Commit fc71c1f0 authored by Daniel Salzman's avatar Daniel Salzman

module: make a mod-rrl module from query_processing rrl code

parent 283f68ca
......@@ -218,6 +218,8 @@ src/knot/conf/confdb.c
src/knot/conf/confdb.h
src/knot/conf/confio.c
src/knot/conf/confio.h
src/knot/conf/migration.c
src/knot/conf/migration.h
src/knot/conf/scheme.c
src/knot/conf/scheme.h
src/knot/conf/tools.c
......@@ -269,6 +271,10 @@ src/knot/modules/online_sign/online_sign.h
src/knot/modules/rosedb/rosedb.c
src/knot/modules/rosedb/rosedb.h
src/knot/modules/rosedb/rosedb_tool.c
src/knot/modules/rrl/functions.c
src/knot/modules/rrl/functions.h
src/knot/modules/rrl/rrl.c
src/knot/modules/rrl/rrl.h
src/knot/modules/stats/stats.c
src/knot/modules/stats/stats.h
src/knot/modules/synth_record/synth_record.c
......@@ -308,8 +314,6 @@ src/knot/server/dthreads.c
src/knot/server/dthreads.h
src/knot/server/journal.c
src/knot/server/journal.h
src/knot/server/rrl.c
src/knot/server/rrl.h
src/knot/server/serialization.c
src/knot/server/serialization.h
src/knot/server/server.c
......@@ -579,12 +583,12 @@ tests/libknot/test_yparser.c
tests/libknot/test_ypscheme.c
tests/libknot/test_yptrafo.c
tests/modules/online_sign.c
tests/modules/rrl.c
tests/node.c
tests/process_answer.c
tests/process_query.c
tests/query_module.c
tests/requestor.c
tests/rrl.c
tests/server.c
tests/test_conf.h
tests/utils/test_cert.c
......
......@@ -247,31 +247,6 @@ processed::
file: example.com.zone
acl: update_acl
Response rate limiting
======================
Response rate limiting (RRL) is a method to combat DNS reflection amplification
attacks. These attacks rely on the fact that source address of a UDP query
can be forged, and without a worldwide deployment of `BCP38
<https://tools.ietf.org/html/bcp38>`_, such a forgery cannot be prevented.
An attacker can use a DNS server (or multiple servers) as an amplification
source and can flood a victim with a large number of unsolicited DNS responses.
The RRL lowers the amplification factor of these attacks by sending some of
the responses as truncated or by dropping them altogether.
You can enable RRL by setting the :ref:`server_rate-limit` option in the
:ref:`server section<Server section>`. The option controls how many responses
per second are permitted for each flow. Responses exceeding this rate are
limited. The option :ref:`server_rate-limit-slip` then configures how many
limited responses are sent as truncated (slip) instead of being dropped.
::
server:
rate-limit: 200 # Allow 200 resp/s for each flow
rate-limit-slip: 2 # Every other response slips
.. _dnssec:
Automatic DNSSEC signing
......
......@@ -149,10 +149,6 @@ server:
max\-udp\-payload: SIZE
max\-ipv4\-udp\-payload: SIZE
max\-ipv6\-udp\-payload: SIZE
rate\-limit: INT
rate\-limit\-slip: INT
rate\-limit\-table\-size: INT
rate\-limit\-whitelist: ADDR[/INT] | ADDR\-ADDR ...
listen: ADDR[@INT] ...
.ft P
.fi
......@@ -243,69 +239,6 @@ A maximum number of TCP clients connected in parallel, set this below the file
descriptor limit to avoid resource exhaustion.
.sp
\fIDefault:\fP 100
.SS rate\-limit
.sp
Rate limiting is based on the token bucket scheme. A rate basically
represents a number of tokens available each second. Each response is
processed and classified (based on several discriminators, e.g.
source netblock, query type, zone name, rcode, etc.). Classified responses are
then hashed and assigned to a bucket containing number of available
tokens, timestamp and metadata. When available tokens are exhausted,
response is dropped or sent as truncated (see \fI\%rate\-limit\-slip\fP).
Number of available tokens is recalculated each second.
.sp
\fIDefault:\fP 0 (disabled)
.SS rate\-limit\-table\-size
.sp
Size of the hash table in a number of buckets. The larger the hash table, the lesser
the probability of a hash collision, but at the expense of additional memory costs.
Each bucket is estimated roughly to 32 bytes. The size should be selected as
a reasonably large prime due to better hash function distribution properties.
Hash table is internally chained and works well up to a fill rate of 90 %, general
rule of thumb is to select a prime near 1.2 * maximum_qps.
.sp
\fIDefault:\fP 393241
.SS rate\-limit\-slip
.sp
As attacks using DNS/UDP are usually based on a forged source address,
an attacker could deny services to the victim\(aqs netblock if all
responses would be completely blocked. The idea behind SLIP mechanism
is to send each N\s-2\uth\d\s0 response as truncated, thus allowing client to
reconnect via TCP for at least some degree of service. It is worth
noting, that some responses can\(aqt be truncated (e.g. SERVFAIL).
.INDENT 0.0
.IP \(bu 2
Setting the value to \fB0\fP will cause that all rate\-limited responses will
be dropped. The outbound bandwidth and packet rate will be strictly capped
by the \fI\%rate\-limit\fP option. All legitimate requestors affected
by the limit will face denial of service and will observe excessive timeouts.
Therefore this setting is not recommended.
.IP \(bu 2
Setting the value to \fB1\fP will cause that all rate\-limited responses will
be sent as truncated. The amplification factor of the attack will be reduced,
but the outbound data bandwidth won\(aqt be lower than the incoming bandwidth.
Also the outbound packet rate will be the same as without RRL.
.IP \(bu 2
Setting the value to \fB2\fP will cause that half of the rate\-limited responses
will be dropped, the other half will be sent as truncated. With this
configuration, both outbound bandwidth and packet rate will be lower than the
inbound. On the other hand, the dropped responses enlarge the time window
for possible cache poisoning attack on the resolver.
.IP \(bu 2
Setting the value to anything \fBlarger than 2\fP will keep on decreasing
the outgoing rate\-limited bandwidth, packet rate, and chances to notify
legitimate requestors to reconnect using TCP. These attributes are inversely
proportional to the configured value. Setting the value high is not advisable.
.UNINDENT
.sp
\fIDefault:\fP 1
.SS rate\-limit\-whitelist
.sp
A list of IP addresses, network subnets, or network ranges to exempt from
rate limiting. Empty list means that no incoming connection will be
white\-listed.
.sp
\fIDefault:\fP not set
.SS max\-udp\-payload
.sp
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
......@@ -1089,6 +1022,90 @@ Minimum severity level for messages related to zones that are logged.
Minimum severity level for all message types that are logged.
.sp
\fIDefault:\fP not set
.SH MODULE RRL
.sp
A response rate limiting module.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
mod\-rrl:
\- id: STR
rate\-limit: INT
slip: INT
table\-size: INT
whitelist: ADDR[/INT] | ADDR\-ADDR ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier.
.SS rate\-limit
.sp
Rate limiting is based on the token bucket scheme. A rate basically
represents a number of tokens available each second. Each response is
processed and classified (based on several discriminators, e.g.
source netblock, query type, zone name, rcode, etc.). Classified responses are
then hashed and assigned to a bucket containing number of available
tokens, timestamp and metadata. When available tokens are exhausted,
response is dropped or sent as truncated (see \fI\%slip\fP).
Number of available tokens is recalculated each second.
.sp
\fIRequired\fP
.SS table\-size
.sp
Size of the hash table in a number of buckets. The larger the hash table, the lesser
the probability of a hash collision, but at the expense of additional memory costs.
Each bucket is estimated roughly to 32 bytes. The size should be selected as
a reasonably large prime due to better hash function distribution properties.
Hash table is internally chained and works well up to a fill rate of 90 %, general
rule of thumb is to select a prime near 1.2 * maximum_qps.
.sp
\fIDefault:\fP 393241
.SS slip
.sp
As attacks using DNS/UDP are usually based on a forged source address,
an attacker could deny services to the victim\(aqs netblock if all
responses would be completely blocked. The idea behind SLIP mechanism
is to send each N\s-2\uth\d\s0 response as truncated, thus allowing client to
reconnect via TCP for at least some degree of service. It is worth
noting, that some responses can\(aqt be truncated (e.g. SERVFAIL).
.INDENT 0.0
.IP \(bu 2
Setting the value to \fB0\fP will cause that all rate\-limited responses will
be dropped. The outbound bandwidth and packet rate will be strictly capped
by the \fI\%rate\-limit\fP option. All legitimate requestors affected
by the limit will face denial of service and will observe excessive timeouts.
Therefore this setting is not recommended.
.IP \(bu 2
Setting the value to \fB1\fP will cause that all rate\-limited responses will
be sent as truncated. The amplification factor of the attack will be reduced,
but the outbound data bandwidth won\(aqt be lower than the incoming bandwidth.
Also the outbound packet rate will be the same as without RRL.
.IP \(bu 2
Setting the value to \fB2\fP will cause that half of the rate\-limited responses
will be dropped, the other half will be sent as truncated. With this
configuration, both outbound bandwidth and packet rate will be lower than the
inbound. On the other hand, the dropped responses enlarge the time window
for possible cache poisoning attack on the resolver.
.IP \(bu 2
Setting the value to anything \fBlarger than 2\fP will keep on decreasing
the outgoing rate\-limited bandwidth, packet rate, and chances to notify
legitimate requestors to reconnect using TCP. These attributes are inversely
proportional to the configured value. Setting the value high is not advisable.
.UNINDENT
.sp
\fIDefault:\fP 1
.SS whitelist
.sp
A list of IP addresses, network subnets, or network ranges to exempt from
rate limiting. Empty list means that no incoming connection will be
white\-listed.
.sp
\fIDefault:\fP not set
.SH MODULE DNSTAP
.sp
The module dnstap allows query and response logging.
......
......@@ -31,7 +31,36 @@ an identifier must be created and then referenced in the form of
.. NOTE::
Query modules are processed in the order they are specified in the
zone/template configuration.
zone/template configuration. In most cases, the recommended order is::
mod-synth-record, mod-online-sign, mod-rrl, mod-dnstap, mod-stats
``rrl`` — Response rate limiting
--------------------------------
Response rate limiting (RRL) is a method to combat DNS reflection amplification
attacks. These attacks rely on the fact that source address of a UDP query
can be forged, and without a worldwide deployment of `BCP38
<https://tools.ietf.org/html/bcp38>`_, such a forgery cannot be prevented.
An attacker can use a DNS server (or multiple servers) as an amplification
source and can flood a victim with a large number of unsolicited DNS responses.
The RRL lowers the amplification factor of these attacks by sending some of
the responses as truncated or by dropping them altogether.
The module introduces two counters. The number of slipped and dropped responses.
You can enable RRL by setting the :ref:`mod-rrl<mod-rrl>` module globally or per zone.
::
mod-rrl:
- id: default
rate-limit: 200 # Allow 200 resp/s for each flow
slip: 2 # Every other response slips
template:
- id: default
global-module: mod-rrl/default # Enable RRL globally
``dnstap`` – dnstap-enabled query logging
-----------------------------------------
......@@ -503,7 +532,7 @@ AAAA-only glue records.
------------------------
The module sends empty truncated response to any UDP query. This is similar
to a slipped answer in :ref:`response rate limiting<server_rate-limit>`.
to a slipped answer in :ref:`response rate limiting<mod-rrl_rate-limit>`.
TCP queries are not affected.
To enable this module globally, you need to add something like the following
......
......@@ -102,10 +102,6 @@ General options related to the server.
max-udp-payload: SIZE
max-ipv4-udp-payload: SIZE
max-ipv6-udp-payload: SIZE
rate-limit: INT
rate-limit-slip: INT
rate-limit-table-size: INT
rate-limit-whitelist: ADDR[/INT] | ADDR-ADDR ...
listen: ADDR[@INT] ...
.. _server_identity:
......@@ -249,83 +245,6 @@ descriptor limit to avoid resource exhaustion.
*Default:* 100
.. _server_rate-limit:
rate-limit
----------
Rate limiting is based on the token bucket scheme. A rate basically
represents a number of tokens available each second. Each response is
processed and classified (based on several discriminators, e.g.
source netblock, query type, zone name, rcode, etc.). Classified responses are
then hashed and assigned to a bucket containing number of available
tokens, timestamp and metadata. When available tokens are exhausted,
response is dropped or sent as truncated (see :ref:`server_rate-limit-slip`).
Number of available tokens is recalculated each second.
*Default:* 0 (disabled)
.. _server_rate-limit-table-size:
rate-limit-table-size
---------------------
Size of the hash table in a number of buckets. The larger the hash table, the lesser
the probability of a hash collision, but at the expense of additional memory costs.
Each bucket is estimated roughly to 32 bytes. The size should be selected as
a reasonably large prime due to better hash function distribution properties.
Hash table is internally chained and works well up to a fill rate of 90 %, general
rule of thumb is to select a prime near 1.2 * maximum_qps.
*Default:* 393241
.. _server_rate-limit-slip:
rate-limit-slip
---------------
As attacks using DNS/UDP are usually based on a forged source address,
an attacker could deny services to the victim's netblock if all
responses would be completely blocked. The idea behind SLIP mechanism
is to send each N\ :sup:`th` response as truncated, thus allowing client to
reconnect via TCP for at least some degree of service. It is worth
noting, that some responses can't be truncated (e.g. SERVFAIL).
- Setting the value to **0** will cause that all rate-limited responses will
be dropped. The outbound bandwidth and packet rate will be strictly capped
by the :ref:`server_rate-limit` option. All legitimate requestors affected
by the limit will face denial of service and will observe excessive timeouts.
Therefore this setting is not recommended.
- Setting the value to **1** will cause that all rate-limited responses will
be sent as truncated. The amplification factor of the attack will be reduced,
but the outbound data bandwidth won't be lower than the incoming bandwidth.
Also the outbound packet rate will be the same as without RRL.
- Setting the value to **2** will cause that half of the rate-limited responses
will be dropped, the other half will be sent as truncated. With this
configuration, both outbound bandwidth and packet rate will be lower than the
inbound. On the other hand, the dropped responses enlarge the time window
for possible cache poisoning attack on the resolver.
- Setting the value to anything **larger than 2** will keep on decreasing
the outgoing rate-limited bandwidth, packet rate, and chances to notify
legitimate requestors to reconnect using TCP. These attributes are inversely
proportional to the configured value. Setting the value high is not advisable.
*Default:* 1
.. _server_rate-limit-whitelist:
rate-limit-whitelist
--------------------
A list of IP addresses, network subnets, or network ranges to exempt from
rate limiting. Empty list means that no incoming connection will be
white-listed.
*Default:* not set
.. _server_max-udp-payload:
max-udp-payload
......@@ -1274,6 +1193,106 @@ Minimum severity level for all message types that are logged.
*Default:* not set
.. _mod-rrl:
Module rrl
==========
A response rate limiting module.
::
mod-rrl:
- id: STR
rate-limit: INT
slip: INT
table-size: INT
whitelist: ADDR[/INT] | ADDR-ADDR ...
.. _mod-rrl_id:
id
--
A module identifier.
.. _mod-rrl_rate-limit:
rate-limit
----------
Rate limiting is based on the token bucket scheme. A rate basically
represents a number of tokens available each second. Each response is
processed and classified (based on several discriminators, e.g.
source netblock, query type, zone name, rcode, etc.). Classified responses are
then hashed and assigned to a bucket containing number of available
tokens, timestamp and metadata. When available tokens are exhausted,
response is dropped or sent as truncated (see :ref:`mod-rrl_slip`).
Number of available tokens is recalculated each second.
*Required*
.. _mod-rrl_table-size:
table-size
----------
Size of the hash table in a number of buckets. The larger the hash table, the lesser
the probability of a hash collision, but at the expense of additional memory costs.
Each bucket is estimated roughly to 32 bytes. The size should be selected as
a reasonably large prime due to better hash function distribution properties.
Hash table is internally chained and works well up to a fill rate of 90 %, general
rule of thumb is to select a prime near 1.2 * maximum_qps.
*Default:* 393241
.. _mod-rrl_slip:
slip
----
As attacks using DNS/UDP are usually based on a forged source address,
an attacker could deny services to the victim's netblock if all
responses would be completely blocked. The idea behind SLIP mechanism
is to send each N\ :sup:`th` response as truncated, thus allowing client to
reconnect via TCP for at least some degree of service. It is worth
noting, that some responses can't be truncated (e.g. SERVFAIL).
- Setting the value to **0** will cause that all rate-limited responses will
be dropped. The outbound bandwidth and packet rate will be strictly capped
by the :ref:`mod-rrl_rate-limit` option. All legitimate requestors affected
by the limit will face denial of service and will observe excessive timeouts.
Therefore this setting is not recommended.
- Setting the value to **1** will cause that all rate-limited responses will
be sent as truncated. The amplification factor of the attack will be reduced,
but the outbound data bandwidth won't be lower than the incoming bandwidth.
Also the outbound packet rate will be the same as without RRL.
- Setting the value to **2** will cause that half of the rate-limited responses
will be dropped, the other half will be sent as truncated. With this
configuration, both outbound bandwidth and packet rate will be lower than the
inbound. On the other hand, the dropped responses enlarge the time window
for possible cache poisoning attack on the resolver.
- Setting the value to anything **larger than 2** will keep on decreasing
the outgoing rate-limited bandwidth, packet rate, and chances to notify
legitimate requestors to reconnect using TCP. These attributes are inversely
proportional to the configured value. Setting the value high is not advisable.
*Default:* 1
.. _mod-rrl_whitelist:
whitelist
---------
A list of IP addresses, network subnets, or network ranges to exempt from
rate limiting. Empty list means that no incoming connection will be
white-listed.
*Default:* not set
.. _Module dnstap:
Module dnstap
......
......@@ -234,6 +234,8 @@ libknotd_la_SOURCES = \
knot/conf/confdb.h \
knot/conf/confio.c \
knot/conf/confio.h \
knot/conf/migration.c \
knot/conf/migration.h \
knot/conf/scheme.c \
knot/conf/scheme.h \
knot/conf/tools.c \
......@@ -280,6 +282,10 @@ libknotd_la_SOURCES = \
knot/modules/online_sign/online_sign.h \
knot/modules/online_sign/nsec_next.c \
knot/modules/online_sign/nsec_next.h \
knot/modules/rrl/functions.c \
knot/modules/rrl/functions.h \
knot/modules/rrl/rrl.c \
knot/modules/rrl/rrl.h \
knot/modules/stats/stats.c \
knot/modules/stats/stats.h \
knot/modules/synth_record/synth_record.c\
......@@ -331,8 +337,6 @@ libknotd_la_SOURCES = \
knot/server/dthreads.h \
knot/server/journal.c \
knot/server/journal.h \
knot/server/rrl.c \
knot/server/rrl.h \
knot/server/serialization.c \
knot/server/serialization.h \
knot/server/server.c \
......
......@@ -133,15 +133,10 @@ static void init_cache(
val = conf_get(conf, C_SRV, C_MAX_TCP_CLIENTS);
conf->cache.srv_max_tcp_clients = conf_int(&val);
val = conf_get(conf, C_SRV, C_RATE_LIMIT_SLIP);
conf->cache.srv_rate_limit_slip = conf_int(&val);
val = conf_get(conf, C_CTL, C_TIMEOUT);
conf->cache.ctl_timeout = conf_int(&val) * 1000;
conf->cache.srv_nsid = conf_get(conf, C_SRV, C_NSID);
conf->cache.srv_rate_limit_whitelist = conf_get(conf, C_SRV, C_RATE_LIMIT_WHITELIST);
}
int conf_new(
......
......@@ -106,10 +106,8 @@ typedef struct {
int32_t srv_tcp_idle_timeout;
int32_t srv_tcp_reply_timeout;
int32_t srv_max_tcp_clients;
int32_t srv_rate_limit_slip;
int32_t ctl_timeout;
conf_val_t srv_nsid;
conf_val_t srv_rate_limit_whitelist;
} cache;
/*! List of active query modules. */
......
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "knot/common/log.h"
#include "knot/conf/migration.h"
#include "knot/conf/confdb.h"
static void try_unset(conf_t *conf, knot_db_txn_t *txn, yp_name_t *key0, yp_name_t *key1)
{
int ret = conf_db_unset(conf, txn, key0, key1, NULL, 0, NULL, 0, true);
if (ret != KNOT_EOK && ret != KNOT_ENOENT) {
log_warning("conf, migration, failed to unset '%s%s%s' (%s)",
key0 + 1,
(key1 != NULL) ? "/" : "",
(key1 != NULL) ? key1 + 1 : "",
knot_strerror(ret));
}
}
#define check_set(conf, txn, key0, key1, id, id_len, data, data_len) \
ret = conf_db_set(conf, txn, key0, key1, id, id_len, data, data_len); \
if (ret != KNOT_EOK && ret != KNOT_CONF_EREDEFINE) { \
log_error("conf, migration, failed to set '%s%s%s' (%s)", \
key0 + 1, \
(key1 != NULL) ? "/" : "", \
(key1 != NULL) ? key1 + 1 : "", \
knot_strerror(ret)); \
return ret; \
}
static int migrate_rrl(
conf_t *conf,
knot_db_txn_t *txn)
{
#define MOD_RRL "\x07""mod-rrl"
#define MOD_RATE_LIMIT "\x0A""rate-limit"
#define MOD_SLIP "\x04""slip"
#define MOD_TBL_SIZE "\x0A""table-size"
#define MOD_WHITELIST "\x09""whitelist"
const uint8_t *id = CONF_DEFAULT_ID + 1;
const size_t id_len = CONF_DEFAULT_ID[0];
const uint8_t *dflt_rrl = (const uint8_t *)MOD_RRL "default\0";
const size_t dflt_rrl_len = 16;
conf_val_t val;
int ret = conf_db_get(conf, txn, C_SRV, C_RATE_LIMIT, NULL, 0, &val);
// Migrate old configuration if RRL enabled.
if (ret == KNOT_EOK && conf_int(&val) > 0) {
log_notice("config, migrating RRL configuration from server to mod-rrl");
// Create equivalent mod-rrl configuration.
check_set(conf, txn, MOD_RRL, C_ID, id, id_len, NULL, 0);
check_set(conf, txn, MOD_RRL, MOD_RATE_LIMIT, id, id_len,
val.data, val.len);
conf_db_get(conf, txn, C_SRV, C_RATE_LIMIT_SLIP, NULL, 0, &val);
if (val.code == KNOT_EOK) {
conf_val(&val);
check_set(conf, txn, MOD_RRL, MOD_SLIP, id, id_len,
val.data, val.len);
}
conf_db_get(conf, txn, C_SRV, C_RATE_LIMIT_TBL_SIZE, NULL, 0, &val);
if (val.code == KNOT_EOK) {
conf_val(&val);
check_set(conf, txn, MOD_RRL, MOD_TBL_SIZE, id, id_len,
val.data, val.len);
}
conf_db_get(conf, txn, C_SRV, C_RATE_LIMIT_WHITELIST, NULL, 0, &val);
while (val.code == KNOT_EOK) {
conf_val(&val);
check_set(conf, txn, MOD_RRL, MOD_WHITELIST, id, id_len,
val.data, val.len);
conf_val_next(&val);
}
// Create default template and assing global module.
check_set(conf, txn, C_TPL, C_ID, id, id_len, NULL, 0);
check_set(conf, txn, C_TPL, C_GLOBAL_MODULE, id, id_len,
dflt_rrl, dflt_rrl_len);
}
// Drop old RRL configuration.
try_unset(conf, txn, C_SRV, C_RATE_LIMIT);
try_unset(conf, txn, C_SRV, C_RATE_LIMIT_SLIP);
try_unset(conf, txn, C_SRV, C_RATE_LIMIT_TBL_SIZE);
try_unset(conf, txn, C_SRV, C_RATE_LIMIT_WHITELIST);
return KNOT_EOK;
}
int conf_migrate(
conf_t *conf)
{
if (conf == NULL) {
return KNOT_EINVAL;
}
knot_db_txn_t txn;
int ret = conf->api->txn_begin(conf->db, &txn, 0);
if (ret != KNOT_EOK) {
return ret;
}
ret = migrate_rrl(conf, &txn);
if (ret != KNOT_EOK) {
conf->api->txn_abort(&txn);
return ret;
}
ret = conf->api->txn_commit(&txn);
if (ret != KNOT_EOK) {
return ret;
}
return conf_refresh_txn(conf);
}
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "knot/conf/base.h"
/*!
* Migrates from an old configuration schema.
*
* \param[in] conf Configuration.
*
* \return Error code, KNOT_EOK if success.
*/
int conf_migrate(
conf_t *conf
);
......@@ -23,12 +23,12 @@
#include "knot/conf/confio.h"
#include "knot/conf/tools.h"
#include "knot/common/log.h"
#include "knot/server/rrl.h"
#include "knot/updates/acl.h"
#include "libknot/rrtype/opt.h"
#include "dnssec/lib/dnssec/tsig.h"
#include "dnssec/lib/dnssec/key.h"
#include "knot/modules/rrl/rrl.h"
#include "knot/modules/stats/stats.h"
#include "knot/modules/synth_record/synth_record.h"
#include "knot/modules/dnsproxy/dnsproxy.h"
......@@ -122,13 +122,14 @@ static const yp_item_t desc_server[] = {
{ C_MAX_IPV6_UDP_PAYLOAD, YP_TINT, YP_VINT = { KNOT_EDNS_MIN_UDP_PAYLOAD,
KNOT_EDNS_MAX_UDP_PAYLOAD,
4096, YP_SSIZE } },
{ C_LISTEN, YP_TADDR, YP_VADDR = { 53 }, YP_FMULTI },
{ C_COMMENT, YP_TSTR, YP_VNONE },
/* Obsolete items. */
{ C_RATE_LIMIT, YP_TINT, YP_VINT = { 0, INT32_MAX, 0 } },
{ C_RATE_LIMIT_SLIP, YP_TINT, YP_VINT = { 0, RRL_SLIP_MAX, 1 } },
{ C_RATE_LIMIT_SLIP, YP_TINT, YP_VINT = { 0, 100, 1 } },
{ C_RATE_LIMIT_TBL_SIZE, YP_TINT, YP_VINT = { 1, INT32_MAX, 393241 } },
{ C_RATE_LIMIT_WHITELIST, YP_TDATA, YP_VDATA = { 0, NULL, addr_range_to_bin,
addr_range_to_txt }, YP_FMULTI },
{ C_LISTEN, YP_TADDR, YP_VADDR = { 53 }, YP_FMULTI },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......@@ -266,7 +267,7 @@ static const yp_item_t desc_zone[] = {
};
const yp_item_t conf_scheme[] = {
{ C_SRV, YP_TGRP, YP_VGRP = { desc_server }, CONF_IO_FRLD_SRV },
{ C_SRV, YP_TGRP, YP_VGRP = { desc_server }, CONF_IO_FRLD_SRV, { check_server } },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_LOG, YP_TGRP, YP_VGRP = { desc_log }, YP_FMULTI | CONF_IO_FRLD_LOG },
{ C_STATS, YP_TGRP, YP_VGRP = { desc_stats }, CONF_IO_FRLD_SRV },
......@@ -276,6 +277,8 @@ const yp_item_t conf_scheme[] = {
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI, { check_acl } },
{ C_RMT, YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI, { check_remote } },
<