/*	$NetBSD: nsec3.c,v 1.1 2024/02/18 20:57:32 christos Exp $	*/

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
15 1.1 christos
16 1.1 christos #include <inttypes.h>
17 1.1 christos #include <stdbool.h>
18 1.1 christos
19 1.1 christos #include <isc/base32.h>
20 1.1 christos #include <isc/buffer.h>
21 1.1 christos #include <isc/hex.h>
22 1.1 christos #include <isc/iterated_hash.h>
23 1.1 christos #include <isc/md.h>
24 1.1 christos #include <isc/nonce.h>
25 1.1 christos #include <isc/safe.h>
26 1.1 christos #include <isc/string.h>
27 1.1 christos #include <isc/util.h>
28 1.1 christos
29 1.1 christos #include <dns/compress.h>
30 1.1 christos #include <dns/db.h>
31 1.1 christos #include <dns/dbiterator.h>
32 1.1 christos #include <dns/diff.h>
33 1.1 christos #include <dns/fixedname.h>
34 1.1 christos #include <dns/nsec.h>
35 1.1 christos #include <dns/nsec3.h>
36 1.1 christos #include <dns/rdata.h>
37 1.1 christos #include <dns/rdatalist.h>
38 1.1 christos #include <dns/rdataset.h>
39 1.1 christos #include <dns/rdatasetiter.h>
40 1.1 christos #include <dns/rdatastruct.h>
41 1.1 christos #include <dns/result.h>
42 1.1 christos #include <dns/zone.h>
43 1.1 christos
44 1.1 christos #include <dst/dst.h>
45 1.1 christos
/*
 * Evaluate 'x' into the enclosing function's local 'result' and, on
 * anything but ISC_R_SUCCESS, jump to its 'failure' label.  Every
 * function that uses CHECK therefore needs both a 'result' variable and
 * a 'failure:' block that releases whatever has been acquired so far.
 */
#define CHECK(x) \
	do { \
		result = (x); \
		if (result != ISC_R_SUCCESS) \
			goto failure; \
	} while (0)

/*
 * Predicates on the flags octet of an NSEC3 / NSEC3PARAM record.
 * OPTOUT is the RFC 5155 opt-out bit; CREATE and REMOVE are consulted
 * by better_param() and dns_nsec3_addnsec3() below while a chain is
 * being built or torn down.
 */
#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0)
#define CREATE(x) (((x)&DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0)
#define REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0)
57 1.1 christos
/*
 * Build the NSEC3 RDATA describing 'node' into 'buffer' and make 'rdata'
 * refer to it.
 *
 * The fixed part is written in wire order: hash algorithm, flags,
 * iterations (two octets, big-endian), salt length and salt, next-hash
 * length and next hash.  The type bitmap follows, built from the
 * rdatasets present at 'node' (NSEC, NSEC3 and RRSIG are never copied
 * directly; RRSIG is added by the rule described in the loop) and then
 * compressed into window blocks.  When 'node' is NULL the bitmap is
 * empty.
 *
 * 'buffer' must hold at least DNS_NSEC3_BUFFERSIZE octets: it is zeroed
 * to that size here and the raw bitmap scratch area is carved out of it.
 * The REQUIREs pin each argument to the range its wire field can carry;
 * a violation is an assertion failure rather than an error return, so
 * callers are expected to have validated externally supplied values
 * before reaching this point.
 *
 * Returns ISC_R_SUCCESS, or the error from enumerating the rdatasets.
 */
isc_result_t
dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
		     unsigned int hashalg, unsigned int flags,
		     unsigned int iterations, const unsigned char *salt,
		     size_t salt_length, const unsigned char *nexthash,
		     size_t hash_length, unsigned char *buffer,
		     dns_rdata_t *rdata) {
	isc_result_t result;
	dns_rdataset_t rdataset;
	isc_region_t r;
	unsigned int i;
	bool found;	  /* some non-NS, non-SOA/DS data seen at the node */
	bool found_ns;	  /* an NS RRset seen at the node */
	bool need_rrsig;  /* SOA or DS seen: those are always signed */

	unsigned char *nsec_bits, *bm;
	unsigned int max_type;
	dns_rdatasetiter_t *rdsiter;
	unsigned char *p;

	/* Each value must fit its wire field: one octet, two for iterations. */
	REQUIRE(salt_length < 256U);
	REQUIRE(hash_length < 256U);
	REQUIRE(flags <= 0xffU);
	REQUIRE(hashalg <= 0xffU);
	REQUIRE(iterations <= 0xffffU);

	/*
	 * SHA-1 is the only algorithm whose digest size is enforced here;
	 * any other 'hashalg' value passes through with 'hash_length' as given.
	 */
	switch (hashalg) {
	case dns_hash_sha1:
		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
		break;
	}

	/* Zero the whole buffer: the raw bitmap built below relies on it. */
	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);

	p = buffer;

	*p++ = hashalg;
	*p++ = flags;

	/* Iterations are big-endian on the wire. */
	*p++ = iterations >> 8;
	*p++ = iterations;

	*p++ = (unsigned char)salt_length;
	memmove(p, salt, salt_length);
	p += salt_length;

	*p++ = (unsigned char)hash_length;
	memmove(p, nexthash, hash_length);
	p += hash_length;

	r.length = (unsigned int)(p - buffer);
	r.base = buffer;

	/*
	 * Use the end of the space for a raw bitmap leaving enough
	 * space for the window identifiers and length octets.
	 * (512 = 256 windows x two octets each.  The compressed bitmap is
	 * later written from 'nsec_bits', directly after the fixed fields.)
	 *
	 * NOTE(review): dns_nsec_setbit() on a high type number touches
	 * the raw bitmap up to 8 KiB past 'bm'; DNS_NSEC3_BUFFERSIZE is
	 * assumed to be sized for that plus the 512-octet gap -- confirm
	 * against the definition in dns/nsec3.h.
	 */
	bm = r.base + r.length + 512;
	nsec_bits = r.base + r.length;
	max_type = 0;
	if (node == NULL) {
		/* No node: emit an empty bitmap from the zeroed scratch area. */
		goto collapse_bitmap;
	}
	dns_rdataset_init(&rdataset);
	rdsiter = NULL;
	result = dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter);
	if (result != ISC_R_SUCCESS) {
		/* Nothing has been acquired yet, so a plain return is safe. */
		return (result);
	}
	found = found_ns = need_rrsig = false;
	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(rdsiter))
	{
		dns_rdatasetiter_current(rdsiter, &rdataset);
		/* NSEC, NSEC3 and RRSIG are handled separately, not copied. */
		if (rdataset.type != dns_rdatatype_nsec &&
		    rdataset.type != dns_rdatatype_nsec3 &&
		    rdataset.type != dns_rdatatype_rrsig)
		{
			if (rdataset.type > max_type) {
				max_type = rdataset.type;
			}
			dns_nsec_setbit(bm, rdataset.type, 1);
			/*
			 * Work out if we need to set the RRSIG bit for
			 * this node. We set the RRSIG bit if either of
			 * the following conditions are met:
			 * 1) We have a SOA or DS then we need to set
			 * the RRSIG bit as both always will be signed.
			 * 2) We set the RRSIG bit if we don't have
			 * a NS record but do have other data.
			 */
			if (rdataset.type == dns_rdatatype_soa ||
			    rdataset.type == dns_rdatatype_ds)
			{
				need_rrsig = true;
			} else if (rdataset.type == dns_rdatatype_ns) {
				found_ns = true;
			} else {
				found = true;
			}
		}
		/* Released every iteration, so no cleanup is pending on exit. */
		dns_rdataset_disassociate(&rdataset);
	}
	/* Rule 2 (data but no NS) or rule 1 (SOA/DS present) from above. */
	if ((found && !found_ns) || need_rrsig) {
		if (dns_rdatatype_rrsig > max_type) {
			max_type = dns_rdatatype_rrsig;
		}
		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
	}

	/*
	 * At zone cuts, deny the existence of glue in the parent zone.
	 * Only the types dns_rdatatype_iszonecutauth() accepts stay set.
	 */
	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
	    !dns_nsec_isset(bm, dns_rdatatype_soa))
	{
		for (i = 0; i <= max_type; i++) {
			if (dns_nsec_isset(bm, i) &&
			    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
			{
				dns_nsec_setbit(bm, i, 0);
			}
		}
	}

	dns_rdatasetiter_destroy(&rdsiter);
	/* The iteration must have run off the end; anything else is an error. */
	if (result != ISC_R_NOMORE) {
		return (result);
	}

collapse_bitmap:
	/* Compress the raw bitmap into window blocks after the fixed fields. */
	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
	r.length = (unsigned int)(nsec_bits - r.base);
	/* After-the-fact check that the whole RDATA fit the caller's buffer. */
	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);

	return (ISC_R_SUCCESS);
}
196 1.1 christos
/*
 * Report whether 'type' is set in the type bitmap of the NSEC3 record
 * 'rdata'.
 *
 * The window blocks are walked in stored order; the walk stops as soon as
 * a window beyond the one that could hold 'type' is seen, which relies on
 * the blocks being in ascending window order as the wire format requires.
 *
 * The INSISTs enforce the block framing (window octet, length octet in
 * 1..32, then that many bitmap octets).  Malformed type bitmaps are
 * expected to have been rejected when the rdata was parsed, so these are
 * internal-consistency checks rather than input validation.
 */
bool
dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
	dns_rdata_nsec3_t nsec3;
	isc_result_t result;
	bool present = false;
	unsigned int pos = 0;

	REQUIRE(rdata != NULL);
	REQUIRE(rdata->type == dns_rdatatype_nsec3);

	/* Decoding an NSEC3 that already parsed once is not expected to fail. */
	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
	INSIST(result == ISC_R_SUCCESS);

	while (pos < nsec3.len) {
		unsigned int window, blocklen, first;

		INSIST(pos + 2 <= nsec3.len);
		window = nsec3.typebits[pos];
		blocklen = nsec3.typebits[pos + 1];
		INSIST(blocklen > 0 && blocklen <= 32);
		pos += 2;
		INSIST(pos + blocklen <= nsec3.len);

		first = window * 256;
		if (first > type) {
			/* Already past the window that could hold 'type'. */
			break;
		}
		if (first + 256 <= type) {
			/* Not there yet: skip this block's bitmap octets. */
			pos += blocklen;
			continue;
		}
		/* Right window; the bit exists only if the block reaches it. */
		if (type < first + blocklen * 8) {
			present = dns_nsec_isset(&nsec3.typebits[pos],
						 type % 256);
		}
		break;
	}
	dns_rdata_freestruct(&nsec3);
	return (present);
}
234 1.1 christos
/*
 * Fill 'salt' with 'saltlen' octets obtained from isc_nonce_buf().
 *
 * Returns ISC_R_RANGE when 'saltlen' exceeds 255, the most the one-octet
 * salt length field of an NSEC3/NSEC3PARAM record can express; otherwise
 * ISC_R_SUCCESS.
 */
isc_result_t
dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen) {
	if (saltlen <= 255U) {
		isc_nonce_buf(salt, saltlen);
		return (ISC_R_SUCCESS);
	}
	return (ISC_R_RANGE);
}
243 1.1 christos
/*
 * Compute the NSEC3 owner name of 'name' under 'origin'.
 *
 * The digest is taken over the canonical (downcased) wire form of 'name'
 * using 'hashalg', 'iterations' and 'salt'.  It is stored in 'rethash'
 * (a private scratch buffer is used when 'rethash' is NULL), its length
 * is stored in '*hash_length' when that is non-NULL, and its unpadded
 * base32hex text is parsed into a name relative to 'origin' in '*result'.
 *
 * Returns DNS_R_BADALG when isc_iterated_hash() produces no digest for
 * 'hashalg'; otherwise the result of turning the text into a name.
 *
 * 'iterations' is used exactly as given -- every extra iteration is one
 * more digest pass over the name -- so bounding it is the caller's job.
 * 'saltlength' is narrowed to int for isc_iterated_hash(); the wire
 * format (and dns_nsec3_buildrdata's REQUIRE) keep it below 256.
 */
isc_result_t
dns_nsec3_hashname(dns_fixedname_t *result,
		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
		   size_t *hash_length, const dns_name_t *name,
		   const dns_name_t *origin, dns_hash_t hashalg,
		   unsigned int iterations, const unsigned char *salt,
		   size_t saltlength) {
	unsigned char scratch[NSEC3_MAX_HASH_LENGTH];
	unsigned char text[DNS_NAME_FORMATSIZE];
	unsigned char *out = (rethash != NULL) ? rethash : scratch;
	dns_fixedname_t lowered;
	dns_name_t *canonical;
	isc_buffer_t textbuf;
	isc_region_t digest;
	size_t digestlen;

	memset(out, 0, NSEC3_MAX_HASH_LENGTH);

	/* RFC 5155 hashes the canonical, i.e. lower-case, form of the name. */
	canonical = dns_fixedname_initname(&lowered);
	dns_name_downcase(name, canonical, NULL);

	digestlen = isc_iterated_hash(out, hashalg, iterations, salt,
				      (int)saltlength, canonical->ndata,
				      canonical->length);
	if (digestlen == 0U) {
		return (DNS_R_BADALG);
	}

	if (hash_length != NULL) {
		*hash_length = digestlen;
	}

	/* Render the digest as unpadded base32hex ... */
	digest.base = out;
	digest.length = (unsigned int)digestlen;
	isc_buffer_init(&textbuf, text, sizeof text);
	isc_base32hexnp_totext(&digest, 1, "", &textbuf);

	/* ... and parse that text as a name beneath 'origin'. */
	dns_fixedname_init(result);
	return (dns_name_fromtext(dns_fixedname_name(result), &textbuf,
				  origin, 0, NULL));
}
291 1.1 christos
/*
 * Return the digest length in octets for NSEC3 hash algorithm 'hash',
 * or 0 for any algorithm this code does not implement.
 */
unsigned int
dns_nsec3_hashlength(dns_hash_t hash) {
	if (hash == dns_hash_sha1) {
		return (ISC_SHA1_DIGESTLENGTH);
	}
	return (0);
}
300 1.1 christos
/*
 * Return true iff NSEC3 hash algorithm 'hash' is one this code can
 * compute (currently SHA-1 only).
 */
bool
dns_nsec3_supportedhash(dns_hash_t hash) {
	return (hash == dns_hash_sha1);
}
309 1.1 christos
/*%
 * Apply the single change '*tuple' to version 'ver' of 'db' and record
 * it in 'diff'.
 *
 * Ensures:
 * \li '*tuple' == NULL on return: on failure the tuple is freed, on
 *	success its ownership has moved to 'diff'.
 */
static isc_result_t
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
	     dns_diff_t *diff) {
	dns_diff_t singleton;
	isc_result_t result;

	/* Wrap the tuple in a one-element diff so dns_diff_apply can run it. */
	dns_diff_init(diff->mctx, &singleton);
	ISC_LIST_APPEND(singleton.tuples, *tuple, link);
	result = dns_diff_apply(&singleton, db, ver);
	/* Take the tuple back whatever happened; 'singleton' owns nothing. */
	ISC_LIST_UNLINK(singleton.tuples, *tuple, link);

	if (result == ISC_R_SUCCESS) {
		/* Hand the tuple over to the pending journal entry. */
		dns_diff_appendminimal(diff, tuple);
	} else {
		dns_difftuple_free(tuple);
	}

	/* 'singleton' is deliberately not cleared: it never owned the tuple. */
	return (result);
}
350 1.1 christos
/*%
 * Set '*exists' to true iff 'name' has at least one rdataset in version
 * 'version' of 'db', to false otherwise.
 *
 * '*exists' is left untouched when an error other than "no such node"
 * is returned.
 */
static isc_result_t
name_exists(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	    bool *exists) {
	dns_dbnode_t *node = NULL;
	dns_rdatasetiter_t *iter = NULL;
	isc_result_t result;

	result = dns_db_findnode(db, name, false, &node);
	if (result == ISC_R_NOTFOUND) {
		/* No node at all: the name certainly does not exist. */
		*exists = false;
		return (ISC_R_SUCCESS);
	} else if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/* A node may exist yet be empty in this version; probe for data. */
	result = dns_db_allrdatasets(db, node, version, 0, (isc_stdtime_t)0,
				     &iter);
	if (result == ISC_R_SUCCESS) {
		result = dns_rdatasetiter_first(iter);
		/* Data present means it exists; an empty iteration is not an error. */
		*exists = (result == ISC_R_SUCCESS);
		if (result == ISC_R_NOMORE) {
			result = ISC_R_SUCCESS;
		}
		dns_rdatasetiter_destroy(&iter);
	}

	dns_db_detachnode(db, &node);
	return (result);
}
391 1.1 christos
/*
 * True iff the NSEC3 record 'nsec3' belongs to the chain described by
 * 'nsec3param': same hash algorithm, iteration count and salt.  The
 * flags octet is not part of the comparison.
 */
static bool
match_nsec3param(const dns_rdata_nsec3_t *nsec3,
		 const dns_rdata_nsec3param_t *nsec3param) {
	if (nsec3->hash != nsec3param->hash) {
		return (false);
	}
	if (nsec3->iterations != nsec3param->iterations) {
		return (false);
	}
	if (nsec3->salt_length != nsec3param->salt_length) {
		return (false);
	}
	/* Lengths are equal, so comparing 'nsec3->salt_length' octets is safe. */
	return (memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length) == 0);
}
404 1.1 christos
/*%
 * Delete the NSEC3 records at "name" that belong to the chain "param"
 * describes, recording each deletion in "diff".
 *
 * A missing node, or a node without an NSEC3 RRset, is not an error.
 */
static isc_result_t
delnsec3(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
	dns_dbnode_t *node = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_nsec3_t nsec3;
	dns_rdataset_t rdataset;
	isc_result_t result;

	result = dns_db_findnsec3node(db, name, false, &node);
	if (result != ISC_R_SUCCESS) {
		/* Nothing hashed to 'name': nothing to delete. */
		return (result == ISC_R_NOTFOUND ? ISC_R_SUCCESS : result);
	}

	dns_rdataset_init(&rdataset);
	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result != ISC_R_SUCCESS) {
		/* An existing node with no NSEC3 RRset is fine too. */
		if (result == ISC_R_NOTFOUND) {
			result = ISC_R_SUCCESS;
		}
		goto cleanup_node;
	}

	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&rdataset, &rdata);
		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
		if (result != ISC_R_SUCCESS) {
			goto failure;
		}

		/* Only records of the requested chain are removed. */
		if (match_nsec3param(&nsec3, nsec3param)) {
			result = dns_difftuple_create(diff->mctx,
						      DNS_DIFFOP_DEL, name,
						      rdataset.ttl, &rdata,
						      &tuple);
			if (result != ISC_R_SUCCESS) {
				goto failure;
			}
			result = do_one_tuple(&tuple, db, version, diff);
			if (result != ISC_R_SUCCESS) {
				goto failure;
			}
		}
		result = dns_rdataset_next(&rdataset);
	}
	/* Running off the end of the RRset is the only clean exit. */
	if (result == ISC_R_NOMORE) {
		result = ISC_R_SUCCESS;
	}

failure:
	dns_rdataset_disassociate(&rdataset);
cleanup_node:
	dns_db_detachnode(db, &node);

	return (result);
}
471 1.1 christos
/*
 * True when 'candidate' and 'param' describe the same NSEC3 chain (same
 * hash algorithm, iterations, salt length and salt) and 'candidate' is
 * not itself flagged for removal.  Raw NSEC3PARAM wire octets are
 * compared: [0] hash algorithm, [1] flags, [2..3] iterations, [4] salt
 * length, [5..] salt.  Of the flags octet only REMOVE is looked at.
 */
static bool
param_describes_chain(const dns_rdata_t *candidate, const dns_rdata_t *param) {
	if (candidate->length != param->length) {
		return (false);
	}
	if (candidate->data[0] != param->data[0] ||
	    REMOVE(candidate->data[1]))
	{
		return (false);
	}
	if (candidate->data[2] != param->data[2] ||
	    candidate->data[3] != param->data[3] ||
	    candidate->data[4] != param->data[4])
	{
		return (false);
	}
	/* Salt lengths are equal, so 'param->data[4]' bounds both salts. */
	return (memcmp(&candidate->data[5], &param->data[5],
		       param->data[4]) == 0);
}

/*
 * Decide whether 'param' should win over what 'nsec3paramset' already
 * holds (NSEC3PARAM records, or private-type records converted with
 * dns_nsec3param_fromprivate()).
 *
 * True when 'param' requests removal, or when the set already contains a
 * record for the same chain that is still marked CREATE while 'param' is
 * not.  Private-type records that do not convert are skipped.
 */
static bool
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
	dns_rdataset_t set;
	isc_result_t result;
	bool better = false;

	if (REMOVE(param->data[1])) {
		return (true);
	}

	/* Walk a clone of the caller's rdataset. */
	dns_rdataset_init(&set);
	dns_rdataset_clone(nsec3paramset, &set);
	for (result = dns_rdataset_first(&set); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&set))
	{
		dns_rdata_t rdata = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

		if (set.type == dns_rdatatype_nsec3param) {
			dns_rdataset_current(&set, &rdata);
		} else {
			dns_rdata_t priv = DNS_RDATA_INIT;

			/* Private-type record: bring it into NSEC3PARAM form. */
			dns_rdataset_current(&set, &priv);
			if (!dns_nsec3param_fromprivate(&priv, &rdata, buf,
							sizeof(buf)))
			{
				continue;
			}
		}

		if (!param_describes_chain(&rdata, param)) {
			continue;
		}
		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
			better = true;
			break;
		}
	}
	dns_rdataset_disassociate(&set);
	return (better);
}
520 1.1 christos
/*
 * Scan 'rdataset' for the NSEC3 record belonging to the chain that
 * 'nsec3param' describes, decoding it into '*nsec3'.
 *
 * Returns ISC_R_SUCCESS with '*nsec3' holding the match, ISC_R_NOMORE
 * when no record matches (in which case '*nsec3' holds whichever record
 * was decoded last), or the error from dns_rdata_tostruct().
 */
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
	   const dns_rdata_nsec3param_t *nsec3param) {
	isc_result_t result = dns_rdataset_first(rdataset);

	while (result == ISC_R_SUCCESS) {
		dns_rdata_t current = DNS_RDATA_INIT;

		dns_rdataset_current(rdataset, &current);
		result = dns_rdata_tostruct(&current, nsec3, NULL);
		if (result != ISC_R_SUCCESS) {
			break;
		}
		dns_rdata_reset(&current);
		if (match_nsec3param(nsec3, nsec3param)) {
			/* Leave the cursor on the match and report success. */
			break;
		}
		result = dns_rdataset_next(rdataset);
	}
	return (result);
}
540 1.1 christos
541 1.1 christos isc_result_t
542 1.1 christos dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
543 1.1 christos const dns_name_t *name,
544 1.1 christos const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl,
545 1.1 christos bool unsecure, dns_diff_t *diff) {
546 1.1 christos dns_dbiterator_t *dbit = NULL;
547 1.1 christos dns_dbnode_t *node = NULL;
548 1.1 christos dns_dbnode_t *newnode = NULL;
549 1.1 christos dns_difftuple_t *tuple = NULL;
550 1.1 christos dns_fixedname_t fixed;
551 1.1 christos dns_fixedname_t fprev;
552 1.1 christos dns_hash_t hash;
553 1.1 christos dns_name_t *hashname;
554 1.1 christos dns_name_t *origin;
555 1.1 christos dns_name_t *prev;
556 1.1 christos dns_name_t empty;
557 1.1 christos dns_rdata_nsec3_t nsec3;
558 1.1 christos dns_rdata_t rdata = DNS_RDATA_INIT;
559 1.1 christos dns_rdataset_t rdataset;
560 1.1 christos int pass;
561 1.1 christos bool exists = false;
562 1.1 christos bool maybe_remove_unsecure = false;
563 1.1 christos uint8_t flags;
564 1.1 christos isc_buffer_t buffer;
565 1.1 christos isc_result_t result;
566 1.1 christos unsigned char *old_next;
567 1.1 christos unsigned char *salt;
568 1.1 christos unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
569 1.1 christos unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
570 1.1 christos unsigned int iterations;
571 1.1 christos unsigned int labels;
572 1.1 christos size_t next_length;
573 1.1 christos unsigned int old_length;
574 1.1 christos unsigned int salt_length;
575 1.1 christos
576 1.1 christos hashname = dns_fixedname_initname(&fixed);
577 1.1 christos prev = dns_fixedname_initname(&fprev);
578 1.1 christos
579 1.1 christos dns_rdataset_init(&rdataset);
580 1.1 christos
581 1.1 christos origin = dns_db_origin(db);
582 1.1 christos
583 1.1 christos /*
584 1.1 christos * Chain parameters.
585 1.1 christos */
586 1.1 christos hash = nsec3param->hash;
587 1.1 christos iterations = nsec3param->iterations;
588 1.1 christos salt_length = nsec3param->salt_length;
589 1.1 christos salt = nsec3param->salt;
590 1.1 christos
591 1.1 christos /*
592 1.1 christos * Default flags for a new chain.
593 1.1 christos */
594 1.1 christos flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
595 1.1 christos
596 1.1 christos /*
597 1.1 christos * If this is the first NSEC3 in the chain nexthash will
598 1.1 christos * remain pointing to itself.
599 1.1 christos */
600 1.1 christos next_length = sizeof(nexthash);
601 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
602 1.1 christos hash, iterations, salt, salt_length));
603 1.1 christos INSIST(next_length <= sizeof(nexthash));
604 1.1 christos
605 1.1 christos /*
606 1.1 christos * Create the node if it doesn't exist and hold
607 1.1 christos * a reference to it until we have added the NSEC3.
608 1.1 christos */
609 1.1 christos CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
610 1.1 christos
611 1.1 christos /*
612 1.1 christos * Seek the iterator to the 'newnode'.
613 1.1 christos */
614 1.1 christos CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
615 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
616 1.1 christos CHECK(dns_dbiterator_pause(dbit));
617 1.1 christos result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
618 1.1 christos 0, (isc_stdtime_t)0, &rdataset, NULL);
619 1.1 christos /*
620 1.1 christos * If we updating a existing NSEC3 then find its
621 1.1 christos * next field.
622 1.1 christos */
623 1.1 christos if (result == ISC_R_SUCCESS) {
624 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
625 1.1 christos if (result == ISC_R_SUCCESS) {
626 1.1 christos if (!CREATE(nsec3param->flags)) {
627 1.1 christos flags = nsec3.flags;
628 1.1 christos }
629 1.1 christos next_length = nsec3.next_length;
630 1.1 christos INSIST(next_length <= sizeof(nexthash));
631 1.1 christos memmove(nexthash, nsec3.next, next_length);
632 1.1 christos dns_rdataset_disassociate(&rdataset);
633 1.1 christos /*
634 1.1 christos * If the NSEC3 is not for a unsecure delegation then
635 1.1 christos * we are just updating it. If it is for a unsecure
636 1.1 christos * delegation then we need find out if we need to
637 1.1 christos * remove the NSEC3 record or not by examining the
638 1.1 christos * previous NSEC3 record.
639 1.1 christos */
640 1.1 christos if (!unsecure) {
641 1.1 christos goto addnsec3;
642 1.1 christos } else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
643 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
644 1.1 christos nsec3param, diff);
645 1.1 christos goto failure;
646 1.1 christos } else {
647 1.1 christos maybe_remove_unsecure = true;
648 1.1 christos }
649 1.1 christos } else {
650 1.1 christos dns_rdataset_disassociate(&rdataset);
651 1.1 christos if (result != ISC_R_NOMORE) {
652 1.1 christos goto failure;
653 1.1 christos }
654 1.1 christos }
655 1.1 christos }
656 1.1 christos
657 1.1 christos /*
658 1.1 christos * Find the previous NSEC3 (if any) and update it if required.
659 1.1 christos */
660 1.1 christos pass = 0;
661 1.1 christos do {
662 1.1 christos result = dns_dbiterator_prev(dbit);
663 1.1 christos if (result == ISC_R_NOMORE) {
664 1.1 christos pass++;
665 1.1 christos CHECK(dns_dbiterator_last(dbit));
666 1.1 christos }
667 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
668 1.1 christos CHECK(dns_dbiterator_pause(dbit));
669 1.1 christos result = dns_db_findrdataset(db, node, version,
670 1.1 christos dns_rdatatype_nsec3, 0,
671 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
672 1.1 christos dns_db_detachnode(db, &node);
673 1.1 christos if (result != ISC_R_SUCCESS) {
674 1.1 christos continue;
675 1.1 christos }
676 1.1 christos
677 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
678 1.1 christos if (result == ISC_R_NOMORE) {
679 1.1 christos dns_rdataset_disassociate(&rdataset);
680 1.1 christos continue;
681 1.1 christos }
682 1.1 christos if (result != ISC_R_SUCCESS) {
683 1.1 christos goto failure;
684 1.1 christos }
685 1.1 christos
686 1.1 christos if (maybe_remove_unsecure) {
687 1.1 christos dns_rdataset_disassociate(&rdataset);
688 1.1 christos /*
689 1.1 christos * If we have OPTOUT set in the previous NSEC3 record
690 1.1 christos * we actually need to delete the NSEC3 record.
691 1.1 christos * Otherwise we just need to replace the NSEC3 record.
692 1.1 christos */
693 1.1 christos if (OPTOUT(nsec3.flags)) {
694 1.1 christos result = dns_nsec3_delnsec3(db, version, name,
695 1.1 christos nsec3param, diff);
696 1.1 christos goto failure;
697 1.1 christos }
698 1.1 christos goto addnsec3;
699 1.1 christos } else {
700 1.1 christos /*
701 1.1 christos * Is this is a unsecure delegation we are adding?
702 1.1 christos * If so no change is required.
703 1.1 christos */
704 1.1 christos if (OPTOUT(nsec3.flags) && unsecure) {
705 1.1 christos dns_rdataset_disassociate(&rdataset);
706 1.1 christos goto failure;
707 1.1 christos }
708 1.1 christos }
709 1.1 christos
710 1.1 christos old_next = nsec3.next;
711 1.1 christos old_length = nsec3.next_length;
712 1.1 christos
713 1.1 christos /*
714 1.1 christos * Delete the old previous NSEC3.
715 1.1 christos */
716 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
717 1.1 christos
718 1.1 christos /*
719 1.1 christos * Fixup the previous NSEC3.
720 1.1 christos */
721 1.1 christos nsec3.next = nexthash;
722 1.1 christos nsec3.next_length = (unsigned char)next_length;
723 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
724 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
725 1.1 christos dns_rdatatype_nsec3, &nsec3,
726 1.1 christos &buffer));
727 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
728 1.1 christos rdataset.ttl, &rdata, &tuple));
729 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
730 1.1 christos INSIST(old_length <= sizeof(nexthash));
731 1.1 christos memmove(nexthash, old_next, old_length);
732 1.1 christos if (!CREATE(nsec3param->flags)) {
733 1.1 christos flags = nsec3.flags;
734 1.1 christos }
735 1.1 christos dns_rdata_reset(&rdata);
736 1.1 christos dns_rdataset_disassociate(&rdataset);
737 1.1 christos break;
738 1.1 christos } while (pass < 2);
739 1.1 christos
740 1.1 christos addnsec3:
741 1.1 christos /*
742 1.1 christos * Create the NSEC3 RDATA.
743 1.1 christos */
744 1.1 christos CHECK(dns_db_findnode(db, name, false, &node));
745 1.1 christos CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
746 1.1 christos salt, salt_length, nexthash, next_length,
747 1.1 christos nsec3buf, &rdata));
748 1.1 christos dns_db_detachnode(db, &node);
749 1.1 christos
750 1.1 christos /*
751 1.1 christos * Delete the old NSEC3 and record the change.
752 1.1 christos */
753 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
754 1.1 christos /*
755 1.1 christos * Add the new NSEC3 and record the change.
756 1.1 christos */
757 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
758 1.1 christos nsecttl, &rdata, &tuple));
759 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
760 1.1 christos INSIST(tuple == NULL);
761 1.1 christos dns_rdata_reset(&rdata);
762 1.1 christos dns_db_detachnode(db, &newnode);
763 1.1 christos
764 1.1 christos /*
765 1.1 christos * Add missing NSEC3 records for empty nodes
766 1.1 christos */
767 1.1 christos dns_name_init(&empty, NULL);
768 1.1 christos dns_name_clone(name, &empty);
769 1.1 christos do {
770 1.1 christos labels = dns_name_countlabels(&empty) - 1;
771 1.1 christos if (labels <= dns_name_countlabels(origin)) {
772 1.1 christos break;
773 1.1 christos }
774 1.1 christos dns_name_getlabelsequence(&empty, 1, labels, &empty);
775 1.1 christos CHECK(name_exists(db, version, &empty, &exists));
776 1.1 christos if (exists) {
777 1.1 christos break;
778 1.1 christos }
779 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
780 1.1 christos origin, hash, iterations, salt,
781 1.1 christos salt_length));
782 1.1 christos
783 1.1 christos /*
784 1.1 christos * Create the node if it doesn't exist and hold
785 1.1 christos * a reference to it until we have added the NSEC3
786 1.1 christos * or we discover we don't need to add make a change.
787 1.1 christos */
788 1.1 christos CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
789 1.1 christos result = dns_db_findrdataset(db, newnode, version,
790 1.1 christos dns_rdatatype_nsec3, 0,
791 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
792 1.1 christos if (result == ISC_R_SUCCESS) {
793 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
794 1.1 christos dns_rdataset_disassociate(&rdataset);
795 1.1 christos if (result == ISC_R_SUCCESS) {
796 1.1 christos dns_db_detachnode(db, &newnode);
797 1.1 christos break;
798 1.1 christos }
799 1.1 christos if (result != ISC_R_NOMORE) {
800 1.1 christos goto failure;
801 1.1 christos }
802 1.1 christos }
803 1.1 christos
804 1.1 christos /*
805 1.1 christos * Find the previous NSEC3 and update it.
806 1.1 christos */
807 1.1 christos CHECK(dns_dbiterator_seek(dbit, hashname));
808 1.1 christos pass = 0;
809 1.1 christos do {
810 1.1 christos result = dns_dbiterator_prev(dbit);
811 1.1 christos if (result == ISC_R_NOMORE) {
812 1.1 christos pass++;
813 1.1 christos CHECK(dns_dbiterator_last(dbit));
814 1.1 christos }
815 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
816 1.1 christos CHECK(dns_dbiterator_pause(dbit));
817 1.1 christos result = dns_db_findrdataset(
818 1.1 christos db, node, version, dns_rdatatype_nsec3, 0,
819 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
820 1.1 christos dns_db_detachnode(db, &node);
821 1.1 christos if (result != ISC_R_SUCCESS) {
822 1.1 christos continue;
823 1.1 christos }
824 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
825 1.1 christos if (result == ISC_R_NOMORE) {
826 1.1 christos dns_rdataset_disassociate(&rdataset);
827 1.1 christos continue;
828 1.1 christos }
829 1.1 christos if (result != ISC_R_SUCCESS) {
830 1.1 christos goto failure;
831 1.1 christos }
832 1.1 christos
833 1.1 christos old_next = nsec3.next;
834 1.1 christos old_length = nsec3.next_length;
835 1.1 christos
836 1.1 christos /*
837 1.1 christos * Delete the old previous NSEC3.
838 1.1 christos */
839 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
840 1.1 christos
841 1.1 christos /*
842 1.1 christos * Fixup the previous NSEC3.
843 1.1 christos */
844 1.1 christos nsec3.next = nexthash;
845 1.1 christos nsec3.next_length = (unsigned char)next_length;
846 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
847 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
848 1.1 christos dns_rdatatype_nsec3, &nsec3,
849 1.1 christos &buffer));
850 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
851 1.1 christos prev, rdataset.ttl, &rdata,
852 1.1 christos &tuple));
853 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
854 1.1 christos INSIST(old_length <= sizeof(nexthash));
855 1.1 christos memmove(nexthash, old_next, old_length);
856 1.1 christos if (!CREATE(nsec3param->flags)) {
857 1.1 christos flags = nsec3.flags;
858 1.1 christos }
859 1.1 christos dns_rdata_reset(&rdata);
860 1.1 christos dns_rdataset_disassociate(&rdataset);
861 1.1 christos break;
862 1.1 christos } while (pass < 2);
863 1.1 christos
864 1.1 christos INSIST(pass < 2);
865 1.1 christos
866 1.1 christos /*
867 1.1 christos * Create the NSEC3 RDATA for the empty node.
868 1.1 christos */
869 1.1 christos CHECK(dns_nsec3_buildrdata(
870 1.1 christos db, version, NULL, hash, flags, iterations, salt,
871 1.1 christos salt_length, nexthash, next_length, nsec3buf, &rdata));
872 1.1 christos /*
873 1.1 christos * Delete the old NSEC3 and record the change.
874 1.1 christos */
875 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
876 1.1 christos
877 1.1 christos /*
878 1.1 christos * Add the new NSEC3 and record the change.
879 1.1 christos */
880 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
881 1.1 christos nsecttl, &rdata, &tuple));
882 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
883 1.1 christos INSIST(tuple == NULL);
884 1.1 christos dns_rdata_reset(&rdata);
885 1.1 christos dns_db_detachnode(db, &newnode);
886 1.1 christos } while (1);
887 1.1 christos
888 1.1 christos /* result cannot be ISC_R_NOMORE here */
889 1.1 christos INSIST(result != ISC_R_NOMORE);
890 1.1 christos
891 1.1 christos failure:
892 1.1 christos if (dbit != NULL) {
893 1.1 christos dns_dbiterator_destroy(&dbit);
894 1.1 christos }
895 1.1 christos if (dns_rdataset_isassociated(&rdataset)) {
896 1.1 christos dns_rdataset_disassociate(&rdataset);
897 1.1 christos }
898 1.1 christos if (node != NULL) {
899 1.1 christos dns_db_detachnode(db, &node);
900 1.1 christos }
901 1.1 christos if (newnode != NULL) {
902 1.1 christos dns_db_detachnode(db, &newnode);
903 1.1 christos }
904 1.1 christos return (result);
905 1.1 christos }
906 1.1 christos
907 1.1 christos /*%
908 1.1 christos * Add NSEC3 records for "name", recording the change in "diff".
909 1.1 christos * The existing NSEC3 records are removed.
910 1.1 christos */
isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		    dns_diff_t *diff) {
	/*
	 * Walk the NSEC3PARAM RRset at the zone apex and let
	 * dns_nsec3_addnsec3() update every chain whose flags are zero.
	 * A zone without an NSEC3PARAM RRset has nothing to maintain and
	 * is reported as ISC_R_SUCCESS; any other lookup or update error
	 * is returned to the caller.
	 */
	dns_dbnode_t *apex = NULL;
	dns_rdataset_t params;
	dns_rdata_nsec3param_t chain;
	isc_result_t result;

	dns_rdataset_init(&params);

	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0, &params,
				     NULL);
	dns_db_detachnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		/* No NSEC3PARAM at the apex: no chains, nothing to do. */
		return (result == ISC_R_NOTFOUND ? ISC_R_SUCCESS : result);
	}

	result = dns_rdataset_first(&params);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t rdata = DNS_RDATA_INIT;

		dns_rdataset_current(&params, &rdata);
		CHECK(dns_rdata_tostruct(&rdata, &chain, NULL));

		/* Only a parameter set with flags == 0 is an active chain. */
		if (chain.flags == 0) {
			CHECK(dns_nsec3_addnsec3(db, version, name, &chain,
						 nsecttl, unsecure, diff));
		}
		result = dns_rdataset_next(&params);
	}
	if (result == ISC_R_NOMORE) {
		result = ISC_R_SUCCESS;
	}

failure:
	if (dns_rdataset_isassociated(&params)) {
		dns_rdataset_disassociate(&params);
	}
	if (apex != NULL) {
		dns_db_detachnode(db, &apex);
	}

	return (result);
}
975 1.1 christos
bool
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
			   unsigned char *buf, size_t buflen) {
	/*
	 * Decode a private-type record back into an NSEC3PARAM rdata.
	 * The private encoding is a leading zero octet (algorithm 0,
	 * reserved by RFC 4034, distinguishes these records from the
	 * DNSKEY pointers that share the private type) followed by the
	 * NSEC3PARAM wire form.  'target' is built in 'buf'.
	 *
	 * Returns false when the marker octet is missing or the wire
	 * form does not parse; 'target' is then not usable.
	 */
	isc_buffer_t wire;
	isc_buffer_t out;
	dns_decompress_t dctx;
	isc_result_t result;
	unsigned int wirelen;

	if (src->length == 0 || src->data[0] != 0) {
		return (false);
	}
	wirelen = src->length - 1;

	/* Everything after the marker octet is the NSEC3PARAM wire form. */
	isc_buffer_init(&wire, src->data + 1, wirelen);
	isc_buffer_add(&wire, wirelen);
	isc_buffer_setactive(&wire, wirelen);

	isc_buffer_init(&out, buf, (unsigned int)buflen);
	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
	result = dns_rdata_fromwire(target, src->rdclass,
				    dns_rdatatype_nsec3param, &wire, &dctx, 0,
				    &out);
	dns_decompress_invalidate(&dctx);

	return (result == ISC_R_SUCCESS);
}
1004 1.1 christos
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
			 dns_rdatatype_t privatetype, unsigned char *buf,
			 size_t buflen) {
	/*
	 * Inverse of dns_nsec3param_fromprivate(): wrap the NSEC3PARAM
	 * rdata 'src' as a record of type 'privatetype' by prefixing its
	 * wire form with a zero marker octet.  'buf' must hold at least
	 * src->length + 1 octets and backs 'target', so it has to outlive
	 * it; 'target' must already be DNS_RDATA_INIT-ialized.
	 */
	REQUIRE(buflen >= src->length + 1);
	REQUIRE(DNS_RDATA_INITIALIZED(target));

	/* Copy first, then write the marker in front of it. */
	memmove(&buf[1], src->data, src->length);
	buf[0] = 0;

	target->rdclass = src->rdclass;
	target->type = privatetype;
	target->flags = 0;
	target->length = src->length + 1;
	target->data = buf;
	ISC_LINK_INIT(target, link);
}
1022 1.1 christos
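/*
 * Report in '*flag' whether an rdata identical to 'rdata' (compared with
 * dns_rdata_casecompare()) already exists at 'name' in version 'ver'.
 * NSEC3 rdata is looked up via dns_db_findnsec3node(), everything else
 * via dns_db_findnode().
 *
 * Returns ISC_R_SUCCESS with '*flag' set, or the database error; on
 * error '*flag' is left untouched.
 */
static isc_result_t
rr_exists(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	  const dns_rdata_t *rdata, bool *flag) {
	dns_rdataset_t rdataset;
	dns_dbnode_t *node = NULL;
	isc_result_t result;

	dns_rdataset_init(&rdataset);
	if (rdata->type == dns_rdatatype_nsec3) {
		CHECK(dns_db_findnsec3node(db, name, false, &node));
	} else {
		CHECK(dns_db_findnode(db, name, false, &node));
	}
	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		*flag = false;
		result = ISC_R_SUCCESS;
		goto failure;
	}
	/*
	 * Any other failure leaves 'rdataset' unassociated; propagate it
	 * rather than iterating over a set that was never attached.
	 */
	if (result != ISC_R_SUCCESS) {
		goto failure;
	}

	/* dns_rdata_casecompare() returns 0 for a match. */
	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_t myrdata = DNS_RDATA_INIT;
		dns_rdataset_current(&rdataset, &myrdata);
		if (!dns_rdata_casecompare(&myrdata, rdata)) {
			break;
		}
	}
	dns_rdataset_disassociate(&rdataset);
	if (result == ISC_R_SUCCESS) {
		*flag = true;
	} else if (result == ISC_R_NOMORE) {
		/* Exhausted the RRset without a match. */
		*flag = false;
		result = ISC_R_SUCCESS;
	}

failure:
	if (node != NULL) {
		dns_db_detachnode(db, &node);
	}
	return (result);
}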
1067 1.1 christos
isc_result_t
dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
			  size_t dstlen) {
	/*
	 * Write the salt of 'nsec3param' into 'dst' as hex text, or "-"
	 * when the salt is empty, always NUL-terminated.
	 *
	 * Returns ISC_R_NOSPACE when 'dstlen' cannot hold the text plus
	 * its terminator, otherwise the result of the hex conversion.
	 */
	isc_buffer_t out;
	isc_region_t salt;
	isc_result_t result;

	REQUIRE(nsec3param != NULL);
	REQUIRE(dst != NULL);

	if (nsec3param->salt_length == 0) {
		/* "-" plus the NUL needs two bytes. */
		if (dstlen < 2U) {
			return (ISC_R_NOSPACE);
		}
		strlcpy(dst, "-", dstlen);
		return (ISC_R_SUCCESS);
	}

	salt.base = nsec3param->salt;
	salt.length = nsec3param->salt_length;
	isc_buffer_init(&out, dst, (unsigned int)dstlen);

	result = isc_hex_totext(&salt, 2, "", &out);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/* The hex conversion does not add a terminator; do it here. */
	if (isc_buffer_availablelength(&out) == 0) {
		return (ISC_R_NOSPACE);
	}
	isc_buffer_putuint8(&out, 0);

	return (ISC_R_SUCCESS);
}
1102 1.1 christos
isc_result_t
dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
			    dns_zone_t *zone, bool nonsec, dns_diff_t *diff) {
	/*
	 * Schedule the removal of every NSEC3 chain in the zone.  Each
	 * NSEC3PARAM record at the apex is deleted and replaced by a
	 * private-type record carrying DNS_NSEC3FLAG_REMOVE (plus
	 * DNS_NSEC3FLAG_NONSEC when 'nonsec' is set); private records
	 * that still describe a chain are rewritten the same way.  All
	 * changes go through 'diff'.
	 *
	 * Returns ISC_R_SUCCESS, or the first database/diff error.
	 */
	dns_dbnode_t *apex = NULL;
	dns_difftuple_t *tuple = NULL;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dns_rdataset_t rdataset;
	bool present;
	isc_result_t result = ISC_R_SUCCESS;
	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
	dns_name_t *origin = dns_zone_getorigin(zone);
	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
	/* Flags octet written into every private "remove" record. */
	unsigned char removeflags = DNS_NSEC3FLAG_REMOVE;

	if (nonsec) {
		removeflags |= DNS_NSEC3FLAG_NONSEC;
	}

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * Pass 1: the published NSEC3PARAM records.
	 */
	result = dns_db_findrdataset(db, apex, ver, dns_rdatatype_nsec3param,
				     0, (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_SUCCESS) {
		for (result = dns_rdataset_first(&rdataset);
		     result == ISC_R_SUCCESS;
		     result = dns_rdataset_next(&rdataset))
		{
			dns_rdata_t privrdata = DNS_RDATA_INIT;

			dns_rdataset_current(&rdataset, &rdata);

			/* Drop the NSEC3PARAM itself. */
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
						   origin, rdataset.ttl, &rdata,
						   &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);

			/*
			 * Re-encode it as a private record flagged for
			 * removal (octet 2 is the flags field), adding it
			 * only if an identical record is not already there.
			 */
			dns_nsec3param_toprivate(&rdata, &privrdata,
						 privatetype, buf, sizeof(buf));
			buf[2] = removeflags;

			CHECK(rr_exists(db, ver, origin, &privrdata, &present));
			if (!present) {
				CHECK(dns_difftuple_create(
					diff->mctx, DNS_DIFFOP_ADD, origin, 0,
					&privrdata, &tuple));
				CHECK(do_one_tuple(&tuple, db, ver, diff));
				INSIST(tuple == NULL);
			}
			dns_rdata_reset(&rdata);
		}
		if (result != ISC_R_NOMORE) {
			goto failure;
		}
		dns_rdataset_disassociate(&rdataset);
	} else if (result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/*
	 * Pass 2: private-type records that still describe a chain.
	 */
	if (privatetype == 0) {
		goto success;
	}
	result = dns_db_findrdataset(db, apex, ver, privatetype, 0,
				     (isc_stdtime_t)0, &rdataset, NULL);
	if (result == ISC_R_NOTFOUND) {
		goto success;
	}
	if (result != ISC_R_SUCCESS) {
		goto failure;
	}

	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(&rdataset))
	{
		dns_rdata_reset(&rdata);
		dns_rdataset_current(&rdataset, &rdata);
		INSIST(rdata.length <= sizeof(buf));
		memmove(buf, rdata.data, rdata.length);

		/*
		 * Private NSEC3 record length >= 6.
		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
		 * Skip anything shorter, anything without the marker
		 * octet, and anything already flagged for removal (or,
		 * with 'nonsec', already flagged NONSEC).
		 */
		if (rdata.length < 6 || buf[0] != 0 ||
		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
		{
			continue;
		}

		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
					   0, &rdata, &tuple));
		CHECK(do_one_tuple(&tuple, db, ver, diff));
		INSIST(tuple == NULL);

		/* Point the rdata at our copy and set the flags there. */
		rdata.data = buf;
		buf[2] = removeflags;

		CHECK(rr_exists(db, ver, origin, &rdata, &present));
		if (!present) {
			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
						   origin, 0, &rdata, &tuple));
			CHECK(do_one_tuple(&tuple, db, ver, diff));
			INSIST(tuple == NULL);
		}
	}
	if (result != ISC_R_NOMORE) {
		goto failure;
	}

success:
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&rdataset)) {
		dns_rdataset_disassociate(&rdataset);
	}
	dns_db_detachnode(db, &apex);
	return (result);
}
1238 1.1 christos
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
		     dns_rdatatype_t type, dns_diff_t *diff) {
	/*
	 * Like dns_nsec3_addnsec3s(), but in addition to the published
	 * NSEC3PARAM chains it also updates chains that are so far only
	 * described by private-type ('type') records at the apex: those
	 * not flagged DNS_NSEC3FLAG_REMOVE and not superseded according
	 * to better_param().
	 *
	 * Returns ISC_R_SUCCESS (also when neither RRset exists) or the
	 * first database/update error.
	 */
	dns_dbnode_t *apex = NULL;
	dns_rdata_nsec3param_t chain;
	dns_rdataset_t params;
	dns_rdataset_t privs;
	isc_result_t result;

	dns_rdataset_init(&params);
	dns_rdataset_init(&privs);

	result = dns_db_getoriginnode(db, &apex);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/* Fetch the private records first; having none is fine. */
	result = dns_db_findrdataset(db, apex, version, type, 0, 0, &privs,
				     NULL);
	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/*
	 * Published chains: a parameter set with flags == 0 is active.
	 */
	result = dns_db_findrdataset(db, apex, version,
				     dns_rdatatype_nsec3param, 0, 0, &params,
				     NULL);
	if (result == ISC_R_SUCCESS) {
		for (result = dns_rdataset_first(&params);
		     result == ISC_R_SUCCESS;
		     result = dns_rdataset_next(&params))
		{
			dns_rdata_t rdata = DNS_RDATA_INIT;

			dns_rdataset_current(&params, &rdata);
			CHECK(dns_rdata_tostruct(&rdata, &chain, NULL));
			if (chain.flags != 0) {
				continue;
			}
			CHECK(dns_nsec3_addnsec3(db, version, name, &chain,
						 nsecttl, unsecure, diff));
		}
		if (result != ISC_R_NOMORE) {
			goto failure;
		}
		dns_rdataset_disassociate(&params);
	} else if (result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/*
	 * Chains described only by private records.
	 */
	if (dns_rdataset_isassociated(&privs)) {
		for (result = dns_rdataset_first(&privs);
		     result == ISC_R_SUCCESS;
		     result = dns_rdataset_next(&privs))
		{
			dns_rdata_t raw = DNS_RDATA_INIT;
			dns_rdata_t decoded = DNS_RDATA_INIT;
			unsigned char wire[DNS_NSEC3PARAM_BUFFERSIZE];

			dns_rdataset_current(&privs, &raw);
			/* Not every private record is an NSEC3PARAM. */
			if (!dns_nsec3param_fromprivate(&raw, &decoded, wire,
							sizeof(wire)))
			{
				continue;
			}
			CHECK(dns_rdata_tostruct(&decoded, &chain, NULL));

			if ((chain.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
				continue;
			}
			if (better_param(&privs, &decoded)) {
				continue;
			}

			CHECK(dns_nsec3_addnsec3(db, version, name, &chain,
						 nsecttl, unsecure, diff));
		}
		if (result != ISC_R_NOMORE) {
			goto failure;
		}
	}
	result = ISC_R_SUCCESS;

failure:
	if (dns_rdataset_isassociated(&params)) {
		dns_rdataset_disassociate(&params);
	}
	if (dns_rdataset_isassociated(&privs)) {
		dns_rdataset_disassociate(&privs);
	}
	if (apex != NULL) {
		dns_db_detachnode(db, &apex);
	}

	return (result);
}
1355 1.1 christos
1356 1.1 christos /*%
1357 1.1 christos * Determine whether any NSEC3 records that were associated with
1358 1.1 christos * 'name' should be deleted or if they should continue to exist.
1359 1.1 christos * true indicates they should be deleted.
1360 1.1 christos * false indicates they should be retained.
1361 1.1 christos */
static isc_result_t
deleteit(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
	 bool *yesno) {
	/*
	 * Look 'name' up (no wildcard expansion, glue acceptable) and map
	 * the outcome onto "delete its NSEC3 records?":
	 *   - still present (success, empty non-terminal, zone cut):
	 *     keep them, '*yesno' = false;
	 *   - gone or below a cut (glue, DNAME, delegation, NXDOMAIN):
	 *     delete them, '*yesno' = true.
	 * Either way ISC_R_SUCCESS is returned.  Any other lookup result
	 * is returned unchanged with '*yesno' set to true.
	 */
	dns_fixedname_t foundname;
	dns_name_t *fname = dns_fixedname_initname(&foundname);
	isc_result_t result;
	bool keep;
	bool drop;

	result = dns_db_find(db, name, ver, dns_rdatatype_any,
			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
			     (isc_stdtime_t)0, NULL, fname, NULL, NULL);

	keep = (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME ||
		result == DNS_R_ZONECUT);
	drop = (result == DNS_R_NXDOMAIN || result == DNS_R_DELEGATION ||
		result == DNS_R_GLUE || result == DNS_R_DNAME);

	/* Only a name that is still in use retains its NSEC3. */
	*yesno = !keep;
	return ((keep || drop) ? ISC_R_SUCCESS : result);
}
1391 1.1 christos
1392 1.1 christos isc_result_t
1393 1.1 christos dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
1394 1.1 christos const dns_name_t *name,
1395 1.1 christos const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
1396 1.1 christos dns_dbiterator_t *dbit = NULL;
1397 1.1 christos dns_dbnode_t *node = NULL;
1398 1.1 christos dns_difftuple_t *tuple = NULL;
1399 1.1 christos dns_fixedname_t fixed;
1400 1.1 christos dns_fixedname_t fprev;
1401 1.1 christos dns_hash_t hash;
1402 1.1 christos dns_name_t *hashname;
1403 1.1 christos dns_name_t *origin;
1404 1.1 christos dns_name_t *prev;
1405 1.1 christos dns_name_t empty;
1406 1.1 christos dns_rdata_nsec3_t nsec3;
1407 1.1 christos dns_rdata_t rdata = DNS_RDATA_INIT;
1408 1.1 christos dns_rdataset_t rdataset;
1409 1.1 christos int pass;
1410 1.1 christos bool yesno;
1411 1.1 christos isc_buffer_t buffer;
1412 1.1 christos isc_result_t result;
1413 1.1 christos unsigned char *salt;
1414 1.1 christos unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
1415 1.1 christos unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
1416 1.1 christos unsigned int iterations;
1417 1.1 christos unsigned int labels;
1418 1.1 christos size_t next_length;
1419 1.1 christos unsigned int salt_length;
1420 1.1 christos
1421 1.1 christos hashname = dns_fixedname_initname(&fixed);
1422 1.1 christos prev = dns_fixedname_initname(&fprev);
1423 1.1 christos
1424 1.1 christos dns_rdataset_init(&rdataset);
1425 1.1 christos
1426 1.1 christos origin = dns_db_origin(db);
1427 1.1 christos
1428 1.1 christos /*
1429 1.1 christos * Chain parameters.
1430 1.1 christos */
1431 1.1 christos hash = nsec3param->hash;
1432 1.1 christos iterations = nsec3param->iterations;
1433 1.1 christos salt_length = nsec3param->salt_length;
1434 1.1 christos salt = nsec3param->salt;
1435 1.1 christos
1436 1.1 christos /*
1437 1.1 christos * If this is the first NSEC3 in the chain nexthash will
1438 1.1 christos * remain pointing to itself.
1439 1.1 christos */
1440 1.1 christos next_length = sizeof(nexthash);
1441 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
1442 1.1 christos hash, iterations, salt, salt_length));
1443 1.1 christos
1444 1.1 christos CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
1445 1.1 christos
1446 1.1 christos result = dns_dbiterator_seek(dbit, hashname);
1447 1.1 christos if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
1448 1.1 christos goto cleanup_orphaned_ents;
1449 1.1 christos }
1450 1.1 christos if (result != ISC_R_SUCCESS) {
1451 1.1 christos goto failure;
1452 1.1 christos }
1453 1.1 christos
1454 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, NULL));
1455 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1456 1.1 christos result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
1457 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
1458 1.1 christos dns_db_detachnode(db, &node);
1459 1.1 christos if (result == ISC_R_NOTFOUND) {
1460 1.1 christos goto cleanup_orphaned_ents;
1461 1.1 christos }
1462 1.1 christos if (result != ISC_R_SUCCESS) {
1463 1.1 christos goto failure;
1464 1.1 christos }
1465 1.1 christos
1466 1.1 christos /*
1467 1.1 christos * If we find a existing NSEC3 for this chain then save the
1468 1.1 christos * next field.
1469 1.1 christos */
1470 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1471 1.1 christos if (result == ISC_R_SUCCESS) {
1472 1.1 christos next_length = nsec3.next_length;
1473 1.1 christos INSIST(next_length <= sizeof(nexthash));
1474 1.1 christos memmove(nexthash, nsec3.next, next_length);
1475 1.1 christos }
1476 1.1 christos dns_rdataset_disassociate(&rdataset);
1477 1.1 christos if (result == ISC_R_NOMORE) {
1478 1.1 christos goto success;
1479 1.1 christos }
1480 1.1 christos if (result != ISC_R_SUCCESS) {
1481 1.1 christos goto failure;
1482 1.1 christos }
1483 1.1 christos
1484 1.1 christos /*
1485 1.1 christos * Find the previous NSEC3 and update it.
1486 1.1 christos */
1487 1.1 christos pass = 0;
1488 1.1 christos do {
1489 1.1 christos result = dns_dbiterator_prev(dbit);
1490 1.1 christos if (result == ISC_R_NOMORE) {
1491 1.1 christos pass++;
1492 1.1 christos CHECK(dns_dbiterator_last(dbit));
1493 1.1 christos }
1494 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
1495 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1496 1.1 christos result = dns_db_findrdataset(db, node, version,
1497 1.1 christos dns_rdatatype_nsec3, 0,
1498 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
1499 1.1 christos dns_db_detachnode(db, &node);
1500 1.1 christos if (result != ISC_R_SUCCESS) {
1501 1.1 christos continue;
1502 1.1 christos }
1503 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1504 1.1 christos if (result == ISC_R_NOMORE) {
1505 1.1 christos dns_rdataset_disassociate(&rdataset);
1506 1.1 christos continue;
1507 1.1 christos }
1508 1.1 christos if (result != ISC_R_SUCCESS) {
1509 1.1 christos goto failure;
1510 1.1 christos }
1511 1.1 christos
1512 1.1 christos /*
1513 1.1 christos * Delete the old previous NSEC3.
1514 1.1 christos */
1515 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
1516 1.1 christos
1517 1.1 christos /*
1518 1.1 christos * Fixup the previous NSEC3.
1519 1.1 christos */
1520 1.1 christos nsec3.next = nexthash;
1521 1.1 christos nsec3.next_length = (unsigned char)next_length;
1522 1.1 christos if (CREATE(nsec3param->flags)) {
1523 1.1 christos nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
1524 1.1 christos }
1525 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1526 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1527 1.1 christos dns_rdatatype_nsec3, &nsec3,
1528 1.1 christos &buffer));
1529 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
1530 1.1 christos rdataset.ttl, &rdata, &tuple));
1531 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
1532 1.1 christos dns_rdata_reset(&rdata);
1533 1.1 christos dns_rdataset_disassociate(&rdataset);
1534 1.1 christos break;
1535 1.1 christos } while (pass < 2);
1536 1.1 christos
1537 1.1 christos /*
1538 1.1 christos * Delete the old NSEC3 and record the change.
1539 1.1 christos */
1540 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1541 1.1 christos
1542 1.1 christos /*
1543 1.1 christos * Delete NSEC3 records for now non active nodes.
1544 1.1 christos */
1545 1.1 christos cleanup_orphaned_ents:
1546 1.1 christos dns_name_init(&empty, NULL);
1547 1.1 christos dns_name_clone(name, &empty);
1548 1.1 christos do {
1549 1.1 christos labels = dns_name_countlabels(&empty) - 1;
1550 1.1 christos if (labels <= dns_name_countlabels(origin)) {
1551 1.1 christos break;
1552 1.1 christos }
1553 1.1 christos dns_name_getlabelsequence(&empty, 1, labels, &empty);
1554 1.1 christos CHECK(deleteit(db, version, &empty, &yesno));
1555 1.1 christos if (!yesno) {
1556 1.1 christos break;
1557 1.1 christos }
1558 1.1 christos
1559 1.1 christos CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
1560 1.1 christos origin, hash, iterations, salt,
1561 1.1 christos salt_length));
1562 1.1 christos result = dns_dbiterator_seek(dbit, hashname);
1563 1.1 christos if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
1564 1.1 christos goto success;
1565 1.1 christos }
1566 1.1 christos if (result != ISC_R_SUCCESS) {
1567 1.1 christos goto failure;
1568 1.1 christos }
1569 1.1 christos
1570 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, NULL));
1571 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1572 1.1 christos result = dns_db_findrdataset(db, node, version,
1573 1.1 christos dns_rdatatype_nsec3, 0,
1574 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
1575 1.1 christos dns_db_detachnode(db, &node);
1576 1.1 christos if (result == ISC_R_NOTFOUND) {
1577 1.1 christos goto success;
1578 1.1 christos }
1579 1.1 christos if (result != ISC_R_SUCCESS) {
1580 1.1 christos goto failure;
1581 1.1 christos }
1582 1.1 christos
1583 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1584 1.1 christos if (result == ISC_R_SUCCESS) {
1585 1.1 christos next_length = nsec3.next_length;
1586 1.1 christos INSIST(next_length <= sizeof(nexthash));
1587 1.1 christos memmove(nexthash, nsec3.next, next_length);
1588 1.1 christos }
1589 1.1 christos dns_rdataset_disassociate(&rdataset);
1590 1.1 christos if (result == ISC_R_NOMORE) {
1591 1.1 christos goto success;
1592 1.1 christos }
1593 1.1 christos if (result != ISC_R_SUCCESS) {
1594 1.1 christos goto failure;
1595 1.1 christos }
1596 1.1 christos
1597 1.1 christos pass = 0;
1598 1.1 christos do {
1599 1.1 christos result = dns_dbiterator_prev(dbit);
1600 1.1 christos if (result == ISC_R_NOMORE) {
1601 1.1 christos pass++;
1602 1.1 christos CHECK(dns_dbiterator_last(dbit));
1603 1.1 christos }
1604 1.1 christos CHECK(dns_dbiterator_current(dbit, &node, prev));
1605 1.1 christos CHECK(dns_dbiterator_pause(dbit));
1606 1.1 christos result = dns_db_findrdataset(
1607 1.1 christos db, node, version, dns_rdatatype_nsec3, 0,
1608 1.1 christos (isc_stdtime_t)0, &rdataset, NULL);
1609 1.1 christos dns_db_detachnode(db, &node);
1610 1.1 christos if (result != ISC_R_SUCCESS) {
1611 1.1 christos continue;
1612 1.1 christos }
1613 1.1 christos result = find_nsec3(&nsec3, &rdataset, nsec3param);
1614 1.1 christos if (result == ISC_R_NOMORE) {
1615 1.1 christos dns_rdataset_disassociate(&rdataset);
1616 1.1 christos continue;
1617 1.1 christos }
1618 1.1 christos if (result != ISC_R_SUCCESS) {
1619 1.1 christos goto failure;
1620 1.1 christos }
1621 1.1 christos
1622 1.1 christos /*
1623 1.1 christos * Delete the old previous NSEC3.
1624 1.1 christos */
1625 1.1 christos CHECK(delnsec3(db, version, prev, nsec3param, diff));
1626 1.1 christos
1627 1.1 christos /*
1628 1.1 christos * Fixup the previous NSEC3.
1629 1.1 christos */
1630 1.1 christos nsec3.next = nexthash;
1631 1.1 christos nsec3.next_length = (unsigned char)next_length;
1632 1.1 christos isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1633 1.1 christos CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1634 1.1 christos dns_rdatatype_nsec3, &nsec3,
1635 1.1 christos &buffer));
1636 1.1 christos CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
1637 1.1 christos prev, rdataset.ttl, &rdata,
1638 1.1 christos &tuple));
1639 1.1 christos CHECK(do_one_tuple(&tuple, db, version, diff));
1640 1.1 christos dns_rdata_reset(&rdata);
1641 1.1 christos dns_rdataset_disassociate(&rdataset);
1642 1.1 christos break;
1643 1.1 christos } while (pass < 2);
1644 1.1 christos
1645 1.1 christos INSIST(pass < 2);
1646 1.1 christos
1647 1.1 christos /*
1648 1.1 christos * Delete the old NSEC3 and record the change.
1649 1.1 christos */
1650 1.1 christos CHECK(delnsec3(db, version, hashname, nsec3param, diff));
1651 1.1 christos } while (1);
1652 1.1 christos
1653 1.1 christos success:
1654 1.1 christos result = ISC_R_SUCCESS;
1655 1.1 christos
1656 1.1 christos failure:
1657 1.1 christos if (dbit != NULL) {
1658 1.1 christos dns_dbiterator_destroy(&dbit);
1659 1.1 christos }
1660 1.1 christos if (dns_rdataset_isassociated(&rdataset)) {
1661 1.1 christos dns_rdataset_disassociate(&rdataset);
1662 1.1 christos }
1663 1.1 christos if (node != NULL) {
1664 1.1 christos dns_db_detachnode(db, &node);
1665 1.1 christos }
1666 1.1 christos return (result);
1667 1.1 christos }
1668 1.1 christos
/*
 * Remove 'name' from every active NSEC3 chain of the zone, recording the
 * changes in 'diff'.
 *
 * Convenience wrapper around dns_nsec3_delnsec3sx() with no private type
 * (0), so only chains published as NSEC3PARAM records are updated; chains
 * that are still being built are left alone.
 */
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
		    const dns_name_t *name, dns_diff_t *diff) {
	const dns_rdatatype_t no_private_type = 0;

	return (dns_nsec3_delnsec3sx(db, version, name, no_private_type,
				     diff));
}
1674 1.1 christos
/*
 * Remove 'name' from every NSEC3 chain of the zone, recording the changes
 * in 'diff'.
 *
 * Chains are discovered at the zone apex in two passes:
 *   1. NSEC3PARAM records whose flags are all clear (the active chains);
 *   2. when 'privatetype' is non-zero, records of that private type that
 *      decode to an NSEC3PARAM (chains still being built).  Entries that
 *      carry DNS_NSEC3FLAG_REMOVE, or that better_param() reports as
 *      superseded, are skipped.
 *
 * Each selected chain is updated with dns_nsec3_delnsec3().
 *
 * Returns ISC_R_SUCCESS, or the first error reported by the database, by
 * dns_rdata_tostruct() or by dns_nsec3_delnsec3().  A failure of
 * dns_db_getoriginnode() is returned directly; every other exit releases
 * the origin node and any rdataset still associated.
 */
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
		     const dns_name_t *name, dns_rdatatype_t privatetype,
		     dns_diff_t *diff) {
	dns_dbnode_t *node = NULL;
	dns_rdata_nsec3param_t nsec3param;
	dns_rdataset_t rdataset;
	isc_result_t result;

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * Pass 1: chains published as NSEC3PARAM at the apex.
	 */
	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
				     NULL);
	if (result == ISC_R_SUCCESS) {
		result = dns_rdataset_first(&rdataset);
		while (result == ISC_R_SUCCESS) {
			dns_rdata_t rdata = DNS_RDATA_INIT;

			dns_rdataset_current(&rdataset, &rdata);
			CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));

			/* A chain is active only when no flag is set. */
			if (nsec3param.flags == 0) {
				CHECK(dns_nsec3_delnsec3(db, version, name,
							 &nsec3param, diff));
			}
			result = dns_rdataset_next(&rdataset);
		}
		/*
		 * The iteration's terminating result (normally
		 * ISC_R_NOMORE) is deliberately not inspected; the
		 * private-type pass below decides the final result.
		 */
		dns_rdataset_disassociate(&rdataset);
	} else if (result != ISC_R_NOTFOUND) {
		goto failure;
	}

	/*
	 * Pass 2: chains still under construction, stored under
	 * 'privatetype'.  Skipped entirely when no private type is in use.
	 */
	result = ISC_R_SUCCESS;
	if (privatetype != 0) {
		result = dns_db_findrdataset(db, node, version, privatetype,
					     0, 0, &rdataset, NULL);
		if (result == ISC_R_SUCCESS) {
			result = dns_rdataset_first(&rdataset);
		}
		while (result == ISC_R_SUCCESS) {
			dns_rdata_t privrdata = DNS_RDATA_INIT;
			dns_rdata_t paramrdata = DNS_RDATA_INIT;
			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];

			dns_rdataset_current(&rdataset, &privrdata);
			/* Private records that are not NSEC3PARAM are skipped. */
			if (dns_nsec3param_fromprivate(&privrdata, &paramrdata,
						       buf, sizeof(buf)))
			{
				CHECK(dns_rdata_tostruct(&paramrdata,
							 &nsec3param, NULL));
				/*
				 * Ignore chains scheduled for removal and
				 * parameter sets superseded by a better one.
				 */
				if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) ==
					    0 &&
				    !better_param(&rdataset, &paramrdata))
				{
					CHECK(dns_nsec3_delnsec3(db, version,
								 name,
								 &nsec3param,
								 diff));
				}
			}
			result = dns_rdataset_next(&rdataset);
		}
		/* "No private records" and "end of set" both mean success. */
		if (result == ISC_R_NOTFOUND || result == ISC_R_NOMORE) {
			result = ISC_R_SUCCESS;
		}
	}

failure:
	if (dns_rdataset_isassociated(&rdataset)) {
		dns_rdataset_disassociate(&rdataset);
	}
	if (node != NULL) {
		dns_db_detachnode(db, &node);
	}

	return (result);
}
1783 1.1 christos
/*
 * Report in '*answer' whether the zone has an active NSEC3 chain.
 *
 * Wrapper around dns_nsec3_activex() with no private type (0), so only
 * chains published as NSEC3PARAM records are considered; 'complete' is
 * passed through unchanged.
 */
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, bool complete,
		 bool *answer) {
	const dns_rdatatype_t no_private_type = 0;

	return (dns_nsec3_activex(db, version, complete, no_private_type,
				  answer));
}
1789 1.1 christos
/*
 * Report in '*answer' whether the zone has a usable NSEC3 chain.
 *
 * A chain counts as active when an NSEC3PARAM record at the apex has all
 * flags clear.  When 'privatetype' is non-zero and 'complete' is false, a
 * chain that is still being created (a private-type record decoding to an
 * NSEC3PARAM whose flags satisfy CREATE()) also counts.
 *
 * Returns ISC_R_SUCCESS with '*answer' set, or a database error, in which
 * case '*answer' may be left untouched.  A failure while iterating the
 * NSEC3PARAM set other than ISC_R_NOMORE is not reported: the private-type
 * check still runs and decides the result.
 */
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
		  dns_rdatatype_t privatetype, bool *answer) {
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_nsec3param_t nsec3param;
	isc_result_t result;

	REQUIRE(answer != NULL);

	dns_rdataset_init(&rdataset);

	result = dns_db_getoriginnode(db, &node);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * First look for a published chain: an NSEC3PARAM at the apex
	 * whose flags are all clear.
	 */
	result = dns_db_findrdataset(db, node, version,
				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
				     NULL);
	if (result == ISC_R_SUCCESS) {
		result = dns_rdataset_first(&rdataset);
		while (result == ISC_R_SUCCESS) {
			dns_rdata_t rdata = DNS_RDATA_INIT;

			dns_rdataset_current(&rdataset, &rdata);
			result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
			RUNTIME_CHECK(result == ISC_R_SUCCESS);
			if (nsec3param.flags == 0) {
				/* Leaves result == ISC_R_SUCCESS. */
				break;
			}
			result = dns_rdataset_next(&rdataset);
		}
		dns_rdataset_disassociate(&rdataset);

		switch (result) {
		case ISC_R_SUCCESS:
			/* Active chain found; nothing more to check. */
			dns_db_detachnode(db, &node);
			*answer = true;
			return (ISC_R_SUCCESS);
		case ISC_R_NOMORE:
			*answer = false;
			break;
		default:
			/*
			 * Iteration failed part-way; '*answer' is left
			 * as-is and the private-type check still runs.
			 */
			break;
		}
	} else if (result != ISC_R_NOTFOUND) {
		dns_db_detachnode(db, &node);
		return (result);
	}

	/*
	 * Without a private type, or when only complete chains count,
	 * there is nothing more to look at.
	 */
	if (privatetype == 0 || complete) {
		dns_db_detachnode(db, &node);
		*answer = false;
		return (ISC_R_SUCCESS);
	}

	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
				     &rdataset, NULL);
	dns_db_detachnode(db, &node);
	if (result == ISC_R_NOTFOUND) {
		*answer = false;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * Look for a chain that is still being created.
	 */
	result = dns_rdataset_first(&rdataset);
	while (result == ISC_R_SUCCESS) {
		dns_rdata_t privrdata = DNS_RDATA_INIT;
		dns_rdata_t paramrdata = DNS_RDATA_INIT;
		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
		bool creating = false;

		dns_rdataset_current(&rdataset, &privrdata);
		if (dns_nsec3param_fromprivate(&privrdata, &paramrdata, buf,
					       sizeof(buf)))
		{
			result = dns_rdata_tostruct(&paramrdata, &nsec3param,
						    NULL);
			RUNTIME_CHECK(result == ISC_R_SUCCESS);
			/* 'complete' is already known to be false here. */
			creating = !complete && CREATE(nsec3param.flags);
		}
		if (creating) {
			/* Leaves result == ISC_R_SUCCESS. */
			break;
		}
		result = dns_rdataset_next(&rdataset);
	}
	dns_rdataset_disassociate(&rdataset);

	if (result == ISC_R_SUCCESS) {
		*answer = true;
	} else if (result == ISC_R_NOMORE) {
		*answer = false;
		result = ISC_R_SUCCESS;
	}

	return (result);
}
1892 1.1 christos
/*
 * Return the largest NSEC3 iteration count this library accepts
 * (DNS_NSEC3_MAXITERATIONS).  dns_nsec3_noexistnodata() rejects records
 * above this bound with DNS_R_NSEC3ITERRANGE.
 */
unsigned int
dns_nsec3_maxiterations(void) {
	const unsigned int limit = DNS_NSEC3_MAXITERATIONS;

	return (limit);
}
1897 1.1 christos
/*
 * Work out what a single NSEC3 record proves about 'name' / 'type'.
 *
 * 'nsec3name' is the owner name of the NSEC3 record and 'nsec3set' the
 * rdataset holding it; only the first rdata of 'nsec3set' is examined.
 * The zone the record belongs to is derived by stripping the leading hash
 * label from 'nsec3name'.
 *
 * Outputs (the REQUIREs below pair up the optional ones):
 *   zonename            updated to the derived zone when 'zonename' is
 *                       empty or the derived zone lies below it; records
 *                       from any other zone are ignored.
 *   exists / data       set together.  When both are NULL the function
 *                       only resolves 'zonename' and returns
 *                       ISC_R_SUCCESS once the zone matches.
 *   optout              when non-NULL, set from DNS_NSEC3FLAG_OPTOUT at
 *                       the point non-existence is proven.
 *   unknown             when non-NULL, set to true if the record's hash
 *                       algorithm is not supported.
 *   setclosest/closest  a potential closest encloser, once one is seen.
 *   setnearest/nearest  a name proven not to exist; an existing value is
 *                       replaced only by a name above it.
 *
 * 'logit' is invoked with 'arg' for debug-level diagnostics.
 *
 * Returns:
 *   ISC_R_SUCCESS         the record proves something about 'name' (or,
 *                         with exists == NULL, that the zone matched);
 *   ISC_R_IGNORE          the record is not relevant to this question;
 *   DNS_R_NSEC3ITERRANGE  the record's iteration count exceeds
 *                         DNS_NSEC3_MAXITERATIONS;
 *   other                 an error from the rdataset, dns_rdata_tostruct()
 *                         or base32hex decoding.
 */
isc_result_t
dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
			dns_name_t *zonename, bool *exists, bool *data,
			bool *optout, bool *unknown, bool *setclosest,
			bool *setnearest, dns_name_t *closest,
			dns_name_t *nearest, dns_nseclog_t logit, void *arg) {
	char namebuf[DNS_NAME_FORMATSIZE];
	dns_fixedname_t fzone;
	dns_fixedname_t qfixed;
	dns_label_t hashlabel;
	dns_name_t *qname;
	dns_name_t *zone;
	dns_rdata_nsec3_t nsec3;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	int order;
	int scope;
	bool atparent;
	bool first;
	bool ns;
	bool soa;
	isc_buffer_t buffer;
	/*
	 * Running result: stays ISC_R_IGNORE until some ancestor of 'name'
	 * is proven not to exist.
	 */
	isc_result_t answer = ISC_R_IGNORE;
	isc_result_t result;
	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
	unsigned int length;
	unsigned int qlabels;
	unsigned int zlabels;

	REQUIRE((exists == NULL && data == NULL) ||
		(exists != NULL && data != NULL));
	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
	REQUIRE((setclosest == NULL && closest == NULL) ||
		(setclosest != NULL && closest != NULL));
	REQUIRE((setnearest == NULL && nearest == NULL) ||
		(setnearest != NULL && nearest != NULL));

	result = dns_rdataset_first(nsec3set);
	if (result != ISC_R_SUCCESS) {
		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
		return (result);
	}

	dns_rdataset_current(nsec3set, &rdata);

	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");

	zone = dns_fixedname_initname(&fzone);
	zlabels = dns_name_countlabels(nsec3name);

	/*
	 * NSEC3 records must have two or more labels to be valid.
	 */
	if (zlabels < 2) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Strip off the NSEC3 hash to get the zone.
	 */
	zlabels--;
	dns_name_split(nsec3name, zlabels, NULL, zone);

	/*
	 * If not below the zone name we can ignore this record.
	 */
	if (!dns_name_issubdomain(name, zone)) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Is this zone the same or deeper than the current zone?
	 * If so it becomes the zone of record for the caller.
	 */
	if (dns_name_countlabels(zonename) == 0 ||
	    dns_name_issubdomain(zone, zonename))
	{
		dns_name_copynf(zone, zonename);
	}

	if (!dns_name_equal(zone, zonename)) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Are we only looking for the most enclosing zone?
	 */
	if (exists == NULL || data == NULL) {
		return (ISC_R_SUCCESS);
	}

	/*
	 * Only set unknown once we are sure that this NSEC3 is from
	 * the deepest covering zone.
	 */
	if (!dns_nsec3_supportedhash(nsec3.hash)) {
		if (unknown != NULL) {
			*unknown = true;
		}
		return (ISC_R_IGNORE);
	}

	/*
	 * Recover the hash from the first label.  The label's leading
	 * byte is its length, so skip it before decoding; the decode is
	 * bounded by 'owner', which holds NSEC3_MAX_HASH_LENGTH bytes.
	 */
	dns_name_getlabel(nsec3name, 0, &hashlabel);
	isc_region_consume(&hashlabel, 1);
	isc_buffer_init(&buffer, owner, sizeof(owner));
	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
	if (result != ISC_R_SUCCESS) {
		return (result);
	}

	/*
	 * The hash lengths should match. If not ignore the record.
	 * (This also makes the memcmp() calls below well-bounded.)
	 */
	if (isc_buffer_usedlength(&buffer) != nsec3.next_length) {
		return (ISC_R_IGNORE);
	}

	/*
	 * Work out what this NSEC3 covers.
	 * Inside (<0) or outside (>=0).
	 * i.e. whether the owner..next span wraps around the end of the
	 * hash space.
	 */
	scope = memcmp(owner, nsec3.next, nsec3.next_length);

	/*
	 * Prepare to compute all the hashes.
	 * 'qname' starts as the (downcased) query name and is shortened
	 * by one label per iteration until it reaches the zone apex.
	 */
	qname = dns_fixedname_initname(&qfixed);
	dns_name_downcase(name, qname, NULL);
	qlabels = dns_name_countlabels(qname);
	first = true;

	while (qlabels >= zlabels) {
		/*
		 * If there are too many iterations reject the NSEC3 record.
		 * 'iterations' comes from the record itself, so this bounds
		 * the work isc_iterated_hash() is allowed to do per label.
		 */
		if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) {
			return (DNS_R_NSEC3ITERRANGE);
		}

		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
					   nsec3.salt, nsec3.salt_length,
					   qname->ndata, qname->length);
		/*
		 * The computed hash length should match.
		 * (A zero length, i.e. a failed hash, also lands here.)
		 */
		if (length != nsec3.next_length) {
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring NSEC bad length %u vs %u", length,
				 nsec3.next_length);
			return (ISC_R_IGNORE);
		}

		order = memcmp(hash, owner, length);
		if (first && order == 0) {
			/*
			 * The hashes are the same.
			 * The NSEC3 owner is 'name' itself, so this record
			 * speaks directly about 'type' at 'name'.
			 */
			atparent = dns_rdatatype_atparent(type);
			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
			if (ns && !soa) {
				if (!atparent) {
					/*
					 * This NSEC3 record is from somewhere
					 * higher in the DNS, and at the
					 * parent of a delegation. It can not
					 * be legitimately used here.
					 */
					(*logit)(arg, ISC_LOG_DEBUG(3),
						 "ignoring parent NSEC3");
					return (ISC_R_IGNORE);
				}
			} else if (atparent && ns && soa) {
				/*
				 * This NSEC3 record is from the child.
				 * It can not be legitimately used here.
				 */
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "ignoring child NSEC3");
				return (ISC_R_IGNORE);
			}
			/*
			 * A CNAME at the owner would answer any other
			 * type, so only report the type bitmap when no
			 * CNAME is present or when 'type' is one that can
			 * coexist with / is being asked about directly.
			 */
			if (type == dns_rdatatype_cname ||
			    type == dns_rdatatype_nxt ||
			    type == dns_rdatatype_nsec ||
			    type == dns_rdatatype_key ||
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname))
			{
				*exists = true;
				*data = dns_nsec3_typepresent(&rdata, type);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 proves name exists (owner) "
					 "data=%d",
					 *data);
				return (ISC_R_SUCCESS);
			}
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves CNAME exists");
			return (ISC_R_IGNORE);
		}

		if (order == 0 &&
		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
		{
			/*
			 * This NSEC3 record is from somewhere higher in
			 * the DNS, and at the parent of a delegation.
			 * It can not be legitimately used here.
			 */
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "ignoring parent NSEC3");
			return (ISC_R_IGNORE);
		}

		/*
		 * Potential closest encloser.
		 * The owner matches an ancestor of 'name'; record it as
		 * the closest encloser candidate unless the bitmap shows
		 * a DS or DNAME, or a delegation (NS without SOA), there.
		 */
		if (order == 0) {
			if (closest != NULL &&
			    (dns_name_countlabels(closest) == 0 ||
			     dns_name_issubdomain(qname, closest)) &&
			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
			    !dns_nsec3_typepresent(&rdata,
						   dns_rdatatype_dname) &&
			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
			{
				dns_name_format(qname, namebuf,
						sizeof(namebuf));
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 "NSEC3 indicates potential closest "
					 "encloser: '%s'",
					 namebuf);
				dns_name_copynf(qname, closest);
				*setclosest = true;
			}
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 at super-domain %s", namebuf);
			/*
			 * 'answer' is ISC_R_SUCCESS only if a longer
			 * name was proven non-existent on an earlier pass.
			 */
			return (answer);
		}

		/*
		 * Find if the name does not exist.
		 *
		 * We continue as we need to find the name closest to the
		 * closest encloser that doesn't exist.
		 *
		 * We also need to continue to ensure that we are not
		 * proving the non-existence of a record in a sub-zone.
		 * If that would be the case we will return ISC_R_IGNORE
		 * above.
		 *
		 * The two arms handle a non-wrapping (scope < 0) and a
		 * wrapping (scope >= 0) owner..next interval respectively.
		 */
		if ((scope < 0 && order > 0 &&
		     memcmp(hash, nsec3.next, length) < 0) ||
		    (scope >= 0 &&
		     (order > 0 || memcmp(hash, nsec3.next, length) < 0)))
		{
			dns_name_format(qname, namebuf, sizeof(namebuf));
			(*logit)(arg, ISC_LOG_DEBUG(3),
				 "NSEC3 proves "
				 "name does not exist: '%s'",
				 namebuf);
			if (nearest != NULL &&
			    (dns_name_countlabels(nearest) == 0 ||
			     dns_name_issubdomain(nearest, qname)))
			{
				dns_name_copynf(qname, nearest);
				*setnearest = true;
			}

			*exists = false;
			*data = false;
			if (optout != NULL) {
				*optout = ((nsec3.flags &
					    DNS_NSEC3FLAG_OPTOUT) != 0);
				(*logit)(arg, ISC_LOG_DEBUG(3),
					 (*optout ? "NSEC3 indicates optout"
						  : "NSEC3 indicates secure "
						    "range"));
			}
			answer = ISC_R_SUCCESS;
		}

		/* Move up one label and try the parent name. */
		qlabels--;
		if (qlabels > 0) {
			dns_name_split(qname, qlabels, NULL, qname);
		}
		first = false;
	}
	return (answer);
}