Commit 2c90cda4 authored by Lubos Slovak's avatar Lubos Slovak

EDNS: Separated "real" RCODEs from error codes.

Although RFC6895 defines the error code space as common to all
response errors, one of the codes is assigned twice (BADVERS / BADSIG).
Also, only Extended RCODE from OPT RR is interpreted together with
RCODE from Header as one number. All other "RCODEs" are separate
error codes with dedicated fields (in TSIG or TKEY RRs).
parent d8ff1a43
......@@ -726,7 +726,7 @@ static int zones_verify_tsig_query(const knot_pkt_t *query,
* or some other error.
*/
*rcode = KNOT_RCODE_NOTAUTH;
*tsig_rcode = KNOT_RCODE_BADKEY;
*tsig_rcode = KNOT_TSIG_ERR_BADKEY;
return KNOT_TSIG_EBADKEY;
}
......@@ -740,7 +740,7 @@ static int zones_verify_tsig_query(const knot_pkt_t *query,
if (!(key && kname && knot_dname_cmp(key->name, kname) == 0 &&
key->algorithm == alg)) {
*rcode = KNOT_RCODE_NOTAUTH;
*tsig_rcode = KNOT_RCODE_BADKEY;
*tsig_rcode = KNOT_TSIG_ERR_BADKEY;
return KNOT_TSIG_EBADKEY;
}
......@@ -779,15 +779,15 @@ static int zones_verify_tsig_query(const knot_pkt_t *query,
*rcode = KNOT_RCODE_NOERROR;
break;
case KNOT_TSIG_EBADKEY:
*tsig_rcode = KNOT_RCODE_BADKEY;
*tsig_rcode = KNOT_TSIG_ERR_BADKEY;
*rcode = KNOT_RCODE_NOTAUTH;
break;
case KNOT_TSIG_EBADSIG:
*tsig_rcode = KNOT_RCODE_BADSIG;
*tsig_rcode = KNOT_TSIG_ERR_BADSIG;
*rcode = KNOT_RCODE_NOTAUTH;
break;
case KNOT_TSIG_EBADTIME:
*tsig_rcode = KNOT_RCODE_BADTIME;
*tsig_rcode = KNOT_TSIG_ERR_BADTIME;
// store the time signed from the query
*tsig_prev_time_signed = tsig_rdata_time_signed(query->tsig_rr);
*rcode = KNOT_RCODE_NOTAUTH;
......
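Review bot: The out-parameter `tsig_rcode` now receives `knot_tsig_error_t` values while `rcode` keeps `knot_rcode_t` values, but its declared type is outside these hunks and is likely still a plain integer, so a stray `KNOT_RCODE_*` assignment would still reach the TSIG Error field without any diagnostic. That matters now that the value 16 means both `KNOT_RCODE_BADVERS` and `KNOT_TSIG_ERR_BADSIG` (see the consts.h hunk), so a mix-up changes the code the client sees silently. Consider declaring the parameter as `knot_tsig_error_t *tsig_rcode` (and the matching `rcode_tsig` field of `struct query_data` used in process_query.c) so `-Wenum-conversion` can catch such an assignment. The same `KNOT_TSIG_E*` to `KNOT_TSIG_ERR_*` mapping switch is repeated in process_query_verify below; one `static` helper shared by both would keep them in step. zones_verify_tsig_query starts and ends outside these hunks.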
......@@ -121,7 +121,7 @@ static bool dname_cname_cannot_synth(const knot_rrset_t *rrset, const knot_dname
static bool have_dnssec(struct query_data *qdata)
{
return knot_pkt_has_dnssec(qdata->query) &&
qdata->rcode_ext != KNOT_EDNS_RCODE_BADVERS &&
qdata->rcode_ext != KNOT_RCODE_BADVERS &&
zone_contents_is_signed(qdata->zone->contents);
}
......
......@@ -230,7 +230,7 @@ static int answer_edns_init(const knot_pkt_t *query, knot_pkt_t *resp,
/* Check supported version. */
if (knot_edns_get_version(query->opt_rr) != KNOT_EDNS_VERSION) {
qdata->rcode_ext = KNOT_EDNS_RCODE_BADVERS;
qdata->rcode_ext = KNOT_RCODE_BADVERS;
}
/* Set DO bit if set (DNSSEC requested). */
......@@ -527,7 +527,7 @@ bool process_query_acl_check(list_t *acl, struct query_data *qdata)
if (match == NULL || (match->key && match->key->algorithm != key_alg)) {
dbg_ns("%s: no ACL match => NOTAUTH\n", __func__);
qdata->rcode = KNOT_RCODE_NOTAUTH;
qdata->rcode_tsig = KNOT_RCODE_BADKEY;
qdata->rcode_tsig = KNOT_TSIG_ERR_BADKEY;
return false;
}
......@@ -566,15 +566,15 @@ int process_query_verify(struct query_data *qdata)
break;
case KNOT_TSIG_EBADKEY:
qdata->rcode = KNOT_RCODE_NOTAUTH;
qdata->rcode_tsig = KNOT_RCODE_BADKEY;
qdata->rcode_tsig = KNOT_TSIG_ERR_BADKEY;
break;
case KNOT_TSIG_EBADSIG:
qdata->rcode = KNOT_RCODE_NOTAUTH;
qdata->rcode_tsig = KNOT_RCODE_BADSIG;
qdata->rcode_tsig = KNOT_TSIG_ERR_BADSIG;
break;
case KNOT_TSIG_EBADTIME:
qdata->rcode = KNOT_RCODE_NOTAUTH;
qdata->rcode_tsig = KNOT_RCODE_BADTIME;
qdata->rcode_tsig = KNOT_TSIG_ERR_BADTIME;
ctx->tsig_time_signed = tsig_rdata_time_signed(query->tsig_rr);
break;
case KNOT_EMALF:
......
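Review bot: In the process_query_acl_check hunk, `qdata->rcode_tsig = KNOT_TSIG_ERR_BADKEY` is recorded for every ACL miss, including the `match == NULL` case, which from the visible condition can be a purely address-based miss on a query that carries no TSIG at all. If the response path appends a TSIG RR whenever `rcode_tsig` is non-zero, an unsigned query would then be answered with a TSIG RR carrying BADKEY; confirm that the append path checks `query->tsig_rr` first, or set `rcode_tsig` only when a key was actually presented. A short comment on the assignment stating that intent would help, e.g. `/* BADKEY only meaningful if the query was TSIG-signed; append path must check tsig_rr. */`. Both functions continue outside the hunks shown.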
......@@ -37,13 +37,22 @@ knot_lookup_table_t knot_rcode_names[] = {
{ KNOT_RCODE_NXRRSET, "NXRRSET" },
{ KNOT_RCODE_NOTAUTH, "NOTAUTH" },
{ KNOT_RCODE_NOTZONE, "NOTZONE" },
{ KNOT_RCODE_BADSIG, "BADSIG" },
{ KNOT_RCODE_BADKEY, "BADKEY" },
{ KNOT_RCODE_BADTIME, "BADTIME" },
{ KNOT_RCODE_BADMODE, "BADMODE" },
{ KNOT_RCODE_BADNAME, "BADNAME" },
{ KNOT_RCODE_BADALG, "BADALG" },
{ KNOT_RCODE_BADTRUNC, "BADTRUNC" },
{ KNOT_RCODE_BADVERS, "BADVERS" },
{ 0, NULL }
};
knot_lookup_table_t knot_tsig_err_names[] = {
{ KNOT_TSIG_ERR_BADSIG, "BADSIG" },
{ KNOT_TSIG_ERR_BADKEY, "BADKEY" },
{ KNOT_TSIG_ERR_BADTIME, "BADTIME" },
{ KNOT_TSIG_ERR_BADTRUNC, "BADTRUNC" },
{ 0, NULL }
};
knot_lookup_table_t knot_tkey_err_names[] = {
{ KNOT_TKEY_ERR_BADMODE, "BADMODE" },
{ KNOT_TKEY_ERR_BADNAME, "BADNAME" },
{ KNOT_TKEY_ERR_BADALG, "BADALG" },
{ 0, NULL }
};
......
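Review bot: The new `knot_tsig_err_names` and `knot_tkey_err_names` tables have no matching `extern` declaration in the consts.h hunk shown, so unless one was added elsewhere they are only reachable inside consts.c. Splitting the table also changes what existing lookups print: `knot_rcode_names` no longer resolves 17-22, so any caller that still passes a TSIG Error field to `knot_lookup_by_id(knot_rcode_names, ...)` now gets NULL (kdig's print.c in this commit only gained TODOs), and the value 16 resolves to "BADVERS" where a TSIG context means BADSIG. A one-line comment on each table naming the field it decodes would prevent that reuse, e.g. `/* Names for the TSIG RR Error field (RFC 2845); not header RCODEs. */`.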
......@@ -64,6 +64,10 @@ typedef enum {
* \brief DNS reply codes (RCODEs).
*
* http://www.iana.org/assignments/dns-parameters/dns-parameters.xml
*
* \note Here, only RCODEs present in Header or as an Extended RCODE in
* OPT + Header are listed. Other codes are used in dedicated fields of
* other RRs.
*/
typedef enum {
KNOT_RCODE_NOERROR = 0, /*!< No error. */
......@@ -75,17 +79,24 @@ typedef enum {
KNOT_RCODE_YXDOMAIN = 6, /*!< Name should not exist. */
KNOT_RCODE_YXRRSET = 7, /*!< RR set should not exist. */
KNOT_RCODE_NXRRSET = 8, /*!< RR set does not exist. */
KNOT_RCODE_NOTAUTH = 9, /*!< Server not authoritative. */
KNOT_RCODE_NOTAUTH = 9, /*!< Server not authoritative. / Query not authorized. */
KNOT_RCODE_NOTZONE = 10, /*!< Name is not inside zone. */
KNOT_RCODE_BADSIG = 16, /*!< TSIG signature failed. */
KNOT_RCODE_BADKEY = 17, /*!< Key is not supported. */
KNOT_RCODE_BADTIME = 18, /*!< Signature out of time window. */
KNOT_RCODE_BADMODE = 19, /*!< Bad TKEY mode. */
KNOT_RCODE_BADNAME = 20, /*!< Duplicate key name. */
KNOT_RCODE_BADALG = 21, /*!< Algorithm not supported. */
KNOT_RCODE_BADTRUNC = 22 /*!< Bad truncation. */
KNOT_RCODE_BADVERS = 16 /*!< Bad OPT Version. */
} knot_rcode_t;
typedef enum {
KNOT_TSIG_ERR_BADSIG = 16, /*!< TSIG signature failed. */
KNOT_TSIG_ERR_BADKEY = 17, /*!< Key is not supported. */
KNOT_TSIG_ERR_BADTIME = 18, /*!< Signature out of time window. */
KNOT_TSIG_ERR_BADTRUNC = 22 /*!< Bad truncation. */
} knot_tsig_error_t;
typedef enum {
KNOT_TKEY_ERR_BADMODE = 19, /*!< Bad TKEY mode. */
KNOT_TKEY_ERR_BADNAME = 20, /*!< Duplicate key name. */
KNOT_TKEY_ERR_BADALG = 21 /*!< Algorithm not supported. */
} knot_tkey_error_t;
/*!
* \brief DNS packet section identifiers.
*/
......
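Review bot: The two new enums `knot_tsig_error_t` and `knot_tkey_error_t` have no `\brief` comment, unlike `knot_rcode_t` just above; add one per enum stating which RR field the values belong to, e.g. `/*! \brief TSIG RR Error field values (RFC 2845). Shares numeric space with RCODEs: 16 here is BADSIG, not BADVERS. */` and `/*! \brief TKEY RR Error field values (RFC 2930). */`. Neither enum has a zero member, yet 0 is the on-the-wire "no error" value that TSIG code still spells as `KNOT_RCODE_NOERROR` (see `knot_tsig_can_sign` in tsig-op.h); adding `KNOT_TSIG_ERR_NOERROR = 0, /*!< No error. */` would let that code stay inside its own enum. The `\note` on `knot_rcode_t` could also say explicitly that `KNOT_RCODE_BADVERS` is only representable through the OPT Extended RCODE, since 16 does not fit the 4-bit header field.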
......@@ -132,7 +132,7 @@ int tsig_create_rdata(knot_rrset_t *rr, const knot_dname_t *alg, uint16_t maclen
/* We already checked rr and know rdlen > 0, no need to check rets. */
int alg_len = knot_dname_size(alg);
size_t rdlen = alg_len + TSIG_FIXED_RDLEN + maclen;
if (tsig_err != KNOT_RCODE_BADTIME) {
if (tsig_err != KNOT_TSIG_ERR_BADTIME) {
rdlen -= TSIG_OTHER_MAXLEN;
}
uint8_t rd[rdlen];
......
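Review bot: `tsig_err` is compared against a `knot_tsig_error_t` value on the changed line, but its declared type is cut off at the end of the signature shown, so it is probably still an integer type; declaring it as `knot_tsig_error_t tsig_err` would document the contract and let `-Wenum-conversion` flag a header RCODE passed by mistake. On the same lines, `rdlen` sizes the VLA `uint8_t rd[rdlen]` from the caller-supplied `maclen`; that is bounded by `uint16_t`, so the stack use is at most about 64 KiB, but a comment stating that bound next to the VLA would make the reasoning visible. tsig_create_rdata continues outside the hunk.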
......@@ -460,13 +460,13 @@ int knot_tsig_sign(uint8_t *msg, size_t *msg_len,
/* Create rdata for TSIG RR. */
uint16_t rdata_rcode = 0;
if (tsig_rcode == KNOT_RCODE_BADTIME)
if (tsig_rcode == KNOT_TSIG_ERR_BADTIME)
rdata_rcode = tsig_rcode;
tsig_create_rdata(tmp_tsig, tsig_alg_to_dname(key->algorithm),
knot_tsig_digest_length(key->algorithm), rdata_rcode);
/* Distinguish BADTIME response. */
if (tsig_rcode == KNOT_RCODE_BADTIME) {
if (tsig_rcode == KNOT_TSIG_ERR_BADTIME) {
/* Set client's time signed into the time signed field. */
tsig_rdata_set_time_signed(tmp_tsig, request_time_signed);
......@@ -799,7 +799,7 @@ int knot_tsig_add(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
return KNOT_ENOMEM;
}
assert(tsig_rcode != KNOT_RCODE_BADTIME);
assert(tsig_rcode != KNOT_TSIG_ERR_BADTIME);
tsig_create_rdata(tmp_tsig, tsig_rdata_alg_name(tsig_rr), 0, tsig_rcode);
tsig_rdata_set_time_signed(tmp_tsig, tsig_rdata_time_signed(tsig_rr));
......
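Review bot: The rewritten condition at the top of the knot_tsig_sign hunk keeps its body unbraced on the next line, while the same test a few lines later is braced; brace both for consistency and to avoid the dangling-statement trap, `if (tsig_rcode == KNOT_TSIG_ERR_BADTIME) { rdata_rcode = tsig_rcode; }`. A why-comment would help there too, since only BADTIME is copied into the RDATA and every other error leaves `rdata_rcode` at 0, which from the knot_tsig_add hunk appears to be because other errors are answered with an unsigned TSIG RR: `/* Only BADTIME is answered signed; other errors go unsigned via knot_tsig_add(). */`. In knot_tsig_add the BADTIME precondition is an `assert()` that disappears under NDEBUG; if callers are not trusted to honour it, an explicit `if (tsig_rcode == KNOT_TSIG_ERR_BADTIME) { return KNOT_EINVAL; }` would be safer, assuming that error code is the module's convention. Both functions start and end outside the hunks.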
......@@ -169,7 +169,7 @@ int knot_tsig_append(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
/*! \brief Return true if the TSIG RCODE allows signing the packet. */
static inline bool knot_tsig_can_sign(uint16_t tsig_rcode) {
return (tsig_rcode == KNOT_RCODE_NOERROR || tsig_rcode == KNOT_RCODE_BADTIME);
return (tsig_rcode == KNOT_RCODE_NOERROR || tsig_rcode == KNOT_TSIG_ERR_BADTIME);
}
/*! @} */
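Review bot: `knot_tsig_can_sign` still compares the TSIG error against `KNOT_RCODE_NOERROR`, so the new `knot_tsig_error_t` space is mixed with `knot_rcode_t` in the one place that decides whether a response gets signed. If a `KNOT_TSIG_ERR_NOERROR = 0` member is added to the new enum, the line becomes `return (tsig_rcode == KNOT_TSIG_ERR_NOERROR || tsig_rcode == KNOT_TSIG_ERR_BADTIME);` and the parameter can be typed `knot_tsig_error_t tsig_rcode`. As written, a caller that passes a header RCODE by mistake (e.g. NOTAUTH, 9, which no TSIG error uses) is silently treated as "cannot sign" instead of being caught at compile time with `-Wenum-conversion`.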
......@@ -57,6 +57,7 @@ static void print_header(const knot_pkt_t *packet, const style_t *style)
const char *opcode_str = "NULL";
knot_lookup_table_t *rcode, *opcode;
/* TODO[EDNS] Interpret Extended RCODE */
// Get codes.
rcode_id = knot_wire_get_rcode(packet->wire);
rcode = knot_lookup_by_id(knot_rcode_names, rcode_id);
......@@ -220,6 +221,7 @@ static void print_section_opt(const knot_rrset_t *rr, uint8_t rcode)
const char *ext_rcode_str = "NULL";
knot_lookup_table_t *ext_rcode;
/* TODO[EDNS] Extended RCODE to header */
ext_rcode = knot_lookup_by_id(knot_rcode_names, ext_rcode_id);
if (ext_rcode != NULL) {
ext_rcode_str = ext_rcode->name;
......@@ -437,6 +439,7 @@ static void print_error_host(const uint8_t code,
if (style->style.ascii_to_idn != NULL) {
style->style.ascii_to_idn(&owner);
}
/* TODO[EDNS] Interpret Extended RCODE?? */
rcode = knot_lookup_by_id(knot_rcode_names, code);
if (rcode != NULL) {
rcode_str = rcode->name;
......
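Review bot: The three `TODO[EDNS]` comments record that the Extended RCODE is still not combined with the header RCODE, which the commit message itself describes as the correct interpretation; as written, `print_section_opt` looks up `ext_rcode_id` alone in `knot_rcode_names`, so an 8-bit extended value of 1 (BADVERS once combined with a header RCODE of 0) would print as "FORMERR". If `ext_rcode_id` is the raw OPT byte and the `rcode` parameter is the 4-bit header field, the lookup wants `knot_lookup_by_id(knot_rcode_names, (ext_rcode_id << 4) | (rcode & 0x0F))`; if they are already combined before this function, the TODO should say so. Either way, each TODO should state what is expected, e.g. `/* TODO[EDNS]: combine with header RCODE per RFC 6891 section 6.1.3 before lookup. */`. All three functions continue outside the hunks.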