/* dns.c

   Domain Name Service subroutines. */

/*
 * Copyright (c) 2000 Internet Software Consortium.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of The Internet Software Consortium nor the names
 *    of its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
 * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * This software has been written for the Internet Software Consortium
 * by Ted Lemon in cooperation with Nominum, Inc.
 * To learn more about the Internet Software Consortium, see
 * ``http://www.isc.org/''.  To learn more about Nominum, Inc., see
 * ``http://www.nominum.com''.
 */

#ifndef lint
/* Version/copyright string carried in the object file; compiled out
 * under lint so it does not show up as an unused variable. */
static char copyright[] =
"$Id: dns.c,v 1.21 2000/04/20 00:55:51 mellon Exp $ Copyright (c) 2000 The Internet Software Consortium.  All rights reserved.\n";
#endif /* not lint */

#include "dhcpd.h"
#include "arpa/nameser.h"

/* This file is kind of a crutch for the BIND 8 nsupdate code, which has
 * itself been cruelly hacked from its original state.   What this code
 * does is twofold: first, it maintains a database of zone cuts that can
 * be used to figure out which server should be contacted to update any
 * given domain name.   Secondly, it maintains a set of named TSIG keys,
 * and associates those keys with zones.   When an update is requested for
 * a particular zone, the key associated with that zone is used for the
 * update.
 *
 * The way this works is that you define the domain name to which an
 * SOA corresponds, and the addresses of some primaries for that domain name:
 *
 *	zone FOO.COM {
 *	  primary 10.0.17.1;
 *	  secondary 10.0.22.1, 10.0.23.1;
 *	  key "FOO.COM Key";
 * 	}
 *
 * If an update is requested for GAZANGA.TOPANGA.FOO.COM, then the name
 * server looks in its database for a zone record for "GAZANGA.TOPANGA.FOO.COM",
 * doesn't find it, looks for one for "TOPANGA.FOO.COM", doesn't find *that*,
 * looks for "FOO.COM", finds it. So it
 * attempts the update to the primary for FOO.COM.   If that times out, it
 * tries the secondaries.   You can list multiple primaries if you have some
 * kind of magic name server that supports that.   You shouldn't list
 * secondaries that don't know how to forward updates (e.g., BIND 8 doesn't
 * support update forwarding, AFAIK).   If no TSIG key is listed, the update
 * is attempted without TSIG.
 *
 * The DHCP server tries to find an existing zone for any given name by
 * trying to look up a local zone structure for each domain containing
 * that name, all the way up to '.'.   If it finds one cached, it tries
 * to use that one to do the update.   That's why it tries to update
 * "FOO.COM" above, even though theoretically it should try GAZANGA...
 * and TOPANGA... first.
 *
 * If the update fails with a predefined or cached zone (we'll get to
 * those in a second), then it tries to find a more specific zone.   This
 * is done by looking first for an SOA for GAZANGA.TOPANGA.FOO.COM.   Then
 * an SOA for TOPANGA.FOO.COM is sought.   If during this search a predefined
 * or cached zone is found, the update fails - there's something wrong
 * somewhere.
 *
 * If a more specific zone _is_ found, that zone is cached for the length of
 * its TTL in the same database as that described above.   TSIG updates are
 * never done for cached zones - if you want TSIG updates you _must_
 * write a zone definition linking the key to the zone.   In cases where you
 * know for sure what the key is but do not want to hardcode the IP addresses
 * of the primary or secondaries, a zone declaration can be made that doesn't
 * include any primary or secondary declarations.   When the DHCP server
 * encounters this while hunting up a matching zone for a name, it looks up
 * the SOA, fills in the IP addresses, and uses that record for the update.
 * If the SOA lookup returns NXRRSET, a warning is printed and the zone is
 * discarded, TSIG key and all.   The search for the zone then continues as if
 * the zone record hadn't been found.   Zones without IP addresses don't
 * match when initially hunting for a predefined or cached zone to update.
 *
 * When an update is attempted and no predefined or cached zone is found
 * that matches any enclosing domain of the domain being updated, the DHCP
 * server goes through the same process that is done when the update to a
 * predefined or cached zone fails - starting with the most specific domain
 * name (GAZANGA.TOPANGA.FOO.COM) and moving to the least specific (the root),
 * it tries to look up an SOA record.   When it finds one, it creates a cached
 * zone and attempts an update, and gives up if the update fails.
 *
 * TSIG keys are defined like this:
 *
 *	key "FOO.COM Key" {
 *		algorithm HMAC-MD5.SIG-ALG.REG.INT;
 *		secret <Base64>;
 *	}
 *
 * <Base64> is a number expressed in base64 that represents the key.
 * It's also permissible to use a quoted string here - this will be
 * translated as the ASCII bytes making up the string, and will not
 * include any NUL termination.  The key name can be any text string,
 * and the key type must be one of the key types defined in the draft
 * or by the IANA.  Currently only the HMAC-MD5... key type is
 * supported.
 */

/* TSIG keys keyed by key name; created lazily by enter_tsig_key(). */
struct hash_table *tsig_key_hash;
/* Zones keyed by zone name; created lazily by enter_dns_zone(). */
struct hash_table *dns_zone_hash;

#if defined (NSUPDATE)
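/* Build a BIND 8 ns_tsig_key for the zone named ZNAME.
 *
 * Looks the zone up in dns_zone_hash and copies its TSIG key name,
 * algorithm and secret into a freshly allocated ns_tsig_key, which is
 * returned in *KEY.  The caller owns the result and releases it with
 * tkey_free().
 *
 * Returns ISC_R_SUCCESS on success, the dns_zone_lookup status if no
 * zone matches, ISC_R_KEY_UNKNOWN if the zone has no key,
 * ISC_R_INVALIDKEY if the key's name, algorithm or secret is unusable,
 * or ISC_R_NOMEMORY.  *KEY is only written on success. */
isc_result_t find_tsig_key (ns_tsig_key **key, const char *zname)
{
	struct dns_zone *zone = (struct dns_zone *)0;
	isc_result_t status;
	ns_tsig_key *tkey;

	status = dns_zone_lookup (&zone, zname);
	if (status != ISC_R_SUCCESS)
		return status;
	if (!zone -> key) {
		status = ISC_R_KEY_UNKNOWN;
		goto out;
	}

	/* ns_tsig_key's name and alg fields are NS_MAXDNAME-byte arrays,
	 * so the strings copied into them must be strictly shorter than
	 * NS_MAXDNAME to leave room for the terminating NUL; a test of
	 * '> NS_MAXDNAME' would let a string of exactly NS_MAXDNAME
	 * characters overrun the field by one byte. */
	if ((!zone -> key -> name ||
	     strlen (zone -> key -> name) >= NS_MAXDNAME) ||
	    (!zone -> key -> algorithm ||
	     strlen (zone -> key -> algorithm) >= NS_MAXDNAME) ||
	    (!zone -> key -> key.len)) {
		status = ISC_R_INVALIDKEY;
		goto out;
	}

	tkey = dmalloc (sizeof *tkey, MDL);
	if (!tkey) {
		status = ISC_R_NOMEMORY;
		goto out;
	}
	memset (tkey, 0, sizeof *tkey);
	tkey -> data = dmalloc (zone -> key -> key.len, MDL);
	if (!tkey -> data) {
		dfree (tkey, MDL);
		status = ISC_R_NOMEMORY;
		goto out;
	}
	strcpy (tkey -> name, zone -> key -> name);
	strcpy (tkey -> alg, zone -> key -> algorithm);
	memcpy (tkey -> data,
		zone -> key -> key.data, zone -> key -> key.len);
	tkey -> len = zone -> key -> key.len;
	*key = tkey;
	status = ISC_R_SUCCESS;

      out:
	/* dns_zone_lookup handed us a reference to the zone; the key
	 * material has been copied out, so release it on every path
	 * (including success, where it used to be leaked). */
	dns_zone_dereference (&zone, MDL);
	return status;
}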

/* Release an ns_tsig_key obtained from find_tsig_key() and clear the
 * caller's pointer.  The secret buffer is freed first, then the key
 * structure itself. */
void tkey_free (ns_tsig_key **key)
{
	ns_tsig_key *k = *key;

	*key = (ns_tsig_key *)0;
	if (k -> data)
		dfree (k -> data, MDL);
	dfree (k, MDL);
}
#endif

/* Register ZONE in dns_zone_hash under zone -> name, creating the table
 * on first use.  An existing entry with the same name is replaced;
 * re-entering the very same zone object is a no-op.
 *
 * Returns ISC_R_SUCCESS, or ISC_R_NOMEMORY if the table could not be
 * created. */
isc_result_t enter_dns_zone (struct dns_zone *zone)
{
	unsigned char *zname = (unsigned char *)zone -> name;

	if (!dns_zone_hash) {
		dns_zone_hash =
			new_hash ((hash_reference)dns_zone_reference,
				  (hash_dereference)dns_zone_dereference, 1);
		if (!dns_zone_hash)
			return ISC_R_NOMEMORY;
	} else {
		struct dns_zone *existing =
			hash_lookup (dns_zone_hash, zname, 0);

		/* Already in the table: nothing to do. */
		if (existing == zone)
			return ISC_R_SUCCESS;
		/* A different zone with the same name: displace it. */
		if (existing)
			delete_hash_entry (dns_zone_hash, zname, 0);
	}
	add_hash (dns_zone_hash, zname, 0, zone);
	return ISC_R_SUCCESS;
}

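/* Find the zone named NAME and return a new reference to it in *ZONE.
 * If NAME lacks a trailing '.', a dot-terminated copy is used for the
 * lookup so that both spellings match the same table entry.
 *
 * Returns ISC_R_SUCCESS, ISC_R_NOTFOUND if no table exists or nothing
 * matches (an empty NAME is treated as not found), ISC_R_NOMEMORY if the
 * dot-terminated copy could not be allocated, or ISC_R_UNEXPECTED if
 * taking the reference fails.  *ZONE is untouched unless successful. */
isc_result_t dns_zone_lookup (struct dns_zone **zone, const char *name)
{
	struct dns_zone *tz;
	unsigned len;
	char *tname = (char *)0;

	if (!dns_zone_hash)
		return ISC_R_NOTFOUND;

	/* Reject an empty name before touching name [len - 1]: with
	 * len == 0 that reads one byte before the buffer.  find_cached_zone
	 * can produce an empty name when its argument ends in '.'. */
	len = strlen (name);
	if (!len)
		return ISC_R_NOTFOUND;

	if (name [len - 1] != '.') {
		tname = dmalloc (len + 2, MDL);
		if (!tname)
			return ISC_R_NOMEMORY;
		memcpy (tname, name, len);
		tname [len] = '.';
		tname [len + 1] = 0;
		name = tname;
	}
	tz = hash_lookup (dns_zone_hash, (const unsigned char *)name, 0);
	if (tname)
		dfree (tname, MDL);
	if (!tz)
		return ISC_R_NOTFOUND;
	if (!dns_zone_reference (zone, tz, MDL))
		return ISC_R_UNEXPECTED;
	return ISC_R_SUCCESS;
}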

/* Register TKEY in tsig_key_hash under tkey -> name, creating the table
 * on first use.  An existing entry with the same name is replaced;
 * re-entering the very same key object is a no-op.
 *
 * Returns ISC_R_SUCCESS, or ISC_R_NOMEMORY if the table could not be
 * created. */
isc_result_t enter_tsig_key (struct tsig_key *tkey)
{
	unsigned char *kname = (unsigned char *)tkey -> name;

	if (!tsig_key_hash) {
		tsig_key_hash =
			new_hash ((hash_reference)tsig_key_reference,
				  (hash_dereference)tsig_key_dereference, 1);
		if (!tsig_key_hash)
			return ISC_R_NOMEMORY;
	} else {
		struct tsig_key *existing =
			hash_lookup (tsig_key_hash, kname, 0);

		/* Already in the table: nothing to do. */
		if (existing == tkey)
			return ISC_R_SUCCESS;
		/* A different key with the same name: displace it. */
		if (existing)
			delete_hash_entry (tsig_key_hash, kname, 0);
	}
	add_hash (tsig_key_hash, kname, 0, tkey);
	return ISC_R_SUCCESS;
}

/* Look up the TSIG key named NAME and return a new reference in *TKEY.
 * NAME is matched verbatim (no trailing-dot normalisation).
 *
 * Returns ISC_R_SUCCESS, ISC_R_NOTFOUND if no table exists or no key
 * matches, or ISC_R_UNEXPECTED if taking the reference fails. */
isc_result_t tsig_key_lookup (struct tsig_key **tkey, const char *name) {
	struct tsig_key *found = (struct tsig_key *)0;

	if (tsig_key_hash)
		found = hash_lookup (tsig_key_hash,
				     (const unsigned char *)name, 0);
	if (!found)
		return ISC_R_NOTFOUND;
	return tsig_key_reference (tkey, found, MDL)
		? ISC_R_SUCCESS : ISC_R_UNEXPECTED;
}

/* Drop one reference to *PTR, clearing the caller's pointer, and free
 * the zone (its name, key, primary and secondary option caches) once the
 * count reaches zero.  FILE and LINE identify the caller for the
 * reference-count log.
 *
 * Returns 1 on success; 0 (or aborts under POINTER_DEBUG) on a null
 * pointer or a reference count that went negative. */
int dns_zone_dereference (ptr, file, line)
	struct dns_zone **ptr;
	const char *file;
	int line;
{
	struct dns_zone *z;

	if (!ptr || !*ptr) {
		log_error ("%s(%d): null pointer", file, line);
#if defined (POINTER_DEBUG)
		abort ();
#else
		return 0;
#endif
	}

	z = *ptr;
	*ptr = (struct dns_zone *)0;
	z -> refcnt--;
	rc_register (file, line, ptr, z, z -> refcnt);

	/* Still shared: nothing more to do. */
	if (z -> refcnt > 0)
		return 1;

	/* Below zero means something dereferenced this zone once too often. */
	if (z -> refcnt < 0) {
		log_error ("%s(%d): negative refcnt!", file, line);
#if defined (DEBUG_RC_HISTORY)
		dump_rc_history ();
#endif
#if defined (POINTER_DEBUG)
		abort ();
#else
		return 0;
#endif
	}

	/* Last reference gone: release everything the zone owns. */
	if (z -> name)
		dfree (z -> name, file, line);
	if (z -> key)
		tsig_key_dereference (&z -> key, file, line);
	if (z -> primary)
		option_cache_dereference (&z -> primary, file, line);
	if (z -> secondary)
		option_cache_dereference (&z -> secondary, file, line);
	dfree (z, file, line);
	return 1;
}

#if defined (NSUPDATE)
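/* Append the IPv4 addresses produced by option cache OC to ADDRS,
 * starting at index AIX and never writing past NADDRS entries.  Each
 * address is taken as four raw bytes of the evaluated option; a trailing
 * partial address is ignored.  Returns the new fill index (unchanged if
 * the option does not evaluate). */
static int collect_ns_addrs (struct option_cache *oc,
			     struct in_addr *addrs, int naddrs, int aix)
{
	struct data_string nsaddrs;
	unsigned ip;

	memset (&nsaddrs, 0, sizeof nsaddrs);
	if (!evaluate_option_cache (&nsaddrs, (struct packet *)0,
				    (struct lease *)0,
				    (struct option_state *)0,
				    (struct option_state *)0,
				    &global_scope, oc, MDL))
		return aix;

	for (ip = 0; aix < naddrs && ip + 4 <= nsaddrs.len; ip += 4, aix++)
		memcpy (&addrs [aix], &nsaddrs.data [ip], 4);
	data_string_forget (&nsaddrs, MDL);
	return aix;
}

/* Find the most specific predefined or cached zone enclosing DNAME and
 * report its name and name-server addresses.
 *
 * DNAME's enclosing domains are tried from most to least specific
 * (GAZANGA.TOPANGA.FOO.COM, TOPANGA.FOO.COM, FOO.COM, ...) until
 * dns_zone_lookup succeeds.  The zone's name is copied into ZNAME
 * (ZSIZE bytes) and up to NADDRS addresses, from the zone's primary
 * option cache and then its secondary one, are written to ADDRS.
 * CLASS is accepted but not used.
 *
 * Returns the number of addresses stored, or 0 if no zone matched or
 * the zone name does not fit in ZNAME (ZNAME and ADDRS are then left
 * untouched). */
int find_cached_zone (const char *dname, ns_class class,
		      char *zname, size_t zsize,
		      struct in_addr *addrs, int naddrs)
{
	isc_result_t status = ISC_R_NOTFOUND;
	const char *np;
	struct dns_zone *zone = (struct dns_zone *)0;
	int aix = 0;

	/* For each enclosing domain, try to find a cached zone.  Walk from
	 * DNAME itself (not one byte before it) and stop at the end of the
	 * string, so a DNAME ending in '.' never yields an empty lookup. */
	for (np = dname; np && *np; ) {
		status = dns_zone_lookup (&zone, np);
		if (status == ISC_R_SUCCESS)
			break;
		np = strchr (np, '.');
		if (np)
			np++;
	}

	if (status != ISC_R_SUCCESS)
		return 0;

	/* Make sure the zone name and its NUL terminator will fit: a name
	 * of exactly ZSIZE characters would overrun ZNAME by one byte. */
	if (strlen (zone -> name) >= zsize) {
		dns_zone_dereference (&zone, MDL);
		return 0;
	}
	strcpy (zname, zone -> name);

	if (zone -> primary)
		aix = collect_ns_addrs (zone -> primary, addrs, naddrs, aix);
	if (zone -> secondary)
		aix = collect_ns_addrs (zone -> secondary, addrs, naddrs, aix);

	/* dns_zone_lookup gave us a reference; release it now that
	 * everything has been copied out. */
	dns_zone_dereference (&zone, MDL);
	return aix;
}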
#endif /* NSUPDATE */