search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / external / bsd / bind / dist / bin / named / query.c
blobac88437ee4fb3419b5bc79996ac06b6a35e56d03
1 /* $NetBSD$ */
2
3 /*
4 * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
5 * Copyright (C) 1999-2003 Internet Software Consortium.
6 *
7 * Permission to use, copy, modify, and/or distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 * PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 /* Id: query.c,v 1.335 2009/11/28 15:57:36 vjs Exp */
21
22 /*! \file */
23
24 #include <config.h>
25
26 #include <string.h>
27
28 #include <isc/hex.h>
29 #include <isc/mem.h>
30 #include <isc/stats.h>
31 #include <isc/util.h>
32
33 #include <dns/adb.h>
34 #include <dns/byaddr.h>
35 #include <dns/db.h>
36 #ifdef DLZ
37 #include <dns/dlz.h>
38 #endif
39 #include <dns/dnssec.h>
40 #include <dns/events.h>
41 #include <dns/message.h>
42 #include <dns/ncache.h>
43 #include <dns/nsec3.h>
44 #include <dns/order.h>
45 #include <dns/rdata.h>
46 #include <dns/rdataclass.h>
47 #include <dns/rdatalist.h>
48 #include <dns/rdataset.h>
49 #include <dns/rdatasetiter.h>
50 #include <dns/rdatastruct.h>
51 #include <dns/rdatatype.h>
52 #include <dns/resolver.h>
53 #include <dns/result.h>
54 #include <dns/stats.h>
55 #include <dns/tkey.h>
56 #include <dns/view.h>
57 #include <dns/zone.h>
58 #include <dns/zt.h>
59
60 #include <named/client.h>
61 #include <named/log.h>
62 #include <named/server.h>
63 #include <named/sortlist.h>
64 #include <named/xfrout.h>
65
66 /*% Partial answer? */
67 #define PARTIALANSWER(c) (((c)->query.attributes & \
68 NS_QUERYATTR_PARTIALANSWER) != 0)
69 /*% Use Cache? */
70 #define USECACHE(c) (((c)->query.attributes & \
71 NS_QUERYATTR_CACHEOK) != 0)
72 /*% Recursion OK? */
73 #define RECURSIONOK(c) (((c)->query.attributes & \
74 NS_QUERYATTR_RECURSIONOK) != 0)
75 /*% Recursing? */
76 #define RECURSING(c) (((c)->query.attributes & \
77 NS_QUERYATTR_RECURSING) != 0)
78 /*% Cache glue ok? */
79 #define CACHEGLUEOK(c) (((c)->query.attributes & \
80 NS_QUERYATTR_CACHEGLUEOK) != 0)
81 /*% Want Recursion? */
82 #define WANTRECURSION(c) (((c)->query.attributes & \
83 NS_QUERYATTR_WANTRECURSION) != 0)
84 /*% Want DNSSEC? */
85 #define WANTDNSSEC(c) (((c)->attributes & \
86 NS_CLIENTATTR_WANTDNSSEC) != 0)
87 /*% No authority? */
88 #define NOAUTHORITY(c) (((c)->query.attributes & \
89 NS_QUERYATTR_NOAUTHORITY) != 0)
90 /*% No additional? */
91 #define NOADDITIONAL(c) (((c)->query.attributes & \
92 NS_QUERYATTR_NOADDITIONAL) != 0)
93 /*% Secure? */
94 #define SECURE(c) (((c)->query.attributes & \
95 NS_QUERYATTR_SECURE) != 0)
96
97 /*% No QNAME Proof? */
98 #define NOQNAME(r) (((r)->attributes & \
99 DNS_RDATASETATTR_NOQNAME) != 0)
100
101 #if 0
102 #define CTRACE(m) isc_log_write(ns_g_lctx, \
103 NS_LOGCATEGORY_CLIENT, \
104 NS_LOGMODULE_QUERY, \
105 ISC_LOG_DEBUG(3), \
106 "client %p: %s", client, (m))
107 #define QTRACE(m) isc_log_write(ns_g_lctx, \
108 NS_LOGCATEGORY_GENERAL, \
109 NS_LOGMODULE_QUERY, \
110 ISC_LOG_DEBUG(3), \
111 "query %p: %s", query, (m))
112 #else
113 #define CTRACE(m) ((void)m)
114 #define QTRACE(m) ((void)m)
115 #endif
116
117 #define DNS_GETDB_NOEXACT 0x01U
118 #define DNS_GETDB_NOLOG 0x02U
119 #define DNS_GETDB_PARTIAL 0x04U
120
121 #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
122
123 typedef struct client_additionalctx {
124 ns_client_t *client;
125 dns_rdataset_t *rdataset;
126 } client_additionalctx_t;
127
128 static isc_result_t
129 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
130
131 static isc_boolean_t
132 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
133 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
134
135 static void
136 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
137 dns_dbversion_t *version, ns_client_t *client,
138 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
139 dns_name_t *fname, isc_boolean_t exact,
140 dns_name_t *found);
141
142 static inline void
143 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
144
145 /*%
146 * Increment query statistics counters.
147 */
148 static inline void
149 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
150 dns_zone_t *zone = client->query.authzone;
151
152 isc_stats_increment(ns_g_server->nsstats, counter);
153
154 if (zone != NULL) {
155 isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
156 if (zonestats != NULL)
157 isc_stats_increment(zonestats, counter);
158 }
159 }
160
161 static void
162 query_send(ns_client_t *client) {
163 isc_statscounter_t counter;
164 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
165 inc_stats(client, dns_nsstatscounter_nonauthans);
166 else
167 inc_stats(client, dns_nsstatscounter_authans);
168 if (client->message->rcode == dns_rcode_noerror) {
169 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
170 if (client->query.isreferral) {
171 counter = dns_nsstatscounter_referral;
172 } else {
173 counter = dns_nsstatscounter_nxrrset;
174 }
175 } else {
176 counter = dns_nsstatscounter_success;
177 }
178 } else if (client->message->rcode == dns_rcode_nxdomain) {
179 counter = dns_nsstatscounter_nxdomain;
180 } else {
181 /* We end up here in case of YXDOMAIN, and maybe others */
182 counter = dns_nsstatscounter_failure;
183 }
184 inc_stats(client, counter);
185 ns_client_send(client);
186 }
187
188 static void
189 query_error(ns_client_t *client, isc_result_t result, int line) {
190 int loglevel = ISC_LOG_DEBUG(3);
191
192 switch (result) {
193 case DNS_R_SERVFAIL:
194 loglevel = ISC_LOG_DEBUG(1);
195 inc_stats(client, dns_nsstatscounter_servfail);
196 break;
197 case DNS_R_FORMERR:
198 inc_stats(client, dns_nsstatscounter_formerr);
199 break;
200 default:
201 inc_stats(client, dns_nsstatscounter_failure);
202 break;
203 }
204
205 log_queryerror(client, result, line, loglevel);
206
207 ns_client_error(client, result);
208 }
209
210 static void
211 query_next(ns_client_t *client, isc_result_t result) {
212 if (result == DNS_R_DUPLICATE)
213 inc_stats(client, dns_nsstatscounter_duplicate);
214 else if (result == DNS_R_DROP)
215 inc_stats(client, dns_nsstatscounter_dropped);
216 else
217 inc_stats(client, dns_nsstatscounter_failure);
218 ns_client_next(client, result);
219 }
220
221 static inline void
222 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
223 ns_dbversion_t *dbversion, *dbversion_next;
224 unsigned int i;
225
226 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
227 dbversion != NULL;
228 dbversion = dbversion_next, i++)
229 {
230 dbversion_next = ISC_LIST_NEXT(dbversion, link);
231 /*
232 * If we're not freeing everything, we keep the first three
233 * dbversions structures around.
234 */
235 if (i > 3 || everything) {
236 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
237 link);
238 isc_mem_put(client->mctx, dbversion,
239 sizeof(*dbversion));
240 }
241 }
242 }
243
244 void
245 ns_query_cancel(ns_client_t *client) {
246 LOCK(&client->query.fetchlock);
247 if (client->query.fetch != NULL) {
248 dns_resolver_cancelfetch(client->query.fetch);
249
250 client->query.fetch = NULL;
251 }
252 UNLOCK(&client->query.fetchlock);
253 }
254
255 static inline void
256 query_reset(ns_client_t *client, isc_boolean_t everything) {
257 isc_buffer_t *dbuf, *dbuf_next;
258 ns_dbversion_t *dbversion, *dbversion_next;
259
260 /*%
261 * Reset the query state of a client to its default state.
262 */
263
264 /*
265 * Cancel the fetch if it's running.
266 */
267 ns_query_cancel(client);
268
269 /*
270 * Cleanup any active versions.
271 */
272 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
273 dbversion != NULL;
274 dbversion = dbversion_next) {
275 dbversion_next = ISC_LIST_NEXT(dbversion, link);
276 dns_db_closeversion(dbversion->db, &dbversion->version,
277 ISC_FALSE);
278 dns_db_detach(&dbversion->db);
279 ISC_LIST_INITANDAPPEND(client->query.freeversions,
280 dbversion, link);
281 }
282 ISC_LIST_INIT(client->query.activeversions);
283
284 if (client->query.authdb != NULL)
285 dns_db_detach(&client->query.authdb);
286 if (client->query.authzone != NULL)
287 dns_zone_detach(&client->query.authzone);
288
289 query_freefreeversions(client, everything);
290
291 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
292 dbuf != NULL;
293 dbuf = dbuf_next) {
294 dbuf_next = ISC_LIST_NEXT(dbuf, link);
295 if (dbuf_next != NULL || everything) {
296 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
297 isc_buffer_free(&dbuf);
298 }
299 }
300
301 if (client->query.restarts > 0) {
302 /*
303 * client->query.qname was dynamically allocated.
304 */
305 dns_message_puttempname(client->message,
306 &client->query.qname);
307 }
308 client->query.qname = NULL;
309 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
310 NS_QUERYATTR_CACHEOK |
311 NS_QUERYATTR_SECURE);
312 client->query.restarts = 0;
313 client->query.timerset = ISC_FALSE;
314 client->query.origqname = NULL;
315 client->query.qname = NULL;
316 client->query.dboptions = 0;
317 client->query.fetchoptions = 0;
318 client->query.gluedb = NULL;
319 client->query.authdbset = ISC_FALSE;
320 client->query.isreferral = ISC_FALSE;
321 }
322
323 static void
324 query_next_callback(ns_client_t *client) {
325 query_reset(client, ISC_FALSE);
326 }
327
328 void
329 ns_query_free(ns_client_t *client) {
330 query_reset(client, ISC_TRUE);
331 }
332
333 static inline isc_result_t
334 query_newnamebuf(ns_client_t *client) {
335 isc_buffer_t *dbuf;
336 isc_result_t result;
337
338 CTRACE("query_newnamebuf");
339 /*%
340 * Allocate a name buffer.
341 */
342
343 dbuf = NULL;
344 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
345 if (result != ISC_R_SUCCESS) {
346 CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
347 return (result);
348 }
349 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
350
351 CTRACE("query_newnamebuf: done");
352 return (ISC_R_SUCCESS);
353 }
354
355 static inline isc_buffer_t *
356 query_getnamebuf(ns_client_t *client) {
357 isc_buffer_t *dbuf;
358 isc_result_t result;
359 isc_region_t r;
360
361 CTRACE("query_getnamebuf");
362 /*%
363 * Return a name buffer with space for a maximal name, allocating
364 * a new one if necessary.
365 */
366
367 if (ISC_LIST_EMPTY(client->query.namebufs)) {
368 result = query_newnamebuf(client);
369 if (result != ISC_R_SUCCESS) {
370 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
371 return (NULL);
372 }
373 }
374
375 dbuf = ISC_LIST_TAIL(client->query.namebufs);
376 INSIST(dbuf != NULL);
377 isc_buffer_availableregion(dbuf, &r);
378 if (r.length < 255) {
379 result = query_newnamebuf(client);
380 if (result != ISC_R_SUCCESS) {
381 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
382 return (NULL);
383
384 }
385 dbuf = ISC_LIST_TAIL(client->query.namebufs);
386 isc_buffer_availableregion(dbuf, &r);
387 INSIST(r.length >= 255);
388 }
389 CTRACE("query_getnamebuf: done");
390 return (dbuf);
391 }
392
393 static inline void
394 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
395 isc_region_t r;
396
397 CTRACE("query_keepname");
398 /*%
399 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
400 * adjusted to take account of that. We do the adjustment.
401 */
402
403 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
404
405 dns_name_toregion(name, &r);
406 isc_buffer_add(dbuf, r.length);
407 dns_name_setbuffer(name, NULL);
408 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
409 }
410
411 static inline void
412 query_releasename(ns_client_t *client, dns_name_t **namep) {
413 dns_name_t *name = *namep;
414
415 /*%
416 * 'name' is no longer needed. Return it to our pool of temporary
417 * names. If it is using a name buffer, relinquish its exclusive
418 * rights on the buffer.
419 */
420
421 CTRACE("query_releasename");
422 if (dns_name_hasbuffer(name)) {
423 INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
424 != 0);
425 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
426 }
427 dns_message_puttempname(client->message, namep);
428 CTRACE("query_releasename: done");
429 }
430
431 static inline dns_name_t *
432 query_newname(ns_client_t *client, isc_buffer_t *dbuf,
433 isc_buffer_t *nbuf)
434 {
435 dns_name_t *name;
436 isc_region_t r;
437 isc_result_t result;
438
439 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
440
441 CTRACE("query_newname");
442 name = NULL;
443 result = dns_message_gettempname(client->message, &name);
444 if (result != ISC_R_SUCCESS) {
445 CTRACE("query_newname: dns_message_gettempname failed: done");
446 return (NULL);
447 }
448 isc_buffer_availableregion(dbuf, &r);
449 isc_buffer_init(nbuf, r.base, r.length);
450 dns_name_init(name, NULL);
451 dns_name_setbuffer(name, nbuf);
452 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
453
454 CTRACE("query_newname: done");
455 return (name);
456 }
457
458 static inline dns_rdataset_t *
459 query_newrdataset(ns_client_t *client) {
460 dns_rdataset_t *rdataset;
461 isc_result_t result;
462
463 CTRACE("query_newrdataset");
464 rdataset = NULL;
465 result = dns_message_gettemprdataset(client->message, &rdataset);
466 if (result != ISC_R_SUCCESS) {
467 CTRACE("query_newrdataset: "
468 "dns_message_gettemprdataset failed: done");
469 return (NULL);
470 }
471 dns_rdataset_init(rdataset);
472
473 CTRACE("query_newrdataset: done");
474 return (rdataset);
475 }
476
477 static inline void
478 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
479 dns_rdataset_t *rdataset = *rdatasetp;
480
481 CTRACE("query_putrdataset");
482 if (rdataset != NULL) {
483 if (dns_rdataset_isassociated(rdataset))
484 dns_rdataset_disassociate(rdataset);
485 dns_message_puttemprdataset(client->message, rdatasetp);
486 }
487 CTRACE("query_putrdataset: done");
488 }
489
490
491 static inline isc_result_t
492 query_newdbversion(ns_client_t *client, unsigned int n) {
493 unsigned int i;
494 ns_dbversion_t *dbversion;
495
496 for (i = 0; i < n; i++) {
497 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
498 if (dbversion != NULL) {
499 dbversion->db = NULL;
500 dbversion->version = NULL;
501 ISC_LIST_INITANDAPPEND(client->query.freeversions,
502 dbversion, link);
503 } else {
504 /*
505 * We only return ISC_R_NOMEMORY if we couldn't
506 * allocate anything.
507 */
508 if (i == 0)
509 return (ISC_R_NOMEMORY);
510 else
511 return (ISC_R_SUCCESS);
512 }
513 }
514
515 return (ISC_R_SUCCESS);
516 }
517
518 static inline ns_dbversion_t *
519 query_getdbversion(ns_client_t *client) {
520 isc_result_t result;
521 ns_dbversion_t *dbversion;
522
523 if (ISC_LIST_EMPTY(client->query.freeversions)) {
524 result = query_newdbversion(client, 1);
525 if (result != ISC_R_SUCCESS)
526 return (NULL);
527 }
528 dbversion = ISC_LIST_HEAD(client->query.freeversions);
529 INSIST(dbversion != NULL);
530 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
531
532 return (dbversion);
533 }
534
535 isc_result_t
536 ns_query_init(ns_client_t *client) {
537 isc_result_t result;
538
539 ISC_LIST_INIT(client->query.namebufs);
540 ISC_LIST_INIT(client->query.activeversions);
541 ISC_LIST_INIT(client->query.freeversions);
542 client->query.restarts = 0;
543 client->query.timerset = ISC_FALSE;
544 client->query.qname = NULL;
545 result = isc_mutex_init(&client->query.fetchlock);
546 if (result != ISC_R_SUCCESS)
547 return (result);
548 client->query.fetch = NULL;
549 client->query.authdb = NULL;
550 client->query.authzone = NULL;
551 client->query.authdbset = ISC_FALSE;
552 client->query.isreferral = ISC_FALSE;
553 query_reset(client, ISC_FALSE);
554 result = query_newdbversion(client, 3);
555 if (result != ISC_R_SUCCESS) {
556 DESTROYLOCK(&client->query.fetchlock);
557 return (result);
558 }
559 result = query_newnamebuf(client);
560 if (result != ISC_R_SUCCESS)
561 query_freefreeversions(client, ISC_TRUE);
562
563 return (result);
564 }
565
566 static inline ns_dbversion_t *
567 query_findversion(ns_client_t *client, dns_db_t *db,
568 isc_boolean_t *newzonep)
569 {
570 ns_dbversion_t *dbversion;
571
572 /*%
573 * We may already have done a query related to this
574 * database. If so, we must be sure to make subsequent
575 * queries from the same version.
576 */
577 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
578 dbversion != NULL;
579 dbversion = ISC_LIST_NEXT(dbversion, link)) {
580 if (dbversion->db == db)
581 break;
582 }
583
584 if (dbversion == NULL) {
585 /*
586 * This is a new zone for this query. Add it to
587 * the active list.
588 */
589 dbversion = query_getdbversion(client);
590 if (dbversion == NULL)
591 return (NULL);
592 dns_db_attach(db, &dbversion->db);
593 dns_db_currentversion(db, &dbversion->version);
594 dbversion->queryok = ISC_FALSE;
595 ISC_LIST_APPEND(client->query.activeversions,
596 dbversion, link);
597 *newzonep = ISC_TRUE;
598 } else
599 *newzonep = ISC_FALSE;
600
601 return (dbversion);
602 }
603
604 static inline isc_result_t
605 query_validatezonedb(ns_client_t *client, dns_name_t *name,
606 dns_rdatatype_t qtype, unsigned int options,
607 dns_zone_t *zone, dns_db_t *db,
608 dns_dbversion_t **versionp)
609 {
610 isc_result_t result;
611 isc_boolean_t check_acl, new_zone;
612 dns_acl_t *queryacl;
613 ns_dbversion_t *dbversion;
614
615 REQUIRE(zone != NULL);
616 REQUIRE(db != NULL);
617
618 /*
619 * This limits our searching to the zone where the first name
620 * (the query target) was looked for. This prevents following
621 * CNAMES or DNAMES into other zones and prevents returning
622 * additional data from other zones.
623 */
624 if (!client->view->additionalfromauth &&
625 client->query.authdbset &&
626 db != client->query.authdb)
627 goto refuse;
628
629 /*
630 * If the zone has an ACL, we'll check it, otherwise
631 * we use the view's "allow-query" ACL. Each ACL is only checked
632 * once per query.
633 *
634 * Also, get the database version to use.
635 */
636
637 check_acl = ISC_TRUE; /* Keep compiler happy. */
638 queryacl = NULL;
639
640 /*
641 * Get the current version of this database.
642 */
643 dbversion = query_findversion(client, db, &new_zone);
644 if (dbversion == NULL) {
645 result = DNS_R_SERVFAIL;
646 goto fail;
647 }
648 if (new_zone) {
649 check_acl = ISC_TRUE;
650 } else if (!dbversion->queryok) {
651 goto refuse;
652 } else {
653 check_acl = ISC_FALSE;
654 }
655
656 queryacl = dns_zone_getqueryacl(zone);
657 if (queryacl == NULL) {
658 queryacl = client->view->queryacl;
659 if ((client->query.attributes &
660 NS_QUERYATTR_QUERYOKVALID) != 0) {
661 /*
662 * We've evaluated the view's queryacl already. If
663 * NS_QUERYATTR_QUERYOK is set, then the client is
664 * allowed to make queries, otherwise the query should
665 * be refused.
666 */
667 check_acl = ISC_FALSE;
668 if ((client->query.attributes &
669 NS_QUERYATTR_QUERYOK) == 0)
670 goto refuse;
671 } else {
672 /*
673 * We haven't evaluated the view's queryacl yet.
674 */
675 check_acl = ISC_TRUE;
676 }
677 }
678
679 if (check_acl) {
680 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
681
682 result = ns_client_checkaclsilent(client, NULL, queryacl,
683 ISC_TRUE);
684 if (log) {
685 char msg[NS_CLIENT_ACLMSGSIZE("query")];
686 if (result == ISC_R_SUCCESS) {
687 if (isc_log_wouldlog(ns_g_lctx,
688 ISC_LOG_DEBUG(3)))
689 {
690 ns_client_aclmsg("query", name, qtype,
691 client->view->rdclass,
692 msg, sizeof(msg));
693 ns_client_log(client,
694 DNS_LOGCATEGORY_SECURITY,
695 NS_LOGMODULE_QUERY,
696 ISC_LOG_DEBUG(3),
697 "%s approved", msg);
698 }
699 } else {
700 ns_client_aclmsg("query", name, qtype,
701 client->view->rdclass,
702 msg, sizeof(msg));
703 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
704 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
705 "%s denied", msg);
706 }
707 }
708
709 if (queryacl == client->view->queryacl) {
710 if (result == ISC_R_SUCCESS) {
711 /*
712 * We were allowed by the default
713 * "allow-query" ACL. Remember this so we
714 * don't have to check again.
715 */
716 client->query.attributes |=
717 NS_QUERYATTR_QUERYOK;
718 }
719 /*
720 * We've now evaluated the view's query ACL, and
721 * the NS_QUERYATTR_QUERYOK attribute is now valid.
722 */
723 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
724 }
725
726 if (result != ISC_R_SUCCESS)
727 goto refuse;
728 }
729
730 /* Approved. */
731
732 /*
733 * Remember the result of the ACL check so we
734 * don't have to check again.
735 */
736 dbversion->queryok = ISC_TRUE;
737
738 /* Transfer ownership, if necessary. */
739 if (versionp != NULL)
740 *versionp = dbversion->version;
741
742 return (ISC_R_SUCCESS);
743
744 refuse:
745 return (DNS_R_REFUSED);
746
747 fail:
748 return (result);
749 }
750
751 static inline isc_result_t
752 query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
753 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
754 dns_dbversion_t **versionp)
755 {
756 isc_result_t result;
757 unsigned int ztoptions;
758 dns_zone_t *zone = NULL;
759 dns_db_t *db = NULL;
760 isc_boolean_t partial = ISC_FALSE;
761
762 REQUIRE(zonep != NULL && *zonep == NULL);
763 REQUIRE(dbp != NULL && *dbp == NULL);
764
765 /*%
766 * Find a zone database to answer the query.
767 */
768 ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
769 DNS_ZTFIND_NOEXACT : 0;
770
771 result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
772 &zone);
773 if (result == DNS_R_PARTIALMATCH)
774 partial = ISC_TRUE;
775 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
776 result = dns_zone_getdb(zone, &db);
777
778 if (result != ISC_R_SUCCESS)
779 goto fail;
780
781 result = query_validatezonedb(client, name, qtype, options, zone, db,
782 versionp);
783
784 if (result != ISC_R_SUCCESS)
785 goto fail;
786
787 /* Transfer ownership. */
788 *zonep = zone;
789 *dbp = db;
790
791 if (partial && (options & DNS_GETDB_PARTIAL) != 0)
792 return (DNS_R_PARTIALMATCH);
793 return (ISC_R_SUCCESS);
794
795 fail:
796 if (zone != NULL)
797 dns_zone_detach(&zone);
798 if (db != NULL)
799 dns_db_detach(&db);
800
801 return (result);
802 }
803
804 static inline isc_result_t
805 query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
806 dns_db_t **dbp, unsigned int options)
807 {
808 isc_result_t result;
809 isc_boolean_t check_acl;
810 dns_db_t *db = NULL;
811
812 REQUIRE(dbp != NULL && *dbp == NULL);
813
814 /*%
815 * Find a cache database to answer the query.
816 * This may fail with DNS_R_REFUSED if the client
817 * is not allowed to use the cache.
818 */
819
820 if (!USECACHE(client))
821 return (DNS_R_REFUSED);
822 dns_db_attach(client->view->cachedb, &db);
823
824 if ((client->query.attributes &
825 NS_QUERYATTR_QUERYOKVALID) != 0) {
826 /*
827 * We've evaluated the view's queryacl already. If
828 * NS_QUERYATTR_QUERYOK is set, then the client is
829 * allowed to make queries, otherwise the query should
830 * be refused.
831 */
832 check_acl = ISC_FALSE;
833 if ((client->query.attributes &
834 NS_QUERYATTR_QUERYOK) == 0)
835 goto refuse;
836 } else {
837 /*
838 * We haven't evaluated the view's queryacl yet.
839 */
840 check_acl = ISC_TRUE;
841 }
842
843 if (check_acl) {
844 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
845 char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
846
847 result = ns_client_checkaclsilent(client, NULL,
848 client->view->queryacl,
849 ISC_TRUE);
850 if (result == ISC_R_SUCCESS) {
851 /*
852 * We were allowed by the default
853 * "allow-query" ACL. Remember this so we
854 * don't have to check again.
855 */
856 client->query.attributes |=
857 NS_QUERYATTR_QUERYOK;
858 if (log && isc_log_wouldlog(ns_g_lctx,
859 ISC_LOG_DEBUG(3)))
860 {
861 ns_client_aclmsg("query (cache)", name, qtype,
862 client->view->rdclass,
863 msg, sizeof(msg));
864 ns_client_log(client,
865 DNS_LOGCATEGORY_SECURITY,
866 NS_LOGMODULE_QUERY,
867 ISC_LOG_DEBUG(3),
868 "%s approved", msg);
869 }
870 } else if (log) {
871 ns_client_aclmsg("query (cache)", name, qtype,
872 client->view->rdclass, msg,
873 sizeof(msg));
874 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
875 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
876 "%s denied", msg);
877 }
878 /*
879 * We've now evaluated the view's query ACL, and
880 * the NS_QUERYATTR_QUERYOK attribute is now valid.
881 */
882 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
883
884 if (result != ISC_R_SUCCESS)
885 goto refuse;
886 }
887
888 /* Approved. */
889
890 /* Transfer ownership. */
891 *dbp = db;
892
893 return (ISC_R_SUCCESS);
894
895 refuse:
896 result = DNS_R_REFUSED;
897
898 if (db != NULL)
899 dns_db_detach(&db);
900
901 return (result);
902 }
903
904
905 static inline isc_result_t
906 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
907 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
908 dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
909 {
910 isc_result_t result;
911
912 #ifdef DLZ
913 isc_result_t tresult;
914 unsigned int namelabels;
915 unsigned int zonelabels;
916 dns_zone_t *zone = NULL;
917 dns_db_t *tdbp;
918
919 REQUIRE(zonep != NULL && *zonep == NULL);
920
921 tdbp = NULL;
922
923 /* Calculate how many labels are in name. */
924 namelabels = dns_name_countlabels(name);
925 zonelabels = 0;
926
927 /* Try to find name in bind's standard database. */
928 result = query_getzonedb(client, name, qtype, options, &zone,
929 dbp, versionp);
930
931 /* See how many labels are in the zone's name. */
932 if (result == ISC_R_SUCCESS && zone != NULL)
933 zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
934 /*
935 * If # zone labels < # name labels, try to find an even better match
936 * Only try if a DLZ driver is loaded for this view
937 */
938 if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
939 tresult = dns_dlzfindzone(client->view, name,
940 zonelabels, &tdbp);
941 /* If we successful, we found a better match. */
942 if (tresult == ISC_R_SUCCESS) {
943 /*
944 * If the previous search returned a zone, detach it.
945 */
946 if (zone != NULL)
947 dns_zone_detach(&zone);
948
949 /*
950 * If the previous search returned a database,
951 * detach it.
952 */
953 if (*dbp != NULL)
954 dns_db_detach(dbp);
955
956 /*
957 * If the previous search returned a version, clear it.
958 */
959 *versionp = NULL;
960
961 /*
962 * Get our database version.
963 */
964 dns_db_currentversion(tdbp, versionp);
965
966 /*
967 * Be sure to return our database.
968 */
969 *dbp = tdbp;
970
971 /*
972 * We return a null zone, No stats for DLZ zones.
973 */
974 zone = NULL;
975 result = tresult;
976 }
977 }
978 #else
979 result = query_getzonedb(client, name, qtype, options,
980 zonep, dbp, versionp);
981 #endif
982
983 /* If successful, Transfer ownership of zone. */
984 if (result == ISC_R_SUCCESS) {
985 #ifdef DLZ
986 *zonep = zone;
987 #endif
988 /*
989 * If neither attempt above succeeded, return the cache instead
990 */
991 *is_zonep = ISC_TRUE;
992 } else if (result == ISC_R_NOTFOUND) {
993 result = query_getcachedb(client, name, qtype, dbp, options);
994 *is_zonep = ISC_FALSE;
995 }
996 return (result);
997 }
998
999 static inline isc_boolean_t
1000 query_isduplicate(ns_client_t *client, dns_name_t *name,
1001 dns_rdatatype_t type, dns_name_t **mnamep)
1002 {
1003 dns_section_t section;
1004 dns_name_t *mname = NULL;
1005 isc_result_t result;
1006
1007 CTRACE("query_isduplicate");
1008
1009 for (section = DNS_SECTION_ANSWER;
1010 section <= DNS_SECTION_ADDITIONAL;
1011 section++) {
1012 result = dns_message_findname(client->message, section,
1013 name, type, 0, &mname, NULL);
1014 if (result == ISC_R_SUCCESS) {
1015 /*
1016 * We've already got this RRset in the response.
1017 */
1018 CTRACE("query_isduplicate: true: done");
1019 return (ISC_TRUE);
1020 } else if (result == DNS_R_NXRRSET) {
1021 /*
1022 * The name exists, but the rdataset does not.
1023 */
1024 if (section == DNS_SECTION_ADDITIONAL)
1025 break;
1026 } else
1027 RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
1028 mname = NULL;
1029 }
1030
1031 /*
1032 * If the dns_name_t we're looking up is already in the message,
1033 * we don't want to trigger the caller's name replacement logic.
1034 */
1035 if (name == mname)
1036 mname = NULL;
1037
1038 *mnamep = mname;
1039
1040 CTRACE("query_isduplicate: false: done");
1041 return (ISC_FALSE);
1042 }
1043
1044 static isc_result_t
1045 query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1046 ns_client_t *client = arg;
1047 isc_result_t result, eresult;
1048 dns_dbnode_t *node;
1049 dns_db_t *db;
1050 dns_name_t *fname, *mname;
1051 dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
1052 isc_buffer_t *dbuf;
1053 isc_buffer_t b;
1054 dns_dbversion_t *version;
1055 isc_boolean_t added_something, need_addname;
1056 dns_zone_t *zone;
1057 dns_rdatatype_t type;
1058
1059 REQUIRE(NS_CLIENT_VALID(client));
1060 REQUIRE(qtype != dns_rdatatype_any);
1061
1062 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
1063 return (ISC_R_SUCCESS);
1064
1065 CTRACE("query_addadditional");
1066
1067 /*
1068 * Initialization.
1069 */
1070 eresult = ISC_R_SUCCESS;
1071 fname = NULL;
1072 rdataset = NULL;
1073 sigrdataset = NULL;
1074 trdataset = NULL;
1075 db = NULL;
1076 version = NULL;
1077 node = NULL;
1078 added_something = ISC_FALSE;
1079 need_addname = ISC_FALSE;
1080 zone = NULL;
1081
1082 /*
1083 * We treat type A additional section processing as if it
1084 * were "any address type" additional section processing.
1085 * To avoid multiple lookups, we do an 'any' database
1086 * lookup and iterate over the node.
1087 */
1088 if (qtype == dns_rdatatype_a)
1089 type = dns_rdatatype_any;
1090 else
1091 type = qtype;
1092
1093 /*
1094 * Get some resources.
1095 */
1096 dbuf = query_getnamebuf(client);
1097 if (dbuf == NULL)
1098 goto cleanup;
1099 fname = query_newname(client, dbuf, &b);
1100 rdataset = query_newrdataset(client);
1101 if (fname == NULL || rdataset == NULL)
1102 goto cleanup;
1103 if (WANTDNSSEC(client)) {
1104 sigrdataset = query_newrdataset(client);
1105 if (sigrdataset == NULL)
1106 goto cleanup;
1107 }
1108
1109 /*
1110 * Look for a zone database that might contain authoritative
1111 * additional data.
1112 */
1113 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1114 &zone, &db, &version);
1115 if (result != ISC_R_SUCCESS)
1116 goto try_cache;
1117
1118 CTRACE("query_addadditional: db_find");
1119
1120 /*
1121 * Since we are looking for authoritative data, we do not set
1122 * the GLUEOK flag. Glue will be looked for later, but not
1123 * necessarily in the same database.
1124 */
1125 node = NULL;
1126 result = dns_db_find(db, name, version, type, client->query.dboptions,
1127 client->now, &node, fname, rdataset,
1128 sigrdataset);
1129 if (result == ISC_R_SUCCESS) {
1130 if (sigrdataset != NULL && !dns_db_issecure(db) &&
1131 dns_rdataset_isassociated(sigrdataset))
1132 dns_rdataset_disassociate(sigrdataset);
1133 goto found;
1134 }
1135
1136 if (dns_rdataset_isassociated(rdataset))
1137 dns_rdataset_disassociate(rdataset);
1138 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1139 dns_rdataset_disassociate(sigrdataset);
1140 if (node != NULL)
1141 dns_db_detachnode(db, &node);
1142 version = NULL;
1143 dns_db_detach(&db);
1144
1145 /*
1146 * No authoritative data was found. The cache is our next best bet.
1147 */
1148
1149 try_cache:
1150 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1151 if (result != ISC_R_SUCCESS)
1152 /*
1153 * Most likely the client isn't allowed to query the cache.
1154 */
1155 goto try_glue;
1156 /*
1157 * Attempt to validate glue.
1158 */
1159 if (sigrdataset == NULL) {
1160 sigrdataset = query_newrdataset(client);
1161 if (sigrdataset == NULL)
1162 goto cleanup;
1163 }
1164 result = dns_db_find(db, name, version, type,
1165 client->query.dboptions |
1166 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
1167 client->now, &node, fname, rdataset,
1168 sigrdataset);
1169 if (result == DNS_R_GLUE &&
1170 validate(client, db, fname, rdataset, sigrdataset))
1171 result = ISC_R_SUCCESS;
1172 if (!WANTDNSSEC(client))
1173 query_putrdataset(client, &sigrdataset);
1174 if (result == ISC_R_SUCCESS)
1175 goto found;
1176
1177 if (dns_rdataset_isassociated(rdataset))
1178 dns_rdataset_disassociate(rdataset);
1179 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1180 dns_rdataset_disassociate(sigrdataset);
1181 if (node != NULL)
1182 dns_db_detachnode(db, &node);
1183 dns_db_detach(&db);
1184
1185 try_glue:
1186 /*
1187 * No cached data was found. Glue is our last chance.
1188 * RFC1035 sayeth:
1189 *
1190 * NS records cause both the usual additional section
1191 * processing to locate a type A record, and, when used
1192 * in a referral, a special search of the zone in which
1193 * they reside for glue information.
1194 *
1195 * This is the "special search". Note that we must search
1196 * the zone where the NS record resides, not the zone it
1197 * points to, and that we only do the search in the delegation
1198 * case (identified by client->query.gluedb being set).
1199 */
1200
1201 if (client->query.gluedb == NULL)
1202 goto cleanup;
1203
1204 /*
1205 * Don't poison caches using the bailiwick protection model.
1206 */
1207 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1208 goto cleanup;
1209
1210 dns_db_attach(client->query.gluedb, &db);
1211 result = dns_db_find(db, name, version, type,
1212 client->query.dboptions | DNS_DBFIND_GLUEOK,
1213 client->now, &node, fname, rdataset,
1214 sigrdataset);
1215 if (!(result == ISC_R_SUCCESS ||
1216 result == DNS_R_ZONECUT ||
1217 result == DNS_R_GLUE))
1218 goto cleanup;
1219
1220 found:
1221 /*
1222 * We have found a potential additional data rdataset, or
1223 * at least a node to iterate over.
1224 */
1225 query_keepname(client, fname, dbuf);
1226
1227 /*
1228 * If we have an rdataset, add it to the additional data
1229 * section.
1230 */
1231 mname = NULL;
1232 if (dns_rdataset_isassociated(rdataset) &&
1233 !query_isduplicate(client, fname, type, &mname)) {
1234 if (mname != NULL) {
1235 query_releasename(client, &fname);
1236 fname = mname;
1237 } else
1238 need_addname = ISC_TRUE;
1239 ISC_LIST_APPEND(fname->list, rdataset, link);
1240 trdataset = rdataset;
1241 rdataset = NULL;
1242 added_something = ISC_TRUE;
1243 /*
1244 * Note: we only add SIGs if we've added the type they cover,
1245 * so we do not need to check if the SIG rdataset is already
1246 * in the response.
1247 */
1248 if (sigrdataset != NULL &&
1249 dns_rdataset_isassociated(sigrdataset))
1250 {
1251 ISC_LIST_APPEND(fname->list, sigrdataset, link);
1252 sigrdataset = NULL;
1253 }
1254 }
1255
1256 if (qtype == dns_rdatatype_a) {
1257 /*
1258 * We now go looking for A and AAAA records, along with
1259 * their signatures.
1260 *
1261 * XXXRTH This code could be more efficient.
1262 */
1263 if (rdataset != NULL) {
1264 if (dns_rdataset_isassociated(rdataset))
1265 dns_rdataset_disassociate(rdataset);
1266 } else {
1267 rdataset = query_newrdataset(client);
1268 if (rdataset == NULL)
1269 goto addname;
1270 }
1271 if (sigrdataset != NULL) {
1272 if (dns_rdataset_isassociated(sigrdataset))
1273 dns_rdataset_disassociate(sigrdataset);
1274 } else if (WANTDNSSEC(client)) {
1275 sigrdataset = query_newrdataset(client);
1276 if (sigrdataset == NULL)
1277 goto addname;
1278 }
1279 result = dns_db_findrdataset(db, node, version,
1280 dns_rdatatype_a, 0,
1281 client->now, rdataset,
1282 sigrdataset);
1283 if (result == DNS_R_NCACHENXDOMAIN)
1284 goto addname;
1285 if (result == DNS_R_NCACHENXRRSET) {
1286 dns_rdataset_disassociate(rdataset);
1287 /*
1288 * Negative cache entries don't have sigrdatasets.
1289 */
1290 INSIST(sigrdataset == NULL ||
1291 ! dns_rdataset_isassociated(sigrdataset));
1292 }
1293 if (result == ISC_R_SUCCESS) {
1294 mname = NULL;
1295 if (!query_isduplicate(client, fname,
1296 dns_rdatatype_a, &mname)) {
1297 if (mname != NULL) {
1298 query_releasename(client, &fname);
1299 fname = mname;
1300 } else
1301 need_addname = ISC_TRUE;
1302 ISC_LIST_APPEND(fname->list, rdataset, link);
1303 added_something = ISC_TRUE;
1304 if (sigrdataset != NULL &&
1305 dns_rdataset_isassociated(sigrdataset))
1306 {
1307 ISC_LIST_APPEND(fname->list,
1308 sigrdataset, link);
1309 sigrdataset =
1310 query_newrdataset(client);
1311 }
1312 rdataset = query_newrdataset(client);
1313 if (rdataset == NULL)
1314 goto addname;
1315 if (WANTDNSSEC(client) && sigrdataset == NULL)
1316 goto addname;
1317 } else {
1318 dns_rdataset_disassociate(rdataset);
1319 if (sigrdataset != NULL &&
1320 dns_rdataset_isassociated(sigrdataset))
1321 dns_rdataset_disassociate(sigrdataset);
1322 }
1323 }
1324 result = dns_db_findrdataset(db, node, version,
1325 dns_rdatatype_aaaa, 0,
1326 client->now, rdataset,
1327 sigrdataset);
1328 if (result == DNS_R_NCACHENXDOMAIN)
1329 goto addname;
1330 if (result == DNS_R_NCACHENXRRSET) {
1331 dns_rdataset_disassociate(rdataset);
1332 INSIST(sigrdataset == NULL ||
1333 ! dns_rdataset_isassociated(sigrdataset));
1334 }
1335 if (result == ISC_R_SUCCESS) {
1336 mname = NULL;
1337 if (!query_isduplicate(client, fname,
1338 dns_rdatatype_aaaa, &mname)) {
1339 if (mname != NULL) {
1340 query_releasename(client, &fname);
1341 fname = mname;
1342 } else
1343 need_addname = ISC_TRUE;
1344 ISC_LIST_APPEND(fname->list, rdataset, link);
1345 added_something = ISC_TRUE;
1346 if (sigrdataset != NULL &&
1347 dns_rdataset_isassociated(sigrdataset))
1348 {
1349 ISC_LIST_APPEND(fname->list,
1350 sigrdataset, link);
1351 sigrdataset = NULL;
1352 }
1353 rdataset = NULL;
1354 }
1355 }
1356 }
1357
1358 addname:
1359 CTRACE("query_addadditional: addname");
1360 /*
1361 * If we haven't added anything, then we're done.
1362 */
1363 if (!added_something)
1364 goto cleanup;
1365
1366 /*
1367 * We may have added our rdatasets to an existing name, if so, then
1368 * need_addname will be ISC_FALSE. Whether we used an existing name
1369 * or a new one, we must set fname to NULL to prevent cleanup.
1370 */
1371 if (need_addname)
1372 dns_message_addname(client->message, fname,
1373 DNS_SECTION_ADDITIONAL);
1374 fname = NULL;
1375
1376 /*
1377 * In a few cases, we want to add additional data for additional
1378 * data. It's simpler to just deal with special cases here than
1379 * to try to create a general purpose mechanism and allow the
1380 * rdata implementations to do it themselves.
1381 *
1382 * This involves recursion, but the depth is limited. The
1383 * most complex case is adding a SRV rdataset, which involves
1384 * recursing to add address records, which in turn can cause
1385 * recursion to add KEYs.
1386 */
1387 if (type == dns_rdatatype_srv && trdataset != NULL) {
1388 /*
1389 * If we're adding SRV records to the additional data
1390 * section, it's helpful if we add the SRV additional data
1391 * as well.
1392 */
1393 eresult = dns_rdataset_additionaldata(trdataset,
1394 query_addadditional,
1395 client);
1396 }
1397
1398 cleanup:
1399 CTRACE("query_addadditional: cleanup");
1400 query_putrdataset(client, &rdataset);
1401 if (sigrdataset != NULL)
1402 query_putrdataset(client, &sigrdataset);
1403 if (fname != NULL)
1404 query_releasename(client, &fname);
1405 if (node != NULL)
1406 dns_db_detachnode(db, &node);
1407 if (db != NULL)
1408 dns_db_detach(&db);
1409 if (zone != NULL)
1410 dns_zone_detach(&zone);
1411
1412 CTRACE("query_addadditional: done");
1413 return (eresult);
1414 }
1415
1416 static inline void
1417 query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
1418 dns_rdatasetadditional_t additionaltype,
1419 dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
1420 dns_dbversion_t **versionp, dns_dbnode_t **nodep,
1421 dns_name_t *fname)
1422 {
1423 dns_rdataset_t *rdataset;
1424
1425 while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
1426 ISC_LIST_UNLINK(fname->list, rdataset, link);
1427 query_putrdataset(client, &rdataset);
1428 }
1429 if (*versionp != NULL)
1430 dns_db_closeversion(*dbp, versionp, ISC_FALSE);
1431 if (*nodep != NULL)
1432 dns_db_detachnode(*dbp, nodep);
1433 if (*dbp != NULL)
1434 dns_db_detach(dbp);
1435 if (*zonep != NULL)
1436 dns_zone_detach(zonep);
1437 (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
1438 additionaltype, type);
1439 }
1440
1441 static inline isc_result_t
1442 query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
1443 dns_dbversion_t *version)
1444 {
1445 isc_result_t result = ISC_R_SUCCESS;
1446 dns_dbversion_t *version_current = NULL;
1447 dns_db_t *db_current = db0;
1448
1449 if (db_current == NULL) {
1450 result = dns_zone_getdb(zone, &db_current);
1451 if (result != ISC_R_SUCCESS)
1452 return (result);
1453 }
1454 dns_db_currentversion(db_current, &version_current);
1455 if (db_current != db || version_current != version) {
1456 result = ISC_R_FAILURE;
1457 goto cleanup;
1458 }
1459
1460 cleanup:
1461 dns_db_closeversion(db_current, &version_current, ISC_FALSE);
1462 if (db0 == NULL && db_current != NULL)
1463 dns_db_detach(&db_current);
1464
1465 return (result);
1466 }
1467
1468 static isc_result_t
1469 query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1470 client_additionalctx_t *additionalctx = arg;
1471 dns_rdataset_t *rdataset_base;
1472 ns_client_t *client;
1473 isc_result_t result, eresult;
1474 dns_dbnode_t *node, *cnode;
1475 dns_db_t *db, *cdb;
1476 dns_name_t *fname, *mname0, cfname;
1477 dns_rdataset_t *rdataset, *sigrdataset;
1478 dns_rdataset_t *crdataset, *crdataset_next;
1479 isc_buffer_t *dbuf;
1480 isc_buffer_t b;
1481 dns_dbversion_t *version, *cversion;
1482 isc_boolean_t added_something, need_addname, needadditionalcache;
1483 isc_boolean_t need_sigrrset;
1484 dns_zone_t *zone;
1485 dns_rdatatype_t type;
1486 dns_rdatasetadditional_t additionaltype;
1487
1488 if (qtype != dns_rdatatype_a) {
1489 /*
1490 * This function is optimized for "address" types. For other
1491 * types, use a generic routine.
1492 * XXX: ideally, this function should be generic enough.
1493 */
1494 return (query_addadditional(additionalctx->client,
1495 name, qtype));
1496 }
1497
1498 /*
1499 * Initialization.
1500 */
1501 rdataset_base = additionalctx->rdataset;
1502 client = additionalctx->client;
1503 REQUIRE(NS_CLIENT_VALID(client));
1504 eresult = ISC_R_SUCCESS;
1505 fname = NULL;
1506 rdataset = NULL;
1507 sigrdataset = NULL;
1508 db = NULL;
1509 cdb = NULL;
1510 version = NULL;
1511 cversion = NULL;
1512 node = NULL;
1513 cnode = NULL;
1514 added_something = ISC_FALSE;
1515 need_addname = ISC_FALSE;
1516 zone = NULL;
1517 needadditionalcache = ISC_FALSE;
1518 additionaltype = dns_rdatasetadditional_fromauth;
1519 dns_name_init(&cfname, NULL);
1520
1521 CTRACE("query_addadditional2");
1522
1523 /*
1524 * We treat type A additional section processing as if it
1525 * were "any address type" additional section processing.
1526 * To avoid multiple lookups, we do an 'any' database
1527 * lookup and iterate over the node.
1528 * XXXJT: this approach can cause a suboptimal result when the cache
1529 * DB only has partial address types and the glue DB has remaining
1530 * ones.
1531 */
1532 type = dns_rdatatype_any;
1533
1534 /*
1535 * Get some resources.
1536 */
1537 dbuf = query_getnamebuf(client);
1538 if (dbuf == NULL)
1539 goto cleanup;
1540 fname = query_newname(client, dbuf, &b);
1541 if (fname == NULL)
1542 goto cleanup;
1543 dns_name_setbuffer(&cfname, &b); /* share the buffer */
1544
1545 /* Check additional cache */
1546 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1547 type, client->view->acache, &zone,
1548 &cdb, &cversion, &cnode, &cfname,
1549 client->message, client->now);
1550 if (result != ISC_R_SUCCESS)
1551 goto findauthdb;
1552 if (zone == NULL) {
1553 CTRACE("query_addadditional2: auth zone not found");
1554 goto try_cache;
1555 }
1556
1557 /* Is the cached DB up-to-date? */
1558 result = query_iscachevalid(zone, cdb, NULL, cversion);
1559 if (result != ISC_R_SUCCESS) {
1560 CTRACE("query_addadditional2: old auth additional cache");
1561 query_discardcache(client, rdataset_base, additionaltype,
1562 type, &zone, &cdb, &cversion, &cnode,
1563 &cfname);
1564 goto findauthdb;
1565 }
1566
1567 if (cnode == NULL) {
1568 /*
1569 * We have a negative cache. We don't have to check the zone
1570 * ACL, since the result (not using this zone) would be same
1571 * regardless of the result.
1572 */
1573 CTRACE("query_addadditional2: negative auth additional cache");
1574 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1575 dns_db_detach(&cdb);
1576 dns_zone_detach(&zone);
1577 goto try_cache;
1578 }
1579
1580 result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
1581 zone, cdb, NULL);
1582 if (result != ISC_R_SUCCESS) {
1583 query_discardcache(client, rdataset_base, additionaltype,
1584 type, &zone, &cdb, &cversion, &cnode,
1585 &cfname);
1586 goto try_cache;
1587 }
1588
1589 /* We've got an active cache. */
1590 CTRACE("query_addadditional2: auth additional cache");
1591 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1592 db = cdb;
1593 node = cnode;
1594 dns_name_clone(&cfname, fname);
1595 query_keepname(client, fname, dbuf);
1596 goto foundcache;
1597
1598 /*
1599 * Look for a zone database that might contain authoritative
1600 * additional data.
1601 */
1602 findauthdb:
1603 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1604 &zone, &db, &version);
1605 if (result != ISC_R_SUCCESS) {
1606 /* Cache the negative result */
1607 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1608 type, client->view->acache,
1609 NULL, NULL, NULL, NULL,
1610 NULL);
1611 goto try_cache;
1612 }
1613
1614 CTRACE("query_addadditional2: db_find");
1615
1616 /*
1617 * Since we are looking for authoritative data, we do not set
1618 * the GLUEOK flag. Glue will be looked for later, but not
1619 * necessarily in the same database.
1620 */
1621 node = NULL;
1622 result = dns_db_find(db, name, version, type, client->query.dboptions,
1623 client->now, &node, fname, NULL, NULL);
1624 if (result == ISC_R_SUCCESS)
1625 goto found;
1626
1627 /* Cache the negative result */
1628 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1629 type, client->view->acache, zone, db,
1630 version, NULL, fname);
1631
1632 if (node != NULL)
1633 dns_db_detachnode(db, &node);
1634 version = NULL;
1635 dns_db_detach(&db);
1636
1637 /*
1638 * No authoritative data was found. The cache is our next best bet.
1639 */
1640
1641 try_cache:
1642 additionaltype = dns_rdatasetadditional_fromcache;
1643 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1644 if (result != ISC_R_SUCCESS)
1645 /*
1646 * Most likely the client isn't allowed to query the cache.
1647 */
1648 goto try_glue;
1649
1650 result = dns_db_find(db, name, version, type,
1651 client->query.dboptions |
1652 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
1653 client->now, &node, fname, NULL, NULL);
1654 if (result == ISC_R_SUCCESS)
1655 goto found;
1656
1657 if (node != NULL)
1658 dns_db_detachnode(db, &node);
1659 dns_db_detach(&db);
1660
1661 try_glue:
1662 /*
1663 * No cached data was found. Glue is our last chance.
1664 * RFC1035 sayeth:
1665 *
1666 * NS records cause both the usual additional section
1667 * processing to locate a type A record, and, when used
1668 * in a referral, a special search of the zone in which
1669 * they reside for glue information.
1670 *
1671 * This is the "special search". Note that we must search
1672 * the zone where the NS record resides, not the zone it
1673 * points to, and that we only do the search in the delegation
1674 * case (identified by client->query.gluedb being set).
1675 */
1676 if (client->query.gluedb == NULL)
1677 goto cleanup;
1678
1679 /*
1680 * Don't poison caches using the bailiwick protection model.
1681 */
1682 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1683 goto cleanup;
1684
1685 /* Check additional cache */
1686 additionaltype = dns_rdatasetadditional_fromglue;
1687 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1688 type, client->view->acache, NULL,
1689 &cdb, &cversion, &cnode, &cfname,
1690 client->message, client->now);
1691 if (result != ISC_R_SUCCESS)
1692 goto findglue;
1693
1694 result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
1695 if (result != ISC_R_SUCCESS) {
1696 CTRACE("query_addadditional2: old glue additional cache");
1697 query_discardcache(client, rdataset_base, additionaltype,
1698 type, &zone, &cdb, &cversion, &cnode,
1699 &cfname);
1700 goto findglue;
1701 }
1702
1703 if (cnode == NULL) {
1704 /* We have a negative cache. */
1705 CTRACE("query_addadditional2: negative glue additional cache");
1706 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1707 dns_db_detach(&cdb);
1708 goto cleanup;
1709 }
1710
1711 /* Cache hit. */
1712 CTRACE("query_addadditional2: glue additional cache");
1713 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1714 db = cdb;
1715 node = cnode;
1716 dns_name_clone(&cfname, fname);
1717 query_keepname(client, fname, dbuf);
1718 goto foundcache;
1719
1720 findglue:
1721 dns_db_attach(client->query.gluedb, &db);
1722 result = dns_db_find(db, name, version, type,
1723 client->query.dboptions | DNS_DBFIND_GLUEOK,
1724 client->now, &node, fname, NULL, NULL);
1725 if (!(result == ISC_R_SUCCESS ||
1726 result == DNS_R_ZONECUT ||
1727 result == DNS_R_GLUE)) {
1728 /* cache the negative result */
1729 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1730 type, client->view->acache,
1731 NULL, db, version, NULL,
1732 fname);
1733 goto cleanup;
1734 }
1735
1736 found:
1737 /*
1738 * We have found a DB node to iterate over from a DB.
1739 * We are going to look for address RRsets (i.e., A and AAAA) in the DB
1740 * node we've just found. We'll then store the complete information
1741 * in the additional data cache.
1742 */
1743 dns_name_clone(fname, &cfname);
1744 query_keepname(client, fname, dbuf);
1745 needadditionalcache = ISC_TRUE;
1746
1747 rdataset = query_newrdataset(client);
1748 if (rdataset == NULL)
1749 goto cleanup;
1750
1751 sigrdataset = query_newrdataset(client);
1752 if (sigrdataset == NULL)
1753 goto cleanup;
1754
1755 /*
1756 * Find A RRset with sig RRset. Even if we don't find a sig RRset
1757 * for a client using DNSSEC, we'll continue the process to make a
1758 * complete list to be cached. However, we need to cancel the
1759 * caching when something unexpected happens, in order to avoid
1760 * caching incomplete information.
1761 */
1762 result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
1763 client->now, rdataset, sigrdataset);
1764 /*
1765 * If we can't promote glue/pending from the cache to secure
1766 * then drop it.
1767 */
1768 if (result == ISC_R_SUCCESS &&
1769 additionaltype == dns_rdatasetadditional_fromcache &&
1770 (DNS_TRUST_PENDING(rdataset->trust) ||
1771 DNS_TRUST_GLUE(rdataset->trust)) &&
1772 !validate(client, db, fname, rdataset, sigrdataset)) {
1773 dns_rdataset_disassociate(rdataset);
1774 if (dns_rdataset_isassociated(sigrdataset))
1775 dns_rdataset_disassociate(sigrdataset);
1776 result = ISC_R_NOTFOUND;
1777 }
1778 if (result == DNS_R_NCACHENXDOMAIN)
1779 goto setcache;
1780 if (result == DNS_R_NCACHENXRRSET) {
1781 dns_rdataset_disassociate(rdataset);
1782 /*
1783 * Negative cache entries don't have sigrdatasets.
1784 */
1785 INSIST(! dns_rdataset_isassociated(sigrdataset));
1786 }
1787 if (result == ISC_R_SUCCESS) {
1788 /* Remember the result as a cache */
1789 ISC_LIST_APPEND(cfname.list, rdataset, link);
1790 if (dns_rdataset_isassociated(sigrdataset)) {
1791 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1792 sigrdataset = query_newrdataset(client);
1793 }
1794 rdataset = query_newrdataset(client);
1795 if (sigrdataset == NULL || rdataset == NULL) {
1796 /* do not cache incomplete information */
1797 goto foundcache;
1798 }
1799 }
1800
1801 /* Find AAAA RRset with sig RRset */
1802 result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
1803 0, client->now, rdataset, sigrdataset);
1804 /*
1805 * If we can't promote glue/pending from the cache to secure
1806 * then drop it.
1807 */
1808 if (result == ISC_R_SUCCESS &&
1809 additionaltype == dns_rdatasetadditional_fromcache &&
1810 (DNS_TRUST_PENDING(rdataset->trust) ||
1811 DNS_TRUST_GLUE(rdataset->trust)) &&
1812 !validate(client, db, fname, rdataset, sigrdataset)) {
1813 dns_rdataset_disassociate(rdataset);
1814 if (dns_rdataset_isassociated(sigrdataset))
1815 dns_rdataset_disassociate(sigrdataset);
1816 result = ISC_R_NOTFOUND;
1817 }
1818 if (result == ISC_R_SUCCESS) {
1819 ISC_LIST_APPEND(cfname.list, rdataset, link);
1820 rdataset = NULL;
1821 if (dns_rdataset_isassociated(sigrdataset)) {
1822 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1823 sigrdataset = NULL;
1824 }
1825 }
1826
1827 setcache:
1828 /*
1829 * Set the new result in the cache if required. We do not support
1830 * caching additional data from a cache DB.
1831 */
1832 if (needadditionalcache == ISC_TRUE &&
1833 (additionaltype == dns_rdatasetadditional_fromauth ||
1834 additionaltype == dns_rdatasetadditional_fromglue)) {
1835 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1836 type, client->view->acache,
1837 zone, db, version, node,
1838 &cfname);
1839 }
1840
1841 foundcache:
1842 need_sigrrset = ISC_FALSE;
1843 mname0 = NULL;
1844 for (crdataset = ISC_LIST_HEAD(cfname.list);
1845 crdataset != NULL;
1846 crdataset = crdataset_next) {
1847 dns_name_t *mname;
1848
1849 crdataset_next = ISC_LIST_NEXT(crdataset, link);
1850
1851 mname = NULL;
1852 if (crdataset->type == dns_rdatatype_a ||
1853 crdataset->type == dns_rdatatype_aaaa) {
1854 if (!query_isduplicate(client, fname, crdataset->type,
1855 &mname)) {
1856 if (mname != NULL) {
1857 /*
1858 * A different type of this name is
1859 * already stored in the additional
1860 * section. We'll reuse the name.
1861 * Note that this should happen at most
1862 * once. Otherwise, fname->link could
1863 * leak below.
1864 */
1865 INSIST(mname0 == NULL);
1866
1867 query_releasename(client, &fname);
1868 fname = mname;
1869 mname0 = mname;
1870 } else
1871 need_addname = ISC_TRUE;
1872 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1873 ISC_LIST_APPEND(fname->list, crdataset, link);
1874 added_something = ISC_TRUE;
1875 need_sigrrset = ISC_TRUE;
1876 } else
1877 need_sigrrset = ISC_FALSE;
1878 } else if (crdataset->type == dns_rdatatype_rrsig &&
1879 need_sigrrset && WANTDNSSEC(client)) {
1880 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1881 ISC_LIST_APPEND(fname->list, crdataset, link);
1882 added_something = ISC_TRUE; /* just in case */
1883 need_sigrrset = ISC_FALSE;
1884 }
1885 }
1886
1887 CTRACE("query_addadditional2: addname");
1888
1889 /*
1890 * If we haven't added anything, then we're done.
1891 */
1892 if (!added_something)
1893 goto cleanup;
1894
1895 /*
1896 * We may have added our rdatasets to an existing name, if so, then
1897 * need_addname will be ISC_FALSE. Whether we used an existing name
1898 * or a new one, we must set fname to NULL to prevent cleanup.
1899 */
1900 if (need_addname)
1901 dns_message_addname(client->message, fname,
1902 DNS_SECTION_ADDITIONAL);
1903 fname = NULL;
1904
1905 cleanup:
1906 CTRACE("query_addadditional2: cleanup");
1907
1908 if (rdataset != NULL)
1909 query_putrdataset(client, &rdataset);
1910 if (sigrdataset != NULL)
1911 query_putrdataset(client, &sigrdataset);
1912 while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
1913 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1914 query_putrdataset(client, &crdataset);
1915 }
1916 if (fname != NULL)
1917 query_releasename(client, &fname);
1918 if (node != NULL)
1919 dns_db_detachnode(db, &node);
1920 if (db != NULL)
1921 dns_db_detach(&db);
1922 if (zone != NULL)
1923 dns_zone_detach(&zone);
1924
1925 CTRACE("query_addadditional2: done");
1926 return (eresult);
1927 }
1928
1929 static inline void
1930 query_addrdataset(ns_client_t *client, dns_name_t *fname,
1931 dns_rdataset_t *rdataset)
1932 {
1933 client_additionalctx_t additionalctx;
1934
1935 /*
1936 * Add 'rdataset' and any pertinent additional data to
1937 * 'fname', a name in the response message for 'client'.
1938 */
1939
1940 CTRACE("query_addrdataset");
1941
1942 ISC_LIST_APPEND(fname->list, rdataset, link);
1943
1944 if (client->view->order != NULL)
1945 rdataset->attributes |= dns_order_find(client->view->order,
1946 fname, rdataset->type,
1947 rdataset->rdclass);
1948 rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
1949
1950 if (NOADDITIONAL(client))
1951 return;
1952
1953 /*
1954 * Add additional data.
1955 *
1956 * We don't care if dns_rdataset_additionaldata() fails.
1957 */
1958 additionalctx.client = client;
1959 additionalctx.rdataset = rdataset;
1960 (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
1961 &additionalctx);
1962 CTRACE("query_addrdataset: done");
1963 }
1964
1965 static void
1966 query_addrrset(ns_client_t *client, dns_name_t **namep,
1967 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
1968 isc_buffer_t *dbuf, dns_section_t section)
1969 {
1970 dns_name_t *name, *mname;
1971 dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
1972 isc_result_t result;
1973
1974 /*%
1975 * To the current response for 'client', add the answer RRset
1976 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
1977 * owner name '*namep', to section 'section', unless they are
1978 * already there. Also add any pertinent additional data.
1979 *
1980 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
1981 * stored in 'dbuf'. In this case, query_addrrset() guarantees that
1982 * when it returns the name will either have been kept or released.
1983 */
1984 CTRACE("query_addrrset");
1985 name = *namep;
1986 rdataset = *rdatasetp;
1987 if (sigrdatasetp != NULL)
1988 sigrdataset = *sigrdatasetp;
1989 else
1990 sigrdataset = NULL;
1991 mname = NULL;
1992 mrdataset = NULL;
1993 result = dns_message_findname(client->message, section,
1994 name, rdataset->type, rdataset->covers,
1995 &mname, &mrdataset);
1996 if (result == ISC_R_SUCCESS) {
1997 /*
1998 * We've already got an RRset of the given name and type.
1999 * There's nothing else to do;
2000 */
2001 CTRACE("query_addrrset: dns_message_findname succeeded: done");
2002 if (dbuf != NULL)
2003 query_releasename(client, namep);
2004 return;
2005 } else if (result == DNS_R_NXDOMAIN) {
2006 /*
2007 * The name doesn't exist.
2008 */
2009 if (dbuf != NULL)
2010 query_keepname(client, name, dbuf);
2011 dns_message_addname(client->message, name, section);
2012 *namep = NULL;
2013 mname = name;
2014 } else {
2015 RUNTIME_CHECK(result == DNS_R_NXRRSET);
2016 if (dbuf != NULL)
2017 query_releasename(client, namep);
2018 }
2019
2020 if (rdataset->trust != dns_trust_secure &&
2021 (section == DNS_SECTION_ANSWER ||
2022 section == DNS_SECTION_AUTHORITY))
2023 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2024 /*
2025 * Note: we only add SIGs if we've added the type they cover, so
2026 * we do not need to check if the SIG rdataset is already in the
2027 * response.
2028 */
2029 query_addrdataset(client, mname, rdataset);
2030 *rdatasetp = NULL;
2031 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
2032 /*
2033 * We have a signature. Add it to the response.
2034 */
2035 ISC_LIST_APPEND(mname->list, sigrdataset, link);
2036 *sigrdatasetp = NULL;
2037 }
2038 CTRACE("query_addrrset: done");
2039 }
2040
2041 static inline isc_result_t
2042 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
2043 isc_boolean_t zero_ttl)
2044 {
2045 dns_name_t *name;
2046 dns_dbnode_t *node;
2047 isc_result_t result, eresult;
2048 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2049 dns_rdataset_t **sigrdatasetp = NULL;
2050
2051 CTRACE("query_addsoa");
2052 /*
2053 * Initialization.
2054 */
2055 eresult = ISC_R_SUCCESS;
2056 name = NULL;
2057 rdataset = NULL;
2058 node = NULL;
2059
2060 /*
2061 * Get resources and make 'name' be the database origin.
2062 */
2063 result = dns_message_gettempname(client->message, &name);
2064 if (result != ISC_R_SUCCESS)
2065 return (result);
2066 dns_name_init(name, NULL);
2067 dns_name_clone(dns_db_origin(db), name);
2068 rdataset = query_newrdataset(client);
2069 if (rdataset == NULL) {
2070 eresult = DNS_R_SERVFAIL;
2071 goto cleanup;
2072 }
2073 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2074 sigrdataset = query_newrdataset(client);
2075 if (sigrdataset == NULL) {
2076 eresult = DNS_R_SERVFAIL;
2077 goto cleanup;
2078 }
2079 }
2080
2081 /*
2082 * Find the SOA.
2083 */
2084 result = dns_db_getoriginnode(db, &node);
2085 if (result == ISC_R_SUCCESS) {
2086 result = dns_db_findrdataset(db, node, version,
2087 dns_rdatatype_soa,
2088 0, client->now, rdataset,
2089 sigrdataset);
2090 } else {
2091 dns_fixedname_t foundname;
2092 dns_name_t *fname;
2093
2094 dns_fixedname_init(&foundname);
2095 fname = dns_fixedname_name(&foundname);
2096
2097 result = dns_db_find(db, name, version, dns_rdatatype_soa,
2098 client->query.dboptions, 0, &node,
2099 fname, rdataset, sigrdataset);
2100 }
2101 if (result != ISC_R_SUCCESS) {
2102 /*
2103 * This is bad. We tried to get the SOA RR at the zone top
2104 * and it didn't work!
2105 */
2106 eresult = DNS_R_SERVFAIL;
2107 } else {
2108 /*
2109 * Extract the SOA MINIMUM.
2110 */
2111 dns_rdata_soa_t soa;
2112 dns_rdata_t rdata = DNS_RDATA_INIT;
2113 result = dns_rdataset_first(rdataset);
2114 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2115 dns_rdataset_current(rdataset, &rdata);
2116 result = dns_rdata_tostruct(&rdata, &soa, NULL);
2117 if (result != ISC_R_SUCCESS)
2118 goto cleanup;
2119
2120 if (zero_ttl) {
2121 rdataset->ttl = 0;
2122 if (sigrdataset != NULL)
2123 sigrdataset->ttl = 0;
2124 }
2125
2126 /*
2127 * Add the SOA and its SIG to the response, with the
2128 * TTLs adjusted per RFC2308 section 3.
2129 */
2130 if (rdataset->ttl > soa.minimum)
2131 rdataset->ttl = soa.minimum;
2132 if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
2133 sigrdataset->ttl = soa.minimum;
2134
2135 if (sigrdataset != NULL)
2136 sigrdatasetp = &sigrdataset;
2137 else
2138 sigrdatasetp = NULL;
2139 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2140 DNS_SECTION_AUTHORITY);
2141 }
2142
2143 cleanup:
2144 query_putrdataset(client, &rdataset);
2145 if (sigrdataset != NULL)
2146 query_putrdataset(client, &sigrdataset);
2147 if (name != NULL)
2148 query_releasename(client, &name);
2149 if (node != NULL)
2150 dns_db_detachnode(db, &node);
2151
2152 return (eresult);
2153 }
2154
2155 static inline isc_result_t
2156 query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
2157 dns_name_t *name, *fname;
2158 dns_dbnode_t *node;
2159 isc_result_t result, eresult;
2160 dns_fixedname_t foundname;
2161 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2162 dns_rdataset_t **sigrdatasetp = NULL;
2163
2164 CTRACE("query_addns");
2165 /*
2166 * Initialization.
2167 */
2168 eresult = ISC_R_SUCCESS;
2169 name = NULL;
2170 rdataset = NULL;
2171 node = NULL;
2172 dns_fixedname_init(&foundname);
2173 fname = dns_fixedname_name(&foundname);
2174
2175 /*
2176 * Get resources and make 'name' be the database origin.
2177 */
2178 result = dns_message_gettempname(client->message, &name);
2179 if (result != ISC_R_SUCCESS) {
2180 CTRACE("query_addns: dns_message_gettempname failed: done");
2181 return (result);
2182 }
2183 dns_name_init(name, NULL);
2184 dns_name_clone(dns_db_origin(db), name);
2185 rdataset = query_newrdataset(client);
2186 if (rdataset == NULL) {
2187 CTRACE("query_addns: query_newrdataset failed");
2188 eresult = DNS_R_SERVFAIL;
2189 goto cleanup;
2190 }
2191 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2192 sigrdataset = query_newrdataset(client);
2193 if (sigrdataset == NULL) {
2194 CTRACE("query_addns: query_newrdataset failed");
2195 eresult = DNS_R_SERVFAIL;
2196 goto cleanup;
2197 }
2198 }
2199
2200 /*
2201 * Find the NS rdataset.
2202 */
2203 result = dns_db_getoriginnode(db, &node);
2204 if (result == ISC_R_SUCCESS) {
2205 result = dns_db_findrdataset(db, node, version,
2206 dns_rdatatype_ns,
2207 0, client->now, rdataset,
2208 sigrdataset);
2209 } else {
2210 CTRACE("query_addns: calling dns_db_find");
2211 result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
2212 client->query.dboptions, 0, &node,
2213 fname, rdataset, sigrdataset);
2214 CTRACE("query_addns: dns_db_find complete");
2215 }
2216 if (result != ISC_R_SUCCESS) {
2217 CTRACE("query_addns: "
2218 "dns_db_findrdataset or dns_db_find failed");
2219 /*
2220 * This is bad. We tried to get the NS rdataset at the zone
2221 * top and it didn't work!
2222 */
2223 eresult = DNS_R_SERVFAIL;
2224 } else {
2225 if (sigrdataset != NULL)
2226 sigrdatasetp = &sigrdataset;
2227 else
2228 sigrdatasetp = NULL;
2229 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2230 DNS_SECTION_AUTHORITY);
2231 }
2232
2233 cleanup:
2234 CTRACE("query_addns: cleanup");
2235 query_putrdataset(client, &rdataset);
2236 if (sigrdataset != NULL)
2237 query_putrdataset(client, &sigrdataset);
2238 if (name != NULL)
2239 query_releasename(client, &name);
2240 if (node != NULL)
2241 dns_db_detachnode(db, &node);
2242
2243 CTRACE("query_addns: done");
2244 return (eresult);
2245 }
2246
2247 static inline isc_result_t
2248 query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
2249 dns_rdataset_t *dname, dns_name_t **anamep,
2250 dns_rdatatype_t type)
2251 {
2252 dns_rdataset_t *rdataset;
2253 dns_rdatalist_t *rdatalist;
2254 dns_rdata_t *rdata;
2255 isc_result_t result;
2256 isc_region_t r;
2257
2258 /*
2259 * We assume the name data referred to by tname won't go away.
2260 */
2261
2262 REQUIRE(anamep != NULL);
2263
2264 rdatalist = NULL;
2265 result = dns_message_gettemprdatalist(client->message, &rdatalist);
2266 if (result != ISC_R_SUCCESS)
2267 return (result);
2268 rdata = NULL;
2269 result = dns_message_gettemprdata(client->message, &rdata);
2270 if (result != ISC_R_SUCCESS)
2271 return (result);
2272 rdataset = NULL;
2273 result = dns_message_gettemprdataset(client->message, &rdataset);
2274 if (result != ISC_R_SUCCESS)
2275 return (result);
2276 dns_rdataset_init(rdataset);
2277 result = dns_name_dup(qname, client->mctx, *anamep);
2278 if (result != ISC_R_SUCCESS) {
2279 dns_message_puttemprdataset(client->message, &rdataset);
2280 return (result);
2281 }
2282
2283 rdatalist->type = type;
2284 rdatalist->covers = 0;
2285 rdatalist->rdclass = client->message->rdclass;
2286 rdatalist->ttl = dname->ttl;
2287
2288 dns_name_toregion(tname, &r);
2289 rdata->data = r.base;
2290 rdata->length = r.length;
2291 rdata->rdclass = client->message->rdclass;
2292 rdata->type = type;
2293
2294 ISC_LIST_INIT(rdatalist->rdata);
2295 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
2296 RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
2297 == ISC_R_SUCCESS);
2298 rdataset->trust = dname->trust;
2299
2300 query_addrrset(client, anamep, &rdataset, NULL, NULL,
2301 DNS_SECTION_ANSWER);
2302
2303 if (rdataset != NULL) {
2304 if (dns_rdataset_isassociated(rdataset))
2305 dns_rdataset_disassociate(rdataset);
2306 dns_message_puttemprdataset(client->message, &rdataset);
2307 }
2308
2309 return (ISC_R_SUCCESS);
2310 }
2311
2312 /*
2313 * Mark the RRsets as secure. Update the cache (db) to reflect the
2314 * change in trust level.
2315 */
2316 static void
2317 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2318 isc_uint32_t ttl, dns_rdataset_t *rdataset,
2319 dns_rdataset_t *sigrdataset)
2320 {
2321 isc_result_t result;
2322 dns_dbnode_t *node = NULL;
2323
2324 rdataset->trust = dns_trust_secure;
2325 sigrdataset->trust = dns_trust_secure;
2326
2327 /*
2328 * Save the updated secure state. Ignore failures.
2329 */
2330 result = dns_db_findnode(db, name, ISC_TRUE, &node);
2331 if (result != ISC_R_SUCCESS)
2332 return;
2333 /*
2334 * Bound the validated ttls then minimise.
2335 */
2336 if (sigrdataset->ttl > ttl)
2337 sigrdataset->ttl = ttl;
2338 if (rdataset->ttl > ttl)
2339 rdataset->ttl = ttl;
2340 if (rdataset->ttl > sigrdataset->ttl)
2341 rdataset->ttl = sigrdataset->ttl;
2342 else
2343 sigrdataset->ttl = rdataset->ttl;
2344
2345 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
2346 0, NULL);
2347 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
2348 0, NULL);
2349 dns_db_detachnode(db, &node);
2350 }
2351
2352 /*
2353 * Find the secure key that corresponds to rrsig.
2354 * Note: 'keyrdataset' maintains state between successive calls,
2355 * there may be multiple keys with the same keyid.
2356 * Return ISC_FALSE if we have exhausted all the possible keys.
2357 */
2358 static isc_boolean_t
2359 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
2360 dns_rdataset_t *keyrdataset, dst_key_t **keyp)
2361 {
2362 isc_result_t result;
2363 dns_dbnode_t *node = NULL;
2364 isc_boolean_t secure = ISC_FALSE;
2365
2366 if (!dns_rdataset_isassociated(keyrdataset)) {
2367 result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node);
2368 if (result != ISC_R_SUCCESS)
2369 return (ISC_FALSE);
2370
2371 result = dns_db_findrdataset(db, node, NULL,
2372 dns_rdatatype_dnskey, 0,
2373 client->now, keyrdataset, NULL);
2374 dns_db_detachnode(db, &node);
2375 if (result != ISC_R_SUCCESS)
2376 return (ISC_FALSE);
2377
2378 if (keyrdataset->trust != dns_trust_secure)
2379 return (ISC_FALSE);
2380
2381 result = dns_rdataset_first(keyrdataset);
2382 } else
2383 result = dns_rdataset_next(keyrdataset);
2384
2385 for ( ; result == ISC_R_SUCCESS;
2386 result = dns_rdataset_next(keyrdataset)) {
2387 dns_rdata_t rdata = DNS_RDATA_INIT;
2388 isc_buffer_t b;
2389
2390 dns_rdataset_current(keyrdataset, &rdata);
2391 isc_buffer_init(&b, rdata.data, rdata.length);
2392 isc_buffer_add(&b, rdata.length);
2393 result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
2394 client->mctx, keyp);
2395 if (result != ISC_R_SUCCESS)
2396 continue;
2397 if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
2398 rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
2399 dst_key_iszonekey(*keyp)) {
2400 secure = ISC_TRUE;
2401 break;
2402 }
2403 dst_key_free(keyp);
2404 }
2405 return (secure);
2406 }
2407
2408 static isc_boolean_t
2409 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
2410 dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
2411 {
2412 isc_result_t result;
2413 dns_fixedname_t fixed;
2414 isc_boolean_t ignore = ISC_FALSE;
2415
2416 dns_fixedname_init(&fixed);
2417
2418 again:
2419 result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
2420 rdata, NULL);
2421 if (result == DNS_R_SIGEXPIRED && acceptexpired) {
2422 ignore = ISC_TRUE;
2423 goto again;
2424 }
2425 if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
2426 return (ISC_TRUE);
2427 return (ISC_FALSE);
2428 }
2429
2430 /*
2431 * Validate the rdataset if possible with available records.
2432 */
2433 static isc_boolean_t
2434 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2435 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
2436 {
2437 isc_result_t result;
2438 dns_rdata_t rdata = DNS_RDATA_INIT;
2439 dns_rdata_rrsig_t rrsig;
2440 dst_key_t *key = NULL;
2441 dns_rdataset_t keyrdataset;
2442
2443 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
2444 return (ISC_FALSE);
2445
2446 for (result = dns_rdataset_first(sigrdataset);
2447 result == ISC_R_SUCCESS;
2448 result = dns_rdataset_next(sigrdataset)) {
2449
2450 dns_rdata_reset(&rdata);
2451 dns_rdataset_current(sigrdataset, &rdata);
2452 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
2453 if (result != ISC_R_SUCCESS)
2454 return (ISC_FALSE);
2455 if (!dns_resolver_algorithm_supported(client->view->resolver,
2456 name, rrsig.algorithm))
2457 continue;
2458 if (!dns_name_issubdomain(name, &rrsig.signer))
2459 continue;
2460 dns_rdataset_init(&keyrdataset);
2461 do {
2462 if (!get_key(client, db, &rrsig, &keyrdataset, &key))
2463 break;
2464 if (verify(key, name, rdataset, &rdata, client->mctx,
2465 client->view->acceptexpired)) {
2466 dst_key_free(&key);
2467 dns_rdataset_disassociate(&keyrdataset);
2468 mark_secure(client, db, name,
2469 rrsig.originalttl,
2470 rdataset, sigrdataset);
2471 return (ISC_TRUE);
2472 }
2473 dst_key_free(&key);
2474 } while (1);
2475 if (dns_rdataset_isassociated(&keyrdataset))
2476 dns_rdataset_disassociate(&keyrdataset);
2477 }
2478 return (ISC_FALSE);
2479 }
2480
2481 static void
2482 query_addbestns(ns_client_t *client) {
2483 dns_db_t *db, *zdb;
2484 dns_dbnode_t *node;
2485 dns_name_t *fname, *zfname;
2486 dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
2487 isc_boolean_t is_zone, use_zone;
2488 isc_buffer_t *dbuf;
2489 isc_result_t result;
2490 dns_dbversion_t *version;
2491 dns_zone_t *zone;
2492 isc_buffer_t b;
2493
2494 CTRACE("query_addbestns");
2495 fname = NULL;
2496 zfname = NULL;
2497 rdataset = NULL;
2498 zrdataset = NULL;
2499 sigrdataset = NULL;
2500 zsigrdataset = NULL;
2501 node = NULL;
2502 db = NULL;
2503 zdb = NULL;
2504 version = NULL;
2505 zone = NULL;
2506 is_zone = ISC_FALSE;
2507 use_zone = ISC_FALSE;
2508
2509 /*
2510 * Find the right database.
2511 */
2512 result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
2513 &zone, &db, &version, &is_zone);
2514 if (result != ISC_R_SUCCESS)
2515 goto cleanup;
2516
2517 db_find:
2518 /*
2519 * We'll need some resources...
2520 */
2521 dbuf = query_getnamebuf(client);
2522 if (dbuf == NULL)
2523 goto cleanup;
2524 fname = query_newname(client, dbuf, &b);
2525 rdataset = query_newrdataset(client);
2526 if (fname == NULL || rdataset == NULL)
2527 goto cleanup;
2528 /*
2529 * Get the RRSIGs if the client requested them or if we may
2530 * need to validate answers from the cache.
2531 */
2532 if (WANTDNSSEC(client) || !is_zone) {
2533 sigrdataset = query_newrdataset(client);
2534 if (sigrdataset == NULL)
2535 goto cleanup;
2536 }
2537
2538 /*
2539 * Now look for the zonecut.
2540 */
2541 if (is_zone) {
2542 result = dns_db_find(db, client->query.qname, version,
2543 dns_rdatatype_ns, client->query.dboptions,
2544 client->now, &node, fname,
2545 rdataset, sigrdataset);
2546 if (result != DNS_R_DELEGATION)
2547 goto cleanup;
2548 if (USECACHE(client)) {
2549 query_keepname(client, fname, dbuf);
2550 zdb = db;
2551 zfname = fname;
2552 fname = NULL;
2553 zrdataset = rdataset;
2554 rdataset = NULL;
2555 zsigrdataset = sigrdataset;
2556 sigrdataset = NULL;
2557 dns_db_detachnode(db, &node);
2558 version = NULL;
2559 db = NULL;
2560 dns_db_attach(client->view->cachedb, &db);
2561 is_zone = ISC_FALSE;
2562 goto db_find;
2563 }
2564 } else {
2565 result = dns_db_findzonecut(db, client->query.qname,
2566 client->query.dboptions,
2567 client->now, &node, fname,
2568 rdataset, sigrdataset);
2569 if (result == ISC_R_SUCCESS) {
2570 if (zfname != NULL &&
2571 !dns_name_issubdomain(fname, zfname)) {
2572 /*
2573 * We found a zonecut in the cache, but our
2574 * zone delegation is better.
2575 */
2576 use_zone = ISC_TRUE;
2577 }
2578 } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
2579 /*
2580 * We didn't find anything in the cache, but we
2581 * have a zone delegation, so use it.
2582 */
2583 use_zone = ISC_TRUE;
2584 } else
2585 goto cleanup;
2586 }
2587
2588 if (use_zone) {
2589 query_releasename(client, &fname);
2590 fname = zfname;
2591 zfname = NULL;
2592 /*
2593 * We've already done query_keepname() on
2594 * zfname, so we must set dbuf to NULL to
2595 * prevent query_addrrset() from trying to
2596 * call query_keepname() again.
2597 */
2598 dbuf = NULL;
2599 query_putrdataset(client, &rdataset);
2600 if (sigrdataset != NULL)
2601 query_putrdataset(client, &sigrdataset);
2602 rdataset = zrdataset;
2603 zrdataset = NULL;
2604 sigrdataset = zsigrdataset;
2605 zsigrdataset = NULL;
2606 }
2607
2608 /*
2609 * Attempt to validate RRsets that are pending or that are glue.
2610 */
2611 if ((DNS_TRUST_PENDING(rdataset->trust) ||
2612 (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
2613 && !validate(client, db, fname, rdataset, sigrdataset) &&
2614 !PENDINGOK(client->query.dboptions))
2615 goto cleanup;
2616
2617 if ((DNS_TRUST_GLUE(rdataset->trust) ||
2618 (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
2619 !validate(client, db, fname, rdataset, sigrdataset) &&
2620 SECURE(client) && WANTDNSSEC(client))
2621 goto cleanup;
2622
2623 /*
2624 * If the client doesn't want DNSSEC we can discard the sigrdataset
2625 * now.
2626 */
2627 if (!WANTDNSSEC(client))
2628 query_putrdataset(client, &sigrdataset);
2629 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
2630 DNS_SECTION_AUTHORITY);
2631
2632 cleanup:
2633 if (rdataset != NULL)
2634 query_putrdataset(client, &rdataset);
2635 if (sigrdataset != NULL)
2636 query_putrdataset(client, &sigrdataset);
2637 if (fname != NULL)
2638 query_releasename(client, &fname);
2639 if (node != NULL)
2640 dns_db_detachnode(db, &node);
2641 if (db != NULL)
2642 dns_db_detach(&db);
2643 if (zone != NULL)
2644 dns_zone_detach(&zone);
2645 if (zdb != NULL) {
2646 query_putrdataset(client, &zrdataset);
2647 if (zsigrdataset != NULL)
2648 query_putrdataset(client, &zsigrdataset);
2649 if (zfname != NULL)
2650 query_releasename(client, &zfname);
2651 dns_db_detach(&zdb);
2652 }
2653 }
2654
2655 static void
2656 fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
2657 if (*rdataset == NULL)
2658 *rdataset = query_newrdataset(client);
2659 else if (dns_rdataset_isassociated(*rdataset))
2660 dns_rdataset_disassociate(*rdataset);
2661 }
2662
2663 static void
2664 fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
2665 isc_buffer_t *nbuf)
2666 {
2667 if (*fname == NULL) {
2668 *dbuf = query_getnamebuf(client);
2669 if (*dbuf == NULL)
2670 return;
2671 *fname = query_newname(client, *dbuf, nbuf);
2672 }
2673 }
2674
2675 static void
2676 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
2677 dns_dbversion_t *version, dns_name_t *name)
2678 {
2679 dns_fixedname_t fixed;
2680 dns_name_t *fname = NULL;
2681 dns_name_t *rname;
2682 dns_rdataset_t *rdataset, *sigrdataset;
2683 isc_buffer_t *dbuf, b;
2684 isc_result_t result;
2685 unsigned int count;
2686
2687 CTRACE("query_addds");
2688 rname = NULL;
2689 rdataset = NULL;
2690 sigrdataset = NULL;
2691
2692 /*
2693 * We'll need some resources...
2694 */
2695 rdataset = query_newrdataset(client);
2696 sigrdataset = query_newrdataset(client);
2697 if (rdataset == NULL || sigrdataset == NULL)
2698 goto cleanup;
2699
2700 /*
2701 * Look for the DS record, which may or may not be present.
2702 */
2703 result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
2704 client->now, rdataset, sigrdataset);
2705 /*
2706 * If we didn't find it, look for an NSEC.
2707 */
2708 if (result == ISC_R_NOTFOUND)
2709 result = dns_db_findrdataset(db, node, version,
2710 dns_rdatatype_nsec, 0, client->now,
2711 rdataset, sigrdataset);
2712 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
2713 goto addnsec3;
2714 if (!dns_rdataset_isassociated(rdataset) ||
2715 !dns_rdataset_isassociated(sigrdataset))
2716 goto addnsec3;
2717
2718 /*
2719 * We've already added the NS record, so if the name's not there,
2720 * we have other problems. Use this name rather than calling
2721 * query_addrrset().
2722 */
2723 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
2724 if (result != ISC_R_SUCCESS)
2725 goto cleanup;
2726
2727 rname = NULL;
2728 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
2729 &rname);
2730 result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
2731 if (result != ISC_R_SUCCESS)
2732 goto cleanup;
2733
2734 ISC_LIST_APPEND(rname->list, rdataset, link);
2735 ISC_LIST_APPEND(rname->list, sigrdataset, link);
2736 rdataset = NULL;
2737 sigrdataset = NULL;
2738 return;
2739
2740 addnsec3:
2741 if (!dns_db_iszone(db))
2742 goto cleanup;
2743 /*
2744 * Add the NSEC3 which proves the DS does not exist.
2745 */
2746 dbuf = query_getnamebuf(client);
2747 if (dbuf == NULL)
2748 goto cleanup;
2749 fname = query_newname(client, dbuf, &b);
2750 dns_fixedname_init(&fixed);
2751 if (dns_rdataset_isassociated(rdataset))
2752 dns_rdataset_disassociate(rdataset);
2753 if (dns_rdataset_isassociated(sigrdataset))
2754 dns_rdataset_disassociate(sigrdataset);
2755 query_findclosestnsec3(name, db, version, client, rdataset,
2756 sigrdataset, fname, ISC_TRUE,
2757 dns_fixedname_name(&fixed));
2758 if (!dns_rdataset_isassociated(rdataset))
2759 goto cleanup;
2760 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
2761 DNS_SECTION_AUTHORITY);
2762 /*
2763 * Did we find the closest provable encloser instead?
2764 * If so add the nearest to the closest provable encloser.
2765 */
2766 if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
2767 count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
2768 dns_name_getlabelsequence(name,
2769 dns_name_countlabels(name) - count,
2770 count, dns_fixedname_name(&fixed));
2771 fixfname(client, &fname, &dbuf, &b);
2772 fixrdataset(client, &rdataset);
2773 fixrdataset(client, &sigrdataset);
2774 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
2775 goto cleanup;
2776 query_findclosestnsec3(dns_fixedname_name(&fixed), db, version,
2777 client, rdataset, sigrdataset, fname,
2778 ISC_FALSE, NULL);
2779 if (!dns_rdataset_isassociated(rdataset))
2780 goto cleanup;
2781 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
2782 DNS_SECTION_AUTHORITY);
2783 }
2784
2785 cleanup:
2786 if (rdataset != NULL)
2787 query_putrdataset(client, &rdataset);
2788 if (sigrdataset != NULL)
2789 query_putrdataset(client, &sigrdataset);
2790 if (fname != NULL)
2791 query_releasename(client, &fname);
2792 }
2793
2794 static void
2795 query_addwildcardproof(ns_client_t *client, dns_db_t *db,
2796 dns_dbversion_t *version, dns_name_t *name,
2797 isc_boolean_t ispositive)
2798 {
2799 isc_buffer_t *dbuf, b;
2800 dns_name_t *fname;
2801 dns_rdataset_t *rdataset, *sigrdataset;
2802 dns_fixedname_t wfixed;
2803 dns_name_t *wname;
2804 dns_dbnode_t *node;
2805 unsigned int options;
2806 unsigned int olabels, nlabels, labels;
2807 isc_result_t result;
2808 dns_rdata_t rdata = DNS_RDATA_INIT;
2809 dns_rdata_nsec_t nsec;
2810 isc_boolean_t have_wname;
2811 int order;
2812 dns_fixedname_t cfixed;
2813 dns_name_t *cname;
2814
2815 CTRACE("query_addwildcardproof");
2816 fname = NULL;
2817 rdataset = NULL;
2818 sigrdataset = NULL;
2819 node = NULL;
2820
2821 /*
2822 * Get the NOQNAME proof then if !ispositive
2823 * get the NOWILDCARD proof.
2824 *
2825 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
2826 * name ignoring any wildcard. From the owner and next names
2827 * of this record you can compute which wildcard (if it exists)
2828 * will match by finding the longest common suffix of the
2829 * owner name and next names with the qname and prefixing that
2830 * with the wildcard label.
2831 *
2832 * e.g.
2833 * Given:
2834 * example SOA
2835 * example NSEC b.example
2836 * b.example A
2837 * b.example NSEC a.d.example
2838 * a.d.example A
2839 * a.d.example NSEC g.f.example
2840 * g.f.example A
2841 * g.f.example NSEC z.i.example
2842 * z.i.example A
2843 * z.i.example NSEC example
2844 *
2845 * QNAME:
2846 * a.example -> example NSEC b.example
2847 * owner common example
2848 * next common example
2849 * wild *.example
2850 * d.b.example -> b.example NSEC a.d.example
2851 * owner common b.example
2852 * next common example
2853 * wild *.b.example
2854 * a.f.example -> a.d.example NSEC g.f.example
2855 * owner common example
2856 * next common f.example
2857 * wild *.f.example
2858 * j.example -> z.i.example NSEC example
2859 * owner common example
2860 * next common example
2861 * wild *.example
2862 */
2863 options = client->query.dboptions | DNS_DBFIND_NOWILD;
2864 dns_fixedname_init(&wfixed);
2865 wname = dns_fixedname_name(&wfixed);
2866 again:
2867 have_wname = ISC_FALSE;
2868 /*
2869 * We'll need some resources...
2870 */
2871 dbuf = query_getnamebuf(client);
2872 if (dbuf == NULL)
2873 goto cleanup;
2874 fname = query_newname(client, dbuf, &b);
2875 rdataset = query_newrdataset(client);
2876 sigrdataset = query_newrdataset(client);
2877 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
2878 goto cleanup;
2879
2880 result = dns_db_find(db, name, version, dns_rdatatype_nsec, options,
2881 0, &node, fname, rdataset, sigrdataset);
2882 if (node != NULL)
2883 dns_db_detachnode(db, &node);
2884
2885 if (!dns_rdataset_isassociated(rdataset)) {
2886 /*
2887 * No NSEC proof available, return NSEC3 proofs instead.
2888 */
2889 dns_fixedname_init(&cfixed);
2890 cname = dns_fixedname_name(&cfixed);
2891 /*
2892 * Find the closest encloser.
2893 */
2894 dns_name_copy(name, cname, NULL);
2895 while (result == DNS_R_NXDOMAIN) {
2896 labels = dns_name_countlabels(cname) - 1;
2897 dns_name_split(cname, labels, NULL, cname);
2898 result = dns_db_find(db, cname, version,
2899 dns_rdatatype_nsec,
2900 options, 0, NULL, fname,
2901 NULL, NULL);
2902 }
2903 /*
2904 * Add closest (provable) encloser NSEC3.
2905 */
2906 query_findclosestnsec3(cname, db, NULL, client, rdataset,
2907 sigrdataset, fname, ISC_TRUE, cname);
2908 if (!dns_rdataset_isassociated(rdataset))
2909 goto cleanup;
2910 query_addrrset(client, &fname, &rdataset, &sigrdataset,
2911 dbuf, DNS_SECTION_AUTHORITY);
2912
2913 /*
2914 * Replace resources which were consumed by query_addrrset.
2915 */
2916 if (fname == NULL) {
2917 dbuf = query_getnamebuf(client);
2918 if (dbuf == NULL)
2919 goto cleanup;
2920 fname = query_newname(client, dbuf, &b);
2921 }
2922
2923 if (rdataset == NULL)
2924 rdataset = query_newrdataset(client);
2925 else if (dns_rdataset_isassociated(rdataset))
2926 dns_rdataset_disassociate(rdataset);
2927
2928 if (sigrdataset == NULL)
2929 sigrdataset = query_newrdataset(client);
2930 else if (dns_rdataset_isassociated(sigrdataset))
2931 dns_rdataset_disassociate(sigrdataset);
2932
2933 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
2934 goto cleanup;
2935 /*
2936 * Add no qname proof.
2937 */
2938 labels = dns_name_countlabels(cname) + 1;
2939 if (dns_name_countlabels(name) == labels)
2940 dns_name_copy(name, wname, NULL);
2941 else
2942 dns_name_split(name, labels, NULL, wname);
2943
2944 query_findclosestnsec3(wname, db, NULL, client, rdataset,
2945 sigrdataset, fname, ISC_FALSE, NULL);
2946 if (!dns_rdataset_isassociated(rdataset))
2947 goto cleanup;
2948 query_addrrset(client, &fname, &rdataset, &sigrdataset,
2949 dbuf, DNS_SECTION_AUTHORITY);
2950
2951 if (ispositive)
2952 goto cleanup;
2953
2954 /*
2955 * Replace resources which were consumed by query_addrrset.
2956 */
2957 if (fname == NULL) {
2958 dbuf = query_getnamebuf(client);
2959 if (dbuf == NULL)
2960 goto cleanup;
2961 fname = query_newname(client, dbuf, &b);
2962 }
2963
2964 if (rdataset == NULL)
2965 rdataset = query_newrdataset(client);
2966 else if (dns_rdataset_isassociated(rdataset))
2967 dns_rdataset_disassociate(rdataset);
2968
2969 if (sigrdataset == NULL)
2970 sigrdataset = query_newrdataset(client);
2971 else if (dns_rdataset_isassociated(sigrdataset))
2972 dns_rdataset_disassociate(sigrdataset);
2973
2974 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
2975 goto cleanup;
2976 /*
2977 * Add the no wildcard proof.
2978 */
2979 result = dns_name_concatenate(dns_wildcardname,
2980 cname, wname, NULL);
2981 if (result != ISC_R_SUCCESS)
2982 goto cleanup;
2983
2984 query_findclosestnsec3(wname, db, NULL, client, rdataset,
2985 sigrdataset, fname, ISC_FALSE, NULL);
2986 if (!dns_rdataset_isassociated(rdataset))
2987 goto cleanup;
2988 query_addrrset(client, &fname, &rdataset, &sigrdataset,
2989 dbuf, DNS_SECTION_AUTHORITY);
2990
2991 goto cleanup;
2992 } else if (result == DNS_R_NXDOMAIN) {
2993 if (!ispositive)
2994 result = dns_rdataset_first(rdataset);
2995 if (result == ISC_R_SUCCESS) {
2996 dns_rdataset_current(rdataset, &rdata);
2997 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
2998 }
2999 if (result == ISC_R_SUCCESS) {
3000 (void)dns_name_fullcompare(name, fname, &order,
3001 &olabels);
3002 (void)dns_name_fullcompare(name, &nsec.next, &order,
3003 &nlabels);
3004 /*
3005 * Check for a pathological condition created when
3006 * serving some malformed signed zones and bail out.
3007 */
3008 if (dns_name_countlabels(name) == nlabels)
3009 goto cleanup;
3010
3011 if (olabels > nlabels)
3012 dns_name_split(name, olabels, NULL, wname);
3013 else
3014 dns_name_split(name, nlabels, NULL, wname);
3015 result = dns_name_concatenate(dns_wildcardname,
3016 wname, wname, NULL);
3017 if (result == ISC_R_SUCCESS)
3018 have_wname = ISC_TRUE;
3019 dns_rdata_freestruct(&nsec);
3020 }
3021 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3022 dbuf, DNS_SECTION_AUTHORITY);
3023 }
3024 if (rdataset != NULL)
3025 query_putrdataset(client, &rdataset);
3026 if (sigrdataset != NULL)
3027 query_putrdataset(client, &sigrdataset);
3028 if (fname != NULL)
3029 query_releasename(client, &fname);
3030 if (have_wname) {
3031 ispositive = ISC_TRUE; /* prevent loop */
3032 if (!dns_name_equal(name, wname)) {
3033 name = wname;
3034 goto again;
3035 }
3036 }
3037 cleanup:
3038 if (rdataset != NULL)
3039 query_putrdataset(client, &rdataset);
3040 if (sigrdataset != NULL)
3041 query_putrdataset(client, &sigrdataset);
3042 if (fname != NULL)
3043 query_releasename(client, &fname);
3044 }
3045
3046 static void
3047 query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
3048 dns_dbversion_t *version, dns_name_t **namep,
3049 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
3050 {
3051 dns_name_t *name;
3052 dns_rdataset_t *sigrdataset;
3053 dns_rdata_t sigrdata;
3054 dns_rdata_rrsig_t sig;
3055 unsigned int labels;
3056 isc_buffer_t *dbuf, b;
3057 dns_name_t *fname;
3058 isc_result_t result;
3059
3060 name = *namep;
3061 if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
3062 query_addrrset(client, namep, rdatasetp, sigrdatasetp,
3063 NULL, DNS_SECTION_AUTHORITY);
3064 return;
3065 }
3066
3067 if (sigrdatasetp == NULL)
3068 return;
3069
3070 sigrdataset = *sigrdatasetp;
3071 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
3072 return;
3073 result = dns_rdataset_first(sigrdataset);
3074 if (result != ISC_R_SUCCESS)
3075 return;
3076 dns_rdata_init(&sigrdata);
3077 dns_rdataset_current(sigrdataset, &sigrdata);
3078 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
3079 if (result != ISC_R_SUCCESS)
3080 return;
3081
3082 labels = dns_name_countlabels(name);
3083 if ((unsigned int)sig.labels + 1 >= labels)
3084 return;
3085
3086 /* XXX */
3087 query_addwildcardproof(client, db, version, client->query.qname,
3088 ISC_TRUE);
3089
3090 /*
3091 * We'll need some resources...
3092 */
3093 dbuf = query_getnamebuf(client);
3094 if (dbuf == NULL)
3095 return;
3096 fname = query_newname(client, dbuf, &b);
3097 if (fname == NULL)
3098 return;
3099 dns_name_split(name, sig.labels + 1, NULL, fname);
3100 /* This will succeed, since we've stripped labels. */
3101 RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
3102 NULL) == ISC_R_SUCCESS);
3103 query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
3104 dbuf, DNS_SECTION_AUTHORITY);
3105 }
3106
3107 static void
3108 query_resume(isc_task_t *task, isc_event_t *event) {
3109 dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
3110 dns_fetch_t *fetch;
3111 ns_client_t *client;
3112 isc_boolean_t fetch_canceled, client_shuttingdown;
3113 isc_result_t result;
3114 isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
3115 int errorloglevel;
3116
3117 /*
3118 * Resume a query after recursion.
3119 */
3120
3121 UNUSED(task);
3122
3123 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
3124 client = devent->ev_arg;
3125 REQUIRE(NS_CLIENT_VALID(client));
3126 REQUIRE(task == client->task);
3127 REQUIRE(RECURSING(client));
3128
3129 LOCK(&client->query.fetchlock);
3130 if (client->query.fetch != NULL) {
3131 /*
3132 * This is the fetch we've been waiting for.
3133 */
3134 INSIST(devent->fetch == client->query.fetch);
3135 client->query.fetch = NULL;
3136 fetch_canceled = ISC_FALSE;
3137 /*
3138 * Update client->now.
3139 */
3140 isc_stdtime_get(&client->now);
3141 } else {
3142 /*
3143 * This is a fetch completion event for a canceled fetch.
3144 * Clean up and don't resume the find.
3145 */
3146 fetch_canceled = ISC_TRUE;
3147 }
3148 UNLOCK(&client->query.fetchlock);
3149 INSIST(client->query.fetch == NULL);
3150
3151 client->query.attributes &= ~NS_QUERYATTR_RECURSING;
3152 fetch = devent->fetch;
3153 devent->fetch = NULL;
3154
3155 /*
3156 * If this client is shutting down, or this transaction
3157 * has timed out, do not resume the find.
3158 */
3159 client_shuttingdown = ns_client_shuttingdown(client);
3160 if (fetch_canceled || client_shuttingdown) {
3161 if (devent->node != NULL)
3162 dns_db_detachnode(devent->db, &devent->node);
3163 if (devent->db != NULL)
3164 dns_db_detach(&devent->db);
3165 query_putrdataset(client, &devent->rdataset);
3166 if (devent->sigrdataset != NULL)
3167 query_putrdataset(client, &devent->sigrdataset);
3168 isc_event_free(&event);
3169 if (fetch_canceled)
3170 query_error(client, DNS_R_SERVFAIL, __LINE__);
3171 else
3172 query_next(client, ISC_R_CANCELED);
3173 /*
3174 * This may destroy the client.
3175 */
3176 ns_client_detach(&client);
3177 } else {
3178 result = query_find(client, devent, 0);
3179 if (result != ISC_R_SUCCESS) {
3180 if (result == DNS_R_SERVFAIL)
3181 errorloglevel = ISC_LOG_DEBUG(2);
3182 else
3183 errorloglevel = ISC_LOG_DEBUG(4);
3184 if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
3185 dns_resolver_logfetch(fetch, ns_g_lctx,
3186 logcategory,
3187 NS_LOGMODULE_QUERY,
3188 errorloglevel, ISC_FALSE);
3189 }
3190 }
3191 }
3192
3193 dns_resolver_destroyfetch(&fetch);
3194 }
3195
3196 static isc_result_t
3197 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
3198 dns_rdataset_t *nameservers, isc_boolean_t resuming)
3199 {
3200 isc_result_t result;
3201 dns_rdataset_t *rdataset, *sigrdataset;
3202 isc_sockaddr_t *peeraddr;
3203
3204 if (!resuming)
3205 inc_stats(client, dns_nsstatscounter_recursion);
3206
3207 /*
3208 * We are about to recurse, which means that this client will
3209 * be unavailable for serving new requests for an indeterminate
3210 * amount of time. If this client is currently responsible
3211 * for handling incoming queries, set up a new client
3212 * object to handle them while we are waiting for a
3213 * response. There is no need to replace TCP clients
3214 * because those have already been replaced when the
3215 * connection was accepted (if allowed by the TCP quota).
3216 */
3217 if (client->recursionquota == NULL) {
3218 result = isc_quota_attach(&ns_g_server->recursionquota,
3219 &client->recursionquota);
3220 if (result == ISC_R_SOFTQUOTA) {
3221 static isc_stdtime_t last = 0;
3222 isc_stdtime_t now;
3223 isc_stdtime_get(&now);
3224 if (now != last) {
3225 last = now;
3226 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3227 NS_LOGMODULE_QUERY,
3228 ISC_LOG_WARNING,
3229 "recursive-clients soft limit "
3230 "exceeded (%d/%d/%d), "
3231 "aborting oldest query",
3232 client->recursionquota->used,
3233 client->recursionquota->soft,
3234 client->recursionquota->max);
3235 }
3236 ns_client_killoldestquery(client);
3237 result = ISC_R_SUCCESS;
3238 } else if (result == ISC_R_QUOTA) {
3239 static isc_stdtime_t last = 0;
3240 isc_stdtime_t now;
3241 isc_stdtime_get(&now);
3242 if (now != last) {
3243 last = now;
3244 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3245 NS_LOGMODULE_QUERY,
3246 ISC_LOG_WARNING,
3247 "no more recursive clients "
3248 "(%d/%d/%d): %s",
3249 ns_g_server->recursionquota.used,
3250 ns_g_server->recursionquota.soft,
3251 ns_g_server->recursionquota.max,
3252 isc_result_totext(result));
3253 }
3254 ns_client_killoldestquery(client);
3255 }
3256 if (result == ISC_R_SUCCESS && !client->mortal &&
3257 (client->attributes & NS_CLIENTATTR_TCP) == 0) {
3258 result = ns_client_replace(client);
3259 if (result != ISC_R_SUCCESS) {
3260 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3261 NS_LOGMODULE_QUERY,
3262 ISC_LOG_WARNING,
3263 "ns_client_replace() failed: %s",
3264 isc_result_totext(result));
3265 isc_quota_detach(&client->recursionquota);
3266 }
3267 }
3268 if (result != ISC_R_SUCCESS)
3269 return (result);
3270 ns_client_recursing(client);
3271 }
3272
3273 /*
3274 * Invoke the resolver.
3275 */
3276 REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
3277 REQUIRE(client->query.fetch == NULL);
3278
3279 rdataset = query_newrdataset(client);
3280 if (rdataset == NULL)
3281 return (ISC_R_NOMEMORY);
3282 if (WANTDNSSEC(client)) {
3283 sigrdataset = query_newrdataset(client);
3284 if (sigrdataset == NULL) {
3285 query_putrdataset(client, &rdataset);
3286 return (ISC_R_NOMEMORY);
3287 }
3288 } else
3289 sigrdataset = NULL;
3290
3291 if (client->query.timerset == ISC_FALSE)
3292 ns_client_settimeout(client, 60);
3293 if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
3294 peeraddr = &client->peeraddr;
3295 else
3296 peeraddr = NULL;
3297 result = dns_resolver_createfetch2(client->view->resolver,
3298 client->query.qname,
3299 qtype, qdomain, nameservers,
3300 NULL, peeraddr, client->message->id,
3301 client->query.fetchoptions,
3302 client->task,
3303 query_resume, client,
3304 rdataset, sigrdataset,
3305 &client->query.fetch);
3306
3307 if (result == ISC_R_SUCCESS) {
3308 /*
3309 * Record that we're waiting for an event. A client which
3310 * is shutting down will not be destroyed until all the
3311 * events have been received.
3312 */
3313 } else {
3314 query_putrdataset(client, &rdataset);
3315 if (sigrdataset != NULL)
3316 query_putrdataset(client, &sigrdataset);
3317 }
3318
3319 return (result);
3320 }
3321
3322 #define MAX_RESTARTS 16
3323
3324 #define QUERY_ERROR(r) \
3325 do { \
3326 eresult = r; \
3327 want_restart = ISC_FALSE; \
3328 line = __LINE__; \
3329 } while (0)
3330
3331 #define RECURSE_ERROR(r) \
3332 do { \
3333 if ((r) == DNS_R_DUPLICATE || (r) == DNS_R_DROP) \
3334 QUERY_ERROR(r); \
3335 else \
3336 QUERY_ERROR(DNS_R_SERVFAIL); \
3337 } while (0)
3338
3339 /*
3340 * Extract a network address from the RDATA of an A or AAAA
3341 * record.
3342 *
3343 * Returns:
3344 * ISC_R_SUCCESS
3345 * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
3346 */
3347 static isc_result_t
3348 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
3349 struct in_addr ina;
3350 struct in6_addr in6a;
3351
3352 switch (rdata->type) {
3353 case dns_rdatatype_a:
3354 INSIST(rdata->length == 4);
3355 memcpy(&ina.s_addr, rdata->data, 4);
3356 isc_netaddr_fromin(netaddr, &ina);
3357 return (ISC_R_SUCCESS);
3358 case dns_rdatatype_aaaa:
3359 INSIST(rdata->length == 16);
3360 memcpy(in6a.s6_addr, rdata->data, 16);
3361 isc_netaddr_fromin6(netaddr, &in6a);
3362 return (ISC_R_SUCCESS);
3363 default:
3364 return (ISC_R_NOTIMPLEMENTED);
3365 }
3366 }
3367
3368 /*
3369 * Find the sort order of 'rdata' in the topology-like
3370 * ACL forming the second element in a 2-element top-level
3371 * sortlist statement.
3372 */
3373 static int
3374 query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
3375 isc_netaddr_t netaddr;
3376
3377 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
3378 return (INT_MAX);
3379 return (ns_sortlist_addrorder2(&netaddr, arg));
3380 }
3381
3382 /*
3383 * Find the sort order of 'rdata' in the matching element
3384 * of a 1-element top-level sortlist statement.
3385 */
3386 static int
3387 query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
3388 isc_netaddr_t netaddr;
3389
3390 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
3391 return (INT_MAX);
3392 return (ns_sortlist_addrorder1(&netaddr, arg));
3393 }
3394
3395 /*
3396 * Find the sortlist statement that applies to 'client' and set up
3397 * the sortlist info in in client->message appropriately.
3398 */
3399 static void
3400 setup_query_sortlist(ns_client_t *client) {
3401 isc_netaddr_t netaddr;
3402 dns_rdatasetorderfunc_t order = NULL;
3403 const void *order_arg = NULL;
3404
3405 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
3406 switch (ns_sortlist_setup(client->view->sortlist,
3407 &netaddr, &order_arg)) {
3408 case NS_SORTLISTTYPE_1ELEMENT:
3409 order = query_sortlist_order_1element;
3410 break;
3411 case NS_SORTLISTTYPE_2ELEMENT:
3412 order = query_sortlist_order_2element;
3413 break;
3414 case NS_SORTLISTTYPE_NONE:
3415 order = NULL;
3416 break;
3417 default:
3418 INSIST(0);
3419 break;
3420 }
3421 dns_message_setsortorder(client->message, order, order_arg);
3422 }
3423
3424 static void
3425 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
3426 isc_buffer_t *dbuf, b;
3427 dns_name_t *fname;
3428 dns_rdataset_t *neg, *negsig;
3429 isc_result_t result = ISC_R_NOMEMORY;
3430
3431 CTRACE("query_addnoqnameproof");
3432
3433 fname = NULL;
3434 neg = NULL;
3435 negsig = NULL;
3436
3437 dbuf = query_getnamebuf(client);
3438 if (dbuf == NULL)
3439 goto cleanup;
3440 fname = query_newname(client, dbuf, &b);
3441 neg = query_newrdataset(client);
3442 negsig = query_newrdataset(client);
3443 if (fname == NULL || neg == NULL || negsig == NULL)
3444 goto cleanup;
3445
3446 result = dns_rdataset_getnoqname(rdataset, fname, neg, negsig);
3447 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3448
3449 query_addrrset(client, &fname, &neg, &negsig, dbuf,
3450 DNS_SECTION_AUTHORITY);
3451
3452 if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) == 0)
3453 goto cleanup;
3454
3455 if (fname == NULL) {
3456 dbuf = query_getnamebuf(client);
3457 if (dbuf == NULL)
3458 goto cleanup;
3459 fname = query_newname(client, dbuf, &b);
3460 }
3461 if (neg == NULL)
3462 neg = query_newrdataset(client);
3463 else if (dns_rdataset_isassociated(neg))
3464 dns_rdataset_disassociate(neg);
3465 if (negsig == NULL)
3466 negsig = query_newrdataset(client);
3467 else if (dns_rdataset_isassociated(negsig))
3468 dns_rdataset_disassociate(negsig);
3469 if (fname == NULL || neg == NULL || negsig == NULL)
3470 goto cleanup;
3471 result = dns_rdataset_getclosest(rdataset, fname, neg, negsig);
3472 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3473
3474 query_addrrset(client, &fname, &neg, &negsig, dbuf,
3475 DNS_SECTION_AUTHORITY);
3476
3477 cleanup:
3478 if (neg != NULL)
3479 query_putrdataset(client, &neg);
3480 if (negsig != NULL)
3481 query_putrdataset(client, &negsig);
3482 if (fname != NULL)
3483 query_releasename(client, &fname);
3484 }
3485
3486 static inline void
3487 answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
3488 dns_name_t *name;
3489 dns_message_t *msg;
3490 dns_section_t section = DNS_SECTION_ADDITIONAL;
3491 dns_rdataset_t *rdataset = NULL;
3492
3493 msg = client->message;
3494 for (name = ISC_LIST_HEAD(msg->sections[section]);
3495 name != NULL;
3496 name = ISC_LIST_NEXT(name, link))
3497 if (dns_name_equal(name, client->query.qname)) {
3498 for (rdataset = ISC_LIST_HEAD(name->list);
3499 rdataset != NULL;
3500 rdataset = ISC_LIST_NEXT(rdataset, link))
3501 if (rdataset->type == qtype)
3502 break;
3503 break;
3504 }
3505 if (rdataset != NULL) {
3506 ISC_LIST_UNLINK(msg->sections[section], name, link);
3507 ISC_LIST_PREPEND(msg->sections[section], name, link);
3508 ISC_LIST_UNLINK(name->list, rdataset, link);
3509 ISC_LIST_PREPEND(name->list, rdataset, link);
3510 rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
3511 }
3512 }
3513
3514 #define NS_NAME_INIT(A,B) \
3515 { \
3516 DNS_NAME_MAGIC, \
3517 A, sizeof(A), sizeof(B), \
3518 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
3519 B, NULL, { (void *)-1, (void *)-1}, \
3520 {NULL, NULL} \
3521 }
3522
3523 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
3524 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
3525 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
3526
3527 static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
3528
3529 static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
3530 static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
3531 static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
3532 static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
3533 static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
3534 static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
3535 static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
3536 static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
3537 static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
3538 static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
3539 static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
3540 static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
3541 static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
3542 static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
3543 static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
3544 static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
3545
3546 static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
3547
3548 static dns_name_t rfc1918names[] = {
3549 NS_NAME_INIT(inaddr10, inaddr10_offsets),
3550 NS_NAME_INIT(inaddr16172, inaddr172_offsets),
3551 NS_NAME_INIT(inaddr17172, inaddr172_offsets),
3552 NS_NAME_INIT(inaddr18172, inaddr172_offsets),
3553 NS_NAME_INIT(inaddr19172, inaddr172_offsets),
3554 NS_NAME_INIT(inaddr20172, inaddr172_offsets),
3555 NS_NAME_INIT(inaddr21172, inaddr172_offsets),
3556 NS_NAME_INIT(inaddr22172, inaddr172_offsets),
3557 NS_NAME_INIT(inaddr23172, inaddr172_offsets),
3558 NS_NAME_INIT(inaddr24172, inaddr172_offsets),
3559 NS_NAME_INIT(inaddr25172, inaddr172_offsets),
3560 NS_NAME_INIT(inaddr26172, inaddr172_offsets),
3561 NS_NAME_INIT(inaddr27172, inaddr172_offsets),
3562 NS_NAME_INIT(inaddr28172, inaddr172_offsets),
3563 NS_NAME_INIT(inaddr29172, inaddr172_offsets),
3564 NS_NAME_INIT(inaddr30172, inaddr172_offsets),
3565 NS_NAME_INIT(inaddr31172, inaddr172_offsets),
3566 NS_NAME_INIT(inaddr168192, inaddr192_offsets)
3567 };
3568
3569
3570 static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
3571 static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
3572
3573 static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
3574 static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
3575
3576 static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
3577 static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
3578
3579 static void
3580 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
3581 unsigned int i;
3582 dns_rdata_t rdata = DNS_RDATA_INIT;
3583 dns_rdata_soa_t soa;
3584 dns_rdataset_t found;
3585 isc_result_t result;
3586
3587 for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
3588 if (dns_name_issubdomain(fname, &rfc1918names[i])) {
3589 dns_rdataset_init(&found);
3590 result = dns_ncache_getrdataset(rdataset,
3591 &rfc1918names[i],
3592 dns_rdatatype_soa,
3593 &found);
3594 if (result != ISC_R_SUCCESS)
3595 return;
3596
3597 result = dns_rdataset_first(&found);
3598 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3599 dns_rdataset_current(&found, &rdata);
3600 result = dns_rdata_tostruct(&rdata, &soa, NULL);
3601 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3602 if (dns_name_equal(&soa.origin, &prisoner) &&
3603 dns_name_equal(&soa.contact, &hostmaster)) {
3604 char buf[DNS_NAME_FORMATSIZE];
3605 dns_name_format(fname, buf, sizeof(buf));
3606 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
3607 NS_LOGMODULE_QUERY,
3608 ISC_LOG_WARNING,
3609 "RFC 1918 response from "
3610 "Internet for %s", buf);
3611 }
3612 dns_rdataset_disassociate(&found);
3613 return;
3614 }
3615 }
3616 }
3617
3618 static void
3619 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
3620 dns_dbversion_t *version, ns_client_t *client,
3621 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
3622 dns_name_t *fname, isc_boolean_t exact,
3623 dns_name_t *found)
3624 {
3625 unsigned char salt[256];
3626 size_t salt_length;
3627 isc_uint16_t iterations;
3628 isc_result_t result;
3629 unsigned int dboptions;
3630 dns_fixedname_t fixed;
3631 dns_hash_t hash;
3632 dns_name_t name;
3633 int order;
3634 unsigned int count;
3635 dns_rdata_nsec3_t nsec3;
3636 dns_rdata_t rdata = DNS_RDATA_INIT;
3637 isc_boolean_t optout;
3638
3639 salt_length = sizeof(salt);
3640 result = dns_db_getnsec3parameters(db, version, &hash, NULL,
3641 &iterations, salt, &salt_length);
3642 if (result != ISC_R_SUCCESS)
3643 return;
3644
3645 dns_name_init(&name, NULL);
3646 dns_name_clone(qname, &name);
3647
3648 /*
3649 * Map unknown algorithm to known value.
3650 */
3651 if (hash == DNS_NSEC3_UNKNOWNALG)
3652 hash = 1;
3653
3654 again:
3655 dns_fixedname_init(&fixed);
3656 result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
3657 dns_db_origin(db), hash,
3658 iterations, salt, salt_length);
3659 if (result != ISC_R_SUCCESS)
3660 return;
3661
3662 dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
3663 result = dns_db_find(db, dns_fixedname_name(&fixed), version,
3664 dns_rdatatype_nsec3, dboptions, client->now,
3665 NULL, fname, rdataset, sigrdataset);
3666
3667 if (result == DNS_R_NXDOMAIN) {
3668 if (!dns_rdataset_isassociated(rdataset)) {
3669 return;
3670 }
3671 result = dns_rdataset_first(rdataset);
3672 INSIST(result == ISC_R_SUCCESS);
3673 dns_rdataset_current(rdataset, &rdata);
3674 dns_rdata_tostruct(&rdata, &nsec3, NULL);
3675 dns_rdata_reset(&rdata);
3676 optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
3677 if (found != NULL && optout &&
3678 dns_name_fullcompare(&name, dns_db_origin(db), &order,
3679 &count) == dns_namereln_subdomain) {
3680 dns_rdataset_disassociate(rdataset);
3681 if (dns_rdataset_isassociated(sigrdataset))
3682 dns_rdataset_disassociate(sigrdataset);
3683 count = dns_name_countlabels(&name) - 1;
3684 dns_name_getlabelsequence(&name, 1, count, &name);
3685 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
3686 NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
3687 "looking for closest provable encloser");
3688 goto again;
3689 }
3690 if (exact)
3691 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
3692 NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
3693 "expected a exact match NSEC3, got "
3694 "a covering record");
3695
3696 } else if (result != ISC_R_SUCCESS) {
3697 return;
3698 } else if (!exact)
3699 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
3700 NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
3701 "expected covering NSEC3, got an exact match");
3702 if (found != NULL)
3703 dns_name_copy(&name, found, NULL);
3704 return;
3705 }
3706
3707 /*
3708 * Do the bulk of query processing for the current query of 'client'.
3709 * If 'event' is non-NULL, we are returning from recursion and 'qtype'
3710 * is ignored. Otherwise, 'qtype' is the query type.
3711 */
3712 static isc_result_t
3713 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
3714 {
3715 dns_db_t *db, *zdb;
3716 dns_dbnode_t *node;
3717 dns_rdatatype_t type;
3718 dns_name_t *fname, *zfname, *tname, *prefix;
3719 dns_rdataset_t *rdataset, *trdataset;
3720 dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
3721 dns_rdataset_t **sigrdatasetp;
3722 dns_rdata_t rdata = DNS_RDATA_INIT;
3723 dns_rdatasetiter_t *rdsiter;
3724 isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
3725 unsigned int n, nlabels;
3726 dns_namereln_t namereln;
3727 int order;
3728 isc_buffer_t *dbuf;
3729 isc_buffer_t b;
3730 isc_result_t result, eresult;
3731 dns_fixedname_t fixed;
3732 dns_fixedname_t wildcardname;
3733 dns_dbversion_t *version, *zversion;
3734 dns_zone_t *zone;
3735 dns_rdata_cname_t cname;
3736 dns_rdata_dname_t dname;
3737 unsigned int options;
3738 isc_boolean_t empty_wild;
3739 dns_rdataset_t *noqname;
3740 isc_boolean_t resuming;
3741 int line = -1;
3742 dns_rdataset_t tmprdataset;
3743 unsigned int dboptions;
3744
3745 CTRACE("query_find");
3746
3747 /*
3748 * One-time initialization.
3749 *
3750 * It's especially important to initialize anything that the cleanup
3751 * code might cleanup.
3752 */
3753
3754 eresult = ISC_R_SUCCESS;
3755 fname = NULL;
3756 zfname = NULL;
3757 rdataset = NULL;
3758 zrdataset = NULL;
3759 sigrdataset = NULL;
3760 zsigrdataset = NULL;
3761 zversion = NULL;
3762 node = NULL;
3763 db = NULL;
3764 zdb = NULL;
3765 version = NULL;
3766 zone = NULL;
3767 need_wildcardproof = ISC_FALSE;
3768 empty_wild = ISC_FALSE;
3769 options = 0;
3770 resuming = ISC_FALSE;
3771 is_zone = ISC_FALSE;
3772
3773 if (event != NULL) {
3774 /*
3775 * We're returning from recursion. Restore the query context
3776 * and resume.
3777 */
3778
3779 want_restart = ISC_FALSE;
3780 authoritative = ISC_FALSE;
3781
3782 qtype = event->qtype;
3783 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
3784 type = dns_rdatatype_any;
3785 else
3786 type = qtype;
3787 db = event->db;
3788 node = event->node;
3789 rdataset = event->rdataset;
3790 sigrdataset = event->sigrdataset;
3791
3792 /*
3793 * We'll need some resources...
3794 */
3795 dbuf = query_getnamebuf(client);
3796 if (dbuf == NULL) {
3797 QUERY_ERROR(DNS_R_SERVFAIL);
3798 goto cleanup;
3799 }
3800 fname = query_newname(client, dbuf, &b);
3801 if (fname == NULL) {
3802 QUERY_ERROR(DNS_R_SERVFAIL);
3803 goto cleanup;
3804 }
3805 tname = dns_fixedname_name(&event->foundname);
3806 result = dns_name_copy(tname, fname, NULL);
3807 if (result != ISC_R_SUCCESS) {
3808 QUERY_ERROR(DNS_R_SERVFAIL);
3809 goto cleanup;
3810 }
3811
3812 result = event->result;
3813 resuming = ISC_TRUE;
3814
3815 goto resume;
3816 }
3817
3818 /*
3819 * Not returning from recursion.
3820 */
3821
3822 /*
3823 * If it's a SIG query, we'll iterate the node.
3824 */
3825 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
3826 type = dns_rdatatype_any;
3827 else
3828 type = qtype;
3829
3830 restart:
3831 CTRACE("query_find: restart");
3832 want_restart = ISC_FALSE;
3833 authoritative = ISC_FALSE;
3834 version = NULL;
3835 need_wildcardproof = ISC_FALSE;
3836
3837 if (client->view->checknames &&
3838 !dns_rdata_checkowner(client->query.qname,
3839 client->message->rdclass,
3840 qtype, ISC_FALSE)) {
3841 char namebuf[DNS_NAME_FORMATSIZE];
3842 char typename[DNS_RDATATYPE_FORMATSIZE];
3843 char classname[DNS_RDATACLASS_FORMATSIZE];
3844
3845 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
3846 dns_rdatatype_format(qtype, typename, sizeof(typename));
3847 dns_rdataclass_format(client->message->rdclass, classname,
3848 sizeof(classname));
3849 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
3850 NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
3851 "check-names failure %s/%s/%s", namebuf,
3852 typename, classname);
3853 QUERY_ERROR(DNS_R_REFUSED);
3854 goto cleanup;
3855 }
3856
3857 /*
3858 * First we must find the right database.
3859 */
3860 options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
3861 if (dns_rdatatype_atparent(qtype) &&
3862 !dns_name_equal(client->query.qname, dns_rootname))
3863 options |= DNS_GETDB_NOEXACT;
3864 result = query_getdb(client, client->query.qname, qtype, options,
3865 &zone, &db, &version, &is_zone);
3866 if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
3867 (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
3868 /*
3869 * Look to see if we are authoritative for the
3870 * child zone if the query type is DS.
3871 */
3872 dns_db_t *tdb = NULL;
3873 dns_zone_t *tzone = NULL;
3874 dns_dbversion_t *tversion = NULL;
3875 isc_result_t tresult;
3876
3877 tresult = query_getzonedb(client, client->query.qname, qtype,
3878 DNS_GETDB_PARTIAL, &tzone, &tdb,
3879 &tversion);
3880 if (tresult == ISC_R_SUCCESS) {
3881 options &= ~DNS_GETDB_NOEXACT;
3882 query_putrdataset(client, &rdataset);
3883 if (db != NULL)
3884 dns_db_detach(&db);
3885 if (zone != NULL)
3886 dns_zone_detach(&zone);
3887 version = tversion;
3888 db = tdb;
3889 zone = tzone;
3890 is_zone = ISC_TRUE;
3891 result = ISC_R_SUCCESS;
3892 } else {
3893 if (tdb != NULL)
3894 dns_db_detach(&tdb);
3895 if (tzone != NULL)
3896 dns_zone_detach(&tzone);
3897 }
3898 }
3899 if (result != ISC_R_SUCCESS) {
3900 if (result == DNS_R_REFUSED) {
3901 if (WANTRECURSION(client)) {
3902 inc_stats(client,
3903 dns_nsstatscounter_recurserej);
3904 } else
3905 inc_stats(client, dns_nsstatscounter_authrej);
3906 if (!PARTIALANSWER(client))
3907 QUERY_ERROR(DNS_R_REFUSED);
3908 } else
3909 QUERY_ERROR(DNS_R_SERVFAIL);
3910 goto cleanup;
3911 }
3912
3913 if (is_zone)
3914 authoritative = ISC_TRUE;
3915
3916 if (event == NULL && client->query.restarts == 0) {
3917 if (is_zone) {
3918 #ifdef DLZ
3919 if (zone != NULL) {
3920 /*
3921 * if is_zone = true, zone = NULL then this is
3922 * a DLZ zone. Don't attempt to attach zone.
3923 */
3924 #endif
3925 dns_zone_attach(zone, &client->query.authzone);
3926 #ifdef DLZ
3927 }
3928 #endif
3929 dns_db_attach(db, &client->query.authdb);
3930 }
3931 client->query.authdbset = ISC_TRUE;
3932 }
3933
3934 db_find:
3935 CTRACE("query_find: db_find");
3936 /*
3937 * We'll need some resources...
3938 */
3939 dbuf = query_getnamebuf(client);
3940 if (dbuf == NULL) {
3941 QUERY_ERROR(DNS_R_SERVFAIL);
3942 goto cleanup;
3943 }
3944 fname = query_newname(client, dbuf, &b);
3945 rdataset = query_newrdataset(client);
3946 if (fname == NULL || rdataset == NULL) {
3947 QUERY_ERROR(DNS_R_SERVFAIL);
3948 goto cleanup;
3949 }
3950 if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
3951 sigrdataset = query_newrdataset(client);
3952 if (sigrdataset == NULL) {
3953 QUERY_ERROR(DNS_R_SERVFAIL);
3954 goto cleanup;
3955 }
3956 }
3957
3958 /*
3959 * Now look for an answer in the database.
3960 */
3961 dboptions = client->query.dboptions;
3962 if (sigrdataset == NULL && client->view->enablednssec) {
3963 /*
3964 * If the client doesn't want DNSSEC we still want to
3965 * look for any data pending validation to save a remote
3966 * lookup if possible.
3967 */
3968 dns_rdataset_init(&tmprdataset);
3969 sigrdataset = &tmprdataset;
3970 dboptions |= DNS_DBFIND_PENDINGOK;
3971 }
3972 refind:
3973 result = dns_db_find(db, client->query.qname, version, type,
3974 dboptions, client->now, &node, fname,
3975 rdataset, sigrdataset);
3976 /*
3977 * If we have found pending data try to validate it.
3978 * If the data does not validate as secure and we can't
3979 * use the unvalidated data requery the database with
3980 * pending disabled to prevent infinite looping.
3981 */
3982 if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
3983 goto validation_done;
3984 if (validate(client, db, fname, rdataset, sigrdataset))
3985 goto validation_done;
3986 if (rdataset->trust != dns_trust_pending_answer ||
3987 !PENDINGOK(client->query.dboptions)) {
3988 dns_rdataset_disassociate(rdataset);
3989 if (sigrdataset != NULL &&
3990 dns_rdataset_isassociated(sigrdataset))
3991 dns_rdataset_disassociate(sigrdataset);
3992 if (sigrdataset == &tmprdataset)
3993 sigrdataset = NULL;
3994 dns_db_detachnode(db, &node);
3995 dboptions &= ~DNS_DBFIND_PENDINGOK;
3996 goto refind;
3997 }
3998 validation_done:
3999 if (sigrdataset == &tmprdataset) {
4000 if (dns_rdataset_isassociated(sigrdataset))
4001 dns_rdataset_disassociate(sigrdataset);
4002 sigrdataset = NULL;
4003 }
4004
4005 resume:
4006 CTRACE("query_find: resume");
4007 switch (result) {
4008 case ISC_R_SUCCESS:
4009 /*
4010 * This case is handled in the main line below.
4011 */
4012 break;
4013 case DNS_R_GLUE:
4014 case DNS_R_ZONECUT:
4015 /*
4016 * These cases are handled in the main line below.
4017 */
4018 INSIST(is_zone);
4019 authoritative = ISC_FALSE;
4020 break;
4021 case ISC_R_NOTFOUND:
4022 /*
4023 * The cache doesn't even have the root NS. Get them from
4024 * the hints DB.
4025 */
4026 INSIST(!is_zone);
4027 if (db != NULL)
4028 dns_db_detach(&db);
4029
4030 if (client->view->hints == NULL) {
4031 /* We have no hints. */
4032 result = ISC_R_FAILURE;
4033 } else {
4034 dns_db_attach(client->view->hints, &db);
4035 result = dns_db_find(db, dns_rootname,
4036 NULL, dns_rdatatype_ns,
4037 0, client->now, &node, fname,
4038 rdataset, sigrdataset);
4039 }
4040 if (result != ISC_R_SUCCESS) {
4041 /*
4042 * Nonsensical root hints may require cleanup.
4043 */
4044 if (dns_rdataset_isassociated(rdataset))
4045 dns_rdataset_disassociate(rdataset);
4046 if (sigrdataset != NULL &&
4047 dns_rdataset_isassociated(sigrdataset))
4048 dns_rdataset_disassociate(sigrdataset);
4049 if (node != NULL)
4050 dns_db_detachnode(db, &node);
4051
4052 /*
4053 * We don't have any root server hints, but
4054 * we may have working forwarders, so try to
4055 * recurse anyway.
4056 */
4057 if (RECURSIONOK(client)) {
4058 result = query_recurse(client, qtype,
4059 NULL, NULL, resuming);
4060 if (result == ISC_R_SUCCESS)
4061 client->query.attributes |=
4062 NS_QUERYATTR_RECURSING;
4063 else
4064 RECURSE_ERROR(result);
4065 goto cleanup;
4066 } else {
4067 /* Unable to give root server referral. */
4068 QUERY_ERROR(DNS_R_SERVFAIL);
4069 goto cleanup;
4070 }
4071 }
4072 /*
4073 * XXXRTH We should trigger root server priming here.
4074 */
4075 /* FALLTHROUGH */
4076 case DNS_R_DELEGATION:
4077 authoritative = ISC_FALSE;
4078 if (is_zone) {
4079 /*
4080 * Look to see if we are authoritative for the
4081 * child zone if the query type is DS.
4082 */
4083 if (!RECURSIONOK(client) &&
4084 (options & DNS_GETDB_NOEXACT) != 0 &&
4085 qtype == dns_rdatatype_ds) {
4086 dns_db_t *tdb = NULL;
4087 dns_zone_t *tzone = NULL;
4088 dns_dbversion_t *tversion = NULL;
4089 result = query_getzonedb(client,
4090 client->query.qname,
4091 qtype,
4092 DNS_GETDB_PARTIAL,
4093 &tzone, &tdb,
4094 &tversion);
4095 if (result == ISC_R_SUCCESS) {
4096 options &= ~DNS_GETDB_NOEXACT;
4097 query_putrdataset(client, &rdataset);
4098 if (sigrdataset != NULL)
4099 query_putrdataset(client,
4100 &sigrdataset);
4101 if (fname != NULL)
4102 query_releasename(client,
4103 &fname);
4104 if (node != NULL)
4105 dns_db_detachnode(db, &node);
4106 if (db != NULL)
4107 dns_db_detach(&db);
4108 if (zone != NULL)
4109 dns_zone_detach(&zone);
4110 version = tversion;
4111 db = tdb;
4112 zone = tzone;
4113 authoritative = ISC_TRUE;
4114 goto db_find;
4115 }
4116 if (tdb != NULL)
4117 dns_db_detach(&tdb);
4118 if (tzone != NULL)
4119 dns_zone_detach(&tzone);
4120 }
4121 /*
4122 * We're authoritative for an ancestor of QNAME.
4123 */
4124 if (!USECACHE(client) || !RECURSIONOK(client)) {
4125 dns_fixedname_t fixed;
4126
4127 dns_fixedname_init(&fixed);
4128 dns_name_copy(fname,
4129 dns_fixedname_name(&fixed), NULL);
4130
4131 /*
4132 * If we don't have a cache, this is the best
4133 * answer.
4134 *
4135 * If the client is making a nonrecursive
4136 * query we always give out the authoritative
4137 * delegation. This way even if we get
4138 * junk in our cache, we won't fail in our
4139 * role as the delegating authority if another
4140 * nameserver asks us about a delegated
4141 * subzone.
4142 *
4143 * We enable the retrieval of glue for this
4144 * database by setting client->query.gluedb.
4145 */
4146 client->query.gluedb = db;
4147 client->query.isreferral = ISC_TRUE;
4148 /*
4149 * We must ensure NOADDITIONAL is off,
4150 * because the generation of
4151 * additional data is required in
4152 * delegations.
4153 */
4154 client->query.attributes &=
4155 ~NS_QUERYATTR_NOADDITIONAL;
4156 if (sigrdataset != NULL)
4157 sigrdatasetp = &sigrdataset;
4158 else
4159 sigrdatasetp = NULL;
4160 query_addrrset(client, &fname,
4161 &rdataset, sigrdatasetp,
4162 dbuf, DNS_SECTION_AUTHORITY);
4163 client->query.gluedb = NULL;
4164 if (WANTDNSSEC(client))
4165 query_addds(client, db, node, version,
4166 dns_fixedname_name(&fixed));
4167 } else {
4168 /*
4169 * We might have a better answer or delegation
4170 * in the cache. We'll remember the current
4171 * values of fname, rdataset, and sigrdataset.
4172 * We'll then go looking for QNAME in the
4173 * cache. If we find something better, we'll
4174 * use it instead.
4175 */
4176 query_keepname(client, fname, dbuf);
4177 zdb = db;
4178 zfname = fname;
4179 fname = NULL;
4180 zrdataset = rdataset;
4181 rdataset = NULL;
4182 zsigrdataset = sigrdataset;
4183 sigrdataset = NULL;
4184 dns_db_detachnode(db, &node);
4185 zversion = version;
4186 version = NULL;
4187 db = NULL;
4188 dns_db_attach(client->view->cachedb, &db);
4189 is_zone = ISC_FALSE;
4190 goto db_find;
4191 }
4192 } else {
4193 if (zfname != NULL &&
4194 !dns_name_issubdomain(fname, zfname)) {
4195 /*
4196 * We've already got a delegation from
4197 * authoritative data, and it is better
4198 * than what we found in the cache. Use
4199 * it instead of the cache delegation.
4200 */
4201 query_releasename(client, &fname);
4202 fname = zfname;
4203 zfname = NULL;
4204 /*
4205 * We've already done query_keepname() on
4206 * zfname, so we must set dbuf to NULL to
4207 * prevent query_addrrset() from trying to
4208 * call query_keepname() again.
4209 */
4210 dbuf = NULL;
4211 query_putrdataset(client, &rdataset);
4212 if (sigrdataset != NULL)
4213 query_putrdataset(client,
4214 &sigrdataset);
4215 rdataset = zrdataset;
4216 zrdataset = NULL;
4217 sigrdataset = zsigrdataset;
4218 zsigrdataset = NULL;
4219 version = zversion;
4220 zversion = NULL;
4221 /*
4222 * We don't clean up zdb here because we
4223 * may still need it. It will get cleaned
4224 * up by the main cleanup code.
4225 */
4226 }
4227
4228 if (RECURSIONOK(client)) {
4229 /*
4230 * Recurse!
4231 */
4232 if (dns_rdatatype_atparent(type))
4233 result = query_recurse(client, qtype,
4234 NULL, NULL,
4235 resuming);
4236 else
4237 result = query_recurse(client, qtype,
4238 fname, rdataset,
4239 resuming);
4240 if (result == ISC_R_SUCCESS)
4241 client->query.attributes |=
4242 NS_QUERYATTR_RECURSING;
4243 else
4244 RECURSE_ERROR(result);
4245 } else {
4246 dns_fixedname_t fixed;
4247
4248 dns_fixedname_init(&fixed);
4249 dns_name_copy(fname,
4250 dns_fixedname_name(&fixed), NULL);
4251 /*
4252 * This is the best answer.
4253 */
4254 client->query.attributes |=
4255 NS_QUERYATTR_CACHEGLUEOK;
4256 client->query.gluedb = zdb;
4257 client->query.isreferral = ISC_TRUE;
4258 /*
4259 * We must ensure NOADDITIONAL is off,
4260 * because the generation of
4261 * additional data is required in
4262 * delegations.
4263 */
4264 client->query.attributes &=
4265 ~NS_QUERYATTR_NOADDITIONAL;
4266 if (sigrdataset != NULL)
4267 sigrdatasetp = &sigrdataset;
4268 else
4269 sigrdatasetp = NULL;
4270 query_addrrset(client, &fname,
4271 &rdataset, sigrdatasetp,
4272 dbuf, DNS_SECTION_AUTHORITY);
4273 client->query.gluedb = NULL;
4274 client->query.attributes &=
4275 ~NS_QUERYATTR_CACHEGLUEOK;
4276 if (WANTDNSSEC(client))
4277 query_addds(client, db, node, version,
4278 dns_fixedname_name(&fixed));
4279 }
4280 }
4281 goto cleanup;
4282 case DNS_R_EMPTYNAME:
4283 result = DNS_R_NXRRSET;
4284 /* FALLTHROUGH */
4285 case DNS_R_NXRRSET:
4286 INSIST(is_zone);
4287 /*
4288 * Look for a NSEC3 record if we don't have a NSEC record.
4289 */
4290 if (!dns_rdataset_isassociated(rdataset) &&
4291 WANTDNSSEC(client)) {
4292 if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
4293 dns_name_t *found;
4294 dns_name_t *qname;
4295
4296 dns_fixedname_init(&fixed);
4297 found = dns_fixedname_name(&fixed);
4298 qname = client->query.qname;
4299
4300 query_findclosestnsec3(qname, db, version,
4301 client, rdataset,
4302 sigrdataset, fname,
4303 ISC_TRUE, found);
4304 /*
4305 * Did we find the closest provable encloser
4306 * instead? If so add the nearest to the
4307 * closest provable encloser.
4308 */
4309 if (found &&
4310 dns_rdataset_isassociated(rdataset) &&
4311 !dns_name_equal(qname, found))
4312 {
4313 unsigned int count;
4314 unsigned int skip;
4315
4316 /*
4317 * Add the closest provable encloser.
4318 */
4319 query_addrrset(client, &fname,
4320 &rdataset, &sigrdataset,
4321 dbuf,
4322 DNS_SECTION_AUTHORITY);
4323
4324 count = dns_name_countlabels(found)
4325 + 1;
4326 skip = dns_name_countlabels(qname) -
4327 count;
4328 dns_name_getlabelsequence(qname, skip,
4329 count,
4330 found);
4331
4332 fixfname(client, &fname, &dbuf, &b);
4333 fixrdataset(client, &rdataset);
4334 fixrdataset(client, &sigrdataset);
4335 if (fname == NULL ||
4336 rdataset == NULL ||
4337 sigrdataset == NULL) {
4338 QUERY_ERROR(DNS_R_SERVFAIL);
4339 goto cleanup;
4340 }
4341 /*
4342 * 'nearest' doesn't exist so
4343 * 'exist' is set to ISC_FALSE.
4344 */
4345 query_findclosestnsec3(found, db,
4346 version,
4347 client,
4348 rdataset,
4349 sigrdataset,
4350 fname,
4351 ISC_FALSE,
4352 NULL);
4353 }
4354 } else {
4355 query_releasename(client, &fname);
4356 query_addwildcardproof(client, db, version,
4357 client->query.qname,
4358 ISC_FALSE);
4359 }
4360 }
4361 if (dns_rdataset_isassociated(rdataset)) {
4362 /*
4363 * If we've got a NSEC record, we need to save the
4364 * name now because we're going call query_addsoa()
4365 * below, and it needs to use the name buffer.
4366 */
4367 query_keepname(client, fname, dbuf);
4368 } else if (fname != NULL) {
4369 /*
4370 * We're not going to use fname, and need to release
4371 * our hold on the name buffer so query_addsoa()
4372 * may use it.
4373 */
4374 query_releasename(client, &fname);
4375 }
4376 /*
4377 * Add SOA.
4378 */
4379 result = query_addsoa(client, db, version, ISC_FALSE);
4380 if (result != ISC_R_SUCCESS) {
4381 QUERY_ERROR(result);
4382 goto cleanup;
4383 }
4384 /*
4385 * Add NSEC record if we found one.
4386 */
4387 if (WANTDNSSEC(client)) {
4388 if (dns_rdataset_isassociated(rdataset))
4389 query_addnxrrsetnsec(client, db, version,
4390 &fname, &rdataset,
4391 &sigrdataset);
4392 }
4393 goto cleanup;
4394
4395 case DNS_R_EMPTYWILD:
4396 empty_wild = ISC_TRUE;
4397 /* FALLTHROUGH */
4398
4399 case DNS_R_NXDOMAIN:
4400 INSIST(is_zone);
4401 if (dns_rdataset_isassociated(rdataset)) {
4402 /*
4403 * If we've got a NSEC record, we need to save the
4404 * name now because we're going call query_addsoa()
4405 * below, and it needs to use the name buffer.
4406 */
4407 query_keepname(client, fname, dbuf);
4408 } else if (fname != NULL) {
4409 /*
4410 * We're not going to use fname, and need to release
4411 * our hold on the name buffer so query_addsoa()
4412 * may use it.
4413 */
4414 query_releasename(client, &fname);
4415 }
4416 /*
4417 * Add SOA. If the query was for a SOA record force the
4418 * ttl to zero so that it is possible for clients to find
4419 * the containing zone of an arbitrary name with a stub
4420 * resolver and not have it cached.
4421 */
4422 if (qtype == dns_rdatatype_soa &&
4423 #ifdef DLZ
4424 zone != NULL &&
4425 #endif
4426 dns_zone_getzeronosoattl(zone))
4427 result = query_addsoa(client, db, version, ISC_TRUE);
4428 else
4429 result = query_addsoa(client, db, version, ISC_FALSE);
4430 if (result != ISC_R_SUCCESS) {
4431 QUERY_ERROR(result);
4432 goto cleanup;
4433 }
4434
4435 if (WANTDNSSEC(client)) {
4436 /*
4437 * Add NSEC record if we found one.
4438 */
4439 if (dns_rdataset_isassociated(rdataset))
4440 query_addrrset(client, &fname, &rdataset,
4441 &sigrdataset,
4442 NULL, DNS_SECTION_AUTHORITY);
4443 query_addwildcardproof(client, db, version,
4444 client->query.qname, ISC_FALSE);
4445 }
4446
4447 /*
4448 * Set message rcode.
4449 */
4450 if (empty_wild)
4451 client->message->rcode = dns_rcode_noerror;
4452 else
4453 client->message->rcode = dns_rcode_nxdomain;
4454 goto cleanup;
4455
4456 case DNS_R_NCACHENXDOMAIN:
4457 case DNS_R_NCACHENXRRSET:
4458 INSIST(!is_zone);
4459 authoritative = ISC_FALSE;
4460 /*
4461 * Set message rcode, if required.
4462 */
4463 if (result == DNS_R_NCACHENXDOMAIN)
4464 client->message->rcode = dns_rcode_nxdomain;
4465 /*
4466 * Look for RFC 1918 leakage from Internet.
4467 */
4468 if (result == DNS_R_NCACHENXDOMAIN &&
4469 qtype == dns_rdatatype_ptr &&
4470 client->message->rdclass == dns_rdataclass_in &&
4471 dns_name_countlabels(fname) == 7)
4472 warn_rfc1918(client, fname, rdataset);
4473 /*
4474 * We don't call query_addrrset() because we don't need any
4475 * of its extra features (and things would probably break!).
4476 */
4477 query_keepname(client, fname, dbuf);
4478 dns_message_addname(client->message, fname,
4479 DNS_SECTION_AUTHORITY);
4480 ISC_LIST_APPEND(fname->list, rdataset, link);
4481 fname = NULL;
4482 rdataset = NULL;
4483 goto cleanup;
4484
4485 case DNS_R_CNAME:
4486 /*
4487 * Keep a copy of the rdataset. We have to do this because
4488 * query_addrrset may clear 'rdataset' (to prevent the
4489 * cleanup code from cleaning it up).
4490 */
4491 trdataset = rdataset;
4492 /*
4493 * Add the CNAME to the answer section.
4494 */
4495 if (sigrdataset != NULL)
4496 sigrdatasetp = &sigrdataset;
4497 else
4498 sigrdatasetp = NULL;
4499 if (WANTDNSSEC(client) &&
4500 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4501 {
4502 dns_fixedname_init(&wildcardname);
4503 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
4504 NULL);
4505 need_wildcardproof = ISC_TRUE;
4506 }
4507 if (NOQNAME(rdataset) && WANTDNSSEC(client))
4508 noqname = rdataset;
4509 else
4510 noqname = NULL;
4511 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4512 DNS_SECTION_ANSWER);
4513 if (noqname != NULL)
4514 query_addnoqnameproof(client, noqname);
4515 /*
4516 * We set the PARTIALANSWER attribute so that if anything goes
4517 * wrong later on, we'll return what we've got so far.
4518 */
4519 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
4520 /*
4521 * Reset qname to be the target name of the CNAME and restart
4522 * the query.
4523 */
4524 tname = NULL;
4525 result = dns_message_gettempname(client->message, &tname);
4526 if (result != ISC_R_SUCCESS)
4527 goto cleanup;
4528 result = dns_rdataset_first(trdataset);
4529 if (result != ISC_R_SUCCESS) {
4530 dns_message_puttempname(client->message, &tname);
4531 goto cleanup;
4532 }
4533 dns_rdataset_current(trdataset, &rdata);
4534 result = dns_rdata_tostruct(&rdata, &cname, NULL);
4535 dns_rdata_reset(&rdata);
4536 if (result != ISC_R_SUCCESS) {
4537 dns_message_puttempname(client->message, &tname);
4538 goto cleanup;
4539 }
4540 dns_name_init(tname, NULL);
4541 result = dns_name_dup(&cname.cname, client->mctx, tname);
4542 if (result != ISC_R_SUCCESS) {
4543 dns_message_puttempname(client->message, &tname);
4544 dns_rdata_freestruct(&cname);
4545 goto cleanup;
4546 }
4547 dns_rdata_freestruct(&cname);
4548 ns_client_qnamereplace(client, tname);
4549 want_restart = ISC_TRUE;
4550 if (!WANTRECURSION(client))
4551 options |= DNS_GETDB_NOLOG;
4552 goto addauth;
4553 case DNS_R_DNAME:
4554 /*
4555 * Compare the current qname to the found name. We need
4556 * to know how many labels and bits are in common because
4557 * we're going to have to split qname later on.
4558 */
4559 namereln = dns_name_fullcompare(client->query.qname, fname,
4560 &order, &nlabels);
4561 INSIST(namereln == dns_namereln_subdomain);
4562 /*
4563 * Keep a copy of the rdataset. We have to do this because
4564 * query_addrrset may clear 'rdataset' (to prevent the
4565 * cleanup code from cleaning it up).
4566 */
4567 trdataset = rdataset;
4568 /*
4569 * Add the DNAME to the answer section.
4570 */
4571 if (sigrdataset != NULL)
4572 sigrdatasetp = &sigrdataset;
4573 else
4574 sigrdatasetp = NULL;
4575 if (WANTDNSSEC(client) &&
4576 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4577 {
4578 dns_fixedname_init(&wildcardname);
4579 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
4580 NULL);
4581 need_wildcardproof = ISC_TRUE;
4582 }
4583 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4584 DNS_SECTION_ANSWER);
4585 /*
4586 * We set the PARTIALANSWER attribute so that if anything goes
4587 * wrong later on, we'll return what we've got so far.
4588 */
4589 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
4590 /*
4591 * Get the target name of the DNAME.
4592 */
4593 tname = NULL;
4594 result = dns_message_gettempname(client->message, &tname);
4595 if (result != ISC_R_SUCCESS)
4596 goto cleanup;
4597 result = dns_rdataset_first(trdataset);
4598 if (result != ISC_R_SUCCESS) {
4599 dns_message_puttempname(client->message, &tname);
4600 goto cleanup;
4601 }
4602 dns_rdataset_current(trdataset, &rdata);
4603 result = dns_rdata_tostruct(&rdata, &dname, NULL);
4604 dns_rdata_reset(&rdata);
4605 if (result != ISC_R_SUCCESS) {
4606 dns_message_puttempname(client->message, &tname);
4607 goto cleanup;
4608 }
4609 dns_name_init(tname, NULL);
4610 dns_name_clone(&dname.dname, tname);
4611 dns_rdata_freestruct(&dname);
4612 /*
4613 * Construct the new qname.
4614 */
4615 dns_fixedname_init(&fixed);
4616 prefix = dns_fixedname_name(&fixed);
4617 dns_name_split(client->query.qname, nlabels, prefix, NULL);
4618 INSIST(fname == NULL);
4619 dbuf = query_getnamebuf(client);
4620 if (dbuf == NULL) {
4621 dns_message_puttempname(client->message, &tname);
4622 goto cleanup;
4623 }
4624 fname = query_newname(client, dbuf, &b);
4625 if (fname == NULL) {
4626 dns_message_puttempname(client->message, &tname);
4627 goto cleanup;
4628 }
4629 result = dns_name_concatenate(prefix, tname, fname, NULL);
4630 if (result != ISC_R_SUCCESS) {
4631 dns_message_puttempname(client->message, &tname);
4632 if (result == ISC_R_NOSPACE) {
4633 /*
4634 * RFC2672, section 4.1, subsection 3c says
4635 * we should return YXDOMAIN if the constructed
4636 * name would be too long.
4637 */
4638 client->message->rcode = dns_rcode_yxdomain;
4639 }
4640 goto cleanup;
4641 }
4642 query_keepname(client, fname, dbuf);
4643 /*
4644 * Synthesize a CNAME for this DNAME.
4645 *
4646 * We want to synthesize a CNAME since if we don't
4647 * then older software that doesn't understand DNAME
4648 * will not chain like it should.
4649 *
4650 * We do not try to synthesize a signature because we hope
4651 * that security aware servers will understand DNAME. Also,
4652 * even if we had an online key, making a signature
4653 * on-the-fly is costly, and not really legitimate anyway
4654 * since the synthesized CNAME is NOT in the zone.
4655 */
4656 dns_name_init(tname, NULL);
4657 (void)query_addcnamelike(client, client->query.qname, fname,
4658 trdataset, &tname,
4659 dns_rdatatype_cname);
4660 if (tname != NULL)
4661 dns_message_puttempname(client->message, &tname);
4662 /*
4663 * Switch to the new qname and restart.
4664 */
4665 ns_client_qnamereplace(client, fname);
4666 fname = NULL;
4667 want_restart = ISC_TRUE;
4668 if (!WANTRECURSION(client))
4669 options |= DNS_GETDB_NOLOG;
4670 goto addauth;
4671 default:
4672 /*
4673 * Something has gone wrong.
4674 */
4675 QUERY_ERROR(DNS_R_SERVFAIL);
4676 goto cleanup;
4677 }
4678
4679 if (WANTDNSSEC(client) &&
4680 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4681 {
4682 dns_fixedname_init(&wildcardname);
4683 dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
4684 need_wildcardproof = ISC_TRUE;
4685 }
4686
4687 if (type == dns_rdatatype_any) {
4688 #ifdef ALLOW_FILTER_AAAA_ON_V4
4689 isc_boolean_t have_aaaa, have_a, have_sig;
4690
4691 /*
4692 * The filter-aaaa-on-v4 option should
4693 * suppress AAAAs for IPv4 clients if there is an A.
4694 * If we are not authoritative, assume there is a A
4695 * even in if it is not in our cache. This assumption could
4696 * be wrong but it is a good bet.
4697 */
4698 have_aaaa = ISC_FALSE;
4699 have_a = !authoritative;
4700 have_sig = ISC_FALSE;
4701 #endif
4702 /*
4703 * XXXRTH Need to handle zonecuts with special case
4704 * code.
4705 */
4706 n = 0;
4707 rdsiter = NULL;
4708 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
4709 if (result != ISC_R_SUCCESS) {
4710 QUERY_ERROR(DNS_R_SERVFAIL);
4711 goto cleanup;
4712 }
4713 /*
4714 * Calling query_addrrset() with a non-NULL dbuf is going
4715 * to either keep or release the name. We don't want it to
4716 * release fname, since we may have to call query_addrrset()
4717 * more than once. That means we have to call query_keepname()
4718 * now, and pass a NULL dbuf to query_addrrset().
4719 *
4720 * If we do a query_addrrset() below, we must set fname to
4721 * NULL before leaving this block, otherwise we might try to
4722 * cleanup fname even though we're using it!
4723 */
4724 query_keepname(client, fname, dbuf);
4725 tname = fname;
4726 result = dns_rdatasetiter_first(rdsiter);
4727 while (result == ISC_R_SUCCESS) {
4728 dns_rdatasetiter_current(rdsiter, rdataset);
4729 #ifdef ALLOW_FILTER_AAAA_ON_V4
4730 /*
4731 * Notice the presence of A and AAAAs so
4732 * that AAAAs can be hidden from IPv4 clients.
4733 */
4734 if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
4735 client->peeraddr_valid &&
4736 client->peeraddr.type.sa.sa_family == AF_INET) {
4737 if (rdataset->type == dns_rdatatype_aaaa)
4738 have_aaaa = ISC_TRUE;
4739 else if (rdataset->type == dns_rdatatype_a)
4740 have_a = ISC_TRUE;
4741 }
4742 #endif
4743 if (is_zone && qtype == dns_rdatatype_any &&
4744 !dns_db_issecure(db) &&
4745 dns_rdatatype_isdnssec(rdataset->type)) {
4746 /*
4747 * The zone is transitioning from insecure
4748 * to secure. Hide the dnssec records from
4749 * ANY queries.
4750 */
4751 dns_rdataset_disassociate(rdataset);
4752 } else if ((qtype == dns_rdatatype_any ||
4753 rdataset->type == qtype) && rdataset->type != 0) {
4754 #ifdef ALLOW_FILTER_AAAA_ON_V4
4755 if (dns_rdatatype_isdnssec(rdataset->type))
4756 have_sig = ISC_TRUE;
4757 #endif
4758 if (NOQNAME(rdataset) && WANTDNSSEC(client))
4759 noqname = rdataset;
4760 else
4761 noqname = NULL;
4762 query_addrrset(client,
4763 fname != NULL ? &fname : &tname,
4764 &rdataset, NULL,
4765 NULL, DNS_SECTION_ANSWER);
4766 if (noqname != NULL)
4767 query_addnoqnameproof(client, noqname);
4768 n++;
4769 INSIST(tname != NULL);
4770 /*
4771 * rdataset is non-NULL only in certain
4772 * pathological cases involving DNAMEs.
4773 */
4774 if (rdataset != NULL)
4775 query_putrdataset(client, &rdataset);
4776 rdataset = query_newrdataset(client);
4777 if (rdataset == NULL)
4778 break;
4779 } else {
4780 /*
4781 * We're not interested in this rdataset.
4782 */
4783 dns_rdataset_disassociate(rdataset);
4784 }
4785 result = dns_rdatasetiter_next(rdsiter);
4786 }
4787
4788 #ifdef ALLOW_FILTER_AAAA_ON_V4
4789 /*
4790 * Filter AAAAs if there is an A and there is no signature
4791 * or we are supposed to break DNSSEC.
4792 */
4793 if (have_aaaa && have_a &&
4794 (!have_sig || !WANTDNSSEC(client) ||
4795 client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
4796 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
4797 #endif
4798 if (fname != NULL)
4799 dns_message_puttempname(client->message, &fname);
4800
4801 if (n == 0 && is_zone) {
4802 /*
4803 * We didn't match any rdatasets.
4804 */
4805 if (qtype == dns_rdatatype_rrsig &&
4806 result == ISC_R_NOMORE) {
4807 /*
4808 * XXXRTH If this is a secure zone and we
4809 * didn't find any SIGs, we should generate
4810 * an error unless we were searching for
4811 * glue. Ugh.
4812 */
4813 if (!is_zone) {
4814 authoritative = ISC_FALSE;
4815 dns_rdatasetiter_destroy(&rdsiter);
4816 if (RECURSIONOK(client)) {
4817 result = query_recurse(client,
4818 qtype,
4819 NULL,
4820 NULL,
4821 resuming);
4822 if (result == ISC_R_SUCCESS)
4823 client->query.attributes |=
4824 NS_QUERYATTR_RECURSING;
4825 else
4826 RECURSE_ERROR(result);
4827 }
4828 goto addauth;
4829 }
4830 /*
4831 * We were searching for SIG records in
4832 * a nonsecure zone. Send a "no error,
4833 * no data" response.
4834 */
4835 /*
4836 * Add SOA.
4837 */
4838 result = query_addsoa(client, db, version,
4839 ISC_FALSE);
4840 if (result == ISC_R_SUCCESS)
4841 result = ISC_R_NOMORE;
4842 } else {
4843 /*
4844 * Something went wrong.
4845 */
4846 result = DNS_R_SERVFAIL;
4847 }
4848 }
4849 dns_rdatasetiter_destroy(&rdsiter);
4850 if (result != ISC_R_NOMORE) {
4851 QUERY_ERROR(DNS_R_SERVFAIL);
4852 goto cleanup;
4853 }
4854 } else {
4855 /*
4856 * This is the "normal" case -- an ordinary question to which
4857 * we know the answer.
4858 */
4859 #ifdef ALLOW_FILTER_AAAA_ON_V4
4860 /*
4861 * Optionally hide AAAAs from IPv4 clients if there is an A.
4862 * We add the AAAAs now, but might refuse to render them later
4863 * after DNSSEC is figured out.
4864 * This could be more efficient, but the whole idea is
4865 * so fundamentally wrong, unavoidably inaccurate, and
4866 * unneeded that it is best to keep it as short as possible.
4867 */
4868 if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
4869 client->peeraddr_valid &&
4870 client->peeraddr.type.sa.sa_family == AF_INET &&
4871 (!WANTDNSSEC(client) ||
4872 sigrdataset == NULL ||
4873 !dns_rdataset_isassociated(sigrdataset) ||
4874 client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
4875 if (qtype == dns_rdatatype_aaaa) {
4876 trdataset = query_newrdataset(client);
4877 result = dns_db_findrdataset(db, node, version,
4878 dns_rdatatype_a, 0,
4879 client->now,
4880 trdataset, NULL);
4881 if (dns_rdataset_isassociated(trdataset))
4882 dns_rdataset_disassociate(trdataset);
4883 query_putrdataset(client, &trdataset);
4884
4885 /*
4886 * We have an AAAA but the A is not in our cache.
4887 * Assume any result other than DNS_R_DELEGATION
4888 * or ISC_R_NOTFOUND means there is no A and
4889 * so AAAAs are ok.
4890 * Assume there is no A if we can't recurse
4891 * for this client, although that could be
4892 * the wrong answer. What else can we do?
4893 * Besides, that we have the AAAA and are using
4894 * this mechanism suggests that we care more
4895 * about As than AAAAs and would have cached
4896 * the A if it existed.
4897 */
4898 if (result == ISC_R_SUCCESS) {
4899 client->attributes |=
4900 NS_CLIENTATTR_FILTER_AAAA;
4901
4902 } else if (authoritative ||
4903 !RECURSIONOK(client) ||
4904 (result != DNS_R_DELEGATION &&
4905 result != ISC_R_NOTFOUND)) {
4906 client->attributes &=
4907 ~NS_CLIENTATTR_FILTER_AAAA;
4908 } else {
4909 /*
4910 * This is an ugly kludge to recurse
4911 * for the A and discard the result.
4912 *
4913 * Continue to add the AAAA now.
4914 * We'll make a note to not render it
4915 * if the recursion for the A succeeds.
4916 */
4917 result = query_recurse(client,
4918 dns_rdatatype_a,
4919 NULL, NULL, resuming);
4920 if (result == ISC_R_SUCCESS) {
4921 client->attributes |=
4922 NS_CLIENTATTR_FILTER_AAAA_RC;
4923 client->query.attributes |=
4924 NS_QUERYATTR_RECURSING;
4925 }
4926 }
4927
4928 } else if (qtype == dns_rdatatype_a &&
4929 (client->attributes &
4930 NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
4931 client->attributes &=
4932 ~NS_CLIENTATTR_FILTER_AAAA_RC;
4933 client->attributes |=
4934 NS_CLIENTATTR_FILTER_AAAA;
4935 dns_rdataset_disassociate(rdataset);
4936 if (sigrdataset != NULL &&
4937 dns_rdataset_isassociated(sigrdataset))
4938 dns_rdataset_disassociate(sigrdataset);
4939 goto cleanup;
4940 }
4941 }
4942 #endif
4943 if (sigrdataset != NULL)
4944 sigrdatasetp = &sigrdataset;
4945 else
4946 sigrdatasetp = NULL;
4947 if (NOQNAME(rdataset) && WANTDNSSEC(client))
4948 noqname = rdataset;
4949 else
4950 noqname = NULL;
4951 /*
4952 * BIND 8 priming queries need the additional section.
4953 */
4954 if (is_zone && qtype == dns_rdatatype_ns &&
4955 dns_name_equal(client->query.qname, dns_rootname))
4956 client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
4957
4958 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4959 DNS_SECTION_ANSWER);
4960 if (noqname != NULL)
4961 query_addnoqnameproof(client, noqname);
4962 /*
4963 * We shouldn't ever fail to add 'rdataset'
4964 * because it's already in the answer.
4965 */
4966 INSIST(rdataset == NULL);
4967 }
4968
4969 addauth:
4970 CTRACE("query_find: addauth");
4971 /*
4972 * Add NS records to the authority section (if we haven't already
4973 * added them to the answer section).
4974 */
4975 if (!want_restart && !NOAUTHORITY(client)) {
4976 if (is_zone) {
4977 if (!((qtype == dns_rdatatype_ns ||
4978 qtype == dns_rdatatype_any) &&
4979 dns_name_equal(client->query.qname,
4980 dns_db_origin(db))))
4981 (void)query_addns(client, db, version);
4982 } else if (qtype != dns_rdatatype_ns) {
4983 if (fname != NULL)
4984 query_releasename(client, &fname);
4985 query_addbestns(client);
4986 }
4987 }
4988
4989 /*
4990 * Add NSEC records to the authority section if they're needed for
4991 * DNSSEC wildcard proofs.
4992 */
4993 if (need_wildcardproof && dns_db_issecure(db))
4994 query_addwildcardproof(client, db, version,
4995 dns_fixedname_name(&wildcardname),
4996 ISC_TRUE);
4997 cleanup:
4998 CTRACE("query_find: cleanup");
4999 /*
5000 * General cleanup.
5001 */
5002 if (rdataset != NULL)
5003 query_putrdataset(client, &rdataset);
5004 if (sigrdataset != NULL)
5005 query_putrdataset(client, &sigrdataset);
5006 if (fname != NULL)
5007 query_releasename(client, &fname);
5008 if (node != NULL)
5009 dns_db_detachnode(db, &node);
5010 if (db != NULL)
5011 dns_db_detach(&db);
5012 if (zone != NULL)
5013 dns_zone_detach(&zone);
5014 if (zdb != NULL) {
5015 query_putrdataset(client, &zrdataset);
5016 if (zsigrdataset != NULL)
5017 query_putrdataset(client, &zsigrdataset);
5018 if (zfname != NULL)
5019 query_releasename(client, &zfname);
5020 dns_db_detach(&zdb);
5021 }
5022 if (event != NULL)
5023 isc_event_free(ISC_EVENT_PTR(&event));
5024
5025 /*
5026 * AA bit.
5027 */
5028 if (client->query.restarts == 0 && !authoritative) {
5029 /*
5030 * We're not authoritative, so we must ensure the AA bit
5031 * isn't set.
5032 */
5033 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
5034 }
5035
5036 /*
5037 * Restart the query?
5038 */
5039 if (want_restart && client->query.restarts < MAX_RESTARTS) {
5040 client->query.restarts++;
5041 goto restart;
5042 }
5043
5044 if (eresult != ISC_R_SUCCESS &&
5045 (!PARTIALANSWER(client) || WANTRECURSION(client))) {
5046 if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {
5047 /*
5048 * This was a duplicate query that we are
5049 * recursing on. Don't send a response now.
5050 * The original query will still cause a response.
5051 */
5052 query_next(client, eresult);
5053 } else {
5054 /*
5055 * If we don't have any answer to give the client,
5056 * or if the client requested recursion and thus wanted
5057 * the complete answer, send an error response.
5058 */
5059 INSIST(line >= 0);
5060 query_error(client, eresult, line);
5061 }
5062 ns_client_detach(&client);
5063 } else if (!RECURSING(client)) {
5064 /*
5065 * We are done. Set up sortlist data for the message
5066 * rendering code, make a final tweak to the AA bit if the
5067 * auth-nxdomain config option says so, then render and
5068 * send the response.
5069 */
5070 setup_query_sortlist(client);
5071
5072 /*
5073 * If this is a referral and the answer to the question
5074 * is in the glue sort it to the start of the additional
5075 * section.
5076 */
5077 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
5078 client->message->rcode == dns_rcode_noerror &&
5079 (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
5080 answer_in_glue(client, qtype);
5081
5082 if (client->message->rcode == dns_rcode_nxdomain &&
5083 client->view->auth_nxdomain == ISC_TRUE)
5084 client->message->flags |= DNS_MESSAGEFLAG_AA;
5085
5086 /*
5087 * If the response is somehow unexpected for the client and this
5088 * is a result of recursion, return an error to the caller
5089 * to indicate it may need to be logged.
5090 */
5091 if (resuming &&
5092 (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
5093 client->message->rcode != dns_rcode_noerror))
5094 eresult = ISC_R_FAILURE;
5095
5096 query_send(client);
5097 ns_client_detach(&client);
5098 }
5099 CTRACE("query_find: done");
5100
5101 return (eresult);
5102 }
5103
5104 static inline void
5105 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
5106 char namebuf[DNS_NAME_FORMATSIZE];
5107 char typename[DNS_RDATATYPE_FORMATSIZE];
5108 char classname[DNS_RDATACLASS_FORMATSIZE];
5109 char onbuf[ISC_NETADDR_FORMATSIZE];
5110 dns_rdataset_t *rdataset;
5111 int level = ISC_LOG_INFO;
5112
5113 if (! isc_log_wouldlog(ns_g_lctx, level))
5114 return;
5115
5116 rdataset = ISC_LIST_HEAD(client->query.qname->list);
5117 INSIST(rdataset != NULL);
5118 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
5119 dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
5120 dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
5121 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
5122
5123 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
5124 level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf,
5125 classname, typename, WANTRECURSION(client) ? "+" : "-",
5126 (client->signer != NULL) ? "S": "",
5127 (client->opt != NULL) ? "E" : "",
5128 ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
5129 "T" : "",
5130 ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
5131 ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
5132 onbuf);
5133 }
5134
5135 static inline void
5136 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
5137 char namebuf[DNS_NAME_FORMATSIZE];
5138 char typename[DNS_RDATATYPE_FORMATSIZE];
5139 char classname[DNS_RDATACLASS_FORMATSIZE];
5140 const char *namep, *typep, *classp, *sep1, *sep2;
5141 dns_rdataset_t *rdataset;
5142
5143 if (!isc_log_wouldlog(ns_g_lctx, level))
5144 return;
5145
5146 namep = typep = classp = sep1 = sep2 = "";
5147
5148 /*
5149 * Query errors can happen for various reasons. In some cases we cannot
5150 * even assume the query contains a valid question section, so we should
5151 * expect exceptional cases.
5152 */
5153 if (client->query.origqname != NULL) {
5154 dns_name_format(client->query.origqname, namebuf,
5155 sizeof(namebuf));
5156 namep = namebuf;
5157 sep1 = " for ";
5158
5159 rdataset = ISC_LIST_HEAD(client->query.origqname->list);
5160 if (rdataset != NULL) {
5161 dns_rdataclass_format(rdataset->rdclass, classname,
5162 sizeof(classname));
5163 classp = classname;
5164 dns_rdatatype_format(rdataset->type, typename,
5165 sizeof(typename));
5166 typep = typename;
5167 sep2 = "/";
5168 }
5169 }
5170
5171 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
5172 level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
5173 isc_result_totext(result), sep1, namep, sep2,
5174 classp, sep2, typep, __FILE__, line);
5175 }
5176
5177 void
5178 ns_query_start(ns_client_t *client) {
5179 isc_result_t result;
5180 dns_message_t *message = client->message;
5181 dns_rdataset_t *rdataset;
5182 ns_client_t *qclient;
5183 dns_rdatatype_t qtype;
5184 unsigned int saved_extflags = client->extflags;
5185 unsigned int saved_flags = client->message->flags;
5186 isc_boolean_t want_ad;
5187
5188 CTRACE("ns_query_start");
5189
5190 /*
5191 * Test only.
5192 */
5193 if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
5194 RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
5195
5196 /*
5197 * Ensure that appropriate cleanups occur.
5198 */
5199 client->next = query_next_callback;
5200
5201 /*
5202 * Behave as if we don't support DNSSEC if not enabled.
5203 */
5204 if (!client->view->enablednssec) {
5205 message->flags &= ~DNS_MESSAGEFLAG_CD;
5206 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
5207 if (client->opt != NULL)
5208 client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
5209 }
5210
5211 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
5212 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
5213
5214 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
5215 client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
5216
5217 if (client->view->minimalresponses)
5218 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
5219 NS_QUERYATTR_NOADDITIONAL);
5220
5221 if ((client->view->cachedb == NULL)
5222 || (!client->view->additionalfromcache)) {
5223 /*
5224 * We don't have a cache. Turn off cache support and
5225 * recursion.
5226 */
5227 client->query.attributes &=
5228 ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
5229 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
5230 (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
5231 /*
5232 * If the client isn't allowed to recurse (due to
5233 * "recursion no", the allow-recursion ACL, or the
5234 * lack of a resolver in this view), or if it
5235 * doesn't want recursion, turn recursion off.
5236 */
5237 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
5238 }
5239
5240 /*
5241 * Get the question name.
5242 */
5243 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
5244 if (result != ISC_R_SUCCESS) {
5245 query_error(client, result, __LINE__);
5246 return;
5247 }
5248 dns_message_currentname(message, DNS_SECTION_QUESTION,
5249 &client->query.qname);
5250 client->query.origqname = client->query.qname;
5251 result = dns_message_nextname(message, DNS_SECTION_QUESTION);
5252 if (result != ISC_R_NOMORE) {
5253 if (result == ISC_R_SUCCESS) {
5254 /*
5255 * There's more than one QNAME in the question
5256 * section.
5257 */
5258 query_error(client, DNS_R_FORMERR, __LINE__);
5259 } else
5260 query_error(client, result, __LINE__);
5261 return;
5262 }
5263
5264 if (ns_g_server->log_queries)
5265 log_query(client, saved_flags, saved_extflags);
5266
5267 /*
5268 * Check for multiple question queries, since edns1 is dead.
5269 */
5270 if (message->counts[DNS_SECTION_QUESTION] > 1) {
5271 query_error(client, DNS_R_FORMERR, __LINE__);
5272 return;
5273 }
5274
5275 /*
5276 * Check for meta-queries like IXFR and AXFR.
5277 */
5278 rdataset = ISC_LIST_HEAD(client->query.qname->list);
5279 INSIST(rdataset != NULL);
5280 qtype = rdataset->type;
5281 dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
5282 if (dns_rdatatype_ismeta(qtype)) {
5283 switch (qtype) {
5284 case dns_rdatatype_any:
5285 break; /* Let query_find handle it. */
5286 case dns_rdatatype_ixfr:
5287 case dns_rdatatype_axfr:
5288 ns_xfr_start(client, rdataset->type);
5289 return;
5290 case dns_rdatatype_maila:
5291 case dns_rdatatype_mailb:
5292 query_error(client, DNS_R_NOTIMP, __LINE__);
5293 return;
5294 case dns_rdatatype_tkey:
5295 result = dns_tkey_processquery(client->message,
5296 ns_g_server->tkeyctx,
5297 client->view->dynamickeys);
5298 if (result == ISC_R_SUCCESS)
5299 query_send(client);
5300 else
5301 query_error(client, result, __LINE__);
5302 return;
5303 default: /* TSIG, etc. */
5304 query_error(client, DNS_R_FORMERR, __LINE__);
5305 return;
5306 }
5307 }
5308
5309 /*
5310 * Turn on minimal response for DNSKEY and DS queries.
5311 */
5312 if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
5313 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
5314 NS_QUERYATTR_NOADDITIONAL);
5315
5316 /*
5317 * Turn on minimal responses for EDNS/UDP bufsize 512 queries.
5318 */
5319 if (client->opt != NULL && client->udpsize <= 512U &&
5320 (client->attributes & NS_CLIENTATTR_TCP) == 0)
5321 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
5322 NS_QUERYATTR_NOADDITIONAL);
5323
5324 /*
5325 * If the client has requested that DNSSEC checking be disabled,
5326 * allow lookups to return pending data and instruct the resolver
5327 * to return data before validation has completed.
5328 *
5329 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
5330 * disabled as there will be no pending data.
5331 */
5332 if (message->flags & DNS_MESSAGEFLAG_CD ||
5333 qtype == dns_rdatatype_rrsig)
5334 {
5335 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
5336 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
5337 } else if (!client->view->enablevalidation)
5338 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
5339
5340 /*
5341 * Allow glue NS records to be added to the authority section
5342 * if the answer is secure.
5343 */
5344 if (message->flags & DNS_MESSAGEFLAG_CD)
5345 client->query.attributes &= ~NS_QUERYATTR_SECURE;
5346
5347 /*
5348 * Set 'want_ad' if the client has set AD in the query.
5349 * This allows AD to be returned on queries without DO set.
5350 */
5351 if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
5352 want_ad = ISC_TRUE;
5353 else
5354 want_ad = ISC_FALSE;
5355
5356 /*
5357 * This is an ordinary query.
5358 */
5359 result = dns_message_reply(message, ISC_TRUE);
5360 if (result != ISC_R_SUCCESS) {
5361 query_next(client, result);
5362 return;
5363 }
5364
5365 /*
5366 * Assume authoritative response until it is known to be
5367 * otherwise.
5368 */
5369 message->flags |= DNS_MESSAGEFLAG_AA;
5370
5371 /*
5372 * Set AD. We must clear it if we add non-validated data to a
5373 * response.
5374 */
5375 if (WANTDNSSEC(client) || want_ad)
5376 message->flags |= DNS_MESSAGEFLAG_AD;
5377
5378 qclient = NULL;
5379 ns_client_attach(client, &qclient);
5380 (void)query_find(qclient, NULL, qtype);
5381 }
NetBSD on the FriendlyARM MINI2440