16652550721

Committed 31 Jul 2025 02:58PM UTC coverage: 62.94% (-2.9%) from 65.842%

Build # 16652550721

Build Type

Pull #15953

github

Committed by

web-flow

Commit Message

Merge 9982780da into 132cad30c

Pull Request Pull Request #15953: auth: fallback to TCP if UDP queries return with TC

Run Details

39763 of 92464 branches covered (43.0%)

Branch coverage included in aggregate %.

0 of 227 new or added lines in 3 files covered. (0.0%)

5128 existing lines in 68 files now uncovered.

122895 of 165969 relevant lines covered (74.05%)

3515414.29 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

8.0

/modules/bindbackend/binddnssec.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "bindbackend2.hh"
#include "pdns/arguments.hh"
#include "pdns/dnsrecords.hh"

#ifndef HAVE_SQLITE3

void Bind2Backend::setupDNSSEC()
{
  if (!getArg("dnssec-db").empty()) {
    throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
  }
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name */, std::map<std::string, std::vector<std::string>>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, const std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainKeys(const ZoneName& /* name */, std::vector<KeyData>& /* keys */)
{
  return false;
}

bool Bind2Backend::removeDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::addDomainKey(const ZoneName& /* name */, const KeyData& /* key */, int64_t& /* id */)
{
  return false;
}

bool Bind2Backend::activateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::publishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::getTSIGKey(const DNSName& /* name */, DNSName& /* algorithm */, string& /* content */)
{
  return false;
}

bool Bind2Backend::setTSIGKey(const DNSName& /* name */, const DNSName& /* algorithm */, const string& /* content */)
{
  return false;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
{
  return false;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
{
  return false;
}

void Bind2Backend::setupStatements()
{
}

void Bind2Backend::freeStatements()
{
}

#else

#include "pdns/logger.hh"
#include "pdns/ssqlite3.hh"

#define ASSERT_ROW_COLUMNS(query, row, num)                                                                                                \
  {                                                                                                                                        \
    if (row.size() != num) {                                                                                                               \
      throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \
    }                                                                                                                                      \
  }

void Bind2Backend::setupDNSSEC()
{
  if (getArg("dnssec-db").empty() || d_hybrid)
    return;
  try {
    d_dnssecdb = std::make_shared<SSQLite3>(getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));
    setupStatements();
  }
  catch (SSqlException& se) {
    // this error is meant to kill the server dead - it makes no sense to continue..
    throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());
  }

  d_dnssecdb->setLog(::arg().mustDo("query-logging"));
}

void Bind2Backend::setupStatements()
{
  d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);
  d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);
  d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);
  d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);
  d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);
  d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);
  d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);
  d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);
  d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);
  d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);
  d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);
  d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);
  d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);
  d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);
  d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);
  d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);
}

void Bind2Backend::freeStatements()
{
  d_getAllDomainMetadataQuery_stmt.reset();
  d_getDomainMetadataQuery_stmt.reset();
  d_deleteDomainMetadataQuery_stmt.reset();
  d_insertDomainMetadataQuery_stmt.reset();
  d_getDomainKeysQuery_stmt.reset();
  d_deleteDomainKeyQuery_stmt.reset();
  d_insertDomainKeyQuery_stmt.reset();
  d_GetLastInsertedKeyIdQuery_stmt.reset();
  d_activateDomainKeyQuery_stmt.reset();
  d_deactivateDomainKeyQuery_stmt.reset();
  d_publishDomainKeyQuery_stmt.reset();
  d_unpublishDomainKeyQuery_stmt.reset();
  d_getTSIGKeyQuery_stmt.reset();
  d_setTSIGKeyQuery_stmt.reset();
  d_deleteTSIGKeyQuery_stmt.reset();
  d_getTSIGKeysQuery_stmt.reset();
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_dnssecdb || d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  BB2DomainInfo bbd;
  if (!safeGetBBDomainInfo(name, &bbd))
    return false;

  if (ns3p != nullptr) {
    *ns3p = bbd.d_nsec3param;
  }

  return bbd.d_nsec3zone;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  string value;
  vector<string> meta;
  getDomainMetadata(name, "NSEC3PARAM", meta);
  if (!meta.empty())
    value = *meta.begin();
  else
    return false; // No NSEC3 zone

  static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");
  if (ns3p) {
    auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));
    *ns3p = *tmp;

    if (ns3p->d_iterations > maxNSEC3Iterations) {
      ns3p->d_iterations = maxNSEC3Iterations;
      g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl;
    }

    if (ns3p->d_algorithm != 1) {
      g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl;
      ns3p->d_algorithm = 1;
    }
  }

  return true;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();

    SSqlStatement::row_t row;
    while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {
      d_getAllDomainMetadataQuery_stmt->nextRow(row);
      meta[row[0]].push_back(row[1]);
    }

    d_getAllDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();

    SSqlStatement::row_t row;
    while (d_getDomainMetadataQuery_stmt->hasNextRow()) {
      d_getDomainMetadataQuery_stmt->nextRow(row);
      meta.push_back(row[0]);
    }

    d_getDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();
    if (!meta.empty()) {
      for (const auto& value : meta) {
        d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();
      }
    }
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainKeysQuery_stmt->bind("domain", name)->execute();

    KeyData kd;
    SSqlStatement::row_t row;
    while (d_getDomainKeysQuery_stmt->hasNextRow()) {
      d_getDomainKeysQuery_stmt->nextRow(row);
      pdns::checked_stoi_into(kd.id, row[0]);
      pdns::checked_stoi_into(kd.flags, row[1]);
      kd.active = (row[2] == "1");
      kd.published = (row[3] == "1");
      kd.content = row[4];
      keys.push_back(kd);
    }

    d_getDomainKeysQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());
  }

  try {
    d_GetLastInsertedKeyIdQuery_stmt->execute();
    if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {
      keyId = -2;
      return true;
    }
    SSqlStatement::row_t row;
    d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);
    ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);
    keyId = std::stoi(row[0]);
    d_GetLastInsertedKeyIdQuery_stmt->reset();
    if (keyId == 0) {
      // No insert took place, report as error.
      keyId = -1;
    }
    return true;
  }
  catch (SSqlException& e) {
    keyId = -2;
    return true;
  }
}

bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeyQuery_stmt->hasNextRow()) {
      d_getTSIGKeyQuery_stmt->nextRow(row);
      if (row.size() >= 2 && (algorithm.empty() || algorithm == DNSName(row[0]))) {
        algorithm = DNSName(row[0]);
        content = row[1];
      }
    }

    d_getTSIGKeyQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& name)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeysQuery_stmt->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeysQuery_stmt->hasNextRow()) {
      d_getTSIGKeysQuery_stmt->nextRow(row);
      struct TSIGKey key;
      key.name = DNSName(row[0]);
      key.algorithm = DNSName(row[1]);
      key.key = row[2];
      keys.push_back(key);
    }

    d_getTSIGKeysQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());
  }
  return true;
}

#endif

1	/*
2	* This file is part of PowerDNS or dnsdist.
3	* Copyright -- PowerDNS.COM B.V. and its contributors
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of version 2 of the GNU General Public License as
7	* published by the Free Software Foundation.
8	*
9	* In addition, for the avoidance of any doubt, permission is granted to
10	* link this program with OpenSSL and to (re)distribute the binaries
11	* produced as the result of such linking.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21	*/
22
23	#ifdef HAVE_CONFIG_H
24	#include "config.h"
25	#endif
26	#include "bindbackend2.hh"
27	#include "pdns/arguments.hh"
28	#include "pdns/dnsrecords.hh"
29
30	#ifndef HAVE_SQLITE3
31
32	void Bind2Backend::setupDNSSEC()
33	{
34	if (!getArg("dnssec-db").empty()) {
35	throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
36	}
37	}
38
39	unsigned int Bind2Backend::getCapabilities()
40	{
41	unsigned int caps = CAP_LIST \| CAP_SEARCH;
42	if (d_hybrid) {
43	caps \|= CAP_DNSSEC;
44	}
45	return caps;
46	}
47
48	bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
49	{
50	return false;
51	}
52
53	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
54	{
55	return false;
56	}
57
58	bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name /, std::map<std::string, std::vector<std::string>>& / meta */)
59	{
60	return false;
61	}
62
63	bool Bind2Backend::getDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, std::vector<std::string>& / meta */)
64	{
65	return false;
66	}
67
68	bool Bind2Backend::setDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, const std::vector<std::string>& / meta */)
69	{
70	return false;
71	}
72
73	bool Bind2Backend::getDomainKeys(const ZoneName& /* name /, std::vector<KeyData>& / keys */)
74	{
75	return false;
76	}
77
78	bool Bind2Backend::removeDomainKey(const ZoneName& /* name /, unsigned int / id */)
79	{
80	return false;
81	}
82
83	bool Bind2Backend::addDomainKey(const ZoneName& /* name /, const KeyData& / key /, int64_t& / id */)
84	{
85	return false;
86	}
87
88	bool Bind2Backend::activateDomainKey(const ZoneName& /* name /, unsigned int / id */)
89	{
90	return false;
91	}
92
93	bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name /, unsigned int / id */)
94	{
95	return false;
96	}
97
98	bool Bind2Backend::publishDomainKey(const ZoneName& /* name /, unsigned int / id */)
99	{
100	return false;
101	}
102
103	bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name /, unsigned int / id */)
104	{
105	return false;
106	}
107
108	bool Bind2Backend::getTSIGKey(const DNSName& /* name /, DNSName& / algorithm /, string& / content */)
109	{
110	return false;
111	}
112
113	bool Bind2Backend::setTSIGKey(const DNSName& /* name /, const DNSName& / algorithm /, const string& / content */)
114	{
115	return false;
116	}
117
118	bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
119	{
120	return false;
121	}
122
123	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
124	{
125	return false;
126	}
127
128	void Bind2Backend::setupStatements()
129	{
130	}
131
132	void Bind2Backend::freeStatements()
133	{
134	}
135
136	#else
137
138	#include "pdns/logger.hh"
139	#include "pdns/ssqlite3.hh"
140
141	#define ASSERT_ROW_COLUMNS(query, row, num) \
UNCOV 142	{ \	×
UNCOV 143	if (row.size() != num) { \	×
144	throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \	×
145	} \	×
UNCOV 146	}	×
147
148	void Bind2Backend::setupDNSSEC()
149	{	1,867✔
150	if (getArg("dnssec-db").empty() \|\| d_hybrid)	1,867!
151	return;	1,867✔
UNCOV 152	try {	×
UNCOV 153	d_dnssecdb = std::make_shared<SSQLite3>(getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));	×
UNCOV 154	setupStatements();	×
UNCOV 155	}	×
UNCOV 156	catch (SSqlException& se) {	×
157	// this error is meant to kill the server dead - it makes no sense to continue..
158	throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());	×
159	}	×
160
UNCOV 161	d_dnssecdb->setLog(::arg().mustDo("query-logging"));	×
UNCOV 162	}	×
163
164	void Bind2Backend::setupStatements()
UNCOV 165	{	×
UNCOV 166	d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);	×
UNCOV 167	d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);	×
UNCOV 168	d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);	×
UNCOV 169	d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);	×
UNCOV 170	d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);	×
UNCOV 171	d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);	×
UNCOV 172	d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);	×
UNCOV 173	d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);	×
UNCOV 174	d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);	×
UNCOV 175	d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);	×
UNCOV 176	d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);	×
UNCOV 177	d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);	×
UNCOV 178	d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);	×
UNCOV 179	d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);	×
UNCOV 180	d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);	×
UNCOV 181	d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);	×
UNCOV 182	}	×
183
184	void Bind2Backend::freeStatements()
185	{	1,851✔
186	d_getAllDomainMetadataQuery_stmt.reset();	1,851✔
187	d_getDomainMetadataQuery_stmt.reset();	1,851✔
188	d_deleteDomainMetadataQuery_stmt.reset();	1,851✔
189	d_insertDomainMetadataQuery_stmt.reset();	1,851✔
190	d_getDomainKeysQuery_stmt.reset();	1,851✔
191	d_deleteDomainKeyQuery_stmt.reset();	1,851✔
192	d_insertDomainKeyQuery_stmt.reset();	1,851✔
193	d_GetLastInsertedKeyIdQuery_stmt.reset();	1,851✔
194	d_activateDomainKeyQuery_stmt.reset();	1,851✔
195	d_deactivateDomainKeyQuery_stmt.reset();	1,851✔
196	d_publishDomainKeyQuery_stmt.reset();	1,851✔
197	d_unpublishDomainKeyQuery_stmt.reset();	1,851✔
198	d_getTSIGKeyQuery_stmt.reset();	1,851✔
199	d_setTSIGKeyQuery_stmt.reset();	1,851✔
200	d_deleteTSIGKeyQuery_stmt.reset();	1,851✔
201	d_getTSIGKeysQuery_stmt.reset();	1,851✔
202	}	1,851✔
203
204	unsigned int Bind2Backend::getCapabilities()
205	{	19✔
206	unsigned int caps = CAP_LIST \| CAP_SEARCH;	19✔
207	if (d_dnssecdb \|\| d_hybrid) {	19!
UNCOV 208	caps \|= CAP_DNSSEC;	×
UNCOV 209	}	×
210	return caps;	19✔
211	}	19✔
212
213	// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
214	bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
215	{	×
216	BB2DomainInfo bbd;	×
217	if (!safeGetBBDomainInfo(name, &bbd))	×
218	return false;	×
219
220	if (ns3p != nullptr) {	×
221	*ns3p = bbd.d_nsec3param;	×
222	}	×
223
224	return bbd.d_nsec3zone;	×
225	}	×
226
227	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
UNCOV 228	{	×
UNCOV 229	if (!d_dnssecdb \|\| d_hybrid)	×
UNCOV 230	return false;	×
231
UNCOV 232	string value;	×
UNCOV 233	vector<string> meta;	×
UNCOV 234	getDomainMetadata(name, "NSEC3PARAM", meta);	×
UNCOV 235	if (!meta.empty())	×
UNCOV 236	value = *meta.begin();	×
UNCOV 237	else	×
UNCOV 238	return false; // No NSEC3 zone	×
239
UNCOV 240	static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");	×
UNCOV 241	if (ns3p) {	×
UNCOV 242	auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));	×
UNCOV 243	ns3p = tmp;	×
244
UNCOV 245	if (ns3p->d_iterations > maxNSEC3Iterations) {	×
246	ns3p->d_iterations = maxNSEC3Iterations;	×
247	g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl;	×
248	}	×
249
UNCOV 250	if (ns3p->d_algorithm != 1) {	×
251	g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl;	×
252	ns3p->d_algorithm = 1;	×
253	}	×
UNCOV 254	}	×
255
UNCOV 256	return true;	×
UNCOV 257	}	×
258
259	bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)
UNCOV 260	{	×
UNCOV 261	if (!d_dnssecdb \|\| d_hybrid)	×
UNCOV 262	return false;	×
263
UNCOV 264	try {	×
UNCOV 265	d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();	×
266
UNCOV 267	SSqlStatement::row_t row;	×
UNCOV 268	while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {	×
UNCOV 269	d_getAllDomainMetadataQuery_stmt->nextRow(row);	×
UNCOV 270	meta[row[0]].push_back(row[1]);	×
UNCOV 271	}	×
272
UNCOV 273	d_getAllDomainMetadataQuery_stmt->reset();	×
UNCOV 274	}	×
UNCOV 275	catch (SSqlException& se) {	×
276	throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());	×
277	}	×
UNCOV 278	return true;	×
UNCOV 279	}	×
280
281	bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)
282	{	4✔
283	if (!d_dnssecdb \|\| d_hybrid)	4!
284	return false;	4✔
285
UNCOV 286	try {	×
UNCOV 287	d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();	×
288
UNCOV 289	SSqlStatement::row_t row;	×
UNCOV 290	while (d_getDomainMetadataQuery_stmt->hasNextRow()) {	×
UNCOV 291	d_getDomainMetadataQuery_stmt->nextRow(row);	×
UNCOV 292	meta.push_back(row[0]);	×
UNCOV 293	}	×
294
UNCOV 295	d_getDomainMetadataQuery_stmt->reset();	×
UNCOV 296	}	×
UNCOV 297	catch (SSqlException& se) {	×
298	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());	×
299	}	×
UNCOV 300	return true;	×
UNCOV 301	}	×
302
303	bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)
UNCOV 304	{	×
UNCOV 305	if (!d_dnssecdb \|\| d_hybrid)	×
306	return false;	×
307
UNCOV 308	try {	×
UNCOV 309	d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();	×
UNCOV 310	if (!meta.empty()) {	×
UNCOV 311	for (const auto& value : meta) {	×
UNCOV 312	d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();	×
UNCOV 313	}	×
UNCOV 314	}	×
UNCOV 315	}	×
UNCOV 316	catch (SSqlException& se) {	×
317	throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());	×
318	}	×
UNCOV 319	return true;	×
UNCOV 320	}	×
321
322	bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)
UNCOV 323	{	×
UNCOV 324	if (!d_dnssecdb \|\| d_hybrid)	×
UNCOV 325	return false;	×
326
UNCOV 327	try {	×
UNCOV 328	d_getDomainKeysQuery_stmt->bind("domain", name)->execute();	×
329
UNCOV 330	KeyData kd;	×
UNCOV 331	SSqlStatement::row_t row;	×
UNCOV 332	while (d_getDomainKeysQuery_stmt->hasNextRow()) {	×
UNCOV 333	d_getDomainKeysQuery_stmt->nextRow(row);	×
UNCOV 334	pdns::checked_stoi_into(kd.id, row[0]);	×
UNCOV 335	pdns::checked_stoi_into(kd.flags, row[1]);	×
UNCOV 336	kd.active = (row[2] == "1");	×
UNCOV 337	kd.published = (row[3] == "1");	×
UNCOV 338	kd.content = row[4];	×
UNCOV 339	keys.push_back(kd);	×
UNCOV 340	}	×
341
UNCOV 342	d_getDomainKeysQuery_stmt->reset();	×
UNCOV 343	}	×
UNCOV 344	catch (SSqlException& se) {	×
345	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());	×
346	}	×
UNCOV 347	return true;	×
UNCOV 348	}	×
349
350	bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
351	{	×
352	if (!d_dnssecdb \|\| d_hybrid)	×
353	return false;	×
354
355	try {	×
356	d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
357	}	×
358	catch (SSqlException& se) {	×
359	throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());	×
360	}	×
361	return true;	×
362	}	×
363
364	bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
UNCOV 365	{	×
UNCOV 366	if (!d_dnssecdb \|\| d_hybrid)	×
367	return false;	×
368
UNCOV 369	try {	×
UNCOV 370	d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();	×
UNCOV 371	}	×
UNCOV 372	catch (SSqlException& se) {	×
373	throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());	×
374	}	×
375
UNCOV 376	try {	×
UNCOV 377	d_GetLastInsertedKeyIdQuery_stmt->execute();	×
UNCOV 378	if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {	×
379	keyId = -2;	×
380	return true;	×
381	}	×
UNCOV 382	SSqlStatement::row_t row;	×
UNCOV 383	d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);	×
UNCOV 384	ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);	×
UNCOV 385	keyId = std::stoi(row[0]);	×
UNCOV 386	d_GetLastInsertedKeyIdQuery_stmt->reset();	×
UNCOV 387	if (keyId == 0) {	×
388	// No insert took place, report as error.
389	keyId = -1;	×
390	}	×
UNCOV 391	return true;	×
UNCOV 392	}	×
UNCOV 393	catch (SSqlException& e) {	×
394	keyId = -2;	×
395	return true;	×
396	}	×
UNCOV 397	}	×
398
399	bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
400	{	×
401	if (!d_dnssecdb \|\| d_hybrid)	×
402	return false;	×
403
404	try {	×
405	d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
406	}	×
407	catch (SSqlException& se) {	×
408	throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());	×
409	}	×
410	return true;	×
411	}	×
412
413	bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
414	{	×
415	if (!d_dnssecdb \|\| d_hybrid)	×
416	return false;	×
417
418	try {	×
419	d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
420	}	×
421	catch (SSqlException& se) {	×
422	throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());	×
423	}	×
424	return true;	×
425	}	×
426
427	bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
428	{	×
429	if (!d_dnssecdb \|\| d_hybrid)	×
430	return false;	×
431
432	try {	×
433	d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
434	}	×
435	catch (SSqlException& se) {	×
436	throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());	×
437	}	×
438	return true;	×
439	}	×
440
441	bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
UNCOV 442	{	×
UNCOV 443	if (!d_dnssecdb \|\| d_hybrid)	×
444	return false;	×
445
UNCOV 446	try {	×
UNCOV 447	d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
UNCOV 448	}	×
UNCOV 449	catch (SSqlException& se) {	×
450	throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());	×
451	}	×
UNCOV 452	return true;	×
UNCOV 453	}	×
454
455	bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)
UNCOV 456	{	×
UNCOV 457	if (!d_dnssecdb \|\| d_hybrid)	×
458	return false;	×
459
UNCOV 460	try {	×
UNCOV 461	d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();	×
462
UNCOV 463	SSqlStatement::row_t row;	×
UNCOV 464	while (d_getTSIGKeyQuery_stmt->hasNextRow()) {	×
UNCOV 465	d_getTSIGKeyQuery_stmt->nextRow(row);	×
UNCOV 466	if (row.size() >= 2 && (algorithm.empty() \|\| algorithm == DNSName(row[0]))) {	×
UNCOV 467	algorithm = DNSName(row[0]);	×
UNCOV 468	content = row[1];	×
UNCOV 469	}	×
UNCOV 470	}	×
471
UNCOV 472	d_getTSIGKeyQuery_stmt->reset();	×
UNCOV 473	}	×
UNCOV 474	catch (SSqlException& e) {	×
475	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());	×
476	}	×
UNCOV 477	return true;	×
UNCOV 478	}	×
479
480	bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
UNCOV 481	{	×
UNCOV 482	if (!d_dnssecdb \|\| d_hybrid)	×
483	return false;	×
484
UNCOV 485	try {	×
UNCOV 486	d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();	×
UNCOV 487	}	×
UNCOV 488	catch (SSqlException& e) {	×
489	throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());	×
490	}	×
UNCOV 491	return true;	×
UNCOV 492	}	×
493
494	bool Bind2Backend::deleteTSIGKey(const DNSName& name)
495	{	×
496	if (!d_dnssecdb \|\| d_hybrid)	×
497	return false;	×
498
499	try {	×
500	d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();	×
501	}	×
502	catch (SSqlException& e) {	×
503	throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());	×
504	}	×
505	return true;	×
506	}	×
507
508	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
509	{	×
510	if (!d_dnssecdb \|\| d_hybrid)	×
511	return false;	×
512
513	try {	×
514	d_getTSIGKeysQuery_stmt->execute();	×
515
516	SSqlStatement::row_t row;	×
517	while (d_getTSIGKeysQuery_stmt->hasNextRow()) {	×
518	d_getTSIGKeysQuery_stmt->nextRow(row);	×
519	struct TSIGKey key;	×
520	key.name = DNSName(row[0]);	×
521	key.algorithm = DNSName(row[1]);	×
522	key.key = row[2];	×
523	keys.push_back(key);	×
524	}	×
525
526	d_getTSIGKeysQuery_stmt->reset();	×
527	}	×
528	catch (SSqlException& e) {	×
529	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());	×
530	}	×
531	return true;	×
532	}	×
533
534	#endif

PowerDNS / pdns / 16652550721

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous