PowerDNS / pdns / 17468346531

coverage: 65.858% (-0.1%) from 65.97%
17468346531

Pull #16040

github

web-flow 
Merge d7e69d5eb into 858e581ad
Pull Request #16040: rest api: better report ill-formed zone data

42107 of 92548 branches covered (45.5%)

Branch coverage included in aggregate %.

25 of 29 new or added lines in 1 file covered. (86.21%)

1653 existing lines in 28 files now uncovered.

128067 of 165849 relevant lines covered (77.22%)

5792596.38 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

72.77
/pdns/rfc2136handler.cc
1 
#include "dnswriter.hh"
2 
#ifdef HAVE_CONFIG_H
3 
#include "config.h"
4 
#endif
5 
#include "packethandler.hh"
6 
#include "qtype.hh"
7 
#include "dnspacket.hh"
8 
#include "auth-caches.hh"
9 
#include "statbag.hh"
10 
#include "dnsseckeeper.hh"
11 
#include "base64.hh"
12 
#include "base32.hh"
13 









14



#include "misc.hh"










15



#include "arguments.hh"










16



#include "resolver.hh"










17



#include "dns_random.hh"










18



#include "backends/gsql/ssql.hh"










19



#include "communicator.hh"










20



#include "query-local-address.hh"










21



#include "gss_context.hh"










22



#include "auth-main.hh"










23












24



extern StatBag S;










25












26



std::mutex PacketHandler::s_rfc2136lock;










27












28



// Implement section 3.2.1 and 3.2.2 of RFC2136










29



int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) {




418





30



  if (rr->d_ttl != 0)





418!






UNCOV

31



    return RCode::FormErr;




×







32












33



  // 3.2.1 and 3.2.2 check content length.










34



  if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0)





418!






UNCOV

35



    return RCode::FormErr;




×







36












37



  bool foundRecord=false;




418





38



  DNSResourceRecord rec;




418





39



  di->backend->lookup(QType(QType::ANY), rr->d_name, di->id);




418





40



  while(di->backend->get(rec)) {





440





41



    if (!rec.qtype.getCode())





330





42



      continue;




22





43



    if ((rr->d_type != QType::ANY && rec.qtype == rr->d_type) || rr->d_type == QType::ANY) {





308!





44



      foundRecord=true;




308





45



      di->backend->lookupEnd();




308





46



      break;




308





47



    }




308





48



  }




308





49












50



  // Section 3.2.1










51



  if (rr->d_class == QClass::ANY && !foundRecord) {





418





52



    if (rr->d_type == QType::ANY)





66





53



      return RCode::NXDomain;




44





54



    if (rr->d_type != QType::ANY)





22!





55



      return RCode::NXRRSet;




22





56



  }




22





57












58



  // Section 3.2.2










59



  if (rr->d_class == QClass::NONE && foundRecord) {





352





60



    if (rr->d_type == QType::ANY)





44





61



      return RCode::YXDomain;




22





62



    if (rr->d_type != QType::ANY)





22!





63



      return RCode::YXRRSet;




22





64



  }




22





65












66



  return RCode::NoError;




308





67



}




352





68












69












70



// Method implements section 3.4.1 of RFC2136










71



int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) {




5,006





72



  // The RFC stats that d_class != ZCLASS, but we only support the IN class.










73



  if (rr->d_class != QClass::IN && rr->d_class != QClass::NONE && rr->d_class != QClass::ANY) {





5,006!






UNCOV

74



    return RCode::FormErr;




×







75



  }




×







76












77



  QType qtype = QType(rr->d_type);




5,006





78












79



  if (!qtype.isSupportedType()) {





5,006!






UNCOV

80



    return RCode::FormErr;




×







81



  }




×







82












83



  if ((rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_ttl != 0) {





5,006!






UNCOV

84



    return RCode::FormErr;




×







85



  }




×







86












87



  if (rr->d_class == QClass::ANY && rr->d_clen != 0) {





5,006!






UNCOV

88



    return RCode::FormErr;




×







89



  }




×







90












91



  if (qtype.isMetadataType()) {





5,006!






UNCOV

92



    return RCode::FormErr;




×







93



  }




×







94












95



  if (rr->d_class != QClass::ANY && qtype.getCode() == QType::ANY) {





5,006





96



    return RCode::FormErr;




22





97



  }




22





98












99



  return RCode::NoError;




4,984





100



}




5,006





101












102












103



// Implements section 3.4.2 of RFC2136










104



// NOLINTNEXTLINE(readability-function-cognitive-complexity)










105



static uint performUpdate(DNSSECKeeper& dsk, const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool& narrow, bool& haveNSEC3, NSEC3PARAMRecordContent& ns3pr, bool& updatedSerial) // NOLINT(readability-identifier-length)










106



{




4,852





107



  QType rrType = QType(rr->d_type);




4,852





108












109



  if (rrType == QType::NSEC || rrType == QType::NSEC3) {





4,852!






UNCOV

110



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<". These are generated records, ignoring!"<<endl;




×







111



    return 0;




×







112



  }




×







113












114



  if (!isPresigned && rrType == QType::RRSIG) {





4,852!






UNCOV

115



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<" in non-presigned zone, ignoring!"<<endl;




×







116



    return 0;




×







117



  }




×







118












119



  if ((rrType == QType::NSEC3PARAM || rrType == QType::DNSKEY) && rr->d_name != di->zone.operator const DNSName&()) {





4,852!






UNCOV

120



    g_log<<Logger::Warning<<msgPrefix<<"Trying to add/update/delete "<<rr->d_name<<"|"<<rrType.toString()<<", "<<rrType.toString()<<" must be at zone apex, ignoring!"<<endl;




×







121



    return 0;




×







122



  }




×







123












124












125



  uint changedRecords = 0;




4,852





126



  DNSResourceRecord rec;




4,852





127



  vector<DNSResourceRecord> rrset, recordsToDelete;




4,852





128



  set<DNSName> delnonterm, insnonterm; // used to (at the end) fix ENT records.




4,852





129












130












131



  if (rr->d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update





4,852





132



    DLOG(g_log<<msgPrefix<<"Add/Update record (QClass == IN) "<<rr->d_name<<"|"<<rrType.toString()<<endl);




3,644





133












134



    if (rrType == QType::NSEC3PARAM) {





3,644





135



      g_log<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;




44





136












137



      ns3pr = NSEC3PARAMRecordContent(rr->getContent()->getZoneRepresentation(), di->zone);




44





138



      narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record




44





139



      dsk.setNSEC3PARAM(di->zone, ns3pr, narrow);




44





140



      haveNSEC3 = true;




44





141












142



      string error;




44





143



      string info;




44





144



      if (!dsk.rectifyZone(di->zone, error, info, false)) {





44!






UNCOV

145



        throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);




×







146



      }




×







147



      return 1;




44





148



    }




44





149












150












151












152



    bool foundRecord = false;




3,600





153



    di->backend->lookup(rrType, rr->d_name, di->id);




3,600





154



    while (di->backend->get(rec)) {





110,828





155



      rrset.push_back(rec);




107,228





156



      foundRecord = true;




107,228





157



    }




107,228





158












159



    if (foundRecord) {





3,600





160












161



      if (rrType == QType::SOA) { // SOA updates require the serial to be higher than the current





2,552





162



        SOAData sdOld, sdUpdate;




88





163



        DNSResourceRecord *oldRec = &rrset.front();




88





164



        fillSOAData(oldRec->content, sdOld);




88





165



        oldRec->setContent(rr->getContent()->getZoneRepresentation());




88





166



        fillSOAData(oldRec->content, sdUpdate);




88





167



        if (rfc1982LessThan(sdOld.serial, sdUpdate.serial)) {





88





168



          di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset);




44





169



          updatedSerial = true;




44





170



          changedRecords++;




44





171



          g_log<<Logger::Notice<<msgPrefix<<"Replacing SOA record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




44





172



        } else {




44





173



          g_log<<Logger::Notice<<msgPrefix<<"Provided serial ("<<sdUpdate.serial<<") is older than the current serial ("<<sdOld.serial<<"), ignoring SOA update."<<endl;




44





174



        }




44





175












176



      // It's not possible to have multiple CNAME's with the same NAME. So we always update.










177



      } else if (rrType == QType::CNAME) {





2,464





178



        int changedCNames = 0;




44





179



        for (auto& i : rrset) {





44





180



          if (i.ttl != rr->d_ttl || i.content != rr->getContent()->getZoneRepresentation()) {





44!





181



            i.ttl = rr->d_ttl;




44





182



            i.setContent(rr->getContent()->getZoneRepresentation());




44





183



            changedCNames++;




44





184



          }




44





185



        }




44





186



        if (changedCNames > 0) {





44!





187



          di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




44





188



          g_log<<Logger::Notice<<msgPrefix<<"Replacing CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




44





189



          changedRecords += changedCNames;




44





190



        } else {




44






UNCOV

191



          g_log<<Logger::Notice<<msgPrefix<<"Replace for CNAME record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;




×







192



        }




×







193












194



      // In any other case, we must check if the TYPE and RDATA match to provide an update (which effectively means a update of TTL)










195



      } else {




2,420





196



        int updateTTL=0;




2,420





197



        foundRecord = false;




2,420





198



        bool lowerCase = false;




2,420





199



        if (rrType.getCode() == QType::PTR ||





2,420





200



            rrType.getCode() == QType::MX ||





2,420





201



            rrType.getCode() == QType::SRV) {





2,420





202



          lowerCase = true;




154





203



        }




154





204



        string content = rr->getContent()->getZoneRepresentation();




2,420





205



        if (lowerCase) content = toLower(content);





2,420





206



        for (auto& i : rrset) {





107,096





207



          string icontent = i.getZoneRepresentation();




107,096





208



          if (lowerCase) icontent = toLower(icontent);





107,096





209



          if (rrType == i.qtype.getCode()) {





107,096!





210



            if (icontent == content) {





107,096





211



              foundRecord=true;




132





212



            }




132





213



            if (i.ttl != rr->d_ttl)  {





107,096





214



              i.ttl = rr->d_ttl;




264





215



              updateTTL++;




264





216



            }




264





217



          }




107,096





218



        }




107,096





219



        if (updateTTL > 0) {





2,420





220



          di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




154





221



          g_log<<Logger::Notice<<msgPrefix<<"Updating TTLs for "<<rr->d_name<<"|"<<rrType.toString()<<endl;




154





222



          changedRecords += updateTTL;




154





223



        } else {




2,266





224



          g_log<<Logger::Notice<<msgPrefix<<"Replace for recordset "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but no changes made."<<endl;




2,266





225



        }




2,266





226



      }




2,420





227












228



      // ReplaceRRSet dumps our ordername and auth flag, so we need to correct it if we have changed records.










229



      // We can take the auth flag from the first RR in the set, as the name is different, so should the auth be.










230



      if (changedRecords > 0) {





2,552





231



        bool auth = rrset.front().auth;




242





232












233



        if(haveNSEC3) {





242





234



          DNSName ordername;




132





235



          if(! narrow) {





132





236



            ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, rr->d_name)));




88





237



          }




88





238












239



          if (narrow) {





132





240



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);




44





241



          }




44





242



          else {




88





243



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);




88





244



          }




88





245



          if(!auth || rrType == QType::DS) {





132!





246



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !narrow);




×







247



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !narrow);




×







248



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !narrow);




×







249



          }




×







250












251



        } else { // NSEC




132





252



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth, QType::ANY, false);




110





253



          if(!auth || rrType == QType::DS) {





110!





254



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);




×







255



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);




×







256



          }




×







257



        }




110





258



      }




242





259












260



    } // if (foundRecord)




2,552





261












262



    // If we haven't found a record that matches, we must add it.










263



    if (! foundRecord) {





3,600





264



      g_log<<Logger::Notice<<msgPrefix<<"Adding record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




3,336





265



      delnonterm.insert(rr->d_name); // always remove any ENT's in the place where we're going to add a record.




3,336





266



      auto newRec = DNSResourceRecord::fromWire(*rr);




3,336





267



      newRec.domain_id = di->id;




3,336





268



      newRec.auth = (rr->d_name == di->zone.operator const DNSName&() || rrType.getCode() != QType::NS);





3,336





269



      di->backend->feedRecord(newRec, DNSName());




3,336





270



      changedRecords++;




3,336





271












272












273



      // because we added a record, we need to fix DNSSEC data.










274



      DNSName shorter(rr->d_name);




3,336





275



      bool auth=newRec.auth;




3,336





276



      bool fixDS = (rrType == QType::DS);




3,336





277












278



      if (di->zone.operator const DNSName&() != shorter) { // Everything at APEX is auth=1 && no ENT's





3,336





279



        do {




6,672





280












281



          if (di->zone.operator const DNSName&() == shorter) {





6,672





282



            break;




2,882





283



          }




2,882





284












285



          bool foundShorter = false;




3,790





286



          di->backend->lookup(QType(QType::ANY), shorter, di->id);




3,790





287



          while (di->backend->get(rec)) {





114,280





288



            if (rec.qname == rr->d_name && rec.qtype == QType::DS)





110,490





289



              fixDS = true;




66





290



            if (shorter != rr->d_name) {





110,490





291



              foundShorter = true;




366





292



            }




366





293



            if (rec.qtype == QType::NS) // are we inserting below a delegate?





110,490





294



              auth=false;




550





295



          }




110,490





296












297



          if (!foundShorter && auth && shorter != rr->d_name) { // haven't found any record at current level, insert ENT.





3,790





298



            insnonterm.insert(shorter);




220





299



          }




220





300



          if (foundShorter)





3,790





301



            break; // if we find a shorter record, we can stop searching




278





302



        } while(shorter.chopOff());





3,790!





303



      }




3,160





304












305



      if(haveNSEC3)





3,336





306



      {




1,826





307



        DNSName ordername;




1,826





308



        if(! narrow) {





1,826





309



          ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, rr->d_name)));




1,222





310



        }




1,222





311












312



        if (narrow) {





1,826





313



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);




604





314



        }




604





315



        else {




1,222





316



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);




1,222





317



        }




1,222





318












319



        if (fixDS) {





1,826





320



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, !narrow);




36





321



        }




36





322












323



        if(!auth) {





1,826





324



          if (ns3pr.d_flags != 0) {





228





325



            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !narrow);




152





326



          }




152





327



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !narrow);




228





328



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !narrow);




228





329



        }




228





330



      }




1,826





331



      else { // NSEC




1,510





332



        DNSName ordername=rr->d_name.makeRelative(di->zone);




1,510





333



        di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, false);




1,510





334



        if (fixDS) {





1,510





335



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, false);




30





336



        }




30





337



        if(!auth) {





1,510





338



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);




190





339



          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);




190





340



        }




190





341



      }




1,510





342












343












344



      // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate.










345



      // Auth can only be false when the rr->d_name is not the zone










346



      if (auth == false && rrType == QType::NS) {





3,336





347



        DLOG(g_log<<msgPrefix<<"Going to fix auth flags below "<<rr->d_name<<endl);




242





348



        insnonterm.clear(); // No ENT's are needed below delegates (auth=0)




242





349



        vector<DNSName> qnames;




242





350



        di->backend->listSubZone(ZoneName(rr->d_name), di->id);




242





351



        while(di->backend->get(rec)) {





726





352



          if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && rr->d_name != rec.qname) // Skip ENT, DS and our already corrected record.





484





353



            qnames.push_back(rec.qname);




132





354



        }




484





355



        for(const auto & qname : qnames) {





242





356



          if(haveNSEC3)  {





132





357



            DNSName ordername;




72





358



            if(! narrow) {





72





359



              ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname)));




48





360



            }




48





361












362



            if (narrow) {





72





363



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, false);




24





364



            }




24





365



            else {




48





366



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true);




48





367



            }




48





368












369



            if (ns3pr.d_flags != 0) {





72





370



              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, !narrow);




48





371



            }




48





372



          }




72





373



          else { // NSEC




60





374



            DNSName ordername=DNSName(qname).makeRelative(di->zone);




60





375



            di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false);




60





376



          }




60





377












378



          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, haveNSEC3 && !narrow);





132





379



          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, haveNSEC3 && !narrow);





132





380



        }




132





381



      }




242





382



    }




3,336





383



  } // rr->d_class == QClass::IN




3,600





384












385












386



  // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by










387



  // the code that calls this performUpdate().










388



  if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA.





4,808





389



    DLOG(g_log<<msgPrefix<<"Deleting records: "<<rr->d_name<<"; QClass:"<<rr->d_class<<"; rrType: "<<rrType.toString()<<endl);




1,186





390












391



    if (rrType == QType::NSEC3PARAM) {





1,186





392



      g_log<<Logger::Notice<<msgPrefix<<"Deleting NSEC3PARAM from zone, resetting ordernames."<<endl;




28





393



      // Be sure to use a ZoneName with a variant matching the domain we are










394



      // working on, for the sake of unsetNSEC3PARAM.










395



      ZoneName zonename(rr->d_name, di->zone.getVariant());




28





396



      if (rr->d_class == QClass::ANY) {





28!





397



        dsk.unsetNSEC3PARAM(zonename);




28





398



      }




28





399



      else if (rr->d_class == QClass::NONE) {





×







400



        NSEC3PARAMRecordContent nsec3rr(rr->getContent()->getZoneRepresentation(), di->zone);




×







401



        if (haveNSEC3 && ns3pr.getZoneRepresentation() == nsec3rr.getZoneRepresentation()) {





×







402



          dsk.unsetNSEC3PARAM(zonename);




×







403



        }




×







404



        else {




×








UNCOV

405



          return 0;




×








UNCOV

406



        }




×








UNCOV

407



      } else {




×








UNCOV

408



        return 0;




×








UNCOV

409



      }




×







410












411



      // Update NSEC3 variables, other RR's in this update package might need them as well.










412



      haveNSEC3 = false;




28





413



      narrow = false;




28





414












415



      string error;




28





416



      string info;




28





417



      if (!dsk.rectifyZone(di->zone, error, info, false)) {





28!






UNCOV

418



        throw PDNSException("Failed to rectify '" + di->zone.toLogString() + "': " + error);




×








UNCOV

419



      }




×







420



      return 1;




28





421



    } // end of NSEC3PARAM delete block




28





422












423












424



    di->backend->lookup(rrType, rr->d_name, di->id);




1,158





425



    while(di->backend->get(rec)) {





4,736





426



      if (rr->d_class == QClass::ANY) { // 3.4.2.3





3,578





427



        if (rec.qname == di->zone.operator const DNSName&() && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) { // Never delete all SOA and NS's





2,992!





428



          rrset.push_back(rec);




44





429



        }




44





430



        else




2,948





431



          recordsToDelete.push_back(rec);




2,948





432



      }




2,992





433



      if (rr->d_class == QClass::NONE) { // 3.4.2.4





3,578





434



        auto repr = rec.getZoneRepresentation();




586





435



        if (rec.qtype == QType::TXT) {





586





436



          DLOG(g_log<<msgPrefix<<"Adjusting TXT content from ["<<repr<<"]"<<endl);




66





437



          auto drc = DNSRecordContent::make(rec.qtype.getCode(), QClass::IN, repr);




66





438



          auto ser = drc->serialize(rec.qname, true, true);




66





439



          auto rc = DNSRecordContent::deserialize(rec.qname, rec.qtype.getCode(), ser);




66





440



          repr = rc->getZoneRepresentation(true);




66





441



          DLOG(g_log<<msgPrefix<<"Adjusted TXT content to ["<<repr<<"]"<<endl);




66





442



        }




66





443



        DLOG(g_log<<msgPrefix<<"Matching RR in RRset - (adjusted) representation from request=["<<repr<<"], rr->getContent()->getZoneRepresentation()=["<<rr->getContent()->getZoneRepresentation()<<"]"<<endl);




586





444



        if (rrType == rec.qtype && repr == rr->getContent()->getZoneRepresentation())





586!





445



          recordsToDelete.push_back(rec);




410





446



        else




176





447



          rrset.push_back(rec);




176





448



      }




586





449



    }




3,578





450



  










451



    if (recordsToDelete.size()) {





1,158





452



      di->backend->replaceRRSet(di->id, rr->d_name, rrType, rrset);




1,114





453



      g_log<<Logger::Notice<<msgPrefix<<"Deleting record "<<rr->d_name<<"|"<<rrType.toString()<<endl;




1,114





454



      changedRecords += recordsToDelete.size();




1,114





455












456












457



      // If we've removed a delegate, we need to reset ordername/auth for some records.










458



      if (rrType == QType::NS && rr->d_name != di->zone.operator const DNSName&()) { 





1,114





459



        vector<DNSName> belowOldDelegate, nsRecs, updateAuthFlag;




154





460



        di->backend->listSubZone(ZoneName(rr->d_name), di->id);




154





461



        while (di->backend->get(rec)) {





396





462



          if (rec.qtype.getCode()) // skip ENT records, they are always auth=false





242!





463



            belowOldDelegate.push_back(rec.qname);




242





464



          if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_name)





242!





465



            nsRecs.push_back(rec.qname);




22





466



        }




242





467












468



        for(auto &belowOldDel: belowOldDelegate)





154





469



        {




242





470



          bool isBelowDelegate = false;




242





471



          for(const auto & ns: nsRecs) {





242





472



            if (ns.isPartOf(belowOldDel)) {





66





473



              isBelowDelegate=true;




22





474



              break;




22





475



            }




22





476



          }




66





477



          if (!isBelowDelegate)





242





478



            updateAuthFlag.push_back(belowOldDel);




220





479



        }




242





480












481



        for (const auto &changeRec:updateAuthFlag) {





220





482



          DNSName ordername;




220





483



          if(haveNSEC3)  {





220





484



            if(! narrow) {





120





485



              ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, changeRec)));




80





486



            }




80





487



          }




120





488



          else { // NSEC




100





489



            ordername=changeRec.makeRelative(di->zone);




100





490



          }




100





491



          di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, haveNSEC3 && !narrow);





220





492



        }




220





493



      }




154





494












495



      // Fix ENT records.










496



      // We must check if we have a record below the current level and if we removed the 'last' record










497



      // on that level. If so, we must insert an ENT record.










498



      // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit.










499



      bool foundDeeper = false, foundOtherWithSameName = false;




1,114





500



      di->backend->listSubZone(ZoneName(rr->d_name), di->id);




1,114





501



      while (di->backend->get(rec)) {





6,328





502



        if (rec.qname == rr->d_name && !count(recordsToDelete.begin(), recordsToDelete.end(), rec))





5,214!





503



          foundOtherWithSameName = true;




946





504



        if (rec.qname != rr->d_name && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT





5,214





505



          foundDeeper = true;




3,872





506



      }




5,214





507












508



      if (foundDeeper && !foundOtherWithSameName) {





1,114





509



        insnonterm.insert(rr->d_name);




132





510



      } else if (!foundOtherWithSameName) {





982





511



        // If we didn't have to insert an ENT, we might have deleted a record at very deep level










512



        // and we must then clean up the ENT's above the deleted record.










513



        DNSName shorter(rr->d_name);




718





514



        while (shorter != di->zone.operator const DNSName&()) {





1,114!





515



          shorter.chopOff();




1,114





516



          bool foundRealRR = false;




1,114





517



          bool foundEnt = false;




1,114





518












519



          // The reason for a listSubZone here is because might go up the tree and find the ENT of another branch










520



          // consider these non ENT-records:










521



          // b.c.d.e.test.com










522



          // b.d.e.test.com










523



          // if we delete b.c.d.e.test.com, we go up to d.e.test.com and then find b.d.e.test.com because that's below d.e.test.com.










524



          // At that point we can stop deleting ENT's because the tree is in tact again.










525



          di->backend->listSubZone(ZoneName(shorter), di->id);




1,114





526












527



          while (di->backend->get(rec)) {





15,170





528



            if (rec.qtype.getCode())





14,056





529



              foundRealRR = true;




12,150





530



            else




1,906





531



              foundEnt = true;




1,906





532



          }




14,056





533



          if (!foundRealRR) {





1,114





534



            if (foundEnt) // only delete the ENT if we actually found one.





396





535



              delnonterm.insert(shorter);




330





536



          } else




396





537



            break;




718





538



        }




1,114





539



      }




718





540



    } else { // if (recordsToDelete.size())




1,114





541



      g_log<<Logger::Notice<<msgPrefix<<"Deletion for record "<<rr->d_name<<"|"<<rrType.toString()<<" requested, but not found."<<endl;




44





542



    }




44





543



  } // (End of delete block d_class == ANY || d_class == NONE




1,158





544



  










545












546












547



  //Insert and delete ENT's










548



  if (insnonterm.size() > 0 || delnonterm.size() > 0) {





4,780





549



    DLOG(g_log<<msgPrefix<<"Updating ENT records - "<<insnonterm.size()<<"|"<<delnonterm.size()<<endl);




3,644





550



    di->backend->updateEmptyNonTerminals(di->id, insnonterm, delnonterm, false);




3,644





551



    for (const auto &i: insnonterm) {





3,644





552



      string hashed;




352





553



      if(haveNSEC3)





352





554



      {




192





555



        DNSName ordername;




192





556



        if(! narrow) {





192





557



          ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, i)));




128





558



        }




128





559



        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, !narrow);




192





560



      }




192





561



    }




352





562



  }




3,644





563












564



  return changedRecords;




4,780





565



}




4,808





566












567



int PacketHandler::forwardPacket(const string &msgPrefix, const DNSPacket& p, const DomainInfo& di) {




×







568



  vector<string> forward;




×







569



  B.getDomainMetadata(p.qdomainzone, "FORWARD-DNSUPDATE", forward);




×







570












571



  if (forward.size() == 0 && ! ::arg().mustDo("forward-dnsupdate")) {





×







572



    g_log << Logger::Notice << msgPrefix << "Not configured to forward to primary, returning Refused." << endl;




×








UNCOV

573



    return RCode::Refused;




×







574



  }




×







575












576



  for (const auto& remote : di.primaries) {





×







577



    g_log << Logger::Notice << msgPrefix << "Forwarding packet to primary " << remote << endl;




×







578












579



    if (!pdns::isQueryLocalAddressFamilyEnabled(remote.sin4.sin_family)) {





×







580



      continue;




×







581



    }




×







582



    auto local = pdns::getQueryLocalAddress(remote.sin4.sin_family, 0);




×








UNCOV

583



    int sock = makeQuerySocket(local, false); // create TCP socket. RFC2136 section 6.2 seems to be ok with this.




×







584



    if(sock < 0) {





×







585



      g_log<<Logger::Error<<msgPrefix<<"Error creating socket: "<<stringerror()<<endl;




×







586



      continue;




×







587



    }




×







588












589



    if( connect(sock, (struct sockaddr*)&remote, remote.getSocklen()) < 0 ) {





×







590



      g_log<<Logger::Error<<msgPrefix<<"Failed to connect to "<<remote.toStringWithPort()<<": "<<stringerror()<<endl;




×







591



      try {




×







592



        closesocket(sock);




×







593



      }




×








UNCOV

594



      catch(const PDNSException& e) {




×







595



        g_log << Logger::Error << "Error closing primary forwarding socket after connect() failed: " << e.reason << endl;




×







596



      }




×







597



      continue;




×







598



    }




×







599












600



    DNSPacket l_forwardPacket(p);




×







601



    l_forwardPacket.setID(dns_random_uint16());




×







602



    l_forwardPacket.setRemote(&remote);




×







603



    uint16_t len=htons(l_forwardPacket.getString().length());




×







604



    string buffer((const char*)&len, 2);




×







605



    buffer.append(l_forwardPacket.getString());




×







606



    if(write(sock, buffer.c_str(), buffer.length()) < 0) {





×







607



      g_log<<Logger::Error<<msgPrefix<<"Unable to forward update message to "<<remote.toStringWithPort()<<", error:"<<stringerror()<<endl;




×







608



      try {




×







609



        closesocket(sock);




×







610



      }




×








UNCOV

611



      catch(const PDNSException& e) {




×







612



        g_log << Logger::Error << "Error closing primary forwarding socket after write() failed: " << e.reason << endl;




×







613



      }




×







614



      continue;




×







615



    }




×







616












617



    int res = waitForData(sock, 10, 0);




×







618



    if (!res) {





×







619



      g_log << Logger::Error << msgPrefix << "Timeout waiting for reply from primary at " << remote.toStringWithPort() << endl;




×







620



      try {




×







621



        closesocket(sock);




×







622



      }




×







623



      catch(const PDNSException& e) {




×







624



        g_log << Logger::Error << "Error closing primary forwarding socket after a timeout occurred: " << e.reason << endl;




×







625



      }




×







626



      continue;




×







627



    }




×







628



    if (res < 0) {





×







629



      g_log << Logger::Error << msgPrefix << "Error waiting for answer from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







630



      try {




×







631



        closesocket(sock);




×







632



      }




×








UNCOV

633



      catch(const PDNSException& e) {




×







634



        g_log << Logger::Error << "Error closing primary forwarding socket after an error occurred: " << e.reason << endl;




×







635



      }




×







636



      continue;




×







637



    }




×







638












639



    unsigned char lenBuf[2];




×







640



    ssize_t recvRes;




×







641



    recvRes = recv(sock, &lenBuf, sizeof(lenBuf), 0);




×







642



    if (recvRes < 0 || static_cast<size_t>(recvRes) < sizeof(lenBuf)) {





×







643



      g_log << Logger::Error << msgPrefix << "Could not receive data (length) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







644



      try {




×







645



        closesocket(sock);




×







646



      }




×







647



      catch(const PDNSException& e) {




×








UNCOV

648



        g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;




×







649



      }




×







650



      continue;




×







651



    }




×







652



    size_t packetLen = lenBuf[0]*256+lenBuf[1];




×







653












654



    buffer.resize(packetLen);




×







655



    recvRes = recv(sock, &buffer.at(0), packetLen, 0);




×







656



    if (recvRes < 0) {





×







657



      g_log << Logger::Error << msgPrefix << "Could not receive data (dnspacket) from primary at " << remote.toStringWithPort() << ", error:" << stringerror() << endl;




×







658



      try {




×







659



        closesocket(sock);




×







660



      }




×







661



      catch(const PDNSException& e) {




×







662



        g_log << Logger::Error << "Error closing primary forwarding socket after recv() failed: " << e.reason << endl;




×







663



      }




×







664



      continue;




×







665



    }




×







666



    try {




×








UNCOV

667



      closesocket(sock);




×







668



    }




×







669



    catch(const PDNSException& e) {




×







670



      g_log << Logger::Error << "Error closing primary forwarding socket: " << e.reason << endl;




×







671



    }




×







672












673



    try {




×







674



      MOADNSParser mdp(false, buffer.data(), static_cast<unsigned int>(recvRes));




×







675



      g_log<<Logger::Info<<msgPrefix<<"Forward update message to "<<remote.toStringWithPort()<<", result was RCode "<<mdp.d_header.rcode<<endl;




×







676



      return mdp.d_header.rcode;




×







677



    }




×







678



    catch (...) {




×







679



      g_log << Logger::Error << msgPrefix << "Failed to parse response packet from primary at " << remote.toStringWithPort() << endl;




×








UNCOV

680



      continue;




×







681



    }




×








UNCOV

682



  }




×








UNCOV

683



  g_log << Logger::Error << msgPrefix << "Failed to forward packet to primary(s). Returning ServFail." << endl;




×








UNCOV

684



  return RCode::ServFail;




×







685













UNCOV

686



}




×







687












688



static bool isUpdateAllowed(UeberBackend& UBackend, const std::string& msgPrefix, DNSPacket& packet)










689



{




2,294





690



  // Check permissions - IP based










691



  vector<string> allowedRanges;




2,294





692












693



  UBackend.getDomainMetadata(packet.qdomainzone, "ALLOW-DNSUPDATE-FROM", allowedRanges);




2,294





694



  if (! ::arg()["allow-dnsupdate-from"].empty()) {





2,294!





695



    stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );




2,294





696



  }




2,294





697












698



  NetmaskGroup nmg;




2,294





699



  for(const auto& range: allowedRanges) {





4,588





700



    nmg.addMask(range);




4,588





701



  }




4,588





702












703



  if ( ! nmg.match(packet.getInnerRemote())) {





2,294!






UNCOV

704



    g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;




×







705



    return false;




×







706



  }




×







707












708



  // Check permissions - TSIG based.










709



  vector<string> tsigKeys;




2,294





710



  UBackend.getDomainMetadata(packet.qdomainzone, "TSIG-ALLOW-DNSUPDATE", tsigKeys);




2,294





711



  if (!tsigKeys.empty()) {





2,294!






UNCOV

712



    bool validKey = false;




×







713












714



    TSIGRecordContent trc;




×








UNCOV

715



    DNSName inputkey;




×







716



    string message;




×







717



    if (! packet.getTSIGDetails(&trc,  &inputkey)) {





×







718



      g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;




×







719



      return false;




×







720



    }




×







721



#ifdef ENABLE_GSS_TSIG




×







722



    if (g_doGssTSIG && packet.d_tsig_algo == TSIG_GSS) {





×







723



      GssName inputname(packet.d_peer_principal); // match against principal since GSS requires that




×







724



      for(const auto& key: tsigKeys) {





×







725



        if (inputname.match(key)) {





×







726



          validKey = true;




×







727



          break;




×







728



        }




×







729



      }




×







730



    }




×







731



    else




×







732



#endif




×







733



    {




×







734



      for(const auto& key: tsigKeys) {





×







735



        if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.





×







736



          validKey=true;




×







737



          break;




×







738



        }




×







739



      }




×







740



    }




×







741












742



    if (!validKey) {





×








UNCOV

743



      g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;




×







744



      return false;




×







745



    }




×







746



  } else if(::arg().mustDo("dnsupdate-require-tsig")) {





2,294!





747



    g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but domain is not secured with TSIG. Sending REFUSED"<<endl;




×








UNCOV

748



    return false;




×







749



  }




×







750












751



  if (tsigKeys.empty() && packet.d_havetsig) {





2,294!






UNCOV

752



    g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;




×








UNCOV

753



  }




×







754












755



  return true;




2,294





756



}




2,294





757












758



static uint8_t updatePrereqCheck323(MOADNSParser& mdp, DomainInfo& info, const std::string& msgPrefix)










759



{




2,118





760



  using rrSetKey_t = pair<DNSName, QType>;




2,118





761



  using rrVector_t = vector<DNSResourceRecord>;




2,118





762



  using RRsetMap_t = std::map<rrSetKey_t, rrVector_t>;




2,118





763



  RRsetMap_t preReqRRsets;




2,118





764












765



  for(const auto& rec: mdp.d_answers) {





5,314





766



    const DNSRecord* dnsRecord = &rec;




5,314





767



    if (dnsRecord->d_place == DNSResourceRecord::ANSWER) {





5,314





768



      // Last line of 3.2.3










769



      if (dnsRecord->d_class != QClass::IN && dnsRecord->d_class != QClass::NONE && dnsRecord->d_class != QClass::ANY) {





308!





770



        return RCode::FormErr;




×







771



      }




×







772












773



      if (dnsRecord->d_class == QClass::IN) {





308





774



        rrSetKey_t key = {dnsRecord->d_name, QType(dnsRecord->d_type)};




198





775



        rrVector_t *vec = &preReqRRsets[key];




198





776



        vec->push_back(DNSResourceRecord::fromWire(*dnsRecord));




198





777



      }




198





778



    }




308





779



  }




5,314





780












781



  if (!preReqRRsets.empty()) {





2,118





782



    RRsetMap_t zoneRRsets;




66





783



    for (auto & preReqRRset : preReqRRsets) {





66





784



      rrSetKey_t rrSet=preReqRRset.first;




66





785



      rrVector_t *vec = &preReqRRset.second;




66





786












787



      DNSResourceRecord rec;




66





788



      info.backend->lookup(QType(QType::ANY), rrSet.first, info.id);




66





789



      size_t foundRR{0};




66





790



      size_t matchRR{0};




66





791



      while (info.backend->get(rec)) {





264





792



        if (rec.qtype == rrSet.second) {





198!





793



          foundRR++;




198





794



          for(auto & rrItem : *vec) {





594





795



            rrItem.ttl = rec.ttl; // The compare one line below also compares TTL, so we make them equal because TTL is not user within prerequisite checks.




594





796



            if (rrItem == rec) {





594





797



              matchRR++;




198





798



            }




198





799



          }




594





800



        }




198





801



      }




198





802



      if (matchRR != foundRR || foundRR != vec->size()) {





66!





803



        g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check (RRs differ), returning NXRRSet"<<endl;




44





804



        return RCode::NXRRSet;




44





805



      }




44





806



    }




66





807



  }




66





808



  return RCode::NoError;




2,074





809



}




2,118





810












811



static uint8_t updateRecords(MOADNSParser& mdp, DNSSECKeeper& dsk, DomainInfo& info, uint& changedRecords, const std::unique_ptr<AuthLua4>& update_policy_lua, DNSPacket& packet, bool isPresigned, bool& narrow, bool& haveNSEC3, NSEC3PARAMRecordContent& ns3pr, bool& updatedSerial, const std::string& msgPrefix)










812



{




2,030





813



  vector<const DNSRecord *> cnamesToAdd;




2,030





814



  vector<const DNSRecord *> nonCnamesToAdd;




2,030





815



  vector<const DNSRecord *> nsRRtoDelete;




2,030





816












817



  bool anyRecordProcessed{false};




2,030





818



  bool anyRecordAcceptedByLua{false};




2,030





819



  for(const auto & answer : mdp.d_answers) {





5,116





820



    const DNSRecord *dnsRecord = &answer;




5,116





821



    if (dnsRecord->d_place == DNSResourceRecord::AUTHORITY) {





5,116





822



      anyRecordProcessed = true;




4,940





823



      /* see if it's permitted by policy */










824



      if (update_policy_lua != nullptr) {





4,940!






UNCOV

825



        if (!update_policy_lua->updatePolicy(dnsRecord->d_name, QType(dnsRecord->d_type), info.zone.operator const DNSName&(), packet)) {





×








UNCOV

826



          g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << dnsRecord->d_name << "/" << QType(dnsRecord->d_type).toString() << ": Not permitted by policy"<<endl;




×








UNCOV

827



          continue;




×








UNCOV

828



        }




×








UNCOV

829



        g_log<<Logger::Debug<<msgPrefix<<"Accepting update for " << dnsRecord->d_name << "/" << QType(dnsRecord->d_type).toString() << ": Permitted by policy"<<endl;




×








UNCOV

830



        anyRecordAcceptedByLua = true;




×








UNCOV

831



      }




×







832












833



      if (dnsRecord->d_class == QClass::NONE  && dnsRecord->d_type == QType::NS && dnsRecord->d_name == info.zone.operator const DNSName&()) {





4,940!





834



        nsRRtoDelete.push_back(dnsRecord);




66





835



      }




66





836



      else if (dnsRecord->d_class == QClass::IN && dnsRecord->d_ttl > 0) {





4,874!





837



        if (dnsRecord->d_type == QType::CNAME) {





3,688





838



          cnamesToAdd.push_back(dnsRecord);




154





839



        } else {




3,534





840



          nonCnamesToAdd.push_back(dnsRecord);




3,534





841



        }




3,534





842



      }




3,688





843



      else {




1,186





844



        changedRecords += performUpdate(dsk, msgPrefix, dnsRecord, &info, isPresigned, narrow, haveNSEC3, ns3pr, updatedSerial);




1,186





845



      }




1,186





846



    }




4,940





847



  }




5,116





848












849



  if (update_policy_lua != nullptr) {





2,030!





850



    // If the Lua update policy script has been invoked, and has rejected










851



    // everything, better return Refused.











UNCOV

852



    if (anyRecordProcessed && !anyRecordAcceptedByLua) {





×








UNCOV

853



      return RCode::Refused;




×








UNCOV

854



    }




×








UNCOV

855



  }




×







856












857



  for (const auto &resrec : cnamesToAdd) {





2,030





858



    DNSResourceRecord rec;




154





859



    info.backend->lookup(QType(QType::ANY), resrec->d_name, info.id);




154





860



    while (info.backend->get(rec)) {





220





861



      if (rec.qtype != QType::CNAME && rec.qtype != QType::ENT && rec.qtype != QType::RRSIG) {





88!





862



        // leave database handle in a consistent state










863



        info.backend->lookupEnd();




22





864



        g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << resrec->d_name << "/" << QType(resrec->d_type).toString() << ": Data other than CNAME exists for the same name"<<endl;




22





865



        return RCode::Refused;




22





866



      }




22





867



    }




88





868



    changedRecords += performUpdate(dsk, msgPrefix, resrec, &info, isPresigned, narrow, haveNSEC3, ns3pr, updatedSerial);




132





869



  }




132





870



  for (const auto &resrec : nonCnamesToAdd) {





3,534





871



    DNSResourceRecord rec;




3,534





872



    info.backend->lookup(QType(QType::CNAME), resrec->d_name, info.id);




3,534





873



    while (info.backend->get(rec)) {





3,534





874



      if (rec.qtype == QType::CNAME && resrec->d_type != QType::RRSIG) {





22!





875



        // leave database handle in a consistent state










876



        info.backend->lookupEnd();




22





877



        g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << resrec->d_name << "/" << QType(resrec->d_type).toString() << ": CNAME exists for the same name"<<endl;




22





878



        return RCode::Refused;




22





879



      }




22





880



    }




22





881



    changedRecords += performUpdate(dsk, msgPrefix, resrec, &info, isPresigned, narrow, haveNSEC3, ns3pr, updatedSerial);




3,512





882



  }




3,512





883












884



  if (!nsRRtoDelete.empty()) {





1,986





885



    vector<DNSResourceRecord> nsRRInZone;




44





886



    DNSResourceRecord rec;




44





887



    info.backend->lookup(QType(QType::NS), info.zone.operator const DNSName&(), info.id);




44





888



    while (info.backend->get(rec)) {





132





889



      nsRRInZone.push_back(rec);




88





890



    }




88





891



    if (nsRRInZone.size() > nsRRtoDelete.size()) { // only delete if the NS's we delete are less then what we have in the zone (3.4.2.4)





44





892



      for (auto& inZone: nsRRInZone) {





44





893



        for (auto& resrec: nsRRtoDelete) {





44





894



          if (inZone.getZoneRepresentation() == resrec->getContent()->getZoneRepresentation()) {





44





895



            changedRecords += performUpdate(dsk, msgPrefix, resrec, &info, isPresigned, narrow, haveNSEC3, ns3pr, updatedSerial);




22





896



          }




22





897



        }




44





898



      }




44





899



    }




22





900



  }




44





901












902



  return RCode::NoError;




1,986





903



}




2,008





904












905



int PacketHandler::processUpdate(DNSPacket& packet)










906



{




2,294





907



  if (! ::arg().mustDo("dnsupdate")) {





2,294!






UNCOV

908



    return RCode::Refused;




×








UNCOV

909



  }




×







910












911



  string msgPrefix="UPDATE (" + std::to_string(packet.d.id) + ") from " + packet.getRemoteString() + " for " + packet.qdomainzone.toLogString() + ": ";




2,294





912



  g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl;




2,294





913












914



  // if there is policy, we delegate all checks to it










915



  if (this->d_update_policy_lua == nullptr) {





2,294!





916



    if (!isUpdateAllowed(B, msgPrefix, packet)) {





2,294!






UNCOV

917



      return RCode::Refused;




×








UNCOV

918



    }




×







919



  }




2,294





920












921



  // RFC2136 uses the same DNS Header and Message as defined in RFC1035.










922



  // This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different










923



  // variable names during the use of our MOADNSParser.










924



  MOADNSParser mdp(false, packet.getString());




2,294





925



  if (mdp.d_header.qdcount != 1) {





2,294!






UNCOV

926



    g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;




×








UNCOV

927



    return RCode::FormErr;




×








UNCOV

928



  }




×







929












930



  if (packet.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA





2,294!





931



    g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;




×







932



    return RCode::FormErr;




×







933



  }




×







934












935



  if (packet.qclass != QClass::IN) {





2,294!





936



    g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;




×








UNCOV

937



    return RCode::NotAuth;




×








UNCOV

938



  }




×







939












940



  DomainInfo di;




2,294





941



  di.backend=nullptr;




2,294





942



  if(!B.getDomainInfo(packet.qdomainzone, di) || (di.backend == nullptr)) {





2,294!





943



    g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<packet.qdomainzone<<"' (or backend does not support DNS update operation)"<<endl;




22





944



    return RCode::NotAuth;




22





945



  }




22





946












947



  if (di.kind == DomainInfo::Secondary) {





2,272!






UNCOV

948



    return forwardPacket(msgPrefix, packet, di);




×








UNCOV

949



  }




×







950












951



  // Check if all the records provided are within the zone










952



  for(const auto & answer : mdp.d_answers) {





5,556





953



    const DNSRecord *dnsRecord = &answer;




5,556





954



    // Skip this check for other field types (like the TSIG -  which is in the additional section)










955



    // For a TSIG, the label is the dnskey, so it does not pass the endOn validation.










956



    if (dnsRecord->d_place != DNSResourceRecord::ANSWER && dnsRecord->d_place != DNSResourceRecord::AUTHORITY) {





5,556!






UNCOV

957



      continue;




×








UNCOV

958



    }




×







959












960



    if (!dnsRecord->d_name.isPartOf(di.zone)) {





5,556





961



      g_log<<Logger::Error<<msgPrefix<<"Received update/record out of zone, sending NotZone."<<endl;




44





962



      return RCode::NotZone;




44





963



    }




44





964



  }




5,556





965












966



  auto lock = std::scoped_lock(s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything




2,228





967



  g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;




2,228





968



  if (!di.backend->startTransaction(packet.qdomainzone, UnknownDomainID)) { // Not giving the domain_id means that we do not delete the existing records.





2,228!






UNCOV

969



    g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<packet.qdomainzone<<" does not support transaction. Can't do Update packet."<<endl;




×








UNCOV

970



    return RCode::NotImp;




×








UNCOV

971



  }




×







972












973



  // 3.2.1 and 3.2.2 - Prerequisite check










974



  for(const auto & answer : mdp.d_answers) {





5,424





975



    const DNSRecord *dnsRecord = &answer;




5,424





976



    if (dnsRecord->d_place == DNSResourceRecord::ANSWER) {





5,424





977



      int res = checkUpdatePrerequisites(dnsRecord, &di);




418





978



      if (res>0) {





418





979



        g_log<<Logger::Error<<msgPrefix<<"Failed PreRequisites check for "<<dnsRecord->d_name<<", returning "<<RCode::to_s(res)<<endl;




110





980



        di.backend->abortTransaction();




110





981



        return res;




110





982



      }




110





983



    }




418





984



  }




5,424





985












986



  // 3.2.3 - Prerequisite check - this is outside of updatePrerequisitesCheck because we check an RRSet and not the RR.










987



  if (auto rcode = updatePrereqCheck323(mdp, di, msgPrefix); rcode != RCode::NoError) {





2,118





988



    di.backend->abortTransaction();




44





989



    return rcode;




44





990



  }




44





991












992



  // 3.4 - Prescan & Add/Update/Delete records - is all done within a try block.










993



  try {




2,074





994



    // 3.4.1 - Prescan section










995



    for(const auto & answer : mdp.d_answers) {





5,182





996



      const DNSRecord *dnsRecord = &answer;




5,182





997



      if (dnsRecord->d_place == DNSResourceRecord::AUTHORITY) {





5,182





998



        int res = checkUpdatePrescan(dnsRecord);




5,006





999



        if (res>0) {





5,006





1000



          g_log<<Logger::Error<<msgPrefix<<"Failed prescan check, returning "<<res<<endl;




22





1001



          di.backend->abortTransaction();




22





1002



          return res;




22





1003



        }




22





1004



      }




5,006





1005



    }




5,182





1006












1007



    bool updatedSerial{false};




2,052





1008



    NSEC3PARAMRecordContent ns3pr;




2,052





1009



    bool narrow=false;




2,052





1010



    bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);




2,052





1011



    bool isPresigned = d_dk.isPresigned(di.zone);




2,052





1012



    string soaEditSetting;




2,052





1013



    d_dk.getSoaEdit(di.zone, soaEditSetting);




2,052





1014












1015



    // 3.4.2 - Perform the updates.










1016



    // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)










1017



    // This means we must do it outside the normal performUpdate() because that focusses only on a separate RR.










1018












1019



    // Another special case is the addition of both a CNAME and a non-CNAME for the same name (#6270)










1020



    set<DNSName> cn, nocn;




2,052





1021



    for (const auto &rr : mdp.d_answers) {





5,160





1022



      if (rr.d_place == DNSResourceRecord::AUTHORITY && rr.d_class == QClass::IN && rr.d_ttl > 0) {





5,160!





1023



        // Addition










1024



        if (rr.d_type == QType::CNAME) {





3,732





1025



          cn.insert(rr.d_name);




176





1026



        } else if (rr.d_type != QType::RRSIG) {





3,556!





1027



          nocn.insert(rr.d_name);




3,556





1028



        }




3,556





1029



      }




3,732





1030



    }




5,160





1031



    for (auto const &n : cn) {





2,052





1032



      if (nocn.count(n) > 0) {





176





1033



        g_log<<Logger::Error<<msgPrefix<<"Refusing update, found CNAME and non-CNAME addition"<<endl;




22





1034



        di.backend->abortTransaction();




22





1035



        return RCode::FormErr;




22





1036



      }




22





1037



    }




176





1038












1039



    uint changedRecords = 0;




2,030





1040



    if (auto rcode = updateRecords(mdp, d_dk, di, changedRecords, d_update_policy_lua, packet, isPresigned, narrow, haveNSEC3, ns3pr, updatedSerial, msgPrefix); rcode != RCode::NoError) {





2,030





1041



      di.backend->abortTransaction();




44





1042



      return rcode;




44





1043



    }




44





1044












1045



    // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message










1046



    if (changedRecords != 0 && !updatedSerial) {





1,986





1047



      increaseSerial(msgPrefix, &di, soaEditSetting, haveNSEC3, narrow, &ns3pr);




1,766





1048



      changedRecords++;




1,766





1049



    }




1,766





1050












1051



    if (changedRecords != 0) {





1,986





1052



      if (!di.backend->commitTransaction()) {





1,810!





1053



        g_log<<Logger::Error<<msgPrefix<<"Failed to commit updates!"<<endl;




×







1054



        return RCode::ServFail;




×







1055



      }




×







1056












1057



      S.deposit("dnsupdate-changes", changedRecords);




1,810





1058












1059



      d_dk.clearMetaCache(di.zone);




1,810





1060



      // Purge the records!










1061



      purgeAuthCaches(di.zone.operator const DNSName&().toString() + "$");




1,810





1062












1063



      // Notify secondaries










1064



      if (di.kind == DomainInfo::Primary) {





1,810!





1065



        vector<string> notify;




1,810





1066



        B.getDomainMetadata(packet.qdomainzone, "NOTIFY-DNSUPDATE", notify);




1,810





1067



        if (!notify.empty() && notify.front() == "1") {





1,810!






UNCOV

1068



          Communicator.notifyDomain(di.zone, &B);




×








UNCOV

1069



        }




×







1070



      }




1,810





1071












1072



      g_log<<Logger::Info<<msgPrefix<<"Update completed, "<<changedRecords<<" changed records committed."<<endl;




1,810





1073



    } else {




1,810





1074



      //No change, no commit, we perform abort() because some backends might like this more.










1075



      g_log<<Logger::Info<<msgPrefix<<"Update completed, 0 changes, rolling back."<<endl;




176





1076



      di.backend->abortTransaction();




176





1077



    }




176





1078



    return RCode::NoError; //rfc 2136 3.4.2.5




1,986





1079



  }




1,986





1080



  catch (SSqlException &e) {




2,074






UNCOV

1081



    g_log<<Logger::Error<<msgPrefix<<"Caught SSqlException: "<<e.txtReason()<<"; Sending ServFail!"<<endl;




×








UNCOV

1082



    di.backend->abortTransaction();




×








UNCOV

1083



    return RCode::ServFail;




×








UNCOV

1084



  }




×







1085



  catch (DBException &e) {




2,074






UNCOV

1086



    g_log<<Logger::Error<<msgPrefix<<"Caught DBException: "<<e.reason<<"; Sending ServFail!"<<endl;




×








UNCOV

1087



    di.backend->abortTransaction();




×








UNCOV

1088



    return RCode::ServFail;




×








UNCOV

1089



  }




×







1090



  catch (PDNSException &e) {




2,074






UNCOV

1091



    g_log<<Logger::Error<<msgPrefix<<"Caught PDNSException: "<<e.reason<<"; Sending ServFail!"<<endl;




×








UNCOV

1092



    di.backend->abortTransaction();




×








UNCOV

1093



    return RCode::ServFail;




×








UNCOV

1094



  }




×







1095



  catch(std::exception &e) {




2,074






UNCOV

1096



    g_log<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;




×








UNCOV

1097



    di.backend->abortTransaction();




×








UNCOV

1098



    return RCode::ServFail;




×








UNCOV

1099



  }




×







1100



  catch (...) {




2,074






UNCOV

1101



    g_log<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;




×








UNCOV

1102



    di.backend->abortTransaction();




×








UNCOV

1103



    return RCode::ServFail;




×








UNCOV

1104



  }




×







1105



}




2,074





1106












1107



void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting,  bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {




1,766





1108



  SOAData sd;




1,766





1109



  if (!di->backend->getSOA(di->zone, di->id, sd)) {





1,766!






UNCOV

1110



    throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");




×








UNCOV

1111



  }




×







1112












1113



  uint32_t oldSerial = sd.serial;




1,766





1114












1115



  vector<string> soaEdit2136Setting;




1,766





1116



  B.getDomainMetadata(di->zone, "SOA-EDIT-DNSUPDATE", soaEdit2136Setting);




1,766





1117



  string soaEdit2136 = "DEFAULT";




1,766





1118



  string soaEdit;




1,766





1119



  if (!soaEdit2136Setting.empty()) {





1,766!






UNCOV

1120



    soaEdit2136 = soaEdit2136Setting[0];




×








UNCOV

1121



    if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){





×








UNCOV

1122



      if (soaEditSetting.empty()) {





×








UNCOV

1123



        g_log<<Logger::Error<<msgPrefix<<"Using "<<soaEdit2136<<" for SOA-EDIT-DNSUPDATE increase on DNS update, but SOA-EDIT is not set for domain \""<< di->zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<<endl;




×








UNCOV

1124



        soaEdit2136 = "DEFAULT";




×








UNCOV

1125



      } else




×








UNCOV

1126



        soaEdit = soaEditSetting;




×








UNCOV

1127



    }




×








UNCOV

1128



  }




×







1129












1130



  DNSResourceRecord rr;




1,766





1131



  if (makeIncreasedSOARecord(sd, soaEdit2136, soaEdit, rr)) {





1,766!





1132



    di->backend->replaceRRSet(di->id, rr.qname, rr.qtype, vector<DNSResourceRecord>(1, rr));




1,766





1133



    g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;




1,766





1134












1135



    //Correct ordername + auth flag










1136



    DNSName ordername;




1,766





1137



    if (haveNSEC3) {





1,766





1138



      if (!narrow) {





968





1139



        ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));




660





1140



      }




660





1141



    } else { // NSEC




968





1142



      ordername = rr.qname.makeRelative(di->zone);




798





1143



    }




798





1144



    di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow);





1,766





1145



  }




1,766





1146



}




1,766



















    

  • 

    •