OpenDNSSEC-signer 1.2.1
|
00001 /* 00002 * $Id$ 00003 * 00004 * Copyright (c) 2011 NLNet Labs. All rights reserved. 00005 * 00006 * Redistribution and use in source and binary forms, with or without 00007 * modification, are permitted provided that the following conditions 00008 * are met: 00009 * 1. Redistributions of source code must retain the above copyright 00010 * notice, this list of conditions and the following disclaimer. 00011 * 2. Redistributions in binary form must reproduce the above copyright 00012 * notice, this list of conditions and the following disclaimer in the 00013 * documentation and/or other materials provided with the distribution. 00014 * 00015 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 00016 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 00017 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 00018 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 00019 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 00020 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 00021 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 00022 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER 00023 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 00024 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN 00025 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 00026 * 00027 */ 00028 00034 #include "config.h" 00035 #include "signer/backup.h" 00036 #include "signer/denial.h" 00037 #include "signer/domain.h" 00038 #include "signer/nsec3params.h" 00039 #include "util/log.h" 00040 #include "util/se_malloc.h" 00041 00042 #include <ldns/ldns.h> 00043 00044 #define SE_MAX_RRTYPE_COUNT 65536 00045 00046 static const char* denial_str = "denial"; 00047 00048 00053 denial_type* 00054 denial_create(ldns_rdf* owner) 00055 { 00056 denial_type* denial = NULL; 00057 char* str = NULL; 00058 00059 if (!owner) { 00060 se_log_error("[%s] unable to create denial of existence data point: " 00061 "no owner name", denial_str); 00062 return NULL; 00063 } 00064 se_log_assert(owner); 00065 00066 denial = (denial_type*) se_malloc(sizeof(denial_type)); 00067 if (!denial) { 00068 str = ldns_rdf2str(denial->owner); 00069 se_log_error("[%s] unable to create denial of existence data point: " 00070 "%s: allocator failed", denial_str, str?str:"(null)"); 00071 free((void*)str); 00072 free((void*)denial); 00073 return NULL; 00074 } 00075 se_log_assert(denial); 00076 00077 denial->owner = ldns_rdf_clone(owner); 00078 denial->bitmap_changed = 0; 00079 denial->nxt_changed = 0; 00080 denial->rrset = NULL; 00081 denial->domain = NULL; 00082 return denial; 00083 } 00084 00085 00090 denial_type* 00091 denial_recover_from_backup(FILE* fd) 00092 { 00093 denial_type* denial = NULL; 00094 const char* name = NULL; 00095 uint32_t internal_serial = 0; 00096 uint32_t outbound_serial = 0; 00097 int domain_status = DOMAIN_STATUS_NONE; 00098 size_t subdomain_count = 0; 00099 size_t subdomain_auth = 0; 00100 int nsec_bitmap_changed = 0; 00101 int nsec_nxt_changed = 0; 00102 00103 se_log_assert(fd); 00104 00105 /* Read everything, don't use everything */ 00106 if (!backup_read_str(fd, &name) || 00107 !backup_read_uint32_t(fd, &internal_serial) || 00108 !backup_read_uint32_t(fd, &outbound_serial) || 00109 !backup_read_int(fd, &domain_status) || 00110 !backup_read_size_t(fd, &subdomain_count) || 00111 !backup_read_size_t(fd, &subdomain_auth) || 00112 !backup_read_int(fd, &nsec_bitmap_changed) || 00113 !backup_read_int(fd, &nsec_nxt_changed)) { 00114 se_log_error("domain part in backup file is corrupted"); 00115 if (name) { 00116 se_free((void*)name); 00117 } 00118 return NULL; 00119 } 00120 00121 denial = (denial_type*) se_malloc(sizeof(denial_type)); 00122 se_log_assert(name); 00123 denial->owner = ldns_dname_new_frm_str(name); 00124 if (!denial->owner) { 00125 se_log_error("failed to create owner for denial"); 00126 se_free((void*)name); 00127 se_free((void*)denial); 00128 return NULL; 00129 } 00130 denial->domain = NULL; 00131 denial->rrset = NULL; 00132 denial->bitmap_changed = nsec_bitmap_changed; 00133 denial->nxt_changed = nsec_nxt_changed; 00134 00135 se_free((void*)name); 00136 return denial; 00137 } 00138 00139 00144 int 00145 denial_recover_rrsig_from_backup(denial_type* denial, ldns_rr* rrsig, 00146 ldns_rr_type type_covered, const char* locator, uint32_t flags) 00147 { 00148 se_log_assert(rrsig); 00149 se_log_assert(denial); 00150 se_log_assert(denial->owner); 00151 se_log_assert(denial->rrset); 00152 se_log_assert((ldns_dname_compare(denial->owner, 00153 ldns_rr_owner(rrsig)) == 0)); 00154 00155 if (type_covered == LDNS_RR_TYPE_NSEC || 00156 type_covered == LDNS_RR_TYPE_NSEC3) { 00157 return rrset_recover_rrsig_from_backup(denial->rrset, 00158 rrsig, locator, flags); 00159 } else { 00160 se_log_error("unable to recover RRSIG to denial: type covered not NSEC(3)"); 00161 } 00162 return 1; 00163 } 00164 00165 00170 static void 00171 denial_create_bitmap(denial_type* denial, ldns_rr_type types[], 00172 size_t* types_count) 00173 { 00174 ldns_rbnode_t* node = LDNS_RBTREE_NULL; 00175 domain_type* domain = NULL; 00176 rrset_type* rrset = NULL; 00177 00178 se_log_assert(denial->domain); 00179 00180 domain = (domain_type*) denial->domain; 00181 node = ldns_rbtree_first(domain->rrsets); 00182 00183 while (node && node != LDNS_RBTREE_NULL) { 00184 rrset = (rrset_type*) node->data; 00185 types[*types_count] = rrset->rr_type; 00186 *types_count = *types_count + 1; 00187 node = ldns_rbtree_next(node); 00188 } 00189 return; 00190 } 00191 00192 00197 static ldns_rr* 00198 denial_create_nsec(denial_type* denial, denial_type* nxt, uint32_t ttl, 00199 ldns_rr_class klass) 00200 { 00201 ldns_rr* nsec_rr = NULL; 00202 ldns_rdf* rdf = NULL; 00203 ldns_rr_type types[SE_MAX_RRTYPE_COUNT]; 00204 size_t types_count = 0; 00205 00206 se_log_assert(denial); 00207 se_log_assert(denial->owner); 00208 se_log_assert(nxt); 00209 se_log_assert(nxt->owner); 00210 00211 nsec_rr = ldns_rr_new(); 00212 if (!nsec_rr) { 00213 se_log_alert("[%s] unable to create NSEC RR: ldns error", 00214 denial_str); 00215 return NULL; 00216 } 00217 se_log_assert(nsec_rr); 00218 00219 ldns_rr_set_type(nsec_rr, LDNS_RR_TYPE_NSEC); 00220 rdf = ldns_rdf_clone(denial->owner); 00221 if (!rdf) { 00222 se_log_alert("[%s] unable to create NSEC RR: failed to clone owner", 00223 denial_str); 00224 ldns_rr_free(nsec_rr); 00225 return NULL; 00226 } 00227 ldns_rr_set_owner(nsec_rr, rdf); 00228 00229 rdf = ldns_rdf_clone(nxt->owner); 00230 if (!rdf) { 00231 se_log_alert("[%s] unable to create NSEC RR: failed to clone nxt", 00232 denial_str); 00233 ldns_rr_free(nsec_rr); 00234 return NULL; 00235 } 00236 ldns_rr_push_rdf(nsec_rr, rdf); 00237 00238 /* create types bitmap */ 00239 denial_create_bitmap(denial, types, &types_count); 00240 types[types_count] = LDNS_RR_TYPE_RRSIG; 00241 types_count++; 00242 types[types_count] = LDNS_RR_TYPE_NSEC; 00243 types_count++; 00244 00245 rdf = ldns_dnssec_create_nsec_bitmap(types, 00246 types_count, LDNS_RR_TYPE_NSEC); 00247 if (!rdf) { 00248 se_log_alert("[%s] unable to create NSEC RR: failed to create bitmap", 00249 denial_str); 00250 ldns_rr_free(nsec_rr); 00251 return NULL; 00252 } 00253 ldns_rr_push_rdf(nsec_rr, rdf); 00254 ldns_rr_set_ttl(nsec_rr, ttl); 00255 ldns_rr_set_class(nsec_rr, klass); 00256 return nsec_rr; 00257 } 00258 00259 00264 int 00265 denial_nsecify(denial_type* denial, denial_type* nxt, uint32_t ttl, 00266 ldns_rr_class klass) 00267 { 00268 ldns_rr* nsec_rr = NULL; 00269 int error = 0; 00270 00271 if (!denial) { 00272 se_log_error("[%s] unable to nsecify: no data point", denial_str); 00273 return 1; 00274 } 00275 se_log_assert(denial); 00276 00277 if (!nxt) { 00278 se_log_error("[%s] unable to nsecify: no next", denial_str); 00279 return 1; 00280 } 00281 se_log_assert(nxt); 00282 00283 if (denial->nxt_changed || denial->bitmap_changed) { 00284 /* assert there is a NSEC RRset */ 00285 if (!denial->rrset) { 00286 denial->rrset = rrset_create(LDNS_RR_TYPE_NSEC); 00287 if (!denial->rrset) { 00288 se_log_alert("[%s] unable to nsecify: failed to " 00289 "create NSEC RRset", denial_str); 00290 return 1; 00291 } 00292 } 00293 se_log_assert(denial->rrset); 00294 /* create new NSEC rr */ 00295 nsec_rr = denial_create_nsec(denial, nxt, ttl, klass); 00296 if (!nsec_rr) { 00297 se_log_alert("[%s] unable to nsecify: failed to " 00298 "create NSEC RR", denial_str); 00299 return 1; 00300 } 00301 /* delete old NSEC RR(s)... */ 00302 error = rrset_del_rrs(denial->rrset); 00303 if (error) { 00304 se_log_alert("[%s] unable to nsecify: failed to " 00305 "wipe out NSEC RRset", denial_str); 00306 ldns_rr_free(nsec_rr); 00307 return error; 00308 } 00309 /* ...and add the new one */ 00310 error = rrset_add_rr(denial->rrset, nsec_rr); 00311 if (error) { 00312 se_log_alert("[%s] unable to nsecify: failed to " 00313 "add NSEC to RRset", denial_str); 00314 ldns_rr_free(nsec_rr); 00315 return error; 00316 } 00317 /* commit */ 00318 denial->rrset->initialized = 0; /* hack */ 00319 error = rrset_update(denial->rrset, 0); 00320 if (error) { 00321 se_log_alert("[%s] unable to nsecify: failed to " 00322 "commit the NSEC RRset", denial_str); 00323 return error; 00324 } 00325 /* ok */ 00326 denial->bitmap_changed = 0; 00327 denial->nxt_changed = 0; 00328 } 00329 return 0; 00330 } 00331 00332 00337 static ldns_rr* 00338 denial_create_nsec3(denial_type* denial, denial_type* nxt, uint32_t ttl, 00339 ldns_rr_class klass, nsec3params_type* nsec3params) 00340 { 00341 ldns_status status = LDNS_STATUS_OK; 00342 ldns_rr* nsec_rr = NULL; 00343 ldns_rdf* rdf = NULL; 00344 ldns_rdf* next_owner_label = NULL; 00345 ldns_rdf* next_owner_rdf = NULL; 00346 char* next_owner_string = NULL; 00347 domain_type* domain = NULL; 00348 ldns_rr_type types[SE_MAX_RRTYPE_COUNT]; 00349 size_t types_count = 0; 00350 int i = 0; 00351 00352 se_log_assert(denial); 00353 se_log_assert(denial->owner); 00354 se_log_assert(nxt); 00355 se_log_assert(nxt->owner); 00356 se_log_assert(nsec3params); 00357 00358 nsec_rr = ldns_rr_new(); 00359 if (!nsec_rr) { 00360 se_log_alert("[%s] unable to create NSEC3 RR: ldns error", 00361 denial_str); 00362 return NULL; 00363 } 00364 se_log_assert(nsec_rr); 00365 00366 ldns_rr_set_type(nsec_rr, LDNS_RR_TYPE_NSEC3); 00367 rdf = ldns_rdf_clone(denial->owner); 00368 if (!rdf) { 00369 se_log_alert("[%s] unable to create NSEC3 RR: failed to clone owner", 00370 denial_str); 00371 ldns_rr_free(nsec_rr); 00372 return NULL; 00373 } 00374 ldns_rr_set_owner(nsec_rr, rdf); 00375 00376 /* set all to NULL first, then call nsec3_add_param_rdfs. */ 00377 for (i=0; i < SE_NSEC3_RDATA_NSEC3PARAMS; i++) { 00378 ldns_rr_push_rdf(nsec_rr, NULL); 00379 } 00380 ldns_nsec3_add_param_rdfs(nsec_rr, nsec3params->algorithm, 00381 nsec3params->flags, nsec3params->iterations, 00382 nsec3params->salt_len, nsec3params->salt_data); 00383 /* nxt owner label */ 00384 next_owner_label = ldns_dname_label(nxt->owner, 0); 00385 if (!next_owner_label) { 00386 se_log_alert("[%s] unable to create NSEC3 RR: failed to get nxt " 00387 "owner label", denial_str); 00388 ldns_rr_free(nsec_rr); 00389 return NULL; 00390 } 00391 next_owner_string = ldns_rdf2str(next_owner_label); 00392 if (!next_owner_string) { 00393 se_log_alert("[%s] unable to create NSEC3 RR: failed to get nxt " 00394 "owner string", denial_str); 00395 ldns_rdf_deep_free(next_owner_label); 00396 ldns_rr_free(nsec_rr); 00397 return NULL; 00398 } 00399 if (next_owner_string[strlen(next_owner_string)-1] == '.') { 00400 next_owner_string[strlen(next_owner_string)-1] = '\0'; 00401 } 00402 status = ldns_str2rdf_b32_ext(&next_owner_rdf, next_owner_string); 00403 free((void*)next_owner_string); 00404 ldns_rdf_deep_free(next_owner_label); 00405 if (status != LDNS_STATUS_OK) { 00406 se_log_alert("[%s] unable to create NSEC3 RR: failed to create nxt " 00407 "owner rdf: %s", denial_str, ldns_get_errorstr_by_id(status)); 00408 ldns_rr_free(nsec_rr); 00409 return NULL; 00410 } 00411 ldns_rr_push_rdf(nsec_rr, next_owner_rdf); 00412 00413 /* create types bitmap */ 00414 denial_create_bitmap(denial, types, &types_count); 00415 /* only add RRSIG type if we have authoritative data to sign */ 00416 domain = (domain_type*) denial->domain; 00417 if (domain_count_rrset(domain) > 0 && 00418 (domain->domain_status == DOMAIN_STATUS_APEX || 00419 domain->domain_status == DOMAIN_STATUS_AUTH || 00420 domain->domain_status == DOMAIN_STATUS_DS)) { 00421 types[types_count] = LDNS_RR_TYPE_RRSIG; 00422 types_count++; 00423 } 00424 /* and don't add NSEC3 type... */ 00425 rdf = ldns_dnssec_create_nsec_bitmap(types, 00426 types_count, LDNS_RR_TYPE_NSEC3); 00427 if (!rdf) { 00428 se_log_alert("[%s] unable to create NSEC3 RR: failed to create " 00429 "bitmap", denial_str); 00430 ldns_rr_free(nsec_rr); 00431 return NULL; 00432 } 00433 ldns_rr_push_rdf(nsec_rr, rdf); 00434 ldns_rr_set_ttl(nsec_rr, ttl); 00435 ldns_rr_set_class(nsec_rr, klass); 00436 return nsec_rr; 00437 } 00438 00439 00444 int 00445 denial_nsecify3(denial_type* denial, denial_type* nxt, uint32_t ttl, 00446 ldns_rr_class klass, nsec3params_type* nsec3params) 00447 { 00448 ldns_rr* nsec_rr = NULL; 00449 int error = 0; 00450 00451 if (!denial) { 00452 se_log_error("[%s] unable to nsecify3: no data point", denial_str); 00453 return 1; 00454 } 00455 se_log_assert(denial); 00456 00457 if (!nxt) { 00458 se_log_error("[%s] unable to nsecify3: no next", denial_str); 00459 return 1; 00460 } 00461 se_log_assert(nxt); 00462 00463 if (denial->nxt_changed || denial->bitmap_changed) { 00464 /* assert there is a NSEC RRset */ 00465 if (!denial->rrset) { 00466 denial->rrset = rrset_create(LDNS_RR_TYPE_NSEC3); 00467 if (!denial->rrset) { 00468 se_log_alert("[%s] unable to nsecify3: failed to " 00469 "create NSEC3 RRset", denial_str); 00470 return 1; 00471 } 00472 } 00473 se_log_assert(denial->rrset); 00474 /* create new NSEC3 rr */ 00475 nsec_rr = denial_create_nsec3(denial, nxt, ttl, klass, nsec3params); 00476 if (!nsec_rr) { 00477 se_log_alert("[%s] unable to nsecify3: failed to " 00478 "create NSEC3 RR", denial_str); 00479 return 1; 00480 } 00481 se_log_assert(nsec_rr); 00482 /* delete old NSEC RR(s) */ 00483 error = rrset_del_rrs(denial->rrset); 00484 if (error) { 00485 se_log_alert("[%s] unable to nsecify3: failed to " 00486 "wipe out NSEC3 RRset", denial_str); 00487 return error; 00488 } 00489 /* add the new one */ 00490 error = rrset_add_rr(denial->rrset, nsec_rr); 00491 if (error) { 00492 se_log_alert("[%s] unable to nsecify3: failed to " 00493 "add NSEC3 to RRset", denial_str); 00494 return error; 00495 } 00496 /* commit */ 00497 denial->rrset->initialized = 0; /* hack */ 00498 error = rrset_update(denial->rrset, 0); 00499 if (error) { 00500 se_log_alert("[%s] unable to nsecify3: failed to " 00501 "commit the NSEC3 RRset", denial_str); 00502 return error; 00503 } 00504 /* ok */ 00505 denial->bitmap_changed = 0; 00506 denial->nxt_changed = 0; 00507 } 00508 return 0; 00509 } 00510 00511 00516 void 00517 denial_cleanup(denial_type* denial) 00518 { 00519 if (!denial) { 00520 return; 00521 } 00522 if (denial->owner) { 00523 ldns_rdf_deep_free(denial->owner); 00524 denial->owner = NULL; 00525 } 00526 if (denial->rrset) { 00527 rrset_cleanup(denial->rrset); 00528 denial->rrset = NULL; 00529 } 00530 free((void*)denial); 00531 return; 00532 00533 }