/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * SPDX-License-Identifier: MPL-2.0 * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if 0 /* * It has been recommended that DNS64 be changed to return excluded * AAAA addresses if DNS64 synthesis does not occur. This minimises * the impact on the lookup results. While most DNS AAAA lookups are * done to send IP packets to a host, not all of them are and filtering * excluded addresses has a negative impact on those uses. */ #define dns64_bis_return_excluded_addresses 1 #endif /* if 0 */ /*% * Maximum number of chained queries before we give up * to prevent CNAME loops. */ #define MAX_RESTARTS 16 #define QUERY_ERROR(qctx, r) \ do { \ (qctx)->result = r; \ (qctx)->want_restart = false; \ (qctx)->line = __LINE__; \ } while (0) /*% Partial answer? */ #define PARTIALANSWER(c) \ (((c)->query.attributes & NS_QUERYATTR_PARTIALANSWER) != 0) /*% Use Cache? */ #define USECACHE(c) (((c)->query.attributes & NS_QUERYATTR_CACHEOK) != 0) /*% Recursion OK? */ #define RECURSIONOK(c) (((c)->query.attributes & NS_QUERYATTR_RECURSIONOK) != 0) /*% Recursing? */ #define RECURSING(c) (((c)->query.attributes & NS_QUERYATTR_RECURSING) != 0) /*% Want Recursion? */ #define WANTRECURSION(c) \ (((c)->query.attributes & NS_QUERYATTR_WANTRECURSION) != 0) /*% Is TCP? */ #define TCP(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) /*% Want DNSSEC? */ #define WANTDNSSEC(c) (((c)->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) /*% Want WANTAD? */ #define WANTAD(c) (((c)->attributes & NS_CLIENTATTR_WANTAD) != 0) /*% Client presented a valid COOKIE. */ #define HAVECOOKIE(c) (((c)->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0) /*% Client presented a COOKIE. */ #define WANTCOOKIE(c) (((c)->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) /*% Client presented a CLIENT-SUBNET option. */ #define HAVEECS(c) (((c)->attributes & NS_CLIENTATTR_HAVEECS) != 0) /*% No authority? */ #define NOAUTHORITY(c) (((c)->query.attributes & NS_QUERYATTR_NOAUTHORITY) != 0) /*% No additional? */ #define NOADDITIONAL(c) \ (((c)->query.attributes & NS_QUERYATTR_NOADDITIONAL) != 0) /*% Secure? */ #define SECURE(c) (((c)->query.attributes & NS_QUERYATTR_SECURE) != 0) /*% DNS64 A lookup? */ #define DNS64(c) (((c)->query.attributes & NS_QUERYATTR_DNS64) != 0) #define DNS64EXCLUDE(c) \ (((c)->query.attributes & NS_QUERYATTR_DNS64EXCLUDE) != 0) #define REDIRECT(c) (((c)->query.attributes & NS_QUERYATTR_REDIRECT) != 0) /*% Was the client already sent a response? */ #define QUERY_ANSWERED(q) (((q)->attributes & NS_QUERYATTR_ANSWERED) != 0) /*% Have we already processed an answer via stale-answer-client-timeout? */ #define QUERY_STALEPENDING(q) \ (((q)->attributes & NS_QUERYATTR_STALEPENDING) != 0) /*% Does the query allow stale data in the response? */ #define QUERY_STALEOK(q) (((q)->attributes & NS_QUERYATTR_STALEOK) != 0) /*% Does the query wants to check for stale RRset due to a timeout? */ #define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0) /*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */ #define NOQNAME(r) (((r)->attributes & DNS_RDATASETATTR_NOQNAME) != 0) /*% Does the rdataset 'r' contain a stale answer? */ #define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0) /*% Does the rdataset 'r' is stale and within stale-refresh-time? */ #define STALE_WINDOW(r) (((r)->attributes & DNS_RDATASETATTR_STALE_WINDOW) != 0) #ifdef WANT_QUERYTRACE static void client_trace(ns_client_t *client, int level, const char *message) { if (client != NULL && client->query.qname != NULL) { if (isc_log_wouldlog(ns_lctx, level)) { char qbuf[DNS_NAME_FORMATSIZE]; char tbuf[DNS_RDATATYPE_FORMATSIZE]; dns_name_format(client->query.qname, qbuf, sizeof(qbuf)); dns_rdatatype_format(client->query.qtype, tbuf, sizeof(tbuf)); isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, level, "query client=%p thread=0x%" PRIxPTR "(%s/%s): %s", client, isc_thread_self(), qbuf, tbuf, message); } } else { isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, level, "query client=%p thread=0x%" PRIxPTR "(): %s", client, isc_thread_self(), message); } } #define CTRACE(l, m) client_trace(client, l, m) #define CCTRACE(l, m) client_trace(qctx->client, l, m) #else /* ifdef WANT_QUERYTRACE */ #define CTRACE(l, m) ((void)m) #define CCTRACE(l, m) ((void)m) #endif /* WANT_QUERYTRACE */ #define DNS_GETDB_NOEXACT 0x01U #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U #define DNS_GETDB_IGNOREACL 0x08U #define DNS_GETDB_STALEFIRST 0X0CU #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) #define SFCACHE_CDFLAG 0x1 /* * These have the same semantics as: * * foo_attach(b, a); * foo_detach(&a); * * without the locking and magic testing. * * We use SAVE and RESTORE as that shows the operation being performed. */ #define SAVE(a, b) \ do { \ INSIST(a == NULL); \ a = b; \ b = NULL; \ } while (0) #define RESTORE(a, b) SAVE(a, b) static bool validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); static void query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_dbversion_t *version, ns_client_t *client, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_name_t *fname, bool exact, dns_name_t *found); static void log_queryerror(ns_client_t *client, isc_result_t result, int line, int level); static void rpz_st_clear(ns_client_t *client); static bool rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); static void log_noexistnodata(void *val, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); /* * Return the hooktable in use with 'qctx', or if there isn't one * set, return the default hooktable. */ static ns_hooktable_t * get_hooktab(query_ctx_t *qctx) { if (qctx == NULL || qctx->view == NULL || qctx->view->hooktable == NULL) { return (ns__hook_table); } return (qctx->view->hooktable); } /* * Call the specified hook function in every configured module that implements * that function. If any hook function returns NS_HOOK_RETURN, we * set 'result' and terminate processing by jumping to the 'cleanup' tag. * * (Note that a hook function may set the 'result' to ISC_R_SUCCESS but * still terminate processing within the calling function. That's why this * is a macro instead of a static function; it needs to be able to use * 'goto cleanup' regardless of the return value.) */ #define CALL_HOOK(_id, _qctx) \ do { \ isc_result_t _res; \ ns_hooktable_t *_tab = get_hooktab(_qctx); \ ns_hook_t *_hook; \ _hook = ISC_LIST_HEAD((*_tab)[_id]); \ while (_hook != NULL) { \ ns_hook_action_t _func = _hook->action; \ void *_data = _hook->action_data; \ INSIST(_func != NULL); \ switch (_func(_qctx, _data, &_res)) { \ case NS_HOOK_CONTINUE: \ _hook = ISC_LIST_NEXT(_hook, link); \ break; \ case NS_HOOK_RETURN: \ result = _res; \ goto cleanup; \ default: \ UNREACHABLE(); \ } \ } \ } while (false) /* * Call the specified hook function in every configured module that * implements that function. All modules are called; hook function return * codes are ignored. This is intended for use with initialization and * destruction calls which *must* run in every configured module. * * (This could be implemented as a static void function, but is left as a * macro for symmetry with CALL_HOOK above.) */ #define CALL_HOOK_NORETURN(_id, _qctx) \ do { \ isc_result_t _res; \ ns_hooktable_t *_tab = get_hooktab(_qctx); \ ns_hook_t *_hook; \ _hook = ISC_LIST_HEAD((*_tab)[_id]); \ while (_hook != NULL) { \ ns_hook_action_t _func = _hook->action; \ void *_data = _hook->action_data; \ INSIST(_func != NULL); \ _func(_qctx, _data, &_res); \ _hook = ISC_LIST_NEXT(_hook, link); \ } \ } while (false) /* * The functions defined below implement the query logic that previously lived * in the single very complex function query_find(). The query_ctx_t structure * defined in maintains state from function to function. The call * flow for the general query processing algorithm is described below: * * 1. Set up query context and other resources for a client * query (query_setup()) * * 2. Start the search (ns__query_start()) * * 3. Identify authoritative data sources which may have an answer; * search them (query_lookup()). If an answer is found, go to 7. * * 4. If recursion or cache access are allowed, search the cache * (query_lookup() again, using the cache database) to find a better * answer. If an answer is found, go to 7. * * 5. If recursion is allowed, begin recursion (ns_query_recurse()). * Go to 15 to clean up this phase of the query. When recursion * is complete, processing will resume at 6. * * 6. Resume from recursion; set up query context for resumed processing. * * 7. Determine what sort of answer we've found (query_gotanswer()) * and call other functions accordingly: * - not found (auth or cache), go to 8 * - delegation, go to 9 * - no such domain (auth), go to 10 * - empty answer (auth), go to 11 * - negative response (cache), go to 12 * - answer found, go to 13 * * 8. The answer was not found in the database (query_notfound(). * Set up a referral and go to 9. * * 9. Handle a delegation response (query_delegation()). If we need * to and are allowed to recurse (query_delegation_recurse()), go to 5, * otherwise go to 15 to clean up and return the delegation to the client. * * 10. No such domain (query_nxdomain()). Attempt redirection; if * unsuccessful, add authority section records (query_addsoa(), * query_addauth()), then go to 15 to return NXDOMAIN to client. * * 11. Empty answer (query_nodata()). Add authority section records * (query_addsoa(), query_addauth()) and signatures if authoritative * (query_sign_nodata()) then go to 15 and return * NOERROR/ANCOUNT=0 to client. * * 12. No such domain or empty answer returned from cache (query_ncache()). * Set response code appropriately, go to 11. * * 13. Prepare a response (query_prepresponse()) and then fill it * appropriately (query_respond(), or for type ANY, * query_respond_any()). * * 14. If a restart is needed due to CNAME/DNAME chaining, go to 2. * * 15. Clean up resources. If recursing, stop and wait for the event * handler to be called back (step 6). If an answer is ready, * return it to the client. * * (XXX: This description omits several special cases including * DNS64, RPZ, RRL, and the SERVFAIL cache. It also doesn't discuss * plugins.) */ static void query_trace(query_ctx_t *qctx); static void qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype, query_ctx_t *qctx); static isc_result_t query_setup(ns_client_t *client, dns_rdatatype_t qtype); static isc_result_t query_lookup(query_ctx_t *qctx); static void fetch_callback(isc_task_t *task, isc_event_t *event); static void recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, const dns_name_t *qname, const dns_name_t *qdomain); static isc_result_t query_resume(query_ctx_t *qctx); static isc_result_t query_checkrrl(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_checkrpz(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_rpzcname(query_ctx_t *qctx, dns_name_t *cname); static isc_result_t query_gotanswer(query_ctx_t *qctx, isc_result_t result); static void query_addnoqnameproof(query_ctx_t *qctx); static isc_result_t query_respond_any(query_ctx_t *qctx); static isc_result_t query_respond(query_ctx_t *qctx); static isc_result_t query_dns64(query_ctx_t *qctx); static void query_filter64(query_ctx_t *qctx); static isc_result_t query_notfound(query_ctx_t *qctx); static isc_result_t query_zone_delegation(query_ctx_t *qctx); static isc_result_t query_delegation(query_ctx_t *qctx); static isc_result_t query_delegation_recurse(query_ctx_t *qctx); static void query_addds(query_ctx_t *qctx); static isc_result_t query_nodata(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_sign_nodata(query_ctx_t *qctx); static void query_addnxrrsetnsec(query_ctx_t *qctx); static isc_result_t query_nxdomain(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_redirect(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_ncache(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_coveringnsec(query_ctx_t *qctx); static isc_result_t query_zerottl_refetch(query_ctx_t *qctx); static isc_result_t query_cname(query_ctx_t *qctx); static isc_result_t query_dname(query_ctx_t *qctx); static isc_result_t query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl); static isc_result_t query_prepresponse(query_ctx_t *qctx); static isc_result_t query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, dns_section_t section); static isc_result_t query_addns(query_ctx_t *qctx); static void query_addbestns(query_ctx_t *qctx); static void query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata); static void query_addauth(query_ctx_t *qctx); static void query_clear_stale(ns_client_t *client); /* * Increment query statistics counters. */ static void inc_stats(ns_client_t *client, isc_statscounter_t counter) { dns_zone_t *zone = client->query.authzone; dns_rdatatype_t qtype; dns_rdataset_t *rdataset; isc_stats_t *zonestats; dns_stats_t *querystats = NULL; ns_stats_increment(client->sctx->nsstats, counter); if (zone == NULL) { return; } /* Do regular response type stats */ zonestats = dns_zone_getrequeststats(zone); if (zonestats != NULL) { isc_stats_increment(zonestats, counter); } /* Do query type statistics * * We only increment per-type if we're using the authoritative * answer counter, preventing double-counting. */ if (counter == ns_statscounter_authans) { querystats = dns_zone_getrcvquerystats(zone); if (querystats != NULL) { rdataset = ISC_LIST_HEAD(client->query.qname->list); if (rdataset != NULL) { qtype = rdataset->type; dns_rdatatypestats_increment(querystats, qtype); } } } } static void query_send(ns_client_t *client) { isc_statscounter_t counter; if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0) { inc_stats(client, ns_statscounter_nonauthans); } else { inc_stats(client, ns_statscounter_authans); } if (client->message->rcode == dns_rcode_noerror) { dns_section_t answer = DNS_SECTION_ANSWER; if (ISC_LIST_EMPTY(client->message->sections[answer])) { if (client->query.isreferral) { counter = ns_statscounter_referral; } else { counter = ns_statscounter_nxrrset; } } else { counter = ns_statscounter_success; } } else if (client->message->rcode == dns_rcode_nxdomain) { counter = ns_statscounter_nxdomain; } else if (client->message->rcode == dns_rcode_badcookie) { counter = ns_statscounter_badcookie; } else { /* We end up here in case of YXDOMAIN, and maybe others */ counter = ns_statscounter_failure; } inc_stats(client, counter); ns_client_send(client); if (!client->nodetach) { isc_nmhandle_detach(&client->reqhandle); } } static void query_error(ns_client_t *client, isc_result_t result, int line) { int loglevel = ISC_LOG_DEBUG(3); switch (dns_result_torcode(result)) { case dns_rcode_servfail: loglevel = ISC_LOG_DEBUG(1); inc_stats(client, ns_statscounter_servfail); break; case dns_rcode_formerr: inc_stats(client, ns_statscounter_formerr); break; default: inc_stats(client, ns_statscounter_failure); break; } if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { loglevel = ISC_LOG_INFO; } log_queryerror(client, result, line, loglevel); ns_client_error(client, result); if (!client->nodetach) { isc_nmhandle_detach(&client->reqhandle); } } static void query_next(ns_client_t *client, isc_result_t result) { if (result == DNS_R_DUPLICATE) { inc_stats(client, ns_statscounter_duplicate); } else if (result == DNS_R_DROP) { inc_stats(client, ns_statscounter_dropped); } else { inc_stats(client, ns_statscounter_failure); } ns_client_drop(client, result); if (!client->nodetach) { isc_nmhandle_detach(&client->reqhandle); } } static void query_freefreeversions(ns_client_t *client, bool everything) { ns_dbversion_t *dbversion, *dbversion_next; unsigned int i; for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0; dbversion != NULL; dbversion = dbversion_next, i++) { dbversion_next = ISC_LIST_NEXT(dbversion, link); /* * If we're not freeing everything, we keep the first three * dbversions structures around. */ if (i > 3 || everything) { ISC_LIST_UNLINK(client->query.freeversions, dbversion, link); isc_mem_put(client->mctx, dbversion, sizeof(*dbversion)); } } } void ns_query_cancel(ns_client_t *client) { REQUIRE(NS_CLIENT_VALID(client)); LOCK(&client->query.fetchlock); if (client->query.fetch != NULL) { dns_resolver_cancelfetch(client->query.fetch); client->query.fetch = NULL; } UNLOCK(&client->query.fetchlock); } static void query_reset(ns_client_t *client, bool everything) { isc_buffer_t *dbuf, *dbuf_next; ns_dbversion_t *dbversion, *dbversion_next; CTRACE(ISC_LOG_DEBUG(3), "query_reset"); /*% * Reset the query state of a client to its default state. */ /* * Cancel the fetch if it's running. */ ns_query_cancel(client); /* * Cleanup any active versions. */ for (dbversion = ISC_LIST_HEAD(client->query.activeversions); dbversion != NULL; dbversion = dbversion_next) { dbversion_next = ISC_LIST_NEXT(dbversion, link); dns_db_closeversion(dbversion->db, &dbversion->version, false); dns_db_detach(&dbversion->db); ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion, link); } ISC_LIST_INIT(client->query.activeversions); if (client->query.authdb != NULL) { dns_db_detach(&client->query.authdb); } if (client->query.authzone != NULL) { dns_zone_detach(&client->query.authzone); } if (client->query.dns64_aaaa != NULL) { ns_client_putrdataset(client, &client->query.dns64_aaaa); } if (client->query.dns64_sigaaaa != NULL) { ns_client_putrdataset(client, &client->query.dns64_sigaaaa); } if (client->query.dns64_aaaaok != NULL) { isc_mem_put(client->mctx, client->query.dns64_aaaaok, client->query.dns64_aaaaoklen * sizeof(bool)); client->query.dns64_aaaaok = NULL; client->query.dns64_aaaaoklen = 0; } ns_client_putrdataset(client, &client->query.redirect.rdataset); ns_client_putrdataset(client, &client->query.redirect.sigrdataset); if (client->query.redirect.db != NULL) { if (client->query.redirect.node != NULL) { dns_db_detachnode(client->query.redirect.db, &client->query.redirect.node); } dns_db_detach(&client->query.redirect.db); } if (client->query.redirect.zone != NULL) { dns_zone_detach(&client->query.redirect.zone); } query_freefreeversions(client, everything); for (dbuf = ISC_LIST_HEAD(client->query.namebufs); dbuf != NULL; dbuf = dbuf_next) { dbuf_next = ISC_LIST_NEXT(dbuf, link); if (dbuf_next != NULL || everything) { ISC_LIST_UNLINK(client->query.namebufs, dbuf, link); isc_buffer_free(&dbuf); } } if (client->query.restarts > 0) { /* * client->query.qname was dynamically allocated. */ dns_message_puttempname(client->message, &client->query.qname); } client->query.qname = NULL; client->query.attributes = (NS_QUERYATTR_RECURSIONOK | NS_QUERYATTR_CACHEOK | NS_QUERYATTR_SECURE); client->query.restarts = 0; client->query.timerset = false; if (client->query.rpz_st != NULL) { rpz_st_clear(client); if (everything) { INSIST(client->query.rpz_st->rpsdb == NULL); isc_mem_put(client->mctx, client->query.rpz_st, sizeof(*client->query.rpz_st)); client->query.rpz_st = NULL; } } client->query.origqname = NULL; client->query.dboptions = 0; client->query.fetchoptions = 0; client->query.gluedb = NULL; client->query.authdbset = false; client->query.isreferral = false; client->query.dns64_options = 0; client->query.dns64_ttl = UINT32_MAX; recparam_update(&client->query.recparam, 0, NULL, NULL); client->query.root_key_sentinel_keyid = 0; client->query.root_key_sentinel_is_ta = false; client->query.root_key_sentinel_not_ta = false; } static void query_cleanup(ns_client_t *client) { query_reset(client, false); } void ns_query_free(ns_client_t *client) { REQUIRE(NS_CLIENT_VALID(client)); query_reset(client, true); } isc_result_t ns_query_init(ns_client_t *client) { isc_result_t result = ISC_R_SUCCESS; REQUIRE(NS_CLIENT_VALID(client)); ISC_LIST_INIT(client->query.namebufs); ISC_LIST_INIT(client->query.activeversions); ISC_LIST_INIT(client->query.freeversions); client->query.restarts = 0; client->query.timerset = false; client->query.rpz_st = NULL; client->query.qname = NULL; /* * This mutex is destroyed when the client is destroyed in * exit_check(). */ isc_mutex_init(&client->query.fetchlock); client->query.fetch = NULL; client->query.prefetch = NULL; client->query.authdb = NULL; client->query.authzone = NULL; client->query.authdbset = false; client->query.isreferral = false; client->query.dns64_aaaa = NULL; client->query.dns64_sigaaaa = NULL; client->query.dns64_aaaaok = NULL; client->query.dns64_aaaaoklen = 0; client->query.redirect.db = NULL; client->query.redirect.node = NULL; client->query.redirect.zone = NULL; client->query.redirect.qtype = dns_rdatatype_none; client->query.redirect.result = ISC_R_SUCCESS; client->query.redirect.rdataset = NULL; client->query.redirect.sigrdataset = NULL; client->query.redirect.authoritative = false; client->query.redirect.is_zone = false; client->query.redirect.fname = dns_fixedname_initname(&client->query.redirect.fixed); query_reset(client, false); ns_client_newdbversion(client, 3); ns_client_newnamebuf(client); return (result); } /*% * Check if 'client' is allowed to query the cache of its associated view. * Unless 'options' has DNS_GETDB_NOLOG set, log the result of cache ACL * evaluation using the appropriate level, along with 'name' and 'qtype'. * * The cache ACL is only evaluated once for each client and then the result is * cached: if NS_QUERYATTR_CACHEACLOKVALID is set in client->query.attributes, * cache ACL evaluation has already been performed. The evaluation result is * also stored in client->query.attributes: if NS_QUERYATTR_CACHEACLOK is set, * the client is allowed cache access. * * Returns: * *\li #ISC_R_SUCCESS 'client' is allowed to access cache *\li #DNS_R_REFUSED 'client' is not allowed to access cache */ static isc_result_t query_checkcacheaccess(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, unsigned int options) { isc_result_t result; if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) == 0) { /* * The view's cache ACLs have not yet been evaluated. * Do it now. Both allow-query-cache and * allow-query-cache-on must be satsified. */ bool log = ((options & DNS_GETDB_NOLOG) == 0); char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; result = ns_client_checkaclsilent(client, NULL, client->view->cacheacl, true); if (result == ISC_R_SUCCESS) { result = ns_client_checkaclsilent( client, &client->destaddr, client->view->cacheonacl, true); } if (result == ISC_R_SUCCESS) { /* * We were allowed by the "allow-query-cache" ACL. */ client->query.attributes |= NS_QUERYATTR_CACHEACLOK; if (log && isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) { ns_client_aclmsg("query (cache)", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "%s approved", msg); } } else if (log) { /* * We were denied by the "allow-query-cache" ACL. * There is no need to clear NS_QUERYATTR_CACHEACLOK * since it is cleared by query_reset(), before query * processing starts. */ ns_client_aclmsg("query (cache)", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s denied", msg); } /* * Evaluation has been finished; make sure we will just consult * NS_QUERYATTR_CACHEACLOK for this client from now on. */ client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; } return ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) != 0 ? ISC_R_SUCCESS : DNS_R_REFUSED); } static isc_result_t query_validatezonedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t **versionp) { isc_result_t result; dns_acl_t *queryacl, *queryonacl; ns_dbversion_t *dbversion; REQUIRE(zone != NULL); REQUIRE(db != NULL); /* * Mirror zone data is treated as cache data. */ if (dns_zone_gettype(zone) == dns_zone_mirror) { return (query_checkcacheaccess(client, name, qtype, options)); } /* * This limits our searching to the zone where the first name * (the query target) was looked for. This prevents following * CNAMES or DNAMES into other zones and prevents returning * additional data from other zones. This does not apply if we're * answering a query where recursion is requested and allowed. */ if (client->query.rpz_st == NULL && !(WANTRECURSION(client) && RECURSIONOK(client)) && client->query.authdbset && db != client->query.authdb) { return (DNS_R_REFUSED); } /* * Non recursive query to a static-stub zone is prohibited; its * zone content is not public data, but a part of local configuration * and should not be disclosed. */ if (dns_zone_gettype(zone) == dns_zone_staticstub && !RECURSIONOK(client)) { return (DNS_R_REFUSED); } /* * If the zone has an ACL, we'll check it, otherwise * we use the view's "allow-query" ACL. Each ACL is only checked * once per query. * * Also, get the database version to use. */ /* * Get the current version of this database. */ dbversion = ns_client_findversion(client, db); if (dbversion == NULL) { CTRACE(ISC_LOG_ERROR, "unable to get db version"); return (DNS_R_SERVFAIL); } if ((options & DNS_GETDB_IGNOREACL) != 0) { goto approved; } if (dbversion->acl_checked) { if (!dbversion->queryok) { return (DNS_R_REFUSED); } goto approved; } queryacl = dns_zone_getqueryacl(zone); if (queryacl == NULL) { queryacl = client->view->queryacl; if ((client->query.attributes & NS_QUERYATTR_QUERYOKVALID) != 0) { /* * We've evaluated the view's queryacl already. If * NS_QUERYATTR_QUERYOK is set, then the client is * allowed to make queries, otherwise the query should * be refused. */ dbversion->acl_checked = true; if ((client->query.attributes & NS_QUERYATTR_QUERYOK) == 0) { dbversion->queryok = false; return (DNS_R_REFUSED); } dbversion->queryok = true; goto approved; } } result = ns_client_checkaclsilent(client, NULL, queryacl, true); if ((options & DNS_GETDB_NOLOG) == 0) { char msg[NS_CLIENT_ACLMSGSIZE("query")]; if (result == ISC_R_SUCCESS) { if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) { ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "%s approved", msg); } } else { ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s denied", msg); } } if (queryacl == client->view->queryacl) { if (result == ISC_R_SUCCESS) { /* * We were allowed by the default * "allow-query" ACL. Remember this so we * don't have to check again. */ client->query.attributes |= NS_QUERYATTR_QUERYOK; } /* * We've now evaluated the view's query ACL, and * the NS_QUERYATTR_QUERYOK attribute is now valid. */ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; } /* If and only if we've gotten this far, check allow-query-on too */ if (result == ISC_R_SUCCESS) { queryonacl = dns_zone_getqueryonacl(zone); if (queryonacl == NULL) { queryonacl = client->view->queryonacl; } result = ns_client_checkaclsilent(client, &client->destaddr, queryonacl, true); if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS) { ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "query-on denied"); } } dbversion->acl_checked = true; if (result != ISC_R_SUCCESS) { dbversion->queryok = false; return (DNS_R_REFUSED); } dbversion->queryok = true; approved: /* Transfer ownership, if necessary. */ if (versionp != NULL) { *versionp = dbversion->version; } return (ISC_R_SUCCESS); } static isc_result_t query_getzonedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { isc_result_t result; unsigned int ztoptions; dns_zone_t *zone = NULL; dns_db_t *db = NULL; bool partial = false; REQUIRE(zonep != NULL && *zonep == NULL); REQUIRE(dbp != NULL && *dbp == NULL); /*% * Find a zone database to answer the query. */ ztoptions = DNS_ZTFIND_MIRROR; if ((options & DNS_GETDB_NOEXACT) != 0) { ztoptions |= DNS_ZTFIND_NOEXACT; } result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, &zone); if (result == DNS_R_PARTIALMATCH) { partial = true; } if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { result = dns_zone_getdb(zone, &db); } if (result != ISC_R_SUCCESS) { goto fail; } result = query_validatezonedb(client, name, qtype, options, zone, db, versionp); if (result != ISC_R_SUCCESS) { goto fail; } /* Transfer ownership. */ *zonep = zone; *dbp = db; if (partial && (options & DNS_GETDB_PARTIAL) != 0) { return (DNS_R_PARTIALMATCH); } return (ISC_R_SUCCESS); fail: if (zone != NULL) { dns_zone_detach(&zone); } if (db != NULL) { dns_db_detach(&db); } return (result); } static void rpz_log_rewrite(ns_client_t *client, bool disabled, dns_rpz_policy_t policy, dns_rpz_type_t type, dns_zone_t *p_zone, dns_name_t *p_name, dns_name_t *cname, dns_rpz_num_t rpz_num) { char cname_buf[DNS_NAME_FORMATSIZE] = { 0 }; char p_name_buf[DNS_NAME_FORMATSIZE]; char qname_buf[DNS_NAME_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; const char *s1 = cname_buf, *s2 = cname_buf; dns_rdataset_t *rdataset; dns_rpz_st_t *st; isc_stats_t *zonestats; /* * Count enabled rewrites in the global counter. * Count both enabled and disabled rewrites for each zone. */ if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) { ns_stats_increment(client->sctx->nsstats, ns_statscounter_rpz_rewrites); } if (p_zone != NULL) { zonestats = dns_zone_getrequeststats(p_zone); if (zonestats != NULL) { isc_stats_increment(zonestats, ns_statscounter_rpz_rewrites); } } if (!isc_log_wouldlog(ns_lctx, DNS_RPZ_INFO_LEVEL)) { return; } st = client->query.rpz_st; if ((st->popt.no_log & DNS_RPZ_ZBIT(rpz_num)) != 0) { return; } dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); if (cname != NULL) { s1 = " (CNAME to: "; dns_name_format(cname, cname_buf, sizeof(cname_buf)); s2 = ")"; } /* * Log Qclass and Qtype in addition to existing * fields. */ rdataset = ISC_LIST_HEAD(client->query.origqname->list); INSIST(rdataset != NULL); dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s/%s/%s via %s%s%s%s", disabled ? "disabled " : "", dns_rpz_type2str(type), dns_rpz_policy2str(policy), qname_buf, typebuf, classbuf, p_name_buf, s1, cname_buf, s2); } static void rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name, dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2, const char *str, isc_result_t result) { char qnamebuf[DNS_NAME_FORMATSIZE]; char p_namebuf[DNS_NAME_FORMATSIZE]; const char *failed, *via, *slash, *str_blank; const char *rpztypestr1; const char *rpztypestr2; if (!isc_log_wouldlog(ns_lctx, level)) { return; } /* * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems. */ if (level <= DNS_RPZ_DEBUG_LEVEL1) { failed = " failed: "; } else { failed = ": "; } rpztypestr1 = dns_rpz_type2str(rpz_type1); if (rpz_type2 != DNS_RPZ_TYPE_BAD) { slash = "/"; rpztypestr2 = dns_rpz_type2str(rpz_type2); } else { slash = ""; rpztypestr2 = ""; } str_blank = (*str != ' ' && *str != '\0') ? " " : ""; dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); if (p_name != NULL) { via = " via "; dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); } else { via = ""; p_namebuf[0] = '\0'; } ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, level, "rpz %s%s%s rewrite %s%s%s%s%s%s%s", rpztypestr1, slash, rpztypestr2, qnamebuf, via, p_namebuf, str_blank, str, failed, isc_result_totext(result)); } static void rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { rpz_log_fail_helper(client, level, p_name, rpz_type, DNS_RPZ_TYPE_BAD, str, result); } /* * Get a policy rewrite zone database. */ static isc_result_t rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { char qnamebuf[DNS_NAME_FORMATSIZE]; char p_namebuf[DNS_NAME_FORMATSIZE]; dns_dbversion_t *rpz_version = NULL; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "rpz_getdb"); result = query_getzonedb(client, p_name, dns_rdatatype_any, DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version); if (result == ISC_R_SUCCESS) { dns_rpz_st_t *st = client->query.rpz_st; /* * It isn't meaningful to log this message when * logging is disabled for some policy zones. */ if (st->popt.no_log == 0 && isc_log_wouldlog(ns_lctx, DNS_RPZ_DEBUG_LEVEL2)) { dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, "try rpz %s rewrite %s via %s", dns_rpz_type2str(rpz_type), qnamebuf, p_namebuf); } *versionp = rpz_version; return (ISC_R_SUCCESS); } rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "query_getzonedb()", result); return (result); } /*% * Find a cache database to answer the query. This may fail with DNS_R_REFUSED * if the client is not allowed to use the cache. */ static isc_result_t query_getcachedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, dns_db_t **dbp, unsigned int options) { isc_result_t result; dns_db_t *db = NULL; REQUIRE(dbp != NULL && *dbp == NULL); if (!USECACHE(client)) { return (DNS_R_REFUSED); } dns_db_attach(client->view->cachedb, &db); result = query_checkcacheaccess(client, name, qtype, options); if (result != ISC_R_SUCCESS) { dns_db_detach(&db); } /* * If query_checkcacheaccess() succeeded, transfer ownership of 'db'. * Otherwise, 'db' will be NULL due to the dns_db_detach() call above. */ *dbp = db; return (result); } static isc_result_t query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, bool *is_zonep) { isc_result_t result; isc_result_t tresult; unsigned int namelabels; unsigned int zonelabels; dns_zone_t *zone = NULL; REQUIRE(zonep != NULL && *zonep == NULL); /* Calculate how many labels are in name. */ namelabels = dns_name_countlabels(name); zonelabels = 0; /* Try to find name in bind's standard database. */ result = query_getzonedb(client, name, qtype, options, &zone, dbp, versionp); /* See how many labels are in the zone's name. */ if (result == ISC_R_SUCCESS && zone != NULL) { zonelabels = dns_name_countlabels(dns_zone_getorigin(zone)); } /* * If # zone labels < # name labels, try to find an even better match * Only try if DLZ drivers are loaded for this view */ if (ISC_UNLIKELY(zonelabels < namelabels && !ISC_LIST_EMPTY(client->view->dlz_searched))) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_db_t *tdbp; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, &client->ecs, NULL); tdbp = NULL; tresult = dns_view_searchdlz(client->view, name, zonelabels, &cm, &ci, &tdbp); /* If we successful, we found a better match. */ if (tresult == ISC_R_SUCCESS) { ns_dbversion_t *dbversion; /* * If the previous search returned a zone, detach it. */ if (zone != NULL) { dns_zone_detach(&zone); } /* * If the previous search returned a database, * detach it. */ if (*dbp != NULL) { dns_db_detach(dbp); } /* * If the previous search returned a version, clear it. */ *versionp = NULL; dbversion = ns_client_findversion(client, tdbp); if (dbversion == NULL) { tresult = ISC_R_NOMEMORY; } else { /* * Be sure to return our database. */ *dbp = tdbp; *versionp = dbversion->version; } /* * We return a null zone, No stats for DLZ zones. */ zone = NULL; result = tresult; } } /* If successful, Transfer ownership of zone. */ if (result == ISC_R_SUCCESS) { *zonep = zone; /* * If neither attempt above succeeded, return the cache instead */ *is_zonep = true; } else { if (result == ISC_R_NOTFOUND) { result = query_getcachedb(client, name, qtype, dbp, options); } *is_zonep = false; } return (result); } static bool query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, dns_name_t **mnamep) { dns_section_t section; dns_name_t *mname = NULL; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate"); for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; section++) { result = dns_message_findname(client->message, section, name, type, 0, &mname, NULL); if (result == ISC_R_SUCCESS) { /* * We've already got this RRset in the response. */ CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: true: " "done"); return (true); } else if (result == DNS_R_NXRRSET) { /* * The name exists, but the rdataset does not. */ if (section == DNS_SECTION_ADDITIONAL) { break; } } else { RUNTIME_CHECK(result == DNS_R_NXDOMAIN); } mname = NULL; } if (mnamep != NULL) { *mnamep = mname; } CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done"); return (false); } /* * Look up data for given 'name' and 'type' in given 'version' of 'db' for * 'client'. Called from query_additionalauth(). * * If the lookup is successful: * * - store the node containing the result at 'nodep', * * - store the owner name of the returned node in 'fname', * * - if 'type' is not ANY, dns_db_findext() will put the exact rdataset being * looked for in 'rdataset' and its signatures (if any) in 'sigrdataset', * * - if 'type' is ANY, dns_db_findext() will leave 'rdataset' and * 'sigrdataset' disassociated and the returned node will be iterated in * query_additional_cb(). * * If the lookup is not successful: * * - 'nodep' will not be written to, * - 'fname' may still be modified as it is passed to dns_db_findext(), * - 'rdataset' and 'sigrdataset' will remain disassociated. */ static isc_result_t query_additionalauthfind(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, dns_rdatatype_t type, ns_client_t *client, dns_dbnode_t **nodep, dns_name_t *fname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_clientinfomethods_t cm; dns_dbnode_t *node = NULL; dns_clientinfo_t ci; isc_result_t result; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Since we are looking for authoritative data, we do not set * the GLUEOK flag. Glue will be looked for later, but not * necessarily in the same database. */ result = dns_db_findext(db, name, version, type, client->query.dboptions, client->now, &node, fname, &cm, &ci, rdataset, sigrdataset); if (result != ISC_R_SUCCESS) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } return (result); } /* * Do not return signatures if the zone is not fully signed. */ if (sigrdataset != NULL && !dns_db_issecure(db) && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } *nodep = node; return (ISC_R_SUCCESS); } /* * For query context 'qctx', try finding authoritative additional data for * given 'name' and 'type'. Called from query_additional_cb(). * * If successful: * * - store pointers to the database and node which contain the result in * 'dbp' and 'nodep', respectively, * * - store the owner name of the returned node in 'fname', * * - potentially bind 'rdataset' and 'sigrdataset', as explained in the * comment for query_additionalauthfind(). * * If unsuccessful: * * - 'dbp' and 'nodep' will not be written to, * - 'fname' may still be modified as it is passed to dns_db_findext(), * - 'rdataset' and 'sigrdataset' will remain disassociated. */ static isc_result_t query_additionalauth(query_ctx_t *qctx, const dns_name_t *name, dns_rdatatype_t type, dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *fname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { ns_client_t *client = qctx->client; ns_dbversion_t *dbversion = NULL; dns_dbversion_t *version = NULL; dns_dbnode_t *node = NULL; dns_zone_t *zone = NULL; dns_db_t *db = NULL; isc_result_t result; /* * First, look within the same zone database for authoritative * additional data. */ if (!client->query.authdbset || client->query.authdb == NULL) { return (ISC_R_NOTFOUND); } dbversion = ns_client_findversion(client, client->query.authdb); if (dbversion == NULL) { return (ISC_R_NOTFOUND); } dns_db_attach(client->query.authdb, &db); version = dbversion->version; CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: same zone"); result = query_additionalauthfind(db, version, name, type, client, &node, fname, rdataset, sigrdataset); if (result != ISC_R_SUCCESS && qctx->view->minimalresponses == dns_minimal_no && RECURSIONOK(client)) { /* * If we aren't doing response minimization and recursion is * allowed, we can try and see if any other zone matches. */ version = NULL; dns_db_detach(&db); result = query_getzonedb(client, name, type, DNS_GETDB_NOLOG, &zone, &db, &version); if (result != ISC_R_SUCCESS) { return (result); } dns_zone_detach(&zone); CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: other zone"); result = query_additionalauthfind(db, version, name, type, client, &node, fname, rdataset, sigrdataset); } if (result != ISC_R_SUCCESS) { dns_db_detach(&db); } else { *nodep = node; node = NULL; *dbp = db; db = NULL; } return (result); } static isc_result_t query_additional_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { query_ctx_t *qctx = arg; ns_client_t *client = qctx->client; isc_result_t result, eresult = ISC_R_SUCCESS; dns_dbnode_t *node = NULL; dns_db_t *db = NULL; dns_name_t *fname = NULL, *mname = NULL; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t *trdataset = NULL; isc_buffer_t *dbuf = NULL; isc_buffer_t b; ns_dbversion_t *dbversion = NULL; dns_dbversion_t *version = NULL; bool added_something = false, need_addname = false; dns_rdatatype_t type; dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_rdatasetadditional_t additionaltype = dns_rdatasetadditional_fromauth; REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(qtype != dns_rdatatype_any); if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) { return (ISC_R_SUCCESS); } CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb"); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * We treat type A additional section processing as if it * were "any address type" additional section processing. * To avoid multiple lookups, we do an 'any' database * lookup and iterate over the node. */ if (qtype == dns_rdatatype_a) { type = dns_rdatatype_any; } else { type = qtype; } /* * Get some resources. */ dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); rdataset = ns_client_newrdataset(client); if (fname == NULL || rdataset == NULL) { goto cleanup; } if (WANTDNSSEC(client)) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { goto cleanup; } } /* * If we want only minimal responses and are here, then it must * be for glue. */ if (qctx->view->minimalresponses == dns_minimal_yes && client->query.qtype != dns_rdatatype_ns) { goto try_glue; } /* * First, look for authoritative additional data. */ result = query_additionalauth(qctx, name, type, &db, &node, fname, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { goto found; } /* * No authoritative data was found. The cache is our next best bet. */ if (!qctx->view->recursion) { goto try_glue; } additionaltype = dns_rdatasetadditional_fromcache; result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); if (result != ISC_R_SUCCESS) { /* * Most likely the client isn't allowed to query the cache. */ goto try_glue; } /* * Attempt to validate glue. */ if (sigrdataset == NULL) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { goto cleanup; } } version = NULL; result = dns_db_findext(db, name, version, type, client->query.dboptions | DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK, client->now, &node, fname, &cm, &ci, rdataset, sigrdataset); dns_cache_updatestats(qctx->view->cache, result); if (!WANTDNSSEC(client)) { ns_client_putrdataset(client, &sigrdataset); } if (result == ISC_R_SUCCESS) { goto found; } if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); try_glue: /* * No cached data was found. Glue is our last chance. * RFC1035 sayeth: * * NS records cause both the usual additional section * processing to locate a type A record, and, when used * in a referral, a special search of the zone in which * they reside for glue information. * * This is the "special search". Note that we must search * the zone where the NS record resides, not the zone it * points to, and that we only do the search in the delegation * case (identified by client->query.gluedb being set). */ if (client->query.gluedb == NULL) { goto cleanup; } /* * Don't poison caches using the bailiwick protection model. */ if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) { goto cleanup; } dbversion = ns_client_findversion(client, client->query.gluedb); if (dbversion == NULL) { goto cleanup; } dns_db_attach(client->query.gluedb, &db); version = dbversion->version; additionaltype = dns_rdatasetadditional_fromglue; result = dns_db_findext(db, name, version, type, client->query.dboptions | DNS_DBFIND_GLUEOK, client->now, &node, fname, &cm, &ci, rdataset, sigrdataset); if (result != ISC_R_SUCCESS && result != DNS_R_ZONECUT && result != DNS_R_GLUE) { goto cleanup; } found: /* * We have found a potential additional data rdataset, or * at least a node to iterate over. */ ns_client_keepname(client, fname, dbuf); /* * If we have an rdataset, add it to the additional data * section. */ mname = NULL; if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { INSIST(mname != fname); ns_client_releasename(client, &fname); fname = mname; } else { need_addname = true; } ISC_LIST_APPEND(fname->list, rdataset, link); trdataset = rdataset; rdataset = NULL; added_something = true; /* * Note: we only add SIGs if we've added the type they cover, * so we do not need to check if the SIG rdataset is already * in the response. */ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { ISC_LIST_APPEND(fname->list, sigrdataset, link); sigrdataset = NULL; } } if (qtype == dns_rdatatype_a) { /* * We now go looking for A and AAAA records, along with * their signatures. * * XXXRTH This code could be more efficient. */ if (rdataset != NULL) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } } else { rdataset = ns_client_newrdataset(client); if (rdataset == NULL) { goto addname; } } if (sigrdataset != NULL) { if (dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } else if (WANTDNSSEC(client)) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { goto addname; } } if (query_isduplicate(client, fname, dns_rdatatype_a, NULL)) { goto aaaa_lookup; } result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0, client->now, rdataset, sigrdataset); if (result == DNS_R_NCACHENXDOMAIN) { goto addname; } else if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } else if (result == ISC_R_SUCCESS) { bool invalid = false; mname = NULL; if (additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || DNS_TRUST_GLUE(rdataset->trust))) { /* validate() may change rdataset->trust */ invalid = !validate(client, db, fname, rdataset, sigrdataset); } if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } else if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { if (mname != fname) { if (mname != NULL) { ns_client_releasename(client, &fname); fname = mname; } else { need_addname = true; } } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = true; if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { ISC_LIST_APPEND(fname->list, sigrdataset, link); sigrdataset = ns_client_newrdataset(client); } rdataset = ns_client_newrdataset(client); if (rdataset == NULL) { goto addname; } if (WANTDNSSEC(client) && sigrdataset == NULL) { goto addname; } } else { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } } aaaa_lookup: if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL)) { goto addname; } result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa, 0, client->now, rdataset, sigrdataset); if (result == DNS_R_NCACHENXDOMAIN) { goto addname; } else if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } else if (result == ISC_R_SUCCESS) { bool invalid = false; mname = NULL; if (additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || DNS_TRUST_GLUE(rdataset->trust))) { /* validate() may change rdataset->trust */ invalid = !validate(client, db, fname, rdataset, sigrdataset); } if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } } else if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { if (mname != fname) { if (mname != NULL) { ns_client_releasename(client, &fname); fname = mname; } else { need_addname = true; } } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = true; if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { ISC_LIST_APPEND(fname->list, sigrdataset, link); sigrdataset = NULL; } rdataset = NULL; } } } addname: CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: addname"); /* * If we haven't added anything, then we're done. */ if (!added_something) { goto cleanup; } /* * We may have added our rdatasets to an existing name, if so, then * need_addname will be false. Whether we used an existing name * or a new one, we must set fname to NULL to prevent cleanup. */ if (need_addname) { dns_message_addname(client->message, fname, DNS_SECTION_ADDITIONAL); } fname = NULL; /* * In some cases, a record that has been added as additional * data may *also* trigger the addition of additional data. * This cannot go more than MAX_RESTARTS levels deep. */ if (trdataset != NULL && dns_rdatatype_followadditional(type)) { eresult = dns_rdataset_additionaldata( trdataset, query_additional_cb, qctx); } cleanup: CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: cleanup"); ns_client_putrdataset(client, &rdataset); if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (fname != NULL) { ns_client_releasename(client, &fname); } if (node != NULL) { dns_db_detachnode(db, &node); } if (db != NULL) { dns_db_detach(&db); } CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: done"); return (eresult); } /* * Add 'rdataset' to 'name'. */ static void query_addtoname(dns_name_t *name, dns_rdataset_t *rdataset) { ISC_LIST_APPEND(name->list, rdataset, link); } /* * Set the ordering for 'rdataset'. */ static void query_setorder(query_ctx_t *qctx, dns_name_t *name, dns_rdataset_t *rdataset) { ns_client_t *client = qctx->client; dns_order_t *order = client->view->order; CTRACE(ISC_LOG_DEBUG(3), "query_setorder"); UNUSED(client); if (order != NULL) { rdataset->attributes |= dns_order_find( order, name, rdataset->type, rdataset->rdclass); } rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; } /* * Handle glue and fetch any other needed additional data for 'rdataset'. */ static void query_additional(query_ctx_t *qctx, dns_rdataset_t *rdataset) { ns_client_t *client = qctx->client; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "query_additional"); if (NOADDITIONAL(client)) { return; } /* * Try to process glue directly. */ if (qctx->view->use_glue_cache && (rdataset->type == dns_rdatatype_ns) && (client->query.gluedb != NULL) && dns_db_iszone(client->query.gluedb)) { ns_dbversion_t *dbversion; dbversion = ns_client_findversion(client, client->query.gluedb); if (dbversion == NULL) { goto regular; } result = dns_rdataset_addglue(rdataset, dbversion->version, client->message); if (result == ISC_R_SUCCESS) { return; } } regular: /* * Add other additional data if needed. * We don't care if dns_rdataset_additionaldata() fails. */ (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx); CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); } static void query_addrrset(query_ctx_t *qctx, dns_name_t **namep, dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp, isc_buffer_t *dbuf, dns_section_t section) { isc_result_t result; ns_client_t *client = qctx->client; dns_name_t *name = *namep, *mname = NULL; dns_rdataset_t *rdataset = *rdatasetp, *mrdataset = NULL; dns_rdataset_t *sigrdataset = NULL; CTRACE(ISC_LOG_DEBUG(3), "query_addrrset"); REQUIRE(name != NULL); if (sigrdatasetp != NULL) { sigrdataset = *sigrdatasetp; } /*% * To the current response for 'client', add the answer RRset * '*rdatasetp' and an optional signature set '*sigrdatasetp', with * owner name '*namep', to section 'section', unless they are * already there. Also add any pertinent additional data. * * If 'dbuf' is not NULL, then '*namep' is the name whose data is * stored in 'dbuf'. In this case, query_addrrset() guarantees that * when it returns the name will either have been kept or released. */ result = dns_message_findname(client->message, section, name, rdataset->type, rdataset->covers, &mname, &mrdataset); if (result == ISC_R_SUCCESS) { /* * We've already got an RRset of the given name and type. */ CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: dns_message_findname " "succeeded: done"); if (dbuf != NULL) { ns_client_releasename(client, namep); } if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) { mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED; } if ((rdataset->attributes & DNS_RDATASETATTR_STALE_ADDED) != 0) { mrdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; } return; } else if (result == DNS_R_NXDOMAIN) { /* * The name doesn't exist. */ if (dbuf != NULL) { ns_client_keepname(client, name, dbuf); } dns_message_addname(client->message, name, section); *namep = NULL; mname = name; } else { RUNTIME_CHECK(result == DNS_R_NXRRSET); if (dbuf != NULL) { ns_client_releasename(client, namep); } } if (rdataset->trust != dns_trust_secure && (section == DNS_SECTION_ANSWER || section == DNS_SECTION_AUTHORITY)) { client->query.attributes &= ~NS_QUERYATTR_SECURE; } /* * Update message name, set rdataset order, and do additional * section processing if needed. */ query_addtoname(mname, rdataset); query_setorder(qctx, mname, rdataset); query_additional(qctx, rdataset); /* * Note: we only add SIGs if we've added the type they cover, so * we do not need to check if the SIG rdataset is already in the * response. */ *rdatasetp = NULL; if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { /* * We have a signature. Add it to the response. */ ISC_LIST_APPEND(mname->list, sigrdataset, link); *sigrdatasetp = NULL; } CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done"); } /* * Mark the RRsets as secure. Update the cache (db) to reflect the * change in trust level. */ static void mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_dbnode_t *node = NULL; dns_clientinfomethods_t cm; dns_clientinfo_t ci; isc_stdtime_t now; rdataset->trust = dns_trust_secure; sigrdataset->trust = dns_trust_secure; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Save the updated secure state. Ignore failures. */ result = dns_db_findnodeext(db, name, true, &cm, &ci, &node); if (result != ISC_R_SUCCESS) { return; } isc_stdtime_get(&now); dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now, client->view->acceptexpired); (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, 0, NULL); (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, 0, NULL); dns_db_detachnode(db, &node); } /* * Find the secure key that corresponds to rrsig. * Note: 'keyrdataset' maintains state between successive calls, * there may be multiple keys with the same keyid. * Return false if we have exhausted all the possible keys. */ static bool get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, dns_rdataset_t *keyrdataset, dst_key_t **keyp) { isc_result_t result; dns_dbnode_t *node = NULL; bool secure = false; dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); if (!dns_rdataset_isassociated(keyrdataset)) { result = dns_db_findnodeext(db, &rrsig->signer, false, &cm, &ci, &node); if (result != ISC_R_SUCCESS) { return (false); } result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, client->now, keyrdataset, NULL); dns_db_detachnode(db, &node); if (result != ISC_R_SUCCESS) { return (false); } if (keyrdataset->trust != dns_trust_secure) { return (false); } result = dns_rdataset_first(keyrdataset); } else { result = dns_rdataset_next(keyrdataset); } for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset)) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_buffer_t b; dns_rdataset_current(keyrdataset, &rdata); isc_buffer_init(&b, rdata.data, rdata.length); isc_buffer_add(&b, rdata.length); result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b, client->mctx, keyp); if (result != ISC_R_SUCCESS) { continue; } if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) && rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) && dst_key_iszonekey(*keyp)) { secure = true; break; } dst_key_free(keyp); } return (secure); } static bool verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, ns_client_t *client) { isc_result_t result; dns_fixedname_t fixed; bool ignore = false; dns_fixedname_init(&fixed); again: result = dns_dnssec_verify(name, rdataset, key, ignore, client->view->maxbits, client->mctx, rdata, NULL); if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) { ignore = true; goto again; } if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { return (true); } return (false); } /* * Validate the rdataset if possible with available records. */ static bool validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_rrsig_t rrsig; dst_key_t *key = NULL; dns_rdataset_t keyrdataset; if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) { return (false); } for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(sigrdataset)) { dns_rdata_reset(&rdata); dns_rdataset_current(sigrdataset, &rdata); result = dns_rdata_tostruct(&rdata, &rrsig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_algorithm_supported(client->view->resolver, name, rrsig.algorithm)) { continue; } if (!dns_name_issubdomain(name, &rrsig.signer)) { continue; } dns_rdataset_init(&keyrdataset); do { if (!get_key(client, db, &rrsig, &keyrdataset, &key)) { break; } if (verify(key, name, rdataset, &rdata, client)) { dst_key_free(&key); dns_rdataset_disassociate(&keyrdataset); mark_secure(client, db, name, &rrsig, rdataset, sigrdataset); return (true); } dst_key_free(&key); } while (1); if (dns_rdataset_isassociated(&keyrdataset)) { dns_rdataset_disassociate(&keyrdataset); } } return (false); } static void fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) { if (*rdataset == NULL) { *rdataset = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(*rdataset)) { dns_rdataset_disassociate(*rdataset); } } static void fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf, isc_buffer_t *nbuf) { if (*fname == NULL) { *dbuf = ns_client_getnamebuf(client); if (*dbuf == NULL) { return; } *fname = ns_client_newname(client, *dbuf, nbuf); } } static void free_devent(ns_client_t *client, isc_event_t **eventp, dns_fetchevent_t **deventp) { dns_fetchevent_t *devent = *deventp; REQUIRE((void *)(*eventp) == (void *)(*deventp)); CTRACE(ISC_LOG_DEBUG(3), "free_devent"); if (devent->fetch != NULL) { dns_resolver_destroyfetch(&devent->fetch); } if (devent->node != NULL) { dns_db_detachnode(devent->db, &devent->node); } if (devent->db != NULL) { dns_db_detach(&devent->db); } if (devent->rdataset != NULL) { ns_client_putrdataset(client, &devent->rdataset); } if (devent->sigrdataset != NULL) { ns_client_putrdataset(client, &devent->sigrdataset); } /* * If the two pointers are the same then leave the setting of * (*deventp) to NULL to isc_event_free. */ if ((void *)eventp != (void *)deventp) { (*deventp) = NULL; } isc_event_free(eventp); } static void prefetch_done(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent = (dns_fetchevent_t *)event; ns_client_t *client; UNUSED(task); REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); client = devent->ev_arg; REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(task == client->task); CTRACE(ISC_LOG_DEBUG(3), "prefetch_done"); LOCK(&client->query.fetchlock); if (client->query.prefetch != NULL) { INSIST(devent->fetch == client->query.prefetch); client->query.prefetch = NULL; } UNLOCK(&client->query.fetchlock); /* * We're done prefetching, detach from quota. */ if (client->recursionquota != NULL) { isc_quota_detach(&client->recursionquota); ns_stats_decrement(client->sctx->nsstats, ns_statscounter_recursclients); } free_devent(client, &event, &devent); isc_nmhandle_detach(&client->prefetchhandle); } static void query_prefetch(ns_client_t *client, dns_name_t *qname, dns_rdataset_t *rdataset) { isc_result_t result; isc_sockaddr_t *peeraddr; dns_rdataset_t *tmprdataset; unsigned int options; CTRACE(ISC_LOG_DEBUG(3), "query_prefetch"); if (client->query.prefetch != NULL || client->view->prefetch_trigger == 0U || rdataset->ttl > client->view->prefetch_trigger || (rdataset->attributes & DNS_RDATASETATTR_PREFETCH) == 0) { return; } if (client->recursionquota == NULL) { result = isc_quota_attach(&client->sctx->recursionquota, &client->recursionquota); switch (result) { case ISC_R_SUCCESS: ns_stats_increment(client->sctx->nsstats, ns_statscounter_recursclients); break; case ISC_R_SOFTQUOTA: isc_quota_detach(&client->recursionquota); FALLTHROUGH; default: return; } } tmprdataset = ns_client_newrdataset(client); if (tmprdataset == NULL) { return; } if (!TCP(client)) { peeraddr = &client->peeraddr; } else { peeraddr = NULL; } isc_nmhandle_attach(client->handle, &client->prefetchhandle); options = client->query.fetchoptions | DNS_FETCHOPT_PREFETCH; result = dns_resolver_createfetch( client->view->resolver, qname, rdataset->type, NULL, NULL, NULL, peeraddr, client->message->id, options, 0, NULL, client->task, prefetch_done, client, tmprdataset, NULL, &client->query.prefetch); if (result != ISC_R_SUCCESS) { ns_client_putrdataset(client, &tmprdataset); isc_nmhandle_detach(&client->prefetchhandle); } dns_rdataset_clearprefetch(rdataset); ns_stats_increment(client->sctx->nsstats, ns_statscounter_prefetch); } static void rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) { if (nodep != NULL && *nodep != NULL) { REQUIRE(dbp != NULL && *dbp != NULL); dns_db_detachnode(*dbp, nodep); } if (dbp != NULL && *dbp != NULL) { dns_db_detach(dbp); } if (zonep != NULL && *zonep != NULL) { dns_zone_detach(zonep); } if (rdatasetp != NULL && *rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { dns_rdataset_disassociate(*rdatasetp); } } static void rpz_match_clear(dns_rpz_st_t *st) { rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); st->m.version = NULL; } static isc_result_t rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { REQUIRE(rdatasetp != NULL); CTRACE(ISC_LOG_DEBUG(3), "rpz_ready"); if (*rdatasetp == NULL) { *rdatasetp = ns_client_newrdataset(client); if (*rdatasetp == NULL) { CTRACE(ISC_LOG_ERROR, "rpz_ready: " "ns_client_newrdataset failed"); return (DNS_R_SERVFAIL); } } else if (dns_rdataset_isassociated(*rdatasetp)) { dns_rdataset_disassociate(*rdatasetp); } return (ISC_R_SUCCESS); } static void rpz_st_clear(ns_client_t *client) { dns_rpz_st_t *st = client->query.rpz_st; CTRACE(ISC_LOG_DEBUG(3), "rpz_st_clear"); if (st->m.rdataset != NULL) { ns_client_putrdataset(client, &st->m.rdataset); } rpz_match_clear(st); rpz_clean(NULL, &st->r.db, NULL, NULL); if (st->r.ns_rdataset != NULL) { ns_client_putrdataset(client, &st->r.ns_rdataset); } if (st->r.r_rdataset != NULL) { ns_client_putrdataset(client, &st->r.r_rdataset); } rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL); if (st->q.rdataset != NULL) { ns_client_putrdataset(client, &st->q.rdataset); } if (st->q.sigrdataset != NULL) { ns_client_putrdataset(client, &st->q.sigrdataset); } st->state = 0; st->m.type = DNS_RPZ_TYPE_BAD; st->m.policy = DNS_RPZ_POLICY_MISS; if (st->rpsdb != NULL) { dns_db_detach(&st->rpsdb); } } static dns_rpz_zbits_t rpz_get_zbits(ns_client_t *client, dns_rdatatype_t ip_type, dns_rpz_type_t rpz_type) { dns_rpz_st_t *st; dns_rpz_zbits_t zbits = 0; REQUIRE(client != NULL); REQUIRE(client->query.rpz_st != NULL); st = client->query.rpz_st; #ifdef USE_DNSRPS if (st->popt.dnsrps_enabled) { if (st->rpsdb == NULL || librpz->have_trig(dns_dnsrps_type2trig(rpz_type), ip_type == dns_rdatatype_aaaa, ((rpsdb_t *)st->rpsdb)->rsp)) { return (DNS_RPZ_ALL_ZBITS); } return (0); } #endif /* ifdef USE_DNSRPS */ switch (rpz_type) { case DNS_RPZ_TYPE_CLIENT_IP: zbits = st->have.client_ip; break; case DNS_RPZ_TYPE_QNAME: zbits = st->have.qname; break; case DNS_RPZ_TYPE_IP: if (ip_type == dns_rdatatype_a) { zbits = st->have.ipv4; } else if (ip_type == dns_rdatatype_aaaa) { zbits = st->have.ipv6; } else { zbits = st->have.ip; } break; case DNS_RPZ_TYPE_NSDNAME: zbits = st->have.nsdname; break; case DNS_RPZ_TYPE_NSIP: if (ip_type == dns_rdatatype_a) { zbits = st->have.nsipv4; } else if (ip_type == dns_rdatatype_aaaa) { zbits = st->have.nsipv6; } else { zbits = st->have.nsip; } break; default: UNREACHABLE(); } /* * Choose * the earliest configured policy zone (rpz->num) * QNAME over IP over NSDNAME over NSIP (rpz_type) * the smallest name, * the longest IP address prefix, * the lexically smallest address. */ if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.type >= rpz_type) { zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); } else { zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; } } /* * If the client wants recursion, allow only compatible policies. */ if (!RECURSIONOK(client)) { zbits &= st->popt.no_rd_ok; } return (zbits); } static void query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) { isc_result_t result; isc_sockaddr_t *peeraddr; dns_rdataset_t *tmprdataset; unsigned int options; CTRACE(ISC_LOG_DEBUG(3), "query_rpzfetch"); if (client->query.prefetch != NULL) { return; } if (client->recursionquota == NULL) { result = isc_quota_attach(&client->sctx->recursionquota, &client->recursionquota); switch (result) { case ISC_R_SUCCESS: ns_stats_increment(client->sctx->nsstats, ns_statscounter_recursclients); break; case ISC_R_SOFTQUOTA: isc_quota_detach(&client->recursionquota); FALLTHROUGH; default: return; } } tmprdataset = ns_client_newrdataset(client); if (tmprdataset == NULL) { return; } if (!TCP(client)) { peeraddr = &client->peeraddr; } else { peeraddr = NULL; } options = client->query.fetchoptions; isc_nmhandle_attach(client->handle, &client->prefetchhandle); result = dns_resolver_createfetch( client->view->resolver, qname, type, NULL, NULL, NULL, peeraddr, client->message->id, options, 0, NULL, client->task, prefetch_done, client, tmprdataset, NULL, &client->query.prefetch); if (result != ISC_R_SUCCESS) { ns_client_putrdataset(client, &tmprdataset); isc_nmhandle_detach(&client->prefetchhandle); } } /* * Get an NS, A, or AAAA rrset related to the response for the client * to check the contents of that rrset for hits by eligible policy zones. */ static isc_result_t rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp, bool resuming) { dns_rpz_st_t *st; bool is_zone; dns_dbnode_t *node; dns_fixedname_t fixed; dns_name_t *found; isc_result_t result; dns_clientinfomethods_t cm; dns_clientinfo_t ci; CTRACE(ISC_LOG_DEBUG(3), "rpz_rrset_find"); st = client->query.rpz_st; if ((st->state & DNS_RPZ_RECURSING) != 0) { INSIST(st->r.r_type == type); INSIST(dns_name_equal(name, st->r_name)); INSIST(*rdatasetp == NULL || !dns_rdataset_isassociated(*rdatasetp)); st->state &= ~DNS_RPZ_RECURSING; RESTORE(*dbp, st->r.db); if (*rdatasetp != NULL) { ns_client_putrdataset(client, rdatasetp); } RESTORE(*rdatasetp, st->r.r_rdataset); result = st->r.r_result; if (result == DNS_R_DELEGATION) { CTRACE(ISC_LOG_ERROR, "RPZ recursing"); rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, rpz_type, "rpz_rrset_find(1)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; result = DNS_R_SERVFAIL; } return (result); } result = rpz_ready(client, rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); } if (*dbp != NULL) { is_zone = false; } else { dns_zone_t *zone; version = NULL; zone = NULL; result = query_getdb(client, name, type, 0, &zone, dbp, &version, &is_zone); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, rpz_type, "rpz_rrset_find(2)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; if (zone != NULL) { dns_zone_detach(&zone); } return (result); } if (zone != NULL) { dns_zone_detach(&zone); } } node = NULL; found = dns_fixedname_initname(&fixed); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); result = dns_db_findext(*dbp, name, version, type, options, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) { /* * Try the cache if we're authoritative for an * ancestor but not the domain itself. */ rpz_clean(NULL, dbp, &node, rdatasetp); version = NULL; dns_db_attach(client->view->cachedb, dbp); result = dns_db_findext(*dbp, name, version, type, 0, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); } rpz_clean(NULL, dbp, &node, NULL); if (result == DNS_R_DELEGATION) { rpz_clean(NULL, NULL, NULL, rdatasetp); /* * Recurse for NS rrset or A or AAAA rrset for an NS. * Do not recurse for addresses for the query name. */ if (rpz_type == DNS_RPZ_TYPE_IP) { result = DNS_R_NXRRSET; } else if (!client->view->rpzs->p.nsip_wait_recurse) { query_rpzfetch(client, name, type); result = DNS_R_NXRRSET; } else { dns_name_copynf(name, st->r_name); result = ns_query_recurse(client, type, st->r_name, NULL, NULL, resuming); if (result == ISC_R_SUCCESS) { st->state |= DNS_RPZ_RECURSING; result = DNS_R_DELEGATION; } } } return (result); } /* * Compute a policy owner name, p_name, in a policy zone given the needed * policy type and the trigger name. */ static isc_result_t rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_name_t *trig_name) { dns_offsets_t prefix_offsets; dns_name_t prefix, *suffix; unsigned int first, labels; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "rpz_get_p_name"); /* * The policy owner name consists of a suffix depending on the type * and policy zone and a prefix that is the longest possible string * from the trigger name that keesp the resulting policy owner name * from being too long. */ switch (rpz_type) { case DNS_RPZ_TYPE_CLIENT_IP: suffix = &rpz->client_ip; break; case DNS_RPZ_TYPE_QNAME: suffix = &rpz->origin; break; case DNS_RPZ_TYPE_IP: suffix = &rpz->ip; break; case DNS_RPZ_TYPE_NSDNAME: suffix = &rpz->nsdname; break; case DNS_RPZ_TYPE_NSIP: suffix = &rpz->nsip; break; default: UNREACHABLE(); } /* * Start with relative version of the full trigger name, * and trim enough allow the addition of the suffix. */ dns_name_init(&prefix, prefix_offsets); labels = dns_name_countlabels(trig_name); first = 0; for (;;) { dns_name_getlabelsequence(trig_name, first, labels - first - 1, &prefix); result = dns_name_concatenate(&prefix, suffix, p_name, NULL); if (result == ISC_R_SUCCESS) { break; } INSIST(result == DNS_R_NAMETOOLONG); /* * Trim the trigger name until the combination is not too long. */ if (labels - first < 2) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, rpz_type, "concatenate()", result); return (ISC_R_FAILURE); } /* * Complain once about trimming the trigger name. */ if (first == 0) { rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, rpz_type, "concatenate()", result); } ++first; } return (ISC_R_SUCCESS); } /* * Look in policy zone rpz for a policy of rpz_type by p_name. * The self-name (usually the client qname or an NS name) is compared with * the target of a CNAME policy for the old style passthru encoding. * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, * *rdatasetp, and *policyp. * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. * The caller must decide if the found policy is most suitable, including * better than a previously found policy. * If it is best, the caller records it in client->query.rpz_st->m. */ static isc_result_t rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, dns_rpz_policy_t *policyp) { dns_fixedname_t foundf; dns_name_t *found; isc_result_t result; dns_clientinfomethods_t cm; dns_clientinfo_t ci; bool found_a = false; REQUIRE(nodep != NULL); CTRACE(ISC_LOG_DEBUG(3), "rpz_find_p"); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Try to find either a CNAME or the type of record demanded by the * request from the policy zone. */ rpz_clean(zonep, dbp, nodep, rdatasetp); result = rpz_ready(client, rdatasetp); if (result != ISC_R_SUCCESS) { CTRACE(ISC_LOG_ERROR, "rpz_ready() failed"); return (DNS_R_SERVFAIL); } *versionp = NULL; result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); if (result != ISC_R_SUCCESS) { return (DNS_R_NXDOMAIN); } found = dns_fixedname_initname(&foundf); result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); /* * Choose the best rdataset if we found something. */ if (result == ISC_R_SUCCESS) { dns_rdatasetiter_t *rdsiter; rdsiter = NULL; result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, 0, &rdsiter); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "allrdatasets()", result); CTRACE(ISC_LOG_ERROR, "rpz_find_p: allrdatasets failed"); return (DNS_R_SERVFAIL); } if (qtype == dns_rdatatype_aaaa && !ISC_LIST_EMPTY(client->view->dns64)) { for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) { dns_rdatasetiter_current(rdsiter, *rdatasetp); if ((*rdatasetp)->type == dns_rdatatype_a) { found_a = true; } dns_rdataset_disassociate(*rdatasetp); } } for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) { dns_rdatasetiter_current(rdsiter, *rdatasetp); if ((*rdatasetp)->type == dns_rdatatype_cname || (*rdatasetp)->type == qtype) { break; } dns_rdataset_disassociate(*rdatasetp); } dns_rdatasetiter_destroy(&rdsiter); if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOMORE) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "rdatasetiter", result); CTRACE(ISC_LOG_ERROR, "rpz_find_p: " "rdatasetiter failed"); return (DNS_R_SERVFAIL); } /* * Ask again to get the right DNS_R_DNAME/NXRRSET/... * result if there is neither a CNAME nor target type. */ if (dns_rdataset_isassociated(*rdatasetp)) { dns_rdataset_disassociate(*rdatasetp); } dns_db_detachnode(*dbp, nodep); if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) { result = DNS_R_NXRRSET; } else { result = dns_db_findext(*dbp, p_name, *versionp, qtype, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); } } } switch (result) { case ISC_R_SUCCESS: if ((*rdatasetp)->type != dns_rdatatype_cname) { *policyp = DNS_RPZ_POLICY_RECORD; } else { *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, self_name); if ((*policyp == DNS_RPZ_POLICY_RECORD || *policyp == DNS_RPZ_POLICY_WILDCNAME) && qtype != dns_rdatatype_cname && qtype != dns_rdatatype_any) { return (DNS_R_CNAME); } } return (ISC_R_SUCCESS); case DNS_R_NXRRSET: if (found_a) { *policyp = DNS_RPZ_POLICY_DNS64; } else { *policyp = DNS_RPZ_POLICY_NODATA; } return (result); case DNS_R_DNAME: /* * DNAME policy RRs have very few if any uses that are not * better served with simple wildcards. Making them work would * require complications to get the number of labels matched * in the name or the found name to the main DNS_R_DNAME case * in query_dname(). The domain also does not appear in the * summary database at the right level, so this happens only * with a single policy zone when we have no summary database. * Treat it as a miss. */ case DNS_R_NXDOMAIN: case DNS_R_EMPTYNAME: return (DNS_R_NXDOMAIN); default: rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); CTRACE(ISC_LOG_ERROR, "rpz_find_p: unexpected result"); return (DNS_R_SERVFAIL); } } static void rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, dns_dbversion_t *version) { dns_rdataset_t *trdataset = NULL; rpz_match_clear(st); st->m.rpz = rpz; st->m.type = rpz_type; st->m.policy = policy; dns_name_copynf(p_name, st->p_name); st->m.prefix = prefix; st->m.result = result; SAVE(st->m.zone, *zonep); SAVE(st->m.db, *dbp); SAVE(st->m.node, *nodep); if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { /* * Save the replacement rdataset from the policy * and make the previous replacement rdataset scratch. */ SAVE(trdataset, st->m.rdataset); SAVE(st->m.rdataset, *rdatasetp); SAVE(*rdatasetp, trdataset); st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); } else { st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); } SAVE(st->m.version, version); } #ifdef USE_DNSRPS /* * Check the results of a RPZ service interface lookup. * Stop after an error (<0) or not a hit on a disabled zone (0). * Continue after a hit on a disabled zone (>0). */ static int dnsrps_ck(librpz_emsg_t *emsg, ns_client_t *client, rpsdb_t *rpsdb, bool recursed) { isc_region_t region; librpz_domain_buf_t pname_buf; if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { return (-1); } /* * Forget the state from before the IP address or domain check * if the lookup hit nothing. */ if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED || rpsdb->result.hit_id != rpsdb->hit_id || rpsdb->result.policy != LIBRPZ_POLICY_DISABLED) { if (!librpz->rsp_pop_discard(emsg, rpsdb->rsp)) { return (-1); } return (0); } /* * Log a hit on a disabled zone. * Forget the zone to not try it again, and restore the pre-hit state. */ if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { return (-1); } region.base = pname_buf.d; region.length = pname_buf.size; dns_name_fromregion(client->query.rpz_st->p_name, ®ion); rpz_log_rewrite(client, true, dns_dnsrps_2policy(rpsdb->result.zpolicy), dns_dnsrps_trig2type(rpsdb->result.trig), NULL, client->query.rpz_st->p_name, NULL, rpsdb->result.cznum); if (!librpz->rsp_forget_zone(emsg, rpsdb->result.cznum, rpsdb->rsp) || !librpz->rsp_pop(emsg, &rpsdb->result, rpsdb->rsp)) { return (-1); } return (1); } /* * Ready the shim database and rdataset for a DNSRPS hit. */ static bool dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st, dns_rdatatype_t qtype, dns_rdataset_t **p_rdatasetp, bool recursed) { rpsdb_t *rpsdb; librpz_domain_buf_t pname_buf; isc_region_t region; dns_zone_t *p_zone; dns_db_t *p_db; dns_dbnode_t *p_node; dns_rpz_policy_t policy; dns_fixedname_t foundf; dns_name_t *found; dns_rdatatype_t foundtype, searchtype; isc_result_t result; rpsdb = (rpsdb_t *)st->rpsdb; if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { return (false); } if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED) { return (true); } /* * Give the fake or shim DNSRPS database its new origin. */ if (!librpz->rsp_soa(emsg, NULL, NULL, &rpsdb->origin_buf, &rpsdb->result, rpsdb->rsp)) { return (false); } region.base = rpsdb->origin_buf.d; region.length = rpsdb->origin_buf.size; dns_name_fromregion(&rpsdb->common.origin, ®ion); if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { return (false); } region.base = pname_buf.d; region.length = pname_buf.size; dns_name_fromregion(st->p_name, ®ion); p_zone = NULL; p_db = NULL; p_node = NULL; rpz_ready(client, p_rdatasetp); dns_db_attach(st->rpsdb, &p_db); policy = dns_dnsrps_2policy(rpsdb->result.policy); if (policy != DNS_RPZ_POLICY_RECORD) { result = ISC_R_SUCCESS; } else if (qtype == dns_rdatatype_rrsig) { /* * dns_find_db() refuses to look for and fail to * find dns_rdatatype_rrsig. */ result = DNS_R_NXRRSET; policy = DNS_RPZ_POLICY_NODATA; } else { /* * Get the next (and so first) RR from the policy node. * If it is a CNAME, then look for it regardless of the * query type. */ if (!librpz->rsp_rr(emsg, &foundtype, NULL, NULL, NULL, &rpsdb->result, rpsdb->qname->ndata, rpsdb->qname->length, rpsdb->rsp)) { return (false); } if (foundtype == dns_rdatatype_cname) { searchtype = dns_rdatatype_cname; } else { searchtype = qtype; } /* * Get the DNSPRS imitation rdataset. */ found = dns_fixedname_initname(&foundf); result = dns_db_find(p_db, st->p_name, NULL, searchtype, 0, 0, &p_node, found, *p_rdatasetp, NULL); if (result == ISC_R_SUCCESS) { if (searchtype == dns_rdatatype_cname && qtype != dns_rdatatype_cname) { result = DNS_R_CNAME; } } else if (result == DNS_R_NXRRSET) { policy = DNS_RPZ_POLICY_NODATA; } else { snprintf(emsg->c, sizeof(emsg->c), "dns_db_find(): %s", isc_result_totext(result)); return (false); } } rpz_save_p(st, client->view->rpzs->zones[rpsdb->result.cznum], dns_dnsrps_trig2type(rpsdb->result.trig), policy, st->p_name, 0, result, &p_zone, &p_db, &p_node, p_rdatasetp, NULL); rpz_clean(NULL, NULL, NULL, p_rdatasetp); return (true); } static isc_result_t dnsrps_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { dns_rpz_st_t *st; rpsdb_t *rpsdb; librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; bool recursed = false; int res; librpz_emsg_t emsg; isc_result_t result; st = client->query.rpz_st; rpsdb = (rpsdb_t *)st->rpsdb; result = rpz_ready(client, p_rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); } switch (rpz_type) { case DNS_RPZ_TYPE_CLIENT_IP: trig = LIBRPZ_TRIG_CLIENT_IP; recursed = false; break; case DNS_RPZ_TYPE_IP: trig = LIBRPZ_TRIG_IP; recursed = true; break; case DNS_RPZ_TYPE_NSIP: trig = LIBRPZ_TRIG_NSIP; recursed = true; break; default: UNREACHABLE(); } do { if (!librpz->rsp_push(&emsg, rpsdb->rsp) || !librpz->ck_ip(&emsg, netaddr->family == AF_INET ? (const void *)&netaddr->type.in : (const void *)&netaddr->type.in6, netaddr->family, trig, ++rpsdb->hit_id, recursed, rpsdb->rsp) || (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, rpz_type, emsg.c, DNS_R_SERVFAIL); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); } } while (res != 0); return (ISC_R_SUCCESS); } static isc_result_t dnsrps_rewrite_name(ns_client_t *client, dns_name_t *trig_name, bool recursed, dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { dns_rpz_st_t *st; rpsdb_t *rpsdb; librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; isc_region_t r; int res; librpz_emsg_t emsg; isc_result_t result; st = client->query.rpz_st; rpsdb = (rpsdb_t *)st->rpsdb; result = rpz_ready(client, p_rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); } switch (rpz_type) { case DNS_RPZ_TYPE_QNAME: trig = LIBRPZ_TRIG_QNAME; break; case DNS_RPZ_TYPE_NSDNAME: trig = LIBRPZ_TRIG_NSDNAME; break; default: UNREACHABLE(); } dns_name_toregion(trig_name, &r); do { if (!librpz->rsp_push(&emsg, rpsdb->rsp) || !librpz->ck_domain(&emsg, r.base, r.length, trig, ++rpsdb->hit_id, recursed, rpsdb->rsp) || (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, rpz_type, emsg.c, DNS_R_SERVFAIL); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); } } while (res != 0); return (ISC_R_SUCCESS); } #endif /* USE_DNSRPS */ /* * Check this address in every eligible policy zone. */ static isc_result_t rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { dns_rpz_zones_t *rpzs; dns_rpz_st_t *st; dns_rpz_zone_t *rpz; dns_rpz_prefix_t prefix; dns_rpz_num_t rpz_num; dns_fixedname_t ip_namef, p_namef; dns_name_t *ip_name, *p_name; dns_zone_t *p_zone; dns_db_t *p_db; dns_dbversion_t *p_version; dns_dbnode_t *p_node; dns_rpz_policy_t policy; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip"); rpzs = client->view->rpzs; st = client->query.rpz_st; #ifdef USE_DNSRPS if (st->popt.dnsrps_enabled) { return (dnsrps_rewrite_ip(client, netaddr, rpz_type, p_rdatasetp)); } #endif /* ifdef USE_DNSRPS */ ip_name = dns_fixedname_initname(&ip_namef); p_zone = NULL; p_db = NULL; p_node = NULL; while (zbits != 0) { rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, ip_name, &prefix); if (rpz_num == DNS_RPZ_INVALID_NUM) { break; } zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); /* * Do not try applying policy zones that cannot replace a * previously found policy zone. * Stop looking if the next best choice cannot * replace what we already have. */ rpz = rpzs->zones[rpz_num]; if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.rpz->num < rpz->num) { break; } if (st->m.rpz->num == rpz->num && (st->m.type < rpz_type || st->m.prefix > prefix)) { break; } } /* * Get the policy for a prefix at least as long * as the prefix of the entry we had before. */ p_name = dns_fixedname_initname(&p_namef); result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); if (result != ISC_R_SUCCESS) { continue; } result = rpz_find_p(client, ip_name, qtype, p_name, rpz, rpz_type, &p_zone, &p_db, &p_version, &p_node, p_rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: /* * Continue after a policy record that is missing * contrary to the summary data. The summary * data can out of date during races with and among * policy zone updates. */ CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip: mismatched " "summary data; " "continuing"); continue; case DNS_R_SERVFAIL: rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); default: /* * Forget this policy if it is not preferable * to the previously found policy. * If this policy is not good, then stop looking * because none of the later policy zones would work. * * With more than one applicable policy, prefer * the earliest configured policy, * client-IP over QNAME over IP over NSDNAME over NSIP, * the longest prefix * the lexically smallest address. * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. * We can compare new and current p_name because * both are of the same type and in the same zone. * The tests above eliminate other reasons to * reject this policy. If this policy can't work, * then neither can later zones. */ if (st->m.policy != DNS_RPZ_POLICY_MISS && rpz->num == st->m.rpz->num && (st->m.type == rpz_type && st->m.prefix == prefix && 0 > dns_name_rdatacompare(st->p_name, p_name))) { break; } /* * Stop checking after saving an enabled hit in this * policy zone. The radix tree in the policy zone * ensures that we found the longest match. */ if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip: " "rpz_save_p"); rpz_save_p(st, rpz, rpz_type, policy, p_name, prefix, result, &p_zone, &p_db, &p_node, p_rdatasetp, p_version); break; } /* * Log DNS_RPZ_POLICY_DISABLED zones * and try the next eligible policy zone. */ rpz_log_rewrite(client, true, policy, rpz_type, p_zone, p_name, NULL, rpz_num); } } rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); return (ISC_R_SUCCESS); } /* * Check the IP addresses in the A or AAAA rrsets for name against * all eligible rpz_type (IP or NSIP) response policy rewrite rules. */ static isc_result_t rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, dns_rdatatype_t ip_type, dns_db_t **ip_dbp, dns_dbversion_t *ip_version, dns_rdataset_t **ip_rdatasetp, dns_rdataset_t **p_rdatasetp, bool resuming) { dns_rpz_zbits_t zbits; isc_netaddr_t netaddr; struct in_addr ina; struct in6_addr in6a; isc_result_t result; unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK; bool done = false; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); do { zbits = rpz_get_zbits(client, ip_type, rpz_type); if (zbits == 0) { return (ISC_R_SUCCESS); } /* * Get the A or AAAA rdataset. */ result = rpz_rrset_find(client, name, ip_type, options, rpz_type, ip_dbp, ip_version, ip_rdatasetp, resuming); switch (result) { case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: break; case DNS_R_EMPTYNAME: case DNS_R_EMPTYWILD: case DNS_R_NXDOMAIN: case DNS_R_NCACHENXDOMAIN: case DNS_R_NXRRSET: case DNS_R_NCACHENXRRSET: case ISC_R_NOTFOUND: return (ISC_R_SUCCESS); case DNS_R_DELEGATION: case DNS_R_DUPLICATE: case DNS_R_DROP: return (result); case DNS_R_CNAME: case DNS_R_DNAME: rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, "NS address rewrite rrset", result); return (ISC_R_SUCCESS); default: if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, rpz_type, "NS address rewrite rrset", result); } CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip_rrset: unexpected " "result"); return (DNS_R_SERVFAIL); } /* * If we are processing glue setup for the next loop * otherwise we are done. */ if (result == DNS_R_GLUE) { options = client->query.dboptions; } else { options = client->query.dboptions | DNS_DBFIND_GLUEOK; done = true; } /* * Check all of the IP addresses in the rdataset. */ for (result = dns_rdataset_first(*ip_rdatasetp); result == ISC_R_SUCCESS; result = dns_rdataset_next(*ip_rdatasetp)) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(*ip_rdatasetp, &rdata); switch (rdata.type) { case dns_rdatatype_a: INSIST(rdata.length == 4); memmove(&ina.s_addr, rdata.data, 4); isc_netaddr_fromin(&netaddr, &ina); break; case dns_rdatatype_aaaa: INSIST(rdata.length == 16); memmove(in6a.s6_addr, rdata.data, 16); isc_netaddr_fromin6(&netaddr, &in6a); break; default: continue; } result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, zbits, p_rdatasetp); if (result != ISC_R_SUCCESS) { return (result); } } } while (!done && client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS); return (ISC_R_SUCCESS); } /* * Look for IP addresses in A and AAAA rdatasets * that trigger all eligible IP or NSIP policy rules. */ static isc_result_t rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, dns_rdataset_t **ip_rdatasetp, bool resuming) { dns_rpz_st_t *st; dns_dbversion_t *ip_version; dns_db_t *ip_db; dns_rdataset_t *p_rdataset; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrsets"); st = client->query.rpz_st; ip_version = NULL; ip_db = NULL; p_rdataset = NULL; if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && (qtype == dns_rdatatype_a || qtype == dns_rdatatype_any || rpz_type == DNS_RPZ_TYPE_NSIP)) { /* * Rewrite based on an IPv4 address that will appear * in the ANSWER section or if we are checking IP addresses. */ result = rpz_rewrite_ip_rrset( client, name, qtype, rpz_type, dns_rdatatype_a, &ip_db, ip_version, ip_rdatasetp, &p_rdataset, resuming); if (result == ISC_R_SUCCESS) { st->state |= DNS_RPZ_DONE_IPv4; } } else { result = ISC_R_SUCCESS; } if (result == ISC_R_SUCCESS && (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_any || rpz_type == DNS_RPZ_TYPE_NSIP)) { /* * Rewrite based on IPv6 addresses that will appear * in the ANSWER section or if we are checking IP addresses. */ result = rpz_rewrite_ip_rrset(client, name, qtype, rpz_type, dns_rdatatype_aaaa, &ip_db, ip_version, ip_rdatasetp, &p_rdataset, resuming); } if (ip_db != NULL) { dns_db_detach(&ip_db); } ns_client_putrdataset(client, &p_rdataset); return (result); } /* * Try to rewrite a request for a qtype rdataset based on the trigger name * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). * Record the results including the replacement rdataset if any * in client->query.rpz_st. * *rdatasetp is a scratch rdataset. */ static isc_result_t rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, dns_rpz_zbits_t allowed_zbits, bool recursed, dns_rdataset_t **rdatasetp) { dns_rpz_zones_t *rpzs; dns_rpz_zone_t *rpz; dns_rpz_st_t *st; dns_fixedname_t p_namef; dns_name_t *p_name; dns_rpz_zbits_t zbits; dns_rpz_num_t rpz_num; dns_zone_t *p_zone; dns_db_t *p_db; dns_dbversion_t *p_version; dns_dbnode_t *p_node; dns_rpz_policy_t policy; isc_result_t result; #ifndef USE_DNSRPS UNUSED(recursed); #endif /* ifndef USE_DNSRPS */ CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name"); rpzs = client->view->rpzs; st = client->query.rpz_st; #ifdef USE_DNSRPS if (st->popt.dnsrps_enabled) { return (dnsrps_rewrite_name(client, trig_name, recursed, rpz_type, rdatasetp)); } #endif /* ifdef USE_DNSRPS */ zbits = rpz_get_zbits(client, qtype, rpz_type); zbits &= allowed_zbits; if (zbits == 0) { return (ISC_R_SUCCESS); } /* * Use the summary database to find the bit mask of policy zones * with policies for this trigger name. We do this even if there * is only one eligible policy zone so that wildcard triggers * are matched correctly, and not into their parent. */ zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name); if (zbits == 0) { return (ISC_R_SUCCESS); } p_name = dns_fixedname_initname(&p_namef); p_zone = NULL; p_db = NULL; p_node = NULL; /* * Check the trigger name in every policy zone that the summary data * says has a hit for the trigger name. * Most of the time there are no eligible zones and the summary data * keeps us from getting this far. * We check the most eligible zone first and so usually check only * one policy zone. */ for (rpz_num = 0; zbits != 0; ++rpz_num, zbits >>= 1) { if ((zbits & 1) == 0) { continue; } /* * Do not check policy zones that cannot replace a previously * found policy. */ rpz = rpzs->zones[rpz_num]; if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.rpz->num < rpz->num) { break; } if (st->m.rpz->num == rpz->num && st->m.type < rpz_type) { break; } } /* * Get the next policy zone's record for this trigger name. */ result = rpz_get_p_name(client, p_name, rpz, rpz_type, trig_name); if (result != ISC_R_SUCCESS) { continue; } result = rpz_find_p(client, trig_name, qtype, p_name, rpz, rpz_type, &p_zone, &p_db, &p_version, &p_node, rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: /* * Continue after a missing policy record * contrary to the summary data. The summary * data can out of date during races with and among * policy zone updates. */ CTRACE(ISC_LOG_ERROR, "rpz_rewrite_name: mismatched " "summary data; " "continuing"); continue; case DNS_R_SERVFAIL: rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); default: /* * With more than one applicable policy, prefer * the earliest configured policy, * client-IP over QNAME over IP over NSDNAME over NSIP, * and the smallest name. * We known st->m.rpz->num >= rpz->num and either * st->m.rpz->num > rpz->num or st->m.type >= rpz_type */ if (st->m.policy != DNS_RPZ_POLICY_MISS && rpz->num == st->m.rpz->num && (st->m.type < rpz_type || (st->m.type == rpz_type && 0 >= dns_name_compare(p_name, st->p_name)))) { continue; } if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name: " "rpz_save_p"); rpz_save_p(st, rpz, rpz_type, policy, p_name, 0, result, &p_zone, &p_db, &p_node, rdatasetp, p_version); /* * After a hit, higher numbered policy zones * are irrelevant */ rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); return (ISC_R_SUCCESS); } /* * Log DNS_RPZ_POLICY_DISABLED zones * and try the next eligible policy zone. */ rpz_log_rewrite(client, true, policy, rpz_type, p_zone, p_name, NULL, rpz_num); break; } } rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); return (ISC_R_SUCCESS); } static void rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname, isc_result_t result, int level, const char *str) { dns_rpz_st_t *st; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ns_skip"); st = client->query.rpz_st; if (str != NULL) { rpz_log_fail_helper(client, level, nsname, DNS_RPZ_TYPE_NSIP, DNS_RPZ_TYPE_NSDNAME, str, result); } if (st->r.ns_rdataset != NULL && dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_rdataset_disassociate(st->r.ns_rdataset); } st->r.label--; } /* * RPZ query result types */ typedef enum { qresult_type_done = 0, qresult_type_restart = 1, qresult_type_recurse = 2 } qresult_type_t; /* * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting. */ static isc_result_t rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, bool resuming, dns_rdataset_t *ordataset, dns_rdataset_t *osigset) { dns_rpz_zones_t *rpzs; dns_rpz_st_t *st; dns_rdataset_t *rdataset; dns_fixedname_t nsnamef; dns_name_t *nsname; qresult_type_t qresult_type; dns_rpz_zbits_t zbits; isc_result_t result = ISC_R_SUCCESS; dns_rpz_have_t have; dns_rpz_popt_t popt; int rpz_ver; unsigned int options; #ifdef USE_DNSRPS librpz_emsg_t emsg; #endif /* ifdef USE_DNSRPS */ CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite"); rpzs = client->view->rpzs; st = client->query.rpz_st; if (rpzs == NULL) { return (ISC_R_NOTFOUND); } if (st != NULL && (st->state & DNS_RPZ_REWRITTEN) != 0) { return (DNS_R_DISALLOWED); } if (RECURSING(client)) { return (DNS_R_DISALLOWED); } RWLOCK(&rpzs->search_lock, isc_rwlocktype_read); if ((rpzs->p.num_zones == 0 && !rpzs->p.dnsrps_enabled) || (!RECURSIONOK(client) && rpzs->p.no_rd_ok == 0) || !rpz_ck_dnssec(client, qresult, ordataset, osigset)) { RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); return (DNS_R_DISALLOWED); } have = rpzs->have; popt = rpzs->p; rpz_ver = rpzs->rpz_ver; RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); #ifndef USE_DNSRPS INSIST(!popt.dnsrps_enabled); #endif /* ifndef USE_DNSRPS */ if (st == NULL) { st = isc_mem_get(client->mctx, sizeof(*st)); st->state = 0; st->rpsdb = NULL; } if (st->state == 0) { st->state |= DNS_RPZ_ACTIVE; memset(&st->m, 0, sizeof(st->m)); st->m.type = DNS_RPZ_TYPE_BAD; st->m.policy = DNS_RPZ_POLICY_MISS; st->m.ttl = ~0; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); st->p_name = dns_fixedname_initname(&st->_p_namef); st->r_name = dns_fixedname_initname(&st->_r_namef); st->fname = dns_fixedname_initname(&st->_fnamef); st->have = have; st->popt = popt; st->rpz_ver = rpz_ver; client->query.rpz_st = st; #ifdef USE_DNSRPS if (popt.dnsrps_enabled) { if (st->rpsdb != NULL) { dns_db_detach(&st->rpsdb); } result = dns_dnsrps_rewrite_init( &emsg, st, rpzs, client->query.qname, client->mctx, RECURSIONOK(client)); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, DNS_RPZ_TYPE_QNAME, emsg.c, result); st->m.policy = DNS_RPZ_POLICY_ERROR; return (ISC_R_SUCCESS); } } #endif /* ifdef USE_DNSRPS */ } /* * There is nothing to rewrite if the main query failed. */ switch (qresult) { case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: qresult_type = qresult_type_done; break; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: case DNS_R_NXDOMAIN: case DNS_R_EMPTYWILD: case DNS_R_NCACHENXDOMAIN: case DNS_R_NCACHENXRRSET: case DNS_R_COVERINGNSEC: case DNS_R_CNAME: case DNS_R_DNAME: qresult_type = qresult_type_restart; break; case DNS_R_DELEGATION: case ISC_R_NOTFOUND: /* * If recursion is on, do only tentative rewriting. * If recursion is off, this the normal and only time we * can rewrite. */ if (RECURSIONOK(client)) { qresult_type = qresult_type_recurse; } else { qresult_type = qresult_type_restart; } break; case ISC_R_FAILURE: case ISC_R_TIMEDOUT: case DNS_R_BROKENCHAIN: rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL, DNS_RPZ_TYPE_QNAME, "stop on qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); default: rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, NULL, DNS_RPZ_TYPE_QNAME, "stop on unrecognized qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); } rdataset = NULL; if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) != (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) { isc_netaddr_t netaddr; dns_rpz_zbits_t allowed; if (!st->popt.dnsrps_enabled && qresult_type == qresult_type_recurse) { /* * This request needs recursion that has not been done. * Get bits for the policy zones that do not need * to wait for the results of recursion. */ allowed = st->have.qname_skip_recurse; if (allowed == 0) { return (ISC_R_SUCCESS); } } else { allowed = DNS_RPZ_ALL_ZBITS; } /* * Check once for triggers for the client IP address. */ if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { zbits = rpz_get_zbits(client, dns_rdatatype_none, DNS_RPZ_TYPE_CLIENT_IP); zbits &= allowed; if (zbits != 0) { isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); result = rpz_rewrite_ip(client, &netaddr, qtype, DNS_RPZ_TYPE_CLIENT_IP, zbits, &rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } } } /* * Check triggers for the query name if this is the first time * for the current qname. * There is a first time for each name in a CNAME chain */ if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { bool norec = (qresult_type != qresult_type_recurse); result = rpz_rewrite_name(client, client->query.qname, qtype, DNS_RPZ_TYPE_QNAME, allowed, norec, &rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } /* * Check IPv4 addresses in A RRs next. * Reset to the start of the NS names. */ st->r.label = dns_name_countlabels(client->query.qname); st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); } /* * Quit if this was an attempt to find a qname or * client-IP trigger before recursion. * We will be back if no pre-recursion triggers hit. * For example, consider 2 policy zones, both with qname and * IP address triggers. If the qname misses the 1st zone, * then we cannot know whether a hit for the qname in the * 2nd zone matters until after recursing to get the A RRs and * testing them in the first zone. * Do not bother saving the work from this attempt, * because recursion is so slow. */ if (qresult_type == qresult_type_recurse) { goto cleanup; } /* * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP * is reset at the end of dealing with each CNAME. */ st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME); } /* * Check known IP addresses for the query name if the database lookup * resulted in some addresses (qresult_type == qresult_type_done) * and if we have not already checked them. * Any recursion required for the query has already happened. * Do not check addresses that will not be in the ANSWER section. */ if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && qresult_type == qresult_type_done && rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) { result = rpz_rewrite_ip_rrsets(client, client->query.qname, qtype, DNS_RPZ_TYPE_IP, &rdataset, resuming); if (result != ISC_R_SUCCESS) { goto cleanup; } /* * We are finished checking the IP addresses for the qname. * Start with IPv4 if we will check NS IP addresses. */ st->state |= DNS_RPZ_DONE_QNAME_IP; st->state &= ~DNS_RPZ_DONE_IPv4; } /* * Stop looking for rules if there are none of the other kinds * that could override what we already have. */ if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) == 0 && rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSIP) == 0) { result = ISC_R_SUCCESS; goto cleanup; } dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); options = client->query.dboptions | DNS_DBFIND_GLUEOK; while (st->r.label > st->popt.min_ns_labels) { bool was_glue = false; /* * Get NS rrset for each domain in the current qname. */ if (st->r.label == dns_name_countlabels(client->query.qname)) { nsname = client->query.qname; } else { nsname = dns_fixedname_name(&nsnamef); dns_name_split(client->query.qname, st->r.label, NULL, nsname); } if (st->r.ns_rdataset == NULL || !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; result = rpz_rrset_find(client, nsname, dns_rdatatype_ns, options, DNS_RPZ_TYPE_NSDNAME, &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) { dns_db_detach(&db); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { goto cleanup; } switch (result) { case DNS_R_GLUE: was_glue = true; FALLTHROUGH; case ISC_R_SUCCESS: result = dns_rdataset_first(st->r.ns_rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } st->state &= ~(DNS_RPZ_DONE_NSDNAME | DNS_RPZ_DONE_IPv4); break; case DNS_R_DELEGATION: case DNS_R_DUPLICATE: case DNS_R_DROP: goto cleanup; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: case DNS_R_EMPTYWILD: case DNS_R_NXDOMAIN: case DNS_R_NCACHENXDOMAIN: case DNS_R_NCACHENXRRSET: case ISC_R_NOTFOUND: case DNS_R_CNAME: case DNS_R_DNAME: rpz_rewrite_ns_skip(client, nsname, result, 0, NULL); continue; case ISC_R_TIMEDOUT: case DNS_R_BROKENCHAIN: case ISC_R_FAILURE: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_DEBUG_LEVEL3, " NS rpz_rrset_find()"); continue; default: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_INFO_LEVEL, " unrecognized NS" " rpz_rrset_find()"); continue; } } /* * Check all NS names. */ do { dns_rdata_ns_t ns; dns_rdata_t nsrdata = DNS_RDATA_INIT; dns_rdataset_current(st->r.ns_rdataset, &nsrdata); result = dns_rdata_tostruct(&nsrdata, &ns, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&nsrdata); /* * Do nothing about "NS ." */ if (dns_name_equal(&ns.name, dns_rootname)) { dns_rdata_freestruct(&ns); result = dns_rdataset_next(st->r.ns_rdataset); continue; } /* * Check this NS name if we did not handle it * during a previous recursion. */ if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { result = rpz_rewrite_name( client, &ns.name, qtype, DNS_RPZ_TYPE_NSDNAME, DNS_RPZ_ALL_ZBITS, true, &rdataset); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&ns); goto cleanup; } st->state |= DNS_RPZ_DONE_NSDNAME; } /* * Check all IP addresses for this NS name. */ result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, DNS_RPZ_TYPE_NSIP, &rdataset, resuming); dns_rdata_freestruct(&ns); if (result != ISC_R_SUCCESS) { goto cleanup; } st->state &= ~(DNS_RPZ_DONE_NSDNAME | DNS_RPZ_DONE_IPv4); result = dns_rdataset_next(st->r.ns_rdataset); } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); /* * If we just checked a glue NS RRset retry without allowing * glue responses, otherwise setup for the next name. */ if (was_glue) { options = client->query.dboptions; } else { options = client->query.dboptions | DNS_DBFIND_GLUEOK; st->r.label--; } if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) == 0 && rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSIP) == 0) { break; } } /* * Use the best hit, if any. */ result = ISC_R_SUCCESS; cleanup: #ifdef USE_DNSRPS if (st->popt.dnsrps_enabled && st->m.policy != DNS_RPZ_POLICY_ERROR && !dnsrps_set_p(&emsg, client, st, qtype, &rdataset, (qresult_type != qresult_type_recurse))) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, DNS_RPZ_TYPE_BAD, emsg.c, DNS_R_SERVFAIL); st->m.policy = DNS_RPZ_POLICY_ERROR; } #endif /* ifdef USE_DNSRPS */ if (st->m.policy != DNS_RPZ_POLICY_MISS && st->m.policy != DNS_RPZ_POLICY_ERROR && st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN) { st->m.policy = st->m.rpz->policy; } if (st->m.policy == DNS_RPZ_POLICY_MISS || st->m.policy == DNS_RPZ_POLICY_PASSTHRU || st->m.policy == DNS_RPZ_POLICY_ERROR) { if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && result != DNS_R_DELEGATION) { rpz_log_rewrite(client, false, st->m.policy, st->m.type, st->m.zone, st->p_name, NULL, st->m.rpz->num); } rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy"); st->m.type = DNS_RPZ_TYPE_BAD; result = DNS_R_SERVFAIL; } ns_client_putrdataset(client, &rdataset); if ((st->state & DNS_RPZ_RECURSING) == 0) { rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset); } return (result); } /* * See if response policy zone rewriting is allowed by a lack of interest * by the client in DNSSEC or a lack of signatures. */ static bool rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_fixedname_t fixed; dns_name_t *found; dns_rdataset_t trdataset; dns_rdatatype_t type; isc_result_t result; CTRACE(ISC_LOG_DEBUG(3), "rpz_ck_dnssec"); if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) { return (true); } /* * We do not know if there are signatures if we have not recursed * for them. */ if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) { return (false); } if (sigrdataset == NULL) { return (true); } if (dns_rdataset_isassociated(sigrdataset)) { return (false); } /* * We are happy to rewrite nothing. */ if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) { return (true); } /* * Do not rewrite if there is any sign of signatures. */ if (rdataset->type == dns_rdatatype_nsec || rdataset->type == dns_rdatatype_nsec3 || rdataset->type == dns_rdatatype_rrsig) { return (false); } /* * Look for a signature in a negative cache rdataset. */ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) { return (true); } found = dns_fixedname_initname(&fixed); dns_rdataset_init(&trdataset); for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || type == dns_rdatatype_rrsig) { return (false); } } return (true); } /* * Extract a network address from the RDATA of an A or AAAA * record. * * Returns: * ISC_R_SUCCESS * ISC_R_NOTIMPLEMENTED The rdata is not a known address type. */ static isc_result_t rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { struct in_addr ina; struct in6_addr in6a; switch (rdata->type) { case dns_rdatatype_a: INSIST(rdata->length == 4); memmove(&ina.s_addr, rdata->data, 4); isc_netaddr_fromin(netaddr, &ina); return (ISC_R_SUCCESS); case dns_rdatatype_aaaa: INSIST(rdata->length == 16); memmove(in6a.s6_addr, rdata->data, 16); isc_netaddr_fromin6(netaddr, &in6a); return (ISC_R_SUCCESS); default: return (ISC_R_NOTIMPLEMENTED); } } static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 }; static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 }; static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 }; static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA"; static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA"; static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA"; static dns_name_t rfc1918names[] = { DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets), DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets), DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets) }; static unsigned char prisoner_data[] = "\010prisoner\004iana\003org"; static unsigned char hostmaster_data[] = "\012hostmaster\014root-" "servers\003org"; static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 }; static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 }; static dns_name_t const prisoner = DNS_NAME_INITABSOLUTE(prisoner_data, prisoner_offsets); static dns_name_t const hostmaster = DNS_NAME_INITABSOLUTE(hostmaster_data, hostmaster_offsets); static void warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { unsigned int i; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_soa_t soa; dns_rdataset_t found; isc_result_t result; for (i = 0; i < (sizeof(rfc1918names) / sizeof(*rfc1918names)); i++) { if (dns_name_issubdomain(fname, &rfc1918names[i])) { dns_rdataset_init(&found); result = dns_ncache_getrdataset( rdataset, &rfc1918names[i], dns_rdatatype_soa, &found); if (result != ISC_R_SUCCESS) { return; } result = dns_rdataset_first(&found); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(&found, &rdata); result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dns_name_equal(&soa.origin, &prisoner) && dns_name_equal(&soa.contact, &hostmaster)) { char buf[DNS_NAME_FORMATSIZE]; dns_name_format(fname, buf, sizeof(buf)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "RFC 1918 response from " "Internet for %s", buf); } dns_rdataset_disassociate(&found); return; } } } static void query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_dbversion_t *version, ns_client_t *client, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_name_t *fname, bool exact, dns_name_t *found) { unsigned char salt[256]; size_t salt_length; uint16_t iterations; isc_result_t result; unsigned int dboptions; dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; bool optout; dns_clientinfomethods_t cm; dns_clientinfo_t ci; salt_length = sizeof(salt); result = dns_db_getnsec3parameters(db, version, &hash, NULL, &iterations, salt, &salt_length); if (result != ISC_R_SUCCESS) { return; } dns_name_init(&name, NULL); dns_name_clone(qname, &name); labels = dns_name_countlabels(&name); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Map unknown algorithm to known value. */ if (hash == DNS_NSEC3_UNKNOWNALG) { hash = 1; } again: dns_fixedname_init(&fixed); result = dns_nsec3_hashname(&fixed, NULL, NULL, &name, dns_db_origin(db), hash, iterations, salt, salt_length); if (result != ISC_R_SUCCESS) { return; } dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3; result = dns_db_findext(db, dns_fixedname_name(&fixed), version, dns_rdatatype_nsec3, dboptions, client->now, NULL, fname, &cm, &ci, rdataset, sigrdataset); if (result == DNS_R_NXDOMAIN) { if (!dns_rdataset_isassociated(rdataset)) { return; } result = dns_rdataset_first(rdataset); INSIST(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &nsec3, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); optout = ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && dns_name_issubdomain(&name, dns_db_origin(db))) { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } skip++; dns_name_getlabelsequence(qname, skip, labels - skip, &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); goto again; } if (exact) { ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected a exact match NSEC3, got " "a covering record"); } } else if (result != ISC_R_SUCCESS) { return; } else if (!exact) { ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); } if (found == qname) { if (skip != 0U) { dns_name_getlabelsequence(qname, skip, labels - skip, found); } } else if (found != NULL) { dns_name_copynf(&name, found); } return; } static uint32_t dns64_ttl(dns_db_t *db, dns_dbversion_t *version) { dns_dbnode_t *node = NULL; dns_rdata_soa_t soa; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; isc_result_t result; uint32_t ttl = UINT32_MAX; dns_rdataset_init(&rdataset); result = dns_db_getoriginnode(db, &node); if (result != ISC_R_SUCCESS) { goto cleanup; } result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, 0, 0, &rdataset, NULL); if (result != ISC_R_SUCCESS) { goto cleanup; } result = dns_rdataset_first(&rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); ttl = ISC_MIN(rdataset.ttl, soa.minimum); cleanup: if (dns_rdataset_isassociated(&rdataset)) { dns_rdataset_disassociate(&rdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } return (ttl); } static bool dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_netaddr_t netaddr; dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64); unsigned int flags = 0; unsigned int i, count; bool *aaaaok; INSIST(client->query.dns64_aaaaok == NULL); INSIST(client->query.dns64_aaaaoklen == 0); INSIST(client->query.dns64_aaaa == NULL); INSIST(client->query.dns64_sigaaaa == NULL); if (dns64 == NULL) { return (true); } if (RECURSIONOK(client)) { flags |= DNS_DNS64_RECURSIVE; } if (WANTDNSSEC(client) && sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { flags |= DNS_DNS64_DNSSEC; } count = dns_rdataset_count(rdataset); aaaaok = isc_mem_get(client->mctx, sizeof(bool) * count); isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); if (dns_dns64_aaaaok(dns64, &netaddr, client->signer, env, flags, rdataset, aaaaok, count)) { for (i = 0; i < count; i++) { if (aaaaok != NULL && !aaaaok[i]) { SAVE(client->query.dns64_aaaaok, aaaaok); client->query.dns64_aaaaoklen = count; break; } } if (aaaaok != NULL) { isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count); } return (true); } if (aaaaok != NULL) { isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count); } return (false); } /* * Look for the name and type in the redirection zone. If found update * the arguments as appropriate. Return true if a update was * performed. * * Only perform the update if the client is in the allow query acl and * returning the update would not cause a DNSSEC validation failure. */ static isc_result_t redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_rdatatype_t qtype) { dns_db_t *db = NULL; dns_dbnode_t *node = NULL; dns_fixedname_t fixed; dns_name_t *found; dns_rdataset_t trdataset; isc_result_t result; dns_rdatatype_t type; dns_clientinfomethods_t cm; dns_clientinfo_t ci; ns_dbversion_t *dbversion; CTRACE(ISC_LOG_DEBUG(3), "redirect"); if (client->view->redirect == NULL) { return (ISC_R_NOTFOUND); } found = dns_fixedname_initname(&fixed); dns_rdataset_init(&trdataset); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, &client->ecs, NULL); if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) { return (ISC_R_NOTFOUND); } if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { if (rdataset->trust == dns_trust_secure) { return (ISC_R_NOTFOUND); } if (rdataset->trust == dns_trust_ultimate && (rdataset->type == dns_rdatatype_nsec || rdataset->type == dns_rdatatype_nsec3)) { return (ISC_R_NOTFOUND); } if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || type == dns_rdatatype_rrsig) { return (ISC_R_NOTFOUND); } } } } result = ns_client_checkaclsilent( client, NULL, dns_zone_getqueryacl(client->view->redirect), true); if (result != ISC_R_SUCCESS) { return (ISC_R_NOTFOUND); } result = dns_zone_getdb(client->view->redirect, &db); if (result != ISC_R_SUCCESS) { return (ISC_R_NOTFOUND); } dbversion = ns_client_findversion(client, db); if (dbversion == NULL) { dns_db_detach(&db); return (ISC_R_NOTFOUND); } /* * Lookup the requested data in the redirect zone. */ result = dns_db_findext(db, client->query.qname, dbversion->version, qtype, DNS_DBFIND_NOZONECUT, client->now, &node, found, &cm, &ci, &trdataset, NULL); if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); } goto nxrrset; } else if (result != ISC_R_SUCCESS) { if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); return (ISC_R_NOTFOUND); } CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done"); dns_name_copynf(found, name); if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_clone(&trdataset, rdataset); dns_rdataset_disassociate(&trdataset); } nxrrset: if (*nodep != NULL) { dns_db_detachnode(*dbp, nodep); } dns_db_detach(dbp); dns_db_attachnode(db, node, nodep); dns_db_attach(db, dbp); dns_db_detachnode(db, &node); dns_db_detach(&db); *versionp = dbversion->version; client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); return (result); } static isc_result_t redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_rdatatype_t qtype, bool *is_zonep) { dns_db_t *db = NULL; dns_dbnode_t *node = NULL; dns_fixedname_t fixed; dns_fixedname_t fixedredirect; dns_name_t *found, *redirectname; dns_rdataset_t trdataset; isc_result_t result; dns_rdatatype_t type; dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_dbversion_t *version = NULL; dns_zone_t *zone = NULL; bool is_zone; unsigned int labels; unsigned int options; CTRACE(ISC_LOG_DEBUG(3), "redirect2"); if (client->view->redirectzone == NULL) { return (ISC_R_NOTFOUND); } if (dns_name_issubdomain(name, client->view->redirectzone)) { return (ISC_R_NOTFOUND); } found = dns_fixedname_initname(&fixed); dns_rdataset_init(&trdataset); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, &client->ecs, NULL); if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) { return (ISC_R_NOTFOUND); } if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { if (rdataset->trust == dns_trust_secure) { return (ISC_R_NOTFOUND); } if (rdataset->trust == dns_trust_ultimate && (rdataset->type == dns_rdatatype_nsec || rdataset->type == dns_rdatatype_nsec3)) { return (ISC_R_NOTFOUND); } if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || type == dns_rdatatype_rrsig) { return (ISC_R_NOTFOUND); } } } } redirectname = dns_fixedname_initname(&fixedredirect); labels = dns_name_countlabels(client->query.qname); if (labels > 1U) { dns_name_t prefix; dns_name_init(&prefix, NULL); dns_name_getlabelsequence(client->query.qname, 0, labels - 1, &prefix); result = dns_name_concatenate(&prefix, client->view->redirectzone, redirectname, NULL); if (result != ISC_R_SUCCESS) { return (ISC_R_NOTFOUND); } } else { dns_name_copynf(redirectname, client->view->redirectzone); } options = 0; result = query_getdb(client, redirectname, qtype, options, &zone, &db, &version, &is_zone); if (result != ISC_R_SUCCESS) { return (ISC_R_NOTFOUND); } if (zone != NULL) { dns_zone_detach(&zone); } /* * Lookup the requested data in the redirect zone. */ result = dns_db_findext(db, redirectname, version, qtype, 0, client->now, &node, found, &cm, &ci, &trdataset, NULL); if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); } goto nxrrset; } else if (result == ISC_R_NOTFOUND || result == DNS_R_DELEGATION) { /* * Cleanup. */ if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); /* * Don't loop forever if the lookup failed last time. */ if (!REDIRECT(client)) { result = ns_query_recurse(client, qtype, redirectname, NULL, NULL, true); if (result == ISC_R_SUCCESS) { client->query.attributes |= NS_QUERYATTR_RECURSING; client->query.attributes |= NS_QUERYATTR_REDIRECT; return (DNS_R_CONTINUE); } } return (ISC_R_NOTFOUND); } else if (result != ISC_R_SUCCESS) { if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); return (ISC_R_NOTFOUND); } CTRACE(ISC_LOG_DEBUG(3), "redirect2: found data: done"); /* * Adjust the found name to not include the redirectzone suffix. */ dns_name_split(found, dns_name_countlabels(client->view->redirectzone), found, NULL); /* * Make the name absolute. */ result = dns_name_concatenate(found, dns_rootname, found, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_name_copynf(found, name); if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_clone(&trdataset, rdataset); dns_rdataset_disassociate(&trdataset); } nxrrset: if (*nodep != NULL) { dns_db_detachnode(*dbp, nodep); } dns_db_detach(dbp); dns_db_attachnode(db, node, nodep); dns_db_attach(db, dbp); dns_db_detachnode(db, &node); dns_db_detach(&db); *is_zonep = is_zone; *versionp = version; client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); return (result); } /*% * Initialize query context 'qctx'. Run by query_setup() when * first handling a client query, and by query_resume() when * returning from recursion. * * Whenever this function is called, qctx_destroy() must be called * when leaving the scope or freeing the qctx. */ static void qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype, query_ctx_t *qctx) { REQUIRE(qctx != NULL); REQUIRE(client != NULL); memset(qctx, 0, sizeof(*qctx)); /* Set this first so CCTRACE will work */ qctx->client = client; dns_view_attach(client->view, &qctx->view); CCTRACE(ISC_LOG_DEBUG(3), "qctx_init"); if (eventp != NULL) { qctx->event = *eventp; *eventp = NULL; } else { qctx->event = NULL; } qctx->qtype = qctx->type = qtype; qctx->result = ISC_R_SUCCESS; qctx->findcoveringnsec = qctx->view->synthfromdnssec; /* * If it's an RRSIG or SIG query, we'll iterate the node. */ if (qctx->qtype == dns_rdatatype_rrsig || qctx->qtype == dns_rdatatype_sig) { qctx->type = dns_rdatatype_any; } CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx); } /* * Make 'dst' and exact copy of 'src', with exception of the * option field, which is reset to zero. * This function also attaches dst's view and db to the src's * view and cachedb. */ static void qctx_copy(const query_ctx_t *qctx, query_ctx_t *dst) { REQUIRE(qctx != NULL); REQUIRE(dst != NULL); memmove(dst, qctx, sizeof(*dst)); dst->view = NULL; dst->db = NULL; dst->options = 0; dns_view_attach(qctx->view, &dst->view); dns_db_attach(qctx->view->cachedb, &dst->db); CCTRACE(ISC_LOG_DEBUG(3), "qctx_copy"); } /*% * Clean up and disassociate the rdataset and node pointers in qctx. */ static void qctx_clean(query_ctx_t *qctx) { if (qctx->rdataset != NULL && dns_rdataset_isassociated(qctx->rdataset)) { dns_rdataset_disassociate(qctx->rdataset); } if (qctx->sigrdataset != NULL && dns_rdataset_isassociated(qctx->sigrdataset)) { dns_rdataset_disassociate(qctx->sigrdataset); } if (qctx->db != NULL && qctx->node != NULL) { dns_db_detachnode(qctx->db, &qctx->node); } } /*% * Free any allocated memory associated with qctx. */ static void qctx_freedata(query_ctx_t *qctx) { if (qctx->rdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->rdataset); } if (qctx->sigrdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->sigrdataset); } if (qctx->fname != NULL) { ns_client_releasename(qctx->client, &qctx->fname); } if (qctx->db != NULL) { INSIST(qctx->node == NULL); dns_db_detach(&qctx->db); } if (qctx->zone != NULL) { dns_zone_detach(&qctx->zone); } if (qctx->zdb != NULL) { ns_client_putrdataset(qctx->client, &qctx->zsigrdataset); ns_client_putrdataset(qctx->client, &qctx->zrdataset); ns_client_releasename(qctx->client, &qctx->zfname); dns_db_detachnode(qctx->zdb, &qctx->znode); dns_db_detach(&qctx->zdb); } if (qctx->event != NULL && !qctx->client->nodetach) { free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event), &qctx->event); } } static void qctx_destroy(query_ctx_t *qctx) { CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx); dns_view_detach(&qctx->view); } /*% * Log detailed information about the query immediately after * the client request or a return from recursion. */ static void query_trace(query_ctx_t *qctx) { #ifdef WANT_QUERYTRACE char mbuf[2 * DNS_NAME_FORMATSIZE]; char qbuf[DNS_NAME_FORMATSIZE]; if (qctx->client->query.origqname != NULL) { dns_name_format(qctx->client->query.origqname, qbuf, sizeof(qbuf)); } else { snprintf(qbuf, sizeof(qbuf), ""); } snprintf(mbuf, sizeof(mbuf) - 1, "client attr:0x%x, query attr:0x%X, restarts:%u, " "origqname:%s, timer:%d, authdb:%d, referral:%d", qctx->client->attributes, qctx->client->query.attributes, qctx->client->query.restarts, qbuf, (int)qctx->client->query.timerset, (int)qctx->client->query.authdbset, (int)qctx->client->query.isreferral); CCTRACE(ISC_LOG_DEBUG(3), mbuf); #else /* ifdef WANT_QUERYTRACE */ UNUSED(qctx); #endif /* ifdef WANT_QUERYTRACE */ } /* * Set up query processing for the current query of 'client'. * Calls qctx_init() to initialize a query context, checks * the SERVFAIL cache, then hands off processing to ns__query_start(). * * This is called only from ns_query_start(), to begin a query * for the first time. Restarting an existing query (for * instance, to handle CNAME lookups), is done by calling * ns__query_start() again with the same query context. Resuming from * recursion is handled by query_resume(). */ static isc_result_t query_setup(ns_client_t *client, dns_rdatatype_t qtype) { isc_result_t result; query_ctx_t qctx; qctx_init(client, NULL, qtype, &qctx); query_trace(&qctx); CALL_HOOK(NS_QUERY_SETUP, &qctx); /* * Check SERVFAIL cache */ result = ns__query_sfcache(&qctx); if (result != ISC_R_COMPLETE) { qctx_destroy(&qctx); return (result); } result = ns__query_start(&qctx); cleanup: qctx_destroy(&qctx); return (result); } static bool get_root_key_sentinel_id(query_ctx_t *qctx, const char *ndata) { unsigned int v = 0; int i; for (i = 0; i < 5; i++) { if (!isdigit((unsigned char)ndata[i])) { return (false); } v *= 10; v += ndata[i] - '0'; } if (v > 65535U) { return (false); } qctx->client->query.root_key_sentinel_keyid = v; return (true); } /*% * Find out if the query is for a root key sentinel and if so, record the type * of root key sentinel query and the key id that is being checked for. * * The code is assuming a zero padded decimal field of width 5. */ static void root_key_sentinel_detect(query_ctx_t *qctx) { const char *ndata = (const char *)qctx->client->query.qname->ndata; if (qctx->client->query.qname->length > 30 && ndata[0] == 29 && strncasecmp(ndata + 1, "root-key-sentinel-is-ta-", 24) == 0) { if (!get_root_key_sentinel_id(qctx, ndata + 25)) { return; } qctx->client->query.root_key_sentinel_is_ta = true; /* * Simplify processing by disabling aggressive * negative caching. */ qctx->findcoveringnsec = false; ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "root-key-sentinel-is-ta query label found"); } else if (qctx->client->query.qname->length > 31 && ndata[0] == 30 && strncasecmp(ndata + 1, "root-key-sentinel-not-ta-", 25) == 0) { if (!get_root_key_sentinel_id(qctx, ndata + 26)) { return; } qctx->client->query.root_key_sentinel_not_ta = true; /* * Simplify processing by disabling aggressive * negative caching. */ qctx->findcoveringnsec = false; ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "root-key-sentinel-not-ta query label found"); } } /*% * Starting point for a client query or a chaining query. * * Called first by query_setup(), and then again as often as needed to * follow a CNAME chain. Determines which authoritative database to * search, then hands off processing to query_lookup(). */ isc_result_t ns__query_start(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start"); qctx->want_restart = false; qctx->authoritative = false; qctx->version = NULL; qctx->zversion = NULL; qctx->need_wildcardproof = false; qctx->rpz = false; CALL_HOOK(NS_QUERY_START_BEGIN, qctx); /* * If we require a server cookie then send back BADCOOKIE * before we have done too much work. */ if (!TCP(qctx->client) && qctx->view->requireservercookie && WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client)) { qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; qctx->client->message->rcode = dns_rcode_badcookie; return (ns_query_done(qctx)); } if (qctx->view->checknames && !dns_rdata_checkowner(qctx->client->query.qname, qctx->client->message->rdclass, qctx->qtype, false)) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; dns_name_format(qctx->client->query.qname, namebuf, sizeof(namebuf)); dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf)); dns_rdataclass_format(qctx->client->message->rdclass, classbuf, sizeof(classbuf)); ns_client_log(qctx->client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_ERROR, "check-names failure %s/%s/%s", namebuf, typebuf, classbuf); QUERY_ERROR(qctx, DNS_R_REFUSED); return (ns_query_done(qctx)); } /* * Setup for root key sentinel processing. */ if (qctx->view->root_key_sentinel && qctx->client->query.restarts == 0 && (qctx->qtype == dns_rdatatype_a || qctx->qtype == dns_rdatatype_aaaa) && (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0) { root_key_sentinel_detect(qctx); } /* * First we must find the right database. */ qctx->options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */ if (dns_rdatatype_atparent(qctx->qtype) && !dns_name_equal(qctx->client->query.qname, dns_rootname)) { /* * If authoritative data for this QTYPE is supposed to live in * the parent zone, do not look for an exact match for QNAME, * but rather for its containing zone (unless the QNAME is * root). */ qctx->options |= DNS_GETDB_NOEXACT; } result = query_getdb(qctx->client, qctx->client->query.qname, qctx->qtype, qctx->options, &qctx->zone, &qctx->db, &qctx->version, &qctx->is_zone); if (ISC_UNLIKELY((result != ISC_R_SUCCESS || !qctx->is_zone) && qctx->qtype == dns_rdatatype_ds && !RECURSIONOK(qctx->client) && (qctx->options & DNS_GETDB_NOEXACT) != 0)) { /* * This is a non-recursive QTYPE=DS query with QNAME whose * parent we are not authoritative for. Check whether we are * authoritative for QNAME, because if so, we need to send a * "no data" response as required by RFC 4035, section 3.1.4.1. */ dns_db_t *tdb = NULL; dns_zone_t *tzone = NULL; dns_dbversion_t *tversion = NULL; isc_result_t tresult; tresult = query_getzonedb( qctx->client, qctx->client->query.qname, qctx->qtype, DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion); if (tresult == ISC_R_SUCCESS) { /* * We are authoritative for QNAME. Attach the relevant * zone to query context, set result to ISC_R_SUCCESS. */ qctx->options &= ~DNS_GETDB_NOEXACT; ns_client_putrdataset(qctx->client, &qctx->rdataset); if (qctx->db != NULL) { dns_db_detach(&qctx->db); } if (qctx->zone != NULL) { dns_zone_detach(&qctx->zone); } qctx->version = NULL; RESTORE(qctx->version, tversion); RESTORE(qctx->db, tdb); RESTORE(qctx->zone, tzone); qctx->is_zone = true; result = ISC_R_SUCCESS; } else { /* * We are not authoritative for QNAME. Clean up and * leave result as it was. */ if (tdb != NULL) { dns_db_detach(&tdb); } if (tzone != NULL) { dns_zone_detach(&tzone); } } } /* * If we did not find a database from which we can answer the query, * respond with either REFUSED or SERVFAIL, depending on what the * result of query_getdb() was. */ if (result != ISC_R_SUCCESS) { if (result == DNS_R_REFUSED) { if (WANTRECURSION(qctx->client)) { inc_stats(qctx->client, ns_statscounter_recurserej); } else { inc_stats(qctx->client, ns_statscounter_authrej); } if (!PARTIALANSWER(qctx->client)) { QUERY_ERROR(qctx, DNS_R_REFUSED); } } else { CCTRACE(ISC_LOG_ERROR, "ns__query_start: query_getdb " "failed"); QUERY_ERROR(qctx, result); } return (ns_query_done(qctx)); } /* * We found a database from which we can answer the query. Update * relevant query context flags if the answer is to be prepared using * authoritative data. */ qctx->is_staticstub_zone = false; if (qctx->is_zone) { qctx->authoritative = true; if (qctx->zone != NULL) { if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) { qctx->authoritative = false; } if (dns_zone_gettype(qctx->zone) == dns_zone_staticstub) { qctx->is_staticstub_zone = true; } } } /* * Attach to the database which will be used to prepare the answer. * Update query statistics. */ if (qctx->event == NULL && qctx->client->query.restarts == 0) { if (qctx->is_zone) { if (qctx->zone != NULL) { /* * if is_zone = true, zone = NULL then this is * a DLZ zone. Don't attempt to attach zone. */ dns_zone_attach(qctx->zone, &qctx->client->query.authzone); } dns_db_attach(qctx->db, &qctx->client->query.authdb); } qctx->client->query.authdbset = true; /* Track TCP vs UDP stats per zone */ if (TCP(qctx->client)) { inc_stats(qctx->client, ns_statscounter_tcp); } else { inc_stats(qctx->client, ns_statscounter_udp); } } if (!qctx->is_zone && (qctx->view->staleanswerclienttimeout == 0) && dns_view_staleanswerenabled(qctx->view)) { /* * If stale answers are enabled and * stale-answer-client-timeout is zero, then we can promptly * answer with a stale RRset if one is available in cache. */ qctx->options |= DNS_GETDB_STALEFIRST; } result = query_lookup(qctx); /* * Clear "look-also-for-stale-data" flag. * If a fetch is created to resolve this query, then, * when it completes, this option is not expected to be set. */ qctx->options &= ~DNS_GETDB_STALEFIRST; cleanup: return (result); } /* * Allocate buffers in 'qctx' used to store query results. * * 'buffer' must be a pointer to an object whose lifetime * doesn't expire while 'qctx' is in use. */ static isc_result_t qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) { REQUIRE(qctx != NULL); REQUIRE(qctx->client != NULL); REQUIRE(buffer != NULL); qctx->dbuf = ns_client_getnamebuf(qctx->client); if (ISC_UNLIKELY(qctx->dbuf == NULL)) { CCTRACE(ISC_LOG_ERROR, "qctx_prepare_buffers: ns_client_getnamebuf " "failed"); return (ISC_R_NOMEMORY); } qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer); if (ISC_UNLIKELY(qctx->fname == NULL)) { CCTRACE(ISC_LOG_ERROR, "qctx_prepare_buffers: ns_client_newname failed"); return (ISC_R_NOMEMORY); } qctx->rdataset = ns_client_newrdataset(qctx->client); if (ISC_UNLIKELY(qctx->rdataset == NULL)) { CCTRACE(ISC_LOG_ERROR, "qctx_prepare_buffers: ns_client_newrdataset failed"); goto error; } if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) && (!qctx->is_zone || dns_db_issecure(qctx->db))) { qctx->sigrdataset = ns_client_newrdataset(qctx->client); if (qctx->sigrdataset == NULL) { CCTRACE(ISC_LOG_ERROR, "qctx_prepare_buffers: " "ns_client_newrdataset failed (2)"); goto error; } } return (ISC_R_SUCCESS); error: if (qctx->fname != NULL) { ns_client_releasename(qctx->client, &qctx->fname); } if (qctx->rdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->rdataset); } return (ISC_R_NOMEMORY); } /* * Setup a new query context for resolving a query. * * This function is only called if both these conditions are met: * 1. BIND is configured with stale-answer-client-timeout 0. * 2. A stale RRset is found in cache during initial query * database lookup. * * We continue with this function for refreshing/resolving an RRset * after answering a client with stale data. */ static void query_refresh_rrset(query_ctx_t *orig_qctx) { isc_buffer_t buffer; query_ctx_t qctx; REQUIRE(orig_qctx != NULL); REQUIRE(orig_qctx->client != NULL); qctx_copy(orig_qctx, &qctx); qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | DNS_DBFIND_STALEOK | DNS_DBFIND_STALEENABLED); qctx.client->nodetach = false; /* * We'll need some resources... */ if (qctx_prepare_buffers(&qctx, &buffer) != ISC_R_SUCCESS) { dns_db_detach(&qctx.db); qctx_destroy(&qctx); return; } /* * Pretend we didn't find anything in cache. */ (void)query_gotanswer(&qctx, ISC_R_NOTFOUND); if (qctx.fname != NULL) { ns_client_releasename(qctx.client, &qctx.fname); } if (qctx.rdataset != NULL) { ns_client_putrdataset(qctx.client, &qctx.rdataset); } qctx_destroy(&qctx); } /*% * Depending on the db lookup result, we can respond to the * client this stale answer. */ static bool stale_client_answer(isc_result_t result) { switch (result) { case ISC_R_SUCCESS: case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: case DNS_R_NCACHENXRRSET: case DNS_R_CNAME: case DNS_R_DNAME: return (true); default: return (false); } UNREACHABLE(); } /*% * Perform a local database lookup, in either an authoritative or * cache database. If unable to answer, call ns_query_done(); otherwise * hand off processing to query_gotanswer(). */ static isc_result_t query_lookup(query_ctx_t *qctx) { isc_buffer_t buffer; isc_result_t result = ISC_R_UNSET; dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_name_t *rpzqname = NULL; char namebuf[DNS_NAME_FORMATSIZE]; unsigned int dboptions; dns_ttl_t stale_refresh = 0; bool dbfind_stale = false; bool stale_timeout = false; bool answer_found = false; bool stale_found = false; bool stale_refresh_window = false; CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); CALL_HOOK(NS_QUERY_LOOKUP_BEGIN, qctx); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, qctx->client, HAVEECS(qctx->client) ? &qctx->client->ecs : NULL, NULL); /* * We'll need some resources... */ result = qctx_prepare_buffers(qctx, &buffer); if (result != ISC_R_SUCCESS) { QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } /* * Now look for an answer in the database. */ if (qctx->dns64 && qctx->rpz) { rpzqname = qctx->client->query.rpz_st->p_name; } else { rpzqname = qctx->client->query.qname; } if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) { /* * If DNS_GETDB_STALEFIRST is set, it means that a stale * RRset may be returned as part of this lookup. An attempt * to refresh the RRset will still take place if an * active RRset is not available. */ qctx->client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; } dboptions = qctx->client->query.dboptions; if (!qctx->is_zone && qctx->findcoveringnsec && (qctx->type != dns_rdatatype_null || !dns_name_istat(rpzqname))) { dboptions |= DNS_DBFIND_COVERINGNSEC; } (void)dns_db_getservestalerefresh(qctx->client->view->cachedb, &stale_refresh); if (stale_refresh > 0 && dns_view_staleanswerenabled(qctx->client->view)) { dboptions |= DNS_DBFIND_STALEENABLED; } result = dns_db_findext(qctx->db, rpzqname, qctx->version, qctx->type, dboptions, qctx->client->now, &qctx->node, qctx->fname, &cm, &ci, qctx->rdataset, qctx->sigrdataset); /* * Fixup fname and sigrdataset. */ if (qctx->dns64 && qctx->rpz) { dns_name_copynf(qctx->client->query.qname, qctx->fname); if (qctx->sigrdataset != NULL && dns_rdataset_isassociated(qctx->sigrdataset)) { dns_rdataset_disassociate(qctx->sigrdataset); } } if (!qctx->is_zone) { dns_cache_updatestats(qctx->view->cache, result); } /* * If DNS_DBFIND_STALEOK is set this means we are dealing with a * lookup following a failed lookup and it is okay to serve a stale * answer. This will (re)start the 'stale-refresh-time' window in * rbtdb, tracking the last time the RRset lookup failed. */ dbfind_stale = ((dboptions & DNS_DBFIND_STALEOK) != 0); /* * If DNS_DBFIND_STALEENABLED is set, this may be a normal lookup, but * we are allowed to immediately respond with a stale answer if the * request is within the 'stale-refresh-time' window. */ stale_refresh_window = (STALE_WINDOW(qctx->rdataset) && (dboptions & DNS_DBFIND_STALEENABLED) != 0); /* * If DNS_DBFIND_STALETIMEOUT is set, a stale answer is requested. * This can happen if 'stale-answer-client-timeout' is enabled. * * If 'stale-answer-client-timeout' is set to 0, and a stale * answer is found, send it to the client, and try to refresh the * RRset. * * If 'stale-answer-client-timeout' is non-zero, and a stale * answer is found, send it to the client. Don't try to refresh the * RRset because a fetch is already in progress. */ stale_timeout = ((dboptions & DNS_DBFIND_STALETIMEOUT) != 0); if (dns_rdataset_isassociated(qctx->rdataset) && dns_rdataset_count(qctx->rdataset) > 0 && !STALE(qctx->rdataset)) { /* Found non-stale usable rdataset. */ answer_found = true; } if (dbfind_stale || stale_refresh_window || stale_timeout) { dns_name_format(qctx->client->query.qname, namebuf, sizeof(namebuf)); inc_stats(qctx->client, ns_statscounter_trystale); if (dns_rdataset_isassociated(qctx->rdataset) && dns_rdataset_count(qctx->rdataset) > 0 && STALE(qctx->rdataset)) { qctx->rdataset->ttl = qctx->view->staleanswerttl; stale_found = true; inc_stats(qctx->client, ns_statscounter_usedstale); } else { stale_found = false; } } if (dbfind_stale) { isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s resolver failure, stale answer %s", namebuf, stale_found ? "used" : "unavailable"); if (!stale_found && !answer_found) { /* * Resolver failure, no stale data, nothing more we * can do, return SERVFAIL. */ QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } } else if (stale_refresh_window) { /* * A recent lookup failed, so during this time window we are * allowed to return stale data immediately. */ isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s query within stale refresh time, stale " "answer %s", namebuf, stale_found ? "used" : "unavailable"); if (!stale_found && !answer_found) { /* * During the stale refresh window explicitly do not try * to refresh the data, because a recent lookup failed. */ QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } } else if (stale_timeout) { if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) { if (!stale_found && !answer_found) { /* * We have nothing useful in cache to return * immediately. */ qctx_clean(qctx); qctx_freedata(qctx); dns_db_attach(qctx->client->view->cachedb, &qctx->db); qctx->client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT; qctx->options &= ~DNS_GETDB_STALEFIRST; if (qctx->client->query.fetch != NULL) { dns_resolver_destroyfetch( &qctx->client->query.fetch); } return (query_lookup(qctx)); } else if (stale_client_answer(result)) { /* * Immediately return the stale answer, start a * resolver fetch to refresh the data in cache. */ isc_log_write( ns_lctx, NS_LOGCATEGORY_SERVE_STALE, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s stale answer used, an attempt to " "refresh the RRset will still be made", namebuf); qctx->refresh_rrset = STALE(qctx->rdataset); /* * If we are refreshing the RRSet, we must not * detach from the client in query_send(). */ qctx->client->nodetach = qctx->refresh_rrset; } } else { /* * The 'stale-answer-client-timeout' triggered, return * the stale answer if available, otherwise wait until * the resolver finishes. */ isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s client timeout, stale answer %s", namebuf, stale_found ? "used" : "unavailable"); if (!stale_found && !answer_found) { return (result); } if (!stale_client_answer(result)) { return (result); } /* * There still might be real answer later. Mark the * query so we'll know we can skip answering. */ qctx->client->query.attributes |= NS_QUERYATTR_STALEPENDING; } } if (stale_timeout && (answer_found || stale_found)) { /* * Mark RRsets that we are adding to the client message on a * lookup during 'stale-answer-client-timeout', so we can * clean it up if needed when we resume from recursion. */ qctx->client->query.attributes |= NS_QUERYATTR_STALEOK; qctx->rdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; } result = query_gotanswer(qctx, result); cleanup: return (result); } /* * Clear all rdatasets from the message that are in the given section and * that have the 'attr' attribute set. */ static void message_clearrdataset(dns_message_t *msg, unsigned int attr) { unsigned int i; dns_name_t *name, *next_name; dns_rdataset_t *rds, *next_rds; /* * Clean up name lists by calling the rdataset disassociate function. */ for (i = DNS_SECTION_ANSWER; i < DNS_SECTION_MAX; i++) { name = ISC_LIST_HEAD(msg->sections[i]); while (name != NULL) { next_name = ISC_LIST_NEXT(name, link); rds = ISC_LIST_HEAD(name->list); while (rds != NULL) { next_rds = ISC_LIST_NEXT(rds, link); if ((rds->attributes & attr) != attr) { rds = next_rds; continue; } ISC_LIST_UNLINK(name->list, rds, link); INSIST(dns_rdataset_isassociated(rds)); dns_rdataset_disassociate(rds); isc_mempool_put(msg->rdspool, rds); rds = next_rds; } if (ISC_LIST_EMPTY(name->list)) { ISC_LIST_UNLINK(msg->sections[i], name, link); if (dns_name_dynamic(name)) { dns_name_free(name, msg->mctx); } isc_mempool_put(msg->namepool, name); } name = next_name; } } } /* * Clear any rdatasets from the client's message that were added on a lookup * due to a client timeout. */ static void query_clear_stale(ns_client_t *client) { message_clearrdataset(client->message, DNS_RDATASETATTR_STALE_ADDED); } /* * Create a new query context with the sole intent of looking up for a stale * RRset in cache. If an entry is found, we mark the original query as * answered, in order to avoid answering the query twice, when the original * fetch finishes. */ static void query_lookup_stale(ns_client_t *client) { query_ctx_t qctx; qctx_init(client, NULL, client->query.qtype, &qctx); if (DNS64(client)) { qctx.qtype = qctx.type = dns_rdatatype_a; qctx.dns64 = true; } if (DNS64EXCLUDE(client)) { qctx.dns64_exclude = true; } dns_db_attach(client->view->cachedb, &qctx.db); client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; client->nodetach = true; (void)query_lookup(&qctx); if (qctx.node != NULL) { dns_db_detachnode(qctx.db, &qctx.node); } qctx_freedata(&qctx); qctx_destroy(&qctx); } /* * Event handler to resume processing a query after recursion, or when a * client timeout is triggered. If the query has timed out or been cancelled * or the system is shutting down, clean up and exit. If a client timeout is * triggered, see if we can respond with a stale answer from cache. Otherwise, * call query_resume() to continue the ongoing work. */ static void fetch_callback(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent = (dns_fetchevent_t *)event; dns_fetch_t *fetch = NULL; ns_client_t *client = NULL; bool fetch_canceled = false; bool fetch_answered = false; bool client_shuttingdown = false; isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_ERRORS; isc_result_t result; int errorloglevel; query_ctx_t qctx; UNUSED(task); REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE || event->ev_type == DNS_EVENT_TRYSTALE); client = devent->ev_arg; REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(task == client->task); REQUIRE(RECURSING(client)); CTRACE(ISC_LOG_DEBUG(3), "fetch_callback"); if (event->ev_type == DNS_EVENT_TRYSTALE) { if (devent->result != ISC_R_CANCELED) { query_lookup_stale(client); } isc_event_free(ISC_EVENT_PTR(&event)); return; } /* * We are resuming from recursion. Reset any attributes, options * that a lookup due to stale-answer-client-timeout may have set. */ if (client->view->cachedb != NULL && client->view->recursion) { client->query.attributes |= NS_QUERYATTR_RECURSIONOK; } client->query.fetchoptions &= ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT; client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT; client->nodetach = false; LOCK(&client->query.fetchlock); INSIST(client->query.fetch == devent->fetch || client->query.fetch == NULL); if (QUERY_STALEPENDING(&client->query)) { /* * We've gotten an authoritative answer to a query that * was left pending after a stale timeout. We don't need * to do anything with it; free all the data and go home. */ client->query.fetch = NULL; fetch_answered = true; } else if (client->query.fetch != NULL) { /* * This is the fetch we've been waiting for. */ INSIST(devent->fetch == client->query.fetch); client->query.fetch = NULL; /* * Update client->now. */ isc_stdtime_get(&client->now); } else { /* * This is a fetch completion event for a canceled fetch. * Clean up and don't resume the find. */ fetch_canceled = true; } UNLOCK(&client->query.fetchlock); SAVE(fetch, devent->fetch); /* * We're done recursing, detach from quota and unlink from * the manager's recursing-clients list. */ if (client->recursionquota != NULL) { isc_quota_detach(&client->recursionquota); ns_stats_decrement(client->sctx->nsstats, ns_statscounter_recursclients); } LOCK(&client->manager->reclock); if (ISC_LINK_LINKED(client, rlink)) { ISC_LIST_UNLINK(client->manager->recursing, client, rlink); } UNLOCK(&client->manager->reclock); isc_nmhandle_detach(&client->fetchhandle); client->query.attributes &= ~NS_QUERYATTR_RECURSING; client->state = NS_CLIENTSTATE_WORKING; /* * Initialize a new qctx and use it to either resume from * recursion or clean up after cancelation. Transfer * ownership of devent to the new qctx in the process. */ qctx_init(client, &devent, 0, &qctx); client_shuttingdown = ns_client_shuttingdown(client); if (fetch_canceled || fetch_answered || client_shuttingdown) { /* * We've timed out or are shutting down. We can now * free the event and other resources held by qctx, but * don't call qctx_destroy() yet: it might destroy the * client, which we still need for a moment. */ qctx_freedata(&qctx); /* * Return an error to the client, or just drop. */ if (fetch_canceled) { CTRACE(ISC_LOG_ERROR, "fetch cancelled"); query_error(client, DNS_R_SERVFAIL, __LINE__); } else { query_next(client, ISC_R_CANCELED); } /* * Free any persistent plugin data that was allocated to * service the client, then detach the client object. */ qctx.detach_client = true; qctx_destroy(&qctx); } else { /* * Resume the find process. */ query_trace(&qctx); result = query_resume(&qctx); if (result != ISC_R_SUCCESS) { if (result == DNS_R_SERVFAIL) { errorloglevel = ISC_LOG_DEBUG(2); } else { errorloglevel = ISC_LOG_DEBUG(4); } if (isc_log_wouldlog(ns_lctx, errorloglevel)) { dns_resolver_logfetch(fetch, ns_lctx, logcategory, NS_LOGMODULE_QUERY, errorloglevel, false); } } qctx_destroy(&qctx); } dns_resolver_destroyfetch(&fetch); } /*% * Check whether the recursion parameters in 'param' match the current query's * recursion parameters provided in 'qtype', 'qname', and 'qdomain'. */ static bool recparam_match(const ns_query_recparam_t *param, dns_rdatatype_t qtype, const dns_name_t *qname, const dns_name_t *qdomain) { REQUIRE(param != NULL); return (param->qtype == qtype && param->qname != NULL && qname != NULL && param->qdomain != NULL && qdomain != NULL && dns_name_equal(param->qname, qname) && dns_name_equal(param->qdomain, qdomain)); } /*% * Update 'param' with current query's recursion parameters provided in * 'qtype', 'qname', and 'qdomain'. */ static void recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, const dns_name_t *qname, const dns_name_t *qdomain) { REQUIRE(param != NULL); param->qtype = qtype; if (qname == NULL) { param->qname = NULL; } else { param->qname = dns_fixedname_initname(¶m->fqname); dns_name_copynf(qname, param->qname); } if (qdomain == NULL) { param->qdomain = NULL; } else { param->qdomain = dns_fixedname_initname(¶m->fqdomain); dns_name_copynf(qdomain, param->qdomain); } } static atomic_uint_fast32_t last_soft, last_hard; isc_result_t ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, dns_name_t *qdomain, dns_rdataset_t *nameservers, bool resuming) { isc_result_t result; dns_rdataset_t *rdataset, *sigrdataset; isc_sockaddr_t *peeraddr = NULL; CTRACE(ISC_LOG_DEBUG(3), "ns_query_recurse"); /* * Check recursion parameters from the previous query to see if they * match. If not, update recursion parameters and proceed. */ if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "recursion loop detected"); return (ISC_R_ALREADYRUNNING); } recparam_update(&client->query.recparam, qtype, qname, qdomain); if (!resuming) { inc_stats(client, ns_statscounter_recursion); } /* * We are about to recurse, which means that this client will * be unavailable for serving new requests for an indeterminate * amount of time. If this client is currently responsible * for handling incoming queries, set up a new client * object to handle them while we are waiting for a * response. There is no need to replace TCP clients * because those have already been replaced when the * connection was accepted (if allowed by the TCP quota). */ if (client->recursionquota == NULL) { result = isc_quota_attach(&client->sctx->recursionquota, &client->recursionquota); if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { ns_stats_increment(client->sctx->nsstats, ns_statscounter_recursclients); } if (result == ISC_R_SOFTQUOTA) { isc_stdtime_t now; isc_stdtime_get(&now); if (now != atomic_load_relaxed(&last_soft)) { atomic_store_relaxed(&last_soft, now); ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "recursive-clients soft limit " "exceeded (%u/%u/%u), " "aborting oldest query", isc_quota_getused( client->recursionquota), isc_quota_getsoft( client->recursionquota), isc_quota_getmax( client->recursionquota)); } ns_client_killoldestquery(client); result = ISC_R_SUCCESS; } else if (result == ISC_R_QUOTA) { isc_stdtime_t now; isc_stdtime_get(&now); if (now != atomic_load_relaxed(&last_hard)) { ns_server_t *sctx = client->sctx; atomic_store_relaxed(&last_hard, now); ns_client_log( client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "no more recursive clients " "(%u/%u/%u): %s", isc_quota_getused( &sctx->recursionquota), isc_quota_getsoft( &sctx->recursionquota), isc_quota_getmax(&sctx->recursionquota), isc_result_totext(result)); } ns_client_killoldestquery(client); } if (result != ISC_R_SUCCESS) { return (result); } dns_message_clonebuffer(client->message); ns_client_recursing(client); } /* * Invoke the resolver. */ REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns); REQUIRE(client->query.fetch == NULL); rdataset = ns_client_newrdataset(client); if (rdataset == NULL) { return (ISC_R_NOMEMORY); } if (WANTDNSSEC(client)) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { ns_client_putrdataset(client, &rdataset); return (ISC_R_NOMEMORY); } } else { sigrdataset = NULL; } if (!client->query.timerset) { ns_client_settimeout(client, 60); } if (!TCP(client)) { peeraddr = &client->peeraddr; } if (client->view->staleanswerclienttimeout > 0 && client->view->staleanswerclienttimeout != (uint32_t)-1 && dns_view_staleanswerenabled(client->view)) { client->query.fetchoptions |= DNS_FETCHOPT_TRYSTALE_ONTIMEOUT; } isc_nmhandle_attach(client->handle, &client->fetchhandle); result = dns_resolver_createfetch( client->view->resolver, qname, qtype, qdomain, nameservers, NULL, peeraddr, client->message->id, client->query.fetchoptions, 0, NULL, client->task, fetch_callback, client, rdataset, sigrdataset, &client->query.fetch); if (result != ISC_R_SUCCESS) { isc_nmhandle_detach(&client->fetchhandle); ns_client_putrdataset(client, &rdataset); if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } } /* * We're now waiting for a fetch event. A client which is * shutting down will not be destroyed until all the events * have been received. */ return (result); } /*% * Restores the query context after resuming from recursion, and * continues the query processing if needed. */ static isc_result_t query_resume(query_ctx_t *qctx) { isc_result_t result; dns_name_t *tname; isc_buffer_t b; #ifdef WANT_QUERYTRACE char mbuf[4 * DNS_NAME_FORMATSIZE]; char qbuf[DNS_NAME_FORMATSIZE]; char tbuf[DNS_RDATATYPE_FORMATSIZE]; #endif /* ifdef WANT_QUERYTRACE */ CCTRACE(ISC_LOG_DEBUG(3), "query_resume"); CALL_HOOK(NS_QUERY_RESUME_BEGIN, qctx); qctx->want_restart = false; qctx->rpz_st = qctx->client->query.rpz_st; if (qctx->rpz_st != NULL && (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) { CCTRACE(ISC_LOG_DEBUG(3), "resume from RPZ recursion"); #ifdef WANT_QUERYTRACE { char pbuf[DNS_NAME_FORMATSIZE] = ""; char fbuf[DNS_NAME_FORMATSIZE] = ""; if (qctx->rpz_st->r_name != NULL) { dns_name_format(qctx->rpz_st->r_name, qbuf, sizeof(qbuf)); } else { snprintf(qbuf, sizeof(qbuf), ""); } if (qctx->rpz_st->p_name != NULL) { dns_name_format(qctx->rpz_st->p_name, pbuf, sizeof(pbuf)); } if (qctx->rpz_st->fname != NULL) { dns_name_format(qctx->rpz_st->fname, fbuf, sizeof(fbuf)); } snprintf(mbuf, sizeof(mbuf) - 1, "rpz rname:%s, pname:%s, qctx->fname:%s", qbuf, pbuf, fbuf); CCTRACE(ISC_LOG_DEBUG(3), mbuf); } #endif /* ifdef WANT_QUERYTRACE */ qctx->is_zone = qctx->rpz_st->q.is_zone; qctx->authoritative = qctx->rpz_st->q.authoritative; RESTORE(qctx->zone, qctx->rpz_st->q.zone); RESTORE(qctx->node, qctx->rpz_st->q.node); RESTORE(qctx->db, qctx->rpz_st->q.db); RESTORE(qctx->rdataset, qctx->rpz_st->q.rdataset); RESTORE(qctx->sigrdataset, qctx->rpz_st->q.sigrdataset); qctx->qtype = qctx->rpz_st->q.qtype; if (qctx->event->node != NULL) { dns_db_detachnode(qctx->event->db, &qctx->event->node); } SAVE(qctx->rpz_st->r.db, qctx->event->db); qctx->rpz_st->r.r_type = qctx->event->qtype; SAVE(qctx->rpz_st->r.r_rdataset, qctx->event->rdataset); ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset); } else if (REDIRECT(qctx->client)) { /* * Restore saved state. */ CCTRACE(ISC_LOG_DEBUG(3), "resume from redirect recursion"); #ifdef WANT_QUERYTRACE dns_name_format(qctx->client->query.redirect.fname, qbuf, sizeof(qbuf)); dns_rdatatype_format(qctx->client->query.redirect.qtype, tbuf, sizeof(tbuf)); snprintf(mbuf, sizeof(mbuf) - 1, "redirect qctx->fname:%s, qtype:%s, auth:%d", qbuf, tbuf, qctx->client->query.redirect.authoritative); CCTRACE(ISC_LOG_DEBUG(3), mbuf); #endif /* ifdef WANT_QUERYTRACE */ qctx->qtype = qctx->client->query.redirect.qtype; INSIST(qctx->client->query.redirect.rdataset != NULL); RESTORE(qctx->rdataset, qctx->client->query.redirect.rdataset); RESTORE(qctx->sigrdataset, qctx->client->query.redirect.sigrdataset); RESTORE(qctx->db, qctx->client->query.redirect.db); RESTORE(qctx->node, qctx->client->query.redirect.node); RESTORE(qctx->zone, qctx->client->query.redirect.zone); qctx->authoritative = qctx->client->query.redirect.authoritative; /* * Free resources used while recursing. */ ns_client_putrdataset(qctx->client, &qctx->event->rdataset); ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset); if (qctx->event->node != NULL) { dns_db_detachnode(qctx->event->db, &qctx->event->node); } if (qctx->event->db != NULL) { dns_db_detach(&qctx->event->db); } } else { CCTRACE(ISC_LOG_DEBUG(3), "resume from normal recursion"); qctx->authoritative = false; qctx->qtype = qctx->event->qtype; SAVE(qctx->db, qctx->event->db); SAVE(qctx->node, qctx->event->node); SAVE(qctx->rdataset, qctx->event->rdataset); SAVE(qctx->sigrdataset, qctx->event->sigrdataset); } INSIST(qctx->rdataset != NULL); if (qctx->qtype == dns_rdatatype_rrsig || qctx->qtype == dns_rdatatype_sig) { qctx->type = dns_rdatatype_any; } else { qctx->type = qctx->qtype; } CALL_HOOK(NS_QUERY_RESUME_RESTORED, qctx); if (DNS64(qctx->client)) { qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64; qctx->dns64 = true; } if (DNS64EXCLUDE(qctx->client)) { qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE; qctx->dns64_exclude = true; } if (qctx->rpz_st != NULL && (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) { /* * Has response policy changed out from under us? */ if (qctx->rpz_st->rpz_ver != qctx->view->rpzs->rpz_ver) { ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "query_resume: RPZ settings " "out of date " "(rpz_ver %d, expected %d)", qctx->view->rpzs->rpz_ver, qctx->rpz_st->rpz_ver); QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } } /* * We'll need some resources... */ qctx->dbuf = ns_client_getnamebuf(qctx->client); if (qctx->dbuf == NULL) { CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_getnamebuf " "failed (1)"); QUERY_ERROR(qctx, ISC_R_NOMEMORY); return (ns_query_done(qctx)); } qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); if (qctx->fname == NULL) { CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_newname failed " "(1)"); QUERY_ERROR(qctx, ISC_R_NOMEMORY); return (ns_query_done(qctx)); } if (qctx->rpz_st != NULL && (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) { tname = qctx->rpz_st->fname; } else if (REDIRECT(qctx->client)) { tname = qctx->client->query.redirect.fname; } else { tname = dns_fixedname_name(&qctx->event->foundname); } dns_name_copynf(tname, qctx->fname); if (qctx->rpz_st != NULL && (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) { qctx->rpz_st->r.r_result = qctx->event->result; result = qctx->rpz_st->q.result; free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event), &qctx->event); } else if (REDIRECT(qctx->client)) { result = qctx->client->query.redirect.result; } else { result = qctx->event->result; } qctx->resuming = true; return (query_gotanswer(qctx, result)); cleanup: return (result); } /*% * If the query is recursive, check the SERVFAIL cache to see whether * identical queries have failed recently. If we find a match, and it was * from a query with CD=1, *or* if the current query has CD=0, then we just * return SERVFAIL again. This prevents a validation failure from eliciting a * SERVFAIL response to a CD=1 query. */ isc_result_t ns__query_sfcache(query_ctx_t *qctx) { bool failcache; uint32_t flags; /* * The SERVFAIL cache doesn't apply to authoritative queries. */ if (!RECURSIONOK(qctx->client)) { return (ISC_R_COMPLETE); } flags = 0; #ifdef ENABLE_AFL if (qctx->client->sctx->fuzztype == isc_fuzz_resolver) { failcache = false; } else { failcache = dns_badcache_find( qctx->view->failcache, qctx->client->query.qname, qctx->qtype, &flags, &qctx->client->tnow); } #else /* ifdef ENABLE_AFL */ failcache = dns_badcache_find(qctx->view->failcache, qctx->client->query.qname, qctx->qtype, &flags, &qctx->client->tnow); #endif /* ifdef ENABLE_AFL */ if (failcache && (((flags & NS_FAILCACHE_CD) != 0) || ((qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0))) { if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; dns_name_format(qctx->client->query.qname, namebuf, sizeof(namebuf)); dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf)); ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(1), "servfail cache hit %s/%s (%s)", namebuf, typebuf, ((flags & NS_FAILCACHE_CD) != 0) ? "CD=1" : "CD=" "0"); } qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } return (ISC_R_COMPLETE); } /*% * Handle response rate limiting (RRL). */ static isc_result_t query_checkrrl(query_ctx_t *qctx, isc_result_t result) { /* * Rate limit these responses to this client. * Do not delay counting and handling obvious referrals, * since those won't come here again. * Delay handling delegations for which we are certain to recurse and * return here (DNS_R_DELEGATION, not a child of one of our * own zones, and recursion enabled) * Don't mess with responses rewritten by RPZ * Count each response at most once. */ /* * XXXMPA the rrl system tests fails sometimes and RRL_CHECKED * is set when we are called the second time preventing the * response being dropped. */ ns_client_log( qctx->client, DNS_LOGCATEGORY_RRL, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(99), "rrl=%p, HAVECOOKIE=%u, result=%s, " "fname=%p(%u), is_zone=%u, RECURSIONOK=%u, " "query.rpz_st=%p(%u), RRL_CHECKED=%u\n", qctx->client->view->rrl, HAVECOOKIE(qctx->client), isc_result_toid(result), qctx->fname, qctx->fname != NULL ? dns_name_isabsolute(qctx->fname) : 0, qctx->is_zone, RECURSIONOK(qctx->client), qctx->client->query.rpz_st, qctx->client->query.rpz_st != NULL ? ((qctx->client->query.rpz_st->state & DNS_RPZ_REWRITTEN) != 0) : 0, (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) != 0); if (qctx->view->rrl != NULL && !HAVECOOKIE(qctx->client) && ((qctx->fname != NULL && dns_name_isabsolute(qctx->fname)) || (result == ISC_R_NOTFOUND && !RECURSIONOK(qctx->client))) && !(result == DNS_R_DELEGATION && !qctx->is_zone && RECURSIONOK(qctx->client)) && (qctx->client->query.rpz_st == NULL || (qctx->client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) { dns_rdataset_t nc_rdataset; bool wouldlog; dns_fixedname_t fixed; const dns_name_t *constname; char log_buf[DNS_RRL_LOG_BUF_LEN]; isc_result_t nc_result, resp_result; dns_rrl_result_t rrl_result; qctx->client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; wouldlog = isc_log_wouldlog(ns_lctx, DNS_RRL_LOG_DROP); constname = qctx->fname; if (result == DNS_R_NXDOMAIN) { /* * Use the database origin name to rate limit NXDOMAIN */ if (qctx->db != NULL) { constname = dns_db_origin(qctx->db); } resp_result = result; } else if (result == DNS_R_NCACHENXDOMAIN && qctx->rdataset != NULL && dns_rdataset_isassociated(qctx->rdataset) && (qctx->rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { /* * Try to use owner name in the negative cache SOA. */ dns_fixedname_init(&fixed); dns_rdataset_init(&nc_rdataset); for (nc_result = dns_rdataset_first(qctx->rdataset); nc_result == ISC_R_SUCCESS; nc_result = dns_rdataset_next(qctx->rdataset)) { dns_ncache_current(qctx->rdataset, dns_fixedname_name(&fixed), &nc_rdataset); if (nc_rdataset.type == dns_rdatatype_soa) { dns_rdataset_disassociate(&nc_rdataset); constname = dns_fixedname_name(&fixed); break; } dns_rdataset_disassociate(&nc_rdataset); } resp_result = DNS_R_NXDOMAIN; } else if (result == DNS_R_NXRRSET || result == DNS_R_EMPTYNAME) { resp_result = DNS_R_NXRRSET; } else if (result == DNS_R_DELEGATION) { resp_result = result; } else if (result == ISC_R_NOTFOUND) { /* * Handle referral to ".", including when recursion * is off or not requested and the hints have not * been loaded or we have "additional-from-cache no". */ constname = dns_rootname; resp_result = DNS_R_DELEGATION; } else { resp_result = ISC_R_SUCCESS; } rrl_result = dns_rrl( qctx->view, qctx->zone, &qctx->client->peeraddr, TCP(qctx->client), qctx->client->message->rdclass, qctx->qtype, constname, resp_result, qctx->client->now, wouldlog, log_buf, sizeof(log_buf)); if (rrl_result != DNS_RRL_RESULT_OK) { /* * Log dropped or slipped responses in the query * category so that requests are not silently lost. * Starts of rate-limited bursts are logged in * DNS_LOGCATEGORY_RRL. * * Dropped responses are counted with dropped queries * in QryDropped while slipped responses are counted * with other truncated responses in RespTruncated. */ if (wouldlog) { ns_client_log(qctx->client, DNS_LOGCATEGORY_RRL, NS_LOGMODULE_QUERY, DNS_RRL_LOG_DROP, "%s", log_buf); } if (!qctx->view->rrl->log_only) { if (rrl_result == DNS_RRL_RESULT_DROP) { /* * These will also be counted in * ns_statscounter_dropped */ inc_stats(qctx->client, ns_statscounter_ratedropped); QUERY_ERROR(qctx, DNS_R_DROP); } else { /* * These will also be counted in * ns_statscounter_truncatedresp */ inc_stats(qctx->client, ns_statscounter_rateslipped); if (WANTCOOKIE(qctx->client)) { qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; qctx->client->message->rcode = dns_rcode_badcookie; } else { qctx->client->message->flags |= DNS_MESSAGEFLAG_TC; if (resp_result == DNS_R_NXDOMAIN) { qctx->client->message ->rcode = dns_rcode_nxdomain; } } } return (DNS_R_DROP); } } } return (ISC_R_SUCCESS); } /*% * Do any RPZ rewriting that may be needed for this query. */ static isc_result_t query_checkrpz(query_ctx_t *qctx, isc_result_t result) { isc_result_t rresult; CCTRACE(ISC_LOG_DEBUG(3), "query_checkrpz"); rresult = rpz_rewrite(qctx->client, qctx->qtype, result, qctx->resuming, qctx->rdataset, qctx->sigrdataset); qctx->rpz_st = qctx->client->query.rpz_st; switch (rresult) { case ISC_R_SUCCESS: break; case ISC_R_NOTFOUND: case DNS_R_DISALLOWED: return (result); case DNS_R_DELEGATION: /* * recursing for NS names or addresses, * so save the main query state */ INSIST(!RECURSING(qctx->client)); qctx->rpz_st->q.qtype = qctx->qtype; qctx->rpz_st->q.is_zone = qctx->is_zone; qctx->rpz_st->q.authoritative = qctx->authoritative; SAVE(qctx->rpz_st->q.zone, qctx->zone); SAVE(qctx->rpz_st->q.db, qctx->db); SAVE(qctx->rpz_st->q.node, qctx->node); SAVE(qctx->rpz_st->q.rdataset, qctx->rdataset); SAVE(qctx->rpz_st->q.sigrdataset, qctx->sigrdataset); dns_name_copynf(qctx->fname, qctx->rpz_st->fname); qctx->rpz_st->q.result = result; qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; return (ISC_R_COMPLETE); default: QUERY_ERROR(qctx, rresult); return (ISC_R_COMPLETE); } if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS) { qctx->rpz_st->state |= DNS_RPZ_REWRITTEN; } if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS && qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY || !TCP(qctx->client)) && qctx->rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { /* * We got a hit and are going to answer with our * fiction. Ensure that we answer with the name * we looked up even if we were stopped short * in recursion or for a deferral. */ dns_name_copynf(qctx->client->query.qname, qctx->fname); rpz_clean(&qctx->zone, &qctx->db, &qctx->node, NULL); if (qctx->rpz_st->m.rdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->rdataset); RESTORE(qctx->rdataset, qctx->rpz_st->m.rdataset); } else { qctx_clean(qctx); } qctx->version = NULL; RESTORE(qctx->node, qctx->rpz_st->m.node); RESTORE(qctx->db, qctx->rpz_st->m.db); RESTORE(qctx->version, qctx->rpz_st->m.version); RESTORE(qctx->zone, qctx->rpz_st->m.zone); /* * Add SOA record to additional section */ if (qctx->rpz_st->m.rpz->addsoa) { bool override_ttl = dns_rdataset_isassociated(qctx->rdataset); rresult = query_addsoa(qctx, override_ttl, DNS_SECTION_ADDITIONAL); if (rresult != ISC_R_SUCCESS) { QUERY_ERROR(qctx, result); return (ISC_R_COMPLETE); } } switch (qctx->rpz_st->m.policy) { case DNS_RPZ_POLICY_TCP_ONLY: qctx->client->message->flags |= DNS_MESSAGEFLAG_TC; if (result == DNS_R_NXDOMAIN || result == DNS_R_NCACHENXDOMAIN) { qctx->client->message->rcode = dns_rcode_nxdomain; } rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy, qctx->rpz_st->m.type, qctx->zone, qctx->rpz_st->p_name, NULL, qctx->rpz_st->m.rpz->num); return (ISC_R_COMPLETE); case DNS_RPZ_POLICY_DROP: QUERY_ERROR(qctx, DNS_R_DROP); rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy, qctx->rpz_st->m.type, qctx->zone, qctx->rpz_st->p_name, NULL, qctx->rpz_st->m.rpz->num); return (ISC_R_COMPLETE); case DNS_RPZ_POLICY_NXDOMAIN: result = DNS_R_NXDOMAIN; qctx->nxrewrite = true; qctx->rpz = true; break; case DNS_RPZ_POLICY_NODATA: qctx->nxrewrite = true; FALLTHROUGH; case DNS_RPZ_POLICY_DNS64: result = DNS_R_NXRRSET; qctx->rpz = true; break; case DNS_RPZ_POLICY_RECORD: result = qctx->rpz_st->m.result; if (qctx->qtype == dns_rdatatype_any && result != DNS_R_CNAME) { /* * We will add all of the rdatasets of * the node by iterating later, * and set the TTL then. */ if (dns_rdataset_isassociated(qctx->rdataset)) { dns_rdataset_disassociate( qctx->rdataset); } } else { /* * We will add this rdataset. */ qctx->rdataset->ttl = ISC_MIN(qctx->rdataset->ttl, qctx->rpz_st->m.ttl); } qctx->rpz = true; break; case DNS_RPZ_POLICY_WILDCNAME: { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_cname_t cname; result = dns_rdataset_first(qctx->rdataset); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(qctx->rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); result = query_rpzcname(qctx, &cname.cname); if (result != ISC_R_SUCCESS) { return (ISC_R_COMPLETE); } qctx->fname = NULL; qctx->want_restart = true; return (ISC_R_COMPLETE); } case DNS_RPZ_POLICY_CNAME: /* * Add overriding CNAME from a named.conf * response-policy statement */ result = query_rpzcname(qctx, &qctx->rpz_st->m.rpz->cname); if (result != ISC_R_SUCCESS) { return (ISC_R_COMPLETE); } qctx->fname = NULL; qctx->want_restart = true; return (ISC_R_COMPLETE); default: UNREACHABLE(); } /* * Turn off DNSSEC because the results of a * response policy zone cannot verify. */ qctx->client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | NS_CLIENTATTR_WANTAD); qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; ns_client_putrdataset(qctx->client, &qctx->sigrdataset); qctx->rpz_st->q.is_zone = qctx->is_zone; qctx->is_zone = true; rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy, qctx->rpz_st->m.type, qctx->zone, qctx->rpz_st->p_name, NULL, qctx->rpz_st->m.rpz->num); } return (result); } /*% * Add a CNAME to a query response, including translating foo.evil.com and * *.evil.com CNAME *.example.com * to * foo.evil.com CNAME foo.evil.com.example.com */ static isc_result_t query_rpzcname(query_ctx_t *qctx, dns_name_t *cname) { ns_client_t *client; dns_fixedname_t prefix, suffix; unsigned int labels; isc_result_t result; REQUIRE(qctx != NULL && qctx->client != NULL); client = qctx->client; CTRACE(ISC_LOG_DEBUG(3), "query_rpzcname"); labels = dns_name_countlabels(cname); if (labels > 2 && dns_name_iswildcard(cname)) { dns_fixedname_init(&prefix); dns_name_split(client->query.qname, 1, dns_fixedname_name(&prefix), NULL); dns_fixedname_init(&suffix); dns_name_split(cname, labels - 1, NULL, dns_fixedname_name(&suffix)); result = dns_name_concatenate(dns_fixedname_name(&prefix), dns_fixedname_name(&suffix), qctx->fname, NULL); if (result == DNS_R_NAMETOOLONG) { client->message->rcode = dns_rcode_yxdomain; } else if (result != ISC_R_SUCCESS) { return (result); } } else { dns_name_copynf(cname, qctx->fname); } ns_client_keepname(client, qctx->fname, qctx->dbuf); result = query_addcname(qctx, dns_trust_authanswer, qctx->rpz_st->m.ttl); if (result != ISC_R_SUCCESS) { return (result); } rpz_log_rewrite(client, false, qctx->rpz_st->m.policy, qctx->rpz_st->m.type, qctx->rpz_st->m.zone, qctx->rpz_st->p_name, qctx->fname, qctx->rpz_st->m.rpz->num); ns_client_qnamereplace(client, qctx->fname); /* * Turn off DNSSEC because the results of a * response policy zone cannot verify. */ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | NS_CLIENTATTR_WANTAD); return (ISC_R_SUCCESS); } /*% * Check the configured trust anchors for a root zone trust anchor * with a key id that matches qctx->client->query.root_key_sentinel_keyid. * * Return true when found, otherwise return false. */ static bool has_ta(query_ctx_t *qctx) { dns_keytable_t *keytable = NULL; dns_keynode_t *keynode = NULL; dns_rdataset_t dsset; dns_keytag_t sentinel = qctx->client->query.root_key_sentinel_keyid; isc_result_t result; result = dns_view_getsecroots(qctx->view, &keytable); if (result != ISC_R_SUCCESS) { return (false); } result = dns_keytable_find(keytable, dns_rootname, &keynode); if (result != ISC_R_SUCCESS) { if (keynode != NULL) { dns_keytable_detachkeynode(keytable, &keynode); } dns_keytable_detach(&keytable); return (false); } dns_rdataset_init(&dsset); if (dns_keynode_dsset(keynode, &dsset)) { for (result = dns_rdataset_first(&dsset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&dsset)) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_ds_t ds; dns_rdata_reset(&rdata); dns_rdataset_current(&dsset, &rdata); result = dns_rdata_tostruct(&rdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.key_tag == sentinel) { dns_keytable_detachkeynode(keytable, &keynode); dns_keytable_detach(&keytable); dns_rdataset_disassociate(&dsset); return (true); } } dns_rdataset_disassociate(&dsset); } if (keynode != NULL) { dns_keytable_detachkeynode(keytable, &keynode); } dns_keytable_detach(&keytable); return (false); } /*% * Check if a root key sentinel SERVFAIL should be returned. */ static bool root_key_sentinel_return_servfail(query_ctx_t *qctx, isc_result_t result) { /* * Are we looking at a "root-key-sentinel" query? */ if (!qctx->client->query.root_key_sentinel_is_ta && !qctx->client->query.root_key_sentinel_not_ta) { return (false); } /* * We only care about the query if 'result' indicates we have a cached * answer. */ switch (result) { case ISC_R_SUCCESS: case DNS_R_CNAME: case DNS_R_DNAME: case DNS_R_NCACHENXDOMAIN: case DNS_R_NCACHENXRRSET: break; default: return (false); } /* * Do we meet the specified conditions to return SERVFAIL? */ if (!qctx->is_zone && qctx->rdataset->trust == dns_trust_secure && ((qctx->client->query.root_key_sentinel_is_ta && !has_ta(qctx)) || (qctx->client->query.root_key_sentinel_not_ta && has_ta(qctx)))) { return (true); } /* * As special processing may only be triggered by the original QNAME, * disable it after following a CNAME/DNAME. */ qctx->client->query.root_key_sentinel_is_ta = false; qctx->client->query.root_key_sentinel_not_ta = false; return (false); } /*% * If serving stale answers is allowed, set up 'qctx' to look for one and * return true; otherwise, return false. */ static bool query_usestale(query_ctx_t *qctx, isc_result_t result) { if ((qctx->client->query.dboptions & DNS_DBFIND_STALEOK) != 0) { /* * Query was already using stale, if that didn't work the * last time, it won't work this time either. */ return (false); } if (qctx->refresh_rrset) { /* * This is a refreshing query, we have already prioritized * stale data, so don't enable serve-stale again. */ return (false); } if (result == DNS_R_DUPLICATE || result == DNS_R_DROP || result == ISC_R_ALREADYRUNNING) { /* * Don't enable serve-stale if the result signals a duplicate * query or a query that is being dropped or can't proceed * because of a recursion loop. */ return (false); } qctx_clean(qctx); qctx_freedata(qctx); if (dns_view_staleanswerenabled(qctx->client->view)) { dns_db_attach(qctx->client->view->cachedb, &qctx->db); qctx->version = NULL; qctx->client->query.dboptions |= DNS_DBFIND_STALEOK; if (qctx->client->query.fetch != NULL) { dns_resolver_destroyfetch(&qctx->client->query.fetch); } /* * Start the stale-refresh-time window in case there was a * resolver query timeout. */ if (qctx->resuming && result == ISC_R_TIMEDOUT) { qctx->client->query.dboptions |= DNS_DBFIND_STALESTART; } return (true); } return (false); } /*% * Continue after doing a database lookup or returning from * recursion, and call out to the next function depending on the * result from the search. */ static isc_result_t query_gotanswer(query_ctx_t *qctx, isc_result_t result) { char errmsg[256]; CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); CALL_HOOK(NS_QUERY_GOT_ANSWER_BEGIN, qctx); if (query_checkrrl(qctx, result) != ISC_R_SUCCESS) { return (ns_query_done(qctx)); } if (!dns_name_equal(qctx->client->query.qname, dns_rootname)) { result = query_checkrpz(qctx, result); if (result == ISC_R_NOTFOUND) { /* * RPZ not configured for this view. */ goto root_key_sentinel; } if (RECURSING(qctx->client) && result == DNS_R_DISALLOWED) { /* * We are recursing, and thus RPZ processing is not * allowed at the moment. This could happen on a * "stale-answer-client-timeout" lookup. In this case, * bail out and wait for recursion to complete, as we * we can't perform the RPZ rewrite rules. */ return (result); } if (result == ISC_R_COMPLETE) { return (ns_query_done(qctx)); } } root_key_sentinel: /* * If required, handle special "root-key-sentinel-is-ta-" and * "root-key-sentinel-not-ta-" labels by returning SERVFAIL. */ if (root_key_sentinel_return_servfail(qctx, result)) { /* * Don't record this response in the SERVFAIL cache. */ qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } switch (result) { case ISC_R_SUCCESS: return (query_prepresponse(qctx)); case DNS_R_GLUE: case DNS_R_ZONECUT: INSIST(qctx->is_zone); qctx->authoritative = false; return (query_prepresponse(qctx)); case ISC_R_NOTFOUND: return (query_notfound(qctx)); case DNS_R_DELEGATION: return (query_delegation(qctx)); case DNS_R_EMPTYNAME: return (query_nodata(qctx, DNS_R_EMPTYNAME)); case DNS_R_NXRRSET: return (query_nodata(qctx, DNS_R_NXRRSET)); case DNS_R_EMPTYWILD: return (query_nxdomain(qctx, DNS_R_EMPTYWILD)); case DNS_R_NXDOMAIN: return (query_nxdomain(qctx, DNS_R_NXDOMAIN)); case DNS_R_COVERINGNSEC: return (query_coveringnsec(qctx)); case DNS_R_NCACHENXDOMAIN: result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } return (query_ncache(qctx, DNS_R_NCACHENXDOMAIN)); case DNS_R_NCACHENXRRSET: return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); case DNS_R_CNAME: return (query_cname(qctx)); case DNS_R_DNAME: return (query_dname(qctx)); default: /* * Something has gone wrong. */ snprintf(errmsg, sizeof(errmsg) - 1, "query_gotanswer: unexpected error: %s", isc_result_totext(result)); CCTRACE(ISC_LOG_ERROR, errmsg); if (query_usestale(qctx, result)) { /* * If serve-stale is enabled, query_usestale() already * set up 'qctx' for looking up a stale response. */ return (query_lookup(qctx)); } /* * Regardless of the triggering result, we definitely * want to return SERVFAIL from here. */ qctx->client->rcode_override = dns_rcode_servfail; QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } cleanup: return (result); } static void query_addnoqnameproof(query_ctx_t *qctx) { ns_client_t *client = qctx->client; isc_buffer_t *dbuf, b; dns_name_t *fname = NULL; dns_rdataset_t *neg = NULL, *negsig = NULL; isc_result_t result = ISC_R_NOMEMORY; CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof"); if (qctx->noqname == NULL) { return; } dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); neg = ns_client_newrdataset(client); negsig = ns_client_newrdataset(client); if (fname == NULL || neg == NULL || negsig == NULL) { goto cleanup; } result = dns_rdataset_getnoqname(qctx->noqname, fname, neg, negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); query_addrrset(qctx, &fname, &neg, &negsig, dbuf, DNS_SECTION_AUTHORITY); if ((qctx->noqname->attributes & DNS_RDATASETATTR_CLOSEST) == 0) { goto cleanup; } if (fname == NULL) { dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); } if (neg == NULL) { neg = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(neg)) { dns_rdataset_disassociate(neg); } if (negsig == NULL) { negsig = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(negsig)) { dns_rdataset_disassociate(negsig); } if (fname == NULL || neg == NULL || negsig == NULL) { goto cleanup; } result = dns_rdataset_getclosest(qctx->noqname, fname, neg, negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); query_addrrset(qctx, &fname, &neg, &negsig, dbuf, DNS_SECTION_AUTHORITY); cleanup: if (neg != NULL) { ns_client_putrdataset(client, &neg); } if (negsig != NULL) { ns_client_putrdataset(client, &negsig); } if (fname != NULL) { ns_client_releasename(client, &fname); } } /*% * Build the response for a query for type ANY. */ static isc_result_t query_respond_any(query_ctx_t *qctx) { bool found = false, hidden = false; dns_rdatasetiter_t *rdsiter = NULL; isc_result_t result; dns_rdatatype_t onetype = 0; /* type to use for minimal-any */ isc_buffer_t b; CCTRACE(ISC_LOG_DEBUG(3), "query_respond_any"); CALL_HOOK(NS_QUERY_RESPOND_ANY_BEGIN, qctx); result = dns_db_allrdatasets(qctx->db, qctx->node, qctx->version, 0, 0, &rdsiter); if (result != ISC_R_SUCCESS) { CCTRACE(ISC_LOG_ERROR, "query_respond_any: allrdatasets " "failed"); QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } /* * Calling query_addrrset() with a non-NULL dbuf is going * to either keep or release the name. We don't want it to * release fname, since we may have to call query_addrrset() * more than once. That means we have to call ns_client_keepname() * now, and pass a NULL dbuf to query_addrrset(). * * If we do a query_addrrset() below, we must set qctx->fname to * NULL before leaving this block, otherwise we might try to * cleanup qctx->fname even though we're using it! */ ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); qctx->tname = qctx->fname; result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, qctx->rdataset); /* * We found an NS RRset; no need to add one later. */ if (qctx->qtype == dns_rdatatype_any && qctx->rdataset->type == dns_rdatatype_ns) { qctx->answer_has_ns = true; } /* * Note: if we're in this function, then qctx->type * is guaranteed to be ANY, but qctx->qtype (i.e. the * original type requested) might have been RRSIG or * SIG; we need to check for that. */ if (qctx->is_zone && qctx->qtype == dns_rdatatype_any && !dns_db_issecure(qctx->db) && dns_rdatatype_isdnssec(qctx->rdataset->type)) { /* * The zone may be transitioning from insecure * to secure. Hide DNSSEC records from ANY queries. */ dns_rdataset_disassociate(qctx->rdataset); hidden = true; } else if (qctx->view->minimal_any && !TCP(qctx->client) && !WANTDNSSEC(qctx->client) && qctx->qtype == dns_rdatatype_any && (qctx->rdataset->type == dns_rdatatype_sig || qctx->rdataset->type == dns_rdatatype_rrsig)) { CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " "minimal-any skip signature"); dns_rdataset_disassociate(qctx->rdataset); } else if (qctx->view->minimal_any && !TCP(qctx->client) && onetype != 0 && qctx->rdataset->type != onetype && qctx->rdataset->covers != onetype) { CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " "minimal-any skip rdataset"); dns_rdataset_disassociate(qctx->rdataset); } else if ((qctx->qtype == dns_rdatatype_any || qctx->rdataset->type == qctx->qtype) && qctx->rdataset->type != 0) { if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { qctx->noqname = qctx->rdataset; } else { qctx->noqname = NULL; } qctx->rpz_st = qctx->client->query.rpz_st; if (qctx->rpz_st != NULL) { qctx->rdataset->ttl = ISC_MIN(qctx->rdataset->ttl, qctx->rpz_st->m.ttl); } if (!qctx->is_zone && RECURSIONOK(qctx->client)) { dns_name_t *name; name = (qctx->fname != NULL) ? qctx->fname : qctx->tname; query_prefetch(qctx->client, name, qctx->rdataset); } /* * Remember the first RRtype we find so we * can skip others with minimal-any. */ if (qctx->rdataset->type == dns_rdatatype_sig || qctx->rdataset->type == dns_rdatatype_rrsig) { onetype = qctx->rdataset->covers; } else { onetype = qctx->rdataset->type; } query_addrrset(qctx, (qctx->fname != NULL) ? &qctx->fname : &qctx->tname, &qctx->rdataset, NULL, NULL, DNS_SECTION_ANSWER); query_addnoqnameproof(qctx); found = true; INSIST(qctx->tname != NULL); /* * rdataset is non-NULL only in certain * pathological cases involving DNAMEs. */ if (qctx->rdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->rdataset); } qctx->rdataset = ns_client_newrdataset(qctx->client); if (qctx->rdataset == NULL) { break; } } else { /* * We're not interested in this rdataset. */ dns_rdataset_disassociate(qctx->rdataset); } result = dns_rdatasetiter_next(rdsiter); } dns_rdatasetiter_destroy(&rdsiter); if (result != ISC_R_NOMORE) { CCTRACE(ISC_LOG_ERROR, "query_respond_any: rdataset iterator " "failed"); QUERY_ERROR(qctx, DNS_R_SERVFAIL); return (ns_query_done(qctx)); } if (found) { /* * Call hook if any answers were found. * Do this before releasing qctx->fname, in case * the hook function needs it. */ CALL_HOOK(NS_QUERY_RESPOND_ANY_FOUND, qctx); } if (qctx->fname != NULL) { dns_message_puttempname(qctx->client->message, &qctx->fname); } if (found) { /* * At least one matching rdataset was found */ query_addauth(qctx); } else if (qctx->qtype == dns_rdatatype_rrsig || qctx->qtype == dns_rdatatype_sig) { /* * No matching rdatasets were found, but we got * here on a search for RRSIG/SIG, so that's okay. */ if (!qctx->is_zone) { qctx->authoritative = false; qctx->client->attributes &= ~NS_CLIENTATTR_RA; query_addauth(qctx); return (ns_query_done(qctx)); } if (qctx->qtype == dns_rdatatype_rrsig && dns_db_issecure(qctx->db)) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(qctx->client->query.qname, namebuf, sizeof(namebuf)); ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "missing signature for %s", namebuf); } qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); return (query_sign_nodata(qctx)); } else if (!hidden) { /* * No matching rdatasets were found and nothing was * deliberately hidden: something must have gone wrong. */ QUERY_ERROR(qctx, DNS_R_SERVFAIL); } return (ns_query_done(qctx)); cleanup: return (result); } /* * Set the expire time, if requested, when answering from a slave, mirror, or * master zone. */ static void query_getexpire(query_ctx_t *qctx) { dns_zone_t *raw = NULL, *mayberaw; CCTRACE(ISC_LOG_DEBUG(3), "query_getexpire"); if (qctx->zone == NULL || !qctx->is_zone || qctx->qtype != dns_rdatatype_soa || qctx->client->query.restarts != 0 || (qctx->client->attributes & NS_CLIENTATTR_WANTEXPIRE) == 0) { return; } dns_zone_getraw(qctx->zone, &raw); mayberaw = (raw != NULL) ? raw : qctx->zone; if (dns_zone_gettype(mayberaw) == dns_zone_secondary || dns_zone_gettype(mayberaw) == dns_zone_mirror) { isc_time_t expiretime; uint32_t secs; dns_zone_getexpiretime(qctx->zone, &expiretime); secs = isc_time_seconds(&expiretime); if (secs >= qctx->client->now && qctx->result == ISC_R_SUCCESS) { qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; qctx->client->expire = secs - qctx->client->now; } } else if (dns_zone_gettype(mayberaw) == dns_zone_primary) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_soa_t soa; result = dns_rdataset_first(qctx->rdataset); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(qctx->rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); qctx->client->expire = soa.expire; qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; } if (raw != NULL) { dns_zone_detach(&raw); } } /*% * Fill the ANSWER section of a positive response. */ static isc_result_t query_addanswer(query_ctx_t *qctx) { dns_rdataset_t **sigrdatasetp = NULL; isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_addanswer"); CALL_HOOK(NS_QUERY_ADDANSWER_BEGIN, qctx); /* * On normal lookups, clear any rdatasets that were added on a * lookup due to stale-answer-client-timeout. Do not clear if we * are going to refresh the RRset, because the stale contents are * prioritized. */ if (QUERY_STALEOK(&qctx->client->query) && !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) { CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); query_clear_stale(qctx->client); /* * We can clear the attribute to prevent redundant clearing * in subsequent lookups. */ qctx->client->query.attributes &= ~NS_QUERYATTR_STALEOK; } if (qctx->dns64) { result = query_dns64(qctx); qctx->noqname = NULL; dns_rdataset_disassociate(qctx->rdataset); dns_message_puttemprdataset(qctx->client->message, &qctx->rdataset); if (result == ISC_R_NOMORE) { #ifndef dns64_bis_return_excluded_addresses if (qctx->dns64_exclude) { if (!qctx->is_zone) { return (ns_query_done(qctx)); } /* * Add a fake SOA record. */ (void)query_addsoa(qctx, 600, DNS_SECTION_AUTHORITY); return (ns_query_done(qctx)); } #endif /* ifndef dns64_bis_return_excluded_addresses */ if (qctx->is_zone) { return (query_nodata(qctx, DNS_R_NXDOMAIN)); } else { return (query_ncache(qctx, DNS_R_NXDOMAIN)); } } else if (result != ISC_R_SUCCESS) { qctx->result = result; return (ns_query_done(qctx)); } } else if (qctx->client->query.dns64_aaaaok != NULL) { query_filter64(qctx); ns_client_putrdataset(qctx->client, &qctx->rdataset); } else { if (!qctx->is_zone && RECURSIONOK(qctx->client) && !QUERY_STALETIMEOUT(&qctx->client->query)) { query_prefetch(qctx->client, qctx->fname, qctx->rdataset); } if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { sigrdatasetp = &qctx->sigrdataset; } query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER); } return (ISC_R_COMPLETE); cleanup: return (result); } /*% * Build a response for a "normal" query, for a type other than ANY, * for which we have an answer (either positive or negative). */ static isc_result_t query_respond(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_respond"); /* * Check to see if the AAAA RRset has non-excluded addresses * in it. If not look for a A RRset. */ INSIST(qctx->client->query.dns64_aaaaok == NULL); if (qctx->qtype == dns_rdatatype_aaaa && !qctx->dns64_exclude && !ISC_LIST_EMPTY(qctx->view->dns64) && qctx->client->message->rdclass == dns_rdataclass_in && !dns64_aaaaok(qctx->client, qctx->rdataset, qctx->sigrdataset)) { /* * Look to see if there are A records for this name. */ qctx->client->query.dns64_ttl = qctx->rdataset->ttl; SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); ns_client_releasename(qctx->client, &qctx->fname); dns_db_detachnode(qctx->db, &qctx->node); qctx->type = qctx->qtype = dns_rdatatype_a; qctx->dns64_exclude = qctx->dns64 = true; return (query_lookup(qctx)); } /* * XXX: This hook is meant to be at the top of this function, * but is postponed until after DNS64 in order to avoid an * assertion if the hook causes recursion. (When DNS64 also * becomes a plugin, it will be necessary to find some * other way to prevent that assertion, since the order in * which plugins are configured can't be enforced.) */ CALL_HOOK(NS_QUERY_RESPOND_BEGIN, qctx); if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { qctx->noqname = qctx->rdataset; } else { qctx->noqname = NULL; } /* * Special case NS handling */ if (qctx->is_zone && qctx->qtype == dns_rdatatype_ns) { /* * We've already got an NS, no need to add one in * the authority section */ if (dns_name_equal(qctx->client->query.qname, dns_db_origin(qctx->db))) { qctx->answer_has_ns = true; } /* * Always add glue for root priming queries, regardless * of "minimal-responses" setting. */ if (dns_name_equal(qctx->client->query.qname, dns_rootname)) { qctx->client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; dns_db_attach(qctx->db, &qctx->client->query.gluedb); } } /* * Set expire time */ query_getexpire(qctx); result = query_addanswer(qctx); if (result != ISC_R_COMPLETE) { return (result); } query_addnoqnameproof(qctx); /* * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of * the message to be sent to the client already contains an RRset with * the same owner name and the same type as 'qctx->rdataset'. This * should never happen, with one exception: when chasing DNAME records, * one of the DNAME records placed in the ANSWER section may turn out * to be the final answer to the client's query, but we have no way of * knowing that until now. In such a case, 'qctx->rdataset' will be * freed later, so we do not need to free it here. */ INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname); query_addauth(qctx); return (ns_query_done(qctx)); cleanup: return (result); } static isc_result_t query_dns64(query_ctx_t *qctx) { ns_client_t *client = qctx->client; dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); dns_name_t *name, *mname; dns_rdata_t *dns64_rdata; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdatalist_t *dns64_rdatalist; dns_rdataset_t *dns64_rdataset; dns_rdataset_t *mrdataset; isc_buffer_t *buffer; isc_region_t r; isc_result_t result; dns_view_t *view = client->view; isc_netaddr_t netaddr; dns_dns64_t *dns64; unsigned int flags = 0; const dns_section_t section = DNS_SECTION_ANSWER; /*% * To the current response for 'qctx->client', add the answer RRset * '*rdatasetp' and an optional signature set '*sigrdatasetp', with * owner name '*namep', to the answer section, unless they are * already there. Also add any pertinent additional data. * * If 'qctx->dbuf' is not NULL, then 'qctx->fname' is the name * whose data is stored 'qctx->dbuf'. In this case, * query_addrrset() guarantees that when it returns the name * will either have been kept or released. */ CTRACE(ISC_LOG_DEBUG(3), "query_dns64"); qctx->qtype = qctx->type = dns_rdatatype_aaaa; name = qctx->fname; mname = NULL; mrdataset = NULL; buffer = NULL; dns64_rdata = NULL; dns64_rdataset = NULL; dns64_rdatalist = NULL; result = dns_message_findname( client->message, section, name, dns_rdatatype_aaaa, qctx->rdataset->covers, &mname, &mrdataset); if (result == ISC_R_SUCCESS) { /* * We've already got an RRset of the given name and type. * There's nothing else to do; */ CTRACE(ISC_LOG_DEBUG(3), "query_dns64: dns_message_findname " "succeeded: done"); if (qctx->dbuf != NULL) { ns_client_releasename(client, &qctx->fname); } return (ISC_R_SUCCESS); } else if (result == DNS_R_NXDOMAIN) { /* * The name doesn't exist. */ if (qctx->dbuf != NULL) { ns_client_keepname(client, name, qctx->dbuf); } dns_message_addname(client->message, name, section); qctx->fname = NULL; mname = name; } else { RUNTIME_CHECK(result == DNS_R_NXRRSET); if (qctx->dbuf != NULL) { ns_client_releasename(client, &qctx->fname); } } if (qctx->rdataset->trust != dns_trust_secure) { client->query.attributes &= ~NS_QUERYATTR_SECURE; } isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt * 16 * dns_rdataset_count(qctx->rdataset)); result = dns_message_gettemprdataset(client->message, &dns64_rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } result = dns_message_gettemprdatalist(client->message, &dns64_rdatalist); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdatalist_init(dns64_rdatalist); dns64_rdatalist->rdclass = dns_rdataclass_in; dns64_rdatalist->type = dns_rdatatype_aaaa; if (client->query.dns64_ttl != UINT32_MAX) { dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, client->query.dns64_ttl); } else { dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, 600); } if (RECURSIONOK(client)) { flags |= DNS_DNS64_RECURSIVE; } /* * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC * as this provides a easy way to see if the answer was signed. */ if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL && dns_rdataset_isassociated(qctx->sigrdataset)) { flags |= DNS_DNS64_DNSSEC; } for (result = dns_rdataset_first(qctx->rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(qctx->rdataset)) { for (dns64 = ISC_LIST_HEAD(client->view->dns64); dns64 != NULL; dns64 = dns_dns64_next(dns64)) { dns_rdataset_current(qctx->rdataset, &rdata); isc_buffer_availableregion(buffer, &r); INSIST(r.length >= 16); result = dns_dns64_aaaafroma(dns64, &netaddr, client->signer, env, flags, rdata.data, r.base); if (result != ISC_R_SUCCESS) { dns_rdata_reset(&rdata); continue; } isc_buffer_add(buffer, 16); isc_buffer_remainingregion(buffer, &r); isc_buffer_forward(buffer, 16); result = dns_message_gettemprdata(client->message, &dns64_rdata); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdata_init(dns64_rdata); dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in, dns_rdatatype_aaaa, &r); ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata, link); dns64_rdata = NULL; dns_rdata_reset(&rdata); } } if (result != ISC_R_NOMORE) { goto cleanup; } if (ISC_LIST_EMPTY(dns64_rdatalist->rdata)) { goto cleanup; } result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdataset_setownercase(dns64_rdataset, mname); client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; dns64_rdataset->trust = qctx->rdataset->trust; query_addtoname(mname, dns64_rdataset); query_setorder(qctx, mname, dns64_rdataset); dns64_rdataset = NULL; dns64_rdatalist = NULL; dns_message_takebuffer(client->message, &buffer); inc_stats(client, ns_statscounter_dns64); result = ISC_R_SUCCESS; cleanup: if (buffer != NULL) { isc_buffer_free(&buffer); } if (dns64_rdata != NULL) { dns_message_puttemprdata(client->message, &dns64_rdata); } if (dns64_rdataset != NULL) { dns_message_puttemprdataset(client->message, &dns64_rdataset); } if (dns64_rdatalist != NULL) { for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata); dns64_rdata != NULL; dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata)) { ISC_LIST_UNLINK(dns64_rdatalist->rdata, dns64_rdata, link); dns_message_puttemprdata(client->message, &dns64_rdata); } dns_message_puttemprdatalist(client->message, &dns64_rdatalist); } CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done"); return (result); } static void query_filter64(query_ctx_t *qctx) { ns_client_t *client = qctx->client; dns_name_t *name, *mname; dns_rdata_t *myrdata; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdatalist_t *myrdatalist; dns_rdataset_t *myrdataset; isc_buffer_t *buffer; isc_region_t r; isc_result_t result; unsigned int i; const dns_section_t section = DNS_SECTION_ANSWER; CTRACE(ISC_LOG_DEBUG(3), "query_filter64"); INSIST(client->query.dns64_aaaaok != NULL); INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(qctx->rdataset)); name = qctx->fname; mname = NULL; buffer = NULL; myrdata = NULL; myrdataset = NULL; myrdatalist = NULL; result = dns_message_findname( client->message, section, name, dns_rdatatype_aaaa, qctx->rdataset->covers, &mname, &myrdataset); if (result == ISC_R_SUCCESS) { /* * We've already got an RRset of the given name and type. * There's nothing else to do; */ CTRACE(ISC_LOG_DEBUG(3), "query_filter64: dns_message_findname " "succeeded: done"); if (qctx->dbuf != NULL) { ns_client_releasename(client, &qctx->fname); } return; } else if (result == DNS_R_NXDOMAIN) { mname = name; qctx->fname = NULL; } else { RUNTIME_CHECK(result == DNS_R_NXRRSET); if (qctx->dbuf != NULL) { ns_client_releasename(client, &qctx->fname); } qctx->dbuf = NULL; } if (qctx->rdataset->trust != dns_trust_secure) { client->query.attributes &= ~NS_QUERYATTR_SECURE; } isc_buffer_allocate(client->mctx, &buffer, 16 * dns_rdataset_count(qctx->rdataset)); result = dns_message_gettemprdataset(client->message, &myrdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } result = dns_message_gettemprdatalist(client->message, &myrdatalist); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdatalist_init(myrdatalist); myrdatalist->rdclass = dns_rdataclass_in; myrdatalist->type = dns_rdatatype_aaaa; myrdatalist->ttl = qctx->rdataset->ttl; i = 0; for (result = dns_rdataset_first(qctx->rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(qctx->rdataset)) { if (!client->query.dns64_aaaaok[i++]) { continue; } dns_rdataset_current(qctx->rdataset, &rdata); INSIST(rdata.length == 16); isc_buffer_putmem(buffer, rdata.data, rdata.length); isc_buffer_remainingregion(buffer, &r); isc_buffer_forward(buffer, rdata.length); result = dns_message_gettemprdata(client->message, &myrdata); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdata_init(myrdata); dns_rdata_fromregion(myrdata, dns_rdataclass_in, dns_rdatatype_aaaa, &r); ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link); myrdata = NULL; dns_rdata_reset(&rdata); } if (result != ISC_R_NOMORE) { goto cleanup; } result = dns_rdatalist_tordataset(myrdatalist, myrdataset); if (result != ISC_R_SUCCESS) { goto cleanup; } dns_rdataset_setownercase(myrdataset, name); client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; if (mname == name) { if (qctx->dbuf != NULL) { ns_client_keepname(client, name, qctx->dbuf); } dns_message_addname(client->message, name, section); qctx->dbuf = NULL; } myrdataset->trust = qctx->rdataset->trust; query_addtoname(mname, myrdataset); query_setorder(qctx, mname, myrdataset); myrdataset = NULL; myrdatalist = NULL; dns_message_takebuffer(client->message, &buffer); cleanup: if (buffer != NULL) { isc_buffer_free(&buffer); } if (myrdata != NULL) { dns_message_puttemprdata(client->message, &myrdata); } if (myrdataset != NULL) { dns_message_puttemprdataset(client->message, &myrdataset); } if (myrdatalist != NULL) { for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata); myrdata != NULL; myrdata = ISC_LIST_HEAD(myrdatalist->rdata)) { ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link); dns_message_puttemprdata(client->message, &myrdata); } dns_message_puttemprdatalist(client->message, &myrdatalist); } if (qctx->dbuf != NULL) { ns_client_releasename(client, &name); } CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done"); } /*% * Handle the case of a name not being found in a database lookup. * Called from query_gotanswer(). Passes off processing to * query_delegation() for a root referral if appropriate. */ static isc_result_t query_notfound(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_notfound"); CALL_HOOK(NS_QUERY_NOTFOUND_BEGIN, qctx); INSIST(!qctx->is_zone); if (qctx->db != NULL) { dns_db_detach(&qctx->db); } /* * If the cache doesn't even have the root NS, * try to get that from the hints DB. */ if (qctx->view->hints != NULL) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, qctx->client, NULL, NULL); dns_db_attach(qctx->view->hints, &qctx->db); result = dns_db_findext(qctx->db, dns_rootname, NULL, dns_rdatatype_ns, 0, qctx->client->now, &qctx->node, qctx->fname, &cm, &ci, qctx->rdataset, qctx->sigrdataset); } else { /* We have no hints. */ result = ISC_R_FAILURE; } if (result != ISC_R_SUCCESS) { /* * Nonsensical root hints may require cleanup. */ qctx_clean(qctx); /* * We don't have any root server hints, but * we may have working forwarders, so try to * recurse anyway. */ if (RECURSIONOK(qctx->client)) { INSIST(!REDIRECT(qctx->client)); result = ns_query_recurse(qctx->client, qctx->qtype, qctx->client->query.qname, NULL, NULL, qctx->resuming); if (result == ISC_R_SUCCESS) { CALL_HOOK(NS_QUERY_NOTFOUND_RECURSE, qctx); qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; if (qctx->dns64) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64; } if (qctx->dns64_exclude) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64EXCLUDE; } } else if (query_usestale(qctx, result)) { /* * If serve-stale is enabled, query_usestale() * already set up 'qctx' for looking up a * stale response. */ return (query_lookup(qctx)); } else { QUERY_ERROR(qctx, result); } return (ns_query_done(qctx)); } else { /* Unable to give root server referral. */ CCTRACE(ISC_LOG_ERROR, "unable to give root server " "referral"); QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } } return (query_delegation(qctx)); cleanup: return (result); } /*% * We have a delegation but recursion is not allowed, so return the delegation * to the client. */ static isc_result_t query_prepare_delegation_response(query_ctx_t *qctx) { isc_result_t result; dns_rdataset_t **sigrdatasetp = NULL; bool detach = false; CALL_HOOK(NS_QUERY_PREP_DELEGATION_BEGIN, qctx); /* * qctx->fname could be released in query_addrrset(), so save a copy of * it here in case we need it. */ dns_fixedname_init(&qctx->dsname); dns_name_copynf(qctx->fname, dns_fixedname_name(&qctx->dsname)); /* * This is the best answer. */ qctx->client->query.isreferral = true; if (!dns_db_iscache(qctx->db) && qctx->client->query.gluedb == NULL) { dns_db_attach(qctx->db, &qctx->client->query.gluedb); detach = true; } /* * We must ensure NOADDITIONAL is off, because the generation of * additional data is required in delegations. */ qctx->client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { sigrdatasetp = &qctx->sigrdataset; } query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, qctx->dbuf, DNS_SECTION_AUTHORITY); if (detach) { dns_db_detach(&qctx->client->query.gluedb); } /* * Add DS/NSEC(3) record(s) if needed. */ query_addds(qctx); return (ns_query_done(qctx)); cleanup: return (result); } /*% * Handle a delegation response from an authoritative lookup. This * may trigger additional lookups, e.g. from the cache database to * see if we have a better answer; if that is not allowed, return the * delegation to the client and call ns_query_done(). */ static isc_result_t query_zone_delegation(query_ctx_t *qctx) { isc_result_t result; CALL_HOOK(NS_QUERY_ZONE_DELEGATION_BEGIN, qctx); /* * If the query type is DS, look to see if we are * authoritative for the child zone */ if (!RECURSIONOK(qctx->client) && (qctx->options & DNS_GETDB_NOEXACT) != 0 && qctx->qtype == dns_rdatatype_ds) { dns_db_t *tdb = NULL; dns_zone_t *tzone = NULL; dns_dbversion_t *tversion = NULL; result = query_getzonedb( qctx->client, qctx->client->query.qname, qctx->qtype, DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion); if (result != ISC_R_SUCCESS) { if (tdb != NULL) { dns_db_detach(&tdb); } if (tzone != NULL) { dns_zone_detach(&tzone); } } else { qctx->options &= ~DNS_GETDB_NOEXACT; ns_client_putrdataset(qctx->client, &qctx->rdataset); if (qctx->sigrdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->sigrdataset); } if (qctx->fname != NULL) { ns_client_releasename(qctx->client, &qctx->fname); } if (qctx->node != NULL) { dns_db_detachnode(qctx->db, &qctx->node); } if (qctx->db != NULL) { dns_db_detach(&qctx->db); } if (qctx->zone != NULL) { dns_zone_detach(&qctx->zone); } qctx->version = NULL; RESTORE(qctx->version, tversion); RESTORE(qctx->db, tdb); RESTORE(qctx->zone, tzone); qctx->authoritative = true; return (query_lookup(qctx)); } } if (USECACHE(qctx->client) && (RECURSIONOK(qctx->client) || (qctx->zone != NULL && dns_zone_gettype(qctx->zone) == dns_zone_mirror))) { /* * We might have a better answer or delegation in the * cache. We'll remember the current values of fname, * rdataset, and sigrdataset. We'll then go looking for * QNAME in the cache. If we find something better, we'll * use it instead. If not, then query_lookup() calls * query_notfound() which calls query_delegation(), and * we'll restore these values there. */ ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); SAVE(qctx->zdb, qctx->db); SAVE(qctx->znode, qctx->node); SAVE(qctx->zfname, qctx->fname); SAVE(qctx->zversion, qctx->version); SAVE(qctx->zrdataset, qctx->rdataset); SAVE(qctx->zsigrdataset, qctx->sigrdataset); dns_db_attach(qctx->view->cachedb, &qctx->db); qctx->is_zone = false; return (query_lookup(qctx)); } return (query_prepare_delegation_response(qctx)); cleanup: return (result); } /*% * Handle delegation responses, including root referrals. * * If the delegation was returned from authoritative data, * call query_zone_delgation(). Otherwise, we can start * recursion if allowed; or else return the delegation to the * client and call ns_query_done(). */ static isc_result_t query_delegation(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_delegation"); CALL_HOOK(NS_QUERY_DELEGATION_BEGIN, qctx); qctx->authoritative = false; if (qctx->is_zone) { return (query_zone_delegation(qctx)); } if (qctx->zfname != NULL && (!dns_name_issubdomain(qctx->fname, qctx->zfname) || (qctx->is_staticstub_zone && dns_name_equal(qctx->fname, qctx->zfname)))) { /* * In the following cases use "authoritative" * data instead of the cache delegation: * 1. We've already got a delegation from * authoritative data, and it is better * than what we found in the cache. * (See the comment above.) * 2. The query name matches the origin name * of a static-stub zone. This needs to be * considered for the case where the NS of * the static-stub zone and the cached NS * are different. We still need to contact * the nameservers configured in the * static-stub zone. */ ns_client_releasename(qctx->client, &qctx->fname); /* * We've already done ns_client_keepname() on * qctx->zfname, so we must set dbuf to NULL to * prevent query_addrrset() from trying to * call ns_client_keepname() again. */ qctx->dbuf = NULL; ns_client_putrdataset(qctx->client, &qctx->rdataset); if (qctx->sigrdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->sigrdataset); } qctx->version = NULL; dns_db_detachnode(qctx->db, &qctx->node); dns_db_detach(&qctx->db); RESTORE(qctx->db, qctx->zdb); RESTORE(qctx->node, qctx->znode); RESTORE(qctx->fname, qctx->zfname); RESTORE(qctx->version, qctx->zversion); RESTORE(qctx->rdataset, qctx->zrdataset); RESTORE(qctx->sigrdataset, qctx->zsigrdataset); } result = query_delegation_recurse(qctx); if (result != ISC_R_COMPLETE) { return (result); } return (query_prepare_delegation_response(qctx)); cleanup: return (result); } /*% * Handle recursive queries that are triggered as part of the * delegation process. */ static isc_result_t query_delegation_recurse(query_ctx_t *qctx) { isc_result_t result; dns_name_t *qname = qctx->client->query.qname; CCTRACE(ISC_LOG_DEBUG(3), "query_delegation_recurse"); if (!RECURSIONOK(qctx->client)) { return (ISC_R_COMPLETE); } CALL_HOOK(NS_QUERY_DELEGATION_RECURSE_BEGIN, qctx); /* * We have a delegation and recursion is allowed, * so we call ns_query_recurse() to follow it. * This phase of the query processing is done; * we'll resume via fetch_callback() and * query_resume() when the recursion is complete. */ INSIST(!REDIRECT(qctx->client)); if (dns_rdatatype_atparent(qctx->type)) { /* * Parent is authoritative for this RDATA type (i.e. DS). */ result = ns_query_recurse(qctx->client, qctx->qtype, qname, NULL, NULL, qctx->resuming); } else if (qctx->dns64) { /* * Look up an A record so we can synthesize DNS64. */ result = ns_query_recurse(qctx->client, dns_rdatatype_a, qname, NULL, NULL, qctx->resuming); } else { /* * Any other recursion. */ result = ns_query_recurse(qctx->client, qctx->qtype, qname, qctx->fname, qctx->rdataset, qctx->resuming); } if (result == ISC_R_SUCCESS) { qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; if (qctx->dns64) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64; } if (qctx->dns64_exclude) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64EXCLUDE; } } else if (query_usestale(qctx, result)) { /* * If serve-stale is enabled, query_usestale() already set up * 'qctx' for looking up a stale response. */ return (query_lookup(qctx)); } else { QUERY_ERROR(qctx, result); } return (ns_query_done(qctx)); cleanup: return (result); } /*% * Add DS/NSEC(3) record(s) if needed. */ static void query_addds(query_ctx_t *qctx) { ns_client_t *client = qctx->client; dns_fixedname_t fixed; dns_name_t *fname = NULL; dns_name_t *rname = NULL; dns_name_t *name; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; isc_buffer_t *dbuf, b; isc_result_t result; unsigned int count; CTRACE(ISC_LOG_DEBUG(3), "query_addds"); /* * DS not needed. */ if (!WANTDNSSEC(client)) { return; } /* * We'll need some resources... */ rdataset = ns_client_newrdataset(client); sigrdataset = ns_client_newrdataset(client); if (rdataset == NULL || sigrdataset == NULL) { goto cleanup; } /* * Look for the DS record, which may or may not be present. */ result = dns_db_findrdataset(qctx->db, qctx->node, qctx->version, dns_rdatatype_ds, 0, client->now, rdataset, sigrdataset); /* * If we didn't find it, look for an NSEC. */ if (result == ISC_R_NOTFOUND) { result = dns_db_findrdataset( qctx->db, qctx->node, qctx->version, dns_rdatatype_nsec, 0, client->now, rdataset, sigrdataset); } if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { goto addnsec3; } if (!dns_rdataset_isassociated(rdataset) || !dns_rdataset_isassociated(sigrdataset)) { goto addnsec3; } /* * We've already added the NS record, so if the name's not there, * we have other problems. */ result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY); if (result != ISC_R_SUCCESS) { goto cleanup; } /* * Find the delegation in the response message - it is not necessarily * the first name in the AUTHORITY section when wildcard processing is * involved. */ while (result == ISC_R_SUCCESS) { rname = NULL; dns_message_currentname(client->message, DNS_SECTION_AUTHORITY, &rname); result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL); if (result == ISC_R_SUCCESS) { break; } result = dns_message_nextname(client->message, DNS_SECTION_AUTHORITY); } if (result != ISC_R_SUCCESS) { goto cleanup; } /* * Add the relevant RRset (DS or NSEC) to the delegation. */ query_addrrset(qctx, &rname, &rdataset, &sigrdataset, NULL, DNS_SECTION_AUTHORITY); goto cleanup; addnsec3: if (!dns_db_iszone(qctx->db)) { goto cleanup; } /* * Add the NSEC3 which proves the DS does not exist. */ dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); dns_fixedname_init(&fixed); if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } name = dns_fixedname_name(&qctx->dsname); query_findclosestnsec3(name, qctx->db, qctx->version, client, rdataset, sigrdataset, fname, true, dns_fixedname_name(&fixed)); if (!dns_rdataset_isassociated(rdataset)) { goto cleanup; } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); /* * Did we find the closest provable encloser instead? * If so add the nearest to the closest provable encloser. */ if (!dns_name_equal(name, dns_fixedname_name(&fixed))) { count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1; dns_name_getlabelsequence(name, dns_name_countlabels(name) - count, count, dns_fixedname_name(&fixed)); fixfname(client, &fname, &dbuf, &b); fixrdataset(client, &rdataset); fixrdataset(client, &sigrdataset); if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { goto cleanup; } query_findclosestnsec3(dns_fixedname_name(&fixed), qctx->db, qctx->version, client, rdataset, sigrdataset, fname, false, NULL); if (!dns_rdataset_isassociated(rdataset)) { goto cleanup; } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); } cleanup: if (rdataset != NULL) { ns_client_putrdataset(client, &rdataset); } if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (fname != NULL) { ns_client_releasename(client, &fname); } } /*% * Handle authoritative NOERROR/NODATA responses. */ static isc_result_t query_nodata(query_ctx_t *qctx, isc_result_t res) { isc_result_t result = res; CCTRACE(ISC_LOG_DEBUG(3), "query_nodata"); CALL_HOOK(NS_QUERY_NODATA_BEGIN, qctx); #ifdef dns64_bis_return_excluded_addresses if (qctx->dns64) #else /* ifdef dns64_bis_return_excluded_addresses */ if (qctx->dns64 && !qctx->dns64_exclude) #endif /* ifdef dns64_bis_return_excluded_addresses */ { isc_buffer_t b; /* * Restore the answers from the previous AAAA lookup. */ if (qctx->rdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->rdataset); } if (qctx->sigrdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->sigrdataset); } RESTORE(qctx->rdataset, qctx->client->query.dns64_aaaa); RESTORE(qctx->sigrdataset, qctx->client->query.dns64_sigaaaa); if (qctx->fname == NULL) { qctx->dbuf = ns_client_getnamebuf(qctx->client); if (qctx->dbuf == NULL) { CCTRACE(ISC_LOG_ERROR, "query_nodata: " "ns_client_getnamebuf " "failed (3)"); QUERY_ERROR(qctx, ISC_R_NOMEMORY); return (ns_query_done(qctx)); } qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); if (qctx->fname == NULL) { CCTRACE(ISC_LOG_ERROR, "query_nodata: " "ns_client_newname " "failed (3)"); QUERY_ERROR(qctx, ISC_R_NOMEMORY); return (ns_query_done(qctx)); } } dns_name_copynf(qctx->client->query.qname, qctx->fname); qctx->dns64 = false; #ifdef dns64_bis_return_excluded_addresses /* * Resume the diverted processing of the AAAA response? */ if (qctx->dns64_exclude) { return (query_prepresponse(qctx)); } #endif /* ifdef dns64_bis_return_excluded_addresses */ } else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) && !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite && qctx->client->message->rdclass == dns_rdataclass_in && qctx->qtype == dns_rdatatype_aaaa) { /* * Look to see if there are A records for this name. */ switch (result) { case DNS_R_NCACHENXRRSET: /* * This is from the negative cache; if the ttl is * zero, we need to work out whether we have just * decremented to zero or there was no negative * cache ttl in the answer. */ if (qctx->rdataset->ttl != 0) { qctx->client->query.dns64_ttl = qctx->rdataset->ttl; break; } if (dns_rdataset_first(qctx->rdataset) == ISC_R_SUCCESS) { qctx->client->query.dns64_ttl = 0; } break; case DNS_R_NXRRSET: qctx->client->query.dns64_ttl = dns64_ttl(qctx->db, qctx->version); break; default: UNREACHABLE(); } SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); ns_client_releasename(qctx->client, &qctx->fname); dns_db_detachnode(qctx->db, &qctx->node); qctx->type = qctx->qtype = dns_rdatatype_a; qctx->dns64 = true; return (query_lookup(qctx)); } if (qctx->is_zone) { return (query_sign_nodata(qctx)); } else { /* * We don't call query_addrrset() because we don't need any * of its extra features (and things would probably break!). */ if (dns_rdataset_isassociated(qctx->rdataset)) { ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); dns_message_addname(qctx->client->message, qctx->fname, DNS_SECTION_AUTHORITY); ISC_LIST_APPEND(qctx->fname->list, qctx->rdataset, link); qctx->fname = NULL; qctx->rdataset = NULL; } } return (ns_query_done(qctx)); cleanup: return (result); } /*% * Add RRSIGs for NOERROR/NODATA responses when answering authoritatively. */ isc_result_t query_sign_nodata(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_sign_nodata"); /* * Look for a NSEC3 record if we don't have a NSEC record. */ if (qctx->redirected) { return (ns_query_done(qctx)); } if (!dns_rdataset_isassociated(qctx->rdataset) && WANTDNSSEC(qctx->client)) { if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) { dns_name_t *found; dns_name_t *qname; dns_fixedname_t fixed; isc_buffer_t b; found = dns_fixedname_initname(&fixed); qname = qctx->client->query.qname; query_findclosestnsec3(qname, qctx->db, qctx->version, qctx->client, qctx->rdataset, qctx->sigrdataset, qctx->fname, true, found); /* * Did we find the closest provable encloser * instead? If so add the nearest to the * closest provable encloser. */ if (dns_rdataset_isassociated(qctx->rdataset) && !dns_name_equal(qname, found) && (((qctx->client->sctx->options & NS_SERVER_NONEAREST) == 0) || qctx->qtype == dns_rdatatype_ds)) { unsigned int count; unsigned int skip; /* * Add the closest provable encloser. */ query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, qctx->dbuf, DNS_SECTION_AUTHORITY); count = dns_name_countlabels(found) + 1; skip = dns_name_countlabels(qname) - count; dns_name_getlabelsequence(qname, skip, count, found); fixfname(qctx->client, &qctx->fname, &qctx->dbuf, &b); fixrdataset(qctx->client, &qctx->rdataset); fixrdataset(qctx->client, &qctx->sigrdataset); if (qctx->fname == NULL || qctx->rdataset == NULL || qctx->sigrdataset == NULL) { CCTRACE(ISC_LOG_ERROR, "query_sign_" "nodata: " "failure " "getting " "closest " "encloser"); QUERY_ERROR(qctx, ISC_R_NOMEMORY); return (ns_query_done(qctx)); } /* * 'nearest' doesn't exist so * 'exist' is set to false. */ query_findclosestnsec3( found, qctx->db, qctx->version, qctx->client, qctx->rdataset, qctx->sigrdataset, qctx->fname, false, NULL); } } else { ns_client_releasename(qctx->client, &qctx->fname); query_addwildcardproof(qctx, false, true); } } if (dns_rdataset_isassociated(qctx->rdataset)) { /* * If we've got a NSEC record, we need to save the * name now because we're going call query_addsoa() * below, and it needs to use the name buffer. */ ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); } else if (qctx->fname != NULL) { /* * We're not going to use fname, and need to release * our hold on the name buffer so query_addsoa() * may use it. */ ns_client_releasename(qctx->client, &qctx->fname); } /* * The RPZ SOA has already been added to the additional section * if this was an RPZ rewrite, but if it wasn't, add it now. */ if (!qctx->nxrewrite) { result = query_addsoa(qctx, UINT32_MAX, DNS_SECTION_AUTHORITY); if (result != ISC_R_SUCCESS) { QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } } /* * Add NSEC record if we found one. */ if (WANTDNSSEC(qctx->client) && dns_rdataset_isassociated(qctx->rdataset)) { query_addnxrrsetnsec(qctx); } return (ns_query_done(qctx)); } static void query_addnxrrsetnsec(query_ctx_t *qctx) { ns_client_t *client = qctx->client; dns_rdata_t sigrdata; dns_rdata_rrsig_t sig; unsigned int labels; isc_buffer_t *dbuf, b; dns_name_t *fname; isc_result_t result; INSIST(qctx->fname != NULL); if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) { query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); return; } if (qctx->sigrdataset == NULL || !dns_rdataset_isassociated(qctx->sigrdataset)) { return; } if (dns_rdataset_first(qctx->sigrdataset) != ISC_R_SUCCESS) { return; } dns_rdata_init(&sigrdata); dns_rdataset_current(qctx->sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); labels = dns_name_countlabels(qctx->fname); if ((unsigned int)sig.labels + 1 >= labels) { return; } query_addwildcardproof(qctx, true, false); /* * We'll need some resources... */ dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { return; } fname = ns_client_newname(client, dbuf, &b); if (fname == NULL) { return; } dns_name_split(qctx->fname, sig.labels + 1, NULL, fname); /* This will succeed, since we've stripped labels. */ RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname, NULL) == ISC_R_SUCCESS); query_addrrset(qctx, &fname, &qctx->rdataset, &qctx->sigrdataset, dbuf, DNS_SECTION_AUTHORITY); } /*% * Handle NXDOMAIN and empty wildcard responses. */ static isc_result_t query_nxdomain(query_ctx_t *qctx, isc_result_t result) { dns_section_t section; uint32_t ttl; bool empty_wild = (result == DNS_R_EMPTYWILD); CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); CALL_HOOK(NS_QUERY_NXDOMAIN_BEGIN, qctx); INSIST(qctx->is_zone || REDIRECT(qctx->client)); if (!empty_wild) { result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } } if (dns_rdataset_isassociated(qctx->rdataset)) { /* * If we've got a NSEC record, we need to save the * name now because we're going call query_addsoa() * below, and it needs to use the name buffer. */ ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); } else if (qctx->fname != NULL) { /* * We're not going to use fname, and need to release * our hold on the name buffer so query_addsoa() * may use it. */ ns_client_releasename(qctx->client, &qctx->fname); } /* * Add SOA to the additional section if generated by a * RPZ rewrite. * * If the query was for a SOA record force the * ttl to zero so that it is possible for clients to find * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ section = qctx->nxrewrite ? DNS_SECTION_ADDITIONAL : DNS_SECTION_AUTHORITY; ttl = UINT32_MAX; if (!qctx->nxrewrite && qctx->qtype == dns_rdatatype_soa && qctx->zone != NULL && dns_zone_getzeronosoattl(qctx->zone)) { ttl = 0; } if (!qctx->nxrewrite || (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa)) { result = query_addsoa(qctx, ttl, section); if (result != ISC_R_SUCCESS) { QUERY_ERROR(qctx, result); return (ns_query_done(qctx)); } } if (WANTDNSSEC(qctx->client)) { /* * Add NSEC record if we found one. */ if (dns_rdataset_isassociated(qctx->rdataset)) { query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); } query_addwildcardproof(qctx, false, false); } /* * Set message rcode. */ if (empty_wild) { qctx->client->message->rcode = dns_rcode_noerror; } else { qctx->client->message->rcode = dns_rcode_nxdomain; } return (ns_query_done(qctx)); cleanup: return (result); } /* * Handle both types of NXDOMAIN redirection, calling redirect() * (which implements type redirect zones) and redirect2() (which * implements recursive nxdomain-redirect lookups). * * Any result code other than ISC_R_COMPLETE means redirection was * successful and the result code should be returned up the call stack. * * ISC_R_COMPLETE means we reached the end of this function without * redirecting, so query processing should continue past it. */ static isc_result_t query_redirect(query_ctx_t *qctx, isc_result_t saved_result) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); result = redirect(qctx->client, qctx->fname, qctx->rdataset, &qctx->node, &qctx->db, &qctx->version, qctx->type); switch (result) { case ISC_R_SUCCESS: inc_stats(qctx->client, ns_statscounter_nxdomainredirect); return (query_prepresponse(qctx)); case DNS_R_NXRRSET: qctx->redirected = true; qctx->is_zone = true; return (query_nodata(qctx, DNS_R_NXRRSET)); case DNS_R_NCACHENXRRSET: qctx->redirected = true; qctx->is_zone = false; return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); default: break; } result = redirect2(qctx->client, qctx->fname, qctx->rdataset, &qctx->node, &qctx->db, &qctx->version, qctx->type, &qctx->is_zone); switch (result) { case ISC_R_SUCCESS: inc_stats(qctx->client, ns_statscounter_nxdomainredirect); return (query_prepresponse(qctx)); case DNS_R_CONTINUE: inc_stats(qctx->client, ns_statscounter_nxdomainredirect_rlookup); SAVE(qctx->client->query.redirect.db, qctx->db); SAVE(qctx->client->query.redirect.node, qctx->node); SAVE(qctx->client->query.redirect.zone, qctx->zone); qctx->client->query.redirect.qtype = qctx->qtype; INSIST(qctx->rdataset != NULL); SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); SAVE(qctx->client->query.redirect.sigrdataset, qctx->sigrdataset); qctx->client->query.redirect.result = saved_result; dns_name_copynf(qctx->fname, qctx->client->query.redirect.fname); qctx->client->query.redirect.authoritative = qctx->authoritative; qctx->client->query.redirect.is_zone = qctx->is_zone; return (ns_query_done(qctx)); case DNS_R_NXRRSET: qctx->redirected = true; qctx->is_zone = true; return (query_nodata(qctx, DNS_R_NXRRSET)); case DNS_R_NCACHENXRRSET: qctx->redirected = true; qctx->is_zone = false; return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); default: break; } return (ISC_R_COMPLETE); } /*% * Logging function to be passed to dns_nsec_noexistnodata. */ static void log_noexistnodata(void *val, int level, const char *fmt, ...) { query_ctx_t *qctx = val; va_list ap; va_start(ap, fmt); ns_client_logv(qctx->client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, fmt, ap); va_end(ap); } static dns_ttl_t query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset, dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset, dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset) { dns_rdata_soa_t soa; dns_rdata_t rdata = DNS_RDATA_INIT; dns_ttl_t ttl; isc_result_t result; REQUIRE(soardataset != NULL); REQUIRE(sigsoardataset != NULL); REQUIRE(p1rdataset != NULL); REQUIRE(sigp1rdataset != NULL); result = dns_rdataset_first(soardataset); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(soardataset, &rdata); result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); ttl = ISC_MIN(soa.minimum, soardataset->ttl); ttl = ISC_MIN(ttl, sigsoardataset->ttl); ttl = ISC_MIN(ttl, p1rdataset->ttl); ttl = ISC_MIN(ttl, sigp1rdataset->ttl); if (p2rdataset != NULL) { ttl = ISC_MIN(ttl, p2rdataset->ttl); } if (sigp2rdataset != NULL) { ttl = ISC_MIN(ttl, sigp2rdataset->ttl); } return (ttl); } /* * Synthesize a NODATA response from the SOA and covering NSEC in cache. */ static isc_result_t query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer, dns_rdataset_t **soardatasetp, dns_rdataset_t **sigsoardatasetp) { dns_name_t *name = NULL; dns_ttl_t ttl; isc_buffer_t *dbuf, b; isc_result_t result; /* * Determine the correct TTL to use for the SOA and RRSIG */ ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, qctx->sigrdataset, NULL, NULL); (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; /* * We want the SOA record to be first, so save the * NODATA proof's name now or else discard it. */ if (WANTDNSSEC(qctx->client)) { ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); } else { ns_client_releasename(qctx->client, &qctx->fname); } dbuf = ns_client_getnamebuf(qctx->client); if (dbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } name = ns_client_newname(qctx->client, dbuf, &b); if (name == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_copynf(signer, name); /* * Add SOA record. Omit the RRSIG if DNSSEC was not requested. */ if (!WANTDNSSEC(qctx->client)) { sigsoardatasetp = NULL; } query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, DNS_SECTION_AUTHORITY); if (WANTDNSSEC(qctx->client)) { /* * Add NODATA proof. */ query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); } result = ISC_R_SUCCESS; inc_stats(qctx->client, ns_statscounter_nodatasynth); cleanup: if (name != NULL) { ns_client_releasename(qctx->client, &name); } return (result); } /* * Synthesize a wildcard answer using the contents of 'rdataset'. * qctx contains the NODATA proof. */ static isc_result_t query_synthwildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_name_t *name = NULL; isc_buffer_t *dbuf, b; isc_result_t result; dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; dns_rdataset_t **sigrdatasetp; CCTRACE(ISC_LOG_DEBUG(3), "query_synthwildcard"); /* * We want the answer to be first, so save the * NOQNAME proof's name now or else discard it. */ if (WANTDNSSEC(qctx->client)) { ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); } else { ns_client_releasename(qctx->client, &qctx->fname); } dbuf = ns_client_getnamebuf(qctx->client); if (dbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } name = ns_client_newname(qctx->client, dbuf, &b); if (name == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_copynf(qctx->client->query.qname, name); cloneset = ns_client_newrdataset(qctx->client); if (cloneset == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_rdataset_clone(rdataset, cloneset); /* * Add answer RRset. Omit the RRSIG if DNSSEC was not requested. */ if (WANTDNSSEC(qctx->client)) { clonesigset = ns_client_newrdataset(qctx->client); if (clonesigset == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_rdataset_clone(sigrdataset, clonesigset); sigrdatasetp = &clonesigset; } else { sigrdatasetp = NULL; } query_addrrset(qctx, &name, &cloneset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); if (WANTDNSSEC(qctx->client)) { /* * Add NOQNAME proof. */ query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); } result = ISC_R_SUCCESS; inc_stats(qctx->client, ns_statscounter_wildcardsynth); cleanup: if (name != NULL) { ns_client_releasename(qctx->client, &name); } if (cloneset != NULL) { ns_client_putrdataset(qctx->client, &cloneset); } if (clonesigset != NULL) { ns_client_putrdataset(qctx->client, &clonesigset); } return (result); } /* * Add a synthesized CNAME record from the wildard RRset (rdataset) * and NODATA proof by calling query_synthwildcard then setup to * follow the CNAME. */ static isc_result_t query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_name_t *tname = NULL; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_cname_t cname; result = query_synthwildcard(qctx, rdataset, sigrdataset); if (result != ISC_R_SUCCESS) { return (result); } qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; /* * Reset qname to be the target name of the CNAME and restart * the query. */ result = dns_message_gettempname(qctx->client->message, &tname); if (result != ISC_R_SUCCESS) { return (result); } result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) { dns_message_puttempname(qctx->client->message, &tname); return (result); } dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); if (dns_name_equal(qctx->client->query.qname, &cname.cname)) { dns_message_puttempname(qctx->client->message, &tname); dns_rdata_freestruct(&cname); return (ISC_R_SUCCESS); } dns_name_copynf(&cname.cname, tname); dns_rdata_freestruct(&cname); ns_client_qnamereplace(qctx->client, tname); qctx->want_restart = true; if (!WANTRECURSION(qctx->client)) { qctx->options |= DNS_GETDB_NOLOG; } return (result); } /* * Synthesize a NXDOMAIN response from qctx (which contains the * NODATA proof), nowild + nowildrdataset + signowildrdataset (which * contains the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp * which contain the SOA record + RRSIG for the negative answer. */ static isc_result_t query_synthnxdomain(query_ctx_t *qctx, dns_name_t *nowild, dns_rdataset_t *nowildrdataset, dns_rdataset_t *signowildrdataset, dns_name_t *signer, dns_rdataset_t **soardatasetp, dns_rdataset_t **sigsoardatasetp) { dns_name_t *name = NULL; dns_ttl_t ttl; isc_buffer_t *dbuf, b; isc_result_t result; dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; CCTRACE(ISC_LOG_DEBUG(3), "query_synthnxdomain"); /* * Determine the correct TTL to use for the SOA and RRSIG */ ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, qctx->sigrdataset, nowildrdataset, signowildrdataset); (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; /* * We want the SOA record to be first, so save the * NOQNAME proof's name now or else discard it. */ if (WANTDNSSEC(qctx->client)) { ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); } else { ns_client_releasename(qctx->client, &qctx->fname); } dbuf = ns_client_getnamebuf(qctx->client); if (dbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } name = ns_client_newname(qctx->client, dbuf, &b); if (name == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_copynf(signer, name); /* * Add SOA record. Omit the RRSIG if DNSSEC was not requested. */ if (!WANTDNSSEC(qctx->client)) { sigsoardatasetp = NULL; } query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, DNS_SECTION_AUTHORITY); if (WANTDNSSEC(qctx->client)) { /* * Add NOQNAME proof. */ query_addrrset(qctx, &qctx->fname, &qctx->rdataset, &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); dbuf = ns_client_getnamebuf(qctx->client); if (dbuf == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } name = ns_client_newname(qctx->client, dbuf, &b); if (name == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_copynf(nowild, name); cloneset = ns_client_newrdataset(qctx->client); clonesigset = ns_client_newrdataset(qctx->client); if (cloneset == NULL || clonesigset == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_rdataset_clone(nowildrdataset, cloneset); dns_rdataset_clone(signowildrdataset, clonesigset); /* * Add NOWILDCARD proof. */ query_addrrset(qctx, &name, &cloneset, &clonesigset, dbuf, DNS_SECTION_AUTHORITY); } qctx->client->message->rcode = dns_rcode_nxdomain; result = ISC_R_SUCCESS; inc_stats(qctx->client, ns_statscounter_nxdomainsynth); cleanup: if (name != NULL) { ns_client_releasename(qctx->client, &name); } if (cloneset != NULL) { ns_client_putrdataset(qctx->client, &cloneset); } if (clonesigset != NULL) { ns_client_putrdataset(qctx->client, &clonesigset); } return (result); } /* * Check that all signer names in sigrdataset match the expected signer. */ static isc_result_t checksignames(dns_name_t *signer, dns_rdataset_t *sigrdataset) { isc_result_t result; for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(sigrdataset)) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_rrsig_t rrsig; dns_rdataset_current(sigrdataset, &rdata); result = dns_rdata_tostruct(&rdata, &rrsig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dns_name_countlabels(signer) == 0) { dns_name_copynf(&rrsig.signer, signer); } else if (!dns_name_equal(signer, &rrsig.signer)) { return (ISC_R_FAILURE); } } return (ISC_R_SUCCESS); } /*% * Handle covering NSEC responses. * * Verify the NSEC record is appropriate for the QNAME; if not, * redo the initial query without DNS_DBFIND_COVERINGNSEC. * * If the covering NSEC proves that the name exists but not the type, * synthesize a NODATA response. * * If the name doesn't exist, compute the wildcard record and check whether * the wildcard name exists or not. If we can't determine this, redo the * initial query without DNS_DBFIND_COVERINGNSEC. * * If the wildcard name does not exist, compute the SOA name and look that * up. If the SOA record does not exist, redo the initial query without * DNS_DBFIND_COVERINGNSEC. If the SOA record exists, synthesize an * NXDOMAIN response from the found records. * * If the wildcard name does exist, perform a lookup for the requested * type at the wildcard name. */ static isc_result_t query_coveringnsec(query_ctx_t *qctx) { dns_db_t *db = NULL; dns_clientinfo_t ci; dns_clientinfomethods_t cm; dns_dbnode_t *node = NULL; dns_fixedname_t fixed; dns_fixedname_t fnowild; dns_fixedname_t fsigner; dns_fixedname_t fwild; dns_name_t *fname = NULL; dns_name_t *nowild = NULL; dns_name_t *signer = NULL; dns_name_t *wild = NULL; dns_rdataset_t *soardataset = NULL, *sigsoardataset = NULL; dns_rdataset_t rdataset, sigrdataset; bool done = false; bool exists = true, data = true; bool redirected = false; isc_result_t result = ISC_R_SUCCESS; unsigned int dboptions = qctx->client->query.dboptions; CCTRACE(ISC_LOG_DEBUG(3), "query_coveringnsec"); dns_rdataset_init(&rdataset); dns_rdataset_init(&sigrdataset); /* * If we have no signer name, stop immediately. */ if (!dns_rdataset_isassociated(qctx->sigrdataset)) { goto cleanup; } wild = dns_fixedname_initname(&fwild); fname = dns_fixedname_initname(&fixed); signer = dns_fixedname_initname(&fsigner); nowild = dns_fixedname_initname(&fnowild); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, qctx->client, NULL, NULL); /* * All signer names must be the same to accept. */ result = checksignames(signer, qctx->sigrdataset); if (result != ISC_R_SUCCESS) { result = ISC_R_SUCCESS; goto cleanup; } /* * Check that we have the correct NOQNAME NSEC record. */ result = dns_nsec_noexistnodata(qctx->qtype, qctx->client->query.qname, qctx->fname, qctx->rdataset, &exists, &data, wild, log_noexistnodata, qctx); if (result != ISC_R_SUCCESS || (exists && data)) { goto cleanup; } if (exists) { if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ goto cleanup; } if (!ISC_LIST_EMPTY(qctx->view->dns64) && (qctx->type == dns_rdatatype_a || qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ { goto cleanup; } if (!qctx->resuming && !STALE(qctx->rdataset) && qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client)) { goto cleanup; } soardataset = ns_client_newrdataset(qctx->client); sigsoardataset = ns_client_newrdataset(qctx->client); if (soardataset == NULL || sigsoardataset == NULL) { goto cleanup; } /* * Look for SOA record to construct NODATA response. */ dns_db_attach(qctx->db, &db); result = dns_db_findext(db, signer, qctx->version, dns_rdatatype_soa, dboptions, qctx->client->now, &node, fname, &cm, &ci, soardataset, sigsoardataset); if (result != ISC_R_SUCCESS) { goto cleanup; } (void)query_synthnodata(qctx, signer, &soardataset, &sigsoardataset); done = true; goto cleanup; } /* * Look up the no-wildcard proof. */ dns_db_attach(qctx->db, &db); result = dns_db_findext(db, wild, qctx->version, qctx->type, dboptions | DNS_DBFIND_COVERINGNSEC, qctx->client->now, &node, nowild, &cm, &ci, &rdataset, &sigrdataset); if (rdataset.trust != dns_trust_secure || sigrdataset.trust != dns_trust_secure) { goto cleanup; } /* * Zero TTL handling of wildcard record. * * We don't yet have code to handle synthesis and type ANY or dns64 * processing so we abort the synthesis here if there would be a * interaction. */ switch (result) { case ISC_R_SUCCESS: if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ goto cleanup; } if (!ISC_LIST_EMPTY(qctx->view->dns64) && (qctx->type == dns_rdatatype_a || qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ { goto cleanup; } FALLTHROUGH; case DNS_R_CNAME: if (!qctx->resuming && !STALE(&rdataset) && rdataset.ttl == 0 && RECURSIONOK(qctx->client)) { goto cleanup; } default: break; } switch (result) { case DNS_R_COVERINGNSEC: result = dns_nsec_noexistnodata(qctx->qtype, wild, nowild, &rdataset, &exists, &data, NULL, log_noexistnodata, qctx); if (result != ISC_R_SUCCESS || exists) { goto cleanup; } break; case ISC_R_SUCCESS: /* wild card match */ (void)query_synthwildcard(qctx, &rdataset, &sigrdataset); done = true; goto cleanup; case DNS_R_CNAME: /* wild card cname */ (void)query_synthcnamewildcard(qctx, &rdataset, &sigrdataset); done = true; goto cleanup; case DNS_R_NCACHENXRRSET: /* wild card nodata */ case DNS_R_NCACHENXDOMAIN: /* direct nxdomain */ default: goto cleanup; } /* * We now have the proof that we have an NXDOMAIN. Apply * NXDOMAIN redirection if configured. */ result = query_redirect(qctx, DNS_R_COVERINGNSEC); if (result != ISC_R_COMPLETE) { redirected = true; goto cleanup; } /* * Must be signed to accept. */ if (!dns_rdataset_isassociated(&sigrdataset)) { goto cleanup; } /* * Check signer signer names again. */ result = checksignames(signer, &sigrdataset); if (result != ISC_R_SUCCESS) { result = ISC_R_SUCCESS; goto cleanup; } if (node != NULL) { dns_db_detachnode(db, &node); } soardataset = ns_client_newrdataset(qctx->client); sigsoardataset = ns_client_newrdataset(qctx->client); if (soardataset == NULL || sigsoardataset == NULL) { goto cleanup; } /* * Look for SOA record to construct NXDOMAIN response. */ result = dns_db_findext(db, signer, qctx->version, dns_rdatatype_soa, dboptions, qctx->client->now, &node, fname, &cm, &ci, soardataset, sigsoardataset); if (result != ISC_R_SUCCESS) { goto cleanup; } (void)query_synthnxdomain(qctx, nowild, &rdataset, &sigrdataset, signer, &soardataset, &sigsoardataset); done = true; cleanup: if (dns_rdataset_isassociated(&rdataset)) { dns_rdataset_disassociate(&rdataset); } if (dns_rdataset_isassociated(&sigrdataset)) { dns_rdataset_disassociate(&sigrdataset); } if (soardataset != NULL) { ns_client_putrdataset(qctx->client, &soardataset); } if (sigsoardataset != NULL) { ns_client_putrdataset(qctx->client, &sigsoardataset); } if (db != NULL) { if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); } if (redirected) { return (result); } if (!done) { /* * No covering NSEC was found; proceed with recursion. */ qctx->findcoveringnsec = false; if (qctx->fname != NULL) { ns_client_releasename(qctx->client, &qctx->fname); } if (qctx->node != NULL) { dns_db_detachnode(qctx->db, &qctx->node); } ns_client_putrdataset(qctx->client, &qctx->rdataset); if (qctx->sigrdataset != NULL) { ns_client_putrdataset(qctx->client, &qctx->sigrdataset); } return (query_lookup(qctx)); } return (ns_query_done(qctx)); } /*% * Handle negative cache responses, DNS_R_NCACHENXRRSET or * DNS_R_NCACHENXDOMAIN. (Note: may also be called with result * set to DNS_R_NXDOMAIN when handling DNS64 lookups.) */ static isc_result_t query_ncache(query_ctx_t *qctx, isc_result_t result) { INSIST(!qctx->is_zone); INSIST(result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN); CCTRACE(ISC_LOG_DEBUG(3), "query_ncache"); CALL_HOOK(NS_QUERY_NCACHE_BEGIN, qctx); qctx->authoritative = false; if (result == DNS_R_NCACHENXDOMAIN) { /* * Set message rcode. (This is not done when * result == DNS_R_NXDOMAIN because that means we're * being called after a DNS64 lookup and don't want * to update the rcode now.) */ qctx->client->message->rcode = dns_rcode_nxdomain; /* Look for RFC 1918 leakage from Internet. */ if (qctx->qtype == dns_rdatatype_ptr && qctx->client->message->rdclass == dns_rdataclass_in && dns_name_countlabels(qctx->fname) == 7) { warn_rfc1918(qctx->client, qctx->fname, qctx->rdataset); } } return (query_nodata(qctx, result)); cleanup: return (result); } /* * If we have a zero ttl from the cache, refetch. */ static isc_result_t query_zerottl_refetch(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_zerottl_refetch"); if (qctx->is_zone || qctx->resuming || STALE(qctx->rdataset) || qctx->rdataset->ttl != 0 || !RECURSIONOK(qctx->client)) { return (ISC_R_COMPLETE); } qctx_clean(qctx); INSIST(!REDIRECT(qctx->client)); result = ns_query_recurse(qctx->client, qctx->qtype, qctx->client->query.qname, NULL, NULL, qctx->resuming); if (result == ISC_R_SUCCESS) { CALL_HOOK(NS_QUERY_ZEROTTL_RECURSE, qctx); qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; if (qctx->dns64) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64; } if (qctx->dns64_exclude) { qctx->client->query.attributes |= NS_QUERYATTR_DNS64EXCLUDE; } } else { /* * There was a zero ttl from the cache, don't fallback to * serve-stale lookup. */ QUERY_ERROR(qctx, result); } return (ns_query_done(qctx)); cleanup: return (result); } /* * Handle CNAME responses. */ static isc_result_t query_cname(query_ctx_t *qctx) { isc_result_t result = ISC_R_UNSET; dns_name_t *tname = NULL; dns_rdataset_t *trdataset = NULL; dns_rdataset_t **sigrdatasetp = NULL; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_cname_t cname; CCTRACE(ISC_LOG_DEBUG(3), "query_cname"); CALL_HOOK(NS_QUERY_CNAME_BEGIN, qctx); result = query_zerottl_refetch(qctx); if (result != ISC_R_COMPLETE) { return (result); } /* * Keep a copy of the rdataset. We have to do this because * query_addrrset may clear 'rdataset' (to prevent the * cleanup code from cleaning it up). */ trdataset = qctx->rdataset; /* * Add the CNAME to the answer section. */ if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { sigrdatasetp = &qctx->sigrdataset; } if (WANTDNSSEC(qctx->client) && (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) { dns_fixedname_init(&qctx->wildcardname); dns_name_copynf(qctx->fname, dns_fixedname_name(&qctx->wildcardname)); qctx->need_wildcardproof = true; } if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { qctx->noqname = qctx->rdataset; } else { qctx->noqname = NULL; } if (!qctx->is_zone && RECURSIONOK(qctx->client)) { query_prefetch(qctx->client, qctx->fname, qctx->rdataset); } query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER); query_addnoqnameproof(qctx); /* * We set the PARTIALANSWER attribute so that if anything goes * wrong later on, we'll return what we've got so far. */ qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; /* * Reset qname to be the target name of the CNAME and restart * the query. */ result = dns_message_gettempname(qctx->client->message, &tname); if (result != ISC_R_SUCCESS) { return (ns_query_done(qctx)); } result = dns_rdataset_first(trdataset); if (result != ISC_R_SUCCESS) { dns_message_puttempname(qctx->client->message, &tname); return (ns_query_done(qctx)); } dns_rdataset_current(trdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); dns_name_copynf(&cname.cname, tname); dns_rdata_freestruct(&cname); ns_client_qnamereplace(qctx->client, tname); qctx->want_restart = true; if (!WANTRECURSION(qctx->client)) { qctx->options |= DNS_GETDB_NOLOG; } query_addauth(qctx); return (ns_query_done(qctx)); cleanup: return (result); } /* * Handle DNAME responses. */ static isc_result_t query_dname(query_ctx_t *qctx) { dns_name_t *tname, *prefix; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_dname_t dname; dns_fixedname_t fixed; dns_rdataset_t *trdataset; dns_rdataset_t **sigrdatasetp = NULL; dns_namereln_t namereln; isc_buffer_t b; int order; isc_result_t result; unsigned int nlabels; CCTRACE(ISC_LOG_DEBUG(3), "query_dname"); CALL_HOOK(NS_QUERY_DNAME_BEGIN, qctx); /* * Compare the current qname to the found name. We need * to know how many labels and bits are in common because * we're going to have to split qname later on. */ namereln = dns_name_fullcompare(qctx->client->query.qname, qctx->fname, &order, &nlabels); INSIST(namereln == dns_namereln_subdomain); /* * Keep a copy of the rdataset. We have to do this because * query_addrrset may clear 'rdataset' (to prevent the * cleanup code from cleaning it up). */ trdataset = qctx->rdataset; /* * Add the DNAME to the answer section. */ if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { sigrdatasetp = &qctx->sigrdataset; } if (WANTDNSSEC(qctx->client) && (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) { dns_fixedname_init(&qctx->wildcardname); dns_name_copynf(qctx->fname, dns_fixedname_name(&qctx->wildcardname)); qctx->need_wildcardproof = true; } if (!qctx->is_zone && RECURSIONOK(qctx->client)) { query_prefetch(qctx->client, qctx->fname, qctx->rdataset); } query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER); /* * We set the PARTIALANSWER attribute so that if anything goes * wrong later on, we'll return what we've got so far. */ qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; /* * Get the target name of the DNAME. */ tname = NULL; result = dns_message_gettempname(qctx->client->message, &tname); if (result != ISC_R_SUCCESS) { return (ns_query_done(qctx)); } result = dns_rdataset_first(trdataset); if (result != ISC_R_SUCCESS) { dns_message_puttempname(qctx->client->message, &tname); return (ns_query_done(qctx)); } dns_rdataset_current(trdataset, &rdata); result = dns_rdata_tostruct(&rdata, &dname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); dns_name_copynf(&dname.dname, tname); dns_rdata_freestruct(&dname); /* * Construct the new qname consisting of * . */ prefix = dns_fixedname_initname(&fixed); dns_name_split(qctx->client->query.qname, nlabels, prefix, NULL); INSIST(qctx->fname == NULL); qctx->dbuf = ns_client_getnamebuf(qctx->client); if (qctx->dbuf == NULL) { dns_message_puttempname(qctx->client->message, &tname); return (ns_query_done(qctx)); } qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); if (qctx->fname == NULL) { dns_message_puttempname(qctx->client->message, &tname); return (ns_query_done(qctx)); } result = dns_name_concatenate(prefix, tname, qctx->fname, NULL); dns_message_puttempname(qctx->client->message, &tname); /* * RFC2672, section 4.1, subsection 3c says * we should return YXDOMAIN if the constructed * name would be too long. */ if (result == DNS_R_NAMETOOLONG) { qctx->client->message->rcode = dns_rcode_yxdomain; } if (result != ISC_R_SUCCESS) { return (ns_query_done(qctx)); } ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); /* * Synthesize a CNAME consisting of * CNAME * with * * Synthesize a CNAME so old old clients that don't understand * DNAME can chain. * * We do not try to synthesize a signature because we hope * that security aware servers will understand DNAME. Also, * even if we had an online key, making a signature * on-the-fly is costly, and not really legitimate anyway * since the synthesized CNAME is NOT in the zone. */ result = query_addcname(qctx, trdataset->trust, trdataset->ttl); if (result != ISC_R_SUCCESS) { return (ns_query_done(qctx)); } /* * If the original query was not for a CNAME or ANY then follow the * CNAME. */ if (qctx->qtype != dns_rdatatype_cname && qctx->qtype != dns_rdatatype_any) { /* * Switch to the new qname and restart. */ ns_client_qnamereplace(qctx->client, qctx->fname); qctx->fname = NULL; qctx->want_restart = true; if (!WANTRECURSION(qctx->client)) { qctx->options |= DNS_GETDB_NOLOG; } } query_addauth(qctx); return (ns_query_done(qctx)); cleanup: return (result); } /*% * Add CNAME to response. */ static isc_result_t query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl) { ns_client_t *client = qctx->client; dns_rdataset_t *rdataset = NULL; dns_rdatalist_t *rdatalist = NULL; dns_rdata_t *rdata = NULL; isc_region_t r; dns_name_t *aname = NULL; isc_result_t result; result = dns_message_gettempname(client->message, &aname); if (result != ISC_R_SUCCESS) { return (result); } dns_name_copynf(client->query.qname, aname); result = dns_message_gettemprdatalist(client->message, &rdatalist); if (result != ISC_R_SUCCESS) { dns_message_puttempname(client->message, &aname); return (result); } result = dns_message_gettemprdata(client->message, &rdata); if (result != ISC_R_SUCCESS) { dns_message_puttempname(client->message, &aname); dns_message_puttemprdatalist(client->message, &rdatalist); return (result); } result = dns_message_gettemprdataset(client->message, &rdataset); if (result != ISC_R_SUCCESS) { dns_message_puttempname(client->message, &aname); dns_message_puttemprdatalist(client->message, &rdatalist); dns_message_puttemprdata(client->message, &rdata); return (result); } rdatalist->type = dns_rdatatype_cname; rdatalist->rdclass = client->message->rdclass; rdatalist->ttl = ttl; dns_name_toregion(qctx->fname, &r); rdata->data = r.base; rdata->length = r.length; rdata->rdclass = client->message->rdclass; rdata->type = dns_rdatatype_cname; ISC_LIST_APPEND(rdatalist->rdata, rdata, link); RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS); rdataset->trust = trust; dns_rdataset_setownercase(rdataset, aname); query_addrrset(qctx, &aname, &rdataset, NULL, NULL, DNS_SECTION_ANSWER); if (rdataset != NULL) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } dns_message_puttemprdataset(client->message, &rdataset); } if (aname != NULL) { dns_message_puttempname(client->message, &aname); } return (ISC_R_SUCCESS); } /*% * Prepare to respond: determine whether a wildcard proof is needed, * then hand off to query_respond() or (for type ANY queries) * query_respond_any(). */ static isc_result_t query_prepresponse(query_ctx_t *qctx) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_prepresponse"); CALL_HOOK(NS_QUERY_PREP_RESPONSE_BEGIN, qctx); if (WANTDNSSEC(qctx->client) && (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) { dns_fixedname_init(&qctx->wildcardname); dns_name_copynf(qctx->fname, dns_fixedname_name(&qctx->wildcardname)); qctx->need_wildcardproof = true; } if (qctx->type == dns_rdatatype_any) { return (query_respond_any(qctx)); } result = query_zerottl_refetch(qctx); if (result != ISC_R_COMPLETE) { return (result); } return (query_respond(qctx)); cleanup: return (result); } /*% * Add SOA to the authority section when sending negative responses * (or to the additional section if sending negative responses triggered * by RPZ rewriting.) */ static isc_result_t query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, dns_section_t section) { ns_client_t *client = qctx->client; dns_name_t *name; dns_dbnode_t *node; isc_result_t result, eresult; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t **sigrdatasetp = NULL; dns_clientinfomethods_t cm; dns_clientinfo_t ci; CTRACE(ISC_LOG_DEBUG(3), "query_addsoa"); /* * Initialization. */ eresult = ISC_R_SUCCESS; name = NULL; rdataset = NULL; node = NULL; dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Don't add the SOA record for test which set "-T nosoa". */ if (((client->sctx->options & NS_SERVER_NOSOA) != 0) && (!WANTDNSSEC(client) || !dns_rdataset_isassociated(qctx->rdataset))) { return (ISC_R_SUCCESS); } /* * Get resources and make 'name' be the database origin. */ result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { return (result); } /* * We'll be releasing 'name' before returning, so it's safe to * use clone instead of copying here. */ dns_name_clone(dns_db_origin(qctx->db), name); rdataset = ns_client_newrdataset(client); if (rdataset == NULL) { CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } } /* * Find the SOA. */ result = dns_db_getoriginnode(qctx->db, &node); if (result == ISC_R_SUCCESS) { result = dns_db_findrdataset(qctx->db, node, qctx->version, dns_rdatatype_soa, 0, client->now, rdataset, sigrdataset); } else { dns_fixedname_t foundname; dns_name_t *fname; fname = dns_fixedname_initname(&foundname); result = dns_db_findext(qctx->db, name, qctx->version, dns_rdatatype_soa, client->query.dboptions, 0, &node, fname, &cm, &ci, rdataset, sigrdataset); } if (result != ISC_R_SUCCESS) { /* * This is bad. We tried to get the SOA RR at the zone top * and it didn't work! */ CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex"); eresult = DNS_R_SERVFAIL; } else { /* * Extract the SOA MINIMUM. */ dns_rdata_soa_t soa; dns_rdata_t rdata = DNS_RDATA_INIT; result = dns_rdataset_first(rdataset); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &soa, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (override_ttl != UINT32_MAX && override_ttl < rdataset->ttl) { rdataset->ttl = override_ttl; if (sigrdataset != NULL) { sigrdataset->ttl = override_ttl; } } /* * Add the SOA and its SIG to the response, with the * TTLs adjusted per RFC2308 section 3. */ if (rdataset->ttl > soa.minimum) { rdataset->ttl = soa.minimum; } if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum) { sigrdataset->ttl = soa.minimum; } if (sigrdataset != NULL) { sigrdatasetp = &sigrdataset; } else { sigrdatasetp = NULL; } if (section == DNS_SECTION_ADDITIONAL) { rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; } query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, section); } cleanup: ns_client_putrdataset(client, &rdataset); if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (name != NULL) { ns_client_releasename(client, &name); } if (node != NULL) { dns_db_detachnode(qctx->db, &node); } return (eresult); } /*% * Add NS to authority section (used when the zone apex is already known). */ static isc_result_t query_addns(query_ctx_t *qctx) { ns_client_t *client = qctx->client; isc_result_t result, eresult; dns_name_t *name = NULL, *fname; dns_dbnode_t *node = NULL; dns_fixedname_t foundname; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t **sigrdatasetp = NULL; dns_clientinfomethods_t cm; dns_clientinfo_t ci; CTRACE(ISC_LOG_DEBUG(3), "query_addns"); /* * Initialization. */ eresult = ISC_R_SUCCESS; fname = dns_fixedname_initname(&foundname); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Get resources and make 'name' be the database origin. */ result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_message_gettempname " "failed: done"); return (result); } dns_name_clone(dns_db_origin(qctx->db), name); rdataset = ns_client_newrdataset(client); if (rdataset == NULL) { CTRACE(ISC_LOG_ERROR, "query_addns: ns_client_newrdataset " "failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { CTRACE(ISC_LOG_ERROR, "query_addns: " "ns_client_newrdataset failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } } /* * Find the NS rdataset. */ result = dns_db_getoriginnode(qctx->db, &node); if (result == ISC_R_SUCCESS) { result = dns_db_findrdataset(qctx->db, node, qctx->version, dns_rdatatype_ns, 0, client->now, rdataset, sigrdataset); } else { CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find"); result = dns_db_findext(qctx->db, name, NULL, dns_rdatatype_ns, client->query.dboptions, 0, &node, fname, &cm, &ci, rdataset, sigrdataset); CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete"); } if (result != ISC_R_SUCCESS) { CTRACE(ISC_LOG_ERROR, "query_addns: " "dns_db_findrdataset or dns_db_find " "failed"); /* * This is bad. We tried to get the NS rdataset at the zone * top and it didn't work! */ eresult = DNS_R_SERVFAIL; } else { if (sigrdataset != NULL) { sigrdatasetp = &sigrdataset; } query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, DNS_SECTION_AUTHORITY); } cleanup: CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup"); ns_client_putrdataset(client, &rdataset); if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (name != NULL) { ns_client_releasename(client, &name); } if (node != NULL) { dns_db_detachnode(qctx->db, &node); } CTRACE(ISC_LOG_DEBUG(3), "query_addns: done"); return (eresult); } /*% * Find the zone cut and add the best NS rrset to the authority section. */ static void query_addbestns(query_ctx_t *qctx) { ns_client_t *client = qctx->client; dns_db_t *db = NULL, *zdb = NULL; dns_dbnode_t *node = NULL; dns_name_t *fname = NULL, *zfname = NULL; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_rdataset_t *zrdataset = NULL, *zsigrdataset = NULL; bool is_zone = false, use_zone = false; isc_buffer_t *dbuf = NULL; isc_result_t result; dns_dbversion_t *version = NULL; dns_zone_t *zone = NULL; isc_buffer_t b; dns_clientinfomethods_t cm; dns_clientinfo_t ci; CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * Find the right database. */ result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0, &zone, &db, &version, &is_zone); if (result != ISC_R_SUCCESS) { goto cleanup; } db_find: /* * We'll need some resources... */ dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); rdataset = ns_client_newrdataset(client); if (fname == NULL || rdataset == NULL) { goto cleanup; } /* * Get the RRSIGs if the client requested them or if we may * need to validate answers from the cache. */ if (WANTDNSSEC(client) || !is_zone) { sigrdataset = ns_client_newrdataset(client); if (sigrdataset == NULL) { goto cleanup; } } /* * Now look for the zonecut. */ if (is_zone) { result = dns_db_findext( db, client->query.qname, version, dns_rdatatype_ns, client->query.dboptions, client->now, &node, fname, &cm, &ci, rdataset, sigrdataset); if (result != DNS_R_DELEGATION) { goto cleanup; } if (USECACHE(client)) { ns_client_keepname(client, fname, dbuf); dns_db_detachnode(db, &node); SAVE(zdb, db); SAVE(zfname, fname); SAVE(zrdataset, rdataset); SAVE(zsigrdataset, sigrdataset); version = NULL; dns_db_attach(client->view->cachedb, &db); is_zone = false; goto db_find; } } else { result = dns_db_findzonecut( db, client->query.qname, client->query.dboptions, client->now, &node, fname, NULL, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { if (zfname != NULL && !dns_name_issubdomain(fname, zfname)) { /* * We found a zonecut in the cache, but our * zone delegation is better. */ use_zone = true; } } else if (result == ISC_R_NOTFOUND && zfname != NULL) { /* * We didn't find anything in the cache, but we * have a zone delegation, so use it. */ use_zone = true; } else { goto cleanup; } } if (use_zone) { ns_client_releasename(client, &fname); /* * We've already done ns_client_keepname() on * zfname, so we must set dbuf to NULL to * prevent query_addrrset() from trying to * call ns_client_keepname() again. */ dbuf = NULL; ns_client_putrdataset(client, &rdataset); if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (node != NULL) { dns_db_detachnode(db, &node); } dns_db_detach(&db); RESTORE(db, zdb); RESTORE(fname, zfname); RESTORE(rdataset, zrdataset); RESTORE(sigrdataset, zsigrdataset); } /* * Attempt to validate RRsets that are pending or that are glue. */ if ((DNS_TRUST_PENDING(rdataset->trust) || (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && !validate(client, db, fname, rdataset, sigrdataset) && !PENDINGOK(client->query.dboptions)) { goto cleanup; } if ((DNS_TRUST_GLUE(rdataset->trust) || (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && !validate(client, db, fname, rdataset, sigrdataset) && SECURE(client) && WANTDNSSEC(client)) { goto cleanup; } /* * If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response. */ if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) && ((rdataset->trust != dns_trust_secure) || (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure))) { goto cleanup; } /* * If the client doesn't want DNSSEC we can discard the sigrdataset * now. */ if (!WANTDNSSEC(client)) { ns_client_putrdataset(client, &sigrdataset); } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); cleanup: if (rdataset != NULL) { ns_client_putrdataset(client, &rdataset); } if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (fname != NULL) { ns_client_releasename(client, &fname); } if (node != NULL) { dns_db_detachnode(db, &node); } if (db != NULL) { dns_db_detach(&db); } if (zone != NULL) { dns_zone_detach(&zone); } if (zdb != NULL) { ns_client_putrdataset(client, &zrdataset); if (zsigrdataset != NULL) { ns_client_putrdataset(client, &zsigrdataset); } if (zfname != NULL) { ns_client_releasename(client, &zfname); } dns_db_detach(&zdb); } } static void query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata) { ns_client_t *client = qctx->client; isc_buffer_t *dbuf, b; dns_name_t *name; dns_name_t *fname = NULL; dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; dns_fixedname_t wfixed; dns_name_t *wname; dns_dbnode_t *node = NULL; unsigned int options; unsigned int olabels, nlabels, labels; isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_nsec_t nsec; bool have_wname; int order; dns_fixedname_t cfixed; dns_name_t *cname; dns_clientinfomethods_t cm; dns_clientinfo_t ci; CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof"); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); /* * If a name has been specifically flagged as needing * a wildcard proof then it will have been copied to * qctx->wildcardname. Otherwise we just use the client * QNAME. */ if (qctx->need_wildcardproof) { name = dns_fixedname_name(&qctx->wildcardname); } else { name = client->query.qname; } /* * Get the NOQNAME proof then if !ispositive * get the NOWILDCARD proof. * * DNS_DBFIND_NOWILD finds the NSEC records that covers the * name ignoring any wildcard. From the owner and next names * of this record you can compute which wildcard (if it exists) * will match by finding the longest common suffix of the * owner name and next names with the qname and prefixing that * with the wildcard label. * * e.g. * Given: * example SOA * example NSEC b.example * b.example A * b.example NSEC a.d.example * a.d.example A * a.d.example NSEC g.f.example * g.f.example A * g.f.example NSEC z.i.example * z.i.example A * z.i.example NSEC example * * QNAME: * a.example -> example NSEC b.example * owner common example * next common example * wild *.example * d.b.example -> b.example NSEC a.d.example * owner common b.example * next common example * wild *.b.example * a.f.example -> a.d.example NSEC g.f.example * owner common example * next common f.example * wild *.f.example * j.example -> z.i.example NSEC example * owner common example * next common example * wild *.example */ options = client->query.dboptions | DNS_DBFIND_NOWILD; wname = dns_fixedname_initname(&wfixed); again: have_wname = false; /* * We'll need some resources... */ dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); rdataset = ns_client_newrdataset(client); sigrdataset = ns_client_newrdataset(client); if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { goto cleanup; } result = dns_db_findext(qctx->db, name, qctx->version, dns_rdatatype_nsec, options, 0, &node, fname, &cm, &ci, rdataset, sigrdataset); if (node != NULL) { dns_db_detachnode(qctx->db, &node); } if (!dns_rdataset_isassociated(rdataset)) { /* * No NSEC proof available, return NSEC3 proofs instead. */ cname = dns_fixedname_initname(&cfixed); /* * Find the closest encloser. */ dns_name_copynf(name, cname); while (result == DNS_R_NXDOMAIN) { labels = dns_name_countlabels(cname) - 1; /* * Sanity check. */ if (labels == 0U) { goto cleanup; } dns_name_split(cname, labels, NULL, cname); result = dns_db_findext(qctx->db, cname, qctx->version, dns_rdatatype_nsec, options, 0, NULL, fname, &cm, &ci, NULL, NULL); } /* * Add closest (provable) encloser NSEC3. */ query_findclosestnsec3(cname, qctx->db, qctx->version, client, rdataset, sigrdataset, fname, true, cname); if (!dns_rdataset_isassociated(rdataset)) { goto cleanup; } if (!ispositive) { query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); } /* * Replace resources which were consumed by query_addrrset. */ if (fname == NULL) { dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); } if (rdataset == NULL) { rdataset = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (sigrdataset == NULL) { sigrdataset = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { goto cleanup; } /* * Add no qname proof. */ labels = dns_name_countlabels(cname) + 1; if (dns_name_countlabels(name) == labels) { dns_name_copynf(name, wname); } else { dns_name_split(name, labels, NULL, wname); } query_findclosestnsec3(wname, qctx->db, qctx->version, client, rdataset, sigrdataset, fname, false, NULL); if (!dns_rdataset_isassociated(rdataset)) { goto cleanup; } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); if (ispositive) { goto cleanup; } /* * Replace resources which were consumed by query_addrrset. */ if (fname == NULL) { dbuf = ns_client_getnamebuf(client); if (dbuf == NULL) { goto cleanup; } fname = ns_client_newname(client, dbuf, &b); } if (rdataset == NULL) { rdataset = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); } if (sigrdataset == NULL) { sigrdataset = ns_client_newrdataset(client); } else if (dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_disassociate(sigrdataset); } if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { goto cleanup; } /* * Add the no wildcard proof. */ result = dns_name_concatenate(dns_wildcardname, cname, wname, NULL); if (result != ISC_R_SUCCESS) { goto cleanup; } query_findclosestnsec3(wname, qctx->db, qctx->version, client, rdataset, sigrdataset, fname, nodata, NULL); if (!dns_rdataset_isassociated(rdataset)) { goto cleanup; } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); goto cleanup; } else if (result == DNS_R_NXDOMAIN) { if (!ispositive) { result = dns_rdataset_first(rdataset); } if (result == ISC_R_SUCCESS) { dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &nsec, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); (void)dns_name_fullcompare(name, fname, &order, &olabels); (void)dns_name_fullcompare(name, &nsec.next, &order, &nlabels); /* * Check for a pathological condition created when * serving some malformed signed zones and bail out. */ if (dns_name_countlabels(name) == nlabels) { goto cleanup; } if (olabels > nlabels) { dns_name_split(name, olabels, NULL, wname); } else { dns_name_split(name, nlabels, NULL, wname); } result = dns_name_concatenate(dns_wildcardname, wname, wname, NULL); if (result == ISC_R_SUCCESS) { have_wname = true; } dns_rdata_freestruct(&nsec); } query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); } if (rdataset != NULL) { ns_client_putrdataset(client, &rdataset); } if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (fname != NULL) { ns_client_releasename(client, &fname); } if (have_wname) { ispositive = true; /* prevent loop */ if (!dns_name_equal(name, wname)) { name = wname; goto again; } } cleanup: if (rdataset != NULL) { ns_client_putrdataset(client, &rdataset); } if (sigrdataset != NULL) { ns_client_putrdataset(client, &sigrdataset); } if (fname != NULL) { ns_client_releasename(client, &fname); } } /*% * Add NS records, and NSEC/NSEC3 wildcard proof records if needed, * to the authority section. */ static void query_addauth(query_ctx_t *qctx) { CCTRACE(ISC_LOG_DEBUG(3), "query_addauth"); /* * Add NS records to the authority section (if we haven't already * added them to the answer section). */ if (!qctx->want_restart && !NOAUTHORITY(qctx->client)) { if (qctx->is_zone) { if (!qctx->answer_has_ns) { (void)query_addns(qctx); } } else if (!qctx->answer_has_ns && qctx->qtype != dns_rdatatype_ns) { if (qctx->fname != NULL) { ns_client_releasename(qctx->client, &qctx->fname); } query_addbestns(qctx); } } /* * Add NSEC records to the authority section if they're needed for * DNSSEC wildcard proofs. */ if (qctx->need_wildcardproof && dns_db_issecure(qctx->db)) { query_addwildcardproof(qctx, true, false); } } /* * Find the sort order of 'rdata' in the topology-like * ACL forming the second element in a 2-element top-level * sortlist statement. */ static int query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) { isc_netaddr_t netaddr; if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { return (INT_MAX); } return (ns_sortlist_addrorder2(&netaddr, arg)); } /* * Find the sort order of 'rdata' in the matching element * of a 1-element top-level sortlist statement. */ static int query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) { isc_netaddr_t netaddr; if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { return (INT_MAX); } return (ns_sortlist_addrorder1(&netaddr, arg)); } /* * Find the sortlist statement that applies to 'client' and set up * the sortlist info in in client->message appropriately. */ static void query_setup_sortlist(query_ctx_t *qctx) { isc_netaddr_t netaddr; ns_client_t *client = qctx->client; dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); const void *order_arg = NULL; isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr, &order_arg)) { case NS_SORTLISTTYPE_1ELEMENT: dns_message_setsortorder(client->message, query_sortlist_order_1element, env, NULL, order_arg); break; case NS_SORTLISTTYPE_2ELEMENT: dns_message_setsortorder(client->message, query_sortlist_order_2element, env, order_arg, NULL); break; case NS_SORTLISTTYPE_NONE: break; default: UNREACHABLE(); } } /* * When sending a referral, if the answer to the question is * in the glue, sort it to the start of the additional section. */ static void query_glueanswer(query_ctx_t *qctx) { const dns_namelist_t *secs = qctx->client->message->sections; const dns_section_t section = DNS_SECTION_ADDITIONAL; dns_name_t *name; dns_message_t *msg; dns_rdataset_t *rdataset = NULL; if (!ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || qctx->client->message->rcode != dns_rcode_noerror || (qctx->qtype != dns_rdatatype_a && qctx->qtype != dns_rdatatype_aaaa)) { return; } msg = qctx->client->message; for (name = ISC_LIST_HEAD(msg->sections[section]); name != NULL; name = ISC_LIST_NEXT(name, link)) { if (dns_name_equal(name, qctx->client->query.qname)) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == qctx->qtype) { break; } } break; } } if (rdataset != NULL) { ISC_LIST_UNLINK(msg->sections[section], name, link); ISC_LIST_PREPEND(msg->sections[section], name, link); ISC_LIST_UNLINK(name->list, rdataset, link); ISC_LIST_PREPEND(name->list, rdataset, link); rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; } } isc_result_t ns_query_done(query_ctx_t *qctx) { isc_result_t result; const dns_namelist_t *secs = qctx->client->message->sections; bool nodetach; CCTRACE(ISC_LOG_DEBUG(3), "ns_query_done"); CALL_HOOK(NS_QUERY_DONE_BEGIN, qctx); /* * General cleanup. */ qctx->rpz_st = qctx->client->query.rpz_st; if (qctx->rpz_st != NULL && (qctx->rpz_st->state & DNS_RPZ_RECURSING) == 0) { rpz_match_clear(qctx->rpz_st); qctx->rpz_st->state &= ~DNS_RPZ_DONE_QNAME; } qctx_clean(qctx); qctx_freedata(qctx); if (qctx->client->query.gluedb != NULL) { dns_db_detach(&qctx->client->query.gluedb); } /* * Clear the AA bit if we're not authoritative. */ if (qctx->client->query.restarts == 0 && !qctx->authoritative) { qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; } /* * Do we need to restart the query (e.g. for CNAME chaining)? */ if (qctx->want_restart && qctx->client->query.restarts < MAX_RESTARTS) { qctx->client->query.restarts++; return (ns__query_start(qctx)); } if (qctx->result != ISC_R_SUCCESS && (!PARTIALANSWER(qctx->client) || WANTRECURSION(qctx->client) || qctx->result == DNS_R_DROP)) { if (qctx->result == DNS_R_DUPLICATE || qctx->result == DNS_R_DROP) { /* * This was a duplicate query that we are * recursing on or the result of rate limiting. * Don't send a response now for a duplicate query, * because the original will still cause a response. */ query_next(qctx->client, qctx->result); } else { /* * If we don't have any answer to give the client, * or if the client requested recursion and thus wanted * the complete answer, send an error response. */ INSIST(qctx->line >= 0); query_error(qctx->client, qctx->result, qctx->line); } qctx->detach_client = true; return (qctx->result); } /* * If we're recursing then just return; the query will * resume when recursion ends. */ if (RECURSING(qctx->client) && (!QUERY_STALETIMEOUT(&qctx->client->query) || ((qctx->options & DNS_GETDB_STALEFIRST) != 0))) { return (qctx->result); } /* * We are done. Set up sortlist data for the message * rendering code, sort the answer to the front of the * additional section if necessary, make a final tweak * to the AA bit if the auth-nxdomain config option * says so, then render and send the response. */ query_setup_sortlist(qctx); query_glueanswer(qctx); if (qctx->client->message->rcode == dns_rcode_nxdomain && qctx->view->auth_nxdomain) { qctx->client->message->flags |= DNS_MESSAGEFLAG_AA; } /* * If the response is somehow unexpected for the client and this * is a result of recursion, return an error to the caller * to indicate it may need to be logged. */ if (qctx->resuming && (ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || qctx->client->message->rcode != dns_rcode_noerror)) { qctx->result = ISC_R_FAILURE; } CALL_HOOK(NS_QUERY_DONE_SEND, qctx); /* * Client may have been detached after query_send(), so * we test and store the flag state here, for safety. */ nodetach = qctx->client->nodetach; query_send(qctx->client); if (qctx->refresh_rrset) { /* * If we reached this point then it means that we have found a * stale RRset entry in cache and BIND is configured to allow * queries to be answered with stale data if no active RRset * is available, i.e. "stale-anwer-client-timeout 0". But, we * still need to refresh the RRset. To prevent adding duplicate * RRsets, clear the RRsets from the message before doing the * refresh. */ message_clearrdataset(qctx->client->message, 0); query_refresh_rrset(qctx); } if (!nodetach) { qctx->detach_client = true; } return (qctx->result); cleanup: return (result); } static void log_tat(ns_client_t *client) { char namebuf[DNS_NAME_FORMATSIZE]; char clientbuf[ISC_NETADDR_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; isc_netaddr_t netaddr; char *tags = NULL; size_t taglen = 0; if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) { return; } if ((client->query.qtype != dns_rdatatype_null || !dns_name_istat(client->query.qname)) && (client->keytag == NULL || client->query.qtype != dns_rdatatype_dnskey)) { return; } isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); isc_netaddr_format(&netaddr, clientbuf, sizeof(clientbuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); if (client->query.qtype == dns_rdatatype_dnskey) { uint16_t keytags = client->keytag_len / 2; size_t len = taglen = sizeof("65000") * keytags + 1; char *cp = tags = isc_mem_get(client->mctx, taglen); int i = 0; INSIST(client->keytag != NULL); if (tags != NULL) { while (keytags-- > 0U) { int n; uint16_t keytag; keytag = (client->keytag[i * 2] << 8) | client->keytag[i * 2 + 1]; n = snprintf(cp, len, " %u", keytag); if (n > 0 && (size_t)n <= len) { cp += n; len -= n; i++; } else { break; } } } } isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s", namebuf, classbuf, clientbuf, tags != NULL ? tags : ""); if (tags != NULL) { isc_mem_put(client->mctx, tags, taglen); } } static void log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; char onbuf[ISC_NETADDR_FORMATSIZE]; char ecsbuf[DNS_ECS_FORMATSIZE + sizeof(" [ECS ]") - 1] = { 0 }; char ednsbuf[sizeof("E(65535)")] = { 0 }; dns_rdataset_t *rdataset; int level = ISC_LOG_INFO; if (!isc_log_wouldlog(ns_lctx, level)) { return; } rdataset = ISC_LIST_HEAD(client->query.qname->list); INSIST(rdataset != NULL); dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); if (client->ednsversion >= 0) { snprintf(ednsbuf, sizeof(ednsbuf), "E(%hd)", client->ednsversion); } if (HAVEECS(client)) { strlcpy(ecsbuf, " [ECS ", sizeof(ecsbuf)); dns_ecs_format(&client->ecs, ecsbuf + 6, sizeof(ecsbuf) - 6); strlcat(ecsbuf, "]", sizeof(ecsbuf)); } ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, "query: %s %s %s %s%s%s%s%s%s%s (%s)%s", namebuf, classbuf, typebuf, WANTRECURSION(client) ? "+" : "-", (client->signer != NULL) ? "S" : "", ednsbuf, TCP(client) ? "T" : "", ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "", ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "", HAVECOOKIE(client) ? "V" : WANTCOOKIE(client) ? "K" : "", onbuf, ecsbuf); } static void log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; const char *namep, *typep, *classp, *sep1, *sep2; dns_rdataset_t *rdataset; if (!isc_log_wouldlog(ns_lctx, level)) { return; } namep = typep = classp = sep1 = sep2 = ""; /* * Query errors can happen for various reasons. In some cases we cannot * even assume the query contains a valid question section, so we should * expect exceptional cases. */ if (client->query.origqname != NULL) { dns_name_format(client->query.origqname, namebuf, sizeof(namebuf)); namep = namebuf; sep1 = " for "; rdataset = ISC_LIST_HEAD(client->query.origqname->list); if (rdataset != NULL) { dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); classp = classbuf; dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); typep = typebuf; sep2 = "/"; } } ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, level, "query failed (%s)%s%s%s%s%s%s at %s:%d", isc_result_totext(result), sep1, namep, sep2, classp, sep2, typep, __FILE__, line); } void ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) { isc_result_t result; dns_message_t *message; dns_rdataset_t *rdataset; dns_rdatatype_t qtype; unsigned int saved_extflags; unsigned int saved_flags; REQUIRE(NS_CLIENT_VALID(client)); /* * Attach to the request handle */ isc_nmhandle_attach(handle, &client->reqhandle); message = client->message; saved_extflags = client->extflags; saved_flags = client->message->flags; CTRACE(ISC_LOG_DEBUG(3), "ns_query_start"); /* * Ensure that appropriate cleanups occur. */ client->cleanup = query_cleanup; if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { client->query.attributes |= NS_QUERYATTR_WANTRECURSION; } if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) { client->attributes |= NS_CLIENTATTR_WANTDNSSEC; } switch (client->view->minimalresponses) { case dns_minimal_no: break; case dns_minimal_yes: client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); break; case dns_minimal_noauth: client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; break; case dns_minimal_noauthrec: if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; } break; } if (client->view->cachedb == NULL || !client->view->recursion) { /* * We don't have a cache. Turn off cache support and * recursion. */ client->query.attributes &= ~(NS_QUERYATTR_RECURSIONOK | NS_QUERYATTR_CACHEOK); client->attributes |= NS_CLIENTATTR_NOSETFC; } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 || (message->flags & DNS_MESSAGEFLAG_RD) == 0) { /* * If the client isn't allowed to recurse (due to * "recursion no", the allow-recursion ACL, or the * lack of a resolver in this view), or if it * doesn't want recursion, turn recursion off. */ client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; client->attributes |= NS_CLIENTATTR_NOSETFC; } /* * Check for multiple question queries, since edns1 is dead. */ if (message->counts[DNS_SECTION_QUESTION] > 1) { query_error(client, DNS_R_FORMERR, __LINE__); return; } /* * Get the question name. */ result = dns_message_firstname(message, DNS_SECTION_QUESTION); if (result != ISC_R_SUCCESS) { query_error(client, result, __LINE__); return; } dns_message_currentname(message, DNS_SECTION_QUESTION, &client->query.qname); client->query.origqname = client->query.qname; result = dns_message_nextname(message, DNS_SECTION_QUESTION); if (result != ISC_R_NOMORE) { if (result == ISC_R_SUCCESS) { /* * There's more than one QNAME in the question * section. */ query_error(client, DNS_R_FORMERR, __LINE__); } else { query_error(client, result, __LINE__); } return; } if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { log_query(client, saved_flags, saved_extflags); } /* * Check for meta-queries like IXFR and AXFR. */ rdataset = ISC_LIST_HEAD(client->query.qname->list); INSIST(rdataset != NULL); client->query.qtype = qtype = rdataset->type; dns_rdatatypestats_increment(client->sctx->rcvquerystats, qtype); log_tat(client); if (dns_rdatatype_ismeta(qtype)) { switch (qtype) { case dns_rdatatype_any: break; /* Let the query logic handle it. */ case dns_rdatatype_ixfr: case dns_rdatatype_axfr: ns_xfr_start(client, rdataset->type); return; case dns_rdatatype_maila: case dns_rdatatype_mailb: query_error(client, DNS_R_NOTIMP, __LINE__); return; case dns_rdatatype_tkey: result = dns_tkey_processquery( client->message, client->sctx->tkeyctx, client->view->dynamickeys); if (result == ISC_R_SUCCESS) { query_send(client); } else { query_error(client, result, __LINE__); } return; default: /* TSIG, etc. */ query_error(client, DNS_R_FORMERR, __LINE__); return; } } /* * Turn on minimal response for (C)DNSKEY and (C)DS queries. */ if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds || qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds) { client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); } else if (qtype == dns_rdatatype_ns) { /* * Always turn on additional records for NS queries. */ client->query.attributes &= ~(NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); } /* * Maybe turn on minimal responses for ANY queries. */ if (qtype == dns_rdatatype_any && client->view->minimal_any && !TCP(client)) { client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); } /* * Turn on minimal responses for EDNS/UDP bufsize 512 queries. */ if (client->ednsversion >= 0 && client->udpsize <= 512U && !TCP(client)) { client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); } /* * If the client has requested that DNSSEC checking be disabled, * allow lookups to return pending data and instruct the resolver * to return data before validation has completed. * * We don't need to set DNS_DBFIND_PENDINGOK when validation is * disabled as there will be no pending data. */ if ((message->flags & DNS_MESSAGEFLAG_CD) != 0 || qtype == dns_rdatatype_rrsig) { client->query.dboptions |= DNS_DBFIND_PENDINGOK; client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; } else if (!client->view->enablevalidation) { client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; } if (client->view->qminimization) { client->query.fetchoptions |= DNS_FETCHOPT_QMINIMIZE | DNS_FETCHOPT_QMIN_SKIP_IP6A; if (client->view->qmin_strict) { client->query.fetchoptions |= DNS_FETCHOPT_QMIN_STRICT; } else { client->query.fetchoptions |= DNS_FETCHOPT_QMIN_USE_A; } } /* * Allow glue NS records to be added to the authority section * if the answer is secure. */ if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) { client->query.attributes &= ~NS_QUERYATTR_SECURE; } /* * Set NS_CLIENTATTR_WANTAD if the client has set AD in the query. * This allows AD to be returned on queries without DO set. */ if ((message->flags & DNS_MESSAGEFLAG_AD) != 0) { client->attributes |= NS_CLIENTATTR_WANTAD; } /* * This is an ordinary query. */ result = dns_message_reply(message, true); if (result != ISC_R_SUCCESS) { query_next(client, result); return; } /* * Assume authoritative response until it is known to be * otherwise. * * If "-T noaa" has been set on the command line don't set * AA on authoritative answers. */ if ((client->sctx->options & NS_SERVER_NOAA) == 0) { message->flags |= DNS_MESSAGEFLAG_AA; } /* * Set AD. We must clear it if we add non-validated data to a * response. */ if (WANTDNSSEC(client) || WANTAD(client)) { message->flags |= DNS_MESSAGEFLAG_AD; } (void)query_setup(client, qtype); }