auth_srv.cc 28 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

15 16
#include <config.h>

17 18
#include <netinet/in.h>

19
#include <algorithm>
20
#include <cassert>
21
#include <iostream>
22
#include <vector>
23
#include <memory>
24

25 26
#include <boost/bind.hpp>

27 28 29 30 31 32
#include <asiolink/asiolink.h>

#include <config/ccsession.h>

#include <cc/data.h>

33 34
#include <exceptions/exceptions.h>

35
#include <util/buffer.h>
36

37
#include <dns/edns.h>
JINMEI Tatuya's avatar
JINMEI Tatuya committed
38
#include <dns/exceptions.h>
39 40 41
#include <dns/messagerenderer.h>
#include <dns/name.h>
#include <dns/question.h>
42
#include <dns/opcode.h>
43
#include <dns/rcode.h>
44 45 46
#include <dns/rrset.h>
#include <dns/rrttl.h>
#include <dns/message.h>
47
#include <dns/tsig.h>
48

Evan Hunt's avatar
Evan Hunt committed
49 50
#include <datasrc/query.h>
#include <datasrc/data_source.h>
51
#include <datasrc/memory_datasrc.h>
Evan Hunt's avatar
Evan Hunt committed
52 53
#include <datasrc/static_datasrc.h>
#include <datasrc/sqlite3_datasrc.h>
54

55 56
#include <xfr/xfrout_client.h>

57
#include <auth/common.h>
58
#include <auth/auth_config.h>
59
#include <auth/auth_srv.h>
60
#include <auth/query.h>
61
#include <auth/statistics.h>
62
#include <auth/auth_log.h>
63 64 65

using namespace std;

66
using namespace isc;
67
using namespace isc::cc;
Evan Hunt's avatar
Evan Hunt committed
68
using namespace isc::datasrc;
69
using namespace isc::dns;
70
using namespace isc::util;
71
using namespace isc::auth;
72 73
using namespace isc::dns::rdata;
using namespace isc::data;
74
using namespace isc::config;
75
using namespace isc::xfr;
76 77
using namespace isc::asiolink;
using namespace isc::asiodns;
78
using namespace isc::server_common::portconfig;
79

80 81 82 83 84 85
class AuthSrvImpl {
private:
    // prohibit copy
    AuthSrvImpl(const AuthSrvImpl& source);
    AuthSrvImpl& operator=(const AuthSrvImpl& source);
public:
86
    AuthSrvImpl(const bool use_cache, AbstractXfroutClient& xfrout_client);
Han Feng's avatar
Han Feng committed
87
    ~AuthSrvImpl();
88
    isc::data::ConstElementPtr setDbFile(isc::data::ConstElementPtr config);
89

90 91
    bool processNormalQuery(const IOMessage& io_message, Message& message,
                            OutputBuffer& buffer,
92
                            auto_ptr<TSIGContext> tsig_context);
93 94
    bool processXfrQuery(const IOMessage& io_message, Message& message,
                         OutputBuffer& buffer,
95
                         auto_ptr<TSIGContext> tsig_context);
96 97
    bool processNotify(const IOMessage& io_message, Message& message,
                       OutputBuffer& buffer,
98
                       auto_ptr<TSIGContext> tsig_context);
Evan Hunt's avatar
Evan Hunt committed
99

100 101
    IOService io_service_;

Evan Hunt's avatar
Evan Hunt committed
102 103 104 105
    /// Currently non-configurable, but will be.
    static const uint16_t DEFAULT_LOCAL_UDPSIZE = 4096;

    /// These members are public because AuthSrv accesses them directly.
106
    ModuleCCSession* config_session_;
Evan Hunt's avatar
Evan Hunt committed
107 108
    AbstractSession* xfrin_session_;

109
    /// In-memory data source.  Currently class IN only for simplicity.
110 111
    const RRClass memory_client_class_;
    AuthSrv::InMemoryClientPtr memory_client_;
112

Michal Vaner's avatar
Michal Vaner committed
113 114
    /// Hot spot cache
    isc::datasrc::HotCache cache_;
115

116 117 118
    /// Interval timer for periodic submission of statistics counters.
    IntervalTimer statistics_timer_;

119
    /// Query counters for statistics
120
    AuthCounters counters_;
121 122 123

    /// Addresses we listen on
    AddressList listen_addresses_;
124 125

    /// The TSIG keyring
126
    const boost::shared_ptr<TSIGKeyRing>* keyring_;
127 128 129 130

    /// Bind the ModuleSpec object in config_session_ with
    /// isc:config::ModuleSpec::validateStatistics.
    void registerStatisticsValidator();
131 132 133 134 135 136 137 138 139 140 141 142 143 144

    /// \brief Resume the server
    ///
    /// This is a wrapper call for DNSServer::resume(done), if 'done' is true,
    /// the Rcode set in the given Message is counted in the statistics
    /// counter.
    ///
    /// This method is expected to be called by processMessage()
    ///
    /// \param server The DNSServer as passed to processMessage()
    /// \param message The response as constructed by processMessage()
    /// \param done If true, the Rcode from the given message is counted,
    ///             this value is then passed to server->resume(bool)
    void resumeServer(isc::asiodns::DNSServer* server,
145
                      isc::dns::Message& message,
146
                      bool done);
Evan Hunt's avatar
Evan Hunt committed
147 148 149
private:
    std::string db_file_;

150
    MetaDataSrc data_sources_;
151 152 153
    /// We keep a pointer to the currently running sqlite datasource
    /// so that we can specifically remove that one should the database
    /// file change
154
    ConstDataSrcPtr cur_datasrc_;
155

156
    bool xfrout_connected_;
157
    AbstractXfroutClient& xfrout_client_;
158

159
    /// Increment query counter
160
    void incCounter(const int protocol);
161 162 163

    // validateStatistics
    bool validateStatistics(isc::data::ConstElementPtr data) const;
164 165
};

166 167
AuthSrvImpl::AuthSrvImpl(const bool use_cache,
                         AbstractXfroutClient& xfrout_client) :
168
    config_session_(NULL),
169
    xfrin_session_(NULL),
170
    memory_client_class_(RRClass::IN()),
171
    statistics_timer_(io_service_),
172
    counters_(),
173
    keyring_(NULL),
174
    xfrout_connected_(false),
175
    xfrout_client_(xfrout_client)
176
{
177 178
    // cur_datasrc_ is automatically initialized by the default constructor,
    // effectively being an empty (sqlite) data source.  once ccsession is up
179
    // the datasource will be set by the configuration setting
180

181
    // add static data source
182
    data_sources_.addDataSrc(ConstDataSrcPtr(new StaticDataSrc));
Evan Hunt's avatar
Evan Hunt committed
183 184 185

    // enable or disable the cache
    cache_.setEnabled(use_cache);
186 187
}

Han Feng's avatar
Han Feng committed
188
AuthSrvImpl::~AuthSrvImpl() {
189
    if (xfrout_connected_) {
190
        xfrout_client_.disconnect();
191
        xfrout_connected_ = false;
Han Feng's avatar
Han Feng committed
192
    }
193
}
194

195
// This is a derived class of \c DNSLookup, to serve as a
196
// callback in the asiolink module.  It calls
197
// AuthSrv::processMessage() on a single DNS message.
198
class MessageLookup : public DNSLookup {
199
public:
200
    MessageLookup(AuthSrv* srv) : server_(srv) {}
201 202 203 204 205
    virtual void operator()(const IOMessage& io_message,
                            MessagePtr message,
                            MessagePtr answer_message,
                            OutputBufferPtr buffer,
                            DNSServer* server) const
206
    {
207
        (void) answer_message;
208
        server_->processMessage(io_message, *message, *buffer, server);
209 210 211 212 213
    }
private:
    AuthSrv* server_;
};

214 215 216 217 218 219 220 221
// This is a derived class of \c DNSAnswer, to serve as a callback in the
// asiolink module.  We actually shouldn't do anything in this class because
// we build complete response messages in the process methods; otherwise
// the response message will contain trailing garbage.  In future, we should
// probably even drop the reliance on DNSAnswer.  We don't need the coroutine
// tricks provided in that framework, and its overhead would be significant
// in terms of performance consideration for the authoritative server
// implementation.
222 223
class MessageAnswer : public DNSAnswer {
public:
224 225
    MessageAnswer(AuthSrv*) {}
    virtual void operator()(const IOMessage&, MessagePtr,
226
                            MessagePtr, OutputBufferPtr) const
227
    {}
228 229
};

230
// This is a derived class of \c SimpleCallback, to serve
231
// as a callback in the asiolink module.  It checks for queued
232
// configuration messages, and executes them if found.
233
class ConfigChecker : public SimpleCallback {
234 235
public:
    ConfigChecker(AuthSrv* srv) : server_(srv) {}
Michal Vaner's avatar
Michal Vaner committed
236
    virtual void operator()(const IOMessage&) const {
237 238 239
        ModuleCCSession* cfg_session = server_->getConfigSession();
        if (cfg_session != NULL && cfg_session->hasQueuedMsgs()) {
            cfg_session->checkCommand();
240 241 242 243 244 245
        }
    }
private:
    AuthSrv* server_;
};

246 247 248 249 250 251 252
AuthSrv::AuthSrv(const bool use_cache, AbstractXfroutClient& xfrout_client)
{
    impl_ = new AuthSrvImpl(use_cache, xfrout_client);
    checkin_ = new ConfigChecker(this);
    dns_lookup_ = new MessageLookup(this);
    dns_answer_ = new MessageAnswer(this);
}
253

254 255
void
AuthSrv::stop() {
256
    impl_->io_service_.stop();
257 258
}

259
AuthSrv::~AuthSrv() {
260
    delete impl_;
261
    delete checkin_;
262 263
    delete dns_lookup_;
    delete dns_answer_;
264 265
}

266
namespace {
267 268
class QuestionInserter {
public:
269
    QuestionInserter(Message& message) : message_(message) {}
270
    void operator()(const QuestionPtr question) {
271
        message_.addQuestion(question);
272
    }
273
    Message& message_;
274 275
};

276
void
277 278
makeErrorMessage(Message& message, OutputBuffer& buffer,
                 const Rcode& rcode,
279 280
                 std::auto_ptr<TSIGContext> tsig_context =
                 std::auto_ptr<TSIGContext>())
281
{
282 283 284
    // extract the parameters that should be kept.
    // XXX: with the current implementation, it's not easy to set EDNS0
    // depending on whether the query had it.  So we'll simply omit it.
285 286 287 288
    const qid_t qid = message.getQid();
    const bool rd = message.getHeaderFlag(Message::HEADERFLAG_RD);
    const bool cd = message.getHeaderFlag(Message::HEADERFLAG_CD);
    const Opcode& opcode = message.getOpcode();
289 290
    vector<QuestionPtr> questions;

291 292 293
    // If this is an error to a query or notify, we should also copy the
    // question section.
    if (opcode == Opcode::QUERY() || opcode == Opcode::NOTIFY()) {
294
        questions.assign(message.beginQuestion(), message.endQuestion());
295
    }
296

297 298 299 300
    message.clear(Message::RENDER);
    message.setQid(qid);
    message.setOpcode(opcode);
    message.setHeaderFlag(Message::HEADERFLAG_QR);
301
    if (rd) {
302
        message.setHeaderFlag(Message::HEADERFLAG_RD);
303 304
    }
    if (cd) {
305
        message.setHeaderFlag(Message::HEADERFLAG_CD);
306
    }
307
    for_each(questions.begin(), questions.end(), QuestionInserter(message));
308
    message.setRcode(rcode);
309

310
    MessageRenderer renderer(buffer);
311
    if (tsig_context.get() != NULL) {
312
        message.toWire(renderer, *tsig_context);
313
    } else {
314
        message.toWire(renderer);
315
    }
316
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_SEND_ERROR_RESPONSE)
317
              .arg(renderer.getLength()).arg(message);
318
}
319
}
320

321 322 323 324 325
IOService&
AuthSrv::getIOService() {
    return (impl_->io_service_);
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
326 327 328 329 330 331 332 333 334 335
void
AuthSrv::setCacheSlots(const size_t slots) {
    impl_->cache_.setSlots(slots);
}

size_t
AuthSrv::getCacheSlots() const {
    return (impl_->cache_.getSlots());
}

336
void
337 338
AuthSrv::setXfrinSession(AbstractSession* xfrin_session) {
    impl_->xfrin_session_ = xfrin_session;
339 340
}

341
void
342 343
AuthSrv::setConfigSession(ModuleCCSession* config_session) {
    impl_->config_session_ = config_session;
344
    impl_->registerStatisticsValidator();
345 346
}

347
void
348 349
AuthSrv::setStatisticsSession(AbstractSession* statistics_session) {
    impl_->counters_.setStatisticsSession(statistics_session);
350 351
}

352
ModuleCCSession*
353
AuthSrv::getConfigSession() const {
354
    return (impl_->config_session_);
355 356
}

357 358
AuthSrv::InMemoryClientPtr
AuthSrv::getInMemoryClient(const RRClass& rrclass) {
359
    // XXX: for simplicity, we only support the IN class right now.
360
    if (rrclass != impl_->memory_client_class_) {
361 362 363 364
        isc_throw(InvalidParameter,
                  "Memory data source is not supported for RR class "
                  << rrclass);
    }
365
    return (impl_->memory_client_);
366 367 368
}

void
369 370
AuthSrv::setInMemoryClient(const isc::dns::RRClass& rrclass,
                           InMemoryClientPtr memory_client)
371 372
{
    // XXX: see above
373
    if (rrclass != impl_->memory_client_class_) {
374 375 376
        isc_throw(InvalidParameter,
                  "Memory data source is not supported for RR class "
                  << rrclass);
377
    } else if (!impl_->memory_client_ && memory_client) {
378
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_MEM_DATASRC_ENABLED)
379
                  .arg(rrclass);
380
    } else if (impl_->memory_client_ && !memory_client) {
381
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_MEM_DATASRC_DISABLED)
382
                  .arg(rrclass);
383
    }
384
    impl_->memory_client_ = memory_client;
385 386
}

387 388
uint32_t
AuthSrv::getStatisticsTimerInterval() const {
389
    return (impl_->statistics_timer_.getInterval() / 1000);
390 391 392 393 394 395 396
}

void
AuthSrv::setStatisticsTimerInterval(uint32_t interval) {
    if (interval == impl_->statistics_timer_.getInterval()) {
        return;
    }
397
    if (interval > 86400) {
398
        // It can't occur since the value is checked in
399 400 401
        // statisticsIntervalConfig::build().
        isc_throw(InvalidParameter, "Too long interval: " << interval);
    }
402 403
    if (interval == 0) {
        impl_->statistics_timer_.cancel();
404
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_STATS_TIMER_DISABLED);
405
    } else {
406 407
        impl_->statistics_timer_.setup(boost::bind(&AuthSrv::submitStatistics,
                                                   this),
408
                                       interval * 1000);
409 410
        LOG_DEBUG(auth_logger, DBG_AUTH_OPS, AUTH_STATS_TIMER_SET)
                  .arg(interval);
411 412 413
    }
}

414
void
415 416
AuthSrv::processMessage(const IOMessage& io_message, Message& message,
                        OutputBuffer& buffer, DNSServer* server)
JINMEI Tatuya's avatar
cleanup  
JINMEI Tatuya committed
417
{
418 419
    InputBuffer request_buffer(io_message.getData(), io_message.getDataSize());

420 421 422
    // First, check the header part.  If we fail even for the base header,
    // just drop the message.
    try {
423
        message.parseHeader(request_buffer);
424 425

        // Ignore all responses.
426
        if (message.getHeaderFlag(Message::HEADERFLAG_QR)) {
427
            LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_RESPONSE_RECEIVED);
428
            impl_->resumeServer(server, message, false);
429
            return;
430 431
        }
    } catch (const Exception& ex) {
432 433
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_HEADER_PARSE_FAIL)
                  .arg(ex.what());
434
        impl_->resumeServer(server, message, false);
435
        return;
436 437
    }

438
    try {
439
        // Parse the message.
440
        message.fromWire(request_buffer);
441
    } catch (const DNSProtocolError& error) {
442
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_PACKET_PROTOCOL_ERROR)
443
                  .arg(error.getRcode().toText()).arg(error.what());
444
        makeErrorMessage(message, buffer, error.getRcode());
445
        impl_->resumeServer(server, message, true);
446
        return;
447
    } catch (const Exception& ex) {
448
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_PACKET_PARSE_ERROR)
449
                  .arg(ex.what());
450
        makeErrorMessage(message, buffer, Rcode::SERVFAIL());
451
        impl_->resumeServer(server, message, true);
452
        return;
453
    } // other exceptions will be handled at a higher layer.
454

455
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_PACKET_RECEIVED)
456
              .arg(message);
457

458
    // Perform further protocol-level validation.
459 460 461
    // TSIG first
    // If this is set to something, we know we need to answer with TSIG as well
    std::auto_ptr<TSIGContext> tsig_context;
462
    const TSIGRecord* tsig_record(message.getTSIGRecord());
463 464 465 466
    TSIGError tsig_error(TSIGError::NOERROR());

    // Do we do TSIG?
    // The keyring can be null if we're in test
467
    if (impl_->keyring_ != NULL && tsig_record != NULL) {
468 469 470
        tsig_context.reset(new TSIGContext(tsig_record->getName(),
                                           tsig_record->getRdata().
                                                getAlgorithm(),
471
                                           **impl_->keyring_));
472 473 474
        tsig_error = tsig_context->verify(tsig_record, io_message.getData(),
                                          io_message.getDataSize());
    }
JINMEI Tatuya's avatar
JINMEI Tatuya committed
475

476
    if (tsig_error != TSIGError::NOERROR()) {
477
        makeErrorMessage(message, buffer, tsig_error.toRcode(), tsig_context);
478
        impl_->resumeServer(server, message, true);
479 480 481 482 483
        return;
    }

    // update per opcode statistics counter.  This can only be reliable after
    // TSIG check succeeds.
484
    impl_->counters_.inc(message.getOpcode());
485 486

    bool send_answer = true;
487
    if (message.getOpcode() == Opcode::NOTIFY()) {
488 489
        send_answer = impl_->processNotify(io_message, message, buffer,
                                           tsig_context);
490
    } else if (message.getOpcode() != Opcode::QUERY()) {
491
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_UNSUPPORTED_OPCODE)
492
                  .arg(message.getOpcode().toText());
493
        makeErrorMessage(message, buffer, Rcode::NOTIMP(), tsig_context);
494
    } else if (message.getRRCount(Message::SECTION_QUESTION) != 1) {
495
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
496
    } else {
497
        ConstQuestionPtr question = *message.beginQuestion();
498 499
        const RRType &qtype = question->getType();
        if (qtype == RRType::AXFR()) {
500 501
            send_answer = impl_->processXfrQuery(io_message, message, buffer,
                                                 tsig_context);
502
        } else if (qtype == RRType::IXFR()) {
503 504
            send_answer = impl_->processXfrQuery(io_message, message, buffer,
                                                 tsig_context);
505
        } else {
506 507
            send_answer = impl_->processNormalQuery(io_message, message,
                                                    buffer, tsig_context);
508
        }
509
    }
510

511
    impl_->resumeServer(server, message, send_answer);
512 513 514
}

bool
515 516
AuthSrvImpl::processNormalQuery(const IOMessage& io_message, Message& message,
                                OutputBuffer& buffer,
517
                                auto_ptr<TSIGContext> tsig_context)
518
{
519
    ConstEDNSPtr remote_edns = message.getEDNS();
520
    const bool dnssec_ok = remote_edns && remote_edns->getDNSSECAwareness();
521
    const uint16_t remote_bufsize = remote_edns ? remote_edns->getUDPSize() :
522
        Message::DEFAULT_MAX_UDPSIZE;
523

524 525 526
    message.makeResponse();
    message.setHeaderFlag(Message::HEADERFLAG_AA);
    message.setRcode(Rcode::NOERROR());
527

528 529 530
    // Increment query counter.
    incCounter(io_message.getSocket().getProtocol());

531 532
    if (remote_edns) {
        EDNSPtr local_edns = EDNSPtr(new EDNS());
533
        local_edns->setDNSSECAwareness(dnssec_ok);
534
        local_edns->setUDPSize(AuthSrvImpl::DEFAULT_LOCAL_UDPSIZE);
535
        message.setEDNS(local_edns);
536
    }
537

538
    try {
Jerry's avatar
Jerry committed
539 540
        // If a memory data source is configured call the separate
        // Query::process()
541
        const ConstQuestionPtr question = *message.beginQuestion();
542
        if (memory_client_ && memory_client_class_ == question->getClass()) {
543 544
            const RRType& qtype = question->getType();
            const Name& qname = question->getName();
545
            auth::Query(*memory_client_, qname, qtype, message,
546
                        dnssec_ok).process();
547
        } else {
548
            datasrc::Query query(message, cache_, dnssec_ok);
549 550
            data_sources_.doQuery(query);
        }
551
    } catch (const Exception& ex) {
552
        LOG_ERROR(auth_logger, AUTH_PROCESS_FAIL).arg(ex.what());
553
        makeErrorMessage(message, buffer, Rcode::SERVFAIL());
554
        return (true);
555
    }
556

557
    MessageRenderer renderer(buffer);
558 559
    const bool udp_buffer =
        (io_message.getSocket().getProtocol() == IPPROTO_UDP);
560
    renderer.setLengthLimit(udp_buffer ? remote_bufsize : 65535);
561
    if (tsig_context.get() != NULL) {
562
        message.toWire(renderer, *tsig_context);
563
    } else {
564
        message.toWire(renderer);
565
    }
566
    LOG_DEBUG(auth_logger, DBG_AUTH_MESSAGES, AUTH_SEND_NORMAL_RESPONSE)
567
              .arg(renderer.getLength()).arg(message);
568

569
    return (true);
570 571
}

572
bool
573 574
AuthSrvImpl::processXfrQuery(const IOMessage& io_message, Message& message,
                             OutputBuffer& buffer,
575
                             auto_ptr<TSIGContext> tsig_context)
JINMEI Tatuya's avatar
JINMEI Tatuya committed
576
{
577 578 579
    // Increment query counter.
    incCounter(io_message.getSocket().getProtocol());

Han Feng's avatar
Han Feng committed
580
    if (io_message.getSocket().getProtocol() == IPPROTO_UDP) {
581
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_AXFR_UDP);
582
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
583
        return (true);
Han Feng's avatar
Han Feng committed
584
    }
585 586

    try {
587 588 589 590
        if (!xfrout_connected_) {
            xfrout_client_.connect();
            xfrout_connected_ = true;
        }
591 592 593 594
        xfrout_client_.sendXfroutRequestInfo(
            io_message.getSocket().getNative(),
            io_message.getData(),
            io_message.getDataSize());
595
    } catch (const XfroutError& err) {
596
        if (xfrout_connected_) {
JINMEI Tatuya's avatar
JINMEI Tatuya committed
597
            // disconnect() may trigger an exception, but since we try it
598 599 600 601
            // only if we've successfully opened it, it shouldn't happen in
            // normal condition.  Should this occur, we'll propagate it to the
            // upper layer.
            xfrout_client_.disconnect();
602
            xfrout_connected_ = false;
603
        }
604

605 606
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_AXFR_ERROR)
                  .arg(err.what());
607
        makeErrorMessage(message, buffer, Rcode::SERVFAIL(), tsig_context);
608
        return (true);
609
    }
610

611
    return (false);
612 613 614
}

bool
615 616
AuthSrvImpl::processNotify(const IOMessage& io_message, Message& message,
                           OutputBuffer& buffer,
617
                           std::auto_ptr<TSIGContext> tsig_context)
618
{
619 620
    // The incoming notify must contain exactly one question for SOA of the
    // zone name.
621
    if (message.getRRCount(Message::SECTION_QUESTION) != 1) {
622
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NOTIFY_QUESTIONS)
623
                  .arg(message.getRRCount(Message::SECTION_QUESTION));
624
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
625 626
        return (true);
    }
627
    ConstQuestionPtr question = *message.beginQuestion();
628
    if (question->getType() != RRType::SOA()) {
629
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NOTIFY_RRTYPE)
630
                  .arg(question->getType().toText());
631
        makeErrorMessage(message, buffer, Rcode::FORMERR(), tsig_context);
632 633 634 635 636 637 638
        return (true);
    }

    // According to RFC 1996, rcode should be "no error" and AA bit should be
    // on, but we don't check these conditions.  This behavior is compatible
    // with BIND 9.

639 640
    // TODO check with the conf-mgr whether current server is the auth of the
    // zone
641 642 643 644 645

    // In the code that follows, we simply ignore the notify if any internal
    // error happens rather than returning (e.g.) SERVFAIL.  RFC 1996 is
    // silent about such cases, but there doesn't seem to be anything we can
    // improve at the primary server side by sending an error anyway.
646
    if (xfrin_session_ == NULL) {
647
        LOG_DEBUG(auth_logger, DBG_AUTH_DETAIL, AUTH_NO_XFRIN);
JINMEI Tatuya's avatar
JINMEI Tatuya committed
648
        return (false);
Han Feng's avatar
Han Feng committed
649
    }
650

JINMEI Tatuya's avatar
JINMEI Tatuya committed
651 652
    const string remote_ip_address =
        io_message.getRemoteEndpoint().getAddress().toText();
JINMEI Tatuya's avatar
JINMEI Tatuya committed
653 654
    static const string command_template_start =
        "{\"command\": [\"notify\", {\"zone_name\" : \"";
655
    static const string command_template_master = "\", \"master\" : \"";
656
    static const string command_template_rrclass = "\", \"zone_class\" : \"";
657
    static const string command_template_end = "\"}]}";
658

Han Feng's avatar
Han Feng committed
659
    try {
660
        ConstElementPtr notify_command = Element::fromJSON(
661
                command_template_start + question->getName().toText() +
662 663
                command_template_master + remote_ip_address +
                command_template_rrclass + question->getClass().toText() +
664
                command_template_end);
Han Feng's avatar
Han Feng committed
665
        const unsigned int seq =
666
            xfrin_session_->group_sendmsg(notify_command, "Zonemgr",
667
                                          "*", "*");
668
        ConstElementPtr env, answer, parsed_answer;
669
        xfrin_session_->group_recvmsg(env, answer, false, seq);
Han Feng's avatar
Han Feng committed
670
        int rcode;
671 672
        parsed_answer = parseAnswer(rcode, answer);
        if (rcode != 0) {
673
            LOG_ERROR(auth_logger, AUTH_ZONEMGR_ERROR)
674
                      .arg(parsed_answer->str());
675
            return (false);
Han Feng's avatar
Han Feng committed
676
        }
677
    } catch (const Exception& ex) {
678
        LOG_ERROR(auth_logger, AUTH_ZONEMGR_COMMS).arg(ex.what());
679
        return (false);
680
    }
681

682 683 684
    message.makeResponse();
    message.setHeaderFlag(Message::HEADERFLAG_AA);
    message.setRcode(Rcode::NOERROR());
685

686
    MessageRenderer renderer(buffer);
687
    if (tsig_context.get() != NULL) {
688
        message.toWire(renderer, *tsig_context);
689
    } else {
690
        message.toWire(renderer);
691