authzone.h File Reference

This file contains the functions for an authority zone. More...

#include "util/rbtree.h"
#include "util/locks.h"
#include "services/mesh.h"
#include "services/rpz.h"

Data Structures

struct  auth_zones
 Authoritative zones, shared. More...
 
struct  auth_zone
 Auth zone. More...
 
struct  auth_data
 Auth data. More...
 
struct  auth_rrset
 An auth data RRset. More...
 
struct  auth_xfer
 Authoritative zone transfer structure. More...
 
struct  auth_nextprobe
 The next probe task. More...
 
struct  auth_probe
 The probe task. More...
 
struct  auth_transfer
 The transfer task. More...
 
struct  auth_addr
 list of addresses More...
 
struct  auth_master
 auth zone master upstream, and the config settings for it More...
 
struct  auth_chunk
 auth zone master zone transfer data chunk More...
 

Macros

#define ZONEMD_SCHEME_SIMPLE   1
 ZONEMD scheme definitions.
 
#define ZONEMD_ALGO_SHA384   1
 ZONEMD hash algorithm definition for SHA384.
 
#define ZONEMD_ALGO_SHA512   2
 ZONEMD hash algorithm definition for SHA512.
 

Functions

struct auth_zones *auth_zones_create (void)
 Create auth zones structure.
 
int auth_zones_apply_cfg (struct auth_zones *az, struct config_file *cfg, int setup, int *is_rpz, struct module_env *env, struct module_stack *mods)
 Apply configuration to auth zones. More...
 
void auth_xfer_pickup_initial (struct auth_zones *az, struct module_env *env)
 initial pick up of worker timeouts, ties events to worker event loop More...
 
void auth_zones_cleanup (struct auth_zones *az)
 Cleanup auth zones. More...
 
void auth_zones_delete (struct auth_zones *az)
 Delete auth zones structure.
 
int auth_zone_write_file (struct auth_zone *z, const char *fname)
 Write auth zone data to file, in zonefile format.
 
int auth_zones_lookup (struct auth_zones *az, struct query_info *qinfo, struct regional *region, struct dns_msg **msg, int *fallback, uint8_t *dp_nm, size_t dp_nmlen)
 Use auth zones to lookup the answer to a query. More...
 
int auth_zones_answer (struct auth_zones *az, struct module_env *env, struct query_info *qinfo, struct edns_data *edns, struct comm_reply *repinfo, struct sldns_buffer *buf, struct regional *temp)
 Answer query from auth zone. More...
 
struct auth_zone *auth_zones_find_zone (struct auth_zones *az, uint8_t *name, size_t name_len, uint16_t dclass)
 Find the auth zone that is above the given qname. More...
 
struct auth_zone *auth_zone_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 find an auth zone by name (exact match by name or NULL returned)
 
struct auth_xfer *auth_xfer_find (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 find an xfer zone by name (exact match by name or NULL returned)
 
struct auth_zone *auth_zone_create (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 create an auth zone. More...
 
int auth_zone_set_zonefile (struct auth_zone *z, char *zonefile)
 set auth zone zonefile string. More...
 
int auth_zone_set_fallback (struct auth_zone *z, char *fallbackstr)
 set auth zone fallback. More...
 
int auth_zones_can_fallback (struct auth_zones *az, uint8_t *nm, size_t nmlen, uint16_t dclass)
 see if the auth zone for the name can fallback More...
 
int auth_zones_notify (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass, struct sockaddr_storage *addr, socklen_t addrlen, int has_serial, uint32_t serial, int *refused)
 process notify for auth zones. More...
 
int auth_zone_parse_notify_serial (struct sldns_buffer *pkt, uint32_t *serial)
 process notify packet and read serial number from SOA. More...
 
int auth_zones_startprobesequence (struct auth_zones *az, struct module_env *env, uint8_t *nm, size_t nmlen, uint16_t dclass)
 for the zone and if not already going, starts the probe sequence. More...
 
int auth_zone_read_zonefile (struct auth_zone *z, struct config_file *cfg)
 read auth zone from zonefile. More...
 
struct auth_rrset *auth_zone_get_soa_rrset (struct auth_zone *z)
 find the apex SOA RRset, if it exists. More...
 
int auth_zone_get_serial (struct auth_zone *z, uint32_t *serial)
 find serial number of zone or false if none (no SOA record) More...
 
int xfr_find_soa (struct auth_zone *z, struct auth_xfer *xfr)
 Find auth_zone SOA and populate the values in xfr(soa values).
 
int auth_zone_cmp (const void *z1, const void *z2)
 compare auth_zones for sorted rbtree
 
int auth_data_cmp (const void *z1, const void *z2)
 compare auth_data for sorted rbtree
 
int auth_xfer_cmp (const void *z1, const void *z2)
 compare auth_xfer for sorted rbtree
 
struct auth_xfer *auth_xfer_create (struct auth_zones *az, struct auth_zone *z)
 Create auth_xfer structure. More...
 
int xfer_set_masters (struct auth_master **list, struct config_auth *c, int with_http)
 Set masters in auth xfer structure from config. More...
 
void auth_xfer_timer (void *arg)
 xfer nextprobe timeout callback, this is part of task_nextprobe
 
int auth_xfer_probe_udp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo)
 callback for commpoint udp replies to task_probe More...
 
int auth_xfer_transfer_tcp_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo)
 callback for task_transfer tcp connections
 
int auth_xfer_transfer_http_callback (struct comm_point *c, void *arg, int err, struct comm_reply *repinfo)
 callback for task_transfer http connections
 
void auth_xfer_probe_timer_callback (void *arg)
 xfer probe timeout callback, part of task_probe More...
 
void auth_xfer_transfer_timer_callback (void *arg)
 xfer transfer timeout callback, part of task_transfer More...
 
void auth_xfer_probe_lookup_callback (void *arg, int rcode, struct sldns_buffer *buf, enum sec_status sec, char *why_bogus, int was_ratelimited)
 mesh callback for task_probe on lookup of host names
 
void auth_xfer_transfer_lookup_callback (void *arg, int rcode, struct sldns_buffer *buf, enum sec_status sec, char *why_bogus, int was_ratelimited)
 mesh callback for task_transfer on lookup of host names
 
int compare_serial (uint32_t a, uint32_t b)
 
int auth_zone_generate_zonemd_hash (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t buflen, size_t *resultlen, struct regional *region, struct sldns_buffer *buf, char **reason)
 Generate ZONEMD digest for the auth zone. More...
 
int zonemd_hashalgo_supported (int hashalgo)
 returns true if a zonemd hash algo is supported
 
int zonemd_scheme_supported (int scheme)
 returns true if a zonemd scheme is supported
 
int auth_zone_generate_zonemd_check (struct auth_zone *z, int scheme, int hashalgo, uint8_t *hash, size_t hashlen, struct regional *region, struct sldns_buffer *buf, char **reason)
 Check ZONEMD digest for the auth zone. More...
 
void auth_zone_verify_zonemd (struct auth_zone *z, struct module_env *env, struct module_stack *mods, char **result, int offline, int only_online)
 Perform ZONEMD checks and verification for the auth zone. More...
 
void auth_zonemd_dnskey_lookup_callback (void *arg, int rcode, struct sldns_buffer *buf, enum sec_status sec, char *why_bogus, int was_ratelimited)
 mesh callback for zonemd on lookup of dnskey
 
void auth_zones_pickup_zonemd_verify (struct auth_zones *az, struct module_env *env)
 Check the ZONEMD records that need online DNSSEC chain lookups, for them spawn the lookup process to get it checked out. More...
 

Detailed Description

This file contains the functions for an authority zone.

This zone is queried by the iterator, just like a stub or forward zone, but then the data is locally held.

Function Documentation

◆ auth_zones_apply_cfg()

int auth_zones_apply_cfg ( struct auth_zones *  az,
struct config_file *  cfg,
int  setup,
int *  is_rpz,
struct module_env *  env,
struct module_stack *  mods 
)

Apply configuration to auth zones.

Reads zonefiles.

Parameters
az: auth zones structure
cfg: config to apply.
setup: if true, also sets up values in the auth zones structure
is_rpz: set to 1 if at least one RPZ zone is configured.
env: environment for offline verification.
mods: modules in environment.
Returns
false on failure.

References auth_zones_cfg(), auth_zones_read_zones(), auth_zones_setup_zones(), config_file::auths, az_delete_deleted_zones(), az_setall_deleted(), config_auth::isrpz, log_err(), log_warn(), config_auth::name, and config_auth::next.

Referenced by check_auth(), and context_finalize().

◆ auth_xfer_pickup_initial()

void auth_xfer_pickup_initial ( struct auth_zones *  az,
struct module_env *  env 
)

initial pick up of worker timeouts, ties events to worker event loop

Parameters
az: auth zones structure
env: worker env, of the first worker that receives the events (if any) in its event loop.

References auth_xfer::have_zone, auth_xfer::lease_time, auth_zones::lock, auth_xfer::lock, module_env::now, RBTREE_FOR, auth_xfer::task_nextprobe, xfr_set_timeout(), and auth_zones::xtree.

◆ auth_zones_cleanup()

void auth_zones_cleanup ( struct auth_zones *  az)

Cleanup auth zones.

This removes all events from event bases. Stops the xfr tasks. But leaves zone data.

Parameters
az: auth zones structure.

References auth_chunks_delete(), auth_zones::lock, auth_xfer::lock, RBTREE_FOR, auth_xfer::task_nextprobe, auth_xfer::task_probe, auth_xfer::task_transfer, xfr_nextprobe_disown(), xfr_probe_disown(), xfr_transfer_disown(), and auth_zones::xtree.

Referenced by daemon_cleanup().

◆ auth_zones_lookup()

int auth_zones_lookup ( struct auth_zones *  az,
struct query_info *  qinfo,
struct regional *  region,
struct dns_msg **  msg,
int *  fallback,
uint8_t *  dp_nm,
size_t  dp_nmlen 
)

Use auth zones to lookup the answer to a query.

The query is from the iterator. And the auth zones attempts to provide the answer instead of going to the internet.

Parameters
az: auth zones structure.
qinfo: query info to look up.
region: region to use to allocate the reply in.
msg: reply is stored here (if there is one).
fallback: if true, fall back to making a query to the internet.
dp_nm: name of the delegation point to look for. This zone is used to answer the query. If dp_nm is not found, fallback is set to true and false is returned.
dp_nmlen: length of dp_nm.
Returns
0: failure (an error of some sort, like servfail). If 0 and fallback is true, fall back to the internet. If 0 and fallback is false, treat it like a servfail. If true (non-zero), an answer is available.

References auth_zone_find(), auth_zone_generate_answer(), auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, auth_zone::lock, query_info::qclass, and auth_zone::zone_expired.

Referenced by q_ans_query().

◆ auth_zones_answer()

int auth_zones_answer ( struct auth_zones *  az,
struct module_env *  env,
struct query_info *  qinfo,
struct edns_data *  edns,
struct comm_reply *  repinfo,
struct sldns_buffer *  buf,
struct regional *  temp 
)

Answer query from auth zone.

Create authoritative answer.

Parameters
az: auth zones structure.
env: the module environment.
qinfo: query info (parsed).
edns: edns info (parsed).
buf: buffer with query ID and flags, also used for the reply.
repinfo: reply information for a communication point.
temp: temporary storage region.
Returns
false if not answered

References auth_error_encode(), auth_zones_find_zone(), dname_remove_label(), auth_zone::fallback_enabled, auth_zone::for_downstream, auth_zones::have_downstream, LDNS_RR_TYPE_DS, auth_zones::lock, auth_zone::lock, auth_zones::num_query_down, query_info::qclass, query_info::qname, query_info::qname_len, query_info::qtype, and auth_zone::zone_expired.

Referenced by handle_newq().

◆ auth_zones_find_zone()

struct auth_zone* auth_zones_find_zone ( struct auth_zones *  az,
uint8_t *  name,
size_t  name_len,
uint16_t  dclass 
)

Find the auth zone that is above the given qname.

Returns NULL when there is no auth_zone above the given name, otherwise returns the closest auth_zone above the qname that pertains to it.

Parameters
az: auth zones structure.
name: query name to look up.
name_len: length of name.
dclass: class of zone to find.
Returns
NULL or auth_zone that pertains to the query.

Find the auth zone that is above the given qname.

References auth_zone_find(), auth_zone_find_less_equal(), auth_zone::dclass, dname_count_size_labels(), dname_get_shared_topdomain(), dname_is_root(), dname_remove_label(), and auth_zone::name.

Referenced by auth_zone_delegpt(), and auth_zones_answer().

◆ auth_zone_create()

struct auth_zone* auth_zone_create ( struct auth_zones *  az,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

◆ auth_zone_set_zonefile()

int auth_zone_set_zonefile ( struct auth_zone *  z,
char *  zonefile 
)

set auth zone zonefile string.

caller must have lock on zone

References log_err(), and auth_zone::zonefile.

Referenced by auth_zones_cfg().

◆ auth_zone_set_fallback()

int auth_zone_set_fallback ( struct auth_zone *  z,
char *  fallbackstr 
)

set auth zone fallback.

Caller must have lock on zone. fallbackstr is "yes" or "no"; returns false on parse failure.

caller must have lock on zone

References auth_zone::fallback_enabled, and log_err().

◆ auth_zones_can_fallback()

int auth_zones_can_fallback ( struct auth_zones *  az,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

see if the auth zone for the name can fallback

Parameters
az: auth zones
nm: name of delegation point.
nmlen: length of nm.
dclass: class of zone to look for.
Returns
true if fallback_enabled is true, false if not. If the zone does not exist, fallback is true (more lenient); also true if the zone does not do upstream requests.

References auth_zone_find(), auth_zone::dclass, auth_zone::fallback_enabled, auth_zone::for_upstream, auth_zones::lock, and auth_zone::lock.

◆ auth_zones_notify()

int auth_zones_notify ( struct auth_zones *  az,
struct module_env *  env,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass,
struct sockaddr_storage *  addr,
socklen_t  addrlen,
int  has_serial,
uint32_t  serial,
int *  refused 
)

process notify for auth zones.

First checks the access list, then processes the notify. This starts the probe sequence or notes the serial number (if any).

Parameters
az: auth zones structure.
env: module env of the worker that is handling the notify. It will pick up the task probe (or transfer), unless already in progress by another worker.
nm: name of the zone. Uncompressed, from the query.
nmlen: length of name.
dclass: class of zone.
addr: source address of the notify.
addrlen: length of addr.
has_serial: if true, the notify has a serial attached.
serial: the serial number, if has_serial is true.
refused: set to true on failure to indicate that access was refused (by the access list).
Returns
false on failures (refused is false) and when access is denied (refused is true); true when processed.

References auth_xfer_find(), az_xfr_allowed_notify(), auth_zones::lock, auth_xfer::lock, and xfr_process_notify().

◆ auth_zone_parse_notify_serial()

int auth_zone_parse_notify_serial ( struct sldns_buffer *  pkt,
uint32_t *  serial 
)

process notify packet and read serial number from SOA.

Returns 0 if there is no SOA record in the notify.

References query_info_parse(), and sldns_buffer_set_position().

◆ auth_zones_startprobesequence()

int auth_zones_startprobesequence ( struct auth_zones *  az,
struct module_env *  env,
uint8_t *  nm,
size_t  nmlen,
uint16_t  dclass 
)

for the zone and if not already going, starts the probe sequence.

Returns false if the zone cannot be found. This is as if a notify arrived and was accepted for that zone.

References auth_xfer_find(), auth_xfer::dclass, auth_zones::lock, auth_xfer::lock, and xfr_process_notify().

Referenced by do_auth_zone_transfer().

◆ auth_zone_read_zonefile()

◆ auth_zone_get_soa_rrset()

struct auth_rrset* auth_zone_get_soa_rrset ( struct auth_zone *  z)

find the apex SOA RRset, if it exists.

NULL if no SOA RRset.

find the apex SOA RRset, if it exists.

References az_domain_rrset(), az_find_name(), LDNS_RR_TYPE_SOA, auth_zone::name, and auth_zone::namelen.

Referenced by rpz_add_soa().

◆ auth_zone_get_serial()

int auth_zone_get_serial ( struct auth_zone *  z,
uint32_t *  serial 
)

find serial number of zone or false if none (no SOA record)

find serial number of zone or false if none (no SOA record)

References az_domain_rrset(), az_find_name(), packed_rrset_data::count, auth_rrset::data, LDNS_RR_TYPE_SOA, auth_zone::name, auth_zone::namelen, and packed_rrset_data::rr_len.

Referenced by auth_zone_zonemd_check_hash(), and do_list_auth_zones().

◆ auth_xfer_create()

struct auth_xfer* auth_xfer_create ( struct auth_zones *  az,
struct auth_zone *  z 
)

Create auth_xfer structure.

Caller must have wrlock on az. Returns locked xfer zone.

Parameters
az: zones structure.
z: zone with name and class
Returns
xfer zone or NULL

This populates the have_zone flag, the SOA values, and the timing values, and sets the timeout; if a zone transfer is needed a short timeout is set. For that the auth_zone itself must exist (and have its zonefile read in). Returns false on alloc failure.

References auth_xfer_new(), log_err(), auth_xfer::node, rbtree_insert(), and auth_zones::xtree.

Referenced by auth_zones_find_or_add_xfer().

◆ xfer_set_masters()

int xfer_set_masters ( struct auth_master **  list,
struct config_auth *  c,
int  with_http 
)

Set masters in auth xfer structure from config.

Parameters
list: pointer to the start of the list. The malloced list is returned here.
c: the config items to copy over.
with_http: if true, http urls are also included, before the masters.
Returns
false on failure.

References auth_master::allow_notify, config_auth::allow_notify, auth_master_new(), auth_master::file, auth_master::host, auth_master::http, auth_master::ixfr, log_err(), config_auth::masters, config_strlist::next, parse_url(), auth_master::port, auth_master::ssl, config_strlist::str, and config_auth::urls.

◆ auth_xfer_probe_udp_callback()

◆ auth_xfer_probe_timer_callback()

◆ auth_xfer_transfer_timer_callback()

◆ auth_zone_generate_zonemd_hash()

int auth_zone_generate_zonemd_hash ( struct auth_zone *  z,
int  scheme,
int  hashalgo,
uint8_t *  hash,
size_t  buflen,
size_t *  resultlen,
struct regional *  region,
struct sldns_buffer *  buf,
char **  reason 
)

Generate ZONEMD digest for the auth zone.

Parameters
z: the auth zone to digest. Omits the ZONEMD at the apex and its RRSIG from the digest.
scheme: the collation scheme to use. Numbers as defined for ZONEMD.
hashalgo: the hash algorithm, from the registry defined for the ZONEMD type.
hash: the result buffer.
buflen: size of the result buffer; must be large enough, or the routine fails.
resultlen: size of the hash written to the result buffer.
region: temp region for allocations during canonicalisation.
buf: temp buffer during canonicalisation.
reason: failure reason, returns a string; NULL on success.
Returns
false on failure.

References secalgo_hash_delete(), zonemd_digest_finish(), zonemd_digest_init(), ZONEMD_SCHEME_SIMPLE, and zonemd_simple_collate().

Referenced by auth_zone_generate_zonemd_check(), and zonemd_generate_test().

◆ auth_zone_generate_zonemd_check()

int auth_zone_generate_zonemd_check ( struct auth_zone *  z,
int  scheme,
int  hashalgo,
uint8_t *  hash,
size_t  hashlen,
struct regional *  region,
struct sldns_buffer *  buf,
char **  reason 
)

Check ZONEMD digest for the auth zone.

Parameters
z: auth zone to digest.
scheme: zonemd scheme.
hashalgo: zonemd hash algorithm.
hash: the hash to check.
hashlen: length of the hash buffer.
region: temp region for allocations during canonicalisation.
buf: temp buffer during canonicalisation.
reason: string returned with the failure reason. If the hash cannot be checked but this is allowed (for unknown algorithms), the routine returns success and reason is non-NULL, holding the allowance reason.
Returns
false on failure.

References auth_zone_generate_zonemd_hash(), log_hex(), VERB_ALGO, verbose(), verbosity, zonemd_hashalgo_supported(), and zonemd_scheme_supported().

◆ auth_zone_verify_zonemd()

void auth_zone_verify_zonemd ( struct auth_zone *  z,
struct module_env *  env,
struct module_stack *  mods,
char **  result,
int  offline,
int  only_online 
)

Perform ZONEMD checks and verification for the auth zone.

This includes DNSSEC verification if applicable.

Parameters
z: auth zone to check. Caller holds the lock (wrlock).
env: with temp region, buffer and config.
mods: module stack for validator env.
result: if not NULL, the result string is strdupped into here.
offline: if true, no lookup is spawned when an online lookup is needed; those zones are skipped for ZONEMD checking.
only_online: if true, only ZONEMD records that need an online lookup of the DNSKEY chain of trust are processed.

References module_env::anchors, anchors_lookup(), auth_zone_verify_zonemd_with_key(), auth_zone_zonemd_fail(), rbtree_type::count, auth_zone::data, auth_zone::dclass, trust_anchor::lock, auth_zone::name, trust_anchor::name, auth_zone::namelen, trust_anchor::numDNSKEY, trust_anchor::numDS, query_dname_compare(), regional_free_all(), module_env::scratch, auth_zone::zonemd_check, zonemd_get_dnskey_from_anchor(), and zonemd_lookup_dnskey().

Referenced by auth_zones_pickup_zonemd_verify(), do_auth_zone_reload(), xfr_process_chunk_list(), and zonemd_offline_verify().

◆ auth_zones_pickup_zonemd_verify()

void auth_zones_pickup_zonemd_verify ( struct auth_zones *  az,
struct module_env *  env 
)

Check the ZONEMD records that need online DNSSEC chain lookups, for them spawn the lookup process to get it checked out.

Attaches the lookup process to the worker event base and mesh state.

Parameters
az: auth zones; every zone is checked.
env: env of the worker where the task is attached.

References auth_zone_verify_zonemd(), auth_zone::dclass, rbnode_type::key, auth_zones::lock, auth_zone::lock, log_err(), module_env::mesh, mesh_area::mods, auth_zone::name, auth_zone::namelabs, auth_zone::namelen, auth_zone::node, RBTREE_FOR, rbtree_search(), auth_zone::zonemd_check, and auth_zones::ztree.