static isc_stdtime_t
setresign(dns_rdataset_t *modified) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t sig;
isc_stdtime_t when;
isc_result_t result;
result = dns_rdataset_first(modified);
INSIST(result == ISC_R_SUCCESS);
dns_rdataset_current(modified, &rdata);
(void)dns_rdata_tostruct(&rdata, &sig, NULL);
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
when = 0;
else
when = sig.timeexpire;
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(modified, &rdata);
(void)dns_rdata_tostruct(&rdata, &sig, NULL);
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
goto next_rr;
}
if (when == 0 || sig.timeexpire < when)
when = sig.timeexpire;
next_rr:
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
}
INSIST(result == ISC_R_NOMORE);
return (when);
}
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
dns_additionaldatafunc_t add, void *arg)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
/*
* For each rdata in rdataset, call 'add' for each name and type in the
* rdata which is subject to additional section processing.
*/
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
do {
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_additionaldata(&rdata, add, arg);
if (result == ISC_R_SUCCESS)
result = dns_rdataset_next(rdataset);
dns_rdata_reset(&rdata);
} while (result == ISC_R_SUCCESS);
if (result != ISC_R_NOMORE)
return (result);
return (ISC_R_SUCCESS);
}
/*
* Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
* contains an rdata identical to 'rdata'. This does case insensitive
* comparisons per DNSSEC.
*/
static inline isc_boolean_t
rdata_in_slab(unsigned char *slab, unsigned int reservelen,
dns_rdataclass_t rdclass, dns_rdatatype_t type,
dns_rdata_t *rdata)
{
unsigned int count, i;
unsigned char *current;
dns_rdata_t trdata = DNS_RDATA_INIT;
int n;
current = slab + reservelen;
count = *current++ * 256;
count += *current++;
#if DNS_RDATASET_FIXED
current += (4 * count);
#endif
for (i = 0; i < count; i++) {
rdata_from_slab(¤t, rdclass, type, &trdata);
n = dns_rdata_compare(&trdata, rdata);
if (n == 0)
return (ISC_TRUE);
if (n > 0) /* In DNSSEC order. */
break;
dns_rdata_reset(&trdata);
}
return (ISC_FALSE);
}
static isc_result_t
fill_array(int *pos, dns_rdataset_t *rdataset,
int size, unsigned char **rdatas, lwres_uint16_t *rdatalen)
{
dns_rdata_t rdata;
isc_result_t result;
isc_region_t r;
UNUSED(size);
dns_rdata_init(&rdata);
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset))
{
INSIST(*pos < size);
dns_rdataset_current(rdataset, &rdata);
dns_rdata_toregion(&rdata, &r);
rdatas[*pos] = r.base;
rdatalen[*pos] = r.length;
dns_rdata_reset(&rdata);
(*pos)++;
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
return (result);
}
static void
db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
isc_uint32_t *ttl, dns_rdata_t **rdata)
{
REQUIRE(name != NULL && *name == NULL);
REQUIRE(it->result == ISC_R_SUCCESS);
*name = dns_fixedname_name(&it->fixedname);
*ttl = it->rdataset.ttl;
dns_rdata_reset(&it->rdata);
dns_rdataset_current(&it->rdataset, &it->rdata);
*rdata = &it->rdata;
}
static void
parse_rdata(isc_mem_t *mctx, char **cmdlinep, dns_rdataclass_t rdataclass,
dns_rdatatype_t rdatatype, dns_rdata_t *rdata)
{
char *cmdline = *cmdlinep;
isc_buffer_t source, *buf = NULL, *newbuf = NULL;
isc_region_t r;
isc_lex_t *lex = NULL;
dns_rdatacallbacks_t callbacks;
isc_result_t result;
while (cmdline != NULL && *cmdline != 0 &&
isspace((unsigned char)*cmdline))
cmdline++;
if (cmdline != NULL && *cmdline != 0) {
dns_rdatacallbacks_init(&callbacks);
result = isc_lex_create(mctx, strlen(cmdline), &lex);
check_result(result, "isc_lex_create");
isc_buffer_init(&source, cmdline, strlen(cmdline));
isc_buffer_add(&source, strlen(cmdline));
result = isc_lex_openbuffer(lex, &source);
check_result(result, "isc_lex_openbuffer");
result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
check_result(result, "isc_buffer_allocate");
result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
dns_rootname, 0, mctx, buf,
&callbacks);
isc_lex_destroy(&lex);
if (result == ISC_R_SUCCESS) {
isc_buffer_usedregion(buf, &r);
result = isc_buffer_allocate(mctx, &newbuf, r.length);
check_result(result, "isc_buffer_allocate");
isc_buffer_putmem(newbuf, r.base, r.length);
isc_buffer_usedregion(newbuf, &r);
dns_rdata_reset(rdata);
dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
isc_buffer_free(&buf);
ISC_LIST_APPEND(usedbuffers, newbuf, link);
} else {
fprintf(stderr, "invalid rdata format: %s\n",
isc_result_totext(result));
isc_buffer_free(&buf);
exit(1);
}
} else {
rdata->flags = DNS_RDATA_UPDATE;
}
*cmdlinep = cmdline;
}
static isc_boolean_t
inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
isc_result_t result;
dns_rdata_t current = DNS_RDATA_INIT;
result = dns_rdataset_first(rrset);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(rrset, ¤t);
if (dns_rdata_compare(rdata, ¤t) == 0)
return (ISC_TRUE);
dns_rdata_reset(¤t);
result = dns_rdataset_next(rrset);
}
return (ISC_FALSE);
}
/*%
* short_form message print handler. Calls above say_message()
*/
static isc_result_t
short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
isc_buffer_t *buf, dig_query_t *query)
{
dns_name_t *name;
dns_rdataset_t *rdataset;
isc_result_t result, loopresult;
dns_name_t empty_name;
dns_rdata_t rdata = DNS_RDATA_INIT;
UNUSED(flags);
dns_name_init(&empty_name, NULL);
result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
result = say_message(&rdata, query,
buf);
if (result == ISC_R_NOSPACE)
return (result);
check_result(result, "say_message");
loopresult = dns_rdataset_next(rdataset);
dns_rdata_reset(&rdata);
}
}
result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS)
return (result);
}
return (ISC_R_SUCCESS);
}
static inline isc_result_t
copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
isc_result_t result;
unsigned int count;
isc_region_t ar, r;
dns_rdata_t rdata = DNS_RDATA_INIT;
/*
* Copy the rdataset count to the buffer.
*/
isc_buffer_availableregion(buffer, &ar);
if (ar.length < 2)
return (ISC_R_NOSPACE);
count = dns_rdataset_count(rdataset);
INSIST(count <= 65535);
isc_buffer_putuint16(buffer, (isc_uint16_t)count);
result = dns_rdataset_first(rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
dns_rdata_toregion(&rdata, &r);
INSIST(r.length <= 65535);
isc_buffer_availableregion(buffer, &ar);
if (ar.length < 2)
return (ISC_R_NOSPACE);
/*
* Copy the rdata length to the buffer.
*/
isc_buffer_putuint16(buffer, (isc_uint16_t)r.length);
/*
* Copy the rdata to the buffer.
*/
result = isc_buffer_copyregion(buffer, &r);
if (result != ISC_R_SUCCESS)
return (result);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
}
if (result != ISC_R_NOMORE)
return (result);
return (ISC_R_SUCCESS);
}
void
dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
isc_uint32_t *ttl, dns_rdataset_t **rdataset,
dns_rdata_t **rdata)
{
REQUIRE(name != NULL && *name == NULL);
REQUIRE(VALID_RRITERATOR(it));
REQUIRE(it->result == ISC_R_SUCCESS);
REQUIRE(rdataset == NULL || *rdataset == NULL);
REQUIRE(rdata == NULL || *rdata == NULL);
*name = dns_fixedname_name(&it->fixedname);
*ttl = it->rdataset.ttl;
dns_rdata_reset(&it->rdata);
dns_rdataset_current(&it->rdataset, &it->rdata);
if (rdataset != NULL)
*rdataset = &it->rdataset;
if (rdata != NULL)
*rdata = &it->rdata;
}
static isc_result_t
in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_ns_t ns;
if (!dns_rdataset_isassociated(rootns))
return (ISC_R_NOTFOUND);
result = dns_rdataset_first(rootns);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(rootns, &rdata);
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (dns_name_compare(name, &ns.name) == 0)
return (ISC_R_SUCCESS);
result = dns_rdataset_next(rootns);
dns_rdata_reset(&rdata);
}
if (result == ISC_R_NOMORE)
result = ISC_R_NOTFOUND;
return (result);
}
static void
chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
isc_result_t result;
dns_rdataset_t *rdataset;
dns_rdata_cname_t cname;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL, &rdataset);
if (result != ISC_R_SUCCESS)
return;
result = dns_rdataset_first(rdataset);
check_result(result, "dns_rdataset_first");
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname, NULL);
dns_rdata_freestruct(&cname);
}
}
isc_result_t
dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
dns_rdatatype_t type, dns_rdataset_t *rdataset)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t remaining;
isc_buffer_t source;
dns_name_t tname;
dns_rdatatype_t ttype;
dns_trust_t trust = dns_trust_none;
dns_rdataset_t clone;
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
REQUIRE(type != dns_rdatatype_rrsig);
dns_rdataset_init(&clone);
dns_rdataset_clone(ncacherdataset, &clone);
result = dns_rdataset_first(&clone);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(&clone, &rdata);
isc_buffer_init(&source, rdata.data, rdata.length);
isc_buffer_add(&source, rdata.length);
dns_name_init(&tname, NULL);
isc_buffer_remainingregion(&source, &remaining);
dns_name_fromregion(&tname, &remaining);
INSIST(remaining.length >= tname.length);
isc_buffer_forward(&source, tname.length);
remaining.length -= tname.length;
INSIST(remaining.length >= 3);
ttype = isc_buffer_getuint16(&source);
if (ttype == type && dns_name_equal(&tname, name)) {
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
isc_buffer_remainingregion(&source, &remaining);
break;
}
result = dns_rdataset_next(&clone);
dns_rdata_reset(&rdata);
}
dns_rdataset_disassociate(&clone);
if (result == ISC_R_NOMORE)
return (ISC_R_NOTFOUND);
if (result != ISC_R_SUCCESS)
return (result);
INSIST(remaining.length != 0);
rdataset->methods = &rdataset_methods;
rdataset->rdclass = ncacherdataset->rdclass;
rdataset->type = type;
rdataset->covers = 0;
rdataset->ttl = ncacherdataset->ttl;
rdataset->trust = trust;
rdataset->private1 = NULL;
rdataset->private2 = NULL;
rdataset->private3 = remaining.base;
/*
* Reset iterator state.
*/
rdataset->privateuint4 = 0;
rdataset->private5 = NULL;
rdataset->private6 = NULL;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
isc_buffer_t *target, unsigned int options,
unsigned int *countp)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
isc_region_t remaining, tavailable;
isc_buffer_t source, savedbuffer, rdlen;
dns_name_t name;
dns_rdatatype_t type;
unsigned int i, rcount, count;
/*
* Convert the negative caching rdataset 'rdataset' to wire format,
* compressing names as specified in 'cctx', and storing the result in
* 'target'.
*/
REQUIRE(rdataset != NULL);
REQUIRE(rdataset->type == 0);
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
savedbuffer = *target;
count = 0;
result = dns_rdataset_first(rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
isc_buffer_init(&source, rdata.data, rdata.length);
isc_buffer_add(&source, rdata.length);
dns_name_init(&name, NULL);
isc_buffer_remainingregion(&source, &remaining);
dns_name_fromregion(&name, &remaining);
INSIST(remaining.length >= name.length);
isc_buffer_forward(&source, name.length);
remaining.length -= name.length;
INSIST(remaining.length >= 5);
type = isc_buffer_getuint16(&source);
isc_buffer_forward(&source, 1);
rcount = isc_buffer_getuint16(&source);
for (i = 0; i < rcount; i++) {
/*
* Get the length of this rdata and set up an
* rdata structure for it.
*/
isc_buffer_remainingregion(&source, &remaining);
INSIST(remaining.length >= 2);
dns_rdata_reset(&rdata);
rdata.length = isc_buffer_getuint16(&source);
isc_buffer_remainingregion(&source, &remaining);
rdata.data = remaining.base;
rdata.type = type;
rdata.rdclass = rdataset->rdclass;
INSIST(remaining.length >= rdata.length);
isc_buffer_forward(&source, rdata.length);
if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
dns_rdatatype_isdnssec(type))
continue;
/*
* Write the name.
*/
dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
result = dns_name_towire(&name, cctx, target);
if (result != ISC_R_SUCCESS)
goto rollback;
/*
* See if we have space for type, class, ttl, and
* rdata length. Write the type, class, and ttl.
*/
isc_buffer_availableregion(target, &tavailable);
if (tavailable.length < 10) {
result = ISC_R_NOSPACE;
goto rollback;
}
isc_buffer_putuint16(target, type);
isc_buffer_putuint16(target, rdataset->rdclass);
isc_buffer_putuint32(target, rdataset->ttl);
/*
* Save space for rdata length.
*/
rdlen = *target;
isc_buffer_add(target, 2);
/*
* Write the rdata.
*/
result = dns_rdata_towire(&rdata, cctx, target);
if (result != ISC_R_SUCCESS)
goto rollback;
/*
* Set the rdata length field to the compressed
* length.
*/
INSIST((target->used >= rdlen.used + 2) &&
(target->used - rdlen.used - 2 < 65536));
isc_buffer_putuint16(&rdlen,
(isc_uint16_t)(target->used -
rdlen.used - 2));
count++;
}
INSIST(isc_buffer_remaininglength(&source) == 0);
result = dns_rdataset_next(rdataset);
dns_rdata_reset(&rdata);
}
if (result != ISC_R_NOMORE)
goto rollback;
*countp = count;
return (ISC_R_SUCCESS);
rollback:
INSIST(savedbuffer.used < 65536);
dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
*countp = 0;
*target = savedbuffer;
return (result);
}
void
dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_ns_t ns;
dns_rdataset_t hintns, rootns;
const char *viewname = "", *sep = "";
isc_stdtime_t now;
dns_name_t *name;
dns_fixedname_t fixed;
REQUIRE(hints != NULL);
REQUIRE(db != NULL);
REQUIRE(view != NULL);
isc_stdtime_get(&now);
if (strcmp(view->name, "_bind") != 0 &&
strcmp(view->name, "_default") != 0) {
viewname = view->name;
sep = ": view ";
}
dns_rdataset_init(&hintns);
dns_rdataset_init(&rootns);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
now, NULL, name, &hintns, NULL);
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
"checkhints%s%s: unable to get root NS rrset "
"from hints: %s", sep, viewname,
dns_result_totext(result));
goto cleanup;
}
result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
now, NULL, name, &rootns, NULL);
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
"checkhints%s%s: unable to get root NS rrset "
"from cache: %s", sep, viewname,
dns_result_totext(result));
goto cleanup;
}
/*
* Look for missing root NS names.
*/
result = dns_rdataset_first(&rootns);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(&rootns, &rdata);
result = dns_rdata_tostruct(&rdata, &ns, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = in_rootns(&hintns, &ns.name);
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
/* missing from hints */
dns_name_format(&ns.name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
"checkhints%s%s: unable to find root "
"NS '%s' in hints", sep, viewname,
namebuf);
} else
check_address_records(view, hints, db, &ns.name, now);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rootns);
}
if (result != ISC_R_NOMORE) {
goto cleanup;
}
/*
* Look for extra root NS names.
*/
result = dns_rdataset_first(&hintns);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(&hintns, &rdata);
result = dns_rdata_tostruct(&rdata, &ns, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = in_rootns(&rootns, &ns.name);
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
/* extra entry in hints */
dns_name_format(&ns.name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
"checkhints%s%s: extra NS '%s' in hints",
sep, viewname, namebuf);
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&hintns);
}
if (result != ISC_R_NOMORE) {
goto cleanup;
}
cleanup:
if (dns_rdataset_isassociated(&rootns))
dns_rdataset_disassociate(&rootns);
if (dns_rdataset_isassociated(&hintns))
dns_rdataset_disassociate(&hintns);
}
static void
check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
dns_name_t *name, isc_stdtime_t now)
{
isc_result_t hresult, rresult, result;
dns_rdataset_t hintrrset, rootrrset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_name_t *foundname;
dns_fixedname_t fixed;
dns_rdataset_init(&hintrrset);
dns_rdataset_init(&rootrrset);
dns_fixedname_init(&fixed);
foundname = dns_fixedname_name(&fixed);
hresult = dns_db_find(hints, name, NULL, dns_rdatatype_a, 0,
now, NULL, foundname, &hintrrset, NULL);
rresult = dns_db_find(db, name, NULL, dns_rdatatype_a,
DNS_DBFIND_GLUEOK, now, NULL, foundname,
&rootrrset, NULL);
if (hresult == ISC_R_SUCCESS &&
(rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
result = dns_rdataset_first(&rootrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&rootrrset, &rdata);
if (!inrrset(&hintrrset, &rdata))
report(view, name, ISC_TRUE, &rdata);
result = dns_rdataset_next(&rootrrset);
}
result = dns_rdataset_first(&hintrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&hintrrset, &rdata);
if (!inrrset(&rootrrset, &rdata))
report(view, name, ISC_FALSE, &rdata);
result = dns_rdataset_next(&hintrrset);
}
}
if (hresult == ISC_R_NOTFOUND &&
(rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
result = dns_rdataset_first(&rootrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&rootrrset, &rdata);
report(view, name, ISC_TRUE, &rdata);
result = dns_rdataset_next(&rootrrset);
}
}
if (dns_rdataset_isassociated(&rootrrset))
dns_rdataset_disassociate(&rootrrset);
if (dns_rdataset_isassociated(&hintrrset))
dns_rdataset_disassociate(&hintrrset);
/*
* Check AAAA records.
*/
hresult = dns_db_find(hints, name, NULL, dns_rdatatype_aaaa, 0,
now, NULL, foundname, &hintrrset, NULL);
rresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
DNS_DBFIND_GLUEOK, now, NULL, foundname,
&rootrrset, NULL);
if (hresult == ISC_R_SUCCESS &&
(rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
result = dns_rdataset_first(&rootrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&rootrrset, &rdata);
if (!inrrset(&hintrrset, &rdata))
report(view, name, ISC_TRUE, &rdata);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rootrrset);
}
result = dns_rdataset_first(&hintrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&hintrrset, &rdata);
if (!inrrset(&rootrrset, &rdata))
report(view, name, ISC_FALSE, &rdata);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&hintrrset);
}
}
if (hresult == ISC_R_NOTFOUND &&
(rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
result = dns_rdataset_first(&rootrrset);
while (result == ISC_R_SUCCESS) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&rootrrset, &rdata);
report(view, name, ISC_TRUE, &rdata);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rootrrset);
}
}
if (dns_rdataset_isassociated(&rootrrset))
dns_rdataset_disassociate(&rootrrset);
if (dns_rdataset_isassociated(&hintrrset))
dns_rdataset_disassociate(&hintrrset);
}
static isc_result_t
printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
UNUSED(headers);
debug("printsection()");
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, section,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
if (section != DNS_SECTION_ANSWER)
goto def_short_section;
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("Name:\t%s\n", namebuf);
printa(&rdata);
break;
case dns_rdatatype_soa:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\n", namebuf);
printsoa(&rdata);
break;
default:
def_short_section:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\t", namebuf);
printrdata(&rdata);
break;
}
dns_rdata_reset(&rdata);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS) {
return (result);
}
}
return (ISC_R_SUCCESS);
}
static isc_result_t
detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
debug("detailsection()");
if (headers) {
switch (section) {
case DNS_SECTION_QUESTION:
puts(" QUESTIONS:");
break;
case DNS_SECTION_ANSWER:
puts(" ANSWERS:");
break;
case DNS_SECTION_AUTHORITY:
puts(" AUTHORITY RECORDS:");
break;
case DNS_SECTION_ADDITIONAL:
puts(" ADDITIONAL RECORDS:");
break;
}
}
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, section,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if (section == DNS_SECTION_QUESTION) {
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("\t%s, ", namebuf);
dns_rdatatype_format(rdataset->type,
namebuf,
sizeof(namebuf));
printf("type = %s, ", namebuf);
dns_rdataclass_format(rdataset->rdclass,
namebuf,
sizeof(namebuf));
printf("class = %s\n", namebuf);
}
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
dns_name_format(name, namebuf,
sizeof(namebuf));
printf(" -> %s\n", namebuf);
switch (rdata.type) {
case dns_rdatatype_soa:
printsoa(&rdata);
break;
default:
printf("\t");
printrdata(&rdata);
}
dns_rdata_reset(&rdata);
printf("\tttl = %u\n", rdataset->ttl);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS) {
return (result);
}
}
return (ISC_R_SUCCESS);
}
ATF_TC_BODY(isdn, tc) {
struct {
unsigned char data[64];
size_t len;
isc_boolean_t ok;
} test_data[] = {
{
/* "" */
{ 0x00 }, 1, ISC_TRUE
},
{
/* "\001" */
{ 0x1, 0x01 }, 2, ISC_TRUE
},
{
/* "\001" "" */
{ 0x1, 0x01, 0x00 }, 3, ISC_TRUE
},
{
/* "\000" "\001" */
{ 0x1, 0x01, 0x01, 0x01 }, 4, ISC_TRUE
},
{
/* sentinal */
{ 0x00 }, 0, ISC_FALSE
}
};
unsigned char buf1[1024];
unsigned char buf2[1024];
isc_buffer_t source, target1, target2;
dns_rdata_t rdata;
dns_decompress_t dctx;
isc_result_t result;
size_t i;
dns_rdata_isdn_t isdn;
UNUSED(tc);
for (i = 0; test_data[i].len != 0; i++) {
isc_buffer_init(&source, test_data[i].data, test_data[i].len);
isc_buffer_add(&source, test_data[i].len);
isc_buffer_setactive(&source, test_data[i].len);
isc_buffer_init(&target1, buf1, sizeof(buf1));
dns_rdata_init(&rdata);
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
result = dns_rdata_fromwire(&rdata, dns_rdataclass_in,
dns_rdatatype_isdn, &source,
&dctx, 0, &target1);
dns_decompress_invalidate(&dctx);
if (test_data[i].ok)
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
else
ATF_REQUIRE(result != ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
continue;
result = dns_rdata_tostruct(&rdata, &isdn, NULL);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_buffer_init(&target2, buf2, sizeof(buf2));
dns_rdata_reset(&rdata);
result = dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
dns_rdatatype_isdn, &isdn,
&target2);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE_EQ(isc_buffer_usedlength(&target2),
test_data[i].len);
ATF_REQUIRE_EQ(memcmp(buf2, test_data[i].data,
test_data[i].len), 0);
}
}
int
main (int *argc, char **argv)
{
isc_mem_t *mctx = NULL;
isc_entropy_t *ectx = NULL;
isc_result_t result;
char *basedn;
ldap_info *tmp;
LDAPMod *base_attrs[2];
LDAPMod base;
isc_buffer_t buff;
char *zonefile;
char fullbasedn[1024];
char *ctmp;
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdatasetiter_t *riter;
dns_name_t *zone, *name;
dns_db_t *db = NULL;
dns_dbiterator_t *dbit = NULL;
dns_dbnode_t *node;
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
int topt;
if ((int) argc < 2)
{
usage ();
exit (-1);
}
while ((topt = getopt ((int) argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
{
switch (topt)
{
case 'v':
printf("%s\n", VERSION);
exit(0);
case 'c':
create_base++;
break;
case 'd':
debug++;
break;
case 'D':
binddn = strdup (optarg);
break;
case 'w':
bindpw = strdup (optarg);
break;
case 'b':
ldapbase = strdup (optarg);
break;
case 'z':
argzone = strdup (optarg);
// We wipe argzone all to hell when we parse it for the DN */
gbl_zone = strdup(argzone);
break;
case 'f':
zonefile = strdup (optarg);
break;
case 'h':
ldapsystem = strdup (optarg);
break;
case '?':
default:
usage ();
exit (0);
}
}
if ((argzone == NULL) || (zonefile == NULL))
{
usage ();
exit (-1);
}
if (debug)
printf ("Initializing ISC Routines, parsing zone file\n");
result = isc_mem_create (0, 0, &mctx);
isc_result_check (result, "isc_mem_create");
result = isc_entropy_create(mctx, &ectx);
isc_result_check (result, "isc_entropy_create");
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
isc_result_check (result, "isc_hash_create");
isc_buffer_init (&buff, argzone, strlen (argzone));
isc_buffer_add (&buff, strlen (argzone));
dns_fixedname_init (&fixedzone);
zone = dns_fixedname_name (&fixedzone);
result = dns_name_fromtext (zone, &buff, dns_rootname, 0, NULL);
isc_result_check (result, "dns_name_fromtext");
result = dns_db_create (mctx, "rbt", zone, dns_dbtype_zone,
dns_rdataclass_in, 0, NULL, &db);
isc_result_check (result, "dns_db_create");
result = dns_db_load (db, zonefile);
isc_result_check (result, "Check Zone Syntax: dns_db_load");
result = dns_db_createiterator (db, 0, &dbit);
isc_result_check (result, "dns_db_createiterator");
result = dns_dbiterator_first (dbit);
isc_result_check (result, "dns_dbiterator_first");
dns_fixedname_init (&fixedname);
name = dns_fixedname_name (&fixedname);
dns_rdataset_init (&rdataset);
dns_rdata_init (&rdata);
while (result == ISC_R_SUCCESS)
{
node = NULL;
result = dns_dbiterator_current (dbit, &node, name);
if (result == ISC_R_NOMORE)
break;
isc_result_check (result, "dns_dbiterator_current");
riter = NULL;
result = dns_db_allrdatasets (db, node, NULL, 0, &riter);
isc_result_check (result, "dns_db_allrdatasets");
result = dns_rdatasetiter_first (riter);
//isc_result_check(result, "dns_rdatasetiter_first");
while (result == ISC_R_SUCCESS)
{
dns_rdatasetiter_current (riter, &rdataset);
result = dns_rdataset_first (&rdataset);
isc_result_check (result, "dns_rdatasetiter_current");
while (result == ISC_R_SUCCESS)
{
dns_rdataset_current (&rdataset, &rdata);
generate_ldap (name, &rdata, rdataset.ttl);
dns_rdata_reset (&rdata);
result = dns_rdataset_next (&rdataset);
}
dns_rdataset_disassociate (&rdataset);
result = dns_rdatasetiter_next (riter);
}
dns_rdatasetiter_destroy (&riter);
result = dns_dbiterator_next (dbit);
}
/* Initialize the LDAP Connection */
if (debug)
printf ("Initializing LDAP Connection to %s as %s\n", ldapsystem, binddn);
init_ldap_conn ();
if (create_base)
{
if (debug)
printf ("Creating base zone DN %s\n", argzone);
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
{
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
base.mod_op = LDAP_MOD_ADD;
base.mod_type = "objectClass";
base.mod_values = topObjectClasses;
base_attrs[0] = &base;
base_attrs[1] = NULL;
if (ldapbase)
{
if (ctmp != &basedn[0])
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
else
sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
}
else
{
if (ctmp != &basedn[0])
sprintf (fullbasedn, "%s", ctmp + 1);
else
sprintf (fullbasedn, "%s", ctmp);
}
result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
}
}
}
else
{
if (debug)
printf ("Skipping zone base dn creation for %s\n", argzone);
}
for (tmp = ldap_info_base; tmp != NULL; tmp = tmp->next)
{
if (debug)
printf ("Adding DN: %s\n", tmp->dn);
add_ldap_values (tmp);
}
if (debug)
printf("Operation Complete.\n");
/* Cleanup */
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
if (zonefile)
free(zonefile);
return 0;
}
isc_result_t
dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
dns_rdatatype_t covers, dns_rdataset_t *rdataset)
{
dns_name_t tname;
dns_rdata_rrsig_t rrsig;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t clone;
dns_rdatatype_t type;
dns_trust_t trust = dns_trust_none;
isc_buffer_t source;
isc_region_t remaining, sigregion;
isc_result_t result;
unsigned char *raw;
unsigned int count;
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
dns_rdataset_init(&clone);
dns_rdataset_clone(ncacherdataset, &clone);
result = dns_rdataset_first(&clone);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(&clone, &rdata);
isc_buffer_init(&source, rdata.data, rdata.length);
isc_buffer_add(&source, rdata.length);
dns_name_init(&tname, NULL);
isc_buffer_remainingregion(&source, &remaining);
dns_name_fromregion(&tname, &remaining);
INSIST(remaining.length >= tname.length);
isc_buffer_forward(&source, tname.length);
isc_region_consume(&remaining, tname.length);
INSIST(remaining.length >= 2);
type = isc_buffer_getuint16(&source);
isc_region_consume(&remaining, 2);
if (type != dns_rdatatype_rrsig ||
!dns_name_equal(&tname, name)) {
result = dns_rdataset_next(&clone);
dns_rdata_reset(&rdata);
continue;
}
INSIST(remaining.length >= 1);
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
isc_region_consume(&remaining, 1);
raw = remaining.base;
count = raw[0] * 256 + raw[1];
INSIST(count > 0);
raw += 2;
sigregion.length = raw[0] * 256 + raw[1];
raw += 2;
sigregion.base = raw;
dns_rdata_reset(&rdata);
dns_rdata_fromregion(&rdata, rdataset->rdclass,
dns_rdatatype_rrsig, &sigregion);
(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
if (rrsig.covered == covers) {
isc_buffer_remainingregion(&source, &remaining);
break;
}
result = dns_rdataset_next(&clone);
dns_rdata_reset(&rdata);
}
dns_rdataset_disassociate(&clone);
if (result == ISC_R_NOMORE)
return (ISC_R_NOTFOUND);
if (result != ISC_R_SUCCESS)
return (result);
INSIST(remaining.length != 0);
rdataset->methods = &rdataset_methods;
rdataset->rdclass = ncacherdataset->rdclass;
rdataset->type = dns_rdatatype_rrsig;
rdataset->covers = covers;
rdataset->ttl = ncacherdataset->ttl;
rdataset->trust = trust;
rdataset->private1 = NULL;
rdataset->private2 = NULL;
rdataset->private3 = remaining.base;
/*
* Reset iterator state.
*/
rdataset->privateuint4 = 0;
rdataset->private5 = NULL;
rdataset->private6 = NULL;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dst_key_t *pubkey = NULL;
unsigned int count = 0;
REQUIRE(nkeys != NULL);
REQUIRE(keys != NULL);
*nkeys = 0;
dns_rdataset_init(&rdataset);
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
&rdataset, NULL));
RETERR(dns_rdataset_first(&rdataset));
while (result == ISC_R_SUCCESS && count < maxkeys) {
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto next;
keys[count] = NULL;
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory,
mctx, &keys[count]);
if (result == ISC_R_FILENOTFOUND) {
keys[count] = pubkey;
pubkey = NULL;
count++;
goto next;
}
if (result != ISC_R_SUCCESS)
goto failure;
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&keys[count]);
goto next;
}
count++;
next:
if (pubkey != NULL)
dst_key_free(&pubkey);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rdataset);
}
if (result != ISC_R_NOMORE)
goto failure;
if (count == 0)
result = ISC_R_NOTFOUND;
else
result = ISC_R_SUCCESS;
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (result != ISC_R_SUCCESS)
while (count > 0)
dst_key_free(&keys[--count]);
*nkeys = count;
return (result);
}
isc_result_t
dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
unsigned int reservelen, isc_mem_t *mctx,
dns_rdataclass_t rdclass, dns_rdatatype_t type,
unsigned int flags, unsigned char **tslabp)
{
unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data;
unsigned int ocount, ncount, count, olength, tlength, tcount, length;
dns_rdata_t ordata = DNS_RDATA_INIT;
dns_rdata_t nrdata = DNS_RDATA_INIT;
isc_boolean_t added_something = ISC_FALSE;
unsigned int oadded = 0;
unsigned int nadded = 0;
unsigned int nncount = 0;
#if DNS_RDATASET_FIXED
unsigned int oncount;
unsigned int norder = 0;
unsigned int oorder = 0;
unsigned char *offsetbase;
unsigned int *offsettable;
#endif
/*
* XXX Need parameter to allow "delete rdatasets in nslab" merge,
* or perhaps another merge routine for this purpose.
*/
REQUIRE(tslabp != NULL && *tslabp == NULL);
REQUIRE(oslab != NULL && nslab != NULL);
ocurrent = oslab + reservelen;
ocount = *ocurrent++ * 256;
ocount += *ocurrent++;
#if DNS_RDATASET_FIXED
ocurrent += (4 * ocount);
#endif
ostart = ocurrent;
ncurrent = nslab + reservelen;
ncount = *ncurrent++ * 256;
ncount += *ncurrent++;
#if DNS_RDATASET_FIXED
ncurrent += (4 * ncount);
#endif
INSIST(ocount > 0 && ncount > 0);
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif
/*
* Yes, this is inefficient!
*/
/*
* Figure out the length of the old slab's data.
*/
olength = 0;
for (count = 0; count < ocount; count++) {
length = *ocurrent++ * 256;
length += *ocurrent++;
#if DNS_RDATASET_FIXED
olength += length + 8;
ocurrent += length + 2;
#else
olength += length + 2;
ocurrent += length;
#endif
}
/*
* Start figuring out the target length and count.
*/
tlength = reservelen + 2 + olength;
tcount = ocount;
/*
* Add in the length of rdata in the new slab that aren't in
* the old slab.
*/
do {
dns_rdata_init(&nrdata);
rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
{
/*
* This rdata isn't in the old slab.
*/
#if DNS_RDATASET_FIXED
tlength += nrdata.length + 8;
#else
tlength += nrdata.length + 2;
#endif
if (type == dns_rdatatype_rrsig)
tlength++;
tcount++;
nncount++;
added_something = ISC_TRUE;
}
ncount--;
} while (ncount > 0);
ncount = nncount;
if (((flags & DNS_RDATASLAB_EXACT) != 0) &&
(tcount != ncount + ocount))
return (DNS_R_NOTEXACT);
if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0)
return (DNS_R_UNCHANGED);
/*
* Ensure that singleton types are actually singletons.
*/
if (tcount > 1 && dns_rdatatype_issingleton(type)) {
/*
* We have a singleton type, but there's more than one
* RR in the rdataset.
*/
return (DNS_R_SINGLETON);
}
if (tcount > 0xffff)
return (ISC_R_NOSPACE);
/*
* Copy the reserved area from the new slab.
*/
tstart = isc_mem_get(mctx, tlength);
if (tstart == NULL)
return (ISC_R_NOMEMORY);
memcpy(tstart, nslab, reservelen);
tcurrent = tstart + reservelen;
#if DNS_RDATASET_FIXED
offsetbase = tcurrent;
#endif
/*
* Write the new count.
*/
*tcurrent++ = (tcount & 0xff00) >> 8;
*tcurrent++ = (tcount & 0x00ff);
#if DNS_RDATASET_FIXED
/*
* Skip offset table.
*/
tcurrent += (tcount * 4);
offsettable = isc_mem_get(mctx,
(ocount + oncount) * sizeof(unsigned int));
if (offsettable == NULL) {
isc_mem_put(mctx, tstart, tlength);
return (ISC_R_NOMEMORY);
}
memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
#endif
/*
* Merge the two slabs.
*/
ocurrent = ostart;
INSIST(ocount != 0);
#if DNS_RDATASET_FIXED
oorder = ocurrent[2] * 256 + ocurrent[3];
INSIST(oorder < ocount);
#endif
rdata_from_slab(&ocurrent, rdclass, type, &ordata);
ncurrent = nslab + reservelen + 2;
#if DNS_RDATASET_FIXED
ncurrent += (4 * oncount);
#endif
if (ncount > 0) {
do {
dns_rdata_reset(&nrdata);
#if DNS_RDATASET_FIXED
norder = ncurrent[2] * 256 + ncurrent[3];
INSIST(norder < oncount);
#endif
rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
} while (rdata_in_slab(oslab, reservelen, rdclass,
type, &nrdata));
}
while (oadded < ocount || nadded < ncount) {
isc_boolean_t fromold;
if (oadded == ocount)
fromold = ISC_FALSE;
else if (nadded == ncount)
fromold = ISC_TRUE;
else
fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
if (fromold) {
#if DNS_RDATASET_FIXED
offsettable[oorder] = tcurrent - offsetbase;
#endif
length = ordata.length;
data = ordata.data;
if (type == dns_rdatatype_rrsig) {
length++;
data--;
}
*tcurrent++ = (length & 0xff00) >> 8;
*tcurrent++ = (length & 0x00ff);
#if DNS_RDATASET_FIXED
tcurrent += 2; /* fill in later */
#endif
memcpy(tcurrent, data, length);
tcurrent += length;
oadded++;
if (oadded < ocount) {
dns_rdata_reset(&ordata);
#if DNS_RDATASET_FIXED
oorder = ocurrent[2] * 256 + ocurrent[3];
INSIST(oorder < ocount);
#endif
rdata_from_slab(&ocurrent, rdclass, type,
&ordata);
}
} else {
#if DNS_RDATASET_FIXED
offsettable[ocount + norder] = tcurrent - offsetbase;
#endif
length = nrdata.length;
data = nrdata.data;
if (type == dns_rdatatype_rrsig) {
length++;
data--;
}
*tcurrent++ = (length & 0xff00) >> 8;
*tcurrent++ = (length & 0x00ff);
#if DNS_RDATASET_FIXED
tcurrent += 2; /* fill in later */
#endif
memcpy(tcurrent, data, length);
tcurrent += length;
nadded++;
if (nadded < ncount) {
do {
dns_rdata_reset(&nrdata);
#if DNS_RDATASET_FIXED
norder = ncurrent[2] * 256 + ncurrent[3];
INSIST(norder < oncount);
#endif
rdata_from_slab(&ncurrent, rdclass,
type, &nrdata);
} while (rdata_in_slab(oslab, reservelen,
rdclass, type,
&nrdata));
}
}
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
void
dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
dns_rdataset_t *rdataset)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_trust_t trust;
isc_region_t remaining, sigregion;
isc_buffer_t source;
dns_name_t tname;
dns_rdatatype_t type;
unsigned int count;
dns_rdata_rrsig_t rrsig;
unsigned char *raw;
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(found != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
dns_rdataset_current(ncacherdataset, &rdata);
isc_buffer_init(&source, rdata.data, rdata.length);
isc_buffer_add(&source, rdata.length);
dns_name_init(&tname, NULL);
isc_buffer_remainingregion(&source, &remaining);
dns_name_fromregion(found, &remaining);
INSIST(remaining.length >= found->length);
isc_buffer_forward(&source, found->length);
remaining.length -= found->length;
INSIST(remaining.length >= 5);
type = isc_buffer_getuint16(&source);
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
isc_buffer_remainingregion(&source, &remaining);
rdataset->methods = &rdataset_methods;
rdataset->rdclass = ncacherdataset->rdclass;
rdataset->type = type;
if (type == dns_rdatatype_rrsig) {
/*
* Extract covers from RRSIG.
*/
raw = remaining.base;
count = raw[0] * 256 + raw[1];
INSIST(count > 0);
raw += 2;
sigregion.length = raw[0] * 256 + raw[1];
raw += 2;
sigregion.base = raw;
dns_rdata_reset(&rdata);
dns_rdata_fromregion(&rdata, rdataset->rdclass,
rdataset->type, &sigregion);
(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
rdataset->covers = rrsig.covered;
} else
rdataset->covers = 0;
rdataset->ttl = ncacherdataset->ttl;
rdataset->trust = trust;
rdataset->private1 = NULL;
rdataset->private2 = NULL;
rdataset->private3 = remaining.base;
/*
* Reset iterator state.
*/
rdataset->privateuint4 = 0;
rdataset->private5 = NULL;
rdataset->private6 = NULL;
}
isc_result_t
dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
{
dns_rdata_any_tsig_t tsig, querytsig;
isc_region_t r, source_r, header_r, sig_r;
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_stdtime_t now;
isc_result_t ret;
dns_tsigkey_t *tsigkey;
dst_key_t *key = NULL;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_uint16_t addcount, id;
unsigned int siglen;
unsigned int alg;
isc_boolean_t response;
REQUIRE(source != NULL);
REQUIRE(DNS_MESSAGE_VALID(msg));
tsigkey = dns_message_gettsigkey(msg);
response = is_response(msg);
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
return (DNS_R_UNEXPECTEDTSIG);
return (tsig_verify_tcp(source, msg));
}
/*
* There should be a TSIG record...
*/
if (msg->tsig == NULL)
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (response && (tsigkey == NULL || msg->querytsig == NULL))
return (DNS_R_UNEXPECTEDTSIG);
mctx = msg->mctx;
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->tsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdata_reset(&rdata);
if (response) {
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->querytsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
}
#if defined(__clang__) && \
( __clang_major__ < 3 || \
(__clang_major__ == 3 && __clang_minor__ < 2) || \
(__clang_major__ == 4 && __clang_minor__ < 2))
/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
else memset(&querytsig, 0, sizeof(querytsig));
#endif
/*
* Do the key name and algorithm match that of the query?
*/
if (response &&
(!dns_name_equal(keyname, &tsigkey->name) ||
!dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
msg->tsigstatus = dns_tsigerror_badkey;
tsig_log(msg->tsigkey, 2,
"key name and algorithm do not match");
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
isc_stdtime_get(&now);
/*
* Find dns_tsigkey_t based on keyname.
*/
if (tsigkey == NULL) {
ret = ISC_R_NOTFOUND;
if (ring1 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring1);
if (ret == ISC_R_NOTFOUND && ring2 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring2);
if (ret != ISC_R_SUCCESS) {
msg->tsigstatus = dns_tsigerror_badkey;
ret = dns_tsigkey_create(keyname, &tsig.algorithm,
NULL, 0, ISC_FALSE, NULL,
now, now,
mctx, NULL, &msg->tsigkey);
if (ret != ISC_R_SUCCESS)
return (ret);
tsig_log(msg->tsigkey, 2, "unknown key");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigkey = tsigkey;
}
key = tsigkey->key;
/*
* Is the time ok?
*/
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired");
return (DNS_R_CLOCKSKEW);
} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature is in the future");
return (DNS_R_CLOCKSKEW);
}
/*
* Check digest length.
*/
alg = dst_key_alg(key);
ret = dst_key_sigsize(key, &siglen);
if (ret != ISC_R_SUCCESS)
return (ret);
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
isc_uint16_t digestbits = dst_key_getbits(key);
if (tsig.siglen > siglen) {
tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
(tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 && digestbits != 0 &&
tsig.siglen < ((digestbits + 1) / 8)) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2,
"truncated signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
if (tsig.siglen > 0 && digestbits == 0 &&
tsig.siglen < siglen) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2, "signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
}
if (tsig.siglen > 0) {
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
if (response) {
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Put in the original id.
*/
id = htons(tsig.originalid);
memmove(&header[0], &id, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &header_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
isc_buffer_usedregion(source, &source_r);
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key name.
*/
dns_name_toregion(&tsigkey->name, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, tsig.common.rdclass);
isc_buffer_putuint32(&databuf, msg->tsig->ttl);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key algorithm.
*/
dns_name_toregion(tsigkey->algorithm, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (tsig.otherlen > 0) {
r.base = tsig.other;
r.length = tsig.otherlen;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dst_context_destroy(&ctx);
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigstatus = dns_rcode_noerror;
if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
return (DNS_R_CLOCKSKEW);
else
return (DNS_R_TSIGERRORSET);
}
msg->verified_sig = 1;
return (ISC_R_SUCCESS);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
return (ret);
}
static void
resolve_ns(isc_task_t *task, isc_event_t *event) {
struct probe_trans *trans = event->ev_arg;
dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
dns_name_t *name;
dns_rdataset_t *rdataset;
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
struct probe_ns *pns;
REQUIRE(task == probe_task);
REQUIRE(trans->inuse == ISC_TRUE);
INSIST(outstanding_probes > 0);
for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
name = ISC_LIST_NEXT(name, link)) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
(void)print_rdataset(rdataset, name);
if (rdataset->type != dns_rdatatype_ns)
continue;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
dns_rdata_ns_t ns;
dns_rdataset_current(rdataset, &rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS)
continue;
pns = isc_mem_get(mctx, sizeof(*pns));
if (pns == NULL) {
fprintf(stderr,
"resolve_ns: mem_get failed");
result = ISC_R_NOMEMORY;
POST(result);
/*
* XXX: should we continue with the
* available servers anyway?
*/
goto cleanup;
}
dns_fixedname_init(&pns->fixedname);
pns->name =
dns_fixedname_name(&pns->fixedname);
ISC_LINK_INIT(pns, link);
ISC_LIST_APPEND(trans->nslist, pns, link);
ISC_LIST_INIT(pns->servers);
dns_name_copy(&ns.name, pns->name, NULL);
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
}
}
}
cleanup:
dns_client_freeresanswer(client, &rev->answerlist);
dns_client_destroyrestrans(&trans->resid);
isc_event_free(&event);
if (!ISC_LIST_EMPTY(trans->nslist)) {
/* Go get addresses of NSes */
trans->current_ns = ISC_LIST_HEAD(trans->nslist);
result = fetch_nsaddress(trans);
} else
result = ISC_R_FAILURE;
if (result == ISC_R_SUCCESS)
return;
reset_probe(trans);
}
static isc_result_t
tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
dns_rdata_any_tsig_t tsig, querytsig;
isc_region_t r, source_r, header_r, sig_r;
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_stdtime_t now;
isc_result_t ret;
dns_tsigkey_t *tsigkey;
dst_key_t *key = NULL;
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_uint16_t addcount, id;
isc_boolean_t has_tsig = ISC_FALSE;
isc_mem_t *mctx;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
REQUIRE(dns_message_gettsigkey(msg) != NULL);
REQUIRE(msg->tcp_continuation == 1);
REQUIRE(msg->querytsig != NULL);
if (!is_response(msg))
return (DNS_R_EXPECTEDRESPONSE);
mctx = msg->mctx;
tsigkey = dns_message_gettsigkey(msg);
/*
* Extract and parse the previous TSIG
*/
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->querytsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdata_reset(&rdata);
/*
* If there is a TSIG in this message, do some checks.
*/
if (msg->tsig != NULL) {
has_tsig = ISC_TRUE;
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsig);
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
dns_rdataset_current(msg->tsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Do the key name and algorithm match that of the query?
*/
if (!dns_name_equal(keyname, &tsigkey->name) ||
!dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
msg->tsigstatus = dns_tsigerror_badkey;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"key name and algorithm do not match");
goto cleanup_querystruct;
}
/*
* Is the time ok?
*/
isc_stdtime_get(&now);
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired");
ret = DNS_R_CLOCKSKEW;
goto cleanup_querystruct;
} else if (now + msg->timeadjust <
tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2,
"signature is in the future");
ret = DNS_R_CLOCKSKEW;
goto cleanup_querystruct;
}
}
key = tsigkey->key;
if (msg->tsigctx == NULL) {
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &msg->tsigctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Digest the length of the query signature
*/
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the data of the query signature
*/
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter if necessary.
*/
if (has_tsig) {
memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
}
/*
* Put in the original id.
*/
/* XXX Can TCP transfers be forwarded? How would that work? */
if (has_tsig) {
id = htons(tsig.originalid);
memmove(&header[0], &id, 2);
}
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(msg->tsigctx, &header_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
isc_buffer_usedregion(source, &source_r);
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
if (has_tsig)
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
else
r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the time signed and fudge.
*/
if (has_tsig) {
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
if (tsig.siglen == 0) {
if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
ret = DNS_R_CLOCKSKEW;
else
ret = DNS_R_TSIGERRORSET;
} else {
tsig_log(msg->tsigkey, 2,
"signature is empty");
ret = DNS_R_TSIGVERIFYFAILURE;
}
goto cleanup_context;
}
ret = dst_context_verify(msg->tsigctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(2)");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dst_context_destroy(&msg->tsigctx);
}
msg->tsigstatus = dns_rcode_noerror;
return (ISC_R_SUCCESS);
cleanup_context:
dst_context_destroy(&msg->tsigctx);
cleanup_querystruct:
dns_rdata_freestruct(&querytsig);
return (ret);
}
ATF_TC_BODY(csync, tc) {
struct {
const char *data;
isc_boolean_t ok;
} text_data[] = {
{ "", ISC_FALSE },
{ "0", ISC_FALSE },
{ "0 0", ISC_TRUE },
{ "0 0 A", ISC_TRUE },
{ "0 0 NS", ISC_TRUE },
{ "0 0 AAAA", ISC_TRUE },
{ "0 0 A AAAA", ISC_TRUE },
{ "0 0 A NS AAAA", ISC_TRUE },
{ "0 0 A NS AAAA BOGUS", ISC_FALSE },
{ NULL, ISC_FALSE },
};
struct {
unsigned char data[64];
size_t len;
isc_boolean_t ok;
} wire_data[] = {
/* short */
{ { 0x00 }, 0, ISC_FALSE },
/* short */
{ { 0x00 }, 1, ISC_FALSE },
/* short */
{ { 0x00, 0x00 }, 2, ISC_FALSE },
/* short */
{ { 0x00, 0x00, 0x00 }, 3, ISC_FALSE },
/* short */
{ { 0x00, 0x00, 0x00, 0x00 }, 4, ISC_FALSE },
/* short */
{ { 0x00, 0x00, 0x00, 0x00, 0x00 }, 5, ISC_FALSE },
/* serial + flags only */
{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 6, ISC_TRUE },
/* bad type map */
{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 7, ISC_FALSE },
/* bad type map */
{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
8, ISC_FALSE },
/* good type map */
{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02 },
9, ISC_TRUE }
};
unsigned char buf1[1024];
unsigned char buf2[1024];
isc_buffer_t source, target1, target2;
isc_result_t result;
size_t i;
dns_rdataclass_t rdclass = dns_rdataclass_in;
dns_rdatatype_t type = dns_rdatatype_csync;
isc_lex_t *lex = NULL;
dns_rdatacallbacks_t callbacks;
dns_rdata_csync_t csync;
dns_decompress_t dctx;
UNUSED(tc);
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = isc_lex_create(mctx, 64, &lex);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
dns_rdatacallbacks_init(&callbacks);
callbacks.error = error_callback;
callbacks.warn = warn_callback;
for (i = 0; text_data[i].data != NULL; i++) {
size_t length = strlen(text_data[i].data);
isc_buffer_constinit(&source, text_data[i].data, length);
isc_buffer_add(&source, length);
result = isc_lex_openbuffer(lex, &source);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_buffer_init(&target1, buf1, sizeof(buf1));
result = dns_rdata_fromtext(NULL, rdclass, type, lex,
dns_rootname, 0, NULL, &target1,
&callbacks);
if (text_data[i].ok)
ATF_CHECK_EQ(result, ISC_R_SUCCESS);
else
ATF_CHECK(result != ISC_R_SUCCESS);
}
isc_lex_destroy(&lex);
for (i = 0; i < sizeof(wire_data)/sizeof(wire_data[0]); i++) {
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_buffer_init(&source, wire_data[i].data, wire_data[i].len);
isc_buffer_add(&source, wire_data[i].len);
isc_buffer_setactive(&source, wire_data[i].len);
isc_buffer_init(&target1, buf1, sizeof(buf1));
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
result = dns_rdata_fromwire(&rdata, rdclass, type, &source,
&dctx, 0, &target1);
dns_decompress_invalidate(&dctx);
if (wire_data[i].ok)
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
else
ATF_REQUIRE(result != ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
continue;
result = dns_rdata_tostruct(&rdata, &csync, NULL);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_buffer_init(&target2, buf2, sizeof(buf2));
dns_rdata_reset(&rdata);
result = dns_rdata_fromstruct(&rdata, rdclass, type,
&csync, &target2);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE_EQ(isc_buffer_usedlength(&target2),
wire_data[i].len);
ATF_REQUIRE_EQ(memcmp(buf2, wire_data[i].data,
wire_data[i].len), 0);
}
}
static isc_result_t
towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
dns_compress_t *cctx, isc_buffer_t *target,
dns_rdatasetorderfunc_t order, const void *order_arg,
isc_boolean_t partial, unsigned int options,
unsigned int *countp, void **state)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t r;
isc_result_t result;
unsigned int i, count = 0, added, choice;
isc_buffer_t savedbuffer, rdlen, rrbuffer;
unsigned int headlen;
isc_boolean_t question = ISC_FALSE;
isc_boolean_t shuffle = ISC_FALSE;
dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE];
struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE];
/* count processed auswer ips */
int answer_count = 0;
int is_no_auth_answer = 0;
/* tmp count for record */
int tmp_count = 0;
UNUSED(state);
/*
* Convert 'rdataset' to wire format, compressing names as specified
* in cctx, and storing the result in 'target'.
*/
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE(countp != NULL);
REQUIRE((order == NULL) == (order_arg == NULL));
REQUIRE(cctx != NULL && cctx->mctx != NULL);
if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
question = ISC_TRUE;
count = 1;
result = dns_rdataset_first(rdataset);
INSIST(result == ISC_R_NOMORE);
} else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
/*
* This is a negative caching rdataset.
*/
unsigned int ncache_opts = 0;
if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
countp));
} else {
count = (rdataset->methods->count)(rdataset);
result = dns_rdataset_first(rdataset);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS)
return (result);
}
/*
* Do we want to shuffle this answer?
*/
if (!question && count > 1 &&
(!WANT_FIXED(rdataset) || order != NULL) &&
rdataset->type != dns_rdatatype_rrsig)
shuffle = ISC_TRUE;
if (shuffle && count > MAX_SHUFFLE) {
shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled));
sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted));
if (shuffled == NULL || sorted == NULL)
shuffle = ISC_FALSE;
} else {
shuffled = shuffled_fixed;
sorted = sorted_fixed;
}
if (shuffle) {
/*
* First we get handles to all of the rdata.
*/
i = 0;
do {
INSIST(i < count);
dns_rdata_init(&shuffled[i]);
dns_rdataset_current(rdataset, &shuffled[i]);
i++;
result = dns_rdataset_next(rdataset);
} while (result == ISC_R_SUCCESS);
if (result != ISC_R_NOMORE)
goto cleanup;
INSIST(i == count);
/*
* Now we shuffle.
*/
if (WANT_FIXED(rdataset)) {
/*
* 'Fixed' order.
*/
INSIST(order != NULL);
for (i = 0; i < count; i++) {
sorted[i].key = (*order)(&shuffled[i],
order_arg);
sorted[i].rdata = &shuffled[i];
}
} else if (WANT_RANDOM(rdataset)) {
/*
* 'Random' order.
*/
for (i = 0; i < count; i++) {
dns_rdata_t rdata;
isc_uint32_t val;
isc_random_get(&val);
choice = i + (val % (count - i));
rdata = shuffled[i];
shuffled[i] = shuffled[choice];
shuffled[choice] = rdata;
if (order != NULL)
sorted[i].key = (*order)(&shuffled[i],
order_arg);
else
sorted[i].key = 0; /* Unused */
sorted[i].rdata = &shuffled[i];
}
} else {
/*
* "Cyclic" order.
*/
isc_uint32_t val;
unsigned int j;
val = rdataset->count;
if (val == ISC_UINT32_MAX)
isc_random_get(&val);
j = val % count;
for (i = 0; i < count; i++) {
if (order != NULL)
sorted[i].key = (*order)(&shuffled[j],
order_arg);
else
sorted[i].key = 0; /* Unused */
sorted[i].rdata = &shuffled[j];
j++;
if (j == count)
j = 0; /* Wrap around. */
}
}
/*
* Sorted order.
*/
if (order != NULL)
qsort(sorted, count, sizeof(sorted[0]),
towire_compare);
}
savedbuffer = *target;
i = 0;
added = 0;
// save the count here
tmp_count = count;
do {
/*
* Copy out the name, type, class, ttl.
*/
/* mark if is answer data. */
is_no_auth_answer = 0;
/* Answer from a non-authoritative server,we set the ttl fixed as 500. */
if(rdataset->attributes == DNS_RDATASETATTR_LOADORDER &&
rdataset->type == dns_rdatatype_a){
/* Answer from a non-authoritative server,we set the ttl fixed as 500. */
if(rdataset->trust == dns_trust_answer ){
is_no_auth_answer = 1;
}
/* for all multi-ip answer,if set DNS_ANSWER_ONLY_ONE_IP flag, return only 1 ip. */
if(answer_count == 0){
answer_count ++;
}else{
if( DNS_ANSWER_ONLY_ONE_IP ){
//fprintf(stderr,"DNS_ANSWER_ONLY_ONE_IP set,skip. \n");
if (shuffle) {
tmp_count--;
if (i == tmp_count)
result = ISC_R_NOMORE;
else
result = ISC_R_SUCCESS;
} else {
result = dns_rdataset_next(rdataset);
}
continue;
}
}
}
rrbuffer = *target;
dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
result = dns_name_towire(owner_name, cctx, target);
if (result != ISC_R_SUCCESS)
goto rollback;
headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
if (!question)
headlen += sizeof(dns_ttl_t)
+ 2; /* XXX 2 for rdata len */
isc_buffer_availableregion(target, &r);
if (r.length < headlen) {
result = ISC_R_NOSPACE;
goto rollback;
}
isc_buffer_putuint16(target, rdataset->type);
isc_buffer_putuint16(target, rdataset->rdclass);
if (!question) {
if( is_no_auth_answer ){
isc_buffer_putuint32(target, DNS_DEFAULT_TTL_FOR_NO_AUTH_NAME);
}else{
isc_buffer_putuint32(target, rdataset->ttl);
}
//fprintf(stderr,"xxxxxxxxx:trust : %d artr: %d ttl:%d cover: %d type: %d count: %d class: %d\n", rdataset->trust,rdataset->attributes,rdataset->ttl, rdataset->covers,rdataset->type, rdataset->count, rdataset->rdclass);
/*
* Save space for rdlen.
*/
rdlen = *target;
isc_buffer_add(target, 2);
/*
* Copy out the rdata
*/
if (shuffle)
rdata = *(sorted[i].rdata);
else {
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
}
result = dns_rdata_towire(&rdata, cctx, target);
if (result != ISC_R_SUCCESS)
goto rollback;
INSIST((target->used >= rdlen.used + 2) &&
(target->used - rdlen.used - 2 < 65536));
isc_buffer_putuint16(&rdlen,
(isc_uint16_t)(target->used -
rdlen.used - 2));
added++;
}
if (shuffle) {
i++;
if (i == tmp_count)
result = ISC_R_NOMORE;
else
result = ISC_R_SUCCESS;
} else {
result = dns_rdataset_next(rdataset);
}
} while (result == ISC_R_SUCCESS);
if (result != ISC_R_NOMORE)
goto rollback;
*countp += tmp_count;
result = ISC_R_SUCCESS;
goto cleanup;
rollback:
if (partial && result == ISC_R_NOSPACE) {
INSIST(rrbuffer.used < 65536);
dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used);
*countp += added;
*target = rrbuffer;
goto cleanup;
}
INSIST(savedbuffer.used < 65536);
dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
*countp = 0;
*target = savedbuffer;
cleanup:
if (sorted != NULL && sorted != sorted_fixed)
isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
if (shuffled != NULL && shuffled != shuffled_fixed)
isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
return (result);
}
