Diff:
07e7314d36a1a18e4592260501076ee66695f777
c650d1b19462069410f602594762e555ab3a502e
Commit:
c650d1b19462069410f602594762e555ab3a502e
Tree:
0e0df86c48b5dc6061bedf1f5caaefb0bcf8527d
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Mon Jul 27 05:11:19 2020 UTC
Message:
add SOA constraints for the values retry, refresh, expire, that one can put on a rzone like so: rzone "internal.centroid.eu." { constraints 1800,1800,1800; tsigkey "mykey."; masterport 10053; master 10.0.0.1; zonename "internal.centroid.eu."; filename "/etc/delphinusdns/replicant/internal.centroid.eu.repl"; } The constraints line reflects 1800 seconds refresh, 1800 seconds retry, and 1800 seconds expire in this case. Any values below this will prevent a new zone from being loaded and a log will be generated. There is a default constraint of 60/60/60 which I believe is the minimum constraint for a delphinusdnsd in general. One shouldn't go below this. Not specifying a constraints line will use these default values.
blob - bbd6cceb2d296f79001797fef9caadf39f34c0bd
blob + 2eae83651b7740d3856dedf2365a35fa35a118c4
--- ddd-db.h
+++ ddd-db.h
@@ -27,7 +27,7 @@
*/
/*
- * $Id: ddd-db.h,v 1.50 2020/07/21 18:19:58 pjp Exp $
+ * $Id: ddd-db.h,v 1.51 2020/07/27 05:11:19 pjp Exp $
*/
#ifndef _DB_H
@@ -438,6 +438,12 @@ struct mzone {
#define DELPHINUS_RZONE_PATH DEFAULT_RZONE_DIR
#endif
+struct soa_constraints {
+ uint32_t refresh;
+ uint32_t retry;
+ uint32_t expire;
+};
+
struct rzone {
SLIST_ENTRY(rzone) rzone_entry;
int active;
@@ -449,7 +455,8 @@ struct rzone {
struct sockaddr_storage storage;
char *tsigkey;
char *filename;
- struct soa soa;
+ struct soa soa;
+ struct soa_constraints constraints;
} *rz, *rz0;
struct raxfr_logic {
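Review bot: `struct soa_constraints` carries no comment saying what its three fields mean or what unit they are in, and since the field names are the same as the SOA timers a reader can easily take them for the received values rather than lower bounds. A one-line comment above the struct would settle it, e.g. `/* minimum acceptable SOA refresh/retry/expire, in seconds; a received SOA below any of them is rejected in raxfr_soa() */`. The 60/60/60 default that add_rzone() fills in would also be better expressed as a named constant declared next to this struct than as three bare literals repeated at each site.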
blob - 0f0fbf3fd374a17da7c4187d3cceb737807095b6
blob + 6cba8d410a54316610424dc5e0f25a7692ab456e
--- parse.y
+++ parse.y
@@ -21,7 +21,7 @@
*/
/*
- * $Id: parse.y,v 1.111 2020/07/24 08:51:34 pjp Exp $
+ * $Id: parse.y,v 1.112 2020/07/27 05:11:19 pjp Exp $
*/
%{
@@ -798,6 +798,24 @@ rzonestatement:
free($1);
free($2);
}
+ |
+ STRING NUMBER COMMA NUMBER COMMA NUMBER SEMICOLON CRLF
+ {
+ if (strcmp($1, "constraints") == 0) {
+ rz = SLIST_FIRST(&rzones);
+ if (rz == NULL) {
+ return -1;
+ }
+
+ rz->active = 1;
+
+ rz->constraints.refresh = $2;
+ rz->constraints.retry = $4;
+ rz->constraints.expire = $6;
+ }
+
+ free ($1);
+ }
| comment CRLF
;
@@ -3862,6 +3880,9 @@ add_rzone(void)
lrz->tsigkey = NULL;
lrz->filename = NULL;
memset(&lrz->storage, 0, sizeof(struct sockaddr_storage));
+ lrz->constraints.refresh = 60;
+ lrz->constraints.retry = 60;
+ lrz->constraints.expire = 60;
SLIST_INSERT_HEAD(&rzones, lrz, rzone_entry);
#ifdef __OpenBSD__
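Review bot: The new `STRING NUMBER COMMA NUMBER COMMA NUMBER SEMICOLON CRLF` alternative accepts any keyword in `$1` and only acts when it equals "constraints", so a misspelled keyword such as "constraint" parses cleanly and the rzone silently keeps the 60/60/60 default from add_rzone() with no diagnostic. Unless the sibling rzone rules (outside this hunk) deliberately tolerate unknown strings, an `else` branch that reports the unknown keyword and returns -1 would surface the misconfiguration instead of hiding it. The `rz == NULL` path also returns before `free($1)`, leaking the token. If NUMBER is wider than 32 bits (its type is not visible here), a negative or oversized value is truncated on assignment to the `uint32_t` fields without any range check.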
blob - 216c5b6526c6e1b009533c7648c34f4bc61ac78d
blob + 33ab6d8808c0b23a7d19761968b4dc65467a1b98
--- query.c
+++ query.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: query.c,v 1.11 2020/07/26 17:08:14 pjp Exp $
+ * $Id: query.c,v 1.12 2020/07/27 05:11:19 pjp Exp $
*/
#include <sys/types.h>
@@ -159,12 +159,12 @@ extern int raxfr_nsec3(FILE *, u_char *, u_char *, u_c
extern int raxfr_ds(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
extern int raxfr_sshfp(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
extern u_int16_t raxfr_skip(FILE *, u_char *, u_char *);
-extern int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *);
+extern int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *, struct soa_constraints *);
extern int raxfr_peek(FILE *, u_char *, u_char *, u_char *, int *, int, u_int16_t *, u_int32_t, HMAC_CTX *, char *, int);
extern int memcasecmp(u_char *, u_char *, int);
extern int tsig_pseudoheader(char *, uint16_t, time_t, HMAC_CTX *);
-extern int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *);
+extern int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *, struct soa_constraints *);
extern int insert_tsig(char *, char *);
extern int find_tsig_key(char *, int, char *, int);
extern int insert_tsig_key(char *, int, char *);
@@ -218,6 +218,7 @@ dig(int argc, char *argv[])
int segment = 0;
int answers = 0;
int additionalcount = 0;
+ struct soa_constraints constraints = { 0, 0, 0 };
while ((ch = getopt(argc, argv, "c:@:DIP:TZp:Q:y:")) != -1) {
switch (ch) {
@@ -341,7 +342,7 @@ dig(int argc, char *argv[])
if ((format & ZONE_FORMAT) && f != NULL)
fprintf(f, "zone \"%s\" {\n", domainname);
- if (lookup_axfr(f, so, domainname, &mysoa, format, tsigkey, tsigpass, &segment, &answers, &additionalcount) < 0) {
+ if (lookup_axfr(f, so, domainname, &mysoa, format, tsigkey, tsigpass, &segment, &answers, &additionalcount, &constraints) < 0) {
exit(1);
}
@@ -447,6 +448,7 @@ lookup_name(FILE *f, int so, char *zonename, u_int16_t
struct whole_header {
struct dns_header dh;
} *wh, *rwh;
+ struct soa_constraints constraints = { 60, 60, 60 };
u_char *p, *name;
@@ -670,7 +672,7 @@ skip:
p = (estart + rrlen);
if (rrtype == DNS_TYPE_SOA) {
- if ((len = raxfr_soa(f, p, estart, end, mysoa, soacount, format, rdlen, NULL)) < 0) {
+ if ((len = raxfr_soa(f, p, estart, end, mysoa, soacount, format, rdlen, NULL, &constraints)) < 0) {
fprintf(stderr, "raxxfr_soa failed\n");
return -1;
}
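Review bot: `lookup_name()` now passes a hard-coded `{ 60, 60, 60 }` to raxfr_soa(), so a plain SOA query against a zone whose refresh, retry or expire is below 60 seconds fails with "raxxfr_soa failed" even though nothing is being loaded, while `dig()` in the same file passes `{ 0, 0, 0 }` to disable the check. Unless lookup_name is meant to enforce the daemon minimum, the zeroed initializer seems the right one there too. If the 60 is intended, it duplicates the literal from add_rzone() in parse.y and should come from one shared named constant, e.g. `#define SOA_CONSTRAINT_MIN 60` in ddd-db.h.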
blob - d927168780237f8a546dd675db42cb89cccd47b6
blob + 8cfb9d318987b81245d389d57e77fe8221c8df68
--- raxfr.c
+++ raxfr.c
@@ -26,7 +26,7 @@
*
*/
/*
- * $Id: raxfr.c,v 1.58 2020/07/26 17:08:14 pjp Exp $
+ * $Id: raxfr.c,v 1.59 2020/07/27 05:11:19 pjp Exp $
*/
#include <sys/types.h>
@@ -115,7 +115,7 @@ int raxfr_sshfp(FILE *, u_char *, u_char *, u_char *,
int raxfr_tlsa(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
int raxfr_srv(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
int raxfr_naptr(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
-int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *);
+int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *, struct soa_constraints *);
u_int16_t raxfr_skip(FILE *, u_char *, u_char *);
int raxfr_peek(FILE *, u_char *, u_char *, u_char *, int *, int, u_int16_t *, u_int32_t, HMAC_CTX *, char *, int);
@@ -165,7 +165,7 @@ extern void dolog(int, char *, ...);
extern struct rbtree * find_rrset(ddDB *db, char *name, int namelen);
extern struct rrset * find_rr(struct rbtree *rbt, u_int16_t rrtype);
extern struct question *build_question(char *, int, int, char *);
-extern int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *);
+extern int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *, struct soa_constraints *);
extern int find_tsig_key(char *, int, char *, int);
extern int tsig_pseudoheader(char *, uint16_t, time_t, HMAC_CTX *);
@@ -343,7 +343,7 @@ raxfr_skip(FILE *f, u_char *p, u_char *estart)
}
int
-raxfr_soa(FILE *f, u_char *p, u_char *estart, u_char *end, struct soa *mysoa, int soacount, u_int32_t format, u_int16_t rdlen, HMAC_CTX *ctx)
+raxfr_soa(FILE *f, u_char *p, u_char *estart, u_char *end, struct soa *mysoa, int soacount, u_int32_t format, u_int16_t rdlen, HMAC_CTX *ctx, struct soa_constraints *constraints)
{
u_int32_t rvalue;
char *save, *humanname;
@@ -435,6 +435,19 @@ raxfr_soa(FILE *f, u_char *p, u_char *estart, u_char *
rvalue = unpack32(q);
mysoa->minttl = rvalue;
q += sizeof(u_int32_t);
+
+ if (constraints->refresh > ntohl(mysoa->refresh) ||
+ constraints->retry > ntohl(mysoa->retry) ||
+ constraints->expire > ntohl(mysoa->expire)) {
+ dolog(LOG_INFO, "raxfr_soa: refresh/retry/expire values were below SOA constraints %u/%u, %u/%u, %u/%u, bailing out!\n", constraints->refresh, ntohl(mysoa->refresh), constraints->retry, ntohl(mysoa->retry), constraints->expire, ntohl(mysoa->expire));
+
+ if (f != NULL) {
+ fprintf(f, "constraints failure\n");
+ fflush(f);
+ }
+
+ return -1;
+ }
if (soacount < soalimit) {
if (f != NULL) {
@@ -2179,7 +2192,7 @@ get_remote_soa(struct rzone *rzone)
p = (estart + rrlen);
if (rrtype == DNS_TYPE_SOA) {
- if ((len = raxfr_soa(f, p, estart, end, &mysoa, soacount, format, rdlen, (dotsig == 1) ? ctx : NULL)) < 0) {
+ if ((len = raxfr_soa(f, p, estart, end, &mysoa, soacount, format, rdlen, (dotsig == 1) ? ctx : NULL, &rz->constraints)) < 0) {
dolog(LOG_INFO, "raxfr_soa failed\n");
close(so);
free(reply); free(dupreply);
@@ -2328,7 +2341,7 @@ do_raxfr(FILE *f, struct rzone *rzone)
if ((format & ZONE_FORMAT) && f != NULL)
fprintf(f, "zone \"%s\" {\n", rzone->zonename);
- if (lookup_axfr(f, so, rzone->zonename, &mysoa, format, ((dotsig == 0) ? NULL : rzone->tsigkey), humanpass, &segment, &answers, &additionalcount) < 0) {
+ if (lookup_axfr(f, so, rzone->zonename, &mysoa, format, ((dotsig == 0) ? NULL : rzone->tsigkey), humanpass, &segment, &answers, &additionalcount, &rzone->constraints) < 0) {
/* close the zone */
if ((format & ZONE_FORMAT) && f != NULL)
fprintf(f, "}\n");
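Review bot: The call in `get_remote_soa()` passes `&rz->constraints`, the global `rz` declared in ddd-db.h, while the function's own parameter is `rzone` and the parallel call in `do_raxfr()` uses `&rzone->constraints`; unless get_remote_soa assigns `rz = rzone` earlier (outside this hunk), the constraints of whichever rzone is currently first in the list are applied to the wrong zone, and `&rzone->constraints` looks like the intended argument. In raxfr_soa() the new check dereferences `constraints` unconditionally although the neighbouring `ctx` parameter may be NULL; every caller in this commit passes a real pointer, but a guard `if (constraints != NULL && (constraints->refresh > ntohl(mysoa->refresh) || ...))` or a note on the prototype, `/* constraints must be non-NULL; pass zeros to disable */`, would pin the contract. The rejection is logged at LOG_INFO even though it aborts the zone load; LOG_WARNING would make a misconfigured or misbehaving master stand out in the logs. The `%u` conversions for `uint32_t` are harmless on the platforms targeted here but `PRIu32` is the portable spelling.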
blob - 4bae4719fdd09df4e096e75e81ae4f4ae8d660a2
blob + 62ccc016b509cd6bcbbd5904979d7f9b9267ace8
--- util.c
+++ util.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: util.c,v 1.79 2020/07/26 17:08:14 pjp Exp $
+ * $Id: util.c,v 1.80 2020/07/27 05:11:19 pjp Exp $
*/
#include <sys/types.h>
@@ -118,7 +118,7 @@ int tsig_pseudoheader(char *, uint16_t, time_t, HMAC_C
char * bin2hex(char *, int);
u_int64_t timethuman(time_t);
char * bitmap2human(char *, int);
-int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *);
+int lookup_axfr(FILE *, int, char *, struct soa *, u_int32_t, char *, char *, int *, int *, int *, struct soa_constraints *);
int dn_contains(char *name, int len, char *anchorname, int alen);
uint16_t udp_cksum(u_int16_t *, uint16_t, struct ip *, struct udphdr *);
uint16_t udp_cksum6(u_int16_t *, uint16_t, struct ip6_hdr *, struct udphdr *);
@@ -163,7 +163,7 @@ extern int raxfr_caa(FILE *, u_char *, u_char *, u_cha
extern int raxfr_hinfo(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
extern int raxfr_sshfp(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *);
extern u_int16_t raxfr_skip(FILE *, u_char *, u_char *);
-extern int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *);
+extern int raxfr_soa(FILE *, u_char *, u_char *, u_char *, struct soa *, int, u_int32_t, u_int16_t, HMAC_CTX *, struct soa_constraints *);
extern int raxfr_peek(FILE *, u_char *, u_char *, u_char *, int *, int, u_int16_t *, u_int32_t, HMAC_CTX *, char *, int);
extern int raxfr_tsig(FILE *, u_char *, u_char *, u_char *, struct soa *, u_int16_t, HMAC_CTX *, char *, int);
extern char *convert_name(char *, int);
@@ -1824,7 +1824,7 @@ bitmap2human(char *bitmap, int len)
int
-lookup_axfr(FILE *f, int so, char *zonename, struct soa *mysoa, u_int32_t format, char *tsigkey, char *tsigpass, int *segment, int *answers, int *additionalcount)
+lookup_axfr(FILE *f, int so, char *zonename, struct soa *mysoa, u_int32_t format, char *tsigkey, char *tsigpass, int *segment, int *answers, int *additionalcount, struct soa_constraints *constraints)
{
char query[512];
char pseudo_packet[512];
@@ -2136,11 +2136,6 @@ lookup_axfr(FILE *f, int so, char *zonename, struct so
rwh->dh.additional = saveadd;
}
-#if 0
- if (*segment == 0 && (format & ZONE_FORMAT) && f != NULL)
- fprintf(f, "zone \"%s\" {\n", zonename);
-#endif
-
(*segment)++;
for (count = 0; count < segmentcount; count++) {
@@ -2186,7 +2181,7 @@ lookup_axfr(FILE *f, int so, char *zonename, struct so
p = (estart + rrlen);
if (rrtype == DNS_TYPE_SOA) {
- if ((len = raxfr_soa(f, p, estart, end, mysoa, soacount, format, rdlen, ctx)) < 0) {
+ if ((len = raxfr_soa(f, p, estart, end, mysoa, soacount, format, rdlen, ctx, constraints)) < 0) {
fprintf(stderr, "raxfr_soa failed\n");
return -1;
}