coredns-rfc2136/update.go

package rfc2136

import (
	"fmt"
	"strings"
	"time"

	"github.com/miekg/dns"
)

// handleUpdate implements the RFC 2136 UPDATE opcode against the
// on-disk zone file.
//
// Sequence per UPDATE message:
//  1. Validate the Zone section (RFC 2136 §2.3): must be exactly one
//     SOA-typed record whose name is a zone we manage.
//  2. Acquire the zone file's mutex.
//  3. Load the file's RRs into memory.
//  4. Check each prerequisite (§3.2) against the loaded RRs. First
//     failure short-circuits with the spec's rcode.
//  5. Apply each update RR (§3.4.2) to the in-memory slice.
//  6. Bump the SOA serial (CalVer YYYYMMDDNN).
//  7. Atomic write to disk (temp file + rename).
//  8. Optionally `git add && git commit` for audit trail.
//
// Steps 3-7 happen under the zone-file mutex. If 8 fails we log but
// don't roll back (the on-disk state is authoritative; lost commits
// can be re-staged via `git add` later).
func (p *RFC2136) handleUpdate(w dns.ResponseWriter, r *dns.Msg) (int, error) {
	resp := new(dns.Msg)
	resp.SetReply(r)
	signResponseIfSigned(resp, r)

	// 1. Validate the Zone section.
	if len(r.Question) != 1 {
		log.Debugf("UPDATE rejected: expected 1 Zone record, got %d", len(r.Question))
		return p.updateResp(w, resp, dns.RcodeFormatError)
	}
	zoneQ := r.Question[0]
	if zoneQ.Qtype != dns.TypeSOA {
		log.Debugf("UPDATE rejected: Zone section type=%d, want SOA", zoneQ.Qtype)
		return p.updateResp(w, resp, dns.RcodeFormatError)
	}
	zone := p.findZone(zoneQ.Name)
	if zone == "" {
		log.Debugf("UPDATE rejected: zone %q not authoritative", zoneQ.Name)
		return p.updateResp(w, resp, dns.RcodeNotAuth)
	}
	zf, ok := p.zones[zone]
	if !ok {
		log.Errorf("UPDATE rejected: no zone file handle for %q (setup bug?)", zone)
		return p.updateResp(w, resp, dns.RcodeServerFailure)
	}

	zf.mu.Lock()
	defer zf.mu.Unlock()

	// 3. Load the current zone contents.
	rrs, err := zf.loadRRs()
	if err != nil {
		log.Errorf("UPDATE failed: %v", err)
		return p.updateResp(w, resp, dns.RcodeServerFailure)
	}

	// 4. Check prerequisites.
	for _, rr := range r.Answer {
		rcode := checkPrereq(zone, rrs, rr)
		if rcode != dns.RcodeSuccess {
			log.Debugf("UPDATE prereq failed: %s → rcode=%d", rr.String(), rcode)
			return p.updateResp(w, resp, rcode)
		}
	}

	// 5. Apply updates. Build a fresh RR slice rather than mutating in
	// place — that way a partial application can't leave the slice in
	// a half-modified state if an early update fails.
	updated := rrs
	changed := false
	for _, rr := range r.Ns {
		next, rcode, modified := applyUpdate(zone, p.TTL, updated, rr)
		if rcode != dns.RcodeSuccess {
			return p.updateResp(w, resp, rcode)
		}
		updated = next
		if modified {
			changed = true
		}
	}

	if !changed {
		// UPDATE was a valid no-op (e.g. only contained adds for RRs
		// that were already present, deduped away). Return NOERROR
		// without rewriting the file.
		return p.updateResp(w, resp, dns.RcodeSuccess)
	}

	// 6. Bump SOA serial.
	now := time.Now()
	if err := bumpSerial(updated, now); err != nil {
		log.Errorf("UPDATE failed: %v", err)
		return p.updateResp(w, resp, dns.RcodeServerFailure)
	}

	// 7. Atomic write.
	if err := zf.writeAtomic(updated, now); err != nil {
		log.Errorf("UPDATE write failed: %v", err)
		return p.updateResp(w, resp, dns.RcodeServerFailure)
	}

	// 8. Auto-commit. Failure to commit isn't fatal to the UPDATE —
	// the on-disk state is authoritative — but we log loudly.
	msg := summarizeUpdate(zone, r.Ns)
	if err := zf.commit(msg); err != nil {
		log.Warningf("git auto-commit failed: %v", err)
	}

	log.Infof("UPDATE applied: zone=%s prereqs=%d updates=%d msg=%q",
		zone, len(r.Answer), len(r.Ns), msg)
	return p.updateResp(w, resp, dns.RcodeSuccess)
}

// updateResp writes the response and returns the rcode/err pair for ServeDNS.
func (p *RFC2136) updateResp(w dns.ResponseWriter, resp *dns.Msg, rcode int) (int, error) {
	resp.Rcode = rcode
	_ = w.WriteMsg(resp)
	return rcode, nil
}

// findZone returns the longest matching configured zone for qname, or
// "" if qname is outside all configured zones.
func (p *RFC2136) findZone(qname string) string {
	qname = canon(qname)
	var best string
	for _, z := range p.Zones {
		if qname == z || strings.HasSuffix(qname, "."+z) {
			if len(z) > len(best) {
				best = z
			}
		}
	}
	return best
}

// checkPrereq evaluates one record from the Prerequisite section
// against the loaded RR slice. Returns dns.RcodeSuccess if satisfied,
// or the spec rcode otherwise (§3.2).
func checkPrereq(zone string, rrs []dns.RR, rr dns.RR) int {
	hdr := rr.Header()
	name := canon(hdr.Name)
	if !inZone(name, zone) {
		return dns.RcodeNotZone
	}
	switch hdr.Class {
	case dns.ClassANY:
		if hdr.Rrtype == dns.TypeANY {
			if !nameExistsIn(rrs, name) {
				return dns.RcodeNameError
			}
			return dns.RcodeSuccess
		}
		if len(lookupIn(rrs, name, hdr.Rrtype)) == 0 {
			return dns.RcodeNXRrset
		}
		return dns.RcodeSuccess

	case dns.ClassNONE:
		if hdr.Rrtype == dns.TypeANY {
			if nameExistsIn(rrs, name) {
				return dns.RcodeYXDomain
			}
			return dns.RcodeSuccess
		}
		if len(lookupIn(rrs, name, hdr.Rrtype)) > 0 {
			return dns.RcodeYXRrset
		}
		return dns.RcodeSuccess

	default:
		// CLASS = zone class with rdata. Exact value-match prereqs
		// (§3.2.5). Not used by Caddy/caddy-dns/rfc2136; treating as
		// satisfied for now. v2 can implement value-prereq if a real
		// caller needs it.
		log.Debugf("prereq with rdata-match semantics not implemented; treating as satisfied")
		return dns.RcodeSuccess
	}
}

// applyUpdate handles one record in the Update section per §3.4.2.
// Returns the (possibly mutated) RR slice, an rcode (Success unless
// the update was rejected), and a flag indicating whether the slice
// was actually modified (to avoid no-op file rewrites).
func applyUpdate(zone string, defaultTTL uint32, rrs []dns.RR, rr dns.RR) ([]dns.RR, int, bool) {
	hdr := rr.Header()
	name := canon(hdr.Name)
	if !inZone(name, zone) {
		return rrs, dns.RcodeNotZone, false
	}

	switch hdr.Class {
	case dns.ClassANY:
		if hdr.Rrtype == dns.TypeANY {
			// Wipe the whole name. Refuse apex wipes — that would
			// destroy SOA + NS bedrock.
			if isApex(name, zone) {
				log.Debugf("apex wipe refused: %s", name)
				return rrs, dns.RcodeRefused, false
			}
			before := len(rrs)
			rrs = removeNameFrom(rrs, name)
			return rrs, dns.RcodeSuccess, len(rrs) != before
		}
		// Apex SOA/NS removal refused for the same reason.
		if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) {
			log.Debugf("apex %s removal refused", dns.TypeToString[hdr.Rrtype])
			return rrs, dns.RcodeRefused, false
		}
		before := len(rrs)
		rrs = removeRRsetFrom(rrs, name, hdr.Rrtype)
		return rrs, dns.RcodeSuccess, len(rrs) != before

	case dns.ClassNONE:
		// Refuse to delete apex SOA/NS by exact-RR match.
		if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) {
			return rrs, dns.RcodeRefused, false
		}
		before := len(rrs)
		rrs = removeRRFrom(rrs, rr)
		return rrs, dns.RcodeSuccess, len(rrs) != before

	default:
		// Apex SOA/NS adds refused — those are managed by the zone-file
		// owner, not by dynamic updates.
		if isApex(name, zone) && (hdr.Rrtype == dns.TypeSOA || hdr.Rrtype == dns.TypeNS) {
			log.Debugf("apex %s add refused", dns.TypeToString[hdr.Rrtype])
			return rrs, dns.RcodeRefused, false
		}
		if hdr.Ttl == 0 {
			hdr.Ttl = defaultTTL
		}
		before := len(rrs)
		rrs = addRRTo(rrs, rr)
		return rrs, dns.RcodeSuccess, len(rrs) != before
	}
}

// summarizeUpdate produces a one-line commit message describing the
// UPDATE for git history.
func summarizeUpdate(zone string, updates []dns.RR) string {
	if len(updates) == 1 {
		return fmt.Sprintf("rfc2136 %s: %s", zone, oneLineOp(updates[0]))
	}
	return fmt.Sprintf("rfc2136 %s: %d operations", zone, len(updates))
}

// oneLineOp returns a short human-readable description of a single
// update RR for inclusion in commit messages.
func oneLineOp(rr dns.RR) string {
	hdr := rr.Header()
	name := strings.TrimSuffix(canon(hdr.Name), ".")
	ttype := dns.TypeToString[hdr.Rrtype]
	switch hdr.Class {
	case dns.ClassANY:
		if hdr.Rrtype == dns.TypeANY {
			return fmt.Sprintf("delete all %s", name)
		}
		return fmt.Sprintf("delete %s %s", ttype, name)
	case dns.ClassNONE:
		return fmt.Sprintf("delete-rr %s %s", ttype, name)
	default:
		return fmt.Sprintf("add %s %s", ttype, name)
	}
}

// inZone reports whether name is within zone.
func inZone(name, zone string) bool {
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// isApex reports whether name IS the zone's apex.
func isApex(name, zone string) bool {
	return name == zone
}