20618548088

Committed 31 Dec 2025 12:00PM UTC coverage: 72.648% (-0.7%) from 73.336%

Build # 20618548088

Build Type

Pull #16693

github

Committed by

web-flow

Commit Message

Merge 3f7d9a75b into 65de281db

Pull Request Pull Request #16693: auth: plumbing for structured logging

Run Details

39009 of 65430 branches covered (59.62%)

Branch coverage included in aggregate %.

807 of 2400 new or added lines in 58 files covered. (33.63%)

200 existing lines in 39 files now uncovered.

129187 of 166092 relevant lines covered (77.78%)

5266744.49 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

56.61

/modules/bindbackend/binddnssec.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "bindbackend2.hh"
#include "pdns/arguments.hh"
#include "pdns/dnsrecords.hh"

#ifndef HAVE_SQLITE3

void Bind2Backend::setupDNSSEC()
{
  if (!getArg("dnssec-db").empty()) {
    throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
  }
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name */, std::map<std::string, std::vector<std::string>>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, const std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainKeys(const ZoneName& /* name */, std::vector<KeyData>& /* keys */)
{
  return false;
}

bool Bind2Backend::removeDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::addDomainKey(const ZoneName& /* name */, const KeyData& /* key */, int64_t& /* id */)
{
  return false;
}

bool Bind2Backend::activateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::publishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::getTSIGKey(const DNSName& /* name */, DNSName& /* algorithm */, string& /* content */)
{
  return false;
}

bool Bind2Backend::setTSIGKey(const DNSName& /* name */, const DNSName& /* algorithm */, const string& /* content */)
{
  return false;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
{
  return false;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
{
  return false;
}

void Bind2Backend::setupStatements()
{
}

void Bind2Backend::freeStatements()
{
}

#else

#include "pdns/logger.hh"
#include "pdns/ssqlite3.hh"

#define ASSERT_ROW_COLUMNS(query, row, num)                                                                                                \
  {                                                                                                                                        \
    if (row.size() != num) {                                                                                                               \
      throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \
    }                                                                                                                                      \
  }

void Bind2Backend::setupDNSSEC()
{
  if (getArg("dnssec-db").empty() || d_hybrid)
    return;
  try {
    d_dnssecdb = std::make_shared<SSQLite3>(d_slog, getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));
    setupStatements();
  }
  catch (SSqlException& se) {
    // this error is meant to kill the server dead - it makes no sense to continue..
    throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());
  }

  d_dnssecdb->setLog(::arg().mustDo("query-logging"));
}

void Bind2Backend::setupStatements()
{
  d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);
  d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);
  d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);
  d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);
  d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);
  d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);
  d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);
  d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);
  d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);
  d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);
  d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);
  d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);
  d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);
  d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);
  d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);
  d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);
}

void Bind2Backend::freeStatements()
{
  d_getAllDomainMetadataQuery_stmt.reset();
  d_getDomainMetadataQuery_stmt.reset();
  d_deleteDomainMetadataQuery_stmt.reset();
  d_insertDomainMetadataQuery_stmt.reset();
  d_getDomainKeysQuery_stmt.reset();
  d_deleteDomainKeyQuery_stmt.reset();
  d_insertDomainKeyQuery_stmt.reset();
  d_GetLastInsertedKeyIdQuery_stmt.reset();
  d_activateDomainKeyQuery_stmt.reset();
  d_deactivateDomainKeyQuery_stmt.reset();
  d_publishDomainKeyQuery_stmt.reset();
  d_unpublishDomainKeyQuery_stmt.reset();
  d_getTSIGKeyQuery_stmt.reset();
  d_setTSIGKeyQuery_stmt.reset();
  d_deleteTSIGKeyQuery_stmt.reset();
  d_getTSIGKeysQuery_stmt.reset();
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_dnssecdb || d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  BB2DomainInfo bbd;
  if (!safeGetBBDomainInfo(name, &bbd))
    return false;

  if (ns3p != nullptr) {
    *ns3p = bbd.d_nsec3param;
  }

  return bbd.d_nsec3zone;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  string value;
  vector<string> meta;
  getDomainMetadata(name, "NSEC3PARAM", meta);
  if (!meta.empty())
    value = *meta.begin();
  else
    return false; // No NSEC3 zone

  static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");
  if (ns3p) {
    auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));
    *ns3p = *tmp;

    if (ns3p->d_iterations > maxNSEC3Iterations) {
      ns3p->d_iterations = maxNSEC3Iterations;
      SLOG(g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl,
           d_slog->info(Logr::Error, "Number of NSEC3 iterations for zone exceeds max-nsec3-iterations, clamping", "zone", Logging::Loggable(name), "max-nsec3-iterations", Logging::Loggable(maxNSEC3Iterations)));
    }

    if (ns3p->d_algorithm != 1) {
      SLOG(g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl,
           d_slog->info(Logr::Error, "Invalid hash algorithm for NSEC3 on zone, setting to 1", "zone", Logging::Loggable(name), "algorithm", Logging::Loggable(ns3p->d_algorithm)));
      ns3p->d_algorithm = 1;
    }
  }

  return true;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();

    SSqlStatement::row_t row;
    while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {
      d_getAllDomainMetadataQuery_stmt->nextRow(row);
      meta[row[0]].push_back(row[1]);
    }

    d_getAllDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();

    SSqlStatement::row_t row;
    while (d_getDomainMetadataQuery_stmt->hasNextRow()) {
      d_getDomainMetadataQuery_stmt->nextRow(row);
      meta.push_back(row[0]);
    }

    d_getDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();
    if (!meta.empty()) {
      for (const auto& value : meta) {
        d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();
      }
    }
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainKeysQuery_stmt->bind("domain", name)->execute();

    KeyData kd;
    SSqlStatement::row_t row;
    while (d_getDomainKeysQuery_stmt->hasNextRow()) {
      d_getDomainKeysQuery_stmt->nextRow(row);
      pdns::checked_stoi_into(kd.id, row[0]);
      pdns::checked_stoi_into(kd.flags, row[1]);
      kd.active = (row[2] == "1");
      kd.published = (row[3] == "1");
      kd.content = row[4];
      keys.push_back(kd);
    }

    d_getDomainKeysQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());
  }

  try {
    d_GetLastInsertedKeyIdQuery_stmt->execute();
    if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {
      keyId = -2;
      return true;
    }
    SSqlStatement::row_t row;
    d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);
    ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);
    keyId = std::stoi(row[0]);
    d_GetLastInsertedKeyIdQuery_stmt->reset();
    if (keyId == 0) {
      // No insert took place, report as error.
      keyId = -1;
    }
    return true;
  }
  catch (SSqlException& e) {
    keyId = -2;
    return true;
  }
}

bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeyQuery_stmt->hasNextRow()) {
      d_getTSIGKeyQuery_stmt->nextRow(row);
      if (row.size() >= 2 && (algorithm.empty() || algorithm == DNSName(row[0]))) {
        algorithm = DNSName(row[0]);
        content = row[1];
      }
    }

    d_getTSIGKeyQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& name)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeysQuery_stmt->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeysQuery_stmt->hasNextRow()) {
      d_getTSIGKeysQuery_stmt->nextRow(row);
      struct TSIGKey key;
      key.name = DNSName(row[0]);
      key.algorithm = DNSName(row[1]);
      key.key = row[2];
      keys.push_back(key);
    }

    d_getTSIGKeysQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());
  }
  return true;
}

#endif

1	/*
2	* This file is part of PowerDNS or dnsdist.
3	* Copyright -- PowerDNS.COM B.V. and its contributors
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of version 2 of the GNU General Public License as
7	* published by the Free Software Foundation.
8	*
9	* In addition, for the avoidance of any doubt, permission is granted to
10	* link this program with OpenSSL and to (re)distribute the binaries
11	* produced as the result of such linking.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21	*/
22
23	#ifdef HAVE_CONFIG_H
24	#include "config.h"
25	#endif
26	#include "bindbackend2.hh"
27	#include "pdns/arguments.hh"
28	#include "pdns/dnsrecords.hh"
29
30	#ifndef HAVE_SQLITE3
31
32	void Bind2Backend::setupDNSSEC()
33	{
34	if (!getArg("dnssec-db").empty()) {
35	throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
36	}
37	}
38
39	unsigned int Bind2Backend::getCapabilities()
40	{
41	unsigned int caps = CAP_LIST \| CAP_SEARCH;
42	if (d_hybrid) {
43	caps \|= CAP_DNSSEC;
44	}
45	return caps;
46	}
47
48	bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
49	{
50	return false;
51	}
52
53	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
54	{
55	return false;
56	}
57
58	bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name /, std::map<std::string, std::vector<std::string>>& / meta */)
59	{
60	return false;
61	}
62
63	bool Bind2Backend::getDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, std::vector<std::string>& / meta */)
64	{
65	return false;
66	}
67
68	bool Bind2Backend::setDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, const std::vector<std::string>& / meta */)
69	{
70	return false;
71	}
72
73	bool Bind2Backend::getDomainKeys(const ZoneName& /* name /, std::vector<KeyData>& / keys */)
74	{
75	return false;
76	}
77
78	bool Bind2Backend::removeDomainKey(const ZoneName& /* name /, unsigned int / id */)
79	{
80	return false;
81	}
82
83	bool Bind2Backend::addDomainKey(const ZoneName& /* name /, const KeyData& / key /, int64_t& / id */)
84	{
85	return false;
86	}
87
88	bool Bind2Backend::activateDomainKey(const ZoneName& /* name /, unsigned int / id */)
89	{
90	return false;
91	}
92
93	bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name /, unsigned int / id */)
94	{
95	return false;
96	}
97
98	bool Bind2Backend::publishDomainKey(const ZoneName& /* name /, unsigned int / id */)
99	{
100	return false;
101	}
102
103	bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name /, unsigned int / id */)
104	{
105	return false;
106	}
107
108	bool Bind2Backend::getTSIGKey(const DNSName& /* name /, DNSName& / algorithm /, string& / content */)
109	{
110	return false;
111	}
112
113	bool Bind2Backend::setTSIGKey(const DNSName& /* name /, const DNSName& / algorithm /, const string& / content */)
114	{
115	return false;
116	}
117
118	bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
119	{
120	return false;
121	}
122
123	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
124	{
125	return false;
126	}
127
128	void Bind2Backend::setupStatements()
129	{
130	}
131
132	void Bind2Backend::freeStatements()
133	{
134	}
135
136	#else
137
138	#include "pdns/logger.hh"
139	#include "pdns/ssqlite3.hh"
140
141	#define ASSERT_ROW_COLUMNS(query, row, num) \
142	{ \	129✔
143	if (row.size() != num) { \	129✔
144	throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \	×
145	} \	×
146	}	129✔
147
148	void Bind2Backend::setupDNSSEC()
149	{	3,370✔
150	if (getArg("dnssec-db").empty() \|\| d_hybrid)	3,370!
151	return;	2,060✔
152	try {	1,310✔
153	d_dnssecdb = std::make_shared<SSQLite3>(d_slog, getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));	1,310✔
154	setupStatements();	1,310✔
155	}	1,310✔
156	catch (SSqlException& se) {	1,310✔
157	// this error is meant to kill the server dead - it makes no sense to continue..
158	throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());	×
159	}	×
160
161	d_dnssecdb->setLog(::arg().mustDo("query-logging"));	1,310✔
162	}	1,310✔
163
164	void Bind2Backend::setupStatements()
165	{	1,310✔
166	d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);	1,310✔
167	d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);	1,310✔
168	d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);	1,310✔
169	d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);	1,310✔
170	d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);	1,310✔
171	d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);	1,310✔
172	d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);	1,310✔
173	d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);	1,310✔
174	d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);	1,310✔
175	d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);	1,310✔
176	d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);	1,310✔
177	d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);	1,310✔
178	d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);	1,310✔
179	d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);	1,310✔
180	d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);	1,310✔
181	d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);	1,310✔
182	}	1,310✔
183
184	void Bind2Backend::freeStatements()
185	{	3,242✔
186	d_getAllDomainMetadataQuery_stmt.reset();	3,242✔
187	d_getDomainMetadataQuery_stmt.reset();	3,242✔
188	d_deleteDomainMetadataQuery_stmt.reset();	3,242✔
189	d_insertDomainMetadataQuery_stmt.reset();	3,242✔
190	d_getDomainKeysQuery_stmt.reset();	3,242✔
191	d_deleteDomainKeyQuery_stmt.reset();	3,242✔
192	d_insertDomainKeyQuery_stmt.reset();	3,242✔
193	d_GetLastInsertedKeyIdQuery_stmt.reset();	3,242✔
194	d_activateDomainKeyQuery_stmt.reset();	3,242✔
195	d_deactivateDomainKeyQuery_stmt.reset();	3,242✔
196	d_publishDomainKeyQuery_stmt.reset();	3,242✔
197	d_unpublishDomainKeyQuery_stmt.reset();	3,242✔
198	d_getTSIGKeyQuery_stmt.reset();	3,242✔
199	d_setTSIGKeyQuery_stmt.reset();	3,242✔
200	d_deleteTSIGKeyQuery_stmt.reset();	3,242✔
201	d_getTSIGKeysQuery_stmt.reset();	3,242✔
202	}	3,242✔
203
204	unsigned int Bind2Backend::getCapabilities()
205	{	7,316✔
206	unsigned int caps = CAP_LIST \| CAP_SEARCH;	7,316✔
207	if (d_dnssecdb \|\| d_hybrid) {	7,316!
208	caps \|= CAP_DNSSEC;	7,270✔
209	}	7,270✔
210	return caps;	7,316✔
211	}	7,316✔
212
213	// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
214	bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
215	{	×
216	BB2DomainInfo bbd;	×
217	if (!safeGetBBDomainInfo(name, &bbd))	×
218	return false;	×
219
220	if (ns3p != nullptr) {	×
221	*ns3p = bbd.d_nsec3param;	×
222	}	×
223
224	return bbd.d_nsec3zone;	×
225	}	×
226
227	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
228	{	2,737✔
229	if (!d_dnssecdb \|\| d_hybrid)	2,737!
230	return false;	23✔
231
232	string value;	2,714✔
233	vector<string> meta;	2,714✔
234	getDomainMetadata(name, "NSEC3PARAM", meta);	2,714✔
235	if (!meta.empty())	2,714✔
236	value = *meta.begin();	715✔
237	else	1,999✔
238	return false; // No NSEC3 zone	1,999✔
239
240	static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");	715✔
241	if (ns3p) {	715!
242	auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));	715✔
243	ns3p = tmp;	715✔
244
245	if (ns3p->d_iterations > maxNSEC3Iterations) {	715!
246	ns3p->d_iterations = maxNSEC3Iterations;	×
NEW 247	SLOG(g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl,	×
NEW 248	d_slog->info(Logr::Error, "Number of NSEC3 iterations for zone exceeds max-nsec3-iterations, clamping", "zone", Logging::Loggable(name), "max-nsec3-iterations", Logging::Loggable(maxNSEC3Iterations)));	×
UNCOV 249	}	×
250
251	if (ns3p->d_algorithm != 1) {	715!
NEW 252	SLOG(g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl,	×
NEW 253	d_slog->info(Logr::Error, "Invalid hash algorithm for NSEC3 on zone, setting to 1", "zone", Logging::Loggable(name), "algorithm", Logging::Loggable(ns3p->d_algorithm)));	×
254	ns3p->d_algorithm = 1;	×
255	}	×
256	}	715✔
257
258	return true;	715✔
259	}	2,714✔
260
261	bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)
262	{	640✔
263	if (!d_dnssecdb \|\| d_hybrid)	640!
264	return false;	47✔
265
266	try {	593✔
267	d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();	593✔
268
269	SSqlStatement::row_t row;	593✔
270	while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {	1,185✔
271	d_getAllDomainMetadataQuery_stmt->nextRow(row);	592✔
272	meta[row[0]].push_back(row[1]);	592✔
273	}	592✔
274
275	d_getAllDomainMetadataQuery_stmt->reset();	593✔
276	}	593✔
277	catch (SSqlException& se) {	593✔
278	throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());	×
279	}	×
280	return true;	593✔
281	}	593✔
282
283	bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)
284	{	3,238✔
285	if (!d_dnssecdb \|\| d_hybrid)	3,238!
286	return false;	4✔
287
288	try {	3,234✔
289	d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();	3,234✔
290
291	SSqlStatement::row_t row;	3,234✔
292	while (d_getDomainMetadataQuery_stmt->hasNextRow()) {	3,972✔
293	d_getDomainMetadataQuery_stmt->nextRow(row);	738✔
294	meta.push_back(row[0]);	738✔
295	}	738✔
296
297	d_getDomainMetadataQuery_stmt->reset();	3,234✔
298	}	3,234✔
299	catch (SSqlException& se) {	3,234✔
300	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());	×
301	}	×
302	return true;	3,234✔
303	}	3,234✔
304
305	bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)
306	{	261✔
307	if (!d_dnssecdb \|\| d_hybrid)	261!
308	return false;	×
309
310	try {	261✔
311	d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();	261✔
312	if (!meta.empty()) {	261✔
313	for (const auto& value : meta) {	192✔
314	d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();	192✔
315	}	192✔
316	}	192✔
317	}	261✔
318	catch (SSqlException& se) {	261✔
319	throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());	×
320	}	×
321	return true;	261✔
322	}	261✔
323
324	bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)
325	{	678✔
326	if (!d_dnssecdb \|\| d_hybrid)	678!
327	return false;	43✔
328
329	try {	635✔
330	d_getDomainKeysQuery_stmt->bind("domain", name)->execute();	635✔
331
332	KeyData kd;	635✔
333	SSqlStatement::row_t row;	635✔
334	while (d_getDomainKeysQuery_stmt->hasNextRow()) {	1,163✔
335	d_getDomainKeysQuery_stmt->nextRow(row);	528✔
336	pdns::checked_stoi_into(kd.id, row[0]);	528✔
337	pdns::checked_stoi_into(kd.flags, row[1]);	528✔
338	kd.active = (row[2] == "1");	528✔
339	kd.published = (row[3] == "1");	528✔
340	kd.content = row[4];	528✔
341	keys.push_back(kd);	528✔
342	}	528✔
343
344	d_getDomainKeysQuery_stmt->reset();	635✔
345	}	635✔
346	catch (SSqlException& se) {	635✔
347	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());	×
348	}	×
349	return true;	635✔
350	}	635✔
351
352	bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
353	{	×
354	if (!d_dnssecdb \|\| d_hybrid)	×
355	return false;	×
356
357	try {	×
358	d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
359	}	×
360	catch (SSqlException& se) {	×
361	throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());	×
362	}	×
363	return true;	×
364	}	×
365
366	bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
367	{	129✔
368	if (!d_dnssecdb \|\| d_hybrid)	129!
369	return false;	×
370
371	try {	129✔
372	d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();	129✔
373	}	129✔
374	catch (SSqlException& se) {	129✔
375	throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());	×
376	}	×
377
378	try {	129✔
379	d_GetLastInsertedKeyIdQuery_stmt->execute();	129✔
380	if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {	129!
381	keyId = -2;	×
382	return true;	×
383	}	×
384	SSqlStatement::row_t row;	129✔
385	d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);	129✔
386	ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);	129!
387	keyId = std::stoi(row[0]);	129✔
388	d_GetLastInsertedKeyIdQuery_stmt->reset();	129✔
389	if (keyId == 0) {	129!
390	// No insert took place, report as error.
391	keyId = -1;	×
392	}	×
393	return true;	129✔
394	}	129✔
395	catch (SSqlException& e) {	129✔
396	keyId = -2;	×
397	return true;	×
398	}	×
399	}	129✔
400
401	bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
402	{	×
403	if (!d_dnssecdb \|\| d_hybrid)	×
404	return false;	×
405
406	try {	×
407	d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
408	}	×
409	catch (SSqlException& se) {	×
410	throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());	×
411	}	×
412	return true;	×
413	}	×
414
415	bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
416	{	×
417	if (!d_dnssecdb \|\| d_hybrid)	×
418	return false;	×
419
420	try {	×
421	d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
422	}	×
423	catch (SSqlException& se) {	×
424	throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());	×
425	}	×
426	return true;	×
427	}	×
428
429	bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
430	{	×
431	if (!d_dnssecdb \|\| d_hybrid)	×
432	return false;	×
433
434	try {	×
435	d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
436	}	×
437	catch (SSqlException& se) {	×
438	throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());	×
439	}	×
440	return true;	×
441	}	×
442
443	bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
444	{	5✔
445	if (!d_dnssecdb \|\| d_hybrid)	5!
446	return false;	×
447
448	try {	5✔
449	d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	5✔
450	}	5✔
451	catch (SSqlException& se) {	5✔
452	throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());	×
453	}	×
454	return true;	5✔
455	}	5✔
456
457	bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)
458	{	47✔
459	if (!d_dnssecdb \|\| d_hybrid)	47!
460	return false;	×
461
462	try {	47✔
463	d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();	47✔
464
465	SSqlStatement::row_t row;	47✔
466	while (d_getTSIGKeyQuery_stmt->hasNextRow()) {	94✔
467	d_getTSIGKeyQuery_stmt->nextRow(row);	47✔
468	if (row.size() >= 2 && (algorithm.empty() \|\| algorithm == DNSName(row[0]))) {	47!
469	algorithm = DNSName(row[0]);	47✔
470	content = row[1];	47✔
471	}	47✔
472	}	47✔
473
474	d_getTSIGKeyQuery_stmt->reset();	47✔
475	}	47✔
476	catch (SSqlException& e) {	47✔
477	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());	×
478	}	×
479	return true;	47✔
480	}	47✔
481
482	bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
483	{	5✔
484	if (!d_dnssecdb \|\| d_hybrid)	5!
485	return false;	×
486
487	try {	5✔
488	d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();	5✔
489	}	5✔
490	catch (SSqlException& e) {	5✔
491	throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());	×
492	}	×
493	return true;	5✔
494	}	5✔
495
496	bool Bind2Backend::deleteTSIGKey(const DNSName& name)
497	{	×
498	if (!d_dnssecdb \|\| d_hybrid)	×
499	return false;	×
500
501	try {	×
502	d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();	×
503	}	×
504	catch (SSqlException& e) {	×
505	throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());	×
506	}	×
507	return true;	×
508	}	×
509
510	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
511	{	×
512	if (!d_dnssecdb \|\| d_hybrid)	×
513	return false;	×
514
515	try {	×
516	d_getTSIGKeysQuery_stmt->execute();	×
517
518	SSqlStatement::row_t row;	×
519	while (d_getTSIGKeysQuery_stmt->hasNextRow()) {	×
520	d_getTSIGKeysQuery_stmt->nextRow(row);	×
521	struct TSIGKey key;	×
522	key.name = DNSName(row[0]);	×
523	key.algorithm = DNSName(row[1]);	×
524	key.key = row[2];	×
525	keys.push_back(key);	×
526	}	×
527
528	d_getTSIGKeysQuery_stmt->reset();	×
529	}	×
530	catch (SSqlException& e) {	×
531	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());	×
532	}	×
533	return true;	×
534	}	×
535
536	#endif

PowerDNS / pdns / 20618548088

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous