Skip to content
Snippets Groups Projects

DDNS: allowed deleting non-apex DNSKEY and NSEC3PARAM records

Merged DDNS: allowed deleting non-apex DNSKEY and NSEC3PARAM records
ddns_check into master
Merged Libor Peltan requested to merge ddns_check into master
Compare
and
2 files
+ 35
5
Compare changes
  • Side-by-side
  • Inline
Files
2
src/knot/updates/ddns.c
+ 25
5
@@ -174,6 +174,24 @@ static bool rrset_empty(const knot_rrset_t *rrset)
return false;
}
/*< \brief Returns true if DDNS should deny updating DNSSEC-related record. */
static bool is_dnssec_protected(uint16_t type, bool is_apex)
{
switch (type) {
case KNOT_RRTYPE_RRSIG:
case KNOT_RRTYPE_NSEC:
case KNOT_RRTYPE_NSEC3:
case KNOT_RRTYPE_CDNSKEY:
case KNOT_RRTYPE_CDS:
return true;
case KNOT_RRTYPE_DNSKEY:
case KNOT_RRTYPE_NSEC3PARAM:
return is_apex;
default:
return false;
}
}
/*!< \brief Checks prereq for given packet RR. */
static int process_prereq(const knot_rrset_t *rrset, uint16_t qclass,
zone_update_t *update, uint16_t *rcode,
@@ -505,13 +523,14 @@ static int process_rem_rrset(const knot_rrset_t *rrset,
const zone_node_t *node,
zone_update_t *update)
{
if (rrset->type == KNOT_RRTYPE_SOA || knot_rrtype_is_dnssec(rrset->type)) {
bool is_apex = node_rrtype_exists(node, KNOT_RRTYPE_SOA);
if (rrset->type == KNOT_RRTYPE_SOA || is_dnssec_protected(rrset->type, is_apex)) {
// Ignore SOA and DNSSEC removals.
return KNOT_EOK;
}
if (node_rrtype_exists(node, KNOT_RRTYPE_SOA) &&
rrset->type == KNOT_RRTYPE_NS) {
if (is_apex && rrset->type == KNOT_RRTYPE_NS) {
// Ignore NS apex RRSet removals.
return KNOT_EOK;
}
@@ -614,12 +633,13 @@ static int check_update(const knot_rrset_t *rrset, const knot_pkt_t *query,
const knot_dname_t *owner = rrset->owner;
const knot_dname_t *qname = knot_pkt_qname(query);
const bool is_sub = knot_dname_is_sub(owner, qname);
if (!is_sub && !knot_dname_is_equal(owner, qname)) {
const bool is_apex = knot_dname_is_equal(owner, qname);
if (!is_sub && !is_apex) {
*rcode = KNOT_RCODE_NOTZONE;
return KNOT_EOUTOFZONE;
}
if (knot_rrtype_is_dnssec(rrset->type)) {
if (is_dnssec_protected(rrset->type, is_apex)) {
*rcode = KNOT_RCODE_REFUSED;
log_warning("DDNS, refusing to update DNSSEC-related record");
return KNOT_EDENIED;