(* (c) 2017, 2018 Hannes Mehnert, all rights reserved *)
open Rresult
open R.Infix
open Dns
(* log source for everything this module emits; [Log] is the convenience
   wrapper bound to it *)
let src = Logs.Src.create ~doc:"DNS server" "dns_server"

module Log = (val Logs.src_log src : Logs.LOG)

(* IPv4-keyed map, used below for per-remote notification state *)
module IPM = Map.Make(Ipaddr.V4)
(** [guard p err] is [Ok ()] when [p] holds and [Error err] otherwise; the
    building block of the [>>=] validation chains in this file. *)
let guard p err =
  match p with
  | true -> Ok ()
  | false -> Error err

(** [guardf p err] is {!guard} with a lazily built error: [err ()] runs only
    when [p] is false, so the thunk may log without firing on success. *)
let guardf p err =
  match p with
  | true -> Ok ()
  | false -> Error (err ())

(* transport the request arrived on; zone transfers are only served on TCP *)
type proto = [ `Tcp | `Udp ]
(** Key-based authorisation of dynamic updates and zone transfers.

    Keys live in their own {!Dns_trie.t} (separate from the served zone data)
    as DNSKEY records whose owner name encodes what the key is for: an
    [_update] or [_transfer] label marks the operation and the labels after it
    name the zone, e.g. [foo._update.example] (see {!tsig_auth}). The second
    component of {!t} is the list of predicates {!authorise} consults. *)
module Authentication = struct
(* the two operations a key can be granted *)
type operation = [
| `Update
| `Transfer
]
(** An authorisation predicate: given the key trie, the transport, the name of
    the key the request was verified with (if any), the operation and the
    zone, decide whether to allow the operation. *)
type a = Dns_trie.t -> proto -> ?key:[ `raw ] Domain_name.t -> operation -> zone:[ `raw ] Domain_name.t -> bool
(* key trie plus the predicates used by [authorise] *)
type t = Dns_trie.t * a list
(* the label that encodes an operation in a key name *)
let operation_to_string = function
| `Update -> "_update"
| `Transfer -> "_transfer"
(** [is_op op name] is [true] if any label of [name] equals the [op] label;
    the position of the label is not checked (see the TODO). *)
let is_op op name =
(* TODO should check that op is at the beginning? *)
let arr = Domain_name.to_array name in
Array.exists (String.equal (operation_to_string op)) arr
(** [find_zone_ips name] parses a transfer-key name into
    [Some (zone, primary_ip, secondary_ip option)] or [None].
    The labels before [_transfer] form the zone ([Domain_name.to_array] is
    taken to list labels root-first, since the zone is [Array.sub arr 0 idx]).
    [ip start] parses the four labels right after [_transfer], [ip (start + 4)]
    the four after those: with both present the farther group is the primary
    and the nearer one the secondary; with only the nearer one, it is the
    primary. No [_transfer] label or no parsable address gives [None]. *)
let find_zone_ips name =
(* the name of a key is primaryip.secondaryip._transfer.zone
e.g. 192.168.42.2.192.168.42.1._transfer.mirage
alternative: <whatever>.primaryip._transfer.zone *)
let arr = Domain_name.to_array name in
let transfer = operation_to_string `Transfer in
try
(* [go] runs past the end of [arr] when there is no [_transfer] label; the
   [Invalid_argument] raised by [Array.get] is caught below and yields [None] *)
let rec go idx = if Array.get arr idx = transfer then idx else go (succ idx) in
let zone_idx = go 0 in
let zone = Domain_name.of_array (Array.sub arr 0 zone_idx) in
let start = succ zone_idx in
(* four labels from [start] read as dotted IPv4; too few labels ([Array.sub]
   raises) or an unparsable address give [None] *)
let ip start =
try
let subarr = Array.sub arr start 4 in
let host = Domain_name.of_array subarr in
match Ipaddr.V4.of_string (Domain_name.to_string host) with
| Error _ -> None
| Ok ip -> Some ip
with Invalid_argument _ -> None
in
(* the address directly after [_transfer] is mandatory *)
match ip (start + 4), ip start with
| _, None -> None
| None, Some ip -> Some (zone, ip, None)
| Some primary, Some secondary -> Some (zone, primary, Some secondary)
with Invalid_argument _ -> None
(** [find_ns s (trie, _) zone] lists [(key_name, ip)] for every DNSKEY in the
    key trie whose name parses with {!find_zone_ips} and whose zone is [zone]
    or the root (root-level keys apply to every zone): the primary address for
    [`P], the secondary address for [`S] (keys without one are skipped). *)
let find_ns s (trie, _) zone =
let accumulate name _ acc =
let matches_zone z = Domain_name.(equal z root || equal z zone) in
match find_zone_ips name, s with
| None, _ -> acc
| Some (z, prim, _), `P when matches_zone z-> (name, prim) :: acc
| Some (z, _, Some sec), `S when matches_zone z -> (name, sec) :: acc
| Some _, _ -> acc
in
Dns_trie.fold Rr_map.Dnskey trie accumulate []
let secondaries t zone = find_ns `S t zone
let primaries t zone = find_ns `P t zone
(* every label that marks an operation in a key name *)
let all_operations =
List.map operation_to_string [ `Update ; `Transfer ]
(** [zone name] is the prefix of a key name before the first operation label
    ([_update]/[_transfer]), or the whole name if there is none.
    @raise Invalid_argument (via [host_exn]) if that prefix is not a valid
    hostname. *)
let zone name =
let arr = Domain_name.to_array name in
let len = Array.length arr in
let rec go idx =
if idx = len then
len
else if List.exists (String.equal (Array.get arr idx)) all_operations then
idx
else
go (succ idx)
in
let zidx = go 0 in
Domain_name.(host_exn (of_array (Array.sub arr 0 zidx)))
(** [soa name] is a placeholder SOA for a key zone (ns/hostmaster under
    [name], serial 0), used by {!add_keys} when the key zone has no SOA yet.
    The [_exn] helpers raise if the labels cannot be prepended. *)
let soa name =
let nameserver = Domain_name.prepend_label_exn name "ns"
and hostmaster = Domain_name.prepend_label_exn name "hostmaster"
in
{ Soa.nameserver ; hostmaster ; serial = 0l ; refresh = 16384l ;
retry = 2048l ; expiry = 1048576l ; minimum = 300l }
(** [add_keys trie name keys] stores [keys] as the DNSKEY set of [name] in the
    key trie, bumping (or creating) the SOA of the key zone. An existing key
    set under [name] is replaced, not merged (a warning is logged).
    @raise Invalid_argument if {!zone} does (see there). *)
let add_keys trie name keys =
let zone = zone name in
(* bump the key zone's SOA serial, or create one if the zone is new *)
let soa =
match Dns_trie.lookup zone Rr_map.Soa trie with
| Ok soa -> { soa with Soa.serial = Int32.succ soa.Soa.serial }
| Error _ -> soa zone
in
let keys' = match Dns_trie.lookup name Rr_map.Dnskey trie with
| Error _ -> keys
| Ok (_, dnskeys) ->
Log.warn (fun m -> m "replacing Dnskeys (name %a, present %a, add %a)"
Domain_name.pp name
Fmt.(list ~sep:(unit ",") Dnskey.pp)
(Rr_map.Dnskey_set.elements dnskeys)
Fmt.(list ~sep:(unit ";") Dnskey.pp)
(Rr_map.Dnskey_set.elements keys) ) ;
keys
in
let trie' = Dns_trie.insert zone Rr_map.Soa soa trie in
Dns_trie.insert name Rr_map.Dnskey (0l, keys') trie'
(** [of_keys keys] builds a key trie from [(name, dnskey)] pairs; a later
    pair with the same name replaces the earlier one (see {!add_keys}). *)
let of_keys keys =
List.fold_left (fun trie (name, key) ->
add_keys trie name (Rr_map.Dnskey_set.singleton key))
Dns_trie.empty keys
(** [find_key t name] is the single DNSKEY stored under [name], or [None]
    (with a warning) if there is none or more than one: an ambiguous key set
    is treated as "no key" rather than picking one of them. *)
let find_key t name =
match Dns_trie.lookup name Rr_map.Dnskey (fst t) with
| Ok (_, keys) ->
if Rr_map.Dnskey_set.cardinal keys = 1 then
Some (Rr_map.Dnskey_set.choose keys)
else begin
Log.warn (fun m -> m "found multiple (%d) keys for %a"
(Rr_map.Dnskey_set.cardinal keys)
Domain_name.pp name) ;
None
end
| Error e ->
Log.warn (fun m -> m "error %a while looking up key %a" Dns_trie.pp_e e
Domain_name.pp name) ;
None
(** [tsig_auth _ _ ?key op ~zone] is the name-based predicate: [op] on [zone]
    is allowed when [key] is a subdomain (per [Domain_name.sub]) of
    [<op-label>.zone] or of the bare operation label at the root, so e.g. a
    key named [x._update] may update every zone. Without a key nothing is
    allowed. The key trie and transport arguments are ignored; the caller is
    expected to pass [key] only after TSIG verification (see [handle_buf]). *)
let tsig_auth _ _ ?key op ~zone =
match key with
| None -> false
| Some subdomain ->
let op_string = operation_to_string op in
let root = Domain_name.of_string_exn op_string
and zone = Domain_name.prepend_label_exn zone op_string
in
Domain_name.sub ~subdomain ~domain:zone
|| Domain_name.sub ~subdomain ~domain:root
(** [authorise (data, predicates) proto ?key ~zone operation] is [true] if any
    configured predicate accepts; with an empty predicate list every update
    and transfer is refused. *)
let authorise (data, authorised) proto ?key ~zone operation =
List.exists (fun a -> a data proto ?key operation ~zone) authorised
end
(** Server state. The TSIG hooks default to the no-op implementations in
    {!create}, in which case nothing is verified or signed. *)
type t = {
data : Dns_trie.t ; (* served zone data *)
auth : Authentication.t ; (* key trie plus authorisation predicates *)
rng : int -> Cstruct.t ; (* random bytes, used for NOTIFY message ids *)
tsig_verify : Tsig_op.verify ; (* verifies incoming TSIG signatures *)
tsig_sign : Tsig_op.sign ; (* signs outgoing packets *)
}
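(** [text name data] renders the zone [name] of [data] as a zone file:
    [$ORIGIN] (with trailing dot) and [$TTL] (the SOA minimum), the SOA
    record, all ordinary names, a blank line, then the names whose leftmost
    label starts with ['_']. Returns [Error (`Msg _)] when [name] is not a
    zone of [data]. *)
let text name data =
  match Dns_trie.entries name data with
  | Error e ->
    Error (`Msg (Fmt.strf "text: couldn't find zone %a: %a" Domain_name.pp name Dns_trie.pp_e e))
  | Ok (soa, map) ->
    let buf = Buffer.create 1024 in
    let origin, default_ttl =
      Buffer.add_string buf
        ("$ORIGIN " ^ Domain_name.to_string ~trailing:true name ^ "\n") ;
      let ttl = soa.minimum in
      Buffer.add_string buf
        ("$TTL " ^ Int32.to_string ttl ^ "\n") ;
      name, ttl
    in
    Buffer.add_string buf (Rr_map.text ~origin ~default_ttl name Soa soa) ;
    Buffer.add_char buf '\n' ;
    let out map =
      Domain_name.Map.iter (fun name rrs ->
          Rr_map.iter (fun b ->
              Buffer.add_string buf (Rr_map.text_b ~origin ~default_ttl name b) ;
              Buffer.add_char buf '\n')
            rrs)
        map
    in
    let is_special name _ =
      (* if only domain-name had proper types *)
      (* [to_array] appears to list labels root-first (cf. [find_zone_ips]),
         so the last element is the leftmost label; an empty name makes
         [Array.get] raise [Invalid_argument], handled as "not special" *)
      let arr = Domain_name.to_array name in
      match Array.get arr (pred (Array.length arr)) with
      | exception Invalid_argument _ -> false
      | lbl ->
        (* the original guarded [String.get] with [Not_found], which it never
           raises (an empty label raises [Invalid_argument]); check the length
           explicitly instead *)
        String.length lbl > 0 && String.get lbl 0 = '_'
    in
    let service, entries = Domain_name.Map.partition is_special map in
    out entries ;
    Buffer.add_char buf '\n' ;
    out service ;
    Ok (Buffer.contents buf)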
(** [create ?tsig_verify ?tsig_sign data auth rng] assembles the server
    state; both TSIG hooks default to the no-op implementations. *)
let create ?(tsig_verify = Tsig_op.no_verify) ?(tsig_sign = Tsig_op.no_sign) data auth rng =
  let server = { data ; auth ; rng ; tsig_verify ; tsig_sign } in
  server
(** [find_glue trie names] collects the A/AAAA glue [trie] knows for each
    host in [names] into a name -> rr-map; hosts without any glue are left
    out. *)
let find_glue trie names =
  let glue_of host =
    match Dns_trie.lookup_glue host trie with
    | None, None -> None
    | Some v4, None -> Some (Rr_map.singleton A v4)
    | None, Some v6 -> Some (Rr_map.singleton Aaaa v6)
    | Some v4, Some v6 -> Some Rr_map.(add A v4 (singleton Aaaa v6))
  in
  let add_host host acc =
    match glue_of host with
    | None -> acc
    | Some rrs -> Domain_name.Map.add (Domain_name.raw host) rrs acc
  in
  Domain_name.Host_set.fold add_host names Domain_name.Map.empty
(* header flags for answers from zones we serve *)
let authoritative =
  (* TODO should copy recursion desired *)
  Packet.Flags.singleton `Authoritative

(** [err_flags rcode] are the header flags for an error reply: none for
    [NotAuth] (we are not claiming authority), the authoritative set
    otherwise. *)
let err_flags rcode =
  match rcode with
  | Rcode.NotAuth -> Packet.Flags.empty
  | _ -> authoritative
(** [lookup trie (name, typ)] answers a query for [name]/[typ] from [trie].
    [Ok (flags, (answer, authority), additional)] on success, otherwise
    [Error (rcode, sections option)]:
    - data found: the rrset(s) in answer, the zone's NS in authority and glue
      in additional, each with anything already present in an earlier section
      removed;
    - delegation: no answer, the delegating NS plus glue, no authoritative flag;
    - name exists but has no data of this type: SOA in authority (NODATA);
    - name does not exist: [NXDomain] with SOA in authority;
    - not one of our zones: [NotAuth]. *)
let lookup trie (name, typ) =
(* TODO: should randomize answers + ad? *)
let r = match typ with
| `Any -> Dns_trie.lookup_any name trie
| `K (Rr_map.K k) -> match Dns_trie.lookup_with_cname name k trie with
| Ok (B (k, v), au) -> Ok (Rr_map.singleton k v, au)
| Error e -> Error e
in
match r with
| Ok (an, (au, ttl, ns)) ->
let answer = Domain_name.Map.singleton name an in
(* [remove_sub] presumably drops entries already covered by the map given
   second, so a name is not repeated across sections *)
let authority =
Name_rr_map.remove_sub (Name_rr_map.singleton au Ns (ttl, ns)) answer
in
let additional =
(* glue for every host named in the answer rrsets and in the NS set *)
let names =
Rr_map.(fold (fun (B (k, v)) s -> Domain_name.Host_set.union (names k v) s) an ns)
in
Name_rr_map.remove_sub
(Name_rr_map.remove_sub (find_glue trie names) answer)
authority
in
Ok (authoritative, (answer, authority), Some additional)
(* referral: we are not authoritative below the delegation point *)
| Error (`Delegation (name, (ttl, ns))) ->
let authority = Name_rr_map.singleton name Ns (ttl, ns) in
Ok (Packet.Flags.empty, (Name_rr_map.empty, authority), Some (find_glue trie ns))
(* name exists, no data of this type: NoError with the zone SOA *)
| Error (`EmptyNonTerminal (zname, soa)) ->
let authority = Name_rr_map.singleton zname Soa soa in
Ok (authoritative, (Name_rr_map.empty, authority), None)
(* name does not exist in a zone we serve *)
| Error (`NotFound (zname, soa)) ->
let authority = Name_rr_map.singleton zname Soa soa in
Error (Rcode.NXDomain, Some (Name_rr_map.empty, authority))
| Error `NotAuthoritative -> Error (Rcode.NotAuth, None)
(** [authorise_zone_transfer auth proto key zone] gates a zone transfer:
    [Error Refused] unless the transport is TCP, [Error NotAuth] unless [key]
    is authorised for [`Transfer] on [zone]; both refusals are logged. *)
let authorise_zone_transfer auth proto key zone =
  if proto <> `Tcp then begin
    Log.err (fun m -> m "refusing zone transfer of %a via UDP" Domain_name.pp zone);
    Error Rcode.Refused
  end else if not (Authentication.authorise auth proto ?key ~zone `Transfer) then begin
    Log.err (fun m -> m "refusing unauthorised zone transfer of %a" Domain_name.pp zone) ;
    Error Rcode.NotAuth
  end else
    Ok ()
(** [axfr t proto key (zone, _)] serves a full zone transfer: after
    {!authorise_zone_transfer} succeeds, the SOA and all entries of [zone],
    or [Error NotAuth] when [zone] is not served by [t.data]. *)
let axfr t proto key ((zone, _) as question) =
  authorise_zone_transfer t.auth proto key zone >>= fun () ->
  let entries = Dns_trie.entries zone t.data in
  match entries with
  | Error e ->
    Log.err (fun m -> m "AXFR attempted on %a, where we're not authoritative %a"
                Domain_name.pp zone Dns_trie.pp_e e);
    Error Rcode.NotAuth
  | Ok (soa, rrs) ->
    Log.info (fun m -> m "transfer key %a authorised for AXFR %a"
                 Fmt.(option ~none:(unit "none") Domain_name.pp) key
                 Packet.Question.pp question);
    Ok (soa, rrs)
(* serial-keyed map: the tries a zone had at earlier serials (for IXFR) *)
module IM = Map.Make(Int32)

(** [find_trie m name serial] is the cached trie of zone [name] at [serial],
    if it is still remembered. *)
let find_trie m name serial =
  match Domain_name.Map.find name m with
  | Some by_serial -> IM.find_opt serial by_serial
  | None -> None
(** [ixfr t m proto key (zone, _) soa] serves an incremental transfer: the
    difference between the cached trie at the client's [soa] serial (the empty
    trie when no longer cached, which presumably yields a full-zone diff) and
    the current [t.data]. Requires {!authorise_zone_transfer}; a failing diff
    is reported as [NotAuth]. *)
let ixfr t m proto key ((zone, _) as question) soa =
  authorise_zone_transfer t.auth proto key zone >>= fun () ->
  Log.info (fun l -> l "transfer key %a authorised for IXFR %a"
               Fmt.(option ~none:(unit "none") Domain_name.pp) key
               Packet.Question.pp question);
  let old =
    match find_trie m zone soa.Soa.serial with
    | Some cached -> cached
    | None -> Dns_trie.empty
  in
  match Dns_trie.diff zone soa ~old t.data with
  | Error (`Msg msg) ->
    Log.err (fun l -> l "IXFR attempted on %a, where diff failed with %s"
                Domain_name.pp zone msg);
    Error Rcode.NotAuth
  | Ok delta -> Ok delta
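(** [safe_decode buf] decodes a wire-format packet. Every decode failure is
    logged and turned into [Error Rcode.FormErr] so the caller can answer with
    FORMERR instead of dropping the datagram (an earlier version mapped
    partial frames, bad EDNS versions and not-implemented features to distinct
    rcodes; they are all collapsed into FormErr here).

    Logs through this module's [Log] source, like every other message in this
    file (the original used the default [Logs] source, so these lines did not
    carry the "dns_server" source). Note the log fires for every malformed
    packet from any sender; lower the level if volume matters. *)
let safe_decode buf =
  match Packet.decode buf with
  | Ok v -> Ok v
  | Error e ->
    Log.err (fun m -> m "error %a while decoding, giving up" Packet.pp_err e);
    Error Rcode.FormErr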
(** [handle_question t (name, typ)] answers an ordinary query via {!lookup};
    the transfer query types are refused with [NotImp] (the decoder turns
    those into dedicated requests, so this arm is not expected to be hit). *)
let handle_question t (name, typ) =
  (* TODO white/blacklist of allowed qtypes? what about ANY and UDP? *)
  match typ with
  | (`K _ | `Any) as qtype -> lookup t.data (name, qtype)
  | `Axfr | `Ixfr ->
    (* this won't happen, decoder constructs `Axfr *)
    Error (Rcode.NotImp, None)
(* this implements RFC 2136 Section 2.4 + 3.2 *)
(** [handle_rr_prereq name trie prereq] evaluates one RFC 2136 prerequisite
    against [trie]: [Ok ()] if it holds, otherwise the rcode the whole update
    must fail with. Name existence is probed with a lookup of type A, taking
    [`EmptyNonTerminal] as "name exists, no such type" and [`NotFound] as
    "name does not exist" (this relies on Dns_trie's error semantics). *)
let handle_rr_prereq name trie = function
(* "Name is in use": at least one rrset at [name] *)
| Packet.Update.Name_inuse ->
begin match Dns_trie.lookup name A trie with
| Ok _ | Error (`EmptyNonTerminal _) -> Ok ()
| _ -> Error Rcode.NXDomain
end
(* "RRset exists (value independent)" *)
| Packet.Update.Exists (K typ) ->
begin match Dns_trie.lookup name typ trie with
| Ok _ -> Ok ()
| _ -> Error Rcode.NXRRSet
end
(* "Name is not in use": nothing at all at [name] *)
| Packet.Update.Not_name_inuse ->
begin match Dns_trie.lookup name A trie with
| Error (`NotFound _) -> Ok ()
| _ -> Error Rcode.YXDomain
end
(* "RRset does not exist" *)
| Packet.Update.Not_exists (K typ) ->
begin match Dns_trie.lookup name typ trie with
| Error (`EmptyNonTerminal _ | `NotFound _) -> Ok ()
| _ -> Error Rcode.YXRRSet
end
(* "RRset exists (value dependent)": the stored rrset must equal [v] *)
| Packet.Update.Exists_data Rr_map.(B (k, v)) ->
match Dns_trie.lookup name k trie with
| Ok v' when Rr_map.equal_rr k v v' -> Ok ()
| _ -> Error Rcode.NXRRSet
(* RFC 2136 Section 2.5 + 3.4.2 *)
(* we partially ignore 3.4.2.3 and 3.4.2.4 by not special-handling of NS, SOA *)
(** [handle_rr_update name trie update] applies one RFC 2136 update operation
    to [trie] and returns the new trie. No rcode is produced here; the result
    is validated afterwards by [Dns_trie.check] in [update_data]. *)
let handle_rr_update name trie = function
| Packet.Update.Remove (K typ) ->
begin match typ with
| Soa ->
(* this does not follow 2136, but we want to be able to remove a zone *)
(* (2136 3.4.2.3 would ignore the deletion of an apex SOA; here it drops
   the whole zone) *)
Dns_trie.remove_zone name trie
| _ -> Dns_trie.remove_ty name typ trie
end
| Packet.Update.Remove_all -> Dns_trie.remove_all name trie
| Packet.Update.Remove_single Rr_map.(B (k, v)) -> Dns_trie.remove name k v trie
| Packet.Update.Add Rr_map.(B (k, add)) ->
(* turns out, RFC 2136, 3.4.2.2 says "SOA with smaller or equal serial is silently ignored" *)
(* NOTE(review): no serial comparison happens here; whether [Dns_trie.insert]
   applies that rule for SOA is not visible from this file -- confirm *)
(* here we allow arbitrary, even out-of-zone updates. this is
crucial for the resolver operation as we have it right now:
add . 300 NS resolver ; add resolver . 300 A 141.1.1.1 would
otherwise fail (no SOA for . / delegation for resolver) *)
(* NOTE(review): [update_data] rejects names outside the updated zone before
   reaching here, so "out-of-zone" presumably means the trie does not
   require an enclosing SOA or delegation for [name] *)
Dns_trie.insert name k add trie
(** [sign_outgoing ~max_size server keyname signed packet buf] TSIG-signs the
    encoded [buf] of [packet] with the single key stored under [keyname] and
    returns the signed bytes with the MAC, or [None] (logged) when the key is
    missing or ambiguous, its algorithm has no TSIG equivalent, the TSIG record
    cannot be built, or signing fails. *)
let sign_outgoing ~max_size server keyname signed packet buf =
  let sign_with key algorithm =
    let original_id = fst packet.Packet.header in
    match Tsig.tsig ~algorithm ~original_id ~signed () with
    | None -> Log.err (fun m -> m "creation of tsig failed") ; None
    | Some tsig ->
      (match server.tsig_sign ?mac:None ~max_size keyname tsig ~key packet buf with
       | None -> Log.err (fun m -> m "signing failed") ; None
       | Some signed_and_mac -> Some signed_and_mac)
  in
  match Authentication.find_key server.auth keyname with
  | None ->
    Log.err (fun m -> m "key %a not found (or multiple)" Domain_name.pp keyname) ;
    None
  | Some key ->
    (match Tsig.dnskey_to_tsig_algo key with
     | Error (`Msg msg) ->
       Log.err (fun m -> m "couldn't convert algorithm: %s" msg) ; None
     | Ok algorithm -> sign_with key algorithm)
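(** Outgoing NOTIFY handling for a primary: which remotes to notify for a
    zone, the remotes that registered over a signed TCP session
    ({!connections}), and the notifies still awaiting an acknowledgement
    ({!outstanding}) together with their retransmit schedule. *)
module Notification = struct
  (* TODO dnskey authentication of outgoing packets (preserve in connections, name of key should be enough) *)
  (* needed for passive secondaries (behind NAT etc.) such as let's encrypt,
     which initiated a signed! TCP session *)

  (** Per zone, the [(key name, ip)] pairs registered by {!insert}: remotes
      that asked for notifications over an authenticated TCP session and that
      the NS records alone would not reach. *)
  type connections = ([ `raw ] Domain_name.t * Ipaddr.V4.t) list Domain_name.Host_map.t

  (** [secondaries trie zone] is the set of IPv4 addresses of [zone]'s NS
      hosts, minus the SOA primary name server, resolved through the A
      records in [trie]; NS hosts without an A record are logged and
      skipped. Empty if [zone] has no SOA in [trie]. *)
  let secondaries trie zone =
    match Dns_trie.lookup_with_cname zone Rr_map.Soa trie with
    | Ok (B (Soa, soa), (_, _, ns)) ->
      (* the primary (SOA mname) is not notified, if it is a valid host *)
      let secondaries =
        match Domain_name.host soa.Soa.nameserver with
        | Error _ -> ns
        | Ok prim -> Domain_name.Host_set.remove prim ns
      in
      (* TODO AAAA records / use lookup_glue? *)
      Domain_name.Host_set.fold (fun ns acc ->
          match Dns_trie.lookup ns Rr_map.A trie with
          | Ok (_, ips) -> Rr_map.Ipv4_set.union ips acc
          | _ ->
            Log.err (fun m -> m "lookup for A %a returned nothing as well"
                        Domain_name.pp ns) ;
            acc)
        secondaries Rr_map.Ipv4_set.empty
    | _ -> Rr_map.Ipv4_set.empty

  (** [to_notify conn ~data ~auth zone] is the [ip -> key name option] map of
      remotes to notify for [zone]. The three sources are merged in order, a
      later one overriding an earlier entry for the same address: NS-derived
      addresses (no key), transfer keys of the key trie that carry a secondary
      address, and the registered connections for [zone]. *)
  let to_notify conn ~data ~auth zone =
    (* for a given zone, compute the "ip -> key option" map of to-be-notified secondaries
       uses data from 3 sources:
       - secondary NS of the zone as registered in data (ip only)
       - keys of the form YY.secondary-ip._transfer.zone and YY.secondary-ip._transfer
       - active connections (from the zone -> ip, key map above), used for lets encrypt etc. *)
    let secondaries =
      Rr_map.Ipv4_set.fold (fun ip m -> IPM.add ip None m)
        (secondaries data zone)
        IPM.empty
    in
    let of_list = List.fold_left (fun m (key, ip) -> IPM.add ip (Some key) m) in
    let secondaries_and_keys =
      of_list secondaries (Authentication.secondaries auth zone)
    in
    match Domain_name.Host_map.find zone conn with
    | None -> secondaries_and_keys
    | Some xs -> of_list secondaries_and_keys xs

  (** [insert ~data ~auth cs ~zone ~key ip] registers [ip], authenticated by
      [key], for notifications of [zone]. If [ip] is already known for [zone]
      with the same key, [cs] is returned unchanged; otherwise the pair is
      recorded, replacing any earlier registration of [ip] for [zone]. *)
  let insert ~data ~auth cs ~zone ~key ip =
    let cs' =
      let old =
        match Domain_name.Host_map.find zone cs with None -> [] | Some a -> a
      in
      (* drop any earlier entry for this address: [to_notify] folds the list
         head to tail, so a stale entry left behind the new pair would
         override the new key (the original kept it, and the "replacing key"
         case below never took effect) *)
      let others = List.filter (fun (_, ip') -> Ipaddr.V4.compare ip ip' <> 0) old in
      Domain_name.Host_map.add zone ((key, ip) :: others) cs
    in
    match IPM.find_opt ip (to_notify cs ~data ~auth zone) with
    | None ->
      Log.info (fun m -> m "inserting notifications for %a key %a IP %a"
                   Domain_name.pp zone Domain_name.pp key Ipaddr.V4.pp ip);
      cs'
    | Some (Some k) ->
      if Domain_name.equal k key then begin
        Log.warn (fun m -> m "zone %a with key %a and IP %a already registered"
                     Domain_name.pp zone Domain_name.pp key Ipaddr.V4.pp ip);
        cs
      end else begin
        Log.warn (fun m -> m "replacing key zone %a oldkey %a and IP %a, new key %a"
                     Domain_name.pp zone Domain_name.pp k Ipaddr.V4.pp ip
                     Domain_name.pp key);
        cs'
      end
    | Some None ->
      Log.info (fun m -> m "adding zone %a with key %a and IP %a (previously: no key)"
                   Domain_name.pp zone Domain_name.pp key Ipaddr.V4.pp ip);
      cs'

  (** [remove conn ip] drops every registration of [ip] from all zones
      (logging each) and forgets zones left without registrations. *)
  let remove conn ip =
    let is_not_it name (_, ip') =
      if Ipaddr.V4.compare ip ip' = 0 then begin
        Log.info (fun m -> m "removing notification for %a %a"
                     Domain_name.pp name Ipaddr.V4.pp ip);
        false
      end else true
    in
    Domain_name.Host_map.fold (fun name conns new_map ->
        match List.filter (is_not_it name) conns with
        | [] -> new_map
        | xs -> Domain_name.Host_map.add name xs new_map)
      conn Domain_name.Host_map.empty

  (** [encode_and_sign key_opt server now packet] encodes [packet] for TCP
      and, given a key name, TSIG-signs it via [sign_outgoing]; returns the
      bytes to send and the MAC (kept to verify the signed reply). When
      signing fails the unsigned encoding is returned without a MAC. *)
  let encode_and_sign key_opt server now packet =
    let buf, max_size = Packet.encode `Tcp packet in
    match key_opt with
    | None -> buf, None
    | Some key ->
      match sign_outgoing ~max_size server key now packet buf with
      | None -> buf, None
      | Some (out, mac) -> out, Some mac

  (* outstanding notifications, with timestamp and retry count
     (at most one per zone per ip) *)
  (** Per remote address, per zone: time of the first send, number of
      retransmits so far, MAC of the signed request (if signed), the request
      packet, and the signing key name. *)
  type outstanding =
    (int64 * int * Cstruct.t option * Packet.t * [ `raw ] Domain_name.t option) Domain_name.Host_map.t IPM.t

  (* operations:
     - timer occured, retransmit outstanding or drop
     - send out notification for a given zone
     - a (signed?) notify response came in, drop it from outstanding
  *)
  (* TODO other timings, and also some in the far future *)
  (* back-off schedule measured from the first send (the stored timestamp is
     never updated): the i-th retransmit happens once [retransmit.(i)] has
     elapsed since then *)
  let retransmit = Array.map Duration.of_sec [| 1 ; 3 ; 7 ; 20 ; 40 ; 60 ; 180 |]

  (** [retransmit server ns now ts] walks the outstanding table: every entry
      whose schedule slot has elapsed at [ts] is re-encoded (and re-signed,
      refreshing its MAC) and emitted as [(ip, bytes)]; entries on the last
      slot are sent a final time and dropped. Returns the new table and the
      packets to send; [out] is threaded through the outer fold so packets
      for all addresses end up in one list. *)
  let retransmit server ns now ts =
    let max = pred (Array.length retransmit) in
    IPM.fold (fun ip map (new_ns, out) ->
        let new_map, out =
          Domain_name.Host_map.fold
            (fun name (oldts, count, mac, packet, key) (new_map, outs) ->
               if Int64.sub ts retransmit.(count) > oldts then
                 let out, mac = encode_and_sign key server now packet in
                 (if count = max then begin
                     Log.warn (fun m -> m "retransmitting notify to %a the last time %a"
                                  Ipaddr.V4.pp ip Packet.pp packet) ;
                     new_map
                   end else
                    (Domain_name.Host_map.add name (oldts, succ count, mac, packet, key) new_map)),
                 (ip, out) :: outs
               else
                 (Domain_name.Host_map.add name (oldts, count, mac, packet, key) new_map, outs))
            map (Domain_name.Host_map.empty, out)
        in
        (if Domain_name.Host_map.is_empty new_map then new_ns else IPM.add ip new_map new_ns),
        out)
      ns (IPM.empty, [])

  (** [notify_one ns server now ts zone soa ip key] builds a NOTIFY for [zone]
      carrying [soa] with a random message id, signs it with [key] if given,
      records it as outstanding for [ip] (replacing an earlier entry for the
      same zone) and returns the packet to send. *)
  let notify_one ns server now ts zone soa ip key =
    let packet =
      let question = Packet.Question.create zone Soa
      and header =
        let id = Randomconv.int ~bound:(1 lsl 16 - 1) server.rng in
        (id, authoritative)
      in
      Packet.create header question (`Notify (Some soa))
    in
    let add_to_ns ns ip key mac =
      let data = (ts, 0, mac, packet, key) in
      let map = match IPM.find_opt ip ns with
        | None -> Domain_name.Host_map.empty
        | Some map -> map
      in
      let map' = Domain_name.Host_map.add zone data map in
      IPM.add ip map' ns
    in
    let out, mac = encode_and_sign key server now packet in
    let ns = add_to_ns ns ip key mac in
    (ns, (ip, out))

  (** [notify conn ns server now ts zone soa] sends a NOTIFY to every remote
      {!to_notify} yields for [zone]; returns the updated outstanding table
      and the packets. *)
  let notify conn ns server now ts zone soa =
    let remotes = to_notify conn ~data:server.data ~auth:server.auth zone in
    Log.debug (fun m -> m "notifying %a: %a" Domain_name.pp zone
                  Fmt.(list ~sep:(unit ",@ ")
                         (pair ~sep:(unit ", key ") Ipaddr.V4.pp
                            (option ~none:(unit "none") Domain_name.pp)))
                  (IPM.bindings remotes));
    IPM.fold (fun ip key (ns, outs) ->
        let ns, out = notify_one ns server now ts zone soa ip key in
        ns, out :: outs)
      remotes (ns, [])

  (** [received_reply ns ip reply] removes the outstanding notify for the zone
      in [reply]'s question from [ip]'s entries when [reply] matches the
      recorded request (as judged by [Packet.reply_matches_request]); a
      matching reply that is not a notify ack is logged but still clears the
      entry, a mismatching one is logged and leaves the table unchanged. *)
  let received_reply ns ip reply =
    match IPM.find_opt ip ns with
    | None -> ns
    | Some map ->
      match Domain_name.host (fst reply.Packet.question) with
      | Error _ ->
        Log.warn (fun m -> m "received notify reply for a non-hostname zone %a"
                     Domain_name.pp (fst reply.Packet.question));
        ns
      | Ok zone ->
        let map' = match Domain_name.Host_map.find zone map with
          | Some (_, _, _, request, _) ->
            begin match Packet.reply_matches_request ~request reply with
              | Ok r ->
                let map' = Domain_name.Host_map.remove zone map in
                (match r with `Notify_ack -> () | r -> Log.warn (fun m -> m "expected notify_ack, got %a" Packet.pp_reply r));
                map'
              | Error e ->
                Log.warn (fun m -> m "notify reply didn't match our request %a (request %a, reply %a)"
                             Packet.pp_mismatch e Packet.pp request Packet.pp reply);
                map
            end
          | _ -> map
        in
        if Domain_name.Host_map.is_empty map' then
          IPM.remove ip ns
        else
          IPM.add ip map' ns

  (** [mac ns ip reply] is the MAC of the outstanding (signed) notify that
      [reply] from [ip] answers, if any; it is handed to TSIG verification of
      the reply. *)
  let mac ns ip reply =
    match IPM.find_opt ip ns with
    | None -> None
    | Some map ->
      match Domain_name.host (fst reply.Packet.question) with
      | Error _ ->
        Log.warn (fun m -> m "mac for a non-hostname zone %a"
                     Domain_name.pp (fst reply.Packet.question));
        None
      | Ok zone -> match Domain_name.Host_map.find zone map with
        | Some (_, _, mac, _, _) -> mac
        | None -> None
end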
let in_zone zone name = Domain_name.sub ~subdomain:name ~domain:zone
(** [update_data trie zone (prereq, update)] applies a dynamic update to
    [zone] in [trie]: every prerequisite and update name must lie within
    [zone] ([NotZone] otherwise), all prerequisites must hold (see
    [handle_rr_prereq]), the updates are applied in order, and the result must
    pass [Dns_trie.check] (reported as [YXRRSet] if it does not).
    Returns the new trie and, when the zone changed, [Some (zone, soa)] with
    the SOA to announce to secondaries: the SOA the update installed if it is
    newer than before, otherwise the new SOA with its serial bumped; a deleted
    zone is announced with the old SOA's serial bumped. An update that changes
    nothing yields [(trie, None)]. *)
let update_data trie zone (prereq, update) =
let in_zone = in_zone zone in
(* prerequisites: stop at the first that fails *)
Domain_name.Map.fold (fun name prereqs acc ->
acc >>= fun () ->
guard (in_zone name) Rcode.NotZone >>= fun () ->
List.fold_left (fun acc prereq ->
acc >>= fun () ->
handle_rr_prereq name trie prereq)
(Ok ()) prereqs)
prereq (Ok ()) >>= fun () ->
(* updates: the zone check per name, then its operations left to right on
   the threaded trie *)
Domain_name.Map.fold (fun name updates acc ->
acc >>= fun trie ->
guard (in_zone name) Rcode.NotZone >>| fun () ->
List.fold_left (handle_rr_update name) trie updates)
update (Ok trie) >>= fun trie' ->
(match Dns_trie.check trie' with
| Ok () -> Ok ()
| Error e ->
Log.err (fun m -> m "check after update returned %a" Dns_trie.pp_zone_check e) ;
Error Rcode.YXRRSet) >>= fun () ->
if Dns_trie.equal trie trie' then
(* should this error out? - RFC 2136 3.4.2.7 says NoError at the end *)
Ok (trie, None)
else match Dns_trie.lookup zone Soa trie, Dns_trie.lookup zone Soa trie' with
(* the update installed a newer SOA: announce it as is *)
| Ok oldsoa, Ok soa when Soa.newer ~old:oldsoa soa -> Ok (trie', Some (zone, soa))
(* otherwise bump the serial ourselves so secondaries notice the change.
   NOTE(review): if the update installed an SOA with a lower serial, the
   bump applies to that lower serial and may still be older than the
   previous one -- confirm that is intended *)
| _, Ok soa ->
let soa = { soa with Soa.serial = Int32.succ soa.Soa.serial } in
let trie'' = Dns_trie.insert zone Soa soa trie' in
Ok (trie'', Some (zone, soa))
| Ok oldsoa, Error _ ->
(* zone removal!? *)
Ok (trie', Some (zone, { oldsoa with Soa.serial = Int32.succ oldsoa.Soa.serial }))
| Error o, Error n ->
Log.warn (fun m -> m "should not happen: soa lookup for %a failed in old %a and new %a"
Domain_name.pp zone Dns_trie.pp_e o Dns_trie.pp_e n);
Ok (trie', None)
(** [handle_update t proto key (zone, _) u] applies the dynamic update [u]
    to [t.data] when [key] is authorised for [`Update] on [zone] (see
    [update_data] for the result). [Error NotAuth] when not authorised,
    [Error FormErr] when [zone] is not a hostname. *)
let handle_update t proto key (zone, _) u =
  if not (Authentication.authorise t.auth proto ?key ~zone `Update) then
    Error Rcode.NotAuth
  else begin
    Log.info (fun m -> m "update key %a authorised for update %a"
                 Fmt.(option ~none:(unit "none") Domain_name.pp) key
                 Packet.Update.pp u) ;
    match Domain_name.host zone with
    | Error _ ->
      Log.warn (fun m -> m "update on a zone not a hostname %a" Domain_name.pp zone);
      Error Rcode.FormErr
    | Ok hostname ->
      (* the original re-mapped the result through the identity; the
         [update_data] result is returned as is *)
      update_data t.data hostname u
  end
(** [handle_tsig ?mac t now p buf] verifies the TSIG record of [p], if any.
    [Ok None] for an unsigned packet; otherwise the verifier's result mapped
    to [Some (key name, tsig, mac, key)], or the verifier's error. [mac] is
    the MAC of our own request when [p] is a reply to a signed notify. *)
let handle_tsig ?mac t now p buf =
  match p.Packet.tsig with
  | None -> Ok None
  | Some (name, tsig, off) ->
    let claimed = tsig.Tsig.algorithm in
    (* hand the verifier only a key whose algorithm matches the one the TSIG
       record claims; on mismatch (or no/ambiguous key) it gets no key and is
       expected to fail the verification *)
    let key =
      match Authentication.find_key t.auth name with
      | None -> None
      | Some candidate ->
        (match Tsig.dnskey_to_tsig_algo candidate with
         | Ok algo when algo = claimed -> Some candidate
         | Ok _ | Error _ -> None)
    in
    (* the signature covers the packet up to the TSIG record *)
    let signed_part = Cstruct.sub buf 0 off in
    t.tsig_verify ?mac now p name ?key tsig signed_part >>| fun (tsig, mac, key) ->
    Some (name, tsig, mac, key)
module Primary = struct
(* primary state: the server, the per-zone serial -> trie cache (for IXFR),
   the registered notification targets, and the outstanding notifies *)
type s =
  t * Dns_trie.t IM.t Domain_name.Map.t * Notification.connections * Notification.outstanding

(** [server s] is the server record of the primary state. *)
let server state =
  let srv, _, _, _ = state in
  srv

(** [data s] is the zone data currently served. *)
let data state = (server state).data
(* TODO: not entirely sure how many old ones to keep. This keeps for each
zone the most recent 5 serials. It does _not_ remove removed zones.
since it updates all zones with the new trie, there should be at most
5 (well, 6) tries alive in memory *)
(* TODO use LRU here! *)
(** [update_trie_cache m trie] records [trie] under its current serial for
    every zone (SOA) in [trie], keeping at most five serials per zone (the
    lowest serial is dropped). The result only holds zones present in
    [trie], since the fold starts from an empty map. *)
let update_trie_cache m trie =
  let remember name soa acc =
    let history =
      match Domain_name.Map.find name m with
      | None -> IM.empty
      | Some serials ->
        (* make room once five serials are kept *)
        if IM.cardinal serials >= 5 then
          IM.remove (fst (IM.min_binding serials)) serials
        else
          serials
    in
    Domain_name.Map.add name (IM.add soa.Soa.serial trie history) acc
  in
  Dns_trie.fold Soa trie remember Domain_name.Map.empty
(** [with_data (t, m, l, n) now ts data] replaces the served data with [data]
    and queues notifies: for every zone of [data] that is new or has a newer
    SOA than in [t.data], and for every zone of [t.data] missing from [data]
    (announced with the old serial + 1 so secondaries see a change). Returns
    the new state and the packets to send.
    NOTE(review): remotes are derived from the old [t] passed to [notify],
    so NS records that only exist in the new [data] are not consulted; and
    the trie cache is refreshed from the old [t.data], unlike the update path
    in [handle_packet] which caches the new data -- confirm whether [data]
    was meant there. *)
let with_data (t, m, l, n) now ts data =
(* we're the primary and need to notify our friends! *)
(* zones that are new or newer in [data] *)
let n', out =
Dns_trie.fold Soa data
(fun name soa (n, outs) ->
match Domain_name.host name with
| Error _ ->
Log.warn (fun m -> m "zone not a hostname %a" Domain_name.pp name);
(n, outs)
| Ok zone ->
match Dns_trie.lookup name Soa t.data with
| Error _ ->
let n', outs' = Notification.notify l n t now ts zone soa in
(n', outs @ outs')
| Ok old when Soa.newer ~old soa ->
let n', outs' = Notification.notify l n t now ts zone soa in
(n', outs @ outs')
| Ok _ -> (n, outs))
(n, [])
in
(* zones that disappeared from [data] *)
let n'', out' =
Dns_trie.fold Soa t.data (fun name soa (n, outs) ->
match Domain_name.host name with
| Error _ ->
Log.warn (fun m -> m "zone not a hostname %a" Domain_name.pp name);
(n, outs)
| Ok zone ->
match Dns_trie.lookup name Soa data with
| Error _ ->
let soa' = { soa with Soa.serial = Int32.succ soa.Soa.serial } in
let n', outs' = Notification.notify l n t now ts zone soa' in
(n', outs @ outs')
| Ok _ -> (n, outs))
(n', [])
in
let m' = update_trie_cache m t.data in
({ t with data }, m', l, n''), out @ out'
(** [create ?keys ?a ?tsig_verify ?tsig_sign ~rng data] builds the primary
    state for [data]: [keys] become the key trie, [a] the authorisation
    predicates (empty by default, i.e. updates and transfers are refused),
    the trie cache is seeded with the current serials, and a notify for
    every zone is recorded as outstanding (it is sent by the first timer
    run). *)
let create ?(keys = []) ?(a = []) ?tsig_verify ?tsig_sign ~rng data =
  let auth = (Authentication.of_keys keys, a) in
  let t = create ?tsig_verify ?tsig_sign data auth rng in
  let queue_notify name soa outstanding =
    Log.debug (fun m -> m "soa found for %a" Domain_name.pp name) ;
    match Domain_name.host name with
    | Ok zone ->
      (* we drop notifications, the first call to timer will solve this :) *)
      let outstanding', _packets =
        Notification.notify Domain_name.Host_map.empty outstanding t Ptime.epoch 0L zone soa
      in
      outstanding'
    | Error _ ->
      Log.warn (fun m -> m "zone is not a valid hostname %a" Domain_name.pp name);
      outstanding
  in
  let outstanding = Dns_trie.fold Rr_map.Soa data queue_notify IPM.empty in
  t, update_trie_cache Domain_name.Map.empty data, Domain_name.Host_map.empty, outstanding
(** [tcp_soa_query proto (name, typ)] is [Ok host] when the question is a SOA
    query over TCP for a valid hostname -- the pattern a secondary uses to
    register for notifications -- and [Error ()] otherwise. *)
let tcp_soa_query proto (name, typ) =
  match proto, typ with
  | `Tcp, `K (Rr_map.K Soa) -> R.reword_error (fun _ -> ()) (Domain_name.host name)
  | _ -> Error ()
(** [handle_packet (t, m, l, ns) now ts proto ip _port p key] dispatches the
    decoded packet [p] received from [ip]. [key] is the name of the TSIG key
    the packet was verified with; the caller ([handle_buf]) passes it only
    after verification. Returns the new state, the reply to send back (if
    any), the [(ip, bytes)] notifies to send out, and a hint for the caller:
    [`Keep] to hold the TCP connection open (a secondary registered for
    notifications) or [`Notify soa] for an unsolicited notify. *)
let handle_packet (t, m, l, ns) now ts proto ip _port p key =
let key = match key with None -> None | Some k -> Some (Domain_name.raw k) in
match p.Packet.data with
| `Query ->
(* if there was a (transfer-key) signed SOA, and tcp, we add to notification list! *)
(* NOTE(review): registration only requires the verified key name to carry a
   [_transfer] label ([is_op]); [Authentication.authorise] is not consulted
   for the zone, so any verified transfer key can subscribe to the NOTIFYs
   of any zone (all zones, via a query for the root). The notifies carry the
   SOA only. *)
let l', ns', outs, keep = match tcp_soa_query proto p.question, key with
| Ok zone, Some key when Authentication.is_op `Transfer key ->
(* a query for the root registers for every zone and notifies each at once;
   a single zone is registered without an immediate notify *)
let zones, notify =
if Domain_name.(equal root zone) then
(* [host_exn] raises if a zone name in the trie is not a hostname, while
   the other folds in this file skip such zones with a warning *)
Dns_trie.fold Soa t.data (fun name soa (zs, n) ->
let zone = Domain_name.host_exn name in
Domain_name.Host_set.add zone zs, (zone, soa)::n)
(Domain_name.Host_set.empty, [])
else
Domain_name.Host_set.singleton zone, []
in
let l' = Domain_name.Host_set.fold (fun zone l ->
Notification.insert ~data:t.data ~auth:t.auth l ~zone ~key ip)
zones l
in
let ns, outs =
List.fold_left (fun (ns, outs) (name, soa) ->
let ns, out = Notification.notify_one ns t now ts name soa ip (Some key) in
ns, out :: outs)
(ns, []) notify
in
l', ns, outs, Some `Keep
| _ -> l, ns, [], None
in
(* the question itself is answered normally in either case *)
let answer =
let flags, data, additional = match handle_question t p.question with
| Ok (flags, data, additional) -> flags, `Answer data, additional
| Error (rcode, data) -> err_flags rcode, `Rcode_error (rcode, Opcode.Query, data), None
in
Packet.create ?additional (fst p.header, flags) p.question data
in
(t, m, l', ns'), Some answer, outs, keep
| `Update u ->
(* authorisation happens in [handle_update]; on success the trie cache gets
   the new data and the secondaries of the changed zone are notified *)
let data, (flags, answer), stuff =
match handle_update t proto key p.question u with
| Ok (data, stuff) -> data, (authoritative, `Update_ack), stuff
| Error rcode -> t.data, (err_flags rcode, `Rcode_error (rcode, Opcode.Update, None)), None
in
let t' = { t with data }
and m' = update_trie_cache m data
in
let ns, out = match stuff with
| None -> ns, []
| Some (zone, soa) -> Notification.notify l ns t' now ts zone soa
in
let answer' = Packet.create (fst p.header, flags) p.question answer in
(t', m', l, ns), Some answer', out, None
| `Axfr_request ->
let flags, answer = match axfr t proto key p.question with
| Ok data -> authoritative, `Axfr_reply data
| Error rcode -> err_flags rcode, `Rcode_error (rcode, Opcode.Query, None)
in
let answer = Packet.create (fst p.header, flags) p.question answer in
(t, m, l, ns), Some answer, [], None
| `Ixfr_request soa ->
let flags, answer = match ixfr t m proto key p.question soa with
| Ok data -> authoritative, `Ixfr_reply data
| Error rcode -> err_flags rcode, `Rcode_error (rcode, Opcode.Query, None)
in
let answer = Packet.create (fst p.header, flags) p.question answer in
(t, m, l, ns), Some answer, [], None
(* a reply to one of our notifies: clear it from the outstanding table *)
| `Notify_ack | `Rcode_error (_, Opcode.Notify, _) ->
let ns' = Notification.received_reply ns ip p in
(t, m, l, ns'), None, [], None
(* we are a primary, so nobody should notify us; acknowledge anyway and
   hand the SOA to the caller *)
| `Notify soa ->
Log.warn (fun m -> m "unsolicited notify request %a (replying anyways)"
Fmt.(option ~none:(unit "no") Soa.pp) soa) ;
let reply = Packet.create (fst p.header, authoritative) p.question `Notify_ack in
(t, m, l, ns), Some reply, [], Some (`Notify soa)
| p ->
Log.err (fun m -> m "ignoring unsolicited %a" Packet.pp_data p) ;
(t, m, l, ns), None, [], None
(** [handle_buf t now ts proto ip port buf] processes one raw message [buf]
    received from [ip]:[port] over [proto]: the buffer is decoded, its TSIG
    (when present) is verified by [handle_tsig] before anything else is
    done with the packet, the packet is handed to [handle_packet], and the
    reply is encoded and -- if the request carried a valid TSIG -- signed
    with the same key.

    Returns [(t', reply, outgoing, notify)]: [t'] is the updated server
    state, [reply] the wire-encoded answer for [ip] (or [None]),
    [outgoing] further packets produced by [handle_packet] (notifications),
    and [notify] the notify outcome reported by [handle_packet]; a notify
    that arrived under a verified key is reported as [`Signed_notify]. *)
let handle_buf t now ts proto ip port buf =
  match
    safe_decode buf >>| fun res ->
    Log.debug (fun m -> m "from %a received:@[%a@]" Ipaddr.V4.pp ip Packet.pp res) ;
    res
  with
  | Error rcode ->
    (* undecodable input: reply with an error frame built from the raw
       bytes; [Packet.raw_error] may yield [None], in which case nothing is
       sent.  State is untouched. *)
    let answer = Packet.raw_error buf rcode in
    Log.warn (fun m -> m "error %a while %a sent %a, answering with %a"
                 Rcode.pp rcode Ipaddr.V4.pp ip Cstruct.hexdump_pp buf
                 Fmt.(option ~none:(unit "no") Cstruct.hexdump_pp) answer) ;
    t, answer, [], None
  | Ok p ->
    (* [keyname] is the TSIG key the request was verified with ([None] for
       an unsigned request); authorisation decisions based on it happen
       inside [handle_packet].  The decoded reply is kept next to its
       encoding so that the signing branch below can sign it. *)
    let handle_inner keyname =
      let t, answer, out, notify =
        handle_packet t now ts proto ip port p keyname
      in
      let answer = match answer with
        | Some answer ->
          let max_size, edns = Edns.reply p.edns in
          let answer = Packet.with_edns answer edns in
          (* be aware, this may be truncated... here's where AXFR is assembled! *)
          let r = Packet.encode ?max_size proto answer in
          Some (answer, r)
        | None -> None
      in
      t, answer, out, notify
    in
    let server, _, _, ns = t in
    (* replies to notifications we sent ourselves are verified against the
       mac of our own request, which the notification state remembers per
       peer; for any other packet no request mac exists *)
    let mac = match p.Packet.data with
      | `Notify_ack | `Rcode_error _ -> Notification.mac ns ip p
      | _ -> None
    in
    match handle_tsig ?mac server now p buf with
    | Error (e, data) ->
      (* TSIG failure: [data] is the error response prepared by
         [handle_tsig]; the packet never reaches [handle_packet] *)
      Log.err (fun m -> m "error %a while handling tsig" Tsig_op.pp_e e) ;
      t, data, [], None
    | Ok None ->
      (* no TSIG on the request: process unauthenticated, reply unsigned *)
      let t, answer, out, notify = handle_inner None in
      let answer' = match answer with
        | None -> None
        | Some (_, (cs, _)) -> Some cs
      in
      (t, answer', out, notify)
    | Ok (Some (name, tsig, mac, key)) ->
      (* [mac] here is the verified request mac, used as input to signing
         the reply; a notify under a verified key is upgraded to
         [`Signed_notify] for the caller *)
      let n = function Some (`Notify n) -> Some (`Signed_notify n) | Some `Keep -> Some `Keep | None -> None in
      let t', answer, out, notify = handle_inner (Some name) in
      let answer' = match answer with
        | None -> None
        | Some (answer, (buf, max_size)) ->
          match server.tsig_sign ~max_size ~mac name tsig ~key answer buf with
          | None ->
            (* signing failed: the reply is dropped rather than sent
               unsigned, so the peer sees a timeout instead of an
               unauthenticated answer *)
            Log.warn (fun m -> m "couldn't use %a to tsig sign" Domain_name.pp name);
            (* TODO - better send back unsigned answer? or an error? *)
            None
          | Some (buf, _) -> Some buf
      in
      (t', answer', out, n notify)
(** [closed state ip] forgets the connection to [ip] in the notification
    bookkeeping; every other component of [state] is returned unchanged. *)
let closed state ip =
  let t, m, l, ns = state in
  let remaining = Notification.remove l ip in
  t, m, remaining, ns
(** [timer state now ts] runs the notification retransmission step and
    returns the state with the updated notification component together
    with the packets to send. *)
let timer (t, m, l, ns) now ts =
  match Notification.retransmit t ns now ts with
  | ns', outgoing -> (t, m, l, ns'), outgoing
(** [to_be_notified state zone] lists, as [(ip, value)] bindings, the
    peers that should receive a notify for [zone], computed from the
    server's data and authentication trees. *)
let to_be_notified (t, _, l, _) zone =
  Notification.to_notify l ~data:t.data ~auth:t.auth zone
  |> IPM.bindings
end
module Secondary = struct
(** Per-zone transfer state of a secondary.  Every [Requested_*]
    constructor carries the timestamp at which the request was sent, the
    16-bit message id of that request and the request mac that the reply
    is verified against (see [axfr] below for how [Requested_axfr] is
    built). *)
type state =
  | Transferred of int64
    (* presumably the timestamp of the last successful transfer -- confirm
       against the state transitions outside this excerpt *)
  | Requested_soa of int64 * int * int * Cstruct.t
    (* timestamp, message id, a counter (retries? -- TODO confirm), mac;
       [create] seeds zones with [Requested_soa (0L, 0, 0, Cstruct.empty)] *)
  | Requested_axfr of int64 * int * Cstruct.t
    (* timestamp, message id, mac of the outgoing AXFR request *)
  | Requested_ixfr of int64 * int * Soa.t * Cstruct.t
    (* timestamp, message id, the SOA the IXFR was requested relative to,
       mac -- layout inferred by analogy with [Requested_axfr], confirm *)
(** [id state] is the message id of the outstanding request, or [None]
    when no request is in flight. *)
let id state =
  match state with
  | Transferred _ -> None
  | Requested_soa (_, request_id, _, _)
  | Requested_axfr (_, request_id, _)
  | Requested_ixfr (_, request_id, _, _) -> Some request_id
(* TODO undefined what happens if there are multiple transfer keys for zone x *)
(** Secondary server state: the underlying server [t] plus, per zone
    (keyed by host name), the transfer [state], the primary's address and
    the name of the TSIG key used for transfers from that primary. *)
type s = t * (state * Ipaddr.V4.t * [ `raw ] Domain_name.t) Domain_name.Host_map.t
let data (t, _) = t.data
let with_data (t, zones) data = ({ t with data }, zones)
(** [create ?a ?primary ~tsig_verify ~tsig_sign ~rng keylist] builds a
    secondary with an empty data trie.  The zones to serve are discovered
    from the SOA entries of the key trie built from [keylist]: for each
    such zone the primaries derived from [ip1.ip2._transfer.zone] keys are
    used; when a zone has none, [primary] (if given) is used together with
    the first [_transfer] key below the zone name -- only keys that are
    transfer keys and lie under the zone are accepted.  Every zone starts
    in [Requested_soa] so that the first timer tick queries the SOA.
    [a] is forwarded untouched as the second part of the server's
    authentication data (TODO confirm its meaning in the primary [create]). *)
let create ?(a = []) ?primary ~tsig_verify ~tsig_sign ~rng keylist =
  (* two kinds of keys: aaa._key-management and ip1.ip2._transfer.zone *)
  let keys = Authentication.of_keys keylist in
  let initial ip keyname =
    Requested_soa (0L, 0, 0, Cstruct.empty), ip, keyname
  in
  (* fallback when the key list names no primary for [name]: pair the
     configured [primary] with every transfer key under the zone *)
  let add_with_primary name zone ip acc =
    List.fold_left (fun acc (keyname, _) ->
        let keyname = Domain_name.raw keyname in
        let usable =
          Authentication.is_op `Transfer keyname &&
          Domain_name.sub ~domain:name ~subdomain:keyname
        in
        if not usable then begin
          Log.warn (fun m -> m "no transfer key found for %a" Domain_name.pp name) ;
          acc
        end else begin
          Log.app (fun m -> m "adding zone %a with key %a and ip %a"
                      Domain_name.pp name Domain_name.pp keyname
                      Ipaddr.V4.pp ip) ;
          Domain_name.Host_map.add zone (initial ip keyname) acc
        end)
      acc keylist
  in
  let add_primaries name zone primaries acc =
    List.fold_left (fun acc (keyname, ip) ->
        Log.app (fun m -> m "adding transfer key %a for zone %a"
                    Domain_name.pp keyname Domain_name.pp name) ;
        Domain_name.Host_map.add zone (initial ip keyname) acc)
      acc primaries
  in
  let on_soa name _ acc =
    Log.debug (fun m -> m "soa found for %a" Domain_name.pp name) ;
    match Domain_name.host name with
    | Error _ ->
      Log.warn (fun m -> m "zone %a not a hostname" Domain_name.pp name);
      acc
    | Ok zone ->
      match Authentication.primaries (keys, []) name, primary with
      | [], None ->
        Log.warn (fun m -> m "no nameserver found for %a" Domain_name.pp name) ;
        acc
      | [], Some ip -> add_with_primary name zone ip acc
      | primaries, _ -> add_primaries name zone primaries acc
  in
  let zones = Dns_trie.fold Rr_map.Soa keys on_soa Domain_name.Host_map.empty in
  (create ~tsig_verify ~tsig_sign Dns_trie.empty (keys, a) rng, zones)
(** [header rng ()] is a fresh packet header: an unpredictable message id
    drawn from [rng] (so replies cannot be forged by guessing the id) and
    no flags set.  NOTE(review): with [Randomconv.int ~bound] presumably
    exclusive, [1 lsl 16 - 1] never yields 65535 -- confirm whether the full
    16-bit range was intended. *)
let header rng () =
  let bound = 1 lsl 16 - 1 in
  Randomconv.int ~bound rng, Packet.Flags.empty
(** [axfr t proto now ts q_name name] builds and TSIG-signs (with key
    [name]) an AXFR request for [q_name].  Returns the new transfer state
    -- remembering the send timestamp [ts], the message id and the request
    mac so the reply can be matched and verified -- together with the bytes
    to send, or [None] when signing with [name] is not possible. *)
let axfr t proto now ts q_name name =
  let hdr = header t.rng () in
  let request =
    Packet.create hdr (Domain_name.raw q_name, `Axfr) `Axfr_request
  in
  let encoded, max_size = Packet.encode proto request in
  match sign_outgoing ~max_size t name now request encoded with
  | Some (signed, mac) ->
    let request_id = fst hdr in
    Some (Requested_axfr (ts, request_id, mac), signed)
  | None -> None