/*	$NetBSD: nsec3.c,v 1.2.2.2 2018/09/06 06:55:00 pgoyette Exp $	*/

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
13 1.2.2.2 pgoyette
14 1.2.2.2 pgoyette
15 1.2.2.2 pgoyette #include <config.h>
16 1.2.2.2 pgoyette
17 1.2.2.2 pgoyette #include <isc/base32.h>
18 1.2.2.2 pgoyette #include <isc/buffer.h>
19 1.2.2.2 pgoyette #include <isc/hex.h>
20 1.2.2.2 pgoyette #include <isc/iterated_hash.h>
21 1.2.2.2 pgoyette #include <isc/log.h>
22 1.2.2.2 pgoyette #include <isc/string.h>
23 1.2.2.2 pgoyette #include <isc/util.h>
24 1.2.2.2 pgoyette #include <isc/safe.h>
25 1.2.2.2 pgoyette
26 1.2.2.2 pgoyette #include <dst/dst.h>
27 1.2.2.2 pgoyette
28 1.2.2.2 pgoyette #include <dns/db.h>
29 1.2.2.2 pgoyette #include <dns/zone.h>
30 1.2.2.2 pgoyette #include <dns/compress.h>
31 1.2.2.2 pgoyette #include <dns/dbiterator.h>
32 1.2.2.2 pgoyette #include <dns/diff.h>
33 1.2.2.2 pgoyette #include <dns/fixedname.h>
34 1.2.2.2 pgoyette #include <dns/nsec.h>
35 1.2.2.2 pgoyette #include <dns/nsec3.h>
36 1.2.2.2 pgoyette #include <dns/rdata.h>
37 1.2.2.2 pgoyette #include <dns/rdatalist.h>
38 1.2.2.2 pgoyette #include <dns/rdataset.h>
39 1.2.2.2 pgoyette #include <dns/rdatasetiter.h>
40 1.2.2.2 pgoyette #include <dns/rdatastruct.h>
41 1.2.2.2 pgoyette #include <dns/result.h>
42 1.2.2.2 pgoyette
/*
 * Evaluate 'x' into the enclosing function's 'result' variable and jump to
 * its 'failure' label on anything other than ISC_R_SUCCESS.  Both the
 * variable and the label must exist in the scope where CHECK() is used.
 */
#define CHECK(x) do { \
	result = (x); \
	if (result != ISC_R_SUCCESS) \
		goto failure; \
	} while (/*CONSTCOND*/0)

/* Predicates on the NSEC3/NSEC3PARAM flags octet. */
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
53 1.2.2.2 pgoyette
/*
 * Build the NSEC3 RDATA describing 'node' (or an empty node when 'node'
 * is NULL) into 'buffer' and point 'rdata' at the result.
 *
 * Wire layout produced: hash algorithm, flags, iterations (16 bits,
 * high octet first), salt length + salt, next-hash length + next hash,
 * followed by the compressed type bitmap of the rdatasets at 'node'.
 *
 * 'buffer' must provide at least DNS_NSEC3_BUFFERSIZE bytes: it is
 * cleared to that size up front and the final length is checked
 * against it.
 *
 * Returns ISC_R_SUCCESS, or the error reported by dns_db_allrdatasets()
 * or by the rdataset iterator.
 */
isc_result_t
dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
		     dns_dbnode_t *node, unsigned int hashalg,
		     unsigned int flags, unsigned int iterations,
		     const unsigned char *salt, size_t salt_length,
		     const unsigned char *nexthash, size_t hash_length,
		     unsigned char *buffer, dns_rdata_t *rdata)
{
	isc_result_t result;
	dns_rdataset_t rdataset;
	isc_region_t r;
	unsigned int i;
	isc_boolean_t found;
	isc_boolean_t found_ns;
	isc_boolean_t need_rrsig;

	unsigned char *nsec_bits, *bm;
	unsigned int max_type;
	dns_rdatasetiter_t *rdsiter;
	unsigned char *p;

	/* Every length and the flag/algorithm fields occupy one octet. */
	REQUIRE(salt_length < 256U);
	REQUIRE(hash_length < 256U);
	REQUIRE(flags <= 0xffU);
	REQUIRE(hashalg <= 0xffU);
	REQUIRE(iterations <= 0xffffU);

	/*
	 * Only SHA-1 has its digest length validated here; any other
	 * 'hashalg' value is written out unchecked.
	 */
	switch (hashalg) {
	case dns_hash_sha1:
		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
		break;
	}

	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);

	p = buffer;

	*p++ = hashalg;
	*p++ = flags;

	/* 16-bit iteration count, network byte order. */
	*p++ = iterations >> 8;
	*p++ = iterations;

	*p++ = (unsigned char)salt_length;
	memmove(p, salt, salt_length);
	p += salt_length;

	*p++ = (unsigned char)hash_length;
	memmove(p, nexthash, hash_length);
	p += hash_length;

	/* 'r' covers the fixed fields; the bitmap is appended after them. */
	r.length = (unsigned int)(p - buffer);
	r.base = buffer;

	/*
	 * Use the end of the space for a raw bitmap leaving enough
	 * space for the window identifiers and length octets.
	 * The raw bitmap 'bm' lives 512 bytes past the fixed fields and
	 * is already zero from the memset() above; its compressed form is
	 * later written at 'nsec_bits', immediately after the fixed fields.
	 */
	bm = r.base + r.length + 512;
	nsec_bits = r.base + r.length;
	max_type = 0;
	/* No node at all means an empty type bitmap. */
	if (node == NULL)
		goto collapse_bitmap;
	dns_rdataset_init(&rdataset);
	rdsiter = NULL;
	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
	if (result != ISC_R_SUCCESS)
		return (result);	/* nothing acquired yet */
	found = found_ns = need_rrsig = ISC_FALSE;
	for (result = dns_rdatasetiter_first(rdsiter);
	     result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter))
	{
		dns_rdatasetiter_current(rdsiter, &rdataset);
		/*
		 * NSEC and NSEC3 are never recorded in the bitmap; RRSIG
		 * is decided after the loop from the flags gathered here.
		 */
		if (rdataset.type != dns_rdatatype_nsec &&
		    rdataset.type != dns_rdatatype_nsec3 &&
		    rdataset.type != dns_rdatatype_rrsig) {
			if (rdataset.type > max_type)
				max_type = rdataset.type;
			dns_nsec_setbit(bm, rdataset.type, 1);
			/*
			 * Work out if we need to set the RRSIG bit for
			 * this node.  We set the RRSIG bit if either of
			 * the following conditions are met:
			 * 1) We have a SOA or DS then we need to set
			 *    the RRSIG bit as both always will be signed.
			 * 2) We set the RRSIG bit if we don't have
			 *    a NS record but do have other data.
			 */
			if (rdataset.type == dns_rdatatype_soa ||
			    rdataset.type == dns_rdatatype_ds)
				need_rrsig = ISC_TRUE;
			else if (rdataset.type == dns_rdatatype_ns)
				found_ns = ISC_TRUE;
			else
				found = ISC_TRUE;
		}
		dns_rdataset_disassociate(&rdataset);
	}
	/* Apply the RRSIG rule described above. */
	if ((found && !found_ns) || need_rrsig) {
		if (dns_rdatatype_rrsig > max_type)
			max_type = dns_rdatatype_rrsig;
		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
	}

	/*
	 * At zone cuts, deny the existence of glue in the parent zone.
	 * NS without SOA marks a delegation; every type that is not
	 * authoritative at a zone cut is dropped from the bitmap.
	 */
	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
	    ! dns_nsec_isset(bm, dns_rdatatype_soa)) {
		for (i = 0; i <= max_type; i++) {
			if (dns_nsec_isset(bm, i) &&
			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
				dns_nsec_setbit(bm, i, 0);
		}
	}

	dns_rdatasetiter_destroy(&rdsiter);
	/* The loop must have ended by exhaustion, not by an error. */
	if (result != ISC_R_NOMORE)
		return (result);

 collapse_bitmap:
	/* Compress the raw bitmap in place after the fixed fields. */
	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
	r.length = (unsigned int)(nsec_bits - r.base);
	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);

	return (ISC_R_SUCCESS);
}
183 1.2.2.2 pgoyette
/*
 * Report whether 'type' is set in the type bitmap of the NSEC3 'rdata'.
 *
 * The bitmap is a sequence of (window, length, bits...) groups; each
 * group's internal consistency is asserted as it is visited.
 */
isc_boolean_t
dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
	dns_rdata_nsec3_t nsec3;
	isc_result_t result;
	isc_boolean_t present = ISC_FALSE;
	unsigned int pos = 0;

	REQUIRE(rdata != NULL);
	REQUIRE(rdata->type == dns_rdatatype_nsec3);

	/* Converting an already-validated NSEC3 rdata must not fail. */
	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
	INSIST(result == ISC_R_SUCCESS);

	while (pos < nsec3.len) {
		unsigned int window, len, base;

		INSIST(pos + 2 <= nsec3.len);
		window = nsec3.typebits[pos];
		len = nsec3.typebits[pos + 1];
		INSIST(len > 0 && len <= 32);
		pos += 2;
		INSIST(pos + len <= nsec3.len);

		base = window * 256;
		/*
		 * Windows are expected in ascending order, so a window
		 * starting above 'type' means 'type' is absent.
		 */
		if (base > type)
			break;
		/* Window lies entirely below 'type': skip its bits. */
		if (base + 256 <= type) {
			pos += len;
			continue;
		}
		/* Right window; the bit exists only if the map is long enough. */
		if (type < base + len * 8)
			present = ISC_TF(dns_nsec_isset(&nsec3.typebits[pos],
							type % 256));
		break;
	}
	dns_rdata_freestruct(&nsec3);
	return (present);
}
218 1.2.2.2 pgoyette
/*
 * Compute the NSEC3 owner name of 'name' under 'origin'.
 *
 * The lower-cased wire form of 'name' is hashed with 'hashalg',
 * 'iterations' and 'salt'; the digest is stored in 'rethash' (when not
 * NULL), its length in '*hash_length' (when not NULL), and its
 * base32hex text becomes a single label of '*result' below 'origin'.
 *
 * Returns DNS_R_BADALG when the hash algorithm is unsupported, otherwise
 * the result of dns_name_fromtext().
 */
isc_result_t
dns_nsec3_hashname(dns_fixedname_t *result,
		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
		   size_t *hash_length, const dns_name_t *name,
		   const dns_name_t *origin,
		   dns_hash_t hashalg, unsigned int iterations,
		   const unsigned char *salt, size_t saltlength)
{
	unsigned char scratch[NSEC3_MAX_HASH_LENGTH];
	unsigned char text[DNS_NAME_FORMATSIZE];
	dns_fixedname_t lowered;
	dns_name_t *lowername;
	isc_buffer_t textbuf;
	isc_region_t digest;
	size_t digestlen;
	unsigned char *out;

	/* Callers that only want the name get a local digest buffer. */
	out = (rethash != NULL) ? rethash : scratch;
	memset(out, 0, NSEC3_MAX_HASH_LENGTH);

	/* Hash the canonical (lower-case) wire form of the owner name. */
	lowername = dns_fixedname_initname(&lowered);
	dns_name_downcase(name, lowername, NULL);

	digestlen = isc_iterated_hash(out, hashalg, iterations,
				      salt, (int)saltlength,
				      lowername->ndata, lowername->length);
	if (digestlen == 0U)
		return (DNS_R_BADALG);

	if (hash_length != NULL)
		*hash_length = digestlen;

	/* Digest -> unpadded base32hex text ... */
	digest.base = out;
	digest.length = (unsigned int)digestlen;
	isc_buffer_init(&textbuf, text, sizeof text);
	isc_base32hexnp_totext(&digest, 1, "", &textbuf);

	/* ... -> one label relative to 'origin'. */
	dns_fixedname_init(result);
	return (dns_name_fromtext(dns_fixedname_name(result), &textbuf,
				  origin, 0, NULL));
}
264 1.2.2.2 pgoyette
/*
 * Digest length in octets for NSEC3 hash algorithm 'hash', or 0 when the
 * algorithm is not supported.  Only SHA-1 is known here.
 */
unsigned int
dns_nsec3_hashlength(dns_hash_t hash) {
	if (hash == dns_hash_sha1)
		return (ISC_SHA1_DIGESTLENGTH);
	return (0);
}
274 1.2.2.2 pgoyette
/*
 * ISC_TRUE iff 'hash' is an NSEC3 hash algorithm this code can compute.
 * SHA-1 is the only one.
 */
isc_boolean_t
dns_nsec3_supportedhash(dns_hash_t hash) {
	return (ISC_TF(hash == dns_hash_sha1));
}
283 1.2.2.2 pgoyette
/*%
 * Apply the single change '*tuple' to version 'ver' of 'db' and, on
 * success, fold it into the pending journal entry 'diff'.
 *
 * Ensures:
 * \li '*tuple' == NULL.  On failure the tuple is freed; on success its
 *     ownership passes to 'diff' through dns_diff_appendminimal().
 */
static isc_result_t
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
	     dns_diff_t *diff)
{
	dns_diff_t single;
	isc_result_t result;

	/* dns_diff_apply() wants a diff, so wrap the tuple in a one-element one. */
	dns_diff_init(diff->mctx, &single);
	ISC_LIST_APPEND(single.tuples, *tuple, link);

	result = dns_diff_apply(&single, db, ver);

	/*
	 * Take the tuple back out; 'single' then owns nothing and is
	 * deliberately never cleared.
	 */
	ISC_LIST_UNLINK(single.tuples, *tuple, link);

	if (result == ISC_R_SUCCESS)
		dns_diff_appendminimal(diff, tuple);
	else
		dns_difftuple_free(tuple);

	return (result);
}
325 1.2.2.2 pgoyette
/*%
 * Set '*exists' to true iff the given name exists, to false otherwise.
 *
 * "Exists" means the node is present in 'version' of 'db' and holds at
 * least one rdataset.  Returns ISC_R_SUCCESS for either answer, or the
 * database error that prevented finding out (with '*exists' false when
 * the error came from the rdataset iterator).
 */
static isc_result_t
name_exists(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	    isc_boolean_t *exists)
{
	dns_dbnode_t *node = NULL;
	dns_rdatasetiter_t *iter = NULL;
	isc_result_t result;

	result = dns_db_findnode(db, name, ISC_FALSE, &node);
	switch (result) {
	case ISC_R_NOTFOUND:
		/* No node at all is a definite "no". */
		*exists = ISC_FALSE;
		return (ISC_R_SUCCESS);
	case ISC_R_SUCCESS:
		break;
	default:
		return (result);
	}

	result = dns_db_allrdatasets(db, node, version,
				     (isc_stdtime_t) 0, &iter);
	if (result == ISC_R_SUCCESS) {
		/* Any first rdataset makes the name exist. */
		result = dns_rdatasetiter_first(iter);
		*exists = ISC_TF(result == ISC_R_SUCCESS);
		if (result == ISC_R_NOMORE)
			result = ISC_R_SUCCESS;	/* empty node: a clean "no" */
		dns_rdatasetiter_destroy(&iter);
	}

	dns_db_detachnode(db, &node);
	return (result);
}
364 1.2.2.2 pgoyette
/*
 * ISC_TRUE when 'nsec3' belongs to the chain described by 'nsec3param':
 * same hash algorithm, iteration count and salt.
 */
static isc_boolean_t
match_nsec3param(const dns_rdata_nsec3_t *nsec3,
		 const dns_rdata_nsec3param_t *nsec3param)
{
	int saltdiff;

	if (nsec3->hash != nsec3param->hash)
		return (ISC_FALSE);
	if (nsec3->iterations != nsec3param->iterations)
		return (ISC_FALSE);
	if (nsec3->salt_length != nsec3param->salt_length)
		return (ISC_FALSE);

	/* Salt lengths agree, so comparing that many bytes is in bounds for both. */
	saltdiff = memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length);
	return (ISC_TF(saltdiff == 0));
}
376 1.2.2.2 pgoyette
/*%
 * Delete NSEC3 records at "name" which match "param", recording the
 * change in "diff".
 *
 * 'name' is the hashed owner name.  A missing node, or a node without an
 * NSEC3 rdataset, is not an error: there is nothing to delete and
 * ISC_R_SUCCESS is returned.  NSEC3 records for other chains (different
 * parameters) are left alone.  Each matching record is removed from the
 * database immediately via do_one_tuple(), which also appends the
 * deletion to 'diff'.
 *
 * Returns ISC_R_SUCCESS, or the first error from the database, the rdata
 * conversion, or do_one_tuple().
 */
static isc_result_t
delnsec3(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_nsec3_t nsec3;
	dns_rdataset_t rdataset;
	isc_result_t result;

	/* ISC_FALSE: do not create the node if it is absent. */
	result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
	if (result == ISC_R_NOTFOUND)
		return (ISC_R_SUCCESS);
	if (result != ISC_R_SUCCESS)
		return (result);

	dns_rdataset_init(&rdataset);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);

	/* No NSEC3 rdataset at this node: nothing to do. */
	if (result == ISC_R_NOTFOUND) {
		result = ISC_R_SUCCESS;
		goto cleanup_node;
	}
	if (result != ISC_R_SUCCESS)
		goto cleanup_node;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;
		dns_rdataset_current(&rdataset, &rdata);
		/*
		 * NULL mctx: no allocation, so no dns_rdata_freestruct()
		 * is done for 'nsec3' in this function.
		 * NOTE(review): presumably the struct then references the
		 * rdata's own bytes - confirm against dns_rdata_tostruct().
		 */
		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));

		/* Only records of the requested chain are deleted. */
		if (!match_nsec3param(&nsec3, nsec3param))
			continue;

		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
					      rdataset.ttl, &rdata, &tuple);
		if (result != ISC_R_SUCCESS)
			goto failure;
		/* Applies the deletion and records it in 'diff'; frees 'tuple'. */
		result = do_one_tuple(&tuple, db, version, diff);
		if (result != ISC_R_SUCCESS)
			goto failure;
	}
	/* ISC_R_NOMORE is the normal end of iteration. */
	if (result != ISC_R_NOMORE)
		goto failure;
	result = ISC_R_SUCCESS;

 failure:
	dns_rdataset_disassociate(&rdataset);
 cleanup_node:
	dns_db_detachnode(db, &node);

	return (result);
}
438 1.2.2.2 pgoyette
/*
 * Decide whether 'param' (an NSEC3PARAM rdata in wire form) is
 * superseded by an entry of 'nsec3paramset'.
 *
 * Returns ISC_TRUE when 'param' carries the REMOVE flag, or when the set
 * contains a record with the same length, hash algorithm, iterations and
 * salt, without REMOVE, whose CREATE flag is set while 'param' lacks
 * CREATE.  Returns ISC_FALSE otherwise.
 *
 * Entries whose type is not NSEC3PARAM are treated as private-type
 * records and converted with dns_nsec3param_fromprivate(); entries that
 * do not convert are skipped.
 */
static isc_boolean_t
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
	dns_rdataset_t rdataset;
	isc_result_t result;

	/* A parameter set on its way out is always bettered. */
	if (REMOVE(param->data[1]))
		return (ISC_TRUE);

	/*
	 * Walk a clone of the caller's rdataset (presumably so the
	 * caller's own iteration state is not disturbed - verify).
	 */
	dns_rdataset_init(&rdataset);
	dns_rdataset_clone(nsec3paramset, &rdataset);
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		if (rdataset.type != dns_rdatatype_nsec3param) {
			dns_rdata_t tmprdata = DNS_RDATA_INIT;
			dns_rdataset_current(&rdataset, &tmprdata);
			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
							buf, sizeof(buf)))
				continue;
		} else
			dns_rdataset_current(&rdataset, &rdata);

		/*
		 * Wire-level comparison.  data[1] is the flags octet (see
		 * the REMOVE/CREATE tests) and data[4] the salt length
		 * (used as the memcmp() length); data[0] and data[2..3]
		 * are presumably the hash algorithm and iterations.
		 * Equal total length plus equal data[4] keeps the memcmp()
		 * within both buffers, assuming each rdata is well formed
		 * (length == 5 + salt length) - TODO confirm upstream
		 * parsing guarantees this.
		 */
		if (rdata.length != param->length)
			continue;
		if (rdata.data[0] != param->data[0] ||
		    REMOVE(rdata.data[1]) ||
		    rdata.data[2] != param->data[2] ||
		    rdata.data[3] != param->data[3] ||
		    rdata.data[4] != param->data[4] ||
		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
			continue;
		/* Same chain, but the stored copy is the one being created. */
		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
			dns_rdataset_disassociate(&rdataset);
			return (ISC_TRUE);
		}
	}
	dns_rdataset_disassociate(&rdataset);
	return (ISC_FALSE);
}
481 1.2.2.2 pgoyette
/*
 * Scan 'rdataset' for the first NSEC3 record generated with the chain
 * parameters in 'nsec3param', leaving it parsed in '*nsec3'.
 *
 * Returns ISC_R_SUCCESS when a match was found, ISC_R_NOMORE when the
 * rdataset holds none, or the error from dns_rdata_tostruct().
 */
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
	   const dns_rdata_nsec3param_t *nsec3param)
{
	isc_result_t result = dns_rdataset_first(rdataset);

	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, nsec3, NULL);
		if (result != ISC_R_SUCCESS)
			return (result);
		dns_rdata_reset(&rdata);

		/* '*nsec3' now describes the matching record. */
		if (match_nsec3param(nsec3, nsec3param))
			return (ISC_R_SUCCESS);

		result = dns_rdataset_next(rdataset);
	}
	return (result);
}
501 1.2.2.2 pgoyette
502 1.2.2.2 pgoyette isc_result_t
503 1.2.2.2 pgoyette dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
504 1.2.2.2 pgoyette const dns_name_t *name,
505 1.2.2.2 pgoyette const dns_rdata_nsec3param_t *nsec3param,
506 1.2.2.2 pgoyette dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff)
507 1.2.2.2 pgoyette {
508 1.2.2.2 pgoyette dns_dbiterator_t *dbit = NULL;
509 1.2.2.2 pgoyette dns_dbnode_t *node = NULL;
510 1.2.2.2 pgoyette dns_dbnode_t *newnode = NULL;
511 1.2.2.2 pgoyette dns_difftuple_t *tuple = NULL;
512 1.2.2.2 pgoyette dns_fixedname_t fixed;
513 1.2.2.2 pgoyette dns_fixedname_t fprev;
514 1.2.2.2 pgoyette dns_hash_t hash;
515 1.2.2.2 pgoyette dns_name_t *hashname;
516 1.2.2.2 pgoyette dns_name_t *origin;
517 1.2.2.2 pgoyette dns_name_t *prev;
518 1.2.2.2 pgoyette dns_name_t empty;
519 1.2.2.2 pgoyette dns_rdata_nsec3_t nsec3;
520 1.2.2.2 pgoyette dns_rdata_t rdata = DNS_RDATA_INIT;
521 1.2.2.2 pgoyette dns_rdataset_t rdataset;
522 1.2.2.2 pgoyette int pass;
523 1.2.2.2 pgoyette isc_boolean_t exists = ISC_FALSE;
524 1.2.2.2 pgoyette isc_boolean_t maybe_remove_unsecure = ISC_FALSE;
525 1.2.2.2 pgoyette isc_uint8_t flags;
526 1.2.2.2 pgoyette isc_buffer_t buffer;
527 1.2.2.2 pgoyette isc_result_t result;
528 1.2.2.2 pgoyette unsigned char *old_next;
529 1.2.2.2 pgoyette unsigned char *salt;
530 1.2.2.2 pgoyette unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
531 1.2.2.2 pgoyette unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
532 1.2.2.2 pgoyette unsigned int iterations;
533 1.2.2.2 pgoyette unsigned int labels;
534 1.2.2.2 pgoyette size_t next_length;
535 1.2.2.2 pgoyette unsigned int old_length;
536 1.2.2.2 pgoyette unsigned int salt_length;
537 1.2.2.2 pgoyette
538 1.2.2.2 pgoyette hashname = dns_fixedname_initname(&fixed);
539 1.2.2.2 pgoyette prev = dns_fixedname_initname(&fprev);
540 1.2.2.2 pgoyette
541 1.2.2.2 pgoyette dns_rdataset_init(&rdataset);
542 1.2.2.2 pgoyette
543 1.2.2.2 pgoyette origin = dns_db_origin(db);
544 1.2.2.2 pgoyette
545 1.2.2.2 pgoyette /*
546 1.2.2.2 pgoyette * Chain parameters.
547 1.2.2.2 pgoyette */
548 1.2.2.2 pgoyette hash = nsec3param->hash;
549 1.2.2.2 pgoyette iterations = nsec3param->iterations;
550 1.2.2.2 pgoyette salt_length = nsec3param->salt_length;
551 1.2.2.2 pgoyette salt = nsec3param->salt;
552 1.2.2.2 pgoyette
553 1.2.2.2 pgoyette /*
554 1.2.2.2 pgoyette * Default flags for a new chain.
555 1.2.2.2 pgoyette */
556 1.2.2.2 pgoyette flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
557 1.2.2.2 pgoyette
558 1.2.2.2 pgoyette /*
559 1.2.2.2 pgoyette * If this is the first NSEC3 in the chain nexthash will
560 1.2.2.2 pgoyette * remain pointing to itself.
561 1.2.2.2 pgoyette */
562 1.2.2.2 pgoyette next_length = sizeof(nexthash);
563 1.2.2.2 pgoyette CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
564 1.2.2.2 pgoyette name, origin, hash, iterations,
565 1.2.2.2 pgoyette salt, salt_length));
566 1.2.2.2 pgoyette INSIST(next_length <= sizeof(nexthash));
567 1.2.2.2 pgoyette
568 1.2.2.2 pgoyette /*
569 1.2.2.2 pgoyette * Create the node if it doesn't exist and hold
570 1.2.2.2 pgoyette * a reference to it until we have added the NSEC3.
571 1.2.2.2 pgoyette */
572 1.2.2.2 pgoyette CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
573 1.2.2.2 pgoyette
574 1.2.2.2 pgoyette /*
575 1.2.2.2 pgoyette * Seek the iterator to the 'newnode'.
576 1.2.2.2 pgoyette */
577 1.2.2.2 pgoyette CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
578 1.2.2.2 pgoyette CHECK(dns_dbiterator_seek(dbit, hashname));
579 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
580 1.2.2.2 pgoyette result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
581 1.2.2.2 pgoyette 0, (isc_stdtime_t) 0, &rdataset, NULL);
582 1.2.2.2 pgoyette /*
583 1.2.2.2 pgoyette * If we updating a existing NSEC3 then find its
584 1.2.2.2 pgoyette * next field.
585 1.2.2.2 pgoyette */
586 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
587 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
588 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
589 1.2.2.2 pgoyette if (!CREATE(nsec3param->flags))
590 1.2.2.2 pgoyette flags = nsec3.flags;
591 1.2.2.2 pgoyette next_length = nsec3.next_length;
592 1.2.2.2 pgoyette INSIST(next_length <= sizeof(nexthash));
593 1.2.2.2 pgoyette memmove(nexthash, nsec3.next, next_length);
594 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
595 1.2.2.2 pgoyette /*
596 1.2.2.2 pgoyette * If the NSEC3 is not for a unsecure delegation then
597 1.2.2.2 pgoyette * we are just updating it. If it is for a unsecure
598 1.2.2.2 pgoyette * delegation then we need find out if we need to
599 1.2.2.2 pgoyette * remove the NSEC3 record or not by examining the
600 1.2.2.2 pgoyette * previous NSEC3 record.
601 1.2.2.2 pgoyette */
602 1.2.2.2 pgoyette if (!unsecure)
603 1.2.2.2 pgoyette goto addnsec3;
604 1.2.2.2 pgoyette else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
605 1.2.2.2 pgoyette result = dns_nsec3_delnsec3(db, version, name,
606 1.2.2.2 pgoyette nsec3param, diff);
607 1.2.2.2 pgoyette goto failure;
608 1.2.2.2 pgoyette } else
609 1.2.2.2 pgoyette maybe_remove_unsecure = ISC_TRUE;
610 1.2.2.2 pgoyette } else {
611 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
612 1.2.2.2 pgoyette if (result != ISC_R_NOMORE)
613 1.2.2.2 pgoyette goto failure;
614 1.2.2.2 pgoyette }
615 1.2.2.2 pgoyette }
616 1.2.2.2 pgoyette
617 1.2.2.2 pgoyette /*
618 1.2.2.2 pgoyette * Find the previous NSEC3 (if any) and update it if required.
619 1.2.2.2 pgoyette */
620 1.2.2.2 pgoyette pass = 0;
621 1.2.2.2 pgoyette do {
622 1.2.2.2 pgoyette result = dns_dbiterator_prev(dbit);
623 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
624 1.2.2.2 pgoyette pass++;
625 1.2.2.2 pgoyette CHECK(dns_dbiterator_last(dbit));
626 1.2.2.2 pgoyette }
627 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, prev));
628 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
629 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version,
630 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
631 1.2.2.2 pgoyette (isc_stdtime_t) 0, &rdataset,
632 1.2.2.2 pgoyette NULL);
633 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
634 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
635 1.2.2.2 pgoyette continue;
636 1.2.2.2 pgoyette
637 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
638 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
639 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
640 1.2.2.2 pgoyette continue;
641 1.2.2.2 pgoyette }
642 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
643 1.2.2.2 pgoyette goto failure;
644 1.2.2.2 pgoyette
645 1.2.2.2 pgoyette if (maybe_remove_unsecure) {
646 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
647 1.2.2.2 pgoyette /*
648 1.2.2.2 pgoyette * If we have OPTOUT set in the previous NSEC3 record
649 1.2.2.2 pgoyette * we actually need to delete the NSEC3 record.
650 1.2.2.2 pgoyette * Otherwise we just need to replace the NSEC3 record.
651 1.2.2.2 pgoyette */
652 1.2.2.2 pgoyette if (OPTOUT(nsec3.flags)) {
653 1.2.2.2 pgoyette result = dns_nsec3_delnsec3(db, version, name,
654 1.2.2.2 pgoyette nsec3param, diff);
655 1.2.2.2 pgoyette goto failure;
656 1.2.2.2 pgoyette }
657 1.2.2.2 pgoyette goto addnsec3;
658 1.2.2.2 pgoyette } else {
659 1.2.2.2 pgoyette /*
660 1.2.2.2 pgoyette * Is this is a unsecure delegation we are adding?
661 1.2.2.2 pgoyette * If so no change is required.
662 1.2.2.2 pgoyette */
663 1.2.2.2 pgoyette if (OPTOUT(nsec3.flags) && unsecure) {
664 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
665 1.2.2.2 pgoyette goto failure;
666 1.2.2.2 pgoyette }
667 1.2.2.2 pgoyette }
668 1.2.2.2 pgoyette
669 1.2.2.2 pgoyette old_next = nsec3.next;
670 1.2.2.2 pgoyette old_length = nsec3.next_length;
671 1.2.2.2 pgoyette
672 1.2.2.2 pgoyette /*
673 1.2.2.2 pgoyette * Delete the old previous NSEC3.
674 1.2.2.2 pgoyette */
675 1.2.2.2 pgoyette CHECK(delnsec3(db, version, prev, nsec3param, diff));
676 1.2.2.2 pgoyette
677 1.2.2.2 pgoyette /*
678 1.2.2.2 pgoyette * Fixup the previous NSEC3.
679 1.2.2.2 pgoyette */
680 1.2.2.2 pgoyette nsec3.next = nexthash;
681 1.2.2.2 pgoyette nsec3.next_length = (unsigned char)next_length;
682 1.2.2.2 pgoyette isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
683 1.2.2.2 pgoyette CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
684 1.2.2.2 pgoyette dns_rdatatype_nsec3, &nsec3,
685 1.2.2.2 pgoyette &buffer));
686 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
687 1.2.2.2 pgoyette rdataset.ttl, &rdata, &tuple));
688 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
689 1.2.2.2 pgoyette INSIST(old_length <= sizeof(nexthash));
690 1.2.2.2 pgoyette memmove(nexthash, old_next, old_length);
691 1.2.2.2 pgoyette if (!CREATE(nsec3param->flags))
692 1.2.2.2 pgoyette flags = nsec3.flags;
693 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
694 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
695 1.2.2.2 pgoyette break;
696 1.2.2.2 pgoyette } while (pass < 2);
697 1.2.2.2 pgoyette
698 1.2.2.2 pgoyette addnsec3:
699 1.2.2.2 pgoyette /*
700 1.2.2.2 pgoyette * Create the NSEC3 RDATA.
701 1.2.2.2 pgoyette */
702 1.2.2.2 pgoyette CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
703 1.2.2.2 pgoyette CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
704 1.2.2.2 pgoyette salt, salt_length, nexthash, next_length,
705 1.2.2.2 pgoyette nsec3buf, &rdata));
706 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
707 1.2.2.2 pgoyette
708 1.2.2.2 pgoyette /*
709 1.2.2.2 pgoyette * Delete the old NSEC3 and record the change.
710 1.2.2.2 pgoyette */
711 1.2.2.2 pgoyette CHECK(delnsec3(db, version, hashname, nsec3param, diff));
712 1.2.2.2 pgoyette /*
713 1.2.2.2 pgoyette * Add the new NSEC3 and record the change.
714 1.2.2.2 pgoyette */
715 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
716 1.2.2.2 pgoyette hashname, nsecttl, &rdata, &tuple));
717 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
718 1.2.2.2 pgoyette INSIST(tuple == NULL);
719 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
720 1.2.2.2 pgoyette dns_db_detachnode(db, &newnode);
721 1.2.2.2 pgoyette
722 1.2.2.2 pgoyette /*
723 1.2.2.2 pgoyette * Add missing NSEC3 records for empty nodes
724 1.2.2.2 pgoyette */
725 1.2.2.2 pgoyette dns_name_init(&empty, NULL);
726 1.2.2.2 pgoyette dns_name_clone(name, &empty);
727 1.2.2.2 pgoyette do {
728 1.2.2.2 pgoyette labels = dns_name_countlabels(&empty) - 1;
729 1.2.2.2 pgoyette if (labels <= dns_name_countlabels(origin))
730 1.2.2.2 pgoyette break;
731 1.2.2.2 pgoyette dns_name_getlabelsequence(&empty, 1, labels, &empty);
732 1.2.2.2 pgoyette CHECK(name_exists(db, version, &empty, &exists));
733 1.2.2.2 pgoyette if (exists)
734 1.2.2.2 pgoyette break;
735 1.2.2.2 pgoyette CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
736 1.2.2.2 pgoyette &empty, origin, hash, iterations,
737 1.2.2.2 pgoyette salt, salt_length));
738 1.2.2.2 pgoyette
739 1.2.2.2 pgoyette /*
740 1.2.2.2 pgoyette * Create the node if it doesn't exist and hold
741 1.2.2.2 pgoyette * a reference to it until we have added the NSEC3
742 1.2.2.2 pgoyette * or we discover we don't need to add make a change.
743 1.2.2.2 pgoyette */
744 1.2.2.2 pgoyette CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
745 1.2.2.2 pgoyette result = dns_db_findrdataset(db, newnode, version,
746 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
747 1.2.2.2 pgoyette (isc_stdtime_t) 0, &rdataset,
748 1.2.2.2 pgoyette NULL);
749 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
750 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
751 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
752 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
753 1.2.2.2 pgoyette dns_db_detachnode(db, &newnode);
754 1.2.2.2 pgoyette break;
755 1.2.2.2 pgoyette }
756 1.2.2.2 pgoyette if (result != ISC_R_NOMORE)
757 1.2.2.2 pgoyette goto failure;
758 1.2.2.2 pgoyette }
759 1.2.2.2 pgoyette
760 1.2.2.2 pgoyette /*
761 1.2.2.2 pgoyette * Find the previous NSEC3 and update it.
762 1.2.2.2 pgoyette */
763 1.2.2.2 pgoyette CHECK(dns_dbiterator_seek(dbit, hashname));
764 1.2.2.2 pgoyette pass = 0;
765 1.2.2.2 pgoyette do {
766 1.2.2.2 pgoyette result = dns_dbiterator_prev(dbit);
767 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
768 1.2.2.2 pgoyette pass++;
769 1.2.2.2 pgoyette CHECK(dns_dbiterator_last(dbit));
770 1.2.2.2 pgoyette }
771 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, prev));
772 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
773 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version,
774 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
775 1.2.2.2 pgoyette (isc_stdtime_t) 0,
776 1.2.2.2 pgoyette &rdataset, NULL);
777 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
778 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
779 1.2.2.2 pgoyette continue;
780 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
781 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
782 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
783 1.2.2.2 pgoyette continue;
784 1.2.2.2 pgoyette }
785 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
786 1.2.2.2 pgoyette goto failure;
787 1.2.2.2 pgoyette
788 1.2.2.2 pgoyette old_next = nsec3.next;
789 1.2.2.2 pgoyette old_length = nsec3.next_length;
790 1.2.2.2 pgoyette
791 1.2.2.2 pgoyette /*
792 1.2.2.2 pgoyette * Delete the old previous NSEC3.
793 1.2.2.2 pgoyette */
794 1.2.2.2 pgoyette CHECK(delnsec3(db, version, prev, nsec3param, diff));
795 1.2.2.2 pgoyette
796 1.2.2.2 pgoyette /*
797 1.2.2.2 pgoyette * Fixup the previous NSEC3.
798 1.2.2.2 pgoyette */
799 1.2.2.2 pgoyette nsec3.next = nexthash;
800 1.2.2.2 pgoyette nsec3.next_length = (unsigned char)next_length;
801 1.2.2.2 pgoyette isc_buffer_init(&buffer, nsec3buf,
802 1.2.2.2 pgoyette sizeof(nsec3buf));
803 1.2.2.2 pgoyette CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
804 1.2.2.2 pgoyette dns_rdatatype_nsec3, &nsec3,
805 1.2.2.2 pgoyette &buffer));
806 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
807 1.2.2.2 pgoyette prev, rdataset.ttl, &rdata,
808 1.2.2.2 pgoyette &tuple));
809 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
810 1.2.2.2 pgoyette INSIST(old_length <= sizeof(nexthash));
811 1.2.2.2 pgoyette memmove(nexthash, old_next, old_length);
812 1.2.2.2 pgoyette if (!CREATE(nsec3param->flags))
813 1.2.2.2 pgoyette flags = nsec3.flags;
814 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
815 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
816 1.2.2.2 pgoyette break;
817 1.2.2.2 pgoyette } while (pass < 2);
818 1.2.2.2 pgoyette
819 1.2.2.2 pgoyette INSIST(pass < 2);
820 1.2.2.2 pgoyette
821 1.2.2.2 pgoyette /*
822 1.2.2.2 pgoyette * Create the NSEC3 RDATA for the empty node.
823 1.2.2.2 pgoyette */
824 1.2.2.2 pgoyette CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
825 1.2.2.2 pgoyette iterations, salt, salt_length,
826 1.2.2.2 pgoyette nexthash, next_length, nsec3buf,
827 1.2.2.2 pgoyette &rdata));
828 1.2.2.2 pgoyette /*
829 1.2.2.2 pgoyette * Delete the old NSEC3 and record the change.
830 1.2.2.2 pgoyette */
831 1.2.2.2 pgoyette CHECK(delnsec3(db, version, hashname, nsec3param, diff));
832 1.2.2.2 pgoyette
833 1.2.2.2 pgoyette /*
834 1.2.2.2 pgoyette * Add the new NSEC3 and record the change.
835 1.2.2.2 pgoyette */
836 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
837 1.2.2.2 pgoyette hashname, nsecttl, &rdata, &tuple));
838 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
839 1.2.2.2 pgoyette INSIST(tuple == NULL);
840 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
841 1.2.2.2 pgoyette dns_db_detachnode(db, &newnode);
842 1.2.2.2 pgoyette } while (1);
843 1.2.2.2 pgoyette
844 1.2.2.2 pgoyette /* result cannot be ISC_R_NOMORE here */
845 1.2.2.2 pgoyette INSIST(result != ISC_R_NOMORE);
846 1.2.2.2 pgoyette
847 1.2.2.2 pgoyette failure:
848 1.2.2.2 pgoyette if (dbit != NULL)
849 1.2.2.2 pgoyette dns_dbiterator_destroy(&dbit);
850 1.2.2.2 pgoyette if (dns_rdataset_isassociated(&rdataset))
851 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
852 1.2.2.2 pgoyette if (node != NULL)
853 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
854 1.2.2.2 pgoyette if (newnode != NULL)
855 1.2.2.2 pgoyette dns_db_detachnode(db, &newnode);
856 1.2.2.2 pgoyette return (result);
857 1.2.2.2 pgoyette }
858 1.2.2.2 pgoyette
/*%
 * Add NSEC3 records for "name" to every active NSEC3 chain of the zone,
 * recording each change in "diff".  Existing NSEC3 records for "name"
 * are replaced.
 *
 * A zone without NSEC3PARAM records needs no work and yields
 * ISC_R_SUCCESS.  Chains whose NSEC3PARAM flags field is non-zero are
 * not treated as active and are left alone.
 */
isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_ttl_t nsecttl,
		    isc_boolean_t unsecure, dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	/*
	 * The NSEC3PARAM records live at the zone apex.
	 */
	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	dns_db_detachnode(db, &node);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		/* No NSEC3 chains at all: nothing to add. */
		return (ISC_R_SUCCESS);
	default:
		return (result);
	}

	/*
	 * Walk the NSEC3PARAM records and update each active chain.
	 */
	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

		/*
		 * Only a chain with a zero flags field counts as active.
		 */
		if (nsec3param.flags == 0) {
			CHECK(dns_nsec3_addnsec3(db, version, name,
						 &nsec3param, nsecttl,
						 unsecure, diff));
		}
		result = dns_rdataset_next(&rdataset);
	}
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);

	return (result);
}
921 1.2.2.2 pgoyette
/*%
 * Decode the private-type record 'src' into an NSEC3PARAM rdata in
 * 'target', using 'buf' (of 'buflen' bytes) as the rdata storage.
 *
 * Returns ISC_TRUE when 'src' carried an NSEC3PARAM, i.e. its first
 * octet is zero (the reserved algorithm number that marks such records)
 * and the remainder parses as NSEC3PARAM wire format; ISC_FALSE
 * otherwise.  'target' then refers to 'buf', which the caller owns.
 */
isc_boolean_t
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
			   unsigned char *buf, size_t buflen)
{
	dns_decompress_t dctx;
	isc_buffer_t source;
	isc_buffer_t sink;
	isc_result_t result;
	unsigned int payload;

	/*
	 * Algorithm 0 (reserved by RFC 4034) marks the private record as
	 * an NSEC3PARAM rather than a DNSKEY pointer.
	 */
	if (src->length < 1 || src->data[0] != 0)
		return (ISC_FALSE);

	/*
	 * Everything after the marker octet is NSEC3PARAM wire format;
	 * expose all of it as the active region of 'source'.
	 */
	payload = src->length - 1;
	isc_buffer_init(&source, src->data + 1, payload);
	isc_buffer_add(&source, payload);
	isc_buffer_setactive(&source, payload);

	isc_buffer_init(&sink, buf, (unsigned int)buflen);
	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
	result = dns_rdata_fromwire(target, src->rdclass,
				    dns_rdatatype_nsec3param,
				    &source, &dctx, 0, &sink);
	dns_decompress_invalidate(&dctx);

	return (ISC_TF(result == ISC_R_SUCCESS));
}
950 1.2.2.2 pgoyette
/*%
 * Wrap the NSEC3PARAM rdata 'src' as a record of type 'privatetype':
 * 'buf' receives a copy of the source rdata preceded by a zero octet
 * (the algorithm-0 marker), and 'target' is pointed at it.
 *
 * 'buf' must hold at least src->length + 1 bytes and 'target' must be an
 * initialized rdata; both are checked with REQUIRE.  'target' keeps
 * referring to 'buf', so the caller owns both for as long as it uses them.
 */
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
			 dns_rdatatype_t privatetype,
			 unsigned char *buf, size_t buflen)
{
	REQUIRE(buflen >= src->length + 1);
	REQUIRE(DNS_RDATA_INITIALIZED(target));

	/* Copy the rdata behind the marker, then write the marker. */
	memmove(buf + 1, src->data, src->length);
	buf[0] = 0;

	target->data = buf;
	target->length = src->length + 1;
	target->rdclass = src->rdclass;
	target->type = privatetype;
	target->flags = 0;
	ISC_LINK_INIT(target, link);
}
969 1.2.2.2 pgoyette
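/*%
 * Test whether 'rdata' is present at 'name' in version 'ver' of 'db'.
 * On ISC_R_SUCCESS, '*flag' tells whether it was found.
 *
 * NSEC3 records are looked up in the NSEC3 tree, anything else in the
 * main tree.  A node that exists without the rdataset is not an error:
 * ISC_R_SUCCESS is returned with '*flag' cleared.  A node lookup
 * failure, or any rdataset lookup failure other than ISC_R_NOTFOUND,
 * is returned unchanged and '*flag' is left untouched.
 */
static isc_result_t
rr_exists(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	  const dns_rdata_t *rdata, isc_boolean_t *flag)
{
	dns_rdataset_t rdataset;
	dns_dbnode_t *node = NULL;
	isc_result_t result;

	dns_rdataset_init(&rdataset);
	if (rdata->type == dns_rdatatype_nsec3)
		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
	else
		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*flag = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto failure;
	}
	/*
	 * Any other failure leaves 'rdataset' unassociated, so it must
	 * not reach the iteration below.
	 */
	if (result != ISC_R_SUCCESS)
		goto failure;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t myrdata = DNS_RDATA_INIT;
		dns_rdataset_current(&rdataset, &myrdata);
		/* A zero return from casecompare() is a match. */
		if (!dns_rdata_casecompare(&myrdata, rdata))
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		/* Left the loop early: a matching rdata was seen. */
		*flag = ISC_TRUE;
	} else if (result == ISC_R_NOMORE) {
		/* Exhausted the rdataset without a match. */
		*flag = ISC_FALSE;
		result = ISC_R_SUCCESS;
	}

 failure:
	if (node != NULL)
		dns_db_detachnode(db, &node);
	return (result);
}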
1012 1.2.2.2 pgoyette
/*%
 * Write the salt of 'nsec3param' into 'dst' as NUL-terminated text:
 * "-" when the salt is empty, otherwise the hex encoding produced by
 * isc_hex_totext().
 *
 * Returns ISC_R_NOSPACE when 'dstlen' cannot hold the text plus its
 * terminating NUL, any error reported by the hex encoder, or
 * ISC_R_SUCCESS.
 */
isc_result_t
dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
			  size_t dstlen)
{
	isc_buffer_t target;
	isc_region_t salt;
	isc_result_t result;

	REQUIRE(nsec3param != NULL);
	REQUIRE(dst != NULL);

	/*
	 * The empty salt is written in its presentation form, "-".
	 */
	if (nsec3param->salt_length == 0) {
		if (dstlen < 2U)
			return (ISC_R_NOSPACE);
		strlcpy(dst, "-", dstlen);
		return (ISC_R_SUCCESS);
	}

	salt.base = nsec3param->salt;
	salt.length = nsec3param->salt_length;
	isc_buffer_init(&target, dst, (unsigned int)dstlen);

	result = isc_hex_totext(&salt, 2, "", &target);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * Append the terminating NUL ourselves, after checking that the
	 * hex text left room for it.
	 */
	if (isc_buffer_availablelength(&target) < 1)
		return (ISC_R_NOSPACE);
	isc_buffer_putuint8(&target, 0);

	return (ISC_R_SUCCESS);
}
1048 1.2.2.2 pgoyette
/*%
 * Schedule the removal of every NSEC3 chain of 'zone', recording the
 * changes in 'diff'.
 *
 * Each NSEC3PARAM record at the origin is deleted and replaced by a
 * private-type record carrying the same parameters with the REMOVE flag
 * set (plus NONSEC when 'nonsec' is set).  Existing private-type
 * records that decode as NSEC3PARAM and do not yet carry those flags
 * are rewritten the same way.  The private-type pass is skipped when
 * the zone has no private type (0).
 *
 * Returns ISC_R_SUCCESS, or the first database/diff error encountered.
 */
isc_result_t
dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
			    dns_zone_t *zone, isc_boolean_t nonsec,
			    dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_name_t next;	/* NOTE(review): initialized but never used here */
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdataset_t rdataset;
	isc_boolean_t flag;
	isc_result_t result = ISC_R_SUCCESS;
	/* One extra octet for the marker prepended by toprivate(). */
	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
	dns_name_t *origin = dns_zone_getorigin(zone);
	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

	dns_name_init(&next, NULL);
	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * Cause all NSEC3 chains to be deleted.
	 */
	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
				     0, (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t private = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);

		/*
		 * Drop the published NSEC3PARAM itself.
		 */
		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   rdataset.ttl, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/*
		 * Re-express it as a private record and set its flags
		 * octet, which sits at buf[2] after the marker and hash
		 * octets, to request removal of the chain.
		 */
		dns_nsec3param_toprivate(&rdata, &private, privatetype,
					 buf, sizeof(buf));
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec)
			buf[2] |= DNS_NSEC3FLAG_NONSEC;

		/*
		 * Only add the private record if an identical one is
		 * not already present at the origin.
		 */
		CHECK(rr_exists(db, ver, origin, &private, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &private,
						   &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
		dns_rdata_reset(&rdata);
	}
	if (result != ISC_R_NOMORE)
		goto failure;

	dns_rdataset_disassociate(&rdataset);

 try_private:
	if (privatetype == 0)
		goto success;
	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
				     (isc_stdtime_t) 0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_reset(&rdata);
		dns_rdataset_current(&rdataset, &rdata);
		/* Work on a private copy so the flags can be rewritten. */
		INSIST(rdata.length <= sizeof(buf));
		memmove(buf, rdata.data, rdata.length);

		/*
		 * Private NSEC3 record length >= 6.
		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
		 * Skip records that are not NSEC3PARAM markers, that
		 * already carry REMOVE, or that already carry NONSEC
		 * when 'nonsec' is requested.
		 */
		if (rdata.length < 6 || buf[0] != 0 ||
		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
			continue;

		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   0, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/*
		 * Point the rdata at the local copy and rewrite its flags
		 * octet; the re-added record carries the removal request.
		 */
		rdata.data = buf;
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec)
			buf[2] |= DNS_NSEC3FLAG_NONSEC;

		CHECK(rr_exists(db, ver, origin, &rdata, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &rdata, &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
	}
	if (result != ISC_R_NOMORE)
		goto failure;
 success:
	result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	dns_db_detachnode(db, &node);
	return (result);
}
1173 1.2.2.2 pgoyette
/*%
 * Like dns_nsec3_addnsec3s(), but additionally updates the chains
 * described by records of the private type 'type' at the origin.
 *
 * The published NSEC3PARAM records are processed first (active chains
 * only, i.e. flags == 0).  Then every private-type record that decodes
 * as NSEC3PARAM, is not flagged REMOVE, and is not rejected by
 * better_param() also gets NSEC3 records for 'name'.  All changes are
 * recorded in 'diff'.
 *
 * Returns ISC_R_SUCCESS, or the first database/diff error encountered.
 */
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_ttl_t nsecttl,
		     isc_boolean_t unsecure, dns_rdatatype_t type,
		     dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;	/* NSEC3PARAM records at the origin */
	dns_rdataset_t prdataset;	/* private-type records at the origin */
	isc_result_t result;

	dns_rdataset_init(&rdataset);
	dns_rdataset_init(&prdataset);

	/*
	 * Find the NSEC3 parameters for this zone.
	 */
	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * Fetch the private-type records up front; their absence is not
	 * an error and is detected later with dns_rdataset_isassociated().
	 */
	result = dns_db_findrdataset(db, node, version, type, 0, 0,
				     &prdataset, NULL);
	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
		goto failure;

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each active NSEC3 chain.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

		/* Only a chain with a zero flags field counts as active. */
		if (nsec3param.flags != 0)
			continue;

		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
					 nsecttl, unsecure, diff));
	}
	if (result != ISC_R_NOMORE)
		goto failure;

	dns_rdataset_disassociate(&rdataset);

 try_private:
	if (!dns_rdataset_isassociated(&prdataset))
		goto success;
	/*
	 * Update each chain described by a private-type record.
	 */
	for (result = dns_rdataset_first(&prdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&prdataset)) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;	/* private record */
		dns_rdata_t rdata2 = DNS_RDATA_INIT;	/* decoded NSEC3PARAM */
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&prdataset, &rdata1);
		/*
		 * Private records that are not NSEC3PARAM markers are
		 * ignored.
		 */
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
						buf, sizeof(buf)))
			continue;
		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));

		/* A chain scheduled for removal gets no new records. */
		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
			continue;
		/*
		 * Skipped when better_param() prefers another record;
		 * its rule is defined elsewhere in this file.
		 */
		if (better_param(&prdataset, &rdata2))
			continue;

		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
					 nsecttl, unsecure, diff));
	}
	/*
	 * The label sits inside the 'if': leaving the loop with
	 * ISC_R_NOMORE becomes success, while any other result falls
	 * through to 'failure' and is returned unchanged.
	 */
	if (result == ISC_R_NOMORE)
 success:
		result = ISC_R_SUCCESS;
 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (dns_rdataset_isassociated(&prdataset))
		dns_rdataset_disassociate(&prdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);

	return (result);
}
1277 1.2.2.2 pgoyette
/*%
 * Decide whether the NSEC3 records that were associated with 'name'
 * should be deleted or kept.
 *
 * 'name' is looked up in version 'ver' of 'db'.  On ISC_R_SUCCESS,
 * '*yesno' is ISC_FALSE (keep) when the lookup yields ISC_R_SUCCESS,
 * DNS_R_EMPTYNAME or DNS_R_ZONECUT, and ISC_TRUE (delete) when it
 * yields DNS_R_GLUE, DNS_R_DNAME, DNS_R_DELEGATION or DNS_R_NXDOMAIN.
 * Any other lookup result is returned unchanged; '*yesno' is then set
 * to ISC_TRUE only so the out-parameter is never left undefined.
 */
static isc_result_t
deleteit(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	 isc_boolean_t *yesno)
{
	dns_fixedname_t foundname;
	isc_result_t result;

	dns_fixedname_init(&foundname);
	result = dns_db_find(db, name, ver, dns_rdatatype_any,
			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
			     (isc_stdtime_t) 0, NULL,
			     dns_fixedname_name(&foundname),
			     NULL, NULL);

	switch (result) {
	case ISC_R_SUCCESS:
	case DNS_R_EMPTYNAME:
	case DNS_R_ZONECUT:
		/* The name is still covered by the zone: keep its NSEC3s. */
		*yesno = ISC_FALSE;
		return (ISC_R_SUCCESS);
	case DNS_R_GLUE:
	case DNS_R_DNAME:
	case DNS_R_DELEGATION:
	case DNS_R_NXDOMAIN:
		/* Nothing authoritative left at the name: delete them. */
		*yesno = ISC_TRUE;
		return (ISC_R_SUCCESS);
	default:
		/*
		 * Lookup error.  The value only keeps '*yesno' defined
		 * for the caller; the error itself is what matters.
		 */
		*yesno = ISC_TRUE;
		return (result);
	}
}
1313 1.2.2.2 pgoyette
1314 1.2.2.2 pgoyette isc_result_t
1315 1.2.2.2 pgoyette dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
1316 1.2.2.2 pgoyette const dns_name_t *name,
1317 1.2.2.2 pgoyette const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
1318 1.2.2.2 pgoyette {
1319 1.2.2.2 pgoyette dns_dbiterator_t *dbit = NULL;
1320 1.2.2.2 pgoyette dns_dbnode_t *node = NULL;
1321 1.2.2.2 pgoyette dns_difftuple_t *tuple = NULL;
1322 1.2.2.2 pgoyette dns_fixedname_t fixed;
1323 1.2.2.2 pgoyette dns_fixedname_t fprev;
1324 1.2.2.2 pgoyette dns_hash_t hash;
1325 1.2.2.2 pgoyette dns_name_t *hashname;
1326 1.2.2.2 pgoyette dns_name_t *origin;
1327 1.2.2.2 pgoyette dns_name_t *prev;
1328 1.2.2.2 pgoyette dns_name_t empty;
1329 1.2.2.2 pgoyette dns_rdata_nsec3_t nsec3;
1330 1.2.2.2 pgoyette dns_rdata_t rdata = DNS_RDATA_INIT;
1331 1.2.2.2 pgoyette dns_rdataset_t rdataset;
1332 1.2.2.2 pgoyette int pass;
1333 1.2.2.2 pgoyette isc_boolean_t yesno;
1334 1.2.2.2 pgoyette isc_buffer_t buffer;
1335 1.2.2.2 pgoyette isc_result_t result;
1336 1.2.2.2 pgoyette unsigned char *salt;
1337 1.2.2.2 pgoyette unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
1338 1.2.2.2 pgoyette unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
1339 1.2.2.2 pgoyette unsigned int iterations;
1340 1.2.2.2 pgoyette unsigned int labels;
1341 1.2.2.2 pgoyette size_t next_length;
1342 1.2.2.2 pgoyette unsigned int salt_length;
1343 1.2.2.2 pgoyette
1344 1.2.2.2 pgoyette hashname = dns_fixedname_initname(&fixed);
1345 1.2.2.2 pgoyette prev = dns_fixedname_initname(&fprev);
1346 1.2.2.2 pgoyette
1347 1.2.2.2 pgoyette dns_rdataset_init(&rdataset);
1348 1.2.2.2 pgoyette
1349 1.2.2.2 pgoyette origin = dns_db_origin(db);
1350 1.2.2.2 pgoyette
1351 1.2.2.2 pgoyette /*
1352 1.2.2.2 pgoyette * Chain parameters.
1353 1.2.2.2 pgoyette */
1354 1.2.2.2 pgoyette hash = nsec3param->hash;
1355 1.2.2.2 pgoyette iterations = nsec3param->iterations;
1356 1.2.2.2 pgoyette salt_length = nsec3param->salt_length;
1357 1.2.2.2 pgoyette salt = nsec3param->salt;
1358 1.2.2.2 pgoyette
1359 1.2.2.2 pgoyette /*
1360 1.2.2.2 pgoyette * If this is the first NSEC3 in the chain nexthash will
1361 1.2.2.2 pgoyette * remain pointing to itself.
1362 1.2.2.2 pgoyette */
1363 1.2.2.2 pgoyette next_length = sizeof(nexthash);
1364 1.2.2.2 pgoyette CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
1365 1.2.2.2 pgoyette name, origin, hash, iterations,
1366 1.2.2.2 pgoyette salt, salt_length));
1367 1.2.2.2 pgoyette
1368 1.2.2.2 pgoyette CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
1369 1.2.2.2 pgoyette
1370 1.2.2.2 pgoyette result = dns_dbiterator_seek(dbit, hashname);
1371 1.2.2.2 pgoyette if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
1372 1.2.2.2 pgoyette goto success;
1373 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1374 1.2.2.2 pgoyette goto failure;
1375 1.2.2.2 pgoyette
1376 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, NULL));
1377 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
1378 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
1379 1.2.2.2 pgoyette 0, (isc_stdtime_t) 0, &rdataset, NULL);
1380 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
1381 1.2.2.2 pgoyette if (result == ISC_R_NOTFOUND)
1382 1.2.2.2 pgoyette goto success;
1383 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1384 1.2.2.2 pgoyette goto failure;
1385 1.2.2.2 pgoyette
1386 1.2.2.2 pgoyette /*
1387 1.2.2.2 pgoyette * If we find a existing NSEC3 for this chain then save the
1388 1.2.2.2 pgoyette * next field.
1389 1.2.2.2 pgoyette */
1390 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
1391 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
1392 1.2.2.2 pgoyette next_length = nsec3.next_length;
1393 1.2.2.2 pgoyette INSIST(next_length <= sizeof(nexthash));
1394 1.2.2.2 pgoyette memmove(nexthash, nsec3.next, next_length);
1395 1.2.2.2 pgoyette }
1396 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1397 1.2.2.2 pgoyette if (result == ISC_R_NOMORE)
1398 1.2.2.2 pgoyette goto success;
1399 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1400 1.2.2.2 pgoyette goto failure;
1401 1.2.2.2 pgoyette
1402 1.2.2.2 pgoyette /*
1403 1.2.2.2 pgoyette * Find the previous NSEC3 and update it.
1404 1.2.2.2 pgoyette */
1405 1.2.2.2 pgoyette pass = 0;
1406 1.2.2.2 pgoyette do {
1407 1.2.2.2 pgoyette result = dns_dbiterator_prev(dbit);
1408 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
1409 1.2.2.2 pgoyette pass++;
1410 1.2.2.2 pgoyette CHECK(dns_dbiterator_last(dbit));
1411 1.2.2.2 pgoyette }
1412 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, prev));
1413 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
1414 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version,
1415 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
1416 1.2.2.2 pgoyette (isc_stdtime_t) 0, &rdataset,
1417 1.2.2.2 pgoyette NULL);
1418 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
1419 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1420 1.2.2.2 pgoyette continue;
1421 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
1422 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
1423 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1424 1.2.2.2 pgoyette continue;
1425 1.2.2.2 pgoyette }
1426 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1427 1.2.2.2 pgoyette goto failure;
1428 1.2.2.2 pgoyette
1429 1.2.2.2 pgoyette /*
1430 1.2.2.2 pgoyette * Delete the old previous NSEC3.
1431 1.2.2.2 pgoyette */
1432 1.2.2.2 pgoyette CHECK(delnsec3(db, version, prev, nsec3param, diff));
1433 1.2.2.2 pgoyette
1434 1.2.2.2 pgoyette /*
1435 1.2.2.2 pgoyette * Fixup the previous NSEC3.
1436 1.2.2.2 pgoyette */
1437 1.2.2.2 pgoyette nsec3.next = nexthash;
1438 1.2.2.2 pgoyette nsec3.next_length = (unsigned char)next_length;
1439 1.2.2.2 pgoyette if (CREATE(nsec3param->flags))
1440 1.2.2.2 pgoyette nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
1441 1.2.2.2 pgoyette isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1442 1.2.2.2 pgoyette CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1443 1.2.2.2 pgoyette dns_rdatatype_nsec3, &nsec3,
1444 1.2.2.2 pgoyette &buffer));
1445 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
1446 1.2.2.2 pgoyette rdataset.ttl, &rdata, &tuple));
1447 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
1448 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
1449 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1450 1.2.2.2 pgoyette break;
1451 1.2.2.2 pgoyette } while (pass < 2);
1452 1.2.2.2 pgoyette
1453 1.2.2.2 pgoyette /*
1454 1.2.2.2 pgoyette * Delete the old NSEC3 and record the change.
1455 1.2.2.2 pgoyette */
1456 1.2.2.2 pgoyette CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1457 1.2.2.2 pgoyette
1458 1.2.2.2 pgoyette /*
1459 1.2.2.2 pgoyette * Delete NSEC3 records for now non active nodes.
1460 1.2.2.2 pgoyette */
1461 1.2.2.2 pgoyette dns_name_init(&empty, NULL);
1462 1.2.2.2 pgoyette dns_name_clone(name, &empty);
1463 1.2.2.2 pgoyette do {
1464 1.2.2.2 pgoyette labels = dns_name_countlabels(&empty) - 1;
1465 1.2.2.2 pgoyette if (labels <= dns_name_countlabels(origin))
1466 1.2.2.2 pgoyette break;
1467 1.2.2.2 pgoyette dns_name_getlabelsequence(&empty, 1, labels, &empty);
1468 1.2.2.2 pgoyette CHECK(deleteit(db, version, &empty, &yesno));
1469 1.2.2.2 pgoyette if (!yesno)
1470 1.2.2.2 pgoyette break;
1471 1.2.2.2 pgoyette
1472 1.2.2.2 pgoyette CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
1473 1.2.2.2 pgoyette &empty, origin, hash, iterations,
1474 1.2.2.2 pgoyette salt, salt_length));
1475 1.2.2.2 pgoyette result = dns_dbiterator_seek(dbit, hashname);
1476 1.2.2.2 pgoyette if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
1477 1.2.2.2 pgoyette goto success;
1478 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1479 1.2.2.2 pgoyette goto failure;
1480 1.2.2.2 pgoyette
1481 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, NULL));
1482 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
1483 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version,
1484 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
1485 1.2.2.2 pgoyette (isc_stdtime_t) 0, &rdataset,
1486 1.2.2.2 pgoyette NULL);
1487 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
1488 1.2.2.2 pgoyette if (result == ISC_R_NOTFOUND)
1489 1.2.2.2 pgoyette goto success;
1490 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1491 1.2.2.2 pgoyette goto failure;
1492 1.2.2.2 pgoyette
1493 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
1494 1.2.2.2 pgoyette if (result == ISC_R_SUCCESS) {
1495 1.2.2.2 pgoyette next_length = nsec3.next_length;
1496 1.2.2.2 pgoyette INSIST(next_length <= sizeof(nexthash));
1497 1.2.2.2 pgoyette memmove(nexthash, nsec3.next, next_length);
1498 1.2.2.2 pgoyette }
1499 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1500 1.2.2.2 pgoyette if (result == ISC_R_NOMORE)
1501 1.2.2.2 pgoyette goto success;
1502 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1503 1.2.2.2 pgoyette goto failure;
1504 1.2.2.2 pgoyette
1505 1.2.2.2 pgoyette pass = 0;
1506 1.2.2.2 pgoyette do {
1507 1.2.2.2 pgoyette result = dns_dbiterator_prev(dbit);
1508 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
1509 1.2.2.2 pgoyette pass++;
1510 1.2.2.2 pgoyette CHECK(dns_dbiterator_last(dbit));
1511 1.2.2.2 pgoyette }
1512 1.2.2.2 pgoyette CHECK(dns_dbiterator_current(dbit, &node, prev));
1513 1.2.2.2 pgoyette CHECK(dns_dbiterator_pause(dbit));
1514 1.2.2.2 pgoyette result = dns_db_findrdataset(db, node, version,
1515 1.2.2.2 pgoyette dns_rdatatype_nsec3, 0,
1516 1.2.2.2 pgoyette (isc_stdtime_t) 0,
1517 1.2.2.2 pgoyette &rdataset, NULL);
1518 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
1519 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1520 1.2.2.2 pgoyette continue;
1521 1.2.2.2 pgoyette result = find_nsec3(&nsec3, &rdataset, nsec3param);
1522 1.2.2.2 pgoyette if (result == ISC_R_NOMORE) {
1523 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1524 1.2.2.2 pgoyette continue;
1525 1.2.2.2 pgoyette }
1526 1.2.2.2 pgoyette if (result != ISC_R_SUCCESS)
1527 1.2.2.2 pgoyette goto failure;
1528 1.2.2.2 pgoyette
1529 1.2.2.2 pgoyette /*
1530 1.2.2.2 pgoyette * Delete the old previous NSEC3.
1531 1.2.2.2 pgoyette */
1532 1.2.2.2 pgoyette CHECK(delnsec3(db, version, prev, nsec3param, diff));
1533 1.2.2.2 pgoyette
1534 1.2.2.2 pgoyette /*
1535 1.2.2.2 pgoyette * Fixup the previous NSEC3.
1536 1.2.2.2 pgoyette */
1537 1.2.2.2 pgoyette nsec3.next = nexthash;
1538 1.2.2.2 pgoyette nsec3.next_length = (unsigned char)next_length;
1539 1.2.2.2 pgoyette isc_buffer_init(&buffer, nsec3buf,
1540 1.2.2.2 pgoyette sizeof(nsec3buf));
1541 1.2.2.2 pgoyette CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1542 1.2.2.2 pgoyette dns_rdatatype_nsec3, &nsec3,
1543 1.2.2.2 pgoyette &buffer));
1544 1.2.2.2 pgoyette CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
1545 1.2.2.2 pgoyette prev, rdataset.ttl, &rdata,
1546 1.2.2.2 pgoyette &tuple));
1547 1.2.2.2 pgoyette CHECK(do_one_tuple(&tuple, db, version, diff));
1548 1.2.2.2 pgoyette dns_rdata_reset(&rdata);
1549 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1550 1.2.2.2 pgoyette break;
1551 1.2.2.2 pgoyette } while (pass < 2);
1552 1.2.2.2 pgoyette
1553 1.2.2.2 pgoyette INSIST(pass < 2);
1554 1.2.2.2 pgoyette
1555 1.2.2.2 pgoyette /*
1556 1.2.2.2 pgoyette * Delete the old NSEC3 and record the change.
1557 1.2.2.2 pgoyette */
1558 1.2.2.2 pgoyette CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1559 1.2.2.2 pgoyette } while (1);
1560 1.2.2.2 pgoyette
1561 1.2.2.2 pgoyette success:
1562 1.2.2.2 pgoyette result = ISC_R_SUCCESS;
1563 1.2.2.2 pgoyette
1564 1.2.2.2 pgoyette failure:
1565 1.2.2.2 pgoyette if (dbit != NULL)
1566 1.2.2.2 pgoyette dns_dbiterator_destroy(&dbit);
1567 1.2.2.2 pgoyette if (dns_rdataset_isassociated(&rdataset))
1568 1.2.2.2 pgoyette dns_rdataset_disassociate(&rdataset);
1569 1.2.2.2 pgoyette if (node != NULL)
1570 1.2.2.2 pgoyette dns_db_detachnode(db, &node);
1571 1.2.2.2 pgoyette return (result);
1572 1.2.2.2 pgoyette }
1573 1.2.2.2 pgoyette
/*
 * Remove the NSEC3 records for 'name' from the active NSEC3 chains of
 * 'db' (version 'version'), recording the changes in 'diff'.
 *
 * This is the convenience form of dns_nsec3_delnsec3sx() with no
 * private type, so only chains published in the zone's NSEC3PARAM
 * RRset are updated; chains still being built are left alone.
 */
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name,
		    dns_diff_t *diff)
{
	const dns_rdatatype_t noprivate = 0;
	isc_result_t result;

	result = dns_nsec3_delnsec3sx(db, version, name, noprivate, diff);
	return (result);
}
1581 1.2.2.2 pgoyette
/*
 * Remove the NSEC3 records that correspond to 'name' from every NSEC3
 * chain of 'db' (version 'version'), recording each change in 'diff'.
 *
 * Two sources of chain parameters are read at the zone origin:
 *   - the NSEC3PARAM RRset, of which only records with a zero flags
 *     field (active, completed chains) are processed; and
 *   - when 'privatetype' is non-zero, the private-type RRset, whose
 *     records encode NSEC3PARAM data for chains still being built.
 *     Records flagged DNS_NSEC3FLAG_REMOVE are skipped, as are those
 *     for which better_param() (defined earlier in this file) reports
 *     a preferable parameter set.
 * Each selected chain is handed to dns_nsec3_delnsec3().
 *
 * Returns ISC_R_SUCCESS, or the first error from the database, from
 * the rdata decoder or from dns_nsec3_delnsec3().  The origin node
 * reference and any associated rdataset are released before returning.
 */
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name,
		     dns_rdatatype_t privatetype, dns_diff_t *diff)
{
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	/*
	 * Find the NSEC3 parameters for this zone.
	 */
	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each active NSEC3 chain.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

		/*
		 * A non-zero flags field marks a chain that is not
		 * active (being created or removed); leave it alone.
		 */
		if (nsec3param.flags != 0)
			continue;
		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
	}
	dns_rdataset_disassociate(&rdataset);

 try_private:
	/*
	 * Without a private type there are no in-progress chains to
	 * consult; the NSEC3PARAM pass above is the whole job.
	 */
	if (privatetype == 0)
		goto success;
	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto success;
	if (result != ISC_R_SUCCESS)
		goto failure;

	/*
	 * Update each NSEC3 chain being built.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		/*
		 * Private-type records that do not decode to an
		 * NSEC3PARAM are unrelated to NSEC3 and are skipped.
		 */
		dns_rdataset_current(&rdataset, &rdata1);
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
						buf, sizeof(buf)))
			continue;
		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));

		/* A chain scheduled for removal has nothing to update. */
		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
			continue;
		/* Defer to a preferable parameter set for the same chain. */
		if (better_param(&rdataset, &rdata2))
			continue;

		/*
		 * We have an active chain. Update it.
		 */
		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
	}
	/*
	 * The label sits inside the 'if' on purpose: a 'goto success'
	 * skips the ISC_R_NOMORE test, while falling out of the loop
	 * above only reaches the assignment when iteration ended
	 * normally; any other result is returned as is.
	 */
	if (result == ISC_R_NOMORE)
 success:
		result = ISC_R_SUCCESS;

 failure:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);

	return (result);
}
1677 1.2.2.2 pgoyette
/*
 * Report in '*answer' whether 'db' (version 'version') has an active
 * NSEC3 chain.
 *
 * Convenience form of dns_nsec3_activex() with no private type, so only
 * chains published in the zone's NSEC3PARAM RRset are considered.
 * 'complete' is passed through unchanged.
 */
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
		 isc_boolean_t complete, isc_boolean_t *answer)
{
	const dns_rdatatype_t noprivate = 0;
	isc_result_t result;

	result = dns_nsec3_activex(db, version, complete, noprivate, answer);
	return (result);
}
1684 1.2.2.2 pgoyette
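/*
 * Report in '*answer' whether 'db' (version 'version') has an active
 * NSEC3 chain.
 *
 * A chain is active when the NSEC3PARAM RRset at the origin holds a
 * record with a zero flags field.  When 'privatetype' is non-zero and
 * 'complete' is false, a chain still being created also counts: a
 * private-type record at the origin that decodes to an NSEC3PARAM
 * with the CREATE flag set.  When 'complete' is true only finished
 * chains count.
 *
 * Returns ISC_R_SUCCESS with '*answer' set, or the database error that
 * stopped the lookup, in which case '*answer' may be left untouched.
 *
 * All exits go through 'cleanup' so that the origin node reference and
 * any associated rdataset are released on every path, including the
 * early "nothing more to check" return after the NSEC3PARAM scan.
 */
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
		  isc_boolean_t complete, dns_rdatatype_t privatetype,
		  isc_boolean_t *answer)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND)
		goto try_private;
	if (result != ISC_R_SUCCESS)
		goto cleanup;

	/*
	 * Look for a published chain whose flags are all clear; stopping
	 * early leaves 'result' at ISC_R_SUCCESS, which is the signal
	 * tested below.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		if (nsec3param.flags == 0)
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = ISC_TRUE;
		goto cleanup;
	}
	if (result == ISC_R_NOMORE)
		*answer = ISC_FALSE;

 try_private:
	/*
	 * No in-progress chains to consider: either there is no private
	 * type, or the caller only wants completed chains.  Release the
	 * origin node here as on every other path.
	 */
	if (privatetype == 0 || complete) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto cleanup;
	}
	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
		goto cleanup;
	}
	if (result != ISC_R_SUCCESS)
		goto cleanup;

	/*
	 * Look for a private-type record describing a chain under
	 * construction.  'complete' is known to be false on this path.
	 */
	for (result = dns_rdataset_first(&rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset)) {
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&rdataset, &rdata1);
		/* Private-type records that are not NSEC3PARAM are skipped. */
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
						buf, sizeof(buf)))
			continue;
		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		if (!complete && CREATE(nsec3param.flags))
			break;
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = ISC_TRUE;
	} else if (result == ISC_R_NOMORE) {
		*answer = ISC_FALSE;
		result = ISC_R_SUCCESS;
	}

 cleanup:
	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (node != NULL)
		dns_db_detachnode(db, &node);
	return (result);
}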
1780 1.2.2.2 pgoyette
/*
 * Compute the largest NSEC3 iteration count acceptable for 'db'
 * (version 'version') and store it in '*iterationsp'.
 *
 * The bound is derived from the smallest DNSKEY at the zone origin
 * using the size tiers of RFC 5155 section 10.3: 150 iterations for
 * keys of at most 1024 bits, 500 for at most 2048 bits, 2500 otherwise.
 * Keys are parsed with dst_key_fromdns(), which allocates from 'mctx'.
 * If the origin has no DNSKEY RRset the limit is 0.
 *
 * Returns ISC_R_SUCCESS, or the first error from the database or the
 * key parser; the DNSKEY rdataset is disassociated before returning.
 */
isc_result_t
dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
			isc_mem_t *mctx, unsigned int *iterationsp)
{
	dns_dbnode_t *node = NULL;
	dns_rdataset_t keyset;
	dst_key_t *key = NULL;
	isc_buffer_t keybuf;
	isc_result_t result;
	unsigned int smallest = 4096;

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS)
		return (result);

	dns_rdataset_init(&keyset);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
				     0, 0, &keyset, NULL);
	/* The node is only needed for the lookup; drop it right away. */
	dns_db_detachnode(db, &node);
	if (result == ISC_R_NOTFOUND) {
		*iterationsp = 0;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		goto cleanup;

	/*
	 * Walk the DNSKEY RRset and remember the smallest key size.
	 */
	result = dns_rdataset_first(&keyset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned int bits;

		dns_rdataset_current(&keyset, &rdata);
		isc_buffer_init(&keybuf, rdata.data, rdata.length);
		isc_buffer_add(&keybuf, rdata.length);
		result = dst_key_fromdns(dns_db_origin(db), keyset.rdclass,
					 &keybuf, mctx, &key);
		if (result != ISC_R_SUCCESS)
			goto cleanup;
		bits = dst_key_size(key);
		dst_key_free(&key);
		if (bits < smallest)
			smallest = bits;
		result = dns_rdataset_next(&keyset);
	}
	/* Anything but normal end-of-set is an iteration error. */
	if (result != ISC_R_NOMORE)
		goto cleanup;

	if (smallest <= 1024)
		*iterationsp = 150;
	else if (smallest <= 2048)
		*iterationsp = 500;
	else
		*iterationsp = 2500;
	result = ISC_R_SUCCESS;

 cleanup:
	if (dns_rdataset_isassociated(&keyset))
		dns_rdataset_disassociate(&keyset);
	return (result);
}
1838 1.2.2.2 pgoyette
/*
 * Examine one NSEC3 record -- the first rdata of 'nsec3set', owned by
 * 'nsec3name' -- and work out what it proves about 'name' with respect
 * to 'type'.
 *
 * The zone is recovered by stripping the hash label from 'nsec3name'.
 * If 'zonename' is empty or the recovered zone is below it, 'zonename'
 * is replaced with the recovered zone; a record from any other zone is
 * ignored.  Callers that pass NULL for both 'exists' and 'data' only
 * want this zone discovery and get ISC_R_SUCCESS as soon as the zone
 * matches.
 *
 * Otherwise the NSEC3 hash of 'name', and of each of its ancestors up
 * to the zone apex, is compared with the record's owner hash and next
 * hash:
 *   - an owner-hash match on 'name' itself proves the name exists and
 *     sets '*exists' and '*data' (whether 'type' is in the type bitmap);
 *   - an owner-hash match on an ancestor makes that ancestor a
 *     candidate closest encloser ('*closest', '*setclosest');
 *   - a hash that falls between owner and next proves that name does
 *     not exist, records it as a candidate next closer name
 *     ('*nearest', '*setnearest') and reports the record's opt-out
 *     flag through '*optout'.
 * '*unknown' is set when the hash algorithm is unsupported, and only
 * once the record is known to come from the deepest covering zone.
 *
 * Pointer pairs (exists/data, setclosest/closest, setnearest/nearest)
 * must be both NULL or both non-NULL.  Progress is reported through
 * 'logit', which receives 'arg'.
 *
 * Returns ISC_R_SUCCESS when the record proved something (the output
 * flags are then valid), ISC_R_IGNORE when the record is not
 * applicable, or an error from the rdata or base32hex decoders.
 */
isc_result_t
dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
			dns_name_t *zonename, isc_boolean_t *exists,
			isc_boolean_t *data, isc_boolean_t *optout,
			isc_boolean_t *unknown, isc_boolean_t *setclosest,
			isc_boolean_t *setnearest, dns_name_t *closest,
			dns_name_t *nearest, dns_nseclog_t logit, void *arg)
{
	char namebuf[DNS_NAME_FORMATSIZE];
	dns_fixedname_t fzone;
	dns_fixedname_t qfixed;
	dns_label_t hashlabel;
	dns_name_t *qname;
	dns_name_t *zone;
	dns_rdata_nsec3_t nsec3;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	int order;
	int scope;
	isc_boolean_t atparent;
	isc_boolean_t first;
	isc_boolean_t ns;
	isc_boolean_t soa;
	isc_buffer_t buffer;
	isc_result_t answer = ISC_R_IGNORE;
	isc_result_t result;
	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
	unsigned int length;
	unsigned int qlabels;
	unsigned int zlabels;

	REQUIRE((exists == NULL && data == NULL) ||
		(exists != NULL && data != NULL));
	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
	REQUIRE((setclosest == NULL && closest == NULL) ||
		(setclosest != NULL && closest != NULL));
	REQUIRE((setnearest == NULL && nearest == NULL) ||
		(setnearest != NULL && nearest != NULL));

	/*
	 * Only the first rdata of the set is examined.
	 */
	result = dns_rdataset_first(nsec3set);
	if (result != ISC_R_SUCCESS) {
		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
		return (result);
	}

	dns_rdataset_current(nsec3set, &rdata);

	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
	if (result != ISC_R_SUCCESS)
		return (result);

	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");

	zone = dns_fixedname_initname(&fzone);
	zlabels = dns_name_countlabels(nsec3name);

	/*
	 * NSEC3 records must have two or more labels to be valid.
	 */
	if (zlabels < 2)
		return (ISC_R_IGNORE);

	/*
	 * Strip off the NSEC3 hash to get the zone.
	 */
	zlabels--;
	dns_name_split(nsec3name, zlabels, NULL, zone);

	/*
	 * If not below the zone name we can ignore this record.
	 */
	if (!dns_name_issubdomain(name, zone))
		return (ISC_R_IGNORE);

	/*
	 * Is this zone the same or deeper than the current zone?
	 * If so it becomes the zone of record for the caller.
	 */
	if (dns_name_countlabels(zonename) == 0 ||
	    dns_name_issubdomain(zone, zonename))
		dns_name_copy(zone, zonename, NULL);

	if (!dns_name_equal(zone, zonename))
		return (ISC_R_IGNORE);

	/*
	 * Are we only looking for the most enclosing zone?
	 */
	if (exists == NULL || data == NULL)
		return (ISC_R_SUCCESS);

	/*
	 * Only set unknown once we are sure that this NSEC3 is from
	 * the deepest covering zone.
	 */
	if (!dns_nsec3_supportedhash(nsec3.hash)) {
		if (unknown != NULL)
			*unknown = ISC_TRUE;
		return (ISC_R_IGNORE);
	}

	/*
	 * Recover the hash from the first label: skip the label's
	 * leading length octet and base32hex-decode the rest.
	 */
	dns_name_getlabel(nsec3name, 0, &hashlabel);
	isc_region_consume(&hashlabel, 1);
	isc_buffer_init(&buffer, owner, sizeof(owner));
	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
	if (result != ISC_R_SUCCESS)
		return (result);

	/*
	 * The hash lengths should match. If not ignore the record.
	 */
	if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
		return (ISC_R_IGNORE);

	/*
	 * Work out what this NSEC3 covers.
	 * Inside (<0): owner < next, the record spans (owner, next).
	 * Outside (>=0): the record is the last in the chain and
	 * wraps around, covering everything above owner or below next.
	 */
	scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);

	/*
	 * Prepare to compute all the hashes.  The query name is
	 * downcased so hashing matches the canonical form.
	 */
	qname = dns_fixedname_initname(&qfixed);
	dns_name_downcase(name, qname, NULL);
	qlabels = dns_name_countlabels(qname);
	first = ISC_TRUE;

	/*
	 * Walk from 'name' up to the zone apex, one label at a time,
	 * hashing each ancestor and testing it against the record.
	 */
	while (qlabels >= zlabels) {
		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
					   nsec3.salt, nsec3.salt_length,
					   qname->ndata, qname->length);
		/*
		 * The computed hash length should match.
		 */
		if (length != nsec3.next_length) {
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring NSEC bad length %u vs %u",
				 length, nsec3.next_length);
			return (ISC_R_IGNORE);
		}

		order = isc_safe_memcompare(hash, owner, length);
		if (first && order == 0) {
			/*
			 * The hashes are the same: the record is for
			 * 'name' itself.
			 */
			atparent = dns_rdatatype_atparent(type);
			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
			if (ns && !soa) {
				if (!atparent) {
					/*
					 * This NSEC3 record is from somewhere
					 * higher in the DNS, and at the
					 * parent of a delegation. It can not
					 * be legitimately used here.
					 */
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "ignoring parent NSEC3");
					return (ISC_R_IGNORE);
				}
			} else if (atparent && ns && soa) {
				/*
				 * This NSEC3 record is from the child.
				 * It can not be legitimately used here.
				 */
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "ignoring child NSEC3");
				return (ISC_R_IGNORE);
			}
			/*
			 * When a CNAME is present at the name, only the
			 * listed types can still be judged from the type
			 * bitmap; for anything else the CNAME answer is
			 * what matters, so this record is not usable.
			 */
			if (type == dns_rdatatype_cname ||
			    type == dns_rdatatype_nxt ||
			    type == dns_rdatatype_nsec ||
			    type == dns_rdatatype_key ||
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
				*exists = ISC_TRUE;
				*data = dns_nsec3_typepresent(&rdata, type);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 proves name exists (owner) "
					 "data=%d", *data);
				return (ISC_R_SUCCESS);
			}
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves CNAME exists");
			return (ISC_R_IGNORE);
		}

		if (order == 0 &&
		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
		{
			/*
			 * This NSEC3 record is from somewhere higher in
			 * the DNS, and at the parent of a delegation.
			 * It can not be legitimately used here.
			 */
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring parent NSEC3");
			return (ISC_R_IGNORE);
		}

		/*
		 * Potential closest encloser: an ancestor whose hash
		 * matches the owner.  Only accept it if it is deeper
		 * than any previous candidate and is not a delegation
		 * point or DNAME (those cannot enclose 'name').
		 */
		if (order == 0) {
			if (closest != NULL &&
			    (dns_name_countlabels(closest) == 0 ||
			     dns_name_issubdomain(qname, closest)) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
			{

				dns_name_format(qname, namebuf,
						sizeof(namebuf));
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 indicates potential closest "
					 "encloser: '%s'", namebuf);
				dns_name_copy(qname, closest, NULL);
				*setclosest = ISC_TRUE;
			}
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 at super-domain %s", namebuf);
			return (answer);
		}

		/*
		 * Find if the name does not exist.
		 *
		 * We continue as we need to find the name closest to the
		 * closest encloser that doesn't exist.
		 *
		 * We also need to continue to ensure that we are not
		 * proving the non-existence of a record in a sub-zone.
		 * If that would be the case we will return ISC_R_IGNORE
		 * above.
		 *
		 * The hash is covered when it lies strictly between
		 * owner and next (scope < 0), or, for the wrap-around
		 * record (scope >= 0), when it is above owner or below
		 * next.
		 *
		 * NOTE(review): the comparisons against nsec3.next use
		 * memcmp() while the owner comparisons above use
		 * isc_safe_memcompare(); confirm the difference is
		 * intentional.
		 */
		if ((scope < 0 && order > 0 &&
		     memcmp(hash, nsec3.next, length) < 0) ||
		    (scope >= 0 && (order > 0 ||
				    memcmp(hash, nsec3.next, length) < 0)))
		{
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC3 proves "
				 "name does not exist: '%s'", namebuf);
			/*
			 * Record the candidate next closer name unless a
			 * deeper one has already been found.
			 */
			if (nearest != NULL &&
			    (dns_name_countlabels(nearest) == 0 ||
			     dns_name_issubdomain(nearest, qname))) {
				dns_name_copy(qname, nearest, NULL);
				*setnearest = ISC_TRUE;
			}

			*exists = ISC_FALSE;
			*data = ISC_FALSE;
			if (optout != NULL) {
				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "NSEC3 indicates optout");
				else
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "NSEC3 indicates secure range");
				*optout =
				    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
			}
			answer = ISC_R_SUCCESS;
		}

		/*
		 * Move up one label and try the parent name.
		 */
		qlabels--;
		if (qlabels > 0)
			dns_name_split(qname, qlabels, NULL, qname);
		first = ISC_FALSE;
	}
	return (answer);
}