2 * services/authzone.c - authoritative zone that is locally hosted.
4 * Copyright (c) 2017, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains the functions for an authority zone. This zone
40 * is queried by the iterator, just like a stub or forward zone, but then
41 * the data is locally held.
45 #include "services/authzone.h"
46 #include "util/data/dname.h"
47 #include "util/data/msgparse.h"
48 #include "util/data/msgreply.h"
49 #include "util/data/msgencode.h"
50 #include "util/data/packed_rrset.h"
51 #include "util/regional.h"
52 #include "util/net_help.h"
53 #include "util/netevent.h"
54 #include "util/config_file.h"
56 #include "util/module.h"
57 #include "util/random.h"
58 #include "services/cache/dns.h"
59 #include "services/outside_network.h"
60 #include "services/listen_dnsport.h"
61 #include "services/mesh.h"
62 #include "sldns/rrdef.h"
63 #include "sldns/pkthdr.h"
64 #include "sldns/sbuffer.h"
65 #include "sldns/str2wire.h"
66 #include "sldns/wire2str.h"
67 #include "sldns/parseutil.h"
68 #include "sldns/keyraw.h"
69 #include "validator/val_nsec3.h"
70 #include "validator/val_secalgo.h"
73 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */
74 #define N3HASHBUFLEN 32
75 /** max number of CNAMEs we are willing to follow (in one answer) */
76 #define MAX_CNAME_CHAIN 8
77 /** timeout for probe packets for SOA */
78 #define AUTH_PROBE_TIMEOUT 100 /* msec */
79 /** when to stop with SOA probes (when exponential timeouts exceed this) */
80 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */
81 /* auth transfer timeout for TCP connections, in msec */
82 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */
83 /* auth transfer max backoff for failed tranfers and probes */
84 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */
85 /* auth http port number */
86 #define AUTH_HTTP_PORT 80
87 /* auth https port number */
88 #define AUTH_HTTPS_PORT 443
89 /* max depth for nested $INCLUDEs */
90 #define MAX_INCLUDE_DEPTH 10
91 /** number of timeouts before we fallback from IXFR to AXFR,
92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */
93 #define NUM_TIMEOUTS_FALLBACK_IXFR 3
95 /** pick up nextprobe task to start waiting to perform transfer actions */
96 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
97 int failure, int lookup_only);
98 /** move to sending the probe packets, next if fails. task_probe */
99 static void xfr_probe_send_or_end(struct auth_xfer* xfr,
100 struct module_env* env);
101 /** pick up probe task with specified(or NULL) destination first,
102 * or transfer task if nothing to probe, or false if already in progress */
103 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
104 struct auth_master* spec);
105 /** delete xfer structure (not its tree entry) */
106 void auth_xfer_delete(struct auth_xfer* xfr);
108 /** create new dns_msg */
109 static struct dns_msg*
110 msg_create(struct regional* region, struct query_info* qinfo)
112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region,
113 sizeof(struct dns_msg));
116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname,
118 if(!msg->qinfo.qname)
120 msg->qinfo.qname_len = qinfo->qname_len;
121 msg->qinfo.qtype = qinfo->qtype;
122 msg->qinfo.qclass = qinfo->qclass;
123 msg->qinfo.local_alias = NULL;
124 /* non-packed reply_info, because it needs to grow the array */
125 msg->rep = (struct reply_info*)regional_alloc_zero(region,
126 sizeof(struct reply_info)-sizeof(struct rrset_ref));
129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA);
130 msg->rep->authoritative = 1;
131 msg->rep->qdcount = 1;
132 /* rrsets is NULL, no rrsets yet */
136 /** grow rrset array by one in msg */
138 msg_grow_array(struct regional* region, struct dns_msg* msg)
140 if(msg->rep->rrsets == NULL) {
141 msg->rep->rrsets = regional_alloc_zero(region,
142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
143 if(!msg->rep->rrsets)
146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets;
147 msg->rep->rrsets = regional_alloc_zero(region,
148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
149 if(!msg->rep->rrsets)
151 memmove(msg->rep->rrsets, rrsets_old,
152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count);
157 /** get ttl of rrset */
159 get_rrset_ttl(struct ub_packed_rrset_key* k)
161 struct packed_rrset_data* d = (struct packed_rrset_data*)
166 /** Copy rrset into region from domain-datanode and packet rrset */
167 static struct ub_packed_rrset_key*
168 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node,
169 struct auth_rrset* rrset, struct regional* region, time_t adjust)
171 struct ub_packed_rrset_key key;
172 memset(&key, 0, sizeof(key));
173 key.entry.key = &key;
174 key.entry.data = rrset->data;
175 key.rk.dname = node->name;
176 key.rk.dname_len = node->namelen;
177 key.rk.type = htons(rrset->type);
178 key.rk.rrset_class = htons(z->dclass);
179 key.entry.hash = rrset_key_hash(&key.rk);
180 return packed_rrset_copy_region(&key, region, adjust);
183 /** fix up msg->rep TTL and prefetch ttl */
185 msg_ttl(struct dns_msg* msg)
187 if(msg->rep->rrset_count == 0) return;
188 if(msg->rep->rrset_count == 1) {
189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
195 msg->rep->rrset_count-1]);
196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
201 /** see if rrset is a duplicate in the answer message */
203 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen,
204 uint16_t type, uint16_t dclass)
207 for(i=0; i<msg->rep->rrset_count; i++) {
208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen &&
210 ntohs(k->rk.rrset_class) == dclass &&
211 query_dname_compare(k->rk.dname, nm) == 0)
217 /** add rrset to answer section (no auth, add rrsets yet) */
219 msg_add_rrset_an(struct auth_zone* z, struct regional* region,
220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
222 log_assert(msg->rep->ns_numrrsets == 0);
223 log_assert(msg->rep->ar_numrrsets == 0);
226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
230 if(!msg_grow_array(region, msg))
233 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
234 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
236 msg->rep->rrset_count++;
237 msg->rep->an_numrrsets++;
242 /** add rrset to authority section (no additonal section rrsets yet) */
244 msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
247 log_assert(msg->rep->ar_numrrsets == 0);
250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
254 if(!msg_grow_array(region, msg))
257 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
258 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
260 msg->rep->rrset_count++;
261 msg->rep->ns_numrrsets++;
266 /** add rrset to additional section */
268 msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
277 if(!msg_grow_array(region, msg))
280 if(!(msg->rep->rrsets[msg->rep->rrset_count] =
281 auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
283 msg->rep->rrset_count++;
284 msg->rep->ar_numrrsets++;
289 struct auth_zones* auth_zones_create(void)
291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az));
293 log_err("out of memory");
296 rbtree_init(&az->ztree, &auth_zone_cmp);
297 rbtree_init(&az->xtree, &auth_xfer_cmp);
298 lock_rw_init(&az->lock);
299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree));
300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree));
301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */
305 int auth_zone_cmp(const void* z1, const void* z2)
307 /* first sort on class, so that hierarchy can be maintained within
309 struct auth_zone* a = (struct auth_zone*)z1;
310 struct auth_zone* b = (struct auth_zone*)z2;
312 if(a->dclass != b->dclass) {
313 if(a->dclass < b->dclass)
317 /* sorted such that higher zones sort before lower zones (their
319 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
322 int auth_data_cmp(const void* z1, const void* z2)
324 struct auth_data* a = (struct auth_data*)z1;
325 struct auth_data* b = (struct auth_data*)z2;
327 /* canonical sort, because DNSSEC needs that */
328 return dname_canon_lab_cmp(a->name, a->namelabs, b->name,
332 int auth_xfer_cmp(const void* z1, const void* z2)
334 /* first sort on class, so that hierarchy can be maintained within
336 struct auth_xfer* a = (struct auth_xfer*)z1;
337 struct auth_xfer* b = (struct auth_xfer*)z2;
339 if(a->dclass != b->dclass) {
340 if(a->dclass < b->dclass)
344 /* sorted such that higher zones sort before lower zones (their
346 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
349 /** delete auth rrset node */
351 auth_rrset_delete(struct auth_rrset* rrset)
358 /** delete auth data domain node */
360 auth_data_delete(struct auth_data* n)
362 struct auth_rrset* p, *np;
367 auth_rrset_delete(p);
374 /** helper traverse to delete zones */
376 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg))
378 struct auth_data* z = (struct auth_data*)n->key;
382 /** delete an auth zone structure (tree remove must be done elsewhere) */
384 auth_zone_delete(struct auth_zone* z)
387 lock_rw_destroy(&z->lock);
388 traverse_postorder(&z->data, auth_data_del, NULL);
395 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
398 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z));
405 z->namelabs = dname_count_labels(nm);
406 z->name = memdup(nm, nmlen);
411 rbtree_init(&z->data, &auth_data_cmp);
412 lock_rw_init(&z->lock);
413 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type));
414 lock_rw_wrlock(&z->lock);
415 /* z lock protects all, except rbtree itself, which is az->lock */
416 if(!rbtree_insert(&az->ztree, &z->node)) {
417 lock_rw_unlock(&z->lock);
419 log_warn("duplicate auth zone");
426 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
429 struct auth_zone key;
434 key.namelabs = dname_count_labels(nm);
435 return (struct auth_zone*)rbtree_search(&az->ztree, &key);
439 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
442 struct auth_xfer key;
447 key.namelabs = dname_count_labels(nm);
448 return (struct auth_xfer*)rbtree_search(&az->xtree, &key);
451 /** find an auth zone or sorted less-or-equal, return true if exact */
453 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen,
454 uint16_t dclass, struct auth_zone** z)
456 struct auth_zone key;
461 key.namelabs = dname_count_labels(nm);
462 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z);
466 /** find the auth zone that is above the given name */
468 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len,
472 size_t nmlen = name_len;
474 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) {
478 /* less-or-nothing */
479 if(!z) return NULL; /* nothing smaller, nothing above it */
480 /* we found smaller name; smaller may be above the name,
481 * but not below it. */
482 nm = dname_get_shared_topdomain(z->name, name);
483 dname_count_size_labels(nm, &nmlen);
489 z = auth_zone_find(az, nm, nmlen, dclass);
491 if(dname_is_root(nm)) break;
492 dname_remove_label(&nm, &nmlen);
497 /** find or create zone with name str. caller must have lock on az.
498 * returns a wrlocked zone */
499 static struct auth_zone*
500 auth_zones_find_or_add_zone(struct auth_zones* az, char* name)
502 uint8_t nm[LDNS_MAX_DOMAINLEN+1];
503 size_t nmlen = sizeof(nm);
506 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) {
507 log_err("cannot parse auth zone name: %s", name);
510 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
512 /* not found, create the zone */
513 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
515 lock_rw_wrlock(&z->lock);
520 /** find or create xfer zone with name str. caller must have lock on az.
521 * returns a locked xfer */
522 static struct auth_xfer*
523 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z)
526 x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
528 /* not found, create the zone */
529 x = auth_xfer_create(az, z);
531 lock_basic_lock(&x->lock);
537 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile)
539 if(z->zonefile) free(z->zonefile);
540 if(zonefile == NULL) {
543 z->zonefile = strdup(zonefile);
545 log_err("malloc failure");
552 /** set auth zone fallback. caller must have lock on zone */
554 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr)
556 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){
557 log_err("auth zone fallback, expected yes or no, got %s",
561 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0);
565 /** create domain with the given name */
566 static struct auth_data*
567 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen)
569 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n));
571 memset(n, 0, sizeof(*n));
573 n->name = memdup(nm, nmlen);
579 n->namelabs = dname_count_labels(nm);
580 if(!rbtree_insert(&z->data, &n->node)) {
581 log_warn("duplicate auth domain name");
589 /** find domain with exactly the given name */
590 static struct auth_data*
591 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen)
593 struct auth_zone key;
597 key.namelabs = dname_count_labels(nm);
598 return (struct auth_data*)rbtree_search(&z->data, &key);
601 /** Find domain name (or closest match) */
603 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact,
604 struct auth_data** node)
606 struct auth_zone key;
608 key.name = qinfo->qname;
609 key.namelen = qinfo->qname_len;
610 key.namelabs = dname_count_labels(key.name);
611 *node_exact = rbtree_find_less_equal(&z->data, &key,
612 (rbnode_type**)node);
615 /** find or create domain with name in zone */
616 static struct auth_data*
617 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname,
620 struct auth_data* n = az_find_name(z, dname, dname_len);
622 n = az_domain_create(z, dname, dname_len);
627 /** find rrset of given type in the domain */
628 static struct auth_rrset*
629 az_domain_rrset(struct auth_data* n, uint16_t t)
631 struct auth_rrset* rrset;
642 /** remove rrset of this type from domain */
644 domain_remove_rrset(struct auth_data* node, uint16_t rr_type)
646 struct auth_rrset* rrset, *prev;
649 rrset = node->rrsets;
651 if(rrset->type == rr_type) {
652 /* found it, now delete it */
653 if(prev) prev->next = rrset->next;
654 else node->rrsets = rrset->next;
655 auth_rrset_delete(rrset);
663 /** find an rr index in the rrset. returns true if found */
665 az_rrset_find_rr(struct packed_rrset_data* d, uint8_t* rdata, size_t len,
669 for(i=0; i<d->count; i++) {
670 if(d->rr_len[i] != len)
672 if(memcmp(d->rr_data[i], rdata, len) == 0) {
680 /** find an rrsig index in the rrset. returns true if found */
682 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len,
686 for(i=d->count; i<d->count + d->rrsig_count; i++) {
687 if(d->rr_len[i] != len)
689 if(memcmp(d->rr_data[i], rdata, len) == 0) {
697 /** see if rdata is duplicate */
699 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len)
702 for(i=0; i<d->count + d->rrsig_count; i++) {
703 if(d->rr_len[i] != len)
705 if(memcmp(d->rr_data[i], rdata, len) == 0)
711 /** get rrsig type covered from rdata.
712 * @param rdata: rdata in wireformat, starting with 16bit rdlength.
713 * @param rdatalen: length of rdata buffer.
714 * @return type covered (or 0).
717 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen)
721 return sldns_read_uint16(rdata+2);
724 /** remove RR from existing RRset. Also sig, if it is a signature.
725 * reallocates the packed rrset for a new one, false on alloc failure */
727 rrset_remove_rr(struct auth_rrset* rrset, size_t index)
729 struct packed_rrset_data* d, *old = rrset->data;
731 if(index >= old->count + old->rrsig_count)
732 return 0; /* index out of bounds */
733 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - (
734 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) +
735 old->rr_len[index]));
737 log_err("malloc failure");
741 d->count = old->count;
742 d->rrsig_count = old->rrsig_count;
743 if(index < d->count) d->count--;
744 else d->rrsig_count--;
745 d->trust = old->trust;
746 d->security = old->security;
748 /* set rr_len, needed for ptr_fixup */
749 d->rr_len = (size_t*)((uint8_t*)d +
750 sizeof(struct packed_rrset_data));
752 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t));
753 if(index+1 < old->count+old->rrsig_count)
754 memmove(&d->rr_len[index], &old->rr_len[index+1],
755 (old->count+old->rrsig_count - (index+1))*sizeof(size_t));
756 packed_rrset_ptr_fixup(d);
760 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t));
761 if(index+1 < old->count+old->rrsig_count)
762 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1],
763 (old->count+old->rrsig_count - (index+1))*sizeof(time_t));
765 /* move over rr_data */
766 for(i=0; i<d->count+d->rrsig_count; i++) {
768 if(i < index) oldi = i;
770 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]);
773 /* recalc ttl (lowest of remaining RR ttls) */
774 if(d->count + d->rrsig_count > 0)
775 d->ttl = d->rr_ttl[0];
776 for(i=0; i<d->count+d->rrsig_count; i++) {
777 if(d->rr_ttl[i] < d->ttl)
778 d->ttl = d->rr_ttl[i];
786 /** add RR to existing RRset. If insert_sig is true, add to rrsigs.
787 * This reallocates the packed rrset for a new one */
789 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
790 size_t rdatalen, int insert_sig)
792 struct packed_rrset_data* d, *old = rrset->data;
793 size_t total, old_total;
795 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
796 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)
799 log_err("out of memory");
802 /* copy base values */
803 memcpy(d, old, sizeof(struct packed_rrset_data));
809 old_total = old->count + old->rrsig_count;
810 total = d->count + d->rrsig_count;
811 /* set rr_len, needed for ptr_fixup */
812 d->rr_len = (size_t*)((uint8_t*)d +
813 sizeof(struct packed_rrset_data));
815 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t));
816 if(old->rrsig_count != 0)
817 memmove(d->rr_len+d->count, old->rr_len+old->count,
818 old->rrsig_count*sizeof(size_t));
820 d->rr_len[d->count-1] = rdatalen;
821 else d->rr_len[total-1] = rdatalen;
822 packed_rrset_ptr_fixup(d);
823 if((time_t)rr_ttl < d->ttl)
826 /* copy old values into new array */
827 if(old->count != 0) {
828 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t));
829 /* all the old rr pieces are allocated sequential, so we
830 * can copy them in one go */
831 memmove(d->rr_data[0], old->rr_data[0],
832 (old->rr_data[old->count-1] - old->rr_data[0]) +
833 old->rr_len[old->count-1]);
835 if(old->rrsig_count != 0) {
836 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count,
837 old->rrsig_count*sizeof(time_t));
838 memmove(d->rr_data[d->count], old->rr_data[old->count],
839 (old->rr_data[old_total-1] - old->rr_data[old->count]) +
840 old->rr_len[old_total-1]);
843 /* insert new value */
845 d->rr_ttl[d->count-1] = rr_ttl;
846 memmove(d->rr_data[d->count-1], rdata, rdatalen);
848 d->rr_ttl[total-1] = rr_ttl;
849 memmove(d->rr_data[total-1], rdata, rdatalen);
857 /** Create new rrset for node with packed rrset with one RR element */
858 static struct auth_rrset*
859 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
860 uint8_t* rdata, size_t rdatalen)
862 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1,
864 struct auth_rrset* p, *prev;
865 struct packed_rrset_data* d;
867 log_err("out of memory");
870 rrset->type = rr_type;
872 /* the rrset data structure, with one RR */
873 d = (struct packed_rrset_data*)calloc(1,
874 sizeof(struct packed_rrset_data) + sizeof(size_t) +
875 sizeof(uint8_t*) + sizeof(time_t) + rdatalen);
878 log_err("out of memory");
883 d->trust = rrset_trust_prim_noglue;
884 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data));
885 d->rr_data = (uint8_t**)&(d->rr_len[1]);
886 d->rr_ttl = (time_t*)&(d->rr_data[1]);
887 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]);
890 d->rr_len[0] = rdatalen;
891 d->rr_ttl[0] = rr_ttl;
892 memmove(d->rr_data[0], rdata, rdatalen);
895 /* insert rrset into linked list for domain */
896 /* find sorted place to link the rrset into the list */
899 while(p && p->type<=rr_type) {
903 /* so, prev is smaller, and p is larger than rr_type */
905 if(prev) prev->next = rrset;
906 else node->rrsets = rrset;
910 /** count number (and size) of rrsigs that cover a type */
912 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz)
914 struct packed_rrset_data* d = rrsig->data;
917 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG);
918 for(i=0; i<d->count+d->rrsig_count; i++) {
919 if(rrsig_rdata_get_type_covered(d->rr_data[i],
920 d->rr_len[i]) == rr_type) {
922 (*sigsz) += d->rr_len[i];
928 /** See if rrsig set has covered sigs for rrset and move them over */
930 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
931 struct auth_rrset* rrset, struct auth_rrset* rrsig)
933 size_t sigs, sigsz, i, j, total;
934 struct packed_rrset_data* sigold = rrsig->data;
935 struct packed_rrset_data* old = rrset->data;
936 struct packed_rrset_data* d, *sigd;
938 log_assert(rrset->type == rr_type);
939 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG);
940 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz);
942 /* 0 rrsigs to move over, done */
946 /* allocate rrset sigsz larger for extra sigs elements, and
947 * allocate rrsig sigsz smaller for less sigs elements. */
948 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
949 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
952 log_err("out of memory");
955 /* copy base values */
956 total = old->count + old->rrsig_count;
957 memcpy(d, old, sizeof(struct packed_rrset_data));
958 d->rrsig_count += sigs;
960 d->rr_len = (size_t*)((uint8_t*)d +
961 sizeof(struct packed_rrset_data));
963 memmove(d->rr_len, old->rr_len, total*sizeof(size_t));
964 j = d->count+d->rrsig_count-sigs;
965 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
966 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
967 sigold->rr_len[i]) == rr_type) {
968 d->rr_len[j] = sigold->rr_len[i];
972 packed_rrset_ptr_fixup(d);
974 /* copy old values into new array */
976 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t));
977 /* all the old rr pieces are allocated sequential, so we
978 * can copy them in one go */
979 memmove(d->rr_data[0], old->rr_data[0],
980 (old->rr_data[total-1] - old->rr_data[0]) +
981 old->rr_len[total-1]);
984 /* move over the rrsigs to the larger rrset*/
985 j = d->count+d->rrsig_count-sigs;
986 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
987 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
988 sigold->rr_len[i]) == rr_type) {
989 /* move this one over to location j */
990 d->rr_ttl[j] = sigold->rr_ttl[i];
991 memmove(d->rr_data[j], sigold->rr_data[i],
993 if(d->rr_ttl[j] < d->ttl)
994 d->ttl = d->rr_ttl[j];
999 /* put it in and deallocate the old rrset */
1003 /* now make rrsig set smaller */
1004 if(sigold->count+sigold->rrsig_count == sigs) {
1005 /* remove all sigs from rrsig, remove it entirely */
1006 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG);
1009 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) +
1010 sizeof(uint8_t*) + sizeof(time_t)) + sigsz);
1011 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold)
1012 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
1015 /* no need to free up d, it has already been placed in the
1016 * node->rrset structure */
1017 log_err("out of memory");
1020 /* copy base values */
1021 memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
1022 /* in sigd the RRSIGs are stored in the base of the RR, in count */
1023 sigd->count -= sigs;
1025 sigd->rr_len = (size_t*)((uint8_t*)sigd +
1026 sizeof(struct packed_rrset_data));
1028 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1029 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1030 sigold->rr_len[i]) != rr_type) {
1031 sigd->rr_len[j] = sigold->rr_len[i];
1035 packed_rrset_ptr_fixup(sigd);
1037 /* copy old values into new rrsig array */
1039 for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1040 if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1041 sigold->rr_len[i]) != rr_type) {
1042 /* move this one over to location j */
1043 sigd->rr_ttl[j] = sigold->rr_ttl[i];
1044 memmove(sigd->rr_data[j], sigold->rr_data[i],
1046 if(j==0) sigd->ttl = sigd->rr_ttl[j];
1048 if(sigd->rr_ttl[j] < sigd->ttl)
1049 sigd->ttl = sigd->rr_ttl[j];
1055 /* put it in and deallocate the old rrset */
1062 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset
1063 * is going to be deleted. reallocates the RRSIG rrset data. */
1065 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset,
1066 struct auth_rrset* rrsigset)
1069 if(rrset->data->rrsig_count == 0)
1072 /* move them over one by one, because there might be duplicates,
1073 * duplicates are ignored */
1074 for(i=rrset->data->count;
1075 i<rrset->data->count+rrset->data->rrsig_count; i++) {
1076 uint8_t* rdata = rrset->data->rr_data[i];
1077 size_t rdatalen = rrset->data->rr_len[i];
1078 time_t rr_ttl = rrset->data->rr_ttl[i];
1080 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) {
1083 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0))
1089 /** Add rr to node, ignores duplicate RRs,
1090 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1092 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
1093 uint8_t* rdata, size_t rdatalen, int* duplicate)
1095 struct auth_rrset* rrset;
1096 /* packed rrsets have their rrsigs along with them, sort them out */
1097 if(rr_type == LDNS_RR_TYPE_RRSIG) {
1098 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1099 if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1100 /* a node of the correct type exists, add the RRSIG
1101 * to the rrset of the covered data type */
1102 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1103 if(duplicate) *duplicate = 1;
1106 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1))
1108 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1109 /* add RRSIG to rrset of type RRSIG */
1110 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1111 if(duplicate) *duplicate = 1;
1114 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1117 /* create rrset of type RRSIG */
1118 if(!rrset_create(node, rr_type, rr_ttl, rdata,
1123 /* normal RR type */
1124 if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1125 /* add data to existing node with data type */
1126 if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1127 if(duplicate) *duplicate = 1;
1130 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1133 struct auth_rrset* rrsig;
1134 /* create new node with data type */
1135 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata,
1139 /* see if node of type RRSIG has signatures that
1140 * cover the data type, and move them over */
1141 /* and then make the RRSIG type smaller */
1142 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
1144 if(!rrset_moveover_rrsigs(node, rr_type,
1153 /** insert RR into zone, ignore duplicates */
1155 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1156 size_t dname_len, int* duplicate)
1158 struct auth_data* node;
1159 uint8_t* dname = rr;
1160 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1161 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1162 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len);
1163 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1165 /* rdata points to rdata prefixed with uint16 rdatalength */
1166 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1168 if(rr_class != z->dclass) {
1169 log_err("wrong class for RR");
1172 if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
1173 log_err("cannot create domain");
1176 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen,
1178 log_err("cannot add RR to domain");
1184 /** Remove rr from node, ignores nonexisting RRs,
1185 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1187 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type,
1188 uint8_t* rdata, size_t rdatalen, int* nonexist)
1190 struct auth_rrset* rrset;
1193 /* find the plain RR of the given type */
1194 if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1195 if(az_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) {
1196 if(rrset->data->count == 1 &&
1197 rrset->data->rrsig_count == 0) {
1198 /* last RR, delete the rrset */
1199 domain_remove_rrset(node, rr_type);
1200 } else if(rrset->data->count == 1 &&
1201 rrset->data->rrsig_count != 0) {
1202 /* move RRSIGs to the RRSIG rrset, or
1203 * this one becomes that RRset */
1204 struct auth_rrset* rrsigset = az_domain_rrset(
1205 node, LDNS_RR_TYPE_RRSIG);
1207 /* move left over rrsigs to the
1208 * existing rrset of type RRSIG */
1209 rrsigs_copy_from_rrset_to_rrsigset(
1211 /* and then delete the rrset */
1212 domain_remove_rrset(node, rr_type);
1214 /* no rrset of type RRSIG, this
1215 * set is now of that type,
1216 * just remove the rr */
1217 if(!rrset_remove_rr(rrset, index))
1219 rrset->type = LDNS_RR_TYPE_RRSIG;
1220 rrset->data->count = rrset->data->rrsig_count;
1221 rrset->data->rrsig_count = 0;
1224 /* remove the RR from the rrset */
1225 if(!rrset_remove_rr(rrset, index))
1230 /* rr not found in rrset */
1233 /* is it a type RRSIG, look under the covered type */
1234 if(rr_type == LDNS_RR_TYPE_RRSIG) {
1235 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1236 if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1237 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen,
1239 /* rrsig should have d->count > 0, be
1240 * over some rr of that type */
1241 /* remove the rrsig from the rrsigs list of the
1243 if(!rrset_remove_rr(rrset, index))
1248 /* also RRSIG not found */
1251 /* nothing found to delete */
1252 if(nonexist) *nonexist = 1;
1256 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/
1258 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1259 size_t dname_len, int* nonexist)
1261 struct auth_data* node;
1262 uint8_t* dname = rr;
1263 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1264 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1265 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1267 /* rdata points to rdata prefixed with uint16 rdatalength */
1268 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1270 if(rr_class != z->dclass) {
1271 log_err("wrong class for RR");
1272 /* really also a nonexisting entry, because no records
1273 * of that class in the zone, but return an error because
1274 * getting records of the wrong class is a failure of the
1278 node = az_find_name(z, dname, dname_len);
1280 /* node with that name does not exist */
1281 /* nonexisting entry, because no such name */
1285 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) {
1286 /* alloc failure or so */
1289 /* remove the node, if necessary */
1290 /* an rrsets==NULL entry is not kept around for empty nonterminals,
1291 * and also parent nodes are not kept around, so we just delete it */
1292 if(node->rrsets == NULL) {
1293 (void)rbtree_delete(&z->data, node);
1294 auth_data_delete(node);
1299 /** decompress an RR into the buffer where it'll be an uncompressed RR
1300 * with uncompressed dname and uncompressed rdata (dnames) */
1302 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt,
1303 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class,
1304 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen)
1306 sldns_buffer pktbuf;
1307 size_t dname_len = 0;
1311 const sldns_rr_descriptor* desc;
1312 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen);
1313 sldns_buffer_clear(buf);
1315 /* decompress dname */
1316 sldns_buffer_set_position(&pktbuf,
1317 (size_t)(dname - sldns_buffer_current(&pktbuf)));
1318 dname_len = pkt_dname_len(&pktbuf);
1319 if(dname_len == 0) return 0; /* parse fail on dname */
1320 if(!sldns_buffer_available(buf, dname_len)) return 0;
1321 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname);
1322 sldns_buffer_skip(buf, (ssize_t)dname_len);
1324 /* type, class, ttl and rdatalength fields */
1325 if(!sldns_buffer_available(buf, 10)) return 0;
1326 sldns_buffer_write_u16(buf, rr_type);
1327 sldns_buffer_write_u16(buf, rr_class);
1328 sldns_buffer_write_u32(buf, rr_ttl);
1329 rdlenpos = sldns_buffer_position(buf);
1330 sldns_buffer_write_u16(buf, 0); /* rd length position */
1332 /* decompress rdata */
1333 desc = sldns_rr_descript(rr_type);
1336 if(rdlen > 0 && desc && desc->_dname_count > 0) {
1337 int count = (int)desc->_dname_count;
1339 size_t len; /* how much rdata to plain copy */
1340 size_t uncompressed_len, compressed_len;
1342 /* decompress dnames. */
1343 while(rdlen > 0 && count) {
1344 switch(desc->_wireformat[rdf]) {
1345 case LDNS_RDF_TYPE_DNAME:
1346 sldns_buffer_set_position(&pktbuf,
1348 sldns_buffer_begin(&pktbuf)));
1349 oldpos = sldns_buffer_position(&pktbuf);
1350 /* moves pktbuf to right after the
1351 * compressed dname, and returns uncompressed
1353 uncompressed_len = pkt_dname_len(&pktbuf);
1354 if(!uncompressed_len)
1355 return 0; /* parse error in dname */
1356 if(!sldns_buffer_available(buf,
1358 /* dname too long for buffer */
1360 dname_pkt_copy(&pktbuf,
1361 sldns_buffer_current(buf), rd);
1362 sldns_buffer_skip(buf, (ssize_t)uncompressed_len);
1363 compressed_len = sldns_buffer_position(
1365 rd += compressed_len;
1366 rdlen -= compressed_len;
1370 case LDNS_RDF_TYPE_STR:
1374 len = get_rdf_size(desc->_wireformat[rdf]);
1378 if(!sldns_buffer_available(buf, len))
1379 return 0; /* too long for buffer */
1380 sldns_buffer_write(buf, rd, len);
1387 /* copy remaining data */
1389 if(!sldns_buffer_available(buf, rdlen)) return 0;
1390 sldns_buffer_write(buf, rd, rdlen);
1392 /* fixup rdlength */
1393 sldns_buffer_write_u16_at(buf, rdlenpos,
1394 sldns_buffer_position(buf)-rdlenpos-2);
1395 sldns_buffer_flip(buf);
1399 /** insert RR into zone, from packet, decompress RR,
1400 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */
1402 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1403 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1404 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1405 uint16_t rr_rdlen, int* duplicate)
1410 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1411 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1412 log_err("could not decompress RR");
1415 rr = sldns_buffer_begin(scratch_buffer);
1416 rr_len = sldns_buffer_limit(scratch_buffer);
1417 dname_len = dname_valid(rr, rr_len);
1418 return az_insert_rr(z, rr, rr_len, dname_len, duplicate);
1421 /** remove RR from zone, from packet, decompress RR,
1422 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/
1424 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1425 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1426 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1427 uint16_t rr_rdlen, int* nonexist)
1432 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1433 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1434 log_err("could not decompress RR");
1437 rr = sldns_buffer_begin(scratch_buffer);
1438 rr_len = sldns_buffer_limit(scratch_buffer);
1439 dname_len = dname_valid(rr, rr_len);
1440 return az_remove_rr(z, rr, rr_len, dname_len, nonexist);
1445 * @param z: zone to read in.
1446 * @param in: file to read from (just opened).
1447 * @param rr: buffer to use for RRs, 64k.
1448 * passed so that recursive includes can use the same buffer and do
1449 * not grow the stack too much.
1450 * @param rrbuflen: sizeof rr buffer.
1451 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on,
1452 * that is kept between includes.
1453 * The lineno is set at 1 and then increased by the function.
1454 * @param fname: file name.
1455 * @param depth: recursion depth for includes
1456 * @param cfg: config for chroot.
1457 * returns false on failure, has printed an error message
1460 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
1461 struct sldns_file_parse_state* state, char* fname, int depth,
1462 struct config_file* cfg)
1464 size_t rr_len, dname_len;
1471 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len,
1473 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) {
1474 /* we have $INCLUDE or $something */
1475 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 ||
1476 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) {
1478 int lineno_orig = state->lineno;
1479 char* incfile = (char*)rr + 8;
1480 if(depth > MAX_INCLUDE_DEPTH) {
1481 log_err("%s:%d max include depth"
1482 "exceeded", fname, state->lineno);
1486 while(*incfile == ' ' || *incfile == '\t')
1488 /* adjust for chroot on include file */
1489 if(cfg->chrootdir && cfg->chrootdir[0] &&
1490 strncmp(incfile, cfg->chrootdir,
1491 strlen(cfg->chrootdir)) == 0)
1492 incfile += strlen(cfg->chrootdir);
1493 incfile = strdup(incfile);
1495 log_err("malloc failure");
1498 verbose(VERB_ALGO, "opening $INCLUDE %s",
1500 inc = fopen(incfile, "r");
1502 log_err("%s:%d cannot open include "
1503 "file %s: %s", fname,
1504 lineno_orig, incfile,
1509 /* recurse read that file now */
1510 if(!az_parse_file(z, inc, rr, rrbuflen,
1511 state, incfile, depth+1, cfg)) {
1512 log_err("%s:%d cannot parse include "
1514 lineno_orig, incfile);
1520 verbose(VERB_ALGO, "done with $INCLUDE %s",
1523 state->lineno = lineno_orig;
1528 log_err("parse error %s %d:%d: %s", fname,
1529 state->lineno, LDNS_WIREPARSE_OFFSET(status),
1530 sldns_get_errorstr_parse(status));
1534 /* EMPTY line, TTL or ORIGIN */
1537 /* insert wirerr in rrbuf */
1538 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) {
1540 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr,
1541 rr_len, dname_len), buf, sizeof(buf));
1542 log_err("%s:%d cannot insert RR of type %s",
1543 fname, state->lineno, buf);
1551 auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg)
1553 uint8_t rr[LDNS_RR_BUF_SIZE];
1554 struct sldns_file_parse_state state;
1557 if(!z || !z->zonefile || z->zonefile[0]==0)
1558 return 1; /* no file, or "", nothing to read */
1560 zfilename = z->zonefile;
1561 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
1562 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1563 zfilename += strlen(cfg->chrootdir);
1564 if(verbosity >= VERB_ALGO) {
1566 dname_str(z->name, nm);
1567 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm);
1569 in = fopen(zfilename, "r");
1571 char* n = sldns_wire2str_dname(z->name, z->namelen);
1572 if(z->zone_is_slave && errno == ENOENT) {
1573 /* we fetch the zone contents later, no file yet */
1574 verbose(VERB_ALGO, "no zonefile %s for %s",
1575 zfilename, n?n:"error");
1579 log_err("cannot open zonefile %s for %s: %s",
1580 zfilename, n?n:"error", strerror(errno));
1585 /* clear the data tree */
1586 traverse_postorder(&z->data, auth_data_del, NULL);
1587 rbtree_init(&z->data, &auth_data_cmp);
1589 memset(&state, 0, sizeof(state));
1590 /* default TTL to 3600 */
1591 state.default_ttl = 3600;
1592 /* set $ORIGIN to the zone name */
1593 if(z->namelen <= sizeof(state.origin)) {
1594 memcpy(state.origin, z->name, z->namelen);
1595 state.origin_len = z->namelen;
1597 /* parse the (toplevel) file */
1598 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) {
1599 char* n = sldns_wire2str_dname(z->name, z->namelen);
1600 log_err("error parsing zonefile %s for %s",
1601 zfilename, n?n:"error");
1610 /** write buffer to file and check return codes */
1612 write_out(FILE* out, const char* str, size_t len)
1617 r = fwrite(str, 1, len, out);
1619 log_err("write failed: %s", strerror(errno));
1621 } else if(r < len) {
1622 log_err("write failed: too short (disk full?)");
1628 /** convert auth rr to string */
1630 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl,
1631 struct packed_rrset_data* data, size_t i, char* s, size_t buflen)
1634 size_t slen = buflen, datlen;
1636 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG;
1639 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0);
1640 w += sldns_str_print(&s, &slen, "\t");
1641 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]);
1642 w += sldns_wire2str_class_print(&s, &slen, cl);
1643 w += sldns_str_print(&s, &slen, "\t");
1644 w += sldns_wire2str_type_print(&s, &slen, tp);
1645 w += sldns_str_print(&s, &slen, "\t");
1646 datlen = data->rr_len[i]-2;
1647 dat = data->rr_data[i]+2;
1648 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0);
1650 if(tp == LDNS_RR_TYPE_DNSKEY) {
1651 w += sldns_str_print(&s, &slen, " ;{id = %u}",
1652 sldns_calc_keytag_raw(data->rr_data[i]+2,
1653 data->rr_len[i]-2));
1655 w += sldns_str_print(&s, &slen, "\n");
1657 if(w > (int)buflen) {
1658 log_nametypeclass(0, "RR too long to print", nm, tp, cl);
1664 /** write rrset to file */
1666 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node,
1667 struct auth_rrset* r, FILE* out)
1669 size_t i, count = r->data->count + r->data->rrsig_count;
1670 char buf[LDNS_RR_BUF_SIZE];
1671 for(i=0; i<count; i++) {
1672 if(!auth_rr_to_string(node->name, node->namelen, r->type,
1673 z->dclass, r->data, i, buf, sizeof(buf))) {
1674 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i);
1677 if(!write_out(out, buf, strlen(buf)))
1683 /** write domain to file */
1685 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out)
1687 struct auth_rrset* r;
1688 /* if this is zone apex, write SOA first */
1689 if(z->namelen == n->namelen) {
1690 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA);
1692 if(!auth_zone_write_rrset(z, n, soa, out))
1696 /* write all the RRsets for this domain */
1697 for(r = n->rrsets; r; r = r->next) {
1698 if(z->namelen == n->namelen &&
1699 r->type == LDNS_RR_TYPE_SOA)
1700 continue; /* skip SOA here */
1701 if(!auth_zone_write_rrset(z, n, r, out))
1707 int auth_zone_write_file(struct auth_zone* z, const char* fname)
1710 struct auth_data* n;
1711 out = fopen(fname, "w");
1713 log_err("could not open %s: %s", fname, strerror(errno));
1716 RBTREE_FOR(n, struct auth_data*, &z->data) {
1717 if(!auth_zone_write_domain(z, n, out)) {
1718 log_err("could not write domain to %s", fname);
1727 /** read all auth zones from file (if they have) */
1729 auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg)
1731 struct auth_zone* z;
1732 lock_rw_wrlock(&az->lock);
1733 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1734 lock_rw_wrlock(&z->lock);
1735 if(!auth_zone_read_zonefile(z, cfg)) {
1736 lock_rw_unlock(&z->lock);
1737 lock_rw_unlock(&az->lock);
1740 lock_rw_unlock(&z->lock);
1742 lock_rw_unlock(&az->lock);
1746 /** find serial number of zone or false if none */
1748 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
1750 struct auth_data* apex;
1751 struct auth_rrset* soa;
1752 struct packed_rrset_data* d;
1753 apex = az_find_name(z, z->name, z->namelen);
1755 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
1756 if(!soa || soa->data->count==0)
1757 return 0; /* no RRset or no RRs in rrset */
1758 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
1760 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
1764 /** Find auth_zone SOA and populate the values in xfr(soa values). */
1766 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr)
1768 struct auth_data* apex;
1769 struct auth_rrset* soa;
1770 struct packed_rrset_data* d;
1771 apex = az_find_name(z, z->name, z->namelen);
1773 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
1774 if(!soa || soa->data->count==0)
1775 return 0; /* no RRset or no RRs in rrset */
1776 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
1777 /* SOA record ends with serial, refresh, retry, expiry, minimum,
1778 * as 4 byte fields */
1781 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
1782 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16));
1783 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12));
1784 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8));
1785 /* soa minimum at d->rr_len[0]-4 */
1790 * Setup auth_xfer zone
1791 * This populates the have_zone, soa values, and so on times.
1792 * Doesn't do network traffic yet, can set option flags.
1793 * @param z: locked by caller, and modified for setup
1794 * @param x: locked by caller, and modified.
1795 * @return false on failure.
1798 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x)
1800 /* for a zone without zone transfers, x==NULL, so skip them,
1801 * i.e. the zone config is fixed with no masters or urls */
1802 if(!z || !x) return 1;
1803 if(!xfr_find_soa(z, x)) {
1806 /* nothing for probe, nextprobe and transfer tasks */
1812 * @param az: auth zones structure
1813 * @return false on failure.
1816 auth_zones_setup_zones(struct auth_zones* az)
1818 struct auth_zone* z;
1819 struct auth_xfer* x;
1820 lock_rw_wrlock(&az->lock);
1821 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1822 lock_rw_wrlock(&z->lock);
1823 x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
1825 lock_basic_lock(&x->lock);
1827 if(!auth_xfer_setup(z, x)) {
1829 lock_basic_unlock(&x->lock);
1831 lock_rw_unlock(&z->lock);
1832 lock_rw_unlock(&az->lock);
1836 lock_basic_unlock(&x->lock);
1838 lock_rw_unlock(&z->lock);
1840 lock_rw_unlock(&az->lock);
1844 /** set config items and create zones */
1846 auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
1848 struct auth_zone* z;
1849 struct auth_xfer* x = NULL;
1852 lock_rw_wrlock(&az->lock);
1853 if(!(z=auth_zones_find_or_add_zone(az, c->name))) {
1854 lock_rw_unlock(&az->lock);
1857 if(c->masters || c->urls) {
1858 if(!(x=auth_zones_find_or_add_xfer(az, z))) {
1859 lock_rw_unlock(&az->lock);
1860 lock_rw_unlock(&z->lock);
1864 if(c->for_downstream)
1865 az->have_downstream = 1;
1866 lock_rw_unlock(&az->lock);
1869 z->zone_deleted = 0;
1870 if(!auth_zone_set_zonefile(z, c->zonefile)) {
1872 lock_basic_unlock(&x->lock);
1874 lock_rw_unlock(&z->lock);
1877 z->for_downstream = c->for_downstream;
1878 z->for_upstream = c->for_upstream;
1879 z->fallback_enabled = c->fallback_enabled;
1883 z->zone_is_slave = 1;
1884 /* set options on xfer zone */
1885 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) {
1886 lock_basic_unlock(&x->lock);
1887 lock_rw_unlock(&z->lock);
1890 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) {
1891 lock_basic_unlock(&x->lock);
1892 lock_rw_unlock(&z->lock);
1895 lock_basic_unlock(&x->lock);
1898 lock_rw_unlock(&z->lock);
1902 /** set all auth zones deleted, then in auth_zones_cfg, it marks them
1903 * as nondeleted (if they are still in the config), and then later
1904 * we can find deleted zones */
1906 az_setall_deleted(struct auth_zones* az)
1908 struct auth_zone* z;
1909 lock_rw_wrlock(&az->lock);
1910 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1911 lock_rw_wrlock(&z->lock);
1912 z->zone_deleted = 1;
1913 lock_rw_unlock(&z->lock);
1915 lock_rw_unlock(&az->lock);
1918 /** find zones that are marked deleted and delete them.
1919 * This is called from apply_cfg, and there are no threads and no
1920 * workers, so the xfr can just be deleted. */
1922 az_delete_deleted_zones(struct auth_zones* az)
1924 struct auth_zone* z;
1925 struct auth_zone* delete_list = NULL, *next;
1926 struct auth_xfer* xfr;
1927 lock_rw_wrlock(&az->lock);
1928 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1929 lock_rw_wrlock(&z->lock);
1930 if(z->zone_deleted) {
1931 /* we cannot alter the rbtree right now, but
1932 * we can put it on a linked list and then
1934 z->delete_next = delete_list;
1937 lock_rw_unlock(&z->lock);
1939 /* now we are out of the tree loop and we can loop and delete
1943 next = z->delete_next;
1944 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass);
1946 (void)rbtree_delete(&az->xtree, &xfr->node);
1947 auth_xfer_delete(xfr);
1949 (void)rbtree_delete(&az->ztree, &z->node);
1950 auth_zone_delete(z);
1953 lock_rw_unlock(&az->lock);
1956 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
1959 struct config_auth* p;
1960 az_setall_deleted(az);
1961 for(p = cfg->auths; p; p = p->next) {
1962 if(!p->name || p->name[0] == 0) {
1963 log_warn("auth-zone without a name, skipped");
1966 if(!auth_zones_cfg(az, p)) {
1967 log_err("cannot config auth zone %s", p->name);
1971 az_delete_deleted_zones(az);
1972 if(!auth_zones_read_zones(az, cfg))
1975 if(!auth_zones_setup_zones(az))
1982 * @param at: transfer structure with chunks list. The chunks and their
1986 auth_chunks_delete(struct auth_transfer* at)
1988 if(at->chunks_first) {
1989 struct auth_chunk* c, *cn;
1990 c = at->chunks_first;
1998 at->chunks_first = NULL;
1999 at->chunks_last = NULL;
2002 /** free master addr list */
2004 auth_free_master_addrs(struct auth_addr* list)
2006 struct auth_addr *n;
2014 /** free the masters list */
2016 auth_free_masters(struct auth_master* list)
2018 struct auth_master* n;
2021 auth_free_master_addrs(list->list);
2029 /** delete auth xfer structure
2030 * @param xfr: delete this xfer and its tasks.
2033 auth_xfer_delete(struct auth_xfer* xfr)
2036 lock_basic_destroy(&xfr->lock);
2038 if(xfr->task_nextprobe) {
2039 comm_timer_delete(xfr->task_nextprobe->timer);
2040 free(xfr->task_nextprobe);
2042 if(xfr->task_probe) {
2043 auth_free_masters(xfr->task_probe->masters);
2044 comm_point_delete(xfr->task_probe->cp);
2045 free(xfr->task_probe);
2047 if(xfr->task_transfer) {
2048 auth_free_masters(xfr->task_transfer->masters);
2049 comm_point_delete(xfr->task_transfer->cp);
2050 if(xfr->task_transfer->chunks_first) {
2051 auth_chunks_delete(xfr->task_transfer);
2053 free(xfr->task_transfer);
2055 auth_free_masters(xfr->allow_notify_list);
2059 /** helper traverse to delete zones */
2061 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2063 struct auth_zone* z = (struct auth_zone*)n->key;
2064 auth_zone_delete(z);
2067 /** helper traverse to delete xfer zones */
2069 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2071 struct auth_xfer* z = (struct auth_xfer*)n->key;
2072 auth_xfer_delete(z);
2075 void auth_zones_delete(struct auth_zones* az)
2078 lock_rw_destroy(&az->lock);
2079 traverse_postorder(&az->ztree, auth_zone_del, NULL);
2080 traverse_postorder(&az->xtree, auth_xfer_del, NULL);
2084 /** true if domain has only nsec3 */
2086 domain_has_only_nsec3(struct auth_data* n)
2088 struct auth_rrset* rrset = n->rrsets;
2091 if(rrset->type == LDNS_RR_TYPE_NSEC3) {
2093 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) {
2096 rrset = rrset->next;
2101 /** see if the domain has a wildcard child '*.domain' */
2102 static struct auth_data*
2103 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen)
2105 uint8_t wc[LDNS_MAX_DOMAINLEN];
2106 if(nmlen+2 > sizeof(wc))
2107 return NULL; /* result would be too long */
2108 wc[0] = 1; /* length of wildcard label */
2109 wc[1] = (uint8_t)'*'; /* wildcard label */
2110 memmove(wc+2, nm, nmlen);
2111 return az_find_name(z, wc, nmlen+2);
2114 /** find wildcard between qname and cename */
2115 static struct auth_data*
2116 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
2117 struct auth_data* ce)
2119 uint8_t* nm = qinfo->qname;
2120 size_t nmlen = qinfo->qname_len;
2121 struct auth_data* node;
2122 if(!dname_subdomain_c(nm, z->name))
2123 return NULL; /* out of zone */
2124 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
2125 /* see if we can go up to find the wildcard */
2126 if(nmlen == z->namelen)
2127 return NULL; /* top of zone reached */
2128 if(ce && nmlen == ce->namelen)
2129 return NULL; /* ce reached */
2130 if(dname_is_root(nm))
2131 return NULL; /* cannot go up */
2132 dname_remove_label(&nm, &nmlen);
2137 /** domain is not exact, find first candidate ce (name that matches
2138 * a part of qname) in tree */
2139 static struct auth_data*
2140 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
2141 struct auth_data* n)
2146 nm = dname_get_shared_topdomain(qinfo->qname, n->name);
2150 dname_count_size_labels(nm, &nmlen);
2151 n = az_find_name(z, nm, nmlen);
2152 /* delete labels and go up on name */
2154 if(dname_is_root(nm))
2155 return NULL; /* cannot go up */
2156 dname_remove_label(&nm, &nmlen);
2157 n = az_find_name(z, nm, nmlen);
2162 /** go up the auth tree to next existing name. */
2163 static struct auth_data*
2164 az_domain_go_up(struct auth_zone* z, struct auth_data* n)
2166 uint8_t* nm = n->name;
2167 size_t nmlen = n->namelen;
2168 while(!dname_is_root(nm)) {
2169 dname_remove_label(&nm, &nmlen);
2170 if((n=az_find_name(z, nm, nmlen)) != NULL)
2176 /** Find the closest encloser, an name that exists and is above the
2178 * return true if the node (param node) is existing, nonobscured and
2179 * can be used to generate answers from. It is then also node_exact.
2180 * returns false if the node is not good enough (or it wasn't node_exact)
2181 * in this case the ce can be filled.
2182 * if ce is NULL, no ce exists, and likely the zone is completely empty,
2183 * not even with a zone apex.
2184 * if ce is nonNULL it is the closest enclosing upper name (that exists
2185 * itself for answer purposes). That name may have DNAME, NS or wildcard
2186 * rrset is the closest DNAME or NS rrset that was found.
2189 az_find_ce(struct auth_zone* z, struct query_info* qinfo,
2190 struct auth_data* node, int node_exact, struct auth_data** ce,
2191 struct auth_rrset** rrset)
2193 struct auth_data* n = node;
2197 /* if not exact, lookup closest exact match */
2198 n = az_find_candidate_ce(z, qinfo, n);
2200 /* if exact, the node itself is the first candidate ce */
2204 /* no direct answer from nsec3-only domains */
2205 if(n && domain_has_only_nsec3(n)) {
2210 /* with exact matches, walk up the labels until we find the
2211 * delegation, or DNAME or zone end */
2213 /* see if the current candidate has issues */
2214 /* not zone apex and has type NS */
2215 if(n->namelen != z->namelen &&
2216 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
2217 /* delegate here, but DS at exact the dp has notype */
2218 (qinfo->qtype != LDNS_RR_TYPE_DS ||
2219 n->namelen != qinfo->qname_len)) {
2221 /* this is ce and the lowernode is nonexisting */
2225 /* not equal to qname and has type DNAME */
2226 if(n->namelen != qinfo->qname_len &&
2227 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
2228 /* this is ce and the lowernode is nonexisting */
2233 if(*ce == NULL && !domain_has_only_nsec3(n)) {
2234 /* if not found yet, this exact name must be
2235 * our lowest match (but not nsec3onlydomain) */
2239 /* walk up the tree by removing labels from name and lookup */
2240 n = az_domain_go_up(z, n);
2242 /* found no problems, if it was an exact node, it is fine to use */
2246 /** add additional A/AAAA from domain names in rrset rdata (+offset)
2247 * offset is number of bytes in rdata where the dname is located. */
2249 az_add_additionals_from(struct auth_zone* z, struct regional* region,
2250 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset)
2252 struct packed_rrset_data* d = rrset->data;
2255 for(i=0; i<d->count; i++) {
2257 struct auth_data* domain;
2258 struct auth_rrset* ref;
2259 if(d->rr_len[i] < 2+offset)
2260 continue; /* too short */
2261 if(!(dlen = dname_valid(d->rr_data[i]+2+offset,
2262 d->rr_len[i]-2-offset)))
2263 continue; /* malformed */
2264 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen);
2267 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) {
2268 if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2271 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) {
2272 if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2279 /** add negative SOA record (with negative TTL) */
2281 az_add_negative_soa(struct auth_zone* z, struct regional* region,
2282 struct dns_msg* msg)
2285 struct packed_rrset_data* d;
2286 struct auth_rrset* soa;
2287 struct auth_data* apex = az_find_name(z, z->name, z->namelen);
2289 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
2291 /* must be first to put in message; we want to fix the TTL with
2292 * one RRset here, otherwise we'd need to loop over the RRs to get
2293 * the resulting lower TTL */
2294 log_assert(msg->rep->rrset_count == 0);
2295 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0;
2297 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data;
2298 /* last 4 bytes are minimum ttl in network format */
2299 if(d->count == 0) return 0;
2300 if(d->rr_len[0] < 2+4) return 0;
2301 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
2302 d->ttl = (time_t)minimum;
2303 d->rr_ttl[0] = (time_t)minimum;
2304 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
2305 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
2306 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
2310 /** See if the query goes to empty nonterminal (that has no auth_data,
2311 * but there are nodes underneath. We already checked that there are
2312 * not NS, or DNAME above, so that we only need to check if some node
2313 * exists below (with nonempty rr list), return true if emptynonterminal */
2315 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo,
2316 struct auth_data* node)
2318 struct auth_data* next;
2320 /* no smaller was found, use first (smallest) node as the
2322 next = (struct auth_data*)rbtree_first(&z->data);
2324 next = (struct auth_data*)rbtree_next(&node->node);
2326 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) {
2327 /* the next name has empty rrsets, is an empty nonterminal
2328 * itself, see if there exists something below it */
2329 next = (struct auth_data*)rbtree_next(&node->node);
2331 if((rbnode_type*)next == RBTREE_NULL || !next) {
2332 /* there is no next node, so something below it cannot
2336 /* a next node exists, if there was something below the query,
2337 * this node has to be it. See if it is below the query name */
2338 if(dname_strict_subdomain_c(next->name, qinfo->qname))
2343 /** create synth cname target name in buffer, or fail if too long */
2345 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len,
2346 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen)
2348 size_t newlen = qname_len + dtarglen - dname_len;
2349 if(newlen > buflen) {
2350 /* YXDOMAIN error */
2353 /* new name is concatenation of qname front (without DNAME owner)
2354 * and DNAME target name */
2355 memcpy(buf, qname, qname_len-dname_len);
2356 memmove(buf+(qname_len-dname_len), dtarg, dtarglen);
2360 /** create synthetic CNAME rrset for in a DNAME answer in region,
2361 * false on alloc failure, cname==NULL when name too long. */
2363 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
2364 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass,
2365 struct ub_packed_rrset_key** cname)
2367 uint8_t buf[LDNS_MAX_DOMAINLEN];
2369 size_t dtarglen, newlen;
2370 struct packed_rrset_data* d;
2372 /* get DNAME target name */
2373 if(dname->data->count < 1) return 0;
2374 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */
2375 dtarg = dname->data->rr_data[0]+2;
2376 dtarglen = dname->data->rr_len[0]-2;
2377 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen)
2378 return 0; /* rdatalen in DNAME rdata is malformed */
2379 if(dname_valid(dtarg, dtarglen) != dtarglen)
2380 return 0; /* DNAME RR has malformed rdata */
2382 /* synthesize a CNAME */
2383 newlen = synth_cname_buf(qname, qname_len, node->namelen,
2384 dtarg, dtarglen, buf, sizeof(buf));
2386 /* YXDOMAIN error */
2390 *cname = (struct ub_packed_rrset_key*)regional_alloc(region,
2391 sizeof(struct ub_packed_rrset_key));
2393 return 0; /* out of memory */
2394 memset(&(*cname)->entry, 0, sizeof((*cname)->entry));
2395 (*cname)->entry.key = (*cname);
2396 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME);
2397 (*cname)->rk.rrset_class = htons(dclass);
2398 (*cname)->rk.flags = 0;
2399 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len);
2400 if(!(*cname)->rk.dname)
2401 return 0; /* out of memory */
2402 (*cname)->rk.dname_len = qname_len;
2403 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk);
2404 d = (struct packed_rrset_data*)regional_alloc_zero(region,
2405 sizeof(struct packed_rrset_data) + sizeof(size_t) +
2406 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)
2409 return 0; /* out of memory */
2410 (*cname)->entry.data = d;
2411 d->ttl = 0; /* 0 for synthesized CNAME TTL */
2414 d->trust = rrset_trust_ans_noAA;
2415 d->rr_len = (size_t*)((uint8_t*)d +
2416 sizeof(struct packed_rrset_data));
2417 d->rr_len[0] = newlen + sizeof(uint16_t);
2418 packed_rrset_ptr_fixup(d);
2419 d->rr_ttl[0] = d->ttl;
2420 sldns_write_uint16(d->rr_data[0], newlen);
2421 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen);
2425 /** add a synthesized CNAME to the answer section */
2427 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len,
2428 struct regional* region, struct dns_msg* msg, struct auth_data* dname,
2429 struct auth_rrset* rrset)
2431 struct ub_packed_rrset_key* cname;
2432 /* synthesize a CNAME */
2433 if(!create_synth_cname(qname, qname_len, region, dname, rrset,
2434 z->dclass, &cname)) {
2439 /* cname cannot be create because of YXDOMAIN */
2440 msg->rep->flags |= LDNS_RCODE_YXDOMAIN;
2443 /* add cname to message */
2444 if(!msg_grow_array(region, msg))
2446 msg->rep->rrsets[msg->rep->rrset_count] = cname;
2447 msg->rep->rrset_count++;
2448 msg->rep->an_numrrsets++;
2453 /** Change a dname to a different one, for wildcard namechange */
2455 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
2456 size_t newlen, int an_only)
2459 size_t start = 0, end = msg->rep->rrset_count;
2460 if(!an_only) start = msg->rep->an_numrrsets;
2461 if(an_only) end = msg->rep->an_numrrsets;
2462 for(i=start; i<end; i++) {
2463 /* allocated in region so we can change the ptrs */
2464 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname)
2466 msg->rep->rrsets[i]->rk.dname = newname;
2467 msg->rep->rrsets[i]->rk.dname_len = newlen;
2472 /** find NSEC record covering the query */
2473 static struct auth_rrset*
2474 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
2476 uint8_t* nm = (*node)->name;
2477 size_t nmlen = (*node)->namelen;
2478 struct auth_rrset* rrset;
2479 /* find the NSEC for the smallest-or-equal node */
2480 /* if node == NULL, we did not find a smaller name. But the zone
2481 * name is the smallest name and should have an NSEC. So there is
2482 * no NSEC to return (for a properly signed zone) */
2483 /* for empty nonterminals, the auth-data node should not exist,
2484 * and thus we don't need to go rbtree_previous here to find
2485 * a domain with an NSEC record */
2486 /* but there could be glue, and if this is node, then it has no NSEC.
2487 * Go up to find nonglue (previous) NSEC-holding nodes */
2488 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
2489 if(dname_is_root(nm)) return NULL;
2490 if(nmlen == z->namelen) return NULL;
2491 dname_remove_label(&nm, &nmlen);
2492 /* adjust *node for the nsec rrset to find in */
2493 *node = az_find_name(z, nm, nmlen);
2498 /** Find NSEC and add for wildcard denial */
2500 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region,
2501 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen)
2503 struct query_info qinfo;
2505 struct auth_data* node;
2506 struct auth_rrset* nsec;
2507 uint8_t wc[LDNS_MAX_DOMAINLEN];
2508 if(cenmlen+2 > sizeof(wc))
2509 return 0; /* result would be too long */
2510 wc[0] = 1; /* length of wildcard label */
2511 wc[1] = (uint8_t)'*'; /* wildcard label */
2512 memmove(wc+2, cenm, cenmlen);
2514 /* we have '*.ce' in wc wildcard name buffer */
2515 /* get nsec cover for that */
2517 qinfo.qname_len = cenmlen+2;
2520 az_find_domain(z, &qinfo, &node_exact, &node);
2521 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
2522 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
2527 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */
2529 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt,
2532 struct auth_data* apex;
2533 struct auth_rrset* param;
2535 apex = az_find_name(z, z->name, z->namelen);
2537 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM);
2538 if(!param || param->data->count==0)
2539 return 0; /* no RRset or no RRs in rrset */
2540 /* find out which NSEC3PARAM RR has supported parameters */
2541 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */
2542 for(i=0; i<param->data->count; i++) {
2543 uint8_t* rdata = param->data->rr_data[i]+2;
2544 size_t rdatalen = param->data->rr_len[i];
2546 continue; /* too short */
2547 if(!nsec3_hash_algo_size_supported((int)(rdata[0])))
2548 continue; /* unsupported algo */
2549 if(rdatalen < (size_t)(2+5+(size_t)rdata[4]))
2550 continue; /* salt missing */
2551 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0)
2552 continue; /* unknown flags */
2553 *algo = (int)(rdata[0]);
2554 *iter = sldns_read_uint16(rdata+2);
2555 *saltlen = rdata[4];
2558 else *salt = rdata+5;
2561 /* no supported params */
2565 /** Hash a name with nsec3param into buffer, it has zone name appended.
2566 * return length of hash */
2568 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen,
2569 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2571 size_t hlen = nsec3_hash_algo_size_supported(algo);
2572 /* buffer has domain name, nsec3hash, and 256 is for max saltlen
2573 * (salt has 0-255 length) */
2574 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256];
2576 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p))
2579 return 0; /* somehow too large for destination buffer */
2580 /* hashfunc(name, salt) */
2581 memmove(p, nm, nmlen);
2582 query_dname_tolower(p);
2583 memmove(p+nmlen, salt, saltlen);
2584 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf);
2585 for(i=0; i<iter; i++) {
2586 /* hashfunc(hash, salt) */
2587 memmove(p, buf, hlen);
2588 memmove(p+hlen, salt, saltlen);
2589 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen,
2590 (unsigned char*)buf);
2595 /** Hash name and return b32encoded hashname for lookup, zone name appended */
2597 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen,
2598 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt,
2601 uint8_t hash[N3HASHBUFLEN];
2604 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter,
2608 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */
2610 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1),
2614 hashname[0] = (uint8_t)ret;
2616 if((*hashnmlen) - ret < z->namelen)
2618 memmove(hashname+ret, z->name, z->namelen);
2619 *hashnmlen = z->namelen+(size_t)ret;
2623 /** Find the datanode that covers the nsec3hash-name */
2624 static struct auth_data*
2625 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen)
2627 struct query_info qinfo;
2628 struct auth_data* node;
2632 qinfo.qname = hashnm;
2633 qinfo.qname_len = hashnmlen;
2634 /* because canonical ordering and b32 nsec3 ordering are the same.
2635 * this is a good lookup to find the nsec3 name. */
2636 az_find_domain(z, &qinfo, &node_exact, &node);
2637 /* but we may have to skip non-nsec3 nodes */
2638 /* this may be a lot, the way to speed that up is to have a
2639 * separate nsec3 tree with nsec3 nodes */
2640 while(node && (rbnode_type*)node != RBTREE_NULL &&
2641 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2642 node = (struct auth_data*)rbtree_previous(&node->node);
2644 if((rbnode_type*)node == RBTREE_NULL)
2649 /** Find cover for hashed(nm, nmlen) (or NULL) */
2650 static struct auth_data*
2651 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2652 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2654 struct auth_data* node;
2655 uint8_t hname[LDNS_MAX_DOMAINLEN];
2656 size_t hlen = sizeof(hname);
2657 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2660 node = az_nsec3_findnode(z, hname, hlen);
2663 /* we did not find any, perhaps because the NSEC3 hash is before
2664 * the first hash, we have to find the 'last hash' in the zone */
2665 node = (struct auth_data*)rbtree_last(&z->data);
2666 while(node && (rbnode_type*)node != RBTREE_NULL &&
2667 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2668 node = (struct auth_data*)rbtree_previous(&node->node);
2670 if((rbnode_type*)node == RBTREE_NULL)
2675 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */
2676 static struct auth_data*
2677 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2678 int algo, size_t iter, uint8_t* salt, size_t saltlen)
2680 struct auth_data* node;
2681 uint8_t hname[LDNS_MAX_DOMAINLEN];
2682 size_t hlen = sizeof(hname);
2683 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2686 node = az_find_name(z, hname, hlen);
2687 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3))
2692 /** Return nextcloser name (as a ref into the qname). This is one label
2693 * more than the cenm (cename must be a suffix of qname) */
2695 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len,
2696 uint8_t** nx, size_t* nxlen)
2698 int celabs = dname_count_labels(cenm);
2699 int qlabs = dname_count_labels(qname);
2700 int strip = qlabs - celabs -1;
2701 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs));
2705 dname_remove_labels(nx, nxlen, strip);
2708 /** Find the closest encloser that has exact NSEC3.
2709 * updated cenm to the new name. If it went up no-exact-ce is true. */
2710 static struct auth_data*
2711 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
2712 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen)
2714 struct auth_data* node;
2715 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
2716 algo, iter, salt, saltlen)) == NULL) {
2717 if(*cenmlen == z->namelen) {
2718 /* next step up would take us out of the zone. fail */
2722 dname_remove_label(cenm, cenmlen);
2727 /* Insert NSEC3 record in authority section, if NULL does nothing */
2729 az_nsec3_insert(struct auth_zone* z, struct regional* region,
2730 struct dns_msg* msg, struct auth_data* node)
2732 struct auth_rrset* nsec3;
2733 if(!node) return 1; /* no node, skip this */
2734 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3);
2735 if(!nsec3) return 1; /* if no nsec3 RR, skip it */
2736 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0;
2740 /** add NSEC3 records to the zone for the nsec3 proof.
2741 * Specify with the flags with parts of the proof are required.
2742 * the ce is the exact matching name (for notype) but also delegation points.
2743 * qname is the one where the nextcloser name can be derived from.
2744 * If NSEC3 is not properly there (in the zone) nothing is added.
2745 * always enabled: include nsec3 proving about the Closest Encloser.
2746 * that is an exact match that should exist for it.
2747 * If that does not exist, a higher exact match + nxproof is enabled
2748 * (for some sort of opt-out empty nonterminal cases).
2749 * ceproof: include ce proof NSEC3 (omitted for wildcard replies).
2750 * nxproof: include denial of the qname.
2751 * wcproof: include denial of wildcard (wildcard.ce).
2754 az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
2755 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
2756 size_t qname_len, int ceproof, int nxproof, int wcproof)
2759 size_t iter, saltlen;
2761 int no_exact_ce = 0;
2762 struct auth_data* node;
2764 /* find parameters of nsec3 proof */
2765 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
2766 return 1; /* no nsec3 */
2767 /* find ce that has an NSEC3 */
2769 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
2770 algo, iter, salt, saltlen);
2771 if(no_exact_ce) nxproof = 1;
2772 if(!az_nsec3_insert(z, region, msg, node))
2779 /* create nextcloser domain name */
2780 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen);
2781 /* find nsec3 that matches or covers it */
2782 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt,
2784 if(!az_nsec3_insert(z, region, msg, node))
2788 /* create wildcard name *.ce */
2789 uint8_t wc[LDNS_MAX_DOMAINLEN];
2791 if(cenmlen+2 > sizeof(wc))
2792 return 0; /* result would be too long */
2793 wc[0] = 1; /* length of wildcard label */
2794 wc[1] = (uint8_t)'*'; /* wildcard label */
2795 memmove(wc+2, cenm, cenmlen);
2797 /* find nsec3 that matches or covers it */
2798 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt,
2800 if(!az_nsec3_insert(z, region, msg, node))
2806 /** generate answer for positive answer */
2808 az_generate_positive_answer(struct auth_zone* z, struct regional* region,
2809 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
2811 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2812 /* see if we want additional rrs */
2813 if(rrset->type == LDNS_RR_TYPE_MX) {
2814 if(!az_add_additionals_from(z, region, msg, rrset, 2))
2816 } else if(rrset->type == LDNS_RR_TYPE_SRV) {
2817 if(!az_add_additionals_from(z, region, msg, rrset, 6))
2819 } else if(rrset->type == LDNS_RR_TYPE_NS) {
2820 if(!az_add_additionals_from(z, region, msg, rrset, 0))
2826 /** generate answer for type ANY answer */
2828 az_generate_any_answer(struct auth_zone* z, struct regional* region,
2829 struct dns_msg* msg, struct auth_data* node)
2831 struct auth_rrset* rrset;
2833 /* add a couple (at least one) RRs */
2834 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) {
2835 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2838 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) {
2839 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2842 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) {
2843 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2846 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) {
2847 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2850 if(added == 0 && node && node->rrsets) {
2851 if(!msg_add_rrset_an(z, region, msg, node,
2852 node->rrsets)) return 0;
2857 /** follow cname chain and add more data to the answer section */
2859 follow_cname_chain(struct auth_zone* z, uint16_t qtype,
2860 struct regional* region, struct dns_msg* msg,
2861 struct packed_rrset_data* d)
2864 /* see if we can add the target of the CNAME into the answer */
2865 while(maxchain++ < MAX_CNAME_CHAIN) {
2866 struct auth_data* node;
2867 struct auth_rrset* rrset;
2869 /* d has cname rdata */
2870 if(d->count == 0) break; /* no CNAME */
2871 if(d->rr_len[0] < 2+1) break; /* too small */
2872 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0)
2873 break; /* malformed */
2874 if(!dname_subdomain_c(d->rr_data[0]+2, z->name))
2875 break; /* target out of zone */
2876 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL)
2877 break; /* no such target name */
2878 if((rrset=az_domain_rrset(node, qtype))!=NULL) {
2879 /* done we found the target */
2880 if(!msg_add_rrset_an(z, region, msg, node, rrset))
2884 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL)
2885 break; /* no further CNAME chain, notype */
2886 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2892 /** generate answer for cname answer */
2894 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo,
2895 struct regional* region, struct dns_msg* msg,
2896 struct auth_data* node, struct auth_rrset* rrset)
2898 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
2899 if(!rrset) return 1;
2900 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data))
2905 /** generate answer for notype answer */
2907 az_generate_notype_answer(struct auth_zone* z, struct regional* region,
2908 struct dns_msg* msg, struct auth_data* node)
2910 struct auth_rrset* rrset;
2911 if(!az_add_negative_soa(z, region, msg)) return 0;
2912 /* DNSSEC denial NSEC */
2913 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) {
2914 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0;
2916 /* DNSSEC denial NSEC3 */
2917 if(!az_add_nsec3_proof(z, region, msg, node->name,
2918 node->namelen, msg->qinfo.qname,
2919 msg->qinfo.qname_len, 1, 0, 0))
2925 /** generate answer for referral answer */
2927 az_generate_referral_answer(struct auth_zone* z, struct regional* region,
2928 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset)
2930 struct auth_rrset* ds, *nsec;
2931 /* turn off AA flag, referral is nonAA because it leaves the zone */
2933 msg->rep->flags &= ~BIT_AA;
2934 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0;
2935 /* add DS or deny it */
2936 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) {
2937 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0;
2940 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) {
2941 if(!msg_add_rrset_ns(z, region, msg, ce, nsec))
2944 if(!az_add_nsec3_proof(z, region, msg, ce->name,
2945 ce->namelen, msg->qinfo.qname,
2946 msg->qinfo.qname_len, 1, 0, 0))
2950 /* add additional rrs for type NS */
2951 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0;
2955 /** generate answer for DNAME answer */
2957 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo,
2958 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
2959 struct auth_rrset* rrset)
2962 /* add the DNAME and then a CNAME */
2963 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0;
2964 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region,
2965 msg, ce, rrset)) return 0;
2966 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN)
2968 if(msg->rep->rrset_count == 0 ||
2969 !msg->rep->rrsets[msg->rep->rrset_count-1])
2971 if(!follow_cname_chain(z, qinfo->qtype, region, msg,
2972 (struct packed_rrset_data*)msg->rep->rrsets[
2973 msg->rep->rrset_count-1]->entry.data))
2978 /** generate answer for wildcard answer */
2980 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
2981 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
2982 struct auth_data* wildcard, struct auth_data* node)
2984 struct auth_rrset* rrset, *nsec;
2985 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
2986 /* wildcard has type, add it */
2987 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
2989 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
2990 msg->qinfo.qname_len, 1);
2991 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) {
2992 /* wildcard has cname instead, do that */
2993 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
2995 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
2996 msg->qinfo.qname_len, 1);
2997 if(!follow_cname_chain(z, qinfo->qtype, region, msg,
3000 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) {
3001 /* add ANY rrsets from wildcard node */
3002 if(!az_generate_any_answer(z, region, msg, wildcard))
3004 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3005 msg->qinfo.qname_len, 1);
3007 /* wildcard has nodata, notype answer */
3008 /* call other notype routine for dnssec notype denials */
3009 if(!az_generate_notype_answer(z, region, msg, wildcard))
3013 /* ce and node for dnssec denial of wildcard original name */
3014 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3015 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3017 uint8_t* wildup = wildcard->name;
3018 size_t wilduplen= wildcard->namelen;
3019 dname_remove_label(&wildup, &wilduplen);
3020 if(!az_add_nsec3_proof(z, region, msg, wildup,
3021 wilduplen, msg->qinfo.qname,
3022 msg->qinfo.qname_len, 0, 1, 0))
3026 /* fixup name of wildcard from *.zone to qname, use already allocated
3027 * pointer to msg qname */
3028 az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3029 msg->qinfo.qname_len, 0);
3033 /** generate answer for nxdomain answer */
3035 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
3036 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node)
3038 struct auth_rrset* nsec;
3039 msg->rep->flags |= LDNS_RCODE_NXDOMAIN;
3040 if(!az_add_negative_soa(z, region, msg)) return 0;
3041 if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3042 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3043 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name,
3044 ce->namelen)) return 0;
3046 if(!az_add_nsec3_proof(z, region, msg, ce->name,
3047 ce->namelen, msg->qinfo.qname,
3048 msg->qinfo.qname_len, 1, 1, 1))
3054 /** Create answers when an exact match exists for the domain name */
3056 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
3057 struct regional* region, struct dns_msg* msg, struct auth_data* node)
3059 struct auth_rrset* rrset;
3060 /* positive answer, rrset we are looking for exists */
3061 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) {
3062 return az_generate_positive_answer(z, region, msg, node, rrset);
3065 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) {
3066 return az_generate_cname_answer(z, qinfo, region, msg,
3070 if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
3071 return az_generate_any_answer(z, region, msg, node);
3073 /* NOERROR/NODATA (no such type at domain name) */
3074 return az_generate_notype_answer(z, region, msg, node);
3077 /** Generate answer without an existing-node that we can use.
3078 * So it'll be a referral, DNAME or nxdomain */
3080 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
3081 struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3082 struct auth_rrset* rrset, struct auth_data* node)
3084 struct auth_data* wildcard;
3086 /* we do not have an exact matching name (that exists) */
3087 /* see if we have a NS or DNAME in the ce */
3088 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) {
3089 return az_generate_referral_answer(z, region, msg, ce, rrset);
3091 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) {
3092 return az_generate_dname_answer(z, qinfo, region, msg, ce,
3095 /* if there is an empty nonterminal, wildcard and nxdomain don't
3096 * happen, it is a notype answer */
3097 if(az_empty_nonterminal(z, qinfo, node)) {
3098 return az_generate_notype_answer(z, region, msg, node);
3100 /* see if we have a wildcard under the ce */
3101 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) {
3102 return az_generate_wildcard_answer(z, qinfo, region, msg,
3103 ce, wildcard, node);
3105 /* generate nxdomain answer */
3106 return az_generate_nxdomain_answer(z, region, msg, ce, node);
3109 /** Lookup answer in a zone. */
3111 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo,
3112 struct regional* region, struct dns_msg** msg, int* fallback)
3114 struct auth_data* node, *ce;
3115 struct auth_rrset* rrset;
3116 int node_exact, node_exists;
3117 /* does the zone want fallback in case of failure? */
3118 *fallback = z->fallback_enabled;
3119 if(!(*msg=msg_create(region, qinfo))) return 0;
3121 /* lookup if there is a matching domain name for the query */
3122 az_find_domain(z, qinfo, &node_exact, &node);
3124 /* see if node exists for generating answers from (i.e. not glue and
3125 * obscured by NS or DNAME or NSEC3-only), and also return the
3126 * closest-encloser from that, closest node that should be used
3127 * to generate answers from that is above the query */
3128 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset);
3130 if(verbosity >= VERB_ALGO) {
3131 char zname[256], qname[256], nname[256], cename[256],
3132 tpstr[32], rrstr[32];
3133 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname,
3135 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr));
3136 sldns_wire2str_dname_buf(z->name, z->namelen, zname,
3139 sldns_wire2str_dname_buf(node->name, node->namelen,
3140 nname, sizeof(nname));
3141 else snprintf(nname, sizeof(nname), "NULL");
3143 sldns_wire2str_dname_buf(ce->name, ce->namelen,
3144 cename, sizeof(cename));
3145 else snprintf(cename, sizeof(cename), "NULL");
3146 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr,
3148 else snprintf(rrstr, sizeof(rrstr), "NULL");
3149 log_info("auth_zone %s query %s %s, domain %s %s %s, "
3150 "ce %s, rrset %s", zname, qname, tpstr, nname,
3151 (node_exact?"exact":"notexact"),
3152 (node_exists?"exist":"notexist"), cename, rrstr);
3156 /* the node is fine, generate answer from node */
3157 return az_generate_answer_with_node(z, qinfo, region, *msg,
3160 return az_generate_answer_nonexistnode(z, qinfo, region, *msg,
3164 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
3165 struct regional* region, struct dns_msg** msg, int* fallback,
3166 uint8_t* dp_nm, size_t dp_nmlen)
3169 struct auth_zone* z;
3170 /* find the zone that should contain the answer. */
3171 lock_rw_rdlock(&az->lock);
3172 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass);
3174 lock_rw_unlock(&az->lock);
3175 /* no auth zone, fallback to internet */
3179 lock_rw_rdlock(&z->lock);
3180 lock_rw_unlock(&az->lock);
3182 /* if not for upstream queries, fallback */
3183 if(!z->for_upstream) {
3184 lock_rw_unlock(&z->lock);
3188 if(z->zone_expired) {
3189 *fallback = z->fallback_enabled;
3190 lock_rw_unlock(&z->lock);
3193 /* see what answer that zone would generate */
3194 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
3195 lock_rw_unlock(&z->lock);
3199 /** encode auth answer */
3201 auth_answer_encode(struct query_info* qinfo, struct module_env* env,
3202 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3203 struct regional* temp, struct dns_msg* msg)
3206 udpsize = edns->udp_size;
3207 edns->edns_version = EDNS_ADVERTISED_VERSION;
3208 edns->udp_size = EDNS_ADVERTISED_SIZE;
3209 edns->ext_rcode = 0;
3210 edns->bits &= EDNS_DO;
3212 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep,
3213 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp)
3214 || !reply_info_answer_encode(qinfo, msg->rep,
3215 *(uint16_t*)sldns_buffer_begin(buf),
3216 sldns_buffer_read_u16_at(buf, 2),
3217 buf, 0, 0, temp, udpsize, edns,
3218 (int)(edns->bits&EDNS_DO), 0)) {
3219 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
3220 *(uint16_t*)sldns_buffer_begin(buf),
3221 sldns_buffer_read_u16_at(buf, 2), edns);
3225 /** encode auth error answer */
3227 auth_error_encode(struct query_info* qinfo, struct module_env* env,
3228 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3229 struct regional* temp, int rcode)
3231 edns->edns_version = EDNS_ADVERTISED_VERSION;
3232 edns->udp_size = EDNS_ADVERTISED_SIZE;
3233 edns->ext_rcode = 0;
3234 edns->bits &= EDNS_DO;
3236 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
3237 rcode, edns, repinfo, temp))
3238 edns->opt_list = NULL;
3239 error_encode(buf, rcode|BIT_AA, qinfo,
3240 *(uint16_t*)sldns_buffer_begin(buf),
3241 sldns_buffer_read_u16_at(buf, 2), edns);
3244 int auth_zones_answer(struct auth_zones* az, struct module_env* env,
3245 struct query_info* qinfo, struct edns_data* edns,
3246 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp)
3248 struct dns_msg* msg = NULL;
3249 struct auth_zone* z;
3253 lock_rw_rdlock(&az->lock);
3254 if(!az->have_downstream) {
3255 /* no downstream auth zones */
3256 lock_rw_unlock(&az->lock);
3259 if(qinfo->qtype == LDNS_RR_TYPE_DS) {
3260 uint8_t* delname = qinfo->qname;
3261 size_t delnamelen = qinfo->qname_len;
3262 dname_remove_label(&delname, &delnamelen);
3263 z = auth_zones_find_zone(az, delname, delnamelen,
3266 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len,
3270 /* no zone above it */
3271 lock_rw_unlock(&az->lock);
3274 lock_rw_rdlock(&z->lock);
3275 lock_rw_unlock(&az->lock);
3276 if(!z->for_downstream) {
3277 lock_rw_unlock(&z->lock);
3280 if(z->zone_expired) {
3281 if(z->fallback_enabled) {
3282 lock_rw_unlock(&z->lock);
3285 lock_rw_unlock(&z->lock);
3286 lock_rw_wrlock(&az->lock);
3287 az->num_query_down++;
3288 lock_rw_unlock(&az->lock);
3289 auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3290 LDNS_RCODE_SERVFAIL);
3294 /* answer it from zone z */
3295 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
3296 lock_rw_unlock(&z->lock);
3297 if(!r && fallback) {
3298 /* fallback to regular answering (recursive) */
3301 lock_rw_wrlock(&az->lock);
3302 az->num_query_down++;
3303 lock_rw_unlock(&az->lock);
3307 auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3308 LDNS_RCODE_SERVFAIL);
3309 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg);
3314 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen,
3318 struct auth_zone* z;
3319 lock_rw_rdlock(&az->lock);
3320 z = auth_zone_find(az, nm, nmlen, dclass);
3322 lock_rw_unlock(&az->lock);
3323 /* no such auth zone, fallback */
3326 lock_rw_rdlock(&z->lock);
3327 lock_rw_unlock(&az->lock);
3328 r = z->fallback_enabled || (!z->for_upstream);
3329 lock_rw_unlock(&z->lock);
3334 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial)
3336 struct query_info q;
3338 memset(&q, 0, sizeof(q));
3339 sldns_buffer_set_position(pkt, 0);
3340 if(!query_info_parse(&q, pkt)) return 0;
3341 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0;
3342 /* skip name of RR in answer section */
3343 if(sldns_buffer_remaining(pkt) < 1) return 0;
3344 if(pkt_dname_len(pkt) == 0) return 0;
3346 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/)
3348 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0;
3349 sldns_buffer_skip(pkt, 2); /* class */
3350 sldns_buffer_skip(pkt, 4); /* ttl */
3351 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */
3352 if(sldns_buffer_remaining(pkt) < rdlen) return 0;
3353 if(rdlen < 22) return 0; /* bad soa length */
3354 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20));
3355 *serial = sldns_buffer_read_u32(pkt);
3356 /* return true when has serial in answer section */
3360 /** see if addr appears in the list */
3362 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr,
3365 struct auth_addr* p;
3366 for(p=list; p; p=p->next) {
3367 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0)
3373 /** check if an address matches a master specification (or one of its
3374 * addresses in the addr list) */
3376 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr,
3377 socklen_t addrlen, struct auth_master** fromhost)
3379 struct sockaddr_storage a;
3382 if(addr_in_list(master->list, addr, addrlen)) {
3386 /* compare address (but not port number, that is the destination
3387 * port of the master, the port number of the received notify is
3388 * allowed to by any port on that master) */
3389 if(extstrtoaddr(master->host, &a, &alen) &&
3390 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) {
3394 /* prefixes, addr/len, like 10.0.0.0/8 */
3395 /* not http and has a / and there is one / */
3396 if(master->allow_notify && !master->http &&
3397 strchr(master->host, '/') != NULL &&
3398 strchr(master->host, '/') == strrchr(master->host, '/') &&
3399 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen,
3400 &net) && alen == addrlen) {
3401 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32),
3402 &a, net, alen) >= net) {
3403 *fromhost = NULL; /* prefix does not have destination
3404 to send the probe or transfer with */
3405 return 1; /* matches the netblock */
3411 /** check access list for notifies */
3413 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr,
3414 socklen_t addrlen, struct auth_master** fromhost)
3416 struct auth_master* p;
3417 for(p=xfr->allow_notify_list; p; p=p->next) {
3418 if(addr_matches_master(p, addr, addrlen, fromhost)) {
3425 /** see if the serial means the zone has to be updated, i.e. the serial
3426 * is newer than the zone serial, or we have no zone */
3428 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial)
3431 return 1; /* no zone, anything is better */
3432 if(xfr->zone_expired)
3433 return 1; /* expired, the sent serial is better than expired
3435 if(compare_serial(xfr->serial, serial) < 0)
3436 return 1; /* our serial is smaller than the sent serial,
3437 the data is newer, fetch it */
3441 /** note notify serial, updates the notify information in the xfr struct */
3443 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial)
3445 if(xfr->notify_received && xfr->notify_has_serial && has_serial) {
3446 /* see if this serial is newer */
3447 if(compare_serial(xfr->notify_serial, serial) < 0)
3448 xfr->notify_serial = serial;
3449 } else if(xfr->notify_received && xfr->notify_has_serial &&
3451 /* remove serial, we have notify without serial */
3452 xfr->notify_has_serial = 0;
3453 xfr->notify_serial = 0;
3454 } else if(xfr->notify_received && !xfr->notify_has_serial) {
3455 /* we already have notify without serial, keep it
3456 * that way; no serial check when current operation
3459 xfr->notify_received = 1;
3460 xfr->notify_has_serial = has_serial;
3461 xfr->notify_serial = serial;
3465 /** process a notify serial, start new probe or note serial. xfr is locked */
3467 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
3468 int has_serial, uint32_t serial, struct auth_master* fromhost)
3470 /* if the serial of notify is older than we have, don't fetch
3471 * a zone, we already have it */
3472 if(has_serial && !xfr_serial_means_update(xfr, serial)) {
3473 lock_basic_unlock(&xfr->lock);
3476 /* start new probe with this addr src, or note serial */
3477 if(!xfr_start_probe(xfr, env, fromhost)) {
3478 /* not started because already in progress, note the serial */
3479 xfr_note_notify_serial(xfr, has_serial, serial);
3480 lock_basic_unlock(&xfr->lock);
3482 /* successful end of start_probe unlocked xfr->lock */
3485 int auth_zones_notify(struct auth_zones* az, struct module_env* env,
3486 uint8_t* nm, size_t nmlen, uint16_t dclass,
3487 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial,
3488 uint32_t serial, int* refused)
3490 struct auth_xfer* xfr;
3491 struct auth_master* fromhost = NULL;
3492 /* see which zone this is */
3493 lock_rw_rdlock(&az->lock);
3494 xfr = auth_xfer_find(az, nm, nmlen, dclass);
3496 lock_rw_unlock(&az->lock);
3497 /* no such zone, refuse the notify */
3501 lock_basic_lock(&xfr->lock);
3502 lock_rw_unlock(&az->lock);
3504 /* check access list for notifies */
3505 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) {
3506 lock_basic_unlock(&xfr->lock);
3507 /* notify not allowed, refuse the notify */
3512 /* process the notify */
3513 xfr_process_notify(xfr, env, has_serial, serial, fromhost);
3517 int auth_zones_startprobesequence(struct auth_zones* az,
3518 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass)
3520 struct auth_xfer* xfr;
3521 lock_rw_rdlock(&az->lock);
3522 xfr = auth_xfer_find(az, nm, nmlen, dclass);
3524 lock_rw_unlock(&az->lock);
3527 lock_basic_lock(&xfr->lock);
3528 lock_rw_unlock(&az->lock);
3530 xfr_process_notify(xfr, env, 0, 0, NULL);
3534 /** set a zone expired */
3536 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env,
3539 struct auth_zone* z;
3542 lock_basic_lock(&xfr->lock);
3543 xfr->zone_expired = expired;
3544 lock_basic_unlock(&xfr->lock);
3546 /* find auth_zone */
3547 lock_rw_rdlock(&env->auth_zones->lock);
3548 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
3551 lock_rw_unlock(&env->auth_zones->lock);
3554 lock_rw_wrlock(&z->lock);
3555 lock_rw_unlock(&env->auth_zones->lock);
3557 /* expire auth_zone */
3558 z->zone_expired = expired;
3559 lock_rw_unlock(&z->lock);
3562 /** find master (from notify or probe) in list of masters */
3563 static struct auth_master*
3564 find_master_by_host(struct auth_master* list, char* host)
3566 struct auth_master* p;
3567 for(p=list; p; p=p->next) {
3568 if(strcmp(p->host, host) == 0)
3574 /** delete the looked up auth_addrs for all the masters in the list */
3576 xfr_masterlist_free_addrs(struct auth_master* list)
3578 struct auth_master* m;
3579 for(m=list; m; m=m->next) {
3581 auth_free_master_addrs(m->list);
3587 /** copy a list of auth_addrs */
3588 static struct auth_addr*
3589 auth_addr_list_copy(struct auth_addr* source)
3591 struct auth_addr* list = NULL, *last = NULL;
3592 struct auth_addr* p;
3593 for(p=source; p; p=p->next) {
3594 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p));
3596 log_err("malloc failure");
3597 auth_free_master_addrs(list);
3601 if(last) last->next = a;
3608 /** copy a master to a new structure, NULL on alloc failure */
3609 static struct auth_master*
3610 auth_master_copy(struct auth_master* o)
3612 struct auth_master* m;
3614 m = (struct auth_master*)memdup(o, sizeof(*o));
3616 log_err("malloc failure");
3621 m->host = strdup(m->host);
3624 log_err("malloc failure");
3629 m->file = strdup(m->file);
3633 log_err("malloc failure");
3638 m->list = auth_addr_list_copy(m->list);
3649 /** copy the master addresses from the task_probe lookups to the allow_notify
3650 * list of masters */
3652 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr)
3654 struct auth_master* list = NULL, *last = NULL;
3655 struct auth_master* p;
3656 /* build up new list with copies */
3657 for(p = xfr->task_probe->masters; p; p=p->next) {
3658 struct auth_master* m = auth_master_copy(p);
3660 auth_free_masters(list);
3661 /* failed because of malloc failure, use old list */
3665 if(last) last->next = m;
3669 /* success, replace list */
3670 auth_free_masters(xfr->allow_notify_list);
3671 xfr->allow_notify_list = list;
3674 /** start the lookups for task_transfer */
3676 xfr_transfer_start_lookups(struct auth_xfer* xfr)
3678 /* delete all the looked up addresses in the list */
3679 xfr_masterlist_free_addrs(xfr->task_transfer->masters);
3681 /* start lookup at the first master */
3682 xfr->task_transfer->lookup_target = xfr->task_transfer->masters;
3683 xfr->task_transfer->lookup_aaaa = 0;
3686 /** move to the next lookup of hostname for task_transfer */
3688 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
3690 if(!xfr->task_transfer->lookup_target)
3691 return; /* already at end of list */
3692 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) {
3693 /* move to lookup AAAA */
3694 xfr->task_transfer->lookup_aaaa = 1;
3697 xfr->task_transfer->lookup_target =
3698 xfr->task_transfer->lookup_target->next;
3699 xfr->task_transfer->lookup_aaaa = 0;
3700 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL)
3701 xfr->task_transfer->lookup_aaaa = 1;
3704 /** start the lookups for task_probe */
3706 xfr_probe_start_lookups(struct auth_xfer* xfr)
3708 /* delete all the looked up addresses in the list */
3709 xfr_masterlist_free_addrs(xfr->task_probe->masters);
3711 /* start lookup at the first master */
3712 xfr->task_probe->lookup_target = xfr->task_probe->masters;
3713 xfr->task_probe->lookup_aaaa = 0;
3716 /** move to the next lookup of hostname for task_probe */
3718 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
3720 if(!xfr->task_probe->lookup_target)
3721 return; /* already at end of list */
3722 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) {
3723 /* move to lookup AAAA */
3724 xfr->task_probe->lookup_aaaa = 1;
3727 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next;
3728 xfr->task_probe->lookup_aaaa = 0;
3729 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL)
3730 xfr->task_probe->lookup_aaaa = 1;
3733 /** start the iteration of the task_transfer list of masters */
3735 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec)
3738 xfr->task_transfer->scan_specific = find_master_by_host(
3739 xfr->task_transfer->masters, spec->host);
3740 if(xfr->task_transfer->scan_specific) {
3741 xfr->task_transfer->scan_target = NULL;
3742 xfr->task_transfer->scan_addr = NULL;
3743 if(xfr->task_transfer->scan_specific->list)
3744 xfr->task_transfer->scan_addr =
3745 xfr->task_transfer->scan_specific->list;
3749 /* no specific (notified) host to scan */
3750 xfr->task_transfer->scan_specific = NULL;
3751 xfr->task_transfer->scan_addr = NULL;
3752 /* pick up first scan target */
3753 xfr->task_transfer->scan_target = xfr->task_transfer->masters;
3754 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3756 xfr->task_transfer->scan_addr =
3757 xfr->task_transfer->scan_target->list;
3760 /** start the iteration of the task_probe list of masters */
3762 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec)
3765 xfr->task_probe->scan_specific = find_master_by_host(
3766 xfr->task_probe->masters, spec->host);
3767 if(xfr->task_probe->scan_specific) {
3768 xfr->task_probe->scan_target = NULL;
3769 xfr->task_probe->scan_addr = NULL;
3770 if(xfr->task_probe->scan_specific->list)
3771 xfr->task_probe->scan_addr =
3772 xfr->task_probe->scan_specific->list;
3776 /* no specific (notified) host to scan */
3777 xfr->task_probe->scan_specific = NULL;
3778 xfr->task_probe->scan_addr = NULL;
3779 /* pick up first scan target */
3780 xfr->task_probe->scan_target = xfr->task_probe->masters;
3781 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list)
3782 xfr->task_probe->scan_addr =
3783 xfr->task_probe->scan_target->list;
3786 /** pick up the master that is being scanned right now, task_transfer */
3787 static struct auth_master*
3788 xfr_transfer_current_master(struct auth_xfer* xfr)
3790 if(xfr->task_transfer->scan_specific)
3791 return xfr->task_transfer->scan_specific;
3792 return xfr->task_transfer->scan_target;
3795 /** pick up the master that is being scanned right now, task_probe */
3796 static struct auth_master*
3797 xfr_probe_current_master(struct auth_xfer* xfr)
3799 if(xfr->task_probe->scan_specific)
3800 return xfr->task_probe->scan_specific;
3801 return xfr->task_probe->scan_target;
3804 /** true if at end of list, task_transfer */
3806 xfr_transfer_end_of_list(struct auth_xfer* xfr)
3808 return !xfr->task_transfer->scan_specific &&
3809 !xfr->task_transfer->scan_target;
3812 /** true if at end of list, task_probe */
3814 xfr_probe_end_of_list(struct auth_xfer* xfr)
3816 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target;
3819 /** move to next master in list, task_transfer */
3821 xfr_transfer_nextmaster(struct auth_xfer* xfr)
3823 if(!xfr->task_transfer->scan_specific &&
3824 !xfr->task_transfer->scan_target)
3826 if(xfr->task_transfer->scan_addr) {
3827 xfr->task_transfer->scan_addr =
3828 xfr->task_transfer->scan_addr->next;
3829 if(xfr->task_transfer->scan_addr)
3832 if(xfr->task_transfer->scan_specific) {
3833 xfr->task_transfer->scan_specific = NULL;
3834 xfr->task_transfer->scan_target = xfr->task_transfer->masters;
3835 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3837 xfr->task_transfer->scan_addr =
3838 xfr->task_transfer->scan_target->list;
3841 if(!xfr->task_transfer->scan_target)
3843 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next;
3844 if(xfr->task_transfer->scan_target && xfr->task_transfer->
3846 xfr->task_transfer->scan_addr =
3847 xfr->task_transfer->scan_target->list;
3851 /** move to next master in list, task_probe */
3853 xfr_probe_nextmaster(struct auth_xfer* xfr)
3855 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target)
3857 if(xfr->task_probe->scan_addr) {
3858 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next;
3859 if(xfr->task_probe->scan_addr)
3862 if(xfr->task_probe->scan_specific) {
3863 xfr->task_probe->scan_specific = NULL;
3864 xfr->task_probe->scan_target = xfr->task_probe->masters;
3865 if(xfr->task_probe->scan_target && xfr->task_probe->
3867 xfr->task_probe->scan_addr =
3868 xfr->task_probe->scan_target->list;
3871 if(!xfr->task_probe->scan_target)
3873 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next;
3874 if(xfr->task_probe->scan_target && xfr->task_probe->
3876 xfr->task_probe->scan_addr =
3877 xfr->task_probe->scan_target->list;
3881 /** create SOA probe packet for xfr */
3883 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf,
3886 struct query_info qinfo;
3888 memset(&qinfo, 0, sizeof(qinfo));
3889 qinfo.qname = xfr->name;
3890 qinfo.qname_len = xfr->namelen;
3891 qinfo.qtype = LDNS_RR_TYPE_SOA;
3892 qinfo.qclass = xfr->dclass;
3893 qinfo_query_encode(buf, &qinfo);
3894 sldns_buffer_write_u16_at(buf, 0, id);
3897 /** create IXFR/AXFR packet for xfr */
3899 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id,
3900 struct auth_master* master)
3902 struct query_info qinfo;
3905 have_zone = xfr->have_zone;
3906 serial = xfr->serial;
3908 memset(&qinfo, 0, sizeof(qinfo));
3909 qinfo.qname = xfr->name;
3910 qinfo.qname_len = xfr->namelen;
3911 xfr->task_transfer->got_xfr_serial = 0;
3912 xfr->task_transfer->rr_scan_num = 0;
3913 xfr->task_transfer->incoming_xfr_serial = 0;
3914 xfr->task_transfer->on_ixfr_is_axfr = 0;
3915 xfr->task_transfer->on_ixfr = 1;
3916 qinfo.qtype = LDNS_RR_TYPE_IXFR;
3917 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) {
3918 qinfo.qtype = LDNS_RR_TYPE_AXFR;
3919 xfr->task_transfer->ixfr_fail = 0;
3920 xfr->task_transfer->on_ixfr = 0;
3923 qinfo.qclass = xfr->dclass;
3924 qinfo_query_encode(buf, &qinfo);
3925 sldns_buffer_write_u16_at(buf, 0, id);
3927 /* append serial for IXFR */
3928 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) {
3929 size_t end = sldns_buffer_limit(buf);
3930 sldns_buffer_clear(buf);
3931 sldns_buffer_set_position(buf, end);
3932 /* auth section count 1 */
3933 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1);
3935 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */
3936 sldns_buffer_write_u8(buf, 0x0C);
3937 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA);
3938 sldns_buffer_write_u16(buf, qinfo.qclass);
3939 sldns_buffer_write_u32(buf, 0); /* ttl */
3940 sldns_buffer_write_u16(buf, 22); /* rdata length */
3941 sldns_buffer_write_u8(buf, 0); /* . */
3942 sldns_buffer_write_u8(buf, 0); /* . */
3943 sldns_buffer_write_u32(buf, serial); /* serial */
3944 sldns_buffer_write_u32(buf, 0); /* refresh */
3945 sldns_buffer_write_u32(buf, 0); /* retry */
3946 sldns_buffer_write_u32(buf, 0); /* expire */
3947 sldns_buffer_write_u32(buf, 0); /* minimum */
3948 sldns_buffer_flip(buf);
3952 /** check if returned packet is OK */
3954 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr,
3957 /* parse to see if packet worked, valid reply */
3959 /* check serial number of SOA */
3960 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE)
3964 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id)
3967 /* check flag bits and rcode */
3968 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt)))
3970 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY)
3972 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR)
3976 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1)
3978 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE);
3979 if(sldns_buffer_remaining(pkt) < xfr->namelen)
3981 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0)
3983 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen);
3985 /* check qtype, qclass */
3986 if(sldns_buffer_remaining(pkt) < 4)
3988 if(sldns_buffer_read_u16(pkt) != qtype)
3990 if(sldns_buffer_read_u16(pkt) != xfr->dclass)
3995 /* read serial number, from answer section SOA */
3996 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0)
3998 /* read from first record SOA record */
3999 if(sldns_buffer_remaining(pkt) < 1)
4001 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt),
4004 if(!pkt_dname_len(pkt))
4006 /* type, class, ttl, rdatalen */
4007 if(sldns_buffer_remaining(pkt) < 4+4+2)
4009 if(sldns_buffer_read_u16(pkt) != qtype)
4011 if(sldns_buffer_read_u16(pkt) != xfr->dclass)
4013 sldns_buffer_skip(pkt, 4); /* ttl */
4014 rdlen = sldns_buffer_read_u16(pkt);
4015 if(sldns_buffer_remaining(pkt) < rdlen)
4017 if(sldns_buffer_remaining(pkt) < 1)
4019 if(!pkt_dname_len(pkt)) /* soa name */
4021 if(sldns_buffer_remaining(pkt) < 1)
4023 if(!pkt_dname_len(pkt)) /* soa name */
4025 if(sldns_buffer_remaining(pkt) < 20)
4027 *serial = sldns_buffer_read_u32(pkt);
4032 /** read one line from chunks into buffer at current position */
4034 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos,
4039 /* more text in this chunk? */
4040 if(*chunk_pos < (*chunk)->len) {
4042 while(*chunk_pos < (*chunk)->len) {
4043 char c = (char)((*chunk)->data[*chunk_pos]);
4045 if(sldns_buffer_remaining(buf) < 2) {
4046 /* buffer too short */
4047 verbose(VERB_ALGO, "http chunkline, "
4051 sldns_buffer_write_u8(buf, (uint8_t)c);
4058 /* move to next chunk */
4059 *chunk = (*chunk)->next;
4063 if(readsome) return 1;
4067 /** count number of open and closed parenthesis in a chunkline */
4069 chunkline_count_parens(sldns_buffer* buf, size_t start)
4071 size_t end = sldns_buffer_position(buf);
4074 int squote = 0, dquote = 0;
4075 for(i=start; i<end; i++) {
4076 char c = (char)sldns_buffer_read_u8_at(buf, i);
4077 if(squote && c != '\'') continue;
4078 if(dquote && c != '"') continue;
4080 dquote = !dquote; /* skip quoted part */
4082 squote = !squote; /* skip quoted part */
4088 /* rest is a comment */
4095 /** remove trailing ;... comment from a line in the chunkline buffer */
4097 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start)
4099 size_t end = sldns_buffer_position(buf);
4101 int squote = 0, dquote = 0;
4102 for(i=start; i<end; i++) {
4103 char c = (char)sldns_buffer_read_u8_at(buf, i);
4104 if(squote && c != '\'') continue;
4105 if(dquote && c != '"') continue;
4107 dquote = !dquote; /* skip quoted part */
4109 squote = !squote; /* skip quoted part */
4111 /* rest is a comment */
4112 sldns_buffer_set_position(buf, i);
4116 /* nothing to remove */
4119 /** see if a chunkline is a comment line (or empty line) */
4121 chunkline_is_comment_line_or_empty(sldns_buffer* buf)
4123 size_t i, end = sldns_buffer_limit(buf);
4124 for(i=0; i<end; i++) {
4125 char c = (char)sldns_buffer_read_u8_at(buf, i);
4127 return 1; /* comment */
4128 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n')
4129 return 0; /* not a comment */
4131 return 1; /* empty */
4134 /** find a line with ( ) collated */
4136 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos,
4141 sldns_buffer_clear(buf);
4142 pos = sldns_buffer_position(buf);
4143 if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4144 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4145 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4146 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4147 sldns_buffer_flip(buf);
4150 parens += chunkline_count_parens(buf, pos);
4152 chunkline_remove_trailcomment(buf, pos);
4153 pos = sldns_buffer_position(buf);
4154 if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4155 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4156 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4157 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4158 sldns_buffer_flip(buf);
4161 parens += chunkline_count_parens(buf, pos);
4164 if(sldns_buffer_remaining(buf) < 1) {
4165 verbose(VERB_ALGO, "http chunkline: "
4169 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4170 sldns_buffer_flip(buf);
4174 /** process $ORIGIN for http */
4176 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4178 char* line = (char*)sldns_buffer_begin(buf);
4179 if(strncmp(line, "$ORIGIN", 7) == 0 &&
4180 isspace((unsigned char)line[7])) {
4182 pstate->origin_len = sizeof(pstate->origin);
4183 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8),
4184 pstate->origin, &pstate->origin_len);
4185 if(s) pstate->origin_len = 0;
4191 /** process $TTL for http */
4193 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4195 char* line = (char*)sldns_buffer_begin(buf);
4196 if(strncmp(line, "$TTL", 4) == 0 &&
4197 isspace((unsigned char)line[4])) {
4198 const char* end = NULL;
4199 pstate->default_ttl = sldns_str2period(
4200 sldns_strip_ws(line+5), &end);
4206 /** find noncomment RR line in chunks, collates lines if ( ) format */
4208 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
4209 sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4211 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) {
4212 if(chunkline_is_comment_line_or_empty(buf)) {
4213 /* a comment, go to next line */
4216 if(http_parse_origin(buf, pstate)) {
4217 continue; /* $ORIGIN has been handled */
4219 if(http_parse_ttl(buf, pstate)) {
4220 continue; /* $TTL has been handled */
4224 /* no noncomments, fail */
4228 /** check syntax of chunklist zonefile, parse first RR, return false on
4229 * failure and return a string in the scratch buffer (first RR string)
4232 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf)
4234 uint8_t rr[LDNS_RR_BUF_SIZE];
4235 size_t rr_len, dname_len = 0;
4236 struct sldns_file_parse_state pstate;
4237 struct auth_chunk* chunk;
4240 memset(&pstate, 0, sizeof(pstate));
4241 pstate.default_ttl = 3600;
4242 if(xfr->namelen < sizeof(pstate.origin)) {
4243 pstate.origin_len = xfr->namelen;
4244 memmove(pstate.origin, xfr->name, xfr->namelen);
4246 chunk = xfr->task_transfer->chunks_first;
4248 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) {
4251 rr_len = sizeof(rr);
4252 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len,
4253 &dname_len, pstate.default_ttl,
4254 pstate.origin_len?pstate.origin:NULL, pstate.origin_len,
4255 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len);
4257 log_err("parse failure on first RR[%d]: %s",
4258 LDNS_WIREPARSE_OFFSET(e),
4259 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)));
4262 /* check that class is correct */
4263 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) {
4264 log_err("parse failure: first record in downloaded zonefile "
4265 "from wrong RR class");
4271 /** sum sizes of chunklist */
4273 chunklist_sum(struct auth_chunk* list)
4275 struct auth_chunk* p;
4277 for(p=list; p; p=p->next) {
4283 /** remove newlines from collated line */
4285 chunkline_newline_removal(sldns_buffer* buf)
4287 size_t i, end=sldns_buffer_limit(buf);
4288 for(i=0; i<end; i++) {
4289 char c = (char)sldns_buffer_read_u8_at(buf, i);
4290 if(c == '\n' && i==end-1) {
4291 sldns_buffer_write_u8_at(buf, i, 0);
4292 sldns_buffer_set_limit(buf, end-1);
4296 sldns_buffer_write_u8_at(buf, i, (uint8_t)' ');
4300 /** for http download, parse and add RR to zone */
4302 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z,
4303 sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4305 uint8_t rr[LDNS_RR_BUF_SIZE];
4306 size_t rr_len, dname_len = 0;
4308 char* line = (char*)sldns_buffer_begin(buf);
4309 rr_len = sizeof(rr);
4310 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len,
4311 pstate->default_ttl,
4312 pstate->origin_len?pstate->origin:NULL, pstate->origin_len,
4313 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len);
4315 log_err("%s/%s parse failure RR[%d]: %s in '%s'",
4316 xfr->task_transfer->master->host,
4317 xfr->task_transfer->master->file,
4318 LDNS_WIREPARSE_OFFSET(e),
4319 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)),
4324 return 1; /* empty line or so */
4327 if(dname_len < sizeof(pstate->prev_rr)) {
4328 memmove(pstate->prev_rr, rr, dname_len);
4329 pstate->prev_rr_len = dname_len;
4332 return az_insert_rr(z, rr, rr_len, dname_len, NULL);
4335 /** RR list iterator, returns RRs from answer section one by one from the
4336 * dns packets in the chunklist */
4338 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk,
4339 int* rr_num, size_t* rr_pos)
4341 *rr_chunk = xfr->task_transfer->chunks_first;
4346 /** RR list iterator, see if we are at the end of the list */
4348 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num)
4351 if(rr_chunk->len < LDNS_HEADER_SIZE)
4353 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data))
4355 /* no more RRs in this chunk */
4356 /* continue with next chunk, see if it has RRs */
4357 rr_chunk = rr_chunk->next;
4363 /** RR list iterator, move to next RR */
4365 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num,
4366 size_t* rr_pos, size_t rr_nextpos)
4368 /* already at end of chunks? */
4371 /* move within this chunk */
4372 if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4373 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) {
4375 *rr_pos = rr_nextpos;
4378 /* no more RRs in this chunk */
4379 /* continue with next chunk, see if it has RRs */
4381 *rr_chunk = (*rr_chunk)->next;
4385 if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4386 LDNS_ANCOUNT((*rr_chunk)->data) > 0) {
4389 *rr_chunk = (*rr_chunk)->next;
4393 /** RR iterator, get current RR information, false on parse error */
4395 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num,
4396 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type,
4397 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen,
4398 uint8_t** rr_rdata, size_t* rr_nextpos)
4401 /* integrity checks on position */
4402 if(!rr_chunk) return 0;
4403 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0;
4404 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0;
4405 if(rr_pos >= rr_chunk->len) return 0;
4407 /* fetch rr information */
4408 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4411 /* skip question section */
4412 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE);
4413 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) {
4414 if(pkt_dname_len(&pkt) == 0) return 0;
4415 if(sldns_buffer_remaining(&pkt) < 4) return 0;
4416 sldns_buffer_skip(&pkt, 4); /* type and class */
4419 sldns_buffer_set_position(&pkt, rr_pos);
4421 *rr_dname = sldns_buffer_current(&pkt);
4422 if(pkt_dname_len(&pkt) == 0) return 0;
4423 if(sldns_buffer_remaining(&pkt) < 10) return 0;
4424 *rr_type = sldns_buffer_read_u16(&pkt);
4425 *rr_class = sldns_buffer_read_u16(&pkt);
4426 *rr_ttl = sldns_buffer_read_u32(&pkt);
4427 *rr_rdlen = sldns_buffer_read_u16(&pkt);
4428 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0;
4429 *rr_rdata = sldns_buffer_current(&pkt);
4430 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen));
4431 *rr_nextpos = sldns_buffer_position(&pkt);
4435 /** print log message where we are in parsing the zone transfer */
4437 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk,
4438 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter)
4445 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4446 sldns_buffer_set_position(&pkt, (size_t)(rr_dname -
4447 sldns_buffer_begin(&pkt)));
4448 if((dlen=pkt_dname_len(&pkt)) == 0) return;
4449 if(dlen >= sizeof(buf)) return;
4450 dname_pkt_copy(&pkt, buf, rr_dname);
4451 dname_str(buf, str);
4452 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr));
4453 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter,
4457 /** check that start serial is OK for ixfr. we are at rr_counter == 0,
4458 * and we are going to check rr_counter == 1 (has to be type SOA) serial */
4460 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos,
4461 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class,
4462 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata,
4463 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial)
4465 uint32_t startserial;
4466 /* move forward on RR */
4467 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4468 if(chunk_rrlist_end(rr_chunk, rr_num)) {
4470 verbose(VERB_OPS, "IXFR has no second SOA record");
4473 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4474 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4475 &rr_rdata, &rr_nextpos)) {
4476 verbose(VERB_OPS, "IXFR cannot parse second SOA record");
4477 /* failed to parse RR */
4480 if(rr_type != LDNS_RR_TYPE_SOA) {
4481 verbose(VERB_OPS, "IXFR second record is not type SOA");
4485 verbose(VERB_OPS, "IXFR, second SOA has short rdlength");
4486 return 0; /* bad SOA rdlen */
4488 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4489 if(startserial == transfer_serial) {
4490 /* empty AXFR, not an IXFR */
4491 verbose(VERB_OPS, "IXFR second serial same as first");
4494 if(startserial != xfr_serial) {
4495 /* wrong start serial, it does not match the serial in
4497 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u "
4498 "in memory, rejecting the zone transfer",
4499 (unsigned)startserial, (unsigned)transfer_serial,
4500 (unsigned)xfr_serial);
4503 /* everything OK in second SOA serial */
4507 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */
4509 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z,
4510 struct sldns_buffer* scratch_buffer)
4512 struct auth_chunk* rr_chunk;
4515 uint8_t* rr_dname, *rr_rdata;
4516 uint16_t rr_type, rr_class, rr_rdlen;
4519 int have_transfer_serial = 0;
4520 uint32_t transfer_serial = 0;
4521 size_t rr_counter = 0;
4525 /* start RR iterator over chunklist of packets */
4526 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
4527 while(!chunk_rrlist_end(rr_chunk, rr_num)) {
4528 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4529 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4530 &rr_rdata, &rr_nextpos)) {
4531 /* failed to parse RR */
4534 if(verbosity>=7) log_rrlist_position("apply ixfr",
4535 rr_chunk, rr_dname, rr_type, rr_counter);
4536 /* twiddle add/del mode and check for start and end */
4537 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA)
4539 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) {
4540 /* this is an AXFR returned from the IXFR master */
4541 /* but that should already have been detected, by
4542 * on_ixfr_is_axfr */
4545 if(rr_type == LDNS_RR_TYPE_SOA) {
4547 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
4548 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4549 if(have_transfer_serial == 0) {
4550 have_transfer_serial = 1;
4551 transfer_serial = serial;
4552 delmode = 1; /* gets negated below */
4553 /* check second RR before going any further */
4554 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos,
4555 rr_dname, rr_type, rr_class, rr_ttl,
4556 rr_rdlen, rr_rdata, rr_nextpos,
4557 transfer_serial, xfr->serial)) {
4560 } else if(transfer_serial == serial) {
4561 have_transfer_serial++;
4562 if(rr_counter == 1) {
4563 /* empty AXFR, with SOA; SOA; */
4564 /* should have been detected by
4565 * on_ixfr_is_axfr */
4568 if(have_transfer_serial == 3) {
4569 /* see serial three times for end */
4572 * SOA 1 second RR, followed by del
4573 * SOA 2 followed by add
4574 * SOA 2 followed by del
4575 * SOA 3 followed by add
4577 /* ended by SOA record */
4578 xfr->serial = transfer_serial;
4582 /* twiddle add/del mode */
4583 /* switch from delete part to add part and back again
4584 * just before the soa, it gets deleted and added too
4585 * this means we switch to delete mode for the final
4586 * SOA(so skip that one) */
4589 /* process this RR */
4590 /* if the RR is deleted twice or added twice, then we
4591 * softfail, and continue with the rest of the IXFR, so
4592 * that we serve something fairly nice during the refetch */
4593 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"),
4594 rr_chunk, rr_dname, rr_type, rr_counter);
4596 /* delete this RR */
4598 if(!az_remove_rr_decompress(z, rr_chunk->data,
4599 rr_chunk->len, scratch_buffer, rr_dname,
4600 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4602 /* failed, malloc error or so */
4606 /* it was removal of a nonexisting RR */
4607 if(verbosity>=4) log_rrlist_position(
4608 "IXFR error nonexistent RR",
4609 rr_chunk, rr_dname, rr_type, rr_counter);
4612 } else if(rr_counter != 0) {
4613 /* skip first SOA RR for addition, it is added in
4614 * the addition part near the end of the ixfr, when
4615 * that serial is seen the second time. */
4618 if(!az_insert_rr_decompress(z, rr_chunk->data,
4619 rr_chunk->len, scratch_buffer, rr_dname,
4620 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4622 /* failed, malloc error or so */
4626 /* it was a duplicate */
4627 if(verbosity>=4) log_rrlist_position(
4628 "IXFR error duplicate RR",
4629 rr_chunk, rr_dname, rr_type, rr_counter);
4635 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4638 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone");
4644 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */
4646 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z,
4647 struct sldns_buffer* scratch_buffer)
4649 struct auth_chunk* rr_chunk;
4652 uint8_t* rr_dname, *rr_rdata;
4653 uint16_t rr_type, rr_class, rr_rdlen;
4655 uint32_t serial = 0;
4657 size_t rr_counter = 0;
4658 int have_end_soa = 0;
4660 /* clear the data tree */
4661 traverse_postorder(&z->data, auth_data_del, NULL);
4662 rbtree_init(&z->data, &auth_data_cmp);
4666 /* insert all RRs in to the zone */
4667 /* insert the SOA only once, skip the last one */
4668 /* start RR iterator over chunklist of packets */
4669 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
4670 while(!chunk_rrlist_end(rr_chunk, rr_num)) {
4671 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4672 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4673 &rr_rdata, &rr_nextpos)) {
4674 /* failed to parse RR */
4677 if(verbosity>=7) log_rrlist_position("apply_axfr",
4678 rr_chunk, rr_dname, rr_type, rr_counter);
4679 if(rr_type == LDNS_RR_TYPE_SOA) {
4680 if(rr_counter != 0) {
4681 /* end of the axfr */
4685 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
4686 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4690 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len,
4691 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl,
4692 rr_rdata, rr_rdlen, NULL)) {
4693 /* failed, malloc error or so */
4698 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4701 log_err("no end SOA record for AXFR");
4705 xfr->serial = serial;
4710 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */
4712 apply_http(struct auth_xfer* xfr, struct auth_zone* z,
4713 struct sldns_buffer* scratch_buffer)
4715 /* parse data in chunks */
4716 /* parse RR's and read into memory. ignore $INCLUDE from the
4718 struct sldns_file_parse_state pstate;
4719 struct auth_chunk* chunk;
4721 memset(&pstate, 0, sizeof(pstate));
4722 pstate.default_ttl = 3600;
4723 if(xfr->namelen < sizeof(pstate.origin)) {
4724 pstate.origin_len = xfr->namelen;
4725 memmove(pstate.origin, xfr->name, xfr->namelen);
4728 if(verbosity >= VERB_ALGO)
4729 verbose(VERB_ALGO, "http download %s of size %d",
4730 xfr->task_transfer->master->file,
4731 (int)chunklist_sum(xfr->task_transfer->chunks_first));
4732 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) {
4734 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) {
4735 memmove(preview, xfr->task_transfer->chunks_first->data,
4737 preview[sizeof(preview)-1]=0;
4739 memmove(preview, xfr->task_transfer->chunks_first->data,
4740 xfr->task_transfer->chunks_first->len);
4741 preview[xfr->task_transfer->chunks_first->len]=0;
4743 log_info("auth zone http downloaded content preview: %s",
4747 /* perhaps a little syntax check before we try to apply the data? */
4748 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) {
4749 log_err("http download %s/%s does not contain a zonefile, "
4750 "but got '%s'", xfr->task_transfer->master->host,
4751 xfr->task_transfer->master->file,
4752 sldns_buffer_begin(scratch_buffer));
4756 /* clear the data tree */
4757 traverse_postorder(&z->data, auth_data_del, NULL);
4758 rbtree_init(&z->data, &auth_data_cmp);
4762 chunk = xfr->task_transfer->chunks_first;
4765 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) {
4766 /* process this line */
4768 chunkline_newline_removal(scratch_buffer);
4769 if(chunkline_is_comment_line_or_empty(scratch_buffer)) {
4772 /* parse line and add RR */
4773 if(http_parse_origin(scratch_buffer, &pstate)) {
4774 continue; /* $ORIGIN has been handled */
4776 if(http_parse_ttl(scratch_buffer, &pstate)) {
4777 continue; /* $TTL has been handled */
4779 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) {
4780 verbose(VERB_ALGO, "error parsing line [%s:%d] %s",
4781 xfr->task_transfer->master->file,
4783 sldns_buffer_begin(scratch_buffer));
4790 /** write http chunks to zonefile to create downloaded file */
4792 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname)
4795 struct auth_chunk* p;
4796 out = fopen(fname, "w");
4798 log_err("could not open %s: %s", fname, strerror(errno));
4801 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) {
4802 if(!write_out(out, (char*)p->data, p->len)) {
4803 log_err("could not write http download to %s", fname);
4812 /** write to zonefile after zone has been updated */
4814 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
4816 struct config_file* cfg = env->cfg;
4817 struct auth_zone* z;
4820 lock_basic_unlock(&xfr->lock);
4822 /* get lock again, so it is a readlock and concurrently queries
4823 * can be answered */
4824 lock_rw_rdlock(&env->auth_zones->lock);
4825 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
4828 lock_rw_unlock(&env->auth_zones->lock);
4829 /* the zone is gone, ignore xfr results */
4830 lock_basic_lock(&xfr->lock);
4833 lock_rw_rdlock(&z->lock);
4834 lock_basic_lock(&xfr->lock);
4835 lock_rw_unlock(&env->auth_zones->lock);
4837 if(z->zonefile == NULL || z->zonefile[0] == 0) {
4838 lock_rw_unlock(&z->lock);
4839 /* no write needed, no zonefile set */
4842 zfilename = z->zonefile;
4843 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
4844 cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
4845 zfilename += strlen(cfg->chrootdir);
4847 /* write to tempfile first */
4848 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) {
4849 verbose(VERB_ALGO, "tmpfilename too long, cannot update "
4850 " zonefile %s", zfilename);
4851 lock_rw_unlock(&z->lock);
4854 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename,
4855 (unsigned)getpid());
4856 if(xfr->task_transfer->master->http) {
4857 /* use the stored chunk list to write them */
4858 if(!auth_zone_write_chunks(xfr, tmpfile)) {
4860 lock_rw_unlock(&z->lock);
4862 } else if(!auth_zone_write_file(z, tmpfile)) {
4864 lock_rw_unlock(&z->lock);
4867 if(rename(tmpfile, zfilename) < 0) {
4868 log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
4871 lock_rw_unlock(&z->lock);
4874 lock_rw_unlock(&z->lock);
4877 /** process chunk list and update zone in memory,
4878 * return false if it did not work */
4880 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
4883 struct auth_zone* z;
4885 /* obtain locks and structures */
4886 /* release xfr lock, then, while holding az->lock grab both
4887 * z->lock and xfr->lock */
4888 lock_basic_unlock(&xfr->lock);
4889 lock_rw_rdlock(&env->auth_zones->lock);
4890 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
4893 lock_rw_unlock(&env->auth_zones->lock);
4894 /* the zone is gone, ignore xfr results */
4895 lock_basic_lock(&xfr->lock);
4898 lock_rw_wrlock(&z->lock);
4899 lock_basic_lock(&xfr->lock);
4900 lock_rw_unlock(&env->auth_zones->lock);
4903 if(xfr->task_transfer->master->http) {
4904 if(!apply_http(xfr, z, env->scratch_buffer)) {
4905 lock_rw_unlock(&z->lock);
4906 verbose(VERB_ALGO, "http from %s: could not store data",
4907 xfr->task_transfer->master->host);
4910 } else if(xfr->task_transfer->on_ixfr &&
4911 !xfr->task_transfer->on_ixfr_is_axfr) {
4912 if(!apply_ixfr(xfr, z, env->scratch_buffer)) {
4913 lock_rw_unlock(&z->lock);
4914 verbose(VERB_ALGO, "xfr from %s: could not store IXFR"
4915 " data", xfr->task_transfer->master->host);
4920 if(!apply_axfr(xfr, z, env->scratch_buffer)) {
4921 lock_rw_unlock(&z->lock);
4922 verbose(VERB_ALGO, "xfr from %s: could not store AXFR"
4923 " data", xfr->task_transfer->master->host);
4927 xfr->zone_expired = 0;
4928 z->zone_expired = 0;
4929 if(!xfr_find_soa(z, xfr)) {
4930 lock_rw_unlock(&z->lock);
4931 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update"
4932 " (or malformed RR)", xfr->task_transfer->master->host);
4936 xfr->lease_time = *env->now;
4939 lock_rw_unlock(&z->lock);
4941 if(verbosity >= VERB_QUERY && xfr->have_zone) {
4943 dname_str(xfr->name, zname);
4944 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname,
4945 (unsigned)xfr->serial);
4947 /* see if we need to write to a zonefile */
4948 xfr_write_after_update(xfr, env);
4952 /** disown task_transfer. caller must hold xfr.lock */
4954 xfr_transfer_disown(struct auth_xfer* xfr)
4956 /* remove the commpoint */
4957 comm_point_delete(xfr->task_transfer->cp);
4958 xfr->task_transfer->cp = NULL;
4959 /* we don't own this item anymore */
4960 xfr->task_transfer->worker = NULL;
4961 xfr->task_transfer->env = NULL;
4964 /** lookup a host name for its addresses, if needed */
4966 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
4968 struct sockaddr_storage addr;
4969 socklen_t addrlen = 0;
4970 struct auth_master* master = xfr->task_transfer->lookup_target;
4971 struct query_info qinfo;
4972 uint16_t qflags = BIT_RD;
4973 uint8_t dname[LDNS_MAX_DOMAINLEN+1];
4974 struct edns_data edns;
4975 sldns_buffer* buf = env->scratch_buffer;
4976 if(!master) return 0;
4977 if(extstrtoaddr(master->host, &addr, &addrlen)) {
4978 /* not needed, host is in IP addr format */
4981 if(master->allow_notify)
4982 return 0; /* allow-notifies are not transferred from, no
4985 /* use mesh_new_callback to probe for non-addr hosts,
4986 * and then wait for them to be looked up (in cache, or query) */
4987 qinfo.qname_len = sizeof(dname);
4988 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
4990 log_err("cannot parse host name of master %s", master->host);
4993 qinfo.qname = dname;
4994 qinfo.qclass = xfr->dclass;
4995 qinfo.qtype = LDNS_RR_TYPE_A;
4996 if(xfr->task_transfer->lookup_aaaa)
4997 qinfo.qtype = LDNS_RR_TYPE_AAAA;
4998 qinfo.local_alias = NULL;
4999 if(verbosity >= VERB_ALGO) {
5001 char buf2[LDNS_MAX_DOMAINLEN+1];
5002 dname_str(xfr->name, buf2);
5003 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
5004 " for task_transfer", buf2);
5005 log_query_info(VERB_ALGO, buf1, &qinfo);
5007 edns.edns_present = 1;
5009 edns.edns_version = 0;
5010 edns.bits = EDNS_DO;
5011 edns.opt_list = NULL;
5012 if(sldns_buffer_capacity(buf) < 65535)
5013 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
5014 else edns.udp_size = 65535;
5016 /* unlock xfr during mesh_new_callback() because the callback can be
5017 * called straight away */
5018 lock_basic_unlock(&xfr->lock);
5019 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
5020 &auth_xfer_transfer_lookup_callback, xfr)) {
5021 lock_basic_lock(&xfr->lock);
5022 log_err("out of memory lookup up master %s", master->host);
5025 lock_basic_lock(&xfr->lock);
5029 /** initiate TCP to the target and fetch zone.
5030 * returns true if that was successfully started, and timeout setup. */
5032 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
5034 struct sockaddr_storage addr;
5035 socklen_t addrlen = 0;
5036 struct auth_master* master = xfr->task_transfer->master;
5037 if(!master) return 0;
5038 if(master->allow_notify) return 0; /* only for notify */
5040 /* get master addr */
5041 if(xfr->task_transfer->scan_addr) {
5042 addrlen = xfr->task_transfer->scan_addr->addrlen;
5043 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen);
5045 if(!extstrtoaddr(master->host, &addr, &addrlen)) {
5046 /* the ones that are not in addr format are supposed
5047 * to be looked up. The lookup has failed however,
5050 dname_str(xfr->name, zname);
5051 log_err("%s: failed lookup, cannot transfer from master %s",
5052 zname, master->host);
5057 /* remove previous TCP connection (if any) */
5058 if(xfr->task_transfer->cp) {
5059 comm_point_delete(xfr->task_transfer->cp);
5060 xfr->task_transfer->cp = NULL;
5064 /* perform http fetch */
5065 /* store http port number into sockaddr,
5066 * unless someone used unbound's host@port notation */
5067 if(strchr(master->host, '@') == NULL)
5068 sockaddr_store_port(&addr, addrlen, master->port);
5069 xfr->task_transfer->cp = outnet_comm_point_for_http(
5070 env->outnet, auth_xfer_transfer_http_callback, xfr,
5071 &addr, addrlen, AUTH_TRANSFER_TIMEOUT, master->ssl,
5072 master->host, master->file);
5073 if(!xfr->task_transfer->cp) {
5075 dname_str(xfr->name, zname);
5076 verbose(VERB_ALGO, "cannot create http cp "
5077 "connection for %s to %s", zname,
5084 /* perform AXFR/IXFR */
5085 /* set the packet to be written */
5087 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
5088 xfr_create_ixfr_packet(xfr, env->scratch_buffer,
5089 xfr->task_transfer->id, master);
5092 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet,
5093 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen,
5094 env->scratch_buffer, AUTH_TRANSFER_TIMEOUT);
5095 if(!xfr->task_transfer->cp) {
5097 dname_str(xfr->name, zname);
5098 verbose(VERB_ALGO, "cannot create tcp cp connection for "
5099 "xfr %s to %s", zname, master->host);
5105 /** perform next lookup, next transfer TCP, or end and resume wait time task */
5107 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
5109 log_assert(xfr->task_transfer->worker == env->worker);
5111 /* are we performing lookups? */
5112 while(xfr->task_transfer->lookup_target) {
5113 if(xfr_transfer_lookup_host(xfr, env)) {
5114 /* wait for lookup to finish,
5115 * note that the hostname may be in unbound's cache
5116 * and we may then get an instant cache response,
5117 * and that calls the callback just like a full
5118 * lookup and lookup failures also call callback */
5119 lock_basic_unlock(&xfr->lock);
5122 xfr_transfer_move_to_next_lookup(xfr, env);
5125 /* initiate TCP and fetch the zone from the master */
5126 /* and set timeout on it */
5127 while(!xfr_transfer_end_of_list(xfr)) {
5128 xfr->task_transfer->master = xfr_transfer_current_master(xfr);
5129 if(xfr_transfer_init_fetch(xfr, env)) {
5130 /* successfully started, wait for callback */
5131 lock_basic_unlock(&xfr->lock);
5134 /* failed to fetch, next master */
5135 xfr_transfer_nextmaster(xfr);
5138 /* we failed to fetch the zone, move to wait task
5139 * use the shorter retry timeout */
5140 xfr_transfer_disown(xfr);
5142 /* pick up the nextprobe task and wait */
5143 if(xfr->task_nextprobe->worker == NULL)
5144 xfr_set_timeout(xfr, env, 1, 0);
5145 lock_basic_unlock(&xfr->lock);
5148 /** add addrs from A or AAAA rrset to the master */
5150 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
5154 struct packed_rrset_data* data;
5155 if(!m || !rrset) return;
5156 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA)
5158 data = (struct packed_rrset_data*)rrset->entry.data;
5159 for(i=0; i<data->count; i++) {
5160 struct auth_addr* a;
5161 size_t len = data->rr_len[i] - 2;
5162 uint8_t* rdata = data->rr_data[i]+2;
5163 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE)
5164 continue; /* wrong length for A */
5165 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE)
5166 continue; /* wrong length for AAAA */
5168 /* add and alloc it */
5169 a = (struct auth_addr*)calloc(1, sizeof(*a));
5171 log_err("out of memory");
5174 if(rrtype == LDNS_RR_TYPE_A) {
5175 struct sockaddr_in* sa;
5176 a->addrlen = (socklen_t)sizeof(*sa);
5177 sa = (struct sockaddr_in*)&a->addr;
5178 sa->sin_family = AF_INET;
5179 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5180 memmove(&sa->sin_addr, rdata, INET_SIZE);
5182 struct sockaddr_in6* sa;
5183 a->addrlen = (socklen_t)sizeof(*sa);
5184 sa = (struct sockaddr_in6*)&a->addr;
5185 sa->sin6_family = AF_INET6;
5186 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5187 memmove(&sa->sin6_addr, rdata, INET6_SIZE);
5189 if(verbosity >= VERB_ALGO) {
5191 addr_to_str(&a->addr, a->addrlen, s, sizeof(s));
5192 verbose(VERB_ALGO, "auth host %s lookup %s",
5195 /* append to list */
5201 /** callback for task_transfer lookup of host name, of A or AAAA */
5202 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
5203 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
5204 int ATTR_UNUSED(was_ratelimited))
5206 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5207 struct module_env* env;
5208 log_assert(xfr->task_transfer);
5209 lock_basic_lock(&xfr->lock);
5210 env = xfr->task_transfer->env;
5211 if(env->outnet->want_to_quit) {
5212 lock_basic_unlock(&xfr->lock);
5213 return; /* stop on quit */
5216 /* process result */
5217 if(rcode == LDNS_RCODE_NOERROR) {
5218 uint16_t wanted_qtype = LDNS_RR_TYPE_A;
5219 struct regional* temp = env->scratch;
5220 struct query_info rq;
5221 struct reply_info* rep;
5222 if(xfr->task_transfer->lookup_aaaa)
5223 wanted_qtype = LDNS_RR_TYPE_AAAA;
5224 memset(&rq, 0, sizeof(rq));
5225 rep = parse_reply_in_temp_region(buf, temp, &rq);
5226 if(rep && rq.qtype == wanted_qtype &&
5227 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
5228 /* parsed successfully */
5229 struct ub_packed_rrset_key* answer =
5230 reply_find_answer_rrset(&rq, rep);
5232 xfr_master_add_addrs(xfr->task_transfer->
5233 lookup_target, answer, wanted_qtype);
5237 if(xfr->task_transfer->lookup_target->list &&
5238 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr))
5239 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list;
5241 /* move to lookup AAAA after A lookup, move to next hostname lookup,
5242 * or move to fetch the zone, or, if nothing to do, end task_transfer */
5243 xfr_transfer_move_to_next_lookup(xfr, env);
5244 xfr_transfer_nexttarget_or_end(xfr, env);
5247 /** check if xfer (AXFR or IXFR) packet is OK.
5248 * return false if we lost connection (SERVFAIL, or unreadable).
5249 * return false if we need to move from IXFR to AXFR, with gonextonfail
5250 * set to false, so the same master is tried again, but with AXFR.
5251 * return true if fine to link into data.
5252 * return true with transferdone=true when the transfer has ended.
5255 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr,
5256 int* gonextonfail, int* transferdone)
5258 uint8_t* wire = sldns_buffer_begin(pkt);
5260 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
5261 verbose(VERB_ALGO, "xfr to %s failed, packet too small",
5262 xfr->task_transfer->master->host);
5265 if(!LDNS_QR_WIRE(wire)) {
5266 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag",
5267 xfr->task_transfer->master->host);
5270 if(LDNS_TC_WIRE(wire)) {
5271 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag",
5272 xfr->task_transfer->master->host);
5276 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) {
5277 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID",
5278 xfr->task_transfer->master->host);
5281 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) {
5283 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode,
5285 /* if we are doing IXFR, check for fallback */
5286 if(xfr->task_transfer->on_ixfr) {
5287 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL ||
5288 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL ||
5289 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED ||
5290 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) {
5291 verbose(VERB_ALGO, "xfr to %s, fallback "
5292 "from IXFR to AXFR (with rcode %s)",
5293 xfr->task_transfer->master->host,
5295 xfr->task_transfer->ixfr_fail = 1;
5300 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s",
5301 xfr->task_transfer->master->host, rcode);
5304 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) {
5305 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode",
5306 xfr->task_transfer->master->host);
5309 if(LDNS_QDCOUNT(wire) > 1) {
5310 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d",
5311 xfr->task_transfer->master->host,
5312 (int)LDNS_QDCOUNT(wire));
5317 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE);
5318 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) {
5319 size_t pos = sldns_buffer_position(pkt);
5320 uint16_t qtype, qclass;
5321 if(pkt_dname_len(pkt) == 0) {
5322 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5324 xfr->task_transfer->master->host);
5327 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5329 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5331 xfr->task_transfer->master->host);
5334 if(sldns_buffer_remaining(pkt) < 4) {
5335 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5336 "truncated query RR",
5337 xfr->task_transfer->master->host);
5340 qtype = sldns_buffer_read_u16(pkt);
5341 qclass = sldns_buffer_read_u16(pkt);
5342 if(qclass != xfr->dclass) {
5343 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5345 xfr->task_transfer->master->host);
5348 if(xfr->task_transfer->on_ixfr) {
5349 if(qtype != LDNS_RR_TYPE_IXFR) {
5350 verbose(VERB_ALGO, "xfr to %s failed, packet "
5351 "with wrong qtype, expected IXFR",
5352 xfr->task_transfer->master->host);
5356 if(qtype != LDNS_RR_TYPE_AXFR) {
5357 verbose(VERB_ALGO, "xfr to %s failed, packet "
5358 "with wrong qtype, expected AXFR",
5359 xfr->task_transfer->master->host);
5365 /* check parse of RRs in packet, store first SOA serial
5366 * to be able to detect last SOA (with that serial) to see if done */
5367 /* also check for IXFR 'zone up to date' reply */
5368 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) {
5369 size_t pos = sldns_buffer_position(pkt);
5371 if(pkt_dname_len(pkt) == 0) {
5372 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5373 "malformed dname in answer section",
5374 xfr->task_transfer->master->host);
5377 if(sldns_buffer_remaining(pkt) < 10) {
5378 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5380 xfr->task_transfer->master->host);
5383 tp = sldns_buffer_read_u16(pkt);
5384 (void)sldns_buffer_read_u16(pkt); /* class */
5385 (void)sldns_buffer_read_u32(pkt); /* ttl */
5386 rdlen = sldns_buffer_read_u16(pkt);
5387 if(sldns_buffer_remaining(pkt) < rdlen) {
5388 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5389 "truncated RR rdata",
5390 xfr->task_transfer->master->host);
5394 /* RR parses (haven't checked rdata itself), now look at
5395 * SOA records to see serial number */
5396 if(xfr->task_transfer->rr_scan_num == 0 &&
5397 tp != LDNS_RR_TYPE_SOA) {
5398 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5399 "malformed zone transfer, no start SOA",
5400 xfr->task_transfer->master->host);
5403 if(xfr->task_transfer->rr_scan_num == 1 &&
5404 tp != LDNS_RR_TYPE_SOA) {
5405 /* second RR is not a SOA record, this is not an IXFR
5406 * the master is replying with an AXFR */
5407 xfr->task_transfer->on_ixfr_is_axfr = 1;
5409 if(tp == LDNS_RR_TYPE_SOA) {
5412 verbose(VERB_ALGO, "xfr to %s failed, packet "
5413 "with SOA with malformed rdata",
5414 xfr->task_transfer->master->host);
5417 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5419 verbose(VERB_ALGO, "xfr to %s failed, packet "
5420 "with SOA with wrong dname",
5421 xfr->task_transfer->master->host);
5425 /* read serial number of SOA */
5426 serial = sldns_buffer_read_u32_at(pkt,
5427 sldns_buffer_position(pkt)+rdlen-20);
5429 /* check for IXFR 'zone has SOA x' reply */
5430 if(xfr->task_transfer->on_ixfr &&
5431 xfr->task_transfer->rr_scan_num == 0 &&
5432 LDNS_ANCOUNT(wire)==1) {
5433 verbose(VERB_ALGO, "xfr to %s ended, "
5434 "IXFR reply that zone has serial %u",
5435 xfr->task_transfer->master->host,
5440 /* if first SOA, store serial number */
5441 if(xfr->task_transfer->got_xfr_serial == 0) {
5442 xfr->task_transfer->got_xfr_serial = 1;
5443 xfr->task_transfer->incoming_xfr_serial =
5445 verbose(VERB_ALGO, "xfr %s: contains "
5447 xfr->task_transfer->master->host,
5449 /* see if end of AXFR */
5450 } else if(!xfr->task_transfer->on_ixfr ||
5451 xfr->task_transfer->on_ixfr_is_axfr) {
5452 /* second SOA with serial is the end
5455 verbose(VERB_ALGO, "xfr %s: last AXFR packet",
5456 xfr->task_transfer->master->host);
5457 /* for IXFR, count SOA records with that serial */
5458 } else if(xfr->task_transfer->incoming_xfr_serial ==
5459 serial && xfr->task_transfer->got_xfr_serial
5461 xfr->task_transfer->got_xfr_serial++;
5462 /* if not first soa, if serial==firstserial, the
5463 * third time we are at the end, for IXFR */
5464 } else if(xfr->task_transfer->incoming_xfr_serial ==
5465 serial && xfr->task_transfer->got_xfr_serial
5467 verbose(VERB_ALGO, "xfr %s: last IXFR packet",
5468 xfr->task_transfer->master->host);
5470 /* continue parse check, if that succeeds,
5471 * transfer is done */
5474 xfr->task_transfer->rr_scan_num++;
5476 /* skip over RR rdata to go to the next RR */
5477 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5480 /* check authority section */
5481 /* we skip over the RRs checking packet format */
5482 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) {
5484 if(pkt_dname_len(pkt) == 0) {
5485 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5486 "malformed dname in authority section",
5487 xfr->task_transfer->master->host);
5490 if(sldns_buffer_remaining(pkt) < 10) {
5491 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5493 xfr->task_transfer->master->host);
5496 (void)sldns_buffer_read_u16(pkt); /* type */
5497 (void)sldns_buffer_read_u16(pkt); /* class */
5498 (void)sldns_buffer_read_u32(pkt); /* ttl */
5499 rdlen = sldns_buffer_read_u16(pkt);
5500 if(sldns_buffer_remaining(pkt) < rdlen) {
5501 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5502 "truncated RR rdata",
5503 xfr->task_transfer->master->host);
5506 /* skip over RR rdata to go to the next RR */
5507 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5510 /* check additional section */
5511 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) {
5513 if(pkt_dname_len(pkt) == 0) {
5514 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5515 "malformed dname in additional section",
5516 xfr->task_transfer->master->host);
5519 if(sldns_buffer_remaining(pkt) < 10) {
5520 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5522 xfr->task_transfer->master->host);
5525 (void)sldns_buffer_read_u16(pkt); /* type */
5526 (void)sldns_buffer_read_u16(pkt); /* class */
5527 (void)sldns_buffer_read_u32(pkt); /* ttl */
5528 rdlen = sldns_buffer_read_u16(pkt);
5529 if(sldns_buffer_remaining(pkt) < rdlen) {
5530 verbose(VERB_ALGO, "xfr to %s failed, packet with "
5531 "truncated RR rdata",
5532 xfr->task_transfer->master->host);
5535 /* skip over RR rdata to go to the next RR */
5536 sldns_buffer_skip(pkt, (ssize_t)rdlen);
5542 /** Link the data from this packet into the worklist of transferred data */
5544 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr)
5547 struct auth_chunk* e;
5548 e = (struct auth_chunk*)calloc(1, sizeof(*e));
5551 e->len = sldns_buffer_limit(pkt);
5552 e->data = memdup(sldns_buffer_begin(pkt), e->len);
5558 /* alloc succeeded, link into list */
5559 if(!xfr->task_transfer->chunks_first)
5560 xfr->task_transfer->chunks_first = e;
5561 if(xfr->task_transfer->chunks_last)
5562 xfr->task_transfer->chunks_last->next = e;
5563 xfr->task_transfer->chunks_last = e;
5567 /** task transfer. the list of data is complete. process it and if failed
5568 * move to next master, if succeeded, end the task transfer */
5570 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env)
5573 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) {
5575 auth_chunks_delete(xfr->task_transfer);
5577 /* we fetched the zone, move to wait task */
5578 xfr_transfer_disown(xfr);
5580 if(xfr->notify_received && (!xfr->notify_has_serial ||
5581 (xfr->notify_has_serial &&
5582 xfr_serial_means_update(xfr, xfr->notify_serial)))) {
5583 uint32_t sr = xfr->notify_serial;
5584 int has_sr = xfr->notify_has_serial;
5585 /* we received a notify while probe/transfer was
5586 * in progress. start a new probe and transfer */
5587 xfr->notify_received = 0;
5588 xfr->notify_has_serial = 0;
5589 xfr->notify_serial = 0;
5590 if(!xfr_start_probe(xfr, env, NULL)) {
5591 /* if we couldn't start it, already in
5592 * progress; restore notify serial,
5593 * while xfr still locked */
5594 xfr->notify_received = 1;
5595 xfr->notify_has_serial = has_sr;
5596 xfr->notify_serial = sr;
5597 lock_basic_unlock(&xfr->lock);
5601 /* pick up the nextprobe task and wait (normail wait time) */
5602 if(xfr->task_nextprobe->worker == NULL)
5603 xfr_set_timeout(xfr, env, 0, 0);
5605 lock_basic_unlock(&xfr->lock);
5608 /* processing failed */
5609 /* when done, delete data from list */
5610 auth_chunks_delete(xfr->task_transfer);
5612 xfr->task_transfer->ixfr_fail = 1;
5614 xfr_transfer_nextmaster(xfr);
5616 xfr_transfer_nexttarget_or_end(xfr, env);
5619 /** callback for task_transfer tcp connections */
5621 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
5622 struct comm_reply* ATTR_UNUSED(repinfo))
5624 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5625 struct module_env* env;
5626 int gonextonfail = 1;
5627 int transferdone = 0;
5628 log_assert(xfr->task_transfer);
5629 lock_basic_lock(&xfr->lock);
5630 env = xfr->task_transfer->env;
5631 if(env->outnet->want_to_quit) {
5632 lock_basic_unlock(&xfr->lock);
5633 return 0; /* stop on quit */
5636 if(err != NETEVENT_NOERROR) {
5637 /* connection failed, closed, or timeout */
5638 /* stop this transfer, cleanup
5639 * and continue task_transfer*/
5640 verbose(VERB_ALGO, "xfr stopped, connection lost to %s",
5641 xfr->task_transfer->master->host);
5643 /* see if IXFR caused the failure, if so, try AXFR */
5644 if(xfr->task_transfer->on_ixfr) {
5645 xfr->task_transfer->ixfr_possible_timeout_count++;
5646 if(xfr->task_transfer->ixfr_possible_timeout_count >=
5647 NUM_TIMEOUTS_FALLBACK_IXFR) {
5648 verbose(VERB_ALGO, "xfr to %s, fallback "
5649 "from IXFR to AXFR (because of timeouts)",
5650 xfr->task_transfer->master->host);
5651 xfr->task_transfer->ixfr_fail = 1;
5657 /* delete transferred data from list */
5658 auth_chunks_delete(xfr->task_transfer);
5659 comm_point_delete(xfr->task_transfer->cp);
5660 xfr->task_transfer->cp = NULL;
5662 xfr_transfer_nextmaster(xfr);
5663 xfr_transfer_nexttarget_or_end(xfr, env);
5666 /* note that IXFR worked without timeout */
5667 if(xfr->task_transfer->on_ixfr)
5668 xfr->task_transfer->ixfr_possible_timeout_count = 0;
5670 /* handle returned packet */
5671 /* if it fails, cleanup and end this transfer */
5672 /* if it needs to fallback from IXFR to AXFR, do that */
5673 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) {
5676 /* if it is good, link it into the list of data */
5677 /* if the link into list of data fails (malloc fail) cleanup and end */
5678 if(!xfer_link_data(c->buffer, xfr)) {
5679 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed",
5680 xfr->task_transfer->master->host);
5683 /* if the transfer is done now, disconnect and process the list */
5685 comm_point_delete(xfr->task_transfer->cp);
5686 xfr->task_transfer->cp = NULL;
5687 process_list_end_transfer(xfr, env);
5691 /* if we want to read more messages, setup the commpoint to read
5692 * a DNS packet, and the timeout */
5693 lock_basic_unlock(&xfr->lock);
5694 c->tcp_is_reading = 1;
5695 sldns_buffer_clear(c->buffer);
5696 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
5700 /** callback for task_transfer http connections */
5702 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
5703 struct comm_reply* repinfo)
5705 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5706 struct module_env* env;
5707 log_assert(xfr->task_transfer);
5708 lock_basic_lock(&xfr->lock);
5709 env = xfr->task_transfer->env;
5710 if(env->outnet->want_to_quit) {
5711 lock_basic_unlock(&xfr->lock);
5712 return 0; /* stop on quit */
5714 verbose(VERB_ALGO, "auth zone transfer http callback");
5716 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) {
5717 /* connection failed, closed, or timeout */
5718 /* stop this transfer, cleanup
5719 * and continue task_transfer*/
5720 verbose(VERB_ALGO, "http stopped, connection lost to %s",
5721 xfr->task_transfer->master->host);
5723 /* delete transferred data from list */
5724 auth_chunks_delete(xfr->task_transfer);
5725 if(repinfo) repinfo->c = NULL; /* signal cp deleted to
5726 the routine calling this callback */
5727 comm_point_delete(xfr->task_transfer->cp);
5728 xfr->task_transfer->cp = NULL;
5729 xfr_transfer_nextmaster(xfr);
5730 xfr_transfer_nexttarget_or_end(xfr, env);
5734 /* if it is good, link it into the list of data */
5735 /* if the link into list of data fails (malloc fail) cleanup and end */
5736 if(sldns_buffer_limit(c->buffer) > 0) {
5737 verbose(VERB_ALGO, "auth zone http queued up %d bytes",
5738 (int)sldns_buffer_limit(c->buffer));
5739 if(!xfer_link_data(c->buffer, xfr)) {
5740 verbose(VERB_ALGO, "http stopped to %s, malloc failed",
5741 xfr->task_transfer->master->host);
5745 /* if the transfer is done now, disconnect and process the list */
5746 if(err == NETEVENT_DONE) {
5747 if(repinfo) repinfo->c = NULL; /* signal cp deleted to
5748 the routine calling this callback */
5749 comm_point_delete(xfr->task_transfer->cp);
5750 xfr->task_transfer->cp = NULL;
5751 process_list_end_transfer(xfr, env);
5755 /* if we want to read more messages, setup the commpoint to read
5756 * a DNS packet, and the timeout */
5757 lock_basic_unlock(&xfr->lock);
5758 c->tcp_is_reading = 1;
5759 sldns_buffer_clear(c->buffer);
5760 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
5765 /** start transfer task by this worker , xfr is locked. */
5767 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env,
5768 struct auth_master* master)
5770 log_assert(xfr->task_transfer != NULL);
5771 log_assert(xfr->task_transfer->worker == NULL);
5772 log_assert(xfr->task_transfer->chunks_first == NULL);
5773 log_assert(xfr->task_transfer->chunks_last == NULL);
5774 xfr->task_transfer->worker = env->worker;
5775 xfr->task_transfer->env = env;
5777 /* init transfer process */
5778 /* find that master in the transfer's list of masters? */
5779 xfr_transfer_start_list(xfr, master);
5780 /* start lookup for hostnames in transfer master list */
5781 xfr_transfer_start_lookups(xfr);
5783 /* initiate TCP, and set timeout on it */
5784 xfr_transfer_nexttarget_or_end(xfr, env);
5787 /** disown task_probe. caller must hold xfr.lock */
5789 xfr_probe_disown(struct auth_xfer* xfr)
5791 /* remove timer (from this worker's event base) */
5792 comm_timer_delete(xfr->task_probe->timer);
5793 xfr->task_probe->timer = NULL;
5794 /* remove the commpoint */
5795 comm_point_delete(xfr->task_probe->cp);
5796 xfr->task_probe->cp = NULL;
5797 /* we don't own this item anymore */
5798 xfr->task_probe->worker = NULL;
5799 xfr->task_probe->env = NULL;
5802 /** send the UDP probe to the master, this is part of task_probe */
5804 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
5807 struct sockaddr_storage addr;
5808 socklen_t addrlen = 0;
5811 struct auth_master* master = xfr_probe_current_master(xfr);
5812 if(!master) return 0;
5813 if(master->allow_notify) return 0; /* only for notify */
5814 if(master->http) return 0; /* only masters get SOA UDP probe,
5815 not urls, if those are in this list */
5817 /* get master addr */
5818 if(xfr->task_probe->scan_addr) {
5819 addrlen = xfr->task_probe->scan_addr->addrlen;
5820 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen);
5822 if(!extstrtoaddr(master->host, &addr, &addrlen)) {
5823 /* the ones that are not in addr format are supposed
5824 * to be looked up. The lookup has failed however,
5827 dname_str(xfr->name, zname);
5828 log_err("%s: failed lookup, cannot probe to master %s",
5829 zname, master->host);
5835 /* create new ID for new probes, but not on timeout retries,
5836 * this means we'll accept replies to previous retries to same ip */
5837 if(timeout == AUTH_PROBE_TIMEOUT)
5838 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
5839 xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
5840 xfr->task_probe->id);
5841 if(!xfr->task_probe->cp) {
5842 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet,
5843 auth_xfer_probe_udp_callback, xfr, &addr, addrlen);
5844 if(!xfr->task_probe->cp) {
5846 dname_str(xfr->name, zname);
5847 verbose(VERB_ALGO, "cannot create udp cp for "
5848 "probe %s to %s", zname, master->host);
5852 if(!xfr->task_probe->timer) {
5853 xfr->task_probe->timer = comm_timer_create(env->worker_base,
5854 auth_xfer_probe_timer_callback, xfr);
5855 if(!xfr->task_probe->timer) {
5856 log_err("malloc failure");
5861 /* send udp packet */
5862 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
5863 (struct sockaddr*)&addr, addrlen)) {
5865 dname_str(xfr->name, zname);
5866 verbose(VERB_ALGO, "failed to send soa probe for %s to %s",
5867 zname, master->host);
5870 xfr->task_probe->timeout = timeout;
5872 t.tv_sec = timeout/1000;
5873 t.tv_usec = (timeout%1000)*1000;
5875 comm_timer_set(xfr->task_probe->timer, &t);
5880 /** callback for task_probe timer */
5882 auth_xfer_probe_timer_callback(void* arg)
5884 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5885 struct module_env* env;
5886 log_assert(xfr->task_probe);
5887 lock_basic_lock(&xfr->lock);
5888 env = xfr->task_probe->env;
5889 if(env->outnet->want_to_quit) {
5890 lock_basic_unlock(&xfr->lock);
5891 return; /* stop on quit */
5894 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) {
5895 /* try again with bigger timeout */
5896 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) {
5897 lock_basic_unlock(&xfr->lock);
5901 /* delete commpoint so a new one is created, with a fresh port nr */
5902 comm_point_delete(xfr->task_probe->cp);
5903 xfr->task_probe->cp = NULL;
5905 /* too many timeouts (or fail to send), move to next or end */
5906 xfr_probe_nextmaster(xfr);
5907 xfr_probe_send_or_end(xfr, env);
5910 /** callback for task_probe udp packets */
5912 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
5913 struct comm_reply* repinfo)
5915 struct auth_xfer* xfr = (struct auth_xfer*)arg;
5916 struct module_env* env;
5917 log_assert(xfr->task_probe);
5918 lock_basic_lock(&xfr->lock);
5919 env = xfr->task_probe->env;
5920 if(env->outnet->want_to_quit) {
5921 lock_basic_unlock(&xfr->lock);
5922 return 0; /* stop on quit */
5925 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT
5926 * and we set rep.c=NULL to stop if from looking inside the commpoint*/
5928 /* stop the timer */
5929 comm_timer_disable(xfr->task_probe->timer);
5931 /* see if we got a packet and what that means */
5932 if(err == NETEVENT_NOERROR) {
5933 uint32_t serial = 0;
5934 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr,
5936 /* successful lookup */
5937 if(verbosity >= VERB_ALGO) {
5939 dname_str(xfr->name, buf);
5940 verbose(VERB_ALGO, "auth zone %s: soa probe "
5941 "serial is %u", buf, (unsigned)serial);
5943 /* see if this serial indicates that the zone has
5945 if(xfr_serial_means_update(xfr, serial)) {
5946 /* if updated, start the transfer task, if needed */
5947 verbose(VERB_ALGO, "auth_zone updated, start transfer");
5948 if(xfr->task_transfer->worker == NULL) {
5949 struct auth_master* master =
5950 xfr_probe_current_master(xfr);
5951 /* if we have download URLs use them
5952 * in preference to this master we
5953 * just probed the SOA from */
5954 if(xfr->task_transfer->masters &&
5955 xfr->task_transfer->masters->http)
5957 xfr_probe_disown(xfr);
5958 xfr_start_transfer(xfr, env, master);
5962 /* other tasks are running, we don't do this anymore */
5963 xfr_probe_disown(xfr);
5964 lock_basic_unlock(&xfr->lock);
5965 /* return, we don't sent a reply to this udp packet,
5966 * and we setup the tasks to do next */
5969 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial");
5970 /* we if cannot find updates amongst the
5971 * masters, this means we then have a new lease
5973 xfr->task_probe->have_new_lease = 1;
5976 if(verbosity >= VERB_ALGO) {
5978 dname_str(xfr->name, buf);
5979 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf);
5983 if(verbosity >= VERB_ALGO) {
5985 dname_str(xfr->name, buf);
5986 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf);
5990 /* failed lookup or not an update */
5991 /* delete commpoint so a new one is created, with a fresh port nr */
5992 comm_point_delete(xfr->task_probe->cp);
5993 xfr->task_probe->cp = NULL;
5995 /* if the result was not a successfull probe, we need
5996 * to send the next one */
5997 xfr_probe_nextmaster(xfr);
5998 xfr_probe_send_or_end(xfr, env);
6002 /** lookup a host name for its addresses, if needed */
6004 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
6006 struct sockaddr_storage addr;
6007 socklen_t addrlen = 0;
6008 struct auth_master* master = xfr->task_probe->lookup_target;
6009 struct query_info qinfo;
6010 uint16_t qflags = BIT_RD;
6011 uint8_t dname[LDNS_MAX_DOMAINLEN+1];
6012 struct edns_data edns;
6013 sldns_buffer* buf = env->scratch_buffer;
6014 if(!master) return 0;
6015 if(extstrtoaddr(master->host, &addr, &addrlen)) {
6016 /* not needed, host is in IP addr format */
6019 if(master->allow_notify && !master->http &&
6020 strchr(master->host, '/') != NULL &&
6021 strchr(master->host, '/') == strrchr(master->host, '/')) {
6022 return 0; /* is IP/prefix format, not something to look up */
6025 /* use mesh_new_callback to probe for non-addr hosts,
6026 * and then wait for them to be looked up (in cache, or query) */
6027 qinfo.qname_len = sizeof(dname);
6028 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
6030 log_err("cannot parse host name of master %s", master->host);
6033 qinfo.qname = dname;
6034 qinfo.qclass = xfr->dclass;
6035 qinfo.qtype = LDNS_RR_TYPE_A;
6036 if(xfr->task_probe->lookup_aaaa)
6037 qinfo.qtype = LDNS_RR_TYPE_AAAA;
6038 qinfo.local_alias = NULL;
6039 if(verbosity >= VERB_ALGO) {
6041 char buf2[LDNS_MAX_DOMAINLEN+1];
6042 dname_str(xfr->name, buf2);
6043 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
6044 " for task_probe", buf2);
6045 log_query_info(VERB_ALGO, buf1, &qinfo);
6047 edns.edns_present = 1;
6049 edns.edns_version = 0;
6050 edns.bits = EDNS_DO;
6051 edns.opt_list = NULL;
6052 if(sldns_buffer_capacity(buf) < 65535)
6053 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
6054 else edns.udp_size = 65535;
6056 /* unlock xfr during mesh_new_callback() because the callback can be
6057 * called straight away */
6058 lock_basic_unlock(&xfr->lock);
6059 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
6060 &auth_xfer_probe_lookup_callback, xfr)) {
6061 lock_basic_lock(&xfr->lock);
6062 log_err("out of memory lookup up master %s", master->host);
6065 lock_basic_lock(&xfr->lock);
6069 /** move to sending the probe packets, next if fails. task_probe */
6071 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
6073 /* are we doing hostname lookups? */
6074 while(xfr->task_probe->lookup_target) {
6075 if(xfr_probe_lookup_host(xfr, env)) {
6076 /* wait for lookup to finish,
6077 * note that the hostname may be in unbound's cache
6078 * and we may then get an instant cache response,
6079 * and that calls the callback just like a full
6080 * lookup and lookup failures also call callback */
6081 lock_basic_unlock(&xfr->lock);
6084 xfr_probe_move_to_next_lookup(xfr, env);
6086 /* probe of list has ended. Create or refresh the list of of
6087 * allow_notify addrs */
6088 probe_copy_masters_for_allow_notify(xfr);
6089 if(xfr->task_probe->only_lookup) {
6090 /* only wanted lookups for copy, stop probe and start wait */
6091 xfr->task_probe->only_lookup = 0;
6092 xfr_probe_disown(xfr);
6093 if(xfr->task_nextprobe->worker == NULL)
6094 xfr_set_timeout(xfr, env, 0, 0);
6095 lock_basic_unlock(&xfr->lock);
6099 /* send probe packets */
6100 while(!xfr_probe_end_of_list(xfr)) {
6101 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) {
6102 /* successfully sent probe, wait for callback */
6103 lock_basic_unlock(&xfr->lock);
6106 /* failed to send probe, next master */
6107 xfr_probe_nextmaster(xfr);
6110 /* done with probe sequence, wait */
6111 if(xfr->task_probe->have_new_lease) {
6112 /* if zone not updated, start the wait timer again */
6113 verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait");
6114 xfr_probe_disown(xfr);
6116 xfr->lease_time = *env->now;
6117 if(xfr->task_nextprobe->worker == NULL)
6118 xfr_set_timeout(xfr, env, 0, 0);
6120 /* we failed to send this as well, move to the wait task,
6121 * use the shorter retry timeout */
6122 xfr_probe_disown(xfr);
6123 /* pick up the nextprobe task and wait */
6124 if(xfr->task_nextprobe->worker == NULL)
6125 xfr_set_timeout(xfr, env, 1, 0);
6128 lock_basic_unlock(&xfr->lock);
6131 /** callback for task_probe lookup of host name, of A or AAAA */
6132 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
6133 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
6134 int ATTR_UNUSED(was_ratelimited))
6136 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6137 struct module_env* env;
6138 log_assert(xfr->task_probe);
6139 lock_basic_lock(&xfr->lock);
6140 env = xfr->task_probe->env;
6141 if(env->outnet->want_to_quit) {
6142 lock_basic_unlock(&xfr->lock);
6143 return; /* stop on quit */
6146 /* process result */
6147 if(rcode == LDNS_RCODE_NOERROR) {
6148 uint16_t wanted_qtype = LDNS_RR_TYPE_A;
6149 struct regional* temp = env->scratch;
6150 struct query_info rq;
6151 struct reply_info* rep;
6152 if(xfr->task_probe->lookup_aaaa)
6153 wanted_qtype = LDNS_RR_TYPE_AAAA;
6154 memset(&rq, 0, sizeof(rq));
6155 rep = parse_reply_in_temp_region(buf, temp, &rq);
6156 if(rep && rq.qtype == wanted_qtype &&
6157 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
6158 /* parsed successfully */
6159 struct ub_packed_rrset_key* answer =
6160 reply_find_answer_rrset(&rq, rep);
6162 xfr_master_add_addrs(xfr->task_probe->
6163 lookup_target, answer, wanted_qtype);
6167 if(xfr->task_probe->lookup_target->list &&
6168 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr))
6169 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list;
6171 /* move to lookup AAAA after A lookup, move to next hostname lookup,
6172 * or move to send the probes, or, if nothing to do, end task_probe */
6173 xfr_probe_move_to_next_lookup(xfr, env);
6174 xfr_probe_send_or_end(xfr, env);
6177 /** disown task_nextprobe. caller must hold xfr.lock */
6179 xfr_nextprobe_disown(struct auth_xfer* xfr)
6181 /* delete the timer, because the next worker to pick this up may
6182 * not have the same event base */
6183 comm_timer_delete(xfr->task_nextprobe->timer);
6184 xfr->task_nextprobe->timer = NULL;
6185 xfr->task_nextprobe->next_probe = 0;
6186 /* we don't own this item anymore */
6187 xfr->task_nextprobe->worker = NULL;
6188 xfr->task_nextprobe->env = NULL;
6191 /** xfer nextprobe timeout callback, this is part of task_nextprobe */
6193 auth_xfer_timer(void* arg)
6195 struct auth_xfer* xfr = (struct auth_xfer*)arg;
6196 struct module_env* env;
6197 log_assert(xfr->task_nextprobe);
6198 lock_basic_lock(&xfr->lock);
6199 env = xfr->task_nextprobe->env;
6200 if(env->outnet->want_to_quit) {
6201 lock_basic_unlock(&xfr->lock);
6202 return; /* stop on quit */
6205 /* see if zone has expired, and if so, also set auth_zone expired */
6206 if(xfr->have_zone && !xfr->zone_expired &&
6207 *env->now >= xfr->lease_time + xfr->expiry) {
6208 lock_basic_unlock(&xfr->lock);
6209 auth_xfer_set_expired(xfr, env, 1);
6210 lock_basic_lock(&xfr->lock);
6213 xfr_nextprobe_disown(xfr);
6215 if(!xfr_start_probe(xfr, env, NULL)) {
6216 /* not started because already in progress */
6217 lock_basic_unlock(&xfr->lock);
6221 /** return true if there are probe (SOA UDP query) targets in the master list*/
6223 have_probe_targets(struct auth_master* list)
6225 struct auth_master* p;
6226 for(p=list; p; p = p->next) {
6227 if(!p->allow_notify && p->host)
6233 /** start task_probe if possible, if no masters for probe start task_transfer
6234 * returns true if task has been started, and false if the task is already
6237 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
6238 struct auth_master* spec)
6240 /* see if we need to start a probe (or maybe it is already in
6241 * progress (due to notify)) */
6242 if(xfr->task_probe->worker == NULL) {
6243 if(!have_probe_targets(xfr->task_probe->masters) &&
6244 !(xfr->task_probe->only_lookup &&
6245 xfr->task_probe->masters != NULL)) {
6246 /* useless to pick up task_probe, no masters to
6247 * probe. Instead attempt to pick up task transfer */
6248 if(xfr->task_transfer->worker == NULL) {
6249 xfr_start_transfer(xfr, env, spec);
6252 /* task transfer already in progress */
6256 /* pick up the probe task ourselves */
6257 xfr->task_probe->worker = env->worker;
6258 xfr->task_probe->env = env;
6259 xfr->task_probe->cp = NULL;
6261 /* start the task */
6262 /* have not seen a new lease yet, this scan */
6263 xfr->task_probe->have_new_lease = 0;
6264 /* if this was a timeout, no specific first master to scan */
6265 /* otherwise, spec is nonNULL the notified master, scan
6266 * first and also transfer first from it */
6267 xfr_probe_start_list(xfr, spec);
6268 /* setup to start the lookup of hostnames of masters afresh */
6269 xfr_probe_start_lookups(xfr);
6270 /* send the probe packet or next send, or end task */
6271 xfr_probe_send_or_end(xfr, env);
6277 /** for task_nextprobe.
6278 * determine next timeout for auth_xfer. Also (re)sets timer.
6279 * @param xfr: task structure
6280 * @param env: module environment, with worker and time.
6281 * @param failure: set true if timer should be set for failure retry.
6282 * @param lookup_only: only perform lookups when timer done, 0 sec timeout
6285 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
6286 int failure, int lookup_only)
6289 log_assert(xfr->task_nextprobe != NULL);
6290 log_assert(xfr->task_nextprobe->worker == NULL ||
6291 xfr->task_nextprobe->worker == env->worker);
6292 /* normally, nextprobe = startoflease + refresh,
6293 * but if expiry is sooner, use that one.
6294 * after a failure, use the retry timer instead. */
6295 xfr->task_nextprobe->next_probe = *env->now;
6296 if(xfr->lease_time && !failure)
6297 xfr->task_nextprobe->next_probe = xfr->lease_time;
6300 xfr->task_nextprobe->backoff = 0;
6302 if(xfr->task_nextprobe->backoff == 0)
6303 xfr->task_nextprobe->backoff = 3;
6304 else xfr->task_nextprobe->backoff *= 2;
6305 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF)
6306 xfr->task_nextprobe->backoff =
6307 AUTH_TRANSFER_MAX_BACKOFF;
6310 if(xfr->have_zone) {
6311 time_t wait = xfr->refresh;
6312 if(failure) wait = xfr->retry;
6313 if(xfr->expiry < wait)
6314 xfr->task_nextprobe->next_probe += xfr->expiry;
6315 else xfr->task_nextprobe->next_probe += wait;
6317 xfr->task_nextprobe->next_probe +=
6318 xfr->task_nextprobe->backoff;
6319 /* put the timer exactly on expiry, if possible */
6320 if(xfr->lease_time && xfr->lease_time+xfr->expiry <
6321 xfr->task_nextprobe->next_probe &&
6322 xfr->lease_time+xfr->expiry > *env->now)
6323 xfr->task_nextprobe->next_probe =
6324 xfr->lease_time+xfr->expiry;
6326 xfr->task_nextprobe->next_probe +=
6327 xfr->task_nextprobe->backoff;
6330 if(!xfr->task_nextprobe->timer) {
6331 xfr->task_nextprobe->timer = comm_timer_create(
6332 env->worker_base, auth_xfer_timer, xfr);
6333 if(!xfr->task_nextprobe->timer) {
6334 /* failed to malloc memory. likely zone transfer
6335 * also fails for that. skip the timeout */
6337 dname_str(xfr->name, zname);
6338 log_err("cannot allocate timer, no refresh for %s",
6343 xfr->task_nextprobe->worker = env->worker;
6344 xfr->task_nextprobe->env = env;
6345 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe)
6346 tv.tv_sec = xfr->task_nextprobe->next_probe -
6347 *(xfr->task_nextprobe->env->now);
6349 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) {
6350 /* don't lookup_only, if lookup timeout is 0 anyway,
6351 * or if we don't have masters to lookup */
6353 if(xfr->task_probe && xfr->task_probe->worker == NULL)
6354 xfr->task_probe->only_lookup = 1;
6356 if(verbosity >= VERB_ALGO) {
6358 dname_str(xfr->name, zname);
6359 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds",
6360 zname, (int)tv.tv_sec);
6363 comm_timer_set(xfr->task_nextprobe->timer, &tv);
6366 /** initial pick up of worker timeouts, ties events to worker event loop */
6368 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env)
6370 struct auth_xfer* x;
6371 lock_rw_wrlock(&az->lock);
6372 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
6373 lock_basic_lock(&x->lock);
6374 /* set lease_time, because we now have timestamp in env,
6375 * (not earlier during startup and apply_cfg), and this
6376 * notes the start time when the data was acquired */
6378 x->lease_time = *env->now;
6379 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) {
6380 xfr_set_timeout(x, env, 0, 1);
6382 lock_basic_unlock(&x->lock);
6384 lock_rw_unlock(&az->lock);
6387 void auth_zones_cleanup(struct auth_zones* az)
6389 struct auth_xfer* x;
6390 lock_rw_wrlock(&az->lock);
6391 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
6392 lock_basic_lock(&x->lock);
6393 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) {
6394 xfr_nextprobe_disown(x);
6396 if(x->task_probe && x->task_probe->worker != NULL) {
6397 xfr_probe_disown(x);
6399 if(x->task_transfer && x->task_transfer->worker != NULL) {
6400 auth_chunks_delete(x->task_transfer);
6401 xfr_transfer_disown(x);
6403 lock_basic_unlock(&x->lock);
6405 lock_rw_unlock(&az->lock);
6409 * malloc the xfer and tasks
6410 * @param z: auth_zone with name of zone.
6412 static struct auth_xfer*
6413 auth_xfer_new(struct auth_zone* z)
6415 struct auth_xfer* xfr;
6416 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr));
6417 if(!xfr) return NULL;
6418 xfr->name = memdup(z->name, z->namelen);
6423 xfr->node.key = xfr;
6424 xfr->namelen = z->namelen;
6425 xfr->namelabs = z->namelabs;
6426 xfr->dclass = z->dclass;
6428 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1,
6429 sizeof(struct auth_nextprobe));
6430 if(!xfr->task_nextprobe) {
6435 xfr->task_probe = (struct auth_probe*)calloc(1,
6436 sizeof(struct auth_probe));
6437 if(!xfr->task_probe) {
6438 free(xfr->task_nextprobe);
6443 xfr->task_transfer = (struct auth_transfer*)calloc(1,
6444 sizeof(struct auth_transfer));
6445 if(!xfr->task_transfer) {
6446 free(xfr->task_probe);
6447 free(xfr->task_nextprobe);
6453 lock_basic_init(&xfr->lock);
6454 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name));
6455 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen));
6456 lock_protect(&xfr->lock, xfr->name, xfr->namelen);
6457 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs));
6458 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass));
6459 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received));
6460 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial));
6461 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired));
6462 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone));
6463 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial));
6464 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry));
6465 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh));
6466 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry));
6467 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time));
6468 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker,
6469 sizeof(xfr->task_nextprobe->worker));
6470 lock_protect(&xfr->lock, &xfr->task_probe->worker,
6471 sizeof(xfr->task_probe->worker));
6472 lock_protect(&xfr->lock, &xfr->task_transfer->worker,
6473 sizeof(xfr->task_transfer->worker));
6474 lock_basic_lock(&xfr->lock);
6478 /** Create auth_xfer structure.
6479 * This populates the have_zone, soa values, and so on times.
6480 * and sets the timeout, if a zone transfer is needed a short timeout is set.
6481 * For that the auth_zone itself must exist (and read in zonefile)
6482 * returns false on alloc failure. */
6484 auth_xfer_create(struct auth_zones* az, struct auth_zone* z)
6486 struct auth_xfer* xfr;
6489 xfr = auth_xfer_new(z);
6491 log_err("malloc failure");
6494 /* insert in tree */
6495 (void)rbtree_insert(&az->xtree, &xfr->node);
6499 /** create new auth_master structure */
6500 static struct auth_master*
6501 auth_master_new(struct auth_master*** list)
6503 struct auth_master *m;
6504 m = (struct auth_master*)calloc(1, sizeof(*m));
6506 log_err("malloc failure");
6509 /* set first pointer to m, or next pointer of previous element to m */
6511 /* store m's next pointer as future point to store at */
6512 (*list) = &(m->next);
6516 /** dup_prefix : create string from initial part of other string, malloced */
6518 dup_prefix(char* str, size_t num)
6521 size_t len = strlen(str);
6522 if(len < num) num = len; /* not more than strlen */
6523 result = (char*)malloc(num+1);
6525 log_err("malloc failure");
6528 memmove(result, str, num);
6533 /** dup string and print error on error */
6537 char* result = strdup(str);
6539 log_err("malloc failure");
6545 /** find first of two characters */
6547 str_find_first_of_chars(char* s, char a, char b)
6549 char* ra = strchr(s, a);
6550 char* rb = strchr(s, b);
6553 if(ra < rb) return ra;
6557 /** parse URL into host and file parts, false on malloc or parse error */
6559 parse_url(char* url, char** host, char** file, int* port, int* ssl)
6562 /* parse http://www.example.com/file.htm
6563 * or http://127.0.0.1 (index.html)
6564 * or https://[::1@1234]/a/b/c/d */
6566 *port = AUTH_HTTPS_PORT;
6568 /* parse http:// or https:// */
6569 if(strncmp(p, "http://", 7) == 0) {
6572 *port = AUTH_HTTP_PORT;
6573 } else if(strncmp(p, "https://", 8) == 0) {
6575 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") &&
6576 strchr(p, ':') >= strstr(p, "://")) {
6577 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p));
6578 log_err("protocol %s:// not supported (for url %s)",
6584 /* parse hostname part */
6586 char* end = strchr(p, ']');
6587 p++; /* skip over [ */
6589 *host = dup_prefix(p, (size_t)(end-p));
6590 if(!*host) return 0;
6591 p = end+1; /* skip over ] */
6594 if(!*host) return 0;
6598 char* end = str_find_first_of_chars(p, ':', '/');
6600 *host = dup_prefix(p, (size_t)(end-p));
6601 if(!*host) return 0;
6604 if(!*host) return 0;
6606 p = end; /* at next : or / or NULL */
6609 /* parse port number */
6610 if(p && p[0] == ':') {
6612 *port = strtol(p+1, &end, 10);
6616 /* parse filename part */
6617 while(p && *p == '/')
6620 *file = strdup("index.html");
6621 else *file = strdup(p);
6623 log_err("malloc failure");
6630 xfer_set_masters(struct auth_master** list, struct config_auth* c,
6633 struct auth_master* m;
6634 struct config_strlist* p;
6635 /* list points to the first, or next pointer for the new element */
6637 list = &( (*list)->next );
6640 for(p = c->urls; p; p = p->next) {
6641 m = auth_master_new(&list);
6643 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
6646 for(p = c->masters; p; p = p->next) {
6647 m = auth_master_new(&list);
6648 m->ixfr = 1; /* this flag is not configurable */
6649 m->host = strdup(p->str);
6651 log_err("malloc failure");
6655 for(p = c->allow_notify; p; p = p->next) {
6656 m = auth_master_new(&list);
6657 m->allow_notify = 1;
6658 m->host = strdup(p->str);
6660 log_err("malloc failure");
6667 #define SERIAL_BITS 32
6669 compare_serial(uint32_t a, uint32_t b)
6671 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1));
6675 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) {