diff --git a/daemon/README.rst b/daemon/README.rst
index 0a4d27a56609ded92dff55f02e32950fc72dac9a..975c01c1bf4dea08a7387365a89204dcd21ee407 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -1024,6 +1024,8 @@ The daemon also supports `systemd socket activation`_, it is automatically detec
See ``kresd.systemd(7)`` for details.
+.. _enabling-dnssec:
+
Enabling DNSSEC
===============
diff --git a/daemon/bindings.c b/daemon/bindings.c
index b9045b358ac4e2f81d9c88dd0b44092253f39377..e3dd725849a5d69c55a6402830f16b60637508f9 100644
--- a/daemon/bindings.c
+++ b/daemon/bindings.c
@@ -26,6 +26,7 @@
#include "daemon/bindings.h"
#include "daemon/worker.h"
#include "daemon/tls.h"
+#include "daemon/zimport.h"
#define xstr(s) str(s)
#define str(s) #s
@@ -1149,6 +1150,90 @@ static int cache_ns_tout(lua_State *L)
return 1;
}
+/** Zone import completion callback.
+ * Deallocates zone import context. */
+static void cache_zone_import_cb(int state, void *param)
+{
+ assert (param);
+ (void)state;
+ struct worker_ctx *worker = (struct worker_ctx *)param;
+ assert (worker->z_import);
+ zi_free(worker->z_import);
+ worker->z_import = NULL;
+}
+
+/** Import zone from file. */
+static int cache_zone_import(lua_State *L)
+{
+ int ret = -1;
+ char msg[128];
+
+ struct worker_ctx *worker = wrk_luaget(L);
+ if (!worker) {
+ strncpy(msg, "internal error, empty worker pointer", sizeof(msg));
+ goto finish;
+ }
+
+ if (worker->z_import && zi_import_started(worker->z_import)) {
+ strncpy(msg, "import already started", sizeof(msg));
+ goto finish;
+ }
+
+ struct engine *engine = engine_luaget(L);
+ if (!engine) {
+ strncpy(msg, "internal error, empty engine pointer", sizeof(msg));
+ goto finish;
+ }
+ struct kr_cache *cache = &engine->resolver.cache;
+ if (!kr_cache_is_open(cache)) {
+ strncpy(msg, "cache isn't open", sizeof(msg));
+ goto finish;
+ }
+
+ /* Check parameters */
+ int n = lua_gettop(L);
+ if (n < 1 || !lua_isstring(L, 1)) {
+ strncpy(msg, "expected 'cache.zone_import(path to zone file)'", sizeof(msg));
+ goto finish;
+ }
+
+ /* Parse zone file */
+ const char *zone_file = lua_tostring(L, 1);
+
+ const char *default_origin = NULL; /* TODO */
+ uint16_t default_rclass = 1;
+ uint32_t default_ttl = 0;
+
+ if (worker->z_import == NULL) {
+ worker->z_import = zi_allocate(worker, cache_zone_import_cb, worker);
+ if (worker->z_import == NULL) {
+ strncpy(msg, "can't allocate zone import context", sizeof(msg));
+ goto finish;
+ }
+ }
+
+ ret = zi_zone_import(worker->z_import, zone_file, default_origin,
+ default_rclass, default_ttl);
+
+ lua_newtable(L);
+ if (ret == 0) {
+ strncpy(msg, "zone file successfully parsed, import started", sizeof(msg));
+ } else if (ret == 1) {
+ strncpy(msg, "TA not found", sizeof(msg));
+ } else {
+ strncpy(msg, "error parsing zone file", sizeof(msg));
+ }
+
+finish:
+ msg[sizeof(msg) - 1] = 0;
+ lua_newtable(L);
+ lua_pushstring(L, msg);
+ lua_setfield(L, -2, "msg");
+ lua_pushnumber(L, ret);
+ lua_setfield(L, -2, "code");
+
+ return 1;
+}
int lib_cache(lua_State *L)
{
@@ -1165,6 +1250,7 @@ int lib_cache(lua_State *L)
{ "max_ttl", cache_max_ttl },
{ "min_ttl", cache_min_ttl },
{ "ns_tout", cache_ns_tout },
+ { "zone_import", cache_zone_import },
{ NULL, NULL }
};
diff --git a/daemon/daemon.mk b/daemon/daemon.mk
index cf28be0ff010c8e11a22bea21914d6454ef93962..3d655f0ceed9eee1d7e6f32cdd1c1a8cdfe09441 100644
--- a/daemon/daemon.mk
+++ b/daemon/daemon.mk
@@ -7,6 +7,7 @@ kresd_SOURCES := \
daemon/ffimodule.c \
daemon/tls.c \
daemon/tls_ephemeral_credentials.c \
+ daemon/zimport.c \
daemon/main.c
kresd_DIST := daemon/lua/kres.lua daemon/lua/kres-gen.lua \
diff --git a/daemon/worker.c b/daemon/worker.c
index 4392dbd001dd72527d3cebb3b038eedce31f5604..f91b95cf75c86c7fde17d16df2d0e2bee157e0e6 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -35,6 +35,7 @@
#include "daemon/engine.h"
#include "daemon/io.h"
#include "daemon/tls.h"
+#include "daemon/zimport.h"
#define VERBOSE_MSG(qry, fmt...) QRVERBOSE(qry, "wrkr", fmt)
@@ -484,6 +485,18 @@ static inline void pool_release(struct worker_ctx *worker, struct mempool *mp)
}
}
+/** Create a key for an outgoing subrequest: qname, qclass, qtype.
+ * @param key Destination buffer for key size, MUST be SUBREQ_KEY_LEN or larger.
+ * @return key length if successful or an error
+ */
+static const size_t SUBREQ_KEY_LEN = KR_RRKEY_LEN;
+static int subreq_key(char *dst, knot_pkt_t *pkt)
+{
+ assert(pkt);
+ return kr_rrkey(dst, knot_pkt_qclass(pkt), knot_pkt_qname(pkt),
+ knot_pkt_qtype(pkt), knot_pkt_qtype(pkt));
+}
+
/** Create and initialize a request_ctx (on a fresh mempool).
*
* handle and addr point to the source of the request, and they are NULL
@@ -1403,35 +1416,6 @@ static int timer_start(struct session *session, uv_timer_cb cb,
return 0;
}
-/** Create a key for an outgoing subrequest: qname, qclass, qtype.
- * @param key Destination buffer for key size, MUST be SUBREQ_KEY_LEN or larger.
- * @return key length if successful or an error
- */
-static int subreq_key(char *dst, knot_pkt_t *pkt)
-{
- assert(dst && pkt);
- const char * const dst_begin = dst;
-
- int ret = knot_dname_to_wire((uint8_t *)dst, knot_pkt_qname(pkt), KNOT_DNAME_MAXLEN);
- if (ret <= 0) {
- assert(false); /*EINVAL*/
- return kr_error(ret);
- }
- knot_dname_to_lower((knot_dname_t *)dst);
- dst += ret;
-
- const uint16_t qclass = knot_pkt_qclass(pkt);
- memcpy(dst, &qclass, sizeof(qclass));
- dst += sizeof(qclass);
-
- const uint16_t qtype = knot_pkt_qtype(pkt);
- memcpy(dst, &qtype, sizeof(qtype));
- dst += sizeof(qtype);
-
- return dst - dst_begin;
-}
-static const size_t SUBREQ_KEY_LEN = KNOT_DNAME_MAXLEN + 2 * sizeof(uint16_t);
-
static void subreq_finalize(struct qr_task *task, const struct sockaddr *packet_source, knot_pkt_t *pkt)
{
/* Close pending timer */
@@ -2385,6 +2369,11 @@ struct kr_request *worker_task_request(struct qr_task *task)
return &task->ctx->req;
}
+int worker_task_finalize(struct qr_task *task, int state)
+{
+ return qr_task_finalize(task, state);
+}
+
void worker_session_close(struct session *session)
{
session_close(session);
@@ -2434,6 +2423,10 @@ void worker_reclaim(struct worker_ctx *worker)
worker->subreq_out = NULL;
map_clear(&worker->tcp_connected);
map_clear(&worker->tcp_waiting);
+ if (worker->z_import != NULL) {
+ zi_free(worker->z_import);
+ worker->z_import = NULL;
+ }
}
struct worker_ctx *worker_create(struct engine *engine, knot_mm_t *pool,
diff --git a/daemon/worker.h b/daemon/worker.h
index 7d50c74df0cbe6b8c8e736ac68bb70c9afbf28aa..ec3e0f8857481988bf5625faa696b37d59a3ad71 100644
--- a/daemon/worker.h
+++ b/daemon/worker.h
@@ -29,6 +29,8 @@ struct qr_task;
struct worker_ctx;
/** Transport session (opaque). */
struct session;
+/** Zone import context (opaque). */
+struct zone_import_ctx;
/** Create and initialize the worker. */
struct worker_ctx *worker_create(struct engine *engine, knot_mm_t *pool,
@@ -94,6 +96,9 @@ ssize_t worker_gnutls_push(gnutls_transport_ptr_t h, const void *buf, size_t len
ssize_t worker_gnutls_client_push(gnutls_transport_ptr_t h, const void *buf, size_t len);
+/** Finalize given task */
+int worker_task_finalize(struct qr_task *task, int state);
+
/** @cond internal */
/** Number of request within timeout window. */
@@ -140,6 +145,7 @@ struct worker_ctx {
size_t timeout;
} stats;
+ struct zone_import_ctx* z_import;
bool too_many_open;
size_t rconcurrent_highwatermark;
/** List of active outbound TCP sessions */
diff --git a/daemon/zimport.c b/daemon/zimport.c
new file mode 100644
index 0000000000000000000000000000000000000000..24f3f3971b7d582fd6e38691dcb9b8230e333e21
--- /dev/null
+++ b/daemon/zimport.c
@@ -0,0 +1,803 @@
+/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/* Module is intended to import resource records from file into resolver's cache.
+ * File supposed to be a standard DNS zone file
+ * which contains text representations of resource records.
+ * For now only root zone import is supported.
+ *
+ * Import process consists of two stages.
+ * 1) Zone file parsing.
+ * 2) Import of parsed entries into the cache.
+ *
+ * These stages are implemented as two separate functions
+ * (zi_zone_import and zi_zone_process) which runs sequentially with the
+ * pause between them. This is done because resolver is a single-threaded
+ * application, so it can't process user's requests during the whole import
+ * process. Separation into two stages allows to reduce the
+ * continuous time interval when resolver can't serve user requests.
+ * Since root zone isn't large it is imported as single
+ * chunk. If it would be considered as necessary, import stage can be
+ * split into shorter stages.
+ *
+ * zi_zone_import() uses libzscanner to parse zone file.
+ * Parsed records are stored to internal storage from where they are imported to
+ * cache during the second stage.
+ *
+ * zi_zone_process() imports parsed resource records to cache.
+ * It imports rrset by creating request that will never be sent to upstream.
+ * After request creation resolver creates pseudo-answer which must contain
+ * all necessary data for validation. Then resolver process answer as if he had
+ * been received from network.
+ */
+
+#include <stdlib.h>
+#include <uv.h>
+#include <ucw/mempool.h>
+#include <libknot/rrset.h>
+#include <zscanner/scanner.h>
+
+#include "lib/utils.h"
+#include "lib/dnssec/ta.h"
+#include "daemon/worker.h"
+#include "daemon/zimport.h"
+#include "lib/generic/map.h"
+#include "lib/generic/array.h"
+
+#define VERBOSE_MSG(qry, fmt...) QRVERBOSE(qry, "zimport", fmt)
+
+/* Pause between parse and import stages, milliseconds.
+ * See comment in zi_zone_import() */
+#define ZONE_IMPORT_PAUSE 100
+
+typedef array_t(knot_rrset_t *) qr_rrsetlist_t;
+
+struct zone_import_ctx {
+ struct worker_ctx *worker;
+ bool started;
+ knot_dname_t *origin;
+ knot_rrset_t *ta;
+ knot_rrset_t *key;
+ uint64_t start_timestamp;
+ size_t rrset_idx;
+ uv_timer_t timer;
+ map_t rrset_indexed;
+ qr_rrsetlist_t rrset_sorted;
+ knot_mm_t pool;
+ zi_callback cb;
+ void *cb_param;
+};
+
+typedef struct zone_import_ctx zone_import_ctx_t;
+
+static int RRSET_IS_ALREADY_IMPORTED = 1;
+
+/** @internal Allocate zone import context.
+ * @return pointer to zone import context or NULL. */
+static zone_import_ctx_t *zi_ctx_alloc()
+{
+ return (zone_import_ctx_t *)malloc(sizeof(zone_import_ctx_t));
+}
+
+/** @internal Free zone import context. */
+static void zi_ctx_free(zone_import_ctx_t *z_import)
+{
+ if (z_import != NULL) {
+ free(z_import);
+ }
+}
+
+/** @internal Reset all fields in the zone import context to their default values.
+ * Flushes memory pool, but doesn't reallocate memory pool buffer.
+ * Doesn't affect timer handle, pointers to callback and callback parameter.
+ * @return 0 if success; -1 if failed. */
+static int zi_reset(struct zone_import_ctx *z_import, size_t rrset_sorted_list_size)
+{
+ mp_flush(z_import->pool.ctx);
+
+ z_import->started = false;
+ z_import->start_timestamp = 0;
+ z_import->rrset_idx = 0;
+ z_import->pool.alloc = (knot_mm_alloc_t) mp_alloc;
+ z_import->rrset_indexed = map_make(&z_import->pool);
+
+ array_init(z_import->rrset_sorted);
+
+ int ret = 0;
+ if (rrset_sorted_list_size) {
+ ret = array_reserve_mm(z_import->rrset_sorted, rrset_sorted_list_size,
+ kr_memreserve, &z_import->pool);
+ }
+
+ return ret;
+}
+
+/** @internal Close callback for timer handle.
+ * @note Actually frees zone import context. */
+static void on_timer_close(uv_handle_t *handle)
+{
+ zone_import_ctx_t *z_import = (zone_import_ctx_t *)handle->data;
+ if (z_import != NULL) {
+ zi_ctx_free(z_import);
+ }
+}
+
+zone_import_ctx_t *zi_allocate(struct worker_ctx *worker,
+ zi_callback cb, void *param)
+{
+ if (worker->loop == NULL) {
+ return NULL;
+ }
+ zone_import_ctx_t *z_import = zi_ctx_alloc();
+ if (!z_import) {
+ return NULL;
+ }
+ void *mp = mp_new (8192);
+ if (!mp) {
+ zi_ctx_free(z_import);
+ return NULL;
+ }
+ memset(z_import, 0, sizeof(*z_import));
+ z_import->pool.ctx = mp;
+ z_import->worker = worker;
+ int ret = zi_reset(z_import, 0);
+ if (ret < 0) {
+ mp_delete(mp);
+ zi_ctx_free(z_import);
+ return NULL;
+ }
+ uv_timer_init(z_import->worker->loop, &z_import->timer);
+ z_import->timer.data = z_import;
+ z_import->cb = cb;
+ z_import->cb_param = param;
+ return z_import;
+}
+
+void zi_free(zone_import_ctx_t *z_import)
+{
+ z_import->started = false;
+ z_import->start_timestamp = 0;
+ z_import->rrset_idx = 0;
+ mp_delete(z_import->pool.ctx);
+ z_import->pool.ctx = NULL;
+ z_import->pool.alloc = NULL;
+ z_import->worker = NULL;
+ z_import->cb = NULL;
+ z_import->cb_param = NULL;
+ uv_close((uv_handle_t *)&z_import->timer, on_timer_close);
+}
+
+/** @internal Mark rrset that has been already imported
+ * to avoid repeated import. */
+static inline void zi_rrset_mark_as_imported(knot_rrset_t *rr)
+{
+ rr->additional = (void *)&RRSET_IS_ALREADY_IMPORTED;
+}
+
+/** @internal Check if rrset is marked as "already imported".
+ * @return true if marked, false if isn't */
+static inline bool zi_rrset_is_marked_as_imported(knot_rrset_t *rr)
+{
+ return (rr->additional == &RRSET_IS_ALREADY_IMPORTED);
+}
+
+/** @internal Try to find rrset with given requisites amongst parsed rrsets
+ * and put it to given packet. If there is RRSIG which covers that rrset, it
+ * will be added as well. If rrset found and successfully put, it marked as
+ * "already imported" to avoid repeated import. The same is true for RRSIG.
+ * @return -1 if failed
+ * 0 if required record been actually put into the packet
+ * 1 if required record could not be found */
+static int zi_rrset_find_put(struct zone_import_ctx *z_import,
+ knot_pkt_t *pkt, const knot_dname_t *owner,
+ uint16_t class, uint16_t type, uint16_t additional)
+{
+ if (type != KNOT_RRTYPE_RRSIG) {
+ /* If required rrset isn't rrsig, these must be the same values */
+ additional = type;
+ }
+
+ char key[KR_RRKEY_LEN];
+ int err = kr_rrkey(key, class, owner, type, additional);
+ if (err <= 0) {
+ return -1;
+ }
+ knot_rrset_t *rr = map_get(&z_import->rrset_indexed, key);
+ if (!rr) {
+ return 1;
+ }
+ err = knot_pkt_put(pkt, 0, rr, 0);
+ if (err != KNOT_EOK) {
+ return -1;
+ }
+ zi_rrset_mark_as_imported(rr);
+
+ if (type != KNOT_RRTYPE_RRSIG) {
+ /* Try to find corresponding rrsig */
+ err = zi_rrset_find_put(z_import, pkt, owner,
+ class, KNOT_RRTYPE_RRSIG, type);
+ if (err < 0) {
+ return err;
+ }
+ }
+
+ return 0;
+}
+
+/** @internal Try to put given rrset to the given packet.
+ * If there is RRSIG which covers that rrset, it will be added as well.
+ * If rrset successfully put in the packet, it marked as
+ * "already imported" to avoid repeated import.
+ * The same is true for RRSIG.
+ * @return -1 if failed
+ * 0 if required record been actually put into the packet */
+static int zi_rrset_put(struct zone_import_ctx *z_import, knot_pkt_t *pkt,
+ knot_rrset_t *rr)
+{
+ assert(rr);
+ assert(rr->type != KNOT_RRTYPE_RRSIG);
+ int err = knot_pkt_put(pkt, 0, rr, 0);
+ if (err != KNOT_EOK) {
+ return -1;
+ }
+ zi_rrset_mark_as_imported(rr);
+ /* Try to find corresponding RRSIG */
+ err = zi_rrset_find_put(z_import, pkt, rr->owner, rr->rclass,
+ KNOT_RRTYPE_RRSIG, rr->type);
+ return (err < 0) ? err : 0;
+}
+
+/** @internal Try to put DS & NSEC* for rset->owner to given packet.
+ * @return -1 if failed;
+ * 0 if no errors occurred (it doesn't mean
+ * that records were actually added). */
+static int zi_put_delegation(zone_import_ctx_t *z_import, knot_pkt_t *pkt,
+ knot_rrset_t *rr)
+{
+ int err = zi_rrset_find_put(z_import, pkt, rr->owner,
+ rr->rclass, KNOT_RRTYPE_DS, 0);
+ if (err == 1) {
+ /* DS not found, maybe there are NSEC* */
+ err = zi_rrset_find_put(z_import, pkt, rr->owner,
+ rr->rclass, KNOT_RRTYPE_NSEC, 0);
+ if (err >= 0) {
+ err = zi_rrset_find_put(z_import, pkt, rr->owner,
+ rr->rclass, KNOT_RRTYPE_NSEC3, 0);
+ }
+ }
+ return err < 0 ? err : 0;
+}
+
+/** @internal Try to put A & AAAA records for rset->owner to given packet.
+ * @return -1 if failed;
+ * 0 if no errors occurred (it doesn't mean
+ * that records were actually added). */
+static int zi_put_glue(zone_import_ctx_t *z_import, knot_pkt_t *pkt,
+ knot_rrset_t *rr)
+{
+ int err = 0;
+ for (uint16_t i = 0; i < rr->rrs.rr_count; ++i) {
+ const knot_dname_t *ns_name = knot_ns_name(&rr->rrs, i);
+ err = zi_rrset_find_put(z_import, pkt, ns_name,
+ rr->rclass, KNOT_RRTYPE_A, 0);
+ if (err < 0) {
+ break;
+ }
+
+ err = zi_rrset_find_put(z_import, pkt, ns_name,
+ rr->rclass, KNOT_RRTYPE_AAAA, 0);
+ if (err < 0) {
+ break;
+ }
+ }
+ return err < 0 ? err : 0;
+}
+
+/** @internal Create query. */
+static knot_pkt_t *zi_query_create(zone_import_ctx_t *z_import, knot_rrset_t *rr)
+{
+ knot_mm_t *pool = &z_import->pool;
+
+ uint32_t msgid = kr_rand_uint(0);
+
+ knot_pkt_t *query = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, pool);
+ if (!query) {
+ return NULL;
+ }
+
+ knot_pkt_put_question(query, rr->owner, rr->rclass, rr->type);
+ knot_pkt_begin(query, KNOT_ANSWER);
+ knot_wire_set_rd(query->wire);
+ knot_wire_set_id(query->wire, msgid);
+ int err = knot_pkt_parse(query, 0);
+ if (err != KNOT_EOK) {
+ knot_pkt_free(&query);
+ return NULL;
+ }
+
+ return query;
+}
+
+/** @internal Import given rrset to cache.
+ * @return -1 if failed; 0 if success */
+static int zi_rrset_import(zone_import_ctx_t *z_import, knot_rrset_t *rr)
+{
+ struct worker_ctx *worker = z_import->worker;
+
+ assert(worker);
+
+ /* Create "pseudo query" which asks for given rrset. */
+ knot_pkt_t *query = zi_query_create(z_import, rr);
+ if (!query) {
+ return -1;
+ }
+
+ knot_mm_t *pool = &z_import->pool;
+ uint8_t *dname = rr->owner;
+ uint16_t rrtype = rr->type;
+ uint16_t rrclass = rr->rclass;
+
+ /* Create "pseudo answer". */
+ knot_pkt_t *answer = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, pool);
+ if (!answer) {
+ knot_pkt_free(&query);
+ return -1;
+ }
+ knot_pkt_put_question(answer, dname, rrclass, rrtype);
+ knot_pkt_begin(answer, KNOT_ANSWER);
+
+ struct kr_qflags options;
+ memset(&options, 0, sizeof(options));
+ options.DNSSEC_WANT = true;
+ options.NO_MINIMIZE = true;
+
+ /* This call creates internal structures which necessary for
+ * resolving - qr_task & request_ctx. */
+ struct qr_task *task = worker_resolve_start(worker, query, options);
+ if (!task) {
+ knot_pkt_free(&query);
+ knot_pkt_free(&answer);
+ return -1;
+ }
+
+ /* Push query to the request resolve plan.
+ * Actually query will never been sent to upstream. */
+ struct kr_request *request = worker_task_request(task);
+ struct kr_rplan *rplan = &request->rplan;
+ struct kr_query *qry = kr_rplan_push(rplan, NULL, dname, rrclass, rrtype);
+ int state = KR_STATE_FAIL;
+ bool origin_is_owner = knot_dname_is_equal(rr->owner, z_import->origin);
+ bool is_referral = (rrtype == KNOT_RRTYPE_NS && !origin_is_owner);
+ uint32_t msgid = knot_wire_get_id(query->wire);
+
+ qry->id = msgid;
+
+ /* Prepare zonecut. It must have all the necessary requisites for
+ * successful validation - matched zone name & keys & trust-anchors. */
+ kr_zonecut_init(&qry->zone_cut, z_import->origin, pool);
+ qry->zone_cut.key = z_import->key;
+ qry->zone_cut.trust_anchor = z_import->ta;
+
+ if (knot_pkt_init_response(request->answer, query) != 0) {
+ goto cleanup;
+ }
+
+ /* Since "pseudo" query asks for NS for subzone,
+ * "pseudo" answer must simulate referral. */
+ if (is_referral) {
+ knot_pkt_begin(answer, KNOT_AUTHORITY);
+ }
+
+ /* Put target rrset to ANSWER\AUTHORIRY as well as corresponding RRSIG */
+ int err = zi_rrset_put(z_import, answer, rr);
+ if (err != 0) {
+ goto cleanup;
+ }
+
+ if (!is_referral) {
+ knot_wire_set_aa(answer->wire);
+ } else {
+ /* Type is KNOT_RRTYPE_NS and owner is not equal to origin.
+ * It will be "referral" answer and must contain delegation. */
+ err = zi_put_delegation(z_import, answer, rr);
+ if (err < 0) {
+ goto cleanup;
+ }
+ }
+
+ knot_pkt_begin(answer, KNOT_ADDITIONAL);
+
+ if (rrtype == KNOT_RRTYPE_NS) {
+ /* Try to find glue addresses. */
+ err = zi_put_glue(z_import, answer, rr);
+ if (err < 0) {
+ goto cleanup;
+ }
+ }
+
+ knot_wire_set_id(answer->wire, msgid);
+ answer->parsed = answer->size;
+ err = knot_pkt_parse(answer, 0);
+ if (err != KNOT_EOK) {
+ goto cleanup;
+ }
+
+ /* Importing doesn't imply communication with upstream at all.
+ * "answer" contains pseudo-answer from upstream and must be successfully
+ * validated in CONSUME stage. If not, something gone wrong. */
+ state = kr_resolve_consume(request, NULL, answer);
+
+cleanup:
+
+ knot_pkt_free(&query);
+ knot_pkt_free(&answer);
+ worker_task_finalize(task, state);
+ return state == (is_referral ? KR_STATE_PRODUCE : KR_STATE_DONE) ? 0 : -1;
+}
+
+/** @internal Create element in qr_rrsetlist_t rrset_list for
+ * given node of map_t rrset_sorted. */
+static int zi_mapwalk_preprocess(const char *k, void *v, void *baton)
+{
+ zone_import_ctx_t *z_import = (zone_import_ctx_t *)baton;
+
+ int ret = array_push_mm(z_import->rrset_sorted, v, kr_memreserve, &z_import->pool);
+
+ return (ret < 0);
+}
+
+/** @internal Iterate over parsed rrsets and try to import each of them. */
+static void zi_zone_process(uv_timer_t* handle)
+{
+ zone_import_ctx_t *z_import = (zone_import_ctx_t *)handle->data;
+
+ assert(z_import->worker);
+
+ size_t failed = 0;
+ size_t ns_imported = 0;
+ size_t other_imported = 0;
+
+ /* At the moment import of root zone only is supported.
+ * Check the name of the parsed zone.
+ * TODO - implement importing of arbitrary zone. */
+ char zone_name_str[KNOT_DNAME_MAXLEN];
+ knot_dname_to_str(zone_name_str, z_import->origin, sizeof(zone_name_str));
+ if (strcmp(".", zone_name_str) != 0) {
+ kr_log_error("[zimport] unexpected zone name `%s` (root zone expected), fail\n",
+ zone_name_str);
+ failed = 1;
+ goto finish;
+ }
+
+ if (z_import->rrset_sorted.len <= 0) {
+ VERBOSE_MSG(NULL, "zone is empty\n");
+ goto finish;
+ }
+
+ /* TA have been found, zone is secured.
+ * DNSKEY must be somewhere amongst the imported records. Find it.
+ * TODO - For those zones that provenly do not have TA this step must be skipped. */
+ char key[KR_RRKEY_LEN];
+ int err = kr_rrkey(key, KNOT_CLASS_IN, z_import->origin,
+ KNOT_RRTYPE_DNSKEY, KNOT_RRTYPE_DNSKEY);
+ if (err <= 0) {
+ failed = 1;
+ goto finish;
+ }
+
+ knot_rrset_t *rr = map_get(&z_import->rrset_indexed, key);
+ if (!rr) {
+ /* DNSKEY MUST be here. If not found - fail. */
+ kr_log_error("[zimport] DNSKEY not found for `%s`, fail\n", zone_name_str);
+ failed = 1;
+ goto finish;
+ }
+ z_import->key = rr;
+
+ VERBOSE_MSG(NULL, "started: zone: '%s'\n", zone_name_str);
+
+ z_import->start_timestamp = kr_now();
+
+ /* Import DNSKEY at first step. If any validation problems will appear,
+ * cancel import of whole zone. */
+ char qname_str[KNOT_DNAME_MAXLEN], type_str[16];
+ knot_dname_to_str(qname_str, rr->owner, sizeof(qname_str));
+ knot_rrtype_to_string(rr->type, type_str, sizeof(type_str));
+ VERBOSE_MSG(NULL, "importing: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+
+ int res = zi_rrset_import(z_import, rr);
+ if (res != 0) {
+ VERBOSE_MSG(NULL, "import failed: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+ failed = 1;
+ goto finish;
+ }
+
+ /* Import all NS records */
+ for (size_t i = 0; i < z_import->rrset_sorted.len; ++i) {
+ knot_rrset_t *rr = z_import->rrset_sorted.at[i];
+
+ if (rr->type != KNOT_RRTYPE_NS) {
+ continue;
+ }
+
+ knot_dname_to_str(qname_str, rr->owner, sizeof(qname_str));
+ knot_rrtype_to_string(rr->type, type_str, sizeof(type_str));
+ VERBOSE_MSG(NULL, "importing: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+ int res = zi_rrset_import(z_import, rr);
+ if (res == 0) {
+ ++ns_imported;
+ } else {
+ VERBOSE_MSG(NULL, "import failed: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+ ++failed;
+ }
+ z_import->rrset_sorted.at[i] = NULL;
+ }
+
+ /* NS records have been imported as well as relative DS, NSEC* and glue.
+ * Now import what's left. */
+ for (size_t i = 0; i < z_import->rrset_sorted.len; ++i) {
+
+ knot_rrset_t *rr = z_import->rrset_sorted.at[i];
+ if (rr == NULL) {
+ continue;
+ }
+
+ if (zi_rrset_is_marked_as_imported(rr)) {
+ continue;
+ }
+
+ if (rr->type == KNOT_RRTYPE_DNSKEY || rr->type == KNOT_RRTYPE_RRSIG) {
+ continue;
+ }
+
+ knot_dname_to_str(qname_str, rr->owner, sizeof(qname_str));
+ knot_rrtype_to_string(rr->type, type_str, sizeof(type_str));
+ VERBOSE_MSG(NULL, "importing: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+ res = zi_rrset_import(z_import, rr);
+ if (res == 0) {
+ ++other_imported;
+ } else {
+ VERBOSE_MSG(NULL, "import failed: qname: '%s' type: '%s'\n",
+ qname_str, type_str);
+ ++failed;
+ }
+ }
+
+ uint64_t elapsed = kr_now() - z_import->start_timestamp;
+ elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed;
+
+ VERBOSE_MSG(NULL, "finished in %lu ms; zone: `%s`; ns: %zd; other: %zd; failed: %zd\n",
+ elapsed, zone_name_str, ns_imported, other_imported, failed);
+
+finish:
+
+ uv_timer_stop(&z_import->timer);
+ z_import->started = false;
+
+ int import_state = 0;
+
+ if (failed != 0) {
+ if (ns_imported == 0 && other_imported == 0) {
+ import_state = -1;
+ VERBOSE_MSG(NULL, "import failed; zone `%s` \n", zone_name_str);
+ } else {
+ import_state = 1;
+ }
+ } else {
+ import_state = 0;
+ }
+
+ if (z_import->cb != NULL) {
+ z_import->cb(import_state, z_import->cb_param);
+ }
+}
+
+/** @internal Store rrset that has been imported to zone import context memory pool.
+ * @return -1 if failed; 0 if success. */
+static int zi_record_store(zs_scanner_t *s)
+{
+ if (s->r_data_length > UINT16_MAX) {
+ /* Due to knot_rrset_add_rdata(..., const uint16_t size, ...); */
+ kr_log_error("[zscanner] line %lu: rdata is too long\n", s->line_counter);
+ return -1;
+ }
+
+ if (knot_dname_size(s->r_owner) != strlen((const char *)(s->r_owner)) + 1) {
+ kr_log_error("[zscanner] line %lu: owner name contains zero byte, skip\n", s->line_counter);
+ return 0;
+ }
+
+ zone_import_ctx_t *z_import = (zone_import_ctx_t *)s->process.data;
+
+ knot_rrset_t *new_rr = knot_rrset_new(s->r_owner, s->r_type, s->r_class,
+ &z_import->pool);
+ if (!new_rr) {
+ kr_log_error("[zscanner] line %lu: error creating rrset\n", s->line_counter);
+ return -1;
+ }
+ int res = knot_rrset_add_rdata(new_rr, s->r_data, s->r_data_length,
+ s->r_ttl, &z_import->pool);
+ if (res != KNOT_EOK) {
+ kr_log_error("[zscanner] line %lu: error adding rdata to rrset\n", s->line_counter);
+ return -1;
+ }
+
+ /* Records in zone file may not be grouped by name and RR type.
+ * Use map to create search key and
+ * avoid ineffective searches across all the imported records. */
+ char key[KR_RRKEY_LEN];
+ uint16_t additional_key_field = kr_rrset_type_maysig(new_rr);
+
+ res = kr_rrkey(key, new_rr->rclass, new_rr->owner, new_rr->type,
+ additional_key_field);
+ if (res <= 0) {
+ kr_log_error("[zscanner] line %lu: error constructing rrkey\n", s->line_counter);
+ return -1;
+ }
+
+ knot_rrset_t *saved_rr = map_get(&z_import->rrset_indexed, key);
+ if (saved_rr) {
+ res = knot_rdataset_merge(&saved_rr->rrs, &new_rr->rrs,
+ &z_import->pool);
+ } else {
+ res = map_set(&z_import->rrset_indexed, key, new_rr);
+ }
+ if (res != 0) {
+ kr_log_error("[zscanner] line %lu: error saving parsed rrset\n", s->line_counter);
+ return -1;
+ }
+
+ return 0;
+}
+
+/** @internal zscanner callback. */
+static int zi_state_parsing(zs_scanner_t *s)
+{
+ while (zs_parse_record(s) == 0) {
+ switch (s->state) {
+ case ZS_STATE_DATA:
+ if (zi_record_store(s) != 0) {
+ return -1;
+ }
+ zone_import_ctx_t *z_import = (zone_import_ctx_t *) s->process.data;
+ if (z_import->origin == 0) {
+ z_import->origin = knot_dname_copy(s->zone_origin,
+ &z_import->pool);
+ } else if (!knot_dname_is_equal(z_import->origin, s->zone_origin)) {
+ kr_log_error("[zscanner] line: %lu: zone origin changed unexpectedly\n",
+ s->line_counter);
+ return -1;
+ }
+ break;
+ case ZS_STATE_ERROR:
+ kr_log_error("[zscanner] line: %lu: parse error; code: %i ('%s')\n",
+ s->line_counter, s->error.code, zs_strerror(s->error.code));
+ return -1;
+ case ZS_STATE_INCLUDE:
+ kr_log_error("[zscanner] line: %lu: INCLUDE is not supported\n",
+ s->line_counter);
+ return -1;
+ case ZS_STATE_EOF:
+ case ZS_STATE_STOP:
+ return (s->error.counter == 0) ? 0 : -1;
+ default:
+ kr_log_error("[zscanner] line: %lu: unexpected parse state: %i\n",
+ s->line_counter, s->state);
+ return -1;
+ }
+ }
+
+ return -1;
+}
+
+int zi_zone_import(struct zone_import_ctx *z_import,
+ const char *zone_file, const char *origin,
+ uint16_t rclass, uint32_t ttl)
+{
+ assert (z_import != NULL && "[zimport] empty <z_import> parameter");
+ assert (z_import->worker != NULL && "[zimport] invalid <z_import> parameter\n");
+ assert (zone_file != NULL && "[zimport] empty <zone_file> parameter\n");
+
+ zs_scanner_t *s = malloc(sizeof(zs_scanner_t));
+ if (s == NULL) {
+ kr_log_error("[zscanner] error creating instance of zone scanner (malloc() fails)\n");
+ return -1;
+ }
+
+ /* zs_init(), zs_set_input_file(), zs_set_processing() returns -1 in case of error,
+ * so don't print error code as it meaningless. */
+ int res = zs_init(s, origin, rclass, ttl);
+ if (res != 0) {
+ kr_log_error("[zscanner] error initializing zone scanner instance, error: %i (%s)\n",
+ s->error.code, zs_strerror(s->error.code));
+ free(s);
+ return -1;
+ }
+
+ res = zs_set_input_file(s, zone_file);
+ if (res != 0) {
+ kr_log_error("[zscanner] error opening zone file `%s`, error: %i (%s)\n",
+ zone_file, s->error.code, zs_strerror(s->error.code));
+ zs_deinit(s);
+ free(s);
+ return -1;
+ }
+
+ /* Don't set processing and error callbacks as we don't use automatic parsing.
+ * Parsing as well error processing will be performed in zi_state_parsing().
+ * Store pointer to zone import context for further use. */
+ if (zs_set_processing(s, NULL, NULL, (void *)z_import) != 0) {
+ kr_log_error("[zscanner] zs_set_processing() failed for zone file `%s`, "
+ "error: %i (%s)\n",
+ zone_file, s->error.code, zs_strerror(s->error.code));
+ zs_deinit(s);
+ free(s);
+ return -1;
+ }
+
+ uint64_t elapsed = 0;
+ int ret = zi_reset(z_import, 4096);
+ if (ret == 0) {
+ z_import->started = true;
+ z_import->start_timestamp = kr_now();
+ VERBOSE_MSG(NULL, "[zscanner] started; zone file `%s`\n",
+ zone_file);
+ ret = zi_state_parsing(s);
+ /* Try to find TA for worker->z_import.origin. */
+ map_t *trust_anchors = &z_import->worker->engine->resolver.trust_anchors;
+ knot_rrset_t *rr = kr_ta_get(trust_anchors, z_import->origin);
+ if (rr) {
+ z_import->ta = rr;
+ } else {
+ /* For now - fail.
+ * TODO - query DS and continue after answer had been obtained. */
+ char zone_name_str[KNOT_DNAME_MAXLEN];
+ knot_dname_to_str(zone_name_str, z_import->origin, sizeof(zone_name_str));
+ kr_log_error("[zimport] no TA found for `%s`, fail\n", zone_name_str);
+ ret = 1;
+ }
+ elapsed = kr_now() - z_import->start_timestamp;
+ elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed;
+ }
+ zs_deinit(s);
+ free(s);
+
+ if (ret != 0) {
+ kr_log_error("[zscanner] error parsing zone file `%s`\n", zone_file);
+ z_import->started = false;
+ return ret;
+ }
+
+ VERBOSE_MSG(NULL, "[zscanner] finished in %lu ms; zone file `%s`\n",
+ elapsed, zone_file);
+ map_walk(&z_import->rrset_indexed, zi_mapwalk_preprocess, z_import);
+
+ /* Zone have been parsed already, so start the import. */
+ uv_timer_start(&z_import->timer, zi_zone_process,
+ ZONE_IMPORT_PAUSE, ZONE_IMPORT_PAUSE);
+
+ return 0;
+}
+
+bool zi_import_started(struct zone_import_ctx *z_import)
+{
+ return z_import ? z_import->started : false;
+}
diff --git a/daemon/zimport.h b/daemon/zimport.h
new file mode 100644
index 0000000000000000000000000000000000000000..57b246e95bdc08925b2a3f453ba3c09f2c38ff74
--- /dev/null
+++ b/daemon/zimport.h
@@ -0,0 +1,68 @@
+/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <stdbool.h>
+
+struct worker_ctx;
+/** Zone import context (opaque). */
+struct zone_import_ctx;
+
+/**
+ * Completion callback
+ *
+ * @param state -1 - fail
+ * 0 - success
+ * 1 - success, but there are non-critical errors
+ * @param pointer to user data
+ */
+typedef void (*zi_callback)(int state, void *param);
+
+/**
+ * Allocate and initialize zone import context.
+ *
+ * @param worker pointer to worker state
+ * @return NULL or pointer to zone import context.
+ */
+struct zone_import_ctx *zi_allocate(struct worker_ctx *worker,
+ zi_callback cb, void *param);
+
+/** Free zone import context. */
+void zi_free(struct zone_import_ctx *z_import);
+
+/**
+ * Import zone from file.
+ *
+ * @note only root zone import is supported; origin must be NULL or "."
+ * @param z_import pointer to zone import context
+ * @param zone_file zone file name
+ * @param origin default origin
+ * @param rclass default class
+ * @param ttl default ttl
+ * @return 0 or an error code
+ */
+int zi_zone_import(struct zone_import_ctx *z_import,
+ const char *zone_file, const char *origin,
+ uint16_t rclass, uint32_t ttl);
+
+/**
+ * Check if import already in process.
+ *
+ * @param z_import pointer to zone import context.
+ * @return true if import already in process; false otherwise.
+ */
+bool zi_import_started(struct zone_import_ctx *z_import);
diff --git a/doc/modules.rst b/doc/modules.rst
index f109b3c8850b28f7fd42fb5e4592a5629013a198..1d4491f0e25c7c6b2d3d38a5e5b9d635cae1f6e2 100644
--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -31,3 +31,4 @@ Knot DNS Resolver modules
.. include:: ../modules/serve_stale/README.rst
.. include:: ../modules/detect_time_skew/README.rst
.. include:: ../modules/detect_time_jump/README.rst
+.. include:: ../modules/prefill/README.rst
diff --git a/lib/generic/array.h b/lib/generic/array.h
index fb10c0cd13462aa36192223efb5115f629fbc480..ece4dd147667162ecd412db00e7b37c4f1a2b855 100644
--- a/lib/generic/array.h
+++ b/lib/generic/array.h
@@ -124,14 +124,6 @@ static inline void array_std_free(void *baton, void *p)
#define array_reserve_mm(array, n, reserve, baton) \
(reserve)((baton), (char **) &(array).at, sizeof((array).at[0]), (n), &(array).cap)
-/**
- * Push value at the end of the array, resize it if necessary (plain malloc/free).
- * @note May fail if the capacity is not reserved.
- * @return element index on success, <0 on failure
- */
-#define array_push(array, val) \
- array_push_mm(array, val, array_std_reserve, NULL)
-
/**
* Push value at the end of the array, resize it if necessary.
* Mempool usage: pass kr_memreserve and a knot_mm_t* .
@@ -143,6 +135,14 @@ static inline void array_std_free(void *baton, void *p)
: (array_reserve_mm(array, ((array).cap + 1), reserve, baton) < 0 ? -1 \
: ((array).at[(array).len] = val, (array).len++)))
+/**
+ * Push value at the end of the array, resize it if necessary (plain malloc/free).
+ * @note May fail if the capacity is not reserved.
+ * @return element index on success, <0 on failure
+ */
+#define array_push(array, val) \
+ array_push_mm(array, val, array_std_reserve, NULL)
+
/**
* Pop value from the end of the array.
*/
diff --git a/lib/utils.c b/lib/utils.c
index 922ac3a9b1cb9b2624223dae17f87686da458a71..9a60b4356f80f2f2054bc196a6f9f4d85b4e8ff3 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -581,21 +581,33 @@ int kr_bitcmp(const char *a, const char *b, int bits)
return ret;
}
-int kr_rrkey(char *key, const knot_dname_t *owner, uint16_t type, uint8_t rank)
+int kr_rrkey(char *key, uint16_t class, const knot_dname_t *owner,
+ uint16_t type, uint16_t additional)
{
if (!key || !owner) {
return kr_error(EINVAL);
}
- key[0] = (rank << 2) | 0x01; /* Must be non-zero */
- uint8_t *key_buf = (uint8_t *)key + 1;
- int ret = knot_dname_to_wire(key_buf, owner, KNOT_DNAME_MAXLEN);
+ uint8_t *key_buf = (uint8_t *)key;
+ int ret = u16tostr(key_buf, class);
+ if (ret <= 0) {
+ return ret;
+ }
+ key_buf += ret;
+ ret = knot_dname_to_wire(key_buf, owner, KNOT_DNAME_MAXLEN);
if (ret <= 0) {
return ret;
}
knot_dname_to_lower(key_buf);
key_buf += ret - 1;
- /* Must convert to string, as the key must not contain 0x00 */
ret = u16tostr(key_buf, type);
+ if (ret <= 0) {
+ return ret;
+ }
+ key_buf += ret;
+ ret = u16tostr(key_buf, additional);
+ if (ret <= 0) {
+ return ret;
+ }
key_buf[ret] = '\0';
return (char *)&key_buf[ret] - key;
}
diff --git a/lib/utils.h b/lib/utils.h
index 306830cae6699a8fed3c07fb266b1921f21e65e2..e47ee7aee36227341c36f5aa081e371e2581a1d1 100644
--- a/lib/utils.h
+++ b/lib/utils.h
@@ -286,17 +286,20 @@ static inline uint8_t KEY_FLAG_RANK(const char *key)
static inline bool KEY_COVERING_RRSIG(const char *key)
{ return ((uint8_t)(key[0])) & KEY_FLAG_RRSIG; }
-/* Stash key = {[1] flags, [1-255] owner, [5] type, [1] \x00 } */
-#define KR_RRKEY_LEN (9 + KNOT_DNAME_MAXLEN)
+/* Stash key = {[5] class, [1-255] owner, [5] type, [5] additional, [1] \x00 } */
+#define KR_RRKEY_LEN (16 + KNOT_DNAME_MAXLEN)
/** Create unique null-terminated string key for RR.
* @param key Destination buffer for key size, MUST be KR_RRKEY_LEN or larger.
- * @param owner RR owner domain name.
+ * @param class RR class.
+ * @param owner RR owner name.
* @param type RR type.
- * @param rank RR rank (8 bit tag usable for anything).
+ * @param additional flags (for instance can be used for storing covered type
+ * when RR type is RRSIG).
* @return key length if successful or an error
* */
KR_EXPORT
-int kr_rrkey(char *key, const knot_dname_t *owner, uint16_t type, uint8_t rank);
+int kr_rrkey(char *key, uint16_t class, const knot_dname_t *owner,
+ uint16_t type, uint16_t additional);
/** @internal Add RRSet copy to ranked RR array. */
KR_EXPORT
diff --git a/modules/modules.mk b/modules/modules.mk
index 864058f679bfcd2271e4ad501462a96b9060d868..e4e5f9268bba84247180ecd8b0dfa025002be610 100644
--- a/modules/modules.mk
+++ b/modules/modules.mk
@@ -38,7 +38,8 @@ modules_TARGETS += etcd \
priming \
serve_stale \
detect_time_skew \
- detect_time_jump
+ detect_time_jump \
+ prefill
endif
# Make C module
diff --git a/modules/prefill/README.rst b/modules/prefill/README.rst
new file mode 100644
index 0000000000000000000000000000000000000000..678e9f2d51113084b638d73d77914fe9daea9095
--- /dev/null
+++ b/modules/prefill/README.rst
@@ -0,0 +1,39 @@
+Cache prefilling
+----------------
+
+This module provides ability to periodically prefill DNS cache by importing root zone data obtained over HTTPS.
+
+Intended users of this module are big resolver operators which will benefit from decreased latencies and smaller amount of traffic towards DNS root servets.
+
+Example configuration is:
+
+.. code-block:: lua
+
+ modules.load('prefill')
+ prefill.config({
+ ['.'] = {
+ url = 'https://www.internic.net/domain/root.zone',
+ ca_file = '/etc/pki/tls/certs/ca-bundle.crt',
+ interval = 86400 -- seconds
+ }
+ })
+
+This configuration downloads zone file from URL `https://www.internic.net/domain/root.zone` and imports it into cache every 86400 seconds (1 day). The HTTPS connection is authenticated using CA certificate from file `/etc/pki/tls/certs/ca-bundle.crt` and signed zone content is validated using DNSSEC.
+
+Root zone to import must be signed using DNSSEC and the resolver must have valid DNSSEC configuration. (For further details please see :ref:`enabling-dnssec`.)
+
+.. csv-table::
+ :header: "Parameter", "Description"
+
+ "ca_file", "path to CA certificate bundle used to authenticate the HTTPS connection"
+ "interval", "number of seconds between zone data refresh attempts"
+ "url", "URL of a file in :rfc:`1035` zone file format"
+
+Only root zone import is supported at the moment.
+
+Dependencies
+^^^^^^^^^^^^
+
+Depends on the luasec_ library.
+
+.. _luasec: https://luarocks.org/modules/brunoos/luasec
diff --git a/modules/prefill/prefill.lua b/modules/prefill/prefill.lua
new file mode 100644
index 0000000000000000000000000000000000000000..d1c372e80fa9973de73568f9124e3324d509eb9b
--- /dev/null
+++ b/modules/prefill/prefill.lua
@@ -0,0 +1,211 @@
+local https = require('ssl.https')
+local ltn12 = require('ltn12')
+local lfs = require('lfs')
+
+local rz_url = "https://www.internic.net/domain/root.zone"
+local rz_local_fname = "root.zone"
+local rz_ca_file = nil
+local rz_event_id = nil
+
+local rz_default_interval = 86400
+local rz_https_fail_interval = 600
+local rz_no_ta_interval = 600
+local rz_cur_interval = rz_default_interval
+local rz_interval_randomizator_limit = 10
+local rz_interval_threshold = 5
+local rz_interval_min = 3600
+
+local prefill = {
+}
+
+
+-- Fetch over HTTPS with peert cert checked
+local function https_fetch(url, ca_file)
+ assert(string.match(url, '^https://'))
+ assert(ca_file)
+
+ local resp = {}
+ local r, c = https.request{
+ url = url,
+ verify = {'peer', 'fail_if_no_peer_cert' },
+ cafile = ca_file,
+ protocol = 'tlsv1_2',
+ sink = ltn12.sink.table(resp),
+ }
+ if r == nil then
+ return r, c
+ end
+ return resp, "[prefill] "..url.." downloaded"
+end
+
+-- Write zone to a file
+local function zone_write(zone, fname)
+ local file, errmsg = io.open(fname, 'w')
+ if not file then
+ error(string.format("[prefill] unable to open file %s (%s)",
+ fname, errmsg))
+ end
+ for i = 1, #zone do
+ local zone_chunk = zone[i]
+ file:write(zone_chunk)
+ end
+ file:close()
+end
+
+local function display_delay(time)
+ local days = math.floor(time / 86400)
+ local hours = math.floor((time % 86400) / 3600)
+ local minutes = math.floor((time % 3600) / 60)
+ local seconds = math.floor(time % 60)
+ if days > 0 then
+ return string.format("%d days %02d hours", days, hours)
+ elseif hours > 0 then
+ return string.format("%02d hours %02d minutes", hours, minutes)
+ elseif minutes > 0 then
+ return string.format("%02d minutes %02d seconds", minutes, seconds)
+ end
+ return string.format("%02d seconds", seconds)
+end
+
+-- returns: number of seconds the file is valid for
+-- 0 indicates immediate download
+local function get_file_ttl(fname)
+ local attrs = lfs.attributes(fname)
+ if attrs then
+ local age = os.time() - attrs.modification
+ return math.max(
+ rz_cur_interval - age,
+ 0)
+ else
+ return 0 -- file does not exist, download now
+ end
+end
+
+local function download(url, fname)
+ log("[prefill] downloading root zone...")
+ local rzone, err = https_fetch(url, rz_ca_file)
+ if rzone == nil then
+ error(string.format("[prefill] fetch of `%s` failed: %s", url, err))
+ end
+
+ log("[prefill] saving root zone...")
+ zone_write(rzone, fname)
+end
+
+local function import(fname)
+ local res = cache.zone_import(fname)
+ if res.code == 1 then -- no TA found, wait
+ error("[prefill] no trust anchor found for root zone, import aborted")
+ elseif res.code == 0 then
+ log("[prefill] root zone successfully parsed, import started")
+ else
+ error(string.format("[prefill] root zone import failed (%s)", res.msg))
+ end
+end
+
+local function timer()
+ local file_ttl = get_file_ttl(rz_local_fname)
+
+ if file_ttl > rz_interval_threshold then
+ log("[prefill] root zone file valid for %s, reusing data from disk",
+ display_delay(file_ttl))
+ else
+ local ok, errmsg = pcall(download, rz_url, rz_local_fname)
+ if not ok then
+ rz_cur_interval = rz_https_fail_interval
+ - math.random(rz_interval_randomizator_limit)
+ log("[prefill] cannot download new zone (%s), "
+ .. "will retry root zone download in %s",
+ errmsg, display_delay(rz_cur_interval))
+ event.reschedule(rz_event_id, rz_cur_interval * sec)
+ return
+ end
+ file_ttl = rz_default_interval
+ end
+ -- file is up to date, import
+ -- import/filter function gets executed after resolver/module
+ local ok, errmsg = pcall(import, rz_local_fname)
+ if not ok then
+ rz_cur_interval = rz_no_ta_interval
+ - math.random(rz_interval_randomizator_limit)
+ log("[prefill] root zone import failed (%s), retry in %s",
+ errmsg, display_delay(rz_cur_interval))
+ else
+ -- re-download before TTL expires
+ rz_cur_interval = (file_ttl - rz_interval_threshold
+ - math.random(rz_interval_randomizator_limit))
+ log("[prefill] root zone refresh in %s",
+ display_delay(rz_cur_interval))
+ end
+ event.reschedule(rz_event_id, rz_cur_interval * sec)
+end
+
+function prefill.init()
+ math.randomseed(os.time())
+end
+
+function prefill.deinit()
+ if rz_event_id then
+ event.cancel(rz_event_id)
+ rz_event_id = nil
+ end
+end
+
+-- process one item from configuration table
+-- right now it supports only root zone because
+-- prefill module uses global variables
+local function config_zone(zone_cfg)
+ if zone_cfg.interval then
+ zone_cfg.interval = tonumber(zone_cfg.interval)
+ if zone_cfg.interval < rz_interval_min then
+ error(string.format('[prefill] refresh interval %d s is too short, '
+ .. 'minimal interval is %d s',
+ zone_cfg.interval, rz_interval_min))
+ end
+ rz_default_interval = zone_cfg.interval
+ rz_cur_interval = zone_cfg.interval
+ end
+
+ if not zone_cfg.ca_file then
+ error('[prefill] option ca_file must point '
+ .. 'to a directory with CA certificates in PEM format')
+ else
+ local _, dir_obj = lfs.dir(zone_cfg.ca_file)
+ dir_obj:close()
+ end
+ rz_ca_file = zone_cfg.ca_file
+
+ if not zone_cfg.url or not string.match(zone_cfg.url, '^https://') then
+ error('[prefill] option url must contain a '
+ .. 'https:// URL of a zone file')
+ else
+ rz_url = zone_cfg.url
+ end
+end
+
+function prefill.config(config)
+ local root_configured = false
+ if not config or type(config) ~= 'table' then
+ error('[prefill] configuration must be in table '
+ .. '{owner name = {per-zone config}}')
+ end
+ for owner, zone_cfg in pairs(config) do
+ if owner ~= '.' then
+ error('[prefill] only root zone can be imported '
+ .. 'at the moment')
+ else
+ config_zone(zone_cfg)
+ root_configured = true
+ end
+ end
+ if not root_configured then
+ error('[prefill] this module version requires configuration '
+ .. 'for root zone')
+ end
+
+ -- ability to change intervals
+ prefill.deinit()
+ rz_event_id = event.after(0, timer)
+end
+
+return prefill
diff --git a/modules/prefill/prefill.mk b/modules/prefill/prefill.mk
new file mode 100644
index 0000000000000000000000000000000000000000..7b10ba9ec9e9146af9dc1b12263031e1c43e8e91
--- /dev/null
+++ b/modules/prefill/prefill.mk
@@ -0,0 +1,2 @@
+prefill_SOURCES := prefill.lua
+$(call make_lua_module,prefill)