2 * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
24 #include <dns/fixedname.h>
25 #include <dns/rdata.h>
26 #include <dns/types.h>
30 #define DNS_RPZ_PREFIX "rpz-"
31 #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX"ip"
32 #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX"nsip"
33 #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname"
34 #define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru"
36 typedef isc_uint8_t dns_rpz_cidr_bits_t;
47 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
48 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
52 DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */
53 DNS_RPZ_POLICY_DISABLED = 1, /* 'disabled': log the match but do not rewrite */
54 DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
55 DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */
56 DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */
57 DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */
58 DNS_RPZ_POLICY_RECORD,
59 DNS_RPZ_POLICY_WILDCNAME,
65 * Specify a response policy zone.
67 typedef struct dns_rpz_zone dns_rpz_zone_t;
70 ISC_LINK(dns_rpz_zone_t) link;
71 int num; /* ordinal in list of policy zones */
72 dns_name_t origin; /* Policy zone name */
73 dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
74 dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */
75 dns_name_t cname; /* override value for ..._CNAME */
76 dns_ttl_t max_policy_ttl;
77 dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
78 isc_boolean_t recursive_only;
79 isc_boolean_t defined;
83 * Radix trees for response policy IP addresses.
85 typedef struct dns_rpz_cidr dns_rpz_cidr_t;
88 * context for finding the best policy
92 # define DNS_RPZ_REWRITTEN 0x0001
93 # define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */
94 # define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */
95 # define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */
96 # define DNS_RPZ_DONE_IPv4 0x0010
97 # define DNS_RPZ_RECURSING 0x0020
98 # define DNS_RPZ_HAVE_IP 0x0040 /* a policy zone has IP addresses */
99 # define DNS_RPZ_HAVE_NSIPv4 0x0080 /* IPv4 NSIP addresses */
100 # define DNS_RPZ_HAVE_NSIPv6 0x0100 /* IPv6 NSIP addresses */
101 # define DNS_RPZ_HAVE_NSDNAME 0x0200 /* NS names */
108 dns_rpz_cidr_bits_t prefix;
109 dns_rpz_policy_t policy;
114 dns_dbversion_t *version;
116 dns_rdataset_t *rdataset;
119 * State for chasing IP addresses and NS names including recursion.
124 dns_rdataset_t *ns_rdataset;
125 dns_rdatatype_t r_type;
126 isc_result_t r_result;
127 dns_rdataset_t *r_rdataset;
130 * State of real query while recursing for NSIP or NSDNAME.
134 isc_boolean_t is_zone;
135 isc_boolean_t authoritative;
139 dns_rdataset_t *rdataset;
140 dns_rdataset_t *sigrdataset;
141 dns_rdatatype_t qtype;
146 dns_fixedname_t _qnamef;
147 dns_fixedname_t _r_namef;
148 dns_fixedname_t _fnamef;
151 #define DNS_RPZ_TTL_DEFAULT 5
152 #define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT
155 * So various response policy zone messages can be turned up or down.
157 #define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING
158 #define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO
159 #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
160 #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
161 #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
162 #define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3+1)
165 dns_rpz_type2str(dns_rpz_type_t type);
168 dns_rpz_str2policy(const char *str);
171 dns_rpz_policy2str(dns_rpz_policy_t policy);
174 dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
177 dns_rpz_view_destroy(dns_view_t *view);
180 dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
181 dns_rpz_cidr_t **rbtdb_cidr);
183 dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
186 dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
189 dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);
192 dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
193 dns_rpz_type_t type, dns_name_t *canon_name,
194 dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
197 dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
198 dns_name_t *selfname);
202 #endif /* DNS_RPZ_H */