2 Unix SMB/CIFS implementation.
4 DNS server handler for queries
6 Copyright (C) 2010 Kai Blin <kai@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "smbd/service_task.h"
24 #include "libcli/util/werror.h"
25 #include "librpc/ndr/libndr.h"
26 #include "librpc/gen_ndr/ndr_dns.h"
27 #include "librpc/gen_ndr/ndr_dnsp.h"
29 #include "param/param.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "dsdb/common/util.h"
32 #include "dns_server/dns_server.h"
33 #include "libcli/dns/libdns.h"
34 #include "lib/util/dlinklist.h"
35 #include "lib/util/util_net.h"
36 #include "lib/util/tevent_werror.h"
37 #include "auth/auth.h"
38 #include "auth/credentials/credentials.h"
39 #include "auth/gensec/gensec.h"
42 #define DBGC_CLASS DBGC_DNS
43 #define MAX_Q_RECURSION_DEPTH 20
45 struct forwarder_string
{
46 const char *forwarder
;
47 struct forwarder_string
*prev
, *next
;
50 static WERROR
add_response_rr(const char *name
,
51 const struct dnsp_DnssrvRpcRecord
*rec
,
52 struct dns_res_rec
**answers
)
54 struct dns_res_rec
*ans
= *answers
;
55 uint16_t ai
= talloc_array_length(ans
);
56 enum ndr_err_code ndr_err
;
58 if (ai
== UINT16_MAX
) {
59 return WERR_BUFFER_OVERFLOW
;
63 * "ans" is always non-NULL and thus its own talloc context
65 ans
= talloc_realloc(ans
, ans
, struct dns_res_rec
, ai
+1);
67 return WERR_NOT_ENOUGH_MEMORY
;
74 ans
[ai
].rdata
.cname_record
= talloc_strdup(ans
, rec
->data
.cname
);
75 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.cname_record
);
78 ans
[ai
].rdata
.ipv4_record
= talloc_strdup(ans
, rec
->data
.ipv4
);
79 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.ipv4_record
);
82 ans
[ai
].rdata
.ipv6_record
= talloc_strdup(ans
, rec
->data
.ipv6
);
83 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.ipv6_record
);
86 ans
[ai
].rdata
.ns_record
= talloc_strdup(ans
, rec
->data
.ns
);
87 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.ns_record
);
90 ans
[ai
].rdata
.srv_record
.priority
= rec
->data
.srv
.wPriority
;
91 ans
[ai
].rdata
.srv_record
.weight
= rec
->data
.srv
.wWeight
;
92 ans
[ai
].rdata
.srv_record
.port
= rec
->data
.srv
.wPort
;
93 ans
[ai
].rdata
.srv_record
.target
= talloc_strdup(
94 ans
, rec
->data
.srv
.nameTarget
);
95 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.srv_record
.target
);
98 ans
[ai
].rdata
.soa_record
.mname
= talloc_strdup(
99 ans
, rec
->data
.soa
.mname
);
100 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.soa_record
.mname
);
101 ans
[ai
].rdata
.soa_record
.rname
= talloc_strdup(
102 ans
, rec
->data
.soa
.rname
);
103 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.soa_record
.rname
);
104 ans
[ai
].rdata
.soa_record
.serial
= rec
->data
.soa
.serial
;
105 ans
[ai
].rdata
.soa_record
.refresh
= rec
->data
.soa
.refresh
;
106 ans
[ai
].rdata
.soa_record
.retry
= rec
->data
.soa
.retry
;
107 ans
[ai
].rdata
.soa_record
.expire
= rec
->data
.soa
.expire
;
108 ans
[ai
].rdata
.soa_record
.minimum
= rec
->data
.soa
.minimum
;
111 ans
[ai
].rdata
.ptr_record
= talloc_strdup(ans
, rec
->data
.ptr
);
112 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].rdata
.ptr_record
);
115 ans
[ai
].rdata
.mx_record
.preference
= rec
->data
.mx
.wPriority
;
116 ans
[ai
].rdata
.mx_record
.exchange
= talloc_strdup(
117 ans
, rec
->data
.mx
.nameTarget
);
118 if (ans
[ai
].rdata
.mx_record
.exchange
== NULL
) {
119 return WERR_NOT_ENOUGH_MEMORY
;
123 ndr_err
= ndr_dnsp_string_list_copy(ans
,
125 &ans
[ai
].rdata
.txt_record
.txt
);
126 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
127 return WERR_NOT_ENOUGH_MEMORY
;
131 DEBUG(0, ("Got unhandled type %u query.\n", rec
->wType
));
132 return DNS_ERR(NOT_IMPLEMENTED
);
135 ans
[ai
].name
= talloc_strdup(ans
, name
);
136 W_ERROR_HAVE_NO_MEMORY(ans
[ai
].name
);
137 ans
[ai
].rr_type
= (enum dns_qtype
)rec
->wType
;
138 ans
[ai
].rr_class
= DNS_QCLASS_IN
;
139 ans
[ai
].ttl
= rec
->dwTtlSeconds
;
140 ans
[ai
].length
= UINT16_MAX
;
147 static WERROR
add_dns_res_rec(struct dns_res_rec
**pdst
,
148 const struct dns_res_rec
*src
)
150 struct dns_res_rec
*dst
= *pdst
;
151 uint16_t di
= talloc_array_length(dst
);
152 enum ndr_err_code ndr_err
;
154 if (di
== UINT16_MAX
) {
155 return WERR_BUFFER_OVERFLOW
;
158 dst
= talloc_realloc(dst
, dst
, struct dns_res_rec
, di
+1);
160 return WERR_NOT_ENOUGH_MEMORY
;
163 ZERO_STRUCT(dst
[di
]);
165 dst
[di
] = (struct dns_res_rec
) {
166 .name
= talloc_strdup(dst
, src
->name
),
167 .rr_type
= src
->rr_type
,
168 .rr_class
= src
->rr_class
,
170 .length
= src
->length
173 if (dst
[di
].name
== NULL
) {
174 return WERR_NOT_ENOUGH_MEMORY
;
177 switch (src
->rr_type
) {
178 case DNS_QTYPE_CNAME
:
179 dst
[di
].rdata
.cname_record
= talloc_strdup(
180 dst
, src
->rdata
.cname_record
);
181 if (dst
[di
].rdata
.cname_record
== NULL
) {
182 return WERR_NOT_ENOUGH_MEMORY
;
186 dst
[di
].rdata
.ipv4_record
= talloc_strdup(
187 dst
, src
->rdata
.ipv4_record
);
188 if (dst
[di
].rdata
.ipv4_record
== NULL
) {
189 return WERR_NOT_ENOUGH_MEMORY
;
193 dst
[di
].rdata
.ipv6_record
= talloc_strdup(
194 dst
, src
->rdata
.ipv6_record
);
195 if (dst
[di
].rdata
.ipv6_record
== NULL
) {
196 return WERR_NOT_ENOUGH_MEMORY
;
200 dst
[di
].rdata
.ns_record
= talloc_strdup(
201 dst
, src
->rdata
.ns_record
);
202 if (dst
[di
].rdata
.ns_record
== NULL
) {
203 return WERR_NOT_ENOUGH_MEMORY
;
207 dst
[di
].rdata
.srv_record
= (struct dns_srv_record
) {
208 .priority
= src
->rdata
.srv_record
.priority
,
209 .weight
= src
->rdata
.srv_record
.weight
,
210 .port
= src
->rdata
.srv_record
.port
,
211 .target
= talloc_strdup(
212 dst
, src
->rdata
.srv_record
.target
)
214 if (dst
[di
].rdata
.srv_record
.target
== NULL
) {
215 return WERR_NOT_ENOUGH_MEMORY
;
219 dst
[di
].rdata
.soa_record
= (struct dns_soa_record
) {
220 .mname
= talloc_strdup(
221 dst
, src
->rdata
.soa_record
.mname
),
222 .rname
= talloc_strdup(
223 dst
, src
->rdata
.soa_record
.rname
),
224 .serial
= src
->rdata
.soa_record
.serial
,
225 .refresh
= src
->rdata
.soa_record
.refresh
,
226 .retry
= src
->rdata
.soa_record
.retry
,
227 .expire
= src
->rdata
.soa_record
.expire
,
228 .minimum
= src
->rdata
.soa_record
.minimum
231 if ((dst
[di
].rdata
.soa_record
.mname
== NULL
) ||
232 (dst
[di
].rdata
.soa_record
.rname
== NULL
)) {
233 return WERR_NOT_ENOUGH_MEMORY
;
238 dst
[di
].rdata
.ptr_record
= talloc_strdup(
239 dst
, src
->rdata
.ptr_record
);
240 if (dst
[di
].rdata
.ptr_record
== NULL
) {
241 return WERR_NOT_ENOUGH_MEMORY
;
245 dst
[di
].rdata
.mx_record
= (struct dns_mx_record
) {
246 .preference
= src
->rdata
.mx_record
.preference
,
247 .exchange
= talloc_strdup(
248 src
, src
->rdata
.mx_record
.exchange
)
251 if (dst
[di
].rdata
.mx_record
.exchange
== NULL
) {
252 return WERR_NOT_ENOUGH_MEMORY
;
256 ndr_err
= ndr_dnsp_string_list_copy(dst
,
257 &src
->rdata
.txt_record
.txt
,
258 &dst
[di
].rdata
.txt_record
.txt
);
259 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
260 return WERR_NOT_ENOUGH_MEMORY
;
264 DBG_WARNING("Got unhandled type %u query.\n", src
->rr_type
);
265 return DNS_ERR(NOT_IMPLEMENTED
);
273 struct ask_forwarder_state
{
274 struct dns_name_packet
*reply
;
277 static void ask_forwarder_done(struct tevent_req
*subreq
);
279 static struct tevent_req
*ask_forwarder_send(
280 TALLOC_CTX
*mem_ctx
, struct tevent_context
*ev
,
281 const char *forwarder
, struct dns_name_question
*question
)
283 struct tevent_req
*req
, *subreq
;
284 struct ask_forwarder_state
*state
;
286 req
= tevent_req_create(mem_ctx
, &state
, struct ask_forwarder_state
);
291 subreq
= dns_cli_request_send(state
, ev
, forwarder
,
292 question
->name
, question
->question_class
,
293 question
->question_type
);
294 if (tevent_req_nomem(subreq
, req
)) {
295 return tevent_req_post(req
, ev
);
297 tevent_req_set_callback(subreq
, ask_forwarder_done
, req
);
301 static void ask_forwarder_done(struct tevent_req
*subreq
)
303 struct tevent_req
*req
= tevent_req_callback_data(
304 subreq
, struct tevent_req
);
305 struct ask_forwarder_state
*state
= tevent_req_data(
306 req
, struct ask_forwarder_state
);
309 ret
= dns_cli_request_recv(subreq
, state
, &state
->reply
);
313 tevent_req_werror(req
, unix_to_werror(ret
));
317 tevent_req_done(req
);
320 static WERROR
ask_forwarder_recv(
321 struct tevent_req
*req
, TALLOC_CTX
*mem_ctx
,
322 struct dns_res_rec
**answers
, uint16_t *ancount
,
323 struct dns_res_rec
**nsrecs
, uint16_t *nscount
,
324 struct dns_res_rec
**additional
, uint16_t *arcount
)
326 struct ask_forwarder_state
*state
= tevent_req_data(
327 req
, struct ask_forwarder_state
);
328 struct dns_name_packet
*in_packet
= state
->reply
;
331 if (tevent_req_is_werror(req
, &err
)) {
335 *ancount
= in_packet
->ancount
;
336 *answers
= talloc_move(mem_ctx
, &in_packet
->answers
);
338 *nscount
= in_packet
->nscount
;
339 *nsrecs
= talloc_move(mem_ctx
, &in_packet
->nsrecs
);
341 *arcount
= in_packet
->arcount
;
342 *additional
= talloc_move(mem_ctx
, &in_packet
->additional
);
347 static WERROR
add_zone_authority_record(struct dns_server
*dns
,
349 const struct dns_name_question
*question
,
350 struct dns_res_rec
**nsrecs
)
352 const char *zone
= NULL
;
353 struct dnsp_DnssrvRpcRecord
*recs
;
354 struct dns_res_rec
*ns
= *nsrecs
;
356 struct ldb_dn
*dn
= NULL
;
360 zone
= dns_get_authoritative_zone(dns
, question
->name
);
361 DEBUG(10, ("Creating zone authority record for '%s'\n", zone
));
363 werror
= dns_name2dn(dns
, mem_ctx
, zone
, &dn
);
364 if (!W_ERROR_IS_OK(werror
)) {
368 werror
= dns_lookup_records(dns
, mem_ctx
, dn
, &recs
, &rec_count
);
369 if (!W_ERROR_IS_OK(werror
)) {
373 for (ri
= 0; ri
< rec_count
; ri
++) {
374 if (recs
[ri
].wType
== DNS_TYPE_SOA
) {
375 werror
= add_response_rr(zone
, &recs
[ri
], &ns
);
376 if (!W_ERROR_IS_OK(werror
)) {
387 static struct tevent_req
*handle_authoritative_send(
388 TALLOC_CTX
*mem_ctx
, struct tevent_context
*ev
,
389 struct dns_server
*dns
, const char *forwarder
,
390 struct dns_name_question
*question
,
391 struct dns_res_rec
**answers
, struct dns_res_rec
**nsrecs
,
393 static WERROR
handle_authoritative_recv(struct tevent_req
*req
);
395 struct handle_dnsrpcrec_state
{
396 struct dns_res_rec
**answers
;
397 struct dns_res_rec
**nsrecs
;
400 static void handle_dnsrpcrec_gotauth(struct tevent_req
*subreq
);
401 static void handle_dnsrpcrec_gotforwarded(struct tevent_req
*subreq
);
403 static struct tevent_req
*handle_dnsrpcrec_send(
404 TALLOC_CTX
*mem_ctx
, struct tevent_context
*ev
,
405 struct dns_server
*dns
, const char *forwarder
,
406 const struct dns_name_question
*question
,
407 struct dnsp_DnssrvRpcRecord
*rec
,
408 struct dns_res_rec
**answers
, struct dns_res_rec
**nsrecs
,
411 struct tevent_req
*req
, *subreq
;
412 struct handle_dnsrpcrec_state
*state
;
413 struct dns_name_question
*new_q
;
417 req
= tevent_req_create(mem_ctx
, &state
,
418 struct handle_dnsrpcrec_state
);
422 state
->answers
= answers
;
423 state
->nsrecs
= nsrecs
;
425 if (cname_depth
>= MAX_Q_RECURSION_DEPTH
) {
426 tevent_req_done(req
);
427 return tevent_req_post(req
, ev
);
430 resolve_cname
= ((rec
->wType
== DNS_TYPE_CNAME
) &&
431 ((question
->question_type
== DNS_QTYPE_A
) ||
432 (question
->question_type
== DNS_QTYPE_AAAA
)));
434 if (!resolve_cname
) {
435 if ((question
->question_type
!= DNS_QTYPE_ALL
) &&
437 (enum dns_record_type
) question
->question_type
)) {
438 tevent_req_done(req
);
439 return tevent_req_post(req
, ev
);
442 werr
= add_response_rr(question
->name
, rec
, state
->answers
);
443 if (tevent_req_werror(req
, werr
)) {
444 return tevent_req_post(req
, ev
);
447 tevent_req_done(req
);
448 return tevent_req_post(req
, ev
);
451 werr
= add_response_rr(question
->name
, rec
, state
->answers
);
452 if (tevent_req_werror(req
, werr
)) {
453 return tevent_req_post(req
, ev
);
456 new_q
= talloc(state
, struct dns_name_question
);
457 if (tevent_req_nomem(new_q
, req
)) {
458 return tevent_req_post(req
, ev
);
461 *new_q
= (struct dns_name_question
) {
462 .question_type
= question
->question_type
,
463 .question_class
= question
->question_class
,
464 .name
= rec
->data
.cname
467 if (dns_authoritative_for_zone(dns
, new_q
->name
)) {
468 subreq
= handle_authoritative_send(
469 state
, ev
, dns
, forwarder
, new_q
,
470 state
->answers
, state
->nsrecs
,
472 if (tevent_req_nomem(subreq
, req
)) {
473 return tevent_req_post(req
, ev
);
475 tevent_req_set_callback(subreq
, handle_dnsrpcrec_gotauth
, req
);
479 subreq
= ask_forwarder_send(state
, ev
, forwarder
, new_q
);
480 if (tevent_req_nomem(subreq
, req
)) {
481 return tevent_req_post(req
, ev
);
483 tevent_req_set_callback(subreq
, handle_dnsrpcrec_gotforwarded
, req
);
488 static void handle_dnsrpcrec_gotauth(struct tevent_req
*subreq
)
490 struct tevent_req
*req
= tevent_req_callback_data(
491 subreq
, struct tevent_req
);
494 werr
= handle_authoritative_recv(subreq
);
496 if (tevent_req_werror(req
, werr
)) {
499 tevent_req_done(req
);
502 static void handle_dnsrpcrec_gotforwarded(struct tevent_req
*subreq
)
504 struct tevent_req
*req
= tevent_req_callback_data(
505 subreq
, struct tevent_req
);
506 struct handle_dnsrpcrec_state
*state
= tevent_req_data(
507 req
, struct handle_dnsrpcrec_state
);
508 struct dns_res_rec
*answers
, *nsrecs
, *additional
;
509 uint16_t ancount
= 0;
510 uint16_t nscount
= 0;
511 uint16_t arcount
= 0;
515 werr
= ask_forwarder_recv(subreq
, state
, &answers
, &ancount
,
516 &nsrecs
, &nscount
, &additional
, &arcount
);
517 if (tevent_req_werror(req
, werr
)) {
521 for (i
=0; i
<ancount
; i
++) {
522 werr
= add_dns_res_rec(state
->answers
, &answers
[i
]);
523 if (tevent_req_werror(req
, werr
)) {
528 for (i
=0; i
<nscount
; i
++) {
529 werr
= add_dns_res_rec(state
->nsrecs
, &nsrecs
[i
]);
530 if (tevent_req_werror(req
, werr
)) {
535 tevent_req_done(req
);
538 static WERROR
handle_dnsrpcrec_recv(struct tevent_req
*req
)
540 return tevent_req_simple_recv_werror(req
);
543 struct handle_authoritative_state
{
544 struct tevent_context
*ev
;
545 struct dns_server
*dns
;
546 struct dns_name_question
*question
;
547 const char *forwarder
;
549 struct dnsp_DnssrvRpcRecord
*recs
;
553 struct dns_res_rec
**answers
;
554 struct dns_res_rec
**nsrecs
;
559 static void handle_authoritative_done(struct tevent_req
*subreq
);
561 static struct tevent_req
*handle_authoritative_send(
562 TALLOC_CTX
*mem_ctx
, struct tevent_context
*ev
,
563 struct dns_server
*dns
, const char *forwarder
,
564 struct dns_name_question
*question
,
565 struct dns_res_rec
**answers
, struct dns_res_rec
**nsrecs
,
568 struct tevent_req
*req
, *subreq
;
569 struct handle_authoritative_state
*state
;
570 struct ldb_dn
*dn
= NULL
;
573 req
= tevent_req_create(mem_ctx
, &state
,
574 struct handle_authoritative_state
);
580 state
->question
= question
;
581 state
->forwarder
= forwarder
;
582 state
->answers
= answers
;
583 state
->nsrecs
= nsrecs
;
584 state
->cname_depth
= cname_depth
;
586 werr
= dns_name2dn(dns
, state
, question
->name
, &dn
);
587 if (tevent_req_werror(req
, werr
)) {
588 return tevent_req_post(req
, ev
);
590 werr
= dns_lookup_records_wildcard(dns
, state
, dn
, &state
->recs
,
593 if (tevent_req_werror(req
, werr
)) {
594 return tevent_req_post(req
, ev
);
597 if (state
->rec_count
== 0) {
598 tevent_req_werror(req
, DNS_ERR(NAME_ERROR
));
599 return tevent_req_post(req
, ev
);
602 subreq
= handle_dnsrpcrec_send(
603 state
, state
->ev
, state
->dns
, state
->forwarder
,
604 state
->question
, &state
->recs
[state
->recs_done
],
605 state
->answers
, state
->nsrecs
,
607 if (tevent_req_nomem(subreq
, req
)) {
608 return tevent_req_post(req
, ev
);
610 tevent_req_set_callback(subreq
, handle_authoritative_done
, req
);
614 static void handle_authoritative_done(struct tevent_req
*subreq
)
616 struct tevent_req
*req
= tevent_req_callback_data(
617 subreq
, struct tevent_req
);
618 struct handle_authoritative_state
*state
= tevent_req_data(
619 req
, struct handle_authoritative_state
);
622 werr
= handle_dnsrpcrec_recv(subreq
);
624 if (tevent_req_werror(req
, werr
)) {
628 state
->recs_done
+= 1;
630 if (state
->recs_done
== state
->rec_count
) {
631 tevent_req_done(req
);
635 subreq
= handle_dnsrpcrec_send(
636 state
, state
->ev
, state
->dns
, state
->forwarder
,
637 state
->question
, &state
->recs
[state
->recs_done
],
638 state
->answers
, state
->nsrecs
,
640 if (tevent_req_nomem(subreq
, req
)) {
643 tevent_req_set_callback(subreq
, handle_authoritative_done
, req
);
646 static WERROR
handle_authoritative_recv(struct tevent_req
*req
)
648 struct handle_authoritative_state
*state
= tevent_req_data(
649 req
, struct handle_authoritative_state
);
652 if (tevent_req_is_werror(req
, &werr
)) {
656 werr
= add_zone_authority_record(state
->dns
, state
, state
->question
,
658 if (!W_ERROR_IS_OK(werr
)) {
665 static NTSTATUS
create_tkey(struct dns_server
*dns
,
667 const char* algorithm
,
668 const struct tsocket_address
*remote_address
,
669 const struct tsocket_address
*local_address
,
670 struct dns_server_tkey
**tkey
)
673 struct dns_server_tkey_store
*store
= dns
->tkeys
;
674 struct dns_server_tkey
*k
= talloc_zero(store
, struct dns_server_tkey
);
677 return NT_STATUS_NO_MEMORY
;
680 k
->name
= talloc_strdup(k
, name
);
682 if (k
->name
== NULL
) {
683 return NT_STATUS_NO_MEMORY
;
686 k
->algorithm
= talloc_strdup(k
, algorithm
);
687 if (k
->algorithm
== NULL
) {
688 return NT_STATUS_NO_MEMORY
;
692 * We only allow SPNEGO/KRB5 currently
693 * and rely on the backend to be RPC/IPC free.
695 * It allows gensec_update() not to block.
697 status
= samba_server_gensec_krb5_start(k
,
698 dns
->task
->event_ctx
,
701 dns
->server_credentials
,
704 if (!NT_STATUS_IS_OK(status
)) {
705 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status
)));
710 gensec_want_feature(k
->gensec
, GENSEC_FEATURE_SIGN
);
712 status
= gensec_set_remote_address(k
->gensec
,
714 if (!NT_STATUS_IS_OK(status
)) {
715 DEBUG(1, ("Failed to set remote address into GENSEC: %s\n",
721 status
= gensec_set_local_address(k
->gensec
,
723 if (!NT_STATUS_IS_OK(status
)) {
724 DEBUG(1, ("Failed to set local address into GENSEC: %s\n",
730 status
= gensec_start_mech_by_oid(k
->gensec
, GENSEC_OID_SPNEGO
);
732 if (!NT_STATUS_IS_OK(status
)) {
733 DEBUG(1, ("Failed to start GENSEC server code: %s\n",
739 TALLOC_FREE(store
->tkeys
[store
->next_idx
]);
741 store
->tkeys
[store
->next_idx
] = k
;
743 store
->next_idx
%= store
->size
;
749 static NTSTATUS
accept_gss_ticket(TALLOC_CTX
*mem_ctx
,
750 struct dns_server
*dns
,
751 struct dns_server_tkey
*tkey
,
752 const DATA_BLOB
*key
,
754 uint16_t *dns_auth_error
)
759 * We use samba_server_gensec_krb5_start(),
760 * which only allows SPNEGO/KRB5 currently
761 * and makes sure the backend to be RPC/IPC free.
763 * See gensec_gssapi_update_internal() as
766 * It allows gensec_update() not to block.
768 * If that changes in future we need to use
769 * gensec_update_send/recv here!
771 status
= gensec_update(tkey
->gensec
, mem_ctx
,
774 if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED
, status
)) {
775 *dns_auth_error
= DNS_RCODE_OK
;
779 if (NT_STATUS_IS_OK(status
)) {
781 status
= gensec_session_info(tkey
->gensec
, tkey
, &tkey
->session_info
);
782 if (!NT_STATUS_IS_OK(status
)) {
783 *dns_auth_error
= DNS_RCODE_BADKEY
;
786 *dns_auth_error
= DNS_RCODE_OK
;
792 static WERROR
handle_tkey(struct dns_server
*dns
,
794 const struct dns_name_packet
*in
,
795 struct dns_request_state
*state
,
796 struct dns_res_rec
**answers
,
799 struct dns_res_rec
*in_tkey
= NULL
;
800 struct dns_res_rec
*ret_tkey
;
803 for (i
= 0; i
< in
->arcount
; i
++) {
804 if (in
->additional
[i
].rr_type
== DNS_QTYPE_TKEY
) {
805 in_tkey
= &in
->additional
[i
];
810 /* If this is a TKEY query, it should have a TKEY RR.
811 * Behaviour is not really specified in RFC 2930 or RFC 3645, but
812 * FORMAT_ERROR seems to be what BIND uses .*/
813 if (in_tkey
== NULL
) {
814 return DNS_ERR(FORMAT_ERROR
);
817 ret_tkey
= talloc_zero(mem_ctx
, struct dns_res_rec
);
818 if (ret_tkey
== NULL
) {
819 return WERR_NOT_ENOUGH_MEMORY
;
822 ret_tkey
->name
= talloc_strdup(ret_tkey
, in_tkey
->name
);
823 if (ret_tkey
->name
== NULL
) {
824 return WERR_NOT_ENOUGH_MEMORY
;
827 ret_tkey
->rr_type
= DNS_QTYPE_TKEY
;
828 ret_tkey
->rr_class
= DNS_QCLASS_ANY
;
829 ret_tkey
->length
= UINT16_MAX
;
831 ret_tkey
->rdata
.tkey_record
.algorithm
= talloc_strdup(ret_tkey
,
832 in_tkey
->rdata
.tkey_record
.algorithm
);
833 if (ret_tkey
->rdata
.tkey_record
.algorithm
== NULL
) {
834 return WERR_NOT_ENOUGH_MEMORY
;
837 ret_tkey
->rdata
.tkey_record
.inception
= in_tkey
->rdata
.tkey_record
.inception
;
838 ret_tkey
->rdata
.tkey_record
.expiration
= in_tkey
->rdata
.tkey_record
.expiration
;
839 ret_tkey
->rdata
.tkey_record
.mode
= in_tkey
->rdata
.tkey_record
.mode
;
841 switch (in_tkey
->rdata
.tkey_record
.mode
) {
842 case DNS_TKEY_MODE_DH
:
843 /* FIXME: According to RFC 2930, we MUST support this, but we don't.
844 * Still, claim it's a bad key instead of a bad mode */
845 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADKEY
;
847 case DNS_TKEY_MODE_GSSAPI
: {
849 struct dns_server_tkey
*tkey
;
853 tkey
= dns_find_tkey(dns
->tkeys
, in
->questions
[0].name
);
854 if (tkey
!= NULL
&& tkey
->complete
) {
855 /* TODO: check if the key is still valid */
856 DEBUG(1, ("Rejecting tkey negotiation for already established key\n"));
857 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADNAME
;
862 status
= create_tkey(dns
, in
->questions
[0].name
,
863 in_tkey
->rdata
.tkey_record
.algorithm
,
864 state
->remote_address
,
865 state
->local_address
,
867 if (!NT_STATUS_IS_OK(status
)) {
868 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADKEY
;
869 return ntstatus_to_werror(status
);
873 key
.data
= in_tkey
->rdata
.tkey_record
.key_data
;
874 key
.length
= in_tkey
->rdata
.tkey_record
.key_size
;
876 status
= accept_gss_ticket(ret_tkey
, dns
, tkey
, &key
, &reply
,
877 &ret_tkey
->rdata
.tkey_record
.error
);
878 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
879 DEBUG(1, ("More processing required\n"));
880 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADKEY
;
881 } else if (NT_STATUS_IS_OK(status
)) {
882 DBG_DEBUG("Tkey handshake completed\n");
883 ret_tkey
->rdata
.tkey_record
.key_size
= reply
.length
;
884 ret_tkey
->rdata
.tkey_record
.key_data
= talloc_memdup(ret_tkey
,
887 if (ret_tkey
->rdata
.tkey_record
.key_data
== NULL
) {
888 return WERR_NOT_ENOUGH_MEMORY
;
891 state
->key_name
= talloc_strdup(state
->mem_ctx
, tkey
->name
);
892 if (state
->key_name
== NULL
) {
893 return WERR_NOT_ENOUGH_MEMORY
;
896 DEBUG(1, ("GSS key negotiation returned %s\n", nt_errstr(status
)));
897 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADKEY
;
902 case DNS_TKEY_MODE_DELETE
:
903 /* TODO: implement me */
904 DEBUG(1, ("Should delete tkey here\n"));
905 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_OK
;
907 case DNS_TKEY_MODE_NULL
:
908 case DNS_TKEY_MODE_SERVER
:
909 case DNS_TKEY_MODE_CLIENT
:
910 case DNS_TKEY_MODE_LAST
:
911 /* We don't have to implement these, return a mode error */
912 ret_tkey
->rdata
.tkey_record
.error
= DNS_RCODE_BADMODE
;
915 DEBUG(1, ("Unsupported TKEY mode %d\n",
916 in_tkey
->rdata
.tkey_record
.mode
));
925 struct dns_server_process_query_state
{
926 struct tevent_context
*ev
;
927 struct dns_server
*dns
;
928 struct dns_name_question
*question
;
930 struct dns_res_rec
*answers
;
932 struct dns_res_rec
*nsrecs
;
934 struct dns_res_rec
*additional
;
936 struct forwarder_string
*forwarders
;
939 static void dns_server_process_query_got_auth(struct tevent_req
*subreq
);
940 static void dns_server_process_query_got_response(struct tevent_req
*subreq
);
942 struct tevent_req
*dns_server_process_query_send(
943 TALLOC_CTX
*mem_ctx
, struct tevent_context
*ev
,
944 struct dns_server
*dns
, struct dns_request_state
*req_state
,
945 const struct dns_name_packet
*in
)
947 struct tevent_req
*req
, *subreq
;
948 struct dns_server_process_query_state
*state
;
949 const char **forwarders
= NULL
;
952 req
= tevent_req_create(mem_ctx
, &state
,
953 struct dns_server_process_query_state
);
957 if (in
->qdcount
!= 1) {
958 tevent_req_werror(req
, DNS_ERR(FORMAT_ERROR
));
959 return tevent_req_post(req
, ev
);
962 /* Windows returns NOT_IMPLEMENTED on this as well */
963 if (in
->questions
[0].question_class
== DNS_QCLASS_NONE
) {
964 tevent_req_werror(req
, DNS_ERR(NOT_IMPLEMENTED
));
965 return tevent_req_post(req
, ev
);
968 if (in
->questions
[0].question_type
== DNS_QTYPE_TKEY
) {
971 err
= handle_tkey(dns
, state
, in
, req_state
,
972 &state
->answers
, &state
->ancount
);
973 if (tevent_req_werror(req
, err
)) {
974 return tevent_req_post(req
, ev
);
976 tevent_req_done(req
);
977 return tevent_req_post(req
, ev
);
982 state
->question
= &in
->questions
[0];
984 forwarders
= lpcfg_dns_forwarder(dns
->task
->lp_ctx
);
985 for (i
= 0; forwarders
!= NULL
&& forwarders
[i
] != NULL
; i
++) {
986 struct forwarder_string
*f
= talloc_zero(state
,
987 struct forwarder_string
);
988 f
->forwarder
= forwarders
[i
];
989 DLIST_ADD_END(state
->forwarders
, f
);
992 if (dns_authoritative_for_zone(dns
, in
->questions
[0].name
)) {
994 req_state
->flags
|= DNS_FLAG_AUTHORITATIVE
;
997 * Initialize the response arrays, so that we can use
998 * them as their own talloc contexts when doing the
1001 state
->answers
= talloc_array(state
, struct dns_res_rec
, 0);
1002 if (tevent_req_nomem(state
->answers
, req
)) {
1003 return tevent_req_post(req
, ev
);
1005 state
->nsrecs
= talloc_array(state
, struct dns_res_rec
, 0);
1006 if (tevent_req_nomem(state
->nsrecs
, req
)) {
1007 return tevent_req_post(req
, ev
);
1010 subreq
= handle_authoritative_send(
1011 state
, ev
, dns
, (forwarders
== NULL
? NULL
: forwarders
[0]),
1012 &in
->questions
[0], &state
->answers
, &state
->nsrecs
,
1013 0); /* cname_depth */
1014 if (tevent_req_nomem(subreq
, req
)) {
1015 return tevent_req_post(req
, ev
);
1017 tevent_req_set_callback(
1018 subreq
, dns_server_process_query_got_auth
, req
);
1022 if ((req_state
->flags
& DNS_FLAG_RECURSION_DESIRED
) &&
1023 (req_state
->flags
& DNS_FLAG_RECURSION_AVAIL
)) {
1024 DEBUG(5, ("Not authoritative for '%s', forwarding\n",
1025 in
->questions
[0].name
));
1027 subreq
= ask_forwarder_send(state
, ev
,
1028 (forwarders
== NULL
? NULL
: forwarders
[0]),
1030 if (tevent_req_nomem(subreq
, req
)) {
1031 return tevent_req_post(req
, ev
);
1033 tevent_req_set_callback(
1034 subreq
, dns_server_process_query_got_response
, req
);
1038 tevent_req_werror(req
, DNS_ERR(NAME_ERROR
));
1039 return tevent_req_post(req
, ev
);
1042 static void dns_server_process_query_got_response(struct tevent_req
*subreq
)
1044 struct tevent_req
*req
= tevent_req_callback_data(
1045 subreq
, struct tevent_req
);
1046 struct dns_server_process_query_state
*state
= tevent_req_data(
1047 req
, struct dns_server_process_query_state
);
1050 werr
= ask_forwarder_recv(subreq
, state
,
1051 &state
->answers
, &state
->ancount
,
1052 &state
->nsrecs
, &state
->nscount
,
1053 &state
->additional
, &state
->arcount
);
1054 TALLOC_FREE(subreq
);
1056 /* If you get an error, attempt a different forwarder */
1057 if (!W_ERROR_IS_OK(werr
)) {
1058 if (state
->forwarders
!= NULL
) {
1059 DLIST_REMOVE(state
->forwarders
, state
->forwarders
);
1062 /* If you have run out of forwarders, simply finish */
1063 if (state
->forwarders
== NULL
) {
1064 tevent_req_werror(req
, werr
);
1068 DEBUG(5, ("DNS query returned %s, trying another forwarder.\n",
1070 subreq
= ask_forwarder_send(state
, state
->ev
,
1071 state
->forwarders
->forwarder
,
1074 if (tevent_req_nomem(subreq
, req
)) {
1078 tevent_req_set_callback(subreq
,
1079 dns_server_process_query_got_response
,
1084 tevent_req_done(req
);
1087 static void dns_server_process_query_got_auth(struct tevent_req
*subreq
)
1089 struct tevent_req
*req
= tevent_req_callback_data(
1090 subreq
, struct tevent_req
);
1091 struct dns_server_process_query_state
*state
= tevent_req_data(
1092 req
, struct dns_server_process_query_state
);
1095 werr
= handle_authoritative_recv(subreq
);
1096 TALLOC_FREE(subreq
);
1098 /* If you get an error, attempt a different forwarder */
1099 if (!W_ERROR_IS_OK(werr
)) {
1100 if (state
->forwarders
!= NULL
) {
1101 DLIST_REMOVE(state
->forwarders
, state
->forwarders
);
1104 /* If you have run out of forwarders, simply finish */
1105 if (state
->forwarders
== NULL
) {
1106 tevent_req_werror(req
, werr
);
1110 DEBUG(5, ("Error: %s, trying a different forwarder.\n",
1112 subreq
= handle_authoritative_send(state
, state
->ev
, state
->dns
,
1113 state
->forwarders
->forwarder
,
1114 state
->question
, &state
->answers
,
1116 0); /* cname_depth */
1118 if (tevent_req_nomem(subreq
, req
)) {
1122 tevent_req_set_callback(subreq
,
1123 dns_server_process_query_got_auth
,
1128 state
->ancount
= talloc_array_length(state
->answers
);
1129 state
->nscount
= talloc_array_length(state
->nsrecs
);
1130 state
->arcount
= talloc_array_length(state
->additional
);
1132 tevent_req_done(req
);
1135 WERROR
dns_server_process_query_recv(
1136 struct tevent_req
*req
, TALLOC_CTX
*mem_ctx
,
1137 struct dns_res_rec
**answers
, uint16_t *ancount
,
1138 struct dns_res_rec
**nsrecs
, uint16_t *nscount
,
1139 struct dns_res_rec
**additional
, uint16_t *arcount
)
1141 struct dns_server_process_query_state
*state
= tevent_req_data(
1142 req
, struct dns_server_process_query_state
);
1143 WERROR err
= WERR_OK
;
1145 if (tevent_req_is_werror(req
, &err
)) {
1147 if ((!W_ERROR_EQUAL(err
, DNS_ERR(NAME_ERROR
))) &&
1148 (!W_ERROR_EQUAL(err
, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST
))) {
1152 *answers
= talloc_move(mem_ctx
, &state
->answers
);
1153 *ancount
= state
->ancount
;
1154 *nsrecs
= talloc_move(mem_ctx
, &state
->nsrecs
);
1155 *nscount
= state
->nscount
;
1156 *additional
= talloc_move(mem_ctx
, &state
->additional
);
1157 *arcount
= state
->arcount
;