41 static const char* rrset_str =
"rrset";
48 log_rr(ldns_rr* rr,
const char* pre,
int level)
53 if (ods_log_get_level() < level) {
56 str = ldns_rr2str(rr);
58 ods_log_error(
"[%s] %s: Error converting RR to string", rrset_str,
62 str[(strlen(str))-1] =
'\0';
64 for (i=0; i < strlen(str); i++) {
69 if (level == LOG_EMERG) {
70 ods_fatal_exit(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
71 }
else if (level == LOG_ALERT) {
72 ods_log_alert(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
73 }
else if (level == LOG_CRIT) {
74 ods_log_crit(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
75 }
else if (level == LOG_ERR) {
76 ods_log_error(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
77 }
else if (level == LOG_WARNING) {
78 ods_log_warning(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
79 }
else if (level == LOG_NOTICE) {
80 ods_log_info(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
81 }
else if (level == LOG_INFO) {
82 ods_log_verbose(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
83 }
else if (level == LOG_DEBUG) {
84 ods_log_debug(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
85 }
else if (level == LOG_DEEEBUG) {
86 ods_log_deeebug(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
88 ods_log_deeebug(
"[%s] %s: %s", rrset_str, pre?pre:
"", str);
99 log_rrset(ldns_rdf* dname, ldns_rr_type type,
const char* pre,
int level)
104 if (ods_log_get_level() < level) {
107 str = ldns_rdf2str(dname);
111 str[(strlen(str))-1] =
'\0';
113 for (i=0; i < strlen(str); i++) {
114 if (str[i] ==
'\t') {
118 if (level == LOG_EMERG) {
119 ods_fatal_exit(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
121 }
else if (level == LOG_ALERT) {
122 ods_log_alert(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
124 }
else if (level == LOG_CRIT) {
125 ods_log_crit(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
127 }
else if (level == LOG_ERR) {
128 ods_log_error(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
130 }
else if (level == LOG_WARNING) {
131 ods_log_warning(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
133 }
else if (level == LOG_NOTICE) {
134 ods_log_info(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
136 }
else if (level == LOG_INFO) {
137 ods_log_verbose(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
139 }
else if (level == LOG_DEBUG) {
140 ods_log_debug(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
142 }
else if (level == LOG_DEEEBUG) {
143 ods_log_deeebug(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
146 ods_log_deeebug(
"[%s] %s: <%s,%s>", rrset_str, pre?pre:
"", str,
160 if (type == LDNS_RR_TYPE_IXFR) {
162 }
else if (type == LDNS_RR_TYPE_AXFR) {
164 }
else if (type == LDNS_RR_TYPE_MAILB) {
166 }
else if (type == LDNS_RR_TYPE_MAILA) {
168 }
else if (type == LDNS_RR_TYPE_ANY) {
171 const ldns_rr_descriptor* descriptor = ldns_rr_descript(type);
172 if (descriptor && descriptor->_name) {
173 return descriptor->_name;
180 memberdestroy(
void* dummy,
void* member)
187 ldns_rr_free(sig->
rr);
202 if (!type || !zone) {
207 ods_log_error(
"[%s] unable to create RRset %u: allocator_alloc() "
208 "failed", rrset_str, (
unsigned) type);
225 collection_class klass;
226 collection_class_allocated(&klass, NULL, memberdestroy);
238 ldns_status lstatus = LDNS_STATUS_OK;
242 if (!rrset || !rr || rrset->
rr_count <= 0) {
245 for (i=0; i < rrset->
rr_count; i++) {
246 lstatus = util_dnssec_rrs_compare(rrset->
rrs[i].
rr, rr, &cmp);
247 if (lstatus != LDNS_STATUS_OK) {
248 ods_log_error(
"[%s] unable to lookup RR: compare failed (%s)",
249 rrset_str, ldns_get_errorstr_by_id(lstatus));
253 return &rrset->
rrs[i];
265 for (
int i = 0; i < rrset->
rr_count; i++) {
267 return ldns_rr_ttl(rrset->
rrs[i].
rr);
285 for (i=0; i < rrset->
rr_count; i++) {
303 ods_log_assert(rrset);
305 ods_log_assert(rrset->
rrtype == ldns_rr_get_type(rr));
307 rrs_old = rrset->
rrs;
310 ods_fatal_exit(
"[%s] fatal unable to add RR: allocator_alloc() failed",
324 log_rr(rr,
"+RR", LOG_DEEEBUG);
338 ods_log_assert(rrset);
339 ods_log_assert(rrnum < rrset->rr_count);
343 ldns_rr_free(rrset->
rrs[rrnum].
rr);
344 while (rrnum < rrset->rr_count-1) {
345 rrset->
rrs[rrnum] = rrset->
rrs[rrnum+1];
349 rrs_orig = rrset->
rrs;
352 ods_fatal_exit(
"[%s] fatal unable to delete RR: allocator_alloc() failed",
370 uint8_t del_sigs = 0;
377 for (i=0; i < rrset->
rr_count; i++) {
389 if ((rrset->
rrtype == LDNS_RR_TYPE_DNSKEY) && more_coming) {
419 while((rrsig = collection_iterator(rrset->
rrsigs))) {
426 collection_del_cursor(rrset->
rrsigs);
436 const char* locator, uint32_t flags)
439 ods_log_assert(rrset);
441 ods_log_assert(ldns_rr_get_type(rr) == LDNS_RR_TYPE_RRSIG);
446 collection_add(rrset->
rrsigs, &rrsig);
456 ldns_rr_list* rr_list = NULL;
459 rr_list = ldns_rr_list_new();
460 for (i=0; i < rrset->
rr_count; i++) {
462 log_rr(rrset->
rrs[i].
rr,
"RR does not exist", LOG_WARNING);
465 ret = (int) ldns_rr_list_push_rr(rr_list, rrset->
rrs[i].
rr);
467 ldns_rr_list_free(rr_list);
470 if (rrset->
rrtype == LDNS_RR_TYPE_CNAME ||
471 rrset->
rrtype == LDNS_RR_TYPE_DNAME) {
476 ldns_rr_list_sort(rr_list);
486 rrset_sigvalid_period(
signconf_type* sc, ldns_rr_type rrtype, time_t signtime,
487 time_t* inception, time_t* expiration)
492 time_t random_jitter = 0;
493 if (!sc || !rrtype || !signtime) {
498 random_jitter = ods_rand(jitter*2);
502 case LDNS_RR_TYPE_NSEC:
503 case LDNS_RR_TYPE_NSEC3:
506 case LDNS_RR_TYPE_DNSKEY:
516 *inception = signtime - offset;
517 *expiration = (signtime + validity + random_jitter) - jitter;
541 for(
int i=0; i<nrrsigs; i++) {
543 matches[nmatches].
key = NULL;
546 for(
int keyidx=0; keyidx<signconf->
keys->
count; keyidx++) {
548 for(matchidx=0; matchidx<nmatches; matchidx++) {
550 matches[matchidx].
key = &signconf->
keys->
keys[keyidx];
554 if(matchidx==nmatches) {
556 matches[nmatches].
key = &signconf->
keys->
keys[keyidx];
560 *rrsigkeymatchingptr = matches;
561 *nrrsigkeymatchingptr = nmatches;
574 uint32_t newsigs = 0;
575 uint32_t reusedsigs = 0;
576 ldns_rr* rrsig = NULL;
578 ldns_rr_list* rr_list = NULL;
579 ldns_rr_list* rr_list_clone = NULL;
580 const char* locator = NULL;
581 time_t inception = 0;
582 time_t expiration = 0;
585 ldns_rr_type dstatus = LDNS_RR_TYPE_FIRST;
586 ldns_rr_type delegpt = LDNS_RR_TYPE_FIRST;
587 uint8_t algorithm = 0;
590 ods_log_assert(rrset);
592 ods_log_assert(zone);
595 if (rrset->
rrtype == LDNS_RR_TYPE_NSEC ||
596 rrset->
rrtype == LDNS_RR_TYPE_NSEC3) {
597 dstatus = LDNS_RR_TYPE_SOA;
598 delegpt = LDNS_RR_TYPE_SOA;
606 for(nrrsigs=0; (
signature = collection_iterator(rrset->
rrsigs)); nrrsigs++)
614 int nmatchedsignatures;
619 ods_log_assert(rrset->
rrs);
620 ods_log_assert(rrset->
rrs[0].
rr);
623 if (dstatus != LDNS_RR_TYPE_SOA) {
625 "skip signing occluded RRset", LOG_DEEEBUG);
627 free(matchedsignatures);
628 return ODS_STATUS_OK;
630 if (delegpt != LDNS_RR_TYPE_SOA && rrset->
rrtype != LDNS_RR_TYPE_DS) {
632 "skip signing delegation RRset", LOG_DEEEBUG);
634 free(matchedsignatures);
635 return ODS_STATUS_OK;
639 "sign RRset", LOG_DEEEBUG);
640 ods_log_assert(dstatus == LDNS_RR_TYPE_SOA ||
641 (delegpt == LDNS_RR_TYPE_SOA || rrset->
rrtype == LDNS_RR_TYPE_DS));
643 rr_list = rrset2rrlist(rrset);
644 if (ldns_rr_list_rr_count(rr_list) <= 0) {
646 ldns_rr_list_free(rr_list);
648 free(matchedsignatures);
649 return ODS_STATUS_OK;
652 rr_list_clone = ldns_rr_list_clone(rr_list);
659 uint32_t min_ttl = ldns_rr_ttl(ldns_rr_list_rr(rr_list_clone, 0));
660 for (i = 1; i < ldns_rr_list_rr_count(rr_list_clone); i++) {
661 uint32_t rr_ttl = ldns_rr_ttl(ldns_rr_list_rr(rr_list_clone, i));
662 if (rr_ttl < min_ttl) min_ttl = rr_ttl;
664 for (i = 0; i < ldns_rr_list_rr_count(rr_list_clone); i++) {
665 ldns_rr_set_ttl(ldns_rr_list_rr(rr_list_clone, i), min_ttl);
671 &inception, &expiration);
672 uint32_t refresh = 0;
680 for (
int i = 0; i < nmatchedsignatures; i++) {
683 expiration = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(matchedsignatures[i].
signature->
rr));
684 inception = ldns_rdf2native_int32(ldns_rr_rrsig_inception(matchedsignatures[i].
signature->
rr));
686 if (matchedsignatures[i].
key && matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY) {
688 matchedsignatures[i].
key = NULL;
690 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY && !matchedsignatures[i].
signature) {
692 matchedsignatures[i].
key = NULL;
693 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype != LDNS_RR_TYPE_DNSKEY && !matchedsignatures[i].
key->
publish) {
694 matchedsignatures[i].
key = NULL;
696 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk && rrset->
rrtype == LDNS_RR_TYPE_DNSKEY) {
697 matchedsignatures[i].
key = NULL;
699 }
else if (matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && matchedsignatures[i].
key->
zsk && rrset->
rrtype == LDNS_RR_TYPE_DNSKEY) {
701 matchedsignatures[i].
key = NULL;
703 }
else if (matchedsignatures[i].
key && matchedsignatures[i].
key->
ksk && matchedsignatures[i].
key->
locator == NULL) {
705 matchedsignatures[i].
key = NULL;
706 }
else if (refresh <= (uint32_t) signtime) {
709 }
else if (matchedsignatures[i].
signature && expiration < refresh && matchedsignatures[i].
key && !matchedsignatures[i].
key->
ksk && !matchedsignatures[i].
key->
zsk) {
712 matchedsignatures[i].
key = NULL;
713 }
else if (matchedsignatures[i].
signature && expiration < refresh) {
716 }
else if (matchedsignatures[i].
signature && inception > (uint32_t) signtime) {
719 }
else if (matchedsignatures[i].
signature && !matchedsignatures[i].
key) {
722 }
else if (dstatus != LDNS_RR_TYPE_SOA || (delegpt != LDNS_RR_TYPE_SOA && rrset->
rrtype != LDNS_RR_TYPE_DS)) {
724 matchedsignatures[i].
key = NULL;
727 ods_log_assert(dstatus == LDNS_RR_TYPE_SOA || (delegpt == LDNS_RR_TYPE_SOA || rrset->
rrtype == LDNS_RR_TYPE_DS));
735 for (
int i = 0; i < nmatchedsignatures; i++) {
736 if (!matchedsignatures[i].
signature && matchedsignatures[i].
key) {
741 for (j = 0; j < nmatchedsignatures; j++) {
748 if (j < nmatchedsignatures) {
749 matchedsignatures[i].
key = NULL;
760 for(i=0; i<nrrsigs; i++) {
761 if(matchedsignatures[i].
signature == NULL) {
762 if (rrsigs[i] != NULL) {
769 for(i=0; i<nrrsigs; i++) {
770 if(matchedsignatures[i].
signature == NULL) {
771 if (rrsigs[i] != NULL) {
774 collection_del_cursor(rrset->
rrsigs);
785 rrset_sigvalid_period(zone->
signconf, rrset->
rrtype, signtime, &inception, &expiration);
787 for (
int i = 0; i < nmatchedsignatures; i++) {
788 if (!matchedsignatures[i].
signature && matchedsignatures[i].
key) {
790 ods_log_deeebug(
"[%s] signing RRset[%i] with key %s", rrset_str,
792 rrsig =
lhsm_sign(ctx, rr_list_clone, matchedsignatures[i].
key,
793 zone->
apex, inception, expiration);
795 ods_log_crit(
"[%s] unable to sign RRset[%i]: lhsm_sign() failed",
796 rrset_str, rrset->
rrtype);
797 free(matchedsignatures);
798 ldns_rr_list_free(rr_list);
799 ldns_rr_list_free(rr_list_clone);
800 return ODS_STATUS_HSM_ERR;
803 locator = strdup(matchedsignatures[i].
key->
locator);
819 ods_log_error(
"[%s] unable to publish dnskeys for zone %s: "
820 "error decoding literal dnskey", rrset_str, zone->
name);
821 ldns_rr_list_deep_free(rr_list_clone);
837 free(matchedsignatures);
838 ldns_rr_list_free(rr_list);
839 ldns_rr_list_deep_free(rr_list_clone);
841 if (rrset->
rrtype == LDNS_RR_TYPE_SOA) {
847 return ODS_STATUS_OK;
853 uint8_t dnskeystring[4096];
854 ldns_status ldnsstatus;
856 if ((len = b64_pton(resourcerecord, dnskeystring,
sizeof (dnskeystring) - 2)) < 0) {
857 return ODS_STATUS_PARSE_ERR;
859 dnskeystring[len] =
'\0';
860 if ((ldnsstatus = ldns_rr_new_frm_str(dnskey, (
const char*) dnskeystring, ttl, apex, NULL)) != LDNS_STATUS_OK) {
861 return ODS_STATUS_PARSE_ERR;
863 return ODS_STATUS_OK;
876 ods_status result = ODS_STATUS_OK;
879 ods_log_crit(
"[%s] unable to print RRset: rrset or fd missing",
882 *status = ODS_STATUS_ASSERT_ERR;
885 for (i=0; i < rrset->
rr_count; i++) {
887 result = util_rr_print(fd, rrset->
rrs[i].
rr);
888 if (rrset->
rrtype == LDNS_RR_TYPE_CNAME ||
889 rrset->
rrtype == LDNS_RR_TYPE_DNAME) {
893 if (result != ODS_STATUS_OK) {
896 "error printing RRset", LOG_CRIT);
903 result = ODS_STATUS_OK;
904 while((rrsig = collection_iterator(rrset->
rrsigs))) {
905 if (result == ODS_STATUS_OK) {
906 result = util_rr_print(fd, rrsig->
rr);
907 if (result != ODS_STATUS_OK) {
910 "error printing RRset", LOG_CRIT);
937 for (i=0; i < rrset->
rr_count; i++) {
938 ldns_rr_free(rrset->
rrs[i].
rr);
941 collection_destroy(&rrset->
rrsigs);
958 while((rrsig = collection_iterator(rrset->
rrsigs))) {
959 if ((str = ldns_rr2str(rrsig->
rr))) {
960 fprintf(fd,
"%.*s; {locator %s flags %u}\n", (
int)strlen(str)-1, str,
ldns_rr_type domain_is_delegpt(domain_type *domain)
ldns_rr_type domain_is_occluded(domain_type *domain)
ldns_rr * lhsm_sign(hsm_ctx_t *ctx, ldns_rr_list *rrset, key_type *key_id, ldns_rdf *owner, time_t inception, time_t expiration)
void ixfr_del_rr(ixfr_type *ixfr, ldns_rr *rr)
void ixfr_add_rr(ixfr_type *ixfr, ldns_rr *rr)
const char * rrset_type2str(ldns_rr_type type)
ods_status rrset_sign(hsm_ctx_t *ctx, rrset_type *rrset, time_t signtime)
size_t rrset_count_rr_is_added(rrset_type *rrset)
rrset_type * rrset_create(zone_type *zone, ldns_rr_type type)
collection_class rrset_store_initialize()
ods_status rrset_getliteralrr(ldns_rr **dnskey, const char *resourcerecord, uint32_t ttl, ldns_rdf *apex)
rr_type * rrset_add_rr(rrset_type *rrset, ldns_rr *rr)
void rrset_del_rr(rrset_type *rrset, uint16_t rrnum)
void rrset_drop_rrsigs(zone_type *zone, rrset_type *rrset)
void rrset_diff(rrset_type *rrset, unsigned is_ixfr, unsigned more_coming)
void log_rr(ldns_rr *rr, const char *pre, int level)
void rrset_cleanup(rrset_type *rrset)
rr_type * rrset_lookup_rr(rrset_type *rrset, ldns_rr *rr)
void log_rrset(ldns_rdf *dname, ldns_rr_type type, const char *pre, int level)
void rrset_add_rrsig(rrset_type *rrset, ldns_rr *rr, const char *locator, uint32_t flags)
void rrset_backup2(FILE *fd, rrset_type *rrset)
uint32_t rrset_lookup_ttl(rrset_type *rrset, uint32_t default_ttl)
void rrset_print(FILE *fd, rrset_type *rrset, int skip_rrsigs, ods_status *status)
pthread_mutex_t ixfr_lock
duration_type * sig_jitter
duration_type * sig_refresh_interval
duration_type * sig_inception_offset
const char ** dnskey_signature
duration_type * sig_validity_keyset
duration_type * sig_validity_denial
duration_type * dnskey_ttl
duration_type * sig_validity_default
pthread_mutex_t stats_lock
adapter_type * adoutbound