bool
nsec_update_label_record(zdb_rr_label *label, nsec_node *node, nsec_node *next_node, u8 *name, u32 ttl)
{
type_bit_maps_context tbmctx;
u8 tmp_bitmap[256 * (1 + 1 + 32)]; /* 'max window count' * 'max window length' */
u32 tbm_size = type_bit_maps_initialize(&tbmctx, label, TRUE, TRUE);
type_bit_maps_write(tmp_bitmap, &tbmctx);
/*
* Get the NSEC record
*/
zdb_packed_ttlrdata *nsec_record;
if((nsec_record = zdb_record_find(&label->resource_record_set, TYPE_NSEC)) != NULL)
{
/*
* has record -> compare the type and the nsec next
* if something does not match remove the record and its signature (no record)
*
*/
log_debug("nsec_update_label_record: [%{dnsname}] %{dnsname} (=> %{dnsname}) updating record.", name, node->inverse_relative_name, next_node->inverse_relative_name);
/*
* If there is more than one record, clean-up
*/
if(nsec_record->next == NULL)
{
u8* rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
u16 size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_record);
u16 dname_len = dnsname_len(rdata);
if(dname_len < size)
{
u8* type_bitmap = &rdata[dname_len];
/*
* check the type bitmap
*/
if(memcmp(tmp_bitmap, type_bitmap, size - dname_len) == 0)
{
/*
* check the nsec next
*/
if(dnsname_equals(rdata, name))
{
/* All good */
return FALSE;
}
}
}
}
if(zdb_listener_notify_enabled())
{
zdb_packed_ttlrdata *nsec_rec = nsec_record;
do
{
zdb_ttlrdata unpacked_ttlrdata;
unpacked_ttlrdata.ttl = nsec_rec->ttl;
unpacked_ttlrdata.rdata_size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_rec);
unpacked_ttlrdata.rdata_pointer = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_rec);
zdb_listener_notify_remove_record(name, TYPE_NSEC, &unpacked_ttlrdata);
nsec_rec = nsec_rec->next;
}
while(nsec_rec != NULL);
}
zdb_record_delete(&label->resource_record_set, TYPE_NSEC);
rrsig_delete(name, label, TYPE_NSEC);
nsec_record = NULL;
}
/*
* no record -> create one and schedule a signature
*/
if(nsec_record == NULL)
{
zdb_packed_ttlrdata *nsec_record;
u8 next_name[256];
log_debug("nsec_update_label_record: [%{dnsname}] %{dnsname} (=> %{dnsname}) building new record.", name, node->inverse_relative_name, next_node->inverse_relative_name);
u16 dname_len = nsec_inverse_name(next_name, next_node->inverse_relative_name);
u16 rdata_size = dname_len + tbm_size;
ZDB_RECORD_ZALLOC_EMPTY(nsec_record, ttl, rdata_size);
u8* rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
memcpy(rdata, next_name, dname_len);
rdata += dname_len;
memcpy(rdata, tmp_bitmap, tbm_size);
zdb_record_insert(&label->resource_record_set, TYPE_NSEC, nsec_record);
if(zdb_listener_notify_enabled())
{
dnsname_vector name_path;
zdb_ttlrdata unpacked_ttlrdata;
unpacked_ttlrdata.ttl = ttl;
unpacked_ttlrdata.rdata_size = rdata_size;
unpacked_ttlrdata.rdata_pointer = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
dnsname_to_dnsname_vector(name, &name_path);
zdb_listener_notify_add_record(name_path.labels, name_path.size, TYPE_NSEC, &unpacked_ttlrdata);
}
/*
* Schedule a signature
*/
}
label->flags |= ZDB_RR_LABEL_NSEC;
return TRUE;
}
ya_result
nsec_update_zone(zdb_zone *zone)
{
nsec_node *nsec_tree = NULL;
soa_rdata soa;
u8 name[MAX_DOMAIN_LENGTH];
u8 inverse_name[MAX_DOMAIN_LENGTH];
u8 tmp_bitmap[256 * (1 + 1 + 32)]; /* 'max window count' * 'max window length' */
ya_result return_code;
if(FAIL(return_code = zdb_zone_getsoa(zone, &soa)))
{
return return_code;
}
zdb_zone_label_iterator label_iterator;
zdb_zone_label_iterator_init(zone, &label_iterator);
while(zdb_zone_label_iterator_hasnext(&label_iterator))
{
zdb_zone_label_iterator_nextname(&label_iterator, name);
zdb_rr_label* label = zdb_zone_label_iterator_next(&label_iterator);
if(zdb_rr_label_is_glue(label) || (label->resource_record_set == NULL))
{
continue;
}
nsec_inverse_name(inverse_name, name);
nsec_node *node = nsec_avl_insert(&nsec_tree, inverse_name);
node->label = label;
label->nsec.nsec.node = node;
}
/*
* Now that we have the NSEC chain
*/
nsec_node *first_node;
nsec_node *node;
type_bit_maps_context tbmctx;
nsec_avl_iterator nsec_iter;
nsec_avl_iterator_init(&nsec_tree, &nsec_iter);
if(nsec_avl_iterator_hasnext(&nsec_iter))
{
first_node = nsec_avl_iterator_next_node(&nsec_iter);
node = first_node;
do
{
nsec_node *next_node;
nsec_update_zone_count++;
if(nsec_avl_iterator_hasnext(&nsec_iter))
{
next_node = nsec_avl_iterator_next_node(&nsec_iter);
}
else
{
next_node = first_node;
}
/*
* Compute the type bitmap
*/
zdb_rr_label *label = node->label;
u32 tbm_size = type_bit_maps_initialize(&tbmctx, label, TRUE, TRUE);
type_bit_maps_write(tmp_bitmap, &tbmctx);
nsec_inverse_name(name, next_node->inverse_relative_name);
/*
* Get the NSEC record
*/
zdb_packed_ttlrdata *nsec_record;
if((nsec_record = zdb_record_find(&label->resource_record_set, TYPE_NSEC)) != NULL)
{
/*
* has record -> compare the type and the nsec next
* if something does not match remove the record and its signature (no record)
*
*/
if(nsec_record->next == NULL)
{
u8* rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
u16 size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_record);
u16 dname_len = dnsname_len(rdata);
if(dname_len < size)
{
u8* type_bitmap = &rdata[dname_len];
/*
* check the type bitmap
*/
if(memcmp(tmp_bitmap, type_bitmap, size - dname_len) == 0)
{
/*
* check the nsec next
*/
if(dnsname_equals(rdata, name))
{
/* All good */
label->flags |= ZDB_RR_LABEL_NSEC;
node = next_node;
continue;
}
}
}
}
if(zdb_listener_notify_enabled())
{
zdb_packed_ttlrdata *nsec_rec = nsec_record;
do
{
zdb_ttlrdata unpacked_ttlrdata;
unpacked_ttlrdata.ttl = nsec_rec->ttl;
unpacked_ttlrdata.rdata_size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_rec);
unpacked_ttlrdata.rdata_pointer = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_rec);
zdb_listener_notify_remove_record(name, TYPE_NSEC, &unpacked_ttlrdata);
nsec_rec = nsec_rec->next;
}
while(nsec_rec != NULL);
}
zdb_record_delete(&label->resource_record_set, TYPE_NSEC);
rrsig_delete(name, label, TYPE_NSEC);
nsec_record = NULL;
}
/*
* no record -> create one and schedule a signature
*/
if(nsec_record == NULL)
{
zdb_packed_ttlrdata *nsec_record;
u16 dname_len = nsec_inverse_name(name, next_node->inverse_relative_name);
u16 rdata_size = dname_len + tbm_size;
ZDB_RECORD_ZALLOC_EMPTY(nsec_record, soa.minimum, rdata_size);
u8* rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
memcpy(rdata, name, dname_len);
rdata += dname_len;
memcpy(rdata, tmp_bitmap, tbm_size);
zdb_record_insert(&label->resource_record_set, TYPE_NSEC, nsec_record);
/*
* Schedule a signature
*/
}
label->flags |= ZDB_RR_LABEL_NSEC;
node = next_node;
}
while(node != first_node);
}
zone->nsec.nsec = nsec_tree;
return SUCCESS;
}
ya_result
xfr_input_stream_init(input_stream* filtering_stream, const u8 *origin, input_stream *xfr_source_stream, message_data *message, u32 current_serial, xfr_copy_flags flags)
{
yassert(filtering_stream != NULL && origin != NULL && xfr_source_stream != NULL && message != NULL);
input_stream *is = xfr_source_stream;
packet_unpack_reader_data reader;
u8 *buffer;
u8 *record;
u8 *ptr;
#if DNSCORE_HAS_TSIG_SUPPORT
const tsig_item *tsig;
#endif
ya_result record_len;
ya_result return_value;
u32 origin_len;
u32 last_serial = 0;
u16 tcplen;
u16 qtype;
u16 qclass;
u16 old_mac_size;
bool last_message_had_tsig;
bool need_cleanup_tsig = FALSE;
#if DNSCORE_HAS_TSIG_SUPPORT
u8 old_mac[64];
#endif
/*
* ensure the stream will be unusable if the initialisation fails
*/
input_stream_set_void(filtering_stream);
/*
* Start by reading the first packet, and determine if it's an AXFR or an IXFR (for the name)
* note: it's read and converted to the host endianness
*/
if(!is_fd_input_stream(is))
{
// expected file input stream
return INVALID_ARGUMENT_ERROR;
}
//buffer_input_stream_init(is, is, 4096);
/* TCP length */
if(FAIL(return_value = input_stream_read_nu16(is, &tcplen)))
{
return return_value;
}
if(return_value != 2)
{
return UNEXPECTED_EOF;
}
/* if the length is not enough, return the most appropriate error code */
origin_len = dnsname_len(origin);
if(tcplen < DNS_HEADER_LENGTH + origin_len + 4)
{
return_value = UNEXPECTED_EOF;
if(tcplen >= DNS_HEADER_LENGTH)
{
if(ISOK(return_value = input_stream_read_fully(is, message->pool_buffer, DNS_HEADER_LENGTH)))
{
return_value = MAKE_DNSMSG_ERROR(MESSAGE_RCODE(message->pool_buffer));
}
}
return return_value;
}
/* read the whole message */
buffer = &message->buffer[0];
record = &message->pool_buffer[0];
assert(sizeof(message->pool_buffer) >= 255 + 10 + 65535);
if(FAIL(return_value = input_stream_read_fully(is, buffer, tcplen)))
{
return return_value;
}
#if DEBUG_XFR_INPUT_STREAM
log_memdump(g_system_logger, MSG_DEBUG1, &message->buffer[0], tcplen, 32);
#endif
message->received = return_value;
/* check the message makes sense */
const u64 *h64 = (u64*)buffer;
u64 m64 = AXFR_MESSAGE_HEADER_MASK;
u64 r64 = AXFR_MESSAGE_HEADER_RESULT;
if(((*h64&m64) != r64) || (MESSAGE_NS(message->buffer) != 0))
{
u8 code = MESSAGE_RCODE(message->buffer);
if(code != 0)
{
return_value = MAKE_DNSMSG_ERROR(code);
}
else
{
return_value = UNPROCESSABLE_MESSAGE;
}
return return_value;
}
//m64 = AXFR_NEXT_MESSAGE_HEADER_MASK;
//r64 = AXFR_NEXT_MESSAGE_HEADER_RESULT;
packet_reader_init(&reader, buffer, tcplen);
reader.offset = DNS_HEADER_LENGTH;
packet_reader_read_fqdn(&reader, record, RDATA_MAX_LENGTH + 1);
if(!dnsname_equals(record, origin))
{
return INVALID_PROTOCOL;
}
if(FAIL(return_value = packet_reader_read_u16(&reader, &qtype)))
{
return return_value;
}
if(return_value != 2)
{
return UNEXPECTED_EOF;
}
/*
* check that we are allowed to process this particular kind of transfer
* note : this does not determine what is REALLY begin transferred
*/
switch(qtype)
{
case TYPE_AXFR:
{
if((flags & XFR_ALLOW_AXFR) == 0)
{
return INVALID_PROTOCOL;
}
break;
}
case TYPE_IXFR:
{
if((flags & XFR_ALLOW_IXFR) == 0)
{
return INVALID_PROTOCOL;
}
break;
}
default:
{
return INVALID_PROTOCOL;
}
}
if(FAIL(return_value = packet_reader_read_u16(&reader, &qclass)))
{
return return_value;
}
if(qclass != CLASS_IN)
{
/** wrong answer */
return INVALID_PROTOCOL;
}
/* check for TSIG and verify */
u16 ancount = ntohs(MESSAGE_AN(buffer));
#if DNSCORE_HAS_TSIG_SUPPORT
if((last_message_had_tsig = ((tsig = message->tsig.tsig) != NULL)))
{
/* verify the TSIG
*
* AR > 0
* skip ALL the records until the last AR
* it MUST be a TSIG
* It's the first TSIG answering to our query
* verify it
*
*/
message->tsig.tsig = NULL;
old_mac_size = message->tsig.mac_size;
memcpy(old_mac, message->tsig.mac, old_mac_size);
if(FAIL(return_value = tsig_message_extract(message)))
{
log_debug("xfr_input_stream: error extracting the signature");
return return_value;
}
if(return_value == 0)
{
log_debug("xfr_input_stream: no signature when one was requested");
return TSIG_BADSIG; /* no signature, when one was requested, is a bad signature */
}
if(message->tsig.tsig != tsig)
{
/* This is not the one we started with */
log_debug("xfr_input_stream: signature key does not match");
return TSIG_BADSIG;
}
/// check that the tsig in the message matches the one that was sent
if(FAIL(return_value = tsig_verify_tcp_first_message(message, old_mac, old_mac_size)))
{
return return_value;
}
reader.packet_size = message->received;
need_cleanup_tsig = TRUE;
}
#endif
log_debug("xfr_input_stream: expecting %5d answer records", ancount);
/*
* read the SOA (it MUST be an SOA)
*/
if(FAIL(record_len = packet_reader_read_record(&reader, record, RDATA_MAX_LENGTH + 1)))
{
return record_len;
}
if(!dnsname_equals(record, origin))
{
return INVALID_PROTOCOL;
}
ptr = &record[origin_len];
if(GET_U16_AT(*ptr) != TYPE_SOA)
{
return INVALID_PROTOCOL;
}
ptr += 8; /* type class ttl */
u16 rdata_size = ntohs(GET_U16_AT(*ptr));
if(rdata_size < 22)
{
return INVALID_PROTOCOL;
}
rdata_size -= 16;
ptr += 2; /* rdata size */
s32 len = dnsname_len(ptr);
if(len >= rdata_size)
{
return INVALID_PROTOCOL;
}
rdata_size -= len;
ptr += len;
len = dnsname_len(ptr);
if(len >= rdata_size)
{
return INVALID_PROTOCOL;
}
rdata_size -= len;
if(rdata_size != 4)
{
return INVALID_PROTOCOL;
}
ptr += len;
// if the serial of the SOA is the same one as we know, then there is no
// need to download the zone
last_serial = ntohl(GET_U32_AT(*ptr));
if(last_serial == current_serial)
{
//args->out_loaded_serial = args->current_serial;
return ZONE_ALREADY_UP_TO_DATE;
}
xfr_input_stream_data *data;
ZALLOC_OR_DIE(xfr_input_stream_data*, data, xfr_input_stream_data, XFRISDTA_TAG);
ZEROMEMORY(data, sizeof(xfr_input_stream_data));
/*
* We have got the first SOA
* Next time we find this SOA (second next time for IXFR) the stream, it will be the end of the stream
*/
/*
* The stream can be AXFR or IXFR.
* The only way to know this is to look at the records, maybe on many packets.
* If there are two SOA (different serial numbers) for the start, then it's an IXFR, else it's an AXFR.
*
* OPEN A PIPE STREAM "XFRs"
*
* Save the first SOA
*/
MALLOC_OR_DIE(u8*, data->first_soa_record, record_len, XFRISSOA_TAG);
MEMCOPY(data->first_soa_record, record, record_len);
data->first_soa_record_size = record_len;
filtering_stream->vtbl = &xfr_input_stream_vtbl;
filtering_stream->data = data;
pipe_stream_init(&data->pipe_stream_output, &data->pipe_stream_input, 65536);
MEMCOPY(&data->reader, &reader, sizeof(packet_unpack_reader_data));
data->origin = origin;
data->message = message;
data->ancount = ancount - 1;
data->record_index++;
data->last_serial = last_serial;
data->xfr_mode = TYPE_ANY;
data->ixfr_mark = FALSE;
data->last_message_had_tsig = last_message_had_tsig;
data->source_stream = *is;
data->need_cleanup_tsig = need_cleanup_tsig;
/*
* Then we read all records for all packets
* If we find an SOA ...
* AXFR: it has to be the last serial and it is the end of the stream.
* IXFR: if it's not the last serial it has to go from step to step
* AND once we have reached the "last serial" once, the next hit is the end of the stream.
*/
data->eos = FALSE;
/*
* In order to know what the type is, read the first packet.
*/
return_value = xfr_input_stream_read_packet(data);
if(FAIL(return_value))
{
xfr_input_stream_close(filtering_stream);
}
return return_value;
}
ya_result
nsec_update_zone(zdb_zone *zone, bool read_only) // read_only a.k.a slave
{
nsec_node *nsec_tree = NULL;
nsec_node *first_node;
nsec_node *node;
u8 *prev_name;
u8 *name;
soa_rdata soa;
u32 missing_nsec_records = 0;
u32 sibling_count = 0;
u32 nsec_under_delegation = 0;
ya_result return_code;
u8 name_buffer[2][MAX_DOMAIN_LENGTH];
u8 inverse_name[MAX_DOMAIN_LENGTH];
u8 tmp_bitmap[256 * (1 + 1 + 32)]; /* 'max window count' * 'max window length' */
yassert(zdb_zone_islocked_weak(zone));
if(FAIL(return_code = zdb_zone_getsoa(zone, &soa))) // zone is locked (weak)
{
return return_code;
}
#ifdef DEBUG
memset(name_buffer, 0xde, sizeof(name_buffer));
#endif
name = name_buffer[0];
prev_name = name_buffer[1];
zdb_zone_label_iterator label_iterator;
zdb_zone_label_iterator_init(&label_iterator, zone);
while(zdb_zone_label_iterator_hasnext(&label_iterator))
{
zdb_zone_label_iterator_nextname(&label_iterator, name);
zdb_rr_label* label = zdb_zone_label_iterator_next(&label_iterator);
if(zdb_rr_label_is_glue(label) || (label->resource_record_set == NULL))
{
// we are under a delegation or on an empty (non-terminal)
// there should not be an NSEC record here
zdb_packed_ttlrdata *nsec_record;
if((nsec_record = zdb_record_find(&label->resource_record_set, TYPE_NSEC)) != NULL) // zone is locked
{
nsec_under_delegation++;
log_err("nsec: %{dnsname}: unexpected NSEC record under a delegation", name);
}
continue;
}
nsec_inverse_name(inverse_name, name);
nsec_node *node = nsec_avl_insert(&nsec_tree, inverse_name);
node->label = label;
label->nsec.nsec.node = node;
}
/*
* Now that we have the NSEC chain
*/
type_bit_maps_context tbmctx;
nsec_avl_iterator nsec_iter;
nsec_avl_iterator_init(&nsec_tree, &nsec_iter);
if(nsec_avl_iterator_hasnext(&nsec_iter))
{
first_node = nsec_avl_iterator_next_node(&nsec_iter);
node = first_node;
do
{
nsec_node *next_node;
nsec_update_zone_count++;
if(nsec_avl_iterator_hasnext(&nsec_iter))
{
next_node = nsec_avl_iterator_next_node(&nsec_iter);
}
else
{
next_node = first_node;
}
/*
* Compute the type bitmap
*/
zdb_rr_label *label = node->label;
if(label == NULL)
{
node = next_node;
continue;
}
u32 tbm_size = type_bit_maps_initialise_from_label(&tbmctx, label, TRUE, TRUE);
type_bit_maps_write(&tbmctx, tmp_bitmap);
u8 *tmp_name = prev_name;
prev_name = name;
name = tmp_name;
nsec_inverse_name(name, next_node->inverse_relative_name);
/*
* Get the NSEC record
*/
zdb_packed_ttlrdata *nsec_record;
if((nsec_record = zdb_record_find(&label->resource_record_set, TYPE_NSEC)) != NULL) // zone is locked
{
/*
* has record -> compare the type and the nsec next
* if something does not match remove the record and its signature (no record)
*
*/
if(nsec_record->next == NULL) // should only be one record => delete all if not the case (the rrsig is lost anyway)
{
const u8 *rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
const u16 size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_record);
const u16 dname_len = dnsname_len(rdata);
if(dname_len < size)
{
const u8 *type_bitmap = &rdata[dname_len];
/*
* check the type bitmap
*/
if(memcmp(tmp_bitmap, type_bitmap, size - dname_len) == 0)
{
/*
* check the nsec next
*/
if(dnsname_equals(rdata, name))
{
/* All good */
label->flags |= ZDB_RR_LABEL_NSEC;
node = next_node;
continue;
}
else // else the "next fqdn" do not match (this is irrecoverable for a slave)
{
rdata_desc nsec_desc = {TYPE_NSEC, size, rdata};
log_debug("nsec: %{dnsname}: src: %{dnsname} %{typerdatadesc} next field do not match expected value (%{dnsname})", zone->origin, prev_name, &nsec_desc, name);
}
}
else // else the type bitmap do not match (this is wrong)
{
rdata_desc nsec_desc = {TYPE_NSEC, size, rdata};
log_debug("nsec: %{dnsname}: src: %{dnsname} %{typerdatadesc} types map do not match expected value", zone->origin, prev_name, &nsec_desc);
}
}
else // else the "next fqdn" do not match (early test, this is irrecoverable for a slave)
{
rdata_desc nsec_desc = {TYPE_NSEC, size, rdata};
log_debug("nsec: %{dnsname}: src: %{dnsname} %{typerdatadesc} next field do not match expected value (%{dnsname})", zone->origin, prev_name, &nsec_desc, name);
}
}
else
{
sibling_count++;
log_warn("nsec: %{dnsname}: %{dnsname}: multiple NSEC records where only one is expected", zone->origin, prev_name);
}
// wrong NSEC RRSET
zdb_packed_ttlrdata *nsec_rec = nsec_record;
do
{
zdb_ttlrdata unpacked_ttlrdata;
unpacked_ttlrdata.ttl = nsec_rec->ttl;
unpacked_ttlrdata.rdata_size = ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_rec);
unpacked_ttlrdata.rdata_pointer = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_rec);
rdata_desc nsec_desc = {TYPE_NSEC, unpacked_ttlrdata.rdata_size, unpacked_ttlrdata.rdata_pointer};
if(!read_only)
{
log_warn("nsec: %{dnsname}: del: %{dnsname} %{typerdatadesc}", zone->origin, prev_name, &nsec_desc);
#if ZDB_CHANGE_FEEDBACK_SUPPORT
zdb_listener_notify_remove_record(zone, name, TYPE_NSEC, &unpacked_ttlrdata);
#endif
}
else
{
log_err("nsec: %{dnsname}: got: %{dnsname} %{typerdatadesc}", zone->origin, prev_name, &nsec_desc);
}
nsec_rec = nsec_rec->next;
}
while(nsec_rec != NULL);
if(!read_only)
{
zdb_record_delete(&label->resource_record_set, TYPE_NSEC);
rrsig_delete(zone, name, label, TYPE_NSEC);
nsec_record = NULL;
}
}
/*
* no record -> create one and schedule a signature (MASTER ONLY)
*/
if(nsec_record == NULL)
{
missing_nsec_records++;
zdb_packed_ttlrdata *nsec_record;
u16 dname_len = nsec_inverse_name(name, next_node->inverse_relative_name);
u16 rdata_size = dname_len + tbm_size;
ZDB_RECORD_ZALLOC_EMPTY(nsec_record, soa.minimum, rdata_size);
u8* rdata = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
memcpy(rdata, name, dname_len);
rdata += dname_len;
memcpy(rdata, tmp_bitmap, tbm_size);
rdata_desc nsec_desc = {TYPE_NSEC, ZDB_PACKEDRECORD_PTR_RDATASIZE(nsec_record), ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record)};
if(!read_only)
{
zdb_record_insert(&label->resource_record_set, TYPE_NSEC, nsec_record);
#ifdef DEBUG
log_debug("nsec: %{dnsname}: add: %{dnsname} %{typerdatadesc}", zone->origin, prev_name, &nsec_desc);
#endif
#if ZDB_CHANGE_FEEDBACK_SUPPORT
if(zdb_listener_notify_enabled())
{
dnsname_vector name_path;
zdb_ttlrdata unpacked_ttlrdata;
unpacked_ttlrdata.ttl = nsec_record->ttl;
unpacked_ttlrdata.rdata_size = rdata_size;
unpacked_ttlrdata.rdata_pointer = ZDB_PACKEDRECORD_PTR_RDATAPTR(nsec_record);
dnsname_to_dnsname_vector(name, &name_path);
zdb_listener_notify_add_record(zone, name_path.labels, name_path.size, TYPE_NSEC, &unpacked_ttlrdata);
}
#endif
/*
* Schedule a signature
*/
}
else
{
log_warn("nsec: %{dnsname}: need: %{dnsname} %{typerdatadesc}", zone->origin, prev_name, &nsec_desc);
ZDB_RECORD_ZFREE(nsec_record);
}
}
label->flags |= ZDB_RR_LABEL_NSEC;
node = next_node;
}
while(node != first_node);
}
zone->nsec.nsec = nsec_tree;
if(read_only)
{
if(missing_nsec_records + sibling_count + nsec_under_delegation)
{
log_err("nsec: missing records: %u, nsec with siblings: %u, nsec under delegation: %u", missing_nsec_records, sibling_count, nsec_under_delegation);
//return DNSSEC_ERROR_NSEC_INVALIDZONESTATE;
}
}
else
{
if(missing_nsec_records + sibling_count + nsec_under_delegation)
{
log_warn("nsec: missing records: %u, nsec with siblings: %u, nsec under delegation: %u", missing_nsec_records, sibling_count, nsec_under_delegation);
}
}
return SUCCESS;
}
static ya_result
xfr_input_stream_read_packet(xfr_input_stream_data *data)
{
message_data *message = data->message;
packet_unpack_reader_data *reader = &data->reader;
u8 *record = &message->pool_buffer[0];
u32 record_len;
ya_result return_value = SUCCESS;
#if DEBUG_XFR_INPUT_STREAM
log_debug("xfr_input_stream_read_packet(%p) ancount=%hd record_index=%u", data, data->ancount, data->record_index);
#endif
while((data->ancount > 0) && (pipe_stream_write_available(&data->pipe_stream_output) > 2048 ))
{
--data->ancount;
if(FAIL(record_len = packet_reader_read_record(reader, record, RDATA_MAX_LENGTH + 1)))
{
if(record_len != UNSUPPORTED_TYPE)
{
data->eos = TRUE;
return_value = record_len;
break;
}
log_err("xfr_input_stream: skipped unsupported record #%d %{recordwire}", data->record_index, record);
data->record_index++;
continue;
}
#if DEBUG_XFR_INPUT_STREAM
log_debug("xfr_input_stream: #%u %{recordwire}", data->record_index, record);
#endif
u8 *ptr = record + dnsname_len(record);
u16 rtype = GET_U16_AT(*ptr);
switch(rtype)
{
case TYPE_SOA:
{
/* handle SOA case */
if(!dnsname_equals(record, data->origin))
{
data->eos = TRUE;
return_value = ERROR; // OWNER OF SOA RECORD SHOULD BE ORIGIN (protocol error)
return return_value;
}
ptr += 10; /* type class ttl rdata_size */
ptr += dnsname_len(ptr);
ptr += dnsname_len(ptr);
u32 soa_serial = ntohl(GET_U32_AT(*ptr));
if(data->xfr_mode == TYPE_ANY)
{
if(data->record_index == 1)
{
/*
* This is an IXFR, the first record is not sent up
*/
data->xfr_mode = TYPE_IXFR;
}
else
{
output_stream_write(&data->pipe_stream_output, data->first_soa_record, data->first_soa_record_size);
data->xfr_mode = TYPE_AXFR;
}
}
if(soa_serial == data->last_serial)
{
// the SOA serial has the same value as the last record we expect
// if it's an AXFR or this is the second time it happens on an IXFR, then it's then end of the stream
if(data->xfr_mode == TYPE_AXFR || ((data->xfr_mode == TYPE_IXFR) && data->ixfr_mark))
{
return_value = SUCCESS;
/*
* The last record of an AXFR must be written,
* the last record of an IXFR must not.
*/
if(data->xfr_mode == TYPE_AXFR)
{
#if DEBUG_XFR_INPUT_STREAM
log_debug("xfr_input_stream: #%u %{recordwire} ; (AXFR END)", data->record_index, record);
#endif
return_value = output_stream_write(&data->pipe_stream_output, record, record_len);
}
#if DEBUG_XFR_INPUT_STREAM
else
{
log_debug("xfr_input_stream: #%u %{recordwire} ; (IXFR END)", data->record_index, record);
}
#endif
// done
data->eos = TRUE;
return return_value; // reached the end
}
// IXFR needs to find the mark twice
#if DEBUG_XFR_INPUT_STREAM
log_debug("xfr_input_stream: #%u %{recordwire} ; (IXFR LAST)", data->record_index, record);
#endif
data->ixfr_mark = TRUE;
}
break;
}
case TYPE_IXFR:
case TYPE_AXFR:
case TYPE_OPT:
case TYPE_ANY:
return INVALID_PROTOCOL;
default:
if(data->record_index == 1)
{
// special case to detect an AXFR returned by an IXFR query
if(data->xfr_mode == TYPE_ANY)
{
data->xfr_mode = TYPE_AXFR;
if(FAIL(return_value = output_stream_write(&data->pipe_stream_output, data->first_soa_record, data->first_soa_record_size)))
{
return return_value;
}
}
else
{
return_value = ERROR;
return return_value; // invalid status
}
}
break;
}
#if DEBUG_XFR_INPUT_STREAM
log_debug("xfr_input_stream: >%u %{recordwire}", data->record_index, record);
#endif
if(FAIL(return_value = output_stream_write(&data->pipe_stream_output, record, record_len)))
{
data->eos = TRUE;
break;
}
if(return_value != record_len)
{
return UNEXPECTED_EOF;
}
data->record_index++;
}
return return_value;
}
