search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / external / bsd / bind / dist / lib / dns / nsec3.c
blob6c54932d4b34c10c655554ace04ca6f88509fe48
1 /* $NetBSD$ */
2
3 /*
4 * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 * PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 /* Id: nsec3.c,v 1.13 2009/12/01 05:28:40 marka Exp */
20
21 #include <config.h>
22
23 #include <isc/base32.h>
24 #include <isc/buffer.h>
25 #include <isc/hex.h>
26 #include <isc/iterated_hash.h>
27 #include <isc/string.h>
28 #include <isc/util.h>
29
30 #include <dst/dst.h>
31
32 #include <dns/db.h>
33 #include <dns/compress.h>
34 #include <dns/dbiterator.h>
35 #include <dns/diff.h>
36 #include <dns/fixedname.h>
37 #include <dns/nsec3.h>
38 #include <dns/rdata.h>
39 #include <dns/rdatalist.h>
40 #include <dns/rdataset.h>
41 #include <dns/rdatasetiter.h>
42 #include <dns/rdatastruct.h>
43 #include <dns/result.h>
44
45 #define CHECK(x) do { \
46 result = (x); \
47 if (result != ISC_R_SUCCESS) \
48 goto failure; \
49 } while (0)
50
51 #define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
52 #define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
53 #define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
54
55 static void
56 set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
57 unsigned int shift, mask;
58
59 shift = 7 - (index % 8);
60 mask = 1 << shift;
61
62 if (bit != 0)
63 array[index / 8] |= mask;
64 else
65 array[index / 8] &= (~mask & 0xFF);
66 }
67
68 static unsigned int
69 bit_isset(unsigned char *array, unsigned int index) {
70 unsigned int byte, shift, mask;
71
72 byte = array[index / 8];
73 shift = 7 - (index % 8);
74 mask = 1 << shift;
75
76 return ((byte & mask) != 0);
77 }
78
79 isc_result_t
80 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
81 dns_dbnode_t *node, unsigned int hashalg,
82 unsigned int flags, unsigned int iterations,
83 const unsigned char *salt, size_t salt_length,
84 const unsigned char *nexthash, size_t hash_length,
85 unsigned char *buffer, dns_rdata_t *rdata)
86 {
87 isc_result_t result;
88 dns_rdataset_t rdataset;
89 isc_region_t r;
90 unsigned int i, window;
91 int octet;
92 isc_boolean_t found;
93 isc_boolean_t found_ns;
94 isc_boolean_t need_rrsig;
95
96 unsigned char *nsec_bits, *bm;
97 unsigned int max_type;
98 dns_rdatasetiter_t *rdsiter;
99 unsigned char *p;
100
101 REQUIRE(salt_length < 256U);
102 REQUIRE(hash_length < 256U);
103 REQUIRE(flags <= 0xffU);
104 REQUIRE(hashalg <= 0xffU);
105 REQUIRE(iterations <= 0xffffU);
106
107 switch (hashalg) {
108 case dns_hash_sha1:
109 REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
110 break;
111 }
112
113 memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);
114
115 p = buffer;
116
117 *p++ = hashalg;
118 *p++ = flags;
119
120 *p++ = iterations >> 8;
121 *p++ = iterations;
122
123 *p++ = salt_length;
124 memcpy(p, salt, salt_length);
125 p += salt_length;
126
127 *p++ = hash_length;
128 memcpy(p, nexthash, hash_length);
129 p += hash_length;
130
131 r.length = p - buffer;
132 r.base = buffer;
133
134 /*
135 * Use the end of the space for a raw bitmap leaving enough
136 * space for the window identifiers and length octets.
137 */
138 bm = r.base + r.length + 512;
139 nsec_bits = r.base + r.length;
140 max_type = 0;
141 if (node == NULL)
142 goto collapse_bitmap;
143 dns_rdataset_init(&rdataset);
144 rdsiter = NULL;
145 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
146 if (result != ISC_R_SUCCESS)
147 return (result);
148 found = found_ns = need_rrsig = ISC_FALSE;
149 for (result = dns_rdatasetiter_first(rdsiter);
150 result == ISC_R_SUCCESS;
151 result = dns_rdatasetiter_next(rdsiter))
152 {
153 dns_rdatasetiter_current(rdsiter, &rdataset);
154 if (rdataset.type != dns_rdatatype_nsec &&
155 rdataset.type != dns_rdatatype_nsec3 &&
156 rdataset.type != dns_rdatatype_rrsig) {
157 if (rdataset.type > max_type)
158 max_type = rdataset.type;
159 set_bit(bm, rdataset.type, 1);
160 /*
161 * Work out if we need to set the RRSIG bit for
162 * this node. We set the RRSIG bit if either of
163 * the following conditions are met:
164 * 1) We have a SOA or DS then we need to set
165 * the RRSIG bit as both always will be signed.
166 * 2) We set the RRSIG bit if we don't have
167 * a NS record but do have other data.
168 */
169 if (rdataset.type == dns_rdatatype_soa ||
170 rdataset.type == dns_rdatatype_ds)
171 need_rrsig = ISC_TRUE;
172 else if (rdataset.type == dns_rdatatype_ns)
173 found_ns = ISC_TRUE;
174 else
175 found = ISC_TRUE;
176 }
177 dns_rdataset_disassociate(&rdataset);
178 }
179 if ((found && !found_ns) || need_rrsig) {
180 if (dns_rdatatype_rrsig > max_type)
181 max_type = dns_rdatatype_rrsig;
182 set_bit(bm, dns_rdatatype_rrsig, 1);
183 }
184
185 /*
186 * At zone cuts, deny the existence of glue in the parent zone.
187 */
188 if (bit_isset(bm, dns_rdatatype_ns) &&
189 ! bit_isset(bm, dns_rdatatype_soa)) {
190 for (i = 0; i <= max_type; i++) {
191 if (bit_isset(bm, i) &&
192 ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
193 set_bit(bm, i, 0);
194 }
195 }
196
197 dns_rdatasetiter_destroy(&rdsiter);
198 if (result != ISC_R_NOMORE)
199 return (result);
200
201 collapse_bitmap:
202 for (window = 0; window < 256; window++) {
203 if (window * 256 > max_type)
204 break;
205 for (octet = 31; octet >= 0; octet--)
206 if (bm[window * 32 + octet] != 0)
207 break;
208 if (octet < 0)
209 continue;
210 nsec_bits[0] = window;
211 nsec_bits[1] = octet + 1;
212 /*
213 * Note: potentially overlapping move.
214 */
215 memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
216 nsec_bits += 3 + octet;
217 }
218 r.length = nsec_bits - r.base;
219 INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
220 dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);
221
222 return (ISC_R_SUCCESS);
223 }
224
225 isc_boolean_t
226 dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
227 dns_rdata_nsec3_t nsec3;
228 isc_result_t result;
229 isc_boolean_t present;
230 unsigned int i, len, window;
231
232 REQUIRE(rdata != NULL);
233 REQUIRE(rdata->type == dns_rdatatype_nsec3);
234
235 /* This should never fail */
236 result = dns_rdata_tostruct(rdata, &nsec3, NULL);
237 INSIST(result == ISC_R_SUCCESS);
238
239 present = ISC_FALSE;
240 for (i = 0; i < nsec3.len; i += len) {
241 INSIST(i + 2 <= nsec3.len);
242 window = nsec3.typebits[i];
243 len = nsec3.typebits[i + 1];
244 INSIST(len > 0 && len <= 32);
245 i += 2;
246 INSIST(i + len <= nsec3.len);
247 if (window * 256 > type)
248 break;
249 if ((window + 1) * 256 <= type)
250 continue;
251 if (type < (window * 256) + len * 8)
252 present = ISC_TF(bit_isset(&nsec3.typebits[i],
253 type % 256));
254 break;
255 }
256 dns_rdata_freestruct(&nsec3);
257 return (present);
258 }
259
260 isc_result_t
261 dns_nsec3_hashname(dns_fixedname_t *result,
262 unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
263 size_t *hash_length, dns_name_t *name, dns_name_t *origin,
264 dns_hash_t hashalg, unsigned int iterations,
265 const unsigned char *salt, size_t saltlength)
266 {
267 unsigned char hash[NSEC3_MAX_HASH_LENGTH];
268 unsigned char nametext[DNS_NAME_FORMATSIZE];
269 dns_fixedname_t fixed;
270 dns_name_t *downcased;
271 isc_buffer_t namebuffer;
272 isc_region_t region;
273 size_t len;
274
275 if (rethash == NULL)
276 rethash = hash;
277
278 memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);
279
280 dns_fixedname_init(&fixed);
281 downcased = dns_fixedname_name(&fixed);
282 dns_name_downcase(name, downcased, NULL);
283
284 /* hash the node name */
285 len = isc_iterated_hash(rethash, hashalg, iterations, salt, saltlength,
286 downcased->ndata, downcased->length);
287 if (len == 0U)
288 return (DNS_R_BADALG);
289
290 if (hash_length != NULL)
291 *hash_length = len;
292
293 /* convert the hash to base32hex */
294 region.base = rethash;
295 region.length = len;
296 isc_buffer_init(&namebuffer, nametext, sizeof nametext);
297 isc_base32hex_totext(&region, 1, "", &namebuffer);
298
299 /* convert the hex to a domain name */
300 dns_fixedname_init(result);
301 return (dns_name_fromtext(dns_fixedname_name(result), &namebuffer,
302 origin, 0, NULL));
303 }
304
305 unsigned int
306 dns_nsec3_hashlength(dns_hash_t hash) {
307
308 switch (hash) {
309 case dns_hash_sha1: return(ISC_SHA1_DIGESTLENGTH);
310 }
311 return (0);
312 }
313
314 isc_boolean_t
315 dns_nsec3_supportedhash(dns_hash_t hash) {
316 switch (hash) {
317 case dns_hash_sha1: return (ISC_TRUE);
318 }
319 return (ISC_FALSE);
320 }
321
322 /*%
323 * Update a single RR in version 'ver' of 'db' and log the
324 * update in 'diff'.
325 *
326 * Ensures:
327 * \li '*tuple' == NULL. Either the tuple is freed, or its
328 * ownership has been transferred to the diff.
329 */
330 static isc_result_t
331 do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
332 dns_diff_t *diff)
333 {
334 dns_diff_t temp_diff;
335 isc_result_t result;
336
337 /*
338 * Create a singleton diff.
339 */
340 dns_diff_init(diff->mctx, &temp_diff);
341 temp_diff.resign = diff->resign;
342 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
343
344 /*
345 * Apply it to the database.
346 */
347 result = dns_diff_apply(&temp_diff, db, ver);
348 ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
349 if (result != ISC_R_SUCCESS) {
350 dns_difftuple_free(tuple);
351 return (result);
352 }
353
354 /*
355 * Merge it into the current pending journal entry.
356 */
357 dns_diff_appendminimal(diff, tuple);
358
359 /*
360 * Do not clear temp_diff.
361 */
362 return (ISC_R_SUCCESS);
363 }
364
365 /*%
366 * Set '*exists' to true iff the given name exists, to false otherwise.
367 */
368 static isc_result_t
369 name_exists(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
370 isc_boolean_t *exists)
371 {
372 isc_result_t result;
373 dns_dbnode_t *node = NULL;
374 dns_rdatasetiter_t *iter = NULL;
375
376 result = dns_db_findnode(db, name, ISC_FALSE, &node);
377 if (result == ISC_R_NOTFOUND) {
378 *exists = ISC_FALSE;
379 return (ISC_R_SUCCESS);
380 }
381 if (result != ISC_R_SUCCESS)
382 return (result);
383
384 result = dns_db_allrdatasets(db, node, version,
385 (isc_stdtime_t) 0, &iter);
386 if (result != ISC_R_SUCCESS)
387 goto cleanup_node;
388
389 result = dns_rdatasetiter_first(iter);
390 if (result == ISC_R_SUCCESS) {
391 *exists = ISC_TRUE;
392 } else if (result == ISC_R_NOMORE) {
393 *exists = ISC_FALSE;
394 result = ISC_R_SUCCESS;
395 } else
396 *exists = ISC_FALSE;
397 dns_rdatasetiter_destroy(&iter);
398
399 cleanup_node:
400 dns_db_detachnode(db, &node);
401 return (result);
402 }
403
404 static isc_boolean_t
405 match_nsec3param(const dns_rdata_nsec3_t *nsec3,
406 const dns_rdata_nsec3param_t *nsec3param)
407 {
408 if (nsec3->hash == nsec3param->hash &&
409 nsec3->iterations == nsec3param->iterations &&
410 nsec3->salt_length == nsec3param->salt_length &&
411 !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
412 return (ISC_TRUE);
413 return (ISC_FALSE);
414 }
415
416 /*%
417 * Delete NSEC3 records at "name" which match "param", recording the
418 * change in "diff".
419 */
420 static isc_result_t
421 delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
422 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
423 {
424 dns_dbnode_t *node = NULL ;
425 dns_difftuple_t *tuple = NULL;
426 dns_rdata_nsec3_t nsec3;
427 dns_rdataset_t rdataset;
428 isc_result_t result;
429
430 result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
431 if (result == ISC_R_NOTFOUND)
432 return (ISC_R_SUCCESS);
433 if (result != ISC_R_SUCCESS)
434 return (result);
435
436 dns_rdataset_init(&rdataset);
437 result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
438 (isc_stdtime_t) 0, &rdataset, NULL);
439
440 if (result == ISC_R_NOTFOUND) {
441 result = ISC_R_SUCCESS;
442 goto cleanup_node;
443 }
444 if (result != ISC_R_SUCCESS)
445 goto cleanup_node;
446
447 for (result = dns_rdataset_first(&rdataset);
448 result == ISC_R_SUCCESS;
449 result = dns_rdataset_next(&rdataset))
450 {
451 dns_rdata_t rdata = DNS_RDATA_INIT;
452 dns_rdataset_current(&rdataset, &rdata);
453 CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
454
455 if (!match_nsec3param(&nsec3, nsec3param))
456 continue;
457
458 result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
459 rdataset.ttl, &rdata, &tuple);
460 if (result != ISC_R_SUCCESS)
461 goto failure;
462 result = do_one_tuple(&tuple, db, version, diff);
463 if (result != ISC_R_SUCCESS)
464 goto failure;
465 }
466 if (result != ISC_R_NOMORE)
467 goto failure;
468 result = ISC_R_SUCCESS;
469
470 failure:
471 dns_rdataset_disassociate(&rdataset);
472 cleanup_node:
473 dns_db_detachnode(db, &node);
474
475 return (result);
476 }
477
478 static isc_boolean_t
479 better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
480 dns_rdataset_t rdataset;
481 isc_result_t result;
482
483 if (REMOVE(param->data[1]))
484 return (ISC_TRUE);
485
486 dns_rdataset_init(&rdataset);
487 dns_rdataset_clone(nsec3paramset, &rdataset);
488 for (result = dns_rdataset_first(&rdataset);
489 result == ISC_R_SUCCESS;
490 result = dns_rdataset_next(&rdataset)) {
491 dns_rdata_t rdata = DNS_RDATA_INIT;
492 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
493
494 if (rdataset.type != dns_rdatatype_nsec3param) {
495 dns_rdata_t tmprdata = DNS_RDATA_INIT;
496 dns_rdataset_current(&rdataset, &tmprdata);
497 if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
498 buf, sizeof(buf)))
499 continue;
500 } else
501 dns_rdataset_current(&rdataset, &rdata);
502
503 if (rdata.length != param->length)
504 continue;
505 if (rdata.data[0] != param->data[0] ||
506 REMOVE(rdata.data[1]) ||
507 rdata.data[2] != param->data[2] ||
508 rdata.data[3] != param->data[3] ||
509 rdata.data[4] != param->data[4] ||
510 memcmp(&rdata.data[5], &param->data[5], param->data[4]))
511 continue;
512 if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
513 dns_rdataset_disassociate(&rdataset);
514 return (ISC_TRUE);
515 }
516 }
517 dns_rdataset_disassociate(&rdataset);
518 return (ISC_FALSE);
519 }
520
521 static isc_result_t
522 find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
523 const dns_rdata_nsec3param_t *nsec3param)
524 {
525 isc_result_t result;
526 for (result = dns_rdataset_first(rdataset);
527 result == ISC_R_SUCCESS;
528 result = dns_rdataset_next(rdataset)) {
529 dns_rdata_t rdata = DNS_RDATA_INIT;
530
531 dns_rdataset_current(rdataset, &rdata);
532 CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
533 dns_rdata_reset(&rdata);
534 if (match_nsec3param(nsec3, nsec3param))
535 break;
536 }
537 failure:
538 return (result);
539 }
540
541 isc_result_t
542 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
543 dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
544 dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff)
545 {
546 dns_dbiterator_t *dbit = NULL;
547 dns_dbnode_t *node = NULL;
548 dns_dbnode_t *newnode = NULL;
549 dns_difftuple_t *tuple = NULL;
550 dns_fixedname_t fixed;
551 dns_fixedname_t fprev;
552 dns_hash_t hash;
553 dns_name_t *hashname;
554 dns_name_t *origin;
555 dns_name_t *prev;
556 dns_name_t empty;
557 dns_rdata_nsec3_t nsec3;
558 dns_rdata_t rdata = DNS_RDATA_INIT;
559 dns_rdataset_t rdataset;
560 int pass;
561 isc_boolean_t exists;
562 isc_boolean_t remove_unsecure = ISC_FALSE;
563 isc_uint8_t flags;
564 isc_buffer_t buffer;
565 isc_result_t result;
566 unsigned char *old_next;
567 unsigned char *salt;
568 unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
569 unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
570 unsigned int iterations;
571 unsigned int labels;
572 size_t next_length;
573 unsigned int old_length;
574 unsigned int salt_length;
575
576 dns_fixedname_init(&fixed);
577 hashname = dns_fixedname_name(&fixed);
578 dns_fixedname_init(&fprev);
579 prev = dns_fixedname_name(&fprev);
580
581 dns_rdataset_init(&rdataset);
582
583 origin = dns_db_origin(db);
584
585 /*
586 * Chain parameters.
587 */
588 hash = nsec3param->hash;
589 iterations = nsec3param->iterations;
590 salt_length = nsec3param->salt_length;
591 salt = nsec3param->salt;
592
593 /*
594 * Default flags for a new chain.
595 */
596 flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
597
598 /*
599 * If this is the first NSEC3 in the chain nexthash will
600 * remain pointing to itself.
601 */
602 next_length = sizeof(nexthash);
603 CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
604 name, origin, hash, iterations,
605 salt, salt_length));
606
607 /*
608 * Create the node if it doesn't exist and hold
609 * a reference to it until we have added the NSEC3.
610 */
611 CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
612
613 /*
614 * Seek the iterator to the 'newnode'.
615 */
616 CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
617 CHECK(dns_dbiterator_seek(dbit, hashname));
618 CHECK(dns_dbiterator_pause(dbit));
619 result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
620 0, (isc_stdtime_t) 0, &rdataset, NULL);
621 /*
622 * If we updating a existing NSEC3 then find its
623 * next field.
624 */
625 if (result == ISC_R_SUCCESS) {
626 result = find_nsec3(&nsec3, &rdataset, nsec3param);
627 if (result == ISC_R_SUCCESS) {
628 if (!CREATE(nsec3param->flags))
629 flags = nsec3.flags;
630 next_length = nsec3.next_length;
631 INSIST(next_length <= sizeof(nexthash));
632 memcpy(nexthash, nsec3.next, next_length);
633 dns_rdataset_disassociate(&rdataset);
634 /*
635 * If the NSEC3 is not for a unsecure delegation then
636 * we are just updating it. If it is for a unsecure
637 * delegation then we need find out if we need to
638 * remove the NSEC3 record or not by examining the
639 * previous NSEC3 record.
640 */
641 if (!unsecure)
642 goto addnsec3;
643 else
644 remove_unsecure = ISC_TRUE;
645 } else {
646 dns_rdataset_disassociate(&rdataset);
647 if (result != ISC_R_NOMORE)
648 goto failure;
649 }
650 }
651
652 /*
653 * Find the previous NSEC3 (if any) and update it if required.
654 */
655 pass = 0;
656 do {
657 result = dns_dbiterator_prev(dbit);
658 if (result == ISC_R_NOMORE) {
659 pass++;
660 CHECK(dns_dbiterator_last(dbit));
661 }
662 CHECK(dns_dbiterator_current(dbit, &node, prev));
663 CHECK(dns_dbiterator_pause(dbit));
664 result = dns_db_findrdataset(db, node, version,
665 dns_rdatatype_nsec3, 0,
666 (isc_stdtime_t) 0, &rdataset,
667 NULL);
668 dns_db_detachnode(db, &node);
669 if (result != ISC_R_SUCCESS)
670 continue;
671
672 result = find_nsec3(&nsec3, &rdataset, nsec3param);
673 if (result == ISC_R_NOMORE) {
674 dns_rdataset_disassociate(&rdataset);
675 continue;
676 }
677 if (result != ISC_R_SUCCESS)
678 goto failure;
679
680 if (remove_unsecure) {
681 dns_rdataset_disassociate(&rdataset);
682 /*
683 * We have found the previous NSEC3 record and can now
684 * see if the existing NSEC3 record needs to be
685 * updated or deleted.
686 */
687 if (!OPTOUT(nsec3.flags)) {
688 /*
689 * Just update the NSEC3 record.
690 */
691 goto addnsec3;
692 } else {
693 /*
694 * This is actually a deletion not a add.
695 */
696 result = dns_nsec3_delnsec3(db, version, name,
697 nsec3param, diff);
698 goto failure;
699 }
700 } else {
701 /*
702 * Is this is a unsecure delegation we are adding?
703 * If so no change is required.
704 */
705 if (OPTOUT(nsec3.flags) && unsecure) {
706 dns_rdataset_disassociate(&rdataset);
707 goto failure;
708 }
709 }
710
711 old_next = nsec3.next;
712 old_length = nsec3.next_length;
713
714 /*
715 * Delete the old previous NSEC3.
716 */
717 CHECK(delete(db, version, prev, nsec3param, diff));
718
719 /*
720 * Fixup the previous NSEC3.
721 */
722 nsec3.next = nexthash;
723 nsec3.next_length = next_length;
724 isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
725 CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
726 dns_rdatatype_nsec3, &nsec3,
727 &buffer));
728 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
729 rdataset.ttl, &rdata, &tuple));
730 CHECK(do_one_tuple(&tuple, db, version, diff));
731 INSIST(old_length <= sizeof(nexthash));
732 memcpy(nexthash, old_next, old_length);
733 if (!CREATE(nsec3param->flags))
734 flags = nsec3.flags;
735 dns_rdata_reset(&rdata);
736 dns_rdataset_disassociate(&rdataset);
737 break;
738 } while (pass < 2);
739
740 addnsec3:
741 /*
742 * Create the NSEC3 RDATA.
743 */
744 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
745 CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
746 salt, salt_length, nexthash, next_length,
747 nsec3buf, &rdata));
748 dns_db_detachnode(db, &node);
749
750 /*
751 * Delete the old NSEC3 and record the change.
752 */
753 CHECK(delete(db, version, hashname, nsec3param, diff));
754 /*
755 * Add the new NSEC3 and record the change.
756 */
757 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
758 hashname, nsecttl, &rdata, &tuple));
759 CHECK(do_one_tuple(&tuple, db, version, diff));
760 INSIST(tuple == NULL);
761 dns_rdata_reset(&rdata);
762 dns_db_detachnode(db, &newnode);
763
764 /*
765 * Add missing NSEC3 records for empty nodes
766 */
767 dns_name_init(&empty, NULL);
768 dns_name_clone(name, &empty);
769 do {
770 labels = dns_name_countlabels(&empty) - 1;
771 if (labels <= dns_name_countlabels(origin))
772 break;
773 dns_name_getlabelsequence(&empty, 1, labels, &empty);
774 CHECK(name_exists(db, version, &empty, &exists));
775 if (exists)
776 break;
777 CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
778 &empty, origin, hash, iterations,
779 salt, salt_length));
780
781 /*
782 * Create the node if it doesn't exist and hold
783 * a reference to it until we have added the NSEC3
784 * or we discover we don't need to add make a change.
785 */
786 CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
787 result = dns_db_findrdataset(db, newnode, version,
788 dns_rdatatype_nsec3, 0,
789 (isc_stdtime_t) 0, &rdataset,
790 NULL);
791 if (result == ISC_R_SUCCESS) {
792 result = find_nsec3(&nsec3, &rdataset, nsec3param);
793 dns_rdataset_disassociate(&rdataset);
794 if (result == ISC_R_SUCCESS) {
795 dns_db_detachnode(db, &newnode);
796 break;
797 }
798 if (result != ISC_R_NOMORE)
799 goto failure;
800 }
801
802 /*
803 * Find the previous NSEC3 and update it.
804 */
805 CHECK(dns_dbiterator_seek(dbit, hashname));
806 pass = 0;
807 do {
808 result = dns_dbiterator_prev(dbit);
809 if (result == ISC_R_NOMORE) {
810 pass++;
811 CHECK(dns_dbiterator_last(dbit));
812 }
813 CHECK(dns_dbiterator_current(dbit, &node, prev));
814 CHECK(dns_dbiterator_pause(dbit));
815 result = dns_db_findrdataset(db, node, version,
816 dns_rdatatype_nsec3, 0,
817 (isc_stdtime_t) 0,
818 &rdataset, NULL);
819 dns_db_detachnode(db, &node);
820 if (result != ISC_R_SUCCESS)
821 continue;
822 result = find_nsec3(&nsec3, &rdataset, nsec3param);
823 if (result == ISC_R_NOMORE) {
824 dns_rdataset_disassociate(&rdataset);
825 continue;
826 }
827 if (result != ISC_R_SUCCESS)
828 goto failure;
829
830 old_next = nsec3.next;
831 old_length = nsec3.next_length;
832
833 /*
834 * Delete the old previous NSEC3.
835 */
836 CHECK(delete(db, version, prev, nsec3param, diff));
837
838 /*
839 * Fixup the previous NSEC3.
840 */
841 nsec3.next = nexthash;
842 nsec3.next_length = next_length;
843 isc_buffer_init(&buffer, nsec3buf,
844 sizeof(nsec3buf));
845 CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
846 dns_rdatatype_nsec3, &nsec3,
847 &buffer));
848 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
849 prev, rdataset.ttl, &rdata,
850 &tuple));
851 CHECK(do_one_tuple(&tuple, db, version, diff));
852 INSIST(old_length <= sizeof(nexthash));
853 memcpy(nexthash, old_next, old_length);
854 if (!CREATE(nsec3param->flags))
855 flags = nsec3.flags;
856 dns_rdata_reset(&rdata);
857 dns_rdataset_disassociate(&rdataset);
858 break;
859 } while (pass < 2);
860
861 INSIST(pass < 2);
862
863 /*
864 * Create the NSEC3 RDATA for the empty node.
865 */
866 CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
867 iterations, salt, salt_length,
868 nexthash, next_length, nsec3buf,
869 &rdata));
870 /*
871 * Delete the old NSEC3 and record the change.
872 */
873 CHECK(delete(db, version, hashname, nsec3param, diff));
874
875 /*
876 * Add the new NSEC3 and record the change.
877 */
878 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
879 hashname, nsecttl, &rdata, &tuple));
880 CHECK(do_one_tuple(&tuple, db, version, diff));
881 INSIST(tuple == NULL);
882 dns_rdata_reset(&rdata);
883 dns_db_detachnode(db, &newnode);
884 } while (1);
885
886 if (result == ISC_R_NOMORE)
887 result = ISC_R_SUCCESS;
888
889 failure:
890 if (dbit != NULL)
891 dns_dbiterator_destroy(&dbit);
892 if (dns_rdataset_isassociated(&rdataset))
893 dns_rdataset_disassociate(&rdataset);
894 if (node != NULL)
895 dns_db_detachnode(db, &node);
896 if (newnode != NULL)
897 dns_db_detachnode(db, &newnode);
898 return (result);
899 }
900
901 /*%
902 * Add NSEC3 records for "name", recording the change in "diff".
903 * The existing NSEC3 records are removed.
904 */
905 isc_result_t
906 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
907 dns_name_t *name, dns_ttl_t nsecttl,
908 isc_boolean_t unsecure, dns_diff_t *diff)
909 {
910 dns_dbnode_t *node = NULL;
911 dns_rdata_nsec3param_t nsec3param;
912 dns_rdataset_t rdataset;
913 isc_result_t result;
914
915 dns_rdataset_init(&rdataset);
916
917 /*
918 * Find the NSEC3 parameters for this zone.
919 */
920 result = dns_db_getoriginnode(db, &node);
921 if (result != ISC_R_SUCCESS)
922 return (result);
923
924 result = dns_db_findrdataset(db, node, version,
925 dns_rdatatype_nsec3param, 0, 0,
926 &rdataset, NULL);
927 dns_db_detachnode(db, &node);
928 if (result == ISC_R_NOTFOUND)
929 return (ISC_R_SUCCESS);
930 if (result != ISC_R_SUCCESS)
931 return (result);
932
933 /*
934 * Update each active NSEC3 chain.
935 */
936 for (result = dns_rdataset_first(&rdataset);
937 result == ISC_R_SUCCESS;
938 result = dns_rdataset_next(&rdataset)) {
939 dns_rdata_t rdata = DNS_RDATA_INIT;
940
941 dns_rdataset_current(&rdataset, &rdata);
942 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
943
944 if (nsec3param.flags != 0)
945 continue;
946 /*
947 * We have a active chain. Update it.
948 */
949 CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
950 nsecttl, unsecure, diff));
951 }
952 if (result == ISC_R_NOMORE)
953 result = ISC_R_SUCCESS;
954
955 failure:
956 if (dns_rdataset_isassociated(&rdataset))
957 dns_rdataset_disassociate(&rdataset);
958 if (node != NULL)
959 dns_db_detachnode(db, &node);
960
961 return (result);
962 }
963
964 isc_boolean_t
965 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
966 unsigned char *buf, size_t buflen)
967 {
968 dns_decompress_t dctx;
969 isc_result_t result;
970 isc_buffer_t buf1;
971 isc_buffer_t buf2;
972
973 /*
974 * Algorithm 0 (reserved by RFC 4034) is used to identify
975 * NSEC3PARAM records from DNSKEY pointers.
976 */
977 if (src->length < 1 || src->data[0] != 0)
978 return (ISC_FALSE);
979
980 isc_buffer_init(&buf1, src->data + 1, src->length - 1);
981 isc_buffer_add(&buf1, src->length - 1);
982 isc_buffer_setactive(&buf1, src->length - 1);
983 isc_buffer_init(&buf2, buf, buflen);
984 dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
985 result = dns_rdata_fromwire(target, src->rdclass,
986 dns_rdatatype_nsec3param,
987 &buf1, &dctx, 0, &buf2);
988 dns_decompress_invalidate(&dctx);
989
990 return (ISC_TF(result == ISC_R_SUCCESS));
991 }
992
993 void
994 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
995 dns_rdatatype_t privatetype,
996 unsigned char *buf, size_t buflen)
997 {
998 REQUIRE(buflen >= src->length + 1);
999
1000 REQUIRE(DNS_RDATA_INITIALIZED(target));
1001
1002 memcpy(buf + 1, src->data, src->length);
1003 buf[0] = 0;
1004 target->data = buf;
1005 target->length = src->length + 1;
1006 target->type = privatetype;
1007 target->rdclass = src->rdclass;
1008 target->flags = 0;
1009 ISC_LINK_INIT(target, link);
1010 }
1011
1012 isc_result_t
1013 dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
1014 dns_name_t *name, dns_ttl_t nsecttl,
1015 isc_boolean_t unsecure, dns_rdatatype_t type,
1016 dns_diff_t *diff)
1017 {
1018 dns_dbnode_t *node = NULL;
1019 dns_rdata_nsec3param_t nsec3param;
1020 dns_rdataset_t rdataset;
1021 dns_rdataset_t prdataset;
1022 isc_result_t result;
1023
1024 dns_rdataset_init(&rdataset);
1025 dns_rdataset_init(&prdataset);
1026
1027 /*
1028 * Find the NSEC3 parameters for this zone.
1029 */
1030 result = dns_db_getoriginnode(db, &node);
1031 if (result != ISC_R_SUCCESS)
1032 return (result);
1033
1034 result = dns_db_findrdataset(db, node, version, type, 0, 0,
1035 &prdataset, NULL);
1036 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
1037 goto failure;
1038
1039 result = dns_db_findrdataset(db, node, version,
1040 dns_rdatatype_nsec3param, 0, 0,
1041 &rdataset, NULL);
1042 if (result == ISC_R_NOTFOUND)
1043 goto try_private;
1044 if (result != ISC_R_SUCCESS)
1045 goto failure;
1046
1047 /*
1048 * Update each active NSEC3 chain.
1049 */
1050 for (result = dns_rdataset_first(&rdataset);
1051 result == ISC_R_SUCCESS;
1052 result = dns_rdataset_next(&rdataset)) {
1053 dns_rdata_t rdata = DNS_RDATA_INIT;
1054
1055 dns_rdataset_current(&rdataset, &rdata);
1056 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
1057
1058 if (nsec3param.flags != 0)
1059 continue;
1060
1061 /*
1062 * We have a active chain. Update it.
1063 */
1064 CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
1065 nsecttl, unsecure, diff));
1066 }
1067 if (result != ISC_R_NOMORE)
1068 goto failure;
1069
1070 dns_rdataset_disassociate(&rdataset);
1071
1072 try_private:
1073 if (!dns_rdataset_isassociated(&prdataset))
1074 goto success;
1075 /*
1076 * Update each active NSEC3 chain.
1077 */
1078 for (result = dns_rdataset_first(&prdataset);
1079 result == ISC_R_SUCCESS;
1080 result = dns_rdataset_next(&prdataset)) {
1081 dns_rdata_t rdata1 = DNS_RDATA_INIT;
1082 dns_rdata_t rdata2 = DNS_RDATA_INIT;
1083 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
1084
1085 dns_rdataset_current(&prdataset, &rdata1);
1086 if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
1087 buf, sizeof(buf)))
1088 continue;
1089 CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
1090
1091 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
1092 continue;
1093 if (better_param(&prdataset, &rdata2))
1094 continue;
1095
1096 /*
1097 * We have a active chain. Update it.
1098 */
1099 CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
1100 nsecttl, unsecure, diff));
1101 }
1102 if (result == ISC_R_NOMORE)
1103 success:
1104 result = ISC_R_SUCCESS;
1105 failure:
1106 if (dns_rdataset_isassociated(&rdataset))
1107 dns_rdataset_disassociate(&rdataset);
1108 if (dns_rdataset_isassociated(&prdataset))
1109 dns_rdataset_disassociate(&prdataset);
1110 if (node != NULL)
1111 dns_db_detachnode(db, &node);
1112
1113 return (result);
1114 }
1115
1116 /*%
1117 * Determine whether any NSEC3 records that were associated with
1118 * 'name' should be deleted or if they should continue to exist.
1119 * ISC_TRUE indicates they should be deleted.
1120 * ISC_FALSE indicates they should be retained.
1121 */
1122 static isc_result_t
1123 deleteit(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1124 isc_boolean_t *yesno)
1125 {
1126 isc_result_t result;
1127 dns_fixedname_t foundname;
1128 dns_fixedname_init(&foundname);
1129
1130 result = dns_db_find(db, name, ver, dns_rdatatype_any,
1131 DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
1132 (isc_stdtime_t) 0, NULL,
1133 dns_fixedname_name(&foundname),
1134 NULL, NULL);
1135 if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
1136 result == DNS_R_ZONECUT) {
1137 *yesno = ISC_FALSE;
1138 return (ISC_R_SUCCESS);
1139 }
1140 if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
1141 result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
1142 *yesno = ISC_TRUE;
1143 return (ISC_R_SUCCESS);
1144 }
1145 /*
1146 * Silence compiler.
1147 */
1148 *yesno = ISC_TRUE;
1149 return (result);
1150 }
1151
1152 isc_result_t
1153 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1154 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
1155 {
1156 dns_dbiterator_t *dbit = NULL;
1157 dns_dbnode_t *node = NULL;
1158 dns_difftuple_t *tuple = NULL;
1159 dns_fixedname_t fixed;
1160 dns_fixedname_t fprev;
1161 dns_hash_t hash;
1162 dns_name_t *hashname;
1163 dns_name_t *origin;
1164 dns_name_t *prev;
1165 dns_name_t empty;
1166 dns_rdata_nsec3_t nsec3;
1167 dns_rdata_t rdata = DNS_RDATA_INIT;
1168 dns_rdataset_t rdataset;
1169 int pass;
1170 isc_boolean_t yesno;
1171 isc_buffer_t buffer;
1172 isc_result_t result;
1173 unsigned char *salt;
1174 unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
1175 unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
1176 unsigned int iterations;
1177 unsigned int labels;
1178 size_t next_length;
1179 unsigned int salt_length;
1180
1181 dns_fixedname_init(&fixed);
1182 hashname = dns_fixedname_name(&fixed);
1183 dns_fixedname_init(&fprev);
1184 prev = dns_fixedname_name(&fprev);
1185
1186 dns_rdataset_init(&rdataset);
1187
1188 origin = dns_db_origin(db);
1189
1190 /*
1191 * Chain parameters.
1192 */
1193 hash = nsec3param->hash;
1194 iterations = nsec3param->iterations;
1195 salt_length = nsec3param->salt_length;
1196 salt = nsec3param->salt;
1197
1198 /*
1199 * If this is the first NSEC3 in the chain nexthash will
1200 * remain pointing to itself.
1201 */
1202 next_length = sizeof(nexthash);
1203 CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
1204 name, origin, hash, iterations,
1205 salt, salt_length));
1206
1207 CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
1208
1209 result = dns_dbiterator_seek(dbit, hashname);
1210 if (result == ISC_R_NOTFOUND)
1211 goto success;
1212 if (result != ISC_R_SUCCESS)
1213 goto failure;
1214
1215 CHECK(dns_dbiterator_current(dbit, &node, NULL));
1216 CHECK(dns_dbiterator_pause(dbit));
1217 result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
1218 0, (isc_stdtime_t) 0, &rdataset, NULL);
1219 dns_db_detachnode(db, &node);
1220 if (result == ISC_R_NOTFOUND)
1221 goto success;
1222 if (result != ISC_R_SUCCESS)
1223 goto failure;
1224
1225 /*
1226 * If we find a existing NSEC3 for this chain then save the
1227 * next field.
1228 */
1229 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1230 if (result == ISC_R_SUCCESS) {
1231 next_length = nsec3.next_length;
1232 INSIST(next_length <= sizeof(nexthash));
1233 memcpy(nexthash, nsec3.next, next_length);
1234 }
1235 dns_rdataset_disassociate(&rdataset);
1236 if (result == ISC_R_NOMORE)
1237 goto success;
1238 if (result != ISC_R_SUCCESS)
1239 goto failure;
1240
1241 /*
1242 * Find the previous NSEC3 and update it.
1243 */
1244 pass = 0;
1245 do {
1246 result = dns_dbiterator_prev(dbit);
1247 if (result == ISC_R_NOMORE) {
1248 pass++;
1249 CHECK(dns_dbiterator_last(dbit));
1250 }
1251 CHECK(dns_dbiterator_current(dbit, &node, prev));
1252 CHECK(dns_dbiterator_pause(dbit));
1253 result = dns_db_findrdataset(db, node, version,
1254 dns_rdatatype_nsec3, 0,
1255 (isc_stdtime_t) 0, &rdataset,
1256 NULL);
1257 dns_db_detachnode(db, &node);
1258 if (result != ISC_R_SUCCESS)
1259 continue;
1260 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1261 if (result == ISC_R_NOMORE) {
1262 dns_rdataset_disassociate(&rdataset);
1263 continue;
1264 }
1265 if (result != ISC_R_SUCCESS)
1266 goto failure;
1267
1268 /*
1269 * Delete the old previous NSEC3.
1270 */
1271 CHECK(delete(db, version, prev, nsec3param, diff));
1272
1273 /*
1274 * Fixup the previous NSEC3.
1275 */
1276 nsec3.next = nexthash;
1277 nsec3.next_length = next_length;
1278 isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
1279 CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1280 dns_rdatatype_nsec3, &nsec3,
1281 &buffer));
1282 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
1283 rdataset.ttl, &rdata, &tuple));
1284 CHECK(do_one_tuple(&tuple, db, version, diff));
1285 dns_rdata_reset(&rdata);
1286 dns_rdataset_disassociate(&rdataset);
1287 break;
1288 } while (pass < 2);
1289
1290 /*
1291 * Delete the old NSEC3 and record the change.
1292 */
1293 CHECK(delete(db, version, hashname, nsec3param, diff));
1294
1295 /*
1296 * Delete NSEC3 records for now non active nodes.
1297 */
1298 dns_name_init(&empty, NULL);
1299 dns_name_clone(name, &empty);
1300 do {
1301 labels = dns_name_countlabels(&empty) - 1;
1302 if (labels <= dns_name_countlabels(origin))
1303 break;
1304 dns_name_getlabelsequence(&empty, 1, labels, &empty);
1305 CHECK(deleteit(db, version, &empty, &yesno));
1306 if (!yesno)
1307 break;
1308
1309 CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
1310 &empty, origin, hash, iterations,
1311 salt, salt_length));
1312 result = dns_dbiterator_seek(dbit, hashname);
1313 if (result == ISC_R_NOTFOUND)
1314 goto success;
1315 if (result != ISC_R_SUCCESS)
1316 goto failure;
1317
1318 CHECK(dns_dbiterator_current(dbit, &node, NULL));
1319 CHECK(dns_dbiterator_pause(dbit));
1320 result = dns_db_findrdataset(db, node, version,
1321 dns_rdatatype_nsec3, 0,
1322 (isc_stdtime_t) 0, &rdataset,
1323 NULL);
1324 dns_db_detachnode(db, &node);
1325 if (result == ISC_R_NOTFOUND)
1326 goto success;
1327 if (result != ISC_R_SUCCESS)
1328 goto failure;
1329
1330 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1331 if (result == ISC_R_SUCCESS) {
1332 next_length = nsec3.next_length;
1333 INSIST(next_length <= sizeof(nexthash));
1334 memcpy(nexthash, nsec3.next, next_length);
1335 }
1336 dns_rdataset_disassociate(&rdataset);
1337 if (result == ISC_R_NOMORE)
1338 goto success;
1339 if (result != ISC_R_SUCCESS)
1340 goto failure;
1341
1342 pass = 0;
1343 do {
1344 result = dns_dbiterator_prev(dbit);
1345 if (result == ISC_R_NOMORE) {
1346 pass++;
1347 CHECK(dns_dbiterator_last(dbit));
1348 }
1349 CHECK(dns_dbiterator_current(dbit, &node, prev));
1350 CHECK(dns_dbiterator_pause(dbit));
1351 result = dns_db_findrdataset(db, node, version,
1352 dns_rdatatype_nsec3, 0,
1353 (isc_stdtime_t) 0,
1354 &rdataset, NULL);
1355 dns_db_detachnode(db, &node);
1356 if (result != ISC_R_SUCCESS)
1357 continue;
1358 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1359 if (result == ISC_R_NOMORE) {
1360 dns_rdataset_disassociate(&rdataset);
1361 continue;
1362 }
1363 if (result != ISC_R_SUCCESS)
1364 goto failure;
1365
1366 /*
1367 * Delete the old previous NSEC3.
1368 */
1369 CHECK(delete(db, version, prev, nsec3param, diff));
1370
1371 /*
1372 * Fixup the previous NSEC3.
1373 */
1374 nsec3.next = nexthash;
1375 nsec3.next_length = next_length;
1376 isc_buffer_init(&buffer, nsec3buf,
1377 sizeof(nsec3buf));
1378 CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
1379 dns_rdatatype_nsec3, &nsec3,
1380 &buffer));
1381 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
1382 prev, rdataset.ttl, &rdata,
1383 &tuple));
1384 CHECK(do_one_tuple(&tuple, db, version, diff));
1385 dns_rdata_reset(&rdata);
1386 dns_rdataset_disassociate(&rdataset);
1387 break;
1388 } while (pass < 2);
1389
1390 INSIST(pass < 2);
1391
1392 /*
1393 * Delete the old NSEC3 and record the change.
1394 */
1395 CHECK(delete(db, version, hashname, nsec3param, diff));
1396 } while (1);
1397
1398 success:
1399 result = ISC_R_SUCCESS;
1400
1401 failure:
1402 if (dbit != NULL)
1403 dns_dbiterator_destroy(&dbit);
1404 if (dns_rdataset_isassociated(&rdataset))
1405 dns_rdataset_disassociate(&rdataset);
1406 if (node != NULL)
1407 dns_db_detachnode(db, &node);
1408 return (result);
1409 }
1410
1411 isc_result_t
1412 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1413 dns_diff_t *diff)
1414 {
1415 return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
1416 }
1417
1418 isc_result_t
1419 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
1420 dns_rdatatype_t type, dns_diff_t *diff)
1421 {
1422 dns_dbnode_t *node = NULL;
1423 dns_rdata_nsec3param_t nsec3param;
1424 dns_rdataset_t rdataset;
1425 isc_result_t result;
1426
1427 dns_rdataset_init(&rdataset);
1428
1429 /*
1430 * Find the NSEC3 parameters for this zone.
1431 */
1432 result = dns_db_getoriginnode(db, &node);
1433 if (result != ISC_R_SUCCESS)
1434 return (result);
1435
1436 result = dns_db_findrdataset(db, node, version,
1437 dns_rdatatype_nsec3param, 0, 0,
1438 &rdataset, NULL);
1439 if (result == ISC_R_NOTFOUND)
1440 goto try_private;
1441 if (result != ISC_R_SUCCESS)
1442 goto failure;
1443
1444 /*
1445 * Update each active NSEC3 chain.
1446 */
1447 for (result = dns_rdataset_first(&rdataset);
1448 result == ISC_R_SUCCESS;
1449 result = dns_rdataset_next(&rdataset)) {
1450 dns_rdata_t rdata = DNS_RDATA_INIT;
1451
1452 dns_rdataset_current(&rdataset, &rdata);
1453 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
1454
1455 if (nsec3param.flags != 0)
1456 continue;
1457 /*
1458 * We have a active chain. Update it.
1459 */
1460 CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
1461 }
1462 dns_rdataset_disassociate(&rdataset);
1463
1464 try_private:
1465 if (type == 0)
1466 goto success;
1467 result = dns_db_findrdataset(db, node, version, type, 0, 0,
1468 &rdataset, NULL);
1469 if (result == ISC_R_NOTFOUND)
1470 goto success;
1471 if (result != ISC_R_SUCCESS)
1472 goto failure;
1473
1474 /*
1475 * Update each NSEC3 chain being built.
1476 */
1477 for (result = dns_rdataset_first(&rdataset);
1478 result == ISC_R_SUCCESS;
1479 result = dns_rdataset_next(&rdataset)) {
1480 dns_rdata_t rdata1 = DNS_RDATA_INIT;
1481 dns_rdata_t rdata2 = DNS_RDATA_INIT;
1482 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
1483
1484 dns_rdataset_current(&rdataset, &rdata1);
1485 if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
1486 buf, sizeof(buf)))
1487 continue;
1488 CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
1489
1490 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
1491 continue;
1492 if (better_param(&rdataset, &rdata2))
1493 continue;
1494
1495 /*
1496 * We have a active chain. Update it.
1497 */
1498 CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
1499 }
1500 if (result == ISC_R_NOMORE)
1501 success:
1502 result = ISC_R_SUCCESS;
1503
1504 failure:
1505 if (dns_rdataset_isassociated(&rdataset))
1506 dns_rdataset_disassociate(&rdataset);
1507 if (node != NULL)
1508 dns_db_detachnode(db, &node);
1509
1510 return (result);
1511 }
1512
1513 isc_result_t
1514 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
1515 isc_boolean_t complete, isc_boolean_t *answer)
1516 {
1517 return (dns_nsec3_activex(db, version, complete, 0, answer));
1518 }
1519
1520 isc_result_t
1521 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
1522 isc_boolean_t complete, dns_rdatatype_t type,
1523 isc_boolean_t *answer)
1524 {
1525 dns_dbnode_t *node = NULL;
1526 dns_rdataset_t rdataset;
1527 dns_rdata_nsec3param_t nsec3param;
1528 isc_result_t result;
1529
1530 REQUIRE(answer != NULL);
1531
1532 dns_rdataset_init(&rdataset);
1533
1534 result = dns_db_getoriginnode(db, &node);
1535 if (result != ISC_R_SUCCESS)
1536 return (result);
1537
1538 result = dns_db_findrdataset(db, node, version,
1539 dns_rdatatype_nsec3param, 0, 0,
1540 &rdataset, NULL);
1541
1542 if (result == ISC_R_NOTFOUND)
1543 goto try_private;
1544
1545 if (result != ISC_R_SUCCESS) {
1546 dns_db_detachnode(db, &node);
1547 return (result);
1548 }
1549 for (result = dns_rdataset_first(&rdataset);
1550 result == ISC_R_SUCCESS;
1551 result = dns_rdataset_next(&rdataset)) {
1552 dns_rdata_t rdata = DNS_RDATA_INIT;
1553
1554 dns_rdataset_current(&rdataset, &rdata);
1555 result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
1556 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1557
1558 if (nsec3param.flags == 0)
1559 break;
1560 }
1561 dns_rdataset_disassociate(&rdataset);
1562 if (result == ISC_R_SUCCESS) {
1563 dns_db_detachnode(db, &node);
1564 *answer = ISC_TRUE;
1565 return (ISC_R_SUCCESS);
1566 }
1567 if (result == ISC_R_NOMORE)
1568 *answer = ISC_FALSE;
1569
1570 try_private:
1571 if (type == 0 || complete) {
1572 *answer = ISC_FALSE;
1573 return (ISC_R_SUCCESS);
1574 }
1575 result = dns_db_findrdataset(db, node, version, type, 0, 0,
1576 &rdataset, NULL);
1577
1578 dns_db_detachnode(db, &node);
1579 if (result == ISC_R_NOTFOUND) {
1580 *answer = ISC_FALSE;
1581 return (ISC_R_SUCCESS);
1582 }
1583 if (result != ISC_R_SUCCESS)
1584 return (result);
1585
1586 for (result = dns_rdataset_first(&rdataset);
1587 result == ISC_R_SUCCESS;
1588 result = dns_rdataset_next(&rdataset)) {
1589 dns_rdata_t rdata1 = DNS_RDATA_INIT;
1590 dns_rdata_t rdata2 = DNS_RDATA_INIT;
1591 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
1592
1593 dns_rdataset_current(&rdataset, &rdata1);
1594 if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
1595 buf, sizeof(buf)))
1596 continue;
1597 result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
1598 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1599
1600 if (!complete && CREATE(nsec3param.flags))
1601 break;
1602 }
1603 dns_rdataset_disassociate(&rdataset);
1604 if (result == ISC_R_SUCCESS) {
1605 *answer = ISC_TRUE;
1606 result = ISC_R_SUCCESS;
1607 }
1608 if (result == ISC_R_NOMORE) {
1609 *answer = ISC_FALSE;
1610 result = ISC_R_SUCCESS;
1611 }
1612
1613 return (result);
1614 }
1615
1616 isc_result_t
1617 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
1618 isc_mem_t *mctx, unsigned int *iterationsp)
1619 {
1620 dns_dbnode_t *node = NULL;
1621 dns_rdataset_t rdataset;
1622 dst_key_t *key = NULL;
1623 isc_buffer_t buffer;
1624 isc_result_t result;
1625 isc_uint16_t bits, minbits = 4096;
1626
1627 result = dns_db_getoriginnode(db, &node);
1628 if (result != ISC_R_SUCCESS)
1629 return (result);
1630
1631 dns_rdataset_init(&rdataset);
1632 result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
1633 0, 0, &rdataset, NULL);
1634 dns_db_detachnode(db, &node);
1635 if (result == ISC_R_NOTFOUND) {
1636 *iterationsp = 0;
1637 return (ISC_R_SUCCESS);
1638 }
1639 if (result != ISC_R_SUCCESS)
1640 goto failure;
1641
1642 for (result = dns_rdataset_first(&rdataset);
1643 result == ISC_R_SUCCESS;
1644 result = dns_rdataset_next(&rdataset)) {
1645 dns_rdata_t rdata = DNS_RDATA_INIT;
1646
1647 dns_rdataset_current(&rdataset, &rdata);
1648 isc_buffer_init(&buffer, rdata.data, rdata.length);
1649 isc_buffer_add(&buffer, rdata.length);
1650 CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
1651 &buffer, mctx, &key));
1652 bits = dst_key_getbits(key);
1653 dst_key_free(&key);
1654 if (minbits > bits)
1655 minbits = bits;
1656 }
1657 if (result != ISC_R_NOMORE)
1658 goto failure;
1659
1660 if (minbits <= 1024)
1661 *iterationsp = 150;
1662 else if (minbits <= 2048)
1663 *iterationsp = 500;
1664 else
1665 *iterationsp = 2500;
1666 result = ISC_R_SUCCESS;
1667
1668 failure:
1669 if (dns_rdataset_isassociated(&rdataset))
1670 dns_rdataset_disassociate(&rdataset);
1671 return (result);
1672 }
NetBSD on the FriendlyARM MINI2440