/*
 * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id$ */

/*
 * Response Policy Zone (RPZ) interface: the types shared between the
 * configuration, the radix (CIDR) tree of policy addresses, and the
 * per-query state used while searching for the best matching policy.
 */

#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1

#include <isc/lang.h>

#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>

ISC_LANG_BEGINDECLS

/*
 * Label prefix and the reserved sub-zone names under a policy zone origin.
 * The sub-zone names are built by string-literal concatenation with the prefix.
 */
#define DNS_RPZ_PREFIX		"rpz-"
#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
#define DNS_RPZ_PASSTHRU_ZONE	DNS_RPZ_PREFIX"passthru"

/* Prefix length of a CIDR entry; 8 bits is enough for IPv4 (32) and IPv6 (128). */
typedef isc_uint8_t		dns_rpz_cidr_bits_t;

/*
 * Which kind of trigger matched (or is being searched for).
 * DNS_RPZ_TYPE_BAD is the "no/invalid type" value.
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_QNAME,
	DNS_RPZ_TYPE_IP,
	DNS_RPZ_TYPE_NSDNAME,
	DNS_RPZ_TYPE_NSIP
} dns_rpz_type_t;

/*
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
 * policies.  The explicit numeric values below pin that ordering; do not
 * reorder these enumerators without revisiting the comparisons that rely on it.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* 'disabled': presumably the zone's
					 * policy is not applied -- confirm;
					 * the original comment here duplicated
					 * the 'cname x' text */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_RECORD,		/* values from here on are not part of
					 * the ordered comparison above */
	DNS_RPZ_POLICY_WILDCNAME,
	DNS_RPZ_POLICY_MISS,
	DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;

/*
 * Specify a response policy zone.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

struct dns_rpz_zone {
	ISC_LINK(dns_rpz_zone_t) link;
	int		 num;		/* ordinal in list of policy zones */
	dns_name_t	 origin;	/* Policy zone name */
	dns_name_t	 nsdname;	/* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t	 passthru;	/* DNS_RPZ_PASSTHRU_ZONE.origin,
					 * by analogy with nsdname -- confirm */
	dns_name_t	 cname;		/* override value for ..._CNAME */
	dns_ttl_t	 max_policy_ttl; /* NOTE(review): name suggests an
					 * upper bound on the TTL of rewritten
					 * answers; see DNS_RPZ_MAX_TTL_DEFAULT */
	dns_rpz_policy_t policy;	/* DNS_RPZ_POLICY_GIVEN or override */
	isc_boolean_t	 recursive_only;
	isc_boolean_t	 defined;
};

/*
 * Radix trees for response policy IP addresses.
 * Opaque here; only the functions below operate on it.
 */
typedef struct dns_rpz_cidr	dns_rpz_cidr_t;

/*
 * Context for finding the best policy.
 */
typedef struct {
	/*
	 * Bit set of DNS_RPZ_* flags recording which checks have already
	 * been done and which kinds of triggers the configured zones hold.
	 */
	unsigned int		state;
# define DNS_RPZ_REWRITTEN	0x0001
# define DNS_RPZ_DONE_QNAME	0x0002	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP	0x0004	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME	0x0008	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4	0x0010
# define DNS_RPZ_RECURSING	0x0020
# define DNS_RPZ_HAVE_IP	0x0040	/* a policy zone has IP addresses */
# define DNS_RPZ_HAVE_NSIPv4	0x0080	/* IPv4 NSIP addresses */
# define DNS_RPZ_HAVE_NSIPv6	0x0100	/* IPv6 NSIP addresses */
# define DNS_RPZ_HAVE_NSDNAME	0x0200	/* NS names */
	/*
	 * Best match so far.
	 */
	struct {
		dns_rpz_type_t		type;
		dns_rpz_zone_t		*rpz;
		dns_rpz_cidr_bits_t	prefix;
		dns_rpz_policy_t	policy;
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbversion_t		*version;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int		label;
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;
		dns_rdatatype_t		r_type;
		isc_result_t		r_result;
		dns_rdataset_t		*r_rdataset;
	} r;
	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;
	/*
	 * Working names.  The pointers presumably refer into the fixed-name
	 * storage that follows (qname -> _qnamef, etc.) -- confirm in the
	 * code that initializes this structure.
	 */
	dns_name_t		*qname;
	dns_name_t		*r_name;
	dns_name_t		*fname;
	dns_fixedname_t		_qnamef;
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;

/* Default TTL (seconds) for policy answers, and the default TTL cap. */
#define DNS_RPZ_TTL_DEFAULT		5
#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT

/*
 * So various response policy zone messages can be turned up or down.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
/* One step beyond DEBUG_LEVEL3; presumably used to silence a message. */
#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)

/*
 * Return a printable name for a trigger type.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword (e.g. 'given', 'passthru') into a dns_rpz_policy_t.
 * Which value is returned for unrecognized input is defined in the .c file.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Return a printable name for a policy value.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Release a CIDR tree.  Takes the address of the caller's pointer, so the
 * implementation can clear it; ownership of *cidr passes to this function.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Tear down the RPZ state attached to a view.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Create a CIDR tree for the policy zone 'origin'; the new tree is returned
 * through 'rbtdb_cidr'.  Returns an isc_result_t; callers must check it.
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
		 dns_rpz_cidr_t **rbtdb_cidr);

/*
 * Record in 'st' which kinds of triggers 'cidr' holds (see the
 * DNS_RPZ_HAVE_* state bits).
 */
void
dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);

/*
 * Remove / add the address encoded in an rpz-ip / rpz-nsip owner 'name'.
 * The encoding of an address as a DNS name is defined by the implementation.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Look up 'netaddr' in 'cidr' for trigger type 'type'.  On success the
 * matching owner name is reported through 'canon_name' / 'search_name'
 * and the matched prefix length through 'prefix'.  Returns an isc_result_t;
 * callers must check it before using the output parameters.
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
		  dns_rpz_type_t type, dns_name_t *canon_name,
		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);

/*
 * Map the CNAME found in a policy record to a dns_rpz_policy_t
 * (e.g. the special targets meaning passthru/nxdomain/nodata), taking the
 * zone's override policy into account.  'selfname' is the name used to
 * recognize the self-referential special case -- confirm against the .c file.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);

ISC_LANG_ENDDECLS

#endif /* DNS_RPZ_H */