1 /*
2  * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14  * PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 /* $Id$ */
18 
19 
20 #ifndef DNS_RPZ_H
21 #define DNS_RPZ_H 1
22 
23 #include <isc/lang.h>
24 
25 #include <dns/fixedname.h>
26 #include <dns/rdata.h>
27 #include <dns/types.h>
28 
29 ISC_LANG_BEGINDECLS
30 
/*
 * Name prefix shared by the special subzones of a policy zone.  The IP,
 * NSIP, NSDNAME and PASSTHRU names below are built by appending a suffix
 * to it, so changing the prefix changes all four at once.
 */
#define DNS_RPZ_PREFIX		"rpz-"
#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
#define DNS_RPZ_PASSTHRU_ZONE	DNS_RPZ_PREFIX"passthru"

/*
 * Length of a CIDR prefix in bits; see the 'prefix' out parameter of
 * dns_rpz_cidr_find() and dns_rpz_st_t.m.prefix.  Eight bits are enough
 * to hold the 128-bit IPv6 address length.
 */
typedef isc_uint8_t		dns_rpz_cidr_bits_t;
38 
/*
 * Which kind of trigger produced a policy match.  DNS_RPZ_TYPE_BAD is the
 * first (zero) enumerator, so a zero-filled dns_rpz_st_t.m.type reads as
 * "no match yet".  The other values presumably correspond to the query
 * name and to the rpz-ip, rpz-nsdname and rpz-nsip subzones named above.
 * dns_rpz_type2str() gives a printable name for each.
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,	/* no / invalid trigger type (value 0) */
	DNS_RPZ_TYPE_QNAME,	/* query name trigger */
	DNS_RPZ_TYPE_IP,	/* IP trigger (cf. DNS_RPZ_IP_ZONE) */
	DNS_RPZ_TYPE_NSDNAME,	/* NS name trigger (cf. DNS_RPZ_NSDNAME_ZONE) */
	DNS_RPZ_TYPE_NSIP	/* NS address trigger (cf. DNS_RPZ_NSIP_ZONE) */
} dns_rpz_type_t;
46 
/*
 * Action a policy zone applies to a matched query.
 *
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
 * policies.  The explicit numeric values below pin that order; do not
 * reorder or renumber them without revisiting the comparisons that rely
 * on it.  The quoted words are the configuration keywords the original
 * author noted; the last four members carry no keyword here.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* NOTE(review): original comment duplicated CNAME's; presumably 'disabled' -- confirm in dns_rpz_str2policy() */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_RECORD,		/* 6: no keyword; meaning not documented here */
	DNS_RPZ_POLICY_WILDCNAME,	/* 7: no keyword; meaning not documented here */
	DNS_RPZ_POLICY_MISS,		/* 8: no keyword; meaning not documented here */
	DNS_RPZ_POLICY_ERROR		/* 9: no keyword; meaning not documented here */
} dns_rpz_policy_t;
64 
/*
 * Specify a response policy zone.
 *
 * One of these describes each configured policy zone; instances are
 * chained through 'link' and ordered by 'num'.  The dns_name_t members
 * are embedded (not pointers), so their storage lives and dies with the
 * structure.  NOTE(review): 'policy' and 'cname' look like the
 * configured per-zone override of whatever the policy records say --
 * confirm against the view configuration code.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

struct dns_rpz_zone {
	ISC_LINK(dns_rpz_zone_t) link;
	int			 num;	  /* ordinal in list of policy zones */
	dns_name_t		 origin;  /* Policy zone name */
	dns_name_t		 nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t		 passthru;/* presumably DNS_RPZ_PASSTHRU_ZONE.origin, by analogy with nsdname -- confirm */
	dns_name_t		 cname;	  /* override value for ..._CNAME */
	dns_ttl_t		 max_policy_ttl; /* cap on policy TTLs; cf. DNS_RPZ_MAX_TTL_DEFAULT */
	dns_rpz_policy_t	 policy;  /* DNS_RPZ_POLICY_GIVEN or override */
	isc_boolean_t		 recursive_only; /* name suggests: apply only to recursive queries -- confirm */
	isc_boolean_t		 defined; /* name suggests: zone has been configured -- confirm */
};
82 
/*
 * Radix trees for response policy IP addresses.
 *
 * Opaque to users of this header: struct dns_rpz_cidr is not defined
 * here, so callers hold only pointers obtained from dns_rpz_new_cidr()
 * and release them with dns_rpz_cidr_free().
 */
typedef struct dns_rpz_cidr	dns_rpz_cidr_t;
87 
/*
 * context for finding the best policy
 *
 * Per-query scratch state carried through the policy search.  'state' is
 * an OR of the DNS_RPZ_* flags defined immediately below (each a distinct
 * power of two).  The nested structs hold the best match found so far
 * ('m'), the chase of addresses and NS names ('r'), and the saved state
 * of the real query while recursing ('q').
 */
typedef struct {
	unsigned int		state;	/* OR of the DNS_RPZ_* flags below */
# define DNS_RPZ_REWRITTEN	0x0001	/* undocumented originally; name suggests an answer was rewritten */
# define DNS_RPZ_DONE_QNAME	0x0002	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP	0x0004	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME	0x0008	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4 	0x0010	/* undocumented originally; name suggests IPv4 addresses checked */
# define DNS_RPZ_RECURSING	0x0020	/* undocumented originally; name suggests recursion in progress */
# define DNS_RPZ_HAVE_IP 	0x0040	/* a policy zone has IP addresses */
# define DNS_RPZ_HAVE_NSIPv4	0x0080	/*		  IPv4 NSIP addresses */
# define DNS_RPZ_HAVE_NSIPv6	0x0100	/*		  IPv6 NSIP addresses */
# define DNS_RPZ_HAVE_NSDNAME	0x0200	/*		  NS names */
	/*
	 * Best match so far.
	 * 'type' is DNS_RPZ_TYPE_BAD (0) until a match is recorded.
	 */
	struct {
		dns_rpz_type_t		type;	/* trigger kind of the match */
		dns_rpz_zone_t		*rpz;	/* policy zone that matched; presumably not owned here */
		dns_rpz_cidr_bits_t	prefix;	/* CIDR prefix length for IP/NSIP matches */
		dns_rpz_policy_t	policy;	/* action chosen for the match */
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;	/* NOTE(review): the handles below presumably hold references that must be released when the state is discarded -- confirm */
		dns_db_t		*db;
		dns_dbversion_t		*version;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int		label;	/* undocumented originally; name suggests a label index into the name being chased */
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;	/* NS rrset being walked */
		dns_rdatatype_t		r_type;		/* type of the address lookup in progress */
		isc_result_t		r_result;	/* its result */
		dns_rdataset_t		*r_rdataset;	/* its rrset */
	} r;
	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 * Saved so the original lookup can be resumed after the policy
	 * search finishes.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;
	dns_name_t		*qname;		/* presumably points into _qnamef */
	dns_name_t		*r_name;	/* presumably points into _r_namef */
	dns_name_t		*fname;		/* presumably points into _fnamef */
	dns_fixedname_t		_qnamef;	/* backing storage for the pointers above */
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;
151 
/*
 * Default policy TTL, and the default cap on policy TTLs, which is the
 * same value.  DNS_RPZ_MAX_TTL_DEFAULT presumably seeds
 * dns_rpz_zone_t.max_policy_ttl -- confirm in the view configuration code.
 */
#define DNS_RPZ_TTL_DEFAULT		5
#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT

/*
 * So various response policy zone messages can be turned up or down.
 *
 * These expand to ISC_LOG_* values that this header does not pull in
 * (none of the includes above is the logging header), so a translation
 * unit that uses them must include it itself.  DNS_RPZ_DEBUG_QUIET is
 * one level beyond DEBUG_LEVEL3, i.e. more verbose than any named level.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)
164 
/*
 * Printable name of a trigger type.  The returned string is presumably
 * static and must not be freed or modified -- confirm in rpz.c.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword (presumably the quoted words in dns_rpz_policy_t,
 * e.g. "passthru", "nxdomain") into the corresponding enumerator.
 * NOTE(review): the value returned for an unrecognized string is not
 * documented here; callers handling configuration input should check
 * rpz.c before relying on any particular sentinel.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Inverse of dns_rpz_str2policy(): printable keyword for 'policy'.
 * Same ownership caveat as dns_rpz_type2str().
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);
173 
/*
 * Release a radix tree created by dns_rpz_new_cidr().  Takes the address
 * of the caller's pointer; presumably *cidr is set to NULL on return so
 * the freed tree cannot be reused -- confirm in rpz.c.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Tear down the response-policy state attached to 'view'.
 * Which view members are released is not visible from this header.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Allocate a new, empty radix tree from 'mctx' for the policy zone whose
 * name is 'origin', returning it through 'rbtdb_cidr'.  The result code
 * reports allocation failure; on failure *rbtdb_cidr should be treated
 * as unset.  Free with dns_rpz_cidr_free().
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
		 dns_rpz_cidr_t **rbtdb_cidr);
/*
 * Record in 'st' which kinds of triggers 'cidr' can satisfy (presumably
 * by setting DNS_RPZ_HAVE_* bits in st->state) so the search can skip
 * address and NS-name chasing that cannot match -- confirm in rpz.c.
 */
void
dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
185 
/*
 * Remove the address block encoded by 'name' (presumably an entry of an
 * rpz-ip or rpz-nsip subzone) from the tree.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Add the address block encoded by 'name' to the tree.  If, as the
 * subzone macros above suggest, 'name' comes from loaded zone data, the
 * decoding of its labels into an address and prefix must tolerate
 * malformed input; the function returns void, so how such names are
 * rejected or reported is not visible here -- check rpz.c.
 */
void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Look 'netaddr' up in 'cidr' for triggers of kind 'type'.  On a match,
 * 'canon_name' and 'search_name' receive names derived from the matching
 * entry and '*prefix' its CIDR prefix length; the exact roles of the two
 * names and the result code used for "no match" are not documented in
 * this header -- see rpz.c.
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
		  dns_rpz_type_t type, dns_name_t *canon_name,
		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
196 
/*
 * Map the CNAME policy record in 'rdataset', found in policy zone 'rpz',
 * to a dns_rpz_policy_t.  'selfname' is presumably the policy zone's own
 * name, used to recognize targets inside the zone such as the
 * rpz-passthru subzone -- confirm in rpz.c.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);
200 
201 ISC_LANG_ENDDECLS
202 
203 #endif /* DNS_RPZ_H */
204 
205