authzone.c File Reference

This file contains the functions for an authority zone. More...

#include "config.h"
#include "services/authzone.h"
#include "util/data/dname.h"
#include "util/data/msgparse.h"
#include "util/data/msgreply.h"
#include "util/data/msgencode.h"
#include "util/data/packed_rrset.h"
#include "util/regional.h"
#include "util/net_help.h"
#include "util/netevent.h"
#include "util/config_file.h"
#include "util/log.h"
#include "util/module.h"
#include "util/random.h"
#include "services/cache/dns.h"
#include "services/outside_network.h"
#include "services/listen_dnsport.h"
#include "services/mesh.h"
#include "sldns/rrdef.h"
#include "sldns/pkthdr.h"
#include "sldns/sbuffer.h"
#include "sldns/str2wire.h"
#include "sldns/wire2str.h"
#include "sldns/parseutil.h"
#include "sldns/keyraw.h"
#include "validator/val_nsec3.h"
#include "validator/val_nsec.h"
#include "validator/val_secalgo.h"
#include "validator/val_sigcrypt.h"
#include "validator/val_anchor.h"
#include "validator/val_utils.h"
#include <ctype.h>

Macros

#define N3HASHBUFLEN   32
 bytes to use for NSEC3 hash buffer. More...
 
#define MAX_CNAME_CHAIN   8
 max number of CNAMEs we are willing to follow (in one answer)
 
#define AUTH_PROBE_TIMEOUT   100 /* msec */
 timeout for probe packets for SOA
 
#define AUTH_PROBE_TIMEOUT_STOP   1000 /* msec */
 when to stop with SOA probes (when exponential timeouts exceed this)
 
#define AUTH_TRANSFER_TIMEOUT   10000 /* msec */
 
#define AUTH_TRANSFER_MAX_BACKOFF   86400 /* sec */
 
#define AUTH_HTTP_PORT   80
 
#define AUTH_HTTPS_PORT   443
 
#define MAX_INCLUDE_DEPTH   10
 
#define NUM_TIMEOUTS_FALLBACK_IXFR   3
 number of timeouts before we fallback from IXFR to AXFR, because some versions of servers (eg. More...
 
#define SERIAL_BITS   32
 

Functions

static void xfr_set_timeout (struct auth_xfer *xfr, struct module_env *env, int failure, int lookup_only)
 pick up nextprobe task to start waiting to perform transfer actions More...
 
static void xfr_probe_send_or_end (struct auth_xfer *xfr, struct module_env *env)
 move to sending the probe packets, next if fails. More...
 
static int xfr_start_probe (struct auth_xfer *xfr, struct module_env *env, struct auth_master *spec)
 pick up probe task with specified(or NULL) destination first, or transfer task if nothing to probe, or false if already in progress More...
 
void auth_xfer_delete (struct auth_xfer *xfr)
 delete xfer structure (not its tree entry) More...
 
static struct dns_msgmsg_create (struct regional *region, struct query_info *qinfo)
 create new dns_msg
 
static int msg_grow_array (struct regional *region, struct dns_msg *msg)
 grow rrset array by one in msg
 
static time_t get_rrset_ttl (struct ub_packed_rrset_key *k)
 get ttl of rrset
 
static struct ub_packed_rrset_keyauth_packed_rrset_copy_region (struct auth_zone *z, struct auth_data *node, struct auth_rrset *rrset, struct regional *region, time_t adjust)
 Copy rrset into region from domain-datanode and packet rrset.
 
static void msg_ttl (struct dns_msg *msg)
 fix up msg->rep TTL and prefetch ttl
 
static int msg_rrset_duplicate (struct dns_msg *msg, uint8_t *nm, size_t nmlen, uint16_t type, uint16_t dclass)
 see if rrset is a duplicate in the answer message
 
static int msg_add_rrset_an (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset)
 add rrset to answer section (no auth, add rrsets yet)
 
static int msg_add_rrset_ns (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset)
 add rrset to authority section (no additional section rrsets yet)
 
static int msg_add_rrset_ar (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset)
 add rrset to additional section
 
struct auth_zonesauth_zones_create (void)
 Create auth zones structure.
 
int auth_zone_cmp (const void *z1, const void *z2)
 compare auth_zones for sorted rbtree
 
int auth_data_cmp (const void *z1, const void *z2)
 compare auth_data for sorted rbtree
 
int auth_xfer_cmp (const void *z1, const void *z2)
 compare auth_xfer for sorted rbtree
 
static void auth_rrset_delete (struct auth_rrset *rrset)
 delete auth rrset node
 
static void auth_data_delete (struct auth_data *n)
 delete auth data domain node
 
static void auth_data_del (rbnode_type *n, void *ATTR_UNUSED(arg))
 helper traverse to delete zones
 
static void auth_zone_delete (struct auth_zone *z, struct auth_zones *az)
 delete an auth zone structure (tree remove must be done elsewhere)
 
struct auth_zoneauth_zone_create (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 create an auth zone. More...
 
struct auth_zoneauth_zone_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 find an auth zone by name (exact match by name or NULL returned)
 
struct auth_xferauth_xfer_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 find an xfer zone by name (exact match by name or NULL returned)
 
static int auth_zone_find_less_equal (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass, struct auth_zone **z)
 find an auth zone or sorted less-or-equal, return true if exact
 
struct auth_zoneauth_zones_find_zone (struct auth_zones *az, uint8_t *name, size_t name_len, uint16_t dclass)
 find the auth zone that is above the given name More...
 
static struct auth_zoneauth_zones_find_or_add_zone (struct auth_zones *az, char *name)
 find or create zone with name str. More...
 
static struct auth_xferauth_zones_find_or_add_xfer (struct auth_zones *az, struct auth_zone *z)
 find or create xfer zone with name str. More...
 
int auth_zone_set_zonefile (struct auth_zone *z, char *zonefile)
 set auth zone zonefile string. More...
 
int auth_zone_set_fallback (struct auth_zone *z, char *fallbackstr)
 set auth zone fallback. More...
 
static struct auth_dataaz_domain_create (struct auth_zone *z, uint8_t *nm, size_t nmlen)
 create domain with the given name
 
static struct auth_dataaz_find_name (struct auth_zone *z, uint8_t *nm, size_t nmlen)
 find domain with exactly the given name
 
static void az_find_domain (struct auth_zone *z, struct query_info *qinfo, int *node_exact, struct auth_data **node)
 Find domain name (or closest match)
 
static struct auth_dataaz_domain_find_or_create (struct auth_zone *z, uint8_t *dname, size_t dname_len)
 find or create domain with name in zone
 
static struct auth_rrsetaz_domain_rrset (struct auth_data *n, uint16_t t)
 find rrset of given type in the domain
 
static void domain_remove_rrset (struct auth_data *node, uint16_t rr_type)
 remove rrset of this type from domain
 
static int az_rrset_find_rrsig (struct packed_rrset_data *d, uint8_t *rdata, size_t len, size_t *index)
 find an rrsig index in the rrset. More...
 
static int rdata_duplicate (struct packed_rrset_data *d, uint8_t *rdata, size_t len)
 see if rdata is duplicate
 
static uint16_t rrsig_rdata_get_type_covered (uint8_t *rdata, size_t rdatalen)
 get rrsig type covered from rdata. More...
 
static int rrset_remove_rr (struct auth_rrset *rrset, size_t index)
 remove RR from existing RRset. More...
 
static int rrset_add_rr (struct auth_rrset *rrset, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen, int insert_sig)
 add RR to existing RRset. More...
 
static struct auth_rrsetrrset_create (struct auth_data *node, uint16_t rr_type, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen)
 Create new rrset for node with packed rrset with one RR element.
 
static size_t rrsig_num_that_cover (struct auth_rrset *rrsig, uint16_t rr_type, size_t *sigsz)
 count number (and size) of rrsigs that cover a type
 
static int rrset_moveover_rrsigs (struct auth_data *node, uint16_t rr_type, struct auth_rrset *rrset, struct auth_rrset *rrsig)
 See if rrsig set has covered sigs for rrset and move them over.
 
static int rrsigs_copy_from_rrset_to_rrsigset (struct auth_rrset *rrset, struct auth_rrset *rrsigset)
 copy the rrsigs from the rrset to the rrsig rrset, because the rrset is going to be deleted. More...
 
static int az_domain_add_rr (struct auth_data *node, uint16_t rr_type, uint32_t rr_ttl, uint8_t *rdata, size_t rdatalen, int *duplicate)
 Add rr to node, ignores duplicate RRs, rdata points to buffer with rdatalen octets, starts with 2bytelength.
 
static int az_insert_rr (struct auth_zone *z, uint8_t *rr, size_t rr_len, size_t dname_len, int *duplicate)
 insert RR into zone, ignore duplicates
 
static int az_domain_remove_rr (struct auth_data *node, uint16_t rr_type, uint8_t *rdata, size_t rdatalen, int *nonexist)
 Remove rr from node, ignores nonexisting RRs, rdata points to buffer with rdatalen octets, starts with 2bytelength.
 
static int az_remove_rr (struct auth_zone *z, uint8_t *rr, size_t rr_len, size_t dname_len, int *nonexist)
 remove RR from zone, ignore if it does not exist, false on alloc failure
 
static int decompress_rr_into_buffer (struct sldns_buffer *buf, uint8_t *pkt, size_t pktlen, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen)
 decompress an RR into the buffer where it'll be an uncompressed RR with uncompressed dname and uncompressed rdata (dnames)
 
static int az_insert_rr_decompress (struct auth_zone *z, uint8_t *pkt, size_t pktlen, struct sldns_buffer *scratch_buffer, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen, int *duplicate)
 insert RR into zone, from packet, decompress RR, if duplicate is nonNULL set the flag but otherwise ignore duplicates
 
static int az_remove_rr_decompress (struct auth_zone *z, uint8_t *pkt, size_t pktlen, struct sldns_buffer *scratch_buffer, uint8_t *dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t *rr_data, uint16_t rr_rdlen, int *nonexist)
 remove RR from zone, from packet, decompress RR, if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries
 
static int az_parse_file (struct auth_zone *z, FILE *in, uint8_t *rr, size_t rrbuflen, struct sldns_file_parse_state *state, char *fname, int depth, struct config_file *cfg)
 Parse zonefile. More...
 
int auth_zone_read_zonefile (struct auth_zone *z, struct config_file *cfg)
 read auth zone from zonefile. More...
 
static int write_out (FILE *out, const char *str, size_t len)
 write buffer to file and check return codes
 
static int auth_rr_to_string (uint8_t *nm, size_t nmlen, uint16_t tp, uint16_t cl, struct packed_rrset_data *data, size_t i, char *s, size_t buflen)
 convert auth rr to string
 
static int auth_zone_write_rrset (struct auth_zone *z, struct auth_data *node, struct auth_rrset *r, FILE *out)
 write rrset to file
 
static int auth_zone_write_domain (struct auth_zone *z, struct auth_data *n, FILE *out)
 write domain to file
 
int auth_zone_write_file (struct auth_zone *z, const char *fname)
 Write auth zone data to file, in zonefile format.
 
static void zonemd_offline_verify (struct auth_zone *z, struct module_env *env_for_val, struct module_stack *mods)
 offline verify for zonemd, while reading a zone file to immediately spot bad hashes in zonefile as they are read. More...
 
static int auth_zones_read_zones (struct auth_zones *az, struct config_file *cfg, struct module_env *env, struct module_stack *mods)
 read all auth zones from file (if they have)
 
static int zonemd_fetch_parameters (struct auth_rrset *zonemd_rrset, size_t i, uint32_t *serial, int *scheme, int *hashalgo, uint8_t **hash, size_t *hashlen)
 fetch the content of a ZONEMD RR from the rdata
 
static int zonemd_is_duplicate_scheme_hash (struct auth_rrset *zonemd_rrset, size_t index, int scheme, int hashalgo)
 See if the ZONEMD scheme, hash occurs more than once. More...
 
static int auth_zone_zonemd_check_hash (struct auth_zone *z, struct module_env *env, char **reason)
 Check ZONEMDs if present for the auth zone. More...
 
struct auth_rrsetauth_zone_get_soa_rrset (struct auth_zone *z)
 find the apex SOA RRset, if it exists More...
 
int auth_zone_get_serial (struct auth_zone *z, uint32_t *serial)
 find serial number of zone or false if none More...
 
int xfr_find_soa (struct auth_zone *z, struct auth_xfer *xfr)
 Find auth_zone SOA and populate the values in xfr(soa values).
 
static int auth_xfer_setup (struct auth_zone *z, struct auth_xfer *x)
 Setup auth_xfer zone This populates the have_zone, soa values, and so on times. More...
 
static int auth_zones_setup_zones (struct auth_zones *az)
 Setup all zones. More...
 
static int auth_zones_cfg (struct auth_zones *az, struct config_auth *c)
 set config items and create zones
 
static void az_setall_deleted (struct auth_zones *az)
 set all auth zones deleted, then in auth_zones_cfg, it marks them as nondeleted (if they are still in the config), and then later we can find deleted zones
 
static void az_delete_deleted_zones (struct auth_zones *az)
 find zones that are marked deleted and delete them. More...
 
int auth_zones_apply_cfg (struct auth_zones *az, struct config_file *cfg, int setup, int *is_rpz, struct module_env *env, struct module_stack *mods)
 Apply configuration to auth zones. More...
 
static void auth_chunks_delete (struct auth_transfer *at)
 delete chunks More...
 
static void auth_free_master_addrs (struct auth_addr *list)
 free master addr list
 
static void auth_free_masters (struct auth_master *list)
 free the masters list
 
static void auth_zone_del (rbnode_type *n, void *ATTR_UNUSED(arg))
 helper traverse to delete zones
 
static void auth_xfer_del (rbnode_type *n, void *ATTR_UNUSED(arg))
 helper traverse to delete xfer zones
 
void auth_zones_delete (struct auth_zones *az)
 Delete auth zones structure.
 
static int domain_has_only_nsec3 (struct auth_data *n)
 true if domain has only nsec3
 
static struct auth_dataaz_find_wildcard_domain (struct auth_zone *z, uint8_t *nm, size_t nmlen)
 see if the domain has a wildcard child '*.domain'
 
static struct auth_dataaz_find_wildcard (struct auth_zone *z, struct query_info *qinfo, struct auth_data *ce)
 find wildcard between qname and cename
 
static struct auth_dataaz_find_candidate_ce (struct auth_zone *z, struct query_info *qinfo, struct auth_data *n)
 domain is not exact, find first candidate ce (name that matches a part of qname) in tree
 
static struct auth_dataaz_domain_go_up (struct auth_zone *z, struct auth_data *n)
 go up the auth tree to next existing name.
 
static int az_find_ce (struct auth_zone *z, struct query_info *qinfo, struct auth_data *node, int node_exact, struct auth_data **ce, struct auth_rrset **rrset)
 Find the closest encloser, an name that exists and is above the qname. More...
 
static int az_add_additionals_from (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_rrset *rrset, size_t offset)
 add additional A/AAAA from domain names in rrset rdata (+offset) offset is number of bytes in rdata where the dname is located.
 
static int az_add_negative_soa (struct auth_zone *z, struct regional *region, struct dns_msg *msg)
 add negative SOA record (with negative TTL)
 
static int az_empty_nonterminal (struct auth_zone *z, struct query_info *qinfo, struct auth_data *node)
 See if the query goes to empty nonterminal (that has no auth_data, but there are nodes underneath. More...
 
static size_t synth_cname_buf (uint8_t *qname, size_t qname_len, size_t dname_len, uint8_t *dtarg, size_t dtarglen, uint8_t *buf, size_t buflen)
 create synth cname target name in buffer, or fail if too long
 
static int create_synth_cname (uint8_t *qname, size_t qname_len, struct regional *region, struct auth_data *node, struct auth_rrset *dname, uint16_t dclass, struct ub_packed_rrset_key **cname)
 create synthetic CNAME rrset for in a DNAME answer in region, false on alloc failure, cname==NULL when name too long.
 
static int add_synth_cname (struct auth_zone *z, uint8_t *qname, size_t qname_len, struct regional *region, struct dns_msg *msg, struct auth_data *dname, struct auth_rrset *rrset)
 add a synthesized CNAME to the answer section
 
static void az_change_dnames (struct dns_msg *msg, uint8_t *oldname, uint8_t *newname, size_t newlen, int an_only)
 Change a dname to a different one, for wildcard namechange.
 
static struct auth_rrsetaz_find_nsec_cover (struct auth_zone *z, struct auth_data **node)
 find NSEC record covering the query
 
static int az_nsec_wildcard_denial (struct auth_zone *z, struct regional *region, struct dns_msg *msg, uint8_t *cenm, size_t cenmlen)
 Find NSEC and add for wildcard denial.
 
static int az_nsec3_param (struct auth_zone *z, int *algo, size_t *iter, uint8_t **salt, size_t *saltlen)
 Find the NSEC3PARAM rrset (if any) and if true you have the parameters.
 
static size_t az_nsec3_hash (uint8_t *buf, size_t buflen, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen)
 Hash a name with nsec3param into buffer, it has zone name appended. More...
 
static int az_nsec3_hashname (struct auth_zone *z, uint8_t *hashname, size_t *hashnmlen, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen)
 Hash name and return b32encoded hashname for lookup, zone name appended.
 
static struct auth_dataaz_nsec3_findnode (struct auth_zone *z, uint8_t *hashnm, size_t hashnmlen)
 Find the datanode that covers the nsec3hash-name.
 
static struct auth_dataaz_nsec3_find_cover (struct auth_zone *z, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen)
 Find cover for hashed(nm, nmlen) (or NULL)
 
static struct auth_dataaz_nsec3_find_exact (struct auth_zone *z, uint8_t *nm, size_t nmlen, int algo, size_t iter, uint8_t *salt, size_t saltlen)
 Find exact match for hashed(nm, nmlen) NSEC3 record or NULL.
 
static void az_nsec3_get_nextcloser (uint8_t *cenm, uint8_t *qname, size_t qname_len, uint8_t **nx, size_t *nxlen)
 Return nextcloser name (as a ref into the qname). More...
 
static struct auth_dataaz_nsec3_find_ce (struct auth_zone *z, uint8_t **cenm, size_t *cenmlen, int *no_exact_ce, int algo, size_t iter, uint8_t *salt, size_t saltlen)
 Find the closest encloser that has exact NSEC3. More...
 
static int az_nsec3_insert (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node)
 
static int az_add_nsec3_proof (struct auth_zone *z, struct regional *region, struct dns_msg *msg, uint8_t *cenm, size_t cenmlen, uint8_t *qname, size_t qname_len, int nodataproof, int ceproof, int nxproof, int wcproof)
 add NSEC3 records to the zone for the nsec3 proof. More...
 
static int az_generate_positive_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset)
 generate answer for positive answer
 
static int az_generate_any_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node)
 generate answer for type ANY answer
 
static int follow_cname_chain (struct auth_zone *z, uint16_t qtype, struct regional *region, struct dns_msg *msg, struct packed_rrset_data *d)
 follow cname chain and add more data to the answer section
 
static int az_generate_cname_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *node, struct auth_rrset *rrset)
 generate answer for cname answer
 
static int az_generate_notype_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *node)
 generate answer for notype answer
 
static int az_generate_referral_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset)
 generate answer for referral answer
 
static int az_generate_dname_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset)
 generate answer for DNAME answer
 
static int az_generate_wildcard_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_data *wildcard, struct auth_data *node)
 generate answer for wildcard answer
 
static int az_generate_nxdomain_answer (struct auth_zone *z, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_data *node)
 generate answer for nxdomain answer
 
static int az_generate_answer_with_node (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *node)
 Create answers when an exact match exists for the domain name.
 
static int az_generate_answer_nonexistnode (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg *msg, struct auth_data *ce, struct auth_rrset *rrset, struct auth_data *node)
 Generate answer without an existing-node that we can use. More...
 
static int auth_zone_generate_answer (struct auth_zone *z, struct query_info *qinfo, struct regional *region, struct dns_msg **msg, int *fallback)
 Lookup answer in a zone.
 
int auth_zones_lookup (struct auth_zones *az, struct query_info *qinfo, struct regional *region, struct dns_msg **msg, int *fallback, uint8_t *dp_nm, size_t dp_nmlen)
 Use auth zones to lookup the answer to a query. More...
 
static void auth_answer_encode (struct query_info *qinfo, struct module_env *env, struct edns_data *edns, struct comm_reply *repinfo, sldns_buffer *buf, struct regional *temp, struct dns_msg *msg)
 encode auth answer
 
static void auth_error_encode (struct query_info *qinfo, struct module_env *env, struct edns_data *edns, struct comm_reply *repinfo, sldns_buffer *buf, struct regional *temp, int rcode)
 encode auth error answer
 
int auth_zones_answer (struct auth_zones *az, struct module_env *env, struct query_info *qinfo, struct edns_data *edns, struct comm_reply *repinfo, struct sldns_buffer *buf, struct regional *temp)
 Answer query from auth zone. More...
 
int auth_zones_can_fallback (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 see if the auth zone for the name can fallback More...
 
int auth_zone_parse_notify_serial (sldns_buffer *pkt, uint32_t *serial)
 process notify packet and read serial number from SOA. More...
 
static int addr_in_list (struct auth_addr *list, struct sockaddr_storage *addr, socklen_t addrlen)
 see if addr appears in the list
 
static int addr_matches_master (struct auth_master *master, struct sockaddr_storage *addr, socklen_t addrlen, struct auth_master **fromhost)
 check if an address matches a master specification (or one of its addresses in the addr list)
 
static int az_xfr_allowed_notify (struct auth_xfer *xfr, struct sockaddr_storage *addr, socklen_t addrlen, struct auth_master **fromhost)
 check access list for notifies
 
static int xfr_serial_means_update (struct auth_xfer *xfr, uint32_t serial)
 see if the serial means the zone has to be updated, i.e. More...
 
static void xfr_note_notify_serial (struct auth_xfer *xfr, int has_serial, uint32_t serial)
 note notify serial, updates the notify information in the xfr struct
 
static void xfr_process_notify (struct auth_xfer *xfr, struct module_env *env, int has_serial, uint32_t serial, struct auth_master *fromhost)
 process a notify serial, start new probe or note serial. More...
 
int auth_zones_notify (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass, struct sockaddr_storage *addr, socklen_t addrlen, int has_serial, uint32_t serial, int *refused)
 process notify for auth zones. More...
 
int auth_zones_startprobesequence (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass)
 for the zone and if not already going, starts the probe sequence. More...
 
static void auth_xfer_set_expired (struct auth_xfer *xfr, struct module_env *env, int expired)
 set a zone expired
 
static struct auth_masterfind_master_by_host (struct auth_master *list, char *host)
 find master (from notify or probe) in list of masters
 
static void xfr_masterlist_free_addrs (struct auth_master *list)
 delete the looked up auth_addrs for all the masters in the list
 
static struct auth_addrauth_addr_list_copy (struct auth_addr *source)
 copy a list of auth_addrs
 
static struct auth_masterauth_master_copy (struct auth_master *o)
 copy a master to a new structure, NULL on alloc failure
 
static void probe_copy_masters_for_allow_notify (struct auth_xfer *xfr)
 copy the master addresses from the task_probe lookups to the allow_notify list of masters
 
static void xfr_transfer_start_lookups (struct auth_xfer *xfr)
 start the lookups for task_transfer
 
static void xfr_transfer_move_to_next_lookup (struct auth_xfer *xfr, struct module_env *env)
 move to the next lookup of hostname for task_transfer
 
static void xfr_probe_start_lookups (struct auth_xfer *xfr)
 start the lookups for task_probe
 
static void xfr_probe_move_to_next_lookup (struct auth_xfer *xfr, struct module_env *env)
 move to the next lookup of hostname for task_probe
 
static void xfr_transfer_start_list (struct auth_xfer *xfr, struct auth_master *spec)
 start the iteration of the task_transfer list of masters
 
static void xfr_probe_start_list (struct auth_xfer *xfr, struct auth_master *spec)
 start the iteration of the task_probe list of masters
 
static struct auth_masterxfr_transfer_current_master (struct auth_xfer *xfr)
 pick up the master that is being scanned right now, task_transfer
 
static struct auth_masterxfr_probe_current_master (struct auth_xfer *xfr)
 pick up the master that is being scanned right now, task_probe
 
static int xfr_transfer_end_of_list (struct auth_xfer *xfr)
 true if at end of list, task_transfer
 
static int xfr_probe_end_of_list (struct auth_xfer *xfr)
 true if at end of list, task_probe
 
static void xfr_transfer_nextmaster (struct auth_xfer *xfr)
 move to next master in list, task_transfer
 
static void xfr_probe_nextmaster (struct auth_xfer *xfr)
 move to next master in list, task_probe
 
static void xfr_create_soa_probe_packet (struct auth_xfer *xfr, sldns_buffer *buf, uint16_t id)
 create SOA probe packet for xfr
 
static void xfr_create_ixfr_packet (struct auth_xfer *xfr, sldns_buffer *buf, uint16_t id, struct auth_master *master)
 create IXFR/AXFR packet for xfr
 
static int check_packet_ok (sldns_buffer *pkt, uint16_t qtype, struct auth_xfer *xfr, uint32_t *serial)
 check if returned packet is OK
 
static int chunkline_get_line (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf)
 read one line from chunks into buffer at current position
 
static int chunkline_count_parens (sldns_buffer *buf, size_t start)
 count number of open and closed parenthesis in a chunkline
 
static void chunkline_remove_trailcomment (sldns_buffer *buf, size_t start)
 remove trailing ;... More...
 
static int chunkline_is_comment_line_or_empty (sldns_buffer *buf)
 see if a chunkline is a comment line (or empty line)
 
static int chunkline_get_line_collated (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf)
 find a line with ( ) collated
 
static int http_parse_origin (sldns_buffer *buf, struct sldns_file_parse_state *pstate)
 process $ORIGIN for http, 0 nothing, 1 done, 2 error
 
static int http_parse_ttl (sldns_buffer *buf, struct sldns_file_parse_state *pstate)
 process $TTL for http, 0 nothing, 1 done, 2 error
 
static int chunkline_non_comment_RR (struct auth_chunk **chunk, size_t *chunk_pos, sldns_buffer *buf, struct sldns_file_parse_state *pstate)
 find noncomment RR line in chunks, collates lines if ( ) format
 
static int http_zonefile_syntax_check (struct auth_xfer *xfr, sldns_buffer *buf)
 check syntax of chunklist zonefile, parse first RR, return false on failure and return a string in the scratch buffer (first RR string) on failure.
 
static size_t chunklist_sum (struct auth_chunk *list)
 sum sizes of chunklist
 
static void chunkline_newline_removal (sldns_buffer *buf)
 remove newlines from collated line
 
static int http_parse_add_rr (struct auth_xfer *xfr, struct auth_zone *z, sldns_buffer *buf, struct sldns_file_parse_state *pstate)
 for http download, parse and add RR to zone
 
static void chunk_rrlist_start (struct auth_xfer *xfr, struct auth_chunk **rr_chunk, int *rr_num, size_t *rr_pos)
 RR list iterator, returns RRs from answer section one by one from the dns packets in the chunklist.
 
static int chunk_rrlist_end (struct auth_chunk *rr_chunk, int rr_num)
 RR list iterator, see if we are at the end of the list.
 
static void chunk_rrlist_gonext (struct auth_chunk **rr_chunk, int *rr_num, size_t *rr_pos, size_t rr_nextpos)
 RR list iterator, move to next RR.
 
static int chunk_rrlist_get_current (struct auth_chunk *rr_chunk, int rr_num, size_t rr_pos, uint8_t **rr_dname, uint16_t *rr_type, uint16_t *rr_class, uint32_t *rr_ttl, uint16_t *rr_rdlen, uint8_t **rr_rdata, size_t *rr_nextpos)
 RR iterator, get current RR information, false on parse error.
 
static void log_rrlist_position (const char *label, struct auth_chunk *rr_chunk, uint8_t *rr_dname, uint16_t rr_type, size_t rr_counter)
 print log message where we are in parsing the zone transfer
 
static int ixfr_start_serial (struct auth_chunk *rr_chunk, int rr_num, size_t rr_pos, uint8_t *rr_dname, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t *rr_rdata, size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial)
 check that start serial is OK for ixfr. More...
 
static int apply_ixfr (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer)
 apply IXFR to zone in memory. More...
 
static int apply_axfr (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer)
 apply AXFR to zone in memory. More...
 
static int apply_http (struct auth_xfer *xfr, struct auth_zone *z, struct sldns_buffer *scratch_buffer)
 apply HTTP to zone in memory. More...
 
static int auth_zone_write_chunks (struct auth_xfer *xfr, const char *fname)
 write http chunks to zonefile to create downloaded file
 
static void xfr_write_after_update (struct auth_xfer *xfr, struct module_env *env)
 write to zonefile after zone has been updated
 
static int xfr_process_reacquire_locks (struct auth_xfer *xfr, struct module_env *env, struct auth_zone **z)
 reacquire locks and structures. More...
 
static int xfr_process_chunk_list (struct auth_xfer *xfr, struct module_env *env, int *ixfr_fail)
 process chunk list and update zone in memory, return false if it did not work
 
static void xfr_transfer_disown (struct auth_xfer *xfr)
 disown task_transfer. More...
 
static int xfr_transfer_lookup_host (struct auth_xfer *xfr, struct module_env *env)
 lookup a host name for its addresses, if needed
 
static int xfr_transfer_init_fetch (struct auth_xfer *xfr, struct module_env *env)
 initiate TCP to the target and fetch zone. More...
 
static void xfr_transfer_nexttarget_or_end (struct auth_xfer *xfr, struct module_env *env)
 perform next lookup, next transfer TCP, or end and resume wait time task
 
static void xfr_master_add_addrs (struct auth_master *m, struct ub_packed_rrset_key *rrset, uint16_t rrtype)
 add addrs from A or AAAA rrset to the master
 
void auth_xfer_transfer_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status ATTR_UNUSED(sec), char *ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 callback for task_transfer lookup of host name, of A or AAAA
 
static int check_xfer_packet (sldns_buffer *pkt, struct auth_xfer *xfr, int *gonextonfail, int *transferdone)
 check if xfer (AXFR or IXFR) packet is OK. More...
 
static int xfer_link_data (sldns_buffer *pkt, struct auth_xfer *xfr)
 Link the data from this packet into the worklist of transferred data.
 
static void process_list_end_transfer (struct auth_xfer *xfr, struct module_env *env)
 task transfer. More...
 
void auth_xfer_transfer_timer_callback (void *arg)
 callback for the task_transfer timer More...
 
int auth_xfer_transfer_tcp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *ATTR_UNUSED(repinfo))
 callback for task_transfer tcp connections
 
int auth_xfer_transfer_http_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo)
 callback for task_transfer http connections
 
static void xfr_start_transfer (struct auth_xfer *xfr, struct module_env *env, struct auth_master *master)
 start transfer task by this worker , xfr is locked.
 
static void xfr_probe_disown (struct auth_xfer *xfr)
 disown task_probe. More...
 
static int xfr_probe_send_probe (struct auth_xfer *xfr, struct module_env *env, int timeout)
 send the UDP probe to the master, this is part of task_probe
 
void auth_xfer_probe_timer_callback (void *arg)
 callback for task_probe timer More...
 
int auth_xfer_probe_udp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo)
 callback for task_probe udp packets More...
 
static int xfr_probe_lookup_host (struct auth_xfer *xfr, struct module_env *env)
 lookup a host name for its addresses, if needed
 
void auth_xfer_probe_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status ATTR_UNUSED(sec), char *ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 callback for task_probe lookup of host name, of A or AAAA
 
static void xfr_nextprobe_disown (struct auth_xfer *xfr)
 disown task_nextprobe. More...
 
void auth_xfer_timer (void *arg)
 xfer nextprobe timeout callback, this is part of task_nextprobe
 
static int have_probe_targets (struct auth_master *list)
 return true if there are probe (SOA UDP query) targets in the master list
 
void auth_xfer_pickup_initial (struct auth_zones *az, struct module_env *env)
 initial pick up of worker timeouts, ties events to worker event loop More...
 
void auth_zones_cleanup (struct auth_zones *az)
 Cleanup auth zones. More...
 
static struct auth_xferauth_xfer_new (struct auth_zone *z)
 malloc the xfer and tasks More...
 
struct auth_xferauth_xfer_create (struct auth_zones *az, struct auth_zone *z)
 Create auth_xfer structure. More...
 
static struct auth_masterauth_master_new (struct auth_master ***list)
 create new auth_master structure
 
static char * dup_prefix (char *str, size_t num)
 dup_prefix : create string from initial part of other string, malloced
 
static char * dup_all (char *str)
 dup string and print error on error
 
static char * str_find_first_of_chars (char *s, char a, char b)
 find first of two characters
 
static int parse_url (char *url, char **host, char **file, int *port, int *ssl)
 parse URL into host and file parts, false on malloc or parse error
 
int xfer_set_masters (struct auth_master **list, struct config_auth *c, int with_http)
 Set masters in auth xfer structure from config. More...
 
int compare_serial (uint32_t a, uint32_t b)
 
int zonemd_hashalgo_supported (int hashalgo)
 returns true if a zonemd hash algo is supported
 
int zonemd_scheme_supported (int scheme)
 returns true if a zonemd scheme is supported
 
static struct secalgo_hash * zonemd_digest_init (int hashalgo, char **reason)
 initialize hash for hashing with zonemd hash algo
 
static int zonemd_digest_update (int hashalgo, struct secalgo_hash *h, uint8_t *data, size_t len, char **reason)
 update the hash for zonemd
 
static int zonemd_digest_finish (int hashalgo, struct secalgo_hash *h, uint8_t *result, size_t hashlen, size_t *resultlen, char **reason)
 finish the hash for zonemd
 
static size_t authdata_rrsets_to_list (struct auth_rrset **array, size_t arraysize, struct auth_rrset *first)
 add rrsets from node to the list
 
static int rrlist_compare (const void *arg1, const void *arg2)
 compare rr list entries
 
static void addrrsigtype_if_needed (struct auth_rrset **array, size_t arraysize, size_t *rrnum, struct auth_data *node)
 add type RRSIG to rr list if not one there already, this is to perform RRSIG collate processing at that point.
 
static int zonemd_simple_rrset (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct auth_rrset *rrset, struct regional *region, struct sldns_buffer *buf, char **reason)
 collate the RRs in an RRset using the simple scheme
 
static size_t zonemd_simple_count_rrsig (struct auth_rrset *rrset, struct auth_rrset **rrlist, size_t rrnum, struct auth_zone *z, struct auth_data *node)
 count number of RRSIGs in a domain name rrset list
 
static int zonemd_simple_rrsig_allocs (struct regional *region, struct packed_rrset_data *data, size_t count)
 allocate sparse rrset data for the number of entries in tepm region
 
static void add_rrlist_rrsigs_into_data (struct packed_rrset_data *data, size_t *done, struct auth_rrset **rrlist, size_t rrnum, struct auth_zone *z, struct auth_data *node)
 add the RRSIGs from the rrs in the domain into the data
 
static void add_rrset_into_data (struct packed_rrset_data *data, size_t *done, struct auth_rrset *rrset, struct auth_zone *z, struct auth_data *node)
 
static int zonemd_simple_rrsig (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct auth_rrset *rrset, struct auth_rrset **rrlist, size_t rrnum, struct regional *region, struct sldns_buffer *buf, char **reason)
 collate the RRSIGs using the simple scheme
 
static int zonemd_simple_domain (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct auth_data *node, struct regional *region, struct sldns_buffer *buf, char **reason)
 collate a domain's rrsets using the simple scheme
 
static int zonemd_simple_collate (struct auth_zone *z, int hashalgo, struct secalgo_hash *h, struct regional *region, struct sldns_buffer *buf, char **reason)
 collate the zone using the simple scheme
 
int auth_zone_generate_zonemd_hash (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t hashlen, size_t *resultlen, struct regional *region, struct sldns_buffer *buf, char **reason)
 Generate ZONEMD digest for the auth zone. More...
 
int auth_zone_generate_zonemd_check (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t hashlen, struct regional *region, struct sldns_buffer *buf, char **reason)
 Check ZONEMD digest for the auth zone. More...
 
static void auth_zone_log (uint8_t *name, enum verbosity_value level, const char *format,...) ATTR_FORMAT(printf
 log auth zone message with zone name in front.
 
static int zonemd_dnssec_verify_rrset (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *node, struct auth_rrset *rrset, char **why_bogus, uint8_t *sigalg)
 ZONEMD, dnssec verify the rrset with the dnskey.
 
static int nsec3_of_param_has_type (struct auth_rrset *nsec3, int algo, size_t iter, uint8_t *salt, size_t saltlen, uint16_t rrtype)
 check for nsec3, the RR with params equal, if bitmap has the type
 
static int zonemd_check_dnssec_absence (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *apex, char **reason, char **why_bogus, uint8_t *sigalg)
 Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag. More...
 
static int zonemd_check_dnssec_soazonemd (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, struct auth_data *apex, struct auth_rrset *zonemd_rrset, char **reason, char **why_bogus, uint8_t *sigalg)
 Verify the SOA and ZONEMD DNSSEC signatures. More...
 
static void auth_zone_zonemd_fail (struct auth_zone *z, struct module_env *env, char *reason, char *why_bogus, char **result)
 Fail the ZONEMD verification. More...
 
static void auth_zone_verify_zonemd_with_key (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *dnskey, int is_insecure, char **result, uint8_t *sigalg)
 Verify the zonemd with DNSSEC and hash check, with given key. More...
 
static struct ub_packed_rrset_keyzonemd_get_dnskey_from_anchor (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct trust_anchor *anchor, int *is_insecure, char **why_bogus, struct ub_packed_rrset_key *keystorage)
 verify the zone DNSKEY rrset from the trust anchor This is possible because the anchor is for the zone itself, and can thus apply straight to the zone DNSKEY set. More...
 
static struct ub_packed_rrset_keyauth_zone_verify_zonemd_key_with_ds (struct auth_zone *z, struct module_env *env, struct module_stack *mods, struct ub_packed_rrset_key *ds, int *is_insecure, char **why_bogus, struct ub_packed_rrset_key *keystorage, uint8_t *sigalg)
 verify the DNSKEY from the zone with looked up DS record
 
void auth_zonemd_dnskey_lookup_callback (void *arg, int rcode, sldns_buffer *buf, enum sec_status sec, char *why_bogus, int ATTR_UNUSED(was_ratelimited))
 callback for ZONEMD lookup of DNSKEY
 
static int zonemd_lookup_dnskey (struct auth_zone *z, struct module_env *env)
 lookup DNSKEY for ZONEMD verification
 
void auth_zone_verify_zonemd (struct auth_zone *z, struct module_env *env, struct module_stack *mods, char **result, int offline, int only_online)
 Perform ZONEMD checks and verification for the auth zone. More...
 
void auth_zones_pickup_zonemd_verify (struct auth_zones *az, struct module_env *env)
 Check the ZONEMD records that need online DNSSEC chain lookups, for them spawn the lookup process to get it checked out. More...
 

Detailed Description

This file contains the functions for an authority zone.

This zone is queried by the iterator, just like a stub or forward zone, but then the data is locally held.

Macro Definition Documentation

◆ N3HASHBUFLEN

#define N3HASHBUFLEN   32

bytes to use for NSEC3 hash buffer.

20 for sha1

◆ NUM_TIMEOUTS_FALLBACK_IXFR

#define NUM_TIMEOUTS_FALLBACK_IXFR   3

number of timeouts before we fallback from IXFR to AXFR, because some versions of servers (eg.

dnsmasq) drop IXFR packets.

Function Documentation

◆ xfr_set_timeout()

static void xfr_set_timeout ( struct auth_xfer xfr,
struct module_env env,
int  failure,
int  lookup_only 
)
static

pick up nextprobe task to start waiting to perform transfer actions

for task_nextprobe.

determine next timeout for auth_xfer. Also (re)sets timer.

Parameters
xfrtask structure
envmodule environment, with worker and time.
failureset true if timer should be set for failure retry.
lookup_onlyonly perform lookups when timer done, 0 sec timeout

References auth_nextprobe::backoff, auth_xfer::lease_time, log_assert, auth_nextprobe::next_probe, module_env::now, auth_xfer::task_nextprobe, and module_env::worker.

Referenced by auth_xfer_pickup_initial(), process_list_end_transfer(), xfr_probe_send_or_end(), and xfr_transfer_nexttarget_or_end().

◆ xfr_probe_send_or_end()

◆ xfr_start_probe()

static int xfr_start_probe ( struct auth_xfer xfr,
struct module_env env,
struct auth_master spec 
)
static

pick up probe task with specified(or NULL) destination first, or transfer task if nothing to probe, or false if already in progress

start task_probe if possible, if no masters for probe start task_transfer returns true if task has been started, and false if the task is already in progress.

References auth_probe::cp, auth_probe::have_new_lease, have_probe_targets(), auth_probe::masters, auth_probe::only_lookup, auth_xfer::task_probe, auth_xfer::task_transfer, module_env::worker, xfr_probe_send_or_end(), xfr_probe_start_list(), xfr_probe_start_lookups(), and xfr_start_transfer().

Referenced by auth_xfer_timer(), process_list_end_transfer(), and xfr_process_notify().

◆ auth_xfer_delete()

◆ auth_zone_create()

struct auth_zone* auth_zone_create ( struct auth_zones az,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

◆ auth_zones_find_zone()

struct auth_zone* auth_zones_find_zone ( struct auth_zones az,
uint8_t *  name,
size_t  name_len,
uint16_t  dclass 
)

find the auth zone that is above the given name

Find the auth zone that is above the given qname.

References auth_zone_find(), auth_zone_find_less_equal(), auth_zone::dclass, dname_count_size_labels(), dname_get_shared_topdomain(), dname_is_root(), dname_remove_label(), and auth_zone::name.

Referenced by auth_zone_delegpt(), and auth_zones_answer().

◆ auth_zones_find_or_add_zone()

static struct auth_zone* auth_zones_find_or_add_zone ( struct auth_zones az,
char *  name 
)
static

find or create zone with name str.

caller must have lock on az. returns a wrlocked zone

References auth_zone_create(), auth_zone_find(), LDNS_MAX_DOMAINLEN, LDNS_RR_CLASS_IN, auth_zone::lock, log_err(), auth_zone::name, and sldns_str2wire_dname_buf().

Referenced by auth_zones_cfg().

◆ auth_zones_find_or_add_xfer()

static struct auth_xfer* auth_zones_find_or_add_xfer ( struct auth_zones az,
struct auth_zone z 
)
static

find or create xfer zone with name str.

caller must have lock on az. returns a locked xfer

References auth_xfer_create(), auth_xfer_find(), auth_zone::dclass, auth_xfer::lock, auth_zone::name, and auth_zone::namelen.

Referenced by auth_zones_cfg().

◆ auth_zone_set_zonefile()

int auth_zone_set_zonefile ( struct auth_zone z,
char *  zonefile 
)

set auth zone zonefile string.

caller must have lock on zone

References log_err(), and auth_zone::zonefile.

Referenced by auth_zones_cfg().

◆ auth_zone_set_fallback()

int auth_zone_set_fallback ( struct auth_zone z,
char *  fallbackstr 
)

set auth zone fallback.

caller must have lock on zone

References auth_zone::fallback_enabled, and log_err().

◆ az_rrset_find_rrsig()

static int az_rrset_find_rrsig ( struct packed_rrset_data d,
uint8_t *  rdata,
size_t  len,
size_t *  index 
)
static

find an rrsig index in the rrset.

returns true if found

References packed_rrset_data::count, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.

Referenced by az_domain_remove_rr().

◆ rrsig_rdata_get_type_covered()

static uint16_t rrsig_rdata_get_type_covered ( uint8_t *  rdata,
size_t  rdatalen 
)
static

get rrsig type covered from rdata.

Parameters
rdatardata in wireformat, starting with 16bit rdlength.
rdatalenlength of rdata buffer.
Returns
type covered (or 0).

Referenced by az_domain_add_rr(), az_domain_remove_rr(), rrset_moveover_rrsigs(), rrsig_num_that_cover(), and zonemd_simple_count_rrsig().

◆ rrset_remove_rr()

static int rrset_remove_rr ( struct auth_rrset rrset,
size_t  index 
)
static

◆ rrset_add_rr()

static int rrset_add_rr ( struct auth_rrset rrset,
uint32_t  rr_ttl,
uint8_t *  rdata,
size_t  rdatalen,
int  insert_sig 
)
static

◆ rrsigs_copy_from_rrset_to_rrsigset()

static int rrsigs_copy_from_rrset_to_rrsigset ( struct auth_rrset rrset,
struct auth_rrset rrsigset 
)
static

copy the rrsigs from the rrset to the rrsig rrset, because the rrset is going to be deleted.

reallocates the RRSIG rrset data.

References packed_rrset_data::count, auth_rrset::data, rdata_duplicate(), packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, rrset_add_rr(), and packed_rrset_data::rrsig_count.

Referenced by az_domain_remove_rr().

◆ az_parse_file()

static int az_parse_file ( struct auth_zone z,
FILE *  in,
uint8_t *  rr,
size_t  rrbuflen,
struct sldns_file_parse_state state,
char *  fname,
int  depth,
struct config_file cfg 
)
static

Parse zonefile.

Parameters
zzone to read in.
infile to read from (just opened).
rrbuffer to use for RRs, 64k. passed so that recursive includes can use the same buffer and do not grow the stack too much.
rrbuflensizeof rr buffer.
stateparse state with $ORIGIN, $TTL and 'prev-dname' and so on, that is kept between includes. The lineno is set at 1 and then increased by the function.
fnamefile name.
depthrecursion depth for includes
cfgconfig for chroot. returns false on failure, has printed an error message

References sldns_file_parse_state::lineno, and sldns_fp2wire_rr_buf().

Referenced by auth_zone_read_zonefile().

◆ auth_zone_read_zonefile()

◆ zonemd_offline_verify()

static void zonemd_offline_verify ( struct auth_zone z,
struct module_env env_for_val,
struct module_stack mods 
)
static

offline verify for zonemd, while reading a zone file to immediately spot bad hashes in zonefile as they are read.

Creates temp buffers, but uses anchors and validation environment from the module_env.

References auth_zone_verify_zonemd(), module_env::cfg, log_err(), config_file::msg_buffer_size, module_env::now, regional_create(), regional_destroy(), module_env::scratch, module_env::scratch_buffer, sldns_buffer_free(), sldns_buffer_new(), and auth_zone::zonemd_check.

Referenced by auth_zones_read_zones().

◆ zonemd_is_duplicate_scheme_hash()

static int zonemd_is_duplicate_scheme_hash ( struct auth_rrset zonemd_rrset,
size_t  index,
int  scheme,
int  hashalgo 
)
static

See if the ZONEMD scheme, hash occurs more than once.

Parameters
zonemd_rrsetthe zonemd rrset to check with the RRs in it.
indexindex of the original, this is allowed to have that scheme and hashalgo, but other RRs should not have it.
schemethe scheme to check for.
hashalgothe hash algorithm to check for.
Returns
true if it occurs more than once.

References packed_rrset_data::count, auth_rrset::data, VERB_ALGO, verbose(), and zonemd_fetch_parameters().

◆ auth_zone_zonemd_check_hash()

static int auth_zone_zonemd_check_hash ( struct auth_zone z,
struct module_env env,
char **  reason 
)
static

Check ZONEMDs if present for the auth zone.

Depending on config it can warn or fail on that. Checks the hash of the ZONEMD.

Parameters
zauth zone to check for. caller must hold lock on zone.
envmodule env for temp buffers.
reasonreturned on failure.
Returns
false on failure, true if hash checks out.

References auth_zone_get_serial(), az_domain_rrset(), az_find_name(), auth_zone::name, auth_zone::namelen, regional_free_all(), module_env::scratch, and module_env::scratch_buffer.

◆ auth_zone_get_soa_rrset()

struct auth_rrset* auth_zone_get_soa_rrset ( struct auth_zone z)

find the apex SOA RRset, if it exists

find the apex SOA RRset, if it exists.

References az_domain_rrset(), az_find_name(), LDNS_RR_TYPE_SOA, auth_zone::name, and auth_zone::namelen.

Referenced by rpz_add_soa().

◆ auth_zone_get_serial()

int auth_zone_get_serial ( struct auth_zone z,
uint32_t *  serial 
)

find serial number of zone or false if none

find serial number of zone or false if none (no SOA record)

References az_domain_rrset(), az_find_name(), packed_rrset_data::count, auth_rrset::data, LDNS_RR_TYPE_SOA, auth_zone::name, auth_zone::namelen, and packed_rrset_data::rr_len.

Referenced by auth_zone_zonemd_check_hash(), and do_list_auth_zones().

◆ auth_xfer_setup()

static int auth_xfer_setup ( struct auth_zone z,
struct auth_xfer x 
)
static

Setup auth_xfer zone This populates the have_zone, soa values, and so on times.

Doesn't do network traffic yet, can set option flags.

Parameters
zlocked by caller, and modified for setup
xlocked by caller, and modified.
Returns
false on failure.

References xfr_find_soa().

Referenced by auth_zones_setup_zones().

◆ auth_zones_setup_zones()

static int auth_zones_setup_zones ( struct auth_zones az)
static

Setup all zones.

Parameters
azauth zones structure
Returns
false on failure.

References auth_xfer_find(), auth_xfer_setup(), auth_zone::dclass, auth_zones::lock, auth_zone::lock, auth_xfer::lock, auth_zone::name, auth_zone::namelen, RBTREE_FOR, and auth_zones::ztree.

Referenced by auth_zones_apply_cfg().

◆ az_delete_deleted_zones()

static void az_delete_deleted_zones ( struct auth_zones az)
static

find zones that are marked deleted and delete them.

This is called from apply_cfg, and there are no threads and no workers, so the xfr can just be deleted.

References auth_xfer_delete(), auth_xfer_find(), auth_zone_delete(), auth_zone::dclass, auth_zone::delete_next, auth_zones::lock, auth_zone::lock, auth_zone::name, auth_zone::namelen, auth_zone::node, auth_xfer::node, rbtree_delete(), RBTREE_FOR, auth_zones::xtree, auth_zone::zone_deleted, and auth_zones::ztree.

Referenced by auth_zones_apply_cfg().

◆ auth_zones_apply_cfg()

int auth_zones_apply_cfg ( struct auth_zones az,
struct config_file cfg,
int  setup,
int *  is_rpz,
struct module_env env,
struct module_stack mods 
)

Apply configuration to auth zones.

Reads zonefiles.

Parameters
azauth zones structure
cfgconfig to apply.
setupif true, also sets up values in the auth zones structure
is_rpzset to 1 if at least one RPZ zone is configured.
envenvironment for offline verification.
modsmodules in environment.
Returns
false on failure.

References auth_zones_cfg(), auth_zones_read_zones(), auth_zones_setup_zones(), config_file::auths, az_delete_deleted_zones(), az_setall_deleted(), config_auth::isrpz, log_err(), log_warn(), config_auth::name, and config_auth::next.

Referenced by check_auth(), and context_finalize().

◆ auth_chunks_delete()

static void auth_chunks_delete ( struct auth_transfer at)
static

delete chunks

Parameters
attransfer structure with chunks list. The chunks and their data are freed.

References auth_transfer::chunks_first, auth_transfer::chunks_last, auth_chunk::data, and auth_chunk::next.

Referenced by auth_xfer_delete(), auth_xfer_transfer_http_callback(), auth_xfer_transfer_timer_callback(), auth_zones_cleanup(), and process_list_end_transfer().

◆ az_find_ce()

static int az_find_ce ( struct auth_zone z,
struct query_info qinfo,
struct auth_data node,
int  node_exact,
struct auth_data **  ce,
struct auth_rrset **  rrset 
)
static

Find the closest encloser, an name that exists and is above the qname.

return true if the node (param node) is existing, nonobscured and can be used to generate answers from. It is then also node_exact. returns false if the node is not good enough (or it wasn't node_exact) in this case the ce can be filled. if ce is NULL, no ce exists, and likely the zone is completely empty, not even with a zone apex. if ce is nonNULL it is the closest enclosing upper name (that exists itself for answer purposes). That name may have DNAME, NS or wildcard rrset is the closest DNAME or NS rrset that was found.

References az_domain_go_up(), az_domain_rrset(), az_find_candidate_ce(), domain_has_only_nsec3(), LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, auth_zone::namelen, auth_data::namelen, auth_data::node, query_info::qname_len, and query_info::qtype.

Referenced by auth_zone_generate_answer().

◆ az_empty_nonterminal()

static int az_empty_nonterminal ( struct auth_zone z,
struct query_info qinfo,
struct auth_data node 
)
static

See if the query goes to empty nonterminal (that has no auth_data, but there are nodes underneath.

We already checked that there are not NS, or DNAME above, so that we only need to check if some node exists below (with nonempty rr list), return true if emptynonterminal

References auth_zone::data, dname_strict_subdomain_c(), auth_data::name, auth_data::node, query_info::qname, rbtree_first(), rbtree_next(), RBTREE_NULL, and auth_data::rrsets.

Referenced by az_generate_answer_nonexistnode().

◆ az_nsec3_hash()

static size_t az_nsec3_hash ( uint8_t *  buf,
size_t  buflen,
uint8_t *  nm,
size_t  nmlen,
int  algo,
size_t  iter,
uint8_t *  salt,
size_t  saltlen 
)
static

Hash a name with nsec3param into buffer, it has zone name appended.

return length of hash

References LDNS_MAX_DOMAINLEN, N3HASHBUFLEN, nsec3_hash_algo_size_supported(), query_dname_tolower(), and secalgo_nsec3_hash().

Referenced by az_nsec3_hashname().

◆ az_nsec3_get_nextcloser()

static void az_nsec3_get_nextcloser ( uint8_t *  cenm,
uint8_t *  qname,
size_t  qname_len,
uint8_t **  nx,
size_t *  nxlen 
)
static

Return nextcloser name (as a ref into the qname).

This is one label more than the cenm (cename must be a suffix of qname)

References dname_count_labels(), dname_remove_labels(), dname_strict_subdomain(), and log_assert.

◆ az_nsec3_find_ce()

static struct auth_data* az_nsec3_find_ce ( struct auth_zone z,
uint8_t **  cenm,
size_t *  cenmlen,
int *  no_exact_ce,
int  algo,
size_t  iter,
uint8_t *  salt,
size_t  saltlen 
)
static

Find the closest encloser that has exact NSEC3.

updated cenm to the new name. If it went up no-exact-ce is true.

References az_nsec3_find_exact(), dname_remove_label(), auth_zone::namelen, and auth_data::node.

◆ az_add_nsec3_proof()

static int az_add_nsec3_proof ( struct auth_zone z,
struct regional region,
struct dns_msg msg,
uint8_t *  cenm,
size_t  cenmlen,
uint8_t *  qname,
size_t  qname_len,
int  nodataproof,
int  ceproof,
int  nxproof,
int  wcproof 
)
static

add NSEC3 records to the zone for the nsec3 proof.

Specify with the flags with parts of the proof are required. the ce is the exact matching name (for notype) but also delegation points. qname is the one where the nextcloser name can be derived from. If NSEC3 is not properly there (in the zone) nothing is added. always enabled: include nsec3 proving about the Closest Encloser. that is an exact match that should exist for it. If that does not exist, a higher exact match + nxproof is enabled (for some sort of opt-out empty nonterminal cases). nodataproof: search for exact match and include that instead. ceproof: include ce proof NSEC3 (omitted for wildcard replies). nxproof: include denial of the qname. wcproof: include denial of wildcard (wildcard.ce).

References az_nsec3_find_exact(), az_nsec3_param(), match(), and auth_data::node.

Referenced by az_generate_wildcard_answer().

◆ az_generate_answer_nonexistnode()

static int az_generate_answer_nonexistnode ( struct auth_zone z,
struct query_info qinfo,
struct regional region,
struct dns_msg msg,
struct auth_data ce,
struct auth_rrset rrset,
struct auth_data node 
)
static

◆ auth_zones_lookup()

int auth_zones_lookup ( struct auth_zones az,
struct query_info qinfo,
struct regional region,
struct dns_msg **  msg,
int *  fallback,
uint8_t *  dp_nm,
size_t  dp_nmlen 
)

Use auth zones to lookup the answer to a query.

The query is from the iterator. And the auth zones attempts to provide the answer instead of going to the internet.

Parameters
azauth zones structure.
qinfoquery info to lookup.
regionregion to use to allocate the reply in.
msgreply is stored here (if one).
fallbackif true, fallback to making a query to the internet.
dp_nmname of delegation point to look for. This zone is used to answer the query. If the dp_nm is not found, fallback is set to true and false returned.
dp_nmlenlength of dp_nm.
Returns
0: failure (an error of some sort, like servfail). if 0 and fallback is true, fallback to the internet. if 0 and fallback is false, like getting servfail. If true, an answer is available.

References auth_zone_find(), auth_zone_generate_answer(), auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, auth_zone::lock, query_info::qclass, and auth_zone::zone_expired.

Referenced by q_ans_query().

◆ auth_zones_answer()

int auth_zones_answer ( struct auth_zones az,
struct module_env env,
struct query_info qinfo,
struct edns_data edns,
struct comm_reply repinfo,
struct sldns_buffer buf,
struct regional temp 
)

Answer query from auth zone.

Create authoritative answer.

Parameters
azauth zones structure.
envthe module environment.
qinfoquery info (parsed).
ednsedns info (parsed).
bufbuffer with query ID and flags, also for reply.
repinforeply information for a communication point.
temptemporary storage region.
Returns
false if not answered

References auth_error_encode(), auth_zones_find_zone(), dname_remove_label(), auth_zone::fallback_enabled, auth_zone::for_downstream, auth_zones::have_downstream, LDNS_RR_TYPE_DS, auth_zones::lock, auth_zone::lock, auth_zones::num_query_down, query_info::qclass, query_info::qname, query_info::qname_len, query_info::qtype, and auth_zone::zone_expired.

Referenced by handle_newq().

◆ auth_zones_can_fallback()

int auth_zones_can_fallback ( struct auth_zones az,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

see if the auth zone for the name can fallback

Parameters
azauth zones
nmname of delegation point.
nmlenlength of nm.
dclassclass of zone to look for.
Returns
true if fallback_enabled is true. false if not. if the zone does not exist, fallback is true (more lenient) also true if zone does not do upstream requests.

References auth_zone_find(), auth_zone::dclass, auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, and auth_zone::lock.

◆ auth_zone_parse_notify_serial()

int auth_zone_parse_notify_serial ( struct sldns_buffer pkt,
uint32_t *  serial 
)

process notify packet and read serial number from SOA.

returns 0 if no soa record in the notify

References query_info_parse(), and sldns_buffer_set_position().

◆ xfr_serial_means_update()

static int xfr_serial_means_update ( struct auth_xfer xfr,
uint32_t  serial 
)
static

see if the serial means the zone has to be updated, i.e.

the serial is newer than the zone serial, or we have no zone

References auth_xfer::have_zone, and auth_xfer::zone_expired.

Referenced by auth_xfer_probe_udp_callback(), process_list_end_transfer(), and xfr_process_notify().

◆ xfr_process_notify()

static void xfr_process_notify ( struct auth_xfer xfr,
struct module_env env,
int  has_serial,
uint32_t  serial,
struct auth_master fromhost 
)
static

process a notify serial, start new probe or note serial.

xfr is locked

References auth_xfer::lock, xfr_note_notify_serial(), xfr_serial_means_update(), and xfr_start_probe().

Referenced by auth_zones_notify(), and auth_zones_startprobesequence().

◆ auth_zones_notify()

int auth_zones_notify ( struct auth_zones az,
struct module_env env,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass,
struct sockaddr_storage *  addr,
socklen_t  addrlen,
int  has_serial,
uint32_t  serial,
int *  refused 
)

process notify for auth zones.

first checks the access list. Then processes the notify. This starts the probe sequence or it notes the serial number (if any)

Parameters
azauth zones structure.
envmodule env of the worker that is handling the notify. it will pick up the task probe (or transfer), unless already in progress by another worker.
nmname of the zone. Uncompressed. from query.
nmlenlength of name.
dclassclass of zone.
addrsource address of notify
addrlenlength of addr.
has_serialif true, the notify has a serial attached.
serialthe serial number, if has_serial is true.
refusedis set to true on failure to note refused access.
Returns
fail on failures (refused is false) and when access is denied (refused is true). True when processed.

References auth_xfer_find(), az_xfr_allowed_notify(), auth_zones::lock, auth_xfer::lock, and xfr_process_notify().

◆ auth_zones_startprobesequence()

int auth_zones_startprobesequence ( struct auth_zones az,
struct module_env env,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

for the zone and if not already going, starts the probe sequence.

false if zone cannot be found. This is like a notify arrived and was accepted for that zone.

References auth_xfer_find(), auth_xfer::dclass, auth_zones::lock, auth_xfer::lock, and xfr_process_notify().

Referenced by do_auth_zone_transfer().

◆ chunkline_remove_trailcomment()

static void chunkline_remove_trailcomment ( sldns_buffer buf,
size_t  start 
)
static

remove trailing ;...

comment from a line in the chunkline buffer

References sldns_buffer_position(), sldns_buffer_read_u8_at(), and sldns_buffer_set_position().

Referenced by chunkline_get_line_collated().

◆ ixfr_start_serial()

static int ixfr_start_serial ( struct auth_chunk rr_chunk,
int  rr_num,
size_t  rr_pos,
uint8_t *  rr_dname,
uint16_t  rr_type,
uint16_t  rr_class,
uint32_t  rr_ttl,
uint16_t  rr_rdlen,
uint8_t *  rr_rdata,
size_t  rr_nextpos,
uint32_t  transfer_serial,
uint32_t  xfr_serial 
)
static

check that start serial is OK for ixfr.

we are at rr_counter == 0, and we are going to check rr_counter == 1 (has to be type SOA) serial

References chunk_rrlist_end(), chunk_rrlist_get_current(), chunk_rrlist_gonext(), LDNS_RR_TYPE_SOA, VERB_OPS, and verbose().

◆ apply_ixfr()

static int apply_ixfr ( struct auth_xfer xfr,
struct auth_zone z,
struct sldns_buffer scratch_buffer 
)
static

apply IXFR to zone in memory.

z is locked. false on failure(mallocfail)

References chunk_rrlist_end(), chunk_rrlist_get_current(), chunk_rrlist_start(), LDNS_RR_TYPE_SOA, log_rrlist_position(), and verbosity.

Referenced by xfr_process_chunk_list().

◆ apply_axfr()

static int apply_axfr ( struct auth_xfer xfr,
struct auth_zone z,
struct sldns_buffer scratch_buffer 
)
static

◆ apply_http()

◆ xfr_process_reacquire_locks()

static int xfr_process_reacquire_locks ( struct auth_xfer xfr,
struct module_env env,
struct auth_zone **  z 
)
static

reacquire locks and structures.

Starts with no locks, ends with xfr and z locks, if fail, no z lock

References auth_zone_find(), module_env::auth_zones, auth_xfer::dclass, auth_zones::lock, auth_xfer::lock, auth_xfer::name, and auth_xfer::namelen.

Referenced by xfr_process_chunk_list().

◆ xfr_transfer_disown()

static void xfr_transfer_disown ( struct auth_xfer xfr)
static

◆ xfr_transfer_init_fetch()

static int xfr_transfer_init_fetch ( struct auth_xfer xfr,
struct module_env env 
)
static

◆ check_xfer_packet()

static int check_xfer_packet ( sldns_buffer pkt,
struct auth_xfer xfr,
int *  gonextonfail,
int *  transferdone 
)
static

check if xfer (AXFR or IXFR) packet is OK.

return false if we lost connection (SERVFAIL, or unreadable). return false if we need to move from IXFR to AXFR, with gonextonfail set to false, so the same master is tried again, but with AXFR. return true if fine to link into data. return true with transferdone=true when the transfer has ended.

References sldns_buffer_begin(), and sldns_buffer_limit().

◆ process_list_end_transfer()

static void process_list_end_transfer ( struct auth_xfer xfr,
struct module_env env 
)
static

◆ auth_xfer_transfer_timer_callback()

◆ xfr_probe_disown()

static void xfr_probe_disown ( struct auth_xfer xfr)
static

◆ auth_xfer_probe_timer_callback()

◆ auth_xfer_probe_udp_callback()

◆ xfr_nextprobe_disown()

static void xfr_nextprobe_disown ( struct auth_xfer xfr)
static

disown task_nextprobe.

caller must hold xfr.lock

References comm_timer_delete(), auth_nextprobe::next_probe, auth_xfer::task_nextprobe, and auth_nextprobe::timer.

Referenced by auth_xfer_timer(), and auth_zones_cleanup().

◆ auth_xfer_pickup_initial()

void auth_xfer_pickup_initial ( struct auth_zones az,
struct module_env env 
)

initial pick up of worker timeouts, ties events to worker event loop

Parameters
azauth zones structure
envworker env, of first worker that receives the events (if any) in its eventloop.

References auth_xfer::have_zone, auth_xfer::lease_time, auth_zones::lock, auth_xfer::lock, module_env::now, RBTREE_FOR, auth_xfer::task_nextprobe, xfr_set_timeout(), and auth_zones::xtree.

◆ auth_zones_cleanup()

void auth_zones_cleanup ( struct auth_zones az)

Cleanup auth zones.

This removes all events from event bases. Stops the xfr tasks. But leaves zone data.

Parameters
azauth zones structure.

References auth_chunks_delete(), auth_zones::lock, auth_xfer::lock, RBTREE_FOR, auth_xfer::task_nextprobe, auth_xfer::task_probe, auth_xfer::task_transfer, xfr_nextprobe_disown(), xfr_probe_disown(), xfr_transfer_disown(), and auth_zones::xtree.

Referenced by daemon_cleanup().

◆ auth_xfer_new()

◆ auth_xfer_create()

struct auth_xfer* auth_xfer_create ( struct auth_zones az,
struct auth_zone z 
)

Create auth_xfer structure.

This populates the have_zone, soa values, and so on times. and sets the timeout, if a zone transfer is needed a short timeout is set. For that the auth_zone itself must exist (and read in zonefile) returns false on alloc failure.

References auth_xfer_new(), log_err(), auth_xfer::node, rbtree_insert(), and auth_zones::xtree.

Referenced by auth_zones_find_or_add_xfer().

◆ xfer_set_masters()

int xfer_set_masters ( struct auth_master **  list,
struct config_auth c,
int  with_http 
)

Set masters in auth xfer structure from config.

Parameters
listpointer to start of list. The malloced list is returned here.
cthe config items to copy over.
with_httpif true, http urls are also included, before the masters.
Returns
false on failure.

References auth_master::allow_notify, config_auth::allow_notify, auth_master_new(), auth_master::file, auth_master::host, auth_master::http, auth_master::ixfr, log_err(), config_auth::masters, config_strlist::next, parse_url(), auth_master::port, auth_master::ssl, config_strlist::str, and config_auth::urls.

◆ auth_zone_generate_zonemd_hash()

int auth_zone_generate_zonemd_hash ( struct auth_zone z,
int  scheme,
int  hashalgo,
uint8_t *  hash,
size_t  buflen,
size_t *  resultlen,
struct regional region,
struct sldns_buffer buf,
char **  reason 
)

Generate ZONEMD digest for the auth zone.

Parameters
zthe auth zone to digest. omits zonemd at apex and its RRSIG from the digest.
schemethe collation scheme to use. Numbers as defined for ZONEMD.
hashalgothe hash algo, from the registry defined for ZONEMD type.
hashthe result buffer.
buflensize of the result buffer, must be large enough. or the routine fails.
resultlensize of the hash in the result buffer of the result.
regiontemp region for allocs during canonicalisation.
buftemp buffer during canonicalisation.
reasonfailure reason, returns a string, NULL on success.
Returns
false on failure.

References secalgo_hash_delete(), zonemd_digest_finish(), zonemd_digest_init(), ZONEMD_SCHEME_SIMPLE, and zonemd_simple_collate().

Referenced by auth_zone_generate_zonemd_check(), and zonemd_generate_test().

◆ auth_zone_generate_zonemd_check()

int auth_zone_generate_zonemd_check ( struct auth_zone z,
int  scheme,
int  hashalgo,
uint8_t *  hash,
size_t  hashlen,
struct regional region,
struct sldns_buffer buf,
char **  reason 
)

Check ZONEMD digest for the auth zone.

Parameters
zauth zone to digest.
schemezonemd scheme.
hashalgozonemd hash algorithm.
hashthe hash to check.
hashlenlength of hash buffer.
regiontemp region for allocs during canonicalisation.
buftemp buffer during canonicalisation.
reasonstring returned with failure reason. If the hash cannot be checked, but it is allowed, for unknown algorithms, the routine returns success, and the reason is nonNULL, with the allowance reason.
Returns
false on failure.

References auth_zone_generate_zonemd_hash(), log_hex(), VERB_ALGO, verbose(), verbosity, zonemd_hashalgo_supported(), and zonemd_scheme_supported().

◆ zonemd_check_dnssec_absence()

static int zonemd_check_dnssec_absence ( struct auth_zone z,
struct module_env env,
struct module_stack mods,
struct ub_packed_rrset_key dnskey,
struct auth_data apex,
char **  reason,
char **  why_bogus,
uint8_t *  sigalg 
)
static

Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag.

return false on failure, reason contains description of failure.

References az_domain_rrset().

◆ zonemd_check_dnssec_soazonemd()

static int zonemd_check_dnssec_soazonemd ( struct auth_zone z,
struct module_env env,
struct module_stack mods,
struct ub_packed_rrset_key dnskey,
struct auth_data apex,
struct auth_rrset zonemd_rrset,
char **  reason,
char **  why_bogus,
uint8_t *  sigalg 
)
static

Verify the SOA and ZONEMD DNSSEC signatures.

return false on failure, reason contains description of failure.

References auth_zone_log(), az_domain_rrset(), LDNS_RR_TYPE_SOA, auth_zone::name, VERB_ALGO, and zonemd_dnssec_verify_rrset().

◆ auth_zone_zonemd_fail()

static void auth_zone_zonemd_fail ( struct auth_zone z,
struct module_env env,
char *  reason,
char *  why_bogus,
char **  result 
)
static

Fail the ZONEMD verification.

Parameters
zauth zone that fails.
envenvironment with config, to ignore failure or not.
reasonfailure string description.
why_bogusfailure string for DNSSEC verification failure.
resultstrdup result in here if not NULL.

References module_env::cfg, dname_str(), log_err(), log_warn(), auth_zone::name, VERB_ALGO, verbose(), auth_zone::zone_expired, and config_file::zonemd_permissive_mode.

Referenced by auth_zone_verify_zonemd().

◆ auth_zone_verify_zonemd_with_key()

static void auth_zone_verify_zonemd_with_key ( struct auth_zone z,
struct module_env env,
struct module_stack mods,
struct ub_packed_rrset_key dnskey,
int  is_insecure,
char **  result,
uint8_t *  sigalg 
)
static

Verify the zonemd with DNSSEC and hash check, with given key.

Parameters
zauth zone.
envenvironment with config and temp buffers.
modsmodule stack with validator env for verification.
dnskeydnskey that we can use, or NULL. If nonnull, the key has been verified and is the start of the chain of trust.
is_insecureif true, the dnskey is not used, the zone is insecure. And dnssec is not used. It is DNSSEC secure insecure or not under a trust anchor.
sigalgif nonNULL provide algorithm downgrade protection. Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1.
resultif not NULL result reason copied here.

References az_domain_rrset(), az_find_name(), auth_zone::name, and auth_zone::namelen.

Referenced by auth_zone_verify_zonemd().

◆ zonemd_get_dnskey_from_anchor()

static struct ub_packed_rrset_key* zonemd_get_dnskey_from_anchor ( struct auth_zone z,
struct module_env env,
struct module_stack mods,
struct trust_anchor anchor,
int *  is_insecure,
char **  why_bogus,
struct ub_packed_rrset_key keystorage 
)
static

verify the zone DNSKEY rrset from the trust anchor This is possible because the anchor is for the zone itself, and can thus apply straight to the zone DNSKEY set.

Parameters
zthe auth zone.
envenvironment with time and temp buffers.
modsmodule stack for validator environment for dnssec validation.
anchortrust anchor to use
is_insecurereturned, true if the zone is securely insecure.
why_bogusif the routine fails, returns the failure reason.
keystoragewhere to store the ub_packed_rrset_key that is created on success. A pointer to it is returned on success.
Returns
the dnskey RRset, reference to zone data and keystorage, or NULL on failure.

References az_domain_rrset(), az_find_name(), auth_zone::name, and auth_zone::namelen.

Referenced by auth_zone_verify_zonemd().

◆ auth_zone_verify_zonemd()

void auth_zone_verify_zonemd ( struct auth_zone z,
struct module_env env,
struct module_stack mods,
char **  result,
int  offline,
int  only_online 
)

Perform ZONEMD checks and verification for the auth zone.

This includes DNSSEC verification if applicable.

Parameters
zauth zone to check. Caller holds lock. wrlock.
envwith temp region, buffer and config.
modsmodule stack for validator env.
resultif not NULL, result string strdupped in here.
offlineif true, there is no spawned lookup when online is needed. Those zones are skipped for ZONEMD checking.
only_onlineif true, only for ZONEMD that need online lookup of DNSKEY chain of trust are processed.

References module_env::anchors, anchors_lookup(), auth_zone_verify_zonemd_with_key(), auth_zone_zonemd_fail(), rbtree_type::count, auth_zone::data, auth_zone::dclass, trust_anchor::lock, auth_zone::name, trust_anchor::name, auth_zone::namelen, trust_anchor::numDNSKEY, trust_anchor::numDS, query_dname_compare(), regional_free_all(), module_env::scratch, auth_zone::zonemd_check, zonemd_get_dnskey_from_anchor(), and zonemd_lookup_dnskey().

Referenced by auth_zones_pickup_zonemd_verify(), do_auth_zone_reload(), xfr_process_chunk_list(), and zonemd_offline_verify().

◆ auth_zones_pickup_zonemd_verify()

void auth_zones_pickup_zonemd_verify ( struct auth_zones az,
struct module_env env 
)

Check the ZONEMD records that need online DNSSEC chain lookups, for them spawn the lookup process to get it checked out.

Attaches the lookup process to the worker event base and mesh state.

Parameters
azauth zones, every zones is checked.
envenv of the worker where the task is attached.

References auth_zone_verify_zonemd(), auth_zone::dclass, rbnode_type::key, auth_zones::lock, auth_zone::lock, log_err(), module_env::mesh, mesh_area::mods, auth_zone::name, auth_zone::namelabs, auth_zone::namelen, auth_zone::node, RBTREE_FOR, rbtree_search(), auth_zone::zonemd_check, and auth_zones::ztree.