2 * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: update.c,v 1.151.12.5.12.1 2009/07/28 14:18:08 marka Exp $ */
22 #include <isc/netaddr.h>
23 #include <isc/print.h>
24 #include <isc/serial.h>
25 #include <isc/stats.h>
26 #include <isc/string.h>
27 #include <isc/taskpool.h>
31 #include <dns/dbiterator.h>
33 #include <dns/dnssec.h>
34 #include <dns/events.h>
35 #include <dns/fixedname.h>
36 #include <dns/journal.h>
37 #include <dns/keyvalues.h>
38 #include <dns/message.h>
40 #include <dns/nsec3.h>
41 #include <dns/rdataclass.h>
42 #include <dns/rdataset.h>
43 #include <dns/rdatasetiter.h>
44 #include <dns/rdatastruct.h>
45 #include <dns/rdatatype.h>
52 #include <named/client.h>
53 #include <named/log.h>
54 #include <named/server.h>
55 #include <named/update.h>
59 * This module implements dynamic update as in RFC2136.
64 * - document strict minimality
67 /**************************************************************************/
70 * Log level for tracing dynamic update protocol requests.
72 #define LOGLEVEL_PROTOCOL ISC_LOG_INFO
75 * Log level for low-level debug tracing.
77 #define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
80 * Check an operation for failure. These macros all assume that
81 * the function using them has a 'result' variable and a 'failure'
86 if (result != ISC_R_SUCCESS) goto failure; \
90 * Fail unconditionally with result 'code', which must not
91 * be ISC_R_SUCCESS. The reason for failure presumably has
92 * been logged already.
94 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
95 * from complaining about "end-of-loop code not reached".
101 if (result != ISC_R_SUCCESS) goto failure; \
105 * Fail unconditionally and log as a client error.
106 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
107 * from complaining about "end-of-loop code not reached".
109 #define FAILC(code, msg) \
111 const char *_what = "failed"; \
114 case DNS_R_NXDOMAIN: \
115 case DNS_R_YXDOMAIN: \
116 case DNS_R_YXRRSET: \
117 case DNS_R_NXRRSET: \
118 _what = "unsuccessful"; \
120 update_log(client, zone, LOGLEVEL_PROTOCOL, \
121 "update %s: %s (%s)", _what, \
122 msg, isc_result_totext(result)); \
123 if (result != ISC_R_SUCCESS) goto failure; \
125 #define PREREQFAILC(code, msg) \
127 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
131 #define FAILN(code, name, msg) \
133 const char *_what = "failed"; \
136 case DNS_R_NXDOMAIN: \
137 case DNS_R_YXDOMAIN: \
138 case DNS_R_YXRRSET: \
139 case DNS_R_NXRRSET: \
140 _what = "unsuccessful"; \
142 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
143 char _nbuf[DNS_NAME_FORMATSIZE]; \
144 dns_name_format(name, _nbuf, sizeof(_nbuf)); \
145 update_log(client, zone, LOGLEVEL_PROTOCOL, \
146 "update %s: %s: %s (%s)", _what, _nbuf, \
147 msg, isc_result_totext(result)); \
149 if (result != ISC_R_SUCCESS) goto failure; \
151 #define PREREQFAILN(code, name, msg) \
153 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
154 FAILN(code, name, msg); \
157 #define FAILNT(code, name, type, msg) \
159 const char *_what = "failed"; \
162 case DNS_R_NXDOMAIN: \
163 case DNS_R_YXDOMAIN: \
164 case DNS_R_YXRRSET: \
165 case DNS_R_NXRRSET: \
166 _what = "unsuccessful"; \
168 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
169 char _nbuf[DNS_NAME_FORMATSIZE]; \
170 char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
171 dns_name_format(name, _nbuf, sizeof(_nbuf)); \
172 dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
173 update_log(client, zone, LOGLEVEL_PROTOCOL, \
174 "update %s: %s/%s: %s (%s)", \
175 _what, _nbuf, _tbuf, msg, \
176 isc_result_totext(result)); \
178 if (result != ISC_R_SUCCESS) goto failure; \
180 #define PREREQFAILNT(code, name, type, msg) \
182 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
183 FAILNT(code, name, type, msg); \
187 * Fail unconditionally and log as a server error.
188 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
189 * from complaining about "end-of-loop code not reached".
191 #define FAILS(code, msg) \
194 update_log(client, zone, LOGLEVEL_PROTOCOL, \
196 msg, isc_result_totext(result)); \
197 if (result != ISC_R_SUCCESS) goto failure; \
201 * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
203 #define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
205 /**************************************************************************/
207 typedef struct rr rr_t;
210 /* dns_name_t name; */
215 typedef struct update_event update_event_t;
217 struct update_event {
218 ISC_EVENT_COMMON(update_event_t);
221 dns_message_t *answer;
224 /**************************************************************************/
226 * Forward declarations.
229 static void update_action(isc_task_t *task, isc_event_t *event);
230 static void updatedone_action(isc_task_t *task, isc_event_t *event);
231 static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
232 static void forward_done(isc_task_t *task, isc_event_t *event);
234 /**************************************************************************/
237 update_log(ns_client_t *client, dns_zone_t *zone,
238 int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
241 update_log(ns_client_t *client, dns_zone_t *zone,
242 int level, const char *fmt, ...)
246 char namebuf[DNS_NAME_FORMATSIZE];
247 char classbuf[DNS_RDATACLASS_FORMATSIZE];
249 if (client == NULL || zone == NULL)
252 if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
255 dns_name_format(dns_zone_getorigin(zone), namebuf,
257 dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
261 vsnprintf(message, sizeof(message), fmt, ap);
264 ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
265 level, "updating zone '%s/%s': %s",
266 namebuf, classbuf, message);
270 * Increment updated-related statistics counters.
273 inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
274 isc_stats_increment(ns_g_server->nsstats, counter);
277 isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
278 if (zonestats != NULL)
279 isc_stats_increment(zonestats, counter);
284 * Override the default acl logging when checking whether a client
285 * can update the zone or whether we can forward the request to the
286 * master based on IP address.
288 * 'message' contains the type of operation that is being attempted.
289 * 'slave' indicates if this is a slave zone. If 'acl' is NULL then
291 * If the zone has no access controls configured ('acl' == NULL &&
292 * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
295 * If the request was signed log that we received it.
298 checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
299 dns_name_t *zonename, isc_boolean_t slave,
300 isc_boolean_t has_ssutable)
302 char namebuf[DNS_NAME_FORMATSIZE];
303 char classbuf[DNS_RDATACLASS_FORMATSIZE];
304 int level = ISC_LOG_ERROR;
305 const char *msg = "denied";
308 if (slave && acl == NULL) {
309 result = DNS_R_NOTIMP;
310 level = ISC_LOG_DEBUG(3);
313 result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
314 if (result == ISC_R_SUCCESS) {
315 level = ISC_LOG_DEBUG(3);
317 } else if (acl == NULL && !has_ssutable) {
318 level = ISC_LOG_INFO;
322 if (client->signer != NULL) {
323 dns_name_format(client->signer, namebuf, sizeof(namebuf));
324 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
325 NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
326 "signer \"%s\" %s", namebuf, msg);
329 dns_name_format(zonename, namebuf, sizeof(namebuf));
330 dns_rdataclass_format(client->view->rdclass, classbuf,
333 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
334 NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
335 message, namebuf, classbuf, msg);
340 * Update a single RR in version 'ver' of 'db' and log the
344 * \li '*tuple' == NULL. Either the tuple is freed, or its
345 * ownership has been transferred to the diff.
348 do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
351 dns_diff_t temp_diff;
355 * Create a singleton diff.
357 dns_diff_init(diff->mctx, &temp_diff);
358 temp_diff.resign = diff->resign;
359 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
362 * Apply it to the database.
364 result = dns_diff_apply(&temp_diff, db, ver);
365 ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
366 if (result != ISC_R_SUCCESS) {
367 dns_difftuple_free(tuple);
372 * Merge it into the current pending journal entry.
374 dns_diff_appendminimal(diff, tuple);
377 * Do not clear temp_diff.
379 return (ISC_R_SUCCESS);
383 * Perform the updates in 'updates' in version 'ver' of 'db' and log the
387 * \li 'updates' is empty.
390 do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
394 while (! ISC_LIST_EMPTY(updates->tuples)) {
395 dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
396 ISC_LIST_UNLINK(updates->tuples, t, link);
397 CHECK(do_one_tuple(&t, db, ver, diff));
399 return (ISC_R_SUCCESS);
402 dns_diff_clear(diff);
407 update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
408 dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
411 dns_difftuple_t *tuple = NULL;
413 result = dns_difftuple_create(diff->mctx, op,
414 name, ttl, rdata, &tuple);
415 if (result != ISC_R_SUCCESS)
417 return (do_one_tuple(&tuple, db, ver, diff));
420 /**************************************************************************/
422 * Callback-style iteration over rdatasets and rdatas.
424 * foreach_rrset() can be used to iterate over the RRsets
425 * of a name and call a callback function with each
426 * one. Similarly, foreach_rr() can be used to iterate
427 * over the individual RRs at name, optionally restricted
428 * to RRs of a given type.
430 * The callback functions are called "actions" and take
431 * two arguments: a void pointer for passing arbitrary
432 * context information, and a pointer to the current RRset
433 * or RR. By convention, their names end in "_action".
437 * XXXRTH We might want to make this public somewhere in libdns.
441 * Function type for foreach_rrset() iterator actions.
443 typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
446 * Function type for foreach_rr() iterator actions.
448 typedef isc_result_t rr_func(void *data, rr_t *rr);
451 * Internal context struct for foreach_node_rr().
455 void * rr_action_data;
456 } foreach_node_rr_ctx_t;
459 * Internal helper function for foreach_node_rr().
462 foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
464 foreach_node_rr_ctx_t *ctx = data;
465 for (result = dns_rdataset_first(rdataset);
466 result == ISC_R_SUCCESS;
467 result = dns_rdataset_next(rdataset))
469 rr_t rr = { 0, DNS_RDATA_INIT };
471 dns_rdataset_current(rdataset, &rr.rdata);
472 rr.ttl = rdataset->ttl;
473 result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
474 if (result != ISC_R_SUCCESS)
477 if (result != ISC_R_NOMORE)
479 return (ISC_R_SUCCESS);
483 * For each rdataset of 'name' in 'ver' of 'db', call 'action'
484 * with the rdataset and 'action_data' as arguments. If the name
485 * does not exist, do nothing.
487 * If 'action' returns an error, abort iteration and return the error.
490 foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
491 rrset_func *action, void *action_data)
495 dns_rdatasetiter_t *iter;
498 result = dns_db_findnode(db, name, ISC_FALSE, &node);
499 if (result == ISC_R_NOTFOUND)
500 return (ISC_R_SUCCESS);
501 if (result != ISC_R_SUCCESS)
505 result = dns_db_allrdatasets(db, node, ver,
506 (isc_stdtime_t) 0, &iter);
507 if (result != ISC_R_SUCCESS)
510 for (result = dns_rdatasetiter_first(iter);
511 result == ISC_R_SUCCESS;
512 result = dns_rdatasetiter_next(iter))
514 dns_rdataset_t rdataset;
516 dns_rdataset_init(&rdataset);
517 dns_rdatasetiter_current(iter, &rdataset);
519 result = (*action)(action_data, &rdataset);
521 dns_rdataset_disassociate(&rdataset);
522 if (result != ISC_R_SUCCESS)
523 goto cleanup_iterator;
525 if (result == ISC_R_NOMORE)
526 result = ISC_R_SUCCESS;
529 dns_rdatasetiter_destroy(&iter);
532 dns_db_detachnode(db, &node);
538 * For each RR of 'name' in 'ver' of 'db', call 'action'
539 * with the RR and 'action_data' as arguments. If the name
540 * does not exist, do nothing.
542 * If 'action' returns an error, abort iteration
543 * and return the error.
546 foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
547 rr_func *rr_action, void *rr_action_data)
549 foreach_node_rr_ctx_t ctx;
550 ctx.rr_action = rr_action;
551 ctx.rr_action_data = rr_action_data;
552 return (foreach_rrset(db, ver, name,
553 foreach_node_rr_action, &ctx));
558 * For each of the RRs specified by 'db', 'ver', 'name', 'type',
559 * (which can be dns_rdatatype_any to match any type), and 'covers', call
560 * 'action' with the RR and 'action_data' as arguments. If the name
561 * does not exist, or if no RRset of the given type exists at the name,
564 * If 'action' returns an error, abort iteration and return the error.
567 foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
568 dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
569 void *rr_action_data)
574 dns_rdataset_t rdataset;
576 if (type == dns_rdatatype_any)
577 return (foreach_node_rr(db, ver, name,
578 rr_action, rr_action_data));
581 if (type == dns_rdatatype_nsec3 ||
582 (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
583 result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
585 result = dns_db_findnode(db, name, ISC_FALSE, &node);
586 if (result == ISC_R_NOTFOUND)
587 return (ISC_R_SUCCESS);
588 if (result != ISC_R_SUCCESS)
591 dns_rdataset_init(&rdataset);
592 result = dns_db_findrdataset(db, node, ver, type, covers,
593 (isc_stdtime_t) 0, &rdataset, NULL);
594 if (result == ISC_R_NOTFOUND) {
595 result = ISC_R_SUCCESS;
598 if (result != ISC_R_SUCCESS)
601 for (result = dns_rdataset_first(&rdataset);
602 result == ISC_R_SUCCESS;
603 result = dns_rdataset_next(&rdataset))
605 rr_t rr = { 0, DNS_RDATA_INIT };
606 dns_rdataset_current(&rdataset, &rr.rdata);
607 rr.ttl = rdataset.ttl;
608 result = (*rr_action)(rr_action_data, &rr);
609 if (result != ISC_R_SUCCESS)
610 goto cleanup_rdataset;
612 if (result != ISC_R_NOMORE)
613 goto cleanup_rdataset;
614 result = ISC_R_SUCCESS;
617 dns_rdataset_disassociate(&rdataset);
619 dns_db_detachnode(db, &node);
624 /**************************************************************************/
626 * Various tests on the database contents (for prerequisites, etc).
630 * Function type for predicate functions that compare a database RR 'db_rr'
631 * against an update RR 'update_rr'.
633 typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
636 * Helper function for rrset_exists().
639 rrset_exists_action(void *data, rr_t *rr) {
642 return (ISC_R_EXISTS);
646 * Utility macro for RR existence checking functions.
648 * If the variable 'result' has the value ISC_R_EXISTS or
649 * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
650 * respectively, and return success.
652 * If 'result' has any other value, there was a failure.
653 * Return the failure result code and do not set *exists.
655 * This would be more readable as "do { if ... } while(0)",
656 * but that form generates tons of warnings on Solaris 2.6.
658 #define RETURN_EXISTENCE_FLAG \
659 return ((result == ISC_R_EXISTS) ? \
660 (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
661 ((result == ISC_R_SUCCESS) ? \
662 (*exists = ISC_FALSE, ISC_R_SUCCESS) : \
666 * Set '*exists' to true iff an rrset of the given type exists,
667 * to false otherwise.
670 rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
671 dns_rdatatype_t type, dns_rdatatype_t covers,
672 isc_boolean_t *exists)
675 result = foreach_rr(db, ver, name, type, covers,
676 rrset_exists_action, NULL);
677 RETURN_EXISTENCE_FLAG;
681 * Set '*visible' to true if the RRset exists and is part of the
682 * visible zone. Otherwise '*visible' is set to false unless a
686 rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
687 dns_rdatatype_t type, isc_boolean_t *visible)
690 dns_fixedname_t fixed;
692 dns_fixedname_init(&fixed);
693 result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
694 (isc_stdtime_t) 0, NULL,
695 dns_fixedname_name(&fixed), NULL, NULL);
701 * Glue, obscured, deleted or replaced records.
703 case DNS_R_DELEGATION:
708 case DNS_R_EMPTYNAME:
709 case DNS_R_COVERINGNSEC:
710 *visible = ISC_FALSE;
711 result = ISC_R_SUCCESS;
720 * Helper function for cname_incompatible_rrset_exists.
723 cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
725 if (rrset->type != dns_rdatatype_cname &&
726 ! dns_rdatatype_isdnssec(rrset->type))
727 return (ISC_R_EXISTS);
728 return (ISC_R_SUCCESS);
732 * Check whether there is an rrset incompatible with adding a CNAME RR,
733 * i.e., anything but another CNAME (which can be replaced) or a
734 * DNSSEC RR (which can coexist).
736 * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
737 * Otherwise, set it to ISC_FALSE.
740 cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
741 dns_name_t *name, isc_boolean_t *exists) {
743 result = foreach_rrset(db, ver, name,
744 cname_compatibility_action, NULL);
745 RETURN_EXISTENCE_FLAG;
749 * Helper function for rr_count().
752 count_rr_action(void *data, rr_t *rr) {
756 return (ISC_R_SUCCESS);
760 * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
763 rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
764 dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
767 return (foreach_rr(db, ver, name, type, covers,
768 count_rr_action, countp));
772 * Context struct and helper function for name_exists().
776 name_exists_action(void *data, dns_rdataset_t *rrset) {
779 return (ISC_R_EXISTS);
783 * Set '*exists' to true iff the given name exists, to false otherwise.
786 name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
787 isc_boolean_t *exists)
790 result = foreach_rrset(db, ver, name,
791 name_exists_action, NULL);
792 RETURN_EXISTENCE_FLAG;
796 * 'ssu_check_t' is used to pass the arguments to
797 * dns_ssutable_checkrules() to the callback function
801 /* The ownername of the record to be updated. */
804 /* The signature's name if the request was signed. */
807 /* The address of the client if the request was received via TCP. */
808 isc_netaddr_t *tcpaddr;
810 /* The ssu table to check against. */
811 dns_ssutable_t *table;
815 ssu_checkrule(void *data, dns_rdataset_t *rrset) {
816 ssu_check_t *ssuinfo = data;
817 isc_boolean_t result;
820 * If we're deleting all records, it's ok to delete RRSIG and NSEC even
821 * if we're normally not allowed to.
823 if (rrset->type == dns_rdatatype_rrsig ||
824 rrset->type == dns_rdatatype_nsec)
825 return (ISC_R_SUCCESS);
826 result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
827 ssuinfo->name, ssuinfo->tcpaddr,
829 return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
833 ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
834 dns_ssutable_t *ssutable, dns_name_t *signer,
835 isc_netaddr_t *tcpaddr)
841 ssuinfo.table = ssutable;
842 ssuinfo.signer = signer;
843 ssuinfo.tcpaddr = tcpaddr;
844 result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
845 return (ISC_TF(result == ISC_R_SUCCESS));
848 /**************************************************************************/
850 * Checking of "RRset exists (value dependent)" prerequisites.
852 * In the RFC2136 section 3.2.5, this is the pseudocode involving
853 * a variable called "temp", a mapping of <name, type> tuples to rrsets.
855 * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
856 * where each tuple has op==DNS_DIFFOP_EXISTS.
861 * Append a tuple asserting the existence of the RR with
862 * 'name' and 'rdata' to 'diff'.
865 temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
867 dns_difftuple_t *tuple = NULL;
869 REQUIRE(DNS_DIFF_VALID(diff));
870 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
871 name, 0, rdata, &tuple));
872 ISC_LIST_APPEND(diff->tuples, tuple, link);
878 * Compare two rdatasets represented as sorted lists of tuples.
879 * All list elements must have the same owner name and type.
880 * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
884 temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
886 if (a == NULL || b == NULL)
888 INSIST(a->op == DNS_DIFFOP_EXISTS &&
889 b->op == DNS_DIFFOP_EXISTS);
890 INSIST(a->rdata.type == b->rdata.type);
891 INSIST(dns_name_equal(&a->name, &b->name));
892 if (dns_rdata_compare(&a->rdata, &b->rdata) != 0)
893 return (DNS_R_NXRRSET);
894 a = ISC_LIST_NEXT(a, link);
895 b = ISC_LIST_NEXT(b, link);
897 if (a != NULL || b != NULL)
898 return (DNS_R_NXRRSET);
899 return (ISC_R_SUCCESS);
903 * A comparison function defining the sorting order for the entries
904 * in the "temp" data structure. The major sort key is the owner name,
905 * followed by the type and rdata.
908 temp_order(const void *av, const void *bv) {
909 dns_difftuple_t const * const *ap = av;
910 dns_difftuple_t const * const *bp = bv;
911 dns_difftuple_t const *a = *ap;
912 dns_difftuple_t const *b = *bp;
914 r = dns_name_compare(&a->name, &b->name);
917 r = (b->rdata.type - a->rdata.type);
920 r = dns_rdata_compare(&a->rdata, &b->rdata);
925 * Check the "RRset exists (value dependent)" prerequisite information
926 * in 'temp' against the contents of the database 'db'.
928 * Return ISC_R_SUCCESS if the prerequisites are satisfied,
929 * rcode(dns_rcode_nxrrset) if not.
931 * 'temp' must be pre-sorted.
935 temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
936 dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
944 dns_diff_init(mctx, &trash);
947 * For each name and type in the prerequisites,
948 * construct a sorted rdata list of the corresponding
949 * database contents, and compare the lists.
951 t = ISC_LIST_HEAD(temp->tuples);
954 (void)dns_name_copy(name, tmpname, NULL);
955 *typep = t->rdata.type;
957 /* A new unique name begins here. */
959 result = dns_db_findnode(db, name, ISC_FALSE, &node);
960 if (result == ISC_R_NOTFOUND) {
961 dns_diff_clear(&trash);
962 return (DNS_R_NXRRSET);
964 if (result != ISC_R_SUCCESS) {
965 dns_diff_clear(&trash);
969 /* A new unique type begins here. */
970 while (t != NULL && dns_name_equal(&t->name, name)) {
971 dns_rdatatype_t type, covers;
972 dns_rdataset_t rdataset;
973 dns_diff_t d_rrs; /* Database RRs with
974 this name and type */
975 dns_diff_t u_rrs; /* Update RRs with
976 this name and type */
978 *typep = type = t->rdata.type;
979 if (type == dns_rdatatype_rrsig ||
980 type == dns_rdatatype_sig)
981 covers = dns_rdata_covers(&t->rdata);
982 else if (type == dns_rdatatype_any) {
983 dns_db_detachnode(db, &node);
984 dns_diff_clear(&trash);
985 return (DNS_R_NXRRSET);
990 * Collect all database RRs for this name and type
991 * onto d_rrs and sort them.
993 dns_rdataset_init(&rdataset);
994 result = dns_db_findrdataset(db, node, ver, type,
995 covers, (isc_stdtime_t) 0,
997 if (result != ISC_R_SUCCESS) {
998 dns_db_detachnode(db, &node);
999 dns_diff_clear(&trash);
1000 return (DNS_R_NXRRSET);
1003 dns_diff_init(mctx, &d_rrs);
1004 dns_diff_init(mctx, &u_rrs);
1006 for (result = dns_rdataset_first(&rdataset);
1007 result == ISC_R_SUCCESS;
1008 result = dns_rdataset_next(&rdataset))
1010 dns_rdata_t rdata = DNS_RDATA_INIT;
1011 dns_rdataset_current(&rdataset, &rdata);
1012 result = temp_append(&d_rrs, name, &rdata);
1013 if (result != ISC_R_SUCCESS)
1016 if (result != ISC_R_NOMORE)
1018 result = dns_diff_sort(&d_rrs, temp_order);
1019 if (result != ISC_R_SUCCESS)
1023 * Collect all update RRs for this name and type
1024 * onto u_rrs. No need to sort them here -
1025 * they are already sorted.
1028 dns_name_equal(&t->name, name) &&
1029 t->rdata.type == type)
1031 dns_difftuple_t *next =
1032 ISC_LIST_NEXT(t, link);
1033 ISC_LIST_UNLINK(temp->tuples, t, link);
1034 ISC_LIST_APPEND(u_rrs.tuples, t, link);
1038 /* Compare the two sorted lists. */
1039 result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
1040 ISC_LIST_HEAD(d_rrs.tuples));
1041 if (result != ISC_R_SUCCESS)
1045 * We are done with the tuples, but we can't free
1046 * them yet because "name" still points into one
1047 * of them. Move them on a temporary list.
1049 ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
1050 ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
1051 dns_rdataset_disassociate(&rdataset);
1056 dns_diff_clear(&d_rrs);
1057 dns_diff_clear(&u_rrs);
1058 dns_diff_clear(&trash);
1059 dns_rdataset_disassociate(&rdataset);
1060 dns_db_detachnode(db, &node);
1064 dns_db_detachnode(db, &node);
1067 dns_diff_clear(&trash);
1068 return (ISC_R_SUCCESS);
1071 /**************************************************************************/
1073 * Conditional deletion of RRs.
1077 * Context structure for delete_if().
1081 rr_predicate *predicate;
1083 dns_dbversion_t *ver;
1086 dns_rdata_t *update_rr;
1087 } conditional_delete_ctx_t;
1090 * Predicate functions for delete_if().
1094 * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
1095 * an RRSIG nor an NSEC3PARAM nor a NSEC.
1097 static isc_boolean_t
1098 type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1100 return ((db_rr->type != dns_rdatatype_soa &&
1101 db_rr->type != dns_rdatatype_ns &&
1102 db_rr->type != dns_rdatatype_nsec3param &&
1103 db_rr->type != dns_rdatatype_rrsig &&
1104 db_rr->type != dns_rdatatype_nsec) ?
1105 ISC_TRUE : ISC_FALSE);
1109 * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
1111 static isc_boolean_t
1112 type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1114 return ((db_rr->type != dns_rdatatype_rrsig &&
1115 db_rr->type != dns_rdatatype_nsec) ?
1116 ISC_TRUE : ISC_FALSE);
1120 * Return true always.
1122 static isc_boolean_t
1123 true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1130 * Return true if the record is a RRSIG.
1132 static isc_boolean_t
1133 rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1135 return ((db_rr->type == dns_rdatatype_rrsig) ?
1136 ISC_TRUE : ISC_FALSE);
1140 * Return true iff the two RRs have identical rdata.
1142 static isc_boolean_t
1143 rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1145 * XXXRTH This is not a problem, but we should consider creating
1146 * dns_rdata_equal() (that used dns_name_equal()), since it
1147 * would be faster. Not a priority.
1149 return (dns_rdata_compare(update_rr, db_rr) == 0 ?
1150 ISC_TRUE : ISC_FALSE);
1154 * Return true iff 'update_rr' should replace 'db_rr' according
1155 * to the special RFC2136 rules for CNAME, SOA, and WKS records.
1157 * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
1158 * make little sense, so we replace those, too.
1160 * Additionally replace RRSIG that have been generated by the same key
1161 * for the same type. This simplifies refreshing a offline KSK by not
1162 * requiring that the old RRSIG be deleted. It also simplifies key
1163 * rollover by only requiring that the new RRSIG be added.
1165 static isc_boolean_t
1166 replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1167 dns_rdata_rrsig_t updatesig, dbsig;
1168 isc_result_t result;
1170 if (db_rr->type != update_rr->type)
1172 if (db_rr->type == dns_rdatatype_cname)
1174 if (db_rr->type == dns_rdatatype_dname)
1176 if (db_rr->type == dns_rdatatype_soa)
1178 if (db_rr->type == dns_rdatatype_nsec)
1180 if (db_rr->type == dns_rdatatype_rrsig) {
1182 * Replace existing RRSIG with the same keyid,
1183 * covered and algorithm.
1185 result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
1186 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1187 result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
1188 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1189 if (dbsig.keyid == updatesig.keyid &&
1190 dbsig.covered == updatesig.covered &&
1191 dbsig.algorithm == updatesig.algorithm)
1194 if (db_rr->type == dns_rdatatype_wks) {
1196 * Compare the address and protocol fields only. These
1197 * form the first five bytes of the RR data. Do a
1198 * raw binary comparison; unpacking the WKS RRs using
1199 * dns_rdata_tostruct() might be cleaner in some ways.
1201 INSIST(db_rr->length >= 5 && update_rr->length >= 5);
1202 return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
1203 ISC_TRUE : ISC_FALSE);
1206 if (db_rr->type == dns_rdatatype_nsec3param) {
1207 if (db_rr->length != update_rr->length)
1209 INSIST(db_rr->length >= 4 && update_rr->length >= 4);
1211 * Replace records added in this UPDATE request.
1213 if (db_rr->data[0] == update_rr->data[0] &&
1214 db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
1215 update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
1216 memcmp(db_rr->data+2, update_rr->data+2,
1217 update_rr->length - 2) == 0)
1224 * Internal helper function for delete_if().
1227 delete_if_action(void *data, rr_t *rr) {
1228 conditional_delete_ctx_t *ctx = data;
1229 if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
1230 isc_result_t result;
1231 result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
1232 DNS_DIFFOP_DEL, ctx->name,
1233 rr->ttl, &rr->rdata);
1236 return (ISC_R_SUCCESS);
1241 * Conditionally delete RRs. Apply 'predicate' to the RRs
1242 * specified by 'db', 'ver', 'name', and 'type' (which can
1243 * be dns_rdatatype_any to match any type). Delete those
1244 * RRs for which the predicate returns true, and log the
1245 * deletions in 'diff'.
1248 delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
1249 dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
1250 dns_rdata_t *update_rr, dns_diff_t *diff)
1252 conditional_delete_ctx_t ctx;
1253 ctx.predicate = predicate;
1258 ctx.update_rr = update_rr;
1259 return (foreach_rr(db, ver, name, type, covers,
1260 delete_if_action, &ctx));
1263 /**************************************************************************/
1265 * Prepare an RR for the addition of the new RR 'ctx->update_rr',
1266 * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
1267 * the RRs if it is replaced by the new RR or has a conflicting TTL.
1268 * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
1269 * we need to do all deletions before any additions so that we don't run
1270 * into transient states with conflicting TTLs.
1275 dns_dbversion_t *ver;
1278 dns_rdata_t *update_rr;
1279 dns_ttl_t update_rr_ttl;
1280 isc_boolean_t ignore_add;
1281 dns_diff_t del_diff;
1282 dns_diff_t add_diff;
1283 } add_rr_prepare_ctx_t;
1286 add_rr_prepare_action(void *data, rr_t *rr) {
1287 isc_result_t result = ISC_R_SUCCESS;
1288 add_rr_prepare_ctx_t *ctx = data;
1289 dns_difftuple_t *tuple = NULL;
1290 isc_boolean_t equal;
1293 * If the update RR is a "duplicate" of the update RR,
1294 * the update should be silently ignored.
1296 equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
1297 if (equal && rr->ttl == ctx->update_rr_ttl) {
1298 ctx->ignore_add = ISC_TRUE;
1299 return (ISC_R_SUCCESS);
1303 * If this RR is "equal" to the update RR, it should
1304 * be deleted before the update RR is added.
1306 if (replaces_p(ctx->update_rr, &rr->rdata)) {
1307 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1308 ctx->name, rr->ttl, &rr->rdata,
1310 dns_diff_append(&ctx->del_diff, &tuple);
1311 return (ISC_R_SUCCESS);
1315 * If this RR differs in TTL from the update RR,
1316 * its TTL must be adjusted.
1318 if (rr->ttl != ctx->update_rr_ttl) {
1319 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1320 ctx->name, rr->ttl, &rr->rdata,
1322 dns_diff_append(&ctx->del_diff, &tuple);
1324 CHECK(dns_difftuple_create(ctx->add_diff.mctx,
1325 DNS_DIFFOP_ADD, ctx->name,
1327 &rr->rdata, &tuple));
1328 dns_diff_append(&ctx->add_diff, &tuple);
1335 /**************************************************************************/
1337 * Miscellaneous subroutines.
1341 * Extract a single update RR from 'section' of dynamic update message
1342 * 'msg', with consistency checking.
1344 * Stores the owner name, rdata, and TTL of the update RR at 'name',
1345 * 'rdata', and 'ttl', respectively.
1348 get_current_rr(dns_message_t *msg, dns_section_t section,
1349 dns_rdataclass_t zoneclass, dns_name_t **name,
1350 dns_rdata_t *rdata, dns_rdatatype_t *covers,
1351 dns_ttl_t *ttl, dns_rdataclass_t *update_class)
1353 dns_rdataset_t *rdataset;
1354 isc_result_t result;
1355 dns_message_currentname(msg, section, name);
1356 rdataset = ISC_LIST_HEAD((*name)->list);
1357 INSIST(rdataset != NULL);
1358 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
1359 *covers = rdataset->covers;
1360 *ttl = rdataset->ttl;
1361 result = dns_rdataset_first(rdataset);
1362 INSIST(result == ISC_R_SUCCESS);
1363 dns_rdataset_current(rdataset, rdata);
1364 INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
1365 *update_class = rdata->rdclass;
1366 rdata->rdclass = zoneclass;
1370 * Increment the SOA serial number of database 'db', version 'ver'.
1371 * Replace the SOA record in the database, and log the
1376 * XXXRTH Failures in this routine will be worth logging, when
1377 * we have a logging system. Failure to find the zonename
1378 * or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
1382 increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
1383 dns_diff_t *diff, isc_mem_t *mctx)
1385 dns_difftuple_t *deltuple = NULL;
1386 dns_difftuple_t *addtuple = NULL;
1387 isc_uint32_t serial;
1388 isc_result_t result;
1390 CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
1391 CHECK(dns_difftuple_copy(deltuple, &addtuple));
1392 addtuple->op = DNS_DIFFOP_ADD;
1394 serial = dns_soa_getserial(&addtuple->rdata);
1397 serial = (serial + 1) & 0xFFFFFFFF;
1401 dns_soa_setserial(serial, &addtuple->rdata);
1402 CHECK(do_one_tuple(&deltuple, db, ver, diff));
1403 CHECK(do_one_tuple(&addtuple, db, ver, diff));
1404 result = ISC_R_SUCCESS;
1407 if (addtuple != NULL)
1408 dns_difftuple_free(&addtuple);
1409 if (deltuple != NULL)
1410 dns_difftuple_free(&deltuple);
1415 * Check that the new SOA record at 'update_rdata' does not
1416 * illegally cause the SOA serial number to decrease or stay
1417 * unchanged relative to the existing SOA in 'db'.
1419 * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
1421 * William King points out that RFC2136 is inconsistent about
1422 * the case where the serial number stays unchanged:
1424 * section 3.4.2.2 requires a server to ignore a SOA update request
1425 * if the serial number on the update SOA is less_than_or_equal to
1426 * the zone SOA serial.
1428 * section 3.6 requires a server to ignore a SOA update request if
1429 * the serial is less_than the zone SOA serial.
1431 * Paul says 3.4.2.2 is correct.
1435 check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
1436 dns_rdata_t *update_rdata, isc_boolean_t *ok)
1438 isc_uint32_t db_serial;
1439 isc_uint32_t update_serial;
1440 isc_result_t result;
1442 update_serial = dns_soa_getserial(update_rdata);
1444 result = dns_db_getsoaserial(db, ver, &db_serial);
1445 if (result != ISC_R_SUCCESS)
1448 if (DNS_SERIAL_GE(db_serial, update_serial)) {
1454 return (ISC_R_SUCCESS);
1458 /**************************************************************************/
1460 * Incremental updating of NSECs and RRSIGs.
1463 #define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */
1466 * We abuse the dns_diff_t type to represent a set of domain names
1467 * affected by the update.
1470 namelist_append_name(dns_diff_t *list, dns_name_t *name) {
1471 isc_result_t result;
1472 dns_difftuple_t *tuple = NULL;
1473 static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
1475 CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
1476 &dummy_rdata, &tuple));
1477 dns_diff_append(list, &tuple);
1483 namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
1485 isc_result_t result;
1486 dns_fixedname_t fixedname;
1488 dns_dbiterator_t *dbit = NULL;
1490 dns_fixedname_init(&fixedname);
1491 child = dns_fixedname_name(&fixedname);
1493 CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
1495 for (result = dns_dbiterator_seek(dbit, name);
1496 result == ISC_R_SUCCESS;
1497 result = dns_dbiterator_next(dbit))
1499 dns_dbnode_t *node = NULL;
1500 CHECK(dns_dbiterator_current(dbit, &node, child));
1501 dns_db_detachnode(db, &node);
1502 if (! dns_name_issubdomain(child, name))
1504 CHECK(namelist_append_name(affected, child));
1506 if (result == ISC_R_NOMORE)
1507 result = ISC_R_SUCCESS;
1510 dns_dbiterator_destroy(&dbit);
1517 * Helper function for non_nsec_rrset_exists().
1520 is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
1522 if (!(rrset->type == dns_rdatatype_nsec ||
1523 rrset->type == dns_rdatatype_nsec3 ||
1524 (rrset->type == dns_rdatatype_rrsig &&
1525 (rrset->covers == dns_rdatatype_nsec ||
1526 rrset->covers == dns_rdatatype_nsec3))))
1527 return (ISC_R_EXISTS);
1528 return (ISC_R_SUCCESS);
1532 * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
1533 * i.e., anything that justifies the continued existence of a name
1534 * after a secure update.
1536 * If such an rrset exists, set '*exists' to ISC_TRUE.
1537 * Otherwise, set it to ISC_FALSE.
1540 non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
1541 dns_name_t *name, isc_boolean_t *exists)
1543 isc_result_t result;
1544 result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
1545 RETURN_EXISTENCE_FLAG;
1549 * A comparison function for sorting dns_diff_t:s by name.
1552 name_order(const void *av, const void *bv) {
1553 dns_difftuple_t const * const *ap = av;
1554 dns_difftuple_t const * const *bp = bv;
1555 dns_difftuple_t const *a = *ap;
1556 dns_difftuple_t const *b = *bp;
1557 return (dns_name_compare(&a->name, &b->name));
1561 uniqify_name_list(dns_diff_t *list) {
1562 isc_result_t result;
1563 dns_difftuple_t *p, *q;
1565 CHECK(dns_diff_sort(list, name_order));
1567 p = ISC_LIST_HEAD(list->tuples);
1570 q = ISC_LIST_NEXT(p, link);
1571 if (q == NULL || ! dns_name_equal(&p->name, &q->name))
1573 ISC_LIST_UNLINK(list->tuples, q, link);
1574 dns_difftuple_free(&q);
1576 p = ISC_LIST_NEXT(p, link);
1583 is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1584 isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
1586 isc_result_t result;
1587 dns_fixedname_t foundname;
1588 dns_fixedname_init(&foundname);
1589 result = dns_db_find(db, name, ver, dns_rdatatype_any,
1590 DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
1591 (isc_stdtime_t) 0, NULL,
1592 dns_fixedname_name(&foundname),
1594 if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
1597 if (unsecure != NULL)
1598 *unsecure = ISC_FALSE;
1599 return (ISC_R_SUCCESS);
1600 } else if (result == DNS_R_ZONECUT) {
1603 if (unsecure != NULL) {
1605 * We are at the zonecut. Check to see if there
1608 if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
1609 (isc_stdtime_t) 0, NULL,
1610 dns_fixedname_name(&foundname),
1611 NULL, NULL) == DNS_R_NXRRSET)
1612 *unsecure = ISC_TRUE;
1614 *unsecure = ISC_FALSE;
1616 return (ISC_R_SUCCESS);
1617 } else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
1618 result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
1621 if (unsecure != NULL)
1622 *unsecure = ISC_FALSE;
1623 return (ISC_R_SUCCESS);
1630 if (unsecure != NULL)
1631 *unsecure = ISC_FALSE;
1637 * Find the next/previous name that has a NSEC record.
1638 * In other words, skip empty database nodes and names that
1639 * have had their NSECs removed because they are obscured by
1643 next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1644 dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
1645 isc_boolean_t forward)
1647 isc_result_t result;
1648 dns_dbiterator_t *dbit = NULL;
1649 isc_boolean_t has_nsec;
1650 unsigned int wraps = 0;
1651 isc_boolean_t secure = dns_db_issecure(db);
1653 CHECK(dns_db_createiterator(db, 0, &dbit));
1655 CHECK(dns_dbiterator_seek(dbit, oldname));
1657 dns_dbnode_t *node = NULL;
1660 result = dns_dbiterator_next(dbit);
1662 result = dns_dbiterator_prev(dbit);
1663 if (result == ISC_R_NOMORE) {
1668 CHECK(dns_dbiterator_first(dbit));
1670 CHECK(dns_dbiterator_last(dbit));
1673 update_log(client, zone, ISC_LOG_ERROR,
1674 "secure zone with no NSECs");
1675 result = DNS_R_BADZONE;
1679 CHECK(dns_dbiterator_current(dbit, &node, newname));
1680 dns_db_detachnode(db, &node);
1683 * The iterator may hold the tree lock, and
1684 * rrset_exists() calls dns_db_findnode() which
1685 * may try to reacquire it. To avoid deadlock
1686 * we must pause the iterator first.
1688 CHECK(dns_dbiterator_pause(dbit));
1690 CHECK(rrset_exists(db, ver, newname,
1691 dns_rdatatype_nsec, 0, &has_nsec));
1693 dns_fixedname_t ffound;
1695 dns_fixedname_init(&ffound);
1696 found = dns_fixedname_name(&ffound);
1697 result = dns_db_find(db, newname, ver,
1699 DNS_DBFIND_NOWILD, 0, NULL, found,
1701 if (result == ISC_R_SUCCESS ||
1702 result == DNS_R_EMPTYNAME ||
1703 result == DNS_R_NXRRSET ||
1704 result == DNS_R_CNAME ||
1705 (result == DNS_R_DELEGATION &&
1706 dns_name_equal(newname, found))) {
1707 has_nsec = ISC_TRUE;
1708 result = ISC_R_SUCCESS;
1709 } else if (result != DNS_R_NXDOMAIN)
1712 } while (! has_nsec);
1715 dns_dbiterator_destroy(&dbit);
1720 static isc_boolean_t
1721 has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
1722 isc_result_t result;
1723 dns_rdata_t rdata = DNS_RDATA_INIT;
1724 dns_rdataset_t rdataset;
1725 isc_boolean_t has_bit = ISC_FALSE;
1727 dns_rdataset_init(&rdataset);
1728 CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
1729 dns_rdatatype_none, 0, &rdataset, NULL));
1730 CHECK(dns_rdataset_first(&rdataset));
1731 dns_rdataset_current(&rdataset, &rdata);
1732 has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
1734 if (dns_rdataset_isassociated(&rdataset))
1735 dns_rdataset_disassociate(&rdataset);
1740 set_bit(unsigned char *array, unsigned int index) {
1741 unsigned int shift, bit;
1743 shift = 7 - (index % 8);
1746 array[index / 8] |= bit;
1750 * Add a NSEC record for "name", recording the change in "diff".
1751 * The existing NSEC is removed.
1754 add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1755 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
1758 isc_result_t result;
1759 dns_dbnode_t *node = NULL;
1760 unsigned char buffer[DNS_NSEC_BUFFERSIZE];
1761 dns_rdata_t rdata = DNS_RDATA_INIT;
1762 dns_difftuple_t *tuple = NULL;
1763 dns_fixedname_t fixedname;
1766 dns_fixedname_init(&fixedname);
1767 target = dns_fixedname_name(&fixedname);
1770 * Find the successor name, aka NSEC target.
1772 CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
1775 * Create the NSEC RDATA.
1777 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
1778 dns_rdata_init(&rdata);
1779 CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
1781 * Preserve the status of the OPT bit in the origin's NSEC record.
1783 if (dns_name_equal(dns_db_origin(db), name) &&
1784 has_opt_bit(db, ver, node))
1786 isc_region_t region;
1789 dns_name_init(&next, NULL);
1790 dns_rdata_toregion(&rdata, ®ion);
1791 dns_name_fromregion(&next, ®ion);
1792 isc_region_consume(®ion, next.length);
1793 INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
1794 region.base[0] == 0 &&
1795 region.base[1] > dns_rdatatype_opt / 8);
1796 set_bit(region.base + 2, dns_rdatatype_opt);
1798 dns_db_detachnode(db, &node);
1801 * Delete the old NSEC and record the change.
1803 CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
1806 * Add the new NSEC and record the change.
1808 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
1809 nsecttl, &rdata, &tuple));
1810 CHECK(do_one_tuple(&tuple, db, ver, diff));
1811 INSIST(tuple == NULL);
1815 dns_db_detachnode(db, &node);
1820 * Add a placeholder NSEC record for "name", recording the change in "diff".
1823 add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1826 isc_result_t result;
1827 dns_difftuple_t *tuple = NULL;
1829 unsigned char data[1] = { 0 }; /* The root domain, no bits. */
1830 dns_rdata_t rdata = DNS_RDATA_INIT;
1833 r.length = sizeof(data);
1834 dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
1835 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
1837 CHECK(do_one_tuple(&tuple, db, ver, diff));
1843 find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
1844 isc_mem_t *mctx, unsigned int maxkeys,
1845 dst_key_t **keys, unsigned int *nkeys)
1847 isc_result_t result;
1848 dns_dbnode_t *node = NULL;
1849 const char *directory = dns_zone_getkeydirectory(zone);
1850 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
1851 CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
1852 directory, mctx, maxkeys, keys, nkeys));
1855 dns_db_detachnode(db, &node);
1859 static isc_boolean_t
1860 ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
1861 isc_boolean_t ret = ISC_FALSE;
1862 isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
1863 isc_result_t result;
1864 dns_dbnode_t *node = NULL;
1865 dns_rdataset_t rdataset;
1866 dns_rdata_t rdata = DNS_RDATA_INIT;
1867 dns_rdata_dnskey_t dnskey;
1869 dns_rdataset_init(&rdataset);
1870 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
1871 CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
1873 CHECK(dns_rdataset_first(&rdataset));
1874 while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
1875 dns_rdataset_current(&rdataset, &rdata);
1876 CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
1877 if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
1878 == DNS_KEYOWNER_ZONE) {
1879 if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
1880 have_ksk = ISC_TRUE;
1882 have_nonksk = ISC_TRUE;
1884 dns_rdata_reset(&rdata);
1885 result = dns_rdataset_next(&rdataset);
1887 if (have_ksk && have_nonksk)
1890 if (dns_rdataset_isassociated(&rdataset))
1891 dns_rdataset_disassociate(&rdataset);
1893 dns_db_detachnode(db, &node);
1898 * Add RRSIG records for an RRset, recording the change in "diff".
1901 add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1902 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
1903 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
1904 isc_stdtime_t inception, isc_stdtime_t expire,
1905 isc_boolean_t check_ksk)
1907 isc_result_t result;
1908 dns_dbnode_t *node = NULL;
1909 dns_rdataset_t rdataset;
1910 dns_rdata_t sig_rdata = DNS_RDATA_INIT;
1911 isc_buffer_t buffer;
1912 unsigned char data[1024]; /* XXX */
1914 isc_boolean_t added_sig = ISC_FALSE;
1915 isc_mem_t *mctx = client->mctx;
1917 dns_rdataset_init(&rdataset);
1918 isc_buffer_init(&buffer, data, sizeof(data));
1920 /* Get the rdataset to sign. */
1921 if (type == dns_rdatatype_nsec3)
1922 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
1924 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
1925 CHECK(dns_db_findrdataset(db, node, ver, type, 0,
1926 (isc_stdtime_t) 0, &rdataset, NULL));
1927 dns_db_detachnode(db, &node);
1929 for (i = 0; i < nkeys; i++) {
1931 if (check_ksk && type != dns_rdatatype_dnskey &&
1932 (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
1935 if (!dst_key_isprivate(keys[i]))
1938 /* Calculate the signature, creating a RRSIG RDATA. */
1939 CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
1940 &inception, &expire,
1941 mctx, &buffer, &sig_rdata));
1943 /* Update the database and journal with the RRSIG. */
1944 /* XXX inefficient - will cause dataset merging */
1945 CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
1946 rdataset.ttl, &sig_rdata));
1947 dns_rdata_reset(&sig_rdata);
1948 added_sig = ISC_TRUE;
1951 update_log(client, zone, ISC_LOG_ERROR,
1952 "found no private keys, "
1953 "unable to generate any signatures");
1954 result = ISC_R_NOTFOUND;
1958 if (dns_rdataset_isassociated(&rdataset))
1959 dns_rdataset_disassociate(&rdataset);
1961 dns_db_detachnode(db, &node);
1966 * Delete expired RRsigs and any RRsigs we are about to re-sign.
1967 * See also zone.c:del_sigs().
1970 del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1971 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
1973 isc_result_t result;
1974 dns_dbnode_t *node = NULL;
1975 dns_rdataset_t rdataset;
1976 dns_rdata_t rdata = DNS_RDATA_INIT;
1978 dns_rdata_rrsig_t rrsig;
1979 isc_boolean_t found;
1981 dns_rdataset_init(&rdataset);
1983 result = dns_db_findnode(db, name, ISC_FALSE, &node);
1984 if (result == ISC_R_NOTFOUND)
1985 return (ISC_R_SUCCESS);
1986 if (result != ISC_R_SUCCESS)
1988 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
1989 dns_rdatatype_dnskey, (isc_stdtime_t) 0,
1991 dns_db_detachnode(db, &node);
1993 if (result == ISC_R_NOTFOUND)
1994 return (ISC_R_SUCCESS);
1995 if (result != ISC_R_SUCCESS)
1998 for (result = dns_rdataset_first(&rdataset);
1999 result == ISC_R_SUCCESS;
2000 result = dns_rdataset_next(&rdataset)) {
2001 dns_rdataset_current(&rdataset, &rdata);
2002 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
2003 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2005 for (i = 0; i < nkeys; i++) {
2006 if (rrsig.keyid == dst_key_id(keys[i])) {
2008 if (!dst_key_isprivate(keys[i])) {
2010 * The re-signing code in zone.c
2011 * will mark this as offline.
2012 * Just skip the record for now.
2016 result = update_one_rr(db, ver, diff,
2017 DNS_DIFFOP_DEL, name,
2018 rdataset.ttl, &rdata);
2023 * If there is not a matching DNSKEY then delete the RRSIG.
2026 result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
2027 name, rdataset.ttl, &rdata);
2028 dns_rdata_reset(&rdata);
2029 if (result != ISC_R_SUCCESS)
2032 dns_rdataset_disassociate(&rdataset);
2033 if (result == ISC_R_NOMORE)
2034 result = ISC_R_SUCCESS;
2037 dns_db_detachnode(db, &node);
2042 add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
2043 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
2044 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
2045 isc_stdtime_t inception, isc_stdtime_t expire,
2046 isc_boolean_t check_ksk)
2048 isc_result_t result;
2050 dns_rdatasetiter_t *iter;
2053 result = dns_db_findnode(db, name, ISC_FALSE, &node);
2054 if (result == ISC_R_NOTFOUND)
2055 return (ISC_R_SUCCESS);
2056 if (result != ISC_R_SUCCESS)
2060 result = dns_db_allrdatasets(db, node, ver,
2061 (isc_stdtime_t) 0, &iter);
2062 if (result != ISC_R_SUCCESS)
2065 for (result = dns_rdatasetiter_first(iter);
2066 result == ISC_R_SUCCESS;
2067 result = dns_rdatasetiter_next(iter))
2069 dns_rdataset_t rdataset;
2070 dns_rdatatype_t type;
2073 dns_rdataset_init(&rdataset);
2074 dns_rdatasetiter_current(iter, &rdataset);
2075 type = rdataset.type;
2076 dns_rdataset_disassociate(&rdataset);
2079 * We don't need to sign unsigned NSEC records at the cut
2080 * as they are handled elsewhere.
2082 if ((type == dns_rdatatype_rrsig) ||
2083 (cut && type != dns_rdatatype_ds))
2085 result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
2087 if (result != ISC_R_SUCCESS)
2088 goto cleanup_iterator;
2091 result = add_sigs(client, zone, db, ver, name, type, diff,
2092 keys, nkeys, inception, expire, check_ksk);
2093 if (result != ISC_R_SUCCESS)
2094 goto cleanup_iterator;
2096 if (result == ISC_R_NOMORE)
2097 result = ISC_R_SUCCESS;
2100 dns_rdatasetiter_destroy(&iter);
2103 dns_db_detachnode(db, &node);
2109 * Update RRSIG, NSEC and NSEC3 records affected by an update. The original
2110 * update, including the SOA serial update but excluding the RRSIG & NSEC
2111 * changes, is in "diff" and has already been applied to "newver" of "db".
2112 * The database version prior to the update is "oldver".
2114 * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
2115 * and added (as a minimal diff) to "diff".
2117 * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
2120 update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
2121 dns_dbversion_t *oldver, dns_dbversion_t *newver,
2122 dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
2123 isc_boolean_t *deleted_zsk)
2125 isc_result_t result;
2127 dns_diff_t diffnames;
2128 dns_diff_t affected;
2129 dns_diff_t sig_diff;
2130 dns_diff_t nsec_diff;
2131 dns_diff_t nsec_mindiff;
2133 dst_key_t *zone_keys[MAXZONEKEYS];
2134 unsigned int nkeys = 0;
2136 isc_stdtime_t now, inception, expire;
2138 dns_rdata_soa_t soa;
2139 dns_rdata_t rdata = DNS_RDATA_INIT;
2140 dns_rdataset_t rdataset;
2141 dns_dbnode_t *node = NULL;
2142 isc_boolean_t check_ksk;
2143 isc_boolean_t unsecure;
2146 dns_diff_init(client->mctx, &diffnames);
2147 dns_diff_init(client->mctx, &affected);
2149 dns_diff_init(client->mctx, &sig_diff);
2150 sig_diff.resign = dns_zone_getsigresigninginterval(zone);
2151 dns_diff_init(client->mctx, &nsec_diff);
2152 dns_diff_init(client->mctx, &nsec_mindiff);
2154 result = find_zone_keys(zone, db, newver, client->mctx,
2155 MAXZONEKEYS, zone_keys, &nkeys);
2156 if (result != ISC_R_SUCCESS) {
2157 update_log(client, zone, ISC_LOG_ERROR,
2158 "could not get zone keys for secure dynamic update");
2162 isc_stdtime_get(&now);
2163 inception = now - 3600; /* Allow for some clock skew. */
2164 expire = now + sigvalidityinterval;
2167 * Do we look at the KSK flag on the DNSKEY to determining which
2168 * keys sign which RRsets? First check the zone option then
2169 * check the keys flags to make sure at least one has a ksk set
2172 check_ksk = ISC_TF((dns_zone_getoptions(zone) &
2173 DNS_ZONEOPT_UPDATECHECKKSK) != 0);
2175 * If we are not checking the ZSK flag then all DNSKEY's are
2176 * already signing all RRsets so we don't need to trigger special
2179 if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
2180 *deleted_zsk = ISC_FALSE;
2183 check_ksk = ksk_sanity(db, newver);
2184 if (!check_ksk && ksk_sanity(db, oldver))
2185 update_log(client, zone, ISC_LOG_WARNING,
2186 "disabling update-check-ksk");
2190 * If we have deleted a ZSK and we we still have some ZSK's
2191 * we don't need to convert the KSK's to a ZSK's.
2193 if (*deleted_zsk && check_ksk)
2194 *deleted_zsk = ISC_FALSE;
2197 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
2199 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
2200 dns_rdataset_init(&rdataset);
2201 CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
2202 (isc_stdtime_t) 0, &rdataset, NULL));
2203 CHECK(dns_rdataset_first(&rdataset));
2204 dns_rdataset_current(&rdataset, &rdata);
2205 CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
2206 nsecttl = soa.minimum;
2207 dns_rdataset_disassociate(&rdataset);
2208 dns_db_detachnode(db, &node);
2211 * Find all RRsets directly affected by the update, and
2212 * update their RRSIGs. Also build a list of names affected
2213 * by the update in "diffnames".
2215 CHECK(dns_diff_sort(diff, temp_order));
2217 t = ISC_LIST_HEAD(diff->tuples);
2219 dns_name_t *name = &t->name;
2220 /* Now "name" is a new, unique name affected by the update. */
2222 CHECK(namelist_append_name(&diffnames, name));
2224 while (t != NULL && dns_name_equal(&t->name, name)) {
2225 dns_rdatatype_t type;
2226 type = t->rdata.type;
2229 * Now "name" and "type" denote a new unique RRset
2230 * affected by the update.
2233 /* Don't sign RRSIGs. */
2234 if (type == dns_rdatatype_rrsig)
2238 * Delete all old RRSIGs covering this type, since they
2239 * are all invalid when the signed RRset has changed.
2240 * We may not be able to recreate all of them - tough.
2241 * Special case changes to the zone's DNSKEY records
2242 * to support offline KSKs.
2244 if (type == dns_rdatatype_dnskey)
2245 del_keysigs(db, newver, name, &sig_diff,
2248 CHECK(delete_if(true_p, db, newver, name,
2249 dns_rdatatype_rrsig, type,
2253 * If this RRset is still visible after the update,
2254 * add a new signature for it.
2256 CHECK(rrset_visible(db, newver, name, type, &flag));
2258 CHECK(add_sigs(client, zone, db, newver, name,
2259 type, &sig_diff, zone_keys,
2260 nkeys, inception, expire,
2264 /* Skip any other updates to the same RRset. */
2266 dns_name_equal(&t->name, name) &&
2267 t->rdata.type == type)
2269 t = ISC_LIST_NEXT(t, link);
2273 update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures");
2275 /* Remove orphaned NSECs and RRSIG NSECs. */
2276 for (t = ISC_LIST_HEAD(diffnames.tuples);
2278 t = ISC_LIST_NEXT(t, link))
2280 CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
2282 CHECK(delete_if(true_p, db, newver, &t->name,
2283 dns_rdatatype_any, 0,
2287 update_log(client, zone, ISC_LOG_DEBUG(3),
2288 "removed any orphaned NSEC records");
2291 * If we don't have a NSEC record at the origin then we need to
2292 * update the NSEC3 records.
2294 CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
2299 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
2302 * When a name is created or deleted, its predecessor needs to
2303 * have its NSEC updated.
2305 for (t = ISC_LIST_HEAD(diffnames.tuples);
2307 t = ISC_LIST_NEXT(t, link))
2309 isc_boolean_t existed, exists;
2310 dns_fixedname_t fixedname;
2311 dns_name_t *prevname;
2313 dns_fixedname_init(&fixedname);
2314 prevname = dns_fixedname_name(&fixedname);
2316 CHECK(name_exists(db, oldver, &t->name, &existed));
2317 CHECK(name_exists(db, newver, &t->name, &exists));
2318 if (exists == existed)
2322 * Find the predecessor.
2323 * When names become obscured or unobscured in this update
2324 * transaction, we may find the wrong predecessor because
2325 * the NSECs have not yet been updated to reflect the delegation
2326 * change. This should not matter because in this case,
2327 * the correct predecessor is either the delegation node or
2328 * a newly unobscured node, and those nodes are on the
2329 * "affected" list in any case.
2331 CHECK(next_active(client, zone, db, newver,
2332 &t->name, prevname, ISC_FALSE));
2333 CHECK(namelist_append_name(&affected, prevname));
2337 * Find names potentially affected by delegation changes
2338 * (obscured by adding an NS or DNAME, or unobscured by
2341 for (t = ISC_LIST_HEAD(diffnames.tuples);
2343 t = ISC_LIST_NEXT(t, link))
2345 isc_boolean_t ns_existed, dname_existed;
2346 isc_boolean_t ns_exists, dname_exists;
2348 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
2350 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
2352 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
2354 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
2356 if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
2359 * There was a delegation change. Mark all subdomains
2360 * of t->name as potentially needing a NSEC update.
2362 CHECK(namelist_append_subdomain(db, &t->name, &affected));
2365 ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
2366 INSIST(ISC_LIST_EMPTY(diffnames.tuples));
2368 CHECK(uniqify_name_list(&affected));
2371 * Determine which names should have NSECs, and delete/create
2372 * NSECs to make it so. We don't know the final NSEC targets yet,
2373 * so we just create placeholder NSECs with arbitrary contents
2374 * to indicate that their respective owner names should be part of
2377 for (t = ISC_LIST_HEAD(affected.tuples);
2379 t = ISC_LIST_NEXT(t, link))
2381 isc_boolean_t exists;
2382 dns_name_t *name = &t->name;
2384 CHECK(name_exists(db, newver, name, &exists));
2387 CHECK(is_active(db, newver, name, &flag, &cut, NULL));
2390 * This name is obscured. Delete any
2391 * existing NSEC record.
2393 CHECK(delete_if(true_p, db, newver, name,
2394 dns_rdatatype_nsec, 0,
2396 CHECK(delete_if(rrsig_p, db, newver, name,
2397 dns_rdatatype_any, 0, NULL, diff));
2400 * This name is not obscured. It should have a NSEC.
2402 CHECK(rrset_exists(db, newver, name,
2403 dns_rdatatype_nsec, 0, &flag));
2405 CHECK(add_placeholder_nsec(db, newver, name,
2407 CHECK(add_exposed_sigs(client, zone, db, newver, name,
2408 cut, diff, zone_keys, nkeys,
2409 inception, expire, check_ksk));
2414 * Now we know which names are part of the NSEC chain.
2415 * Make them all point at their correct targets.
2417 for (t = ISC_LIST_HEAD(affected.tuples);
2419 t = ISC_LIST_NEXT(t, link))
2421 CHECK(rrset_exists(db, newver, &t->name,
2422 dns_rdatatype_nsec, 0, &flag));
2425 * There is a NSEC, but we don't know if it is correct.
2426 * Delete it and create a correct one to be sure.
2427 * If the update was unnecessary, the diff minimization
2428 * will take care of eliminating it from the journal,
2431 * The RRSIG bit should always be set in the NSECs
2432 * we generate, because they will all get RRSIG NSECs.
2433 * (XXX what if the zone keys are missing?).
2434 * Because the RRSIG NSECs have not necessarily been
2435 * created yet, the correctness of the bit mask relies
2436 * on the assumption that NSECs are only created if
2437 * there is other data, and if there is other data,
2438 * there are other RRSIGs.
2440 CHECK(add_nsec(client, zone, db, newver, &t->name,
2441 nsecttl, &nsec_diff));
2446 * Minimize the set of NSEC updates so that we don't
2447 * have to regenerate the RRSIG NSECs for NSECs that were
2448 * replaced with identical ones.
2450 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
2451 ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
2452 dns_diff_appendminimal(&nsec_mindiff, &t);
2455 update_log(client, zone, ISC_LOG_DEBUG(3),
2456 "signing rebuilt NSEC chain");
2458 /* Update RRSIG NSECs. */
2459 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
2461 t = ISC_LIST_NEXT(t, link))
2463 if (t->op == DNS_DIFFOP_DEL) {
2464 CHECK(delete_if(true_p, db, newver, &t->name,
2465 dns_rdatatype_rrsig, dns_rdatatype_nsec,
2467 } else if (t->op == DNS_DIFFOP_ADD) {
2468 CHECK(add_sigs(client, zone, db, newver, &t->name,
2469 dns_rdatatype_nsec, &sig_diff,
2470 zone_keys, nkeys, inception, expire,
2479 /* Record our changes for the journal. */
2480 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
2481 ISC_LIST_UNLINK(sig_diff.tuples, t, link);
2482 dns_diff_appendminimal(diff, &t);
2484 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
2485 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
2486 dns_diff_appendminimal(diff, &t);
2489 INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
2490 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
2491 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
2494 * Check if we have any active NSEC3 chains by looking for a
2497 CHECK(rrset_exists(db, newver, dns_db_origin(db),
2498 dns_rdatatype_nsec3param, 0, &flag));
2500 update_log(client, zone, ISC_LOG_DEBUG(3),
2501 "no NSEC3 chains to rebuild");
2505 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
2507 dns_diff_clear(&diffnames);
2508 dns_diff_clear(&affected);
2510 CHECK(dns_diff_sort(diff, temp_order));
2513 * Find names potentially affected by delegation changes
2514 * (obscured by adding an NS or DNAME, or unobscured by
2517 t = ISC_LIST_HEAD(diff->tuples);
2519 dns_name_t *name = &t->name;
2521 isc_boolean_t ns_existed, dname_existed;
2522 isc_boolean_t ns_exists, dname_exists;
2524 if (t->rdata.type == dns_rdatatype_nsec ||
2525 t->rdata.type == dns_rdatatype_rrsig) {
2526 t = ISC_LIST_NEXT(t, link);
2530 CHECK(namelist_append_name(&affected, name));
2532 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0,
2534 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0,
2536 CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
2538 CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
2541 if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
2544 * There was a delegation change. Mark all subdomains
2545 * of t->name as potentially needing a NSEC3 update.
2547 CHECK(namelist_append_subdomain(db, name, &affected));
2550 while (t != NULL && dns_name_equal(&t->name, name))
2551 t = ISC_LIST_NEXT(t, link);
2554 for (t = ISC_LIST_HEAD(affected.tuples);
2556 t = ISC_LIST_NEXT(t, link)) {
2557 dns_name_t *name = &t->name;
2559 unsecure = ISC_FALSE; /* Silence compiler warning. */
2560 CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
2563 CHECK(delete_if(rrsig_p, db, newver, name,
2564 dns_rdatatype_any, 0, NULL, diff));
2565 CHECK(dns_nsec3_delnsec3s(db, newver, name,
2568 CHECK(add_exposed_sigs(client, zone, db, newver, name,
2569 cut, diff, zone_keys, nkeys,
2570 inception, expire, check_ksk));
2571 CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
2572 unsecure, &nsec_diff));
2577 * Minimize the set of NSEC3 updates so that we don't
2578 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
2579 * replaced with identical ones.
2581 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
2582 ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
2583 dns_diff_appendminimal(&nsec_mindiff, &t);
2586 update_log(client, zone, ISC_LOG_DEBUG(3),
2587 "signing rebuilt NSEC3 chain");
2589 /* Update RRSIG NSEC3s. */
2590 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
2592 t = ISC_LIST_NEXT(t, link))
2594 if (t->op == DNS_DIFFOP_DEL) {
2595 CHECK(delete_if(true_p, db, newver, &t->name,
2596 dns_rdatatype_rrsig,
2597 dns_rdatatype_nsec3,
2599 } else if (t->op == DNS_DIFFOP_ADD) {
2600 CHECK(add_sigs(client, zone, db, newver, &t->name,
2601 dns_rdatatype_nsec3,
2602 &sig_diff, zone_keys, nkeys,
2603 inception, expire, check_ksk));
2609 /* Record our changes for the journal. */
2610 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
2611 ISC_LIST_UNLINK(sig_diff.tuples, t, link);
2612 dns_diff_appendminimal(diff, &t);
2614 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
2615 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
2616 dns_diff_appendminimal(diff, &t);
2619 INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
2620 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
2621 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
2624 dns_diff_clear(&sig_diff);
2625 dns_diff_clear(&nsec_diff);
2626 dns_diff_clear(&nsec_mindiff);
2628 dns_diff_clear(&affected);
2629 dns_diff_clear(&diffnames);
2631 for (i = 0; i < nkeys; i++)
2632 dst_key_free(&zone_keys[i]);
2638 /**************************************************************************/
2640 * The actual update code in all its glory. We try to follow
2641 * the RFC2136 pseudocode as closely as possible.
2645 send_update_event(ns_client_t *client, dns_zone_t *zone) {
2646 isc_result_t result = ISC_R_SUCCESS;
2647 update_event_t *event = NULL;
2648 isc_task_t *zonetask = NULL;
2649 ns_client_t *evclient;
2651 event = (update_event_t *)
2652 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
2653 update_action, NULL, sizeof(*event));
2655 FAIL(ISC_R_NOMEMORY);
2657 event->result = ISC_R_SUCCESS;
2660 ns_client_attach(client, &evclient);
2661 INSIST(client->nupdates == 0);
2663 event->ev_arg = evclient;
2665 dns_zone_gettask(zone, &zonetask);
2666 isc_task_send(zonetask, ISC_EVENT_PTR(&event));
2670 isc_event_free(ISC_EVENT_PTR(&event));
2675 respond(ns_client_t *client, isc_result_t result) {
2676 isc_result_t msg_result;
2678 msg_result = dns_message_reply(client->message, ISC_TRUE);
2679 if (msg_result != ISC_R_SUCCESS)
2681 client->message->rcode = dns_result_torcode(result);
2683 ns_client_send(client);
2687 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
2689 "could not create update response message: %s",
2690 isc_result_totext(msg_result));
2691 ns_client_next(client, msg_result);
2695 ns_update_start(ns_client_t *client, isc_result_t sigresult) {
2696 dns_message_t *request = client->message;
2697 isc_result_t result;
2698 dns_name_t *zonename;
2699 dns_rdataset_t *zone_rdataset;
2700 dns_zone_t *zone = NULL;
2703 * Interpret the zone section.
2705 result = dns_message_firstname(request, DNS_SECTION_ZONE);
2706 if (result != ISC_R_SUCCESS)
2707 FAILC(DNS_R_FORMERR, "update zone section empty");
2710 * The zone section must contain exactly one "question", and
2711 * it must be of type SOA.
2714 dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
2715 zone_rdataset = ISC_LIST_HEAD(zonename->list);
2716 if (zone_rdataset->type != dns_rdatatype_soa)
2717 FAILC(DNS_R_FORMERR,
2718 "update zone section contains non-SOA");
2719 if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
2720 FAILC(DNS_R_FORMERR,
2721 "update zone section contains multiple RRs");
2723 /* The zone section must have exactly one name. */
2724 result = dns_message_nextname(request, DNS_SECTION_ZONE);
2725 if (result != ISC_R_NOMORE)
2726 FAILC(DNS_R_FORMERR,
2727 "update zone section contains multiple RRs");
2729 result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
2731 if (result != ISC_R_SUCCESS)
2732 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
2734 switch(dns_zone_gettype(zone)) {
2735 case dns_zone_master:
2737 * We can now fail due to a bad signature as we now know
2738 * that we are the master.
2740 if (sigresult != ISC_R_SUCCESS)
2742 CHECK(send_update_event(client, zone));
2744 case dns_zone_slave:
2745 CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
2746 "update forwarding", zonename, ISC_TRUE,
2748 CHECK(send_forward_event(client, zone));
2751 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
2756 if (result == DNS_R_REFUSED) {
2757 INSIST(dns_zone_gettype(zone) == dns_zone_slave);
2758 inc_stats(zone, dns_nsstatscounter_updaterej);
2761 * We failed without having sent an update event to the zone.
2762 * We are still in the client task context, so we can
2763 * simply give an error response without switching tasks.
2765 respond(client, result);
2767 dns_zone_detach(&zone);
2771 * DS records are not allowed to exist without corresponding NS records,
2772 * RFC 3658, 2.2 Protocol Change,
2773 * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
2777 remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
2778 isc_result_t result;
2779 isc_boolean_t ns_exists;
2780 dns_difftuple_t *tupple;
2781 dns_diff_t temp_diff;
2783 dns_diff_init(diff->mctx, &temp_diff);
2785 for (tupple = ISC_LIST_HEAD(diff->tuples);
2787 tupple = ISC_LIST_NEXT(tupple, link)) {
2788 if (!((tupple->op == DNS_DIFFOP_DEL &&
2789 tupple->rdata.type == dns_rdatatype_ns) ||
2790 (tupple->op == DNS_DIFFOP_ADD &&
2791 tupple->rdata.type == dns_rdatatype_ds)))
2793 CHECK(rrset_exists(db, newver, &tupple->name,
2794 dns_rdatatype_ns, 0, &ns_exists));
2796 !dns_name_equal(&tupple->name, dns_db_origin(db)))
2798 CHECK(delete_if(true_p, db, newver, &tupple->name,
2799 dns_rdatatype_ds, 0, NULL, &temp_diff));
2801 result = ISC_R_SUCCESS;
2804 for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
2806 tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
2807 ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
2808 dns_diff_appendminimal(diff, &tupple);
2814 * This implements the post load integrity checks for mx records.
2817 check_mx(ns_client_t *client, dns_zone_t *zone,
2818 dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
2820 char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
2821 char ownerbuf[DNS_NAME_FORMATSIZE];
2822 char namebuf[DNS_NAME_FORMATSIZE];
2823 char altbuf[DNS_NAME_FORMATSIZE];
2825 dns_fixedname_t fixed;
2826 dns_name_t *foundname;
2829 isc_boolean_t ok = ISC_TRUE;
2830 isc_boolean_t isaddress;
2831 isc_result_t result;
2832 struct in6_addr addr6;
2833 struct in_addr addr;
2834 unsigned int options;
2836 dns_fixedname_init(&fixed);
2837 foundname = dns_fixedname_name(&fixed);
2838 dns_rdata_init(&rdata);
2839 options = dns_zone_getoptions(zone);
2841 for (t = ISC_LIST_HEAD(diff->tuples);
2843 t = ISC_LIST_NEXT(t, link)) {
2844 if (t->op != DNS_DIFFOP_ADD ||
2845 t->rdata.type != dns_rdatatype_mx)
2848 result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
2849 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2851 * Check if we will error out if we attempt to reload the
2854 dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
2855 dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
2856 isaddress = ISC_FALSE;
2857 if ((options & DNS_RDATA_CHECKMX) != 0 &&
2858 strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
2859 if (tmp[strlen(tmp) - 1] == '.')
2860 tmp[strlen(tmp) - 1] = '\0';
2861 if (inet_aton(tmp, &addr) == 1 ||
2862 inet_pton(AF_INET6, tmp, &addr6) == 1)
2863 isaddress = ISC_TRUE;
2866 if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
2867 update_log(client, zone, ISC_LOG_ERROR,
2870 dns_result_totext(DNS_R_MXISADDRESS));
2872 } else if (isaddress) {
2873 update_log(client, zone, ISC_LOG_WARNING,
2874 "%s/MX: warning: '%s': %s",
2876 dns_result_totext(DNS_R_MXISADDRESS));
2880 * Check zone integrity checks.
2882 if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
2884 result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
2885 0, 0, NULL, foundname, NULL, NULL);
2886 if (result == ISC_R_SUCCESS)
2889 if (result == DNS_R_NXRRSET) {
2890 result = dns_db_find(db, &mx.mx, newver,
2892 0, 0, NULL, foundname,
2894 if (result == ISC_R_SUCCESS)
2898 if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
2899 update_log(client, zone, ISC_LOG_ERROR,
2900 "%s/MX '%s' has no address records "
2901 "(A or AAAA)", ownerbuf, namebuf);
2903 } else if (result == DNS_R_CNAME) {
2904 update_log(client, zone, ISC_LOG_ERROR,
2905 "%s/MX '%s' is a CNAME (illegal)",
2908 } else if (result == DNS_R_DNAME) {
2909 dns_name_format(foundname, altbuf, sizeof altbuf);
2910 update_log(client, zone, ISC_LOG_ERROR,
2911 "%s/MX '%s' is below a DNAME '%s' (illegal)",
2912 ownerbuf, namebuf, altbuf);
2916 return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
2920 rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
2921 const dns_rdata_t *rdata, isc_boolean_t *flag)
2923 dns_rdataset_t rdataset;
2924 dns_dbnode_t *node = NULL;
2925 isc_result_t result;
2927 dns_rdataset_init(&rdataset);
2928 if (rdata->type == dns_rdatatype_nsec3)
2929 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
2931 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
2932 result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
2933 (isc_stdtime_t) 0, &rdataset, NULL);
2934 if (result == ISC_R_NOTFOUND) {
2936 result = ISC_R_SUCCESS;
2940 for (result = dns_rdataset_first(&rdataset);
2941 result == ISC_R_SUCCESS;
2942 result = dns_rdataset_next(&rdataset)) {
2943 dns_rdata_t myrdata = DNS_RDATA_INIT;
2944 dns_rdataset_current(&rdataset, &myrdata);
2945 if (!dns_rdata_compare(&myrdata, rdata))
2948 dns_rdataset_disassociate(&rdataset);
2949 if (result == ISC_R_SUCCESS) {
2951 } else if (result == ISC_R_NOMORE) {
2953 result = ISC_R_SUCCESS;
2958 dns_db_detachnode(db, &node);
2963 get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
2964 dns_dbnode_t *node = NULL;
2965 dns_rdata_nsec3param_t nsec3param;
2966 dns_rdataset_t rdataset;
2967 isc_result_t result;
2968 unsigned int iterations = 0;
2970 dns_rdataset_init(&rdataset);
2972 result = dns_db_getoriginnode(db, &node);
2973 if (result != ISC_R_SUCCESS)
2975 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
2976 0, (isc_stdtime_t) 0, &rdataset, NULL);
2977 dns_db_detachnode(db, &node);
2978 if (result == ISC_R_NOTFOUND)
2980 if (result != ISC_R_SUCCESS)
2983 for (result = dns_rdataset_first(&rdataset);
2984 result == ISC_R_SUCCESS;
2985 result = dns_rdataset_next(&rdataset)) {
2986 dns_rdata_t rdata = DNS_RDATA_INIT;
2987 dns_rdataset_current(&rdataset, &rdata);
2988 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
2989 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
2991 if (nsec3param.iterations > iterations)
2992 iterations = nsec3param.iterations;
2994 if (result != ISC_R_NOMORE)
2998 *iterationsp = iterations;
2999 result = ISC_R_SUCCESS;
3002 if (dns_rdataset_isassociated(&rdataset))
3003 dns_rdataset_disassociate(&rdataset);
3008 * Prevent the zone entering a inconsistent state where
3009 * NSEC only DNSKEYs are present with NSEC3 chains.
3012 check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
3013 dns_dbversion_t *ver, dns_diff_t *diff)
3015 dns_diff_t temp_diff;
3017 dns_difftuple_t *tuple, *newtuple = NULL, *next;
3019 isc_result_t result;
3020 unsigned int iterations = 0, max;
3022 dns_diff_init(diff->mctx, &temp_diff);
3024 CHECK(dns_nsec_nseconly(db, ver, &flag));
3027 CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
3029 update_log(client, zone, ISC_LOG_WARNING,
3030 "NSEC only DNSKEYs and NSEC3 chains not allowed");
3032 CHECK(get_iterations(db, ver, &iterations));
3033 CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
3034 if (iterations > max) {
3036 update_log(client, zone, ISC_LOG_WARNING,
3037 "too many NSEC3 iterations (%u) for "
3038 "weakest DNSKEY (%u)", iterations, max);
3042 for (tuple = ISC_LIST_HEAD(diff->tuples);
3045 next = ISC_LIST_NEXT(tuple, link);
3046 if (tuple->rdata.type != dns_rdatatype_dnskey &&
3047 tuple->rdata.type != dns_rdatatype_nsec3param)
3049 op = (tuple->op == DNS_DIFFOP_DEL) ?
3050 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
3051 CHECK(dns_difftuple_create(temp_diff.mctx, op,
3052 &tuple->name, tuple->ttl,
3053 &tuple->rdata, &newtuple));
3054 CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
3055 INSIST(newtuple == NULL);
3057 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3059 tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
3060 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3061 dns_diff_appendminimal(diff, &tuple);
3067 dns_diff_clear(&temp_diff);
3071 #ifdef ALLOW_NSEC3PARAM_UPDATE
3073 * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
3076 add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
3077 dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
3079 isc_result_t result = ISC_R_SUCCESS;
3080 dns_difftuple_t *tuple, *newtuple = NULL, *next;
3081 dns_rdata_t rdata = DNS_RDATA_INIT;
3082 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3083 dns_diff_t temp_diff;
3087 update_log(client, zone, ISC_LOG_DEBUG(3),
3088 "checking for NSEC3PARAM changes");
3090 dns_diff_init(diff->mctx, &temp_diff);
3093 * Extract NSEC3PARAM tuples from list.
3095 for (tuple = ISC_LIST_HEAD(diff->tuples);
3099 next = ISC_LIST_NEXT(tuple, link);
3101 if (tuple->rdata.type != dns_rdatatype_nsec3param ||
3102 !dns_name_equal(name, &tuple->name))
3104 ISC_LIST_UNLINK(diff->tuples, tuple, link);
3105 ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
3108 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3109 tuple != NULL; tuple = next) {
3111 if (tuple->op == DNS_DIFFOP_ADD) {
3112 next = ISC_LIST_NEXT(tuple, link);
3113 while (next != NULL) {
3114 unsigned char *next_data = next->rdata.data;
3115 unsigned char *tuple_data = tuple->rdata.data;
3116 if (next_data[0] != tuple_data[0] ||
3118 next_data[2] != tuple_data[2] ||
3119 next_data[3] != tuple_data[3] ||
3120 next_data[4] != tuple_data[4] ||
3121 !memcmp(&next_data[5], &tuple_data[5],
3123 next = ISC_LIST_NEXT(next, link);
3126 op = (next->op == DNS_DIFFOP_DEL) ?
3127 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
3128 CHECK(dns_difftuple_create(diff->mctx, op,
3132 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3133 ISC_LIST_UNLINK(temp_diff.tuples, next, link);
3134 dns_diff_appendminimal(diff, &next);
3135 next = ISC_LIST_NEXT(tuple, link);
3138 INSIST(tuple->rdata.data[1] & DNS_NSEC3FLAG_UPDATE);
3141 * See if we already have a CREATE request in progress.
3143 dns_rdata_clone(&tuple->rdata, &rdata);
3144 INSIST(rdata.length <= sizeof(buf));
3145 memcpy(buf, rdata.data, rdata.length);
3146 buf[1] |= DNS_NSEC3FLAG_CREATE;
3147 buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
3150 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3153 CHECK(dns_difftuple_create(diff->mctx,
3158 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3161 * Remove the temporary add record.
3163 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
3165 &tuple->rdata, &newtuple));
3166 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3167 next = ISC_LIST_NEXT(tuple, link);
3168 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3169 dns_diff_appendminimal(diff, &tuple);
3170 dns_rdata_reset(&rdata);
3172 next = ISC_LIST_NEXT(tuple, link);
3176 * Reverse any pending changes.
3178 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3179 tuple != NULL; tuple = next) {
3180 next = ISC_LIST_NEXT(tuple, link);
3181 if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
3182 op = (tuple->op == DNS_DIFFOP_DEL) ?
3183 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
3184 CHECK(dns_difftuple_create(diff->mctx, op, name,
3185 tuple->ttl, &tuple->rdata,
3187 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3188 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3189 dns_diff_appendminimal(diff, &tuple);
3194 * Convert deletions into delayed deletions.
3196 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3197 tuple != NULL; tuple = next) {
3198 next = ISC_LIST_NEXT(tuple, link);
3200 * See if we already have a REMOVE request in progress.
3202 dns_rdata_clone(&tuple->rdata, &rdata);
3203 INSIST(rdata.length <= sizeof(buf));
3204 memcpy(buf, rdata.data, rdata.length);
3205 buf[1] |= DNS_NSEC3FLAG_REMOVE;
3208 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3211 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
3212 name, tuple->ttl, &rdata,
3214 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3216 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
3217 tuple->ttl, &tuple->rdata,
3219 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3220 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3221 dns_diff_appendminimal(diff, &tuple);
3222 dns_rdata_reset(&rdata);
3225 result = ISC_R_SUCCESS;
3227 dns_diff_clear(&temp_diff);
3233 * Add records to cause the delayed signing of the zone by added DNSKEY
3234 * to remove the RRSIG records generated by a deleted DNSKEY.
3237 add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
3238 dns_rdatatype_t privatetype, dns_diff_t *diff)
3240 dns_difftuple_t *tuple, *newtuple = NULL;
3241 dns_rdata_dnskey_t dnskey;
3242 dns_rdata_t rdata = DNS_RDATA_INIT;
3245 isc_result_t result = ISC_R_SUCCESS;
3247 unsigned char buf[5];
3249 for (tuple = ISC_LIST_HEAD(diff->tuples);
3251 tuple = ISC_LIST_NEXT(tuple, link)) {
3252 if (tuple->rdata.type != dns_rdatatype_dnskey)
3255 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
3257 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
3258 != DNS_KEYOWNER_ZONE)
3261 dns_rdata_toregion(&tuple->rdata, &r);
3262 keyid = dst_region_computeid(&r, dnskey.algorithm);
3264 buf[0] = dnskey.algorithm;
3265 buf[1] = (keyid & 0xff00) >> 8;
3266 buf[2] = (keyid & 0xff);
3267 buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
3270 rdata.length = sizeof(buf);
3271 rdata.type = privatetype;
3272 rdata.rdclass = tuple->rdata.rdclass;
3274 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3277 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
3278 name, 0, &rdata, &newtuple));
3279 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3280 INSIST(newtuple == NULL);
3282 * Remove any record which says this operation has already
3286 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3288 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
3289 name, 0, &rdata, &newtuple));
3290 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3291 INSIST(newtuple == NULL);
3298 #ifdef ALLOW_NSEC3PARAM_UPDATE
3300 * Mark all NSEC3 chains for deletion without creating a NSEC chain as
3301 * a side effect of deleting the last chain.
3304 delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
3307 dns_dbnode_t *node = NULL;
3308 dns_difftuple_t *tuple = NULL;
3310 dns_rdata_t rdata = DNS_RDATA_INIT;
3311 dns_rdataset_t rdataset;
3313 isc_result_t result = ISC_R_SUCCESS;
3314 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3316 dns_name_init(&next, NULL);
3317 dns_rdataset_init(&rdataset);
3319 result = dns_db_getoriginnode(db, &node);
3320 if (result != ISC_R_SUCCESS)
3324 * Cause all NSEC3 chains to be deleted.
3326 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
3327 0, (isc_stdtime_t) 0, &rdataset, NULL);
3328 if (result == ISC_R_NOTFOUND)
3330 if (result != ISC_R_SUCCESS)
3333 for (result = dns_rdataset_first(&rdataset);
3334 result == ISC_R_SUCCESS;
3335 result = dns_rdataset_next(&rdataset)) {
3336 dns_rdataset_current(&rdataset, &rdata);
3337 INSIST(rdata.length <= sizeof(buf));
3338 memcpy(buf, rdata.data, rdata.length);
3340 if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
3341 dns_rdata_reset(&rdata);
3345 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
3346 origin, 0, &rdata, &tuple));
3347 CHECK(do_one_tuple(&tuple, db, ver, diff));
3348 INSIST(tuple == NULL);
3350 buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
3353 CHECK(rr_exists(db, ver, origin, &rdata, &flag));
3356 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
3357 origin, 0, &rdata, &tuple));
3358 CHECK(do_one_tuple(&tuple, db, ver, diff));
3359 INSIST(tuple == NULL);
3361 dns_rdata_reset(&rdata);
3363 if (result != ISC_R_NOMORE)
3366 result = ISC_R_SUCCESS;
3369 if (dns_rdataset_isassociated(&rdataset))
3370 dns_rdataset_disassociate(&rdataset);
3371 dns_db_detachnode(db, &node);
3377 update_action(isc_task_t *task, isc_event_t *event) {
3378 update_event_t *uev = (update_event_t *) event;
3379 dns_zone_t *zone = uev->zone;
3380 ns_client_t *client = (ns_client_t *)event->ev_arg;
3382 isc_result_t result;
3383 dns_db_t *db = NULL;
3384 dns_dbversion_t *oldver = NULL;
3385 dns_dbversion_t *ver = NULL;
3386 dns_diff_t diff; /* Pending updates. */
3387 dns_diff_t temp; /* Pending RR existence assertions. */
3388 isc_boolean_t soa_serial_changed = ISC_FALSE;
3389 isc_mem_t *mctx = client->mctx;
3390 dns_rdatatype_t covers;
3391 dns_message_t *request = client->message;
3392 dns_rdataclass_t zoneclass;
3393 dns_name_t *zonename;
3394 dns_ssutable_t *ssutable = NULL;
3395 dns_fixedname_t tmpnamefixed;
3396 dns_name_t *tmpname = NULL;
3397 unsigned int options;
3398 isc_boolean_t deleted_zsk;
3399 dns_difftuple_t *tuple;
3400 dns_rdata_dnskey_t dnskey;
3401 #ifdef ALLOW_NSEC3PARAM_UPDATE
3402 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3404 #if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
3405 isc_boolean_t had_dnskey;
3408 INSIST(event->ev_type == DNS_EVENT_UPDATE);
3410 dns_diff_init(mctx, &diff);
3411 dns_diff_init(mctx, &temp);
3413 CHECK(dns_zone_getdb(zone, &db));
3414 zonename = dns_db_origin(db);
3415 zoneclass = dns_db_class(db);
3416 dns_zone_getssutable(zone, &ssutable);
3417 dns_db_currentversion(db, &oldver);
3418 CHECK(dns_db_newversion(db, &ver));
3421 * Check prerequisites.
3424 for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
3425 result == ISC_R_SUCCESS;
3426 result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
3428 dns_name_t *name = NULL;
3429 dns_rdata_t rdata = DNS_RDATA_INIT;
3431 dns_rdataclass_t update_class;
3434 get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
3435 &name, &rdata, &covers, &ttl, &update_class);
3438 PREREQFAILC(DNS_R_FORMERR,
3439 "prerequisite TTL is not zero");
3441 if (! dns_name_issubdomain(name, zonename))
3442 PREREQFAILN(DNS_R_NOTZONE, name,
3443 "prerequisite name is out of zone");
3445 if (update_class == dns_rdataclass_any) {
3446 if (rdata.length != 0)
3447 PREREQFAILC(DNS_R_FORMERR,
3448 "class ANY prerequisite "
3449 "RDATA is not empty");
3450 if (rdata.type == dns_rdatatype_any) {
3451 CHECK(name_exists(db, ver, name, &flag));
3453 PREREQFAILN(DNS_R_NXDOMAIN, name,
3459 CHECK(rrset_exists(db, ver, name,
3460 rdata.type, covers, &flag));
3462 /* RRset does not exist. */
3463 PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
3464 "'rrset exists (value independent)' "
3465 "prerequisite not satisfied");
3468 } else if (update_class == dns_rdataclass_none) {
3469 if (rdata.length != 0)
3470 PREREQFAILC(DNS_R_FORMERR,
3471 "class NONE prerequisite "
3472 "RDATA is not empty");
3473 if (rdata.type == dns_rdatatype_any) {
3474 CHECK(name_exists(db, ver, name, &flag));
3476 PREREQFAILN(DNS_R_YXDOMAIN, name,
3477 "'name not in use' "
3482 CHECK(rrset_exists(db, ver, name,
3483 rdata.type, covers, &flag));
3486 PREREQFAILNT(DNS_R_YXRRSET, name,
3488 "'rrset does not exist' "
3493 } else if (update_class == zoneclass) {
3494 /* "temp<rr.name, rr.type> += rr;" */
3495 result = temp_append(&temp, name, &rdata);
3496 if (result != ISC_R_SUCCESS) {
3497 UNEXPECTED_ERROR(__FILE__, __LINE__,
3498 "temp entry creation failed: %s",
3499 dns_result_totext(result));
3500 FAIL(ISC_R_UNEXPECTED);
3503 PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
3506 if (result != ISC_R_NOMORE)
3511 * Perform the final check of the "rrset exists (value dependent)"
3514 if (ISC_LIST_HEAD(temp.tuples) != NULL) {
3515 dns_rdatatype_t type;
3518 * Sort the prerequisite records by owner name,
3521 result = dns_diff_sort(&temp, temp_order);
3522 if (result != ISC_R_SUCCESS)
3523 FAILC(result, "'RRset exists (value dependent)' "
3524 "prerequisite not satisfied");
3526 dns_fixedname_init(&tmpnamefixed);
3527 tmpname = dns_fixedname_name(&tmpnamefixed);
3528 result = temp_check(mctx, &temp, db, ver, tmpname, &type);
3529 if (result != ISC_R_SUCCESS)
3530 FAILNT(result, tmpname, type,
3531 "'RRset exists (value dependent)' "
3532 "prerequisite not satisfied");
3535 update_log(client, zone, LOGLEVEL_DEBUG,
3536 "prerequisites are OK");
3539 * Check Requestor's Permissions. It seems a bit silly to do this
3540 * only after prerequisite testing, but that is what RFC2136 says.
3542 result = ISC_R_SUCCESS;
3543 if (ssutable == NULL)
3544 CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
3545 "update", zonename, ISC_FALSE, ISC_FALSE));
3546 else if (client->signer == NULL && !TCPCLIENT(client))
3547 CHECK(checkupdateacl(client, NULL, "update", zonename,
3548 ISC_FALSE, ISC_TRUE));
3550 if (dns_zone_getupdatedisabled(zone))
3551 FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
3552 "because the zone is frozen. Use "
3553 "'rndc thaw' to re-enable updates.");
3556 * Perform the Update Section Prescan.
3559 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
3560 result == ISC_R_SUCCESS;
3561 result = dns_message_nextname(request, DNS_SECTION_UPDATE))
3563 dns_name_t *name = NULL;
3564 dns_rdata_t rdata = DNS_RDATA_INIT;
3566 dns_rdataclass_t update_class;
3567 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
3568 &name, &rdata, &covers, &ttl, &update_class);
3570 if (! dns_name_issubdomain(name, zonename))
3571 FAILC(DNS_R_NOTZONE,
3572 "update RR is outside zone");
3573 if (update_class == zoneclass) {
3575 * Check for meta-RRs. The RFC2136 pseudocode says
3576 * check for ANY|AXFR|MAILA|MAILB, but the text adds
3577 * "or any other QUERY metatype"
3579 if (dns_rdatatype_ismeta(rdata.type)) {
3580 FAILC(DNS_R_FORMERR,
3581 "meta-RR in update");
3583 result = dns_zone_checknames(zone, name, &rdata);
3584 if (result != ISC_R_SUCCESS)
3585 FAIL(DNS_R_REFUSED);
3586 } else if (update_class == dns_rdataclass_any) {
3587 if (ttl != 0 || rdata.length != 0 ||
3588 (dns_rdatatype_ismeta(rdata.type) &&
3589 rdata.type != dns_rdatatype_any))
3590 FAILC(DNS_R_FORMERR,
3591 "meta-RR in update");
3592 } else if (update_class == dns_rdataclass_none) {
3594 dns_rdatatype_ismeta(rdata.type))
3595 FAILC(DNS_R_FORMERR,
3596 "meta-RR in update");
3598 update_log(client, zone, ISC_LOG_WARNING,
3599 "update RR has incorrect class %d",
3601 FAIL(DNS_R_FORMERR);
3604 * draft-ietf-dnsind-simple-secure-update-01 says
3605 * "Unlike traditional dynamic update, the client
3606 * is forbidden from updating NSEC records."
3608 if (dns_db_issecure(db)) {
3609 if (rdata.type == dns_rdatatype_nsec3) {
3610 FAILC(DNS_R_REFUSED,
3611 "explicit NSEC3 updates are not allowed "
3613 } else if (rdata.type == dns_rdatatype_nsec) {
3614 FAILC(DNS_R_REFUSED,
3615 "explicit NSEC updates are not allowed "
3617 } else if (rdata.type == dns_rdatatype_rrsig &&
3618 !dns_name_equal(name, zonename)) {
3619 FAILC(DNS_R_REFUSED,
3620 "explicit RRSIG updates are currently "
3621 "not supported in secure zones except "
3626 if (ssutable != NULL) {
3627 isc_netaddr_t *tcpaddr, netaddr;
3629 * If this is a TCP connection then pass the
3630 * address of the client through for tcp-self
3631 * and 6to4-self otherwise pass NULL. This
3632 * provides weak address based authentication.
3634 if (TCPCLIENT(client)) {
3635 isc_netaddr_fromsockaddr(&netaddr,
3640 if (rdata.type != dns_rdatatype_any) {
3641 if (!dns_ssutable_checkrules(ssutable,
3645 FAILC(DNS_R_REFUSED,
3646 "rejected by secure update");
3648 if (!ssu_checkall(db, ver, name, ssutable,
3649 client->signer, tcpaddr))
3650 FAILC(DNS_R_REFUSED,
3651 "rejected by secure update");
3655 if (result != ISC_R_NOMORE)
3658 update_log(client, zone, LOGLEVEL_DEBUG,
3659 "update section prescan OK");
3662 * Process the Update Section.
3665 options = dns_zone_getoptions(zone);
3666 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
3667 result == ISC_R_SUCCESS;
3668 result = dns_message_nextname(request, DNS_SECTION_UPDATE))
3670 dns_name_t *name = NULL;
3671 dns_rdata_t rdata = DNS_RDATA_INIT;
3673 dns_rdataclass_t update_class;
3676 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
3677 &name, &rdata, &covers, &ttl, &update_class);
3679 if (update_class == zoneclass) {
3682 * RFC1123 doesn't allow MF and MD in master zones. */
3683 if (rdata.type == dns_rdatatype_md ||
3684 rdata.type == dns_rdatatype_mf) {
3685 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3687 dns_rdatatype_format(rdata.type, typebuf,
3689 update_log(client, zone, LOGLEVEL_PROTOCOL,
3690 "attempt to add %s ignored",
3694 if ((rdata.type == dns_rdatatype_ns ||
3695 rdata.type == dns_rdatatype_dname) &&
3696 dns_name_iswildcard(name)) {
3697 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3699 dns_rdatatype_format(rdata.type, typebuf,
3701 update_log(client, zone,
3703 "attempt to add wildcard %s record "
3704 "ignored", typebuf);
3707 if (rdata.type == dns_rdatatype_cname) {
3708 CHECK(cname_incompatible_rrset_exists(db, ver,
3712 update_log(client, zone,
3714 "attempt to add CNAME "
3715 "alongside non-CNAME "
3720 CHECK(rrset_exists(db, ver, name,
3721 dns_rdatatype_cname, 0,
3724 ! dns_rdatatype_isdnssec(rdata.type))
3726 update_log(client, zone,
3728 "attempt to add non-CNAME "
3729 "alongside CNAME ignored");
3733 if (rdata.type == dns_rdatatype_soa) {
3735 CHECK(rrset_exists(db, ver, name,
3736 dns_rdatatype_soa, 0,
3739 update_log(client, zone,
3741 "attempt to create 2nd "
3745 CHECK(check_soa_increment(db, ver, &rdata,
3748 update_log(client, zone,
3750 "SOA update failed to "
3751 "increment serial, "
3755 soa_serial_changed = ISC_TRUE;
3758 #ifdef ALLOW_NSEC3PARAM_UPDATE
3759 if (rdata.type == dns_rdatatype_nsec3param) {
3761 * Ignore attempts to add NSEC3PARAM records
3762 * with any flags other than OPTOUT.
3764 if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
3765 update_log(client, zone,
3767 "attempt to add NSEC3PARAM "
3768 "record with non OPTOUT "
3774 * Set the NSEC3CHAIN creation flag.
3776 INSIST(rdata.length <= sizeof(buf));
3777 memcpy(buf, rdata.data, rdata.length);
3778 buf[1] |= DNS_NSEC3FLAG_UPDATE;
3781 * Force the TTL to zero for NSEC3PARAM records.
3786 if (rdata.type == dns_rdatatype_nsec3param) {
3787 update_log(client, zone, LOGLEVEL_PROTOCOL,
3788 "attempt to add NSEC3PARAM "
3794 if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
3795 dns_name_internalwildcard(name)) {
3796 char namestr[DNS_NAME_FORMATSIZE];
3797 dns_name_format(name, namestr,
3799 update_log(client, zone, LOGLEVEL_PROTOCOL,
3800 "warning: ownername '%s' contains "
3801 "a non-terminal wildcard", namestr);
3804 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
3805 char namestr[DNS_NAME_FORMATSIZE];
3806 char typestr[DNS_RDATATYPE_FORMATSIZE];
3807 dns_name_format(name, namestr,
3809 dns_rdatatype_format(rdata.type, typestr,
3811 update_log(client, zone, LOGLEVEL_PROTOCOL,
3812 "adding an RR at '%s' %s",
3816 /* Prepare the affected RRset for the addition. */
3818 add_rr_prepare_ctx_t ctx;
3823 ctx.update_rr = &rdata;
3824 ctx.update_rr_ttl = ttl;
3825 ctx.ignore_add = ISC_FALSE;
3826 dns_diff_init(mctx, &ctx.del_diff);
3827 dns_diff_init(mctx, &ctx.add_diff);
3828 CHECK(foreach_rr(db, ver, name, rdata.type,
3829 covers, add_rr_prepare_action,
3832 if (ctx.ignore_add) {
3833 dns_diff_clear(&ctx.del_diff);
3834 dns_diff_clear(&ctx.add_diff);
3836 CHECK(do_diff(&ctx.del_diff, db, ver,
3838 CHECK(do_diff(&ctx.add_diff, db, ver,
3840 CHECK(update_one_rr(db, ver, &diff,
3842 name, ttl, &rdata));
3845 } else if (update_class == dns_rdataclass_any) {
3846 if (rdata.type == dns_rdatatype_any) {
3847 if (isc_log_wouldlog(ns_g_lctx,
3850 char namestr[DNS_NAME_FORMATSIZE];
3851 dns_name_format(name, namestr,
3853 update_log(client, zone,
3855 "delete all rrsets from "
3856 "name '%s'", namestr);
3858 if (dns_name_equal(name, zonename)) {
3859 CHECK(delete_if(type_not_soa_nor_ns_p,
3861 dns_rdatatype_any, 0,
3864 CHECK(delete_if(type_not_dnssec,
3866 dns_rdatatype_any, 0,
3869 #ifndef ALLOW_NSEC3PARAM_UPDATE
3870 } else if (rdata.type == dns_rdatatype_nsec3param) {
3871 update_log(client, zone, LOGLEVEL_PROTOCOL,
3872 "attempt to delete a NSEC3PARAM "
3876 } else if (dns_name_equal(name, zonename) &&
3877 (rdata.type == dns_rdatatype_soa ||
3878 rdata.type == dns_rdatatype_ns)) {
3879 update_log(client, zone, LOGLEVEL_PROTOCOL,
3880 "attempt to delete all SOA "
3881 "or NS records ignored");
3884 if (isc_log_wouldlog(ns_g_lctx,
3887 char namestr[DNS_NAME_FORMATSIZE];
3888 char typestr[DNS_RDATATYPE_FORMATSIZE];
3889 dns_name_format(name, namestr,
3891 dns_rdatatype_format(rdata.type,
3894 update_log(client, zone,
3896 "deleting rrset at '%s' %s",
3899 CHECK(delete_if(true_p, db, ver, name,
3900 rdata.type, covers, &rdata,
3903 } else if (update_class == dns_rdataclass_none) {
3905 * The (name == zonename) condition appears in
3906 * RFC2136 3.4.2.4 but is missing from the pseudocode.
3908 if (dns_name_equal(name, zonename)) {
3909 if (rdata.type == dns_rdatatype_soa) {
3910 update_log(client, zone,
3912 "attempt to delete SOA "
3916 if (rdata.type == dns_rdatatype_ns) {
3918 CHECK(rr_count(db, ver, name,
3922 update_log(client, zone,
3931 update_log(client, zone,
3934 CHECK(delete_if(rr_equal_p, db, ver, name,
3935 rdata.type, covers, &rdata, &diff));
3938 if (result != ISC_R_NOMORE)
3942 * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
3943 * If they don't then back out all changes to DNSKEY/NSEC3PARAM
3946 if (! ISC_LIST_EMPTY(diff.tuples))
3947 CHECK(check_dnssec(client, zone, db, ver, &diff));
3950 * If any changes were made, increment the SOA serial number,
3951 * update RRSIGs and NSECs (if zone is secure), and write the update
3954 if (! ISC_LIST_EMPTY(diff.tuples)) {
3956 dns_journal_t *journal;
3957 isc_boolean_t has_dnskey;
3960 * Increment the SOA serial, but only if it was not
3961 * changed as a result of an update operation.
3963 if (! soa_serial_changed) {
3964 CHECK(increment_soa_serial(db, ver, &diff, mctx));
3967 CHECK(check_mx(client, zone, db, ver, &diff));
3969 CHECK(remove_orphaned_ds(db, ver, &diff));
3971 CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
3974 #if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
3975 CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
3978 #ifndef ALLOW_SECURE_TO_INSECURE
3979 if (had_dnskey && !has_dnskey) {
3980 update_log(client, zone, LOGLEVEL_PROTOCOL,
3981 "update rejected: all DNSKEY records "
3983 result = DNS_R_REFUSED;
3987 #ifndef ALLOW_INSECURE_TO_SECURE
3988 if (!had_dnskey && has_dnskey) {
3989 update_log(client, zone, LOGLEVEL_PROTOCOL,
3990 "update rejected: DNSKEY record added");
3991 result = DNS_R_REFUSED;
3997 CHECK(add_signing_records(db, zonename, ver,
3998 dns_zone_getprivatetype(zone),
4001 #ifdef ALLOW_NSEC3PARAM_UPDATE
4002 CHECK(add_nsec3param_records(client, zone, db, zonename,
4008 * We are transitioning from secure to insecure.
4009 * Cause all NSEC3 chains to be deleted. When the
4010 * the last signature for the DNSKEY records are
4011 * remove any NSEC chain present will also be removed.
4013 #ifdef ALLOW_NSEC3PARAM_UPDATE
4014 CHECK(delete_chains(db, ver, zonename, &diff));
4016 } else if (has_dnskey && dns_db_isdnssec(db)) {
4017 isc_uint32_t interval;
4018 interval = dns_zone_getsigvalidityinterval(zone);
4019 result = update_signatures(client, zone, db, oldver,
4020 ver, &diff, interval,
4022 if (result != ISC_R_SUCCESS) {
4023 update_log(client, zone,
4025 "RRSIG/NSEC/NSEC3 update failed: %s",
4026 isc_result_totext(result));
4031 journalfile = dns_zone_getjournal(zone);
4032 if (journalfile != NULL) {
4033 update_log(client, zone, LOGLEVEL_DEBUG,
4034 "writing journal %s", journalfile);
4037 result = dns_journal_open(mctx, journalfile,
4038 ISC_TRUE, &journal);
4039 if (result != ISC_R_SUCCESS)
4040 FAILS(result, "journal open failed");
4042 result = dns_journal_write_transaction(journal, &diff);
4043 if (result != ISC_R_SUCCESS) {
4044 dns_journal_destroy(&journal);
4045 FAILS(result, "journal write failed");
4048 dns_journal_destroy(&journal);
4052 * XXXRTH Just a note that this committing code will have
4053 * to change to handle databases that need two-phase
4054 * commit, but this isn't a priority.
4056 update_log(client, zone, LOGLEVEL_DEBUG,
4057 "committing update transaction");
4059 dns_db_closeversion(db, &ver, ISC_TRUE);
4062 * Mark the zone as dirty so that it will be written to disk.
4064 dns_zone_markdirty(zone);
4067 * Notify slaves of the change we just made.
4069 dns_zone_notify(zone);
4072 * Cause the zone to be signed with the key that we
4073 * have just added or have the corresponding signatures
4076 * Note: we are already committed to this course of action.
4078 for (tuple = ISC_LIST_HEAD(diff.tuples);
4080 tuple = ISC_LIST_NEXT(tuple, link)) {
4082 dns_secalg_t algorithm;
4085 if (tuple->rdata.type != dns_rdatatype_dnskey)
4088 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
4090 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
4091 != DNS_KEYOWNER_ZONE)
4094 dns_rdata_toregion(&tuple->rdata, &r);
4095 algorithm = dnskey.algorithm;
4096 keyid = dst_region_computeid(&r, algorithm);
4098 result = dns_zone_signwithkey(zone, algorithm, keyid,
4099 ISC_TF(tuple->op == DNS_DIFFOP_DEL));
4100 if (result != ISC_R_SUCCESS) {
4101 update_log(client, zone, ISC_LOG_ERROR,
4102 "dns_zone_signwithkey failed: %s",
4103 dns_result_totext(result));
4107 #ifdef ALLOW_NSEC3PARAM_UPDATE
4109 * Cause the zone to add/delete NSEC3 chains for the
4110 * deferred NSEC3PARAM changes.
4112 * Note: we are already committed to this course of action.
4114 for (tuple = ISC_LIST_HEAD(diff.tuples);
4116 tuple = ISC_LIST_NEXT(tuple, link)) {
4117 dns_rdata_nsec3param_t nsec3param;
4119 if (tuple->rdata.type != dns_rdatatype_nsec3param ||
4120 tuple->op != DNS_DIFFOP_ADD)
4123 dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
4124 if (nsec3param.flags == 0)
4127 result = dns_zone_addnsec3chain(zone, &nsec3param);
4128 if (result != ISC_R_SUCCESS) {
4129 update_log(client, zone, ISC_LOG_ERROR,
4130 "dns_zone_addnsec3chain failed: %s",
4131 dns_result_totext(result));
4136 update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
4137 dns_db_closeversion(db, &ver, ISC_TRUE);
4139 result = ISC_R_SUCCESS;
4143 if (result == DNS_R_REFUSED)
4144 inc_stats(zone, dns_nsstatscounter_updaterej);
4147 * The reason for failure should have been logged at this point.
4150 update_log(client, zone, LOGLEVEL_DEBUG,
4152 dns_db_closeversion(db, &ver, ISC_FALSE);
4156 dns_diff_clear(&temp);
4157 dns_diff_clear(&diff);
4160 dns_db_closeversion(db, &oldver, ISC_FALSE);
4165 if (ssutable != NULL)
4166 dns_ssutable_detach(&ssutable);
4168 isc_task_detach(&task);
4169 uev->result = result;
4171 INSIST(uev->zone == zone); /* we use this later */
4172 uev->ev_type = DNS_EVENT_UPDATEDONE;
4173 uev->ev_action = updatedone_action;
4174 isc_task_send(client->task, &event);
4175 INSIST(event == NULL);
4179 updatedone_action(isc_task_t *task, isc_event_t *event) {
4180 update_event_t *uev = (update_event_t *) event;
4181 ns_client_t *client = (ns_client_t *) event->ev_arg;
4185 INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
4186 INSIST(task == client->task);
4188 INSIST(client->nupdates > 0);
4189 switch (uev->result) {
4191 inc_stats(uev->zone, dns_nsstatscounter_updatedone);
4194 inc_stats(uev->zone, dns_nsstatscounter_updaterej);
4197 inc_stats(uev->zone, dns_nsstatscounter_updatefail);
4200 if (uev->zone != NULL)
4201 dns_zone_detach(&uev->zone);
4203 respond(client, uev->result);
4204 isc_event_free(&event);
4205 ns_client_detach(&client);
4209 * Update forwarding support.
4213 forward_fail(isc_task_t *task, isc_event_t *event) {
4214 ns_client_t *client = (ns_client_t *)event->ev_arg;
4218 INSIST(client->nupdates > 0);
4220 respond(client, DNS_R_SERVFAIL);
4221 isc_event_free(&event);
4222 ns_client_detach(&client);
4227 forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
4228 update_event_t *uev = arg;
4229 ns_client_t *client = uev->ev_arg;
4230 dns_zone_t *zone = uev->zone;
4232 if (result != ISC_R_SUCCESS) {
4233 INSIST(answer == NULL);
4234 uev->ev_type = DNS_EVENT_UPDATEDONE;
4235 uev->ev_action = forward_fail;
4236 inc_stats(zone, dns_nsstatscounter_updatefwdfail);
4238 uev->ev_type = DNS_EVENT_UPDATEDONE;
4239 uev->ev_action = forward_done;
4240 uev->answer = answer;
4241 inc_stats(zone, dns_nsstatscounter_updaterespfwd);
4243 isc_task_send(client->task, ISC_EVENT_PTR(&uev));
4244 dns_zone_detach(&zone);
4248 forward_done(isc_task_t *task, isc_event_t *event) {
4249 update_event_t *uev = (update_event_t *) event;
4250 ns_client_t *client = (ns_client_t *)event->ev_arg;
4254 INSIST(client->nupdates > 0);
4256 ns_client_sendraw(client, uev->answer);
4257 dns_message_destroy(&uev->answer);
4258 isc_event_free(&event);
4259 ns_client_detach(&client);
4263 forward_action(isc_task_t *task, isc_event_t *event) {
4264 update_event_t *uev = (update_event_t *) event;
4265 dns_zone_t *zone = uev->zone;
4266 ns_client_t *client = (ns_client_t *)event->ev_arg;
4267 isc_result_t result;
4269 result = dns_zone_forwardupdate(zone, client->message,
4270 forward_callback, event);
4271 if (result != ISC_R_SUCCESS) {
4272 uev->ev_type = DNS_EVENT_UPDATEDONE;
4273 uev->ev_action = forward_fail;
4274 isc_task_send(client->task, &event);
4275 inc_stats(zone, dns_nsstatscounter_updatefwdfail);
4276 dns_zone_detach(&zone);
4278 inc_stats(zone, dns_nsstatscounter_updatereqfwd);
4279 isc_task_detach(&task);
4283 send_forward_event(ns_client_t *client, dns_zone_t *zone) {
4284 isc_result_t result = ISC_R_SUCCESS;
4285 update_event_t *event = NULL;
4286 isc_task_t *zonetask = NULL;
4287 ns_client_t *evclient;
4289 event = (update_event_t *)
4290 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
4291 forward_action, NULL, sizeof(*event));
4293 FAIL(ISC_R_NOMEMORY);
4295 event->result = ISC_R_SUCCESS;
4298 ns_client_attach(client, &evclient);
4299 INSIST(client->nupdates == 0);
4301 event->ev_arg = evclient;
4303 dns_zone_gettask(zone, &zonetask);
4304 isc_task_send(zonetask, ISC_EVENT_PTR(&event));
4308 isc_event_free(ISC_EVENT_PTR(&event));