2 * services/authzone.c - authoritative zone that is locally hosted.
4 * Copyright (c) 2017, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains the functions for an authority zone. This zone
40 * is queried by the iterator, just like a stub or forward zone, but then
41 * the data is locally held.
45 #include "services/authzone.h"
46 #include "util/data/dname.h"
47 #include "util/data/msgparse.h"
48 #include "util/data/msgreply.h"
49 #include "util/data/msgencode.h"
50 #include "util/data/packed_rrset.h"
51 #include "util/regional.h"
52 #include "util/net_help.h"
53 #include "util/netevent.h"
54 #include "util/config_file.h"
56 #include "util/module.h"
57 #include "util/random.h"
58 #include "services/cache/dns.h"
59 #include "services/outside_network.h"
60 #include "services/listen_dnsport.h"
61 #include "services/mesh.h"
62 #include "sldns/rrdef.h"
63 #include "sldns/pkthdr.h"
64 #include "sldns/sbuffer.h"
65 #include "sldns/str2wire.h"
66 #include "sldns/wire2str.h"
67 #include "sldns/parseutil.h"
68 #include "sldns/keyraw.h"
69 #include "validator/val_nsec3.h"
70 #include "validator/val_secalgo.h"
73 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */
74 #define N3HASHBUFLEN 32
75 /** max number of CNAMEs we are willing to follow (in one answer) */
76 #define MAX_CNAME_CHAIN 8
77 /** timeout for probe packets for SOA */
78 #define AUTH_PROBE_TIMEOUT 100 /* msec */
79 /** when to stop with SOA probes (when exponential timeouts exceed this) */
80 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */
81 /* auth transfer timeout for TCP connections, in msec */
82 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */
83 /* auth transfer max backoff for failed tranfers and probes */
84 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */
85 /* auth http port number */
86 #define AUTH_HTTP_PORT 80
87 /* auth https port number */
88 #define AUTH_HTTPS_PORT 443
89 /* max depth for nested $INCLUDEs */
90 #define MAX_INCLUDE_DEPTH 10
91 /** number of timeouts before we fallback from IXFR to AXFR,
92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */
93 #define NUM_TIMEOUTS_FALLBACK_IXFR 3
95 /** pick up nextprobe task to start waiting to perform transfer actions */
96 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
97 int failure, int lookup_only);
98 /** move to sending the probe packets, next if fails. task_probe */
99 static void xfr_probe_send_or_end(struct auth_xfer* xfr,
100 struct module_env* env);
101 /** pick up probe task with specified(or NULL) destination first,
102 * or transfer task if nothing to probe, or false if already in progress */
103 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
104 struct auth_master* spec);
105 /** delete xfer structure (not its tree entry) */
106 static void auth_xfer_delete(struct auth_xfer* xfr);
108 /** create new dns_msg */
109 static struct dns_msg*
110 msg_create(struct regional* region, struct query_info* qinfo)
112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region,
113 sizeof(struct dns_msg));
116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname,
118 if(!msg->qinfo.qname)
120 msg->qinfo.qname_len = qinfo->qname_len;
121 msg->qinfo.qtype = qinfo->qtype;
122 msg->qinfo.qclass = qinfo->qclass;
123 msg->qinfo.local_alias = NULL;
124 /* non-packed reply_info, because it needs to grow the array */
125 msg->rep = (struct reply_info*)regional_alloc_zero(region,
126 sizeof(struct reply_info)-sizeof(struct rrset_ref));
129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA);
130 msg->rep->authoritative = 1;
131 msg->rep->qdcount = 1;
132 /* rrsets is NULL, no rrsets yet */
136 /** grow rrset array by one in msg */
138 msg_grow_array(struct regional* region, struct dns_msg* msg)
140 if(msg->rep->rrsets == NULL) {
141 msg->rep->rrsets = regional_alloc_zero(region,
142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
143 if(!msg->rep->rrsets)
146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets;
147 msg->rep->rrsets = regional_alloc_zero(region,
148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
149 if(!msg->rep->rrsets)
151 memmove(msg->rep->rrsets, rrsets_old,
152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count);
157 /** get ttl of rrset */
159 get_rrset_ttl(struct ub_packed_rrset_key* k)
161 struct packed_rrset_data* d = (struct packed_rrset_data*)
166 /** Copy rrset into region from domain-datanode and packet rrset */
167 static struct ub_packed_rrset_key*
168 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node,
169 struct auth_rrset* rrset, struct regional* region, time_t adjust)
171 struct ub_packed_rrset_key key;
172 memset(&key, 0, sizeof(key));
173 key.entry.key = &key;
174 key.entry.data = rrset->data;
175 key.rk.dname = node->name;
176 key.rk.dname_len = node->namelen;
177 key.rk.type = htons(rrset->type);
178 key.rk.rrset_class = htons(z->dclass);
179 key.entry.hash = rrset_key_hash(&key.rk);
180 return packed_rrset_copy_region(&key, region, adjust);
183 /** fix up msg->rep TTL and prefetch ttl */
185 msg_ttl(struct dns_msg* msg)
187 if(msg->rep->rrset_count == 0) return;
188 if(msg->rep->rrset_count == 1) {
189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
195 msg->rep->rrset_count-1]);
196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
201 /** see if rrset is a duplicate in the answer message */
203 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen,
204 uint16_t type, uint16_t dclass)
207 for(i=0; i<msg->rep->rrset_count; i++) {
208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen &&
210 ntohs(k->rk.rrset_class) == dclass &&
211 query_dname_compare(k->rk.dname, nm) == 0)
217 /** add rrset to answer section (no auth, add rrsets yet) */
219 msg_add_rrset_an(struct auth_zone* z, struct regional* region,
220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
222 log_assert(msg->rep->ns_numrrsets == 0);
223 log_assert(msg->rep->ar_numrrsets == 0);
226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
230 if(!msg_grow_array(region, msg))
233 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
234 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
236 msg->rep->rrset_count++;
237 msg->rep->an_numrrsets++;
242 /** add rrset to authority section (no additonal section rrsets yet) */
244 msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
247 log_assert(msg->rep->ar_numrrsets == 0);
250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
254 if(!msg_grow_array(region, msg))
257 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
258 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
260 msg->rep->rrset_count++;
261 msg->rep->ns_numrrsets++;
266 /** add rrset to additional section */
268 msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
277 if(!msg_grow_array(region, msg))
280 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
281 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
283 msg->rep->rrset_count++;
284 msg->rep->ar_numrrsets++;
289 struct auth_zones* auth_zones_create(void)
291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az));
293 log_err("out of memory");
296 rbtree_init(&az->ztree, &auth_zone_cmp);
297 rbtree_init(&az->xtree, &auth_xfer_cmp);
298 lock_rw_init(&az->lock);
299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree));
300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree));
301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */
302 lock_rw_init(&az->rpz_lock);
303 lock_protect(&az->rpz_lock, &az->rpz_first, sizeof(az->rpz_first));
307 int auth_zone_cmp(const void* z1, const void* z2)
309 /* first sort on class, so that hierarchy can be maintained within
311 struct auth_zone* a = (struct auth_zone*)z1;
312 struct auth_zone* b = (struct auth_zone*)z2;
314 if(a->dclass != b->dclass) {
315 if(a->dclass < b->dclass)
319 /* sorted such that higher zones sort before lower zones (their
321 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
324 int auth_data_cmp(const void* z1, const void* z2)
326 struct auth_data* a = (struct auth_data*)z1;
327 struct auth_data* b = (struct auth_data*)z2;
329 /* canonical sort, because DNSSEC needs that */
330 return dname_canon_lab_cmp(a->name, a->namelabs, b->name,
334 int auth_xfer_cmp(const void* z1, const void* z2)
336 /* first sort on class, so that hierarchy can be maintained within
338 struct auth_xfer* a = (struct auth_xfer*)z1;
339 struct auth_xfer* b = (struct auth_xfer*)z2;
341 if(a->dclass != b->dclass) {
342 if(a->dclass < b->dclass)
346 /* sorted such that higher zones sort before lower zones (their
348 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
351 /** delete auth rrset node */
353 auth_rrset_delete(struct auth_rrset* rrset)
360 /** delete auth data domain node */
362 auth_data_delete(struct auth_data* n)
364 struct auth_rrset* p, *np;
369 auth_rrset_delete(p);
376 /** helper traverse to delete zones */
378 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg))
380 struct auth_data* z = (struct auth_data*)n->key;
384 /** delete an auth zone structure (tree remove must be done elsewhere) */
386 auth_zone_delete(struct auth_zone* z, struct auth_zones* az)
389 lock_rw_destroy(&z->lock);
390 traverse_postorder(&z->data, auth_data_del, NULL);
393 /* keep RPZ linked list intact */
394 lock_rw_wrlock(&az->rpz_lock);
396 z->rpz_az_prev->rpz_az_next = z->rpz_az_next;
398 az->rpz_first = z->rpz_az_next;
400 z->rpz_az_next->rpz_az_prev = z->rpz_az_prev;
401 lock_rw_unlock(&az->rpz_lock);
411 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
414 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z));
421 z->namelabs = dname_count_labels(nm);
422 z->name = memdup(nm, nmlen);
427 rbtree_init(&z->data, &auth_data_cmp);
428 lock_rw_init(&z->lock);
429 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)-
430 sizeof(&z->rpz_az_next)-sizeof(&z->rpz_az_prev));
431 lock_rw_wrlock(&z->lock);
432 /* z lock protects all, except rbtree itself and the rpz linked list
433 * pointers, which are protected using az->lock */
434 if(!rbtree_insert(&az->ztree, &z->node)) {
435 lock_rw_unlock(&z->lock);
436 auth_zone_delete(z, NULL);
437 log_warn("duplicate auth zone");
444 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
447 struct auth_zone key;
452 key.namelabs = dname_count_labels(nm);
453 return (struct auth_zone*)rbtree_search(&az->ztree, &key);
457 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
460 struct auth_xfer key;
465 key.namelabs = dname_count_labels(nm);
466 return (struct auth_xfer*)rbtree_search(&az->xtree, &key);
469 /** find an auth zone or sorted less-or-equal, return true if exact */
471 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen,
472 uint16_t dclass, struct auth_zone** z)
474 struct auth_zone key;
479 key.namelabs = dname_count_labels(nm);
480 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z);
484 /** find the auth zone that is above the given name */
486 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len,
490 size_t nmlen = name_len;
492 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) {
496 /* less-or-nothing */
497 if(!z) return NULL; /* nothing smaller, nothing above it */
498 /* we found smaller name; smaller may be above the name,
499 * but not below it. */
500 nm = dname_get_shared_topdomain(z->name, name);
501 dname_count_size_labels(nm, &nmlen);
507 z = auth_zone_find(az, nm, nmlen, dclass);
509 if(dname_is_root(nm)) break;
510 dname_remove_label(&nm, &nmlen);
515 /** find or create zone with name str. caller must have lock on az.
516 * returns a wrlocked zone */
517 static struct auth_zone*
518 auth_zones_find_or_add_zone(struct auth_zones* az, char* name)
520 uint8_t nm[LDNS_MAX_DOMAINLEN+1];
521 size_t nmlen = sizeof(nm);
524 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) {
525 log_err("cannot parse auth zone name: %s", name);
528 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
530 /* not found, create the zone */
531 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
533 lock_rw_wrlock(&z->lock);
538 /** find or create xfer zone with name str. caller must have lock on az.
539 * returns a locked xfer */
540 static struct auth_xfer*
541 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z)
544 x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
546 /* not found, create the zone */
547 x = auth_xfer_create(az, z);
549 lock_basic_lock(&x->lock);
555 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile)
557 if(z->zonefile) free(z->zonefile);
558 if(zonefile == NULL) {
561 z->zonefile = strdup(zonefile);
563 log_err("malloc failure");
570 /** set auth zone fallback. caller must have lock on zone */
572 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr)
574 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){
575 log_err("auth zone fallback, expected yes or no, got %s",
579 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0);
583 /** create domain with the given name */
584 static struct auth_data*
585 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen)
587 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n));
589 memset(n, 0, sizeof(*n));
591 n->name = memdup(nm, nmlen);
597 n->namelabs = dname_count_labels(nm);
598 if(!rbtree_insert(&z->data, &n->node)) {
599 log_warn("duplicate auth domain name");
607 /** find domain with exactly the given name */
608 static struct auth_data*
609 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen)
611 struct auth_zone key;
615 key.namelabs = dname_count_labels(nm);
616 return (struct auth_data*)rbtree_search(&z->data, &key);
619 /** Find domain name (or closest match) */
621 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact,
622 struct auth_data** node)
624 struct auth_zone key;
626 key.name = qinfo->qname;
627 key.namelen = qinfo->qname_len;
628 key.namelabs = dname_count_labels(key.name);
629 *node_exact = rbtree_find_less_equal(&z->data, &key,
630 (rbnode_type**)node);
633 /** find or create domain with name in zone */
634 static struct auth_data*
635 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname,
638 struct auth_data* n = az_find_name(z, dname, dname_len);
640 n = az_domain_create(z, dname, dname_len);
645 /** find rrset of given type in the domain */
646 static struct auth_rrset*
647 az_domain_rrset(struct auth_data* n, uint16_t t)
649 struct auth_rrset* rrset;
660 /** remove rrset of this type from domain */
662 domain_remove_rrset(struct auth_data* node, uint16_t rr_type)
664 struct auth_rrset* rrset, *prev;
667 rrset = node->rrsets;
669 if(rrset->type == rr_type) {
670 /* found it, now delete it */
671 if(prev) prev->next = rrset->next;
672 else node->rrsets = rrset->next;
673 auth_rrset_delete(rrset);
681 /** find an rrsig index in the rrset. returns true if found */
683 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len,
687 for(i=d->count; i<d->count + d->rrsig_count; i++) {
688 if(d->rr_len[i] != len)
690 if(memcmp(d->rr_data[i], rdata, len) == 0) {
698 /** see if rdata is duplicate */
700 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len)
703 for(i=0; i<d->count + d->rrsig_count; i++) {
704 if(d->rr_len[i] != len)
706 if(memcmp(d->rr_data[i], rdata, len) == 0)
712 /** get rrsig type covered from rdata.
713 * @param rdata: rdata in wireformat, starting with 16bit rdlength.
714 * @param rdatalen: length of rdata buffer.
715 * @return type covered (or 0).
718 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen)
722 return sldns_read_uint16(rdata+2);
725 /** remove RR from existing RRset. Also sig, if it is a signature.
726 * reallocates the packed rrset for a new one, false on alloc failure */
728 rrset_remove_rr(struct auth_rrset* rrset, size_t index)
730 struct packed_rrset_data* d, *old = rrset->data;
732 if(index >= old->count + old->rrsig_count)
733 return 0; /* index out of bounds */
734 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - (
735 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) +
736 old->rr_len[index]));
738 log_err("malloc failure");
742 d->count = old->count;
743 d->rrsig_count = old->rrsig_count;
744 if(index < d->count) d->count--;
745 else d->rrsig_count--;
746 d->trust = old->trust;
747 d->security = old->security;
749 /* set rr_len, needed for ptr_fixup */
750 d->rr_len = (size_t*)((uint8_t*)d +
751 sizeof(struct packed_rrset_data));
753 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t));
754 if(index+1 < old->count+old->rrsig_count)
755 memmove(&d->rr_len[index], &old->rr_len[index+1],
756 (old->count+old->rrsig_count - (index+1))*sizeof(size_t));
757 packed_rrset_ptr_fixup(d);
761 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t));
762 if(index+1 < old->count+old->rrsig_count)
763 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1],
764 (old->count+old->rrsig_count - (index+1))*sizeof(time_t));
766 /* move over rr_data */
767 for(i=0; i<d->count+d->rrsig_count; i++) {
769 if(i < index) oldi = i;
771 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]);
774 /* recalc ttl (lowest of remaining RR ttls) */
775 if(d->count + d->rrsig_count > 0)
776 d->ttl = d->rr_ttl[0];
777 for(i=0; i<d->count+d->rrsig_count; i++) {
778 if(d->rr_ttl[i] < d->ttl)
779 d->ttl = d->rr_ttl[i];
787 /** add RR to existing RRset. If insert_sig is true, add to rrsigs.
788 * This reallocates the packed rrset for a new one */
790 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
791 size_t rdatalen, int insert_sig)
793 struct packed_rrset_data* d, *old = rrset->data;
794 size_t total, old_total;
796 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
797 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)
800 log_err("out of memory");
803 /* copy base values */
804 memcpy(d, old, sizeof(struct packed_rrset_data));
810 old_total = old->count + old->rrsig_count;
811 total = d->count + d->rrsig_count;
812 /* set rr_len, needed for ptr_fixup */
813 d->rr_len = (size_t*)((uint8_t*)d +
814 sizeof(struct packed_rrset_data));
816 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t));
817 if(old->rrsig_count != 0)
818 memmove(d->rr_len+d->count, old->rr_len+old->count,
819 old->rrsig_count*sizeof(size_t));
821 d->rr_len[d->count-1] = rdatalen;
822 else d->rr_len[total-1] = rdatalen;
823 packed_rrset_ptr_fixup(d);
824 if((time_t)rr_ttl < d->ttl)
827 /* copy old values into new array */
828 if(old->count != 0) {
829 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t));
830 /* all the old rr pieces are allocated sequential, so we
831 * can copy them in one go */
832 memmove(d->rr_data[0], old->rr_data[0],
833 (old->rr_data[old->count-1] - old->rr_data[0]) +
834 old->rr_len[old->count-1]);
836 if(old->rrsig_count != 0) {
837 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count,
838 old->rrsig_count*sizeof(time_t));
839 memmove(d->rr_data[d->count], old->rr_data[old->count],
840 (old->rr_data[old_total-1] - old->rr_data[old->count]) +
841 old->rr_len[old_total-1]);
844 /* insert new value */
846 d->rr_ttl[d->count-1] = rr_ttl;
847 memmove(d->rr_data[d->count-1], rdata, rdatalen);
849 d->rr_ttl[total-1] = rr_ttl;
850 memmove(d->rr_data[total-1], rdata, rdatalen);
858 /** Create new rrset for node with packed rrset with one RR element */
859 static struct auth_rrset*
860 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
861 uint8_t* rdata, size_t rdatalen)
863 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1,
865 struct auth_rrset* p, *prev;
866 struct packed_rrset_data* d;
868 log_err("out of memory");
871 rrset->type = rr_type;
873 /* the rrset data structure, with one RR */
874 d = (struct packed_rrset_data*)calloc(1,
875 sizeof(struct packed_rrset_data) + sizeof(size_t) +
876 sizeof(uint8_t*) + sizeof(time_t) + rdatalen);
879 log_err("out of memory");
884 d->trust = rrset_trust_prim_noglue;
885 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data));
886 d->rr_data = (uint8_t**)&(d->rr_len[1]);
887 d->rr_ttl = (time_t*)&(d->rr_data[1]);
888 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]);
891 d->rr_len[0] = rdatalen;
892 d->rr_ttl[0] = rr_ttl;
893 memmove(d->rr_data[0], rdata, rdatalen);
896 /* insert rrset into linked list for domain */
897 /* find sorted place to link the rrset into the list */
900 while(p && p->type<=rr_type) {
904 /* so, prev is smaller, and p is larger than rr_type */
906 if(prev) prev->next = rrset;
907 else node->rrsets = rrset;
911 /** count number (and size) of rrsigs that cover a type */
913 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz)
915 struct packed_rrset_data* d = rrsig->data;
918 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG);
919 for(i=0; i<d->count+d->rrsig_count; i++) {
920 if(rrsig_rdata_get_type_covered(d->rr_data[i],
921 d->rr_len[i]) == rr_type) {
923 (*sigsz) += d->rr_len[i];
929 /** See if rrsig set has covered sigs for rrset and move them over */
931 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
932 struct auth_rrset* rrset, struct auth_rrset* rrsig)
934 size_t sigs, sigsz, i, j, total;
935 struct packed_rrset_data* sigold = rrsig->data;
936 struct packed_rrset_data* old = rrset->data;
937 struct packed_rrset_data* d, *sigd;
939 log_assert(rrset->type == rr_type);
940 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG);
941 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz);
943 /* 0 rrsigs to move over, done */
947 /* allocate rrset sigsz larger for extra sigs elements, and
948 * allocate rrsig sigsz smaller for less sigs elements. */
949 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
950 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
953 log_err("out of memory");
956 /* copy base values */
957 total = old->count + old->rrsig_count;
958 memcpy(d, old, sizeof(struct packed_rrset_data));
959 d->rrsig_count += sigs;
961 d->rr_len = (size_t*)((uint8_t*)d +
962 sizeof(struct packed_rrset_data));
964 memmove(d->rr_len, old->rr_len, total*sizeof(size_t));
965 j = d->count+d->rrsig_count-sigs;
966 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
967 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
968 sigold->rr_len[i]) == rr_type) {
969 d->rr_len[j] = sigold->rr_len[i];
973 packed_rrset_ptr_fixup(d);
975 /* copy old values into new array */
977 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t));
978 /* all the old rr pieces are allocated sequential, so we
979 * can copy them in one go */
980 memmove(d->rr_data[0], old->rr_data[0],
981 (old->rr_data[total-1] - old->rr_data[0]) +
982 old->rr_len[total-1]);
985 /* move over the rrsigs to the larger rrset*/
986 j = d->count+d->rrsig_count-sigs;
987 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
988 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
989 sigold->rr_len[i]) == rr_type) {
990 /* move this one over to location j */
991 d->rr_ttl[j] = sigold->rr_ttl[i];
992 memmove(d->rr_data[j], sigold->rr_data[i],
994 if(d->rr_ttl[j] < d->ttl)
995 d->ttl = d->rr_ttl[j];
1000 /* put it in and deallocate the old rrset */
1004 /* now make rrsig set smaller */
1005 if(sigold->count+sigold->rrsig_count == sigs) {
1006 /* remove all sigs from rrsig, remove it entirely */
1007 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG);
1010 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) +
1011 sizeof(uint8_t*) + sizeof(time_t)) + sigsz);
1012 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold)
1013 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
1016 /* no need to free up d, it has already been placed in the
1017 * node->rrset structure */
1018 log_err("out of memory");
1021 /* copy base values */
1022 memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
1023 /* in sigd the RRSIGs are stored in the base of the RR, in count */
1024 sigd->count -= sigs;
1026 sigd->rr_len = (size_t*)((uint8_t*)sigd +
1027 sizeof(struct packed_rrset_data));
1029 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1030 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1031 sigold->rr_len[i]) != rr_type) {
1032 sigd->rr_len[j] = sigold->rr_len[i];
1036 packed_rrset_ptr_fixup(sigd);
1038 /* copy old values into new rrsig array */
1040 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1041 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1042 sigold->rr_len[i]) != rr_type) {
1043 /* move this one over to location j */
1044 sigd->rr_ttl[j] = sigold->rr_ttl[i];
1045 memmove(sigd->rr_data[j], sigold->rr_data[i],
1047 if(j==0) sigd->ttl = sigd->rr_ttl[j];
1049 if(sigd->rr_ttl[j] < sigd->ttl)
1050 sigd->ttl = sigd->rr_ttl[j];
1056 /* put it in and deallocate the old rrset */
1063 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset
1064 * is going to be deleted. reallocates the RRSIG rrset data. */
1066 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset,
1067 struct auth_rrset* rrsigset)
1070 if(rrset->data->rrsig_count == 0)
1073 /* move them over one by one, because there might be duplicates,
1074 * duplicates are ignored */
1075 for(i=rrset->data->count;
1076 i<rrset->data->count+rrset->data->rrsig_count; i++) {
1077 uint8_t* rdata = rrset->data->rr_data[i];
1078 size_t rdatalen = rrset->data->rr_len[i];
1079 time_t rr_ttl = rrset->data->rr_ttl[i];
1081 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) {
1084 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0))
1090 /** Add rr to node, ignores duplicate RRs,
1091 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1093 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
1094 uint8_t* rdata, size_t rdatalen, int* duplicate)
1096 struct auth_rrset* rrset;
1097 /* packed rrsets have their rrsigs along with them, sort them out */
1098 if(rr_type == LDNS_RR_TYPE_RRSIG) {
1099 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1100 if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1101 /* a node of the correct type exists, add the RRSIG
1102 * to the rrset of the covered data type */
1103 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1104 if(duplicate) *duplicate = 1;
1107 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1))
1109 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1110 /* add RRSIG to rrset of type RRSIG */
1111 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1112 if(duplicate) *duplicate = 1;
1115 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1118 /* create rrset of type RRSIG */
1119 if(!rrset_create(node, rr_type, rr_ttl, rdata,
1124 /* normal RR type */
1125 if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1126 /* add data to existing node with data type */
1127 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1128 if(duplicate) *duplicate = 1;
1131 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1134 struct auth_rrset* rrsig;
1135 /* create new node with data type */
1136 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata,
1140 /* see if node of type RRSIG has signatures that
1141 * cover the data type, and move them over */
1142 /* and then make the RRSIG type smaller */
1143 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
1145 if(!rrset_moveover_rrsigs(node, rr_type,
1154 /** insert RR into zone, ignore duplicates */
1156 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1157 size_t dname_len, int* duplicate)
1159 struct auth_data* node;
1160 uint8_t* dname = rr;
1161 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1162 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1163 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len);
1164 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1166 /* rdata points to rdata prefixed with uint16 rdatalength */
1167 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1169 if(rr_class != z->dclass) {
1170 log_err("wrong class for RR");
1173 if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
1174 log_err("cannot create domain");
1177 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen,
1179 log_err("cannot add RR to domain");
1183 if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname,
1184 dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen,
1191 /** Remove rr from node, ignores nonexisting RRs,
1192 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1194 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type,
1195 uint8_t* rdata, size_t rdatalen, int* nonexist)
1197 struct auth_rrset* rrset;
1200 /* find the plain RR of the given type */
1201 if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1202 if(packed_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) {
1203 if(rrset->data->count == 1 &&
1204 rrset->data->rrsig_count == 0) {
1205 /* last RR, delete the rrset */
1206 domain_remove_rrset(node, rr_type);
1207 } else if(rrset->data->count == 1 &&
1208 rrset->data->rrsig_count != 0) {
1209 /* move RRSIGs to the RRSIG rrset, or
1210 * this one becomes that RRset */
1211 struct auth_rrset* rrsigset = az_domain_rrset(
1212 node, LDNS_RR_TYPE_RRSIG);
1214 /* move left over rrsigs to the
1215 * existing rrset of type RRSIG */
1216 rrsigs_copy_from_rrset_to_rrsigset(
1218 /* and then delete the rrset */
1219 domain_remove_rrset(node, rr_type);
1221 /* no rrset of type RRSIG, this
1222 * set is now of that type,
1223 * just remove the rr */
1224 if(!rrset_remove_rr(rrset, index))
1226 rrset->type = LDNS_RR_TYPE_RRSIG;
1227 rrset->data->count = rrset->data->rrsig_count;
1228 rrset->data->rrsig_count = 0;
1231 /* remove the RR from the rrset */
1232 if(!rrset_remove_rr(rrset, index))
1237 /* rr not found in rrset */
1240 /* is it a type RRSIG, look under the covered type */
1241 if(rr_type == LDNS_RR_TYPE_RRSIG) {
1242 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1243 if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1244 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen,
1246 /* rrsig should have d->count > 0, be
1247 * over some rr of that type */
1248 /* remove the rrsig from the rrsigs list of the
1250 if(!rrset_remove_rr(rrset, index))
1255 /* also RRSIG not found */
1258 /* nothing found to delete */
1259 if(nonexist) *nonexist = 1;
1263 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/
1265 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1266 size_t dname_len, int* nonexist)
1268 struct auth_data* node;
1269 uint8_t* dname = rr;
1270 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1271 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1272 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1274 /* rdata points to rdata prefixed with uint16 rdatalength */
1275 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1277 if(rr_class != z->dclass) {
1278 log_err("wrong class for RR");
1279 /* really also a nonexisting entry, because no records
1280 * of that class in the zone, but return an error because
1281 * getting records of the wrong class is a failure of the
1285 node = az_find_name(z, dname, dname_len);
1287 /* node with that name does not exist */
1288 /* nonexisting entry, because no such name */
1292 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) {
1293 /* alloc failure or so */
1296 /* remove the node, if necessary */
1297 /* an rrsets==NULL entry is not kept around for empty nonterminals,
1298 * and also parent nodes are not kept around, so we just delete it */
1299 if(node->rrsets == NULL) {
1300 (void)rbtree_delete(&z->data, node);
1301 auth_data_delete(node);
1304 rpz_remove_rr(z->rpz, z->namelen, dname, dname_len, rr_type,
1305 rr_class, rdata, rdatalen);
1310 /** decompress an RR into the buffer where it'll be an uncompressed RR
1311 * with uncompressed dname and uncompressed rdata (dnames) */
1313 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt,
1314 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class,
1315 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen)
1317 sldns_buffer pktbuf;
1318 size_t dname_len = 0;
1322 const sldns_rr_descriptor* desc;
1323 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen);
1324 sldns_buffer_clear(buf);
1326 /* decompress dname */
1327 sldns_buffer_set_position(&pktbuf,
1328 (size_t)(dname - sldns_buffer_current(&pktbuf)));
1329 dname_len = pkt_dname_len(&pktbuf);
1330 if(dname_len == 0) return 0; /* parse fail on dname */
1331 if(!sldns_buffer_available(buf, dname_len)) return 0;
1332 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname);
1333 sldns_buffer_skip(buf, (ssize_t)dname_len);
1335 /* type, class, ttl and rdatalength fields */
1336 if(!sldns_buffer_available(buf, 10)) return 0;
1337 sldns_buffer_write_u16(buf, rr_type);
1338 sldns_buffer_write_u16(buf, rr_class);
1339 sldns_buffer_write_u32(buf, rr_ttl);
1340 rdlenpos = sldns_buffer_position(buf);
1341 sldns_buffer_write_u16(buf, 0); /* rd length position */
1343 /* decompress rdata */
1344 desc = sldns_rr_descript(rr_type);
1347 if(rdlen > 0 && desc && desc->_dname_count > 0) {
1348 int count = (int)desc->_dname_count;
1350 size_t len; /* how much rdata to plain copy */
1351 size_t uncompressed_len, compressed_len;
1353 /* decompress dnames. */
1354 while(rdlen > 0 && count) {
1355 switch(desc->_wireformat[rdf]) {
1356 case LDNS_RDF_TYPE_DNAME:
1357 sldns_buffer_set_position(&pktbuf,
1359 sldns_buffer_begin(&pktbuf)));
1360 oldpos = sldns_buffer_position(&pktbuf);
1361 /* moves pktbuf to right after the
1362 * compressed dname, and returns uncompressed
1364 uncompressed_len = pkt_dname_len(&pktbuf);
1365 if(!uncompressed_len)
1366 return 0; /* parse error in dname */
1367 if(!sldns_buffer_available(buf,
1369 /* dname too long for buffer */
1371 dname_pkt_copy(&pktbuf,
1372 sldns_buffer_current(buf), rd);
1373 sldns_buffer_skip(buf, (ssize_t)uncompressed_len);
1374 compressed_len = sldns_buffer_position(
1376 rd += compressed_len;
1377 rdlen -= compressed_len;
1381 case LDNS_RDF_TYPE_STR:
1385 len = get_rdf_size(desc->_wireformat[rdf]);
1389 if(!sldns_buffer_available(buf, len))
1390 return 0; /* too long for buffer */
1391 sldns_buffer_write(buf, rd, len);
1398 /* copy remaining data */
1400 if(!sldns_buffer_available(buf, rdlen)) return 0;
1401 sldns_buffer_write(buf, rd, rdlen);
1403 /* fixup rdlength */
1404 sldns_buffer_write_u16_at(buf, rdlenpos,
1405 sldns_buffer_position(buf)-rdlenpos-2);
1406 sldns_buffer_flip(buf);
1410 /** insert RR into zone, from packet, decompress RR,
1411 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */
1413 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1414 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1415 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1416 uint16_t rr_rdlen, int* duplicate)
1421 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1422 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1423 log_err("could not decompress RR");
1426 rr = sldns_buffer_begin(scratch_buffer);
1427 rr_len = sldns_buffer_limit(scratch_buffer);
1428 dname_len = dname_valid(rr, rr_len);
1429 return az_insert_rr(z, rr, rr_len, dname_len, duplicate);
1432 /** remove RR from zone, from packet, decompress RR,
1433 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/
1435 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1436 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1437 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1438 uint16_t rr_rdlen, int* nonexist)
1443 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1444 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1445 log_err("could not decompress RR");
1448 rr = sldns_buffer_begin(scratch_buffer);
1449 rr_len = sldns_buffer_limit(scratch_buffer);
1450 dname_len = dname_valid(rr, rr_len);
1451 return az_remove_rr(z, rr, rr_len, dname_len, nonexist);
1456 * @param z: zone to read in.
1457 * @param in: file to read from (just opened).
1458 * @param rr: buffer to use for RRs, 64k.
1459 * passed so that recursive includes can use the same buffer and do
1460 * not grow the stack too much.
1461 * @param rrbuflen: sizeof rr buffer.
1462 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on,
1463 * that is kept between includes.
1464 * The lineno is set at 1 and then increased by the function.
1465 * @param fname: file name.
1466 * @param depth: recursion depth for includes
1467 * @param cfg: config for chroot.
1468 * returns false on failure, has printed an error message
1471 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
1472 struct sldns_file_parse_state* state, char* fname, int depth,
1473 struct config_file* cfg)
1475 size_t rr_len, dname_len;
1482 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len,
1484 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) {
1485 /* we have $INCLUDE or $something */
1486 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 ||
1487 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) {
1489 int lineno_orig = state->lineno;
1490 char* incfile = (char*)rr + 8;
1491 if(depth > MAX_INCLUDE_DEPTH) {
1492 log_err("%s:%d max include depth"
1493 "exceeded", fname, state->lineno);
1497 while(*incfile == ' ' || *incfile == '\t')
1499 /* adjust for chroot on include file */
1500 if(cfg->chrootdir && cfg->chrootdir[0] &&
1501 strncmp(incfile, cfg->chrootdir,
1502 strlen(cfg->chrootdir)) == 0)
1503 incfile += strlen(cfg->chrootdir);
1504 incfile = strdup(incfile);
1506 log_err("malloc failure");
1509 verbose(VERB_ALGO, "opening $INCLUDE %s",
1511 inc = fopen(incfile, "r");
1513 log_err("%s:%d cannot open include "
1514 "file %s: %s", fname,
1515 lineno_orig, incfile,
1520 /* recurse read that file now */
1521 if(!az_parse_file(z, inc, rr, rrbuflen,
1522 state, incfile, depth+1, cfg)) {
1523 log_err("%s:%d cannot parse include "
1525 lineno_orig, incfile);
1531 verbose(VERB_ALGO, "done with $INCLUDE %s",
1534 state->lineno = lineno_orig;
1539 log_err("parse error %s %d:%d: %s", fname,
1540 state->lineno, LDNS_WIREPARSE_OFFSET(status),
1541 sldns_get_errorstr_parse(status));
1545 /* EMPTY line, TTL or ORIGIN */
1548 /* insert wirerr in rrbuf */
1549 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) {
1551 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr,
1552 rr_len, dname_len), buf, sizeof(buf));
1553 log_err("%s:%d cannot insert RR of type %s",
1554 fname, state->lineno, buf);
1562 auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg)
1564 uint8_t rr[LDNS_RR_BUF_SIZE];
1565 struct sldns_file_parse_state state;
1568 if(!z || !z->zonefile || z->zonefile[0]==0)
1569 return 1; /* no file, or "", nothing to read */
1571 zfilename = z->zonefile;
1572 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
1573 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1574 zfilename += strlen(cfg->chrootdir);
1575 if(verbosity >= VERB_ALGO) {
1577 dname_str(z->name, nm);
1578 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm);
1580 in = fopen(zfilename, "r");
1582 char* n = sldns_wire2str_dname(z->name, z->namelen);
1583 if(z->zone_is_slave && errno == ENOENT) {
1584 /* we fetch the zone contents later, no file yet */
1585 verbose(VERB_ALGO, "no zonefile %s for %s",
1586 zfilename, n?n:"error");
1590 log_err("cannot open zonefile %s for %s: %s",
1591 zfilename, n?n:"error", strerror(errno));
1596 /* clear the data tree */
1597 traverse_postorder(&z->data, auth_data_del, NULL);
1598 rbtree_init(&z->data, &auth_data_cmp);
1599 /* clear the RPZ policies */
1603 memset(&state, 0, sizeof(state));
1604 /* default TTL to 3600 */
1605 state.default_ttl = 3600;
1606 /* set $ORIGIN to the zone name */
1607 if(z->namelen <= sizeof(state.origin)) {
1608 memcpy(state.origin, z->name, z->namelen);
1609 state.origin_len = z->namelen;
1611 /* parse the (toplevel) file */
1612 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) {
1613 char* n = sldns_wire2str_dname(z->name, z->namelen);
1614 log_err("error parsing zonefile %s for %s",
1615 zfilename, n?n:"error");
1623 rpz_finish_config(z->rpz);
1627 /** write buffer to file and check return codes */
1629 write_out(FILE* out, const char* str, size_t len)
1634 r = fwrite(str, 1, len, out);
1636 log_err("write failed: %s", strerror(errno));
1638 } else if(r < len) {
1639 log_err("write failed: too short (disk full?)");
1645 /** convert auth rr to string */
1647 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl,
1648 struct packed_rrset_data* data, size_t i, char* s, size_t buflen)
1651 size_t slen = buflen, datlen;
1653 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG;
1656 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0, NULL);
1657 w += sldns_str_print(&s, &slen, "\t");
1658 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]);
1659 w += sldns_wire2str_class_print(&s, &slen, cl);
1660 w += sldns_str_print(&s, &slen, "\t");
1661 w += sldns_wire2str_type_print(&s, &slen, tp);
1662 w += sldns_str_print(&s, &slen, "\t");
1663 datlen = data->rr_len[i]-2;
1664 dat = data->rr_data[i]+2;
1665 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0, NULL);
1667 if(tp == LDNS_RR_TYPE_DNSKEY) {
1668 w += sldns_str_print(&s, &slen, " ;{id = %u}",
1669 sldns_calc_keytag_raw(data->rr_data[i]+2,
1670 data->rr_len[i]-2));
1672 w += sldns_str_print(&s, &slen, "\n");
1674 if(w >= (int)buflen) {
1675 log_nametypeclass(NO_VERBOSE, "RR too long to print", nm, tp, cl);
1681 /** write rrset to file */
1683 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node,
1684 struct auth_rrset* r, FILE* out)
1686 size_t i, count = r->data->count + r->data->rrsig_count;
1687 char buf[LDNS_RR_BUF_SIZE];
1688 for(i=0; i<count; i++) {
1689 if(!auth_rr_to_string(node->name, node->namelen, r->type,
1690 z->dclass, r->data, i, buf, sizeof(buf))) {
1691 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i);
1694 if(!write_out(out, buf, strlen(buf)))
1700 /** write domain to file */
1702 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out)
1704 struct auth_rrset* r;
1705 /* if this is zone apex, write SOA first */
1706 if(z->namelen == n->namelen) {
1707 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA);
1709 if(!auth_zone_write_rrset(z, n, soa, out))
1713 /* write all the RRsets for this domain */
1714 for(r = n->rrsets; r; r = r->next) {
1715 if(z->namelen == n->namelen &&
1716 r->type == LDNS_RR_TYPE_SOA)
1717 continue; /* skip SOA here */
1718 if(!auth_zone_write_rrset(z, n, r, out))
1724 int auth_zone_write_file(struct auth_zone* z, const char* fname)
1727 struct auth_data* n;
1728 out = fopen(fname, "w");
1730 log_err("could not open %s: %s", fname, strerror(errno));
1733 RBTREE_FOR(n, struct auth_data*, &z->data) {
1734 if(!auth_zone_write_domain(z, n, out)) {
1735 log_err("could not write domain to %s", fname);
1744 /** read all auth zones from file (if they have) */
1746 auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg)
1748 struct auth_zone* z;
1749 lock_rw_wrlock(&az->lock);
1750 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1751 lock_rw_wrlock(&z->lock);
1752 if(!auth_zone_read_zonefile(z, cfg)) {
1753 lock_rw_unlock(&z->lock);
1754 lock_rw_unlock(&az->lock);
1757 lock_rw_unlock(&z->lock);
1759 lock_rw_unlock(&az->lock);
1763 /** find serial number of zone or false if none */
1765 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
1767 struct auth_data* apex;
1768 struct auth_rrset* soa;
1769 struct packed_rrset_data* d;
1770 apex = az_find_name(z, z->name, z->namelen);
1772 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
1773 if(!soa || soa->data->count==0)
1774 return 0; /* no RRset or no RRs in rrset */
1775 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
1777 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
1781 /** Find auth_zone SOA and populate the values in xfr(soa values). */
1783 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr)
1785 struct auth_data* apex;
1786 struct auth_rrset* soa;
1787 struct packed_rrset_data* d;
1788 apex = az_find_name(z, z->name, z->namelen);
1790 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
1791 if(!soa || soa->data->count==0)
1792 return 0; /* no RRset or no RRs in rrset */
1793 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
1794 /* SOA record ends with serial, refresh, retry, expiry, minimum,
1795 * as 4 byte fields */
1798 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
1799 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16));
1800 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12));
1801 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8));
1802 /* soa minimum at d->rr_len[0]-4 */
1807 * Setup auth_xfer zone
1808 * This populates the have_zone, soa values, and so on times.
1809 * Doesn't do network traffic yet, can set option flags.
1810 * @param z: locked by caller, and modified for setup
1811 * @param x: locked by caller, and modified.
1812 * @return false on failure.
1815 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x)
1817 /* for a zone without zone transfers, x==NULL, so skip them,
1818 * i.e. the zone config is fixed with no masters or urls */
1819 if(!z || !x) return 1;
1820 if(!xfr_find_soa(z, x)) {
1823 /* nothing for probe, nextprobe and transfer tasks */
1829 * @param az: auth zones structure
1830 * @return false on failure.
1833 auth_zones_setup_zones(struct auth_zones* az)
1835 struct auth_zone* z;
1836 struct auth_xfer* x;
1837 lock_rw_wrlock(&az->lock);
1838 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1839 lock_rw_wrlock(&z->lock);
1840 x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
1842 lock_basic_lock(&x->lock);
1844 if(!auth_xfer_setup(z, x)) {
1846 lock_basic_unlock(&x->lock);
1848 lock_rw_unlock(&z->lock);
1849 lock_rw_unlock(&az->lock);
1853 lock_basic_unlock(&x->lock);
1855 lock_rw_unlock(&z->lock);
1857 lock_rw_unlock(&az->lock);
1861 /** set config items and create zones */
1863 auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
1865 struct auth_zone* z;
1866 struct auth_xfer* x = NULL;
1870 /* if the rpz lock is needed, grab it before the other
1871 * locks to avoid a lock dependency cycle */
1872 lock_rw_wrlock(&az->rpz_lock);
1874 lock_rw_wrlock(&az->lock);
1875 if(!(z=auth_zones_find_or_add_zone(az, c->name))) {
1876 lock_rw_unlock(&az->lock);
1878 lock_rw_unlock(&az->rpz_lock);
1882 if(c->masters || c->urls) {
1883 if(!(x=auth_zones_find_or_add_xfer(az, z))) {
1884 lock_rw_unlock(&az->lock);
1885 lock_rw_unlock(&z->lock);
1887 lock_rw_unlock(&az->rpz_lock);
1892 if(c->for_downstream)
1893 az->have_downstream = 1;
1894 lock_rw_unlock(&az->lock);
1897 z->zone_deleted = 0;
1898 if(!auth_zone_set_zonefile(z, c->zonefile)) {
1900 lock_basic_unlock(&x->lock);
1902 lock_rw_unlock(&z->lock);
1904 lock_rw_unlock(&az->rpz_lock);
1908 z->for_downstream = c->for_downstream;
1909 z->for_upstream = c->for_upstream;
1910 z->fallback_enabled = c->fallback_enabled;
1911 if(c->isrpz && !z->rpz){
1912 if(!(z->rpz = rpz_create(c))){
1913 fatal_exit("Could not setup RPZ zones");
1916 lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz));
1917 /* the az->rpz_lock is locked above */
1918 z->rpz_az_next = az->rpz_first;
1920 az->rpz_first->rpz_az_prev = z;
1924 lock_rw_unlock(&az->rpz_lock);
1929 z->zone_is_slave = 1;
1930 /* set options on xfer zone */
1931 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) {
1932 lock_basic_unlock(&x->lock);
1933 lock_rw_unlock(&z->lock);
1936 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) {
1937 lock_basic_unlock(&x->lock);
1938 lock_rw_unlock(&z->lock);
1941 lock_basic_unlock(&x->lock);
1944 lock_rw_unlock(&z->lock);
1948 /** set all auth zones deleted, then in auth_zones_cfg, it marks them
1949 * as nondeleted (if they are still in the config), and then later
1950 * we can find deleted zones */
1952 az_setall_deleted(struct auth_zones* az)
1954 struct auth_zone* z;
1955 lock_rw_wrlock(&az->lock);
1956 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1957 lock_rw_wrlock(&z->lock);
1958 z->zone_deleted = 1;
1959 lock_rw_unlock(&z->lock);
1961 lock_rw_unlock(&az->lock);
1964 /** find zones that are marked deleted and delete them.
1965 * This is called from apply_cfg, and there are no threads and no
1966 * workers, so the xfr can just be deleted. */
1968 az_delete_deleted_zones(struct auth_zones* az)
1970 struct auth_zone* z;
1971 struct auth_zone* delete_list = NULL, *next;
1972 struct auth_xfer* xfr;
1973 lock_rw_wrlock(&az->lock);
1974 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1975 lock_rw_wrlock(&z->lock);
1976 if(z->zone_deleted) {
1977 /* we cannot alter the rbtree right now, but
1978 * we can put it on a linked list and then
1980 z->delete_next = delete_list;
1983 lock_rw_unlock(&z->lock);
1985 /* now we are out of the tree loop and we can loop and delete
1989 next = z->delete_next;
1990 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass);
1992 (void)rbtree_delete(&az->xtree, &xfr->node);
1993 auth_xfer_delete(xfr);
1995 (void)rbtree_delete(&az->ztree, &z->node);
1996 auth_zone_delete(z, az);
1999 lock_rw_unlock(&az->lock);
2002 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
2003 int setup, int* is_rpz)
2005 struct config_auth* p;
2006 az_setall_deleted(az);
2007 for(p = cfg->auths; p; p = p->next) {
2008 if(!p->name || p->name[0] == 0) {
2009 log_warn("auth-zone without a name, skipped");
2012 *is_rpz = (*is_rpz || p->isrpz);
2013 if(!auth_zones_cfg(az, p)) {
2014 log_err("cannot config auth zone %s", p->name);
2018 az_delete_deleted_zones(az);
2019 if(!auth_zones_read_zones(az, cfg))
2022 if(!auth_zones_setup_zones(az))
2029 * @param at: transfer structure with chunks list. The chunks and their
2033 auth_chunks_delete(struct auth_transfer* at)
2035 if(at->chunks_first) {
2036 struct auth_chunk* c, *cn;
2037 c = at->chunks_first;
2045 at->chunks_first = NULL;
2046 at->chunks_last = NULL;
2049 /** free master addr list */
2051 auth_free_master_addrs(struct auth_addr* list)
2053 struct auth_addr *n;
2061 /** free the masters list */
2063 auth_free_masters(struct auth_master* list)
2065 struct auth_master* n;
2068 auth_free_master_addrs(list->list);
2076 /** delete auth xfer structure
2077 * @param xfr: delete this xfer and its tasks.
2080 auth_xfer_delete(struct auth_xfer* xfr)
2083 lock_basic_destroy(&xfr->lock);
2085 if(xfr->task_nextprobe) {
2086 comm_timer_delete(xfr->task_nextprobe->timer);
2087 free(xfr->task_nextprobe);
2089 if(xfr->task_probe) {
2090 auth_free_masters(xfr->task_probe->masters);
2091 comm_point_delete(xfr->task_probe->cp);
2092 comm_timer_delete(xfr->task_probe->timer);
2093 free(xfr->task_probe);
2095 if(xfr->task_transfer) {
2096 auth_free_masters(xfr->task_transfer->masters);
2097 comm_point_delete(xfr->task_transfer->cp);
2098 comm_timer_delete(xfr->task_transfer->timer);
2099 if(xfr->task_transfer->chunks_first) {
2100 auth_chunks_delete(xfr->task_transfer);
2102 free(xfr->task_transfer);
2104 auth_free_masters(xfr->allow_notify_list);
2108 /** helper traverse to delete zones */
2110 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2112 struct auth_zone* z = (struct auth_zone*)n->key;
2113 auth_zone_delete(z, NULL);
2116 /** helper traverse to delete xfer zones */
2118 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2120 struct auth_xfer* z = (struct auth_xfer*)n->key;
2121 auth_xfer_delete(z);
2124 void auth_zones_delete(struct auth_zones* az)
2127 lock_rw_destroy(&az->lock);
2128 lock_rw_destroy(&az->rpz_lock);
2129 traverse_postorder(&az->ztree, auth_zone_del, NULL);
2130 traverse_postorder(&az->xtree, auth_xfer_del, NULL);
2134 /** true if domain has only nsec3 */
2136 domain_has_only_nsec3(struct auth_data* n)
2138 struct auth_rrset* rrset = n->rrsets;
2141 if(rrset->type == LDNS_RR_TYPE_NSEC3) {
2143 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) {
2146 rrset = rrset->next;
2151 /** see if the domain has a wildcard child '*.domain' */
2152 static struct auth_data*
2153 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen)
2155 uint8_t wc[LDNS_MAX_DOMAINLEN];
2156 if(nmlen+2 > sizeof(wc))
2157 return NULL; /* result would be too long */
2158 wc[0] = 1; /* length of wildcard label */
2159 wc[1] = (uint8_t)'*'; /* wildcard label */
2160 memmove(wc+2, nm, nmlen);
2161 return az_find_name(z, wc, nmlen+2);
2164 /** find wildcard between qname and cename */
2165 static struct auth_data*
2166 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
2167 struct auth_data* ce)
2169 uint8_t* nm = qinfo->qname;
2170 size_t nmlen = qinfo->qname_len;
2171 struct auth_data* node;
2172 if(!dname_subdomain_c(nm, z->name))
2173 return NULL; /* out of zone */
2174 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
2175 /* see if we can go up to find the wildcard */
2176 if(nmlen == z->namelen)
2177 return NULL; /* top of zone reached */
2178 if(ce && nmlen == ce->namelen)
2179 return NULL; /* ce reached */
2180 if(dname_is_root(nm))
2181 return NULL; /* cannot go up */
2182 dname_remove_label(&nm, &nmlen);
2187 /** domain is not exact, find first candidate ce (name that matches
2188 * a part of qname) in tree */
2189 static struct auth_data*
2190 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
2191 struct auth_data* n)
2196 nm = dname_get_shared_topdomain(qinfo->qname, n->name);
2200 dname_count_size_labels(nm, &nmlen);
2201 n = az_find_name(z, nm, nmlen);
2202 /* delete labels and go up on name */
2204 if(dname_is_root(nm))
2205 return NULL; /* cannot go up */
2206 dname_remove_label(&nm, &nmlen);
2207 n = az_find_name(z, nm, nmlen);
2212 /** go up the auth tree to next existing name. */
2213 static struct auth_data*
2214 az_domain_go_up(struct auth_zone* z, struct auth_data* n)
2216 uint8_t* nm = n->name;
2217 size_t nmlen = n->namelen;
2218 while(!dname_is_root(nm)) {
2219 dname_remove_label(&nm, &nmlen);
2220 if((n=az_find_name(z, nm, nmlen)) != NULL)
2226 /** Find the closest encloser, an name that exists and is above the
2228 * return true if the node (param node) is existing, nonobscured and
2229 * can be used to generate answers from. It is then also node_exact.
2230 * returns false if the node is not good enough (or it wasn't node_exact)
2231 * in this case the ce can be filled.
2232 * if ce is NULL, no ce exists, and likely the zone is completely empty,
2233 * not even with a zone apex.
2234 * if ce is nonNULL it is the closest enclosing upper name (that exists
2235 * itself for answer purposes). That name may have DNAME, NS or wildcard
2236 * rrset is the closest DNAME or NS rrset that was found.
2239 az_find_ce(struct auth_zone* z, struct query_info* qinfo,
2240 struct auth_data* node, int node_exact, struct auth_data** ce,
2241 struct auth_rrset** rrset)
2243 struct auth_data* n = node;
2247 /* if not exact, lookup closest exact match */
2248 n = az_find_candidate_ce(z, qinfo, n);
2250 /* if exact, the node itself is the first candidate ce */
2254 /* no direct answer from nsec3-only domains */
2255 if(n && domain_has_only_nsec3(n)) {
2260 /* with exact matches, walk up the labels until we find the
2261 * delegation, or DNAME or zone end */
2263 /* see if the current candidate has issues */
2264 /* not zone apex and has type NS */
2265 if(n->namelen != z->namelen &&
2266 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
2267 /* delegate here, but DS at exact the dp has notype */
2268 (qinfo->qtype != LDNS_RR_TYPE_DS ||
2269 n->namelen != qinfo->qname_len)) {
2271 /* this is ce and the lowernode is nonexisting */
2275 /* not equal to qname and has type DNAME */
2276 if(n->namelen != qinfo->qname_len &&
2277 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
2278 /* this is ce and the lowernode is nonexisting */
2283 if(*ce == NULL && !domain_has_only_nsec3(n)) {
2284 /* if not found yet, this exact name must be
2285 * our lowest match (but not nsec3onlydomain) */
2289 /* walk up the tree by removing labels from name and lookup */
2290 n = az_domain_go_up(z, n);
2292 /* found no problems, if it was an exact node, it is fine to use */
2296 /** add additional A/AAAA from domain names in rrset rdata (+offset)
2297 * offset is number of bytes in rdata where the dname is located. */
2299 az_add_additionals_from(struct auth_zone* z, struct regional* region,
2300 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset)
2302 struct packed_rrset_data* d = rrset->data;
2305 for(i=0; i<d->count; i++) {
2307 struct auth_data* domain;
2308 struct auth_rrset* ref;
2309 if(d->rr_len[i] < 2+offset)
2310 continue; /* too short */
2311 if(!(dlen = dname_valid(d->rr_data[i]+2+offset,
2312 d->rr_len[i]-2-offset)))
2313 continue; /* malformed */
2314 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen);
2317 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) {
2318 if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2321 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) {
2322 if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2329 /** add negative SOA record (with negative TTL) */
2331 az_add_negative_soa(struct auth_zone* z, struct regional* region,
2332 struct dns_msg* msg)
2335 struct packed_rrset_data* d;
2336 struct auth_rrset* soa;
2337 struct auth_data* apex = az_find_name(z, z->name, z->namelen);
2339 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
2341 /* must be first to put in message; we want to fix the TTL with
2342 * one RRset here, otherwise we'd need to loop over the RRs to get
2343 * the resulting lower TTL */
2344 log_assert(msg->rep->rrset_count == 0);
2345 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0;
2347 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data;
2348 /* last 4 bytes are minimum ttl in network format */
2349 if(d->count == 0) return 0;
2350 if(d->rr_len[0] < 2+4) return 0;
2351 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
2352 d->ttl = (time_t)minimum;
2353 d->rr_ttl[0] = (time_t)minimum;
2354 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
2355 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
2356 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
2360 /** See if the query goes to empty nonterminal (that has no auth_data,
2361 * but there are nodes underneath. We already checked that there are
2362 * not NS, or DNAME above, so that we only need to check if some node
2363 * exists below (with nonempty rr list), return true if emptynonterminal */
2365 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo,
2366 struct auth_data* node)
2368 struct auth_data* next;
2370 /* no smaller was found, use first (smallest) node as the
2372 next = (struct auth_data*)rbtree_first(&z->data);
2374 next = (struct auth_data*)rbtree_next(&node->node);
2376 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) {
2377 /* the next name has empty rrsets, is an empty nonterminal
2378 * itself, see if there exists something below it */
2379 next = (struct auth_data*)rbtree_next(&node->node);
2381 if((rbnode_type*)next == RBTREE_NULL || !next) {
2382 /* there is no next node, so something below it cannot
2386 /* a next node exists, if there was something below the query,
2387 * this node has to be it. See if it is below the query name */
2388 if(dname_strict_subdomain_c(next->name, qinfo->qname))
2393 /** create synth cname target name in buffer, or fail if too long */
2395 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len,
2396 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen)
2398 size_t newlen = qname_len + dtarglen - dname_len;
2399 if(newlen > buflen) {
2400 /* YXDOMAIN error */
2403 /* new name is concatenation of qname front (without DNAME owner)
2404 * and DNAME target name */
2405 memcpy(buf, qname, qname_len-dname_len);
2406 memmove(buf+(qname_len-dname_len), dtarg, dtarglen);
2410 /** create synthetic CNAME rrset for in a DNAME answer in region,
2411 * false on alloc failure, cname==NULL when name too long. */
2413 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
2414 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass,
2415 struct ub_packed_rrset_key** cname)
2417 uint8_t buf[LDNS_MAX_DOMAINLEN];
2419 size_t dtarglen, newlen;
2420 struct packed_rrset_data* d;
2422 /* get DNAME target name */
2423 if(dname->data->count < 1) return 0;
2424 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */
2425 dtarg = dname->data->rr_data[0]+2;
2426 dtarglen = dname->data->rr_len[0]-2;
2427 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen)
2428 return 0; /* rdatalen in DNAME rdata is malformed */
2429 if(dname_valid(dtarg, dtarglen) != dtarglen)
2430 return 0; /* DNAME RR has malformed rdata */
2432 return 0; /* too short */
2433 if(qname_len <= node->namelen)
2434 return 0; /* qname too short for dname removal */
2436 /* synthesize a CNAME */
2437 newlen = synth_cname_buf(qname, qname_len, node->namelen,
2438 dtarg, dtarglen, buf, sizeof(buf));
2440 /* YXDOMAIN error */
2444 *cname = (struct ub_packed_rrset_key*)regional_alloc(region,
2445 sizeof(struct ub_packed_rrset_key));
2447 return 0; /* out of memory */
2448 memset(&(*cname)->entry, 0, sizeof((*cname)->entry));
2449 (*cname)->entry.key = (*cname);
2450 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME);
2451 (*cname)->rk.rrset_class = htons(dclass);
2452 (*cname)->rk.flags = 0;
2453 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len);
2454 if(!(*cname)->rk.dname)
2455 return 0; /* out of memory */
2456 (*cname)->rk.dname_len = qname_len;
2457 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk);
2458 d = (struct packed_rrset_data*)regional_alloc_zero(region,
2459 sizeof(struct packed_rrset_data) + sizeof(size_t) +
2460 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)
2463 return 0; /* out of memory */
2464 (*cname)->entry.data = d;
2465 d->ttl = 0; /* 0 for synthesized CNAME TTL */
2468 d->trust = rrset_trust_ans_noAA;
2469 d->rr_len = (size_t*)((uint8_t*)d +
2470 sizeof(struct packed_rrset_data));
2471 d->rr_len[0] = newlen + sizeof(uint16_t);
2472 packed_rrset_ptr_fixup(d);
2473 d->rr_ttl[0] = d->ttl;
2474 sldns_write_uint16(d->rr_data[0], newlen);
2475 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen);
2479 /** add a synthesized CNAME to the answer section */
2481 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len,
2482 struct regional* region, struct dns_msg* msg, struct auth_data* dname,
2483 struct auth_rrset* rrset)
2485 struct ub_packed_rrset_key* cname;
2486 /* synthesize a CNAME */
2487 if(!create_synth_cname(qname, qname_len, region, dname, rrset,
2488 z->dclass, &cname)) {
2493 /* cname cannot be create because of YXDOMAIN */
2494 msg->rep->flags |= LDNS_RCODE_YXDOMAIN;
2497 /* add cname to message */
2498 if(!msg_grow_array(region, msg))
2500 msg->rep->rrsets[msg->rep->rrset_count] = cname;
2501 msg->rep->rrset_count++;
2502 msg->rep->an_numrrsets++;
2507 /** Change a dname to a different one, for wildcard namechange */
2509 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
2510 size_t newlen, int an_only)
2513 size_t start = 0, end = msg->rep->rrset_count;
2514 if(!an_only) start = msg->rep->an_numrrsets;
2515 if(an_only) end = msg->rep->an_numrrsets;
2516 for(i=start; i<end; i++) {
2517 /* allocated in region so we can change the ptrs */
2518 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname)
2520 msg->rep->rrsets[i]->rk.dname = newname;
2521 msg->rep->rrsets[i]->rk.dname_len = newlen;
2526 /** find NSEC record covering the query */
2527 static struct auth_rrset*
2528 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
2530 uint8_t* nm = (*node)->name;
2531 size_t nmlen = (*node)->namelen;
2532 struct auth_rrset* rrset;
2533 /* find the NSEC for the smallest-or-equal node */
2534 /* if node == NULL, we did not find a smaller name. But the zone
2535 * name is the smallest name and should have an NSEC. So there is
2536 * no NSEC to return (for a properly signed zone) */
2537 /* for empty nonterminals, the auth-data node should not exist,
2538 * and thus we don't need to go rbtree_previous here to find
2539 * a domain with an NSEC record */
2540 /* but there could be glue, and if this is node, then it has no NSEC.
2541 * Go up to find nonglue (previous) NSEC-holding nodes */
2542 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
2543 if(dname_is_root(nm)) return NULL;
2544 if(nmlen == z->namelen) return NULL;
2545 dname_remove_label(&nm, &nmlen);
2546 /* adjust *node for the nsec rrset to find in */
2547 *node = az_find_name(z, nm, nmlen);
2552 /** Find NSEC and add for wildcard denial */
2554 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region,
2555 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen)
2557 struct query_info qinfo;
2559 struct auth_data* node;
2560 struct auth_rrset* nsec;
2561 uint8_t wc[LDNS_MAX_DOMAINLEN];
2562 if(cenmlen+2 > sizeof(wc))
2563 return 0; /* result would be too long */
2564 wc[0] = 1; /* length of wildcard label */
2565 wc[1] = (uint8_t)'*'; /* wildcard label */
2566 memmove(wc+2, cenm, cenmlen);
2568 /* we have '*.ce' in wc wildcard name buffer */
2569 /* get nsec cover for that */
2571 qinfo.qname_len = cenmlen+2;
2574 az_find_domain(z, &qinfo, &node_exact, &node);
2575 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
2576 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
2581 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */
2583 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt,
2586 struct auth_data* apex;
2587 struct auth_rrset* param;
2589 apex = az_find_name(z, z->name, z->namelen);
2591 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM);
2592 if(!param || param->data->count==0)
2593 return 0; /* no RRset or no RRs in rrset */
2594 /* find out which NSEC3PARAM RR has supported parameters */
2595 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */
2596 for(i=0; i<param->data->count; i++) {
2597 uint8_t* rdata = param->data->rr_data[i]+2;
2598 size_t rdatalen = param->data->rr_len[i];
2600 continue; /* too short */
2601 if(!nsec3_hash_algo_size_supported((int)(rdata[0])))
2602 continue; /* unsupported algo */
2603 if(rdatalen < (size_t)(2+5+(size_t)rdata[4]))
2604 continue; /* salt missing */
2605 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0)
2606 continue; /* unknown flags */
2607 *algo = (int)(rdata[0]);
2608 *iter = sldns_read_uint16(rdata+2);
2609 *saltlen = rdata[4];
2612 else *salt = rdata+5;
2615 /* no supported params */
2619 /** Hash a name with nsec3param into buffer, it has zone name appended.
2620 * return length of hash */
2622 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen,
2623 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2625 size_t hlen = nsec3_hash_algo_size_supported(algo);
2626 /* buffer has domain name, nsec3hash, and 256 is for max saltlen
2627 * (salt has 0-255 length) */
2628 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256];
2630 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p))
2633 return 0; /* somehow too large for destination buffer */
2634 /* hashfunc(name, salt) */
2635 memmove(p, nm, nmlen);
2636 query_dname_tolower(p);
2637 if(salt && saltlen > 0)
2638 memmove(p+nmlen, salt, saltlen);
2639 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf);
2640 for(i=0; i<iter; i++) {
2641 /* hashfunc(hash, salt) */
2642 memmove(p, buf, hlen);
2643 if(salt && saltlen > 0)
2644 memmove(p+hlen, salt, saltlen);
2645 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen,
2646 (unsigned char*)buf);
2651 /** Hash name and return b32encoded hashname for lookup, zone name appended */
2653 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen,
2654 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt,
2657 uint8_t hash[N3HASHBUFLEN];
2660 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter,
2664 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */
2666 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1),
2670 hashname[0] = (uint8_t)ret;
2672 if((*hashnmlen) - ret < z->namelen)
2674 memmove(hashname+ret, z->name, z->namelen);
2675 *hashnmlen = z->namelen+(size_t)ret;
2679 /** Find the datanode that covers the nsec3hash-name */
2680 static struct auth_data*
2681 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen)
2683 struct query_info qinfo;
2684 struct auth_data* node;
2688 qinfo.qname = hashnm;
2689 qinfo.qname_len = hashnmlen;
2690 /* because canonical ordering and b32 nsec3 ordering are the same.
2691 * this is a good lookup to find the nsec3 name. */
2692 az_find_domain(z, &qinfo, &node_exact, &node);
2693 /* but we may have to skip non-nsec3 nodes */
2694 /* this may be a lot, the way to speed that up is to have a
2695 * separate nsec3 tree with nsec3 nodes */
2696 while(node && (rbnode_type*)node != RBTREE_NULL &&
2697 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2698 node = (struct auth_data*)rbtree_previous(&node->node);
2700 if((rbnode_type*)node == RBTREE_NULL)
2705 /** Find cover for hashed(nm, nmlen) (or NULL) */
2706 static struct auth_data*
2707 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2708 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2710 struct auth_data* node;
2711 uint8_t hname[LDNS_MAX_DOMAINLEN];
2712 size_t hlen = sizeof(hname);
2713 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2716 node = az_nsec3_findnode(z, hname, hlen);
2719 /* we did not find any, perhaps because the NSEC3 hash is before
2720 * the first hash, we have to find the 'last hash' in the zone */
2721 node = (struct auth_data*)rbtree_last(&z->data);
2722 while(node && (rbnode_type*)node != RBTREE_NULL &&
2723 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2724 node = (struct auth_data*)rbtree_previous(&node->node);
2726 if((rbnode_type*)node == RBTREE_NULL)
2731 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */
2732 static struct auth_data*
2733 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2734 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2736 struct auth_data* node;
2737 uint8_t hname[LDNS_MAX_DOMAINLEN];
2738 size_t hlen = sizeof(hname);
2739 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2742 node = az_find_name(z, hname, hlen);
2743 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3))
2748 /** Return nextcloser name (as a ref into the qname). This is one label
2749 * more than the cenm (cename must be a suffix of qname) */
2751 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len,
2752 uint8_t** nx, size_t* nxlen)
2754 int celabs = dname_count_labels(cenm);
2755 int qlabs = dname_count_labels(qname);
2756 int strip = qlabs - celabs -1;
2757 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs));
2761 dname_remove_labels(nx, nxlen, strip);
2764 /** Find the closest encloser that has exact NSEC3.
2765 * updated cenm to the new name. If it went up no-exact-ce is true. */
2766 static struct auth_data*
2767 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
2768 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen)
2770 struct auth_data* node;
2771 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
2772 algo, iter, salt, saltlen)) == NULL) {
2773 if(*cenmlen == z->namelen) {
2774 /* next step up would take us out of the zone. fail */
2778 dname_remove_label(cenm, cenmlen);
2783 /* Insert NSEC3 record in authority section, if NULL does nothing */
2785 az_nsec3_insert(struct auth_zone* z, struct regional* region,
2786 struct dns_msg* msg, struct auth_data* node)
2788 struct auth_rrset* nsec3;
2789 if(!node) return 1; /* no node, skip this */
2790 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3);
2791 if(!nsec3) return 1; /* if no nsec3 RR, skip it */
2792 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0;
2796 /** add NSEC3 records to the zone for the nsec3 proof.
2797 * Specify with the flags with parts of the proof are required.
2798 * the ce is the exact matching name (for notype) but also delegation points.
2799 * qname is the one where the nextcloser name can be derived from.
2800 * If NSEC3 is not properly there (in the zone) nothing is added.
2801 * always enabled: include nsec3 proving about the Closest Encloser.
2802 * that is an exact match that should exist for it.
2803 * If that does not exist, a higher exact match + nxproof is enabled
2804 * (for some sort of opt-out empty nonterminal cases).
2805 * nodataproof: search for exact match and include that instead.
2806 * ceproof: include ce proof NSEC3 (omitted for wildcard replies).
2807 * nxproof: include denial of the qname.
2808 * wcproof: include denial of wildcard (wildcard.ce).
2811 az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
2812 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
2813 size_t qname_len, int nodataproof, int ceproof, int nxproof,
2817 size_t iter, saltlen;
2819 int no_exact_ce = 0;
2820 struct auth_data* node;
2822 /* find parameters of nsec3 proof */
2823 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
2824 return 1; /* no nsec3 */
2826 /* see if the node has a hash of itself for the nodata
2827 * proof nsec3, this has to be an exact match nsec3. */
2828 struct auth_data* match;
2829 match = az_nsec3_find_exact(z, qname, qname_len, algo,
2830 iter, salt, saltlen);
2832 if(!az_nsec3_insert(z, region, msg, match))
2834 /* only nodata NSEC3 needed, no CE or others. */
2838 /* find ce that has an NSEC3 */
2840 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
2841 algo, iter, salt, saltlen);
2842 if(no_exact_ce) nxproof = 1;
2843 if(!az_nsec3_insert(z, region, msg, node))
2850 /* create nextcloser domain name */
2851 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen);
2852 /* find nsec3 that matches or covers it */
2853 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt,
2855 if(!az_nsec3_insert(z, region, msg, node))
2859 /* create wildcard name *.ce */
2860 uint8_t wc[LDNS_MAX_DOMAINLEN];
2862 if(cenmlen+2 > sizeof(wc))
2863 return 0; /* result would be too long */
2864 wc[0] = 1; /* length of wildcard label */
2865 wc[1] = (uint8_t)'*'; /* wildcard label */
2866 memmove(wc+2, cenm, cenmlen);
2868 /* find nsec3 that matches or covers it */
2869 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt,
2871 if(!az_nsec3_insert(z, region, msg, node))
2877 /** generate answer for positive answer */
2879 az_generate_positive_answer(struct auth_zone* z, struct regional* region,
2880 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
2882 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2883 /* see if we want additional rrs */
2884 if(rrset->type == LDNS_RR_TYPE_MX) {
2885 if(!az_add_additionals_from(z, region, msg, rrset, 2))
2887 } else if(rrset->type == LDNS_RR_TYPE_SRV) {
2888 if(!az_add_additionals_from(z, region, msg, rrset, 6))
2890 } else if(rrset->type == LDNS_RR_TYPE_NS) {
2891 if(!az_add_additionals_from(z, region, msg, rrset, 0))
2897 /** generate answer for type ANY answer */
2899 az_generate_any_answer(struct auth_zone* z, struct regional* region,
2900 struct dns_msg* msg, struct auth_data* node)
2902 struct auth_rrset* rrset;
2904 /* add a couple (at least one) RRs */
2905 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) {
2906 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2909 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) {
2910 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2913 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) {
2914 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2917 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) {
2918 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2921 if(added == 0 && node && node->rrsets) {
2922 if(!msg_add_rrset_an(z, region, msg, node,
2923 node->rrsets)) return 0;
2928 /** follow cname chain and add more data to the answer section */
2930 follow_cname_chain(struct auth_zone* z, uint16_t qtype,
2931 struct regional* region, struct dns_msg* msg,
2932 struct packed_rrset_data* d)
2935 /* see if we can add the target of the CNAME into the answer */
2936 while(maxchain++ < MAX_CNAME_CHAIN) {
2937 struct auth_data* node;
2938 struct auth_rrset* rrset;
2940 /* d has cname rdata */
2941 if(d->count == 0) break; /* no CNAME */
2942 if(d->rr_len[0] < 2+1) break; /* too small */
2943 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0)
2944 break; /* malformed */
2945 if(!dname_subdomain_c(d->rr_data[0]+2, z->name))
2946 break; /* target out of zone */
2947 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL)
2948 break; /* no such target name */
2949 if((rrset=az_domain_rrset(node, qtype))!=NULL) {
2950 /* done we found the target */
2951 if(!msg_add_rrset_an(z, region, msg, node, rrset))
2955 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL)
2956 break; /* no further CNAME chain, notype */
2957 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2963 /** generate answer for cname answer */
2965 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo,
2966 struct regional* region, struct dns_msg* msg,
2967 struct auth_data* node, struct auth_rrset* rrset)
2969 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2970 if(!rrset) return 1;
2971 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data))
2976 /** generate answer for notype answer */
2978 az_generate_notype_answer(struct auth_zone* z, struct regional* region,
2979 struct dns_msg* msg, struct auth_data* node)
2981 struct auth_rrset* rrset;
2982 if(!az_add_negative_soa(z, region, msg)) return 0;
2983 /* DNSSEC denial NSEC */
2984 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) {
2985 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0;
2987 /* DNSSEC denial NSEC3 */
2988 if(!az_add_nsec3_proof(z, region, msg, node->name,
2989 node->namelen, msg->qinfo.qname,
2990 msg->qinfo.qname_len, 1, 1, 0, 0))
2996 /** generate answer for referral answer */
2998 az_generate_referral_answer(struct auth_zone* z, struct regional* region,
2999 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset)
3001 struct auth_rrset* ds, *nsec;
3002 /* turn off AA flag, referral is nonAA because it leaves the zone */
3004 msg->rep->flags &= ~BIT_AA;
3005 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0;
3006 /* add DS or deny it */
3007 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) {
3008 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0;
3011 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) {
3012 if(!msg_add_rrset_ns(z, region, msg, ce, nsec))
3015 if(!az_add_nsec3_proof(z, region, msg, ce->name,
3016 ce->namelen, msg->qinfo.qname,
3017 msg->qinfo.qname_len, 1, 1, 0, 0))
3021 /* add additional rrs for type NS */
3022 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0;
3026 /** generate answer for DNAME answer */
3028 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo,
3029 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3030 struct auth_rrset* rrset)
3033 /* add the DNAME and then a CNAME */
3034 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0;
3035 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region,
3036 msg, ce, rrset)) return 0;
3037 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN)
3039 if(msg->rep->rrset_count == 0 ||
3040 !msg->rep->rrsets[msg->rep->rrset_count-1])
3042 if(!follow_cname_chain(z, qinfo->qtype, region, msg,
3043 (struct packed_rrset_data*)msg->rep->rrsets[
3044 msg->rep->rrset_count-1]->entry.data))
3049 /** generate answer for wildcard answer */
3051 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
3052 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3053 struct auth_data* wildcard, struct auth_data* node)
3055 struct auth_rrset* rrset, *nsec;
3057 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
3058 /* wildcard has type, add it */
3059 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
3061 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3062 msg->qinfo.qname_len, 1);
3063 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) {
3064 /* wildcard has cname instead, do that */
3065 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
3067 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3068 msg->qinfo.qname_len, 1);
3069 if(!follow_cname_chain(z, qinfo->qtype, region, msg,
3072 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) {
3073 /* add ANY rrsets from wildcard node */
3074 if(!az_generate_any_answer(z, region, msg, wildcard))
3076 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3077 msg->qinfo.qname_len, 1);
3079 /* wildcard has nodata, notype answer */
3080 /* call other notype routine for dnssec notype denials */
3081 if(!az_generate_notype_answer(z, region, msg, wildcard))
3083 /* because the notype, there is no positive data with an
3084 * RRSIG that indicates the wildcard position. Thus the
3085 * wildcard qname denial needs to have a CE nsec3. */
3089 /* ce and node for dnssec denial of wildcard original name */
3090 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3091 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3093 uint8_t* wildup = wildcard->name;
3094 size_t wilduplen= wildcard->namelen;
3095 dname_remove_label(&wildup, &wilduplen);
3096 if(!az_add_nsec3_proof(z, region, msg, wildup,
3097 wilduplen, msg->qinfo.qname,
3098 msg->qinfo.qname_len, 0, insert_ce, 1, 0))
3102 /* fixup name of wildcard from *.zone to qname, use already allocated
3103 * pointer to msg qname */
3104 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3105 msg->qinfo.qname_len, 0);
3109 /** generate answer for nxdomain answer */
3111 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
3112 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node)
3114 struct auth_rrset* nsec;
3115 msg->rep->flags |= LDNS_RCODE_NXDOMAIN;
3116 if(!az_add_negative_soa(z, region, msg)) return 0;
3117 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3118 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3119 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name,
3120 ce->namelen)) return 0;
3122 if(!az_add_nsec3_proof(z, region, msg, ce->name,
3123 ce->namelen, msg->qinfo.qname,
3124 msg->qinfo.qname_len, 0, 1, 1, 1))
3130 /** Create answers when an exact match exists for the domain name */
3132 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
3133 struct regional* region, struct dns_msg* msg, struct auth_data* node)
3135 struct auth_rrset* rrset;
3136 /* positive answer, rrset we are looking for exists */
3137 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) {
3138 return az_generate_positive_answer(z, region, msg, node, rrset);
3141 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) {
3142 return az_generate_cname_answer(z, qinfo, region, msg,
3146 if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
3147 return az_generate_any_answer(z, region, msg, node);
3149 /* NOERROR/NODATA (no such type at domain name) */
3150 return az_generate_notype_answer(z, region, msg, node);
3153 /** Generate answer without an existing-node that we can use.
3154 * So it'll be a referral, DNAME or nxdomain */
3156 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
3157 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3158 struct auth_rrset* rrset, struct auth_data* node)
3160 struct auth_data* wildcard;
3162 /* we do not have an exact matching name (that exists) */
3163 /* see if we have a NS or DNAME in the ce */
3164 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) {
3165 return az_generate_referral_answer(z, region, msg, ce, rrset);
3167 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) {
3168 return az_generate_dname_answer(z, qinfo, region, msg, ce,
3171 /* if there is an empty nonterminal, wildcard and nxdomain don't
3172 * happen, it is a notype answer */
3173 if(az_empty_nonterminal(z, qinfo, node)) {
3174 return az_generate_notype_answer(z, region, msg, node);
3176 /* see if we have a wildcard under the ce */
3177 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) {
3178 return az_generate_wildcard_answer(z, qinfo, region, msg,
3179 ce, wildcard, node);
3181 /* generate nxdomain answer */
3182 return az_generate_nxdomain_answer(z, region, msg, ce, node);
3185 /** Lookup answer in a zone. */
3187 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo,
3188 struct regional* region, struct dns_msg** msg, int* fallback)
3190 struct auth_data* node, *ce;
3191 struct auth_rrset* rrset;
3192 int node_exact, node_exists;
3193 /* does the zone want fallback in case of failure? */
3194 *fallback = z->fallback_enabled;
3195 if(!(*msg=msg_create(region, qinfo))) return 0;
3197 /* lookup if there is a matching domain name for the query */
3198 az_find_domain(z, qinfo, &node_exact, &node);
3200 /* see if node exists for generating answers from (i.e. not glue and
3201 * obscured by NS or DNAME or NSEC3-only), and also return the
3202 * closest-encloser from that, closest node that should be used
3203 * to generate answers from that is above the query */
3204 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset);
3206 if(verbosity >= VERB_ALGO) {
3207 char zname[256], qname[256], nname[256], cename[256],
3208 tpstr[32], rrstr[32];
3209 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname,
3211 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr));
3212 sldns_wire2str_dname_buf(z->name, z->namelen, zname,
3215 sldns_wire2str_dname_buf(node->name, node->namelen,
3216 nname, sizeof(nname));
3217 else snprintf(nname, sizeof(nname), "NULL");
3219 sldns_wire2str_dname_buf(ce->name, ce->namelen,
3220 cename, sizeof(cename));
3221 else snprintf(cename, sizeof(cename), "NULL");
3222 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr,
3224 else snprintf(rrstr, sizeof(rrstr), "NULL");
3225 log_info("auth_zone %s query %s %s, domain %s %s %s, "
3226 "ce %s, rrset %s", zname, qname, tpstr, nname,
3227 (node_exact?"exact":"notexact"),
3228 (node_exists?"exist":"notexist"), cename, rrstr);
3232 /* the node is fine, generate answer from node */
3233 return az_generate_answer_with_node(z, qinfo, region, *msg,
3236 return az_generate_answer_nonexistnode(z, qinfo, region, *msg,
3240 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
3241 struct regional* region, struct dns_msg** msg, int* fallback,
3242 uint8_t* dp_nm, size_t dp_nmlen)
3245 struct auth_zone* z;
3246 /* find the zone that should contain the answer. */
3247 lock_rw_rdlock(&az->lock);
3248 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass);
3250 lock_rw_unlock(&az->lock);
3251 /* no auth zone, fallback to internet */
3255 lock_rw_rdlock(&z->lock);
3256 lock_rw_unlock(&az->lock);
3258 /* if not for upstream queries, fallback */
3259 if(!z->for_upstream) {
3260 lock_rw_unlock(&z->lock);
3264 if(z->zone_expired) {
3265 *fallback = z->fallback_enabled;
3266 lock_rw_unlock(&z->lock);
3269 /* see what answer that zone would generate */
3270 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
3271 lock_rw_unlock(&z->lock);
3275 /** encode auth answer */
3277 auth_answer_encode(struct query_info* qinfo, struct module_env* env,
3278 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3279 struct regional* temp, struct dns_msg* msg)
3282 udpsize = edns->udp_size;
3283 edns->edns_version = EDNS_ADVERTISED_VERSION;
3284 edns->udp_size = EDNS_ADVERTISED_SIZE;
3285 edns->ext_rcode = 0;
3286 edns->bits &= EDNS_DO;
3288 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep,
3289 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp)
3290 || !reply_info_answer_encode(qinfo, msg->rep,
3291 *(uint16_t*)sldns_buffer_begin(buf),
3292 sldns_buffer_read_u16_at(buf, 2),
3293 buf, 0, 0, temp, udpsize, edns,
3294 (int)(edns->bits&EDNS_DO), 0)) {
3295 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
3296 *(uint16_t*)sldns_buffer_begin(buf),
3297 sldns_buffer_read_u16_at(buf, 2), edns);
3301 /** encode auth error answer */
3303 auth_error_encode(struct query_info* qinfo, struct module_env* env,
3304 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3305 struct regional* temp, int rcode)
3307 edns->edns_version = EDNS_ADVERTISED_VERSION;
3308 edns->udp_size = EDNS_ADVERTISED_SIZE;
3309 edns->ext_rcode = 0;
3310 edns->bits &= EDNS_DO;
3312 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
3313 rcode, edns, repinfo, temp))
3314 edns->opt_list = NULL;
3315 error_encode(buf, rcode|BIT_AA, qinfo,
3316 *(uint16_t*)sldns_buffer_begin(buf),
3317 sldns_buffer_read_u16_at(buf, 2), edns);
3320 int auth_zones_answer(struct auth_zones* az, struct module_env* env,
3321 struct query_info* qinfo, struct edns_data* edns,
3322 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp)
3324 struct dns_msg* msg = NULL;
3325 struct auth_zone* z;
3329 lock_rw_rdlock(&az->lock);
3330 if(!az->have_downstream) {
3331 /* no downstream auth zones */
3332 lock_rw_unlock(&az->lock);
3335 if(qinfo->qtype == LDNS_RR_TYPE_DS) {
3336 uint8_t* delname = qinfo->qname;
3337 size_t delnamelen = qinfo->qname_len;
3338 dname_remove_label(&delname, &delnamelen);
3339 z = auth_zones_find_zone(az, delname, delnamelen,
3342 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len,
3346 /* no zone above it */
3347 lock_rw_unlock(&az->lock);
3350 lock_rw_rdlock(&z->lock);
3351 lock_rw_unlock(&az->lock);
3352 if(!z->for_downstream) {
3353 lock_rw_unlock(&z->lock);
3356 if(z->zone_expired) {
3357 if(z->fallback_enabled) {
3358 lock_rw_unlock(&z->lock);
3361 lock_rw_unlock(&z->lock);
3362 lock_rw_wrlock(&az->lock);
3363 az->num_query_down++;
3364 lock_rw_unlock(&az->lock);
3365 auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3366 LDNS_RCODE_SERVFAIL);
3370 /* answer it from zone z */
3371 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
3372 lock_rw_unlock(&z->lock);
3373 if(!r && fallback) {
3374 /* fallback to regular answering (recursive) */
3377 lock_rw_wrlock(&az->lock);
3378 az->num_query_down++;
3379 lock_rw_unlock(&az->lock);
3383 auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3384 LDNS_RCODE_SERVFAIL);
3385 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg);
3390 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen,
3394 struct auth_zone* z;
3395 lock_rw_rdlock(&az->lock);
3396 z = auth_zone_find(az, nm, nmlen, dclass);
3398 lock_rw_unlock(&az->lock);
3399 /* no such auth zone, fallback */
3402 lock_rw_rdlock(&z->lock);
3403 lock_rw_unlock(&az->lock);
3404 r = z->fallback_enabled || (!z->for_upstream);
3405 lock_rw_unlock(&z->lock);
3410 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial)
3412 struct query_info q;
3414 memset(&q, 0, sizeof(q));
3415 sldns_buffer_set_position(pkt, 0);
3416 if(!query_info_parse(&q, pkt)) return 0;
3417 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0;
3418 /* skip name of RR in answer section */
3419 if(sldns_buffer_remaining(pkt) < 1) return 0;
3420 if(pkt_dname_len(pkt) == 0) return 0;
3422 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/)
3424 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0;
3425 sldns_buffer_skip(pkt, 2); /* class */
3426 sldns_buffer_skip(pkt, 4); /* ttl */
3427 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */
3428 if(sldns_buffer_remaining(pkt) < rdlen) return 0;
3429 if(rdlen < 22) return 0; /* bad soa length */
3430 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20));
3431 *serial = sldns_buffer_read_u32(pkt);
3432 /* return true when has serial in answer section */
3436 /** see if addr appears in the list */
3438 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr,
3441 struct auth_addr* p;
3442 for(p=list; p; p=p->next) {
3443 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0)
3449 /** check if an address matches a master specification (or one of its
3450 * addresses in the addr list) */
3452 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr,
3453 socklen_t addrlen, struct auth_master** fromhost)
3455 struct sockaddr_storage a;
3458 if(addr_in_list(master->list, addr, addrlen)) {
3462 /* compare address (but not port number, that is the destination
3463 * port of the master, the port number of the received notify is
3464 * allowed to by any port on that master) */
3465 if(extstrtoaddr(master->host, &a, &alen) &&
3466 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) {
3470 /* prefixes, addr/len, like 10.0.0.0/8 */
3471 /* not http and has a / and there is one / */
3472 if(master->allow_notify && !master->http &&
3473 strchr(master->host, '/') != NULL &&
3474 strchr(master->host, '/') == strrchr(master->host, '/') &&
3475 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen,
3476 &net) && alen == addrlen) {
3477 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32),
3478 &a, net, alen) >= net) {
3479 *fromhost = NULL; /* prefix does not have destination
3480 to send the probe or transfer with */
3481 return 1; /* matches the netblock */
3487 /** check access list for notifies */
3489 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr,
3490 socklen_t addrlen, struct auth_master** fromhost)
3492 struct auth_master* p;
3493 for(p=xfr->allow_notify_list; p; p=p->next) {
3494 if(addr_matches_master(p, addr, addrlen, fromhost)) {
3501 /** see if the serial means the zone has to be updated, i.e. the serial
3502 * is newer than the zone serial, or we have no zone */
3504 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial)
3507 return 1; /* no zone, anything is better */
3508 if(xfr->zone_expired)
3509 return 1; /* expired, the sent serial is better than expired
3511 if(compare_serial(xfr->serial, serial) < 0)
3512 return 1; /* our serial is smaller than the sent serial,
3513 the data is newer, fetch it */
3517 /** note notify serial, updates the notify information in the xfr struct */
3519 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial)
3521 if(xfr->notify_received && xfr->notify_has_serial && has_serial) {
3522 /* see if this serial is newer */
3523 if(compare_serial(xfr->notify_serial, serial) < 0)
3524 xfr->notify_serial = serial;
3525 } else if(xfr->notify_received && xfr->notify_has_serial &&
3527 /* remove serial, we have notify without serial */
3528 xfr->notify_has_serial = 0;
3529 xfr->notify_serial = 0;
3530 } else if(xfr->notify_received && !xfr->notify_has_serial) {
3531 /* we already have notify without serial, keep it
3532 * that way; no serial check when current operation
3535 xfr->notify_received = 1;
3536 xfr->notify_has_serial = has_serial;
3537 xfr->notify_serial = serial;
3541 /** process a notify serial, start new probe or note serial. xfr is locked */
3543 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
3544 int has_serial, uint32_t serial, struct auth_master* fromhost)
3546 /* if the serial of notify is older than we have, don't fetch
3547 * a zone, we already have it */
3548 if(has_serial && !xfr_serial_means_update(xfr, serial)) {
3549 lock_basic_unlock(&xfr->lock);
3552 /* start new probe with this addr src, or note serial */
3553 if(!xfr_start_probe(xfr, env, fromhost)) {
3554 /* not started because already in progress, note the serial */
3555 xfr_note_notify_serial(xfr, has_serial, serial);
3556 lock_basic_unlock(&xfr->lock);
3558 /* successful end of start_probe unlocked xfr->lock */
3561 int auth_zones_notify(struct auth_zones* az, struct module_env* env,
3562 uint8_t* nm, size_t nmlen, uint16_t dclass,
3563 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial,
3564 uint32_t serial, int* refused)
3566 struct auth_xfer* xfr;
3567 struct auth_master* fromhost = NULL;
3568 /* see which zone this is */
3569 lock_rw_rdlock(&az->lock);
3570 xfr = auth_xfer_find(az, nm, nmlen, dclass);
3572 lock_rw_unlock(&az->lock);
3573 /* no such zone, refuse the notify */
3577 lock_basic_lock(&xfr->lock);
3578 lock_rw_unlock(&az->lock);
3580 /* check access list for notifies */
3581 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) {
3582 lock_basic_unlock(&xfr->lock);
3583 /* notify not allowed, refuse the notify */
3588 /* process the notify */
3589 xfr_process_notify(xfr, env, has_serial, serial, fromhost);
3593 int auth_zones_startprobesequence(struct auth_zones* az,
3594 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass)
3596 struct auth_xfer* xfr;
3597 lock_rw_rdlock(&az->lock);
3598 xfr = auth_xfer_find(az, nm, nmlen, dclass);
3600 lock_rw_unlock(&az->lock);
3603 lock_basic_lock(&xfr->lock);
3604 lock_rw_unlock(&az->lock);
3606 xfr_process_notify(xfr, env, 0, 0, NULL);
3610 /** set a zone expired */
3612 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env,
3615 struct auth_zone* z;
3618 lock_basic_lock(&xfr->lock);
3619 xfr->zone_expired = expired;
3620 lock_basic_unlock(&xfr->lock);
3622 /* find auth_zone */
3623 lock_rw_rdlock(&env->auth_zones->lock);
3624 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
3627 lock_rw_unlock(&env->auth_zones->lock);
3630 lock_rw_wrlock(&z->lock);
3631 lock_rw_unlock(&env->auth_zones->lock);
3633 /* expire auth_zone */
3634 z->zone_expired = expired;
3635 lock_rw_unlock(&z->lock);
3638 /** find master (from notify or probe) in list of masters */
3639 static struct auth_master*
3640 find_master_by_host(struct auth_master* list, char* host)
3642 struct auth_master* p;
3643 for(p=list; p; p=p->next) {
3644 if(strcmp(p->host, host) == 0)
3650 /** delete the looked up auth_addrs for all the masters in the list */
3652 xfr_masterlist_free_addrs(struct auth_master* list)
3654 struct auth_master* m;
3655 for(m=list; m; m=m->next) {
3657 auth_free_master_addrs(m->list);
3663 /** copy a list of auth_addrs */
3664 static struct auth_addr*
3665 auth_addr_list_copy(struct auth_addr* source)
3667 struct auth_addr* list = NULL, *last = NULL;
3668 struct auth_addr* p;
3669 for(p=source; p; p=p->next) {
3670 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p));
3672 log_err("malloc failure");
3673 auth_free_master_addrs(list);
3677 if(last) last->next = a;
3684 /** copy a master to a new structure, NULL on alloc failure */
3685 static struct auth_master*
3686 auth_master_copy(struct auth_master* o)
3688 struct auth_master* m;
3690 m = (struct auth_master*)memdup(o, sizeof(*o));
3692 log_err("malloc failure");
3697 m->host = strdup(m->host);
3700 log_err("malloc failure");
3705 m->file = strdup(m->file);
3709 log_err("malloc failure");
3714 m->list = auth_addr_list_copy(m->list);
3725 /** copy the master addresses from the task_probe lookups to the allow_notify
3726 * list of masters */
3728 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr)
3730 struct auth_master* list = NULL, *last = NULL;
3731 struct auth_master* p;
3732 /* build up new list with copies */
3733 for(p = xfr->task_probe->masters; p; p=p->next) {
3734 struct auth_master* m = auth_master_copy(p);
3736 auth_free_masters(list);
3737 /* failed because of malloc failure, use old list */
3741 if(last) last->next = m;
3745 /* success, replace list */
3746 auth_free_masters(xfr->allow_notify_list);
3747 xfr->allow_notify_list = list;
3750 /** start the lookups for task_transfer */
3752 xfr_transfer_start_lookups(struct auth_xfer* xfr)
3754 /* delete all the looked up addresses in the list */
3755 xfr->task_transfer->scan_addr = NULL;
3756 xfr_masterlist_free_addrs(xfr->task_transfer->masters);
3758 /* start lookup at the first master */
3759 xfr->task_transfer->lookup_target = xfr->task_transfer->masters;
3760 xfr->task_transfer->lookup_aaaa = 0;
3763 /** move to the next lookup of hostname for task_transfer */
3765 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
3767 if(!xfr->task_transfer->lookup_target)
3768 return; /* already at end of list */
3769 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) {
3770 /* move to lookup AAAA */
3771 xfr->task_transfer->lookup_aaaa = 1;
3774 xfr->task_transfer->lookup_target =
3775 xfr->task_transfer->lookup_target->next;
3776 xfr->task_transfer->lookup_aaaa = 0;
3777 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL)
3778 xfr->task_transfer->lookup_aaaa = 1;
3781 /** start the lookups for task_probe */
3783 xfr_probe_start_lookups(struct auth_xfer* xfr)
3785 /* delete all the looked up addresses in the list */
3786 xfr->task_probe->scan_addr = NULL;
3787 xfr_masterlist_free_addrs(xfr->task_probe->masters);
3789 /* start lookup at the first master */
3790 xfr->task_probe->lookup_target = xfr->task_probe->masters;
3791 xfr->task_probe->lookup_aaaa = 0;
3794 /** move to the next lookup of hostname for task_probe */
3796 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
3798 if(!xfr->task_probe->lookup_target)
3799 return; /* already at end of list */
3800 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) {
3801 /* move to lookup AAAA */
3802 xfr->task_probe->lookup_aaaa = 1;
3805 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next;
3806 xfr->task_probe->lookup_aaaa = 0;
3807 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL)
3808 xfr->task_probe->lookup_aaaa = 1;
3811 /** start the iteration of the task_transfer list of masters */
3813 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec)
3816 xfr->task_transfer->scan_specific = find_master_by_host(
3817 xfr->task_transfer->masters, spec->host);
3818 if(xfr->task_transfer->scan_specific) {
3819 xfr->task_transfer->scan_target = NULL;
3820 xfr->task_transfer->scan_addr = NULL;
3821 if(xfr->task_transfer->scan_specific->list)
3822 xfr->task_transfer->scan_addr =
3823 xfr->task_transfer->scan_specific->list;
3827 /* no specific (notified) host to scan */
3828 xfr->task_transfer->scan_specific = NULL;
3829 xfr->task_transfer->scan_addr = NULL;
3830 /* pick up first scan target */
3831 xfr->task_transfer->scan_target = xfr->task_transfer->masters;
3832 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3834 xfr->task_transfer->scan_addr =
3835 xfr->task_transfer->scan_target->list;
3838 /** start the iteration of the task_probe list of masters */
3840 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec)
3843 xfr->task_probe->scan_specific = find_master_by_host(
3844 xfr->task_probe->masters, spec->host);
3845 if(xfr->task_probe->scan_specific) {
3846 xfr->task_probe->scan_target = NULL;
3847 xfr->task_probe->scan_addr = NULL;
3848 if(xfr->task_probe->scan_specific->list)
3849 xfr->task_probe->scan_addr =
3850 xfr->task_probe->scan_specific->list;
3854 /* no specific (notified) host to scan */
3855 xfr->task_probe->scan_specific = NULL;
3856 xfr->task_probe->scan_addr = NULL;
3857 /* pick up first scan target */
3858 xfr->task_probe->scan_target = xfr->task_probe->masters;
3859 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list)
3860 xfr->task_probe->scan_addr =
3861 xfr->task_probe->scan_target->list;
3864 /** pick up the master that is being scanned right now, task_transfer */
3865 static struct auth_master*
3866 xfr_transfer_current_master(struct auth_xfer* xfr)
3868 if(xfr->task_transfer->scan_specific)
3869 return xfr->task_transfer->scan_specific;
3870 return xfr->task_transfer->scan_target;
3873 /** pick up the master that is being scanned right now, task_probe */
3874 static struct auth_master*
3875 xfr_probe_current_master(struct auth_xfer* xfr)
3877 if(xfr->task_probe->scan_specific)
3878 return xfr->task_probe->scan_specific;
3879 return xfr->task_probe->scan_target;
3882 /** true if at end of list, task_transfer */
3884 xfr_transfer_end_of_list(struct auth_xfer* xfr)
3886 return !xfr->task_transfer->scan_specific &&
3887 !xfr->task_transfer->scan_target;
3890 /** true if at end of list, task_probe */
3892 xfr_probe_end_of_list(struct auth_xfer* xfr)
3894 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target;
3897 /** move to next master in list, task_transfer */
3899 xfr_transfer_nextmaster(struct auth_xfer* xfr)
3901 if(!xfr->task_transfer->scan_specific &&
3902 !xfr->task_transfer->scan_target)
3904 if(xfr->task_transfer->scan_addr) {
3905 xfr->task_transfer->scan_addr =
3906 xfr->task_transfer->scan_addr->next;
3907 if(xfr->task_transfer->scan_addr)
3910 if(xfr->task_transfer->scan_specific) {
3911 xfr->task_transfer->scan_specific = NULL;
3912 xfr->task_transfer->scan_target = xfr->task_transfer->masters;
3913 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3915 xfr->task_transfer->scan_addr =
3916 xfr->task_transfer->scan_target->list;
3919 if(!xfr->task_transfer->scan_target)
3921 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next;
3922 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3924 xfr->task_transfer->scan_addr =
3925 xfr->task_transfer->scan_target->list;
3929 /** move to next master in list, task_probe */
3931 xfr_probe_nextmaster(struct auth_xfer* xfr)
3933 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target)
3935 if(xfr->task_probe->scan_addr) {
3936 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next;
3937 if(xfr->task_probe->scan_addr)
3940 if(xfr->task_probe->scan_specific) {
3941 xfr->task_probe->scan_specific = NULL;
3942 xfr->task_probe->scan_target = xfr->task_probe->masters;
3943 if(xfr->task_probe->scan_target && xfr->task_probe->
3945 xfr->task_probe->scan_addr =
3946 xfr->task_probe->scan_target->list;
3949 if(!xfr->task_probe->scan_target)
3951 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next;
3952 if(xfr->task_probe->scan_target && xfr->task_probe->
3954 xfr->task_probe->scan_addr =
3955 xfr->task_probe->scan_target->list;
3959 /** create SOA probe packet for xfr */
3961 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf,
3964 struct query_info qinfo;
3966 memset(&qinfo, 0, sizeof(qinfo));
3967 qinfo.qname = xfr->name;
3968 qinfo.qname_len = xfr->namelen;
3969 qinfo.qtype = LDNS_RR_TYPE_SOA;
3970 qinfo.qclass = xfr->dclass;
3971 qinfo_query_encode(buf, &qinfo);
3972 sldns_buffer_write_u16_at(buf, 0, id);
3975 /** create IXFR/AXFR packet for xfr */
3977 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id,
3978 struct auth_master* master)
3980 struct query_info qinfo;
3983 have_zone = xfr->have_zone;
3984 serial = xfr->serial;
3986 memset(&qinfo, 0, sizeof(qinfo));
3987 qinfo.qname = xfr->name;
3988 qinfo.qname_len = xfr->namelen;
3989 xfr->task_transfer->got_xfr_serial = 0;
3990 xfr->task_transfer->rr_scan_num = 0;
3991 xfr->task_transfer->incoming_xfr_serial = 0;
3992 xfr->task_transfer->on_ixfr_is_axfr = 0;
3993 xfr->task_transfer->on_ixfr = 1;
3994 qinfo.qtype = LDNS_RR_TYPE_IXFR;
3995 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) {
3996 qinfo.qtype = LDNS_RR_TYPE_AXFR;
3997 xfr->task_transfer->ixfr_fail = 0;
3998 xfr->task_transfer->on_ixfr = 0;
4001 qinfo.qclass = xfr->dclass;
4002 qinfo_query_encode(buf, &qinfo);
4003 sldns_buffer_write_u16_at(buf, 0, id);
4005 /* append serial for IXFR */
4006 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) {
4007 size_t end = sldns_buffer_limit(buf);
4008 sldns_buffer_clear(buf);
4009 sldns_buffer_set_position(buf, end);
4010 /* auth section count 1 */
4011 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1);
4013 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */
4014 sldns_buffer_write_u8(buf, 0x0C);
4015 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA);
4016 sldns_buffer_write_u16(buf, qinfo.qclass);
4017 sldns_buffer_write_u32(buf, 0); /* ttl */
4018 sldns_buffer_write_u16(buf, 22); /* rdata length */
4019 sldns_buffer_write_u8(buf, 0); /* . */
4020 sldns_buffer_write_u8(buf, 0); /* . */
4021 sldns_buffer_write_u32(buf, serial); /* serial */
4022 sldns_buffer_write_u32(buf, 0); /* refresh */
4023 sldns_buffer_write_u32(buf, 0); /* retry */
4024 sldns_buffer_write_u32(buf, 0); /* expire */
4025 sldns_buffer_write_u32(buf, 0); /* minimum */
4026 sldns_buffer_flip(buf);
4030 /** check if returned packet is OK */
4032 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr,
4035 /* parse to see if packet worked, valid reply */
4037 /* check serial number of SOA */
4038 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE)
4042 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id)
4045 /* check flag bits and rcode */
4046 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt)))
4048 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY)
4050 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR)
4054 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1)
4056 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE);
4057 if(sldns_buffer_remaining(pkt) < xfr->namelen)
4059 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0)
4061 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen);
4063 /* check qtype, qclass */
4064 if(sldns_buffer_remaining(pkt) < 4)
4066 if(sldns_buffer_read_u16(pkt) != qtype)
4068 if(sldns_buffer_read_u16(pkt) != xfr->dclass)
4073 /* read serial number, from answer section SOA */
4074 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0)
4076 /* read from first record SOA record */
4077 if(sldns_buffer_remaining(pkt) < 1)
4079 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt),
4082 if(!pkt_dname_len(pkt))
4084 /* type, class, ttl, rdatalen */
4085 if(sldns_buffer_remaining(pkt) < 4+4+2)
4087 if(sldns_buffer_read_u16(pkt) != qtype)
4089 if(sldns_buffer_read_u16(pkt) != xfr->dclass)
4091 sldns_buffer_skip(pkt, 4); /* ttl */
4092 rdlen = sldns_buffer_read_u16(pkt);
4093 if(sldns_buffer_remaining(pkt) < rdlen)
4095 if(sldns_buffer_remaining(pkt) < 1)
4097 if(!pkt_dname_len(pkt)) /* soa name */
4099 if(sldns_buffer_remaining(pkt) < 1)
4101 if(!pkt_dname_len(pkt)) /* soa name */
4103 if(sldns_buffer_remaining(pkt) < 20)
4105 *serial = sldns_buffer_read_u32(pkt);
4110 /** read one line from chunks into buffer at current position */
4112 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos,
4117 /* more text in this chunk? */
4118 if(*chunk_pos < (*chunk)->len) {
4120 while(*chunk_pos < (*chunk)->len) {
4121 char c = (char)((*chunk)->data[*chunk_pos]);
4123 if(sldns_buffer_remaining(buf) < 2) {
4124 /* buffer too short */
4125 verbose(VERB_ALGO, "http chunkline, "
4129 sldns_buffer_write_u8(buf, (uint8_t)c);
4136 /* move to next chunk */
4137 *chunk = (*chunk)->next;
4141 if(readsome) return 1;
4145 /** count number of open and closed parenthesis in a chunkline */
4147 chunkline_count_parens(sldns_buffer* buf, size_t start)
4149 size_t end = sldns_buffer_position(buf);
4152 int squote = 0, dquote = 0;
4153 for(i=start; i<end; i++) {
4154 char c = (char)sldns_buffer_read_u8_at(buf, i);
4155 if(squote && c != '\'') continue;
4156 if(dquote && c != '"') continue;
4158 dquote = !dquote; /* skip quoted part */
4160 squote = !squote; /* skip quoted part */
4166 /* rest is a comment */
4173 /** remove trailing ;... comment from a line in the chunkline buffer */
4175 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start)
4177 size_t end = sldns_buffer_position(buf);
4179 int squote = 0, dquote = 0;
4180 for(i=start; i<end; i++) {
4181 char c = (char)sldns_buffer_read_u8_at(buf, i);
4182 if(squote && c != '\'') continue;
4183 if(dquote && c != '"') continue;
4185 dquote = !dquote; /* skip quoted part */
4187 squote = !squote; /* skip quoted part */
4189 /* rest is a comment */
4190 sldns_buffer_set_position(buf, i);
4194 /* nothing to remove */
4197 /** see if a chunkline is a comment line (or empty line) */
4199 chunkline_is_comment_line_or_empty(sldns_buffer* buf)
4201 size_t i, end = sldns_buffer_limit(buf);
4202 for(i=0; i<end; i++) {
4203 char c = (char)sldns_buffer_read_u8_at(buf, i);
4205 return 1; /* comment */
4206 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n')
4207 return 0; /* not a comment */
4209 return 1; /* empty */
4212 /** find a line with ( ) collated */
4214 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos,
4219 sldns_buffer_clear(buf);
4220 pos = sldns_buffer_position(buf);
4221 if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4222 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4223 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4224 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4225 sldns_buffer_flip(buf);
4228 parens += chunkline_count_parens(buf, pos);
4230 chunkline_remove_trailcomment(buf, pos);
4231 pos = sldns_buffer_position(buf);
4232 if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4233 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4234 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4235 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4236 sldns_buffer_flip(buf);
4239 parens += chunkline_count_parens(buf, pos);
4242 if(sldns_buffer_remaining(buf) < 1) {
4243 verbose(VERB_ALGO, "http chunkline: "
4247 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4248 sldns_buffer_flip(buf);
4252 /** process $ORIGIN for http */
4254 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4256 char* line = (char*)sldns_buffer_begin(buf);
4257 if(strncmp(line, "$ORIGIN", 7) == 0 &&
4258 isspace((unsigned char)line[7])) {
4260 pstate->origin_len = sizeof(pstate->origin);
4261 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8),
4262 pstate->origin, &pstate->origin_len);
4263 if(s) pstate->origin_len = 0;
4269 /** process $TTL for http */
4271 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4273 char* line = (char*)sldns_buffer_begin(buf);
4274 if(strncmp(line, "$TTL", 4) == 0 &&
4275 isspace((unsigned char)line[4])) {
4276 const char* end = NULL;
4277 pstate->default_ttl = sldns_str2period(
4278 sldns_strip_ws(line+5), &end);
4284 /** find noncomment RR line in chunks, collates lines if ( ) format */
4286 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
4287 sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4289 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) {
4290 if(chunkline_is_comment_line_or_empty(buf)) {
4291 /* a comment, go to next line */
4294 if(http_parse_origin(buf, pstate)) {
4295 continue; /* $ORIGIN has been handled */
4297 if(http_parse_ttl(buf, pstate)) {
4298 continue; /* $TTL has been handled */
4302 /* no noncomments, fail */
4306 /** check syntax of chunklist zonefile, parse first RR, return false on
4307 * failure and return a string in the scratch buffer (first RR string)
4310 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf)
4312 uint8_t rr[LDNS_RR_BUF_SIZE];
4313 size_t rr_len, dname_len = 0;
4314 struct sldns_file_parse_state pstate;
4315 struct auth_chunk* chunk;
4318 memset(&pstate, 0, sizeof(pstate));
4319 pstate.default_ttl = 3600;
4320 if(xfr->namelen < sizeof(pstate.origin)) {
4321 pstate.origin_len = xfr->namelen;
4322 memmove(pstate.origin, xfr->name, xfr->namelen);
4324 chunk = xfr->task_transfer->chunks_first;
4326 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) {
4329 rr_len = sizeof(rr);
4330 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len,
4331 &dname_len, pstate.default_ttl,
4332 pstate.origin_len?pstate.origin:NULL, pstate.origin_len,
4333 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len);
4335 log_err("parse failure on first RR[%d]: %s",
4336 LDNS_WIREPARSE_OFFSET(e),
4337 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)));
4340 /* check that class is correct */
4341 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) {
4342 log_err("parse failure: first record in downloaded zonefile "
4343 "from wrong RR class");
4349 /** sum sizes of chunklist */
4351 chunklist_sum(struct auth_chunk* list)
4353 struct auth_chunk* p;
4355 for(p=list; p; p=p->next) {
4361 /** remove newlines from collated line */
4363 chunkline_newline_removal(sldns_buffer* buf)
4365 size_t i, end=sldns_buffer_limit(buf);
4366 for(i=0; i<end; i++) {
4367 char c = (char)sldns_buffer_read_u8_at(buf, i);
4368 if(c == '\n' && i==end-1) {
4369 sldns_buffer_write_u8_at(buf, i, 0);
4370 sldns_buffer_set_limit(buf, end-1);
4374 sldns_buffer_write_u8_at(buf, i, (uint8_t)' ');
4378 /** for http download, parse and add RR to zone */
4380 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z,
4381 sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4383 uint8_t rr[LDNS_RR_BUF_SIZE];
4384 size_t rr_len, dname_len = 0;
4386 char* line = (char*)sldns_buffer_begin(buf);
4387 rr_len = sizeof(rr);
4388 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len,
4389 pstate->default_ttl,
4390 pstate->origin_len?pstate->origin:NULL, pstate->origin_len,
4391 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len);
4393 log_err("%s/%s parse failure RR[%d]: %s in '%s'",
4394 xfr->task_transfer->master->host,
4395 xfr->task_transfer->master->file,
4396 LDNS_WIREPARSE_OFFSET(e),
4397 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)),
4402 return 1; /* empty line or so */
4405 if(dname_len < sizeof(pstate->prev_rr)) {
4406 memmove(pstate->prev_rr, rr, dname_len);
4407 pstate->prev_rr_len = dname_len;
4410 return az_insert_rr(z, rr, rr_len, dname_len, NULL);
4413 /** RR list iterator, returns RRs from answer section one by one from the
4414 * dns packets in the chunklist */
4416 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk,
4417 int* rr_num, size_t* rr_pos)
4419 *rr_chunk = xfr->task_transfer->chunks_first;
4424 /** RR list iterator, see if we are at the end of the list */
4426 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num)
4429 if(rr_chunk->len < LDNS_HEADER_SIZE)
4431 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data))
4433 /* no more RRs in this chunk */
4434 /* continue with next chunk, see if it has RRs */
4435 rr_chunk = rr_chunk->next;
4441 /** RR list iterator, move to next RR */
4443 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num,
4444 size_t* rr_pos, size_t rr_nextpos)
4446 /* already at end of chunks? */
4449 /* move within this chunk */
4450 if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4451 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) {
4453 *rr_pos = rr_nextpos;
4456 /* no more RRs in this chunk */
4457 /* continue with next chunk, see if it has RRs */
4459 *rr_chunk = (*rr_chunk)->next;
4463 if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4464 LDNS_ANCOUNT((*rr_chunk)->data) > 0) {
4467 *rr_chunk = (*rr_chunk)->next;
4471 /** RR iterator, get current RR information, false on parse error */
4473 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num,
4474 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type,
4475 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen,
4476 uint8_t** rr_rdata, size_t* rr_nextpos)
4479 /* integrity checks on position */
4480 if(!rr_chunk) return 0;
4481 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0;
4482 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0;
4483 if(rr_pos >= rr_chunk->len) return 0;
4485 /* fetch rr information */
4486 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4489 /* skip question section */
4490 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE);
4491 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) {
4492 if(pkt_dname_len(&pkt) == 0) return 0;
4493 if(sldns_buffer_remaining(&pkt) < 4) return 0;
4494 sldns_buffer_skip(&pkt, 4); /* type and class */
4497 sldns_buffer_set_position(&pkt, rr_pos);
4499 *rr_dname = sldns_buffer_current(&pkt);
4500 if(pkt_dname_len(&pkt) == 0) return 0;
4501 if(sldns_buffer_remaining(&pkt) < 10) return 0;
4502 *rr_type = sldns_buffer_read_u16(&pkt);
4503 *rr_class = sldns_buffer_read_u16(&pkt);
4504 *rr_ttl = sldns_buffer_read_u32(&pkt);
4505 *rr_rdlen = sldns_buffer_read_u16(&pkt);
4506 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0;
4507 *rr_rdata = sldns_buffer_current(&pkt);
4508 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen));
4509 *rr_nextpos = sldns_buffer_position(&pkt);
4513 /** print log message where we are in parsing the zone transfer */
4515 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk,
4516 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter)
4523 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4524 sldns_buffer_set_position(&pkt, (size_t)(rr_dname -
4525 sldns_buffer_begin(&pkt)));
4526 if((dlen=pkt_dname_len(&pkt)) == 0) return;
4527 if(dlen >= sizeof(buf)) return;
4528 dname_pkt_copy(&pkt, buf, rr_dname);
4529 dname_str(buf, str);
4530 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr));
4531 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter,
4535 /** check that start serial is OK for ixfr. we are at rr_counter == 0,
4536 * and we are going to check rr_counter == 1 (has to be type SOA) serial */
4538 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos,
4539 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class,
4540 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata,
4541 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial)
4543 uint32_t startserial;
4544 /* move forward on RR */
4545 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4546 if(chunk_rrlist_end(rr_chunk, rr_num)) {
4548 verbose(VERB_OPS, "IXFR has no second SOA record");
4551 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4552 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4553 &rr_rdata, &rr_nextpos)) {
4554 verbose(VERB_OPS, "IXFR cannot parse second SOA record");
4555 /* failed to parse RR */
4558 if(rr_type != LDNS_RR_TYPE_SOA) {
4559 verbose(VERB_OPS, "IXFR second record is not type SOA");
4563 verbose(VERB_OPS, "IXFR, second SOA has short rdlength");
4564 return 0; /* bad SOA rdlen */
4566 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4567 if(startserial == transfer_serial) {
4568 /* empty AXFR, not an IXFR */
4569 verbose(VERB_OPS, "IXFR second serial same as first");
4572 if(startserial != xfr_serial) {
4573 /* wrong start serial, it does not match the serial in
4575 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u "
4576 "in memory, rejecting the zone transfer",
4577 (unsigned)startserial, (unsigned)transfer_serial,
4578 (unsigned)xfr_serial);
4581 /* everything OK in second SOA serial */
4585 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */
4587 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z,
4588 struct sldns_buffer* scratch_buffer)
4590 struct auth_chunk* rr_chunk;
4593 uint8_t* rr_dname, *rr_rdata;
4594 uint16_t rr_type, rr_class, rr_rdlen;
4597 int have_transfer_serial = 0;
4598 uint32_t transfer_serial = 0;
4599 size_t rr_counter = 0;
4603 /* start RR iterator over chunklist of packets */
4604 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
4605 while(!chunk_rrlist_end(rr_chunk, rr_num)) {
4606 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4607 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4608 &rr_rdata, &rr_nextpos)) {
4609 /* failed to parse RR */
4612 if(verbosity>=7) log_rrlist_position("apply ixfr",
4613 rr_chunk, rr_dname, rr_type, rr_counter);
4614 /* twiddle add/del mode and check for start and end */
4615 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA)
4617 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) {
4618 /* this is an AXFR returned from the IXFR master */
4619 /* but that should already have been detected, by
4620 * on_ixfr_is_axfr */
4623 if(rr_type == LDNS_RR_TYPE_SOA) {
4625 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
4626 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4627 if(have_transfer_serial == 0) {
4628 have_transfer_serial = 1;
4629 transfer_serial = serial;
4630 delmode = 1; /* gets negated below */
4631 /* check second RR before going any further */
4632 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos,
4633 rr_dname, rr_type, rr_class, rr_ttl,
4634 rr_rdlen, rr_rdata, rr_nextpos,
4635 transfer_serial, xfr->serial)) {
4638 } else if(transfer_serial == serial) {
4639 have_transfer_serial++;
4640 if(rr_counter == 1) {
4641 /* empty AXFR, with SOA; SOA; */
4642 /* should have been detected by
4643 * on_ixfr_is_axfr */
4646 if(have_transfer_serial == 3) {
4647 /* see serial three times for end */
4650 * SOA 1 second RR, followed by del
4651 * SOA 2 followed by add
4652 * SOA 2 followed by del
4653 * SOA 3 followed by add
4655 /* ended by SOA record */
4656 xfr->serial = transfer_serial;
4660 /* twiddle add/del mode */
4661 /* switch from delete part to add part and back again
4662 * just before the soa, it gets deleted and added too
4663 * this means we switch to delete mode for the final
4664 * SOA(so skip that one) */
4667 /* process this RR */
4668 /* if the RR is deleted twice or added twice, then we
4669 * softfail, and continue with the rest of the IXFR, so
4670 * that we serve something fairly nice during the refetch */
4671 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"),
4672 rr_chunk, rr_dname, rr_type, rr_counter);
4674 /* delete this RR */
4676 if(!az_remove_rr_decompress(z, rr_chunk->data,
4677 rr_chunk->len, scratch_buffer, rr_dname,
4678 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4680 /* failed, malloc error or so */
4684 /* it was removal of a nonexisting RR */
4685 if(verbosity>=4) log_rrlist_position(
4686 "IXFR error nonexistent RR",
4687 rr_chunk, rr_dname, rr_type, rr_counter);
4690 } else if(rr_counter != 0) {
4691 /* skip first SOA RR for addition, it is added in
4692 * the addition part near the end of the ixfr, when
4693 * that serial is seen the second time. */
4696 if(!az_insert_rr_decompress(z, rr_chunk->data,
4697 rr_chunk->len, scratch_buffer, rr_dname,
4698 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4700 /* failed, malloc error or so */
4704 /* it was a duplicate */
4705 if(verbosity>=4) log_rrlist_position(
4706 "IXFR error duplicate RR",
4707 rr_chunk, rr_dname, rr_type, rr_counter);
4713 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4716 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone");
4722 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */
4724 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z,
4725 struct sldns_buffer* scratch_buffer)
4727 struct auth_chunk* rr_chunk;
4730 uint8_t* rr_dname, *rr_rdata;
4731 uint16_t rr_type, rr_class, rr_rdlen;
4733 uint32_t serial = 0;
4735 size_t rr_counter = 0;
4736 int have_end_soa = 0;
4738 /* clear the data tree */
4739 traverse_postorder(&z->data, auth_data_del, NULL);
4740 rbtree_init(&z->data, &auth_data_cmp);
4741 /* clear the RPZ policies */
4748 /* insert all RRs in to the zone */
4749 /* insert the SOA only once, skip the last one */
4750 /* start RR iterator over chunklist of packets */
4751 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
4752 while(!chunk_rrlist_end(rr_chunk, rr_num)) {
4753 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4754 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4755 &rr_rdata, &rr_nextpos)) {
4756 /* failed to parse RR */
4759 if(verbosity>=7) log_rrlist_position("apply_axfr",
4760 rr_chunk, rr_dname, rr_type, rr_counter);
4761 if(rr_type == LDNS_RR_TYPE_SOA) {
4762 if(rr_counter != 0) {
4763 /* end of the axfr */
4767 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
4768 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4772 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len,
4773 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl,
4774 rr_rdata, rr_rdlen, NULL)) {
4775 /* failed, malloc error or so */
4780 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4783 log_err("no end SOA record for AXFR");
4787 xfr->serial = serial;
4792 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */
4794 apply_http(struct auth_xfer* xfr, struct auth_zone* z,
4795 struct sldns_buffer* scratch_buffer)
4797 /* parse data in chunks */
4798 /* parse RR's and read into memory. ignore $INCLUDE from the
4800 struct sldns_file_parse_state pstate;
4801 struct auth_chunk* chunk;
4803 memset(&pstate, 0, sizeof(pstate));
4804 pstate.default_ttl = 3600;
4805 if(xfr->namelen < sizeof(pstate.origin)) {
4806 pstate.origin_len = xfr->namelen;
4807 memmove(pstate.origin, xfr->name, xfr->namelen);
4810 if(verbosity >= VERB_ALGO)
4811 verbose(VERB_ALGO, "http download %s of size %d",
4812 xfr->task_transfer->master->file,
4813 (int)chunklist_sum(xfr->task_transfer->chunks_first));
4814 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) {
4816 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) {
4817 memmove(preview, xfr->task_transfer->chunks_first->data,
4819 preview[sizeof(preview)-1]=0;
4821 memmove(preview, xfr->task_transfer->chunks_first->data,
4822 xfr->task_transfer->chunks_first->len);
4823 preview[xfr->task_transfer->chunks_first->len]=0;
4825 log_info("auth zone http downloaded content preview: %s",
4829 /* perhaps a little syntax check before we try to apply the data? */
4830 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) {
4831 log_err("http download %s/%s does not contain a zonefile, "
4832 "but got '%s'", xfr->task_transfer->master->host,
4833 xfr->task_transfer->master->file,
4834 sldns_buffer_begin(scratch_buffer));
4838 /* clear the data tree */
4839 traverse_postorder(&z->data, auth_data_del, NULL);
4840 rbtree_init(&z->data, &auth_data_cmp);
4841 /* clear the RPZ policies */
4848 chunk = xfr->task_transfer->chunks_first;
4851 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) {
4852 /* process this line */
4854 chunkline_newline_removal(scratch_buffer);
4855 if(chunkline_is_comment_line_or_empty(scratch_buffer)) {
4858 /* parse line and add RR */
4859 if(http_parse_origin(scratch_buffer, &pstate)) {
4860 continue; /* $ORIGIN has been handled */
4862 if(http_parse_ttl(scratch_buffer, &pstate)) {
4863 continue; /* $TTL has been handled */
4865 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) {
4866 verbose(VERB_ALGO, "error parsing line [%s:%d] %s",
4867 xfr->task_transfer->master->file,
4869 sldns_buffer_begin(scratch_buffer));
4876 /** write http chunks to zonefile to create downloaded file */
4878 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname)
4881 struct auth_chunk* p;
4882 out = fopen(fname, "w");
4884 log_err("could not open %s: %s", fname, strerror(errno));
4887 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) {
4888 if(!write_out(out, (char*)p->data, p->len)) {
4889 log_err("could not write http download to %s", fname);
4898 /** write to zonefile after zone has been updated */
4900 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
4902 struct config_file* cfg = env->cfg;
4903 struct auth_zone* z;
4906 lock_basic_unlock(&xfr->lock);
4908 /* get lock again, so it is a readlock and concurrently queries
4909 * can be answered */
4910 lock_rw_rdlock(&env->auth_zones->lock);
4911 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
4914 lock_rw_unlock(&env->auth_zones->lock);
4915 /* the zone is gone, ignore xfr results */
4916 lock_basic_lock(&xfr->lock);
4919 lock_rw_rdlock(&z->lock);
4920 lock_basic_lock(&xfr->lock);
4921 lock_rw_unlock(&env->auth_zones->lock);
4923 if(z->zonefile == NULL || z->zonefile[0] == 0) {
4924 lock_rw_unlock(&z->lock);
4925 /* no write needed, no zonefile set */
4928 zfilename = z->zonefile;
4929 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
4930 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
4931 zfilename += strlen(cfg->chrootdir);
4932 if(verbosity >= VERB_ALGO) {
4934 dname_str(z->name, nm);
4935 verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm);
4938 /* write to tempfile first */
4939 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) {
4940 verbose(VERB_ALGO, "tmpfilename too long, cannot update "
4941 " zonefile %s", zfilename);
4942 lock_rw_unlock(&z->lock);
4945 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename,
4946 (unsigned)getpid());
4947 if(xfr->task_transfer->master->http) {
4948 /* use the stored chunk list to write them */
4949 if(!auth_zone_write_chunks(xfr, tmpfile)) {
4951 lock_rw_unlock(&z->lock);
4954 } else if(!auth_zone_write_file(z, tmpfile)) {
4956 lock_rw_unlock(&z->lock);
4959 if(rename(tmpfile, zfilename) < 0) {
4960 log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
4963 lock_rw_unlock(&z->lock);
4966 lock_rw_unlock(&z->lock);
4969 /** process chunk list and update zone in memory,
4970 * return false if it did not work */
4972 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
4975 struct auth_zone* z;
4977 /* obtain locks and structures */
4978 /* release xfr lock, then, while holding az->lock grab both
4979 * z->lock and xfr->lock */
4980 lock_basic_unlock(&xfr->lock);
4981 lock_rw_rdlock(&env->auth_zones->lock);
4982 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
4985 lock_rw_unlock(&env->auth_zones->lock);
4986 /* the zone is gone, ignore xfr results */
4987 lock_basic_lock(&xfr->lock);
4990 lock_rw_wrlock(&z->lock);
4991 lock_basic_lock(&xfr->lock);
4992 lock_rw_unlock(&env->auth_zones->lock);
4995 if(xfr->task_transfer->master->http) {
4996 if(!apply_http(xfr, z, env->scratch_buffer)) {
4997 lock_rw_unlock(&z->lock);
4998 verbose(VERB_ALGO, "http from %s: could not store data",
4999 xfr->task_transfer->master->host);
5002 } else if(xfr->task_transfer->on_ixfr &&
5003 !xfr->task_transfer->on_ixfr_is_axfr) {
5004 if(!apply_ixfr(xfr, z, env->scratch_buffer)) {
5005 lock_rw_unlock(&z->lock);
5006 verbose(VERB_ALGO, "xfr from %s: could not store IXFR"
5007 " data", xfr->task_transfer->master->host);
5012 if(!apply_axfr(xfr, z, env->scratch_buffer)) {
5013 lock_rw_unlock(&z->lock);
5014 verbose(VERB_ALGO, "xfr from %s: could not store AXFR"
5015 " data", xfr->task_transfer->master->host);
5019 xfr->zone_expired = 0;
5020 z->zone_expired = 0;
5021 if(!xfr_find_soa(z, xfr)) {
5022 lock_rw_unlock(&z->lock);
5023 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update"
5024 " (or malformed RR)", xfr->task_transfer->master->host);
5028 xfr->lease_time = *env->now;
5031 rpz_finish_config(z->rpz);
5034 lock_rw_unlock(&z->lock);
5036 if(verbosity >= VERB_QUERY && xfr->have_zone) {
5038 dname_str(xfr->name, zname);
5039 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname,
5040 (unsigned)xfr->serial);
5042 /* see if we need to write to a zonefile */
5043 xfr_write_after_update(xfr, env);
5047 /** disown task_transfer. caller must hold xfr.lock */
5049 xfr_transfer_disown(struct auth_xfer* xfr)
5051 /* remove timer (from this worker's event base) */
5052 comm_timer_delete(xfr->task_transfer->timer);
5053 xfr->task_transfer->timer = NULL;
5054 /* remove the commpoint */
5055 comm_point_delete(xfr->task_transfer->cp);
5056 xfr->task_transfer->cp = NULL;
5057 /* we don't own this item anymore */
5058 xfr->task_transfer->worker = NULL;
5059 xfr->task_transfer->env = NULL;
5062 /** lookup a host name for its addresses, if needed */
5064 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
5066 struct sockaddr_storage addr;
5067 socklen_t addrlen = 0;
5068 struct auth_master* master = xfr->task_transfer->lookup_target;
5069 struct query_info qinfo;
5070 uint16_t qflags = BIT_RD;
5071 uint8_t dname[LDNS_MAX_DOMAINLEN+1];
5072 struct edns_data edns;
5073 sldns_buffer* buf = env->scratch_buffer;
5074 if(!master) return 0;
5075 if(extstrtoaddr(master->host, &addr, &addrlen)) {
5076 /* not needed, host is in IP addr format */
5079 if(master->allow_notify)
5080 return 0; /* allow-notifies are not transferred from, no
5083 /* use mesh_new_callback to probe for non-addr hosts,
5084 * and then wait for them to be looked up (in cache, or query) */
5085 qinfo.qname_len = sizeof(dname);
5086 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
5088 log_err("cannot parse host name of master %s", master->host);
5091 qinfo.qname = dname;
5092 qinfo.qclass = xfr->dclass;
5093 qinfo.qtype = LDNS_RR_TYPE_A;
5094 if(xfr->task_transfer->lookup_aaaa)
5095 qinfo.qtype = LDNS_RR_TYPE_AAAA;
5096 qinfo.local_alias = NULL;
5097 if(verbosity >= VERB_ALGO) {
5099 char buf2[LDNS_MAX_DOMAINLEN+1];
5100 dname_str(xfr->name, buf2);
5101 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
5102 " for task_transfer", buf2);
5103 log_query_info(VERB_ALGO, buf1, &qinfo);
5105 edns.edns_present = 1;
5107 edns.edns_version = 0;
5108 edns.bits = EDNS_DO;
5109 edns.opt_list = NULL;
5110 if(sldns_buffer_capacity(buf) < 65535)
5111 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
5112 else edns.udp_size = 65535;
5114 /* unlock xfr during mesh_new_callback() because the callback can be
5115 * called straight away */
5116 lock_basic_unlock(&xfr->lock);
5117 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
5118 &auth_xfer_transfer_lookup_callback, xfr)) {
5119 lock_basic_lock(&xfr->lock);
5120 log_err("out of memory lookup up master %s", master->host);
5123 lock_basic_lock(&xfr->lock);
5127 /** initiate TCP to the target and fetch zone.
5128 * returns true if that was successfully started, and timeout setup. */
5130 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
5132 struct sockaddr_storage addr;
5133 socklen_t addrlen = 0;
5134 struct auth_master* master = xfr->task_transfer->master;
5135 char *auth_name = NULL;
5138 if(!master) return 0;
5139 if(master->allow_notify) return 0; /* only for notify */
5141 /* get master addr */
5142 if(xfr->task_transfer->scan_addr) {
5143 addrlen = xfr->task_transfer->scan_addr->addrlen;
5144 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen);
5146 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
5147 /* the ones that are not in addr format are supposed
5148 * to be looked up. The lookup has failed however,
5151 dname_str(xfr->name, zname);
5152 log_err("%s: failed lookup, cannot transfer from master %s",
5153 zname, master->host);
5158 /* remove previous TCP connection (if any) */
5159 if(xfr->task_transfer->cp) {
5160 comm_point_delete(xfr->task_transfer->cp);
5161 xfr->task_transfer->cp = NULL;
5163 if(!xfr->task_transfer->timer) {
5164 xfr->task_transfer->timer = comm_timer_create(env->worker_base,
5165 auth_xfer_transfer_timer_callback, xfr);
5166 if(!xfr->task_transfer->timer) {
5167 log_err("malloc failure");
5171 timeout = AUTH_TRANSFER_TIMEOUT;
5173 t.tv_sec = timeout/1000;
5174 t.tv_usec = (timeout%1000)*1000;
5178 /* perform http fetch */
5179 /* store http port number into sockaddr,
5180 * unless someone used unbound's host@port notation */
5181 xfr->task_transfer->on_ixfr = 0;
5182 if(strchr(master->host, '@') == NULL)
5183 sockaddr_store_port(&addr, addrlen, master->port);
5184 xfr->task_transfer->cp = outnet_comm_point_for_http(
5185 env->outnet, auth_xfer_transfer_http_callback, xfr,
5186 &addr, addrlen, -1, master->ssl, master->host,
5188 if(!xfr->task_transfer->cp) {
5189 char zname[255+1], as[256];
5190 dname_str(xfr->name, zname);
5191 addr_to_str(&addr, addrlen, as, sizeof(as));
5192 verbose(VERB_ALGO, "cannot create http cp "
5193 "connection for %s to %s", zname, as);
5196 comm_timer_set(xfr->task_transfer->timer, &t);
5197 if(verbosity >= VERB_ALGO) {
5198 char zname[255+1], as[256];
5199 dname_str(xfr->name, zname);
5200 addr_to_str(&addr, addrlen, as, sizeof(as));
5201 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as);
5206 /* perform AXFR/IXFR */
5207 /* set the packet to be written */
5209 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
5210 xfr_create_ixfr_packet(xfr, env->scratch_buffer,
5211 xfr->task_transfer->id, master);
5214 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet,
5215 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen,
5216 env->scratch_buffer, -1,
5217 auth_name != NULL, auth_name);
5218 if(!xfr->task_transfer->cp) {
5219 char zname[255+1], as[256];
5220 dname_str(xfr->name, zname);
5221 addr_to_str(&addr, addrlen, as, sizeof(as));
5222 verbose(VERB_ALGO, "cannot create tcp cp connection for "
5223 "xfr %s to %s", zname, as);
5226 comm_timer_set(xfr->task_transfer->timer, &t);
5227 if(verbosity >= VERB_ALGO) {
5228 char zname[255+1], as[256];
5229 dname_str(xfr->name, zname);
5230 addr_to_str(&addr, addrlen, as, sizeof(as));
5231 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname,
5232 (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as);
5237 /** perform next lookup, next transfer TCP, or end and resume wait time task */
5239 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
5241 log_assert(xfr->task_transfer->worker == env->worker);
5243 /* are we performing lookups? */
5244 while(xfr->task_transfer->lookup_target) {
5245 if(xfr_transfer_lookup_host(xfr, env)) {
5246 /* wait for lookup to finish,
5247 * note that the hostname may be in unbound's cache
5248 * and we may then get an instant cache response,
5249 * and that calls the callback just like a full
5250 * lookup and lookup failures also call callback */
5251 if(verbosity >= VERB_ALGO) {
5253 dname_str(xfr->name, zname);
5254 verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname);
5256 lock_basic_unlock(&xfr->lock);
5259 xfr_transfer_move_to_next_lookup(xfr, env);
5262 /* initiate TCP and fetch the zone from the master */
5263 /* and set timeout on it */
5264 while(!xfr_transfer_end_of_list(xfr)) {
5265 xfr->task_transfer->master = xfr_transfer_current_master(xfr);
5266 if(xfr_transfer_init_fetch(xfr, env)) {
5267 /* successfully started, wait for callback */
5268 lock_basic_unlock(&xfr->lock);
5271 /* failed to fetch, next master */
5272 xfr_transfer_nextmaster(xfr);
5274 if(verbosity >= VERB_ALGO) {
5276 dname_str(xfr->name, zname);
5277 verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname);
5280 /* we failed to fetch the zone, move to wait task
5281 * use the shorter retry timeout */
5282 xfr_transfer_disown(xfr);
5284 /* pick up the nextprobe task and wait */
5285 if(xfr->task_nextprobe->worker == NULL)
5286 xfr_set_timeout(xfr, env, 1, 0);
5287 lock_basic_unlock(&xfr->lock);
5290 /** add addrs from A or AAAA rrset to the master */
5292 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
5296 struct packed_rrset_data* data;
5297 if(!m || !rrset) return;
5298 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA)
5300 data = (struct packed_rrset_data*)rrset->entry.data;
5301 for(i=0; i<data->count; i++) {
5302 struct auth_addr* a;
5303 size_t len = data->rr_len[i] - 2;
5304 uint8_t* rdata = data->rr_data[i]+2;
5305 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE)
5306 continue; /* wrong length for A */
5307 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE)
5308 continue; /* wrong length for AAAA */
5310 /* add and alloc it */
5311 a = (struct auth_addr*)calloc(1, sizeof(*a));
5313 log_err("out of memory");
5316 if(rrtype == LDNS_RR_TYPE_A) {
5317 struct sockaddr_in* sa;
5318 a->addrlen = (socklen_t)sizeof(*sa);
5319 sa = (struct sockaddr_in*)&a->addr;
5320 sa->sin_family = AF_INET;
5321 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5322 memmove(&sa->sin_addr, rdata, INET_SIZE);
5324 struct sockaddr_in6* sa;
5325 a->addrlen = (socklen_t)sizeof(*sa);
5326 sa = (struct sockaddr_in6*)&a->addr;
5327 sa->sin6_family = AF_INET6;
5328 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5329 memmove(&sa->sin6_addr, rdata, INET6_SIZE);
5331 if(verbosity >= VERB_ALGO) {
5333 addr_to_str(&a->addr, a->addrlen, s, sizeof(s));
5334 verbose(VERB_ALGO, "auth host %s lookup %s",
5337 /* append to list */
5343 /** callback for task_transfer lookup of host name, of A or AAAA */
5344 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
5345 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
5346 int ATTR_UNUSED(was_ratelimited))
5348 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5349 struct module_env* env;
5350 log_assert(xfr->task_transfer);
5351 lock_basic_lock(&xfr->lock);
5352 env = xfr->task_transfer->env;
5353 if(!env || env->outnet->want_to_quit) {
5354 lock_basic_unlock(&xfr->lock);
5355 return; /* stop on quit */
5358 /* process result */
5359 if(rcode == LDNS_RCODE_NOERROR) {
5360 uint16_t wanted_qtype = LDNS_RR_TYPE_A;
5361 struct regional* temp = env->scratch;
5362 struct query_info rq;
5363 struct reply_info* rep;
5364 if(xfr->task_transfer->lookup_aaaa)
5365 wanted_qtype = LDNS_RR_TYPE_AAAA;
5366 memset(&rq, 0, sizeof(rq));
5367 rep = parse_reply_in_temp_region(buf, temp, &rq);
5368 if(rep && rq.qtype == wanted_qtype &&
5369 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
5370 /* parsed successfully */
5371 struct ub_packed_rrset_key* answer =
5372 reply_find_answer_rrset(&rq, rep);
5374 xfr_master_add_addrs(xfr->task_transfer->
5375 lookup_target, answer, wanted_qtype);
5377 if(verbosity >= VERB_ALGO) {
5379 dname_str(xfr->name, zname);
5380 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5384 if(verbosity >= VERB_ALGO) {
5386 dname_str(xfr->name, zname);
5387 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5391 if(verbosity >= VERB_ALGO) {
5393 dname_str(xfr->name, zname);
5394 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5397 if(xfr->task_transfer->lookup_target->list &&
5398 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr))
5399 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list;
5401 /* move to lookup AAAA after A lookup, move to next hostname lookup,
5402 * or move to fetch the zone, or, if nothing to do, end task_transfer */
5403 xfr_transfer_move_to_next_lookup(xfr, env);
5404 xfr_transfer_nexttarget_or_end(xfr, env);
5407 /** check if xfer (AXFR or IXFR) packet is OK.
5408 * return false if we lost connection (SERVFAIL, or unreadable).
5409 * return false if we need to move from IXFR to AXFR, with gonextonfail
5410 * set to false, so the same master is tried again, but with AXFR.
5411 * return true if fine to link into data.
5412 * return true with transferdone=true when the transfer has ended.
5415 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr,
5416 int* gonextonfail, int* transferdone)
5418 uint8_t* wire = sldns_buffer_begin(pkt);
5420 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
5421 verbose(VERB_ALGO, "xfr to %s failed, packet too small",
5422 xfr->task_transfer->master->host);
5425 if(!LDNS_QR_WIRE(wire)) {
5426 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag",
5427 xfr->task_transfer->master->host);
5430 if(LDNS_TC_WIRE(wire)) {
5431 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag",
5432 xfr->task_transfer->master->host);
5436 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) {
5437 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID",
5438 xfr->task_transfer->master->host);
5441 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) {
5443 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode,
5445 /* if we are doing IXFR, check for fallback */
5446 if(xfr->task_transfer->on_ixfr) {
5447 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL ||
5448 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL ||
5449 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED ||
5450 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) {
5451 verbose(VERB_ALGO, "xfr to %s, fallback "
5452 "from IXFR to AXFR (with rcode %s)",
5453 xfr->task_transfer->master->host,
5455 xfr->task_transfer->ixfr_fail = 1;
5460 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s",
5461 xfr->task_transfer->master->host, rcode);
5464 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) {
5465 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode",
5466 xfr->task_transfer->master->host);
5469 if(LDNS_QDCOUNT(wire) > 1) {
5470 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d",
5471 xfr->task_transfer->master->host,
5472 (int)LDNS_QDCOUNT(wire));
5477 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE);
5478 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) {
5479 size_t pos = sldns_buffer_position(pkt);
5480 uint16_t qtype, qclass;
5481 if(pkt_dname_len(pkt) == 0) {
5482 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5484 xfr->task_transfer->master->host);
5487 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5489 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5491 xfr->task_transfer->master->host);
5494 if(sldns_buffer_remaining(pkt) < 4) {
5495 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5496 "truncated query RR",
5497 xfr->task_transfer->master->host);
5500 qtype = sldns_buffer_read_u16(pkt);
5501 qclass = sldns_buffer_read_u16(pkt);
5502 if(qclass != xfr->dclass) {
5503 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5505 xfr->task_transfer->master->host);
5508 if(xfr->task_transfer->on_ixfr) {
5509 if(qtype != LDNS_RR_TYPE_IXFR) {
5510 verbose(VERB_ALGO, "xfr to %s failed, packet "
5511 "with wrong qtype, expected IXFR",
5512 xfr->task_transfer->master->host);
5516 if(qtype != LDNS_RR_TYPE_AXFR) {
5517 verbose(VERB_ALGO, "xfr to %s failed, packet "
5518 "with wrong qtype, expected AXFR",
5519 xfr->task_transfer->master->host);
5525 /* check parse of RRs in packet, store first SOA serial
5526 * to be able to detect last SOA (with that serial) to see if done */
5527 /* also check for IXFR 'zone up to date' reply */
5528 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) {
5529 size_t pos = sldns_buffer_position(pkt);
5531 if(pkt_dname_len(pkt) == 0) {
5532 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5533 "malformed dname in answer section",
5534 xfr->task_transfer->master->host);
5537 if(sldns_buffer_remaining(pkt) < 10) {
5538 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5540 xfr->task_transfer->master->host);
5543 tp = sldns_buffer_read_u16(pkt);
5544 (void)sldns_buffer_read_u16(pkt); /* class */
5545 (void)sldns_buffer_read_u32(pkt); /* ttl */
5546 rdlen = sldns_buffer_read_u16(pkt);
5547 if(sldns_buffer_remaining(pkt) < rdlen) {
5548 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5549 "truncated RR rdata",
5550 xfr->task_transfer->master->host);
5554 /* RR parses (haven't checked rdata itself), now look at
5555 * SOA records to see serial number */
5556 if(xfr->task_transfer->rr_scan_num == 0 &&
5557 tp != LDNS_RR_TYPE_SOA) {
5558 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5559 "malformed zone transfer, no start SOA",
5560 xfr->task_transfer->master->host);
5563 if(xfr->task_transfer->rr_scan_num == 1 &&
5564 tp != LDNS_RR_TYPE_SOA) {
5565 /* second RR is not a SOA record, this is not an IXFR
5566 * the master is replying with an AXFR */
5567 xfr->task_transfer->on_ixfr_is_axfr = 1;
5569 if(tp == LDNS_RR_TYPE_SOA) {
5572 verbose(VERB_ALGO, "xfr to %s failed, packet "
5573 "with SOA with malformed rdata",
5574 xfr->task_transfer->master->host);
5577 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5579 verbose(VERB_ALGO, "xfr to %s failed, packet "
5580 "with SOA with wrong dname",
5581 xfr->task_transfer->master->host);
5585 /* read serial number of SOA */
5586 serial = sldns_buffer_read_u32_at(pkt,
5587 sldns_buffer_position(pkt)+rdlen-20);
5589 /* check for IXFR 'zone has SOA x' reply */
5590 if(xfr->task_transfer->on_ixfr &&
5591 xfr->task_transfer->rr_scan_num == 0 &&
5592 LDNS_ANCOUNT(wire)==1) {
5593 verbose(VERB_ALGO, "xfr to %s ended, "
5594 "IXFR reply that zone has serial %u,"
5595 " fallback from IXFR to AXFR",
5596 xfr->task_transfer->master->host,
5598 xfr->task_transfer->ixfr_fail = 1;
5603 /* if first SOA, store serial number */
5604 if(xfr->task_transfer->got_xfr_serial == 0) {
5605 xfr->task_transfer->got_xfr_serial = 1;
5606 xfr->task_transfer->incoming_xfr_serial =
5608 verbose(VERB_ALGO, "xfr %s: contains "
5610 xfr->task_transfer->master->host,
5612 /* see if end of AXFR */
5613 } else if(!xfr->task_transfer->on_ixfr ||
5614 xfr->task_transfer->on_ixfr_is_axfr) {
5615 /* second SOA with serial is the end
5618 verbose(VERB_ALGO, "xfr %s: last AXFR packet",
5619 xfr->task_transfer->master->host);
5620 /* for IXFR, count SOA records with that serial */
5621 } else if(xfr->task_transfer->incoming_xfr_serial ==
5622 serial && xfr->task_transfer->got_xfr_serial
5624 xfr->task_transfer->got_xfr_serial++;
5625 /* if not first soa, if serial==firstserial, the
5626 * third time we are at the end, for IXFR */
5627 } else if(xfr->task_transfer->incoming_xfr_serial ==
5628 serial && xfr->task_transfer->got_xfr_serial
5630 verbose(VERB_ALGO, "xfr %s: last IXFR packet",
5631 xfr->task_transfer->master->host);
5633 /* continue parse check, if that succeeds,
5634 * transfer is done */
5637 xfr->task_transfer->rr_scan_num++;
5639 /* skip over RR rdata to go to the next RR */
5640 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5643 /* check authority section */
5644 /* we skip over the RRs checking packet format */
5645 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) {
5647 if(pkt_dname_len(pkt) == 0) {
5648 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5649 "malformed dname in authority section",
5650 xfr->task_transfer->master->host);
5653 if(sldns_buffer_remaining(pkt) < 10) {
5654 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5656 xfr->task_transfer->master->host);
5659 (void)sldns_buffer_read_u16(pkt); /* type */
5660 (void)sldns_buffer_read_u16(pkt); /* class */
5661 (void)sldns_buffer_read_u32(pkt); /* ttl */
5662 rdlen = sldns_buffer_read_u16(pkt);
5663 if(sldns_buffer_remaining(pkt) < rdlen) {
5664 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5665 "truncated RR rdata",
5666 xfr->task_transfer->master->host);
5669 /* skip over RR rdata to go to the next RR */
5670 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5673 /* check additional section */
5674 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) {
5676 if(pkt_dname_len(pkt) == 0) {
5677 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5678 "malformed dname in additional section",
5679 xfr->task_transfer->master->host);
5682 if(sldns_buffer_remaining(pkt) < 10) {
5683 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5685 xfr->task_transfer->master->host);
5688 (void)sldns_buffer_read_u16(pkt); /* type */
5689 (void)sldns_buffer_read_u16(pkt); /* class */
5690 (void)sldns_buffer_read_u32(pkt); /* ttl */
5691 rdlen = sldns_buffer_read_u16(pkt);
5692 if(sldns_buffer_remaining(pkt) < rdlen) {
5693 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5694 "truncated RR rdata",
5695 xfr->task_transfer->master->host);
5698 /* skip over RR rdata to go to the next RR */
5699 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5705 /** Link the data from this packet into the worklist of transferred data */
5707 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr)
5710 struct auth_chunk* e;
5711 e = (struct auth_chunk*)calloc(1, sizeof(*e));
5714 e->len = sldns_buffer_limit(pkt);
5715 e->data = memdup(sldns_buffer_begin(pkt), e->len);
5721 /* alloc succeeded, link into list */
5722 if(!xfr->task_transfer->chunks_first)
5723 xfr->task_transfer->chunks_first = e;
5724 if(xfr->task_transfer->chunks_last)
5725 xfr->task_transfer->chunks_last->next = e;
5726 xfr->task_transfer->chunks_last = e;
5730 /** task transfer. the list of data is complete. process it and if failed
5731 * move to next master, if succeeded, end the task transfer */
5733 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env)
5736 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) {
5738 auth_chunks_delete(xfr->task_transfer);
5740 /* we fetched the zone, move to wait task */
5741 xfr_transfer_disown(xfr);
5743 if(xfr->notify_received && (!xfr->notify_has_serial ||
5744 (xfr->notify_has_serial &&
5745 xfr_serial_means_update(xfr, xfr->notify_serial)))) {
5746 uint32_t sr = xfr->notify_serial;
5747 int has_sr = xfr->notify_has_serial;
5748 /* we received a notify while probe/transfer was
5749 * in progress. start a new probe and transfer */
5750 xfr->notify_received = 0;
5751 xfr->notify_has_serial = 0;
5752 xfr->notify_serial = 0;
5753 if(!xfr_start_probe(xfr, env, NULL)) {
5754 /* if we couldn't start it, already in
5755 * progress; restore notify serial,
5756 * while xfr still locked */
5757 xfr->notify_received = 1;
5758 xfr->notify_has_serial = has_sr;
5759 xfr->notify_serial = sr;
5760 lock_basic_unlock(&xfr->lock);
5764 /* pick up the nextprobe task and wait (normail wait time) */
5765 if(xfr->task_nextprobe->worker == NULL)
5766 xfr_set_timeout(xfr, env, 0, 0);
5768 lock_basic_unlock(&xfr->lock);
5771 /* processing failed */
5772 /* when done, delete data from list */
5773 auth_chunks_delete(xfr->task_transfer);
5775 xfr->task_transfer->ixfr_fail = 1;
5777 xfr_transfer_nextmaster(xfr);
5779 xfr_transfer_nexttarget_or_end(xfr, env);
5782 /** callback for the task_transfer timer */
5784 auth_xfer_transfer_timer_callback(void* arg)
5786 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5787 struct module_env* env;
5788 int gonextonfail = 1;
5789 log_assert(xfr->task_transfer);
5790 lock_basic_lock(&xfr->lock);
5791 env = xfr->task_transfer->env;
5792 if(!env || env->outnet->want_to_quit) {
5793 lock_basic_unlock(&xfr->lock);
5794 return; /* stop on quit */
5797 verbose(VERB_ALGO, "xfr stopped, connection timeout to %s",
5798 xfr->task_transfer->master->host);
5800 /* see if IXFR caused the failure, if so, try AXFR */
5801 if(xfr->task_transfer->on_ixfr) {
5802 xfr->task_transfer->ixfr_possible_timeout_count++;
5803 if(xfr->task_transfer->ixfr_possible_timeout_count >=
5804 NUM_TIMEOUTS_FALLBACK_IXFR) {
5805 verbose(VERB_ALGO, "xfr to %s, fallback "
5806 "from IXFR to AXFR (because of timeouts)",
5807 xfr->task_transfer->master->host);
5808 xfr->task_transfer->ixfr_fail = 1;
5813 /* delete transferred data from list */
5814 auth_chunks_delete(xfr->task_transfer);
5815 comm_point_delete(xfr->task_transfer->cp);
5816 xfr->task_transfer->cp = NULL;
5818 xfr_transfer_nextmaster(xfr);
5819 xfr_transfer_nexttarget_or_end(xfr, env);
5822 /** callback for task_transfer tcp connections */
5824 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
5825 struct comm_reply* ATTR_UNUSED(repinfo))
5827 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5828 struct module_env* env;
5829 int gonextonfail = 1;
5830 int transferdone = 0;
5831 log_assert(xfr->task_transfer);
5832 lock_basic_lock(&xfr->lock);
5833 env = xfr->task_transfer->env;
5834 if(!env || env->outnet->want_to_quit) {
5835 lock_basic_unlock(&xfr->lock);
5836 return 0; /* stop on quit */
5838 /* stop the timer */
5839 comm_timer_disable(xfr->task_transfer->timer);
5841 if(err != NETEVENT_NOERROR) {
5842 /* connection failed, closed, or timeout */
5843 /* stop this transfer, cleanup
5844 * and continue task_transfer*/
5845 verbose(VERB_ALGO, "xfr stopped, connection lost to %s",
5846 xfr->task_transfer->master->host);
5848 /* see if IXFR caused the failure, if so, try AXFR */
5849 if(xfr->task_transfer->on_ixfr) {
5850 xfr->task_transfer->ixfr_possible_timeout_count++;
5851 if(xfr->task_transfer->ixfr_possible_timeout_count >=
5852 NUM_TIMEOUTS_FALLBACK_IXFR) {
5853 verbose(VERB_ALGO, "xfr to %s, fallback "
5854 "from IXFR to AXFR (because of timeouts)",
5855 xfr->task_transfer->master->host);
5856 xfr->task_transfer->ixfr_fail = 1;
5862 /* delete transferred data from list */
5863 auth_chunks_delete(xfr->task_transfer);
5864 comm_point_delete(xfr->task_transfer->cp);
5865 xfr->task_transfer->cp = NULL;
5867 xfr_transfer_nextmaster(xfr);
5868 xfr_transfer_nexttarget_or_end(xfr, env);
5871 /* note that IXFR worked without timeout */
5872 if(xfr->task_transfer->on_ixfr)
5873 xfr->task_transfer->ixfr_possible_timeout_count = 0;
5875 /* handle returned packet */
5876 /* if it fails, cleanup and end this transfer */
5877 /* if it needs to fallback from IXFR to AXFR, do that */
5878 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) {
5881 /* if it is good, link it into the list of data */
5882 /* if the link into list of data fails (malloc fail) cleanup and end */
5883 if(!xfer_link_data(c->buffer, xfr)) {
5884 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed",
5885 xfr->task_transfer->master->host);
5888 /* if the transfer is done now, disconnect and process the list */
5890 comm_point_delete(xfr->task_transfer->cp);
5891 xfr->task_transfer->cp = NULL;
5892 process_list_end_transfer(xfr, env);
5896 /* if we want to read more messages, setup the commpoint to read
5897 * a DNS packet, and the timeout */
5898 lock_basic_unlock(&xfr->lock);
5899 c->tcp_is_reading = 1;
5900 sldns_buffer_clear(c->buffer);
5901 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
5905 /** callback for task_transfer http connections */
5907 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
5908 struct comm_reply* repinfo)
5910 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5911 struct module_env* env;
5912 log_assert(xfr->task_transfer);
5913 lock_basic_lock(&xfr->lock);
5914 env = xfr->task_transfer->env;
5915 if(!env || env->outnet->want_to_quit) {
5916 lock_basic_unlock(&xfr->lock);
5917 return 0; /* stop on quit */
5919 verbose(VERB_ALGO, "auth zone transfer http callback");
5920 /* stop the timer */
5921 comm_timer_disable(xfr->task_transfer->timer);
5923 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) {
5924 /* connection failed, closed, or timeout */
5925 /* stop this transfer, cleanup
5926 * and continue task_transfer*/
5927 verbose(VERB_ALGO, "http stopped, connection lost to %s",
5928 xfr->task_transfer->master->host);
5930 /* delete transferred data from list */
5931 auth_chunks_delete(xfr->task_transfer);
5932 if(repinfo) repinfo->c = NULL; /* signal cp deleted to
5933 the routine calling this callback */
5934 comm_point_delete(xfr->task_transfer->cp);
5935 xfr->task_transfer->cp = NULL;
5936 xfr_transfer_nextmaster(xfr);
5937 xfr_transfer_nexttarget_or_end(xfr, env);
5941 /* if it is good, link it into the list of data */
5942 /* if the link into list of data fails (malloc fail) cleanup and end */
5943 if(sldns_buffer_limit(c->buffer) > 0) {
5944 verbose(VERB_ALGO, "auth zone http queued up %d bytes",
5945 (int)sldns_buffer_limit(c->buffer));
5946 if(!xfer_link_data(c->buffer, xfr)) {
5947 verbose(VERB_ALGO, "http stopped to %s, malloc failed",
5948 xfr->task_transfer->master->host);
5952 /* if the transfer is done now, disconnect and process the list */
5953 if(err == NETEVENT_DONE) {
5954 if(repinfo) repinfo->c = NULL; /* signal cp deleted to
5955 the routine calling this callback */
5956 comm_point_delete(xfr->task_transfer->cp);
5957 xfr->task_transfer->cp = NULL;
5958 process_list_end_transfer(xfr, env);
5962 /* if we want to read more messages, setup the commpoint to read
5963 * a DNS packet, and the timeout */
5964 lock_basic_unlock(&xfr->lock);
5965 c->tcp_is_reading = 1;
5966 sldns_buffer_clear(c->buffer);
5967 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
5972 /** start transfer task by this worker , xfr is locked. */
5974 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env,
5975 struct auth_master* master)
5977 log_assert(xfr->task_transfer != NULL);
5978 log_assert(xfr->task_transfer->worker == NULL);
5979 log_assert(xfr->task_transfer->chunks_first == NULL);
5980 log_assert(xfr->task_transfer->chunks_last == NULL);
5981 xfr->task_transfer->worker = env->worker;
5982 xfr->task_transfer->env = env;
5984 /* init transfer process */
5985 /* find that master in the transfer's list of masters? */
5986 xfr_transfer_start_list(xfr, master);
5987 /* start lookup for hostnames in transfer master list */
5988 xfr_transfer_start_lookups(xfr);
5990 /* initiate TCP, and set timeout on it */
5991 xfr_transfer_nexttarget_or_end(xfr, env);
5994 /** disown task_probe. caller must hold xfr.lock */
5996 xfr_probe_disown(struct auth_xfer* xfr)
5998 /* remove timer (from this worker's event base) */
5999 comm_timer_delete(xfr->task_probe->timer);
6000 xfr->task_probe->timer = NULL;
6001 /* remove the commpoint */
6002 comm_point_delete(xfr->task_probe->cp);
6003 xfr->task_probe->cp = NULL;
6004 /* we don't own this item anymore */
6005 xfr->task_probe->worker = NULL;
6006 xfr->task_probe->env = NULL;
6009 /** send the UDP probe to the master, this is part of task_probe */
6011 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
6014 struct sockaddr_storage addr;
6015 socklen_t addrlen = 0;
6018 struct auth_master* master = xfr_probe_current_master(xfr);
6019 char *auth_name = NULL;
6020 if(!master) return 0;
6021 if(master->allow_notify) return 0; /* only for notify */
6022 if(master->http) return 0; /* only masters get SOA UDP probe,
6023 not urls, if those are in this list */
6025 /* get master addr */
6026 if(xfr->task_probe->scan_addr) {
6027 addrlen = xfr->task_probe->scan_addr->addrlen;
6028 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen);
6030 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
6031 /* the ones that are not in addr format are supposed
6032 * to be looked up. The lookup has failed however,
6035 dname_str(xfr->name, zname);
6036 log_err("%s: failed lookup, cannot probe to master %s",
6037 zname, master->host);
6040 if (auth_name != NULL) {
6041 if (addr.ss_family == AF_INET
6042 && (int)ntohs(((struct sockaddr_in *)&addr)->sin_port)
6043 == env->cfg->ssl_port)
6044 ((struct sockaddr_in *)&addr)->sin_port
6045 = htons((uint16_t)env->cfg->port);
6046 else if (addr.ss_family == AF_INET6
6047 && (int)ntohs(((struct sockaddr_in6 *)&addr)->sin6_port)
6048 == env->cfg->ssl_port)
6049 ((struct sockaddr_in6 *)&addr)->sin6_port
6050 = htons((uint16_t)env->cfg->port);
6055 /* create new ID for new probes, but not on timeout retries,
6056 * this means we'll accept replies to previous retries to same ip */
6057 if(timeout == AUTH_PROBE_TIMEOUT)
6058 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
6059 xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
6060 xfr->task_probe->id);
6061 /* we need to remove the cp if we have a different ip4/ip6 type now */
6062 if(xfr->task_probe->cp &&
6063 ((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) ||
6064 (!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen)))
6066 comm_point_delete(xfr->task_probe->cp);
6067 xfr->task_probe->cp = NULL;
6069 if(!xfr->task_probe->cp) {
6070 if(addr_is_ip6(&addr, addrlen))
6071 xfr->task_probe->cp_is_ip6 = 1;
6072 else xfr->task_probe->cp_is_ip6 = 0;
6073 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet,
6074 auth_xfer_probe_udp_callback, xfr, &addr, addrlen);
6075 if(!xfr->task_probe->cp) {
6076 char zname[255+1], as[256];
6077 dname_str(xfr->name, zname);
6078 addr_to_str(&addr, addrlen, as, sizeof(as));
6079 verbose(VERB_ALGO, "cannot create udp cp for "
6080 "probe %s to %s", zname, as);
6084 if(!xfr->task_probe->timer) {
6085 xfr->task_probe->timer = comm_timer_create(env->worker_base,
6086 auth_xfer_probe_timer_callback, xfr);
6087 if(!xfr->task_probe->timer) {
6088 log_err("malloc failure");
6093 /* send udp packet */
6094 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
6095 (struct sockaddr*)&addr, addrlen)) {
6096 char zname[255+1], as[256];
6097 dname_str(xfr->name, zname);
6098 addr_to_str(&addr, addrlen, as, sizeof(as));
6099 verbose(VERB_ALGO, "failed to send soa probe for %s to %s",
6103 if(verbosity >= VERB_ALGO) {
6104 char zname[255+1], as[256];
6105 dname_str(xfr->name, zname);
6106 addr_to_str(&addr, addrlen, as, sizeof(as));
6107 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname,
6110 xfr->task_probe->timeout = timeout;
6112 t.tv_sec = timeout/1000;
6113 t.tv_usec = (timeout%1000)*1000;
6115 comm_timer_set(xfr->task_probe->timer, &t);
6120 /** callback for task_probe timer */
6122 auth_xfer_probe_timer_callback(void* arg)
6124 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6125 struct module_env* env;
6126 log_assert(xfr->task_probe);
6127 lock_basic_lock(&xfr->lock);
6128 env = xfr->task_probe->env;
6129 if(!env || env->outnet->want_to_quit) {
6130 lock_basic_unlock(&xfr->lock);
6131 return; /* stop on quit */
6134 if(verbosity >= VERB_ALGO) {
6136 dname_str(xfr->name, zname);
6137 verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname);
6139 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) {
6140 /* try again with bigger timeout */
6141 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) {
6142 lock_basic_unlock(&xfr->lock);
6146 /* delete commpoint so a new one is created, with a fresh port nr */
6147 comm_point_delete(xfr->task_probe->cp);
6148 xfr->task_probe->cp = NULL;
6150 /* too many timeouts (or fail to send), move to next or end */
6151 xfr_probe_nextmaster(xfr);
6152 xfr_probe_send_or_end(xfr, env);
6155 /** callback for task_probe udp packets */
6157 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
6158 struct comm_reply* repinfo)
6160 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6161 struct module_env* env;
6162 log_assert(xfr->task_probe);
6163 lock_basic_lock(&xfr->lock);
6164 env = xfr->task_probe->env;
6165 if(!env || env->outnet->want_to_quit) {
6166 lock_basic_unlock(&xfr->lock);
6167 return 0; /* stop on quit */
6170 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT
6171 * and we set rep.c=NULL to stop if from looking inside the commpoint*/
6173 /* stop the timer */
6174 comm_timer_disable(xfr->task_probe->timer);
6176 /* see if we got a packet and what that means */
6177 if(err == NETEVENT_NOERROR) {
6178 uint32_t serial = 0;
6179 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr,
6181 /* successful lookup */
6182 if(verbosity >= VERB_ALGO) {
6184 dname_str(xfr->name, buf);
6185 verbose(VERB_ALGO, "auth zone %s: soa probe "
6186 "serial is %u", buf, (unsigned)serial);
6188 /* see if this serial indicates that the zone has
6190 if(xfr_serial_means_update(xfr, serial)) {
6191 /* if updated, start the transfer task, if needed */
6192 verbose(VERB_ALGO, "auth_zone updated, start transfer");
6193 if(xfr->task_transfer->worker == NULL) {
6194 struct auth_master* master =
6195 xfr_probe_current_master(xfr);
6196 /* if we have download URLs use them
6197 * in preference to this master we
6198 * just probed the SOA from */
6199 if(xfr->task_transfer->masters &&
6200 xfr->task_transfer->masters->http)
6202 xfr_probe_disown(xfr);
6203 xfr_start_transfer(xfr, env, master);
6207 /* other tasks are running, we don't do this anymore */
6208 xfr_probe_disown(xfr);
6209 lock_basic_unlock(&xfr->lock);
6210 /* return, we don't sent a reply to this udp packet,
6211 * and we setup the tasks to do next */
6214 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial");
6215 /* we if cannot find updates amongst the
6216 * masters, this means we then have a new lease
6218 xfr->task_probe->have_new_lease = 1;
6221 if(verbosity >= VERB_ALGO) {
6223 dname_str(xfr->name, buf);
6224 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf);
6228 if(verbosity >= VERB_ALGO) {
6230 dname_str(xfr->name, buf);
6231 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf);
6235 /* failed lookup or not an update */
6236 /* delete commpoint so a new one is created, with a fresh port nr */
6237 comm_point_delete(xfr->task_probe->cp);
6238 xfr->task_probe->cp = NULL;
6240 /* if the result was not a successfull probe, we need
6241 * to send the next one */
6242 xfr_probe_nextmaster(xfr);
6243 xfr_probe_send_or_end(xfr, env);
6247 /** lookup a host name for its addresses, if needed */
6249 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
6251 struct sockaddr_storage addr;
6252 socklen_t addrlen = 0;
6253 struct auth_master* master = xfr->task_probe->lookup_target;
6254 struct query_info qinfo;
6255 uint16_t qflags = BIT_RD;
6256 uint8_t dname[LDNS_MAX_DOMAINLEN+1];
6257 struct edns_data edns;
6258 sldns_buffer* buf = env->scratch_buffer;
6259 if(!master) return 0;
6260 if(extstrtoaddr(master->host, &addr, &addrlen)) {
6261 /* not needed, host is in IP addr format */
6264 if(master->allow_notify && !master->http &&
6265 strchr(master->host, '/') != NULL &&
6266 strchr(master->host, '/') == strrchr(master->host, '/')) {
6267 return 0; /* is IP/prefix format, not something to look up */
6270 /* use mesh_new_callback to probe for non-addr hosts,
6271 * and then wait for them to be looked up (in cache, or query) */
6272 qinfo.qname_len = sizeof(dname);
6273 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
6275 log_err("cannot parse host name of master %s", master->host);
6278 qinfo.qname = dname;
6279 qinfo.qclass = xfr->dclass;
6280 qinfo.qtype = LDNS_RR_TYPE_A;
6281 if(xfr->task_probe->lookup_aaaa)
6282 qinfo.qtype = LDNS_RR_TYPE_AAAA;
6283 qinfo.local_alias = NULL;
6284 if(verbosity >= VERB_ALGO) {
6286 char buf2[LDNS_MAX_DOMAINLEN+1];
6287 dname_str(xfr->name, buf2);
6288 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
6289 " for task_probe", buf2);
6290 log_query_info(VERB_ALGO, buf1, &qinfo);
6292 edns.edns_present = 1;
6294 edns.edns_version = 0;
6295 edns.bits = EDNS_DO;
6296 edns.opt_list = NULL;
6297 if(sldns_buffer_capacity(buf) < 65535)
6298 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
6299 else edns.udp_size = 65535;
6301 /* unlock xfr during mesh_new_callback() because the callback can be
6302 * called straight away */
6303 lock_basic_unlock(&xfr->lock);
6304 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
6305 &auth_xfer_probe_lookup_callback, xfr)) {
6306 lock_basic_lock(&xfr->lock);
6307 log_err("out of memory lookup up master %s", master->host);
6310 lock_basic_lock(&xfr->lock);
6314 /** move to sending the probe packets, next if fails. task_probe */
6316 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
6318 /* are we doing hostname lookups? */
6319 while(xfr->task_probe->lookup_target) {
6320 if(xfr_probe_lookup_host(xfr, env)) {
6321 /* wait for lookup to finish,
6322 * note that the hostname may be in unbound's cache
6323 * and we may then get an instant cache response,
6324 * and that calls the callback just like a full
6325 * lookup and lookup failures also call callback */
6326 if(verbosity >= VERB_ALGO) {
6328 dname_str(xfr->name, zname);
6329 verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname);
6331 lock_basic_unlock(&xfr->lock);
6334 xfr_probe_move_to_next_lookup(xfr, env);
6336 /* probe of list has ended. Create or refresh the list of of
6337 * allow_notify addrs */
6338 probe_copy_masters_for_allow_notify(xfr);
6339 if(verbosity >= VERB_ALGO) {
6341 dname_str(xfr->name, zname);
6342 verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname);
6344 if(xfr->task_probe->only_lookup) {
6345 /* only wanted lookups for copy, stop probe and start wait */
6346 xfr->task_probe->only_lookup = 0;
6347 if(verbosity >= VERB_ALGO) {
6349 dname_str(xfr->name, zname);
6350 verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname);
6352 xfr_probe_disown(xfr);
6353 if(xfr->task_nextprobe->worker == NULL)
6354 xfr_set_timeout(xfr, env, 0, 0);
6355 lock_basic_unlock(&xfr->lock);
6359 /* send probe packets */
6360 while(!xfr_probe_end_of_list(xfr)) {
6361 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) {
6362 /* successfully sent probe, wait for callback */
6363 lock_basic_unlock(&xfr->lock);
6366 /* failed to send probe, next master */
6367 xfr_probe_nextmaster(xfr);
6370 /* done with probe sequence, wait */
6371 if(xfr->task_probe->have_new_lease) {
6372 /* if zone not updated, start the wait timer again */
6373 if(verbosity >= VERB_ALGO) {
6375 dname_str(xfr->name, zname);
6376 verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname);
6378 xfr_probe_disown(xfr);
6380 xfr->lease_time = *env->now;
6381 if(xfr->task_nextprobe->worker == NULL)
6382 xfr_set_timeout(xfr, env, 0, 0);
6384 if(verbosity >= VERB_ALGO) {
6386 dname_str(xfr->name, zname);
6387 verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname);
6389 /* we failed to send this as well, move to the wait task,
6390 * use the shorter retry timeout */
6391 xfr_probe_disown(xfr);
6392 /* pick up the nextprobe task and wait */
6393 if(xfr->task_nextprobe->worker == NULL)
6394 xfr_set_timeout(xfr, env, 1, 0);
6397 lock_basic_unlock(&xfr->lock);
6400 /** callback for task_probe lookup of host name, of A or AAAA */
6401 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
6402 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
6403 int ATTR_UNUSED(was_ratelimited))
6405 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6406 struct module_env* env;
6407 log_assert(xfr->task_probe);
6408 lock_basic_lock(&xfr->lock);
6409 env = xfr->task_probe->env;
6410 if(!env || env->outnet->want_to_quit) {
6411 lock_basic_unlock(&xfr->lock);
6412 return; /* stop on quit */
6415 /* process result */
6416 if(rcode == LDNS_RCODE_NOERROR) {
6417 uint16_t wanted_qtype = LDNS_RR_TYPE_A;
6418 struct regional* temp = env->scratch;
6419 struct query_info rq;
6420 struct reply_info* rep;
6421 if(xfr->task_probe->lookup_aaaa)
6422 wanted_qtype = LDNS_RR_TYPE_AAAA;
6423 memset(&rq, 0, sizeof(rq));
6424 rep = parse_reply_in_temp_region(buf, temp, &rq);
6425 if(rep && rq.qtype == wanted_qtype &&
6426 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
6427 /* parsed successfully */
6428 struct ub_packed_rrset_key* answer =
6429 reply_find_answer_rrset(&rq, rep);
6431 xfr_master_add_addrs(xfr->task_probe->
6432 lookup_target, answer, wanted_qtype);
6434 if(verbosity >= VERB_ALGO) {
6436 dname_str(xfr->name, zname);
6437 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6441 if(verbosity >= VERB_ALGO) {
6443 dname_str(xfr->name, zname);
6444 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6448 if(verbosity >= VERB_ALGO) {
6450 dname_str(xfr->name, zname);
6451 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6454 if(xfr->task_probe->lookup_target->list &&
6455 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr))
6456 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list;
6458 /* move to lookup AAAA after A lookup, move to next hostname lookup,
6459 * or move to send the probes, or, if nothing to do, end task_probe */
6460 xfr_probe_move_to_next_lookup(xfr, env);
6461 xfr_probe_send_or_end(xfr, env);
6464 /** disown task_nextprobe. caller must hold xfr.lock */
6466 xfr_nextprobe_disown(struct auth_xfer* xfr)
6468 /* delete the timer, because the next worker to pick this up may
6469 * not have the same event base */
6470 comm_timer_delete(xfr->task_nextprobe->timer);
6471 xfr->task_nextprobe->timer = NULL;
6472 xfr->task_nextprobe->next_probe = 0;
6473 /* we don't own this item anymore */
6474 xfr->task_nextprobe->worker = NULL;
6475 xfr->task_nextprobe->env = NULL;
6478 /** xfer nextprobe timeout callback, this is part of task_nextprobe */
6480 auth_xfer_timer(void* arg)
6482 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6483 struct module_env* env;
6484 log_assert(xfr->task_nextprobe);
6485 lock_basic_lock(&xfr->lock);
6486 env = xfr->task_nextprobe->env;
6487 if(!env || env->outnet->want_to_quit) {
6488 lock_basic_unlock(&xfr->lock);
6489 return; /* stop on quit */
6492 /* see if zone has expired, and if so, also set auth_zone expired */
6493 if(xfr->have_zone && !xfr->zone_expired &&
6494 *env->now >= xfr->lease_time + xfr->expiry) {
6495 lock_basic_unlock(&xfr->lock);
6496 auth_xfer_set_expired(xfr, env, 1);
6497 lock_basic_lock(&xfr->lock);
6500 xfr_nextprobe_disown(xfr);
6502 if(!xfr_start_probe(xfr, env, NULL)) {
6503 /* not started because already in progress */
6504 lock_basic_unlock(&xfr->lock);
6508 /** return true if there are probe (SOA UDP query) targets in the master list*/
6510 have_probe_targets(struct auth_master* list)
6512 struct auth_master* p;
6513 for(p=list; p; p = p->next) {
6514 if(!p->allow_notify && p->host)
6520 /** start task_probe if possible, if no masters for probe start task_transfer
6521 * returns true if task has been started, and false if the task is already
6524 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
6525 struct auth_master* spec)
6527 /* see if we need to start a probe (or maybe it is already in
6528 * progress (due to notify)) */
6529 if(xfr->task_probe->worker == NULL) {
6530 if(!have_probe_targets(xfr->task_probe->masters) &&
6531 !(xfr->task_probe->only_lookup &&
6532 xfr->task_probe->masters != NULL)) {
6533 /* useless to pick up task_probe, no masters to
6534 * probe. Instead attempt to pick up task transfer */
6535 if(xfr->task_transfer->worker == NULL) {
6536 xfr_start_transfer(xfr, env, spec);
6539 /* task transfer already in progress */
6543 /* pick up the probe task ourselves */
6544 xfr->task_probe->worker = env->worker;
6545 xfr->task_probe->env = env;
6546 xfr->task_probe->cp = NULL;
6548 /* start the task */
6549 /* have not seen a new lease yet, this scan */
6550 xfr->task_probe->have_new_lease = 0;
6551 /* if this was a timeout, no specific first master to scan */
6552 /* otherwise, spec is nonNULL the notified master, scan
6553 * first and also transfer first from it */
6554 xfr_probe_start_list(xfr, spec);
6555 /* setup to start the lookup of hostnames of masters afresh */
6556 xfr_probe_start_lookups(xfr);
6557 /* send the probe packet or next send, or end task */
6558 xfr_probe_send_or_end(xfr, env);
6564 /** for task_nextprobe.
6565 * determine next timeout for auth_xfer. Also (re)sets timer.
6566 * @param xfr: task structure
6567 * @param env: module environment, with worker and time.
6568 * @param failure: set true if timer should be set for failure retry.
6569 * @param lookup_only: only perform lookups when timer done, 0 sec timeout
6572 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
6573 int failure, int lookup_only)
6576 log_assert(xfr->task_nextprobe != NULL);
6577 log_assert(xfr->task_nextprobe->worker == NULL ||
6578 xfr->task_nextprobe->worker == env->worker);
6579 /* normally, nextprobe = startoflease + refresh,
6580 * but if expiry is sooner, use that one.
6581 * after a failure, use the retry timer instead. */
6582 xfr->task_nextprobe->next_probe = *env->now;
6583 if(xfr->lease_time && !failure)
6584 xfr->task_nextprobe->next_probe = xfr->lease_time;
6587 xfr->task_nextprobe->backoff = 0;
6589 if(xfr->task_nextprobe->backoff == 0)
6590 xfr->task_nextprobe->backoff = 3;
6591 else xfr->task_nextprobe->backoff *= 2;
6592 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF)
6593 xfr->task_nextprobe->backoff =
6594 AUTH_TRANSFER_MAX_BACKOFF;
6597 if(xfr->have_zone) {
6598 time_t wait = xfr->refresh;
6599 if(failure) wait = xfr->retry;
6600 if(xfr->expiry < wait)
6601 xfr->task_nextprobe->next_probe += xfr->expiry;
6602 else xfr->task_nextprobe->next_probe += wait;
6604 xfr->task_nextprobe->next_probe +=
6605 xfr->task_nextprobe->backoff;
6606 /* put the timer exactly on expiry, if possible */
6607 if(xfr->lease_time && xfr->lease_time+xfr->expiry <
6608 xfr->task_nextprobe->next_probe &&
6609 xfr->lease_time+xfr->expiry > *env->now)
6610 xfr->task_nextprobe->next_probe =
6611 xfr->lease_time+xfr->expiry;
6613 xfr->task_nextprobe->next_probe +=
6614 xfr->task_nextprobe->backoff;
6617 if(!xfr->task_nextprobe->timer) {
6618 xfr->task_nextprobe->timer = comm_timer_create(
6619 env->worker_base, auth_xfer_timer, xfr);
6620 if(!xfr->task_nextprobe->timer) {
6621 /* failed to malloc memory. likely zone transfer
6622 * also fails for that. skip the timeout */
6624 dname_str(xfr->name, zname);
6625 log_err("cannot allocate timer, no refresh for %s",
6630 xfr->task_nextprobe->worker = env->worker;
6631 xfr->task_nextprobe->env = env;
6632 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe)
6633 tv.tv_sec = xfr->task_nextprobe->next_probe -
6634 *(xfr->task_nextprobe->env->now);
6636 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) {
6637 /* don't lookup_only, if lookup timeout is 0 anyway,
6638 * or if we don't have masters to lookup */
6640 if(xfr->task_probe->worker == NULL)
6641 xfr->task_probe->only_lookup = 1;
6643 if(verbosity >= VERB_ALGO) {
6645 dname_str(xfr->name, zname);
6646 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds",
6647 zname, (int)tv.tv_sec);
6650 comm_timer_set(xfr->task_nextprobe->timer, &tv);
6653 /** initial pick up of worker timeouts, ties events to worker event loop */
6655 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env)
6657 struct auth_xfer* x;
6658 lock_rw_wrlock(&az->lock);
6659 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
6660 lock_basic_lock(&x->lock);
6661 /* set lease_time, because we now have timestamp in env,
6662 * (not earlier during startup and apply_cfg), and this
6663 * notes the start time when the data was acquired */
6665 x->lease_time = *env->now;
6666 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) {
6667 xfr_set_timeout(x, env, 0, 1);
6669 lock_basic_unlock(&x->lock);
6671 lock_rw_unlock(&az->lock);
6674 void auth_zones_cleanup(struct auth_zones* az)
6676 struct auth_xfer* x;
6677 lock_rw_wrlock(&az->lock);
6678 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
6679 lock_basic_lock(&x->lock);
6680 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) {
6681 xfr_nextprobe_disown(x);
6683 if(x->task_probe && x->task_probe->worker != NULL) {
6684 xfr_probe_disown(x);
6686 if(x->task_transfer && x->task_transfer->worker != NULL) {
6687 auth_chunks_delete(x->task_transfer);
6688 xfr_transfer_disown(x);
6690 lock_basic_unlock(&x->lock);
6692 lock_rw_unlock(&az->lock);
6696 * malloc the xfer and tasks
6697 * @param z: auth_zone with name of zone.
6699 static struct auth_xfer*
6700 auth_xfer_new(struct auth_zone* z)
6702 struct auth_xfer* xfr;
6703 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr));
6704 if(!xfr) return NULL;
6705 xfr->name = memdup(z->name, z->namelen);
6710 xfr->node.key = xfr;
6711 xfr->namelen = z->namelen;
6712 xfr->namelabs = z->namelabs;
6713 xfr->dclass = z->dclass;
6715 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1,
6716 sizeof(struct auth_nextprobe));
6717 if(!xfr->task_nextprobe) {
6722 xfr->task_probe = (struct auth_probe*)calloc(1,
6723 sizeof(struct auth_probe));
6724 if(!xfr->task_probe) {
6725 free(xfr->task_nextprobe);
6730 xfr->task_transfer = (struct auth_transfer*)calloc(1,
6731 sizeof(struct auth_transfer));
6732 if(!xfr->task_transfer) {
6733 free(xfr->task_probe);
6734 free(xfr->task_nextprobe);
6740 lock_basic_init(&xfr->lock);
6741 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name));
6742 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen));
6743 lock_protect(&xfr->lock, xfr->name, xfr->namelen);
6744 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs));
6745 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass));
6746 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received));
6747 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial));
6748 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired));
6749 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone));
6750 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial));
6751 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry));
6752 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh));
6753 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry));
6754 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time));
6755 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker,
6756 sizeof(xfr->task_nextprobe->worker));
6757 lock_protect(&xfr->lock, &xfr->task_probe->worker,
6758 sizeof(xfr->task_probe->worker));
6759 lock_protect(&xfr->lock, &xfr->task_transfer->worker,
6760 sizeof(xfr->task_transfer->worker));
6761 lock_basic_lock(&xfr->lock);
6765 /** Create auth_xfer structure.
6766 * This populates the have_zone, soa values, and so on times.
6767 * and sets the timeout, if a zone transfer is needed a short timeout is set.
6768 * For that the auth_zone itself must exist (and read in zonefile)
6769 * returns false on alloc failure. */
6771 auth_xfer_create(struct auth_zones* az, struct auth_zone* z)
6773 struct auth_xfer* xfr;
6776 xfr = auth_xfer_new(z);
6778 log_err("malloc failure");
6781 /* insert in tree */
6782 (void)rbtree_insert(&az->xtree, &xfr->node);
6786 /** create new auth_master structure */
6787 static struct auth_master*
6788 auth_master_new(struct auth_master*** list)
6790 struct auth_master *m;
6791 m = (struct auth_master*)calloc(1, sizeof(*m));
6793 log_err("malloc failure");
6796 /* set first pointer to m, or next pointer of previous element to m */
6798 /* store m's next pointer as future point to store at */
6799 (*list) = &(m->next);
6803 /** dup_prefix : create string from initial part of other string, malloced */
6805 dup_prefix(char* str, size_t num)
6808 size_t len = strlen(str);
6809 if(len < num) num = len; /* not more than strlen */
6810 result = (char*)malloc(num+1);
6812 log_err("malloc failure");
6815 memmove(result, str, num);
6820 /** dup string and print error on error */
6824 char* result = strdup(str);
6826 log_err("malloc failure");
6832 /** find first of two characters */
6834 str_find_first_of_chars(char* s, char a, char b)
6836 char* ra = strchr(s, a);
6837 char* rb = strchr(s, b);
6840 if(ra < rb) return ra;
6844 /** parse URL into host and file parts, false on malloc or parse error */
6846 parse_url(char* url, char** host, char** file, int* port, int* ssl)
6849 /* parse http://www.example.com/file.htm
6850 * or http://127.0.0.1 (index.html)
6851 * or https://[::1@1234]/a/b/c/d */
6853 *port = AUTH_HTTPS_PORT;
6855 /* parse http:// or https:// */
6856 if(strncmp(p, "http://", 7) == 0) {
6859 *port = AUTH_HTTP_PORT;
6860 } else if(strncmp(p, "https://", 8) == 0) {
6862 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") &&
6863 strchr(p, ':') >= strstr(p, "://")) {
6864 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p));
6865 log_err("protocol %s:// not supported (for url %s)",
6871 /* parse hostname part */
6873 char* end = strchr(p, ']');
6874 p++; /* skip over [ */
6876 *host = dup_prefix(p, (size_t)(end-p));
6877 if(!*host) return 0;
6878 p = end+1; /* skip over ] */
6881 if(!*host) return 0;
6885 char* end = str_find_first_of_chars(p, ':', '/');
6887 *host = dup_prefix(p, (size_t)(end-p));
6888 if(!*host) return 0;
6891 if(!*host) return 0;
6893 p = end; /* at next : or / or NULL */
6896 /* parse port number */
6897 if(p && p[0] == ':') {
6899 *port = strtol(p+1, &end, 10);
6903 /* parse filename part */
6904 while(p && *p == '/')
6907 *file = strdup("index.html");
6908 else *file = strdup(p);
6910 log_err("malloc failure");
6917 xfer_set_masters(struct auth_master** list, struct config_auth* c,
6920 struct auth_master* m;
6921 struct config_strlist* p;
6922 /* list points to the first, or next pointer for the new element */
6924 list = &( (*list)->next );
6927 for(p = c->urls; p; p = p->next) {
6928 m = auth_master_new(&list);
6930 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
6933 for(p = c->masters; p; p = p->next) {
6934 m = auth_master_new(&list);
6935 m->ixfr = 1; /* this flag is not configurable */
6936 m->host = strdup(p->str);
6938 log_err("malloc failure");
6942 for(p = c->allow_notify; p; p = p->next) {
6943 m = auth_master_new(&list);
6944 m->allow_notify = 1;
6945 m->host = strdup(p->str);
6947 log_err("malloc failure");
6954 #define SERIAL_BITS 32
6956 compare_serial(uint32_t a, uint32_t b)
6958 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1));
6962 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) {