2 * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: query.c,v 1.298.48.15.2.1 2009/11/18 23:41:17 marka Exp $ */
27 #include <isc/stats.h>
31 #include <dns/byaddr.h>
36 #include <dns/dnssec.h>
37 #include <dns/events.h>
38 #include <dns/message.h>
39 #include <dns/ncache.h>
40 #include <dns/order.h>
41 #include <dns/rdata.h>
42 #include <dns/rdataclass.h>
43 #include <dns/rdatalist.h>
44 #include <dns/rdataset.h>
45 #include <dns/rdatasetiter.h>
46 #include <dns/rdatastruct.h>
47 #include <dns/rdatatype.h>
48 #include <dns/resolver.h>
49 #include <dns/result.h>
50 #include <dns/stats.h>
56 #include <named/client.h>
57 #include <named/log.h>
58 #include <named/server.h>
59 #include <named/sortlist.h>
60 #include <named/xfrout.h>
62 /*% Partial answer? */
63 #define PARTIALANSWER(c) (((c)->query.attributes & \
64 NS_QUERYATTR_PARTIALANSWER) != 0)
66 #define USECACHE(c) (((c)->query.attributes & \
67 NS_QUERYATTR_CACHEOK) != 0)
69 #define RECURSIONOK(c) (((c)->query.attributes & \
70 NS_QUERYATTR_RECURSIONOK) != 0)
72 #define RECURSING(c) (((c)->query.attributes & \
73 NS_QUERYATTR_RECURSING) != 0)
75 #define CACHEGLUEOK(c) (((c)->query.attributes & \
76 NS_QUERYATTR_CACHEGLUEOK) != 0)
77 /*% Want Recursion? */
78 #define WANTRECURSION(c) (((c)->query.attributes & \
79 NS_QUERYATTR_WANTRECURSION) != 0)
81 #define WANTDNSSEC(c) (((c)->attributes & \
82 NS_CLIENTATTR_WANTDNSSEC) != 0)
84 #define NOAUTHORITY(c) (((c)->query.attributes & \
85 NS_QUERYATTR_NOAUTHORITY) != 0)
87 #define NOADDITIONAL(c) (((c)->query.attributes & \
88 NS_QUERYATTR_NOADDITIONAL) != 0)
90 #define SECURE(c) (((c)->query.attributes & \
91 NS_QUERYATTR_SECURE) != 0)
94 #define CTRACE(m) isc_log_write(ns_g_lctx, \
95 NS_LOGCATEGORY_CLIENT, \
98 "client %p: %s", client, (m))
99 #define QTRACE(m) isc_log_write(ns_g_lctx, \
100 NS_LOGCATEGORY_GENERAL, \
101 NS_LOGMODULE_QUERY, \
103 "query %p: %s", query, (m))
105 #define CTRACE(m) ((void)m)
106 #define QTRACE(m) ((void)m)
109 #define DNS_GETDB_NOEXACT 0x01U
110 #define DNS_GETDB_NOLOG 0x02U
111 #define DNS_GETDB_PARTIAL 0x04U
113 #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
115 typedef struct client_additionalctx {
117 dns_rdataset_t *rdataset;
118 } client_additionalctx_t;
121 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
124 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
125 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
128 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
131 * Increment query statistics counters.
134 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
135 dns_zone_t *zone = client->query.authzone;
137 isc_stats_increment(ns_g_server->nsstats, counter);
140 isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
141 if (zonestats != NULL)
142 isc_stats_increment(zonestats, counter);
147 query_send(ns_client_t *client) {
148 isc_statscounter_t counter;
149 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
150 inc_stats(client, dns_nsstatscounter_nonauthans);
152 inc_stats(client, dns_nsstatscounter_authans);
153 if (client->message->rcode == dns_rcode_noerror) {
154 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
155 if (client->query.isreferral) {
156 counter = dns_nsstatscounter_referral;
158 counter = dns_nsstatscounter_nxrrset;
161 counter = dns_nsstatscounter_success;
163 } else if (client->message->rcode == dns_rcode_nxdomain) {
164 counter = dns_nsstatscounter_nxdomain;
166 /* We end up here in case of YXDOMAIN, and maybe others */
167 counter = dns_nsstatscounter_failure;
169 inc_stats(client, counter);
170 ns_client_send(client);
174 query_error(ns_client_t *client, isc_result_t result, int line) {
175 int loglevel = ISC_LOG_DEBUG(3);
179 loglevel = ISC_LOG_DEBUG(1);
180 inc_stats(client, dns_nsstatscounter_servfail);
183 inc_stats(client, dns_nsstatscounter_formerr);
186 inc_stats(client, dns_nsstatscounter_failure);
190 log_queryerror(client, result, line, loglevel);
192 ns_client_error(client, result);
196 query_next(ns_client_t *client, isc_result_t result) {
197 if (result == DNS_R_DUPLICATE)
198 inc_stats(client, dns_nsstatscounter_duplicate);
199 else if (result == DNS_R_DROP)
200 inc_stats(client, dns_nsstatscounter_dropped);
202 inc_stats(client, dns_nsstatscounter_failure);
203 ns_client_next(client, result);
207 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
208 ns_dbversion_t *dbversion, *dbversion_next;
211 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
213 dbversion = dbversion_next, i++)
215 dbversion_next = ISC_LIST_NEXT(dbversion, link);
217 * If we're not freeing everything, we keep the first three
218 * dbversions structures around.
220 if (i > 3 || everything) {
221 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
223 isc_mem_put(client->mctx, dbversion,
230 ns_query_cancel(ns_client_t *client) {
231 LOCK(&client->query.fetchlock);
232 if (client->query.fetch != NULL) {
233 dns_resolver_cancelfetch(client->query.fetch);
235 client->query.fetch = NULL;
237 UNLOCK(&client->query.fetchlock);
241 query_reset(ns_client_t *client, isc_boolean_t everything) {
242 isc_buffer_t *dbuf, *dbuf_next;
243 ns_dbversion_t *dbversion, *dbversion_next;
246 * Reset the query state of a client to its default state.
250 * Cancel the fetch if it's running.
252 ns_query_cancel(client);
255 * Cleanup any active versions.
257 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
259 dbversion = dbversion_next) {
260 dbversion_next = ISC_LIST_NEXT(dbversion, link);
261 dns_db_closeversion(dbversion->db, &dbversion->version,
263 dns_db_detach(&dbversion->db);
264 ISC_LIST_INITANDAPPEND(client->query.freeversions,
267 ISC_LIST_INIT(client->query.activeversions);
269 if (client->query.authdb != NULL)
270 dns_db_detach(&client->query.authdb);
271 if (client->query.authzone != NULL)
272 dns_zone_detach(&client->query.authzone);
274 query_freefreeversions(client, everything);
276 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
279 dbuf_next = ISC_LIST_NEXT(dbuf, link);
280 if (dbuf_next != NULL || everything) {
281 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
282 isc_buffer_free(&dbuf);
286 if (client->query.restarts > 0) {
288 * client->query.qname was dynamically allocated.
290 dns_message_puttempname(client->message,
291 &client->query.qname);
293 client->query.qname = NULL;
294 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
295 NS_QUERYATTR_CACHEOK |
296 NS_QUERYATTR_SECURE);
297 client->query.restarts = 0;
298 client->query.timerset = ISC_FALSE;
299 client->query.origqname = NULL;
300 client->query.qname = NULL;
301 client->query.dboptions = 0;
302 client->query.fetchoptions = 0;
303 client->query.gluedb = NULL;
304 client->query.authdbset = ISC_FALSE;
305 client->query.isreferral = ISC_FALSE;
309 query_next_callback(ns_client_t *client) {
310 query_reset(client, ISC_FALSE);
314 ns_query_free(ns_client_t *client) {
315 query_reset(client, ISC_TRUE);
318 static inline isc_result_t
319 query_newnamebuf(ns_client_t *client) {
323 CTRACE("query_newnamebuf");
325 * Allocate a name buffer.
329 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
330 if (result != ISC_R_SUCCESS) {
331 CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
334 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
336 CTRACE("query_newnamebuf: done");
337 return (ISC_R_SUCCESS);
340 static inline isc_buffer_t *
341 query_getnamebuf(ns_client_t *client) {
346 CTRACE("query_getnamebuf");
348 * Return a name buffer with space for a maximal name, allocating
349 * a new one if necessary.
352 if (ISC_LIST_EMPTY(client->query.namebufs)) {
353 result = query_newnamebuf(client);
354 if (result != ISC_R_SUCCESS) {
355 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
360 dbuf = ISC_LIST_TAIL(client->query.namebufs);
361 INSIST(dbuf != NULL);
362 isc_buffer_availableregion(dbuf, &r);
363 if (r.length < 255) {
364 result = query_newnamebuf(client);
365 if (result != ISC_R_SUCCESS) {
366 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
370 dbuf = ISC_LIST_TAIL(client->query.namebufs);
371 isc_buffer_availableregion(dbuf, &r);
372 INSIST(r.length >= 255);
374 CTRACE("query_getnamebuf: done");
379 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
382 CTRACE("query_keepname");
384 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
385 * adjusted to take account of that. We do the adjustment.
388 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
390 dns_name_toregion(name, &r);
391 isc_buffer_add(dbuf, r.length);
392 dns_name_setbuffer(name, NULL);
393 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
397 query_releasename(ns_client_t *client, dns_name_t **namep) {
398 dns_name_t *name = *namep;
401 * 'name' is no longer needed. Return it to our pool of temporary
402 * names. If it is using a name buffer, relinquish its exclusive
403 * rights on the buffer.
406 CTRACE("query_releasename");
407 if (dns_name_hasbuffer(name)) {
408 INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
410 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
412 dns_message_puttempname(client->message, namep);
413 CTRACE("query_releasename: done");
416 static inline dns_name_t *
417 query_newname(ns_client_t *client, isc_buffer_t *dbuf,
424 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
426 CTRACE("query_newname");
428 result = dns_message_gettempname(client->message, &name);
429 if (result != ISC_R_SUCCESS) {
430 CTRACE("query_newname: dns_message_gettempname failed: done");
433 isc_buffer_availableregion(dbuf, &r);
434 isc_buffer_init(nbuf, r.base, r.length);
435 dns_name_init(name, NULL);
436 dns_name_setbuffer(name, nbuf);
437 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
439 CTRACE("query_newname: done");
443 static inline dns_rdataset_t *
444 query_newrdataset(ns_client_t *client) {
445 dns_rdataset_t *rdataset;
448 CTRACE("query_newrdataset");
450 result = dns_message_gettemprdataset(client->message, &rdataset);
451 if (result != ISC_R_SUCCESS) {
452 CTRACE("query_newrdataset: "
453 "dns_message_gettemprdataset failed: done");
456 dns_rdataset_init(rdataset);
458 CTRACE("query_newrdataset: done");
463 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
464 dns_rdataset_t *rdataset = *rdatasetp;
466 CTRACE("query_putrdataset");
467 if (rdataset != NULL) {
468 if (dns_rdataset_isassociated(rdataset))
469 dns_rdataset_disassociate(rdataset);
470 dns_message_puttemprdataset(client->message, rdatasetp);
472 CTRACE("query_putrdataset: done");
476 static inline isc_result_t
477 query_newdbversion(ns_client_t *client, unsigned int n) {
479 ns_dbversion_t *dbversion;
481 for (i = 0; i < n; i++) {
482 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
483 if (dbversion != NULL) {
484 dbversion->db = NULL;
485 dbversion->version = NULL;
486 ISC_LIST_INITANDAPPEND(client->query.freeversions,
490 * We only return ISC_R_NOMEMORY if we couldn't
494 return (ISC_R_NOMEMORY);
496 return (ISC_R_SUCCESS);
500 return (ISC_R_SUCCESS);
503 static inline ns_dbversion_t *
504 query_getdbversion(ns_client_t *client) {
506 ns_dbversion_t *dbversion;
508 if (ISC_LIST_EMPTY(client->query.freeversions)) {
509 result = query_newdbversion(client, 1);
510 if (result != ISC_R_SUCCESS)
513 dbversion = ISC_LIST_HEAD(client->query.freeversions);
514 INSIST(dbversion != NULL);
515 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
521 ns_query_init(ns_client_t *client) {
524 ISC_LIST_INIT(client->query.namebufs);
525 ISC_LIST_INIT(client->query.activeversions);
526 ISC_LIST_INIT(client->query.freeversions);
527 client->query.restarts = 0;
528 client->query.timerset = ISC_FALSE;
529 client->query.qname = NULL;
530 result = isc_mutex_init(&client->query.fetchlock);
531 if (result != ISC_R_SUCCESS)
533 client->query.fetch = NULL;
534 client->query.authdb = NULL;
535 client->query.authzone = NULL;
536 client->query.authdbset = ISC_FALSE;
537 client->query.isreferral = ISC_FALSE;
538 query_reset(client, ISC_FALSE);
539 result = query_newdbversion(client, 3);
540 if (result != ISC_R_SUCCESS) {
541 DESTROYLOCK(&client->query.fetchlock);
544 result = query_newnamebuf(client);
545 if (result != ISC_R_SUCCESS)
546 query_freefreeversions(client, ISC_TRUE);
551 static inline ns_dbversion_t *
552 query_findversion(ns_client_t *client, dns_db_t *db,
553 isc_boolean_t *newzonep)
555 ns_dbversion_t *dbversion;
558 * We may already have done a query related to this
559 * database. If so, we must be sure to make subsequent
560 * queries from the same version.
562 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
564 dbversion = ISC_LIST_NEXT(dbversion, link)) {
565 if (dbversion->db == db)
569 if (dbversion == NULL) {
571 * This is a new zone for this query. Add it to
574 dbversion = query_getdbversion(client);
575 if (dbversion == NULL)
577 dns_db_attach(db, &dbversion->db);
578 dns_db_currentversion(db, &dbversion->version);
579 dbversion->queryok = ISC_FALSE;
580 ISC_LIST_APPEND(client->query.activeversions,
582 *newzonep = ISC_TRUE;
584 *newzonep = ISC_FALSE;
589 static inline isc_result_t
590 query_validatezonedb(ns_client_t *client, dns_name_t *name,
591 dns_rdatatype_t qtype, unsigned int options,
592 dns_zone_t *zone, dns_db_t *db,
593 dns_dbversion_t **versionp)
596 isc_boolean_t check_acl, new_zone;
598 ns_dbversion_t *dbversion;
600 REQUIRE(zone != NULL);
604 * This limits our searching to the zone where the first name
605 * (the query target) was looked for. This prevents following
606 * CNAMES or DNAMES into other zones and prevents returning
607 * additional data from other zones.
609 if (!client->view->additionalfromauth &&
610 client->query.authdbset &&
611 db != client->query.authdb)
615 * If the zone has an ACL, we'll check it, otherwise
616 * we use the view's "allow-query" ACL. Each ACL is only checked
619 * Also, get the database version to use.
622 check_acl = ISC_TRUE; /* Keep compiler happy. */
626 * Get the current version of this database.
628 dbversion = query_findversion(client, db, &new_zone);
629 if (dbversion == NULL) {
630 result = DNS_R_SERVFAIL;
634 check_acl = ISC_TRUE;
635 } else if (!dbversion->queryok) {
638 check_acl = ISC_FALSE;
641 queryacl = dns_zone_getqueryacl(zone);
642 if (queryacl == NULL) {
643 queryacl = client->view->queryacl;
644 if ((client->query.attributes &
645 NS_QUERYATTR_QUERYOKVALID) != 0) {
647 * We've evaluated the view's queryacl already. If
648 * NS_QUERYATTR_QUERYOK is set, then the client is
649 * allowed to make queries, otherwise the query should
652 check_acl = ISC_FALSE;
653 if ((client->query.attributes &
654 NS_QUERYATTR_QUERYOK) == 0)
658 * We haven't evaluated the view's queryacl yet.
660 check_acl = ISC_TRUE;
665 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
667 result = ns_client_checkaclsilent(client, NULL, queryacl,
670 char msg[NS_CLIENT_ACLMSGSIZE("query")];
671 if (result == ISC_R_SUCCESS) {
672 if (isc_log_wouldlog(ns_g_lctx,
675 ns_client_aclmsg("query", name, qtype,
676 client->view->rdclass,
678 ns_client_log(client,
679 DNS_LOGCATEGORY_SECURITY,
685 ns_client_aclmsg("query", name, qtype,
686 client->view->rdclass,
688 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
689 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
694 if (queryacl == client->view->queryacl) {
695 if (result == ISC_R_SUCCESS) {
697 * We were allowed by the default
698 * "allow-query" ACL. Remember this so we
699 * don't have to check again.
701 client->query.attributes |=
702 NS_QUERYATTR_QUERYOK;
705 * We've now evaluated the view's query ACL, and
706 * the NS_QUERYATTR_QUERYOK attribute is now valid.
708 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
711 if (result != ISC_R_SUCCESS)
718 * Remember the result of the ACL check so we
719 * don't have to check again.
721 dbversion->queryok = ISC_TRUE;
723 /* Transfer ownership, if necessary. */
724 if (versionp != NULL)
725 *versionp = dbversion->version;
727 return (ISC_R_SUCCESS);
730 return (DNS_R_REFUSED);
736 static inline isc_result_t
737 query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
738 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
739 dns_dbversion_t **versionp)
742 unsigned int ztoptions;
743 dns_zone_t *zone = NULL;
745 isc_boolean_t partial = ISC_FALSE;
747 REQUIRE(zonep != NULL && *zonep == NULL);
748 REQUIRE(dbp != NULL && *dbp == NULL);
751 * Find a zone database to answer the query.
753 ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
754 DNS_ZTFIND_NOEXACT : 0;
756 result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
758 if (result == DNS_R_PARTIALMATCH)
760 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
761 result = dns_zone_getdb(zone, &db);
763 if (result != ISC_R_SUCCESS)
766 result = query_validatezonedb(client, name, qtype, options, zone, db,
769 if (result != ISC_R_SUCCESS)
772 /* Transfer ownership. */
776 if (partial && (options & DNS_GETDB_PARTIAL) != 0)
777 return (DNS_R_PARTIALMATCH);
778 return (ISC_R_SUCCESS);
782 dns_zone_detach(&zone);
789 static inline isc_result_t
790 query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
791 dns_db_t **dbp, unsigned int options)
794 isc_boolean_t check_acl;
797 REQUIRE(dbp != NULL && *dbp == NULL);
800 * Find a cache database to answer the query.
801 * This may fail with DNS_R_REFUSED if the client
802 * is not allowed to use the cache.
805 if (!USECACHE(client))
806 return (DNS_R_REFUSED);
807 dns_db_attach(client->view->cachedb, &db);
809 if ((client->query.attributes &
810 NS_QUERYATTR_QUERYOKVALID) != 0) {
812 * We've evaluated the view's queryacl already. If
813 * NS_QUERYATTR_QUERYOK is set, then the client is
814 * allowed to make queries, otherwise the query should
817 check_acl = ISC_FALSE;
818 if ((client->query.attributes &
819 NS_QUERYATTR_QUERYOK) == 0)
823 * We haven't evaluated the view's queryacl yet.
825 check_acl = ISC_TRUE;
829 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
830 char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
832 result = ns_client_checkaclsilent(client, NULL,
833 client->view->queryacl,
835 if (result == ISC_R_SUCCESS) {
837 * We were allowed by the default
838 * "allow-query" ACL. Remember this so we
839 * don't have to check again.
841 client->query.attributes |=
842 NS_QUERYATTR_QUERYOK;
843 if (log && isc_log_wouldlog(ns_g_lctx,
846 ns_client_aclmsg("query (cache)", name, qtype,
847 client->view->rdclass,
849 ns_client_log(client,
850 DNS_LOGCATEGORY_SECURITY,
856 ns_client_aclmsg("query (cache)", name, qtype,
857 client->view->rdclass, msg,
859 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
860 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
864 * We've now evaluated the view's query ACL, and
865 * the NS_QUERYATTR_QUERYOK attribute is now valid.
867 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
869 if (result != ISC_R_SUCCESS)
875 /* Transfer ownership. */
878 return (ISC_R_SUCCESS);
881 result = DNS_R_REFUSED;
890 static inline isc_result_t
891 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
892 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
893 dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
898 isc_result_t tresult;
899 unsigned int namelabels;
900 unsigned int zonelabels;
901 dns_zone_t *zone = NULL;
904 REQUIRE(zonep != NULL && *zonep == NULL);
908 /* Calculate how many labels are in name. */
909 namelabels = dns_name_countlabels(name);
912 /* Try to find name in bind's standard database. */
913 result = query_getzonedb(client, name, qtype, options, &zone,
916 /* See how many labels are in the zone's name. */
917 if (result == ISC_R_SUCCESS && zone != NULL)
918 zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
920 * If # zone labels < # name labels, try to find an even better match
921 * Only try if a DLZ driver is loaded for this view
923 if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
924 tresult = dns_dlzfindzone(client->view, name,
926 /* If we successful, we found a better match. */
927 if (tresult == ISC_R_SUCCESS) {
929 * If the previous search returned a zone, detach it.
932 dns_zone_detach(&zone);
935 * If the previous search returned a database,
942 * If the previous search returned a version, clear it.
947 * Get our database version.
949 dns_db_currentversion(tdbp, versionp);
952 * Be sure to return our database.
957 * We return a null zone, No stats for DLZ zones.
964 result = query_getzonedb(client, name, qtype, options,
965 zonep, dbp, versionp);
968 /* If successful, Transfer ownership of zone. */
969 if (result == ISC_R_SUCCESS) {
974 * If neither attempt above succeeded, return the cache instead
976 *is_zonep = ISC_TRUE;
977 } else if (result == ISC_R_NOTFOUND) {
978 result = query_getcachedb(client, name, qtype, dbp, options);
979 *is_zonep = ISC_FALSE;
984 static inline isc_boolean_t
985 query_isduplicate(ns_client_t *client, dns_name_t *name,
986 dns_rdatatype_t type, dns_name_t **mnamep)
988 dns_section_t section;
989 dns_name_t *mname = NULL;
992 CTRACE("query_isduplicate");
994 for (section = DNS_SECTION_ANSWER;
995 section <= DNS_SECTION_ADDITIONAL;
997 result = dns_message_findname(client->message, section,
998 name, type, 0, &mname, NULL);
999 if (result == ISC_R_SUCCESS) {
1001 * We've already got this RRset in the response.
1003 CTRACE("query_isduplicate: true: done");
1005 } else if (result == DNS_R_NXRRSET) {
1007 * The name exists, but the rdataset does not.
1009 if (section == DNS_SECTION_ADDITIONAL)
1012 RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
1017 * If the dns_name_t we're looking up is already in the message,
1018 * we don't want to trigger the caller's name replacement logic.
1025 CTRACE("query_isduplicate: false: done");
1030 query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1031 ns_client_t *client = arg;
1032 isc_result_t result, eresult;
1035 dns_name_t *fname, *mname;
1036 dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
1039 dns_dbversion_t *version;
1040 isc_boolean_t added_something, need_addname;
1042 dns_rdatatype_t type;
1044 REQUIRE(NS_CLIENT_VALID(client));
1045 REQUIRE(qtype != dns_rdatatype_any);
1047 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
1048 return (ISC_R_SUCCESS);
1050 CTRACE("query_addadditional");
1055 eresult = ISC_R_SUCCESS;
1063 added_something = ISC_FALSE;
1064 need_addname = ISC_FALSE;
1068 * We treat type A additional section processing as if it
1069 * were "any address type" additional section processing.
1070 * To avoid multiple lookups, we do an 'any' database
1071 * lookup and iterate over the node.
1073 if (qtype == dns_rdatatype_a)
1074 type = dns_rdatatype_any;
1079 * Get some resources.
1081 dbuf = query_getnamebuf(client);
1084 fname = query_newname(client, dbuf, &b);
1085 rdataset = query_newrdataset(client);
1086 if (fname == NULL || rdataset == NULL)
1088 if (WANTDNSSEC(client)) {
1089 sigrdataset = query_newrdataset(client);
1090 if (sigrdataset == NULL)
1095 * Look for a zone database that might contain authoritative
1098 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1099 &zone, &db, &version);
1100 if (result != ISC_R_SUCCESS)
1103 CTRACE("query_addadditional: db_find");
1106 * Since we are looking for authoritative data, we do not set
1107 * the GLUEOK flag. Glue will be looked for later, but not
1108 * necessarily in the same database.
1111 result = dns_db_find(db, name, version, type, client->query.dboptions,
1112 client->now, &node, fname, rdataset,
1114 if (result == ISC_R_SUCCESS)
1117 if (dns_rdataset_isassociated(rdataset))
1118 dns_rdataset_disassociate(rdataset);
1119 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1120 dns_rdataset_disassociate(sigrdataset);
1122 dns_db_detachnode(db, &node);
1127 * No authoritative data was found. The cache is our next best bet.
1131 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1132 if (result != ISC_R_SUCCESS)
1134 * Most likely the client isn't allowed to query the cache.
1138 * Attempt to validate glue.
1140 if (sigrdataset == NULL) {
1141 sigrdataset = query_newrdataset(client);
1142 if (sigrdataset == NULL)
1145 result = dns_db_find(db, name, version, type,
1146 client->query.dboptions | DNS_DBFIND_GLUEOK,
1147 client->now, &node, fname, rdataset,
1149 if (result == DNS_R_GLUE &&
1150 validate(client, db, fname, rdataset, sigrdataset))
1151 result = ISC_R_SUCCESS;
1152 if (!WANTDNSSEC(client))
1153 query_putrdataset(client, &sigrdataset);
1154 if (result == ISC_R_SUCCESS)
1157 if (dns_rdataset_isassociated(rdataset))
1158 dns_rdataset_disassociate(rdataset);
1159 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1160 dns_rdataset_disassociate(sigrdataset);
1162 dns_db_detachnode(db, &node);
1167 * No cached data was found. Glue is our last chance.
1170 * NS records cause both the usual additional section
1171 * processing to locate a type A record, and, when used
1172 * in a referral, a special search of the zone in which
1173 * they reside for glue information.
1175 * This is the "special search". Note that we must search
1176 * the zone where the NS record resides, not the zone it
1177 * points to, and that we only do the search in the delegation
1178 * case (identified by client->query.gluedb being set).
1181 if (client->query.gluedb == NULL)
1185 * Don't poison caches using the bailiwick protection model.
1187 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1190 dns_db_attach(client->query.gluedb, &db);
1191 result = dns_db_find(db, name, version, type,
1192 client->query.dboptions | DNS_DBFIND_GLUEOK,
1193 client->now, &node, fname, rdataset,
1195 if (!(result == ISC_R_SUCCESS ||
1196 result == DNS_R_ZONECUT ||
1197 result == DNS_R_GLUE))
1202 * We have found a potential additional data rdataset, or
1203 * at least a node to iterate over.
1205 query_keepname(client, fname, dbuf);
1208 * If we have an rdataset, add it to the additional data
1212 if (dns_rdataset_isassociated(rdataset) &&
1213 !query_isduplicate(client, fname, type, &mname)) {
1214 if (mname != NULL) {
1215 query_releasename(client, &fname);
1218 need_addname = ISC_TRUE;
1219 ISC_LIST_APPEND(fname->list, rdataset, link);
1220 trdataset = rdataset;
1222 added_something = ISC_TRUE;
1224 * Note: we only add SIGs if we've added the type they cover,
1225 * so we do not need to check if the SIG rdataset is already
1228 if (sigrdataset != NULL &&
1229 dns_rdataset_isassociated(sigrdataset))
1231 ISC_LIST_APPEND(fname->list, sigrdataset, link);
1236 if (qtype == dns_rdatatype_a) {
1238 * We now go looking for A and AAAA records, along with
1241 * XXXRTH This code could be more efficient.
1243 if (rdataset != NULL) {
1244 if (dns_rdataset_isassociated(rdataset))
1245 dns_rdataset_disassociate(rdataset);
1247 rdataset = query_newrdataset(client);
1248 if (rdataset == NULL)
1251 if (sigrdataset != NULL) {
1252 if (dns_rdataset_isassociated(sigrdataset))
1253 dns_rdataset_disassociate(sigrdataset);
1254 } else if (WANTDNSSEC(client)) {
1255 sigrdataset = query_newrdataset(client);
1256 if (sigrdataset == NULL)
1259 result = dns_db_findrdataset(db, node, version,
1261 client->now, rdataset,
1263 if (result == DNS_R_NCACHENXDOMAIN)
1265 if (result == DNS_R_NCACHENXRRSET) {
1266 dns_rdataset_disassociate(rdataset);
1268 * Negative cache entries don't have sigrdatasets.
1270 INSIST(sigrdataset == NULL ||
1271 ! dns_rdataset_isassociated(sigrdataset));
1273 if (result == ISC_R_SUCCESS) {
1275 if (!query_isduplicate(client, fname,
1276 dns_rdatatype_a, &mname)) {
1277 if (mname != NULL) {
1278 query_releasename(client, &fname);
1281 need_addname = ISC_TRUE;
1282 ISC_LIST_APPEND(fname->list, rdataset, link);
1283 added_something = ISC_TRUE;
1284 if (sigrdataset != NULL &&
1285 dns_rdataset_isassociated(sigrdataset))
1287 ISC_LIST_APPEND(fname->list,
1290 query_newrdataset(client);
1292 rdataset = query_newrdataset(client);
1293 if (rdataset == NULL)
1295 if (WANTDNSSEC(client) && sigrdataset == NULL)
1298 dns_rdataset_disassociate(rdataset);
1299 if (sigrdataset != NULL &&
1300 dns_rdataset_isassociated(sigrdataset))
1301 dns_rdataset_disassociate(sigrdataset);
1304 result = dns_db_findrdataset(db, node, version,
1305 dns_rdatatype_aaaa, 0,
1306 client->now, rdataset,
1308 if (result == DNS_R_NCACHENXDOMAIN)
1310 if (result == DNS_R_NCACHENXRRSET) {
1311 dns_rdataset_disassociate(rdataset);
1312 INSIST(sigrdataset == NULL ||
1313 ! dns_rdataset_isassociated(sigrdataset));
1315 if (result == ISC_R_SUCCESS) {
1317 if (!query_isduplicate(client, fname,
1318 dns_rdatatype_aaaa, &mname)) {
1319 if (mname != NULL) {
1320 query_releasename(client, &fname);
1323 need_addname = ISC_TRUE;
1324 ISC_LIST_APPEND(fname->list, rdataset, link);
1325 added_something = ISC_TRUE;
1326 if (sigrdataset != NULL &&
1327 dns_rdataset_isassociated(sigrdataset))
1329 ISC_LIST_APPEND(fname->list,
1339 CTRACE("query_addadditional: addname");
1341 * If we haven't added anything, then we're done.
1343 if (!added_something)
1347 * We may have added our rdatasets to an existing name, if so, then
1348 * need_addname will be ISC_FALSE. Whether we used an existing name
1349 * or a new one, we must set fname to NULL to prevent cleanup.
1352 dns_message_addname(client->message, fname,
1353 DNS_SECTION_ADDITIONAL);
1357 * In a few cases, we want to add additional data for additional
1358 * data. It's simpler to just deal with special cases here than
1359 * to try to create a general purpose mechanism and allow the
1360 * rdata implementations to do it themselves.
1362 * This involves recursion, but the depth is limited. The
1363 * most complex case is adding a SRV rdataset, which involves
1364 * recursing to add address records, which in turn can cause
1365 * recursion to add KEYs.
1367 if (type == dns_rdatatype_srv && trdataset != NULL) {
1369 * If we're adding SRV records to the additional data
1370 * section, it's helpful if we add the SRV additional data
1373 eresult = dns_rdataset_additionaldata(trdataset,
1374 query_addadditional,
1379 CTRACE("query_addadditional: cleanup");
1380 query_putrdataset(client, &rdataset);
1381 if (sigrdataset != NULL)
1382 query_putrdataset(client, &sigrdataset);
1384 query_releasename(client, &fname);
1386 dns_db_detachnode(db, &node);
1390 dns_zone_detach(&zone);
1392 CTRACE("query_addadditional: done");
1397 query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
1398 dns_rdatasetadditional_t additionaltype,
1399 dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
1400 dns_dbversion_t **versionp, dns_dbnode_t **nodep,
1403 dns_rdataset_t *rdataset;
1405 while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
1406 ISC_LIST_UNLINK(fname->list, rdataset, link);
1407 query_putrdataset(client, &rdataset);
1409 if (*versionp != NULL)
1410 dns_db_closeversion(*dbp, versionp, ISC_FALSE);
1412 dns_db_detachnode(*dbp, nodep);
1416 dns_zone_detach(zonep);
1417 (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
1418 additionaltype, type);
1421 static inline isc_result_t
1422 query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
1423 dns_dbversion_t *version)
1425 isc_result_t result = ISC_R_SUCCESS;
1426 dns_dbversion_t *version_current = NULL;
1427 dns_db_t *db_current = db0;
1429 if (db_current == NULL) {
1430 result = dns_zone_getdb(zone, &db_current);
1431 if (result != ISC_R_SUCCESS)
1434 dns_db_currentversion(db_current, &version_current);
1435 if (db_current != db || version_current != version) {
1436 result = ISC_R_FAILURE;
1441 dns_db_closeversion(db_current, &version_current, ISC_FALSE);
1442 if (db0 == NULL && db_current != NULL)
1443 dns_db_detach(&db_current);
1449 query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1450 client_additionalctx_t *additionalctx = arg;
1451 dns_rdataset_t *rdataset_base;
1452 ns_client_t *client;
1453 isc_result_t result, eresult;
1454 dns_dbnode_t *node, *cnode;
1456 dns_name_t *fname, *mname0, cfname;
1457 dns_rdataset_t *rdataset, *sigrdataset;
1458 dns_rdataset_t *crdataset, *crdataset_next;
1461 dns_dbversion_t *version, *cversion;
1462 isc_boolean_t added_something, need_addname, needadditionalcache;
1463 isc_boolean_t need_sigrrset;
1465 dns_rdatatype_t type;
1466 dns_rdatasetadditional_t additionaltype;
1468 if (qtype != dns_rdatatype_a) {
1470 * This function is optimized for "address" types. For other
1471 * types, use a generic routine.
1472 * XXX: ideally, this function should be generic enough.
1474 return (query_addadditional(additionalctx->client,
1481 rdataset_base = additionalctx->rdataset;
1482 client = additionalctx->client;
1483 REQUIRE(NS_CLIENT_VALID(client));
1484 eresult = ISC_R_SUCCESS;
1494 added_something = ISC_FALSE;
1495 need_addname = ISC_FALSE;
1497 needadditionalcache = ISC_FALSE;
1498 additionaltype = dns_rdatasetadditional_fromauth;
1499 dns_name_init(&cfname, NULL);
1501 CTRACE("query_addadditional2");
1504 * We treat type A additional section processing as if it
1505 * were "any address type" additional section processing.
1506 * To avoid multiple lookups, we do an 'any' database
1507 * lookup and iterate over the node.
1508 * XXXJT: this approach can cause a suboptimal result when the cache
1509 * DB only has partial address types and the glue DB has remaining
1512 type = dns_rdatatype_any;
1515 * Get some resources.
1517 dbuf = query_getnamebuf(client);
1520 fname = query_newname(client, dbuf, &b);
1523 dns_name_setbuffer(&cfname, &b); /* share the buffer */
1525 /* Check additional cache */
1526 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1527 type, client->view->acache, &zone,
1528 &cdb, &cversion, &cnode, &cfname,
1529 client->message, client->now);
1530 if (result != ISC_R_SUCCESS)
1533 CTRACE("query_addadditional2: auth zone not found");
1537 /* Is the cached DB up-to-date? */
1538 result = query_iscachevalid(zone, cdb, NULL, cversion);
1539 if (result != ISC_R_SUCCESS) {
1540 CTRACE("query_addadditional2: old auth additional cache");
1541 query_discardcache(client, rdataset_base, additionaltype,
1542 type, &zone, &cdb, &cversion, &cnode,
1547 if (cnode == NULL) {
1549 * We have a negative cache. We don't have to check the zone
1550 * ACL, since the result (not using this zone) would be same
1551 * regardless of the result.
1553 CTRACE("query_addadditional2: negative auth additional cache");
1554 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1555 dns_db_detach(&cdb);
1556 dns_zone_detach(&zone);
1560 result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
1562 if (result != ISC_R_SUCCESS) {
1563 query_discardcache(client, rdataset_base, additionaltype,
1564 type, &zone, &cdb, &cversion, &cnode,
1569 /* We've got an active cache. */
1570 CTRACE("query_addadditional2: auth additional cache");
1571 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1574 dns_name_clone(&cfname, fname);
1575 query_keepname(client, fname, dbuf);
1579 * Look for a zone database that might contain authoritative
1583 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1584 &zone, &db, &version);
1585 if (result != ISC_R_SUCCESS) {
1586 /* Cache the negative result */
1587 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1588 type, client->view->acache,
1589 NULL, NULL, NULL, NULL,
1594 CTRACE("query_addadditional2: db_find");
1597 * Since we are looking for authoritative data, we do not set
1598 * the GLUEOK flag. Glue will be looked for later, but not
1599 * necessarily in the same database.
1602 result = dns_db_find(db, name, version, type, client->query.dboptions,
1603 client->now, &node, fname, NULL, NULL);
1604 if (result == ISC_R_SUCCESS)
1607 /* Cache the negative result */
1608 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1609 type, client->view->acache, zone, db,
1610 version, NULL, fname);
1613 dns_db_detachnode(db, &node);
1618 * No authoritative data was found. The cache is our next best bet.
1622 additionaltype = dns_rdatasetadditional_fromcache;
1623 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1624 if (result != ISC_R_SUCCESS)
1626 * Most likely the client isn't allowed to query the cache.
1630 result = dns_db_find(db, name, version, type,
1631 client->query.dboptions | DNS_DBFIND_GLUEOK,
1632 client->now, &node, fname, NULL, NULL);
1633 if (result == ISC_R_SUCCESS)
1637 dns_db_detachnode(db, &node);
1642 * No cached data was found. Glue is our last chance.
1645 * NS records cause both the usual additional section
1646 * processing to locate a type A record, and, when used
1647 * in a referral, a special search of the zone in which
1648 * they reside for glue information.
1650 * This is the "special search". Note that we must search
1651 * the zone where the NS record resides, not the zone it
1652 * points to, and that we only do the search in the delegation
1653 * case (identified by client->query.gluedb being set).
1655 if (client->query.gluedb == NULL)
1659 * Don't poison caches using the bailiwick protection model.
1661 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1664 /* Check additional cache */
1665 additionaltype = dns_rdatasetadditional_fromglue;
1666 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1667 type, client->view->acache, NULL,
1668 &cdb, &cversion, &cnode, &cfname,
1669 client->message, client->now);
1670 if (result != ISC_R_SUCCESS)
1673 result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
1674 if (result != ISC_R_SUCCESS) {
1675 CTRACE("query_addadditional2: old glue additional cache");
1676 query_discardcache(client, rdataset_base, additionaltype,
1677 type, &zone, &cdb, &cversion, &cnode,
1682 if (cnode == NULL) {
1683 /* We have a negative cache. */
1684 CTRACE("query_addadditional2: negative glue additional cache");
1685 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1686 dns_db_detach(&cdb);
1691 CTRACE("query_addadditional2: glue additional cache");
1692 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1695 dns_name_clone(&cfname, fname);
1696 query_keepname(client, fname, dbuf);
1700 dns_db_attach(client->query.gluedb, &db);
1701 result = dns_db_find(db, name, version, type,
1702 client->query.dboptions | DNS_DBFIND_GLUEOK,
1703 client->now, &node, fname, NULL, NULL);
1704 if (!(result == ISC_R_SUCCESS ||
1705 result == DNS_R_ZONECUT ||
1706 result == DNS_R_GLUE)) {
1707 /* cache the negative result */
1708 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1709 type, client->view->acache,
1710 NULL, db, version, NULL,
1717 * We have found a DB node to iterate over from a DB.
1718 * We are going to look for address RRsets (i.e., A and AAAA) in the DB
1719 * node we've just found. We'll then store the complete information
1720 * in the additional data cache.
1722 dns_name_clone(fname, &cfname);
1723 query_keepname(client, fname, dbuf);
1724 needadditionalcache = ISC_TRUE;
1726 rdataset = query_newrdataset(client);
1727 if (rdataset == NULL)
1730 sigrdataset = query_newrdataset(client);
1731 if (sigrdataset == NULL)
1735 * Find A RRset with sig RRset. Even if we don't find a sig RRset
1736 * for a client using DNSSEC, we'll continue the process to make a
1737 * complete list to be cached. However, we need to cancel the
1738 * caching when something unexpected happens, in order to avoid
1739 * caching incomplete information.
1741 result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
1742 client->now, rdataset, sigrdataset);
1744 * If we can't promote glue/pending from the cache to secure
1747 if (result == ISC_R_SUCCESS &&
1748 additionaltype == dns_rdatasetadditional_fromcache &&
1749 (DNS_TRUST_PENDING(rdataset->trust) ||
1750 DNS_TRUST_GLUE(rdataset->trust)) &&
1751 !validate(client, db, fname, rdataset, sigrdataset)) {
1752 dns_rdataset_disassociate(rdataset);
1753 if (dns_rdataset_isassociated(sigrdataset))
1754 dns_rdataset_disassociate(sigrdataset);
1755 result = ISC_R_NOTFOUND;
1757 if (result == DNS_R_NCACHENXDOMAIN)
1759 if (result == DNS_R_NCACHENXRRSET) {
1760 dns_rdataset_disassociate(rdataset);
1762 * Negative cache entries don't have sigrdatasets.
1764 INSIST(! dns_rdataset_isassociated(sigrdataset));
1766 if (result == ISC_R_SUCCESS) {
1767 /* Remember the result as a cache */
1768 ISC_LIST_APPEND(cfname.list, rdataset, link);
1769 if (dns_rdataset_isassociated(sigrdataset)) {
1770 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1771 sigrdataset = query_newrdataset(client);
1773 rdataset = query_newrdataset(client);
1774 if (sigrdataset == NULL || rdataset == NULL) {
1775 /* do not cache incomplete information */
1780 /* Find AAAA RRset with sig RRset */
1781 result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
1782 0, client->now, rdataset, sigrdataset);
1784 * If we can't promote glue/pending from the cache to secure
1787 if (result == ISC_R_SUCCESS &&
1788 additionaltype == dns_rdatasetadditional_fromcache &&
1789 (DNS_TRUST_PENDING(rdataset->trust) ||
1790 DNS_TRUST_GLUE(rdataset->trust)) &&
1791 !validate(client, db, fname, rdataset, sigrdataset)) {
1792 dns_rdataset_disassociate(rdataset);
1793 if (dns_rdataset_isassociated(sigrdataset))
1794 dns_rdataset_disassociate(sigrdataset);
1795 result = ISC_R_NOTFOUND;
1797 if (result == ISC_R_SUCCESS) {
1798 ISC_LIST_APPEND(cfname.list, rdataset, link);
1800 if (dns_rdataset_isassociated(sigrdataset)) {
1801 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1808 * Set the new result in the cache if required. We do not support
1809 * caching additional data from a cache DB.
1811 if (needadditionalcache == ISC_TRUE &&
1812 (additionaltype == dns_rdatasetadditional_fromauth ||
1813 additionaltype == dns_rdatasetadditional_fromglue)) {
1814 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1815 type, client->view->acache,
1816 zone, db, version, node,
1821 need_sigrrset = ISC_FALSE;
1823 for (crdataset = ISC_LIST_HEAD(cfname.list);
1825 crdataset = crdataset_next) {
1828 crdataset_next = ISC_LIST_NEXT(crdataset, link);
1831 if (crdataset->type == dns_rdatatype_a ||
1832 crdataset->type == dns_rdatatype_aaaa) {
1833 if (!query_isduplicate(client, fname, crdataset->type,
1835 if (mname != NULL) {
1837 * A different type of this name is
1838 * already stored in the additional
1839 * section. We'll reuse the name.
1840 * Note that this should happen at most
1841 * once. Otherwise, fname->link could
1844 INSIST(mname0 == NULL);
1846 query_releasename(client, &fname);
1850 need_addname = ISC_TRUE;
1851 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1852 ISC_LIST_APPEND(fname->list, crdataset, link);
1853 added_something = ISC_TRUE;
1854 need_sigrrset = ISC_TRUE;
1856 need_sigrrset = ISC_FALSE;
1857 } else if (crdataset->type == dns_rdatatype_rrsig &&
1858 need_sigrrset && WANTDNSSEC(client)) {
1859 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1860 ISC_LIST_APPEND(fname->list, crdataset, link);
1861 added_something = ISC_TRUE; /* just in case */
1862 need_sigrrset = ISC_FALSE;
1866 CTRACE("query_addadditional2: addname");
1869 * If we haven't added anything, then we're done.
1871 if (!added_something)
1875 * We may have added our rdatasets to an existing name, if so, then
1876 * need_addname will be ISC_FALSE. Whether we used an existing name
1877 * or a new one, we must set fname to NULL to prevent cleanup.
1880 dns_message_addname(client->message, fname,
1881 DNS_SECTION_ADDITIONAL);
1885 CTRACE("query_addadditional2: cleanup");
1887 if (rdataset != NULL)
1888 query_putrdataset(client, &rdataset);
1889 if (sigrdataset != NULL)
1890 query_putrdataset(client, &sigrdataset);
1891 while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
1892 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1893 query_putrdataset(client, &crdataset);
1896 query_releasename(client, &fname);
1898 dns_db_detachnode(db, &node);
1902 dns_zone_detach(&zone);
1904 CTRACE("query_addadditional2: done");
1909 query_addrdataset(ns_client_t *client, dns_name_t *fname,
1910 dns_rdataset_t *rdataset)
1912 client_additionalctx_t additionalctx;
1915 * Add 'rdataset' and any pertinent additional data to
1916 * 'fname', a name in the response message for 'client'.
1919 CTRACE("query_addrdataset");
1921 ISC_LIST_APPEND(fname->list, rdataset, link);
1923 if (client->view->order != NULL)
1924 rdataset->attributes |= dns_order_find(client->view->order,
1925 fname, rdataset->type,
1927 rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
1929 if (NOADDITIONAL(client))
1933 * Add additional data.
1935 * We don't care if dns_rdataset_additionaldata() fails.
1937 additionalctx.client = client;
1938 additionalctx.rdataset = rdataset;
1939 (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
1941 CTRACE("query_addrdataset: done");
1945 query_addrrset(ns_client_t *client, dns_name_t **namep,
1946 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
1947 isc_buffer_t *dbuf, dns_section_t section)
1949 dns_name_t *name, *mname;
1950 dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
1951 isc_result_t result;
1954 * To the current response for 'client', add the answer RRset
1955 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
1956 * owner name '*namep', to section 'section', unless they are
1957 * already there. Also add any pertinent additional data.
1959 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
1960 * stored in 'dbuf'. In this case, query_addrrset() guarantees that
1961 * when it returns the name will either have been kept or released.
1963 CTRACE("query_addrrset");
1965 rdataset = *rdatasetp;
1966 if (sigrdatasetp != NULL)
1967 sigrdataset = *sigrdatasetp;
1972 result = dns_message_findname(client->message, section,
1973 name, rdataset->type, rdataset->covers,
1974 &mname, &mrdataset);
1975 if (result == ISC_R_SUCCESS) {
1977 * We've already got an RRset of the given name and type.
1978 * There's nothing else to do;
1980 CTRACE("query_addrrset: dns_message_findname succeeded: done");
1982 query_releasename(client, namep);
1984 } else if (result == DNS_R_NXDOMAIN) {
1986 * The name doesn't exist.
1989 query_keepname(client, name, dbuf);
1990 dns_message_addname(client->message, name, section);
1994 RUNTIME_CHECK(result == DNS_R_NXRRSET);
1996 query_releasename(client, namep);
1999 if (rdataset->trust != dns_trust_secure &&
2000 (section == DNS_SECTION_ANSWER ||
2001 section == DNS_SECTION_AUTHORITY))
2002 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2004 * Note: we only add SIGs if we've added the type they cover, so
2005 * we do not need to check if the SIG rdataset is already in the
2008 query_addrdataset(client, mname, rdataset);
2010 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
2012 * We have a signature. Add it to the response.
2014 ISC_LIST_APPEND(mname->list, sigrdataset, link);
2015 *sigrdatasetp = NULL;
2017 CTRACE("query_addrrset: done");
2020 static inline isc_result_t
2021 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
2022 isc_boolean_t zero_ttl)
2026 isc_result_t result, eresult;
2027 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2028 dns_rdataset_t **sigrdatasetp = NULL;
2030 CTRACE("query_addsoa");
2034 eresult = ISC_R_SUCCESS;
2040 * Get resources and make 'name' be the database origin.
2042 result = dns_message_gettempname(client->message, &name);
2043 if (result != ISC_R_SUCCESS)
2045 dns_name_init(name, NULL);
2046 dns_name_clone(dns_db_origin(db), name);
2047 rdataset = query_newrdataset(client);
2048 if (rdataset == NULL) {
2049 eresult = DNS_R_SERVFAIL;
2052 if (WANTDNSSEC(client)) {
2053 sigrdataset = query_newrdataset(client);
2054 if (sigrdataset == NULL) {
2055 eresult = DNS_R_SERVFAIL;
2063 result = dns_db_getoriginnode(db, &node);
2064 if (result == ISC_R_SUCCESS) {
2065 result = dns_db_findrdataset(db, node, version,
2067 0, client->now, rdataset,
2070 dns_fixedname_t foundname;
2073 dns_fixedname_init(&foundname);
2074 fname = dns_fixedname_name(&foundname);
2076 result = dns_db_find(db, name, version, dns_rdatatype_soa,
2077 client->query.dboptions, 0, &node,
2078 fname, rdataset, sigrdataset);
2080 if (result != ISC_R_SUCCESS) {
2082 * This is bad. We tried to get the SOA RR at the zone top
2083 * and it didn't work!
2085 eresult = DNS_R_SERVFAIL;
2088 * Extract the SOA MINIMUM.
2090 dns_rdata_soa_t soa;
2091 dns_rdata_t rdata = DNS_RDATA_INIT;
2092 result = dns_rdataset_first(rdataset);
2093 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2094 dns_rdataset_current(rdataset, &rdata);
2095 result = dns_rdata_tostruct(&rdata, &soa, NULL);
2096 if (result != ISC_R_SUCCESS)
2101 if (sigrdataset != NULL)
2102 sigrdataset->ttl = 0;
2106 * Add the SOA and its SIG to the response, with the
2107 * TTLs adjusted per RFC2308 section 3.
2109 if (rdataset->ttl > soa.minimum)
2110 rdataset->ttl = soa.minimum;
2111 if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
2112 sigrdataset->ttl = soa.minimum;
2114 if (sigrdataset != NULL)
2115 sigrdatasetp = &sigrdataset;
2117 sigrdatasetp = NULL;
2118 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2119 DNS_SECTION_AUTHORITY);
2123 query_putrdataset(client, &rdataset);
2124 if (sigrdataset != NULL)
2125 query_putrdataset(client, &sigrdataset);
2127 query_releasename(client, &name);
2129 dns_db_detachnode(db, &node);
2134 static inline isc_result_t
2135 query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
2136 dns_name_t *name, *fname;
2138 isc_result_t result, eresult;
2139 dns_fixedname_t foundname;
2140 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2141 dns_rdataset_t **sigrdatasetp = NULL;
2143 CTRACE("query_addns");
2147 eresult = ISC_R_SUCCESS;
2151 dns_fixedname_init(&foundname);
2152 fname = dns_fixedname_name(&foundname);
2155 * Get resources and make 'name' be the database origin.
2157 result = dns_message_gettempname(client->message, &name);
2158 if (result != ISC_R_SUCCESS) {
2159 CTRACE("query_addns: dns_message_gettempname failed: done");
2162 dns_name_init(name, NULL);
2163 dns_name_clone(dns_db_origin(db), name);
2164 rdataset = query_newrdataset(client);
2165 if (rdataset == NULL) {
2166 CTRACE("query_addns: query_newrdataset failed");
2167 eresult = DNS_R_SERVFAIL;
2170 if (WANTDNSSEC(client)) {
2171 sigrdataset = query_newrdataset(client);
2172 if (sigrdataset == NULL) {
2173 CTRACE("query_addns: query_newrdataset failed");
2174 eresult = DNS_R_SERVFAIL;
2180 * Find the NS rdataset.
2182 result = dns_db_getoriginnode(db, &node);
2183 if (result == ISC_R_SUCCESS) {
2184 result = dns_db_findrdataset(db, node, version,
2186 0, client->now, rdataset,
2189 CTRACE("query_addns: calling dns_db_find");
2190 result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
2191 client->query.dboptions, 0, &node,
2192 fname, rdataset, sigrdataset);
2193 CTRACE("query_addns: dns_db_find complete");
2195 if (result != ISC_R_SUCCESS) {
2196 CTRACE("query_addns: "
2197 "dns_db_findrdataset or dns_db_find failed");
2199 * This is bad. We tried to get the NS rdataset at the zone
2200 * top and it didn't work!
2202 eresult = DNS_R_SERVFAIL;
2204 if (sigrdataset != NULL)
2205 sigrdatasetp = &sigrdataset;
2207 sigrdatasetp = NULL;
2208 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2209 DNS_SECTION_AUTHORITY);
2213 CTRACE("query_addns: cleanup");
2214 query_putrdataset(client, &rdataset);
2215 if (sigrdataset != NULL)
2216 query_putrdataset(client, &sigrdataset);
2218 query_releasename(client, &name);
2220 dns_db_detachnode(db, &node);
2222 CTRACE("query_addns: done");
2226 static inline isc_result_t
2227 query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
2228 dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
2230 dns_rdataset_t *rdataset;
2231 dns_rdatalist_t *rdatalist;
2233 isc_result_t result;
2237 * We assume the name data referred to by tname won't go away.
2240 REQUIRE(anamep != NULL);
2243 result = dns_message_gettemprdatalist(client->message, &rdatalist);
2244 if (result != ISC_R_SUCCESS)
2247 result = dns_message_gettemprdata(client->message, &rdata);
2248 if (result != ISC_R_SUCCESS)
2251 result = dns_message_gettemprdataset(client->message, &rdataset);
2252 if (result != ISC_R_SUCCESS)
2254 dns_rdataset_init(rdataset);
2255 result = dns_name_dup(qname, client->mctx, *anamep);
2256 if (result != ISC_R_SUCCESS) {
2257 dns_message_puttemprdataset(client->message, &rdataset);
2261 rdatalist->type = type;
2262 rdatalist->covers = 0;
2263 rdatalist->rdclass = client->message->rdclass;
2266 dns_name_toregion(tname, &r);
2267 rdata->data = r.base;
2268 rdata->length = r.length;
2269 rdata->rdclass = client->message->rdclass;
2272 ISC_LIST_INIT(rdatalist->rdata);
2273 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
2274 RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
2276 rdataset->trust = trust;
2278 query_addrrset(client, anamep, &rdataset, NULL, NULL,
2279 DNS_SECTION_ANSWER);
2281 if (rdataset != NULL) {
2282 if (dns_rdataset_isassociated(rdataset))
2283 dns_rdataset_disassociate(rdataset);
2284 dns_message_puttemprdataset(client->message, &rdataset);
2287 return (ISC_R_SUCCESS);
2291 * Mark the RRsets as secure. Update the cache (db) to reflect the
2292 * change in trust level.
2295 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2296 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
2298 isc_result_t result;
2299 dns_dbnode_t *node = NULL;
2301 rdataset->trust = dns_trust_secure;
2302 sigrdataset->trust = dns_trust_secure;
2305 * Save the updated secure state. Ignore failures.
2307 result = dns_db_findnode(db, name, ISC_TRUE, &node);
2308 if (result != ISC_R_SUCCESS)
2310 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
2312 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
2314 dns_db_detachnode(db, &node);
2318 * Find the secure key that corresponds to rrsig.
2319 * Note: 'keyrdataset' maintains state between successive calls,
2320 * there may be multiple keys with the same keyid.
2321 * Return ISC_FALSE if we have exhausted all the possible keys.
2323 static isc_boolean_t
2324 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
2325 dns_rdataset_t *keyrdataset, dst_key_t **keyp)
2327 isc_result_t result;
2328 dns_dbnode_t *node = NULL;
2329 isc_boolean_t secure = ISC_FALSE;
2331 if (!dns_rdataset_isassociated(keyrdataset)) {
2332 result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node);
2333 if (result != ISC_R_SUCCESS)
2336 result = dns_db_findrdataset(db, node, NULL,
2337 dns_rdatatype_dnskey, 0,
2338 client->now, keyrdataset, NULL);
2339 dns_db_detachnode(db, &node);
2340 if (result != ISC_R_SUCCESS)
2343 if (keyrdataset->trust != dns_trust_secure)
2346 result = dns_rdataset_first(keyrdataset);
2348 result = dns_rdataset_next(keyrdataset);
2350 for ( ; result == ISC_R_SUCCESS;
2351 result = dns_rdataset_next(keyrdataset)) {
2352 dns_rdata_t rdata = DNS_RDATA_INIT;
2355 dns_rdataset_current(keyrdataset, &rdata);
2356 isc_buffer_init(&b, rdata.data, rdata.length);
2357 isc_buffer_add(&b, rdata.length);
2358 result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
2359 client->mctx, keyp);
2360 if (result != ISC_R_SUCCESS)
2362 if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
2363 rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
2364 dst_key_iszonekey(*keyp)) {
2373 static isc_boolean_t
2374 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
2375 dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
2377 isc_result_t result;
2378 dns_fixedname_t fixed;
2379 isc_boolean_t ignore = ISC_FALSE;
2381 dns_fixedname_init(&fixed);
2384 result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
2386 if (result == DNS_R_SIGEXPIRED && acceptexpired) {
2390 if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
2396 * Validate the rdataset if possible with available records.
2398 static isc_boolean_t
2399 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2400 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
2402 isc_result_t result;
2403 dns_rdata_t rdata = DNS_RDATA_INIT;
2404 dns_rdata_rrsig_t rrsig;
2405 dst_key_t *key = NULL;
2406 dns_rdataset_t keyrdataset;
2408 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
2411 for (result = dns_rdataset_first(sigrdataset);
2412 result == ISC_R_SUCCESS;
2413 result = dns_rdataset_next(sigrdataset)) {
2415 dns_rdata_reset(&rdata);
2416 dns_rdataset_current(sigrdataset, &rdata);
2417 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
2418 if (result != ISC_R_SUCCESS)
2420 if (!dns_resolver_algorithm_supported(client->view->resolver,
2421 name, rrsig.algorithm))
2423 if (!dns_name_issubdomain(name, &rrsig.signer))
2425 dns_rdataset_init(&keyrdataset);
2427 if (!get_key(client, db, &rrsig, &keyrdataset, &key))
2429 if (verify(key, name, rdataset, &rdata, client->mctx,
2430 client->view->acceptexpired)) {
2432 dns_rdataset_disassociate(&keyrdataset);
2433 mark_secure(client, db, name, rdataset,
2439 if (dns_rdataset_isassociated(&keyrdataset))
2440 dns_rdataset_disassociate(&keyrdataset);
2446 query_addbestns(ns_client_t *client) {
2449 dns_name_t *fname, *zfname;
2450 dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
2451 isc_boolean_t is_zone, use_zone;
2453 isc_result_t result;
2454 dns_dbversion_t *version;
2458 CTRACE("query_addbestns");
2464 zsigrdataset = NULL;
2470 is_zone = ISC_FALSE;
2471 use_zone = ISC_FALSE;
2474 * Find the right database.
2476 result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
2477 &zone, &db, &version, &is_zone);
2478 if (result != ISC_R_SUCCESS)
2483 * We'll need some resources...
2485 dbuf = query_getnamebuf(client);
2488 fname = query_newname(client, dbuf, &b);
2489 rdataset = query_newrdataset(client);
2490 if (fname == NULL || rdataset == NULL)
2493 * Get the RRSIGs if the client requested them or if we may
2494 * need to validate answers from the cache.
2496 if (WANTDNSSEC(client) || !is_zone) {
2497 sigrdataset = query_newrdataset(client);
2498 if (sigrdataset == NULL)
2503 * Now look for the zonecut.
2506 result = dns_db_find(db, client->query.qname, version,
2507 dns_rdatatype_ns, client->query.dboptions,
2508 client->now, &node, fname,
2509 rdataset, sigrdataset);
2510 if (result != DNS_R_DELEGATION)
2512 if (USECACHE(client)) {
2513 query_keepname(client, fname, dbuf);
2517 zrdataset = rdataset;
2519 zsigrdataset = sigrdataset;
2521 dns_db_detachnode(db, &node);
2524 dns_db_attach(client->view->cachedb, &db);
2525 is_zone = ISC_FALSE;
2529 result = dns_db_findzonecut(db, client->query.qname,
2530 client->query.dboptions,
2531 client->now, &node, fname,
2532 rdataset, sigrdataset);
2533 if (result == ISC_R_SUCCESS) {
2534 if (zfname != NULL &&
2535 !dns_name_issubdomain(fname, zfname)) {
2537 * We found a zonecut in the cache, but our
2538 * zone delegation is better.
2540 use_zone = ISC_TRUE;
2542 } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
2544 * We didn't find anything in the cache, but we
2545 * have a zone delegation, so use it.
2547 use_zone = ISC_TRUE;
2553 query_releasename(client, &fname);
2557 * We've already done query_keepname() on
2558 * zfname, so we must set dbuf to NULL to
2559 * prevent query_addrrset() from trying to
2560 * call query_keepname() again.
2563 query_putrdataset(client, &rdataset);
2564 if (sigrdataset != NULL)
2565 query_putrdataset(client, &sigrdataset);
2566 rdataset = zrdataset;
2568 sigrdataset = zsigrdataset;
2569 zsigrdataset = NULL;
2573 * Attempt to validate RRsets that are pending or that are glue.
2575 if ((DNS_TRUST_PENDING(rdataset->trust) ||
2576 (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
2577 && !validate(client, db, fname, rdataset, sigrdataset) &&
2578 !PENDINGOK(client->query.dboptions))
2581 if ((DNS_TRUST_GLUE(rdataset->trust) ||
2582 (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
2583 !validate(client, db, fname, rdataset, sigrdataset) &&
2584 SECURE(client) && WANTDNSSEC(client))
2588 * If the client doesn't want DNSSEC we can discard the sigrdataset
2591 if (!WANTDNSSEC(client))
2592 query_putrdataset(client, &sigrdataset);
2593 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
2594 DNS_SECTION_AUTHORITY);
2597 if (rdataset != NULL)
2598 query_putrdataset(client, &rdataset);
2599 if (sigrdataset != NULL)
2600 query_putrdataset(client, &sigrdataset);
2602 query_releasename(client, &fname);
2604 dns_db_detachnode(db, &node);
2608 dns_zone_detach(&zone);
2610 query_putrdataset(client, &zrdataset);
2611 if (zsigrdataset != NULL)
2612 query_putrdataset(client, &zsigrdataset);
2614 query_releasename(client, &zfname);
2615 dns_db_detach(&zdb);
2620 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
2621 dns_dbversion_t *version)
2624 dns_rdataset_t *rdataset, *sigrdataset;
2625 isc_result_t result;
2627 CTRACE("query_addds");
2633 * We'll need some resources...
2635 rdataset = query_newrdataset(client);
2636 sigrdataset = query_newrdataset(client);
2637 if (rdataset == NULL || sigrdataset == NULL)
2641 * Look for the DS record, which may or may not be present.
2643 result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
2644 client->now, rdataset, sigrdataset);
2646 * If we didn't find it, look for an NSEC. */
2647 if (result == ISC_R_NOTFOUND)
2648 result = dns_db_findrdataset(db, node, version,
2649 dns_rdatatype_nsec, 0, client->now,
2650 rdataset, sigrdataset);
2651 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
2653 if (!dns_rdataset_isassociated(rdataset) ||
2654 !dns_rdataset_isassociated(sigrdataset))
2658 * We've already added the NS record, so if the name's not there,
2659 * we have other problems. Use this name rather than calling
2662 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
2663 if (result != ISC_R_SUCCESS)
2667 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
2669 result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
2670 if (result != ISC_R_SUCCESS)
2673 ISC_LIST_APPEND(rname->list, rdataset, link);
2674 ISC_LIST_APPEND(rname->list, sigrdataset, link);
2679 if (rdataset != NULL)
2680 query_putrdataset(client, &rdataset);
2681 if (sigrdataset != NULL)
2682 query_putrdataset(client, &sigrdataset);
2686 query_addwildcardproof(ns_client_t *client, dns_db_t *db,
2687 dns_dbversion_t *version, dns_name_t *name,
2688 isc_boolean_t ispositive)
2690 isc_buffer_t *dbuf, b;
2692 dns_rdataset_t *rdataset, *sigrdataset;
2693 dns_fixedname_t wfixed;
2696 unsigned int options;
2697 unsigned int olabels, nlabels;
2698 isc_result_t result;
2699 dns_rdata_t rdata = DNS_RDATA_INIT;
2700 dns_rdata_nsec_t nsec;
2701 isc_boolean_t have_wname;
2704 CTRACE("query_addwildcardproof");
2711 * Get the NOQNAME proof then if !ispositive
2712 * get the NOWILDCARD proof.
2714 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
2715 * name ignoring any wildcard. From the owner and next names
2716 * of this record you can compute which wildcard (if it exists)
2717 * will match by finding the longest common suffix of the
2718 * owner name and next names with the qname and prefixing that
2719 * with the wildcard label.
2724 * example NSEC b.example
2726 * b.example NSEC a.d.example
2728 * a.d.example NSEC g.f.example
2730 * g.f.example NSEC z.i.example
2732 * z.i.example NSEC example
2735 * a.example -> example NSEC b.example
2736 * owner common example
2737 * next common example
2739 * d.b.example -> b.example NSEC a.d.example
2740 * owner common b.example
2741 * next common example
2743 * a.f.example -> a.d.example NSEC g.f.example
2744 * owner common example
2745 * next common f.example
2747 * j.example -> z.i.example NSEC example
2748 * owner common example
2749 * next common example
2752 options = client->query.dboptions | DNS_DBFIND_NOWILD;
2753 dns_fixedname_init(&wfixed);
2754 wname = dns_fixedname_name(&wfixed);
2756 have_wname = ISC_FALSE;
2758 * We'll need some resources...
2760 dbuf = query_getnamebuf(client);
2763 fname = query_newname(client, dbuf, &b);
2764 rdataset = query_newrdataset(client);
2765 sigrdataset = query_newrdataset(client);
2766 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
2769 result = dns_db_find(db, name, version, dns_rdatatype_nsec, options,
2770 0, &node, fname, rdataset, sigrdataset);
2772 dns_db_detachnode(db, &node);
2773 if (result == DNS_R_NXDOMAIN) {
2775 result = dns_rdataset_first(rdataset);
2776 if (result == ISC_R_SUCCESS) {
2777 dns_rdataset_current(rdataset, &rdata);
2778 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
2780 if (result == ISC_R_SUCCESS) {
2781 (void)dns_name_fullcompare(name, fname, &order,
2783 (void)dns_name_fullcompare(name, &nsec.next, &order,
2786 * Check for a pathological condition created when
2787 * serving some malformed signed zones and bail out.
2789 if (dns_name_countlabels(name) == nlabels)
2792 if (olabels > nlabels)
2793 dns_name_split(name, olabels, NULL, wname);
2795 dns_name_split(name, nlabels, NULL, wname);
2796 result = dns_name_concatenate(dns_wildcardname,
2797 wname, wname, NULL);
2798 if (result == ISC_R_SUCCESS)
2799 have_wname = ISC_TRUE;
2800 dns_rdata_freestruct(&nsec);
2802 query_addrrset(client, &fname, &rdataset, &sigrdataset,
2803 dbuf, DNS_SECTION_AUTHORITY);
2805 if (rdataset != NULL)
2806 query_putrdataset(client, &rdataset);
2807 if (sigrdataset != NULL)
2808 query_putrdataset(client, &sigrdataset);
2810 query_releasename(client, &fname);
2812 ispositive = ISC_TRUE; /* prevent loop */
2813 if (!dns_name_equal(name, wname)) {
2819 if (rdataset != NULL)
2820 query_putrdataset(client, &rdataset);
2821 if (sigrdataset != NULL)
2822 query_putrdataset(client, &sigrdataset);
2824 query_releasename(client, &fname);
2828 query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
2829 dns_dbversion_t *version, dns_name_t **namep,
2830 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
2833 dns_rdataset_t *sigrdataset;
2834 dns_rdata_t sigrdata;
2835 dns_rdata_rrsig_t sig;
2836 unsigned int labels;
2837 isc_buffer_t *dbuf, b;
2839 isc_result_t result;
2842 if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
2843 query_addrrset(client, namep, rdatasetp, sigrdatasetp,
2844 NULL, DNS_SECTION_AUTHORITY);
2848 if (sigrdatasetp == NULL)
2850 sigrdataset = *sigrdatasetp;
2851 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
2853 result = dns_rdataset_first(sigrdataset);
2854 if (result != ISC_R_SUCCESS)
2856 dns_rdata_init(&sigrdata);
2857 dns_rdataset_current(sigrdataset, &sigrdata);
2858 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
2859 if (result != ISC_R_SUCCESS)
2862 labels = dns_name_countlabels(name);
2863 if ((unsigned int)sig.labels + 1 >= labels)
2867 query_addwildcardproof(client, db, version, client->query.qname,
2871 * We'll need some resources...
2873 dbuf = query_getnamebuf(client);
2876 fname = query_newname(client, dbuf, &b);
2879 dns_name_split(name, sig.labels + 1, NULL, fname);
2880 /* This will succeed, since we've stripped labels. */
2881 RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
2882 NULL) == ISC_R_SUCCESS);
2883 query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
2884 dbuf, DNS_SECTION_AUTHORITY);
2888 query_resume(isc_task_t *task, isc_event_t *event) {
2889 dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
2891 ns_client_t *client;
2892 isc_boolean_t fetch_canceled, client_shuttingdown;
2893 isc_result_t result;
2894 isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
2898 * Resume a query after recursion.
2903 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
2904 client = devent->ev_arg;
2905 REQUIRE(NS_CLIENT_VALID(client));
2906 REQUIRE(task == client->task);
2907 REQUIRE(RECURSING(client));
2909 LOCK(&client->query.fetchlock);
2910 if (client->query.fetch != NULL) {
2912 * This is the fetch we've been waiting for.
2914 INSIST(devent->fetch == client->query.fetch);
2915 client->query.fetch = NULL;
2916 fetch_canceled = ISC_FALSE;
2918 * Update client->now.
2920 isc_stdtime_get(&client->now);
2923 * This is a fetch completion event for a canceled fetch.
2924 * Clean up and don't resume the find.
2926 fetch_canceled = ISC_TRUE;
2928 UNLOCK(&client->query.fetchlock);
2929 INSIST(client->query.fetch == NULL);
2931 client->query.attributes &= ~NS_QUERYATTR_RECURSING;
2932 fetch = devent->fetch;
2933 devent->fetch = NULL;
2936 * If this client is shutting down, or this transaction
2937 * has timed out, do not resume the find.
2939 client_shuttingdown = ns_client_shuttingdown(client);
2940 if (fetch_canceled || client_shuttingdown) {
2941 if (devent->node != NULL)
2942 dns_db_detachnode(devent->db, &devent->node);
2943 if (devent->db != NULL)
2944 dns_db_detach(&devent->db);
2945 query_putrdataset(client, &devent->rdataset);
2946 if (devent->sigrdataset != NULL)
2947 query_putrdataset(client, &devent->sigrdataset);
2948 isc_event_free(&event);
2950 query_error(client, DNS_R_SERVFAIL, __LINE__);
2952 query_next(client, ISC_R_CANCELED);
2954 * This may destroy the client.
2956 ns_client_detach(&client);
2958 result = query_find(client, devent, 0);
2959 if (result != ISC_R_SUCCESS) {
2960 if (result == DNS_R_SERVFAIL)
2961 errorloglevel = ISC_LOG_DEBUG(2);
2963 errorloglevel = ISC_LOG_DEBUG(4);
2964 if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
2965 dns_resolver_logfetch(fetch, ns_g_lctx,
2968 errorloglevel, ISC_FALSE);
2973 dns_resolver_destroyfetch(&fetch);
2977 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
2978 dns_rdataset_t *nameservers, isc_boolean_t resuming)
2980 isc_result_t result;
2981 dns_rdataset_t *rdataset, *sigrdataset;
2982 isc_sockaddr_t *peeraddr;
2985 inc_stats(client, dns_nsstatscounter_recursion);
2988 * We are about to recurse, which means that this client will
2989 * be unavailable for serving new requests for an indeterminate
2990 * amount of time. If this client is currently responsible
2991 * for handling incoming queries, set up a new client
2992 * object to handle them while we are waiting for a
2993 * response. There is no need to replace TCP clients
2994 * because those have already been replaced when the
2995 * connection was accepted (if allowed by the TCP quota).
2997 if (client->recursionquota == NULL) {
2998 result = isc_quota_attach(&ns_g_server->recursionquota,
2999 &client->recursionquota);
3000 if (result == ISC_R_SOFTQUOTA) {
3001 static isc_stdtime_t last = 0;
3003 isc_stdtime_get(&now);
3006 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3009 "recursive-clients soft limit "
3010 "exceeded, aborting oldest query");
3012 ns_client_killoldestquery(client);
3013 result = ISC_R_SUCCESS;
3014 } else if (result == ISC_R_QUOTA) {
3015 static isc_stdtime_t last = 0;
3017 isc_stdtime_get(&now);
3020 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3023 "no more recursive clients: %s",
3024 isc_result_totext(result));
3026 ns_client_killoldestquery(client);
3028 if (result == ISC_R_SUCCESS && !client->mortal &&
3029 (client->attributes & NS_CLIENTATTR_TCP) == 0) {
3030 result = ns_client_replace(client);
3031 if (result != ISC_R_SUCCESS) {
3032 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3035 "ns_client_replace() failed: %s",
3036 isc_result_totext(result));
3037 isc_quota_detach(&client->recursionquota);
3040 if (result != ISC_R_SUCCESS)
3042 ns_client_recursing(client);
3046 * Invoke the resolver.
3048 REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
3049 REQUIRE(client->query.fetch == NULL);
3051 rdataset = query_newrdataset(client);
3052 if (rdataset == NULL)
3053 return (ISC_R_NOMEMORY);
3054 if (WANTDNSSEC(client)) {
3055 sigrdataset = query_newrdataset(client);
3056 if (sigrdataset == NULL) {
3057 query_putrdataset(client, &rdataset);
3058 return (ISC_R_NOMEMORY);
3063 if (client->query.timerset == ISC_FALSE)
3064 ns_client_settimeout(client, 60);
3065 if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
3066 peeraddr = &client->peeraddr;
3069 result = dns_resolver_createfetch2(client->view->resolver,
3070 client->query.qname,
3071 qtype, qdomain, nameservers,
3072 NULL, peeraddr, client->message->id,
3073 client->query.fetchoptions,
3075 query_resume, client,
3076 rdataset, sigrdataset,
3077 &client->query.fetch);
3079 if (result == ISC_R_SUCCESS) {
3081 * Record that we're waiting for an event. A client which
3082 * is shutting down will not be destroyed until all the
3083 * events have been received.
3086 query_putrdataset(client, &rdataset);
3087 if (sigrdataset != NULL)
3088 query_putrdataset(client, &sigrdataset);
3094 #define MAX_RESTARTS 16
3096 #define QUERY_ERROR(r) \
3099 want_restart = ISC_FALSE; \
3104 * Extract a network address from the RDATA of an A or AAAA
3109 * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
3112 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
3114 struct in6_addr in6a;
3116 switch (rdata->type) {
3117 case dns_rdatatype_a:
3118 INSIST(rdata->length == 4);
3119 memcpy(&ina.s_addr, rdata->data, 4);
3120 isc_netaddr_fromin(netaddr, &ina);
3121 return (ISC_R_SUCCESS);
3122 case dns_rdatatype_aaaa:
3123 INSIST(rdata->length == 16);
3124 memcpy(in6a.s6_addr, rdata->data, 16);
3125 isc_netaddr_fromin6(netaddr, &in6a);
3126 return (ISC_R_SUCCESS);
3128 return (ISC_R_NOTIMPLEMENTED);
3133 * Find the sort order of 'rdata' in the topology-like
3134 * ACL forming the second element in a 2-element top-level
3135 * sortlist statement.
3138 query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
3139 isc_netaddr_t netaddr;
3141 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
3143 return (ns_sortlist_addrorder2(&netaddr, arg));
3147 * Find the sort order of 'rdata' in the matching element
3148 * of a 1-element top-level sortlist statement.
3151 query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
3152 isc_netaddr_t netaddr;
3154 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
3156 return (ns_sortlist_addrorder1(&netaddr, arg));
3160 * Find the sortlist statement that applies to 'client' and set up
3161 * the sortlist info in in client->message appropriately.
3164 setup_query_sortlist(ns_client_t *client) {
3165 isc_netaddr_t netaddr;
3166 dns_rdatasetorderfunc_t order = NULL;
3167 const void *order_arg = NULL;
3169 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
3170 switch (ns_sortlist_setup(client->view->sortlist,
3171 &netaddr, &order_arg)) {
3172 case NS_SORTLISTTYPE_1ELEMENT:
3173 order = query_sortlist_order_1element;
3175 case NS_SORTLISTTYPE_2ELEMENT:
3176 order = query_sortlist_order_2element;
3178 case NS_SORTLISTTYPE_NONE:
3185 dns_message_setsortorder(client->message, order, order_arg);
3189 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
3190 isc_buffer_t *dbuf, b;
3192 dns_rdataset_t *nsec, *nsecsig;
3193 isc_result_t result = ISC_R_NOMEMORY;
3195 CTRACE("query_addnoqnameproof");
3201 dbuf = query_getnamebuf(client);
3204 fname = query_newname(client, dbuf, &b);
3205 nsec = query_newrdataset(client);
3206 nsecsig = query_newrdataset(client);
3207 if (fname == NULL || nsec == NULL || nsecsig == NULL)
3210 result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
3211 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3213 query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
3214 DNS_SECTION_AUTHORITY);
3218 query_putrdataset(client, &nsec);
3219 if (nsecsig != NULL)
3220 query_putrdataset(client, &nsecsig);
3222 query_releasename(client, &fname);
3226 answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
3229 dns_section_t section = DNS_SECTION_ADDITIONAL;
3230 dns_rdataset_t *rdataset = NULL;
3232 msg = client->message;
3233 for (name = ISC_LIST_HEAD(msg->sections[section]);
3235 name = ISC_LIST_NEXT(name, link))
3236 if (dns_name_equal(name, client->query.qname)) {
3237 for (rdataset = ISC_LIST_HEAD(name->list);
3239 rdataset = ISC_LIST_NEXT(rdataset, link))
3240 if (rdataset->type == qtype)
3244 if (rdataset != NULL) {
3245 ISC_LIST_UNLINK(msg->sections[section], name, link);
3246 ISC_LIST_PREPEND(msg->sections[section], name, link);
3247 ISC_LIST_UNLINK(name->list, rdataset, link);
3248 ISC_LIST_PREPEND(name->list, rdataset, link);
3249 rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
3253 #define NS_NAME_INIT(A,B) \
3256 A, sizeof(A), sizeof(B), \
3257 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
3258 B, NULL, { (void *)-1, (void *)-1}, \
3262 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
3263 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
3264 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
3266 static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
3268 static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
3269 static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
3270 static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
3271 static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
3272 static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
3273 static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
3274 static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
3275 static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
3276 static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
3277 static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
3278 static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
3279 static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
3280 static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
3281 static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
3282 static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
3283 static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
3285 static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
3287 static dns_name_t rfc1918names[] = {
3288 NS_NAME_INIT(inaddr10, inaddr10_offsets),
3289 NS_NAME_INIT(inaddr16172, inaddr172_offsets),
3290 NS_NAME_INIT(inaddr17172, inaddr172_offsets),
3291 NS_NAME_INIT(inaddr18172, inaddr172_offsets),
3292 NS_NAME_INIT(inaddr19172, inaddr172_offsets),
3293 NS_NAME_INIT(inaddr20172, inaddr172_offsets),
3294 NS_NAME_INIT(inaddr21172, inaddr172_offsets),
3295 NS_NAME_INIT(inaddr22172, inaddr172_offsets),
3296 NS_NAME_INIT(inaddr23172, inaddr172_offsets),
3297 NS_NAME_INIT(inaddr24172, inaddr172_offsets),
3298 NS_NAME_INIT(inaddr25172, inaddr172_offsets),
3299 NS_NAME_INIT(inaddr26172, inaddr172_offsets),
3300 NS_NAME_INIT(inaddr27172, inaddr172_offsets),
3301 NS_NAME_INIT(inaddr28172, inaddr172_offsets),
3302 NS_NAME_INIT(inaddr29172, inaddr172_offsets),
3303 NS_NAME_INIT(inaddr30172, inaddr172_offsets),
3304 NS_NAME_INIT(inaddr31172, inaddr172_offsets),
3305 NS_NAME_INIT(inaddr168192, inaddr192_offsets)
3309 static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
3310 static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
3312 static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
3313 static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
3315 static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
3316 static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
3319 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
3321 dns_rdata_t rdata = DNS_RDATA_INIT;
3322 dns_rdata_soa_t soa;
3323 dns_rdataset_t found;
3324 isc_result_t result;
3326 for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
3327 if (dns_name_issubdomain(fname, &rfc1918names[i])) {
3328 dns_rdataset_init(&found);
3329 result = dns_ncache_getrdataset(rdataset,
3333 if (result != ISC_R_SUCCESS)
3336 result = dns_rdataset_first(&found);
3337 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3338 dns_rdataset_current(&found, &rdata);
3339 result = dns_rdata_tostruct(&rdata, &soa, NULL);
3340 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3341 if (dns_name_equal(&soa.origin, &prisoner) &&
3342 dns_name_equal(&soa.contact, &hostmaster)) {
3343 char buf[DNS_NAME_FORMATSIZE];
3344 dns_name_format(fname, buf, sizeof(buf));
3345 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
3348 "RFC 1918 response from "
3349 "Internet for %s", buf);
3351 dns_rdataset_disassociate(&found);
3358 * Do the bulk of query processing for the current query of 'client'.
3359 * If 'event' is non-NULL, we are returning from recursion and 'qtype'
3360 * is ignored. Otherwise, 'qtype' is the query type.
3363 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
3367 dns_rdatatype_t type;
3368 dns_name_t *fname, *zfname, *tname, *prefix;
3369 dns_rdataset_t *rdataset, *trdataset;
3370 dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
3371 dns_rdataset_t **sigrdatasetp;
3372 dns_rdata_t rdata = DNS_RDATA_INIT;
3373 dns_rdatasetiter_t *rdsiter;
3374 isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
3375 unsigned int n, nlabels;
3376 dns_namereln_t namereln;
3380 isc_result_t result, eresult;
3381 dns_fixedname_t fixed;
3382 dns_fixedname_t wildcardname;
3383 dns_dbversion_t *version;
3385 dns_rdata_cname_t cname;
3386 dns_rdata_dname_t dname;
3387 unsigned int options;
3388 isc_boolean_t empty_wild;
3389 dns_rdataset_t *noqname;
3390 isc_boolean_t resuming;
3392 dns_rdataset_t tmprdataset;
3393 unsigned int dboptions;
3395 CTRACE("query_find");
3398 * One-time initialization.
3400 * It's especially important to initialize anything that the cleanup
3401 * code might cleanup.
3404 eresult = ISC_R_SUCCESS;
3410 zsigrdataset = NULL;
3416 need_wildcardproof = ISC_FALSE;
3417 empty_wild = ISC_FALSE;
3419 resuming = ISC_FALSE;
3420 is_zone = ISC_FALSE;
3422 if (event != NULL) {
3424 * We're returning from recursion. Restore the query context
3428 want_restart = ISC_FALSE;
3429 authoritative = ISC_FALSE;
3431 qtype = event->qtype;
3432 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
3433 type = dns_rdatatype_any;
3438 rdataset = event->rdataset;
3439 sigrdataset = event->sigrdataset;
3442 * We'll need some resources...
3444 dbuf = query_getnamebuf(client);
3446 QUERY_ERROR(DNS_R_SERVFAIL);
3449 fname = query_newname(client, dbuf, &b);
3450 if (fname == NULL) {
3451 QUERY_ERROR(DNS_R_SERVFAIL);
3454 tname = dns_fixedname_name(&event->foundname);
3455 result = dns_name_copy(tname, fname, NULL);
3456 if (result != ISC_R_SUCCESS) {
3457 QUERY_ERROR(DNS_R_SERVFAIL);
3461 result = event->result;
3462 resuming = ISC_TRUE;
3468 * Not returning from recursion.
3472 * If it's a SIG query, we'll iterate the node.
3474 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
3475 type = dns_rdatatype_any;
3480 CTRACE("query_find: restart");
3481 want_restart = ISC_FALSE;
3482 authoritative = ISC_FALSE;
3484 need_wildcardproof = ISC_FALSE;
3486 if (client->view->checknames &&
3487 !dns_rdata_checkowner(client->query.qname,
3488 client->message->rdclass,
3489 qtype, ISC_FALSE)) {
3490 char namebuf[DNS_NAME_FORMATSIZE];
3491 char typename[DNS_RDATATYPE_FORMATSIZE];
3492 char classname[DNS_RDATACLASS_FORMATSIZE];
3494 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
3495 dns_rdatatype_format(qtype, typename, sizeof(typename));
3496 dns_rdataclass_format(client->message->rdclass, classname,
3498 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
3499 NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
3500 "check-names failure %s/%s/%s", namebuf,
3501 typename, classname);
3502 QUERY_ERROR(DNS_R_REFUSED);
3507 * First we must find the right database.
3509 options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
3510 if (dns_rdatatype_atparent(qtype) &&
3511 !dns_name_equal(client->query.qname, dns_rootname))
3512 options |= DNS_GETDB_NOEXACT;
3513 result = query_getdb(client, client->query.qname, qtype, options,
3514 &zone, &db, &version, &is_zone);
3515 if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
3516 (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
3518 * Look to see if we are authoritative for the
3519 * child zone if the query type is DS.
3521 dns_db_t *tdb = NULL;
3522 dns_zone_t *tzone = NULL;
3523 dns_dbversion_t *tversion = NULL;
3524 isc_result_t tresult;
3526 tresult = query_getzonedb(client, client->query.qname, qtype,
3527 DNS_GETDB_PARTIAL, &tzone, &tdb,
3529 if (tresult == ISC_R_SUCCESS) {
3530 options &= ~DNS_GETDB_NOEXACT;
3531 query_putrdataset(client, &rdataset);
3535 dns_zone_detach(&zone);
3540 result = ISC_R_SUCCESS;
3543 dns_db_detach(&tdb);
3545 dns_zone_detach(&tzone);
3548 if (result != ISC_R_SUCCESS) {
3549 if (result == DNS_R_REFUSED) {
3550 if (WANTRECURSION(client)) {
3552 dns_nsstatscounter_recurserej);
3554 inc_stats(client, dns_nsstatscounter_authrej);
3555 if (!PARTIALANSWER(client))
3556 QUERY_ERROR(DNS_R_REFUSED);
3558 QUERY_ERROR(DNS_R_SERVFAIL);
3563 authoritative = ISC_TRUE;
3565 if (event == NULL && client->query.restarts == 0) {
3570 * if is_zone = true, zone = NULL then this is
3571 * a DLZ zone. Don't attempt to attach zone.
3574 dns_zone_attach(zone, &client->query.authzone);
3578 dns_db_attach(db, &client->query.authdb);
3580 client->query.authdbset = ISC_TRUE;
3584 CTRACE("query_find: db_find");
3586 * We'll need some resources...
3588 dbuf = query_getnamebuf(client);
3590 QUERY_ERROR(DNS_R_SERVFAIL);
3593 fname = query_newname(client, dbuf, &b);
3594 rdataset = query_newrdataset(client);
3595 if (fname == NULL || rdataset == NULL) {
3596 QUERY_ERROR(DNS_R_SERVFAIL);
3599 if (WANTDNSSEC(client)) {
3600 sigrdataset = query_newrdataset(client);
3601 if (sigrdataset == NULL) {
3602 QUERY_ERROR(DNS_R_SERVFAIL);
3608 * Now look for an answer in the database.
3610 dboptions = client->query.dboptions;
3611 if (sigrdataset == NULL && client->view->enablednssec) {
3613 * If the client doesn't want DNSSEC we still want to
3614 * look for any data pending validation to save a remote
3615 * lookup if possible.
3617 dns_rdataset_init(&tmprdataset);
3618 sigrdataset = &tmprdataset;
3619 dboptions |= DNS_DBFIND_PENDINGOK;
3622 result = dns_db_find(db, client->query.qname, version, type,
3623 dboptions, client->now, &node, fname,
3624 rdataset, sigrdataset);
3626 * If we have found pending data try to validate it.
3627 * If the data does not validate as secure and we can't
3628 * use the unvalidated data requery the database with
3629 * pending disabled to prevent infinite looping.
3631 if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
3632 goto validation_done;
3633 if (validate(client, db, fname, rdataset, sigrdataset))
3634 goto validation_done;
3635 if (rdataset->trust != dns_trust_pending_answer ||
3636 !PENDINGOK(client->query.dboptions)) {
3637 dns_rdataset_disassociate(rdataset);
3638 if (sigrdataset != NULL &&
3639 dns_rdataset_isassociated(sigrdataset))
3640 dns_rdataset_disassociate(sigrdataset);
3641 if (sigrdataset == &tmprdataset)
3643 dns_db_detachnode(db, &node);
3644 dboptions &= ~DNS_DBFIND_PENDINGOK;
3648 if (sigrdataset == &tmprdataset) {
3649 if (dns_rdataset_isassociated(sigrdataset))
3650 dns_rdataset_disassociate(sigrdataset);
3655 CTRACE("query_find: resume");
3659 * This case is handled in the main line below.
3665 * These cases are handled in the main line below.
3668 authoritative = ISC_FALSE;
3670 case ISC_R_NOTFOUND:
3672 * The cache doesn't even have the root NS. Get them from
3679 if (client->view->hints == NULL) {
3680 /* We have no hints. */
3681 result = ISC_R_FAILURE;
3683 dns_db_attach(client->view->hints, &db);
3684 result = dns_db_find(db, dns_rootname,
3685 NULL, dns_rdatatype_ns,
3686 0, client->now, &node, fname,
3687 rdataset, sigrdataset);
3689 if (result != ISC_R_SUCCESS) {
3691 * Nonsensical root hints may require cleanup.
3693 if (dns_rdataset_isassociated(rdataset))
3694 dns_rdataset_disassociate(rdataset);
3695 if (sigrdataset != NULL &&
3696 dns_rdataset_isassociated(sigrdataset))
3697 dns_rdataset_disassociate(sigrdataset);
3699 dns_db_detachnode(db, &node);
3702 * We don't have any root server hints, but
3703 * we may have working forwarders, so try to
3706 if (RECURSIONOK(client)) {
3707 result = query_recurse(client, qtype,
3708 NULL, NULL, resuming);
3709 if (result == ISC_R_SUCCESS)
3710 client->query.attributes |=
3711 NS_QUERYATTR_RECURSING;
3712 else if (result == DNS_R_DUPLICATE ||
3713 result == DNS_R_DROP) {
3714 /* Duplicate query. */
3715 QUERY_ERROR(result);
3717 /* Unable to recurse. */
3718 QUERY_ERROR(DNS_R_SERVFAIL);
3722 /* Unable to give root server referral. */
3723 QUERY_ERROR(DNS_R_SERVFAIL);
3728 * XXXRTH We should trigger root server priming here.
3731 case DNS_R_DELEGATION:
3732 authoritative = ISC_FALSE;
3735 * Look to see if we are authoritative for the
3736 * child zone if the query type is DS.
3738 if (!RECURSIONOK(client) &&
3739 (options & DNS_GETDB_NOEXACT) != 0 &&
3740 qtype == dns_rdatatype_ds) {
3741 dns_db_t *tdb = NULL;
3742 dns_zone_t *tzone = NULL;
3743 dns_dbversion_t *tversion = NULL;
3744 result = query_getzonedb(client,
3745 client->query.qname,
3750 if (result == ISC_R_SUCCESS) {
3751 options &= ~DNS_GETDB_NOEXACT;
3752 query_putrdataset(client, &rdataset);
3753 if (sigrdataset != NULL)
3754 query_putrdataset(client,
3757 query_releasename(client,
3760 dns_db_detachnode(db, &node);
3764 dns_zone_detach(&zone);
3768 authoritative = ISC_TRUE;
3772 dns_db_detach(&tdb);
3774 dns_zone_detach(&tzone);
3777 * We're authoritative for an ancestor of QNAME.
3779 if (!USECACHE(client) || !RECURSIONOK(client)) {
3781 * If we don't have a cache, this is the best
3784 * If the client is making a nonrecursive
3785 * query we always give out the authoritative
3786 * delegation. This way even if we get
3787 * junk in our cache, we won't fail in our
3788 * role as the delegating authority if another
3789 * nameserver asks us about a delegated
3792 * We enable the retrieval of glue for this
3793 * database by setting client->query.gluedb.
3795 client->query.gluedb = db;
3796 client->query.isreferral = ISC_TRUE;
3798 * We must ensure NOADDITIONAL is off,
3799 * because the generation of
3800 * additional data is required in
3803 client->query.attributes &=
3804 ~NS_QUERYATTR_NOADDITIONAL;
3805 if (sigrdataset != NULL)
3806 sigrdatasetp = &sigrdataset;
3808 sigrdatasetp = NULL;
3809 query_addrrset(client, &fname,
3810 &rdataset, sigrdatasetp,
3811 dbuf, DNS_SECTION_AUTHORITY);
3812 client->query.gluedb = NULL;
3813 if (WANTDNSSEC(client) && dns_db_issecure(db))
3814 query_addds(client, db, node, version);
3817 * We might have a better answer or delegation
3818 * in the cache. We'll remember the current
3819 * values of fname, rdataset, and sigrdataset.
3820 * We'll then go looking for QNAME in the
3821 * cache. If we find something better, we'll
3824 query_keepname(client, fname, dbuf);
3828 zrdataset = rdataset;
3830 zsigrdataset = sigrdataset;
3832 dns_db_detachnode(db, &node);
3835 dns_db_attach(client->view->cachedb, &db);
3836 is_zone = ISC_FALSE;
3840 if (zfname != NULL &&
3841 !dns_name_issubdomain(fname, zfname)) {
3843 * We've already got a delegation from
3844 * authoritative data, and it is better
3845 * than what we found in the cache. Use
3846 * it instead of the cache delegation.
3848 query_releasename(client, &fname);
3852 * We've already done query_keepname() on
3853 * zfname, so we must set dbuf to NULL to
3854 * prevent query_addrrset() from trying to
3855 * call query_keepname() again.
3858 query_putrdataset(client, &rdataset);
3859 if (sigrdataset != NULL)
3860 query_putrdataset(client,
3862 rdataset = zrdataset;
3864 sigrdataset = zsigrdataset;
3865 zsigrdataset = NULL;
3867 * We don't clean up zdb here because we
3868 * may still need it. It will get cleaned
3869 * up by the main cleanup code.
3873 if (RECURSIONOK(client)) {
3877 if (dns_rdatatype_atparent(type))
3878 result = query_recurse(client, qtype,
3882 result = query_recurse(client, qtype,
3885 if (result == ISC_R_SUCCESS)
3886 client->query.attributes |=
3887 NS_QUERYATTR_RECURSING;
3888 else if (result == DNS_R_DUPLICATE ||
3889 result == DNS_R_DROP)
3890 QUERY_ERROR(result);
3892 QUERY_ERROR(DNS_R_SERVFAIL);
3895 * This is the best answer.
3897 client->query.attributes |=
3898 NS_QUERYATTR_CACHEGLUEOK;
3899 client->query.gluedb = zdb;
3900 client->query.isreferral = ISC_TRUE;
3902 * We must ensure NOADDITIONAL is off,
3903 * because the generation of
3904 * additional data is required in
3907 client->query.attributes &=
3908 ~NS_QUERYATTR_NOADDITIONAL;
3909 if (sigrdataset != NULL)
3910 sigrdatasetp = &sigrdataset;
3912 sigrdatasetp = NULL;
3913 query_addrrset(client, &fname,
3914 &rdataset, sigrdatasetp,
3915 dbuf, DNS_SECTION_AUTHORITY);
3916 client->query.gluedb = NULL;
3917 client->query.attributes &=
3918 ~NS_QUERYATTR_CACHEGLUEOK;
3919 if (WANTDNSSEC(client))
3920 query_addds(client, db, node, version);
3924 case DNS_R_EMPTYNAME:
3925 result = DNS_R_NXRRSET;
3929 if (dns_rdataset_isassociated(rdataset)) {
3931 * If we've got a NSEC record, we need to save the
3932 * name now because we're going call query_addsoa()
3933 * below, and it needs to use the name buffer.
3935 query_keepname(client, fname, dbuf);
3938 * We're not going to use fname, and need to release
3939 * our hold on the name buffer so query_addsoa()
3942 query_releasename(client, &fname);
3947 result = query_addsoa(client, db, version, ISC_FALSE);
3948 if (result != ISC_R_SUCCESS) {
3949 QUERY_ERROR(result);
3953 * Add NSEC record if we found one.
3955 if (WANTDNSSEC(client)) {
3956 if (dns_rdataset_isassociated(rdataset))
3957 query_addnxrrsetnsec(client, db, version,
3962 case DNS_R_EMPTYWILD:
3963 empty_wild = ISC_TRUE;
3965 case DNS_R_NXDOMAIN:
3967 if (dns_rdataset_isassociated(rdataset)) {
3969 * If we've got a NSEC record, we need to save the
3970 * name now because we're going call query_addsoa()
3971 * below, and it needs to use the name buffer.
3973 query_keepname(client, fname, dbuf);
3976 * We're not going to use fname, and need to release
3977 * our hold on the name buffer so query_addsoa()
3980 query_releasename(client, &fname);
3983 * Add SOA. If the query was for a SOA record force the
3984 * ttl to zero so that it is possible for clients to find
3985 * the containing zone of an arbitrary name with a stub
3986 * resolver and not have it cached.
3988 if (qtype == dns_rdatatype_soa &&
3992 dns_zone_getzeronosoattl(zone))
3993 result = query_addsoa(client, db, version, ISC_TRUE);
3995 result = query_addsoa(client, db, version, ISC_FALSE);
3996 if (result != ISC_R_SUCCESS) {
3997 QUERY_ERROR(result);
4001 * Add NSEC record if we found one.
4003 if (dns_rdataset_isassociated(rdataset)) {
4004 if (WANTDNSSEC(client)) {
4005 query_addrrset(client, &fname, &rdataset,
4007 NULL, DNS_SECTION_AUTHORITY);
4008 query_addwildcardproof(client, db, version,
4009 client->query.qname,
4014 * Set message rcode.
4017 client->message->rcode = dns_rcode_noerror;
4019 client->message->rcode = dns_rcode_nxdomain;
4021 case DNS_R_NCACHENXDOMAIN:
4022 case DNS_R_NCACHENXRRSET:
4024 authoritative = ISC_FALSE;
4026 * Set message rcode, if required.
4028 if (result == DNS_R_NCACHENXDOMAIN)
4029 client->message->rcode = dns_rcode_nxdomain;
4031 * Look for RFC 1918 leakage from Internet.
4033 if (result == DNS_R_NCACHENXDOMAIN &&
4034 qtype == dns_rdatatype_ptr &&
4035 client->message->rdclass == dns_rdataclass_in &&
4036 dns_name_countlabels(fname) == 7)
4037 warn_rfc1918(client, fname, rdataset);
4039 * We don't call query_addrrset() because we don't need any
4040 * of its extra features (and things would probably break!).
4042 query_keepname(client, fname, dbuf);
4043 dns_message_addname(client->message, fname,
4044 DNS_SECTION_AUTHORITY);
4045 ISC_LIST_APPEND(fname->list, rdataset, link);
4051 * Keep a copy of the rdataset. We have to do this because
4052 * query_addrrset may clear 'rdataset' (to prevent the
4053 * cleanup code from cleaning it up).
4055 trdataset = rdataset;
4057 * Add the CNAME to the answer section.
4059 if (sigrdataset != NULL)
4060 sigrdatasetp = &sigrdataset;
4062 sigrdatasetp = NULL;
4063 if (WANTDNSSEC(client) &&
4064 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4066 dns_fixedname_init(&wildcardname);
4067 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
4069 need_wildcardproof = ISC_TRUE;
4071 if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
4076 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4077 DNS_SECTION_ANSWER);
4078 if (noqname != NULL)
4079 query_addnoqnameproof(client, noqname);
4081 * We set the PARTIALANSWER attribute so that if anything goes
4082 * wrong later on, we'll return what we've got so far.
4084 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
4086 * Reset qname to be the target name of the CNAME and restart
4090 result = dns_message_gettempname(client->message, &tname);
4091 if (result != ISC_R_SUCCESS)
4093 result = dns_rdataset_first(trdataset);
4094 if (result != ISC_R_SUCCESS) {
4095 dns_message_puttempname(client->message, &tname);
4098 dns_rdataset_current(trdataset, &rdata);
4099 result = dns_rdata_tostruct(&rdata, &cname, NULL);
4100 dns_rdata_reset(&rdata);
4101 if (result != ISC_R_SUCCESS) {
4102 dns_message_puttempname(client->message, &tname);
4105 dns_name_init(tname, NULL);
4106 result = dns_name_dup(&cname.cname, client->mctx, tname);
4107 if (result != ISC_R_SUCCESS) {
4108 dns_message_puttempname(client->message, &tname);
4109 dns_rdata_freestruct(&cname);
4112 dns_rdata_freestruct(&cname);
4113 ns_client_qnamereplace(client, tname);
4114 want_restart = ISC_TRUE;
4115 if (!WANTRECURSION(client))
4116 options |= DNS_GETDB_NOLOG;
4120 * Compare the current qname to the found name. We need
4121 * to know how many labels and bits are in common because
4122 * we're going to have to split qname later on.
4124 namereln = dns_name_fullcompare(client->query.qname, fname,
4126 INSIST(namereln == dns_namereln_subdomain);
4128 * Keep a copy of the rdataset. We have to do this because
4129 * query_addrrset may clear 'rdataset' (to prevent the
4130 * cleanup code from cleaning it up).
4132 trdataset = rdataset;
4134 * Add the DNAME to the answer section.
4136 if (sigrdataset != NULL)
4137 sigrdatasetp = &sigrdataset;
4139 sigrdatasetp = NULL;
4140 if (WANTDNSSEC(client) &&
4141 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4143 dns_fixedname_init(&wildcardname);
4144 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
4146 need_wildcardproof = ISC_TRUE;
4148 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4149 DNS_SECTION_ANSWER);
4151 * We set the PARTIALANSWER attribute so that if anything goes
4152 * wrong later on, we'll return what we've got so far.
4154 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
4156 * Get the target name of the DNAME.
4159 result = dns_message_gettempname(client->message, &tname);
4160 if (result != ISC_R_SUCCESS)
4162 result = dns_rdataset_first(trdataset);
4163 if (result != ISC_R_SUCCESS) {
4164 dns_message_puttempname(client->message, &tname);
4167 dns_rdataset_current(trdataset, &rdata);
4168 result = dns_rdata_tostruct(&rdata, &dname, NULL);
4169 dns_rdata_reset(&rdata);
4170 if (result != ISC_R_SUCCESS) {
4171 dns_message_puttempname(client->message, &tname);
4174 dns_name_init(tname, NULL);
4175 dns_name_clone(&dname.dname, tname);
4176 dns_rdata_freestruct(&dname);
4178 * Construct the new qname.
4180 dns_fixedname_init(&fixed);
4181 prefix = dns_fixedname_name(&fixed);
4182 dns_name_split(client->query.qname, nlabels, prefix, NULL);
4183 INSIST(fname == NULL);
4184 dbuf = query_getnamebuf(client);
4186 dns_message_puttempname(client->message, &tname);
4189 fname = query_newname(client, dbuf, &b);
4190 if (fname == NULL) {
4191 dns_message_puttempname(client->message, &tname);
4194 result = dns_name_concatenate(prefix, tname, fname, NULL);
4195 if (result != ISC_R_SUCCESS) {
4196 dns_message_puttempname(client->message, &tname);
4197 if (result == ISC_R_NOSPACE) {
4199 * RFC2672, section 4.1, subsection 3c says
4200 * we should return YXDOMAIN if the constructed
4201 * name would be too long.
4203 client->message->rcode = dns_rcode_yxdomain;
4207 query_keepname(client, fname, dbuf);
4209 * Synthesize a CNAME for this DNAME.
4211 * We want to synthesize a CNAME since if we don't
4212 * then older software that doesn't understand DNAME
4213 * will not chain like it should.
4215 * We do not try to synthesize a signature because we hope
4216 * that security aware servers will understand DNAME. Also,
4217 * even if we had an online key, making a signature
4218 * on-the-fly is costly, and not really legitimate anyway
4219 * since the synthesized CNAME is NOT in the zone.
4221 dns_name_init(tname, NULL);
4222 (void)query_addcnamelike(client, client->query.qname, fname,
4223 trdataset->trust, &tname,
4224 dns_rdatatype_cname);
4226 dns_message_puttempname(client->message, &tname);
4228 * Switch to the new qname and restart.
4230 ns_client_qnamereplace(client, fname);
4232 want_restart = ISC_TRUE;
4233 if (!WANTRECURSION(client))
4234 options |= DNS_GETDB_NOLOG;
4238 * Something has gone wrong.
4240 QUERY_ERROR(DNS_R_SERVFAIL);
4244 if (WANTDNSSEC(client) &&
4245 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
4247 dns_fixedname_init(&wildcardname);
4248 dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
4249 need_wildcardproof = ISC_TRUE;
4252 if (type == dns_rdatatype_any) {
4254 * XXXRTH Need to handle zonecuts with special case
4259 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
4260 if (result != ISC_R_SUCCESS) {
4261 QUERY_ERROR(DNS_R_SERVFAIL);
4265 * Calling query_addrrset() with a non-NULL dbuf is going
4266 * to either keep or release the name. We don't want it to
4267 * release fname, since we may have to call query_addrrset()
4268 * more than once. That means we have to call query_keepname()
4269 * now, and pass a NULL dbuf to query_addrrset().
4271 * If we do a query_addrrset() below, we must set fname to
4272 * NULL before leaving this block, otherwise we might try to
4273 * cleanup fname even though we're using it!
4275 query_keepname(client, fname, dbuf);
4277 result = dns_rdatasetiter_first(rdsiter);
4278 while (result == ISC_R_SUCCESS) {
4279 dns_rdatasetiter_current(rdsiter, rdataset);
4280 if ((qtype == dns_rdatatype_any ||
4281 rdataset->type == qtype) && rdataset->type != 0) {
4282 query_addrrset(client,
4283 fname != NULL ? &fname : &tname,
4285 NULL, DNS_SECTION_ANSWER);
4287 INSIST(tname != NULL);
4289 * rdataset is non-NULL only in certain pathological
4290 * cases involving DNAMEs.
4292 if (rdataset != NULL)
4293 query_putrdataset(client, &rdataset);
4294 rdataset = query_newrdataset(client);
4295 if (rdataset == NULL)
4299 * We're not interested in this rdataset.
4301 dns_rdataset_disassociate(rdataset);
4303 result = dns_rdatasetiter_next(rdsiter);
4307 dns_message_puttempname(client->message, &fname);
4311 * We didn't match any rdatasets.
4313 if (qtype == dns_rdatatype_rrsig &&
4314 result == ISC_R_NOMORE) {
4316 * XXXRTH If this is a secure zone and we
4317 * didn't find any SIGs, we should generate
4318 * an error unless we were searching for
4322 authoritative = ISC_FALSE;
4323 dns_rdatasetiter_destroy(&rdsiter);
4324 if (RECURSIONOK(client)) {
4325 result = query_recurse(client,
4330 if (result == ISC_R_SUCCESS)
4331 client->query.attributes |=
4332 NS_QUERYATTR_RECURSING;
4334 QUERY_ERROR(DNS_R_SERVFAIL); }
4338 * We were searching for SIG records in
4339 * a nonsecure zone. Send a "no error,
4340 * no data" response.
4345 result = query_addsoa(client, db, version,
4347 if (result == ISC_R_SUCCESS)
4348 result = ISC_R_NOMORE;
4351 * Something went wrong.
4353 result = DNS_R_SERVFAIL;
4356 dns_rdatasetiter_destroy(&rdsiter);
4357 if (result != ISC_R_NOMORE) {
4358 QUERY_ERROR(DNS_R_SERVFAIL);
4363 * This is the "normal" case -- an ordinary question to which
4364 * we know the answer.
4366 if (sigrdataset != NULL)
4367 sigrdatasetp = &sigrdataset;
4369 sigrdatasetp = NULL;
4370 if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
4376 * BIND 8 priming queries need the additional section.
4378 if (is_zone && qtype == dns_rdatatype_ns &&
4379 dns_name_equal(client->query.qname, dns_rootname))
4380 client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
4382 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
4383 DNS_SECTION_ANSWER);
4384 if (noqname != NULL)
4385 query_addnoqnameproof(client, noqname);
4387 * We shouldn't ever fail to add 'rdataset'
4388 * because it's already in the answer.
4390 INSIST(rdataset == NULL);
4394 CTRACE("query_find: addauth");
4396 * Add NS records to the authority section (if we haven't already
4397 * added them to the answer section).
4399 if (!want_restart && !NOAUTHORITY(client)) {
4401 if (!((qtype == dns_rdatatype_ns ||
4402 qtype == dns_rdatatype_any) &&
4403 dns_name_equal(client->query.qname,
4404 dns_db_origin(db))))
4405 (void)query_addns(client, db, version);
4406 } else if (qtype != dns_rdatatype_ns) {
4408 query_releasename(client, &fname);
4409 query_addbestns(client);
4414 * Add NSEC records to the authority section if they're needed for
4415 * DNSSEC wildcard proofs.
4417 if (need_wildcardproof && dns_db_issecure(db))
4418 query_addwildcardproof(client, db, version,
4419 dns_fixedname_name(&wildcardname),
4422 CTRACE("query_find: cleanup");
4426 if (rdataset != NULL)
4427 query_putrdataset(client, &rdataset);
4428 if (sigrdataset != NULL)
4429 query_putrdataset(client, &sigrdataset);
4431 query_releasename(client, &fname);
4433 dns_db_detachnode(db, &node);
4437 dns_zone_detach(&zone);
4439 query_putrdataset(client, &zrdataset);
4440 if (zsigrdataset != NULL)
4441 query_putrdataset(client, &zsigrdataset);
4443 query_releasename(client, &zfname);
4444 dns_db_detach(&zdb);
4447 isc_event_free(ISC_EVENT_PTR(&event));
4452 if (client->query.restarts == 0 && !authoritative) {
4454 * We're not authoritative, so we must ensure the AA bit
4457 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
4461 * Restart the query?
4463 if (want_restart && client->query.restarts < MAX_RESTARTS) {
4464 client->query.restarts++;
4468 if (eresult != ISC_R_SUCCESS &&
4469 (!PARTIALANSWER(client) || WANTRECURSION(client))) {
4470 if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {
4472 * This was a duplicate query that we are
4473 * recursing on. Don't send a response now.
4474 * The original query will still cause a response.
4476 query_next(client, eresult);
4479 * If we don't have any answer to give the client,
4480 * or if the client requested recursion and thus wanted
4481 * the complete answer, send an error response.
4484 query_error(client, eresult, line);
4486 ns_client_detach(&client);
4487 } else if (!RECURSING(client)) {
4489 * We are done. Set up sortlist data for the message
4490 * rendering code, make a final tweak to the AA bit if the
4491 * auth-nxdomain config option says so, then render and
4492 * send the response.
4494 setup_query_sortlist(client);
4497 * If this is a referral and the answer to the question
4498 * is in the glue sort it to the start of the additional
4501 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
4502 client->message->rcode == dns_rcode_noerror &&
4503 (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
4504 answer_in_glue(client, qtype);
4506 if (client->message->rcode == dns_rcode_nxdomain &&
4507 client->view->auth_nxdomain == ISC_TRUE)
4508 client->message->flags |= DNS_MESSAGEFLAG_AA;
4511 * If the response is somehow unexpected for the client and this
4512 * is a result of recursion, return an error to the caller
4513 * to indicate it may need to be logged.
4516 (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
4517 client->message->rcode != dns_rcode_noerror))
4518 eresult = ISC_R_FAILURE;
4521 ns_client_detach(&client);
4523 CTRACE("query_find: done");
4529 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
4530 char namebuf[DNS_NAME_FORMATSIZE];
4531 char typename[DNS_RDATATYPE_FORMATSIZE];
4532 char classname[DNS_RDATACLASS_FORMATSIZE];
4533 dns_rdataset_t *rdataset;
4534 int level = ISC_LOG_INFO;
4536 if (! isc_log_wouldlog(ns_g_lctx, level))
4539 rdataset = ISC_LIST_HEAD(client->query.qname->list);
4540 INSIST(rdataset != NULL);
4541 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
4542 dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
4543 dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
4545 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
4546 level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
4547 typename, WANTRECURSION(client) ? "+" : "-",
4548 (client->signer != NULL) ? "S": "",
4549 (client->opt != NULL) ? "E" : "",
4550 ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
4551 ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
4555 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
4556 char namebuf[DNS_NAME_FORMATSIZE];
4557 char typename[DNS_RDATATYPE_FORMATSIZE];
4558 char classname[DNS_RDATACLASS_FORMATSIZE];
4559 const char *namep, *typep, *classp, *sep1, *sep2;
4560 dns_rdataset_t *rdataset;
4562 if (!isc_log_wouldlog(ns_g_lctx, level))
4565 namep = typep = classp = sep1 = sep2 = "";
4568 * Query errors can happen for various reasons. In some cases we cannot
4569 * even assume the query contains a valid question section, so we should
4570 * expect exceptional cases.
4572 if (client->query.origqname != NULL) {
4573 dns_name_format(client->query.origqname, namebuf,
4578 rdataset = ISC_LIST_HEAD(client->query.origqname->list);
4579 if (rdataset != NULL) {
4580 dns_rdataclass_format(rdataset->rdclass, classname,
4583 dns_rdatatype_format(rdataset->type, typename,
4590 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
4591 level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
4592 isc_result_totext(result), sep1, namep, sep2,
4593 classp, sep2, typep, __FILE__, line);
4597 ns_query_start(ns_client_t *client) {
4598 isc_result_t result;
4599 dns_message_t *message = client->message;
4600 dns_rdataset_t *rdataset;
4601 ns_client_t *qclient;
4602 dns_rdatatype_t qtype;
4603 unsigned int saved_extflags = client->extflags;
4604 unsigned int saved_flags = client->message->flags;
4605 isc_boolean_t want_ad;
4607 CTRACE("ns_query_start");
4610 * Ensure that appropriate cleanups occur.
4612 client->next = query_next_callback;
4615 * Behave as if we don't support DNSSEC if not enabled.
4617 if (!client->view->enablednssec) {
4618 message->flags &= ~DNS_MESSAGEFLAG_CD;
4619 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
4620 if (client->opt != NULL)
4621 client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
4624 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
4625 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
4627 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
4628 client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
4630 if (client->view->minimalresponses)
4631 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
4632 NS_QUERYATTR_NOADDITIONAL);
4634 if ((client->view->cachedb == NULL)
4635 || (!client->view->additionalfromcache)) {
4637 * We don't have a cache. Turn off cache support and
4640 client->query.attributes &=
4641 ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
4642 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
4643 (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
4645 * If the client isn't allowed to recurse (due to
4646 * "recursion no", the allow-recursion ACL, or the
4647 * lack of a resolver in this view), or if it
4648 * doesn't want recursion, turn recursion off.
4650 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
4654 * Get the question name.
4656 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
4657 if (result != ISC_R_SUCCESS) {
4658 query_error(client, result, __LINE__);
4661 dns_message_currentname(message, DNS_SECTION_QUESTION,
4662 &client->query.qname);
4663 client->query.origqname = client->query.qname;
4664 result = dns_message_nextname(message, DNS_SECTION_QUESTION);
4665 if (result != ISC_R_NOMORE) {
4666 if (result == ISC_R_SUCCESS) {
4668 * There's more than one QNAME in the question
4671 query_error(client, DNS_R_FORMERR, __LINE__);
4673 query_error(client, result, __LINE__);
4677 if (ns_g_server->log_queries)
4678 log_query(client, saved_flags, saved_extflags);
4681 * Check for multiple question queries, since edns1 is dead.
4683 if (message->counts[DNS_SECTION_QUESTION] > 1) {
4684 query_error(client, DNS_R_FORMERR, __LINE__);
4689 * Check for meta-queries like IXFR and AXFR.
4691 rdataset = ISC_LIST_HEAD(client->query.qname->list);
4692 INSIST(rdataset != NULL);
4693 qtype = rdataset->type;
4694 dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
4695 if (dns_rdatatype_ismeta(qtype)) {
4697 case dns_rdatatype_any:
4698 break; /* Let query_find handle it. */
4699 case dns_rdatatype_ixfr:
4700 case dns_rdatatype_axfr:
4701 ns_xfr_start(client, rdataset->type);
4703 case dns_rdatatype_maila:
4704 case dns_rdatatype_mailb:
4705 query_error(client, DNS_R_NOTIMP, __LINE__);
4707 case dns_rdatatype_tkey:
4708 result = dns_tkey_processquery(client->message,
4709 ns_g_server->tkeyctx,
4710 client->view->dynamickeys);
4711 if (result == ISC_R_SUCCESS)
4714 query_error(client, result, __LINE__);
4716 default: /* TSIG, etc. */
4717 query_error(client, DNS_R_FORMERR, __LINE__);
4723 * Turn on minimal response for DNSKEY and DS queries.
4725 if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
4726 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
4727 NS_QUERYATTR_NOADDITIONAL);
4730 * If the client has requested that DNSSEC checking be disabled,
4731 * allow lookups to return pending data and instruct the resolver
4732 * to return data before validation has completed.
4734 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
4735 * disabled as there will be no pending data.
4737 if (message->flags & DNS_MESSAGEFLAG_CD ||
4738 qtype == dns_rdatatype_rrsig)
4740 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
4741 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
4742 } else if (!client->view->enablevalidation)
4743 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
4746 * Allow glue NS records to be added to the authority section
4747 * if the answer is secure.
4749 if (message->flags & DNS_MESSAGEFLAG_CD)
4750 client->query.attributes &= ~NS_QUERYATTR_SECURE;
4753 * Set 'want_ad' if the client has set AD in the query.
4754 * This allows AD to be returned on queries without DO set.
4756 if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
4759 want_ad = ISC_FALSE;
4762 * This is an ordinary query.
4764 result = dns_message_reply(message, ISC_TRUE);
4765 if (result != ISC_R_SUCCESS) {
4766 query_next(client, result);
4771 * Assume authoritative response until it is known to be
4774 message->flags |= DNS_MESSAGEFLAG_AA;
4777 * Set AD. We must clear it if we add non-validated data to a
4780 if (WANTDNSSEC(client) || want_ad)
4781 message->flags |= DNS_MESSAGEFLAG_AD;
4784 ns_client_attach(client, &qclient);
4785 (void)query_find(qclient, NULL, qtype);