Commit fa9b4de7 authored by Witold Krecicki's avatar Witold Krecicki

4576. [func] The RPZ implementation has been substantially...

4576.   [func]          The RPZ implementation has been substantially refactored for improved performance and reliability. [RT #43449]
parent 87ff6241
4576. [func] The RPZ implementation has been substantially
refactored for improved performance and reliability.
[RT #43449]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
......@@ -1872,11 +1872,12 @@ configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
static isc_result_t
configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
isc_boolean_t recursive_only_def, dns_ttl_t ttl_def,
const dns_rpz_zone_t *old, isc_boolean_t *old_rpz_okp)
isc_uint32_t minupdateint_def, const dns_rpz_zone_t *old,
isc_boolean_t *old_rpz_okp)
{
const cfg_obj_t *rpz_obj, *obj;
const char *str;
dns_rpz_zone_t *new;
dns_rpz_zone_t *zone = NULL;
isc_result_t result;
dns_rpz_num_t rpz_num;
......@@ -1891,127 +1892,118 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
return (ISC_R_FAILURE);
}
new = isc_mem_get(view->rpzs->mctx, sizeof(*new));
if (new == NULL) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"no memory for response policy zones");
return (ISC_R_NOMEMORY);
}
memset(new, 0, sizeof(*new));
result = isc_refcount_init(&new->refs, 1);
result = dns_rpz_new_zone(view->rpzs, &zone);
if (result != ISC_R_SUCCESS) {
isc_mem_put(view->rpzs->mctx, new, sizeof(*new));
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"Error creating new RPZ zone : %s",
isc_result_totext(result));
return (result);
}
dns_name_init(&new->origin, NULL);
dns_name_init(&new->client_ip, NULL);
dns_name_init(&new->ip, NULL);
dns_name_init(&new->nsdname, NULL);
dns_name_init(&new->nsip, NULL);
dns_name_init(&new->passthru, NULL);
dns_name_init(&new->drop, NULL);
dns_name_init(&new->tcp_only, NULL);
dns_name_init(&new->cname, NULL);
new->num = view->rpzs->p.num_zones++;
view->rpzs->zones[new->num] = new;
obj = cfg_tuple_get(rpz_obj, "recursive-only");
if (cfg_obj_isvoid(obj) ? recursive_only_def : cfg_obj_asboolean(obj)) {
view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(new->num);
view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(zone->num);
} else {
view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(new->num);
view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(zone->num);
}
obj = cfg_tuple_get(rpz_obj, "log");
if (!cfg_obj_isvoid(obj) && !cfg_obj_asboolean(obj)) {
view->rpzs->p.no_log |= DNS_RPZ_ZBIT(new->num);
view->rpzs->p.no_log |= DNS_RPZ_ZBIT(zone->num);
} else {
view->rpzs->p.no_log &= ~DNS_RPZ_ZBIT(new->num);
view->rpzs->p.no_log &= ~DNS_RPZ_ZBIT(zone->num);
}
obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(obj)) {
new->max_policy_ttl = cfg_obj_asuint32(obj);
zone->max_policy_ttl = cfg_obj_asuint32(obj);
} else {
zone->max_policy_ttl = ttl_def;
}
obj = cfg_tuple_get(rpz_obj, "min-update-interval");
if (cfg_obj_isuint32(obj)) {
zone->min_update_int = cfg_obj_asuint32(obj);
} else {
new->max_policy_ttl = ttl_def;
zone->min_update_int = minupdateint_def;
}
if (*old_rpz_okp && new->max_policy_ttl != old->max_policy_ttl)
if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl)
*old_rpz_okp = ISC_FALSE;
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
result = configure_rpz_name(view, rpz_obj, &zone->origin, str, "zone");
if (result != ISC_R_SUCCESS)
return (result);
if (dns_name_equal(&new->origin, dns_rootname)) {
if (dns_name_equal(&zone->origin, dns_rootname)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"invalid zone name '%s'", str);
return (DNS_R_EMPTYLABEL);
}
for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones-1; ++rpz_num) {
if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin,
&new->origin)) {
&zone->origin)) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"duplicate '%s'", str);
result = DNS_R_DUPLICATE;
return (result);
}
}
if (*old_rpz_okp && !dns_name_equal(&old->origin, &new->origin))
if (*old_rpz_okp && !dns_name_equal(&old->origin, &zone->origin))
*old_rpz_okp = ISC_FALSE;
result = configure_rpz_name2(view, rpz_obj, &new->client_ip,
DNS_RPZ_CLIENT_IP_ZONE, &new->origin);
result = configure_rpz_name2(view, rpz_obj, &zone->client_ip,
DNS_RPZ_CLIENT_IP_ZONE, &zone->origin);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name2(view, rpz_obj, &new->ip,
DNS_RPZ_IP_ZONE, &new->origin);
result = configure_rpz_name2(view, rpz_obj, &zone->ip,
DNS_RPZ_IP_ZONE, &zone->origin);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
DNS_RPZ_NSDNAME_ZONE, &new->origin);
result = configure_rpz_name2(view, rpz_obj, &zone->nsdname,
DNS_RPZ_NSDNAME_ZONE, &zone->origin);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name2(view, rpz_obj, &new->nsip,
DNS_RPZ_NSIP_ZONE, &new->origin);
result = configure_rpz_name2(view, rpz_obj, &zone->nsip,
DNS_RPZ_NSIP_ZONE, &zone->origin);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name(view, rpz_obj, &new->passthru,
result = configure_rpz_name(view, rpz_obj, &zone->passthru,
DNS_RPZ_PASSTHRU_NAME, "name");
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name(view, rpz_obj, &new->drop,
result = configure_rpz_name(view, rpz_obj, &zone->drop,
DNS_RPZ_DROP_NAME, "name");
if (result != ISC_R_SUCCESS)
return (result);
result = configure_rpz_name(view, rpz_obj, &new->tcp_only,
result = configure_rpz_name(view, rpz_obj, &zone->tcp_only,
DNS_RPZ_TCP_ONLY_NAME, "name");
if (result != ISC_R_SUCCESS)
return (result);
obj = cfg_tuple_get(rpz_obj, "policy");
if (cfg_obj_isvoid(obj)) {
new->policy = DNS_RPZ_POLICY_GIVEN;
zone->policy = DNS_RPZ_POLICY_GIVEN;
} else {
str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
new->policy = dns_rpz_str2policy(str);
INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
if (new->policy == DNS_RPZ_POLICY_CNAME) {
zone->policy = dns_rpz_str2policy(str);
INSIST(zone->policy != DNS_RPZ_POLICY_ERROR);
if (zone->policy == DNS_RPZ_POLICY_CNAME) {
str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
result = configure_rpz_name(view, rpz_obj, &new->cname,
result = configure_rpz_name(view, rpz_obj, &zone->cname,
str, "cname");
if (result != ISC_R_SUCCESS)
return (result);
}
}
if (*old_rpz_okp && (new->policy != old->policy ||
!dns_name_equal(&old->cname, &new->cname)))
if (*old_rpz_okp && (zone->policy != old->policy ||
!dns_name_equal(&old->cname, &zone->cname)))
*old_rpz_okp = ISC_FALSE;
return (ISC_R_SUCCESS);
......@@ -2025,7 +2017,8 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
const cfg_obj_t *sub_obj;
isc_boolean_t recursive_only_def;
dns_ttl_t ttl_def;
dns_rpz_zones_t *new;
isc_uint32_t minupdateint_def;
dns_rpz_zones_t *zones;
const dns_rpz_zones_t *old;
dns_view_t *pview;
const dns_rpz_zone_t *old_zone;
......@@ -2038,10 +2031,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
if (zone_element == NULL)
return (ISC_R_SUCCESS);
result = dns_rpz_new_zones(&view->rpzs, view->mctx);
result = dns_rpz_new_zones(&view->rpzs, view->mctx,
ns_g_taskmgr, ns_g_timermgr);
if (result != ISC_R_SUCCESS)
return (result);
new = view->rpzs;
zones = view->rpzs;
sub_obj = cfg_tuple_get(rpz_obj, "recursive-only");
if (!cfg_obj_isvoid(sub_obj) &&
......@@ -2053,9 +2048,9 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
sub_obj = cfg_tuple_get(rpz_obj, "break-dnssec");
if (!cfg_obj_isvoid(sub_obj) &&
cfg_obj_asboolean(sub_obj))
new->p.break_dnssec = ISC_TRUE;
zones->p.break_dnssec = ISC_TRUE;
else
new->p.break_dnssec = ISC_FALSE;
zones->p.break_dnssec = ISC_FALSE;
sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(sub_obj))
......@@ -2063,23 +2058,29 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
else
ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
sub_obj = cfg_tuple_get(rpz_obj, "min-update-interval");
if (cfg_obj_isuint32(sub_obj))
minupdateint_def = cfg_obj_asuint32(sub_obj);
else
minupdateint_def = DNS_RPZ_MINUPDATEINT_DEF;
sub_obj = cfg_tuple_get(rpz_obj, "min-ns-dots");
if (cfg_obj_isuint32(sub_obj))
new->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1;
zones->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1;
else
new->p.min_ns_labels = 2;
zones->p.min_ns_labels = 2;
sub_obj = cfg_tuple_get(rpz_obj, "qname-wait-recurse");
if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
new->p.qname_wait_recurse = ISC_TRUE;
zones->p.qname_wait_recurse = ISC_TRUE;
else
new->p.qname_wait_recurse = ISC_FALSE;
zones->p.qname_wait_recurse = ISC_FALSE;
sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
new->p.nsip_wait_recurse = ISC_TRUE;
zones->p.nsip_wait_recurse = ISC_TRUE;
else
new->p.nsip_wait_recurse = ISC_FALSE;
zones->p.nsip_wait_recurse = ISC_FALSE;
pview = NULL;
result = dns_viewlist_find(&ns_g_server->viewlist,
......@@ -2106,7 +2107,8 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
}
result = configure_rpz_zone(view, zone_element,
recursive_only_def, ttl_def,
old_zone, old_rpz_okp);
minupdateint_def, old_zone,
old_rpz_okp);
if (result != ISC_R_SUCCESS) {
if (pview != NULL)
dns_view_detach(&pview);
......@@ -2119,7 +2121,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
* zones are unchanged, then use the same policy data.
* Data for individual zones that must be reloaded will be merged.
*/
if (old != NULL && memcmp(&old->p, &new->p, sizeof(new->p)) != 0)
if (old != NULL && memcmp(&old->p, &zones->p, sizeof(zones->p)) != 0)
*old_rpz_okp = ISC_FALSE;
if (*old_rpz_okp) {
dns_rpz_detach_rpzs(&view->rpzs);
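Review bot: In the `@@ -1891` hunk the new per-zone `min_update_int` is read from `min-update-interval` but never compared with `old->min_update_int`, whereas `max_policy_ttl` is; so when everything else is unchanged `*old_rpz_okp` stays true and a reconfigured interval can silently keep the old value. Add, beside the existing max_policy_ttl check, `if (*old_rpz_okp && zone->min_update_int != old->min_update_int)` / `*old_rpz_okp = ISC_FALSE;`. The early `return (result)` paths after `dns_rpz_new_zone()` succeeds (name configuration failures, the root-origin and duplicate cases) leave `zone` registered in `view->rpzs`, which the duplicate-scan loop over `view->rpzs->zones[]` implies; that presumably mirrors the old code's reliance on the caller's `dns_rpz_detach_rpzs()`, but a one-line comment at the first such return, e.g. `/* zone is owned by view->rpzs and freed with it on failure */`, would make the ownership explicit. configure_rpz_zone's body continues between and beyond the hunks shown.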
......@@ -510,24 +510,6 @@ getrrsetstats(dns_db_t *db) {
}
static void
rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
sampledb_t *sampledb = (sampledb_t *) db;
REQUIRE(VALID_SAMPLEDB(sampledb));
dns_db_rpz_attach(sampledb->rbtdb, rpzs, rpz_num);
}
static isc_result_t
rpz_ready(dns_db_t *db) {
sampledb_t *sampledb = (sampledb_t *) db;
REQUIRE(VALID_SAMPLEDB(sampledb));
return (dns_db_rpz_ready(sampledb->rbtdb));
}
static isc_result_t
findnodeext(dns_db_t *db, const dns_name_t *name,
isc_boolean_t create, dns_clientinfomethods_t *methods,
......@@ -617,8 +599,8 @@ static dns_dbmethods_t sampledb_methods = {
resigned,
isdnssec,
getrrsetstats,
rpz_attach,
rpz_ready,
NULL,
NULL,
findnodeext,
findext,
setcachestats,
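Review bot: Replacing `rpz_attach` and `rpz_ready` with `NULL` in `sampledb_methods` is inconsistent with the deprecated wrapper kept in lib/dns/db.c (hunk `@@ -1048` below), which still executes `REQUIRE(db->methods->rpz_attach != NULL)`; any remaining caller of the deprecated `dns_db_rpz_attach()` on such a database now aborts named with an assertion rather than getting a no-op. If the API is retained for compatibility, either guard the call, `if (db->methods->rpz_attach != NULL)` / `(db->methods->rpz_attach)(db, rpzs, rpz_num);`, or state in the header comment that invoking it on a database without these methods is fatal. The analogous `dns_db_rpz_ready()` wrapper is not shown here and presumably needs the same treatment. Whether any in-tree caller of either function remains cannot be seen from this diff.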
......@@ -44,6 +44,7 @@ options {
}
min-ns-dots 0
qname-wait-recurse yes
min-update-interval 0
;
};
......@@ -19,7 +19,7 @@ options {
forward only;
forwarders { 10.53.0.3; };
response-policy { zone "policy1"; };
response-policy { zone "policy1" min-update-interval 0; };
};
key rndc_key {
......@@ -17,7 +17,9 @@ options {
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
response-policy { zone "policy2"; } qname-wait-recurse no;
response-policy { zone "policy2"; }
qname-wait-recurse no
min-update-interval 0;
};
key rndc_key {
......@@ -24,6 +24,7 @@ run_server() {
echo "I:starting resolver using named.$TESTNAME.conf"
cp -f ns2/named.$TESTNAME.conf ns2/named.conf
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2
sleep 3
}
run_query() {
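Review bot: The `sleep 3` added after the ns2 restart makes `run_server()` depend on a fixed delay rather than on the server actually being up, which is a common source of flaky results on slow or loaded builders. A bounded readiness loop (retry a query against the restarted server a fixed number of times, with a short pause between attempts, and fail the test if it never answers) would be both faster on fast machines and more robust on slow ones. The `run_server()` header is only visible in the hunk context line, so the function starts outside the hunk.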
......@@ -228,6 +228,19 @@
<itemizedlist>
<listitem>
<para>
The Response Policy Zone (RPZ) implementation has been
substantially refactored: updates to the RPZ summary
database are no longer directly performed by the zone
database but by a separate function that is called when
a policy zone is updated. This improves both performance
and reliability when policy zones receive frequent updates.
Summary database updates can be rate-limited by using the
<command>min-update-interval</command> option in a
<command>response-policy</command> statement. [RT #43449]
</para>
</listitem>
<listitem>
<para>
<command>dnstap</command> now stores both the local and remote
addresses for all messages, instead of only the remote address.
The default output format for <command>dnstap-read</command> has
......@@ -302,10 +302,11 @@ options {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <quoted_string> [ log <boolean> ] [
max-policy-ttl <integer> ] [ policy ( cname | disabled | drop |
given | no-op | nodata | nxdomain | passthru | tcp-only
<quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
policy ( cname | disabled | drop | given | no-op | nodata |
nxdomain | passthru | tcp-only <quoted_string> ) ] [
recursive-only <boolean> ]; ... } [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
......@@ -610,10 +611,11 @@ view <string> [ <class> ] {
response-padding { <address_match_element>; ... } block-size
<integer>;
response-policy { zone <quoted_string> [ log <boolean> ] [
max-policy-ttl <integer> ] [ policy ( cname | disabled | drop |
given | no-op | nodata | nxdomain | passthru | tcp-only
<quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
policy ( cname | disabled | drop | given | no-op | nodata |
nxdomain | passthru | tcp-only | <quoted_string> ) ] [
recursive-only <boolean> ]; ... } [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ] [ min-update-interval <integer> ] [
min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
......@@ -1048,7 +1048,7 @@ dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
* it is dealing with a database that understands response policy zones.
*/
void
dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
dns_db_rpz_attach(dns_db_t *db, void *rpzs, isc_uint8_t rpz_num) {
REQUIRE(db->methods->rpz_attach != NULL);
(db->methods->rpz_attach)(db, rpzs, rpz_num);
}
......@@ -56,7 +56,6 @@
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rpz.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
......@@ -167,8 +166,8 @@ typedef struct dns_dbmethods {
dns_dbversion_t *version);
isc_boolean_t (*isdnssec)(dns_db_t *db);
dns_stats_t *(*getrrsetstats)(dns_db_t *db);
void (*rpz_attach)(dns_db_t *db, dns_rpz_zones_t *rpzs,
dns_rpz_num_t rpz_num);
void (*rpz_attach)(dns_db_t *db, void *rpzs,
isc_uint8_t rpz_num);
isc_result_t (*rpz_ready)(dns_db_t *db);
isc_result_t (*findnodeext)(dns_db_t *db, const dns_name_t *name,
isc_boolean_t create,
......@@ -1635,14 +1634,16 @@ dns_db_setcachestats(dns_db_t *db, isc_stats_t *stats);
*/
void
dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);
dns_db_rpz_attach(dns_db_t *db, void *rpzs, isc_uint8_t rpz_num)
ISC_DEPRECATED;
/*%<
* Attach the response policy information for a view to a database for a
* zone for the view.
*/
isc_result_t
dns_db_rpz_ready(dns_db_t *db);
dns_db_rpz_ready(dns_db_t *db)
ISC_DEPRECATED;
/*%<
* Finish loading a response policy zone.
*/
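Review bot: The `/*%<` blocks for `dns_db_rpz_attach()` and `dns_db_rpz_ready()` still describe them as the way to attach policy data and finish loading, although both declarations are now tagged `ISC_DEPRECATED` and the method slots they dispatch to are being set to NULL in the database drivers (sampledb hunk above). Each block should say so and point at the replacement, e.g. `* Deprecated: named no longer drives RPZ updates through the database; see dns_rpz_dbupdate_callback() in dns/rpz.h.` — the replacement being that callback is inferred from the release note in this commit, so confirm before wording it as fact. Since `rpzs` is now an opaque `void *`, the comment should also state what object, if any, a caller is still expected to pass.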
......@@ -75,6 +75,7 @@
#define DNS_EVENT_CATZADDZONE (ISC_EVENTCLASS_DNS + 54)
#define DNS_EVENT_CATZMODZONE (ISC_EVENTCLASS_DNS + 55)
#define DNS_EVENT_CATZDELZONE (ISC_EVENTCLASS_DNS + 56)
#define DNS_EVENT_RPZUPDATED (ISC_EVENTCLASS_DNS + 57)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
......@@ -15,6 +15,10 @@
#include <isc/lang.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/ht.h>
#include <isc/time.h>
#include <isc/event.h>
#include <isc/timer.h>
#include <dns/fixedname.h>
#include <dns/rdata.h>
......@@ -37,7 +41,6 @@ ISC_LANG_BEGINDECLS
#define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX"drop"
#define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX"tcp-only"
typedef isc_uint8_t dns_rpz_prefix_t;
typedef enum {
......@@ -118,20 +121,38 @@ struct dns_rpz_triggers {
* A single response policy zone.
*/
typedef struct dns_rpz_zone dns_rpz_zone_t;
typedef struct dns_rpz_zones dns_rpz_zones_t;
struct dns_rpz_zone {
isc_refcount_t refs;
dns_rpz_num_t num; /* ordinal in list of policy zones */
dns_name_t origin; /* Policy zone name */
dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */
dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */
dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */
dns_name_t drop; /* DNS_RPZ_DROP_NAME. */
dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */
dns_name_t cname; /* override value for ..._CNAME */
dns_ttl_t max_policy_ttl;
isc_refcount_t refs;
dns_rpz_num_t num; /* ordinal in list of policy zones */
dns_name_t origin; /* Policy zone name */
dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */
dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */
dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */
dns_name_t drop; /* DNS_RPZ_DROP_NAME. */
dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */
dns_name_t cname; /* override value for ..._CNAME */
dns_ttl_t max_policy_ttl;
dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
isc_uint32_t min_update_int;/* minimal interval between updates */
isc_ht_t *nodes; /* entries in zone */
dns_rpz_zones_t *rpzs; /* owner */
isc_time_t lastupdated; /* last time the zone was processed */
isc_boolean_t updatepending; /* there is an update pending/waiting */
isc_boolean_t updaterunning; /* there is an update running */
dns_db_t *db; /* zones database */
dns_dbversion_t *dbversion; /* version we will be updating to */
dns_db_t *updb; /* zones database we're working on */
dns_dbversion_t *updbversion; /* version we're currently working on */
dns_dbiterator_t *updbit; /* iterator to use when updating */
isc_ht_t *newnodes; /* entries in zone being updated */
isc_boolean_t db_registered; /* is the notify event registered? */
isc_timer_t *updatetimer;
isc_event_t updateevent;
};
/*
......@@ -176,7 +197,6 @@ struct dns_rpz_popt {
/*
* Response policy zones known to a view.
*/
typedef struct dns_rpz_zones dns_rpz_zones_t;
struct dns_rpz_zones {
dns_rpz_popt_t p;
dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES];
......@@ -215,6 +235,9 @@ struct dns_rpz_zones {
dns_rpz_triggers_t total_triggers;
isc_mem_t *mctx;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_task_t *updater;
isc_refcount_t refs;
/*
* One lock for short term read-only search that guarantees the
......@@ -311,6 +334,7 @@ typedef struct {
#define DNS_RPZ_TTL_DEFAULT 5
#define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT
#define DNS_RPZ_MINUPDATEINT_DEF 60
/*
* So various response policy zone messages can be turned up or down.
......@@ -336,7 +360,14 @@ dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
dns_name_t *selfname);
isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx);
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx,
isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr);
isc_result_t
dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp);
isc_result_t
dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg);
void
dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);
......@@ -346,11 +377,13 @@ dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);
isc_result_t
dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);
dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
ISC_DEPRECATED;
isc_result_t
dns_rpz_ready(dns_rpz_zones_t *rpzs,
dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num);
dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num)
ISC_DEPRECATED;
isc_result_t
dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
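Review bot: The new update machinery in `struct dns_rpz_zone` (hunk `@@ -118`) is undocumented where it matters most: `updatetimer` and `updateevent` carry no comment at all, and the state shared between the zone database's notify path and the updater task (`updatepending`, `updaterunning`, `lastupdated`, `updb`/`updbversion`/`updbit`, `newnodes`) does not say which of the `dns_rpz_zones` locks protects it; a reader cannot tell from the header whether these are read under the search lock, the maintenance lock, or only from the `updater` task. Likewise `min_update_int` and `DNS_RPZ_MINUPDATEINT_DEF 60` give no unit and do not say whether 0 disables rate limiting, which the test configs in this commit rely on (`min-update-interval 0`); `/* seconds; 0 = update immediately */` or the actual semantics, confirmed against the implementation, would settle it. The new public functions `dns_rpz_new_zone()` and `dns_rpz_dbupdate_callback()` in the `@@ -336` hunk lack the `/*%<` block used elsewhere in this header: ownership of `*rpzp` (who detaches it), what `fn_arg` must be (presumably the `dns_rpz_zone_t *`), and from which task or thread the callback may be invoked.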
......@@ -53,7 +53,6 @@
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rbt.h>
#include <dns/rpz.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
......@@ -251,8 +250,6 @@ typedef isc_uint64_t rbtdb_serial_t;
#define resign_insert resign_insert64
#define resign_sooner resign_sooner64
#define resigned resigned64
#define rpz_attach rpz_attach64
#define rpz_ready rpz_ready64
#define serialize serialize64
#define set_index set_index64
#define set_ttl set_ttl64
......@@ -678,9 +675,6 @@ struct dns_rbtdb {
dns_rbt_t * tree;
dns_rbt_t * nsec;
dns_rbt_t * nsec3;
dns_rpz_zones_t *rpzs;
dns_rpz_num_t rpz_num;
dns_rpz_zones_t *load_rpzs;
/* Unlocked */
unsigned int quantum;
......@@ -1296,19 +1290,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
if (rbtdb->cachestats != NULL)
isc_stats_detach(&rbtdb->cachestats);
if (rbtdb->load_rpzs != NULL) {
/*
* We must be cleaning up after a failed zone loading.
*/
REQUIRE(rbtdb->rpzs != NULL &&
rbtdb->rpz_num < rbtdb->rpzs->p.num_zones);
dns_rpz_detach_rpzs(&rbtdb->load_rpzs);
}
if (rbtdb->rpzs != NULL) {
REQUIRE(rbtdb->rpz_num < rbtdb->rpzs->p.num_zones);
dns_rpz_detach_rpzs(&rbtdb->rpzs);
}
isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
isc_rwlock_destroy(&rbtdb->tree_lock);
......@@ -1924,7 +1905,6 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result = ISC_R_UNEXPECTED;
unsigned int node_has_rpz;