if (kfetch == NULL) {
- fetch_err = ISC_TRUE;
- goto failure;
- }
- zone->refreshkeycount++;
- kfetch->zone = zone;
- zone->irefs++;
- INSIST(zone->irefs != 0);
- dns_fixedname_init(&kfetch->name);
- kname = dns_fixedname_name(&kfetch->name);
- dns_name_dup(name, zone->mctx, kname);
- dns_rdataset_init(&kfetch->dnskeyset);
- dns_rdataset_init(&kfetch->dnskeysigset);
- dns_rdataset_init(&kfetch->keydataset);
- dns_rdataset_clone(kdset, &kfetch->keydataset);
- kfetch->db = NULL;
- dns_db_attach(db, &kfetch->db);
- kfetch->fetch = NULL;
- result = dns_resolver_createfetch(zone->view->resolver,
- kname, dns_rdatatype_dnskey,
- NULL, NULL, NULL,
- DNS_FETCHOPT_NOVALIDATE,
- zone->task,
- keyfetch_done, kfetch,
- &kfetch->dnskeyset,
- &kfetch->dnskeysigset,
- &kfetch->fetch);
- if (result == ISC_R_SUCCESS)
- fetching = ISC_TRUE;
- else {
- zone->refreshkeycount--;
- zone->irefs--;
- dns_db_detach(&kfetch->db);
- dns_rdataset_disassociate(&kfetch->keydataset);
- dns_name_free(kname, zone->mctx);
- isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Failed to create fetch for "
- "DNSKEY update");
- fetch_err = ISC_TRUE;
- }
- }
- if (!ISC_LIST_EMPTY(diff.tuples)) {
- CHECK(increment_soa_serial(db, ver, &diff, zone->mctx));
- CHECK(zone_journal(zone, &diff, "zone_refreshkeys"));
- commit = ISC_TRUE;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
- zone_needdump(zone, 30);
- }
- failure:
- if (fetch_err) {
- /*
- * Error during a key fetch; retry in an hour.
- */
- isc_time_t timenow, timethen;
- char timebuf[80];
- TIME_NOW(&timenow);
- DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen);
- zone->refreshkeytime = timethen;
- zone_settimer(zone, &timenow);
- isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
- timebuf);
- if (!fetching)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
- }
- UNLOCK_ZONE(zone);
- dns_diff_clear(&diff);
- if (ver != NULL) {
- dns_rriterator_destroy(&rrit);
- dns_db_closeversion(db, &ver, commit);
- }
- dns_db_detach(&db);
- }
- static void
- zone_maintenance(dns_zone_t *zone) {
- const char me[] = "zone_maintenance";
- isc_time_t now;
- isc_result_t result;
- isc_boolean_t dumping;
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
- /*
- * Configuring the view of this zone may have
- * failed, for example because the config file
- * had a syntax error. In that case, the view
- * db or resolver will be NULL, and we had better not try
- * to do maintenance on it.
- */
- if (zone->view == NULL || zone->view->adb == NULL)
- return;
- TIME_NOW(&now);
- /*
- * Expire check.
- */
- switch (zone->type) {
- case dns_zone_slave:
- case dns_zone_stub:
- LOCK_ZONE(zone);
- if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- zone_expire(zone);
- zone->refreshtime = now;
- }
- UNLOCK_ZONE(zone);
- break;
- default:
- break;
- }
- /*
- * Up to date check.
- */
- switch (zone->type) {
- case dns_zone_slave:
- case dns_zone_stub:
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
- isc_time_compare(&now, &zone->refreshtime) >= 0)
- dns_zone_refresh(zone);
- break;
- default:
- break;
- }
- /*
- * Do we need to consolidate the backing store?
- */
- switch (zone->type) {
- case dns_zone_master:
- case dns_zone_slave:
- case dns_zone_key:
- case dns_zone_stub:
- LOCK_ZONE(zone);
- if (zone->masterfile != NULL &&
- isc_time_compare(&now, &zone->dumptime) >= 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
- dumping = was_dumping(zone);
- } else
- dumping = ISC_TRUE;
- UNLOCK_ZONE(zone);
- if (!dumping) {
- result = zone_dump(zone, ISC_TRUE); /* task locked */
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_WARNING,
- "dump failed: %s",
- dns_result_totext(result));
- }
- break;
- default:
- break;
- }
- /*
- * Do we need to refresh keys?
- */
- switch (zone->type) {
- case dns_zone_key:
- if (isc_time_compare(&now, &zone->refreshkeytime) >= 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING))
- zone_refreshkeys(zone);
- break;
- case dns_zone_master:
- if (!isc_time_isepoch(&zone->refreshkeytime) &&
- isc_time_compare(&now, &zone->refreshkeytime) >= 0)
- zone_rekey(zone);
- default:
- break;
- }
- switch (zone->type) {
- case dns_zone_master:
- case dns_zone_slave:
- /*
- * Do we need to send out notify messages?
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) &&
- isc_time_compare(&now, &zone->notifytime) >= 0)
- zone_notify(zone, &now);
- /*
- * Do we need to sign/resign some RRsets?
- */
- if (!isc_time_isepoch(&zone->signingtime) &&
- isc_time_compare(&now, &zone->signingtime) >= 0)
- zone_sign(zone);
- else if (!isc_time_isepoch(&zone->resigntime) &&
- isc_time_compare(&now, &zone->resigntime) >= 0)
- zone_resigninc(zone);
- else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
- isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
- zone_nsec3chain(zone);
- /*
- * Do we need to issue a key expiry warning.
- */
- if (!isc_time_isepoch(&zone->keywarntime) &&
- isc_time_compare(&now, &zone->keywarntime) >= 0)
- set_key_expiry_warning(zone, zone->key_expiry,
- isc_time_seconds(&now));
- break;
- default:
- break;
- }
- zone_settimer(zone, &now);
- }
- void
- dns_zone_markdirty(dns_zone_t *zone) {
- LOCK_ZONE(zone);
- if (zone->type == dns_zone_master)
- set_resigntime(zone); /* XXXMPA make separate call back */
- zone_needdump(zone, DNS_DUMP_DELAY);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_expire(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone_expire(zone);
- UNLOCK_ZONE(zone);
- }
- static void
- zone_expire(dns_zone_t *zone) {
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(zone));
- dns_zone_log(zone, ISC_LOG_WARNING, "expired");
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- zone_unload(zone);
- }
- void
- dns_zone_refresh(dns_zone_t *zone) {
- isc_interval_t i;
- isc_uint32_t oldflags;
- unsigned int j;
- isc_result_t result;
- REQUIRE(DNS_ZONE_VALID(zone));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- return;
- /*
- * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
- * in progress at a time.
- */
- LOCK_ZONE(zone);
- oldflags = zone->flags;
- if (zone->masterscnt == 0) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
- if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "cannot refresh: no masters");
- goto unlock;
- }
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
- goto unlock;
- /*
- * Set the next refresh time as if refresh check has failed.
- * Setting this to the retry time will do that. XXXMLG
- * If we are successful it will be reset using zone->refresh.
- */
- isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
- 0);
- result = isc_time_nowplusinterval(&zone->refreshtime, &i);
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_WARNING,
- "isc_time_nowplusinterval() failed: %s",
- dns_result_totext(result));
- /*
- * When lacking user-specified timer values from the SOA,
- * do exponential backoff of the retry time up to a
- * maximum of six hours.
- */
- if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
- zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
- zone->curmaster = 0;
- for (j = 0; j < zone->masterscnt; j++)
- zone->mastersok[j] = ISC_FALSE;
- /* initiate soa query */
- queue_soa_query(zone);
- unlock:
- UNLOCK_ZONE(zone);
- }
- isc_result_t
- dns_zone_flush(dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_boolean_t dumping;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- zone->masterfile != NULL) {
- result = ISC_R_ALREADYRUNNING;
- dumping = was_dumping(zone);
- } else
- dumping = ISC_TRUE;
- UNLOCK_ZONE(zone);
- if (!dumping)
- result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
- return (result);
- }
- isc_result_t
- dns_zone_dump(dns_zone_t *zone) {
- isc_result_t result = ISC_R_ALREADYRUNNING;
- isc_boolean_t dumping;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- dumping = was_dumping(zone);
- UNLOCK_ZONE(zone);
- if (!dumping)
- result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
- return (result);
- }
- static void
- zone_needdump(dns_zone_t *zone, unsigned int delay) {
- isc_time_t dumptime;
- isc_time_t now;
- /*
- * 'zone' locked by caller
- */
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
- /*
- * Do we have a place to dump to and are we loaded?
- */
- if (zone->masterfile == NULL ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
- return;
- TIME_NOW(&now);
- /* add some noise */
- DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- if (isc_time_isepoch(&zone->dumptime) ||
- isc_time_compare(&zone->dumptime, &dumptime) > 0)
- zone->dumptime = dumptime;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- }
- static void
- dump_done(void *arg, isc_result_t result) {
- const char me[] = "dump_done";
- dns_zone_t *zone = arg;
- dns_db_t *db;
- dns_dbversion_t *version;
- isc_boolean_t again = ISC_FALSE;
- isc_boolean_t compact = ISC_FALSE;
- isc_uint32_t serial;
- isc_result_t tresult;
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
- if (result == ISC_R_SUCCESS && zone->journal != NULL &&
- zone->journalsize != -1) {
- /*
- * We don't own these, zone->dctx must stay valid.
- */
- db = dns_dumpctx_db(zone->dctx);
- version = dns_dumpctx_version(zone->dctx);
- tresult = dns_db_getsoaserial(db, version, &serial);
- /*
- * Note: we are task locked here so we can test
- * zone->xfr safely.
- */
- if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
- tresult = dns_journal_compact(zone->mctx,
- zone->journal,
- serial,
- zone->journalsize);
- switch (tresult) {
- case ISC_R_SUCCESS:
- case ISC_R_NOSPACE:
- case ISC_R_NOTFOUND:
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "dns_journal_compact: %s",
- dns_result_totext(tresult));
- break;
- default:
- dns_zone_log(zone, ISC_LOG_ERROR,
- "dns_journal_compact failed: %s",
- dns_result_totext(tresult));
- break;
- }
- } else if (tresult == ISC_R_SUCCESS) {
- compact = ISC_TRUE;
- zone->compact_serial = serial;
- }
- }
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (compact)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
- if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
- /*
- * Try again in a short while.
- */
- zone_needdump(zone, DNS_DUMP_DELAY);
- } else if (result == ISC_R_SUCCESS &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- isc_time_settoepoch(&zone->dumptime);
- again = ISC_TRUE;
- } else if (result == ISC_R_SUCCESS)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
- if (zone->dctx != NULL)
- dns_dumpctx_detach(&zone->dctx);
- zonemgr_putio(&zone->writeio);
- UNLOCK_ZONE(zone);
- if (again)
- (void)zone_dump(zone, ISC_FALSE);
- dns_zone_idetach(&zone);
- }
- static isc_result_t
- zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
- const char me[] = "zone_dump";
- isc_result_t result;
- dns_dbversion_t *version = NULL;
- isc_boolean_t again;
- dns_db_t *db = NULL;
- char *masterfile = NULL;
- dns_masterformat_t masterformat = dns_masterformat_none;
- /*
- * 'compact' MUST only be set if we are task locked.
- */
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
- redo:
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- LOCK_ZONE(zone);
- if (zone->masterfile != NULL) {
- masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
- masterformat = zone->masterformat;
- }
- UNLOCK_ZONE(zone);
- if (db == NULL) {
- result = DNS_R_NOTLOADED;
- goto fail;
- }
- if (masterfile == NULL) {
- result = DNS_R_NOMASTERFILE;
- goto fail;
- }
- if (compact && zone->type != dns_zone_stub) {
- dns_zone_t *dummy = NULL;
- LOCK_ZONE(zone);
- zone_iattach(zone, &dummy);
- result = zonemgr_getio(zone->zmgr, ISC_FALSE, zone->task,
- zone_gotwritehandle, zone,
- &zone->writeio);
- if (result != ISC_R_SUCCESS)
- zone_idetach(&dummy);
- else
- result = DNS_R_CONTINUE;
- UNLOCK_ZONE(zone);
- } else {
- dns_db_currentversion(db, &version);
- result = dns_master_dump2(zone->mctx, db, version,
- &dns_master_style_default,
- masterfile, masterformat);
- dns_db_closeversion(db, &version, ISC_FALSE);
- }
- fail:
- if (db != NULL)
- dns_db_detach(&db);
- if (masterfile != NULL)
- isc_mem_free(zone->mctx, masterfile);
- masterfile = NULL;
- if (result == DNS_R_CONTINUE)
- return (ISC_R_SUCCESS); /* XXXMPA */
- again = ISC_FALSE;
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (result != ISC_R_SUCCESS) {
- /*
- * Try again in a short while.
- */
- zone_needdump(zone, DNS_DUMP_DELAY);
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- isc_time_settoepoch(&zone->dumptime);
- again = ISC_TRUE;
- } else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
- UNLOCK_ZONE(zone);
- if (again)
- goto redo;
- return (result);
- }
- static isc_result_t
- dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
- dns_masterformat_t format)
- {
- isc_result_t result;
- dns_dbversion_t *version = NULL;
- dns_db_t *db = NULL;
- REQUIRE(DNS_ZONE_VALID(zone));
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (db == NULL)
- return (DNS_R_NOTLOADED);
- dns_db_currentversion(db, &version);
- result = dns_master_dumptostream2(zone->mctx, db, version, style,
- format, fd);
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
- return (result);
- }
- isc_result_t
- dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
- const dns_master_style_t *style) {
- return dumptostream(zone, fd, style, format);
- }
- isc_result_t
- dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
- return dumptostream(zone, fd, &dns_master_style_default,
- dns_masterformat_text);
- }
- isc_result_t
- dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
- return dumptostream(zone, fd, &dns_master_style_full,
- dns_masterformat_text);
- }
- void
- dns_zone_unload(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone_unload(zone);
- UNLOCK_ZONE(zone);
- }
- static void
- notify_cancel(dns_zone_t *zone) {
- dns_notify_t *notify;
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(zone));
- for (notify = ISC_LIST_HEAD(zone->notifies);
- notify != NULL;
- notify = ISC_LIST_NEXT(notify, link)) {
- if (notify->find != NULL)
- dns_adb_cancelfind(notify->find);
- if (notify->request != NULL)
- dns_request_cancel(notify->request);
- }
- }
- static void
- forward_cancel(dns_zone_t *zone) {
- dns_forward_t *forward;
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(zone));
- for (forward = ISC_LIST_HEAD(zone->forwards);
- forward != NULL;
- forward = ISC_LIST_NEXT(forward, link)) {
- if (forward->request != NULL)
- dns_request_cancel(forward->request);
- }
- }
- static void
- zone_unload(dns_zone_t *zone) {
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(zone));
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- if (zone->writeio != NULL)
- zonemgr_cancelio(zone->writeio);
- if (zone->dctx != NULL)
- dns_dumpctx_cancel(zone->dctx);
- }
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
- zone_detachdb(zone);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- }
- void
- dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
- zone->minrefresh = val;
- }
- void
- dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
- zone->maxrefresh = val;
- }
- void
- dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
- zone->minretry = val;
- }
- void
- dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
- zone->maxretry = val;
- }
- static isc_boolean_t
- notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
- dns_notify_t *notify;
- for (notify = ISC_LIST_HEAD(zone->notifies);
- notify != NULL;
- notify = ISC_LIST_NEXT(notify, link)) {
- if (notify->request != NULL)
- continue;
- if (name != NULL && dns_name_dynamic(¬ify->ns) &&
- dns_name_equal(name, ¬ify->ns))
- return (ISC_TRUE);
- if (addr != NULL && isc_sockaddr_equal(addr, ¬ify->dst))
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
- }
- static isc_boolean_t
- notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
- dns_tsigkey_t *key = NULL;
- isc_sockaddr_t src;
- isc_sockaddr_t any;
- isc_boolean_t isself;
- isc_netaddr_t dstaddr;
- isc_result_t result;
- if (zone->view == NULL || zone->isself == NULL)
- return (ISC_FALSE);
- switch (isc_sockaddr_pf(dst)) {
- case PF_INET:
- src = zone->notifysrc4;
- isc_sockaddr_any(&any);
- break;
- case PF_INET6:
- src = zone->notifysrc6;
- isc_sockaddr_any6(&any);
- break;
- default:
- return (ISC_FALSE);
- }
- /*
- * When sending from any the kernel will assign a source address
- * that matches the destination address.
- */
- if (isc_sockaddr_eqaddr(&any, &src))
- src = *dst;
- isc_netaddr_fromsockaddr(&dstaddr, dst);
- result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
- return (ISC_FALSE);
- isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
- zone->isselfarg);
- if (key != NULL)
- dns_tsigkey_detach(&key);
- return (isself);
- }
- static void
- notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
- isc_mem_t *mctx;
- /*
- * Caller holds zone lock.
- */
- REQUIRE(DNS_NOTIFY_VALID(notify));
- if (notify->zone != NULL) {
- if (!locked)
- LOCK_ZONE(notify->zone);
- REQUIRE(LOCKED_ZONE(notify->zone));
- if (ISC_LINK_LINKED(notify, link))
- ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
- if (!locked)
- UNLOCK_ZONE(notify->zone);
- if (locked)
- zone_idetach(¬ify->zone);
- else
- dns_zone_idetach(¬ify->zone);
- }
- if (notify->find != NULL)
- dns_adb_destroyfind(¬ify->find);
- if (notify->request != NULL)
- dns_request_destroy(¬ify->request);
- if (dns_name_dynamic(¬ify->ns))
- dns_name_free(¬ify->ns, notify->mctx);
- mctx = notify->mctx;
- isc_mem_put(notify->mctx, notify, sizeof(*notify));
- isc_mem_detach(&mctx);
- }
- static isc_result_t
- notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
- dns_notify_t *notify;
- REQUIRE(notifyp != NULL && *notifyp == NULL);
- notify = isc_mem_get(mctx, sizeof(*notify));
- if (notify == NULL)
- return (ISC_R_NOMEMORY);
- notify->mctx = NULL;
- isc_mem_attach(mctx, ¬ify->mctx);
- notify->flags = flags;
- notify->zone = NULL;
- notify->find = NULL;
- notify->request = NULL;
- isc_sockaddr_any(¬ify->dst);
- dns_name_init(¬ify->ns, NULL);
- ISC_LINK_INIT(notify, link);
- notify->magic = NOTIFY_MAGIC;
- *notifyp = notify;
- return (ISC_R_SUCCESS);
- }
- /*
- * XXXAG should check for DNS_ZONEFLG_EXITING
- */
- static void
- process_adb_event(isc_task_t *task, isc_event_t *ev) {
- dns_notify_t *notify;
- isc_eventtype_t result;
- UNUSED(task);
- notify = ev->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- INSIST(task == notify->zone->task);
- result = ev->ev_type;
- isc_event_free(&ev);
- if (result == DNS_EVENT_ADBMOREADDRESSES) {
- dns_adb_destroyfind(¬ify->find);
- notify_find_address(notify);
- return;
- }
- if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
- LOCK_ZONE(notify->zone);
- notify_send(notify);
- UNLOCK_ZONE(notify->zone);
- }
- notify_destroy(notify, ISC_FALSE);
- }
- static void
- notify_find_address(dns_notify_t *notify) {
- isc_result_t result;
- unsigned int options;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
- DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
- if (notify->zone->view->adb == NULL)
- goto destroy;
- result = dns_adb_createfind(notify->zone->view->adb,
- notify->zone->task,
- process_adb_event, notify,
- ¬ify->ns, dns_rootname, 0,
- options, 0, NULL,
- notify->zone->view->dstport,
- ¬ify->find);
- /* Something failed? */
- if (result != ISC_R_SUCCESS)
- goto destroy;
- /* More addresses pending? */
- if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0)
- return;
- /* We have as many addresses as we can get. */
- LOCK_ZONE(notify->zone);
- notify_send(notify);
- UNLOCK_ZONE(notify->zone);
- destroy:
- notify_destroy(notify, ISC_FALSE);
- }
- static isc_result_t
- notify_send_queue(dns_notify_t *notify) {
- isc_event_t *e;
- isc_result_t result;
- e = isc_event_allocate(notify->mctx, NULL,
- DNS_EVENT_NOTIFYSENDTOADDR,
- notify_send_toaddr,
- notify, sizeof(isc_event_t));
- if (e == NULL)
- return (ISC_R_NOMEMORY);
- e->ev_arg = notify;
- e->ev_sender = NULL;
- result = isc_ratelimiter_enqueue(notify->zone->zmgr->rl,
- notify->zone->task, &e);
- if (result != ISC_R_SUCCESS)
- isc_event_free(&e);
- return (result);
- }
- static void
- notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
- dns_notify_t *notify;
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_netaddr_t dstip;
- dns_tsigkey_t *key = NULL;
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t src;
- int timeout;
- isc_boolean_t have_notifysource = ISC_FALSE;
- notify = event->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- UNUSED(task);
- LOCK_ZONE(notify->zone);
- if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
- DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
- notify->zone->view->requestmgr == NULL ||
- notify->zone->db == NULL) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
- /*
- * The raw IPv4 address should also exist. Don't send to the
- * mapped form.
- */
- if (isc_sockaddr_pf(¬ify->dst) == PF_INET6 &&
- IN6_IS_ADDR_V4MAPPED(¬ify->dst.type.sin6.sin6_addr)) {
- isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf));
- notify_log(notify->zone, ISC_LOG_DEBUG(3),
- "notify: ignoring IPv6 mapped IPV4 address: %s",
- addrbuf);
- result = ISC_R_CANCELED;
- goto cleanup;
- }
- result = notify_createmessage(notify->zone, notify->flags, &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_netaddr_fromsockaddr(&dstip, ¬ify->dst);
- isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf));
- result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
- notify_log(notify->zone, ISC_LOG_ERROR, "NOTIFY to %s not "
- "sent. Peer TSIG key lookup failure.", addrbuf);
- goto cleanup_message;
- }
- notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
- addrbuf);
- if (notify->zone->view->peers != NULL) {
- dns_peer_t *peer = NULL;
- result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
- &dstip, &peer);
- if (result == ISC_R_SUCCESS) {
- result = dns_peer_getnotifysource(peer, &src);
- if (result == ISC_R_SUCCESS)
- have_notifysource = ISC_TRUE;
- }
- }
- switch (isc_sockaddr_pf(¬ify->dst)) {
- case PF_INET:
- if (!have_notifysource)
- src = notify->zone->notifysrc4;
- break;
- case PF_INET6:
- if (!have_notifysource)
- src = notify->zone->notifysrc6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup_key;
- }
- timeout = 15;
- if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
- timeout = 30;
- result = dns_request_createvia2(notify->zone->view->requestmgr,
- message, &src, ¬ify->dst, 0, key,
- timeout * 3, timeout,
- notify->zone->task, notify_done,
- notify, ¬ify->request);
- if (result == ISC_R_SUCCESS) {
- if (isc_sockaddr_pf(¬ify->dst) == AF_INET) {
- inc_stats(notify->zone,
- dns_zonestatscounter_notifyoutv4);
- } else {
- inc_stats(notify->zone,
- dns_zonestatscounter_notifyoutv6);
- }
- }
- cleanup_key:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- cleanup_message:
- dns_message_destroy(&message);
- cleanup:
- UNLOCK_ZONE(notify->zone);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_FALSE);
- isc_event_free(&event);
- }
- static void
- notify_send(dns_notify_t *notify) {
- dns_adbaddrinfo_t *ai;
- isc_sockaddr_t dst;
- isc_result_t result;
- dns_notify_t *new = NULL;
- /*
- * Zone lock held by caller.
- */
- REQUIRE(DNS_NOTIFY_VALID(notify));
- REQUIRE(LOCKED_ZONE(notify->zone));
- for (ai = ISC_LIST_HEAD(notify->find->list);
- ai != NULL;
- ai = ISC_LIST_NEXT(ai, publink)) {
- dst = ai->sockaddr;
- if (notify_isqueued(notify->zone, NULL, &dst))
- continue;
- if (notify_isself(notify->zone, &dst))
- continue;
- new = NULL;
- result = notify_create(notify->mctx,
- (notify->flags & DNS_NOTIFY_NOSOA),
- &new);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- zone_iattach(notify->zone, &new->zone);
- ISC_LIST_APPEND(new->zone->notifies, new, link);
- new->dst = dst;
- result = notify_send_queue(new);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- new = NULL;
- }
- cleanup:
- if (new != NULL)
- notify_destroy(new, ISC_TRUE);
- }
- void
- dns_zone_notify(dns_zone_t *zone) {
- isc_time_t now;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- TIME_NOW(&now);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- }
- static void
- zone_notify(dns_zone_t *zone, isc_time_t *now) {
- dns_dbnode_t *node = NULL;
- dns_db_t *zonedb = NULL;
- dns_dbversion_t *version = NULL;
- dns_name_t *origin = NULL;
- dns_name_t master;
- dns_rdata_ns_t ns;
- dns_rdata_soa_t soa;
- isc_uint32_t serial;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t nsrdset;
- dns_rdataset_t soardset;
- isc_result_t result;
- dns_notify_t *notify = NULL;
- unsigned int i;
- isc_sockaddr_t dst;
- isc_boolean_t isqueued;
- dns_notifytype_t notifytype;
- unsigned int flags = 0;
- isc_boolean_t loggednotify = ISC_FALSE;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- notifytype = zone->notifytype;
- DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
- UNLOCK_ZONE(zone);
- if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
- return;
- if (notifytype == dns_notifytype_no)
- return;
- if (notifytype == dns_notifytype_masteronly &&
- zone->type != dns_zone_master)
- return;
- origin = &zone->origin;
- /*
- * If the zone is dialup we are done as we don't want to send
- * the current soa so as to force a refresh query.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
- flags |= DNS_NOTIFY_NOSOA;
- /*
- * Get SOA RRset.
- */
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &zonedb);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (zonedb == NULL)
- return;
- dns_db_currentversion(zonedb, &version);
- result = dns_db_findnode(zonedb, origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto cleanup1;
- dns_rdataset_init(&soardset);
- result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
- dns_rdatatype_none, 0, &soardset, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup2;
- /*
- * Find serial and master server's name.
- */
- dns_name_init(&master, NULL);
- result = dns_rdataset_first(&soardset);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
- dns_rdataset_current(&soardset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- result = dns_name_dup(&soa.origin, zone->mctx, &master);
- serial = soa.serial;
- dns_rdataset_disassociate(&soardset);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
- /*
- * Enqueue notify requests for 'also-notify' servers.
- */
- LOCK_ZONE(zone);
- for (i = 0; i < zone->notifycnt; i++) {
- dst = zone->notify[i];
- if (notify_isqueued(zone, NULL, &dst))
- continue;
- result = notify_create(zone->mctx, flags, ¬ify);
- if (result != ISC_R_SUCCESS)
- continue;
- zone_iattach(zone, ¬ify->zone);
- notify->dst = dst;
- ISC_LIST_APPEND(zone->notifies, notify, link);
- result = notify_send_queue(notify);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_TRUE);
- if (!loggednotify) {
- notify_log(zone, ISC_LOG_INFO,
- "sending notifies (serial %u)",
- serial);
- loggednotify = ISC_TRUE;
- }
- notify = NULL;
- }
- UNLOCK_ZONE(zone);
- if (notifytype == dns_notifytype_explicit)
- goto cleanup3;
- /*
- * Process NS RRset to generate notifies.
- */
- dns_rdataset_init(&nsrdset);
- result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
- dns_rdatatype_none, 0, &nsrdset, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
- result = dns_rdataset_first(&nsrdset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&nsrdset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- /*
- * Don't notify the master server unless explicitly
- * configured to do so.
- */
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
- dns_name_compare(&master, &ns.name) == 0) {
- result = dns_rdataset_next(&nsrdset);
- continue;
- }
- if (!loggednotify) {
- notify_log(zone, ISC_LOG_INFO,
- "sending notifies (serial %u)",
- serial);
- loggednotify = ISC_TRUE;
- }
- LOCK_ZONE(zone);
- isqueued = notify_isqueued(zone, &ns.name, NULL);
- UNLOCK_ZONE(zone);
- if (isqueued) {
- result = dns_rdataset_next(&nsrdset);
- continue;
- }
- result = notify_create(zone->mctx, flags, ¬ify);
- if (result != ISC_R_SUCCESS)
- continue;
- dns_zone_iattach(zone, ¬ify->zone);
- result = dns_name_dup(&ns.name, zone->mctx, ¬ify->ns);
- if (result != ISC_R_SUCCESS) {
- LOCK_ZONE(zone);
- notify_destroy(notify, ISC_TRUE);
- UNLOCK_ZONE(zone);
- continue;
- }
- LOCK_ZONE(zone);
- ISC_LIST_APPEND(zone->notifies, notify, link);
- UNLOCK_ZONE(zone);
- notify_find_address(notify);
- notify = NULL;
- result = dns_rdataset_next(&nsrdset);
- }
- dns_rdataset_disassociate(&nsrdset);
- cleanup3:
- if (dns_name_dynamic(&master))
- dns_name_free(&master, zone->mctx);
- cleanup2:
- dns_db_detachnode(zonedb, &node);
- cleanup1:
- dns_db_closeversion(zonedb, &version, ISC_FALSE);
- dns_db_detach(&zonedb);
- }
- /***
- *** Private
- ***/
- static inline isc_result_t
- save_nsrrset(dns_message_t *message, dns_name_t *name,
- dns_db_t *db, dns_dbversion_t *version)
- {
- dns_rdataset_t *nsrdataset = NULL;
- dns_rdataset_t *rdataset = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdata_ns_t ns;
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- /*
- * Extract NS RRset from message.
- */
- result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
- dns_rdatatype_ns, dns_rdatatype_none,
- NULL, &nsrdataset);
- if (result != ISC_R_SUCCESS)
- goto fail;
- /*
- * Add NS rdataset.
- */
- result = dns_db_findnode(db, name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- nsrdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- /*
- * Add glue rdatasets.
- */
- for (result = dns_rdataset_first(nsrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(nsrdataset)) {
- dns_rdataset_current(nsrdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- if (!dns_name_issubdomain(&ns.name, name))
- continue;
- rdataset = NULL;
- result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
- &ns.name, dns_rdatatype_aaaa,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findnode(db, &ns.name,
- ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- rdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
- rdataset = NULL;
- result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
- &ns.name, dns_rdatatype_a,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findnode(db, &ns.name,
- ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- rdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
- }
- if (result != ISC_R_NOMORE)
- goto fail;
- return (ISC_R_SUCCESS);
- fail:
- return (result);
- }
- static void
- stub_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "stub_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_stub_t *stub = NULL;
- dns_message_t *msg = NULL;
- dns_zone_t *zone = NULL;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- isc_uint32_t nscnt, cnamecnt, refresh, retry, expire;
- isc_result_t result;
- isc_time_t now;
- isc_boolean_t exiting = ISC_FALSE;
- isc_interval_t i;
- unsigned int j;
- stub = revent->ev_arg;
- INSIST(DNS_STUB_VALID(stub));
- UNUSED(task);
- zone = stub->zone;
- ENTER;
- TIME_NOW(&now);
- LOCK_ZONE(zone);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- zone_debuglog(zone, me, 1, "exiting");
- exiting = ISC_TRUE;
- goto next_master;
- }
- isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
- isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
- if (revent->result != ISC_R_SUCCESS) {
- if (revent->result == ISC_R_TIMEDOUT &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refreshing stub: timeout retrying "
- " without EDNS master %s (source %s)",
- master, source);
- goto same_master;
- }
- dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
- &zone->sourceaddr, &now);
- dns_zone_log(zone, ISC_LOG_INFO,
- "could not refresh stub from master %s"
- " (source %s): %s", master, source,
- dns_result_totext(revent->result));
- goto next_master;
- }
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- result = dns_request_getresponse(revent->request, msg, 0);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- /*
- * Unexpected rcode.
- */
- if (msg->rcode != dns_rcode_noerror) {
- char rcode[128];
- isc_buffer_t rb;
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
- (msg->rcode == dns_rcode_servfail ||
- msg->rcode == dns_rcode_notimp ||
- msg->rcode == dns_rcode_formerr)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refreshing stub: rcode (%.*s) retrying "
- "without EDNS master %s (source %s)",
- (int)rb.used, rcode, master, source);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- goto same_master;
- }
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
- "unexpected rcode (%.*s) from %s (source %s)",
- (int)rb.used, rcode, master, source);
- goto next_master;
- }
- /*
- * We need complete messages.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- if (dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: truncated TCP "
- "response from master %s (source %s)",
- master, source);
- goto next_master;
- }
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
- goto same_master;
- }
- /*
- * If non-auth log and next master.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
- dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
- "non-authoritative answer from "
- "master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * Sanity checks.
- */
- cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
- nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
- if (cnamecnt != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: unexpected CNAME response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- if (nscnt == 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: no NS records in response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * Save answer.
- */
- result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: unable to save NS records "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * Tidy up.
- */
- dns_db_closeversion(stub->db, &stub->version, ISC_TRUE);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
- if (zone->db == NULL)
- zone_attachdb(zone, stub->db);
- result = zone_get_from_db(zone, zone->db, NULL, NULL, NULL, &refresh,
- &retry, &expire, NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- zone->refresh = RANGE(refresh, zone->minrefresh,
- zone->maxrefresh);
- zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
- zone->expire = RANGE(expire, zone->refresh + zone->retry,
- DNS_MAX_EXPIRE);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- }
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- dns_db_detach(&stub->db);
- dns_message_destroy(&msg);
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
- DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
- isc_interval_set(&i, zone->expire, 0);
- DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
- if (zone->masterfile != NULL)
- zone_needdump(zone, 0);
- zone_settimer(zone, &now);
- goto free_stub;
- next_master:
- if (stub->version != NULL)
- dns_db_closeversion(stub->db, &stub->version, ISC_FALSE);
- if (stub->db != NULL)
- dns_db_detach(&stub->db);
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- if (exiting || zone->curmaster >= zone->masterscnt) {
- isc_boolean_t done = ISC_TRUE;
- if (!exiting &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- /*
- * Did we get a good answer from all the masters?
- */
- for (j = 0; j < zone->masterscnt; j++)
- if (zone->mastersok[j] == ISC_FALSE) {
- done = ISC_FALSE;
- break;
- }
- } else
- done = ISC_TRUE;
- if (!done) {
- zone->curmaster = 0;
- /*
- * Find the next failed master.
- */
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- } else {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- zone_settimer(zone, &now);
- goto free_stub;
- }
- }
- queue_soa_query(zone);
- goto free_stub;
- same_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- ns_query(zone, NULL, stub);
- UNLOCK_ZONE(zone);
- goto done;
- free_stub:
- UNLOCK_ZONE(zone);
- stub->magic = 0;
- dns_zone_idetach(&stub->zone);
- INSIST(stub->db == NULL);
- INSIST(stub->version == NULL);
- isc_mem_put(stub->mctx, stub, sizeof(*stub));
- done:
- INSIST(event == NULL);
- return;
- }
- /*
- * An SOA query has finished (successfully or not).
- */
- static void
- refresh_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "refresh_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_zone_t *zone;
- dns_message_t *msg = NULL;
- isc_uint32_t soacnt, cnamecnt, soacount, nscount;
- isc_time_t now;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
- isc_result_t result;
- isc_uint32_t serial, oldserial = 0;
- unsigned int j;
- isc_boolean_t do_queue_xfrin = ISC_FALSE;
- zone = revent->ev_arg;
- INSIST(DNS_ZONE_VALID(zone));
- UNUSED(task);
- ENTER;
- TIME_NOW(&now);
- LOCK_ZONE(zone);
- /*
- * if timeout log and next master;
- */
- isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
- isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
- if (revent->result != ISC_R_SUCCESS) {
- if (revent->result == ISC_R_TIMEDOUT &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refresh: timeout retrying without EDNS "
- "master %s (source %s)", master, source);
- goto same_master;
- }
- if (revent->result == ISC_R_TIMEDOUT &&
- !dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: retry limit for "
- "master %s exceeded (source %s)",
- master, source);
- /* Try with slave with TCP. */
- if (zone->type == dns_zone_slave &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) {
- if (!dns_zonemgr_unreachable(zone->zmgr,
- &zone->masteraddr,
- &zone->sourceaddr,
- &now))
- {
- DNS_ZONE_SETFLAG(zone,
- DNS_ZONEFLG_SOABEFOREAXFR);
- goto tcp_transfer;
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refresh: skipped tcp fallback "
- "as master %s (source %s) is "
- "unreachable (cached)",
- master, source);
- }
- } else
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: failure trying master "
- "%s (source %s): %s", master, source,
- dns_result_totext(revent->result));
- goto next_master;
- }
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- result = dns_request_getresponse(revent->request, msg, 0);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: failure trying master "
- "%s (source %s): %s", master, source,
- dns_result_totext(result));
- goto next_master;
- }
- /*
- * Unexpected rcode.
- */
- if (msg->rcode != dns_rcode_noerror) {
- char rcode[128];
- isc_buffer_t rb;
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
- (msg->rcode == dns_rcode_servfail ||
- msg->rcode == dns_rcode_notimp ||
- msg->rcode == dns_rcode_formerr)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refresh: rcode (%.*s) retrying without "
- "EDNS master %s (source %s)",
- (int)rb.used, rcode, master, source);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- goto same_master;
- }
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: unexpected rcode (%.*s) from "
- "master %s (source %s)", (int)rb.used, rcode,
- master, source);
- /*
- * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
- */
- if (msg->rcode == dns_rcode_refused &&
- zone->type == dns_zone_slave)
- goto tcp_transfer;
- goto next_master;
- }
- /*
- * If truncated punt to zone transfer which will query again.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- if (zone->type == dns_zone_slave) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: truncated UDP answer, "
- "initiating TCP zone xfer "
- "for master %s (source %s)",
- master, source);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
- goto tcp_transfer;
- } else {
- INSIST(zone->type == dns_zone_stub);
- if (dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: truncated TCP response "
- "from master %s (source %s)",
- master, source);
- goto next_master;
- }
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
- goto same_master;
- }
- }
- /*
- * if non-auth log and next master;
- */
- if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: non-authoritative answer from "
- "master %s (source %s)", master, source);
- goto next_master;
- }
- cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
- soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
- nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
- soacount = message_count(msg, DNS_SECTION_AUTHORITY,
- dns_rdatatype_soa);
- /*
- * There should not be a CNAME record at top of zone.
- */
- if (cnamecnt != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: CNAME at top of zone "
- "in master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * if referral log and next master;
- */
- if (soacnt == 0 && soacount == 0 && nscount != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: referral response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * if nodata log and next master;
- */
- if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: NODATA response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- /*
- * Only one soa at top of zone.
- */
- if (soacnt != 1) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: answer SOA count (%d) != 1 "
- "from master %s (source %s)",
- soacnt, master, source);
- goto next_master;
- }
- /*
- * Extract serial
- */
- rdataset = NULL;
- result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
- dns_rdatatype_soa, dns_rdatatype_none,
- NULL, &rdataset);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: unable to get SOA record "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: dns_rdataset_first() failed");
- goto next_master;
- }
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- serial = soa.serial;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- result = zone_get_from_db(zone, zone->db, NULL, NULL,
- &oldserial, NULL, NULL, NULL, NULL,
- NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- zone_debuglog(zone, me, 1, "serial: new %u, old %u",
- serial, oldserial);
- } else
- zone_debuglog(zone, me, 1, "serial: new %u, old not loaded",
- serial);
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
- isc_serial_gt(serial, oldserial)) {
- if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
- &zone->sourceaddr, &now))
- {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: skipping %s as master %s "
- "(source %s) is unreachable (cached)",
- zone->type == dns_zone_slave ?
- "zone transfer" : "NS query",
- master, source);
- goto next_master;
- }
- tcp_transfer:
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- if (zone->type == dns_zone_slave) {
- do_queue_xfrin = ISC_TRUE;
- } else {
- INSIST(zone->type == dns_zone_stub);
- ns_query(zone, rdataset, NULL);
- }
- if (msg != NULL)
- dns_message_destroy(&msg);
- } else if (isc_serial_eq(soa.serial, oldserial)) {
- if (zone->masterfile != NULL) {
- result = ISC_R_FAILURE;
- if (zone->journal != NULL)
- result = isc_file_settime(zone->journal, &now);
- if (result == ISC_R_SUCCESS &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- result = isc_file_settime(zone->masterfile,
- &now);
- } else if (result != ISC_R_SUCCESS)
- result = isc_file_settime(zone->masterfile,
- &now);
- /* Someone removed the file from underneath us! */
- if (result == ISC_R_FILENOTFOUND) {
- zone_needdump(zone, DNS_DUMP_DELAY);
- } else if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "refresh: could not set file "
- "modification time of '%s': %s",
- zone->masterfile,
- dns_result_totext(result));
- }
- DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
- DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
- zone->mastersok[zone->curmaster] = ISC_TRUE;
- goto next_master;
- } else {
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
- dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
- "received from master %s < ours (%u)",
- soa.serial, master, oldserial);
- else
- zone_debuglog(zone, me, 1, "ahead");
- zone->mastersok[zone->curmaster] = ISC_TRUE;
- goto next_master;
- }
- if (msg != NULL)
- dns_message_destroy(&msg);
- goto detach;
- next_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- if (zone->curmaster >= zone->masterscnt) {
- isc_boolean_t done = ISC_TRUE;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- /*
- * Did we get a good answer from all the masters?
- */
- for (j = 0; j < zone->masterscnt; j++)
- if (zone->mastersok[j] == ISC_FALSE) {
- done = ISC_FALSE;
- break;
- }
- } else
- done = ISC_TRUE;
- if (!done) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- zone->curmaster = 0;
- /*
- * Find the next failed master.
- */
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- goto requeue;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->refreshtime = now;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- zone_settimer(zone, &now);
- goto detach;
- }
- requeue:
- queue_soa_query(zone);
- goto detach;
- same_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- dns_request_destroy(&zone->request);
- queue_soa_query(zone);
- detach:
- UNLOCK_ZONE(zone);
- if (do_queue_xfrin)
- queue_xfrin(zone);
- dns_zone_idetach(&zone);
- return;
- }
- static void
- queue_soa_query(dns_zone_t *zone) {
- const char me[] = "queue_soa_query";
- isc_event_t *e;
- dns_zone_t *dummy = NULL;
- isc_result_t result;
- ENTER;
- /*
- * Locked by caller
- */
- REQUIRE(LOCKED_ZONE(zone));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- cancel_refresh(zone);
- return;
- }
- e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
- soa_query, zone, sizeof(isc_event_t));
- if (e == NULL) {
- cancel_refresh(zone);
- return;
- }
- /*
- * Attach so that we won't clean up
- * until the event is delivered.
- */
- zone_iattach(zone, &dummy);
- e->ev_arg = zone;
- e->ev_sender = NULL;
- result = isc_ratelimiter_enqueue(zone->zmgr->rl, zone->task, &e);
- if (result != ISC_R_SUCCESS) {
- zone_idetach(&dummy);
- isc_event_free(&e);
- cancel_refresh(zone);
- }
- }
- static inline isc_result_t
- create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
- dns_message_t **messagep)
- {
- dns_message_t *message = NULL;
- dns_name_t *qname = NULL;
- dns_rdataset_t *qrdataset = NULL;
- isc_result_t result;
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
- &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- message->opcode = dns_opcode_query;
- message->rdclass = zone->rdclass;
- result = dns_message_gettempname(message, &qname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdataset(message, &qrdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- /*
- * Make question.
- */
- dns_name_init(qname, NULL);
- dns_name_clone(&zone->origin, qname);
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
- dns_message_addname(message, qname, DNS_SECTION_QUESTION);
- *messagep = message;
- return (ISC_R_SUCCESS);
- cleanup:
- if (qname != NULL)
- dns_message_puttempname(message, &qname);
- if (qrdataset != NULL)
- dns_message_puttemprdataset(message, &qrdataset);
- if (message != NULL)
- dns_message_destroy(&message);
- return (result);
- }
- static isc_result_t
- add_opt(dns_message_t *message, isc_uint16_t udpsize, isc_boolean_t reqnsid) {
- dns_rdataset_t *rdataset = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdata_t *rdata = NULL;
- isc_result_t result;
- result = dns_message_gettemprdatalist(message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdata(message, &rdata);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdataset(message, &rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdataset_init(rdataset);
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
- /*
- * Set Maximum UDP buffer size.
- */
- rdatalist->rdclass = udpsize;
- /*
- * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
- */
- rdatalist->ttl = 0;
- /* Set EDNS options if applicable */
- if (reqnsid) {
- unsigned char data[4];
- isc_buffer_t buf;
- isc_buffer_init(&buf, data, sizeof(data));
- isc_buffer_putuint16(&buf, DNS_OPT_NSID);
- isc_buffer_putuint16(&buf, 0);
- rdata->data = data;
- rdata->length = sizeof(data);
- } else {
- rdata->data = NULL;
- rdata->length = 0;
- }
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatalist->type;
- rdata->flags = 0;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
- return (dns_message_setopt(message, rdataset));
- cleanup:
- if (rdatalist != NULL)
- dns_message_puttemprdatalist(message, &rdatalist);
- if (rdataset != NULL)
- dns_message_puttemprdataset(message, &rdataset);
- if (rdata != NULL)
- dns_message_puttemprdata(message, &rdata);
- return (result);
- }
- static void
- soa_query(isc_task_t *task, isc_event_t *event) {
- const char me[] = "soa_query";
- isc_result_t result = ISC_R_FAILURE;
- dns_message_t *message = NULL;
- dns_zone_t *zone = event->ev_arg;
- dns_zone_t *dummy = NULL;
- isc_netaddr_t masterip;
- dns_tsigkey_t *key = NULL;
- isc_uint32_t options;
- isc_boolean_t cancel = ISC_TRUE;
- int timeout;
- isc_boolean_t have_xfrsource, reqnsid;
- isc_uint16_t udpsize = SEND_BUFFER_SIZE;
- REQUIRE(DNS_ZONE_VALID(zone));
- UNUSED(task);
- ENTER;
- LOCK_ZONE(zone);
- if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
- zone->view->requestmgr == NULL) {
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- cancel = ISC_FALSE;
- goto cleanup;
- }
- /*
- * XXX Optimisation: Create message when zone is setup and reuse.
- */
- result = create_query(zone, dns_rdatatype_soa, &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- again:
- INSIST(zone->masterscnt > 0);
- INSIST(zone->curmaster < zone->masterscnt);
- zone->masteraddr = zone->masters[zone->curmaster];
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &key);
- if (result != ISC_R_SUCCESS) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(keyname, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find key: %s", namebuf);
- goto skip_master;
- }
- }
- if (key == NULL) {
- result = dns_view_getpeertsig(zone->view, &masterip, &key);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
- char addrbuf[ISC_NETADDR_FORMATSIZE];
- isc_netaddr_format(&masterip, addrbuf, sizeof(addrbuf));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find TSIG key for %s", addrbuf);
- goto skip_master;
- }
- }
- have_xfrsource = ISC_FALSE;
- reqnsid = zone->view->requestnsid;
- if (zone->view->peers != NULL) {
- dns_peer_t *peer = NULL;
- isc_boolean_t edns;
- result = dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
- if (result == ISC_R_SUCCESS) {
- result = dns_peer_getsupportedns(peer, &edns);
- if (result == ISC_R_SUCCESS && !edns)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- result = dns_peer_gettransfersource(peer,
- &zone->sourceaddr);
- if (result == ISC_R_SUCCESS)
- have_xfrsource = ISC_TRUE;
- if (zone->view->resolver != NULL)
- udpsize =
- dns_resolver_getudpsize(zone->view->resolver);
- (void)dns_peer_getudpsize(peer, &udpsize);
- (void)dns_peer_getrequestnsid(peer, &reqnsid);
- }
- }
- switch (isc_sockaddr_pf(&zone->masteraddr)) {
- case PF_INET:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- if (isc_sockaddr_equal(&zone->altxfrsource4,
- &zone->xfrsource4))
- goto skip_master;
- zone->sourceaddr = zone->altxfrsource4;
- } else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource4;
- break;
- case PF_INET6:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- if (isc_sockaddr_equal(&zone->altxfrsource6,
- &zone->xfrsource6))
- goto skip_master;
- zone->sourceaddr = zone->altxfrsource6;
- } else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup;
- }
- options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
- DNS_REQUESTOPT_TCP : 0;
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- result = add_opt(message, udpsize, reqnsid);
- if (result != ISC_R_SUCCESS)
- zone_debuglog(zone, me, 1,
- "unable to add opt record: %s",
- dns_result_totext(result));
- }
- zone_iattach(zone, &dummy);
- timeout = 15;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- timeout = 30;
- result = dns_request_createvia2(zone->view->requestmgr, message,
- &zone->sourceaddr, &zone->masteraddr,
- options, key, timeout * 3, timeout,
- zone->task, refresh_callback, zone,
- &zone->request);
- if (result != ISC_R_SUCCESS) {
- zone_idetach(&dummy);
- zone_debuglog(zone, me, 1,
- "dns_request_createvia2() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- } else {
- if (isc_sockaddr_pf(&zone->masteraddr) == PF_INET)
- inc_stats(zone, dns_zonestatscounter_soaoutv4);
- else
- inc_stats(zone, dns_zonestatscounter_soaoutv6);
- }
- cancel = ISC_FALSE;
- cleanup:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- if (result != ISC_R_SUCCESS)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- if (message != NULL)
- dns_message_destroy(&message);
- if (cancel)
- cancel_refresh(zone);
- isc_event_free(&event);
- UNLOCK_ZONE(zone);
- dns_zone_idetach(&zone);
- return;
- skip_master:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- if (zone->curmaster < zone->masterscnt)
- goto again;
- zone->curmaster = 0;
- goto cleanup;
- }
- static void
- ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
- const char me[] = "ns_query";
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_netaddr_t masterip;
- dns_tsigkey_t *key = NULL;
- dns_dbnode_t *node = NULL;
- int timeout;
- isc_boolean_t have_xfrsource = ISC_FALSE, reqnsid;
- isc_uint16_t udpsize = SEND_BUFFER_SIZE;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
- REQUIRE((soardataset != NULL && stub == NULL) ||
- (soardataset == NULL && stub != NULL));
- REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
- ENTER;
- if (stub == NULL) {
- stub = isc_mem_get(zone->mctx, sizeof(*stub));
- if (stub == NULL)
- goto cleanup;
- stub->magic = STUB_MAGIC;
- stub->mctx = zone->mctx;
- stub->zone = NULL;
- stub->db = NULL;
- stub->version = NULL;
- /*
- * Attach so that the zone won't disappear from under us.
- */
- zone_iattach(zone, &stub->zone);
- /*
- * If a db exists we will update it, otherwise we create a
- * new one and attach it to the zone once we have the NS
- * RRset and glue.
- */
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL) {
- dns_db_attach(zone->db, &stub->db);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- } else {
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- INSIST(zone->db_argc >= 1);
- result = dns_db_create(zone->mctx, zone->db_argv[0],
- &zone->origin, dns_dbtype_stub,
- zone->rdclass,
- zone->db_argc - 1,
- zone->db_argv + 1,
- &stub->db);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "refreshing stub: "
- "could not create "
- "database: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- dns_db_settask(stub->db, zone->task);
- }
- result = dns_db_newversion(stub->db, &stub->version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
- "dns_db_newversion() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- /*
- * Update SOA record.
- */
- result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE,
- &node);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
- "dns_db_findnode() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- result = dns_db_addrdataset(stub->db, node, stub->version, 0,
- soardataset, 0, NULL);
- dns_db_detachnode(stub->db, &node);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
- "dns_db_addrdataset() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- }
- /*
- * XXX Optimisation: Create message when zone is setup and reuse.
- */
- result = create_query(zone, dns_rdatatype_ns, &message);
- INSIST(result == ISC_R_SUCCESS);
- INSIST(zone->masterscnt > 0);
- INSIST(zone->curmaster < zone->masterscnt);
- zone->masteraddr = zone->masters[zone->curmaster];
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &key);
- if (result != ISC_R_SUCCESS) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(keyname, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find key: %s", namebuf);
- }
- }
- if (key == NULL)
- (void)dns_view_getpeertsig(zone->view, &masterip, &key);
- reqnsid = zone->view->requestnsid;
- if (zone->view->peers != NULL) {
- dns_peer_t *peer = NULL;
- isc_boolean_t edns;
- result = dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
- if (result == ISC_R_SUCCESS) {
- result = dns_peer_getsupportedns(peer, &edns);
- if (result == ISC_R_SUCCESS && !edns)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- result = dns_peer_gettransfersource(peer,
- &zone->sourceaddr);
- if (result == ISC_R_SUCCESS)
- have_xfrsource = ISC_TRUE;
- if (zone->view->resolver != NULL)
- udpsize =
- dns_resolver_getudpsize(zone->view->resolver);
- (void)dns_peer_getudpsize(peer, &udpsize);
- (void)dns_peer_getrequestnsid(peer, &reqnsid);
- }
- }
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- result = add_opt(message, udpsize, reqnsid);
- if (result != ISC_R_SUCCESS)
- zone_debuglog(zone, me, 1,
- "unable to add opt record: %s",
- dns_result_totext(result));
- }
- /*
- * Always use TCP so that we shouldn't truncate in additional section.
- */
- switch (isc_sockaddr_pf(&zone->masteraddr)) {
- case PF_INET:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
- zone->sourceaddr = zone->altxfrsource4;
- else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource4;
- break;
- case PF_INET6:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
- zone->sourceaddr = zone->altxfrsource6;
- else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- POST(result);
- goto cleanup;
- }
- timeout = 15;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- timeout = 30;
- result = dns_request_createvia2(zone->view->requestmgr, message,
- &zone->sourceaddr, &zone->masteraddr,
- DNS_REQUESTOPT_TCP, key, timeout * 3,
- timeout, zone->task, stub_callback,
- stub, &zone->request);
- if (result != ISC_R_SUCCESS) {
- zone_debuglog(zone, me, 1,
- "dns_request_createvia() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- dns_message_destroy(&message);
- goto unlock;
- cleanup:
- cancel_refresh(zone);
- if (stub != NULL) {
- stub->magic = 0;
- if (stub->version != NULL)
- dns_db_closeversion(stub->db, &stub->version,
- ISC_FALSE);
- if (stub->db != NULL)
- dns_db_detach(&stub->db);
- if (stub->zone != NULL)
- zone_idetach(&stub->zone);
- isc_mem_put(stub->mctx, stub, sizeof(*stub));
- }
- if (message != NULL)
- dns_message_destroy(&message);
- unlock:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- return;
- }
- /*
- * Handle the control event. Note that although this event causes the zone
- * to shut down, it is not a shutdown event in the sense of the task library.
- */
- static void
- zone_shutdown(isc_task_t *task, isc_event_t *event) {
- dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
- isc_boolean_t free_needed, linked = ISC_FALSE;
- UNUSED(task);
- REQUIRE(DNS_ZONE_VALID(zone));
- INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
- INSIST(isc_refcount_current(&zone->erefs) == 0);
- zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
- /*
- * Stop things being restarted after we cancel them below.
- */
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
- UNLOCK_ZONE(zone);
- /*
- * If we were waiting for xfrin quota, step out of
- * the queue.
- * If there's no zone manager, we can't be waiting for the
- * xfrin quota
- */
- if (zone->zmgr != NULL) {
- RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
- ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
- statelink);
- linked = ISC_TRUE;
- zone->statelist = NULL;
- }
- RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- }
- /*
- * In task context, no locking required. See zone_xfrdone().
- */
- if (zone->xfr != NULL)
- dns_xfrin_shutdown(zone->xfr);
- LOCK_ZONE(zone);
- if (linked) {
- INSIST(zone->irefs > 0);
- zone->irefs--;
- }
- if (zone->request != NULL) {
- dns_request_cancel(zone->request);
- }
- if (zone->readio != NULL)
- zonemgr_cancelio(zone->readio);
- if (zone->lctx != NULL)
- dns_loadctx_cancel(zone->lctx);
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- if (zone->writeio != NULL)
- zonemgr_cancelio(zone->writeio);
- if (zone->dctx != NULL)
- dns_dumpctx_cancel(zone->dctx);
- }
- notify_cancel(zone);
- forward_cancel(zone);
- if (zone->timer != NULL) {
- isc_timer_detach(&zone->timer);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- }
- if (zone->view != NULL)
- dns_view_weakdetach(&zone->view);
- /*
- * We have now canceled everything set the flag to allow exit_check()
- * to succeed. We must not unlock between setting this flag and
- * calling exit_check().
- */
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
- }
- static void
- zone_timer(isc_task_t *task, isc_event_t *event) {
- const char me[] = "zone_timer";
- dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
- UNUSED(task);
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
- zone_maintenance(zone);
- isc_event_free(&event);
- }
- static void
- zone_settimer(dns_zone_t *zone, isc_time_t *now) {
- const char me[] = "zone_settimer";
- isc_time_t next;
- isc_result_t result;
- ENTER;
- REQUIRE(DNS_ZONE_VALID(zone));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- return;
- isc_time_settoepoch(&next);
- switch (zone->type) {
- case dns_zone_master:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
- next = zone->notifytime;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- INSIST(!isc_time_isepoch(&zone->dumptime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->dumptime, &next) < 0)
- next = zone->dumptime;
- }
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
- !isc_time_isepoch(&zone->refreshkeytime)) {
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->refreshkeytime, &next) < 0)
- next = zone->refreshkeytime;
- }
- if (!isc_time_isepoch(&zone->resigntime)) {
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->resigntime, &next) < 0)
- next = zone->resigntime;
- }
- if (!isc_time_isepoch(&zone->keywarntime)) {
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->keywarntime, &next) < 0)
- next = zone->keywarntime;
- }
- if (!isc_time_isepoch(&zone->signingtime)) {
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->signingtime, &next) < 0)
- next = zone->signingtime;
- }
- if (!isc_time_isepoch(&zone->nsec3chaintime)) {
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->nsec3chaintime, &next) < 0)
- next = zone->nsec3chaintime;
- }
- break;
- case dns_zone_slave:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
- next = zone->notifytime;
- /*FALLTHROUGH*/
- case dns_zone_stub:
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
- INSIST(!isc_time_isepoch(&zone->refreshtime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->refreshtime, &next) < 0)
- next = zone->refreshtime;
- }
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- INSIST(!isc_time_isepoch(&zone->expiretime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->expiretime, &next) < 0)
- next = zone->expiretime;
- }
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- INSIST(!isc_time_isepoch(&zone->dumptime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->dumptime, &next) < 0)
- next = zone->dumptime;
- }
- break;
- case dns_zone_key:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- INSIST(!isc_time_isepoch(&zone->dumptime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->dumptime, &next) < 0)
- next = zone->dumptime;
- }
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
- if (isc_time_isepoch(&next) ||
- (!isc_time_isepoch(&zone->refreshkeytime) &&
- isc_time_compare(&zone->refreshkeytime, &next) < 0))
- next = zone->refreshkeytime;
- }
- break;
- default:
- break;
- }
- if (isc_time_isepoch(&next)) {
- zone_debuglog(zone, me, 10, "settimer inactive");
- result = isc_timer_reset(zone->timer, isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not deactivate zone timer: %s",
- isc_result_totext(result));
- } else {
- if (isc_time_compare(&next, now) <= 0)
- next = *now;
- result = isc_timer_reset(zone->timer, isc_timertype_once,
- &next, NULL, ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not reset zone timer: %s",
- isc_result_totext(result));
- }
- }
- static void
- cancel_refresh(dns_zone_t *zone) {
- const char me[] = "cancel_refresh";
- isc_time_t now;
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
- ENTER;
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- TIME_NOW(&now);
- zone_settimer(zone, &now);
- }
- static isc_result_t
- notify_createmessage(dns_zone_t *zone, unsigned int flags,
- dns_message_t **messagep)
- {
- dns_db_t *zonedb = NULL;
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_message_t *message = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_name_t *tempname = NULL;
- dns_rdata_t *temprdata = NULL;
- dns_rdatalist_t *temprdatalist = NULL;
- dns_rdataset_t *temprdataset = NULL;
- isc_result_t result;
- isc_region_t r;
- isc_buffer_t *b = NULL;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(messagep != NULL && *messagep == NULL);
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
- &message);
- if (result != ISC_R_SUCCESS)
- return (result);
- message->opcode = dns_opcode_notify;
- message->flags |= DNS_MESSAGEFLAG_AA;
- message->rdclass = zone->rdclass;
- result = dns_message_gettempname(message, &tempname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdataset(message, &temprdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- /*
- * Make question.
- */
- dns_name_init(tempname, NULL);
- dns_name_clone(&zone->origin, tempname);
- dns_rdataset_init(temprdataset);
- dns_rdataset_makequestion(temprdataset, zone->rdclass,
- dns_rdatatype_soa);
- ISC_LIST_APPEND(tempname->list, temprdataset, link);
- dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
- tempname = NULL;
- temprdataset = NULL;
- if ((flags & DNS_NOTIFY_NOSOA) != 0)
- goto done;
- result = dns_message_gettempname(message, &tempname);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdata(message, &temprdata);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdataset(message, &temprdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdatalist(message, &temprdatalist);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
- dns_db_attach(zone->db, &zonedb);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- dns_name_init(tempname, NULL);
- dns_name_clone(&zone->origin, tempname);
- dns_db_currentversion(zonedb, &version);
- result = dns_db_findnode(zonedb, tempname, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(zonedb, node, version,
- dns_rdatatype_soa,
- dns_rdatatype_none, 0, &rdataset,
- NULL);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_rdataset_first(&rdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- dns_rdataset_current(&rdataset, &rdata);
- dns_rdata_toregion(&rdata, &r);
- result = isc_buffer_allocate(zone->mctx, &b, r.length);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- isc_buffer_putmem(b, r.base, r.length);
- isc_buffer_usedregion(b, &r);
- dns_rdata_init(temprdata);
- dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
- dns_message_takebuffer(message, &b);
- result = dns_rdataset_next(&rdataset);
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_NOMORE)
- goto soa_cleanup;
- temprdatalist->rdclass = rdata.rdclass;
- temprdatalist->type = rdata.type;
- temprdatalist->covers = 0;
- temprdatalist->ttl = rdataset.ttl;
- ISC_LIST_INIT(temprdatalist->rdata);
- ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
- dns_rdataset_init(temprdataset);
- result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- ISC_LIST_APPEND(tempname->list, temprdataset, link);
- dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
- temprdatalist = NULL;
- temprdataset = NULL;
- temprdata = NULL;
- tempname = NULL;
- soa_cleanup:
- if (node != NULL)
- dns_db_detachnode(zonedb, &node);
- if (version != NULL)
- dns_db_closeversion(zonedb, &version, ISC_FALSE);
- if (zonedb != NULL)
- dns_db_detach(&zonedb);
- if (tempname != NULL)
- dns_message_puttempname(message, &tempname);
- if (temprdata != NULL)
- dns_message_puttemprdata(message, &temprdata);
- if (temprdataset != NULL)
- dns_message_puttemprdataset(message, &temprdataset);
- if (temprdatalist != NULL)
- dns_message_puttemprdatalist(message, &temprdatalist);
- done:
- *messagep = message;
- return (ISC_R_SUCCESS);
- cleanup:
- if (tempname != NULL)
- dns_message_puttempname(message, &tempname);
- if (temprdataset != NULL)
- dns_message_puttemprdataset(message, &temprdataset);
- dns_message_destroy(&message);
- return (result);
- }
- isc_result_t
- dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
- dns_message_t *msg)
- {
- unsigned int i;
- dns_rdata_soa_t soa;
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- char fromtext[ISC_SOCKADDR_FORMATSIZE];
- int match = 0;
- isc_netaddr_t netaddr;
- isc_sockaddr_t local, remote;
- REQUIRE(DNS_ZONE_VALID(zone));
- /*
- * If type != T_SOA return DNS_R_NOTIMP. We don't yet support
- * ROLLOVER.
- *
- * SOA: RFC1996
- * Check that 'from' is a valid notify source, (zone->masters).
- * Return DNS_R_REFUSED if not.
- *
- * If the notify message contains a serial number check it
- * against the zones serial and return if <= current serial
- *
- * If a refresh check is progress, if so just record the
- * fact we received a NOTIFY and from where and return.
- * We will perform a new refresh check when the current one
- * completes. Return ISC_R_SUCCESS.
- *
- * Otherwise initiate a refresh check using 'from' as the
- * first address to check. Return ISC_R_SUCCESS.
- */
- isc_sockaddr_format(from, fromtext, sizeof(fromtext));
- /*
- * We only handle NOTIFY (SOA) at the present.
- */
- LOCK_ZONE(zone);
- if (isc_sockaddr_pf(from) == PF_INET)
- inc_stats(zone, dns_zonestatscounter_notifyinv4);
- else
- inc_stats(zone, dns_zonestatscounter_notifyinv6);
- if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
- dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
- dns_rdatatype_soa, dns_rdatatype_none,
- NULL, NULL) != ISC_R_SUCCESS) {
- UNLOCK_ZONE(zone);
- if (msg->counts[DNS_SECTION_QUESTION] == 0) {
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "NOTIFY with no "
- "question section from: %s", fromtext);
- return (DNS_R_FORMERR);
- }
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "NOTIFY zone does not match");
- return (DNS_R_NOTIMP);
- }
- /*
- * If we are a master zone just succeed.
- */
- if (zone->type == dns_zone_master) {
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- isc_netaddr_fromsockaddr(&netaddr, from);
- for (i = 0; i < zone->masterscnt; i++) {
- if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
- break;
- if (zone->view->aclenv.match_mapped &&
- IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
- isc_sockaddr_pf(&zone->masters[i]) == AF_INET) {
- isc_netaddr_t na1, na2;
- isc_netaddr_fromv4mapped(&na1, &netaddr);
- isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
- if (isc_netaddr_equal(&na1, &na2))
- break;
- }
- }
- /*
- * Accept notify requests from non masters if they are on
- * 'zone->notify_acl'.
- */
- if (i >= zone->masterscnt && zone->notify_acl != NULL &&
- dns_acl_match(&netaddr, NULL, zone->notify_acl,
- &zone->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- /* Accept notify. */
- } else if (i >= zone->masterscnt) {
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_INFO,
- "refused notify from non-master: %s", fromtext);
- inc_stats(zone, dns_zonestatscounter_notifyrej);
- return (DNS_R_REFUSED);
- }
- /*
- * If the zone is loaded and there are answers check the serial
- * to see if we need to do a refresh. Do not worry about this
- * check if we are a dialup zone as we use the notify request
- * to trigger a refresh check.
- */
- if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) {
- result = dns_message_findname(msg, DNS_SECTION_ANSWER,
- &zone->origin,
- dns_rdatatype_soa,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS)
- result = dns_rdataset_first(rdataset);
- if (result == ISC_R_SUCCESS) {
- isc_uint32_t serial = 0, oldserial;
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- serial = soa.serial;
- /*
- * The following should safely be performed without DB
- * lock and succeed in this context.
- */
- result = zone_get_from_db(zone, zone->db, NULL, NULL,
- &oldserial, NULL, NULL, NULL,
- NULL, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (isc_serial_le(serial, oldserial)) {
- dns_zone_log(zone,
- ISC_LOG_INFO,
- "notify from %s: "
- "zone is up to date",
- fromtext);
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- }
- }
- /*
- * If we got this far and there was a refresh in progress just
- * let it complete. Record where we got the notify from so we
- * can perform a refresh check when the current one completes
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->notifyfrom = *from;
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_INFO,
- "notify from %s: refresh in progress, "
- "refresh check queued",
- fromtext);
- return (ISC_R_SUCCESS);
- }
- zone->notifyfrom = *from;
- local = zone->masteraddr;
- remote = zone->sourceaddr;
- UNLOCK_ZONE(zone);
- dns_zonemgr_unreachabledel(zone->zmgr, &local, &remote);
- dns_zone_refresh(zone);
- return (ISC_R_SUCCESS);
- }
- void
- dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- dns_acl_attach(acl, &zone->notify_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- dns_acl_attach(acl, &zone->query_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->queryon_acl != NULL)
- dns_acl_detach(&zone->queryon_acl);
- dns_acl_attach(acl, &zone->queryon_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- dns_acl_attach(acl, &zone->update_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- dns_acl_attach(acl, &zone->forward_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- dns_acl_attach(acl, &zone->xfr_acl);
- UNLOCK_ZONE(zone);
- }
- dns_acl_t *
- dns_zone_getnotifyacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->notify_acl);
- }
- dns_acl_t *
- dns_zone_getqueryacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->query_acl);
- }
- dns_acl_t *
- dns_zone_getqueryonacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->queryon_acl);
- }
- dns_acl_t *
- dns_zone_getupdateacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->update_acl);
- }
- dns_acl_t *
- dns_zone_getforwardacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->forward_acl);
- }
- dns_acl_t *
- dns_zone_getxfracl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->xfr_acl);
- }
- void
- dns_zone_clearupdateacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_clearforwardacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_clearnotifyacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_clearqueryacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_clearqueryonacl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->queryon_acl != NULL)
- dns_acl_detach(&zone->queryon_acl);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_clearxfracl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- UNLOCK_ZONE(zone);
- }
- isc_boolean_t
- dns_zone_getupdatedisabled(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->update_disabled);
- }
- void
- dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->update_disabled = state;
- }
- isc_boolean_t
- dns_zone_getzeronosoattl(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->zero_no_soa_ttl);
- }
- void
- dns_zone_setzeronosoattl(dns_zone_t *zone, isc_boolean_t state) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->zero_no_soa_ttl = state;
- }
- void
- dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->check_names = severity;
- }
- dns_severity_t
- dns_zone_getchecknames(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->check_names);
- }
- void
- dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->journalsize = size;
- }
- isc_int32_t
- dns_zone_getjournalsize(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->journalsize);
- }
- static void
- zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
- isc_result_t result = ISC_R_FAILURE;
- isc_buffer_t buffer;
- REQUIRE(buf != NULL);
- REQUIRE(length > 1U);
- /*
- * Leave space for terminating '\0'.
- */
- isc_buffer_init(&buffer, buf, length - 1);
- if (dns_name_dynamic(&zone->origin))
- result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
- if (result != ISC_R_SUCCESS &&
- isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
- isc_buffer_putstr(&buffer, "<UNKNOWN>");
- if (isc_buffer_availablelength(&buffer) > 0)
- isc_buffer_putstr(&buffer, "/");
- (void)dns_rdataclass_totext(zone->rdclass, &buffer);
- if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
- strcmp(zone->view->name, "_default") != 0 &&
- strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
- isc_buffer_putstr(&buffer, "/");
- isc_buffer_putstr(&buffer, zone->view->name);
- }
- buf[isc_buffer_usedlength(&buffer)] = '\0';
- }
- static void
- zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
- isc_result_t result = ISC_R_FAILURE;
- isc_buffer_t buffer;
- REQUIRE(buf != NULL);
- REQUIRE(length > 1U);
- /*
- * Leave space for terminating '\0'.
- */
- isc_buffer_init(&buffer, buf, length - 1);
- if (dns_name_dynamic(&zone->origin))
- result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
- if (result != ISC_R_SUCCESS &&
- isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
- isc_buffer_putstr(&buffer, "<UNKNOWN>");
- buf[isc_buffer_usedlength(&buffer)] = '\0';
- }
- static void
- zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
- isc_buffer_t buffer;
- REQUIRE(buf != NULL);
- REQUIRE(length > 1U);
- /*
- * Leave space for terminating '\0'.
- */
- isc_buffer_init(&buffer, buf, length - 1);
- (void)dns_rdataclass_totext(zone->rdclass, &buffer);
- buf[isc_buffer_usedlength(&buffer)] = '\0';
- }
- static void
- zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
- isc_buffer_t buffer;
- REQUIRE(buf != NULL);
- REQUIRE(length > 1U);
- /*
- * Leave space for terminating '\0'.
- */
- isc_buffer_init(&buffer, buf, length - 1);
- if (zone->view == NULL) {
- isc_buffer_putstr(&buffer, "_none");
- } else if (strlen(zone->view->name)
- < isc_buffer_availablelength(&buffer)) {
- isc_buffer_putstr(&buffer, zone->view->name);
- } else {
- isc_buffer_putstr(&buffer, "_toolong");
- }
- buf[isc_buffer_usedlength(&buffer)] = '\0';
- }
- void
- dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(buf != NULL);
- zone_namerd_tostr(zone, buf, length);
- }
- static void
- notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", zone->strnamerd, message);
- }
- void
- dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
- int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
- level, "%s %s: %s", (zone->type == dns_zone_key) ?
- "managed-keys-zone" : "zone", zone->strnamerd, message);
- }
- void
- dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "%s %s: %s", (zone->type == dns_zone_key) ?
- "managed-keys-zone" : "zone", zone->strnamerd, message);
- }
- static void
- zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
- const char *fmt, ...)
- {
- va_list ap;
- char message[4096];
- int level = ISC_LOG_DEBUG(debuglevel);
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "%s: %s %s: %s", me, zone->type != dns_zone_key ?
- "zone" : "managed-keys-zone", zone->strnamerd, message);
- }
- static int
- message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
- {
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *curr;
- int count = 0;
- result = dns_message_firstname(msg, section);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(msg, section, &name);
- for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
- curr = ISC_LIST_PREV(curr, link)) {
- if (curr->type == type)
- count++;
- }
- result = dns_message_nextname(msg, section);
- }
- return (count);
- }
- void
- dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->maxxfrin = maxxfrin;
- }
- isc_uint32_t
- dns_zone_getmaxxfrin(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->maxxfrin);
- }
- void
- dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->maxxfrout = maxxfrout;
- }
- isc_uint32_t
- dns_zone_getmaxxfrout(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->maxxfrout);
- }
- dns_zonetype_t
- dns_zone_gettype(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->type);
- }
- dns_name_t *
- dns_zone_getorigin(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->origin);
- }
- void
- dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->task != NULL)
- isc_task_detach(&zone->task);
- isc_task_attach(task, &zone->task);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
- dns_db_settask(zone->db, zone->task);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
- REQUIRE(DNS_ZONE_VALID(zone));
- isc_task_attach(zone->task, target);
- }
- void
- dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein) {
- REQUIRE(DNS_ZONE_VALID(zone));
- if (idlein == 0)
- idlein = DNS_DEFAULT_IDLEIN;
- zone->idlein = idlein;
- }
- isc_uint32_t
- dns_zone_getidlein(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->idlein);
- }
- void
- dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->idleout = idleout;
- }
- isc_uint32_t
- dns_zone_getidleout(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->idleout);
- }
- static void
- notify_done(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_notify_t *notify;
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_buffer_t buf;
- char rcode[128];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- UNUSED(task);
- notify = event->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- INSIST(task == notify->zone->task);
- isc_buffer_init(&buf, rcode, sizeof(rcode));
- isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf));
- result = revent->result;
- if (result == ISC_R_SUCCESS)
- result = dns_message_create(notify->zone->mctx,
- DNS_MESSAGE_INTENTPARSE, &message);
- if (result == ISC_R_SUCCESS)
- result = dns_request_getresponse(revent->request, message,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- if (result == ISC_R_SUCCESS)
- result = dns_rcode_totext(message->rcode, &buf);
- if (result == ISC_R_SUCCESS)
- notify_log(notify->zone, ISC_LOG_DEBUG(3),
- "notify response from %s: %.*s",
- addrbuf, (int)buf.used, rcode);
- else
- notify_log(notify->zone, ISC_LOG_DEBUG(2),
- "notify to %s failed: %s", addrbuf,
- dns_result_totext(result));
- /*
- * Old bind's return formerr if they see a soa record. Retry w/o
- * the soa if we see a formerr and had sent a SOA.
- */
- isc_event_free(&event);
- if (message != NULL && message->rcode == dns_rcode_formerr &&
- (notify->flags & DNS_NOTIFY_NOSOA) == 0) {
- notify->flags |= DNS_NOTIFY_NOSOA;
- dns_request_destroy(¬ify->request);
- result = notify_send_queue(notify);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_FALSE);
- } else {
- if (result == ISC_R_TIMEDOUT)
- notify_log(notify->zone, ISC_LOG_DEBUG(1),
- "notify to %s: retries exceeded", addrbuf);
- notify_destroy(notify, ISC_FALSE);
- }
- if (message != NULL)
- dns_message_destroy(&message);
- }
- isc_result_t
- dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
- isc_result_t result;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
- result = zone_replacedb(zone, db, dump);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- UNLOCK_ZONE(zone);
- return (result);
- }
- static isc_result_t
- zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
- dns_dbversion_t *ver;
- isc_result_t result;
- unsigned int soacount = 0;
- unsigned int nscount = 0;
- /*
- * 'zone' and 'zonedb' locked by caller.
- */
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
- result = zone_get_from_db(zone, db, &nscount, &soacount,
- NULL, NULL, NULL, NULL, NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- if (soacount != 1) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has %d SOA records", soacount);
- result = DNS_R_BADZONE;
- }
- if (nscount == 0 && zone->type != dns_zone_key) {
- dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
- result = DNS_R_BADZONE;
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- } else {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "retrieving SOA and NS records failed: %s",
- dns_result_totext(result));
- return (result);
- }
- result = check_nsec3param(zone, db);
- if (result != ISC_R_SUCCESS)
- return (result);
- ver = NULL;
- dns_db_currentversion(db, &ver);
- /*
- * The initial version of a slave zone is always dumped;
- * subsequent versions may be journaled instead if this
- * is enabled in the configuration.
- */
- if (zone->db != NULL && zone->journal != NULL &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
- isc_uint32_t serial, oldserial;
- dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
- result = dns_db_getsoaserial(db, ver, &serial);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: unable to get "
- "new serial");
- goto fail;
- }
- /*
- * This is checked in zone_postload() for master zones.
- */
- result = zone_get_from_db(zone, zone->db, NULL, NULL,
- &oldserial, NULL, NULL, NULL, NULL,
- NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (zone->type == dns_zone_slave &&
- !isc_serial_gt(serial, oldserial)) {
- isc_uint32_t serialmin, serialmax;
- serialmin = (oldserial + 1) & 0xffffffffU;
- serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: failed: "
- "new serial (%u) out of range [%u - %u]",
- serial, serialmin, serialmax);
- result = ISC_R_RANGE;
- goto fail;
- }
- result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
- zone->journal);
- if (result != ISC_R_SUCCESS)
- goto fail;
- if (dump)
- zone_needdump(zone, DNS_DUMP_DELAY);
- else if (zone->journalsize != -1) {
- result = dns_journal_compact(zone->mctx, zone->journal,
- serial, zone->journalsize);
- switch (result) {
- case ISC_R_SUCCESS:
- case ISC_R_NOSPACE:
- case ISC_R_NOTFOUND:
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "dns_journal_compact: %s",
- dns_result_totext(result));
- break;
- default:
- dns_zone_log(zone, ISC_LOG_ERROR,
- "dns_journal_compact failed: %s",
- dns_result_totext(result));
- break;
- }
- }
- } else {
- if (dump && zone->masterfile != NULL) {
- /*
- * If DNS_ZONEFLG_FORCEXFER was set we don't want
- * to keep the old masterfile.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
- remove(zone->masterfile) < 0 && errno != ENOENT) {
- char strbuf[ISC_STRERRORSIZE];
- isc__strerror(errno, strbuf, sizeof(strbuf));
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE,
- ISC_LOG_WARNING,
- "unable to remove masterfile "
- "'%s': '%s'",
- zone->masterfile, strbuf);
- }
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
- else
- zone_needdump(zone, 0);
- }
- if (dump && zone->journal != NULL) {
- /*
- * The in-memory database just changed, and
- * because 'dump' is set, it didn't change by
- * being loaded from disk. Also, we have not
- * journaled diffs for this change.
- * Therefore, the on-disk journal is missing
- * the deltas for this change. Since it can
- * no longer be used to bring the zone
- * up-to-date, it is useless and should be
- * removed.
- */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "removing journal file");
- if (remove(zone->journal) < 0 && errno != ENOENT) {
- char strbuf[ISC_STRERRORSIZE];
- isc__strerror(errno, strbuf, sizeof(strbuf));
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE,
- ISC_LOG_WARNING,
- "unable to remove journal "
- "'%s': '%s'",
- zone->journal, strbuf);
- }
- }
- }
- dns_db_closeversion(db, &ver, ISC_FALSE);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "replacing zone database");
- if (zone->db != NULL)
- zone_detachdb(zone);
- zone_attachdb(zone, db);
- dns_db_settask(zone->db, zone->task);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
- return (ISC_R_SUCCESS);
- fail:
- dns_db_closeversion(db, &ver, ISC_FALSE);
- return (result);
- }
- /* The caller must hold the dblock as a writer. */
- static inline void
- zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
- REQUIRE(zone->db == NULL && db != NULL);
- dns_db_attach(db, &zone->db);
- if (zone->acache != NULL) {
- isc_result_t result;
- result = dns_acache_setdb(zone->acache, db);
- if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_acache_setdb() failed: %s",
- isc_result_totext(result));
- }
- }
- }
- /* The caller must hold the dblock as a writer. */
- static inline void
- zone_detachdb(dns_zone_t *zone) {
- REQUIRE(zone->db != NULL);
- if (zone->acache != NULL)
- (void)dns_acache_putdb(zone->acache, zone->db);
- dns_db_detach(&zone->db);
- }
- static void
- zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
- isc_time_t now;
- isc_boolean_t again = ISC_FALSE;
- unsigned int soacount;
- unsigned int nscount;
- isc_uint32_t serial, refresh, retry, expire, minimum;
- isc_result_t xfrresult = result;
- isc_boolean_t free_needed;
- REQUIRE(DNS_ZONE_VALID(zone));
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "zone transfer finished: %s", dns_result_totext(result));
- LOCK_ZONE(zone);
- INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
- TIME_NOW(&now);
- switch (result) {
- case ISC_R_SUCCESS:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- /*FALLTHROUGH*/
- case DNS_R_UPTODATE:
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
- /*
- * Has the zone expired underneath us?
- */
- ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db == NULL) {
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- goto same_master;
- }
- /*
- * Update the zone structure's data from the actual
- * SOA received.
- */
- nscount = 0;
- soacount = 0;
- INSIST(zone->db != NULL);
- result = zone_get_from_db(zone, zone->db, &nscount,
- &soacount, &serial, &refresh,
- &retry, &expire, &minimum, NULL);
- ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (result == ISC_R_SUCCESS) {
- if (soacount != 1)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transferred zone "
- "has %d SOA record%s", soacount,
- (soacount != 0) ? "s" : "");
- if (nscount == 0) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transferred zone "
- "has no NS records");
- if (DNS_ZONE_FLAG(zone,
- DNS_ZONEFLG_HAVETIMERS)) {
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- zone_unload(zone);
- goto next_master;
- }
- zone->refresh = RANGE(refresh, zone->minrefresh,
- zone->maxrefresh);
- zone->retry = RANGE(retry, zone->minretry,
- zone->maxretry);
- zone->expire = RANGE(expire,
- zone->refresh + zone->retry,
- DNS_MAX_EXPIRE);
- zone->minimum = minimum;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- }
- /*
- * Set our next update/expire times.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->refreshtime = now;
- DNS_ZONE_TIME_ADD(&now, zone->expire,
- &zone->expiretime);
- } else {
- DNS_ZONE_JITTER_ADD(&now, zone->refresh,
- &zone->refreshtime);
- DNS_ZONE_TIME_ADD(&now, zone->expire,
- &zone->expiretime);
- }
- if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
- char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- if (zone->tsigkey != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(&zone->tsigkey->name, namebuf,
- sizeof(namebuf));
- snprintf(buf, sizeof(buf), ": TSIG '%s'",
- namebuf);
- } else
- buf[0] = '\0';
- dns_zone_log(zone, ISC_LOG_INFO,
- "transferred serial %u%s",
- serial, buf);
- }
- /*
- * This is not necessary if we just performed a AXFR
- * however it is necessary for an IXFR / UPTODATE and
- * won't hurt with an AXFR.
- */
- if (zone->masterfile != NULL || zone->journal != NULL) {
- result = ISC_R_FAILURE;
- if (zone->journal != NULL)
- result = isc_file_settime(zone->journal, &now);
- if (result != ISC_R_SUCCESS &&
- zone->masterfile != NULL)
- result = isc_file_settime(zone->masterfile,
- &now);
- /* Someone removed the file from underneath us! */
- if (result == ISC_R_FILENOTFOUND &&
- zone->masterfile != NULL) {
- unsigned int delay = DNS_DUMP_DELAY;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY))
- delay = 0;
- zone_needdump(zone, delay);
- } else if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transfer: could not set file "
- "modification time of '%s': %s",
- zone->masterfile,
- dns_result_totext(result));
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
- inc_stats(zone, dns_zonestatscounter_xfrsuccess);
- break;
- case DNS_R_BADIXFR:
- /* Force retry with AXFR. */
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
- goto same_master;
- default:
- next_master:
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- /* FALLTHROUGH */
- same_master:
- if (zone->curmaster >= zone->masterscnt) {
- zone->curmaster = 0;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- again = ISC_TRUE;
- } else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- } else {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- again = ISC_TRUE;
- }
- inc_stats(zone, dns_zonestatscounter_xfrfail);
- break;
- }
- zone_settimer(zone, &now);
- /*
- * If creating the transfer object failed, zone->xfr is NULL.
- * Otherwise, we are called as the done callback of a zone
- * transfer object that just entered its shutting-down
- * state. Since we are no longer responsible for shutting
- * it down, we can detach our reference.
- */
- if (zone->xfr != NULL)
- dns_xfrin_detach(&zone->xfr);
- if (zone->tsigkey != NULL)
- dns_tsigkey_detach(&zone->tsigkey);
- /*
- * Handle any deferred journal compaction.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
- result = dns_journal_compact(zone->mctx, zone->journal,
- zone->compact_serial,
- zone->journalsize);
- switch (result) {
- case ISC_R_SUCCESS:
- case ISC_R_NOSPACE:
- case ISC_R_NOTFOUND:
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "dns_journal_compact: %s",
- dns_result_totext(result));
- break;
- default:
- dns_zone_log(zone, ISC_LOG_ERROR,
- "dns_journal_compact failed: %s",
- dns_result_totext(result));
- break;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
- }
- /*
- * This transfer finishing freed up a transfer quota slot.
- * Let any other zones waiting for quota have it.
- */
- UNLOCK_ZONE(zone);
- RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
- zone->statelist = NULL;
- zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
- RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
- /*
- * Retry with a different server if necessary.
- */
- if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- queue_soa_query(zone);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
- }
- static void
- zone_loaddone(void *arg, isc_result_t result) {
- static char me[] = "zone_loaddone";
- dns_load_t *load = arg;
- dns_zone_t *zone;
- isc_result_t tresult;
- REQUIRE(DNS_LOAD_VALID(load));
- zone = load->zone;
- ENTER;
- tresult = dns_db_endload(load->db, &load->callbacks.add_private);
- if (tresult != ISC_R_SUCCESS &&
- (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
- result = tresult;
- LOCK_ZONE(load->zone);
- (void)zone_postload(load->zone, load->db, load->loadtime, result);
- zonemgr_putio(&load->zone->readio);
- DNS_ZONE_CLRFLAG(load->zone, DNS_ZONEFLG_LOADING);
- /*
- * Leave the zone frozen if the reload fails.
- */
- if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) &&
- DNS_ZONE_FLAG(load->zone, DNS_ZONEFLG_THAW))
- zone->update_disabled = ISC_FALSE;
- DNS_ZONE_CLRFLAG(load->zone, DNS_ZONEFLG_THAW);
- UNLOCK_ZONE(load->zone);
- load->magic = 0;
- dns_db_detach(&load->db);
- if (load->zone->lctx != NULL)
- dns_loadctx_detach(&load->zone->lctx);
- dns_zone_idetach(&load->zone);
- isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
- }
- void
- dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(table != NULL);
- REQUIRE(*table == NULL);
- LOCK_ZONE(zone);
- if (zone->ssutable != NULL)
- dns_ssutable_attach(zone->ssutable, table);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->ssutable != NULL)
- dns_ssutable_detach(&zone->ssutable);
- if (table != NULL)
- dns_ssutable_attach(table, &zone->ssutable);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->sigvalidityinterval = interval;
- }
- isc_uint32_t
- dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->sigvalidityinterval);
- }
- void
- dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->sigresigninginterval = interval;
- }
- isc_uint32_t
- dns_zone_getsigresigninginterval(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->sigresigninginterval);
- }
- static void
- queue_xfrin(dns_zone_t *zone) {
- const char me[] = "queue_xfrin";
- isc_result_t result;
- dns_zonemgr_t *zmgr = zone->zmgr;
- ENTER;
- INSIST(zone->statelist == NULL);
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
- LOCK_ZONE(zone);
- zone->irefs++;
- UNLOCK_ZONE(zone);
- zone->statelist = &zmgr->waiting_for_xfrin;
- result = zmgr_start_xfrin_ifquota(zmgr, zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- if (result == ISC_R_QUOTA) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
- "zone transfer deferred due to quota");
- } else if (result != ISC_R_SUCCESS) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
- "starting zone transfer: %s",
- isc_result_totext(result));
- }
- }
- /*
- * This event callback is called when a zone has received
- * any necessary zone transfer quota. This is the time
- * to go ahead and start the transfer.
- */
- static void
- got_transfer_quota(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_peer_t *peer = NULL;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- dns_rdatatype_t xfrtype;
- dns_zone_t *zone = event->ev_arg;
- isc_netaddr_t masterip;
- isc_sockaddr_t sourceaddr;
- isc_sockaddr_t masteraddr;
- isc_time_t now;
- const char *soa_before = "";
- UNUSED(task);
- INSIST(task == zone->task);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
- TIME_NOW(&now);
- isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
- if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
- &zone->sourceaddr, &now))
- {
- isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
- dns_zone_log(zone, ISC_LOG_INFO,
- "got_transfer_quota: skipping zone transfer as "
- "master %s (source %s) is unreachable (cached)",
- master, source);
- result = ISC_R_CANCELED;
- goto cleanup;
- }
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- (void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
- soa_before = "SOA before ";
- /*
- * Decide whether we should request IXFR or AXFR.
- */
- if (zone->db == NULL) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no database exists yet, requesting AXFR of "
- "initial version from %s", master);
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences "
- "set, requesting %sAXFR from %s", soa_before,
- master);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
- xfrtype = dns_rdatatype_soa;
- else
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "forced reload, requesting AXFR of "
- "initial version from %s", master);
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "retrying with AXFR from %s due to "
- "previous IXFR failure", master);
- xfrtype = dns_rdatatype_axfr;
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
- UNLOCK_ZONE(zone);
- } else {
- isc_boolean_t use_ixfr = ISC_TRUE;
- if (peer != NULL &&
- dns_peer_getrequestixfr(peer, &use_ixfr) ==
- ISC_R_SUCCESS) {
- ; /* Using peer setting */
- } else {
- use_ixfr = zone->view->requestixfr;
- }
- if (use_ixfr == ISC_FALSE) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "IXFR disabled, requesting %sAXFR from %s",
- soa_before, master);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
- xfrtype = dns_rdatatype_soa;
- else
- xfrtype = dns_rdatatype_axfr;
- } else {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "requesting IXFR from %s", master);
- xfrtype = dns_rdatatype_ixfr;
- }
- }
- /*
- * Determine if we should attempt to sign the request with TSIG.
- */
- result = ISC_R_NOTFOUND;
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &zone->tsigkey);
- }
- if (zone->tsigkey == NULL)
- result = dns_view_getpeertsig(zone->view, &masterip,
- &zone->tsigkey);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not get TSIG key for zone transfer: %s",
- isc_result_totext(result));
- }
- LOCK_ZONE(zone);
- masteraddr = zone->masteraddr;
- sourceaddr = zone->sourceaddr;
- UNLOCK_ZONE(zone);
- INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
- result = dns_xfrin_create2(zone, xfrtype, &masteraddr, &sourceaddr,
- zone->tsigkey, zone->mctx,
- zone->zmgr->timermgr, zone->zmgr->socketmgr,
- zone->task, zone_xfrdone, &zone->xfr);
- if (result == ISC_R_SUCCESS) {
- LOCK_ZONE(zone);
- if (xfrtype == dns_rdatatype_axfr) {
- if (isc_sockaddr_pf(&masteraddr) == PF_INET)
- inc_stats(zone, dns_zonestatscounter_axfrreqv4);
- else
- inc_stats(zone, dns_zonestatscounter_axfrreqv6);
- } else if (xfrtype == dns_rdatatype_ixfr) {
- if (isc_sockaddr_pf(&masteraddr) == PF_INET)
- inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
- else
- inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
- }
- UNLOCK_ZONE(zone);
- }
- cleanup:
- /*
- * Any failure in this function is handled like a failed
- * zone transfer. This ensures that we get removed from
- * zmgr->xfrin_in_progress.
- */
- if (result != ISC_R_SUCCESS)
- zone_xfrdone(zone, result);
- isc_event_free(&event);
- }
- /*
- * Update forwarding support.
- */
- static void
- forward_destroy(dns_forward_t *forward) {
- forward->magic = 0;
- if (forward->request != NULL)
- dns_request_destroy(&forward->request);
- if (forward->msgbuf != NULL)
- isc_buffer_free(&forward->msgbuf);
- if (forward->zone != NULL) {
- LOCK(&forward->zone->lock);
- if (ISC_LINK_LINKED(forward, link))
- ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
- UNLOCK(&forward->zone->lock);
- dns_zone_idetach(&forward->zone);
- }
- isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
- }
- static isc_result_t
- sendtomaster(dns_forward_t *forward) {
- isc_result_t result;
- isc_sockaddr_t src;
- LOCK_ZONE(forward->zone);
- if (DNS_ZONE_FLAG(forward->zone, DNS_ZONEFLG_EXITING)) {
- UNLOCK_ZONE(forward->zone);
- return (ISC_R_CANCELED);
- }
- if (forward->which >= forward->zone->masterscnt) {
- UNLOCK_ZONE(forward->zone);
- return (ISC_R_NOMORE);
- }
- forward->addr = forward->zone->masters[forward->which];
- /*
- * Always use TCP regardless of whether the original update
- * used TCP.
- * XXX The timeout may but a bit small if we are far down a
- * transfer graph and the master has to try several masters.
- */
- switch (isc_sockaddr_pf(&forward->addr)) {
- case PF_INET:
- src = forward->zone->xfrsource4;
- break;
- case PF_INET6:
- src = forward->zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto unlock;
- }
- result = dns_request_createraw(forward->zone->view->requestmgr,
- forward->msgbuf,
- &src, &forward->addr,
- DNS_REQUESTOPT_TCP, 15 /* XXX */,
- forward->zone->task,
- forward_callback, forward,
- &forward->request);
- if (result == ISC_R_SUCCESS) {
- if (!ISC_LINK_LINKED(forward, link))
- ISC_LIST_APPEND(forward->zone->forwards, forward, link);
- }
- unlock:
- UNLOCK_ZONE(forward->zone);
- return (result);
- }
- static void
- forward_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "forward_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_message_t *msg = NULL;
- char master[ISC_SOCKADDR_FORMATSIZE];
- isc_result_t result;
- dns_forward_t *forward;
- dns_zone_t *zone;
- UNUSED(task);
- forward = revent->ev_arg;
- INSIST(DNS_FORWARD_VALID(forward));
- zone = forward->zone;
- INSIST(DNS_ZONE_VALID(zone));
- ENTER;
- isc_sockaddr_format(&forward->addr, master, sizeof(master));
- if (revent->result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "could not forward dynamic update to %s: %s",
- master, dns_result_totext(revent->result));
- goto next_master;
- }
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- result = dns_request_getresponse(revent->request, msg,
- DNS_MESSAGEPARSE_PRESERVEORDER |
- DNS_MESSAGEPARSE_CLONEBUFFER);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- switch (msg->rcode) {
- /*
- * Pass these rcodes back to client.
- */
- case dns_rcode_noerror:
- case dns_rcode_yxdomain:
- case dns_rcode_yxrrset:
- case dns_rcode_nxrrset:
- case dns_rcode_refused:
- case dns_rcode_nxdomain:
- break;
- /* These should not occur if the masters/zone are valid. */
- case dns_rcode_notzone:
- case dns_rcode_notauth: {
- char rcode[128];
- isc_buffer_t rb;
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
- dns_zone_log(zone, ISC_LOG_WARNING,
- "forwarding dynamic update: "
- "unexpected response: master %s returned: %.*s",
- master, (int)rb.used, rcode);
- goto next_master;
- }
- /* Try another server for these rcodes. */
- case dns_rcode_formerr:
- case dns_rcode_servfail:
- case dns_rcode_notimp:
- case dns_rcode_badvers:
- default:
- goto next_master;
- }
- /* call callback */
- (forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
- msg = NULL;
- dns_request_destroy(&forward->request);
- forward_destroy(forward);
- isc_event_free(&event);
- return;
- next_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- forward->which++;
- dns_request_destroy(&forward->request);
- result = sendtomaster(forward);
- if (result != ISC_R_SUCCESS) {
- /* call callback */
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "exhausted dynamic update forwarder list");
- (forward->callback)(forward->callback_arg, result, NULL);
- forward_destroy(forward);
- }
- }
- isc_result_t
- dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
- dns_updatecallback_t callback, void *callback_arg)
- {
- dns_forward_t *forward;
- isc_result_t result;
- isc_region_t *mr;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(msg != NULL);
- REQUIRE(callback != NULL);
- forward = isc_mem_get(zone->mctx, sizeof(*forward));
- if (forward == NULL)
- return (ISC_R_NOMEMORY);
- forward->request = NULL;
- forward->zone = NULL;
- forward->msgbuf = NULL;
- forward->which = 0;
- forward->mctx = 0;
- forward->callback = callback;
- forward->callback_arg = callback_arg;
- ISC_LINK_INIT(forward, link);
- forward->magic = FORWARD_MAGIC;
- mr = dns_message_getrawmessage(msg);
- if (mr == NULL) {
- result = ISC_R_UNEXPECTEDEND;
- goto cleanup;
- }
- result = isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = isc_buffer_copyregion(forward->msgbuf, mr);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_mem_attach(zone->mctx, &forward->mctx);
- dns_zone_iattach(zone, &forward->zone);
- result = sendtomaster(forward);
- cleanup:
- if (result != ISC_R_SUCCESS) {
- forward_destroy(forward);
- }
- return (result);
- }
- isc_result_t
- dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(next != NULL && *next == NULL);
- *next = ISC_LIST_NEXT(zone, link);
- if (*next == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
- }
- isc_result_t
- dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(first != NULL && *first == NULL);
- *first = ISC_LIST_HEAD(zmgr->zones);
- if (*first == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
- }
- /***
- *** Zone manager.
- ***/
- isc_result_t
- dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
- dns_zonemgr_t **zmgrp)
- {
- dns_zonemgr_t *zmgr;
- isc_result_t result;
- isc_interval_t interval;
- zmgr = isc_mem_get(mctx, sizeof(*zmgr));
- if (zmgr == NULL)
- return (ISC_R_NOMEMORY);
- zmgr->mctx = NULL;
- zmgr->refs = 1;
- isc_mem_attach(mctx, &zmgr->mctx);
- zmgr->taskmgr = taskmgr;
- zmgr->timermgr = timermgr;
- zmgr->socketmgr = socketmgr;
- zmgr->zonetasks = NULL;
- zmgr->task = NULL;
- zmgr->rl = NULL;
- ISC_LIST_INIT(zmgr->zones);
- ISC_LIST_INIT(zmgr->waiting_for_xfrin);
- ISC_LIST_INIT(zmgr->xfrin_in_progress);
- memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
- result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
- if (result != ISC_R_SUCCESS)
- goto free_mem;
- zmgr->transfersin = 10;
- zmgr->transfersperns = 2;
- /* Unreachable lock. */
- result = isc_rwlock_init(&zmgr->urlock, 0, 0);
- if (result != ISC_R_SUCCESS)
- goto free_rwlock;
- /* Create a single task for queueing of SOA queries. */
- result = isc_task_create(taskmgr, 1, &zmgr->task);
- if (result != ISC_R_SUCCESS)
- goto free_urlock;
- isc_task_setname(zmgr->task, "zmgr", zmgr);
- result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
- &zmgr->rl);
- if (result != ISC_R_SUCCESS)
- goto free_task;
- /* default to 20 refresh queries / notifies per second. */
- isc_interval_set(&interval, 0, 1000000000/2);
- result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- isc_ratelimiter_setpertic(zmgr->rl, 10);
- zmgr->iolimit = 1;
- zmgr->ioactive = 0;
- ISC_LIST_INIT(zmgr->high);
- ISC_LIST_INIT(zmgr->low);
- result = isc_mutex_init(&zmgr->iolock);
- if (result != ISC_R_SUCCESS)
- goto free_rl;
- zmgr->magic = ZONEMGR_MAGIC;
- *zmgrp = zmgr;
- return (ISC_R_SUCCESS);
- #if 0
- free_iolock:
- DESTROYLOCK(&zmgr->iolock);
- #endif
- free_rl:
- isc_ratelimiter_detach(&zmgr->rl);
- free_task:
- isc_task_detach(&zmgr->task);
- free_urlock:
- isc_rwlock_destroy(&zmgr->urlock);
- free_rwlock:
- isc_rwlock_destroy(&zmgr->rwlock);
- free_mem:
- isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
- isc_mem_detach(&mctx);
- return (result);
- }
- isc_result_t
- dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- isc_result_t result;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- if (zmgr->zonetasks == NULL)
- return (ISC_R_FAILURE);
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
- REQUIRE(zone->task == NULL);
- REQUIRE(zone->timer == NULL);
- REQUIRE(zone->zmgr == NULL);
- isc_taskpool_gettask(zmgr->zonetasks, &zone->task);
- /*
- * Set the task name. The tag will arbitrarily point to one
- * of the zones sharing the task (in practice, the one
- * to be managed last).
- */
- isc_task_setname(zone->task, "zone", zone);
- result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
- NULL, NULL,
- zone->task, zone_timer, zone,
- &zone->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup_task;
- /*
- * The timer "holds" a iref.
- */
- zone->irefs++;
- INSIST(zone->irefs != 0);
- ISC_LIST_APPEND(zmgr->zones, zone, link);
- zone->zmgr = zmgr;
- zmgr->refs++;
- goto unlock;
- cleanup_task:
- isc_task_detach(&zone->task);
- unlock:
- UNLOCK_ZONE(zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- return (result);
- }
- void
- dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- isc_boolean_t free_now = ISC_FALSE;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(zone->zmgr == zmgr);
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
- ISC_LIST_UNLINK(zmgr->zones, zone, link);
- zone->zmgr = NULL;
- zmgr->refs--;
- if (zmgr->refs == 0)
- free_now = ISC_TRUE;
- UNLOCK_ZONE(zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- if (free_now)
- zonemgr_free(zmgr);
- ENSURE(zone->zmgr == NULL);
- }
- void
- dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
- REQUIRE(DNS_ZONEMGR_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- RWLOCK(&source->rwlock, isc_rwlocktype_write);
- REQUIRE(source->refs > 0);
- source->refs++;
- INSIST(source->refs > 0);
- RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
- *target = source;
- }
- void
- dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
- dns_zonemgr_t *zmgr;
- isc_boolean_t free_now = ISC_FALSE;
- REQUIRE(zmgrp != NULL);
- zmgr = *zmgrp;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr->refs--;
- if (zmgr->refs == 0)
- free_now = ISC_TRUE;
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- if (free_now)
- zonemgr_free(zmgr);
- *zmgrp = NULL;
- }
- isc_result_t
- dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
- dns_zone_t *p;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- for (p = ISC_LIST_HEAD(zmgr->zones);
- p != NULL;
- p = ISC_LIST_NEXT(p, link))
- {
- dns_zone_maintenance(p);
- }
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- /*
- * Recent configuration changes may have increased the
- * amount of available transfers quota. Make sure any
- * transfers currently blocked on quota get started if
- * possible.
- */
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr_resume_xfrs(zmgr, ISC_TRUE);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- return (ISC_R_SUCCESS);
- }
- void
- dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr_resume_xfrs(zmgr, ISC_TRUE);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- }
- void
- dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
- dns_zone_t *zone;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- isc_ratelimiter_shutdown(zmgr->rl);
- if (zmgr->task != NULL)
- isc_task_destroy(&zmgr->task);
- if (zmgr->zonetasks != NULL)
- isc_taskpool_destroy(&zmgr->zonetasks);
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- for (zone = ISC_LIST_HEAD(zmgr->zones);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, link))
- {
- LOCK_ZONE(zone);
- forward_cancel(zone);
- UNLOCK_ZONE(zone);
- }
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- }
- isc_result_t
- dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones) {
- isc_result_t result;
- int ntasks = num_zones / 100;
- isc_taskpool_t *pool = NULL;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- /*
- * For anything fewer than 1000 zones we use 10 tasks in
- * the task pool. More than that, and we'll scale at one
- * task per 100 zones.
- */
- if (ntasks < 10)
- ntasks = 10;
- /* Create or resize the zone task pool. */
- if (zmgr->zonetasks == NULL)
- result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx,
- ntasks, 2, &pool);
- else
- result = isc_taskpool_expand(&zmgr->zonetasks, ntasks, &pool);
- if (result == ISC_R_SUCCESS)
- zmgr->zonetasks = pool;
- return (result);
- }
- static void
- zonemgr_free(dns_zonemgr_t *zmgr) {
- isc_mem_t *mctx;
- INSIST(zmgr->refs == 0);
- INSIST(ISC_LIST_EMPTY(zmgr->zones));
- zmgr->magic = 0;
- DESTROYLOCK(&zmgr->iolock);
- isc_ratelimiter_detach(&zmgr->rl);
- isc_rwlock_destroy(&zmgr->urlock);
- isc_rwlock_destroy(&zmgr->rwlock);
- mctx = zmgr->mctx;
- isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
- isc_mem_detach(&mctx);
- }
- void
- dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- zmgr->transfersin = value;
- }
- isc_uint32_t
- dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- return (zmgr->transfersin);
- }
- void
- dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- zmgr->transfersperns = value;
- }
- isc_uint32_t
- dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- return (zmgr->transfersperns);
- }
- /*
- * Try to start a new incoming zone transfer to fill a quota
- * slot that was just vacated.
- *
- * Requires:
- * The zone manager is locked by the caller.
- */
- static void
- zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi) {
- dns_zone_t *zone;
- dns_zone_t *next;
- for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
- zone != NULL;
- zone = next)
- {
- isc_result_t result;
- next = ISC_LIST_NEXT(zone, statelink);
- result = zmgr_start_xfrin_ifquota(zmgr, zone);
- if (result == ISC_R_SUCCESS) {
- if (multi)
- continue;
- /*
- * We successfully filled the slot. We're done.
- */
- break;
- } else if (result == ISC_R_QUOTA) {
- /*
- * Not enough quota. This is probably the per-server
- * quota, because we usually get called when a unit of
- * global quota has just been freed. Try the next
- * zone, it may succeed if it uses another master.
- */
- continue;
- } else {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "starting zone transfer: %s",
- isc_result_totext(result));
- break;
- }
- }
- }
- /*
- * Try to start an incoming zone transfer for 'zone', quota permitting.
- *
- * Requires:
- * The zone manager is locked by the caller.
- *
- * Returns:
- * ISC_R_SUCCESS There was enough quota and we attempted to
- * start a transfer. zone_xfrdone() has been or will
- * be called.
- * ISC_R_QUOTA Not enough quota.
- * Others Failure.
- */
- static isc_result_t
- zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- dns_peer_t *peer = NULL;
- isc_netaddr_t masterip;
- isc_uint32_t nxfrsin, nxfrsperns;
- dns_zone_t *x;
- isc_uint32_t maxtransfersin, maxtransfersperns;
- isc_event_t *e;
- /*
- * If we are exiting just pretend we got quota so the zone will
- * be cleaned up in the zone's task context.
- */
- LOCK_ZONE(zone);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- UNLOCK_ZONE(zone);
- goto gotquota;
- }
- /*
- * Find any configured information about the server we'd
- * like to transfer this zone from.
- */
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- (void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
- UNLOCK_ZONE(zone);
- /*
- * Determine the total maximum number of simultaneous
- * transfers allowed, and the maximum for this specific
- * master.
- */
- maxtransfersin = zmgr->transfersin;
- maxtransfersperns = zmgr->transfersperns;
- if (peer != NULL)
- (void)dns_peer_gettransfers(peer, &maxtransfersperns);
- /*
- * Count the total number of transfers that are in progress,
- * and the number of transfers in progress from this master.
- * We linearly scan a list of all transfers; if this turns
- * out to be too slow, we could hash on the master address.
- */
- nxfrsin = nxfrsperns = 0;
- for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
- x != NULL;
- x = ISC_LIST_NEXT(x, statelink))
- {
- isc_netaddr_t xip;
- LOCK_ZONE(x);
- isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
- UNLOCK_ZONE(x);
- nxfrsin++;
- if (isc_netaddr_equal(&xip, &masterip))
- nxfrsperns++;
- }
- /* Enforce quota. */
- if (nxfrsin >= maxtransfersin)
- return (ISC_R_QUOTA);
- if (nxfrsperns >= maxtransfersperns)
- return (ISC_R_QUOTA);
- gotquota:
- /*
- * We have sufficient quota. Move the zone to the "xfrin_in_progress"
- * list and send it an event to let it start the actual transfer in the
- * context of its own task.
- */
- e = isc_event_allocate(zmgr->mctx, zmgr, DNS_EVENT_ZONESTARTXFRIN,
- got_transfer_quota, zone, sizeof(isc_event_t));
- if (e == NULL)
- return (ISC_R_NOMEMORY);
- LOCK_ZONE(zone);
- INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
- ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
- ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
- zone->statelist = &zmgr->xfrin_in_progress;
- isc_task_send(zone->task, &e);
- dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- void
- dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(iolimit > 0);
- zmgr->iolimit = iolimit;
- }
- isc_uint32_t
- dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- return (zmgr->iolimit);
- }
- /*
- * Get permission to request a file handle from the OS.
- * An event will be sent to action when one is available.
- * There are two queues available (high and low), the high
- * queue will be serviced before the low one.
- *
- * zonemgr_putio() must be called after the event is delivered to
- * 'action'.
- */
- static isc_result_t
- zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_io_t **iop)
- {
- dns_io_t *io;
- isc_boolean_t queue;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(iop != NULL && *iop == NULL);
- io = isc_mem_get(zmgr->mctx, sizeof(*io));
- if (io == NULL)
- return (ISC_R_NOMEMORY);
- io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
- action, arg, sizeof(*io->event));
- if (io->event == NULL) {
- isc_mem_put(zmgr->mctx, io, sizeof(*io));
- return (ISC_R_NOMEMORY);
- }
- io->zmgr = zmgr;
- io->high = high;
- io->task = NULL;
- isc_task_attach(task, &io->task);
- ISC_LINK_INIT(io, link);
- io->magic = IO_MAGIC;
- LOCK(&zmgr->iolock);
- zmgr->ioactive++;
- queue = ISC_TF(zmgr->ioactive > zmgr->iolimit);
- if (queue) {
- if (io->high)
- ISC_LIST_APPEND(zmgr->high, io, link);
- else
- ISC_LIST_APPEND(zmgr->low, io, link);
- }
- UNLOCK(&zmgr->iolock);
- *iop = io;
- if (!queue) {
- isc_task_send(io->task, &io->event);
- }
- return (ISC_R_SUCCESS);
- }
- static void
- zonemgr_putio(dns_io_t **iop) {
- dns_io_t *io;
- dns_io_t *next;
- dns_zonemgr_t *zmgr;
- REQUIRE(iop != NULL);
- io = *iop;
- REQUIRE(DNS_IO_VALID(io));
- *iop = NULL;
- INSIST(!ISC_LINK_LINKED(io, link));
- INSIST(io->event == NULL);
- zmgr = io->zmgr;
- isc_task_detach(&io->task);
- io->magic = 0;
- isc_mem_put(zmgr->mctx, io, sizeof(*io));
- LOCK(&zmgr->iolock);
- INSIST(zmgr->ioactive > 0);
- zmgr->ioactive--;
- next = HEAD(zmgr->high);
- if (next == NULL)
- next = HEAD(zmgr->low);
- if (next != NULL) {
- if (next->high)
- ISC_LIST_UNLINK(zmgr->high, next, link);
- else
- ISC_LIST_UNLINK(zmgr->low, next, link);
- INSIST(next->event != NULL);
- }
- UNLOCK(&zmgr->iolock);
- if (next != NULL)
- isc_task_send(next->task, &next->event);
- }
- static void
- zonemgr_cancelio(dns_io_t *io) {
- isc_boolean_t send_event = ISC_FALSE;
- REQUIRE(DNS_IO_VALID(io));
- /*
- * If we are queued to be run then dequeue.
- */
- LOCK(&io->zmgr->iolock);
- if (ISC_LINK_LINKED(io, link)) {
- if (io->high)
- ISC_LIST_UNLINK(io->zmgr->high, io, link);
- else
- ISC_LIST_UNLINK(io->zmgr->low, io, link);
- send_event = ISC_TRUE;
- INSIST(io->event != NULL);
- }
- UNLOCK(&io->zmgr->iolock);
- if (send_event) {
- io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
- isc_task_send(io->task, &io->event);
- }
- }
- static void
- zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
- char *buf;
- int buflen;
- isc_result_t result;
- buflen = strlen(path) + strlen(templat) + 2;
- buf = isc_mem_get(zone->mctx, buflen);
- if (buf == NULL)
- return;
- result = isc_file_template(path, templat, buf, buflen);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = isc_file_renameunique(path, buf);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_zone_log(zone, ISC_LOG_WARNING, "unable to load from '%s'; "
- "renaming file to '%s' for failure analysis and "
- "retransferring.", path, buf);
- cleanup:
- isc_mem_put(zone->mctx, buf, buflen);
- }
- #if 0
- /* Hook for ondestroy notification from a database. */
- static void
- dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
- dns_db_t *db = event->sender;
- UNUSED(task);
- isc_event_free(&event);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "database (%p) destroyed", (void*) db);
- }
- #endif
- void
- dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
- isc_interval_t interval;
- isc_uint32_t s, ns;
- isc_uint32_t pertic;
- isc_result_t result;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- if (value == 0)
- value = 1;
- if (value == 1) {
- s = 1;
- ns = 0;
- pertic = 1;
- } else if (value <= 10) {
- s = 0;
- ns = 1000000000 / value;
- pertic = 1;
- } else {
- s = 0;
- ns = (1000000000 / value) * 10;
- pertic = 10;
- }
- isc_interval_set(&interval, s, ns);
- result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- isc_ratelimiter_setpertic(zmgr->rl, pertic);
- zmgr->serialqueryrate = value;
- }
- unsigned int
- dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- return (zmgr->serialqueryrate);
- }
- isc_boolean_t
- dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
- isc_sockaddr_t *local, isc_time_t *now)
- {
- unsigned int i;
- isc_rwlocktype_t locktype;
- isc_result_t result;
- isc_uint32_t seconds = isc_time_seconds(now);
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- locktype = isc_rwlocktype_read;
- RWLOCK(&zmgr->urlock, locktype);
- for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
- if (zmgr->unreachable[i].expire >= seconds &&
- isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
- isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
- result = isc_rwlock_tryupgrade(&zmgr->urlock);
- if (result == ISC_R_SUCCESS) {
- locktype = isc_rwlocktype_write;
- zmgr->unreachable[i].last = seconds;
- }
- break;
- }
- }
- RWUNLOCK(&zmgr->urlock, locktype);
- return (ISC_TF(i < UNREACH_CHACHE_SIZE));
- }
- void
- dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
- isc_sockaddr_t *local)
- {
- unsigned int i;
- isc_rwlocktype_t locktype;
- isc_result_t result;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(remote, master, sizeof(master));
- isc_sockaddr_format(local, source, sizeof(source));
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- locktype = isc_rwlocktype_read;
- RWLOCK(&zmgr->urlock, locktype);
- for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
- if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
- isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
- result = isc_rwlock_tryupgrade(&zmgr->urlock);
- if (result == ISC_R_SUCCESS) {
- locktype = isc_rwlocktype_write;
- zmgr->unreachable[i].expire = 0;
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_INFO,
- "master %s (source %s) deleted "
- "from unreachable cache",
- master, source);
- }
- break;
- }
- }
- RWUNLOCK(&zmgr->urlock, locktype);
- }
- void
- dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
- isc_sockaddr_t *local, isc_time_t *now)
- {
- isc_uint32_t seconds = isc_time_seconds(now);
- isc_uint32_t last = seconds;
- unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- RWLOCK(&zmgr->urlock, isc_rwlocktype_write);
- for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
- /* Existing entry? */
- if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
- isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
- break;
- /* Empty slot? */
- if (zmgr->unreachable[i].expire < seconds)
- slot = i;
- /* Least recently used slot? */
- if (zmgr->unreachable[i].last < last) {
- last = zmgr->unreachable[i].last;
- oldest = i;
- }
- }
- if (i < UNREACH_CHACHE_SIZE) {
- /*
- * Found a existing entry. Update the expire timer and
- * last usage timestamps.
- */
- zmgr->unreachable[i].expire = seconds + UNREACH_HOLD_TIME;
- zmgr->unreachable[i].last = seconds;
- } else if (slot != UNREACH_CHACHE_SIZE) {
- /*
- * Found a empty slot. Add a new entry to the cache.
- */
- zmgr->unreachable[slot].expire = seconds + UNREACH_HOLD_TIME;
- zmgr->unreachable[slot].last = seconds;
- zmgr->unreachable[slot].remote = *remote;
- zmgr->unreachable[slot].local = *local;
- } else {
- /*
- * Replace the least recently used entry in the cache.
- */
- zmgr->unreachable[oldest].expire = seconds + UNREACH_HOLD_TIME;
- zmgr->unreachable[oldest].last = seconds;
- zmgr->unreachable[oldest].remote = *remote;
- zmgr->unreachable[oldest].local = *local;
- }
- RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write);
- }
- void
- dns_zone_forcereload(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- if (zone->type == dns_zone_master)
- return;
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
- UNLOCK_ZONE(zone);
- dns_zone_refresh(zone);
- }
- isc_boolean_t
- dns_zone_isforced(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
- }
- isc_result_t
- dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
- /*
- * This function is obsoleted.
- */
- UNUSED(zone);
- UNUSED(on);
- return (ISC_R_NOTIMPLEMENTED);
- }
- isc_uint64_t *
- dns_zone_getstatscounters(dns_zone_t *zone) {
- /*
- * This function is obsoleted.
- */
- UNUSED(zone);
- return (NULL);
- }
- void
- dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(zone->stats == NULL);
- LOCK_ZONE(zone);
- zone->stats = NULL;
- isc_stats_attach(stats, &zone->stats);
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- if (zone->requeststats_on && stats == NULL)
- zone->requeststats_on = ISC_FALSE;
- else if (!zone->requeststats_on && stats != NULL) {
- if (zone->requeststats == NULL) {
- isc_stats_attach(stats, &zone->requeststats);
- zone->requeststats_on = ISC_TRUE;
- }
- }
- UNLOCK_ZONE(zone);
- return;
- }
- isc_stats_t *
- dns_zone_getrequeststats(dns_zone_t *zone) {
- /*
- * We don't lock zone for efficiency reason. This is not catastrophic
- * because requeststats must always be valid when requeststats_on is
- * true.
- * Some counters may be incremented while requeststats_on is becoming
- * false, or some cannot be incremented just after the statistics are
- * installed, but it shouldn't matter much in practice.
- */
- if (zone->requeststats_on)
- return (zone->requeststats);
- else
- return (NULL);
- }
- void
- dns_zone_dialup(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone_debuglog(zone, "dns_zone_dialup", 3,
- "notify = %d, refresh = %d",
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
- dns_zone_notify(zone);
- if (zone->type != dns_zone_master &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- dns_zone_refresh(zone);
- }
- void
- dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
- DNS_ZONEFLG_DIALREFRESH |
- DNS_ZONEFLG_NOREFRESH);
- switch (dialup) {
- case dns_dialuptype_no:
- break;
- case dns_dialuptype_yes:
- DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
- DNS_ZONEFLG_DIALREFRESH |
- DNS_ZONEFLG_NOREFRESH));
- break;
- case dns_dialuptype_notify:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
- break;
- case dns_dialuptype_notifypassive:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- case dns_dialuptype_refresh:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- case dns_dialuptype_passive:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- default:
- INSIST(0);
- }
- UNLOCK_ZONE(zone);
- }
- isc_result_t
- dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->keydirectory, directory);
- UNLOCK_ZONE(zone);
- return (result);
- }
- const char *
- dns_zone_getkeydirectory(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->keydirectory);
- }
- unsigned int
- dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
- dns_zone_t *zone;
- unsigned int count = 0;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- switch (state) {
- case DNS_ZONESTATE_XFERRUNNING:
- for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, statelink))
- count++;
- break;
- case DNS_ZONESTATE_XFERDEFERRED:
- for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, statelink))
- count++;
- break;
- case DNS_ZONESTATE_SOAQUERY:
- for (zone = ISC_LIST_HEAD(zmgr->zones);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, link))
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
- count++;
- break;
- case DNS_ZONESTATE_ANY:
- for (zone = ISC_LIST_HEAD(zmgr->zones);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, link)) {
- dns_view_t *view = zone->view;
- if (view != NULL && strcmp(view->name, "_bind") == 0)
- continue;
- count++;
- }
- break;
- default:
- INSIST(0);
- }
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- return (count);
- }
- isc_result_t
- dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
- isc_boolean_t ok = ISC_TRUE;
- isc_boolean_t fail = ISC_FALSE;
- char namebuf[DNS_NAME_FORMATSIZE];
- char namebuf2[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- int level = ISC_LOG_WARNING;
- dns_name_t bad;
- REQUIRE(DNS_ZONE_VALID(zone));
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
- return (ISC_R_SUCCESS);
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
- level = ISC_LOG_ERROR;
- fail = ISC_TRUE;
- }
- ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, ISC_TRUE);
- if (!ok) {
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
- dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
- dns_result_totext(DNS_R_BADOWNERNAME));
- if (fail)
- return (DNS_R_BADOWNERNAME);
- }
- dns_name_init(&bad, NULL);
- ok = dns_rdata_checknames(rdata, name, &bad);
- if (!ok) {
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_name_format(&bad, namebuf2, sizeof(namebuf2));
- dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
- dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
- namebuf2, dns_result_totext(DNS_R_BADNAME));
- if (fail)
- return (DNS_R_BADNAME);
- }
- return (ISC_R_SUCCESS);
- }
- void
- dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->checkmx = checkmx;
- }
- void
- dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->checksrv = checksrv;
- }
- void
- dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->checkns = checkns;
- }
- void
- dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->isself = isself;
- zone->isselfarg = arg;
- UNLOCK_ZONE(zone);
- }
- void
- dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->notifydelay = delay;
- UNLOCK_ZONE(zone);
- }
- isc_uint32_t
- dns_zone_getnotifydelay(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->notifydelay);
- }
- isc_result_t
- dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
- isc_uint16_t keyid, isc_boolean_t delete)
- {
- isc_result_t result;
- REQUIRE(DNS_ZONE_VALID(zone));
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
- algorithm, keyid);
- LOCK_ZONE(zone);
- result = zone_signwithkey(zone, algorithm, keyid, delete);
- UNLOCK_ZONE(zone);
- return (result);
- }
- static const char *hex = "0123456789ABCDEF";
- isc_result_t
- dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
- isc_result_t result;
- char salt[255*2+1];
- unsigned int i, j;
- REQUIRE(DNS_ZONE_VALID(zone));
- if (nsec3param->salt_length != 0) {
- INSIST((nsec3param->salt_length * 2U) < sizeof(salt));
- for (i = 0, j = 0; i < nsec3param->salt_length; i++) {
- salt[j++] = hex[(nsec3param->salt[i] >> 4) & 0xf];
- salt[j++] = hex[nsec3param->salt[i] & 0xf];
- }
- salt[j] = '\0';
- } else
- strcpy(salt, "-");
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
- nsec3param->hash, nsec3param->iterations,
- salt);
- LOCK_ZONE(zone);
- result = zone_addnsec3chain(zone, nsec3param);
- UNLOCK_ZONE(zone);
- return (result);
- }
- void
- dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes) {
- REQUIRE(DNS_ZONE_VALID(zone));
- if (nodes == 0)
- nodes = 1;
- zone->nodes = nodes;
- }
- void
- dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures) {
- REQUIRE(DNS_ZONE_VALID(zone));
- /*
- * We treat signatures as a signed value so explicitly
- * limit its range here.
- */
- if (signatures > ISC_INT32_MAX)
- signatures = ISC_INT32_MAX;
- else if (signatures == 0)
- signatures = 1;
- zone->signatures = signatures;
- }
- void
- dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->privatetype = type;
- }
- dns_rdatatype_t
- dns_zone_getprivatetype(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->privatetype);
- }
- static isc_result_t
- zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
- isc_boolean_t delete)
- {
- dns_signing_t *signing;
- dns_signing_t *current;
- isc_result_t result = ISC_R_SUCCESS;
- isc_time_t now;
- signing = isc_mem_get(zone->mctx, sizeof *signing);
- if (signing == NULL)
- return (ISC_R_NOMEMORY);
- signing->magic = 0;
- signing->db = NULL;
- signing->dbiterator = NULL;
- signing->algorithm = algorithm;
- signing->keyid = keyid;
- signing->delete = delete;
- signing->done = ISC_FALSE;
- TIME_NOW(&now);
- for (current = ISC_LIST_HEAD(zone->signing);
- current != NULL;
- current = ISC_LIST_NEXT(current, link)) {
- if (current->db == zone->db &&
- current->algorithm == signing->algorithm &&
- current->keyid == signing->keyid) {
- if (current->delete != signing->delete)
- current->done = ISC_TRUE;
- else
- goto cleanup;
- }
- }
- if (zone->db != NULL) {
- dns_db_attach(zone->db, &signing->db);
- result = dns_db_createiterator(signing->db, 0,
- &signing->dbiterator);
- if (result == ISC_R_SUCCESS)
- result = dns_dbiterator_first(signing->dbiterator);
- if (result == ISC_R_SUCCESS) {
- dns_dbiterator_pause(signing->dbiterator);
- ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
- signing = NULL;
- if (isc_time_isepoch(&zone->signingtime)) {
- zone->signingtime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- }
- }
- } else
- result = ISC_R_NOTFOUND;
- cleanup:
- if (signing != NULL) {
- if (signing->db != NULL)
- dns_db_detach(&signing->db);
- if (signing->dbiterator != NULL)
- dns_dbiterator_destroy(&signing->dbiterator);
- isc_mem_put(zone->mctx, signing, sizeof *signing);
- }
- return (result);
- }
- static void
- logmsg(const char *format, ...) {
- va_list args;
- va_start(args, format);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- ISC_LOG_DEBUG(1), format, args);
- va_end(args);
- }
- static void
- clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
- dns_dnsseckey_t *key;
- while (!ISC_LIST_EMPTY(*list)) {
- key = ISC_LIST_HEAD(*list);
- ISC_LIST_UNLINK(*list, key, link);
- dns_dnsseckey_destroy(mctx, &key);
- }
- }
- /* Called once; *timep should be set to the current time. */
- static isc_result_t
- next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
- isc_result_t result;
- isc_stdtime_t now, then = 0, event;
- int i;
- now = *timep;
- for (i = 0; i <= DST_MAX_TIMES; i++) {
- result = dst_key_gettime(key, i, &event);
- if (result == ISC_R_SUCCESS && event > now &&
- (then == 0 || event < then))
- then = event;
- }
- if (then != 0) {
- *timep = then;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOTFOUND);
- }
- static isc_result_t
- rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- const dns_rdata_t *rdata, isc_boolean_t *flag)
- {
- dns_rdataset_t rdataset;
- dns_dbnode_t *node = NULL;
- isc_result_t result;
- dns_rdataset_init(&rdataset);
- if (rdata->type == dns_rdatatype_nsec3)
- CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
- else
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
- (isc_stdtime_t) 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- *flag = ISC_FALSE;
- result = ISC_R_SUCCESS;
- goto failure;
- }
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t myrdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &myrdata);
- if (!dns_rdata_compare(&myrdata, rdata))
- break;
- }
- dns_rdataset_disassociate(&rdataset);
- if (result == ISC_R_SUCCESS) {
- *flag = ISC_TRUE;
- } else if (result == ISC_R_NOMORE) {
- *flag = ISC_FALSE;
- result = ISC_R_SUCCESS;
- }
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- /*
- * Add records to signal the state of signing or of key removal.
- */
- static isc_result_t
- add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
- dns_dbversion_t *ver, dns_diff_t *diff,
- isc_boolean_t sign_all)
- {
- dns_difftuple_t *tuple, *newtuple = NULL;
- dns_rdata_dnskey_t dnskey;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_boolean_t flag;
- isc_region_t r;
- isc_result_t result = ISC_R_SUCCESS;
- isc_uint16_t keyid;
- unsigned char buf[5];
- dns_name_t *name = dns_db_origin(db);
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
- if (tuple->rdata.type != dns_rdatatype_dnskey)
- continue;
- result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((dnskey.flags &
- (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
- != DNS_KEYOWNER_ZONE)
- continue;
- dns_rdata_toregion(&tuple->rdata, &r);
- keyid = dst_region_computeid(&r, dnskey.algorithm);
- buf[0] = dnskey.algorithm;
- buf[1] = (keyid & 0xff00) >> 8;
- buf[2] = (keyid & 0xff);
- buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
- buf[4] = 0;
- rdata.data = buf;
- rdata.length = sizeof(buf);
- rdata.type = privatetype;
- rdata.rdclass = tuple->rdata.rdclass;
- if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
- CHECK(rr_exists(db, ver, name, &rdata, &flag));
- if (flag)
- continue;
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
- name, 0, &rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- INSIST(newtuple == NULL);
- }
- /*
- * Remove any record which says this operation has already
- * completed.
- */
- buf[4] = 1;
- CHECK(rr_exists(db, ver, name, &rdata, &flag));
- if (flag) {
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
- name, 0, &rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- INSIST(newtuple == NULL);
- }
- }
- failure:
- return (result);
- }
- static isc_result_t
- sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, dns_diff_t *sig_diff)
- {
- isc_result_t result;
- isc_stdtime_t now, inception, soaexpire;
- isc_boolean_t check_ksk, keyset_kskonly;
- dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- unsigned int nkeys = 0, i;
- dns_difftuple_t *tuple;
- result = find_zone_keys(zone, db, ver, zone->mctx, DNS_MAXZONEKEYS,
- zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:find_zone_keys -> %s\n",
- dns_result_totext(result));
- return (result);
- }
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
- /*
- * See if update_sigs will update DNSKEY signature and if not
- * cause them to sign so that so that newly activated keys
- * are used.
- */
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
- if (tuple->rdata.type == dns_rdatatype_dnskey &&
- dns_name_equal(&tuple->name, &zone->origin))
- break;
- }
- if (tuple == NULL) {
- result = del_sigs(zone, db, ver, &zone->origin,
- dns_rdatatype_dnskey, sig_diff,
- zone_keys, nkeys, now, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:del_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
- sig_diff, zone_keys, nkeys, zone->mctx,
- inception, soaexpire, check_ksk,
- keyset_kskonly);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:add_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- }
- result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
- inception, soaexpire, now, check_ksk,
- keyset_kskonly, sig_diff);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:update_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
- failure:
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
- return (result);
- }
- /*
- * Prevent the zone entering a inconsistent state where
- * NSEC only DNSKEYs are present with NSEC3 chains.
- * See update.c:check_dnssec()
- */
- static isc_boolean_t
- dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
- {
- isc_result_t result;
- dns_difftuple_t *tuple;
- isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
- dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
- /* Scan the tuples for an NSEC-only DNSKEY */
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
- isc_uint8_t alg;
- if (tuple->rdata.type != dns_rdatatype_dnskey ||
- tuple->op != DNS_DIFFOP_ADD)
- continue;
- alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
- nseconly = ISC_TRUE;
- break;
- }
- }
- /* Check existing DB for NSEC-only DNSKEY */
- if (!nseconly)
- CHECK(dns_nsec_nseconly(db, ver, &nseconly));
- /* Check existing DB for NSEC3 */
- if (!nsec3)
- CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
- privatetype, &nsec3));
- /* Refuse to allow NSEC3 with NSEC-only keys */
- if (nseconly && nsec3) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "NSEC only DNSKEYs and NSEC3 chains not allowed");
- goto failure;
- }
- return (ISC_TRUE);
- failure:
- return (ISC_FALSE);
- }
- static isc_result_t
- clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_getoriginnode(db, &node));
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_NOTFOUND)
- goto failure;
- result = dns_nsec3param_deletechains(db, ver, zone, diff);
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
- }
- /*
- * Given an RRSIG rdataset and an algorithm, determine whether there
- * are any signatures using that algorithm.
- */
- static isc_boolean_t
- signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t rrsig;
- isc_result_t result;
- REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
- if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
- return (ISC_FALSE);
- }
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- if (rrsig.algorithm == alg)
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
- }
- static isc_result_t
- add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
- {
- dns_name_t *origin;
- isc_boolean_t build_nsec3;
- isc_result_t result;
- origin = dns_db_origin(db);
- CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
- &build_nsec3));
- if (build_nsec3)
- CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
- ISC_FALSE, zone->privatetype, diff));
- CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
- failure:
- return (result);
- }
- static void
- zone_rekey(dns_zone_t *zone) {
- isc_result_t result;
- dns_db_t *db = NULL;
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *ver = NULL;
- dns_rdataset_t soaset, soasigs, keyset, keysigs;
- dns_dnsseckeylist_t dnskeys, keys, rmkeys;
- dns_dnsseckey_t *key;
- dns_diff_t diff, sig_diff;
- isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
- isc_boolean_t newalg = ISC_FALSE;
- isc_boolean_t fullsign;
- dns_ttl_t ttl = 3600;
- const char *dir;
- isc_mem_t *mctx;
- isc_stdtime_t now;
- isc_time_t timenow;
- isc_interval_t ival;
- char timebuf[80];
- REQUIRE(DNS_ZONE_VALID(zone));
- ISC_LIST_INIT(dnskeys);
- ISC_LIST_INIT(keys);
- ISC_LIST_INIT(rmkeys);
- dns_rdataset_init(&soaset);
- dns_rdataset_init(&soasigs);
- dns_rdataset_init(&keyset);
- dns_rdataset_init(&keysigs);
- dir = dns_zone_getkeydirectory(zone);
- mctx = zone->mctx;
- dns_diff_init(mctx, &diff);
- dns_diff_init(mctx, &sig_diff);
- sig_diff.resign = zone->sigresigninginterval;
- CHECK(dns_zone_getdb(zone, &db));
- CHECK(dns_db_newversion(db, &ver));
- CHECK(dns_db_getoriginnode(db, &node));
- TIME_NOW(&timenow);
- now = isc_time_seconds(&timenow);
- dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
- /* Get the SOA record's TTL */
- CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
- dns_rdatatype_none, 0, &soaset, &soasigs));
- ttl = soaset.ttl;
- dns_rdataset_disassociate(&soaset);
- /* Get the DNSKEY rdataset */
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
- dns_rdatatype_none, 0, &keyset, &keysigs);
- if (result == ISC_R_SUCCESS) {
- ttl = keyset.ttl;
- result = dns_dnssec_keylistfromrdataset(&zone->origin, dir,
- mctx, &keyset,
- &keysigs, &soasigs,
- ISC_FALSE, ISC_FALSE,
- &dnskeys);
- /* Can't get keys for some reason; try again later. */
- if (result != ISC_R_SUCCESS)
- goto trylater;
- } else if (result != ISC_R_NOTFOUND)
- goto failure;
- /*
- * True when called from "rndc sign". Indicates the zone should be
- * fully signed now.
- */
- fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
- result = dns_dnssec_findmatchingkeys(&zone->origin, dir, mctx, &keys);
- if (result == ISC_R_SUCCESS) {
- isc_boolean_t check_ksk;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
- &zone->origin, ttl, &diff,
- ISC_TF(!check_ksk),
- mctx, logmsg);
- /* Keys couldn't be updated for some reason;
- * try again later. */
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
- "couldn't update zone keys: %s",
- isc_result_totext(result));
- goto trylater;
- }
- /*
- * See if any pre-existing keys have newly become active;
- * also, see if any new key is for a new algorithm, as in that
- * event, we need to sign the zone fully. (If there's a new
- * key, but it's for an already-existing algorithm, then
- * the zone signing can be handled incrementally.)
- */
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->first_sign)
- continue;
- newactive = ISC_TRUE;
- if (!dns_rdataset_isassociated(&keysigs)) {
- newalg = ISC_TRUE;
- break;
- }
- if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
- /*
- * This isn't a new algorithm; clear
- * first_sign so we won't sign the
- * whole zone with this key later
- */
- key->first_sign = ISC_FALSE;
- } else {
- newalg = ISC_TRUE;
- break;
- }
- }
- if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
- dnskey_sane(zone, db, ver, &diff)) {
- CHECK(dns_diff_apply(&diff, db, ver));
- CHECK(clean_nsec3param(zone, db, ver, &diff));
- CHECK(add_signing_records(db, zone->privatetype,
- ver, &diff,
- ISC_TF(newalg || fullsign)));
- CHECK(increment_soa_serial(db, ver, &diff, mctx));
- CHECK(add_chains(zone, db, ver, &diff));
- CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
- CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
- commit = ISC_TRUE;
- }
- }
- dns_db_closeversion(db, &ver, commit);
- if (commit) {
- dns_difftuple_t *tuple;
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- zone_needdump(zone, DNS_DUMP_DELAY);
- zone_settimer(zone, &timenow);
- /* Remove any signatures from removed keys. */
- if (!ISC_LIST_EMPTY(rmkeys)) {
- for (key = ISC_LIST_HEAD(rmkeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- result = zone_signwithkey(zone,
- dst_key_alg(key->key),
- dst_key_id(key->key),
- ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
- }
- }
- }
- if (fullsign) {
- /*
- * "rndc sign" was called, so we now sign the zone
- * with all active keys, whether they're new or not.
- */
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->force_sign && !key->hint_sign)
- continue;
- result = zone_signwithkey(zone,
- dst_key_alg(key->key),
- dst_key_id(key->key),
- ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
- }
- }
- } else if (newalg) {
- /*
- * We haven't been told to sign fully, but a new
- * algorithm was added to the DNSKEY. We sign
- * the full zone, but only with newly active
- * keys.
- */
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->first_sign)
- continue;
- result = zone_signwithkey(zone,
- dst_key_alg(key->key),
- dst_key_id(key->key),
- ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
- }
- }
- }
- /*
- * Clear fullsign flag, if it was set, so we don't do
- * another full signing next time
- */
- zone->keyopts &= ~DNS_ZONEKEY_FULLSIGN;
- /*
- * Cause the zone to add/delete NSEC3 chains for the
- * deferred NSEC3PARAM changes.
- */
- for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec3param_t nsec3param;
- if (tuple->rdata.type != zone->privatetype ||
- tuple->op != DNS_DIFFOP_ADD)
- continue;
- if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
- buf, sizeof(buf)))
- continue;
- result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (nsec3param.flags == 0)
- continue;
- result = zone_addnsec3chain(zone, &nsec3param);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
- }
- }
- /*
- * Schedule the next resigning event
- */
- set_resigntime(zone);
- UNLOCK_ZONE(zone);
- }
- isc_time_settoepoch(&zone->refreshkeytime);
- /*
- * If we're doing key maintenance, set the key refresh timer to
- * the next scheduled key event or to one hour in the future,
- * whichever is sooner.
- */
- if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) {
- isc_time_t timethen;
- isc_stdtime_t then;
- LOCK_ZONE(zone);
- DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen);
- zone->refreshkeytime = timethen;
- UNLOCK_ZONE(zone);
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- then = now;
- result = next_keyevent(key->key, &then);
- if (result != ISC_R_SUCCESS)
- continue;
- DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
- LOCK_ZONE(zone);
- if (isc_time_compare(&timethen,
- &zone->refreshkeytime) < 0) {
- zone->refreshkeytime = timethen;
- }
- UNLOCK_ZONE(zone);
- }
- zone_settimer(zone, &timenow);
- isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
- }
- failure:
- dns_diff_clear(&diff);
- dns_diff_clear(&sig_diff);
- clear_keylist(&dnskeys, mctx);
- clear_keylist(&keys, mctx);
- clear_keylist(&rmkeys, mctx);
- if (ver != NULL)
- dns_db_closeversion(db, &ver, ISC_FALSE);
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- if (dns_rdataset_isassociated(&keysigs))
- dns_rdataset_disassociate(&keysigs);
- if (dns_rdataset_isassociated(&soasigs))
- dns_rdataset_disassociate(&soasigs);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- return;
- trylater:
- isc_interval_set(&ival, HOUR, 0);
- isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
- goto failure;
- }
- void
- dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign) {
- isc_time_t now;
- if (zone->type == dns_zone_master && zone->task != NULL) {
- LOCK_ZONE(zone);
- if (fullsign)
- zone->keyopts |= DNS_ZONEKEY_FULLSIGN;
- TIME_NOW(&now);
- zone->refreshkeytime = now;
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- }
- }
- isc_result_t
- dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
- unsigned int *errors)
- {
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(errors != NULL);
- result = dns_db_getoriginnode(db, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = zone_count_ns_rr(zone, db, node, version, NULL, errors,
- ISC_FALSE);
- dns_db_detachnode(db, &node);
- return (result);
- }
- void
- dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added) {
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- zone->added = added;
- UNLOCK_ZONE(zone);
- }
- isc_boolean_t
- dns_zone_getadded(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->added);
- }
- isc_result_t
- dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db)
- {
- isc_time_t loadtime;
- isc_result_t result;
- TIME_NOW(&loadtime);
- LOCK_ZONE(zone);
- result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
- UNLOCK_ZONE(zone);
- return result;
- }