Commit 847a0875 authored by Marek Vavrusa's avatar Marek Vavrusa

nameserver: zone existence and contents existence must be checked

separately
parent c78bc96e
......@@ -197,11 +197,10 @@ int axfr_answer(knot_pkt_t *pkt, knot_nameserver_t *ns, struct query_data *qdata
/* Initialize on first call. */
if (qdata->ext == NULL) {
/* Check zone state. */
NS_NEED_VALID_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Need valid transaction security. */
/* Check valid zone, transaction security and contents. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
NS_NEED_AUTH(qdata->zone->xfr_out, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
ret = axfr_answer_init(qdata);
if (ret != KNOT_EOK) {
......@@ -656,6 +656,9 @@ int internet_answer(knot_pkt_t *response, struct query_data *qdata)
return NS_PROC_FAIL;
}
/* Check valid zone, transaction security (optional) and contents. */
NS_NEED_ZONE(qdata, KNOT_RCODE_REFUSED);
/* No applicable ACL, refuse transaction security. */
if (knot_pkt_have_tsig(qdata->query)) {
/* We have been challenged... */
......@@ -665,7 +668,7 @@ int internet_answer(knot_pkt_t *response, struct query_data *qdata)
knot_pkt_reserve(response, tsig_wire_maxsize(qdata->sign.tsig_key));
}
NS_NEED_VALID_ZONE(qdata, KNOT_RCODE_REFUSED);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Expired */
/* Get answer to QNAME. */
dbg_ns("%s: writing %p ANSWER\n", __func__, response);
......@@ -53,15 +53,17 @@ int internet_answer(knot_pkt_t *resp, struct query_data *qdata);
return NS_PROC_FAIL; \
}
/*! \brief Require valid zone or return error code. */
#define NS_NEED_VALID_ZONE(qdata, error_rcode) \
switch(zone_state((qdata)->zone)) { \
case KNOT_EOK: \
break; \
case KNOT_ENOENT: \
/*! \brief Require existing zone or return failure. */
#define NS_NEED_ZONE(qdata, error_rcode) \
if ((qdata)->zone == NULL) { \
qdata->rcode = (error_rcode); \
return NS_PROC_FAIL; \
default: /* SERVFAIL */ \
}
/*! \brief Require existing zone contents or return failure. */
#define NS_NEED_ZONE_CONTENTS(qdata, error_rcode) \
if ((qdata)->zone->contents == NULL) { \
qdata->rcode = (error_rcode); \
return NS_PROC_FAIL; \
}
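Review bot: Both new macros assign `qdata->rcode = (error_rcode);` with the `qdata` argument unparenthesized, while the test on the line above them writes `(qdata)->zone`; an argument that is not a plain identifier would expand wrongly, so both should read `(qdata)->rcode = (error_rcode); \`. NS_NEED_ZONE_CONTENTS dereferences `(qdata)->zone` without a NULL check, so it is only safe after NS_NEED_ZONE has passed; record that precondition in its brief, e.g. `/*! \brief Require loaded zone contents or return failure; caller must pass NS_NEED_ZONE first. */`. Both expand to a bare `if` block, so an `else` written after a use would bind to the macro's `if`; a `do { ... } while (0)` wrapper would remove that hazard, though the tail of the preceding macro visible at the top of the hunk appears to use the same bare form, so this may be a deliberate file convention.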
......@@ -155,8 +155,9 @@ static int ixfr_load_chsets(knot_changesets_t **chgsets, const zone_t *zone,
static int ixfr_query_check(struct query_data *qdata)
{
/* Check zone state. */
NS_NEED_VALID_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Check if zone exists. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Need IXFR query type. */
NS_NEED_QTYPE(qdata, KNOT_RRTYPE_IXFR, KNOT_RCODE_FORMERR);
/* Need SOA authority record. */
......@@ -169,8 +170,9 @@ static int ixfr_query_check(struct query_data *qdata)
/* SOA needs to match QNAME. */
NS_NEED_QNAME(qdata, their_soa->owner, KNOT_RCODE_FORMERR);
/* Need valid transaction security. */
/* Check transcation security and zone contents. */
NS_NEED_AUTH(qdata->zone->xfr_out, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
return NS_PROC_DONE;
}
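Review bot: The comment added above NS_NEED_AUTH reads `/* Check transcation security and zone contents. */`; it should be `/* Check transaction security and zone contents. */`. The ordering itself looks sound: NS_NEED_ZONE in the earlier hunk guarantees `qdata->zone` is non-NULL before `qdata->zone->xfr_out` is dereferenced here, and placing the auth check before NS_NEED_ZONE_CONTENTS presumably means an unauthorized peer sees NOTAUTH rather than learning from SERVFAIL whether the zone is expired.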
......@@ -112,19 +112,19 @@ int update_answer(knot_pkt_t *pkt, knot_nameserver_t *ns, struct query_data *qda
/* RFC1996 require SOA question. */
NS_NEED_QTYPE(qdata, KNOT_RRTYPE_SOA, KNOT_RCODE_FORMERR);
/* Need valid transaction security. */
zone_t *zone = (zone_t *)qdata->zone;
NS_NEED_AUTH(zone->update_in, qdata);
/*! \note NOTIFY/RFC1996 isn't clear on error RCODEs.
* Most servers use NOTAUTH from RFC2136. */
NS_NEED_VALID_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Check valid zone, transaction security and contents. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Allow pass-through of an unknown TSIG in DDNS forwarding (must have zone). */
zone_t *zone = (zone_t *)qdata->zone;
if (zone->xfr_in.has_master) {
return update_forward(qdata);
}
/* Need valid transaction security. */
NS_NEED_AUTH(zone->update_in, qdata);
NS_NEED_ZONE_CONTENTS(qdata, KNOT_RCODE_SERVFAIL); /* Check expiration. */
/*
* Check if UPDATE not running already.
*/
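Review bot: For a zone with `xfr_in.has_master` set the new code returns `update_forward(qdata)` before NS_NEED_AUTH runs, so the local `update_in` ACL is never applied to a forwarded update; the comment explains the motivation (unknown TSIG pass-through) but not where authorization then happens, which I cannot see from this hunk and presume is left to the master. The comment should state that trust decision explicitly, e.g. `/* Forwarded update: the local update_in ACL is not applied here; authorization is left to the master. */`. The retained `\note` about NOTIFY/RFC1996 now sits between the SOA-question check and NS_NEED_ZONE in the UPDATE handler and reads as copied from the NOTIFY code; it should reference RFC2136's NOTAUTH directly. update_answer starts outside the hunk.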
......@@ -70,11 +70,9 @@ int notify_process_response(knot_pkt_t *notify, int msgid)
return KNOT_EOK;
}
static int notify_reschedule(knot_nameserver_t *ns,
const zone_t *zone,
sockaddr_t *from)
static int notify_reschedule(knot_nameserver_t *ns, const zone_t *zone)
{
dbg_ns("%s(%p, %p, %p)\n", __func__, ns, zone, from);
dbg_ns("%s(%p, %p)\n", __func__, ns, zone);
if (ns == NULL || zone == NULL) {
return KNOT_EINVAL;
}
......@@ -106,15 +104,10 @@ int internet_notify(knot_pkt_t *pkt, knot_nameserver_t *ns, struct query_data *q
/* RFC1996 require SOA question. */
NS_NEED_QTYPE(qdata, KNOT_RRTYPE_SOA, KNOT_RCODE_FORMERR);
/* Need valid transaction security. */
/* Check valid zone, transaction security. */
NS_NEED_ZONE(qdata, KNOT_RCODE_NOTAUTH);
NS_NEED_AUTH(qdata->zone->notify_in, qdata);
/*! \note NOTIFY/RFC1996 isn't clear on error RCODEs.
* Most servers use NOTAUTH from RFC2136. */
/*! \note SERVFAIL is going to be sent if the zone is
* being bootstrapped, this is harmless. */
NS_NEED_VALID_ZONE(qdata, KNOT_RCODE_NOTAUTH);
/* Reserve space for TSIG. */
knot_pkt_reserve(pkt, tsig_wire_maxsize(qdata->sign.tsig_key));
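Review bot: Unlike the other handlers in this commit, the NOTIFY path adds no NS_NEED_ZONE_CONTENTS after NS_NEED_AUTH, and the removed `\note` about SERVFAIL during bootstrap was the only text that explained the contents question here. If accepting NOTIFY for a zone whose contents are not yet loaded is intended (presumably it is, since the notify is what triggers the refresh), say so next to NS_NEED_AUTH: `/* No contents check: NOTIFY must be accepted while the zone is still bootstrapping. */`. internet_notify starts outside the hunk.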
......@@ -132,7 +125,7 @@ int internet_notify(knot_pkt_t *pkt, knot_nameserver_t *ns, struct query_data *q
}
int next_state = NS_PROC_FAIL;
int ret = notify_reschedule(ns, qdata->zone, NULL /*! \todo API */);
int ret = notify_reschedule(ns, qdata->zone);
/* Format resulting log message. */
if (ret != KNOT_EOK) {
......@@ -306,13 +306,3 @@ knot_zone_contents_t *zone_switch_contents(zone_t *zone,
return old_contents;
}
int zone_state(const zone_t *zone)
{
if (zone == NULL) {
return KNOT_ENOENT;
} else if (zone->contents == NULL) {
return KNOT_ENOZONE;
}
return KNOT_EOK;
}
......@@ -171,13 +171,4 @@ static inline bool zone_is_master(const zone_t *zone)
knot_zone_contents_t *zone_switch_contents(zone_t *zone,
knot_zone_contents_t *new_contents);
/*!
* \brief Return zone state.
* \param zone Inspected zone.
* \retval KNOT_EOK if OK
* \retval KNOT_ENOENT if not exists
* \retval KNOT_ENOZONE if expired or stub
*/
int zone_state(const zone_t *zone);
/*! @} */