Index: bin/named/client.c =================================================================== --- bin/named/client.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/client.c 2013-08-05 14:14:45.875498002 +0200 @@ -994,6 +994,11 @@ } if (result != ISC_R_SUCCESS) goto done; + /* + * Stop after the question if TC was set for rate limiting. + */ + if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) + goto renderend; result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, DNS_MESSAGERENDER_PARTIAL | @@ -1134,6 +1139,51 @@ #endif /* + * Try to rate limit error responses. + */ + if (client->view != NULL && client->view->rrl != NULL) { + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + dns_rrl_result_t rrl_result; + + INSIST(rcode != dns_rcode_noerror && + rcode != dns_rcode_nxdomain); + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + rrl_result = dns_rrl(client->view, &client->peeraddr, + TCP_CLIENT(client), + dns_rdataclass_in, dns_rdatatype_none, + NULL, result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped errors in the query category + * so that they are not lost in silence. + * Starts of rate-limited bursts are logged in + * NS_LOGCATEGORY_RRL. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_CLIENT, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + /* + * Some error responses cannot be 'slipped', + * so don't try to slip any error responses. + */ + if (!client->view->rrl->log_only) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_ratedropped); + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_dropped); + ns_client_next(client, DNS_R_DROP); + return; + } + } + } + + /* * Message may be an in-progress reply that we had trouble * with, in which case QR will be set. We need to clear QR before * calling dns_message_reply() to avoid triggering an assertion. Index: bin/named/config.c =================================================================== --- bin/named/config.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/config.c 2013-08-05 14:14:45.875498002 +0200 @@ -228,6 +228,13 @@ notify no;\n\ allow-new-zones no;\n\ \n\ + # Prevent use of this zone in DNS amplified reflection DoS attacks\n\ + rate-limit {\n\ + responses-per-second 3;\n\ + slip 0;\n\ + min-table-size 10;\n\ + };\n\ +\n\ zone \"version.bind\" chaos {\n\ type master;\n\ database \"_builtin version\";\n\ Index: bin/named/include/named/query.h =================================================================== --- bin/named/include/named/query.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/include/named/query.h 2013-08-05 14:14:45.875498002 +0200 @@ -85,6 +85,7 @@ #define NS_QUERYATTR_CACHEACLOK 0x2000 #define NS_QUERYATTR_DNS64 0x4000 #define NS_QUERYATTR_DNS64EXCLUDE 0x8000 +#define NS_QUERYATTR_RRL_CHECKED 0x10000 isc_result_t Index: bin/named/include/named/server.h =================================================================== --- bin/named/include/named/server.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/include/named/server.h 2013-08-05 14:14:45.875498002 +0200 @@ -167,7 +167,10 @@ dns_nsstatscounter_rpz_rewrites = 36, - dns_nsstatscounter_max = 37 + dns_nsstatscounter_ratedropped = 37, + dns_nsstatscounter_rateslipped = 38, + + dns_nsstatscounter_max = 39 }; void Index: bin/named/query.c =================================================================== --- bin/named/query.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/query.c 2013-08-05 14:14:45.877498027 +0200 @@ -193,7 +193,7 @@ #ifdef NEWSTATS /* Do query type statistics * - * We only increment per-type if we're using the authoriative + * We only increment per-type if we're using the authoritative * answer counter, preventing double-counting. */ if (counter == dns_nsstatscounter_authans) { @@ -879,11 +879,11 @@ static void rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled, dns_rpz_policy_t policy, dns_rpz_type_t type, - dns_zone_t *zone, dns_name_t *rpz_qname) + dns_zone_t *p_zone, dns_name_t *p_name) { isc_stats_t *zonestats; char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; + char p_name_buf[DNS_NAME_FORMATSIZE]; /* * Count enabled rewrites in the global counter. @@ -893,8 +893,8 @@ isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_rpz_rewrites); } - if (zone != NULL) { - zonestats = dns_zone_getrequeststats(zone); + if (p_zone != NULL) { + zonestats = dns_zone_getrequeststats(p_zone); if (zonestats != NULL) isc_stats_increment(zonestats, dns_nsstatscounter_rpz_rewrites); @@ -904,22 +904,21 @@ return; dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); - dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf)); + dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s", disabled ? "disabled " : "", dns_rpz_type2str(type), dns_rpz_policy2str(policy), - qname_buf, rpz_qname_buf); + qname_buf, p_name_buf); } static void -rpz_log_fail(ns_client_t *client, int level, - dns_rpz_type_t rpz_type, dns_name_t *name, - const char *str, isc_result_t result) +rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, + dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; if (!isc_log_wouldlog(ns_g_lctx, level)) return; @@ -927,44 +926,44 @@ /* * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ - dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1)); - dns_name_format(name, namebuf2, sizeof(namebuf2)); + dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY, level, "rpz %s rewrite %s via %s %sfailed: %s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2, str, isc_result_totext(result)); + qnamebuf, p_namebuf, str, isc_result_totext(result)); } /* * Get a policy rewrite zone database. */ static isc_result_t -rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname, +rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; dns_dbversion_t *rpz_version = NULL; isc_result_t result; - result = query_getzonedb(client, rpz_qname, dns_rdatatype_any, + result = query_getzonedb(client, p_name, dns_rdatatype_any, DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version); if (result == ISC_R_SUCCESS) { if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) { - dns_name_format(client->query.qname, namebuf1, - sizeof(namebuf1)); - dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2)); + dns_name_format(client->query.qname, qnamebuf, + sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, "try rpz %s rewrite %s via %s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2); + qnamebuf, p_namebuf); } *versionp = rpz_version; return (ISC_R_SUCCESS); } - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname, + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "query_getzonedb() ", result); return (result); } @@ -3913,7 +3912,7 @@ dns_rdataset_disassociate(*rdatasetp); } -static void +static inline void rpz_match_clear(dns_rpz_st_t *st) { rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); @@ -3921,16 +3920,16 @@ } static inline isc_result_t -rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) +rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { REQUIRE(rdatasetp != NULL); - rpz_clean(zonep, dbp, nodep, rdatasetp); if (*rdatasetp == NULL) { *rdatasetp = query_newrdataset(client); if (*rdatasetp == NULL) return (DNS_R_SERVFAIL); + } else if (dns_rdataset_isassociated(*rdatasetp)) { + dns_rdataset_disassociate(*rdatasetp); } return (ISC_R_SUCCESS); } @@ -3959,13 +3958,83 @@ st->m.policy = DNS_RPZ_POLICY_MISS; } +static dns_rpz_zbits_t +rpz_get_zbits(ns_client_t *client, + dns_rdatatype_t ip_type, dns_rpz_type_t rpz_type) +{ + dns_rpz_zones_t *rpzs; + dns_rpz_st_t *st; + dns_rpz_zbits_t zbits; + + rpzs = client->view->rpzs; + + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits = rpzs->have.client_ip; + break; + case DNS_RPZ_TYPE_QNAME: + zbits = rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.ipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.ipv6; + } else { + zbits = rpzs->have.ip; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + zbits = rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.nsipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.nsipv6; + } else { + zbits = rpzs->have.nsip; + } + break; + default: + INSIST(0); + break; + } + + st = client->query.rpz_st; + + /* + * Choose + * the earliest configured policy zone (rpz->num) + * QNAME over IP over NSDNAME over NSIP (rpz_type) + * the smallest name, + * the longest IP address prefix, + * the lexically smallest address. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.type >= rpz_type) { + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); + } else{ + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; + } + } + + /* + * If the client wants recursion, allow only compatible policies. + */ + if (!RECURSIONOK(client)) + zbits &= rpzs->p.no_rd_ok; + + return (zbits); +} + /* - * Get NS, A, or AAAA rrset for response policy zone checks. + * Get an NS, A, or AAAA rrset related to the response for the client + * to check the contents of that rrset for hits by eligible policy zones. */ static isc_result_t -rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_db_t **dbp, dns_dbversion_t *version, +rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, + dns_rpz_type_t rpz_type, dns_db_t **dbp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp, isc_boolean_t resuming) { dns_rpz_st_t *st; @@ -3977,15 +4046,13 @@ dns_clientinfomethods_t cm; dns_clientinfo_t ci; - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - st = client->query.rpz_st; if ((st->state & DNS_RPZ_RECURSING) != 0) { INSIST(st->r.r_type == type); INSIST(dns_name_equal(name, st->r_name)); INSIST(*rdatasetp == NULL || !dns_rdataset_isassociated(*rdatasetp)); + INSIST(*dbp == NULL); st->state &= ~DNS_RPZ_RECURSING; *dbp = st->r.db; st->r.db = NULL; @@ -3995,16 +4062,15 @@ st->r.r_rdataset = NULL; result = st->r.r_result; if (result == DNS_R_DELEGATION) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(1) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, "rpz_rrset_find(1) ", result); st->m.policy = DNS_RPZ_POLICY_ERROR; result = DNS_R_SERVFAIL; } return (result); } - result = rpz_ready(client, NULL, NULL, NULL, rdatasetp); + result = rpz_ready(client, rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); @@ -4019,9 +4085,8 @@ result = query_getdb(client, name, type, 0, &zone, dbp, &version, &is_zone); if (result != ISC_R_SUCCESS) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(2) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, "rpz_rrset_find(2) ", result); st->m.policy = DNS_RPZ_POLICY_ERROR; if (zone != NULL) dns_zone_detach(&zone); @@ -4034,6 +4099,8 @@ node = NULL; dns_fixedname_init(&fixed); found = dns_fixedname_name(&fixed); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); @@ -4072,177 +4139,97 @@ } /* - * Check the IP address in an A or AAAA rdataset against - * the IP or NSIP response policy rules of a view. + * Compute a policy owner name, p_name, in a policy zone given the needed + * policy type and the trigger name. */ static isc_result_t -rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset, - dns_rpz_type_t rpz_type) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_zone_t *zone; - dns_db_t *db; - dns_rpz_zone_t *rpz; +rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, + dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_name_t *trig_name) +{ + dns_offsets_t prefix_offsets; + dns_name_t prefix, *suffix; + unsigned int first, labels; isc_result_t result; - st = client->query.rpz_st; - if (st->m.rdataset == NULL) { - st->m.rdataset = query_newrdataset(client); - if (st->m.rdataset == NULL) - return (DNS_R_SERVFAIL); - } - zone = NULL; - db = NULL; - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; - - /* - * Do not check policy zones that cannot replace a policy - * already known to match. - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS) { - if (st->m.rpz->num < rpz->num) - break; - if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; - } - - /* - * Find the database for this policy zone to get its radix tree. - */ - version = NULL; - result = rpz_getdb(client, rpz_type, &rpz->origin, - &zone, &db, &version); - if (result != ISC_R_SUCCESS) { - rpz_clean(&zone, &db, NULL, NULL); - continue; - } - /* - * Look for a better (e.g. longer prefix) hit for an IP address - * in this rdataset in this radix tree than than the previous - * hit, if any. Note the domain name and quality of the - * best hit. - */ - dns_db_rpz_findips(rpz, rpz_type, zone, db, version, - rdataset, st, client->query.rpz_st->qname); - rpz_clean(&zone, &db, NULL, NULL); - } - return (ISC_R_SUCCESS); -} - -/* - * Look for an A or AAAA rdataset - * and check for IP or NSIP rewrite policy rules. - */ -static isc_result_t -rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_rdatatype_t type, dns_name_t *name, - dns_db_t **dbp, dns_dbversion_t *version, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - isc_result_t result; - - result = rpz_rrset_find(client, rpz_type, name, type, dbp, version, - rdatasetp, resuming); - switch (result) { - case ISC_R_SUCCESS: - case DNS_R_GLUE: - case DNS_R_ZONECUT: - result = rpz_rewrite_ip(client, *rdatasetp, rpz_type); + /* + * The policy owner name consists of a suffix depending on the type + * and policy zone and a prefix that is the longest possible string + * from the trigger name that keesp the resulting policy owner name + * from being too long. + */ + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + suffix = &rpz->client_ip; break; - case DNS_R_EMPTYNAME: - case DNS_R_EMPTYWILD: - case DNS_R_NXDOMAIN: - case DNS_R_NCACHENXDOMAIN: - case DNS_R_NXRRSET: - case DNS_R_NCACHENXRRSET: - case ISC_R_NOTFOUND: - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_QNAME: + suffix = &rpz->origin; break; - case DNS_R_DELEGATION: - case DNS_R_DUPLICATE: - case DNS_R_DROP: + case DNS_RPZ_TYPE_IP: + suffix = &rpz->ip; break; - case DNS_R_CNAME: - case DNS_R_DNAME: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type, - name, "NS address rewrite rrset ", result); - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_NSDNAME: + suffix = &rpz->nsdname; break; - default: - if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - name, "NS address rewrite rrset ", result); - } + case DNS_RPZ_TYPE_NSIP: + suffix = &rpz->nsip; break; + default: + INSIST(0); } - return (result); -} - -/* - * Look for both A and AAAA rdatasets - * and check for IP or NSIP rewrite policy rules. - * Look only for addresses that will be in the ANSWER section - * when checking for IP rules. - */ -static isc_result_t -rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_db_t *ipdb; - isc_result_t result; - st = client->query.rpz_st; - version = NULL; - ipdb = NULL; - if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv4) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_a)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a, - name, &ipdb, version, rdatasetp, - resuming); + /* + * Start with relative version of the full trigger name, + * and trim enough allow the addition of the suffix. + */ + dns_name_init(&prefix, prefix_offsets); + labels = dns_name_countlabels(trig_name); + first = 0; + for (;;) { + dns_name_getlabelsequence(trig_name, first, labels-first-1, + &prefix); + result = dns_name_concatenate(&prefix, suffix, p_name, NULL); if (result == ISC_R_SUCCESS) - st->state |= DNS_RPZ_DONE_IPv4; - } else { - result = ISC_R_SUCCESS; - } - if (result == ISC_R_SUCCESS && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv6) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa, - name, &ipdb, version, rdatasetp, - resuming); + return (ISC_R_SUCCESS); + INSIST(result == DNS_R_NAMETOOLONG); + /* + * Trim the trigger name until the combination is not too long. + */ + if (labels-first < 2) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, + rpz_type, "concatentate() ", result); + return (ISC_R_FAILURE); + } + /* + * Complain once about trimming the trigger name. + */ + if (first == 0) { + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, + rpz_type, "concatentate() ", result); + } + ++first; } - if (ipdb != NULL) - dns_db_detach(&ipdb); - return (result); } /* - * Get the rrset from a response policy zone. + * Look in policy zone rpz for a policy of rpz_type by p_name. + * The self-name (usually the client qname or an NS name) is compared with + * the target of a CNAME policy for the old style passthru encoding. + * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, + * *rdatasetp, and *policyp. + * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. + * The caller must decide if the found policy is most suitable, including + * better than a previously found policy. + * If it is best, the caller records it in client->query.rpz_st->m. */ static isc_result_t -rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, - dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, - dns_rpz_policy_t *policyp) +rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, + dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_rpz_policy_t *policyp) { - dns_rpz_policy_t policy; - dns_fixedname_t fixed; + dns_fixedname_t foundf; dns_name_t *found; isc_result_t result; dns_clientinfomethods_t cm; @@ -4250,31 +4237,28 @@ REQUIRE(nodep != NULL); - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - - result = rpz_ready(client, zonep, dbp, nodep, rdatasetp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_ERROR; - return (result); - } - /* - * Try to get either a CNAME or the type of record demanded by the + * Try to find either a CNAME or the type of record demanded by the * request from the policy zone. */ + rpz_clean(zonep, dbp, nodep, rdatasetp); + result = rpz_ready(client, rdatasetp); + if (result != ISC_R_SUCCESS) + return (DNS_R_SERVFAIL); *versionp = NULL; - result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_MISS; + result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); + if (result != ISC_R_SUCCESS) return (DNS_R_NXDOMAIN); - } - - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); - result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0, + dns_fixedname_init(&foundf); + found = dns_fixedname_name(&foundf); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); + result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); + /* + * Choose the best rdataset if we found something. + */ if (result == ISC_R_SUCCESS) { dns_rdatasetiter_t *rdsiter; @@ -4282,10 +4266,8 @@ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, &rdsiter); if (result != ISC_R_SUCCESS) { - dns_db_detachnode(*dbp, nodep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - qnamef, "allrdatasets() ", result); - *policyp = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, + rpz_type, "allrdatasets() ", result); return (DNS_R_SERVFAIL); } for (result = dns_rdatasetiter_first(rdsiter); @@ -4301,9 +4283,8 @@ if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOMORE) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, qnamef, "rdatasetiter ", - result); - *policyp = DNS_RPZ_POLICY_ERROR; + p_name, rpz_type, + "rdatasetiter ", result); return (DNS_R_SERVFAIL); } /* @@ -4318,7 +4299,7 @@ qtype == dns_rdatatype_sig) result = DNS_R_NXRRSET; else - result = dns_db_findext(*dbp, qnamef, *versionp, + result = dns_db_findext(*dbp, p_name, *versionp, qtype, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); @@ -4327,162 +4308,477 @@ switch (result) { case ISC_R_SUCCESS: if ((*rdatasetp)->type != dns_rdatatype_cname) { - policy = DNS_RPZ_POLICY_RECORD; + *policyp = DNS_RPZ_POLICY_RECORD; } else { - policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname); - if ((policy == DNS_RPZ_POLICY_RECORD || - policy == DNS_RPZ_POLICY_WILDCNAME) && + *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, + self_name); + if ((*policyp == DNS_RPZ_POLICY_RECORD || + *policyp == DNS_RPZ_POLICY_WILDCNAME) && qtype != dns_rdatatype_cname && qtype != dns_rdatatype_any) - result = DNS_R_CNAME; + return (DNS_R_CNAME); } - break; + return (ISC_R_SUCCESS); case DNS_R_NXRRSET: - policy = DNS_RPZ_POLICY_NODATA; - break; + *policyp = DNS_RPZ_POLICY_NODATA; + return (result); case DNS_R_DNAME: /* * DNAME policy RRs have very few if any uses that are not - * better served with simple wildcards. Making the work would + * better served with simple wildcards. Making them work would * require complications to get the number of labels matched * in the name or the found name to the main DNS_R_DNAME case - * in query_find(). - */ - dns_rdataset_disassociate(*rdatasetp); - dns_db_detachnode(*dbp, nodep); - /* - * Fall through to treat it as a miss. + * in query_find(). The domain also does not appear in the + * summary database at the right level, so this happens only + * with a single policy zone when we have no summary database. + * Treat it as a miss. */ case DNS_R_NXDOMAIN: case DNS_R_EMPTYNAME: - /* - * If we don't get a qname hit, - * see if it is worth looking for other types. - */ - (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st); - dns_db_detach(dbp); - dns_zone_detach(zonep); - result = DNS_R_NXDOMAIN; - policy = DNS_RPZ_POLICY_MISS; - break; + return (DNS_R_NXDOMAIN); default: - dns_db_detach(dbp); - dns_zone_detach(zonep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef, + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); return (DNS_R_SERVFAIL); } +} - *policyp = policy; - return (result); +static void +rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, + isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_dbversion_t *version) +{ + dns_rdataset_t *trdataset; + + rpz_match_clear(st); + st->m.rpz = rpz; + st->m.type = rpz_type; + st->m.policy = policy; + dns_name_copy(p_name, st->p_name, NULL); + st->m.prefix = prefix; + st->m.result = result; + st->m.zone = *zonep; + *zonep = NULL; + st->m.db = *dbp; + *dbp = NULL; + st->m.node = *nodep; + *nodep = NULL; + if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { + /* + * Save the replacement rdataset from the policy + * and make the previous replacement rdataset scratch. + */ + trdataset = st->m.rdataset; + st->m.rdataset = *rdatasetp; + *rdatasetp = trdataset; + st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); + } else { + st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); + } + st->m.version = version; } /* - * Build and look for a QNAME or NSDNAME owner name in a response policy zone. + * Check this address in every eligible policy zone. */ static isc_result_t -rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, - dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp) +rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { + dns_rpz_zones_t *rpzs; dns_rpz_st_t *st; dns_rpz_zone_t *rpz; - dns_fixedname_t prefixf, rpz_qnamef; - dns_name_t *prefix, *suffix, *rpz_qname; - dns_zone_t *zone; - dns_db_t *db; - dns_dbversion_t *version; - dns_dbnode_t *node; + dns_rpz_prefix_t prefix; + dns_rpz_num_t rpz_num; + dns_fixedname_t ip_namef, p_namef; + dns_name_t *ip_name, *p_name; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; dns_rpz_policy_t policy; - unsigned int labels; isc_result_t result; - st = client->query.rpz_st; - zone = NULL; - db = NULL; - node = NULL; + dns_fixedname_init(&ip_namef); + ip_name = dns_fixedname_name(&ip_namef); - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + rpzs = client->view->rpzs; + st = client->query.rpz_st; + while (zbits != 0) { + rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, + ip_name, &prefix); + if (rpz_num == DNS_RPZ_INVALID_NUM) + break; + zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); /* - * Do not check policy zones that cannot replace a policy - * already known to match. + * Do not try applying policy zones that cannot replace a + * previously found policy zone. + * Stop looking if the next best choice cannot + * replace what we already have. */ + rpz = rpzs->zones[rpz_num]; if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.rpz->num < rpz->num) break; if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; + (st->m.type < rpz_type || + st->m.prefix > prefix)) + break; } + /* - * Construct the policy's owner name. + * Get the policy for a prefix at least as long + * as the prefix of the entry we had before. */ - dns_fixedname_init(&prefixf); - prefix = dns_fixedname_name(&prefixf); - dns_name_split(qname, 1, prefix, NULL); - if (rpz_type == DNS_RPZ_TYPE_NSDNAME) - suffix = &rpz->nsdname; - else - suffix = &rpz->origin; - dns_fixedname_init(&rpz_qnamef); - rpz_qname = dns_fixedname_name(&rpz_qnamef); - for (;;) { - result = dns_name_concatenate(prefix, suffix, - rpz_qname, NULL); - if (result == ISC_R_SUCCESS) - break; - INSIST(result == DNS_R_NAMETOOLONG); + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, ip_name, qtype, + p_name, rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + p_rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: /* - * Trim the name until it is not too long. + * Continue after a policy record that is missing + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. */ - labels = dns_name_countlabels(prefix); - if (labels < 2) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, suffix, - "concatentate() ", result); - return (ISC_R_SUCCESS); - } - if (labels+1 == dns_name_countlabels(qname)) { - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, - rpz_type, suffix, - "concatentate() ", result); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + default: + /* + * Forget this policy if it is not preferable + * to the previously found policy. + * If this policy is not good, then stop looking + * because none of the later policy zones would work. + * + * With more than one applicable policy, prefer + * the earliest configured policy, + * client-IP over QNAME over IP over NSDNAME over NSIP, + * the longest prefix + * the lexically smallest address. + * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. + * We can compare new and current p_name because + * both are of the same type and in the same zone. + * The tests above eliminate other reasons to + * reject this policy. If this policy can't work, + * then neither can later zones. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + rpz->num == st->m.rpz->num && + (st->m.type == rpz_type && + st->m.prefix == prefix && + 0 > dns_name_rdatacompare(st->p_name, p_name))) + break; + + /* + * Stop checking after saving an enabled hit in this + * policy zone. The radix tree in the policy zone + * ensures that we found the longest match. + */ + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, prefix, result, + &p_zone, &p_db, &p_node, + p_rdatasetp, p_version); + break; } - dns_name_split(prefix, labels - 1, NULL, prefix); + + /* + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. + */ + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + } + } + + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + return (ISC_R_SUCCESS); +} + +/* + * Check the IP addresses in the A or AAAA rrsets for name against + * all eligible rpz_type (IP or NSIP) response policy rewrite rules. + */ +static isc_result_t +rpz_rewrite_ip_rrset(ns_client_t *client, + dns_name_t *name, dns_rdatatype_t qtype, + dns_rpz_type_t rpz_type, dns_rdatatype_t ip_type, + dns_db_t **ip_dbp, dns_dbversion_t *ip_version, + dns_rdataset_t **ip_rdatasetp, + dns_rdataset_t **p_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_zbits_t zbits; + isc_netaddr_t netaddr; + struct in_addr ina; + struct in6_addr in6a; + isc_result_t result; + + zbits = rpz_get_zbits(client, ip_type, rpz_type); + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * Get the A or AAAA rdataset. + */ + result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp, + ip_version, ip_rdatasetp, resuming); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + break; + case DNS_R_EMPTYNAME: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + return (ISC_R_SUCCESS); + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + return (result); + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, + "NS address rewrite rrset ", result); + return (ISC_R_SUCCESS); + break; + default: + if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { + client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, "NS address rewrite rrset ", + result); + } + return (DNS_R_SERVFAIL); + } + + /* + * Check all of the IP addresses in the rdataset. + */ + for (result = dns_rdataset_first(*ip_rdatasetp); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(*ip_rdatasetp)) { + + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(*ip_rdatasetp, &rdata); + switch (rdata.type) { + case dns_rdatatype_a: + INSIST(rdata.length == 4); + memcpy(&ina.s_addr, rdata.data, 4); + isc_netaddr_fromin(&netaddr, &ina); + break; + case dns_rdatatype_aaaa: + INSIST(rdata.length == 16); + memcpy(in6a.s6_addr, rdata.data, 16); + isc_netaddr_fromin6(&netaddr, &in6a); + break; + default: + continue; + } + + result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, + zbits, p_rdatasetp); + if (result != ISC_R_SUCCESS) + return (result); + } + + return (ISC_R_SUCCESS); +} + +/* + * Look for IP addresses in A and AAAA rdatasets + * that trigger all eligible IP or NSIP policy rules. + */ +static isc_result_t +rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rdataset_t **ip_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_st_t *st; + dns_dbversion_t *ip_version; + dns_db_t *ip_db; + dns_rdataset_t *p_rdataset; + isc_result_t result; + + st = client->query.rpz_st; + ip_version = NULL; + ip_db = NULL; + p_rdataset = NULL; + if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && + (qtype == dns_rdatatype_a || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on an IPv4 address that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_a, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + if (result == ISC_R_SUCCESS) + st->state |= DNS_RPZ_DONE_IPv4; + } else { + result = ISC_R_SUCCESS; + } + if (result == ISC_R_SUCCESS && + (qtype == dns_rdatatype_aaaa || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on IPv6 addresses that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_aaaa, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + } + if (ip_db != NULL) + dns_db_detach(&ip_db); + query_putrdataset(client, &p_rdataset); + return (result); +} + +/* + * Try to rewrite a request for a qtype rdataset based on the trigger name + * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). + * Record the results including the replacement rdataset if any + * in client->query.rpz_st. + * *rdatasetp is a scratch rdataset. + */ +static isc_result_t +rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t allowed_zbits, dns_rdataset_t **rdatasetp) +{ + dns_rpz_zone_t *rpz; + dns_rpz_st_t *st; + dns_fixedname_t p_namef; + dns_name_t *p_name; + dns_rpz_zbits_t zbits; + dns_rpz_num_t rpz_num; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + isc_result_t result; + + zbits = rpz_get_zbits(client, qtype, rpz_type); + zbits &= allowed_zbits; + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * If there is only one eligible policy zone, just check it. + * If more than one, then use the summary database to find + * the bit mask of policy zones with policies for this trigger name. + * x&-x is the least significant bit set in x + */ + if (zbits != (zbits & -zbits)) { + zbits = dns_rpz_find_name(client->view->rpzs, + rpz_type, zbits, trig_name); + if (zbits == 0) + return (ISC_R_SUCCESS); + } + + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + st = client->query.rpz_st; + + /* + * Check the trigger name in every policy zone that the summary data + * says has a hit for the trigger name. + * Most of the time there are no eligible zones and the summary data + * keeps us from getting this far. + * We check the most eligible zone first and so usually check only + * one policy zone. + */ + for (rpz_num = 0; + zbits != 0; + ++rpz_num, zbits >>= 1) { + if ((zbits & 1) == 0) { + INSIST(rpz_num <= client->view->rpzs->p.num_zones); + continue; } /* - * See if the policy record exists and get its policy. + * Do not check policy zones that cannot replace a previously + * found policy. */ - result = rpz_find(client, qtype, rpz_qname, qname, rpz, - rpz_type, &zone, &db, &version, &node, - rdatasetp, &policy); + rpz = client->view->rpzs->zones[rpz_num]; + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.rpz->num < rpz->num) + break; + if (st->m.rpz->num == rpz->num && + st->m.type < rpz_type) + break; + } + + /* + * Get the next policy zone's record for this trigger name. + */ + result = rpz_get_p_name(client, p_name, rpz, rpz_type, + trig_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, trig_name, qtype, p_name, + rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: - break; + /* + * Continue after a missing policy record + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. + */ + continue; case DNS_R_SERVFAIL: - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); default: /* - * We are dealing with names here. * With more than one applicable policy, prefer * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, + * client-IP over QNAME over IP over NSDNAME over NSIP, * and the smallest name. - * Because of the testing above, - * we known st->m.rpz->num >= rpz->num and either + * We known st->m.rpz->num >= rpz->num and either * st->m.rpz->num > rpz->num or st->m.type >= rpz_type */ if (st->m.policy != DNS_RPZ_POLICY_MISS && rpz->num == st->m.rpz->num && (st->m.type < rpz_type || (st->m.type == rpz_type && - 0 >= dns_name_compare(rpz_qname, st->qname)))) + 0 >= dns_name_compare(p_name, st->p_name)))) continue; #if 0 /* @@ -4505,11 +4801,12 @@ * names in TLDs that start with "rpz-" should * ICANN ever allow such TLDs. */ - labels = dns_name_countlabels(qname); + unsigned int labels; + labels = dns_name_countlabels(trig_name); if (labels >= 2) { dns_label_t label; - dns_name_getlabel(qname, labels-2, &label); + dns_name_getlabel(trig_name, labels-2, &label); if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 && strncasecmp((const char *)label.base+1, DNS_RPZ_PREFIX, @@ -4517,46 +4814,29 @@ continue; } #endif + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, 0, result, + &p_zone, &p_db, &p_node, + rdatasetp, p_version); + /* + * After a hit, higher numbered policy zones + * are irrelevant + */ + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + return (ISC_R_SUCCESS); + } /* - * Merely log DNS_RPZ_POLICY_DISABLED hits. + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - rpz_log_rewrite(client, ISC_TRUE, policy, - rpz_type, zone, rpz_qname); - continue; - } - - rpz_match_clear(st); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = 0; - st->m.policy = policy; - st->m.result = result; - dns_name_copy(rpz_qname, st->qname, NULL); - if (*rdatasetp != NULL && - dns_rdataset_isassociated(*rdatasetp)) { - dns_rdataset_t *trdataset; - - trdataset = st->m.rdataset; - st->m.rdataset = *rdatasetp; - *rdatasetp = trdataset; - st->m.ttl = ISC_MIN(st->m.rdataset->ttl, - rpz->max_policy_ttl); - } else { - st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, - rpz->max_policy_ttl); - } - st->m.node = node; - node = NULL; - st->m.db = db; - db = NULL; - st->m.version = version; - st->m.zone = zone; - zone = NULL; + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + break; } } - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); return (ISC_R_SUCCESS); } @@ -4569,7 +4849,7 @@ st = client->query.rpz_st; if (str != NULL) - rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname, + rpz_log_fail(client, level, nsname, DNS_RPZ_TYPE_NSIP, str, result); if (st->r.ns_rdataset != NULL && dns_rdataset_isassociated(st->r.ns_rdataset)) @@ -4589,7 +4869,9 @@ dns_rdataset_t *rdataset; dns_fixedname_t nsnamef; dns_name_t *nsname; - isc_boolean_t ck_ip; + int qresult_type; + dns_rpz_zbits_t zbits; + isc_netaddr_t netaddr; isc_result_t result; st = client->query.rpz_st; @@ -4603,10 +4885,10 @@ st->m.policy = DNS_RPZ_POLICY_MISS; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); - dns_fixedname_init(&st->_qnamef); + dns_fixedname_init(&st->_p_namef); dns_fixedname_init(&st->_r_namef); dns_fixedname_init(&st->_fnamef); - st->qname = dns_fixedname_name(&st->_qnamef); + st->p_name = dns_fixedname_name(&st->_p_namef); st->r_name = dns_fixedname_name(&st->_r_namef); st->fname = dns_fixedname_name(&st->_fnamef); client->query.rpz_st = st; @@ -4619,7 +4901,7 @@ case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: - ck_ip = ISC_TRUE; + qresult_type = 0; break; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: @@ -4629,73 +4911,136 @@ case DNS_R_NCACHENXRRSET: case DNS_R_CNAME: case DNS_R_DNAME: - ck_ip = ISC_FALSE; + qresult_type = 1; break; case DNS_R_DELEGATION: case ISC_R_NOTFOUND: - return (ISC_R_SUCCESS); + qresult_type = 2; + break; case ISC_R_FAILURE: case ISC_R_TIMEDOUT: case DNS_R_BROKENCHAIN: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME, - client->query.qname, - "stop on qresult in rpz_rewrite() ", - qresult); + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, client->query.qname, + DNS_RPZ_TYPE_QNAME, + "stop on qresult in rpz_rewrite() ", qresult); return (ISC_R_SUCCESS); default: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME, - client->query.qname, + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, client->query.qname, + DNS_RPZ_TYPE_QNAME, "stop on unrecognized qresult in rpz_rewrite() ", qresult); return (ISC_R_SUCCESS); } rdataset = NULL; + + /* + * Check triggers for the client IP address once. + */ + if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { + st->state |= DNS_RPZ_DONE_CLIENT_IP; + zbits = rpz_get_zbits(client, dns_rdatatype_none, + DNS_RPZ_TYPE_CLIENT_IP); + if (zbits != 0) { + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + result = rpz_rewrite_ip(client, &netaddr, qtype, + DNS_RPZ_TYPE_CLIENT_IP, + zbits, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + + /* + * Check triggers for the query name if this is the first time + * for the current qname. + * There is a first time for each name in a CNAME chain. + */ if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + if (qresult_type == 2) { + /* + * This request needs recursion that has not been done. + * Get bits for the policy zones that do not + * require recursion be done before applying their + * policies. By not recursing after applying their + * policies, those policy zones leak information + * to operators of the targeted zones. + * Bail out to wait for recursion if there are no + * such policies. + */ + zbits = client->view->rpzs->have.qname_skip_recurse; + if (zbits == 0) { + result = ISC_R_SUCCESS; + goto cleanup; + } + } else { + zbits = DNS_RPZ_ALL_ZBITS; + } + result = rpz_rewrite_name(client, client->query.qname, qtype, + DNS_RPZ_TYPE_QNAME, zbits, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + /* - * Check rules for the query name if this is the first time - * for the current qname, i.e. we've not been recursing. - * There is a first time for each name in a CNAME chain. + * This may have been an attempt to find a qname trigger + * before required recursion (qresult_type == 2). + * If so and no pre-recursion triggers hit, then quit and + * do everything again after recursing. Do not bother saving + * the work already done, because recursion is so slow. + * If a pre-recursion trigger hit, then no other triggers + * can be relevant and so quit. */ - result = rpz_rewrite_name(client, qtype, client->query.qname, - DNS_RPZ_TYPE_QNAME, &rdataset); - if (result != ISC_R_SUCCESS) + if (qresult_type == 2) goto cleanup; st->r.label = dns_name_countlabels(client->query.qname); + /* + * Check IP addresses for the qname next, + * starting with IPv4 addresses. + */ st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); st->state |= DNS_RPZ_DONE_QNAME; } /* - * Check known IP addresses for the query name. + * Check known IP addresses for the query name if the database + * lookup resulted in some addresses (qresult_type == 0) + * and if we have not already checked them. * Any recursion required for the query has already happened. * Do not check addresses that will not be in the ANSWER section. */ - if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && - (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) { - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP, - client->query.qname, qtype, - &rdataset, resuming); + if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && qresult_type == 0 && + rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) { + result = rpz_rewrite_ip_rrsets(client, + client->query.qname, qtype, + DNS_RPZ_TYPE_IP, + &rdataset, resuming); if (result != ISC_R_SUCCESS) goto cleanup; - st->state &= ~DNS_RPZ_DONE_IPv4; + /* + * We are finished checking the IP addresses for the qname. + * Start with IPv4 if we will check NS IP addesses. + */ st->state |= DNS_RPZ_DONE_QNAME_IP; + st->state &= ~DNS_RPZ_DONE_IPv4; } /* - * Stop looking for rules if there are none of the other kinds. + * Stop looking for rules if there are none of the other kinds + * that could override what we already have. */ - if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 | - DNS_RPZ_HAVE_NSDNAME)) == 0) { + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) { result = ISC_R_SUCCESS; goto cleanup; } dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); - while (st->r.label > client->view->rpz_min_ns_labels) { + while (st->r.label > client->view->rpzs->p.min_ns_labels) { /* * Get NS rrset for each domain in the current qname. */ @@ -4709,8 +5054,8 @@ if (st->r.ns_rdataset == NULL || !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; - result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME, - nsname, dns_rdatatype_ns, + result = rpz_rrset_find(client, nsname, dns_rdatatype_ns, + DNS_RPZ_TYPE_NSDNAME, &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) @@ -4765,7 +5110,7 @@ dns_rdata_reset(&nsrdata); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - DNS_RPZ_TYPE_NSIP, nsname, + nsname, DNS_RPZ_TYPE_NSIP, "rdata_tostruct() ", result); st->m.policy = DNS_RPZ_POLICY_ERROR; goto cleanup; @@ -4782,11 +5127,11 @@ * Check this NS name if we did not handle it * during a previous recursion. */ - if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 && - (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) { - result = rpz_rewrite_name(client, qtype, - &ns.name, + if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { + result = rpz_rewrite_name(client, &ns.name, + qtype, DNS_RPZ_TYPE_NSDNAME, + DNS_RPZ_ALL_ZBITS, &rdataset); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&ns); @@ -4797,9 +5142,9 @@ /* * Check all IP addresses for this NS name. */ - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP, - &ns.name, dns_rdatatype_any, - &rdataset, resuming); + result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, + DNS_RPZ_TYPE_NSIP, + &rdataset, resuming); dns_rdata_freestruct(&ns); if (result != ISC_R_SUCCESS) goto cleanup; @@ -4809,10 +5154,16 @@ } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); st->r.label--; + + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) + break; } /* - * Use the best, if any, hit. + * Use the best hit, if any. */ result = ISC_R_SUCCESS; @@ -4827,7 +5178,7 @@ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && result != DNS_R_DELEGATION) rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { @@ -4846,19 +5197,25 @@ * by the client in DNSSEC or a lack of signatures. */ static isc_boolean_t -rpz_ck_dnssec(ns_client_t *client, isc_result_t result, +rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_fixedname_t fixed; dns_name_t *found; dns_rdataset_t trdataset; dns_rdatatype_t type; + isc_result_t result; - if (client->view->rpz_break_dnssec) + if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) return (ISC_TRUE); + /* - * sigrdataset == NULL if and only !WANTDNSSEC(client) + * We do not know if there are signatures if we have not recursed + * for them. */ + if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) + return (ISC_FALSE); + if (sigrdataset == NULL) return (ISC_TRUE); if (dns_rdataset_isassociated(sigrdataset)) @@ -4938,7 +5295,7 @@ if (result != ISC_R_SUCCESS) return (result); rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); ns_client_qnamereplace(client, fname); /* * Turn off DNSSEC because the results of a @@ -5865,8 +6222,130 @@ resume: CTRACE("query_find: resume"); - if (!ISC_LIST_EMPTY(client->view->rpz_zones) && - (RECURSIONOK(client) || !client->view->rpz_recursive_only) && + /* + * Rate limit these responses to this client. + * Do not delay counting and handling obvious referrals, + * since those won't come here again. + * Delay handling delegations for which we are certain to recurse and + * return here (DNS_R_DELEGATION, not a child of one of our + * own zones, and recursion enabled) + * Count each response at most once. + */ + if (client->view->rrl != NULL && + ((fname != NULL && dns_name_isabsolute(fname)) || + (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) && + !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) && + (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) { + dns_rdataset_t nc_rdataset; + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + isc_result_t nc_result, resp_result; + dns_rrl_result_t rrl_result; + + client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; + + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + tname = fname; + if (result == DNS_R_NXDOMAIN) { + /* + * Use the database origin name to rate limit NXDOMAIN + */ + if (db != NULL) + tname = dns_db_origin(db); + resp_result = result; + } else if (result == DNS_R_NCACHENXDOMAIN && + rdataset != NULL && + dns_rdataset_isassociated(rdataset) && + (rdataset->attributes & + DNS_RDATASETATTR_NEGATIVE) != 0) { + /* + * Try to use owner name in the negative cache SOA. + */ + dns_fixedname_init(&fixed); + dns_rdataset_init(&nc_rdataset); + for (nc_result = dns_rdataset_first(rdataset); + nc_result == ISC_R_SUCCESS; + nc_result = dns_rdataset_next(rdataset)) { + dns_ncache_current(rdataset, + dns_fixedname_name(&fixed), + &nc_rdataset); + if (nc_rdataset.type == dns_rdatatype_soa) { + dns_rdataset_disassociate(&nc_rdataset); + tname = dns_fixedname_name(&fixed); + break; + } + dns_rdataset_disassociate(&nc_rdataset); + } + resp_result = DNS_R_NXDOMAIN; + } else if (result == DNS_R_NXRRSET || + result == DNS_R_EMPTYNAME) { + resp_result = DNS_R_NXRRSET; + } else if (result == DNS_R_DELEGATION) { + resp_result = result; + } else if (result == ISC_R_NOTFOUND) { + /* + * Handle referral to ".", including when recursion + * is off or not requested and the hints have not + * been loaded or we have "additional-from-cache no". + */ + tname = dns_rootname; + resp_result = DNS_R_DELEGATION; + } else { + resp_result = ISC_R_SUCCESS; + } + rrl_result = dns_rrl(client->view, &client->peeraddr, + ISC_TF((client->attributes + & NS_CLIENTATTR_TCP) != 0), + client->message->rdclass, qtype, tname, + resp_result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped or slipped responses in the query + * category so that requests are not silently lost. + * Starts of rate-limited bursts are logged in + * DNS_LOGCATEGORY_RRL. + * + * Dropped responses are counted with dropped queries + * in QryDropped while slipped responses are counted + * with other truncated responses in RespTruncated. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_QUERY, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + if (!client->view->rrl->log_only) { + if (rrl_result == DNS_RRL_RESULT_DROP) { + /* + * These will also be counted in + * dns_nsstatscounter_dropped + */ + inc_stats(client, + dns_nsstatscounter_ratedropped); + QUERY_ERROR(DNS_R_DROP); + } else { + /* + * These will also be counted in + * dns_nsstatscounter_truncatedresp + */ + inc_stats(client, + dns_nsstatscounter_rateslipped); + client->message->flags |= + DNS_MESSAGEFLAG_TC; + if (resp_result == DNS_R_NXDOMAIN) + client->message->rcode = + dns_rcode_nxdomain; + } + goto cleanup; + } + } + } + + if (client->view->rpzs != NULL && client->view->rpzs->p.num_zones != 0 && + (RECURSIONOK(client) || client->view->rpzs->p.no_rd_ok != 0) && rpz_ck_dnssec(client, result, rdataset, sigrdataset) && !RECURSING(client) && (client->query.rpz_st == NULL || @@ -5910,7 +6389,8 @@ if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS && rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) { + if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME || + rpz_st->m.type == DNS_RPZ_TYPE_CLIENT_IP) { result = dns_name_copy(client->query.qname, fname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -5934,6 +6414,9 @@ rpz_st->m.zone = NULL; switch (rpz_st->m.policy) { + case DNS_RPZ_POLICY_DROP: + QUERY_ERROR(DNS_R_DROP); + break; case DNS_RPZ_POLICY_NXDOMAIN: result = DNS_R_NXDOMAIN; break; @@ -6002,7 +6485,7 @@ rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, - rpz_st->m.type, zone, rpz_st->qname); + rpz_st->m.type, zone, rpz_st->p_name); } } @@ -7318,12 +7801,14 @@ } if (eresult != ISC_R_SUCCESS && - (!PARTIALANSWER(client) || WANTRECURSION(client))) { + (!PARTIALANSWER(client) || WANTRECURSION(client) + || eresult == DNS_R_DROP)) { if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { /* * This was a duplicate query that we are - * recursing on. Don't send a response now. - * The original query will still cause a response. + * recursing on or the result of rate limiting. + * Don't send a response now for a duplicate query, + * because the original will still cause a response. */ query_next(client, eresult); } else { Index: bin/named/server.c =================================================================== --- bin/named/server.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/server.c 2013-08-05 14:14:45.879498052 +0200 @@ -373,7 +373,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added); + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok); static isc_result_t add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx); @@ -1549,17 +1550,24 @@ } static isc_result_t -configure_rpz(dns_view_t *view, const cfg_listelt_t *element, - isc_boolean_t recursive_only_def, dns_ttl_t ttl_def) +configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, + isc_boolean_t recursive_only_def, dns_ttl_t ttl_def, + const dns_rpz_zone_t *old, isc_boolean_t *old_rpz_okp) { const cfg_obj_t *rpz_obj, *obj; const char *str; - dns_rpz_zone_t *old, *new; + dns_rpz_zone_t *new; isc_result_t result; + dns_rpz_num_t rpz_num; + + REQUIRE(old != NULL || !*old_rpz_okp); rpz_obj = cfg_listelt_value(element); - new = isc_mem_get(view->mctx, sizeof(*new)); + if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) + return (ISC_R_NOMEMORY); + + new = isc_mem_get(view->rpzs->mctx, sizeof(*new)); if (new == NULL) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "no memory for response policy zones"); @@ -1567,20 +1575,28 @@ } memset(new, 0, sizeof(*new)); + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + isc_mem_put(view->rpzs->mctx, new, sizeof(*new)); + return (result); + } dns_name_init(&new->origin, NULL); + dns_name_init(&new->client_ip, NULL); + dns_name_init(&new->ip, NULL); dns_name_init(&new->nsdname, NULL); + dns_name_init(&new->nsip, NULL); dns_name_init(&new->passthru, NULL); + dns_name_init(&new->drop, NULL); dns_name_init(&new->cname, NULL); - ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link); + new->num = view->rpzs->p.num_zones++; + view->rpzs->zones[new->num] = new; obj = cfg_tuple_get(rpz_obj, "recursive-only"); - if (cfg_obj_isvoid(obj)) { - new->recursive_only = recursive_only_def; + if (cfg_obj_isvoid(obj) ? recursive_only_def : cfg_obj_asboolean(obj)) { + view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(new->num); } else { - new->recursive_only = cfg_obj_asboolean(obj); + view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(new->num); } - if (!new->recursive_only) - view->rpz_recursive_only = ISC_FALSE; obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); if (cfg_obj_isuint32(obj)) { @@ -1588,6 +1604,8 @@ } else { new->max_policy_ttl = ttl_def; } + if (*old_rpz_okp && new->max_policy_ttl != old->max_policy_ttl) + *old_rpz_okp = ISC_FALSE; str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name")); result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone"); @@ -1598,25 +1616,45 @@ "invalid zone name '%s'", str); return (DNS_R_EMPTYLABEL); } - for (old = ISC_LIST_HEAD(view->rpz_zones); - old != new; - old = ISC_LIST_NEXT(old, link)) { - ++new->num; - if (dns_name_equal(&old->origin, &new->origin)) { + for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones-1; ++rpz_num) { + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, + &new->origin)) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "duplicate '%s'", str); result = DNS_R_DUPLICATE; return (result); } } + if (*old_rpz_okp && !dns_name_equal(&old->origin, &new->origin)) + *old_rpz_okp = ISC_FALSE; + + result = configure_rpz_name2(view, rpz_obj, &new->client_ip, + DNS_RPZ_CLIENT_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name2(view, rpz_obj, &new->ip, + DNS_RPZ_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); result = configure_rpz_name2(view, rpz_obj, &new->nsdname, DNS_RPZ_NSDNAME_ZONE, &new->origin); if (result != ISC_R_SUCCESS) return (result); + result = configure_rpz_name2(view, rpz_obj, &new->nsip, + DNS_RPZ_NSIP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + result = configure_rpz_name(view, rpz_obj, &new->passthru, - DNS_RPZ_PASSTHRU_ZONE, "zone"); + DNS_RPZ_PASSTHRU_NAME, "name"); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name(view, rpz_obj, &new->drop, + DNS_RPZ_DROP_NAME, "name"); if (result != ISC_R_SUCCESS) return (result); @@ -1635,8 +1673,280 @@ return (result); } } + if (*old_rpz_okp && (new->policy != old->policy || + !dns_name_equal(&old->cname, &new->cname))) + *old_rpz_okp = ISC_FALSE; + + return (ISC_R_SUCCESS); +} + +static isc_result_t +configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj, + isc_boolean_t *old_rpz_okp) +{ + const cfg_listelt_t *zone_element; + const cfg_obj_t *sub_obj; + isc_boolean_t recursive_only_def; + dns_ttl_t ttl_def; + dns_rpz_zones_t *new; + const dns_rpz_zones_t *old; + dns_view_t *pview; + const dns_rpz_zone_t *old_zone; + isc_result_t result; + int i; + + *old_rpz_okp = ISC_FALSE; + + zone_element = cfg_list_first(cfg_tuple_get(rpz_obj, "zone list")); + if (zone_element == NULL) + return (ISC_R_SUCCESS); + + result = dns_rpz_new_zones(&view->rpzs, view->mctx); + if (result != ISC_R_SUCCESS) + return (result); + new = view->rpzs; + + sub_obj = cfg_tuple_get(rpz_obj, "recursive-only"); + if (!cfg_obj_isvoid(sub_obj) && + !cfg_obj_asboolean(sub_obj)) + recursive_only_def = ISC_FALSE; + else + recursive_only_def = ISC_TRUE; + + sub_obj = cfg_tuple_get(rpz_obj, "break-dnssec"); + if (!cfg_obj_isvoid(sub_obj) && + cfg_obj_asboolean(sub_obj)) + new->p.break_dnssec = ISC_TRUE; + else + new->p.break_dnssec = ISC_FALSE; + + sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); + if (cfg_obj_isuint32(sub_obj)) + ttl_def = cfg_obj_asuint32(sub_obj); + else + ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; + + sub_obj = cfg_tuple_get(rpz_obj, "min-ns-dots"); + if (cfg_obj_isuint32(sub_obj)) + new->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1; + else + new->p.min_ns_labels = 2; + + sub_obj = cfg_tuple_get(rpz_obj, "qname-wait-recurse"); + if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) + new->p.qname_wait_recurse = ISC_TRUE; + else + new->p.qname_wait_recurse = ISC_FALSE; + + pview = NULL; + result = dns_viewlist_find(&ns_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result == ISC_R_SUCCESS) { + old = pview->rpzs; + } else { + old = NULL; + } + if (old == NULL) + *old_rpz_okp = ISC_FALSE; + else + *old_rpz_okp = ISC_TRUE; + + for (i = 0; + zone_element != NULL; + ++i, zone_element = cfg_list_next(zone_element)) { + if (*old_rpz_okp && i < old->p.num_zones) { + old_zone = old->zones[i]; + } else { + *old_rpz_okp = ISC_FALSE; + old_zone = NULL; + } + result = configure_rpz_zone(view, zone_element, + recursive_only_def, ttl_def, + old_zone, old_rpz_okp); + if (result != ISC_R_SUCCESS) { + if (pview != NULL) + dns_view_detach(&pview); + return (result); + } + } + + /* + * If this is a reloading and the parameters and list of policy + * zones are unchanged, then use the same policy data. + * Data for individual zones that must be reloaded will be merged. + */ + if (old != NULL && memcmp(&old->p, &new->p, sizeof(new->p)) != 0) + *old_rpz_okp = ISC_FALSE; + if (*old_rpz_okp) { + dns_rpz_detach_rpzs(&view->rpzs); + dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs); + } + if (pview != NULL) + dns_view_detach(&pview); + + return (ISC_R_SUCCESS); +} + +#define CHECK_RRL(cond, pat, val1, val2) \ + do { \ + if (!(cond)) { \ + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, \ + pat, val1, val2); \ + result = ISC_R_RANGE; \ + goto cleanup; \ + } \ + } while (0) + +#define CHECK_RRL_RATE(rate, def, max_rate, name) \ + do { \ + obj = NULL; \ + rrl->rate.str = name; \ + result = cfg_map_get(map, name, &obj); \ + if (result == ISC_R_SUCCESS) { \ + rrl->rate.r = cfg_obj_asuint32(obj); \ + CHECK_RRL(rrl->rate.r <= max_rate, \ + name" %d > %d", \ + rrl->rate.r, max_rate); \ + } else { \ + rrl->rate.r = def; \ + } \ + rrl->rate.scaled = rrl->rate.r; \ + } while (0) + +static isc_result_t +configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) { + const cfg_obj_t *obj; + dns_rrl_t *rrl; + isc_result_t result; + int min_entries, i, j; + + /* + * Most DNS servers have few clients, but intentinally open + * recursive and authoritative servers often have many. + * So start with a small number of entries unless told otherwise + * to reduce cold-start costs. + */ + min_entries = 500; + obj = NULL; + result = cfg_map_get(map, "min-table-size", &obj); + if (result == ISC_R_SUCCESS) { + min_entries = cfg_obj_asuint32(obj); + if (min_entries < 1) + min_entries = 1; + } + result = dns_rrl_init(&rrl, view, min_entries); + if (result != ISC_R_SUCCESS) + return (result); + + i = ISC_MAX(20000, min_entries); + obj = NULL; + result = cfg_map_get(map, "max-table-size", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= min_entries, + "max-table-size %d < min-table-size %d", + i, min_entries); + } + rrl->max_entries = i; + + CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE, + "responses-per-second"); + CHECK_RRL_RATE(referrals_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "referrals-per-second"); + CHECK_RRL_RATE(nodata_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nodata-per-second"); + CHECK_RRL_RATE(nxdomains_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nxdomains-per-second"); + CHECK_RRL_RATE(errors_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "errors-per-second"); + + CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, + "all-per-second"); + + CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, + "slip"); + + i = 15; + obj = NULL; + result = cfg_map_get(map, "window", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW, + "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW); + } + rrl->window = i; + + i = 0; + obj = NULL; + result = cfg_map_get(map, "qps-scale", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, ""); + } + rrl->qps_scale = i; + rrl->qps = 1.0; + + i = 24; + obj = NULL; + result = cfg_map_get(map, "ipv4-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 8 && i <= 32, + "invalid 'ipv4-prefix-length %d'%s", i, ""); + } + rrl->ipv4_prefixlen = i; + if (i == 32) + rrl->ipv4_mask = 0xffffffff; + else + rrl->ipv4_mask = htonl(0xffffffff << (32-i)); + + i = 56; + obj = NULL; + result = cfg_map_get(map, "ipv6-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX, + "ipv6-prefix-length %d < 16 or > %d", + i, DNS_RRL_MAX_PREFIX); + } + rrl->ipv6_prefixlen = i; + for (j = 0; j < 4; ++j) { + if (i <= 0) { + rrl->ipv6_mask[j] = 0; + } else if (i < 32) { + rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i)); + } else { + rrl->ipv6_mask[j] = 0xffffffff; + } + i -= 32; + } + + obj = NULL; + result = cfg_map_get(map, "exempt-clients", &obj); + if (result == ISC_R_SUCCESS) { + result = cfg_acl_fromconfig(obj, config, ns_g_lctx, + ns_g_aclconfctx, ns_g_mctx, + 0, &rrl->exempt); + CHECK_RRL(result == ISC_R_SUCCESS, + "invalid %s%s", "address match list", ""); + } + + obj = NULL; + result = cfg_map_get(map, "log-only", &obj); + if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj)) + rrl->log_only = ISC_TRUE; + else + rrl->log_only = ISC_FALSE; return (ISC_R_SUCCESS); + + cleanup: + dns_rrl_view_destroy(view); + return (result); } /* @@ -1705,7 +2015,7 @@ dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL; unsigned int query_timeout, ndisp; struct cfg_context *nzctx; - dns_rpz_zone_t *rpz; + isc_boolean_t old_rpz_ok; REQUIRE(DNS_VIEW_VALID(view)); @@ -1810,44 +2120,7 @@ obj = NULL; if (view->rdclass == dns_rdataclass_in && need_hints && ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { - const cfg_obj_t *rpz_obj; - isc_boolean_t recursive_only_def; - dns_ttl_t ttl_def; - - rpz_obj = cfg_tuple_get(obj, "recursive-only"); - if (!cfg_obj_isvoid(rpz_obj) && - !cfg_obj_asboolean(rpz_obj)) - recursive_only_def = ISC_FALSE; - else - recursive_only_def = ISC_TRUE; - - rpz_obj = cfg_tuple_get(obj, "break-dnssec"); - if (!cfg_obj_isvoid(rpz_obj) && - cfg_obj_asboolean(rpz_obj)) - view->rpz_break_dnssec = ISC_TRUE; - else - view->rpz_break_dnssec = ISC_FALSE; - - rpz_obj = cfg_tuple_get(obj, "max-policy-ttl"); - if (cfg_obj_isuint32(rpz_obj)) - ttl_def = cfg_obj_asuint32(rpz_obj); - else - ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; - - rpz_obj = cfg_tuple_get(obj, "min-ns-dots"); - if (cfg_obj_isuint32(rpz_obj)) - view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1; - else - view->rpz_min_ns_labels = 2; - - element = cfg_list_first(cfg_tuple_get(obj, "zone list")); - while (element != NULL) { - result = configure_rpz(view, element, - recursive_only_def, ttl_def); - if (result != ISC_R_SUCCESS) - goto cleanup; - element = cfg_list_next(element); - } + CHECK(configure_rpz(view, obj, &old_rpz_ok)); } /* @@ -1868,22 +2141,29 @@ { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, - actx, ISC_FALSE)); + actx, ISC_FALSE, old_rpz_ok)); } - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (!rpz->defined) { - char namebuf[DNS_NAME_FORMATSIZE]; + /* + * Check that a master or slave zone was found for each + * zone named in the response policy statement. + */ + if (view->rpzs != NULL) { + dns_rpz_num_t n; - dns_name_format(&rpz->origin, namebuf, sizeof(namebuf)); - cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, - "'%s' is not a master or slave zone", - namebuf); - result = ISC_R_NOTFOUND; - goto cleanup; + for (n = 0; n < view->rpzs->p.num_zones; ++n) + { + if ((view->rpzs->defined & DNS_RPZ_ZBIT(n)) == 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(&view->rpzs->zones[n]->origin, + namebuf, sizeof(namebuf)); + cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, + "'%s' is not a master or slave zone", + namebuf); + result = ISC_R_NOTFOUND; + goto cleanup; + } } } @@ -1909,7 +2189,7 @@ const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, actx, - ISC_TRUE)); + ISC_TRUE, ISC_FALSE)); } } @@ -3043,6 +3323,14 @@ } } + obj = NULL; + result = ns_config_get(maps, "rate-limit", &obj); + if (result == ISC_R_SUCCESS) { + result = configure_rrl(view, config, obj); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + result = ISC_R_SUCCESS; cleanup: @@ -3375,7 +3663,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added) + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ @@ -3396,8 +3685,7 @@ const char *zname; dns_rdataclass_t zclass; const char *ztypestr; - isc_boolean_t is_rpz; - dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; options = NULL; (void)cfg_map_get(config, "options", &options); @@ -3559,18 +3847,15 @@ INSIST(dupzone == NULL); /* - * Note whether this is a response policy zone. + * Note whether this is a response policy zone and which one if so. */ - is_rpz = ISC_FALSE; - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (dns_name_equal(&rpz->origin, origin)) { - is_rpz = ISC_TRUE; - rpz->defined = ISC_TRUE; + for (rpz_num = 0; ; ++rpz_num) { + if (view->rpzs == NULL || rpz_num >= view->rpzs->p.num_zones) { + rpz_num = DNS_RPZ_INVALID_NUM; break; } + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, origin)) + break; } /* @@ -3581,7 +3866,9 @@ * - The zone is compatible with the config * options (e.g., an existing master zone cannot * be reused if the options specify a slave zone) - * - The zone was and is or was not and is not a policy zone + * - The zone was not and is still not a response policy zone + * or the zone is a policy zone with an unchanged number + * and we are using the old policy zone summary data. */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); @@ -3595,7 +3882,8 @@ if (zone != NULL && !ns_zone_reusable(zone, zconfig)) dns_zone_detach(&zone); - if (zone != NULL && is_rpz != dns_zone_get_rpz(zone)) + if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) || + (rpz_num != DNS_RPZ_INVALID_NUM && !old_rpz_ok))) dns_zone_detach(&zone); if (zone != NULL) { @@ -3620,8 +3908,8 @@ dns_zone_setstats(zone, ns_g_server->zonestats); } - if (is_rpz) { - result = dns_zone_rpz_enable(zone); + if (rpz_num != DNS_RPZ_INVALID_NUM) { + result = dns_zone_rpz_enable(zone, view->rpzs, rpz_num); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -7834,7 +8122,8 @@ RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_view_thaw(view); result = configure_zone(cfg->config, parms, vconfig, - server->mctx, view, cfg->actx, ISC_FALSE); + server->mctx, view, cfg->actx, ISC_FALSE, + ISC_FALSE); dns_view_freeze(view); isc_task_endexclusive(server->task); if (result != ISC_R_SUCCESS) Index: bin/named/statschannel.c =================================================================== --- bin/named/statschannel.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/statschannel.c 2013-08-05 14:14:45.879498052 +0200 @@ -206,6 +206,10 @@ SET_NSSTATDESC(updatebadprereq, "updates rejected due to prerequisite failure", "UpdateBadPrereq"); + SET_NSSTATDESC(ratedropped, "responses dropped for rate limits", + "RateDropped"); + SET_NSSTATDESC(rateslipped, "responses truncated for rate limits", + "RateSlipped"); SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites", "RPZRewrites"); INSIST(i == dns_nsstatscounter_max); Index: bin/tests/system/README =================================================================== --- bin/tests/system/README.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/README 2013-08-05 14:14:45.879498052 +0200 @@ -17,6 +17,7 @@ nsupdate/ Dynamic update and IXFR tests resolver/ Regression tests for resolver bugs that have been fixed (not a complete resolver test suite) + rrl/ query rate limiting rpz/ Tests of response policy zone (RPZ) rewriting stub/ Tests of stub zone functionality unknown/ Unknown type and class tests Index: bin/tests/system/conf.sh.in =================================================================== --- bin/tests/system/conf.sh.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/conf.sh.in 2013-08-05 14:14:45.879498052 +0200 @@ -62,7 +62,7 @@ database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa formerr forward glue gost ixfr inline limits logfileconfig lwresd masterfile masterformat metadata notify nsupdate pending - pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent + pkcs11 redirect resolver rndc rpz rrl rrsetorder rsabigexponent smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown upforwd verify views wildcard xfer xferquota zonechecks" Index: bin/tests/system/rpz/Makefile.in =================================================================== --- bin/tests/system/rpz/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/Makefile.in 2013-08-05 14:14:45.879498052 +0200 @@ -12,8 +12,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id$ - srcdir = @srcdir@ VPATH = @srcdir@ Index: bin/tests/system/rpz/clean.sh =================================================================== --- bin/tests/system/rpz/clean.sh.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/clean.sh 2013-08-05 14:14:45.879498052 +0200 @@ -12,8 +12,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id$ - # Clean up after rpz tests. Index: bin/tests/system/rpz/ns1/named.conf =================================================================== --- bin/tests/system/rpz/ns1/named.conf.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns1/named.conf 2013-08-05 14:14:45.880498065 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - controls { /* empty */ }; Index: bin/tests/system/rpz/ns1/root.db =================================================================== --- bin/tests/system/rpz/ns1/root.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns1/root.db 2013-08-05 14:14:45.880498065 +0200 @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - $TTL 120 . SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) Index: bin/tests/system/rpz/ns2/base-tld2s.db =================================================================== --- bin/tests/system/rpz/ns2/base-tld2s.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns2/base-tld2s.db 2013-08-05 14:14:45.880498065 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - ; RPZ rewrite responses from this signed zone Index: bin/tests/system/rpz/ns2/hints =================================================================== --- bin/tests/system/rpz/ns2/hints.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns2/hints 2013-08-05 14:14:45.880498065 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - . 120 NS ns. ns. 120 A 10.53.0.1 Index: bin/tests/system/rpz/ns2/named.conf =================================================================== --- bin/tests/system/rpz/ns2/named.conf.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns2/named.conf 2013-08-05 14:14:45.880498065 +0200 @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - controls { /* empty */ }; Index: bin/tests/system/rpz/ns2/tld2.db =================================================================== --- bin/tests/system/rpz/ns2/tld2.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns2/tld2.db 2013-08-05 14:14:45.880498065 +0200 @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - ; RPZ rewrite responses from this zone @@ -111,6 +109,9 @@ A 192.168.5.2 TXT "a5-1-2 tld2 text" +a5-2 A 192.168.5.2 + TXT "a5-2 tld2 text" + a5-3 A 192.168.5.3 TXT "a5-3 tld2 text" Index: bin/tests/system/rpz/ns3/base.db =================================================================== --- bin/tests/system/rpz/ns3/base.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns3/base.db 2013-08-05 14:14:45.880498065 +0200 @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - ; RPZ test Index: bin/tests/system/rpz/ns3/hints =================================================================== --- bin/tests/system/rpz/ns3/hints.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns3/hints 2013-08-05 14:14:45.909498434 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - . 120 NS ns. ns. 120 A 10.53.0.1 Index: bin/tests/system/rpz/ns3/named.conf =================================================================== --- bin/tests/system/rpz/ns3/named.conf.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns3/named.conf 2013-08-05 14:14:45.909498434 +0200 @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - /* @@ -46,7 +44,10 @@ zone "bl-cname" policy cname txt-only.tld2.; zone "bl-wildcname" policy cname *.tld4.; zone "bl-garden" policy cname a12.tld2.; - } min-ns-dots 0; + zone "bl-drop" policy drop; + } min-ns-dots 0 + # qname-wait-recurse no + ; }; key rndc_key { @@ -58,7 +59,6 @@ }; -// include "../trusted.conf"; zone "." { type hint; file "hints"; }; zone "bl." {type master; file "bl.db"; @@ -83,6 +83,8 @@ allow-update {any;};}; zone "bl-garden." {type master; file "bl-garden.db"; allow-update {any;};}; +zone "bl-drop." {type master; file "bl-drop.db"; + allow-update {any;};}; zone "crash1.tld2" {type master; file "crash1";}; zone "crash2.tld3." {type master; file "crash2";}; Index: bin/tests/system/rpz/ns4/hints =================================================================== --- bin/tests/system/rpz/ns4/hints.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns4/hints 2013-08-05 14:14:45.909498434 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - . 120 NS ns. ns. 120 A 10.53.0.1 Index: bin/tests/system/rpz/ns4/named.conf =================================================================== --- bin/tests/system/rpz/ns4/named.conf.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns4/named.conf 2013-08-05 14:14:45.910498444 +0200 @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - controls { /* empty */ }; Index: bin/tests/system/rpz/ns4/tld4.db =================================================================== --- bin/tests/system/rpz/ns4/tld4.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns4/tld4.db 2013-08-05 14:14:45.910498444 +0200 @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - ; RPZ rewrite responses from this zone Index: bin/tests/system/rpz/ns5/hints =================================================================== --- bin/tests/system/rpz/ns5/hints.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns5/hints 2013-08-05 14:14:45.910498444 +0200 @@ -12,8 +12,6 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id$ - . 120 NS ns. ns. 120 A 10.53.0.1 Index: bin/tests/system/rpz/ns5/named.conf =================================================================== --- bin/tests/system/rpz/ns5/named.conf.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns5/named.conf 2013-08-05 14:14:45.910498444 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - /* @@ -56,3 +54,20 @@ zone "bl0." {type master; file "bl.db"; }; zone "bl1." {type master; file "bl.db"; }; zone "bl2." {type master; file "bl.db"; }; +zone "bl3." {type master; file "bl.db"; }; +zone "bl4." {type master; file "bl.db"; }; +zone "bl5." {type master; file "bl.db"; }; +zone "bl6." {type master; file "bl.db"; }; +zone "bl7." {type master; file "bl.db"; }; +zone "bl8." {type master; file "bl.db"; }; +zone "bl9." {type master; file "bl.db"; }; +zone "bl10." {type master; file "bl.db"; }; +zone "bl11." {type master; file "bl.db"; }; +zone "bl12." {type master; file "bl.db"; }; +zone "bl13." {type master; file "bl.db"; }; +zone "bl14." {type master; file "bl.db"; }; +zone "bl15." {type master; file "bl.db"; }; +zone "bl16." {type master; file "bl.db"; }; +zone "bl17." {type master; file "bl.db"; }; +zone "bl18." {type master; file "bl.db"; }; +zone "bl19." {type master; file "bl.db"; }; Index: bin/tests/system/rpz/ns5/tld5.db =================================================================== --- bin/tests/system/rpz/ns5/tld5.db.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/ns5/tld5.db 2013-08-05 14:14:45.910498444 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above Index: bin/tests/system/rpz/qperf.sh =================================================================== --- bin/tests/system/rpz/qperf.sh.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/qperf.sh 2013-08-05 14:14:45.910498444 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # -# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -14,8 +14,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id$ - for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do QPERF=$QDIR/queryperf Index: bin/tests/system/rpz/rpz.c =================================================================== --- bin/tests/system/rpz/rpz.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/rpz.c 2013-08-05 14:14:45.910498444 +0200 @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - #include Index: bin/tests/system/rpz/setup.sh =================================================================== --- bin/tests/system/rpz/setup.sh.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/setup.sh 2013-08-05 14:14:45.910498444 +0200 @@ -14,8 +14,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id$ - set -e @@ -30,7 +28,7 @@ # bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden} # are used to check policy overrides in named.conf. # NO-OP is an obsolete synonym for PASSHTRU -for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do +for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop; do sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done @@ -51,7 +49,10 @@ # Performance checks. cat <ns5/rpz-switch response-policy { - zone "bl0"; zone "bl1"; zone "bl2"; + zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4"; + zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9"; + zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14"; + zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19"; } recursive-only no max-policy-ttl 90 # min-ns-dots 0 Index: bin/tests/system/rpz/test1 =================================================================== --- bin/tests/system/rpz/test1.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test1 2013-08-05 14:14:45.910498444 +0200 @@ -24,13 +24,13 @@ ; QNAME tests ; NXDOMAIN -; 2, 20, 25 +; 2, 25 update add a0-1.tld2.bl. 300 CNAME . ; NODATA -; 3, 21 +; 3 update add a3-1.tld2.bl. 300 CNAME *. ; and no assert-botch -; 4, 5, 22, 23 +; 4, 5 update add a3-2.tld2.bl. 300 DNAME example.com. ; ; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2. @@ -77,6 +77,14 @@ ; 19 update add a4-6.tld2.bl. 300 CNAME . update add a4-6-cname.tld2.bl. 300 A 127.0.0.17 +; no change instead of NXDOMAIN because +norecurse +; 20 +update add a5-2.tld2.bl. 300 CNAME . +; no change instead of NODATA because +norecurse +; 21 +update add a5-3.tld2.bl. 300 CNAME *. +; 22, 23 +update add a5-4.tld2.bl. 300 DNAME example.com. ; ; assert in rbtdb.c ; 24 @@ -84,4 +92,6 @@ ; DO=1 without signatures, DO=0 with signatures are rewritten ; 26 - 27 update add a0-1.tld2s.bl. 300 CNAME . +; 32 +update add a3-8.tld2.bl. 300 CNAME rpz-drop. send Index: bin/tests/system/rpz/test2 =================================================================== --- bin/tests/system/rpz/test2.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test2 2013-08-05 14:14:45.910498444 +0200 @@ -58,7 +58,7 @@ send ; prefer QNAME to IP for a5-4.tld2 -; 13 +; 13, 14 update add 32.4.5.168.192.rpz-ip.bl 300 CNAME a12.tld2. update add a5-4.tld2.bl 300 CNAME a14.tld4. ; @@ -72,3 +72,8 @@ send update add c2.crash2.tld3.bl-2 300 A 127.0.0.16 send + +; client-IP address trigger +; 17 +update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17 +send Index: bin/tests/system/rpz/test3 =================================================================== --- bin/tests/system/rpz/test3.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test3 2013-08-05 14:14:45.910498444 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above Index: bin/tests/system/rpz/test4 =================================================================== --- bin/tests/system/rpz/test4.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test4 2013-08-05 14:14:45.911498455 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above Index: bin/tests/system/rpz/test4a =================================================================== --- bin/tests/system/rpz/test4a.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test4a 2013-08-05 14:14:45.911498455 +0200 @@ -1,4 +1,4 @@ -; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above Index: bin/tests/system/rpz/test5 =================================================================== --- bin/tests/system/rpz/test5.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/test5 2013-08-05 14:14:45.911498455 +0200 @@ -57,3 +57,6 @@ ; 16 update add a3-16.tld2.bl. 300 A 127.0.0.16 send +; 18 +update add a3-18.tld2.bl-drop. 300 A 127.0.0.18 +send Index: bin/tests/system/rpz/tests.sh =================================================================== --- bin/tests/system/rpz/tests.sh.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tests/system/rpz/tests.sh 2013-08-05 14:14:45.911498455 +0200 @@ -12,8 +12,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id$ - # test response policy zones (RPZ) @@ -21,15 +19,19 @@ . $SYSTEMTESTTOP/conf.sh ns=10.53.0 -ns1=$ns.1 # root, defining the others -ns2=$ns.2 # server whose answers are rewritten -ns3=$ns.3 # resolve that does the rewriting -ns4=$ns.4 # another server that is rewritten -ns5=$ns.5 # check performance with this server +ns1=$ns.1 # root, defining the others +ns2=$ns.2 # authoritative server whose answers are rewritten +ns3=$ns.3 # resolver that does the rewriting +ns4=$ns.4 # another authoritative server that is rewritten +ns5=$ns.5 # resolver to check performance and give un-rewritten + # responses for comparisons HAVE_CORE= SAVE_RESULTS= -NS3_STATS=47 + +# "response policy zone rewrites" from ns3/named.stats if none of the +# conditional tests are done. +NS3_STATS=50 USAGE="$0: [-x]" while getopts "x" c; do @@ -87,10 +89,10 @@ # (re)load the reponse policy zones with the rules in the file $TEST_FILE load_db () { if test -n "$TEST_FILE"; then - $NSUPDATE -v $TEST_FILE || { + if ! $NSUPDATE -v $TEST_FILE; then echo "I:failed to update policy zone with $TEST_FILE" exit 1 - } + fi fi } @@ -213,6 +215,13 @@ ckresult "$*" proto.nodata } +# check dropped response +drop () { + make_dignm + digcmd $* >$DIGNM + ckresult "$*" proto.drop +} + # check rewrite to an address # modify the output so that it is easily compared, but save the original line # $1=IPv4 address $2=digcmd args $3=optional TTL @@ -239,7 +248,7 @@ nochange () { make_dignm digcmd $* >$DIGNM - digcmd $* @$ns2 >${DIGNM}_OK + digcmd $* @$ns5 >${DIGNM}_OK ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } @@ -254,6 +263,12 @@ # make prototype files to check against rewritten results digcmd nonexistent @$ns2 >proto.nxdomain digcmd txt-only.tld2 @$ns2 >proto.nodata +cat <proto.drop + +; hello +;; global options: +;; connection timed out; no servers could be reached +EOF status=0 @@ -278,18 +293,19 @@ addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain -nochange a0-1.tld2 +norecurse # 20 check that RD=1 is required -nochange a3-1.tld2 +norecurse # 21 -nochange a3-2.tld2 +norecurse # 22 -nochange sub.a3-2.tld2 +norecurse # 23 +nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required +nochange a5-3.tld2 +norecurse # 21 +nochange a5-4.tld2 +norecurse # 22 +nochange sub.a5-4.tld2 +norecurse # 23 nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures -nxdomain a0-1.tld2s # 26 simple DO=0 with signatures +nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain -nochange a0-1.tld2s srv +auth +dnssec # 30 no write for +DNSSEC and no record -nxdomain a0-1.tld2s srv # 31 +nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record +nxdomain a0-1.tld2s srv +nodnssec # 31 +drop a3-8.tld2 # 32 drop end_group start_group "IP rewrites" test2 @@ -305,10 +321,11 @@ nochange a4-1-aaaa.tld2 -taaaa # 10 addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone -addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP -nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required +nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 +addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP nochange a4-4.tld2 # 15 PASSTHRU nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c +addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger end_group # check that IP addresses for previous group were deleted from the radix tree @@ -356,15 +373,15 @@ nochange a3-1.tld4 # 4 different NS IP address end_group -# start_group "walled garden NSIP rewrites" test4a -# addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 -# addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 -# here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 -# ;; status: NOERROR, x -# a3-1.tld2. x IN TXT "NSIP walled garden" -#EOF -# end_group - NS3_STATS=`expr $NS3_STATS + 1` + start_group "walled garden NSIP rewrites" test4a + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + ;; status: NOERROR, x + a3-1.tld2. x IN TXT "NSIP walled garden" +EOF + end_group + NS3_STATS=`expr $NS3_STATS + 4` else echo "I:NSIP not checked; named configured with --disable-rpz-nsip" fi @@ -393,6 +410,7 @@ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 +drop a3-18.tld2 # 18 bl-drop end_group # check that miscellaneous bugs are still absent @@ -412,6 +430,9 @@ end_group +ckstats $ns3 ns3 $NS3_STATS + + # superficial test for major performance bugs QPERF=`sh qperf.sh` if test -n "$QPERF"; then @@ -464,8 +485,6 @@ fi -ckstats $ns3 ns3 55 - # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then $PERL $SYSTEMTESTTOP/stop.pl . ns3 Index: bin/tests/system/rrl/clean.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/clean.sh 2013-08-05 14:14:45.911498455 +0200 @@ -0,0 +1,21 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + + +# Clean up after rrl tests. + +rm -f dig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid Index: bin/tests/system/rrl/ns1/named.conf =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns1/named.conf 2013-08-05 14:14:45.911498455 +0200 @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." {type master; file "root.db";}; Index: bin/tests/system/rrl/ns1/root.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns1/root.db 2013-08-05 14:14:45.911498455 +0200 @@ -0,0 +1,31 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. Index: bin/tests/system/rrl/ns2/hints =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns2/hints 2013-08-05 14:14:45.911498455 +0200 @@ -0,0 +1,18 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 Index: bin/tests/system/rrl/ns2/named.conf =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns2/named.conf 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; Index: bin/tests/system/rrl/ns2/tld2.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns2/tld2.db 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,47 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 Index: bin/tests/system/rrl/ns3/hints =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns3/hints 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,18 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 Index: bin/tests/system/rrl/ns3/named.conf =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns3/named.conf 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type master; file "tld3.db"; }; Index: bin/tests/system/rrl/ns3/tld3.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/ns3/tld3.db 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,25 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 Index: bin/tests/system/rrl/setup.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/setup.sh 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + Index: bin/tests/system/rrl/tests.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ bin/tests/system/rrl/tests.sh 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. +sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. +ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 Index: clean.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ clean.sh 2013-08-05 14:14:45.912498466 +0200 @@ -0,0 +1,21 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + + +# Clean up after rrl tests. + +rm -f dig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid Index: doc/arm/Bv9ARM-book.xml =================================================================== --- doc/arm/Bv9ARM-book.xml.orig 2013-07-17 00:13:06.000000000 +0200 +++ doc/arm/Bv9ARM-book.xml 2013-08-05 14:14:45.916498518 +0200 @@ -4818,6 +4818,32 @@ + + + rate-limit + + + + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + info severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + + + Rate limiting of individual requests + is logged in the query-errors category. + + + @@ -5318,7 +5344,7 @@ match-mapped-addresses yes_or_no; filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); filter-aaaa { address_match_list }; - dns64 IPv6-prefix { + dns64 ipv6-prefix { clients { address_match_list }; mapped { address_match_list }; exclude { address_match_list }; @@ -5351,8 +5377,25 @@ resolver-query-timeout number ; deny-answer-addresses { address_match_list } except-from { namelist } ; deny-answer-aliases { namelist } except-from { namelist } ; + rate-limit { + responses-per-second number ; + referrals-per-second number ; + nodata-per-second number ; + nxdomains-per-second number ; + errors-per-second number ; + all-per-second number ; + window number ; + log-only yes_or_no ; + qps-scale number ; + ipv4-prefix-length number ; + ipv6-prefix-length number ; + slip number ; + exempt-clients { address_match_list } ; + max-table-size number ; + min-table-size number ; + } ; response-policy { zone_name - policy given | disabled | passthru | nxdomain | nodata | cname domain + policy given | disabled | passthru | drop | nxdomain | nodata | cname domain recursive-only yes_or_no max-policy-ttl number ; } recursive-only yes_or_no max-policy-ttl number break-dnssec yes_or_no min-ns-dots number ; @@ -9645,30 +9688,25 @@ Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. - RPZs are ordinary DNS zones containing RRsets + Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. - Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, - and NSDNAME. - QNAME RPZ records triggered by query names of requests and targets - of CNAME records resolved to generate the response. - The owner name of a QNAME RPZ record is the query name relativized - to the RPZ. - - - - The second kind of RPZ trigger is an IP address in an A and AAAA - record in the ANSWER section of a response. - IP address triggers are encoded in records that have owner names - that are subdomains of rpz-ip relativized - to the RPZ origin name and encode an IP address or address block. - IPv4 trigger addresses are represented as + Five policy triggers can be encoded in RPZ records, CLIENT-IP, + QNAME, IP, NSDNAME, and NSIP. + CLIENT-IP records are triggered by the IP address of the + DNS client. + Client IP address triggers are encoded in records that have + owner names that are subdomains of + rpz-client-ip relativized to the + policy zone origin name + and encode an address or address block. + IPv4 addresses are represented as prefixlength.B4.B3.B2.B1.rpz-ip. - The prefix length must be between 1 and 32. + The IPv4 prefix length must be between 1 and 32. All four bytes, B4, B3, B2, and B1, must be present. B4 is the decimal value of the least significant byte of the IPv4 address as in IN-ADDR.ARPA. @@ -9678,10 +9716,25 @@ Each of W8,...,W1 is a one to four digit hexadecimal number representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. - All 8 words must be present except when consecutive - zero words are replaced with .zz. + All 8 words must be present except when one set of consecutive + zero words is replaced with .zz. analogous to double colons (::) in standard IPv6 text encodings. - The prefix length must be between 1 and 128. + The IPv6 prefix length must be between 64 and 128. + + + + QNAME policy records are triggered by query names of requests and + targets of CNAME records resolved to generate the response. + The owner name of a QNAME policy record is + the query name relativized to the policy zone. + + + + The third kind of trigger is an IP address in an A and AAAA + record in the ANSWER section of a response. + IP address triggers + IP triggers are encoded like client-IP triggers except as + subdomains of rpz-ip. @@ -9703,7 +9756,7 @@ - The query response is checked against all RPZs, so + The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than @@ -9714,8 +9767,8 @@ Choose the triggered record in the zone that appears first in the response-policy option. - Prefer QNAME to IP to NSDNAME to NSIP triggers - in a single zone. + Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP + triggers in a single zone. Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. @@ -9734,14 +9787,25 @@ When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, - all RPZs are again consulted for the DNAME or CNAME names - and addresses. + all response policy zones are again consulted for the + DNAME or CNAME names and addresses. RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. + The PASSTHRU policy is specified + by a CNAME whose target is rpz-passthru. + It causes the response to not be rewritten + and is most often used to "poke holes" in policies for + CIDR blocks. + + The DROP policy is specified + by a CNAME whose target is rpz-drop. + It causes the response to discarded. + Nothing is sent to the DNS client. + The NXDOMAIN response is encoded by a CNAME whose target is the root domain (.) @@ -9761,23 +9825,16 @@ The purpose for this special form is query logging in the walled garden's authority DNS server. - The PASSTHRU policy is specified - by a CNAME whose target is rpz-passthru. - It causes the response to not be rewritten - and is most often used to "poke holes" in policies for - CIDR blocks. - (A CNAME whose target is the variable part of its owner name - is an obsolete specification of the PASSTHRU policy.) - - The actions specified in an RPZ can be overridden with a + The actions specified in a policy zone can be overridden with a policy clause in the response-policy option. - An organization using an RPZ provided by another organization might - use this mechanism to redirect domains to its own walled garden. + An organization using a policy zone provided by another + organization might use this mechanism to redirect domains + to its own walled garden. GIVEN says "do not override but perform the action specified in the zone." @@ -9808,9 +9865,10 @@ - By default, the actions encoded in an RPZ are applied - only to queries that ask for recursion (RD=1). - That default can be changed for a single RPZ or all RPZs in a view + By default, the actions encoded in a response policy zone + are applied only to queries that ask for recursion (RD=1). + That default can be changed for a single policy zone or + all response policy zones in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to @@ -9819,15 +9877,37 @@ - Also by default, RPZ actions are applied only to DNS requests that - either do not request DNSSEC metadata (DO=0) or when no DNSSEC - records are available for request name in the original zone (not - the response policy zone). - This default can be changed for all RPZs in a view with a - break-dnssec yes clause. - In that case, RPZ actions are applied regardless of DNSSEC. - The name of the clause option reflects the fact that results - rewritten by RPZ actions cannot verify. + Also by default, RPZ actions are applied only to DNS requests + that either do not request DNSSEC metadata (DO=0) or when no + DNSSEC records are available for request name in the original + zone (not the response policy zone). This default can be + changed for all response policy zones in a view with a + break-dnssec yes clause. In that case, RPZ + actions are applied regardless of DNSSEC. The name of the + clause option reflects the fact that results rewritten by RPZ + actions cannot verify. + + + + No DNS records are needed to trigger a QNAME action. The name + itself is sufficient, so in principle the query name need not + be recursively resolved. However, not resolving the requested + name leaks the fact that response policy rewriting is in use + and that the name is listed in a policy zone to operators of + servers for listed names. To prevent that information leak, by + default any recursion needed for a request is done before any + policy triggers are considered. Because listed domains often + have slow authoritative servers, this default behavior can cost + significant time. The qname-wait-recurse no + option overrides the default behavior when recursion cannot + change the response. qname-wait-recurse no + does not affect QNAME triggers in policy zones listed after + other zones containing IP, NSIP and NSDNAME triggers, because + those may depend on the A, AAAA, and NS records that would be + found during recursive resolution. It also does not affect + DNSSEC requests (DO=1) unless break-dnssec yes + is in use, because the response would depend on whether or not + RRSIG records were found during resolution. @@ -9897,6 +9977,223 @@ RPZRewrites statistics. + + + Response Rate Limiting + + Excessive almost-identical UDP responses + can be controlled by configuring a + rate-limit clause in an + options or view statement. + This mechanism keeps authoritative BIND 9 from being used + in amplifying reflection denial of service (DoS) attacks. + Short truncated (TC=1) responses can be sent to provide + rate-limited responses to legitimate clients within + a range of forged, attacked IP addresses. + Legitimate clients react to dropped or truncated response + by retrying with UDP or with TCP respectively. + + + + This mechanism is intended for authoritative DNS servers. + It can be used on recursive servers but can slow + applications such as SMTP servers (mail receivers) and + HTTP clients (web browsers) that repeatedly request the + same domains. + When possible, closing "open" recursive servers is better. + + + + Response rate limiting uses a "credit" or "token bucket" scheme. + Each combination of identical response and client + has a conceptual account that earns a specified number + of credits every second. + A prospective response debits its account by one. + Responses are dropped or truncated + while the account is negative. + Responses are tracked within a rolling window of time + which defaults to 15 seconds, but can be configured with + the window option to any value from + 1 to 3600 seconds (1 hour). + The account cannot become more positive than + the per-second limit + or more negative than window + times the per-second limit. + When the specified number of credits for a class of + responses is set to 0, those responses are not rate limited. + + + + The notions of "identical response" and "DNS client" + for rate limiting are not simplistic. + All responses to an address block are counted as if to a + single client. + The prefix lengths of addresses blocks are + specified with ipv4-prefix-length (default 24) + and ipv6-prefix-length (default 56). + + + + All non-empty responses for a valid domain name (qname) + and record type (qtype) are identical and have a limit specified + with responses-per-second + (default 0 or no limit). + All empty (NODATA) responses for a valid domain, + regardless of query type, are identical. + Responses in the NODATA class are limited by + nodata-per-second + (default responses-per-second). + Requests for any and all undefined subdomains of a given + valid domain result in NXDOMAIN errors, and are identical + regardless of query type. + They are limited by nxdomain-per-second + (default responses-per-second). + This controls some attacks using random names, but + can be relaxed or turned off (set to 0) + on servers that expect many legitimate + NXDOMAIN responses, such as from anti-spam blacklists. + Referrals or delegations to the server of a given + domain are identical and are limited by + referrals-per-second + (default responses-per-second). + + + + Responses generated from local wildcards are counted and limited + as if they were for the parent domain name. + This controls flooding using random.wild.example.com. + + + + All requests that result in DNS errors other + than NXDOMAIN, such as SERVFAIL and FORMERR, are identical + regardless of requested name (qname) or record type (qtype). + This controls attacks using invalid requests or distant, + broken authoritative servers. + By default the limit on errors is the same as the + responses-per-second value, + but it can be set separately with + errors-per-second. + + + + Many attacks using DNS involve UDP requests with forged source + addresses. + Rate limiting prevents the use of BIND 9 to flood a network + with responses to requests with forged source addresses, + but could let a third party block responses to legitimate requests. + There is a mechanism that can answer some legitimate + requests from a client whose address is being forged in a flood. + Setting slip to 2 (its default) causes every + other UDP request to be answered with a small truncated (TC=1) + response. + The small size and reduced frequency, and so lack of + amplification, of "slipped" responses make them unattractive + for reflection DoS attacks. + slip must be between 0 and 10. + A value of 0 does not "slip"; + no truncated responses are sent due to rate limiting. + Some error responses including REFUSED and SERVFAIL + cannot be replaced with truncated responses and are instead + leaked at the slip rate. + + + + When the approximate query per second rate exceeds + the qps-scale value, + then the responses-per-second, + errors-per-second, + nxdomains-per-second and + all-per-second values are reduced by the + ratio of the current rate to the qps-scale value. + This feature can tighten defenses during attacks. + For example, with + qps-scale 250; responses-per-second 20; and + a total query rate of 1000 queries/second for all queries from + all DNS clients including via TCP, + then the effective responses/second limit changes to + (250/1000)*20 or 5. + Responses sent via TCP are not limited + but are counted to compute the query per second rate. + + + + Communities of DNS clients can be given their own parameters or no + rate limiting by putting + rate-limit statements in view + statements instead of the global option + statement. + A rate-limit statement in a view replaces, + rather than supplementing, a rate-limit + statement among the main options. + DNS clients within a view can be exempted from rate limits + with the exempt-clients clause. + + + + UDP responses of all kinds can be limited with the + all-per-second phrase. + This rate limiting is unlike the rate limiting provided by + responses-per-second, + errors-per-second, and + nxdomains-per-second on a DNS server + which are often invisible to the victim of a DNS reflection attack. + Unless the forged requests of the attack are the same as the + legitimate requests of the victim, the victim's requests are + not affected. + Responses affected by an all-per-second limit + are always dropped; the slip value has no + effect. + An all-per-second limit should be + at least 4 times as large as the other limits, + because single DNS clients often send bursts of legitimate + requests. + For example, the receipt of a single mail message can prompt + requests from an SMTP server for NS, PTR, A, and AAAA records + as the incoming SMTP/TCP/IP connection is considered. + The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF + records as it considers the STMP Mail From + command. + Web browsers often repeatedly resolve the same names that + are repeated in HTML <IMG> tags in a page. + All-per-second is similar to the + rate limiting offered by firewalls but often inferior. + Attacks that justify ignoring the + contents of DNS responses are likely to be attacks on the + DNS server itself. + They usually should be discarded before the DNS server + spends resources make TCP connections or parsing DNS requesets, + but that rate limiting must be done before the + DNS server sees the requests. + + + + The maximum size of the table used to track requests and + rate limit responses is set with max-table-size. + Each entry in the table is between 40 and 80 bytes. + The table needs approximately as many entries as the number + of requests received per second. + The default is 20,000. + To reduce the cold start of growing the table, + min-table-size (default 500) + can set the minimum table size. + Enable rate-limit category logging to monitor + expansions of the table and inform + choices for the initial and maximum table size. + + + + Use log-only yes to test rate limiting parameters + without actually dropping any requests. + + + + Responses dropped by rate limits are included in the + RateDropped and QryDropped + statistics. + Responses that truncated by rate limits are included in + RateSlipped and RespTruncated. + @@ -14649,6 +14946,32 @@ + + + RateDropped + + + + + + + Responses dropped by rate limits. + + + + + + RateSlipped + + + + + + + Responses truncated by rate limits. + + + Index: hints =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ hints 2013-08-05 14:14:45.916498518 +0200 @@ -0,0 +1,36 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 Index: lib/dns/Makefile.in =================================================================== --- lib/dns/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/Makefile.in 2013-08-05 14:14:45.916498518 +0200 @@ -67,8 +67,8 @@ portlist.@O@ private.@O@ \ rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \ rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \ - request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \ - rriterator.@O@ sdb.@O@ \ + request.@O@ resolver.@O@ result.@O@ rootns.@O@ \ + rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \ sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \ stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \ tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \ @@ -95,7 +95,7 @@ name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \ rdataset.c rdatasetiter.c rdataslab.c request.c \ - resolver.c result.c rootns.c rpz.c rriterator.c \ + resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \ sdb.c sdlz.c soa.c ssu.c ssu_external.c \ stats.c tcpmsg.c time.c timer.c tkey.c \ tsec.c tsig.c ttl.c update.c validator.c \ Index: lib/dns/db.c =================================================================== --- lib/dns/db.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/db.c 2013-08-05 14:14:45.916498518 +0200 @@ -1007,21 +1007,23 @@ (db->methods->resigned)(db, rdataset, version); } -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - if (db->methods->rpz_enabled != NULL) - return ((db->methods->rpz_enabled)(db, st)); - return (ISC_R_SUCCESS); +/* + * Attach a database to policy zone databases. + * This should only happen when the caller has already ensured that + * it is dealing with a database that understands response policy zones. + */ +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + REQUIRE(db->methods->rpz_attach != NULL); + (db->methods->rpz_attach)(db, rpzs, rpz_num); } -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - if (db->methods->rpz_findips != NULL) - (db->methods->rpz_findips)(rpz, rpz_type, zone, db, version, - ardataset, st, query_qname); +/* + * Finish loading a response policy zone. + */ +isc_result_t +dns_db_rpz_ready(dns_db_t *db) { + if (db->methods->rpz_ready == NULL) + return (ISC_R_SUCCESS); + return ((db->methods->rpz_ready)(db)); } Index: lib/dns/ecdb.c =================================================================== --- lib/dns/ecdb.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/ecdb.c 2013-08-05 14:14:45.916498518 +0200 @@ -582,8 +582,8 @@ NULL, /* resigned */ NULL, /* isdnssec */ NULL, /* getrrsetstats */ - NULL, /* rpz_enabled */ - NULL, /* rpz_findips */ + NULL, /* rpz_attach */ + NULL, /* rpz_ready */ NULL, /* findnodeext */ NULL /* findext */ }; Index: lib/dns/include/dns/db.h =================================================================== --- lib/dns/include/dns/db.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/include/dns/db.h 2013-08-05 14:14:45.917498530 +0200 @@ -172,14 +172,9 @@ dns_dbversion_t *version); isc_boolean_t (*isdnssec)(dns_db_t *db); dns_stats_t *(*getrrsetstats)(dns_db_t *db); - isc_result_t (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st); - void (*rpz_findips)(dns_rpz_zone_t *rpz, - dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, - dns_dbversion_t *version, - dns_rdataset_t *ardataset, - dns_rpz_st_t *st, - dns_name_t *query_qname); + void (*rpz_attach)(dns_db_t *db, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); + isc_result_t (*rpz_ready)(dns_db_t *db); isc_result_t (*findnodeext)(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_clientinfomethods_t *methods, @@ -1542,30 +1537,17 @@ * dns_rdatasetstats_create(); otherwise NULL. */ -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st); +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); /*%< - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Attach the response policy information for a view to a database for a + * zone for the view. */ -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname); -/*%< - * Search the CDIR block tree of a response policy tree of trees for the best - * match to any of the IP addresses in an A or AAAA rdataset. - * - * Requires: - * \li search in policy zone 'rpz' for a match of 'rpz_type' either - * DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP - * \li 'zone' and 'db' are the database corresponding to 'rpz' - * \li 'version' is the required version of the database - * \li 'ardataset' is an A or AAAA rdataset of addresses to check - * \li 'found' specifies the previous best match if any or - * or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0 +isc_result_t +dns_db_rpz_ready(dns_db_t *db); +/*%< + * Finish loading a response policy zone. */ ISC_LANG_ENDDECLS Index: lib/dns/include/dns/log.h =================================================================== --- lib/dns/include/dns/log.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/include/dns/log.h 2013-08-05 14:14:45.917498530 +0200 @@ -43,6 +43,7 @@ #define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10]) #define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11]) #define DNS_LOGCATEGORY_RPZ (&dns_categories[12]) +#define DNS_LOGCATEGORY_RRL (&dns_categories[13]) /* Backwards compatibility. */ #define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL Index: lib/dns/include/dns/rpz.h =================================================================== --- lib/dns/include/dns/rpz.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/include/dns/rpz.h 2013-08-05 14:14:45.917498530 +0200 @@ -14,7 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ #ifndef DNS_RPZ_H @@ -25,19 +24,30 @@ #include #include #include +#include ISC_LANG_BEGINDECLS #define DNS_RPZ_PREFIX "rpz-" +/* + * Sub-zones of various trigger types. + */ +#define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX"client-ip" #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX"ip" #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX"nsip" #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname" -#define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru" +/* + * Special policies. + */ +#define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX"passthru" +#define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX"drop" -typedef isc_uint8_t dns_rpz_cidr_bits_t; + +typedef isc_uint8_t dns_rpz_prefix_t; typedef enum { DNS_RPZ_TYPE_BAD, + DNS_RPZ_TYPE_CLIENT_IP, DNS_RPZ_TYPE_QNAME, DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSDNAME, @@ -45,45 +55,148 @@ } dns_rpz_type_t; /* - * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN < - * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing - * policies. + * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP < + * DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME + * to choose among competing policies. */ typedef enum { DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ - DNS_RPZ_POLICY_DISABLED = 1, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ - DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */ - DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */ - DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ + DNS_RPZ_POLICY_NXDOMAIN = 4, /* 'nxdomain': answer with NXDOMAIN */ + DNS_RPZ_POLICY_NODATA = 5, /* 'nodata': answer with ANCOUNT=0 */ + DNS_RPZ_POLICY_CNAME = 6, /* 'cname x': answer with x's rrsets */ DNS_RPZ_POLICY_RECORD, DNS_RPZ_POLICY_WILDCNAME, DNS_RPZ_POLICY_MISS, DNS_RPZ_POLICY_ERROR } dns_rpz_policy_t; +typedef isc_uint8_t dns_rpz_num_t; + +#define DNS_RPZ_MAX_ZONES 32 +#if DNS_RPZ_MAX_ZONES > 32 +# if DNS_RPZ_MAX_ZONES > 64 +# error "rpz zone bit masks must fit in a word" +# endif +typedef isc_uint64_t dns_rpz_zbits_t; +#else +typedef isc_uint32_t dns_rpz_zbits_t; +#endif + +#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) + +#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES + +#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) + /* - * Specify a response policy zone. + * Mask of the specified and higher numbered policy zones + * Avoid hassles with (1<<33) or (1<<65) */ -typedef struct dns_rpz_zone dns_rpz_zone_t; +#define DNS_RPZ_ZMASK(n) ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \ + 0 : (1<<((n)+1))) -1)) +/* + * The number of triggers of each type in a response policy zone. + */ +typedef struct dns_rpz_triggers dns_rpz_triggers_t; +struct dns_rpz_triggers { + int client_ipv4; + int client_ipv6; + int qname; + int ipv4; + int ipv6; + int nsdname; + int nsipv4; + int nsipv6; +}; +/* + * A single response policy zone. + */ +typedef struct dns_rpz_zone dns_rpz_zone_t; struct dns_rpz_zone { - ISC_LINK(dns_rpz_zone_t) link; - int num; /* ordinal in list of policy zones */ - dns_name_t origin; /* Policy zone name */ - dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ - dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */ - dns_name_t cname; /* override value for ..._CNAME */ - dns_ttl_t max_policy_ttl; - dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ - isc_boolean_t recursive_only; - isc_boolean_t defined; + isc_refcount_t refs; + dns_rpz_num_t num; /* ordinal in list of policy zones */ + dns_name_t origin; /* Policy zone name */ + dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ + dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ + dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ + dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ + dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ + dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ + dns_name_t cname; /* override value for ..._CNAME */ + dns_ttl_t max_policy_ttl; + dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ + dns_rpz_triggers_t triggers; }; /* - * Radix trees for response policy IP addresses. + * Radix tree node for response policy IP addresses + */ +typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; + +/* + * Response policy zones known to a view. */ -typedef struct dns_rpz_cidr dns_rpz_cidr_t; +typedef struct dns_rpz_zones dns_rpz_zones_t; +struct dns_rpz_zones { + struct { + dns_rpz_zbits_t no_rd_ok; + isc_boolean_t break_dnssec; + isc_boolean_t qname_wait_recurse; + unsigned int min_ns_labels; + dns_rpz_num_t num_zones; + } p; + dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; + + dns_rpz_zbits_t defined; + + /* + * The set of records for a policy zone are in one of these states: + * never loaded load_begun=0 have=0 + * during initial loading load_begun=1 have=0 + * and rbtdb->rpzsp == rbtdb->load_rpzsp + * after good load load_begun=1 have!=0 + * after failed initial load load_begun=1 have=0 + * and rbtdb->load_rpzsp == NULL + * reloading after failure load_begun=1 have=0 + * reloading after success + * main rpzs load_begun=1 have!=0 + * load rpzs load_begun=1 have=0 + */ + dns_rpz_zbits_t load_begun; + struct { + dns_rpz_zbits_t client_ipv4; + dns_rpz_zbits_t client_ipv6; + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ipv4; + dns_rpz_zbits_t ipv6; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsdname; + dns_rpz_zbits_t nsipv4; + dns_rpz_zbits_t nsipv6; + dns_rpz_zbits_t nsip; + dns_rpz_zbits_t qname_skip_recurse; + } have; + + isc_mem_t *mctx; + isc_refcount_t refs; + /* + * One lock for short term read-only search that guarantees the + * consistency of the pointers. + * A second lock for maintenance that guarantees no other thread + * is adding or deleting nodes. + */ + isc_mutex_t search_lock; + isc_mutex_t maint_lock; + + dns_rpz_cidr_node_t *cidr; + dns_rbt_t *rbt; +}; + /* * context for finding the best policy @@ -91,22 +204,19 @@ typedef struct { unsigned int state; # define DNS_RPZ_REWRITTEN 0x0001 -# define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */ -# define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */ -# define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */ -# define DNS_RPZ_DONE_IPv4 0x0010 -# define DNS_RPZ_RECURSING 0x0020 -# define DNS_RPZ_HAVE_IP 0x0040 /* a policy zone has IP addresses */ -# define DNS_RPZ_HAVE_NSIPv4 0x0080 /* IPv4 NISP addresses */ -# define DNS_RPZ_HAVE_NSIPv6 0x0100 /* IPv6 NISP addresses */ -# define DNS_RPZ_HAVE_NSDNAME 0x0200 /* NS names */ +# define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ +# define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ +# define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ +# define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ +# define DNS_RPZ_DONE_IPv4 0x0020 +# define DNS_RPZ_RECURSING 0x0040 /* * Best match so far. */ struct { dns_rpz_type_t type; dns_rpz_zone_t *rpz; - dns_rpz_cidr_bits_t prefix; + dns_rpz_prefix_t prefix; dns_rpz_policy_t policy; dns_ttl_t ttl; isc_result_t result; @@ -141,10 +251,15 @@ dns_rdataset_t *sigrdataset; dns_rdatatype_t qtype; } q; - dns_name_t *qname; + /* + * p_name: current policy owner name + * r_name: recursing for this name to possible policy triggers + * f_name: saved found name from before recursion + */ + dns_name_t *p_name; dns_name_t *r_name; dns_name_t *fname; - dns_fixedname_t _qnamef; + dns_fixedname_t _p_namef; dns_fixedname_t _r_namef; dns_fixedname_t _fnamef; } dns_rpz_st_t; @@ -171,32 +286,41 @@ const char * dns_rpz_policy2str(dns_rpz_policy_t policy); -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidr); - -void -dns_rpz_view_destroy(dns_view_t *view); +dns_rpz_policy_t +dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, + dns_name_t *selfname); isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr); -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st); +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx); void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix); +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); -dns_rpz_policy_t -dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, - dns_name_t *selfname); +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num); + +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); + +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name); ISC_LANG_ENDDECLS Index: lib/dns/include/dns/rrl.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ lib/dns/include/dns/rrl.h 2013-08-05 14:14:45.917498530 +0200 @@ -0,0 +1,278 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +#ifndef DNS_RRL_H +#define DNS_RRL_H 1 + +/* + * Rate limit DNS responses. + */ + +#include + +#include +#include +#include + +ISC_LANG_BEGINDECLS + + +/* + * Memory allocation or other failures. + */ +#define DNS_RRL_LOG_FAIL ISC_LOG_WARNING +/* + * dropped or slipped responses. + */ +#define DNS_RRL_LOG_DROP ISC_LOG_INFO +/* + * Major events in dropping or slipping. + */ +#define DNS_RRL_LOG_DEBUG1 ISC_LOG_DEBUG(3) +/* + * Limit computations. + */ +#define DNS_RRL_LOG_DEBUG2 ISC_LOG_DEBUG(4) +/* + * Even less interesting. + */ +#define DNS_RRL_LOG_DEBUG3 ISC_LOG_DEBUG(9) + + +#define DNS_RRL_LOG_ERR_LEN 64 +#define DNS_RRL_LOG_BUF_LEN (sizeof("would continue limiting") + \ + DNS_RRL_LOG_ERR_LEN + \ + sizeof(" responses to ") + \ + ISC_NETADDR_FORMATSIZE + \ + sizeof("/128 for IN ") + \ + DNS_RDATATYPE_FORMATSIZE + \ + DNS_NAME_FORMATSIZE) + + +typedef struct dns_rrl_hash dns_rrl_hash_t; + +/* + * Response types. + */ +typedef enum { + DNS_RRL_RTYPE_FREE = 0, + DNS_RRL_RTYPE_QUERY, + DNS_RRL_RTYPE_REFERRAL, + DNS_RRL_RTYPE_NODATA, + DNS_RRL_RTYPE_NXDOMAIN, + DNS_RRL_RTYPE_ERROR, + DNS_RRL_RTYPE_ALL, + DNS_RRL_RTYPE_TCP, +} dns_rrl_rtype_t; + +/* + * A rate limit bucket key. + * This should be small to limit the total size of the database. + * The hash of the qname should be wide enough to make the probability + * of collisions among requests from a single IP address block less than 50%. + * We need a 32-bit hash value for 10000 qps (e.g. random qnames forged + * by attacker) to collide with legitimate qnames from the target with + * probability at most 1%. + */ +#define DNS_RRL_MAX_PREFIX 64 +typedef union dns_rrl_key dns_rrl_key_t; +union dns_rrl_key { + struct { + isc_uint32_t ip[DNS_RRL_MAX_PREFIX/32]; + isc_uint32_t qname_hash; + dns_rdatatype_t qtype; + isc_uint8_t qclass; + dns_rrl_rtype_t rtype :4; /* 3 bits + sign bit */ + isc_boolean_t ipv6 :1; + } s; + isc_uint16_t w[1]; +}; + +/* + * A rate-limit entry. + * This should be small to limit the total size of the table of entries. + */ +typedef struct dns_rrl_entry dns_rrl_entry_t; +typedef ISC_LIST(dns_rrl_entry_t) dns_rrl_bin_t; +struct dns_rrl_entry { + ISC_LINK(dns_rrl_entry_t) lru; + ISC_LINK(dns_rrl_entry_t) hlink; + dns_rrl_key_t key; +# define DNS_RRL_RESPONSE_BITS 24 + signed int responses :DNS_RRL_RESPONSE_BITS; +# define DNS_RRL_QNAMES_BITS 8 + unsigned int log_qname :DNS_RRL_QNAMES_BITS; + +# define DNS_RRL_TS_GEN_BITS 2 + unsigned int ts_gen :DNS_RRL_TS_GEN_BITS; + isc_boolean_t ts_valid :1; +# define DNS_RRL_HASH_GEN_BITS 1 + unsigned int hash_gen :DNS_RRL_HASH_GEN_BITS; + isc_boolean_t logged :1; +# define DNS_RRL_LOG_BITS 11 + unsigned int log_secs :DNS_RRL_LOG_BITS; + +# define DNS_RRL_TS_BITS 12 + unsigned int ts :DNS_RRL_TS_BITS; + +# define DNS_RRL_MAX_SLIP 10 + unsigned int slip_cnt :4; +}; + +#define DNS_RRL_MAX_TIME_TRAVEL 5 +#define DNS_RRL_FOREVER (1<= DNS_RRL_MAX_TS +#error "DNS_RRL_MAX_WINDOW is too large" +#endif +#define DNS_RRL_MAX_RATE 1000 +#if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW) +#error "DNS_RRL_MAX_rate is too large" +#endif + +#if (1<= DNS_RRL_FOREVER +#error DNS_RRL_LOG_BITS is too big +#endif +#define DNS_RRL_MAX_LOG_SECS 1800 +#if DNS_RRL_MAX_LOG_SECS >= (1<= (1< #include +#include #include #include #include @@ -142,6 +143,7 @@ dns_rbt_t * answeracl_exclude; dns_rbt_t * denyanswernames; dns_rbt_t * answernames_exclude; + dns_rrl_t * rrl; isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; @@ -162,10 +164,7 @@ dns_acl_t * v4_aaaa_acl; dns_dns64list_t dns64; unsigned int dns64cnt; - ISC_LIST(dns_rpz_zone_t) rpz_zones; - isc_boolean_t rpz_recursive_only; - isc_boolean_t rpz_break_dnssec; - unsigned int rpz_min_ns_labels; + dns_rpz_zones_t *rpzs; /* * Configurable data for server use only, Index: lib/dns/include/dns/zone.h =================================================================== --- lib/dns/include/dns/zone.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/include/dns/zone.h 2013-08-05 14:14:45.918498542 +0200 @@ -2081,13 +2081,14 @@ */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone); +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); /*% * Set the response policy associated with a zone. */ -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone); +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone); void dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level); Index: lib/dns/log.c =================================================================== --- lib/dns/log.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/log.c 2013-08-05 14:14:45.918498542 +0200 @@ -45,6 +45,7 @@ { "delegation-only", 0 }, { "edns-disabled", 0 }, { "rpz", 0 }, + { "rate-limit", 0 }, { NULL, 0 } }; Index: lib/dns/rbtdb.c =================================================================== --- lib/dns/rbtdb.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/rbtdb.c 2013-08-05 14:14:45.919498555 +0200 @@ -453,7 +453,9 @@ dns_rbt_t * tree; dns_rbt_t * nsec; dns_rbt_t * nsec3; - dns_rpz_cidr_t * rpz_cidr; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; + dns_rpz_zones_t *load_rpzs; /* Unlocked */ unsigned int quantum; @@ -972,8 +974,18 @@ dns_stats_detach(&rbtdb->rrsetstats); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_free(&rbtdb->rpz_cidr); + if (rbtdb->load_rpzs != NULL) { + /* + * We must be cleaning up after a failed zone loading. + */ + REQUIRE(rbtdb->rpzs != NULL && + rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->load_rpzs); + } + if (rbtdb->rpzs != NULL) { + REQUIRE(rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->rpzs); + } #endif isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks, @@ -1515,11 +1527,11 @@ switch (node->nsec) { case DNS_RBT_NSEC_NORMAL: #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL) { dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_rbt_fullnamefromnode(node, name); - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); } #endif result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); @@ -1555,11 +1567,11 @@ isc_result_totext(result)); } } + result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL) + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); #endif - result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); break; case DNS_RBT_NSEC_NSEC: result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE); @@ -1573,7 +1585,7 @@ DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_WARNING, - "delete_cnode(): " + "delete_node(): " "dns_rbt_deletenode: %s", isc_result_totext(result)); } @@ -2538,14 +2550,15 @@ result = dns_rbt_addnode(tree, name, &node); if (result == ISC_R_SUCCESS) { #ifdef BIND9 - if (tree == rbtdb->tree && rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL && tree == rbtdb->tree) { dns_fixedname_t fnamef; dns_name_t *fname; dns_fixedname_init(&fnamef); fname = dns_fixedname_name(&fnamef); dns_rbt_fullnamefromnode(node, fname); - dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname); + result = dns_rpz_add(rbtdb->rpzs, + rbtdb->rpz_num, fname); } #endif dns_rbt_namefromnode(node, &nodename); @@ -4547,228 +4560,45 @@ return (result); } +#ifdef BIND9 /* - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Connect this RBTDB to the response policy zone summary data for the view. */ -#ifdef BIND9 -static isc_result_t -rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - dns_rbtdb_t *rbtdb; - isc_result_t result; +static void +rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + dns_rbtdb_t * rbtdb; - result = ISC_R_SUCCESS; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - if (st != NULL) { - dns_rpz_enabled_get(rbtdb->rpz_cidr, st); - } else { - result = dns_rpz_new_cidr(rbtdb->common.mctx, - &rbtdb->common.origin, - &rbtdb->rpz_cidr); - } - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return (result); + + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + REQUIRE(rbtdb->rpzs == NULL && rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &rbtdb->rpzs); + rbtdb->rpz_num = rpz_num; + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } /* - * Search the CDIR block tree of a response policy tree of trees for all of - * the IP addresses in an A or AAAA rdataset. - * Among the policies for all IPv4 and IPv6 addresses for a name, choose - * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, - * the longest prefix, - * the lexically smallest address. - * The caller must have already checked that any existing policy was not - * configured earlier than this policy zone and does not have a higher - * precedence type. + * Enable this RBTDB as a response policy zone. */ -static void -rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - dns_rbtdb_t *rbtdb; - struct in_addr ina; - struct in6_addr in6a; - isc_netaddr_t netaddr; - dns_fixedname_t selfnamef, qnamef; - dns_name_t *selfname, *qname; - dns_rbtnode_t *node; - dns_rdataset_t zrdataset; - dns_rpz_cidr_bits_t prefix; +static isc_result_t +rpz_ready(dns_db_t *db) { + dns_rbtdb_t * rbtdb; isc_result_t result; - dns_rpz_policy_t rpz_policy; - dns_ttl_t ttl; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - - if (rbtdb->rpz_cidr == NULL) { - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return; - } - - dns_fixedname_init(&selfnamef); - dns_fixedname_init(&qnamef); - selfname = dns_fixedname_name(&selfnamef); - qname = dns_fixedname_name(&qnamef); - - for (result = dns_rdataset_first(ardataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(ardataset)) { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_current(ardataset, &rdata); - switch (rdata.type) { - case dns_rdatatype_a: - INSIST(rdata.length == 4); - memcpy(&ina.s_addr, rdata.data, 4); - isc_netaddr_fromin(&netaddr, &ina); - break; - case dns_rdatatype_aaaa: - INSIST(rdata.length == 16); - memcpy(in6a.s6_addr, rdata.data, 16); - isc_netaddr_fromin6(&netaddr, &in6a); - break; - default: - continue; - } - result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type, - selfname, qname, &prefix); - if (result != ISC_R_SUCCESS) - continue; - - /* - * If we already have a rule, discard this new rule if - * is not better. - * The caller has checked that st->m.rpz->num > rpz->num - * or st->m.rpz->num == rpz->num and st->m.type >= rpz_type - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS && - st->m.rpz->num == rpz->num && - (st->m.type < rpz_type || - (st->m.type == rpz_type && - (st->m.prefix > prefix || - (st->m.prefix == prefix && - 0 > dns_name_rdatacompare(st->qname, qname)))))) - continue; - - /* - * We have rpz_st an entry with a prefix at least as long as - * the prefix of the entry we had before. Find the node - * corresponding to CDIR tree entry. - */ - node = NULL; - result = dns_rbt_findnode(rbtdb->tree, qname, NULL, - &node, NULL, 0, NULL, NULL); - if (result != ISC_R_SUCCESS) { - char namebuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, namebuf, sizeof(namebuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz_findips findnode(%s) failed: %s", - namebuf, isc_result_totext(result)); - continue; - } - /* - * First look for a simple rewrite of the IP address. - * If that fails, look for a CNAME. If we cannot find - * a CNAME or the CNAME is neither of the special forms - * "*" or ".", treat it like a real CNAME. - */ - dns_rdataset_init(&zrdataset); - result = dns_db_findrdataset(db, node, version, ardataset->type, - 0, 0, &zrdataset, NULL); - if (result != ISC_R_SUCCESS) - result = dns_db_findrdataset(db, node, version, - dns_rdatatype_cname, - 0, 0, &zrdataset, NULL); - if (result == ISC_R_SUCCESS) { - if (zrdataset.type != dns_rdatatype_cname) { - rpz_policy = DNS_RPZ_POLICY_RECORD; - } else { - rpz_policy = dns_rpz_decode_cname(rpz, - &zrdataset, - selfname); - if (rpz_policy == DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) - result = DNS_R_CNAME; - } - ttl = zrdataset.ttl; - } else { - rpz_policy = DNS_RPZ_POLICY_RECORD; - result = DNS_R_NXRRSET; - ttl = DNS_RPZ_TTL_DEFAULT; - } - - /* - * Use an overriding action specified in the configuration file - */ - if (rpz->policy != DNS_RPZ_POLICY_GIVEN) { - /* - * only log DNS_RPZ_POLICY_DISABLED hits - */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - if (isc_log_wouldlog(dns_lctx, - DNS_RPZ_INFO_LEVEL)) { - char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; - dns_name_format(query_qname, qname_buf, - sizeof(qname_buf)); - dns_name_format(qname, rpz_qname_buf, - sizeof(rpz_qname_buf)); - - isc_log_write(dns_lctx, - DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, - DNS_RPZ_INFO_LEVEL, - "disabled rpz %s %s rewrite" - " %s via %s", - dns_rpz_type2str(rpz_type), - dns_rpz_policy2str(rpz_policy), - qname_buf, rpz_qname_buf); - } - continue; - } - - rpz_policy = rpz->policy; - } - - if (dns_rdataset_isassociated(st->m.rdataset)) - dns_rdataset_disassociate(st->m.rdataset); - if (st->m.node != NULL) - dns_db_detachnode(st->m.db, &st->m.node); - if (st->m.db != NULL) - dns_db_detach(&st->m.db); - if (st->m.zone != NULL) - dns_zone_detach(&st->m.zone); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = prefix; - st->m.policy = rpz_policy; - st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl); - st->m.result = result; - dns_name_copy(qname, st->qname, NULL); - if ((rpz_policy == DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) && - result != DNS_R_NXRRSET) { - dns_rdataset_clone(&zrdataset,st->m.rdataset); - dns_db_attachnode(db, node, &st->m.node); - } - dns_db_attach(db, &st->m.db); - st->m.version = version; - dns_zone_attach(zone, &st->m.zone); - if (dns_rdataset_isassociated(&zrdataset)) - dns_rdataset_disassociate(&zrdataset); + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + if (rbtdb->rpzs == NULL) { + INSIST(rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + result = ISC_R_SUCCESS; + } else { + result = dns_rpz_ready(rbtdb->rpzs, &rbtdb->load_rpzs, + rbtdb->rpz_num); } - - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + return (result); } #endif @@ -6874,8 +6704,9 @@ noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep); #ifdef BIND9 - if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_addip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) + noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, + name); #endif if (!hasnsec) @@ -7060,6 +6891,20 @@ RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); +#ifdef BIND9 + if (rbtdb->rpzs != NULL) { + isc_result_t result; + + result = dns_rpz_beginload(&rbtdb->load_rpzs, + rbtdb->rpzs, rbtdb->rpz_num); + if (result != ISC_R_SUCCESS) { + isc_mem_put(rbtdb->common.mctx, loadctx, + sizeof(*loadctx)); + return (result); + } + } +#endif + REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING)) == 0); rbtdb->attributes |= RBTDB_ATTR_LOADING; @@ -7461,8 +7306,8 @@ isdnssec, NULL, #ifdef BIND9 - rpz_enabled, - rpz_findips, + rpz_attach, + rpz_ready, #else NULL, NULL, @@ -7776,6 +7621,9 @@ } rbtdb->attributes = 0; rbtdb->task = NULL; + rbtdb->rpzs = NULL; + rbtdb->load_rpzs = NULL; + rbtdb->rpz_num = DNS_RPZ_INVALID_NUM; /* * Version Initialization. Index: lib/dns/rpz.c =================================================================== --- lib/dns/rpz.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/rpz.c 2013-08-05 14:14:45.921498580 +0200 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include @@ -44,9 +45,13 @@ /* * Parallel radix trees for databases of response policy IP addresses * - * The radix or Patricia trees are somewhat specialized to handle response - * policy addresses by representing the two test of IP IP addresses and name - * server IP addresses in a single tree. + * The radix or patricia trees are somewhat specialized to handle response + * policy addresses by representing the two sets of IP addresses and name + * server IP addresses in a single tree. One set of IP addresses is + * for rpz-ip policies or policies triggered by addresses in A or + * AAAA records in responses. + * The second set is for rpz-nsip policies or policies triggered by addresses + * in A or AAAA records for NS records that are authorities for responses. * * Each leaf indicates that an IP address is listed in the IP address or the * name server IP address policy sub-zone (or both) of the corresponding @@ -55,7 +60,8 @@ * tree, the node in the policy zone's database is found by converting * the IP address to a domain name in a canonical form. * - * The response policy zone canonical form of IPv6 addresses is one of: + * + * The response policy zone canonical form of an IPv6 address is one of: * prefix.W.W.W.W.W.W.W.W * prefix.WORDS.zz * prefix.WORDS.zz.WORDS @@ -72,7 +78,7 @@ * prefix is the prefix length of the address between 1 and 32 * B is a number between 0 and 255 * - * IPv4 addresses are distinguished from IPv6 addresses by having + * Names for IPv4 addresses are distinguished from IPv6 addresses by having * 5 labels all of which are numbers, and a prefix between 1 and 32. */ @@ -90,43 +96,89 @@ } dns_rpz_cidr_key_t; #define ADDR_V4MAPPED 0xffff +#define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 && \ + (ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED) + +#define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ + : ((dns_rpz_cidr_word_t)(-1) \ + << (DNS_RPZ_CIDR_WORD_BITS - (b)))) + +/* + * Get bit #n from the array of words of an IP address. + */ +#define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >> \ + (DNS_RPZ_CIDR_WORD_BITS \ + - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS)))) -#define DNS_RPZ_WORD_MASK(b) \ - ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ - : ((dns_rpz_cidr_word_t)(-1) \ - << (DNS_RPZ_CIDR_WORD_BITS - (b)))) - -#define DNS_RPZ_IP_BIT(ip, bitno) \ - (1 & ((ip)->w[(bitno)/DNS_RPZ_CIDR_WORD_BITS] >> \ - (DNS_RPZ_CIDR_WORD_BITS - 1 - ((bitno) % DNS_RPZ_CIDR_WORD_BITS)))) +/* + * A triplet of arrays of bits flagging the existence of + * client-IP, IP, and NSIP policy triggers. + */ +typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t; +struct dns_rpz_addr_zbits { + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsip; +}; -typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; -typedef isc_uint8_t dns_rpz_cidr_flags_t; +/* + * A CIDR or radix tree node. + */ struct dns_rpz_cidr_node { - dns_rpz_cidr_node_t *parent; - dns_rpz_cidr_node_t *child[2]; - dns_rpz_cidr_key_t ip; - dns_rpz_cidr_bits_t bits; - dns_rpz_cidr_flags_t flags; -#define DNS_RPZ_CIDR_FG_IP 0x01 /* has IP data or is parent of IP */ -#define DNS_RPZ_CIDR_FG_IP_DATA 0x02 /* has IP data */ -#define DNS_RPZ_CIDR_FG_NSIPv4 0x04 /* has or is parent of NSIPv4 data */ -#define DNS_RPZ_CIDR_FG_NSIPv6 0x08 /* has or is parent of NSIPv6 data */ -#define DNS_RPZ_CIDR_FG_NSIP_DATA 0x10 /* has NSIP data */ + dns_rpz_cidr_node_t *parent; + dns_rpz_cidr_node_t *child[2]; + dns_rpz_cidr_key_t ip; + dns_rpz_prefix_t prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_addr_zbits_t sum; +}; + +/* + * The data in a RBT node has two pairs of bits for policy zones. + * One pair is for the corresponding name of the node such as example.com + * and the other pair is for a wildcard child such as *.example.com. + */ +/* + * A pair of arrays of bits flagging the existence of + * QNAME and NSDNAME policy triggers. + */ +typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t; +struct dns_rpz_nm_zbits { + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ns; }; -struct dns_rpz_cidr { - isc_mem_t *mctx; - isc_boolean_t have_nsdname; /* zone has NSDNAME record */ - dns_rpz_cidr_node_t *root; - dns_name_t ip_name; /* RPZ_IP_ZONE.origin. */ - dns_name_t nsip_name; /* RPZ_NSIP_ZONE.origin. */ - dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */ +typedef struct dns_rpz_nm_data dns_rpz_nm_data_t; +struct dns_rpz_nm_data { + dns_rpz_nm_zbits_t set; + dns_rpz_nm_zbits_t wild; }; +#if 0 +/* + * Catch a name while debugging. + */ +static void +catch_name(const dns_name_t *src_name, const char *tgt, const char *str) { + dns_fixedname_t tgt_namef; + dns_name_t *tgt_name; + + dns_fixedname_init(&tgt_namef); + tgt_name = dns_fixedname_name(&tgt_namef); + dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL); + if (dns_name_equal(src_name, tgt_name)) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz hit failed: %s %s", str, tgt); + } +} +#endif + const char * dns_rpz_type2str(dns_rpz_type_t type) { switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + return ("CLIENT-IP"); case DNS_RPZ_TYPE_QNAME: return ("QNAME"); case DNS_RPZ_TYPE_IP: @@ -138,32 +190,33 @@ case DNS_RPZ_TYPE_BAD: break; } - FATAL_ERROR(__FILE__, __LINE__, - "impossible rpz type %d", type); + FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type); return ("impossible"); } dns_rpz_policy_t dns_rpz_str2policy(const char *str) { + static struct { + const char *str; + dns_rpz_policy_t policy; + } tbl[] = { + {"given", DNS_RPZ_POLICY_GIVEN}, + {"disabled", DNS_RPZ_POLICY_DISABLED}, + {"passthru", DNS_RPZ_POLICY_PASSTHRU}, + {"drop", DNS_RPZ_POLICY_DROP}, + {"nxdomain", DNS_RPZ_POLICY_NXDOMAIN}, + {"nodata", DNS_RPZ_POLICY_NODATA}, + {"cname", DNS_RPZ_POLICY_CNAME}, + {"no-op", DNS_RPZ_POLICY_PASSTHRU}, /* Obsolete */ + }; + unsigned int n; + if (str == NULL) return (DNS_RPZ_POLICY_ERROR); - if (!strcasecmp(str, "given")) - return (DNS_RPZ_POLICY_GIVEN); - if (!strcasecmp(str, "disabled")) - return (DNS_RPZ_POLICY_DISABLED); - if (!strcasecmp(str, "passthru")) - return (DNS_RPZ_POLICY_PASSTHRU); - if (!strcasecmp(str, "nxdomain")) - return (DNS_RPZ_POLICY_NXDOMAIN); - if (!strcasecmp(str, "nodata")) - return (DNS_RPZ_POLICY_NODATA); - if (!strcasecmp(str, "cname")) - return (DNS_RPZ_POLICY_CNAME); - /* - * Obsolete - */ - if (!strcasecmp(str, "no-op")) - return (DNS_RPZ_POLICY_PASSTHRU); + for (n = 0; n < sizeof(tbl)/sizeof(tbl[0]); ++n) { + if (!strcasecmp(tbl[n].str, str)) + return (tbl[n].policy); + } return (DNS_RPZ_POLICY_ERROR); } @@ -175,6 +228,9 @@ case DNS_RPZ_POLICY_PASSTHRU: str = "PASSTHRU"; break; + case DNS_RPZ_POLICY_DROP: + str = "DROP"; + break; case DNS_RPZ_POLICY_NXDOMAIN: str = "NXDOMAIN"; break; @@ -196,243 +252,276 @@ return (str); } -/* - * Free the radix tree of a response policy database. - */ -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidrp) { - dns_rpz_cidr_node_t *cur, *child, *parent; - dns_rpz_cidr_t *cidr; - - REQUIRE(cidrp != NULL); - - cidr = *cidrp; - if (cidr == NULL) - return; - - cur = cidr->root; - while (cur != NULL) { - /* Depth first. */ - child = cur->child[0]; - if (child != NULL) { - cur = child; - continue; - } - child = cur->child[1]; - if (child != NULL) { - cur = child; - continue; - } +static int +zbit_to_num(dns_rpz_zbits_t zbit) { + dns_rpz_num_t rpz_num; - /* Delete this leaf and go up. */ - parent = cur->parent; - if (parent == NULL) - cidr->root = NULL; - else - parent->child[parent->child[1] == cur] = NULL; - isc_mem_put(cidr->mctx, cur, sizeof(*cur)); - cur = parent; + INSIST(zbit != 0); + rpz_num = 0; +#if DNS_RPZ_MAX_ZONES > 32 + if ((zbit & 0xffffffff00000000L) != 0) { + zbit >>= 32; + rpz_num += 32; } - - dns_name_free(&cidr->ip_name, cidr->mctx); - dns_name_free(&cidr->nsip_name, cidr->mctx); - dns_name_free(&cidr->nsdname_name, cidr->mctx); - isc_mem_put(cidr->mctx, cidr, sizeof(*cidr)); - *cidrp = NULL; +#endif + if ((zbit & 0xffff0000) != 0) { + zbit >>= 16; + rpz_num += 16; + } + if ((zbit & 0xff00) != 0) { + zbit >>= 8; + rpz_num += 8; + } + if ((zbit & 0xf0) != 0) { + zbit >>= 4; + rpz_num += 4; + } + if ((zbit & 0xc) != 0) { + zbit >>= 2; + rpz_num += 2; + } + if ((zbit & 2) != 0) + ++rpz_num; + return (rpz_num); } /* - * Forget a view's list of policy zones. + * Make a set of bit masks given one or more bits and their type. */ -void -dns_rpz_view_destroy(dns_view_t *view) { - dns_rpz_zone_t *zone; - - REQUIRE(view != NULL); +static void +make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits, + dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + tgt_set->client_ip = zbits; + tgt_set->ip = 0; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_IP: + tgt_set->client_ip = 0; + tgt_set->ip = zbits; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_NSIP: + tgt_set->client_ip = 0; + tgt_set->ip = 0; + tgt_set->nsip = zbits; + break; + default: + INSIST(0); + break; + } +} - while (!ISC_LIST_EMPTY(view->rpz_zones)) { - zone = ISC_LIST_HEAD(view->rpz_zones); - ISC_LIST_UNLINK(view->rpz_zones, zone, link); - if (dns_name_dynamic(&zone->origin)) - dns_name_free(&zone->origin, view->mctx); - if (dns_name_dynamic(&zone->passthru)) - dns_name_free(&zone->passthru, view->mctx); - if (dns_name_dynamic(&zone->nsdname)) - dns_name_free(&zone->nsdname, view->mctx); - if (dns_name_dynamic(&zone->cname)) - dns_name_free(&zone->cname, view->mctx); - isc_mem_put(view->mctx, zone, sizeof(*zone)); +static void +make_nm_set(dns_rpz_nm_zbits_t *tgt_set, + dns_rpz_num_t rpz_num, dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_QNAME: + tgt_set->qname = DNS_RPZ_ZBIT(rpz_num); + tgt_set->ns = 0; + break; + case DNS_RPZ_TYPE_NSDNAME: + tgt_set->qname = 0; + tgt_set->ns = DNS_RPZ_ZBIT(rpz_num); + break; + default: + INSIST(0); + break; } } /* - * Start a new radix tree for a response policy zone. + * Mark a node and all of its parents as having client-IP, IP, or NSIP data */ -isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr) -{ - isc_result_t result; - dns_rpz_cidr_t *cidr; - - REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL); - - cidr = isc_mem_get(mctx, sizeof(*cidr)); - if (cidr == NULL) - return (ISC_R_NOMEMORY); - memset(cidr, 0, sizeof(*cidr)); - cidr->mctx = mctx; +static void +set_sum_pair(dns_rpz_cidr_node_t *cnode) { + dns_rpz_cidr_node_t *child; + dns_rpz_addr_zbits_t sum; - dns_name_init(&cidr->ip_name, NULL); - result = dns_name_fromstring2(&cidr->ip_name, DNS_RPZ_IP_ZONE, origin, - DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + do { + sum = cnode->set; - dns_name_init(&cidr->nsip_name, NULL); - result = dns_name_fromstring2(&cidr->nsip_name, DNS_RPZ_NSIP_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[0]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - dns_name_init(&cidr->nsdname_name, NULL); - result = dns_name_fromstring2(&cidr->nsdname_name, DNS_RPZ_NSDNAME_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->nsip_name, mctx); - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[1]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - *rbtdb_cidr = cidr; - return (ISC_R_SUCCESS); + if (cnode->sum.client_ip == sum.client_ip && + cnode->sum.ip == sum.ip && + cnode->sum.nsip == sum.nsip) + break; + cnode->sum = sum; + cnode = cnode->parent; + } while (cnode != NULL); } -/* - * See if a policy zone has IP, NSIP, or NSDNAME rules or records. - */ -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) { - if (cidr == NULL) - return; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_IP) != 0) - st->state |= DNS_RPZ_HAVE_IP; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv4) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv4; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv6) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv6; - if (cidr->have_nsdname) - st->state |= DNS_RPZ_HAVE_NSDNAME; -} - -static inline dns_rpz_cidr_flags_t -get_flags(const dns_rpz_cidr_key_t *ip, dns_rpz_cidr_bits_t prefix, - dns_rpz_type_t rpz_type) -{ - if (rpz_type == DNS_RPZ_TYPE_NSIP) { - if (prefix >= 96 && - ip->w[0] == 0 && ip->w[1] == 0 && - ip->w[2] == ADDR_V4MAPPED) - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv4); - else - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv6); +static void +fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) { + dns_rpz_zbits_t zbits; + + /* + * Get a mask covering all policy zones that are not subordinate to + * other policy zones containing triggers that require that the + * qname be resolved before they can be checked. + */ + if (rpzs->p.qname_wait_recurse) { + zbits = 0; } else { - return (DNS_RPZ_CIDR_FG_IP | DNS_RPZ_CIDR_FG_IP_DATA); + zbits = (rpzs->have.ipv4 || rpzs->have.ipv6 || + rpzs->have.nsdname || + rpzs->have.nsipv4 || rpzs->have.nsipv6); + if (zbits == 0) { + zbits = DNS_RPZ_ALL_ZBITS; + } else { + zbits = DNS_RPZ_ZMASK(zbit_to_num(zbits)); + } } + rpzs->have.qname_skip_recurse = zbits; + + rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6; + rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6; + rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6; } -/* - * Mark a node as having IP or NSIP data and all of its parents - * as members of the IP or NSIP tree. - */ static void -set_node_flags(dns_rpz_cidr_node_t *node, dns_rpz_type_t rpz_type) { - dns_rpz_cidr_flags_t flags; +adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + isc_boolean_t inc) +{ + dns_rpz_zone_t *rpz; + int *cnt; + dns_rpz_zbits_t *have; + + rpz = rpzs->zones[rpz_num]; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpz->triggers.client_ipv4; + have = &rpzs->have.client_ipv4; + } else { + cnt = &rpz->triggers.client_ipv6; + have = &rpzs->have.client_ipv6; + } + break; + case DNS_RPZ_TYPE_QNAME: + cnt = &rpz->triggers.qname; + have = &rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpz->triggers.ipv4; + have = &rpzs->have.ipv4; + } else { + cnt = &rpz->triggers.ipv6; + have = &rpzs->have.ipv6; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + cnt = &rpz->triggers.nsdname; + have = &rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpz->triggers.nsipv4; + have = &rpzs->have.nsipv4; + } else { + cnt = &rpz->triggers.nsipv6; + have = &rpzs->have.nsipv6; + } + break; + default: + INSIST(0); + } - flags = get_flags(&node->ip, node->bits, rpz_type); - node->flags |= flags; - flags &= ~(DNS_RPZ_CIDR_FG_NSIP_DATA | DNS_RPZ_CIDR_FG_IP_DATA); - for (;;) { - node = node->parent; - if (node == NULL) - return; - node->flags |= flags; + if (inc) { + if (++*cnt == 1) { + *have |= DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } + } else { + REQUIRE(*cnt > 0); + if (--*cnt == 0) { + *have &= ~DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } } } -/* - * Make a radix tree node. - */ static dns_rpz_cidr_node_t * -new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip, - dns_rpz_cidr_bits_t bits, dns_rpz_cidr_flags_t flags) +new_node(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix, + const dns_rpz_cidr_node_t *child) { - dns_rpz_cidr_node_t *node; + dns_rpz_cidr_node_t *new; int i, words, wlen; - node = isc_mem_get(cidr->mctx, sizeof(*node)); - if (node == NULL) + new = isc_mem_get(rpzs->mctx, sizeof(*new)); + if (new == NULL) return (NULL); - memset(node, 0, sizeof(*node)); + memset(new, 0, sizeof(*new)); - node->flags = flags & ~(DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); + if (child != NULL) + new->sum = child->sum; - node->bits = bits; - words = bits / DNS_RPZ_CIDR_WORD_BITS; - wlen = bits % DNS_RPZ_CIDR_WORD_BITS; + new->prefix = prefix; + words = prefix / DNS_RPZ_CIDR_WORD_BITS; + wlen = prefix % DNS_RPZ_CIDR_WORD_BITS; i = 0; while (i < words) { - node->ip.w[i] = ip->w[i]; + new->ip.w[i] = ip->w[i]; ++i; } if (wlen != 0) { - node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); + new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); ++i; } while (i < DNS_RPZ_CIDR_WORDS) - node->ip.w[i++] = 0; + new->ip.w[i++] = 0; - return (node); + return (new); } static void badname(int level, dns_name_t *name, const char *str1, const char *str2) { - char printname[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "invalid rpz". */ - if (level < DNS_RPZ_DEBUG_QUIET - && isc_log_wouldlog(dns_lctx, level)) { - dns_name_format(name, printname, sizeof(printname)); + if (level < DNS_RPZ_DEBUG_QUIET && + isc_log_wouldlog(dns_lctx, level)) { + dns_name_format(name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, level, "invalid rpz IP address \"%s\"%s%s", - printname, str1, str2); + namebuf, str1, str2); } } /* * Convert an IP address from radix tree binary (host byte order) to - * to its canonical response policy domain name and its name in the + * to its canonical response policy domain name without the origin of the * policy zone. */ static isc_result_t -ip2name(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - dns_name_t *canon_name, dns_name_t *search_name) +ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + dns_name_t *base_name, dns_name_t *ip_name) { #ifndef INET6_ADDRSTRLEN #define INET6_ADDRSTRLEN 46 @@ -440,22 +529,18 @@ int w[DNS_RPZ_CIDR_WORDS*2]; char str[1+8+1+INET6_ADDRSTRLEN+1]; isc_buffer_t buffer; - dns_name_t *name; isc_result_t result; isc_boolean_t zeros; int i, n, len; - if (tgt_prefix > 96 && - tgt_ip->w[0] == 0 && - tgt_ip->w[1] == 0 && - tgt_ip->w[2] == ADDR_V4MAPPED) { + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d", tgt_prefix - 96, tgt_ip->w[3] & 0xff, (tgt_ip->w[3]>>8) & 0xff, (tgt_ip->w[3]>>16) & 0xff, (tgt_ip->w[3]>>24) & 0xff); - if (len == -1 || len > (int)sizeof(str)) + if (len < 0 || len > (int)sizeof(str)) return (ISC_R_FAILURE); } else { for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) { @@ -469,9 +554,9 @@ return (ISC_R_FAILURE); i = 0; while (i < DNS_RPZ_CIDR_WORDS * 2) { - if (w[i] != 0 || zeros - || i >= DNS_RPZ_CIDR_WORDS * 2 - 1 - || w[i+1] != 0) { + if (w[i] != 0 || zeros || + i >= DNS_RPZ_CIDR_WORDS * 2 - 1 || + w[i+1] != 0) { INSIST((size_t)len <= sizeof(str)); n = snprintf(&str[len], sizeof(str) - len, ".%x", w[i++]); @@ -495,48 +580,31 @@ } } - if (canon_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - result = dns_name_fromtext(canon_name, &buffer, - dns_rootname, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - if (search_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - if (type == DNS_RPZ_TYPE_NSIP) - name = &cidr->nsip_name; - else - name = &cidr->ip_name; - result = dns_name_fromtext(search_name, &buffer, name, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - return (ISC_R_SUCCESS); + isc__buffer_init(&buffer, str, sizeof(str)); + isc__buffer_add(&buffer, len); + result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL); + return (result); } /* - * Decide which kind of IP address response policy zone a name is in. + * Determine the type a of a name in a response policy zone. */ static dns_rpz_type_t -set_type(dns_rpz_cidr_t *cidr, dns_name_t *name) { +type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) { - if (dns_name_issubdomain(name, &cidr->ip_name)) + if (dns_name_issubdomain(name, &rpz->ip)) return (DNS_RPZ_TYPE_IP); - /* - * Require `./configure --enable-rpz-nsip` and nsdname - * until consistency problems are resolved. - */ + if (dns_name_issubdomain(name, &rpz->client_ip)) + return (DNS_RPZ_TYPE_CLIENT_IP); + #ifdef ENABLE_RPZ_NSIP - if (dns_name_issubdomain(name, &cidr->nsip_name)) + if (dns_name_issubdomain(name, &rpz->nsip)) return (DNS_RPZ_TYPE_NSIP); #endif #ifdef ENABLE_RPZ_NSDNAME - if (dns_name_issubdomain(name, &cidr->nsdname_name)) + if (dns_name_issubdomain(name, &rpz->nsdname)) return (DNS_RPZ_TYPE_NSDNAME); #endif @@ -545,73 +613,80 @@ /* * Convert an IP address from canonical response policy domain name form - * to radix tree binary (host byte order). + * to radix tree binary (host byte order) for adding or deleting IP or NSIP + * data. */ static isc_result_t -name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, - dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t *tgt_prefix) +name2ipkey(int log_level, + const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name, + dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix, + dns_rpz_addr_zbits_t *new_set) { - isc_result_t result; - dns_fixedname_t fname; - dns_name_t *ipname; - char ipstr[DNS_NAME_FORMATSIZE]; + dns_rpz_zone_t *rpz; + char ip_str[DNS_NAME_FORMATSIZE]; + dns_offsets_t ip_name_offsets; + dns_fixedname_t ip_name2f; + dns_name_t ip_name, *ip_name2; const char *prefix_str, *cp, *end; char *cp2; int ip_labels; - dns_rpz_cidr_bits_t bits; - unsigned long prefix, l; + dns_rpz_prefix_t prefix; + unsigned long prefix_num, l; + isc_result_t result; int i; - /* - * Need at least enough labels for the shortest name, - * :: or 128.*.RPZ_x_ZONE.rpz.LOCALHOST. - */ + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type); + ip_labels = dns_name_countlabels(src_name); - ip_labels -= dns_name_countlabels(&cidr->ip_name); - ip_labels--; - if (ip_labels < 1) { - badname(level, src_name, "; too short", ""); + if (rpz_type == DNS_RPZ_TYPE_QNAME) + ip_labels -= dns_name_countlabels(&rpz->origin); + else + ip_labels -= dns_name_countlabels(&rpz->nsdname); + if (ip_labels < 2) { + badname(log_level, src_name, "; too short", ""); return (ISC_R_FAILURE); } + dns_name_init(&ip_name, ip_name_offsets); + dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name); /* * Get text for the IP address */ - dns_fixedname_init(&fname); - ipname = dns_fixedname_name(&fname); - dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name), - ipname, NULL); - dns_name_format(ipname, ipstr, sizeof(ipstr)); - end = &ipstr[strlen(ipstr)+1]; - prefix_str = ipstr; + dns_name_format(&ip_name, ip_str, sizeof(ip_str)); + end = &ip_str[strlen(ip_str)+1]; + prefix_str = ip_str; - prefix = strtoul(prefix_str, &cp2, 10); + prefix_num = strtoul(prefix_str, &cp2, 10); if (*cp2 != '.') { - badname(level, src_name, + badname(log_level, src_name, "; invalid leading prefix length", ""); return (ISC_R_FAILURE); } *cp2 = '\0'; - if (prefix < 1U || prefix > 128U) { - badname(level, src_name, + if (prefix_num < 1U || prefix_num > 128U) { + badname(log_level, src_name, "; invalid prefix length of ", prefix_str); return (ISC_R_FAILURE); } cp = cp2+1; - if (ip_labels == 4 && !strchr(cp, 'z')) { + if (--ip_labels == 4 && !strchr(cp, 'z')) { /* * Convert an IPv4 address * from the form "prefix.w.z.y.x" */ - if (prefix > 32U) { - badname(level, src_name, + if (prefix_num > 32U) { + badname(log_level, src_name, "; invalid IPv4 prefix length of ", prefix_str); return (ISC_R_FAILURE); } - prefix += 96; - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + prefix_num += 96; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; tgt_ip->w[0] = 0; tgt_ip->w[1] = 0; tgt_ip->w[2] = ADDR_V4MAPPED; @@ -621,7 +696,7 @@ if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv4 octet ", cp); return (ISC_R_FAILURE); } @@ -632,7 +707,7 @@ /* * Convert a text IPv6 address. */ - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; for (i = 0; ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2; ip_labels--) { @@ -651,7 +726,7 @@ (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv6 word ", cp); return (ISC_R_FAILURE); } @@ -665,36 +740,37 @@ } } if (cp != end) { - badname(level, src_name, "", ""); + badname(log_level, src_name, "", ""); return (ISC_R_FAILURE); } /* * Check for 1s after the prefix length. */ - bits = (dns_rpz_cidr_bits_t)prefix; - while (bits < DNS_RPZ_CIDR_KEY_BITS) { + prefix = (dns_rpz_prefix_t)prefix_num; + while (prefix < DNS_RPZ_CIDR_KEY_BITS) { dns_rpz_cidr_word_t aword; - i = bits % DNS_RPZ_CIDR_WORD_BITS; - aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS]; + i = prefix % DNS_RPZ_CIDR_WORD_BITS; + aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS]; if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) { - badname(level, src_name, + badname(log_level, src_name, "; too small prefix length of ", prefix_str); return (ISC_R_FAILURE); } - bits -= i; - bits += DNS_RPZ_CIDR_WORD_BITS; + prefix -= i; + prefix += DNS_RPZ_CIDR_WORD_BITS; } /* - * Convert the address back to a canonical policy domain name - * to ensure that it is in canonical form. + * Convert the address back to a canonical domain name + * to ensure that the original name is in canonical form. */ - result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix, - type, NULL, ipname); - if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) { - badname(level, src_name, "; not canonical", ""); + dns_fixedname_init(&ip_name2f); + ip_name2 = dns_fixedname_name(&ip_name2f); + result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2); + if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) { + badname(log_level, src_name, "; not canonical", ""); return (ISC_R_FAILURE); } @@ -702,10 +778,54 @@ } /* - * Find first differing bit. + * Get trigger name and data bits for adding or deleting summary NSDNAME + * or QNAME data. */ -static int -ffbit(dns_rpz_cidr_word_t w) { +static void +name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, const dns_name_t *src_name, + dns_name_t *trig_name, dns_rpz_nm_data_t *new_data) +{ + dns_rpz_zone_t *rpz; + dns_offsets_t tmp_name_offsets; + dns_name_t tmp_name; + unsigned int prefix_len, n; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * Handle wildcards by putting only the parent into the + * summary RBT. The summary database only causes a check of the + * real policy zone where wildcards will be handled. + */ + if (dns_name_iswildcard(src_name)) { + prefix_len = 1; + memset(&new_data->set, 0, sizeof(new_data->set)); + make_nm_set(&new_data->wild, rpz_num, rpz_type); + } else { + prefix_len = 0; + make_nm_set(&new_data->set, rpz_num, rpz_type); + memset(&new_data->wild, 0, sizeof(new_data->wild)); + } + + dns_name_init(&tmp_name, tmp_name_offsets); + n = dns_name_countlabels(src_name); + n -= prefix_len; + if (rpz_type == DNS_RPZ_TYPE_QNAME) + n -= dns_name_countlabels(&rpz->origin); + else + n -= dns_name_countlabels(&rpz->nsdname); + dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name); + (void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL); +} + +/* + * Find the first differing bit in a key (IP address) word. + */ +static inline int +ffs_keybit(dns_rpz_cidr_word_t w) { int bit; bit = DNS_RPZ_CIDR_WORD_BITS-1; @@ -731,17 +851,17 @@ } /* - * Find the first differing bit in two keys. + * Find the first differing bit in two keys (IP addresses). */ static int -diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1, - const dns_rpz_cidr_key_t *key2, dns_rpz_cidr_bits_t bits2) +diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1, + const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2) { dns_rpz_cidr_word_t delta; - dns_rpz_cidr_bits_t maxbit, bit; + dns_rpz_prefix_t maxbit, bit; int i; - maxbit = ISC_MIN(bits1, bits2); + maxbit = ISC_MIN(prefix1, prefix2); /* * find the first differing words @@ -751,7 +871,7 @@ i++, bit += DNS_RPZ_CIDR_WORD_BITS) { delta = key1->w[i] ^ key2->w[i]; if (delta != 0) { - bit += ffbit(delta); + bit += ffs_keybit(delta); break; } } @@ -759,133 +879,170 @@ } /* + * Given a hit while searching the radix trees, + * clear all bits for higher numbered zones. + */ +static inline dns_rpz_zbits_t +trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) { + dns_rpz_zbits_t x; + + /* + * Isolate the first or smallest numbered hit bit. + * Make a mask of that bit and all smaller numbered bits. + */ + x = zbits & found; + x &= (~x + 1); + x = (x << 1) - 1; + return (zbits &= x); +} + +/* * Search a radix tree for an IP address for ordinary lookup * or for a CIDR block adding or deleting an entry - * The tree read (for simple search) or write lock must be held by the caller. * - * Return ISC_R_SUCCESS, ISC_R_NOTFOUND, DNS_R_PARTIALMATCH, ISC_R_EXISTS, - * ISC_R_NOMEMORY + * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND, + * and *found=longest match node + * or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY */ static isc_result_t -search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - isc_boolean_t create, - dns_rpz_cidr_node_t **found) /* NULL or longest match node */ +search(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + const dns_rpz_addr_zbits_t *tgt_set, isc_boolean_t create, + dns_rpz_cidr_node_t **found) { dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling; + dns_rpz_addr_zbits_t set; int cur_num, child_num; - dns_rpz_cidr_bits_t dbit; - dns_rpz_cidr_flags_t flags, data_flag; + dns_rpz_prefix_t dbit; isc_result_t find_result; - flags = get_flags(tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - + set = *tgt_set; find_result = ISC_R_NOTFOUND; - if (found != NULL) - *found = NULL; - cur = cidr->root; + *found = NULL; + cur = rpzs->cidr; parent = NULL; cur_num = 0; for (;;) { if (cur == NULL) { /* - * No child so we cannot go down. Fail or - * add the target as a child of the current parent. + * No child so we cannot go down. + * Quit with whatever we already found + * or add the target as a child of the current parent. */ if (!create) return (find_result); - child = new_node(cidr, tgt_ip, tgt_prefix, 0); + child = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (child == NULL) return (ISC_R_NOMEMORY); if (parent == NULL) - cidr->root = child; + rpzs->cidr = child; else parent->child[cur_num] = child; child->parent = parent; - set_node_flags(child, type); - if (found != NULL) - *found = cur; + child->set.client_ip |= tgt_set->client_ip; + child->set.ip |= tgt_set->ip; + child->set.nsip |= tgt_set->nsip; + set_sum_pair(child); + *found = cur; return (ISC_R_SUCCESS); } - /* - * Pretend a node not in the correct tree does not exist - * if we are not adding to the tree, - * If we are adding, then continue down to eventually - * add a node and mark/put this node in the correct tree. - */ - if ((cur->flags & flags) == 0 && !create) - return (find_result); + if ((cur->sum.client_ip & set.client_ip) == 0 && + (cur->sum.ip & set.ip) == 0 && + (cur->sum.nsip & set.nsip) == 0) { + /* + * This node has no relevant data + * and is in none of the target trees. + * Pretend it does not exist if we are not adding. + * + * If we are adding, continue down to eventually add + * a node and mark/put this node in the correct tree. + */ + if (!create) + return (find_result); + } - dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->bits); + dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix); /* - * dbit <= tgt_prefix and dbit <= cur->bits always. + * dbit <= tgt_prefix and dbit <= cur->prefix always. * We are finished searching if we matched all of the target. */ if (dbit == tgt_prefix) { - if (tgt_prefix == cur->bits) { + if (tgt_prefix == cur->prefix) { /* - * The current node matches the target exactly. - * It is the answer if it has data. + * The node's key matches the target exactly. */ - if ((cur->flags & data_flag) != 0) { - if (create) - return (ISC_R_EXISTS); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * It is the answer if it has data. + */ + *found = cur; + if (create) { + find_result = ISC_R_EXISTS; + } else { + find_result = ISC_R_SUCCESS; + } } else if (create) { /* - * The node had no data but does now. + * The node lacked relevant data, + * but will have it now. */ - set_node_flags(cur, type); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + cur->set.client_ip |= tgt_set->client_ip; + cur->set.ip |= tgt_set->ip; + cur->set.nsip |= tgt_set->nsip; + set_sum_pair(cur); + *found = cur; + find_result = ISC_R_SUCCESS; } return (find_result); } /* - * We know tgt_prefix < cur_bits which means that + * We know tgt_prefix < cur->prefix which means that * the target is shorter than the current node. * Add the target as the current node's parent. */ if (!create) return (find_result); - new_parent = new_node(cidr, tgt_ip, tgt_prefix, - cur->flags); + new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur); if (new_parent == NULL) return (ISC_R_NOMEMORY); new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1); new_parent->child[child_num] = cur; cur->parent = new_parent; - set_node_flags(new_parent, type); - if (found != NULL) - *found = new_parent; + new_parent->set = *tgt_set; + set_sum_pair(new_parent); + *found = new_parent; return (ISC_R_SUCCESS); } - if (dbit == cur->bits) { - /* - * We have a partial match by matching of all of the - * current node but only part of the target. - * Try to go down. - */ - if ((cur->flags & data_flag) != 0) { + if (dbit == cur->prefix) { + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * We have a partial match between of all of the + * current node but only part of the target. + * Continue searching for other hits in the + * same or lower numbered trees. + */ find_result = DNS_R_PARTIALMATCH; - if (found != NULL) - *found = cur; + *found = cur; + set.client_ip = trim_zbits(set.ip, + cur->set.client_ip); + set.ip = trim_zbits(set.ip, + cur->set.ip); + set.nsip = trim_zbits(set.nsip, + cur->set.nsip); } - parent = cur; cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); cur = cur->child[cur_num]; @@ -894,7 +1051,7 @@ /* - * dbit < tgt_prefix and dbit < cur->bits, + * dbit < tgt_prefix and dbit < cur->prefix, * so we failed to match both the target and the current node. * Insert a fork of a parent above the current node and * add the target as a sibling of the current node @@ -902,17 +1059,17 @@ if (!create) return (find_result); - sibling = new_node(cidr, tgt_ip, tgt_prefix, 0); + sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (sibling == NULL) return (ISC_R_NOMEMORY); - new_parent = new_node(cidr, tgt_ip, dbit, cur->flags); + new_parent = new_node(rpzs, tgt_ip, dbit, cur); if (new_parent == NULL) { - isc_mem_put(cidr->mctx, sibling, sizeof(*sibling)); + isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling)); return (ISC_R_NOMEMORY); } new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); @@ -920,129 +1077,675 @@ new_parent->child[1-child_num] = cur; cur->parent = new_parent; sibling->parent = new_parent; - set_node_flags(sibling, type); - if (found != NULL) - *found = sibling; + sibling->set = *tgt_set; + set_sum_pair(sibling); + *found = sibling; return (ISC_R_SUCCESS); } } /* - * Add an IP address to the radix tree of a response policy database. - * The tree write lock must be held by the caller. + * Add an IP address to the radix tree. */ -void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { - isc_result_t result; +static isc_result_t +add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - - REQUIRE(cidr != NULL); + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_cidr_node_t *found; + isc_result_t result; + result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &set); /* - * No worries if the new name is not an IP address. + * Log complaints about bad owner names but let the zone load. */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: - cidr->have_nsdname = ISC_TRUE; - return; - case DNS_RPZ_TYPE_QNAME: - case DNS_RPZ_TYPE_BAD: - return; - } - result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name, - type, &tgt_ip, &tgt_prefix); if (result != ISC_R_SUCCESS) - return; + return (ISC_R_SUCCESS); - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL); - if (result == ISC_R_EXISTS && - isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) - { - char printname[DNS_NAME_FORMATSIZE]; + result = search(rpzs, &tgt_ip, tgt_prefix, &set, ISC_TRUE, &found); + if (result != ISC_R_SUCCESS) { + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ - dns_name_format(name, printname, sizeof(printname)); + dns_name_format(src_name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz add failed; \"%s\" is a duplicate name", - printname); + "rpz add_cidr(%s) failed: %s", + namebuf, isc_result_totext(result)); + return (result); } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_TRUE); + return (result); } -/* - * Delete an IP address from the radix tree of a response policy database. - * The tree write lock must be held by the caller. - */ -void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) { +static isc_result_t +add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name, + const dns_rpz_nm_data_t *new_data) +{ + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data; isc_result_t result; - dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - dns_rpz_cidr_node_t *tgt = NULL, *parent, *child; - dns_rpz_cidr_flags_t flags, data_flag; - if (cidr == NULL) - return; + nmnode = NULL; + result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode); + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_EXISTS: + nm_data = nmnode->data; + if (nm_data == NULL) { + nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data)); + if (nm_data == NULL) + return (ISC_R_NOMEMORY); + *nm_data = *new_data; + nmnode->data = nm_data; + return (ISC_R_SUCCESS); + } + break; + default: + return (result); + } /* - * Decide which kind of policy zone IP address it is, if either - * and then find its node. + * Do not count bits that are already present */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: + if ((nm_data->set.qname & new_data->set.qname) != 0 || + (nm_data->set.ns & new_data->set.ns) != 0 || + (nm_data->wild.qname & new_data->wild.qname) != 0 || + (nm_data->wild.ns & new_data->wild.ns) != 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + /* - * We cannot easily count nsdnames because - * internal rbt nodes get deleted. + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz add_nm(%s): bits already set", namebuf); + return (ISC_R_EXISTS); + } + + nm_data->set.qname |= new_data->set.qname; + nm_data->set.ns |= new_data->set.ns; + nm_data->wild.qname |= new_data->wild.qname; + nm_data->wild.ns |= new_data->wild.ns; + return (ISC_R_SUCCESS); +} + +static isc_result_t +add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + dns_rpz_nm_data_t new_data; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data); + + result = add_nm(rpzs, trig_name, &new_data); + if (result == ISC_R_SUCCESS) + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE); + return (result); +} + +/* + * Callback to free the data for a node in the summary RBT database. + */ +static void +rpz_node_deleter(void *nm_data, void *mctx) { + isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t)); +} + +/* + * Get ready for a new set of policy zones. + */ +isc_result_t +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) { + dns_rpz_zones_t *new; + isc_result_t result; + + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + + *rpzsp = NULL; + + new = isc_mem_get(mctx, sizeof(*new)); + if (new == NULL) + return (ISC_R_NOMEMORY); + memset(new, 0, sizeof(*new)); + + result = isc_mutex_init(&new->search_lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_mutex_init(&new->maint_lock); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt); + if (result != ISC_R_SUCCESS) { + isc_refcount_decrement(&new->refs, NULL); + isc_refcount_destroy(&new->refs); + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + isc_mem_attach(mctx, &new->mctx); + + *rpzsp = new; + return (ISC_R_SUCCESS); +} + +/* + * Free the radix tree of a response policy database. + */ +static void +cidr_free(dns_rpz_zones_t *rpzs) { + dns_rpz_cidr_node_t *cur, *child, *parent; + + cur = rpzs->cidr; + while (cur != NULL) { + /* Depth first. */ + child = cur->child[0]; + if (child != NULL) { + cur = child; + continue; + } + child = cur->child[1]; + if (child != NULL) { + cur = child; + continue; + } + + /* Delete this leaf and go up. */ + parent = cur->parent; + if (parent == NULL) + rpzs->cidr = NULL; + else + parent->child[parent->child[1] == cur] = NULL; + isc_mem_put(rpzs->mctx, cur, sizeof(*cur)); + cur = parent; + } +} + +/* + * Discard a response policy zone blob + * before discarding the overall rpz structure. + */ +static void +rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) { + dns_rpz_zone_t *rpz; + unsigned int refs; + + rpz = *rpzp; + *rpzp = NULL; + isc_refcount_decrement(&rpz->refs, &refs); + if (refs != 0) return; - case DNS_RPZ_TYPE_QNAME: - case DNS_RPZ_TYPE_BAD: - return; + isc_refcount_destroy(&rpz->refs); + + if (dns_name_dynamic(&rpz->origin)) + dns_name_free(&rpz->origin, rpzs->mctx); + if (dns_name_dynamic(&rpz->client_ip)) + dns_name_free(&rpz->client_ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->ip)) + dns_name_free(&rpz->ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsdname)) + dns_name_free(&rpz->nsdname, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsip)) + dns_name_free(&rpz->nsip, rpzs->mctx); + if (dns_name_dynamic(&rpz->passthru)) + dns_name_free(&rpz->passthru, rpzs->mctx); + if (dns_name_dynamic(&rpz->drop)) + dns_name_free(&rpz->drop, rpzs->mctx); + if (dns_name_dynamic(&rpz->cname)) + dns_name_free(&rpz->cname, rpzs->mctx); + + isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz)); +} + +void +dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) { + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + isc_refcount_increment(&rpzs->refs, NULL); + *rpzsp = rpzs; +} + +/* + * Forget a view's policy zones. + */ +void +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) { + dns_rpz_zones_t *rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; + unsigned int refs; + + REQUIRE(rpzsp != NULL); + rpzs = *rpzsp; + REQUIRE(rpzs != NULL); + + *rpzsp = NULL; + isc_refcount_decrement(&rpzs->refs, &refs); + + /* + * Forget the last of view's rpz machinery after the last reference. + */ + if (refs == 0) { + for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) { + rpz = rpzs->zones[rpz_num]; + rpzs->zones[rpz_num] = NULL; + if (rpz != NULL) + rpz_detach(&rpz, rpzs); + } + + cidr_free(rpzs); + dns_rbt_destroy(&rpzs->rbt); + DESTROYLOCK(&rpzs->maint_lock); + DESTROYLOCK(&rpzs->search_lock); + isc_refcount_destroy(&rpzs->refs); + isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs)); + } +} + +/* + * Create empty summary database to load one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) +{ + dns_rpz_zones_t *load_rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_zbits_t tgt; + isc_result_t result; + + REQUIRE(rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * When reloading a zone, there are usually records among the summary + * data for the zone. Some of those records might be deleted by the + * reloaded zone data. To deal with that case: + * reload the new zone data into a new blank summary database + * if the reload fails, discard the new summary database + * if the new zone data is acceptable, copy the records for the + * other zones into the new summary database and replace the + * old summary database with the new. + * + * At the first attempt to load a zone, there is no summary data + * for the zone and so no records that need to be deleted. + * This is also the most common case of policy zone loading. + * Most policy zone maintenance should be by incremental changes + * and so by the addition and deletion of individual records. + * Detect that case and load records the first time into the + * operational summary database + */ + tgt = DNS_RPZ_ZBIT(rpz_num); + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + if ((rpzs->load_begun & tgt) == 0) { + rpzs->load_begun |= tgt; + dns_rpz_attach_rpzs(rpzs, load_rpzsp); + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + } else { + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx); + if (result != ISC_R_SUCCESS) + return (result); + load_rpzs = *load_rpzsp; + load_rpzs->p.num_zones = rpzs->p.num_zones; + load_rpzs->zones[rpz_num] = rpz; + isc_refcount_increment(&rpz->refs, NULL); + } + + return (ISC_R_SUCCESS); +} + +static void +fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_triggers_t *totals) { + dns_rpz_num_t rpz_num; + const dns_rpz_zone_t *rpz; + dns_rpz_zbits_t zbit; + +# define SET_TRIG(type) \ + if (rpz == NULL || rpz->triggers.type == 0) { \ + rpzs->have.type &= ~zbit; \ + } else { \ + totals->type += rpz->triggers.type; \ + rpzs->have.type |= zbit; \ + } + + memset(totals, 0, sizeof(*totals)); + for (rpz_num = 0; rpz_num < rpzs->p.num_zones; ++rpz_num) { + rpz = rpzs->zones[rpz_num]; + zbit = DNS_RPZ_ZBIT(rpz_num); + SET_TRIG(client_ipv4); + SET_TRIG(client_ipv6); + SET_TRIG(qname); + SET_TRIG(ipv4); + SET_TRIG(ipv6); + SET_TRIG(nsdname); + SET_TRIG(nsipv4); + SET_TRIG(nsipv6); + } + + fix_qname_skip_recurse(rpzs); + +# undef SET_TRIG +} + +/* + * Finish loading one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_rpz_zones_t *load_rpzs; + const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode; + dns_rpz_cidr_node_t *found; + dns_rpz_zbits_t new_bit; + dns_rpz_addr_zbits_t new_ip; + dns_rbt_t *rbt; + dns_rbtnodechain_t chain; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, new_data; + dns_rpz_triggers_t old_totals, new_totals; + dns_fixedname_t labelf, originf, namef; + dns_name_t *label, *origin, *name; + isc_result_t result; + + INSIST(rpzs != NULL); + LOCK(&rpzs->maint_lock); + load_rpzs = *load_rpzsp; + INSIST(load_rpzs != NULL); + + if (load_rpzs == rpzs) { + /* + * This is a successful initial zone loading, + * perhaps for a new instance of a view. + */ + fix_triggers(rpzs, &new_totals); + UNLOCK(&rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + + if (rpz_num == rpzs->p.num_zones-1) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL, + "loaded policy %d zones with" + " %d client-IPv4, %d client-IPv6," + " %d qname, %d nsdname," + " %d IPv4, %d IPv6," + " %d NSIPv4, %d NSIPv6 entries", + rpzs->p.num_zones, + new_totals.client_ipv4, + new_totals.client_ipv6, + new_totals.qname, + new_totals.nsdname, + new_totals.ipv4, + new_totals.ipv6, + new_totals.nsipv4, + new_totals.nsipv6); + return (ISC_R_SUCCESS); + } + + LOCK(&load_rpzs->maint_lock); + LOCK(&load_rpzs->search_lock); + + /* + * Copy the other policy zones to the new summary databases + * unless there is only one policy zone. + */ + if (rpzs->p.num_zones > 1) { + new_bit = ~DNS_RPZ_ZBIT(rpz_num); + + /* + * Copy to the radix tree. + */ + for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) { + new_ip.ip = cnode->set.ip & new_bit; + new_ip.client_ip = cnode->set.client_ip & new_bit; + new_ip.nsip = cnode->set.nsip & new_bit; + if (new_ip.client_ip != 0 || + new_ip.ip != 0 || + new_ip.nsip != 0) { + result = search(load_rpzs, + &cnode->ip, cnode->prefix, + &new_ip, ISC_TRUE, &found); + if (result == ISC_R_NOMEMORY) + goto unlock_and_detach; + INSIST(result == ISC_R_SUCCESS); + } + /* + * Do down and to the left as far as possible. + */ + next_cnode = cnode->child[0]; + if (next_cnode != NULL) + continue; + /* + * Go up until we find a branch to the right where + * we previously took the branch to the left. + */ + for (;;) { + parent_cnode = cnode->parent; + if (parent_cnode == NULL) + break; + if (parent_cnode->child[0] == cnode) { + next_cnode = parent_cnode->child[1]; + if (next_cnode != NULL) + break; + } + cnode = parent_cnode; + } + } + + /* + * Copy to the summary RBT. + */ + dns_fixedname_init(&namef); + name = dns_fixedname_name(&namef); + dns_fixedname_init(&labelf); + label = dns_fixedname_name(&labelf); + dns_fixedname_init(&originf); + origin = dns_fixedname_name(&originf); + dns_rbtnodechain_init(&chain, NULL); + result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL); + while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { + result = dns_rbtnodechain_current(&chain, label, origin, + &nmnode); + INSIST(result == ISC_R_SUCCESS); + nm_data = nmnode->data; + if (nm_data != NULL) { + new_data.set.qname = (nm_data->set.qname & + new_bit); + new_data.set.ns = nm_data->set.ns & new_bit; + new_data.wild.qname = (nm_data->wild.qname & + new_bit); + new_data.wild.ns = nm_data->wild.ns & new_bit; + if (new_data.set.qname != 0 || + new_data.set.ns != 0 || + new_data.wild.qname != 0 || + new_data.wild.ns != 0) { + result = dns_name_concatenate(label, + origin, name, NULL); + INSIST(result == ISC_R_SUCCESS); + result = add_nm(load_rpzs, name, + &new_data); + if (result != ISC_R_SUCCESS) + goto unlock_and_detach; + } + } + result = dns_rbtnodechain_next(&chain, NULL, NULL); + } + if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_ready(): unexpected %s", + isc_result_totext(result)); + goto unlock_and_detach; + } } + fix_triggers(rpzs, &old_totals); + fix_triggers(load_rpzs, &new_totals); + + dns_name_format(&load_rpzs->zones[rpz_num]->origin, + namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL, + "reloading policy zone '%s' changed from" + " %d to %d qname, %d to %d nsdname," + " %d to %d IP, %d to %d NSIP entries", + namebuf, + old_totals.qname, new_totals.qname, + old_totals.nsdname, new_totals.nsdname, + old_totals.ipv4 + old_totals.ipv6, + new_totals.ipv4 + new_totals.ipv6, + old_totals.nsipv4 + old_totals.nsipv6, + new_totals.nsipv4 + new_totals.nsipv6); + /* - * Do not get excited about the deletion of interior rbt nodes. + * Exchange the summary databases. */ - result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name, - type, &tgt_ip, &tgt_prefix); + LOCK(&rpzs->search_lock); + + found = rpzs->cidr; + rpzs->cidr = load_rpzs->cidr; + load_rpzs->cidr = found; + + rbt = rpzs->rbt; + rpzs->rbt = load_rpzs->rbt; + load_rpzs->rbt = rbt; + + UNLOCK(&rpzs->search_lock); + result = ISC_R_SUCCESS; + + unlock_and_detach: + UNLOCK(&rpzs->maint_lock); + UNLOCK(&load_rpzs->search_lock); + UNLOCK(&load_rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + return (result); +} + +/* + * Add an IP address to the radix tree or a name to the summary database. + */ +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name) +{ + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + isc_result_t result = ISC_R_FAILURE; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { + case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + result = add_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + result = add_cidr(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_BAD: + break; + } + + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + return (result); +} + +/* + * Remove an IP address from the radix tree. + */ +static void +del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + isc_result_t result; + dns_rpz_cidr_key_t tgt_ip; + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t tgt_set; + dns_rpz_cidr_node_t *tgt, *parent, *child; + + /* + * Do not worry about invalid rpz IP address names. If we + * are here, then something relevant was added and so was + * valid. Invalid names here are usually internal RBTDB nodes. + */ + result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &tgt_set); if (result != ISC_R_SUCCESS) return; - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt); + result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, ISC_FALSE, &tgt); if (result != ISC_R_SUCCESS) { - badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", ""); + INSIST(result == ISC_R_NOTFOUND || + result == DNS_R_PARTIALMATCH); + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ return; } /* * Mark the node and its parents to reflect the deleted IP address. + * Do not count bits that are already clear for internal RBTDB nodes. */ - flags = get_flags(&tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - tgt->flags &= ~data_flag; - for (parent = tgt; parent != NULL; parent = parent->parent) { - if ((parent->flags & data_flag) != 0 || - (parent->child[0] != NULL && - (parent->child[0]->flags & flags) != 0) || - (parent->child[1] != NULL && - (parent->child[1]->flags & flags) != 0)) - break; - parent->flags &= ~flags; - } + tgt_set.client_ip &= tgt->set.client_ip; + tgt_set.ip &= tgt->set.ip; + tgt_set.nsip &= tgt->set.nsip; + tgt->set.client_ip &= ~tgt_set.client_ip; + tgt->set.ip &= ~tgt_set.ip; + tgt->set.nsip &= ~tgt_set.nsip; + set_sum_pair(tgt); + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_FALSE); /* * We might need to delete 2 nodes. @@ -1054,13 +1757,14 @@ */ if ((child = tgt->child[0]) != NULL) { if (tgt->child[1] != NULL) - return; + break; } else { child = tgt->child[1]; } - if ((tgt->flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA)) != 0) - return; + if (tgt->set.client_ip != 0 || + tgt->set.ip != 0 || + tgt->set.nsip != 0) + break; /* * Replace the pointer to this node in the parent with @@ -1068,7 +1772,7 @@ */ parent = tgt->parent; if (parent == NULL) { - cidr->root = child; + rpzs->cidr = child; } else { parent->child[parent->child[1] == tgt] = child; } @@ -1077,26 +1781,144 @@ */ if (child != NULL) child->parent = parent; - isc_mem_put(cidr->mctx, tgt, sizeof(*tgt)); + isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt)); tgt = parent; } while (tgt != NULL); } +static void +del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, del_data; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data); + + /* + * No need for a summary database of names with only 1 policy zone. + */ + if (rpzs->p.num_zones <= 1) { + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); + return; + } + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0, + NULL, NULL); + if (result != ISC_R_SUCCESS) { + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ + if (result == ISC_R_NOTFOUND) + return; + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node search failed: %s", + namebuf, isc_result_totext(result)); + return; + } + + nm_data = nmnode->data; + INSIST(nm_data != NULL); + + /* + * Do not count bits that next existed for RBT nodes that would we + * would not have found in a summary for a single RBTDB tree. + */ + del_data.set.qname &= nm_data->set.qname; + del_data.set.ns &= nm_data->set.ns; + del_data.wild.qname &= nm_data->wild.qname; + del_data.wild.ns &= nm_data->wild.ns; + + nm_data->set.qname &= ~del_data.set.qname; + nm_data->set.ns &= ~del_data.set.ns; + nm_data->wild.qname &= ~del_data.wild.qname; + nm_data->wild.ns &= ~del_data.wild.ns; + + if (nm_data->set.qname == 0 && nm_data->set.ns == 0 && + nm_data->wild.qname == 0 && nm_data->wild.ns == 0) { + result = dns_rbt_deletenode(rpzs->rbt, nmnode, ISC_FALSE); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node delete failed: %s", + namebuf, isc_result_totext(result)); + } + } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); +} + /* - * Caller must hold tree lock. - * Return ISC_R_NOTFOUND - * or ISC_R_SUCCESS and the found entry's canonical and search names - * and its prefix length + * Remove an IP address from the radix tree or a name from the summary database. */ -isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix) +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_name_t *src_name) { + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { + case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + del_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + del_cidr(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_BAD: + break; + } + + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); +} + +/* + * Search the summary radix tree to get a relative owner name in a + * policy zone relevant to a triggering IP address. + * rpz_type and zbits limit the search for IP address netaddr + * return the policy zone's number or DNS_RPZ_INVALID_NUM + * ip_name is the relative owner name found and + * *prefixp is its prefix length. + */ +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp) { dns_rpz_cidr_key_t tgt_ip; - isc_result_t result; + dns_rpz_addr_zbits_t tgt_set; dns_rpz_cidr_node_t *found; + isc_result_t result; + dns_rpz_num_t rpz_num; int i; /* @@ -1107,29 +1929,163 @@ tgt_ip.w[1] = 0; tgt_ip.w[2] = ADDR_V4MAPPED; tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr); + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv4; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv4; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv4; + break; + default: + INSIST(0); + break; + } } else if (netaddr->family == AF_INET6) { dns_rpz_cidr_key_t src_ip6; /* * Given the int aligned struct in_addr member of netaddr->type * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *, - * but there are objections. + * but some people object. */ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); for (i = 0; i < 4; i++) { tgt_ip.w[i] = ntohl(src_ip6.w[i]); } + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv6; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv6; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv6; + break; + default: + INSIST(0); + break; + } } else { - return (ISC_R_NOTFOUND); + return (DNS_RPZ_INVALID_NUM); } - result = search(cidr, &tgt_ip, 128, type, ISC_FALSE, &found); - if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH) - return (result); + if (zbits == 0) + return (DNS_RPZ_INVALID_NUM); + make_addr_set(&tgt_set, zbits, rpz_type); + + LOCK(&rpzs->search_lock); + result = search(rpzs, &tgt_ip, 128, &tgt_set, ISC_FALSE, &found); + if (result == ISC_R_NOTFOUND) { + /* + * There are no eligible zones for this IP address. + */ + UNLOCK(&rpzs->search_lock); + return (DNS_RPZ_INVALID_NUM); + } + + /* + * Construct the trigger name for the longest matching trigger + * in the first eligible zone with a match. + */ + *prefixp = found->prefix; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip); + break; + case DNS_RPZ_TYPE_IP: + rpz_num = zbit_to_num(found->set.ip & tgt_set.ip); + break; + case DNS_RPZ_TYPE_NSIP: + rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip); + break; + default: + INSIST(0); + break; + } + result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name); + UNLOCK(&rpzs->search_lock); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz ip2name() failed: %s", + isc_result_totext(result)); + return (DNS_RPZ_INVALID_NUM); + } + return (rpz_num); +} - *prefix = found->bits; - return (ip2name(cidr, &found->ip, found->bits, type, - canon_name, search_name)); +/* + * Search the summary radix tree for policy zones with triggers matching + * a name. + */ +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_rbtnode_t *nmnode; + const dns_rpz_nm_data_t *nm_data; + dns_rpz_zbits_t found_zbits; + isc_result_t result; + + if (zbits == 0) + return (0); + + found_zbits = 0; + + LOCK(&rpzs->search_lock); + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, + DNS_RBTFIND_EMPTYDATA, NULL, NULL); + switch (result) { + case ISC_R_SUCCESS: + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits = nm_data->set.qname; + else + found_zbits = nm_data->set.ns; + } + nmnode = nmnode->parent; + /* fall thru */ + case DNS_R_PARTIALMATCH: + while (nmnode != NULL) { + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits |= nm_data->wild.qname; + else + found_zbits |= nm_data->wild.ns; + } + nmnode = nmnode->parent; + } + break; + + case ISC_R_NOTFOUND: + break; + + default: + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_find_name(%s) failed: %s", + namebuf, isc_result_totext(result)); + break; + } + + UNLOCK(&rpzs->search_lock); + return (zbits & found_zbits); } /* @@ -1144,10 +2100,10 @@ isc_result_t result; result = dns_rdataset_first(rdataset); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); /* @@ -1174,7 +2130,13 @@ } /* - * CNAME PASSTHRU.origin means "do not rewrite. + * CNAME rpz-drop. means "do respond." + */ + if (dns_name_equal(&cname.cname, &rpz->drop)) + return (DNS_RPZ_POLICY_DROP); + + /* + * CNAME rpz-passthru. means "do not rewrite." */ if (dns_name_equal(&cname.cname, &rpz->passthru)) return (DNS_RPZ_POLICY_PASSTHRU); Index: lib/dns/rrl.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ lib/dns/rrl.c 2013-08-05 14:14:45.921498580 +0200 @@ -0,0 +1,1324 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/*! \file */ + +/* + * Rate limit DNS responses. + */ + +/* #define ISC_LIST_CHECKINIT */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len); + +/* + * Get a modulus for a hash function that is tolerably likely to be + * relatively prime to most inputs. Of course, we get a prime for for initial + * values not larger than the square of the last prime. We often get a prime + * after that. + * This works well in practice for hash tables up to at least 100 + * times the square of the last prime and better than a multiplicative hash. + */ +static int +hash_divisor(unsigned int initial) { + static isc_uint16_t primes[] = { + 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, + 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, +#if 0 + 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, + 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, + 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, + 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, + 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, + 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, + 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, + 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, + 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, + 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, + 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, + 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,1009, +#endif + }; + int divisions, tries; + unsigned int result; + isc_uint16_t *pp, p; + + result = initial; + + if (primes[sizeof(primes)/sizeof(primes[0])-1] >= result) { + pp = primes; + while (*pp < result) + ++pp; + return (*pp); + } + + if ((result & 1) == 0) + ++result; + + divisions = 0; + tries = 1; + pp = primes; + do { + p = *pp++; + ++divisions; + if ((result % p) == 0) { + ++tries; + result += 2; + pp = primes; + } + } while (pp < &primes[sizeof(primes) / sizeof(primes[0])]); + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "%d hash_divisor() divisions in %d tries" + " to get %d from %d", + divisions, tries, result, initial); + + return (result); +} + +/* + * Convert a timestamp to a number of seconds in the past. + */ +static inline int +delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) { + int delta; + + delta = now - ts; + if (delta >= 0) + return (delta); + + /* + * The timestamp is in the future. That future might result from + * re-ordered requests, because we use timestamps on requests + * instead of consulting a clock. Timestamps in the distant future are + * assumed to result from clock changes. When the clock changes to + * the past, make existing timestamps appear to be in the past. + */ + if (delta < -DNS_RRL_MAX_TIME_TRAVEL) + return (DNS_RRL_FOREVER); + return (0); +} + +static inline int +get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) { + if (!e->ts_valid) + return (DNS_RRL_FOREVER); + return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now)); +} + +static inline void +set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) { + dns_rrl_entry_t *e_old; + unsigned int ts_gen; + int i, ts; + + ts_gen = rrl->ts_gen; + ts = now - rrl->ts_bases[ts_gen]; + if (ts < 0) { + if (ts < -DNS_RRL_MAX_TIME_TRAVEL) + ts = DNS_RRL_FOREVER; + else + ts = 0; + } + + /* + * Make a new timestamp base if the current base is too old. + * All entries older than DNS_RRL_MAX_WINDOW seconds are ancient, + * useless history. Their timestamps can be treated as if they are + * all the same. + * We only do arithmetic on more recent timestamps, so bases for + * older timestamps can be recycled provided the old timestamps are + * marked as ancient history. + * This loop is almost always very short because most entries are + * recycled after one second and any entries that need to be marked + * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds. + */ + if (ts >= DNS_RRL_MAX_TS) { + ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES; + for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0; + e_old != NULL && (e_old->ts_gen == ts_gen || + !ISC_LINK_LINKED(e_old, hlink)); + e_old = ISC_LIST_PREV(e_old, lru), ++i) + { + e_old->ts_valid = ISC_FALSE; + } + if (i != 0) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "rrl new time base scanned %d entries" + " at %d for %d %d %d %d", + i, now, rrl->ts_bases[ts_gen], + rrl->ts_bases[(ts_gen + 1) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 2) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 3) % + DNS_RRL_TS_BASES]); + rrl->ts_gen = ts_gen; + rrl->ts_bases[ts_gen] = now; + ts = 0; + } + + e->ts_gen = ts_gen; + e->ts = ts; + e->ts_valid = ISC_TRUE; +} + +static isc_result_t +expand_entries(dns_rrl_t *rrl, int new) { + unsigned int bsize; + dns_rrl_block_t *b; + dns_rrl_entry_t *e; + double rate; + int i; + + if (rrl->num_entries+new >= rrl->max_entries && rrl->max_entries != 0) { + if (rrl->num_entries >= rrl->max_entries) + return (ISC_R_SUCCESS); + new = rrl->max_entries - rrl->num_entries; + if (new <= 0) + return (ISC_R_NOMEMORY); + } + + /* + * Log expansions so that the user can tune max-table-size + * and min-table-size. + */ + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && + rrl->hash != NULL) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL entries with" + " %d bins; average search length %.1f", + rrl->num_entries, rrl->num_entries+new, + rrl->hash->length, rate); + } + + bsize = sizeof(dns_rrl_block_t) + (new-1)*sizeof(dns_rrl_entry_t); + b = isc_mem_get(rrl->mctx, bsize); + if (b == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for RRL entries", + bsize); + return (ISC_R_NOMEMORY); + } + memset(b, 0, bsize); + b->size = bsize; + + e = b->entries; + for (i = 0; i < new; ++i, ++e) { + ISC_LINK_INIT(e, hlink); + ISC_LIST_INITANDAPPEND(rrl->lru, e, lru); + } + rrl->num_entries += new; + ISC_LIST_INITANDAPPEND(rrl->blocks, b, link); + + return (ISC_R_SUCCESS); +} + +static inline dns_rrl_bin_t * +get_bin(dns_rrl_hash_t *hash, unsigned int hval) { + return (&hash->bins[hval % hash->length]); +} + +static void +free_old_hash(dns_rrl_t *rrl) { + dns_rrl_hash_t *old_hash; + dns_rrl_bin_t *old_bin; + dns_rrl_entry_t *e, *e_next; + + old_hash = rrl->old_hash; + for (old_bin = &old_hash->bins[0]; + old_bin < &old_hash->bins[old_hash->length]; + ++old_bin) + { + for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) { + e_next = ISC_LIST_NEXT(e, hlink); + ISC_LINK_INIT(e, hlink); + } + } + + isc_mem_put(rrl->mctx, old_hash, + sizeof(*old_hash) + + (old_hash->length - 1) * sizeof(old_hash->bins[0])); + rrl->old_hash = NULL; +} + +static isc_result_t +expand_rrl_hash(dns_rrl_t *rrl, isc_stdtime_t now) { + dns_rrl_hash_t *hash; + int old_bins, new_bins, hsize; + double rate; + + if (rrl->old_hash != NULL) + free_old_hash(rrl); + + /* + * Most searches fail and so go to the end of the chain. + * Use a small hash table load factor. + */ + old_bins = (rrl->hash == NULL) ? 0 : rrl->hash->length; + new_bins = old_bins/8 + old_bins; + if (new_bins < rrl->num_entries) + new_bins = rrl->num_entries; + new_bins = hash_divisor(new_bins); + + hsize = sizeof(dns_rrl_hash_t) + (new_bins-1)*sizeof(hash->bins[0]); + hash = isc_mem_get(rrl->mctx, hsize); + if (hash == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for" + " RRL hash table", + hsize); + return (ISC_R_NOMEMORY); + } + memset(hash, 0, hsize); + hash->length = new_bins; + rrl->hash_gen ^= 1; + hash->gen = rrl->hash_gen; + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && old_bins != 0) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL bins for" + " %d entries; average search length %.1f", + old_bins, new_bins, rrl->num_entries, rate); + } + + rrl->old_hash = rrl->hash; + if (rrl->old_hash != NULL) + rrl->old_hash->check_time = now; + rrl->hash = hash; + + return (ISC_R_SUCCESS); +} + +static void +ref_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, int probes, isc_stdtime_t now) { + /* + * Make the entry most recently used. + */ + if (ISC_LIST_HEAD(rrl->lru) != e) { + if (e == rrl->last_logged) + rrl->last_logged = ISC_LIST_PREV(e, lru); + ISC_LIST_UNLINK(rrl->lru, e, lru); + ISC_LIST_PREPEND(rrl->lru, e, lru); + } + + /* + * Expand the hash table if it is time and necessary. + * This will leave the newly referenced entry in a chain in the + * old hash table. It will migrate to the new hash table the next + * time it is used or be cut loose when the old hash table is destroyed. + */ + rrl->probes += probes; + ++rrl->searches; + if (rrl->searches > 100 && + delta_rrl_time(rrl->hash->check_time, now) > 1) { + if (rrl->probes/rrl->searches > 2) + expand_rrl_hash(rrl, now); + rrl->hash->check_time = now; + rrl->probes = 0; + rrl->searches = 0; + } +} + +static inline isc_boolean_t +key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) { + if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0) + return (ISC_TRUE); + return (ISC_FALSE); +} + +static inline isc_uint32_t +hash_key(const dns_rrl_key_t *key) { + isc_uint32_t hval; + int i; + + hval = key->w[0]; + for (i = sizeof(*key) / sizeof(key->w[0]) - 1; i >= 0; --i) { + hval = key->w[i] + (hval<<1); + } + return (hval); +} + +/* + * Construct the hash table key. + * Use a hash of the DNS query name to save space in the database. + * Collisions result in legitimate rate limiting responses for one + * query name also limiting responses for other names to the + * same client. This is rare and benign enough given the large + * space costs compared to keeping the entire name in the database + * entry or the time costs of dynamic allocation. + */ +static void +make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key, + const isc_sockaddr_t *client_addr, + dns_rdatatype_t qtype, dns_name_t *qname, dns_rdataclass_t qclass, + dns_rrl_rtype_t rtype) +{ + dns_name_t base; + dns_offsets_t base_offsets; + int labels, i; + + memset(key, 0, sizeof(*key)); + + key->s.rtype = rtype; + if (rtype == DNS_RRL_RTYPE_QUERY) { + key->s.qtype = qtype; + key->s.qclass = qclass & 0xff; + } else if (rtype == DNS_RRL_RTYPE_REFERRAL || + rtype == DNS_RRL_RTYPE_NODATA) { + /* + * Because there is no qtype in the empty answer sections of + * referral and NODATA responses, count them as the same. + */ + key->s.qclass = qclass & 0xff; + } + + if (qname != NULL && qname->labels != 0) { + /* + * Ignore the first label of wildcards. + */ + if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 && + (labels = dns_name_countlabels(qname)) > 1) + { + dns_name_init(&base, base_offsets); + dns_name_getlabelsequence(qname, 1, labels-1, &base); + key->s.qname_hash = dns_name_hashbylabel(&base, + ISC_FALSE); + } else { + key->s.qname_hash = dns_name_hashbylabel(qname, + ISC_FALSE); + } + } + + switch (client_addr->type.sa.sa_family) { + case AF_INET: + key->s.ip[0] = (client_addr->type.sin.sin_addr.s_addr & + rrl->ipv4_mask); + break; + case AF_INET6: + key->s.ipv6 = ISC_TRUE; + memcpy(key->s.ip, &client_addr->type.sin6.sin6_addr, + sizeof(key->s.ip)); + for (i = 0; i < DNS_RRL_MAX_PREFIX/32; ++i) + key->s.ip[i] &= rrl->ipv6_mask[i]; + break; + } +} + +static inline dns_rrl_rate_t * +get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) { + switch (rtype) { + case DNS_RRL_RTYPE_QUERY: + return (&rrl->responses_per_second); + case DNS_RRL_RTYPE_REFERRAL: + return (&rrl->referrals_per_second); + case DNS_RRL_RTYPE_NODATA: + return (&rrl->nodata_per_second); + case DNS_RRL_RTYPE_NXDOMAIN: + return (&rrl->nxdomains_per_second); + case DNS_RRL_RTYPE_ERROR: + return (&rrl->errors_per_second); + case DNS_RRL_RTYPE_ALL: + return (&rrl->all_per_second); + default: + INSIST(0); + } + return (NULL); +} + +static int +response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) { + dns_rrl_rate_t *ratep; + int balance, rate; + + if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) { + rate = 1; + } else { + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->scaled; + } + + balance = e->responses + age * rate; + if (balance > rate) + balance = rate; + return (balance); +} + +/* + * Search for an entry for a response and optionally create it. + */ +static dns_rrl_entry_t * +get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, dns_name_t *qname, + dns_rrl_rtype_t rtype, isc_stdtime_t now, isc_boolean_t create, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_key_t key; + isc_uint32_t hval; + dns_rrl_entry_t *e; + dns_rrl_hash_t *hash; + dns_rrl_bin_t *new_bin, *old_bin; + int probes, age; + + make_key(rrl, &key, client_addr, qtype, qname, qclass, rtype); + hval = hash_key(&key); + + /* + * Look for the entry in the current hash table. + */ + new_bin = get_bin(rrl->hash, hval); + probes = 1; + e = ISC_LIST_HEAD(*new_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ref_entry(rrl, e, probes, now); + return (e); + } + ++probes; + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Look in the old hash table. + */ + if (rrl->old_hash != NULL) { + old_bin = get_bin(rrl->old_hash, hval); + e = ISC_LIST_HEAD(*old_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ISC_LIST_UNLINK(*old_bin, e, hlink); + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + ref_entry(rrl, e, probes, now); + return (e); + } + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Discard prevous hash table when all of its entries are old. + */ + age = delta_rrl_time(rrl->old_hash->check_time, now); + if (age > rrl->window) + free_old_hash(rrl); + } + + if (!create) + return (NULL); + + /* + * The entry does not exist, so create it by finding a free entry. + * Keep currently penalized and logged entries. + * Try to make more entries if none are idle. + * Steal the oldest entry if we cannot create more. + */ + for (e = ISC_LIST_TAIL(rrl->lru); + e != NULL; + e = ISC_LIST_PREV(e, lru)) + { + if (!ISC_LINK_LINKED(e, hlink)) + break; + age = get_age(rrl, e, now); + if (age <= 1) { + e = NULL; + break; + } + if (!e->logged && response_balance(rrl, e, age) > 0) + break; + } + if (e == NULL) { + expand_entries(rrl, ISC_MIN((rrl->num_entries+1)/2, 1000)); + e = ISC_LIST_TAIL(rrl->lru); + } + if (e->logged) + log_end(rrl, e, ISC_TRUE, log_buf, log_buf_len); + if (ISC_LINK_LINKED(e, hlink)) { + if (e->hash_gen == rrl->hash_gen) + hash = rrl->hash; + else + hash = rrl->old_hash; + old_bin = get_bin(hash, hash_key(&e->key)); + ISC_LIST_UNLINK(*old_bin, e, hlink); + } + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + e->key = key; + e->ts_valid = ISC_FALSE; + ref_entry(rrl, e, probes, now); + return (e); +} + +static void +debit_log(const dns_rrl_entry_t *e, int age, const char *action) { + char buf[sizeof("age=12345678")]; + const char *age_str; + + if (age == DNS_RRL_FOREVER) { + age_str = ""; + } else { + snprintf(buf, sizeof(buf), "age=%d", age); + age_str = buf; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "rrl %08x %6s responses=%-3d %s", + hash_key(&e->key), age_str, e->responses, action); +} + +static inline dns_rrl_result_t +debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale, + const isc_sockaddr_t *client_addr, isc_stdtime_t now, + char *log_buf, unsigned int log_buf_len) +{ + int rate, new_rate, slip, new_slip, age, log_secs, min; + dns_rrl_rate_t *ratep; + dns_rrl_entry_t const *credit_e; + + /* + * Pick the rate counter. + * Optionally adjust the rate by the estimated query/second rate. + */ + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->r; + if (rate == 0) + return (DNS_RRL_RESULT_OK); + + if (scale < 1.0) { + /* + * The limit for clients that have used TCP is not scaled. + */ + credit_e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_FALSE, + log_buf, log_buf_len); + if (credit_e != NULL) { + age = get_age(rrl, e, now); + if (age < rrl->window) + scale = 1.0; + } + } + if (scale < 1.0) { + new_rate = (int) (rate * scale); + if (new_rate < 1) + new_rate = 1; + if (ratep->scaled != new_rate) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled %s by %.2f" + " from %d to %d", + (int)qps, ratep->str, scale, + rate, new_rate); + rate = new_rate; + ratep->scaled = rate; + } + } + + min = -rrl->window * rate; + + /* + * Treat time jumps into the recent past as no time. + * Treat entries older than the window as if they were just created + * Credit other entries. + */ + age = get_age(rrl, e, now); + if (age > 0) { + /* + * Credit tokens earned during elapsed time. + */ + if (age > rrl->window) { + e->responses = rate; + e->slip_cnt = 0; + } else { + e->responses += rate*age; + if (e->responses > rate) { + e->responses = rate; + e->slip_cnt = 0; + } + } + /* + * Find the seconds since last log message without overflowing + * small counter. This counter is reset when an entry is + * created. It is not necessarily reset when some requests + * are answered provided other requests continue to be dropped + * or slipped. This can happen when the request rate is just + * at the limit. + */ + if (e->logged) { + log_secs = e->log_secs; + log_secs += age; + if (log_secs > DNS_RRL_MAX_LOG_SECS || log_secs < 0) + log_secs = DNS_RRL_MAX_LOG_SECS; + e->log_secs = log_secs; + } + } + set_age(rrl, e, now); + + /* + * Debit the entry for this response. + */ + if (--e->responses >= 0) { + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, ""); + return (DNS_RRL_RESULT_OK); + } + + if (e->responses < min) + e->responses = min; + + /* + * Drop this response unless it should slip or leak. + */ + slip = rrl->slip.r; + if (slip > 2 && scale < 1.0) { + new_slip = (int) (slip * scale); + if (new_slip < 2) + new_slip = 2; + if (rrl->slip.scaled != new_slip) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled slip" + " by %.2f from %d to %d", + (int)qps, scale, + slip, new_slip); + slip = new_slip; + rrl->slip.scaled = slip; + } + } + if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) { + if (e->slip_cnt++ == 0) { + if ((int) e->slip_cnt >= slip) + e->slip_cnt = 0; + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "slip"); + return (DNS_RRL_RESULT_SLIP); + } else if ((int) e->slip_cnt >= slip) { + e->slip_cnt = 0; + } + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "drop"); + return (DNS_RRL_RESULT_DROP); +} + +static inline dns_rrl_qname_buf_t * +get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = rrl->qnames[e->log_qname]; + if (qbuf == NULL || qbuf->e != e) + return (NULL); + return (qbuf); +} + +static inline void +free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = get_qname(rrl, e); + if (qbuf != NULL) { + qbuf->e = NULL; + ISC_LIST_APPEND(rrl->qname_free, qbuf, link); + } +} + +static void +add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) { + isc_region_t region; + + isc_buffer_availableregion(lb, ®ion); + if (str_len >= region.length) { + if (region.length <= 0) + return; + str_len = region.length; + } + memcpy(region.base, str, str_len); + isc_buffer_add(lb, str_len); +} + +#define ADD_LOG_CSTR(eb, s) add_log_str(eb, s, sizeof(s)-1) + +/* + * Build strings for the logs + */ +static void +make_log_buf(dns_rrl_t *rrl, dns_rrl_entry_t *e, + const char *str1, const char *str2, isc_boolean_t plural, + dns_name_t *qname, isc_boolean_t save_qname, + dns_rrl_result_t rrl_result, isc_result_t resp_result, + char *log_buf, unsigned int log_buf_len) +{ + isc_buffer_t lb; + dns_rrl_qname_buf_t *qbuf; + isc_netaddr_t cidr; + char strbuf[ISC_MAX(sizeof("/123"), sizeof(" (12345678)"))]; + const char *rstr; + isc_result_t msg_result; + + if (log_buf_len <= 1) { + if (log_buf_len == 1) + log_buf[0] = '\0'; + return; + } + isc_buffer_init(&lb, log_buf, log_buf_len-1); + + if (str1 != NULL) + add_log_str(&lb, str1, strlen(str1)); + if (str2 != NULL) + add_log_str(&lb, str2, strlen(str2)); + + switch (rrl_result) { + case DNS_RRL_RESULT_OK: + break; + case DNS_RRL_RESULT_DROP: + ADD_LOG_CSTR(&lb, "drop "); + break; + case DNS_RRL_RESULT_SLIP: + ADD_LOG_CSTR(&lb, "slip "); + break; + default: + INSIST(0); + break; + } + + switch (e->key.s.rtype) { + case DNS_RRL_RTYPE_QUERY: + break; + case DNS_RRL_RTYPE_REFERRAL: + ADD_LOG_CSTR(&lb, "referral "); + break; + case DNS_RRL_RTYPE_NODATA: + ADD_LOG_CSTR(&lb, "NODATA "); + break; + case DNS_RRL_RTYPE_NXDOMAIN: + ADD_LOG_CSTR(&lb, "NXDOMAIN "); + break; + case DNS_RRL_RTYPE_ERROR: + if (resp_result == ISC_R_SUCCESS) { + ADD_LOG_CSTR(&lb, "error "); + } else { + rstr = isc_result_totext(resp_result); + add_log_str(&lb, rstr, strlen(rstr)); + ADD_LOG_CSTR(&lb, " error "); + } + break; + case DNS_RRL_RTYPE_ALL: + ADD_LOG_CSTR(&lb, "all "); + break; + default: + INSIST(0); + } + + if (plural) + ADD_LOG_CSTR(&lb, "responses to "); + else + ADD_LOG_CSTR(&lb, "response to "); + + memset(&cidr, 0, sizeof(cidr)); + if (e->key.s.ipv6) { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv6_prefixlen); + cidr.family = AF_INET6; + memset(&cidr.type.in6, 0, sizeof(cidr.type.in6)); + memcpy(&cidr.type.in6, e->key.s.ip, sizeof(e->key.s.ip)); + } else { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv4_prefixlen); + cidr.family = AF_INET; + cidr.type.in.s_addr = e->key.s.ip[0]; + } + msg_result = isc_netaddr_totext(&cidr, &lb); + if (msg_result != ISC_R_SUCCESS) + ADD_LOG_CSTR(&lb, "?"); + add_log_str(&lb, strbuf, strlen(strbuf)); + + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY || + e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL || + e->key.s.rtype == DNS_RRL_RTYPE_NODATA || + e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) { + qbuf = get_qname(rrl, e); + if (save_qname && qbuf == NULL && + qname != NULL && dns_name_isabsolute(qname)) { + /* + * Capture the qname for the "stop limiting" message. + */ + qbuf = ISC_LIST_TAIL(rrl->qname_free); + if (qbuf != NULL) { + ISC_LIST_UNLINK(rrl->qname_free, qbuf, link); + } else if (rrl->num_qnames < DNS_RRL_QNAMES) { + qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf)); + if (qbuf != NULL) { + memset(qbuf, 0, sizeof(*qbuf)); + ISC_LINK_INIT(qbuf, link); + qbuf->index = rrl->num_qnames; + rrl->qnames[rrl->num_qnames++] = qbuf; + } else { + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_FAIL, + "isc_mem_get(%d)" + " failed for RRL qname", + (int)sizeof(*qbuf)); + } + } + if (qbuf != NULL) { + e->log_qname = qbuf->index; + qbuf->e = e; + dns_fixedname_init(&qbuf->qname); + dns_name_copy(qname, + dns_fixedname_name(&qbuf->qname), + NULL); + } + } + if (qbuf != NULL) + qname = dns_fixedname_name(&qbuf->qname); + if (qname != NULL) { + ADD_LOG_CSTR(&lb, " for "); + (void)dns_name_totext(qname, ISC_TRUE, &lb); + } else { + ADD_LOG_CSTR(&lb, " for (?)"); + } + if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdataclass_totext(e->key.s.qclass, &lb); + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdatatype_totext(e->key.s.qtype, &lb); + } + } + snprintf(strbuf, sizeof(strbuf), " (%08x)", + e->key.s.qname_hash); + add_log_str(&lb, strbuf, strlen(strbuf)); + } + + /* + * We saved room for '\0'. + */ + log_buf[isc_buffer_usedlength(&lb)] = '\0'; +} + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len) +{ + if (e->logged) { + make_log_buf(rrl, e, + early ? "*" : NULL, + rrl->log_only ? "would stop limiting " + : "stop limiting ", + ISC_TRUE, NULL, ISC_FALSE, + DNS_RRL_RESULT_OK, ISC_R_SUCCESS, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + free_qname(rrl, e); + e->logged = ISC_FALSE; + --rrl->num_logged; + } +} + +/* + * Log messages for streams that have stopped being rate limited. + */ +static void +log_stops(dns_rrl_t *rrl, isc_stdtime_t now, int limit, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_entry_t *e; + int age; + + for (e = rrl->last_logged; e != NULL; e = ISC_LIST_PREV(e, lru)) { + if (!e->logged) + continue; + if (now != 0) { + age = get_age(rrl, e, now); + if (age < DNS_RRL_STOP_LOG_SECS || + response_balance(rrl, e, age) < 0) + break; + } + + log_end(rrl, e, now == 0, log_buf, log_buf_len); + if (rrl->num_logged <= 0) + break; + + /* + * Too many messages could stall real work. + */ + if (--limit < 0) { + rrl->last_logged = ISC_LIST_PREV(e, lru); + return; + } + } + if (e == NULL) { + INSIST(rrl->num_logged == 0); + rrl->log_stops_time = now; + } + rrl->last_logged = e; +} + +/* + * Main rate limit interface. + */ +dns_rrl_result_t +dns_rrl(dns_view_t *view, + const isc_sockaddr_t *client_addr, isc_boolean_t is_tcp, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, + dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now, + isc_boolean_t wouldlog, char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_t *rrl; + dns_rrl_rtype_t rtype; + dns_rrl_entry_t *e; + isc_netaddr_t netclient; + int secs; + double qps, scale; + int exempt_match; + isc_result_t result; + dns_rrl_result_t rrl_result; + + INSIST(log_buf != NULL && log_buf_len > 0); + + rrl = view->rrl; + if (rrl->exempt != NULL) { + isc_netaddr_fromsockaddr(&netclient, client_addr); + result = dns_acl_match(&netclient, NULL, rrl->exempt, + &view->aclenv, &exempt_match, NULL); + if (result == ISC_R_SUCCESS && exempt_match > 0) + return (DNS_RRL_RESULT_OK); + } + + LOCK(&rrl->lock); + + /* + * Estimate total query per second rate when scaling by qps. + */ + if (rrl->qps_scale == 0) { + qps = 0.0; + scale = 1.0; + } else { + ++rrl->qps_responses; + secs = delta_rrl_time(rrl->qps_time, now); + if (secs <= 0) { + qps = rrl->qps; + } else { + qps = (1.0*rrl->qps_responses) / secs; + if (secs >= rrl->window) { + if (isc_log_wouldlog(dns_lctx, + DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG3, + "%d responses/%d seconds" + " = %d qps", + rrl->qps_responses, secs, + (int)qps); + rrl->qps = qps; + rrl->qps_responses = 0; + rrl->qps_time = now; + } else if (qps < rrl->qps) { + qps = rrl->qps; + } + } + scale = rrl->qps_scale / qps; + } + + /* + * Do maintenance once per second. + */ + if (rrl->num_logged > 0 && rrl->log_stops_time != now) + log_stops(rrl, now, 8, log_buf, log_buf_len); + + /* + * Notice TCP responses when scaling limits by qps. + * Do not try to rate limit TCP responses. + */ + if (is_tcp) { + if (scale < 1.0) { + e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_TRUE, + log_buf, log_buf_len); + if (e != NULL) { + e->responses = -(rrl->window+1); + set_age(rrl, e, now); + } + } + UNLOCK(&rrl->lock); + return (ISC_R_SUCCESS); + } + + /* + * Find the right kind of entry, creating it if necessary. + * If that is impossible, then nothing more can be done + */ + switch (resp_result) { + case ISC_R_SUCCESS: + rtype = DNS_RRL_RTYPE_QUERY; + break; + case DNS_R_DELEGATION: + rtype = DNS_RRL_RTYPE_REFERRAL; + break; + case DNS_R_NXRRSET: + rtype = DNS_RRL_RTYPE_NODATA; + break; + case DNS_R_NXDOMAIN: + rtype = DNS_RRL_RTYPE_NXDOMAIN; + break; + default: + rtype = DNS_RRL_RTYPE_ERROR; + break; + } + e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype, + now, ISC_TRUE, log_buf, log_buf_len); + if (e == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) { + /* + * Do not worry about speed or releasing the lock. + * This message appears before messages from debit_rrl_entry(). + */ + make_log_buf(rrl, e, "consider limiting ", NULL, ISC_FALSE, + qname, ISC_FALSE, DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "%s", log_buf); + } + + rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now, + log_buf, log_buf_len); + + if (rrl->all_per_second.r != 0) { + /* + * We must debit the all-per-second token bucket if we have + * an all-per-second limit for the IP address. + * The all-per-second limit determines the log message + * when both limits are hit. + * The response limiting must continue if the + * all-per-second limiting lapses. + */ + dns_rrl_entry_t *e_all; + dns_rrl_result_t rrl_all_result; + + e_all = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_ALL, now, ISC_TRUE, + log_buf, log_buf_len); + if (e_all == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + rrl_all_result = debit_rrl_entry(rrl, e_all, qps, scale, + client_addr, now, + log_buf, log_buf_len); + if (rrl_all_result != DNS_RRL_RESULT_OK) { + int level; + + e = e_all; + rrl_result = rrl_all_result; + if (rrl_result == DNS_RRL_RESULT_OK) + level = DNS_RRL_LOG_DEBUG2; + else + level = DNS_RRL_LOG_DEBUG1; + if (isc_log_wouldlog(dns_lctx, level)) { + make_log_buf(rrl, e, + "prefer all-per-second limiting ", + NULL, ISC_TRUE, qname, ISC_FALSE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, level, + "%s", log_buf); + } + } + } + + if (rrl_result == DNS_RRL_RESULT_OK) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + /* + * Log occassionally in the rate-limit category. + */ + if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) && + isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP)) { + make_log_buf(rrl, e, rrl->log_only ? "would " : NULL, + e->logged ? "continue limiting " : "limit ", + ISC_TRUE, qname, ISC_TRUE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + if (!e->logged) { + e->logged = ISC_TRUE; + if (++rrl->num_logged <= 1) + rrl->last_logged = e; + } + e->log_secs = 0; + + /* + * Avoid holding the lock. + */ + if (!wouldlog) { + UNLOCK(&rrl->lock); + e = NULL; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + } + + /* + * Make a log message for the caller. + */ + if (wouldlog) + make_log_buf(rrl, e, + rrl->log_only ? "would rate limit " : "rate limit ", + NULL, ISC_FALSE, qname, ISC_FALSE, + rrl_result, resp_result, log_buf, log_buf_len); + + if (e != NULL) { + /* + * Do not save the qname unless we might need it for + * the ending log message. + */ + if (!e->logged) + free_qname(rrl, e); + UNLOCK(&rrl->lock); + } + + return (rrl_result); +} + +void +dns_rrl_view_destroy(dns_view_t *view) { + dns_rrl_t *rrl; + dns_rrl_block_t *b; + dns_rrl_hash_t *h; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + int i; + + rrl = view->rrl; + if (rrl == NULL) + return; + view->rrl = NULL; + + /* + * Assume the caller takes care of locking the view and anything else. + */ + + if (rrl->num_logged > 0) + log_stops(rrl, 0, ISC_INT32_MAX, log_buf, sizeof(log_buf)); + + for (i = 0; i < DNS_RRL_QNAMES; ++i) { + if (rrl->qnames[i] == NULL) + break; + isc_mem_put(rrl->mctx, rrl->qnames[i], sizeof(*rrl->qnames[i])); + } + + if (rrl->exempt != NULL) + dns_acl_detach(&rrl->exempt); + + DESTROYLOCK(&rrl->lock); + + while (!ISC_LIST_EMPTY(rrl->blocks)) { + b = ISC_LIST_HEAD(rrl->blocks); + ISC_LIST_UNLINK(rrl->blocks, b, link); + isc_mem_put(rrl->mctx, b, b->size); + } + + h = rrl->hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + h = rrl->old_hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); +} + +isc_result_t +dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries) { + dns_rrl_t *rrl; + isc_result_t result; + + *rrlp = NULL; + + rrl = isc_mem_get(view->mctx, sizeof(*rrl)); + if (rrl == NULL) + return (ISC_R_NOMEMORY); + memset(rrl, 0, sizeof(*rrl)); + isc_mem_attach(view->mctx, &rrl->mctx); + result = isc_mutex_init(&rrl->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); + return (result); + } + isc_stdtime_get(&rrl->ts_bases[0]); + + view->rrl = rrl; + + result = expand_entries(rrl, min_entries); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + result = expand_rrl_hash(rrl, 0); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + + *rrlp = rrl; + return (ISC_R_SUCCESS); +} Index: lib/dns/view.c =================================================================== --- lib/dns/view.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/view.c 2013-08-05 14:14:45.922498593 +0200 @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include @@ -184,6 +185,7 @@ view->answeracl_exclude = NULL; view->denyanswernames = NULL; view->answernames_exclude = NULL; + view->rrl = NULL; view->provideixfr = ISC_TRUE; view->maxcachettl = 7 * 24 * 3600; view->maxncachettl = 3 * 3600; @@ -195,9 +197,7 @@ view->maxbits = 0; view->v4_aaaa = dns_v4_aaaa_ok; view->v4_aaaa_acl = NULL; - ISC_LIST_INIT(view->rpz_zones); - view->rpz_recursive_only = ISC_TRUE; - view->rpz_break_dnssec = ISC_FALSE; + view->rpzs = NULL; dns_fixedname_init(&view->dlv_fixed); view->managed_keys = NULL; view->redirect = NULL; @@ -334,10 +334,13 @@ dns_acache_putdb(view->acache, view->cachedb); dns_acache_detach(&view->acache); } - dns_rpz_view_destroy(view); + if (view->rpzs != NULL) + dns_rpz_detach_rpzs(&view->rpzs); + dns_rrl_view_destroy(view); #else INSIST(view->acache == NULL); - INSIST(ISC_LIST_EMPTY(view->rpz_zones)); + INSIST(view->rpzs == NULL); + INSIST(view->rrl == NULL); #endif if (view->requestmgr != NULL) dns_requestmgr_detach(&view->requestmgr); Index: lib/dns/win32/libdns.def =================================================================== --- lib/dns/win32/libdns.def.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/win32/libdns.def 2013-08-05 14:14:45.922498593 +0200 @@ -130,8 +130,8 @@ dns_db_overmem dns_db_printnode dns_db_register -dns_db_rpz_enabled -dns_db_rpz_findips +dns_db_rpz_attach +dns_db_rpz_ready dns_db_subtractrdataset dns_db_unregister dns_dbiterator_current @@ -639,17 +639,22 @@ dns_result_torcode dns_result_totext dns_rootns_create +dns_rpz_add +dns_rpz_attach_rpzs +dns_rpz_beginload dns_rpz_cidr_addip -dns_rpz_cidr_deleteip dns_rpz_cidr_find -dns_rpz_cidr_free dns_rpz_decode_cname -dns_rpz_enabled_get -dns_rpz_new_cidr +dns_rpz_delete +dns_rpz_delete_node +dns_rpz_detach_rpzs +dns_rpz_find_ip +dns_rpz_find_name +dns_rpz_new_zones dns_rpz_policy2str +dns_rpz_ready dns_rpz_str2policy dns_rpz_type2str -dns_rpz_view_destroy dns_rriterator_current dns_rriterator_destroy dns_rriterator_first @@ -657,6 +662,9 @@ dns_rriterator_next dns_rriterator_nextrrset dns_rriterator_pause +dns_rrl +dns_rrl_init +dns_rrl_view_destroy dns_sdb_putnamedrr dns_sdb_putrdata dns_sdb_putrr @@ -806,7 +814,7 @@ dns_zone_forcereload dns_zone_forwardupdate dns_zone_fulldumptostream -dns_zone_get_rpz +dns_zone_get_rpz_num dns_zone_getadded dns_zone_getchecknames dns_zone_getclass @@ -834,6 +842,7 @@ dns_zone_getqueryonacl dns_zone_getraw dns_zone_getrequeststats +dns_zone_getrpz_num dns_zone_getserial dns_zone_getserial2 dns_zone_getserialupdatemethod @@ -871,6 +880,7 @@ dns_zone_refresh dns_zone_rekey dns_zone_replacedb +dns_zone_rpz_attach dns_zone_rpz_enable dns_zone_setacache dns_zone_setadded Index: lib/dns/win32/libdns.dsp =================================================================== --- lib/dns/win32/libdns.dsp.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/win32/libdns.dsp 2013-08-05 14:14:45.922498593 +0200 @@ -346,6 +346,10 @@ # End Source File # Begin Source File +SOURCE=..\include\dns\rrl.h +# End Source File +# Begin Source File + SOURCE=..\include\dns\rriterator.h # End Source File # Begin Source File @@ -650,6 +654,10 @@ # End Source File # Begin Source File +SOURCE=..\rrl.c +# End Source File +# Begin Source File + SOURCE=..\rriterator.c # End Source File # Begin Source File Index: lib/dns/win32/libdns.mak =================================================================== --- lib/dns/win32/libdns.mak.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/win32/libdns.mak 2013-08-05 14:14:45.922498593 +0200 @@ -184,6 +184,7 @@ -@erase "$(INTDIR)\result.obj" -@erase "$(INTDIR)\rootns.obj" -@erase "$(INTDIR)\rpz.obj" + -@erase "$(INTDIR)\rrl.obj" -@erase "$(INTDIR)\sdb.obj" -@erase "$(INTDIR)\sdlz.obj" -@erase "$(INTDIR)\soa.obj" @@ -309,6 +310,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -505,6 +507,8 @@ -@erase "$(INTDIR)\rootns.sbr" -@erase "$(INTDIR)\rpz.obj" -@erase "$(INTDIR)\rpz.sbr" + -@erase "$(INTDIR)\rrl.obj" + -@erase "$(INTDIR)\rrl.sbr" -@erase "$(INTDIR)\rriterator.obj" -@erase "$(INTDIR)\rriterator.sbr" -@erase "$(INTDIR)\sdb.obj" @@ -651,6 +655,7 @@ "$(INTDIR)\result.sbr" \ "$(INTDIR)\rootns.sbr" \ "$(INTDIR)\rpz.sbr" \ + "$(INTDIR)\rrl.sbr" \ "$(INTDIR)\rriterator.sbr" \ "$(INTDIR)\sdb.sbr" \ "$(INTDIR)\sdlz.sbr" \ @@ -748,6 +753,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -1724,6 +1730,24 @@ $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\rrl.c + +!IF "$(CFG)" == "libdns - Win32 Release" + + +"$(INTDIR)\rrl.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libdns - Win32 Debug" + + +"$(INTDIR)\rrl.obj" "$(INTDIR)\rrl.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\rriterator.c Index: lib/dns/zone.c =================================================================== --- lib/dns/zone.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/dns/zone.c 2013-08-05 14:14:45.925498630 +0200 @@ -346,9 +346,10 @@ isc_boolean_t added; /*% - * whether this is a response policy zone + * response policy data to be relayed to the database */ - isc_boolean_t is_rpz; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; /*% * Serial number update method. @@ -917,7 +918,8 @@ zone->nodes = 100; zone->privatetype = (dns_rdatatype_t)0xffffU; zone->added = ISC_FALSE; - zone->is_rpz = ISC_FALSE; + zone->rpzs = NULL; + zone->rpz_num = DNS_RPZ_INVALID_NUM; ISC_LIST_INIT(zone->forwards); zone->raw = NULL; zone->secure = NULL; @@ -1021,6 +1023,13 @@ zone_detachdb(zone); if (zone->acache != NULL) dns_acache_detach(&zone->acache); +#ifdef BIND9 + if (zone->rpzs != NULL) { + REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&zone->rpzs); + zone->rpz_num = DNS_RPZ_INVALID_NUM; + } +#endif zone_freedbargs(zone); RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0) == ISC_R_SUCCESS); @@ -1513,7 +1522,9 @@ * Set the response policy index and information for a zone. */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone) { +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num) +{ /* * Only RBTDB zones can be used for response policy zones, * because only they have the code to load the create the summary data. @@ -1524,14 +1535,26 @@ strcmp(zone->db_argv[0], "rbt64") != 0) return (ISC_R_NOTIMPLEMENTED); - zone->is_rpz = ISC_TRUE; + /* + * This must happen only once or be redundant. + */ + LOCK_ZONE(zone); + if (zone->rpzs != NULL) { + REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num); + } else { + REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &zone->rpzs); + zone->rpz_num = rpz_num; + } + rpzs->defined |= DNS_RPZ_ZBIT(rpz_num); + UNLOCK_ZONE(zone); return (ISC_R_SUCCESS); } -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone) { - return (zone->is_rpz); +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone) { + return (zone->rpz_num); } static isc_result_t @@ -1988,10 +2011,9 @@ unsigned int options; #ifdef BIND9 - if (zone->is_rpz) { - result = dns_db_rpz_enabled(db, NULL); - if (result != ISC_R_SUCCESS) - return (result); + if (zone->rpz_num != DNS_RPZ_INVALID_NUM) { + REQUIRE(zone->rpzs != NULL); + dns_db_rpz_attach(db, zone->rpzs, zone->rpz_num); } #endif @@ -4120,6 +4142,11 @@ if (result != ISC_R_SUCCESS) goto cleanup; } else { +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + goto cleanup; +#endif zone_attachdb(zone, db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); DNS_ZONE_SETFLAG(zone, @@ -13047,6 +13074,12 @@ REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(LOCKED_ZONE(zone)); +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + return (result); +#endif + result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL, NULL, NULL, NULL, NULL); if (result == ISC_R_SUCCESS) { Index: lib/isccfg/namedconf.c =================================================================== --- lib/isccfg/namedconf.c.orig 2013-07-17 00:13:06.000000000 +0200 +++ lib/isccfg/namedconf.c 2013-08-05 14:14:45.937498781 +0200 @@ -1054,11 +1054,12 @@ /*% * response-policy { - * zone [ policy (given|disabled|passthru| + * zone [ policy (given|disabled|passthru|drop| * nxdomain|nodata|cname ) ] * [ recursive-only yes|no ] [ max-policy-ttl number ] ; * } [ recursive-only yes|no ] [ max-policy-ttl number ] ; - * [ break-dnssec yes|no ] [ min-ns-dots number ] ; + * [ break-dnssec yes|no ] [ min-ns-dots number ] + * [ qname-wait-recurse yes|no ] */ static void @@ -1083,7 +1084,7 @@ /* * Parse - * given|disabled|passthru|nxdomain|nodata|cname + * given|disabled|passthru|drop|nxdomain|nodata|cname */ static isc_result_t cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type, @@ -1214,8 +1215,11 @@ doc_keyvalue, &cfg_rep_string, &zone_kw }; +/* + * "no-op" is an obsolete equivalent of "passthru". + */ static const char *rpz_policies[] = { - "given", "disabled", "passthru", "no-op", "nxdomain", "nodata", + "given", "disabled", "passthru", "no-op", "drop", "nxdomain", "nodata", "cname", NULL }; static cfg_type_t cfg_type_rpz_policy_name = { @@ -1261,6 +1265,7 @@ { "break-dnssec", &cfg_type_boolean, 0 }, { "max-policy-ttl", &cfg_type_uint32, 0 }, { "min-ns-dots", &cfg_type_uint32, 0 }, + { "qname-wait-recurse", &cfg_type_boolean, 0 }, { NULL, NULL, 0 } }; static cfg_type_t cfg_type_rpz = { @@ -1270,6 +1275,40 @@ }; +/* + * rate-limit + */ +static cfg_clausedef_t rrl_clauses[] = { + { "responses-per-second", &cfg_type_uint32, 0 }, + { "referrals-per-second", &cfg_type_uint32, 0 }, + { "nodata-per-second", &cfg_type_uint32, 0 }, + { "nxdomains-per-second", &cfg_type_uint32, 0 }, + { "errors-per-second", &cfg_type_uint32, 0 }, + { "all-per-second", &cfg_type_uint32, 0 }, + { "slip", &cfg_type_uint32, 0 }, + { "window", &cfg_type_uint32, 0 }, + { "log-only", &cfg_type_boolean, 0 }, + { "qps-scale", &cfg_type_uint32, 0 }, + { "ipv4-prefix-length", &cfg_type_uint32, 0 }, + { "ipv6-prefix-length", &cfg_type_uint32, 0 }, + { "exempt-clients", &cfg_type_bracketed_aml, 0 }, + { "max-table-size", &cfg_type_uint32, 0 }, + { "min-table-size", &cfg_type_uint32, 0 }, + { NULL, NULL, 0 } +}; + +static cfg_clausedef_t *rrl_clausesets[] = { + rrl_clauses, + NULL +}; + +static cfg_type_t cfg_type_rrl = { + "rate-limit", cfg_parse_map, cfg_print_map, cfg_doc_map, + &cfg_rep_map, rrl_clausesets +}; + + + /*% * dnssec-lookaside */ @@ -1423,6 +1462,7 @@ CFG_CLAUSEFLAG_NOTCONFIGURED }, #endif { "response-policy", &cfg_type_rpz, 0 }, + { "rate-limit", &cfg_type_rrl, 0 }, { NULL, NULL, 0 } }; Index: named.conf =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ named.conf 2013-08-05 14:14:45.937498781 +0200 @@ -0,0 +1,153 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type master; file "tld3.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." {type master; file "root.db";}; Index: root.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ root.db 2013-08-05 14:14:45.938498793 +0200 @@ -0,0 +1,31 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. Index: setup.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ setup.sh 2013-08-05 14:14:45.938498793 +0200 @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + Index: tests.sh =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tests.sh 2013-08-05 14:14:45.938498793 +0200 @@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. +sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. +ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 Index: tld2.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tld2.db 2013-08-05 14:14:45.938498793 +0200 @@ -0,0 +1,47 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 Index: tld3.db =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tld3.db 2013-08-05 14:14:45.938498793 +0200 @@ -0,0 +1,25 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 Index: version =================================================================== --- version.orig 2013-07-17 00:13:06.000000000 +0200 +++ version 2013-08-05 14:14:45.938498793 +0200 @@ -7,6 +7,6 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=9 -PATCHVER=3 +PATCHVER=3-rpz2+rl.156.01 RELEASETYPE=-P RELEASEVER=2