diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index f8cbee27f4..4253a73821 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -203,6 +203,11 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, isc_mem_t *mctx = dns_zone_getmctx(zone); bool autoddns = false; isc_result_t result = ISC_R_SUCCESS; + char debug[1024]; + isc_buffer_t dbuf; + + isc_buffer_init(&dbuf, debug, sizeof(debug)); + isc_buffer_setmctx(&dbuf, mctx); (void)cfg_map_get(zconfig, "update-policy", &updatepolicy); @@ -237,7 +242,9 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, isc_buffer_t b; dns_ssuruletype_t *types; unsigned int i, n; + char namebuf[DNS_NAME_FORMATSIZE]; + isc_buffer_clear(&dbuf); str = cfg_obj_asstring(mode); if (strcasecmp(str, "grant") == 0) { grant = true; @@ -246,14 +253,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, } else { UNREACHABLE(); } - - str = cfg_obj_asstring(matchtype); - CHECK(dns_ssu_mtypefromstring(str, &mtype)); - if (mtype == dns_ssumatchtype_subdomain && - strcasecmp(str, "zonesub") == 0) - { - usezone = true; - } + isc_buffer_putstr(&dbuf, str); dns_fixedname_init(&fident); str = cfg_obj_asstring(identity); @@ -266,6 +266,20 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, "'%s' is not a valid name", str); goto cleanup; } + dns_name_format(dns_fixedname_name(&fident), namebuf, + sizeof(namebuf)); + isc_buffer_putstr(&dbuf, " "); + isc_buffer_putstr(&dbuf, namebuf); + + str = cfg_obj_asstring(matchtype); + CHECK(dns_ssu_mtypefromstring(str, &mtype)); + if (mtype == dns_ssumatchtype_subdomain && + strcasecmp(str, "zonesub") == 0) + { + usezone = true; + } + isc_buffer_putstr(&dbuf, " "); + isc_buffer_putstr(&dbuf, str); dns_fixedname_init(&fname); if (usezone) { @@ -282,6 +296,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, "'%s' is not a valid name", str); goto cleanup; } + dns_name_format(dns_fixedname_name(&fname), namebuf, + sizeof(namebuf)); + isc_buffer_putstr(&dbuf, " "); + isc_buffer_putstr(&dbuf, namebuf); } n = named_config_listcount(typelist); @@ -305,6 +323,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, typeobj = cfg_listelt_value(element2); str = cfg_obj_asstring(typeobj); r.base = UNCONST(str); + isc_buffer_putstr(&dbuf, " "); + isc_buffer_putstr(&dbuf, str); bracket = strchr(str, '(' /*)*/); if (bracket != NULL) { @@ -337,9 +357,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, } INSIST(i == n); + isc_buffer_putuint8(&dbuf, '\0'); dns_ssutable_addrule(table, grant, dns_fixedname_name(&fident), mtype, dns_fixedname_name(&fname), n, - types); + types, isc_buffer_base(&dbuf)); if (types != NULL) { isc_mem_cput(mctx, types, n, sizeof(*types)); } @@ -363,15 +384,16 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, goto cleanup; } - dns_ssutable_addrule(table, true, - named_g_server->session_keyname, - dns_ssumatchtype_local, - dns_zone_getorigin(zone), 1, &any); + dns_ssutable_addrule( + table, true, named_g_server->session_keyname, + dns_ssumatchtype_local, dns_zone_getorigin(zone), 1, + &any, "local"); } dns_zone_setssutable(zone, table); cleanup: + isc_buffer_clearmctx(&dbuf); dns_ssutable_detach(&table); return (result); } diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h index ead0097632..b26f750911 100644 --- a/lib/dns/include/dns/ssu.h +++ b/lib/dns/include/dns/ssu.h @@ -111,7 +111,7 @@ void dns_ssutable_addrule(dns_ssutable_t *table, bool grant, const dns_name_t *identity, dns_ssumatchtype_t matchtype, const dns_name_t *name, unsigned int ntypes, - dns_ssuruletype_t *types); + dns_ssuruletype_t *types, const char *debug); /*%< * Adds a new rule to a simple-secure-update rule table. The rule * either grants or denies update privileges of an identity (or set of @@ -134,6 +134,7 @@ dns_ssutable_addrule(dns_ssutable_t *table, bool grant, *\li 'matchtype' must be one of the defined constants. *\li 'name' is a valid absolute name *\li If 'ntypes' > 0, 'types' must not be NULL + *\li 'debug' must not be NULL * * Returns: *\li ISC_R_SUCCESS diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c index fdfd3f6981..18782209d2 100644 --- a/lib/dns/ssu.c +++ b/lib/dns/ssu.c @@ -47,6 +47,7 @@ struct dns_ssurule { dns_ssuruletype_t *types; /*%< the data types. Can include */ /* ANY. if NULL, defaults to all */ /* types except SIG, SOA, and NS */ + char *debug; /*%< text version for debugging */ ISC_LINK(dns_ssurule_t) link; }; @@ -96,6 +97,9 @@ destroy(dns_ssutable_t *table) { isc_mem_cput(mctx, rule->types, rule->ntypes, sizeof(*rule->types)); } + if (rule->debug != NULL) { + isc_mem_free(mctx, rule->debug); + } ISC_LIST_UNLINK(table->rules, rule, link); rule->magic = 0; isc_mem_put(mctx, rule, sizeof(dns_ssurule_t)); @@ -129,11 +133,56 @@ dns_ssutable_detach(dns_ssutable_t **tablep) { } } +static const char * +mtypetostring(dns_ssumatchtype_t matchtype) { + switch (matchtype) { + case dns_ssumatchtype_name: + return ("name"); + case dns_ssumatchtype_wildcard: + return ("wildcard"); + case dns_ssumatchtype_self: + return ("self"); + case dns_ssumatchtype_selfsub: + return ("selfsub"); + case dns_ssumatchtype_selfwild: + return ("selfwild"); + case dns_ssumatchtype_selfms: + return ("ms-self"); + case dns_ssumatchtype_selfsubms: + return ("ms-selfsub"); + case dns_ssumatchtype_selfkrb5: + return ("krb5-self"); + case dns_ssumatchtype_selfsubkrb5: + return ("krb5-selfsub"); + case dns_ssumatchtype_subdomainms: + return ("ms-subdomain"); + case dns_ssumatchtype_subdomainselfmsrhs: + return ("ms-subdomain-self-rhs"); + case dns_ssumatchtype_subdomainkrb5: + return ("krb5-subdomain"); + case dns_ssumatchtype_subdomainselfkrb5rhs: + return ("krb5-subdomain-self-rhs"); + case dns_ssumatchtype_tcpself: + return ("tcp-self"); + case dns_ssumatchtype_6to4self: + return ("6to4-self"); + case dns_ssumatchtype_subdomain: + return ("subdomain"); + case dns_ssumatchtype_external: + return ("external"); + case dns_ssumatchtype_local: + return ("local"); + case dns_ssumatchtype_dlz: + return ("dlz"); + } + return ("UnknownMatchType"); +} + void dns_ssutable_addrule(dns_ssutable_t *table, bool grant, const dns_name_t *identity, dns_ssumatchtype_t matchtype, const dns_name_t *name, unsigned int ntypes, - dns_ssuruletype_t *types) { + dns_ssuruletype_t *types, const char *debug) { dns_ssurule_t *rule; isc_mem_t *mctx; @@ -147,35 +196,34 @@ dns_ssutable_addrule(dns_ssutable_t *table, bool grant, if (ntypes > 0) { REQUIRE(types != NULL); } + REQUIRE(debug != NULL); mctx = table->mctx; rule = isc_mem_get(mctx, sizeof(*rule)); + *rule = (dns_ssurule_t){ + .grant = grant, + .matchtype = matchtype, + .identity = isc_mem_get(mctx, sizeof(*rule->identity)), + .name = isc_mem_get(mctx, sizeof(*rule->name)), + .ntypes = ntypes, + .types = ntypes == 0 ? NULL + : isc_mem_cget(mctx, ntypes, + sizeof(*rule->types)), + .link = ISC_LINK_INITIALIZER, + .magic = SSURULEMAGIC, + }; - rule->identity = NULL; - rule->name = NULL; - rule->types = NULL; - - rule->grant = grant; - - rule->identity = isc_mem_get(mctx, sizeof(*rule->identity)); dns_name_init(rule->identity, NULL); dns_name_dup(identity, mctx, rule->identity); - - rule->name = isc_mem_get(mctx, sizeof(*rule->name)); dns_name_init(rule->name, NULL); dns_name_dup(name, mctx, rule->name); - rule->matchtype = matchtype; - - rule->ntypes = ntypes; if (ntypes > 0) { - rule->types = isc_mem_cget(mctx, ntypes, sizeof(*rule->types)); memmove(rule->types, types, ntypes * sizeof(*rule->types)); - } else { - rule->types = NULL; } - rule->magic = SSURULEMAGIC; + rule->debug = isc_mem_strdup(mctx, debug); + ISC_LIST_INITANDAPPEND(table->rules, rule, link); } @@ -289,12 +337,40 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, int match; isc_result_t result; unsigned int i; + bool logit = isc_log_wouldlog(99); REQUIRE(VALID_SSUTABLE(table)); REQUIRE(signer == NULL || dns_name_isabsolute(signer)); REQUIRE(dns_name_isabsolute(name)); REQUIRE(addr == NULL || env != NULL); + if (logit) { + char signerbuf[DNS_NAME_FORMATSIZE] = { 0 }; + char namebuf[DNS_NAME_FORMATSIZE] = { 0 }; + char targetbuf[DNS_NAME_FORMATSIZE] = { 0 }; + char addrbuf[ISC_NETADDR_FORMATSIZE] = { 0 }; + char typebuf[DNS_RDATATYPE_FORMATSIZE] = { 0 }; + + if (signer != NULL) { + dns_name_format(signer, signerbuf, sizeof(signerbuf)); + } + dns_name_format(name, namebuf, sizeof(namebuf)); + if (target != NULL) { + dns_name_format(target, targetbuf, sizeof(targetbuf)); + } + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + if (addr != NULL) { + isc_netaddr_format(addr, addrbuf, sizeof(addrbuf)); + } + + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: using: signer=%s name=%s addr=%s " + "tcp=%u type=%s target=%s", + signerbuf, namebuf, addrbuf, tcp, typebuf, + targetbuf); + } + if (signer == NULL && addr == NULL) { return (false); } @@ -302,6 +378,49 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, for (rule = ISC_LIST_HEAD(table->rules); rule != NULL; rule = ISC_LIST_NEXT(rule, link)) { + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99), + "update-policy: trying: %s", + rule->debug != NULL ? rule->debug + : "not available"); + + if (tcp && addr != NULL) { + char namebuf[DNS_NAME_FORMATSIZE] = { 0 }; + switch (rule->matchtype) { + case dns_ssumatchtype_tcpself: + tcpself = + dns_fixedname_initname(&fixed); + reverse_from_address(tcpself, addr); + dns_name_format(tcpself, namebuf, + sizeof(namebuf)); + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: %s=%s", + mtypetostring(rule->matchtype), + namebuf); + break; + case dns_ssumatchtype_6to4self: + stfself = + dns_fixedname_initname(&fixed); + stf_from_address(stfself, addr); + dns_name_format(stfself, namebuf, + sizeof(namebuf)); + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: %s=%s", + mtypetostring(rule->matchtype), + namebuf); + break; + default: + break; + } + } + } switch (rule->matchtype) { case dns_ssumatchtype_local: case dns_ssumatchtype_name: @@ -311,16 +430,43 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, case dns_ssumatchtype_subdomain: case dns_ssumatchtype_wildcard: if (signer == NULL) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: no signer"); + } continue; } if (dns_name_iswildcard(rule->identity)) { if (!dns_name_matcheswildcard(signer, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: signer does not " + "match wildcard " + "identity"); + } continue; } } else { if (!dns_name_equal(signer, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: signer does not " + "match identity"); + } continue; } } @@ -334,12 +480,28 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, case dns_ssumatchtype_subdomainselfkrb5rhs: case dns_ssumatchtype_subdomainselfmsrhs: if (signer == NULL) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: no signer"); + } continue; } break; case dns_ssumatchtype_tcpself: case dns_ssumatchtype_6to4self: if (!tcp || addr == NULL) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: %s", + tcp ? "no address" : "not TCP"); + } continue; } break; @@ -351,19 +513,51 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, switch (rule->matchtype) { case dns_ssumatchtype_name: if (!dns_name_equal(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: name mismatch"); + } continue; } break; case dns_ssumatchtype_subdomain: if (!dns_name_issubdomain(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "name/subdomain mismatch"); + } continue; } break; case dns_ssumatchtype_local: if (addr == NULL) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: no address"); + } continue; } if (!dns_name_issubdomain(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "name/subdomain mismatch"); + } continue; } rcu_read_lock(); @@ -381,21 +575,56 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, "key not from " "localhost"); } + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "address not local"); + } continue; } break; case dns_ssumatchtype_wildcard: if (!dns_name_matcheswildcard(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: record name does " + "not match wilcard name"); + } continue; } break; case dns_ssumatchtype_self: if (!dns_name_equal(signer, name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: record named not " + "equal signer"); + } continue; } break; case dns_ssumatchtype_selfsub: if (!dns_name_issubdomain(name, signer)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: record name not " + "subdomain of signer"); + } continue; } break; @@ -404,9 +633,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, result = dns_name_concatenate(dns_wildcardname, signer, wildcard, NULL); if (result != ISC_R_SUCCESS) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: wilcard, signer " + "concatenation failed"); + } continue; } if (!dns_name_matcheswildcard(name, wildcard)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "record name does not match " + "wildcarded signer"); + } continue; } break; @@ -416,6 +663,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99), + "update-policy: next rule: krb5 signer " + "doesn't map to record name"); + } continue; case dns_ssumatchtype_selfms: if (dst_gssapi_identitymatchesrealmms( @@ -423,6 +677,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99), + "update-policy: next rule: MS Windows " + "signer doesn't map to record name"); + } continue; case dns_ssumatchtype_selfsubkrb5: if (dst_gssapi_identitymatchesrealmkrb5( @@ -430,6 +691,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "record name not a subdomain of " + "krb5 signer mapped name"); + } continue; case dns_ssumatchtype_selfsubms: if (dst_gssapi_identitymatchesrealmms( @@ -437,10 +706,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "record name not a subdomain of " + "MS Windows signer mapped name"); + } continue; case dns_ssumatchtype_subdomainkrb5: case dns_ssumatchtype_subdomainselfkrb5rhs: if (!dns_name_issubdomain(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: record name not a " + "subdomain of rule name"); + } continue; } tname = NULL; @@ -461,10 +747,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: rdata " + "name does not match krb5 signer " + "mapped name"); + } continue; case dns_ssumatchtype_subdomainms: case dns_ssumatchtype_subdomainselfmsrhs: if (!dns_name_issubdomain(name, rule->name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: record name not a " + "subdomain of rule name"); + } continue; } tname = NULL; @@ -485,6 +788,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, { break; } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: rdata " + "name does not match MS Windows " + "signer mapped name"); + } continue; case dns_ssumatchtype_tcpself: tcpself = dns_fixedname_initname(&fixed); @@ -493,14 +804,43 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, if (!dns_name_matcheswildcard(tcpself, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: tcp-self name " + "does not match " + "wildcard identity"); + } continue; } } else { if (!dns_name_equal(tcpself, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: tcp-self name " + "does not match " + "identity"); + } continue; } } if (!dns_name_equal(tcpself, name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "tcp-self name does not match " + "record name"); + } continue; } break; @@ -511,14 +851,47 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, if (!dns_name_matcheswildcard(stfself, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: %s name " + "does not match " + "wildcard identity", + mtypetostring( + rule->matchtype)); + } continue; } } else { if (!dns_name_equal(stfself, rule->identity)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: %s name does " + "not match identity", + mtypetostring( + rule->matchtype)); + } continue; } } if (!dns_name_equal(stfself, name)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: %s name does not " + "match record name", + mtypetostring(rule->matchtype)); + } continue; } break; @@ -527,6 +900,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, name, addr, type, key, table->mctx)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "external match failed"); + } continue; } break; @@ -534,6 +915,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, if (!dns_dlz_ssumatch(table->dlzdatabase, signer, name, addr, type, key)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: dlz match failed"); + } continue; } break; @@ -547,6 +936,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, if (rule->matchtype != dns_ssumatchtype_dlz && !isusertype(type)) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next " + "rule: not user type"); + } continue; } } else { @@ -558,14 +955,34 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, } } if (i == rule->ntypes) { + if (logit) { + isc_log_write( + DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: next rule: " + "type not in type list"); + } continue; } } if (rule->grant && rulep != NULL) { *rulep = rule; } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, + DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99), + "update-policy: matched: %s", + rule->debug != NULL ? rule->debug + : "not available"); + } return (rule->grant); } + if (logit) { + isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU, + ISC_LOG_DEBUG(99), + "update-policy: no match found"); + } return (false); } @@ -653,13 +1070,13 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t)); - rule->identity = NULL; - rule->name = NULL; - rule->grant = true; - rule->matchtype = dns_ssumatchtype_dlz; - rule->ntypes = 0; - rule->types = NULL; - rule->magic = SSURULEMAGIC; + *rule = (dns_ssurule_t){ + .grant = true, + .matchtype = dns_ssumatchtype_dlz, + .magic = SSURULEMAGIC, + }; + + rule->debug = isc_mem_strdup(mctx, "grant dlz"); ISC_LIST_INITANDAPPEND(table->rules, rule, link); *tablep = table;