2 Unix SMB/CIFS implementation.
4 DNS server handler for update requests
6 Copyright (C) 2010 Kai Blin <kai@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/util/ntstatus.h"
24 #include "librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/ndr_dns.h"
26 #include "librpc/gen_ndr/ndr_dnsp.h"
28 #include "param/param.h"
29 #include "param/loadparm.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "dsdb/common/util.h"
32 #include "smbd/service_task.h"
33 #include "dns_server/dns_server.h"
34 #include "auth/auth.h"
37 #define DBGC_CLASS DBGC_DNS
39 static WERROR dns_rr_to_dnsp(TALLOC_CTX *mem_ctx,
40 const struct dns_res_rec *rrec,
41 struct dnsp_DnssrvRpcRecord *r);
43 static WERROR check_one_prerequisite(struct dns_server *dns,
45 const struct dns_name_question *zone,
46 const struct dns_res_rec *pr,
54 struct dnsp_DnssrvRpcRecord *rec = NULL;
55 struct dnsp_DnssrvRpcRecord *ans;
58 size_t host_part_len = 0;
63 return DNS_ERR(FORMAT_ERROR);
66 match = dns_name_match(zone->name, pr->name, &host_part_len);
68 return DNS_ERR(NOTZONE);
71 werror = dns_name2dn(dns, mem_ctx, pr->name, &dn);
72 W_ERROR_NOT_OK_RETURN(werror);
74 if (pr->rr_class == DNS_QCLASS_ANY) {
76 if (pr->length != 0) {
77 return DNS_ERR(FORMAT_ERROR);
81 if (pr->rr_type == DNS_QTYPE_ALL) {
84 werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount);
85 W_ERROR_NOT_OK_RETURN(werror);
88 return DNS_ERR(NAME_ERROR);
93 werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount);
94 if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) {
95 return DNS_ERR(NXRRSET);
97 W_ERROR_NOT_OK_RETURN(werror);
99 for (i = 0; i < acount; i++) {
100 if (ans[i].wType == pr->rr_type) {
106 return DNS_ERR(NXRRSET);
111 * RFC2136 3.2.5 doesn't actually mention the need to return
112 * OK here, but otherwise we'd always return a FORMAT_ERROR
113 * later on. This also matches Microsoft DNS behavior.
118 if (pr->rr_class == DNS_QCLASS_NONE) {
119 if (pr->length != 0) {
120 return DNS_ERR(FORMAT_ERROR);
123 if (pr->rr_type == DNS_QTYPE_ALL) {
126 werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount);
127 if (W_ERROR_EQUAL(werror, WERR_OK)) {
128 return DNS_ERR(YXDOMAIN);
133 werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount);
134 if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) {
140 for (i = 0; i < acount; i++) {
141 if (ans[i].wType == pr->rr_type) {
147 return DNS_ERR(YXRRSET);
152 * RFC2136 3.2.5 doesn't actually mention the need to return
153 * OK here, but otherwise we'd always return a FORMAT_ERROR
154 * later on. This also matches Microsoft DNS behavior.
159 if (pr->rr_class != zone->question_class) {
160 return DNS_ERR(FORMAT_ERROR);
163 *final_result = false;
165 werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount);
166 if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) {
167 return DNS_ERR(NXRRSET);
169 W_ERROR_NOT_OK_RETURN(werror);
171 rec = talloc_zero(mem_ctx, struct dnsp_DnssrvRpcRecord);
172 W_ERROR_HAVE_NO_MEMORY(rec);
174 werror = dns_rr_to_dnsp(rec, pr, rec);
175 W_ERROR_NOT_OK_RETURN(werror);
177 for (i = 0; i < acount; i++) {
178 if (dns_records_match(rec, &ans[i])) {
185 return DNS_ERR(NXRRSET);
191 static WERROR check_prerequisites(struct dns_server *dns,
193 const struct dns_name_question *zone,
194 const struct dns_res_rec *prereqs, uint16_t count)
197 WERROR final_error = WERR_OK;
199 for (i = 0; i < count; i++) {
203 werror = check_one_prerequisite(dns, mem_ctx, zone,
204 &prereqs[i], &final);
205 if (!W_ERROR_IS_OK(werror)) {
209 if (W_ERROR_IS_OK(final_error)) {
210 final_error = werror;
215 if (!W_ERROR_IS_OK(final_error)) {
222 static WERROR update_prescan(const struct dns_name_question *zone,
223 const struct dns_res_rec *updates, uint16_t count)
225 const struct dns_res_rec *r;
227 size_t host_part_len;
230 for (i = 0; i < count; i++) {
232 match = dns_name_match(zone->name, r->name, &host_part_len);
234 return DNS_ERR(NOTZONE);
236 if (zone->question_class == r->rr_class) {
237 if (r->rr_type == DNS_QTYPE_ALL) {
238 return DNS_ERR(FORMAT_ERROR);
240 if (r->rr_type == DNS_QTYPE_AXFR) {
241 return DNS_ERR(FORMAT_ERROR);
243 if (r->rr_type == DNS_QTYPE_MAILB) {
244 return DNS_ERR(FORMAT_ERROR);
246 if (r->rr_type == DNS_QTYPE_MAILA) {
247 return DNS_ERR(FORMAT_ERROR);
249 } else if (r->rr_class == DNS_QCLASS_ANY) {
251 return DNS_ERR(FORMAT_ERROR);
253 if (r->length != 0) {
254 return DNS_ERR(FORMAT_ERROR);
256 if (r->rr_type == DNS_QTYPE_AXFR) {
257 return DNS_ERR(FORMAT_ERROR);
259 if (r->rr_type == DNS_QTYPE_MAILB) {
260 return DNS_ERR(FORMAT_ERROR);
262 if (r->rr_type == DNS_QTYPE_MAILA) {
263 return DNS_ERR(FORMAT_ERROR);
265 } else if (r->rr_class == DNS_QCLASS_NONE) {
267 return DNS_ERR(FORMAT_ERROR);
269 if (r->rr_type == DNS_QTYPE_ALL) {
270 return DNS_ERR(FORMAT_ERROR);
272 if (r->rr_type == DNS_QTYPE_AXFR) {
273 return DNS_ERR(FORMAT_ERROR);
275 if (r->rr_type == DNS_QTYPE_MAILB) {
276 return DNS_ERR(FORMAT_ERROR);
278 if (r->rr_type == DNS_QTYPE_MAILA) {
279 return DNS_ERR(FORMAT_ERROR);
282 return DNS_ERR(FORMAT_ERROR);
288 static WERROR dns_rr_to_dnsp(TALLOC_CTX *mem_ctx,
289 const struct dns_res_rec *rrec,
290 struct dnsp_DnssrvRpcRecord *r)
293 char *txt_record_txt;
294 char *saveptr = NULL;
296 if (rrec->rr_type == DNS_QTYPE_ALL) {
297 return DNS_ERR(FORMAT_ERROR);
302 r->wType = rrec->rr_type;
303 r->dwTtlSeconds = rrec->ttl;
304 r->rank = DNS_RANK_ZONE;
305 /* TODO: Autogenerate this somehow */
308 /* If we get QCLASS_ANY, we're done here */
309 if (rrec->rr_class == DNS_QCLASS_ANY) {
313 switch(rrec->rr_type) {
315 r->data.ipv4 = talloc_strdup(mem_ctx, rrec->rdata.ipv4_record);
316 W_ERROR_HAVE_NO_MEMORY(r->data.ipv4);
319 r->data.ipv6 = talloc_strdup(mem_ctx, rrec->rdata.ipv6_record);
320 W_ERROR_HAVE_NO_MEMORY(r->data.ipv6);
323 r->data.ns = talloc_strdup(mem_ctx, rrec->rdata.ns_record);
324 W_ERROR_HAVE_NO_MEMORY(r->data.ns);
326 case DNS_QTYPE_CNAME:
327 r->data.cname = talloc_strdup(mem_ctx, rrec->rdata.cname_record);
328 W_ERROR_HAVE_NO_MEMORY(r->data.cname);
331 r->data.srv.wPriority = rrec->rdata.srv_record.priority;
332 r->data.srv.wWeight = rrec->rdata.srv_record.weight;
333 r->data.srv.wPort = rrec->rdata.srv_record.port;
334 r->data.srv.nameTarget = talloc_strdup(mem_ctx,
335 rrec->rdata.srv_record.target);
336 W_ERROR_HAVE_NO_MEMORY(r->data.srv.nameTarget);
339 r->data.ptr = talloc_strdup(mem_ctx, rrec->rdata.ptr_record);
340 W_ERROR_HAVE_NO_MEMORY(r->data.ptr);
343 r->data.mx.wPriority = rrec->rdata.mx_record.preference;
344 r->data.mx.nameTarget = talloc_strdup(mem_ctx,
345 rrec->rdata.mx_record.exchange);
346 W_ERROR_HAVE_NO_MEMORY(r->data.mx.nameTarget);
349 r->data.txt.count = 0;
350 r->data.txt.str = talloc_array(mem_ctx, const char *,
352 W_ERROR_HAVE_NO_MEMORY(r->data.txt.str);
354 txt_record_txt = talloc_strdup(r->data.txt.str,
355 rrec->rdata.txt_record.txt);
356 W_ERROR_HAVE_NO_MEMORY(txt_record_txt);
358 tmp = strtok_r(txt_record_txt, "\"", &saveptr);
360 if (strcmp(tmp, " ") == 0) {
361 tmp = strtok_r(NULL, "\"", &saveptr);
364 r->data.txt.str = talloc_realloc(mem_ctx, r->data.txt.str, const char *,
365 r->data.txt.count+1);
366 r->data.txt.str[r->data.txt.count] = talloc_strdup(r->data.txt.str, tmp);
367 W_ERROR_HAVE_NO_MEMORY(r->data.txt.str[r->data.txt.count]);
370 tmp = strtok_r(NULL, "\"", &saveptr);
375 DEBUG(0, ("Got a qytpe of %d\n", rrec->rr_type));
376 return DNS_ERR(NOT_IMPLEMENTED);
385 static WERROR handle_one_update(struct dns_server *dns,
387 const struct dns_name_question *zone,
388 const struct dns_res_rec *update,
389 const struct dns_server_tkey *tkey)
391 struct dnsp_DnssrvRpcRecord *recs = NULL;
396 bool needs_add = false;
398 DEBUG(2, ("Looking at record: \n"));
400 NDR_PRINT_DEBUG(dns_res_rec, discard_const(update));
403 switch (update->rr_type) {
406 case DNS_QTYPE_CNAME:
415 DEBUG(0, ("Can't handle updates of type %u yet\n",
417 return DNS_ERR(NOT_IMPLEMENTED);
420 werror = dns_name2dn(dns, mem_ctx, update->name, &dn);
421 W_ERROR_NOT_OK_RETURN(werror);
423 werror = dns_lookup_records(dns, mem_ctx, dn, &recs, &rcount);
424 if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) {
430 W_ERROR_NOT_OK_RETURN(werror);
432 if (update->rr_class == zone->question_class) {
433 if (update->rr_type == DNS_QTYPE_CNAME) {
435 * If there is a record in the directory
436 * that's not a CNAME, ignore update
438 for (i = 0; i < rcount; i++) {
439 if (recs[i].wType != DNS_TYPE_CNAME) {
440 DEBUG(5, ("Skipping update\n"));
447 * There should be no entries besides one CNAME record
448 * per name, so replace everything with the new CNAME
452 recs = talloc_realloc(mem_ctx, recs,
453 struct dnsp_DnssrvRpcRecord, rcount);
454 W_ERROR_HAVE_NO_MEMORY(recs);
456 werror = dns_rr_to_dnsp(recs, update, &recs[0]);
457 W_ERROR_NOT_OK_RETURN(werror);
459 werror = dns_replace_records(dns, mem_ctx, dn,
460 needs_add, recs, rcount);
461 W_ERROR_NOT_OK_RETURN(werror);
466 * If there is a CNAME record for this name,
469 for (i = 0; i < rcount; i++) {
470 if (recs[i].wType == DNS_TYPE_CNAME) {
471 DEBUG(5, ("Skipping update\n"));
476 if (update->rr_type == DNS_QTYPE_SOA) {
480 * If the zone has no SOA record?? or update's
481 * serial number is smaller than existing SOA's,
484 for (i = 0; i < rcount; i++) {
485 if (recs[i].wType == DNS_TYPE_SOA) {
488 n = update->rdata.soa_record.serial;
489 o = recs[i].data.soa.serial;
491 * TODO: Implement RFC 1982 comparison
495 DEBUG(5, ("Skipping update\n"));
503 DEBUG(5, ("Skipping update\n"));
507 werror = dns_rr_to_dnsp(mem_ctx, update, &recs[i]);
508 W_ERROR_NOT_OK_RETURN(werror);
510 for (i++; i < rcount; i++) {
511 if (recs[i].wType != DNS_TYPE_SOA) {
515 ZERO_STRUCT(recs[i]);
518 werror = dns_replace_records(dns, mem_ctx, dn,
519 needs_add, recs, rcount);
520 W_ERROR_NOT_OK_RETURN(werror);
525 recs = talloc_realloc(mem_ctx, recs,
526 struct dnsp_DnssrvRpcRecord, rcount+1);
527 W_ERROR_HAVE_NO_MEMORY(recs);
529 werror = dns_rr_to_dnsp(recs, update, &recs[rcount]);
530 W_ERROR_NOT_OK_RETURN(werror);
532 for (i = 0; i < rcount; i++) {
533 if (!dns_records_match(&recs[i], &recs[rcount])) {
537 recs[i] = recs[rcount];
539 werror = dns_replace_records(dns, mem_ctx, dn,
540 needs_add, recs, rcount);
541 W_ERROR_NOT_OK_RETURN(werror);
546 werror = dns_replace_records(dns, mem_ctx, dn,
547 needs_add, recs, rcount+1);
548 W_ERROR_NOT_OK_RETURN(werror);
551 } else if (update->rr_class == DNS_QCLASS_ANY) {
552 if (update->rr_type == DNS_QTYPE_ALL) {
553 if (dns_name_equal(update->name, zone->name)) {
554 for (i = 0; i < rcount; i++) {
556 if (recs[i].wType == DNS_TYPE_SOA) {
560 if (recs[i].wType == DNS_TYPE_NS) {
564 ZERO_STRUCT(recs[i]);
568 for (i = 0; i < rcount; i++) {
569 ZERO_STRUCT(recs[i]);
573 } else if (dns_name_equal(update->name, zone->name)) {
575 if (update->rr_type == DNS_QTYPE_SOA) {
579 if (update->rr_type == DNS_QTYPE_NS) {
583 for (i = 0; i < rcount; i++) {
584 if (recs[i].wType == update->rr_type) {
585 ZERO_STRUCT(recs[i]);
589 werror = dns_replace_records(dns, mem_ctx, dn,
590 needs_add, recs, rcount);
591 W_ERROR_NOT_OK_RETURN(werror);
594 } else if (update->rr_class == DNS_QCLASS_NONE) {
595 struct dnsp_DnssrvRpcRecord *del_rec;
597 if (update->rr_type == DNS_QTYPE_SOA) {
600 if (update->rr_type == DNS_QTYPE_NS) {
602 struct dnsp_DnssrvRpcRecord *ns_rec = talloc(mem_ctx,
603 struct dnsp_DnssrvRpcRecord);
604 W_ERROR_HAVE_NO_MEMORY(ns_rec);
607 werror = dns_rr_to_dnsp(ns_rec, update, ns_rec);
608 W_ERROR_NOT_OK_RETURN(werror);
610 for (i = 0; i < rcount; i++) {
611 if (dns_records_match(ns_rec, &recs[i])) {
621 del_rec = talloc(mem_ctx, struct dnsp_DnssrvRpcRecord);
622 W_ERROR_HAVE_NO_MEMORY(del_rec);
624 werror = dns_rr_to_dnsp(del_rec, update, del_rec);
625 W_ERROR_NOT_OK_RETURN(werror);
627 for (i = 0; i < rcount; i++) {
628 if (dns_records_match(del_rec, &recs[i])) {
629 ZERO_STRUCT(recs[i]);
633 werror = dns_replace_records(dns, mem_ctx, dn,
634 needs_add, recs, rcount);
635 W_ERROR_NOT_OK_RETURN(werror);
641 static WERROR handle_updates(struct dns_server *dns,
643 const struct dns_name_question *zone,
644 const struct dns_res_rec *prereqs, uint16_t pcount,
645 struct dns_res_rec *updates, uint16_t upd_count,
646 struct dns_server_tkey *tkey)
648 struct ldb_dn *zone_dn = NULL;
649 WERROR werror = WERR_OK;
652 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
655 ret = ldb_set_opaque(dns->samdb, "sessionInfo", tkey->session_info);
656 if (ret != LDB_SUCCESS) {
657 DEBUG(1, ("unable to set session info\n"));
658 werror = DNS_ERR(SERVER_FAILURE);
663 werror = dns_name2dn(dns, tmp_ctx, zone->name, &zone_dn);
664 W_ERROR_NOT_OK_GOTO(werror, failed);
666 ret = ldb_transaction_start(dns->samdb);
667 if (ret != LDB_SUCCESS) {
668 werror = DNS_ERR(SERVER_FAILURE);
672 werror = check_prerequisites(dns, tmp_ctx, zone, prereqs, pcount);
673 W_ERROR_NOT_OK_GOTO(werror, failed);
675 DEBUG(1, ("update count is %u\n", upd_count));
677 for (ri = 0; ri < upd_count; ri++) {
678 werror = handle_one_update(dns, tmp_ctx, zone,
680 W_ERROR_NOT_OK_GOTO(werror, failed);
683 ldb_transaction_commit(dns->samdb);
684 TALLOC_FREE(tmp_ctx);
687 ldb_set_opaque(dns->samdb, "sessionInfo",
688 system_session(dns->task->lp_ctx));
694 ldb_transaction_cancel(dns->samdb);
697 ldb_set_opaque(dns->samdb, "sessionInfo",
698 system_session(dns->task->lp_ctx));
701 TALLOC_FREE(tmp_ctx);
706 static WERROR dns_update_allowed(struct dns_server *dns,
707 struct dns_request_state *state,
708 struct dns_server_tkey **tkey)
710 if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_ON) {
711 DEBUG(2, ("All updates allowed.\n"));
715 if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_OFF) {
716 DEBUG(2, ("Updates disabled.\n"));
717 return DNS_ERR(REFUSED);
720 if (state->authenticated == false ) {
721 DEBUG(2, ("Update not allowed for unsigned packet.\n"));
722 return DNS_ERR(REFUSED);
725 *tkey = dns_find_tkey(dns->tkeys, state->key_name);
727 DEBUG(0, ("Authenticated, but key not found. Something is wrong.\n"));
728 return DNS_ERR(REFUSED);
735 WERROR dns_server_process_update(struct dns_server *dns,
736 struct dns_request_state *state,
738 struct dns_name_packet *in,
739 struct dns_res_rec **prereqs, uint16_t *prereq_count,
740 struct dns_res_rec **updates, uint16_t *update_count,
741 struct dns_res_rec **additional, uint16_t *arcount)
743 struct dns_name_question *zone;
744 const struct dns_server_zone *z;
745 size_t host_part_len = 0;
746 WERROR werror = DNS_ERR(NOT_IMPLEMENTED);
747 struct dns_server_tkey *tkey = NULL;
749 if (in->qdcount != 1) {
750 return DNS_ERR(FORMAT_ERROR);
753 zone = &in->questions[0];
755 if (zone->question_class != DNS_QCLASS_IN &&
756 zone->question_class != DNS_QCLASS_ANY) {
757 return DNS_ERR(NOT_IMPLEMENTED);
760 if (zone->question_type != DNS_QTYPE_SOA) {
761 return DNS_ERR(FORMAT_ERROR);
764 DEBUG(2, ("Got a dns update request.\n"));
766 for (z = dns->zones; z != NULL; z = z->next) {
769 match = dns_name_match(z->name, zone->name, &host_part_len);
776 DEBUG(1, ("We're not authoritative for this zone\n"));
777 return DNS_ERR(NOTAUTH);
780 if (host_part_len != 0) {
781 /* TODO: We need to delegate this one */
782 DEBUG(1, ("Would have to delegate zone '%s'.\n", zone->name));
783 return DNS_ERR(NOT_IMPLEMENTED);
786 *prereq_count = in->ancount;
787 *prereqs = in->answers;
788 werror = check_prerequisites(dns, mem_ctx, in->questions, *prereqs,
790 W_ERROR_NOT_OK_RETURN(werror);
792 werror = dns_update_allowed(dns, state, &tkey);
793 if (!W_ERROR_IS_OK(werror)) {
797 *update_count = in->nscount;
798 *updates = in->nsrecs;
799 werror = update_prescan(in->questions, *updates, *update_count);
800 W_ERROR_NOT_OK_RETURN(werror);
802 werror = handle_updates(dns, mem_ctx, in->questions, *prereqs,
803 *prereq_count, *updates, *update_count, tkey);
804 W_ERROR_NOT_OK_RETURN(werror);
git.samba.org / sfrench / samba-autobuild / .git / blob