2 Unix SMB/CIFS implementation.
6 Copyright (C) 2010 Kai Blin
7 Copyright (C) 2014 Stefan Metzmacher
8 Copyright (C) 2015 Andrew Bartlett
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/util/ntstatus.h"
26 #include "libcli/util/werror.h"
27 #include "librpc/ndr/libndr.h"
28 #include "librpc/gen_ndr/ndr_dns.h"
29 #include "librpc/gen_ndr/ndr_dnsp.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "dsdb/common/util.h"
33 #include "dns_server/dnsserver_common.h"
34 #include "lib/util/dlinklist.h"
37 #define DBGC_CLASS DBGC_DNS
39 uint8_t werr_to_dns_err(WERROR werr)
41 if (W_ERROR_EQUAL(WERR_OK, werr)) {
43 } else if (W_ERROR_EQUAL(DNS_ERR(FORMAT_ERROR), werr)) {
44 return DNS_RCODE_FORMERR;
45 } else if (W_ERROR_EQUAL(DNS_ERR(SERVER_FAILURE), werr)) {
46 return DNS_RCODE_SERVFAIL;
47 } else if (W_ERROR_EQUAL(DNS_ERR(NAME_ERROR), werr)) {
48 return DNS_RCODE_NXDOMAIN;
49 } else if (W_ERROR_EQUAL(WERR_DNS_ERROR_NAME_DOES_NOT_EXIST, werr)) {
50 return DNS_RCODE_NXDOMAIN;
51 } else if (W_ERROR_EQUAL(DNS_ERR(NOT_IMPLEMENTED), werr)) {
52 return DNS_RCODE_NOTIMP;
53 } else if (W_ERROR_EQUAL(DNS_ERR(REFUSED), werr)) {
54 return DNS_RCODE_REFUSED;
55 } else if (W_ERROR_EQUAL(DNS_ERR(YXDOMAIN), werr)) {
56 return DNS_RCODE_YXDOMAIN;
57 } else if (W_ERROR_EQUAL(DNS_ERR(YXRRSET), werr)) {
58 return DNS_RCODE_YXRRSET;
59 } else if (W_ERROR_EQUAL(DNS_ERR(NXRRSET), werr)) {
60 return DNS_RCODE_NXRRSET;
61 } else if (W_ERROR_EQUAL(DNS_ERR(NOTAUTH), werr)) {
62 return DNS_RCODE_NOTAUTH;
63 } else if (W_ERROR_EQUAL(DNS_ERR(NOTZONE), werr)) {
64 return DNS_RCODE_NOTZONE;
65 } else if (W_ERROR_EQUAL(DNS_ERR(BADKEY), werr)) {
66 return DNS_RCODE_BADKEY;
68 DEBUG(5, ("No mapping exists for %s\n", win_errstr(werr)));
69 return DNS_RCODE_SERVFAIL;
72 WERROR dns_common_extract(struct ldb_context *samdb,
73 const struct ldb_message_element *el,
75 struct dnsp_DnssrvRpcRecord **records,
76 uint16_t *num_records)
79 struct dnsp_DnssrvRpcRecord *recs;
84 recs = talloc_zero_array(mem_ctx, struct dnsp_DnssrvRpcRecord,
87 return WERR_NOT_ENOUGH_MEMORY;
89 for (ri = 0; ri < el->num_values; ri++) {
92 const char *dnsHostName = NULL;
93 struct ldb_val *v = &el->values[ri];
94 enum ndr_err_code ndr_err;
95 ndr_err = ndr_pull_struct_blob(v, recs, &recs[ri],
96 (ndr_pull_flags_fn_t)ndr_pull_dnsp_DnssrvRpcRecord);
97 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
99 DEBUG(0, ("Failed to grab dnsp_DnssrvRpcRecord\n"));
100 return DNS_ERR(SERVER_FAILURE);
104 * In AD, except on an RODC (where we should list a random RWDC,
105 * we should over-stamp the MNAME with our own hostname
107 if (recs[ri].wType != DNS_TYPE_SOA) {
111 ret = samdb_rodc(samdb, &am_rodc);
112 if (ret != LDB_SUCCESS) {
113 DEBUG(0, ("Failed to confirm we are not an RODC: %s\n",
114 ldb_errstring(samdb)));
115 return DNS_ERR(SERVER_FAILURE);
122 ret = samdb_dns_host_name(samdb, &dnsHostName);
123 if (ret != LDB_SUCCESS || dnsHostName == NULL) {
124 DEBUG(0, ("Failed to get dnsHostName from rootDSE"));
125 return DNS_ERR(SERVER_FAILURE);
128 recs[ri].data.soa.mname = talloc_strdup(recs, dnsHostName);
132 *num_records = el->num_values;
136 WERROR dns_common_lookup(struct ldb_context *samdb,
139 struct dnsp_DnssrvRpcRecord **records,
140 uint16_t *num_records,
143 static const char * const attrs[] = {
150 struct ldb_message *msg = NULL;
151 struct ldb_message_element *el;
156 if (tombstoned != NULL) {
158 ret = dsdb_search_one(samdb, mem_ctx, &msg, dn,
159 LDB_SCOPE_BASE, attrs, 0,
160 "(objectClass=dnsNode)");
162 ret = dsdb_search_one(samdb, mem_ctx, &msg, dn,
163 LDB_SCOPE_BASE, attrs, 0,
164 "(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))");
166 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
167 return WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
169 if (ret != LDB_SUCCESS) {
170 /* TODO: we need to check if there's a glue record we need to
171 * create a referral to */
172 return DNS_ERR(NAME_ERROR);
175 if (tombstoned != NULL) {
176 *tombstoned = ldb_msg_find_attr_as_bool(msg,
177 "dNSTombstoned", false);
180 el = ldb_msg_find_element(msg, "dnsRecord");
184 * records produced by older Samba releases
185 * keep dnsNode objects without dnsRecord and
186 * without setting dNSTombstoned=TRUE.
188 * We just pretend they're tombstones.
190 if (tombstoned != NULL) {
191 struct dnsp_DnssrvRpcRecord *recs;
192 recs = talloc_array(mem_ctx,
193 struct dnsp_DnssrvRpcRecord,
196 return WERR_NOT_ENOUGH_MEMORY;
198 recs[0] = (struct dnsp_DnssrvRpcRecord) {
199 .wType = DNS_TYPE_TOMBSTONE,
201 * A value of timestamp != 0
202 * indicated that the object was already
203 * a tombstone, this will be used
204 * in dns_common_replace()
215 * Because we are not looking for a tombstone
216 * in this codepath, we just pretend it does
219 return WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
223 werr = dns_common_extract(samdb, el, mem_ctx, records, num_records);
225 if (!W_ERROR_IS_OK(werr)) {
232 static int rec_cmp(const struct dnsp_DnssrvRpcRecord *r1,
233 const struct dnsp_DnssrvRpcRecord *r2)
235 if (r1->wType != r2->wType) {
237 * The records are sorted with higher types first
239 return r2->wType - r1->wType;
243 * Then we need to sort from the oldest to newest timestamp
245 return r1->dwTimeStamp - r2->dwTimeStamp;
249 * Check for valid DNS names. These are names which:
251 * - do not start with a dot
252 * - do not have any empty labels
253 * - have no more than 127 labels
254 * - are no longer than 253 characters
255 * - none of the labels exceed 63 characters
257 WERROR dns_name_check(TALLOC_CTX *mem_ctx, size_t len, const char *name)
260 unsigned int labels = 0;
261 unsigned int label_len = 0;
264 return WERR_DS_INVALID_DN_SYNTAX;
267 if (len > 1 && name[0] == '.') {
268 return WERR_DS_INVALID_DN_SYNTAX;
271 if ((len - 1) > DNS_MAX_DOMAIN_LENGTH) {
272 return WERR_DS_INVALID_DN_SYNTAX;
275 for (i = 0; i < len - 1; i++) {
276 if (name[i] == '.' && name[i+1] == '.') {
277 return WERR_DS_INVALID_DN_SYNTAX;
279 if (name[i] == '.') {
281 if (labels > DNS_MAX_LABELS) {
282 return WERR_DS_INVALID_DN_SYNTAX;
287 if (label_len > DNS_MAX_LABEL_LENGTH) {
288 return WERR_DS_INVALID_DN_SYNTAX;
296 static WERROR check_name_list(TALLOC_CTX *mem_ctx, uint16_t rec_count,
297 struct dnsp_DnssrvRpcRecord *records)
302 struct dnsp_DnssrvRpcRecord record;
305 for (i = 0; i < rec_count; i++) {
308 switch (record.wType) {
311 len = strlen(record.data.ns);
312 werr = dns_name_check(mem_ctx, len, record.data.ns);
315 len = strlen(record.data.cname);
316 werr = dns_name_check(mem_ctx, len, record.data.cname);
319 len = strlen(record.data.soa.mname);
320 werr = dns_name_check(mem_ctx, len, record.data.soa.mname);
321 if (!W_ERROR_IS_OK(werr)) {
324 len = strlen(record.data.soa.rname);
325 werr = dns_name_check(mem_ctx, len, record.data.soa.rname);
328 len = strlen(record.data.ptr);
329 werr = dns_name_check(mem_ctx, len, record.data.ptr);
332 len = strlen(record.data.mx.nameTarget);
333 werr = dns_name_check(mem_ctx, len, record.data.mx.nameTarget);
336 len = strlen(record.data.srv.nameTarget);
337 werr = dns_name_check(mem_ctx, len,
338 record.data.srv.nameTarget);
341 * In the default case, the record doesn't have a DN, so it
348 if (!W_ERROR_IS_OK(werr)) {
356 WERROR dns_common_replace(struct ldb_context *samdb,
361 struct dnsp_DnssrvRpcRecord *records,
364 struct ldb_message_element *el;
368 struct ldb_message *msg = NULL;
369 bool was_tombstoned = false;
370 bool become_tombstoned = false;
372 msg = ldb_msg_new(mem_ctx);
373 W_ERROR_HAVE_NO_MEMORY(msg);
377 werr = check_name_list(mem_ctx, rec_count, records);
378 if (!W_ERROR_IS_OK(werr)) {
382 ret = ldb_msg_add_empty(msg, "dnsRecord", LDB_FLAG_MOD_REPLACE, &el);
383 if (ret != LDB_SUCCESS) {
384 return DNS_ERR(SERVER_FAILURE);
388 * we have at least one value,
389 * which might be used for the tombstone marker
391 el->values = talloc_zero_array(el, struct ldb_val, MAX(1, rec_count));
393 W_ERROR_HAVE_NO_MEMORY(el->values);
396 * We store a sorted list with the high wType values first
397 * that's what windows does. It also simplifies the
398 * filtering of DNS_TYPE_TOMBSTONE records
400 TYPESAFE_QSORT(records, rec_count, rec_cmp);
403 for (i = 0; i < rec_count; i++) {
404 struct ldb_val *v = &el->values[el->num_values];
405 enum ndr_err_code ndr_err;
407 if (records[i].wType == DNS_TYPE_TOMBSTONE) {
408 if (records[i].data.timestamp != 0) {
409 was_tombstoned = true;
414 records[i].dwSerial = serial;
415 ndr_err = ndr_push_struct_blob(v, el->values, &records[i],
416 (ndr_push_flags_fn_t)ndr_push_dnsp_DnssrvRpcRecord);
417 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
418 DEBUG(0, ("Failed to push dnsp_DnssrvRpcRecord\n"));
419 return DNS_ERR(SERVER_FAILURE);
425 if (el->num_values == 0) {
429 ret = ldb_msg_add_string(msg, "objectClass", "dnsNode");
430 if (ret != LDB_SUCCESS) {
431 return DNS_ERR(SERVER_FAILURE);
434 ret = ldb_add(samdb, msg);
435 if (ret != LDB_SUCCESS) {
436 return DNS_ERR(SERVER_FAILURE);
442 if (el->num_values == 0) {
443 struct dnsp_DnssrvRpcRecord tbs;
444 struct ldb_val *v = &el->values[el->num_values];
445 enum ndr_err_code ndr_err;
448 if (was_tombstoned) {
450 * This is already a tombstoned object.
451 * Just leave it instead of updating the time stamp.
456 tv = timeval_current();
457 tbs = (struct dnsp_DnssrvRpcRecord) {
458 .wType = DNS_TYPE_TOMBSTONE,
460 .data.timestamp = timeval_to_nttime(&tv),
463 ndr_err = ndr_push_struct_blob(v, el->values, &tbs,
464 (ndr_push_flags_fn_t)ndr_push_dnsp_DnssrvRpcRecord);
465 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
466 DEBUG(0, ("Failed to push dnsp_DnssrvRpcRecord\n"));
467 return DNS_ERR(SERVER_FAILURE);
471 become_tombstoned = true;
474 if (was_tombstoned || become_tombstoned) {
475 ret = ldb_msg_add_empty(msg, "dNSTombstoned",
476 LDB_FLAG_MOD_REPLACE, NULL);
477 if (ret != LDB_SUCCESS) {
478 return DNS_ERR(SERVER_FAILURE);
481 ret = ldb_msg_add_fmt(msg, "dNSTombstoned", "%s",
482 become_tombstoned ? "TRUE" : "FALSE");
483 if (ret != LDB_SUCCESS) {
484 return DNS_ERR(SERVER_FAILURE);
488 ret = ldb_modify(samdb, msg);
489 if (ret != LDB_SUCCESS) {
490 NTSTATUS nt = dsdb_ldb_err_to_ntstatus(ret);
491 return ntstatus_to_werror(nt);
497 bool dns_name_match(const char *zone, const char *name, size_t *host_part_len)
499 size_t zl = strlen(zone);
500 size_t nl = strlen(name);
502 static const size_t fixup = 'a' - 'A';
508 for (zi = zl, ni = nl; zi >= 0; zi--, ni--) {
512 /* convert to lower case */
513 if (zc >= 'A' && zc <= 'Z') {
516 if (nc >= 'A' && nc <= 'Z') {
526 if (name[ni] != '.') {
533 *host_part_len = ni+1;
538 WERROR dns_common_name2dn(struct ldb_context *samdb,
539 struct dns_server_zone *zones,
546 const struct dns_server_zone *z;
547 size_t host_part_len = 0;
551 return DNS_ERR(FORMAT_ERROR);
554 if (strcmp(name, "") == 0) {
555 base = ldb_get_default_basedn(samdb);
556 dn = ldb_dn_copy(mem_ctx, base);
557 ldb_dn_add_child_fmt(dn, "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System");
562 /* Check non-empty names */
563 werr = dns_name_check(mem_ctx, strlen(name), name);
564 if (!W_ERROR_IS_OK(werr)) {
568 for (z = zones; z != NULL; z = z->next) {
571 match = dns_name_match(z->name, name, &host_part_len);
578 return DNS_ERR(NAME_ERROR);
581 if (host_part_len == 0) {
582 dn = ldb_dn_copy(mem_ctx, z->dn);
583 ldb_dn_add_child_fmt(dn, "DC=@");
588 dn = ldb_dn_copy(mem_ctx, z->dn);
589 ldb_dn_add_child_fmt(dn, "DC=%*.*s", (int)host_part_len, (int)host_part_len, name);
594 static int dns_common_sort_zones(struct ldb_message **m1, struct ldb_message **m2)
599 n1 = ldb_msg_find_attr_as_string(*m1, "name", NULL);
600 n2 = ldb_msg_find_attr_as_string(*m2, "name", NULL);
605 /* If the string lengths are not equal just sort by length */
607 /* If m1 is the larger zone name, return it first */
611 /*TODO: We need to compare DNs here, we want the DomainDNSZones first */
615 NTSTATUS dns_common_zones(struct ldb_context *samdb,
617 struct ldb_dn *base_dn,
618 struct dns_server_zone **zones_ret)
621 static const char * const attrs[] = { "name", NULL};
622 struct ldb_result *res;
624 struct dns_server_zone *new_list = NULL;
625 TALLOC_CTX *frame = talloc_stackframe();
628 /* This search will work against windows */
629 ret = dsdb_search(samdb, frame, &res,
630 base_dn, LDB_SCOPE_SUBTREE,
631 attrs, 0, "(objectClass=dnsZone)");
633 /* TODO: this search does not work against windows */
634 ret = dsdb_search(samdb, frame, &res, NULL,
637 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
638 "(objectClass=dnsZone)");
640 if (ret != LDB_SUCCESS) {
642 return NT_STATUS_INTERNAL_DB_CORRUPTION;
645 TYPESAFE_QSORT(res->msgs, res->count, dns_common_sort_zones);
647 for (i=0; i < res->count; i++) {
648 struct dns_server_zone *z;
650 z = talloc_zero(mem_ctx, struct dns_server_zone);
653 return NT_STATUS_NO_MEMORY;
656 z->name = ldb_msg_find_attr_as_string(res->msgs[i], "name", NULL);
657 talloc_steal(z, z->name);
658 z->dn = talloc_move(z, &res->msgs[i]->dn);
660 * Ignore the RootDNSServers zone and zones that we don't support yet
661 * RootDNSServers should never be returned (Windows DNS server don't)
662 * ..TrustAnchors should never be returned as is, (Windows returns
663 * TrustAnchors) and for the moment we don't support DNSSEC so we'd better
664 * not return this zone.
666 if ((strcmp(z->name, "RootDNSServers") == 0) ||
667 (strcmp(z->name, "..TrustAnchors") == 0))
669 DEBUG(10, ("Ignoring zone %s\n", z->name));
673 DLIST_ADD_END(new_list, z);
676 *zones_ret = new_list;