designate.mdns.handler

Source code for designate.mdns.handler

# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Author: Kiall Mac Innes <kiall@hpe.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import dns
import dns.flags
import dns.message
import dns.opcode
import dns.rcode
import dns.rdataclass
import dns.rdatatype
from oslo_config import cfg
from oslo_log import log as logging

from designate import exceptions
from designate.worker import rpcapi as worker_api


LOG = logging.getLogger(__name__)
CONF = cfg.CONF

CONF.import_opt('default_pool_id', 'designate.central',
                group='service:central')

# 10 Bytes of RR metadata, 64 bytes of TSIG RR data, variable length TSIG Key
# name (restricted in designate to 160 chars), 1 byte for trailing dot.
TSIG_RRSIZE = 10 + 64 + 160 + 1


[docs]class RequestHandler(object): def __init__(self, storage, tg): self._worker_api = None self.storage = storage self.tg = tg @property def worker_api(self): if not self._worker_api: self._worker_api = worker_api.WorkerAPI.get_instance() return self._worker_api def __call__(self, request): """ :param request: DNS Request Message :return: DNS Response Message """ if request.opcode() == dns.opcode.QUERY: # Currently we expect exactly 1 question in the section # TSIG places the pseudo records into the additional section. if (len(request.question) != 1 or request.question[0].rdclass != dns.rdataclass.IN): LOG.debug('Refusing due to numbers of questions or rdclass') yield self._handle_query_error(request, dns.rcode.REFUSED) return q_rrset = request.question[0] # Handle AXFR and IXFR requests with an AXFR responses for now. # It is permissible for a server to send an AXFR response when # receiving an IXFR request. if q_rrset.rdtype in (dns.rdatatype.AXFR, dns.rdatatype.IXFR): for response in self._handle_axfr(request): yield response return else: for response in self._handle_record_query(request): yield response return elif request.opcode() == dns.opcode.NOTIFY: for response in self._handle_notify(request): yield response return else: # Unhandled OpCode's include STATUS, IQUERY, UPDATE LOG.debug('Refusing unhandled opcode') yield self._handle_query_error(request, dns.rcode.REFUSED) return def _handle_notify(self, request): """ Constructs the response to a NOTIFY and acts accordingly on it. * Checks if the master sending the NOTIFY is in the Zone's masters, if not it is ignored. * Checks if SOA query response serial != local serial. """ context = request.environ['context'] response = dns.message.make_response(request) if len(request.question) != 1: response.set_rcode(dns.rcode.FORMERR) yield response return else: question = request.question[0] name = question.name.to_text() if isinstance(name, bytes): name = name.decode('utf-8') criterion = { 'name': name, 'type': 'SECONDARY', 'deleted': False } try: zone = self.storage.find_zone(context, criterion) except exceptions.ZoneNotFound: response.set_rcode(dns.rcode.NOTAUTH) yield response return notify_addr = request.environ['addr'][0] # We check if the src_master which is the assumed master for the zone # that is sending this NOTIFY OP is actually the master. If it's not # We'll reply but don't do anything with the NOTIFY. master_addr = zone.get_master_by_ip(notify_addr) if not master_addr: LOG.warning( 'NOTIFY for %(name)s from non-master server %(addr)s, ' 'refusing.', { 'name': zone.name, 'addr': notify_addr } ) response.set_rcode(dns.rcode.REFUSED) yield response return resolver = dns.resolver.Resolver() # According to RFC we should query the server that sent the NOTIFY resolver.nameservers = [notify_addr] soa_answer = resolver.query(zone.name, 'SOA') soa_serial = soa_answer[0].serial if soa_serial == zone.serial: LOG.info( 'Serial %(serial)s is the same for master and us for ' '%(zone_id)s', { 'serial': soa_serial, 'zone_id': zone.id } ) else: LOG.info( 'Scheduling AXFR for %(zone_id)s from %(master_addr)s', { 'zone_id': zone.id, 'master_addr': master_addr.to_data() } ) self.worker_api.perform_zone_xfr(context, zone, [master_addr]) response.flags |= dns.flags.AA yield response return def _zone_criterion_from_request(self, request, criterion=None): """Builds a bare criterion dict based on the request attributes""" criterion = criterion or {} tsigkey = request.environ.get('tsigkey') if tsigkey is None and CONF['service:mdns'].query_enforce_tsig: raise exceptions.Forbidden('Request is not TSIG signed') elif tsigkey is None: # Default to using the default_pool_id when no TSIG key is # available criterion['pool_id'] = CONF['service:central'].default_pool_id else: if tsigkey.scope == 'POOL': criterion['pool_id'] = tsigkey.resource_id elif tsigkey.scope == 'ZONE': criterion['id'] = tsigkey.resource_id else: raise NotImplementedError('Support for %s scoped TSIG Keys is ' 'not implemented') return criterion def _handle_axfr(self, request): context = request.environ['context'] q_rrset = request.question[0] # First check if there is an existing zone # TODO(vinod) once validation is separated from the api, # validate the parameters try: name = q_rrset.name.to_text() if isinstance(name, bytes): name = name.decode('utf-8') criterion = self._zone_criterion_from_request( request, {'name': name}) zone = self.storage.find_zone(context, criterion) except exceptions.ZoneNotFound: LOG.warning('ZoneNotFound while handling axfr request. ' 'Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return except exceptions.Forbidden: LOG.warning('Forbidden while handling axfr request. ' 'Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return # The AXFR response needs to have a SOA at the beginning and end. criterion = {'zone_id': zone.id, 'type': 'SOA'} soa_records = self.storage.find_recordsets_axfr(context, criterion) # Get all the records other than SOA criterion = {'zone_id': zone.id, 'type': '!SOA'} records = self.storage.find_recordsets_axfr(context, criterion) # Place the SOA RRSet at the front and end of the RRSet list records.insert(0, soa_records[0]) records.append(soa_records[0]) # Handle multi message response with tsig multi_messages = False multi_messages_context = None # Render the results, yielding a packet after each TooBig exception. renderer = None while records: record = records.pop(0) rrname = str(record[3]) ttl = int(record[2]) if record[2] is not None else zone.ttl rrtype = str(record[1]) rdata = [str(record[4])] rrset = dns.rrset.from_text_list( rrname, ttl, dns.rdataclass.IN, rrtype, rdata, ) while True: try: if not renderer: renderer = self._create_axfr_renderer(request) renderer.add_rrset(dns.renderer.ANSWER, rrset) break except dns.exception.TooBig: # The response will span multiple messages since one # message is not enough multi_messages = True if renderer.counts[dns.renderer.ANSWER] == 0: # We've received a TooBig from the first attempted # RRSet in this packet. Log a warning and abort the # AXFR. LOG.warning( 'Aborted AXFR of %(zone)s, a single RR ' '(%(rrset_type)s %(rrset_name)s) ' 'exceeded the max message size.', { 'zone': zone.name, 'rrset_type': rrtype, 'rrset_name': rrname, } ) yield self._handle_query_error( request, dns.rcode.SERVFAIL ) return renderer, multi_messages_context = self._finalize_packet( renderer, request, multi_messages, multi_messages_context) yield renderer renderer = None if renderer: renderer, multi_messages_context = self._finalize_packet( renderer, request, multi_messages, multi_messages_context) yield renderer return def _handle_record_query(self, request): """Handle a DNS QUERY request for a record""" context = request.environ['context'] response = dns.message.make_response(request) try: q_rrset = request.question[0] name = q_rrset.name.to_text() if isinstance(name, bytes): name = name.decode('utf-8') # TODO(vinod) once validation is separated from the api, # validate the parameters criterion = { 'name': name, 'type': dns.rdatatype.to_text(q_rrset.rdtype), 'zones_deleted': False } recordset = self.storage.find_recordset(context, criterion) except exceptions.NotFound: # If an FQDN exists, like www.rackspace.com, but the specific # record type doesn't exist, like type SPF, then the return code # would be NOERROR and the SOA record is returned. This tells # caching nameservers that the FQDN does exist, so don't negatively # cache it, but the specific record doesn't exist. # # If an FQDN doesn't exist with any record type, that is NXDOMAIN. # However, an authoritative nameserver shouldn't return NXDOMAIN # for a zone it isn't authoritative for. It would be more # appropriate for it to return REFUSED. It should still return # NXDOMAIN if it is authoritative for a zone but the FQDN doesn't # exist, like abcdef.rackspace.com. Of course, a wildcard within a # zone would mean that NXDOMAIN isn't ever returned for a zone. # # To simply things currently this returns a REFUSED in all cases. # If zone transfers needs different errors, we could revisit this. LOG.info('NotFound, refusing. Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return except exceptions.Forbidden: LOG.info('Forbidden, refusing. Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return try: criterion = self._zone_criterion_from_request( request, {'id': recordset.zone_id}) zone = self.storage.find_zone(context, criterion) except exceptions.ZoneNotFound: LOG.warning('ZoneNotFound while handling query request. ' 'Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return except exceptions.Forbidden: LOG.warning('Forbidden while handling query request. ' 'Question was %(qr)s', {'qr': q_rrset}) yield self._handle_query_error(request, dns.rcode.REFUSED) return r_rrset = self._convert_to_rrset(zone, recordset) response.answer = [r_rrset] if r_rrset else [] response.set_rcode(dns.rcode.NOERROR) # For all the data stored in designate mdns is Authoritative response.flags |= dns.flags.AA yield response def _create_axfr_renderer(self, request): # Build up a dummy response, we're stealing it's logic for building # the Flags. response = dns.message.make_response(request) response.flags |= dns.flags.AA response.set_rcode(dns.rcode.NOERROR) max_message_size = self._get_max_message_size(request.had_tsig) renderer = dns.renderer.Renderer( response.id, response.flags, max_message_size) for q in request.question: renderer.add_question(q.name, q.rdtype, q.rdclass) return renderer @staticmethod def _convert_to_rrset(zone, recordset): # Fetch the zone or the config ttl if the recordset ttl is null ttl = recordset.ttl or zone.ttl # construct rdata from all the records # TODO(Ron): this should be handled in the Storage query where we # find the recordsets. rdata = [str(record.data) for record in recordset.records if record.action != 'DELETE'] # Now put the records into dnspython's RRsets # answer section has 1 RR set. If the RR set has multiple # records, DNSpython puts each record in a separate answer # section. # RRSet has name, ttl, class, type and rdata # The rdata has one or more records if not rdata: return None return dns.rrset.from_text_list( recordset.name, ttl, dns.rdataclass.IN, recordset.type, rdata) @staticmethod def _finalize_packet(renderer, request, multi_messages=False, multi_messages_context=None): renderer.write_header() if request.had_tsig: # Make the space we reserved for TSIG available for use renderer.max_size += TSIG_RRSIZE if multi_messages: # The first message context will be None then the # context for the prev message is used for the next multi_messages_context = renderer.add_multi_tsig( multi_messages_context, request.keyname, request.keyring[request.keyname], request.fudge, request.original_id, request.tsig_error, request.other_data, request.mac, request.keyalgorithm) else: renderer.add_tsig(request.keyname, request.keyring[request.keyname], request.fudge, request.original_id, request.tsig_error, request.other_data, request.mac, request.keyalgorithm) return renderer, multi_messages_context @staticmethod def _get_max_message_size(had_tsig): max_message_size = CONF['service:mdns'].max_message_size if max_message_size > 65535: LOG.warning('MDNS max message size must not be greater than 65535') max_message_size = 65535 if had_tsig: # Make some room for the TSIG RR to be appended at the end of the # rendered message. max_message_size = max_message_size - TSIG_RRSIZE return max_message_size @staticmethod def _handle_query_error(request, rcode): """ Construct an error response with the rcode passed in. :param request: The decoded request from the wire. :param rcode: The response code to send back. :return: A dns response message with the response code set to rcode """ response = dns.message.make_response(request) response.set_rcode(rcode) return response
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.