21496291765

Committed 29 Jan 2026 10:18AM UTC coverage: 66.823% (-4.7%) from 71.534%

Build # 21496291765

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #16782 from rgacogne/ddist-210-a1

dnsdist: Update security polling zone and ChangeLog for 2.1.0-alpha1

Coverage Stats

57917 of 119990 branches covered (48.27%)

Branch coverage included in aggregate %.

131747 of 163841 relevant lines covered (80.41%)

9104990.23 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

59.36

/modules/bindbackend/binddnssec.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "bindbackend2.hh"
#include "pdns/arguments.hh"
#include "pdns/dnsrecords.hh"

#ifndef HAVE_SQLITE3

void Bind2Backend::setupDNSSEC()
{
  if (!getArg("dnssec-db").empty()) {
    throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
  }
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name */, NSEC3PARAMRecordContent* /* ns3p */)
{
  return false;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name */, std::map<std::string, std::vector<std::string>>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& /* name */, const std::string& /* kind */, const std::vector<std::string>& /* meta */)
{
  return false;
}

bool Bind2Backend::getDomainKeys(const ZoneName& /* name */, std::vector<KeyData>& /* keys */)
{
  return false;
}

bool Bind2Backend::removeDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::addDomainKey(const ZoneName& /* name */, const KeyData& /* key */, int64_t& /* id */)
{
  return false;
}

bool Bind2Backend::activateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::publishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name */, unsigned int /* id */)
{
  return false;
}

bool Bind2Backend::getTSIGKey(const DNSName& /* name */, DNSName& /* algorithm */, string& /* content */)
{
  return false;
}

bool Bind2Backend::setTSIGKey(const DNSName& /* name */, const DNSName& /* algorithm */, const string& /* content */)
{
  return false;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
{
  return false;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
{
  return false;
}

void Bind2Backend::setupStatements()
{
}

void Bind2Backend::freeStatements()
{
}

#else

#include "pdns/logger.hh"
#include "pdns/ssqlite3.hh"

#define ASSERT_ROW_COLUMNS(query, row, num)                                                                                                \
  {                                                                                                                                        \
    if (row.size() != num) {                                                                                                               \
      throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \
    }                                                                                                                                      \
  }

void Bind2Backend::setupDNSSEC()
{
  if (getArg("dnssec-db").empty() || d_hybrid)
    return;
  try {
    d_dnssecdb = std::make_shared<SSQLite3>(getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));
    setupStatements();
  }
  catch (SSqlException& se) {
    // this error is meant to kill the server dead - it makes no sense to continue..
    throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());
  }

  d_dnssecdb->setLog(::arg().mustDo("query-logging"));
}

void Bind2Backend::setupStatements()
{
  d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);
  d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);
  d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);
  d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);
  d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);
  d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);
  d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);
  d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);
  d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);
  d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);
  d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);
  d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);
  d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);
  d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);
  d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);
  d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);
}

void Bind2Backend::freeStatements()
{
  d_getAllDomainMetadataQuery_stmt.reset();
  d_getDomainMetadataQuery_stmt.reset();
  d_deleteDomainMetadataQuery_stmt.reset();
  d_insertDomainMetadataQuery_stmt.reset();
  d_getDomainKeysQuery_stmt.reset();
  d_deleteDomainKeyQuery_stmt.reset();
  d_insertDomainKeyQuery_stmt.reset();
  d_GetLastInsertedKeyIdQuery_stmt.reset();
  d_activateDomainKeyQuery_stmt.reset();
  d_deactivateDomainKeyQuery_stmt.reset();
  d_publishDomainKeyQuery_stmt.reset();
  d_unpublishDomainKeyQuery_stmt.reset();
  d_getTSIGKeyQuery_stmt.reset();
  d_setTSIGKeyQuery_stmt.reset();
  d_deleteTSIGKeyQuery_stmt.reset();
  d_getTSIGKeysQuery_stmt.reset();
}

unsigned int Bind2Backend::getCapabilities()
{
  unsigned int caps = CAP_LIST | CAP_SEARCH;
  if (d_dnssecdb || d_hybrid) {
    caps |= CAP_DNSSEC;
  }
  return caps;
}

// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  BB2DomainInfo bbd;
  if (!safeGetBBDomainInfo(name, &bbd))
    return false;

  if (ns3p != nullptr) {
    *ns3p = bbd.d_nsec3param;
  }

  return bbd.d_nsec3zone;
}

bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  string value;
  vector<string> meta;
  getDomainMetadata(name, "NSEC3PARAM", meta);
  if (!meta.empty())
    value = *meta.begin();
  else
    return false; // No NSEC3 zone

  static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");
  if (ns3p) {
    auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));
    *ns3p = *tmp;

    if (ns3p->d_iterations > maxNSEC3Iterations) {
      ns3p->d_iterations = maxNSEC3Iterations;
      g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl;
    }

    if (ns3p->d_algorithm != 1) {
      g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl;
      ns3p->d_algorithm = 1;
    }
  }

  return true;
}

bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();

    SSqlStatement::row_t row;
    while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {
      d_getAllDomainMetadataQuery_stmt->nextRow(row);
      meta[row[0]].push_back(row[1]);
    }

    d_getAllDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();

    SSqlStatement::row_t row;
    while (d_getDomainMetadataQuery_stmt->hasNextRow()) {
      d_getDomainMetadataQuery_stmt->nextRow(row);
      meta.push_back(row[0]);
    }

    d_getDomainMetadataQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();
    if (!meta.empty()) {
      for (const auto& value : meta) {
        d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();
      }
    }
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getDomainKeysQuery_stmt->bind("domain", name)->execute();

    KeyData kd;
    SSqlStatement::row_t row;
    while (d_getDomainKeysQuery_stmt->hasNextRow()) {
      d_getDomainKeysQuery_stmt->nextRow(row);
      pdns::checked_stoi_into(kd.id, row[0]);
      pdns::checked_stoi_into(kd.flags, row[1]);
      kd.active = (row[2] == "1");
      kd.published = (row[3] == "1");
      kd.content = row[4];
      keys.push_back(kd);
    }

    d_getDomainKeysQuery_stmt->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());
  }

  try {
    d_GetLastInsertedKeyIdQuery_stmt->execute();
    if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {
      keyId = -2;
      return true;
    }
    SSqlStatement::row_t row;
    d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);
    ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);
    keyId = std::stoi(row[0]);
    d_GetLastInsertedKeyIdQuery_stmt->reset();
    if (keyId == 0) {
      // No insert took place, report as error.
      keyId = -1;
    }
    return true;
  }
  catch (SSqlException& e) {
    keyId = -2;
    return true;
  }
}

bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();
  }
  catch (SSqlException& se) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeyQuery_stmt->hasNextRow()) {
      d_getTSIGKeyQuery_stmt->nextRow(row);
      if (row.size() >= 2 && (algorithm.empty() || algorithm == DNSName(row[0]))) {
        algorithm = DNSName(row[0]);
        content = row[1];
      }
    }

    d_getTSIGKeyQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::deleteTSIGKey(const DNSName& name)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());
  }
  return true;
}

bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
{
  if (!d_dnssecdb || d_hybrid)
    return false;

  try {
    d_getTSIGKeysQuery_stmt->execute();

    SSqlStatement::row_t row;
    while (d_getTSIGKeysQuery_stmt->hasNextRow()) {
      d_getTSIGKeysQuery_stmt->nextRow(row);
      struct TSIGKey key;
      key.name = DNSName(row[0]);
      key.algorithm = DNSName(row[1]);
      key.key = row[2];
      keys.push_back(key);
    }

    d_getTSIGKeysQuery_stmt->reset();
  }
  catch (SSqlException& e) {
    throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());
  }
  return true;
}

#endif

1	/*
2	* This file is part of PowerDNS or dnsdist.
3	* Copyright -- PowerDNS.COM B.V. and its contributors
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of version 2 of the GNU General Public License as
7	* published by the Free Software Foundation.
8	*
9	* In addition, for the avoidance of any doubt, permission is granted to
10	* link this program with OpenSSL and to (re)distribute the binaries
11	* produced as the result of such linking.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21	*/
22
23	#ifdef HAVE_CONFIG_H
24	#include "config.h"
25	#endif
26	#include "bindbackend2.hh"
27	#include "pdns/arguments.hh"
28	#include "pdns/dnsrecords.hh"
29
30	#ifndef HAVE_SQLITE3
31
32	void Bind2Backend::setupDNSSEC()
33	{
34	if (!getArg("dnssec-db").empty()) {
35	throw runtime_error("bind-dnssec-db requires building PowerDNS with SQLite3");
36	}
37	}
38
39	unsigned int Bind2Backend::getCapabilities()
40	{
41	unsigned int caps = CAP_LIST \| CAP_SEARCH;
42	if (d_hybrid) {
43	caps \|= CAP_DNSSEC;
44	}
45	return caps;
46	}
47
48	bool Bind2Backend::getNSEC3PARAM(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
49	{
50	return false;
51	}
52
53	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& /* name /, NSEC3PARAMRecordContent /* ns3p */)
54	{
55	return false;
56	}
57
58	bool Bind2Backend::getAllDomainMetadata(const ZoneName& /* name /, std::map<std::string, std::vector<std::string>>& / meta */)
59	{
60	return false;
61	}
62
63	bool Bind2Backend::getDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, std::vector<std::string>& / meta */)
64	{
65	return false;
66	}
67
68	bool Bind2Backend::setDomainMetadata(const ZoneName& /* name /, const std::string& / kind /, const std::vector<std::string>& / meta */)
69	{
70	return false;
71	}
72
73	bool Bind2Backend::getDomainKeys(const ZoneName& /* name /, std::vector<KeyData>& / keys */)
74	{
75	return false;
76	}
77
78	bool Bind2Backend::removeDomainKey(const ZoneName& /* name /, unsigned int / id */)
79	{
80	return false;
81	}
82
83	bool Bind2Backend::addDomainKey(const ZoneName& /* name /, const KeyData& / key /, int64_t& / id */)
84	{
85	return false;
86	}
87
88	bool Bind2Backend::activateDomainKey(const ZoneName& /* name /, unsigned int / id */)
89	{
90	return false;
91	}
92
93	bool Bind2Backend::deactivateDomainKey(const ZoneName& /* name /, unsigned int / id */)
94	{
95	return false;
96	}
97
98	bool Bind2Backend::publishDomainKey(const ZoneName& /* name /, unsigned int / id */)
99	{
100	return false;
101	}
102
103	bool Bind2Backend::unpublishDomainKey(const ZoneName& /* name /, unsigned int / id */)
104	{
105	return false;
106	}
107
108	bool Bind2Backend::getTSIGKey(const DNSName& /* name /, DNSName& / algorithm /, string& / content */)
109	{
110	return false;
111	}
112
113	bool Bind2Backend::setTSIGKey(const DNSName& /* name /, const DNSName& / algorithm /, const string& / content */)
114	{
115	return false;
116	}
117
118	bool Bind2Backend::deleteTSIGKey(const DNSName& /* name */)
119	{
120	return false;
121	}
122
123	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& /* keys */)
124	{
125	return false;
126	}
127
128	void Bind2Backend::setupStatements()
129	{
130	}
131
132	void Bind2Backend::freeStatements()
133	{
134	}
135
136	#else
137
138	#include "pdns/logger.hh"	113✔
139	#include "pdns/ssqlite3.hh"	113✔
140
141	#define ASSERT_ROW_COLUMNS(query, row, num) \
142	{ \	113✔
143	if (row.size() != num) { \
144	throw PDNSException(std::string(query) + " returned wrong number of columns, expected " #num ", got " + std::to_string(row.size())); \
145	} \	3,079✔
146	}	3,079!
147		1,907✔
148	void Bind2Backend::setupDNSSEC()	1,172✔
149	{	3,167✔
150	if (getArg("dnssec-db").empty() \|\| d_hybrid)	3,167!
151	return;	3,167✔
152	try {	1,172✔
153	d_dnssecdb = std::make_shared<SSQLite3>(getArg("dnssec-db"), getArg("dnssec-db-journal-mode"));
154	setupStatements();	×
155	}	×
156	catch (SSqlException& se) {
157	// this error is meant to kill the server dead - it makes no sense to continue..	1,172✔
158	throw runtime_error("Error opening DNSSEC database in BIND backend: " + se.txtReason());	1,172✔
159	}
160
161	d_dnssecdb->setLog(::arg().mustDo("query-logging"));	1,172✔
162	}	1,172✔
163		1,172✔
164	void Bind2Backend::setupStatements()	1,172✔
165	{	1,172✔
166	d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain", 1);	1,172✔
167	d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind", 2);	1,172✔
168	d_deleteDomainMetadataQuery_stmt = d_dnssecdb->prepare("delete from domainmetadata where domain=:domain and kind=:kind", 2);	1,172✔
169	d_insertDomainMetadataQuery_stmt = d_dnssecdb->prepare("insert into domainmetadata (domain, kind, content) values (:domain,:kind,:content)", 3);	1,172✔
170	d_getDomainKeysQuery_stmt = d_dnssecdb->prepare("select id,flags, active, published, content from cryptokeys where domain=:domain", 1);	1,172✔
171	d_deleteDomainKeyQuery_stmt = d_dnssecdb->prepare("delete from cryptokeys where domain=:domain and id=:key_id", 2);	1,172✔
172	d_insertDomainKeyQuery_stmt = d_dnssecdb->prepare("insert into cryptokeys (domain, flags, active, published, content) values (:domain, :flags, :active, :published, :content)", 5);	1,172✔
173	d_GetLastInsertedKeyIdQuery_stmt = d_dnssecdb->prepare("select last_insert_rowid()", 0);	1,172✔
174	d_activateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=1 where domain=:domain and id=:key_id", 2);	1,172✔
175	d_deactivateDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set active=0 where domain=:domain and id=:key_id", 2);	1,172✔
176	d_publishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=1 where domain=:domain and id=:key_id", 2);	1,172✔
177	d_unpublishDomainKeyQuery_stmt = d_dnssecdb->prepare("update cryptokeys set published=0 where domain=:domain and id=:key_id", 2);	1,172✔
178	d_getTSIGKeyQuery_stmt = d_dnssecdb->prepare("select algorithm, secret from tsigkeys where name=:key_name", 1);	1,172✔
179	d_setTSIGKeyQuery_stmt = d_dnssecdb->prepare("replace into tsigkeys (name,algorithm,secret) values(:key_name, :algorithm, :content)", 3);
180	d_deleteTSIGKeyQuery_stmt = d_dnssecdb->prepare("delete from tsigkeys where name=:key_name", 1);
181	d_getTSIGKeysQuery_stmt = d_dnssecdb->prepare("select name,algorithm,secret from tsigkeys", 0);	2,999✔
182	}	2,999✔
183		2,999✔
184	void Bind2Backend::freeStatements()	2,999✔
185	{	4,978✔
186	d_getAllDomainMetadataQuery_stmt.reset();	4,978✔
187	d_getDomainMetadataQuery_stmt.reset();	4,978✔
188	d_deleteDomainMetadataQuery_stmt.reset();	4,978✔
189	d_insertDomainMetadataQuery_stmt.reset();	4,978✔
190	d_getDomainKeysQuery_stmt.reset();	4,978✔
191	d_deleteDomainKeyQuery_stmt.reset();	4,978✔
192	d_insertDomainKeyQuery_stmt.reset();	4,978✔
193	d_GetLastInsertedKeyIdQuery_stmt.reset();	4,978✔
194	d_activateDomainKeyQuery_stmt.reset();	4,978✔
195	d_deactivateDomainKeyQuery_stmt.reset();	4,978✔
196	d_publishDomainKeyQuery_stmt.reset();	4,978✔
197	d_unpublishDomainKeyQuery_stmt.reset();	4,978✔
198	d_getTSIGKeyQuery_stmt.reset();	4,978✔
199	d_setTSIGKeyQuery_stmt.reset();	1,979✔
200	d_deleteTSIGKeyQuery_stmt.reset();	1,979✔
201	d_getTSIGKeysQuery_stmt.reset();	3,418✔
202	}	3,418!
203		1,439✔
204	unsigned int Bind2Backend::getCapabilities()
205	{	26✔
206	unsigned int caps = CAP_LIST \| CAP_SEARCH;	26✔
207	if (d_dnssecdb \|\| d_hybrid) {	26!
208	caps \|= CAP_DNSSEC;	×
209	}	×
210	return caps;	26✔
211	}	26!
212
213	// NOLINTNEXTLINE(readability-convert-member-functions-to-static)
214	bool Bind2Backend::getNSEC3PARAM(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)
215	{	×
216	BB2DomainInfo bbd;	×
217	if (!safeGetBBDomainInfo(name, &bbd))	×
218	return false;
219		2,718✔
220	if (ns3p != nullptr) {	2,718!
221	*ns3p = bbd.d_nsec3param;	22✔
222	}
223		2,696✔
224	return bbd.d_nsec3zone;	2,696✔
225	}	2,696✔
226		2,696✔
227	bool Bind2Backend::getNSEC3PARAMuncached(const ZoneName& name, NSEC3PARAMRecordContent* ns3p)	710✔
228	{	1,986✔
229	if (!d_dnssecdb \|\| d_hybrid)	1,986!
230	return false;
231		710✔
232	string value;	710!
233	vector<string> meta;	710✔
234	getDomainMetadata(name, "NSEC3PARAM", meta);	710✔
235	if (!meta.empty())	2,714✔
236	value = *meta.begin();	710!
237	else	×
238	return false; // No NSEC3 zone	×
239
240	static int maxNSEC3Iterations = ::arg().asNum("max-nsec3-iterations");
241	if (ns3p) {	710✔
242	auto tmp = std::dynamic_pointer_cast<NSEC3PARAMRecordContent>(DNSRecordContent::make(QType::NSEC3PARAM, 1, value));	×
243	ns3p = tmp;	×
244
245	if (ns3p->d_iterations > maxNSEC3Iterations) {	710!
246	ns3p->d_iterations = maxNSEC3Iterations;
247	g_log << Logger::Error << "Number of NSEC3 iterations for zone '" << name << "' is above 'max-nsec3-iterations'. Value adjusted to: " << maxNSEC3Iterations << endl;	710✔
248	}	2,696✔
249
250	if (ns3p->d_algorithm != 1) {	715!
251	g_log << Logger::Error << "Invalid hash algorithm for NSEC3: '" << std::to_string(ns3p->d_algorithm) << "', setting to 1 for zone '" << name << "'." << endl;	585✔
252	ns3p->d_algorithm = 1;	585!
253	}	42✔
254	}
255		543✔
256	return true;	543✔
257	}
258		543✔
259	bool Bind2Backend::getAllDomainMetadata(const ZoneName& name, std::map<std::string, std::vector<std::string>>& meta)	1,093✔
260	{	550✔
261	if (!d_dnssecdb \|\| d_hybrid)	550!
262	return false;	550✔
263
264	try {	543✔
265	d_getAllDomainMetadataQuery_stmt->bind("domain", name)->execute();	543✔
266		543✔
267	SSqlStatement::row_t row;	×
268	while (d_getAllDomainMetadataQuery_stmt->hasNextRow()) {	✔
269	d_getAllDomainMetadataQuery_stmt->nextRow(row);	543✔
270	meta[row[0]].push_back(row[1]);	543✔
271	}
272
273	d_getAllDomainMetadataQuery_stmt->reset();	3,192✔
274	}	3,192!
275	catch (SSqlException& se) {	4✔
276	throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): " + se.txtReason());
277	}	3,188✔
278	return true;	3,188✔
279	}
280		3,188✔
281	bool Bind2Backend::getDomainMetadata(const ZoneName& name, const std::string& kind, std::vector<std::string>& meta)	3,921✔
282	{	737✔
283	if (!d_dnssecdb \|\| d_hybrid)	737!
284	return false;	737✔
285
286	try {	3,188✔
287	d_getDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute();	3,188✔
288		3,188✔
289	SSqlStatement::row_t row;	×
290	while (d_getDomainMetadataQuery_stmt->hasNextRow()) {	✔
291	d_getDomainMetadataQuery_stmt->nextRow(row);	3,188✔
292	meta.push_back(row[0]);	3,188✔
293	}
294
295	d_getDomainMetadataQuery_stmt->reset();	248✔
296	}	248!
297	catch (SSqlException& se) {	×
298	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): " + se.txtReason());
299	}	248✔
300	return true;	248✔
301	}	248✔
302		183✔
303	bool Bind2Backend::setDomainMetadata(const ZoneName& name, const std::string& kind, const std::vector<std::string>& meta)	183✔
304	{	183✔
305	if (!d_dnssecdb \|\| d_hybrid)	183!
306	return false;	248✔
307		248✔
308	try {	×
309	d_deleteDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->execute()->reset();	×
310	if (!meta.empty()) {	248✔
311	for (const auto& value : meta) {	248✔
312	d_insertDomainMetadataQuery_stmt->bind("domain", name)->bind("kind", kind)->bind("content", value)->execute()->reset();
313	}
314	}	578✔
315	}	578!
316	catch (SSqlException& se) {	38✔
317	throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): " + se.txtReason());
318	}	540✔
319	return true;	540✔
320	}
321		540✔
322	bool Bind2Backend::getDomainKeys(const ZoneName& name, std::vector<KeyData>& keys)	540✔
323	{	950✔
324	if (!d_dnssecdb \|\| d_hybrid)	410!
325	return false;	410✔
326		410✔
327	try {	410✔
328	d_getDomainKeysQuery_stmt->bind("domain", name)->execute();	410✔
329		410✔
330	KeyData kd;	410✔
331	SSqlStatement::row_t row;	410✔
332	while (d_getDomainKeysQuery_stmt->hasNextRow()) {	1,153✔
333	d_getDomainKeysQuery_stmt->nextRow(row);	540✔
334	pdns::checked_stoi_into(kd.id, row[0]);	540✔
335	pdns::checked_stoi_into(kd.flags, row[1]);	540✔
336	kd.active = (row[2] == "1");	×
337	kd.published = (row[3] == "1");	×
338	kd.content = row[4];	540✔
339	keys.push_back(kd);	540✔
340	}
341
342	d_getDomainKeysQuery_stmt->reset();	×
343	}	×
344	catch (SSqlException& se) {	×
345	throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): " + se.txtReason());
346	}	×
347	return true;	×
348	}	×
349
350	bool Bind2Backend::removeDomainKey(const ZoneName& name, unsigned int keyId)
351	{	×
352	if (!d_dnssecdb \|\| d_hybrid)	×
353	return false;	×
354
355	try {
356	d_deleteDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	113✔
357	}	113!
358	catch (SSqlException& se) {	×
359	throw PDNSException("Error accessing DNSSEC database in BIND backend, removeDomainKeys(): " + se.txtReason());
360	}	113✔
361	return true;	113✔
362	}	113✔
363		113✔
364	bool Bind2Backend::addDomainKey(const ZoneName& name, const KeyData& key, int64_t& keyId)
365	{	×
366	if (!d_dnssecdb \|\| d_hybrid)	248!
367	return false;	113✔
368		113✔
369	try {	113!
370	d_insertDomainKeyQuery_stmt->bind("domain", name)->bind("flags", key.flags)->bind("active", key.active)->bind("published", key.published)->bind("content", key.content)->execute()->reset();	×
371	}	×
372	catch (SSqlException& se) {	×
373	throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): " + se.txtReason());	113✔
374	}	113✔
375		113!
376	try {	113✔
377	d_GetLastInsertedKeyIdQuery_stmt->execute();	113✔
378	if (!d_GetLastInsertedKeyIdQuery_stmt->hasNextRow()) {	113!
379	keyId = -2;	113✔
380	return true;	113✔
381	}	×
382	SSqlStatement::row_t row;	×
383	d_GetLastInsertedKeyIdQuery_stmt->nextRow(row);	×
384	ASSERT_ROW_COLUMNS("get-last-inserted-key-id-query", row, 1);	113!
385	keyId = std::stoi(row[0]);
386	d_GetLastInsertedKeyIdQuery_stmt->reset();
387	if (keyId == 0) {	×
388	// No insert took place, report as error.	×
389	keyId = -1;	×
390	}
391	return true;	×
392	}	×
393	catch (SSqlException& e) {	×
394	keyId = -2;	×
395	return true;	×
396	}	×
397	}	×
398
399	bool Bind2Backend::activateDomainKey(const ZoneName& name, unsigned int keyId)
400	{
401	if (!d_dnssecdb \|\| d_hybrid)	×
402	return false;	×
403
404	try {
405	d_activateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
406	}	×
407	catch (SSqlException& se) {	×
408	throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): " + se.txtReason());	×
409	}	×
410	return true;	×
411	}	×
412
413	bool Bind2Backend::deactivateDomainKey(const ZoneName& name, unsigned int keyId)
414	{
415	if (!d_dnssecdb \|\| d_hybrid)	×
416	return false;	×
417
418	try {
419	d_deactivateDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	×
420	}	×
421	catch (SSqlException& se) {	×
422	throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): " + se.txtReason());	×
423	}	×
424	return true;	×
425	}	×
426
427	bool Bind2Backend::publishDomainKey(const ZoneName& name, unsigned int keyId)
428	{
429	if (!d_dnssecdb \|\| d_hybrid)	5!
430	return false;	5!
431
432	try {
433	d_publishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	5✔
434	}	5✔
435	catch (SSqlException& se) {	5✔
436	throw PDNSException("Error accessing DNSSEC database in BIND backend, publishDomainKey(): " + se.txtReason());	5✔
437	}	×
438	return true;	×
439	}	5✔
440		5✔
441	bool Bind2Backend::unpublishDomainKey(const ZoneName& name, unsigned int keyId)
442	{
443	if (!d_dnssecdb \|\| d_hybrid)	47!
444	return false;	47!
445
446	try {
447	d_unpublishDomainKeyQuery_stmt->bind("domain", name)->bind("key_id", keyId)->execute()->reset();	47✔
448	}	47✔
449	catch (SSqlException& se) {
450	throw PDNSException("Error accessing DNSSEC database in BIND backend, unpublishDomainKey(): " + se.txtReason());	47✔
451	}	94✔
452	return true;	47✔
453	}	47!
454		47✔
455	bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName& algorithm, string& content)	47✔
456	{	47✔
457	if (!d_dnssecdb \|\| d_hybrid)	47!
458	return false;
459		47✔
460	try {	47✔
461	d_getTSIGKeyQuery_stmt->bind("key_name", name)->execute();	47✔
462
463	SSqlStatement::row_t row;	×
464	while (d_getTSIGKeyQuery_stmt->hasNextRow()) {	47✔
465	d_getTSIGKeyQuery_stmt->nextRow(row);	47✔
466	if (row.size() >= 2 && (algorithm.empty() \|\| algorithm == DNSName(row[0]))) {	141!
467	algorithm = DNSName(row[0]);
468	content = row[1];	5✔
469	}	5!
470	}	×
471
472	d_getTSIGKeyQuery_stmt->reset();	5✔
473	}	5✔
474	catch (SSqlException& e) {	5✔
475	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): " + e.txtReason());	5✔
476	}	×
477	return true;	×
478	}	5✔
479		5✔
480	bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, const string& content)
481	{
482	if (!d_dnssecdb \|\| d_hybrid)	×
483	return false;	×
484
485	try {
486	d_setTSIGKeyQuery_stmt->bind("key_name", name)->bind("algorithm", algorithm)->bind("content", content)->execute()->reset();	×
487	}	×
488	catch (SSqlException& e) {	×
489	throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): " + e.txtReason());	×
490	}	×
491	return true;	×
492	}	×
493
494	bool Bind2Backend::deleteTSIGKey(const DNSName& name)
495	{
496	if (!d_dnssecdb \|\| d_hybrid)	×
497	return false;	×
498
499	try {
500	d_deleteTSIGKeyQuery_stmt->bind("key_name", name)->execute()->reset();	×
501	}	×
502	catch (SSqlException& e) {
503	throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): " + e.txtReason());	×
504	}	×
505	return true;	×
506	}	×
507
508	bool Bind2Backend::getTSIGKeys(std::vector<struct TSIGKey>& keys)
509	{	×
510	if (!d_dnssecdb \|\| d_hybrid)	×
511	return false;	×
512
513	try {	×
514	d_getTSIGKeysQuery_stmt->execute();	×
515
516	SSqlStatement::row_t row;	×
517	while (d_getTSIGKeysQuery_stmt->hasNextRow()) {	×
518	d_getTSIGKeysQuery_stmt->nextRow(row);	×
519	struct TSIGKey key;	×
520	key.name = DNSName(row[0]);
521	key.algorithm = DNSName(row[1]);
522	key.key = row[2];
523	keys.push_back(key);
524	}
525
526	d_getTSIGKeysQuery_stmt->reset();
527	}
528	catch (SSqlException& e) {
529	throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): " + e.txtReason());
530	}
531	return true;
532	}
533
534	#endif

PowerDNS / pdns / 21496291765

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous