package rfc2136 import ( "fmt" "strings" "time" "github.com/miekg/dns" ) // handleUpdate implements the RFC 2136 UPDATE opcode against the // on-disk zone file. // // Sequence per UPDATE message: // 1. Validate the Zone section (RFC 2136 §2.3): must be exactly one // SOA-typed record whose name is a zone we manage. // 2. Acquire the zone file's mutex. // 3. Load the file's RRs into memory. // 4. Check each prerequisite (§3.2) against the loaded RRs. First // failure short-circuits with the spec's rcode. // 5. Apply each update RR (§3.4.2) to the in-memory slice. // 6. Bump the SOA serial (CalVer YYYYMMDDNN). // 7. Atomic write to disk (temp file + rename). // 8. Optionally `git add && git commit` for audit trail. // // Steps 3-7 happen under the zone-file mutex. If 8 fails we log but // don't roll back (the on-disk state is authoritative; lost commits // can be re-staged via `git add` later). func (p *RFC2136) handleUpdate(w dns.ResponseWriter, r *dns.Msg) (int, error) { resp := new(dns.Msg) resp.SetReply(r) signResponseIfSigned(resp, r) // 1. Validate the Zone section. if len(r.Question) != 1 { log.Debugf("UPDATE rejected: expected 1 Zone record, got %d", len(r.Question)) return p.updateResp(w, resp, dns.RcodeFormatError) } zoneQ := r.Question[0] if zoneQ.Qtype != dns.TypeSOA { log.Debugf("UPDATE rejected: Zone section type=%d, want SOA", zoneQ.Qtype) return p.updateResp(w, resp, dns.RcodeFormatError) } zone := p.findZone(zoneQ.Name) if zone == "" { log.Debugf("UPDATE rejected: zone %q not authoritative", zoneQ.Name) return p.updateResp(w, resp, dns.RcodeNotAuth) } zf, ok := p.zones[zone] if !ok { log.Errorf("UPDATE rejected: no zone file handle for %q (setup bug?)", zone) return p.updateResp(w, resp, dns.RcodeServerFailure) } zf.mu.Lock() defer zf.mu.Unlock() // 3. Load the current zone contents. rrs, err := zf.loadRRs() if err != nil { log.Errorf("UPDATE failed: %v", err) return p.updateResp(w, resp, dns.RcodeServerFailure) } // 4. Check prerequisites. for _, rr := range r.Answer { rcode := checkPrereq(zone, rrs, rr) if rcode != dns.RcodeSuccess { log.Debugf("UPDATE prereq failed: %s → rcode=%d", rr.String(), rcode) return p.updateResp(w, resp, rcode) } } // 5. Apply updates. Build a fresh RR slice rather than mutating in // place — that way a partial application can't leave the slice in // a half-modified state if an early update fails. updated := rrs changed := false for _, rr := range r.Ns { next, rcode, modified := applyUpdate(zone, p.TTL, updated, rr) if rcode != dns.RcodeSuccess { return p.updateResp(w, resp, rcode) } updated = next if modified { changed = true } } if !changed { // UPDATE was a valid no-op (e.g. only contained adds for RRs // that were already present, deduped away). Return NOERROR // without rewriting the file. return p.updateResp(w, resp, dns.RcodeSuccess) } // 6. Bump SOA serial. now := time.Now() if err := bumpSerial(updated, now); err != nil { log.Errorf("UPDATE failed: %v", err) return p.updateResp(w, resp, dns.RcodeServerFailure) } // 7. Atomic write. if err := zf.writeAtomic(updated, now); err != nil { log.Errorf("UPDATE write failed: %v", err) return p.updateResp(w, resp, dns.RcodeServerFailure) } // 8. Auto-commit. Failure to commit isn't fatal to the UPDATE — // the on-disk state is authoritative — but we log loudly. msg := summarizeUpdate(zone, r.Ns) if err := zf.commit(msg); err != nil { log.Warningf("git auto-commit failed: %v", err) } log.Infof("UPDATE applied: zone=%s prereqs=%d updates=%d msg=%q", zone, len(r.Answer), len(r.Ns), msg) return p.updateResp(w, resp, dns.RcodeSuccess) } // updateResp writes the response and returns the rcode/err pair for ServeDNS. func (p *RFC2136) updateResp(w dns.ResponseWriter, resp *dns.Msg, rcode int) (int, error) { resp.Rcode = rcode _ = w.WriteMsg(resp) return rcode, nil } // findZone returns the longest matching configured zone for qname, or // "" if qname is outside all configured zones. func (p *RFC2136) findZone(qname string) string { qname = canon(qname) var best string for _, z := range p.Zones { if qname == z || strings.HasSuffix(qname, "."+z) { if len(z) > len(best) { best = z } } } return best } // checkPrereq evaluates one record from the Prerequisite section // against the loaded RR slice. Returns dns.RcodeSuccess if satisfied, // or the spec rcode otherwise (§3.2). func checkPrereq(zone string, rrs []dns.RR, rr dns.RR) int { hdr := rr.Header() name := canon(hdr.Name) if !inZone(name, zone) { return dns.RcodeNotZone } switch hdr.Class { case dns.ClassANY: if hdr.Rrtype == dns.TypeANY { if !nameExistsIn(rrs, name) { return dns.RcodeNameError } return dns.RcodeSuccess } if len(lookupIn(rrs, name, hdr.Rrtype)) == 0 { return dns.RcodeNXRrset } return dns.RcodeSuccess case dns.ClassNONE: if hdr.Rrtype == dns.TypeANY { if nameExistsIn(rrs, name) { return dns.RcodeYXDomain } return dns.RcodeSuccess } if len(lookupIn(rrs, name, hdr.Rrtype)) > 0 { return dns.RcodeYXRrset } return dns.RcodeSuccess default: // CLASS = zone class with rdata. Exact value-match prereqs // (§3.2.5). Not used by Caddy/caddy-dns/rfc2136; treating as // satisfied for now. v2 can implement value-prereq if a real // caller needs it. log.Debugf("prereq with rdata-match semantics not implemented; treating as satisfied") return dns.RcodeSuccess } } // applyUpdate handles one record in the Update section per §3.4.2. // Returns the (possibly mutated) RR slice, an rcode (Success unless // the update was rejected), and a flag indicating whether the slice // was actually modified (to avoid no-op file rewrites). func applyUpdate(zone string, defaultTTL uint32, rrs []dns.RR, rr dns.RR) ([]dns.RR, int, bool) { hdr := rr.Header() name := canon(hdr.Name) if !inZone(name, zone) { return rrs, dns.RcodeNotZone, false } switch hdr.Class { case dns.ClassANY: if hdr.Rrtype == dns.TypeANY { // Wipe the whole name. Refuse apex wipes — that would // destroy SOA + NS bedrock. if isApex(name, zone) { log.Debugf("apex wipe refused: %s", name) return rrs, dns.RcodeRefused, false } before := len(rrs) rrs = removeNameFrom(rrs, name) return rrs, dns.RcodeSuccess, len(rrs) != before } // Apex SOA/NS removal refused for the same reason. if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) { log.Debugf("apex %s removal refused", dns.TypeToString[hdr.Rrtype]) return rrs, dns.RcodeRefused, false } before := len(rrs) rrs = removeRRsetFrom(rrs, name, hdr.Rrtype) return rrs, dns.RcodeSuccess, len(rrs) != before case dns.ClassNONE: // Refuse to delete apex SOA/NS by exact-RR match. if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) { return rrs, dns.RcodeRefused, false } before := len(rrs) rrs = removeRRFrom(rrs, rr) return rrs, dns.RcodeSuccess, len(rrs) != before default: // Apex SOA/NS adds refused — those are managed by the zone-file // owner, not by dynamic updates. if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) { log.Debugf("apex %s add refused", dns.TypeToString[hdr.Rrtype]) return rrs, dns.RcodeRefused, false } if hdr.Ttl == 0 { hdr.Ttl = defaultTTL } before := len(rrs) rrs = addRRTo(rrs, rr) return rrs, dns.RcodeSuccess, len(rrs) != before } } // summarizeUpdate produces a one-line commit message describing the // UPDATE for git history. func summarizeUpdate(zone string, updates []dns.RR) string { if len(updates) == 1 { return fmt.Sprintf("rfc2136 %s: %s", zone, oneLineOp(updates[0])) } return fmt.Sprintf("rfc2136 %s: %d operations", zone, len(updates)) } // oneLineOp returns a short human-readable description of a single // update RR for inclusion in commit messages. func oneLineOp(rr dns.RR) string { hdr := rr.Header() name := strings.TrimSuffix(canon(hdr.Name), ".") ttype := dns.TypeToString[hdr.Rrtype] switch hdr.Class { case dns.ClassANY: if hdr.Rrtype == dns.TypeANY { return fmt.Sprintf("delete all %s", name) } return fmt.Sprintf("delete %s %s", ttype, name) case dns.ClassNONE: return fmt.Sprintf("delete-rr %s %s", ttype, name) default: return fmt.Sprintf("add %s %s", ttype, name) } } // inZone reports whether name is within zone. func inZone(name, zone string) bool { return name == zone || strings.HasSuffix(name, "."+zone) } // isApex reports whether name IS the zone's apex. func isApex(name, zone string) bool { return name == zone }