1 files changed, 207 insertions, 0 deletions

diff --git a/contrib/bind9/lib/dns/include/dns/rpz.h b/contrib/bind9/lib/dns/include/dns/rpz.h
new file mode 100644
index 000000000000..4227dd44e05b
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rpz.h
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef DNS_RPZ_H
+#define DNS_RPZ_H 1
+
+#include <isc/lang.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RPZ_IP_ZONE		"rpz-ip"
+#define DNS_RPZ_NSIP_ZONE	"rpz-nsip"
+#define DNS_RPZ_NSDNAME_ZONE	"rpz-nsdname"
+#define DNS_RPZ_PASSTHRU_ZONE	"rpz-passthru"
+
+typedef isc_uint8_t		dns_rpz_cidr_bits_t;
+
+typedef enum {
+	DNS_RPZ_TYPE_BAD,
+	DNS_RPZ_TYPE_QNAME,
+	DNS_RPZ_TYPE_IP,
+	DNS_RPZ_TYPE_NSDNAME,
+	DNS_RPZ_TYPE_NSIP
+} dns_rpz_type_t;
+
+/*
+ * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
+ * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
+ * policies.
+ */
+typedef enum {
+	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
+	DNS_RPZ_POLICY_DISABLED = 1,	/* 'cname x': answer with x's rrsets */
+	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
+	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
+	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
+	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
+	DNS_RPZ_POLICY_RECORD,
+	DNS_RPZ_POLICY_WILDCNAME,
+	DNS_RPZ_POLICY_MISS,
+	DNS_RPZ_POLICY_ERROR
+} dns_rpz_policy_t;
+
+/*
+ * Specify a response policy zone.
+ */
+typedef struct dns_rpz_zone dns_rpz_zone_t;
+
+struct dns_rpz_zone {
+	ISC_LINK(dns_rpz_zone_t) link;
+	int			 num;	  /* ordinal in list of policy zones */
+	dns_name_t		 origin;  /* Policy zone name */
+	dns_name_t		 nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
+	dns_name_t		 passthru;/* DNS_RPZ_PASSTHRU_ZONE. */
+	dns_name_t		 cname;	  /* override value for ..._CNAME */
+	dns_ttl_t		 max_policy_ttl;
+	dns_rpz_policy_t	 policy;  /* DNS_RPZ_POLICY_GIVEN or override */
+	isc_boolean_t		 recursive_only;
+};
+
+/*
+ * Radix trees for response policy IP addresses.
+ */
+typedef struct dns_rpz_cidr	dns_rpz_cidr_t;
+
+/*
+ * context for finding the best policy
+ */
+typedef struct {
+	unsigned int		state;
+# define DNS_RPZ_REWRITTEN	0x0001
+# define DNS_RPZ_DONE_QNAME	0x0002	/* qname checked */
+# define DNS_RPZ_DONE_QNAME_IP	0x0004	/* IP addresses of qname checked */
+# define DNS_RPZ_DONE_NSDNAME	0x0008	/* NS name missed; checking addresses */
+# define DNS_RPZ_DONE_IPv4 	0x0010
+# define DNS_RPZ_RECURSING	0x0020
+# define DNS_RPZ_HAVE_IP 	0x0040	/* a policy zone has IP addresses */
+# define DNS_RPZ_HAVE_NSIPv4	0x0080	/*		  IPv4 NISP addresses */
+# define DNS_RPZ_HAVE_NSIPv6	0x0100	/*		  IPv6 NISP addresses */
+# define DNS_RPZ_HAVE_NSDNAME	0x0200	/*		  NS names */
+	/*
+	 * Best match so far.
+	 */
+	struct {
+		dns_rpz_type_t		type;
+		dns_rpz_zone_t		*rpz;
+		dns_rpz_cidr_bits_t	prefix;
+		dns_rpz_policy_t	policy;
+		dns_ttl_t		ttl;
+		isc_result_t		result;
+		dns_zone_t		*zone;
+		dns_db_t		*db;
+		dns_dbversion_t		*version;
+		dns_dbnode_t		*node;
+		dns_rdataset_t		*rdataset;
+	} m;
+	/*
+	 * State for chasing IP addresses and NS names including recursion.
+	 */
+	struct {
+		unsigned int		label;
+		dns_db_t		*db;
+		dns_rdataset_t		*ns_rdataset;
+		dns_rdatatype_t		r_type;
+		isc_result_t		r_result;
+		dns_rdataset_t		*r_rdataset;
+	} r;
+	/*
+	 * State of real query while recursing for NSIP or NSDNAME.
+	 */
+	struct {
+		isc_result_t		result;
+		isc_boolean_t		is_zone;
+		isc_boolean_t		authoritative;
+		dns_zone_t		*zone;
+		dns_db_t		*db;
+		dns_dbnode_t		*node;
+		dns_rdataset_t		*rdataset;
+		dns_rdataset_t		*sigrdataset;
+		dns_rdatatype_t		qtype;
+	} q;
+	dns_name_t		*qname;
+	dns_name_t		*r_name;
+	dns_name_t		*fname;
+	dns_fixedname_t		_qnamef;
+	dns_fixedname_t		_r_namef;
+	dns_fixedname_t		_fnamef;
+} dns_rpz_st_t;
+
+#define DNS_RPZ_TTL_DEFAULT		5
+#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT
+
+/*
+ * So various response policy zone messages can be turned up or down.
+ */
+#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
+#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
+#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
+#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
+#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
+#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type);
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str);
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy);
+
+void
+dns_rpz_set_need(isc_boolean_t need);
+
+isc_boolean_t
+dns_rpz_needed(void);
+
+void
+dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
+
+void
+dns_rpz_view_destroy(dns_view_t *view);
+
+isc_result_t
+dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
+		 dns_rpz_cidr_t **rbtdb_cidr);
+void
+dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
+
+void
+dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
+
+void
+dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);
+
+isc_result_t
+dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
+		  dns_rpz_type_t type, dns_name_t *canon_name,
+		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
+
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+		     dns_name_t *selfname);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RPZ_H */
+