This file contains the functions for an authority zone. More...
#include "config.h"
#include "services/authzone.h"
#include "util/data/dname.h"
#include "util/data/msgparse.h"
#include "util/data/msgreply.h"
#include "util/data/msgencode.h"
#include "util/data/packed_rrset.h"
#include "util/regional.h"
#include "util/net_help.h"
#include "util/netevent.h"
#include "util/config_file.h"
#include "util/log.h"
#include "util/module.h"
#include "util/random.h"
#include "services/cache/dns.h"
#include "services/outside_network.h"
#include "services/listen_dnsport.h"
#include "services/mesh.h"
#include "sldns/rrdef.h"
#include "sldns/pkthdr.h"
#include "sldns/sbuffer.h"
#include "sldns/str2wire.h"
#include "sldns/wire2str.h"
#include "sldns/parseutil.h"
#include "sldns/keyraw.h"
#include "validator/val_nsec3.h"
#include "validator/val_nsec.h"
#include "validator/val_secalgo.h"
#include "validator/val_sigcrypt.h"
#include "validator/val_anchor.h"
#include "validator/val_utils.h"
#include <ctype.h>
Macros | |
#define | N3HASHBUFLEN 32 |
bytes to use for NSEC3 hash buffer. More... | |
#define | MAX_CNAME_CHAIN 8 |
max number of CNAMEs we are willing to follow (in one answer) | |
#define | AUTH_PROBE_TIMEOUT 100 /* msec */ |
timeout for probe packets for SOA | |
#define | AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ |
when to stop with SOA probes (when exponential timeouts exceed this) | |
#define | AUTH_TRANSFER_TIMEOUT 10000 /* msec */ |
#define | AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ |
#define | AUTH_HTTP_PORT 80 |
#define | AUTH_HTTPS_PORT 443 |
#define | MAX_INCLUDE_DEPTH 10 |
#define | NUM_TIMEOUTS_FALLBACK_IXFR 3 |
number of timeouts before we fall back from IXFR to AXFR, because some versions of servers (e.g. More... | |
#define | SERIAL_BITS 32 |
Functions | |
static void | xfr_set_timeout (struct auth_xfer *xfr, struct module_env *env, int failure, int lookup_only) |
pick up nextprobe task to start waiting to perform transfer actions More... | |
static void | xfr_probe_send_or_end (struct auth_xfer *xfr, struct module_env *env) |
move to sending the probe packets, next if fails. More... | |
static int | xfr_start_probe (struct auth_xfer *xfr, struct module_env *env, struct auth_master *spec) |
pick up probe task with the specified (or NULL) destination first, or the transfer task if there is nothing to probe, or false if already in progress More... | |
void | auth_xfer_delete (struct auth_xfer *xfr) |
delete xfer structure (not its tree entry) More... | |
static struct dns_msg * | msg_create (struct regional *region, struct query_info *qinfo) |
create new dns_msg | |
static int | msg_grow_array (struct regional *region, struct dns_msg *msg) |
grow rrset array by one in msg | |
static time_t | get_rrset_ttl (struct ub_packed_rrset_key *k) |
get ttl of rrset | |
static struct ub_packed_rrset_key * | auth_packed_rrset_copy_region (struct auth_zone *z, struct auth_data *node, struct auth_rrset *rrset, struct regional *region, time_t adjust) |
Copy rrset into region from domain-datanode and packet rrset. | |
static void | msg_ttl (struct dns_msg *msg) |
fix up msg->rep TTL and prefetch ttl | |
static int | msg_rrset_duplicate (struct dns_msg *msg, uint8_t *nm, size_t nmlen, uint16_t type, uint16_t dclass) |
see if rrset is a duplicate in the answer message | |
static int | msg_add_rrset_an (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset) |
add rrset to answer section (no authority or additional section rrsets yet) | |
static int | msg_add_rrset_ns (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset) |
add rrset to authority section (no additional section rrsets yet) | |
static int | msg_add_rrset_ar (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset) |
add rrset to additional section | |
struct auth_zones * | auth_zones_create (void) |
Create auth zones structure. | |
int | auth_zone_cmp (const void *z1, const void *z2) |
compare auth_zones for sorted rbtree | |
int | auth_data_cmp (const void *z1, const void *z2) |
compare auth_data for sorted rbtree | |
int | auth_xfer_cmp (const void *z1, const void *z2) |
compare auth_xfer for sorted rbtree | |
static void | auth_rrset_delete (struct auth_rrset *rrset) |
delete auth rrset node | |
static void | auth_data_delete (struct auth_data *n) |
delete auth data domain node | |
static void | auth_data_del (rbnode_type *n, void *ATTR_UNUSED(arg)) |
helper traverse to delete zones | |
static void | auth_zone_delete (struct auth_zone *z, struct auth_zones *az) |
delete an auth zone structure (tree remove must be done elsewhere) | |
struct auth_zone * | auth_zone_create (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass) |
create an auth zone. More... | |
struct auth_zone * | auth_zone_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass) |
find an auth zone by name (exact match by name or NULL returned) | |
struct auth_xfer * | auth_xfer_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass) |
find an xfer zone by name (exact match by name or NULL returned) | |
static int | auth_zone_find_less_equal (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass, struct auth_zone **z) |
find an auth zone or sorted less-or-equal, return true if exact | |
struct auth_zone * | auth_zones_find_zone (struct auth_zones *az, uint8_t *name, size_t name_len, uint16_t dclass) |
find the auth zone that is above the given name More... | |
static struct auth_zone * | auth_zones_find_or_add_zone (struct auth_zones *az, char *name) |
find or create zone with name str. More... | |
static struct auth_xfer * | auth_zones_find_or_add_xfer (struct auth_zones *az, struct auth_zone *z) |
find or create xfer zone with name str. More... | |
int | auth_zone_set_zonefile (struct auth_zone *z, char *zonefile) |
set auth zone zonefile string. More... | |
int | auth_zone_set_fallback (struct auth_zone *z, char *fallbackstr) |
set auth zone fallback. More... | |
static struct auth_data * | az_domain_create (struct auth_zone *z, uint8_t *nm, size_t nmlen) |
create domain with the given name | |
static struct auth_data * | az_find_name (struct auth_zone *z, uint8_t *nm, size_t nmlen) |
find domain with exactly the given name | |
static void | az_find_domain (struct auth_zone *z, struct query_info *qinfo, int *node_exact, struct auth_data **node) |
Find domain name (or closest match) | |
static struct auth_data * | az_domain_find_or_create (struct auth_zone *z, uint8_t *dname, size_t dname_len) |
find or create domain with name in zone | |
static struct auth_rrset * | az_domain_rrset (struct auth_data *n, uint16_t t) |
find rrset of given type in the domain | |
static void | domain_remove_rrset (struct auth_data *node, uint16_t rr_type) |
remove rrset of this type from domain | |
static int | az_rrset_find_rrsig (struct packed_rrset_data *d, uint8_t *rdata, size_t len, size_t *index) |
find an rrsig index in the rrset. More... | |
static int | rdata_duplicate (struct packed_rrset_data *d, uint8_t *rdata, size_t len) |
see if rdata is duplicate | |
static uint16_t | rrsig_rdata_get_type_covered (uint8_t *rdata, size_t rdatalen) |
get rrsig type covered from rdata. More... | |
static int | rrset_remove_rr (struct auth_rrset *rrset, size_t index) |
remove RR from existing RRset. More... | |
static int | rrset_add_rr (struct auth_rrset *rrset, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen, int insert_sig) |
add RR to existing RRset. More... | |
static struct auth_rrset * | rrset_create (struct auth_data *node, uint16_t rr_type, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen) |
Create new rrset for node with packed rrset with one RR element. | |
static size_t | rrsig_num_that_cover (struct auth_rrset *rrsig, uint16_t rr_type, size_t *sigsz) |
count number (and size) of rrsigs that cover a type | |
static int | rrset_moveover_rrsigs (struct auth_data *node, uint16_t rr_type, struct auth_rrset *rrset, struct auth_rrset *rrsig) |
See if rrsig set has covered sigs for rrset and move them over. | |
static int | rrsigs_copy_from_rrset_to_rrsigset (struct auth_rrset *rrset, struct auth_rrset *rrsigset) |
copy the rrsigs from the rrset to the rrsig rrset, because the rrset is going to be deleted. More... | |
static int | az_domain_add_rr (struct auth_data *node, uint16_t rr_type, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen, int *duplicate) |
Add rr to node, ignores duplicate RRs; rdata points to a buffer with rdatalen octets that starts with a 2-byte length. | |
static int | az_insert_rr (struct auth_zone *z, uint8_t *rr, size_t rr_len, size_t dname_len, int *duplicate) |
insert RR into zone, ignore duplicates | |
static int | az_domain_remove_rr (struct auth_data *node, uint16_t rr_type, uint8_t *rdata, size_t rdatalen, int *nonexist) |
Remove rr from node, ignores nonexisting RRs; rdata points to a buffer with rdatalen octets that starts with a 2-byte length. | |
static int | az_remove_rr (struct auth_zone *z, uint8_t *rr, size_t rr_len, size_t dname_len, int *nonexist) |
remove RR from zone, ignore if it does not exist, false on alloc failure | |
static int | decompress_rr_into_buffer (struct sldns_buffer *buf, uint8_t *pkt, size_t pktlen, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen) |
decompress an RR into the buffer where it'll be an uncompressed RR with uncompressed dname and uncompressed rdata (dnames) | |
static int | az_insert_rr_decompress (struct auth_zone *z, uint8_t *pkt, size_t pktlen, struct sldns_buffer *scratch_buffer, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen, int *duplicate) |
insert RR into zone from packet, decompressing the RR; if duplicate is non-NULL set the flag, otherwise ignore duplicates | |
static int | az_remove_rr_decompress (struct auth_zone *z, uint8_t *pkt, size_t pktlen, struct sldns_buffer *scratch_buffer, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen, int *nonexist) |
remove RR from zone from packet, decompressing the RR; if nonexist is non-NULL set the flag, otherwise ignore nonexisting entries | |
static int | az_parse_file (struct auth_zone *z, FILE *in, uint8_t *rr, size_t rrbuflen, struct sldns_file_parse_state *state, char *fname, int depth, struct config_file *cfg) |
Parse zonefile. More... | |
int | auth_zone_read_zonefile (struct auth_zone *z, struct config_file *cfg) |
read auth zone from zonefile. More... | |
static int | write_out (FILE *out, const char *str, size_t len) |
write buffer to file and check return codes | |
static int | auth_rr_to_string (uint8_t *nm, size_t nmlen, uint16_t tp, uint16_t cl, struct packed_rrset_data *data, size_t i, char *s, size_t buflen) |
convert auth rr to string | |
static int | auth_zone_write_rrset (struct auth_zone *z, struct auth_data *node, struct auth_rrset *r, FILE *out) |
write rrset to file | |
static int | auth_zone_write_domain (struct auth_zone *z, struct auth_data *n, FILE *out) |
write domain to file | |
int | auth_zone_write_file (struct auth_zone *z, const char *fname) |
Write auth zone data to file, in zonefile format. | |
static void | zonemd_offline_verify (struct auth_zone *z, struct module_env *env_for_val, struct module_stack *mods) |
offline verify for zonemd, while reading a zone file to immediately spot bad hashes in zonefile as they are read. More... | |
static int | auth_zones_read_zones (struct auth_zones *az, struct config_file *cfg, struct module_env *env, struct module_stack *mods) |
read all auth zones from file (if they have) | |
static int | zonemd_fetch_parameters (struct auth_rrset *zonemd_rrset, size_t i, uint32_t *serial, int *scheme, int *hashalgo, uint8_t **hash, size_t *hashlen) |
fetch the content of a ZONEMD RR from the rdata | |
static int | zonemd_is_duplicate_scheme_hash (struct auth_rrset *zonemd_rrset, size_t index, int scheme, int hashalgo) |
See if the ZONEMD scheme, hash occurs more than once. More... | |
static int | auth_zone_zonemd_check_hash (struct auth_zone *z, struct module_env *env, char **reason) |
Check ZONEMDs if present for the auth zone. More... | |
struct auth_rrset * | auth_zone_get_soa_rrset (struct auth_zone *z) |
find the apex SOA RRset, if it exists More... | |
int | auth_zone_get_serial (struct auth_zone *z, uint32_t *serial) |
find serial number of zone or false if none More... | |
int | xfr_find_soa (struct auth_zone *z, struct auth_xfer *xfr) |
Find auth_zone SOA and populate the values in xfr(soa values). | |
static int | auth_xfer_setup (struct auth_zone *z, struct auth_xfer *x) |
Setup auth_xfer zone This populates the have_zone, soa values, and so on times. More... | |
static int | auth_zones_setup_zones (struct auth_zones *az) |
Setup all zones. More... | |
static int | auth_zones_cfg (struct auth_zones *az, struct config_auth *c) |
set config items and create zones | |
static void | az_setall_deleted (struct auth_zones *az) |
mark all auth zones as deleted; auth_zones_cfg then marks the ones still present in the config as not deleted, so that the zones that were removed from the config can be found afterwards | |
static void | az_delete_deleted_zones (struct auth_zones *az) |
find zones that are marked deleted and delete them. More... | |
int | auth_zones_apply_cfg (struct auth_zones *az, struct config_file *cfg, int setup, int *is_rpz, struct module_env *env, struct module_stack *mods) |
Apply configuration to auth zones. More... | |
static void | auth_chunks_delete (struct auth_transfer *at) |
delete chunks More... | |
static void | auth_free_master_addrs (struct auth_addr *list) |
free master addr list | |
static void | auth_free_masters (struct auth_master *list) |
free the masters list | |
static void | auth_zone_del (rbnode_type *n, void *ATTR_UNUSED(arg)) |
helper traverse to delete zones | |
static void | auth_xfer_del (rbnode_type *n, void *ATTR_UNUSED(arg)) |
helper traverse to delete xfer zones | |
void | auth_zones_delete (struct auth_zones *az) |
Delete auth zones structure. | |
static int | domain_has_only_nsec3 (struct auth_data *n) |
true if domain has only nsec3 | |
static struct auth_data * | az_find_wildcard_domain (struct auth_zone *z, uint8_t *nm, size_t nmlen) |
see if the domain has a wildcard child '*.domain' | |
static struct auth_data * | az_find_wildcard (struct auth_zone *z, struct query_info *qinfo, struct auth_data *ce) |
find wildcard between qname and cename | |
static struct auth_data * | az_find_candidate_ce (struct auth_zone *z, struct query_info *qinfo, struct auth_data *n) |
domain is not exact, find first candidate ce (name that matches a part of qname) in tree | |
static struct auth_data * | az_domain_go_up (struct auth_zone *z, struct auth_data *n) |
go up the auth tree to next existing name. | |
static int | az_find_ce (struct auth_zone *z, struct query_info *qinfo, struct auth_data *node, int node_exact, struct auth_data **ce, struct auth_rrset **rrset) |
Find the closest encloser, a name that exists and is above the qname. More... | |
static int | az_add_additionals_from (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_rrset *rrset, size_t offset) |
add additional A/AAAA from domain names in rrset rdata (+offset); offset is the number of bytes into the rdata where the dname is located. | |
static int | az_add_negative_soa (struct auth_zone *z, struct regional *region, struct dns_msg *msg) |
add negative SOA record (with negative TTL) | |
static int | az_empty_nonterminal (struct auth_zone *z, struct query_info *qinfo, struct auth_data *node) |
See if the query goes to an empty nonterminal (a name that has no auth_data, but there are nodes underneath it). More... | |
static size_t | synth_cname_buf (uint8_t *qname, size_t qname_len, size_t dname_len, uint8_t *dtarg, size_t dtarglen, uint8_t *buf, size_t buflen) |
create synth cname target name in buffer, or fail if too long | |
static int | create_synth_cname (uint8_t *qname, size_t qname_len, struct regional *region, struct auth_data *node, struct auth_rrset *dname, uint16_t dclass, struct ub_packed_rrset_key **cname) |
create synthetic CNAME rrset for a DNAME answer in region; false on alloc failure, cname==NULL when the name is too long. | |
static int | add_synth_cname (struct auth_zone *z, uint8_t *qname, size_t qname_len, struct regional *region, struct dns_msg *msg, struct auth_data *dname, struct auth_rrset *rrset) |
add a synthesized CNAME to the answer section | |
static void | az_change_dnames (struct dns_msg *msg, uint8_t *oldname, uint8_t *newname, size_t newlen, int an_only) |
Change a dname to a different one, for wildcard namechange. | |
static struct auth_rrset * | az_find_nsec_cover (struct auth_zone *z, struct auth_data **node) |
find NSEC record covering the query | |
static int | az_nsec_wildcard_denial (struct auth_zone *z, struct regional *region, struct dns_msg *msg, uint8_t *cenm, size_t cenmlen) |
Find NSEC and add for wildcard denial. | |
static int | az_nsec3_param (struct auth_zone *z, int *algo, size_t *iter, uint8_t **salt, size_t *saltlen) |
Find the NSEC3PARAM rrset (if any) and if true you have the parameters. | |
static size_t | az_nsec3_hash (uint8_t *buf, size_t buflen, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen) |
Hash a name with nsec3param into buffer, it has zone name appended. More... | |
static int | az_nsec3_hashname (struct auth_zone *z, uint8_t *hashname, size_t *hashnmlen, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen) |
Hash name and return b32encoded hashname for lookup, zone name appended. | |
static struct auth_data * | az_nsec3_findnode (struct auth_zone *z, uint8_t *hashnm, size_t hashnmlen) |
Find the datanode that covers the nsec3hash-name. | |
static struct auth_data * | az_nsec3_find_cover (struct auth_zone *z, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen) |
Find cover for hashed(nm, nmlen) (or NULL) | |
static struct auth_data * | az_nsec3_find_exact (struct auth_zone *z, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen) |
Find exact match for hashed(nm, nmlen) NSEC3 record or NULL. | |
static void | az_nsec3_get_nextcloser (uint8_t *cenm, uint8_t *qname, size_t qname_len, uint8_t **nx, size_t *nxlen) |
Return nextcloser name (as a ref into the qname). More... | |
static struct auth_data * | az_nsec3_find_ce (struct auth_zone *z, uint8_t **cenm, size_t *cenmlen, int *no_exact_ce, int algo, size_t iter, uint8_t *salt, size_t saltlen) |
Find the closest encloser that has exact NSEC3. More... | |
static int | az_nsec3_insert (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node) |
static int | az_add_nsec3_proof (struct auth_zone *z, struct regional *region, struct dns_msg *msg, uint8_t *cenm, size_t cenmlen, uint8_t *qname, size_t qname_len, int nodataproof, int ceproof, int nxproof, int wcproof) |
add NSEC3 records to the zone for the nsec3 proof. More... | |
static int | az_generate_positive_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset) |
generate answer for positive answer | |
static int | az_generate_any_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node) |
generate answer for type ANY answer | |
static int | follow_cname_chain (struct auth_zone *z, uint16_t qtype, struct regional *region, struct dns_msg *msg, struct packed_rrset_data *d) |
follow cname chain and add more data to the answer section | |
static int | az_generate_cname_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset) |
generate answer for cname answer | |
static int | az_generate_notype_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node) |
generate answer for notype answer | |
static int | az_generate_referral_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset) |
generate answer for referral answer | |
static int | az_generate_dname_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset) |
generate answer for DNAME answer | |
static int | az_generate_wildcard_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_data *wildcard, struct auth_data *node) |
generate answer for wildcard answer | |
static int | az_generate_nxdomain_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_data *node) |
generate answer for nxdomain answer | |
static int | az_generate_answer_with_node (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *node) |
Create answers when an exact match exists for the domain name. | |
static int | az_generate_answer_nonexistnode (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset, struct auth_data *node) |
Generate answer without an existing-node that we can use. More... | |
static int | auth_zone_generate_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg **msg, int *fallback) |
Lookup answer in a zone. | |
int | auth_zones_lookup (struct auth_zones *az, struct query_info *qinfo, struct regional *region, struct dns_msg **msg, int *fallback, uint8_t *dp_nm, size_t dp_nmlen) |
Use auth zones to lookup the answer to a query. More... | |
static void | auth_answer_encode (struct query_info *qinfo, struct module_env *env, struct edns_data *edns, struct comm_reply *repinfo, sldns_buffer *buf, struct regional *temp, struct dns_msg *msg) |
encode auth answer | |
static void | auth_error_encode (struct query_info *qinfo, struct module_env *env, struct edns_data *edns, struct comm_reply *repinfo, sldns_buffer *buf, struct regional *temp, int rcode) |
encode auth error answer | |
int | auth_zones_answer (struct auth_zones *az, struct module_env *env, struct query_info *qinfo, struct edns_data *edns, struct comm_reply *repinfo, struct sldns_buffer *buf, struct regional *temp) |
Answer query from auth zone. More... | |
int | auth_zones_can_fallback (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass) |
see if the auth zone for the name can fallback More... | |
int | auth_zone_parse_notify_serial (sldns_buffer *pkt, uint32_t *serial) |
process notify packet and read serial number from SOA. More... | |
static void | addr_port_to_str (struct sockaddr_storage *addr, socklen_t addrlen, char *buf, size_t len) |
print addr to str, and if the port is not 53, append "@port_number", for logs. | |
static int | addr_in_list (struct auth_addr *list, struct sockaddr_storage *addr, socklen_t addrlen) |
see if addr appears in the list | |
static int | addr_matches_master (struct auth_master *master, struct sockaddr_storage *addr, socklen_t addrlen, struct auth_master **fromhost) |
check if an address matches a master specification (or one of its addresses in the addr list) | |
static int | az_xfr_allowed_notify (struct auth_xfer *xfr, struct sockaddr_storage *addr, socklen_t addrlen, struct auth_master **fromhost) |
check access list for notifies | |
static int | xfr_serial_means_update (struct auth_xfer *xfr, uint32_t serial) |
see if the serial means the zone has to be updated, i.e. More... | |
static void | xfr_note_notify_serial (struct auth_xfer *xfr, int has_serial, uint32_t serial) |
note notify serial, updates the notify information in the xfr struct | |
static void | xfr_process_notify (struct auth_xfer *xfr, struct module_env *env, int has_serial, uint32_t serial, struct auth_master *fromhost) |
process a notify serial, start new probe or note serial. More... | |
int | auth_zones_notify (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass, struct sockaddr_storage *addr, socklen_t addrlen, int has_serial, uint32_t serial, int *refused) |
process notify for auth zones. More... | |
int | auth_zones_startprobesequence (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass) |
for the zone and if not already going, starts the probe sequence. More... | |
static void | auth_xfer_set_expired (struct auth_xfer *xfr, struct module_env *env, int expired) |
set a zone expired | |
static struct auth_master * | find_master_by_host (struct auth_master *list, char *host) |
find master (from notify or probe) in list of masters | |
static void | xfr_masterlist_free_addrs (struct auth_master *list) |
delete the looked up auth_addrs for all the masters in the list | |
static struct auth_addr * | auth_addr_list_copy (struct auth_addr *source) |
copy a list of auth_addrs | |
static struct auth_master * | auth_master_copy (struct auth_master *o) |
copy a master to a new structure, NULL on alloc failure | |
static void | probe_copy_masters_for_allow_notify (struct auth_xfer *xfr) |
copy the master addresses from the task_probe lookups to the allow_notify list of masters | |
static void | xfr_transfer_start_lookups (struct auth_xfer *xfr) |
start the lookups for task_transfer | |
static void | xfr_transfer_move_to_next_lookup (struct auth_xfer *xfr, struct module_env *env) |
move to the next lookup of hostname for task_transfer | |
static void | xfr_probe_start_lookups (struct auth_xfer *xfr) |
start the lookups for task_probe | |
static void | xfr_probe_move_to_next_lookup (struct auth_xfer *xfr, struct module_env *env) |
move to the next lookup of hostname for task_probe | |
static void | xfr_transfer_start_list (struct auth_xfer *xfr, struct auth_master *spec) |
start the iteration of the task_transfer list of masters | |
static void | xfr_probe_start_list (struct auth_xfer *xfr, struct auth_master *spec) |
start the iteration of the task_probe list of masters | |
static struct auth_master * | xfr_transfer_current_master (struct auth_xfer *xfr) |
pick up the master that is being scanned right now, task_transfer | |
static struct auth_master * | xfr_probe_current_master (struct auth_xfer *xfr) |
pick up the master that is being scanned right now, task_probe | |
static int | xfr_transfer_end_of_list (struct auth_xfer *xfr) |
true if at end of list, task_transfer | |
static int | xfr_probe_end_of_list (struct auth_xfer *xfr) |
true if at end of list, task_probe | |
static void | xfr_transfer_nextmaster (struct auth_xfer *xfr) |
move to next master in list, task_transfer | |
static void | xfr_probe_nextmaster (struct auth_xfer *xfr) |
move to next master in list, task_probe | |
static void | xfr_create_soa_probe_packet (struct auth_xfer *xfr, sldns_buffer *buf, uint16_t id) |
create SOA probe packet for xfr | |
static void | xfr_create_ixfr_packet (struct auth_xfer *xfr, sldns_buffer *buf, uint16_t id, struct auth_master *master) |
create IXFR/AXFR packet for xfr | |
static int | check_packet_ok (sldns_buffer *pkt, uint16_t qtype, struct auth_xfer *xfr, uint32_t *serial) |
check if returned packet is OK | |
static int | chunkline_get_line (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf) |
read one line from chunks into buffer at current position | |
static int | chunkline_count_parens (sldns_buffer *buf, size_t start) |
count number of open and closed parenthesis in a chunkline | |
static void | chunkline_remove_trailcomment (sldns_buffer *buf, size_t start) |
remove trailing ;... More... | |
static int | chunkline_is_comment_line_or_empty (sldns_buffer *buf) |
see if a chunkline is a comment line (or empty line) | |
static int | chunkline_get_line_collated (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf) |
find a line with ( ) collated | |
static int | http_parse_origin (sldns_buffer *buf, struct sldns_file_parse_state *pstate) |
process $ORIGIN for http, 0 nothing, 1 done, 2 error | |
static int | http_parse_ttl (sldns_buffer *buf, struct sldns_file_parse_state *pstate) |
process $TTL for http, 0 nothing, 1 done, 2 error | |
static int | chunkline_non_comment_RR (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf, struct sldns_file_parse_state *pstate) |
find noncomment RR line in chunks, collates lines if ( ) format | |
static int | http_zonefile_syntax_check (struct auth_xfer *xfr, sldns_buffer *buf) |
check syntax of chunklist zonefile, parse first RR, return false on failure and return a string in the scratch buffer (first RR string) on failure. | |
static size_t | chunklist_sum (struct auth_chunk *list) |
sum sizes of chunklist | |
static void | chunkline_newline_removal (sldns_buffer *buf) |
remove newlines from collated line | |
static int | http_parse_add_rr (struct auth_xfer *xfr, struct auth_zone *z, sldns_buffer *buf, struct sldns_file_parse_state *pstate) |
for http download, parse and add RR to zone | |
static void | chunk_rrlist_start (struct auth_xfer *xfr, struct auth_chunk **rr_chunk, int *rr_num, size_t *rr_pos) |
RR list iterator, returns RRs from answer section one by one from the dns packets in the chunklist. | |
static int | chunk_rrlist_end (struct auth_chunk *rr_chunk, int rr_num) |
RR list iterator, see if we are at the end of the list. | |
static void | chunk_rrlist_gonext (struct auth_chunk **rr_chunk, int *rr_num, size_t *rr_pos, size_t rr_nextpos) |
RR list iterator, move to next RR. | |
static int | chunk_rrlist_get_current (struct auth_chunk *rr_chunk, int rr_num, size_t rr_pos, uint8_t **rr_dname, uint16_t *rr_type, uint16_t *rr_class, uint32_t *rr_ttl, uint16_t *rr_rdlen, uint8_t **rr_rdata, size_t *rr_nextpos) |
RR iterator, get current RR information, false on parse error. | |
static void | log_rrlist_position (const char *label, struct auth_chunk *rr_chunk, uint8_t *rr_dname, uint16_t rr_type, size_t rr_counter) |
print log message where we are in parsing the zone transfer | |
static int | ixfr_start_serial (struct auth_chunk *rr_chunk, int rr_num, size_t rr_pos, uint8_t *rr_dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t *rr_rdata, size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) |
check that start serial is OK for ixfr. More... | |
static int | apply_ixfr (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer) |
apply IXFR to zone in memory. More... | |
static int | apply_axfr (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer) |
apply AXFR to zone in memory. More... | |
static int | apply_http (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer) |
apply HTTP to zone in memory. More... | |
static int | auth_zone_write_chunks (struct auth_xfer *xfr, const char *fname) |
write http chunks to zonefile to create downloaded file | |
static void | xfr_write_after_update (struct auth_xfer *xfr, struct module_env *env) |
write to zonefile after zone has been updated | |
static int | xfr_process_reacquire_locks (struct auth_xfer *xfr, struct module_env *env, struct auth_zone **z) |
reacquire locks and structures. More... | |
static int | xfr_process_chunk_list (struct auth_xfer *xfr, struct module_env *env, int *ixfr_fail) |
process chunk list and update zone in memory, return false if it did not work | |
static void | xfr_transfer_disown (struct auth_xfer *xfr) |
disown task_transfer. More... | |
static int | xfr_transfer_lookup_host (struct auth_xfer *xfr, struct module_env *env) |
lookup a host name for its addresses, if needed | |
static int | xfr_transfer_init_fetch (struct auth_xfer *xfr, struct module_env *env) |
initiate TCP to the target and fetch zone. More... | |
static void | xfr_transfer_nexttarget_or_end (struct auth_xfer *xfr, struct module_env *env) |
perform next lookup, next transfer TCP, or end and resume wait time task | |
static void | xfr_master_add_addrs (struct auth_master *m, struct ub_packed_rrset_key *rrset, uint16_t rrtype) |
add addrs from A or AAAA rrset to the master | |
void | auth_xfer_transfer_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status ATTR_UNUSED(sec), char *ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited)) |
callback for task_transfer lookup of host name, of A or AAAA | |
static int | check_xfer_packet (sldns_buffer *pkt, struct auth_xfer *xfr, int *gonextonfail, int *transferdone) |
check if xfer (AXFR or IXFR) packet is OK. More... | |
static int | xfer_link_data (sldns_buffer *pkt, struct auth_xfer *xfr) |
Link the data from this packet into the worklist of transferred data. | |
static void | process_list_end_transfer (struct auth_xfer *xfr, struct module_env *env) |
task transfer. More... | |
void | auth_xfer_transfer_timer_callback (void *arg) |
callback for the task_transfer timer More... | |
int | auth_xfer_transfer_tcp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *ATTR_UNUSED(repinfo)) |
callback for task_transfer tcp connections | |
int | auth_xfer_transfer_http_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo) |
callback for task_transfer http connections | |
static void | xfr_start_transfer (struct auth_xfer *xfr, struct module_env *env, struct auth_master *master) |
start transfer task by this worker , xfr is locked. | |
static void | xfr_probe_disown (struct auth_xfer *xfr) |
disown task_probe. More... | |
static int | xfr_probe_send_probe (struct auth_xfer *xfr, struct module_env *env, int timeout) |
send the UDP probe to the master, this is part of task_probe | |
void | auth_xfer_probe_timer_callback (void *arg) |
callback for task_probe timer More... | |
int | auth_xfer_probe_udp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo) |
callback for task_probe udp packets More... | |
static int | xfr_probe_lookup_host (struct auth_xfer *xfr, struct module_env *env) |
lookup a host name for its addresses, if needed | |
void | auth_xfer_probe_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status ATTR_UNUSED(sec), char *ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited)) |
callback for task_probe lookup of host name, of A or AAAA | |
static void | xfr_nextprobe_disown (struct auth_xfer *xfr) |
disown task_nextprobe. More... | |
void | auth_xfer_timer (void *arg) |
xfer nextprobe timeout callback, this is part of task_nextprobe | |
static int | have_probe_targets (struct auth_master *list) |
return true if there are probe (SOA UDP query) targets in the master list | |
void | auth_xfer_pickup_initial (struct auth_zones *az, struct module_env *env) |
initial pick up of worker timeouts, ties events to worker event loop More... | |
void | auth_zones_cleanup (struct auth_zones *az) |
Cleanup auth zones. More... | |
static struct auth_xfer * | auth_xfer_new (struct auth_zone *z) |
malloc the xfer and tasks More... | |
struct auth_xfer * | auth_xfer_create (struct auth_zones *az, struct auth_zone *z) |
Create auth_xfer structure. More... | |
static struct auth_master * | auth_master_new (struct auth_master ***list) |
create new auth_master structure | |
static char * | dup_prefix (char *str, size_t num) |
dup_prefix : create string from initial part of other string, malloced | |
static char * | dup_all (char *str) |
dup string and print error on error | |
static char * | str_find_first_of_chars (char *s, char a, char b) |
find first of two characters | |
static int | parse_url (char *url, char **host, char **file, int *port, int *ssl) |
parse URL into host and file parts, false on malloc or parse error | |
int | xfer_set_masters (struct auth_master **list, struct config_auth *c, int with_http) |
Set masters in auth xfer structure from config. More... | |
int | compare_serial (uint32_t a, uint32_t b) |
int | zonemd_hashalgo_supported (int hashalgo) |
returns true if a zonemd hash algo is supported | |
int | zonemd_scheme_supported (int scheme) |
returns true if a zonemd scheme is supported | |
static struct secalgo_hash * | zonemd_digest_init (int hashalgo, char **reason) |
initialize hash for hashing with zonemd hash algo | |
static int | zonemd_digest_update (int hashalgo, struct secalgo_hash *h, uint8_t *data, size_t len, char **reason) |
update the hash for zonemd | |
static int | zonemd_digest_finish (int hashalgo, struct secalgo_hash *h, uint8_t *result, size_t hashlen, size_t *resultlen, char **reason) |
finish the hash for zonemd | |
static size_t | authdata_rrsets_to_list (struct auth_rrset **array, size_t arraysize, struct auth_rrset *first) |
add rrsets from node to the list | |
static int | rrlist_compare (const void *arg1, const void *arg2) |
compare rr list entries | |
static void | addrrsigtype_if_needed (struct auth_rrset **array, size_t arraysize, size_t *rrnum, struct auth_data *node) |
add type RRSIG to rr list if not one there already, this is to perform RRSIG collate processing at that point. | |
static int | zonemd_simple_rrset (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct auth_rrset *rrset, struct regional *region, struct sldns_buffer *buf, char **reason) |
collate the RRs in an RRset using the simple scheme | |
static size_t | zonemd_simple_count_rrsig (struct auth_rrset *rrset, struct auth_rrset **rrlist, size_t rrnum, struct auth_zone *z, struct auth_data *node) |
count number of RRSIGs in a domain name rrset list | |
static int | zonemd_simple_rrsig_allocs (struct regional *region, struct packed_rrset_data *data, size_t count) |
allocate sparse rrset data for the number of entries in the temp region
static void | add_rrlist_rrsigs_into_data (struct packed_rrset_data *data, size_t *done, struct auth_rrset **rrlist, size_t rrnum, struct auth_zone *z, struct auth_data *node) |
add the RRSIGs from the rrs in the domain into the data | |
static void | add_rrset_into_data (struct packed_rrset_data *data, size_t *done, struct auth_rrset *rrset, struct auth_zone *z, struct auth_data *node) |
static int | zonemd_simple_rrsig (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct auth_rrset *rrset, struct auth_rrset **rrlist, size_t rrnum, struct regional *region, struct sldns_buffer *buf, char **reason) |
collate the RRSIGs using the simple scheme | |
static int | zonemd_simple_domain (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct regional *region, struct sldns_buffer *buf, char **reason) |
collate a domain's rrsets using the simple scheme | |
static int | zonemd_simple_collate (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct regional *region, struct sldns_buffer *buf, char **reason) |
collate the zone using the simple scheme | |
int | auth_zone_generate_zonemd_hash (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t hashlen, size_t *resultlen, struct regional *region, struct sldns_buffer *buf, char **reason) |
Generate ZONEMD digest for the auth zone. More... | |
int | auth_zone_generate_zonemd_check (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t hashlen, struct regional *region, struct sldns_buffer *buf, char **reason) |
Check ZONEMD digest for the auth zone. More... | |
static void | auth_zone_log (uint8_t *name, enum verbosity_value level, const char *format,...) ATTR_FORMAT(printf |
log auth zone message with zone name in front. | |
static int | zonemd_dnssec_verify_rrset (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *node, struct auth_rrset *rrset, char **why_bogus, uint8_t *sigalg, char *reasonbuf, size_t reasonlen) |
ZONEMD, dnssec verify the rrset with the dnskey. | |
static int | nsec3_of_param_has_type (struct auth_rrset *nsec3, int algo, size_t iter, uint8_t *salt, size_t saltlen, uint16_t rrtype) |
check for nsec3, the RR with params equal, if bitmap has the type | |
static int | zonemd_check_dnssec_absence (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *apex, char **reason, char **why_bogus, uint8_t *sigalg, char *reasonbuf, size_t reasonlen) |
Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag. More... | |
static int | zonemd_check_dnssec_soazonemd (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *apex, struct auth_rrset *zonemd_rrset, char **reason, char **why_bogus, uint8_t *sigalg, char *reasonbuf, size_t reasonlen) |
Verify the SOA and ZONEMD DNSSEC signatures. More... | |
static void | auth_zone_zonemd_fail (struct auth_zone *z, struct module_env *env, char *reason, char *why_bogus, char **result) |
Fail the ZONEMD verification. More... | |
static void | auth_zone_verify_zonemd_with_key (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, int is_insecure, char **result, uint8_t *sigalg) |
Verify the zonemd with DNSSEC and hash check, with given key. More... | |
static struct ub_packed_rrset_key * | zonemd_get_dnskey_from_anchor (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct trust_anchor *anchor, int *is_insecure, char **why_bogus, struct ub_packed_rrset_key *keystorage, char *reasonbuf, size_t reasonlen) |
verify the zone DNSKEY rrset from the trust anchor. This is possible because the anchor is for the zone itself, and can thus apply directly to the zone DNSKEY set. More...
static struct ub_packed_rrset_key * | auth_zone_verify_zonemd_key_with_ds (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *ds, int *is_insecure, char **why_bogus, struct ub_packed_rrset_key *keystorage, uint8_t *sigalg, char *reasonbuf, size_t reasonlen) |
verify the DNSKEY from the zone with looked up DS record | |
void | auth_zonemd_dnskey_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status sec, char *why_bogus, int ATTR_UNUSED(was_ratelimited)) |
callback for ZONEMD lookup of DNSKEY | |
static int | zonemd_lookup_dnskey (struct auth_zone *z, struct module_env *env) |
lookup DNSKEY for ZONEMD verification | |
void | auth_zone_verify_zonemd (struct auth_zone *z, struct module_env *env, struct module_stack *mods, char **result, int offline, int only_online) |
Perform ZONEMD checks and verification for the auth zone. More... | |
void | auth_zones_pickup_zonemd_verify (struct auth_zones *az, struct module_env *env) |
Check the ZONEMD records that need online DNSSEC chain lookups, for them spawn the lookup process to get it checked out. More... | |
This file contains the functions for an authority zone.
This zone is queried by the iterator, just like a stub or forward zone, but then the data is locally held.
#define N3HASHBUFLEN 32 |
bytes to use for NSEC3 hash buffer.
20 for sha1
#define NUM_TIMEOUTS_FALLBACK_IXFR 3 |
number of timeouts before we fall back from IXFR to AXFR, because some versions of servers (e.g.
dnsmasq) drop IXFR packets.
|
static |
pick up nextprobe task to start waiting to perform transfer actions
for task_nextprobe.
determine next timeout for auth_xfer. Also (re)sets timer.
xfr | task structure |
env | module environment, with worker and time. |
failure | set true if timer should be set for failure retry. |
lookup_only | only perform lookups when timer done, 0 sec timeout |
References auth_nextprobe::backoff, auth_xfer::lease_time, log_assert, auth_nextprobe::next_probe, module_env::now, auth_xfer::task_nextprobe, and module_env::worker.
Referenced by auth_xfer_pickup_initial(), process_list_end_transfer(), xfr_probe_send_or_end(), and xfr_transfer_nexttarget_or_end().
|
static |
move to sending the probe packets, next if fails.
task_probe
References AUTH_PROBE_TIMEOUT, dname_str(), auth_probe::have_new_lease, auth_xfer::have_zone, auth_xfer::lease_time, auth_xfer::lock, auth_probe::lookup_target, auth_xfer::name, module_env::now, auth_probe::only_lookup, probe_copy_masters_for_allow_notify(), auth_xfer::task_nextprobe, auth_xfer::task_probe, VERB_ALGO, verbose(), verbosity, xfr_probe_disown(), xfr_probe_end_of_list(), xfr_probe_lookup_host(), xfr_probe_move_to_next_lookup(), xfr_probe_nextmaster(), xfr_probe_send_probe(), and xfr_set_timeout().
Referenced by auth_xfer_probe_timer_callback(), auth_xfer_probe_udp_callback(), and xfr_start_probe().
|
static |
pick up the probe task with the specified (or NULL) destination first, or the transfer task if there is nothing to probe; returns false if already in progress
start task_probe if possible; if there are no masters to probe, start task_transfer. Returns true if a task has been started, and false if the task is already in progress.
References auth_probe::cp, auth_probe::have_new_lease, have_probe_targets(), auth_probe::masters, auth_probe::only_lookup, auth_xfer::task_probe, auth_xfer::task_transfer, module_env::worker, xfr_probe_send_or_end(), xfr_probe_start_list(), xfr_probe_start_lookups(), and xfr_start_transfer().
Referenced by auth_xfer_timer(), process_list_end_transfer(), and xfr_process_notify().
void auth_xfer_delete | ( | struct auth_xfer * | xfr | ) |
delete xfer structure (not its tree entry)
delete auth xfer structure
xfr | delete this xfer and its tasks. |
References auth_xfer::allow_notify_list, auth_chunks_delete(), auth_free_masters(), auth_transfer::chunks_first, comm_point_delete(), comm_timer_delete(), auth_probe::cp, auth_transfer::cp, auth_xfer::lock, auth_probe::masters, auth_transfer::masters, auth_xfer::name, auth_xfer::task_nextprobe, auth_xfer::task_probe, auth_xfer::task_transfer, auth_nextprobe::timer, auth_probe::timer, and auth_transfer::timer.
Referenced by az_delete_deleted_zones().
struct auth_zone* auth_zone_create | ( | struct auth_zones * | az, |
uint8_t * | nm, | ||
size_t | nmlen, | ||
uint16_t | dclass | ||
) |
create an auth zone.
returns a wrlocked zone. The caller must hold the wrlock on az. Returns NULL on malloc failure
References auth_data_cmp(), auth_zone_delete(), auth_zone::data, auth_zone::dclass, dname_count_labels(), rbnode_type::key, auth_zone::lock, log_warn(), memdup(), auth_zone::name, auth_zone::namelabs, auth_zone::namelen, auth_zone::node, rbtree_init(), rbtree_insert(), auth_zone::rpz_az_next, auth_zone::rpz_az_prev, and auth_zones::ztree.
Referenced by auth_zones_find_or_add_zone().
struct auth_zone* auth_zones_find_zone | ( | struct auth_zones * | az, |
uint8_t * | name, | ||
size_t | name_len, | ||
uint16_t | dclass | ||
) |
find the auth zone that is above the given name
Find the auth zone that is above the given qname.
References auth_zone_find(), auth_zone_find_less_equal(), auth_zone::dclass, dname_count_size_labels(), dname_get_shared_topdomain(), dname_is_root(), dname_remove_label(), and auth_zone::name.
Referenced by auth_zone_delegpt(), and auth_zones_answer().
|
static |
find or create zone with name str.
caller must have lock on az. returns a wrlocked zone
References auth_zone_create(), auth_zone_find(), LDNS_MAX_DOMAINLEN, LDNS_RR_CLASS_IN, auth_zone::lock, log_err(), auth_zone::name, and sldns_str2wire_dname_buf().
Referenced by auth_zones_cfg().
|
static |
find or create xfer zone with name str.
caller must have lock on az. returns a locked xfer
References auth_xfer_create(), auth_xfer_find(), auth_zone::dclass, auth_xfer::lock, auth_zone::name, and auth_zone::namelen.
Referenced by auth_zones_cfg().
int auth_zone_set_zonefile | ( | struct auth_zone * | z, |
char * | zonefile | ||
) |
set auth zone zonefile string.
caller must have lock on zone
References log_err(), and auth_zone::zonefile.
Referenced by auth_zones_cfg().
int auth_zone_set_fallback | ( | struct auth_zone * | z, |
char * | fallbackstr | ||
) |
set auth zone fallback.
caller must have lock on zone
References auth_zone::fallback_enabled, and log_err().
|
static |
find an rrsig index in the rrset.
returns true if found
References packed_rrset_data::count, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by az_domain_remove_rr().
|
static |
get rrsig type covered from rdata.
rdata | rdata in wireformat, starting with 16bit rdlength. |
rdatalen | length of rdata buffer. |
Referenced by az_domain_add_rr(), az_domain_remove_rr(), rrset_moveover_rrsigs(), rrsig_num_that_cover(), and zonemd_simple_count_rrsig().
|
static |
remove RR from existing RRset.
Also from the RRSIGs, if the RR is a signature. Reallocates the packed rrset for a new one; false on alloc failure
References packed_rrset_data::count, auth_rrset::data, log_err(), packed_rrset_ptr_fixup(), packed_rrset_sizeof(), packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, packed_rrset_data::rrsig_count, packed_rrset_data::security, packed_rrset_data::trust, and packed_rrset_data::ttl.
Referenced by az_domain_remove_rr().
|
static |
add RR to existing RRset.
If insert_sig is true, add to rrsigs. This reallocates the packed rrset for a new one
References packed_rrset_data::count, auth_rrset::data, log_err(), packed_rrset_ptr_fixup(), packed_rrset_sizeof(), packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, packed_rrset_data::rrsig_count, and packed_rrset_data::ttl.
Referenced by az_domain_add_rr(), and rrsigs_copy_from_rrset_to_rrsigset().
|
static |
copy the rrsigs from the rrset to the rrsig rrset, because the rrset is going to be deleted.
reallocates the RRSIG rrset data.
References packed_rrset_data::count, auth_rrset::data, rdata_duplicate(), packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, rrset_add_rr(), and packed_rrset_data::rrsig_count.
Referenced by az_domain_remove_rr().
|
static |
Parse zonefile.
z | zone to read in. |
in | file to read from (just opened). |
rr | buffer to use for RRs, 64k. passed so that recursive includes can use the same buffer and do not grow the stack too much. |
rrbuflen | sizeof rr buffer. |
state | parse state with $ORIGIN, $TTL and 'prev-dname' and so on, that is kept between includes. The lineno is set at 1 and then increased by the function. |
fname | file name. |
depth | recursion depth for includes |
cfg | config for chroot. returns false on failure, has printed an error message |
References sldns_file_parse_state::lineno, and sldns_fp2wire_rr_buf().
Referenced by auth_zone_read_zonefile().
int auth_zone_read_zonefile | ( | struct auth_zone * | z, |
struct config_file * | cfg | ||
) |
read auth zone from zonefile.
caller must lock zone. false on failure
References auth_data_cmp(), auth_data_del(), az_parse_file(), config_file::chrootdir, auth_zone::data, sldns_file_parse_state::default_ttl, dname_str(), LDNS_RR_BUF_SIZE, log_err(), auth_zone::name, auth_zone::namelen, sldns_file_parse_state::origin, sldns_file_parse_state::origin_len, rbtree_init(), auth_zone::rpz, rpz_clear(), rpz_finish_config(), sldns_wire2str_dname(), traverse_postorder(), VERB_ALGO, verbose(), verbosity, auth_zone::zone_is_slave, and auth_zone::zonefile.
Referenced by auth_zones_read_zones(), and do_auth_zone_reload().
|
static |
offline verify for zonemd, while reading a zone file to immediately spot bad hashes in zonefile as they are read.
Creates temp buffers, but uses anchors and validation environment from the module_env.
References auth_zone_verify_zonemd(), module_env::cfg, log_err(), config_file::msg_buffer_size, module_env::now, regional_create(), regional_destroy(), module_env::scratch, module_env::scratch_buffer, sldns_buffer_free(), sldns_buffer_new(), and auth_zone::zonemd_check.
Referenced by auth_zones_read_zones().
|
static |
See if the ZONEMD scheme, hash occurs more than once.
zonemd_rrset | the zonemd rrset to check with the RRs in it. |
index | index of the original, this is allowed to have that scheme and hashalgo, but other RRs should not have it. |
scheme | the scheme to check for. |
hashalgo | the hash algorithm to check for. |
References packed_rrset_data::count, auth_rrset::data, VERB_ALGO, verbose(), and zonemd_fetch_parameters().
|
static |
Check ZONEMDs if present for the auth zone.
Depending on config it can warn or fail on that. Checks the hash of the ZONEMD.
z | auth zone to check for. caller must hold lock on zone. |
env | module env for temp buffers. |
reason | returned on failure. |
References auth_zone_get_serial(), az_domain_rrset(), az_find_name(), auth_zone::name, auth_zone::namelen, regional_free_all(), module_env::scratch, and module_env::scratch_buffer.
struct auth_rrset* auth_zone_get_soa_rrset | ( | struct auth_zone * | z | ) |
find the apex SOA RRset, if it exists
find the apex SOA RRset, if it exists.
References az_domain_rrset(), az_find_name(), LDNS_RR_TYPE_SOA, auth_zone::name, and auth_zone::namelen.
Referenced by rpz_add_soa().
int auth_zone_get_serial | ( | struct auth_zone * | z, |
uint32_t * | serial | ||
) |
find serial number of zone or false if none
find serial number of zone or false if none (no SOA record)
References az_domain_rrset(), az_find_name(), packed_rrset_data::count, auth_rrset::data, LDNS_RR_TYPE_SOA, auth_zone::name, auth_zone::namelen, and packed_rrset_data::rr_len.
Referenced by auth_zone_zonemd_check_hash(), and do_list_auth_zones().
Set up the auth_xfer zone. This populates have_zone, the SOA values, the times, and so on.
Doesn't do network traffic yet, can set option flags.
z | locked by caller, and modified for setup |
x | locked by caller, and modified. |
References xfr_find_soa().
Referenced by auth_zones_setup_zones().
|
static |
Setup all zones.
az | auth zones structure |
References auth_xfer_find(), auth_xfer_setup(), auth_zone::dclass, auth_zones::lock, auth_zone::lock, auth_xfer::lock, auth_zone::name, auth_zone::namelen, RBTREE_FOR, and auth_zones::ztree.
Referenced by auth_zones_apply_cfg().
|
static |
find zones that are marked deleted and delete them.
This is called from apply_cfg, and there are no threads and no workers, so the xfr can just be deleted.
References auth_xfer_delete(), auth_xfer_find(), auth_zone_delete(), auth_zone::dclass, auth_zone::delete_next, auth_zones::lock, auth_zone::lock, auth_zone::name, auth_zone::namelen, auth_zone::node, auth_xfer::node, rbtree_delete(), RBTREE_FOR, auth_zones::xtree, auth_zone::zone_deleted, and auth_zones::ztree.
Referenced by auth_zones_apply_cfg().
int auth_zones_apply_cfg | ( | struct auth_zones * | az, |
struct config_file * | cfg, | ||
int | setup, | ||
int * | is_rpz, | ||
struct module_env * | env, | ||
struct module_stack * | mods | ||
) |
Apply configuration to auth zones.
Reads zonefiles.
az | auth zones structure |
cfg | config to apply. |
setup | if true, also sets up values in the auth zones structure |
is_rpz | set to 1 if at least one RPZ zone is configured. |
env | environment for offline verification. |
mods | modules in environment. |
References auth_zones_cfg(), auth_zones_read_zones(), auth_zones_setup_zones(), config_file::auths, az_delete_deleted_zones(), az_setall_deleted(), config_auth::isrpz, log_err(), log_warn(), config_auth::name, and config_auth::next.
Referenced by check_auth(), and context_finalize().
|
static |
delete chunks
at | transfer structure with chunks list. The chunks and their data are freed. |
References auth_transfer::chunks_first, auth_transfer::chunks_last, auth_chunk::data, and auth_chunk::next.
Referenced by auth_xfer_delete(), auth_xfer_transfer_http_callback(), auth_xfer_transfer_timer_callback(), auth_zones_cleanup(), and process_list_end_transfer().
|
static |
Find the closest encloser, an name that exists and is above the qname.
return true if the node (param node) is existing, nonobscured and can be used to generate answers from. It is then also node_exact. returns false if the node is not good enough (or it wasn't node_exact) in this case the ce can be filled. if ce is NULL, no ce exists, and likely the zone is completely empty, not even with a zone apex. if ce is nonNULL it is the closest enclosing upper name (that exists itself for answer purposes). That name may have DNAME, NS or wildcard rrset is the closest DNAME or NS rrset that was found.
References az_domain_go_up(), az_domain_rrset(), az_find_candidate_ce(), domain_has_only_nsec3(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, auth_zone::namelen, auth_data::namelen, auth_data::node, query_info::qname_len, and query_info::qtype.
Referenced by auth_zone_generate_answer().
|
static |
See if the query goes to an empty nonterminal (a name that has no auth_data, but has nodes underneath).
We already checked that there is no NS or DNAME above, so we only need to check whether some node exists below (with a nonempty rr list). Returns true if it is an empty nonterminal
References auth_zone::data, dname_strict_subdomain_c(), auth_data::name, auth_data::node, query_info::qname, rbtree_first(), rbtree_next(), RBTREE_NULL, and auth_data::rrsets.
Referenced by az_generate_answer_nonexistnode().
|
static |
Hash a name with nsec3param into buffer, it has zone name appended.
return length of hash
References LDNS_MAX_DOMAINLEN, N3HASHBUFLEN, nsec3_hash_algo_size_supported(), query_dname_tolower(), and secalgo_nsec3_hash().
Referenced by az_nsec3_hashname().
|
static |
Return nextcloser name (as a ref into the qname).
This is one label more than the cenm (cename must be a suffix of qname)
References dname_count_labels(), dname_remove_labels(), dname_strict_subdomain(), and log_assert.
|
static |
Find the closest encloser that has exact NSEC3.
updates cenm to the new name. If it went up, no-exact-ce is true.
References az_nsec3_find_exact(), dname_remove_label(), auth_zone::namelen, and auth_data::node.
|
static |
add NSEC3 records to the zone for the nsec3 proof.
Specify with the flags which parts of the proof are required. The ce is the exact matching name (for notype) but also delegation points. qname is the one from which the nextcloser name can be derived. If NSEC3 is not properly there (in the zone) nothing is added. Always enabled: include the NSEC3 proving the Closest Encloser, that is an exact match that should exist for it. If that does not exist, a higher exact match + nxproof is enabled (for some sort of opt-out empty nonterminal cases). nodataproof: search for an exact match and include that instead. ceproof: include the ce proof NSEC3 (omitted for wildcard replies). nxproof: include denial of the qname. wcproof: include denial of the wildcard (wildcard.ce).
References az_nsec3_find_exact(), az_nsec3_param(), match(), and auth_data::node.
Referenced by az_generate_wildcard_answer().
|
static |
Generate answer without an existing-node that we can use.
So it'll be a referral, DNAME or nxdomain
References az_empty_nonterminal(), az_find_wildcard(), az_generate_dname_answer(), az_generate_notype_answer(), az_generate_nxdomain_answer(), az_generate_referral_answer(), az_generate_wildcard_answer(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_NS, auth_data::node, and auth_rrset::type.
Referenced by auth_zone_generate_answer().
int auth_zones_lookup | ( | struct auth_zones * | az, |
struct query_info * | qinfo, | ||
struct regional * | region, | ||
struct dns_msg ** | msg, | ||
int * | fallback, | ||
uint8_t * | dp_nm, | ||
size_t | dp_nmlen | ||
) |
Use auth zones to lookup the answer to a query.
The query is from the iterator. And the auth zones attempts to provide the answer instead of going to the internet.
az | auth zones structure. |
qinfo | query info to lookup. |
region | region to use to allocate the reply in. |
msg | reply is stored here (if one). |
fallback | if true, fallback to making a query to the internet. |
dp_nm | name of delegation point to look for. This zone is used to answer the query. If the dp_nm is not found, fallback is set to true and false returned. |
dp_nmlen | length of dp_nm. |
References auth_zone_find(), auth_zone_generate_answer(), auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, auth_zone::lock, query_info::qclass, and auth_zone::zone_expired.
Referenced by q_ans_query().
int auth_zones_answer | ( | struct auth_zones * | az, |
struct module_env * | env, | ||
struct query_info * | qinfo, | ||
struct edns_data * | edns, | ||
struct comm_reply * | repinfo, | ||
struct sldns_buffer * | buf, | ||
struct regional * | temp | ||
) |
Answer query from auth zone.
Create authoritative answer.
az | auth zones structure. |
env | the module environment. |
qinfo | query info (parsed). |
edns | edns info (parsed). |
buf | buffer with query ID and flags, also for reply. |
repinfo | reply information for a communication point. |
temp | temporary storage region. |
References auth_error_encode(), auth_zones_find_zone(), dname_remove_label(), auth_zone::fallback_enabled, auth_zone::for_downstream, auth_zones::have_downstream, LDNS_RR_TYPE_DS, auth_zones::lock, auth_zone::lock, auth_zones::num_query_down, query_info::qclass, query_info::qname, query_info::qname_len, query_info::qtype, and auth_zone::zone_expired.
Referenced by handle_newq().
int auth_zones_can_fallback | ( | struct auth_zones * | az, |
uint8_t * | nm, | ||
size_t | nmlen, | ||
uint16_t | dclass | ||
) |
see if the auth zone for the name can fallback
az | auth zones |
nm | name of delegation point. |
nmlen | length of nm. |
dclass | class of zone to look for. |
References auth_zone_find(), auth_zone::dclass, auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, and auth_zone::lock.
int auth_zone_parse_notify_serial | ( | struct sldns_buffer * | pkt, |
uint32_t * | serial | ||
) |
process notify packet and read serial number from SOA.
returns 0 if there is no SOA record in the notify
References query_info_parse(), and sldns_buffer_set_position().
|
static |
see if the serial means the zone has to be updated, i.e.
the serial is newer than the zone serial, or we have no zone
References auth_xfer::have_zone, and auth_xfer::zone_expired.
Referenced by auth_xfer_probe_udp_callback(), process_list_end_transfer(), and xfr_process_notify().
|
static |
process a notify serial, start new probe or note serial.
xfr is locked
References auth_xfer::lock, xfr_note_notify_serial(), xfr_serial_means_update(), and xfr_start_probe().
Referenced by auth_zones_notify(), and auth_zones_startprobesequence().
int auth_zones_notify | ( | struct auth_zones * | az, |
struct module_env * | env, | ||
uint8_t * | nm, | ||
size_t | nmlen, | ||
uint16_t | dclass, | ||
struct sockaddr_storage * | addr, | ||
socklen_t | addrlen, | ||
int | has_serial, | ||
uint32_t | serial, | ||
int * | refused | ||
) |
process notify for auth zones.
first checks the access list. Then processes the notify. This starts the probe sequence or it notes the serial number (if any)
az | auth zones structure. |
env | module env of the worker that is handling the notify. it will pick up the task probe (or transfer), unless already in progress by another worker. |
nm | name of the zone. Uncompressed. from query. |
nmlen | length of name. |
dclass | class of zone. |
addr | source address of notify |
addrlen | length of addr. |
has_serial | if true, the notify has a serial attached. |
serial | the serial number, if has_serial is true. |
refused | is set to true on failure to note refused access. |
References auth_xfer_find(), az_xfr_allowed_notify(), auth_zones::lock, auth_xfer::lock, and xfr_process_notify().
int auth_zones_startprobesequence | ( | struct auth_zones * | az, |
struct module_env * | env, | ||
uint8_t * | nm, | ||
size_t | nmlen, | ||
uint16_t | dclass | ||
) |
for the zone and if not already going, starts the probe sequence.
false if zone cannot be found. This is like a notify arrived and was accepted for that zone.
References auth_xfer_find(), auth_xfer::dclass, auth_zones::lock, auth_xfer::lock, and xfr_process_notify().
Referenced by do_auth_zone_transfer().
|
static |
Remove a trailing `;...`
comment from a line in the chunkline buffer.
References sldns_buffer_position(), sldns_buffer_read_u8_at(), and sldns_buffer_set_position().
Referenced by chunkline_get_line_collated().
static |
check that start serial is OK for ixfr.
We are at rr_counter == 0, and we are going to check the serial of rr_counter == 1 (which has to be of type SOA).
References chunk_rrlist_end(), chunk_rrlist_get_current(), chunk_rrlist_gonext(), LDNS_RR_TYPE_SOA, VERB_OPS, and verbose().
static |
apply IXFR to zone in memory.
z is locked. Returns false on failure (malloc failure).
References chunk_rrlist_end(), chunk_rrlist_get_current(), chunk_rrlist_start(), LDNS_RR_TYPE_SOA, log_rrlist_position(), and verbosity.
Referenced by xfr_process_chunk_list().
static |
apply AXFR to zone in memory.
z is locked. Returns false on failure (malloc failure).
References auth_data_cmp(), auth_data_del(), chunk_rrlist_end(), chunk_rrlist_get_current(), chunk_rrlist_start(), auth_zone::data, auth_xfer::have_zone, LDNS_RR_TYPE_SOA, log_rrlist_position(), rbtree_init(), auth_zone::rpz, rpz_clear(), auth_xfer::serial, traverse_postorder(), and verbosity.
Referenced by xfr_process_chunk_list().
static |
apply HTTP to zone in memory.
z is locked. Returns false on failure (malloc failure).
References auth_data_cmp(), auth_data_del(), chunkline_get_line_collated(), chunkline_is_comment_line_or_empty(), chunkline_newline_removal(), chunklist_sum(), auth_transfer::chunks_first, auth_zone::data, auth_chunk::data, sldns_file_parse_state::default_ttl, auth_master::file, auth_xfer::have_zone, auth_master::host, http_parse_add_rr(), http_parse_origin(), http_parse_ttl(), http_zonefile_syntax_check(), auth_chunk::len, sldns_file_parse_state::lineno, log_err(), log_info(), auth_transfer::master, auth_xfer::name, auth_xfer::namelen, sldns_file_parse_state::origin, sldns_file_parse_state::origin_len, rbtree_init(), auth_zone::rpz, rpz_clear(), auth_xfer::serial, sldns_buffer_begin(), auth_xfer::task_transfer, traverse_postorder(), VERB_ALGO, verbose(), and verbosity.
Referenced by xfr_process_chunk_list().
static |
reacquire locks and structures.
Starts with no locks held; on success ends with the xfr and z locks held, on failure the z lock is not held.
References auth_zone_find(), module_env::auth_zones, auth_xfer::dclass, auth_zones::lock, auth_xfer::lock, auth_xfer::name, and auth_xfer::namelen.
Referenced by xfr_process_chunk_list().
static |
disown task_transfer.
caller must hold xfr.lock
References comm_point_delete(), comm_timer_delete(), auth_transfer::cp, auth_xfer::task_transfer, and auth_transfer::timer.
Referenced by auth_zones_cleanup(), process_list_end_transfer(), and xfr_transfer_nexttarget_or_end().
static |
initiate TCP to the target and fetch zone.
Returns true if the fetch was started successfully and the timeout was set up.
References auth_addr::addr, auth_addr::addrlen, auth_master::allow_notify, auth_xfer_transfer_timer_callback(), authextstrtoaddr(), comm_point_delete(), comm_timer_create(), auth_transfer::cp, dname_str(), auth_master::host, log_err(), auth_transfer::master, auth_xfer::name, auth_transfer::scan_addr, auth_xfer::task_transfer, auth_transfer::timer, and module_env::worker_base.
Referenced by xfr_transfer_nexttarget_or_end().
static |
check if xfer (AXFR or IXFR) packet is OK.
Returns false if we lost the connection (SERVFAIL, or the packet is unreadable). Returns false if we need to move from IXFR to AXFR, with gonextonfail set to false, so that the same master is tried again but with AXFR. Returns true if the packet is fine to link into the data. Returns true with transferdone=true when the transfer has ended.
References sldns_buffer_begin(), and sldns_buffer_limit().
static |
task transfer.
The list of data is complete. Process it; if that fails, move to the next master, and if it succeeds, end the task transfer.
References auth_chunks_delete(), auth_transfer::ixfr_fail, auth_xfer::lock, auth_xfer::notify_has_serial, auth_xfer::notify_received, auth_xfer::notify_serial, auth_xfer::task_nextprobe, auth_xfer::task_transfer, xfr_process_chunk_list(), xfr_serial_means_update(), xfr_set_timeout(), xfr_start_probe(), xfr_transfer_disown(), xfr_transfer_nextmaster(), and xfr_transfer_nexttarget_or_end().
Referenced by auth_xfer_transfer_http_callback().
void auth_xfer_transfer_timer_callback | ( | void * | arg | ) |
callback for the task_transfer timer
xfer transfer timeout callback, part of task_transfer
References auth_chunks_delete(), comm_point_delete(), auth_transfer::cp, auth_master::host, auth_transfer::ixfr_fail, auth_transfer::ixfr_possible_timeout_count, auth_xfer::lock, log_assert, auth_transfer::master, NUM_TIMEOUTS_FALLBACK_IXFR, auth_transfer::on_ixfr, module_env::outnet, auth_xfer::task_transfer, VERB_ALGO, verbose(), outside_network::want_to_quit, xfr_transfer_nextmaster(), and xfr_transfer_nexttarget_or_end().
Referenced by fptr_whitelist_comm_timer(), and xfr_transfer_init_fetch().
static |
disown task_probe.
caller must hold xfr.lock
References comm_point_delete(), comm_timer_delete(), auth_probe::cp, auth_xfer::task_probe, and auth_probe::timer.
Referenced by auth_xfer_probe_udp_callback(), auth_zones_cleanup(), and xfr_probe_send_or_end().
void auth_xfer_probe_timer_callback | ( | void * | arg | ) |
callback for task_probe timer
xfer probe timeout callback, part of task_probe
References AUTH_PROBE_TIMEOUT_STOP, comm_point_delete(), auth_probe::cp, dname_str(), auth_xfer::lock, log_assert, auth_xfer::name, module_env::outnet, auth_xfer::task_probe, auth_probe::timeout, VERB_ALGO, verbose(), verbosity, outside_network::want_to_quit, xfr_probe_nextmaster(), xfr_probe_send_or_end(), and xfr_probe_send_probe().
Referenced by fptr_whitelist_comm_timer(), and xfr_probe_send_probe().
int auth_xfer_probe_udp_callback | ( | struct comm_point * | c, |
void * | arg, | ||
int | err, | ||
struct comm_reply * | repinfo | ||
) |
callback for task_probe udp packets
callback for commpoint udp replies to task_probe
References comm_point::buffer, comm_reply::c, check_packet_ok(), comm_point_delete(), comm_timer_disable(), auth_probe::cp, dname_str(), auth_probe::have_new_lease, auth_master::http, LDNS_RR_TYPE_SOA, auth_xfer::lock, log_assert, auth_transfer::masters, auth_xfer::name, NETEVENT_NOERROR, module_env::outnet, auth_xfer::task_probe, auth_xfer::task_transfer, auth_probe::timer, VERB_ALGO, verbose(), verbosity, outside_network::want_to_quit, xfr_probe_current_master(), xfr_probe_disown(), xfr_probe_nextmaster(), xfr_probe_send_or_end(), xfr_serial_means_update(), and xfr_start_transfer().
Referenced by fptr_whitelist_comm_point(), and xfr_probe_send_probe().
static |
disown task_nextprobe.
caller must hold xfr.lock
References comm_timer_delete(), auth_nextprobe::next_probe, auth_xfer::task_nextprobe, and auth_nextprobe::timer.
Referenced by auth_xfer_timer(), and auth_zones_cleanup().
void auth_xfer_pickup_initial | ( | struct auth_zones * | az, |
struct module_env * | env | ||
) |
initial pick up of worker timeouts, ties events to worker event loop
az | auth zones structure |
env | worker env, of first worker that receives the events (if any) in its eventloop. |
References auth_xfer::have_zone, auth_xfer::lease_time, auth_zones::lock, auth_xfer::lock, module_env::now, RBTREE_FOR, auth_xfer::task_nextprobe, xfr_set_timeout(), and auth_zones::xtree.
void auth_zones_cleanup | ( | struct auth_zones * | az | ) |
Cleanup auth zones.
This removes all events from the event bases and stops the xfr tasks, but leaves the zone data in place.
az | auth zones structure. |
References auth_chunks_delete(), auth_zones::lock, auth_xfer::lock, RBTREE_FOR, auth_xfer::task_nextprobe, auth_xfer::task_probe, auth_xfer::task_transfer, xfr_nextprobe_disown(), xfr_probe_disown(), xfr_transfer_disown(), and auth_zones::xtree.
Referenced by daemon_cleanup().
malloc the xfer and tasks
z | auth_zone with name of zone. |
References auth_zone::dclass, auth_xfer::dclass, auth_xfer::expiry, auth_xfer::have_zone, rbnode_type::key, auth_xfer::lease_time, auth_xfer::lock, memdup(), auth_zone::name, auth_xfer::name, auth_zone::namelabs, auth_xfer::namelabs, auth_zone::namelen, auth_xfer::namelen, auth_xfer::node, auth_xfer::notify_received, auth_xfer::notify_serial, auth_xfer::refresh, auth_xfer::retry, auth_xfer::serial, auth_xfer::task_nextprobe, auth_xfer::task_probe, auth_xfer::task_transfer, and auth_xfer::zone_expired.
Referenced by auth_xfer_create().
struct auth_xfer* auth_xfer_create | ( | struct auth_zones * | az, |
struct auth_zone * | z | ||
) |
Create auth_xfer structure.
This populates have_zone, the SOA values and the associated times, and sets the timeout; if a zone transfer is needed, a short timeout is set. For that the auth_zone itself must exist (and have read in its zonefile). Returns false on alloc failure.
References auth_xfer_new(), log_err(), auth_xfer::node, rbtree_insert(), and auth_zones::xtree.
Referenced by auth_zones_find_or_add_xfer().
int xfer_set_masters | ( | struct auth_master ** | list, |
struct config_auth * | c, | ||
int | with_http | ||
) |
Set masters in auth xfer structure from config.
list | pointer to start of list. The malloced list is returned here. |
c | the config items to copy over. |
with_http | if true, http urls are also included, before the masters. |
References auth_master::allow_notify, config_auth::allow_notify, auth_master_new(), auth_master::file, auth_master::host, auth_master::http, auth_master::ixfr, log_err(), config_auth::masters, config_strlist::next, parse_url(), auth_master::port, auth_master::ssl, config_strlist::str, and config_auth::urls.
int auth_zone_generate_zonemd_hash | ( | struct auth_zone * | z, |
int | scheme, | ||
int | hashalgo, | ||
uint8_t * | hash, | ||
size_t | buflen, | ||
size_t * | resultlen, | ||
struct regional * | region, | ||
struct sldns_buffer * | buf, | ||
char ** | reason | ||
) |
Generate ZONEMD digest for the auth zone.
z | the auth zone to digest. Omits the ZONEMD at the apex and its RRSIG from the digest. |
scheme | the collation scheme to use. Numbers as defined for ZONEMD. |
hashalgo | the hash algo, from the registry defined for ZONEMD type. |
hash | the result buffer. |
buflen | size of the result buffer; it must be large enough or the routine fails. |
resultlen | size of the hash placed in the result buffer. |
region | temp region for allocs during canonicalisation. |
buf | temp buffer during canonicalisation. |
reason | failure reason, returns a string, NULL on success. |
References secalgo_hash_delete(), zonemd_digest_finish(), zonemd_digest_init(), ZONEMD_SCHEME_SIMPLE, and zonemd_simple_collate().
Referenced by auth_zone_generate_zonemd_check(), and zonemd_generate_test().
int auth_zone_generate_zonemd_check | ( | struct auth_zone * | z, |
int | scheme, | ||
int | hashalgo, | ||
uint8_t * | hash, | ||
size_t | hashlen, | ||
struct regional * | region, | ||
struct sldns_buffer * | buf, | ||
char ** | reason | ||
) |
Check ZONEMD digest for the auth zone.
z | auth zone to digest. |
scheme | zonemd scheme. |
hashalgo | zonemd hash algorithm. |
hash | the hash to check. |
hashlen | length of hash buffer. |
region | temp region for allocs during canonicalisation. |
buf | temp buffer during canonicalisation. |
reason | string returned with the failure reason. If the hash cannot be checked but this is allowed (for unknown algorithms), the routine returns success without having verified the digest, and reason is non-NULL, containing the allowance reason. |
References auth_zone_generate_zonemd_hash(), log_hex(), VERB_ALGO, verbose(), verbosity, zonemd_hashalgo_supported(), and zonemd_scheme_supported().
static |
Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag.
return false on failure, reason contains description of failure.
References az_domain_rrset().
static |
Verify the SOA and ZONEMD DNSSEC signatures.
return false on failure, reason contains description of failure.
References auth_zone_log(), az_domain_rrset(), LDNS_RR_TYPE_SOA, auth_zone::name, VERB_ALGO, and zonemd_dnssec_verify_rrset().
static |
Fail the ZONEMD verification.
z | auth zone that fails. |
env | environment with config, to ignore failure or not. |
reason | failure string description. |
why_bogus | failure string for DNSSEC verification failure. |
result | if not NULL, the result string is strdup'ed into here. |
References module_env::cfg, dname_str(), log_err(), log_warn(), auth_zone::name, VERB_ALGO, verbose(), auth_zone::zone_expired, and config_file::zonemd_permissive_mode.
Referenced by auth_zone_verify_zonemd().
static |
Verify the zonemd with DNSSEC and hash check, with given key.
z | auth zone. |
env | environment with config and temp buffers. |
mods | module stack with validator env for verification. |
dnskey | dnskey that we can use, or NULL. If nonnull, the key has been verified and is the start of the chain of trust. |
is_insecure | if true, the dnskey is not used and the zone is treated as insecure; DNSSEC is not used. This is the case where the zone is DNSSEC securely insecure, or not under a trust anchor. |
sigalg | if non-NULL, provides algorithm downgrade protection; otherwise one algorithm is enough. Must have space for ALGO_NEEDS_MAX+1 entries. |
result | if not NULL result reason copied here. |
References az_domain_rrset(), az_find_name(), auth_zone::name, and auth_zone::namelen.
Referenced by auth_zone_verify_zonemd().
static |
Verify the zone DNSKEY rrset from the trust anchor. This is possible because the anchor is for the zone itself, and can thus apply straight to the zone DNSKEY set.
z | the auth zone. |
env | environment with time and temp buffers. |
mods | module stack for validator environment for dnssec validation. |
anchor | trust anchor to use |
is_insecure | returned, true if the zone is securely insecure. |
why_bogus | if the routine fails, returns the failure reason. |
keystorage | where to store the ub_packed_rrset_key that is created on success. A pointer to it is returned on success. |
reasonbuf | buffer to use for fail reason string print. |
reasonlen | length of reasonbuf. |
References az_domain_rrset(), az_find_name(), auth_zone::name, and auth_zone::namelen.
Referenced by auth_zone_verify_zonemd().
void auth_zone_verify_zonemd | ( | struct auth_zone * | z, |
struct module_env * | env, | ||
struct module_stack * | mods, | ||
char ** | result, | ||
int | offline, | ||
int | only_online | ||
) |
Perform ZONEMD checks and verification for the auth zone.
This includes DNSSEC verification if applicable.
z | auth zone to check. Caller holds the lock (wrlock). |
env | with temp region, buffer and config. |
mods | module stack for validator env. |
result | if not NULL, result string strdupped in here. |
offline | if true, no lookup is spawned when an online lookup is needed; those zones are skipped for ZONEMD checking. |
only_online | if true, only for ZONEMD that need online lookup of DNSKEY chain of trust are processed. |
References module_env::anchors, anchors_lookup(), auth_zone_verify_zonemd_with_key(), auth_zone_zonemd_fail(), rbtree_type::count, auth_zone::data, auth_zone::dclass, trust_anchor::lock, auth_zone::name, trust_anchor::name, auth_zone::namelen, trust_anchor::numDNSKEY, trust_anchor::numDS, query_dname_compare(), regional_free_all(), module_env::scratch, auth_zone::zonemd_check, zonemd_get_dnskey_from_anchor(), and zonemd_lookup_dnskey().
Referenced by auth_zones_pickup_zonemd_verify(), do_auth_zone_reload(), xfr_process_chunk_list(), and zonemd_offline_verify().
void auth_zones_pickup_zonemd_verify | ( | struct auth_zones * | az, |
struct module_env * | env | ||
) |
Check the ZONEMD records that need online DNSSEC chain lookups; for them, spawn the lookup process to get them checked.
Attaches the lookup process to the worker event base and mesh state.
az | auth zones; every zone is checked. |
env | env of the worker where the task is attached. |
References auth_zone_verify_zonemd(), auth_zone::dclass, rbnode_type::key, auth_zones::lock, auth_zone::lock, log_err(), module_env::mesh, mesh_area::mods, auth_zone::name, auth_zone::namelabs, auth_zone::namelen, auth_zone::node, RBTREE_FOR, rbtree_search(), auth_zone::zonemd_check, and auth_zones::ztree.