nsec3.c revision 1.7 1 1.5 christos /* $NetBSD: nsec3.c,v 1.7 2021/02/19 16:42:16 christos Exp $ */
2 1.1 christos
3 1.1 christos /*
4 1.1 christos * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 1.1 christos *
6 1.1 christos * This Source Code Form is subject to the terms of the Mozilla Public
7 1.1 christos * License, v. 2.0. If a copy of the MPL was not distributed with this
8 1.7 christos * file, you can obtain one at https://mozilla.org/MPL/2.0/.
9 1.1 christos *
10 1.1 christos * See the COPYRIGHT file distributed with this work for additional
11 1.1 christos * information regarding copyright ownership.
12 1.1 christos */
13 1.1 christos
14 1.3 christos #include <inttypes.h>
15 1.3 christos #include <stdbool.h>
16 1.3 christos
17 1.1 christos #include <isc/base32.h>
18 1.1 christos #include <isc/buffer.h>
19 1.1 christos #include <isc/hex.h>
20 1.1 christos #include <isc/iterated_hash.h>
21 1.3 christos #include <isc/md.h>
22 1.7 christos #include <isc/nonce.h>
23 1.6 christos #include <isc/safe.h>
24 1.1 christos #include <isc/string.h>
25 1.1 christos #include <isc/util.h>
26 1.1 christos
27 1.6 christos #include <dns/compress.h>
28 1.1 christos #include <dns/db.h>
29 1.1 christos #include <dns/dbiterator.h>
30 1.1 christos #include <dns/diff.h>
31 1.1 christos #include <dns/fixedname.h>
32 1.1 christos #include <dns/nsec.h>
33 1.1 christos #include <dns/nsec3.h>
34 1.1 christos #include <dns/rdata.h>
35 1.1 christos #include <dns/rdatalist.h>
36 1.1 christos #include <dns/rdataset.h>
37 1.1 christos #include <dns/rdatasetiter.h>
38 1.1 christos #include <dns/rdatastruct.h>
39 1.1 christos #include <dns/result.h>
40 1.6 christos #include <dns/zone.h>
41 1.6 christos
42 1.6 christos #include <dst/dst.h>
43 1.1 christos
/*
 * Evaluate 'x', store its isc_result_t in the enclosing function's local
 * 'result' and jump to its 'failure:' label on anything other than
 * ISC_R_SUCCESS.  Callers must therefore declare 'result' and provide a
 * 'failure:' label that releases whatever has been acquired so far.
 */
#define CHECK(x) \
	do { \
		result = (x); \
		if (result != ISC_R_SUCCESS) \
			goto failure; \
	} while (/*CONSTCOND*/0)

/*
 * Tests on an NSEC3/NSEC3PARAM flags octet (wire byte 1 of the RDATA, or
 * the 'flags' field of the decoded struct).  OPTOUT is the on-the-wire
 * RFC 5155 flag; CREATE, INITIAL and REMOVE are BIND's chain-management
 * flags carried in private-type records.
 */
#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0)
#define CREATE(x) (((x)&DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0)
#define REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0)
55 1.1 christos
/*
 * Build NSEC3 RDATA into 'buffer' and point 'rdata' at it.
 *
 * The fixed fields (hash algorithm, flags, iterations, salt, next hashed
 * owner name) are copied from the arguments.  The type bitmap is derived
 * from the rdatasets present at 'node' in 'version' of 'db'; when 'node'
 * is NULL (an empty non-terminal) the bitmap is empty.  NSEC, NSEC3 and
 * RRSIG types found at the node are never copied into the bitmap: the
 * RRSIG bit is set only by the rule spelled out in the loop below, and
 * at a delegation point every type that is not authoritative at a zone
 * cut is cleared again.
 *
 * Requires:
 * \li 'buffer' points to at least DNS_NSEC3_BUFFERSIZE bytes.
 * \li 'salt_length', 'hash_length', 'flags' and 'hashalg' fit in one
 *     octet and 'iterations' in two (enforced with REQUIRE).
 * \li for SHA-1, 'hash_length' is exactly ISC_SHA1_DIGESTLENGTH.
 *
 * Returns:
 * \li ISC_R_SUCCESS, or the error from dns_db_allrdatasets() / the
 *     rdataset iterator.
 */
isc_result_t
dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
		     unsigned int hashalg, unsigned int flags,
		     unsigned int iterations, const unsigned char *salt,
		     size_t salt_length, const unsigned char *nexthash,
		     size_t hash_length, unsigned char *buffer,
		     dns_rdata_t *rdata) {
	isc_result_t result;
	dns_rdataset_t rdataset;
	isc_region_t r;
	unsigned int i;
	bool found;
	bool found_ns;
	bool need_rrsig;

	unsigned char *nsec_bits, *bm;
	unsigned int max_type;
	dns_rdatasetiter_t *rdsiter;
	unsigned char *p;

	/*
	 * Every field below is written with a fixed-width wire encoding;
	 * reject values that would be silently truncated.
	 */
	REQUIRE(salt_length < 256U);
	REQUIRE(hash_length < 256U);
	REQUIRE(flags <= 0xffU);
	REQUIRE(hashalg <= 0xffU);
	REQUIRE(iterations <= 0xffffU);

	/* SHA-1 is the only algorithm with a known digest size here. */
	switch (hashalg) {
	case dns_hash_sha1:
		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
		break;
	}

	/* Zero the whole buffer: the raw bitmap below relies on it. */
	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);

	p = buffer;

	*p++ = hashalg;
	*p++ = flags;

	/* Iterations are a 16-bit big-endian count. */
	*p++ = iterations >> 8;
	*p++ = iterations;

	*p++ = (unsigned char)salt_length;
	memmove(p, salt, salt_length);
	p += salt_length;

	*p++ = (unsigned char)hash_length;
	memmove(p, nexthash, hash_length);
	p += hash_length;

	r.length = (unsigned int)(p - buffer);
	r.base = buffer;

	/*
	 * The type bitmap is first accumulated as a raw, one-bit-per-type
	 * array ('bm') placed 512 bytes past the fixed fields, i.e. with
	 * room in between for the window number and length octets of all
	 * 256 possible windows.  dns_nsec_compressbitmap() later packs the
	 * raw bits into their final form at 'nsec_bits', in place.
	 *
	 * NOTE(review): nothing here bounds-checks dns_nsec_setbit() writes
	 * against the end of 'buffer'; it relies on DNS_NSEC3_BUFFERSIZE
	 * covering the fixed fields plus 512 plus a full 8192-byte raw
	 * bitmap.  Worth confirming against the constant in nsec3.h.
	 */
	bm = r.base + r.length + 512;
	nsec_bits = r.base + r.length;
	max_type = 0;
	if (node == NULL) {
		goto collapse_bitmap;
	}
	dns_rdataset_init(&rdataset);
	rdsiter = NULL;
	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}
	found = found_ns = need_rrsig = false;
	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter))
	{
		dns_rdatasetiter_current(rdsiter, &rdataset);
		/*
		 * Denial-of-existence types and signatures at the node are
		 * not copied; they are reconstructed by the rules below.
		 */
		if (rdataset.type != dns_rdatatype_nsec &&
		    rdataset.type != dns_rdatatype_nsec3 &&
		    rdataset.type != dns_rdatatype_rrsig)
		{
			if (rdataset.type > max_type) {
				max_type = rdataset.type;
			}
			dns_nsec_setbit(bm, rdataset.type, 1);
			/*
			 * Work out if we need to set the RRSIG bit for
			 * this node. We set the RRSIG bit if either of
			 * the following conditions are met:
			 * 1) We have a SOA or DS then we need to set
			 * the RRSIG bit as both always will be signed.
			 * 2) We set the RRSIG bit if we don't have
			 * a NS record but do have other data.
			 * (A bare NS RRset is a delegation and is not
			 * signed in the parent.)
			 */
			if (rdataset.type == dns_rdatatype_soa ||
			    rdataset.type == dns_rdatatype_ds) {
				need_rrsig = true;
			} else if (rdataset.type == dns_rdatatype_ns) {
				found_ns = true;
			} else {
				found = true;
			}
		}
		dns_rdataset_disassociate(&rdataset);
	}
	if ((found && !found_ns) || need_rrsig) {
		if (dns_rdatatype_rrsig > max_type) {
			max_type = dns_rdatatype_rrsig;
		}
		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
	}

	/*
	 * At zone cuts (NS present, SOA absent), deny the existence of
	 * glue in the parent zone: clear every type that is not
	 * authoritative at a delegation point, as decided by
	 * dns_rdatatype_iszonecutauth().  'max_type' is not lowered, so
	 * the compressed bitmap may still cover (now empty) windows.
	 */
	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
	    !dns_nsec_isset(bm, dns_rdatatype_soa))
	{
		for (i = 0; i <= max_type; i++) {
			if (dns_nsec_isset(bm, i) &&
			    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i)) {
				dns_nsec_setbit(bm, i, 0);
			}
		}
	}

	/* Only ISC_R_NOMORE is the normal way out of the iteration. */
	dns_rdatasetiter_destroy(&rdsiter);
	if (result != ISC_R_NOMORE) {
		return (result);
	}

collapse_bitmap:
	/* Pack the raw bitmap into window format directly after the fixed fields. */
	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
	r.length = (unsigned int)(nsec_bits - r.base);
	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);

	return (ISC_R_SUCCESS);
}
192 1.1 christos
/*
 * Report whether 'type' is set in the type bitmap of the NSEC3 record
 * 'rdata'.  Windows are scanned in order; the scan stops as soon as a
 * window beyond the one that could hold 'type' is reached.
 *
 * Requires:
 * \li 'rdata' is a non-NULL NSEC3 rdata that has already been validated
 *     (dns_rdata_tostruct() is expected to succeed and the window blocks
 *     to be well formed; both are checked with INSIST).
 */
bool
dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
	dns_rdata_nsec3_t nsec3;
	isc_result_t result;
	bool found = false;
	unsigned int pos = 0;

	REQUIRE(rdata != NULL);
	REQUIRE(rdata->type == dns_rdatatype_nsec3);

	/* Already wire-validated, so a failure here is a programming error. */
	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
	INSIST(result == ISC_R_SUCCESS);

	while (pos < nsec3.len) {
		unsigned int window, blocklen, base;

		INSIST(pos + 2 <= nsec3.len);
		window = nsec3.typebits[pos];
		blocklen = nsec3.typebits[pos + 1];
		INSIST(blocklen > 0 && blocklen <= 32);
		pos += 2;
		INSIST(pos + blocklen <= nsec3.len);

		base = window * 256;
		if (base > type) {
			/* Windows ascend; 'type' would have appeared already. */
			break;
		}
		if (base + 256 <= type) {
			/* 'type' belongs to a later window: skip this block. */
			pos += blocklen;
			continue;
		}
		/*
		 * This is the window for 'type'.  The bit is present only
		 * if the (possibly truncated) block actually reaches it.
		 */
		if (type < base + blocklen * 8) {
			found = dns_nsec_isset(&nsec3.typebits[pos],
					       type % 256);
		}
		break;
	}
	dns_rdata_freestruct(&nsec3);
	return (found);
}
230 1.1 christos
/*
 * Fill 'salt' with 'saltlen' random octets for use as an NSEC3 salt,
 * drawing them from the library nonce source (isc/nonce.h).
 *
 * Returns ISC_R_RANGE when 'saltlen' cannot be represented in the
 * one-octet salt length field, otherwise ISC_R_SUCCESS.  A zero-length
 * salt is accepted; current guidance (RFC 9276) in fact recommends an
 * empty salt, since the salt adds no real protection against offline
 * dictionary attacks on the hashed names.
 */
isc_result_t
dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen) {
	if (saltlen >= 256U) {
		return (ISC_R_RANGE);
	}
	isc_nonce_buf(salt, saltlen);
	return (ISC_R_SUCCESS);
}
239 1.7 christos
/*
 * Compute the NSEC3 hashed owner name of 'name' under 'origin'.
 *
 * The hash input is the lower-cased wire form of 'name'; the digest is
 * produced by isc_iterated_hash() with 'hashalg', 'iterations' and the
 * salt, then encoded as unpadded base32hex and appended to 'origin' to
 * form the owner name in '*result'.
 *
 * If 'rethash' is non-NULL the raw digest is also written there (the
 * buffer is zeroed first); if 'hash_length' is non-NULL it receives the
 * digest length.  The work done is proportional to 'iterations'; this
 * function does not cap it, so callers that hash on behalf of untrusted
 * input are expected to enforce their own limit.
 *
 * Returns DNS_R_BADALG if isc_iterated_hash() produces nothing for
 * 'hashalg', otherwise the result of dns_name_fromtext().
 */
isc_result_t
dns_nsec3_hashname(dns_fixedname_t *result,
		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
		   size_t *hash_length, const dns_name_t *name,
		   const dns_name_t *origin, dns_hash_t hashalg,
		   unsigned int iterations, const unsigned char *salt,
		   size_t saltlength) {
	unsigned char scratch[NSEC3_MAX_HASH_LENGTH];
	unsigned char text[DNS_NAME_FORMATSIZE];
	dns_fixedname_t lowered;
	dns_name_t *lowername;
	isc_buffer_t textbuf;
	isc_region_t digest;
	size_t digestlen;
	unsigned char *out = (rethash != NULL) ? rethash : scratch;

	memset(out, 0, NSEC3_MAX_HASH_LENGTH);

	/* Canonical (lower-case) form is what RFC 5155 hashes. */
	lowername = dns_fixedname_initname(&lowered);
	dns_name_downcase(name, lowername, NULL);

	digestlen = isc_iterated_hash(out, hashalg, iterations, salt,
				      (int)saltlength, lowername->ndata,
				      lowername->length);
	if (digestlen == 0U) {
		return (DNS_R_BADALG);
	}
	if (hash_length != NULL) {
		*hash_length = digestlen;
	}

	/*
	 * Unpadded base32hex, no line breaks.  The return value is not
	 * checked, as before: 'text' is DNS_NAME_FORMATSIZE bytes, which
	 * is presumably ample for NSEC3_MAX_HASH_LENGTH digest bytes.
	 */
	digest.base = out;
	digest.length = (unsigned int)digestlen;
	isc_buffer_init(&textbuf, text, sizeof(text));
	isc_base32hexnp_totext(&digest, 1, "", &textbuf);

	/* Turn the text into a name relative to 'origin'. */
	dns_fixedname_init(result);
	return (dns_name_fromtext(dns_fixedname_name(result), &textbuf,
				  origin, 0, NULL));
}
287 1.1 christos
/*
 * Return the digest length for NSEC3 hash algorithm 'hash', or 0 if the
 * algorithm is unknown.  SHA-1 is the only algorithm defined by RFC 5155.
 */
unsigned int
dns_nsec3_hashlength(dns_hash_t hash) {
	return ((hash == dns_hash_sha1) ? ISC_SHA1_DIGESTLENGTH : 0);
}
296 1.1 christos
/*
 * Return true iff 'hash' is an NSEC3 hash algorithm this code can
 * compute (currently SHA-1 only).
 */
bool
dns_nsec3_supportedhash(dns_hash_t hash) {
	return (hash == dns_hash_sha1);
}
305 1.1 christos
/*%
 * Apply a single difftuple to version 'ver' of 'db' and, on success,
 * record it in the caller's pending 'diff'.
 *
 * Ownership: on success the tuple is handed to 'diff'
 * (dns_diff_appendminimal); on failure it is freed here.  Either way
 * the caller's '*tuple' is expected to be NULL afterwards.
 */
static isc_result_t
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
	     dns_diff_t *diff) {
	dns_diff_t single;
	isc_result_t result;

	/* Wrap the tuple in a one-element diff and apply that. */
	dns_diff_init(diff->mctx, &single);
	ISC_LIST_APPEND(single.tuples, *tuple, link);
	result = dns_diff_apply(&single, db, ver);
	ISC_LIST_UNLINK(single.tuples, *tuple, link);

	if (result == ISC_R_SUCCESS) {
		/* Merge into the pending journal entry. */
		dns_diff_appendminimal(diff, tuple);
	} else {
		/* Nobody else owns it any more. */
		dns_difftuple_free(tuple);
	}

	/* 'single' is now empty; it is deliberately not cleared. */
	return (result);
}
346 1.1 christos
/*%
 * Set '*exists' to true iff 'name' has at least one rdataset in
 * 'version' of 'db', to false otherwise.  A node that is present in the
 * tree but carries no rdatasets in this version does not count.
 *
 * Returns ISC_R_SUCCESS when '*exists' has been set, otherwise the
 * underlying database error ('*exists' is then untouched if
 * dns_db_allrdatasets() failed).
 */
static isc_result_t
name_exists(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	    bool *exists) {
	isc_result_t result;
	dns_dbnode_t *node = NULL;
	dns_rdatasetiter_t *iter = NULL;

	result = dns_db_findnode(db, name, false, &node);
	switch (result) {
	case ISC_R_NOTFOUND:
		*exists = false;
		return (ISC_R_SUCCESS);
	case ISC_R_SUCCESS:
		break;
	default:
		return (result);
	}

	result = dns_db_allrdatasets(db, node, version, (isc_stdtime_t)0,
				     &iter);
	if (result == ISC_R_SUCCESS) {
		/* Existence means "the iterator yields something". */
		result = dns_rdatasetiter_first(iter);
		*exists = (result == ISC_R_SUCCESS);
		if (result == ISC_R_NOMORE) {
			result = ISC_R_SUCCESS;
		}
		dns_rdatasetiter_destroy(&iter);
	}

	dns_db_detachnode(db, &node);
	return (result);
}
387 1.1 christos
/*%
 * Return true iff the NSEC3 record 'nsec3' belongs to the chain described
 * by 'nsec3param': same hash algorithm, iteration count and salt.
 * Flags are deliberately not compared.
 */
static bool
match_nsec3param(const dns_rdata_nsec3_t *nsec3,
		 const dns_rdata_nsec3param_t *nsec3param) {
	if (nsec3->hash != nsec3param->hash) {
		return (false);
	}
	if (nsec3->iterations != nsec3param->iterations) {
		return (false);
	}
	if (nsec3->salt_length != nsec3param->salt_length) {
		return (false);
	}
	/* Lengths agree, so comparing nsec3->salt_length bytes is in bounds. */
	return (memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length) == 0);
}
400 1.1 christos
/*%
 * Delete every NSEC3 record at hashed owner 'name' that belongs to the
 * chain described by 'nsec3param', applying each deletion to 'version'
 * of 'db' and recording it in 'diff'.  NSEC3 records of other chains at
 * the same name are left alone.
 *
 * A missing node or a missing NSEC3 RRset is not an error.
 */
static isc_result_t
delnsec3(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
	dns_dbnode_t *node = NULL;
	dns_rdataset_t nsec3set;
	isc_result_t result;

	result = dns_db_findnsec3node(db, name, false, &node);
	if (result == ISC_R_NOTFOUND) {
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	dns_rdataset_init(&nsec3set);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
				     (isc_stdtime_t)0, &nsec3set, NULL);
	if (result != ISC_R_SUCCESS) {
		/* Nothing to delete is fine; anything else is reported. */
		if (result == ISC_R_NOTFOUND) {
			result = ISC_R_SUCCESS;
		}
		dns_db_detachnode(db, &node);
		return (result);
	}

	result = dns_rdataset_first(&nsec3set);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;
		dns_rdata_nsec3_t nsec3;
		dns_difftuple_t *tuple = NULL;

		dns_rdataset_current(&nsec3set, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
		if (result != ISC_R_SUCCESS) {
			break;
		}
		if (match_nsec3param(&nsec3, nsec3param)) {
			/* One DEL tuple per matching record. */
			result = dns_difftuple_create(diff->mctx,
						      DNS_DIFFOP_DEL, name,
						      nsec3set.ttl, &rdata,
						      &tuple);
			if (result != ISC_R_SUCCESS) {
				break;
			}
			result = do_one_tuple(&tuple, db, version, diff);
			if (result != ISC_R_SUCCESS) {
				break;
			}
		}
		result = dns_rdataset_next(&nsec3set);
	}
	/* Exhausting the RRset is the normal exit. */
	if (result == ISC_R_NOMORE) {
		result = ISC_R_SUCCESS;
	}

	dns_rdataset_disassociate(&nsec3set);
	dns_db_detachnode(db, &node);
	return (result);
}
467 1.1 christos
/*%
 * Decide whether 'param' (an NSEC3PARAM-shaped rdata, possibly unwrapped
 * from a private-type record) is superseded by something already in
 * 'nsec3paramset'.
 *
 * Returns true if 'param' itself is flagged REMOVE, or if the set holds
 * a non-REMOVE record for the same chain (same length, hash algorithm,
 * iterations, salt length and salt) that is flagged CREATE while 'param'
 * is not.  Returns false otherwise, including when iteration stops early.
 *
 * NOTE(review): 'param->data[1]' and bytes 0..4 plus the salt are read
 * without a length check; this assumes 'param' is a well-formed record
 * (length >= 5 + salt length) as produced by the callers.
 */
static bool
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
	dns_rdataset_t it;
	isc_result_t result;
	bool better = false;

	/* A removal request always takes precedence. */
	if (REMOVE(param->data[1])) {
		return (true);
	}

	dns_rdataset_init(&it);
	dns_rdataset_clone(nsec3paramset, &it);
	for (result = dns_rdataset_first(&it); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&it))
	{
		dns_rdata_t cur = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		if (it.type == dns_rdatatype_nsec3param) {
			dns_rdataset_current(&it, &cur);
		} else {
			/* Private-type record: unwrap into NSEC3PARAM form. */
			dns_rdata_t wrapped = DNS_RDATA_INIT;
			dns_rdataset_current(&it, &wrapped);
			if (!dns_nsec3param_fromprivate(&wrapped, &cur, buf,
							sizeof(buf))) {
				continue;
			}
		}

		/*
		 * Only records describing the same chain, and not
		 * themselves being removed, can supersede 'param'.
		 * Byte 1 is the flags octet and is compared only for REMOVE.
		 */
		if (cur.length != param->length ||
		    cur.data[0] != param->data[0] || REMOVE(cur.data[1]) ||
		    cur.data[2] != param->data[2] ||
		    cur.data[3] != param->data[3] ||
		    cur.data[4] != param->data[4] ||
		    memcmp(&cur.data[5], &param->data[5], param->data[4]) != 0)
		{
			continue;
		}
		if (CREATE(cur.data[1]) && !CREATE(param->data[1])) {
			better = true;
			break;
		}
	}
	dns_rdataset_disassociate(&it);
	return (better);
}
515 1.1 christos
/*%
 * Scan 'rdataset' (an NSEC3 RRset) for the first record belonging to the
 * chain described by 'nsec3param' and decode it into '*nsec3'.
 *
 * Returns ISC_R_SUCCESS with '*nsec3' filled in when a match is found,
 * ISC_R_NOMORE when the RRset is exhausted, or the dns_rdata_tostruct()
 * error.  The struct is decoded with a NULL mctx, so its pointer fields
 * presumably alias the RRset's storage: callers should copy what they
 * need (as dns_nsec3_addnsec3 does with 'next') before disassociating
 * 'rdataset'.
 */
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
	   const dns_rdata_nsec3param_t *nsec3param) {
	isc_result_t result = dns_rdataset_first(rdataset);

	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, nsec3, NULL);
		if (result != ISC_R_SUCCESS) {
			break;
		}
		dns_rdata_reset(&rdata);
		if (match_nsec3param(nsec3, nsec3param)) {
			/* Leave 'result' as ISC_R_SUCCESS for the caller. */
			break;
		}
		result = dns_rdataset_next(rdataset);
	}
	return (result);
}
535 1.1 christos
536 1.1 christos isc_result_t
537 1.1 christos dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
538 1.1 christos const dns_name_t *name,
539 1.6 christos const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl,
540 1.6 christos bool unsecure, dns_diff_t *diff) {
541 1.1 christos dns_dbiterator_t *dbit = NULL;
542 1.1 christos dns_dbnode_t *node = NULL;
543 1.1 christos dns_dbnode_t *newnode = NULL;
544 1.1 christos dns_difftuple_t *tuple = NULL;
545 1.1 christos dns_fixedname_t fixed;
546 1.1 christos dns_fixedname_t fprev;
547 1.1 christos dns_hash_t hash;
548 1.1 christos dns_name_t *hashname;
549 1.1 christos dns_name_t *origin;
550 1.1 christos dns_name_t *prev;
551 1.1 christos dns_name_t empty;
552 1.1 christos dns_rdata_nsec3_t nsec3;
553 1.1 christos dns_rdata_t rdata = DNS_RDATA_INIT;
554 1.1 christos dns_rdataset_t rdataset;
555 1.1 christos int pass;
556 1.3 christos bool exists = false;
557 1.3 christos bool maybe_remove_unsecure = false;
558 1.3 christos uint8_t flags;
559 1.1 christos isc_buffer_t buffer;
560 1.1 christos isc_result_t result;
561 1.1 christos unsigned char *old_next;
562 1.1 christos unsigned char *salt;
563 1.1 christos unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
564 1.1 christos unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
565 1.1 christos unsigned int iterations;
566 1.1 christos unsigned int labels;
567 1.1 christos size_t next_length;
568 1.1 christos unsigned int old_length;
569 1.1 christos unsigned int salt_length;
570 1.1 christos
571 1.1 christos hashname = dns_fixedname_initname(&fixed);
572 1.1 christos prev = dns_fixedname_initname(&fprev);
573 1.1 christos
574 1.1 christos dns_rdataset_init(&rdataset);
575 1.1 christos
576 1.1 christos origin = dns_db_origin(db);
577 1.1 christos
578 1.1 christos /*
579 1.1 christos * Chain parameters.
580 1.1 christos */
581 1.1 christos hash = nsec3param->hash;
582 1.1 christos iterations = nsec3param->iterations;
583 1.1 christos salt_length = nsec3param->salt_length;
584 1.1 christos salt = nsec3param->salt;
585 1.1 christos
586 1.1 christos /*
587 1.1 christos * Default flags for a new chain.
588 1.1 christos */
589 1.1 christos flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
590 1.1 christos
591 1.1 christos /*
592 1.1 christos * If this is the first NSEC3 in the chain nexthash will
593 1.1 christos * remain pointing to itself.
594 1.1 christos */
595 1.1 christos next_length = sizeof(nexthash);
596 1.6 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
597 1.6 christos hash, iterations, salt, salt_length));
598 1.1 christos INSIST(next_length <= sizeof(nexthash));
599 1.1 christos
600 1.1 christos /*
601 1.1 christos * Create the node if it doesn't exist and hold
602 1.1 christos * a reference to it until we have added the NSEC3.
603 1.1 christos */
604 1.3 christos CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
605 1.1 christos
606 1.1 christos /*
607 1.1 christos * Seek the iterator to the 'newnode'.
608 1.1 christos */
609 1.1 christos CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
610 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
611 1.1 christos CHECK(dns_dbiterator_pause(dbit));
612 1.1 christos result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
613 1.6 christos 0, (isc_stdtime_t)0, &rdataset, NULL);
614 1.1 christos /*
615 1.1 christos * If we updating a existing NSEC3 then find its
616 1.1 christos * next field.
617 1.1 christos */
618 1.1 christos if (result == ISC_R_SUCCESS) {
619 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
620 1.1 christos if (result == ISC_R_SUCCESS) {
621 1.6 christos if (!CREATE(nsec3param->flags)) {
622 1.1 christos flags = nsec3.flags;
623 1.6 christos }
624 1.1 christos next_length = nsec3.next_length;
625 1.1 christos INSIST(next_length <= sizeof(nexthash));
626 1.1 christos memmove(nexthash, nsec3.next, next_length);
627 1.1 christos dns_rdataset_disassociate(&rdataset);
628 1.1 christos /*
629 1.1 christos * If the NSEC3 is not for a unsecure delegation then
630 1.1 christos * we are just updating it. If it is for a unsecure
631 1.1 christos * delegation then we need find out if we need to
632 1.1 christos * remove the NSEC3 record or not by examining the
633 1.1 christos * previous NSEC3 record.
634 1.1 christos */
635 1.6 christos if (!unsecure) {
636 1.1 christos goto addnsec3;
637 1.6 christos } else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
638 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
639 1.1 christos nsec3param, diff);
640 1.1 christos goto failure;
641 1.6 christos } else {
642 1.3 christos maybe_remove_unsecure = true;
643 1.6 christos }
644 1.1 christos } else {
645 1.1 christos dns_rdataset_disassociate(&rdataset);
646 1.6 christos if (result != ISC_R_NOMORE) {
647 1.1 christos goto failure;
648 1.6 christos }
649 1.1 christos }
650 1.1 christos }
651 1.1 christos
652 1.1 christos /*
653 1.1 christos * Find the previous NSEC3 (if any) and update it if required.
654 1.1 christos */
655 1.1 christos pass = 0;
656 1.1 christos do {
657 1.1 christos result = dns_dbiterator_prev(dbit);
658 1.1 christos if (result == ISC_R_NOMORE) {
659 1.1 christos pass++;
660 1.1 christos CHECK(dns_dbiterator_last(dbit));
661 1.1 christos }
662 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
663 1.1 christos CHECK(dns_dbiterator_pause(dbit));
664 1.1 christos result = dns_db_findrdataset(db, node, version,
665 1.1 christos dns_rdatatype_nsec3, 0,
666 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
667 1.1 christos dns_db_detachnode(db, &node);
668 1.6 christos if (result != ISC_R_SUCCESS) {
669 1.1 christos continue;
670 1.6 christos }
671 1.1 christos
672 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
673 1.1 christos if (result == ISC_R_NOMORE) {
674 1.1 christos dns_rdataset_disassociate(&rdataset);
675 1.1 christos continue;
676 1.1 christos }
677 1.6 christos if (result != ISC_R_SUCCESS) {
678 1.1 christos goto failure;
679 1.6 christos }
680 1.1 christos
681 1.1 christos if (maybe_remove_unsecure) {
682 1.1 christos dns_rdataset_disassociate(&rdataset);
683 1.1 christos /*
684 1.1 christos * If we have OPTOUT set in the previous NSEC3 record
685 1.1 christos * we actually need to delete the NSEC3 record.
686 1.1 christos * Otherwise we just need to replace the NSEC3 record.
687 1.1 christos */
688 1.1 christos if (OPTOUT(nsec3.flags)) {
689 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
690 1.1 christos nsec3param, diff);
691 1.1 christos goto failure;
692 1.1 christos }
693 1.1 christos goto addnsec3;
694 1.1 christos } else {
695 1.1 christos /*
696 1.1 christos * Is this is a unsecure delegation we are adding?
697 1.1 christos * If so no change is required.
698 1.1 christos */
699 1.1 christos if (OPTOUT(nsec3.flags) && unsecure) {
700 1.1 christos dns_rdataset_disassociate(&rdataset);
701 1.1 christos goto failure;
702 1.1 christos }
703 1.1 christos }
704 1.1 christos
705 1.1 christos old_next = nsec3.next;
706 1.1 christos old_length = nsec3.next_length;
707 1.1 christos
708 1.1 christos /*
709 1.1 christos * Delete the old previous NSEC3.
710 1.1 christos */
711 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
712 1.1 christos
713 1.1 christos /*
714 1.1 christos * Fixup the previous NSEC3.
715 1.1 christos */
716 1.1 christos nsec3.next = nexthash;
717 1.1 christos nsec3.next_length = (unsigned char)next_length;
718 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
719 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
720 1.1 christos dns_rdatatype_nsec3, &nsec3,
721 1.1 christos &buffer));
722 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
723 1.1 christos rdataset.ttl, &rdata, &tuple));
724 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
725 1.1 christos INSIST(old_length <= sizeof(nexthash));
726 1.1 christos memmove(nexthash, old_next, old_length);
727 1.6 christos if (!CREATE(nsec3param->flags)) {
728 1.1 christos flags = nsec3.flags;
729 1.6 christos }
730 1.1 christos dns_rdata_reset(&rdata);
731 1.1 christos dns_rdataset_disassociate(&rdataset);
732 1.1 christos break;
733 1.1 christos } while (pass < 2);
734 1.1 christos
735 1.6 christos addnsec3:
736 1.1 christos /*
737 1.1 christos * Create the NSEC3 RDATA.
738 1.1 christos */
739 1.3 christos CHECK(dns_db_findnode(db, name, false, &node));
740 1.1 christos CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
741 1.1 christos salt, salt_length, nexthash, next_length,
742 1.1 christos nsec3buf, &rdata));
743 1.1 christos dns_db_detachnode(db, &node);
744 1.1 christos
745 1.1 christos /*
746 1.1 christos * Delete the old NSEC3 and record the change.
747 1.1 christos */
748 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
749 1.1 christos /*
750 1.1 christos * Add the new NSEC3 and record the change.
751 1.1 christos */
752 1.6 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
753 1.6 christos nsecttl, &rdata, &tuple));
754 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
755 1.1 christos INSIST(tuple == NULL);
756 1.1 christos dns_rdata_reset(&rdata);
757 1.1 christos dns_db_detachnode(db, &newnode);
758 1.1 christos
759 1.1 christos /*
760 1.1 christos * Add missing NSEC3 records for empty nodes
761 1.1 christos */
762 1.1 christos dns_name_init(&empty, NULL);
763 1.1 christos dns_name_clone(name, &empty);
764 1.1 christos do {
765 1.1 christos labels = dns_name_countlabels(&empty) - 1;
766 1.6 christos if (labels <= dns_name_countlabels(origin)) {
767 1.1 christos break;
768 1.6 christos }
769 1.1 christos dns_name_getlabelsequence(&empty, 1, labels, &empty);
770 1.1 christos CHECK(name_exists(db, version, &empty, &exists));
771 1.6 christos if (exists) {
772 1.1 christos break;
773 1.6 christos }
774 1.6 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
775 1.6 christos origin, hash, iterations, salt,
776 1.6 christos salt_length));
777 1.1 christos
778 1.1 christos /*
779 1.1 christos * Create the node if it doesn't exist and hold
780 1.1 christos * a reference to it until we have added the NSEC3
781 1.1 christos * or we discover we don't need to add make a change.
782 1.1 christos */
783 1.3 christos CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
784 1.1 christos result = dns_db_findrdataset(db, newnode, version,
785 1.1 christos dns_rdatatype_nsec3, 0,
786 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
787 1.1 christos if (result == ISC_R_SUCCESS) {
788 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
789 1.1 christos dns_rdataset_disassociate(&rdataset);
790 1.1 christos if (result == ISC_R_SUCCESS) {
791 1.1 christos dns_db_detachnode(db, &newnode);
792 1.1 christos break;
793 1.1 christos }
794 1.6 christos if (result != ISC_R_NOMORE) {
795 1.1 christos goto failure;
796 1.6 christos }
797 1.1 christos }
798 1.1 christos
799 1.1 christos /*
800 1.1 christos * Find the previous NSEC3 and update it.
801 1.1 christos */
802 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
803 1.1 christos pass = 0;
804 1.1 christos do {
805 1.1 christos result = dns_dbiterator_prev(dbit);
806 1.1 christos if (result == ISC_R_NOMORE) {
807 1.1 christos pass++;
808 1.1 christos CHECK(dns_dbiterator_last(dbit));
809 1.1 christos }
810 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
811 1.1 christos CHECK(dns_dbiterator_pause(dbit));
812 1.6 christos result = dns_db_findrdataset(
813 1.6 christos db, node, version, dns_rdatatype_nsec3, 0,
814 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
815 1.1 christos dns_db_detachnode(db, &node);
816 1.6 christos if (result != ISC_R_SUCCESS) {
817 1.1 christos continue;
818 1.6 christos }
819 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
820 1.1 christos if (result == ISC_R_NOMORE) {
821 1.1 christos dns_rdataset_disassociate(&rdataset);
822 1.1 christos continue;
823 1.1 christos }
824 1.6 christos if (result != ISC_R_SUCCESS) {
825 1.1 christos goto failure;
826 1.6 christos }
827 1.1 christos
828 1.1 christos old_next = nsec3.next;
829 1.1 christos old_length = nsec3.next_length;
830 1.1 christos
831 1.1 christos /*
832 1.1 christos * Delete the old previous NSEC3.
833 1.1 christos */
834 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
835 1.1 christos
836 1.1 christos /*
837 1.1 christos * Fixup the previous NSEC3.
838 1.1 christos */
839 1.1 christos nsec3.next = nexthash;
840 1.1 christos nsec3.next_length = (unsigned char)next_length;
841 1.6 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
842 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
843 1.1 christos dns_rdatatype_nsec3, &nsec3,
844 1.1 christos &buffer));
845 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
846 1.1 christos prev, rdataset.ttl, &rdata,
847 1.1 christos &tuple));
848 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
849 1.1 christos INSIST(old_length <= sizeof(nexthash));
850 1.1 christos memmove(nexthash, old_next, old_length);
851 1.6 christos if (!CREATE(nsec3param->flags)) {
852 1.1 christos flags = nsec3.flags;
853 1.6 christos }
854 1.1 christos dns_rdata_reset(&rdata);
855 1.1 christos dns_rdataset_disassociate(&rdataset);
856 1.1 christos break;
857 1.1 christos } while (pass < 2);
858 1.1 christos
859 1.1 christos INSIST(pass < 2);
860 1.1 christos
861 1.1 christos /*
862 1.1 christos * Create the NSEC3 RDATA for the empty node.
863 1.1 christos */
864 1.6 christos CHECK(dns_nsec3_buildrdata(
865 1.6 christos db, version, NULL, hash, flags, iterations, salt,
866 1.6 christos salt_length, nexthash, next_length, nsec3buf, &rdata));
867 1.1 christos /*
868 1.1 christos * Delete the old NSEC3 and record the change.
869 1.1 christos */
870 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
871 1.1 christos
872 1.1 christos /*
873 1.1 christos * Add the new NSEC3 and record the change.
874 1.1 christos */
875 1.6 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
876 1.6 christos nsecttl, &rdata, &tuple));
877 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
878 1.1 christos INSIST(tuple == NULL);
879 1.1 christos dns_rdata_reset(&rdata);
880 1.1 christos dns_db_detachnode(db, &newnode);
881 1.1 christos } while (1);
882 1.1 christos
883 1.1 christos /* result cannot be ISC_R_NOMORE here */
884 1.1 christos INSIST(result != ISC_R_NOMORE);
885 1.1 christos
886 1.6 christos failure:
887 1.6 christos if (dbit != NULL) {
888 1.1 christos dns_dbiterator_destroy(&dbit);
889 1.6 christos }
890 1.6 christos if (dns_rdataset_isassociated(&rdataset)) {
891 1.1 christos dns_rdataset_disassociate(&rdataset);
892 1.6 christos }
893 1.6 christos if (node != NULL) {
894 1.1 christos dns_db_detachnode(db, &node);
895 1.6 christos }
896 1.6 christos if (newnode != NULL) {
897 1.1 christos dns_db_detachnode(db, &newnode);
898 1.6 christos }
899 1.1 christos return (result);
900 1.1 christos }
901 1.1 christos
902 1.1 christos /*%
903 1.1 christos * Add NSEC3 records for "name", recording the change in "diff".
904 1.1 christos * The existing NSEC3 records are removed.
905 1.1 christos */
/*%
 * Add NSEC3 records for "name" to every active NSEC3 chain of the zone
 * in "db", recording each change in "diff".  Chains whose NSEC3PARAM
 * flags are non-zero are still being built or removed and are skipped;
 * dns_nsec3_addnsec3() takes care of replacing NSEC3 records that
 * already exist for the name.
 *
 * Returns ISC_R_SUCCESS when the zone has no NSEC3PARAM RRset at all,
 * otherwise the result of the first failing step.
 */
isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		    dns_diff_t *diff) {
	dns_dbnode_t *apex = NULL;
	dns_rdataset_t params;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	dns_rdataset_init(&params);

	/* The NSEC3PARAM RRset is looked up at the zone apex. */
	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}
	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0, &params,
				     NULL);
	dns_db_detachnode(db, &apex);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		/* No NSEC3 chains: nothing to add. */
		return (ISC_R_SUCCESS);
	default:
		return (result);
	}

	/*
	 * Walk the parameters and update every active chain; the first
	 * failure ends the walk with 'result' holding the error.
	 */
	result = dns_rdataset_first(&params);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&params, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		if (result != ISC_R_SUCCESS) {
			break;
		}
		/* Non-zero flags mark a chain that is not yet active. */
		if (nsec3param.flags == 0) {
			result = dns_nsec3_addnsec3(db, version, name,
						    &nsec3param, nsecttl,
						    unsecure, diff);
			if (result != ISC_R_SUCCESS) {
				break;
			}
		}
		result = dns_rdataset_next(&params);
	}
	if (result == ISC_R_NOMORE) {
		result = ISC_R_SUCCESS;
	}

	dns_rdataset_disassociate(&params);
	return (result);
}
970 1.1 christos
/*%
 * Decode an NSEC3PARAM record that was stored as a private-type RR.
 *
 * The private encoding is a single zero marker byte followed by the
 * NSEC3PARAM wire format.  Algorithm 0 is reserved by RFC 4034, so the
 * marker cannot be mistaken for a DNSKEY-style private-type record.
 * The decoded rdata is written into 'buf' (at most 'buflen' bytes) and
 * 'target' is pointed at it, so 'buf' must stay valid for as long as
 * 'target' is used.
 *
 * Returns false if 'src' lacks the zero marker or the remainder does
 * not parse as NSEC3PARAM; 'target' is only meaningful on true.
 */
bool
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
			   unsigned char *buf, size_t buflen) {
	dns_decompress_t dctx;
	isc_buffer_t wire;
	isc_buffer_t out;
	isc_result_t result;
	unsigned int wirelen;

	/* The marker byte must be present before it can be inspected. */
	if (src->length < 1) {
		return (false);
	}
	if (src->data[0] != 0) {
		return (false);
	}
	wirelen = src->length - 1;

	/* Everything after the marker is NSEC3PARAM wire data. */
	isc_buffer_init(&wire, src->data + 1, wirelen);
	isc_buffer_add(&wire, wirelen);
	isc_buffer_setactive(&wire, wirelen);
	isc_buffer_init(&out, buf, (unsigned int)buflen);

	/* Parse with name decompression disabled (DNS_DECOMPRESS_NONE). */
	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
	result = dns_rdata_fromwire(target, src->rdclass,
				    dns_rdatatype_nsec3param, &wire, &dctx, 0,
				    &out);
	dns_decompress_invalidate(&dctx);

	return (result == ISC_R_SUCCESS);
}
999 1.1 christos
/*%
 * Encode the NSEC3PARAM record 'src' as a private-type RR of type
 * 'privatetype' in 'target'.
 *
 * The encoding is a single zero marker byte followed by the unchanged
 * NSEC3PARAM rdata; dns_nsec3param_fromprivate() reverses it.  The
 * encoded bytes are written to the caller's 'buf' and 'target' refers
 * to that buffer rather than owning a copy, so 'buf' must outlive
 * 'target'.
 *
 * Requires 'buflen' >= src->length + 1 and an initialized 'target'.
 */
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
			 dns_rdatatype_t privatetype, unsigned char *buf,
			 size_t buflen) {
	REQUIRE(buflen >= src->length + 1);
	REQUIRE(DNS_RDATA_INITIALIZED(target));

	/* Marker byte first, then the original rdata shifted up by one. */
	buf[0] = 0;
	memmove(buf + 1, src->data, src->length);

	/* Hand the encoded buffer to 'target' under the private type. */
	ISC_LINK_INIT(target, link);
	target->rdclass = src->rdclass;
	target->type = privatetype;
	target->flags = 0;
	target->data = buf;
	target->length = src->length + 1;
}
1017 1.1 christos
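/*%
 * Test whether the RR 'rdata' is already present at 'name' in 'db'
 * (version 'ver'), setting *flag accordingly.
 *
 * NSEC3 records are looked up with dns_db_findnsec3node(); every other
 * type uses dns_db_findnode().  Matching is done with
 * dns_rdata_casecompare().
 *
 * Returns ISC_R_SUCCESS with *flag set when the lookup completed (an
 * absent RRset at the node counts as "not present").  A failing node
 * or RRset lookup is returned unchanged and *flag is not written.
 */
static isc_result_t
rr_exists(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	  const dns_rdata_t *rdata, bool *flag) {
	dns_rdataset_t rdataset;
	dns_dbnode_t *node = NULL;
	isc_result_t result;

	dns_rdataset_init(&rdataset);
	if (rdata->type == dns_rdatatype_nsec3) {
		CHECK(dns_db_findnsec3node(db, name, false, &node));
	} else {
		CHECK(dns_db_findnode(db, name, false, &node));
	}
	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*flag = false;
		result = ISC_R_SUCCESS;
		goto failure;
	}
	/*
	 * Any other failure leaves 'rdataset' unassociated; report it
	 * instead of iterating an unassociated rdataset below.
	 */
	if (result != ISC_R_SUCCESS) {
		goto failure;
	}

	/* Stop at the first RR that compares equal to 'rdata'. */
	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t myrdata = DNS_RDATA_INIT;
		dns_rdataset_current(&rdataset, &myrdata);
		if (!dns_rdata_casecompare(&myrdata, rdata)) {
			break;
		}
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		/* Loop ended early: a matching RR was found. */
		*flag = true;
	} else if (result == ISC_R_NOMORE) {
		/* RRset exhausted without a match. */
		*flag = false;
		result = ISC_R_SUCCESS;
	}

failure:
	if (node != NULL) {
		dns_db_detachnode(db, &node);
	}
	return (result);
}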
1062 1.1 christos
/*%
 * Write the salt of 'nsec3param' to 'dst' in presentation form: "-"
 * for an empty salt, otherwise the salt bytes as hexadecimal text, in
 * both cases NUL-terminated.
 *
 * Returns ISC_R_NOSPACE if 'dstlen' cannot hold the text plus the
 * terminator, or whatever isc_hex_totext() reports on failure.
 */
isc_result_t
dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
			  size_t dstlen) {
	isc_buffer_t out;
	isc_region_t salt;
	isc_result_t result;

	REQUIRE(nsec3param != NULL);
	REQUIRE(dst != NULL);

	/* An empty salt is shown as a lone "-". */
	if (nsec3param->salt_length == 0) {
		if (dstlen < 2U) {
			return (ISC_R_NOSPACE);
		}
		dst[0] = '-';
		dst[1] = '\0';
		return (ISC_R_SUCCESS);
	}

	salt.base = nsec3param->salt;
	salt.length = nsec3param->salt_length;
	isc_buffer_init(&out, dst, (unsigned int)dstlen);

	/* Hex-encode the salt with an empty word separator. */
	result = isc_hex_totext(&salt, 2, "", &out);
	if (result == ISC_R_SUCCESS) {
		/* The terminating NUL needs one more byte of room. */
		if (isc_buffer_availablelength(&out) >= 1) {
			isc_buffer_putuint8(&out, 0);
		} else {
			result = ISC_R_NOSPACE;
		}
	}

	return (result);
}
1097 1.1 christos
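/*%
 * Schedule the removal of every NSEC3 chain in 'zone'.
 *
 * Each NSEC3PARAM record at the apex is deleted and, unless one is
 * already present, replaced by its private-type encoding (see
 * dns_nsec3param_toprivate()) with the flags byte set to
 * DNS_NSEC3FLAG_REMOVE, plus DNS_NSEC3FLAG_NONSEC when 'nonsec' is set.
 * Existing private-type records are rewritten the same way unless they
 * are malformed, already flagged REMOVE, or ('nonsec' only) already
 * flagged NONSEC.  Changes are applied to 'db' and recorded in 'diff'.
 *
 * Returns ISC_R_SUCCESS both on success and when there is nothing to
 * do (no NSEC3PARAM RRset and no private type configured).
 */
isc_result_t
dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
			    dns_zone_t *zone, bool nonsec, dns_diff_t *diff) {
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdataset_t rdataset;
	bool flag;
	isc_result_t result = ISC_R_SUCCESS;
	/* One byte larger than an NSEC3PARAM for the private-type marker. */
	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
	dns_name_t *origin = dns_zone_getorigin(zone);
	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * Cause all NSEC3 chains to be deleted: drop each NSEC3PARAM and
	 * put its private-type form, flagged for removal, in its place.
	 */
	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		goto try_private;
	}
	if (result != ISC_R_SUCCESS) {
		goto failure;
	}

	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t private = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);

		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   rdataset.ttl, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/*
		 * In the encoded record buf[0] is the marker, buf[1] the
		 * hash algorithm and buf[2] the NSEC3PARAM flags byte.
		 */
		dns_nsec3param_toprivate(&rdata, &private, privatetype, buf,
					 sizeof(buf));
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec) {
			buf[2] |= DNS_NSEC3FLAG_NONSEC;
		}

		/* Add the private record only if it is not already there. */
		CHECK(rr_exists(db, ver, origin, &private, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &private,
						   &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
		dns_rdata_reset(&rdata);
	}
	if (result != ISC_R_NOMORE) {
		goto failure;
	}

	dns_rdataset_disassociate(&rdataset);

try_private:
	/* Without a private type there are no private records to rewrite. */
	if (privatetype == 0) {
		goto success;
	}
	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		goto success;
	}
	if (result != ISC_R_SUCCESS) {
		goto failure;
	}

	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_reset(&rdata);
		dns_rdataset_current(&rdataset, &rdata);
		/* Work on a copy; INSIST aborts on an oversized record. */
		INSIST(rdata.length <= sizeof(buf));
		memmove(buf, rdata.data, rdata.length);

		/*
		 * Private NSEC3 record length >= 6.
		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
		 * Skip anything malformed, already flagged REMOVE, or
		 * (when 'nonsec' is requested) already flagged NONSEC.
		 */
		if (rdata.length < 6 || buf[0] != 0 ||
		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
		{
			continue;
		}

		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   0, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/* Re-point the rdata at the copy before editing its flags. */
		rdata.data = buf;
		buf[2] = DNS_NSEC3FLAG_REMOVE;
		if (nonsec) {
			buf[2] |= DNS_NSEC3FLAG_NONSEC;
		}

		CHECK(rr_exists(db, ver, origin, &rdata, &flag));

		if (!flag) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &rdata, &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
	}
	if (result != ISC_R_NOMORE) {
		goto failure;
	}
success:
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&rdataset)) {
		dns_rdataset_disassociate(&rdataset);
	}
	/* 'node' is always attached here: the only early return is above. */
	dns_db_detachnode(db, &node);
	return (result);
}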
1233 1.1 christos
/*%
 * Add 'name' to every active chain described by the NSEC3PARAM RRset
 * 'params'.  Chains with non-zero NSEC3PARAM flags are in transition
 * and are skipped.
 *
 * Returns ISC_R_SUCCESS when the RRset has been walked to its end,
 * otherwise the first failing result.
 */
static isc_result_t
addnsec3sx_params(dns_db_t *db, dns_dbversion_t *version,
		  const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		  dns_diff_t *diff, dns_rdataset_t *params) {
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	for (result = dns_rdataset_first(params); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(params))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(params, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
		if (nsec3param.flags != 0) {
			continue;
		}
		result = dns_nsec3_addnsec3(db, version, name, &nsec3param,
					    nsecttl, unsecure, diff);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
	}
	return (result == ISC_R_NOMORE ? ISC_R_SUCCESS : result);
}

/*%
 * Add 'name' to every active chain described by a private-type record
 * in 'privates'.  Records that do not decode as NSEC3PARAM, that are
 * flagged DNS_NSEC3FLAG_REMOVE, or that better_param() reports as
 * superseded are skipped.
 *
 * Returns ISC_R_SUCCESS when the RRset has been walked to its end,
 * otherwise the first failing result.
 */
static isc_result_t
addnsec3sx_private(dns_db_t *db, dns_dbversion_t *version,
		   const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		   dns_diff_t *diff, dns_rdataset_t *privates) {
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	for (result = dns_rdataset_first(privates); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(privates))
	{
		dns_rdata_t raw = DNS_RDATA_INIT;
		dns_rdata_t decoded = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(privates, &raw);
		if (!dns_nsec3param_fromprivate(&raw, &decoded, buf,
						sizeof(buf))) {
			continue;
		}
		result = dns_rdata_tostruct(&decoded, &nsec3param, NULL);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
			continue;
		}
		if (better_param(privates, &decoded)) {
			continue;
		}
		result = dns_nsec3_addnsec3(db, version, name, &nsec3param,
					    nsecttl, unsecure, diff);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
	}
	return (result == ISC_R_NOMORE ? ISC_R_SUCCESS : result);
}

/*%
 * Add NSEC3 records for "name" to every active NSEC3 chain, whether the
 * chain is published as an NSEC3PARAM record or still only described by
 * a private-type record of type 'type' at the apex.  Changes are
 * recorded in "diff".
 *
 * Returns ISC_R_SUCCESS when neither RRset exists, otherwise the first
 * failing result.
 */
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		     dns_rdatatype_t type, dns_diff_t *diff) {
	dns_dbnode_t *apex = NULL;
	dns_rdataset_t params;
	dns_rdataset_t privates;
	isc_result_t result;

	dns_rdataset_init(&params);
	dns_rdataset_init(&privates);

	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/* Private-type records are optional; only a real error aborts. */
	result = dns_db_findrdataset(db, apex, version, type, 0, 0, &privates,
				     NULL);
	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/* Published NSEC3PARAM chains, when the zone has any. */
	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0, &params,
				     NULL);
	if (result == ISC_R_SUCCESS) {
		result = addnsec3sx_params(db, version, name, nsecttl,
					   unsecure, diff, &params);
		if (result != ISC_R_SUCCESS) {
			goto failure;
		}
		dns_rdataset_disassociate(&params);
	} else if (result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/* Chains that so far exist only as private-type records. */
	if (dns_rdataset_isassociated(&privates)) {
		result = addnsec3sx_private(db, version, name, nsecttl,
					    unsecure, diff, &privates);
		if (result != ISC_R_SUCCESS) {
			goto failure;
		}
	}
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&params)) {
		dns_rdataset_disassociate(&params);
	}
	if (dns_rdataset_isassociated(&privates)) {
		dns_rdataset_disassociate(&privates);
	}
	if (apex != NULL) {
		dns_db_detachnode(db, &apex);
	}

	return (result);
}
1349 1.1 christos
1350 1.1 christos /*%
1351 1.1 christos * Determine whether any NSEC3 records that were associated with
1352 1.1 christos * 'name' should be deleted or if they should continue to exist.
1353 1.3 christos * true indicates they should be deleted.
1354 1.3 christos * false indicates they should be retained.
1355 1.1 christos */
/*%
 * Decide whether NSEC3 records that used to cover 'name' should now be
 * deleted (*yesno = true) or kept (*yesno = false).
 *
 * The name is looked up with glue allowed and wildcard matching off.
 * ISC_R_SUCCESS, DNS_R_EMPTYNAME and DNS_R_ZONECUT mean the name is
 * still part of the zone and keeps its NSEC3; DNS_R_GLUE, DNS_R_DNAME,
 * DNS_R_DELEGATION and DNS_R_NXDOMAIN mean it should lose it.
 *
 * Returns ISC_R_SUCCESS for those outcomes.  Any other dns_db_find()
 * result is returned as is, with *yesno set to true only so that it
 * is never read uninitialized.
 */
static isc_result_t
deleteit(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	 bool *yesno) {
	dns_fixedname_t foundname;
	isc_result_t result;

	dns_fixedname_init(&foundname);
	result = dns_db_find(db, name, ver, dns_rdatatype_any,
			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
			     (isc_stdtime_t)0, NULL,
			     dns_fixedname_name(&foundname), NULL, NULL);
	switch (result) {
	case ISC_R_SUCCESS:
	case DNS_R_EMPTYNAME:
	case DNS_R_ZONECUT:
		/* The name still exists in the zone: keep its NSEC3. */
		*yesno = false;
		return (ISC_R_SUCCESS);
	case DNS_R_GLUE:
	case DNS_R_DNAME:
	case DNS_R_DELEGATION:
	case DNS_R_NXDOMAIN:
		/* The name no longer needs an NSEC3 of its own. */
		*yesno = true;
		return (ISC_R_SUCCESS);
	default:
		/* Unexpected lookup result; *yesno is set only to be defined. */
		*yesno = true;
		return (result);
	}
}
1385 1.1 christos
1386 1.1 christos isc_result_t
1387 1.1 christos dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
1388 1.1 christos const dns_name_t *name,
1389 1.6 christos const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
1390 1.1 christos dns_dbiterator_t *dbit = NULL;
1391 1.1 christos dns_dbnode_t *node = NULL;
1392 1.1 christos dns_difftuple_t *tuple = NULL;
1393 1.1 christos dns_fixedname_t fixed;
1394 1.1 christos dns_fixedname_t fprev;
1395 1.1 christos dns_hash_t hash;
1396 1.1 christos dns_name_t *hashname;
1397 1.1 christos dns_name_t *origin;
1398 1.1 christos dns_name_t *prev;
1399 1.1 christos dns_name_t empty;
1400 1.1 christos dns_rdata_nsec3_t nsec3;
1401 1.1 christos dns_rdata_t rdata = DNS_RDATA_INIT;
1402 1.1 christos dns_rdataset_t rdataset;
1403 1.1 christos int pass;
1404 1.3 christos bool yesno;
1405 1.1 christos isc_buffer_t buffer;
1406 1.1 christos isc_result_t result;
1407 1.1 christos unsigned char *salt;
1408 1.1 christos unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
1409 1.1 christos unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
1410 1.1 christos unsigned int iterations;
1411 1.1 christos unsigned int labels;
1412 1.1 christos size_t next_length;
1413 1.1 christos unsigned int salt_length;
1414 1.1 christos
1415 1.1 christos hashname = dns_fixedname_initname(&fixed);
1416 1.1 christos prev = dns_fixedname_initname(&fprev);
1417 1.1 christos
1418 1.1 christos dns_rdataset_init(&rdataset);
1419 1.1 christos
1420 1.1 christos origin = dns_db_origin(db);
1421 1.1 christos
1422 1.1 christos /*
1423 1.1 christos * Chain parameters.
1424 1.1 christos */
1425 1.1 christos hash = nsec3param->hash;
1426 1.1 christos iterations = nsec3param->iterations;
1427 1.1 christos salt_length = nsec3param->salt_length;
1428 1.1 christos salt = nsec3param->salt;
1429 1.1 christos
1430 1.1 christos /*
1431 1.1 christos * If this is the first NSEC3 in the chain nexthash will
1432 1.1 christos * remain pointing to itself.
1433 1.1 christos */
1434 1.1 christos next_length = sizeof(nexthash);
1435 1.6 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
1436 1.6 christos hash, iterations, salt, salt_length));
1437 1.1 christos
1438 1.1 christos CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
1439 1.1 christos
1440 1.1 christos result = dns_dbiterator_seek(dbit, hashname);
1441 1.6 christos if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
1442 1.1 christos goto success;
1443 1.6 christos }
1444 1.6 christos if (result != ISC_R_SUCCESS) {
1445 1.1 christos goto failure;
1446 1.6 christos }
1447 1.1 christos
1448 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, NULL));
1449 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1450 1.6 christos result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
1451 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
1452 1.1 christos dns_db_detachnode(db, &node);
1453 1.6 christos if (result == ISC_R_NOTFOUND) {
1454 1.1 christos goto success;
1455 1.6 christos }
1456 1.6 christos if (result != ISC_R_SUCCESS) {
1457 1.1 christos goto failure;
1458 1.6 christos }
1459 1.1 christos
1460 1.1 christos /*
1461 1.1 christos * If we find a existing NSEC3 for this chain then save the
1462 1.1 christos * next field.
1463 1.1 christos */
1464 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1465 1.1 christos if (result == ISC_R_SUCCESS) {
1466 1.1 christos next_length = nsec3.next_length;
1467 1.1 christos INSIST(next_length <= sizeof(nexthash));
1468 1.1 christos memmove(nexthash, nsec3.next, next_length);
1469 1.1 christos }
1470 1.1 christos dns_rdataset_disassociate(&rdataset);
1471 1.6 christos if (result == ISC_R_NOMORE) {
1472 1.1 christos goto success;
1473 1.6 christos }
1474 1.6 christos if (result != ISC_R_SUCCESS) {
1475 1.1 christos goto failure;
1476 1.6 christos }
1477 1.1 christos
1478 1.1 christos /*
1479 1.1 christos * Find the previous NSEC3 and update it.
1480 1.1 christos */
1481 1.1 christos pass = 0;
1482 1.1 christos do {
1483 1.1 christos result = dns_dbiterator_prev(dbit);
1484 1.1 christos if (result == ISC_R_NOMORE) {
1485 1.1 christos pass++;
1486 1.1 christos CHECK(dns_dbiterator_last(dbit));
1487 1.1 christos }
1488 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
1489 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1490 1.1 christos result = dns_db_findrdataset(db, node, version,
1491 1.1 christos dns_rdatatype_nsec3, 0,
1492 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
1493 1.1 christos dns_db_detachnode(db, &node);
1494 1.6 christos if (result != ISC_R_SUCCESS) {
1495 1.1 christos continue;
1496 1.6 christos }
1497 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1498 1.1 christos if (result == ISC_R_NOMORE) {
1499 1.1 christos dns_rdataset_disassociate(&rdataset);
1500 1.1 christos continue;
1501 1.1 christos }
1502 1.6 christos if (result != ISC_R_SUCCESS) {
1503 1.1 christos goto failure;
1504 1.6 christos }
1505 1.1 christos
1506 1.1 christos /*
1507 1.1 christos * Delete the old previous NSEC3.
1508 1.1 christos */
1509 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
1510 1.1 christos
1511 1.1 christos /*
1512 1.1 christos * Fixup the previous NSEC3.
1513 1.1 christos */
1514 1.1 christos nsec3.next = nexthash;
1515 1.1 christos nsec3.next_length = (unsigned char)next_length;
1516 1.6 christos if (CREATE(nsec3param->flags)) {
1517 1.1 christos nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
1518 1.6 christos }
1519 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1520 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1521 1.1 christos dns_rdatatype_nsec3, &nsec3,
1522 1.1 christos &buffer));
1523 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
1524 1.1 christos rdataset.ttl, &rdata, &tuple));
1525 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
1526 1.1 christos dns_rdata_reset(&rdata);
1527 1.1 christos dns_rdataset_disassociate(&rdataset);
1528 1.1 christos break;
1529 1.1 christos } while (pass < 2);
1530 1.1 christos
1531 1.1 christos /*
1532 1.1 christos * Delete the old NSEC3 and record the change.
1533 1.1 christos */
1534 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1535 1.1 christos
1536 1.1 christos /*
1537 1.1 christos * Delete NSEC3 records for now non active nodes.
1538 1.1 christos */
1539 1.1 christos dns_name_init(&empty, NULL);
1540 1.1 christos dns_name_clone(name, &empty);
1541 1.1 christos do {
1542 1.1 christos labels = dns_name_countlabels(&empty) - 1;
1543 1.6 christos if (labels <= dns_name_countlabels(origin)) {
1544 1.1 christos break;
1545 1.6 christos }
1546 1.1 christos dns_name_getlabelsequence(&empty, 1, labels, &empty);
1547 1.1 christos CHECK(deleteit(db, version, &empty, &yesno));
1548 1.6 christos if (!yesno) {
1549 1.1 christos break;
1550 1.6 christos }
1551 1.1 christos
1552 1.6 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
1553 1.6 christos origin, hash, iterations, salt,
1554 1.6 christos salt_length));
1555 1.1 christos result = dns_dbiterator_seek(dbit, hashname);
1556 1.6 christos if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
1557 1.1 christos goto success;
1558 1.6 christos }
1559 1.6 christos if (result != ISC_R_SUCCESS) {
1560 1.1 christos goto failure;
1561 1.6 christos }
1562 1.1 christos
1563 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, NULL));
1564 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1565 1.1 christos result = dns_db_findrdataset(db, node, version,
1566 1.1 christos dns_rdatatype_nsec3, 0,
1567 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
1568 1.1 christos dns_db_detachnode(db, &node);
1569 1.6 christos if (result == ISC_R_NOTFOUND) {
1570 1.1 christos goto success;
1571 1.6 christos }
1572 1.6 christos if (result != ISC_R_SUCCESS) {
1573 1.1 christos goto failure;
1574 1.6 christos }
1575 1.1 christos
1576 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1577 1.1 christos if (result == ISC_R_SUCCESS) {
1578 1.1 christos next_length = nsec3.next_length;
1579 1.1 christos INSIST(next_length <= sizeof(nexthash));
1580 1.1 christos memmove(nexthash, nsec3.next, next_length);
1581 1.1 christos }
1582 1.1 christos dns_rdataset_disassociate(&rdataset);
1583 1.6 christos if (result == ISC_R_NOMORE) {
1584 1.1 christos goto success;
1585 1.6 christos }
1586 1.6 christos if (result != ISC_R_SUCCESS) {
1587 1.1 christos goto failure;
1588 1.6 christos }
1589 1.1 christos
1590 1.1 christos pass = 0;
1591 1.1 christos do {
1592 1.1 christos result = dns_dbiterator_prev(dbit);
1593 1.1 christos if (result == ISC_R_NOMORE) {
1594 1.1 christos pass++;
1595 1.1 christos CHECK(dns_dbiterator_last(dbit));
1596 1.1 christos }
1597 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
1598 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1599 1.6 christos result = dns_db_findrdataset(
1600 1.6 christos db, node, version, dns_rdatatype_nsec3, 0,
1601 1.6 christos (isc_stdtime_t)0, &rdataset, NULL);
1602 1.1 christos dns_db_detachnode(db, &node);
1603 1.6 christos if (result != ISC_R_SUCCESS) {
1604 1.1 christos continue;
1605 1.6 christos }
1606 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1607 1.1 christos if (result == ISC_R_NOMORE) {
1608 1.1 christos dns_rdataset_disassociate(&rdataset);
1609 1.1 christos continue;
1610 1.1 christos }
1611 1.6 christos if (result != ISC_R_SUCCESS) {
1612 1.1 christos goto failure;
1613 1.6 christos }
1614 1.1 christos
1615 1.1 christos /*
1616 1.1 christos * Delete the old previous NSEC3.
1617 1.1 christos */
1618 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
1619 1.1 christos
1620 1.1 christos /*
1621 1.1 christos * Fixup the previous NSEC3.
1622 1.1 christos */
1623 1.1 christos nsec3.next = nexthash;
1624 1.1 christos nsec3.next_length = (unsigned char)next_length;
1625 1.6 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1626 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1627 1.1 christos dns_rdatatype_nsec3, &nsec3,
1628 1.1 christos &buffer));
1629 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
1630 1.1 christos prev, rdataset.ttl, &rdata,
1631 1.1 christos &tuple));
1632 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
1633 1.1 christos dns_rdata_reset(&rdata);
1634 1.1 christos dns_rdataset_disassociate(&rdataset);
1635 1.1 christos break;
1636 1.1 christos } while (pass < 2);
1637 1.1 christos
1638 1.1 christos INSIST(pass < 2);
1639 1.1 christos
1640 1.1 christos /*
1641 1.1 christos * Delete the old NSEC3 and record the change.
1642 1.1 christos */
1643 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1644 1.1 christos } while (1);
1645 1.1 christos
1646 1.6 christos success:
1647 1.1 christos result = ISC_R_SUCCESS;
1648 1.1 christos
1649 1.6 christos failure:
1650 1.6 christos if (dbit != NULL) {
1651 1.1 christos dns_dbiterator_destroy(&dbit);
1652 1.6 christos }
1653 1.6 christos if (dns_rdataset_isassociated(&rdataset)) {
1654 1.1 christos dns_rdataset_disassociate(&rdataset);
1655 1.6 christos }
1656 1.6 christos if (node != NULL) {
1657 1.1 christos dns_db_detachnode(db, &node);
1658 1.6 christos }
1659 1.1 christos return (result);
1660 1.1 christos }
1661 1.1 christos
/*
 * Remove the NSEC3 records for 'name' from every active NSEC3 chain of the
 * zone held in 'db'/'version', appending the changes to 'diff'.
 *
 * Convenience wrapper around dns_nsec3_delnsec3sx() with no private
 * rdatatype, so chains that are still being built are left untouched.
 */
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_diff_t *diff) {
	const dns_rdatatype_t no_privatetype = 0;

	return (dns_nsec3_delnsec3sx(db, version, name, no_privatetype, diff));
}
1667 1.1 christos
/*
 * Remove the NSEC3 records covering 'name' from each NSEC3 chain of the
 * zone: first every chain whose NSEC3PARAM record is active (flags == 0),
 * then, when 'privatetype' is non-zero, every chain that is still being
 * built and is described by a record of that private type.  Private
 * records flagged DNS_NSEC3FLAG_REMOVE, or superseded according to
 * better_param(), are skipped.  All changes are appended to 'diff'.
 *
 * Returns ISC_R_SUCCESS once the chains have been processed (also when the
 * zone has no NSEC3PARAM RRset at all), otherwise the first error seen.
 */
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_rdatatype_t privatetype,
		     dns_diff_t *diff) {
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	/*
	 * The NSEC3PARAM records live at the zone apex.
	 */
	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
				     NULL);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		/* No published chain; there may still be one being built. */
		goto try_private;
	default:
		goto failure;
	}

	/*
	 * Update each active NSEC3 chain.
	 */
	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

		/* Only a record with no flags set describes an active chain. */
		if (nsec3param.flags == 0) {
			CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param,
						 diff));
		}
		result = dns_rdataset_next(&rdataset);
	}
	dns_rdataset_disassociate(&rdataset);
	/*
	 * NOTE(review): an iteration result other than ISC_R_NOMORE is not
	 * checked here; it is overwritten by the lookup below, or turned into
	 * success when privatetype == 0.
	 */

try_private:
	if (privatetype == 0) {
		goto success;
	}
	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		goto success;
	default:
		goto failure;
	}

	/*
	 * Update each NSEC3 chain being built.
	 */
	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t privrdata = DNS_RDATA_INIT;
		dns_rdata_t paramrdata = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
		bool wanted;

		dns_rdataset_current(&rdataset, &privrdata);
		/* Skip private records that do not convert to an NSEC3PARAM. */
		wanted = dns_nsec3param_fromprivate(&privrdata, &paramrdata, buf,
						    sizeof(buf));
		if (wanted) {
			CHECK(dns_rdata_tostruct(&paramrdata, &nsec3param, NULL));
			/*
			 * Chains scheduled for removal, or superseded by a
			 * better parameter set, are not updated.
			 */
			wanted = (nsec3param.flags & DNS_NSEC3FLAG_REMOVE) == 0 &&
				 !better_param(&rdataset, &paramrdata);
		}
		if (wanted) {
			CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param,
						 diff));
		}
		result = dns_rdataset_next(&rdataset);
	}
	if (result != ISC_R_NOMORE) {
		goto failure;
	}

success:
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&rdataset)) {
		dns_rdataset_disassociate(&rdataset);
	}
	if (node != NULL) {
		dns_db_detachnode(db, &node);
	}

	return (result);
}
1775 1.1 christos
/*
 * Report in '*answer' whether the zone in 'db'/'version' has an active
 * NSEC3 chain.  With 'complete' set, only chains that are fully published
 * count.
 *
 * Convenience wrapper around dns_nsec3_activex() with no private rdatatype,
 * so chains that are only being built are never considered.
 */
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, bool complete,
		 bool *answer) {
	const dns_rdatatype_t no_privatetype = 0;

	return (dns_nsec3_activex(db, version, complete, no_privatetype, answer));
}
1781 1.1 christos
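/*
 * Report in '*answer' whether the zone in 'db'/'version' has an active
 * NSEC3 chain.
 *
 * A chain is active when the apex NSEC3PARAM RRset holds a record with no
 * flags set.  When 'complete' is false and 'privatetype' is non-zero, a
 * record of that private type carrying the CREATE flag (a chain being
 * built) also counts.
 *
 * Returns ISC_R_SUCCESS with '*answer' set, or an error from the database
 * lookups; '*answer' is not guaranteed to be set on error.
 *
 * Fix: the original returned from the 'try_private' early-exit without
 * releasing the apex node reference taken by dns_db_getoriginnode(); all
 * exits now go through a single cleanup path that detaches the node and
 * disassociates the rdataset.
 */
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
		  dns_rdatatype_t privatetype, bool *answer) {
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
				     NULL);
	if (result == ISC_R_NOTFOUND) {
		goto try_private;
	}
	if (result != ISC_R_SUCCESS) {
		goto cleanup;
	}

	/*
	 * An NSEC3PARAM record with no flags set marks an active chain.
	 */
	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		if (nsec3param.flags == 0) {
			break;
		}
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = true;
		goto cleanup;
	}
	if (result == ISC_R_NOMORE) {
		*answer = false;
	}
	/*
	 * NOTE(review): any other iteration result is not reported; it is
	 * replaced by the outcome of the private-type lookup below, or by
	 * ISC_R_SUCCESS when that lookup is skipped (as in the original).
	 */

try_private:
	if (privatetype == 0 || complete) {
		*answer = false;
		result = ISC_R_SUCCESS;
		goto cleanup;
	}
	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*answer = false;
		result = ISC_R_SUCCESS;
		goto cleanup;
	}
	if (result != ISC_R_SUCCESS) {
		goto cleanup;
	}

	/*
	 * A chain that is still being built counts only when the caller
	 * did not ask for complete chains (already ensured above).
	 */
	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t rdata1 = DNS_RDATA_INIT;
		dns_rdata_t rdata2 = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		dns_rdataset_current(&rdataset, &rdata1);
		/* Skip private records that do not convert to an NSEC3PARAM. */
		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2, buf,
						sizeof(buf))) {
			continue;
		}
		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
		RUNTIME_CHECK(result == ISC_R_SUCCESS);

		if (!complete && CREATE(nsec3param.flags)) {
			break;
		}
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*answer = true;
	} else if (result == ISC_R_NOMORE) {
		*answer = false;
		result = ISC_R_SUCCESS;
	}

cleanup:
	if (dns_rdataset_isassociated(&rdataset)) {
		dns_rdataset_disassociate(&rdataset);
	}
	if (node != NULL) {
		dns_db_detachnode(db, &node);
	}
	return (result);
}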
1882 1.1 christos
/*
 * Compute the largest NSEC3 iteration count this zone may use, based on
 * the smallest usable key in the apex DNSKEY RRset: 150 for keys of at
 * most 1024 bits, 500 for at most 2048 bits, 2500 otherwise.  These are
 * the RFC 5155 section 10.3 ceilings; later guidance (RFC 9276) recommends
 * far lower counts, since every iteration is extra work for validating
 * resolvers, so callers should treat this as an upper bound rather than a
 * target.
 *
 * Keys whose algorithm dst_algorithm_supported() rejects are ignored.  If
 * no key is considered, the starting value of 4096 bits stands and 2500
 * is returned.  A zone without a DNSKEY RRset gets 0.
 *
 * On success '*iterationsp' is set and ISC_R_SUCCESS is returned;
 * otherwise the error from the database or key parsing is returned and
 * '*iterationsp' is left untouched.
 */
isc_result_t
dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, isc_mem_t *mctx,
			unsigned int *iterationsp) {
	/* Key-size thresholds and matching iteration ceilings (RFC 5155). */
	enum { KEYBITS_LOW = 1024, KEYBITS_MID = 2048, KEYBITS_START = 4096 };
	enum { ITER_LOW = 150, ITER_MID = 500, ITER_HIGH = 2500 };
	dns_dbnode_t *apex = NULL;
	dns_rdataset_t keys;
	dst_key_t *key = NULL;
	isc_buffer_t wire;
	isc_result_t result;
	unsigned int smallest = KEYBITS_START;

	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	dns_rdataset_init(&keys);
	result = dns_db_findrdataset(db, apex, version, dns_rdatatype_dnskey, 0,
				     0, &keys, NULL);
	dns_db_detachnode(db, &apex);
	switch (result) {
	case ISC_R_SUCCESS:
		break;
	case ISC_R_NOTFOUND:
		/* No DNSKEY RRset at the apex: report zero iterations. */
		*iterationsp = 0;
		return (ISC_R_SUCCESS);
	default:
		goto failure;
	}

	for (result = dns_rdataset_first(&keys); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&keys))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned int keybits;

		dns_rdataset_current(&keys, &rdata);

		REQUIRE(rdata.type == dns_rdatatype_key ||
			rdata.type == dns_rdatatype_dnskey);
		/* The algorithm octet sits at offset 3 of the DNSKEY rdata. */
		REQUIRE(rdata.length > 3);

		/*
		 * Keys with an algorithm we cannot use play no part in the
		 * iteration limit.
		 */
		if (!dst_algorithm_supported(rdata.data[3])) {
			continue;
		}

		isc_buffer_init(&wire, rdata.data, rdata.length);
		isc_buffer_add(&wire, rdata.length);
		CHECK(dst_key_fromdns(dns_db_origin(db), keys.rdclass, &wire,
				      mctx, &key));
		keybits = dst_key_size(key);
		dst_key_free(&key);
		smallest = (keybits < smallest) ? keybits : smallest;
	}
	if (result != ISC_R_NOMORE) {
		goto failure;
	}

	if (smallest <= KEYBITS_LOW) {
		*iterationsp = ITER_LOW;
	} else if (smallest <= KEYBITS_MID) {
		*iterationsp = ITER_MID;
	} else {
		*iterationsp = ITER_HIGH;
	}
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&keys)) {
		dns_rdataset_disassociate(&keys);
	}
	return (result);
}
1956 1.1 christos
/*
 * Examine one NSEC3 RRset ('nsec3set', owned by 'nsec3name') and decide
 * what, if anything, it proves about 'name' for query type 'type'.
 *
 * Only the first RR of 'nsec3set' is inspected.  The zone the record
 * belongs to is recovered by stripping the hash label from 'nsec3name';
 * 'zonename' is updated to the deepest zone seen so far and records from
 * any other zone are ignored.  When 'exists'/'data' are NULL the caller
 * only wants that zone determination, and ISC_R_SUCCESS is returned at
 * that point.
 *
 * Otherwise the hash of 'name', and of each of its ancestors down to the
 * zone apex, is computed with the record's own parameters and compared
 * against the owner hash and the 'next' hash:
 *   - owner hash == hash(name): the name exists; '*exists' becomes true
 *     and '*data' says whether 'type' is in the type bitmap -- unless the
 *     record is a parent- or child-side NSEC3 that may not be used here,
 *     or it proves a CNAME, in which case ISC_R_IGNORE is returned.
 *   - owner hash == hash(ancestor): a potential closest encloser; 'closest'
 *     and '*setclosest' are updated when the record qualifies, and the
 *     result of any non-existence proof made so far is returned.
 *   - hash(ancestor or name) falls inside the span: the name does not
 *     exist; '*exists' and '*data' are cleared, 'nearest'/'*setnearest'
 *     track the shortest such name, and '*optout' reports the opt-out flag.
 *
 * '*unknown' is set when the record's hash algorithm is not supported.
 * Progress is reported through 'logit'/'arg'.
 *
 * Returns ISC_R_SUCCESS when the record proved something, ISC_R_IGNORE
 * when it is not applicable, or an error from rdata/base32hex processing.
 */
isc_result_t
dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
			dns_name_t *zonename, bool *exists, bool *data,
			bool *optout, bool *unknown, bool *setclosest,
			bool *setnearest, dns_name_t *closest,
			dns_name_t *nearest, dns_nseclog_t logit, void *arg) {
	char namebuf[DNS_NAME_FORMATSIZE];
	dns_fixedname_t fzone;
	dns_fixedname_t qfixed;
	dns_label_t hashlabel;
	dns_name_t *qname;
	dns_name_t *zone;
	dns_rdata_nsec3_t nsec3;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	int order;
	int scope;
	bool atparent;
	bool first;
	bool ns;
	bool soa;
	isc_buffer_t buffer;
	/* Becomes ISC_R_SUCCESS once a non-existence proof has been found. */
	isc_result_t answer = ISC_R_IGNORE;
	isc_result_t result;
	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
	unsigned int length;
	unsigned int qlabels;
	unsigned int zlabels;

	/* The output pointers come in pairs: both NULL or both set. */
	REQUIRE((exists == NULL && data == NULL) ||
		(exists != NULL && data != NULL));
	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
	REQUIRE((setclosest == NULL && closest == NULL) ||
		(setclosest != NULL && closest != NULL));
	REQUIRE((setnearest == NULL && nearest == NULL) ||
		(setnearest != NULL && nearest != NULL));

	result = dns_rdataset_first(nsec3set);
	if (result != ISC_R_SUCCESS) {
		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
		return (result);
	}

	dns_rdataset_current(nsec3set, &rdata);

	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");

	zone = dns_fixedname_initname(&fzone);
	zlabels = dns_name_countlabels(nsec3name);

	/*
	 * NSEC3 records must have two or more labels to be valid.
	 */
	if (zlabels < 2) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Strip off the NSEC3 hash to get the zone.
	 */
	zlabels--;
	dns_name_split(nsec3name, zlabels, NULL, zone);

	/*
	 * If not below the zone name we can ignore this record.
	 */
	if (!dns_name_issubdomain(name, zone)) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Is this zone the same or deeper than the current zone?
	 */
	if (dns_name_countlabels(zonename) == 0 ||
	    dns_name_issubdomain(zone, zonename)) {
		dns_name_copynf(zone, zonename);
	}

	/* A record from a shallower zone than the one already chosen is not used. */
	if (!dns_name_equal(zone, zonename)) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Are we only looking for the most enclosing zone?
	 */
	if (exists == NULL || data == NULL) {
		return (ISC_R_SUCCESS);
	}

	/*
	 * Only set unknown once we are sure that this NSEC3 is from
	 * the deepest covering zone.
	 */
	if (!dns_nsec3_supportedhash(nsec3.hash)) {
		if (unknown != NULL) {
			*unknown = true;
		}
		return (ISC_R_IGNORE);
	}

	/*
	 * Recover the hash from the first label.
	 */
	dns_name_getlabel(nsec3name, 0, &hashlabel);
	/* Drop the label's leading length octet; the rest is base32hex text. */
	isc_region_consume(&hashlabel, 1);
	/* 'buffer' bounds the decode to sizeof(owner). */
	isc_buffer_init(&buffer, owner, sizeof(owner));
	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * The hash lengths should match. If not ignore the record.
	 *
	 * After this check the decoded owner hash and nsec3.next are both
	 * nsec3.next_length bytes long, which keeps every memcmp() below
	 * within the 'owner', 'hash' and 'next' buffers.
	 */
	if (isc_buffer_usedlength(&buffer) != nsec3.next_length) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Work out what this NSEC3 covers.
	 * Inside (<0) or outside (>=0).
	 *
	 * scope < 0: owner < next, an ordinary span of the hash ring.
	 * scope >= 0: owner >= next, i.e. the last record of the chain,
	 * whose span wraps around the end of the hash ring.
	 */
	scope = memcmp(owner, nsec3.next, nsec3.next_length);

	/*
	 * Prepare to compute all the hashes.
	 */
	qname = dns_fixedname_initname(&qfixed);
	dns_name_downcase(name, qname, NULL);
	qlabels = dns_name_countlabels(qname);
	/* True only on the first pass, when 'qname' is still 'name' itself. */
	first = true;

	/*
	 * Walk from 'name' up to the zone apex, one label at a time, hashing
	 * each candidate with the parameters carried by the record itself.
	 * The iteration count therefore comes from the record being checked;
	 * any limit on it is enforced by the caller, not here.
	 */
	while (qlabels >= zlabels) {
		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
					   nsec3.salt, nsec3.salt_length,
					   qname->ndata, qname->length);
		/*
		 * The computed hash length should match.
		 */
		if (length != nsec3.next_length) {
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring NSEC bad length %u vs %u", length,
				 nsec3.next_length);
			return (ISC_R_IGNORE);
		}

		order = memcmp(hash, owner, length);
		if (first && order == 0) {
			/*
			 * The hashes are the same.
			 */
			atparent = dns_rdatatype_atparent(type);
			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
			if (ns && !soa) {
				if (!atparent) {
					/*
					 * This NSEC3 record is from somewhere
					 * higher in the DNS, and at the
					 * parent of a delegation. It can not
					 * be legitimately used here.
					 */
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "ignoring parent NSEC3");
					return (ISC_R_IGNORE);
				}
			} else if (atparent && ns && soa) {
				/*
				 * This NSEC3 record is from the child.
				 * It can not be legitimately used here.
				 */
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "ignoring child NSEC3");
				return (ISC_R_IGNORE);
			}
			/*
			 * A CNAME at the owner means the answer for any other
			 * type is the CNAME itself, so only the types that can
			 * coexist with or are the CNAME are answered from the
			 * bitmap here.
			 */
			if (type == dns_rdatatype_cname ||
			    type == dns_rdatatype_nxt ||
			    type == dns_rdatatype_nsec ||
			    type == dns_rdatatype_key ||
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname))
			{
				*exists = true;
				*data = dns_nsec3_typepresent(&rdata, type);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 proves name exists (owner) "
					 "data=%d",
					 *data);
				return (ISC_R_SUCCESS);
			}
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves CNAME exists");
			return (ISC_R_IGNORE);
		}

		if (order == 0 &&
		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
		{
			/*
			 * This NSEC3 record is from somewhere higher in
			 * the DNS, and at the parent of a delegation.
			 * It can not be legitimately used here.
			 */
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring parent NSEC3");
			return (ISC_R_IGNORE);
		}

		/*
		 * Potential closest encloser.
		 *
		 * Only accepted when it would be deeper than any closest
		 * encloser already recorded, and the record does not mark a
		 * delegation point (DS, DNAME, or NS without SOA).
		 */
		if (order == 0) {
			if (closest != NULL &&
			    (dns_name_countlabels(closest) == 0 ||
			     dns_name_issubdomain(qname, closest)) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
			    !dns_nsec3_typepresent(&rdata,
						   dns_rdatatype_dname) &&
			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
			{
				dns_name_format(qname, namebuf,
						sizeof(namebuf));
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 indicates potential closest "
					 "encloser: '%s'",
					 namebuf);
				dns_name_copynf(qname, closest);
				*setclosest = true;
			}
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 at super-domain %s", namebuf);
			return (answer);
		}

		/*
		 * Find if the name does not exist.
		 *
		 * We continue as we need to find the name closest to the
		 * closest encloser that doesn't exist.
		 *
		 * We also need to continue to ensure that we are not
		 * proving the non-existence of a record in a sub-zone.
		 * If that would be the case we will return ISC_R_IGNORE
		 * above.
		 *
		 * The candidate is covered when it lies strictly between
		 * owner and next: for an ordinary span (scope < 0) it must
		 * be above owner and below next; for the wrap-around span
		 * (scope >= 0) either side suffices.
		 */
		if ((scope < 0 && order > 0 &&
		     memcmp(hash, nsec3.next, length) < 0) ||
		    (scope >= 0 &&
		     (order > 0 || memcmp(hash, nsec3.next, length) < 0)))
		{
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves "
				 "name does not exist: '%s'",
				 namebuf);
			/*
			 * Keep the shortest covered name: a later, shorter
			 * 'qname' replaces a 'nearest' that lies below it.
			 */
			if (nearest != NULL &&
			    (dns_name_countlabels(nearest) == 0 ||
			     dns_name_issubdomain(nearest, qname)))
			{
				dns_name_copynf(qname, nearest);
				*setnearest = true;
			}

			*exists = false;
			*data = false;
			if (optout != NULL) {
				*optout = ((nsec3.flags &
					    DNS_NSEC3FLAG_OPTOUT) != 0);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 (*optout ? "NSEC3 indicates optout"
						  : "NSEC3 indicates secure "
						    "range"));
			}
			answer = ISC_R_SUCCESS;
		}

		/* Move one label up towards the apex for the next pass. */
		qlabels--;
		if (qlabels > 0) {
			dns_name_split(qname, qlabels, NULL, qname);
		}
		first = false;
	}
	return (answer);
}
2249