* axfr.c -- generating AXFR responses.

/*
* axfr.c -- generating AXFR responses.
*
* Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
*
* See LICENSE for the license.
*
*/

#include "config.h"

#include "axfr.h"
#include "dns.h"
#include "packet.h"
#include "options.h"
#include "ixfr.h"

/* draft-ietf-dnsop-rfc2845bis-06, section 5.3.1 says to sign every packet */
#define AXFR_TSIG_SIGN_EVERY_NTH 0 /* tsig sign every N packets. */

query_state_type
query_axfr(struct nsd *nsd, struct query *query, int wstats)
{
domain_type *closest_match;
domain_type *closest_encloser;
int exact;
int added;
uint16_t total_added = 0;

if (query->axfr_is_done)
return QUERY_PROCESSED;

if (query->maxlen > AXFR_MAX_MESSAGE_LEN)
query->maxlen = AXFR_MAX_MESSAGE_LEN;

assert(!query_overflow(query));
/* only keep running values for most packets */
query->tsig_prepare_it = 0;
query->tsig_update_it = 1;
if(query->tsig_sign_it) {
/* prepare for next updates */
query->tsig_prepare_it = 1;
query->tsig_sign_it = 0;
}

if (query->axfr_zone == NULL) {
domain_type* qdomain;
/* Start AXFR. */
if(wstats) {
STATUP(nsd, raxfr);
}
exact = namedb_lookup(nsd->db,
query->qname,
&closest_match,
&closest_encloser);

qdomain = closest_encloser;
query->axfr_zone = domain_find_zone(nsd->db, closest_encloser);

if (!exact
|| query->axfr_zone == NULL
|| query->axfr_zone->apex != qdomain
|| query->axfr_zone->soa_rrset == NULL)
{
/* No SOA no transfer */
RCODE_SET(query->packet, RCODE_NOTAUTH);
return QUERY_PROCESSED;
}
if(wstats) {
ZTATUP(nsd, query->axfr_zone, raxfr);
}

query->axfr_current_domain = qdomain;
query->axfr_current_rrset = NULL;
query->axfr_current_rr = 0;
if(query->tsig.status == TSIG_OK) {
query->tsig_sign_it = 1; /* sign first packet in stream */
}

query_add_compression_domain(query, qdomain, QHEADERSZ);

assert(query->axfr_zone->soa_rrset->rr_count == 1);
added = packet_encode_rr(query,
query->axfr_zone->apex,
&query->axfr_zone->soa_rrset->rrs[0],
query->axfr_zone->soa_rrset->rrs[0].ttl);
if (!added) {
/* XXX: This should never happen... generate error code? */
abort();
}
++total_added;
} else {
/*
* Query name and EDNS need not be repeated after the
* first response packet.
*/
query->edns.status = EDNS_NOT_PRESENT;
buffer_set_limit(query->packet, QHEADERSZ);
QDCOUNT_SET(query->packet, 0);
query_prepare_response(query);
}

/* Add zone RRs until answer is full. */
while (query->axfr_current_domain != NULL &&
domain_is_subdomain(query->axfr_current_domain,
query->axfr_zone->apex))
{
if (!query->axfr_current_rrset) {
query->axfr_current_rrset = domain_find_any_rrset(
query->axfr_current_domain,
query->axfr_zone);
query->axfr_current_rr = 0;
}
while (query->axfr_current_rrset) {
if (query->axfr_current_rrset != query->axfr_zone->soa_rrset
&& query->axfr_current_rrset->zone == query->axfr_zone)
{
while (query->axfr_current_rr < query->axfr_current_rrset->rr_count) {
size_t oldmaxlen = query->maxlen;
if(total_added == 0)
/* RR > 16K can be first RR */
query->maxlen = (query->tcp?TCP_MAX_MESSAGE_LEN:UDP_MAX_MESSAGE_LEN);
added = packet_encode_rr(
query,
query->axfr_current_domain,
&query->axfr_current_rrset->rrs[query->axfr_current_rr],
query->axfr_current_rrset->rrs[query->axfr_current_rr].ttl);
if(total_added == 0) {
query->maxlen = oldmaxlen;
if(query_overflow(query)) {
if(added) {
++total_added;
++query->axfr_current_rr;
goto return_answer;
}
}
}
if (!added)
goto return_answer;
++total_added;
++query->axfr_current_rr;
}
}

query->axfr_current_rrset = query->axfr_current_rrset->next;
query->axfr_current_rr = 0;
}
assert(query->axfr_current_domain);
query->axfr_current_domain
= domain_next(query->axfr_current_domain);
}

/* Add terminating SOA RR. */
assert(query->axfr_zone->soa_rrset->rr_count == 1);
added = packet_encode_rr(query,
query->axfr_zone->apex,
&query->axfr_zone->soa_rrset->rrs[0],
query->axfr_zone->soa_rrset->rrs[0].ttl);
if (added) {
++total_added;
query->tsig_sign_it = 1; /* sign last packet */
query->axfr_is_done = 1;
}

return_answer:
AA_SET(query->packet);
ANCOUNT_SET(query->packet, total_added);
NSCOUNT_SET(query->packet, 0);
ARCOUNT_SET(query->packet, 0);

/* check if it needs tsig signatures */
if(query->tsig.status == TSIG_OK) {
#if AXFR_TSIG_SIGN_EVERY_NTH > 0
if(query->tsig.updates_since_last_prepare >= AXFR_TSIG_SIGN_EVERY_NTH) {
#endif
query->tsig_sign_it = 1;
#if AXFR_TSIG_SIGN_EVERY_NTH > 0
}
#endif
}
query_clear_compression_tables(query);
return QUERY_IN_AXFR;
}

/* See if the query can be admitted. */
static int axfr_ixfr_can_admit_query(struct nsd* nsd, struct query* q)
{
struct acl_options *acl = NULL;
struct zone_options* zone_opt;
zone_opt = zone_options_find(nsd->options, q->qname);
if(zone_opt && q->is_proxied && acl_check_incoming_block_proxy(
zone_opt->pattern->provide_xfr, q, &acl) == -1) {
/* the proxy address is blocked */
if (verbosity >= 2) {
char address[128], proxy[128];
addr2str(&q->client_addr, address, sizeof(address));
addr2str(&q->remote_addr, proxy, sizeof(proxy));
VERBOSITY(2, (LOG_INFO, "%s for %s from %s via proxy %s refused because of proxy, %s %s",
(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
dname_to_string(q->qname, NULL),
address, proxy,
(acl?acl->ip_address_spec:"."),
(acl ? ( acl->nokey ? "NOKEY"
: acl->blocked ? "BLOCKED"
: acl->key_name )
: "no acl matches")));
}
RCODE_SET(q->packet, RCODE_REFUSE);
/* RFC8914 - Extended DNS Errors
* 4.19. Extended DNS Error Code 18 - Prohibited */
q->edns.ede = EDE_PROHIBITED;
return 0;
}
if(!zone_opt ||
acl_check_incoming(zone_opt->pattern->provide_xfr, q, &acl)==-1)
{
if (verbosity >= 2) {
char a[128];
addr2str(&q->client_addr, a, sizeof(a));
VERBOSITY(2, (LOG_INFO, "%s for %s from %s refused, %s",
(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
dname_to_string(q->qname, NULL), a, acl?"blocked":"no acl matches"));
}
DEBUG(DEBUG_XFRD,1, (LOG_INFO, "%s refused, %s",
(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
acl?"blocked":"no acl matches"));
if (!zone_opt) {
RCODE_SET(q->packet, RCODE_NOTAUTH);
} else {
RCODE_SET(q->packet, RCODE_REFUSE);
/* RFC8914 - Extended DNS Errors
* 4.19. Extended DNS Error Code 18 - Prohibited */
q->edns.ede = EDE_PROHIBITED;
}
return 0;
}
DEBUG(DEBUG_XFRD,1, (LOG_INFO, "%s admitted acl %s %s",
(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
acl->ip_address_spec, acl->key_name?acl->key_name:"NOKEY"));
if (verbosity >= 1) {
char a[128];
addr2str(&q->client_addr, a, sizeof(a));
VERBOSITY(1, (LOG_INFO, "%s for %s from %s",
(q->qtype==TYPE_AXFR?"axfr":"ixfr"),
dname_to_string(q->qname, NULL), a));
}
return 1;
}

/*
* Answer if this is an AXFR or IXFR query.
*/
query_state_type
answer_axfr_ixfr(struct nsd *nsd, struct query *q)
{
/* Is it AXFR? */
switch (q->qtype) {
case TYPE_AXFR:
if (q->tcp) {
if(!axfr_ixfr_can_admit_query(nsd, q))
return QUERY_PROCESSED;
return query_axfr(nsd, q, 1);
}
/* AXFR over UDP queries are discarded. */
RCODE_SET(q->packet, RCODE_IMPL);
return QUERY_PROCESSED;
case TYPE_IXFR:
if(!axfr_ixfr_can_admit_query(nsd, q)) {
/* get rid of authority section, if present */
NSCOUNT_SET(q->packet, 0);
ARCOUNT_SET(q->packet, 0);
if(QDCOUNT(q->packet) > 0 && (size_t)QHEADERSZ+4+
q->qname->name_size <= buffer_limit(q->packet)) {
buffer_set_position(q->packet, QHEADERSZ+4+
q->qname->name_size);
}
return QUERY_PROCESSED;
}
return query_ixfr(nsd, q);
default:
return QUERY_DISCARDED;
}
}