nsec3.c revision 1.1 1 1.1 christos /* $NetBSD: nsec3.c,v 1.1 2018/08/12 12:08:15 christos Exp $ */
2 1.1 christos
3 1.1 christos /*
4 1.1 christos * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 1.1 christos *
6 1.1 christos * This Source Code Form is subject to the terms of the Mozilla Public
7 1.1 christos * License, v. 2.0. If a copy of the MPL was not distributed with this
8 1.1 christos * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 1.1 christos *
10 1.1 christos * See the COPYRIGHT file distributed with this work for additional
11 1.1 christos * information regarding copyright ownership.
12 1.1 christos */
13 1.1 christos
14 1.1 christos
15 1.1 christos #include <config.h>
16 1.1 christos
17 1.1 christos #include <isc/base32.h>
18 1.1 christos #include <isc/buffer.h>
19 1.1 christos #include <isc/hex.h>
20 1.1 christos #include <isc/iterated_hash.h>
21 1.1 christos #include <isc/log.h>
22 1.1 christos #include <isc/string.h>
23 1.1 christos #include <isc/util.h>
24 1.1 christos #include <isc/safe.h>
25 1.1 christos
26 1.1 christos #include <dst/dst.h>
27 1.1 christos
28 1.1 christos #include <dns/db.h>
29 1.1 christos #include <dns/zone.h>
30 1.1 christos #include <dns/compress.h>
31 1.1 christos #include <dns/dbiterator.h>
32 1.1 christos #include <dns/diff.h>
33 1.1 christos #include <dns/fixedname.h>
34 1.1 christos #include <dns/nsec.h>
35 1.1 christos #include <dns/nsec3.h>
36 1.1 christos #include <dns/rdata.h>
37 1.1 christos #include <dns/rdatalist.h>
38 1.1 christos #include <dns/rdataset.h>
39 1.1 christos #include <dns/rdatasetiter.h>
40 1.1 christos #include <dns/rdatastruct.h>
41 1.1 christos #include <dns/result.h>
42 1.1 christos
43 1.1 christos #define CHECK(x) do { \
44 1.1 christos result = (x); \
45 1.1 christos if (result != ISC_R_SUCCESS) \
46 1.1 christos goto failure; \
47 1.1 christos } while (0)
48 1.1 christos
49 1.1 christos #define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
50 1.1 christos #define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
51 1.1 christos #define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
52 1.1 christos #define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
53 1.1 christos
/*%
 * Build the NSEC3 RDATA describing 'node' into 'buffer' and make
 * 'rdata' refer to it.
 *
 * The fixed part (hash algorithm, flags, iterations, salt and the next
 * hashed owner name) is written first; the type bitmap for the RRsets
 * present at 'node' follows.  A NULL 'node' yields an empty bitmap.
 *
 * 'buffer' must provide DNS_NSEC3_BUFFERSIZE octets; it is zeroed on
 * entry.  Returns ISC_R_SUCCESS, or the error reported while walking
 * the node's rdatasets.
 */
isc_result_t
dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
		     dns_dbnode_t *node, unsigned int hashalg,
		     unsigned int flags, unsigned int iterations,
		     const unsigned char *salt, size_t salt_length,
		     const unsigned char *nexthash, size_t hash_length,
		     unsigned char *buffer, dns_rdata_t *rdata)
{
	isc_result_t result;
	isc_region_t region;
	unsigned char *out;
	unsigned char *packed;
	unsigned char *rawmap;
	unsigned int max_type = 0;

	/*
	 * Every fixed field occupies a one- or two-octet wire slot;
	 * a larger value would be truncated when stored below.
	 */
	REQUIRE(salt_length < 256U);
	REQUIRE(hash_length < 256U);
	REQUIRE(flags <= 0xffU);
	REQUIRE(hashalg <= 0xffU);
	REQUIRE(iterations <= 0xffffU);
	if (hashalg == dns_hash_sha1)
		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);

	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);

	/*
	 * Fixed part: algorithm, flags, iterations (network byte order),
	 * length-prefixed salt, length-prefixed next hashed owner name.
	 */
	out = buffer;
	*out++ = (unsigned char)hashalg;
	*out++ = (unsigned char)flags;
	*out++ = (unsigned char)(iterations >> 8);
	*out++ = (unsigned char)iterations;
	*out++ = (unsigned char)salt_length;
	memmove(out, salt, salt_length);
	out += salt_length;
	*out++ = (unsigned char)hash_length;
	memmove(out, nexthash, hash_length);
	out += hash_length;

	region.base = buffer;
	region.length = (unsigned int)(out - buffer);

	/*
	 * The compressed bitmap ('packed') is written directly after the
	 * fixed part.  The raw one-bit-per-type map is assembled further
	 * along in the same buffer, leaving 512 octets of headroom for the
	 * window numbers and length octets that compression introduces.
	 */
	packed = region.base + region.length;
	rawmap = packed + 512;

	if (node != NULL) {
		dns_rdataset_t rdataset;
		dns_rdatasetiter_t *iter = NULL;
		isc_boolean_t have_other = ISC_FALSE;
		isc_boolean_t have_ns = ISC_FALSE;
		isc_boolean_t force_rrsig = ISC_FALSE;
		unsigned int t;

		dns_rdataset_init(&rdataset);
		result = dns_db_allrdatasets(db, node, version, 0, &iter);
		if (result != ISC_R_SUCCESS)
			return (result);

		for (result = dns_rdatasetiter_first(iter);
		     result == ISC_R_SUCCESS;
		     result = dns_rdatasetiter_next(iter))
		{
			dns_rdatatype_t type;

			dns_rdatasetiter_current(iter, &rdataset);
			type = rdataset.type;
			/*
			 * NSEC, NSEC3 and RRSIG are never listed directly;
			 * whether RRSIG is present is derived afterwards
			 * from the other types found here.
			 */
			if (type != dns_rdatatype_nsec &&
			    type != dns_rdatatype_nsec3 &&
			    type != dns_rdatatype_rrsig)
			{
				if (type > max_type)
					max_type = type;
				dns_nsec_setbit(rawmap, type, 1);
				/*
				 * SOA and DS are always signed.  Any other
				 * data is signed unless an NS RRset is also
				 * present at the name (a delegation).
				 */
				if (type == dns_rdatatype_soa ||
				    type == dns_rdatatype_ds)
					force_rrsig = ISC_TRUE;
				else if (type == dns_rdatatype_ns)
					have_ns = ISC_TRUE;
				else
					have_other = ISC_TRUE;
			}
			dns_rdataset_disassociate(&rdataset);
		}

		if (force_rrsig || (have_other && !have_ns)) {
			if (dns_rdatatype_rrsig > max_type)
				max_type = dns_rdatatype_rrsig;
			dns_nsec_setbit(rawmap, dns_rdatatype_rrsig, 1);
		}

		/*
		 * At a zone cut (NS present, SOA absent) the parent zone
		 * holds no authoritative data for the name, so deny every
		 * type that is not part of the delegation itself.
		 */
		if (dns_nsec_isset(rawmap, dns_rdatatype_ns) &&
		    !dns_nsec_isset(rawmap, dns_rdatatype_soa))
		{
			for (t = 0; t <= max_type; t++) {
				if (dns_nsec_isset(rawmap, t) &&
				    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)t))
					dns_nsec_setbit(rawmap, t, 0);
			}
		}

		dns_rdatasetiter_destroy(&iter);
		if (result != ISC_R_NOMORE)
			return (result);
	}

	/* Compress the raw map into place and close out the region. */
	packed += dns_nsec_compressbitmap(packed, rawmap, max_type);
	region.length = (unsigned int)(packed - region.base);
	INSIST(region.length <= DNS_NSEC3_BUFFERSIZE);
	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3,
			     &region);

	return (ISC_R_SUCCESS);
}
183 1.1 christos
/*%
 * Return true iff the type bitmap of the NSEC3 RR 'rdata' has the bit
 * for 'type' set.
 *
 * The bitmap is a sequence of (window, length, bits[length]) blocks.
 * The scan stops at the first window numbered above the one that
 * would hold 'type', so it relies on the windows being stored in
 * ascending order.
 */
isc_boolean_t
dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
	dns_rdata_nsec3_t nsec3;
	isc_result_t result;
	isc_boolean_t present = ISC_FALSE;
	unsigned int off = 0;

	REQUIRE(rdata != NULL);
	REQUIRE(rdata->type == dns_rdatatype_nsec3);

	/* Converting an already-parsed NSEC3 rdata is not expected to fail. */
	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
	INSIST(result == ISC_R_SUCCESS);

	while (off < nsec3.len) {
		unsigned int window, len, base;

		INSIST(off + 2 <= nsec3.len);
		window = nsec3.typebits[off];
		len = nsec3.typebits[off + 1];
		INSIST(len > 0 && len <= 32);
		off += 2;
		INSIST(off + len <= nsec3.len);

		base = window * 256;
		if (base > type) {
			/* Already past the window that could hold 'type'. */
			break;
		}
		if (base + 256 <= type) {
			/* This window lies entirely below 'type'. */
			off += len;
			continue;
		}
		/* Right window: the bit exists only if the block is long enough. */
		if (type < base + len * 8)
			present = ISC_TF(dns_nsec_isset(&nsec3.typebits[off],
							type % 256));
		break;
	}
	dns_rdata_freestruct(&nsec3);
	return (present);
}
218 1.1 christos
/*%
 * Compute the NSEC3 hashed owner name of 'name' under 'origin'.
 *
 * The lower-cased wire form of 'name' is run through the iterated
 * hash with 'hashalg', 'iterations' and 'salt'.  The raw digest is
 * left in 'rethash' (if non-NULL; it is zeroed first) and its length
 * in '*hash_length' (if non-NULL).  The digest is then rendered as
 * unpadded base32hex and appended to 'origin' to form '*result'.
 *
 * Returns DNS_R_BADALG when 'hashalg' is not supported, otherwise the
 * result of dns_name_fromtext().
 */
isc_result_t
dns_nsec3_hashname(dns_fixedname_t *result,
		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
		   size_t *hash_length, const dns_name_t *name,
		   const dns_name_t *origin,
		   dns_hash_t hashalg, unsigned int iterations,
		   const unsigned char *salt, size_t saltlength)
{
	unsigned char scratch[NSEC3_MAX_HASH_LENGTH];
	unsigned char text[DNS_NAME_FORMATSIZE];
	dns_fixedname_t lowered;
	dns_name_t *lname;
	isc_buffer_t textbuf;
	isc_region_t digest;
	size_t digestlen;

	/* Callers interested only in the owner name may pass NULL. */
	if (rethash == NULL)
		rethash = scratch;
	memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);

	/* Hash the canonical (lower-case) form of the name. */
	lname = dns_fixedname_initname(&lowered);
	dns_name_downcase(name, lname, NULL);

	digestlen = isc_iterated_hash(rethash, hashalg, iterations,
				      salt, (int)saltlength,
				      lname->ndata, lname->length);
	if (digestlen == 0U)
		return (DNS_R_BADALG);

	if (hash_length != NULL)
		*hash_length = digestlen;

	/* Render the digest as unpadded base32hex text ... */
	digest.base = rethash;
	digest.length = (unsigned int)digestlen;
	isc_buffer_init(&textbuf, text, sizeof(text));
	isc_base32hexnp_totext(&digest, 1, "", &textbuf);

	/* ... and turn that text into a name below 'origin'. */
	dns_fixedname_init(result);
	return (dns_name_fromtext(dns_fixedname_name(result), &textbuf,
				  origin, 0, NULL));
}
264 1.1 christos
/*%
 * Return the digest length in octets produced by NSEC3 hash algorithm
 * 'hash', or 0 if the algorithm is not supported.
 */
unsigned int
dns_nsec3_hashlength(dns_hash_t hash) {
	if (hash == dns_hash_sha1)
		return (ISC_SHA1_DIGESTLENGTH);
	return (0);
}
274 1.1 christos
/*%
 * Return true iff NSEC3 hash algorithm 'hash' is one this code can
 * compute (currently SHA-1 only).
 */
isc_boolean_t
dns_nsec3_supportedhash(dns_hash_t hash) {
	return (ISC_TF(hash == dns_hash_sha1));
}
283 1.1 christos
/*%
 * Apply the single change '*tuple' to version 'ver' of 'db' and, on
 * success, fold it into the pending 'diff'.
 *
 * Ensures:
 * \li '*tuple' == NULL on return: the tuple has either been freed
 *     (on failure) or handed over to 'diff' (on success).
 */
static isc_result_t
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
	     dns_diff_t *diff)
{
	dns_diff_t single;
	isc_result_t result;

	/* Wrap the tuple in a one-element diff so dns_diff_apply can take it. */
	dns_diff_init(diff->mctx, &single);
	ISC_LIST_APPEND(single.tuples, *tuple, link);

	result = dns_diff_apply(&single, db, ver);
	ISC_LIST_UNLINK(single.tuples, *tuple, link);

	if (result == ISC_R_SUCCESS) {
		/* Merge into the caller's journal entry; 'diff' now owns it. */
		dns_diff_appendminimal(diff, tuple);
	} else {
		dns_difftuple_free(tuple);
	}

	/* 'single' is intentionally not cleared: it no longer owns anything. */
	return (result);
}
325 1.1 christos
/*%
 * Set '*exists' to true iff 'name' has at least one rdataset in
 * 'version' of 'db', to false otherwise.
 *
 * A name with no node, or a node with no rdatasets, is reported as
 * not existing with ISC_R_SUCCESS.  On any other error '*exists' is
 * left untouched and the error is returned.
 */
static isc_result_t
name_exists(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	    isc_boolean_t *exists)
{
	isc_result_t result;
	dns_dbnode_t *node = NULL;
	dns_rdatasetiter_t *iter = NULL;

	result = dns_db_findnode(db, name, ISC_FALSE, &node);
	if (result == ISC_R_NOTFOUND) {
		*exists = ISC_FALSE;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_allrdatasets(db, node, version,
				     (isc_stdtime_t) 0, &iter);
	if (result == ISC_R_SUCCESS) {
		/* One successful step of the iterator is proof of data. */
		result = dns_rdatasetiter_first(iter);
		*exists = ISC_TF(result == ISC_R_SUCCESS);
		if (result == ISC_R_NOMORE)
			result = ISC_R_SUCCESS;
		dns_rdatasetiter_destroy(&iter);
	}

	dns_db_detachnode(db, &node);
	return (result);
}
364 1.1 christos
/*%
 * Return true iff the NSEC3 RR 'nsec3' belongs to the chain described
 * by 'nsec3param': same hash algorithm, iteration count and salt.
 *
 * The salt bytes are compared only after the two salt lengths are
 * known to be equal, so memcmp() cannot read past the shorter salt.
 */
static isc_boolean_t
match_nsec3param(const dns_rdata_nsec3_t *nsec3,
		 const dns_rdata_nsec3param_t *nsec3param)
{
	if (nsec3->hash != nsec3param->hash)
		return (ISC_FALSE);
	if (nsec3->iterations != nsec3param->iterations)
		return (ISC_FALSE);
	if (nsec3->salt_length != nsec3param->salt_length)
		return (ISC_FALSE);
	return (ISC_TF(memcmp(nsec3->salt, nsec3param->salt,
			      nsec3->salt_length) == 0));
}
376 1.1 christos
/*%
 * Delete every NSEC3 RR at 'name' whose chain parameters match
 * 'nsec3param', applying each deletion to 'version' of 'db' and
 * recording it in 'diff'.
 *
 * A missing NSEC3 node, or a node without an NSEC3 RRset, is not an
 * error and yields ISC_R_SUCCESS.
 */
static isc_result_t
delnsec3(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_nsec3_t nsec3;
	dns_rdataset_t rdataset;
	isc_result_t result;

	result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
	if (result == ISC_R_NOTFOUND)
		return (ISC_R_SUCCESS);
	if (result != ISC_R_SUCCESS)
		return (result);

	dns_rdataset_init(&rdataset);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);
	if (result != ISC_R_SUCCESS) {
		/* Nothing to delete is fine; any other failure propagates. */
		if (result == ISC_R_NOTFOUND)
			result = ISC_R_SUCCESS;
		goto cleanup_node;
	}

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
		if (result != ISC_R_SUCCESS)
			goto failure;

		/* Leave NSEC3s belonging to other chains alone. */
		if (!match_nsec3param(&nsec3, nsec3param))
			continue;

		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
					      rdataset.ttl, &rdata, &tuple);
		if (result != ISC_R_SUCCESS)
			goto failure;
		result = do_one_tuple(&tuple, db, version, diff);
		if (result != ISC_R_SUCCESS)
			goto failure;
	}
	/* Running off the end of the RRset is the normal way out. */
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

 failure:
	dns_rdataset_disassociate(&rdataset);
 cleanup_node:
	dns_db_detachnode(db, &node);
	return (result);
}
438 1.1 christos
/*%
 * Return true iff 'rdata' (NSEC3PARAM wire form) describes the same
 * chain as 'param' -- equal hash algorithm (octet 0), iterations
 * (octets 2-3) and salt (length at octet 4, bytes from octet 5) --
 * and is not itself flagged REMOVE.
 *
 * The lengths are compared first so that the salt memcmp() stays
 * inside both rdata.  This assumes both rdata are wire-validated,
 * i.e. the salt length octet is consistent with the total length.
 */
static isc_boolean_t
same_chain(const dns_rdata_t *rdata, const dns_rdata_t *param) {
	if (rdata->length != param->length)
		return (ISC_FALSE);
	if (rdata->data[0] != param->data[0])
		return (ISC_FALSE);
	if (REMOVE(rdata->data[1]))
		return (ISC_FALSE);
	if (rdata->data[2] != param->data[2] ||
	    rdata->data[3] != param->data[3])
		return (ISC_FALSE);
	if (rdata->data[4] != param->data[4])
		return (ISC_FALSE);
	return (ISC_TF(memcmp(&rdata->data[5], &param->data[5],
			      param->data[4]) == 0));
}

/*%
 * Return true if 'param' is flagged REMOVE, or if 'nsec3paramset'
 * (NSEC3PARAM records, or private-type records convertible to them)
 * holds a non-REMOVE record for the same chain that carries CREATE
 * while 'param' does not.  Otherwise return false.
 */
static isc_boolean_t
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
	dns_rdataset_t rdataset;
	isc_result_t result;
	isc_boolean_t better = ISC_FALSE;

	if (REMOVE(param->data[1]))
		return (ISC_TRUE);

	/* Iterate over a clone so the caller's cursor is undisturbed. */
	dns_rdataset_init(&rdataset);
	dns_rdataset_clone(nsec3paramset, &rdataset);
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		if (rdataset.type == dns_rdatatype_nsec3param) {
			dns_rdataset_current(&rdataset, &rdata);
		} else {
			/* Private-type record: rewrite it as NSEC3PARAM first. */
			dns_rdata_t tmprdata = DNS_RDATA_INIT;

			dns_rdataset_current(&rdataset, &tmprdata);
			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
							buf, sizeof(buf)))
				continue;
		}

		if (!same_chain(&rdata, param))
			continue;
		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
			better = ISC_TRUE;
			break;
		}
	}
	dns_rdataset_disassociate(&rdataset);
	return (better);
}
481 1.1 christos
/*%
 * Walk 'rdataset' (an NSEC3 RRset) and decode into '*nsec3' the first
 * RR whose chain parameters match 'nsec3param'.
 *
 * Returns ISC_R_SUCCESS when such an RR was found, ISC_R_NOMORE when
 * the RRset was exhausted without a match, or the error from
 * dns_rdata_tostruct().  The rdataset cursor is left on the matching
 * RR.
 */
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
	   const dns_rdata_nsec3param_t *nsec3param)
{
	isc_result_t result = dns_rdataset_first(rdataset);

	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, nsec3, NULL);
		if (result != ISC_R_SUCCESS)
			break;
		dns_rdata_reset(&rdata);
		if (match_nsec3param(nsec3, nsec3param))
			break;
		result = dns_rdataset_next(rdataset);
	}
	return (result);
}
501 1.1 christos
502 1.1 christos isc_result_t
503 1.1 christos dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
504 1.1 christos const dns_name_t *name,
505 1.1 christos const dns_rdata_nsec3param_t *nsec3param,
506 1.1 christos dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff)
507 1.1 christos {
508 1.1 christos dns_dbiterator_t *dbit = NULL;
509 1.1 christos dns_dbnode_t *node = NULL;
510 1.1 christos dns_dbnode_t *newnode = NULL;
511 1.1 christos dns_difftuple_t *tuple = NULL;
512 1.1 christos dns_fixedname_t fixed;
513 1.1 christos dns_fixedname_t fprev;
514 1.1 christos dns_hash_t hash;
515 1.1 christos dns_name_t *hashname;
516 1.1 christos dns_name_t *origin;
517 1.1 christos dns_name_t *prev;
518 1.1 christos dns_name_t empty;
519 1.1 christos dns_rdata_nsec3_t nsec3;
520 1.1 christos dns_rdata_t rdata = DNS_RDATA_INIT;
521 1.1 christos dns_rdataset_t rdataset;
522 1.1 christos int pass;
523 1.1 christos isc_boolean_t exists = ISC_FALSE;
524 1.1 christos isc_boolean_t maybe_remove_unsecure = ISC_FALSE;
525 1.1 christos isc_uint8_t flags;
526 1.1 christos isc_buffer_t buffer;
527 1.1 christos isc_result_t result;
528 1.1 christos unsigned char *old_next;
529 1.1 christos unsigned char *salt;
530 1.1 christos unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
531 1.1 christos unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
532 1.1 christos unsigned int iterations;
533 1.1 christos unsigned int labels;
534 1.1 christos size_t next_length;
535 1.1 christos unsigned int old_length;
536 1.1 christos unsigned int salt_length;
537 1.1 christos
538 1.1 christos hashname = dns_fixedname_initname(&fixed);
539 1.1 christos prev = dns_fixedname_initname(&fprev);
540 1.1 christos
541 1.1 christos dns_rdataset_init(&rdataset);
542 1.1 christos
543 1.1 christos origin = dns_db_origin(db);
544 1.1 christos
545 1.1 christos /*
546 1.1 christos * Chain parameters.
547 1.1 christos */
548 1.1 christos hash = nsec3param->hash;
549 1.1 christos iterations = nsec3param->iterations;
550 1.1 christos salt_length = nsec3param->salt_length;
551 1.1 christos salt = nsec3param->salt;
552 1.1 christos
553 1.1 christos /*
554 1.1 christos * Default flags for a new chain.
555 1.1 christos */
556 1.1 christos flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
557 1.1 christos
558 1.1 christos /*
559 1.1 christos * If this is the first NSEC3 in the chain nexthash will
560 1.1 christos * remain pointing to itself.
561 1.1 christos */
562 1.1 christos next_length = sizeof(nexthash);
563 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
564 1.1 christos name, origin, hash, iterations,
565 1.1 christos salt, salt_length));
566 1.1 christos INSIST(next_length <= sizeof(nexthash));
567 1.1 christos
568 1.1 christos /*
569 1.1 christos * Create the node if it doesn't exist and hold
570 1.1 christos * a reference to it until we have added the NSEC3.
571 1.1 christos */
572 1.1 christos CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
573 1.1 christos
574 1.1 christos /*
575 1.1 christos * Seek the iterator to the 'newnode'.
576 1.1 christos */
577 1.1 christos CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
578 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
579 1.1 christos CHECK(dns_dbiterator_pause(dbit));
580 1.1 christos result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
581 1.1 christos 0, (isc_stdtime_t) 0, &rdataset, NULL);
582 1.1 christos /*
583 1.1 christos * If we updating a existing NSEC3 then find its
584 1.1 christos * next field.
585 1.1 christos */
586 1.1 christos if (result == ISC_R_SUCCESS) {
587 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
588 1.1 christos if (result == ISC_R_SUCCESS) {
589 1.1 christos if (!CREATE(nsec3param->flags))
590 1.1 christos flags = nsec3.flags;
591 1.1 christos next_length = nsec3.next_length;
592 1.1 christos INSIST(next_length <= sizeof(nexthash));
593 1.1 christos memmove(nexthash, nsec3.next, next_length);
594 1.1 christos dns_rdataset_disassociate(&rdataset);
595 1.1 christos /*
596 1.1 christos * If the NSEC3 is not for a unsecure delegation then
597 1.1 christos * we are just updating it. If it is for a unsecure
598 1.1 christos * delegation then we need find out if we need to
599 1.1 christos * remove the NSEC3 record or not by examining the
600 1.1 christos * previous NSEC3 record.
601 1.1 christos */
602 1.1 christos if (!unsecure)
603 1.1 christos goto addnsec3;
604 1.1 christos else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
605 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
606 1.1 christos nsec3param, diff);
607 1.1 christos goto failure;
608 1.1 christos } else
609 1.1 christos maybe_remove_unsecure = ISC_TRUE;
610 1.1 christos } else {
611 1.1 christos dns_rdataset_disassociate(&rdataset);
612 1.1 christos if (result != ISC_R_NOMORE)
613 1.1 christos goto failure;
614 1.1 christos }
615 1.1 christos }
616 1.1 christos
617 1.1 christos /*
618 1.1 christos * Find the previous NSEC3 (if any) and update it if required.
619 1.1 christos */
620 1.1 christos pass = 0;
621 1.1 christos do {
622 1.1 christos result = dns_dbiterator_prev(dbit);
623 1.1 christos if (result == ISC_R_NOMORE) {
624 1.1 christos pass++;
625 1.1 christos CHECK(dns_dbiterator_last(dbit));
626 1.1 christos }
627 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
628 1.1 christos CHECK(dns_dbiterator_pause(dbit));
629 1.1 christos result = dns_db_findrdataset(db, node, version,
630 1.1 christos dns_rdatatype_nsec3, 0,
631 1.1 christos (isc_stdtime_t) 0, &rdataset,
632 1.1 christos NULL);
633 1.1 christos dns_db_detachnode(db, &node);
634 1.1 christos if (result != ISC_R_SUCCESS)
635 1.1 christos continue;
636 1.1 christos
637 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
638 1.1 christos if (result == ISC_R_NOMORE) {
639 1.1 christos dns_rdataset_disassociate(&rdataset);
640 1.1 christos continue;
641 1.1 christos }
642 1.1 christos if (result != ISC_R_SUCCESS)
643 1.1 christos goto failure;
644 1.1 christos
645 1.1 christos if (maybe_remove_unsecure) {
646 1.1 christos dns_rdataset_disassociate(&rdataset);
647 1.1 christos /*
648 1.1 christos * If we have OPTOUT set in the previous NSEC3 record
649 1.1 christos * we actually need to delete the NSEC3 record.
650 1.1 christos * Otherwise we just need to replace the NSEC3 record.
651 1.1 christos */
652 1.1 christos if (OPTOUT(nsec3.flags)) {
653 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
654 1.1 christos nsec3param, diff);
655 1.1 christos goto failure;
656 1.1 christos }
657 1.1 christos goto addnsec3;
658 1.1 christos } else {
659 1.1 christos /*
660 1.1 christos * Is this is a unsecure delegation we are adding?
661 1.1 christos * If so no change is required.
662 1.1 christos */
663 1.1 christos if (OPTOUT(nsec3.flags) && unsecure) {
664 1.1 christos dns_rdataset_disassociate(&rdataset);
665 1.1 christos goto failure;
666 1.1 christos }
667 1.1 christos }
668 1.1 christos
669 1.1 christos old_next = nsec3.next;
670 1.1 christos old_length = nsec3.next_length;
671 1.1 christos
672 1.1 christos /*
673 1.1 christos * Delete the old previous NSEC3.
674 1.1 christos */
675 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
676 1.1 christos
677 1.1 christos /*
678 1.1 christos * Fixup the previous NSEC3.
679 1.1 christos */
680 1.1 christos nsec3.next = nexthash;
681 1.1 christos nsec3.next_length = (unsigned char)next_length;
682 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
683 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
684 1.1 christos dns_rdatatype_nsec3, &nsec3,
685 1.1 christos &buffer));
686 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
687 1.1 christos rdataset.ttl, &rdata, &tuple));
688 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
689 1.1 christos INSIST(old_length <= sizeof(nexthash));
690 1.1 christos memmove(nexthash, old_next, old_length);
691 1.1 christos if (!CREATE(nsec3param->flags))
692 1.1 christos flags = nsec3.flags;
693 1.1 christos dns_rdata_reset(&rdata);
694 1.1 christos dns_rdataset_disassociate(&rdataset);
695 1.1 christos break;
696 1.1 christos } while (pass < 2);
697 1.1 christos
698 1.1 christos addnsec3:
699 1.1 christos /*
700 1.1 christos * Create the NSEC3 RDATA.
701 1.1 christos */
702 1.1 christos CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
703 1.1 christos CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
704 1.1 christos salt, salt_length, nexthash, next_length,
705 1.1 christos nsec3buf, &rdata));
706 1.1 christos dns_db_detachnode(db, &node);
707 1.1 christos
708 1.1 christos /*
709 1.1 christos * Delete the old NSEC3 and record the change.
710 1.1 christos */
711 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
712 1.1 christos /*
713 1.1 christos * Add the new NSEC3 and record the change.
714 1.1 christos */
715 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
716 1.1 christos hashname, nsecttl, &rdata, &tuple));
717 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
718 1.1 christos INSIST(tuple == NULL);
719 1.1 christos dns_rdata_reset(&rdata);
720 1.1 christos dns_db_detachnode(db, &newnode);
721 1.1 christos
722 1.1 christos /*
723 1.1 christos * Add missing NSEC3 records for empty nodes
724 1.1 christos */
725 1.1 christos dns_name_init(&empty, NULL);
726 1.1 christos dns_name_clone(name, &empty);
727 1.1 christos do {
728 1.1 christos labels = dns_name_countlabels(&empty) - 1;
729 1.1 christos if (labels <= dns_name_countlabels(origin))
730 1.1 christos break;
731 1.1 christos dns_name_getlabelsequence(&empty, 1, labels, &empty);
732 1.1 christos CHECK(name_exists(db, version, &empty, &exists));
733 1.1 christos if (exists)
734 1.1 christos break;
735 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
736 1.1 christos &empty, origin, hash, iterations,
737 1.1 christos salt, salt_length));
738 1.1 christos
739 1.1 christos /*
740 1.1 christos * Create the node if it doesn't exist and hold
741 1.1 christos * a reference to it until we have added the NSEC3
742 1.1 christos * or we discover we don't need to add make a change.
743 1.1 christos */
744 1.1 christos CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
745 1.1 christos result = dns_db_findrdataset(db, newnode, version,
746 1.1 christos dns_rdatatype_nsec3, 0,
747 1.1 christos (isc_stdtime_t) 0, &rdataset,
748 1.1 christos NULL);
749 1.1 christos if (result == ISC_R_SUCCESS) {
750 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
751 1.1 christos dns_rdataset_disassociate(&rdataset);
752 1.1 christos if (result == ISC_R_SUCCESS) {
753 1.1 christos dns_db_detachnode(db, &newnode);
754 1.1 christos break;
755 1.1 christos }
756 1.1 christos if (result != ISC_R_NOMORE)
757 1.1 christos goto failure;
758 1.1 christos }
759 1.1 christos
760 1.1 christos /*
761 1.1 christos * Find the previous NSEC3 and update it.
762 1.1 christos */
763 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
764 1.1 christos pass = 0;
765 1.1 christos do {
766 1.1 christos result = dns_dbiterator_prev(dbit);
767 1.1 christos if (result == ISC_R_NOMORE) {
768 1.1 christos pass++;
769 1.1 christos CHECK(dns_dbiterator_last(dbit));
770 1.1 christos }
771 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
772 1.1 christos CHECK(dns_dbiterator_pause(dbit));
773 1.1 christos result = dns_db_findrdataset(db, node, version,
774 1.1 christos dns_rdatatype_nsec3, 0,
775 1.1 christos (isc_stdtime_t) 0,
776 1.1 christos &rdataset, NULL);
777 1.1 christos dns_db_detachnode(db, &node);
778 1.1 christos if (result != ISC_R_SUCCESS)
779 1.1 christos continue;
780 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
781 1.1 christos if (result == ISC_R_NOMORE) {
782 1.1 christos dns_rdataset_disassociate(&rdataset);
783 1.1 christos continue;
784 1.1 christos }
785 1.1 christos if (result != ISC_R_SUCCESS)
786 1.1 christos goto failure;
787 1.1 christos
788 1.1 christos old_next = nsec3.next;
789 1.1 christos old_length = nsec3.next_length;
790 1.1 christos
791 1.1 christos /*
792 1.1 christos * Delete the old previous NSEC3.
793 1.1 christos */
794 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
795 1.1 christos
796 1.1 christos /*
797 1.1 christos * Fixup the previous NSEC3.
798 1.1 christos */
799 1.1 christos nsec3.next = nexthash;
800 1.1 christos nsec3.next_length = (unsigned char)next_length;
801 1.1 christos isc_buffer_init(&buffer, nsec3buf,
802 1.1 christos sizeof(nsec3buf));
803 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
804 1.1 christos dns_rdatatype_nsec3, &nsec3,
805 1.1 christos &buffer));
806 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
807 1.1 christos prev, rdataset.ttl, &rdata,
808 1.1 christos &tuple));
809 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
810 1.1 christos INSIST(old_length <= sizeof(nexthash));
811 1.1 christos memmove(nexthash, old_next, old_length);
812 1.1 christos if (!CREATE(nsec3param->flags))
813 1.1 christos flags = nsec3.flags;
814 1.1 christos dns_rdata_reset(&rdata);
815 1.1 christos dns_rdataset_disassociate(&rdataset);
816 1.1 christos break;
817 1.1 christos } while (pass < 2);
818 1.1 christos
819 1.1 christos INSIST(pass < 2);
820 1.1 christos
821 1.1 christos /*
822 1.1 christos * Create the NSEC3 RDATA for the empty node.
823 1.1 christos */
824 1.1 christos CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
825 1.1 christos iterations, salt, salt_length,
826 1.1 christos nexthash, next_length, nsec3buf,
827 1.1 christos &rdata));
828 1.1 christos /*
829 1.1 christos * Delete the old NSEC3 and record the change.
830 1.1 christos */
831 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
832 1.1 christos
833 1.1 christos /*
834 1.1 christos * Add the new NSEC3 and record the change.
835 1.1 christos */
836 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
837 1.1 christos hashname, nsecttl, &rdata, &tuple));
838 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
839 1.1 christos INSIST(tuple == NULL);
840 1.1 christos dns_rdata_reset(&rdata);
841 1.1 christos dns_db_detachnode(db, &newnode);
842 1.1 christos } while (1);
843 1.1 christos
844 1.1 christos /* result cannot be ISC_R_NOMORE here */
845 1.1 christos INSIST(result != ISC_R_NOMORE);
846 1.1 christos
847 1.1 christos failure:
848 1.1 christos if (dbit != NULL)
849 1.1 christos dns_dbiterator_destroy(&dbit);
850 1.1 christos if (dns_rdataset_isassociated(&rdataset))
851 1.1 christos dns_rdataset_disassociate(&rdataset);
852 1.1 christos if (node != NULL)
853 1.1 christos dns_db_detachnode(db, &node);
854 1.1 christos if (newnode != NULL)
855 1.1 christos dns_db_detachnode(db, &newnode);
856 1.1 christos return (result);
857 1.1 christos }
858 1.1 christos
/*%
 * Add NSEC3 records for "name" to every active chain of the zone,
 * recording each change in "diff".  Existing NSEC3 records for the
 * name are replaced.  A zone without an NSEC3PARAM RRset has no chains
 * and is left untouched (ISC_R_SUCCESS).
 */
isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_ttl_t nsecttl,
		    isc_boolean_t unsecure, dns_diff_t *diff)
{
	dns_dbnode_t *apex = NULL;
	dns_rdataset_t params;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	dns_rdataset_init(&params);

	/*
	 * The chain parameters live in the NSEC3PARAM RRset at the apex.
	 */
	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &params, NULL);
	dns_db_detachnode(db, &apex);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		/* No NSEC3PARAM: nothing to maintain. */
		return (ISC_R_SUCCESS);
	default:
		return (result);
	}

	/*
	 * Update each active chain; a chain whose parameters carry any
	 * flag is not considered active here.
	 */
	result = dns_rdataset_first(&params);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&params, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		if (result != ISC_R_SUCCESS)
			goto failure;

		if (nsec3param.flags == 0) {
			result = dns_nsec3_addnsec3(db, version, name,
						    &nsec3param, nsecttl,
						    unsecure, diff);
			if (result != ISC_R_SUCCESS)
				goto failure;
		}
		result = dns_rdataset_next(&params);
	}
	/* Running off the end of the RRset is the normal exit. */
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&params))
		dns_rdataset_disassociate(&params);
	if (apex != NULL)
		dns_db_detachnode(db, &apex);

	return (result);
}
921 1.1 christos
/*%
 * Convert the private-type record 'src' back into an NSEC3PARAM rdata in
 * 'target', using 'buf'/'buflen' as storage for the parsed rdata.
 *
 * Returns ISC_TRUE on success.  Returns ISC_FALSE when 'src' does not
 * start with the zero byte that marks an NSEC3PARAM private record, or
 * when the remainder does not parse as NSEC3PARAM wire data.
 */
isc_boolean_t
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
			   unsigned char *buf, size_t buflen)
{
	isc_buffer_t wire;
	isc_buffer_t store;
	dns_decompress_t dctx;
	isc_result_t result;
	unsigned int payload;

	/*
	 * Algorithm 0 (reserved by RFC 4034) identifies NSEC3PARAM records
	 * among the DNSKEY pointers that share the private type.  The
	 * length check also guards the 'src->length - 1' below against
	 * wrapping on an empty record.
	 */
	if (src->length < 1)
		return (ISC_FALSE);
	if (src->data[0] != 0)
		return (ISC_FALSE);

	payload = src->length - 1;
	isc_buffer_init(&store, buf, (unsigned int)buflen);
	isc_buffer_init(&wire, src->data + 1, payload);
	isc_buffer_add(&wire, payload);
	isc_buffer_setactive(&wire, payload);

	/* NSEC3PARAM contains no names, so no decompression context. */
	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
	result = dns_rdata_fromwire(target, src->rdclass,
				    dns_rdatatype_nsec3param,
				    &wire, &dctx, 0, &store);
	dns_decompress_invalidate(&dctx);

	return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
}
950 1.1 christos
/*%
 * Wrap the NSEC3PARAM rdata 'src' into a record of type 'privatetype'
 * in 'target'.  The private form is the original rdata prefixed with a
 * single zero byte, so 'buf' must hold at least src->length + 1 bytes;
 * 'target' must be an initialized, unused rdata.
 */
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
			 dns_rdatatype_t privatetype,
			 unsigned char *buf, size_t buflen)
{
	unsigned int len;

	REQUIRE(buflen >= src->length + 1);

	REQUIRE(DNS_RDATA_INITIALIZED(target));

	len = src->length;

	/* Copy first, then write the marker byte in front of the copy. */
	memmove(buf + 1, src->data, len);
	buf[0] = 0;

	target->rdclass = src->rdclass;
	target->type = privatetype;
	target->data = buf;
	target->length = len + 1;
	target->flags = 0;
	ISC_LINK_INIT(target, link);
}
969 1.1 christos
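/*%
 * Determine whether an RR equal to 'rdata' (compared with
 * dns_rdata_casecompare()) exists at 'name' in version 'ver' of 'db'.
 * NSEC3 records are looked up in the NSEC3 node tree, everything else in
 * the main tree.
 *
 * On ISC_R_SUCCESS '*flag' tells whether the record exists.  On any
 * other result '*flag' is left untouched.
 */
static isc_result_t
rr_exists(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	  const dns_rdata_t *rdata, isc_boolean_t *flag)
{
	dns_rdataset_t rdataset;
	dns_dbnode_t *node = NULL;
	isc_result_t result;

	dns_rdataset_init(&rdataset);
	if (rdata->type == dns_rdatatype_nsec3)
		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
	else
		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		/* No RRset of that type at all: the record cannot exist. */
		*flag = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto failure;
	}
	/*
	 * Any other failure leaves 'rdataset' unassociated, so it must not
	 * be iterated below; report the error to the caller instead.
	 */
	if (result != ISC_R_SUCCESS)
		goto failure;

	/* Stop at the first RR that compares equal. */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t myrdata = DNS_RDATA_INIT;
		dns_rdataset_current(&rdataset, &myrdata);
		if (!dns_rdata_casecompare(&myrdata, rdata))
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*flag = ISC_TRUE;
	} else if (result == ISC_R_NOMORE) {
		/* Exhausted the RRset without a match. */
		*flag = ISC_FALSE;
		result = ISC_R_SUCCESS;
	}

 failure:
	if (node != NULL)
		dns_db_detachnode(db, &node);
	return (result);
}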
1012 1.1 christos
/*%
 * Write the salt of 'nsec3param' into 'dst' as a NUL-terminated string:
 * "-" for an empty salt, otherwise the salt in hexadecimal.
 *
 * Returns ISC_R_NOSPACE when 'dstlen' bytes are not enough for the text
 * and its terminator, or whatever the hex encoder reports.
 */
isc_result_t
dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
			  size_t dstlen)
{
	isc_buffer_t out;
	isc_region_t salt;
	isc_result_t result;

	REQUIRE(nsec3param != NULL);
	REQUIRE(dst != NULL);

	/* An empty salt is represented by a single "-". */
	if (nsec3param->salt_length == 0) {
		if (dstlen < 2U)
			return (ISC_R_NOSPACE);
		strlcpy(dst, "-", dstlen);
		return (ISC_R_SUCCESS);
	}

	salt.base = nsec3param->salt;
	salt.length = nsec3param->salt_length;
	isc_buffer_init(&out, dst, (unsigned int)dstlen);

	result = isc_hex_totext(&salt, 2, "", &out);
	if (result != ISC_R_SUCCESS)
		return (result);

	/* Append the terminator ourselves; it needs one spare byte. */
	if (isc_buffer_availablelength(&out) == 0)
		return (ISC_R_NOSPACE);
	isc_buffer_putuint8(&out, 0);

	return (ISC_R_SUCCESS);
}
1048 1.1 christos
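/*%
 * Mark every NSEC3 chain in the zone for deletion.
 *
 * Each NSEC3PARAM record at the apex is deleted and re-added in private
 * form (see dns_nsec3param_toprivate()) with DNS_NSEC3FLAG_REMOVE set,
 * plus DNS_NSEC3FLAG_NONSEC when 'nonsec' is true, unless an identical
 * private record already exists.  Private-type NSEC3PARAM records that
 * are not yet flagged for removal are rewritten the same way.  All
 * changes go through 'diff'.
 *
 * Returns ISC_R_SUCCESS, or the first error encountered.
 */
isc_result_t
dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
			    dns_zone_t *zone, isc_boolean_t nonsec,
			    dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdataset_t rdataset;
	isc_boolean_t flag;
	isc_result_t result = ISC_R_SUCCESS;
	/*
	 * The private form is the NSEC3PARAM rdata with a leading zero
	 * byte, hence one byte more than the largest NSEC3PARAM.
	 */
	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
	dns_name_t *origin = dns_zone_getorigin(zone);
	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * Cause all NSEC3 chains to be deleted.
	 */
	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
				     0, (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t private = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);

		/* Remove the public NSEC3PARAM record. */
		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   rdataset.ttl, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/*
		 * Build the private copy and set its flags byte
		 * (buf[2], layout <0, hash, flags, ...>) to request removal.
		 * NOTE(review): 'privatetype' is not checked for 0 here,
		 * unlike the try_private path below — callers presumably
		 * guarantee a private type is configured.
		 */
		dns_nsec3param_toprivate(&rdata, &private, privatetype,
					 buf, sizeof(buf));
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec)
			buf[2] |= DNS_NSEC3FLAG_NONSEC;

		/* Only add the private record when it is not already there. */
		CHECK(rr_exists(db, ver, origin, &private, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &private,
						   &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
		dns_rdata_reset(&rdata);
	}
	if (result != ISC_R_NOMORE)
		goto failure;

	dns_rdataset_disassociate(&rdataset);

 try_private:
	/* A private type of 0 means the zone keeps no private records. */
	if (privatetype == 0)
		goto success;
	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_reset(&rdata);
		dns_rdataset_current(&rdataset, &rdata);
		INSIST(rdata.length <= sizeof(buf));
		memmove(buf, rdata.data, rdata.length);

		/*
		 * Private NSEC3 record length >= 6.
		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
		 * Skip anything that is not an NSEC3PARAM private record,
		 * anything already flagged for removal, and — when NONSEC
		 * is requested — anything that already carries NONSEC.
		 */
		if (rdata.length < 6 || buf[0] != 0 ||
		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
			continue;

		/* Delete the pending private record as it stands. */
		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   0, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/* Re-add it from the local copy with the removal flags set. */
		rdata.data = buf;
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec)
			buf[2] |= DNS_NSEC3FLAG_NONSEC;

		CHECK(rr_exists(db, ver, origin, &rdata, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &rdata, &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
	}
	if (result != ISC_R_NOMORE)
		goto failure;
 success:
	result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	dns_db_detachnode(db, &node);
	return (result);
}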
1173 1.1 christos
/*%
 * Add NSEC3 records for "name" to every active chain, recording the
 * changes in "diff".  Chains are taken from the NSEC3PARAM RRset at the
 * apex and, additionally, from the private-type RRset 'type' (records
 * flagged DNS_NSEC3FLAG_REMOVE or superseded per better_param() are
 * skipped).
 */
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_ttl_t nsecttl,
		     isc_boolean_t unsecure, dns_rdatatype_t type,
		     dns_diff_t *diff)
{
	dns_dbnode_t *apex = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t params;		/* NSEC3PARAM RRset at the apex */
	dns_rdataset_t privset;		/* private-type RRset at the apex */
	isc_result_t result;

	dns_rdataset_init(&params);
	dns_rdataset_init(&privset);

	/*
	 * Both RRsets describing chains live at the apex.
	 */
	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS)
		return (result);

	/* A missing private RRset is fine; any other failure is not. */
	result = dns_db_findrdataset(db, apex, version, type, 0, 0,
				     &privset, NULL);
	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
		goto failure;

	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &params, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each active chain; only flag-free parameters count.
	 */
	result = dns_rdataset_first(&params);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&params, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		if (result != ISC_R_SUCCESS)
			goto failure;

		if (nsec3param.flags == 0) {
			result = dns_nsec3_addnsec3(db, version, name,
						    &nsec3param, nsecttl,
						    unsecure, diff);
			if (result != ISC_R_SUCCESS)
				goto failure;
		}
		result = dns_rdataset_next(&params);
	}
	if (result != ISC_R_NOMORE)
		goto failure;

	dns_rdataset_disassociate(&params);

 try_private:
	if (!dns_rdataset_isassociated(&privset))
		goto success;

	/*
	 * Update each chain described by a private-type record.
	 */
	result = dns_rdataset_first(&privset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&privset, &rdata1);
		/* Non-NSEC3PARAM private records are simply skipped. */
		if (dns_nsec3param_fromprivate(&rdata1, &rdata2,
					       buf, sizeof(buf))) {
			result = dns_rdata_tostruct(&rdata2, &nsec3param,
						    NULL);
			if (result != ISC_R_SUCCESS)
				goto failure;

			if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) == 0 &&
			    !better_param(&privset, &rdata2)) {
				result = dns_nsec3_addnsec3(db, version, name,
							    &nsec3param,
							    nsecttl, unsecure,
							    diff);
				if (result != ISC_R_SUCCESS)
					goto failure;
			}
		}
		result = dns_rdataset_next(&privset);
	}
	if (result != ISC_R_NOMORE)
		goto failure;

 success:
	result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&params))
		dns_rdataset_disassociate(&params);
	if (dns_rdataset_isassociated(&privset))
		dns_rdataset_disassociate(&privset);
	if (apex != NULL)
		dns_db_detachnode(db, &apex);

	return (result);
}
1277 1.1 christos
/*%
 * Decide whether the NSEC3 records that were associated with 'name'
 * should be deleted ('*yesno' = ISC_TRUE) or kept ('*yesno' = ISC_FALSE),
 * based on what a lookup of the name in version 'ver' of 'db' now finds.
 *
 * Returns ISC_R_SUCCESS for every lookup outcome that has a known
 * answer; otherwise the lookup's result is passed through and '*yesno'
 * is set to ISC_TRUE only to keep it initialized.
 */
static isc_result_t
deleteit(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	 isc_boolean_t *yesno)
{
	dns_fixedname_t foundname;
	dns_name_t *found;
	isc_result_t result;

	found = dns_fixedname_initname(&foundname);

	/* Glue is acceptable and wildcards are not expanded. */
	result = dns_db_find(db, name, ver, dns_rdatatype_any,
			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
			     (isc_stdtime_t) 0, NULL, found, NULL, NULL);
	switch (result) {
	case ISC_R_SUCCESS:
	case DNS_R_EMPTYNAME:
	case DNS_R_ZONECUT:
		/* The name still exists in the zone: keep its NSEC3. */
		*yesno = ISC_FALSE;
		return (ISC_R_SUCCESS);
	case DNS_R_GLUE:
	case DNS_R_DNAME:
	case DNS_R_DELEGATION:
	case DNS_R_NXDOMAIN:
		/* Below a cut, or gone entirely: the NSEC3 can go. */
		*yesno = ISC_TRUE;
		return (ISC_R_SUCCESS);
	default:
		/*
		 * Silence compiler.
		 */
		*yesno = ISC_TRUE;
		return (result);
	}
}
1313 1.1 christos
/*%
 * Remove the NSEC3 record for 'name' from the chain described by
 * 'nsec3param', relinking the previous NSEC3 in that chain so that it
 * points at whatever the deleted record pointed at, and then repeat the
 * same removal for each ancestor of 'name' below the origin for which
 * deleteit() reports that its NSEC3 is no longer needed.  Every deletion
 * and replacement is recorded in 'diff'.
 *
 * Returns ISC_R_SUCCESS both when there was nothing to delete and when
 * the deletions succeeded; any other result is the first failure.
 */
isc_result_t
dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
		   const dns_name_t *name,
		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
{
	dns_dbiterator_t *dbit = NULL;
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_fixedname_t fixed;		/* storage for 'hashname' */
	dns_fixedname_t fprev;		/* storage for 'prev' */
	dns_hash_t hash;
	dns_name_t *hashname;		/* NSEC3 owner name of the current name */
	dns_name_t *origin;
	dns_name_t *prev;		/* owner name of the previous NSEC3 */
	dns_name_t empty;		/* walks up the ancestors of 'name' */
	dns_rdata_nsec3_t nsec3;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdataset_t rdataset;
	int pass;			/* wrap-arounds taken while seeking backwards */
	isc_boolean_t yesno;
	isc_buffer_t buffer;
	isc_result_t result;
	unsigned char *salt;
	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
	unsigned int iterations;
	unsigned int labels;
	size_t next_length;
	unsigned int salt_length;

	hashname = dns_fixedname_initname(&fixed);
	prev = dns_fixedname_initname(&fprev);

	dns_rdataset_init(&rdataset);

	origin = dns_db_origin(db);

	/*
	 * Chain parameters.
	 */
	hash = nsec3param->hash;
	iterations = nsec3param->iterations;
	salt_length = nsec3param->salt_length;
	salt = nsec3param->salt;

	/*
	 * If this is the first NSEC3 in the chain nexthash will
	 * remain pointing to itself.
	 *
	 * Hash 'name' into 'hashname' (the owner of the NSEC3 to delete)
	 * and 'nexthash' (the raw hash, overwritten below with the
	 * deleted record's next pointer once it is known).
	 */
	next_length = sizeof(nexthash);
	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
				 name, origin, hash, iterations,
				 salt, salt_length));

	/* Iterate over NSEC3 nodes only (DNS_DB_NSEC3ONLY). */
	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));

	/* No node for this hash means there is nothing to delete. */
	result = dns_dbiterator_seek(dbit, hashname);
	if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	CHECK(dns_dbiterator_current(dbit, &node, NULL));
	CHECK(dns_dbiterator_pause(dbit));
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
				     0, (isc_stdtime_t) 0, &rdataset, NULL);
	dns_db_detachnode(db, &node);
	if (result == ISC_R_NOTFOUND)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * If we find a existing NSEC3 for this chain then save the
	 * next field.
	 *
	 * The node may carry NSEC3s of several chains; find_nsec3()
	 * selects the one matching 'nsec3param'.  ISC_R_NOMORE means no
	 * record of this chain lives here, so nothing needs deleting.
	 */
	result = find_nsec3(&nsec3, &rdataset, nsec3param);
	if (result == ISC_R_SUCCESS) {
		next_length = nsec3.next_length;
		/* Bound the copy by the destination before touching it. */
		INSIST(next_length <= sizeof(nexthash));
		memmove(nexthash, nsec3.next, next_length);
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_NOMORE)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Find the previous NSEC3 and update it.
	 *
	 * Walk backwards from 'hashname'; on running off the front, wrap
	 * to the last node once ('pass' counts wraps) so the chain is
	 * treated as circular.  Nodes without an NSEC3 of this chain are
	 * skipped.  The first match is deleted and re-added with its next
	 * pointer set to the saved 'nexthash'.
	 */
	pass = 0;
	do {
		result = dns_dbiterator_prev(dbit);
		if (result == ISC_R_NOMORE) {
			pass++;
			CHECK(dns_dbiterator_last(dbit));
		}
		CHECK(dns_dbiterator_current(dbit, &node, prev));
		CHECK(dns_dbiterator_pause(dbit));
		result = dns_db_findrdataset(db, node, version,
					     dns_rdatatype_nsec3, 0,
					     (isc_stdtime_t) 0, &rdataset,
					     NULL);
		dns_db_detachnode(db, &node);
		if (result != ISC_R_SUCCESS)
			continue;
		result = find_nsec3(&nsec3, &rdataset, nsec3param);
		if (result == ISC_R_NOMORE) {
			dns_rdataset_disassociate(&rdataset);
			continue;
		}
		if (result != ISC_R_SUCCESS)
			goto failure;

		/*
		 * Delete the old previous NSEC3.
		 */
		CHECK(delnsec3(db, version, prev, nsec3param, diff));

		/*
		 * Fixup the previous NSEC3.
		 *
		 * While the chain is still being created, carry only the
		 * OPTOUT bit of the parameters into the rewritten record.
		 */
		nsec3.next = nexthash;
		nsec3.next_length = (unsigned char)next_length;
		if (CREATE(nsec3param->flags))
			nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
					   dns_rdatatype_nsec3, &nsec3,
					   &buffer));
		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
					   rdataset.ttl, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, version, diff));
		dns_rdata_reset(&rdata);
		dns_rdataset_disassociate(&rdataset);
		break;
	} while (pass < 2);
	/*
	 * NOTE(review): unlike the ancestor loop below, no INSIST(pass < 2)
	 * follows here; if neither pass found a predecessor the record at
	 * 'hashname' is still deleted without relinking.
	 */

	/*
	 * Delete the old NSEC3 and record the change.
	 */
	CHECK(delnsec3(db, version, hashname, nsec3param, diff));

	/*
	 * Delete NSEC3 records for now non active nodes.
	 *
	 * Strip one leading label at a time, stopping at the origin or at
	 * the first ancestor deleteit() says must keep its NSEC3, and
	 * repeat the delete-and-relink above for each ancestor.
	 */
	dns_name_init(&empty, NULL);
	dns_name_clone(name, &empty);
	do {
		labels = dns_name_countlabels(&empty) - 1;
		if (labels <= dns_name_countlabels(origin))
			break;
		dns_name_getlabelsequence(&empty, 1, labels, &empty);
		CHECK(deleteit(db, version, &empty, &yesno));
		if (!yesno)
			break;

		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
					 &empty, origin, hash, iterations,
					 salt, salt_length));
		/* No node, or no NSEC3 of this chain: nothing more to do. */
		result = dns_dbiterator_seek(dbit, hashname);
		if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
			goto success;
		if (result != ISC_R_SUCCESS)
			goto failure;

		CHECK(dns_dbiterator_current(dbit, &node, NULL));
		CHECK(dns_dbiterator_pause(dbit));
		result = dns_db_findrdataset(db, node, version,
					     dns_rdatatype_nsec3, 0,
					     (isc_stdtime_t) 0, &rdataset,
					     NULL);
		dns_db_detachnode(db, &node);
		if (result == ISC_R_NOTFOUND)
			goto success;
		if (result != ISC_R_SUCCESS)
			goto failure;

		/* Save the ancestor record's next pointer for relinking. */
		result = find_nsec3(&nsec3, &rdataset, nsec3param);
		if (result == ISC_R_SUCCESS) {
			next_length = nsec3.next_length;
			INSIST(next_length <= sizeof(nexthash));
			memmove(nexthash, nsec3.next, next_length);
		}
		dns_rdataset_disassociate(&rdataset);
		if (result == ISC_R_NOMORE)
			goto success;
		if (result != ISC_R_SUCCESS)
			goto failure;

		/* Same backwards search as above for the predecessor. */
		pass = 0;
		do {
			result = dns_dbiterator_prev(dbit);
			if (result == ISC_R_NOMORE) {
				pass++;
				CHECK(dns_dbiterator_last(dbit));
			}
			CHECK(dns_dbiterator_current(dbit, &node, prev));
			CHECK(dns_dbiterator_pause(dbit));
			result = dns_db_findrdataset(db, node, version,
						     dns_rdatatype_nsec3, 0,
						     (isc_stdtime_t) 0,
						     &rdataset, NULL);
			dns_db_detachnode(db, &node);
			if (result != ISC_R_SUCCESS)
				continue;
			result = find_nsec3(&nsec3, &rdataset, nsec3param);
			if (result == ISC_R_NOMORE) {
				dns_rdataset_disassociate(&rdataset);
				continue;
			}
			if (result != ISC_R_SUCCESS)
				goto failure;

			/*
			 * Delete the old previous NSEC3.
			 */
			CHECK(delnsec3(db, version, prev, nsec3param, diff));

			/*
			 * Fixup the previous NSEC3.
			 */
			nsec3.next = nexthash;
			nsec3.next_length = (unsigned char)next_length;
			isc_buffer_init(&buffer, nsec3buf,
					sizeof(nsec3buf));
			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
						   dns_rdatatype_nsec3, &nsec3,
						   &buffer));
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   prev, rdataset.ttl, &rdata,
						   &tuple));
			CHECK(do_one_tuple(&tuple, db, version, diff));
			dns_rdata_reset(&rdata);
			dns_rdataset_disassociate(&rdataset);
			break;
		} while (pass < 2);

		/* A predecessor must exist once a record of the chain does. */
		INSIST(pass < 2);

		/*
		 * Delete the old NSEC3 and record the change.
		 */
		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
	} while (1);

 success:
	result = ISC_R_SUCCESS;

 failure:
	if (dbit != NULL)
		dns_dbiterator_destroy(&dbit);
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);
	return (result);
}
1573 1.1 christos
/*
 * Remove the NSEC3 records for 'name' from every active NSEC3 chain of
 * the zone in 'db'/'version', recording the changes in 'diff'.
 *
 * Convenience wrapper around dns_nsec3_delnsec3sx() that passes no
 * private type (0), so chains that are still being built are not
 * consulted.  Returns whatever dns_nsec3_delnsec3sx() returns.
 */
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name,
		    dns_diff_t *diff)
{
	isc_result_t result;

	result = dns_nsec3_delnsec3sx(db, version, name, 0, diff);
	return (result);
}
1581 1.1 christos
/*
 * Remove the NSEC3 records for 'name' from every NSEC3 chain of the zone
 * in 'db'/'version', recording each change in 'diff'.
 *
 * Two sources of chain parameters are read from the zone origin node:
 *   - NSEC3PARAM records whose flags are 0 (active chains);
 *   - when 'privatetype' is non-zero, records of that private type that
 *     decode to an NSEC3PARAM (chains still being built), skipping those
 *     flagged REMOVE or superseded according to better_param().
 *
 * Returns ISC_R_SUCCESS when there were no such records or every chain was
 * updated, otherwise the first error encountered.  The origin node
 * reference and the rdataset are released before returning; the early
 * return after dns_db_getoriginnode() fails has nothing to release.
 */
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name,
		     dns_rdatatype_t privatetype, dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	/*
	 * Find the NSEC3 parameters for this zone.
	 */
	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	/* No NSEC3PARAM at all: only private-type records can apply. */
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each active NSEC3 chain.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

		/* Any flag set means this chain is not (yet) active. */
		if (nsec3param.flags != 0)
			continue;
		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
	}
	dns_rdataset_disassociate(&rdataset);

 try_private:
	if (privatetype == 0)
		goto success;
	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each NSEC3 chain being built.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&rdataset, &rdata1);
		/* Private records that do not encode an NSEC3PARAM are skipped. */
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
						buf, sizeof(buf)))
			continue;
		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));

		/* A chain scheduled for removal needs no new records. */
		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
			continue;
		/*
		 * better_param() is defined elsewhere in this file; it is
		 * presumably true when another private record supersedes
		 * this parameter set, so this chain is left alone.
		 */
		if (better_param(&rdataset, &rdata2))
			continue;

		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
	}
	/*
	 * The 'success' label sits on the statement controlled by this
	 * 'if', so both a normal end of iteration (ISC_R_NOMORE) and a
	 * direct 'goto success' yield ISC_R_SUCCESS, while any other
	 * iterator result falls through to 'failure' unchanged.
	 */
	if (result == ISC_R_NOMORE)
 success:
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);

	return (result);
}
1677 1.1 christos
/*
 * Report in '*answer' whether the zone in 'db'/'version' has an NSEC3
 * chain in use.  Equivalent to dns_nsec3_activex() with no private type,
 * so only NSEC3PARAM records at the origin are consulted.
 */
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
		 isc_boolean_t complete, isc_boolean_t *answer)
{
	const dns_rdatatype_t no_privatetype = 0;

	return (dns_nsec3_activex(db, version, complete, no_privatetype,
				  answer));
}
1684 1.1 christos
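/*
 * Determine whether the zone in 'db'/'version' has an NSEC3 chain in use
 * and report the result in '*answer'.
 *
 * An NSEC3PARAM record at the origin with flags == 0 means a complete,
 * active chain.  When 'complete' is false and 'privatetype' is non-zero,
 * records of that private type that decode to an NSEC3PARAM carrying the
 * CREATE flag (a chain still being built) also count.
 *
 * Returns ISC_R_SUCCESS with '*answer' set.  Any other return value is a
 * database or iterator error, and '*answer' is then not meaningful.  The
 * origin node reference taken here is released on every return path.
 */
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
		  isc_boolean_t complete, dns_rdatatype_t privatetype,
		  isc_boolean_t *answer)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto done;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		/* flags == 0 marks a complete, active chain. */
		if (nsec3param.flags == 0)
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = ISC_TRUE;
		goto done;
	}
	/*
	 * ISC_R_NOMORE means no active NSEC3PARAM was found.  Any other
	 * value is an iterator error and is reported as such rather than
	 * being read as "no chain".
	 */
	if (result != ISC_R_NOMORE)
		goto done;
	*answer = ISC_FALSE;

 try_private:
	if (privatetype == 0 || complete) {
		/*
		 * Nothing further to check.  This path previously
		 * returned without releasing 'node'; 'done' now does.
		 */
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto done;
	}

	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto done;
	}
	if (result != ISC_R_SUCCESS)
		goto done;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&rdataset, &rdata1);
		/* Private records that do not encode an NSEC3PARAM are skipped. */
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
						buf, sizeof(buf)))
			continue;
		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		/* A chain being created counts while 'complete' is false. */
		if (!complete && CREATE(nsec3param.flags))
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = ISC_TRUE;
	} else if (result == ISC_R_NOMORE) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
	}

 done:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);
	return (result);
}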
1780 1.1 christos
/*
 * Helper for dns_nsec3_maxiterations(): map the smallest DNSKEY size in
 * the zone to the NSEC3 iteration cap.  The size thresholds and caps are
 * the ones given in RFC 5155 section 10.3.
 */
static unsigned int
nsec3_iterations_for_keysize(unsigned int smallest_bits) {
	if (smallest_bits <= 1024)
		return (150);
	if (smallest_bits <= 2048)
		return (500);
	return (2500);
}

/*
 * Compute the largest NSEC3 iteration count acceptable for the zone in
 * 'db'/'version', based on the smallest DNSKEY at the origin, and store
 * it in '*iterationsp'.  A zone with no DNSKEY rrset gets 0.  'mctx' is
 * used while parsing each key.
 *
 * Returns ISC_R_SUCCESS, or an error from the database or from key
 * parsing; '*iterationsp' is left untouched on error.
 */
isc_result_t
dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
			isc_mem_t *mctx, unsigned int *iterationsp)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dst_key_t *key = NULL;
	isc_buffer_t buffer;
	isc_result_t result;
	/* Upper bound: keys larger than this all map to the top cap. */
	unsigned int smallest = 4096;

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	dns_rdataset_init(&rdataset);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
				     0, 0, &rdataset, NULL);
	dns_db_detachnode(db, &node);
	if (result == ISC_R_NOTFOUND) {
		/* No keys: nothing to base a limit on. */
		*iterationsp = 0;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		goto cleanup;

	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned int keybits;

		dns_rdataset_current(&rdataset, &rdata);
		isc_buffer_init(&buffer, rdata.data, rdata.length);
		isc_buffer_add(&buffer, rdata.length);
		result = dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
					 &buffer, mctx, &key);
		if (result != ISC_R_SUCCESS)
			goto cleanup;
		keybits = dst_key_size(key);
		dst_key_free(&key);
		if (keybits < smallest)
			smallest = keybits;
		result = dns_rdataset_next(&rdataset);
	}
	if (result != ISC_R_NOMORE)
		goto cleanup;

	*iterationsp = nsec3_iterations_for_keysize(smallest);
	result = ISC_R_SUCCESS;

 cleanup:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	return (result);
}
1838 1.1 christos
/*
 * Examine a single NSEC3 record and work out what it proves about
 * 'name'/'type'.  Only the first rdata of 'nsec3set' is looked at.
 *
 * The record's zone is obtained by stripping the leading hash label from
 * 'nsec3name'.  'zonename' carries the deepest zone seen so far across
 * calls (zero labels = none yet): it is updated when this record's zone is
 * the same or deeper, and records from any other zone are ignored.
 *
 * With 'exists' and 'data' both NULL the caller only wants 'zonename'
 * located, and ISC_R_SUCCESS is returned as soon as the zone matches.
 * Otherwise the hash of 'name' and of each of its ancestors down to the
 * zone apex is compared against the record:
 *   - an owner-hash match on 'name' itself proves the name exists and sets
 *     '*exists'/'*data' (ISC_R_SUCCESS), unless the record belongs to the
 *     wrong side of a delegation or proves a CNAME (ISC_R_IGNORE);
 *   - an owner-hash match on an ancestor is a potential closest encloser,
 *     recorded in 'closest'/'*setclosest' when those are given, and the
 *     result accumulated so far is returned;
 *   - a hash falling inside the interval the record covers proves that
 *     name does not exist: '*exists' and '*data' are cleared, '*optout' is
 *     set from the record's OPTOUT flag, and the name is recorded in
 *     'nearest'/'*setnearest' when those are given.
 *
 * '*unknown' is set when the hash algorithm is not supported.  'logit' is
 * called with 'arg' for debug messages.
 *
 * Returns ISC_R_SUCCESS when a proof was found, ISC_R_IGNORE when the
 * record is not usable for this query, or an error from rdata parsing or
 * base32hex decoding.
 */
isc_result_t
dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
			dns_name_t *zonename, isc_boolean_t *exists,
			isc_boolean_t *data, isc_boolean_t *optout,
			isc_boolean_t *unknown, isc_boolean_t *setclosest,
			isc_boolean_t *setnearest, dns_name_t *closest,
			dns_name_t *nearest, dns_nseclog_t logit, void *arg)
{
	char namebuf[DNS_NAME_FORMATSIZE];
	dns_fixedname_t fzone;
	dns_fixedname_t qfixed;
	dns_label_t hashlabel;
	dns_name_t *qname;
	dns_name_t *zone;
	dns_rdata_nsec3_t nsec3;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	int order;
	int scope;
	isc_boolean_t atparent;
	isc_boolean_t first;
	isc_boolean_t ns;
	isc_boolean_t soa;
	isc_buffer_t buffer;
	/* Becomes ISC_R_SUCCESS once a nonexistence proof has been found. */
	isc_result_t answer = ISC_R_IGNORE;
	isc_result_t result;
	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
	unsigned int length;
	unsigned int qlabels;
	unsigned int zlabels;

	/* The optional output pairs must be supplied together or not at all. */
	REQUIRE((exists == NULL && data == NULL) ||
		(exists != NULL && data != NULL));
	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
	REQUIRE((setclosest == NULL && closest == NULL) ||
		(setclosest != NULL && closest != NULL));
	REQUIRE((setnearest == NULL && nearest == NULL) ||
		(setnearest != NULL && nearest != NULL));

	result = dns_rdataset_first(nsec3set);
	if (result != ISC_R_SUCCESS) {
		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
		return (result);
	}

	dns_rdataset_current(nsec3set, &rdata);

	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
	if (result != ISC_R_SUCCESS)
		return (result);

	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");

	zone = dns_fixedname_initname(&fzone);
	zlabels = dns_name_countlabels(nsec3name);

	/*
	 * NSEC3 records must have two or more labels to be valid.
	 */
	if (zlabels < 2)
		return (ISC_R_IGNORE);

	/*
	 * Strip off the NSEC3 hash to get the zone.
	 * After this 'zlabels' is the label count of the zone itself.
	 */
	zlabels--;
	dns_name_split(nsec3name, zlabels, NULL, zone);

	/*
	 * If not below the zone name we can ignore this record.
	 */
	if (!dns_name_issubdomain(name, zone))
		return (ISC_R_IGNORE);

	/*
	 * Is this zone the same or deeper than the current zone?
	 */
	if (dns_name_countlabels(zonename) == 0 ||
	    dns_name_issubdomain(zone, zonename))
		dns_name_copy(zone, zonename, NULL);

	if (!dns_name_equal(zone, zonename))
		return (ISC_R_IGNORE);

	/*
	 * Are we only looking for the most enclosing zone?
	 */
	if (exists == NULL || data == NULL)
		return (ISC_R_SUCCESS);

	/*
	 * Only set unknown once we are sure that this NSEC3 is from
	 * the deepest covering zone.
	 */
	if (!dns_nsec3_supportedhash(nsec3.hash)) {
		if (unknown != NULL)
			*unknown = ISC_TRUE;
		return (ISC_R_IGNORE);
	}

	/*
	 * Recover the hash from the first label.
	 * The label's leading byte is its length; skip it before decoding.
	 * The decode is bounded by 'owner' (NSEC3_MAX_HASH_LENGTH bytes).
	 */
	dns_name_getlabel(nsec3name, 0, &hashlabel);
	isc_region_consume(&hashlabel, 1);
	isc_buffer_init(&buffer, owner, sizeof(owner));
	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * The hash lengths should match. If not ignore the record.
	 */
	if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
		return (ISC_R_IGNORE);

	/*
	 * Work out what this NSEC3 covers.
	 * Inside (<0) or outside (>=0).
	 * scope < 0: owner < next, a normal interval.
	 * scope >= 0: the record wraps around the end of the hash space.
	 */
	scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);

	/*
	 * Prepare to compute all the hashes.
	 * 'qname' starts as the (downcased) query name and is shortened by
	 * one label per iteration until the zone apex has been tried.
	 */
	qname = dns_fixedname_initname(&qfixed);
	dns_name_downcase(name, qname, NULL);
	qlabels = dns_name_countlabels(qname);
	first = ISC_TRUE;

	while (qlabels >= zlabels) {
		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
					   nsec3.salt, nsec3.salt_length,
					   qname->ndata, qname->length);
		/*
		 * The computed hash length should match.
		 * This also guarantees 'length' <= nsec3.next_length for
		 * the memcmp() calls further down.
		 */
		if (length != nsec3.next_length) {
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring NSEC bad length %u vs %u",
				 length, nsec3.next_length);
			return (ISC_R_IGNORE);
		}

		order = isc_safe_memcompare(hash, owner, length);
		if (first && order == 0) {
			/*
			 * The hashes are the same.
			 * The NSEC3 owner is the query name itself; decide
			 * whether the record may be used at this point in
			 * the delegation hierarchy.
			 */
			atparent = dns_rdatatype_atparent(type);
			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
			if (ns && !soa) {
				if (!atparent) {
					/*
					 * This NSEC3 record is from somewhere
					 * higher in the DNS, and at the
					 * parent of a delegation. It can not
					 * be legitimately used here.
					 */
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "ignoring parent NSEC3");
					return (ISC_R_IGNORE);
				}
			} else if (atparent && ns && soa) {
				/*
				 * This NSEC3 record is from the child.
				 * It can not be legitimately used here.
				 */
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "ignoring child NSEC3");
				return (ISC_R_IGNORE);
			}
			/*
			 * A CNAME at the owner hides every other type, so
			 * only types that may coexist with it (or a query
			 * for the CNAME itself) are answered from the bitmap.
			 */
			if (type == dns_rdatatype_cname ||
			    type == dns_rdatatype_nxt ||
			    type == dns_rdatatype_nsec ||
			    type == dns_rdatatype_key ||
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
				*exists = ISC_TRUE;
				*data = dns_nsec3_typepresent(&rdata, type);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 proves name exists (owner) "
					 "data=%d", *data);
				return (ISC_R_SUCCESS);
			}
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves CNAME exists");
			return (ISC_R_IGNORE);
		}

		if (order == 0 &&
		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
		{
			/*
			 * This NSEC3 record is from somewhere higher in
			 * the DNS, and at the parent of a delegation.
			 * It can not be legitimately used here.
			 */
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring parent NSEC3");
			return (ISC_R_IGNORE);
		}

		/*
		 * Potential closest encloser.
		 * Only record it when 'closest' is empty or 'qname' is
		 * below it, and the owner is not a DS/DNAME/delegation.
		 */
		if (order == 0) {
			if (closest != NULL &&
			    (dns_name_countlabels(closest) == 0 ||
			     dns_name_issubdomain(qname, closest)) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
			{

				dns_name_format(qname, namebuf,
						sizeof(namebuf));
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 indicates potential closest "
					 "encloser: '%s'", namebuf);
				dns_name_copy(qname, closest, NULL);
				*setclosest = ISC_TRUE;
			}
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 at super-domain %s", namebuf);
			return (answer);
		}

		/*
		 * Find if the name does not exist.
		 *
		 * We continue as we need to find the name closest to the
		 * closest encloser that doesn't exist.
		 *
		 * We also need to continue to ensure that we are not
		 * proving the non-existence of a record in a sub-zone.
		 * If that would be the case we will return ISC_R_IGNORE
		 * above.
		 *
		 * The hash is covered when owner < hash < next, or, for a
		 * wrapped record (scope >= 0), when hash > owner or
		 * hash < next.  NOTE(review): these compares use memcmp()
		 * where the ones above use isc_safe_memcompare().
		 */
		if ((scope < 0 && order > 0 &&
		     memcmp(hash, nsec3.next, length) < 0) ||
		    (scope >= 0 && (order > 0 ||
				    memcmp(hash, nsec3.next, length) < 0)))
		{
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC3 proves "
				 "name does not exist: '%s'", namebuf);
			if (nearest != NULL &&
			    (dns_name_countlabels(nearest) == 0 ||
			     dns_name_issubdomain(nearest, qname))) {
				dns_name_copy(qname, nearest, NULL);
				*setnearest = ISC_TRUE;
			}

			*exists = ISC_FALSE;
			*data = ISC_FALSE;
			if (optout != NULL) {
				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "NSEC3 indicates optout");
				else
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "NSEC3 indicates secure range");
				*optout =
				    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
			}
			answer = ISC_R_SUCCESS;
		}

		/* Move one label up towards the zone apex and try again. */
		qlabels--;
		if (qlabels > 0)
			dns_name_split(qname, qlabels, NULL, qname);
		first = ISC_FALSE;
	}
	return (answer);
}