1*c0b5d9fbSchristos /* $NetBSD: rpz.h,v 1.9 2022/09/23 12:15:30 christos Exp $ */ 2e2b1b9c0Schristos 3e2b1b9c0Schristos /* 4e2b1b9c0Schristos * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5e2b1b9c0Schristos * 6*c0b5d9fbSchristos * SPDX-License-Identifier: MPL-2.0 7*c0b5d9fbSchristos * 8e2b1b9c0Schristos * This Source Code Form is subject to the terms of the Mozilla Public 9e2b1b9c0Schristos * License, v. 2.0. If a copy of the MPL was not distributed with this 1073584a28Schristos * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11e2b1b9c0Schristos * 12e2b1b9c0Schristos * See the COPYRIGHT file distributed with this work for additional 13e2b1b9c0Schristos * information regarding copyright ownership. 14e2b1b9c0Schristos */ 15e2b1b9c0Schristos 16e2b1b9c0Schristos #ifndef DNS_RPZ_H 17e2b1b9c0Schristos #define DNS_RPZ_H 1 18e2b1b9c0Schristos 19f2e20987Schristos #include <inttypes.h> 20f2e20987Schristos #include <stdbool.h> 21f2e20987Schristos 22e2b1b9c0Schristos #include <isc/deprecated.h> 23e2b1b9c0Schristos #include <isc/event.h> 24e2b1b9c0Schristos #include <isc/ht.h> 25e2b1b9c0Schristos #include <isc/lang.h> 26e2b1b9c0Schristos #include <isc/refcount.h> 27e2b1b9c0Schristos #include <isc/rwlock.h> 28e2b1b9c0Schristos #include <isc/time.h> 29e2b1b9c0Schristos #include <isc/timer.h> 30e2b1b9c0Schristos 31e2b1b9c0Schristos #include <dns/fixedname.h> 32e2b1b9c0Schristos #include <dns/rdata.h> 33e2b1b9c0Schristos #include <dns/types.h> 34e2b1b9c0Schristos 35e2b1b9c0Schristos ISC_LANG_BEGINDECLS 36e2b1b9c0Schristos 37e2b1b9c0Schristos #define DNS_RPZ_PREFIX "rpz-" 38e2b1b9c0Schristos /* 39e2b1b9c0Schristos * Sub-zones of various trigger types. 40e2b1b9c0Schristos */ 41e2b1b9c0Schristos #define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip" 42e2b1b9c0Schristos #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX "ip" 43e2b1b9c0Schristos #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX "nsip" 44e2b1b9c0Schristos #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX "nsdname" 45e2b1b9c0Schristos /* 46e2b1b9c0Schristos * Special policies. 47e2b1b9c0Schristos */ 48e2b1b9c0Schristos #define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru" 49e2b1b9c0Schristos #define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX "drop" 50e2b1b9c0Schristos #define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only" 51e2b1b9c0Schristos 52f2e20987Schristos typedef uint8_t dns_rpz_prefix_t; 53e2b1b9c0Schristos 54e2b1b9c0Schristos typedef enum { 55e2b1b9c0Schristos DNS_RPZ_TYPE_BAD, 56e2b1b9c0Schristos DNS_RPZ_TYPE_CLIENT_IP, 57e2b1b9c0Schristos DNS_RPZ_TYPE_QNAME, 58e2b1b9c0Schristos DNS_RPZ_TYPE_IP, 59e2b1b9c0Schristos DNS_RPZ_TYPE_NSDNAME, 60e2b1b9c0Schristos DNS_RPZ_TYPE_NSIP 61e2b1b9c0Schristos } dns_rpz_type_t; 62e2b1b9c0Schristos 63e2b1b9c0Schristos /* 64e2b1b9c0Schristos * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP 65e2b1b9c0Schristos * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA 66e2b1b9c0Schristos * < DNS_RPZ_POLICY_CNAME to choose among competing policies. 67e2b1b9c0Schristos */ 68e2b1b9c0Schristos typedef enum { 69e2b1b9c0Schristos DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ 70e2b1b9c0Schristos DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ 71e2b1b9c0Schristos DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ 72e2b1b9c0Schristos DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ 73e2b1b9c0Schristos DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */ 74e2b1b9c0Schristos DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */ 75e2b1b9c0Schristos DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */ 76e2b1b9c0Schristos DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */ 779ad14dd7Schristos DNS_RPZ_POLICY_DNS64, /* Apply DN64 to the A rewrite */ 78e2b1b9c0Schristos DNS_RPZ_POLICY_RECORD, 79e2b1b9c0Schristos DNS_RPZ_POLICY_WILDCNAME, 80e2b1b9c0Schristos DNS_RPZ_POLICY_MISS, 81e2b1b9c0Schristos DNS_RPZ_POLICY_ERROR 82e2b1b9c0Schristos } dns_rpz_policy_t; 83e2b1b9c0Schristos 84f2e20987Schristos typedef uint8_t dns_rpz_num_t; 85e2b1b9c0Schristos 86f2e20987Schristos #define DNS_RPZ_MAX_ZONES 64 87f2e20987Schristos /* 88f2e20987Schristos * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain 89f2e20987Schristos * at least DNS_RPZ_MAX_ZONES bits. 90f2e20987Schristos */ 91f2e20987Schristos typedef uint64_t dns_rpz_zbits_t; 92e2b1b9c0Schristos 93e2b1b9c0Schristos #define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) 94e2b1b9c0Schristos 95e2b1b9c0Schristos #define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES 96e2b1b9c0Schristos 97e2b1b9c0Schristos #define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) 98e2b1b9c0Schristos 99e2b1b9c0Schristos /* 100e2b1b9c0Schristos * Mask of the specified and higher numbered policy zones 101e2b1b9c0Schristos * Avoid hassles with (1<<33) or (1<<65) 102e2b1b9c0Schristos */ 1039742fdb4Schristos #define DNS_RPZ_ZMASK(n) \ 104fadf0758Schristos ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1) \ 105fadf0758Schristos ? 0 \ 106fadf0758Schristos : (1ULL << ((n) + 1))) - \ 1079742fdb4Schristos 1)) 108e2b1b9c0Schristos 109e2b1b9c0Schristos /* 110e2b1b9c0Schristos * The trigger counter type. 111e2b1b9c0Schristos */ 112e2b1b9c0Schristos typedef size_t dns_rpz_trigger_counter_t; 113e2b1b9c0Schristos 114e2b1b9c0Schristos /* 115e2b1b9c0Schristos * The number of triggers of each type in a response policy zone. 116e2b1b9c0Schristos */ 117e2b1b9c0Schristos typedef struct dns_rpz_triggers dns_rpz_triggers_t; 118e2b1b9c0Schristos struct dns_rpz_triggers { 119e2b1b9c0Schristos dns_rpz_trigger_counter_t client_ipv4; 120e2b1b9c0Schristos dns_rpz_trigger_counter_t client_ipv6; 121e2b1b9c0Schristos dns_rpz_trigger_counter_t qname; 122e2b1b9c0Schristos dns_rpz_trigger_counter_t ipv4; 123e2b1b9c0Schristos dns_rpz_trigger_counter_t ipv6; 124e2b1b9c0Schristos dns_rpz_trigger_counter_t nsdname; 125e2b1b9c0Schristos dns_rpz_trigger_counter_t nsipv4; 126e2b1b9c0Schristos dns_rpz_trigger_counter_t nsipv6; 127e2b1b9c0Schristos }; 128e2b1b9c0Schristos 129e2b1b9c0Schristos /* 130e2b1b9c0Schristos * A single response policy zone. 131e2b1b9c0Schristos */ 132e2b1b9c0Schristos typedef struct dns_rpz_zone dns_rpz_zone_t; 133e2b1b9c0Schristos typedef struct dns_rpz_zones dns_rpz_zones_t; 134e2b1b9c0Schristos 135e2b1b9c0Schristos struct dns_rpz_zone { 136e2b1b9c0Schristos isc_refcount_t refs; 137e2b1b9c0Schristos dns_rpz_num_t num; /* ordinal in list of policy zones */ 138e2b1b9c0Schristos dns_name_t origin; /* Policy zone name */ 139e2b1b9c0Schristos dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ 140e2b1b9c0Schristos dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ 141e2b1b9c0Schristos dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ 142e2b1b9c0Schristos dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ 143e2b1b9c0Schristos dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ 144e2b1b9c0Schristos dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ 145e2b1b9c0Schristos dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */ 146e2b1b9c0Schristos dns_name_t cname; /* override value for ..._CNAME */ 147e2b1b9c0Schristos dns_ttl_t max_policy_ttl; 148e2b1b9c0Schristos dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ 149e2b1b9c0Schristos 1509742fdb4Schristos uint32_t min_update_interval; /* minimal interval between 1519742fdb4Schristos * updates */ 152e2b1b9c0Schristos isc_ht_t *nodes; /* entries in zone */ 153e2b1b9c0Schristos dns_rpz_zones_t *rpzs; /* owner */ 1549742fdb4Schristos isc_time_t lastupdated; /* last time the zone was processed 1559742fdb4Schristos * */ 1569742fdb4Schristos bool updatepending; /* there is an update 1579742fdb4Schristos * pending/waiting */ 158f2e20987Schristos bool updaterunning; /* there is an update running */ 159e2b1b9c0Schristos dns_db_t *db; /* zones database */ 160e2b1b9c0Schristos dns_dbversion_t *dbversion; /* version we will be updating to */ 161e2b1b9c0Schristos dns_db_t *updb; /* zones database we're working on */ 1629742fdb4Schristos dns_dbversion_t *updbversion; /* version we're currently working 1639742fdb4Schristos * on */ 164e2b1b9c0Schristos dns_dbiterator_t *updbit; /* iterator to use when updating */ 165e2b1b9c0Schristos isc_ht_t *newnodes; /* entries in zone being updated */ 1669742fdb4Schristos bool db_registered; /* is the notify event 1679742fdb4Schristos * registered? */ 16877279b93Schristos bool addsoa; /* add soa to the additional section */ 169e2b1b9c0Schristos isc_timer_t *updatetimer; 170e2b1b9c0Schristos isc_event_t updateevent; 171e2b1b9c0Schristos }; 172e2b1b9c0Schristos 173e2b1b9c0Schristos /* 174e2b1b9c0Schristos * Radix tree node for response policy IP addresses 175e2b1b9c0Schristos */ 176e2b1b9c0Schristos typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; 177e2b1b9c0Schristos 178e2b1b9c0Schristos /* 179e2b1b9c0Schristos * Bitfields indicating which policy zones have policies of 180e2b1b9c0Schristos * which type. 181e2b1b9c0Schristos */ 182e2b1b9c0Schristos typedef struct dns_rpz_have dns_rpz_have_t; 183e2b1b9c0Schristos struct dns_rpz_have { 184e2b1b9c0Schristos dns_rpz_zbits_t client_ipv4; 185e2b1b9c0Schristos dns_rpz_zbits_t client_ipv6; 186e2b1b9c0Schristos dns_rpz_zbits_t client_ip; 187e2b1b9c0Schristos dns_rpz_zbits_t qname; 188e2b1b9c0Schristos dns_rpz_zbits_t ipv4; 189e2b1b9c0Schristos dns_rpz_zbits_t ipv6; 190e2b1b9c0Schristos dns_rpz_zbits_t ip; 191e2b1b9c0Schristos dns_rpz_zbits_t nsdname; 192e2b1b9c0Schristos dns_rpz_zbits_t nsipv4; 193e2b1b9c0Schristos dns_rpz_zbits_t nsipv6; 194e2b1b9c0Schristos dns_rpz_zbits_t nsip; 195e2b1b9c0Schristos dns_rpz_zbits_t qname_skip_recurse; 196e2b1b9c0Schristos }; 197e2b1b9c0Schristos 198e2b1b9c0Schristos /* 199e2b1b9c0Schristos * Policy options 200e2b1b9c0Schristos */ 201e2b1b9c0Schristos typedef struct dns_rpz_popt dns_rpz_popt_t; 202e2b1b9c0Schristos struct dns_rpz_popt { 203e2b1b9c0Schristos dns_rpz_zbits_t no_rd_ok; 204e2b1b9c0Schristos dns_rpz_zbits_t no_log; 205e2b1b9c0Schristos dns_rpz_zbits_t nsip_on; 206e2b1b9c0Schristos dns_rpz_zbits_t nsdname_on; 207f2e20987Schristos bool dnsrps_enabled; 208f2e20987Schristos bool break_dnssec; 209f2e20987Schristos bool qname_wait_recurse; 210f2e20987Schristos bool nsip_wait_recurse; 211e2b1b9c0Schristos unsigned int min_ns_labels; 212e2b1b9c0Schristos dns_rpz_num_t num_zones; 213e2b1b9c0Schristos }; 214e2b1b9c0Schristos 215e2b1b9c0Schristos /* 216e2b1b9c0Schristos * Response policy zones known to a view. 217e2b1b9c0Schristos */ 218e2b1b9c0Schristos struct dns_rpz_zones { 219e2b1b9c0Schristos dns_rpz_popt_t p; 220e2b1b9c0Schristos dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; 221e2b1b9c0Schristos dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; 222e2b1b9c0Schristos 223e2b1b9c0Schristos /* 224e2b1b9c0Schristos * RPZ policy version number. 225e2b1b9c0Schristos * It is initially 0 and it increases whenever the server is 226e2b1b9c0Schristos * reconfigured with new zones or policy. 227e2b1b9c0Schristos */ 228e2b1b9c0Schristos int rpz_ver; 229e2b1b9c0Schristos 230e2b1b9c0Schristos dns_rpz_zbits_t defined; 231e2b1b9c0Schristos 232e2b1b9c0Schristos /* 233e2b1b9c0Schristos * The set of records for a policy zone are in one of these states: 234e2b1b9c0Schristos * never loaded load_begun=0 have=0 235e2b1b9c0Schristos * during initial loading load_begun=1 have=0 236e2b1b9c0Schristos * and rbtdb->rpzsp == rbtdb->load_rpzsp 237e2b1b9c0Schristos * after good load load_begun=1 have!=0 238e2b1b9c0Schristos * after failed initial load load_begun=1 have=0 239e2b1b9c0Schristos * and rbtdb->load_rpzsp == NULL 240e2b1b9c0Schristos * reloading after failure load_begun=1 have=0 241e2b1b9c0Schristos * reloading after success 242e2b1b9c0Schristos * main rpzs load_begun=1 have!=0 243e2b1b9c0Schristos * load rpzs load_begun=1 have=0 244e2b1b9c0Schristos */ 245e2b1b9c0Schristos dns_rpz_zbits_t load_begun; 246e2b1b9c0Schristos dns_rpz_have_t have; 247e2b1b9c0Schristos 248e2b1b9c0Schristos /* 249e2b1b9c0Schristos * total_triggers maintains the total number of triggers in all 250e2b1b9c0Schristos * policy zones in the view. It is only used to print summary 251e2b1b9c0Schristos * statistics after a zone load of how the trigger counts 252e2b1b9c0Schristos * changed. 253e2b1b9c0Schristos */ 254e2b1b9c0Schristos dns_rpz_triggers_t total_triggers; 255e2b1b9c0Schristos 256e2b1b9c0Schristos isc_mem_t *mctx; 257e2b1b9c0Schristos isc_taskmgr_t *taskmgr; 258e2b1b9c0Schristos isc_timermgr_t *timermgr; 259e2b1b9c0Schristos isc_task_t *updater; 260e2b1b9c0Schristos isc_refcount_t refs; 2619ad14dd7Schristos isc_refcount_t irefs; 262e2b1b9c0Schristos /* 263e2b1b9c0Schristos * One lock for short term read-only search that guarantees the 264e2b1b9c0Schristos * consistency of the pointers. 265e2b1b9c0Schristos * A second lock for maintenance that guarantees no other thread 266e2b1b9c0Schristos * is adding or deleting nodes. 267e2b1b9c0Schristos */ 268e2b1b9c0Schristos isc_rwlock_t search_lock; 269e2b1b9c0Schristos isc_mutex_t maint_lock; 270e2b1b9c0Schristos 271e2b1b9c0Schristos dns_rpz_cidr_node_t *cidr; 272e2b1b9c0Schristos dns_rbt_t *rbt; 273e2b1b9c0Schristos 274e2b1b9c0Schristos /* 275e2b1b9c0Schristos * DNSRPZ librpz configuration string and handle on librpz connection 276e2b1b9c0Schristos */ 277e2b1b9c0Schristos char *rps_cstr; 278e2b1b9c0Schristos size_t rps_cstr_size; 279e2b1b9c0Schristos struct librpz_client *rps_client; 280e2b1b9c0Schristos }; 281e2b1b9c0Schristos 282e2b1b9c0Schristos /* 283e2b1b9c0Schristos * context for finding the best policy 284e2b1b9c0Schristos */ 285e2b1b9c0Schristos typedef struct { 286e2b1b9c0Schristos unsigned int state; 287e2b1b9c0Schristos #define DNS_RPZ_REWRITTEN 0x0001 288e2b1b9c0Schristos #define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ 289e2b1b9c0Schristos #define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ 290e2b1b9c0Schristos #define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ 291e2b1b9c0Schristos #define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ 292e2b1b9c0Schristos #define DNS_RPZ_DONE_IPv4 0x0020 293e2b1b9c0Schristos #define DNS_RPZ_RECURSING 0x0040 294e2b1b9c0Schristos #define DNS_RPZ_ACTIVE 0x0080 295e2b1b9c0Schristos /* 296e2b1b9c0Schristos * Best match so far. 297e2b1b9c0Schristos */ 298e2b1b9c0Schristos struct { 299e2b1b9c0Schristos dns_rpz_type_t type; 300e2b1b9c0Schristos dns_rpz_zone_t *rpz; 301e2b1b9c0Schristos dns_rpz_prefix_t prefix; 302e2b1b9c0Schristos dns_rpz_policy_t policy; 303e2b1b9c0Schristos dns_ttl_t ttl; 304e2b1b9c0Schristos isc_result_t result; 305e2b1b9c0Schristos dns_zone_t *zone; 306e2b1b9c0Schristos dns_db_t *db; 307e2b1b9c0Schristos dns_dbversion_t *version; 308e2b1b9c0Schristos dns_dbnode_t *node; 309e2b1b9c0Schristos dns_rdataset_t *rdataset; 310e2b1b9c0Schristos } m; 311e2b1b9c0Schristos /* 312e2b1b9c0Schristos * State for chasing IP addresses and NS names including recursion. 313e2b1b9c0Schristos */ 314e2b1b9c0Schristos struct { 315e2b1b9c0Schristos unsigned int label; 316e2b1b9c0Schristos dns_db_t *db; 317e2b1b9c0Schristos dns_rdataset_t *ns_rdataset; 318e2b1b9c0Schristos dns_rdatatype_t r_type; 319e2b1b9c0Schristos isc_result_t r_result; 320e2b1b9c0Schristos dns_rdataset_t *r_rdataset; 321e2b1b9c0Schristos } r; 322e2b1b9c0Schristos 323e2b1b9c0Schristos /* 324e2b1b9c0Schristos * State of real query while recursing for NSIP or NSDNAME. 325e2b1b9c0Schristos */ 326e2b1b9c0Schristos struct { 327e2b1b9c0Schristos isc_result_t result; 328f2e20987Schristos bool is_zone; 329f2e20987Schristos bool authoritative; 330e2b1b9c0Schristos dns_zone_t *zone; 331e2b1b9c0Schristos dns_db_t *db; 332e2b1b9c0Schristos dns_dbnode_t *node; 333e2b1b9c0Schristos dns_rdataset_t *rdataset; 334e2b1b9c0Schristos dns_rdataset_t *sigrdataset; 335e2b1b9c0Schristos dns_rdatatype_t qtype; 336e2b1b9c0Schristos } q; 337e2b1b9c0Schristos 338e2b1b9c0Schristos /* 339e2b1b9c0Schristos * A copy of the 'have' and 'p' structures and the RPZ 340e2b1b9c0Schristos * policy version as of the beginning of RPZ processing, 341e2b1b9c0Schristos * used to avoid problems when policy is updated while 342e2b1b9c0Schristos * RPZ recursion is ongoing. 343e2b1b9c0Schristos */ 344e2b1b9c0Schristos dns_rpz_have_t have; 345e2b1b9c0Schristos dns_rpz_popt_t popt; 346e2b1b9c0Schristos int rpz_ver; 347e2b1b9c0Schristos 348e2b1b9c0Schristos /* 349e2b1b9c0Schristos * Shim db between BIND and DNRPS librpz. 350e2b1b9c0Schristos */ 351e2b1b9c0Schristos dns_db_t *rpsdb; 352e2b1b9c0Schristos 353e2b1b9c0Schristos /* 354e2b1b9c0Schristos * p_name: current policy owner name 355e2b1b9c0Schristos * r_name: recursing for this name to possible policy triggers 356e2b1b9c0Schristos * f_name: saved found name from before recursion 357e2b1b9c0Schristos */ 358e2b1b9c0Schristos dns_name_t *p_name; 359e2b1b9c0Schristos dns_name_t *r_name; 360e2b1b9c0Schristos dns_name_t *fname; 361e2b1b9c0Schristos dns_fixedname_t _p_namef; 362e2b1b9c0Schristos dns_fixedname_t _r_namef; 363e2b1b9c0Schristos dns_fixedname_t _fnamef; 364e2b1b9c0Schristos } dns_rpz_st_t; 365e2b1b9c0Schristos 366e2b1b9c0Schristos #define DNS_RPZ_TTL_DEFAULT 5 367e2b1b9c0Schristos #define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT 368e2b1b9c0Schristos #define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60 369e2b1b9c0Schristos 370e2b1b9c0Schristos /* 371e2b1b9c0Schristos * So various response policy zone messages can be turned up or down. 372e2b1b9c0Schristos */ 373e2b1b9c0Schristos #define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING 374e2b1b9c0Schristos #define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO 375e2b1b9c0Schristos #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1) 376e2b1b9c0Schristos #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2) 377e2b1b9c0Schristos #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3) 378e2b1b9c0Schristos #define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3 + 1) 379e2b1b9c0Schristos 380e2b1b9c0Schristos const char * 381e2b1b9c0Schristos dns_rpz_type2str(dns_rpz_type_t type); 382e2b1b9c0Schristos 383e2b1b9c0Schristos dns_rpz_policy_t 384e2b1b9c0Schristos dns_rpz_str2policy(const char *str); 385e2b1b9c0Schristos 386e2b1b9c0Schristos const char * 387e2b1b9c0Schristos dns_rpz_policy2str(dns_rpz_policy_t policy); 388e2b1b9c0Schristos 389e2b1b9c0Schristos dns_rpz_policy_t 390e2b1b9c0Schristos dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, 391e2b1b9c0Schristos dns_name_t *selfname); 392e2b1b9c0Schristos 393e2b1b9c0Schristos isc_result_t 3949742fdb4Schristos dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size, 3959742fdb4Schristos isc_mem_t *mctx, isc_taskmgr_t *taskmgr, 3969742fdb4Schristos isc_timermgr_t *timermgr); 397e2b1b9c0Schristos 398e2b1b9c0Schristos isc_result_t 399e2b1b9c0Schristos dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp); 400e2b1b9c0Schristos 401e2b1b9c0Schristos isc_result_t 402e2b1b9c0Schristos dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg); 403e2b1b9c0Schristos 404e2b1b9c0Schristos void 405e2b1b9c0Schristos dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); 406e2b1b9c0Schristos 407e2b1b9c0Schristos void 408e2b1b9c0Schristos dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); 409e2b1b9c0Schristos 410e2b1b9c0Schristos isc_result_t 4119742fdb4Schristos dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs, 4129742fdb4Schristos dns_rpz_num_t rpz_num) ISC_DEPRECATED; 413e2b1b9c0Schristos 414e2b1b9c0Schristos isc_result_t 4159742fdb4Schristos dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp, 4169742fdb4Schristos dns_rpz_num_t rpz_num) ISC_DEPRECATED; 417e2b1b9c0Schristos 418e2b1b9c0Schristos isc_result_t 419e2b1b9c0Schristos dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 420e2b1b9c0Schristos const dns_name_t *name); 421e2b1b9c0Schristos 422e2b1b9c0Schristos void 423e2b1b9c0Schristos dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 424e2b1b9c0Schristos const dns_name_t *name); 425e2b1b9c0Schristos 426e2b1b9c0Schristos dns_rpz_num_t 427e2b1b9c0Schristos dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 428e2b1b9c0Schristos dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, 429e2b1b9c0Schristos dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); 430e2b1b9c0Schristos 431e2b1b9c0Schristos dns_rpz_zbits_t 432e2b1b9c0Schristos dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 433e2b1b9c0Schristos dns_rpz_zbits_t zbits, dns_name_t *trig_name); 434e2b1b9c0Schristos 435e2b1b9c0Schristos ISC_LANG_ENDDECLS 436e2b1b9c0Schristos 437e2b1b9c0Schristos #endif /* DNS_RPZ_H */ 438