1 /*
2  * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14  * PERFORMANCE OF THIS SOFTWARE.
15  */
16
17 /* $Id: rpz.h,v 1.3 2011-01-13 04:59:26 tbox Exp $ */
18
19 #ifndef DNS_RPZ_H
20 #define DNS_RPZ_H 1
21
22 #include <isc/lang.h>
23
24 #include <dns/fixedname.h>
25 #include <dns/rdata.h>
26 #include <dns/types.h>
27
28 ISC_LANG_BEGINDECLS
29
/*
 * First labels of the special sub-zones that live inside a response
 * policy zone, e.g. <label>.<policy zone origin> (compare the nsdname
 * member of struct dns_rpz_zone below).  These are the wire/zone-file
 * spellings; keep them in sync with the dns_rpz_type_t values of the
 * same name.
 */
#define DNS_RPZ_IP_ZONE         "rpz-ip"
#define DNS_RPZ_NSIP_ZONE       "rpz-nsip"
#define DNS_RPZ_NSDNAME_ZONE    "rpz-nsdname"

/*
 * Length of a CIDR prefix in bits.  8 bits is enough for the longest
 * prefix this code deals with (IPv6 is handled, see DNS_RPZ_HAVE_NSIPv6),
 * which is at most 128.
 */
typedef isc_uint8_t             dns_rpz_cidr_bits_t;
35
/*
 * Kind of response policy trigger a lookup or a policy zone entry refers
 * to.  DNS_RPZ_TYPE_BAD is deliberately the zero value so that an
 * uninitialised or invalid type is never mistaken for a real trigger.
 * Values are spelled out so the numbering is explicit and stable.
 */
typedef enum {
        DNS_RPZ_TYPE_BAD = 0,           /* invalid / unset */
        DNS_RPZ_TYPE_QNAME = 1,         /* trigger on the query name
                                           (cf. DNS_RPZ_DONE_QNAME) */
        DNS_RPZ_TYPE_IP = 2,            /* cf. DNS_RPZ_IP_ZONE */
        DNS_RPZ_TYPE_NSIP = 3,          /* cf. DNS_RPZ_NSIP_ZONE */
        DNS_RPZ_TYPE_NSDNAME = 4        /* cf. DNS_RPZ_NSDNAME_ZONE */
} dns_rpz_type_t;
43
/*
 * Policy actions a response policy zone can apply.
 *
 * The numeric order is part of the contract: callers compare policies,
 * and DNS_RPZ_POLICY_NO_OP < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME must hold.  Every value
 * is therefore written out explicitly; do not reorder.
 */
typedef enum {
        DNS_RPZ_POLICY_GIVEN = 0,       /* 'given': what something else says */
        DNS_RPZ_POLICY_NO_OP = 1,       /* 'no-op': do not rewrite */
        DNS_RPZ_POLICY_NXDOMAIN = 2,    /* 'nxdomain': answer with NXDOMAIN */
        DNS_RPZ_POLICY_NODATA = 3,      /* 'nodata': answer with ANCOUNT=0 */
        DNS_RPZ_POLICY_CNAME = 4,       /* 'cname x': answer with x's rrsets */
        DNS_RPZ_POLICY_RECORD = 5,      /* no configuration keyword here;
                                           meaning fixed by the implementation */
        DNS_RPZ_POLICY_MISS = 6,        /* internal result, not a keyword */
        DNS_RPZ_POLICY_ERROR = 7        /* internal result, not a keyword */
} dns_rpz_policy_t;
58
/*
 * Specify a response policy zone.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

/*
 * One configured response policy zone.  Instances are chained through
 * the ISC_LINK member; the list head and the lifetime of the names held
 * here are managed by the owning code, not visible in this header.
 */
struct dns_rpz_zone {
        ISC_LINK(dns_rpz_zone_t) link;
        int                      num;    /* presumably the zone's ordinal
                                            among the configured policy
                                            zones -- confirm against the
                                            code that builds the list */
        dns_name_t               origin;  /* Policy zone name */
        dns_name_t               nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
        dns_rpz_policy_t         policy;  /* DNS_RPZ_POLICY_GIVEN, or a
                                             policy that overrides what the
                                             zone's own records say */
        dns_name_t               cname;   /* override name for
                                             DNS_RPZ_POLICY_CNAME */
};
73
/*
 * Radix trees for response policy IP addresses.  The struct is opaque to
 * users of this header; it is created with dns_rpz_new_cidr() and
 * released with dns_rpz_cidr_free().
 */
typedef struct dns_rpz_cidr     dns_rpz_cidr_t;
78
/*
 * Context for finding the best policy for one query.  Carried across the
 * recursion that may be needed for NSIP and NSDNAME triggers, so it holds
 * both the search state and enough of the original query to resume it.
 */
typedef struct {
        unsigned int            state;
        /*
         * Bits of 'state'.  Note: these are preprocessor macros and so
         * are file scope despite being written inside the struct body;
         * the indentation is cosmetic.  Their exact meaning is defined by
         * the code that sets them; the names suggest "answer already
         * rewritten", "qname trigger checked", "A lookup done",
         * "currently recursing", and which address/name data is at hand.
         */
# define DNS_RPZ_REWRITTEN      0x0001
# define DNS_RPZ_DONE_QNAME     0x0002
# define DNS_RPZ_DONE_A         0x0004
# define DNS_RPZ_RECURSING      0x0008
# define DNS_RPZ_HAVE_IP        0x0010
# define DNS_RPZ_HAVE_NSIPv4    0x0020
# define DNS_RPZ_HAVE_NSIPv6    0x0040
# define DNS_RPZ_HAD_NSDNAME    0x0080
        /*
         * Best match so far: the trigger type, the policy zone it came
         * from, the matched prefix length, the policy to apply and the
         * database objects the answer will be built from.  The pointer
         * members are references into other subsystems; ownership and
         * release rules are not visible here.
         */
        struct {
                dns_rpz_type_t          type;
                dns_rpz_zone_t          *rpz;
                dns_rpz_cidr_bits_t     prefix;
                dns_rpz_policy_t        policy;
                dns_ttl_t               ttl;
                isc_result_t            result;
                dns_zone_t              *zone;
                dns_db_t                *db;
                dns_dbnode_t            *node;
                dns_rdataset_t          *rdataset;
        } m;
        /*
         * State for chasing NS names and addresses, including recursion.
         * 'label' is presumably the position in the name being walked;
         * the r_* members hold the type and outcome of the pending
         * recursive lookup -- confirm in the implementation.
         */
        struct {
                unsigned int            label;
                dns_db_t                *db;
                dns_rdataset_t          *ns_rdataset;
                dns_rdatatype_t         r_type;
                isc_result_t            r_result;
                dns_rdataset_t          *r_rdataset;
        } ns;
        /*
         * State of the real query, saved while recursing for NSIP or
         * NSDNAME so that it can be restored afterwards.
         */
        struct {
                isc_result_t            result;
                isc_boolean_t           is_zone;
                isc_boolean_t           authoritative;
                dns_zone_t              *zone;
                dns_db_t                *db;
                dns_dbnode_t            *node;
                dns_rdataset_t          *rdataset;
                dns_rdataset_t          *sigrdataset;
                dns_rdatatype_t         qtype;
        } q;
        /*
         * Name pointers and the fixed-size storage behind them.  Each
         * pointer appears intended to refer to the dns_fixedname_t of the
         * matching name (qname -> _qnamef, etc.); the initialisation that
         * sets that up is not in this header.
         */
        dns_name_t              *qname;
        dns_name_t              *r_name;
        dns_name_t              *fname;
        dns_fixedname_t         _qnamef;
        dns_fixedname_t         _r_namef;
        dns_fixedname_t         _fnamef;
} dns_rpz_st_t;
139
/*
 * Default TTL for rewritten answers when nothing else supplies one.
 * Units are presumably seconds, as for any dns_ttl_t; confirm where it
 * is applied.
 */
#define DNS_RPZ_TTL_DEFAULT             5

/*
 * So various response policy zone messages can be turned up or down.
 * These expand to ISC_LOG_* symbols, but this header does not include
 * <isc/log.h> itself; a file that uses them must include it.
 */
#define DNS_RPZ_ERROR_LEVEL     ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL      ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1    ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2    ISC_LOG_DEBUG(2)
149
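/*
 * Return a printable name for a dns_rpz_type_t, for logging.  The
 * storage of the returned string is owned by the implementation; callers
 * must not free it.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword (the quoted words listed at dns_rpz_policy_t,
 * e.g. 'no-op', 'nxdomain') into a dns_rpz_policy_t.  What is returned
 * for an unrecognised string is decided by the implementation; do not
 * assume it is a usable policy without checking.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Record/query whether response policy zones are in use at all.  These
 * appear to read and write a process-wide flag; the implementation
 * defines any locking.
 */
void
dns_rpz_set_need(isc_boolean_t need);

isc_boolean_t
dns_rpz_needed(void);

/*
 * Release a CIDR tree.  Takes a pointer-to-pointer, which suggests *cidr
 * is cleared on return -- confirm before relying on it.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Tear down response policy state attached to a view.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Create a CIDR tree for the policy zone 'origin', allocating from mctx.
 * On success the new tree is returned through *rbtdb_cidr; the result
 * code reports failure.
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
                 dns_rpz_cidr_t **rbtdb_cidr);

/*
 * Note in 'st' which triggers the CIDR tree 'cidr' can satisfy; the
 * exact bits set are up to the implementation.
 */
void
dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);

/*
 * Remove or add the address encoded in 'name' (an rpz-ip style owner
 * name; encoding details are in the implementation) to the CIDR tree.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Look up 'netaddr' in the CIDR tree for trigger 'type'.  canon_name,
 * search_name and *prefix are outputs describing the matching entry;
 * the result code says whether anything matched.
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
                  dns_rpz_type_t type, dns_name_t *canon_name,
                  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);

/*
 * Map a policy zone CNAME rdataset onto a dns_rpz_policy_t.  'selfname'
 * is the owner name the CNAME is compared against.  The first parameter
 * was unnamed in the prototype; naming it costs nothing and helps
 * callers.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rdataset_t *rdataset, dns_name_t *selfname);

/*
 * NOTE(review): ISC_LANG_BEGINDECLS at the top of this header has no
 * matching ISC_LANG_ENDDECLS before the closing #endif.  That is
 * harmless for C, where the macros are empty, but leaves the extern "C"
 * block unbalanced for any C++ translation unit that includes this file.
 */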
187
188 #endif /* DNS_RPZ_H */
189