/*  Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include "knot/updates/zone-update.h"

#include "knot/common/log.h"
#include "knot/dnssec/zone-events.h"
#include "knot/updates/apply.h"
#include "knot/zone/serial.h"

#include "libknot/internal/lists.h"
#include "libknot/internal/mempool.h"

#include <urcu.h>

/*
 * Adds every non-empty RRSet stored in 'add_node' to 'node'.
 *
 * Stops at the first node_add_rrset() failure and returns its code; nothing
 * is undone here, so RRSets added before the failure remain in 'node'.
 * Returns KNOT_EOK when all RRSets were added.
 */
static int add_to_node(zone_node_t *node, const zone_node_t *add_node,
                       mm_ctx_t *mm)
{
	for (uint16_t pos = 0; pos < add_node->rrset_count; ++pos) {
		knot_rrset_t rrset = node_rrset_at(add_node, pos);
		if (knot_rrset_empty(&rrset)) {
			// Nothing to add for this slot.
			continue;
		}

		const int ret = node_add_rrset(node, &rrset, mm);
		if (ret != KNOT_EOK) {
			return ret;
		}
	}

	return KNOT_EOK;
}

/*
 * Subtracts the data of every RRSet in 'rem_node' from the rdataset of the
 * same type in 'node'.
 *
 * Types that 'node' does not carry are skipped. Returns the first
 * knot_rdataset_subtract() error, or KNOT_EOK.
 */
static int rem_from_node(zone_node_t *node, const zone_node_t *rem_node,
                         mm_ctx_t *mm)
{
	for (uint16_t pos = 0; pos < rem_node->rrset_count; ++pos) {
		knot_rrset_t removed = node_rrset_at(rem_node, pos);

		// Look up the matching type in the (synthesized) target node.
		knot_rdataset_t *target = node_rdataset(node, removed.type);
		if (target == NULL) {
			continue;
		}

		const int ret = knot_rdataset_subtract(target, &removed.rrs, mm);
		if (ret != KNOT_EOK) {
			return ret;
		}
	}

	return KNOT_EOK;
}

/*
 * Applies pending additions and then pending removals to 'synth_node'.
 *
 * Either change node is skipped when node_empty() reports it as empty.
 * Removals are not attempted if the additions failed. Returns the first
 * error encountered, or KNOT_EOK.
 */
static int apply_changes_to_node(zone_node_t *synth_node, const zone_node_t *add_node,
                                 const zone_node_t *rem_node, mm_ctx_t *mm)
{
	int ret = KNOT_EOK;

	// Additions go first.
	if (!node_empty(add_node)) {
		ret = add_to_node(synth_node, add_node, mm);
	}

	// Removals only run when the additions succeeded (or were skipped).
	if (ret == KNOT_EOK && !node_empty(rem_node)) {
		ret = rem_from_node(synth_node, rem_node, mm);
	}

	return ret;
}

/*
 * Rebuilds the RRSet storage of 'node_copy' from the RRSets of 'node'.
 *
 * The RRSet pointer and count of 'node_copy' are reset first, so whatever
 * they referenced before is no longer reachable through 'node_copy'.
 * Returns the first node_add_rrset() error, or KNOT_EOK; on error the
 * RRSets copied so far remain attached to 'node_copy'.
 */
static int deep_copy_node_data(zone_node_t *node_copy, const zone_node_t *node,
                               mm_ctx_t *mm)
{
	// Start from an empty RRSet array in the copy.
	node_copy->rrset_count = 0;
	node_copy->rrs = NULL;

	uint16_t pos = 0;
	while (pos < node->rrset_count) {
		knot_rrset_t rrset = node_rrset_at(node, pos);
		const int ret = node_add_rrset(node_copy, &rrset, mm);
		if (ret != KNOT_EOK) {
			return ret;
		}
		++pos;
	}

	return KNOT_EOK;
}

/*
 * Creates a copy of 'node' whose RRSet data is duplicated as well.
 *
 * Returns the new node, or NULL when either the shallow copy or the data
 * copy fails.
 *
 * NOTE(review): on a data-copy failure only node_free() is called here,
 * while the error path in zone_update_get_node() also calls
 * node_free_rrsets(). Whether the partially copied rdata needs an explicit
 * release depends on the allocator behind 'mm' -- confirm.
 */
static zone_node_t *node_deep_copy(const zone_node_t *node, mm_ctx_t *mm)
{
	// Shallow copy first; the RRSet data is replaced below.
	zone_node_t *copy = node_shallow_copy(node, mm);
	if (copy == NULL) {
		return NULL;
	}

	if (deep_copy_node_data(copy, node, mm) != KNOT_EOK) {
		node_free(&copy, mm);
		return NULL;
	}

	return copy;
}

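/*
 * Prepares 'update' for incremental mode: initializes the changeset and
 * stores a copy of the zone's current apex SOA as the change's 'soa_from'.
 *
 * The zone must have contents; this is only enforced by assert(), so in a
 * build with NDEBUG a zone without contents is dereferenced below.
 *
 * Returns the changeset_init() error, KNOT_ENOMEM when the SOA copy cannot
 * be created, or KNOT_EOK.
 */
static int init_incremental(zone_update_t *update, zone_t *zone)
{
	int ret = changeset_init(&update->change, zone->name);
	if (ret != KNOT_EOK) {
		return ret;
	}
	assert(zone->contents);

	// Copy base SOA RR.
	update->change.soa_from =
		node_create_rrset(update->zone->contents->apex, KNOT_RRTYPE_SOA);
	if (update->change.soa_from == NULL) {
		// Release what changeset_init() set up, so that a failed
		// initialization does not leave the changeset allocated.
		changeset_clear(&update->change);
		return KNOT_ENOMEM;
	}

	return KNOT_EOK;
}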

/*
 * Prepares 'update' for full mode by creating empty zone contents named
 * after the zone. Returns KNOT_ENOMEM if the contents cannot be created,
 * KNOT_EOK otherwise.
 */
static int init_full(zone_update_t *update, zone_t *zone)
{
	update->new_cont = zone_contents_new(zone->name);

	return (update->new_cont != NULL) ? KNOT_EOK : KNOT_ENOMEM;
}

/* ------------------------------- API -------------------------------------- */

/*
 * Initializes 'update' for 'zone' in the mode selected by 'flags'.
 *
 * The structure is zeroed, bound to the zone, given its own memory pool and
 * then handed to the mode-specific initializer. UPDATE_INCREMENTAL takes
 * precedence when both mode bits are set.
 *
 * Returns KNOT_EINVAL for NULL arguments or when neither mode bit is set,
 * otherwise the result of the mode-specific initializer.
 *
 * NOTE(review): the pool created by mm_ctx_mempool() is not released on any
 * failure path in this function; whether callers are expected to run
 * zone_update_clear() after a failed init is not visible here -- confirm.
 */
int zone_update_init(zone_update_t *update, zone_t *zone, zone_update_flags_t flags)
{
	if (update == NULL || zone == NULL) {
		return KNOT_EINVAL;
	}

	memset(update, 0, sizeof *update);
	update->zone = zone;

	// Per-update pool; zone_update_get_node() allocates from it.
	mm_ctx_mempool(&update->mm, MM_DEFAULT_BLKSIZE);
	update->flags = flags;

	if (flags & UPDATE_INCREMENTAL) {
		return init_incremental(update, zone);
	}
	if (flags & UPDATE_FULL) {
		return init_full(update, zone);
	}

	return KNOT_EINVAL;
}

/*
 * Returns the node for 'dname' as it would look with the pending changes
 * applied.
 *
 * - No pending change for the name: the node from the current zone contents
 *   (possibly NULL) is returned as is.
 * - Name absent from the zone and only additions pending: the node from the
 *   'add' part of the changeset is returned as is.
 * - Otherwise a copy is synthesized from update->mm and the additions and
 *   removals are applied to it.
 *
 * Returns NULL for NULL arguments and when synthesizing the node fails.
 * A synthesized node lives in update->mm, so it should not be used after
 * that pool is deleted in zone_update_clear().
 *
 * NOTE(review): when the name is absent from both the zone and the 'add'
 * part but removals are pending, node_deep_copy() is called with NULL; the
 * outcome depends on node_shallow_copy()'s NULL handling -- confirm.
 */
const zone_node_t *zone_update_get_node(zone_update_t *update, const knot_dname_t *dname)
{
	if (update == NULL || dname == NULL) {
		return NULL;
	}

	const zone_node_t *base =
		zone_contents_find_node(update->zone->contents, dname);
	const zone_node_t *added =
		zone_contents_find_node(update->change.add, dname);
	const zone_node_t *removed =
		zone_contents_find_node(update->change.remove, dname);

	if (node_empty(added) && node_empty(removed)) {
		// Nothing to apply.
		return base;
	}

	if (base == NULL) {
		if (added != NULL && node_empty(removed)) {
			// Just addition.
			return added;
		}
		// Addition and deletion: the added node becomes the base.
		base = added;
		added = NULL;
	}

	// The changes have to be applied to a private copy.
	zone_node_t *synth_node = node_deep_copy(base, &update->mm);
	if (synth_node == NULL) {
		return NULL;
	}

	const int ret = apply_changes_to_node(synth_node, added, removed,
	                                      &update->mm);
	if (ret != KNOT_EOK) {
		// Drop the copied data first, then the node itself.
		node_free_rrsets(synth_node, &update->mm);
		node_free(&synth_node, &update->mm);
		return NULL;
	}

	return synth_node;
}

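/*
 * Returns the zone apex node with the pending changes applied; see
 * zone_update_get_node() for the ownership of the returned node.
 *
 * Returns NULL when 'update' is NULL or not bound to a zone (for example
 * after zone_update_clear() zeroed it), or when the lookup itself fails.
 */
const zone_node_t *zone_update_get_apex(zone_update_t *update)
{
	// The zone name is read before zone_update_get_node() can run its own
	// NULL check, so the guard has to be repeated here.
	if (update == NULL || update->zone == NULL) {
		return NULL;
	}

	return zone_update_get_node(update, update->zone->name);
}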

/*
 * Returns the SOA serial of the apex with pending changes applied, or 0 when
 * no apex node is available.
 *
 * NOTE(review): the result of node_rdataset() is passed on unchecked; if the
 * apex can end up without a SOA, knot_soa_serial() receives NULL -- confirm
 * it tolerates that.
 */
uint32_t zone_update_current_serial(zone_update_t *update)
{
	const zone_node_t *apex = zone_update_get_apex(update);
	if (apex == NULL) {
		return 0;
	}

	return knot_soa_serial(node_rdataset(apex, KNOT_RRTYPE_SOA));
}

/*
 * Returns the SOA rdataset of the apex in the zone's current contents, i.e.
 * without pending changes. 'update', its zone and the zone contents are
 * dereferenced without checks.
 */
const knot_rdataset_t *zone_update_from(zone_update_t *update)
{
	return node_rdataset(update->zone->contents->apex, KNOT_RRTYPE_SOA);
}

/*
 * Returns the rdataset of the changeset's 'soa_to' RRSet, or NULL when no
 * such SOA has been set. 'update' must not be NULL (asserted only).
 */
const knot_rdataset_t *zone_update_to(zone_update_t *update)
{
	assert(update);

	return (update->change.soa_to != NULL) ? &update->change.soa_to->rrs
	                                       : NULL;
}

/*
 * Releases everything held by 'update' and zeroes the structure; a NULL
 * 'update' is ignored.
 *
 * Nodes synthesized by zone_update_get_node() were allocated from
 * update->mm, so callers should treat them as invalid once the pool is
 * deleted here.
 */
void zone_update_clear(zone_update_t *update)
{
	if (update == NULL) {
		return;
	}

	changeset_clear(&update->change);
	mp_delete(update->mm.ctx);
	// Leave no stale pointers behind in the caller's structure.
	memset(update, 0, sizeof *update);
}

/*
 * Records the addition of 'rrset'.
 *
 * Incremental updates store it in the changeset, full updates add it
 * directly to the new zone contents. Returns KNOT_EINVAL when neither mode
 * bit is set, otherwise the result of the underlying call. 'update' is
 * dereferenced without a NULL check.
 */
int zone_update_add(zone_update_t *update, const knot_rrset_t *rrset)
{
	if (update->flags & UPDATE_INCREMENTAL) {
		return changeset_add_rrset(&update->change, rrset);
	}

	if (update->flags & UPDATE_FULL) {
		// The node the record landed in is not needed here.
		zone_node_t *target = NULL;
		return zone_contents_add_rr(update->new_cont, rrset, &target);
	}

	return KNOT_EINVAL;
}

/*
 * Records the removal of 'rrset' in the changeset. Only incremental updates
 * support removals; any other mode yields KNOT_ENOTSUP. 'update' is
 * dereferenced without a NULL check.
 */
int zone_update_remove(zone_update_t *update, const knot_rrset_t *rrset)
{
	if (!(update->flags & UPDATE_INCREMENTAL)) {
		return KNOT_ENOTSUP;
	}

	return changeset_rem_rrset(&update->change, rrset);
}

/*
 * Tells whether the RRSet of 'type' differs between the two apex nodes,
 * using a whole-RRSet comparison (KNOT_RRSET_COMPARE_WHOLE).
 */
static bool apex_rr_changed(const zone_node_t *old_apex,
                            const zone_node_t *new_apex,
                            uint16_t type)
{
	knot_rrset_t before = node_rrset(old_apex, type);
	knot_rrset_t after = node_rrset(new_apex, type);

	if (knot_rrset_equal(&before, &after, KNOT_RRSET_COMPARE_WHOLE)) {
		return false;
	}

	return true;
}

/*
 * Tells whether the pending changes touch the apex DNSKEY or NSEC3PARAM
 * RRSets. An empty changeset never counts as a change.
 *
 * The zone must have contents (asserted only). The apex with changes applied
 * is obtained before the changeset is inspected, and may be NULL if that
 * lookup fails.
 */
static bool apex_dnssec_changed(zone_update_t *update)
{
	assert(update->zone->contents);

	const zone_node_t *new_apex = zone_update_get_apex(update);
	const zone_node_t *old_apex = update->zone->contents->apex;

	if (changeset_empty(&update->change)) {
		return false;
	}

	return apex_rr_changed(new_apex, old_apex, KNOT_RRTYPE_DNSKEY) ||
	       apex_rr_changed(new_apex, old_apex, KNOT_RRTYPE_NSEC3PARAM);
}

/*
 * Signs 'new_contents' for the pending update and merges the resulting
 * DNSSEC changes into the update's changeset.
 *
 * The whole zone is signed when the changeset is empty or when the update
 * changed the apex DNSKEY or NSEC3PARAM RRSets; otherwise only the changeset
 * is signed. On success the next DNSSEC event is moved earlier if the new
 * refresh time precedes the currently planned one.
 *
 * Returns the first error encountered, or KNOT_EOK. The temporary DNSSEC
 * changeset is cleared on every path after its initialization.
 */
static int sign_update(zone_update_t *update,
                       zone_contents_t *new_contents)
{
	assert(update != NULL);

	uint32_t refresh_at = 0;
	changeset_t sec_ch;
	int ret = changeset_init(&sec_ch, update->zone->name);
	if (ret != KNOT_EOK) {
		return ret;
	}

	if (changeset_empty(&update->change) || apex_dnssec_changed(update)) {
		// Keys or NSEC3 parameters changed (or nothing to go by):
		// sign the whole zone.
		ret = knot_dnssec_zone_sign(new_contents, &sec_ch,
		                            ZONE_SIGN_KEEP_SOA_SERIAL,
		                            &refresh_at);
	} else {
		// Sign only what the changeset touches.
		ret = knot_dnssec_sign_changeset(new_contents, &update->change,
		                                 &sec_ch, &refresh_at);
	}
	if (ret != KNOT_EOK) {
		goto cleanup;
	}

	// Apply the DNSSEC changeset to the new contents.
	ret = apply_changeset_directly(new_contents, &sec_ch);
	if (ret != KNOT_EOK) {
		goto cleanup;
	}

	// Fold the DNSSEC changes into the main changeset.
	ret = changeset_merge(&update->change, &sec_ch);
	if (ret != KNOT_EOK) {
		update_rollback(&sec_ch);
		goto cleanup;
	}

	{
		// Plan the next zone resign.
		const time_t resign_time =
			zone_events_get_time(update->zone, ZONE_EVENT_DNSSEC);
		if (refresh_at < resign_time) {
			zone_events_schedule_at(update->zone, ZONE_EVENT_DNSSEC,
			                        refresh_at);
		}
	}

cleanup:
	/*
	 * On success update_cleanup is deliberately not called: the rollback
	 * data were merged into the main changeset and get cleaned up with it.
	 */
	changeset_clear(&sec_ch);

	return ret;
}

/*
 * Creates the changeset's 'soa_to' from the current apex SOA with the serial
 * advanced according to the zone's configured serial policy.
 *
 * A warning is logged when serial_compare() does not place the new serial
 * after the old one (the check also fires when both compare equal); the new
 * serial is applied regardless.
 *
 * Returns KNOT_ENOMEM when the SOA copy cannot be created, KNOT_EOK
 * otherwise.
 */
static int set_new_soa(zone_update_t *update)
{
	assert(update);

	knot_rrset_t *new_soa = node_create_rrset(zone_update_get_apex(update),
	                                          KNOT_RRTYPE_SOA);
	if (new_soa == NULL) {
		return KNOT_ENOMEM;
	}

	conf_val_t policy = conf_zone_get(conf(), C_SERIAL_POLICY, update->zone->name);
	const uint32_t current = knot_soa_serial(&new_soa->rrs);
	const uint32_t next = serial_next(current, conf_opt(&policy));
	if (serial_compare(current, next) >= 0) {
		log_zone_warning(update->zone->name, "updated serial is lower "
		                 "than current, serial %u -> %u",
		                 current, next);
	}

	knot_soa_serial_set(&new_soa->rrs, next);
	// Ownership of the copy moves to the changeset.
	update->change.soa_to = new_soa;

	return KNOT_EOK;
}

/*
 * Commits an incremental update: applies the changeset to a copy of the
 * zone, optionally signs it, stores the change in the journal and finally
 * publishes the new contents.
 *
 * An empty changeset is cleared and reported as success without touching
 * the zone. If the update carries no new SOA, one is generated first.
 *
 * The contents switch is done outside the RCU read-side section:
 * synchronize_rcu() must not be called from within one, so the read lock
 * (presumably held by the caller for configuration access) is dropped and
 * re-taken around it. The old contents are freed only after
 * synchronize_rcu() has returned.
 *
 * Returns the first error encountered, or KNOT_EOK.
 *
 * NOTE(review): the journal-store failure path rolls back and frees the new
 * contents but, unlike the two failure paths before it, does not call
 * changeset_clear() -- confirm whether that is intentional.
 */
static int commit_incremental(zone_update_t *update)
{
	assert(update);

	if (changeset_empty(&update->change)) {
		// Nothing to commit.
		changeset_clear(&update->change);
		return KNOT_EOK;
	}

	int ret = KNOT_EOK;
	if (zone_update_to(update) == NULL) {
		// No SOA in the update, create one according to the current policy.
		ret = set_new_soa(update);
		if (ret != KNOT_EOK) {
			return ret;
		}
	}

	// Apply the changes to a new copy of the contents.
	zone_contents_t *new_contents = NULL;
	ret = apply_changeset(update->zone, &update->change, &new_contents);
	if (ret != KNOT_EOK) {
		changeset_clear(&update->change);
		return ret;
	}
	assert(new_contents);

	// Sign only when both the update and the zone configuration ask for it.
	conf_val_t signing = conf_zone_get(conf(), C_DNSSEC_SIGNING, update->zone->name);
	if ((update->flags & UPDATE_SIGN) && conf_bool(&signing)) {
		ret = sign_update(update, new_contents);
		if (ret != KNOT_EOK) {
			update_rollback(&update->change);
			update_free_zone(&new_contents);
			changeset_clear(&update->change);
			return ret;
		}
	}

	// Write changes to journal if all went well. (DNSSEC merged)
	ret = zone_change_store(update->zone, &update->change);
	if (ret != KNOT_EOK) {
		update_rollback(&update->change);
		update_free_zone(&new_contents);
		return ret;
	}

	/* Temporarily unlock locked configuration. */
	rcu_read_unlock();

	// Publish the new contents, then wait before the old ones are freed.
	zone_contents_t *old_contents = zone_switch_contents(update->zone, new_contents);
	synchronize_rcu();

	rcu_read_lock();

	// Clear obsolete zone contents.
	update_free_zone(&old_contents);

	update_cleanup(&update->change);
	changeset_clear(&update->change);

	return KNOT_EOK;
}

/*
 * Commits the update. Only incremental updates can be committed here; any
 * other mode yields KNOT_ENOTSUP. 'update' is dereferenced without a NULL
 * check.
 */
int zone_update_commit(zone_update_t *update)
{
	if (!(update->flags & UPDATE_INCREMENTAL)) {
		return KNOT_ENOTSUP;
	}

	return commit_incremental(update);
}

/*
 * Tells whether the update's changeset is empty. 'up' is dereferenced
 * without a NULL check.
 */
bool zone_update_no_change(zone_update_t *up)
{
	const bool unchanged = changeset_empty(&up->change);

	return unchanged;
}