PowerDNS / pdns / 16652550721

coverage: 62.94% (-2.9%) from 65.842%
16652550721

Pull #15953

github

web-flow 
Merge 9982780da into 132cad30c
Pull Request #15953: auth: fallback to TCP if UDP queries return with TC

39763 of 92464 branches covered (43.0%)

Branch coverage included in aggregate %.

0 of 227 new or added lines in 3 files covered. (0.0%)

5128 existing lines in 68 files now uncovered.

122895 of 165969 relevant lines covered (74.05%)

3515414.29 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0
/pdns/rfc2136handler.cc
1 
#include "dnswriter.hh"
2 
#ifdef HAVE_CONFIG_H
3 
#include "config.h"
4 
#endif
5 
#include "packethandler.hh"
6 
#include "qtype.hh"
7 
#include "dnspacket.hh"
8 
#include "auth-caches.hh"
9 
#include "statbag.hh"
10 
#include "dnsseckeeper.hh"
11 
#include "base64.hh"
12 
#include "base32.hh"
13 









14



#include "misc.hh"










15



#include "arguments.hh"










16



#include "resolver.hh"










17



#include "dns_random.hh"










18



#include "backends/gsql/ssql.hh"










19



#include "communicator.hh"










20



#include "query-local-address.hh"










21



#include "gss_context.hh"










22



#include "auth-main.hh"










23












24



extern StatBag S;










25



extern CommunicatorClass Communicator;










26












27



std::mutex PacketHandler::s_rfc2136lock;










28












29



// Implement section 3.2.1 and 3.2.2 of RFC2136











UNCOV

30



int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {




×








UNCOV

31



  if (rr->d_ttl != 0)





×







32



    return RCode::FormErr;




×







33












34



  // 3.2.1 and 3.2.2 check content length.











UNCOV

35



  if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)





×







36



    return RCode::FormErr;




×







37













UNCOV

38



  bool foundRecord=false;




×








UNCOV

39



  DNSResourceRecord rec;




×








UNCOV

40



  di->backend->lookup(QType(QType::ANY), rr->d_name, di->id);




×








UNCOV

41



  while(di->backend->get(rec)) {





×








UNCOV

42



    if (!rec.qtype.getCode())





×








UNCOV

43



      continue;




×








UNCOV

44



    if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY)





×








UNCOV

45



      foundRecord=true;




×








UNCOV

46



  }




×







47












48



  // Section 3.2.1











UNCOV

49



  if (rr->d_class == QClass::ANY && !foundRecord) {





×








UNCOV

50



    if (rr->d_type == QType::ANY)





×








UNCOV

51



      return RCode::NXDomain;




×








UNCOV

52



    if (rr->d_type != QType::ANY)





×








UNCOV

53



      return RCode::NXRRSet;




×








UNCOV

54



  }




×







55












56



  // Section 3.2.2











UNCOV

57



  if (rr->d_class == QClass::NONE && foundRecord) {





×








UNCOV

58



    if (rr->d_type == QType::ANY)





×








UNCOV

59



      return RCode::YXDomain;




×








UNCOV

60



    if (rr->d_type != QType::ANY)





×








UNCOV

61



      return RCode::YXRRSet;




×








UNCOV

62



  }




×







63













UNCOV

64



  return RCode::NoError;




×








UNCOV

65



}




×







66












67












68



// Method implements section 3.4.1 of RFC2136











UNCOV

69



int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {




×







70



  // The RFC stats that d_class != ZCLASS, but we only support the IN class.











UNCOV

71



  if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) {





×







72



    return RCode::FormErr;




×







73



  }




×







74













UNCOV

75



  QType qtype = QType(rr->d_type);




×







76













UNCOV

77



  if (!qtype.isSupportedType()) {





×







78



    return RCode::FormErr;




×







79



  }




×







80













UNCOV

81



  if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) {





×







82



    return RCode::FormErr;




×







83



  }




×







84













UNCOV

85



  if (rr->d_class == QClass::ANY && rr->d_clen != 0) {





×







86



    return RCode::FormErr;




×







87



  }




×







88













UNCOV

89



  if (qtype.isMetadataType()) {





×







90



    return RCode::FormErr;




×







91



  }




×







92













UNCOV

93



  if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) {





×








UNCOV

94



    return RCode::FormErr;




×








UNCOV

95



  }




×







96













UNCOV

97



  return RCode::NoError;




×








UNCOV

98



}




×







99












100












101



// Implements section 3.4.2 of RFC2136










102



// NOLINTNEXTLINE(readability-function-cognitive-complexity)











UNCOV

103



uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) {




×







104













UNCOV

105



  QType rrType = QType(rr->d_type);




×







106













UNCOV

107



  if (rrType == QType::NSEC || rrType == QType::NSEC3) {





×







108



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<". These are generated records, ignoring!"<<endl;




×







109



    return 0;




×







110



  }




×







111













UNCOV

112



  if (!isPresigned && rrType == QType::RRSIG) {





×







113



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<" in non-presigned zone, ignoring!"<<endl;




×







114



    return 0;




×







115



  }




×







116













UNCOV

117



  if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone.operator const DNSName&()) {





×







118



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<", "<<rrType.toString()<<" must be at zone apex, ignoring!"<<endl;




×







119



    return 0;




×







120



  }




×







121












122













UNCOV

123



  uint changedRecords = 0;




×








UNCOV

124



  DNSResourceRecord rec;




×








UNCOV

125



  vector<DNSResourceRecord> rrset, recordsToDelete;




×








UNCOV

126



  set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.




×







127












128













UNCOV

129



  if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update





×








UNCOV

130



    DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.toString()<<endl);




×







131













UNCOV

132



    if (rrType == QType::NSEC3PARAM) {





×








UNCOV

133



      g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;




×







134













UNCOV

135



      *ns3pr = NSEC3PARAMRecordContent(rr->getContent()->getZoneRepresentation(), di->zone);




×








UNCOV

136



      *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record




×








UNCOV

137



      d_dk.setNSEC3PARAM(di->zone, *ns3pr, (*narrow));




×








UNCOV

138



      *haveNSEC3 = true;




×







139













UNCOV

140



      string error;




×








UNCOV

141



      string info;




×








UNCOV

142



      if (!d_dk.rectifyZone(di->zone, error, info, false)) {





×







143



        throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);




×







144



      }




×








UNCOV

145



      return 1;




×








UNCOV

146



    }




×







147












148












149













UNCOV

150



    bool foundRecord = false;




×








UNCOV

151



    di->backend->lookup(rrType, rr->d_name, di->id);




×








UNCOV

152



    while (di->backend->get(rec)) {





×








UNCOV

153



      rrset.push_back(rec);




×








UNCOV

154



      foundRecord = true;




×








UNCOV

155



    }




×







156













UNCOV

157



    if (foundRecord) {





×







158













UNCOV

159



      if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current





×








UNCOV

160



        SOAData sdOld, sdUpdate;




×








UNCOV

161



        DNSResourceRecord *oldRec = &rrset.front();




×








UNCOV

162



        fillSOAData(oldRec->content, sdOld);




×








UNCOV

163



        oldRec->setContent(rr->getContent()->getZoneRepresentation());




×








UNCOV

164



        fillSOAData(oldRec->content, sdUpdate);




×








UNCOV

165



        if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {





×








UNCOV

166



          di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);




×








UNCOV

167



          *updatedSerial = true;




×








UNCOV

168



          changedRecords++;




×








UNCOV

169



          g_log<<Logger::Notice<<msgPrefix<<"Replacing SOA record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




×








UNCOV

170



        } else {




×








UNCOV

171



          g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;




×








UNCOV

172



        }




×







173












174



      // It's not possible to have multiple CNAME's with the same NAME. So we always update.











UNCOV

175



      } else if (rrType == QType::CNAME) {





×








UNCOV

176



        int changedCNames = 0;




×








UNCOV

177



        for (auto& i : rrset) {





×








UNCOV

178



          if (i.ttl != rr->d_ttl || i.content != rr->getContent()->getZoneRepresentation()) {





×








UNCOV

179



            i.ttl = rr->d_ttl;




×








UNCOV

180



            i.setContent(rr->getContent()->getZoneRepresentation());




×








UNCOV

181



            changedCNames++;




×








UNCOV

182



          }




×








UNCOV

183



        }




×








UNCOV

184



        if (changedCNames > 0) {





×








UNCOV

185



          di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




×








UNCOV

186



          g_log<<Logger::Notice<<msgPrefix<<"Replacing CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




×








UNCOV

187



          changedRecords += changedCNames;




×








UNCOV

188



        } else {




×







189



          g_log<<Logger::Notice<<msgPrefix<<"Replace for CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;




×







190



        }




×







191












192



      // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL)











UNCOV

193



      } else {




×








UNCOV

194



        int updateTTL=0;




×








UNCOV

195



        foundRecord = false;




×








UNCOV

196



        bool lowerCase = false;




×








UNCOV

197



        if (rrType.getCode() == QType::PTR ||





×








UNCOV

198



            rrType.getCode() == QType::MX ||





×








UNCOV

199



            rrType.getCode() == QType::SRV) {





×








UNCOV

200



          lowerCase = true;




×








UNCOV

201



        }




×








UNCOV

202



        string content = rr->getContent()->getZoneRepresentation();




×








UNCOV

203



        if (lowerCase) content = toLower(content);





×








UNCOV

204



        for (auto& i : rrset) {





×








UNCOV

205



          string icontent = i.getZoneRepresentation();




×








UNCOV

206



          if (lowerCase) icontent = toLower(icontent);





×








UNCOV

207



          if (rrType == i.qtype.getCode()) {





×








UNCOV

208



            if (icontent == content) {





×








UNCOV

209



              foundRecord=true;




×








UNCOV

210



            }




×








UNCOV

211



            if (i.ttl != rr->d_ttl)  {





×








UNCOV

212



              i.ttl = rr->d_ttl;




×








UNCOV

213



              updateTTL++;




×








UNCOV

214



            }




×








UNCOV

215



          }




×








UNCOV

216



        }




×








UNCOV

217



        if (updateTTL > 0) {





×








UNCOV

218



          di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




×








UNCOV

219



          g_log<<Logger::Notice<<msgPrefix<<"Updating TTLs for "<<rr->d_name<<"|"<<rrType.toString()<<endl;




×








UNCOV

220



          changedRecords += updateTTL;




×








UNCOV

221



        } else {




×








UNCOV

222



          g_log<<Logger::Notice<<msgPrefix<<"Replace for recordset "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;




×








UNCOV

223



        }




×








UNCOV

224



      }




×







225












226



      // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.










227



      // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.











UNCOV

228



      if (changedRecords > 0) {





×








UNCOV

229



        bool auth = rrset.front().auth;




×







230













UNCOV

231



        if(*haveNSEC3) {





×








UNCOV

232



          DNSName ordername;




×








UNCOV

233



          if(! *narrow)





×








UNCOV

234



            ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));




×







235













UNCOV

236



          if (*narrow) {





×








UNCOV

237



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);




×








UNCOV

238



          }




×








UNCOV

239



          else {




×








UNCOV

240



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);




×








UNCOV

241



          }




×








UNCOV

242



          if(!auth || rrType == QType::DS) {





×







243



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow);




×







244



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow);




×







245



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow);




×







246



          }




×







247













UNCOV

248



        } else { // NSEC




×








UNCOV

249



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth, QType::ANY, false);




×








UNCOV

250



          if(!auth || rrType == QType::DS) {





×







251



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);




×







252



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);




×







253



          }




×








UNCOV

254



        }




×








UNCOV

255



      }




×







256













UNCOV

257



    } // if (foundRecord)




×







258












259



    // If we haven't found a record that matches, we must add it.











UNCOV

260



    if (! foundRecord) {





×








UNCOV

261



      g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




×








UNCOV

262



      delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.




×








UNCOV

263



      auto newRec = DNSResourceRecord::fromWire(*rr);




×








UNCOV

264



      newRec.domain_id = di->id;




×








UNCOV

265



      newRec.auth = (rr->d_name == di->zone.operator const DNSName&() || rrType.getCode() != QType::NS);





×








UNCOV

266



      di->backend->feedRecord(newRec, DNSName());




×








UNCOV

267



      changedRecords++;




×







268












269












270



      // because we added a record, we need to fix DNSSEC data.











UNCOV

271



      DNSName shorter(rr->d_name);




×








UNCOV

272



      bool auth=newRec.auth;




×








UNCOV

273



      bool fixDS = (rrType == QType::DS);




×







274













UNCOV

275



      if (di->zone.operator const DNSName&() != shorter) { // Everything at APEX is auth=1 && no ENT's





×








UNCOV

276



        do {




×







277













UNCOV

278



          if (di->zone.operator const DNSName&() == shorter) {





×








UNCOV

279



            break;




×








UNCOV

280



          }




×







281













UNCOV

282



          bool foundShorter = false;




×








UNCOV

283



          di->backend->lookup(QType(QType::ANY), shorter, di->id);




×








UNCOV

284



          while (di->backend->get(rec)) {





×








UNCOV

285



            if (rec.qname == rr->d_name && rec.qtype == QType::DS)





×








UNCOV

286



              fixDS = true;




×








UNCOV

287



            if (shorter != rr->d_name) {





×








UNCOV

288



              foundShorter = true;




×








UNCOV

289



            }




×








UNCOV

290



            if (rec.qtype == QType::NS) // are we inserting below a delegate?





×








UNCOV

291



              auth=false;




×








UNCOV

292



          }




×







293













UNCOV

294



          if (!foundShorter && auth && shorter != rr->d_name) { // haven't found any record at current level, insert ENT.





×








UNCOV

295



            insnonterm.insert(shorter);




×








UNCOV

296



          }




×








UNCOV

297



          if (foundShorter)





×








UNCOV

298



            break; // if we find a shorter record, we can stop searching




×








UNCOV

299



        } while(shorter.chopOff());





×








UNCOV

300



      }




×







301













UNCOV

302



      if(*haveNSEC3)





×








UNCOV

303



      {




×








UNCOV

304



        DNSName ordername;




×








UNCOV

305



        if(! *narrow)





×








UNCOV

306



          ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));




×







307













UNCOV

308



        if (*narrow) {





×








UNCOV

309



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);




×








UNCOV

310



        }




×








UNCOV

311



        else {




×








UNCOV

312



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);




×








UNCOV

313



        }




×







314













UNCOV

315



        if (fixDS) {





×








UNCOV

316



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, !*narrow);




×








UNCOV

317



        }




×







318













UNCOV

319



        if(!auth) {





×








UNCOV

320



          if (ns3pr->d_flags != 0) {





×








UNCOV

321



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow);




×








UNCOV

322



          }




×








UNCOV

323



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow);




×








UNCOV

324



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow);




×








UNCOV

325



        }




×








UNCOV

326



      }




×








UNCOV

327



      else { // NSEC




×








UNCOV

328



        DNSName ordername=rr->d_name.makeRelative(di->zone);




×








UNCOV

329



        di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, false);




×








UNCOV

330



        if (fixDS) {





×








UNCOV

331



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, false);




×








UNCOV

332



        }




×








UNCOV

333



        if(!auth) {





×








UNCOV

334



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);




×








UNCOV

335



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);




×








UNCOV

336



        }




×








UNCOV

337



      }




×







338












339












340



      // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.










341



      // Auth can only be false when the rr->d_name is not the zone











UNCOV

342



      if (auth == false && rrType == QType::NS) {





×








UNCOV

343



        DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);




×








UNCOV

344



        insnonterm.clear(); // No ENT's are needed below delegates (auth=0)




×








UNCOV

345



        vector<DNSName> qnames;




×








UNCOV

346



        di->backend->listSubZone(ZoneName(rr->d_name), di->id);




×








UNCOV

347



        while(di->backend->get(rec)) {





×








UNCOV

348



          if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.





×








UNCOV

349



            qnames.push_back(rec.qname);




×








UNCOV

350



        }




×








UNCOV

351



        for(const auto & qname : qnames) {





×








UNCOV

352



          if(*haveNSEC3)  {





×








UNCOV

353



            DNSName ordername;




×








UNCOV

354



            if(! *narrow)





×








UNCOV

355



              ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));




×







356













UNCOV

357



            if (*narrow) {





×








UNCOV

358



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, false);




×








UNCOV

359



            }




×








UNCOV

360



            else {




×








UNCOV

361



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true);




×








UNCOV

362



            }




×







363













UNCOV

364



            if (ns3pr->d_flags != 0) {





×








UNCOV

365



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, !*narrow);




×








UNCOV

366



            }




×








UNCOV

367



          }




×








UNCOV

368



          else { // NSEC




×








UNCOV

369



            DNSName ordername=DNSName(qname).makeRelative(di->zone);




×








UNCOV

370



            di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false);




×








UNCOV

371



          }




×







372













UNCOV

373



          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3 && !*narrow);





×








UNCOV

374



          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3 && !*narrow);





×








UNCOV

375



        }




×








UNCOV

376



      }




×








UNCOV

377



    }




×








UNCOV

378



  } // rr->d_class == QClass::IN




×







379












380












381



  // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by










382



  // the code that calls this performUpdate().











UNCOV

383



  if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.





×








UNCOV

384



    DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.toString()<<endl);




×







385













UNCOV

386



    if (rrType == QType::NSEC3PARAM) {





×








UNCOV

387



      g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;




×







388



      // Be sure to use a ZoneName with a variant matching the domain we are










389



      // working on, for the sake of unsetNSEC3PARAM.











UNCOV

390



      ZoneName zonename(rr->d_name, di->zone.getVariant());




×








UNCOV

391



      if (rr->d_class == QClass::ANY) {





×








UNCOV

392



        d_dk.unsetNSEC3PARAM(zonename);




×








UNCOV

393



      }




×







394



      else if (rr->d_class == QClass::NONE) {





×







395



        NSEC3PARAMRecordContent nsec3rr(rr->getContent()->getZoneRepresentation(), di->zone);




×







396



        if (*haveNSEC3 && ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())





×







397



          d_dk.unsetNSEC3PARAM(zonename);




×







398



        else




×







399



          return 0;




×







400



      } else




×







401



        return 0;




×







402












403



      // Update NSEC3 variables, other RR's in this update package might need them as well.











UNCOV

404



      *haveNSEC3 = false;




×








UNCOV

405



      *narrow = false;




×







406













UNCOV

407



      string error;




×








UNCOV

408



      string info;




×








UNCOV

409



      if (!d_dk.rectifyZone(di->zone, error, info, false)) {





×







410



        throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);




×







411



      }




×








UNCOV

412



      return 1;




×








UNCOV

413



    } // end of NSEC3PARAM delete block




×







414












415













UNCOV

416



    di->backend->lookup(rrType, rr->d_name, di->id);




×








UNCOV

417



    while(di->backend->get(rec)) {





×








UNCOV

418



      if (rr->d_class == QClass::ANY) { // 3.4.2.3





×








UNCOV

419



        if (rec.qname == di->zone.operator const DNSName&() && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) { // Never delete all SOA and NS's





×








UNCOV

420



          rrset.push_back(rec);




×








UNCOV

421



        }




×








UNCOV

422



        else




×








UNCOV

423



          recordsToDelete.push_back(rec);




×








UNCOV

424



      }




×








UNCOV

425



      if (rr->d_class == QClass::NONE) { // 3.4.2.4





×








UNCOV

426



        auto repr = rec.getZoneRepresentation();




×








UNCOV

427



        if (rec.qtype == QType::TXT) {





×








UNCOV

428



          DLOG(g_log<<msgPrefix<<"Adjusting TXT content from ["<<repr<<"]"<<endl);




×








UNCOV

429



          auto drc = DNSRecordContent::make(rec.qtype.getCode(), QClass::IN, repr);




×








UNCOV

430



          auto ser = drc->serialize(rec.qname, true, true);




×








UNCOV

431



          auto rc = DNSRecordContent::deserialize(rec.qname, rec.qtype.getCode(), ser);




×








UNCOV

432



          repr = rc->getZoneRepresentation(true);




×








UNCOV

433



          DLOG(g_log<<msgPrefix<<"Adjusted TXT content to ["<<repr<<"]"<<endl);




×








UNCOV

434



        }




×








UNCOV

435



        DLOG(g_log<<msgPrefix<<"Matching RR in RRset - (adjusted) representation from request=["<<repr<<"], rr->getContent()->getZoneRepresentation()=["<<rr->getContent()->getZoneRepresentation()<<"]"<<endl);




×








UNCOV

436



        if (rrType == rec.qtype && repr == rr->getContent()->getZoneRepresentation())





×








UNCOV

437



          recordsToDelete.push_back(rec);




×








UNCOV

438



        else




×








UNCOV

439



          rrset.push_back(rec);




×








UNCOV

440



      }




×








UNCOV

441



    }




×







442



  











UNCOV

443



    if (recordsToDelete.size()) {





×








UNCOV

444



      di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




×








UNCOV

445



      g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




×








UNCOV

446



      changedRecords += recordsToDelete.size();




×







447












448












449



      // If we've removed a delegate, we need to reset ordername/auth for some records.











UNCOV

450



      if (rrType == QType::NS && rr->d_name != di->zone.operator const DNSName&()) { 





×








UNCOV

451



        vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;




×








UNCOV

452



        di->backend->listSubZone(ZoneName(rr->d_name), di->id);




×








UNCOV

453



        while (di->backend->get(rec)) {





×








UNCOV

454



          if (rec.qtype.getCode()) // skip ENT records, they are always auth=false





×








UNCOV

455



            belowOldDelegate.push_back(rec.qname);




×








UNCOV

456



          if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)





×








UNCOV

457



            nsRecs.push_back(rec.qname);




×








UNCOV

458



        }




×







459













UNCOV

460



        for(auto &belowOldDel: belowOldDelegate)





×








UNCOV

461



        {




×








UNCOV

462



          bool isBelowDelegate = false;




×








UNCOV

463



          for(const auto & ns: nsRecs) {





×








UNCOV

464



            if (ns.isPartOf(belowOldDel)) {





×








UNCOV

465



              isBelowDelegate=true;




×








UNCOV

466



              break;




×








UNCOV

467



            }




×








UNCOV

468



          }




×








UNCOV

469



          if (!isBelowDelegate)





×








UNCOV

470



            updateAuthFlag.push_back(belowOldDel);




×








UNCOV

471



        }




×







472













UNCOV

473



        for (const auto &changeRec:updateAuthFlag) {





×








UNCOV

474



          DNSName ordername;




×








UNCOV

475



          if(*haveNSEC3)  {





×








UNCOV

476



            if(! *narrow) {





×








UNCOV

477



              ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));




×








UNCOV

478



            }




×








UNCOV

479



          }




×








UNCOV

480



          else { // NSEC




×








UNCOV

481



            ordername=changeRec.makeRelative(di->zone);




×








UNCOV

482



          }




×








UNCOV

483



          di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3 && !*narrow);





×








UNCOV

484



        }




×








UNCOV

485



      }




×







486












487



      // Fix ENT records.










488



      // We must check if we have a record below the current level and if we removed the 'last' record










489



      // on that level. If so, we must insert an ENT record.










490



      // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.











UNCOV

491



      bool foundDeeper = false, foundOtherWithSameName = false;




×








UNCOV

492



      di->backend->listSubZone(ZoneName(rr->d_name), di->id);




×








UNCOV

493



      while (di->backend->get(rec)) {





×








UNCOV

494



        if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))





×








UNCOV

495



          foundOtherWithSameName = true;




×








UNCOV

496



        if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT





×








UNCOV

497



          foundDeeper = true;




×








UNCOV

498



      }




×







499













UNCOV

500



      if (foundDeeper && !foundOtherWithSameName) {





×








UNCOV

501



        insnonterm.insert(rr->d_name);




×








UNCOV

502



      } else if (!foundOtherWithSameName) {





×







503



        // If we didn't have to insert an ENT, we might have deleted a record at very deep level










504



        // and we must then clean up the ENT's above the deleted record.











UNCOV

505



        DNSName shorter(rr->d_name);




×








UNCOV

506



        while (shorter != di->zone.operator const DNSName&()) {





×








UNCOV

507



          shorter.chopOff();




×








UNCOV

508



          bool foundRealRR = false;




×








UNCOV

509



          bool foundEnt = false;




×







510












511



          // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch










512



          // consider these non ENT-records:










513



          // b.c.d.e.test.com










514



          // b.d.e.test.com










515



          // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.










516



          // At that point we can stop deleting ENT's because the tree is in tact again.











UNCOV

517



          di->backend->listSubZone(ZoneName(shorter), di->id);




×







518













UNCOV

519



          while (di->backend->get(rec)) {





×








UNCOV

520



            if (rec.qtype.getCode())





×








UNCOV

521



              foundRealRR = true;




×








UNCOV

522



            else




×








UNCOV

523



              foundEnt = true;




×








UNCOV

524



          }




×








UNCOV

525



          if (!foundRealRR) {





×








UNCOV

526



            if (foundEnt) // only delete the ENT if we actually found one.





×








UNCOV

527



              delnonterm.insert(shorter);




×








UNCOV

528



          } else




×








UNCOV

529



            break;




×








UNCOV

530



        }




×








UNCOV

531



      }




×








UNCOV

532



    } else { // if (recordsToDelete.size())




×








UNCOV

533



      g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but not found."<<endl;




×








UNCOV

534



    }




×








UNCOV

535



  } // (End of delete block d_class == ANY || d_class == NONE




×







536



  










537












538












539



  //Insert and delete ENT's











UNCOV

540



  if (insnonterm.size() > 0 || delnonterm.size() > 0) {





×








UNCOV

541



    DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);




×








UNCOV

542



    di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);




×








UNCOV

543



    for (const auto &i: insnonterm) {





×








UNCOV

544



      string hashed;




×








UNCOV

545



      if(*haveNSEC3)





×








UNCOV

546



      {




×








UNCOV

547



        DNSName ordername;




×








UNCOV

548



        if(! *narrow) {





×








UNCOV

549



          ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));




×








UNCOV

550



        }




×








UNCOV

551



        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, !*narrow);




×








UNCOV

552



      }




×








UNCOV

553



    }




×








UNCOV

554



  }




×







555













UNCOV

556



  return changedRecords;




×








UNCOV

557



}




×







558












559



int PacketHandler::forwardPacket(const string &msgPrefix, const DNSPacket& p, const DomainInfo& di) {




×







560



  vector<string> forward;




×







561



  B.getDomainMetadata(p.qdomainzone, "FORWARD-DNSUPDATE", forward);




×







562












563



  if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {





×







564



    g_log << Logger::Notice << msgPrefix << "Not configured to forward to primary, returning Refused." << endl;




×







565



    return RCode::Refused;




×







566



  }




×







567












568



  for (const auto& remote : di.primaries) {





×







569



    g_log << Logger::Notice << msgPrefix << "Forwarding packet to primary " << remote << endl;




×







570












571



    if (!pdns::isQueryLocalAddressFamilyEnabled(remote.sin4.sin_family)) {





×







572



      continue;




×







573



    }




×







574



    auto local = pdns::getQueryLocalAddress(remote.sin4.sin_family, 0);




×







575



    int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.




×







576



    if(sock < 0) {





×







577



      g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;




×







578



      continue;




×







579



    }




×







580












581



    if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {





×







582



      g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;




×







583



      try {




×







584



        closesocket(sock);




×







585



      }




×







586



      catch(const PDNSException& e) {




×







587



        g_log << Logger::Error << "Error closing primary forwarding socket after connect() failed: " << e.reason << endl;




×







588



      }




×







589



      continue;




×







590



    }




×







591












592



    DNSPacket l_forwardPacket(p);




×







593



    l_forwardPacket.setID(dns_random_uint16());




×







594



    l_forwardPacket.setRemote(&remote);




×







595



    uint16_t len=htons(l_forwardPacket.getString().length());




×







596



    string buffer((const char*)&len, 2);




×







597



    buffer.append(l_forwardPacket.getString());




×







598



    if(write(sock, buffer.c_str(), buffer.length()) < 0) {





×







599



      g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;




×







600



      try {




×







601



        closesocket(sock);




×







602



      }




×







603



      catch(const PDNSException& e) {




×







604



        g_log << Logger::Error << "Error closing primary forwarding socket after write() failed: " << e.reason << endl;




×







605



      }




×







606



      continue;




×







607



    }




×







608












609



    int res = waitForData(sock, 10, 0);




×







610



    if (!res) {





×







611



      g_log << Logger::Error << msgPrefix << "Timeout waiting for reply from primary at " << remote.toStringWithPort() << endl;




×







612



      try {




×







613



        closesocket(sock);




×







614



      }




×







615



      catch(const PDNSException& e) {




×







616



        g_log << Logger::Error << "Error closing primary forwarding socket after a timeout occurred: " << e.reason << endl;




×







617



      }




×







618



      continue;




×







619



    }




×







620



    if (res < 0) {





×







621



      g_log << Logger::Error << msgPrefix << "Error waiting for answer from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







622



      try {




×







623



        closesocket(sock);




×







624



      }




×







625



      catch(const PDNSException& e) {




×







626



        g_log << Logger::Error << "Error closing primary forwarding socket after an error occurred: " << e.reason << endl;




×







627



      }




×







628



      continue;




×







629



    }




×







630












631



    unsigned char lenBuf[2];




×







632



    ssize_t recvRes;




×







633



    recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);




×







634



    if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) {





×







635



      g_log << Logger::Error << msgPrefix << "Could not receive data (length) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







636



      try {




×







637



        closesocket(sock);




×







638



      }




×







639



      catch(const PDNSException& e) {




×







640



        g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;




×







641



      }




×







642



      continue;




×







643



    }




×







644



    size_t packetLen = lenBuf[0]*256+lenBuf[1];




×







645












646



    buffer.resize(packetLen);




×







647



    recvRes = recv(sock, &buffer.at(0), packetLen, 0);




×







648



    if (recvRes < 0) {





×







649



      g_log << Logger::Error << msgPrefix << "Could not receive data (dnspacket) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







650



      try {




×







651



        closesocket(sock);




×







652



      }




×







653



      catch(const PDNSException& e) {




×







654



        g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;




×







655



      }




×







656



      continue;




×







657



    }




×







658



    try {




×







659



      closesocket(sock);




×







660



    }




×







661



    catch(const PDNSException& e) {




×







662



      g_log << Logger::Error << "Error closing primary forwarding socket: " << e.reason << endl;




×







663



    }




×







664












665



    try {




×







666



      MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes));




×







667



      g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;




×







668



      return mdp.d_header.rcode;




×







669



    }




×







670



    catch (...) {




×







671



      g_log << Logger::Error << msgPrefix << "Failed to parse response packet from primary at " << remote.toStringWithPort() << endl;




×







672



      continue;




×







673



    }




×







674



  }




×







675



  g_log << Logger::Error << msgPrefix << "Failed to forward packet to primary(s). Returning ServFail." << endl;




×







676



  return RCode::ServFail;




×







677












678



}




×







679













UNCOV

680



int PacketHandler::processUpdate(DNSPacket& packet) { // NOLINT(readability-function-cognitive-complexity)




×








UNCOV

681



  if (! ::arg().mustDo("dnsupdate"))





×







682



    return RCode::Refused;




×







683













UNCOV

684



  string msgPrefix="UPDATE (" + std::to_string(packet.d.id) + ") from " + packet.getRemoteString() + " for " + packet.qdomainzone.toLogString() + ": ";




×








UNCOV

685



  g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl;




×







686












687



  // if there is policy, we delegate all checks to it











UNCOV

688



  if (this->d_update_policy_lua == nullptr) {





×







689












690



    // Check permissions - IP based











UNCOV

691



    vector<string> allowedRanges;




×








UNCOV

692



    B.getDomainMetadata(packet.qdomainzone, "ALLOW-DNSUPDATE-FROM", allowedRanges);




×








UNCOV

693



    if (! ::arg()["allow-dnsupdate-from"].empty())





×








UNCOV

694



      stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );




×







695













UNCOV

696



    NetmaskGroup ng;




×








UNCOV

697



    for(const auto& i: allowedRanges) {





×








UNCOV

698



      ng.addMask(i);




×








UNCOV

699



    }




×







700













UNCOV

701



    if ( ! ng.match(packet.getInnerRemote())) {





×







702



      g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;




×







703



      return RCode::Refused;




×







704



    }




×







705












706












707



    // Check permissions - TSIG based.











UNCOV

708



    vector<string> tsigKeys;




×








UNCOV

709



    B.getDomainMetadata(packet.qdomainzone, "TSIG-ALLOW-DNSUPDATE", tsigKeys);




×








UNCOV

710



    if (tsigKeys.size() > 0) {





×







711



      bool validKey = false;




×







712












713



      TSIGRecordContent trc;




×







714



      DNSName inputkey;




×







715



      string message;




×







716



      if (! packet.getTSIGDetails(&trc,  &inputkey)) {





×







717



        g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;




×







718



        return RCode::Refused;




×







719



      }




×







720



#ifdef ENABLE_GSS_TSIG




×







721



      if (g_doGssTSIG && packet.d_tsig_algo == TSIG_GSS) {





×







722



        GssName inputname(packet.d_peer_principal); // match against principal since GSS requires that




×







723



        for(const auto& key: tsigKeys) {





×







724



          if (inputname.match(key)) {





×







725



            validKey = true;




×







726



            break;




×







727



          }




×







728



        }




×







729



      }




×







730



      else




×







731



#endif




×







732



        {




×







733



        for(const auto& key: tsigKeys) {





×







734



          if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.





×







735



            validKey=true;




×







736



            break;




×







737



          }




×







738



        }




×







739



      }




×







740












741



      if (!validKey) {





×







742



        g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;




×







743



        return RCode::Refused;




×







744



      }




×








UNCOV

745



    } else if(::arg().mustDo("dnsupdate-require-tsig")) {





×







746



      g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but domain is not secured with TSIG. Sending REFUSED"<<endl;




×







747



      return RCode::Refused;




×







748



    }




×







749













UNCOV

750



    if (tsigKeys.empty() && packet.d_havetsig) {





×







751



      g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;




×







752



    }




×







753













UNCOV

754



  }




×







755












756



  // RFC2136 uses the same DNS Header and Message as defined in RFC1035.










757



  // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different










758



  // variable names during the use of our MOADNSParser.











UNCOV

759



  MOADNSParser mdp(false, packet.getString());




×








UNCOV

760



  if (mdp.d_header.qdcount != 1) {





×







761



    g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;




×







762



    return RCode::FormErr;




×







763



  }




×







764













UNCOV

765



  if (packet.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA





×







766



    g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;




×







767



    return RCode::FormErr;




×







768



  }




×







769













UNCOV

770



  if (packet.qclass != QClass::IN) {





×







771



    g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;




×







772



    return RCode::NotAuth;




×







773



  }




×







774













UNCOV

775



  DomainInfo di;




×








UNCOV

776



  di.backend=nullptr;




×








UNCOV

777



  if(!B.getDomainInfo(packet.qdomainzone, di) || (di.backend == nullptr)) {





×








UNCOV

778



    g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<packet.qdomainzone<<"' (or backend does not support DNS update operation)"<<endl;




×








UNCOV

779



    return RCode::NotAuth;




×








UNCOV

780



  }




×







781













UNCOV

782



  if (di.kind == DomainInfo::Secondary)





×







783



    return forwardPacket(msgPrefix, packet, di);




×







784












785



  // Check if all the records provided are within the zone











UNCOV

786



  for(const auto & answer : mdp.d_answers) {





×








UNCOV

787



    const DNSRecord *dnsRecord = &answer;




×







788



    // Skip this check for other field types (like the TSIG -  which is in the additional section)










789



    // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.











UNCOV

790



    if (dnsRecord->d_place != DNSResourceRecord::ANSWER && dnsRecord->d_place != DNSResourceRecord::AUTHORITY) {





×







791



      continue;




×







792



    }




×







793













UNCOV

794



    if (!dnsRecord->d_name.isPartOf(di.zone)) {





×








UNCOV

795



      g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;




×








UNCOV

796



      return RCode::NotZone;




×








UNCOV

797



    }




×








UNCOV

798



  }




×







799












800













UNCOV

801



  auto lock = std::scoped_lock(s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything




×








UNCOV

802



  g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;




×








UNCOV

803



  if (!di.backend->startTransaction(packet.qdomainzone, UnknownDomainID)) { // Not giving the domain_id means that we do not delete the existing records.





×







804



    g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<packet.qdomainzone<<" does not support transaction. Can't do Update packet."<<endl;




×







805



    return RCode::NotImp;




×







806



  }




×







807












808



  // 3.2.1 and 3.2.2 - Prerequisite check











UNCOV

809



  for(const auto & answer : mdp.d_answers) {





×








UNCOV

810



    const DNSRecord *dnsRecord = &answer;




×








UNCOV

811



    if (dnsRecord->d_place == DNSResourceRecord::ANSWER) {





×








UNCOV

812



      int res = checkUpdatePrerequisites(dnsRecord, &di);




×








UNCOV

813



      if (res>0) {





×








UNCOV

814



        g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check for "<<dnsRecord->d_name<<", returning "<<RCode::to_s(res)<<endl;




×








UNCOV

815



        di.backend->abortTransaction();




×








UNCOV

816



        return res;




×








UNCOV

817



      }




×








UNCOV

818



    }




×








UNCOV

819



  }




×







820












821



  // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR.











UNCOV

822



  typedef pair<DNSName, QType> rrSetKey_t;




×








UNCOV

823



  typedef vector<DNSResourceRecord> rrVector_t;




×








UNCOV

824



  typedef std::map<rrSetKey_t, rrVector_t> RRsetMap_t;




×








UNCOV

825



  RRsetMap_t preReqRRsets;




×








UNCOV

826



  for(const auto& i: mdp.d_answers) {





×








UNCOV

827



    const DNSRecord* dnsRecord = &i;




×








UNCOV

828



    if (dnsRecord->d_place == DNSResourceRecord::ANSWER) {





×







829



      // Last line of 3.2.3











UNCOV

830



      if (dnsRecord->d_class != QClass::IN && dnsRecord->d_class != QClass::NONE && dnsRecord->d_class != QClass::ANY) {





×







831



        di.backend->abortTransaction();




×







832



        return RCode::FormErr;




×







833



      }




×







834













UNCOV

835



      if (dnsRecord->d_class == QClass::IN) {





×








UNCOV

836



        rrSetKey_t key = {dnsRecord->d_name, QType(dnsRecord->d_type)};




×








UNCOV

837



        rrVector_t *vec = &preReqRRsets[key];




×








UNCOV

838



        vec->push_back(DNSResourceRecord::fromWire(*dnsRecord));




×








UNCOV

839



      }




×








UNCOV

840



    }




×








UNCOV

841



  }




×







842













UNCOV

843



  if (preReqRRsets.size() > 0) {





×








UNCOV

844



    RRsetMap_t zoneRRsets;




×








UNCOV

845



    for (auto & preReqRRset : preReqRRsets) {





×








UNCOV

846



      rrSetKey_t rrSet=preReqRRset.first;




×








UNCOV

847



      rrVector_t *vec = &preReqRRset.second;




×







848













UNCOV

849



      DNSResourceRecord rec;




×








UNCOV

850



      di.backend->lookup(QType(QType::ANY), rrSet.first, di.id);




×








UNCOV

851



      uint16_t foundRR=0, matchRR=0;




×








UNCOV

852



      while (di.backend->get(rec)) {





×








UNCOV

853



        if (rec.qtype == rrSet.second) {





×








UNCOV

854



          foundRR++;




×








UNCOV

855



          for(auto & rrItem : *vec) {





×








UNCOV

856



            rrItem.ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.




×








UNCOV

857



            if (rrItem == rec)





×








UNCOV

858



              matchRR++;




×








UNCOV

859



          }




×








UNCOV

860



        }




×








UNCOV

861



      }




×








UNCOV

862



      if (matchRR != foundRR || foundRR != vec->size()) {





×








UNCOV

863



        g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl;




×








UNCOV

864



        di.backend->abortTransaction();




×








UNCOV

865



        return RCode::NXRRSet;




×








UNCOV

866



      }




×








UNCOV

867



    }




×








UNCOV

868



  }




×







869












870












871












872



  // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.











UNCOV

873



  try {




×








UNCOV

874



    uint changedRecords = 0;




×







875



    // 3.4.1 - Prescan section











UNCOV

876



    for(const auto & answer : mdp.d_answers) {





×








UNCOV

877



      const DNSRecord *dnsRecord = &answer;




×








UNCOV

878



      if (dnsRecord->d_place == DNSResourceRecord::AUTHORITY) {





×








UNCOV

879



        int res = checkUpdatePrescan(dnsRecord);




×








UNCOV

880



        if (res>0) {





×








UNCOV

881



          g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;




×








UNCOV

882



          di.backend->abortTransaction();




×








UNCOV

883



          return res;




×








UNCOV

884



        }




×








UNCOV

885



      }




×








UNCOV

886



    }




×







887













UNCOV

888



    bool updatedSerial=false;




×








UNCOV

889



    NSEC3PARAMRecordContent ns3pr;




×








UNCOV

890



    bool narrow=false;




×








UNCOV

891



    bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);




×








UNCOV

892



    bool isPresigned = d_dk.isPresigned(di.zone);




×








UNCOV

893



    string soaEditSetting;




×








UNCOV

894



    d_dk.getSoaEdit(di.zone, soaEditSetting);




×







895












896



    // 3.4.2 - Perform the updates.










897



    // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)










898



    // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.











UNCOV

899



    vector<const DNSRecord *> nsRRtoDelete;




×







900












901



    // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270)











UNCOV

902



    set<DNSName> cn, nocn;




×








UNCOV

903



    for (const auto &rr : mdp.d_answers) {





×








UNCOV

904



      if (rr.d_place == DNSResourceRecord::AUTHORITY && rr.d_class == QClass::IN && rr.d_ttl > 0) {





×







905



        // Addition











UNCOV

906



        if (rr.d_type == QType::CNAME) {





×








UNCOV

907



          cn.insert(rr.d_name);




×








UNCOV

908



        } else if (rr.d_type != QType::RRSIG) {





×








UNCOV

909



          nocn.insert(rr.d_name);




×








UNCOV

910



        }




×








UNCOV

911



      }




×








UNCOV

912



    }




×








UNCOV

913



    for (auto const &n : cn) {





×








UNCOV

914



      if (nocn.count(n) > 0) {





×








UNCOV

915



        g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl;




×








UNCOV

916



        di.backend->abortTransaction();




×








UNCOV

917



        return RCode::FormErr;




×








UNCOV

918



      }




×








UNCOV

919



    }




×







920













UNCOV

921



    vector<const DNSRecord *> cnamesToAdd, nonCnamesToAdd;




×








UNCOV

922



    for(const auto & answer : mdp.d_answers) {





×








UNCOV

923



      const DNSRecord *dnsRecord = &answer;




×








UNCOV

924



      if (dnsRecord->d_place == DNSResourceRecord::AUTHORITY) {





×







925



        /* see if it's permitted by policy */











UNCOV

926



        if (this->d_update_policy_lua != nullptr) {





×







927



          if (!this->d_update_policy_lua->updatePolicy(dnsRecord->d_name, QType(dnsRecord->d_type), di.zone.operator const DNSName&(), packet)) {





×







928



            g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << dnsRecord->d_name << "/" << QType(dnsRecord->d_type).toString() << ": Not permitted by policy"<<endl;




×







929



            continue;




×







930



          } else {




×







931



            g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << dnsRecord->d_name << "/" << QType(dnsRecord->d_type).toString() << ": Permitted by policy"<<endl;




×







932



          }




×







933



        }




×







934













UNCOV

935



        if (dnsRecord->d_class == QClass::NONE  && dnsRecord->d_type == QType::NS && dnsRecord->d_name == di.zone.operator const DNSName&()) {





×








UNCOV

936



          nsRRtoDelete.push_back(dnsRecord);




×








UNCOV

937



        }




×








UNCOV

938



        else if (dnsRecord->d_class == QClass::IN &&  dnsRecord->d_ttl > 0) {





×








UNCOV

939



          if (dnsRecord->d_type == QType::CNAME) {





×








UNCOV

940



            cnamesToAdd.push_back(dnsRecord);




×








UNCOV

941



          } else {




×








UNCOV

942



            nonCnamesToAdd.push_back(dnsRecord);




×








UNCOV

943



          }




×








UNCOV

944



        }




×








UNCOV

945



        else




×








UNCOV

946



          changedRecords += performUpdate(msgPrefix, dnsRecord, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);




×








UNCOV

947



      }




×








UNCOV

948



    }




×








UNCOV

949



    for (const auto &rr : cnamesToAdd) {





×








UNCOV

950



      DNSResourceRecord rec;




×








UNCOV

951



      di.backend->lookup(QType(QType::ANY), rr->d_name, di.id);




×








UNCOV

952



      while (di.backend->get(rec)) {





×








UNCOV

953



        if (rec.qtype != QType::CNAME && rec.qtype != QType::ENT && rec.qtype != QType::RRSIG) {





×







954



          // leave database handle in a consistent state











UNCOV

955



          while (di.backend->get(rec))





×







956



            ;




×








UNCOV

957



          g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Data other than CNAME exists for the same name"<<endl;




×








UNCOV

958



          di.backend->abortTransaction();




×








UNCOV

959



          return RCode::Refused;




×








UNCOV

960



        }




×








UNCOV

961



      }




×








UNCOV

962



      changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);




×








UNCOV

963



    }




×








UNCOV

964



    for (const auto &rr : nonCnamesToAdd) {





×








UNCOV

965



      DNSResourceRecord rec;




×








UNCOV

966



      di.backend->lookup(QType(QType::CNAME), rr->d_name, di.id);




×








UNCOV

967



      while (di.backend->get(rec)) {





×








UNCOV

968



        if (rec.qtype == QType::CNAME && rr->d_type != QType::RRSIG) {





×







969



          // leave database handle in a consistent state











UNCOV

970



          while (di.backend->get(rec))





×







971



            ;




×








UNCOV

972



          g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": CNAME exists for the same name"<<endl;




×








UNCOV

973



          di.backend->abortTransaction();




×








UNCOV

974



          return RCode::Refused;




×








UNCOV

975



        }




×








UNCOV

976



      }




×








UNCOV

977



      changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);




×








UNCOV

978



    }




×








UNCOV

979



    if (nsRRtoDelete.size()) {





×








UNCOV

980



      vector<DNSResourceRecord> nsRRInZone;




×








UNCOV

981



      DNSResourceRecord rec;




×








UNCOV

982



      di.backend->lookup(QType(QType::NS), di.zone.operator const DNSName&(), di.id);




×








UNCOV

983



      while (di.backend->get(rec)) {





×








UNCOV

984



        nsRRInZone.push_back(rec);




×








UNCOV

985



      }




×








UNCOV

986



      if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)





×








UNCOV

987



        for (auto& inZone: nsRRInZone) {





×








UNCOV

988



          for (auto& rr: nsRRtoDelete) {





×








UNCOV

989



            if (inZone.getZoneRepresentation() == (rr)->getContent()->getZoneRepresentation())





×








UNCOV

990



              changedRecords += performUpdate(msgPrefix, rr, &di, isPresigned, &narrow, &haveNSEC3, &ns3pr, &updatedSerial);




×








UNCOV

991



          }




×








UNCOV

992



        }




×








UNCOV

993



      }




×








UNCOV

994



    }




×







995












996



    // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message











UNCOV

997



    if (changedRecords > 0 && !updatedSerial) {





×








UNCOV

998



      increaseSerial(msgPrefix, &di, soaEditSetting, haveNSEC3, narrow, &ns3pr);




×








UNCOV

999



      changedRecords++;




×








UNCOV

1000



    }




×







1001













UNCOV

1002



    if (changedRecords > 0) {





×








UNCOV

1003



      if (!di.backend->commitTransaction()) {





×







1004



       g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;




×







1005



        return RCode::ServFail;




×







1006



      }




×







1007













UNCOV

1008



      S.deposit("dnsupdate-changes", changedRecords);




×







1009













UNCOV

1010



      d_dk.clearMetaCache(di.zone);




×







1011



      // Purge the records!











UNCOV

1012



      purgeAuthCaches(di.zone.operator const DNSName&().toString() + "$");




×







1013












1014



      // Notify secondaries











UNCOV

1015



      if (di.kind == DomainInfo::Primary) {





×








UNCOV

1016



        vector<string> notify;




×








UNCOV

1017



        B.getDomainMetadata(packet.qdomainzone, "NOTIFY-DNSUPDATE", notify);




×








UNCOV

1018



        if (!notify.empty() && notify.front() == "1") {





×







1019



          Communicator.notifyDomain(di.zone, &B);




×







1020



        }




×








UNCOV

1021



      }




×







1022













UNCOV

1023



      g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;




×








UNCOV

1024



    } else {




×







1025



      //No change, no commit, we perform abort() because some backends might like this more.











UNCOV

1026



      g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;




×








UNCOV

1027



      di.backend->abortTransaction();




×








UNCOV

1028



    }




×








UNCOV

1029



    return RCode::NoError; //rfc 2136 3.4.2.5




×








UNCOV

1030



  }




×








UNCOV

1031



  catch (SSqlException &e) {




×







1032



    g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;




×







1033



    di.backend->abortTransaction();




×







1034



    return RCode::ServFail;




×







1035



  }




×








UNCOV

1036



  catch (DBException &e) {




×







1037



    g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;




×







1038



    di.backend->abortTransaction();




×







1039



    return RCode::ServFail;




×







1040



  }




×








UNCOV

1041



  catch (PDNSException &e) {




×







1042



    g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;




×







1043



    di.backend->abortTransaction();




×







1044



    return RCode::ServFail;




×







1045



  }




×








UNCOV

1046



  catch(std::exception &e) {




×







1047



    g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;




×







1048



    di.backend->abortTransaction();




×







1049



    return RCode::ServFail;




×







1050



  }




×








UNCOV

1051



  catch (...) {




×







1052



    g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;




×







1053



    di.backend->abortTransaction();




×







1054



    return RCode::ServFail;




×







1055



  }




×








UNCOV

1056



}




×







1057













UNCOV

1058



void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting,  bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {




×








UNCOV

1059



  SOAData sd;




×








UNCOV

1060



  if (!di->backend->getSOA(di->zone, di->id, sd)) {





×







1061



    throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");




×







1062



  }




×







1063













UNCOV

1064



  uint32_t oldSerial = sd.serial;




×







1065













UNCOV

1066



  vector<string> soaEdit2136Setting;




×








UNCOV

1067



  B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);




×








UNCOV

1068



  string soaEdit2136 = "DEFAULT";




×








UNCOV

1069



  string soaEdit;




×








UNCOV

1070



  if (!soaEdit2136Setting.empty()) {





×







1071



    soaEdit2136 = soaEdit2136Setting[0];




×







1072



    if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){





×







1073



      if (soaEditSetting.empty()) {





×







1074



        g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;




×







1075



        soaEdit2136 = "DEFAULT";




×







1076



      } else




×







1077



        soaEdit = soaEditSetting;




×







1078



    }




×







1079



  }




×







1080













UNCOV

1081



  DNSResourceRecord rr;




×








UNCOV

1082



  if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) {





×








UNCOV

1083



    di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr));




×








UNCOV

1084



    g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;




×







1085












1086



    //Correct ordername + auth flag











UNCOV

1087



    DNSName ordername;




×








UNCOV

1088



    if (haveNSEC3) {





×








UNCOV

1089



      if (!narrow) {





×








UNCOV

1090



        ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));




×








UNCOV

1091



      }




×








UNCOV

1092



    } else { // NSEC




×








UNCOV

1093



      ordername = rr.qname.makeRelative(di->zone);




×








UNCOV

1094



    }




×








UNCOV

1095



    di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow);





×








UNCOV

1096



  }




×








UNCOV

1097



}




×





















    

  • 

    •