/**
* Publish the NSEC3 parameters as indicated by the signer configuration.
*
*/
ods_status
zone_publish_nsec3param(zone_type* zone)
{
rrset_type* rrset = NULL;
rr_type* n3prr = NULL;
ldns_rr* rr = NULL;
ods_status status = ODS_STATUS_OK;
if (!zone || !zone->name || !zone->db || !zone->signconf) {
return ODS_STATUS_ASSERT_ERR;
}
if (!zone->signconf->nsec3params) {
/* NSEC */
ods_log_assert(zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC);
return ODS_STATUS_OK;
}
if (!zone->signconf->nsec3params->rr) {
rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
if (!rr) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error creating rr (%s)", zone_str, zone->name,
ods_status2str(status));
return ODS_STATUS_MALLOC_ERR;
}
ldns_rr_set_class(rr, zone->klass);
ldns_rr_set_ttl(rr, 0);
ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
ldns_nsec3_add_param_rdfs(rr,
zone->signconf->nsec3params->algorithm, 0,
zone->signconf->nsec3params->iterations,
zone->signconf->nsec3params->salt_len,
zone->signconf->nsec3params->salt_data);
/**
* Always set bit 7 of the flags to zero,
* according to rfc5155 section 11
*/
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0);
zone->signconf->nsec3params->rr = rr;
}
ods_log_assert(zone->signconf->nsec3params->rr);
status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0);
if (status == ODS_STATUS_UNCHANGED) {
/* rr already exists, adjust pointer */
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS);
ods_log_assert(rrset);
n3prr = rrset_lookup_rr(rrset, zone->signconf->nsec3params->rr);
ods_log_assert(n3prr);
if (n3prr->rr != zone->signconf->nsec3params->rr) {
ldns_rr_free(zone->signconf->nsec3params->rr);
}
zone->signconf->nsec3params->rr = n3prr->rr;
status = ODS_STATUS_OK;
} else if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error adding nsec3params (%s)", zone_str,
zone->name, ods_status2str(status));
}
return status;
}
/**
* Update DNS output adapter.
*
*/
ods_status
dnsout_update(dnsout_type** addns, const char* filename, time_t* last_mod)
{
dnsout_type* new_addns = NULL;
time_t st_mtime = 0;
ods_status status = ODS_STATUS_OK;
if (!filename || !addns || !last_mod) {
return ODS_STATUS_UNCHANGED;
}
/* read the new signer configuration */
new_addns = dnsout_create();
if (!new_addns) {
ods_log_error("[%s] unable to update dnsout: dnsout_create() "
"failed", adapter_str);
return ODS_STATUS_ERR;
}
status = dnsout_read(new_addns, filename);
if (status == ODS_STATUS_OK) {
*addns = new_addns;
*last_mod = st_mtime;
} else {
ods_log_error("[%s] unable to update dnsout: dnsout_read(%s) "
"failed (%s)", adapter_str, filename, ods_status2str(status));
dnsout_cleanup(new_addns);
}
return status;
}
/**
* Update serial.
*
*/
ods_status
zone_update_serial(zone_type* zone)
{
ods_status status = ODS_STATUS_OK;
rrset_type* rrset = NULL;
rr_type* soa = NULL;
ldns_rr* rr = NULL;
ldns_rdf* soa_rdata = NULL;
ods_log_assert(zone);
ods_log_assert(zone->apex);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
if (zone->db->serial_updated) {
/* already done, unmark and return ok */
ods_log_debug("[%s] zone %s soa serial already up to date",
zone_str, zone->name);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_SOA);
ods_log_assert(rrset);
ods_log_assert(rrset->rrs);
ods_log_assert(rrset->rrs[0].rr);
rr = ldns_rr_clone(rrset->rrs[0].rr);
if (!rr) {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"clone soa rr", zone_str, zone->name);
return ODS_STATUS_ERR;
}
status = namedb_update_serial(zone->db, zone->signconf->soa_serial,
zone->db->inbserial);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to update zone %s soa serial: %s",
zone_str, zone->name, ods_status2str(status));
ldns_rr_free(rr);
return status;
}
ods_log_verbose("[%s] zone %s set soa serial to %u", zone_str,
zone->name, zone->db->intserial);
soa_rdata = ldns_rr_set_rdf(rr,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
zone->db->intserial), SE_SOA_RDATA_SERIAL);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"replace soa serial rdata", zone_str, zone->name);
ldns_rr_free(rr);
return ODS_STATUS_ERR;
}
soa = rrset_add_rr(rrset, rr);
ods_log_assert(soa);
rrset_diff(rrset, 0, 0);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
/**
* Read DNS output adapter.
*
*/
static ods_status
dnsout_read(dnsout_type* addns, const char* filename)
{
const char* rngfile = ODS_SE_RNGDIR "/addns.rng";
ods_status status = ODS_STATUS_OK;
FILE* fd = NULL;
if (!filename || !addns) {
return ODS_STATUS_ASSERT_ERR;
}
ods_log_debug("[%s] read dnsout file %s", adapter_str, filename);
status = parse_file_check(filename, rngfile);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to read dnsout: parse error in "
"file %s (%s)", adapter_str, filename, ods_status2str(status));
return status;
}
fd = ods_fopen(filename, NULL, "r");
if (fd) {
addns->tsig = parse_addns_tsig(addns->allocator, filename);
addns->provide_xfr = parse_addns_provide_xfr(addns->allocator,
filename, addns->tsig);
addns->do_notify = parse_addns_do_notify(addns->allocator, filename,
addns->tsig);
ods_fclose(fd);
return ODS_STATUS_OK;
}
ods_log_error("[%s] unable to read dnsout: failed to open file %s",
adapter_str, filename);
return ODS_STATUS_ERR;
}
/**
* Load zone signconf.
*
*/
ods_status
tools_signconf(zone_type* zone)
{
ods_status status = ODS_STATUS_OK;
signconf_type* new_signconf = NULL;
ods_log_assert(zone);
ods_log_assert(zone->name);
status = zone_load_signconf(zone, &new_signconf);
if (status == ODS_STATUS_OK) {
ods_log_assert(new_signconf);
/* Denial of Existence Rollover? */
if (signconf_compare_denial(zone->signconf, new_signconf)
== TASK_NSECIFY) {
/**
* Or NSEC -> NSEC3, or NSEC3 -> NSEC, or NSEC3 params changed.
* All NSEC(3)s become invalid.
*/
namedb_wipe_denial(zone->db);
namedb_cleanup_denials(zone->db);
namedb_init_denials(zone->db);
}
/* all ok, switch signer configuration */
signconf_cleanup(zone->signconf);
ods_log_debug("[%s] zone %s switch to new signconf", tools_str,
zone->name);
zone->signconf = new_signconf;
signconf_log(zone->signconf, zone->name);
zone->default_ttl = (uint32_t) duration2time(zone->signconf->soa_min);
} else if (status != ODS_STATUS_UNCHANGED) {
ods_log_error("[%s] unable to load signconf for zone %s: %s",
tools_str, zone->name, ods_status2str(status));
}
return status;
}
/**
* Update zone list.
*
*/
ods_status
zonelist_update(zonelist_type* zl, const char* zlfile)
{
zonelist_type* new_zlist = NULL;
allocator_type* tmp_alloc = NULL;
time_t st_mtime = 0;
ods_status status = ODS_STATUS_OK;
char* datestamp = NULL;
ods_log_debug("[%s] update zone list", zl_str);
if (!zl|| !zl->zones || !zlfile) {
return ODS_STATUS_ASSERT_ERR;
}
/* is the file updated? */
st_mtime = ods_file_lastmodified(zlfile);
if (st_mtime <= zl->last_modified) {
(void)time_datestamp(zl->last_modified, "%Y-%m-%d %T", &datestamp);
ods_log_debug("[%s] zonelist file %s is unchanged since %s",
zl_str, zlfile, datestamp?datestamp:"Unknown");
free((void*)datestamp);
return ODS_STATUS_UNCHANGED;
}
/* create new zonelist */
tmp_alloc = allocator_create(malloc, free);
if (!tmp_alloc) {
return ODS_STATUS_MALLOC_ERR;
}
new_zlist = zonelist_create(tmp_alloc);
if (!new_zlist) {
ods_log_error("[%s] unable to update zonelist: zonelist_create() "
"failed", zl_str);
allocator_cleanup(tmp_alloc);
return ODS_STATUS_ERR;
}
/* read zonelist */
status = zonelist_read(new_zlist, zlfile);
if (status == ODS_STATUS_OK) {
zl->just_removed = 0;
zl->just_added = 0;
zl->just_updated = 0;
new_zlist->last_modified = st_mtime;
zonelist_merge(zl, new_zlist);
(void)time_datestamp(zl->last_modified, "%Y-%m-%d %T", &datestamp);
ods_log_debug("[%s] file %s is modified since %s", zl_str, zlfile,
datestamp?datestamp:"Unknown");
free((void*)datestamp);
} else {
ods_log_error("[%s] unable to update zonelist: read file %s failed "
"(%s)", zl_str, zlfile, ods_status2str(status));
}
zonelist_free(new_zlist);
allocator_cleanup(tmp_alloc);
return status;
}
/**
* Start dns handler listener.
*
*/
ods_status
dnshandler_listen(dnshandler_type* dnshandler)
{
ods_status status = ODS_STATUS_OK;
ods_log_assert(dnshandler);
status = sock_listen(dnshandler->socklist, dnshandler->interfaces);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to start: sock_listen() "
"failed (%s)", dnsh_str, ods_status2str(status));
dnshandler->thread_id = 0;
}
return status;
}
/**
* Load signer configuration for zone.
*
*/
ods_status
zone_load_signconf(zone_type* zone, signconf_type** new_signconf)
{
ods_status status = ODS_STATUS_OK;
signconf_type* signconf = NULL;
char* datestamp = NULL;
if (!zone || !zone->name || !zone->signconf) {
return ODS_STATUS_ASSERT_ERR;
}
if (!zone->signconf_filename) {
ods_log_warning("[%s] zone %s has no signconf filename, treat as "
"insecure?", zone_str, zone->name);
return ODS_STATUS_INSECURE;
}
status = signconf_update(&signconf, zone->signconf_filename,
zone->signconf->last_modified);
if (status == ODS_STATUS_OK) {
if (!signconf) {
/* this is unexpected */
ods_log_alert("[%s] unable to load signconf for zone %s: signconf "
"status ok but no signconf stored", zone_str, zone->name);
return ODS_STATUS_ASSERT_ERR;
}
(void)time_datestamp(signconf->last_modified, "%Y-%m-%d %T",
&datestamp);
ods_log_debug("[%s] zone %s signconf file %s is modified since %s",
zone_str, zone->name, zone->signconf_filename,
datestamp?datestamp:"Unknown");
free((void*)datestamp);
*new_signconf = signconf;
} else if (status == ODS_STATUS_UNCHANGED) {
(void)time_datestamp(zone->signconf->last_modified,
"%Y-%m-%d %T", &datestamp);
ods_log_verbose("[%s] zone %s signconf file %s is unchanged since "
"%s", zone_str, zone->name, zone->signconf_filename,
datestamp?datestamp:"Unknown");
free((void*)datestamp);
} else {
ods_log_error("[%s] unable to load signconf for zone %s: signconf %s "
"%s", zone_str, zone->name, zone->signconf_filename,
ods_status2str(status));
}
return status;
}
/**
* Set up engine.
*
*/
void
engine_setup(engine_type* engine, handled_xxxx_cmd_type *commands,
help_xxxx_cmd_type *help)
{
ods_status status;
engine->commands = commands;
engine->help = help;
status = engine_setup_and_return_status(engine);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup failed: %s", engine_str,
ods_status2str(status));
engine->need_to_exit = 1;
if (status != ODS_STATUS_WRITE_PIDFILE_ERR) {
/* command handler had not yet been started */
engine->cmdhandler_done = 1;
}
}
}
/**
* Create ACL.
*
*/
acl_type*
acl_create(allocator_type* allocator, char* address, char* port,
char* tsig_name, tsig_type* tsig)
{
ods_status status = ODS_STATUS_OK;
acl_type* acl = NULL;
char* p = NULL;
if (!allocator) {
return NULL;
}
acl = (acl_type*) allocator_alloc(allocator, sizeof(acl_type));
if (!acl) {
ods_log_error("[%s] unable to create acl: allocator_alloc() "
"failed", acl_str);
return NULL;
}
acl->address = NULL;
acl->next = NULL;
acl->tsig = NULL;
if (tsig_name) {
acl->tsig = tsig_lookup_by_name(tsig, tsig_name);
if (!acl->tsig) {
ods_log_error("[%s] unable to create acl: tsig %s not found",
acl_str, tsig_name);
acl_cleanup(acl, allocator);
return NULL;
}
}
acl->port = 0;
if (port) {
acl->port = atoi((const char*) port);
}
memset(&acl->addr, 0, sizeof(union acl_addr_storage));
memset(&acl->range_mask, 0, sizeof(union acl_addr_storage));
if (address) {
acl->family = acl_parse_family(address);
acl->range_type = acl_parse_range_type(address, &p);
acl->address = allocator_strdup(allocator, address);
if (!acl->address) {
ods_log_error("[%s] unable to create acl: allocator_strdup() "
"failed", acl_str);
acl_cleanup(acl, allocator);
return NULL;
}
if (acl->family == AF_INET6) {
if (inet_pton(AF_INET6, acl->address, &acl->addr.addr6) != 1) {
ods_log_error("[%s] unable to create acl: bad ipv6 address "
"(%s)", acl_str, acl->address);
acl_cleanup(acl, allocator);
return NULL;
}
if (acl->range_type == ACL_RANGE_MASK ||
acl->range_type == ACL_RANGE_MINMAX) {
if (inet_pton(AF_INET6, p, &acl->range_mask.addr6) != 1) {
ods_log_error("[%s] unable to create acl: bad ipv6 address"
" mask (%s)", acl_str, p);
acl_cleanup(acl, allocator);
return NULL;
}
} else if (acl->range_type == ACL_RANGE_SUBNET) {
status = acl_parse_range_subnet(p, &acl->range_mask.addr6, 128);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to create acl: %s (%s)",
acl_str, ods_status2str(status), p);
acl_cleanup(acl, allocator);
return NULL;
}
}
} else if (acl->family == AF_INET) {
if (inet_pton(AF_INET, acl->address, &acl->addr.addr) != 1) {
ods_log_error("[%s] unable to create acl: bad ipv4 address "
"(%s)", acl_str, acl->address);
acl_cleanup(acl, allocator);
return NULL;
}
if (acl->range_type == ACL_RANGE_MASK ||
acl->range_type == ACL_RANGE_MINMAX) {
if (inet_pton(AF_INET, p, &acl->range_mask.addr) != 1) {
ods_log_error("[%s] unable to create acl: bad ipv4 address"
" mask (%s)", acl_str, p);
acl_cleanup(acl, allocator);
return NULL;
}
} else if (acl->range_type == ACL_RANGE_SUBNET) {
status = acl_parse_range_subnet(p, &acl->range_mask.addr, 32);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to create acl: %s (%s)",
acl_str, ods_status2str(status), p);
acl_cleanup(acl, allocator);
return NULL;
}
}
}
}
acl->ixfr_disabled = 0;
return acl;
}
/**
* Start engine.
*
*/
void
engine_start(const char* cfgfile, int cmdline_verbosity, int daemonize,
int info, int single_run)
{
engine_type* engine = NULL;
int use_syslog = 0;
ods_status zl_changed = ODS_STATUS_UNCHANGED;
ods_status status = ODS_STATUS_OK;
int close_hsm = 0;
ods_log_assert(cfgfile);
ods_log_init(NULL, use_syslog, cmdline_verbosity);
ods_log_verbose("[%s] starting signer", engine_str);
/* initialize */
xmlInitGlobals();
xmlInitParser();
xmlInitThreads();
engine = engine_create();
if (!engine) {
ods_fatal_exit("[%s] create failed", engine_str);
return;
}
engine->daemonize = daemonize;
/* config */
engine->config = engine_config(engine->allocator, cfgfile,
cmdline_verbosity);
status = engine_config_check(engine->config);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] cfgfile %s has errors", engine_str, cfgfile);
goto earlyexit;
}
if (info) {
engine_config_print(stdout, engine->config); /* for debugging */
goto earlyexit;
}
/* check pidfile */
if (!util_check_pidfile(engine->config->pid_filename)) {
exit(1);
}
/* open log */
ods_log_init(engine->config->log_filename, engine->config->use_syslog,
engine->config->verbosity);
/* setup */
tzset(); /* for portability */
status = engine_setup(engine);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup failed: %s", engine_str,
ods_status2str(status));
engine->need_to_exit = 1;
if (status != ODS_STATUS_WRITE_PIDFILE_ERR) {
/* command handler had not yet been started */
engine->cmdhandler_done = 1;
}
} else {
/* setup ok, mark hsm open */
close_hsm = 1;
}
/* run */
while (engine->need_to_exit == 0) {
/* update zone list */
lock_basic_lock(&engine->zonelist->zl_lock);
zl_changed = zonelist_update(engine->zonelist,
engine->config->zonelist_filename);
engine->zonelist->just_removed = 0;
engine->zonelist->just_added = 0;
engine->zonelist->just_updated = 0;
lock_basic_unlock(&engine->zonelist->zl_lock);
/* start/reload */
if (engine->need_to_reload) {
ods_log_info("[%s] signer reloading", engine_str);
engine->need_to_reload = 0;
} else {
ods_log_info("[%s] signer started", engine_str);
zl_changed = engine_recover(engine);
}
if (zl_changed == ODS_STATUS_OK ||
zl_changed == ODS_STATUS_UNCHANGED) {
engine_update_zones(engine, zl_changed);
}
engine_run(engine, single_run);
}
/* shutdown */
ods_log_info("[%s] signer shutdown", engine_str);
if (close_hsm) {
ods_log_verbose("[%s] close hsm", engine_str);
hsm_close();
}
if (!engine->cmdhandler_done) {
engine_stop_xfrhandler(engine);
engine_stop_dnshandler(engine);
engine_stop_cmdhandler(engine);
}
earlyexit:
if (engine && engine->config) {
if (engine->config->pid_filename) {
(void)unlink(engine->config->pid_filename);
}
if (engine->config->clisock_filename) {
(void)unlink(engine->config->clisock_filename);
}
}
tsig_handler_cleanup();
engine_cleanup(engine);
engine = NULL;
ods_log_close();
xmlCleanupParser();
xmlCleanupGlobals();
xmlCleanupThreads();
return;
}
/**
* Try to recover from the backup files.
*
*/
static ods_status
engine_recover(engine_type* engine)
{
ldns_rbnode_t* node = LDNS_RBTREE_NULL;
zone_type* zone = NULL;
ods_status status = ODS_STATUS_OK;
ods_status result = ODS_STATUS_UNCHANGED;
if (!engine || !engine->zonelist || !engine->zonelist->zones) {
ods_log_error("[%s] cannot recover zones: no engine or zonelist",
engine_str);
return ODS_STATUS_ERR; /* no need to update zones */
}
ods_log_assert(engine);
ods_log_assert(engine->zonelist);
ods_log_assert(engine->zonelist->zones);
lock_basic_lock(&engine->zonelist->zl_lock);
/* [LOCK] zonelist */
node = ldns_rbtree_first(engine->zonelist->zones);
while (node && node != LDNS_RBTREE_NULL) {
zone = (zone_type*) node->data;
ods_log_assert(zone->zl_status == ZONE_ZL_ADDED);
status = zone_recover2(zone);
if (status == ODS_STATUS_OK) {
ods_log_assert(zone->task);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
/* notify nameserver */
if (engine->config->notify_command && !zone->notify_ns) {
set_notify_ns(zone, engine->config->notify_command);
}
/* schedule task */
lock_basic_lock(&engine->taskq->schedule_lock);
/* [LOCK] schedule */
status = schedule_task(engine->taskq, (task_type*) zone->task, 0);
/* [UNLOCK] schedule */
lock_basic_unlock(&engine->taskq->schedule_lock);
if (status != ODS_STATUS_OK) {
ods_log_crit("[%s] unable to schedule task for zone %s: %s",
engine_str, zone->name, ods_status2str(status));
task_cleanup((task_type*) zone->task);
zone->task = NULL;
result = ODS_STATUS_OK; /* will trigger update zones */
} else {
ods_log_debug("[%s] recovered zone %s", engine_str,
zone->name);
/* recovery done */
zone->zl_status = ZONE_ZL_OK;
}
} else {
if (status != ODS_STATUS_UNCHANGED) {
ods_log_warning("[%s] unable to recover zone %s from backup,"
" performing full sign", engine_str, zone->name);
}
result = ODS_STATUS_OK; /* will trigger update zones */
}
node = ldns_rbtree_next(node);
}
/* [UNLOCK] zonelist */
lock_basic_unlock(&engine->zonelist->zl_lock);
return result;
}
/**
* Update zones.
*
*/
void
engine_update_zones(engine_type* engine, ods_status zl_changed)
{
ldns_rbnode_t* node = LDNS_RBTREE_NULL;
zone_type* zone = NULL;
zone_type* delzone = NULL;
task_type* task = NULL;
ods_status status = ODS_STATUS_OK;
unsigned wake_up = 0;
int warnings = 0;
time_t now = 0;
if (!engine || !engine->zonelist || !engine->zonelist->zones) {
return;
}
now = time_now();
ods_log_debug("[%s] commit zone list changes", engine_str);
lock_basic_lock(&engine->zonelist->zl_lock);
node = ldns_rbtree_first(engine->zonelist->zones);
while (node && node != LDNS_RBTREE_NULL) {
zone = (zone_type*) node->data;
task = NULL; /* reset task */
if (zone->zl_status == ZONE_ZL_REMOVED) {
node = ldns_rbtree_next(node);
lock_basic_lock(&zone->zone_lock);
delzone = zonelist_del_zone(engine->zonelist, zone);
if (delzone) {
lock_basic_lock(&engine->taskq->schedule_lock);
task = unschedule_task(engine->taskq,
(task_type*) zone->task);
lock_basic_unlock(&engine->taskq->schedule_lock);
}
task_cleanup(task);
task = NULL;
lock_basic_unlock(&zone->zone_lock);
netio_remove_handler(engine->xfrhandler->netio,
&zone->xfrd->handler);
zone_cleanup(zone);
zone = NULL;
continue;
} else if (zone->zl_status == ZONE_ZL_ADDED) {
lock_basic_lock(&zone->zone_lock);
ods_log_assert(!zone->task);
/* set notify nameserver command */
if (engine->config->notify_command && !zone->notify_ns) {
set_notify_ns(zone, engine->config->notify_command);
}
/* create task */
task = task_create(TASK_SIGNCONF, now, zone);
lock_basic_unlock(&zone->zone_lock);
if (!task) {
ods_log_crit("[%s] unable to create task for zone %s: "
"task_create() failed", engine_str, zone->name);
node = ldns_rbtree_next(node);
continue;
}
}
/* load adapter config */
status = adapter_load_config(zone->adinbound);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to load config for inbound adapter "
"for zone %s: %s", engine_str, zone->name,
ods_status2str(status));
}
status = adapter_load_config(zone->adoutbound);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to load config for outbound adapter "
"for zone %s: %s", engine_str, zone->name,
ods_status2str(status));
}
/* for dns adapters */
warnings += dnsconfig_zone(engine, zone);
if (zone->zl_status == ZONE_ZL_ADDED) {
ods_log_assert(task);
lock_basic_lock(&zone->zone_lock);
zone->task = task;
lock_basic_unlock(&zone->zone_lock);
lock_basic_lock(&engine->taskq->schedule_lock);
status = schedule_task(engine->taskq, task, 0);
lock_basic_unlock(&engine->taskq->schedule_lock);
} else if (zl_changed == ODS_STATUS_OK) {
/* always try to update signconf */
lock_basic_lock(&zone->zone_lock);
status = zone_reschedule_task(zone, engine->taskq, TASK_SIGNCONF);
lock_basic_unlock(&zone->zone_lock);
}
if (status != ODS_STATUS_OK) {
ods_log_crit("[%s] unable to schedule task for zone %s: %s",
engine_str, zone->name, ods_status2str(status));
} else {
wake_up = 1;
zone->zl_status = ZONE_ZL_OK;
}
node = ldns_rbtree_next(node);
}
lock_basic_unlock(&engine->zonelist->zl_lock);
if (engine->dnshandler) {
dnshandler_fwd_notify(engine->dnshandler,
(uint8_t*) ODS_SE_NOTIFY_CMD, strlen(ODS_SE_NOTIFY_CMD));
} else if (warnings) {
ods_log_warning("[%s] no dnshandler/listener configured, but zones "
"are configured with dns adapters: notify and zone transfer "
"requests will not work properly", engine_str);
}
if (wake_up) {
engine_wakeup_workers(engine);
}
return;
}
/**
* Set up engine.
*
*/
static ods_status
engine_setup(engine_type* engine)
{
ods_status status = ODS_STATUS_OK;
struct sigaction action;
int result = 0;
int sockets[2] = {0,0};
ods_log_debug("[%s] setup signer engine", engine_str);
if (!engine || !engine->config) {
return ODS_STATUS_ASSERT_ERR;
}
/* set edns */
edns_init(&engine->edns, EDNS_MAX_MESSAGE_LEN);
/* create command handler (before chowning socket file) */
engine->cmdhandler = cmdhandler_create(engine->allocator,
engine->config->clisock_filename);
if (!engine->cmdhandler) {
return ODS_STATUS_CMDHANDLER_ERR;
}
engine->dnshandler = dnshandler_create(engine->allocator,
engine->config->interfaces);
engine->xfrhandler = xfrhandler_create(engine->allocator);
if (!engine->xfrhandler) {
return ODS_STATUS_XFRHANDLER_ERR;
}
if (engine->dnshandler) {
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) == -1) {
return ODS_STATUS_XFRHANDLER_ERR;
}
engine->xfrhandler->dnshandler.fd = sockets[0];
engine->dnshandler->xfrhandler.fd = sockets[1];
status = dnshandler_listen(engine->dnshandler);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup: unable to listen to sockets (%s)",
engine_str, ods_status2str(status));
}
}
/* privdrop */
engine->uid = privuid(engine->config->username);
engine->gid = privgid(engine->config->group);
/* TODO: does piddir exists? */
/* remove the chown stuff: piddir? */
ods_chown(engine->config->pid_filename, engine->uid, engine->gid, 1);
ods_chown(engine->config->clisock_filename, engine->uid, engine->gid, 0);
ods_chown(engine->config->working_dir, engine->uid, engine->gid, 0);
if (engine->config->log_filename && !engine->config->use_syslog) {
ods_chown(engine->config->log_filename, engine->uid, engine->gid, 0);
}
if (engine->config->working_dir &&
chdir(engine->config->working_dir) != 0) {
ods_log_error("[%s] setup: unable to chdir to %s (%s)", engine_str,
engine->config->working_dir, strerror(errno));
return ODS_STATUS_CHDIR_ERR;
}
if (engine_privdrop(engine) != ODS_STATUS_OK) {
return ODS_STATUS_PRIVDROP_ERR;
}
/* daemonize */
if (engine->daemonize) {
switch ((engine->pid = fork())) {
case -1: /* error */
ods_log_error("[%s] setup: unable to fork daemon (%s)",
engine_str, strerror(errno));
return ODS_STATUS_FORK_ERR;
case 0: /* child */
break;
default: /* parent */
engine_cleanup(engine);
engine = NULL;
xmlCleanupParser();
xmlCleanupGlobals();
xmlCleanupThreads();
exit(0);
}
if (setsid() == -1) {
ods_log_error("[%s] setup: unable to setsid daemon (%s)",
engine_str, strerror(errno));
return ODS_STATUS_SETSID_ERR;
}
}
engine->pid = getpid();
ods_log_verbose("[%s] running as pid %lu", engine_str,
(unsigned long) engine->pid);
/* catch signals */
signal_set_engine(engine);
action.sa_handler = signal_handler;
sigfillset(&action.sa_mask);
action.sa_flags = 0;
sigaction(SIGTERM, &action, NULL);
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGILL, &action, NULL);
sigaction(SIGUSR1, &action, NULL);
sigaction(SIGALRM, &action, NULL);
sigaction(SIGCHLD, &action, NULL);
action.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &action, NULL);
/* set up hsm */ /* LEAK */
result = lhsm_open(engine->config->cfg_filename);
if (result != HSM_OK) {
return ODS_STATUS_HSM_ERR;
}
/* create workers/drudgers */
engine_create_workers(engine);
engine_create_drudgers(engine);
/* start cmd/dns/xfr handlers */
engine_start_cmdhandler(engine);
engine_start_dnshandler(engine);
engine_start_xfrhandler(engine);
tsig_handler_init(engine->allocator);
/* write pidfile */
if (util_write_pidfile(engine->config->pid_filename, engine->pid) == -1) {
hsm_close();
return ODS_STATUS_WRITE_PIDFILE_ERR;
}
/* setup done */
return ODS_STATUS_OK;
}
/**
* Start engine.
*
*/
int
engine_start(const char* cfgfile, int cmdline_verbosity, int daemonize,
int info, int single_run)
{
engine_type* engine = NULL;
ods_status zl_changed = ODS_STATUS_UNCHANGED;
ods_status status = ODS_STATUS_OK;
engine = engine_create();
if (!engine) {
ods_fatal_exit("[%s] create failed", engine_str);
return 1;
}
engine->daemonize = daemonize;
/* config */
engine->config = engine_config(cfgfile, cmdline_verbosity);
status = engine_config_check(engine->config);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] cfgfile %s has errors", engine_str, cfgfile);
goto earlyexit;
}
if (info) {
engine_config_print(stdout, engine->config); /* for debugging */
goto earlyexit;
}
/* check pidfile */
if (!util_check_pidfile(engine->config->pid_filename)) {
exit(1);
}
/* open log */
ods_log_init("ods-signerd", engine->config->use_syslog,
engine->config->log_filename, engine->config->verbosity);
/* setup */
status = engine_setup(engine);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup failed: %s", engine_str,
ods_status2str(status));
if (status != ODS_STATUS_WRITE_PIDFILE_ERR) {
/* command handler had not yet been started */
engine->cmdhandler_done = 1;
}
goto earlyexit;
}
/* run */
while (engine->need_to_exit == 0) {
/* update zone list */
lock_basic_lock(&engine->zonelist->zl_lock);
zl_changed = zonelist_update(engine->zonelist,
engine->config->zonelist_filename);
engine->zonelist->just_removed = 0;
engine->zonelist->just_added = 0;
engine->zonelist->just_updated = 0;
lock_basic_unlock(&engine->zonelist->zl_lock);
/* start/reload */
if (engine->need_to_reload) {
ods_log_info("[%s] signer reloading", engine_str);
fifoq_wipe(engine->signq);
engine->need_to_reload = 0;
} else {
ods_log_info("[%s] signer started (version %s), pid %u",
engine_str, PACKAGE_VERSION, engine->pid);
if (hsm_open2(engine->config->repositories, hsm_check_pin) != HSM_OK) {
char* error = hsm_get_error(NULL);
if (error != NULL) {
ods_log_error("[%s] %s", "hsm", error);
free(error);
}
ods_log_error("[%s] opening hsm failed (for engine recover)", engine_str);
break;
}
zl_changed = engine_recover(engine);
hsm_close();
}
if (zl_changed == ODS_STATUS_OK ||
zl_changed == ODS_STATUS_UNCHANGED) {
engine_update_zones(engine, zl_changed);
}
if (hsm_open2(engine->config->repositories, hsm_check_pin) != HSM_OK) {
char* error = hsm_get_error(NULL);
if (error != NULL) {
ods_log_error("[%s] %s", "hsm", error);
free(error);
}
ods_log_error("[%s] opening hsm failed (for engine run)", engine_str);
break;
}
engine_run(engine, single_run);
hsm_close();
}
/* shutdown */
ods_log_info("[%s] signer shutdown", engine_str);
engine_stop_cmdhandler(engine);
engine_stop_xfrhandler(engine);
engine_stop_dnshandler(engine);
earlyexit:
if (engine && engine->config) {
if (engine->config->pid_filename) {
(void)unlink(engine->config->pid_filename);
}
if (engine->config->clisock_filename) {
(void)unlink(engine->config->clisock_filename);
}
}
tsig_handler_cleanup();
engine_cleanup(engine);
engine = NULL;
return 1;
}
/**
* Process SOA.
*
*/
static ods_status
adapi_process_soa(zone_type* zone, ldns_rr* rr, int add, int backup)
{
uint32_t tmp = 0;
ldns_rdf* soa_rdata = NULL;
ods_status status = ODS_STATUS_OK;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
if (backup) {
/* no need to do processing */
return ODS_STATUS_OK;
}
if (zone->signconf->soa_ttl) {
tmp = (uint32_t) duration2time(zone->signconf->soa_ttl);
ods_log_verbose("[%s] zone %s set soa ttl to %u",
adapi_str, zone->name, tmp);
ldns_rr_set_ttl(rr, tmp);
}
if (zone->signconf->soa_min) {
tmp = (uint32_t) duration2time(zone->signconf->soa_min);
ods_log_verbose("[%s] zone %s set soa minimum to %u",
adapi_str, zone->name, tmp);
soa_rdata = ldns_rr_set_rdf(rr,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, tmp),
SE_SOA_RDATA_MINIMUM);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to %s soa to zone %s: failed to replace "
"soa minimum rdata", adapi_str, add?"add":"delete",
zone->name);
return ODS_STATUS_ASSERT_ERR;
}
}
if (!add) {
/* we are done */
return ODS_STATUS_OK;
}
tmp = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
status = namedb_update_serial(zone->db, zone->name,
zone->signconf->soa_serial, tmp);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to add soa to zone %s: failed to replace "
"soa serial rdata (%s)", adapi_str, zone->name,
ods_status2str(status));
if (status == ODS_STATUS_CONFLICT_ERR) {
ods_log_error("[%s] If this is the result of a key rollover, "
"please increment the serial in the unsigned zone %s",
adapi_str, zone->name);
}
return status;
}
ods_log_verbose("[%s] zone %s set soa serial to %u", adapi_str,
zone->name, zone->db->intserial);
soa_rdata = ldns_rr_set_rdf(rr, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
zone->db->intserial), SE_SOA_RDATA_SERIAL);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to add soa to zone %s: failed to replace "
"soa serial rdata", adapi_str, zone->name);
return ODS_STATUS_ERR;
}
zone->db->serial_updated = 1;
return ODS_STATUS_OK;
}
/**
* Perform task.
*
*/
static void
worker_perform_task(worker_type* worker)
{
engine_type* engine = NULL;
zone_type* zone = NULL;
task_type* task = NULL;
task_id what = TASK_NONE;
time_t when = 0;
time_t never = (3600*24*365);
ods_status status = ODS_STATUS_OK;
int backup = 0;
time_t start = 0;
time_t end = 0;
if (!worker || !worker->task || !worker->task->zone || !worker->engine) {
return;
}
engine = (engine_type*) worker->engine;
task = (task_type*) worker->task;
zone = (zone_type*) worker->task->zone;
ods_log_debug("[%s[%i]] perform task %s for zone %s at %u",
worker2str(worker->type), worker->thread_num, task_what2str(task->what),
task_who2str(task), (uint32_t) worker->clock_in);
/* do what you have been told to do */
switch (task->what) {
case TASK_SIGNCONF:
/* perform 'load signconf' task */
worker_working_with(worker, TASK_SIGNCONF, TASK_READ,
"configure", task_who2str(task), &what, &when);
status = tools_signconf(zone);
if (status == ODS_STATUS_UNCHANGED) {
if (!zone->signconf->last_modified) {
ods_log_debug("[%s[%i]] no signconf.xml for zone %s yet",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_ERR;
}
}
if (status == ODS_STATUS_UNCHANGED) {
if (task->halted != TASK_NONE && task->halted != TASK_SIGNCONF) {
goto task_perform_continue;
}
status = ODS_STATUS_OK;
} else if (status == ODS_STATUS_OK) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
} else {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* break; */
case TASK_READ:
/* perform 'read input adapter' task */
worker_working_with(worker, TASK_READ, TASK_SIGN,
"read", task_who2str(task), &what, &when);
task->what = TASK_READ;
if (!zone->signconf->last_modified) {
ods_log_debug("[%s[%i]] no signconf.xml for zone %s yet",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_ERR;
} else {
lhsm_check_connection((void*)engine);
status = tools_input(zone);
}
if (status == ODS_STATUS_UNCHANGED) {
ods_log_verbose("[%s[%i]] zone %s unsigned data not changed, "
"continue", worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_OK;
}
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* break; */
case TASK_SIGN:
/* perform 'sign' task */
worker_working_with(worker, TASK_SIGN, TASK_WRITE,
"sign", task_who2str(task), &what, &when);
task->what = TASK_SIGN;
status = zone_update_serial(zone);
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
ods_log_error("[%s[%i]] unable to sign zone %s: "
"failed to increment serial",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* start timer */
start = time(NULL);
if (zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
if (!zone->stats->start_time) {
zone->stats->start_time = start;
}
zone->stats->sig_count = 0;
zone->stats->sig_soa_count = 0;
zone->stats->sig_reuse = 0;
zone->stats->sig_time = 0;
lock_basic_unlock(&zone->stats->stats_lock);
}
/* check the HSM connection before queuing sign operations */
lhsm_check_connection((void*)engine);
/* queue menial, hard signing work */
worker_queue_zone(worker, engine->signq, zone);
ods_log_deeebug("[%s[%i]] wait until drudgers are finished "
"signing zone %s", worker2str(worker->type), worker->thread_num,
task_who2str(task));
/* sleep until work is done */
worker_sleep_unless(worker, 0);
/* stop timer */
end = time(NULL);
status = worker_check_jobs(worker, task);
worker_clear_jobs(worker);
if (status == ODS_STATUS_OK && zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
zone->stats->sig_time = (end-start);
lock_basic_unlock(&zone->stats->stats_lock);
}
if (status != ODS_STATUS_OK) {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
} else {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
}
/* break; */
case TASK_WRITE:
/* perform 'write to output adapter' task */
worker_working_with(worker, TASK_WRITE, TASK_SIGN,
"write", task_who2str(task), &what, &when);
task->what = TASK_WRITE;
status = tools_output(zone, engine);
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
/* clear signatures? */
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
zone->db->is_processed = 1;
if (zone->signconf &&
duration2time(zone->signconf->sig_resign_interval)) {
what = TASK_SIGN;
when = worker->clock_in +
duration2time(zone->signconf->sig_resign_interval);
} else {
ods_log_error("[%s[%i]] unable to retrieve resign interval "
"for zone %s: duration2time() failed",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
ods_log_info("[%s[%i]] defaulting to 1H resign interval for "
"zone %s", worker2str(worker->type), worker->thread_num,
task_who2str(task));
what = TASK_SIGN;
when = worker->clock_in + 3600;
}
backup = 1;
break;
case TASK_NONE:
worker->working_with = TASK_NONE;
/* no task */
ods_log_warning("[%s[%i]] none task for zone %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
when = time_now() + never;
break;
default:
worker->working_with = TASK_NONE;
/* unknown task */
ods_log_warning("[%s[%i]] unknown task, trying full sign zone %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
what = TASK_SIGNCONF;
when = time_now();
break;
}
/* no error */
task->backoff = 0;
if (task->interrupt != TASK_NONE && task->interrupt != what) {
ods_log_debug("[%s[%i]] interrupt task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(what), task_who2str(task));
task->halted = what;
task->halted_when = when;
task->what = task->interrupt;
task->when = time_now();
} else {
ods_log_debug("[%s[%i]] next task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(what), task_who2str(task));
task->what = what;
task->when = when;
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
task->halted_when = 0;
}
/* backup the last successful run */
if (backup) {
status = zone_backup2(zone);
if (status != ODS_STATUS_OK) {
ods_log_warning("[%s[%i]] unable to backup zone %s: %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task), ods_status2str(status));
/* just a warning */
status = ODS_STATUS_OK;
}
backup = 0;
}
return;
task_perform_fail:
if (status != ODS_STATUS_XFR_NOT_READY) {
/* other statuses is critical, and we know it is not ODS_STATUS_OK */
ods_log_crit("[%s[%i]] CRITICAL: failed to sign zone %s: %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task), ods_status2str(status));
}
/* in case of failure, also mark zone processed (for single run usage) */
zone->db->is_processed = 1;
if (task->backoff) {
task->backoff *= 2;
} else {
task->backoff = 60;
}
if (task->backoff > ODS_SE_MAX_BACKOFF) {
task->backoff = ODS_SE_MAX_BACKOFF;
}
ods_log_info("[%s[%i]] backoff task %s for zone %s with %u seconds",
worker2str(worker->type), worker->thread_num,
task_what2str(task->what), task_who2str(task), task->backoff);
task->when = time_now() + task->backoff;
return;
task_perform_continue:
ods_log_info("[%s[%i]] continue task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(task->halted), task_who2str(task));
task->what = task->halted;
task->when = task->halted_when;
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
task->halted_when = 0;
return;
}
/**
* Write zone to output adapter.
*
*/
ods_status
tools_output(zone_type* zone, engine_type* engine)
{
ods_status status = ODS_STATUS_OK;
ods_log_assert(engine);
ods_log_assert(engine->config);
ods_log_assert(zone);
ods_log_assert(zone->db);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
ods_log_assert(zone->adoutbound);
/* prepare */
if (zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
if (zone->stats->sort_done == 0 &&
(zone->stats->sig_count <= zone->stats->sig_soa_count)) {
ods_log_verbose("[%s] skip write zone %s serial %u (zone not "
"changed)", tools_str, zone->name?zone->name:"(null)",
zone->db->intserial);
stats_clear(zone->stats);
pthread_mutex_unlock(&zone->stats->stats_lock);
zone->db->intserial =
zone->db->outserial;
return ODS_STATUS_OK;
}
pthread_mutex_unlock(&zone->stats->stats_lock);
}
/* Output Adapter */
status = adapter_write((void*)zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to write zone %s: adapter failed (%s)",
tools_str, zone->name, ods_status2str(status));
return status;
}
zone->db->outserial = zone->db->intserial;
zone->db->is_initialized = 1;
zone->db->have_serial = 1;
pthread_mutex_lock(&zone->ixfr->ixfr_lock);
ixfr_purge(zone->ixfr, zone->name);
pthread_mutex_unlock(&zone->ixfr->ixfr_lock);
/* kick the nameserver */
if (zone->notify_ns) {
int pid_status;
pid_t pid, wpid;
ods_log_verbose("[%s] notify nameserver: %s", tools_str,
zone->notify_ns);
/** fork */
switch ((pid = fork())) {
case -1: /* error */
ods_log_error("[%s] notify nameserver failed: unable to fork "
"(%s)", tools_str, strerror(errno));
return ODS_STATUS_FORK_ERR;
case 0: /* child */
/** close fds */
ods_closeall(0);
/** execv */
execvp(zone->notify_ns, zone->notify_args);
/** error */
ods_log_error("[%s] notify nameserver failed: execv() failed "
"(%s)", tools_str, strerror(errno));
exit(1);
break;
default: /* parent */
ods_log_debug("[%s] notify nameserver process forked",
tools_str);
/** wait for completion */
while((wpid = waitpid(pid, &pid_status, 0)) <= 0) {
if (errno != EINTR) {
break;
}
}
if (wpid == -1) {
ods_log_error("[%s] notify nameserver failed: waitpid() "
"failed (%s)", tools_str, strerror(errno));
} else if (!WIFEXITED(pid_status)) {
ods_log_error("[%s] notify nameserver failed: notify "
"command did not terminate normally", tools_str);
} else {
ods_log_verbose("[%s] notify nameserver ok", tools_str);
}
break;
}
}
/* log stats */
if (zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
zone->stats->end_time = time(NULL);
ods_log_debug("[%s] log stats for zone %s serial %u", tools_str,
zone->name?zone->name:"(null)", (unsigned) zone->db->outserial);
stats_log(zone->stats, zone->name, zone->db->outserial,
zone->signconf->nsec_type);
stats_clear(zone->stats);
pthread_mutex_unlock(&zone->stats->stats_lock);
}
if (engine->dnshandler) {
ods_log_debug("[%s] forward a notify", tools_str);
dnshandler_fwd_notify(engine->dnshandler, (uint8_t*) ODS_SE_NOTIFY_CMD,
strlen(ODS_SE_NOTIFY_CMD));
}
return status;
}
/**
* Recover zone from backup.
*
*/
ods_status
zone_recover2(zone_type* zone)
{
char* filename = NULL;
FILE* fd = NULL;
const char* token = NULL;
time_t when = 0;
task_type* task = NULL;
ods_status status = ODS_STATUS_OK;
/* zone part */
int klass = 0;
uint32_t inbound = 0, internal = 0, outbound = 0;
/* signconf part */
time_t lastmod = 0;
/* nsec3params part */
const char* salt = NULL;
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
ods_log_assert(zone->db);
filename = ods_build_path(zone->name, ".backup2", 0, 1);
if (!filename) {
return ODS_STATUS_MALLOC_ERR;
}
fd = ods_fopen(filename, NULL, "r");
if (fd) {
/* start recovery */
if (!backup_read_check_str(fd, ODS_SE_FILE_MAGIC_V3)) {
ods_log_error("[%s] corrupted backup file zone %s: read magic "
"error", zone_str, zone->name);
goto recover_error2;
}
if (!backup_read_check_str(fd, ";;Time:") |
!backup_read_time_t(fd, &when)) {
ods_log_error("[%s] corrupted backup file zone %s: read time "
"error", zone_str, zone->name);
goto recover_error2;
}
/* zone stuff */
if (!backup_read_check_str(fd, ";;Zone:") |
!backup_read_check_str(fd, "name") |
!backup_read_check_str(fd, zone->name)) {
ods_log_error("[%s] corrupted backup file zone %s: read name "
"error", zone_str, zone->name);
goto recover_error2;
}
if (!backup_read_check_str(fd, "class") |
!backup_read_int(fd, &klass)) {
ods_log_error("[%s] corrupted backup file zone %s: read class "
"error", zone_str, zone->name);
goto recover_error2;
}
if (!backup_read_check_str(fd, "inbound") |
!backup_read_uint32_t(fd, &inbound) |
!backup_read_check_str(fd, "internal") |
!backup_read_uint32_t(fd, &internal) |
!backup_read_check_str(fd, "outbound") |
!backup_read_uint32_t(fd, &outbound)) {
ods_log_error("[%s] corrupted backup file zone %s: read serial "
"error", zone_str, zone->name);
goto recover_error2;
}
zone->klass = (ldns_rr_class) klass;
zone->db->inbserial = inbound;
zone->db->intserial = internal;
zone->db->outserial = outbound;
/* signconf part */
if (!backup_read_check_str(fd, ";;Signconf:") |
!backup_read_check_str(fd, "lastmod") |
!backup_read_time_t(fd, &lastmod) |
!backup_read_check_str(fd, "maxzonettl") |
!backup_read_check_str(fd, "0") |
!backup_read_check_str(fd, "resign") |
!backup_read_duration(fd, &zone->signconf->sig_resign_interval) |
!backup_read_check_str(fd, "refresh") |
!backup_read_duration(fd, &zone->signconf->sig_refresh_interval) |
!backup_read_check_str(fd, "valid") |
!backup_read_duration(fd, &zone->signconf->sig_validity_default) |
!backup_read_check_str(fd, "denial") |
!backup_read_duration(fd,&zone->signconf->sig_validity_denial) |
!backup_read_check_str(fd, "jitter") |
!backup_read_duration(fd, &zone->signconf->sig_jitter) |
!backup_read_check_str(fd, "offset") |
!backup_read_duration(fd, &zone->signconf->sig_inception_offset) |
!backup_read_check_str(fd, "nsec") |
!backup_read_rr_type(fd, &zone->signconf->nsec_type) |
!backup_read_check_str(fd, "dnskeyttl") |
!backup_read_duration(fd, &zone->signconf->dnskey_ttl) |
!backup_read_check_str(fd, "soattl") |
!backup_read_duration(fd, &zone->signconf->soa_ttl) |
!backup_read_check_str(fd, "soamin") |
!backup_read_duration(fd, &zone->signconf->soa_min) |
!backup_read_check_str(fd, "serial") |
!backup_read_str(fd, &zone->signconf->soa_serial)) {
ods_log_error("[%s] corrupted backup file zone %s: read signconf "
"error", zone_str, zone->name);
goto recover_error2;
}
/* nsec3params part */
if (zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC3) {
if (!backup_read_check_str(fd, ";;Nsec3parameters:") |
!backup_read_check_str(fd, "salt") |
!backup_read_str(fd, &salt) |
!backup_read_check_str(fd, "algorithm") |
!backup_read_uint32_t(fd, &zone->signconf->nsec3_algo) |
!backup_read_check_str(fd, "optout") |
!backup_read_int(fd, &zone->signconf->nsec3_optout) |
!backup_read_check_str(fd, "iterations") |
!backup_read_uint32_t(fd, &zone->signconf->nsec3_iterations)) {
ods_log_error("[%s] corrupted backup file zone %s: read "
"nsec3parameters error", zone_str, zone->name);
goto recover_error2;
}
zone->signconf->nsec3_salt = allocator_strdup(
zone->signconf->allocator, salt);
free((void*) salt);
salt = NULL;
zone->signconf->nsec3params = nsec3params_create(
(void*) zone->signconf,
(uint8_t) zone->signconf->nsec3_algo,
(uint8_t) zone->signconf->nsec3_optout,
(uint16_t) zone->signconf->nsec3_iterations,
zone->signconf->nsec3_salt);
if (!zone->signconf->nsec3params) {
ods_log_error("[%s] corrupted backup file zone %s: unable to "
"create nsec3param", zone_str, zone->name);
goto recover_error2;
}
}
zone->signconf->last_modified = lastmod;
zone->default_ttl = (uint32_t) duration2time(zone->signconf->soa_min);
/* keys part */
zone->signconf->keys = keylist_create((void*) zone->signconf);
while (backup_read_str(fd, &token)) {
if (ods_strcmp(token, ";;Key:") == 0) {
if (!key_recover2(fd, zone->signconf->keys)) {
ods_log_error("[%s] corrupted backup file zone %s: read "
"key error", zone_str, zone->name);
goto recover_error2;
}
} else if (ods_strcmp(token, ";;") == 0) {
/* keylist done */
free((void*) token);
token = NULL;
break;
} else {
/* keylist corrupted */
goto recover_error2;
}
free((void*) token);
token = NULL;
}
/* publish dnskeys */
status = zone_publish_dnskeys(zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] corrupted backup file zone %s: unable to "
"publish dnskeys (%s)", zone_str, zone->name,
ods_status2str(status));
goto recover_error2;
}
/* publish nsec3param */
status = zone_publish_nsec3param(zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] corrupted backup file zone %s: unable to "
"publish nsec3param (%s)", zone_str, zone->name,
ods_status2str(status));
goto recover_error2;
}
/* publish other records */
status = backup_read_namedb(fd, zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] corrupted backup file zone %s: unable to "
"read resource records (%s)", zone_str, zone->name,
ods_status2str(status));
goto recover_error2;
}
/* task */
task = task_create(TASK_SIGN, when, (void*) zone);
if (!task) {
ods_log_error("[%s] failed to restore zone %s: unable to "
"create task", zone_str, zone->name);
goto recover_error2;
}
zone->task = (void*) task;
free((void*)filename);
ods_fclose(fd);
/* journal */
zone->db->is_initialized = 1;
filename = ods_build_path(zone->name, ".ixfr", 0, 1);
if (filename) {
fd = ods_fopen(filename, NULL, "r");
}
if (fd) {
status = backup_read_ixfr(fd, zone);
if (status != ODS_STATUS_OK) {
ods_log_warning("[%s] corrupted journal file zone %s, "
"skipping (%s)", zone_str, zone->name,
ods_status2str(status));
ixfr_cleanup(zone->ixfr);
zone->ixfr = ixfr_create((void*)zone);
}
}
lock_basic_lock(&zone->ixfr->ixfr_lock);
ixfr_purge(zone->ixfr);
lock_basic_unlock(&zone->ixfr->ixfr_lock);
/* all ok */
free((void*)filename);
ods_fclose(fd);
if (zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
stats_clear(zone->stats);
lock_basic_unlock(&zone->stats->stats_lock);
}
return ODS_STATUS_OK;
}
return ODS_STATUS_UNCHANGED;
recover_error2:
free((void*)filename);
ods_fclose(fd);
/* signconf cleanup */
free((void*)salt);
salt = NULL;
signconf_cleanup(zone->signconf);
zone->signconf = signconf_create();
ods_log_assert(zone->signconf);
/* namedb cleanup */
namedb_cleanup(zone->db);
zone->db = namedb_create((void*)zone);
ods_log_assert(zone->db);
/* stats reset */
if (zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
stats_clear(zone->stats);
lock_basic_unlock(&zone->stats->stats_lock);
}
return ODS_STATUS_ERR;
}
/**
* Work.
*
*/
static void
worker_work(worker_type* worker)
{
time_t now = 0;
time_t timeout = 1;
engine_type* engine = NULL;
zone_type* zone = NULL;
ods_status status = ODS_STATUS_OK;
ods_log_assert(worker);
ods_log_assert(worker->type == WORKER_WORKER);
engine = (engine_type*) worker->engine;
while (worker->need_to_exit == 0) {
ods_log_debug("[%s[%i]] report for duty", worker2str(worker->type),
worker->thread_num);
now = time_now();
lock_basic_lock(&engine->taskq->schedule_lock);
worker->task = schedule_pop_task(engine->taskq);
if (worker->task) {
worker->working_with = worker->task->what;
lock_basic_unlock(&engine->taskq->schedule_lock);
zone = (zone_type*) worker->task->zone;
lock_basic_lock(&zone->zone_lock);
ods_log_debug("[%s[%i]] start working on zone %s",
worker2str(worker->type), worker->thread_num, zone->name);
worker->clock_in = time(NULL);
worker_perform_task(worker);
zone->task = worker->task;
ods_log_debug("[%s[%i]] finished working on zone %s",
worker2str(worker->type), worker->thread_num, zone->name);
lock_basic_lock(&engine->taskq->schedule_lock);
worker->task = NULL;
worker->working_with = TASK_NONE;
status = schedule_task(engine->taskq, zone->task, 1);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s[%i]] unable to schedule task for zone %s: "
"%s", worker2str(worker->type), worker->thread_num,
zone->name, ods_status2str(status));
}
lock_basic_unlock(&engine->taskq->schedule_lock);
lock_basic_unlock(&zone->zone_lock);
timeout = 1;
/** Do we need to tell the engine that we require a reload? */
lock_basic_lock(&engine->signal_lock);
if (engine->need_to_reload) {
lock_basic_alarm(&engine->signal_cond);
}
lock_basic_unlock(&engine->signal_lock);
} else {
ods_log_debug("[%s[%i]] nothing to do", worker2str(worker->type),
worker->thread_num);
worker->task = schedule_get_first_task(engine->taskq);
lock_basic_unlock(&engine->taskq->schedule_lock);
if (worker->task && !engine->taskq->loading) {
timeout = (worker->task->when - now);
} else {
timeout *= 2;
}
if (timeout > ODS_SE_MAX_BACKOFF) {
timeout = ODS_SE_MAX_BACKOFF;
}
worker->task = NULL;
worker_sleep(worker, timeout);
}
}
return;
}
/**
* Read zone from input adapter.
*
*/
ods_status
tools_input(zone_type* zone)
{
ods_status status = ODS_STATUS_OK;
time_t start = 0;
time_t end = 0;
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->adinbound);
ods_log_assert(zone->signconf);
/* Key Rollover? */
status = zone_publish_dnskeys(zone, 0);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to read zone %s: failed to "
"publish dnskeys (%s)", tools_str, zone->name,
ods_status2str(status));
zone_rollback_dnskeys(zone);
zone_rollback_nsec3param(zone);
namedb_rollback(zone->db, 0);
return status;
}
/* Denial of Existence Rollover? */
if (!zone->signconf->passthrough)
status = zone_publish_nsec3param(zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to read zone %s: failed to "
"publish nsec3param (%s)", tools_str, zone->name,
ods_status2str(status));
zone_rollback_dnskeys(zone);
zone_rollback_nsec3param(zone);
namedb_rollback(zone->db, 0);
return status;
}
if (zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
zone->stats->sort_done = 0;
zone->stats->sort_count = 0;
zone->stats->sort_time = 0;
pthread_mutex_unlock(&zone->stats->stats_lock);
}
/* Input Adapter */
start = time(NULL);
status = adapter_read((void*)zone);
if (status != ODS_STATUS_OK && status != ODS_STATUS_UNCHANGED) {
if (status == ODS_STATUS_XFRINCOMPLETE) {
ods_log_info("[%s] read zone %s: xfr in progress",
tools_str, zone->name);
} else {
ods_log_error("[%s] unable to read zone %s: adapter failed (%s)",
tools_str, zone->name, ods_status2str(status));
}
zone_rollback_dnskeys(zone);
zone_rollback_nsec3param(zone);
namedb_rollback(zone->db, 0);
}
end = time(NULL);
if ((status == ODS_STATUS_OK || status == ODS_STATUS_UNCHANGED)
&& zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
zone->stats->start_time = start;
zone->stats->sort_time = (end-start);
zone->stats->sort_done = 1;
pthread_mutex_unlock(&zone->stats->stats_lock);
}
return status;
}
