2 * Copyright (C) 2004, 2005, 2007-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
25 #include <isc/string.h>
30 #include <dns/rdata.h>
31 #include <dns/rdatalist.h>
32 #include <dns/rdataset.h>
33 #include <dns/rdatasetiter.h>
34 #include <dns/rdatastruct.h>
35 #include <dns/result.h>
/*
 * RETERR(x): evaluate x into the enclosing function's local `result`
 * and leave early when it is not ISC_R_SUCCESS.  The assignment and
 * the exit statement (presumably a goto to a cleanup label) are on
 * lines not shown in this listing -- confirm against the full source.
 * Any function using it must declare `result` itself.
 */
39 #define RETERR(x) do { \
41 if (result != ISC_R_SUCCESS) \
/*
 * Set (bit != 0) or clear (bit == 0) bit `index` of the type bit map
 * `array`.  Numbering is MSB-first within each octet: index 0 is the
 * top bit of array[0] (shift = 7 - index % 8), which is the wire
 * layout of the NSEC type bit map.  There is no bounds check on
 * `index`; callers must guarantee array has at least index / 8 + 1
 * octets.  The mask derivation and the if/else selecting between the
 * two updates below are on lines not shown in this listing.
 */
46 set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
47 unsigned int shift, mask;
49 shift = 7 - (index % 8);
/* Set: OR the mask in.  Clear: AND with the complement, truncated to one octet. */
53 array[index / 8] |= mask;
55 array[index / 8] &= (~mask & 0xFF);
/*
 * Return nonzero when bit `index` of the type bit map `array` is set,
 * using the same MSB-first numbering as set_bit().  No bounds check:
 * the caller keeps index / 8 inside the array.  The mask computation
 * between the shift and the return is not shown in this listing.
 */
59 bit_isset(unsigned char *array, unsigned int index) {
60 unsigned int byte, shift, mask;
62 byte = array[index / 8];
63 shift = 7 - (index % 8);
66 return ((byte & mask) != 0);
/*
 * Build the NSEC rdata for `node` into the caller-supplied `buffer`
 * (DNS_NSEC_BUFFERSIZE octets, zeroed first) and point `rdata` at it.
 * `target` becomes the NSEC "next domain name"; the type bit map is
 * computed from the rdatasets present at `node` in `version`.
 * Returns ISC_R_SUCCESS, or the error from dns_db_allrdatasets() or
 * the rdataset iterator.  Several statements of this function are
 * missing from this listing; remarks marked "not shown" are inferred
 * and should be checked against the full source.
 */
70 dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
71 dns_dbnode_t *node, dns_name_t *target,
72 unsigned char *buffer, dns_rdata_t *rdata)
75 dns_rdataset_t rdataset;
77 unsigned int i, window;
80 unsigned char *nsec_bits, *bm;
81 unsigned int max_type;
82 dns_rdatasetiter_t *rdsiter;
/* Buffer layout: [next name][compressed bit map ...][512 spare][raw bit map]. */
84 memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
85 dns_name_toregion(target, &r);
86 memcpy(buffer, r.base, r.length);
/*
 * NOTE(review): r.base is expected to be re-pointed at `buffer` right
 * after this copy (line not shown); bm and nsec_bits below must
 * address `buffer`, not the name's own storage -- confirm.
 */
89 * Use the end of the space for a raw bitmap leaving enough
90 * space for the window identifiers and length octets.
/*
 * The raw map is 256 windows x 32 octets.  The 512-octet gap equals
 * 256 windows x 2 header octets, so the compressed output written at
 * nsec_bits (at most 34 octets per window) can never overtake the raw
 * octets it is copied from.
 */
92 bm = r.base + r.length + 512;
93 nsec_bits = r.base + r.length;
/* RRSIG and NSEC are always advertised, independent of the node's contents. */
94 set_bit(bm, dns_rdatatype_rrsig, 1);
95 set_bit(bm, dns_rdatatype_nsec, 1);
96 max_type = dns_rdatatype_nsec;
97 dns_rdataset_init(&rdataset);
99 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
100 if (result != ISC_R_SUCCESS)
/* (error return not shown; nothing has been acquired at this point) */
102 for (result = dns_rdatasetiter_first(rdsiter);
103 result == ISC_R_SUCCESS;
104 result = dns_rdatasetiter_next(rdsiter))
106 dns_rdatasetiter_current(rdsiter, &rdataset);
/* NSEC, NSEC3 and RRSIG present at the node are not copied into the map. */
107 if (rdataset.type != dns_rdatatype_nsec &&
108 rdataset.type != dns_rdatatype_nsec3 &&
109 rdataset.type != dns_rdatatype_rrsig) {
110 if (rdataset.type > max_type)
111 max_type = rdataset.type;
112 set_bit(bm, rdataset.type, 1);
114 dns_rdataset_disassociate(&rdataset);
118 * At zone cuts, deny the existence of glue in the parent zone.
/*
 * NS without SOA identifies a delegation point.  Every type that is
 * not authoritative at a zone cut is cleared (the set_bit(bm, i, 0)
 * call inside the loop is not shown).
 */
120 if (bit_isset(bm, dns_rdatatype_ns) &&
121 ! bit_isset(bm, dns_rdatatype_soa)) {
122 for (i = 0; i <= max_type; i++) {
123 if (bit_isset(bm, i) &&
124 ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
/* The iterator is released before its terminating result is inspected. */
129 dns_rdatasetiter_destroy(&rdsiter);
130 if (result != ISC_R_NOMORE)
/* Compress: emit only windows that contain at least one set bit. */
133 for (window = 0; window < 256; window++) {
134 if (window * 256 > max_type)
/* Find the last non-zero octet of this window; empty windows are skipped (not shown). */
136 for (octet = 31; octet >= 0; octet--)
137 if (bm[window * 32 + octet] != 0)
/* Window block: window number, octet count, then octet + 1 map octets. */
141 nsec_bits[0] = window;
142 nsec_bits[1] = octet + 1;
144 * Note: potential overlapping move.
146 memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
147 nsec_bits += 3 + octet;
149 r.length = nsec_bits - r.base;
/* Assertion, not a recoverable check: the layout above bounds r.length by construction. */
150 INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
151 dns_rdata_fromregion(rdata,
156 return (ISC_R_SUCCESS);
/*
 * Build the NSEC record for `node` (next name `target`, TTL `ttl`) and
 * add it to `db` in `version`.  DNS_R_UNCHANGED from the database is
 * reported as success.  Uses RETERR(), so a local `result` and the
 * cleanup label it jumps to are required; both are on lines not shown
 * in this listing, as is the final return.
 */
161 dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
162 dns_name_t *target, dns_ttl_t ttl)
165 dns_rdata_t rdata = DNS_RDATA_INIT;
/* Stack scratch space for the rdata; `rdata` refers into it until the add completes. */
166 unsigned char data[DNS_NSEC_BUFFERSIZE];
167 dns_rdatalist_t rdatalist;
168 dns_rdataset_t rdataset;
170 dns_rdataset_init(&rdataset);
171 dns_rdata_init(&rdata);
173 RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
/* NOTE(review): rdatalist.ttl = ttl is expected among these assignments (line not shown) -- confirm. */
175 rdatalist.rdclass = dns_db_class(db);
176 rdatalist.type = dns_rdatatype_nsec;
177 rdatalist.covers = 0;
179 ISC_LIST_INIT(rdatalist.rdata);
180 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
181 RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
182 result = dns_db_addrdataset(db, node, version, 0, &rdataset,
/* (remaining arguments not shown) */
184 if (result == DNS_R_UNCHANGED)
185 result = ISC_R_SUCCESS;
/* Cleanup shared with the RETERR() failure path: release the rdataset only if it was bound. */
188 if (dns_rdataset_isassociated(&rdataset))
189 dns_rdataset_disassociate(&rdataset);
/*
 * Return ISC_TRUE when `type` is set in the type bit map of the NSEC
 * rdata `nsec`, ISC_FALSE otherwise.  The bit map is walked window by
 * window in its wire form: <window><len><len map octets>.  The
 * initialisation of `present`, the break/continue statements and the
 * final return are on lines not shown in this listing.
 */
194 dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
195 dns_rdata_nsec_t nsecstruct;
197 isc_boolean_t present;
198 unsigned int i, len, window;
200 REQUIRE(nsec != NULL);
201 REQUIRE(nsec->type == dns_rdatatype_nsec);
203 /* This should never fail */
204 result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
205 INSIST(result == ISC_R_SUCCESS);
/*
 * The INSISTs below are fatal assertions, not error returns.  They
 * assume the wire-format parser already rejected malformed bit maps
 * (window length outside 1..32, truncated window); they are not a
 * substitute for validating rdata that has not been parsed that way.
 */
208 for (i = 0; i < nsecstruct.len; i += len) {
209 INSIST(i + 2 <= nsecstruct.len);
210 window = nsecstruct.typebits[i];
211 len = nsecstruct.typebits[i + 1];
212 INSIST(len > 0 && len <= 32);
/* The step over the two header octets (i += 2) sits on a line not shown here. */
214 INSIST(i + len <= nsecstruct.len);
/* Past the type's window: stop.  Before it: move on to the next window. */
215 if (window * 256 > type)
217 if ((window + 1) * 256 <= type)
/* Inside the right window: the bit can only be set if the map extends that far. */
219 if (type < (window * 256) + len * 8)
220 present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
224 dns_rdata_freestruct(&nsecstruct);
/*
 * Report through *answer whether the DNSKEY RRset at the origin node
 * of `db` (in `version`) contains a key using one of the NSEC-only
 * algorithms (RSAMD5, RSASHA1, DSA, ECC).  A missing DNSKEY RRset is
 * reported as ISC_R_SUCCESS.  The assignments to *answer and the final
 * return are on lines not shown in this listing.
 */
229 dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
230 isc_boolean_t *answer)
232 dns_dbnode_t *node = NULL;
233 dns_rdataset_t rdataset;
234 dns_rdata_dnskey_t dnskey;
237 REQUIRE(answer != NULL);
239 dns_rdataset_init(&rdataset);
241 result = dns_db_getoriginnode(db, &node);
242 if (result != ISC_R_SUCCESS)
/* (error return not shown) */
245 result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
246 0, 0, &rdataset, NULL);
/* The node is released at once; presumably the bound rdataset keeps its own reference -- verify. */
247 dns_db_detachnode(db, &node);
249 if (result == ISC_R_NOTFOUND) {
/* No DNSKEY at the apex: *answer is presumably set ISC_FALSE here (line not shown). */
251 return (ISC_R_SUCCESS);
253 if (result != ISC_R_SUCCESS)
255 for (result = dns_rdataset_first(&rdataset);
256 result == ISC_R_SUCCESS;
257 result = dns_rdataset_next(&rdataset)) {
258 dns_rdata_t rdata = DNS_RDATA_INIT;
260 dns_rdataset_current(&rdataset, &rdata);
261 result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
/* A DNSKEY already stored in the database must parse; failure is a program error, not bad input. */
262 RUNTIME_CHECK(result == ISC_R_SUCCESS);
/* First NSEC-only algorithm ends the scan (break not shown), leaving result == ISC_R_SUCCESS. */
264 if (dnskey.algorithm == DST_ALG_RSAMD5 ||
265 dnskey.algorithm == DST_ALG_RSASHA1 ||
266 dnskey.algorithm == DST_ALG_DSA ||
267 dnskey.algorithm == DST_ALG_ECC)
270 dns_rdataset_disassociate(&rdataset);
/* ISC_R_SUCCESS: the loop stopped on a match.  ISC_R_NOMORE: no such key, which is also success. */
271 if (result == ISC_R_SUCCESS)
273 if (result == ISC_R_NOMORE) {
275 result = ISC_R_SUCCESS;
281 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
282 * or we can determine whether there is data or not at the name.
283 If the name does not exist, return the wildcard name.
285 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
/*
 * Decide what the NSEC record in `nsecset` (owner `nsecname`) proves
 * about `name`/`type`.  On ISC_R_SUCCESS, *exists and *data describe
 * the name and, when it does not exist, `wild` receives the wildcard
 * that would have to exist to synthesise it.  ISC_R_IGNORE means this
 * NSEC is not the right one for the question and must not be used as
 * proof; other codes are propagated errors.  Diagnostics go through
 * `logit(arg, level, fmt, ...)`.  Several conditional lines and the
 * *exists/*data assignments are missing from this listing; comments
 * marked "not shown" describe the inferred statement.
 */
288 dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
289 dns_name_t *nsecname, dns_rdataset_t *nsecset,
290 isc_boolean_t *exists, isc_boolean_t *data,
291 dns_name_t *wild, dns_nseclog_t logit, void *arg)
294 dns_rdata_t rdata = DNS_RDATA_INIT;
296 dns_namereln_t relation;
297 unsigned int olabels, nlabels, labels;
298 dns_rdata_nsec_t nsec;
299 isc_boolean_t atparent;
303 REQUIRE(exists != NULL);
304 REQUIRE(data != NULL);
305 REQUIRE(nsecset != NULL &&
306 nsecset->type == dns_rdatatype_nsec);
/* Only the first rdata of the set is examined. */
308 result = dns_rdataset_first(nsecset);
309 if (result != ISC_R_SUCCESS) {
310 (*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
/* (error return not shown) */
313 dns_rdataset_current(nsecset, &rdata);
315 (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
/* Compare against the owner; the test for "name sorts before the owner" (order < 0) is not shown. */
316 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
320 * The name is not within the NSEC range.
322 (*logit)(arg, ISC_LOG_DEBUG(3),
323 "NSEC does not cover name, before NSEC");
324 return (ISC_R_IGNORE);
/* Owner branch (order == 0, test not shown): the NSEC owner is the queried name itself. */
329 * The names are the same. If we are validating "."
330 * then atparent should not be set as there is no parent.
332 atparent = (olabels != 1) && dns_rdatatype_atparent(type);
333 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
334 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
/*
 * NS without SOA marks a delegation in the parent zone; NS with SOA
 * is a zone apex, i.e. the child's NSEC.  Either the wrong zone's NSEC
 * is rejected rather than trusted as proof.  The first condition
 * (presumably !atparent && ns && !soa) is on a line not shown.
 */
338 * This NSEC record is from somewhere higher in
339 * the DNS, and at the parent of a delegation.
340 * It can not be legitimately used here.
342 (*logit)(arg, ISC_LOG_DEBUG(3),
343 "ignoring parent nsec");
344 return (ISC_R_IGNORE);
346 } else if (atparent && ns && soa) {
348 * This NSEC record is from the child.
349 * It can not be legitimately used here.
351 (*logit)(arg, ISC_LOG_DEBUG(3),
352 "ignoring child nsec");
353 return (ISC_R_IGNORE);
/*
 * The owner exists.  Answer from the bit map unless a CNAME is present
 * and the query is for a type other than the few that coexist with a
 * CNAME (CNAME, NXT, NSEC, KEY); then the CNAME has to be followed.
 */
355 if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
356 type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
357 !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
/* *exists = ISC_TRUE is expected here (line not shown). */
359 *data = dns_nsec_typepresent(&rdata, type);
360 (*logit)(arg, ISC_LOG_DEBUG(3),
361 "nsec proves name exists (owner) data=%d",
363 return (ISC_R_SUCCESS);
365 (*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
366 return (ISC_R_IGNORE);
/* Name is below the owner: a delegation NSEC (NS, no SOA) cannot speak for the child zone. */
369 if (relation == dns_namereln_subdomain &&
370 dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
371 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
374 * This NSEC record is from somewhere higher in
375 * the DNS, and at the parent of a delegation.
376 * It can not be legitimately used here.
378 (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
379 return (ISC_R_IGNORE);
/* From here on `nsec` is owned by this function: every exit path must call dns_rdata_freestruct(). */
382 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
383 if (result != ISC_R_SUCCESS)
/* Now compare against the NSEC's next name; the order == 0 test (name equals next) is not shown. */
385 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
387 dns_rdata_freestruct(&nsec);
388 (*logit)(arg, ISC_LOG_DEBUG(3),
389 "ignoring nsec matches next name");
390 return (ISC_R_IGNORE);
/*
 * order < 0: the next name sorts before `name`, so `name` is past the
 * end of this NSEC's range -- unless the owner is itself below the
 * next name, which presumably is the zone's last NSEC wrapping round
 * to the apex.
 */
393 if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
395 * The name is not within the NSEC range.
397 dns_rdata_freestruct(&nsec);
398 (*logit)(arg, ISC_LOG_DEBUG(3),
399 "ignoring nsec because name is past end of range");
400 return (ISC_R_IGNORE);
/* The next name is below `name`: `name` is an empty non-terminal (assignments to *exists/*data not shown). */
403 if (order > 0 && relation == dns_namereln_subdomain) {
404 (*logit)(arg, ISC_LOG_DEBUG(3),
405 "nsec proves name exist (empty)");
406 dns_rdata_freestruct(&nsec);
409 return (ISC_R_SUCCESS);
/*
 * The name does not exist.  Take the longer of the label suffixes that
 * `name` shares with the owner (olabels) and with the next name
 * (nlabels) as the common ancestor; the extracted sequence goes into
 * `common` (the destination arguments are on lines not shown).
 */
413 dns_name_init(&common, NULL);
414 if (olabels > nlabels) {
415 labels = dns_name_countlabels(nsecname);
416 dns_name_getlabelsequence(nsecname, labels - olabels,
419 labels = dns_name_countlabels(&nsec.next);
420 dns_name_getlabelsequence(&nsec.next, labels - nlabels,
/* wild = "*" prepended to common (output arguments not shown). */
423 result = dns_name_concatenate(dns_wildcardname, &common,
425 if (result != ISC_R_SUCCESS) {
426 dns_rdata_freestruct(&nsec);
427 (*logit)(arg, ISC_LOG_DEBUG(3),
428 "failure generating wildcard name");
/* (error return not shown) */
432 dns_rdata_freestruct(&nsec);
433 (*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
/* *exists = ISC_FALSE / *data = ISC_FALSE are expected here (line not shown). */
435 return (ISC_R_SUCCESS);