2 * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */
21 * Notice to programmers: Do not use this code as an example of how to
22 * use the ISC library to perform DNS lookups. Dig and Host both operate
23 * on the request level, since they allow fine-tuning of output and are
24 * intended as debugging tools. As a result, they perform many of the
25 * functions which could be better handled using the dns_resolver
26 * functions in most applications.
35 #include <dns/byaddr.h>
37 #include <dns/dnssec.h>
40 #include <isc/random.h>
43 #include <dns/fixedname.h>
44 #include <dns/message.h>
46 #include <dns/rdata.h>
47 #include <dns/rdataclass.h>
48 #include <dns/rdatalist.h>
49 #include <dns/rdataset.h>
50 #include <dns/rdatastruct.h>
51 #include <dns/rdatatype.h>
52 #include <dns/result.h>
58 #include <isc/base64.h>
59 #include <isc/entropy.h>
62 #include <isc/netaddr.h>
64 #include <isc/netdb.h>
66 #include <isc/print.h>
67 #include <isc/random.h>
68 #include <isc/result.h>
69 #include <isc/string.h>
71 #include <isc/timer.h>
72 #include <isc/types.h>
75 #include <lwres/lwres.h>
76 #include <lwres/net.h>
78 #include <bind9/getaddresses.h>
82 #if ! defined(NS_INADDRSZ)
86 #if ! defined(NS_IN6ADDRSZ)
87 #define NS_IN6ADDRSZ 16
90 static lwres_context_t *lwctx = NULL;
91 static lwres_conf_t *lwconf;
93 dig_lookuplist_t lookup_list;
94 dig_serverlist_t server_list;
95 dig_searchlistlist_t search_list;
98 have_ipv4 = ISC_FALSE,
99 have_ipv6 = ISC_FALSE,
100 specified_source = ISC_FALSE,
101 free_now = ISC_FALSE,
102 cancel_now = ISC_FALSE,
103 usesearch = ISC_FALSE,
105 is_dst_up = ISC_FALSE;
107 unsigned int timeout = 0;
108 isc_mem_t *mctx = NULL;
109 isc_taskmgr_t *taskmgr = NULL;
110 isc_task_t *global_task = NULL;
111 isc_timermgr_t *timermgr = NULL;
112 isc_socketmgr_t *socketmgr = NULL;
113 isc_sockaddr_t bind_address;
114 isc_sockaddr_t bind_any;
120 int lookup_counter = 0;
124 * 0 Everything went well, including things like NXDOMAIN
126 * 7 Got too many RR's or Names
127 * 8 Couldn't open batch file
128 * 9 No reply from server
133 char keynametext[MXNAME];
134 char keyfile[MXNAME] = "";
135 char keysecret[MXNAME] = "";
136 isc_buffer_t *namebuf = NULL;
137 dns_tsigkey_t *key = NULL;
138 isc_boolean_t validated = ISC_TRUE;
139 isc_entropy_t *entp = NULL;
140 isc_mempool_t *commctx = NULL;
141 isc_boolean_t debugging = ISC_FALSE;
142 isc_boolean_t memdebugging = ISC_FALSE;
143 char *progname = NULL;
144 isc_mutex_t lookup_lock;
145 dig_lookup_t *current_lookup = NULL;
149 isc_result_t get_trusted_key(isc_mem_t *mctx);
150 dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
151 dns_rdatatype_t covers,
152 isc_boolean_t *lookedup,
153 dns_name_t *rdata_name);
154 dns_rdataset_t * chase_scanname_section(dns_message_t *msg,
156 dns_rdatatype_t type,
157 dns_rdatatype_t covers,
159 isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset,
161 dns_rdatatype_t type,
162 dns_rdatatype_t covers,
163 isc_boolean_t *lookedup);
164 isc_result_t sigchase_verify_sig_key(dns_name_t *name,
165 dns_rdataset_t *rdataset,
166 dst_key_t* dnsseckey,
167 dns_rdataset_t *sigrdataset,
169 isc_result_t sigchase_verify_sig(dns_name_t *name,
170 dns_rdataset_t *rdataset,
171 dns_rdataset_t *keyrdataset,
172 dns_rdataset_t *sigrdataset,
174 isc_result_t sigchase_verify_ds(dns_name_t *name,
175 dns_rdataset_t *keyrdataset,
176 dns_rdataset_t *dsrdataset,
178 void sigchase(dns_message_t *msg);
179 void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
180 void print_rdataset(dns_name_t *name,
181 dns_rdataset_t *rdataset, isc_mem_t *mctx);
182 void dup_name(dns_name_t *source, dns_name_t* target,
184 void free_name(dns_name_t *name, isc_mem_t *mctx);
185 void dump_database(void);
186 void dump_database_section(dns_message_t *msg, int section);
187 dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
188 dns_rdatatype_t covers);
189 isc_result_t contains_trusted_key(dns_name_t *name,
190 dns_rdataset_t *rdataset,
191 dns_rdataset_t *sigrdataset,
193 void print_type(dns_rdatatype_t type);
194 isc_result_t prove_nx_domain(dns_message_t * msg,
196 dns_name_t * rdata_name,
197 dns_rdataset_t ** rdataset,
198 dns_rdataset_t ** sigrdataset);
199 isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name,
200 dns_rdataset_t *nsec,
201 dns_rdataclass_t class,
202 dns_rdatatype_t type,
203 dns_name_t * rdata_name,
204 dns_rdataset_t ** rdataset,
205 dns_rdataset_t ** sigrdataset);
206 isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name,
207 dns_rdataclass_t class,
208 dns_rdatatype_t type,
209 dns_name_t * rdata_name,
210 dns_rdataset_t ** rdataset,
211 dns_rdataset_t ** sigrdataset);
212 static void nameFromString(const char *str, dns_name_t *p_ret);
213 int inf_name(dns_name_t * name1, dns_name_t * name2);
214 isc_result_t opentmpkey(isc_mem_t *mctx, const char *file,
215 char **tempp, FILE **fp);
216 isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
217 void clean_trustedkey(void);
218 void insert_trustedkey(dst_key_t * key);
220 isc_result_t getneededrr(dns_message_t *msg);
221 void sigchase_bottom_up(dns_message_t *msg);
222 void sigchase_bu(dns_message_t *msg);
225 isc_result_t initialization(dns_name_t *name);
226 isc_result_t prepare_lookup(dns_name_t *name);
227 isc_result_t grandfather_pb_test(dns_name_t * zone_name,
228 dns_rdataset_t *sigrdataset);
229 isc_result_t child_of_zone(dns_name_t *name,
230 dns_name_t *zone_name,
231 dns_name_t *child_name);
232 void sigchase_td(dns_message_t *msg);
234 char trustedkey[MXNAME] = "";
236 dns_rdataset_t *chase_rdataset = NULL;
237 dns_rdataset_t *chase_sigrdataset = NULL;
238 dns_rdataset_t *chase_dsrdataset = NULL;
239 dns_rdataset_t *chase_sigdsrdataset = NULL;
240 dns_rdataset_t *chase_keyrdataset = NULL;
241 dns_rdataset_t *chase_sigkeyrdataset = NULL;
242 dns_rdataset_t *chase_nsrdataset = NULL;
244 dns_name_t chase_name; /* the query name */
247 * the current name is the parent name when we follow delegation
249 dns_name_t chase_current_name;
251 * the child name is used for delegation (NS DS responses in AUTHORITY section)
253 dns_name_t chase_authority_name;
256 dns_name_t chase_signame;
260 isc_boolean_t chase_siglookedup = ISC_FALSE;
261 isc_boolean_t chase_keylookedup = ISC_FALSE;
262 isc_boolean_t chase_sigkeylookedup = ISC_FALSE;
263 isc_boolean_t chase_dslookedup = ISC_FALSE;
264 isc_boolean_t chase_sigdslookedup = ISC_FALSE;
266 isc_boolean_t chase_nslookedup = ISC_FALSE;
267 isc_boolean_t chase_lookedup = ISC_FALSE;
270 isc_boolean_t delegation_follow = ISC_FALSE;
271 isc_boolean_t grandfather_pb = ISC_FALSE;
272 isc_boolean_t have_response = ISC_FALSE;
273 isc_boolean_t have_delegation_ns = ISC_FALSE;
274 dns_message_t * error_message = NULL;
277 isc_boolean_t dsvalidating = ISC_FALSE;
278 isc_boolean_t chase_name_dup = ISC_FALSE;
280 ISC_LIST(dig_message_t) chase_message_list;
281 ISC_LIST(dig_message_t) chase_message_list2;
284 #define MAX_TRUSTED_KEY 5
285 typedef struct struct_trusted_key_list {
286 dst_key_t * key[MAX_TRUSTED_KEY];
290 struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
294 #define DIG_MAX_ADDRESSES 20
297 * Apply and clear locks at the event level in global task.
298 * Can I get rid of these using shutdown events? XXX
300 #define LOCK_LOOKUP {\
301 debug("lock_lookup %s:%d", __FILE__, __LINE__);\
302 check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_lock");\
305 #define UNLOCK_LOOKUP {\
306 debug("unlock_lookup %s:%d", __FILE__, __LINE__);\
307 check_result(isc_mutex_unlock((&lookup_lock)),\
308 "isc_mutex_unlock");\
312 cancel_lookup(dig_lookup_t *lookup);
315 recv_done(isc_task_t *task, isc_event_t *event);
318 send_udp(dig_query_t *query);
321 connect_timeout(isc_task_t *task, isc_event_t *event);
324 launch_next_query(dig_query_t *query, isc_boolean_t include_question);
328 mem_alloc(void *arg, size_t size) {
329 return (isc_mem_get(arg, size));
333 mem_free(void *arg, void *mem, size_t size) {
334 isc_mem_put(arg, mem, size);
338 next_token(char **stringp, const char *delim) {
342 res = strsep(stringp, delim);
345 } while (*res == '\0');
350 count_dots(char *string) {
364 hex_dump(isc_buffer_t *b) {
368 isc_buffer_usedregion(b, &r);
370 printf("%d bytes\n", r.length);
371 for (len = 0; len < r.length; len++) {
372 printf("%02x ", r.base[len]);
381 * Append 'len' bytes of 'text' at '*p', failing with
382 * ISC_R_NOSPACE if that would advance p past 'end'.
385 append(const char *text, int len, char **p, char *end) {
387 return (ISC_R_NOSPACE);
388 memcpy(*p, text, len);
390 return (ISC_R_SUCCESS);
394 reverse_octets(const char *in, char **p, char *end) {
395 char *dot = strchr(in, '.');
399 result = reverse_octets(dot + 1, p, end);
400 if (result != ISC_R_SUCCESS)
402 result = append(".", 1, p, end);
403 if (result != ISC_R_SUCCESS)
409 return (append(in, len, p, end));
413 get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
414 isc_boolean_t strict)
420 addr.family = AF_INET6;
421 r = inet_pton(AF_INET6, value, &addr.type.in6);
423 /* This is a valid IPv6 address. */
424 dns_fixedname_t fname;
426 unsigned int options = 0;
429 options |= DNS_BYADDROPT_IPV6INT;
430 dns_fixedname_init(&fname);
431 name = dns_fixedname_name(&fname);
432 result = dns_byaddr_createptrname2(&addr, options, name);
433 if (result != ISC_R_SUCCESS)
435 dns_name_format(name, reverse, len);
436 return (ISC_R_SUCCESS);
439 * Not a valid IPv6 address. Assume IPv4.
440 * If 'strict' is not set, construct the
441 * in-addr.arpa name by blindly reversing
442 * octets whether or not they look like integers,
443 * so that this can be used for RFC2317 names
447 char *end = reverse + len;
448 if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
449 return (DNS_R_BADDOTTEDQUAD);
450 result = reverse_octets(value, &p, end);
451 if (result != ISC_R_SUCCESS)
453 /* Append .in-addr.arpa. and a terminating NUL. */
454 result = append(".in-addr.arpa.", 15, &p, end);
455 if (result != ISC_R_SUCCESS)
457 return (ISC_R_SUCCESS);
462 fatal(const char *format, ...) {
465 fprintf(stderr, "%s: ", progname);
466 va_start(args, format);
467 vfprintf(stderr, format, args);
469 fprintf(stderr, "\n");
473 exitcode = fatalexit;
478 debug(const char *format, ...) {
482 va_start(args, format);
483 vfprintf(stderr, format, args);
485 fprintf(stderr, "\n");
490 check_result(isc_result_t result, const char *msg) {
491 if (result != ISC_R_SUCCESS) {
492 fatal("%s: %s", msg, isc_result_totext(result));
497 * Create a server structure, which is part of the lookup structure.
498 * This is little more than a linked list of servers to query in hopes
499 * of finding the answer the user is looking for
502 make_server(const char *servname, const char *userarg) {
505 REQUIRE(servname != NULL);
507 debug("make_server(%s)", servname);
508 srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
510 fatal("memory allocation failure in %s:%d",
512 strncpy(srv->servername, servname, MXNAME);
513 strncpy(srv->userarg, userarg, MXNAME);
514 srv->servername[MXNAME-1] = 0;
515 srv->userarg[MXNAME-1] = 0;
516 ISC_LINK_INIT(srv, link);
521 addr2af(int lwresaddrtype)
525 switch (lwresaddrtype) {
526 case LWRES_ADDRTYPE_V4:
530 case LWRES_ADDRTYPE_V6:
539 * Create a copy of the server list from the lwres configuration structure.
540 * The dest list must have already had ISC_LIST_INIT applied.
543 copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
544 dig_server_t *newsrv;
545 char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
549 debug("copy_server_list()");
550 for (i = 0; i < confdata->nsnext; i++) {
551 af = addr2af(confdata->nameservers[i].family);
553 lwres_net_ntop(af, confdata->nameservers[i].address,
555 newsrv = make_server(tmp, tmp);
556 ISC_LINK_INIT(newsrv, link);
557 ISC_LIST_ENQUEUE(*dest, newsrv, link);
562 flush_server_list(void) {
563 dig_server_t *s, *ps;
565 debug("flush_server_list()");
566 s = ISC_LIST_HEAD(server_list);
569 s = ISC_LIST_NEXT(s, link);
570 ISC_LIST_DEQUEUE(server_list, ps, link);
571 isc_mem_free(mctx, ps);
576 set_nameserver(char *opt) {
578 isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
579 isc_netaddr_t netaddr;
582 char tmp[ISC_NETADDR_FORMATSIZE];
587 result = bind9_getaddresses(opt, 0, sockaddrs,
588 DIG_MAX_ADDRESSES, &count);
589 if (result != ISC_R_SUCCESS)
590 fatal("couldn't get address for '%s': %s",
591 opt, isc_result_totext(result));
595 for (i = 0; i < count; i++) {
596 isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
597 isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
598 srv = make_server(tmp, opt);
600 fatal("memory allocation failure");
601 ISC_LIST_APPEND(server_list, srv, link);
606 add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
608 int i = confdata->nsnext;
610 if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
611 return (ISC_R_FAILURE);
615 confdata->nameservers[i].family = LWRES_ADDRTYPE_V4;
616 confdata->nameservers[i].length = NS_INADDRSZ;
619 confdata->nameservers[i].family = LWRES_ADDRTYPE_V6;
620 confdata->nameservers[i].length = NS_IN6ADDRSZ;
623 return (ISC_R_FAILURE);
626 if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) {
628 return (ISC_R_SUCCESS);
630 return (ISC_R_FAILURE);
634 * Produce a cloned server list. The dest list must have already had
635 * ISC_LIST_INIT applied.
638 clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
639 dig_server_t *srv, *newsrv;
641 debug("clone_server_list()");
642 srv = ISC_LIST_HEAD(src);
643 while (srv != NULL) {
644 newsrv = make_server(srv->servername, srv->userarg);
645 ISC_LINK_INIT(newsrv, link);
646 ISC_LIST_ENQUEUE(*dest, newsrv, link);
647 srv = ISC_LIST_NEXT(srv, link);
652 * Create an empty lookup structure, which holds all the information needed
653 * to get an answer to a user's question. This structure contains two
654 * linked lists: the server list (servers to query) and the query list
655 * (outstanding queries which have been made to the listed servers).
658 make_empty_lookup(void) {
659 dig_lookup_t *looknew;
661 debug("make_empty_lookup()");
665 looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
667 fatal("memory allocation failure in %s:%d",
669 looknew->pending = ISC_TRUE;
670 looknew->textname[0] = 0;
671 looknew->cmdline[0] = 0;
672 looknew->rdtype = dns_rdatatype_a;
673 looknew->qrdtype = dns_rdatatype_a;
674 looknew->rdclass = dns_rdataclass_in;
675 looknew->rdtypeset = ISC_FALSE;
676 looknew->rdclassset = ISC_FALSE;
677 looknew->sendspace = NULL;
678 looknew->sendmsg = NULL;
679 looknew->name = NULL;
680 looknew->oname = NULL;
681 looknew->timer = NULL;
682 looknew->xfr_q = NULL;
683 looknew->current_query = NULL;
684 looknew->doing_xfr = ISC_FALSE;
685 looknew->ixfr_serial = ISC_FALSE;
686 looknew->trace = ISC_FALSE;
687 looknew->trace_root = ISC_FALSE;
688 looknew->identify = ISC_FALSE;
689 looknew->identify_previous_line = ISC_FALSE;
690 looknew->ignore = ISC_FALSE;
691 looknew->servfail_stops = ISC_TRUE;
692 looknew->besteffort = ISC_TRUE;
693 looknew->dnssec = ISC_FALSE;
695 looknew->sigchase = ISC_FALSE;
697 looknew->do_topdown = ISC_FALSE;
698 looknew->trace_root_sigchase = ISC_FALSE;
699 looknew->rdtype_sigchaseset = ISC_FALSE;
700 looknew->rdtype_sigchase = dns_rdatatype_any;
701 looknew->qrdtype_sigchase = dns_rdatatype_any;
702 looknew->rdclass_sigchase = dns_rdataclass_in;
703 looknew->rdclass_sigchaseset = ISC_FALSE;
706 looknew->udpsize = 0;
707 looknew->recurse = ISC_TRUE;
708 looknew->aaonly = ISC_FALSE;
709 looknew->adflag = ISC_FALSE;
710 looknew->cdflag = ISC_FALSE;
711 looknew->ns_search_only = ISC_FALSE;
712 looknew->origin = NULL;
713 looknew->tsigctx = NULL;
714 looknew->querysig = NULL;
715 looknew->retries = tries;
716 looknew->nsfound = 0;
717 looknew->tcp_mode = ISC_FALSE;
718 looknew->ip6_int = ISC_FALSE;
719 looknew->comments = ISC_TRUE;
720 looknew->stats = ISC_TRUE;
721 looknew->section_question = ISC_TRUE;
722 looknew->section_answer = ISC_TRUE;
723 looknew->section_authority = ISC_TRUE;
724 looknew->section_additional = ISC_TRUE;
725 looknew->new_search = ISC_FALSE;
726 ISC_LINK_INIT(looknew, link);
727 ISC_LIST_INIT(looknew->q);
728 ISC_LIST_INIT(looknew->my_server_list);
733 * Clone a lookup, perhaps copying the server list. This does not clone
734 * the query list, since it will be regenerated by the setup_lookup()
735 * function, nor does it queue up the new lookup for processing.
736 * Caution: If you don't clone the servers, you MUST clone the server
737 * list seperately from somewhere else, or construct it by hand.
740 clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
741 dig_lookup_t *looknew;
743 debug("clone_lookup()");
747 looknew = make_empty_lookup();
748 INSIST(looknew != NULL);
749 strncpy(looknew->textname, lookold->textname, MXNAME);
751 strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
753 strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
754 looknew->textname[MXNAME-1] = 0;
755 looknew->rdtype = lookold->rdtype;
756 looknew->qrdtype = lookold->qrdtype;
757 looknew->rdclass = lookold->rdclass;
758 looknew->rdtypeset = lookold->rdtypeset;
759 looknew->rdclassset = lookold->rdclassset;
760 looknew->doing_xfr = lookold->doing_xfr;
761 looknew->ixfr_serial = lookold->ixfr_serial;
762 looknew->trace = lookold->trace;
763 looknew->trace_root = lookold->trace_root;
764 looknew->identify = lookold->identify;
765 looknew->identify_previous_line = lookold->identify_previous_line;
766 looknew->ignore = lookold->ignore;
767 looknew->servfail_stops = lookold->servfail_stops;
768 looknew->besteffort = lookold->besteffort;
769 looknew->dnssec = lookold->dnssec;
771 looknew->sigchase = lookold->sigchase;
773 looknew->do_topdown = lookold->do_topdown;
774 looknew->trace_root_sigchase = lookold->trace_root_sigchase;
775 looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset;
776 looknew->rdtype_sigchase = lookold->rdtype_sigchase;
777 looknew->qrdtype_sigchase = lookold->qrdtype_sigchase;
778 looknew->rdclass_sigchase = lookold->rdclass_sigchase;
779 looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset;
782 looknew->udpsize = lookold->udpsize;
783 looknew->recurse = lookold->recurse;
784 looknew->aaonly = lookold->aaonly;
785 looknew->adflag = lookold->adflag;
786 looknew->cdflag = lookold->cdflag;
787 looknew->ns_search_only = lookold->ns_search_only;
788 looknew->tcp_mode = lookold->tcp_mode;
789 looknew->comments = lookold->comments;
790 looknew->stats = lookold->stats;
791 looknew->section_question = lookold->section_question;
792 looknew->section_answer = lookold->section_answer;
793 looknew->section_authority = lookold->section_authority;
794 looknew->section_additional = lookold->section_additional;
795 looknew->retries = lookold->retries;
796 looknew->tsigctx = NULL;
799 clone_server_list(lookold->my_server_list,
800 &looknew->my_server_list);
805 * Requeue a lookup for further processing, perhaps copying the server
806 * list. The new lookup structure is returned to the caller, and is
807 * queued for processing. If servers are not cloned in the requeue, they
808 * must be added before allowing the current event to complete, since the
809 * completion of the event may result in the next entry on the lookup
813 requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
814 dig_lookup_t *looknew;
816 debug("requeue_lookup()");
819 if (lookup_counter > LOOKUP_LIMIT)
820 fatal("too many lookups");
822 looknew = clone_lookup(lookold, servers);
823 INSIST(looknew != NULL);
825 debug("before insertion, init@%p -> %p, new@%p -> %p",
826 lookold, lookold->link.next, looknew, looknew->link.next);
827 ISC_LIST_PREPEND(lookup_list, looknew, link);
828 debug("after insertion, init -> %p, new = %p, new -> %p",
829 lookold, looknew, looknew->link.next);
835 setup_text_key(void) {
838 isc_buffer_t secretbuf;
840 unsigned char *secretstore;
842 debug("setup_text_key()");
843 result = isc_buffer_allocate(mctx, &namebuf, MXNAME);
844 check_result(result, "isc_buffer_allocate");
845 dns_name_init(&keyname, NULL);
846 check_result(result, "dns_name_init");
847 isc_buffer_putstr(namebuf, keynametext);
848 secretsize = strlen(keysecret) * 3 / 4;
849 secretstore = isc_mem_allocate(mctx, secretsize);
850 if (secretstore == NULL)
851 fatal("memory allocation failure in %s:%d",
853 isc_buffer_init(&secretbuf, secretstore, secretsize);
854 result = isc_base64_decodestring(keysecret, &secretbuf);
855 if (result != ISC_R_SUCCESS)
858 secretsize = isc_buffer_usedlength(&secretbuf);
860 result = dns_name_fromtext(&keyname, namebuf,
861 dns_rootname, ISC_FALSE,
863 if (result != ISC_R_SUCCESS)
866 result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
867 secretstore, secretsize,
868 ISC_FALSE, NULL, 0, 0, mctx,
871 if (result != ISC_R_SUCCESS)
872 printf(";; Couldn't create key %s: %s\n",
873 keynametext, isc_result_totext(result));
875 isc_mem_free(mctx, secretstore);
876 dns_name_invalidate(&keyname);
877 isc_buffer_free(&namebuf);
881 setup_file_key(void) {
883 dst_key_t *dstkey = NULL;
885 debug("setup_file_key()");
886 result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
888 if (result != ISC_R_SUCCESS) {
889 fprintf(stderr, "Couldn't read key from %s: %s\n",
890 keyfile, isc_result_totext(result));
894 result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
895 dns_tsig_hmacmd5_name,
896 dstkey, ISC_FALSE, NULL, 0, 0,
898 if (result != ISC_R_SUCCESS) {
899 printf(";; Couldn't create key %s: %s\n",
900 keynametext, isc_result_totext(result));
906 dst_key_free(&dstkey);
909 static dig_searchlist_t *
910 make_searchlist_entry(char *domain) {
911 dig_searchlist_t *search;
912 search = isc_mem_allocate(mctx, sizeof(*search));
914 fatal("memory allocation failure in %s:%d",
916 strncpy(search->origin, domain, MXNAME);
917 search->origin[MXNAME-1] = 0;
918 ISC_LINK_INIT(search, link);
923 create_search_list(lwres_conf_t *confdata) {
925 dig_searchlist_t *search;
927 debug("create_search_list()");
928 ISC_LIST_INIT(search_list);
930 for (i = 0; i < confdata->searchnxt; i++) {
931 search = make_searchlist_entry(confdata->search[i]);
932 ISC_LIST_APPEND(search_list, search, link);
937 * Setup the system as a whole, reading key information and resolv.conf
942 dig_searchlist_t *domain = NULL;
943 lwres_result_t lwresult;
945 debug("setup_system()");
947 lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
948 if (lwresult != LWRES_R_SUCCESS)
949 fatal("lwres_context_create failed");
951 lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
952 if (lwresult != LWRES_R_SUCCESS && lwresult != LWRES_R_NOTFOUND)
953 fatal("parse of %s failed", RESOLV_CONF);
955 lwconf = lwres_conf_get(lwctx);
957 /* Make the search list */
958 if (lwconf->searchnxt > 0)
959 create_search_list(lwconf);
960 else { /* No search list. Use the domain name if any */
961 if (lwconf->domainname != NULL) {
962 domain = make_searchlist_entry(lwconf->domainname);
963 ISC_LIST_INITANDAPPEND(search_list, domain, link);
969 ndots = lwconf->ndots;
970 debug("ndots is %d.", ndots);
973 /* If we don't find a nameserver fall back to localhost */
974 if (lwconf->nsnext == 0) {
976 lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
977 if (lwresult != ISC_R_SUCCESS)
978 fatal("add_nameserver failed");
981 lwresult = add_nameserver(lwconf, "::1", AF_INET6);
982 if (lwresult != ISC_R_SUCCESS)
983 fatal("add_nameserver failed");
987 if (ISC_LIST_EMPTY(server_list))
988 copy_server_list(lwconf, &server_list);
992 else if (keysecret[0] != 0)
995 /* Setup the list of messages for +sigchase */
996 ISC_LIST_INIT(chase_message_list);
997 ISC_LIST_INIT(chase_message_list2);
998 dns_name_init(&chase_name, NULL);
1000 dns_name_init(&chase_current_name, NULL);
1001 dns_name_init(&chase_authority_name, NULL);
1004 dns_name_init(&chase_signame, NULL);
1012 clear_searchlist(void) {
1013 dig_searchlist_t *search;
1014 while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
1015 ISC_LIST_UNLINK(search_list, search, link);
1016 isc_mem_free(mctx, search);
1021 * Override the search list derived from resolv.conf by 'domain'.
1024 set_search_domain(char *domain) {
1025 dig_searchlist_t *search;
1028 search = make_searchlist_entry(domain);
1029 ISC_LIST_APPEND(search_list, search, link);
1033 * Setup the ISC and DNS libraries for use by the system.
1037 isc_result_t result;
1039 debug("setup_libs()");
1041 result = isc_net_probeipv4();
1042 if (result == ISC_R_SUCCESS)
1043 have_ipv4 = ISC_TRUE;
1045 result = isc_net_probeipv6();
1046 if (result == ISC_R_SUCCESS)
1047 have_ipv6 = ISC_TRUE;
1048 if (!have_ipv6 && !have_ipv4)
1049 fatal("can't find either v4 or v6 networking");
1051 result = isc_mem_create(0, 0, &mctx);
1052 check_result(result, "isc_mem_create");
1054 result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
1055 check_result(result, "isc_taskmgr_create");
1057 result = isc_task_create(taskmgr, 0, &global_task);
1058 check_result(result, "isc_task_create");
1060 result = isc_timermgr_create(mctx, &timermgr);
1061 check_result(result, "isc_timermgr_create");
1063 result = isc_socketmgr_create(mctx, &socketmgr);
1064 check_result(result, "isc_socketmgr_create");
1066 result = isc_entropy_create(mctx, &entp);
1067 check_result(result, "isc_entropy_create");
1069 result = dst_lib_init(mctx, entp, 0);
1070 check_result(result, "dst_lib_init");
1071 is_dst_up = ISC_TRUE;
1073 result = isc_mempool_create(mctx, COMMSIZE, &commctx);
1074 check_result(result, "isc_mempool_create");
1075 isc_mempool_setname(commctx, "COMMPOOL");
1077 * 6 and 2 set as reasonable parameters for 3 or 4 nameserver
1080 isc_mempool_setfreemax(commctx, 6);
1081 isc_mempool_setfillcount(commctx, 2);
1083 result = isc_mutex_init(&lookup_lock);
1084 check_result(result, "isc_mutex_init");
1086 dns_result_register();
1090 * Add EDNS0 option record to a message. Currently, the only supported
1091 * options are UDP buffer size and the DO bit.
1094 add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
1095 dns_rdataset_t *rdataset = NULL;
1096 dns_rdatalist_t *rdatalist = NULL;
1097 dns_rdata_t *rdata = NULL;
1098 isc_result_t result;
1101 result = dns_message_gettemprdataset(msg, &rdataset);
1102 check_result(result, "dns_message_gettemprdataset");
1103 dns_rdataset_init(rdataset);
1104 result = dns_message_gettemprdatalist(msg, &rdatalist);
1105 check_result(result, "dns_message_gettemprdatalist");
1106 result = dns_message_gettemprdata(msg, &rdata);
1107 check_result(result, "dns_message_gettemprdata");
1109 debug("setting udp size of %d", udpsize);
1110 rdatalist->type = dns_rdatatype_opt;
1111 rdatalist->covers = 0;
1112 rdatalist->rdclass = udpsize;
1115 rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
1118 ISC_LIST_INIT(rdatalist->rdata);
1119 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
1120 dns_rdatalist_tordataset(rdatalist, rdataset);
1121 result = dns_message_setopt(msg, rdataset);
1122 check_result(result, "dns_message_setopt");
1126 * Add a question section to a message, asking for the specified name,
1130 add_question(dns_message_t *message, dns_name_t *name,
1131 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype)
1133 dns_rdataset_t *rdataset;
1134 isc_result_t result;
1136 debug("add_question()");
1138 result = dns_message_gettemprdataset(message, &rdataset);
1139 check_result(result, "dns_message_gettemprdataset()");
1140 dns_rdataset_init(rdataset);
1141 dns_rdataset_makequestion(rdataset, rdclass, rdtype);
1142 ISC_LIST_APPEND(name->list, rdataset, link);
1146 * Check if we're done with all the queued lookups, which is true iff
1147 * all sockets, sends, and recvs are accounted for (counters == 0),
1148 * and the lookup list is empty.
1149 * If we are done, pass control back out to dighost_shutdown() (which is
1150 * part of dig.c, host.c, or nslookup.c) to either shutdown the system as
1151 * a whole or reseed the lookup list.
1154 check_if_done(void) {
1155 debug("check_if_done()");
1156 debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full");
1157 if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL &&
1159 INSIST(sockcount == 0);
1160 INSIST(recvcount == 0);
1161 debug("shutting down");
1167 * Clear out a query when we're done with it. WARNING: This routine
1168 * WILL invalidate the query pointer.
1171 clear_query(dig_query_t *query) {
1172 dig_lookup_t *lookup;
1174 REQUIRE(query != NULL);
1176 debug("clear_query(%p)", query);
1178 lookup = query->lookup;
1180 if (lookup->current_query == query)
1181 lookup->current_query = NULL;
1183 ISC_LIST_UNLINK(lookup->q, query, link);
1184 if (ISC_LINK_LINKED(&query->recvbuf, link))
1185 ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
1187 if (ISC_LINK_LINKED(&query->lengthbuf, link))
1188 ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
1190 INSIST(query->recvspace != NULL);
1191 if (query->sock != NULL) {
1192 isc_socket_detach(&query->sock);
1194 debug("sockcount=%d", sockcount);
1196 isc_mempool_put(commctx, query->recvspace);
1197 isc_buffer_invalidate(&query->recvbuf);
1198 isc_buffer_invalidate(&query->lengthbuf);
1199 if (query->waiting_senddone)
1200 query->pending_free = ISC_TRUE;
1202 isc_mem_free(mctx, query);
1206 * Try and clear out a lookup if we're done with it. Return ISC_TRUE if
1207 * the lookup was successfully cleared. If ISC_TRUE is returned, the
1208 * lookup pointer has been invalidated.
1210 static isc_boolean_t
1211 try_clear_lookup(dig_lookup_t *lookup) {
1216 REQUIRE(lookup != NULL);
1218 debug("try_clear_lookup(%p)", lookup);
1220 if (ISC_LIST_HEAD(lookup->q) != NULL) {
1222 q = ISC_LIST_HEAD(lookup->q);
1224 debug("query to %s still pending", q->servname);
1225 q = ISC_LIST_NEXT(q, link);
1232 * At this point, we know there are no queries on the lookup,
1233 * so can make it go away also.
1236 s = ISC_LIST_HEAD(lookup->my_server_list);
1238 debug("freeing server %p belonging to %p", s, lookup);
1240 s = ISC_LIST_NEXT(s, link);
1241 ISC_LIST_DEQUEUE(lookup->my_server_list,
1242 (dig_server_t *)ptr, link);
1243 isc_mem_free(mctx, ptr);
1245 if (lookup->sendmsg != NULL)
1246 dns_message_destroy(&lookup->sendmsg);
1247 if (lookup->querysig != NULL) {
1248 debug("freeing buffer %p", lookup->querysig);
1249 isc_buffer_free(&lookup->querysig);
1251 if (lookup->timer != NULL)
1252 isc_timer_detach(&lookup->timer);
1253 if (lookup->sendspace != NULL)
1254 isc_mempool_put(commctx, lookup->sendspace);
1256 if (lookup->tsigctx != NULL)
1257 dst_context_destroy(&lookup->tsigctx);
1259 isc_mem_free(mctx, lookup);
1264 * If we can, start the next lookup in the queue running.
1265 * This assumes that the lookup on the head of the queue hasn't been
1266 * started yet. It also removes the lookup from the head of the queue,
1267 * setting the current_lookup pointer pointing to it.
1270 start_lookup(void) {
1271 debug("start_lookup()");
1276 * If there's a current lookup running, we really shouldn't get
1279 INSIST(current_lookup == NULL);
1281 current_lookup = ISC_LIST_HEAD(lookup_list);
1283 * Put the current lookup somewhere so cancel_all can find it
1285 if (current_lookup != NULL) {
1286 ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
1288 if (current_lookup->do_topdown &&
1289 !current_lookup->rdtype_sigchaseset) {
1290 dst_key_t *trustedkey = NULL;
1291 isc_buffer_t *b = NULL;
1293 isc_result_t result;
1294 dns_name_t query_name;
1295 dns_name_t *key_name;
1298 result = get_trusted_key(mctx);
1299 if (result != ISC_R_SUCCESS) {
1300 printf("\n;; No trusted key, "
1301 "+sigchase option is disabled\n");
1302 current_lookup->sigchase = ISC_FALSE;
1305 dns_name_init(&query_name, NULL);
1306 nameFromString(current_lookup->textname, &query_name);
1308 for (i = 0; i < tk_list.nb_tk; i++) {
1309 key_name = dst_key_name(tk_list.key[i]);
1311 if (dns_name_issubdomain(&query_name,
1312 key_name) == ISC_TRUE)
1313 trustedkey = tk_list.key[i];
1315 * Verifier que la temp est bien la plus basse
1319 if (trustedkey == NULL) {
1320 printf("\n;; The queried zone: ");
1321 dns_name_print(&query_name, stdout);
1322 printf(" isn't a subdomain of any Trusted Keys"
1323 ": +sigchase option is disable\n");
1324 current_lookup->sigchase = ISC_FALSE;
1325 free_name(&query_name, mctx);
1328 free_name(&query_name, mctx);
1330 current_lookup->rdtype_sigchase
1331 = current_lookup->rdtype;
1332 current_lookup->rdtype_sigchaseset
1333 = current_lookup->rdtypeset;
1334 current_lookup->rdtype = dns_rdatatype_ns;
1336 current_lookup->qrdtype_sigchase
1337 = current_lookup->qrdtype;
1338 current_lookup->qrdtype = dns_rdatatype_ns;
1340 current_lookup->rdclass_sigchase
1341 = current_lookup->rdclass;
1342 current_lookup->rdclass_sigchaseset
1343 = current_lookup->rdclassset;
1344 current_lookup->rdclass = dns_rdataclass_in;
1346 strncpy(current_lookup->textnamesigchase,
1347 current_lookup->textname, MXNAME);
1349 current_lookup->trace_root_sigchase = ISC_TRUE;
1351 result = isc_buffer_allocate(mctx, &b, BUFSIZE);
1352 check_result(result, "isc_buffer_allocate");
1353 result = dns_name_totext(dst_key_name(trustedkey),
1355 check_result(result, "dns_name_totext");
1356 isc_buffer_usedregion(b, &r);
1357 r.base[r.length] = '\0';
1358 strncpy(current_lookup->textname, (char*)r.base,
1360 isc_buffer_free(&b);
1362 nameFromString(current_lookup->textnamesigchase,
1365 dns_name_init(&chase_authority_name, NULL);
1369 setup_lookup(current_lookup);
1370 do_lookup(current_lookup);
1377 * If we can, clear the current lookup and start the next one running.
1378 * This calls try_clear_lookup, so may invalidate the lookup pointer.
1381 check_next_lookup(dig_lookup_t *lookup) {
1385 debug("check_next_lookup(%p)", lookup);
1387 if (ISC_LIST_HEAD(lookup->q) != NULL) {
1388 debug("still have a worker");
1391 if (try_clear_lookup(lookup)) {
1392 current_lookup = NULL;
1398 * Create and queue a new lookup as a followup to the current lookup,
1399 * based on the supplied message and section. This is used in trace and
1400 * name server search modes to start a new lookup using servers from
1401 * NS records in a reply. Returns the number of followup lookups made.
1404 followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
1406 dig_lookup_t *lookup = NULL;
1407 dig_server_t *srv = NULL;
1408 dns_rdataset_t *rdataset = NULL;
1409 dns_rdata_t rdata = DNS_RDATA_INIT;
1410 dns_name_t *name = NULL;
1411 isc_result_t result;
1412 isc_boolean_t success = ISC_FALSE;
1417 debug("following up %s", query->lookup->textname);
1419 for (result = dns_message_firstname(msg, section);
1420 result == ISC_R_SUCCESS;
1421 result = dns_message_nextname(msg, section)) {
1423 dns_message_currentname(msg, section, &name);
1425 if (section == DNS_SECTION_AUTHORITY) {
1427 result = dns_message_findtype(name, dns_rdatatype_soa,
1429 if (result == ISC_R_SUCCESS)
1433 result = dns_message_findtype(name, dns_rdatatype_ns, 0,
1435 if (result != ISC_R_SUCCESS)
1438 debug("found NS set");
1440 for (result = dns_rdataset_first(rdataset);
1441 result == ISC_R_SUCCESS;
1442 result = dns_rdataset_next(rdataset)) {
1443 char namestr[DNS_NAME_FORMATSIZE];
1446 if (query->lookup->trace_root &&
1447 query->lookup->nsfound >= MXSERV)
1450 dns_rdataset_current(rdataset, &rdata);
1452 query->lookup->nsfound++;
1453 (void)dns_rdata_tostruct(&rdata, &ns, NULL);
1454 dns_name_format(&ns.name, namestr, sizeof(namestr));
1455 dns_rdata_freestruct(&ns);
1457 /* Initialize lookup if we've not yet */
1458 debug("found NS %d %s", numLookups, namestr);
1463 lookup = requeue_lookup(query->lookup,
1465 cancel_lookup(query->lookup);
1466 lookup->doing_xfr = ISC_FALSE;
1467 if (!lookup->trace_root &&
1468 section == DNS_SECTION_ANSWER)
1469 lookup->trace = ISC_FALSE;
1471 lookup->trace = query->lookup->trace;
1472 lookup->ns_search_only =
1473 query->lookup->ns_search_only;
1474 lookup->trace_root = ISC_FALSE;
1475 if (lookup->ns_search_only)
1476 lookup->recurse = ISC_FALSE;
1478 srv = make_server(namestr, namestr);
1479 debug("adding server %s", srv->servername);
1480 ISC_LIST_APPEND(lookup->my_server_list, srv, link);
1481 dns_rdata_reset(&rdata);
1485 if (lookup == NULL &&
1486 section == DNS_SECTION_ANSWER &&
1487 (query->lookup->trace || query->lookup->ns_search_only))
1488 return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
1494 * Create and queue a new lookup using the next origin from the search
1495 * list, read in setup_system().
1497 * Return ISC_TRUE iff there was another searchlist entry.
1499 static isc_boolean_t
1500 next_origin(dns_message_t *msg, dig_query_t *query) {
1501 dig_lookup_t *lookup;
1507 debug("next_origin()");
1508 debug("following up %s", query->lookup->textname);
1512 * We're not using a search list, so don't even think
1513 * about finding the next entry.
1516 if (query->lookup->origin == NULL)
1518 * Then we just did rootorg; there's nothing left.
1521 lookup = requeue_lookup(query->lookup, ISC_TRUE);
1522 lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
1523 cancel_lookup(query->lookup);
1528 * Insert an SOA record into the sendmessage in a lookup. Used for
1529 * creating IXFR queries.
1532 insert_soa(dig_lookup_t *lookup) {
1533 isc_result_t result;
1534 dns_rdata_soa_t soa;
1535 dns_rdata_t *rdata = NULL;
1536 dns_rdatalist_t *rdatalist = NULL;
1537 dns_rdataset_t *rdataset = NULL;
1538 dns_name_t *soaname = NULL;
1540 debug("insert_soa()");
1542 soa.serial = lookup->ixfr_serial;
1547 soa.common.rdclass = lookup->rdclass;
1548 soa.common.rdtype = dns_rdatatype_soa;
1550 dns_name_init(&soa.origin, NULL);
1551 dns_name_init(&soa.contact, NULL);
1553 dns_name_clone(dns_rootname, &soa.origin);
1554 dns_name_clone(dns_rootname, &soa.contact);
1556 isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore,
1557 sizeof(lookup->rdatastore));
1559 result = dns_message_gettemprdata(lookup->sendmsg, &rdata);
1560 check_result(result, "dns_message_gettemprdata");
1562 result = dns_rdata_fromstruct(rdata, lookup->rdclass,
1563 dns_rdatatype_soa, &soa,
1565 check_result(result, "isc_rdata_fromstruct");
1567 result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist);
1568 check_result(result, "dns_message_gettemprdatalist");
1570 result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset);
1571 check_result(result, "dns_message_gettemprdataset");
1573 dns_rdatalist_init(rdatalist);
1574 rdatalist->type = dns_rdatatype_soa;
1575 rdatalist->rdclass = lookup->rdclass;
1576 rdatalist->covers = 0;
1578 ISC_LIST_INIT(rdatalist->rdata);
1579 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
1581 dns_rdataset_init(rdataset);
1582 dns_rdatalist_tordataset(rdatalist, rdataset);
1584 result = dns_message_gettempname(lookup->sendmsg, &soaname);
1585 check_result(result, "dns_message_gettempname");
1586 dns_name_init(soaname, NULL);
1587 dns_name_clone(lookup->name, soaname);
1588 ISC_LIST_INIT(soaname->list);
1589 ISC_LIST_APPEND(soaname->list, rdataset, link);
1590 dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
1594 * Setup the supplied lookup structure, making it ready to start sending
1595 * queries to servers. Create and initialize the message to be sent as
1596 * well as the query structures and buffer space for the replies. If the
1597 * server list is empty, clone it from the system default list.
1600 setup_lookup(dig_lookup_t *lookup) {
1601 isc_result_t result;
1607 dns_compress_t cctx;
1610 REQUIRE(lookup != NULL);
1613 debug("setup_lookup(%p)", lookup);
1615 result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
1617 check_result(result, "dns_message_create");
1619 if (lookup->new_search) {
1620 debug("resetting lookup counter.");
1624 if (ISC_LIST_EMPTY(lookup->my_server_list)) {
1625 debug("cloning server list");
1626 clone_server_list(server_list, &lookup->my_server_list);
1628 result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
1629 check_result(result, "dns_message_gettempname");
1630 dns_name_init(lookup->name, NULL);
1632 isc_buffer_init(&lookup->namebuf, lookup->namespace,
1633 sizeof(lookup->namespace));
1634 isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
1635 sizeof(lookup->onamespace));
1638 * If the name has too many dots, force the origin to be NULL
1639 * (which produces an absolute lookup). Otherwise, take the origin
1640 * we have if there's one in the struct already. If it's NULL,
1641 * take the first entry in the searchlist iff either usesearch
1642 * is TRUE or we got a domain line in the resolv.conf file.
1644 /* XXX New search here? */
1645 if ((count_dots(lookup->textname) >= ndots) || !usesearch)
1646 lookup->origin = NULL; /* Force abs lookup */
1647 else if (lookup->origin == NULL && lookup->new_search && usesearch)
1648 lookup->origin = ISC_LIST_HEAD(search_list);
1650 if (lookup->origin != NULL) {
1651 debug("trying origin %s", lookup->origin->origin);
1652 result = dns_message_gettempname(lookup->sendmsg,
1654 check_result(result, "dns_message_gettempname");
1655 dns_name_init(lookup->oname, NULL);
1656 /* XXX Helper funct to conv char* to name? */
1657 len = strlen(lookup->origin->origin);
1658 isc_buffer_init(&b, lookup->origin->origin, len);
1659 isc_buffer_add(&b, len);
1660 result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
1661 ISC_FALSE, &lookup->onamebuf);
1662 if (result != ISC_R_SUCCESS) {
1663 dns_message_puttempname(lookup->sendmsg,
1665 dns_message_puttempname(lookup->sendmsg,
1667 fatal("'%s' is not in legal name syntax (%s)",
1668 lookup->origin->origin,
1669 isc_result_totext(result));
1671 if (lookup->trace && lookup->trace_root) {
1672 dns_name_clone(dns_rootname, lookup->name);
1674 len = strlen(lookup->textname);
1675 isc_buffer_init(&b, lookup->textname, len);
1676 isc_buffer_add(&b, len);
1677 result = dns_name_fromtext(lookup->name, &b,
1678 lookup->oname, ISC_FALSE,
1681 if (result != ISC_R_SUCCESS) {
1682 dns_message_puttempname(lookup->sendmsg,
1684 dns_message_puttempname(lookup->sendmsg,
1686 fatal("'%s' is not in legal name syntax (%s)",
1687 lookup->textname, isc_result_totext(result));
1689 dns_message_puttempname(lookup->sendmsg, &lookup->oname);
1691 debug("using root origin");
1692 if (lookup->trace && lookup->trace_root)
1693 dns_name_clone(dns_rootname, lookup->name);
1695 len = strlen(lookup->textname);
1696 isc_buffer_init(&b, lookup->textname, len);
1697 isc_buffer_add(&b, len);
1698 result = dns_name_fromtext(lookup->name, &b,
1703 if (result != ISC_R_SUCCESS) {
1704 dns_message_puttempname(lookup->sendmsg,
1706 isc_buffer_init(&b, store, MXNAME);
1707 fatal("'%s' is not a legal name "
1708 "(%s)", lookup->textname,
1709 isc_result_totext(result));
1712 dns_name_format(lookup->name, store, sizeof(store));
1713 trying(store, lookup);
1714 INSIST(dns_name_isabsolute(lookup->name));
1716 isc_random_get(&id);
1717 lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
1718 lookup->sendmsg->opcode = dns_opcode_query;
1719 lookup->msgcounter = 0;
1721 * If this is a trace request, completely disallow recursion, since
1722 * it's meaningless for traces.
1724 if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
1725 lookup->recurse = ISC_FALSE;
1727 if (lookup->recurse &&
1728 lookup->rdtype != dns_rdatatype_axfr &&
1729 lookup->rdtype != dns_rdatatype_ixfr) {
1730 debug("recursive query");
1731 lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
1735 if (lookup->aaonly) {
1737 lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
1740 if (lookup->adflag) {
1742 lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AD;
1745 if (lookup->cdflag) {
1747 lookup->sendmsg->flags |= DNS_MESSAGEFLAG_CD;
1750 dns_message_addname(lookup->sendmsg, lookup->name,
1751 DNS_SECTION_QUESTION);
1753 if (lookup->trace && lookup->trace_root) {
1754 lookup->qrdtype = lookup->rdtype;
1755 lookup->rdtype = dns_rdatatype_ns;
1758 if ((lookup->rdtype == dns_rdatatype_axfr) ||
1759 (lookup->rdtype == dns_rdatatype_ixfr)) {
1760 lookup->doing_xfr = ISC_TRUE;
1762 * Force TCP mode if we're doing an xfr.
1763 * XXX UDP ixfr's would be useful
1765 lookup->tcp_mode = ISC_TRUE;
1768 add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
1772 if (lookup->rdtype == dns_rdatatype_ixfr)
1775 /* XXX Insist this? */
1776 lookup->tsigctx = NULL;
1777 lookup->querysig = NULL;
1779 debug("initializing keys");
1780 result = dns_message_settsigkey(lookup->sendmsg, key);
1781 check_result(result, "dns_message_settsigkey");
1784 lookup->sendspace = isc_mempool_get(commctx);
1785 if (lookup->sendspace == NULL)
1786 fatal("memory allocation failure");
1788 result = dns_compress_init(&cctx, -1, mctx);
1789 check_result(result, "dns_compress_init");
1791 debug("starting to render the message");
1792 isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE);
1793 result = dns_message_renderbegin(lookup->sendmsg, &cctx,
1794 &lookup->renderbuf);
1795 check_result(result, "dns_message_renderbegin");
1796 if (lookup->udpsize > 0 || lookup->dnssec) {
1797 if (lookup->udpsize == 0)
1798 lookup->udpsize = 2048;
1799 add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec);
1802 result = dns_message_rendersection(lookup->sendmsg,
1803 DNS_SECTION_QUESTION, 0);
1804 check_result(result, "dns_message_rendersection");
1805 result = dns_message_rendersection(lookup->sendmsg,
1806 DNS_SECTION_AUTHORITY, 0);
1807 check_result(result, "dns_message_rendersection");
1808 result = dns_message_renderend(lookup->sendmsg);
1809 check_result(result, "dns_message_renderend");
1810 debug("done rendering");
1812 dns_compress_invalidate(&cctx);
1815 * Force TCP mode if the request is larger than 512 bytes.
1817 if (isc_buffer_usedlength(&lookup->renderbuf) > 512)
1818 lookup->tcp_mode = ISC_TRUE;
1820 lookup->pending = ISC_FALSE;
1822 for (serv = ISC_LIST_HEAD(lookup->my_server_list);
1824 serv = ISC_LIST_NEXT(serv, link)) {
1825 query = isc_mem_allocate(mctx, sizeof(dig_query_t));
1827 fatal("memory allocation failure in %s:%d",
1828 __FILE__, __LINE__);
1829 debug("create query %p linked to lookup %p",
1831 query->lookup = lookup;
1832 query->waiting_connect = ISC_FALSE;
1833 query->waiting_senddone = ISC_FALSE;
1834 query->pending_free = ISC_FALSE;
1835 query->recv_made = ISC_FALSE;
1836 query->first_pass = ISC_TRUE;
1837 query->first_soa_rcvd = ISC_FALSE;
1838 query->second_rr_rcvd = ISC_FALSE;
1839 query->first_repeat_rcvd = ISC_FALSE;
1840 query->warn_id = ISC_TRUE;
1841 query->first_rr_serial = 0;
1842 query->second_rr_serial = 0;
1843 query->servname = serv->servername;
1844 query->userarg = serv->userarg;
1845 query->rr_count = 0;
1846 query->msg_count = 0;
1847 ISC_LINK_INIT(query, link);
1848 ISC_LIST_INIT(query->recvlist);
1849 ISC_LIST_INIT(query->lengthlist);
1851 query->recvspace = isc_mempool_get(commctx);
1852 if (query->recvspace == NULL)
1853 fatal("memory allocation failure");
1855 isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
1856 isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
1857 isc_buffer_init(&query->slbuf, query->slspace, 2);
1858 query->sendbuf = lookup->renderbuf;
1860 ISC_LINK_INIT(query, link);
1861 ISC_LIST_ENQUEUE(lookup->q, query, link);
1863 /* XXX qrflag, print_query, etc... */
1864 if (!ISC_LIST_EMPTY(lookup->q) && qr) {
1865 printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
1871 * Event handler for send completion. Track send counter, and clear out
1872 * the query if the send was canceled.
1875 send_done(isc_task_t *_task, isc_event_t *event) {
1876 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
1877 isc_buffer_t *b = NULL;
1878 dig_query_t *query, *next;
1881 REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
1887 debug("send_done()");
1889 debug("sendcount=%d", sendcount);
1890 INSIST(sendcount >= 0);
1892 for (b = ISC_LIST_HEAD(sevent->bufferlist);
1894 b = ISC_LIST_HEAD(sevent->bufferlist))
1895 ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
1897 query = event->ev_arg;
1898 query->waiting_senddone = ISC_FALSE;
1901 if (l->ns_search_only && !l->trace_root) {
1902 debug("sending next, since searching");
1903 next = ISC_LIST_NEXT(query, link);
1908 isc_event_free(&event);
1910 if (query->pending_free)
1911 isc_mem_free(mctx, query);
1918 * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
1919 * IO sockets. The cancel handlers should take care of cleaning up the
1920 * query and lookup structures
1923 cancel_lookup(dig_lookup_t *lookup) {
1924 dig_query_t *query, *next;
1926 debug("cancel_lookup()");
1927 query = ISC_LIST_HEAD(lookup->q);
1928 while (query != NULL) {
1929 next = ISC_LIST_NEXT(query, link);
1930 if (query->sock != NULL) {
1931 isc_socket_cancel(query->sock, global_task,
1932 ISC_SOCKCANCEL_ALL);
1939 if (lookup->timer != NULL)
1940 isc_timer_detach(&lookup->timer);
1941 lookup->pending = ISC_FALSE;
1942 lookup->retries = 0;
1946 bringup_timer(dig_query_t *query, unsigned int default_timeout) {
1948 unsigned int local_timeout;
1949 isc_result_t result;
1951 debug("bringup_timer()");
1953 * If the timer already exists, that means we're calling this
1954 * a second time (for a retry). Don't need to recreate it,
1958 if (ISC_LIST_NEXT(query, link) != NULL)
1959 local_timeout = SERVER_TIMEOUT;
1962 local_timeout = default_timeout;
1964 local_timeout = timeout;
1966 debug("have local timeout of %d", local_timeout);
1967 isc_interval_set(&l->interval, local_timeout, 0);
1968 if (l->timer != NULL)
1969 isc_timer_detach(&l->timer);
1970 result = isc_timer_create(timermgr, isc_timertype_once, NULL,
1971 &l->interval, global_task, connect_timeout,
1973 check_result(result, "isc_timer_create");
1977 connect_done(isc_task_t *task, isc_event_t *event);
1980 * Unlike send_udp, this can't be called multiple times with the same
1981 * query. When we retry TCP, we requeue the whole lookup, which should
1985 send_tcp_connect(dig_query_t *query) {
1986 isc_result_t result;
1990 debug("send_tcp_connect(%p)", query);
1993 query->waiting_connect = ISC_TRUE;
1994 query->lookup->current_query = query;
1995 get_address(query->servname, port, &query->sockaddr);
1997 if (specified_source &&
1998 (isc_sockaddr_pf(&query->sockaddr) !=
1999 isc_sockaddr_pf(&bind_address))) {
2000 printf(";; Skipping server %s, incompatible "
2001 "address family\n", query->servname);
2002 query->waiting_connect = ISC_FALSE;
2003 next = ISC_LIST_NEXT(query, link);
2007 printf(";; No acceptable nameservers\n");
2008 check_next_lookup(l);
2011 send_tcp_connect(next);
2014 INSIST(query->sock == NULL);
2015 result = isc_socket_create(socketmgr,
2016 isc_sockaddr_pf(&query->sockaddr),
2017 isc_sockettype_tcp, &query->sock);
2018 check_result(result, "isc_socket_create");
2020 debug("sockcount=%d", sockcount);
2021 if (specified_source)
2022 result = isc_socket_bind(query->sock, &bind_address);
2024 if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) &&
2026 isc_sockaddr_any(&bind_any);
2028 isc_sockaddr_any6(&bind_any);
2029 result = isc_socket_bind(query->sock, &bind_any);
2031 check_result(result, "isc_socket_bind");
2032 bringup_timer(query, TCP_TIMEOUT);
2033 result = isc_socket_connect(query->sock, &query->sockaddr,
2034 global_task, connect_done, query);
2035 check_result(result, "isc_socket_connect");
2037 * If we're at the endgame of a nameserver search, we need to
2038 * immediately bring up all the queries. Do it here.
2040 if (l->ns_search_only && !l->trace_root) {
2041 debug("sending next, since searching");
2042 next = ISC_LIST_NEXT(query, link);
2044 send_tcp_connect(next);
2049 * Send a UDP packet to the remote nameserver, possible starting the
2050 * recv action as well. Also make sure that the timer is running and
2051 * is properly reset.
2054 send_udp(dig_query_t *query) {
2055 dig_lookup_t *l = NULL;
2056 isc_result_t result;
2058 debug("send_udp(%p)", query);
2061 bringup_timer(query, UDP_TIMEOUT);
2062 l->current_query = query;
2063 debug("working on lookup %p, query %p", query->lookup, query);
2064 if (!query->recv_made) {
2065 /* XXX Check the sense of this, need assertion? */
2066 query->waiting_connect = ISC_FALSE;
2067 get_address(query->servname, port, &query->sockaddr);
2069 result = isc_socket_create(socketmgr,
2070 isc_sockaddr_pf(&query->sockaddr),
2071 isc_sockettype_udp, &query->sock);
2072 check_result(result, "isc_socket_create");
2074 debug("sockcount=%d", sockcount);
2075 if (specified_source) {
2076 result = isc_socket_bind(query->sock, &bind_address);
2078 isc_sockaddr_anyofpf(&bind_any,
2079 isc_sockaddr_pf(&query->sockaddr));
2080 result = isc_socket_bind(query->sock, &bind_any);
2082 check_result(result, "isc_socket_bind");
2084 query->recv_made = ISC_TRUE;
2085 ISC_LINK_INIT(&query->recvbuf, link);
2086 ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf,
2088 debug("recving with lookup=%p, query=%p, sock=%p",
2089 query->lookup, query, query->sock);
2090 result = isc_socket_recvv(query->sock, &query->recvlist, 1,
2091 global_task, recv_done, query);
2092 check_result(result, "isc_socket_recvv");
2094 debug("recvcount=%d", recvcount);
2096 ISC_LIST_INIT(query->sendlist);
2097 ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
2098 debug("sending a request");
2099 TIME_NOW(&query->time_sent);
2100 INSIST(query->sock != NULL);
2101 query->waiting_senddone = ISC_TRUE;
2102 result = isc_socket_sendtov(query->sock, &query->sendlist,
2103 global_task, send_done, query,
2104 &query->sockaddr, NULL);
2105 check_result(result, "isc_socket_sendtov");
2110 * IO timeout handler, used for both connect and recv timeouts. If
2111 * retries are still allowed, either resend the UDP packet or queue a
2112 * new TCP lookup. Otherwise, cancel the lookup.
2115 connect_timeout(isc_task_t *task, isc_event_t *event) {
2116 dig_lookup_t *l = NULL;
2117 dig_query_t *query = NULL, *cq;
2120 REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
2122 debug("connect_timeout()");
2126 query = l->current_query;
2127 isc_event_free(&event);
2131 if ((query != NULL) && (query->lookup->current_query != NULL) &&
2132 (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
2133 debug("trying next server...");
2134 cq = query->lookup->current_query;
2136 send_udp(ISC_LIST_NEXT(cq, link));
2138 send_tcp_connect(ISC_LIST_NEXT(cq, link));
2143 if (l->retries > 1) {
2146 debug("resending UDP request to first server");
2147 send_udp(ISC_LIST_HEAD(l->q));
2149 debug("making new TCP request, %d tries left",
2152 requeue_lookup(l, ISC_TRUE);
2154 check_next_lookup(l);
2157 fputs(l->cmdline, stdout);
2158 printf(";; connection timed out; no servers could be "
2161 check_next_lookup(l);
2169 * Event handler for the TCP recv which gets the length header of TCP
2170 * packets. Start the next recv of length bytes.
2173 tcp_length_done(isc_task_t *task, isc_event_t *event) {
2174 isc_socketevent_t *sevent;
2175 isc_buffer_t *b = NULL;
2176 isc_result_t result;
2177 dig_query_t *query = NULL;
2179 isc_uint16_t length;
2181 REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
2186 debug("tcp_length_done()");
2189 sevent = (isc_socketevent_t *)event;
2190 query = event->ev_arg;
2193 INSIST(recvcount >= 0);
2195 b = ISC_LIST_HEAD(sevent->bufferlist);
2196 INSIST(b == &query->lengthbuf);
2197 ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
2199 if (sevent->result == ISC_R_CANCELED) {
2200 isc_event_free(&event);
2203 check_next_lookup(l);
2207 if (sevent->result != ISC_R_SUCCESS) {
2208 char sockstr[ISC_SOCKADDR_FORMATSIZE];
2209 isc_sockaddr_format(&query->sockaddr, sockstr,
2211 printf(";; communications error to %s: %s\n",
2212 sockstr, isc_result_totext(sevent->result));
2214 isc_socket_detach(&query->sock);
2216 debug("sockcount=%d", sockcount);
2217 INSIST(sockcount >= 0);
2218 isc_event_free(&event);
2220 check_next_lookup(l);
2224 length = isc_buffer_getuint16(b);
2226 isc_event_free(&event);
2227 launch_next_query(query, ISC_FALSE);
2233 * Even though the buffer was already init'ed, we need
2234 * to redo it now, to force the length we want.
2236 isc_buffer_invalidate(&query->recvbuf);
2237 isc_buffer_init(&query->recvbuf, query->recvspace, length);
2238 ENSURE(ISC_LIST_EMPTY(query->recvlist));
2239 ISC_LINK_INIT(&query->recvbuf, link);
2240 ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
2241 debug("recving with lookup=%p, query=%p", query->lookup, query);
2242 result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
2244 check_result(result, "isc_socket_recvv");
2246 debug("resubmitted recv request with length %d, recvcount=%d",
2248 isc_event_free(&event);
2253 * For transfers that involve multiple recvs (XFR's in particular),
2254 * launch the next recv.
2257 launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
2258 isc_result_t result;
2263 debug("launch_next_query()");
2265 if (!query->lookup->pending) {
2266 debug("ignoring launch_next_query because !pending");
2267 isc_socket_detach(&query->sock);
2269 debug("sockcount=%d", sockcount);
2270 INSIST(sockcount >= 0);
2271 query->waiting_connect = ISC_FALSE;
2274 check_next_lookup(l);
2278 isc_buffer_clear(&query->slbuf);
2279 isc_buffer_clear(&query->lengthbuf);
2280 isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used);
2281 ISC_LIST_INIT(query->sendlist);
2282 ISC_LINK_INIT(&query->slbuf, link);
2283 ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
2284 if (include_question)
2285 ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
2286 ISC_LINK_INIT(&query->lengthbuf, link);
2287 ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
2289 result = isc_socket_recvv(query->sock, &query->lengthlist, 0,
2290 global_task, tcp_length_done, query);
2291 check_result(result, "isc_socket_recvv");
2293 debug("recvcount=%d", recvcount);
2294 if (!query->first_soa_rcvd) {
2295 debug("sending a request in launch_next_query");
2296 TIME_NOW(&query->time_sent);
2297 query->waiting_senddone = ISC_TRUE;
2298 result = isc_socket_sendv(query->sock, &query->sendlist,
2299 global_task, send_done, query);
2300 check_result(result, "isc_socket_sendv");
2302 debug("sendcount=%d", sendcount);
2304 query->waiting_connect = ISC_FALSE;
2306 check_next_lookup(query->lookup);
2312 * Event handler for TCP connect complete. Make sure the connection was
2313 * successful, then pass into launch_next_query to actually send the
2317 connect_done(isc_task_t *task, isc_event_t *event) {
2318 isc_socketevent_t *sevent = NULL;
2319 dig_query_t *query = NULL, *next;
2324 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
2327 debug("connect_done()");
2330 sevent = (isc_socketevent_t *)event;
2331 query = sevent->ev_arg;
2333 INSIST(query->waiting_connect);
2335 query->waiting_connect = ISC_FALSE;
2337 if (sevent->result == ISC_R_CANCELED) {
2338 debug("in cancel handler");
2339 isc_socket_detach(&query->sock);
2341 INSIST(sockcount >= 0);
2342 debug("sockcount=%d", sockcount);
2343 query->waiting_connect = ISC_FALSE;
2344 isc_event_free(&event);
2347 check_next_lookup(l);
2351 if (sevent->result != ISC_R_SUCCESS) {
2352 char sockstr[ISC_SOCKADDR_FORMATSIZE];
2354 debug("unsuccessful connection: %s",
2355 isc_result_totext(sevent->result));
2356 isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
2357 if (sevent->result != ISC_R_CANCELED)
2358 printf(";; Connection to %s(%s) for %s failed: "
2360 query->servname, query->lookup->textname,
2361 isc_result_totext(sevent->result));
2362 isc_socket_detach(&query->sock);
2364 INSIST(sockcount >= 0);
2365 /* XXX Clean up exitcodes */
2368 debug("sockcount=%d", sockcount);
2369 query->waiting_connect = ISC_FALSE;
2370 isc_event_free(&event);
2372 if (l->current_query != NULL)
2373 next = ISC_LIST_NEXT(l->current_query, link);
2378 bringup_timer(next, TCP_TIMEOUT);
2379 send_tcp_connect(next);
2381 check_next_lookup(l);
2386 launch_next_query(query, ISC_TRUE);
2387 isc_event_free(&event);
2392 * Check if the ongoing XFR needs more data before it's complete, using
2393 * the semantics of IXFR and AXFR protocols. Much of the complexity of
2394 * this routine comes from determining when an IXFR is complete.
2395 * ISC_FALSE means more data is on the way, and the recv has been issued.
2397 static isc_boolean_t
2398 check_for_more_data(dig_query_t *query, dns_message_t *msg,
2399 isc_socketevent_t *sevent)
2401 dns_rdataset_t *rdataset = NULL;
2402 dns_rdata_t rdata = DNS_RDATA_INIT;
2403 dns_rdata_soa_t soa;
2404 isc_uint32_t serial;
2405 isc_result_t result;
2407 debug("check_for_more_data()");
2410 * By the time we're in this routine, we know we're doing
2411 * either an AXFR or IXFR. If there's no second_rr_type,
2412 * then we don't yet know which kind of answer we got back
2413 * from the server. Here, we're going to walk through the
2414 * rr's in the message, acting as necessary whenever we hit
2419 result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
2420 if (result != ISC_R_SUCCESS) {
2421 puts("; Transfer failed.");
2427 dns_message_currentname(msg, DNS_SECTION_ANSWER,
2429 for (rdataset = ISC_LIST_HEAD(name->list);
2431 rdataset = ISC_LIST_NEXT(rdataset, link)) {
2432 result = dns_rdataset_first(rdataset);
2433 if (result != ISC_R_SUCCESS)
2437 dns_rdata_reset(&rdata);
2438 dns_rdataset_current(rdataset, &rdata);
2440 * If this is the first rr, make sure
2443 if ((!query->first_soa_rcvd) &&
2444 (rdata.type != dns_rdatatype_soa)) {
2445 puts("; Transfer failed. "
2446 "Didn't start with SOA answer.");
2449 if ((!query->second_rr_rcvd) &&
2450 (rdata.type != dns_rdatatype_soa)) {
2451 query->second_rr_rcvd = ISC_TRUE;
2452 query->second_rr_serial = 0;
2453 debug("got the second rr as nonsoa");
2458 * If the record is anything except an SOA
2459 * now, just continue on...
2461 if (rdata.type != dns_rdatatype_soa)
2463 /* Now we have an SOA. Work with it. */
2464 debug("got an SOA");
2465 (void)dns_rdata_tostruct(&rdata, &soa, NULL);
2466 serial = soa.serial;
2467 dns_rdata_freestruct(&soa);
2468 if (!query->first_soa_rcvd) {
2469 query->first_soa_rcvd = ISC_TRUE;
2470 query->first_rr_serial = serial;
2471 debug("this is the first %d",
2472 query->lookup->ixfr_serial);
2473 if (query->lookup->ixfr_serial >=
2478 if (query->lookup->rdtype ==
2479 dns_rdatatype_axfr) {
2480 debug("doing axfr, got second SOA");
2483 if (!query->second_rr_rcvd) {
2484 if (query->first_rr_serial == serial) {
2485 debug("doing ixfr, got "
2489 debug("this is the second %d",
2490 query->lookup->ixfr_serial);
2491 query->second_rr_rcvd = ISC_TRUE;
2492 query->second_rr_serial = serial;
2495 if (query->second_rr_serial == 0) {
2497 * If the second RR was a non-SOA
2498 * record, and we're getting any
2499 * other SOA, then this is an
2500 * AXFR, and we're done.
2502 debug("done, since axfr");
2506 * If we get to this point, we're doing an
2507 * IXFR and have to start really looking
2508 * at serial numbers.
2510 if (query->first_rr_serial == serial) {
2511 debug("got a match for ixfr");
2512 if (!query->first_repeat_rcvd) {
2513 query->first_repeat_rcvd =
2517 debug("done with ixfr");
2520 debug("meaningless soa %d", serial);
2522 result = dns_rdataset_next(rdataset);
2523 } while (result == ISC_R_SUCCESS);
2525 result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
2526 } while (result == ISC_R_SUCCESS);
2527 launch_next_query(query, ISC_FALSE);
2530 received(sevent->n, &sevent->address, query);
2535 * Event handler for recv complete. Perform whatever actions are necessary,
2536 * based on the specifics of the user's request.
2539 recv_done(isc_task_t *task, isc_event_t *event) {
2540 isc_socketevent_t *sevent = NULL;
2541 dig_query_t *query = NULL;
2542 isc_buffer_t *b = NULL;
2543 dns_message_t *msg = NULL;
2545 dig_message_t *chase_msg = NULL;
2546 dig_message_t *chase_msg2 = NULL;
2548 isc_result_t result;
2549 dig_lookup_t *n, *l;
2550 isc_boolean_t docancel = ISC_FALSE;
2551 isc_boolean_t match = ISC_TRUE;
2552 unsigned int parseflags;
2554 unsigned int msgflags;
2556 isc_result_t do_sigchase = ISC_FALSE;
2558 dns_message_t *msg_temp = NULL;
2560 isc_buffer_t *buf = NULL;
2566 debug("recv_done()");
2570 debug("recvcount=%d", recvcount);
2571 INSIST(recvcount >= 0);
2573 query = event->ev_arg;
2574 debug("lookup=%p, query=%p", query->lookup, query);
2578 REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
2579 sevent = (isc_socketevent_t *)event;
2581 b = ISC_LIST_HEAD(sevent->bufferlist);
2582 INSIST(b == &query->recvbuf);
2583 ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
2585 if ((l->tcp_mode) && (l->timer != NULL))
2586 isc_timer_touch(l->timer);
2587 if ((!l->pending && !l->ns_search_only) || cancel_now) {
2588 debug("no longer pending. Got %s",
2589 isc_result_totext(sevent->result));
2590 query->waiting_connect = ISC_FALSE;
2592 isc_event_free(&event);
2594 check_next_lookup(l);
2599 if (sevent->result != ISC_R_SUCCESS) {
2600 if (sevent->result == ISC_R_CANCELED) {
2601 debug("in recv cancel handler");
2602 query->waiting_connect = ISC_FALSE;
2604 printf(";; communications error: %s\n",
2605 isc_result_totext(sevent->result));
2606 isc_socket_detach(&query->sock);
2608 debug("sockcount=%d", sockcount);
2609 INSIST(sockcount >= 0);
2611 isc_event_free(&event);
2613 check_next_lookup(l);
2619 !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
2620 char buf1[ISC_SOCKADDR_FORMATSIZE];
2621 char buf2[ISC_SOCKADDR_FORMATSIZE];
2624 if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
2625 isc_sockaddr_any(&any);
2627 isc_sockaddr_any6(&any);
2629 #ifdef ISC_PLATFORM_HAVESCOPEID
2631 * Accept answers from any scope if we havn't specified the
2632 * scope as long as the address and port match.
2634 if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
2635 query->sockaddr.type.sin6.sin6_scope_id == 0 &&
2636 memcmp(&sevent->address.type.sin6.sin6_addr,
2637 &query->sockaddr.type.sin6.sin6_addr,
2638 sizeof(query->sockaddr.type.sin6.sin6_addr)) == 0 &&
2639 isc_sockaddr_getport(&sevent->address) ==
2640 isc_sockaddr_getport(&query->sockaddr))
2645 * We don't expect a match above when the packet is
2646 * sent to 0.0.0.0, :: or to a multicast addresses.
2647 * XXXMPA broadcast needs to be handled here as well.
2649 if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
2650 !isc_sockaddr_ismulticast(&query->sockaddr)) ||
2651 isc_sockaddr_getport(&query->sockaddr) !=
2652 isc_sockaddr_getport(&sevent->address)) {
2653 isc_sockaddr_format(&sevent->address, buf1,
2655 isc_sockaddr_format(&query->sockaddr, buf2,
2657 printf(";; reply from unexpected source: %s,"
2658 " expected %s\n", buf1, buf2);
2663 result = dns_message_peekheader(b, &id, &msgflags);
2664 if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
2667 isc_boolean_t fail = ISC_TRUE;
2668 if (result == ISC_R_SUCCESS) {
2669 if (!query->first_soa_rcvd ||
2671 printf(";; %s: ID mismatch: "
2672 "expected ID %u, got %u\n",
2673 query->first_soa_rcvd ?
2674 "WARNING" : "ERROR",
2675 l->sendmsg->id, id);
2676 if (query->first_soa_rcvd)
2678 query->warn_id = ISC_FALSE;
2680 printf(";; ERROR: short "
2681 "(< header size) message\n");
2683 isc_event_free(&event);
2685 check_next_lookup(l);
2690 } else if (result == ISC_R_SUCCESS)
2691 printf(";; Warning: ID mismatch: "
2692 "expected ID %u, got %u\n", l->sendmsg->id, id);
2694 printf(";; Warning: short "
2695 "(< header size) message received\n");
2699 isc_buffer_invalidate(&query->recvbuf);
2700 isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
2701 ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
2702 result = isc_socket_recvv(query->sock, &query->recvlist, 1,
2703 global_task, recv_done, query);
2704 check_result(result, "isc_socket_recvv");
2706 isc_event_free(&event);
2711 result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
2712 check_result(result, "dns_message_create");
2715 if (l->querysig == NULL) {
2716 debug("getting initial querysig");
2717 result = dns_message_getquerytsig(l->sendmsg, mctx,
2719 check_result(result, "dns_message_getquerytsig");
2721 result = dns_message_setquerytsig(msg, l->querysig);
2722 check_result(result, "dns_message_setquerytsig");
2723 result = dns_message_settsigkey(msg, key);
2724 check_result(result, "dns_message_settsigkey");
2725 msg->tsigctx = l->tsigctx;
2727 if (l->msgcounter != 0)
2728 msg->tcp_continuation = 1;
2732 debug("before parse starts");
2733 parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
2736 do_sigchase = ISC_FALSE;
2739 do_sigchase = ISC_TRUE;
2742 if (l->besteffort) {
2743 parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
2744 parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
2746 result = dns_message_parse(msg, b, parseflags);
2747 if (result == DNS_R_RECOVERABLE) {
2748 printf(";; Warning: Message parser reports malformed "
2749 "message packet.\n");
2750 result = ISC_R_SUCCESS;
2752 if (result != ISC_R_SUCCESS) {
2753 printf(";; Got bad packet: %s\n", isc_result_totext(result));
2755 query->waiting_connect = ISC_FALSE;
2756 dns_message_destroy(&msg);
2757 isc_event_free(&event);
2760 check_next_lookup(l);
2764 if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
2765 && !l->ignore && !l->tcp_mode) {
2766 printf(";; Truncated, retrying in TCP mode.\n");
2767 n = requeue_lookup(l, ISC_TRUE);
2768 n->tcp_mode = ISC_TRUE;
2769 n->origin = query->lookup->origin;
2770 dns_message_destroy(&msg);
2771 isc_event_free(&event);
2774 check_next_lookup(l);
2778 if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) {
2779 dig_query_t *next = ISC_LIST_NEXT(query, link);
2780 if (l->current_query == query)
2781 l->current_query = NULL;
2783 debug("sending query %p\n", next);
2785 send_tcp_connect(next);
2790 * If our query is at the head of the list and there
2791 * is no next, we're the only one left, so fall
2792 * through to print the message.
2794 if ((ISC_LIST_HEAD(l->q) != query) ||
2795 (ISC_LIST_NEXT(query, link) != NULL)) {
2796 printf(";; Got SERVFAIL reply from %s, "
2797 "trying next server\n",
2800 check_next_lookup(l);
2801 dns_message_destroy(&msg);
2802 isc_event_free(&event);
2809 result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
2810 if (result != ISC_R_SUCCESS) {
2811 printf(";; Couldn't verify signature: %s\n",
2812 isc_result_totext(result));
2813 validated = ISC_FALSE;
2815 l->tsigctx = msg->tsigctx;
2816 msg->tsigctx = NULL;
2817 if (l->querysig != NULL) {
2818 debug("freeing querysig buffer %p", l->querysig);
2819 isc_buffer_free(&l->querysig);
2821 result = dns_message_getquerytsig(msg, mctx, &l->querysig);
2822 check_result(result,"dns_message_getquerytsig");
2825 debug("after parse");
2826 if (l->doing_xfr && l->xfr_q == NULL) {
2829 * Once we are in the XFR message, increase
2830 * the timeout to much longer, so brief network
2831 * outages won't cause the XFR to abort
2833 if (timeout != INT_MAX && l->timer != NULL) {
2834 unsigned int local_timeout;
2838 local_timeout = TCP_TIMEOUT * 4;
2840 local_timeout = UDP_TIMEOUT * 4;
2842 if (timeout < (INT_MAX / 4))
2843 local_timeout = timeout * 4;
2845 local_timeout = INT_MAX;
2847 debug("have local timeout of %d", local_timeout);
2848 isc_interval_set(&l->interval, local_timeout, 0);
2849 result = isc_timer_reset(l->timer,
2854 check_result(result, "isc_timer_reset");
2858 if (!l->doing_xfr || l->xfr_q == query) {
2859 if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
2860 if (!next_origin(msg, query)) {
2861 printmessage(query, msg, ISC_TRUE);
2862 received(b->used, &sevent->address, query);
2864 } else if (!l->trace && !l->ns_search_only) {
2868 printmessage(query, msg, ISC_TRUE);
2869 } else if (l->trace) {
2871 int count = msg->counts[DNS_SECTION_ANSWER];
2873 debug("in TRACE code");
2874 if (!l->ns_search_only)
2875 printmessage(query, msg, ISC_TRUE);
2877 l->rdtype = l->qrdtype;
2878 if (l->trace_root || (l->ns_search_only && count > 0)) {
2880 l->rdtype = dns_rdatatype_soa;
2881 n = followup_lookup(msg, query,
2882 DNS_SECTION_ANSWER);
2883 l->trace_root = ISC_FALSE;
2884 } else if (count == 0)
2885 n = followup_lookup(msg, query,
2886 DNS_SECTION_AUTHORITY);
2888 docancel = ISC_TRUE;
2890 debug("in NSSEARCH code");
2892 if (l->trace_root) {
2894 * This is the initial NS query.
2898 l->rdtype = dns_rdatatype_soa;
2899 n = followup_lookup(msg, query,
2900 DNS_SECTION_ANSWER);
2902 docancel = ISC_TRUE;
2903 l->trace_root = ISC_FALSE;
2908 printmessage(query, msg, ISC_TRUE);
2912 chase_msg = isc_mem_allocate(mctx,
2913 sizeof(dig_message_t));
2914 if (chase_msg == NULL) {
2915 fatal("Memory allocation failure in %s:%d",
2916 __FILE__, __LINE__);
2918 ISC_LIST_INITANDAPPEND(chase_message_list, chase_msg,
2920 if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
2921 &msg_temp) != ISC_R_SUCCESS) {
2922 fatal("dns_message_create in %s:%d",
2923 __FILE__, __LINE__);
2926 isc_buffer_usedregion(b, &r);
2927 result = isc_buffer_allocate(mctx, &buf, r.length);
2929 check_result(result, "isc_buffer_allocate");
2930 result = isc_buffer_copyregion(buf, &r);
2931 check_result(result, "isc_buffer_copyregion");
2933 result = dns_message_parse(msg_temp, buf, 0);
2935 isc_buffer_free(&buf);
2936 chase_msg->msg = msg_temp;
2938 chase_msg2 = isc_mem_allocate(mctx,
2939 sizeof(dig_message_t));
2940 if (chase_msg2 == NULL) {
2941 fatal("Memory allocation failure in %s:%d",
2942 __FILE__, __LINE__);
2944 ISC_LIST_INITANDAPPEND(chase_message_list2, chase_msg2,
2946 chase_msg2->msg = msg;
2953 if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
2959 debug("still pending.");
2961 if (query != l->xfr_q) {
2962 dns_message_destroy(&msg);
2963 isc_event_free(&event);
2964 query->waiting_connect = ISC_FALSE;
2969 docancel = check_for_more_data(query, msg, sevent);
2971 dns_message_destroy(&msg);
2974 check_next_lookup(l);
2978 if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
2983 received(b->used, &sevent->address, query);
2986 if (!query->lookup->ns_search_only)
2987 query->lookup->pending = ISC_FALSE;
2988 if (!query->lookup->ns_search_only ||
2989 query->lookup->trace_root || docancel) {
2993 dns_message_destroy(&msg);
2998 check_next_lookup(l);
3006 dns_message_destroy(&msg);
3008 isc_event_free(&event);
3013 * Turn a name into an address, using system-supplied routines. This is
3014 * used in looking up server names, etc... and needs to use system-supplied
3015 * routines, since they may be using a non-DNS system for these lookups.
3018 get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
3020 isc_result_t result;
3023 result = bind9_getaddresses(host, port, sockaddr, 1, &count);
3025 if (result != ISC_R_SUCCESS)
3026 fatal("couldn't get address for '%s': %s",
3027 host, isc_result_totext(result));
3032 * Initiate either a TCP or UDP lookup
3035 do_lookup(dig_lookup_t *lookup) {
3037 REQUIRE(lookup != NULL);
3039 debug("do_lookup()");
3040 lookup->pending = ISC_TRUE;
3041 if (lookup->tcp_mode)
3042 send_tcp_connect(ISC_LIST_HEAD(lookup->q));
3044 send_udp(ISC_LIST_HEAD(lookup->q));
3048 * Start everything in action upon task startup.
3051 onrun_callback(isc_task_t *task, isc_event_t *event) {
3054 isc_event_free(&event);
3061 * Make everything on the lookup queue go away. Mainly used by the
3066 dig_lookup_t *l, *n;
3067 dig_query_t *q, *nq;
3069 debug("cancel_all()");
3076 cancel_now = ISC_TRUE;
3077 if (current_lookup != NULL) {
3078 if (current_lookup->timer != NULL)
3079 isc_timer_detach(¤t_lookup->timer);
3080 q = ISC_LIST_HEAD(current_lookup->q);
3082 debug("cancelling query %p, belonging to %p",
3084 nq = ISC_LIST_NEXT(q, link);
3085 if (q->sock != NULL) {
3086 isc_socket_cancel(q->sock, NULL,
3087 ISC_SOCKCANCEL_ALL);
3094 l = ISC_LIST_HEAD(lookup_list);
3096 n = ISC_LIST_NEXT(l, link);
3097 ISC_LIST_DEQUEUE(lookup_list, l, link);
3098 try_clear_lookup(l);
3105 * Destroy all of the libs we are using, and get everything ready for a
3109 destroy_libs(void) {
3112 dig_message_t *chase_msg;
3115 debug("destroy_libs()");
3116 if (global_task != NULL) {
3117 debug("freeing task");
3118 isc_task_detach(&global_task);
3121 * The taskmgr_destroy() call blocks until all events are cleared
3124 if (taskmgr != NULL) {
3125 debug("freeing taskmgr");
3126 isc_taskmgr_destroy(&taskmgr);
3129 REQUIRE(sockcount == 0);
3130 REQUIRE(recvcount == 0);
3131 REQUIRE(sendcount == 0);
3133 INSIST(ISC_LIST_HEAD(lookup_list) == NULL);
3134 INSIST(current_lookup == NULL);
3137 free_now = ISC_TRUE;
3139 lwres_conf_clear(lwctx);
3140 lwres_context_destroy(&lwctx);
3142 flush_server_list();
3145 if (commctx != NULL) {
3146 debug("freeing commctx");
3147 isc_mempool_destroy(&commctx);
3149 if (socketmgr != NULL) {
3150 debug("freeing socketmgr");
3151 isc_socketmgr_destroy(&socketmgr);
3153 if (timermgr != NULL) {
3154 debug("freeing timermgr");
3155 isc_timermgr_destroy(&timermgr);
3158 debug("freeing key %p", key);
3159 dns_tsigkey_detach(&key);
3161 if (namebuf != NULL)
3162 isc_buffer_free(&namebuf);
3165 debug("destroy DST lib");
3167 is_dst_up = ISC_FALSE;
3170 debug("detach from entropy");
3171 isc_entropy_detach(&entp);
3175 DESTROYLOCK(&lookup_lock);
3178 debug("Destroy the messages kept for sigchase");
3179 /* Destroy the messages kept for sigchase */
3180 chase_msg = ISC_LIST_HEAD(chase_message_list);
3182 while (chase_msg != NULL) {
3183 INSIST(chase_msg->msg != NULL);
3184 dns_message_destroy(&(chase_msg->msg));
3186 chase_msg = ISC_LIST_NEXT(chase_msg, link);
3187 isc_mem_free(mctx, ptr);
3190 chase_msg = ISC_LIST_HEAD(chase_message_list2);
3192 while (chase_msg != NULL) {
3193 INSIST(chase_msg->msg != NULL);
3194 dns_message_destroy(&(chase_msg->msg));
3196 chase_msg = ISC_LIST_NEXT(chase_msg, link);
3197 isc_mem_free(mctx, ptr);
3199 if (dns_name_dynamic(&chase_name))
3200 free_name(&chase_name, mctx);
3202 if (dns_name_dynamic(&chase_current_name))
3203 free_name(&chase_current_name, mctx);
3204 if (dns_name_dynamic(&chase_authority_name))
3205 free_name(&chase_authority_name, mctx);
3208 if (dns_name_dynamic(&chase_signame))
3209 free_name(&chase_signame, mctx);
3212 debug("Destroy memory");
3215 if (memdebugging != 0)
3216 isc_mem_stats(mctx, stderr);
3218 isc_mem_destroy(&mctx);
3226 print_type(dns_rdatatype_t type)
3228 isc_buffer_t * b = NULL;
3229 isc_result_t result;
3232 result = isc_buffer_allocate(mctx, &b, 4000);
3233 check_result(result, "isc_buffer_allocate");
3235 result = dns_rdatatype_totext(type, b);
3236 check_result(result, "print_type");
3238 isc_buffer_usedregion(b, &r);
3239 r.base[r.length] = '\0';
3241 printf("%s", r.base);
3243 isc_buffer_free(&b);
3247 dump_database_section(dns_message_t *msg, int section)
3249 dns_name_t *msg_name=NULL;
3251 dns_rdataset_t *rdataset;
3254 dns_message_currentname(msg, section, &msg_name);
3256 for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
3257 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3258 dns_name_print(msg_name, stdout);
3260 print_rdataset(msg_name, rdataset, mctx);
3264 } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
3268 dump_database(void) {
3269 dig_message_t * msg;
3271 for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL;
3272 msg = ISC_LIST_NEXT(msg, link)) {
3273 if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
3275 dump_database_section(msg->msg, DNS_SECTION_ANSWER);
3277 if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
3279 dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
3281 if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
3283 dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
3289 search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
3290 dns_rdataset_t *rdataset;
3291 dns_rdata_sig_t siginfo;
3292 dns_rdata_t sigrdata;
3293 isc_result_t result;
3295 for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
3296 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3297 if (type == dns_rdatatype_any) {
3298 if (rdataset->type != dns_rdatatype_rrsig)
3300 } else if ((type == dns_rdatatype_rrsig) &&
3301 (rdataset->type == dns_rdatatype_rrsig)) {
3302 dns_rdata_init(&sigrdata);
3303 result = dns_rdataset_first(rdataset);
3304 check_result(result, "empty rdataset");
3305 dns_rdataset_current(rdataset, &sigrdata);
3306 result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
3307 check_result(result, "sigrdata tostruct siginfo");
3309 if ((siginfo.covered == covers) ||
3310 (covers == dns_rdatatype_any)) {
3311 dns_rdata_reset(&sigrdata);
3312 dns_rdata_freestruct(&siginfo);
3315 dns_rdata_reset(&sigrdata);
3316 dns_rdata_freestruct(&siginfo);
3317 } else if (rdataset->type == type)
3324 chase_scanname_section(dns_message_t *msg, dns_name_t *name,
3325 dns_rdatatype_t type, dns_rdatatype_t covers,
3328 dns_rdataset_t *rdataset;
3329 dns_name_t *msg_name = NULL;
3332 dns_message_currentname(msg, section, &msg_name);
3333 if (dns_name_compare(msg_name, name) == 0) {
3334 rdataset = search_type(msg_name, type, covers);
3335 if (rdataset != NULL)
3339 } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
3346 chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
3348 dns_rdataset_t *rdataset = NULL;
3349 dig_message_t * msg;
3351 for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL;
3352 msg = ISC_LIST_NEXT(msg, link)) {
3353 if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
3355 rdataset = chase_scanname_section(msg->msg, name,
3357 DNS_SECTION_ANSWER);
3358 if (rdataset != NULL)
3360 if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
3363 chase_scanname_section(msg->msg, name,
3365 DNS_SECTION_AUTHORITY);
3366 if (rdataset != NULL)
3368 if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
3371 chase_scanname_section(msg->msg, name, type,
3373 DNS_SECTION_ADDITIONAL);
3374 if (rdataset != NULL)
3382 sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
3383 isc_boolean_t * lookedup, dns_name_t *rdata_name)
3385 dig_lookup_t *lookup;
3386 isc_buffer_t *b = NULL;
3388 isc_result_t result;
3389 dns_rdataset_t * temp;
3390 dns_rdatatype_t querytype;
3392 temp = chase_scanname(rdata_name, type, covers);
3396 if (*lookedup == ISC_TRUE)
3399 lookup = clone_lookup(current_lookup, ISC_TRUE);
3400 lookup->trace_root = ISC_FALSE;
3401 lookup->new_search = ISC_TRUE;
3403 result = isc_buffer_allocate(mctx, &b, BUFSIZE);
3404 check_result(result, "isc_buffer_allocate");
3405 result = dns_name_totext(rdata_name, ISC_FALSE, b);
3406 check_result(result, "dns_name_totext");
3407 isc_buffer_usedregion(b, &r);
3408 r.base[r.length] = '\0';
3409 strcpy(lookup->textname, (char*)r.base);
3410 isc_buffer_free(&b);
3412 if (type == dns_rdatatype_rrsig)
3417 if (querytype == 0 || querytype == 255) {
3418 printf("Error in the queried type: %d\n", querytype);
3422 lookup->rdtype = querytype;
3423 lookup->rdtypeset = ISC_TRUE;
3424 lookup->qrdtype = querytype;
3425 *lookedup = ISC_TRUE;
3427 ISC_LIST_APPEND(lookup_list, lookup, link);
3428 printf("\n\nLaunch a query to find a RRset of type ");
3430 printf(" for zone: %s\n", lookup->textname);
3435 insert_trustedkey(dst_key_t * key)
3439 if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
3442 tk_list.key[tk_list.nb_tk++] = key;
3451 for (i= 0; i < MAX_TRUSTED_KEY; i++) {
3452 if (tk_list.key[i] != NULL) {
3453 dst_key_free(&tk_list.key[i]);
3454 tk_list.key[i] = NULL;
3463 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
3466 removetmpkey(isc_mem_t *mctx, const char *file)
3468 char *tempnamekey = NULL;
3470 isc_result_t result;
3472 tempnamekeylen = strlen(file)+10;
3474 tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
3475 if (tempnamekey == NULL)
3476 return (ISC_R_NOMEMORY);
3478 memset(tempnamekey, 0, tempnamekeylen);
3480 strcat(tempnamekey, file);
3481 strcat(tempnamekey,".key");
3482 isc_file_remove(tempnamekey);
3484 result = isc_file_remove(tempnamekey);
3485 isc_mem_free(mctx, tempnamekey);
3490 opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
3492 isc_result_t result;
3493 char *tempname = NULL;
3494 char *tempnamekey = NULL;
3502 tempnamelen = strlen(file) + 20;
3503 tempname = isc_mem_allocate(mctx, tempnamelen);
3504 if (tempname == NULL)
3505 return (ISC_R_NOMEMORY);
3506 memset(tempname, 0, tempnamelen);
3508 result = isc_file_mktemplate(file, tempname, tempnamelen);
3509 if (result != ISC_R_SUCCESS)
3515 if (cp == tempname) {
3516 isc_mem_free(mctx, tempname);
3517 return (ISC_R_FAILURE);
3521 while (cp >= tempname && *cp == 'X') {
3522 isc_random_get(&which);
3523 *cp = alphnum[which % (sizeof(alphnum) - 1)];
3527 tempnamekeylen = tempnamelen+5;
3528 tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
3529 if (tempnamekey == NULL)
3530 return (ISC_R_NOMEMORY);
3532 memset(tempnamekey, 0, tempnamekeylen);
3533 strncpy(tempnamekey, tempname, tempnamelen);
3534 strcat(tempnamekey ,".key");
3537 if (isc_file_exists(tempnamekey)) {
3538 isc_mem_free(mctx, tempnamekey);
3539 isc_mem_free(mctx, tempname);
3543 if ((f = fopen(tempnamekey, "w")) == NULL) {
3544 printf("get_trusted_key(): trusted key not found %s\n",
3546 return (ISC_R_FAILURE);
3550 isc_mem_free(mctx, tempnamekey);
3553 return (ISC_R_SUCCESS);
3556 isc_mem_free(mctx, tempname);
3563 get_trusted_key(isc_mem_t *mctx)
3565 isc_result_t result;
3566 const char *filename = NULL;
3567 char *filetemp = NULL;
3570 dst_key_t *key = NULL;
3572 result = isc_file_exists(trustedkey);
3573 if (result != ISC_TRUE) {
3574 result = isc_file_exists("/etc/trusted-key.key");
3575 if (result != ISC_TRUE) {
3576 result = isc_file_exists("./trusted-key.key");
3577 if (result != ISC_TRUE)
3578 return (ISC_R_FAILURE);
3580 filename = "./trusted-key.key";
3582 filename = "/etc/trusted-key.key";
3584 filename = trustedkey;
3586 if (filename == NULL) {
3587 printf("No trusted key\n");
3588 return (ISC_R_FAILURE);
3591 if ((fp = fopen(filename, "r")) == NULL) {
3592 printf("get_trusted_key(): trusted key not found %s\n",
3594 return (ISC_R_FAILURE);
3596 while (fgets(buf, 1500, fp) != NULL) {
3597 result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
3598 if (result != ISC_R_SUCCESS) {
3600 return (ISC_R_FAILURE);
3602 if (fputs(buf, fptemp) < 0) {
3605 return (ISC_R_FAILURE);
3608 result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
3610 removetmpkey(mctx, filetemp);
3611 isc_mem_free(mctx, filetemp);
3612 if (result != ISC_R_SUCCESS) {
3614 return (ISC_R_FAILURE);
3616 insert_trustedkey(key);
3618 dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
3622 return (ISC_R_SUCCESS);
3627 nameFromString(const char *str, dns_name_t *p_ret) {
3628 size_t len = strlen(str);
3629 isc_result_t result;
3630 isc_buffer_t buffer;
3631 dns_fixedname_t fixedname;
3633 REQUIRE(p_ret != NULL);
3634 REQUIRE(str != NULL);
3636 isc_buffer_init(&buffer, str, len);
3637 isc_buffer_add(&buffer, len);
3639 dns_fixedname_init(&fixedname);
3640 result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
3641 dns_rootname, ISC_TRUE, NULL);
3642 check_result(result, "nameFromString");
3644 if (dns_name_dynamic(p_ret))
3645 free_name(p_ret, mctx);
3647 result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
3648 check_result(result, "nameFromString");
3654 prepare_lookup(dns_name_t *name)
3656 isc_result_t result;
3657 dig_lookup_t *lookup = NULL;
3661 lookup = clone_lookup(current_lookup, ISC_TRUE);
3662 lookup->trace_root = ISC_FALSE;
3663 lookup->new_search = ISC_TRUE;
3664 lookup->trace_root_sigchase = ISC_FALSE;
3666 strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
3668 lookup->rdtype = lookup->rdtype_sigchase;
3669 lookup->rdtypeset = ISC_TRUE;
3670 lookup->qrdtype = lookup->qrdtype_sigchase;
3672 s = ISC_LIST_HEAD(lookup->my_server_list);
3674 debug("freeing server %p belonging to %p",
3677 s = ISC_LIST_NEXT(s, link);
3678 ISC_LIST_DEQUEUE(lookup->my_server_list,
3679 (dig_server_t *)ptr, link);
3680 isc_mem_free(mctx, ptr);
3684 for (result = dns_rdataset_first(chase_nsrdataset);
3685 result == ISC_R_SUCCESS;
3686 result = dns_rdataset_next(chase_nsrdataset)) {
3687 char namestr[DNS_NAME_FORMATSIZE];
3689 dns_rdata_t rdata = DNS_RDATA_INIT;
3690 dig_server_t * srv = NULL;
3691 #define __FOLLOW_GLUE__
3692 #ifdef __FOLLOW_GLUE__
3693 isc_buffer_t *b = NULL;
3694 isc_result_t result;
3696 dns_rdataset_t *rdataset = NULL;
3697 isc_boolean_t true = ISC_TRUE;
3700 memset(namestr, 0, DNS_NAME_FORMATSIZE);
3702 dns_rdataset_current(chase_nsrdataset, &rdata);
3704 (void)dns_rdata_tostruct(&rdata, &ns, NULL);
3708 #ifdef __FOLLOW_GLUE__
3710 result = advanced_rrsearch(&rdataset, &ns.name,
3712 dns_rdatatype_any, &true);
3713 if (result == ISC_R_SUCCESS) {
3714 for (result = dns_rdataset_first(rdataset);
3715 result == ISC_R_SUCCESS;
3716 result = dns_rdataset_next(rdataset)) {
3717 dns_rdata_t aaaa = DNS_RDATA_INIT;
3718 dns_rdataset_current(rdataset, &aaaa);
3720 result = isc_buffer_allocate(mctx, &b, 80);
3721 check_result(result, "isc_buffer_allocate");
3723 dns_rdata_totext(&aaaa, &ns.name, b);
3724 isc_buffer_usedregion(b, &r);
3725 r.base[r.length] = '\0';
3726 strncpy(namestr, (char*)r.base,
3727 DNS_NAME_FORMATSIZE);
3728 isc_buffer_free(&b);
3729 dns_rdata_reset(&aaaa);
3732 srv = make_server(namestr, namestr);
3734 ISC_LIST_APPEND(lookup->my_server_list,
3740 result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
3741 dns_rdatatype_any, &true);
3742 if (result == ISC_R_SUCCESS) {
3743 for (result = dns_rdataset_first(rdataset);
3744 result == ISC_R_SUCCESS;
3745 result = dns_rdataset_next(rdataset)) {
3746 dns_rdata_t a = DNS_RDATA_INIT;
3747 dns_rdataset_current(rdataset, &a);
3749 result = isc_buffer_allocate(mctx, &b, 80);
3750 check_result(result, "isc_buffer_allocate");
3752 dns_rdata_totext(&a, &ns.name, b);
3753 isc_buffer_usedregion(b, &r);
3754 r.base[r.length] = '\0';
3755 strncpy(namestr, (char*)r.base,
3756 DNS_NAME_FORMATSIZE);
3757 isc_buffer_free(&b);
3758 dns_rdata_reset(&a);
3759 printf("ns name: %s\n", namestr);
3762 srv = make_server(namestr, namestr);
3764 ISC_LIST_APPEND(lookup->my_server_list,
3770 dns_name_format(&ns.name, namestr, sizeof(namestr));
3771 printf("ns name: ");
3772 dns_name_print(&ns.name, stdout);
3774 srv = make_server(namestr, namestr);
3776 ISC_LIST_APPEND(lookup->my_server_list, srv, link);
3779 dns_rdata_freestruct(&ns);
3780 dns_rdata_reset(&rdata);
3784 ISC_LIST_APPEND(lookup_list, lookup, link);
3785 printf("\nLaunch a query to find a RRset of type ");
3786 print_type(lookup->rdtype);
3787 printf(" for zone: %s", lookup->textname);
3788 printf(" with nameservers:");
3790 print_rdataset(name, chase_nsrdataset, mctx);
3791 return (ISC_R_SUCCESS);
3796 child_of_zone(dns_name_t * name, dns_name_t * zone_name,
3797 dns_name_t * child_name)
3799 dns_namereln_t name_reln;
3801 unsigned int nlabelsp;
3803 name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp);
3804 if (name_reln != dns_namereln_subdomain ||
3805 dns_name_countlabels(name) <= dns_name_countlabels(zone_name) + 1) {
3806 printf("\n;; ERROR : ");
3807 dns_name_print(name, stdout);
3808 printf(" is not a subdomain of: ");
3809 dns_name_print(zone_name, stdout);
3810 printf(" FAILED\n\n");
3811 return (ISC_R_FAILURE);
3814 dns_name_getlabelsequence(name,
3815 dns_name_countlabels(name) -
3816 dns_name_countlabels(zone_name) -1,
3817 dns_name_countlabels(zone_name) +1,
3819 return (ISC_R_SUCCESS);
3823 grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
3825 isc_result_t result;
3826 dns_rdata_t sigrdata;
3827 dns_rdata_sig_t siginfo;
3829 result = dns_rdataset_first(sigrdataset);
3830 check_result(result, "empty RRSIG dataset");
3831 dns_rdata_init(&sigrdata);
3834 dns_rdataset_current(sigrdataset, &sigrdata);
3836 result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
3837 check_result(result, "sigrdata tostruct siginfo");
3839 if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
3840 dns_rdata_freestruct(&siginfo);
3841 dns_rdata_reset(&sigrdata);
3842 return (ISC_R_SUCCESS);
3845 dns_rdata_freestruct(&siginfo);
3847 } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
3849 dns_rdata_reset(&sigrdata);
3851 return (ISC_R_FAILURE);
3856 initialization(dns_name_t *name)
3858 isc_result_t result;
3859 isc_boolean_t true = ISC_TRUE;
3861 chase_nsrdataset = NULL;
3862 result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
3863 dns_rdatatype_any, &true);
3864 if (result != ISC_R_SUCCESS) {
3865 printf("\n;; NS RRset is missing to continue validation:"
3867 return (ISC_R_FAILURE);
3869 INSIST(chase_nsrdataset != NULL);
3870 prepare_lookup(name);
3872 dup_name(name, &chase_current_name, mctx);
3874 return (ISC_R_SUCCESS);
3879 print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
3881 isc_buffer_t *b = NULL;
3882 isc_result_t result;
3885 result = isc_buffer_allocate(mctx, &b, 9000);
3886 check_result(result, "isc_buffer_allocate");
3888 printrdataset(name, rdataset, b);
3890 isc_buffer_usedregion(b, &r);
3891 r.base[r.length] = '\0';
3894 printf("%s\n", r.base);
3896 isc_buffer_free(&b);
3901 dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
3902 isc_result_t result;
3904 if (dns_name_dynamic(target))
3905 free_name(target, mctx);
3906 result = dns_name_dup(source, mctx, target);
3907 check_result(result, "dns_name_dup");
3911 free_name(dns_name_t *name, isc_mem_t *mctx) {
3912 dns_name_free(name, mctx);
3913 dns_name_init(name, NULL);
3918 * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter
3919 * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key
3920 * and the RRset is valid
3921 * return ISC_R_NOTFOUND if not contains trusted key
3922 or if the RRset isn't valid
3923 * return ISC_R_FAILURE if problem
3927 contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
3928 dns_rdataset_t *sigrdataset,
3931 isc_result_t result;
3933 dst_key_t *trustedKey = NULL;
3934 dst_key_t *dnsseckey = NULL;
3937 if (name == NULL || rdataset == NULL)
3938 return (ISC_R_FAILURE);
3940 result = dns_rdataset_first(rdataset);
3941 check_result(result, "empty rdataset");
3942 dns_rdata_init(&rdata);
3945 dns_rdataset_current(rdataset, &rdata);
3946 INSIST(rdata.type == dns_rdatatype_dnskey);
3948 result = dns_dnssec_keyfromrdata(name, &rdata,
3950 check_result(result, "dns_dnssec_keyfromrdata");
3953 for (i = 0; i < tk_list.nb_tk; i++) {
3954 if (dst_key_compare(tk_list.key[i], dnsseckey)
3956 dns_rdata_reset(&rdata);
3958 printf(";; Ok, find a Trusted Key in the "
3959 "DNSKEY RRset: %d\n",
3960 dst_key_id(dnsseckey));
3961 if (sigchase_verify_sig_key(name, rdataset,
3966 dst_key_free(&dnsseckey);
3968 return (ISC_R_SUCCESS);
3973 dns_rdata_reset(&rdata);
3974 if (dnsseckey != NULL)
3975 dst_key_free(&dnsseckey);
3976 } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
3978 if (trustedKey != NULL)
3979 dst_key_free(&trustedKey);
3982 return (ISC_R_NOTFOUND);
3986 sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
3987 dns_rdataset_t *keyrdataset,
3988 dns_rdataset_t *sigrdataset,
3991 isc_result_t result;
3992 dns_rdata_t keyrdata;
3993 dst_key_t *dnsseckey = NULL;
3995 result = dns_rdataset_first(keyrdataset);
3996 check_result(result, "empty DNSKEY dataset");
3997 dns_rdata_init(&keyrdata);
4000 dns_rdataset_current(keyrdataset, &keyrdata);
4001 INSIST(keyrdata.type == dns_rdatatype_dnskey);
4003 result = dns_dnssec_keyfromrdata(name, &keyrdata,
4005 check_result(result, "dns_dnssec_keyfromrdata");
4007 result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
4009 if (result == ISC_R_SUCCESS) {
4010 dns_rdata_reset(&keyrdata);
4011 dst_key_free(&dnsseckey);
4012 return (ISC_R_SUCCESS);
4014 dst_key_free(&dnsseckey);
4015 } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
4017 dns_rdata_reset(&keyrdata);
4019 return (ISC_R_NOTFOUND);
4023 sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
4024 dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
4027 isc_result_t result;
4028 dns_rdata_t sigrdata;
4029 dns_rdata_sig_t siginfo;
4031 result = dns_rdataset_first(sigrdataset);
4032 check_result(result, "empty RRSIG dataset");
4033 dns_rdata_init(&sigrdata);
4036 dns_rdataset_current(sigrdataset, &sigrdata);
4038 result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
4039 check_result(result, "sigrdata tostruct siginfo");
4042 * Test if the id of the DNSKEY is
4043 * the id of the DNSKEY signer's
4045 if (siginfo.keyid == dst_key_id(dnsseckey)) {
4047 result = dns_rdataset_first(rdataset);
4048 check_result(result, "empty DS dataset");
4050 result = dns_dnssec_verify(name, rdataset, dnsseckey,
4051 ISC_FALSE, mctx, &sigrdata);
4053 printf(";; VERIFYING ");
4054 print_type(rdataset->type);
4055 printf(" RRset for ");
4056 dns_name_print(name, stdout);
4057 printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
4058 isc_result_totext(result));
4060 if (result == ISC_R_SUCCESS) {
4061 dns_rdata_reset(&sigrdata);
4065 dns_rdata_freestruct(&siginfo);
4067 } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
4069 dns_rdata_reset(&sigrdata);
4071 return (ISC_R_NOTFOUND);
4076 sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
4077 dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
4079 isc_result_t result;
4080 dns_rdata_t keyrdata;
4081 dns_rdata_t newdsrdata;
4082 dns_rdata_t dsrdata;
4083 dns_rdata_ds_t dsinfo;
4084 dst_key_t *dnsseckey = NULL;
4085 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
4087 result = dns_rdataset_first(dsrdataset);
4088 check_result(result, "empty DSset dataset");
4089 dns_rdata_init(&dsrdata);
4091 dns_rdataset_current(dsrdataset, &dsrdata);
4093 result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
4094 check_result(result, "dns_rdata_tostruct for DS");
4096 result = dns_rdataset_first(keyrdataset);
4097 check_result(result, "empty KEY dataset");
4098 dns_rdata_init(&keyrdata);
4101 dns_rdataset_current(keyrdataset, &keyrdata);
4102 INSIST(keyrdata.type == dns_rdatatype_dnskey);
4104 result = dns_dnssec_keyfromrdata(name, &keyrdata,
4106 check_result(result, "dns_dnssec_keyfromrdata");
4109 * Test if the id of the DNSKEY is the
4110 * id of DNSKEY referenced by the DS
4112 if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
4113 dns_rdata_init(&newdsrdata);
4115 result = dns_ds_buildrdata(name, &keyrdata,
4117 dsbuf, &newdsrdata);
4118 dns_rdata_freestruct(&dsinfo);
4120 if (result != ISC_R_SUCCESS) {
4121 dns_rdata_reset(&keyrdata);
4122 dns_rdata_reset(&newdsrdata);
4123 dns_rdata_reset(&dsrdata);
4124 dst_key_free(&dnsseckey);
4125 dns_rdata_freestruct(&dsinfo);
4126 printf("Oops: impossible to build"
4132 if (dns_rdata_compare(&dsrdata,
4133 &newdsrdata) == 0) {
4134 printf(";; OK a DS valids a DNSKEY"
4136 printf(";; Now verify that this"
4137 " DNSKEY validates the "
4140 result = sigchase_verify_sig_key(name,
4143 chase_sigkeyrdataset,
4145 if (result == ISC_R_SUCCESS) {
4146 dns_rdata_reset(&keyrdata);
4147 dns_rdata_reset(&newdsrdata);
4148 dns_rdata_reset(&dsrdata);
4149 dst_key_free(&dnsseckey);
4154 printf(";; This DS is NOT the DS for"
4155 " the chasing KEY: FAILED\n");
4158 dns_rdata_reset(&newdsrdata);
4160 dst_key_free(&dnsseckey);
4162 } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
4163 dns_rdata_reset(&keyrdata);
4165 } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
4167 dns_rdata_reset(&dsrdata); WARNING
4170 return (ISC_R_NOTFOUND);
4175 * take a pointer on a rdataset in parameter and try to resolv it.
4176 * the searched rrset is a rrset on 'name' with type 'type'
4177 * (and if the type is a rrsig the signature cover 'covers').
4178 * the lookedup is to known if you have already done the query on the net.
4179 * ISC_R_SUCCESS: if we found the rrset
4180 * ISC_R_NOTFOUND: we do not found the rrset in cache
4181 * and we do a query on the net
4182 * ISC_R_FAILURE: rrset not found
4185 advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name,
4186 dns_rdatatype_t type, dns_rdatatype_t covers,
4187 isc_boolean_t *lookedup)
4189 isc_boolean_t tmplookedup;
4191 INSIST(rdataset != NULL);
4193 if (*rdataset != NULL)
4194 return (ISC_R_SUCCESS);
4196 tmplookedup = *lookedup;
4197 if ((*rdataset = sigchase_scanname(type, covers,
4198 lookedup, name)) == NULL) {
4200 return (ISC_R_FAILURE);
4201 return (ISC_R_NOTFOUND);
4203 *lookedup = ISC_FALSE;
4204 return (ISC_R_SUCCESS);
4211 sigchase_td(dns_message_t *msg)
4213 isc_result_t result;
4214 dns_name_t *name = NULL;
4215 isc_boolean_t have_answer = ISC_FALSE;
4216 isc_boolean_t true = ISC_TRUE;
4218 if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
4220 dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
4221 if (current_lookup->trace_root_sigchase) {
4222 initialization(name);
4227 if (!current_lookup->trace_root_sigchase) {
4228 result = dns_message_firstname(msg,
4229 DNS_SECTION_AUTHORITY);
4230 if (result == ISC_R_SUCCESS)
4231 dns_message_currentname(msg,
4232 DNS_SECTION_AUTHORITY,
4235 = chase_scanname_section(msg, name,
4238 DNS_SECTION_AUTHORITY);
4239 dup_name(name, &chase_authority_name, mctx);
4240 if (chase_nsrdataset != NULL) {
4241 have_delegation_ns = ISC_TRUE;
4242 printf("no response but there is a delegation"
4243 " in authority section:");
4244 dns_name_print(name, stdout);
4247 printf("no response and no delegation in "
4248 "authority section but a reference"
4250 dns_name_print(name, stdout);
4252 error_message = msg;
4255 printf(";; NO ANSWERS: %s\n",
4256 isc_result_totext(result));
4257 free_name(&chase_name, mctx);
4266 = chase_scanname_section(msg, &chase_name,
4270 DNS_SECTION_ANSWER);
4271 if (chase_rdataset != NULL)
4272 have_response = ISC_TRUE;
4275 result = advanced_rrsearch(&chase_keyrdataset,
4276 &chase_current_name,
4277 dns_rdatatype_dnskey,
4279 &chase_keylookedup);
4280 if (result == ISC_R_FAILURE) {
4281 printf("\n;; DNSKEY is missing to continue validation:"
4285 if (result == ISC_R_NOTFOUND)
4287 INSIST(chase_keyrdataset != NULL);
4288 printf("\n;; DNSKEYset:\n");
4289 print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
4292 result = advanced_rrsearch(&chase_sigkeyrdataset,
4293 &chase_current_name,
4294 dns_rdatatype_rrsig,
4295 dns_rdatatype_dnskey,
4296 &chase_sigkeylookedup);
4297 if (result == ISC_R_FAILURE) {
4298 printf("\n;; RRSIG of DNSKEY is missing to continue validation:"
4302 if (result == ISC_R_NOTFOUND)
4304 INSIST(chase_sigkeyrdataset != NULL);
4305 printf("\n;; RRSIG of the DNSKEYset:\n");
4306 print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
4309 if (!chase_dslookedup && !chase_nslookedup) {
4310 if (!delegation_follow) {
4311 result = contains_trusted_key(&chase_current_name,
4313 chase_sigkeyrdataset,
4316 INSIST(chase_dsrdataset != NULL);
4317 INSIST(chase_sigdsrdataset != NULL);
4318 result = sigchase_verify_ds(&chase_current_name,
4324 if (result != ISC_R_SUCCESS) {
4325 printf("\n;; chain of trust can't be validated:"
4329 chase_dsrdataset = NULL;
4330 chase_sigdsrdataset = NULL;
4334 if (have_response || (!have_delegation_ns && !have_response)) {
4335 /* test if it's a grand father case */
4337 if (have_response) {
4338 result = advanced_rrsearch(&chase_sigrdataset,
4340 dns_rdatatype_rrsig,
4344 if (result == ISC_R_FAILURE) {
4345 printf("\n;; RRset is missing to continue"
4346 " validation SHOULD NOT APPEND:"
4352 result = advanced_rrsearch(&chase_sigrdataset,
4353 &chase_authority_name,
4354 dns_rdatatype_rrsig,
4357 if (result == ISC_R_FAILURE) {
4358 printf("\n;; RRSIG is missing to continue"
4359 " validation SHOULD NOT APPEND:"
4364 result = grandfather_pb_test(&chase_current_name,
4366 if (result != ISC_R_SUCCESS) {
4367 dns_name_t tmp_name;
4369 printf("\n;; We are in a Grand Father Problem:"
4370 " See 2.2.1 in RFC 3568\n");
4371 chase_rdataset = NULL;
4372 chase_sigrdataset = NULL;
4373 have_response = ISC_FALSE;
4374 have_delegation_ns = ISC_FALSE;
4376 dns_name_init(&tmp_name, NULL);
4377 result = child_of_zone(&chase_name, &chase_current_name,
4379 if (dns_name_dynamic(&chase_authority_name))
4380 free_name(&chase_authority_name, mctx);
4381 dup_name(&tmp_name, &chase_authority_name, mctx);
4382 printf(";; and we try to continue chain of trust"
4383 " validation of the zone: ");
4384 dns_name_print(&chase_authority_name, stdout);
4386 have_delegation_ns = ISC_TRUE;
4391 chase_sigrdataset = NULL;
4395 if (have_delegation_ns) {
4396 chase_nsrdataset = NULL;
4397 result = advanced_rrsearch(&chase_nsrdataset,
4398 &chase_authority_name,
4402 if (result == ISC_R_FAILURE) {
4403 printf("\n;;NSset is missing to continue validation:"
4407 if (result == ISC_R_NOTFOUND) {
4410 INSIST(chase_nsrdataset != NULL);
4412 result = advanced_rrsearch(&chase_dsrdataset,
4413 &chase_authority_name,
4417 if (result == ISC_R_FAILURE) {
4418 printf("\n;; DSset is missing to continue validation:"
4422 if (result == ISC_R_NOTFOUND)
4424 INSIST(chase_dsrdataset != NULL);
4425 printf("\n;; DSset:\n");
4426 print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
4428 result = advanced_rrsearch(&chase_sigdsrdataset,
4429 &chase_authority_name,
4430 dns_rdatatype_rrsig,
4433 if (result != ISC_R_SUCCESS) {
4434 printf("\n;; DSset is missing to continue validation:"
4438 printf("\n;; RRSIGset of DSset\n");
4439 print_rdataset(&chase_authority_name,
4440 chase_sigdsrdataset, mctx);
4441 INSIST(chase_sigdsrdataset != NULL);
4443 result = sigchase_verify_sig(&chase_authority_name,
4446 chase_sigdsrdataset, mctx);
4447 if (result != ISC_R_SUCCESS) {
4448 printf("\n;; Impossible to verify the DSset:"
4452 chase_keyrdataset = NULL;
4453 chase_sigkeyrdataset = NULL;
4456 prepare_lookup(&chase_authority_name);
4458 have_response = ISC_FALSE;
4459 have_delegation_ns = ISC_FALSE;
4460 delegation_follow = ISC_TRUE;
4461 error_message = NULL;
4462 dup_name(&chase_authority_name, &chase_current_name, mctx);
4463 free_name(&chase_authority_name, mctx);
4468 if (error_message != NULL) {
4469 dns_rdataset_t *rdataset;
4470 dns_rdataset_t *sigrdataset;
4471 dns_name_t rdata_name;
4472 isc_result_t ret = ISC_R_FAILURE;
4474 dns_name_init(&rdata_name, NULL);
4475 result = prove_nx(error_message, &chase_name,
4476 current_lookup->rdclass_sigchase,
4477 current_lookup->rdtype_sigchase, &rdata_name,
4478 &rdataset, &sigrdataset);
4479 if (rdataset == NULL || sigrdataset == NULL ||
4480 dns_name_countlabels(&rdata_name) == 0) {
4481 printf("\n;; Impossible to verify the non-existence,"
4482 " the NSEC RRset can't be validated:"
4486 ret = sigchase_verify_sig(&rdata_name, rdataset,
4489 if (ret != ISC_R_SUCCESS) {
4490 free_name(&rdata_name, mctx);
4491 printf("\n;; Impossible to verify the NSEC RR to prove"
4492 " the non-existence : FAILED\n\n");
4495 free_name(&rdata_name, mctx);
4496 if (result != ISC_R_SUCCESS) {
4497 printf("\n;; Impossible to verify the non-existence:"
4501 printf("\n;; OK the query doesn't have response but"
4502 " we have validate this fact : SUCCESS\n\n");
4508 printf(";; cleanandgo \n");
4509 if (dns_name_dynamic(&chase_current_name))
4510 free_name(&chase_current_name, mctx);
4511 if (dns_name_dynamic(&chase_authority_name))
4512 free_name(&chase_authority_name, mctx);
4517 result = advanced_rrsearch(&chase_rdataset, &chase_name,
4518 current_lookup->rdtype_sigchase,
4521 if (result == ISC_R_FAILURE) {
4522 printf("\n;; RRsig of RRset is missing to continue validation"
4523 " SHOULD NOT APPEND: FAILED\n\n");
4526 result = sigchase_verify_sig(&chase_name, chase_rdataset,
4528 chase_sigrdataset, mctx);
4529 if (result != ISC_R_SUCCESS) {
4530 printf("\n;; Impossible to verify the RRset : FAILED\n\n");
4533 print_rdataset(&chase_name , chase_rdataset, mctx);
4534 printf("DNSKEYset:\n");
4535 print_rdataset(&chase_name , chase_keyrdataset, mctx);
4536 printf("RRSIG of RRset:\n");
4537 print_rdataset(&chase_name , chase_sigrdataset, mctx);
4542 printf("\n;; The Answer:\n");
4543 print_rdataset(&chase_name , chase_rdataset, mctx);
4545 printf("\n;; FINISH : we have validate the DNSSEC chain"
4546 " of trust: SUCCESS\n\n");
4557 getneededrr(dns_message_t *msg)
4559 isc_result_t result;
4560 dns_name_t *name = NULL;
4561 dns_rdata_t sigrdata;
4562 dns_rdata_sig_t siginfo;
4563 isc_boolean_t true = ISC_TRUE;
4565 if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
4567 printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
4569 if (chase_name.ndata == NULL)
4570 return (ISC_R_ADDRNOTAVAIL);
4572 dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
4575 /* What do we chase? */
4576 if (chase_rdataset == NULL) {
4577 result = advanced_rrsearch(&chase_rdataset, name,
4579 dns_rdatatype_any, &true);
4580 if (result != ISC_R_SUCCESS) {
4581 printf("\n;; No Answers: Validation FAILED\n\n");
4582 return (ISC_R_NOTFOUND);
4584 dup_name(name, &chase_name, mctx);
4585 printf(";; RRset to chase:\n");
4586 print_rdataset(&chase_name, chase_rdataset, mctx);
4588 INSIST(chase_rdataset != NULL);
4591 if (chase_sigrdataset == NULL) {
4592 result = advanced_rrsearch(&chase_sigrdataset, name,
4593 dns_rdatatype_rrsig,
4594 chase_rdataset->type,
4595 &chase_siglookedup);
4596 if (result == ISC_R_FAILURE) {
4597 printf("\n;; RRSIG is missing for continue validation:"
4599 if (dns_name_dynamic(&chase_name))
4600 free_name(&chase_name, mctx);
4601 return (ISC_R_NOTFOUND);
4603 if (result == ISC_R_NOTFOUND) {
4604 return (ISC_R_NOTFOUND);
4606 printf("\n;; RRSIG of the RRset to chase:\n");
4607 print_rdataset(&chase_name, chase_sigrdataset, mctx);
4609 INSIST(chase_sigrdataset != NULL);
4612 /* first find the DNSKEY name */
4613 result = dns_rdataset_first(chase_sigrdataset);
4614 check_result(result, "empty RRSIG dataset");
4615 dns_rdata_init(&sigrdata);
4616 dns_rdataset_current(chase_sigrdataset, &sigrdata);
4617 result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
4618 check_result(result, "sigrdata tostruct siginfo");
4619 dup_name(&siginfo.signer, &chase_signame, mctx);
4620 dns_rdata_freestruct(&siginfo);
4621 dns_rdata_reset(&sigrdata);
4623 /* Do we have a key? */
4624 if (chase_keyrdataset == NULL) {
4625 result = advanced_rrsearch(&chase_keyrdataset,
4627 dns_rdatatype_dnskey,
4629 &chase_keylookedup);
4630 if (result == ISC_R_FAILURE) {
4631 printf("\n;; DNSKEY is missing to continue validation:"
4633 free_name(&chase_signame, mctx);
4634 if (dns_name_dynamic(&chase_name))
4635 free_name(&chase_name, mctx);
4636 return (ISC_R_NOTFOUND);
4638 if (result == ISC_R_NOTFOUND) {
4639 free_name(&chase_signame, mctx);
4640 return (ISC_R_NOTFOUND);
4642 printf("\n;; DNSKEYset that signs the RRset to chase:\n");
4643 print_rdataset(&chase_signame, chase_keyrdataset, mctx);
4645 INSIST(chase_keyrdataset != NULL);
4647 if (chase_sigkeyrdataset == NULL) {
4648 result = advanced_rrsearch(&chase_sigkeyrdataset,
4650 dns_rdatatype_rrsig,
4651 dns_rdatatype_dnskey,
4652 &chase_sigkeylookedup);
4653 if (result == ISC_R_FAILURE) {
4654 printf("\n;; RRSIG for DNSKEY is missing to continue"
4655 " validation : FAILED\n\n");
4656 free_name(&chase_signame, mctx);
4657 if (dns_name_dynamic(&chase_name))
4658 free_name(&chase_name, mctx);
4659 return (ISC_R_NOTFOUND);
4661 if (result == ISC_R_NOTFOUND) {
4662 free_name(&chase_signame, mctx);
4663 return (ISC_R_NOTFOUND);
4665 printf("\n;; RRSIG of the DNSKEYset that signs the "
4666 "RRset to chase:\n");
4667 print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
4669 INSIST(chase_sigkeyrdataset != NULL);
4672 if (chase_dsrdataset == NULL) {
4673 result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
4677 if (result == ISC_R_FAILURE) {
4678 printf("\n;; WARNING There is no DS for the zone: ");
4679 dns_name_print(&chase_signame, stdout);
4682 if (result == ISC_R_NOTFOUND) {
4683 free_name(&chase_signame, mctx);
4684 return (ISC_R_NOTFOUND);
4686 if (chase_dsrdataset != NULL) {
4687 printf("\n;; DSset of the DNSKEYset\n");
4688 print_rdataset(&chase_signame, chase_dsrdataset, mctx);
4692 if (chase_dsrdataset != NULL) {
4694 * if there is no RRSIG of DS,
4695 * we don't want to search on the network
4697 result = advanced_rrsearch(&chase_sigdsrdataset,
4699 dns_rdatatype_rrsig,
4700 dns_rdatatype_ds, &true);
4701 if (result == ISC_R_FAILURE) {
4702 printf(";; WARNING : NO RRSIG DS : RRSIG DS"
4703 " should come with DS\n");
4705 * We continue even the DS couldn't be validated,
4706 * because the DNSKEY could be a Trusted Key.
4708 chase_dsrdataset = NULL;
4710 printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
4711 print_rdataset(&chase_signame, chase_sigdsrdataset,
4721 sigchase_bu(dns_message_t *msg)
4723 isc_result_t result;
4726 if (tk_list.nb_tk == 0) {
4727 result = get_trusted_key(mctx);
4728 if (result != ISC_R_SUCCESS) {
4729 printf("No trusted keys present\n");
4735 ret = getneededrr(msg);
4736 if (ret == ISC_R_NOTFOUND)
4739 if (ret == ISC_R_ADDRNOTAVAIL) {
4740 /* We have no response */
4741 dns_rdataset_t *rdataset;
4742 dns_rdataset_t *sigrdataset;
4743 dns_name_t rdata_name;
4744 dns_name_t query_name;
4747 dns_name_init(&query_name, NULL);
4748 dns_name_init(&rdata_name, NULL);
4749 nameFromString(current_lookup->textname, &query_name);
4751 result = prove_nx(msg, &query_name, current_lookup->rdclass,
4752 current_lookup->rdtype, &rdata_name,
4753 &rdataset, &sigrdataset);
4754 free_name(&query_name, mctx);
4755 if (rdataset == NULL || sigrdataset == NULL ||
4756 dns_name_countlabels(&rdata_name) == 0) {
4757 printf("\n;; Impossible to verify the Non-existence,"
4758 " the NSEC RRset can't be validated: "
4764 if (result != ISC_R_SUCCESS) {
4765 printf("\n No Answers and impossible to prove the"
4766 " unsecurity : Validation FAILED\n\n");
4770 printf(";; An NSEC prove the non-existence of a answers,"
4771 " Now we want validate this NSEC\n");
4773 dup_name(&rdata_name, &chase_name, mctx);
4774 free_name(&rdata_name, mctx);
4775 chase_rdataset = rdataset;
4776 chase_sigrdataset = sigrdataset;
4777 chase_keyrdataset = NULL;
4778 chase_sigkeyrdataset = NULL;
4779 chase_dsrdataset = NULL;
4780 chase_sigdsrdataset = NULL;
4781 chase_siglookedup = ISC_FALSE;
4782 chase_keylookedup = ISC_FALSE;
4783 chase_dslookedup = ISC_FALSE;
4784 chase_sigdslookedup = ISC_FALSE;
4791 printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n");
4793 result = sigchase_verify_sig(&chase_name, chase_rdataset,
4795 chase_sigrdataset, mctx);
4796 if (result != ISC_R_SUCCESS) {
4797 free_name(&chase_name, mctx);
4798 free_name(&chase_signame, mctx);
4799 printf(";; No DNSKEY is valid to check the RRSIG"
4800 " of the RRset: FAILED\n");
4804 printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
4806 result = contains_trusted_key(&chase_signame, chase_keyrdataset,
4807 chase_sigkeyrdataset, mctx);
4808 if (result == ISC_R_SUCCESS) {
4809 free_name(&chase_name, mctx);
4810 free_name(&chase_signame, mctx);
4811 printf("\n;; Ok this DNSKEY is a Trusted Key,"
4812 " DNSSEC validation is ok: SUCCESS\n\n");
4817 printf(";; Now, we are going to validate this DNSKEY by the DS\n");
4819 if (chase_dsrdataset == NULL) {
4820 free_name(&chase_name, mctx);
4821 free_name(&chase_signame, mctx);
4822 printf(";; the DNSKEY isn't trusted-key and there isn't"
4823 " DS to validate the DNSKEY: FAILED\n");
4828 result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
4829 chase_dsrdataset, mctx);
4830 if (result != ISC_R_SUCCESS) {
4831 free_name(&chase_signame, mctx);
4832 free_name(&chase_name, mctx);
4833 printf(";; ERROR no DS validates a DNSKEY in the"
4834 " DNSKEY RRset: FAILED\n");
4838 printf(";; OK this DNSKEY (validated by the DS) validates"
4839 " the RRset of the DNSKEYs, thus the DNSKEY validates"
4841 INSIST(chase_sigdsrdataset != NULL);
4843 dup_name(&chase_signame, &chase_name, mctx);
4844 free_name(&chase_signame, mctx);
4845 chase_rdataset = chase_dsrdataset;
4846 chase_sigrdataset = chase_sigdsrdataset;
4847 chase_keyrdataset = NULL;
4848 chase_sigkeyrdataset = NULL;
4849 chase_dsrdataset = NULL;
4850 chase_sigdsrdataset = NULL;
4851 chase_siglookedup = chase_keylookedup = ISC_FALSE;
4852 chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
4854 printf(";; Now, we want to validate the DS : recursive call\n");
4861 sigchase(dns_message_t *msg) {
4863 if (current_lookup->do_topdown) {
4876 * return 1 if name1 < name2
4877 * 0 if name1 == name2
4878 * -1 if name1 > name2
4882 inf_name(dns_name_t *name1, dns_name_t *name2)
4886 unsigned int nblabel1;
4887 unsigned int nblabel2;
4892 nblabel1 = dns_name_countlabels(name1);
4893 nblabel2 = dns_name_countlabels(name2);
4895 if (nblabel1 >= nblabel2)
4896 min_lum_label = nblabel2;
4898 min_lum_label = nblabel1;
4901 for (i=1 ; i < min_lum_label; i++) {
4902 dns_name_getlabel(name1, nblabel1 -1 - i, &label1);
4903 dns_name_getlabel(name2, nblabel2 -1 - i, &label2);
4904 if ((ret = isc_region_compare(&label1, &label2)) != 0) {
4911 if (nblabel1 == nblabel2)
4914 if (nblabel1 < nblabel2)
4926 prove_nx_domain(dns_message_t *msg,
4928 dns_name_t *rdata_name,
4929 dns_rdataset_t **rdataset,
4930 dns_rdataset_t **sigrdataset)
4932 isc_result_t ret = ISC_R_FAILURE;
4933 isc_result_t result = ISC_R_NOTFOUND;
4934 dns_rdataset_t *nsecset = NULL;
4935 dns_rdataset_t *signsecset = NULL ;
4936 dns_rdata_t nsec = DNS_RDATA_INIT;
4937 dns_name_t *nsecname;
4938 dns_rdata_nsec_t nsecstruct;
4940 if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
4942 printf(";; nothing in authority section : impossible to"
4943 " validate the non-existence : FAILED\n");
4944 return (ISC_R_FAILURE);
4949 dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
4950 nsecset = search_type(nsecname, dns_rdatatype_nsec,
4952 if (nsecset == NULL)
4955 printf("There is a NSEC for this zone in the"
4956 " AUTHORITY section:\n");
4957 print_rdataset(nsecname, nsecset, mctx);
4959 for (result = dns_rdataset_first(nsecset);
4960 result == ISC_R_SUCCESS;
4961 result = dns_rdataset_next(nsecset)) {
4962 dns_rdataset_current(nsecset, &nsec);
4966 = chase_scanname_section(msg, nsecname,
4967 dns_rdatatype_rrsig,
4969 DNS_SECTION_AUTHORITY);
4970 if (signsecset == NULL) {
4971 printf(";; no RRSIG NSEC in authority section:"
4972 " impossible to validate the "
4973 "non-existence: FAILED\n");
4974 return (ISC_R_FAILURE);
4977 ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL);
4978 check_result(ret,"dns_rdata_tostruct");
4980 if ((inf_name(nsecname, &nsecstruct.next) == 1 &&
4981 inf_name(name, &nsecstruct.next) == 1) ||
4982 (inf_name(name, nsecname) == 1 &&
4983 inf_name(&nsecstruct.next, name) == 1)) {
4984 dns_rdata_freestruct(&nsecstruct);
4985 *rdataset = nsecset;
4986 *sigrdataset = signsecset;
4987 dup_name(nsecname, rdata_name, mctx);
4989 return (ISC_R_SUCCESS);
4992 dns_rdata_freestruct(&nsecstruct);
4994 } while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
4998 *sigrdataset = NULL;
5000 return (ISC_R_FAILURE);
5011 prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
5012 dns_rdataclass_t class, dns_rdatatype_t type,
5013 dns_name_t *rdata_name, dns_rdataset_t **rdataset,
5014 dns_rdataset_t **sigrdataset)
5017 dns_rdataset_t *signsecset;
5018 dns_rdata_t nsec = DNS_RDATA_INIT;
5022 ret = dns_rdataset_first(nsecset);
5023 check_result(ret,"dns_rdataset_first");
5025 dns_rdataset_current(nsecset, &nsec);
5027 ret = dns_nsec_typepresent(&nsec, type);
5028 if (ret == ISC_R_SUCCESS)
5029 printf("OK the NSEC said that the type doesn't exist \n");
5031 signsecset = chase_scanname_section(msg, name,
5032 dns_rdatatype_rrsig,
5034 DNS_SECTION_AUTHORITY);
5035 if (signsecset == NULL) {
5036 printf("There isn't RRSIG NSEC for the zone \n");
5037 return (ISC_R_FAILURE);
5039 dup_name(name, rdata_name, mctx);
5040 *rdataset = nsecset;
5041 *sigrdataset = signsecset;
5053 prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
5054 dns_rdatatype_t type, dns_name_t *rdata_name,
5055 dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset)
5058 dns_rdataset_t *nsecset = NULL;
5060 printf("We want to prove the non-existance of a type of rdata %d"
5061 " or of the zone: \n", type);
5063 if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
5065 printf(";; nothing in authority section : impossible to"
5066 " validate the non-existence : FAILED\n");
5067 return (ISC_R_FAILURE);
5070 nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec,
5072 DNS_SECTION_AUTHORITY);
5073 if (nsecset != NULL) {
5074 printf("We have a NSEC for this zone :OK\n");
5075 ret = prove_nx_type(msg, name, nsecset, class,
5076 type, rdata_name, rdataset,
5078 if (ret != ISC_R_SUCCESS) {
5079 printf("prove_nx: ERROR type exist\n");
5082 printf("prove_nx: OK type does not exist\n");
5083 return (ISC_R_SUCCESS);
5086 printf("there is no NSEC for this zone: validating "
5087 "that the zone doesn't exist\n");
5088 ret = prove_nx_domain(msg, name, rdata_name,
5089 rdataset, sigrdataset);
projects / dragonfly.git / blob