1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
|
/*
* unbound.h - unbound validating resolver public API
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file contains functions to resolve DNS queries and
* validate the answers. Synchonously and asynchronously.
*
* Several ways to use this interface from an application wishing
* to perform (validated) DNS lookups.
*
* All start with
* ctx = ub_ctx_create();
* err = ub_ctx_add_ta(ctx, "...");
* err = ub_ctx_add_ta(ctx, "...");
* ... some lookups
* ... call ub_ctx_delete(ctx); when you want to stop.
*
* Application not threaded. Blocking.
* int err = ub_resolve(ctx, "www.example.com", ...
* if(err) fprintf(stderr, "lookup error: %s\n", ub_strerror(err));
* ... use the answer
*
* Application not threaded. Non-blocking ('asynchronous').
* err = ub_resolve_async(ctx, "www.example.com", ... my_callback);
* ... application resumes processing ...
* ... and when either ub_poll(ctx) is true
* ... or when the file descriptor ub_fd(ctx) is readable,
* ... or whenever, the app calls ...
* ub_process(ctx);
* ... if no result is ready, the app resumes processing above,
* ... or process() calls my_callback() with results.
*
* ... if the application has nothing more to do, wait for answer
* ub_wait(ctx);
*
* Application threaded. Blocking.
* Blocking, same as above. The current thread does the work.
* Multiple threads can use the *same context*, each does work and uses
* shared cache data from the context.
*
* Application threaded. Non-blocking ('asynchronous').
* ... setup threaded-asynchronous config option
* err = ub_ctx_async(ctx, 1);
* ... same as async for non-threaded
* ... the callbacks are called in the thread that calls process(ctx)
*
* Openssl needs to have locking in place, and the application must set
* it up, because a mere library cannot do this, use the calls
* CRYPTO_set_id_callback and CRYPTO_set_locking_callback.
*
* If no threading is compiled in, the above async example uses fork(2) to
* create a process to perform the work. The forked process exits when the
* calling process exits, or ctx_delete() is called.
* Otherwise, for asynchronous with threading, a worker thread is created.
*
* The blocking calls use shared ctx-cache when threaded. Thus
* ub_resolve() and ub_resolve_async() && ub_wait() are
* not the same. The first makes the current thread do the work, setting
* up buffers, etc, to perform the work (but using shared cache data).
* The second calls another worker thread (or process) to perform the work.
* And no buffers need to be set up, but a context-switch happens.
*/
#ifndef _UB_UNBOUND_H
#define _UB_UNBOUND_H
#ifdef __cplusplus
extern "C" {
#endif
/** the version of this header file */
#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
/**
* The validation context is created to hold the resolver status,
* validation keys and a small cache (containing messages, rrsets,
* roundtrip times, trusted keys, lameness information).
*
* Its contents are internally defined.
*/
struct ub_ctx;
/**
* The validation and resolution results.
* Allocated by the resolver, and need to be freed by the application
* with ub_resolve_free().
*/
struct ub_result {
/** The original question, name text string. */
char* qname;
/** the type asked for */
int qtype;
/** the class asked for */
int qclass;
/**
* a list of network order DNS rdata items, terminated with a
* NULL pointer, so that data[0] is the first result entry,
* data[1] the second, and the last entry is NULL.
* If there was no data, data[0] is NULL.
*/
char** data;
/** the length in bytes of the data items, len[i] for data[i] */
int* len;
/**
* canonical name for the result (the final cname).
* zero terminated string.
* May be NULL if no canonical name exists.
*/
char* canonname;
/**
* DNS RCODE for the result. May contain additional error code if
* there was no data due to an error. 0 (NOERROR) if okay.
*/
int rcode;
/**
* The DNS answer packet. Network formatted. Can contain DNSSEC types.
*/
void* answer_packet;
/** length of the answer packet in octets. */
int answer_len;
/**
* If there is any data, this is true.
* If false, there was no data (nxdomain may be true, rcode can be set).
*/
int havedata;
/**
* If there was no data, and the domain did not exist, this is true.
* If it is false, and there was no data, then the domain name
* is purported to exist, but the requested data type is not available.
*/
int nxdomain;
/**
* True, if the result is validated securely.
* False, if validation failed or domain queried has no security info.
*
* It is possible to get a result with no data (havedata is false),
* and secure is true. This means that the non-existance of the data
* was cryptographically proven (with signatures).
*/
int secure;
/**
* If the result was not secure (secure==0), and this result is due
* to a security failure, bogus is true.
* This means the data has been actively tampered with, signatures
* failed, expected signatures were not present, timestamps on
* signatures were out of date and so on.
*
* If !secure and !bogus, this can happen if the data is not secure
* because security is disabled for that domain name.
* This means the data is from a domain where data is not signed.
*/
int bogus;
/**
* If the result is bogus this contains a string (zero terminated)
* that describes the failure. There may be other errors as well
* as the one described, the description may not be perfectly accurate.
* Is NULL if the result is not bogus.
*/
char* why_bogus;
/**
* TTL for the result, in seconds. If the security is bogus, then
* you also cannot trust this value.
*/
int ttl;
};
/**
* Callback for results of async queries.
* The readable function definition looks like:
* void my_callback(void* my_arg, int err, struct ub_result* result);
* It is called with
* void* my_arg: your pointer to a (struct of) data of your choice,
* or NULL.
* int err: if 0 all is OK, otherwise an error occured and no results
* are forthcoming.
* struct result: pointer to more detailed result structure.
* This structure is allocated on the heap and needs to be
* freed with ub_resolve_free(result);
*/
typedef void (*ub_callback_t)(void*, int, struct ub_result*);
/**
* Create a resolving and validation context.
* The information from /etc/resolv.conf and /etc/hosts is not utilised by
* default. Use ub_ctx_resolvconf and ub_ctx_hosts to read them.
* @return a new context. default initialisation.
* returns NULL on error.
*/
struct ub_ctx* ub_ctx_create(void);
/**
* Destroy a validation context and free all its resources.
* Outstanding async queries are killed and callbacks are not called for them.
* @param ctx: context to delete.
*/
void ub_ctx_delete(struct ub_ctx* ctx);
/**
* Set an option for the context.
* @param ctx: context.
* @param opt: option name from the unbound.conf config file format.
* (not all settings applicable). The name includes the trailing ':'
* for example ub_ctx_set_option(ctx, "logfile:", "mylog.txt");
* This is a power-users interface that lets you specify all sorts
* of options.
* For some specific options, such as adding trust anchors, special
* routines exist.
* @param val: value of the option.
* @return: 0 if OK, else error.
*/
int ub_ctx_set_option(struct ub_ctx* ctx, const char* opt, const char* val);
/**
* Get an option from the context.
* @param ctx: context.
* @param opt: option name from the unbound.conf config file format.
* (not all settings applicable). The name excludes the trailing ':'
* for example ub_ctx_get_option(ctx, "logfile", &result);
* This is a power-users interface that lets you specify all sorts
* of options.
* @param str: the string is malloced and returned here. NULL on error.
* The caller must free() the string. In cases with multiple
* entries (auto-trust-anchor-file), a newline delimited list is
* returned in the string.
* @return 0 if OK else an error code (malloc failure, syntax error).
*/
int ub_ctx_get_option(struct ub_ctx* ctx, const char* opt, char** str);
/**
* setup configuration for the given context.
* @param ctx: context.
* @param fname: unbound config file (not all settings applicable).
* This is a power-users interface that lets you specify all sorts
* of options.
* For some specific options, such as adding trust anchors, special
* routines exist.
* @return: 0 if OK, else error.
*/
int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
/**
* Set machine to forward DNS queries to, the caching resolver to use.
* IP4 or IP6 address. Forwards all DNS requests to that machine, which
* is expected to run a recursive resolver. If the proxy is not
* DNSSEC-capable, validation may fail. Can be called several times, in
* that case the addresses are used as backup servers.
*
* To read the list of nameservers from /etc/resolv.conf (from DHCP or so),
* use the call ub_ctx_resolvconf.
*
* @param ctx: context.
* At this time it is only possible to set configuration before the
* first resolve is done.
* @param addr: address, IP4 or IP6 in string format.
* If the addr is NULL, forwarding is disabled.
* @return 0 if OK, else error.
*/
int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
/**
* Read list of nameservers to use from the filename given.
* Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
* If they do not support DNSSEC, validation may fail.
*
* Only nameservers are picked up, the searchdomain, ndots and other
* settings from resolv.conf(5) are ignored.
*
* @param ctx: context.
* At this time it is only possible to set configuration before the
* first resolve is done.
* @param fname: file name string. If NULL "/etc/resolv.conf" is used.
* @return 0 if OK, else error.
*/
int ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname);
/**
* Read list of hosts from the filename given.
* Usually "/etc/hosts".
* These addresses are not flagged as DNSSEC secure when queried for.
*
* @param ctx: context.
* At this time it is only possible to set configuration before the
* first resolve is done.
* @param fname: file name string. If NULL "/etc/hosts" is used.
* @return 0 if OK, else error.
*/
int ub_ctx_hosts(struct ub_ctx* ctx, const char* fname);
/**
* Add a trust anchor to the given context.
* The trust anchor is a string, on one line, that holds a valid DNSKEY or
* DS RR.
* @param ctx: context.
* At this time it is only possible to add trusted keys before the
* first resolve is done.
* @param ta: string, with zone-format RR on one line.
* [domainname] [TTL optional] [type] [class optional] [rdata contents]
* @return 0 if OK, else error.
*/
int ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta);
/**
* Add trust anchors to the given context.
* Pass name of a file with DS and DNSKEY records (like from dig or drill).
* @param ctx: context.
* At this time it is only possible to add trusted keys before the
* first resolve is done.
* @param fname: filename of file with keyfile with trust anchors.
* @return 0 if OK, else error.
*/
int ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname);
/**
* Add trust anchors to the given context.
* Pass the name of a bind-style config file with trusted-keys{}.
* @param ctx: context.
* At this time it is only possible to add trusted keys before the
* first resolve is done.
* @param fname: filename of file with bind-style config entries with trust
* anchors.
* @return 0 if OK, else error.
*/
int ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname);
/**
* Set debug output (and error output) to the specified stream.
* Pass NULL to disable. Default is stderr.
* @param ctx: context.
* @param out: FILE* out file stream to log to.
* Type void* to avoid stdio dependency of this header file.
* @return 0 if OK, else error.
*/
int ub_ctx_debugout(struct ub_ctx* ctx, void* out);
/**
* Set debug verbosity for the context
* Output is directed to stderr.
* @param ctx: context.
* @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed,
* and 3 is lots.
* @return 0 if OK, else error.
*/
int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
/**
* Set a context behaviour for asynchronous action.
* @param ctx: context.
* @param dothread: if true, enables threading and a call to resolve_async()
* creates a thread to handle work in the background.
* If false, a process is forked to handle work in the background.
* Changes to this setting after async() calls have been made have
* no effect (delete and re-create the context to change).
* @return 0 if OK, else error.
*/
int ub_ctx_async(struct ub_ctx* ctx, int dothread);
/**
* Poll a context to see if it has any new results
* Do not poll in a loop, instead extract the fd below to poll for readiness,
* and then check, or wait using the wait routine.
* @param ctx: context.
* @return: 0 if nothing to read, or nonzero if a result is available.
* If nonzero, call ctx_process() to do callbacks.
*/
int ub_poll(struct ub_ctx* ctx);
/**
* Wait for a context to finish with results. Calls ub_process() after
* the wait for you. After the wait, there are no more outstanding
* asynchronous queries.
* @param ctx: context.
* @return: 0 if OK, else error.
*/
int ub_wait(struct ub_ctx* ctx);
/**
* Get file descriptor. Wait for it to become readable, at this point
* answers are returned from the asynchronous validating resolver.
* Then call the ub_process to continue processing.
* This routine works immediately after context creation, the fd
* does not change.
* @param ctx: context.
* @return: -1 on error, or file descriptor to use select(2) with.
*/
int ub_fd(struct ub_ctx* ctx);
/**
* Call this routine to continue processing results from the validating
* resolver (when the fd becomes readable).
* Will perform necessary callbacks.
* @param ctx: context
* @return: 0 if OK, else error.
*/
int ub_process(struct ub_ctx* ctx);
/**
* Perform resolution and validation of the target name.
* @param ctx: context.
* The context is finalized, and can no longer accept config changes.
* @param name: domain name in text format (a zero terminated text string).
* @param rrtype: type of RR in host order, 1 is A (address).
* @param rrclass: class of RR in host order, 1 is IN (for internet).
* @param result: the result data is returned in a newly allocated result
* structure. May be NULL on return, return value is set to an error
* in that case (out of memory).
* @return 0 if OK, else error.
*/
int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, struct ub_result** result);
/**
* Perform resolution and validation of the target name.
* Asynchronous, after a while, the callback will be called with your
* data and the result.
* @param ctx: context.
* If no thread or process has been created yet to perform the
* work in the background, it is created now.
* The context is finalized, and can no longer accept config changes.
* @param name: domain name in text format (a string).
* @param rrtype: type of RR in host order, 1 is A.
* @param rrclass: class of RR in host order, 1 is IN (for internet).
* @param mydata: this data is your own data (you can pass NULL),
* and is passed on to the callback function.
* @param callback: this is called on completion of the resolution.
* It is called as:
* void callback(void* mydata, int err, struct ub_result* result)
* with mydata: the same as passed here, you may pass NULL,
* with err: is 0 when a result has been found.
* with result: a newly allocated result structure.
* The result may be NULL, in that case err is set.
*
* If an error happens during processing, your callback will be called
* with error set to a nonzero value (and result==NULL).
* @param async_id: if you pass a non-NULL value, an identifier number is
* returned for the query as it is in progress. It can be used to
* cancel the query.
* @return 0 if OK, else error.
*/
int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, void* mydata, ub_callback_t callback, int* async_id);
/**
* Cancel an async query in progress.
* Its callback will not be called.
*
* @param ctx: context.
* @param async_id: which query to cancel.
* @return 0 if OK, else error.
* This routine can return an error if the async_id passed does not exist
* or has already been delivered. If another thread is processing results
* at the same time, the result may be delivered at the same time and the
* cancel fails with an error. Also the cancel can fail due to a system
* error, no memory or socket failures.
*/
int ub_cancel(struct ub_ctx* ctx, int async_id);
/**
* Free storage associated with a result structure.
* @param result: to free
*/
void ub_resolve_free(struct ub_result* result);
/**
* Convert error value to a human readable string.
* @param err: error code from one of the ub_val* functions.
* @return pointer to constant text string, zero terminated.
*/
const char* ub_strerror(int err);
/**
* Debug routine. Print the local zone information to debug output.
* @param ctx: context. Is finalized by the routine.
* @return 0 if OK, else error.
*/
int ub_ctx_print_local_zones(struct ub_ctx* ctx);
/**
* Add a new zone with the zonetype to the local authority info of the
* library.
* @param ctx: context. Is finalized by the routine.
* @param zone_name: name of the zone in text, "example.com"
* If it already exists, the type is updated.
* @param zone_type: type of the zone (like for unbound.conf) in text.
* @return 0 if OK, else error.
*/
int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name,
const char *zone_type);
/**
* Remove zone from local authority info of the library.
* @param ctx: context. Is finalized by the routine.
* @param zone_name: name of the zone in text, "example.com"
* If it does not exist, nothing happens.
* @return 0 if OK, else error.
*/
int ub_ctx_zone_remove(struct ub_ctx* ctx, const char *zone_name);
/**
* Add localdata to the library local authority info.
* Similar to local-data config statement.
* @param ctx: context. Is finalized by the routine.
* @param data: the resource record in text format, for example
* "www.example.com IN A 127.0.0.1"
* @return 0 if OK, else error.
*/
int ub_ctx_data_add(struct ub_ctx* ctx, const char *data);
/**
* Remove localdata from the library local authority info.
* @param ctx: context. Is finalized by the routine.
* @param data: the name to delete all data from, like "www.example.com".
* @return 0 if OK, else error.
*/
int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
/**
* Get a version string from the libunbound implementation.
* @return a static constant string with the version number.
*/
const char* ub_version(void);
#ifdef __cplusplus
}
#endif
#endif /* _UB_UNBOUND_H */
|