From 3b9b6d0b8e7f798023c9d109c490449d528fde80 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 17:59:48 +0200 Subject: Adding upstream version 1:9.18.19. Signed-off-by: Daniel Baumann --- lib/ns/Makefile.am | 57 + lib/ns/Makefile.in | 1035 +++ lib/ns/client.c | 3093 +++++++++ lib/ns/hooks.c | 363 ++ lib/ns/include/ns/client.h | 578 ++ lib/ns/include/ns/events.h | 25 + lib/ns/include/ns/hooks.h | 612 ++ lib/ns/include/ns/interfacemgr.h | 192 + lib/ns/include/ns/listenlist.h | 137 + lib/ns/include/ns/log.h | 72 + lib/ns/include/ns/notify.h | 44 + lib/ns/include/ns/query.h | 271 + lib/ns/include/ns/server.h | 201 + lib/ns/include/ns/sortlist.h | 80 + lib/ns/include/ns/stats.h | 138 + lib/ns/include/ns/types.h | 33 + lib/ns/include/ns/update.h | 43 + lib/ns/include/ns/xfrout.h | 30 + lib/ns/interfacemgr.c | 1438 +++++ lib/ns/listenlist.c | 350 ++ lib/ns/log.c | 62 + lib/ns/notify.c | 180 + lib/ns/query.c | 12446 +++++++++++++++++++++++++++++++++++++ lib/ns/server.c | 264 + lib/ns/sortlist.c | 181 + lib/ns/stats.c | 128 + lib/ns/update.c | 3866 ++++++++++++ lib/ns/xfrout.c | 1829 ++++++ 28 files changed, 27748 insertions(+) create mode 100644 lib/ns/Makefile.am create mode 100644 lib/ns/Makefile.in create mode 100644 lib/ns/client.c create mode 100644 lib/ns/hooks.c create mode 100644 lib/ns/include/ns/client.h create mode 100644 lib/ns/include/ns/events.h create mode 100644 lib/ns/include/ns/hooks.h create mode 100644 lib/ns/include/ns/interfacemgr.h create mode 100644 lib/ns/include/ns/listenlist.h create mode 100644 lib/ns/include/ns/log.h create mode 100644 lib/ns/include/ns/notify.h create mode 100644 lib/ns/include/ns/query.h create mode 100644 lib/ns/include/ns/server.h create mode 100644 lib/ns/include/ns/sortlist.h create mode 100644 lib/ns/include/ns/stats.h create mode 100644 lib/ns/include/ns/types.h create mode 100644 lib/ns/include/ns/update.h create mode 100644 lib/ns/include/ns/xfrout.h create mode 100644 lib/ns/interfacemgr.c create mode 100644 lib/ns/listenlist.c create mode 100644 lib/ns/log.c create mode 100644 lib/ns/notify.c create mode 100644 lib/ns/query.c create mode 100644 lib/ns/server.c create mode 100644 lib/ns/sortlist.c create mode 100644 lib/ns/stats.c create mode 100644 lib/ns/update.c create mode 100644 lib/ns/xfrout.c (limited to 'lib/ns') diff --git a/lib/ns/Makefile.am b/lib/ns/Makefile.am new file mode 100644 index 0000000..eb86aeb --- /dev/null +++ b/lib/ns/Makefile.am @@ -0,0 +1,57 @@ +include $(top_srcdir)/Makefile.top + +AM_CPPFLAGS += \ + -DNAMED_PLUGINDIR=\"$(pkglibdir)\" + +lib_LTLIBRARIES = libns.la + +libns_ladir = $(includedir)/ns + +libns_la_HEADERS = \ + include/ns/client.h \ + include/ns/events.h \ + include/ns/hooks.h \ + include/ns/interfacemgr.h \ + include/ns/listenlist.h \ + include/ns/log.h \ + include/ns/notify.h \ + include/ns/query.h \ + include/ns/server.h \ + include/ns/sortlist.h \ + include/ns/stats.h \ + include/ns/types.h \ + include/ns/update.h \ + include/ns/xfrout.h + +libns_la_SOURCES = \ + $(libns_la_HEADERS) \ + client.c \ + hooks.c \ + interfacemgr.c \ + listenlist.c \ + log.c \ + notify.c \ + query.c \ + server.c \ + sortlist.c \ + stats.c \ + update.c \ + xfrout.c + +libns_la_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(LIBDNS_CFLAGS) \ + $(LIBISC_CFLAGS) \ + $(LIBNS_CFLAGS) \ + $(LIBUV_CFLAGS) \ + $(OPENSSL_CFLAGS) + +libns_la_LIBADD = \ + $(LIBDNS_LIBS) \ + $(LIBISC_LIBS) \ + $(LIBUV_LIBS) \ + $(OPENSSL_LIBS) + +libns_la_LDFLAGS = \ + $(AM_LDFLAGS) \ + -release "$(PACKAGE_VERSION)" diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in new file mode 100644 index 0000000..ba30d74 --- /dev/null +++ b/lib/ns/Makefile.in @@ -0,0 +1,1035 @@ +# Makefile.in generated by automake 1.16.5 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2021 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Hey Emacs, this is -*- makefile-automake -*- file! +# vim: filetype=automake + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +@HOST_MACOS_TRUE@am__append_1 = \ +@HOST_MACOS_TRUE@ -Wl,-flat_namespace + +subdir = lib/ns +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_check_openssl.m4 \ + $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ + $(top_srcdir)/m4/ax_jemalloc.m4 \ + $(top_srcdir)/m4/ax_lib_lmdb.m4 \ + $(top_srcdir)/m4/ax_perl_module.m4 \ + $(top_srcdir)/m4/ax_posix_shell.m4 \ + $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ + $(top_srcdir)/m4/ax_pthread.m4 \ + $(top_srcdir)/m4/ax_python_module.m4 \ + $(top_srcdir)/m4/ax_restore_flags.m4 \ + $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(libns_la_HEADERS) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libns_ladir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +am__DEPENDENCIES_1 = +libns_la_DEPENDENCIES = $(LIBDNS_LIBS) $(LIBISC_LIBS) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +am__objects_1 = +am_libns_la_OBJECTS = $(am__objects_1) libns_la-client.lo \ + libns_la-hooks.lo libns_la-interfacemgr.lo \ + libns_la-listenlist.lo libns_la-log.lo libns_la-notify.lo \ + libns_la-query.lo libns_la-server.lo libns_la-sortlist.lo \ + libns_la-stats.lo libns_la-update.lo libns_la-xfrout.lo +libns_la_OBJECTS = $(am_libns_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libns_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libns_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/libns_la-client.Plo \ + ./$(DEPDIR)/libns_la-hooks.Plo \ + ./$(DEPDIR)/libns_la-interfacemgr.Plo \ + ./$(DEPDIR)/libns_la-listenlist.Plo \ + ./$(DEPDIR)/libns_la-log.Plo ./$(DEPDIR)/libns_la-notify.Plo \ + ./$(DEPDIR)/libns_la-query.Plo ./$(DEPDIR)/libns_la-server.Plo \ + ./$(DEPDIR)/libns_la-sortlist.Plo \ + ./$(DEPDIR)/libns_la-stats.Plo ./$(DEPDIR)/libns_la-update.Plo \ + ./$(DEPDIR)/libns_la-xfrout.Plo +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libns_la_SOURCES) +DIST_SOURCES = $(libns_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +HEADERS = $(libns_la_HEADERS) +am__extra_recursive_targets = test-recursive unit-recursive \ + doc-recursive +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Makefile.top \ + $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EXEEXT = @BUILD_EXEEXT@ +BUILD_OBJEXT = @BUILD_OBJEXT@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ +CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ +CURL = @CURL@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DEVELOPER_MODE = @DEVELOPER_MODE@ +DLLTOOL = @DLLTOOL@ +DNSTAP_CFLAGS = @DNSTAP_CFLAGS@ +DNSTAP_LIBS = @DNSTAP_LIBS@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ETAGS = @ETAGS@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FILECMD = @FILECMD@ +FSTRM_CAPTURE = @FSTRM_CAPTURE@ +FUZZ_LDFLAGS = @FUZZ_LDFLAGS@ +FUZZ_LOG_COMPILER = @FUZZ_LOG_COMPILER@ +GREP = @GREP@ +GSSAPI_CFLAGS = @GSSAPI_CFLAGS@ +GSSAPI_LIBS = @GSSAPI_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +JEMALLOC_CFLAGS = @JEMALLOC_CFLAGS@ +JEMALLOC_LIBS = @JEMALLOC_LIBS@ +JSON_C_CFLAGS = @JSON_C_CFLAGS@ +JSON_C_LIBS = @JSON_C_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LATEXMK = @LATEXMK@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ +LIBCAP_LIBS = @LIBCAP_LIBS@ +LIBIDN2_CFLAGS = @LIBIDN2_CFLAGS@ +LIBIDN2_LIBS = @LIBIDN2_LIBS@ +LIBNGHTTP2_CFLAGS = @LIBNGHTTP2_CFLAGS@ +LIBNGHTTP2_LIBS = @LIBNGHTTP2_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBUV_CFLAGS = @LIBUV_CFLAGS@ +LIBUV_LIBS = @LIBUV_LIBS@ +LIBXML2_CFLAGS = @LIBXML2_CFLAGS@ +LIBXML2_LIBS = @LIBXML2_LIBS@ +LIPO = @LIPO@ +LMDB_CFLAGS = @LMDB_CFLAGS@ +LMDB_LIBS = @LMDB_LIBS@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@ +MAXMINDDB_LIBS = @MAXMINDDB_LIBS@ +MAXMINDDB_PREFIX = @MAXMINDDB_PREFIX@ +MKDIR_P = @MKDIR_P@ +NC = @NC@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LDFLAGS = @OPENSSL_LDFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PROTOC_C = @PROTOC_C@ +PTHREAD_CC = @PTHREAD_CC@ +PTHREAD_CFLAGS = @PTHREAD_CFLAGS@ +PTHREAD_CXX = @PTHREAD_CXX@ +PTHREAD_LIBS = @PTHREAD_LIBS@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +READLINE_CFLAGS = @READLINE_CFLAGS@ +READLINE_LIBS = @READLINE_LIBS@ +RELEASE_DATE = @RELEASE_DATE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SPHINX_BUILD = @SPHINX_BUILD@ +STD_CFLAGS = @STD_CFLAGS@ +STD_CPPFLAGS = @STD_CPPFLAGS@ +STD_LDFLAGS = @STD_LDFLAGS@ +STRIP = @STRIP@ +TEST_CFLAGS = @TEST_CFLAGS@ +VERSION = @VERSION@ +XELATEX = @XELATEX@ +XSLTPROC = @XSLTPROC@ +ZLIB_CFLAGS = @ZLIB_CFLAGS@ +ZLIB_LIBS = @ZLIB_LIBS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +ax_pthread_config = @ax_pthread_config@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4 +AM_CFLAGS = \ + $(STD_CFLAGS) + +AM_CPPFLAGS = $(STD_CPPFLAGS) -include $(top_builddir)/config.h \ + -I$(srcdir)/include -DNAMED_PLUGINDIR=\"$(pkglibdir)\" +AM_LDFLAGS = $(STD_LDFLAGS) $(am__append_1) +LDADD = +LIBISC_CFLAGS = \ + -I$(top_srcdir)/include \ + -I$(top_srcdir)/lib/isc/include \ + -I$(top_builddir)/lib/isc/include + +LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la +LIBDNS_CFLAGS = \ + -I$(top_srcdir)/lib/dns/include \ + -I$(top_builddir)/lib/dns/include + +LIBDNS_LIBS = \ + $(top_builddir)/lib/dns/libdns.la + +LIBNS_CFLAGS = \ + -I$(top_srcdir)/lib/ns/include + +LIBNS_LIBS = \ + $(top_builddir)/lib/ns/libns.la + +LIBIRS_CFLAGS = \ + -I$(top_srcdir)/lib/irs/include + +LIBIRS_LIBS = \ + $(top_builddir)/lib/irs/libirs.la + +LIBISCCFG_CFLAGS = \ + -I$(top_srcdir)/lib/isccfg/include + +LIBISCCFG_LIBS = \ + $(top_builddir)/lib/isccfg/libisccfg.la + +LIBISCCC_CFLAGS = \ + -I$(top_srcdir)/lib/isccc/include/ + +LIBISCCC_LIBS = \ + $(top_builddir)/lib/isccc/libisccc.la + +LIBBIND9_CFLAGS = \ + -I$(top_srcdir)/lib/bind9/include + +LIBBIND9_LIBS = \ + $(top_builddir)/lib/bind9/libbind9.la + +lib_LTLIBRARIES = libns.la +libns_ladir = $(includedir)/ns +libns_la_HEADERS = \ + include/ns/client.h \ + include/ns/events.h \ + include/ns/hooks.h \ + include/ns/interfacemgr.h \ + include/ns/listenlist.h \ + include/ns/log.h \ + include/ns/notify.h \ + include/ns/query.h \ + include/ns/server.h \ + include/ns/sortlist.h \ + include/ns/stats.h \ + include/ns/types.h \ + include/ns/update.h \ + include/ns/xfrout.h + +libns_la_SOURCES = \ + $(libns_la_HEADERS) \ + client.c \ + hooks.c \ + interfacemgr.c \ + listenlist.c \ + log.c \ + notify.c \ + query.c \ + server.c \ + sortlist.c \ + stats.c \ + update.c \ + xfrout.c + +libns_la_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(LIBDNS_CFLAGS) \ + $(LIBISC_CFLAGS) \ + $(LIBNS_CFLAGS) \ + $(LIBUV_CFLAGS) \ + $(OPENSSL_CFLAGS) + +libns_la_LIBADD = \ + $(LIBDNS_LIBS) \ + $(LIBISC_LIBS) \ + $(LIBUV_LIBS) \ + $(OPENSSL_LIBS) + +libns_la_LDFLAGS = \ + $(AM_LDFLAGS) \ + -release "$(PACKAGE_VERSION)" + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.top $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/ns/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign lib/ns/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; +$(top_srcdir)/Makefile.top $(am__empty): + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libns.la: $(libns_la_OBJECTS) $(libns_la_DEPENDENCIES) $(EXTRA_libns_la_DEPENDENCIES) + $(AM_V_CCLD)$(libns_la_LINK) -rpath $(libdir) $(libns_la_OBJECTS) $(libns_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-client.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-hooks.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-interfacemgr.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-listenlist.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-log.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-notify.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-query.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-server.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-sortlist.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-stats.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-update.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libns_la-xfrout.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +libns_la-client.lo: client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-client.lo -MD -MP -MF $(DEPDIR)/libns_la-client.Tpo -c -o libns_la-client.lo `test -f 'client.c' || echo '$(srcdir)/'`client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-client.Tpo $(DEPDIR)/libns_la-client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='client.c' object='libns_la-client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-client.lo `test -f 'client.c' || echo '$(srcdir)/'`client.c + +libns_la-hooks.lo: hooks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-hooks.lo -MD -MP -MF $(DEPDIR)/libns_la-hooks.Tpo -c -o libns_la-hooks.lo `test -f 'hooks.c' || echo '$(srcdir)/'`hooks.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-hooks.Tpo $(DEPDIR)/libns_la-hooks.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hooks.c' object='libns_la-hooks.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-hooks.lo `test -f 'hooks.c' || echo '$(srcdir)/'`hooks.c + +libns_la-interfacemgr.lo: interfacemgr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-interfacemgr.lo -MD -MP -MF $(DEPDIR)/libns_la-interfacemgr.Tpo -c -o libns_la-interfacemgr.lo `test -f 'interfacemgr.c' || echo '$(srcdir)/'`interfacemgr.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-interfacemgr.Tpo $(DEPDIR)/libns_la-interfacemgr.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='interfacemgr.c' object='libns_la-interfacemgr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-interfacemgr.lo `test -f 'interfacemgr.c' || echo '$(srcdir)/'`interfacemgr.c + +libns_la-listenlist.lo: listenlist.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-listenlist.lo -MD -MP -MF $(DEPDIR)/libns_la-listenlist.Tpo -c -o libns_la-listenlist.lo `test -f 'listenlist.c' || echo '$(srcdir)/'`listenlist.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-listenlist.Tpo $(DEPDIR)/libns_la-listenlist.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='listenlist.c' object='libns_la-listenlist.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-listenlist.lo `test -f 'listenlist.c' || echo '$(srcdir)/'`listenlist.c + +libns_la-log.lo: log.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-log.lo -MD -MP -MF $(DEPDIR)/libns_la-log.Tpo -c -o libns_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-log.Tpo $(DEPDIR)/libns_la-log.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='libns_la-log.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c + +libns_la-notify.lo: notify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-notify.lo -MD -MP -MF $(DEPDIR)/libns_la-notify.Tpo -c -o libns_la-notify.lo `test -f 'notify.c' || echo '$(srcdir)/'`notify.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-notify.Tpo $(DEPDIR)/libns_la-notify.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='notify.c' object='libns_la-notify.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-notify.lo `test -f 'notify.c' || echo '$(srcdir)/'`notify.c + +libns_la-query.lo: query.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-query.lo -MD -MP -MF $(DEPDIR)/libns_la-query.Tpo -c -o libns_la-query.lo `test -f 'query.c' || echo '$(srcdir)/'`query.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-query.Tpo $(DEPDIR)/libns_la-query.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='query.c' object='libns_la-query.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-query.lo `test -f 'query.c' || echo '$(srcdir)/'`query.c + +libns_la-server.lo: server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-server.lo -MD -MP -MF $(DEPDIR)/libns_la-server.Tpo -c -o libns_la-server.lo `test -f 'server.c' || echo '$(srcdir)/'`server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-server.Tpo $(DEPDIR)/libns_la-server.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='server.c' object='libns_la-server.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-server.lo `test -f 'server.c' || echo '$(srcdir)/'`server.c + +libns_la-sortlist.lo: sortlist.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-sortlist.lo -MD -MP -MF $(DEPDIR)/libns_la-sortlist.Tpo -c -o libns_la-sortlist.lo `test -f 'sortlist.c' || echo '$(srcdir)/'`sortlist.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-sortlist.Tpo $(DEPDIR)/libns_la-sortlist.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sortlist.c' object='libns_la-sortlist.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-sortlist.lo `test -f 'sortlist.c' || echo '$(srcdir)/'`sortlist.c + +libns_la-stats.lo: stats.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-stats.lo -MD -MP -MF $(DEPDIR)/libns_la-stats.Tpo -c -o libns_la-stats.lo `test -f 'stats.c' || echo '$(srcdir)/'`stats.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-stats.Tpo $(DEPDIR)/libns_la-stats.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='stats.c' object='libns_la-stats.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-stats.lo `test -f 'stats.c' || echo '$(srcdir)/'`stats.c + +libns_la-update.lo: update.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-update.lo -MD -MP -MF $(DEPDIR)/libns_la-update.Tpo -c -o libns_la-update.lo `test -f 'update.c' || echo '$(srcdir)/'`update.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-update.Tpo $(DEPDIR)/libns_la-update.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='update.c' object='libns_la-update.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-update.lo `test -f 'update.c' || echo '$(srcdir)/'`update.c + +libns_la-xfrout.lo: xfrout.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libns_la-xfrout.lo -MD -MP -MF $(DEPDIR)/libns_la-xfrout.Tpo -c -o libns_la-xfrout.lo `test -f 'xfrout.c' || echo '$(srcdir)/'`xfrout.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libns_la-xfrout.Tpo $(DEPDIR)/libns_la-xfrout.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xfrout.c' object='libns_la-xfrout.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libns_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libns_la-xfrout.lo `test -f 'xfrout.c' || echo '$(srcdir)/'`xfrout.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-libns_laHEADERS: $(libns_la_HEADERS) + @$(NORMAL_INSTALL) + @list='$(libns_la_HEADERS)'; test -n "$(libns_ladir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(libns_ladir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libns_ladir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(libns_ladir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(libns_ladir)" || exit $$?; \ + done + +uninstall-libns_laHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(libns_la_HEADERS)'; test -n "$(libns_ladir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(libns_ladir)'; $(am__uninstall_files_from_dir) +test-local: +unit-local: +doc-local: + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libns_ladir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/libns_la-client.Plo + -rm -f ./$(DEPDIR)/libns_la-hooks.Plo + -rm -f ./$(DEPDIR)/libns_la-interfacemgr.Plo + -rm -f ./$(DEPDIR)/libns_la-listenlist.Plo + -rm -f ./$(DEPDIR)/libns_la-log.Plo + -rm -f ./$(DEPDIR)/libns_la-notify.Plo + -rm -f ./$(DEPDIR)/libns_la-query.Plo + -rm -f ./$(DEPDIR)/libns_la-server.Plo + -rm -f ./$(DEPDIR)/libns_la-sortlist.Plo + -rm -f ./$(DEPDIR)/libns_la-stats.Plo + -rm -f ./$(DEPDIR)/libns_la-update.Plo + -rm -f ./$(DEPDIR)/libns_la-xfrout.Plo + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +doc: doc-am + +doc-am: doc-local + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-libns_laHEADERS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/libns_la-client.Plo + -rm -f ./$(DEPDIR)/libns_la-hooks.Plo + -rm -f ./$(DEPDIR)/libns_la-interfacemgr.Plo + -rm -f ./$(DEPDIR)/libns_la-listenlist.Plo + -rm -f ./$(DEPDIR)/libns_la-log.Plo + -rm -f ./$(DEPDIR)/libns_la-notify.Plo + -rm -f ./$(DEPDIR)/libns_la-query.Plo + -rm -f ./$(DEPDIR)/libns_la-server.Plo + -rm -f ./$(DEPDIR)/libns_la-sortlist.Plo + -rm -f ./$(DEPDIR)/libns_la-stats.Plo + -rm -f ./$(DEPDIR)/libns_la-update.Plo + -rm -f ./$(DEPDIR)/libns_la-xfrout.Plo + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +test: test-am + +test-am: test-local + +uninstall-am: uninstall-libLTLIBRARIES uninstall-libns_laHEADERS + +unit: unit-am + +unit-am: unit-local + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir doc-am doc-local dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-libLTLIBRARIES \ + install-libns_laHEADERS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am test-am test-local uninstall uninstall-am \ + uninstall-libLTLIBRARIES uninstall-libns_laHEADERS unit-am \ + unit-local + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/lib/ns/client.c b/lib/ns/client.c new file mode 100644 index 0000000..5ed64fd --- /dev/null +++ b/lib/ns/client.c @@ -0,0 +1,3093 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +/*** + *** Client + ***/ + +/*! \file + * Client Routines + * + * Important note! + * + * All client state changes, other than that from idle to listening, occur + * as a result of events. This guarantees serialization and avoids the + * need for locking. + * + * If a routine is ever created that allows someone other than the client's + * task to change the client, then the client will have to be locked. + */ + +#ifdef NS_CLIENT_TRACE +#define CTRACE(m) \ + ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \ + ISC_LOG_DEBUG(3), "%s", (m)) +#define MTRACE(m) \ + isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \ + ISC_LOG_DEBUG(3), "clientmgr @%p: %s", manager, (m)) +#else /* ifdef NS_CLIENT_TRACE */ +#define CTRACE(m) ((void)(m)) +#define MTRACE(m) ((void)(m)) +#endif /* ifdef NS_CLIENT_TRACE */ + +#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) + +#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ +#define ECS_SIZE 20U /* 2 + 1 + 1 + [0..16] */ + +#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) +#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) +#define WANTPAD(x) (((x)->attributes & NS_CLIENTATTR_WANTPAD) != 0) +#define USEKEEPALIVE(x) (((x)->attributes & NS_CLIENTATTR_USEKEEPALIVE) != 0) + +#define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm') +#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC) + +/* + * Enable ns_client_dropport() by default. + */ +#ifndef NS_CLIENT_DROPPORT +#define NS_CLIENT_DROPPORT 1 +#endif /* ifndef NS_CLIENT_DROPPORT */ + +atomic_uint_fast64_t ns_client_requests = 0; + +static void +clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp); +static void +clientmgr_destroy(ns_clientmgr_t *manager); +static void +ns_client_endrequest(ns_client_t *client); +static void +ns_client_dumpmessage(ns_client_t *client, const char *reason); +static void +compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce, + const unsigned char *secret, isc_buffer_t *buf); + +void +ns_client_recursing(ns_client_t *client) { + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(client->state == NS_CLIENTSTATE_WORKING); + + LOCK(&client->manager->reclock); + client->state = NS_CLIENTSTATE_RECURSING; + ISC_LIST_APPEND(client->manager->recursing, client, rlink); + UNLOCK(&client->manager->reclock); +} + +void +ns_client_killoldestquery(ns_client_t *client) { + ns_client_t *oldest; + REQUIRE(NS_CLIENT_VALID(client)); + + LOCK(&client->manager->reclock); + oldest = ISC_LIST_HEAD(client->manager->recursing); + if (oldest != NULL) { + ISC_LIST_UNLINK(client->manager->recursing, oldest, rlink); + ns_query_cancel(oldest); + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_reclimitdropped); + } + UNLOCK(&client->manager->reclock); +} + +void +ns_client_settimeout(ns_client_t *client, unsigned int seconds) { + UNUSED(client); + UNUSED(seconds); + /* XXXWPK TODO use netmgr to set timeout */ +} + +static void +client_extendederror_reset(ns_client_t *client) { + if (client->ede == NULL) { + return; + } + isc_mem_put(client->mctx, client->ede->value, client->ede->length); + isc_mem_put(client->mctx, client->ede, sizeof(dns_ednsopt_t)); + client->ede = NULL; +} + +void +ns_client_extendederror(ns_client_t *client, uint16_t code, const char *text) { + unsigned char ede[DNS_EDE_EXTRATEXT_LEN + 2]; + isc_buffer_t buf; + uint16_t len = sizeof(uint16_t); + + REQUIRE(NS_CLIENT_VALID(client)); + + if (client->ede != NULL) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "already have ede, ignoring %u %s", code, + text == NULL ? "(null)" : text); + return; + } + + ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(1), "set ede: info-code %u extra-text %s", + code, text == NULL ? "(null)" : text); + + isc_buffer_init(&buf, ede, sizeof(ede)); + isc_buffer_putuint16(&buf, code); + if (text != NULL && strlen(text) > 0) { + if (strlen(text) < DNS_EDE_EXTRATEXT_LEN) { + isc_buffer_putstr(&buf, text); + len += (uint16_t)(strlen(text)); + } else { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, + "ede extra-text too long, ignoring"); + } + } + + client->ede = isc_mem_get(client->mctx, sizeof(dns_ednsopt_t)); + client->ede->code = DNS_OPT_EDE; + client->ede->length = len; + client->ede->value = isc_mem_get(client->mctx, len); + memmove(client->ede->value, ede, len); +}; + +static void +ns_client_endrequest(ns_client_t *client) { + INSIST(client->nupdates == 0); + INSIST(client->state == NS_CLIENTSTATE_WORKING || + client->state == NS_CLIENTSTATE_RECURSING); + + CTRACE("endrequest"); + + if (client->state == NS_CLIENTSTATE_RECURSING) { + LOCK(&client->manager->reclock); + if (ISC_LINK_LINKED(client, rlink)) { + ISC_LIST_UNLINK(client->manager->recursing, client, + rlink); + } + UNLOCK(&client->manager->reclock); + } + + if (client->cleanup != NULL) { + (client->cleanup)(client); + client->cleanup = NULL; + } + + if (client->view != NULL) { +#ifdef ENABLE_AFL + if (client->sctx->fuzztype == isc_fuzz_resolver) { + dns_cache_clean(client->view->cache, INT_MAX); + dns_adb_flush(client->view->adb); + } +#endif /* ifdef ENABLE_AFL */ + dns_view_detach(&client->view); + } + if (client->opt != NULL) { + INSIST(dns_rdataset_isassociated(client->opt)); + dns_rdataset_disassociate(client->opt); + dns_message_puttemprdataset(client->message, &client->opt); + } + + client_extendederror_reset(client); + client->signer = NULL; + client->udpsize = 512; + client->extflags = 0; + client->ednsversion = -1; + client->additionaldepth = 0; + dns_ecs_init(&client->ecs); + dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE); + + /* + * Clean up from recursion - normally this would be done in + * fetch_callback(), but if we're shutting down and canceling then + * it might not have happened. + */ + if (client->recursionquota != NULL) { + isc_quota_detach(&client->recursionquota); + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + } + + /* + * Clear all client attributes that are specific to the request + */ + client->attributes = 0; +#ifdef ENABLE_AFL + if (client->sctx->fuzznotify != NULL && + (client->sctx->fuzztype == isc_fuzz_client || + client->sctx->fuzztype == isc_fuzz_tcpclient || + client->sctx->fuzztype == isc_fuzz_resolver)) + { + client->sctx->fuzznotify(); + } +#endif /* ENABLE_AFL */ +} + +void +ns_client_drop(ns_client_t *client, isc_result_t result) { + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(client->state == NS_CLIENTSTATE_WORKING || + client->state == NS_CLIENTSTATE_RECURSING); + + CTRACE("drop"); + if (result != ISC_R_SUCCESS) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request failed: %s", isc_result_totext(result)); + } +} + +static void +client_senddone(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { + ns_client_t *client = cbarg; + + REQUIRE(client->sendhandle == handle); + + CTRACE("senddone"); + + /* + * Set sendhandle to NULL, but don't detach it immediately, in + * case we need to retry the send. If we do resend, then + * sendhandle will be reattached. Whether or not we resend, + * we will then detach the handle from *this* send by detaching + * 'handle' directly below. + */ + client->sendhandle = NULL; + + if (result != ISC_R_SUCCESS) { + if (!TCP_CLIENT(client) && result == ISC_R_MAXSIZE) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "send exceeded maximum size: truncating"); + client->query.attributes &= ~NS_QUERYATTR_ANSWERED; + client->rcode_override = dns_rcode_noerror; + ns_client_error(client, ISC_R_MAXSIZE); + } else { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "send failed: %s", + isc_result_totext(result)); + } + } + + isc_nmhandle_detach(&handle); +} + +static void +client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer, + unsigned char **datap) { + unsigned char *data; + uint32_t bufsize; + + REQUIRE(datap != NULL); + + if (TCP_CLIENT(client)) { + INSIST(client->tcpbuf == NULL); + client->tcpbuf = isc_mem_get(client->manager->send_mctx, + NS_CLIENT_TCP_BUFFER_SIZE); + client->tcpbuf_size = NS_CLIENT_TCP_BUFFER_SIZE; + data = client->tcpbuf; + isc_buffer_init(buffer, data, NS_CLIENT_TCP_BUFFER_SIZE); + } else { + data = client->sendbuf; + if ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) == 0) { + if (client->view != NULL) { + bufsize = client->view->nocookieudp; + } else { + bufsize = 512; + } + } else { + bufsize = client->udpsize; + } + if (bufsize > client->udpsize) { + bufsize = client->udpsize; + } + if (bufsize > NS_CLIENT_SEND_BUFFER_SIZE) { + bufsize = NS_CLIENT_SEND_BUFFER_SIZE; + } + isc_buffer_init(buffer, data, bufsize); + } + *datap = data; +} + +static void +client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) { + isc_result_t result; + isc_region_t r; + dns_ttl_t min_ttl = 0; + + REQUIRE(client->sendhandle == NULL); + + if (isc_buffer_base(buffer) == client->tcpbuf) { + size_t used = isc_buffer_usedlength(buffer); + client->tcpbuf = isc_mem_reget(client->manager->send_mctx, + client->tcpbuf, + client->tcpbuf_size, used); + client->tcpbuf_size = used; + r.base = client->tcpbuf; + r.length = used; + } else { + isc_buffer_usedregion(buffer, &r); + } + isc_nmhandle_attach(client->handle, &client->sendhandle); + + if (isc_nm_is_http_handle(client->handle)) { + result = dns_message_response_minttl(client->message, &min_ttl); + if (result == ISC_R_SUCCESS) { + isc_nm_set_maxage(client->handle, min_ttl); + } + } + isc_nm_send(client->handle, &r, client_senddone, client); +} + +void +ns_client_sendraw(ns_client_t *client, dns_message_t *message) { + isc_result_t result; + unsigned char *data = NULL; + isc_buffer_t buffer; + isc_region_t r; + isc_region_t *mr = NULL; + + REQUIRE(NS_CLIENT_VALID(client)); + + CTRACE("sendraw"); + + mr = dns_message_getrawmessage(message); + if (mr == NULL) { + result = ISC_R_UNEXPECTEDEND; + goto done; + } + + client_allocsendbuf(client, &buffer, &data); + + if (mr->length > isc_buffer_length(&buffer)) { + result = ISC_R_NOSPACE; + goto done; + } + + /* + * Copy message to buffer and fixup id. + */ + isc_buffer_availableregion(&buffer, &r); + result = isc_buffer_copyregion(&buffer, mr); + if (result != ISC_R_SUCCESS) { + goto done; + } + r.base[0] = (client->message->id >> 8) & 0xff; + r.base[1] = client->message->id & 0xff; + +#ifdef HAVE_DNSTAP + if (client->view != NULL) { + bool tcp = TCP_CLIENT(client); + dns_dtmsgtype_t dtmsgtype; + if (client->message->opcode == dns_opcode_update) { + dtmsgtype = DNS_DTTYPE_UR; + } else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { + dtmsgtype = DNS_DTTYPE_CR; + } else { + dtmsgtype = DNS_DTTYPE_AR; + } + dns_dt_send(client->view, dtmsgtype, &client->peeraddr, + &client->destsockaddr, tcp, NULL, + &client->requesttime, NULL, &buffer); + } +#endif + + client_sendpkg(client, &buffer); + + return; +done: + if (client->tcpbuf != NULL) { + isc_mem_put(client->manager->send_mctx, client->tcpbuf, + client->tcpbuf_size); + } + + ns_client_drop(client, result); +} + +void +ns_client_send(ns_client_t *client) { + isc_result_t result; + unsigned char *data = NULL; + isc_buffer_t buffer = { .magic = 0 }; + isc_region_t r; + dns_compress_t cctx; + bool cleanup_cctx = false; + unsigned int render_opts; + unsigned int preferred_glue; + bool opt_included = false; + size_t respsize; + dns_aclenv_t *env = NULL; +#ifdef HAVE_DNSTAP + unsigned char zone[DNS_NAME_MAXWIRE]; + dns_dtmsgtype_t dtmsgtype; + isc_region_t zr; +#endif /* HAVE_DNSTAP */ + + REQUIRE(NS_CLIENT_VALID(client)); + + if ((client->query.attributes & NS_QUERYATTR_ANSWERED) != 0) { + return; + } + + /* + * XXXWPK TODO + * Delay the response according to the -T delay option + */ + + env = client->manager->aclenv; + + CTRACE("send"); + + if (client->message->opcode == dns_opcode_query && + (client->attributes & NS_CLIENTATTR_RA) != 0) + { + client->message->flags |= DNS_MESSAGEFLAG_RA; + } + + if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) { + render_opts = 0; + } else { + render_opts = DNS_MESSAGERENDER_OMITDNSSEC; + } + + preferred_glue = 0; + if (client->view != NULL) { + if (client->view->preferred_glue == dns_rdatatype_a) { + preferred_glue = DNS_MESSAGERENDER_PREFER_A; + } else if (client->view->preferred_glue == dns_rdatatype_aaaa) { + preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; + } + } + if (preferred_glue == 0) { + if (isc_sockaddr_pf(&client->peeraddr) == AF_INET) { + preferred_glue = DNS_MESSAGERENDER_PREFER_A; + } else { + preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; + } + } + + /* + * Create an OPT for our reply. + */ + if ((client->attributes & NS_CLIENTATTR_WANTOPT) != 0) { + result = ns_client_addopt(client, client->message, + &client->opt); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } + + client_allocsendbuf(client, &buffer, &data); + + result = dns_compress_init(&cctx, -1, client->mctx); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + if (client->peeraddr_valid && client->view != NULL) { + isc_netaddr_t netaddr; + dns_name_t *name = NULL; + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + if (client->message->tsigkey != NULL) { + name = &client->message->tsigkey->name; + } + + if (client->view->nocasecompress == NULL || + !dns_acl_allowed(&netaddr, name, + client->view->nocasecompress, env)) + { + dns_compress_setsensitive(&cctx, true); + } + + if (!client->view->msgcompression) { + dns_compress_disable(&cctx); + } + } + cleanup_cctx = true; + + result = dns_message_renderbegin(client->message, &cctx, &buffer); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + if (client->opt != NULL) { + result = dns_message_setopt(client->message, client->opt); + opt_included = true; + client->opt = NULL; + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } + result = dns_message_rendersection(client->message, + DNS_SECTION_QUESTION, 0); + if (result == ISC_R_NOSPACE) { + client->message->flags |= DNS_MESSAGEFLAG_TC; + goto renderend; + } + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + /* + * Stop after the question if TC was set for rate limiting. + */ + if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) { + goto renderend; + } + result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, + DNS_MESSAGERENDER_PARTIAL | + render_opts); + if (result == ISC_R_NOSPACE) { + client->message->flags |= DNS_MESSAGEFLAG_TC; + goto renderend; + } + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = dns_message_rendersection( + client->message, DNS_SECTION_AUTHORITY, + DNS_MESSAGERENDER_PARTIAL | render_opts); + if (result == ISC_R_NOSPACE) { + client->message->flags |= DNS_MESSAGEFLAG_TC; + goto renderend; + } + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = dns_message_rendersection(client->message, + DNS_SECTION_ADDITIONAL, + preferred_glue | render_opts); + if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE) { + goto cleanup; + } +renderend: + result = dns_message_renderend(client->message); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + +#ifdef HAVE_DNSTAP + memset(&zr, 0, sizeof(zr)); + if (((client->message->flags & DNS_MESSAGEFLAG_AA) != 0) && + (client->query.authzone != NULL)) + { + isc_result_t eresult; + isc_buffer_t b; + dns_name_t *zo = dns_zone_getorigin(client->query.authzone); + + isc_buffer_init(&b, zone, sizeof(zone)); + dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE); + eresult = dns_name_towire(zo, &cctx, &b); + if (eresult == ISC_R_SUCCESS) { + isc_buffer_usedregion(&b, &zr); + } + } + + if (client->message->opcode == dns_opcode_update) { + dtmsgtype = DNS_DTTYPE_UR; + } else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { + dtmsgtype = DNS_DTTYPE_CR; + } else { + dtmsgtype = DNS_DTTYPE_AR; + } +#endif /* HAVE_DNSTAP */ + + if (cleanup_cctx) { + dns_compress_invalidate(&cctx); + } + + if (client->sendcb != NULL) { + client->sendcb(&buffer); + } else if (TCP_CLIENT(client)) { + isc_buffer_usedregion(&buffer, &r); +#ifdef HAVE_DNSTAP + if (client->view != NULL) { + dns_dt_send(client->view, dtmsgtype, &client->peeraddr, + &client->destsockaddr, true, &zr, + &client->requesttime, NULL, &buffer); + } +#endif /* HAVE_DNSTAP */ + + respsize = isc_buffer_usedlength(&buffer); + + client_sendpkg(client, &buffer); + + switch (isc_sockaddr_pf(&client->peeraddr)) { + case AF_INET: + isc_stats_increment(client->sctx->tcpoutstats4, + ISC_MIN((int)respsize / 16, 256)); + break; + case AF_INET6: + isc_stats_increment(client->sctx->tcpoutstats6, + ISC_MIN((int)respsize / 16, 256)); + break; + default: + UNREACHABLE(); + } + } else { +#ifdef HAVE_DNSTAP + /* + * Log dnstap data first, because client_sendpkg() may + * leave client->view set to NULL. + */ + if (client->view != NULL) { + dns_dt_send(client->view, dtmsgtype, &client->peeraddr, + &client->destsockaddr, false, &zr, + &client->requesttime, NULL, &buffer); + } +#endif /* HAVE_DNSTAP */ + + respsize = isc_buffer_usedlength(&buffer); + + client_sendpkg(client, &buffer); + + switch (isc_sockaddr_pf(&client->peeraddr)) { + case AF_INET: + isc_stats_increment(client->sctx->udpoutstats4, + ISC_MIN((int)respsize / 16, 256)); + break; + case AF_INET6: + isc_stats_increment(client->sctx->udpoutstats6, + ISC_MIN((int)respsize / 16, 256)); + break; + default: + UNREACHABLE(); + } + } + + /* update statistics (XXXJT: is it okay to access message->xxxkey?) */ + ns_stats_increment(client->sctx->nsstats, ns_statscounter_response); + + dns_rcodestats_increment(client->sctx->rcodestats, + client->message->rcode); + if (opt_included) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_edns0out); + } + if (client->message->tsigkey != NULL) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_tsigout); + } + if (client->message->sig0key != NULL) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_sig0out); + } + if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_truncatedresp); + } + + client->query.attributes |= NS_QUERYATTR_ANSWERED; + + return; + +cleanup: + if (client->tcpbuf != NULL) { + isc_mem_put(client->manager->send_mctx, client->tcpbuf, + client->tcpbuf_size); + } + + if (cleanup_cctx) { + dns_compress_invalidate(&cctx); + } +} + +#if NS_CLIENT_DROPPORT +#define DROPPORT_NO 0 +#define DROPPORT_REQUEST 1 +#define DROPPORT_RESPONSE 2 +/*% + * ns_client_dropport determines if certain requests / responses + * should be dropped based on the port number. + * + * Returns: + * \li 0: Don't drop. + * \li 1: Drop request. + * \li 2: Drop (error) response. + */ +static int +ns_client_dropport(in_port_t port) { + switch (port) { + case 7: /* echo */ + case 13: /* daytime */ + case 19: /* chargen */ + case 37: /* time */ + return (DROPPORT_REQUEST); + case 464: /* kpasswd */ + return (DROPPORT_RESPONSE); + } + return (DROPPORT_NO); +} +#endif /* if NS_CLIENT_DROPPORT */ + +void +ns_client_error(ns_client_t *client, isc_result_t result) { + dns_message_t *message = NULL; + dns_rcode_t rcode; + bool trunc = false; + + REQUIRE(NS_CLIENT_VALID(client)); + + CTRACE("error"); + + message = client->message; + + if (client->rcode_override == -1) { + rcode = dns_result_torcode(result); + } else { + rcode = (dns_rcode_t)(client->rcode_override & 0xfff); + } + + if (result == ISC_R_MAXSIZE) { + trunc = true; + } + +#if NS_CLIENT_DROPPORT + /* + * Don't send FORMERR to ports on the drop port list. + */ + if (rcode == dns_rcode_formerr && + ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) != + DROPPORT_NO) + { + char buf[64]; + isc_buffer_t b; + + isc_buffer_init(&b, buf, sizeof(buf) - 1); + if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS) { + isc_buffer_putstr(&b, "UNKNOWN RCODE"); + } + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), + "dropped error (%.*s) response: suspicious port", + (int)isc_buffer_usedlength(&b), buf); + ns_client_drop(client, ISC_R_SUCCESS); + return; + } +#endif /* if NS_CLIENT_DROPPORT */ + + /* + * Try to rate limit error responses. + */ + if (client->view != NULL && client->view->rrl != NULL) { + bool wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + dns_rrl_result_t rrl_result; + int loglevel; + + if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { + loglevel = DNS_RRL_LOG_DROP; + } else { + loglevel = ISC_LOG_DEBUG(1); + } + wouldlog = isc_log_wouldlog(ns_lctx, loglevel); + rrl_result = dns_rrl(client->view, NULL, &client->peeraddr, + TCP_CLIENT(client), dns_rdataclass_in, + dns_rdatatype_none, NULL, result, + client->now, wouldlog, log_buf, + sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped errors in the query category + * so that they are not lost in silence. + * Starts of rate-limited bursts are logged in + * NS_LOGCATEGORY_RRL. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_ERRORS, + NS_LOGMODULE_CLIENT, loglevel, + "%s", log_buf); + } + /* + * Some error responses cannot be 'slipped', + * so don't try to slip any error responses. + */ + if (!client->view->rrl->log_only) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_ratedropped); + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_dropped); + ns_client_drop(client, DNS_R_DROP); + return; + } + } + } + + /* + * Message may be an in-progress reply that we had trouble + * with, in which case QR will be set. We need to clear QR before + * calling dns_message_reply() to avoid triggering an assertion. + */ + message->flags &= ~DNS_MESSAGEFLAG_QR; + /* + * AA and AD shouldn't be set. + */ + message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD); + result = dns_message_reply(message, true); + if (result != ISC_R_SUCCESS) { + /* + * It could be that we've got a query with a good header, + * but a bad question section, so we try again with + * want_question_section set to false. + */ + result = dns_message_reply(message, false); + if (result != ISC_R_SUCCESS) { + ns_client_drop(client, result); + return; + } + } + + message->rcode = rcode; + if (trunc) { + message->flags |= DNS_MESSAGEFLAG_TC; + } + + if (rcode == dns_rcode_formerr) { + /* + * FORMERR loop avoidance: If we sent a FORMERR message + * with the same ID to the same client less than two + * seconds ago, assume that we are in an infinite error + * packet dialog with a server for some protocol whose + * error responses look enough like DNS queries to + * elicit a FORMERR response. Drop a packet to break + * the loop. + */ + if (isc_sockaddr_equal(&client->peeraddr, + &client->formerrcache.addr) && + message->id == client->formerrcache.id && + (isc_time_seconds(&client->requesttime) - + client->formerrcache.time) < 2) + { + /* Drop packet. */ + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "possible error packet loop, " + "FORMERR dropped"); + ns_client_drop(client, result); + return; + } + client->formerrcache.addr = client->peeraddr; + client->formerrcache.time = + isc_time_seconds(&client->requesttime); + client->formerrcache.id = message->id; + } else if (rcode == dns_rcode_servfail && client->query.qname != NULL && + client->view != NULL && client->view->fail_ttl != 0 && + ((client->attributes & NS_CLIENTATTR_NOSETFC) == 0)) + { + /* + * SERVFAIL caching: store qname/qtype of failed queries + */ + isc_time_t expire; + isc_interval_t i; + uint32_t flags = 0; + + if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) { + flags = NS_FAILCACHE_CD; + } + + isc_interval_set(&i, client->view->fail_ttl, 0); + result = isc_time_nowplusinterval(&expire, &i); + if (result == ISC_R_SUCCESS) { + dns_badcache_add( + client->view->failcache, client->query.qname, + client->query.qtype, true, flags, &expire); + } + } + + ns_client_send(client); +} + +isc_result_t +ns_client_addopt(ns_client_t *client, dns_message_t *message, + dns_rdataset_t **opt) { + unsigned char ecs[ECS_SIZE]; + char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL; + unsigned char cookie[COOKIE_SIZE]; + isc_result_t result; + dns_view_t *view = NULL; + dns_resolver_t *resolver = NULL; + uint16_t udpsize; + dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS]; + int count = 0; + unsigned int flags; + unsigned char expire[4]; + unsigned char advtimo[2]; + dns_aclenv_t *env = NULL; + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(opt != NULL && *opt == NULL); + REQUIRE(message != NULL); + + env = client->manager->aclenv; + view = client->view; + resolver = (view != NULL) ? view->resolver : NULL; + if (resolver != NULL) { + udpsize = dns_resolver_getudpsize(resolver); + } else { + udpsize = client->sctx->udpsize; + } + + flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; + + /* Set EDNS options if applicable */ + if (WANTNSID(client)) { + if (client->sctx->server_id != NULL) { + nsidp = client->sctx->server_id; + } else if (client->sctx->usehostname) { + result = gethostname(nsid, sizeof(nsid)); + if (result != ISC_R_SUCCESS) { + goto no_nsid; + } + nsidp = nsid; + } else { + goto no_nsid; + } + + INSIST(count < DNS_EDNSOPTIONS); + ednsopts[count].code = DNS_OPT_NSID; + ednsopts[count].length = (uint16_t)strlen(nsidp); + ednsopts[count].value = (unsigned char *)nsidp; + count++; + } +no_nsid: + if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) { + isc_buffer_t buf; + isc_stdtime_t now; + uint32_t nonce; + + isc_buffer_init(&buf, cookie, sizeof(cookie)); + isc_stdtime_get(&now); + + isc_random_buf(&nonce, sizeof(nonce)); + + compute_cookie(client, now, nonce, client->sctx->secret, &buf); + + INSIST(count < DNS_EDNSOPTIONS); + ednsopts[count].code = DNS_OPT_COOKIE; + ednsopts[count].length = COOKIE_SIZE; + ednsopts[count].value = cookie; + count++; + } + if ((client->attributes & NS_CLIENTATTR_HAVEEXPIRE) != 0) { + isc_buffer_t buf; + + INSIST(count < DNS_EDNSOPTIONS); + + isc_buffer_init(&buf, expire, sizeof(expire)); + isc_buffer_putuint32(&buf, client->expire); + ednsopts[count].code = DNS_OPT_EXPIRE; + ednsopts[count].length = 4; + ednsopts[count].value = expire; + count++; + } + if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) && + (client->ecs.addr.family == AF_INET || + client->ecs.addr.family == AF_INET6 || + client->ecs.addr.family == AF_UNSPEC)) + { + isc_buffer_t buf; + uint8_t addr[16]; + uint32_t plen, addrl; + uint16_t family = 0; + + /* Add CLIENT-SUBNET option. */ + + plen = client->ecs.source; + + /* Round up prefix len to a multiple of 8 */ + addrl = (plen + 7) / 8; + + switch (client->ecs.addr.family) { + case AF_UNSPEC: + INSIST(plen == 0); + family = 0; + break; + case AF_INET: + INSIST(plen <= 32); + family = 1; + memmove(addr, &client->ecs.addr.type, addrl); + break; + case AF_INET6: + INSIST(plen <= 128); + family = 2; + memmove(addr, &client->ecs.addr.type, addrl); + break; + default: + UNREACHABLE(); + } + + isc_buffer_init(&buf, ecs, sizeof(ecs)); + /* family */ + isc_buffer_putuint16(&buf, family); + /* source prefix-length */ + isc_buffer_putuint8(&buf, client->ecs.source); + /* scope prefix-length */ + isc_buffer_putuint8(&buf, client->ecs.scope); + + /* address */ + if (addrl > 0) { + /* Mask off last address byte */ + if ((plen % 8) != 0) { + addr[addrl - 1] &= ~0U << (8 - (plen % 8)); + } + isc_buffer_putmem(&buf, addr, (unsigned)addrl); + } + + ednsopts[count].code = DNS_OPT_CLIENT_SUBNET; + ednsopts[count].length = addrl + 4; + ednsopts[count].value = ecs; + count++; + } + if (TCP_CLIENT(client) && USEKEEPALIVE(client)) { + isc_buffer_t buf; + uint32_t adv; + + INSIST(count < DNS_EDNSOPTIONS); + + isc_nm_gettimeouts(isc_nmhandle_netmgr(client->handle), NULL, + NULL, NULL, &adv); + adv /= 100; /* units of 100 milliseconds */ + isc_buffer_init(&buf, advtimo, sizeof(advtimo)); + isc_buffer_putuint16(&buf, (uint16_t)adv); + ednsopts[count].code = DNS_OPT_TCP_KEEPALIVE; + ednsopts[count].length = 2; + ednsopts[count].value = advtimo; + count++; + } + + if (client->ede != NULL) { + INSIST(count < DNS_EDNSOPTIONS); + ednsopts[count].code = DNS_OPT_EDE; + ednsopts[count].length = client->ede->length; + ednsopts[count].value = client->ede->value; + count++; + } + + /* Padding must be added last */ + if ((view != NULL) && (view->padding > 0) && WANTPAD(client) && + (TCP_CLIENT(client) || + ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0))) + { + isc_netaddr_t netaddr; + int match; + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + result = dns_acl_match(&netaddr, NULL, view->pad_acl, env, + &match, NULL); + if (result == ISC_R_SUCCESS && match > 0) { + INSIST(count < DNS_EDNSOPTIONS); + + ednsopts[count].code = DNS_OPT_PAD; + ednsopts[count].length = 0; + ednsopts[count].value = NULL; + count++; + + dns_message_setpadding(message, view->padding); + } + } + + result = dns_message_buildopt(message, opt, 0, udpsize, flags, ednsopts, + count); + return (result); +} + +static void +compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce, + const unsigned char *secret, isc_buffer_t *buf) { + unsigned char digest[ISC_MAX_MD_SIZE] ISC_NONSTRING = { 0 }; + STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_SIPHASH24_TAG_LENGTH, "You need " + "to " + "increase " + "the digest " + "buffer."); + STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_AES_BLOCK_LENGTH, "You need to " + "increase the " + "digest " + "buffer."); + + switch (client->sctx->cookiealg) { + case ns_cookiealg_siphash24: { + unsigned char input[16 + 16] ISC_NONSTRING = { 0 }; + size_t inputlen = 0; + isc_netaddr_t netaddr; + unsigned char *cp; + + cp = isc_buffer_used(buf); + isc_buffer_putmem(buf, client->cookie, 8); + isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1); + isc_buffer_putuint24(buf, 0); /* Reserved */ + isc_buffer_putuint32(buf, when); + + memmove(input, cp, 16); + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + switch (netaddr.family) { + case AF_INET: + cp = (unsigned char *)&netaddr.type.in; + memmove(input + 16, cp, 4); + inputlen = 20; + break; + case AF_INET6: + cp = (unsigned char *)&netaddr.type.in6; + memmove(input + 16, cp, 16); + inputlen = 32; + break; + default: + UNREACHABLE(); + } + + isc_siphash24(secret, input, inputlen, digest); + isc_buffer_putmem(buf, digest, 8); + break; + } + case ns_cookiealg_aes: { + unsigned char input[4 + 4 + 16] ISC_NONSTRING = { 0 }; + isc_netaddr_t netaddr; + unsigned char *cp; + unsigned int i; + + cp = isc_buffer_used(buf); + isc_buffer_putmem(buf, client->cookie, 8); + isc_buffer_putuint32(buf, nonce); + isc_buffer_putuint32(buf, when); + memmove(input, cp, 16); + isc_aes128_crypt(secret, input, digest); + for (i = 0; i < 8; i++) { + input[i] = digest[i] ^ digest[i + 8]; + } + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + switch (netaddr.family) { + case AF_INET: + cp = (unsigned char *)&netaddr.type.in; + memmove(input + 8, cp, 4); + memset(input + 12, 0, 4); + isc_aes128_crypt(secret, input, digest); + break; + case AF_INET6: + cp = (unsigned char *)&netaddr.type.in6; + memmove(input + 8, cp, 16); + isc_aes128_crypt(secret, input, digest); + for (i = 0; i < 8; i++) { + input[i + 8] = digest[i] ^ digest[i + 8]; + } + isc_aes128_crypt(client->sctx->secret, input + 8, + digest); + break; + default: + UNREACHABLE(); + } + for (i = 0; i < 8; i++) { + digest[i] ^= digest[i + 8]; + } + isc_buffer_putmem(buf, digest, 8); + break; + } + + default: + UNREACHABLE(); + } +} + +static void +process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { + ns_altsecret_t *altsecret; + unsigned char dbuf[COOKIE_SIZE]; + unsigned char *old; + isc_stdtime_t now; + uint32_t when; + uint32_t nonce; + isc_buffer_t db; + + /* + * If we have already seen a cookie option skip this cookie option. + */ + if ((!client->sctx->answercookie) || + (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) + { + isc_buffer_forward(buf, (unsigned int)optlen); + return; + } + + client->attributes |= NS_CLIENTATTR_WANTCOOKIE; + + ns_stats_increment(client->sctx->nsstats, ns_statscounter_cookiein); + + if (optlen != COOKIE_SIZE) { + /* + * Not our token. + */ + INSIST(optlen >= 8U); + memmove(client->cookie, isc_buffer_current(buf), 8); + isc_buffer_forward(buf, (unsigned int)optlen); + + if (optlen == 8U) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookienew); + } else { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookiebadsize); + } + return; + } + + /* + * Process all of the incoming buffer. + */ + old = isc_buffer_current(buf); + memmove(client->cookie, old, 8); + isc_buffer_forward(buf, 8); + nonce = isc_buffer_getuint32(buf); + when = isc_buffer_getuint32(buf); + isc_buffer_forward(buf, 8); + + /* + * Allow for a 5 minute clock skew between servers sharing a secret. + * Only accept COOKIE if we have talked to the client in the last hour. + */ + isc_stdtime_get(&now); + if (isc_serial_gt(when, (now + 300)) || /* In the future. */ + isc_serial_lt(when, (now - 3600))) + { /* In the past. */ + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookiebadtime); + return; + } + + isc_buffer_init(&db, dbuf, sizeof(dbuf)); + compute_cookie(client, when, nonce, client->sctx->secret, &db); + + if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookiematch); + client->attributes |= NS_CLIENTATTR_HAVECOOKIE; + return; + } + + for (altsecret = ISC_LIST_HEAD(client->sctx->altsecrets); + altsecret != NULL; altsecret = ISC_LIST_NEXT(altsecret, link)) + { + isc_buffer_init(&db, dbuf, sizeof(dbuf)); + compute_cookie(client, when, nonce, altsecret->secret, &db); + if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookiematch); + client->attributes |= NS_CLIENTATTR_HAVECOOKIE; + return; + } + } + + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_cookienomatch); +} + +static isc_result_t +process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { + uint16_t family; + uint8_t addrlen, addrbytes, scope, *paddr; + isc_netaddr_t caddr; + + /* + * If we have already seen a ECS option skip this ECS option. + */ + if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { + isc_buffer_forward(buf, (unsigned int)optlen); + return (ISC_R_SUCCESS); + } + + /* + * XXXMUKS: Is there any need to repeat these checks here + * (except query's scope length) when they are done in the OPT + * RDATA fromwire code? + */ + + if (optlen < 4U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option too short"); + return (DNS_R_FORMERR); + } + + family = isc_buffer_getuint16(buf); + addrlen = isc_buffer_getuint8(buf); + scope = isc_buffer_getuint8(buf); + optlen -= 4; + + if (scope != 0U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: invalid scope"); + return (DNS_R_OPTERR); + } + + memset(&caddr, 0, sizeof(caddr)); + switch (family) { + case 0: + /* + * XXXMUKS: In queries, if FAMILY is set to 0, SOURCE + * PREFIX-LENGTH must be 0 and ADDRESS should not be + * present as the address and prefix lengths don't make + * sense because the family is unknown. + */ + if (addrlen != 0U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: invalid " + "address length (%u) for FAMILY=0", + addrlen); + return (DNS_R_OPTERR); + } + caddr.family = AF_UNSPEC; + break; + case 1: + if (addrlen > 32U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: invalid " + "address length (%u) for IPv4", + addrlen); + return (DNS_R_OPTERR); + } + caddr.family = AF_INET; + break; + case 2: + if (addrlen > 128U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: invalid " + "address length (%u) for IPv6", + addrlen); + return (DNS_R_OPTERR); + } + caddr.family = AF_INET6; + break; + default: + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: invalid family"); + return (DNS_R_OPTERR); + } + + addrbytes = (addrlen + 7) / 8; + if (isc_buffer_remaininglength(buf) < addrbytes) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client-subnet option: address too short"); + return (DNS_R_OPTERR); + } + + paddr = (uint8_t *)&caddr.type; + if (addrbytes != 0U) { + memmove(paddr, isc_buffer_current(buf), addrbytes); + isc_buffer_forward(buf, addrbytes); + optlen -= addrbytes; + + if ((addrlen % 8) != 0) { + uint8_t bits = ~0U << (8 - (addrlen % 8)); + bits &= paddr[addrbytes - 1]; + if (bits != paddr[addrbytes - 1]) { + return (DNS_R_OPTERR); + } + } + } + + memmove(&client->ecs.addr, &caddr, sizeof(caddr)); + client->ecs.source = addrlen; + client->ecs.scope = 0; + client->attributes |= NS_CLIENTATTR_HAVEECS; + + isc_buffer_forward(buf, (unsigned int)optlen); + return (ISC_R_SUCCESS); +} + +static isc_result_t +process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { + if (optlen == 0 || (optlen % 2) != 0) { + isc_buffer_forward(buf, (unsigned int)optlen); + return (DNS_R_OPTERR); + } + + /* Silently drop additional keytag options. */ + if (client->keytag != NULL) { + isc_buffer_forward(buf, (unsigned int)optlen); + return (ISC_R_SUCCESS); + } + + client->keytag = isc_mem_get(client->mctx, optlen); + { + client->keytag_len = (uint16_t)optlen; + memmove(client->keytag, isc_buffer_current(buf), optlen); + } + isc_buffer_forward(buf, (unsigned int)optlen); + return (ISC_R_SUCCESS); +} + +static isc_result_t +process_opt(ns_client_t *client, dns_rdataset_t *opt) { + dns_rdata_t rdata; + isc_buffer_t optbuf; + isc_result_t result; + uint16_t optcode; + uint16_t optlen; + + /* + * Set the client's UDP buffer size. + */ + client->udpsize = opt->rdclass; + + /* + * If the requested UDP buffer size is less than 512, + * ignore it and use 512. + */ + if (client->udpsize < 512) { + client->udpsize = 512; + } + + /* + * Get the flags out of the OPT record. + */ + client->extflags = (uint16_t)(opt->ttl & 0xFFFF); + + /* + * Do we understand this version of EDNS? + * + * XXXRTH need library support for this! + */ + client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; + if (client->ednsversion > DNS_EDNS_VERSION) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_badednsver); + result = ns_client_addopt(client, client->message, + &client->opt); + if (result == ISC_R_SUCCESS) { + result = DNS_R_BADVERS; + } + ns_client_error(client, result); + return (result); + } + + /* Check for NSID request */ + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { + dns_rdata_init(&rdata); + dns_rdataset_current(opt, &rdata); + isc_buffer_init(&optbuf, rdata.data, rdata.length); + isc_buffer_add(&optbuf, rdata.length); + while (isc_buffer_remaininglength(&optbuf) >= 4) { + optcode = isc_buffer_getuint16(&optbuf); + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { + case DNS_OPT_NSID: + if (!WANTNSID(client)) { + ns_stats_increment( + client->sctx->nsstats, + ns_statscounter_nsidopt); + } + client->attributes |= NS_CLIENTATTR_WANTNSID; + isc_buffer_forward(&optbuf, optlen); + break; + case DNS_OPT_COOKIE: + process_cookie(client, &optbuf, optlen); + break; + case DNS_OPT_EXPIRE: + if (!WANTEXPIRE(client)) { + ns_stats_increment( + client->sctx->nsstats, + ns_statscounter_expireopt); + } + client->attributes |= NS_CLIENTATTR_WANTEXPIRE; + isc_buffer_forward(&optbuf, optlen); + break; + case DNS_OPT_CLIENT_SUBNET: + result = process_ecs(client, &optbuf, optlen); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); + return (result); + } + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_ecsopt); + break; + case DNS_OPT_TCP_KEEPALIVE: + if (!USEKEEPALIVE(client)) { + ns_stats_increment( + client->sctx->nsstats, + ns_statscounter_keepaliveopt); + } + client->attributes |= + NS_CLIENTATTR_USEKEEPALIVE; + isc_nmhandle_keepalive(client->handle, true); + isc_buffer_forward(&optbuf, optlen); + break; + case DNS_OPT_PAD: + client->attributes |= NS_CLIENTATTR_WANTPAD; + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_padopt); + isc_buffer_forward(&optbuf, optlen); + break; + case DNS_OPT_KEY_TAG: + result = process_keytag(client, &optbuf, + optlen); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); + return (result); + } + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_keytagopt); + break; + default: + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_otheropt); + isc_buffer_forward(&optbuf, optlen); + break; + } + } + } + + ns_stats_increment(client->sctx->nsstats, ns_statscounter_edns0in); + client->attributes |= NS_CLIENTATTR_WANTOPT; + + return (result); +} + +void +ns__client_reset_cb(void *client0) { + ns_client_t *client = client0; + + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), "reset client"); + + /* + * We never started processing this client, possible if we're + * shutting down, just exit. + */ + if (client->state == NS_CLIENTSTATE_READY) { + return; + } + + ns_client_endrequest(client); + if (client->tcpbuf != NULL) { + isc_mem_put(client->manager->send_mctx, client->tcpbuf, + client->tcpbuf_size); + } + + if (client->keytag != NULL) { + isc_mem_put(client->mctx, client->keytag, client->keytag_len); + client->keytag_len = 0; + } + + client->state = NS_CLIENTSTATE_READY; + INSIST(client->recursionquota == NULL); + +#ifdef WANT_SINGLETRACE + isc_log_setforcelog(false); +#endif /* WANT_SINGLETRACE */ +} + +void +ns__client_put_cb(void *client0) { + ns_client_t *client = client0; + + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), "freeing client"); + + /* + * Call this first because it requires a valid client. + */ + ns_query_free(client); + + client->magic = 0; + client->shuttingdown = true; + + isc_mem_put(client->manager->send_mctx, client->sendbuf, + NS_CLIENT_SEND_BUFFER_SIZE); + if (client->opt != NULL) { + INSIST(dns_rdataset_isassociated(client->opt)); + dns_rdataset_disassociate(client->opt); + dns_message_puttemprdataset(client->message, &client->opt); + } + client_extendederror_reset(client); + + dns_message_detach(&client->message); + + if (client->manager != NULL) { + ns_clientmgr_detach(&client->manager); + } + + /* + * Detaching the task must be done after unlinking from + * the manager's lists because the manager accesses + * client->task. + */ + if (client->task != NULL) { + isc_task_detach(&client->task); + } + + /* + * Destroy the fetchlock mutex that was created in + * ns_query_init(). + */ + isc_mutex_destroy(&client->query.fetchlock); + + if (client->sctx != NULL) { + ns_server_detach(&client->sctx); + } + + isc_mem_detach(&client->mctx); +} + +/* + * Handle an incoming request event from the socket (UDP case) + * or tcpmsg (TCP case). + */ +void +ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, + isc_region_t *region, void *arg) { + ns_client_t *client = NULL; + isc_result_t result; + isc_result_t sigresult = ISC_R_SUCCESS; + isc_buffer_t *buffer = NULL; + isc_buffer_t tbuffer; + dns_rdataset_t *opt = NULL; + const dns_name_t *signame = NULL; + bool ra; /* Recursion available. */ + isc_netaddr_t netaddr; + int match; + dns_messageid_t id; + unsigned int flags; + bool notimp; + size_t reqsize; + dns_aclenv_t *env = NULL; +#ifdef HAVE_DNSTAP + dns_dtmsgtype_t dtmsgtype; +#endif /* ifdef HAVE_DNSTAP */ + static const char *ra_reasons[] = { + "ACLs not processed yet", + "no resolver in view", + "recursion not enabled for view", + "allow-recursion did not match", + "allow-query-cache did not match", + "allow-recursion-on did not match", + "allow-query-cache-on did not match", + }; + enum refusal_reasons { + INVALID, + NO_RESOLVER, + RECURSION_DISABLED, + ALLOW_RECURSION, + ALLOW_QUERY_CACHE, + ALLOW_RECURSION_ON, + ALLOW_QUERY_CACHE_ON + } ra_refusal_reason = INVALID; + + if (eresult != ISC_R_SUCCESS) { + return; + } + + client = isc_nmhandle_getdata(handle); + if (client == NULL) { + ns_interface_t *ifp = (ns_interface_t *)arg; + ns_clientmgr_t *clientmgr = + ns_interfacemgr_getclientmgr(ifp->mgr); + + INSIST(VALID_MANAGER(clientmgr)); + + client = isc_nmhandle_getextra(handle); + + result = ns__client_setup(client, clientmgr, true); + if (result != ISC_R_SUCCESS) { + return; + } + + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "allocate new client"); + } else { + result = ns__client_setup(client, NULL, false); + if (result != ISC_R_SUCCESS) { + return; + } + } + + client->state = NS_CLIENTSTATE_READY; + + if (client->handle == NULL) { + isc_nmhandle_setdata(handle, client, ns__client_reset_cb, + ns__client_put_cb); + client->handle = handle; + } + + if (isc_nmhandle_is_stream(handle)) { + client->attributes |= NS_CLIENTATTR_TCP; + } + + INSIST(client->recursionquota == NULL); + + INSIST(client->state == NS_CLIENTSTATE_READY); + + (void)atomic_fetch_add_relaxed(&ns_client_requests, 1); + + isc_buffer_init(&tbuffer, region->base, region->length); + isc_buffer_add(&tbuffer, region->length); + buffer = &tbuffer; + + client->peeraddr = isc_nmhandle_peeraddr(handle); + client->peeraddr_valid = true; + + reqsize = isc_buffer_usedlength(buffer); + + client->state = NS_CLIENTSTATE_WORKING; + + TIME_NOW(&client->requesttime); + client->tnow = client->requesttime; + client->now = isc_time_seconds(&client->tnow); + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + +#if NS_CLIENT_DROPPORT + if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) == + DROPPORT_REQUEST) + { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), + "dropped request: suspicious port"); + isc_nm_bad_request(handle); + return; + } +#endif /* if NS_CLIENT_DROPPORT */ + + env = client->manager->aclenv; + if (client->sctx->blackholeacl != NULL && + (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, env, + &match, NULL) == ISC_R_SUCCESS) && + match > 0) + { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), + "dropped request: blackholed peer"); + isc_nm_bad_request(handle); + return; + } + + ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), "%s request", + TCP_CLIENT(client) ? "TCP" : "UDP"); + + result = dns_message_peekheader(buffer, &id, &flags); + if (result != ISC_R_SUCCESS) { + /* + * There isn't enough header to determine whether + * this was a request or a response. Drop it. + */ + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), + "dropped request: invalid message header"); + isc_nm_bad_request(handle); + return; + } + +#ifdef WANT_SINGLETRACE + if (id == 0) { + isc_log_setforcelog(true); + } +#endif /* WANT_SINGLETRACE */ + + /* + * The client object handles requests, not responses. + * If this is a UDP response, forward it to the dispatcher. + * If it's a TCP response, discard it here. + */ + if ((flags & DNS_MESSAGEFLAG_QR) != 0) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), + "dropped request: unexpected response"); + isc_nm_bad_request(handle); + return; + } + + /* + * Update some statistics counters. Don't count responses. + */ + if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_requestv4); + } else { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_requestv6); + } + if (TCP_CLIENT(client)) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_requesttcp); + switch (isc_sockaddr_pf(&client->peeraddr)) { + case AF_INET: + isc_stats_increment(client->sctx->tcpinstats4, + ISC_MIN((int)reqsize / 16, 18)); + break; + case AF_INET6: + isc_stats_increment(client->sctx->tcpinstats6, + ISC_MIN((int)reqsize / 16, 18)); + break; + default: + UNREACHABLE(); + } + } else { + switch (isc_sockaddr_pf(&client->peeraddr)) { + case AF_INET: + isc_stats_increment(client->sctx->udpinstats4, + ISC_MIN((int)reqsize / 16, 18)); + break; + case AF_INET6: + isc_stats_increment(client->sctx->udpinstats6, + ISC_MIN((int)reqsize / 16, 18)); + break; + default: + UNREACHABLE(); + } + } + + /* + * It's a request. Parse it. + */ + result = dns_message_parse(client->message, buffer, 0); + if (result != ISC_R_SUCCESS) { + /* + * Parsing the request failed. Send a response + * (typically FORMERR or SERVFAIL). + */ + if (result == DNS_R_OPTERR) { + (void)ns_client_addopt(client, client->message, + &client->opt); + } + + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "message parsing failed: %s", + isc_result_totext(result)); + if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) { + result = DNS_R_FORMERR; + } + ns_client_error(client, result); + return; + } + + /* + * Disable pipelined TCP query processing if necessary. + */ + if (TCP_CLIENT(client) && + (client->message->opcode != dns_opcode_query || + (client->sctx->keepresporder != NULL && + dns_acl_allowed(&netaddr, NULL, client->sctx->keepresporder, + env)))) + { + isc_nm_sequential(handle); + } + + dns_opcodestats_increment(client->sctx->opcodestats, + client->message->opcode); + switch (client->message->opcode) { + case dns_opcode_query: + case dns_opcode_update: + case dns_opcode_notify: + notimp = false; + break; + case dns_opcode_iquery: + default: + notimp = true; + break; + } + + client->message->rcode = dns_rcode_noerror; + client->ede = NULL; + + /* + * Deal with EDNS. + */ + if ((client->sctx->options & NS_SERVER_NOEDNS) != 0) { + opt = NULL; + } else { + opt = dns_message_getopt(client->message); + } + + client->ecs.source = 0; + client->ecs.scope = 0; + + if (opt != NULL) { + /* + * Are returning FORMERR to all EDNS queries? + * Simulate a STD13 compliant server. + */ + if ((client->sctx->options & NS_SERVER_EDNSFORMERR) != 0) { + ns_client_error(client, DNS_R_FORMERR); + return; + } + + /* + * Are returning NOTIMP to all EDNS queries? + */ + if ((client->sctx->options & NS_SERVER_EDNSNOTIMP) != 0) { + ns_client_error(client, DNS_R_NOTIMP); + return; + } + + /* + * Are returning REFUSED to all EDNS queries? + */ + if ((client->sctx->options & NS_SERVER_EDNSREFUSED) != 0) { + ns_client_error(client, DNS_R_REFUSED); + return; + } + + /* + * Are we dropping all EDNS queries? + */ + if ((client->sctx->options & NS_SERVER_DROPEDNS) != 0) { + ns_client_drop(client, ISC_R_SUCCESS); + return; + } + + result = process_opt(client, opt); + if (result != ISC_R_SUCCESS) { + return; + } + } + + if (client->message->rdclass == 0) { + if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0 && + client->message->opcode == dns_opcode_query && + client->message->counts[DNS_SECTION_QUESTION] == 0U) + { + result = dns_message_reply(client->message, true); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); + return; + } + + if (notimp) { + client->message->rcode = dns_rcode_notimp; + } + + ns_client_send(client); + return; + } + + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "message class could not be determined"); + ns_client_dumpmessage(client, "message class could not be " + "determined"); + ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR); + return; + } + + client->destsockaddr = isc_nmhandle_localaddr(handle); + isc_netaddr_fromsockaddr(&client->destaddr, &client->destsockaddr); + + result = client->sctx->matchingview(&netaddr, &client->destaddr, + client->message, env, &sigresult, + &client->view); + if (result != ISC_R_SUCCESS) { + char classname[DNS_RDATACLASS_FORMATSIZE]; + + /* + * Do a dummy TSIG verification attempt so that the + * response will have a TSIG if the query did, as + * required by RFC2845. + */ + isc_buffer_t b; + isc_region_t *r; + + dns_message_resetsig(client->message); + + r = dns_message_getrawmessage(client->message); + isc_buffer_init(&b, r->base, r->length); + isc_buffer_add(&b, r->length); + (void)dns_tsig_verify(&b, client->message, NULL, NULL); + + dns_rdataclass_format(client->message->rdclass, classname, + sizeof(classname)); + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "no matching view in class '%s'", classname); + ns_client_dumpmessage(client, "no matching view in class"); + ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL); + ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED); + return; + } + + ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(5), "using view '%s'", client->view->name); + + /* + * Check for a signature. We log bad signatures regardless of + * whether they ultimately cause the request to be rejected or + * not. We do not log the lack of a signature unless we are + * debugging. + */ + client->signer = NULL; + dns_name_init(&client->signername, NULL); + result = dns_message_signer(client->message, &client->signername); + if (result != ISC_R_NOTFOUND) { + signame = NULL; + if (dns_message_gettsig(client->message, &signame) != NULL) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_tsigin); + } else { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_sig0in); + } + } + if (result == ISC_R_SUCCESS) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(&client->signername, namebuf, sizeof(namebuf)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request has valid signature: %s", namebuf); + client->signer = &client->signername; + } else if (result == ISC_R_NOTFOUND) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request is not signed"); + } else if (result == DNS_R_NOIDENTITY) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "request is signed by a nonauthoritative key"); + } else { + char tsigrcode[64]; + isc_buffer_t b; + dns_rcode_t status; + isc_result_t tresult; + + /* There is a signature, but it is bad. */ + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_invalidsig); + signame = NULL; + if (dns_message_gettsig(client->message, &signame) != NULL) { + char namebuf[DNS_NAME_FORMATSIZE]; + char cnamebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(signame, namebuf, sizeof(namebuf)); + status = client->message->tsigstatus; + isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); + tresult = dns_tsigrcode_totext(status, &b); + INSIST(tresult == ISC_R_SUCCESS); + tsigrcode[isc_buffer_usedlength(&b)] = '\0'; + if (client->message->tsigkey->generated) { + dns_name_format( + client->message->tsigkey->creator, + cnamebuf, sizeof(cnamebuf)); + ns_client_log( + client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: " + "TSIG %s (%s): %s (%s)", + namebuf, cnamebuf, + isc_result_totext(result), tsigrcode); + } else { + ns_client_log( + client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: " + "TSIG %s: %s (%s)", + namebuf, isc_result_totext(result), + tsigrcode); + } + } else { + status = client->message->sig0status; + isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); + tresult = dns_tsigrcode_totext(status, &b); + INSIST(tresult == ISC_R_SUCCESS); + tsigrcode[isc_buffer_usedlength(&b)] = '\0'; + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: %s (%s)", + isc_result_totext(result), tsigrcode); + } + + /* + * Accept update messages signed by unknown keys so that + * update forwarding works transparently through slaves + * that don't have all the same keys as the primary. + */ + if (!(client->message->tsigstatus == dns_tsigerror_badkey && + client->message->opcode == dns_opcode_update)) + { + ns_client_error(client, sigresult); + return; + } + } + + /* + * Decide whether recursive service is available to this client. + * We do this here rather than in the query code so that we can + * set the RA bit correctly on all kinds of responses, not just + * responses to ordinary queries. Note if you can't query the + * cache there is no point in setting RA. + */ + ra = false; + + /* must be initialized before ns_client_log uses it as index */ + if (client->view->resolver == NULL) { + ra_refusal_reason = NO_RESOLVER; + } else if (!client->view->recursion) { + ra_refusal_reason = RECURSION_DISABLED; + } else if (ns_client_checkaclsilent(client, NULL, + client->view->recursionacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_RECURSION; + } else if (ns_client_checkaclsilent(client, NULL, + client->view->cacheacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_QUERY_CACHE; + } else if (ns_client_checkaclsilent(client, &client->destaddr, + client->view->recursiononacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_RECURSION_ON; + } else if (ns_client_checkaclsilent(client, &client->destaddr, + client->view->cacheonacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_QUERY_CACHE_ON; + } else { + ra = true; + client->attributes |= NS_CLIENTATTR_RA; + } + + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), + ra ? "recursion available" + : "recursion not available (%s)", + ra_reasons[ra_refusal_reason]); + + /* + * Adjust maximum UDP response size for this client. + */ + if (client->udpsize > 512) { + dns_peer_t *peer = NULL; + uint16_t udpsize = client->view->maxudp; + (void)dns_peerlist_peerbyaddr(client->view->peers, &netaddr, + &peer); + if (peer != NULL) { + dns_peer_getmaxudp(peer, &udpsize); + } + if (client->udpsize > udpsize) { + client->udpsize = udpsize; + } + } + + /* + * Dispatch the request. + */ + switch (client->message->opcode) { + case dns_opcode_query: + CTRACE("query"); +#ifdef HAVE_DNSTAP + if (ra && (client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { + dtmsgtype = DNS_DTTYPE_CQ; + } else { + dtmsgtype = DNS_DTTYPE_AQ; + } + + dns_dt_send(client->view, dtmsgtype, &client->peeraddr, + &client->destsockaddr, TCP_CLIENT(client), NULL, + &client->requesttime, NULL, buffer); +#endif /* HAVE_DNSTAP */ + + ns_query_start(client, handle); + break; + case dns_opcode_update: + CTRACE("update"); +#ifdef HAVE_DNSTAP + dns_dt_send(client->view, DNS_DTTYPE_UQ, &client->peeraddr, + &client->destsockaddr, TCP_CLIENT(client), NULL, + &client->requesttime, NULL, buffer); +#endif /* HAVE_DNSTAP */ + ns_client_settimeout(client, 60); + ns_update_start(client, handle, sigresult); + break; + case dns_opcode_notify: + CTRACE("notify"); + ns_client_settimeout(client, 60); + ns_notify_start(client, handle); + break; + case dns_opcode_iquery: + CTRACE("iquery"); + ns_client_error(client, DNS_R_NOTIMP); + break; + default: + CTRACE("unknown opcode"); + ns_client_error(client, DNS_R_NOTIMP); + } +} + +isc_result_t +ns__client_tcpconn(isc_nmhandle_t *handle, isc_result_t result, void *arg) { + ns_interface_t *ifp = (ns_interface_t *)arg; + dns_aclenv_t *env = ns_interfacemgr_getaclenv(ifp->mgr); + ns_server_t *sctx = ns_interfacemgr_getserver(ifp->mgr); + unsigned int tcpquota; + isc_sockaddr_t peeraddr; + isc_netaddr_t netaddr; + int match; + + if (result != ISC_R_SUCCESS) { + return (result); + } + + if (handle != NULL) { + peeraddr = isc_nmhandle_peeraddr(handle); + isc_netaddr_fromsockaddr(&netaddr, &peeraddr); + + if (sctx->blackholeacl != NULL && + (dns_acl_match(&netaddr, NULL, sctx->blackholeacl, env, + &match, NULL) == ISC_R_SUCCESS) && + match > 0) + { + return (ISC_R_CONNREFUSED); + } + } + + tcpquota = isc_quota_getused(&sctx->tcpquota); + ns_stats_update_if_greater(sctx->nsstats, ns_statscounter_tcphighwater, + tcpquota); + + return (ISC_R_SUCCESS); +} + +isc_result_t +ns__client_setup(ns_client_t *client, ns_clientmgr_t *mgr, bool new) { + isc_result_t result; + + /* + * Caller must be holding the manager lock. + * + * Note: creating a client does not add the client to the + * manager's client list or set the client's manager pointer. + * The caller is responsible for that. + */ + + if (new) { + REQUIRE(VALID_MANAGER(mgr)); + REQUIRE(client != NULL); + REQUIRE(mgr->tid == isc_nm_tid()); + + *client = (ns_client_t){ .magic = 0, .tid = mgr->tid }; + + isc_mem_attach(mgr->mctx, &client->mctx); + clientmgr_attach(mgr, &client->manager); + ns_server_attach(mgr->sctx, &client->sctx); + isc_task_attach(mgr->task, &client->task); + + dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE, + &client->message); + + client->sendbuf = isc_mem_get(client->manager->send_mctx, + NS_CLIENT_SEND_BUFFER_SIZE); + /* + * Set magic earlier than usual because ns_query_init() + * and the functions it calls will require it. + */ + client->magic = NS_CLIENT_MAGIC; + result = ns_query_init(client); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } else { + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(client->tid == isc_nm_tid()); + + ns_clientmgr_t *oldmgr = client->manager; + ns_server_t *sctx = client->sctx; + isc_task_t *task = client->task; + unsigned char *sendbuf = client->sendbuf; + dns_message_t *message = client->message; + isc_mem_t *oldmctx = client->mctx; + ns_query_t query = client->query; + int tid = client->tid; + + /* + * Retain these values from the existing client, but + * zero every thing else. + */ + *client = (ns_client_t){ .magic = 0, + .mctx = oldmctx, + .manager = oldmgr, + .sctx = sctx, + .task = task, + .sendbuf = sendbuf, + .message = message, + .query = query, + .tid = tid }; + } + + client->query.attributes &= ~NS_QUERYATTR_ANSWERED; + client->state = NS_CLIENTSTATE_INACTIVE; + client->udpsize = 512; + client->ednsversion = -1; + dns_name_init(&client->signername, NULL); + dns_ecs_init(&client->ecs); + isc_sockaddr_any(&client->formerrcache.addr); + client->formerrcache.time = 0; + client->formerrcache.id = 0; + ISC_LINK_INIT(client, rlink); + client->rcode_override = -1; /* not set */ + + client->magic = NS_CLIENT_MAGIC; + + CTRACE("client_setup"); + + return (ISC_R_SUCCESS); + +cleanup: + if (client->sendbuf != NULL) { + isc_mem_put(client->manager->send_mctx, client->sendbuf, + NS_CLIENT_SEND_BUFFER_SIZE); + } + + if (client->message != NULL) { + dns_message_detach(&client->message); + } + + if (client->task != NULL) { + isc_task_detach(&client->task); + } + + if (client->manager != NULL) { + ns_clientmgr_detach(&client->manager); + } + isc_mem_detach(&client->mctx); + if (client->sctx != NULL) { + ns_server_detach(&client->sctx); + } + + return (result); +} + +bool +ns_client_shuttingdown(ns_client_t *client) { + return (client->shuttingdown); +} + +/*** + *** Client Manager + ***/ + +static void +clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp) { + int32_t oldrefs; + + REQUIRE(VALID_MANAGER(source)); + REQUIRE(targetp != NULL && *targetp == NULL); + + oldrefs = isc_refcount_increment0(&source->references); + isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), "clientmgr @%p attach: %d", source, + oldrefs + 1); + + *targetp = source; +} + +void +ns_clientmgr_detach(ns_clientmgr_t **mp) { + int32_t oldrefs; + ns_clientmgr_t *mgr = *mp; + *mp = NULL; + + oldrefs = isc_refcount_decrement(&mgr->references); + isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), "clientmgr @%p detach: %d", mgr, + oldrefs - 1); + if (oldrefs == 1) { + clientmgr_destroy(mgr); + } +} + +static void +clientmgr_destroy(ns_clientmgr_t *manager) { + MTRACE("clientmgr_destroy"); + + isc_refcount_destroy(&manager->references); + manager->magic = 0; + + dns_aclenv_detach(&manager->aclenv); + + isc_mutex_destroy(&manager->reclock); + + isc_task_detach(&manager->task); + ns_server_detach(&manager->sctx); + + isc_mem_detach(&manager->send_mctx); + + isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager)); +} + +isc_result_t +ns_clientmgr_create(ns_server_t *sctx, isc_taskmgr_t *taskmgr, + isc_timermgr_t *timermgr, dns_aclenv_t *aclenv, int tid, + ns_clientmgr_t **managerp) { + ns_clientmgr_t *manager = NULL; + isc_mem_t *mctx = NULL; + isc_result_t result; + + isc_mem_create(&mctx); + isc_mem_setname(mctx, "clientmgr"); + + manager = isc_mem_get(mctx, sizeof(*manager)); + *manager = (ns_clientmgr_t){ .magic = 0, .mctx = mctx }; + + isc_mutex_init(&manager->reclock); + + manager->taskmgr = taskmgr; + manager->timermgr = timermgr; + manager->tid = tid; + + dns_aclenv_attach(aclenv, &manager->aclenv); + + result = isc_task_create_bound(manager->taskmgr, 20, &manager->task, + manager->tid); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_task_setname(manager->task, "clientmgr", NULL); + + isc_refcount_init(&manager->references, 1); + manager->sctx = NULL; + ns_server_attach(sctx, &manager->sctx); + + ISC_LIST_INIT(manager->recursing); + + /* + * We create specialised per-worker memory context specifically + * dedicated and tuned for allocating send buffers as it is a very + * common operation. Not doing so may result in excessive memory + * use in certain workloads. + * + * Please see this thread for more details: + * + * https://github.com/jemalloc/jemalloc/issues/2483 + * + * In particular, this information from the jemalloc developers is + * of the most interest: + * + * https://github.com/jemalloc/jemalloc/issues/2483#issuecomment-1639019699 + * https://github.com/jemalloc/jemalloc/issues/2483#issuecomment-1698173849 + * + * In essence, we use the following memory management strategy: + * + * 1. We use a per-worker memory arena for send buffers memory + * allocation to reduce lock contention (In reality, we create a + * per-client manager arena, but we have one client manager per + * worker). + * + * 2. The automatically created arenas settings remain unchanged + * and may be controlled by users (e.g. by setting the + * "MALLOC_CONF" variable). + * + * 3. We attune the arenas to not use dirty pages cache as the + * cache would have a poor reuse rate, and that is known to + * significantly contribute to excessive memory use. + * + * 4. There is no strict need for the dirty cache, as there is a + * per arena bin for each allocation size, so because we initially + * allocate strictly 64K per send buffer (enough for a DNS + * message), allocations would get directed to one bin (an "object + * pool" or a "slab") maintained within an arena. That is, there + * is an object pool already, specifically to optimise for the + * case of frequent allocations of objects of the given size. The + * object pool should suffice our needs, as we will end up + * recycling the objects from there without the need to back it by + * an additional layer of dirty pages cache. The dirty pages cache + * would have worked better in the case when there are more + * allocation bins involved due to a higher reuse rate (the case + * of a more "generic" memory management). + */ + isc_mem_create_arena(&manager->send_mctx); + isc_mem_setname(manager->send_mctx, "sendbufs"); + (void)isc_mem_arena_set_dirty_decay_ms(manager->send_mctx, 0); + /* + * Disable muzzy pages cache too, as versions < 5.2.0 have it + * enabled by default. The muzzy pages cache goes right below the + * dirty pages cache and backs it. + */ + (void)isc_mem_arena_set_muzzy_decay_ms(manager->send_mctx, 0); + + manager->magic = MANAGER_MAGIC; + + MTRACE("create"); + + *managerp = manager; + + return (ISC_R_SUCCESS); +} + +void +ns_clientmgr_shutdown(ns_clientmgr_t *manager) { + ns_client_t *client; + + REQUIRE(VALID_MANAGER(manager)); + + MTRACE("destroy"); + + LOCK(&manager->reclock); + for (client = ISC_LIST_HEAD(manager->recursing); client != NULL; + client = ISC_LIST_NEXT(client, rlink)) + { + ns_query_cancel(client); + } + UNLOCK(&manager->reclock); +} + +isc_sockaddr_t * +ns_client_getsockaddr(ns_client_t *client) { + return (&client->peeraddr); +} + +isc_sockaddr_t * +ns_client_getdestaddr(ns_client_t *client) { + return (&client->destsockaddr); +} + +isc_result_t +ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, + dns_acl_t *acl, bool default_allow) { + isc_result_t result; + dns_aclenv_t *env = client->manager->aclenv; + isc_netaddr_t tmpnetaddr; + int match; + isc_sockaddr_t local; + + if (acl == NULL) { + if (default_allow) { + goto allow; + } else { + goto deny; + } + } + + if (netaddr == NULL) { + isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr); + netaddr = &tmpnetaddr; + } + + local = isc_nmhandle_localaddr(client->handle); + result = dns_acl_match_port_transport( + netaddr, isc_sockaddr_getport(&local), + isc_nm_socket_type(client->handle), + isc_nm_has_encryption(client->handle), client->signer, acl, env, + &match, NULL); + + if (result != ISC_R_SUCCESS) { + goto deny; /* Internal error, already logged. */ + } + + if (match > 0) { + goto allow; + } + goto deny; /* Negative match or no match. */ + +allow: + return (ISC_R_SUCCESS); + +deny: + return (DNS_R_REFUSED); +} + +isc_result_t +ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr, + const char *opname, dns_acl_t *acl, bool default_allow, + int log_level) { + isc_result_t result; + isc_netaddr_t netaddr; + + if (sockaddr != NULL) { + isc_netaddr_fromsockaddr(&netaddr, sockaddr); + } + + result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, + acl, default_allow); + + if (result == ISC_R_SUCCESS) { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), + "%s approved", opname); + } else { + ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, log_level, "%s denied", + opname); + } + return (result); +} + +static void +ns_client_name(ns_client_t *client, char *peerbuf, size_t len) { + if (client->peeraddr_valid) { + isc_sockaddr_format(&client->peeraddr, peerbuf, + (unsigned int)len); + } else { + snprintf(peerbuf, len, "@%p", client); + } +} + +void +ns_client_logv(ns_client_t *client, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, + va_list ap) { + char msgbuf[4096]; + char signerbuf[DNS_NAME_FORMATSIZE], qnamebuf[DNS_NAME_FORMATSIZE]; + char peerbuf[ISC_SOCKADDR_FORMATSIZE]; + const char *viewname = ""; + const char *sep1 = "", *sep2 = "", *sep3 = "", *sep4 = ""; + const char *signer = "", *qname = ""; + dns_name_t *q = NULL; + + REQUIRE(client != NULL); + + vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); + + if (client->signer != NULL) { + dns_name_format(client->signer, signerbuf, sizeof(signerbuf)); + sep1 = "/key "; + signer = signerbuf; + } + + q = client->query.origqname != NULL ? client->query.origqname + : client->query.qname; + if (q != NULL) { + dns_name_format(q, qnamebuf, sizeof(qnamebuf)); + sep2 = " ("; + sep3 = ")"; + qname = qnamebuf; + } + + if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 && + strcmp(client->view->name, "_default") != 0) + { + sep4 = ": view "; + viewname = client->view->name; + } + + if (client->peeraddr_valid) { + isc_sockaddr_format(&client->peeraddr, peerbuf, + sizeof(peerbuf)); + } else { + snprintf(peerbuf, sizeof(peerbuf), "(no-peer)"); + } + + isc_log_write(ns_lctx, category, module, level, + "client @%p %s%s%s%s%s%s%s%s: %s", client, peerbuf, sep1, + signer, sep2, qname, sep3, sep4, viewname, msgbuf); +} + +void +ns_client_log(ns_client_t *client, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, ...) { + va_list ap; + + if (!isc_log_wouldlog(ns_lctx, level)) { + return; + } + + va_start(ap, fmt); + ns_client_logv(client, category, module, level, fmt, ap); + va_end(ap); +} + +void +ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type, + dns_rdataclass_t rdclass, char *buf, size_t len) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + + dns_name_format(name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf)); + (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf, + classbuf); +} + +static void +ns_client_dumpmessage(ns_client_t *client, const char *reason) { + isc_buffer_t buffer; + char *buf = NULL; + int len = 1024; + isc_result_t result; + + if (!isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { + return; + } + + /* + * Note that these are multiline debug messages. We want a newline + * to appear in the log after each message. + */ + + do { + buf = isc_mem_get(client->mctx, len); + isc_buffer_init(&buffer, buf, len); + result = dns_message_totext( + client->message, &dns_master_style_debug, 0, &buffer); + if (result == ISC_R_NOSPACE) { + isc_mem_put(client->mctx, buf, len); + len += 1024; + } else if (result == ISC_R_SUCCESS) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), + "%s\n%.*s", reason, + (int)isc_buffer_usedlength(&buffer), buf); + } + } while (result == ISC_R_NOSPACE); + + if (buf != NULL) { + isc_mem_put(client->mctx, buf, len); + } +} + +void +ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) { + ns_client_t *client; + char namebuf[DNS_NAME_FORMATSIZE]; + char original[DNS_NAME_FORMATSIZE]; + char peerbuf[ISC_SOCKADDR_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + const char *name; + const char *sep; + const char *origfor; + dns_rdataset_t *rdataset; + + REQUIRE(VALID_MANAGER(manager)); + + LOCK(&manager->reclock); + client = ISC_LIST_HEAD(manager->recursing); + while (client != NULL) { + INSIST(client->state == NS_CLIENTSTATE_RECURSING); + + ns_client_name(client, peerbuf, sizeof(peerbuf)); + if (client->view != NULL && + strcmp(client->view->name, "_bind") != 0 && + strcmp(client->view->name, "_default") != 0) + { + name = client->view->name; + sep = ": view "; + } else { + name = ""; + sep = ""; + } + + LOCK(&client->query.fetchlock); + INSIST(client->query.qname != NULL); + dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); + if (client->query.qname != client->query.origqname && + client->query.origqname != NULL) + { + origfor = " for "; + dns_name_format(client->query.origqname, original, + sizeof(original)); + } else { + origfor = ""; + original[0] = '\0'; + } + rdataset = ISC_LIST_HEAD(client->query.qname->list); + if (rdataset == NULL && client->query.origqname != NULL) { + rdataset = ISC_LIST_HEAD(client->query.origqname->list); + } + if (rdataset != NULL) { + dns_rdatatype_format(rdataset->type, typebuf, + sizeof(typebuf)); + dns_rdataclass_format(rdataset->rdclass, classbuf, + sizeof(classbuf)); + } else { + strlcpy(typebuf, "-", sizeof(typebuf)); + strlcpy(classbuf, "-", sizeof(classbuf)); + } + UNLOCK(&client->query.fetchlock); + fprintf(f, + "; client %s%s%s: id %u '%s/%s/%s'%s%s " + "requesttime %u\n", + peerbuf, sep, name, client->message->id, namebuf, + typebuf, classbuf, origfor, original, + isc_time_seconds(&client->requesttime)); + client = ISC_LIST_NEXT(client, rlink); + } + UNLOCK(&manager->reclock); +} + +void +ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) { + LOCK(&client->query.fetchlock); + if (client->query.restarts > 0) { + /* + * client->query.qname was dynamically allocated. + */ + dns_message_puttempname(client->message, &client->query.qname); + } + client->query.qname = name; + client->query.attributes &= ~NS_QUERYATTR_REDIRECT; + UNLOCK(&client->query.fetchlock); +} + +isc_result_t +ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp) { + ns_client_t *client = (ns_client_t *)ci->data; + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(addrp != NULL); + + *addrp = &client->peeraddr; + return (ISC_R_SUCCESS); +} + +dns_rdataset_t * +ns_client_newrdataset(ns_client_t *client) { + dns_rdataset_t *rdataset; + isc_result_t result; + + REQUIRE(NS_CLIENT_VALID(client)); + + rdataset = NULL; + result = dns_message_gettemprdataset(client->message, &rdataset); + if (result != ISC_R_SUCCESS) { + return (NULL); + } + + return (rdataset); +} + +void +ns_client_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) { + dns_rdataset_t *rdataset; + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(rdatasetp != NULL); + + rdataset = *rdatasetp; + + if (rdataset != NULL) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + dns_message_puttemprdataset(client->message, rdatasetp); + } +} + +isc_result_t +ns_client_newnamebuf(ns_client_t *client) { + isc_buffer_t *dbuf = NULL; + + CTRACE("ns_client_newnamebuf"); + + isc_buffer_allocate(client->mctx, &dbuf, 1024); + ISC_LIST_APPEND(client->query.namebufs, dbuf, link); + + CTRACE("ns_client_newnamebuf: done"); + return (ISC_R_SUCCESS); +} + +dns_name_t * +ns_client_newname(ns_client_t *client, isc_buffer_t *dbuf, isc_buffer_t *nbuf) { + dns_name_t *name = NULL; + isc_region_t r; + isc_result_t result; + + REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0); + + CTRACE("ns_client_newname"); + + result = dns_message_gettempname(client->message, &name); + if (result != ISC_R_SUCCESS) { + CTRACE("ns_client_newname: " + "dns_message_gettempname failed: done"); + return (NULL); + } + isc_buffer_availableregion(dbuf, &r); + isc_buffer_init(nbuf, r.base, r.length); + dns_name_setbuffer(name, NULL); + dns_name_setbuffer(name, nbuf); + client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED; + + CTRACE("ns_client_newname: done"); + return (name); +} + +isc_buffer_t * +ns_client_getnamebuf(ns_client_t *client) { + isc_buffer_t *dbuf; + isc_region_t r; + + CTRACE("ns_client_getnamebuf"); + + /*% + * Return a name buffer with space for a maximal name, allocating + * a new one if necessary. + */ + if (ISC_LIST_EMPTY(client->query.namebufs)) { + ns_client_newnamebuf(client); + } + + dbuf = ISC_LIST_TAIL(client->query.namebufs); + INSIST(dbuf != NULL); + isc_buffer_availableregion(dbuf, &r); + if (r.length < DNS_NAME_MAXWIRE) { + ns_client_newnamebuf(client); + dbuf = ISC_LIST_TAIL(client->query.namebufs); + isc_buffer_availableregion(dbuf, &r); + INSIST(r.length >= 255); + } + CTRACE("ns_client_getnamebuf: done"); + return (dbuf); +} + +void +ns_client_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) { + isc_region_t r; + + CTRACE("ns_client_keepname"); + + /*% + * 'name' is using space in 'dbuf', but 'dbuf' has not yet been + * adjusted to take account of that. We do the adjustment. + */ + REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0); + + dns_name_toregion(name, &r); + isc_buffer_add(dbuf, r.length); + dns_name_setbuffer(name, NULL); + client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; +} + +void +ns_client_releasename(ns_client_t *client, dns_name_t **namep) { + /*% + * 'name' is no longer needed. Return it to our pool of temporary + * names. If it is using a name buffer, relinquish its exclusive + * rights on the buffer. + */ + + CTRACE("ns_client_releasename"); + client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; + dns_message_puttempname(client->message, namep); + CTRACE("ns_client_releasename: done"); +} + +isc_result_t +ns_client_newdbversion(ns_client_t *client, unsigned int n) { + unsigned int i; + ns_dbversion_t *dbversion = NULL; + + for (i = 0; i < n; i++) { + dbversion = isc_mem_get(client->mctx, sizeof(*dbversion)); + *dbversion = (ns_dbversion_t){ 0 }; + ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion, + link); + } + + return (ISC_R_SUCCESS); +} + +static ns_dbversion_t * +client_getdbversion(ns_client_t *client) { + ns_dbversion_t *dbversion = NULL; + + if (ISC_LIST_EMPTY(client->query.freeversions)) { + ns_client_newdbversion(client, 1); + } + dbversion = ISC_LIST_HEAD(client->query.freeversions); + INSIST(dbversion != NULL); + ISC_LIST_UNLINK(client->query.freeversions, dbversion, link); + + return (dbversion); +} + +ns_dbversion_t * +ns_client_findversion(ns_client_t *client, dns_db_t *db) { + ns_dbversion_t *dbversion; + + for (dbversion = ISC_LIST_HEAD(client->query.activeversions); + dbversion != NULL; dbversion = ISC_LIST_NEXT(dbversion, link)) + { + if (dbversion->db == db) { + break; + } + } + + if (dbversion == NULL) { + /* + * This is a new zone for this query. Add it to + * the active list. + */ + dbversion = client_getdbversion(client); + if (dbversion == NULL) { + return (NULL); + } + dns_db_attach(db, &dbversion->db); + dns_db_currentversion(db, &dbversion->version); + dbversion->acl_checked = false; + dbversion->queryok = false; + ISC_LIST_APPEND(client->query.activeversions, dbversion, link); + } + + return (dbversion); +} diff --git a/lib/ns/hooks.c b/lib/ns/hooks.c new file mode 100644 index 0000000..3f614b6 --- /dev/null +++ b/lib/ns/hooks.c @@ -0,0 +1,363 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +#include + +#define CHECK(op) \ + do { \ + result = (op); \ + if (result != ISC_R_SUCCESS) { \ + goto cleanup; \ + } \ + } while (0) + +struct ns_plugin { + isc_mem_t *mctx; + uv_lib_t handle; + void *inst; + char *modpath; + ns_plugin_check_t *check_func; + ns_plugin_register_t *register_func; + ns_plugin_destroy_t *destroy_func; + LINK(ns_plugin_t) link; +}; + +static ns_hooklist_t default_hooktable[NS_HOOKPOINTS_COUNT]; +ns_hooktable_t *ns__hook_table = &default_hooktable; + +isc_result_t +ns_plugin_expandpath(const char *src, char *dst, size_t dstsize) { + int result; + + /* + * On Unix systems, differentiate between paths and filenames. + */ + if (strchr(src, '/') != NULL) { + /* + * 'src' is an absolute or relative path. Copy it verbatim. + */ + result = snprintf(dst, dstsize, "%s", src); + } else { + /* + * 'src' is a filename. Prepend default plugin directory path. + */ + result = snprintf(dst, dstsize, "%s/%s", NAMED_PLUGINDIR, src); + } + + if (result < 0) { + return (isc_errno_toresult(errno)); + } else if ((size_t)result >= dstsize) { + return (ISC_R_NOSPACE); + } else { + return (ISC_R_SUCCESS); + } +} + +static isc_result_t +load_symbol(uv_lib_t *handle, const char *modpath, const char *symbol_name, + void **symbolp) { + void *symbol = NULL; + int r; + + REQUIRE(handle != NULL); + REQUIRE(symbolp != NULL && *symbolp == NULL); + + r = uv_dlsym(handle, symbol_name, &symbol); + if (r != 0) { + const char *errmsg = uv_dlerror(handle); + if (errmsg == NULL) { + errmsg = "returned function pointer is NULL"; + } + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_HOOKS, ISC_LOG_ERROR, + "failed to look up symbol %s in " + "plugin '%s': %s", + symbol_name, modpath, errmsg); + return (ISC_R_FAILURE); + } + + *symbolp = symbol; + + return (ISC_R_SUCCESS); +} + +static void +unload_plugin(ns_plugin_t **pluginp); + +static isc_result_t +load_plugin(isc_mem_t *mctx, const char *modpath, ns_plugin_t **pluginp) { + isc_result_t result; + ns_plugin_t *plugin = NULL; + ns_plugin_version_t *version_func = NULL; + int version; + int r; + + REQUIRE(pluginp != NULL && *pluginp == NULL); + + plugin = isc_mem_get(mctx, sizeof(*plugin)); + memset(plugin, 0, sizeof(*plugin)); + isc_mem_attach(mctx, &plugin->mctx); + + plugin->modpath = isc_mem_strdup(plugin->mctx, modpath); + + ISC_LINK_INIT(plugin, link); + + r = uv_dlopen(modpath, &plugin->handle); + if (r != 0) { + const char *errmsg = uv_dlerror(&plugin->handle); + if (errmsg == NULL) { + errmsg = "unknown error"; + } + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_HOOKS, ISC_LOG_ERROR, + "failed to dlopen() plugin '%s': %s", modpath, + errmsg); + CHECK(ISC_R_FAILURE); + } + + CHECK(load_symbol(&plugin->handle, modpath, "plugin_version", + (void **)&version_func)); + + version = version_func(); + if (version < (NS_PLUGIN_VERSION - NS_PLUGIN_AGE) || + version > NS_PLUGIN_VERSION) + { + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_HOOKS, ISC_LOG_ERROR, + "plugin API version mismatch: %d/%d", version, + NS_PLUGIN_VERSION); + CHECK(ISC_R_FAILURE); + } + + CHECK(load_symbol(&plugin->handle, modpath, "plugin_check", + (void **)&plugin->check_func)); + CHECK(load_symbol(&plugin->handle, modpath, "plugin_register", + (void **)&plugin->register_func)); + CHECK(load_symbol(&plugin->handle, modpath, "plugin_destroy", + (void **)&plugin->destroy_func)); + + *pluginp = plugin; + + return (ISC_R_SUCCESS); + +cleanup: + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, + ISC_LOG_ERROR, + "failed to dynamically load plugin '%s': %s", modpath, + isc_result_totext(result)); + + unload_plugin(&plugin); + + return (result); +} + +static void +unload_plugin(ns_plugin_t **pluginp) { + ns_plugin_t *plugin = NULL; + + REQUIRE(pluginp != NULL && *pluginp != NULL); + + plugin = *pluginp; + *pluginp = NULL; + + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, + ISC_LOG_DEBUG(1), "unloading plugin '%s'", + plugin->modpath); + + if (plugin->inst != NULL) { + plugin->destroy_func(&plugin->inst); + } + + uv_dlclose(&plugin->handle); + isc_mem_free(plugin->mctx, plugin->modpath); + isc_mem_putanddetach(&plugin->mctx, plugin, sizeof(*plugin)); +} + +isc_result_t +ns_plugin_register(const char *modpath, const char *parameters, const void *cfg, + const char *cfg_file, unsigned long cfg_line, + isc_mem_t *mctx, isc_log_t *lctx, void *actx, + dns_view_t *view) { + isc_result_t result; + ns_plugin_t *plugin = NULL; + + REQUIRE(mctx != NULL); + REQUIRE(lctx != NULL); + REQUIRE(view != NULL); + + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, + ISC_LOG_INFO, "loading plugin '%s'", modpath); + + CHECK(load_plugin(mctx, modpath, &plugin)); + + isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, + ISC_LOG_INFO, "registering plugin '%s'", modpath); + + CHECK(plugin->register_func(parameters, cfg, cfg_file, cfg_line, mctx, + lctx, actx, view->hooktable, + &plugin->inst)); + + ISC_LIST_APPEND(*(ns_plugins_t *)view->plugins, plugin, link); + +cleanup: + if (result != ISC_R_SUCCESS && plugin != NULL) { + unload_plugin(&plugin); + } + + return (result); +} + +isc_result_t +ns_plugin_check(const char *modpath, const char *parameters, const void *cfg, + const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx, + isc_log_t *lctx, void *actx) { + isc_result_t result; + ns_plugin_t *plugin = NULL; + + CHECK(load_plugin(mctx, modpath, &plugin)); + + result = plugin->check_func(parameters, cfg, cfg_file, cfg_line, mctx, + lctx, actx); + +cleanup: + if (plugin != NULL) { + unload_plugin(&plugin); + } + + return (result); +} + +void +ns_hooktable_init(ns_hooktable_t *hooktable) { + int i; + + for (i = 0; i < NS_HOOKPOINTS_COUNT; i++) { + ISC_LIST_INIT((*hooktable)[i]); + } +} + +isc_result_t +ns_hooktable_create(isc_mem_t *mctx, ns_hooktable_t **tablep) { + ns_hooktable_t *hooktable = NULL; + + REQUIRE(tablep != NULL && *tablep == NULL); + + hooktable = isc_mem_get(mctx, sizeof(*hooktable)); + + ns_hooktable_init(hooktable); + + *tablep = hooktable; + + return (ISC_R_SUCCESS); +} + +void +ns_hooktable_free(isc_mem_t *mctx, void **tablep) { + ns_hooktable_t *table = NULL; + ns_hook_t *hook = NULL, *next = NULL; + int i = 0; + + REQUIRE(tablep != NULL && *tablep != NULL); + + table = *tablep; + *tablep = NULL; + + for (i = 0; i < NS_HOOKPOINTS_COUNT; i++) { + for (hook = ISC_LIST_HEAD((*table)[i]); hook != NULL; + hook = next) + { + next = ISC_LIST_NEXT(hook, link); + ISC_LIST_UNLINK((*table)[i], hook, link); + if (hook->mctx != NULL) { + isc_mem_putanddetach(&hook->mctx, hook, + sizeof(*hook)); + } + } + } + + isc_mem_put(mctx, table, sizeof(*table)); +} + +void +ns_hook_add(ns_hooktable_t *hooktable, isc_mem_t *mctx, + ns_hookpoint_t hookpoint, const ns_hook_t *hook) { + ns_hook_t *copy = NULL; + + REQUIRE(hooktable != NULL); + REQUIRE(mctx != NULL); + REQUIRE(hookpoint < NS_HOOKPOINTS_COUNT); + REQUIRE(hook != NULL); + + copy = isc_mem_get(mctx, sizeof(*copy)); + memset(copy, 0, sizeof(*copy)); + + copy->action = hook->action; + copy->action_data = hook->action_data; + isc_mem_attach(mctx, ©->mctx); + + ISC_LINK_INIT(copy, link); + ISC_LIST_APPEND((*hooktable)[hookpoint], copy, link); +} + +void +ns_plugins_create(isc_mem_t *mctx, ns_plugins_t **listp) { + ns_plugins_t *plugins = NULL; + + REQUIRE(listp != NULL && *listp == NULL); + + plugins = isc_mem_get(mctx, sizeof(*plugins)); + memset(plugins, 0, sizeof(*plugins)); + ISC_LIST_INIT(*plugins); + + *listp = plugins; +} + +void +ns_plugins_free(isc_mem_t *mctx, void **listp) { + ns_plugins_t *list = NULL; + ns_plugin_t *plugin = NULL, *next = NULL; + + REQUIRE(listp != NULL && *listp != NULL); + + list = *listp; + *listp = NULL; + + for (plugin = ISC_LIST_HEAD(*list); plugin != NULL; plugin = next) { + next = ISC_LIST_NEXT(plugin, link); + ISC_LIST_UNLINK(*list, plugin, link); + unload_plugin(&plugin); + } + + isc_mem_put(mctx, list, sizeof(*list)); +} diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h new file mode 100644 index 0000000..7a7196f --- /dev/null +++ b/lib/ns/include/ns/client.h @@ -0,0 +1,578 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/***** +***** Module Info +*****/ + +/*! \file + * \brief + * This module defines two objects, ns_client_t and ns_clientmgr_t. + * + * An ns_client_t object handles incoming DNS requests from clients + * on a given network interface. + * + * Each ns_client_t object can handle only one TCP connection or UDP + * request at a time. Therefore, several ns_client_t objects are + * typically created to serve each network interface, e.g., one + * for handling TCP requests and a few (one per CPU) for handling + * UDP requests. + * + * Incoming requests are classified as queries, zone transfer + * requests, update requests, notify requests, etc, and handed off + * to the appropriate request handler. When the request has been + * fully handled (which can be much later), the ns_client_t must be + * notified of this by calling one of the following functions + * exactly once in the context of its task: + * \code + * ns_client_send() (sending a non-error response) + * ns_client_sendraw() (sending a raw response) + * ns_client_error() (sending an error response) + * ns_client_drop() (sending no response, logging the reason) + *\endcode + * This will release any resources used by the request and + * and allow the ns_client_t to listen for the next request. + * + * A ns_clientmgr_t manages a number of ns_client_t objects. + * New ns_client_t objects are created by calling + * ns_clientmgr_createclients(). They are destroyed by + * destroying their manager. + */ + +/*** + *** Imports + ***/ + +#include +#include + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +/*** + *** Types + ***/ + +#define NS_CLIENT_TCP_BUFFER_SIZE 65535 +#define NS_CLIENT_SEND_BUFFER_SIZE 4096 + +/*! + * Client object states. Ordering is significant: higher-numbered + * states are generally "more active", meaning that the client can + * have more dynamically allocated data, outstanding events, etc. + * In the list below, any such properties listed for state N + * also apply to any state > N. + */ + +typedef enum { + NS_CLIENTSTATE_FREED = 0, + /*%< + * The client object no longer exists. + */ + + NS_CLIENTSTATE_INACTIVE = 1, + /*%< + * The client object exists and has a task and timer. + * Its "query" struct and sendbuf are initialized. + * It has a message and OPT, both in the reset state. + */ + + NS_CLIENTSTATE_READY = 2, + /*%< + * The client object is either a TCP or a UDP one, and + * it is associated with a network interface. It is on the + * client manager's list of active clients. + * + * If it is a TCP client object, it has a TCP listener socket + * and an outstanding TCP listen request. + * + * If it is a UDP client object, it has a UDP listener socket + * and an outstanding UDP receive request. + */ + + NS_CLIENTSTATE_WORKING = 3, + /*%< + * The client object has received a request and is working + * on it. It has a view, and it may have any of a non-reset OPT, + * recursion quota, and an outstanding write request. + */ + + NS_CLIENTSTATE_RECURSING = 4, + /*%< + * The client object is recursing. It will be on the + * 'recursing' list. + */ + + NS_CLIENTSTATE_MAX = 5 + /*%< + * Sentinel value used to indicate "no state". + */ +} ns_clientstate_t; + +typedef ISC_LIST(ns_client_t) client_list_t; + +/*% nameserver client manager structure */ +struct ns_clientmgr { + /* Unlocked. */ + unsigned int magic; + + isc_mem_t *mctx; + isc_mem_t *send_mctx; + ns_server_t *sctx; + isc_taskmgr_t *taskmgr; + isc_timermgr_t *timermgr; + isc_refcount_t references; + int tid; + + /* Attached by clients, needed for e.g. recursion */ + isc_task_t *task; + + dns_aclenv_t *aclenv; + + /* Lock covers the recursing list */ + isc_mutex_t reclock; + client_list_t recursing; /*%< Recursing clients */ +}; + +/*% nameserver client structure */ +struct ns_client { + unsigned int magic; + isc_mem_t *mctx; + int tid; + bool allocated; /* Do we need to free it? */ + ns_server_t *sctx; + ns_clientmgr_t *manager; + ns_clientstate_t state; + int nupdates; + bool nodetach; + bool shuttingdown; + unsigned int attributes; + isc_task_t *task; + dns_view_t *view; + dns_dispatch_t *dispatch; + isc_nmhandle_t *handle; /* Permanent pointer to handle */ + isc_nmhandle_t *sendhandle; /* Waiting for send callback */ + isc_nmhandle_t *reqhandle; /* Waiting for request callback + (query, update, notify) */ + isc_nmhandle_t *fetchhandle; /* Waiting for recursive fetch */ + isc_nmhandle_t *prefetchhandle; /* Waiting for prefetch / rpzfetch */ + isc_nmhandle_t *updatehandle; /* Waiting for update callback */ + unsigned char *tcpbuf; + size_t tcpbuf_size; + dns_message_t *message; + unsigned char *sendbuf; + dns_rdataset_t *opt; + dns_ednsopt_t *ede; + uint16_t udpsize; + uint16_t extflags; + int16_t ednsversion; /* -1 noedns */ + uint16_t additionaldepth; + void (*cleanup)(ns_client_t *); + ns_query_t query; + isc_time_t requesttime; + isc_stdtime_t now; + isc_time_t tnow; + dns_name_t signername; /*%< [T]SIG key name */ + dns_name_t *signer; /*%< NULL if not valid sig */ + bool mortal; /*%< Die after handling request */ + isc_quota_t *recursionquota; + + isc_sockaddr_t peeraddr; + bool peeraddr_valid; + isc_netaddr_t destaddr; + isc_sockaddr_t destsockaddr; + + dns_ecs_t ecs; /*%< EDNS client subnet sent by client */ + + struct in6_pktinfo pktinfo; + /*% + * Information about recent FORMERR response(s), for + * FORMERR loop avoidance. This is separate for each + * client object rather than global only to avoid + * the need for locking. + */ + struct { + isc_sockaddr_t addr; + isc_stdtime_t time; + dns_messageid_t id; + } formerrcache; + + /*% Callback function to send a response when unit testing */ + void (*sendcb)(isc_buffer_t *buf); + + ISC_LINK(ns_client_t) rlink; + unsigned char cookie[8]; + uint32_t expire; + unsigned char *keytag; + uint16_t keytag_len; + + /*% + * Used to override the DNS response code in ns_client_error(). + * If set to -1, the rcode is determined from the result code, + * but if set to any other value, the least significant 12 + * bits will be used as the rcode in the response message. + */ + int32_t rcode_override; +}; + +#define NS_CLIENT_MAGIC ISC_MAGIC('N', 'S', 'C', 'c') +#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC) + +#define NS_CLIENTATTR_TCP 0x00001 +#define NS_CLIENTATTR_RA 0x00002 /*%< Client gets recursive service */ +#define NS_CLIENTATTR_PKTINFO 0x00004 /*%< pktinfo is valid */ +#define NS_CLIENTATTR_MULTICAST 0x00008 /*%< recv'd from multicast */ +#define NS_CLIENTATTR_WANTDNSSEC 0x00010 /*%< include dnssec records */ +#define NS_CLIENTATTR_WANTNSID 0x00020 /*%< include nameserver ID */ +/* Obsolete: NS_CLIENTATTR_FILTER_AAAA 0x00040 */ +/* Obsolete: NS_CLIENTATTR_FILTER_AAAA_RC 0x00080 */ +#define NS_CLIENTATTR_WANTAD 0x00100 /*%< want AD in response if possible */ +#define NS_CLIENTATTR_WANTCOOKIE 0x00200 /*%< return a COOKIE */ +#define NS_CLIENTATTR_HAVECOOKIE 0x00400 /*%< has a valid COOKIE */ +#define NS_CLIENTATTR_WANTEXPIRE 0x00800 /*%< return seconds to expire */ +#define NS_CLIENTATTR_HAVEEXPIRE 0x01000 /*%< return seconds to expire */ +#define NS_CLIENTATTR_WANTOPT 0x02000 /*%< add opt to reply */ +#define NS_CLIENTATTR_HAVEECS 0x04000 /*%< received an ECS option */ +#define NS_CLIENTATTR_WANTPAD 0x08000 /*%< pad reply */ +#define NS_CLIENTATTR_USEKEEPALIVE 0x10000 /*%< use TCP keepalive */ + +#define NS_CLIENTATTR_NOSETFC 0x20000 /*%< don't set servfail cache */ + +/* + * Flag to use with the SERVFAIL cache to indicate + * that a query had the CD bit set. + */ +#define NS_FAILCACHE_CD 0x01 + +extern atomic_uint_fast64_t ns_client_requests; + +/*** + *** Functions + ***/ + +/* + * Note! These ns_client_ routines MUST be called ONLY from the client's + * task in order to ensure synchronization. + */ + +void +ns_client_send(ns_client_t *client); +/*%< + * Finish processing the current client request and + * send client->message as a response. + * \brief + * Note! These ns_client_ routines MUST be called ONLY from the client's + * task in order to ensure synchronization. + */ + +void +ns_client_sendraw(ns_client_t *client, dns_message_t *msg); +/*%< + * Finish processing the current client request and + * send msg as a response using client->message->id for the id. + */ + +void +ns_client_error(ns_client_t *client, isc_result_t result); +/*%< + * Finish processing the current client request and return + * an error response to the client. The error response + * will have an RCODE determined by 'result'. + */ + +void +ns_client_extendederror(ns_client_t *client, uint16_t code, const char *text); +/*%< + * Set extended error with INFO-CODE and EXTRA-TEXT . + */ + +void +ns_client_drop(ns_client_t *client, isc_result_t result); +/*%< + * Log the reason the current client request has failed; no response + * will be sent. + */ + +bool +ns_client_shuttingdown(ns_client_t *client); +/*%< + * Return true iff the client is currently shutting down. + */ + +isc_result_t +ns_client_replace(ns_client_t *client); +/*%< + * Try to replace the current client with a new one, so that the + * current one can go off and do some lengthy work without + * leaving the dispatch/socket without service. + */ + +void +ns_client_settimeout(ns_client_t *client, unsigned int seconds); +/*%< + * Set a timer in the client to go off in the specified amount of time. + */ + +isc_result_t +ns_clientmgr_create(ns_server_t *sctx, isc_taskmgr_t *taskmgr, + isc_timermgr_t *timermgr, dns_aclenv_t *aclenv, int tid, + ns_clientmgr_t **managerp); +/*%< + * Create a client manager. + */ + +void +ns_clientmgr_shutdown(ns_clientmgr_t *manager); +/*%< + * Shutdown a client manager and all ns_client_t objects + * managed by it + */ + +void +ns_clientmgr_detach(ns_clientmgr_t **managerp); +/*%< + * Detach from a client manager. + */ + +isc_sockaddr_t * +ns_client_getsockaddr(ns_client_t *client); +/*%< + * Get the socket address of the client whose request is + * currently being processed. + */ + +isc_sockaddr_t * +ns_client_getdestaddr(ns_client_t *client); +/*%< + * Get the destination address (server) for the request that is + * currently being processed. + */ + +isc_result_t +ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, + dns_acl_t *acl, bool default_allow); + +/*%< + * Convenience function for client request ACL checking. + * + * Check the current client request against 'acl'. If 'acl' + * is NULL, allow the request iff 'default_allow' is true. + * If netaddr is NULL, check the ACL against client->peeraddr; + * otherwise check it against netaddr. + * + * Notes: + *\li This is appropriate for checking allow-update, + * allow-query, allow-transfer, etc. It is not appropriate + * for checking the blackhole list because we treat positive + * matches as "allow" and negative matches as "deny"; in + * the case of the blackhole list this would be backwards. + * + * Requires: + *\li 'client' points to a valid client. + *\li 'netaddr' points to a valid address, or is NULL. + *\li 'acl' points to a valid ACL, or is NULL. + * + * Returns: + *\li ISC_R_SUCCESS if the request should be allowed + * \li DNS_R_REFUSED if the request should be denied + *\li No other return values are possible. + */ + +isc_result_t +ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr, + const char *opname, dns_acl_t *acl, bool default_allow, + int log_level); +/*%< + * Like ns_client_checkaclsilent, except the outcome of the check is + * logged at log level 'log_level' if denied, and at debug 3 if approved. + * Log messages will refer to the request as an 'opname' request. + * + * Requires: + *\li 'client' points to a valid client. + *\li 'sockaddr' points to a valid address, or is NULL. + *\li 'acl' points to a valid ACL, or is NULL. + *\li 'opname' points to a null-terminated string. + */ + +void +ns_client_log(ns_client_t *client, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, ...) + ISC_FORMAT_PRINTF(5, 6); + +void +ns_client_logv(ns_client_t *client, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, va_list ap) + ISC_FORMAT_PRINTF(5, 0); + +void +ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type, + dns_rdataclass_t rdclass, char *buf, size_t len); + +#define NS_CLIENT_ACLMSGSIZE(x) \ + (DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \ + DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'")) + +void +ns_client_recursing(ns_client_t *client); +/*%< + * Add client to end of th recursing list. + */ + +void +ns_client_killoldestquery(ns_client_t *client); +/*%< + * Kill the oldest recursive query (recursing list head). + */ + +void +ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager); +/*%< + * Dump the outstanding recursive queries to 'f'. + */ + +void +ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); +/*%< + * Replace the qname. + */ + +isc_result_t +ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp); + +isc_result_t +ns_client_addopt(ns_client_t *client, dns_message_t *message, + dns_rdataset_t **opt); + +/*%< + * Get a client object from the inactive queue, or create one, as needed. + * (Not intended for use outside this module and associated tests.) + */ + +void +ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, + isc_region_t *region, void *arg); + +/*%< + * Handle client requests. + * (Not intended for use outside this module and associated tests.) + */ + +isc_result_t +ns__client_tcpconn(isc_nmhandle_t *handle, isc_result_t result, void *arg); + +/*%< + * Called every time a TCP connection is establish. This is used for + * updating TCP statistics. + */ + +dns_rdataset_t * +ns_client_newrdataset(ns_client_t *client); + +void +ns_client_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp); +/*%< + * Get and release temporary rdatasets in the client message; + * used in query.c and in plugins. + */ + +isc_result_t +ns_client_newnamebuf(ns_client_t *client); +/*%< + * Allocate a name buffer for the client message. + */ + +dns_name_t * +ns_client_newname(ns_client_t *client, isc_buffer_t *dbuf, isc_buffer_t *nbuf); +/*%< + * Get a temporary name for the client message. + */ + +isc_buffer_t * +ns_client_getnamebuf(ns_client_t *client); +/*%< + * Get a name buffer from the pool, or allocate a new one if needed. + */ + +void +ns_client_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf); +/*%< + * Adjust buffer 'dbuf' to reflect that 'name' is using space in it, + * and set client attributes appropriately. + */ + +void +ns_client_releasename(ns_client_t *client, dns_name_t **namep); +/*%< + * Release 'name' back to the pool of temporary names for the client + * message. If it is using a name buffer, relinquish its exclusive + * rights on the buffer. + */ + +isc_result_t +ns_client_newdbversion(ns_client_t *client, unsigned int n); +/*%< + * Allocate 'n' new database versions for use by client queries. + */ + +ns_dbversion_t * +ns_client_getdbversion(ns_client_t *client); +/*%< + * Get a free database version for use by a client query, allocating + * a new one if necessary. + */ + +ns_dbversion_t * +ns_client_findversion(ns_client_t *client, dns_db_t *db); +/*%< + * Find the correct database version to use with a client query. + * If we have already done a query related to the database 'db', + * make sure subsequent queries are from the same version; + * otherwise, take a database version from the list of dbversions + * allocated by ns_client_newdbversion(). + */ + +isc_result_t +ns__client_setup(ns_client_t *client, ns_clientmgr_t *manager, bool new); +/*%< + * Perform initial setup of an allocated client. + */ + +void +ns__client_reset_cb(void *client0); +/*%< + * Reset the client object so that it can be reused. + */ + +void +ns__client_put_cb(void *client0); +/*%< + * Free all resources allocated to this client object, so that + * it can be freed. + */ diff --git a/lib/ns/include/ns/events.h b/lib/ns/include/ns/events.h new file mode 100644 index 0000000..b651827 --- /dev/null +++ b/lib/ns/include/ns/events.h @@ -0,0 +1,25 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +#include + +/*! \file ns/events.h + * \brief + * Registry of NS event numbers. + */ + +#define NS_EVENT_CLIENTCONTROL (ISC_EVENTCLASS_NS + 0) +#define NS_EVENT_HOOKASYNCDONE (ISC_EVENTCLASS_NS + 1) +#define NS_EVENT_IFSCAN (ISC_EVENTCLASS_NS + 2) diff --git a/lib/ns/include/ns/hooks.h b/lib/ns/include/ns/hooks.h new file mode 100644 index 0000000..cb146ff --- /dev/null +++ b/lib/ns/include/ns/hooks.h @@ -0,0 +1,612 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +#include + +#include +#include +#include +#include +#include +#include + +#include + +#include +#include +/* + * "Hooks" are a mechanism to call a defined function or set of functions once + * a certain place in code is reached. Hook actions can inspect and alter the + * state of an ongoing process, allowing processing to continue afterward or + * triggering an early return. + * + * Currently hooks are used in two ways: in plugins, which use them to + * add functionality to query processing, and in the unit tests for libns, + * where they are used to inspect state before and after certain functions have + * run. + * + * Both of these uses are limited to libns, so hooks are currently defined in + * the ns/hooks.h header file, and hook-related macro and function names are + * prefixed with `NS_` and `ns_`. However, the design is fairly generic and + * could be repurposed for general use, e.g. as part of libisc, after some + * further customization. + * + * Hooks are created by defining a hook point identifier in the ns_hookpoint_t + * enum below, and placing a special call at a corresponding location in the + * code which invokes the action(s) for that hook; there are two such special + * calls currently implemented, namely the CALL_HOOK() and CALL_HOOK_NORETURN() + * macros in query.c. The former macro contains a "goto cleanup" statement + * which is inlined into the function into which the hook has been inserted; + * this enables the hook action to cause the calling function to return from + * the hook insertion point. For functions returning isc_result_t, if a hook + * action intends to cause a return at hook insertion point, it also has to set + * the value to be returned by the calling function. + * + * A hook table is an array (indexed by the value of the hook point identifier) + * in which each cell contains a linked list of structures, each of which + * contains a function pointer to a hook action and a pointer to data which is + * to be passed to the action function when it is called. + * + * Each view has its own separate hook table, populated by loading plugin + * modules specified in the "plugin" statements in named.conf. There is also a + * special, global hook table (ns__hook_table) that is only used by libns unit + * tests and whose existence can be safely ignored by plugin modules. + * + * Hook actions are functions which: + * + * - return an ns_hookresult_t value: + * - if NS_HOOK_RETURN is returned by the hook action, the function + * into which the hook is inserted will return and no further hook + * actions at the same hook point will be invoked, + * - if NS_HOOK_CONTINUE is returned by the hook action and there are + * further hook actions set up at the same hook point, they will be + * processed; if NS_HOOK_CONTINUE is returned and there are no + * further hook actions set up at the same hook point, execution of + * the function into which the hook has been inserted will be + * resumed. + * + * - accept three pointers as arguments: + * - a pointer specified by the special call at the hook insertion point, + * - a pointer specified upon inserting the action into the hook table, + * - a pointer to an isc_result_t value which will be returned by the + * function into which the hook is inserted if the action returns + * NS_HOOK_RETURN. + * + * In order for a hook action to be called for a given hook, a pointer to that + * action function (along with an optional pointer to action-specific data) has + * to be inserted into the relevant hook table entry for that hook using an + * ns_hook_add() call. If multiple actions are set up at a single hook point + * (e.g. by multiple plugin modules), they are processed in FIFO order, that is + * they are performed in the same order in which their relevant ns_hook_add() + * calls were issued. Since the configuration is loaded from a single thread, + * this means that multiple actions at a single hook point are determined by + * the order in which the relevant plugin modules were declared in the + * configuration file(s). The hook API currently does not support changing + * this order. + * + * As an example, consider the following hypothetical function in query.c: + * + * ---------------------------------------------------------------------------- + * static isc_result_t + * query_foo(query_ctx_t *qctx) { + * isc_result_t result; + * + * CALL_HOOK(NS_QUERY_FOO_BEGIN, qctx); + * + * ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, + * ISC_LOG_DEBUG(99), "Lorem ipsum dolor sit amet..."); + * + * result = ISC_R_COMPLETE; + * + * cleanup: + * return (result); + * } + * ---------------------------------------------------------------------------- + * + * and the following hook action: + * + * ---------------------------------------------------------------------------- + * static ns_hookresult_t + * cause_failure(void *hook_data, void *action_data, isc_result_t *resultp) { + * UNUSED(hook_data); + * UNUSED(action_data); + * + * *resultp = ISC_R_FAILURE; + * + * return (NS_HOOK_RETURN); + * } + * ---------------------------------------------------------------------------- + * + * If this hook action was installed in the hook table using: + * + * ---------------------------------------------------------------------------- + * const ns_hook_t foo_fail = { + * .action = cause_failure, + * }; + * + * ns_hook_add(..., NS_QUERY_FOO_BEGIN, &foo_fail); + * ---------------------------------------------------------------------------- + * + * then query_foo() would return ISC_R_FAILURE every time it is called due + * to the cause_failure() hook action returning NS_HOOK_RETURN and setting + * '*resultp' to ISC_R_FAILURE. query_foo() would also never log the + * "Lorem ipsum dolor sit amet..." message. + * + * Consider a different hook action: + * + * ---------------------------------------------------------------------------- + * static ns_hookresult_t + * log_qtype(void *hook_data, void *action_data, isc_result_t *resultp) { + * query_ctx_t *qctx = (query_ctx_t *)hook_data; + * FILE *stream = (FILE *)action_data; + * + * UNUSED(resultp); + * + * fprintf(stream, "QTYPE=%u\n", qctx->qtype); + * + * return (NS_HOOK_CONTINUE); + * } + * ---------------------------------------------------------------------------- + * + * If this hook action was installed in the hook table instead of + * cause_failure(), using: + * + * ---------------------------------------------------------------------------- + * const ns_hook_t foo_log_qtype = { + * .action = log_qtype, + * .action_data = stderr, + * }; + * + * ns_hook_add(..., NS_QUERY_FOO_BEGIN, &foo_log_qtype); + * ---------------------------------------------------------------------------- + * + * then the QTYPE stored in the query context passed to query_foo() would be + * logged to stderr upon each call to that function; 'qctx' would be passed to + * the hook action in 'hook_data' since it is specified in the CALL_HOOK() call + * inside query_foo() while stderr would be passed to the hook action in + * 'action_data' since it is specified in the ns_hook_t structure passed to + * ns_hook_add(). As the hook action returns NS_HOOK_CONTINUE, + * query_foo() would also be logging the "Lorem ipsum dolor sit amet..." + * message before returning ISC_R_COMPLETE. + * + * ASYNCHRONOUS EVENT HANDLING IN QUERY HOOKS + * + * Usually a hook action works synchronously; it completes some particular + * job in the middle of query processing, thus blocking the caller (and the + * worker thread handling the query). But sometimes an action can be time + * consuming and the blocking behavior may not be acceptable. For example, + * a hook may need to send some kind of query (like a DB lookup) to an + * external backend server and wait for the response to complete the hook's + * action. Depending on the network condition, the external server's load, + * etc, it may take several seconds or more. + * + * In order to handle such a situation, a hook action can start an + * asynchronous event by calling ns_query_hookasync(). This is similar + * to ns_query_recurse(), but more generic. ns_query_hookasync() will + * call the 'runasync' function with a specified 'arg' (both passed to + * ns_query_hookasync()) and a set of task and associated event arguments + * to be called to resume query handling upon completion of the + * asynchronous event. + * + * The implementation of 'runasync' is assumed to allocate and build an + * instance of ns_hook_resevent_t whose action, arg, and task are set to + * the passed values from ns_query_hookasync(). Other fields of + * ns_hook_resevent_t must be correctly set in the hook implementation + * by the time it's sent to the specified task: + * + * - hookpoint: the point from which the query handling should be resumed + * (which should usually be the hook point that triggered the asynchronous + * event). + * - origresult: the result code passed to the hook action that triggers the + * asynchronous event through the 'resultp' pointer. Some hook points need + * this value to correctly resume the query handling. + * - saved_qctx: the 'qctx' passed to 'runasync'. This holds some + * intermediate data for resolving the query, and will be used to resume the + * query handling. The 'runasync' implementation must not modify it. + * + * The hook implementation should somehow maintain the created event + * instance so that it can eventually send the event. + * + * 'runasync' then creates an instance of ns_hookasync_t with specifying its + * own cancel and destroy function, and returns it to ns_query_hookasync() + * in the passed pointer. + * + * On return from ns_query_hookasync(), the hook action MUST return + * NS_HOOK_RETURN to suspend the query handling. + * + * On the completion of the asynchronous event, the hook implementation is + * supposed to send the resumeevent to the corresponding task. The query + * module resumes the query handling so that the hook action of the + * specified hook point will be called, skipping some intermediate query + * handling steps. So, typically, the same hook action will be called + * twice. The hook implementation must somehow remember the context, and + * handle the second call to complete its action using the result of the + * asynchronous event. + * + * Example: assume the following hook-specific structure to manage + * asynchronous events: + * + * typedef struct hookstate { + * bool async; + * ns_hook_resevent_t *rev + * ns_hookpoint_t hookpoint; + * isc_result_t origresult; + * } hookstate_t; + * + * 'async' is supposed to be true if and only if hook-triggered + * asynchronous processing is taking place. + * + * A hook action that uses an asynchronous event would look something + * like this: + * + * hook_recurse(void *hook_data, void *action_data, isc_result_t *resultp) { + * hookstate_t *state = somehow_retrieve_from(action_data); + * if (state->async) { + * // just resumed from an asynchronous hook action. + * // complete the hook's action using the result of the + * // internal asynchronous event. + * state->async = false; + * return (NS_HOOK_CONTINUE); + * } + * + * // Initial call to the hook action. Start the internal + * // asynchronous event, and have the query module suspend + * // its own handling by returning NS_HOOK_RETURN. + * state->hookpoint = ...; // would be hook point for this hook + * state->origresult = *resultp; + * ns_query_hookasync(hook_data, runasync, state); + * state->async = true; + * return (NS_HOOK_RETURN); + * } + * + * And the 'runasync' function would be something like this: + * + * static isc_result_t + * runasync(query_ctx_t *qctx, void *arg, isc_taskaction_t action, + * void *evarg, isc_task_t *task, ns_hookasync_t **ctxp) { + * hookstate_t *state = arg; + * ns_hook_resevent_t *rev = isc_event_allocate( + * mctx, task, NS_EVENT_HOOKASYNCDONE, action, evarg, + * sizeof(*rev)); + * ns_hookasync_t *ctx = isc_mem_get(mctx, sizeof(*ctx)); + * + * *ctx = (ns_hookasync_t){ .private = NULL }; + * isc_mem_attach(mctx, &ctx->mctx); + * ctx->cancel = ...; // set the cancel function, which cancels the + * // internal asynchronous event (if necessary). + * // it should eventually result in sending + * // the 'rev' event to the calling task. + * ctx->destroy = ...; // set the destroy function, which frees 'ctx' + * + * rev->hookpoint = state->hookpoint; + * rev->origresult = state->origresult; + * rev->saved_qctx = qctx; + * rev->ctx = ctx; + * + * state->rev = rev; // store the resume event so we can send it later + * + * // initiate some asynchronous process here - for example, a + * // recursive fetch. + * + * *ctxp = ctx; + * return (ISC_R_SUCCESS); + * } + * + * Finally, in the completion handler for the asynchronous process, we + * need to send a resumption event so that query processing can resume. + * For example, the completion handler might call this function: + * + * static void + * asyncproc_done(hookstate_t *state) { + * isc_event_t *ev = (isc_event_t *)state->rev; + * isc_task_send(ev->ev_sender, &ev); + * } + * + * Caveats: + * - On resuming from a hook-initiated asynchronous process, code in + * the query module before the hook point needs to be exercised. + * So if this part has side effects, it's possible that the resuming + * doesn't work well. Currently, NS_QUERY_RESPOND_ANY_FOUND is + * explicitly prohibited to be used as the resume point. + * - In general, hooks other than those called at the beginning of the + * caller function may not work safely with asynchronous processing for + * the reason stated in the previous bullet. For example, a hook action + * for NS_QUERY_DONE_SEND may not be able to start an asychronous + * function safely. + * - Hook-triggered asynchronous processing is not allowed to be running + * while the standard DNS recursive fetch is taking place (starting + * from a call to dns_resolver_createfetch()), as the two would be + * using some of the same context resources. For this reason the + * NS_QUERY_NOTFOUND_RECURSE and NS_QUERY_ZEROTTL_RECURSE hook points + * are explicitly prohibited from being used for asynchronous hook + * actions. + * - Specifying multiple hook actions for the same hook point at the + * same time may cause problems, as resumption from one hook action + * could cause another hook to be called twice unintentionally. + * It's generally not safe to assume such a use case works, + * especially if the hooks are developed independently. (Note that + * that's not necessarily specific to the use of asynchronous hook + * actions. As long as hook actions have side effects, including + * modifying the internal query state, it's not guaranteed safe + * to use multiple independent hooks at the same time.) + */ + +/*! + * Currently-defined hook points. So long as these are unique, the order in + * which they are declared is unimportant, but it currently matches the + * order in which they are referenced in query.c. + */ +typedef enum { + /* hookpoints from query.c */ + NS_QUERY_QCTX_INITIALIZED, + NS_QUERY_QCTX_DESTROYED, + NS_QUERY_SETUP, + NS_QUERY_START_BEGIN, + NS_QUERY_LOOKUP_BEGIN, + NS_QUERY_RESUME_BEGIN, + NS_QUERY_RESUME_RESTORED, + NS_QUERY_GOT_ANSWER_BEGIN, + NS_QUERY_RESPOND_ANY_BEGIN, + NS_QUERY_RESPOND_ANY_FOUND, + NS_QUERY_ADDANSWER_BEGIN, + NS_QUERY_RESPOND_BEGIN, + NS_QUERY_NOTFOUND_BEGIN, + NS_QUERY_NOTFOUND_RECURSE, + NS_QUERY_PREP_DELEGATION_BEGIN, + NS_QUERY_ZONE_DELEGATION_BEGIN, + NS_QUERY_DELEGATION_BEGIN, + NS_QUERY_DELEGATION_RECURSE_BEGIN, + NS_QUERY_NODATA_BEGIN, + NS_QUERY_NXDOMAIN_BEGIN, + NS_QUERY_NCACHE_BEGIN, + NS_QUERY_ZEROTTL_RECURSE, + NS_QUERY_CNAME_BEGIN, + NS_QUERY_DNAME_BEGIN, + NS_QUERY_PREP_RESPONSE_BEGIN, + NS_QUERY_DONE_BEGIN, + NS_QUERY_DONE_SEND, + + /* XXX other files could be added later */ + + NS_HOOKPOINTS_COUNT /* MUST BE LAST */ +} ns_hookpoint_t; + +/* + * Returned by a hook action to indicate how to proceed after it has + * been called: continue processing, or return immediately. + */ +typedef enum { + NS_HOOK_CONTINUE, + NS_HOOK_RETURN, +} ns_hookresult_t; + +typedef ns_hookresult_t (*ns_hook_action_t)(void *arg, void *data, + isc_result_t *resultp); + +typedef struct ns_hook { + isc_mem_t *mctx; + ns_hook_action_t action; + void *action_data; + ISC_LINK(struct ns_hook) link; +} ns_hook_t; + +typedef ISC_LIST(ns_hook_t) ns_hooklist_t; +typedef ns_hooklist_t ns_hooktable_t[NS_HOOKPOINTS_COUNT]; + +/*% + * ns__hook_table is a global hook table, which is used if view->hooktable + * is NULL. It's intended only for use by unit tests. + */ +extern ns_hooktable_t *ns__hook_table; + +typedef void (*ns_hook_cancelasync_t)(ns_hookasync_t *); +typedef void (*ns_hook_destroyasync_t)(ns_hookasync_t **); + +/*% + * Context for a hook-initiated asynchronous process. This works + * similarly to dns_fetch_t. + */ +struct ns_hookasync { + isc_mem_t *mctx; + + /* + * The following two are equivalent to dns_resolver_cancelfetch and + * dns_resolver_destroyfetch, respectively, but specified as function + * pointers since they can be hook-specific. + */ + ns_hook_cancelasync_t cancel; + ns_hook_destroyasync_t destroy; + + void *private; /* hook-specific data */ +}; + +/* + * isc_event to be sent on the completion of a hook-initiated asyncronous + * process, similar to dns_fetchevent_t. + */ +typedef struct ns_hook_resevent { + ISC_EVENT_COMMON(struct ns_hook_resevent); + ns_hookasync_t *ctx; /* asynchronous processing context */ + ns_hookpoint_t hookpoint; /* hook point from which to resume */ + isc_result_t origresult; /* result code at the point of call to hook */ + query_ctx_t *saved_qctx; /* qctx at the point of call to hook */ +} ns_hook_resevent_t; + +/* + * Plugin API version + * + * When the API changes, increment NS_PLUGIN_VERSION. If the + * change is backward-compatible (e.g., adding a new function call + * but not changing or removing an old one), increment NS_PLUGIN_AGE + * as well; if not, set NS_PLUGIN_AGE to 0. + */ +#ifndef NS_PLUGIN_VERSION +#define NS_PLUGIN_VERSION 1 +#define NS_PLUGIN_AGE 0 +#endif /* ifndef NS_PLUGIN_VERSION */ + +typedef isc_result_t +ns_plugin_register_t(const char *parameters, const void *cfg, const char *file, + unsigned long line, isc_mem_t *mctx, isc_log_t *lctx, + void *actx, ns_hooktable_t *hooktable, void **instp); +/*%< + * Called when registering a new plugin. + * + * 'parameters' contains the plugin configuration text. + * + * '*instp' will be set to the module instance handle if the function + * is successful. + * + * Returns: + *\li #ISC_R_SUCCESS + *\li #ISC_R_NOMEMORY + *\li Other errors are possible + */ + +typedef void +ns_plugin_destroy_t(void **instp); +/*%< + * Destroy a plugin instance. + * + * '*instp' must be set to NULL by the function before it returns. + */ + +typedef isc_result_t +ns_plugin_check_t(const char *parameters, const void *cfg, const char *file, + unsigned long line, isc_mem_t *mctx, isc_log_t *lctx, + void *actx); +/*%< + * Check the validity of 'parameters'. + */ + +typedef int +ns_plugin_version_t(void); +/*%< + * Return the API version number a plugin was compiled with. + * + * If the returned version number is no greater than + * NS_PLUGIN_VERSION, and no less than NS_PLUGIN_VERSION - NS_PLUGIN_AGE, + * then the module is API-compatible with named. + */ + +/*% + * Prototypes for API functions to be defined in each module. + */ +ns_plugin_check_t plugin_check; +ns_plugin_destroy_t plugin_destroy; +ns_plugin_register_t plugin_register; +ns_plugin_version_t plugin_version; + +isc_result_t +ns_plugin_expandpath(const char *src, char *dst, size_t dstsize); +/*%< + * Prepare the plugin location to be passed to dlopen() based on the plugin + * path or filename found in the configuration file ('src'). Store the result + * in 'dst', which is 'dstsize' bytes large. + * + * On Unix systems, two classes of 'src' are recognized: + * + * - If 'src' is an absolute or relative path, it will be copied to 'dst' + * verbatim. + * + * - If 'src' is a filename (i.e. does not contain a path separator), the + * path to the directory into which named plugins are installed will be + * prepended to it and the result will be stored in 'dst'. + * + * Returns: + *\li #ISC_R_SUCCESS Success + *\li #ISC_R_NOSPACE 'dst' is not large enough to hold the output string + *\li Other result snprintf() returned a negative value + */ + +isc_result_t +ns_plugin_register(const char *modpath, const char *parameters, const void *cfg, + const char *cfg_file, unsigned long cfg_line, + isc_mem_t *mctx, isc_log_t *lctx, void *actx, + dns_view_t *view); +/*%< + * Load the plugin module specified from the file 'modpath', and + * register an instance using 'parameters'. + * + * 'cfg_file' and 'cfg_line' specify the location of the plugin + * declaration in the configuration file. + * + * 'cfg' and 'actx' are the configuration context and ACL configuration + * context, respectively; they are passed as void * here in order to + * prevent this library from having a dependency on libisccfg). + * + * 'instp' will be left pointing to the instance of the plugin + * created by the module's plugin_register function. + */ + +isc_result_t +ns_plugin_check(const char *modpath, const char *parameters, const void *cfg, + const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx, + isc_log_t *lctx, void *actx); +/*%< + * Open the plugin module at 'modpath' and check the validity of + * 'parameters', logging any errors or warnings found, then + * close it without configuring it. + */ + +void +ns_plugins_create(isc_mem_t *mctx, ns_plugins_t **listp); +/*%< + * Create and initialize a plugin list. + */ + +void +ns_plugins_free(isc_mem_t *mctx, void **listp); +/*%< + * Close each plugin module in a plugin list, then free the list object. + */ + +void +ns_hooktable_free(isc_mem_t *mctx, void **tablep); +/*%< + * Free a hook table. + */ + +void +ns_hook_add(ns_hooktable_t *hooktable, isc_mem_t *mctx, + ns_hookpoint_t hookpoint, const ns_hook_t *hook); +/*%< + * Allocate (using memory context 'mctx') a copy of the 'hook' structure + * describing a hook action and append it to the list of hooks at 'hookpoint' + * in 'hooktable'. + * + * Requires: + *\li 'hooktable' is not NULL + * + *\li 'mctx' is not NULL + * + *\li 'hookpoint' is less than NS_QUERY_HOOKS_COUNT + * + *\li 'hook' is not NULL + */ + +void +ns_hooktable_init(ns_hooktable_t *hooktable); +/*%< + * Initialize a hook table. + */ + +isc_result_t +ns_hooktable_create(isc_mem_t *mctx, ns_hooktable_t **tablep); +/*%< + * Allocate and initialize a hook table. + */ diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h new file mode 100644 index 0000000..028f86d --- /dev/null +++ b/lib/ns/include/ns/interfacemgr.h @@ -0,0 +1,192 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/***** +***** Module Info +*****/ + +/*! \file + * \brief + * The interface manager monitors the operating system's list + * of network interfaces, creating and destroying listeners + * as needed. + * + * Reliability: + *\li No impact expected. + * + * Resources: + * + * Security: + * \li The server will only be able to bind to the DNS port on + * newly discovered interfaces if it is running as root. + * + * Standards: + *\li The API for scanning varies greatly among operating systems. + * This module attempts to hide the differences. + */ + +/*** + *** Imports + ***/ + +#include + +#include +#include +#include +#include +#include + +#include + +#include +#include + +/*** + *** Types + ***/ + +#define IFACE_MAGIC ISC_MAGIC('I', ':', '-', ')') +#define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC) + +#define NS_INTERFACEFLAG_ANYADDR 0x01U /*%< bound to "any" address */ +#define NS_INTERFACEFLAG_LISTENING 0x02U /*%< listening */ +#define MAX_UDP_DISPATCH \ + 128 /*%< Maximum number of UDP dispatchers \ + * to start per interface */ +/*% The nameserver interface structure */ +struct ns_interface { + unsigned int magic; /*%< Magic number. */ + ns_interfacemgr_t *mgr; /*%< Interface manager. */ + isc_mutex_t lock; + unsigned int generation; /*%< Generation number. */ + isc_sockaddr_t addr; /*%< Address and port. */ + unsigned int flags; /*%< Interface flags */ + char name[32]; /*%< Null terminated. */ + isc_nmsocket_t *udplistensocket; + isc_nmsocket_t *tcplistensocket; + isc_nmsocket_t *http_listensocket; + isc_nmsocket_t *http_secure_listensocket; + isc_quota_t *http_quota; + isc_refcount_t ntcpaccepting; /*%< Number of clients + * ready to accept new + * TCP connections on this + * interface */ + isc_refcount_t ntcpactive; /*%< Number of clients + * servicing TCP queries + * (whether accepting or + * connected) */ + ns_clientmgr_t *clientmgr; /*%< Client manager. */ + ISC_LINK(ns_interface_t) link; +}; + +/*** + *** Functions + ***/ + +isc_result_t +ns_interfacemgr_create(isc_mem_t *mctx, ns_server_t *sctx, + isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, + isc_nm_t *nm, dns_dispatchmgr_t *dispatchmgr, + isc_task_t *task, dns_geoip_databases_t *geoip, + int ncpus, bool scan, ns_interfacemgr_t **mgrp); +/*%< + * Create a new interface manager. + * + * Initially, the new manager will not listen on any interfaces. + * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6() + * to set nonempty listen-on lists. + */ + +void +ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target); + +void +ns_interfacemgr_detach(ns_interfacemgr_t **targetp); + +void +ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr); + +void +ns_interfacemgr_setbacklog(ns_interfacemgr_t *mgr, int backlog); +/*%< + * Set the size of the listen() backlog queue. + */ + +bool +ns_interfacemgr_islistening(ns_interfacemgr_t *mgr); +/*%< + * Return if the manager is listening on any interface. It can be called + * after a scan or adjust. + */ + +isc_result_t +ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config); +/*%< + * Scan the operatings system's list of network interfaces + * and create listeners when new interfaces are discovered. + * Shut down the sockets for interfaces that go away. + * + * When 'config' is true, also shut down and recreate any existing TLS and HTTPS + * interfaces in order to use their new configuration. + * + * This should be called once on server startup and then + * periodically according to the 'interface-interval' option + * in named.conf. + */ + +void +ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value); +/*%< + * Set the IPv4 "listen-on" list of 'mgr' to 'value'. + * The previous IPv4 listen-on list is freed. + */ + +void +ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value); +/*%< + * Set the IPv6 "listen-on" list of 'mgr' to 'value'. + * The previous IPv6 listen-on list is freed. + */ + +dns_aclenv_t * +ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr); + +void +ns_interface_shutdown(ns_interface_t *ifp); +/*%< + * Stop listening for queries on interface 'ifp'. + * May safely be called multiple times. + */ + +void +ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr); + +bool +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, const isc_sockaddr_t *addr); + +ns_server_t * +ns_interfacemgr_getserver(ns_interfacemgr_t *mgr); +/*%< + * Returns the ns_server object associated with the interface manager. + */ + +ns_clientmgr_t * +ns_interfacemgr_getclientmgr(ns_interfacemgr_t *mgr); +/*%< + * + * Returns the client manager for the current worker thread. + * (This cannot be run from outside a network manager thread.) + */ diff --git a/lib/ns/include/ns/listenlist.h b/lib/ns/include/ns/listenlist.h new file mode 100644 index 0000000..5d0a19b --- /dev/null +++ b/lib/ns/include/ns/listenlist.h @@ -0,0 +1,137 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/***** +***** Module Info +*****/ + +/*! \file + * \brief + * "Listen lists", as in the "listen-on" configuration statement. + */ + +/*** + *** Imports + ***/ + +#include + +#include +#include + +#include + +/*** + *** Types + ***/ + +typedef struct ns_listenelt ns_listenelt_t; +typedef struct ns_listenlist ns_listenlist_t; + +struct ns_listenelt { + isc_mem_t *mctx; + in_port_t port; + bool is_http; + dns_acl_t *acl; + isc_tlsctx_t *sslctx; + isc_tlsctx_cache_t *sslctx_cache; + char **http_endpoints; + size_t http_endpoints_number; + uint32_t http_max_clients; + uint32_t max_concurrent_streams; + ISC_LINK(ns_listenelt_t) link; +}; + +struct ns_listenlist { + isc_mem_t *mctx; + int refcount; + ISC_LIST(ns_listenelt_t) elts; +}; + +typedef struct ns_listen_tls_params { + const char *name; + const char *key; + const char *cert; + const char *ca_file; + uint32_t protocols; + const char *dhparam_file; + const char *ciphers; + bool prefer_server_ciphers; + bool prefer_server_ciphers_set; + bool session_tickets; + bool session_tickets_set; +} ns_listen_tls_params_t; + +/*** + *** Functions + ***/ + +isc_result_t +ns_listenelt_create(isc_mem_t *mctx, in_port_t port, dns_acl_t *acl, + const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenelt_t **target); +/*%< + * Create a listen-on list element. + * + * Requires: + * \li 'targetp' is a valid pointer to a pointer containing 'NULL'; + * \li 'tls_params' is a valid, non-'NULL' pointer if 'tls' equals 'true'. + * \li 'tlsctx_cache' is a valid, non-'NULL' pointer if 'tls' equals 'true'. + */ + +isc_result_t +ns_listenelt_create_http(isc_mem_t *mctx, in_port_t http_port, dns_acl_t *acl, + const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, char **endpoints, + size_t nendpoints, const uint32_t max_clients, + const uint32_t max_streams, ns_listenelt_t **target); +/*%< + * Create a listen-on list element for HTTP(S). + */ + +void +ns_listenelt_destroy(ns_listenelt_t *elt); +/*%< + * Destroy a listen-on list element. + */ + +isc_result_t +ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target); +/*%< + * Create a new, empty listen-on list. + */ + +void +ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target); +/*%< + * Attach '*target' to '*source'. + */ + +void +ns_listenlist_detach(ns_listenlist_t **listp); +/*%< + * Detach 'listp'. + */ + +isc_result_t +ns_listenlist_default(isc_mem_t *mctx, in_port_t port, bool enabled, + const uint16_t family, ns_listenlist_t **target); +/*%< + * Create a listen-on list with default contents, matching + * all addresses with port 'port' (if 'enabled' is true), + * or no addresses (if 'enabled' is false). + */ diff --git a/lib/ns/include/ns/log.h b/lib/ns/include/ns/log.h new file mode 100644 index 0000000..3ade016 --- /dev/null +++ b/lib/ns/include/ns/log.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +#include +#include + +extern isc_log_t *ns_lctx; +extern isc_logcategory_t ns_categories[]; +extern isc_logmodule_t ns_modules[]; + +#define NS_LOGCATEGORY_CLIENT (&ns_categories[0]) +#define NS_LOGCATEGORY_NETWORK (&ns_categories[1]) +#define NS_LOGCATEGORY_UPDATE (&ns_categories[2]) +#define NS_LOGCATEGORY_QUERIES (&ns_categories[3]) +#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_categories[4]) +#define NS_LOGCATEGORY_QUERY_ERRORS (&ns_categories[5]) +#define NS_LOGCATEGORY_TAT (&ns_categories[6]) +#define NS_LOGCATEGORY_SERVE_STALE (&ns_categories[7]) + +/* + * Backwards compatibility. + */ +#define NS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL + +#define NS_LOGMODULE_CLIENT (&ns_modules[0]) +#define NS_LOGMODULE_QUERY (&ns_modules[1]) +#define NS_LOGMODULE_INTERFACEMGR (&ns_modules[2]) +#define NS_LOGMODULE_UPDATE (&ns_modules[3]) +#define NS_LOGMODULE_XFER_IN (&ns_modules[4]) +#define NS_LOGMODULE_XFER_OUT (&ns_modules[5]) +#define NS_LOGMODULE_NOTIFY (&ns_modules[6]) +#define NS_LOGMODULE_HOOKS (&ns_modules[7]) + +void +ns_log_init(isc_log_t *lctx); +/*%< + * Make the libns categories and modules available for use with the + * ISC logging library. + * + * Requires: + *\li lctx is a valid logging context. + * + *\li ns_log_init() is called only once. + * + * Ensures: + *\li The categories and modules defined above are available for + * use by isc_log_usechannnel() and isc_log_write(). + */ + +void +ns_log_setcontext(isc_log_t *lctx); +/*%< + * Make the libns library use the provided context for logging internal + * messages. + * + * Requires: + *\li lctx is a valid logging context. + */ diff --git a/lib/ns/include/ns/notify.h b/lib/ns/include/ns/notify.h new file mode 100644 index 0000000..b7e6f7c --- /dev/null +++ b/lib/ns/include/ns/notify.h @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +#include + +/*** + *** Module Info + ***/ + +/*! \file + * \brief + * RFC1996 + * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) + */ + +/*** + *** Functions. + ***/ + +void +ns_notify_start(ns_client_t *client, isc_nmhandle_t *handle); + +/*%< + * Examines the incoming message to determine appropriate zone. + * Returns FORMERR if there is not exactly one question. + * Returns REFUSED if we do not serve the listed zone. + * Pass the message to the zone module for processing + * and returns the return status. + * + * Requires + *\li client to be valid. + */ diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h new file mode 100644 index 0000000..37e5567 --- /dev/null +++ b/lib/ns/include/ns/query.h @@ -0,0 +1,271 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +#include + +#include +#include +#include +#include + +#include +#include +#include +#include + +#include + +/*% nameserver database version structure */ +typedef struct ns_dbversion { + dns_db_t *db; + dns_dbversion_t *version; + bool acl_checked; + bool queryok; + ISC_LINK(struct ns_dbversion) link; +} ns_dbversion_t; + +/*% + * nameserver recursion parameters, to uniquely identify a recursion + * query; this is used to detect a recursion loop + */ +typedef struct ns_query_recparam { + dns_rdatatype_t qtype; + dns_name_t *qname; + dns_fixedname_t fqname; + dns_name_t *qdomain; + dns_fixedname_t fqdomain; +} ns_query_recparam_t; + +/*% nameserver query structure */ +struct ns_query { + unsigned int attributes; + unsigned int restarts; + bool timerset; + dns_name_t *qname; + dns_name_t *origqname; + dns_rdatatype_t qtype; + unsigned int dboptions; + unsigned int fetchoptions; + dns_db_t *gluedb; + dns_db_t *authdb; + dns_zone_t *authzone; + bool authdbset; + bool isreferral; + isc_mutex_t fetchlock; + dns_fetch_t *fetch; + dns_fetch_t *prefetch; + ns_hookasync_t *hookactx; + dns_rpz_st_t *rpz_st; + isc_bufferlist_t namebufs; + ISC_LIST(ns_dbversion_t) activeversions; + ISC_LIST(ns_dbversion_t) freeversions; + dns_rdataset_t *dns64_aaaa; + dns_rdataset_t *dns64_sigaaaa; + bool *dns64_aaaaok; + unsigned int dns64_aaaaoklen; + unsigned int dns64_options; + unsigned int dns64_ttl; + + struct { + dns_db_t *db; + dns_zone_t *zone; + dns_dbnode_t *node; + dns_rdatatype_t qtype; + dns_name_t *fname; + dns_fixedname_t fixed; + isc_result_t result; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; + bool authoritative; + bool is_zone; + } redirect; + + ns_query_recparam_t recparam; + + dns_keytag_t root_key_sentinel_keyid; + bool root_key_sentinel_is_ta; + bool root_key_sentinel_not_ta; +}; + +#define NS_QUERYATTR_RECURSIONOK 0x000001 +#define NS_QUERYATTR_CACHEOK 0x000002 +#define NS_QUERYATTR_PARTIALANSWER 0x000004 +#define NS_QUERYATTR_NAMEBUFUSED 0x000008 +#define NS_QUERYATTR_RECURSING 0x000010 +#define NS_QUERYATTR_QUERYOKVALID 0x000040 +#define NS_QUERYATTR_QUERYOK 0x000080 +#define NS_QUERYATTR_WANTRECURSION 0x000100 +#define NS_QUERYATTR_SECURE 0x000200 +#define NS_QUERYATTR_NOAUTHORITY 0x000400 +#define NS_QUERYATTR_NOADDITIONAL 0x000800 +#define NS_QUERYATTR_CACHEACLOKVALID 0x001000 +#define NS_QUERYATTR_CACHEACLOK 0x002000 +#define NS_QUERYATTR_DNS64 0x004000 +#define NS_QUERYATTR_DNS64EXCLUDE 0x008000 +#define NS_QUERYATTR_RRL_CHECKED 0x010000 +#define NS_QUERYATTR_REDIRECT 0x020000 +#define NS_QUERYATTR_ANSWERED 0x040000 +#define NS_QUERYATTR_STALEOK 0x080000 +#define NS_QUERYATTR_STALEPENDING 0x100000 + +typedef struct query_ctx query_ctx_t; + +/* query context structure */ +struct query_ctx { + isc_buffer_t *dbuf; /* name buffer */ + dns_name_t *fname; /* found name from DB lookup */ + dns_name_t *tname; /* temporary name, used + * when processing ANY + * queries */ + dns_rdataset_t *rdataset; /* found rdataset */ + dns_rdataset_t *sigrdataset; /* found sigrdataset */ + dns_rdataset_t *noqname; /* rdataset needing + * NOQNAME proof */ + dns_rdatatype_t qtype; + dns_rdatatype_t type; + + unsigned int options; /* DB lookup options */ + + bool redirected; /* nxdomain redirected? */ + bool is_zone; /* is DB a zone DB? */ + bool is_staticstub_zone; + bool resuming; /* resumed from recursion? */ + bool dns64, dns64_exclude, rpz; + bool authoritative; /* authoritative query? */ + bool want_restart; /* CNAME chain or other + * restart needed */ + bool refresh_rrset; /* stale RRset refresh needed */ + bool need_wildcardproof; /* wildcard proof needed */ + bool nxrewrite; /* negative answer from RPZ */ + bool findcoveringnsec; /* lookup covering NSEC */ + bool answer_has_ns; /* NS is in answer */ + dns_fixedname_t wildcardname; /* name needing wcard proof */ + dns_fixedname_t dsname; /* name needing DS */ + + ns_client_t *client; /* client object */ + bool detach_client; /* client needs detaching */ + + dns_fetchevent_t *event; /* recursion event */ + + dns_db_t *db; /* zone or cache database */ + dns_dbversion_t *version; /* DB version */ + dns_dbnode_t *node; /* DB node */ + + dns_db_t *zdb; /* zone DB values, saved */ + dns_dbnode_t *znode; /* while searching cache */ + dns_name_t *zfname; /* for a better answer */ + dns_dbversion_t *zversion; + dns_rdataset_t *zrdataset; + dns_rdataset_t *zsigrdataset; + + dns_rpz_st_t *rpz_st; /* RPZ state */ + dns_zone_t *zone; /* zone to search */ + + dns_view_t *view; /* client view */ + + isc_result_t result; /* query result */ + int line; /* line to report error */ +}; + +typedef isc_result_t (*ns_query_starthookasync_t)( + query_ctx_t *qctx, isc_mem_t *mctx, void *arg, isc_task_t *task, + isc_taskaction_t action, void *evarg, ns_hookasync_t **ctxp); + +/* + * The following functions are expected to be used only within query.c + * and query modules. + */ + +isc_result_t +ns_query_done(query_ctx_t *qctx); +/*%< + * Finalize this phase of the query process: + * + * - Clean up. + * - If we have an answer ready (positive or negative), send it. + * - If we need to restart for a chaining query, call ns__query_start() again. + * - If we've started recursion, then just clean up; things will be + * restarted via fetch_callback()/query_resume(). + */ + +isc_result_t +ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, + dns_name_t *qdomain, dns_rdataset_t *nameservers, + bool resuming); +/*%< + * Prepare client for recursion, then create a resolver fetch, with + * the event callback set to fetch_callback(). Afterward we terminate + * this phase of the query, and resume with a new query context when + * recursion completes. + */ + +isc_result_t +ns_query_hookasync(query_ctx_t *qctx, ns_query_starthookasync_t runasync, + void *arg); +/*%< + * Prepare the client for an asynchronous hook action, then call the + * specified 'runasync' function to start an asynchronous process running + * in the background. This function works similarly to ns_query_recurse(), + * but is expected to be called from a query hook action to support + * asynchronous event handling in a hook. A typical use case would be for + * a plugin to initiate recursion, but it may also be used to carry out + * other time-consuming tasks without blocking the caller or the worker + * thread. + * + * The calling plugin action must pass 'qctx' as passed from the query + * module. + * + * Once a plugin action calls this function, the ownership of 'qctx' is + * essentially transferred to the query module. Regardless of the return + * value of this function, the hook must not use 'qctx' anymore. + * + * This function must not be called after ns_query_recurse() is called, + * until the fetch is completed, as it needs resources that + * ns_query_recurse() would also use. + * + * See hooks.h for details about how 'runasync' is supposed to work, and + * other aspects of hook-triggered asynchronous event handling. + */ + +isc_result_t +ns_query_init(ns_client_t *client); + +void +ns_query_free(ns_client_t *client); + +void +ns_query_start(ns_client_t *client, isc_nmhandle_t *handle); + +void +ns_query_cancel(ns_client_t *client); + +/* + * The following functions are expected to be used only within query.c + * and query modules. + */ + +isc_result_t +ns__query_sfcache(query_ctx_t *qctx); +/*%< + * (Must not be used outside this module and its associated unit tests.) + */ + +isc_result_t +ns__query_start(query_ctx_t *qctx); +/*%< + * (Must not be used outside this module and its associated unit tests.) + */ diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h new file mode 100644 index 0000000..206c495 --- /dev/null +++ b/lib/ns/include/ns/server.h @@ -0,0 +1,201 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#define NS_SERVER_LOGQUERIES 0x00000001U /*%< log queries */ +#define NS_SERVER_NOAA 0x00000002U /*%< -T noaa */ +#define NS_SERVER_NOSOA 0x00000004U /*%< -T nosoa */ +#define NS_SERVER_NONEAREST 0x00000008U /*%< -T nonearest */ +#define NS_SERVER_NOEDNS 0x00000020U /*%< -T noedns */ +#define NS_SERVER_DROPEDNS 0x00000040U /*%< -T dropedns */ +#define NS_SERVER_NOTCP 0x00000080U /*%< -T notcp */ +#define NS_SERVER_DISABLE4 0x00000100U /*%< -6 */ +#define NS_SERVER_DISABLE6 0x00000200U /*%< -4 */ +#define NS_SERVER_FIXEDLOCAL 0x00000400U /*%< -T fixedlocal */ +#define NS_SERVER_SIGVALINSECS 0x00000800U /*%< -T sigvalinsecs */ +#define NS_SERVER_EDNSFORMERR 0x00001000U /*%< -T ednsformerr (STD13) */ +#define NS_SERVER_EDNSNOTIMP 0x00002000U /*%< -T ednsnotimp */ +#define NS_SERVER_EDNSREFUSED 0x00004000U /*%< -T ednsrefused */ +#define NS_SERVER_TRANSFERINSECS 0x00008000U /*%< -T transferinsecs */ +#define NS_SERVER_TRANSFERSLOWLY 0x00010000U /*%< -T transferslowly */ +#define NS_SERVER_TRANSFERSTUCK 0x00020000U /*%< -T transferstuck */ + +/*% + * Type for callback function to get hostname. + */ +typedef isc_result_t (*ns_hostnamecb_t)(char *buf, size_t len); + +/*% + * Type for callback function to signal the fuzzer thread + * when built with AFL. + */ +typedef void (*ns_fuzzcb_t)(void); + +/*% + * Type for callback function to get the view that can answer a query. + */ +typedef isc_result_t (*ns_matchview_t)( + isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, dns_message_t *message, + dns_aclenv_t *env, isc_result_t *sigresultp, dns_view_t **viewp); + +/*% + * Server context. + */ +struct ns_server { + unsigned int magic; + isc_mem_t *mctx; + + isc_refcount_t references; + + /*% Server cookie secret and algorithm */ + unsigned char secret[32]; + ns_cookiealg_t cookiealg; + ns_altsecretlist_t altsecrets; + bool answercookie; + + /*% Quotas */ + isc_quota_t recursionquota; + isc_quota_t tcpquota; + isc_quota_t xfroutquota; + isc_quota_t updquota; + ISC_LIST(isc_quota_t) http_quotas; + isc_mutex_t http_quotas_lock; + + /*% Test options and other configurables */ + uint32_t options; + + dns_acl_t *blackholeacl; + dns_acl_t *keepresporder; + uint16_t udpsize; + uint16_t transfer_tcp_message_size; + bool interface_auto; + dns_tkeyctx_t *tkeyctx; + + /*% Server id for NSID */ + char *server_id; + bool usehostname; + + /*% Fuzzer callback */ + isc_fuzztype_t fuzztype; + ns_fuzzcb_t fuzznotify; + + /*% Callback to find a matching view for a query */ + ns_matchview_t matchingview; + + /*% Stats counters */ + ns_stats_t *nsstats; + dns_stats_t *rcvquerystats; + dns_stats_t *opcodestats; + dns_stats_t *rcodestats; + + isc_stats_t *udpinstats4; + isc_stats_t *udpoutstats4; + isc_stats_t *udpinstats6; + isc_stats_t *udpoutstats6; + + isc_stats_t *tcpinstats4; + isc_stats_t *tcpoutstats4; + isc_stats_t *tcpinstats6; + isc_stats_t *tcpoutstats6; +}; + +struct ns_altsecret { + ISC_LINK(ns_altsecret_t) link; + unsigned char secret[32]; +}; + +isc_result_t +ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + ns_server_t **sctxp); +/*%< + * Create a server context object with default settings. + */ + +void +ns_server_attach(ns_server_t *src, ns_server_t **dest); +/*%< + * Attach a server context. + * + * Requires: + *\li 'src' is valid. + */ + +void +ns_server_detach(ns_server_t **sctxp); +/*%< + * Detach from a server context. If its reference count drops to zero, destroy + * it, freeing its memory. + * + * Requires: + *\li '*sctxp' is valid. + * Ensures: + *\li '*sctxp' is NULL on return. + */ + +isc_result_t +ns_server_setserverid(ns_server_t *sctx, const char *serverid); +/*%< + * Set sctx->server_id to 'serverid'. If it was set previously, free the memory. + * + * Requires: + *\li 'sctx' is valid. + */ + +void +ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value); +/*%< + * Set the given options on (if 'value' == #true) + * or off (if 'value' == #false). + * + * Requires: + *\li 'sctx' is valid + */ + +bool +ns_server_getoption(ns_server_t *sctx, unsigned int option); +/*%< + * Returns the current value of the specified server option. + * + * Requires: + *\li 'sctx' is valid. + */ + +void +ns_server_append_http_quota(ns_server_t *sctx, isc_quota_t *http_quota); +/*%< + * Add a quota to the list of HTTP quotas to destroy it safely later. + * + * Requires: + *\li 'sctx' is valid; + *\li 'http_quota' is not 'NULL'. + */ diff --git a/lib/ns/include/ns/sortlist.h b/lib/ns/include/ns/sortlist.h new file mode 100644 index 0000000..3333e9c --- /dev/null +++ b/lib/ns/include/ns/sortlist.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +#include + +#include +#include + +/*% + * Type for callback functions that rank addresses. + */ +typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address, + const void *arg); + +/*% + * Return value type for setup_sortlist. + */ +typedef enum { + NS_SORTLISTTYPE_NONE, + NS_SORTLISTTYPE_1ELEMENT, + NS_SORTLISTTYPE_2ELEMENT +} ns_sortlisttype_t; + +ns_sortlisttype_t +ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr, + void **argp); +/*%< + * Find the sortlist statement in 'acl' (for ACL environment 'env') + * that applies to 'clientaddr', if any. + * + * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and + * make '*argp' point to the matching subelement. + * + * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and + * make '*argp' point to ACL that forms the second element. + * + * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp' + * to NULL. + */ + +int +ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg); +/*%< + * Find the sort order of 'addr' in 'arg', the matching element + * of a 1-element top-level sortlist statement. + */ + +int +ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg); +/*%< + * Find the sort order of 'addr' in 'arg', a topology-like + * ACL forming the second element in a 2-element top-level + * sortlist statement. + */ + +void +ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env, + isc_netaddr_t *client_addr, + dns_addressorderfunc_t *orderp, void **argp); +/*%< + * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. + * If a sortlist statement applies, return in '*orderp' a pointer to a function + * for ranking network addresses based on that sortlist statement, and in + * '*argp' an argument to pass to said function. If no sortlist statement + * applies, set '*orderp' and '*argp' to NULL. + */ diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h new file mode 100644 index 0000000..c235384 --- /dev/null +++ b/lib/ns/include/ns/stats.h @@ -0,0 +1,138 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file include/ns/stats.h */ + +#include + +/*% + * Server statistics counters. Used as isc_statscounter_t values. + */ +enum { + ns_statscounter_requestv4 = 0, + ns_statscounter_requestv6 = 1, + ns_statscounter_edns0in = 2, + ns_statscounter_badednsver = 3, + ns_statscounter_tsigin = 4, + ns_statscounter_sig0in = 5, + ns_statscounter_invalidsig = 6, + ns_statscounter_requesttcp = 7, + + ns_statscounter_authrej = 8, + ns_statscounter_recurserej = 9, + ns_statscounter_xfrrej = 10, + ns_statscounter_updaterej = 11, + + ns_statscounter_response = 12, + ns_statscounter_truncatedresp = 13, + ns_statscounter_edns0out = 14, + ns_statscounter_tsigout = 15, + ns_statscounter_sig0out = 16, + + ns_statscounter_success = 17, + ns_statscounter_authans = 18, + ns_statscounter_nonauthans = 19, + ns_statscounter_referral = 20, + ns_statscounter_nxrrset = 21, + ns_statscounter_servfail = 22, + ns_statscounter_formerr = 23, + ns_statscounter_nxdomain = 24, + ns_statscounter_recursion = 25, + ns_statscounter_duplicate = 26, + ns_statscounter_dropped = 27, + ns_statscounter_failure = 28, + + ns_statscounter_xfrdone = 29, + + ns_statscounter_updatereqfwd = 30, + ns_statscounter_updaterespfwd = 31, + ns_statscounter_updatefwdfail = 32, + ns_statscounter_updatedone = 33, + ns_statscounter_updatefail = 34, + ns_statscounter_updatebadprereq = 35, + + ns_statscounter_recursclients = 36, + + ns_statscounter_dns64 = 37, + + ns_statscounter_ratedropped = 38, + ns_statscounter_rateslipped = 39, + + ns_statscounter_rpz_rewrites = 40, + + ns_statscounter_udp = 41, + ns_statscounter_tcp = 42, + + ns_statscounter_nsidopt = 43, + ns_statscounter_expireopt = 44, + ns_statscounter_otheropt = 45, + ns_statscounter_ecsopt = 46, + ns_statscounter_padopt = 47, + ns_statscounter_keepaliveopt = 48, + + ns_statscounter_nxdomainredirect = 49, + ns_statscounter_nxdomainredirect_rlookup = 50, + + ns_statscounter_cookiein = 51, + ns_statscounter_cookiebadsize = 52, + ns_statscounter_cookiebadtime = 53, + ns_statscounter_cookienomatch = 54, + ns_statscounter_cookiematch = 55, + ns_statscounter_cookienew = 56, + ns_statscounter_badcookie = 57, + + ns_statscounter_nxdomainsynth = 58, + ns_statscounter_nodatasynth = 59, + ns_statscounter_wildcardsynth = 60, + + ns_statscounter_trystale = 61, + ns_statscounter_usedstale = 62, + + ns_statscounter_prefetch = 63, + ns_statscounter_keytagopt = 64, + + ns_statscounter_tcphighwater = 65, + + ns_statscounter_reclimitdropped = 66, + + ns_statscounter_updatequota = 67, + + ns_statscounter_max = 68, +}; + +void +ns_stats_attach(ns_stats_t *stats, ns_stats_t **statsp); + +void +ns_stats_detach(ns_stats_t **statsp); + +isc_result_t +ns_stats_create(isc_mem_t *mctx, int ncounters, ns_stats_t **statsp); + +void +ns_stats_increment(ns_stats_t *stats, isc_statscounter_t counter); + +void +ns_stats_decrement(ns_stats_t *stats, isc_statscounter_t counter); + +isc_stats_t * +ns_stats_get(ns_stats_t *stats); + +void +ns_stats_update_if_greater(ns_stats_t *stats, isc_statscounter_t counter, + isc_statscounter_t value); + +isc_statscounter_t +ns_stats_get_counter(ns_stats_t *stats, isc_statscounter_t counter); diff --git a/lib/ns/include/ns/types.h b/lib/ns/include/ns/types.h new file mode 100644 index 0000000..85205d7 --- /dev/null +++ b/lib/ns/include/ns/types.h @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/*! \file */ + +typedef struct ns_altsecret ns_altsecret_t; +typedef ISC_LIST(ns_altsecret_t) ns_altsecretlist_t; +typedef struct ns_client ns_client_t; +typedef struct ns_clientmgr ns_clientmgr_t; +typedef struct ns_plugin ns_plugin_t; +typedef ISC_LIST(ns_plugin_t) ns_plugins_t; +typedef struct ns_interface ns_interface_t; +typedef struct ns_interfacemgr ns_interfacemgr_t; +typedef struct ns_query ns_query_t; +typedef struct ns_server ns_server_t; +typedef struct ns_stats ns_stats_t; +typedef struct ns_hookasync ns_hookasync_t; + +typedef enum { ns_cookiealg_aes, ns_cookiealg_siphash24 } ns_cookiealg_t; + +#define NS_COOKIE_VERSION_1 1 diff --git a/lib/ns/include/ns/update.h b/lib/ns/include/ns/update.h new file mode 100644 index 0000000..fbabdf9 --- /dev/null +++ b/lib/ns/include/ns/update.h @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/***** +***** Module Info +*****/ + +/*! \file + * \brief + * RFC2136 Dynamic Update + */ + +/*** + *** Imports + ***/ + +#include + +#include + +/*** + *** Types. + ***/ + +/*** + *** Functions + ***/ + +void +ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + isc_result_t sigresult); diff --git a/lib/ns/include/ns/xfrout.h b/lib/ns/include/ns/xfrout.h new file mode 100644 index 0000000..d36060e --- /dev/null +++ b/lib/ns/include/ns/xfrout.h @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +/***** +***** Module Info +*****/ + +/*! \file + * \brief + * Outgoing zone transfers (AXFR + IXFR). + */ + +/*** + *** Functions + ***/ + +void +ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype); diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c new file mode 100644 index 0000000..50b87df --- /dev/null +++ b/lib/ns/interfacemgr.c @@ -0,0 +1,1438 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include +#include + +#ifdef HAVE_NET_ROUTE_H +#include +#if defined(RTM_VERSION) && defined(RTM_NEWADDR) && defined(RTM_DELADDR) +#define MSGHDR rt_msghdr +#define MSGTYPE rtm_type +#endif /* if defined(RTM_VERSION) && defined(RTM_NEWADDR) && \ + * defined(RTM_DELADDR) */ +#endif /* ifdef HAVE_NET_ROUTE_H */ + +#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) +#define LINUX_NETLINK_AVAILABLE +#include +#include +#if defined(RTM_NEWADDR) && defined(RTM_DELADDR) +#define MSGHDR nlmsghdr +#define MSGTYPE nlmsg_type +#endif /* if defined(RTM_NEWADDR) && defined(RTM_DELADDR) */ +#endif /* if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) \ + */ + +#define LISTENING(ifp) (((ifp)->flags & NS_INTERFACEFLAG_LISTENING) != 0) + +#ifdef TUNE_LARGE +#define UDPBUFFERS 32768 +#else /* ifdef TUNE_LARGE */ +#define UDPBUFFERS 1000 +#endif /* TUNE_LARGE */ + +#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G') +#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC) + +#define IFMGR_COMMON_LOGARGS \ + ns_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR + +/*% nameserver interface manager structure */ +struct ns_interfacemgr { + unsigned int magic; /*%< Magic number */ + isc_refcount_t references; + isc_mutex_t lock; + isc_mem_t *mctx; /*%< Memory context */ + ns_server_t *sctx; /*%< Server context */ + isc_taskmgr_t *taskmgr; /*%< Task manager */ + isc_task_t *task; /*%< Task */ + isc_timermgr_t *timermgr; /*%< Timer manager */ + isc_nm_t *nm; /*%< Net manager */ + int ncpus; /*%< Number of workers */ + dns_dispatchmgr_t *dispatchmgr; + unsigned int generation; /*%< Current generation no */ + ns_listenlist_t *listenon4; + ns_listenlist_t *listenon6; + dns_aclenv_t *aclenv; /*%< Localhost/localnets ACLs */ + ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces */ + ISC_LIST(isc_sockaddr_t) listenon; + int backlog; /*%< Listen queue size */ + atomic_bool shuttingdown; /*%< Interfacemgr shutting down */ + ns_clientmgr_t **clientmgrs; /*%< Client managers */ + isc_nmhandle_t *route; +}; + +static void +purge_old_interfaces(ns_interfacemgr_t *mgr); + +static void +clearlistenon(ns_interfacemgr_t *mgr); + +static bool +need_rescan(ns_interfacemgr_t *mgr, struct MSGHDR *rtm, size_t len) { + if (rtm->MSGTYPE != RTM_NEWADDR && rtm->MSGTYPE != RTM_DELADDR) { + return (false); + } + +#ifndef LINUX_NETLINK_AVAILABLE + UNUSED(mgr); + UNUSED(len); + /* On most systems, any NEWADDR or DELADDR means we rescan */ + return (true); +#else /* LINUX_NETLINK_AVAILABLE */ + /* ...but on linux we need to check the messages more carefully */ + for (struct MSGHDR *nlh = rtm; + NLMSG_OK(nlh, len) && nlh->nlmsg_type != NLMSG_DONE; + nlh = NLMSG_NEXT(nlh, len)) + { + struct ifaddrmsg *ifa = (struct ifaddrmsg *)NLMSG_DATA(nlh); + struct rtattr *rth = IFA_RTA(ifa); + size_t rtl = IFA_PAYLOAD(nlh); + + while (rtl > 0 && RTA_OK(rth, rtl)) { + /* + * Look for IFA_ADDRESS to detect IPv6 interface + * state changes. + */ + if (rth->rta_type == IFA_ADDRESS && + ifa->ifa_family == AF_INET6) + { + bool existed = false; + bool was_listening = false; + isc_netaddr_t addr = { 0 }; + ns_interface_t *ifp = NULL; + + isc_netaddr_fromin6(&addr, RTA_DATA(rth)); + INSIST(isc_netaddr_getzone(&addr) == 0); + + /* + * Check whether we were listening on the + * address. We need to do this as the + * Linux kernel seems to issue messages + * containing IFA_ADDRESS far more often + * than the actual state changes (on + * router advertisements?) + */ + LOCK(&mgr->lock); + for (ifp = ISC_LIST_HEAD(mgr->interfaces); + ifp != NULL; + ifp = ISC_LIST_NEXT(ifp, link)) + { + isc_netaddr_t tmp = { 0 }; + isc_netaddr_fromsockaddr(&tmp, + &ifp->addr); + if (tmp.family != AF_INET6) { + continue; + } + + /* + * We have to nullify the zone (IPv6 + * scope ID) because we haven't got one + * from the kernel. Otherwise match + * could fail even for an existing + * address. + */ + isc_netaddr_setzone(&tmp, 0); + if (isc_netaddr_equal(&tmp, &addr)) { + was_listening = LISTENING(ifp); + existed = true; + break; + } + } + UNLOCK(&mgr->lock); + + /* + * Do rescan if the state of the interface + * has changed. + */ + if ((!existed && rtm->MSGTYPE == RTM_NEWADDR) || + (existed && was_listening && + rtm->MSGTYPE == RTM_DELADDR)) + { + return (true); + } + } else if (rth->rta_type == IFA_ADDRESS && + ifa->ifa_family == AF_INET) + { + /* + * It seems that the IPv4 P2P link state + * has changed. + */ + return (true); + } else if (rth->rta_type == IFA_LOCAL) { + /* + * Local address state has changed - do + * rescan. + */ + return (true); + } + rth = RTA_NEXT(rth, rtl); + } + } +#endif /* LINUX_NETLINK_AVAILABLE */ + + return (false); +} + +static void +route_recv(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, + void *arg) { + ns_interfacemgr_t *mgr = (ns_interfacemgr_t *)arg; + struct MSGHDR *rtm = NULL; + size_t rtmlen; + + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_DEBUG(9), "route_recv: %s", + isc_result_totext(eresult)); + + if (handle == NULL) { + return; + } + + if (eresult != ISC_R_SUCCESS) { + if (eresult != ISC_R_CANCELED && eresult != ISC_R_SHUTTINGDOWN) + { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "automatic interface scanning " + "terminated: %s", + isc_result_totext(eresult)); + } + isc_nmhandle_detach(&mgr->route); + ns_interfacemgr_detach(&mgr); + return; + } + + rtm = (struct MSGHDR *)region->base; + rtmlen = region->length; + +#ifdef RTM_VERSION + if (rtm->rtm_version != RTM_VERSION) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "automatic interface rescanning disabled: " + "rtm->rtm_version mismatch (%u != %u) " + "recompile required", + rtm->rtm_version, RTM_VERSION); + isc_nmhandle_detach(&mgr->route); + ns_interfacemgr_detach(&mgr); + return; + } +#endif /* ifdef RTM_VERSION */ + + REQUIRE(mgr->route != NULL); + + if (need_rescan(mgr, rtm, rtmlen) && mgr->sctx->interface_auto) { + ns_interfacemgr_scan(mgr, false, false); + } + + isc_nm_read(handle, route_recv, mgr); + return; +} + +static void +route_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { + ns_interfacemgr_t *mgr = (ns_interfacemgr_t *)arg; + + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_DEBUG(9), + "route_connected: %s", isc_result_totext(eresult)); + + if (eresult != ISC_R_SUCCESS) { + ns_interfacemgr_detach(&mgr); + return; + } + + INSIST(mgr->route == NULL); + + isc_nmhandle_attach(handle, &mgr->route); + isc_nm_read(handle, route_recv, mgr); +} + +isc_result_t +ns_interfacemgr_create(isc_mem_t *mctx, ns_server_t *sctx, + isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, + isc_nm_t *nm, dns_dispatchmgr_t *dispatchmgr, + isc_task_t *task, dns_geoip_databases_t *geoip, + int ncpus, bool scan, ns_interfacemgr_t **mgrp) { + isc_result_t result; + ns_interfacemgr_t *mgr = NULL; + + UNUSED(task); + + REQUIRE(mctx != NULL); + REQUIRE(mgrp != NULL); + REQUIRE(*mgrp == NULL); + + mgr = isc_mem_get(mctx, sizeof(*mgr)); + *mgr = (ns_interfacemgr_t){ .taskmgr = taskmgr, + .timermgr = timermgr, + .nm = nm, + .dispatchmgr = dispatchmgr, + .generation = 1, + .ncpus = ncpus }; + + isc_mem_attach(mctx, &mgr->mctx); + ns_server_attach(sctx, &mgr->sctx); + + isc_mutex_init(&mgr->lock); + + result = isc_task_create_bound(taskmgr, 0, &mgr->task, 0); + if (result != ISC_R_SUCCESS) { + goto cleanup_lock; + } + + atomic_init(&mgr->shuttingdown, false); + + ISC_LIST_INIT(mgr->interfaces); + ISC_LIST_INIT(mgr->listenon); + + /* + * The listen-on lists are initially empty. + */ + result = ns_listenlist_create(mctx, &mgr->listenon4); + if (result != ISC_R_SUCCESS) { + goto cleanup_task; + } + ns_listenlist_attach(mgr->listenon4, &mgr->listenon6); + + result = dns_aclenv_create(mctx, &mgr->aclenv); + if (result != ISC_R_SUCCESS) { + goto cleanup_listenon; + } +#if defined(HAVE_GEOIP2) + mgr->aclenv->geoip = geoip; +#else /* if defined(HAVE_GEOIP2) */ + UNUSED(geoip); +#endif /* if defined(HAVE_GEOIP2) */ + + isc_refcount_init(&mgr->references, 1); + mgr->magic = IFMGR_MAGIC; + *mgrp = mgr; + + mgr->clientmgrs = isc_mem_get(mgr->mctx, + mgr->ncpus * sizeof(mgr->clientmgrs[0])); + for (size_t i = 0; i < (size_t)mgr->ncpus; i++) { + result = ns_clientmgr_create(mgr->sctx, mgr->taskmgr, + mgr->timermgr, mgr->aclenv, (int)i, + &mgr->clientmgrs[i]); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + } + + if (scan) { + ns_interfacemgr_t *imgr = NULL; + + ns_interfacemgr_attach(mgr, &imgr); + + result = isc_nm_routeconnect(nm, route_connected, imgr, 0); + if (result == ISC_R_NOTIMPLEMENTED) { + ns_interfacemgr_detach(&imgr); + } + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "unable to open route socket: %s", + isc_result_totext(result)); + } + } + + return (ISC_R_SUCCESS); + +cleanup_listenon: + ns_listenlist_detach(&mgr->listenon4); + ns_listenlist_detach(&mgr->listenon6); +cleanup_task: + isc_task_detach(&mgr->task); +cleanup_lock: + isc_mutex_destroy(&mgr->lock); + ns_server_detach(&mgr->sctx); + isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr)); + return (result); +} + +static void +ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + isc_refcount_destroy(&mgr->references); + + dns_aclenv_detach(&mgr->aclenv); + ns_listenlist_detach(&mgr->listenon4); + ns_listenlist_detach(&mgr->listenon6); + clearlistenon(mgr); + isc_mutex_destroy(&mgr->lock); + for (size_t i = 0; i < (size_t)mgr->ncpus; i++) { + ns_clientmgr_detach(&mgr->clientmgrs[i]); + } + isc_mem_put(mgr->mctx, mgr->clientmgrs, + mgr->ncpus * sizeof(mgr->clientmgrs[0])); + + if (mgr->sctx != NULL) { + ns_server_detach(&mgr->sctx); + } + isc_task_detach(&mgr->task); + mgr->magic = 0; + isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr)); +} + +void +ns_interfacemgr_setbacklog(ns_interfacemgr_t *mgr, int backlog) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + LOCK(&mgr->lock); + mgr->backlog = backlog; + UNLOCK(&mgr->lock); +} + +dns_aclenv_t * +ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) { + dns_aclenv_t *aclenv = NULL; + + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + LOCK(&mgr->lock); + aclenv = mgr->aclenv; + UNLOCK(&mgr->lock); + + return (aclenv); +} + +void +ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) { + REQUIRE(NS_INTERFACEMGR_VALID(source)); + isc_refcount_increment(&source->references); + *target = source; +} + +void +ns_interfacemgr_detach(ns_interfacemgr_t **targetp) { + ns_interfacemgr_t *target = *targetp; + *targetp = NULL; + REQUIRE(target != NULL); + REQUIRE(NS_INTERFACEMGR_VALID(target)); + if (isc_refcount_decrement(&target->references) == 1) { + ns_interfacemgr_destroy(target); + } +} + +void +ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + /*% + * Shut down and detach all interfaces. + * By incrementing the generation count, we make + * purge_old_interfaces() consider all interfaces "old". + */ + mgr->generation++; + atomic_store(&mgr->shuttingdown, true); + + purge_old_interfaces(mgr); + + if (mgr->route != NULL) { + isc_nm_cancelread(mgr->route); + } + + for (size_t i = 0; i < (size_t)mgr->ncpus; i++) { + ns_clientmgr_shutdown(mgr->clientmgrs[i]); + } +} + +static void +interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, + ns_interface_t **ifpret) { + ns_interface_t *ifp = NULL; + + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + ifp = isc_mem_get(mgr->mctx, sizeof(*ifp)); + *ifp = (ns_interface_t){ .generation = mgr->generation, .addr = *addr }; + + strlcpy(ifp->name, name, sizeof(ifp->name)); + + isc_mutex_init(&ifp->lock); + + isc_refcount_init(&ifp->ntcpaccepting, 0); + isc_refcount_init(&ifp->ntcpactive, 0); + + ISC_LINK_INIT(ifp, link); + + ns_interfacemgr_attach(mgr, &ifp->mgr); + ifp->magic = IFACE_MAGIC; + + LOCK(&mgr->lock); + ISC_LIST_APPEND(mgr->interfaces, ifp, link); + UNLOCK(&mgr->lock); + + *ifpret = ifp; +} + +static isc_result_t +ns_interface_listenudp(ns_interface_t *ifp) { + isc_result_t result; + + /* Reserve space for an ns_client_t with the netmgr handle */ + result = isc_nm_listenudp(ifp->mgr->nm, &ifp->addr, ns__client_request, + ifp, sizeof(ns_client_t), + &ifp->udplistensocket); + return (result); +} + +static isc_result_t +ns_interface_listentcp(ns_interface_t *ifp) { + isc_result_t result; + + result = isc_nm_listentcpdns( + ifp->mgr->nm, &ifp->addr, ns__client_request, ifp, + ns__client_tcpconn, ifp, sizeof(ns_client_t), ifp->mgr->backlog, + &ifp->mgr->sctx->tcpquota, &ifp->tcplistensocket); + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "creating TCP socket: %s", + isc_result_totext(result)); + } + + /* + * We call this now to update the tcp-highwater statistic: + * this is necessary because we are adding to the TCP quota just + * by listening. + */ + result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp); + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "connecting TCP socket: %s", + isc_result_totext(result)); + } + + return (result); +} + +/* + * XXXWPK we should probably pass a complete object with key, cert, and other + * TLS related options. + */ +static isc_result_t +ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) { + isc_result_t result; + + result = isc_nm_listentlsdns( + ifp->mgr->nm, &ifp->addr, ns__client_request, ifp, + ns__client_tcpconn, ifp, sizeof(ns_client_t), ifp->mgr->backlog, + &ifp->mgr->sctx->tcpquota, sslctx, &ifp->tcplistensocket); + + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "creating TLS socket: %s", + isc_result_totext(result)); + return (result); + } + + /* + * We call this now to update the tcp-highwater statistic: + * this is necessary because we are adding to the TCP quota just + * by listening. + */ + result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp); + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "updating TCP stats: %s", + isc_result_totext(result)); + } + + return (result); +} + +#ifdef HAVE_LIBNGHTTP2 +static isc_result_t +load_http_endpoints(isc_nm_http_endpoints_t *epset, ns_interface_t *ifp, + char **eps, size_t neps) { + isc_result_t result = ISC_R_FAILURE; + + for (size_t i = 0; i < neps; i++) { + result = isc_nm_http_endpoints_add(epset, eps[i], + ns__client_request, ifp, + sizeof(ns_client_t)); + if (result != ISC_R_SUCCESS) { + break; + } + } + + return (result); +} +#endif /* HAVE_LIBNGHTTP2 */ + +static isc_result_t +ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps, + size_t neps, uint32_t max_clients, + uint32_t max_concurrent_streams) { +#if HAVE_LIBNGHTTP2 + isc_result_t result = ISC_R_FAILURE; + isc_nmsocket_t *sock = NULL; + isc_nm_http_endpoints_t *epset = NULL; + isc_quota_t *quota = NULL; + + epset = isc_nm_http_endpoints_new(ifp->mgr->mctx); + + result = load_http_endpoints(epset, ifp, eps, neps); + + if (result == ISC_R_SUCCESS) { + quota = isc_mem_get(ifp->mgr->mctx, sizeof(*quota)); + isc_quota_init(quota, max_clients); + result = isc_nm_listenhttp( + ifp->mgr->nm, &ifp->addr, ifp->mgr->backlog, quota, + sslctx, epset, max_concurrent_streams, &sock); + } + + isc_nm_http_endpoints_detach(&epset); + + if (quota != NULL) { + if (result != ISC_R_SUCCESS) { + isc_quota_destroy(quota); + isc_mem_put(ifp->mgr->mctx, quota, sizeof(*quota)); + } else { + ifp->http_quota = quota; + ns_server_append_http_quota(ifp->mgr->sctx, quota); + } + } + + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "creating %s socket: %s", + sslctx ? "HTTPS" : "HTTP", + isc_result_totext(result)); + return (result); + } + + if (sslctx) { + ifp->http_secure_listensocket = sock; + } else { + ifp->http_listensocket = sock; + } + + /* + * We call this now to update the tcp-highwater statistic: + * this is necessary because we are adding to the TCP quota just + * by listening. + */ + result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp); + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "updating TCP stats: %s", + isc_result_totext(result)); + } + + return (result); +#else + UNUSED(ifp); + UNUSED(sslctx); + UNUSED(eps); + UNUSED(neps); + UNUSED(max_clients); + UNUSED(max_concurrent_streams); + return (ISC_R_NOTIMPLEMENTED); +#endif +} + +static isc_result_t +interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, + ns_interface_t **ifpret, ns_listenelt_t *elt, + bool *addr_in_use) { + isc_result_t result; + ns_interface_t *ifp = NULL; + + REQUIRE(ifpret != NULL); + REQUIRE(addr_in_use == NULL || !*addr_in_use); + + ifp = *ifpret; + + if (ifp == NULL) { + interface_create(mgr, addr, name, &ifp); + } else { + REQUIRE(!LISTENING(ifp)); + } + + ifp->flags |= NS_INTERFACEFLAG_LISTENING; + + if (elt->is_http) { + result = ns_interface_listenhttp( + ifp, elt->sslctx, elt->http_endpoints, + elt->http_endpoints_number, elt->http_max_clients, + elt->max_concurrent_streams); + if (result != ISC_R_SUCCESS) { + goto cleanup_interface; + } + *ifpret = ifp; + return (result); + } + + if (elt->sslctx != NULL) { + result = ns_interface_listentls(ifp, elt->sslctx); + if (result != ISC_R_SUCCESS) { + goto cleanup_interface; + } + *ifpret = ifp; + return (result); + } + + result = ns_interface_listenudp(ifp); + if (result != ISC_R_SUCCESS) { + if ((result == ISC_R_ADDRINUSE) && (addr_in_use != NULL)) { + *addr_in_use = true; + } + goto cleanup_interface; + } + + if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0)) { + result = ns_interface_listentcp(ifp); + if (result != ISC_R_SUCCESS) { + if ((result == ISC_R_ADDRINUSE) && + (addr_in_use != NULL)) + { + *addr_in_use = true; + } + + /* + * XXXRTH We don't currently have a way to easily stop + * dispatch service, so we currently return + * ISC_R_SUCCESS (the UDP stuff will work even if TCP + * creation failed). This will be fixed later. + */ + result = ISC_R_SUCCESS; + } + } + *ifpret = ifp; + return (result); + +cleanup_interface: + ns_interface_shutdown(ifp); + return (result); +} + +void +ns_interface_shutdown(ns_interface_t *ifp) { + ifp->flags &= ~NS_INTERFACEFLAG_LISTENING; + + if (ifp->udplistensocket != NULL) { + isc_nm_stoplistening(ifp->udplistensocket); + isc_nmsocket_close(&ifp->udplistensocket); + } + if (ifp->tcplistensocket != NULL) { + isc_nm_stoplistening(ifp->tcplistensocket); + isc_nmsocket_close(&ifp->tcplistensocket); + } + if (ifp->http_listensocket != NULL) { + isc_nm_stoplistening(ifp->http_listensocket); + isc_nmsocket_close(&ifp->http_listensocket); + } + if (ifp->http_secure_listensocket != NULL) { + isc_nm_stoplistening(ifp->http_secure_listensocket); + isc_nmsocket_close(&ifp->http_secure_listensocket); + } + ifp->http_quota = NULL; +} + +static void +interface_destroy(ns_interface_t **interfacep) { + ns_interface_t *ifp = NULL; + ns_interfacemgr_t *mgr = NULL; + + REQUIRE(interfacep != NULL); + + ifp = *interfacep; + *interfacep = NULL; + + REQUIRE(NS_INTERFACE_VALID(ifp)); + + mgr = ifp->mgr; + + ns_interface_shutdown(ifp); + + ifp->magic = 0; + isc_mutex_destroy(&ifp->lock); + ns_interfacemgr_detach(&ifp->mgr); + isc_refcount_destroy(&ifp->ntcpactive); + isc_refcount_destroy(&ifp->ntcpaccepting); + + isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); +} + +/*% + * Search the interface list for an interface whose address and port + * both match those of 'addr'. Return a pointer to it, or NULL if not found. + */ +static ns_interface_t * +find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { + ns_interface_t *ifp; + LOCK(&mgr->lock); + for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; + ifp = ISC_LIST_NEXT(ifp, link)) + { + if (isc_sockaddr_equal(&ifp->addr, addr)) { + break; + } + } + UNLOCK(&mgr->lock); + return (ifp); +} + +/*% + * Remove any interfaces whose generation number is not the current one. + */ +static void +purge_old_interfaces(ns_interfacemgr_t *mgr) { + ns_interface_t *ifp = NULL, *next = NULL; + ISC_LIST(ns_interface_t) interfaces; + + ISC_LIST_INIT(interfaces); + + LOCK(&mgr->lock); + for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) { + INSIST(NS_INTERFACE_VALID(ifp)); + next = ISC_LIST_NEXT(ifp, link); + if (ifp->generation != mgr->generation) { + ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link); + ISC_LIST_APPEND(interfaces, ifp, link); + } + } + UNLOCK(&mgr->lock); + + for (ifp = ISC_LIST_HEAD(interfaces); ifp != NULL; ifp = next) { + next = ISC_LIST_NEXT(ifp, link); + if (LISTENING(ifp)) { + char sabuf[256]; + isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "no longer listening on %s", sabuf); + ns_interface_shutdown(ifp); + } + ISC_LIST_UNLINK(interfaces, ifp, link); + interface_destroy(&ifp); + } +} + +static bool +listenon_is_ip6_any(ns_listenelt_t *elt) { + REQUIRE(elt && elt->acl); + return (dns_acl_isany(elt->acl)); +} + +static isc_result_t +setup_locals(isc_interface_t *interface, dns_acl_t *localhost, + dns_acl_t *localnets) { + isc_result_t result; + unsigned int prefixlen; + isc_netaddr_t *netaddr; + + netaddr = &interface->address; + + /* First add localhost address */ + prefixlen = (netaddr->family == AF_INET) ? 32 : 128; + result = dns_iptable_addprefix(localhost->iptable, netaddr, prefixlen, + true); + if (result != ISC_R_SUCCESS) { + return (result); + } + + /* Then add localnets prefix */ + result = isc_netaddr_masktoprefixlen(&interface->netmask, &prefixlen); + + /* Non contiguous netmasks not allowed by IPv6 arch. */ + if (result != ISC_R_SUCCESS && netaddr->family == AF_INET6) { + return (result); + } + + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING, + "omitting IPv4 interface %s from " + "localnets ACL: %s", + interface->name, isc_result_totext(result)); + return (ISC_R_SUCCESS); + } + + if (prefixlen == 0U) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING, + "omitting %s interface %s from localnets ACL: " + "zero prefix length detected", + (netaddr->family == AF_INET) ? "IPv4" : "IPv6", + interface->name); + return (ISC_R_SUCCESS); + } + + result = dns_iptable_addprefix(localnets->iptable, netaddr, prefixlen, + true); + if (result != ISC_R_SUCCESS) { + return (result); + } + + return (ISC_R_SUCCESS); +} + +static void +setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface, + in_port_t port) { + isc_sockaddr_t *addr; + isc_sockaddr_t *old; + + addr = isc_mem_get(mgr->mctx, sizeof(*addr)); + + isc_sockaddr_fromnetaddr(addr, &interface->address, port); + + LOCK(&mgr->lock); + for (old = ISC_LIST_HEAD(mgr->listenon); old != NULL; + old = ISC_LIST_NEXT(old, link)) + { + if (isc_sockaddr_equal(addr, old)) { + /* We found an existing address */ + isc_mem_put(mgr->mctx, addr, sizeof(*addr)); + goto unlock; + } + } + + ISC_LIST_APPEND(mgr->listenon, addr, link); +unlock: + UNLOCK(&mgr->lock); +} + +static void +clearlistenon(ns_interfacemgr_t *mgr) { + ISC_LIST(isc_sockaddr_t) listenon; + isc_sockaddr_t *old; + + ISC_LIST_INIT(listenon); + + LOCK(&mgr->lock); + ISC_LIST_MOVE(listenon, mgr->listenon); + UNLOCK(&mgr->lock); + + old = ISC_LIST_HEAD(listenon); + while (old != NULL) { + ISC_LIST_UNLINK(listenon, old, link); + isc_mem_put(mgr->mctx, old, sizeof(*old)); + old = ISC_LIST_HEAD(listenon); + } +} + +static void +replace_listener_tlsctx(ns_interface_t *ifp, isc_tlsctx_t *newctx) { + char sabuf[ISC_SOCKADDR_FORMATSIZE]; + + isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "updating TLS context on %s", sabuf); + if (ifp->tcplistensocket != NULL) { + /* 'tcplistensocket' is used for DoT */ + isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx); + } else if (ifp->http_secure_listensocket != NULL) { + isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx); + } +} + +#ifdef HAVE_LIBNGHTTP2 +static void +update_http_settings(ns_interface_t *ifp, ns_listenelt_t *le) { + isc_result_t result; + isc_nmsocket_t *listener; + isc_nm_http_endpoints_t *epset; + + REQUIRE(le->is_http); + + INSIST(ifp->http_quota != NULL); + isc_quota_max(ifp->http_quota, le->http_max_clients); + + if (ifp->http_secure_listensocket != NULL) { + listener = ifp->http_secure_listensocket; + } else { + INSIST(ifp->http_listensocket != NULL); + listener = ifp->http_listensocket; + } + + isc_nmsocket_set_max_streams(listener, le->max_concurrent_streams); + + epset = isc_nm_http_endpoints_new(ifp->mgr->mctx); + + result = load_http_endpoints(epset, ifp, le->http_endpoints, + le->http_endpoints_number); + + if (result == ISC_R_SUCCESS) { + isc_nm_http_set_endpoints(listener, epset); + } + + isc_nm_http_endpoints_detach(&epset); +} +#endif /* HAVE_LIBNGHTTP2 */ + +static void +update_listener_configuration(ns_interfacemgr_t *mgr, ns_interface_t *ifp, + ns_listenelt_t *le) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + REQUIRE(NS_INTERFACE_VALID(ifp)); + REQUIRE(le != NULL); + + LOCK(&mgr->lock); + /* + * We need to update the TLS contexts + * inside the TLS/HTTPS listeners during + * a reconfiguration because the + * certificates could have been changed. + */ + if (le->sslctx != NULL) { + replace_listener_tlsctx(ifp, le->sslctx); + } + +#ifdef HAVE_LIBNGHTTP2 + /* + * Let's update HTTP listener settings + * on reconfiguration. + */ + if (le->is_http) { + update_http_settings(ifp, le); + } +#endif /* HAVE_LIBNGHTTP2 */ + + UNLOCK(&mgr->lock); +} + +static isc_result_t +do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { + isc_interfaceiter_t *iter = NULL; + bool scan_ipv4 = false; + bool scan_ipv6 = false; + bool ipv6only = true; + bool ipv6pktinfo = true; + isc_result_t result; + isc_netaddr_t zero_address, zero_address6; + ns_listenelt_t *le = NULL; + isc_sockaddr_t listen_addr; + ns_interface_t *ifp = NULL; + bool log_explicit = false; + bool dolistenon; + char sabuf[ISC_SOCKADDR_FORMATSIZE]; + bool tried_listening; + bool all_addresses_in_use; + dns_acl_t *localhost = NULL; + dns_acl_t *localnets = NULL; + + if (isc_net_probeipv6() == ISC_R_SUCCESS) { + scan_ipv6 = true; + } else if ((mgr->sctx->options & NS_SERVER_DISABLE6) == 0) { + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), + "no IPv6 interfaces found"); + } + + if (isc_net_probeipv4() == ISC_R_SUCCESS) { + scan_ipv4 = true; + } else if ((mgr->sctx->options & NS_SERVER_DISABLE4) == 0) { + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), + "no IPv4 interfaces found"); + } + + /* + * A special, but typical case; listen-on-v6 { any; }. + * When we can make the socket IPv6-only, open a single wildcard + * socket for IPv6 communication. Otherwise, make separate + * socket for each IPv6 address in order to avoid accepting IPv4 + * packets as the form of mapped addresses unintentionally + * unless explicitly allowed. + */ + if (scan_ipv6 && isc_net_probe_ipv6only() != ISC_R_SUCCESS) { + ipv6only = false; + log_explicit = true; + } + if (scan_ipv6 && isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) { + ipv6pktinfo = false; + log_explicit = true; + } + if (scan_ipv6 && ipv6only && ipv6pktinfo) { + for (le = ISC_LIST_HEAD(mgr->listenon6->elts); le != NULL; + le = ISC_LIST_NEXT(le, link)) + { + struct in6_addr in6a; + + if (!listenon_is_ip6_any(le)) { + continue; + } + + in6a = in6addr_any; + isc_sockaddr_fromin6(&listen_addr, &in6a, le->port); + + ifp = find_matching_interface(mgr, &listen_addr); + if (ifp != NULL) { + ifp->generation = mgr->generation; + if (LISTENING(ifp)) { + if (config) { + update_listener_configuration( + mgr, ifp, le); + } + continue; + } + } + + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "listening on IPv6 " + "interfaces, port %u", + le->port); + result = interface_setup(mgr, &listen_addr, "", + &ifp, le, NULL); + if (result == ISC_R_SUCCESS) { + ifp->flags |= NS_INTERFACEFLAG_ANYADDR; + } else { + isc_log_write(IFMGR_COMMON_LOGARGS, + ISC_LOG_ERROR, + "listening on all IPv6 " + "interfaces failed"); + } + /* Continue. */ + } + } + + isc_netaddr_any(&zero_address); + isc_netaddr_any6(&zero_address6); + + result = isc_interfaceiter_create(mgr->mctx, &iter); + if (result != ISC_R_SUCCESS) { + return (result); + } + + result = dns_acl_create(mgr->mctx, 0, &localhost); + if (result != ISC_R_SUCCESS) { + goto cleanup_iter; + } + result = dns_acl_create(mgr->mctx, 0, &localnets); + if (result != ISC_R_SUCCESS) { + goto cleanup_localhost; + } + + clearlistenon(mgr); + + tried_listening = false; + all_addresses_in_use = true; + for (result = isc_interfaceiter_first(iter); result == ISC_R_SUCCESS; + result = isc_interfaceiter_next(iter)) + { + isc_interface_t interface; + ns_listenlist_t *ll = NULL; + unsigned int family; + + result = isc_interfaceiter_current(iter, &interface); + if (result != ISC_R_SUCCESS) { + break; + } + + family = interface.address.family; + if (family != AF_INET && family != AF_INET6) { + continue; + } + if (!scan_ipv4 && family == AF_INET) { + continue; + } + if (!scan_ipv6 && family == AF_INET6) { + continue; + } + + /* + * Test for the address being nonzero rather than testing + * INTERFACE_F_UP, because on some systems the latter + * follows the media state and we could end up ignoring + * the interface for an entire rescan interval due to + * a temporary media glitch at rescan time. + */ + if (family == AF_INET && + isc_netaddr_equal(&interface.address, &zero_address)) + { + continue; + } + if (family == AF_INET6 && + isc_netaddr_equal(&interface.address, &zero_address6)) + { + continue; + } + + /* + * If running with -T fixedlocal, then we only + * want 127.0.0.1 and ::1 in the localhost ACL. + */ + if (((mgr->sctx->options & NS_SERVER_FIXEDLOCAL) != 0) && + !isc_netaddr_isloopback(&interface.address)) + { + goto listenon; + } + + result = setup_locals(&interface, localhost, localnets); + if (result != ISC_R_SUCCESS) { + goto ignore_interface; + } + + listenon: + ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6; + dolistenon = true; + for (le = ISC_LIST_HEAD(ll->elts); le != NULL; + le = ISC_LIST_NEXT(le, link)) + { + int match; + bool addr_in_use = false; + bool ipv6_wildcard = false; + isc_sockaddr_t listen_sockaddr; + + isc_sockaddr_fromnetaddr(&listen_sockaddr, + &interface.address, le->port); + + /* + * See if the address matches the listen-on statement; + * if not, ignore the interface, but store it in + * the interface table so we know we've seen it + * before. + */ + (void)dns_acl_match(&interface.address, NULL, le->acl, + mgr->aclenv, &match, NULL); + if (match <= 0) { + ns_interface_t *new = NULL; + interface_create(mgr, &listen_sockaddr, + interface.name, &new); + continue; + } + + if (dolistenon) { + setup_listenon(mgr, &interface, le->port); + dolistenon = false; + } + + /* + * The case of "any" IPv6 address will require + * special considerations later, so remember it. + */ + if (family == AF_INET6 && ipv6only && ipv6pktinfo && + listenon_is_ip6_any(le)) + { + ipv6_wildcard = true; + } + + ifp = find_matching_interface(mgr, &listen_sockaddr); + if (ifp != NULL) { + ifp->generation = mgr->generation; + if (LISTENING(ifp)) { + if (config) { + update_listener_configuration( + mgr, ifp, le); + } + continue; + } + } + + if (ipv6_wildcard) { + continue; + } + + if (log_explicit && family == AF_INET6 && + listenon_is_ip6_any(le)) + { + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO + : ISC_LOG_DEBUG(1), + "IPv6 socket API is " + "incomplete; explicitly " + "binding to each IPv6 " + "address separately"); + log_explicit = false; + } + isc_sockaddr_format(&listen_sockaddr, sabuf, + sizeof(sabuf)); + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, + "listening on %s interface " + "%s, %s", + (family == AF_INET) ? "IPv4" : "IPv6", + interface.name, sabuf); + + result = interface_setup(mgr, &listen_sockaddr, + interface.name, &ifp, le, + &addr_in_use); + + tried_listening = true; + if (!addr_in_use) { + all_addresses_in_use = false; + } + + if (result != ISC_R_SUCCESS) { + isc_log_write( + IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "creating %s interface " + "%s failed; interface ignored", + (family == AF_INET) ? "IPv4" : "IPv6", + interface.name); + } + /* Continue. */ + } + continue; + + ignore_interface: + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, + "ignoring %s interface %s: %s", + (family == AF_INET) ? "IPv4" : "IPv6", + interface.name, isc_result_totext(result)); + continue; + } + if (result != ISC_R_NOMORE) { + UNEXPECTED_ERROR("interface iteration failed: %s", + isc_result_totext(result)); + } else { + result = ((tried_listening && all_addresses_in_use) + ? ISC_R_ADDRINUSE + : ISC_R_SUCCESS); + } + + dns_aclenv_set(mgr->aclenv, localhost, localnets); + + /* cleanup_localnets: */ + dns_acl_detach(&localnets); + +cleanup_localhost: + dns_acl_detach(&localhost); + +cleanup_iter: + isc_interfaceiter_destroy(&iter); + return (result); +} + +isc_result_t +ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) { + isc_result_t result; + bool purge = true; + + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + REQUIRE(isc_nm_tid() == 0); + + mgr->generation++; /* Increment the generation count. */ + + result = do_scan(mgr, verbose, config); + if ((result != ISC_R_SUCCESS) && (result != ISC_R_ADDRINUSE)) { + purge = false; + } + + /* + * Now go through the interface list and delete anything that + * does not have the current generation number. This is + * how we catch interfaces that go away or change their + * addresses. + */ + if (purge) { + purge_old_interfaces(mgr); + } + + /* + * Warn if we are not listening on any interface. + */ + if (ISC_LIST_EMPTY(mgr->interfaces)) { + isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING, + "not listening on any interfaces"); + } + + return (result); +} + +bool +ns_interfacemgr_islistening(ns_interfacemgr_t *mgr) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + return (ISC_LIST_EMPTY(mgr->interfaces) ? false : true); +} + +void +ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + LOCK(&mgr->lock); + ns_listenlist_detach(&mgr->listenon4); + ns_listenlist_attach(value, &mgr->listenon4); + UNLOCK(&mgr->lock); +} + +void +ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + LOCK(&mgr->lock); + ns_listenlist_detach(&mgr->listenon6); + ns_listenlist_attach(value, &mgr->listenon6); + UNLOCK(&mgr->lock); +} + +void +ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + LOCK(&mgr->lock); + for (size_t i = 0; i < (size_t)mgr->ncpus; i++) { + ns_client_dumprecursing(f, mgr->clientmgrs[i]); + } + UNLOCK(&mgr->lock); +} + +bool +ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, + const isc_sockaddr_t *addr) { + isc_sockaddr_t *old; + bool result = false; + + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + /* + * If the manager is shutting down it's safer to + * return true. + */ + if (atomic_load(&mgr->shuttingdown)) { + return (true); + } + LOCK(&mgr->lock); + for (old = ISC_LIST_HEAD(mgr->listenon); old != NULL; + old = ISC_LIST_NEXT(old, link)) + { + if (isc_sockaddr_equal(old, addr)) { + result = true; + break; + } + } + UNLOCK(&mgr->lock); + + return (result); +} + +ns_server_t * +ns_interfacemgr_getserver(ns_interfacemgr_t *mgr) { + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + + return (mgr->sctx); +} + +ns_clientmgr_t * +ns_interfacemgr_getclientmgr(ns_interfacemgr_t *mgr) { + int tid = isc_nm_tid(); + + REQUIRE(NS_INTERFACEMGR_VALID(mgr)); + REQUIRE(tid >= 0); + REQUIRE(tid < mgr->ncpus); + + return (mgr->clientmgrs[tid]); +} diff --git a/lib/ns/listenlist.c b/lib/ns/listenlist.c new file mode 100644 index 0000000..c0f9e59 --- /dev/null +++ b/lib/ns/listenlist.c @@ -0,0 +1,350 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include + +#include +#include +#include + +#include + +#include + +static void +destroy(ns_listenlist_t *list); + +static isc_result_t +listenelt_create(isc_mem_t *mctx, in_port_t port, dns_acl_t *acl, + const uint16_t family, const bool is_http, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenelt_t **target) { + ns_listenelt_t *elt = NULL; + isc_result_t result = ISC_R_SUCCESS; + isc_tlsctx_t *sslctx = NULL; + isc_tls_cert_store_t *store = NULL, *found_store = NULL; + + REQUIRE(target != NULL && *target == NULL); + REQUIRE(!tls || (tls_params != NULL && tlsctx_cache != NULL)); + + if (tls) { + const isc_tlsctx_cache_transport_t transport = + is_http ? isc_tlsctx_cache_https : isc_tlsctx_cache_tls; + + /* + * Let's try to reuse the existing context from the cache in + * order to avoid excessive TLS contexts creation. + */ + result = isc_tlsctx_cache_find(tlsctx_cache, tls_params->name, + transport, family, &sslctx, + &found_store, NULL); + if (result != ISC_R_SUCCESS) { + /* + * The lookup failed, let's try to create a new context + * and store it within the cache. + */ + INSIST(tls_params->name != NULL && + *tls_params->name != '\0'); + + result = isc_tlsctx_createserver( + tls_params->key, tls_params->cert, &sslctx); + if (result != ISC_R_SUCCESS) { + goto tls_error; + } + + /* + * We need to initialise session ID context to make TLS + * session resumption work correctly - in particular in + * the case when client certificates are used (Mutual + * TLS) - otherwise resumption attempts will lead to + * handshake failures. See OpenSSL documentation for + * 'SSL_CTX_set_session_id_context()', the "Warnings" + * section. + */ + isc_tlsctx_set_random_session_id_context(sslctx); + + /* + * If CA-bundle file is specified - enable client + * certificates validation. + */ + if (tls_params->ca_file != NULL) { + if (found_store == NULL) { + result = isc_tls_cert_store_create( + tls_params->ca_file, &store); + if (result != ISC_R_SUCCESS) { + goto tls_error; + } + } else { + store = found_store; + } + + result = isc_tlsctx_enable_peer_verification( + sslctx, true, store, NULL, false); + if (result != ISC_R_SUCCESS) { + goto tls_error; + } + + /* + * Load the list of allowed client certificate + * issuers to send to TLS clients. + */ + result = isc_tlsctx_load_client_ca_names( + sslctx, tls_params->ca_file); + if (result != ISC_R_SUCCESS) { + goto tls_error; + } + } + + if (tls_params->protocols != 0) { + isc_tlsctx_set_protocols(sslctx, + tls_params->protocols); + } + + if (tls_params->dhparam_file != NULL) { + if (!isc_tlsctx_load_dhparams( + sslctx, tls_params->dhparam_file)) + { + result = ISC_R_FAILURE; + goto tls_error; + } + } + + if (tls_params->ciphers != NULL) { + isc_tlsctx_set_cipherlist(sslctx, + tls_params->ciphers); + } + + if (tls_params->prefer_server_ciphers_set) { + isc_tlsctx_prefer_server_ciphers( + sslctx, + tls_params->prefer_server_ciphers); + } + + if (tls_params->session_tickets_set) { + isc_tlsctx_session_tickets( + sslctx, tls_params->session_tickets); + } + +#ifdef HAVE_LIBNGHTTP2 + if (is_http) { + isc_tlsctx_enable_http2server_alpn(sslctx); + } +#endif /* HAVE_LIBNGHTTP2 */ + + if (!is_http) { + isc_tlsctx_enable_dot_server_alpn(sslctx); + } + + /* + * The storing in the cache should not fail because the + * (re)initialisation happens from within a single + * thread. + * + * Taking into account that the most recent call to + * 'isc_tlsctx_cache_find()' has failed, it means that + * the TLS context has not been found. Considering that + * the initialisation happens from within the context of + * a single thread, the call to 'isc_tlsctx_cache_add()' + * is expected not to fail. + */ + RUNTIME_CHECK(isc_tlsctx_cache_add( + tlsctx_cache, tls_params->name, + transport, family, sslctx, store, + NULL, NULL, NULL, + NULL) == ISC_R_SUCCESS); + } else { + INSIST(sslctx != NULL); + } + } + + elt = isc_mem_get(mctx, sizeof(*elt)); + elt->mctx = mctx; + ISC_LINK_INIT(elt, link); + elt->port = port; + elt->is_http = false; + elt->acl = acl; + elt->sslctx = sslctx; + elt->sslctx_cache = NULL; + if (sslctx != NULL && tlsctx_cache != NULL) { + isc_tlsctx_cache_attach(tlsctx_cache, &elt->sslctx_cache); + } + elt->http_endpoints = NULL; + elt->http_endpoints_number = 0; + elt->http_max_clients = 0; + elt->max_concurrent_streams = 0; + + *target = elt; + return (ISC_R_SUCCESS); +tls_error: + if (sslctx != NULL) { + isc_tlsctx_free(&sslctx); + } + + if (store != NULL && store != found_store) { + isc_tls_cert_store_free(&store); + } + return (result); +} + +isc_result_t +ns_listenelt_create(isc_mem_t *mctx, in_port_t port, dns_acl_t *acl, + const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, ns_listenelt_t **target) { + return listenelt_create(mctx, port, acl, family, false, tls, tls_params, + tlsctx_cache, target); +} + +isc_result_t +ns_listenelt_create_http(isc_mem_t *mctx, in_port_t http_port, dns_acl_t *acl, + const uint16_t family, bool tls, + const ns_listen_tls_params_t *tls_params, + isc_tlsctx_cache_t *tlsctx_cache, char **endpoints, + size_t nendpoints, const uint32_t max_clients, + const uint32_t max_streams, ns_listenelt_t **target) { + isc_result_t result; + + REQUIRE(target != NULL && *target == NULL); + REQUIRE(endpoints != NULL && *endpoints != NULL); + REQUIRE(nendpoints > 0); + + result = listenelt_create(mctx, http_port, acl, family, true, tls, + tls_params, tlsctx_cache, target); + if (result == ISC_R_SUCCESS) { + (*target)->is_http = true; + (*target)->http_endpoints = endpoints; + (*target)->http_endpoints_number = nendpoints; + /* + * 0 sized quota - means unlimited quota. We used to not + * create a quota object in such a case, but we might need to + * update the value of the quota during reconfiguration, so we + * need to have a quota object in place anyway. + */ + (*target)->http_max_clients = max_clients == 0 ? UINT32_MAX + : max_clients; + (*target)->max_concurrent_streams = max_streams; + } else { + size_t i; + for (i = 0; i < nendpoints; i++) { + isc_mem_free(mctx, endpoints[i]); + } + isc_mem_free(mctx, endpoints); + } + return (result); +} + +void +ns_listenelt_destroy(ns_listenelt_t *elt) { + if (elt->acl != NULL) { + dns_acl_detach(&elt->acl); + } + + elt->sslctx = NULL; /* this one is going to be destroyed alongside the + sslctx_cache */ + if (elt->sslctx_cache != NULL) { + isc_tlsctx_cache_detach(&elt->sslctx_cache); + } + if (elt->http_endpoints != NULL) { + size_t i; + INSIST(elt->http_endpoints_number > 0); + for (i = 0; i < elt->http_endpoints_number; i++) { + isc_mem_free(elt->mctx, elt->http_endpoints[i]); + } + isc_mem_free(elt->mctx, elt->http_endpoints); + } + isc_mem_put(elt->mctx, elt, sizeof(*elt)); +} + +isc_result_t +ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) { + ns_listenlist_t *list = NULL; + REQUIRE(target != NULL && *target == NULL); + list = isc_mem_get(mctx, sizeof(*list)); + list->mctx = mctx; + list->refcount = 1; + ISC_LIST_INIT(list->elts); + *target = list; + return (ISC_R_SUCCESS); +} + +static void +destroy(ns_listenlist_t *list) { + ns_listenelt_t *elt, *next; + for (elt = ISC_LIST_HEAD(list->elts); elt != NULL; elt = next) { + next = ISC_LIST_NEXT(elt, link); + ns_listenelt_destroy(elt); + } + isc_mem_put(list->mctx, list, sizeof(*list)); +} + +void +ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) { + INSIST(source->refcount > 0); + source->refcount++; + *target = source; +} + +void +ns_listenlist_detach(ns_listenlist_t **listp) { + ns_listenlist_t *list = *listp; + *listp = NULL; + INSIST(list->refcount > 0); + list->refcount--; + if (list->refcount == 0) { + destroy(list); + } +} + +isc_result_t +ns_listenlist_default(isc_mem_t *mctx, in_port_t port, bool enabled, + const uint16_t family, ns_listenlist_t **target) { + isc_result_t result; + dns_acl_t *acl = NULL; + ns_listenelt_t *elt = NULL; + ns_listenlist_t *list = NULL; + + REQUIRE(target != NULL && *target == NULL); + if (enabled) { + result = dns_acl_any(mctx, &acl); + } else { + result = dns_acl_none(mctx, &acl); + } + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + result = ns_listenelt_create(mctx, port, acl, family, false, NULL, NULL, + &elt); + if (result != ISC_R_SUCCESS) { + goto cleanup_acl; + } + + result = ns_listenlist_create(mctx, &list); + if (result != ISC_R_SUCCESS) { + goto cleanup_listenelt; + } + + ISC_LIST_APPEND(list->elts, elt, link); + + *target = list; + return (ISC_R_SUCCESS); + +cleanup_listenelt: + ns_listenelt_destroy(elt); +cleanup_acl: + dns_acl_detach(&acl); +cleanup: + return (result); +} diff --git a/lib/ns/log.c b/lib/ns/log.c new file mode 100644 index 0000000..4a7ff20 --- /dev/null +++ b/lib/ns/log.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include +#include + +#include + +#ifndef ISC_FACILITY +#define ISC_FACILITY LOG_DAEMON +#endif /* ifndef ISC_FACILITY */ + +/*% + * When adding a new category, be sure to add the appropriate + * \#define to + */ +isc_logcategory_t ns_categories[] = { { "client", 0 }, + { "network", 0 }, + { "update", 0 }, + { "queries", 0 }, + { "update-security", 0 }, + { "query-errors", 0 }, + { "trust-anchor-telemetry", 0 }, + { "serve-stale", 0 }, + { NULL, 0 } }; + +/*% + * When adding a new module, be sure to add the appropriate + * \#define to . + */ +isc_logmodule_t ns_modules[] = { + { "ns/client", 0 }, { "ns/query", 0 }, { "ns/interfacemgr", 0 }, + { "ns/update", 0 }, { "ns/xfer-in", 0 }, { "ns/xfer-out", 0 }, + { "ns/notify", 0 }, { "ns/hooks", 0 }, { NULL, 0 } +}; + +isc_log_t *ns_lctx = NULL; + +void +ns_log_init(isc_log_t *lctx) { + REQUIRE(lctx != NULL); + + isc_log_registercategories(lctx, ns_categories); + isc_log_registermodules(lctx, ns_modules); +} + +void +ns_log_setcontext(isc_log_t *lctx) { + ns_lctx = lctx; +} diff --git a/lib/ns/notify.c b/lib/ns/notify.c new file mode 100644 index 0000000..35b6b91 --- /dev/null +++ b/lib/ns/notify.c @@ -0,0 +1,180 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +/*! \file + * \brief + * This module implements notify as in RFC1996. + */ + +static void +notify_log(ns_client_t *client, int level, const char *fmt, ...) { + va_list ap; + + va_start(ap, fmt); + ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY, + level, fmt, ap); + va_end(ap); +} + +static void +respond(ns_client_t *client, isc_result_t result) { + dns_rcode_t rcode; + dns_message_t *message; + isc_result_t msg_result; + + message = client->message; + rcode = dns_result_torcode(result); + + msg_result = dns_message_reply(message, true); + if (msg_result != ISC_R_SUCCESS) { + msg_result = dns_message_reply(message, false); + } + if (msg_result != ISC_R_SUCCESS) { + ns_client_drop(client, msg_result); + isc_nmhandle_detach(&client->reqhandle); + return; + } + message->rcode = rcode; + if (rcode == dns_rcode_noerror) { + message->flags |= DNS_MESSAGEFLAG_AA; + } else { + message->flags &= ~DNS_MESSAGEFLAG_AA; + } + + ns_client_send(client); + isc_nmhandle_detach(&client->reqhandle); +} + +void +ns_notify_start(ns_client_t *client, isc_nmhandle_t *handle) { + dns_message_t *request = client->message; + isc_result_t result; + dns_name_t *zonename; + dns_rdataset_t *zone_rdataset; + dns_zone_t *zone = NULL; + char namebuf[DNS_NAME_FORMATSIZE]; + char tsigbuf[DNS_NAME_FORMATSIZE * 2 + sizeof(": TSIG '' ()")]; + dns_tsigkey_t *tsigkey; + + /* + * Attach to the request handle + */ + isc_nmhandle_attach(handle, &client->reqhandle); + + /* + * Interpret the question section. + */ + result = dns_message_firstname(request, DNS_SECTION_QUESTION); + if (result != ISC_R_SUCCESS) { + notify_log(client, ISC_LOG_NOTICE, + "notify question section empty"); + result = DNS_R_FORMERR; + goto done; + } + + /* + * The question section must contain exactly one question. + */ + zonename = NULL; + dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename); + zone_rdataset = ISC_LIST_HEAD(zonename->list); + if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) { + notify_log(client, ISC_LOG_NOTICE, + "notify question section contains multiple RRs"); + result = DNS_R_FORMERR; + goto done; + } + + /* The zone section must have exactly one name. */ + result = dns_message_nextname(request, DNS_SECTION_ZONE); + if (result != ISC_R_NOMORE) { + notify_log(client, ISC_LOG_NOTICE, + "notify question section contains multiple RRs"); + result = DNS_R_FORMERR; + goto done; + } + + /* The one rdataset must be an SOA. */ + if (zone_rdataset->type != dns_rdatatype_soa) { + notify_log(client, ISC_LOG_NOTICE, + "notify question section contains no SOA"); + result = DNS_R_FORMERR; + goto done; + } + + tsigkey = dns_message_gettsigkey(request); + if (tsigkey != NULL) { + dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf)); + + if (tsigkey->generated) { + char cnamebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(tsigkey->creator, cnamebuf, + sizeof(cnamebuf)); + snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)", + namebuf, cnamebuf); + } else { + snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", + namebuf); + } + } else { + tsigbuf[0] = '\0'; + } + + dns_name_format(zonename, namebuf, sizeof(namebuf)); + result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone); + if (result == ISC_R_SUCCESS) { + dns_zonetype_t zonetype = dns_zone_gettype(zone); + + if ((zonetype == dns_zone_primary) || + (zonetype == dns_zone_secondary) || + (zonetype == dns_zone_mirror) || + (zonetype == dns_zone_stub)) + { + isc_sockaddr_t *from = ns_client_getsockaddr(client); + isc_sockaddr_t *to = ns_client_getdestaddr(client); + notify_log(client, ISC_LOG_INFO, + "received notify for zone '%s'%s", namebuf, + tsigbuf); + result = dns_zone_notifyreceive(zone, from, to, + request); + goto done; + } + } + + notify_log(client, ISC_LOG_NOTICE, + "received notify for zone '%s'%s: not authoritative", + namebuf, tsigbuf); + result = DNS_R_NOTAUTH; + +done: + if (zone != NULL) { + dns_zone_detach(&zone); + } + respond(client, result); +} diff --git a/lib/ns/query.c b/lib/ns/query.c new file mode 100644 index 0000000..00ef955 --- /dev/null +++ b/lib/ns/query.c @@ -0,0 +1,12446 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if 0 +/* + * It has been recommended that DNS64 be changed to return excluded + * AAAA addresses if DNS64 synthesis does not occur. This minimises + * the impact on the lookup results. While most DNS AAAA lookups are + * done to send IP packets to a host, not all of them are and filtering + * excluded addresses has a negative impact on those uses. + */ +#define dns64_bis_return_excluded_addresses 1 +#endif /* if 0 */ + +/*% + * Maximum number of chained queries before we give up + * to prevent CNAME loops. + */ +#define MAX_RESTARTS 16 + +#define QUERY_ERROR(qctx, r) \ + do { \ + (qctx)->result = r; \ + (qctx)->want_restart = false; \ + (qctx)->line = __LINE__; \ + } while (0) + +/*% Partial answer? */ +#define PARTIALANSWER(c) \ + (((c)->query.attributes & NS_QUERYATTR_PARTIALANSWER) != 0) +/*% Use Cache? */ +#define USECACHE(c) (((c)->query.attributes & NS_QUERYATTR_CACHEOK) != 0) +/*% Recursion OK? */ +#define RECURSIONOK(c) (((c)->query.attributes & NS_QUERYATTR_RECURSIONOK) != 0) +/*% Recursing? */ +#define RECURSING(c) (((c)->query.attributes & NS_QUERYATTR_RECURSING) != 0) +/*% Want Recursion? */ +#define WANTRECURSION(c) \ + (((c)->query.attributes & NS_QUERYATTR_WANTRECURSION) != 0) +/*% Is TCP? */ +#define TCP(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) + +/*% Want DNSSEC? */ +#define WANTDNSSEC(c) (((c)->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) +/*% Want WANTAD? */ +#define WANTAD(c) (((c)->attributes & NS_CLIENTATTR_WANTAD) != 0) +/*% Client presented a valid COOKIE. */ +#define HAVECOOKIE(c) (((c)->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0) +/*% Client presented a COOKIE. */ +#define WANTCOOKIE(c) (((c)->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) +/*% Client presented a CLIENT-SUBNET option. */ +#define HAVEECS(c) (((c)->attributes & NS_CLIENTATTR_HAVEECS) != 0) +/*% No authority? */ +#define NOAUTHORITY(c) (((c)->query.attributes & NS_QUERYATTR_NOAUTHORITY) != 0) +/*% No additional? */ +#define NOADDITIONAL(c) \ + (((c)->query.attributes & NS_QUERYATTR_NOADDITIONAL) != 0) +/*% Secure? */ +#define SECURE(c) (((c)->query.attributes & NS_QUERYATTR_SECURE) != 0) +/*% DNS64 A lookup? */ +#define DNS64(c) (((c)->query.attributes & NS_QUERYATTR_DNS64) != 0) + +#define DNS64EXCLUDE(c) \ + (((c)->query.attributes & NS_QUERYATTR_DNS64EXCLUDE) != 0) + +#define REDIRECT(c) (((c)->query.attributes & NS_QUERYATTR_REDIRECT) != 0) + +/*% Was the client already sent a response? */ +#define QUERY_ANSWERED(q) (((q)->attributes & NS_QUERYATTR_ANSWERED) != 0) + +/*% Have we already processed an answer via stale-answer-client-timeout? */ +#define QUERY_STALEPENDING(q) \ + (((q)->attributes & NS_QUERYATTR_STALEPENDING) != 0) + +/*% Does the query allow stale data in the response? */ +#define QUERY_STALEOK(q) (((q)->attributes & NS_QUERYATTR_STALEOK) != 0) + +/*% Does the query wants to check for stale RRset due to a timeout? */ +#define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0) + +/*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */ +#define NOQNAME(r) (((r)->attributes & DNS_RDATASETATTR_NOQNAME) != 0) + +/*% Does the rdataset 'r' contain a stale answer? */ +#define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0) + +/*% Does the rdataset 'r' is stale and within stale-refresh-time? */ +#define STALE_WINDOW(r) (((r)->attributes & DNS_RDATASETATTR_STALE_WINDOW) != 0) + +#ifdef WANT_QUERYTRACE +static void +client_trace(ns_client_t *client, int level, const char *message) { + if (client != NULL && client->query.qname != NULL) { + if (isc_log_wouldlog(ns_lctx, level)) { + char qbuf[DNS_NAME_FORMATSIZE]; + char tbuf[DNS_RDATATYPE_FORMATSIZE]; + dns_name_format(client->query.qname, qbuf, + sizeof(qbuf)); + dns_rdatatype_format(client->query.qtype, tbuf, + sizeof(tbuf)); + isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, level, + "query client=%p thread=0x%" PRIxPTR + "(%s/%s): %s", + client, isc_thread_self(), qbuf, tbuf, + message); + } + } else { + isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, level, + "query client=%p thread=0x%" PRIxPTR + "(): %s", + client, isc_thread_self(), message); + } +} +#define CTRACE(l, m) client_trace(client, l, m) +#define CCTRACE(l, m) client_trace(qctx->client, l, m) +#else /* ifdef WANT_QUERYTRACE */ +#define CTRACE(l, m) ((void)m) +#define CCTRACE(l, m) ((void)m) +#endif /* WANT_QUERYTRACE */ + +#define DNS_GETDB_NOEXACT 0x01U +#define DNS_GETDB_NOLOG 0x02U +#define DNS_GETDB_PARTIAL 0x04U +#define DNS_GETDB_IGNOREACL 0x08U +#define DNS_GETDB_STALEFIRST 0X0CU + +#define PENDINGOK(x) (((x)&DNS_DBFIND_PENDINGOK) != 0) + +#define SFCACHE_CDFLAG 0x1 + +/* + * SAVE and RESTORE have the same semantics as: + * + * foo_attach(b, &a); + * foo_detach(&b); + * + * without the locking and magic testing. + * + * We use the names SAVE and RESTORE to show the operation being performed, + * even though the two macros are identical. + */ +#define SAVE(a, b) \ + do { \ + INSIST(a == NULL); \ + a = b; \ + b = NULL; \ + } while (0) +#define RESTORE(a, b) SAVE(a, b) + +static bool +validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); + +static void +query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, + dns_dbversion_t *version, ns_client_t *client, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + dns_name_t *fname, bool exact, dns_name_t *found); + +static void +log_queryerror(ns_client_t *client, isc_result_t result, int line, int level); + +static void +rpz_st_clear(ns_client_t *client); + +static bool +rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); + +static void +log_noexistnodata(void *val, int level, const char *fmt, ...) + ISC_FORMAT_PRINTF(3, 4); + +static isc_result_t +query_addanswer(query_ctx_t *qctx); + +static isc_result_t +query_prepare_delegation_response(query_ctx_t *qctx); + +/* + * Return the hooktable in use with 'qctx', or if there isn't one + * set, return the default hooktable. + */ +static ns_hooktable_t * +get_hooktab(query_ctx_t *qctx) { + if (qctx == NULL || qctx->view == NULL || qctx->view->hooktable == NULL) + { + return (ns__hook_table); + } + + return (qctx->view->hooktable); +} + +/* + * Call the specified hook function in every configured module that implements + * that function. If any hook function returns NS_HOOK_RETURN, we + * set 'result' and terminate processing by jumping to the 'cleanup' tag. + * + * (Note that a hook function may set the 'result' to ISC_R_SUCCESS but + * still terminate processing within the calling function. That's why this + * is a macro instead of a static function; it needs to be able to use + * 'goto cleanup' regardless of the return value.) + */ +#define CALL_HOOK(_id, _qctx) \ + do { \ + isc_result_t _res = result; \ + ns_hooktable_t *_tab = get_hooktab(_qctx); \ + ns_hook_t *_hook; \ + _hook = ISC_LIST_HEAD((*_tab)[_id]); \ + while (_hook != NULL) { \ + ns_hook_action_t _func = _hook->action; \ + void *_data = _hook->action_data; \ + INSIST(_func != NULL); \ + switch (_func(_qctx, _data, &_res)) { \ + case NS_HOOK_CONTINUE: \ + _hook = ISC_LIST_NEXT(_hook, link); \ + break; \ + case NS_HOOK_RETURN: \ + result = _res; \ + goto cleanup; \ + default: \ + UNREACHABLE(); \ + } \ + } \ + } while (false) + +/* + * Call the specified hook function in every configured module that + * implements that function. All modules are called; hook function return + * codes are ignored. This is intended for use with initialization and + * destruction calls which *must* run in every configured module. + * + * (This could be implemented as a static void function, but is left as a + * macro for symmetry with CALL_HOOK above.) + */ +#define CALL_HOOK_NORETURN(_id, _qctx) \ + do { \ + isc_result_t _res; \ + ns_hooktable_t *_tab = get_hooktab(_qctx); \ + ns_hook_t *_hook; \ + _hook = ISC_LIST_HEAD((*_tab)[_id]); \ + while (_hook != NULL) { \ + ns_hook_action_t _func = _hook->action; \ + void *_data = _hook->action_data; \ + INSIST(_func != NULL); \ + _func(_qctx, _data, &_res); \ + _hook = ISC_LIST_NEXT(_hook, link); \ + } \ + } while (false) + +/* + * The functions defined below implement the query logic that previously lived + * in the single very complex function query_find(). The query_ctx_t structure + * defined in maintains state from function to function. The call + * flow for the general query processing algorithm is described below: + * + * 1. Set up query context and other resources for a client + * query (query_setup()) + * + * 2. Start the search (ns__query_start()) + * + * 3. Identify authoritative data sources which may have an answer; + * search them (query_lookup()). If an answer is found, go to 7. + * + * 4. If recursion or cache access are allowed, search the cache + * (query_lookup() again, using the cache database) to find a better + * answer. If an answer is found, go to 7. + * + * 5. If recursion is allowed, begin recursion (ns_query_recurse()). + * Go to 15 to clean up this phase of the query. When recursion + * is complete, processing will resume at 6. + * + * 6. Resume from recursion; set up query context for resumed processing. + * + * 7. Determine what sort of answer we've found (query_gotanswer()) + * and call other functions accordingly: + * - not found (auth or cache), go to 8 + * - delegation, go to 9 + * - no such domain (auth), go to 10 + * - empty answer (auth), go to 11 + * - negative response (cache), go to 12 + * - answer found, go to 13 + * + * 8. The answer was not found in the database (query_notfound(). + * Set up a referral and go to 9. + * + * 9. Handle a delegation response (query_delegation()). If we need + * to and are allowed to recurse (query_delegation_recurse()), go to 5, + * otherwise go to 15 to clean up and return the delegation to the client. + * + * 10. No such domain (query_nxdomain()). Attempt redirection; if + * unsuccessful, add authority section records (query_addsoa(), + * query_addauth()), then go to 15 to return NXDOMAIN to client. + * + * 11. Empty answer (query_nodata()). Add authority section records + * (query_addsoa(), query_addauth()) and signatures if authoritative + * (query_sign_nodata()) then go to 15 and return + * NOERROR/ANCOUNT=0 to client. + * + * 12. No such domain or empty answer returned from cache (query_ncache()). + * Set response code appropriately, go to 11. + * + * 13. Prepare a response (query_prepresponse()) and then fill it + * appropriately (query_respond(), or for type ANY, + * query_respond_any()). + * + * 14. If a restart is needed due to CNAME/DNAME chaining, go to 2. + * + * 15. Clean up resources. If recursing, stop and wait for the event + * handler to be called back (step 6). If an answer is ready, + * return it to the client. + * + * (XXX: This description omits several special cases including + * DNS64, RPZ, RRL, and the SERVFAIL cache. It also doesn't discuss + * plugins.) + */ + +static void +query_trace(query_ctx_t *qctx); + +static void +qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype, + query_ctx_t *qctx); + +static isc_result_t +query_setup(ns_client_t *client, dns_rdatatype_t qtype); + +static isc_result_t +query_lookup(query_ctx_t *qctx); + +static void +fetch_callback(isc_task_t *task, isc_event_t *event); + +static void +recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, + const dns_name_t *qname, const dns_name_t *qdomain); + +static isc_result_t +query_resume(query_ctx_t *qctx); + +static isc_result_t +query_checkrrl(query_ctx_t *qctx, isc_result_t result); + +static isc_result_t +query_checkrpz(query_ctx_t *qctx, isc_result_t result); + +static isc_result_t +query_rpzcname(query_ctx_t *qctx, dns_name_t *cname); + +static isc_result_t +query_gotanswer(query_ctx_t *qctx, isc_result_t result); + +static void +query_addnoqnameproof(query_ctx_t *qctx); + +static isc_result_t +query_respond_any(query_ctx_t *qctx); + +static isc_result_t +query_respond(query_ctx_t *qctx); + +static isc_result_t +query_dns64(query_ctx_t *qctx); + +static void +query_filter64(query_ctx_t *qctx); + +static isc_result_t +query_notfound(query_ctx_t *qctx); + +static isc_result_t +query_zone_delegation(query_ctx_t *qctx); + +static isc_result_t +query_delegation(query_ctx_t *qctx); + +static isc_result_t +query_delegation_recurse(query_ctx_t *qctx); + +static void +query_addds(query_ctx_t *qctx); + +static isc_result_t +query_nodata(query_ctx_t *qctx, isc_result_t result); + +static isc_result_t +query_sign_nodata(query_ctx_t *qctx); + +static void +query_addnxrrsetnsec(query_ctx_t *qctx); + +static isc_result_t +query_nxdomain(query_ctx_t *qctx, isc_result_t res); + +static isc_result_t +query_redirect(query_ctx_t *qctx); + +static isc_result_t +query_ncache(query_ctx_t *qctx, isc_result_t result); + +static isc_result_t +query_coveringnsec(query_ctx_t *qctx); + +static isc_result_t +query_zerottl_refetch(query_ctx_t *qctx); + +static isc_result_t +query_cname(query_ctx_t *qctx); + +static isc_result_t +query_dname(query_ctx_t *qctx); + +static isc_result_t +query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl); + +static isc_result_t +query_prepresponse(query_ctx_t *qctx); + +static isc_result_t +query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, + dns_section_t section); + +static isc_result_t +query_addns(query_ctx_t *qctx); + +static void +query_addbestns(query_ctx_t *qctx); + +static void +query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata); + +static void +query_addauth(query_ctx_t *qctx); + +static void +query_clear_stale(ns_client_t *client); + +/* + * Increment query statistics counters. + */ +static void +inc_stats(ns_client_t *client, isc_statscounter_t counter) { + dns_zone_t *zone = client->query.authzone; + dns_rdatatype_t qtype; + dns_rdataset_t *rdataset; + isc_stats_t *zonestats; + dns_stats_t *querystats = NULL; + + ns_stats_increment(client->sctx->nsstats, counter); + + if (zone == NULL) { + return; + } + + /* Do regular response type stats */ + zonestats = dns_zone_getrequeststats(zone); + + if (zonestats != NULL) { + isc_stats_increment(zonestats, counter); + } + + /* Do query type statistics + * + * We only increment per-type if we're using the authoritative + * answer counter, preventing double-counting. + */ + if (counter == ns_statscounter_authans) { + querystats = dns_zone_getrcvquerystats(zone); + if (querystats != NULL) { + rdataset = ISC_LIST_HEAD(client->query.qname->list); + if (rdataset != NULL) { + qtype = rdataset->type; + dns_rdatatypestats_increment(querystats, qtype); + } + } + } +} + +static void +query_send(ns_client_t *client) { + isc_statscounter_t counter; + + if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0) { + inc_stats(client, ns_statscounter_nonauthans); + } else { + inc_stats(client, ns_statscounter_authans); + } + + if (client->message->rcode == dns_rcode_noerror) { + dns_section_t answer = DNS_SECTION_ANSWER; + if (ISC_LIST_EMPTY(client->message->sections[answer])) { + if (client->query.isreferral) { + counter = ns_statscounter_referral; + } else { + counter = ns_statscounter_nxrrset; + } + } else { + counter = ns_statscounter_success; + } + } else if (client->message->rcode == dns_rcode_nxdomain) { + counter = ns_statscounter_nxdomain; + } else if (client->message->rcode == dns_rcode_badcookie) { + counter = ns_statscounter_badcookie; + } else { /* We end up here in case of YXDOMAIN, and maybe others */ + counter = ns_statscounter_failure; + } + + inc_stats(client, counter); + ns_client_send(client); + + if (!client->nodetach) { + isc_nmhandle_detach(&client->reqhandle); + } +} + +static void +query_error(ns_client_t *client, isc_result_t result, int line) { + int loglevel = ISC_LOG_DEBUG(3); + + switch (dns_result_torcode(result)) { + case dns_rcode_servfail: + loglevel = ISC_LOG_DEBUG(1); + inc_stats(client, ns_statscounter_servfail); + break; + case dns_rcode_formerr: + inc_stats(client, ns_statscounter_formerr); + break; + default: + inc_stats(client, ns_statscounter_failure); + break; + } + + if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { + loglevel = ISC_LOG_INFO; + } + + log_queryerror(client, result, line, loglevel); + + ns_client_error(client, result); + + if (!client->nodetach) { + isc_nmhandle_detach(&client->reqhandle); + } +} + +static void +query_next(ns_client_t *client, isc_result_t result) { + if (result == DNS_R_DUPLICATE) { + inc_stats(client, ns_statscounter_duplicate); + } else if (result == DNS_R_DROP) { + inc_stats(client, ns_statscounter_dropped); + } else { + inc_stats(client, ns_statscounter_failure); + } + ns_client_drop(client, result); + + if (!client->nodetach) { + isc_nmhandle_detach(&client->reqhandle); + } +} + +static void +query_freefreeversions(ns_client_t *client, bool everything) { + ns_dbversion_t *dbversion, *dbversion_next; + unsigned int i; + + for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0; + dbversion != NULL; dbversion = dbversion_next, i++) + { + dbversion_next = ISC_LIST_NEXT(dbversion, link); + /* + * If we're not freeing everything, we keep the first three + * dbversions structures around. + */ + if (i > 3 || everything) { + ISC_LIST_UNLINK(client->query.freeversions, dbversion, + link); + isc_mem_put(client->mctx, dbversion, + sizeof(*dbversion)); + } + } +} + +void +ns_query_cancel(ns_client_t *client) { + REQUIRE(NS_CLIENT_VALID(client)); + + LOCK(&client->query.fetchlock); + if (client->query.fetch != NULL) { + dns_resolver_cancelfetch(client->query.fetch); + + client->query.fetch = NULL; + } + if (client->query.hookactx != NULL) { + client->query.hookactx->cancel(client->query.hookactx); + client->query.hookactx = NULL; + } + UNLOCK(&client->query.fetchlock); +} + +static void +query_reset(ns_client_t *client, bool everything) { + isc_buffer_t *dbuf, *dbuf_next; + ns_dbversion_t *dbversion, *dbversion_next; + + CTRACE(ISC_LOG_DEBUG(3), "query_reset"); + + /*% + * Reset the query state of a client to its default state. + */ + + /* + * Cancel the fetch if it's running. + */ + ns_query_cancel(client); + + /* + * Cleanup any active versions. + */ + for (dbversion = ISC_LIST_HEAD(client->query.activeversions); + dbversion != NULL; dbversion = dbversion_next) + { + dbversion_next = ISC_LIST_NEXT(dbversion, link); + dns_db_closeversion(dbversion->db, &dbversion->version, false); + dns_db_detach(&dbversion->db); + ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion, + link); + } + ISC_LIST_INIT(client->query.activeversions); + + if (client->query.authdb != NULL) { + dns_db_detach(&client->query.authdb); + } + if (client->query.authzone != NULL) { + dns_zone_detach(&client->query.authzone); + } + + if (client->query.dns64_aaaa != NULL) { + ns_client_putrdataset(client, &client->query.dns64_aaaa); + } + if (client->query.dns64_sigaaaa != NULL) { + ns_client_putrdataset(client, &client->query.dns64_sigaaaa); + } + if (client->query.dns64_aaaaok != NULL) { + isc_mem_put(client->mctx, client->query.dns64_aaaaok, + client->query.dns64_aaaaoklen * sizeof(bool)); + client->query.dns64_aaaaok = NULL; + client->query.dns64_aaaaoklen = 0; + } + + ns_client_putrdataset(client, &client->query.redirect.rdataset); + ns_client_putrdataset(client, &client->query.redirect.sigrdataset); + if (client->query.redirect.db != NULL) { + if (client->query.redirect.node != NULL) { + dns_db_detachnode(client->query.redirect.db, + &client->query.redirect.node); + } + dns_db_detach(&client->query.redirect.db); + } + if (client->query.redirect.zone != NULL) { + dns_zone_detach(&client->query.redirect.zone); + } + + query_freefreeversions(client, everything); + + for (dbuf = ISC_LIST_HEAD(client->query.namebufs); dbuf != NULL; + dbuf = dbuf_next) + { + dbuf_next = ISC_LIST_NEXT(dbuf, link); + if (dbuf_next != NULL || everything) { + ISC_LIST_UNLINK(client->query.namebufs, dbuf, link); + isc_buffer_free(&dbuf); + } + } + + if (client->query.restarts > 0) { + /* + * client->query.qname was dynamically allocated. + */ + dns_message_puttempname(client->message, &client->query.qname); + } + client->query.qname = NULL; + client->query.attributes = (NS_QUERYATTR_RECURSIONOK | + NS_QUERYATTR_CACHEOK | NS_QUERYATTR_SECURE); + client->query.restarts = 0; + client->query.timerset = false; + if (client->query.rpz_st != NULL) { + rpz_st_clear(client); + if (everything) { + INSIST(client->query.rpz_st->rpsdb == NULL); + isc_mem_put(client->mctx, client->query.rpz_st, + sizeof(*client->query.rpz_st)); + client->query.rpz_st = NULL; + } + } + client->query.origqname = NULL; + client->query.dboptions = 0; + client->query.fetchoptions = 0; + client->query.gluedb = NULL; + client->query.authdbset = false; + client->query.isreferral = false; + client->query.dns64_options = 0; + client->query.dns64_ttl = UINT32_MAX; + recparam_update(&client->query.recparam, 0, NULL, NULL); + client->query.root_key_sentinel_keyid = 0; + client->query.root_key_sentinel_is_ta = false; + client->query.root_key_sentinel_not_ta = false; +} + +static void +query_cleanup(ns_client_t *client) { + query_reset(client, false); +} + +void +ns_query_free(ns_client_t *client) { + REQUIRE(NS_CLIENT_VALID(client)); + + query_reset(client, true); +} + +isc_result_t +ns_query_init(ns_client_t *client) { + isc_result_t result = ISC_R_SUCCESS; + + REQUIRE(NS_CLIENT_VALID(client)); + + ISC_LIST_INIT(client->query.namebufs); + ISC_LIST_INIT(client->query.activeversions); + ISC_LIST_INIT(client->query.freeversions); + client->query.restarts = 0; + client->query.timerset = false; + client->query.rpz_st = NULL; + client->query.qname = NULL; + /* + * This mutex is destroyed when the client is destroyed in + * exit_check(). + */ + isc_mutex_init(&client->query.fetchlock); + + client->query.fetch = NULL; + client->query.prefetch = NULL; + client->query.authdb = NULL; + client->query.authzone = NULL; + client->query.authdbset = false; + client->query.isreferral = false; + client->query.dns64_aaaa = NULL; + client->query.dns64_sigaaaa = NULL; + client->query.dns64_aaaaok = NULL; + client->query.dns64_aaaaoklen = 0; + client->query.redirect.db = NULL; + client->query.redirect.node = NULL; + client->query.redirect.zone = NULL; + client->query.redirect.qtype = dns_rdatatype_none; + client->query.redirect.result = ISC_R_SUCCESS; + client->query.redirect.rdataset = NULL; + client->query.redirect.sigrdataset = NULL; + client->query.redirect.authoritative = false; + client->query.redirect.is_zone = false; + client->query.redirect.fname = + dns_fixedname_initname(&client->query.redirect.fixed); + query_reset(client, false); + ns_client_newdbversion(client, 3); + ns_client_newnamebuf(client); + + return (result); +} + +/*% + * Check if 'client' is allowed to query the cache of its associated view. + * Unless 'options' has DNS_GETDB_NOLOG set, log the result of cache ACL + * evaluation using the appropriate level, along with 'name' and 'qtype'. + * + * The cache ACL is only evaluated once for each client and then the result is + * cached: if NS_QUERYATTR_CACHEACLOKVALID is set in client->query.attributes, + * cache ACL evaluation has already been performed. The evaluation result is + * also stored in client->query.attributes: if NS_QUERYATTR_CACHEACLOK is set, + * the client is allowed cache access. + * + * Returns: + * + *\li #ISC_R_SUCCESS 'client' is allowed to access cache + *\li #DNS_R_REFUSED 'client' is not allowed to access cache + */ +static isc_result_t +query_checkcacheaccess(ns_client_t *client, const dns_name_t *name, + dns_rdatatype_t qtype, unsigned int options) { + isc_result_t result; + + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) == 0) { + enum refusal_reasons { + ALLOW_QUERY_CACHE, + ALLOW_QUERY_CACHE_ON + }; + static const char *acl_desc[] = { + "allow-query-cache did not match", + "allow-query-cache-on did not match", + }; + + /* + * The view's cache ACLs have not yet been evaluated. + * Do it now. Both allow-query-cache and + * allow-query-cache-on must be satisfied. + */ + bool log = ((options & DNS_GETDB_NOLOG) == 0); + char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; + + enum refusal_reasons refusal_reason = ALLOW_QUERY_CACHE; + result = ns_client_checkaclsilent(client, NULL, + client->view->cacheacl, true); + if (result == ISC_R_SUCCESS) { + refusal_reason = ALLOW_QUERY_CACHE_ON; + result = ns_client_checkaclsilent( + client, &client->destaddr, + client->view->cacheonacl, true); + } + if (result == ISC_R_SUCCESS) { + /* + * We were allowed by the "allow-query-cache" ACL. + */ + client->query.attributes |= NS_QUERYATTR_CACHEACLOK; + if (log && isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) + { + ns_client_aclmsg("query (cache)", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_DEBUG(3), "%s approved", + msg); + } + } else { + /* + * We were denied by the "allow-query-cache" ACL. + * There is no need to clear NS_QUERYATTR_CACHEACLOK + * since it is cleared by query_reset(), before query + * processing starts. + */ + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); + + if (log) { + ns_client_aclmsg("query (cache)", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s denied (%s)", msg, + acl_desc[refusal_reason]); + } + } + + /* + * Evaluation has been finished; make sure we will just consult + * NS_QUERYATTR_CACHEACLOK for this client from now on. + */ + client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; + } + + return ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) != 0 + ? ISC_R_SUCCESS + : DNS_R_REFUSED); +} + +static isc_result_t +query_validatezonedb(ns_client_t *client, const dns_name_t *name, + dns_rdatatype_t qtype, unsigned int options, + dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t **versionp) { + isc_result_t result; + dns_acl_t *queryacl, *queryonacl; + ns_dbversion_t *dbversion; + + REQUIRE(zone != NULL); + REQUIRE(db != NULL); + + /* + * Mirror zone data is treated as cache data. + */ + if (dns_zone_gettype(zone) == dns_zone_mirror) { + return (query_checkcacheaccess(client, name, qtype, options)); + } + + /* + * This limits our searching to the zone where the first name + * (the query target) was looked for. This prevents following + * CNAMES or DNAMES into other zones and prevents returning + * additional data from other zones. This does not apply if we're + * answering a query where recursion is requested and allowed. + */ + if (client->query.rpz_st == NULL && + !(WANTRECURSION(client) && RECURSIONOK(client)) && + client->query.authdbset && db != client->query.authdb) + { + return (DNS_R_REFUSED); + } + + /* + * Non recursive query to a static-stub zone is prohibited; its + * zone content is not public data, but a part of local configuration + * and should not be disclosed. + */ + if (dns_zone_gettype(zone) == dns_zone_staticstub && + !RECURSIONOK(client)) + { + return (DNS_R_REFUSED); + } + + /* + * If the zone has an ACL, we'll check it, otherwise + * we use the view's "allow-query" ACL. Each ACL is only checked + * once per query. + * + * Also, get the database version to use. + */ + + /* + * Get the current version of this database. + */ + dbversion = ns_client_findversion(client, db); + if (dbversion == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to get db version"); + return (DNS_R_SERVFAIL); + } + + if ((options & DNS_GETDB_IGNOREACL) != 0) { + goto approved; + } + if (dbversion->acl_checked) { + if (!dbversion->queryok) { + return (DNS_R_REFUSED); + } + goto approved; + } + + queryacl = dns_zone_getqueryacl(zone); + if (queryacl == NULL) { + queryacl = client->view->queryacl; + if ((client->query.attributes & NS_QUERYATTR_QUERYOKVALID) != 0) + { + /* + * We've evaluated the view's queryacl already. If + * NS_QUERYATTR_QUERYOK is set, then the client is + * allowed to make queries, otherwise the query should + * be refused. + */ + dbversion->acl_checked = true; + if ((client->query.attributes & NS_QUERYATTR_QUERYOK) == + 0) + { + dbversion->queryok = false; + return (DNS_R_REFUSED); + } + dbversion->queryok = true; + goto approved; + } + } + + result = ns_client_checkaclsilent(client, NULL, queryacl, true); + if ((options & DNS_GETDB_NOLOG) == 0) { + char msg[NS_CLIENT_ACLMSGSIZE("query")]; + if (result == ISC_R_SUCCESS) { + if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) { + ns_client_aclmsg("query", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_DEBUG(3), "%s approved", + msg); + } + } else { + ns_client_aclmsg("query", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s denied", msg); + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); + } + } + + if (queryacl == client->view->queryacl) { + if (result == ISC_R_SUCCESS) { + /* + * We were allowed by the default + * "allow-query" ACL. Remember this so we + * don't have to check again. + */ + client->query.attributes |= NS_QUERYATTR_QUERYOK; + } + /* + * We've now evaluated the view's query ACL, and + * the NS_QUERYATTR_QUERYOK attribute is now valid. + */ + client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; + } + + /* If and only if we've gotten this far, check allow-query-on too */ + if (result == ISC_R_SUCCESS) { + queryonacl = dns_zone_getqueryonacl(zone); + if (queryonacl == NULL) { + queryonacl = client->view->queryonacl; + } + + result = ns_client_checkaclsilent(client, &client->destaddr, + queryonacl, true); + if (result != ISC_R_SUCCESS) { + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); + } + if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS) + { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "query-on denied"); + } + } + + dbversion->acl_checked = true; + if (result != ISC_R_SUCCESS) { + dbversion->queryok = false; + return (DNS_R_REFUSED); + } + dbversion->queryok = true; + +approved: + /* Transfer ownership, if necessary. */ + if (versionp != NULL) { + *versionp = dbversion->version; + } + return (ISC_R_SUCCESS); +} + +static isc_result_t +query_getzonedb(ns_client_t *client, const dns_name_t *name, + dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep, + dns_db_t **dbp, dns_dbversion_t **versionp) { + isc_result_t result; + unsigned int ztoptions; + dns_zone_t *zone = NULL; + dns_db_t *db = NULL; + bool partial = false; + + REQUIRE(zonep != NULL && *zonep == NULL); + REQUIRE(dbp != NULL && *dbp == NULL); + + /*% + * Find a zone database to answer the query. + */ + ztoptions = DNS_ZTFIND_MIRROR; + if ((options & DNS_GETDB_NOEXACT) != 0) { + ztoptions |= DNS_ZTFIND_NOEXACT; + } + + result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, + &zone); + + if (result == DNS_R_PARTIALMATCH) { + partial = true; + } + if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { + result = dns_zone_getdb(zone, &db); + } + + if (result != ISC_R_SUCCESS) { + goto fail; + } + + result = query_validatezonedb(client, name, qtype, options, zone, db, + versionp); + + if (result != ISC_R_SUCCESS) { + goto fail; + } + + /* Transfer ownership. */ + *zonep = zone; + *dbp = db; + + if (partial && (options & DNS_GETDB_PARTIAL) != 0) { + return (DNS_R_PARTIALMATCH); + } + return (ISC_R_SUCCESS); + +fail: + if (zone != NULL) { + dns_zone_detach(&zone); + } + if (db != NULL) { + dns_db_detach(&db); + } + + return (result); +} + +static void +rpz_log_rewrite(ns_client_t *client, bool disabled, dns_rpz_policy_t policy, + dns_rpz_type_t type, dns_zone_t *p_zone, dns_name_t *p_name, + dns_name_t *cname, dns_rpz_num_t rpz_num) { + char cname_buf[DNS_NAME_FORMATSIZE] = { 0 }; + char p_name_buf[DNS_NAME_FORMATSIZE]; + char qname_buf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + const char *s1 = cname_buf, *s2 = cname_buf; + dns_rdataset_t *rdataset; + dns_rpz_st_t *st; + isc_stats_t *zonestats; + + /* + * Count enabled rewrites in the global counter. + * Count both enabled and disabled rewrites for each zone. + */ + if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_rpz_rewrites); + } + if (p_zone != NULL) { + zonestats = dns_zone_getrequeststats(p_zone); + if (zonestats != NULL) { + isc_stats_increment(zonestats, + ns_statscounter_rpz_rewrites); + } + } + + if (!isc_log_wouldlog(ns_lctx, DNS_RPZ_INFO_LEVEL)) { + return; + } + + st = client->query.rpz_st; + if ((st->popt.no_log & DNS_RPZ_ZBIT(rpz_num)) != 0) { + return; + } + + dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); + dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); + if (cname != NULL) { + s1 = " (CNAME to: "; + dns_name_format(cname, cname_buf, sizeof(cname_buf)); + s2 = ")"; + } + + /* + * Log Qclass and Qtype in addition to existing + * fields. + */ + rdataset = ISC_LIST_HEAD(client->query.origqname->list); + INSIST(rdataset != NULL); + dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); + dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); + + /* It's possible to have a separate log channel for rpz passthru. */ + isc_logcategory_t *log_cat = (policy == DNS_RPZ_POLICY_PASSTHRU) + ? DNS_LOGCATEGORY_RPZ_PASSTHRU + : DNS_LOGCATEGORY_RPZ; + + ns_client_log(client, log_cat, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, + "%srpz %s %s rewrite %s/%s/%s via %s%s%s%s", + disabled ? "disabled " : "", dns_rpz_type2str(type), + dns_rpz_policy2str(policy), qname_buf, typebuf, classbuf, + p_name_buf, s1, cname_buf, s2); +} + +static void +rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name, + dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2, + const char *str, isc_result_t result) { + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; + const char *failed, *via, *slash, *str_blank; + const char *rpztypestr1; + const char *rpztypestr2; + + if (!isc_log_wouldlog(ns_lctx, level)) { + return; + } + + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems. + */ + if (level <= DNS_RPZ_DEBUG_LEVEL1) { + failed = " failed: "; + } else { + failed = ": "; + } + + rpztypestr1 = dns_rpz_type2str(rpz_type1); + if (rpz_type2 != DNS_RPZ_TYPE_BAD) { + slash = "/"; + rpztypestr2 = dns_rpz_type2str(rpz_type2); + } else { + slash = ""; + rpztypestr2 = ""; + } + + str_blank = (*str != ' ' && *str != '\0') ? " " : ""; + + dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); + + if (p_name != NULL) { + via = " via "; + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); + } else { + via = ""; + p_namebuf[0] = '\0'; + } + + ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, + level, "rpz %s%s%s rewrite %s%s%s%s%s%s%s", rpztypestr1, + slash, rpztypestr2, qnamebuf, via, p_namebuf, str_blank, + str, failed, isc_result_totext(result)); +} + +static void +rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, + dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { + rpz_log_fail_helper(client, level, p_name, rpz_type, DNS_RPZ_TYPE_BAD, + str, result); +} + +/* + * Get a policy rewrite zone database. + */ +static isc_result_t +rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; + dns_dbversion_t *rpz_version = NULL; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_getdb"); + + result = query_getzonedb(client, p_name, dns_rdatatype_any, + DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version); + if (result == ISC_R_SUCCESS) { + dns_rpz_st_t *st = client->query.rpz_st; + + /* + * It isn't meaningful to log this message when + * logging is disabled for some policy zones. + */ + if (st->popt.no_log == 0 && + isc_log_wouldlog(ns_lctx, DNS_RPZ_DEBUG_LEVEL2)) + { + dns_name_format(client->query.qname, qnamebuf, + sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); + ns_client_log(client, DNS_LOGCATEGORY_RPZ, + NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, + "try rpz %s rewrite %s via %s", + dns_rpz_type2str(rpz_type), qnamebuf, + p_namebuf); + } + *versionp = rpz_version; + return (ISC_R_SUCCESS); + } + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, + "query_getzonedb()", result); + return (result); +} + +/*% + * Find a cache database to answer the query. This may fail with DNS_R_REFUSED + * if the client is not allowed to use the cache. + */ +static isc_result_t +query_getcachedb(ns_client_t *client, const dns_name_t *name, + dns_rdatatype_t qtype, dns_db_t **dbp, unsigned int options) { + isc_result_t result; + dns_db_t *db = NULL; + + REQUIRE(dbp != NULL && *dbp == NULL); + + if (!USECACHE(client)) { + return (DNS_R_REFUSED); + } + + dns_db_attach(client->view->cachedb, &db); + + result = query_checkcacheaccess(client, name, qtype, options); + if (result != ISC_R_SUCCESS) { + dns_db_detach(&db); + } + + /* + * If query_checkcacheaccess() succeeded, transfer ownership of 'db'. + * Otherwise, 'db' will be NULL due to the dns_db_detach() call above. + */ + *dbp = db; + + return (result); +} + +static isc_result_t +query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, + unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp, bool *is_zonep) { + isc_result_t result; + isc_result_t tresult; + unsigned int namelabels; + unsigned int zonelabels; + dns_zone_t *zone = NULL; + + REQUIRE(zonep != NULL && *zonep == NULL); + + /* Calculate how many labels are in name. */ + namelabels = dns_name_countlabels(name); + zonelabels = 0; + + /* Try to find name in bind's standard database. */ + result = query_getzonedb(client, name, qtype, options, &zone, dbp, + versionp); + + /* See how many labels are in the zone's name. */ + if (result == ISC_R_SUCCESS && zone != NULL) { + zonelabels = dns_name_countlabels(dns_zone_getorigin(zone)); + } + + /* + * If # zone labels < # name labels, try to find an even better match + * Only try if DLZ drivers are loaded for this view + */ + if (zonelabels < namelabels && + !ISC_LIST_EMPTY(client->view->dlz_searched)) + { + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_db_t *tdbp; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + dns_clientinfo_setecs(&ci, &client->ecs); + + tdbp = NULL; + tresult = dns_view_searchdlz(client->view, name, zonelabels, + &cm, &ci, &tdbp); + /* If we successful, we found a better match. */ + if (tresult == ISC_R_SUCCESS) { + ns_dbversion_t *dbversion; + + /* + * If the previous search returned a zone, detach it. + */ + if (zone != NULL) { + dns_zone_detach(&zone); + } + + /* + * If the previous search returned a database, + * detach it. + */ + if (*dbp != NULL) { + dns_db_detach(dbp); + } + + /* + * If the previous search returned a version, clear it. + */ + *versionp = NULL; + + dbversion = ns_client_findversion(client, tdbp); + if (dbversion == NULL) { + tresult = ISC_R_NOMEMORY; + } else { + /* + * Be sure to return our database. + */ + *dbp = tdbp; + *versionp = dbversion->version; + } + + /* + * We return a null zone, No stats for DLZ zones. + */ + zone = NULL; + result = tresult; + } + } + + /* If successful, Transfer ownership of zone. */ + if (result == ISC_R_SUCCESS) { + *zonep = zone; + /* + * If neither attempt above succeeded, return the cache instead + */ + *is_zonep = true; + } else { + if (result == ISC_R_NOTFOUND) { + result = query_getcachedb(client, name, qtype, dbp, + options); + } + *is_zonep = false; + } + return (result); +} + +static bool +query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, + dns_name_t **mnamep) { + dns_section_t section; + dns_name_t *mname = NULL; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate"); + + for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; + section++) + { + result = dns_message_findname(client->message, section, name, + type, 0, &mname, NULL); + if (result == ISC_R_SUCCESS) { + /* + * We've already got this RRset in the response. + */ + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: true: " + "done"); + return (true); + } else if (result == DNS_R_NXRRSET) { + /* + * The name exists, but the rdataset does not. + */ + if (section == DNS_SECTION_ADDITIONAL) { + break; + } + } else { + RUNTIME_CHECK(result == DNS_R_NXDOMAIN); + } + mname = NULL; + } + + if (mnamep != NULL) { + *mnamep = mname; + } + + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done"); + return (false); +} + +/* + * Look up data for given 'name' and 'type' in given 'version' of 'db' for + * 'client'. Called from query_additionalauth(). + * + * If the lookup is successful: + * + * - store the node containing the result at 'nodep', + * + * - store the owner name of the returned node in 'fname', + * + * - if 'type' is not ANY, dns_db_findext() will put the exact rdataset being + * looked for in 'rdataset' and its signatures (if any) in 'sigrdataset', + * + * - if 'type' is ANY, dns_db_findext() will leave 'rdataset' and + * 'sigrdataset' disassociated and the returned node will be iterated in + * query_additional_cb(). + * + * If the lookup is not successful: + * + * - 'nodep' will not be written to, + * - 'fname' may still be modified as it is passed to dns_db_findext(), + * - 'rdataset' and 'sigrdataset' will remain disassociated. + */ +static isc_result_t +query_additionalauthfind(dns_db_t *db, dns_dbversion_t *version, + const dns_name_t *name, dns_rdatatype_t type, + ns_client_t *client, dns_dbnode_t **nodep, + dns_name_t *fname, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + dns_clientinfomethods_t cm; + dns_dbnode_t *node = NULL; + dns_clientinfo_t ci; + isc_result_t result; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Since we are looking for authoritative data, we do not set + * the GLUEOK flag. Glue will be looked for later, but not + * necessarily in the same database. + */ + result = dns_db_findext(db, name, version, type, + client->query.dboptions, client->now, &node, + fname, &cm, &ci, rdataset, sigrdataset); + if (result != ISC_R_SUCCESS) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + + if (node != NULL) { + dns_db_detachnode(db, &node); + } + + return (result); + } + + /* + * Do not return signatures if the zone is not fully signed. + */ + if (sigrdataset != NULL && !dns_db_issecure(db) && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + + *nodep = node; + + return (ISC_R_SUCCESS); +} + +/* + * For query context 'qctx', try finding authoritative additional data for + * given 'name' and 'type'. Called from query_additional_cb(). + * + * If successful: + * + * - store pointers to the database and node which contain the result in + * 'dbp' and 'nodep', respectively, + * + * - store the owner name of the returned node in 'fname', + * + * - potentially bind 'rdataset' and 'sigrdataset', as explained in the + * comment for query_additionalauthfind(). + * + * If unsuccessful: + * + * - 'dbp' and 'nodep' will not be written to, + * - 'fname' may still be modified as it is passed to dns_db_findext(), + * - 'rdataset' and 'sigrdataset' will remain disassociated. + */ +static isc_result_t +query_additionalauth(query_ctx_t *qctx, const dns_name_t *name, + dns_rdatatype_t type, dns_db_t **dbp, dns_dbnode_t **nodep, + dns_name_t *fname, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + ns_client_t *client = qctx->client; + ns_dbversion_t *dbversion = NULL; + dns_dbversion_t *version = NULL; + dns_dbnode_t *node = NULL; + dns_zone_t *zone = NULL; + dns_db_t *db = NULL; + isc_result_t result; + + /* + * First, look within the same zone database for authoritative + * additional data. + */ + if (!client->query.authdbset || client->query.authdb == NULL) { + return (ISC_R_NOTFOUND); + } + + dbversion = ns_client_findversion(client, client->query.authdb); + if (dbversion == NULL) { + return (ISC_R_NOTFOUND); + } + + dns_db_attach(client->query.authdb, &db); + version = dbversion->version; + + CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: same zone"); + + result = query_additionalauthfind(db, version, name, type, client, + &node, fname, rdataset, sigrdataset); + if (result != ISC_R_SUCCESS && + qctx->view->minimalresponses == dns_minimal_no && + RECURSIONOK(client)) + { + /* + * If we aren't doing response minimization and recursion is + * allowed, we can try and see if any other zone matches. + */ + version = NULL; + dns_db_detach(&db); + result = query_getzonedb(client, name, type, DNS_GETDB_NOLOG, + &zone, &db, &version); + if (result != ISC_R_SUCCESS) { + return (result); + } + dns_zone_detach(&zone); + + CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: other zone"); + + result = query_additionalauthfind(db, version, name, type, + client, &node, fname, + rdataset, sigrdataset); + } + + if (result != ISC_R_SUCCESS) { + dns_db_detach(&db); + } else { + *nodep = node; + node = NULL; + + *dbp = db; + db = NULL; + } + + return (result); +} + +static isc_result_t +query_additional_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype, + dns_rdataset_t *found) { + query_ctx_t *qctx = arg; + ns_client_t *client = qctx->client; + isc_result_t result, eresult = ISC_R_SUCCESS; + dns_dbnode_t *node = NULL; + dns_db_t *db = NULL; + dns_name_t *fname = NULL, *mname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t *trdataset = NULL; + isc_buffer_t *dbuf = NULL; + isc_buffer_t b; + ns_dbversion_t *dbversion = NULL; + dns_dbversion_t *version = NULL; + bool added_something = false, need_addname = false; + dns_rdatatype_t type; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_rdatasetadditional_t additionaltype = + dns_rdatasetadditional_fromauth; + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(qtype != dns_rdatatype_any); + + if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) { + return (ISC_R_SUCCESS); + } + + CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb"); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * We treat type A additional section processing as if it + * were "any address type" additional section processing. + * To avoid multiple lookups, we do an 'any' database + * lookup and iterate over the node. + */ + if (qtype == dns_rdatatype_a) { + type = dns_rdatatype_any; + } else { + type = qtype; + } + + /* + * Get some resources. + */ + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + rdataset = ns_client_newrdataset(client); + if (fname == NULL || rdataset == NULL) { + goto cleanup; + } + if (WANTDNSSEC(client)) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + goto cleanup; + } + } + + /* + * If we want only minimal responses and are here, then it must + * be for glue. + */ + if (qctx->view->minimalresponses == dns_minimal_yes && + client->query.qtype != dns_rdatatype_ns) + { + goto try_glue; + } + + /* + * First, look for authoritative additional data. + */ + result = query_additionalauth(qctx, name, type, &db, &node, fname, + rdataset, sigrdataset); + if (result == ISC_R_SUCCESS) { + goto found; + } + + /* + * No authoritative data was found. The cache is our next best bet. + */ + if (!qctx->view->recursion) { + goto try_glue; + } + + additionaltype = dns_rdatasetadditional_fromcache; + result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); + if (result != ISC_R_SUCCESS) { + /* + * Most likely the client isn't allowed to query the cache. + */ + goto try_glue; + } + /* + * Attempt to validate glue. + */ + if (sigrdataset == NULL) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + goto cleanup; + } + } + + version = NULL; + result = dns_db_findext(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK | + DNS_DBFIND_ADDITIONALOK, + client->now, &node, fname, &cm, &ci, rdataset, + sigrdataset); + + dns_cache_updatestats(qctx->view->cache, result); + if (!WANTDNSSEC(client)) { + ns_client_putrdataset(client, &sigrdataset); + } + if (result == ISC_R_SUCCESS) { + goto found; + } + + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + +try_glue: + /* + * No cached data was found. Glue is our last chance. + * RFC1035 sayeth: + * + * NS records cause both the usual additional section + * processing to locate a type A record, and, when used + * in a referral, a special search of the zone in which + * they reside for glue information. + * + * This is the "special search". Note that we must search + * the zone where the NS record resides, not the zone it + * points to, and that we only do the search in the delegation + * case (identified by client->query.gluedb being set). + */ + + if (client->query.gluedb == NULL) { + goto cleanup; + } + + /* + * Don't poison caches using the bailiwick protection model. + */ + if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) { + goto cleanup; + } + + dbversion = ns_client_findversion(client, client->query.gluedb); + if (dbversion == NULL) { + goto cleanup; + } + + dns_db_attach(client->query.gluedb, &db); + version = dbversion->version; + additionaltype = dns_rdatasetadditional_fromglue; + result = dns_db_findext(db, name, version, type, + client->query.dboptions | DNS_DBFIND_GLUEOK, + client->now, &node, fname, &cm, &ci, rdataset, + sigrdataset); + if (result != ISC_R_SUCCESS && result != DNS_R_ZONECUT && + result != DNS_R_GLUE) + { + goto cleanup; + } + +found: + /* + * We have found a potential additional data rdataset, or + * at least a node to iterate over. + */ + ns_client_keepname(client, fname, dbuf); + + /* + * Does the caller want the found rdataset? + */ + if (found != NULL && dns_rdataset_isassociated(rdataset)) { + dns_rdataset_clone(rdataset, found); + } + + /* + * If we have an rdataset, add it to the additional data + * section. + */ + mname = NULL; + if (dns_rdataset_isassociated(rdataset) && + !query_isduplicate(client, fname, type, &mname)) + { + if (mname != NULL) { + INSIST(mname != fname); + ns_client_releasename(client, &fname); + fname = mname; + } else { + need_addname = true; + } + ISC_LIST_APPEND(fname->list, rdataset, link); + trdataset = rdataset; + rdataset = NULL; + added_something = true; + /* + * Note: we only add SIGs if we've added the type they cover, + * so we do not need to check if the SIG rdataset is already + * in the response. + */ + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + ISC_LIST_APPEND(fname->list, sigrdataset, link); + sigrdataset = NULL; + } + } + + if (qtype == dns_rdatatype_a) { + /* + * We now go looking for A and AAAA records, along with + * their signatures. + * + * XXXRTH This code could be more efficient. + */ + if (rdataset != NULL) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + } else { + rdataset = ns_client_newrdataset(client); + if (rdataset == NULL) { + goto addname; + } + } + if (sigrdataset != NULL) { + if (dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + } else if (WANTDNSSEC(client)) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + goto addname; + } + } + if (query_isduplicate(client, fname, dns_rdatatype_a, NULL)) { + goto aaaa_lookup; + } + result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, + 0, client->now, rdataset, + sigrdataset); + if (result == DNS_R_NCACHENXDOMAIN) { + goto addname; + } else if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + } else if (result == ISC_R_SUCCESS) { + bool invalid = false; + mname = NULL; + if (additionaltype == + dns_rdatasetadditional_fromcache && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust))) + { + /* validate() may change rdataset->trust */ + invalid = !validate(client, db, fname, rdataset, + sigrdataset); + } + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + } else if (!query_isduplicate(client, fname, + dns_rdatatype_a, &mname)) + { + if (mname != fname) { + if (mname != NULL) { + ns_client_releasename(client, + &fname); + fname = mname; + } else { + need_addname = true; + } + } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = true; + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + ISC_LIST_APPEND(fname->list, + sigrdataset, link); + sigrdataset = + ns_client_newrdataset(client); + } + rdataset = ns_client_newrdataset(client); + if (rdataset == NULL) { + goto addname; + } + if (WANTDNSSEC(client) && sigrdataset == NULL) { + goto addname; + } + } else { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + } + } + aaaa_lookup: + if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL)) + { + goto addname; + } + result = dns_db_findrdataset(db, node, version, + dns_rdatatype_aaaa, 0, client->now, + rdataset, sigrdataset); + if (result == DNS_R_NCACHENXDOMAIN) { + goto addname; + } else if (result == DNS_R_NCACHENXRRSET) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + } else if (result == ISC_R_SUCCESS) { + bool invalid = false; + mname = NULL; + + if (additionaltype == + dns_rdatasetadditional_fromcache && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust))) + { + /* validate() may change rdataset->trust */ + invalid = !validate(client, db, fname, rdataset, + sigrdataset); + } + + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { + dns_rdataset_disassociate(rdataset); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + dns_rdataset_disassociate(sigrdataset); + } + } else if (!query_isduplicate(client, fname, + dns_rdatatype_aaaa, + &mname)) + { + if (mname != fname) { + if (mname != NULL) { + ns_client_releasename(client, + &fname); + fname = mname; + } else { + need_addname = true; + } + } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = true; + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + ISC_LIST_APPEND(fname->list, + sigrdataset, link); + sigrdataset = NULL; + } + rdataset = NULL; + } + } + } + +addname: + CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: addname"); + /* + * If we haven't added anything, then we're done. + */ + if (!added_something) { + goto cleanup; + } + + /* + * We may have added our rdatasets to an existing name, if so, then + * need_addname will be false. Whether we used an existing name + * or a new one, we must set fname to NULL to prevent cleanup. + */ + if (need_addname) { + dns_message_addname(client->message, fname, + DNS_SECTION_ADDITIONAL); + } + + /* + * In some cases, a record that has been added as additional + * data may *also* trigger the addition of additional data. + * This cannot go more than MAX_RESTARTS levels deep. + */ + if (trdataset != NULL && dns_rdatatype_followadditional(type)) { + if (client->additionaldepth++ < MAX_RESTARTS) { + eresult = dns_rdataset_additionaldata( + trdataset, fname, query_additional_cb, qctx); + } + client->additionaldepth--; + } + + /* + * Don't release fname. + */ + fname = NULL; + +cleanup: + CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: cleanup"); + ns_client_putrdataset(client, &rdataset); + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + if (db != NULL) { + dns_db_detach(&db); + } + + CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: done"); + return (eresult); +} + +/* + * Add 'rdataset' to 'name'. + */ +static void +query_addtoname(dns_name_t *name, dns_rdataset_t *rdataset) { + ISC_LIST_APPEND(name->list, rdataset, link); +} + +/* + * Set the ordering for 'rdataset'. + */ +static void +query_setorder(query_ctx_t *qctx, dns_name_t *name, dns_rdataset_t *rdataset) { + ns_client_t *client = qctx->client; + dns_order_t *order = client->view->order; + + CTRACE(ISC_LOG_DEBUG(3), "query_setorder"); + + UNUSED(client); + + if (order != NULL) { + rdataset->attributes |= dns_order_find( + order, name, rdataset->type, rdataset->rdclass); + } + rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; +} + +/* + * Handle glue and fetch any other needed additional data for 'rdataset'. + */ +static void +query_additional(query_ctx_t *qctx, dns_name_t *name, + dns_rdataset_t *rdataset) { + ns_client_t *client = qctx->client; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "query_additional"); + + if (NOADDITIONAL(client)) { + return; + } + + /* + * Try to process glue directly. + */ + if (qctx->view->use_glue_cache && + (rdataset->type == dns_rdatatype_ns) && + (client->query.gluedb != NULL) && + dns_db_iszone(client->query.gluedb)) + { + ns_dbversion_t *dbversion; + + dbversion = ns_client_findversion(client, client->query.gluedb); + if (dbversion == NULL) { + goto regular; + } + + result = dns_rdataset_addglue(rdataset, dbversion->version, + client->message); + if (result == ISC_R_SUCCESS) { + return; + } + } + +regular: + /* + * Add other additional data if needed. + * We don't care if dns_rdataset_additionaldata() fails. + */ + (void)dns_rdataset_additionaldata(rdataset, name, query_additional_cb, + qctx); + CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); +} + +static void +query_addrrset(query_ctx_t *qctx, dns_name_t **namep, + dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp, + isc_buffer_t *dbuf, dns_section_t section) { + isc_result_t result; + ns_client_t *client = qctx->client; + dns_name_t *name = *namep, *mname = NULL; + dns_rdataset_t *rdataset = *rdatasetp, *mrdataset = NULL; + dns_rdataset_t *sigrdataset = NULL; + + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset"); + + REQUIRE(name != NULL); + + if (sigrdatasetp != NULL) { + sigrdataset = *sigrdatasetp; + } + + /*% + * To the current response for 'client', add the answer RRset + * '*rdatasetp' and an optional signature set '*sigrdatasetp', with + * owner name '*namep', to section 'section', unless they are + * already there. Also add any pertinent additional data. + * + * If 'dbuf' is not NULL, then '*namep' is the name whose data is + * stored in 'dbuf'. In this case, query_addrrset() guarantees that + * when it returns the name will either have been kept or released. + */ + result = dns_message_findname(client->message, section, name, + rdataset->type, rdataset->covers, &mname, + &mrdataset); + if (result == ISC_R_SUCCESS) { + /* + * We've already got an RRset of the given name and type. + */ + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: dns_message_findname " + "succeeded: done"); + if (dbuf != NULL) { + ns_client_releasename(client, namep); + } + if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) { + mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED; + } + if ((rdataset->attributes & DNS_RDATASETATTR_STALE_ADDED) != 0) + { + mrdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; + } + return; + } else if (result == DNS_R_NXDOMAIN) { + /* + * The name doesn't exist. + */ + if (dbuf != NULL) { + ns_client_keepname(client, name, dbuf); + } + dns_message_addname(client->message, name, section); + *namep = NULL; + mname = name; + } else { + RUNTIME_CHECK(result == DNS_R_NXRRSET); + if (dbuf != NULL) { + ns_client_releasename(client, namep); + } + } + + if (rdataset->trust != dns_trust_secure && + (section == DNS_SECTION_ANSWER || section == DNS_SECTION_AUTHORITY)) + { + client->query.attributes &= ~NS_QUERYATTR_SECURE; + } + + /* + * Update message name, set rdataset order, and do additional + * section processing if needed. + */ + query_addtoname(mname, rdataset); + query_setorder(qctx, mname, rdataset); + query_additional(qctx, mname, rdataset); + + /* + * Note: we only add SIGs if we've added the type they cover, so + * we do not need to check if the SIG rdataset is already in the + * response. + */ + *rdatasetp = NULL; + if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { + /* + * We have a signature. Add it to the response. + */ + ISC_LIST_APPEND(mname->list, sigrdataset, link); + *sigrdatasetp = NULL; + } + + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done"); +} + +/* + * Mark the RRsets as secure. Update the cache (db) to reflect the + * change in trust level. + */ +static void +mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + isc_result_t result; + dns_dbnode_t *node = NULL; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + isc_stdtime_t now; + + rdataset->trust = dns_trust_secure; + sigrdataset->trust = dns_trust_secure; + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Save the updated secure state. Ignore failures. + */ + result = dns_db_findnodeext(db, name, true, &cm, &ci, &node); + if (result != ISC_R_SUCCESS) { + return; + } + + isc_stdtime_get(&now); + dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now, + client->view->acceptexpired); + + (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, 0, + NULL); + (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, 0, + NULL); + dns_db_detachnode(db, &node); +} + +/* + * Find the secure key that corresponds to rrsig. + * Note: 'keyrdataset' maintains state between successive calls, + * there may be multiple keys with the same keyid. + * Return false if we have exhausted all the possible keys. + */ +static bool +get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, + dns_rdataset_t *keyrdataset, dst_key_t **keyp) { + isc_result_t result; + dns_dbnode_t *node = NULL; + bool secure = false; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + if (!dns_rdataset_isassociated(keyrdataset)) { + result = dns_db_findnodeext(db, &rrsig->signer, false, &cm, &ci, + &node); + if (result != ISC_R_SUCCESS) { + return (false); + } + + result = dns_db_findrdataset(db, node, NULL, + dns_rdatatype_dnskey, 0, + client->now, keyrdataset, NULL); + dns_db_detachnode(db, &node); + if (result != ISC_R_SUCCESS) { + return (false); + } + + if (keyrdataset->trust != dns_trust_secure) { + return (false); + } + + result = dns_rdataset_first(keyrdataset); + } else { + result = dns_rdataset_next(keyrdataset); + } + + for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_buffer_t b; + + dns_rdataset_current(keyrdataset, &rdata); + isc_buffer_init(&b, rdata.data, rdata.length); + isc_buffer_add(&b, rdata.length); + result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b, + client->mctx, keyp); + if (result != ISC_R_SUCCESS) { + continue; + } + if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) && + rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) && + dst_key_iszonekey(*keyp)) + { + secure = true; + break; + } + dst_key_free(keyp); + } + return (secure); +} + +static bool +verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdata_t *rdata, ns_client_t *client) { + isc_result_t result; + dns_fixedname_t fixed; + bool ignore = false; + + dns_fixedname_init(&fixed); + +again: + result = dns_dnssec_verify(name, rdataset, key, ignore, + client->view->maxbits, client->mctx, rdata, + NULL); + if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) { + ignore = true; + goto again; + } + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { + return (true); + } + return (false); +} + +/* + * Validate the rdataset if possible with available records. + */ +static bool +validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t rrsig; + dst_key_t *key = NULL; + dns_rdataset_t keyrdataset; + + if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) { + return (false); + } + + for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(sigrdataset)) + { + dns_rdata_reset(&rdata); + dns_rdataset_current(sigrdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &rrsig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (!dns_resolver_algorithm_supported(client->view->resolver, + name, rrsig.algorithm)) + { + continue; + } + if (!dns_name_issubdomain(name, &rrsig.signer)) { + continue; + } + dns_rdataset_init(&keyrdataset); + do { + if (!get_key(client, db, &rrsig, &keyrdataset, &key)) { + break; + } + if (verify(key, name, rdataset, &rdata, client)) { + dst_key_free(&key); + dns_rdataset_disassociate(&keyrdataset); + mark_secure(client, db, name, &rrsig, rdataset, + sigrdataset); + return (true); + } + dst_key_free(&key); + } while (1); + if (dns_rdataset_isassociated(&keyrdataset)) { + dns_rdataset_disassociate(&keyrdataset); + } + } + return (false); +} + +static void +fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) { + if (*rdataset == NULL) { + *rdataset = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(*rdataset)) { + dns_rdataset_disassociate(*rdataset); + } +} + +static void +fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf, + isc_buffer_t *nbuf) { + if (*fname == NULL) { + *dbuf = ns_client_getnamebuf(client); + if (*dbuf == NULL) { + return; + } + *fname = ns_client_newname(client, *dbuf, nbuf); + } +} + +static void +free_devent(ns_client_t *client, isc_event_t **eventp, + dns_fetchevent_t **deventp) { + dns_fetchevent_t *devent = *deventp; + + REQUIRE((void *)(*eventp) == (void *)(*deventp)); + + CTRACE(ISC_LOG_DEBUG(3), "free_devent"); + + if (devent->fetch != NULL) { + dns_resolver_destroyfetch(&devent->fetch); + } + if (devent->node != NULL) { + dns_db_detachnode(devent->db, &devent->node); + } + if (devent->db != NULL) { + dns_db_detach(&devent->db); + } + if (devent->rdataset != NULL) { + ns_client_putrdataset(client, &devent->rdataset); + } + if (devent->sigrdataset != NULL) { + ns_client_putrdataset(client, &devent->sigrdataset); + } + + /* + * If the two pointers are the same then leave the setting of + * (*deventp) to NULL to isc_event_free. + */ + if ((void *)eventp != (void *)deventp) { + (*deventp) = NULL; + } + isc_event_free(eventp); +} + +static void +prefetch_done(isc_task_t *task, isc_event_t *event) { + dns_fetchevent_t *devent = (dns_fetchevent_t *)event; + ns_client_t *client; + + UNUSED(task); + + REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); + client = devent->ev_arg; + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(task == client->task); + + CTRACE(ISC_LOG_DEBUG(3), "prefetch_done"); + + LOCK(&client->query.fetchlock); + if (client->query.prefetch != NULL) { + INSIST(devent->fetch == client->query.prefetch); + client->query.prefetch = NULL; + } + UNLOCK(&client->query.fetchlock); + + /* + * We're done prefetching, detach from quota. + */ + if (client->recursionquota != NULL) { + isc_quota_detach(&client->recursionquota); + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + } + + free_devent(client, &event, &devent); + isc_nmhandle_detach(&client->prefetchhandle); +} + +static void +query_prefetch(ns_client_t *client, dns_name_t *qname, + dns_rdataset_t *rdataset) { + isc_result_t result; + isc_sockaddr_t *peeraddr; + dns_rdataset_t *tmprdataset; + unsigned int options; + + CTRACE(ISC_LOG_DEBUG(3), "query_prefetch"); + + if (client->query.prefetch != NULL || + client->view->prefetch_trigger == 0U || + rdataset->ttl > client->view->prefetch_trigger || + (rdataset->attributes & DNS_RDATASETATTR_PREFETCH) == 0) + { + return; + } + + if (client->recursionquota == NULL) { + result = isc_quota_attach(&client->sctx->recursionquota, + &client->recursionquota); + switch (result) { + case ISC_R_SUCCESS: + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + break; + case ISC_R_SOFTQUOTA: + isc_quota_detach(&client->recursionquota); + FALLTHROUGH; + default: + return; + } + } + + tmprdataset = ns_client_newrdataset(client); + if (tmprdataset == NULL) { + return; + } + + if (!TCP(client)) { + peeraddr = &client->peeraddr; + } else { + peeraddr = NULL; + } + + isc_nmhandle_attach(client->handle, &client->prefetchhandle); + options = client->query.fetchoptions | DNS_FETCHOPT_PREFETCH; + result = dns_resolver_createfetch( + client->view->resolver, qname, rdataset->type, NULL, NULL, NULL, + peeraddr, client->message->id, options, 0, NULL, client->task, + prefetch_done, client, tmprdataset, NULL, + &client->query.prefetch); + if (result != ISC_R_SUCCESS) { + ns_client_putrdataset(client, &tmprdataset); + isc_nmhandle_detach(&client->prefetchhandle); + } + + dns_rdataset_clearprefetch(rdataset); + ns_stats_increment(client->sctx->nsstats, ns_statscounter_prefetch); +} + +static void +rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, + dns_rdataset_t **rdatasetp) { + if (nodep != NULL && *nodep != NULL) { + REQUIRE(dbp != NULL && *dbp != NULL); + dns_db_detachnode(*dbp, nodep); + } + if (dbp != NULL && *dbp != NULL) { + dns_db_detach(dbp); + } + if (zonep != NULL && *zonep != NULL) { + dns_zone_detach(zonep); + } + if (rdatasetp != NULL && *rdatasetp != NULL && + dns_rdataset_isassociated(*rdatasetp)) + { + dns_rdataset_disassociate(*rdatasetp); + } +} + +static void +rpz_match_clear(dns_rpz_st_t *st) { + rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); + st->m.version = NULL; +} + +static isc_result_t +rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { + REQUIRE(rdatasetp != NULL); + + CTRACE(ISC_LOG_DEBUG(3), "rpz_ready"); + + if (*rdatasetp == NULL) { + *rdatasetp = ns_client_newrdataset(client); + if (*rdatasetp == NULL) { + CTRACE(ISC_LOG_ERROR, "rpz_ready: " + "ns_client_newrdataset failed"); + return (DNS_R_SERVFAIL); + } + } else if (dns_rdataset_isassociated(*rdatasetp)) { + dns_rdataset_disassociate(*rdatasetp); + } + return (ISC_R_SUCCESS); +} + +static void +rpz_st_clear(ns_client_t *client) { + dns_rpz_st_t *st = client->query.rpz_st; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_st_clear"); + + if (st->m.rdataset != NULL) { + ns_client_putrdataset(client, &st->m.rdataset); + } + rpz_match_clear(st); + + rpz_clean(NULL, &st->r.db, NULL, NULL); + if (st->r.ns_rdataset != NULL) { + ns_client_putrdataset(client, &st->r.ns_rdataset); + } + if (st->r.r_rdataset != NULL) { + ns_client_putrdataset(client, &st->r.r_rdataset); + } + + rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL); + if (st->q.rdataset != NULL) { + ns_client_putrdataset(client, &st->q.rdataset); + } + if (st->q.sigrdataset != NULL) { + ns_client_putrdataset(client, &st->q.sigrdataset); + } + st->state = 0; + st->m.type = DNS_RPZ_TYPE_BAD; + st->m.policy = DNS_RPZ_POLICY_MISS; + if (st->rpsdb != NULL) { + dns_db_detach(&st->rpsdb); + } +} + +static dns_rpz_zbits_t +rpz_get_zbits(ns_client_t *client, dns_rdatatype_t ip_type, + dns_rpz_type_t rpz_type) { + dns_rpz_st_t *st; + dns_rpz_zbits_t zbits = 0; + + REQUIRE(client != NULL); + REQUIRE(client->query.rpz_st != NULL); + + st = client->query.rpz_st; + +#ifdef USE_DNSRPS + if (st->popt.dnsrps_enabled) { + if (st->rpsdb == NULL || + librpz->have_trig(dns_dnsrps_type2trig(rpz_type), + ip_type == dns_rdatatype_aaaa, + ((rpsdb_t *)st->rpsdb)->rsp)) + { + return (DNS_RPZ_ALL_ZBITS); + } + return (0); + } +#endif /* ifdef USE_DNSRPS */ + + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits = st->have.client_ip; + break; + case DNS_RPZ_TYPE_QNAME: + zbits = st->have.qname; + break; + case DNS_RPZ_TYPE_IP: + if (ip_type == dns_rdatatype_a) { + zbits = st->have.ipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = st->have.ipv6; + } else { + zbits = st->have.ip; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + zbits = st->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + if (ip_type == dns_rdatatype_a) { + zbits = st->have.nsipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = st->have.nsipv6; + } else { + zbits = st->have.nsip; + } + break; + default: + UNREACHABLE(); + } + + /* + * Choose + * the earliest configured policy zone (rpz->num) + * QNAME over IP over NSDNAME over NSIP (rpz_type) + * the smallest name, + * the longest IP address prefix, + * the lexically smallest address. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.type >= rpz_type) { + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); + } else { + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; + } + } + + /* + * If the client wants recursion, allow only compatible policies. + */ + if (!RECURSIONOK(client)) { + zbits &= st->popt.no_rd_ok; + } + + return (zbits); +} + +static void +query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) { + isc_result_t result; + isc_sockaddr_t *peeraddr; + dns_rdataset_t *tmprdataset; + unsigned int options; + + CTRACE(ISC_LOG_DEBUG(3), "query_rpzfetch"); + + if (client->query.prefetch != NULL) { + return; + } + + if (client->recursionquota == NULL) { + result = isc_quota_attach(&client->sctx->recursionquota, + &client->recursionquota); + switch (result) { + case ISC_R_SUCCESS: + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + break; + case ISC_R_SOFTQUOTA: + isc_quota_detach(&client->recursionquota); + FALLTHROUGH; + default: + return; + } + } + + tmprdataset = ns_client_newrdataset(client); + if (tmprdataset == NULL) { + return; + } + + if (!TCP(client)) { + peeraddr = &client->peeraddr; + } else { + peeraddr = NULL; + } + + options = client->query.fetchoptions; + isc_nmhandle_attach(client->handle, &client->prefetchhandle); + result = dns_resolver_createfetch( + client->view->resolver, qname, type, NULL, NULL, NULL, peeraddr, + client->message->id, options, 0, NULL, client->task, + prefetch_done, client, tmprdataset, NULL, + &client->query.prefetch); + if (result != ISC_R_SUCCESS) { + ns_client_putrdataset(client, &tmprdataset); + isc_nmhandle_detach(&client->prefetchhandle); + } +} + +/* + * Get an NS, A, or AAAA rrset related to the response for the client + * to check the contents of that rrset for hits by eligible policy zones. + */ +static isc_result_t +rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, + unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp, + dns_dbversion_t *version, dns_rdataset_t **rdatasetp, + bool resuming) { + dns_rpz_st_t *st; + bool is_zone; + dns_dbnode_t *node; + dns_fixedname_t fixed; + dns_name_t *found; + isc_result_t result; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rrset_find"); + + st = client->query.rpz_st; + if ((st->state & DNS_RPZ_RECURSING) != 0) { + INSIST(st->r.r_type == type); + INSIST(dns_name_equal(name, st->r_name)); + INSIST(*rdatasetp == NULL || + !dns_rdataset_isassociated(*rdatasetp)); + st->state &= ~DNS_RPZ_RECURSING; + RESTORE(*dbp, st->r.db); + if (*rdatasetp != NULL) { + ns_client_putrdataset(client, rdatasetp); + } + RESTORE(*rdatasetp, st->r.r_rdataset); + result = st->r.r_result; + if (result == DNS_R_DELEGATION) { + CTRACE(ISC_LOG_ERROR, "RPZ recursing"); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, "rpz_rrset_find(1)", result); + st->m.policy = DNS_RPZ_POLICY_ERROR; + result = DNS_R_SERVFAIL; + } + return (result); + } + + result = rpz_ready(client, rdatasetp); + if (result != ISC_R_SUCCESS) { + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (result); + } + if (*dbp != NULL) { + is_zone = false; + } else { + dns_zone_t *zone; + + version = NULL; + zone = NULL; + result = query_getdb(client, name, type, 0, &zone, dbp, + &version, &is_zone); + if (result != ISC_R_SUCCESS) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, "rpz_rrset_find(2)", result); + st->m.policy = DNS_RPZ_POLICY_ERROR; + if (zone != NULL) { + dns_zone_detach(&zone); + } + return (result); + } + if (zone != NULL) { + dns_zone_detach(&zone); + } + } + + node = NULL; + found = dns_fixedname_initname(&fixed); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + result = dns_db_findext(*dbp, name, version, type, options, client->now, + &node, found, &cm, &ci, *rdatasetp, NULL); + if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) { + /* + * Try the cache if we're authoritative for an + * ancestor but not the domain itself. + */ + rpz_clean(NULL, dbp, &node, rdatasetp); + version = NULL; + dns_db_attach(client->view->cachedb, dbp); + result = dns_db_findext(*dbp, name, version, type, 0, + client->now, &node, found, &cm, &ci, + *rdatasetp, NULL); + } + rpz_clean(NULL, dbp, &node, NULL); + if (result == DNS_R_DELEGATION) { + rpz_clean(NULL, NULL, NULL, rdatasetp); + /* + * Recurse for NS rrset or A or AAAA rrset for an NS. + * Do not recurse for addresses for the query name. + */ + if (rpz_type == DNS_RPZ_TYPE_IP) { + result = DNS_R_NXRRSET; + } else if (!client->view->rpzs->p.nsip_wait_recurse || + (!client->view->rpzs->p.nsdname_wait_recurse && + rpz_type == DNS_RPZ_TYPE_NSDNAME)) + { + query_rpzfetch(client, name, type); + result = DNS_R_NXRRSET; + } else { + dns_name_copy(name, st->r_name); + result = ns_query_recurse(client, type, st->r_name, + NULL, NULL, resuming); + if (result == ISC_R_SUCCESS) { + st->state |= DNS_RPZ_RECURSING; + result = DNS_R_DELEGATION; + } + } + } + return (result); +} + +/* + * Compute a policy owner name, p_name, in a policy zone given the needed + * policy type and the trigger name. + */ +static isc_result_t +rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, dns_rpz_zone_t *rpz, + dns_rpz_type_t rpz_type, dns_name_t *trig_name) { + dns_offsets_t prefix_offsets; + dns_name_t prefix, *suffix; + unsigned int first, labels; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_get_p_name"); + + /* + * The policy owner name consists of a suffix depending on the type + * and policy zone and a prefix that is the longest possible string + * from the trigger name that keesp the resulting policy owner name + * from being too long. + */ + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + suffix = &rpz->client_ip; + break; + case DNS_RPZ_TYPE_QNAME: + suffix = &rpz->origin; + break; + case DNS_RPZ_TYPE_IP: + suffix = &rpz->ip; + break; + case DNS_RPZ_TYPE_NSDNAME: + suffix = &rpz->nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + suffix = &rpz->nsip; + break; + default: + UNREACHABLE(); + } + + /* + * Start with relative version of the full trigger name, + * and trim enough allow the addition of the suffix. + */ + dns_name_init(&prefix, prefix_offsets); + labels = dns_name_countlabels(trig_name); + first = 0; + for (;;) { + dns_name_getlabelsequence(trig_name, first, labels - first - 1, + &prefix); + result = dns_name_concatenate(&prefix, suffix, p_name, NULL); + if (result == ISC_R_SUCCESS) { + break; + } + INSIST(result == DNS_R_NAMETOOLONG); + /* + * Trim the trigger name until the combination is not too long. + */ + if (labels - first < 2) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, + rpz_type, "concatenate()", result); + return (ISC_R_FAILURE); + } + /* + * Complain once about trimming the trigger name. + */ + if (first == 0) { + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, + rpz_type, "concatenate()", result); + } + ++first; + } + return (ISC_R_SUCCESS); +} + +/* + * Look in policy zone rpz for a policy of rpz_type by p_name. + * The self-name (usually the client qname or an NS name) is compared with + * the target of a CNAME policy for the old style passthru encoding. + * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, + * *rdatasetp, and *policyp. + * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. + * The caller must decide if the found policy is most suitable, including + * better than a previously found policy. + * If it is best, the caller records it in client->query.rpz_st->m. + */ +static isc_result_t +rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, + dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_rpz_policy_t *policyp) { + dns_fixedname_t foundf; + dns_name_t *found; + isc_result_t result; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + bool found_a = false; + + REQUIRE(nodep != NULL); + + CTRACE(ISC_LOG_DEBUG(3), "rpz_find_p"); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Try to find either a CNAME or the type of record demanded by the + * request from the policy zone. + */ + rpz_clean(zonep, dbp, nodep, rdatasetp); + result = rpz_ready(client, rdatasetp); + if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, "rpz_ready() failed"); + return (DNS_R_SERVFAIL); + } + *versionp = NULL; + result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); + if (result != ISC_R_SUCCESS) { + return (DNS_R_NXDOMAIN); + } + found = dns_fixedname_initname(&foundf); + + result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, + client->now, nodep, found, &cm, &ci, *rdatasetp, + NULL); + /* + * Choose the best rdataset if we found something. + */ + if (result == ISC_R_SUCCESS) { + dns_rdatasetiter_t *rdsiter; + + rdsiter = NULL; + result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, 0, + &rdsiter); + if (result != ISC_R_SUCCESS) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, + rpz_type, "allrdatasets()", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: allrdatasets failed"); + return (DNS_R_SERVFAIL); + } + if (qtype == dns_rdatatype_aaaa && + !ISC_LIST_EMPTY(client->view->dns64)) + { + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) + { + dns_rdatasetiter_current(rdsiter, *rdatasetp); + if ((*rdatasetp)->type == dns_rdatatype_a) { + found_a = true; + } + dns_rdataset_disassociate(*rdatasetp); + } + } + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) + { + dns_rdatasetiter_current(rdsiter, *rdatasetp); + if ((*rdatasetp)->type == dns_rdatatype_cname || + (*rdatasetp)->type == qtype) + { + break; + } + dns_rdataset_disassociate(*rdatasetp); + } + dns_rdatasetiter_destroy(&rdsiter); + if (result != ISC_R_SUCCESS) { + if (result != ISC_R_NOMORE) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, + p_name, rpz_type, "rdatasetiter", + result); + CTRACE(ISC_LOG_ERROR, "rpz_find_p: " + "rdatasetiter failed"); + return (DNS_R_SERVFAIL); + } + /* + * Ask again to get the right DNS_R_DNAME/NXRRSET/... + * result if there is neither a CNAME nor target type. + */ + if (dns_rdataset_isassociated(*rdatasetp)) { + dns_rdataset_disassociate(*rdatasetp); + } + dns_db_detachnode(*dbp, nodep); + + if (qtype == dns_rdatatype_rrsig || + qtype == dns_rdatatype_sig) + { + result = DNS_R_NXRRSET; + } else { + result = dns_db_findext(*dbp, p_name, *versionp, + qtype, 0, client->now, + nodep, found, &cm, &ci, + *rdatasetp, NULL); + } + } + } + switch (result) { + case ISC_R_SUCCESS: + if ((*rdatasetp)->type != dns_rdatatype_cname) { + *policyp = DNS_RPZ_POLICY_RECORD; + } else { + *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, + self_name); + if ((*policyp == DNS_RPZ_POLICY_RECORD || + *policyp == DNS_RPZ_POLICY_WILDCNAME) && + qtype != dns_rdatatype_cname && + qtype != dns_rdatatype_any) + { + return (DNS_R_CNAME); + } + } + return (ISC_R_SUCCESS); + case DNS_R_NXRRSET: + if (found_a) { + *policyp = DNS_RPZ_POLICY_DNS64; + } else { + *policyp = DNS_RPZ_POLICY_NODATA; + } + return (result); + case DNS_R_DNAME: + /* + * DNAME policy RRs have very few if any uses that are not + * better served with simple wildcards. Making them work would + * require complications to get the number of labels matched + * in the name or the found name to the main DNS_R_DNAME case + * in query_dname(). The domain also does not appear in the + * summary database at the right level, so this happens only + * with a single policy zone when we have no summary database. + * Treat it as a miss. + */ + case DNS_R_NXDOMAIN: + case DNS_R_EMPTYNAME: + return (DNS_R_NXDOMAIN); + default: + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", + result); + CTRACE(ISC_LOG_ERROR, "rpz_find_p: unexpected result"); + return (DNS_R_SERVFAIL); + } +} + +static void +rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, + isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_dbversion_t *version) { + dns_rdataset_t *trdataset = NULL; + + rpz_match_clear(st); + st->m.rpz = rpz; + st->m.type = rpz_type; + st->m.policy = policy; + dns_name_copy(p_name, st->p_name); + st->m.prefix = prefix; + st->m.result = result; + SAVE(st->m.zone, *zonep); + SAVE(st->m.db, *dbp); + SAVE(st->m.node, *nodep); + if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { + /* + * Save the replacement rdataset from the policy + * and make the previous replacement rdataset scratch. + */ + SAVE(trdataset, st->m.rdataset); + SAVE(st->m.rdataset, *rdatasetp); + SAVE(*rdatasetp, trdataset); + st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); + } else { + st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); + } + SAVE(st->m.version, version); +} + +#ifdef USE_DNSRPS +/* + * Check the results of a RPZ service interface lookup. + * Stop after an error (<0) or not a hit on a disabled zone (0). + * Continue after a hit on a disabled zone (>0). + */ +static int +dnsrps_ck(librpz_emsg_t *emsg, ns_client_t *client, rpsdb_t *rpsdb, + bool recursed) { + isc_region_t region; + librpz_domain_buf_t pname_buf; + + if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { + return (-1); + } + + /* + * Forget the state from before the IP address or domain check + * if the lookup hit nothing. + */ + if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED || + rpsdb->result.hit_id != rpsdb->hit_id || + rpsdb->result.policy != LIBRPZ_POLICY_DISABLED) + { + if (!librpz->rsp_pop_discard(emsg, rpsdb->rsp)) { + return (-1); + } + return (0); + } + + /* + * Log a hit on a disabled zone. + * Forget the zone to not try it again, and restore the pre-hit state. + */ + if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { + return (-1); + } + region.base = pname_buf.d; + region.length = pname_buf.size; + dns_name_fromregion(client->query.rpz_st->p_name, ®ion); + rpz_log_rewrite(client, true, dns_dnsrps_2policy(rpsdb->result.zpolicy), + dns_dnsrps_trig2type(rpsdb->result.trig), NULL, + client->query.rpz_st->p_name, NULL, + rpsdb->result.cznum); + + if (!librpz->rsp_forget_zone(emsg, rpsdb->result.cznum, rpsdb->rsp) || + !librpz->rsp_pop(emsg, &rpsdb->result, rpsdb->rsp)) + { + return (-1); + } + return (1); +} + +/* + * Ready the shim database and rdataset for a DNSRPS hit. + */ +static bool +dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st, + dns_rdatatype_t qtype, dns_rdataset_t **p_rdatasetp, + bool recursed) { + rpsdb_t *rpsdb; + librpz_domain_buf_t pname_buf; + isc_region_t region; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + dns_fixedname_t foundf; + dns_name_t *found; + dns_rdatatype_t foundtype, searchtype; + isc_result_t result; + + rpsdb = (rpsdb_t *)st->rpsdb; + + if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { + return (false); + } + + if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED) { + return (true); + } + + /* + * Give the fake or shim DNSRPS database its new origin. + */ + if (!librpz->rsp_soa(emsg, NULL, NULL, &rpsdb->origin_buf, + &rpsdb->result, rpsdb->rsp)) + { + return (false); + } + region.base = rpsdb->origin_buf.d; + region.length = rpsdb->origin_buf.size; + dns_name_fromregion(&rpsdb->common.origin, ®ion); + + if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { + return (false); + } + region.base = pname_buf.d; + region.length = pname_buf.size; + dns_name_fromregion(st->p_name, ®ion); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + rpz_ready(client, p_rdatasetp); + dns_db_attach(st->rpsdb, &p_db); + policy = dns_dnsrps_2policy(rpsdb->result.policy); + if (policy != DNS_RPZ_POLICY_RECORD) { + result = ISC_R_SUCCESS; + } else if (qtype == dns_rdatatype_rrsig) { + /* + * dns_find_db() refuses to look for and fail to + * find dns_rdatatype_rrsig. + */ + result = DNS_R_NXRRSET; + policy = DNS_RPZ_POLICY_NODATA; + } else { + /* + * Get the next (and so first) RR from the policy node. + * If it is a CNAME, then look for it regardless of the + * query type. + */ + if (!librpz->rsp_rr(emsg, &foundtype, NULL, NULL, NULL, + &rpsdb->result, rpsdb->qname->ndata, + rpsdb->qname->length, rpsdb->rsp)) + { + return (false); + } + if (foundtype == dns_rdatatype_cname) { + searchtype = dns_rdatatype_cname; + } else { + searchtype = qtype; + } + /* + * Get the DNSPRS imitation rdataset. + */ + found = dns_fixedname_initname(&foundf); + result = dns_db_find(p_db, st->p_name, NULL, searchtype, 0, 0, + &p_node, found, *p_rdatasetp, NULL); + + if (result == ISC_R_SUCCESS) { + if (searchtype == dns_rdatatype_cname && + qtype != dns_rdatatype_cname) + { + result = DNS_R_CNAME; + } + } else if (result == DNS_R_NXRRSET) { + policy = DNS_RPZ_POLICY_NODATA; + } else { + snprintf(emsg->c, sizeof(emsg->c), "dns_db_find(): %s", + isc_result_totext(result)); + return (false); + } + } + + rpz_save_p(st, client->view->rpzs->zones[rpsdb->result.cznum], + dns_dnsrps_trig2type(rpsdb->result.trig), policy, st->p_name, + 0, result, &p_zone, &p_db, &p_node, p_rdatasetp, NULL); + + rpz_clean(NULL, NULL, NULL, p_rdatasetp); + + return (true); +} + +static isc_result_t +dnsrps_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, + dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { + dns_rpz_st_t *st; + rpsdb_t *rpsdb; + librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; + bool recursed = false; + int res; + librpz_emsg_t emsg; + isc_result_t result; + + st = client->query.rpz_st; + rpsdb = (rpsdb_t *)st->rpsdb; + + result = rpz_ready(client, p_rdatasetp); + if (result != ISC_R_SUCCESS) { + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (result); + } + + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + trig = LIBRPZ_TRIG_CLIENT_IP; + recursed = false; + break; + case DNS_RPZ_TYPE_IP: + trig = LIBRPZ_TRIG_IP; + recursed = true; + break; + case DNS_RPZ_TYPE_NSIP: + trig = LIBRPZ_TRIG_NSIP; + recursed = true; + break; + default: + UNREACHABLE(); + } + + do { + if (!librpz->rsp_push(&emsg, rpsdb->rsp) || + !librpz->ck_ip(&emsg, + netaddr->family == AF_INET + ? (const void *)&netaddr->type.in + : (const void *)&netaddr->type.in6, + netaddr->family, trig, ++rpsdb->hit_id, + recursed, rpsdb->rsp) || + (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) + { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, + rpz_type, emsg.c, DNS_R_SERVFAIL); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + } + } while (res != 0); + return (ISC_R_SUCCESS); +} + +static isc_result_t +dnsrps_rewrite_name(ns_client_t *client, dns_name_t *trig_name, bool recursed, + dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { + dns_rpz_st_t *st; + rpsdb_t *rpsdb; + librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; + isc_region_t r; + int res; + librpz_emsg_t emsg; + isc_result_t result; + + st = client->query.rpz_st; + rpsdb = (rpsdb_t *)st->rpsdb; + + result = rpz_ready(client, p_rdatasetp); + if (result != ISC_R_SUCCESS) { + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (result); + } + + switch (rpz_type) { + case DNS_RPZ_TYPE_QNAME: + trig = LIBRPZ_TRIG_QNAME; + break; + case DNS_RPZ_TYPE_NSDNAME: + trig = LIBRPZ_TRIG_NSDNAME; + break; + default: + UNREACHABLE(); + } + + dns_name_toregion(trig_name, &r); + do { + if (!librpz->rsp_push(&emsg, rpsdb->rsp) || + !librpz->ck_domain(&emsg, r.base, r.length, trig, + ++rpsdb->hit_id, recursed, rpsdb->rsp) || + (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) + { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, + rpz_type, emsg.c, DNS_R_SERVFAIL); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + } + } while (res != 0); + return (ISC_R_SUCCESS); +} +#endif /* USE_DNSRPS */ + +/* + * Check this address in every eligible policy zone. + */ +static isc_result_t +rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { + dns_rpz_zones_t *rpzs; + dns_rpz_st_t *st; + dns_rpz_zone_t *rpz; + dns_rpz_prefix_t prefix; + dns_rpz_num_t rpz_num; + dns_fixedname_t ip_namef, p_namef; + dns_name_t *ip_name, *p_name; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip"); + + rpzs = client->view->rpzs; + st = client->query.rpz_st; +#ifdef USE_DNSRPS + if (st->popt.dnsrps_enabled) { + return (dnsrps_rewrite_ip(client, netaddr, rpz_type, + p_rdatasetp)); + } +#endif /* ifdef USE_DNSRPS */ + + ip_name = dns_fixedname_initname(&ip_namef); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + while (zbits != 0) { + rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, + ip_name, &prefix); + if (rpz_num == DNS_RPZ_INVALID_NUM) { + break; + } + zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); + + /* + * Do not try applying policy zones that cannot replace a + * previously found policy zone. + * Stop looking if the next best choice cannot + * replace what we already have. + */ + rpz = rpzs->zones[rpz_num]; + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.rpz->num < rpz->num) { + break; + } + if (st->m.rpz->num == rpz->num && + (st->m.type < rpz_type || st->m.prefix > prefix)) + { + break; + } + } + + /* + * Get the policy for a prefix at least as long + * as the prefix of the entry we had before. + */ + p_name = dns_fixedname_initname(&p_namef); + result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); + if (result != ISC_R_SUCCESS) { + continue; + } + result = rpz_find_p(client, ip_name, qtype, p_name, rpz, + rpz_type, &p_zone, &p_db, &p_version, + &p_node, p_rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: + /* + * Continue after a policy record that is missing + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. + */ + CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip: mismatched " + "summary data; " + "continuing"); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + default: + /* + * Forget this policy if it is not preferable + * to the previously found policy. + * If this policy is not good, then stop looking + * because none of the later policy zones would work. + * + * With more than one applicable policy, prefer + * the earliest configured policy, + * client-IP over QNAME over IP over NSDNAME over NSIP, + * the longest prefix + * the lexically smallest address. + * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. + * We can compare new and current p_name because + * both are of the same type and in the same zone. + * The tests above eliminate other reasons to + * reject this policy. If this policy can't work, + * then neither can later zones. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + rpz->num == st->m.rpz->num && + (st->m.type == rpz_type && st->m.prefix == prefix && + 0 > dns_name_rdatacompare(st->p_name, p_name))) + { + break; + } + + /* + * Stop checking after saving an enabled hit in this + * policy zone. The radix tree in the policy zone + * ensures that we found the longest match. + */ + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip: " + "rpz_save_p"); + rpz_save_p(st, rpz, rpz_type, policy, p_name, + prefix, result, &p_zone, &p_db, + &p_node, p_rdatasetp, p_version); + break; + } + + /* + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. + */ + rpz_log_rewrite(client, true, policy, rpz_type, p_zone, + p_name, NULL, rpz_num); + } + } + + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + return (ISC_R_SUCCESS); +} + +/* + * Check the IP addresses in the A or AAAA rrsets for name against + * all eligible rpz_type (IP or NSIP) response policy rewrite rules. + */ +static isc_result_t +rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rdatatype_t ip_type, dns_db_t **ip_dbp, + dns_dbversion_t *ip_version, dns_rdataset_t **ip_rdatasetp, + dns_rdataset_t **p_rdatasetp, bool resuming) { + dns_rpz_zbits_t zbits; + isc_netaddr_t netaddr; + struct in_addr ina; + struct in6_addr in6a; + isc_result_t result; + unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK; + bool done = false; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); + + do { + zbits = rpz_get_zbits(client, ip_type, rpz_type); + if (zbits == 0) { + return (ISC_R_SUCCESS); + } + + /* + * Get the A or AAAA rdataset. + */ + result = rpz_rrset_find(client, name, ip_type, options, + rpz_type, ip_dbp, ip_version, + ip_rdatasetp, resuming); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + break; + case DNS_R_EMPTYNAME: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + return (ISC_R_SUCCESS); + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + return (result); + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, + rpz_type, "NS address rewrite rrset", + result); + return (ISC_R_SUCCESS); + default: + if (client->query.rpz_st->m.policy != + DNS_RPZ_POLICY_ERROR) + { + client->query.rpz_st->m.policy = + DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, + "NS address rewrite rrset", + result); + } + CTRACE(ISC_LOG_ERROR, + "rpz_rewrite_ip_rrset: unexpected " + "result"); + return (DNS_R_SERVFAIL); + } + + /* + * If we are processing glue setup for the next loop + * otherwise we are done. + */ + if (result == DNS_R_GLUE) { + options = client->query.dboptions; + } else { + options = client->query.dboptions | DNS_DBFIND_GLUEOK; + done = true; + } + + /* + * Check all of the IP addresses in the rdataset. + */ + for (result = dns_rdataset_first(*ip_rdatasetp); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(*ip_rdatasetp)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(*ip_rdatasetp, &rdata); + switch (rdata.type) { + case dns_rdatatype_a: + INSIST(rdata.length == 4); + memmove(&ina.s_addr, rdata.data, 4); + isc_netaddr_fromin(&netaddr, &ina); + break; + case dns_rdatatype_aaaa: + INSIST(rdata.length == 16); + memmove(in6a.s6_addr, rdata.data, 16); + isc_netaddr_fromin6(&netaddr, &in6a); + break; + default: + continue; + } + + result = rpz_rewrite_ip(client, &netaddr, qtype, + rpz_type, zbits, p_rdatasetp); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + } while (!done && + client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS); + + return (ISC_R_SUCCESS); +} + +/* + * Look for IP addresses in A and AAAA rdatasets + * that trigger all eligible IP or NSIP policy rules. + */ +static isc_result_t +rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rdataset_t **ip_rdatasetp, bool resuming) { + dns_rpz_st_t *st; + dns_dbversion_t *ip_version; + dns_db_t *ip_db; + dns_rdataset_t *p_rdataset; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrsets"); + + st = client->query.rpz_st; + ip_version = NULL; + ip_db = NULL; + p_rdataset = NULL; + if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && + (qtype == dns_rdatatype_a || qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) + { + /* + * Rewrite based on an IPv4 address that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset( + client, name, qtype, rpz_type, dns_rdatatype_a, &ip_db, + ip_version, ip_rdatasetp, &p_rdataset, resuming); + if (result == ISC_R_SUCCESS) { + st->state |= DNS_RPZ_DONE_IPv4; + } + } else { + result = ISC_R_SUCCESS; + } + if (result == ISC_R_SUCCESS && + (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) + { + /* + * Rewrite based on IPv6 addresses that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, rpz_type, + dns_rdatatype_aaaa, &ip_db, + ip_version, ip_rdatasetp, + &p_rdataset, resuming); + } + if (ip_db != NULL) { + dns_db_detach(&ip_db); + } + ns_client_putrdataset(client, &p_rdataset); + return (result); +} + +/* + * Try to rewrite a request for a qtype rdataset based on the trigger name + * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). + * Record the results including the replacement rdataset if any + * in client->query.rpz_st. + * *rdatasetp is a scratch rdataset. + */ +static isc_result_t +rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t allowed_zbits, bool recursed, + dns_rdataset_t **rdatasetp) { + dns_rpz_zones_t *rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_st_t *st; + dns_fixedname_t p_namef; + dns_name_t *p_name; + dns_rpz_zbits_t zbits; + dns_rpz_num_t rpz_num; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + isc_result_t result; + +#ifndef USE_DNSRPS + UNUSED(recursed); +#endif /* ifndef USE_DNSRPS */ + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name"); + + rpzs = client->view->rpzs; + st = client->query.rpz_st; + +#ifdef USE_DNSRPS + if (st->popt.dnsrps_enabled) { + return (dnsrps_rewrite_name(client, trig_name, recursed, + rpz_type, rdatasetp)); + } +#endif /* ifdef USE_DNSRPS */ + + zbits = rpz_get_zbits(client, qtype, rpz_type); + zbits &= allowed_zbits; + if (zbits == 0) { + return (ISC_R_SUCCESS); + } + + /* + * Use the summary database to find the bit mask of policy zones + * with policies for this trigger name. We do this even if there + * is only one eligible policy zone so that wildcard triggers + * are matched correctly, and not into their parent. + */ + zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name); + if (zbits == 0) { + return (ISC_R_SUCCESS); + } + + p_name = dns_fixedname_initname(&p_namef); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + /* + * Check the trigger name in every policy zone that the summary data + * says has a hit for the trigger name. + * Most of the time there are no eligible zones and the summary data + * keeps us from getting this far. + * We check the most eligible zone first and so usually check only + * one policy zone. + */ + for (rpz_num = 0; zbits != 0; ++rpz_num, zbits >>= 1) { + if ((zbits & 1) == 0) { + continue; + } + + /* + * Do not check policy zones that cannot replace a previously + * found policy. + */ + rpz = rpzs->zones[rpz_num]; + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.rpz->num < rpz->num) { + break; + } + if (st->m.rpz->num == rpz->num && st->m.type < rpz_type) + { + break; + } + } + + /* + * Get the next policy zone's record for this trigger name. + */ + result = rpz_get_p_name(client, p_name, rpz, rpz_type, + trig_name); + if (result != ISC_R_SUCCESS) { + continue; + } + result = rpz_find_p(client, trig_name, qtype, p_name, rpz, + rpz_type, &p_zone, &p_db, &p_version, + &p_node, rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: + /* + * Continue after a missing policy record + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. + */ + CTRACE(ISC_LOG_ERROR, "rpz_rewrite_name: mismatched " + "summary data; " + "continuing"); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + default: + /* + * With more than one applicable policy, prefer + * the earliest configured policy, + * client-IP over QNAME over IP over NSDNAME over NSIP, + * and the smallest name. + * We known st->m.rpz->num >= rpz->num and either + * st->m.rpz->num > rpz->num or st->m.type >= rpz_type + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + rpz->num == st->m.rpz->num && + (st->m.type < rpz_type || + (st->m.type == rpz_type && + 0 >= dns_name_compare(p_name, st->p_name)))) + { + continue; + } + + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name: " + "rpz_save_p"); + rpz_save_p(st, rpz, rpz_type, policy, p_name, 0, + result, &p_zone, &p_db, &p_node, + rdatasetp, p_version); + /* + * After a hit, higher numbered policy zones + * are irrelevant + */ + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + return (ISC_R_SUCCESS); + } + /* + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. + */ + rpz_log_rewrite(client, true, policy, rpz_type, p_zone, + p_name, NULL, rpz_num); + break; + } + } + + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + return (ISC_R_SUCCESS); +} + +static void +rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname, + isc_result_t result, int level, const char *str) { + dns_rpz_st_t *st; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ns_skip"); + + st = client->query.rpz_st; + + if (str != NULL) { + rpz_log_fail_helper(client, level, nsname, DNS_RPZ_TYPE_NSIP, + DNS_RPZ_TYPE_NSDNAME, str, result); + } + if (st->r.ns_rdataset != NULL && + dns_rdataset_isassociated(st->r.ns_rdataset)) + { + dns_rdataset_disassociate(st->r.ns_rdataset); + } + + st->r.label--; +} + +/* + * RPZ query result types + */ +typedef enum { + qresult_type_done = 0, + qresult_type_restart = 1, + qresult_type_recurse = 2 +} qresult_type_t; + +/* + * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting. + */ +static isc_result_t +rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, + bool resuming, dns_rdataset_t *ordataset, dns_rdataset_t *osigset) { + dns_rpz_zones_t *rpzs; + dns_rpz_st_t *st; + dns_rdataset_t *rdataset; + dns_fixedname_t nsnamef; + dns_name_t *nsname; + qresult_type_t qresult_type; + dns_rpz_zbits_t zbits; + isc_result_t result = ISC_R_SUCCESS; + dns_rpz_have_t have; + dns_rpz_popt_t popt; + int rpz_ver; + unsigned int options; +#ifdef USE_DNSRPS + librpz_emsg_t emsg; +#endif /* ifdef USE_DNSRPS */ + + CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite"); + + rpzs = client->view->rpzs; + st = client->query.rpz_st; + + if (rpzs == NULL) { + return (ISC_R_NOTFOUND); + } + if (st != NULL && (st->state & DNS_RPZ_REWRITTEN) != 0) { + return (DNS_R_DISALLOWED); + } + if (RECURSING(client)) { + return (DNS_R_DISALLOWED); + } + + RWLOCK(&rpzs->search_lock, isc_rwlocktype_read); + if ((rpzs->p.num_zones == 0 && !rpzs->p.dnsrps_enabled) || + (!RECURSIONOK(client) && rpzs->p.no_rd_ok == 0) || + !rpz_ck_dnssec(client, qresult, ordataset, osigset)) + { + RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); + return (DNS_R_DISALLOWED); + } + have = rpzs->have; + popt = rpzs->p; + rpz_ver = rpzs->rpz_ver; + RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); + +#ifndef USE_DNSRPS + INSIST(!popt.dnsrps_enabled); +#endif /* ifndef USE_DNSRPS */ + + if (st == NULL) { + st = isc_mem_get(client->mctx, sizeof(*st)); + st->state = 0; + st->rpsdb = NULL; + } + if (st->state == 0) { + st->state |= DNS_RPZ_ACTIVE; + memset(&st->m, 0, sizeof(st->m)); + st->m.type = DNS_RPZ_TYPE_BAD; + st->m.policy = DNS_RPZ_POLICY_MISS; + st->m.ttl = ~0; + memset(&st->r, 0, sizeof(st->r)); + memset(&st->q, 0, sizeof(st->q)); + st->p_name = dns_fixedname_initname(&st->_p_namef); + st->r_name = dns_fixedname_initname(&st->_r_namef); + st->fname = dns_fixedname_initname(&st->_fnamef); + st->have = have; + st->popt = popt; + st->rpz_ver = rpz_ver; + client->query.rpz_st = st; +#ifdef USE_DNSRPS + if (popt.dnsrps_enabled) { + if (st->rpsdb != NULL) { + dns_db_detach(&st->rpsdb); + } + result = dns_dnsrps_rewrite_init( + &emsg, st, rpzs, client->query.qname, + client->mctx, RECURSIONOK(client)); + if (result != ISC_R_SUCCESS) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, + DNS_RPZ_TYPE_QNAME, emsg.c, + result); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (ISC_R_SUCCESS); + } + } +#endif /* ifdef USE_DNSRPS */ + } + + /* + * There is nothing to rewrite if the main query failed. + */ + switch (qresult) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + qresult_type = qresult_type_done; + break; + case DNS_R_EMPTYNAME: + case DNS_R_NXRRSET: + case DNS_R_NXDOMAIN: + case DNS_R_EMPTYWILD: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NCACHENXRRSET: + case DNS_R_COVERINGNSEC: + case DNS_R_CNAME: + case DNS_R_DNAME: + qresult_type = qresult_type_restart; + break; + case DNS_R_DELEGATION: + case ISC_R_NOTFOUND: + /* + * If recursion is on, do only tentative rewriting. + * If recursion is off, this the normal and only time we + * can rewrite. + */ + if (RECURSIONOK(client)) { + qresult_type = qresult_type_recurse; + } else { + qresult_type = qresult_type_restart; + } + break; + case ISC_R_FAILURE: + case ISC_R_TIMEDOUT: + case DNS_R_BROKENCHAIN: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL, + DNS_RPZ_TYPE_QNAME, + "stop on qresult in rpz_rewrite()", qresult); + return (ISC_R_SUCCESS); + default: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, NULL, + DNS_RPZ_TYPE_QNAME, + "stop on unrecognized qresult in rpz_rewrite()", + qresult); + return (ISC_R_SUCCESS); + } + + rdataset = NULL; + + if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) != + (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) + { + isc_netaddr_t netaddr; + dns_rpz_zbits_t allowed; + + if (!st->popt.dnsrps_enabled && + qresult_type == qresult_type_recurse) + { + /* + * This request needs recursion that has not been done. + * Get bits for the policy zones that do not need + * to wait for the results of recursion. + */ + allowed = st->have.qname_skip_recurse; + if (allowed == 0) { + return (ISC_R_SUCCESS); + } + } else { + allowed = DNS_RPZ_ALL_ZBITS; + } + + /* + * Check once for triggers for the client IP address. + */ + if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { + zbits = rpz_get_zbits(client, dns_rdatatype_none, + DNS_RPZ_TYPE_CLIENT_IP); + zbits &= allowed; + if (zbits != 0) { + isc_netaddr_fromsockaddr(&netaddr, + &client->peeraddr); + result = rpz_rewrite_ip(client, &netaddr, qtype, + DNS_RPZ_TYPE_CLIENT_IP, + zbits, &rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } + } + + /* + * Check triggers for the query name if this is the first time + * for the current qname. + * There is a first time for each name in a CNAME chain + */ + if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + bool norec = (qresult_type != qresult_type_recurse); + result = rpz_rewrite_name(client, client->query.qname, + qtype, DNS_RPZ_TYPE_QNAME, + allowed, norec, &rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + /* + * Check IPv4 addresses in A RRs next. + * Reset to the start of the NS names. + */ + st->r.label = dns_name_countlabels(client->query.qname); + st->state &= ~(DNS_RPZ_DONE_QNAME_IP | + DNS_RPZ_DONE_IPv4); + } + + /* + * Quit if this was an attempt to find a qname or + * client-IP trigger before recursion. + * We will be back if no pre-recursion triggers hit. + * For example, consider 2 policy zones, both with qname and + * IP address triggers. If the qname misses the 1st zone, + * then we cannot know whether a hit for the qname in the + * 2nd zone matters until after recursing to get the A RRs and + * testing them in the first zone. + * Do not bother saving the work from this attempt, + * because recursion is so slow. + */ + if (qresult_type == qresult_type_recurse) { + goto cleanup; + } + + /* + * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP + * is reset at the end of dealing with each CNAME. + */ + st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME); + } + + /* + * Check known IP addresses for the query name if the database lookup + * resulted in some addresses (qresult_type == qresult_type_done) + * and if we have not already checked them. + * Any recursion required for the query has already happened. + * Do not check addresses that will not be in the ANSWER section. + */ + if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && + qresult_type == qresult_type_done && + rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) + { + result = rpz_rewrite_ip_rrsets(client, client->query.qname, + qtype, DNS_RPZ_TYPE_IP, + &rdataset, resuming); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + /* + * We are finished checking the IP addresses for the qname. + * Start with IPv4 if we will check NS IP addresses. + */ + st->state |= DNS_RPZ_DONE_QNAME_IP; + st->state &= ~DNS_RPZ_DONE_IPv4; + } + + /* + * Stop looking for rules if there are none of the other kinds + * that could override what we already have. + */ + if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) == + 0 && + rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSIP) == 0) + { + result = ISC_R_SUCCESS; + goto cleanup; + } + + dns_fixedname_init(&nsnamef); + dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); + options = client->query.dboptions | DNS_DBFIND_GLUEOK; + while (st->r.label > st->popt.min_ns_labels) { + bool was_glue = false; + /* + * Get NS rrset for each domain in the current qname. + */ + if (st->r.label == dns_name_countlabels(client->query.qname)) { + nsname = client->query.qname; + } else { + nsname = dns_fixedname_name(&nsnamef); + dns_name_split(client->query.qname, st->r.label, NULL, + nsname); + } + if (st->r.ns_rdataset == NULL || + !dns_rdataset_isassociated(st->r.ns_rdataset)) + { + dns_db_t *db = NULL; + result = rpz_rrset_find(client, nsname, + dns_rdatatype_ns, options, + DNS_RPZ_TYPE_NSDNAME, &db, NULL, + &st->r.ns_rdataset, resuming); + if (db != NULL) { + dns_db_detach(&db); + } + if (st->m.policy == DNS_RPZ_POLICY_ERROR) { + goto cleanup; + } + switch (result) { + case DNS_R_GLUE: + was_glue = true; + FALLTHROUGH; + case ISC_R_SUCCESS: + result = dns_rdataset_first(st->r.ns_rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + st->state &= ~(DNS_RPZ_DONE_NSDNAME | + DNS_RPZ_DONE_IPv4); + break; + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + goto cleanup; + case DNS_R_EMPTYNAME: + case DNS_R_NXRRSET: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_rewrite_ns_skip(client, nsname, result, 0, + NULL); + continue; + case ISC_R_TIMEDOUT: + case DNS_R_BROKENCHAIN: + case ISC_R_FAILURE: + rpz_rewrite_ns_skip(client, nsname, result, + DNS_RPZ_DEBUG_LEVEL3, + " NS rpz_rrset_find()"); + continue; + default: + rpz_rewrite_ns_skip(client, nsname, result, + DNS_RPZ_INFO_LEVEL, + " unrecognized NS" + " rpz_rrset_find()"); + continue; + } + } + + /* + * Check all NS names. + */ + do { + dns_rdata_ns_t ns; + dns_rdata_t nsrdata = DNS_RDATA_INIT; + + dns_rdataset_current(st->r.ns_rdataset, &nsrdata); + result = dns_rdata_tostruct(&nsrdata, &ns, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&nsrdata); + + /* + * Do nothing about "NS ." + */ + if (dns_name_equal(&ns.name, dns_rootname)) { + dns_rdata_freestruct(&ns); + result = dns_rdataset_next(st->r.ns_rdataset); + continue; + } + /* + * Check this NS name if we did not handle it + * during a previous recursion. + */ + if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { + result = rpz_rewrite_name( + client, &ns.name, qtype, + DNS_RPZ_TYPE_NSDNAME, DNS_RPZ_ALL_ZBITS, + true, &rdataset); + if (result != ISC_R_SUCCESS) { + dns_rdata_freestruct(&ns); + goto cleanup; + } + st->state |= DNS_RPZ_DONE_NSDNAME; + } + /* + * Check all IP addresses for this NS name. + */ + result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, + DNS_RPZ_TYPE_NSIP, + &rdataset, resuming); + dns_rdata_freestruct(&ns); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + st->state &= ~(DNS_RPZ_DONE_NSDNAME | + DNS_RPZ_DONE_IPv4); + result = dns_rdataset_next(st->r.ns_rdataset); + } while (result == ISC_R_SUCCESS); + dns_rdataset_disassociate(st->r.ns_rdataset); + + /* + * If we just checked a glue NS RRset retry without allowing + * glue responses, otherwise setup for the next name. + */ + if (was_glue) { + options = client->query.dboptions; + } else { + options = client->query.dboptions | DNS_DBFIND_GLUEOK; + st->r.label--; + } + + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) + { + break; + } + } + + /* + * Use the best hit, if any. + */ + result = ISC_R_SUCCESS; + +cleanup: +#ifdef USE_DNSRPS + if (st->popt.dnsrps_enabled && st->m.policy != DNS_RPZ_POLICY_ERROR && + !dnsrps_set_p(&emsg, client, st, qtype, &rdataset, + (qresult_type != qresult_type_recurse))) + { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, + DNS_RPZ_TYPE_BAD, emsg.c, DNS_R_SERVFAIL); + st->m.policy = DNS_RPZ_POLICY_ERROR; + } +#endif /* ifdef USE_DNSRPS */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + st->m.policy != DNS_RPZ_POLICY_ERROR && + st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN) + { + st->m.policy = st->m.rpz->policy; + } + if (st->m.policy == DNS_RPZ_POLICY_MISS || + st->m.policy == DNS_RPZ_POLICY_PASSTHRU || + st->m.policy == DNS_RPZ_POLICY_ERROR) + { + if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && + result != DNS_R_DELEGATION) + { + rpz_log_rewrite(client, false, st->m.policy, st->m.type, + st->m.zone, st->p_name, NULL, + st->m.rpz->num); + } + rpz_match_clear(st); + } + if (st->m.policy == DNS_RPZ_POLICY_ERROR) { + CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy"); + st->m.type = DNS_RPZ_TYPE_BAD; + result = DNS_R_SERVFAIL; + } + ns_client_putrdataset(client, &rdataset); + if ((st->state & DNS_RPZ_RECURSING) == 0) { + rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset); + } + + return (result); +} + +/* + * See if response policy zone rewriting is allowed by a lack of interest + * by the client in DNSSEC or a lack of signatures. + */ +static bool +rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { + dns_fixedname_t fixed; + dns_name_t *found; + dns_rdataset_t trdataset; + dns_rdatatype_t type; + isc_result_t result; + + CTRACE(ISC_LOG_DEBUG(3), "rpz_ck_dnssec"); + + if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) { + return (true); + } + + /* + * We do not know if there are signatures if we have not recursed + * for them. + */ + if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) { + return (false); + } + + if (sigrdataset == NULL) { + return (true); + } + if (dns_rdataset_isassociated(sigrdataset)) { + return (false); + } + + /* + * We are happy to rewrite nothing. + */ + if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) { + return (true); + } + /* + * Do not rewrite if there is any sign of signatures. + */ + if (rdataset->type == dns_rdatatype_nsec || + rdataset->type == dns_rdatatype_nsec3 || + rdataset->type == dns_rdatatype_rrsig) + { + return (false); + } + + /* + * Look for a signature in a negative cache rdataset. + */ + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) { + return (true); + } + found = dns_fixedname_initname(&fixed); + dns_rdataset_init(&trdataset); + for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) + { + dns_ncache_current(rdataset, found, &trdataset); + type = trdataset.type; + dns_rdataset_disassociate(&trdataset); + if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || + type == dns_rdatatype_rrsig) + { + return (false); + } + } + return (true); +} + +/* + * Extract a network address from the RDATA of an A or AAAA + * record. + * + * Returns: + * ISC_R_SUCCESS + * ISC_R_NOTIMPLEMENTED The rdata is not a known address type. + */ +static isc_result_t +rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { + struct in_addr ina; + struct in6_addr in6a; + + switch (rdata->type) { + case dns_rdatatype_a: + INSIST(rdata->length == 4); + memmove(&ina.s_addr, rdata->data, 4); + isc_netaddr_fromin(netaddr, &ina); + return (ISC_R_SUCCESS); + case dns_rdatatype_aaaa: + INSIST(rdata->length == 16); + memmove(in6a.s6_addr, rdata->data, 16); + isc_netaddr_fromin6(netaddr, &in6a); + return (ISC_R_SUCCESS); + default: + return (ISC_R_NOTIMPLEMENTED); + } +} + +static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 }; +static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 }; +static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 }; + +static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA"; + +static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA"; +static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA"; + +static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA"; + +static dns_name_t rfc1918names[] = { + DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets), + DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets), + DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets) +}; + +static unsigned char prisoner_data[] = "\010prisoner\004iana\003org"; +static unsigned char hostmaster_data[] = "\012hostmaster\014root-" + "servers\003org"; + +static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 }; +static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 }; + +static dns_name_t const prisoner = DNS_NAME_INITABSOLUTE(prisoner_data, + prisoner_offsets); +static dns_name_t const hostmaster = DNS_NAME_INITABSOLUTE(hostmaster_data, + hostmaster_offsets); + +static void +warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { + unsigned int i; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_soa_t soa; + dns_rdataset_t found; + isc_result_t result; + + for (i = 0; i < (sizeof(rfc1918names) / sizeof(*rfc1918names)); i++) { + if (dns_name_issubdomain(fname, &rfc1918names[i])) { + dns_rdataset_init(&found); + result = dns_ncache_getrdataset( + rdataset, &rfc1918names[i], dns_rdatatype_soa, + &found); + if (result != ISC_R_SUCCESS) { + return; + } + + result = dns_rdataset_first(&found); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(&found, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (dns_name_equal(&soa.origin, &prisoner) && + dns_name_equal(&soa.contact, &hostmaster)) + { + char buf[DNS_NAME_FORMATSIZE]; + dns_name_format(fname, buf, sizeof(buf)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "RFC 1918 response from " + "Internet for %s", + buf); + } + dns_rdataset_disassociate(&found); + return; + } + } +} + +static void +query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, + dns_dbversion_t *version, ns_client_t *client, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + dns_name_t *fname, bool exact, dns_name_t *found) { + unsigned char salt[256]; + size_t salt_length; + uint16_t iterations; + isc_result_t result; + unsigned int dboptions; + dns_fixedname_t fixed; + dns_hash_t hash; + dns_name_t name; + unsigned int skip = 0, labels; + dns_rdata_nsec3_t nsec3; + dns_rdata_t rdata = DNS_RDATA_INIT; + bool optout; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + salt_length = sizeof(salt); + result = dns_db_getnsec3parameters(db, version, &hash, NULL, + &iterations, salt, &salt_length); + if (result != ISC_R_SUCCESS) { + return; + } + + dns_name_init(&name, NULL); + dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Map unknown algorithm to known value. + */ + if (hash == DNS_NSEC3_UNKNOWNALG) { + hash = 1; + } + +again: + dns_fixedname_init(&fixed); + result = dns_nsec3_hashname(&fixed, NULL, NULL, &name, + dns_db_origin(db), hash, iterations, salt, + salt_length); + if (result != ISC_R_SUCCESS) { + return; + } + + dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3; + result = dns_db_findext(db, dns_fixedname_name(&fixed), version, + dns_rdatatype_nsec3, dboptions, client->now, + NULL, fname, &cm, &ci, rdataset, sigrdataset); + + if (result == DNS_R_NXDOMAIN) { + if (!dns_rdataset_isassociated(rdataset)) { + return; + } + result = dns_rdataset_first(rdataset); + INSIST(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &nsec3, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + optout = ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); + if (found != NULL && optout && + dns_name_issubdomain(&name, dns_db_origin(db))) + { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), + "looking for closest provable encloser"); + goto again; + } + if (exact) { + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "expected a exact match NSEC3, got " + "a covering record"); + } + } else if (result != ISC_R_SUCCESS) { + return; + } else if (!exact) { + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "expected covering NSEC3, got an exact match"); + } + if (found == qname) { + if (skip != 0U) { + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } + } else if (found != NULL) { + dns_name_copy(&name, found); + } + return; +} + +static uint32_t +dns64_ttl(dns_db_t *db, dns_dbversion_t *version) { + dns_dbnode_t *node = NULL; + dns_rdata_soa_t soa; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t rdataset; + isc_result_t result; + uint32_t ttl = UINT32_MAX; + + dns_rdataset_init(&rdataset); + + result = dns_db_getoriginnode(db, &node); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, 0, 0, + &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = dns_rdataset_first(&rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + dns_rdataset_current(&rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + ttl = ISC_MIN(rdataset.ttl, soa.minimum); + +cleanup: + if (dns_rdataset_isassociated(&rdataset)) { + dns_rdataset_disassociate(&rdataset); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + return (ttl); +} + +static bool +dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + isc_netaddr_t netaddr; + dns_aclenv_t *env = client->manager->aclenv; + dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64); + unsigned int flags = 0; + unsigned int i, count; + bool *aaaaok; + + INSIST(client->query.dns64_aaaaok == NULL); + INSIST(client->query.dns64_aaaaoklen == 0); + INSIST(client->query.dns64_aaaa == NULL); + INSIST(client->query.dns64_sigaaaa == NULL); + + if (dns64 == NULL) { + return (true); + } + + if (RECURSIONOK(client)) { + flags |= DNS_DNS64_RECURSIVE; + } + + if (WANTDNSSEC(client) && sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + { + flags |= DNS_DNS64_DNSSEC; + } + + count = dns_rdataset_count(rdataset); + aaaaok = isc_mem_get(client->mctx, sizeof(bool) * count); + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + if (dns_dns64_aaaaok(dns64, &netaddr, client->signer, env, flags, + rdataset, aaaaok, count)) + { + for (i = 0; i < count; i++) { + if (aaaaok != NULL && !aaaaok[i]) { + SAVE(client->query.dns64_aaaaok, aaaaok); + client->query.dns64_aaaaoklen = count; + break; + } + } + if (aaaaok != NULL) { + isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count); + } + return (true); + } + if (aaaaok != NULL) { + isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count); + } + return (false); +} + +/* + * Look for the name and type in the redirection zone. If found update + * the arguments as appropriate. Return true if a update was + * performed. + * + * Only perform the update if the client is in the allow query acl and + * returning the update would not cause a DNSSEC validation failure. + */ +static isc_result_t +redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, + dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_rdatatype_t qtype) { + dns_db_t *db = NULL; + dns_dbnode_t *node = NULL; + dns_fixedname_t fixed; + dns_name_t *found; + dns_rdataset_t trdataset; + isc_result_t result; + dns_rdatatype_t type; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + ns_dbversion_t *dbversion; + + CTRACE(ISC_LOG_DEBUG(3), "redirect"); + + if (client->view->redirect == NULL) { + return (ISC_R_NOTFOUND); + } + + found = dns_fixedname_initname(&fixed); + dns_rdataset_init(&trdataset); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + dns_clientinfo_setecs(&ci, &client->ecs); + + if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) + { + return (ISC_R_NOTFOUND); + } + + if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { + if (rdataset->trust == dns_trust_secure) { + return (ISC_R_NOTFOUND); + } + if (rdataset->trust == dns_trust_ultimate && + (rdataset->type == dns_rdatatype_nsec || + rdataset->type == dns_rdatatype_nsec3)) + { + return (ISC_R_NOTFOUND); + } + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) + { + dns_ncache_current(rdataset, found, &trdataset); + type = trdataset.type; + dns_rdataset_disassociate(&trdataset); + if (type == dns_rdatatype_nsec || + type == dns_rdatatype_nsec3 || + type == dns_rdatatype_rrsig) + { + return (ISC_R_NOTFOUND); + } + } + } + } + + result = ns_client_checkaclsilent( + client, NULL, dns_zone_getqueryacl(client->view->redirect), + true); + if (result != ISC_R_SUCCESS) { + return (ISC_R_NOTFOUND); + } + + result = dns_zone_getdb(client->view->redirect, &db); + if (result != ISC_R_SUCCESS) { + return (ISC_R_NOTFOUND); + } + + dbversion = ns_client_findversion(client, db); + if (dbversion == NULL) { + dns_db_detach(&db); + return (ISC_R_NOTFOUND); + } + + /* + * Lookup the requested data in the redirect zone. + */ + result = dns_db_findext(db, client->query.qname, dbversion->version, + qtype, DNS_DBFIND_NOZONECUT, client->now, &node, + found, &cm, &ci, &trdataset, NULL); + if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_disassociate(&trdataset); + } + goto nxrrset; + } else if (result != ISC_R_SUCCESS) { + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_disassociate(&trdataset); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + return (ISC_R_NOTFOUND); + } + + CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done"); + dns_name_copy(found, name); + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_clone(&trdataset, rdataset); + dns_rdataset_disassociate(&trdataset); + } +nxrrset: + if (*nodep != NULL) { + dns_db_detachnode(*dbp, nodep); + } + dns_db_detach(dbp); + dns_db_attachnode(db, node, nodep); + dns_db_attach(db, dbp); + dns_db_detachnode(db, &node); + dns_db_detach(&db); + *versionp = dbversion->version; + + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + + return (result); +} + +static isc_result_t +redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, + dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_rdatatype_t qtype, bool *is_zonep) { + dns_db_t *db = NULL; + dns_dbnode_t *node = NULL; + dns_fixedname_t fixed; + dns_fixedname_t fixedredirect; + dns_name_t *found, *redirectname; + dns_rdataset_t trdataset; + isc_result_t result; + dns_rdatatype_t type; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_dbversion_t *version = NULL; + dns_zone_t *zone = NULL; + bool is_zone; + unsigned int labels; + unsigned int options; + + CTRACE(ISC_LOG_DEBUG(3), "redirect2"); + + if (client->view->redirectzone == NULL) { + return (ISC_R_NOTFOUND); + } + + if (dns_name_issubdomain(name, client->view->redirectzone)) { + return (ISC_R_NOTFOUND); + } + + found = dns_fixedname_initname(&fixed); + dns_rdataset_init(&trdataset); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + dns_clientinfo_setecs(&ci, &client->ecs); + + if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) + { + return (ISC_R_NOTFOUND); + } + + if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { + if (rdataset->trust == dns_trust_secure) { + return (ISC_R_NOTFOUND); + } + if (rdataset->trust == dns_trust_ultimate && + (rdataset->type == dns_rdatatype_nsec || + rdataset->type == dns_rdatatype_nsec3)) + { + return (ISC_R_NOTFOUND); + } + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) + { + dns_ncache_current(rdataset, found, &trdataset); + type = trdataset.type; + dns_rdataset_disassociate(&trdataset); + if (type == dns_rdatatype_nsec || + type == dns_rdatatype_nsec3 || + type == dns_rdatatype_rrsig) + { + return (ISC_R_NOTFOUND); + } + } + } + } + + redirectname = dns_fixedname_initname(&fixedredirect); + labels = dns_name_countlabels(client->query.qname); + if (labels > 1U) { + dns_name_t prefix; + + dns_name_init(&prefix, NULL); + dns_name_getlabelsequence(client->query.qname, 0, labels - 1, + &prefix); + result = dns_name_concatenate(&prefix, + client->view->redirectzone, + redirectname, NULL); + if (result != ISC_R_SUCCESS) { + return (ISC_R_NOTFOUND); + } + } else { + dns_name_copy(redirectname, client->view->redirectzone); + } + + options = 0; + result = query_getdb(client, redirectname, qtype, options, &zone, &db, + &version, &is_zone); + if (result != ISC_R_SUCCESS) { + return (ISC_R_NOTFOUND); + } + if (zone != NULL) { + dns_zone_detach(&zone); + } + + /* + * Lookup the requested data in the redirect zone. + */ + result = dns_db_findext(db, redirectname, version, qtype, 0, + client->now, &node, found, &cm, &ci, &trdataset, + NULL); + if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_disassociate(&trdataset); + } + goto nxrrset; + } else if (result == ISC_R_NOTFOUND || result == DNS_R_DELEGATION) { + /* + * Cleanup. + */ + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_disassociate(&trdataset); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + /* + * Don't loop forever if the lookup failed last time. + */ + if (!REDIRECT(client)) { + result = ns_query_recurse(client, qtype, redirectname, + NULL, NULL, true); + if (result == ISC_R_SUCCESS) { + client->query.attributes |= + NS_QUERYATTR_RECURSING; + client->query.attributes |= + NS_QUERYATTR_REDIRECT; + return (DNS_R_CONTINUE); + } + } + return (ISC_R_NOTFOUND); + } else if (result != ISC_R_SUCCESS) { + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_disassociate(&trdataset); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + return (ISC_R_NOTFOUND); + } + + CTRACE(ISC_LOG_DEBUG(3), "redirect2: found data: done"); + /* + * Adjust the found name to not include the redirectzone suffix. + */ + dns_name_split(found, dns_name_countlabels(client->view->redirectzone), + found, NULL); + /* + * Make the name absolute. + */ + result = dns_name_concatenate(found, dns_rootname, found, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + dns_name_copy(found, name); + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (dns_rdataset_isassociated(&trdataset)) { + dns_rdataset_clone(&trdataset, rdataset); + dns_rdataset_disassociate(&trdataset); + } +nxrrset: + if (*nodep != NULL) { + dns_db_detachnode(*dbp, nodep); + } + dns_db_detach(dbp); + dns_db_attachnode(db, node, nodep); + dns_db_attach(db, dbp); + dns_db_detachnode(db, &node); + dns_db_detach(&db); + *is_zonep = is_zone; + *versionp = version; + + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + + return (result); +} + +/*% + * Initialize query context 'qctx'. Run by query_setup() when + * first handling a client query, and by query_resume() when + * returning from recursion. + * + * Whenever this function is called, qctx_destroy() must be called + * when leaving the scope or freeing the qctx. + */ +static void +qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype, + query_ctx_t *qctx) { + REQUIRE(qctx != NULL); + REQUIRE(client != NULL); + + memset(qctx, 0, sizeof(*qctx)); + + /* Set this first so CCTRACE will work */ + qctx->client = client; + + dns_view_attach(client->view, &qctx->view); + + CCTRACE(ISC_LOG_DEBUG(3), "qctx_init"); + + if (eventp != NULL) { + qctx->event = *eventp; + *eventp = NULL; + } else { + qctx->event = NULL; + } + qctx->qtype = qctx->type = qtype; + qctx->result = ISC_R_SUCCESS; + qctx->findcoveringnsec = qctx->view->synthfromdnssec; + + /* + * If it's an RRSIG or SIG query, we'll iterate the node. + */ + if (qctx->qtype == dns_rdatatype_rrsig || + qctx->qtype == dns_rdatatype_sig) + { + qctx->type = dns_rdatatype_any; + } + + CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx); +} + +/* + * Make 'dst' and exact copy of 'src', with exception of the + * option field, which is reset to zero. + * This function also attaches dst's view and db to the src's + * view and cachedb. + */ +static void +qctx_copy(const query_ctx_t *qctx, query_ctx_t *dst) { + REQUIRE(qctx != NULL); + REQUIRE(dst != NULL); + + memmove(dst, qctx, sizeof(*dst)); + dst->view = NULL; + dst->db = NULL; + dst->options = 0; + dns_view_attach(qctx->view, &dst->view); + dns_db_attach(qctx->view->cachedb, &dst->db); + CCTRACE(ISC_LOG_DEBUG(3), "qctx_copy"); +} + +/*% + * Clean up and disassociate the rdataset and node pointers in qctx. + */ +static void +qctx_clean(query_ctx_t *qctx) { + if (qctx->rdataset != NULL && dns_rdataset_isassociated(qctx->rdataset)) + { + dns_rdataset_disassociate(qctx->rdataset); + } + if (qctx->sigrdataset != NULL && + dns_rdataset_isassociated(qctx->sigrdataset)) + { + dns_rdataset_disassociate(qctx->sigrdataset); + } + if (qctx->db != NULL && qctx->node != NULL) { + dns_db_detachnode(qctx->db, &qctx->node); + } +} + +/*% + * Free any allocated memory associated with qctx. + */ +static void +qctx_freedata(query_ctx_t *qctx) { + if (qctx->rdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->rdataset); + } + + if (qctx->sigrdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->sigrdataset); + } + + if (qctx->fname != NULL) { + ns_client_releasename(qctx->client, &qctx->fname); + } + + if (qctx->db != NULL) { + INSIST(qctx->node == NULL); + dns_db_detach(&qctx->db); + } + + if (qctx->zone != NULL) { + dns_zone_detach(&qctx->zone); + } + + if (qctx->zdb != NULL) { + ns_client_putrdataset(qctx->client, &qctx->zsigrdataset); + ns_client_putrdataset(qctx->client, &qctx->zrdataset); + ns_client_releasename(qctx->client, &qctx->zfname); + dns_db_detachnode(qctx->zdb, &qctx->znode); + dns_db_detach(&qctx->zdb); + } + + if (qctx->event != NULL && !qctx->client->nodetach) { + free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event), + &qctx->event); + } +} + +static void +qctx_destroy(query_ctx_t *qctx) { + CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx); + + dns_view_detach(&qctx->view); +} + +/* + * Call SAVE but set 'a' to NULL first so as not to assert. + */ +#define INITANDSAVE(a, b) \ + do { \ + a = NULL; \ + SAVE(a, b); \ + } while (0) + +/* + * "save" qctx data from 'src' to 'tgt'. + * It essentially moves ownership of the data from src to tgt, so the former + * becomes unusable except for final cleanup (such as by qctx_destroy). + * Note: this function doesn't attach to the client's handle. It's the caller's + * responsibility to do it if it's necessary. + */ +static void +qctx_save(query_ctx_t *src, query_ctx_t *tgt) { + /* First copy all fields in a straightforward way */ + *tgt = *src; + + /* Then "move" pointers (except client and view) */ + INITANDSAVE(tgt->dbuf, src->dbuf); + INITANDSAVE(tgt->fname, src->fname); + INITANDSAVE(tgt->tname, src->tname); + INITANDSAVE(tgt->rdataset, src->rdataset); + INITANDSAVE(tgt->sigrdataset, src->sigrdataset); + INITANDSAVE(tgt->noqname, src->noqname); + INITANDSAVE(tgt->event, src->event); + INITANDSAVE(tgt->db, src->db); + INITANDSAVE(tgt->version, src->version); + INITANDSAVE(tgt->node, src->node); + INITANDSAVE(tgt->zdb, src->zdb); + INITANDSAVE(tgt->znode, src->znode); + INITANDSAVE(tgt->zfname, src->zfname); + INITANDSAVE(tgt->zversion, src->zversion); + INITANDSAVE(tgt->zrdataset, src->zrdataset); + INITANDSAVE(tgt->zsigrdataset, src->zsigrdataset); + INITANDSAVE(tgt->rpz_st, src->rpz_st); + INITANDSAVE(tgt->zone, src->zone); + + /* View has to stay in 'src' for qctx_destroy. */ + tgt->view = NULL; + dns_view_attach(src->view, &tgt->view); +} + +/*% + * Log detailed information about the query immediately after + * the client request or a return from recursion. + */ +static void +query_trace(query_ctx_t *qctx) { +#ifdef WANT_QUERYTRACE + char mbuf[2 * DNS_NAME_FORMATSIZE]; + char qbuf[DNS_NAME_FORMATSIZE]; + + if (qctx->client->query.origqname != NULL) { + dns_name_format(qctx->client->query.origqname, qbuf, + sizeof(qbuf)); + } else { + snprintf(qbuf, sizeof(qbuf), ""); + } + + snprintf(mbuf, sizeof(mbuf) - 1, + "client attr:0x%x, query attr:0x%X, restarts:%u, " + "origqname:%s, timer:%d, authdb:%d, referral:%d", + qctx->client->attributes, qctx->client->query.attributes, + qctx->client->query.restarts, qbuf, + (int)qctx->client->query.timerset, + (int)qctx->client->query.authdbset, + (int)qctx->client->query.isreferral); + CCTRACE(ISC_LOG_DEBUG(3), mbuf); +#else /* ifdef WANT_QUERYTRACE */ + UNUSED(qctx); +#endif /* ifdef WANT_QUERYTRACE */ +} + +/* + * Set up query processing for the current query of 'client'. + * Calls qctx_init() to initialize a query context, checks + * the SERVFAIL cache, then hands off processing to ns__query_start(). + * + * This is called only from ns_query_start(), to begin a query + * for the first time. Restarting an existing query (for + * instance, to handle CNAME lookups), is done by calling + * ns__query_start() again with the same query context. Resuming from + * recursion is handled by query_resume(). + */ +static isc_result_t +query_setup(ns_client_t *client, dns_rdatatype_t qtype) { + isc_result_t result = ISC_R_UNSET; + query_ctx_t qctx; + + qctx_init(client, NULL, qtype, &qctx); + query_trace(&qctx); + + CALL_HOOK(NS_QUERY_SETUP, &qctx); + + /* + * Check SERVFAIL cache + */ + result = ns__query_sfcache(&qctx); + if (result != ISC_R_COMPLETE) { + qctx_destroy(&qctx); + return (result); + } + + result = ns__query_start(&qctx); + +cleanup: + qctx_destroy(&qctx); + return (result); +} + +static bool +get_root_key_sentinel_id(query_ctx_t *qctx, const char *ndata) { + unsigned int v = 0; + int i; + + for (i = 0; i < 5; i++) { + if (!isdigit((unsigned char)ndata[i])) { + return (false); + } + v *= 10; + v += ndata[i] - '0'; + } + if (v > 65535U) { + return (false); + } + qctx->client->query.root_key_sentinel_keyid = v; + return (true); +} + +/*% + * Find out if the query is for a root key sentinel and if so, record the type + * of root key sentinel query and the key id that is being checked for. + * + * The code is assuming a zero padded decimal field of width 5. + */ +static void +root_key_sentinel_detect(query_ctx_t *qctx) { + const char *ndata = (const char *)qctx->client->query.qname->ndata; + + if (qctx->client->query.qname->length > 30 && ndata[0] == 29 && + strncasecmp(ndata + 1, "root-key-sentinel-is-ta-", 24) == 0) + { + if (!get_root_key_sentinel_id(qctx, ndata + 25)) { + return; + } + qctx->client->query.root_key_sentinel_is_ta = true; + /* + * Simplify processing by disabling aggressive + * negative caching. + */ + qctx->findcoveringnsec = false; + ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "root-key-sentinel-is-ta query label found"); + } else if (qctx->client->query.qname->length > 31 && ndata[0] == 30 && + strncasecmp(ndata + 1, "root-key-sentinel-not-ta-", 25) == 0) + { + if (!get_root_key_sentinel_id(qctx, ndata + 26)) { + return; + } + qctx->client->query.root_key_sentinel_not_ta = true; + /* + * Simplify processing by disabling aggressive + * negative caching. + */ + qctx->findcoveringnsec = false; + ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "root-key-sentinel-not-ta query label found"); + } +} + +/*% + * Starting point for a client query or a chaining query. + * + * Called first by query_setup(), and then again as often as needed to + * follow a CNAME chain. Determines which authoritative database to + * search, then hands off processing to query_lookup(). + */ +isc_result_t +ns__query_start(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start"); + qctx->want_restart = false; + qctx->authoritative = false; + qctx->version = NULL; + qctx->zversion = NULL; + qctx->need_wildcardproof = false; + qctx->rpz = false; + + CALL_HOOK(NS_QUERY_START_BEGIN, qctx); + + /* + * If we require a server cookie then send back BADCOOKIE + * before we have done too much work. + */ + if (!TCP(qctx->client) && qctx->view->requireservercookie && + WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client)) + { + qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; + qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; + qctx->client->message->rcode = dns_rcode_badcookie; + return (ns_query_done(qctx)); + } + + if (qctx->view->checknames && + !dns_rdata_checkowner(qctx->client->query.qname, + qctx->client->message->rdclass, qctx->qtype, + false)) + { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + + dns_name_format(qctx->client->query.qname, namebuf, + sizeof(namebuf)); + dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf)); + dns_rdataclass_format(qctx->client->message->rdclass, classbuf, + sizeof(classbuf)); + ns_client_log(qctx->client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_ERROR, + "check-names failure %s/%s/%s", namebuf, typebuf, + classbuf); + QUERY_ERROR(qctx, DNS_R_REFUSED); + return (ns_query_done(qctx)); + } + + /* + * Setup for root key sentinel processing. + */ + if (qctx->view->root_key_sentinel && + qctx->client->query.restarts == 0 && + (qctx->qtype == dns_rdatatype_a || + qctx->qtype == dns_rdatatype_aaaa) && + (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0) + { + root_key_sentinel_detect(qctx); + } + + /* + * First we must find the right database. + */ + qctx->options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */ + if (dns_rdatatype_atparent(qctx->qtype) && + !dns_name_equal(qctx->client->query.qname, dns_rootname)) + { + /* + * If authoritative data for this QTYPE is supposed to live in + * the parent zone, do not look for an exact match for QNAME, + * but rather for its containing zone (unless the QNAME is + * root). + */ + qctx->options |= DNS_GETDB_NOEXACT; + } + + result = query_getdb(qctx->client, qctx->client->query.qname, + qctx->qtype, qctx->options, &qctx->zone, &qctx->db, + &qctx->version, &qctx->is_zone); + if ((result != ISC_R_SUCCESS || !qctx->is_zone) && + qctx->qtype == dns_rdatatype_ds && !RECURSIONOK(qctx->client) && + (qctx->options & DNS_GETDB_NOEXACT) != 0) + { + /* + * This is a non-recursive QTYPE=DS query with QNAME whose + * parent we are not authoritative for. Check whether we are + * authoritative for QNAME, because if so, we need to send a + * "no data" response as required by RFC 4035, section 3.1.4.1. + */ + dns_db_t *tdb = NULL; + dns_zone_t *tzone = NULL; + dns_dbversion_t *tversion = NULL; + isc_result_t tresult; + + tresult = query_getzonedb( + qctx->client, qctx->client->query.qname, qctx->qtype, + DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion); + if (tresult == ISC_R_SUCCESS) { + /* + * We are authoritative for QNAME. Attach the relevant + * zone to query context, set result to ISC_R_SUCCESS. + */ + qctx->options &= ~DNS_GETDB_NOEXACT; + ns_client_putrdataset(qctx->client, &qctx->rdataset); + if (qctx->db != NULL) { + dns_db_detach(&qctx->db); + } + if (qctx->zone != NULL) { + dns_zone_detach(&qctx->zone); + } + qctx->version = NULL; + RESTORE(qctx->version, tversion); + RESTORE(qctx->db, tdb); + RESTORE(qctx->zone, tzone); + qctx->is_zone = true; + result = ISC_R_SUCCESS; + } else { + /* + * We are not authoritative for QNAME. Clean up and + * leave result as it was. + */ + if (tdb != NULL) { + dns_db_detach(&tdb); + } + if (tzone != NULL) { + dns_zone_detach(&tzone); + } + } + } + /* + * If we did not find a database from which we can answer the query, + * respond with either REFUSED or SERVFAIL, depending on what the + * result of query_getdb() was. + */ + if (result != ISC_R_SUCCESS) { + if (result == DNS_R_REFUSED) { + if (WANTRECURSION(qctx->client)) { + inc_stats(qctx->client, + ns_statscounter_recurserej); + } else { + inc_stats(qctx->client, + ns_statscounter_authrej); + } + if (!PARTIALANSWER(qctx->client)) { + QUERY_ERROR(qctx, DNS_R_REFUSED); + } + } else { + CCTRACE(ISC_LOG_ERROR, "ns__query_start: query_getdb " + "failed"); + QUERY_ERROR(qctx, result); + } + return (ns_query_done(qctx)); + } + + /* + * We found a database from which we can answer the query. Update + * relevant query context flags if the answer is to be prepared using + * authoritative data. + */ + qctx->is_staticstub_zone = false; + if (qctx->is_zone) { + qctx->authoritative = true; + if (qctx->zone != NULL) { + if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) { + qctx->authoritative = false; + } + if (dns_zone_gettype(qctx->zone) == dns_zone_staticstub) + { + qctx->is_staticstub_zone = true; + } + } + } + + /* + * Attach to the database which will be used to prepare the answer. + * Update query statistics. + */ + if (qctx->event == NULL && qctx->client->query.restarts == 0) { + if (qctx->is_zone) { + if (qctx->zone != NULL) { + /* + * if is_zone = true, zone = NULL then this is + * a DLZ zone. Don't attempt to attach zone. + */ + dns_zone_attach(qctx->zone, + &qctx->client->query.authzone); + } + dns_db_attach(qctx->db, &qctx->client->query.authdb); + } + qctx->client->query.authdbset = true; + + /* Track TCP vs UDP stats per zone */ + if (TCP(qctx->client)) { + inc_stats(qctx->client, ns_statscounter_tcp); + } else { + inc_stats(qctx->client, ns_statscounter_udp); + } + } + + if (!qctx->is_zone && (qctx->view->staleanswerclienttimeout == 0) && + dns_view_staleanswerenabled(qctx->view)) + { + /* + * If stale answers are enabled and + * stale-answer-client-timeout is zero, then we can promptly + * answer with a stale RRset if one is available in cache. + */ + qctx->options |= DNS_GETDB_STALEFIRST; + } + + result = query_lookup(qctx); + + /* + * Clear "look-also-for-stale-data" flag. + * If a fetch is created to resolve this query, then, + * when it completes, this option is not expected to be set. + */ + qctx->options &= ~DNS_GETDB_STALEFIRST; + +cleanup: + return (result); +} + +/* + * Allocate buffers in 'qctx' used to store query results. + * + * 'buffer' must be a pointer to an object whose lifetime + * doesn't expire while 'qctx' is in use. + */ +static isc_result_t +qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) { + REQUIRE(qctx != NULL); + REQUIRE(qctx->client != NULL); + REQUIRE(buffer != NULL); + + qctx->dbuf = ns_client_getnamebuf(qctx->client); + if (qctx->dbuf == NULL) { + CCTRACE(ISC_LOG_ERROR, + "qctx_prepare_buffers: ns_client_getnamebuf " + "failed"); + return (ISC_R_NOMEMORY); + } + + qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer); + if (qctx->fname == NULL) { + CCTRACE(ISC_LOG_ERROR, + "qctx_prepare_buffers: ns_client_newname failed"); + + return (ISC_R_NOMEMORY); + } + + qctx->rdataset = ns_client_newrdataset(qctx->client); + if (qctx->rdataset == NULL) { + CCTRACE(ISC_LOG_ERROR, + "qctx_prepare_buffers: ns_client_newrdataset failed"); + goto error; + } + + if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) && + (!qctx->is_zone || dns_db_issecure(qctx->db))) + { + qctx->sigrdataset = ns_client_newrdataset(qctx->client); + if (qctx->sigrdataset == NULL) { + CCTRACE(ISC_LOG_ERROR, + "qctx_prepare_buffers: " + "ns_client_newrdataset failed (2)"); + goto error; + } + } + + return (ISC_R_SUCCESS); + +error: + if (qctx->fname != NULL) { + ns_client_releasename(qctx->client, &qctx->fname); + } + if (qctx->rdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->rdataset); + } + + return (ISC_R_NOMEMORY); +} + +/* + * Setup a new query context for resolving a query. + * + * This function is only called if both these conditions are met: + * 1. BIND is configured with stale-answer-client-timeout 0. + * 2. A stale RRset is found in cache during initial query + * database lookup. + * + * We continue with this function for refreshing/resolving an RRset + * after answering a client with stale data. + */ +static void +query_refresh_rrset(query_ctx_t *orig_qctx) { + isc_buffer_t buffer; + query_ctx_t qctx; + + REQUIRE(orig_qctx != NULL); + REQUIRE(orig_qctx->client != NULL); + + qctx_copy(orig_qctx, &qctx); + qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | + DNS_DBFIND_STALEOK | + DNS_DBFIND_STALEENABLED); + qctx.client->nodetach = false; + + /* + * We'll need some resources... + */ + if (qctx_prepare_buffers(&qctx, &buffer) != ISC_R_SUCCESS) { + dns_db_detach(&qctx.db); + qctx_destroy(&qctx); + return; + } + + /* + * Pretend we didn't find anything in cache. + */ + (void)query_gotanswer(&qctx, ISC_R_NOTFOUND); + + if (qctx.fname != NULL) { + ns_client_releasename(qctx.client, &qctx.fname); + } + if (qctx.rdataset != NULL) { + ns_client_putrdataset(qctx.client, &qctx.rdataset); + } + + qctx_destroy(&qctx); +} + +/*% + * Depending on the db lookup result, we can respond to the + * client this stale answer. + */ +static bool +stale_client_answer(isc_result_t result) { + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_EMPTYNAME: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case DNS_R_CNAME: + case DNS_R_DNAME: + return (true); + default: + return (false); + } + + UNREACHABLE(); +} + +/*% + * Perform a local database lookup, in either an authoritative or + * cache database. If unable to answer, call ns_query_done(); otherwise + * hand off processing to query_gotanswer(). + */ +static isc_result_t +query_lookup(query_ctx_t *qctx) { + isc_buffer_t buffer; + isc_result_t result = ISC_R_UNSET; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_name_t *rpzqname = NULL; + char namebuf[DNS_NAME_FORMATSIZE]; + unsigned int dboptions; + dns_ttl_t stale_refresh = 0; + bool dbfind_stale = false; + bool stale_timeout = false; + bool answer_found = false; + bool stale_found = false; + bool stale_refresh_window = false; + uint16_t ede = 0; + + CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); + + CALL_HOOK(NS_QUERY_LOOKUP_BEGIN, qctx); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, qctx->client, NULL); + if (HAVEECS(qctx->client)) { + dns_clientinfo_setecs(&ci, &qctx->client->ecs); + } + + /* + * We'll need some resources... + */ + result = qctx_prepare_buffers(qctx, &buffer); + if (result != ISC_R_SUCCESS) { + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + + /* + * Now look for an answer in the database. + */ + if (qctx->dns64 && qctx->rpz) { + rpzqname = qctx->client->query.rpz_st->p_name; + } else { + rpzqname = qctx->client->query.qname; + } + + if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) { + /* + * If DNS_GETDB_STALEFIRST is set, it means that a stale + * RRset may be returned as part of this lookup. An attempt + * to refresh the RRset will still take place if an + * active RRset is not available. + */ + qctx->client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; + } + + dboptions = qctx->client->query.dboptions; + if (!qctx->is_zone && qctx->findcoveringnsec && + (qctx->type != dns_rdatatype_null || !dns_name_istat(rpzqname))) + { + dboptions |= DNS_DBFIND_COVERINGNSEC; + } + + (void)dns_db_getservestalerefresh(qctx->client->view->cachedb, + &stale_refresh); + if (stale_refresh > 0 && + dns_view_staleanswerenabled(qctx->client->view)) + { + dboptions |= DNS_DBFIND_STALEENABLED; + } + + result = dns_db_findext(qctx->db, rpzqname, qctx->version, qctx->type, + dboptions, qctx->client->now, &qctx->node, + qctx->fname, &cm, &ci, qctx->rdataset, + qctx->sigrdataset); + + /* + * Fixup fname and sigrdataset. + */ + if (qctx->dns64 && qctx->rpz) { + dns_name_copy(qctx->client->query.qname, qctx->fname); + if (qctx->sigrdataset != NULL && + dns_rdataset_isassociated(qctx->sigrdataset)) + { + dns_rdataset_disassociate(qctx->sigrdataset); + } + } + + if (!qctx->is_zone) { + dns_cache_updatestats(qctx->view->cache, result); + } + + /* + * If DNS_DBFIND_STALEOK is set this means we are dealing with a + * lookup following a failed lookup and it is okay to serve a stale + * answer. This will (re)start the 'stale-refresh-time' window in + * rbtdb, tracking the last time the RRset lookup failed. + */ + dbfind_stale = ((dboptions & DNS_DBFIND_STALEOK) != 0); + + /* + * If DNS_DBFIND_STALEENABLED is set, this may be a normal lookup, but + * we are allowed to immediately respond with a stale answer if the + * request is within the 'stale-refresh-time' window. + */ + stale_refresh_window = (STALE_WINDOW(qctx->rdataset) && + (dboptions & DNS_DBFIND_STALEENABLED) != 0); + + /* + * If DNS_DBFIND_STALETIMEOUT is set, a stale answer is requested. + * This can happen if 'stale-answer-client-timeout' is enabled. + * + * If 'stale-answer-client-timeout' is set to 0, and a stale + * answer is found, send it to the client, and try to refresh the + * RRset. + * + * If 'stale-answer-client-timeout' is non-zero, and a stale + * answer is found, send it to the client. Don't try to refresh the + * RRset because a fetch is already in progress. + */ + stale_timeout = ((dboptions & DNS_DBFIND_STALETIMEOUT) != 0); + + if (dns_rdataset_isassociated(qctx->rdataset) && + dns_rdataset_count(qctx->rdataset) > 0 && !STALE(qctx->rdataset)) + { + /* Found non-stale usable rdataset. */ + answer_found = true; + } + + if (dbfind_stale || stale_refresh_window || stale_timeout) { + dns_name_format(qctx->client->query.qname, namebuf, + sizeof(namebuf)); + + inc_stats(qctx->client, ns_statscounter_trystale); + + if (dns_rdataset_isassociated(qctx->rdataset) && + dns_rdataset_count(qctx->rdataset) > 0 && + STALE(qctx->rdataset)) + { + stale_found = true; + if (result == DNS_R_NCACHENXDOMAIN || + result == DNS_R_NXDOMAIN) + { + ede = DNS_EDE_STALENXANSWER; + } else { + ede = DNS_EDE_STALEANSWER; + } + qctx->rdataset->ttl = qctx->view->staleanswerttl; + inc_stats(qctx->client, ns_statscounter_usedstale); + } else { + stale_found = false; + } + } + + if (dbfind_stale) { + isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s resolver failure, stale answer %s", namebuf, + stale_found ? "used" : "unavailable"); + if (stale_found) { + ns_client_extendederror(qctx->client, ede, + "resolver failure"); + } else if (!answer_found) { + /* + * Resolver failure, no stale data, nothing more we + * can do, return SERVFAIL. + */ + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + } else if (stale_refresh_window) { + /* + * A recent lookup failed, so during this time window we are + * allowed to return stale data immediately. + */ + isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s query within stale refresh time, stale " + "answer %s", + namebuf, stale_found ? "used" : "unavailable"); + + if (stale_found) { + ns_client_extendederror( + qctx->client, ede, + "query within stale refresh time window"); + } else if (!answer_found) { + /* + * During the stale refresh window explicitly do not try + * to refresh the data, because a recent lookup failed. + */ + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + } else if (stale_timeout) { + if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) { + if (!stale_found && !answer_found) { + /* + * We have nothing useful in cache to return + * immediately. + */ + qctx_clean(qctx); + qctx_freedata(qctx); + dns_db_attach(qctx->client->view->cachedb, + &qctx->db); + qctx->client->query.dboptions &= + ~DNS_DBFIND_STALETIMEOUT; + qctx->options &= ~DNS_GETDB_STALEFIRST; + if (qctx->client->query.fetch != NULL) { + dns_resolver_destroyfetch( + &qctx->client->query.fetch); + } + return (query_lookup(qctx)); + } else if (stale_client_answer(result)) { + /* + * Immediately return the stale answer, start a + * resolver fetch to refresh the data in cache. + */ + isc_log_write( + ns_lctx, NS_LOGCATEGORY_SERVE_STALE, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s stale answer used, an attempt to " + "refresh the RRset will still be made", + namebuf); + + qctx->refresh_rrset = STALE(qctx->rdataset); + /* + * If we are refreshing the RRSet, we must not + * detach from the client in query_send(). + */ + qctx->client->nodetach = qctx->refresh_rrset; + + if (stale_found) { + ns_client_extendederror( + qctx->client, ede, + "stale data prioritized over " + "lookup"); + } + } + } else { + /* + * The 'stale-answer-client-timeout' triggered, return + * the stale answer if available, otherwise wait until + * the resolver finishes. + */ + isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s client timeout, stale answer %s", + namebuf, + stale_found ? "used" : "unavailable"); + if (stale_found) { + ns_client_extendederror(qctx->client, ede, + "client timeout"); + } else if (!answer_found) { + return (result); + } + + if (!stale_client_answer(result)) { + return (result); + } + + /* + * There still might be real answer later. Mark the + * query so we'll know we can skip answering. + */ + qctx->client->query.attributes |= + NS_QUERYATTR_STALEPENDING; + } + } + + if (stale_timeout && (answer_found || stale_found)) { + /* + * Mark RRsets that we are adding to the client message on a + * lookup during 'stale-answer-client-timeout', so we can + * clean it up if needed when we resume from recursion. + */ + qctx->client->query.attributes |= NS_QUERYATTR_STALEOK; + qctx->rdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; + } + + result = query_gotanswer(qctx, result); + +cleanup: + return (result); +} + +/* + * Clear all rdatasets from the message that are in the given section and + * that have the 'attr' attribute set. + */ +static void +message_clearrdataset(dns_message_t *msg, unsigned int attr) { + unsigned int i; + dns_name_t *name, *next_name; + dns_rdataset_t *rds, *next_rds; + + /* + * Clean up name lists by calling the rdataset disassociate function. + */ + for (i = DNS_SECTION_ANSWER; i < DNS_SECTION_MAX; i++) { + name = ISC_LIST_HEAD(msg->sections[i]); + while (name != NULL) { + next_name = ISC_LIST_NEXT(name, link); + + rds = ISC_LIST_HEAD(name->list); + while (rds != NULL) { + next_rds = ISC_LIST_NEXT(rds, link); + if ((rds->attributes & attr) != attr) { + rds = next_rds; + continue; + } + ISC_LIST_UNLINK(name->list, rds, link); + INSIST(dns_rdataset_isassociated(rds)); + dns_rdataset_disassociate(rds); + isc_mempool_put(msg->rdspool, rds); + rds = next_rds; + } + + if (ISC_LIST_EMPTY(name->list)) { + ISC_LIST_UNLINK(msg->sections[i], name, link); + if (dns_name_dynamic(name)) { + dns_name_free(name, msg->mctx); + } + isc_mempool_put(msg->namepool, name); + } + + name = next_name; + } + } +} + +/* + * Clear any rdatasets from the client's message that were added on a lookup + * due to a client timeout. + */ +static void +query_clear_stale(ns_client_t *client) { + message_clearrdataset(client->message, DNS_RDATASETATTR_STALE_ADDED); +} + +/* + * Create a new query context with the sole intent of looking up for a stale + * RRset in cache. If an entry is found, we mark the original query as + * answered, in order to avoid answering the query twice, when the original + * fetch finishes. + */ +static void +query_lookup_stale(ns_client_t *client) { + query_ctx_t qctx; + + qctx_init(client, NULL, client->query.qtype, &qctx); + dns_db_attach(client->view->cachedb, &qctx.db); + client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; + client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; + client->nodetach = true; + (void)query_lookup(&qctx); + if (qctx.node != NULL) { + dns_db_detachnode(qctx.db, &qctx.node); + } + qctx_freedata(&qctx); + qctx_destroy(&qctx); +} + +/* + * Event handler to resume processing a query after recursion, or when a + * client timeout is triggered. If the query has timed out or been cancelled + * or the system is shutting down, clean up and exit. If a client timeout is + * triggered, see if we can respond with a stale answer from cache. Otherwise, + * call query_resume() to continue the ongoing work. + */ +static void +fetch_callback(isc_task_t *task, isc_event_t *event) { + dns_fetchevent_t *devent = (dns_fetchevent_t *)event; + dns_fetch_t *fetch = NULL; + ns_client_t *client = NULL; + bool fetch_canceled = false; + bool fetch_answered = false; + bool client_shuttingdown = false; + isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_ERRORS; + isc_result_t result; + int errorloglevel; + query_ctx_t qctx; + + UNUSED(task); + + REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE || + event->ev_type == DNS_EVENT_TRYSTALE); + + client = devent->ev_arg; + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(task == client->task); + REQUIRE(RECURSING(client)); + + CTRACE(ISC_LOG_DEBUG(3), "fetch_callback"); + + if (event->ev_type == DNS_EVENT_TRYSTALE) { + if (devent->result != ISC_R_CANCELED) { + query_lookup_stale(client); + } + isc_event_free(ISC_EVENT_PTR(&event)); + return; + } + /* + * We are resuming from recursion. Reset any attributes, options + * that a lookup due to stale-answer-client-timeout may have set. + */ + if (client->view->cachedb != NULL && client->view->recursion) { + client->query.attributes |= NS_QUERYATTR_RECURSIONOK; + } + client->query.fetchoptions &= ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT; + client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT; + client->nodetach = false; + + LOCK(&client->query.fetchlock); + INSIST(client->query.fetch == devent->fetch || + client->query.fetch == NULL); + if (QUERY_STALEPENDING(&client->query)) { + /* + * We've gotten an authoritative answer to a query that + * was left pending after a stale timeout. We don't need + * to do anything with it; free all the data and go home. + */ + client->query.fetch = NULL; + fetch_answered = true; + } else if (client->query.fetch != NULL) { + /* + * This is the fetch we've been waiting for. + */ + INSIST(devent->fetch == client->query.fetch); + client->query.fetch = NULL; + + /* + * Update client->now. + */ + isc_stdtime_get(&client->now); + } else { + /* + * This is a fetch completion event for a canceled fetch. + * Clean up and don't resume the find. + */ + fetch_canceled = true; + } + UNLOCK(&client->query.fetchlock); + + SAVE(fetch, devent->fetch); + + /* + * We're done recursing, detach from quota and unlink from + * the manager's recursing-clients list. + */ + + if (client->recursionquota != NULL) { + isc_quota_detach(&client->recursionquota); + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + } + + LOCK(&client->manager->reclock); + if (ISC_LINK_LINKED(client, rlink)) { + ISC_LIST_UNLINK(client->manager->recursing, client, rlink); + } + UNLOCK(&client->manager->reclock); + + isc_nmhandle_detach(&client->fetchhandle); + + client->query.attributes &= ~NS_QUERYATTR_RECURSING; + client->state = NS_CLIENTSTATE_WORKING; + + /* + * Initialize a new qctx and use it to either resume from + * recursion or clean up after cancelation. Transfer + * ownership of devent to the new qctx in the process. + */ + qctx_init(client, &devent, 0, &qctx); + + client_shuttingdown = ns_client_shuttingdown(client); + if (fetch_canceled || fetch_answered || client_shuttingdown) { + /* + * We've timed out or are shutting down. We can now + * free the event and other resources held by qctx, but + * don't call qctx_destroy() yet: it might destroy the + * client, which we still need for a moment. + */ + qctx_freedata(&qctx); + + /* + * Return an error to the client, or just drop. + */ + if (fetch_canceled) { + CTRACE(ISC_LOG_ERROR, "fetch cancelled"); + query_error(client, DNS_R_SERVFAIL, __LINE__); + } else { + query_next(client, ISC_R_CANCELED); + } + + /* + * Free any persistent plugin data that was allocated to + * service the client, then detach the client object. + */ + qctx.detach_client = true; + qctx_destroy(&qctx); + } else { + /* + * Resume the find process. + */ + query_trace(&qctx); + + result = query_resume(&qctx); + if (result != ISC_R_SUCCESS) { + if (result == DNS_R_SERVFAIL) { + errorloglevel = ISC_LOG_DEBUG(2); + } else { + errorloglevel = ISC_LOG_DEBUG(4); + } + if (isc_log_wouldlog(ns_lctx, errorloglevel)) { + dns_resolver_logfetch(fetch, ns_lctx, + logcategory, + NS_LOGMODULE_QUERY, + errorloglevel, false); + } + } + + qctx_destroy(&qctx); + } + + dns_resolver_destroyfetch(&fetch); +} + +/*% + * Check whether the recursion parameters in 'param' match the current query's + * recursion parameters provided in 'qtype', 'qname', and 'qdomain'. + */ +static bool +recparam_match(const ns_query_recparam_t *param, dns_rdatatype_t qtype, + const dns_name_t *qname, const dns_name_t *qdomain) { + REQUIRE(param != NULL); + + return (param->qtype == qtype && param->qname != NULL && + qname != NULL && param->qdomain != NULL && qdomain != NULL && + dns_name_equal(param->qname, qname) && + dns_name_equal(param->qdomain, qdomain)); +} + +/*% + * Update 'param' with current query's recursion parameters provided in + * 'qtype', 'qname', and 'qdomain'. + */ +static void +recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, + const dns_name_t *qname, const dns_name_t *qdomain) { + REQUIRE(param != NULL); + + param->qtype = qtype; + + if (qname == NULL) { + param->qname = NULL; + } else { + param->qname = dns_fixedname_initname(¶m->fqname); + dns_name_copy(qname, param->qname); + } + + if (qdomain == NULL) { + param->qdomain = NULL; + } else { + param->qdomain = dns_fixedname_initname(¶m->fqdomain); + dns_name_copy(qdomain, param->qdomain); + } +} +static atomic_uint_fast32_t last_soft, last_hard; + +/*% + * Check recursion quota before making the current client "recursing". + */ +static isc_result_t +check_recursionquota(ns_client_t *client) { + isc_result_t result = ISC_R_SUCCESS; + + /* + * We are about to recurse, which means that this client will + * be unavailable for serving new requests for an indeterminate + * amount of time. If this client is currently responsible + * for handling incoming queries, set up a new client + * object to handle them while we are waiting for a + * response. There is no need to replace TCP clients + * because those have already been replaced when the + * connection was accepted (if allowed by the TCP quota). + */ + if (client->recursionquota == NULL) { + result = isc_quota_attach(&client->sctx->recursionquota, + &client->recursionquota); + if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + } + + if (result == ISC_R_SOFTQUOTA) { + isc_stdtime_t now; + isc_stdtime_get(&now); + if (now != atomic_load_relaxed(&last_soft)) { + atomic_store_relaxed(&last_soft, now); + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, + ISC_LOG_WARNING, + "recursive-clients soft limit " + "exceeded (%u/%u/%u), " + "aborting oldest query", + isc_quota_getused( + client->recursionquota), + isc_quota_getsoft( + client->recursionquota), + isc_quota_getmax( + client->recursionquota)); + } + ns_client_killoldestquery(client); + result = ISC_R_SUCCESS; + } else if (result == ISC_R_QUOTA) { + isc_stdtime_t now; + isc_stdtime_get(&now); + if (now != atomic_load_relaxed(&last_hard)) { + ns_server_t *sctx = client->sctx; + atomic_store_relaxed(&last_hard, now); + ns_client_log( + client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "no more recursive clients " + "(%u/%u/%u): %s", + isc_quota_getused( + &sctx->recursionquota), + isc_quota_getsoft( + &sctx->recursionquota), + isc_quota_getmax(&sctx->recursionquota), + isc_result_totext(result)); + } + ns_client_killoldestquery(client); + } + if (result != ISC_R_SUCCESS) { + return (result); + } + + dns_message_clonebuffer(client->message); + ns_client_recursing(client); + } + + return (result); +} + +isc_result_t +ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, + dns_name_t *qdomain, dns_rdataset_t *nameservers, + bool resuming) { + isc_result_t result; + dns_rdataset_t *rdataset, *sigrdataset; + isc_sockaddr_t *peeraddr = NULL; + + CTRACE(ISC_LOG_DEBUG(3), "ns_query_recurse"); + + /* + * Check recursion parameters from the previous query to see if they + * match. If not, update recursion parameters and proceed. + */ + if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, + ISC_LOG_INFO, "recursion loop detected"); + return (ISC_R_ALREADYRUNNING); + } + + recparam_update(&client->query.recparam, qtype, qname, qdomain); + + if (!resuming) { + inc_stats(client, ns_statscounter_recursion); + } + + result = check_recursionquota(client); + if (result != ISC_R_SUCCESS) { + return (result); + } + + /* + * Invoke the resolver. + */ + REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns); + REQUIRE(client->query.fetch == NULL); + + rdataset = ns_client_newrdataset(client); + if (rdataset == NULL) { + return (ISC_R_NOMEMORY); + } + + if (WANTDNSSEC(client)) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + ns_client_putrdataset(client, &rdataset); + return (ISC_R_NOMEMORY); + } + } else { + sigrdataset = NULL; + } + + if (!client->query.timerset) { + ns_client_settimeout(client, 60); + } + + if (!TCP(client)) { + peeraddr = &client->peeraddr; + } + + if (client->view->staleanswerclienttimeout > 0 && + client->view->staleanswerclienttimeout != (uint32_t)-1 && + dns_view_staleanswerenabled(client->view)) + { + client->query.fetchoptions |= DNS_FETCHOPT_TRYSTALE_ONTIMEOUT; + } + + isc_nmhandle_attach(client->handle, &client->fetchhandle); + result = dns_resolver_createfetch( + client->view->resolver, qname, qtype, qdomain, nameservers, + NULL, peeraddr, client->message->id, client->query.fetchoptions, + 0, NULL, client->task, fetch_callback, client, rdataset, + sigrdataset, &client->query.fetch); + if (result != ISC_R_SUCCESS) { + isc_nmhandle_detach(&client->fetchhandle); + ns_client_putrdataset(client, &rdataset); + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + } + + /* + * We're now waiting for a fetch event. A client which is + * shutting down will not be destroyed until all the events + * have been received. + */ + + return (result); +} + +/*% + * Restores the query context after resuming from recursion, and + * continues the query processing if needed. + */ +static isc_result_t +query_resume(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + dns_name_t *tname; + isc_buffer_t b; +#ifdef WANT_QUERYTRACE + char mbuf[4 * DNS_NAME_FORMATSIZE]; + char qbuf[DNS_NAME_FORMATSIZE]; + char tbuf[DNS_RDATATYPE_FORMATSIZE]; +#endif /* ifdef WANT_QUERYTRACE */ + + CCTRACE(ISC_LOG_DEBUG(3), "query_resume"); + + CALL_HOOK(NS_QUERY_RESUME_BEGIN, qctx); + + qctx->want_restart = false; + + qctx->rpz_st = qctx->client->query.rpz_st; + if (qctx->rpz_st != NULL && + (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) + { + CCTRACE(ISC_LOG_DEBUG(3), "resume from RPZ recursion"); +#ifdef WANT_QUERYTRACE + { + char pbuf[DNS_NAME_FORMATSIZE] = ""; + char fbuf[DNS_NAME_FORMATSIZE] = ""; + if (qctx->rpz_st->r_name != NULL) { + dns_name_format(qctx->rpz_st->r_name, qbuf, + sizeof(qbuf)); + } else { + snprintf(qbuf, sizeof(qbuf), ""); + } + if (qctx->rpz_st->p_name != NULL) { + dns_name_format(qctx->rpz_st->p_name, pbuf, + sizeof(pbuf)); + } + if (qctx->rpz_st->fname != NULL) { + dns_name_format(qctx->rpz_st->fname, fbuf, + sizeof(fbuf)); + } + + snprintf(mbuf, sizeof(mbuf) - 1, + "rpz rname:%s, pname:%s, qctx->fname:%s", qbuf, + pbuf, fbuf); + CCTRACE(ISC_LOG_DEBUG(3), mbuf); + } +#endif /* ifdef WANT_QUERYTRACE */ + + qctx->is_zone = qctx->rpz_st->q.is_zone; + qctx->authoritative = qctx->rpz_st->q.authoritative; + RESTORE(qctx->zone, qctx->rpz_st->q.zone); + RESTORE(qctx->node, qctx->rpz_st->q.node); + RESTORE(qctx->db, qctx->rpz_st->q.db); + RESTORE(qctx->rdataset, qctx->rpz_st->q.rdataset); + RESTORE(qctx->sigrdataset, qctx->rpz_st->q.sigrdataset); + qctx->qtype = qctx->rpz_st->q.qtype; + + if (qctx->event->node != NULL) { + dns_db_detachnode(qctx->event->db, &qctx->event->node); + } + SAVE(qctx->rpz_st->r.db, qctx->event->db); + qctx->rpz_st->r.r_type = qctx->event->qtype; + SAVE(qctx->rpz_st->r.r_rdataset, qctx->event->rdataset); + ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset); + } else if (REDIRECT(qctx->client)) { + /* + * Restore saved state. + */ + CCTRACE(ISC_LOG_DEBUG(3), "resume from redirect recursion"); +#ifdef WANT_QUERYTRACE + dns_name_format(qctx->client->query.redirect.fname, qbuf, + sizeof(qbuf)); + dns_rdatatype_format(qctx->client->query.redirect.qtype, tbuf, + sizeof(tbuf)); + snprintf(mbuf, sizeof(mbuf) - 1, + "redirect qctx->fname:%s, qtype:%s, auth:%d", qbuf, + tbuf, qctx->client->query.redirect.authoritative); + CCTRACE(ISC_LOG_DEBUG(3), mbuf); +#endif /* ifdef WANT_QUERYTRACE */ + qctx->qtype = qctx->client->query.redirect.qtype; + INSIST(qctx->client->query.redirect.rdataset != NULL); + RESTORE(qctx->rdataset, qctx->client->query.redirect.rdataset); + RESTORE(qctx->sigrdataset, + qctx->client->query.redirect.sigrdataset); + RESTORE(qctx->db, qctx->client->query.redirect.db); + RESTORE(qctx->node, qctx->client->query.redirect.node); + RESTORE(qctx->zone, qctx->client->query.redirect.zone); + qctx->authoritative = + qctx->client->query.redirect.authoritative; + + /* + * Free resources used while recursing. + */ + ns_client_putrdataset(qctx->client, &qctx->event->rdataset); + ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset); + if (qctx->event->node != NULL) { + dns_db_detachnode(qctx->event->db, &qctx->event->node); + } + if (qctx->event->db != NULL) { + dns_db_detach(&qctx->event->db); + } + } else { + CCTRACE(ISC_LOG_DEBUG(3), "resume from normal recursion"); + qctx->authoritative = false; + + qctx->qtype = qctx->event->qtype; + SAVE(qctx->db, qctx->event->db); + SAVE(qctx->node, qctx->event->node); + SAVE(qctx->rdataset, qctx->event->rdataset); + SAVE(qctx->sigrdataset, qctx->event->sigrdataset); + } + INSIST(qctx->rdataset != NULL); + + if (qctx->qtype == dns_rdatatype_rrsig || + qctx->qtype == dns_rdatatype_sig) + { + qctx->type = dns_rdatatype_any; + } else { + qctx->type = qctx->qtype; + } + + CALL_HOOK(NS_QUERY_RESUME_RESTORED, qctx); + + if (DNS64(qctx->client)) { + qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64; + qctx->dns64 = true; + } + + if (DNS64EXCLUDE(qctx->client)) { + qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE; + qctx->dns64_exclude = true; + } + + if (qctx->rpz_st != NULL && + (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) + { + /* + * Has response policy changed out from under us? + */ + if (qctx->rpz_st->rpz_ver != qctx->view->rpzs->rpz_ver) { + ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, + "query_resume: RPZ settings " + "out of date " + "(rpz_ver %d, expected %d)", + qctx->view->rpzs->rpz_ver, + qctx->rpz_st->rpz_ver); + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + } + + /* + * We'll need some resources... + */ + qctx->dbuf = ns_client_getnamebuf(qctx->client); + if (qctx->dbuf == NULL) { + CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_getnamebuf " + "failed (1)"); + QUERY_ERROR(qctx, ISC_R_NOMEMORY); + return (ns_query_done(qctx)); + } + + qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); + if (qctx->fname == NULL) { + CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_newname failed " + "(1)"); + QUERY_ERROR(qctx, ISC_R_NOMEMORY); + return (ns_query_done(qctx)); + } + + if (qctx->rpz_st != NULL && + (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) + { + tname = qctx->rpz_st->fname; + } else if (REDIRECT(qctx->client)) { + tname = qctx->client->query.redirect.fname; + } else { + tname = qctx->event->foundname; + } + + dns_name_copy(tname, qctx->fname); + + if (qctx->rpz_st != NULL && + (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) + { + qctx->rpz_st->r.r_result = qctx->event->result; + result = qctx->rpz_st->q.result; + free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event), + &qctx->event); + } else if (REDIRECT(qctx->client)) { + result = qctx->client->query.redirect.result; + } else { + result = qctx->event->result; + } + + qctx->resuming = true; + + return (query_gotanswer(qctx, result)); + +cleanup: + return (result); +} + +static void +query_hookresume(isc_task_t *task, isc_event_t *event) { + ns_hook_resevent_t *rev = (ns_hook_resevent_t *)event; + ns_hookasync_t *hctx = NULL; + ns_client_t *client = rev->ev_arg; + query_ctx_t *qctx = rev->saved_qctx; + bool canceled; + + CTRACE(ISC_LOG_DEBUG(3), "query_hookresume"); + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(task == client->task); + REQUIRE(event->ev_type == NS_EVENT_HOOKASYNCDONE); + + LOCK(&client->query.fetchlock); + if (client->query.hookactx != NULL) { + INSIST(rev->ctx == client->query.hookactx); + client->query.hookactx = NULL; + canceled = false; + isc_stdtime_get(&client->now); + } else { + canceled = true; + } + UNLOCK(&client->query.fetchlock); + SAVE(hctx, rev->ctx); + + if (client->recursionquota != NULL) { + isc_quota_detach(&client->recursionquota); + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + } + + LOCK(&client->manager->reclock); + if (ISC_LINK_LINKED(client, rlink)) { + ISC_LIST_UNLINK(client->manager->recursing, client, rlink); + } + UNLOCK(&client->manager->reclock); + + /* + * This event is running under a client task, so it's safe to detach + * the fetch handle. And it should be done before resuming query + * processing below, since that may trigger another recursion or + * asynchronous hook event. + */ + isc_nmhandle_detach(&client->fetchhandle); + + client->state = NS_CLIENTSTATE_WORKING; + + if (canceled) { + /* + * Note: unlike fetch_callback, this function doesn't bother + * to check the 'shutdown' condition, as that doesn't seem to + * happen in the latest implementation. + */ + query_error(client, DNS_R_SERVFAIL, __LINE__); + + /* + * There's no other place to free/release any data maintained + * in qctx. We need to do it here to prevent leak. + */ + qctx_clean(qctx); + qctx_freedata(qctx); + + /* + * As we're almost done with this client, make sure any internal + * resource for hooks will be released (if necessary) via the + * QCTX_DESTROYED hook. + */ + qctx->detach_client = true; + } else { + switch (rev->hookpoint) { + case NS_QUERY_SETUP: + (void)query_setup(client, qctx->qtype); + break; + case NS_QUERY_START_BEGIN: + (void)ns__query_start(qctx); + break; + case NS_QUERY_LOOKUP_BEGIN: + (void)query_lookup(qctx); + break; + case NS_QUERY_RESUME_BEGIN: + case NS_QUERY_RESUME_RESTORED: + (void)query_resume(qctx); + break; + case NS_QUERY_GOT_ANSWER_BEGIN: + (void)query_gotanswer(qctx, rev->origresult); + break; + case NS_QUERY_RESPOND_ANY_BEGIN: + (void)query_respond_any(qctx); + break; + case NS_QUERY_ADDANSWER_BEGIN: + (void)query_addanswer(qctx); + break; + case NS_QUERY_NOTFOUND_BEGIN: + (void)query_notfound(qctx); + break; + case NS_QUERY_PREP_DELEGATION_BEGIN: + (void)query_prepare_delegation_response(qctx); + break; + case NS_QUERY_ZONE_DELEGATION_BEGIN: + (void)query_zone_delegation(qctx); + break; + case NS_QUERY_DELEGATION_BEGIN: + (void)query_delegation(qctx); + break; + case NS_QUERY_DELEGATION_RECURSE_BEGIN: + (void)query_delegation_recurse(qctx); + break; + case NS_QUERY_NODATA_BEGIN: + (void)query_nodata(qctx, rev->origresult); + break; + case NS_QUERY_NXDOMAIN_BEGIN: + (void)query_nxdomain(qctx, rev->origresult); + break; + case NS_QUERY_NCACHE_BEGIN: + (void)query_ncache(qctx, rev->origresult); + break; + case NS_QUERY_CNAME_BEGIN: + (void)query_cname(qctx); + break; + case NS_QUERY_DNAME_BEGIN: + (void)query_dname(qctx); + break; + case NS_QUERY_RESPOND_BEGIN: + (void)query_respond(qctx); + break; + case NS_QUERY_PREP_RESPONSE_BEGIN: + (void)query_prepresponse(qctx); + break; + case NS_QUERY_DONE_BEGIN: + case NS_QUERY_DONE_SEND: + (void)ns_query_done(qctx); + break; + + /* Not all hookpoints can use recursion. Catch violations */ + case NS_QUERY_RESPOND_ANY_FOUND: /* due to side effect */ + case NS_QUERY_NOTFOUND_RECURSE: /* in recursion */ + case NS_QUERY_ZEROTTL_RECURSE: /* in recursion */ + default: /* catch-all just in case */ + INSIST(false); + } + } + + hctx->destroy(&hctx); + qctx_destroy(qctx); + isc_mem_put(client->mctx, qctx, sizeof(*qctx)); + isc_event_free(&event); +} + +isc_result_t +ns_query_hookasync(query_ctx_t *qctx, ns_query_starthookasync_t runasync, + void *arg) { + isc_result_t result; + ns_client_t *client = qctx->client; + query_ctx_t *saved_qctx = NULL; + + CTRACE(ISC_LOG_DEBUG(3), "ns_query_hookasync"); + + REQUIRE(NS_CLIENT_VALID(client)); + REQUIRE(client->query.hookactx == NULL); + REQUIRE(client->query.fetch == NULL); + + result = check_recursionquota(client); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + saved_qctx = isc_mem_get(client->mctx, sizeof(*saved_qctx)); + qctx_save(qctx, saved_qctx); + result = runasync(saved_qctx, client->mctx, arg, client->task, + query_hookresume, client, &client->query.hookactx); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + /* + * Typically the runasync() function will trigger recursion, but + * there is no need to set NS_QUERYATTR_RECURSING. The calling hook + * is expected to return NS_HOOK_RETURN, and the RECURSING + * attribute won't be checked anywhere. + * + * Hook-based asynchronous processing cannot coincide with normal + * recursion, so we can safely use fetchhandle here. Unlike in + * ns_query_recurse(), we attach to the handle only if 'runasync' + * succeeds. It should be safe since we're either in the client + * task or pausing it. + */ + isc_nmhandle_attach(client->handle, &client->fetchhandle); + return (ISC_R_SUCCESS); + +cleanup: + /* + * If we fail, send SERVFAIL now. It may be better to let the caller + * decide what to do on failure of this function, but hooks don't have + * access to query_error(). + */ + query_error(client, DNS_R_SERVFAIL, __LINE__); + + /* + * Free all resource related to the query and set detach_client, + * similar to the cancel case of query_hookresume; the callers will + * simply return on failure of this function, so there's no other + * place for this to prevent leak. + */ + if (saved_qctx != NULL) { + qctx_clean(saved_qctx); + qctx_freedata(saved_qctx); + qctx_destroy(saved_qctx); + isc_mem_put(client->mctx, saved_qctx, sizeof(*saved_qctx)); + } + qctx->detach_client = true; + return (result); +} + +/*% + * If the query is recursive, check the SERVFAIL cache to see whether + * identical queries have failed recently. If we find a match, and it was + * from a query with CD=1, *or* if the current query has CD=0, then we just + * return SERVFAIL again. This prevents a validation failure from eliciting a + * SERVFAIL response to a CD=1 query. + */ +isc_result_t +ns__query_sfcache(query_ctx_t *qctx) { + bool failcache; + uint32_t flags; + + /* + * The SERVFAIL cache doesn't apply to authoritative queries. + */ + if (!RECURSIONOK(qctx->client)) { + return (ISC_R_COMPLETE); + } + + flags = 0; +#ifdef ENABLE_AFL + if (qctx->client->sctx->fuzztype == isc_fuzz_resolver) { + failcache = false; + } else { + failcache = dns_badcache_find( + qctx->view->failcache, qctx->client->query.qname, + qctx->qtype, &flags, &qctx->client->tnow); + } +#else /* ifdef ENABLE_AFL */ + failcache = dns_badcache_find(qctx->view->failcache, + qctx->client->query.qname, qctx->qtype, + &flags, &qctx->client->tnow); +#endif /* ifdef ENABLE_AFL */ + if (failcache && + (((flags & NS_FAILCACHE_CD) != 0) || + ((qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0))) + { + if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + dns_name_format(qctx->client->query.qname, namebuf, + sizeof(namebuf)); + dns_rdatatype_format(qctx->qtype, typebuf, + sizeof(typebuf)); + ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(1), + "servfail cache hit %s/%s (%s)", namebuf, + typebuf, + ((flags & NS_FAILCACHE_CD) != 0) ? "CD=1" + : "CD=" + "0"); + } + + qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + + return (ISC_R_COMPLETE); +} + +/*% + * Handle response rate limiting (RRL). + */ +static isc_result_t +query_checkrrl(query_ctx_t *qctx, isc_result_t result) { + /* + * Rate limit these responses to this client. + * Do not delay counting and handling obvious referrals, + * since those won't come here again. + * Delay handling delegations for which we are certain to recurse and + * return here (DNS_R_DELEGATION, not a child of one of our + * own zones, and recursion enabled) + * Don't mess with responses rewritten by RPZ + * Count each response at most once. + */ + + /* + * XXXMPA the rrl system tests fails sometimes and RRL_CHECKED + * is set when we are called the second time preventing the + * response being dropped. + */ + ns_client_log( + qctx->client, DNS_LOGCATEGORY_RRL, NS_LOGMODULE_QUERY, + ISC_LOG_DEBUG(99), + "rrl=%p, HAVECOOKIE=%u, result=%s, " + "fname=%p(%u), is_zone=%u, RECURSIONOK=%u, " + "query.rpz_st=%p(%u), RRL_CHECKED=%u\n", + qctx->client->view->rrl, HAVECOOKIE(qctx->client), + isc_result_toid(result), qctx->fname, + qctx->fname != NULL ? dns_name_isabsolute(qctx->fname) : 0, + qctx->is_zone, RECURSIONOK(qctx->client), + qctx->client->query.rpz_st, + qctx->client->query.rpz_st != NULL + ? ((qctx->client->query.rpz_st->state & + DNS_RPZ_REWRITTEN) != 0) + : 0, + (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) != + 0); + + if (qctx->view->rrl != NULL && !HAVECOOKIE(qctx->client) && + ((qctx->fname != NULL && dns_name_isabsolute(qctx->fname)) || + (result == ISC_R_NOTFOUND && !RECURSIONOK(qctx->client))) && + !(result == DNS_R_DELEGATION && !qctx->is_zone && + RECURSIONOK(qctx->client)) && + (qctx->client->query.rpz_st == NULL || + (qctx->client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && + (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) + { + dns_rdataset_t nc_rdataset; + bool wouldlog; + dns_fixedname_t fixed; + const dns_name_t *constname; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + isc_result_t nc_result, resp_result; + dns_rrl_result_t rrl_result; + + qctx->client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; + + wouldlog = isc_log_wouldlog(ns_lctx, DNS_RRL_LOG_DROP); + constname = qctx->fname; + if (result == DNS_R_NXDOMAIN) { + /* + * Use the database origin name to rate limit NXDOMAIN + */ + if (qctx->db != NULL) { + constname = dns_db_origin(qctx->db); + } + resp_result = result; + } else if (result == DNS_R_NCACHENXDOMAIN && + qctx->rdataset != NULL && + dns_rdataset_isassociated(qctx->rdataset) && + (qctx->rdataset->attributes & + DNS_RDATASETATTR_NEGATIVE) != 0) + { + /* + * Try to use owner name in the negative cache SOA. + */ + dns_fixedname_init(&fixed); + dns_rdataset_init(&nc_rdataset); + for (nc_result = dns_rdataset_first(qctx->rdataset); + nc_result == ISC_R_SUCCESS; + nc_result = dns_rdataset_next(qctx->rdataset)) + { + dns_ncache_current(qctx->rdataset, + dns_fixedname_name(&fixed), + &nc_rdataset); + if (nc_rdataset.type == dns_rdatatype_soa) { + dns_rdataset_disassociate(&nc_rdataset); + constname = dns_fixedname_name(&fixed); + break; + } + dns_rdataset_disassociate(&nc_rdataset); + } + resp_result = DNS_R_NXDOMAIN; + } else if (result == DNS_R_NXRRSET || result == DNS_R_EMPTYNAME) + { + resp_result = DNS_R_NXRRSET; + } else if (result == DNS_R_DELEGATION) { + resp_result = result; + } else if (result == ISC_R_NOTFOUND) { + /* + * Handle referral to ".", including when recursion + * is off or not requested and the hints have not + * been loaded. + */ + constname = dns_rootname; + resp_result = DNS_R_DELEGATION; + } else { + resp_result = ISC_R_SUCCESS; + } + + rrl_result = dns_rrl( + qctx->view, qctx->zone, &qctx->client->peeraddr, + TCP(qctx->client), qctx->client->message->rdclass, + qctx->qtype, constname, resp_result, qctx->client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped or slipped responses in the query + * category so that requests are not silently lost. + * Starts of rate-limited bursts are logged in + * DNS_LOGCATEGORY_RRL. + * + * Dropped responses are counted with dropped queries + * in QryDropped while slipped responses are counted + * with other truncated responses in RespTruncated. + */ + if (wouldlog) { + ns_client_log(qctx->client, DNS_LOGCATEGORY_RRL, + NS_LOGMODULE_QUERY, + DNS_RRL_LOG_DROP, "%s", log_buf); + } + + if (!qctx->view->rrl->log_only) { + if (rrl_result == DNS_RRL_RESULT_DROP) { + /* + * These will also be counted in + * ns_statscounter_dropped + */ + inc_stats(qctx->client, + ns_statscounter_ratedropped); + QUERY_ERROR(qctx, DNS_R_DROP); + } else { + /* + * These will also be counted in + * ns_statscounter_truncatedresp + */ + inc_stats(qctx->client, + ns_statscounter_rateslipped); + if (WANTCOOKIE(qctx->client)) { + qctx->client->message->flags &= + ~DNS_MESSAGEFLAG_AA; + qctx->client->message->flags &= + ~DNS_MESSAGEFLAG_AD; + qctx->client->message->rcode = + dns_rcode_badcookie; + } else { + qctx->client->message->flags |= + DNS_MESSAGEFLAG_TC; + if (resp_result == + DNS_R_NXDOMAIN) + { + qctx->client->message + ->rcode = + dns_rcode_nxdomain; + } + } + } + return (DNS_R_DROP); + } + } + } + + return (ISC_R_SUCCESS); +} + +/*% + * Do any RPZ rewriting that may be needed for this query. + */ +static isc_result_t +query_checkrpz(query_ctx_t *qctx, isc_result_t result) { + isc_result_t rresult; + + CCTRACE(ISC_LOG_DEBUG(3), "query_checkrpz"); + + rresult = rpz_rewrite(qctx->client, qctx->qtype, result, qctx->resuming, + qctx->rdataset, qctx->sigrdataset); + qctx->rpz_st = qctx->client->query.rpz_st; + switch (rresult) { + case ISC_R_SUCCESS: + break; + case ISC_R_NOTFOUND: + case DNS_R_DISALLOWED: + return (result); + case DNS_R_DELEGATION: + /* + * recursing for NS names or addresses, + * so save the main query state + */ + INSIST(!RECURSING(qctx->client)); + qctx->rpz_st->q.qtype = qctx->qtype; + qctx->rpz_st->q.is_zone = qctx->is_zone; + qctx->rpz_st->q.authoritative = qctx->authoritative; + SAVE(qctx->rpz_st->q.zone, qctx->zone); + SAVE(qctx->rpz_st->q.db, qctx->db); + SAVE(qctx->rpz_st->q.node, qctx->node); + SAVE(qctx->rpz_st->q.rdataset, qctx->rdataset); + SAVE(qctx->rpz_st->q.sigrdataset, qctx->sigrdataset); + dns_name_copy(qctx->fname, qctx->rpz_st->fname); + qctx->rpz_st->q.result = result; + qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; + return (ISC_R_COMPLETE); + default: + QUERY_ERROR(qctx, rresult); + return (ISC_R_COMPLETE); + } + + if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS) { + qctx->rpz_st->state |= DNS_RPZ_REWRITTEN; + } + + if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS && + qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && + (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY || + !TCP(qctx->client)) && + qctx->rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) + { + /* + * We got a hit and are going to answer with our + * fiction. Ensure that we answer with the name + * we looked up even if we were stopped short + * in recursion or for a deferral. + */ + dns_name_copy(qctx->client->query.qname, qctx->fname); + rpz_clean(&qctx->zone, &qctx->db, &qctx->node, NULL); + if (qctx->rpz_st->m.rdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->rdataset); + RESTORE(qctx->rdataset, qctx->rpz_st->m.rdataset); + } else { + qctx_clean(qctx); + } + qctx->version = NULL; + + RESTORE(qctx->node, qctx->rpz_st->m.node); + RESTORE(qctx->db, qctx->rpz_st->m.db); + RESTORE(qctx->version, qctx->rpz_st->m.version); + RESTORE(qctx->zone, qctx->rpz_st->m.zone); + + /* + * Add SOA record to additional section + */ + if (qctx->rpz_st->m.rpz->addsoa) { + bool override_ttl = + dns_rdataset_isassociated(qctx->rdataset); + rresult = query_addsoa(qctx, override_ttl, + DNS_SECTION_ADDITIONAL); + if (rresult != ISC_R_SUCCESS) { + QUERY_ERROR(qctx, result); + return (ISC_R_COMPLETE); + } + } + + switch (qctx->rpz_st->m.policy) { + case DNS_RPZ_POLICY_TCP_ONLY: + qctx->client->message->flags |= DNS_MESSAGEFLAG_TC; + if (result == DNS_R_NXDOMAIN || + result == DNS_R_NCACHENXDOMAIN) + { + qctx->client->message->rcode = + dns_rcode_nxdomain; + } + rpz_log_rewrite(qctx->client, false, + qctx->rpz_st->m.policy, + qctx->rpz_st->m.type, qctx->zone, + qctx->rpz_st->p_name, NULL, + qctx->rpz_st->m.rpz->num); + return (ISC_R_COMPLETE); + case DNS_RPZ_POLICY_DROP: + QUERY_ERROR(qctx, DNS_R_DROP); + rpz_log_rewrite(qctx->client, false, + qctx->rpz_st->m.policy, + qctx->rpz_st->m.type, qctx->zone, + qctx->rpz_st->p_name, NULL, + qctx->rpz_st->m.rpz->num); + return (ISC_R_COMPLETE); + case DNS_RPZ_POLICY_NXDOMAIN: + result = DNS_R_NXDOMAIN; + qctx->nxrewrite = true; + qctx->rpz = true; + break; + case DNS_RPZ_POLICY_NODATA: + qctx->nxrewrite = true; + FALLTHROUGH; + case DNS_RPZ_POLICY_DNS64: + result = DNS_R_NXRRSET; + qctx->rpz = true; + break; + case DNS_RPZ_POLICY_RECORD: + result = qctx->rpz_st->m.result; + if (qctx->qtype == dns_rdatatype_any && + result != DNS_R_CNAME) + { + /* + * We will add all of the rdatasets of + * the node by iterating later, + * and set the TTL then. + */ + if (dns_rdataset_isassociated(qctx->rdataset)) { + dns_rdataset_disassociate( + qctx->rdataset); + } + } else { + /* + * We will add this rdataset. + */ + qctx->rdataset->ttl = + ISC_MIN(qctx->rdataset->ttl, + qctx->rpz_st->m.ttl); + } + qctx->rpz = true; + break; + case DNS_RPZ_POLICY_WILDCNAME: { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_cname_t cname; + result = dns_rdataset_first(qctx->rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(qctx->rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + result = query_rpzcname(qctx, &cname.cname); + if (result != ISC_R_SUCCESS) { + return (ISC_R_COMPLETE); + } + qctx->fname = NULL; + qctx->want_restart = true; + return (ISC_R_COMPLETE); + } + case DNS_RPZ_POLICY_CNAME: + /* + * Add overriding CNAME from a named.conf + * response-policy statement + */ + result = query_rpzcname(qctx, + &qctx->rpz_st->m.rpz->cname); + if (result != ISC_R_SUCCESS) { + return (ISC_R_COMPLETE); + } + qctx->fname = NULL; + qctx->want_restart = true; + return (ISC_R_COMPLETE); + default: + UNREACHABLE(); + } + + /* + * Turn off DNSSEC because the results of a + * response policy zone cannot verify. + */ + qctx->client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | + NS_CLIENTATTR_WANTAD); + qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; + ns_client_putrdataset(qctx->client, &qctx->sigrdataset); + qctx->rpz_st->q.is_zone = qctx->is_zone; + qctx->is_zone = true; + rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy, + qctx->rpz_st->m.type, qctx->zone, + qctx->rpz_st->p_name, NULL, + qctx->rpz_st->m.rpz->num); + } + + return (result); +} + +/*% + * Add a CNAME to a query response, including translating foo.evil.com and + * *.evil.com CNAME *.example.com + * to + * foo.evil.com CNAME foo.evil.com.example.com + */ +static isc_result_t +query_rpzcname(query_ctx_t *qctx, dns_name_t *cname) { + ns_client_t *client; + dns_fixedname_t prefix, suffix; + unsigned int labels; + isc_result_t result; + + REQUIRE(qctx != NULL && qctx->client != NULL); + + client = qctx->client; + + CTRACE(ISC_LOG_DEBUG(3), "query_rpzcname"); + + labels = dns_name_countlabels(cname); + if (labels > 2 && dns_name_iswildcard(cname)) { + dns_fixedname_init(&prefix); + dns_name_split(client->query.qname, 1, + dns_fixedname_name(&prefix), NULL); + dns_fixedname_init(&suffix); + dns_name_split(cname, labels - 1, NULL, + dns_fixedname_name(&suffix)); + result = dns_name_concatenate(dns_fixedname_name(&prefix), + dns_fixedname_name(&suffix), + qctx->fname, NULL); + if (result == DNS_R_NAMETOOLONG) { + client->message->rcode = dns_rcode_yxdomain; + } else if (result != ISC_R_SUCCESS) { + return (result); + } + } else { + dns_name_copy(cname, qctx->fname); + } + + ns_client_keepname(client, qctx->fname, qctx->dbuf); + result = query_addcname(qctx, dns_trust_authanswer, + qctx->rpz_st->m.ttl); + if (result != ISC_R_SUCCESS) { + return (result); + } + + rpz_log_rewrite(client, false, qctx->rpz_st->m.policy, + qctx->rpz_st->m.type, qctx->rpz_st->m.zone, + qctx->rpz_st->p_name, qctx->fname, + qctx->rpz_st->m.rpz->num); + + ns_client_qnamereplace(client, qctx->fname); + + /* + * Turn off DNSSEC because the results of a + * response policy zone cannot verify. + */ + client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | + NS_CLIENTATTR_WANTAD); + + return (ISC_R_SUCCESS); +} + +/*% + * Check the configured trust anchors for a root zone trust anchor + * with a key id that matches qctx->client->query.root_key_sentinel_keyid. + * + * Return true when found, otherwise return false. + */ +static bool +has_ta(query_ctx_t *qctx) { + dns_keytable_t *keytable = NULL; + dns_keynode_t *keynode = NULL; + dns_rdataset_t dsset; + dns_keytag_t sentinel = qctx->client->query.root_key_sentinel_keyid; + isc_result_t result; + + result = dns_view_getsecroots(qctx->view, &keytable); + if (result != ISC_R_SUCCESS) { + return (false); + } + + result = dns_keytable_find(keytable, dns_rootname, &keynode); + if (result != ISC_R_SUCCESS) { + if (keynode != NULL) { + dns_keytable_detachkeynode(keytable, &keynode); + } + dns_keytable_detach(&keytable); + return (false); + } + + dns_rdataset_init(&dsset); + if (dns_keynode_dsset(keynode, &dsset)) { + for (result = dns_rdataset_first(&dsset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&dsset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_ds_t ds; + + dns_rdata_reset(&rdata); + dns_rdataset_current(&dsset, &rdata); + result = dns_rdata_tostruct(&rdata, &ds, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (ds.key_tag == sentinel) { + dns_keytable_detachkeynode(keytable, &keynode); + dns_keytable_detach(&keytable); + dns_rdataset_disassociate(&dsset); + return (true); + } + } + dns_rdataset_disassociate(&dsset); + } + + if (keynode != NULL) { + dns_keytable_detachkeynode(keytable, &keynode); + } + + dns_keytable_detach(&keytable); + + return (false); +} + +/*% + * Check if a root key sentinel SERVFAIL should be returned. + */ +static bool +root_key_sentinel_return_servfail(query_ctx_t *qctx, isc_result_t result) { + /* + * Are we looking at a "root-key-sentinel" query? + */ + if (!qctx->client->query.root_key_sentinel_is_ta && + !qctx->client->query.root_key_sentinel_not_ta) + { + return (false); + } + + /* + * We only care about the query if 'result' indicates we have a cached + * answer. + */ + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_CNAME: + case DNS_R_DNAME: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NCACHENXRRSET: + break; + default: + return (false); + } + + /* + * Do we meet the specified conditions to return SERVFAIL? + */ + if (!qctx->is_zone && qctx->rdataset->trust == dns_trust_secure && + ((qctx->client->query.root_key_sentinel_is_ta && !has_ta(qctx)) || + (qctx->client->query.root_key_sentinel_not_ta && has_ta(qctx)))) + { + return (true); + } + + /* + * As special processing may only be triggered by the original QNAME, + * disable it after following a CNAME/DNAME. + */ + qctx->client->query.root_key_sentinel_is_ta = false; + qctx->client->query.root_key_sentinel_not_ta = false; + + return (false); +} + +/*% + * If serving stale answers is allowed, set up 'qctx' to look for one and + * return true; otherwise, return false. + */ +static bool +query_usestale(query_ctx_t *qctx, isc_result_t result) { + if ((qctx->client->query.dboptions & DNS_DBFIND_STALEOK) != 0) { + /* + * Query was already using stale, if that didn't work the + * last time, it won't work this time either. + */ + return (false); + } + + if (qctx->refresh_rrset) { + /* + * This is a refreshing query, we have already prioritized + * stale data, so don't enable serve-stale again. + */ + return (false); + } + + if (result == DNS_R_DUPLICATE || result == DNS_R_DROP || + result == ISC_R_ALREADYRUNNING) + { + /* + * Don't enable serve-stale if the result signals a duplicate + * query or a query that is being dropped or can't proceed + * because of a recursion loop. + */ + return (false); + } + + qctx_clean(qctx); + qctx_freedata(qctx); + + if (dns_view_staleanswerenabled(qctx->client->view)) { + dns_db_attach(qctx->client->view->cachedb, &qctx->db); + qctx->version = NULL; + qctx->client->query.dboptions |= DNS_DBFIND_STALEOK; + if (qctx->client->query.fetch != NULL) { + dns_resolver_destroyfetch(&qctx->client->query.fetch); + } + + /* + * Start the stale-refresh-time window in case there was a + * resolver query timeout. + */ + if (qctx->resuming && result == ISC_R_TIMEDOUT) { + qctx->client->query.dboptions |= DNS_DBFIND_STALESTART; + } + return (true); + } + + return (false); +} + +/*% + * Continue after doing a database lookup or returning from + * recursion, and call out to the next function depending on the + * result from the search. + */ +static isc_result_t +query_gotanswer(query_ctx_t *qctx, isc_result_t res) { + isc_result_t result = res; + char errmsg[256]; + + CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); + + CALL_HOOK(NS_QUERY_GOT_ANSWER_BEGIN, qctx); + + if (query_checkrrl(qctx, result) != ISC_R_SUCCESS) { + return (ns_query_done(qctx)); + } + + if (!dns_name_equal(qctx->client->query.qname, dns_rootname)) { + result = query_checkrpz(qctx, result); + if (result == ISC_R_NOTFOUND) { + /* + * RPZ not configured for this view. + */ + goto root_key_sentinel; + } + if (RECURSING(qctx->client) && result == DNS_R_DISALLOWED) { + /* + * We are recursing, and thus RPZ processing is not + * allowed at the moment. This could happen on a + * "stale-answer-client-timeout" lookup. In this case, + * bail out and wait for recursion to complete, as we + * we can't perform the RPZ rewrite rules. + */ + return (result); + } + if (result == ISC_R_COMPLETE) { + return (ns_query_done(qctx)); + } + } + +root_key_sentinel: + /* + * If required, handle special "root-key-sentinel-is-ta-" and + * "root-key-sentinel-not-ta-" labels by returning SERVFAIL. + */ + if (root_key_sentinel_return_servfail(qctx, result)) { + /* + * Don't record this response in the SERVFAIL cache. + */ + qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + + switch (result) { + case ISC_R_SUCCESS: + return (query_prepresponse(qctx)); + + case DNS_R_GLUE: + case DNS_R_ZONECUT: + INSIST(qctx->is_zone); + qctx->authoritative = false; + return (query_prepresponse(qctx)); + + case ISC_R_NOTFOUND: + return (query_notfound(qctx)); + + case DNS_R_DELEGATION: + return (query_delegation(qctx)); + + case DNS_R_EMPTYNAME: + case DNS_R_NXRRSET: + return (query_nodata(qctx, result)); + + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + return (query_nxdomain(qctx, result)); + + case DNS_R_COVERINGNSEC: + return (query_coveringnsec(qctx)); + + case DNS_R_NCACHENXDOMAIN: + result = query_redirect(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + return (query_ncache(qctx, DNS_R_NCACHENXDOMAIN)); + + case DNS_R_NCACHENXRRSET: + return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); + + case DNS_R_CNAME: + return (query_cname(qctx)); + + case DNS_R_DNAME: + return (query_dname(qctx)); + + default: + /* + * Something has gone wrong. + */ + snprintf(errmsg, sizeof(errmsg) - 1, + "query_gotanswer: unexpected error: %s", + isc_result_totext(result)); + CCTRACE(ISC_LOG_ERROR, errmsg); + if (query_usestale(qctx, result)) { + /* + * If serve-stale is enabled, query_usestale() already + * set up 'qctx' for looking up a stale response. + */ + return (query_lookup(qctx)); + } + + /* + * Regardless of the triggering result, we definitely + * want to return SERVFAIL from here. + */ + qctx->client->rcode_override = dns_rcode_servfail; + + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + +cleanup: + return (result); +} + +static void +query_addnoqnameproof(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + isc_buffer_t *dbuf, b; + dns_name_t *fname = NULL; + dns_rdataset_t *neg = NULL, *negsig = NULL; + isc_result_t result = ISC_R_NOMEMORY; + + CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof"); + + if (qctx->noqname == NULL) { + return; + } + + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + + fname = ns_client_newname(client, dbuf, &b); + neg = ns_client_newrdataset(client); + negsig = ns_client_newrdataset(client); + if (fname == NULL || neg == NULL || negsig == NULL) { + goto cleanup; + } + + result = dns_rdataset_getnoqname(qctx->noqname, fname, neg, negsig); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + query_addrrset(qctx, &fname, &neg, &negsig, dbuf, + DNS_SECTION_AUTHORITY); + + if ((qctx->noqname->attributes & DNS_RDATASETATTR_CLOSEST) == 0) { + goto cleanup; + } + + if (fname == NULL) { + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + } + + if (neg == NULL) { + neg = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(neg)) { + dns_rdataset_disassociate(neg); + } + + if (negsig == NULL) { + negsig = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(negsig)) { + dns_rdataset_disassociate(negsig); + } + + if (fname == NULL || neg == NULL || negsig == NULL) { + goto cleanup; + } + result = dns_rdataset_getclosest(qctx->noqname, fname, neg, negsig); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + query_addrrset(qctx, &fname, &neg, &negsig, dbuf, + DNS_SECTION_AUTHORITY); + +cleanup: + if (neg != NULL) { + ns_client_putrdataset(client, &neg); + } + if (negsig != NULL) { + ns_client_putrdataset(client, &negsig); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } +} + +/*% + * Build the response for a query for type ANY. + */ +static isc_result_t +query_respond_any(query_ctx_t *qctx) { + bool found = false, hidden = false; + dns_rdatasetiter_t *rdsiter = NULL; + isc_result_t result = ISC_R_UNSET; + dns_rdatatype_t onetype = 0; /* type to use for minimal-any */ + isc_buffer_t b; + + CCTRACE(ISC_LOG_DEBUG(3), "query_respond_any"); + + CALL_HOOK(NS_QUERY_RESPOND_ANY_BEGIN, qctx); + + result = dns_db_allrdatasets(qctx->db, qctx->node, qctx->version, 0, 0, + &rdsiter); + if (result != ISC_R_SUCCESS) { + CCTRACE(ISC_LOG_ERROR, "query_respond_any: allrdatasets " + "failed"); + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + + /* + * Calling query_addrrset() with a non-NULL dbuf is going + * to either keep or release the name. We don't want it to + * release fname, since we may have to call query_addrrset() + * more than once. That means we have to call ns_client_keepname() + * now, and pass a NULL dbuf to query_addrrset(). + * + * If we do a query_addrrset() below, we must set qctx->fname to + * NULL before leaving this block, otherwise we might try to + * cleanup qctx->fname even though we're using it! + */ + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + qctx->tname = qctx->fname; + + result = dns_rdatasetiter_first(rdsiter); + while (result == ISC_R_SUCCESS) { + dns_rdatasetiter_current(rdsiter, qctx->rdataset); + + /* + * We found an NS RRset; no need to add one later. + */ + if (qctx->qtype == dns_rdatatype_any && + qctx->rdataset->type == dns_rdatatype_ns) + { + qctx->answer_has_ns = true; + } + + /* + * Note: if we're in this function, then qctx->type + * is guaranteed to be ANY, but qctx->qtype (i.e. the + * original type requested) might have been RRSIG or + * SIG; we need to check for that. + */ + if (qctx->is_zone && qctx->qtype == dns_rdatatype_any && + !dns_db_issecure(qctx->db) && + dns_rdatatype_isdnssec(qctx->rdataset->type)) + { + /* + * The zone may be transitioning from insecure + * to secure. Hide DNSSEC records from ANY queries. + */ + dns_rdataset_disassociate(qctx->rdataset); + hidden = true; + } else if (qctx->view->minimal_any && !TCP(qctx->client) && + !WANTDNSSEC(qctx->client) && + qctx->qtype == dns_rdatatype_any && + (qctx->rdataset->type == dns_rdatatype_sig || + qctx->rdataset->type == dns_rdatatype_rrsig)) + { + CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " + "minimal-any skip signature"); + dns_rdataset_disassociate(qctx->rdataset); + } else if (qctx->view->minimal_any && !TCP(qctx->client) && + onetype != 0 && qctx->rdataset->type != onetype && + qctx->rdataset->covers != onetype) + { + CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " + "minimal-any skip rdataset"); + dns_rdataset_disassociate(qctx->rdataset); + } else if ((qctx->qtype == dns_rdatatype_any || + qctx->rdataset->type == qctx->qtype) && + qctx->rdataset->type != 0) + { + if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) + { + qctx->noqname = qctx->rdataset; + } else { + qctx->noqname = NULL; + } + + qctx->rpz_st = qctx->client->query.rpz_st; + if (qctx->rpz_st != NULL) { + qctx->rdataset->ttl = + ISC_MIN(qctx->rdataset->ttl, + qctx->rpz_st->m.ttl); + } + + if (!qctx->is_zone && RECURSIONOK(qctx->client)) { + dns_name_t *name; + name = (qctx->fname != NULL) ? qctx->fname + : qctx->tname; + query_prefetch(qctx->client, name, + qctx->rdataset); + } + + /* + * Remember the first RRtype we find so we + * can skip others with minimal-any. + */ + if (qctx->rdataset->type == dns_rdatatype_sig || + qctx->rdataset->type == dns_rdatatype_rrsig) + { + onetype = qctx->rdataset->covers; + } else { + onetype = qctx->rdataset->type; + } + + query_addrrset(qctx, + (qctx->fname != NULL) ? &qctx->fname + : &qctx->tname, + &qctx->rdataset, NULL, NULL, + DNS_SECTION_ANSWER); + + query_addnoqnameproof(qctx); + + found = true; + INSIST(qctx->tname != NULL); + + /* + * rdataset is non-NULL only in certain + * pathological cases involving DNAMEs. + */ + if (qctx->rdataset != NULL) { + ns_client_putrdataset(qctx->client, + &qctx->rdataset); + } + + qctx->rdataset = ns_client_newrdataset(qctx->client); + if (qctx->rdataset == NULL) { + break; + } + } else { + /* + * We're not interested in this rdataset. + */ + dns_rdataset_disassociate(qctx->rdataset); + } + + result = dns_rdatasetiter_next(rdsiter); + } + + dns_rdatasetiter_destroy(&rdsiter); + + if (result != ISC_R_NOMORE) { + CCTRACE(ISC_LOG_ERROR, "query_respond_any: rdataset iterator " + "failed"); + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + return (ns_query_done(qctx)); + } + + if (found) { + /* + * Call hook if any answers were found. + * Do this before releasing qctx->fname, in case + * the hook function needs it. + */ + CALL_HOOK(NS_QUERY_RESPOND_ANY_FOUND, qctx); + } + + if (qctx->fname != NULL) { + dns_message_puttempname(qctx->client->message, &qctx->fname); + } + + if (found) { + /* + * At least one matching rdataset was found + */ + query_addauth(qctx); + } else if (qctx->qtype == dns_rdatatype_rrsig || + qctx->qtype == dns_rdatatype_sig) + { + /* + * No matching rdatasets were found, but we got + * here on a search for RRSIG/SIG, so that's okay. + */ + if (!qctx->is_zone) { + qctx->authoritative = false; + qctx->client->attributes &= ~NS_CLIENTATTR_RA; + query_addauth(qctx); + return (ns_query_done(qctx)); + } + + if (qctx->qtype == dns_rdatatype_rrsig && + dns_db_issecure(qctx->db)) + { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(qctx->client->query.qname, namebuf, + sizeof(namebuf)); + ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "missing signature for %s", namebuf); + } + + qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); + return (query_sign_nodata(qctx)); + } else if (!hidden) { + /* + * No matching rdatasets were found and nothing was + * deliberately hidden: something must have gone wrong. + */ + QUERY_ERROR(qctx, DNS_R_SERVFAIL); + } + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/* + * Set the expire time, if requested, when answering from a secondary, + * mirror, or primary zone. + */ +static void +query_getexpire(query_ctx_t *qctx) { + dns_zone_t *raw = NULL, *mayberaw; + + CCTRACE(ISC_LOG_DEBUG(3), "query_getexpire"); + + if (qctx->zone == NULL || !qctx->is_zone || + qctx->qtype != dns_rdatatype_soa || + qctx->client->query.restarts != 0 || + (qctx->client->attributes & NS_CLIENTATTR_WANTEXPIRE) == 0) + { + return; + } + + dns_zone_getraw(qctx->zone, &raw); + mayberaw = (raw != NULL) ? raw : qctx->zone; + + if (dns_zone_gettype(mayberaw) == dns_zone_secondary || + dns_zone_gettype(mayberaw) == dns_zone_mirror) + { + isc_time_t expiretime; + uint32_t secs; + dns_zone_getexpiretime(qctx->zone, &expiretime); + secs = isc_time_seconds(&expiretime); + if (secs >= qctx->client->now && qctx->result == ISC_R_SUCCESS) + { + qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; + qctx->client->expire = secs - qctx->client->now; + } + } else if (dns_zone_gettype(mayberaw) == dns_zone_primary) { + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_soa_t soa; + + result = dns_rdataset_first(qctx->rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + dns_rdataset_current(qctx->rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + qctx->client->expire = soa.expire; + qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; + } + + if (raw != NULL) { + dns_zone_detach(&raw); + } +} + +/*% + * Fill the ANSWER section of a positive response. + */ +static isc_result_t +query_addanswer(query_ctx_t *qctx) { + dns_rdataset_t **sigrdatasetp = NULL; + isc_result_t result = ISC_R_UNSET; + + CCTRACE(ISC_LOG_DEBUG(3), "query_addanswer"); + + CALL_HOOK(NS_QUERY_ADDANSWER_BEGIN, qctx); + + /* + * On normal lookups, clear any rdatasets that were added on a + * lookup due to stale-answer-client-timeout. Do not clear if we + * are going to refresh the RRset, because the stale contents are + * prioritized. + */ + if (QUERY_STALEOK(&qctx->client->query) && + !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) + { + CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); + query_clear_stale(qctx->client); + /* + * We can clear the attribute to prevent redundant clearing + * in subsequent lookups. + */ + qctx->client->query.attributes &= ~NS_QUERYATTR_STALEOK; + } + + if (qctx->dns64) { + result = query_dns64(qctx); + qctx->noqname = NULL; + dns_rdataset_disassociate(qctx->rdataset); + dns_message_puttemprdataset(qctx->client->message, + &qctx->rdataset); + if (result == ISC_R_NOMORE) { +#ifndef dns64_bis_return_excluded_addresses + if (qctx->dns64_exclude) { + if (!qctx->is_zone) { + return (ns_query_done(qctx)); + } + /* + * Add a fake SOA record. + */ + (void)query_addsoa(qctx, 600, + DNS_SECTION_AUTHORITY); + return (ns_query_done(qctx)); + } +#endif /* ifndef dns64_bis_return_excluded_addresses */ + if (qctx->is_zone) { + return (query_nodata(qctx, DNS_R_NXDOMAIN)); + } else { + return (query_ncache(qctx, DNS_R_NXDOMAIN)); + } + } else if (result != ISC_R_SUCCESS) { + qctx->result = result; + return (ns_query_done(qctx)); + } + } else if (qctx->client->query.dns64_aaaaok != NULL) { + query_filter64(qctx); + ns_client_putrdataset(qctx->client, &qctx->rdataset); + } else { + if (!qctx->is_zone && RECURSIONOK(qctx->client) && + !QUERY_STALETIMEOUT(&qctx->client->query)) + { + query_prefetch(qctx->client, qctx->fname, + qctx->rdataset); + } + if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { + sigrdatasetp = &qctx->sigrdataset; + } + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER); + } + + return (ISC_R_COMPLETE); + +cleanup: + return (result); +} + +/*% + * Build a response for a "normal" query, for a type other than ANY, + * for which we have an answer (either positive or negative). + */ +static isc_result_t +query_respond(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + + CCTRACE(ISC_LOG_DEBUG(3), "query_respond"); + + /* + * Check to see if the AAAA RRset has non-excluded addresses + * in it. If not look for a A RRset. + */ + INSIST(qctx->client->query.dns64_aaaaok == NULL); + + if (qctx->qtype == dns_rdatatype_aaaa && !qctx->dns64_exclude && + !ISC_LIST_EMPTY(qctx->view->dns64) && + qctx->client->message->rdclass == dns_rdataclass_in && + !dns64_aaaaok(qctx->client, qctx->rdataset, qctx->sigrdataset)) + { + /* + * Look to see if there are A records for this name. + */ + qctx->client->query.dns64_ttl = qctx->rdataset->ttl; + SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); + SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); + ns_client_releasename(qctx->client, &qctx->fname); + dns_db_detachnode(qctx->db, &qctx->node); + qctx->type = qctx->qtype = dns_rdatatype_a; + qctx->dns64_exclude = qctx->dns64 = true; + + return (query_lookup(qctx)); + } + + /* + * XXX: This hook is meant to be at the top of this function, + * but is postponed until after DNS64 in order to avoid an + * assertion if the hook causes recursion. (When DNS64 also + * becomes a plugin, it will be necessary to find some + * other way to prevent that assertion, since the order in + * which plugins are configured can't be enforced.) + */ + CALL_HOOK(NS_QUERY_RESPOND_BEGIN, qctx); + + if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { + qctx->noqname = qctx->rdataset; + } else { + qctx->noqname = NULL; + } + + /* + * Special case NS handling + */ + if (qctx->is_zone && qctx->qtype == dns_rdatatype_ns) { + /* + * We've already got an NS, no need to add one in + * the authority section + */ + if (dns_name_equal(qctx->client->query.qname, + dns_db_origin(qctx->db))) + { + qctx->answer_has_ns = true; + } + + /* + * Always add glue for root priming queries, regardless + * of "minimal-responses" setting. + */ + if (dns_name_equal(qctx->client->query.qname, dns_rootname)) { + qctx->client->query.attributes &= + ~NS_QUERYATTR_NOADDITIONAL; + dns_db_attach(qctx->db, &qctx->client->query.gluedb); + } + } + + /* + * Set expire time + */ + query_getexpire(qctx); + + result = query_addanswer(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + + query_addnoqnameproof(qctx); + + /* + * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of + * the message to be sent to the client already contains an RRset with + * the same owner name and the same type as 'qctx->rdataset'. This + * should never happen, with one exception: when chasing DNAME records, + * one of the DNAME records placed in the ANSWER section may turn out + * to be the final answer to the client's query, but we have no way of + * knowing that until now. In such a case, 'qctx->rdataset' will be + * freed later, so we do not need to free it here. + */ + INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname); + + query_addauth(qctx); + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +static isc_result_t +query_dns64(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + dns_aclenv_t *env = client->manager->aclenv; + dns_name_t *name, *mname; + dns_rdata_t *dns64_rdata; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t *dns64_rdatalist; + dns_rdataset_t *dns64_rdataset; + dns_rdataset_t *mrdataset; + isc_buffer_t *buffer; + isc_region_t r; + isc_result_t result; + dns_view_t *view = client->view; + isc_netaddr_t netaddr; + dns_dns64_t *dns64; + unsigned int flags = 0; + const dns_section_t section = DNS_SECTION_ANSWER; + + /*% + * To the current response for 'qctx->client', add the answer RRset + * '*rdatasetp' and an optional signature set '*sigrdatasetp', with + * owner name '*namep', to the answer section, unless they are + * already there. Also add any pertinent additional data. + * + * If 'qctx->dbuf' is not NULL, then 'qctx->fname' is the name + * whose data is stored 'qctx->dbuf'. In this case, + * query_addrrset() guarantees that when it returns the name + * will either have been kept or released. + */ + CTRACE(ISC_LOG_DEBUG(3), "query_dns64"); + + qctx->qtype = qctx->type = dns_rdatatype_aaaa; + + name = qctx->fname; + mname = NULL; + mrdataset = NULL; + buffer = NULL; + dns64_rdata = NULL; + dns64_rdataset = NULL; + dns64_rdatalist = NULL; + result = dns_message_findname( + client->message, section, name, dns_rdatatype_aaaa, + qctx->rdataset->covers, &mname, &mrdataset); + if (result == ISC_R_SUCCESS) { + /* + * We've already got an RRset of the given name and type. + * There's nothing else to do; + */ + CTRACE(ISC_LOG_DEBUG(3), "query_dns64: dns_message_findname " + "succeeded: done"); + if (qctx->dbuf != NULL) { + ns_client_releasename(client, &qctx->fname); + } + return (ISC_R_SUCCESS); + } else if (result == DNS_R_NXDOMAIN) { + /* + * The name doesn't exist. + */ + if (qctx->dbuf != NULL) { + ns_client_keepname(client, name, qctx->dbuf); + } + dns_message_addname(client->message, name, section); + qctx->fname = NULL; + mname = name; + } else { + RUNTIME_CHECK(result == DNS_R_NXRRSET); + if (qctx->dbuf != NULL) { + ns_client_releasename(client, &qctx->fname); + } + } + + if (qctx->rdataset->trust != dns_trust_secure) { + client->query.attributes &= ~NS_QUERYATTR_SECURE; + } + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + + isc_buffer_allocate(client->mctx, &buffer, + view->dns64cnt * 16 * + dns_rdataset_count(qctx->rdataset)); + result = dns_message_gettemprdataset(client->message, &dns64_rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = dns_message_gettemprdatalist(client->message, + &dns64_rdatalist); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + dns_rdatalist_init(dns64_rdatalist); + dns64_rdatalist->rdclass = dns_rdataclass_in; + dns64_rdatalist->type = dns_rdatatype_aaaa; + if (client->query.dns64_ttl != UINT32_MAX) { + dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, + client->query.dns64_ttl); + } else { + dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, 600); + } + + if (RECURSIONOK(client)) { + flags |= DNS_DNS64_RECURSIVE; + } + + /* + * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC + * as this provides a easy way to see if the answer was signed. + */ + if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL && + dns_rdataset_isassociated(qctx->sigrdataset)) + { + flags |= DNS_DNS64_DNSSEC; + } + + for (result = dns_rdataset_first(qctx->rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(qctx->rdataset)) + { + for (dns64 = ISC_LIST_HEAD(client->view->dns64); dns64 != NULL; + dns64 = dns_dns64_next(dns64)) + { + dns_rdataset_current(qctx->rdataset, &rdata); + isc_buffer_availableregion(buffer, &r); + INSIST(r.length >= 16); + result = dns_dns64_aaaafroma(dns64, &netaddr, + client->signer, env, flags, + rdata.data, r.base); + if (result != ISC_R_SUCCESS) { + dns_rdata_reset(&rdata); + continue; + } + isc_buffer_add(buffer, 16); + isc_buffer_remainingregion(buffer, &r); + isc_buffer_forward(buffer, 16); + result = dns_message_gettemprdata(client->message, + &dns64_rdata); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + dns_rdata_init(dns64_rdata); + dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in, + dns_rdatatype_aaaa, &r); + ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata, + link); + dns64_rdata = NULL; + dns_rdata_reset(&rdata); + } + } + if (result != ISC_R_NOMORE) { + goto cleanup; + } + + if (ISC_LIST_EMPTY(dns64_rdatalist->rdata)) { + goto cleanup; + } + + result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + dns_rdataset_setownercase(dns64_rdataset, mname); + client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; + dns64_rdataset->trust = qctx->rdataset->trust; + + query_addtoname(mname, dns64_rdataset); + query_setorder(qctx, mname, dns64_rdataset); + + dns64_rdataset = NULL; + dns64_rdatalist = NULL; + dns_message_takebuffer(client->message, &buffer); + inc_stats(client, ns_statscounter_dns64); + result = ISC_R_SUCCESS; + +cleanup: + if (buffer != NULL) { + isc_buffer_free(&buffer); + } + + if (dns64_rdata != NULL) { + dns_message_puttemprdata(client->message, &dns64_rdata); + } + + if (dns64_rdataset != NULL) { + dns_message_puttemprdataset(client->message, &dns64_rdataset); + } + + if (dns64_rdatalist != NULL) { + for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata); + dns64_rdata != NULL; + dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata)) + { + ISC_LIST_UNLINK(dns64_rdatalist->rdata, dns64_rdata, + link); + dns_message_puttemprdata(client->message, &dns64_rdata); + } + dns_message_puttemprdatalist(client->message, &dns64_rdatalist); + } + + CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done"); + return (result); +} + +static void +query_filter64(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + dns_name_t *name, *mname; + dns_rdata_t *myrdata; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t *myrdatalist; + dns_rdataset_t *myrdataset; + isc_buffer_t *buffer; + isc_region_t r; + isc_result_t result; + unsigned int i; + const dns_section_t section = DNS_SECTION_ANSWER; + + CTRACE(ISC_LOG_DEBUG(3), "query_filter64"); + + INSIST(client->query.dns64_aaaaok != NULL); + INSIST(client->query.dns64_aaaaoklen == + dns_rdataset_count(qctx->rdataset)); + + name = qctx->fname; + mname = NULL; + buffer = NULL; + myrdata = NULL; + myrdataset = NULL; + myrdatalist = NULL; + result = dns_message_findname( + client->message, section, name, dns_rdatatype_aaaa, + qctx->rdataset->covers, &mname, &myrdataset); + if (result == ISC_R_SUCCESS) { + /* + * We've already got an RRset of the given name and type. + * There's nothing else to do; + */ + CTRACE(ISC_LOG_DEBUG(3), "query_filter64: dns_message_findname " + "succeeded: done"); + if (qctx->dbuf != NULL) { + ns_client_releasename(client, &qctx->fname); + } + return; + } else if (result == DNS_R_NXDOMAIN) { + mname = name; + qctx->fname = NULL; + } else { + RUNTIME_CHECK(result == DNS_R_NXRRSET); + if (qctx->dbuf != NULL) { + ns_client_releasename(client, &qctx->fname); + } + qctx->dbuf = NULL; + } + + if (qctx->rdataset->trust != dns_trust_secure) { + client->query.attributes &= ~NS_QUERYATTR_SECURE; + } + + isc_buffer_allocate(client->mctx, &buffer, + 16 * dns_rdataset_count(qctx->rdataset)); + result = dns_message_gettemprdataset(client->message, &myrdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = dns_message_gettemprdatalist(client->message, &myrdatalist); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + dns_rdatalist_init(myrdatalist); + myrdatalist->rdclass = dns_rdataclass_in; + myrdatalist->type = dns_rdatatype_aaaa; + myrdatalist->ttl = qctx->rdataset->ttl; + + i = 0; + for (result = dns_rdataset_first(qctx->rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(qctx->rdataset)) + { + if (!client->query.dns64_aaaaok[i++]) { + continue; + } + dns_rdataset_current(qctx->rdataset, &rdata); + INSIST(rdata.length == 16); + isc_buffer_putmem(buffer, rdata.data, rdata.length); + isc_buffer_remainingregion(buffer, &r); + isc_buffer_forward(buffer, rdata.length); + result = dns_message_gettemprdata(client->message, &myrdata); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + dns_rdata_init(myrdata); + dns_rdata_fromregion(myrdata, dns_rdataclass_in, + dns_rdatatype_aaaa, &r); + ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link); + myrdata = NULL; + dns_rdata_reset(&rdata); + } + if (result != ISC_R_NOMORE) { + goto cleanup; + } + + result = dns_rdatalist_tordataset(myrdatalist, myrdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + dns_rdataset_setownercase(myrdataset, name); + client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; + if (mname == name) { + if (qctx->dbuf != NULL) { + ns_client_keepname(client, name, qctx->dbuf); + } + dns_message_addname(client->message, name, section); + qctx->dbuf = NULL; + } + myrdataset->trust = qctx->rdataset->trust; + + query_addtoname(mname, myrdataset); + query_setorder(qctx, mname, myrdataset); + + myrdataset = NULL; + myrdatalist = NULL; + dns_message_takebuffer(client->message, &buffer); + +cleanup: + if (buffer != NULL) { + isc_buffer_free(&buffer); + } + + if (myrdata != NULL) { + dns_message_puttemprdata(client->message, &myrdata); + } + + if (myrdataset != NULL) { + dns_message_puttemprdataset(client->message, &myrdataset); + } + + if (myrdatalist != NULL) { + for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata); + myrdata != NULL; + myrdata = ISC_LIST_HEAD(myrdatalist->rdata)) + { + ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link); + dns_message_puttemprdata(client->message, &myrdata); + } + dns_message_puttemprdatalist(client->message, &myrdatalist); + } + if (qctx->dbuf != NULL) { + ns_client_releasename(client, &name); + } + + CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done"); +} + +/*% + * Handle the case of a name not being found in a database lookup. + * Called from query_gotanswer(). Passes off processing to + * query_delegation() for a root referral if appropriate. + */ +static isc_result_t +query_notfound(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + + CCTRACE(ISC_LOG_DEBUG(3), "query_notfound"); + + CALL_HOOK(NS_QUERY_NOTFOUND_BEGIN, qctx); + + INSIST(!qctx->is_zone); + + if (qctx->db != NULL) { + dns_db_detach(&qctx->db); + } + + /* + * If the cache doesn't even have the root NS, + * try to get that from the hints DB. + */ + if (qctx->view->hints != NULL) { + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, qctx->client, NULL); + + dns_db_attach(qctx->view->hints, &qctx->db); + result = dns_db_findext(qctx->db, dns_rootname, NULL, + dns_rdatatype_ns, 0, qctx->client->now, + &qctx->node, qctx->fname, &cm, &ci, + qctx->rdataset, qctx->sigrdataset); + } else { + /* We have no hints. */ + result = ISC_R_FAILURE; + } + if (result != ISC_R_SUCCESS) { + /* + * Nonsensical root hints may require cleanup. + */ + qctx_clean(qctx); + + /* + * We don't have any root server hints, but + * we may have working forwarders, so try to + * recurse anyway. + */ + if (RECURSIONOK(qctx->client)) { + INSIST(!REDIRECT(qctx->client)); + result = ns_query_recurse(qctx->client, qctx->qtype, + qctx->client->query.qname, + NULL, NULL, qctx->resuming); + if (result == ISC_R_SUCCESS) { + CALL_HOOK(NS_QUERY_NOTFOUND_RECURSE, qctx); + qctx->client->query.attributes |= + NS_QUERYATTR_RECURSING; + + if (qctx->dns64) { + qctx->client->query.attributes |= + NS_QUERYATTR_DNS64; + } + if (qctx->dns64_exclude) { + qctx->client->query.attributes |= + NS_QUERYATTR_DNS64EXCLUDE; + } + } else if (query_usestale(qctx, result)) { + /* + * If serve-stale is enabled, query_usestale() + * already set up 'qctx' for looking up a + * stale response. + */ + return (query_lookup(qctx)); + } else { + QUERY_ERROR(qctx, result); + } + return (ns_query_done(qctx)); + } else { + /* Unable to give root server referral. */ + CCTRACE(ISC_LOG_ERROR, "unable to give root server " + "referral"); + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + } + + return (query_delegation(qctx)); + +cleanup: + return (result); +} + +/*% + * We have a delegation but recursion is not allowed, so return the delegation + * to the client. + */ +static isc_result_t +query_prepare_delegation_response(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + dns_rdataset_t **sigrdatasetp = NULL; + bool detach = false; + + CALL_HOOK(NS_QUERY_PREP_DELEGATION_BEGIN, qctx); + + /* + * qctx->fname could be released in query_addrrset(), so save a copy of + * it here in case we need it. + */ + dns_fixedname_init(&qctx->dsname); + dns_name_copy(qctx->fname, dns_fixedname_name(&qctx->dsname)); + + /* + * This is the best answer. + */ + qctx->client->query.isreferral = true; + + if (!dns_db_iscache(qctx->db) && qctx->client->query.gluedb == NULL) { + dns_db_attach(qctx->db, &qctx->client->query.gluedb); + detach = true; + } + + /* + * We must ensure NOADDITIONAL is off, because the generation of + * additional data is required in delegations. + */ + qctx->client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; + if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { + sigrdatasetp = &qctx->sigrdataset; + } + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, + qctx->dbuf, DNS_SECTION_AUTHORITY); + if (detach) { + dns_db_detach(&qctx->client->query.gluedb); + } + + /* + * Add DS/NSEC(3) record(s) if needed. + */ + query_addds(qctx); + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/*% + * Handle a delegation response from an authoritative lookup. This + * may trigger additional lookups, e.g. from the cache database to + * see if we have a better answer; if that is not allowed, return the + * delegation to the client and call ns_query_done(). + */ +static isc_result_t +query_zone_delegation(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + + CALL_HOOK(NS_QUERY_ZONE_DELEGATION_BEGIN, qctx); + + /* + * If the query type is DS, look to see if we are + * authoritative for the child zone + */ + if (!RECURSIONOK(qctx->client) && + (qctx->options & DNS_GETDB_NOEXACT) != 0 && + qctx->qtype == dns_rdatatype_ds) + { + dns_db_t *tdb = NULL; + dns_zone_t *tzone = NULL; + dns_dbversion_t *tversion = NULL; + result = query_getzonedb( + qctx->client, qctx->client->query.qname, qctx->qtype, + DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion); + if (result != ISC_R_SUCCESS) { + if (tdb != NULL) { + dns_db_detach(&tdb); + } + if (tzone != NULL) { + dns_zone_detach(&tzone); + } + } else { + qctx->options &= ~DNS_GETDB_NOEXACT; + ns_client_putrdataset(qctx->client, &qctx->rdataset); + if (qctx->sigrdataset != NULL) { + ns_client_putrdataset(qctx->client, + &qctx->sigrdataset); + } + if (qctx->fname != NULL) { + ns_client_releasename(qctx->client, + &qctx->fname); + } + if (qctx->node != NULL) { + dns_db_detachnode(qctx->db, &qctx->node); + } + if (qctx->db != NULL) { + dns_db_detach(&qctx->db); + } + if (qctx->zone != NULL) { + dns_zone_detach(&qctx->zone); + } + qctx->version = NULL; + RESTORE(qctx->version, tversion); + RESTORE(qctx->db, tdb); + RESTORE(qctx->zone, tzone); + qctx->authoritative = true; + + return (query_lookup(qctx)); + } + } + + if (USECACHE(qctx->client) && + (RECURSIONOK(qctx->client) || + (qctx->zone != NULL && + dns_zone_gettype(qctx->zone) == dns_zone_mirror))) + { + /* + * We might have a better answer or delegation in the + * cache. We'll remember the current values of fname, + * rdataset, and sigrdataset. We'll then go looking for + * QNAME in the cache. If we find something better, we'll + * use it instead. If not, then query_lookup() calls + * query_notfound() which calls query_delegation(), and + * we'll restore these values there. + */ + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + SAVE(qctx->zdb, qctx->db); + SAVE(qctx->znode, qctx->node); + SAVE(qctx->zfname, qctx->fname); + SAVE(qctx->zversion, qctx->version); + SAVE(qctx->zrdataset, qctx->rdataset); + SAVE(qctx->zsigrdataset, qctx->sigrdataset); + dns_db_attach(qctx->view->cachedb, &qctx->db); + qctx->is_zone = false; + + return (query_lookup(qctx)); + } + + return (query_prepare_delegation_response(qctx)); + +cleanup: + return (result); +} + +/*% + * Handle delegation responses, including root referrals. + * + * If the delegation was returned from authoritative data, + * call query_zone_delgation(). Otherwise, we can start + * recursion if allowed; or else return the delegation to the + * client and call ns_query_done(). + */ +static isc_result_t +query_delegation(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + + CCTRACE(ISC_LOG_DEBUG(3), "query_delegation"); + + CALL_HOOK(NS_QUERY_DELEGATION_BEGIN, qctx); + + qctx->authoritative = false; + + if (qctx->is_zone) { + return (query_zone_delegation(qctx)); + } + + if (qctx->zfname != NULL && + (!dns_name_issubdomain(qctx->fname, qctx->zfname) || + (qctx->is_staticstub_zone && + dns_name_equal(qctx->fname, qctx->zfname)))) + { + /* + * In the following cases use "authoritative" + * data instead of the cache delegation: + * 1. We've already got a delegation from + * authoritative data, and it is better + * than what we found in the cache. + * (See the comment above.) + * 2. The query name matches the origin name + * of a static-stub zone. This needs to be + * considered for the case where the NS of + * the static-stub zone and the cached NS + * are different. We still need to contact + * the nameservers configured in the + * static-stub zone. + */ + ns_client_releasename(qctx->client, &qctx->fname); + + /* + * We've already done ns_client_keepname() on + * qctx->zfname, so we must set dbuf to NULL to + * prevent query_addrrset() from trying to + * call ns_client_keepname() again. + */ + qctx->dbuf = NULL; + ns_client_putrdataset(qctx->client, &qctx->rdataset); + if (qctx->sigrdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->sigrdataset); + } + qctx->version = NULL; + + dns_db_detachnode(qctx->db, &qctx->node); + dns_db_detach(&qctx->db); + RESTORE(qctx->db, qctx->zdb); + RESTORE(qctx->node, qctx->znode); + RESTORE(qctx->fname, qctx->zfname); + RESTORE(qctx->version, qctx->zversion); + RESTORE(qctx->rdataset, qctx->zrdataset); + RESTORE(qctx->sigrdataset, qctx->zsigrdataset); + } + + result = query_delegation_recurse(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + + return (query_prepare_delegation_response(qctx)); + +cleanup: + return (result); +} + +/*% + * Handle recursive queries that are triggered as part of the + * delegation process. + */ +static isc_result_t +query_delegation_recurse(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + dns_name_t *qname = qctx->client->query.qname; + + CCTRACE(ISC_LOG_DEBUG(3), "query_delegation_recurse"); + + if (!RECURSIONOK(qctx->client)) { + return (ISC_R_COMPLETE); + } + + CALL_HOOK(NS_QUERY_DELEGATION_RECURSE_BEGIN, qctx); + + /* + * We have a delegation and recursion is allowed, + * so we call ns_query_recurse() to follow it. + * This phase of the query processing is done; + * we'll resume via fetch_callback() and + * query_resume() when the recursion is complete. + */ + + INSIST(!REDIRECT(qctx->client)); + + if (dns_rdatatype_atparent(qctx->type)) { + /* + * Parent is authoritative for this RDATA type (i.e. DS). + */ + result = ns_query_recurse(qctx->client, qctx->qtype, qname, + NULL, NULL, qctx->resuming); + } else if (qctx->dns64) { + /* + * Look up an A record so we can synthesize DNS64. + */ + result = ns_query_recurse(qctx->client, dns_rdatatype_a, qname, + NULL, NULL, qctx->resuming); + } else { + /* + * Any other recursion. + */ + result = ns_query_recurse(qctx->client, qctx->qtype, qname, + qctx->fname, qctx->rdataset, + qctx->resuming); + } + + if (result == ISC_R_SUCCESS) { + qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; + if (qctx->dns64) { + qctx->client->query.attributes |= NS_QUERYATTR_DNS64; + } + if (qctx->dns64_exclude) { + qctx->client->query.attributes |= + NS_QUERYATTR_DNS64EXCLUDE; + } + } else if (query_usestale(qctx, result)) { + /* + * If serve-stale is enabled, query_usestale() already set up + * 'qctx' for looking up a stale response. + */ + return (query_lookup(qctx)); + } else { + QUERY_ERROR(qctx, result); + } + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/*% + * Add DS/NSEC(3) record(s) if needed. + */ +static void +query_addds(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + dns_fixedname_t fixed; + dns_name_t *fname = NULL; + dns_name_t *rname = NULL; + dns_name_t *name; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + isc_buffer_t *dbuf, b; + isc_result_t result; + unsigned int count; + + CTRACE(ISC_LOG_DEBUG(3), "query_addds"); + + /* + * DS not needed. + */ + if (!WANTDNSSEC(client)) { + return; + } + + /* + * We'll need some resources... + */ + rdataset = ns_client_newrdataset(client); + sigrdataset = ns_client_newrdataset(client); + if (rdataset == NULL || sigrdataset == NULL) { + goto cleanup; + } + + /* + * Look for the DS record, which may or may not be present. + */ + result = dns_db_findrdataset(qctx->db, qctx->node, qctx->version, + dns_rdatatype_ds, 0, client->now, rdataset, + sigrdataset); + /* + * If we didn't find it, look for an NSEC. + */ + if (result == ISC_R_NOTFOUND) { + result = dns_db_findrdataset( + qctx->db, qctx->node, qctx->version, dns_rdatatype_nsec, + 0, client->now, rdataset, sigrdataset); + } + if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { + goto addnsec3; + } + if (!dns_rdataset_isassociated(rdataset) || + !dns_rdataset_isassociated(sigrdataset)) + { + goto addnsec3; + } + + /* + * We've already added the NS record, so if the name's not there, + * we have other problems. + */ + result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + /* + * Find the delegation in the response message - it is not necessarily + * the first name in the AUTHORITY section when wildcard processing is + * involved. + */ + while (result == ISC_R_SUCCESS) { + rname = NULL; + dns_message_currentname(client->message, DNS_SECTION_AUTHORITY, + &rname); + result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL); + if (result == ISC_R_SUCCESS) { + break; + } + result = dns_message_nextname(client->message, + DNS_SECTION_AUTHORITY); + } + + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + /* + * Add the relevant RRset (DS or NSEC) to the delegation. + */ + query_addrrset(qctx, &rname, &rdataset, &sigrdataset, NULL, + DNS_SECTION_AUTHORITY); + goto cleanup; + +addnsec3: + if (!dns_db_iszone(qctx->db)) { + goto cleanup; + } + /* + * Add the NSEC3 which proves the DS does not exist. + */ + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + dns_fixedname_init(&fixed); + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + if (dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + name = dns_fixedname_name(&qctx->dsname); + query_findclosestnsec3(name, qctx->db, qctx->version, client, rdataset, + sigrdataset, fname, true, + dns_fixedname_name(&fixed)); + if (!dns_rdataset_isassociated(rdataset)) { + goto cleanup; + } + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + /* + * Did we find the closest provable encloser instead? + * If so add the nearest to the closest provable encloser. + */ + if (!dns_name_equal(name, dns_fixedname_name(&fixed))) { + count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1; + dns_name_getlabelsequence(name, + dns_name_countlabels(name) - count, + count, dns_fixedname_name(&fixed)); + fixfname(client, &fname, &dbuf, &b); + fixrdataset(client, &rdataset); + fixrdataset(client, &sigrdataset); + if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + goto cleanup; + } + query_findclosestnsec3(dns_fixedname_name(&fixed), qctx->db, + qctx->version, client, rdataset, + sigrdataset, fname, false, NULL); + if (!dns_rdataset_isassociated(rdataset)) { + goto cleanup; + } + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + } + +cleanup: + if (rdataset != NULL) { + ns_client_putrdataset(client, &rdataset); + } + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } +} + +/*% + * Handle authoritative NOERROR/NODATA responses. + */ +static isc_result_t +query_nodata(query_ctx_t *qctx, isc_result_t res) { + isc_result_t result = res; + + CCTRACE(ISC_LOG_DEBUG(3), "query_nodata"); + + CALL_HOOK(NS_QUERY_NODATA_BEGIN, qctx); + +#ifdef dns64_bis_return_excluded_addresses + if (qctx->dns64) +#else /* ifdef dns64_bis_return_excluded_addresses */ + if (qctx->dns64 && !qctx->dns64_exclude) +#endif /* ifdef dns64_bis_return_excluded_addresses */ + { + isc_buffer_t b; + /* + * Restore the answers from the previous AAAA lookup. + */ + if (qctx->rdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->rdataset); + } + if (qctx->sigrdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->sigrdataset); + } + RESTORE(qctx->rdataset, qctx->client->query.dns64_aaaa); + RESTORE(qctx->sigrdataset, qctx->client->query.dns64_sigaaaa); + if (qctx->fname == NULL) { + qctx->dbuf = ns_client_getnamebuf(qctx->client); + if (qctx->dbuf == NULL) { + CCTRACE(ISC_LOG_ERROR, "query_nodata: " + "ns_client_getnamebuf " + "failed (3)"); + QUERY_ERROR(qctx, ISC_R_NOMEMORY); + return (ns_query_done(qctx)); + } + qctx->fname = ns_client_newname(qctx->client, + qctx->dbuf, &b); + if (qctx->fname == NULL) { + CCTRACE(ISC_LOG_ERROR, "query_nodata: " + "ns_client_newname " + "failed (3)"); + QUERY_ERROR(qctx, ISC_R_NOMEMORY); + return (ns_query_done(qctx)); + } + } + dns_name_copy(qctx->client->query.qname, qctx->fname); + qctx->dns64 = false; +#ifdef dns64_bis_return_excluded_addresses + /* + * Resume the diverted processing of the AAAA response? + */ + if (qctx->dns64_exclude) { + return (query_prepresponse(qctx)); + } +#endif /* ifdef dns64_bis_return_excluded_addresses */ + } else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) && + !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite && + qctx->client->message->rdclass == dns_rdataclass_in && + qctx->qtype == dns_rdatatype_aaaa) + { + /* + * Look to see if there are A records for this name. + */ + switch (result) { + case DNS_R_NCACHENXRRSET: + /* + * This is from the negative cache; if the ttl is + * zero, we need to work out whether we have just + * decremented to zero or there was no negative + * cache ttl in the answer. + */ + if (qctx->rdataset->ttl != 0) { + qctx->client->query.dns64_ttl = + qctx->rdataset->ttl; + break; + } + if (dns_rdataset_first(qctx->rdataset) == ISC_R_SUCCESS) + { + qctx->client->query.dns64_ttl = 0; + } + break; + case DNS_R_NXRRSET: + qctx->client->query.dns64_ttl = + dns64_ttl(qctx->db, qctx->version); + break; + default: + UNREACHABLE(); + } + + SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); + SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); + ns_client_releasename(qctx->client, &qctx->fname); + dns_db_detachnode(qctx->db, &qctx->node); + qctx->type = qctx->qtype = dns_rdatatype_a; + qctx->dns64 = true; + return (query_lookup(qctx)); + } + + if (qctx->is_zone) { + return (query_sign_nodata(qctx)); + } else { + /* + * We don't call query_addrrset() because we don't need any + * of its extra features (and things would probably break!). + */ + if (dns_rdataset_isassociated(qctx->rdataset)) { + ns_client_keepname(qctx->client, qctx->fname, + qctx->dbuf); + dns_message_addname(qctx->client->message, qctx->fname, + DNS_SECTION_AUTHORITY); + ISC_LIST_APPEND(qctx->fname->list, qctx->rdataset, + link); + qctx->fname = NULL; + qctx->rdataset = NULL; + } + } + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/*% + * Add RRSIGs for NOERROR/NODATA responses when answering authoritatively. + */ +isc_result_t +query_sign_nodata(query_ctx_t *qctx) { + isc_result_t result; + + CCTRACE(ISC_LOG_DEBUG(3), "query_sign_nodata"); + + /* + * Look for a NSEC3 record if we don't have a NSEC record. + */ + if (qctx->redirected) { + return (ns_query_done(qctx)); + } + if (!dns_rdataset_isassociated(qctx->rdataset) && + WANTDNSSEC(qctx->client)) + { + if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) { + dns_name_t *found; + dns_name_t *qname; + dns_fixedname_t fixed; + isc_buffer_t b; + + found = dns_fixedname_initname(&fixed); + qname = qctx->client->query.qname; + + query_findclosestnsec3(qname, qctx->db, qctx->version, + qctx->client, qctx->rdataset, + qctx->sigrdataset, qctx->fname, + true, found); + /* + * Did we find the closest provable encloser + * instead? If so add the nearest to the + * closest provable encloser. + */ + if (dns_rdataset_isassociated(qctx->rdataset) && + !dns_name_equal(qname, found) && + (((qctx->client->sctx->options & + NS_SERVER_NONEAREST) == 0) || + qctx->qtype == dns_rdatatype_ds)) + { + unsigned int count; + unsigned int skip; + + /* + * Add the closest provable encloser. + */ + query_addrrset(qctx, &qctx->fname, + &qctx->rdataset, + &qctx->sigrdataset, qctx->dbuf, + DNS_SECTION_AUTHORITY); + + count = dns_name_countlabels(found) + 1; + skip = dns_name_countlabels(qname) - count; + dns_name_getlabelsequence(qname, skip, count, + found); + + fixfname(qctx->client, &qctx->fname, + &qctx->dbuf, &b); + fixrdataset(qctx->client, &qctx->rdataset); + fixrdataset(qctx->client, &qctx->sigrdataset); + if (qctx->fname == NULL || + qctx->rdataset == NULL || + qctx->sigrdataset == NULL) + { + CCTRACE(ISC_LOG_ERROR, "query_sign_" + "nodata: " + "failure " + "getting " + "closest " + "encloser"); + QUERY_ERROR(qctx, ISC_R_NOMEMORY); + return (ns_query_done(qctx)); + } + /* + * 'nearest' doesn't exist so + * 'exist' is set to false. + */ + query_findclosestnsec3( + found, qctx->db, qctx->version, + qctx->client, qctx->rdataset, + qctx->sigrdataset, qctx->fname, false, + NULL); + } + } else { + ns_client_releasename(qctx->client, &qctx->fname); + query_addwildcardproof(qctx, false, true); + } + } + if (dns_rdataset_isassociated(qctx->rdataset)) { + /* + * If we've got a NSEC record, we need to save the + * name now because we're going call query_addsoa() + * below, and it needs to use the name buffer. + */ + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + } else if (qctx->fname != NULL) { + /* + * We're not going to use fname, and need to release + * our hold on the name buffer so query_addsoa() + * may use it. + */ + ns_client_releasename(qctx->client, &qctx->fname); + } + + /* + * The RPZ SOA has already been added to the additional section + * if this was an RPZ rewrite, but if it wasn't, add it now. + */ + if (!qctx->nxrewrite) { + result = query_addsoa(qctx, UINT32_MAX, DNS_SECTION_AUTHORITY); + if (result != ISC_R_SUCCESS) { + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + } + + /* + * Add NSEC record if we found one. + */ + if (WANTDNSSEC(qctx->client) && + dns_rdataset_isassociated(qctx->rdataset)) + { + query_addnxrrsetnsec(qctx); + } + + return (ns_query_done(qctx)); +} + +static void +query_addnxrrsetnsec(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + dns_rdata_t sigrdata; + dns_rdata_rrsig_t sig; + unsigned int labels; + isc_buffer_t *dbuf, b; + dns_name_t *fname; + isc_result_t result; + + INSIST(qctx->fname != NULL); + + if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) { + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); + return; + } + + if (qctx->sigrdataset == NULL || + !dns_rdataset_isassociated(qctx->sigrdataset)) + { + return; + } + + if (dns_rdataset_first(qctx->sigrdataset) != ISC_R_SUCCESS) { + return; + } + + dns_rdata_init(&sigrdata); + dns_rdataset_current(qctx->sigrdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + labels = dns_name_countlabels(qctx->fname); + if ((unsigned int)sig.labels + 1 >= labels) { + return; + } + + query_addwildcardproof(qctx, true, false); + + /* + * We'll need some resources... + */ + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + return; + } + + fname = ns_client_newname(client, dbuf, &b); + if (fname == NULL) { + return; + } + + dns_name_split(qctx->fname, sig.labels + 1, NULL, fname); + /* This will succeed, since we've stripped labels. */ + RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname, + NULL) == ISC_R_SUCCESS); + query_addrrset(qctx, &fname, &qctx->rdataset, &qctx->sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); +} + +/*% + * Handle NXDOMAIN and empty wildcard responses. + */ +static isc_result_t +query_nxdomain(query_ctx_t *qctx, isc_result_t res) { + dns_section_t section; + uint32_t ttl; + isc_result_t result = res; + bool empty_wild = (res == DNS_R_EMPTYWILD); + + CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); + + CALL_HOOK(NS_QUERY_NXDOMAIN_BEGIN, qctx); + + INSIST(qctx->is_zone || REDIRECT(qctx->client)); + + if (!empty_wild) { + result = query_redirect(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + } + + if (dns_rdataset_isassociated(qctx->rdataset)) { + /* + * If we've got a NSEC record, we need to save the + * name now because we're going call query_addsoa() + * below, and it needs to use the name buffer. + */ + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + } else if (qctx->fname != NULL) { + /* + * We're not going to use fname, and need to release + * our hold on the name buffer so query_addsoa() + * may use it. + */ + ns_client_releasename(qctx->client, &qctx->fname); + } + + /* + * Add SOA to the additional section if generated by a + * RPZ rewrite. + * + * If the query was for a SOA record force the + * ttl to zero so that it is possible for clients to find + * the containing zone of an arbitrary name with a stub + * resolver and not have it cached. + */ + section = qctx->nxrewrite ? DNS_SECTION_ADDITIONAL + : DNS_SECTION_AUTHORITY; + ttl = UINT32_MAX; + if (!qctx->nxrewrite && qctx->qtype == dns_rdatatype_soa && + qctx->zone != NULL && dns_zone_getzeronosoattl(qctx->zone)) + { + ttl = 0; + } + if (!qctx->nxrewrite || + (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa)) + { + result = query_addsoa(qctx, ttl, section); + if (result != ISC_R_SUCCESS) { + QUERY_ERROR(qctx, result); + return (ns_query_done(qctx)); + } + } + + if (WANTDNSSEC(qctx->client)) { + /* + * Add NSEC record if we found one. + */ + if (dns_rdataset_isassociated(qctx->rdataset)) { + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + &qctx->sigrdataset, NULL, + DNS_SECTION_AUTHORITY); + } + query_addwildcardproof(qctx, false, false); + } + + /* + * Set message rcode. + */ + if (empty_wild) { + qctx->client->message->rcode = dns_rcode_noerror; + } else { + qctx->client->message->rcode = dns_rcode_nxdomain; + } + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/* + * Handle both types of NXDOMAIN redirection, calling redirect() + * (which implements type redirect zones) and redirect2() (which + * implements recursive nxdomain-redirect lookups). + * + * Any result code other than ISC_R_COMPLETE means redirection was + * successful and the result code should be returned up the call stack. + * + * ISC_R_COMPLETE means we reached the end of this function without + * redirecting, so query processing should continue past it. + */ +static isc_result_t +query_redirect(query_ctx_t *qctx) { + isc_result_t result; + + CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); + + result = redirect(qctx->client, qctx->fname, qctx->rdataset, + &qctx->node, &qctx->db, &qctx->version, qctx->type); + switch (result) { + case ISC_R_SUCCESS: + inc_stats(qctx->client, ns_statscounter_nxdomainredirect); + return (query_prepresponse(qctx)); + case DNS_R_NXRRSET: + qctx->redirected = true; + qctx->is_zone = true; + return (query_nodata(qctx, DNS_R_NXRRSET)); + case DNS_R_NCACHENXRRSET: + qctx->redirected = true; + qctx->is_zone = false; + return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); + default: + break; + } + + result = redirect2(qctx->client, qctx->fname, qctx->rdataset, + &qctx->node, &qctx->db, &qctx->version, qctx->type, + &qctx->is_zone); + switch (result) { + case ISC_R_SUCCESS: + inc_stats(qctx->client, ns_statscounter_nxdomainredirect); + return (query_prepresponse(qctx)); + case DNS_R_CONTINUE: + inc_stats(qctx->client, + ns_statscounter_nxdomainredirect_rlookup); + SAVE(qctx->client->query.redirect.db, qctx->db); + SAVE(qctx->client->query.redirect.node, qctx->node); + SAVE(qctx->client->query.redirect.zone, qctx->zone); + qctx->client->query.redirect.qtype = qctx->qtype; + INSIST(qctx->rdataset != NULL); + SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); + SAVE(qctx->client->query.redirect.sigrdataset, + qctx->sigrdataset); + qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN; + dns_name_copy(qctx->fname, qctx->client->query.redirect.fname); + qctx->client->query.redirect.authoritative = + qctx->authoritative; + qctx->client->query.redirect.is_zone = qctx->is_zone; + return (ns_query_done(qctx)); + case DNS_R_NXRRSET: + qctx->redirected = true; + qctx->is_zone = true; + return (query_nodata(qctx, DNS_R_NXRRSET)); + case DNS_R_NCACHENXRRSET: + qctx->redirected = true; + qctx->is_zone = false; + return (query_ncache(qctx, DNS_R_NCACHENXRRSET)); + default: + break; + } + + return (ISC_R_COMPLETE); +} + +/*% + * Logging function to be passed to dns_nsec_noexistnodata. + */ +static void +log_noexistnodata(void *val, int level, const char *fmt, ...) { + query_ctx_t *qctx = val; + va_list ap; + + va_start(ap, fmt); + ns_client_logv(qctx->client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, + level, fmt, ap); + va_end(ap); +} + +static dns_ttl_t +query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset, + dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset, + dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset) { + dns_rdata_soa_t soa; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_ttl_t ttl; + isc_result_t result; + + REQUIRE(soardataset != NULL); + REQUIRE(sigsoardataset != NULL); + REQUIRE(p1rdataset != NULL); + REQUIRE(sigp1rdataset != NULL); + + result = dns_rdataset_first(soardataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(soardataset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + ttl = ISC_MIN(soa.minimum, soardataset->ttl); + ttl = ISC_MIN(ttl, sigsoardataset->ttl); + ttl = ISC_MIN(ttl, p1rdataset->ttl); + ttl = ISC_MIN(ttl, sigp1rdataset->ttl); + if (p2rdataset != NULL) { + ttl = ISC_MIN(ttl, p2rdataset->ttl); + } + if (sigp2rdataset != NULL) { + ttl = ISC_MIN(ttl, sigp2rdataset->ttl); + } + + return (ttl); +} + +/* + * Synthesize a NODATA response from the SOA and covering NSEC in cache. + */ +static isc_result_t +query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer, + dns_rdataset_t **soardatasetp, + dns_rdataset_t **sigsoardatasetp) { + dns_name_t *name = NULL; + dns_ttl_t ttl; + isc_buffer_t *dbuf, b; + isc_result_t result; + + /* + * Determine the correct TTL to use for the SOA and RRSIG + */ + ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, + qctx->sigrdataset, NULL, NULL); + (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; + + /* + * We want the SOA record to be first, so save the + * NODATA proof's name now or else discard it. + */ + if (WANTDNSSEC(qctx->client)) { + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + } else { + ns_client_releasename(qctx->client, &qctx->fname); + } + + dbuf = ns_client_getnamebuf(qctx->client); + if (dbuf == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + name = ns_client_newname(qctx->client, dbuf, &b); + if (name == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + dns_name_copy(signer, name); + + /* + * Add SOA record. Omit the RRSIG if DNSSEC was not requested. + */ + if (!WANTDNSSEC(qctx->client)) { + sigsoardatasetp = NULL; + } + query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, + DNS_SECTION_AUTHORITY); + + if (WANTDNSSEC(qctx->client)) { + /* + * Add NODATA proof. + */ + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); + } + + result = ISC_R_SUCCESS; + inc_stats(qctx->client, ns_statscounter_nodatasynth); + +cleanup: + if (name != NULL) { + ns_client_releasename(qctx->client, &name); + } + return (result); +} + +/* + * Synthesize a wildcard answer using the contents of 'rdataset'. + * qctx contains the NODATA proof. + */ +static isc_result_t +query_synthwildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + dns_name_t *name = NULL; + isc_buffer_t *dbuf, b; + isc_result_t result; + dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; + dns_rdataset_t **sigrdatasetp; + + CCTRACE(ISC_LOG_DEBUG(3), "query_synthwildcard"); + + /* + * We want the answer to be first, so save the + * NOQNAME proof's name now or else discard it. + */ + if (WANTDNSSEC(qctx->client)) { + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + } else { + ns_client_releasename(qctx->client, &qctx->fname); + } + + dbuf = ns_client_getnamebuf(qctx->client); + if (dbuf == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + name = ns_client_newname(qctx->client, dbuf, &b); + if (name == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + dns_name_copy(qctx->client->query.qname, name); + + cloneset = ns_client_newrdataset(qctx->client); + if (cloneset == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + dns_rdataset_clone(rdataset, cloneset); + + /* + * Add answer RRset. Omit the RRSIG if DNSSEC was not requested. + */ + if (WANTDNSSEC(qctx->client)) { + clonesigset = ns_client_newrdataset(qctx->client); + if (clonesigset == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + dns_rdataset_clone(sigrdataset, clonesigset); + sigrdatasetp = &clonesigset; + } else { + sigrdatasetp = NULL; + } + + query_addrrset(qctx, &name, &cloneset, sigrdatasetp, dbuf, + DNS_SECTION_ANSWER); + + if (WANTDNSSEC(qctx->client)) { + /* + * Add NOQNAME proof. + */ + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); + } + + result = ISC_R_SUCCESS; + inc_stats(qctx->client, ns_statscounter_wildcardsynth); + +cleanup: + if (name != NULL) { + ns_client_releasename(qctx->client, &name); + } + if (cloneset != NULL) { + ns_client_putrdataset(qctx->client, &cloneset); + } + if (clonesigset != NULL) { + ns_client_putrdataset(qctx->client, &clonesigset); + } + return (result); +} + +/* + * Add a synthesized CNAME record from the wildard RRset (rdataset) + * and NODATA proof by calling query_synthwildcard then setup to + * follow the CNAME. + */ +static isc_result_t +query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + isc_result_t result; + dns_name_t *tname = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_cname_t cname; + + result = query_synthwildcard(qctx, rdataset, sigrdataset); + if (result != ISC_R_SUCCESS) { + return (result); + } + + qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; + + /* + * Reset qname to be the target name of the CNAME and restart + * the query. + */ + result = dns_message_gettempname(qctx->client->message, &tname); + if (result != ISC_R_SUCCESS) { + return (result); + } + + result = dns_rdataset_first(rdataset); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(qctx->client->message, &tname); + return (result); + } + + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + + if (dns_name_equal(qctx->client->query.qname, &cname.cname)) { + dns_message_puttempname(qctx->client->message, &tname); + dns_rdata_freestruct(&cname); + return (ISC_R_SUCCESS); + } + + dns_name_copy(&cname.cname, tname); + + dns_rdata_freestruct(&cname); + ns_client_qnamereplace(qctx->client, tname); + qctx->want_restart = true; + if (!WANTRECURSION(qctx->client)) { + qctx->options |= DNS_GETDB_NOLOG; + } + + return (result); +} + +/* + * Synthesize a NXDOMAIN or NODATA response from qctx (which contains the + * NOQNAME proof), nowild + nowildrdataset + signowildrdataset (which + * contains the NOWILDCARD proof or NODATA at wildcard) and + * signer + soardatasetp + sigsoardatasetp which contain the + * SOA record + RRSIG for the negative answer. + */ +static isc_result_t +query_synthnxdomainnodata(query_ctx_t *qctx, bool nodata, dns_name_t *nowild, + dns_rdataset_t *nowildrdataset, + dns_rdataset_t *signowildrdataset, dns_name_t *signer, + dns_rdataset_t **soardatasetp, + dns_rdataset_t **sigsoardatasetp) { + dns_name_t *name = NULL; + dns_ttl_t ttl; + isc_buffer_t *dbuf, b; + isc_result_t result; + dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; + + CCTRACE(ISC_LOG_DEBUG(3), "query_synthnxdomain"); + + /* + * Determine the correct TTL to use for the SOA and RRSIG + */ + ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, + qctx->sigrdataset, nowildrdataset, + signowildrdataset); + (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; + + /* + * We want the SOA record to be first, so save the + * NOQNAME proof's name now or else discard it. + */ + if (WANTDNSSEC(qctx->client)) { + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + } else { + ns_client_releasename(qctx->client, &qctx->fname); + } + + dbuf = ns_client_getnamebuf(qctx->client); + if (dbuf == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + name = ns_client_newname(qctx->client, dbuf, &b); + if (name == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + dns_name_copy(signer, name); + + /* + * Add SOA record. Omit the RRSIG if DNSSEC was not requested. + */ + if (!WANTDNSSEC(qctx->client)) { + sigsoardatasetp = NULL; + } + query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, + DNS_SECTION_AUTHORITY); + + if (WANTDNSSEC(qctx->client)) { + /* + * Add NOQNAME proof. + */ + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, + &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); + + dbuf = ns_client_getnamebuf(qctx->client); + if (dbuf == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + name = ns_client_newname(qctx->client, dbuf, &b); + if (name == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + dns_name_copy(nowild, name); + + cloneset = ns_client_newrdataset(qctx->client); + clonesigset = ns_client_newrdataset(qctx->client); + if (cloneset == NULL || clonesigset == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + dns_rdataset_clone(nowildrdataset, cloneset); + dns_rdataset_clone(signowildrdataset, clonesigset); + + /* + * Add NOWILDCARD proof. + */ + query_addrrset(qctx, &name, &cloneset, &clonesigset, dbuf, + DNS_SECTION_AUTHORITY); + } + + if (nodata) { + inc_stats(qctx->client, ns_statscounter_nodatasynth); + } else { + qctx->client->message->rcode = dns_rcode_nxdomain; + inc_stats(qctx->client, ns_statscounter_nxdomainsynth); + } + result = ISC_R_SUCCESS; + +cleanup: + if (name != NULL) { + ns_client_releasename(qctx->client, &name); + } + if (cloneset != NULL) { + ns_client_putrdataset(qctx->client, &cloneset); + } + if (clonesigset != NULL) { + ns_client_putrdataset(qctx->client, &clonesigset); + } + return (result); +} + +/* + * Check that all signer names in sigrdataset match the expected signer. + */ +static isc_result_t +checksignames(dns_name_t *signer, dns_rdataset_t *sigrdataset) { + isc_result_t result; + + for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(sigrdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t rrsig; + + dns_rdataset_current(sigrdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &rrsig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (dns_name_countlabels(signer) == 0) { + dns_name_copy(&rrsig.signer, signer); + } else if (!dns_name_equal(signer, &rrsig.signer)) { + return (ISC_R_FAILURE); + } + } + + return (ISC_R_SUCCESS); +} + +/*% + * Handle covering NSEC responses. + * + * Verify the NSEC record is appropriate for the QNAME; if not, + * redo the initial query without DNS_DBFIND_COVERINGNSEC. + * + * If the covering NSEC proves that the name exists but not the type, + * synthesize a NODATA response. + * + * If the name doesn't exist, compute the wildcard record and check whether + * the wildcard name exists or not. If we can't determine this, redo the + * initial query without DNS_DBFIND_COVERINGNSEC. + * + * If the wildcard name does not exist, compute the SOA name and look that + * up. If the SOA record does not exist, redo the initial query without + * DNS_DBFIND_COVERINGNSEC. If the SOA record exists, synthesize an + * NXDOMAIN response from the found records. + * + * If the wildcard name does exist, perform a lookup for the requested + * type at the wildcard name. + */ +static isc_result_t +query_coveringnsec(query_ctx_t *qctx) { + dns_db_t *db = NULL; + dns_clientinfo_t ci; + dns_clientinfomethods_t cm; + dns_dbnode_t *node = NULL; + dns_fixedname_t fixed; + dns_fixedname_t fnamespace; + dns_fixedname_t fnowild; + dns_fixedname_t fsigner; + dns_fixedname_t fwild; + dns_name_t *fname = NULL; + dns_name_t *namespace = NULL; + dns_name_t *nowild = NULL; + dns_name_t *signer = NULL; + dns_name_t *wild = NULL; + dns_name_t qname; + dns_rdataset_t *soardataset = NULL, *sigsoardataset = NULL; + dns_rdataset_t rdataset, sigrdataset; + bool done = false; + bool exists = true, data = true; + bool redirected = false; + isc_result_t result = ISC_R_SUCCESS; + unsigned int dboptions = qctx->client->query.dboptions; + unsigned int labels; + + CCTRACE(ISC_LOG_DEBUG(3), "query_coveringnsec"); + + dns_name_init(&qname, NULL); + dns_rdataset_init(&rdataset); + dns_rdataset_init(&sigrdataset); + namespace = dns_fixedname_initname(&fnamespace); + + /* + * Check that the NSEC record is from the correct namespace. + * For records that belong to the parent zone (i.e. DS), + * remove a label to find the correct namespace. + */ + dns_name_clone(qctx->client->query.qname, &qname); + labels = dns_name_countlabels(&qname); + if (dns_rdatatype_atparent(qctx->qtype) && labels > 1) { + dns_name_getlabelsequence(&qname, 1, labels - 1, &qname); + } + dns_view_sfd_find(qctx->view, &qname, namespace); + if (!dns_name_issubdomain(qctx->fname, namespace)) { + goto cleanup; + } + + /* + * If we have no signer name, stop immediately. + */ + if (!dns_rdataset_isassociated(qctx->sigrdataset)) { + goto cleanup; + } + + wild = dns_fixedname_initname(&fwild); + fname = dns_fixedname_initname(&fixed); + signer = dns_fixedname_initname(&fsigner); + nowild = dns_fixedname_initname(&fnowild); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, qctx->client, NULL); + + /* + * All signer names must be the same to accept. + */ + result = checksignames(signer, qctx->sigrdataset); + if (result != ISC_R_SUCCESS) { + result = ISC_R_SUCCESS; + goto cleanup; + } + + /* + * If NSEC or RRSIG are missing from the type map + * reject the NSEC RRset. + */ + if (!dns_nsec_requiredtypespresent(qctx->rdataset)) { + goto cleanup; + } + + /* + * Check that we have the correct NOQNAME NSEC record. + */ + result = dns_nsec_noexistnodata(qctx->qtype, qctx->client->query.qname, + qctx->fname, qctx->rdataset, &exists, + &data, wild, log_noexistnodata, qctx); + + if (result != ISC_R_SUCCESS || (exists && data)) { + goto cleanup; + } + + if (exists) { + if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ + goto cleanup; + } + if (!ISC_LIST_EMPTY(qctx->view->dns64) && + (qctx->type == dns_rdatatype_a || + qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ + { + goto cleanup; + } + if (!qctx->resuming && !STALE(qctx->rdataset) && + qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client)) + { + goto cleanup; + } + + soardataset = ns_client_newrdataset(qctx->client); + sigsoardataset = ns_client_newrdataset(qctx->client); + if (soardataset == NULL || sigsoardataset == NULL) { + goto cleanup; + } + + /* + * Look for SOA record to construct NODATA response. + */ + dns_db_attach(qctx->db, &db); + result = dns_db_findext(db, signer, qctx->version, + dns_rdatatype_soa, dboptions, + qctx->client->now, &node, fname, &cm, + &ci, soardataset, sigsoardataset); + + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + (void)query_synthnodata(qctx, signer, &soardataset, + &sigsoardataset); + done = true; + goto cleanup; + } + + /* + * Look up the no-wildcard proof. + */ + dns_db_attach(qctx->db, &db); + result = dns_db_findext(db, wild, qctx->version, qctx->type, + dboptions | DNS_DBFIND_COVERINGNSEC, + qctx->client->now, &node, nowild, &cm, &ci, + &rdataset, &sigrdataset); + + if (rdataset.trust != dns_trust_secure || + sigrdataset.trust != dns_trust_secure) + { + goto cleanup; + } + + /* + * Zero TTL handling of wildcard record. + * + * We don't yet have code to handle synthesis and type ANY or dns64 + * processing so we abort the synthesis here if there would be a + * interaction. + */ + switch (result) { + case ISC_R_SUCCESS: + if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ + goto cleanup; + } + if (!ISC_LIST_EMPTY(qctx->view->dns64) && + (qctx->type == dns_rdatatype_a || + qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ + { + goto cleanup; + } + FALLTHROUGH; + case DNS_R_CNAME: + if (!qctx->resuming && !STALE(&rdataset) && rdataset.ttl == 0 && + RECURSIONOK(qctx->client)) + { + goto cleanup; + } + default: + break; + } + + switch (result) { + case DNS_R_COVERINGNSEC: + /* + * Check that the covering NSEC record is from the right + * namespace. + */ + if (!dns_name_issubdomain(nowild, namespace)) { + goto cleanup; + } + result = dns_nsec_noexistnodata(qctx->qtype, wild, nowild, + &rdataset, &exists, &data, NULL, + log_noexistnodata, qctx); + if (result != ISC_R_SUCCESS || (exists && data)) { + goto cleanup; + } + break; + case ISC_R_SUCCESS: /* wild card match */ + (void)query_synthwildcard(qctx, &rdataset, &sigrdataset); + done = true; + goto cleanup; + case DNS_R_CNAME: /* wild card cname */ + (void)query_synthcnamewildcard(qctx, &rdataset, &sigrdataset); + done = true; + goto cleanup; + case DNS_R_NCACHENXRRSET: /* wild card nodata */ + case DNS_R_NCACHENXDOMAIN: /* direct nxdomain */ + default: + goto cleanup; + } + + /* + * We now have the proof that we have an NXDOMAIN. Apply + * NXDOMAIN redirection if configured. + */ + result = query_redirect(qctx); + if (result != ISC_R_COMPLETE) { + redirected = true; + goto cleanup; + } + + /* + * Must be signed to accept. + */ + if (!dns_rdataset_isassociated(&sigrdataset)) { + goto cleanup; + } + + /* + * Check signer signer names again. + */ + result = checksignames(signer, &sigrdataset); + if (result != ISC_R_SUCCESS) { + result = ISC_R_SUCCESS; + goto cleanup; + } + + if (node != NULL) { + dns_db_detachnode(db, &node); + } + + soardataset = ns_client_newrdataset(qctx->client); + sigsoardataset = ns_client_newrdataset(qctx->client); + if (soardataset == NULL || sigsoardataset == NULL) { + goto cleanup; + } + + /* + * Look for SOA record to construct NXDOMAIN response. + */ + result = dns_db_findext(db, signer, qctx->version, dns_rdatatype_soa, + dboptions, qctx->client->now, &node, fname, &cm, + &ci, soardataset, sigsoardataset); + + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + (void)query_synthnxdomainnodata(qctx, exists, nowild, &rdataset, + &sigrdataset, signer, &soardataset, + &sigsoardataset); + done = true; + +cleanup: + if (dns_rdataset_isassociated(&rdataset)) { + dns_rdataset_disassociate(&rdataset); + } + if (dns_rdataset_isassociated(&sigrdataset)) { + dns_rdataset_disassociate(&sigrdataset); + } + if (soardataset != NULL) { + ns_client_putrdataset(qctx->client, &soardataset); + } + if (sigsoardataset != NULL) { + ns_client_putrdataset(qctx->client, &sigsoardataset); + } + if (db != NULL) { + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + } + + if (redirected) { + return (result); + } + + if (!done) { + /* + * No covering NSEC was found; proceed with recursion. + */ + qctx->findcoveringnsec = false; + if (qctx->fname != NULL) { + ns_client_releasename(qctx->client, &qctx->fname); + } + if (qctx->node != NULL) { + dns_db_detachnode(qctx->db, &qctx->node); + } + ns_client_putrdataset(qctx->client, &qctx->rdataset); + if (qctx->sigrdataset != NULL) { + ns_client_putrdataset(qctx->client, &qctx->sigrdataset); + } + return (query_lookup(qctx)); + } + + return (ns_query_done(qctx)); +} + +/*% + * Handle negative cache responses, DNS_R_NCACHENXRRSET or + * DNS_R_NCACHENXDOMAIN. (Note: may also be called with result + * set to DNS_R_NXDOMAIN when handling DNS64 lookups.) + */ +static isc_result_t +query_ncache(query_ctx_t *qctx, isc_result_t result) { + INSIST(!qctx->is_zone); + INSIST(result == DNS_R_NCACHENXDOMAIN || + result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN); + + CCTRACE(ISC_LOG_DEBUG(3), "query_ncache"); + + CALL_HOOK(NS_QUERY_NCACHE_BEGIN, qctx); + + qctx->authoritative = false; + + if (result == DNS_R_NCACHENXDOMAIN) { + /* + * Set message rcode. (This is not done when + * result == DNS_R_NXDOMAIN because that means we're + * being called after a DNS64 lookup and don't want + * to update the rcode now.) + */ + qctx->client->message->rcode = dns_rcode_nxdomain; + + /* Look for RFC 1918 leakage from Internet. */ + if (qctx->qtype == dns_rdatatype_ptr && + qctx->client->message->rdclass == dns_rdataclass_in && + dns_name_countlabels(qctx->fname) == 7) + { + warn_rfc1918(qctx->client, qctx->fname, qctx->rdataset); + } + } + + return (query_nodata(qctx, result)); + +cleanup: + return (result); +} + +/* + * If we have a zero ttl from the cache, refetch. + */ +static isc_result_t +query_zerottl_refetch(query_ctx_t *qctx) { + isc_result_t result; + + CCTRACE(ISC_LOG_DEBUG(3), "query_zerottl_refetch"); + + if (qctx->is_zone || qctx->resuming || STALE(qctx->rdataset) || + qctx->rdataset->ttl != 0 || !RECURSIONOK(qctx->client)) + { + return (ISC_R_COMPLETE); + } + + qctx_clean(qctx); + + INSIST(!REDIRECT(qctx->client)); + + result = ns_query_recurse(qctx->client, qctx->qtype, + qctx->client->query.qname, NULL, NULL, + qctx->resuming); + if (result == ISC_R_SUCCESS) { + CALL_HOOK(NS_QUERY_ZEROTTL_RECURSE, qctx); + qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; + + if (qctx->dns64) { + qctx->client->query.attributes |= NS_QUERYATTR_DNS64; + } + if (qctx->dns64_exclude) { + qctx->client->query.attributes |= + NS_QUERYATTR_DNS64EXCLUDE; + } + } else { + /* + * There was a zero ttl from the cache, don't fallback to + * serve-stale lookup. + */ + QUERY_ERROR(qctx, result); + } + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/* + * Handle CNAME responses. + */ +static isc_result_t +query_cname(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + dns_name_t *tname = NULL; + dns_rdataset_t *trdataset = NULL; + dns_rdataset_t **sigrdatasetp = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_cname_t cname; + + CCTRACE(ISC_LOG_DEBUG(3), "query_cname"); + + CALL_HOOK(NS_QUERY_CNAME_BEGIN, qctx); + + result = query_zerottl_refetch(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + + /* + * Keep a copy of the rdataset. We have to do this because + * query_addrrset may clear 'rdataset' (to prevent the + * cleanup code from cleaning it up). + */ + trdataset = qctx->rdataset; + + /* + * Add the CNAME to the answer section. + */ + if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { + sigrdatasetp = &qctx->sigrdataset; + } + + if (WANTDNSSEC(qctx->client) && + (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&qctx->wildcardname); + dns_name_copy(qctx->fname, + dns_fixedname_name(&qctx->wildcardname)); + qctx->need_wildcardproof = true; + } + + if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { + qctx->noqname = qctx->rdataset; + } else { + qctx->noqname = NULL; + } + + if (!qctx->is_zone && RECURSIONOK(qctx->client)) { + query_prefetch(qctx->client, qctx->fname, qctx->rdataset); + } + + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, + qctx->dbuf, DNS_SECTION_ANSWER); + + query_addnoqnameproof(qctx); + + /* + * We set the PARTIALANSWER attribute so that if anything goes + * wrong later on, we'll return what we've got so far. + */ + qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; + + /* + * Reset qname to be the target name of the CNAME and restart + * the query. + */ + result = dns_message_gettempname(qctx->client->message, &tname); + if (result != ISC_R_SUCCESS) { + return (ns_query_done(qctx)); + } + + result = dns_rdataset_first(trdataset); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(qctx->client->message, &tname); + return (ns_query_done(qctx)); + } + + dns_rdataset_current(trdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + + dns_name_copy(&cname.cname, tname); + + dns_rdata_freestruct(&cname); + ns_client_qnamereplace(qctx->client, tname); + qctx->want_restart = true; + if (!WANTRECURSION(qctx->client)) { + qctx->options |= DNS_GETDB_NOLOG; + } + + query_addauth(qctx); + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/* + * Handle DNAME responses. + */ +static isc_result_t +query_dname(query_ctx_t *qctx) { + dns_name_t *tname, *prefix; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_dname_t dname; + dns_fixedname_t fixed; + dns_rdataset_t *trdataset; + dns_rdataset_t **sigrdatasetp = NULL; + dns_namereln_t namereln; + isc_buffer_t b; + int order; + isc_result_t result = ISC_R_UNSET; + unsigned int nlabels; + + CCTRACE(ISC_LOG_DEBUG(3), "query_dname"); + + CALL_HOOK(NS_QUERY_DNAME_BEGIN, qctx); + + /* + * Compare the current qname to the found name. We need + * to know how many labels and bits are in common because + * we're going to have to split qname later on. + */ + namereln = dns_name_fullcompare(qctx->client->query.qname, qctx->fname, + &order, &nlabels); + INSIST(namereln == dns_namereln_subdomain); + + /* + * Keep a copy of the rdataset. We have to do this because + * query_addrrset may clear 'rdataset' (to prevent the + * cleanup code from cleaning it up). + */ + trdataset = qctx->rdataset; + + /* + * Add the DNAME to the answer section. + */ + if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { + sigrdatasetp = &qctx->sigrdataset; + } + + if (WANTDNSSEC(qctx->client) && + (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&qctx->wildcardname); + dns_name_copy(qctx->fname, + dns_fixedname_name(&qctx->wildcardname)); + qctx->need_wildcardproof = true; + } + + if (!qctx->is_zone && RECURSIONOK(qctx->client)) { + query_prefetch(qctx->client, qctx->fname, qctx->rdataset); + } + query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, + qctx->dbuf, DNS_SECTION_ANSWER); + + /* + * We set the PARTIALANSWER attribute so that if anything goes + * wrong later on, we'll return what we've got so far. + */ + qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; + + /* + * Get the target name of the DNAME. + */ + tname = NULL; + result = dns_message_gettempname(qctx->client->message, &tname); + if (result != ISC_R_SUCCESS) { + return (ns_query_done(qctx)); + } + + result = dns_rdataset_first(trdataset); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(qctx->client->message, &tname); + return (ns_query_done(qctx)); + } + + dns_rdataset_current(trdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + + dns_name_copy(&dname.dname, tname); + dns_rdata_freestruct(&dname); + + /* + * Construct the new qname consisting of + * . + */ + prefix = dns_fixedname_initname(&fixed); + dns_name_split(qctx->client->query.qname, nlabels, prefix, NULL); + INSIST(qctx->fname == NULL); + qctx->dbuf = ns_client_getnamebuf(qctx->client); + if (qctx->dbuf == NULL) { + dns_message_puttempname(qctx->client->message, &tname); + return (ns_query_done(qctx)); + } + qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); + if (qctx->fname == NULL) { + dns_message_puttempname(qctx->client->message, &tname); + return (ns_query_done(qctx)); + } + result = dns_name_concatenate(prefix, tname, qctx->fname, NULL); + dns_message_puttempname(qctx->client->message, &tname); + + /* + * RFC2672, section 4.1, subsection 3c says + * we should return YXDOMAIN if the constructed + * name would be too long. + */ + if (result == DNS_R_NAMETOOLONG) { + qctx->client->message->rcode = dns_rcode_yxdomain; + } + if (result != ISC_R_SUCCESS) { + return (ns_query_done(qctx)); + } + + ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); + + /* + * Synthesize a CNAME consisting of + * CNAME + * with + * + * Synthesize a CNAME so old old clients that don't understand + * DNAME can chain. + * + * We do not try to synthesize a signature because we hope + * that security aware servers will understand DNAME. Also, + * even if we had an online key, making a signature + * on-the-fly is costly, and not really legitimate anyway + * since the synthesized CNAME is NOT in the zone. + */ + result = query_addcname(qctx, trdataset->trust, trdataset->ttl); + if (result != ISC_R_SUCCESS) { + return (ns_query_done(qctx)); + } + + /* + * If the original query was not for a CNAME or ANY then follow the + * CNAME. + */ + if (qctx->qtype != dns_rdatatype_cname && + qctx->qtype != dns_rdatatype_any) + { + /* + * Switch to the new qname and restart. + */ + ns_client_qnamereplace(qctx->client, qctx->fname); + qctx->fname = NULL; + qctx->want_restart = true; + if (!WANTRECURSION(qctx->client)) { + qctx->options |= DNS_GETDB_NOLOG; + } + } + + query_addauth(qctx); + + return (ns_query_done(qctx)); + +cleanup: + return (result); +} + +/*% + * Add CNAME to response. + */ +static isc_result_t +query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl) { + ns_client_t *client = qctx->client; + dns_rdataset_t *rdataset = NULL; + dns_rdatalist_t *rdatalist = NULL; + dns_rdata_t *rdata = NULL; + isc_region_t r; + dns_name_t *aname = NULL; + isc_result_t result; + + result = dns_message_gettempname(client->message, &aname); + if (result != ISC_R_SUCCESS) { + return (result); + } + + dns_name_copy(client->query.qname, aname); + + result = dns_message_gettemprdatalist(client->message, &rdatalist); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(client->message, &aname); + return (result); + } + + result = dns_message_gettemprdata(client->message, &rdata); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(client->message, &aname); + dns_message_puttemprdatalist(client->message, &rdatalist); + return (result); + } + + result = dns_message_gettemprdataset(client->message, &rdataset); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(client->message, &aname); + dns_message_puttemprdatalist(client->message, &rdatalist); + dns_message_puttemprdata(client->message, &rdata); + return (result); + } + + rdatalist->type = dns_rdatatype_cname; + rdatalist->rdclass = client->message->rdclass; + rdatalist->ttl = ttl; + + dns_name_toregion(qctx->fname, &r); + rdata->data = r.base; + rdata->length = r.length; + rdata->rdclass = client->message->rdclass; + rdata->type = dns_rdatatype_cname; + + ISC_LIST_APPEND(rdatalist->rdata, rdata, link); + RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == + ISC_R_SUCCESS); + rdataset->trust = trust; + dns_rdataset_setownercase(rdataset, aname); + + query_addrrset(qctx, &aname, &rdataset, NULL, NULL, DNS_SECTION_ANSWER); + if (rdataset != NULL) { + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + dns_message_puttemprdataset(client->message, &rdataset); + } + if (aname != NULL) { + dns_message_puttempname(client->message, &aname); + } + + return (ISC_R_SUCCESS); +} + +/*% + * Prepare to respond: determine whether a wildcard proof is needed, + * then hand off to query_respond() or (for type ANY queries) + * query_respond_any(). + */ +static isc_result_t +query_prepresponse(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + + CCTRACE(ISC_LOG_DEBUG(3), "query_prepresponse"); + + CALL_HOOK(NS_QUERY_PREP_RESPONSE_BEGIN, qctx); + + if (WANTDNSSEC(qctx->client) && + (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&qctx->wildcardname); + dns_name_copy(qctx->fname, + dns_fixedname_name(&qctx->wildcardname)); + qctx->need_wildcardproof = true; + } + + if (qctx->type == dns_rdatatype_any) { + return (query_respond_any(qctx)); + } + + result = query_zerottl_refetch(qctx); + if (result != ISC_R_COMPLETE) { + return (result); + } + + return (query_respond(qctx)); + +cleanup: + return (result); +} + +/*% + * Add SOA to the authority section when sending negative responses + * (or to the additional section if sending negative responses triggered + * by RPZ rewriting.) + */ +static isc_result_t +query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, + dns_section_t section) { + ns_client_t *client = qctx->client; + dns_name_t *name = NULL; + dns_dbnode_t *node = NULL; + isc_result_t result, eresult = ISC_R_SUCCESS; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t **sigrdatasetp = NULL; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + CTRACE(ISC_LOG_DEBUG(3), "query_addsoa"); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Don't add the SOA record for test which set "-T nosoa". + */ + if (((client->sctx->options & NS_SERVER_NOSOA) != 0) && + (!WANTDNSSEC(client) || !dns_rdataset_isassociated(qctx->rdataset))) + { + return (ISC_R_SUCCESS); + } + + /* + * Get resources and make 'name' be the database origin. + */ + result = dns_message_gettempname(client->message, &name); + if (result != ISC_R_SUCCESS) { + return (result); + } + + /* + * We'll be releasing 'name' before returning, so it's safe to + * use clone instead of copying here. + */ + dns_name_clone(dns_db_origin(qctx->db), name); + + rdataset = ns_client_newrdataset(client); + if (rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset"); + eresult = DNS_R_SERVFAIL; + goto cleanup; + } + if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset"); + eresult = DNS_R_SERVFAIL; + goto cleanup; + } + } + + /* + * Find the SOA. + */ + result = dns_db_getoriginnode(qctx->db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(qctx->db, node, qctx->version, + dns_rdatatype_soa, 0, client->now, + rdataset, sigrdataset); + } else { + dns_fixedname_t foundname; + dns_name_t *fname; + + fname = dns_fixedname_initname(&foundname); + + result = dns_db_findext(qctx->db, name, qctx->version, + dns_rdatatype_soa, + client->query.dboptions, 0, &node, + fname, &cm, &ci, rdataset, sigrdataset); + } + if (result != ISC_R_SUCCESS) { + /* + * This is bad. We tried to get the SOA RR at the zone top + * and it didn't work! + */ + CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex"); + eresult = DNS_R_SERVFAIL; + } else { + /* + * Extract the SOA MINIMUM. + */ + dns_rdata_soa_t soa; + dns_rdata_t rdata = DNS_RDATA_INIT; + result = dns_rdataset_first(rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + if (override_ttl != UINT32_MAX && override_ttl < rdataset->ttl) + { + rdataset->ttl = override_ttl; + if (sigrdataset != NULL) { + sigrdataset->ttl = override_ttl; + } + } + + /* + * Add the SOA and its SIG to the response, with the + * TTLs adjusted per RFC2308 section 3. + */ + if (rdataset->ttl > soa.minimum) { + rdataset->ttl = soa.minimum; + } + if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum) { + sigrdataset->ttl = soa.minimum; + } + + if (sigrdataset != NULL) { + sigrdatasetp = &sigrdataset; + } else { + sigrdatasetp = NULL; + } + + if (section == DNS_SECTION_ADDITIONAL) { + rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; + } + query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, + section); + } + +cleanup: + ns_client_putrdataset(client, &rdataset); + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (name != NULL) { + ns_client_releasename(client, &name); + } + if (node != NULL) { + dns_db_detachnode(qctx->db, &node); + } + + return (eresult); +} + +/*% + * Add NS to authority section (used when the zone apex is already known). + */ +static isc_result_t +query_addns(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + isc_result_t result, eresult; + dns_name_t *name = NULL, *fname; + dns_dbnode_t *node = NULL; + dns_fixedname_t foundname; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t **sigrdatasetp = NULL; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + CTRACE(ISC_LOG_DEBUG(3), "query_addns"); + + /* + * Initialization. + */ + eresult = ISC_R_SUCCESS; + fname = dns_fixedname_initname(&foundname); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Get resources and make 'name' be the database origin. + */ + result = dns_message_gettempname(client->message, &name); + if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_message_gettempname " + "failed: done"); + return (result); + } + dns_name_clone(dns_db_origin(qctx->db), name); + rdataset = ns_client_newrdataset(client); + if (rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "query_addns: ns_client_newrdataset " + "failed"); + eresult = DNS_R_SERVFAIL; + goto cleanup; + } + + if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "query_addns: " + "ns_client_newrdataset failed"); + eresult = DNS_R_SERVFAIL; + goto cleanup; + } + } + + /* + * Find the NS rdataset. + */ + result = dns_db_getoriginnode(qctx->db, &node); + if (result == ISC_R_SUCCESS) { + result = dns_db_findrdataset(qctx->db, node, qctx->version, + dns_rdatatype_ns, 0, client->now, + rdataset, sigrdataset); + } else { + CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find"); + result = dns_db_findext(qctx->db, name, NULL, dns_rdatatype_ns, + client->query.dboptions, 0, &node, + fname, &cm, &ci, rdataset, sigrdataset); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete"); + } + if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, "query_addns: " + "dns_db_findrdataset or dns_db_find " + "failed"); + /* + * This is bad. We tried to get the NS rdataset at the zone + * top and it didn't work! + */ + eresult = DNS_R_SERVFAIL; + } else { + if (sigrdataset != NULL) { + sigrdatasetp = &sigrdataset; + } + query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, + DNS_SECTION_AUTHORITY); + } + +cleanup: + CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup"); + ns_client_putrdataset(client, &rdataset); + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (name != NULL) { + ns_client_releasename(client, &name); + } + if (node != NULL) { + dns_db_detachnode(qctx->db, &node); + } + + CTRACE(ISC_LOG_DEBUG(3), "query_addns: done"); + return (eresult); +} + +/*% + * Find the zone cut and add the best NS rrset to the authority section. + */ +static void +query_addbestns(query_ctx_t *qctx) { + ns_client_t *client = qctx->client; + dns_db_t *db = NULL, *zdb = NULL; + dns_dbnode_t *node = NULL; + dns_name_t *fname = NULL, *zfname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t *zrdataset = NULL, *zsigrdataset = NULL; + bool is_zone = false, use_zone = false; + isc_buffer_t *dbuf = NULL; + isc_result_t result; + dns_dbversion_t *version = NULL; + dns_zone_t *zone = NULL; + isc_buffer_t b; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * Find the right database. + */ + result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0, + &zone, &db, &version, &is_zone); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + +db_find: + /* + * We'll need some resources... + */ + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + rdataset = ns_client_newrdataset(client); + if (fname == NULL || rdataset == NULL) { + goto cleanup; + } + + /* + * Get the RRSIGs if the client requested them or if we may + * need to validate answers from the cache. + */ + if (WANTDNSSEC(client) || !is_zone) { + sigrdataset = ns_client_newrdataset(client); + if (sigrdataset == NULL) { + goto cleanup; + } + } + + /* + * Now look for the zonecut. + */ + if (is_zone) { + result = dns_db_findext( + db, client->query.qname, version, dns_rdatatype_ns, + client->query.dboptions, client->now, &node, fname, &cm, + &ci, rdataset, sigrdataset); + if (result != DNS_R_DELEGATION) { + goto cleanup; + } + if (USECACHE(client)) { + ns_client_keepname(client, fname, dbuf); + dns_db_detachnode(db, &node); + SAVE(zdb, db); + SAVE(zfname, fname); + SAVE(zrdataset, rdataset); + SAVE(zsigrdataset, sigrdataset); + version = NULL; + dns_db_attach(client->view->cachedb, &db); + is_zone = false; + goto db_find; + } + } else { + result = dns_db_findzonecut( + db, client->query.qname, client->query.dboptions, + client->now, &node, fname, NULL, rdataset, sigrdataset); + if (result == ISC_R_SUCCESS) { + if (zfname != NULL && + !dns_name_issubdomain(fname, zfname)) + { + /* + * We found a zonecut in the cache, but our + * zone delegation is better. + */ + use_zone = true; + } + } else if (result == ISC_R_NOTFOUND && zfname != NULL) { + /* + * We didn't find anything in the cache, but we + * have a zone delegation, so use it. + */ + use_zone = true; + } else { + goto cleanup; + } + } + + if (use_zone) { + ns_client_releasename(client, &fname); + /* + * We've already done ns_client_keepname() on + * zfname, so we must set dbuf to NULL to + * prevent query_addrrset() from trying to + * call ns_client_keepname() again. + */ + dbuf = NULL; + ns_client_putrdataset(client, &rdataset); + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + + if (node != NULL) { + dns_db_detachnode(db, &node); + } + dns_db_detach(&db); + + RESTORE(db, zdb); + RESTORE(fname, zfname); + RESTORE(rdataset, zrdataset); + RESTORE(sigrdataset, zsigrdataset); + } + + /* + * Attempt to validate RRsets that are pending or that are glue. + */ + if ((DNS_TRUST_PENDING(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && + !validate(client, db, fname, rdataset, sigrdataset) && + !PENDINGOK(client->query.dboptions)) + { + goto cleanup; + } + + if ((DNS_TRUST_GLUE(rdataset->trust) || + (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && + !validate(client, db, fname, rdataset, sigrdataset) && + SECURE(client) && WANTDNSSEC(client)) + { + goto cleanup; + } + + /* + * If the answer is secure only add NS records if they are secure + * when the client may be looking for AD in the response. + */ + if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) && + ((rdataset->trust != dns_trust_secure) || + (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure))) + { + goto cleanup; + } + + /* + * If the client doesn't want DNSSEC we can discard the sigrdataset + * now. + */ + if (!WANTDNSSEC(client)) { + ns_client_putrdataset(client, &sigrdataset); + } + + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + +cleanup: + if (rdataset != NULL) { + ns_client_putrdataset(client, &rdataset); + } + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } + if (node != NULL) { + dns_db_detachnode(db, &node); + } + if (db != NULL) { + dns_db_detach(&db); + } + if (zone != NULL) { + dns_zone_detach(&zone); + } + if (zdb != NULL) { + ns_client_putrdataset(client, &zrdataset); + if (zsigrdataset != NULL) { + ns_client_putrdataset(client, &zsigrdataset); + } + if (zfname != NULL) { + ns_client_releasename(client, &zfname); + } + dns_db_detach(&zdb); + } +} + +static void +query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata) { + ns_client_t *client = qctx->client; + isc_buffer_t *dbuf, b; + dns_name_t *name; + dns_name_t *fname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_fixedname_t wfixed; + dns_name_t *wname; + dns_dbnode_t *node = NULL; + unsigned int options; + unsigned int olabels, nlabels, labels; + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_nsec_t nsec; + bool have_wname; + int order; + dns_fixedname_t cfixed; + dns_name_t *cname; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + + CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof"); + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client, NULL); + + /* + * If a name has been specifically flagged as needing + * a wildcard proof then it will have been copied to + * qctx->wildcardname. Otherwise we just use the client + * QNAME. + */ + if (qctx->need_wildcardproof) { + name = dns_fixedname_name(&qctx->wildcardname); + } else { + name = client->query.qname; + } + + /* + * Get the NOQNAME proof then if !ispositive + * get the NOWILDCARD proof. + * + * DNS_DBFIND_NOWILD finds the NSEC records that covers the + * name ignoring any wildcard. From the owner and next names + * of this record you can compute which wildcard (if it exists) + * will match by finding the longest common suffix of the + * owner name and next names with the qname and prefixing that + * with the wildcard label. + * + * e.g. + * Given: + * example SOA + * example NSEC b.example + * b.example A + * b.example NSEC a.d.example + * a.d.example A + * a.d.example NSEC g.f.example + * g.f.example A + * g.f.example NSEC z.i.example + * z.i.example A + * z.i.example NSEC example + * + * QNAME: + * a.example -> example NSEC b.example + * owner common example + * next common example + * wild *.example + * d.b.example -> b.example NSEC a.d.example + * owner common b.example + * next common example + * wild *.b.example + * a.f.example -> a.d.example NSEC g.f.example + * owner common example + * next common f.example + * wild *.f.example + * j.example -> z.i.example NSEC example + * owner common example + * next common example + * wild *.example + */ + options = client->query.dboptions | DNS_DBFIND_NOWILD; + wname = dns_fixedname_initname(&wfixed); +again: + have_wname = false; + /* + * We'll need some resources... + */ + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + rdataset = ns_client_newrdataset(client); + sigrdataset = ns_client_newrdataset(client); + if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + goto cleanup; + } + + result = dns_db_findext(qctx->db, name, qctx->version, + dns_rdatatype_nsec, options, 0, &node, fname, + &cm, &ci, rdataset, sigrdataset); + if (node != NULL) { + dns_db_detachnode(qctx->db, &node); + } + + if (!dns_rdataset_isassociated(rdataset)) { + /* + * No NSEC proof available, return NSEC3 proofs instead. + */ + cname = dns_fixedname_initname(&cfixed); + /* + * Find the closest encloser. + */ + dns_name_copy(name, cname); + while (result == DNS_R_NXDOMAIN) { + labels = dns_name_countlabels(cname) - 1; + /* + * Sanity check. + */ + if (labels == 0U) { + goto cleanup; + } + dns_name_split(cname, labels, NULL, cname); + result = dns_db_findext(qctx->db, cname, qctx->version, + dns_rdatatype_nsec, options, 0, + NULL, fname, &cm, &ci, NULL, + NULL); + } + /* + * Add closest (provable) encloser NSEC3. + */ + query_findclosestnsec3(cname, qctx->db, qctx->version, client, + rdataset, sigrdataset, fname, true, + cname); + if (!dns_rdataset_isassociated(rdataset)) { + goto cleanup; + } + if (!ispositive) { + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, + dbuf, DNS_SECTION_AUTHORITY); + } + + /* + * Replace resources which were consumed by query_addrrset. + */ + if (fname == NULL) { + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + } + + if (rdataset == NULL) { + rdataset = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + + if (sigrdataset == NULL) { + sigrdataset = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + + if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + goto cleanup; + } + /* + * Add no qname proof. + */ + labels = dns_name_countlabels(cname) + 1; + if (dns_name_countlabels(name) == labels) { + dns_name_copy(name, wname); + } else { + dns_name_split(name, labels, NULL, wname); + } + + query_findclosestnsec3(wname, qctx->db, qctx->version, client, + rdataset, sigrdataset, fname, false, + NULL); + if (!dns_rdataset_isassociated(rdataset)) { + goto cleanup; + } + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + + if (ispositive) { + goto cleanup; + } + + /* + * Replace resources which were consumed by query_addrrset. + */ + if (fname == NULL) { + dbuf = ns_client_getnamebuf(client); + if (dbuf == NULL) { + goto cleanup; + } + fname = ns_client_newname(client, dbuf, &b); + } + + if (rdataset == NULL) { + rdataset = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } + + if (sigrdataset == NULL) { + sigrdataset = ns_client_newrdataset(client); + } else if (dns_rdataset_isassociated(sigrdataset)) { + dns_rdataset_disassociate(sigrdataset); + } + + if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + goto cleanup; + } + /* + * Add the no wildcard proof. + */ + result = dns_name_concatenate(dns_wildcardname, cname, wname, + NULL); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + query_findclosestnsec3(wname, qctx->db, qctx->version, client, + rdataset, sigrdataset, fname, nodata, + NULL); + if (!dns_rdataset_isassociated(rdataset)) { + goto cleanup; + } + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + + goto cleanup; + } else if (result == DNS_R_NXDOMAIN) { + if (!ispositive) { + result = dns_rdataset_first(rdataset); + } + if (result == ISC_R_SUCCESS) { + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &nsec, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + (void)dns_name_fullcompare(name, fname, &order, + &olabels); + (void)dns_name_fullcompare(name, &nsec.next, &order, + &nlabels); + /* + * Check for a pathological condition created when + * serving some malformed signed zones and bail out. + */ + if (dns_name_countlabels(name) == nlabels) { + goto cleanup; + } + + if (olabels > nlabels) { + dns_name_split(name, olabels, NULL, wname); + } else { + dns_name_split(name, nlabels, NULL, wname); + } + result = dns_name_concatenate(dns_wildcardname, wname, + wname, NULL); + if (result == ISC_R_SUCCESS) { + have_wname = true; + } + dns_rdata_freestruct(&nsec); + } + query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, + DNS_SECTION_AUTHORITY); + } + if (rdataset != NULL) { + ns_client_putrdataset(client, &rdataset); + } + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } + if (have_wname) { + ispositive = true; /* prevent loop */ + if (!dns_name_equal(name, wname)) { + name = wname; + goto again; + } + } +cleanup: + if (rdataset != NULL) { + ns_client_putrdataset(client, &rdataset); + } + if (sigrdataset != NULL) { + ns_client_putrdataset(client, &sigrdataset); + } + if (fname != NULL) { + ns_client_releasename(client, &fname); + } +} + +/*% + * Add NS records, and NSEC/NSEC3 wildcard proof records if needed, + * to the authority section. + */ +static void +query_addauth(query_ctx_t *qctx) { + CCTRACE(ISC_LOG_DEBUG(3), "query_addauth"); + /* + * Add NS records to the authority section (if we haven't already + * added them to the answer section). + */ + if (!qctx->want_restart && !NOAUTHORITY(qctx->client)) { + if (qctx->is_zone) { + if (!qctx->answer_has_ns) { + (void)query_addns(qctx); + } + } else if (!qctx->answer_has_ns && + qctx->qtype != dns_rdatatype_ns) + { + if (qctx->fname != NULL) { + ns_client_releasename(qctx->client, + &qctx->fname); + } + query_addbestns(qctx); + } + } + + /* + * Add NSEC records to the authority section if they're needed for + * DNSSEC wildcard proofs. + */ + if (qctx->need_wildcardproof && dns_db_issecure(qctx->db)) { + query_addwildcardproof(qctx, true, false); + } +} + +/* + * Find the sort order of 'rdata' in the topology-like + * ACL forming the second element in a 2-element top-level + * sortlist statement. + */ +static int +query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) { + isc_netaddr_t netaddr; + + if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { + return (INT_MAX); + } + return (ns_sortlist_addrorder2(&netaddr, arg)); +} + +/* + * Find the sort order of 'rdata' in the matching element + * of a 1-element top-level sortlist statement. + */ +static int +query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) { + isc_netaddr_t netaddr; + + if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { + return (INT_MAX); + } + return (ns_sortlist_addrorder1(&netaddr, arg)); +} + +/* + * Find the sortlist statement that applies to 'client' and set up + * the sortlist info in in client->message appropriately. + */ +static void +query_setup_sortlist(query_ctx_t *qctx) { + isc_netaddr_t netaddr; + ns_client_t *client = qctx->client; + dns_aclenv_t *env = client->manager->aclenv; + dns_acl_t *acl = NULL; + dns_aclelement_t *elt = NULL; + void *order_arg = NULL; + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr, + &order_arg)) + { + case NS_SORTLISTTYPE_1ELEMENT: + elt = order_arg; + dns_message_setsortorder(client->message, + query_sortlist_order_1element, env, + NULL, elt); + break; + case NS_SORTLISTTYPE_2ELEMENT: + acl = order_arg; + dns_message_setsortorder(client->message, + query_sortlist_order_2element, env, + acl, NULL); + dns_acl_detach(&acl); + break; + case NS_SORTLISTTYPE_NONE: + break; + default: + UNREACHABLE(); + } +} + +/* + * When sending a referral, if the answer to the question is + * in the glue, sort it to the start of the additional section. + */ +static void +query_glueanswer(query_ctx_t *qctx) { + const dns_namelist_t *secs = qctx->client->message->sections; + const dns_section_t section = DNS_SECTION_ADDITIONAL; + dns_name_t *name; + dns_message_t *msg; + dns_rdataset_t *rdataset = NULL; + + if (!ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || + qctx->client->message->rcode != dns_rcode_noerror || + (qctx->qtype != dns_rdatatype_a && + qctx->qtype != dns_rdatatype_aaaa)) + { + return; + } + + msg = qctx->client->message; + for (name = ISC_LIST_HEAD(msg->sections[section]); name != NULL; + name = ISC_LIST_NEXT(name, link)) + { + if (dns_name_equal(name, qctx->client->query.qname)) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (rdataset->type == qctx->qtype) { + break; + } + } + break; + } + } + if (rdataset != NULL) { + ISC_LIST_UNLINK(msg->sections[section], name, link); + ISC_LIST_PREPEND(msg->sections[section], name, link); + ISC_LIST_UNLINK(name->list, rdataset, link); + ISC_LIST_PREPEND(name->list, rdataset, link); + rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; + } +} + +isc_result_t +ns_query_done(query_ctx_t *qctx) { + isc_result_t result = ISC_R_UNSET; + const dns_namelist_t *secs = qctx->client->message->sections; + bool nodetach; + + CCTRACE(ISC_LOG_DEBUG(3), "ns_query_done"); + + CALL_HOOK(NS_QUERY_DONE_BEGIN, qctx); + + /* + * General cleanup. + */ + qctx->rpz_st = qctx->client->query.rpz_st; + if (qctx->rpz_st != NULL && + (qctx->rpz_st->state & DNS_RPZ_RECURSING) == 0) + { + rpz_match_clear(qctx->rpz_st); + qctx->rpz_st->state &= ~DNS_RPZ_DONE_QNAME; + } + + qctx_clean(qctx); + qctx_freedata(qctx); + + if (qctx->client->query.gluedb != NULL) { + dns_db_detach(&qctx->client->query.gluedb); + } + + /* + * Clear the AA bit if we're not authoritative. + */ + if (qctx->client->query.restarts == 0 && !qctx->authoritative) { + qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; + } + + /* + * Do we need to restart the query (e.g. for CNAME chaining)? + */ + if (qctx->want_restart && qctx->client->query.restarts < MAX_RESTARTS) { + qctx->client->query.restarts++; + return (ns__query_start(qctx)); + } + + if (qctx->result != ISC_R_SUCCESS && + (!PARTIALANSWER(qctx->client) || WANTRECURSION(qctx->client) || + qctx->result == DNS_R_DROP)) + { + if (qctx->result == DNS_R_DUPLICATE || + qctx->result == DNS_R_DROP) + { + /* + * This was a duplicate query that we are + * recursing on or the result of rate limiting. + * Don't send a response now for a duplicate query, + * because the original will still cause a response. + */ + query_next(qctx->client, qctx->result); + } else { + /* + * If we don't have any answer to give the client, + * or if the client requested recursion and thus wanted + * the complete answer, send an error response. + */ + INSIST(qctx->line >= 0); + query_error(qctx->client, qctx->result, qctx->line); + } + + qctx->detach_client = true; + return (qctx->result); + } + + /* + * If we're recursing then just return; the query will + * resume when recursion ends. + */ + if (RECURSING(qctx->client) && + (!QUERY_STALETIMEOUT(&qctx->client->query) || + ((qctx->options & DNS_GETDB_STALEFIRST) != 0))) + { + return (qctx->result); + } + + /* + * We are done. Set up sortlist data for the message + * rendering code, sort the answer to the front of the + * additional section if necessary, make a final tweak + * to the AA bit if the auth-nxdomain config option + * says so, then render and send the response. + */ + query_setup_sortlist(qctx); + query_glueanswer(qctx); + + if (qctx->client->message->rcode == dns_rcode_nxdomain && + qctx->view->auth_nxdomain) + { + qctx->client->message->flags |= DNS_MESSAGEFLAG_AA; + } + + /* + * If the response is somehow unexpected for the client and this + * is a result of recursion, return an error to the caller + * to indicate it may need to be logged. + */ + if (qctx->resuming && + (ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || + qctx->client->message->rcode != dns_rcode_noerror)) + { + qctx->result = ISC_R_FAILURE; + } + + CALL_HOOK(NS_QUERY_DONE_SEND, qctx); + + /* + * Client may have been detached after query_send(), so + * we test and store the flag state here, for safety. + */ + nodetach = qctx->client->nodetach; + query_send(qctx->client); + + if (qctx->refresh_rrset) { + /* + * If we reached this point then it means that we have found a + * stale RRset entry in cache and BIND is configured to allow + * queries to be answered with stale data if no active RRset + * is available, i.e. "stale-anwer-client-timeout 0". But, we + * still need to refresh the RRset. To prevent adding duplicate + * RRsets, clear the RRsets from the message before doing the + * refresh. + */ + message_clearrdataset(qctx->client->message, 0); + query_refresh_rrset(qctx); + } + + if (!nodetach) { + qctx->detach_client = true; + } + return (qctx->result); + +cleanup: + return (result); +} + +static void +log_tat(ns_client_t *client) { + char namebuf[DNS_NAME_FORMATSIZE]; + char clientbuf[ISC_NETADDR_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + isc_netaddr_t netaddr; + char *tags = NULL; + size_t taglen = 0; + + if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) { + return; + } + + if ((client->query.qtype != dns_rdatatype_null || + !dns_name_istat(client->query.qname)) && + (client->keytag == NULL || + client->query.qtype != dns_rdatatype_dnskey)) + { + return; + } + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); + isc_netaddr_format(&netaddr, clientbuf, sizeof(clientbuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, + sizeof(classbuf)); + + if (client->query.qtype == dns_rdatatype_dnskey) { + uint16_t keytags = client->keytag_len / 2; + size_t len = taglen = sizeof("65000") * keytags + 1; + char *cp = tags = isc_mem_get(client->mctx, taglen); + int i = 0; + + INSIST(client->keytag != NULL); + if (tags != NULL) { + while (keytags-- > 0U) { + int n; + uint16_t keytag; + keytag = (client->keytag[i * 2] << 8) | + client->keytag[i * 2 + 1]; + n = snprintf(cp, len, " %u", keytag); + if (n > 0 && (size_t)n <= len) { + cp += n; + len -= n; + i++; + } else { + break; + } + } + } + } + + isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY, + ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s", + namebuf, classbuf, clientbuf, tags != NULL ? tags : ""); + if (tags != NULL) { + isc_mem_put(client->mctx, tags, taglen); + } +} + +static void +log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + char onbuf[ISC_NETADDR_FORMATSIZE]; + char ecsbuf[DNS_ECS_FORMATSIZE + sizeof(" [ECS ]") - 1] = { 0 }; + char ednsbuf[sizeof("E(65535)")] = { 0 }; + dns_rdataset_t *rdataset; + int level = ISC_LOG_INFO; + + if (!isc_log_wouldlog(ns_lctx, level)) { + return; + } + + rdataset = ISC_LIST_HEAD(client->query.qname->list); + INSIST(rdataset != NULL); + dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); + dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); + dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); + isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); + + if (client->ednsversion >= 0) { + snprintf(ednsbuf, sizeof(ednsbuf), "E(%hd)", + client->ednsversion); + } + + if (HAVEECS(client)) { + strlcpy(ecsbuf, " [ECS ", sizeof(ecsbuf)); + dns_ecs_format(&client->ecs, ecsbuf + 6, sizeof(ecsbuf) - 6); + strlcat(ecsbuf, "]", sizeof(ecsbuf)); + } + + ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, + "query: %s %s %s %s%s%s%s%s%s%s (%s)%s", namebuf, + classbuf, typebuf, WANTRECURSION(client) ? "+" : "-", + (client->signer != NULL) ? "S" : "", ednsbuf, + TCP(client) ? "T" : "", + ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "", + ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "", + HAVECOOKIE(client) ? "V" + : WANTCOOKIE(client) ? "K" + : "", + onbuf, ecsbuf); +} + +static void +log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + const char *namep, *typep, *classp, *sep1, *sep2; + dns_rdataset_t *rdataset; + + if (!isc_log_wouldlog(ns_lctx, level)) { + return; + } + + namep = typep = classp = sep1 = sep2 = ""; + + /* + * Query errors can happen for various reasons. In some cases we cannot + * even assume the query contains a valid question section, so we should + * expect exceptional cases. + */ + if (client->query.origqname != NULL) { + dns_name_format(client->query.origqname, namebuf, + sizeof(namebuf)); + namep = namebuf; + sep1 = " for "; + + rdataset = ISC_LIST_HEAD(client->query.origqname->list); + if (rdataset != NULL) { + dns_rdataclass_format(rdataset->rdclass, classbuf, + sizeof(classbuf)); + classp = classbuf; + dns_rdatatype_format(rdataset->type, typebuf, + sizeof(typebuf)); + typep = typebuf; + sep2 = "/"; + } + } + + ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, + level, "query failed (%s)%s%s%s%s%s%s at %s:%d", + isc_result_totext(result), sep1, namep, sep2, classp, + sep2, typep, __FILE__, line); +} + +void +ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) { + isc_result_t result; + dns_message_t *message; + dns_rdataset_t *rdataset; + dns_rdatatype_t qtype; + unsigned int saved_extflags; + unsigned int saved_flags; + + REQUIRE(NS_CLIENT_VALID(client)); + + /* + * Attach to the request handle + */ + isc_nmhandle_attach(handle, &client->reqhandle); + + message = client->message; + saved_extflags = client->extflags; + saved_flags = client->message->flags; + + CTRACE(ISC_LOG_DEBUG(3), "ns_query_start"); + + /* + * Ensure that appropriate cleanups occur. + */ + client->cleanup = query_cleanup; + + if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { + client->query.attributes |= NS_QUERYATTR_WANTRECURSION; + } + + if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) { + client->attributes |= NS_CLIENTATTR_WANTDNSSEC; + } + + switch (client->view->minimalresponses) { + case dns_minimal_no: + break; + case dns_minimal_yes: + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + break; + case dns_minimal_noauth: + client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; + break; + case dns_minimal_noauthrec: + if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { + client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; + } + break; + } + + if (client->view->cachedb == NULL || !client->view->recursion) { + /* + * We don't have a cache. Turn off cache support and + * recursion. + */ + client->query.attributes &= ~(NS_QUERYATTR_RECURSIONOK | + NS_QUERYATTR_CACHEOK); + client->attributes |= NS_CLIENTATTR_NOSETFC; + } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 || + (message->flags & DNS_MESSAGEFLAG_RD) == 0) + { + /* + * If the client isn't allowed to recurse (due to + * "recursion no", the allow-recursion ACL, or the + * lack of a resolver in this view), or if it + * doesn't want recursion, turn recursion off. + */ + client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; + client->attributes |= NS_CLIENTATTR_NOSETFC; + } + + /* + * Check for multiple question queries, since edns1 is dead. + */ + if (message->counts[DNS_SECTION_QUESTION] > 1) { + query_error(client, DNS_R_FORMERR, __LINE__); + return; + } + + /* + * Get the question name. + */ + result = dns_message_firstname(message, DNS_SECTION_QUESTION); + if (result != ISC_R_SUCCESS) { + query_error(client, result, __LINE__); + return; + } + dns_message_currentname(message, DNS_SECTION_QUESTION, + &client->query.qname); + client->query.origqname = client->query.qname; + result = dns_message_nextname(message, DNS_SECTION_QUESTION); + if (result != ISC_R_NOMORE) { + if (result == ISC_R_SUCCESS) { + /* + * There's more than one QNAME in the question + * section. + */ + query_error(client, DNS_R_FORMERR, __LINE__); + } else { + query_error(client, result, __LINE__); + } + return; + } + + if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { + log_query(client, saved_flags, saved_extflags); + } + + /* + * Check for meta-queries like IXFR and AXFR. + */ + rdataset = ISC_LIST_HEAD(client->query.qname->list); + INSIST(rdataset != NULL); + client->query.qtype = qtype = rdataset->type; + dns_rdatatypestats_increment(client->sctx->rcvquerystats, qtype); + + log_tat(client); + + if (dns_rdatatype_ismeta(qtype)) { + switch (qtype) { + case dns_rdatatype_any: + break; /* Let the query logic handle it. */ + case dns_rdatatype_ixfr: + case dns_rdatatype_axfr: + if (isc_nm_is_http_handle(handle)) { + /* + * We cannot use DoH for zone transfers. + * According to RFC 8484 a DoH request contains + * exactly one DNS message (see Section 6: + * Definition of the "application/dns-message" + * Media Type). + * + * This makes DoH unsuitable for zone transfers + * as often (and usually!) these need more than + * one DNS message, especially for larger zones. + * As zone transfers over DoH are not (yet) + * standardised, nor discussed in RFC 8484, + * the best thing we can do is to return "not + * implemented". + */ + query_error(client, DNS_R_NOTIMP, __LINE__); + return; + } + if (isc_nm_socket_type(handle) == isc_nm_tlsdnssocket) { + /* + * Currently this code is here for DoT, which + * has more complex requirements for zone + * transfers compared to other stream + * protocols. See RFC 9103 for details. + */ + switch (isc_nm_xfr_checkperm(handle)) { + case ISC_R_SUCCESS: + break; + case ISC_R_DOTALPNERROR: + query_error(client, DNS_R_NOALPN, + __LINE__); + return; + default: + query_error(client, DNS_R_REFUSED, + __LINE__); + return; + } + } + ns_xfr_start(client, rdataset->type); + return; + case dns_rdatatype_maila: + case dns_rdatatype_mailb: + query_error(client, DNS_R_NOTIMP, __LINE__); + return; + case dns_rdatatype_tkey: + result = dns_tkey_processquery( + client->message, client->sctx->tkeyctx, + client->view->dynamickeys); + if (result == ISC_R_SUCCESS) { + query_send(client); + } else { + query_error(client, result, __LINE__); + } + return; + default: /* TSIG, etc. */ + query_error(client, DNS_R_FORMERR, __LINE__); + return; + } + } + + /* + * Turn on minimal response for (C)DNSKEY and (C)DS queries. + */ + if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds || + qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds) + { + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + } else if (qtype == dns_rdatatype_ns) { + /* + * Always turn on additional records for NS queries. + */ + client->query.attributes &= ~(NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + } + + /* + * Maybe turn on minimal responses for ANY queries. + */ + if (qtype == dns_rdatatype_any && client->view->minimal_any && + !TCP(client)) + { + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + } + + /* + * Turn on minimal responses for EDNS/UDP bufsize 512 queries. + */ + if (client->ednsversion >= 0 && client->udpsize <= 512U && !TCP(client)) + { + client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | + NS_QUERYATTR_NOADDITIONAL); + } + + /* + * If the client has requested that DNSSEC checking be disabled, + * allow lookups to return pending data and instruct the resolver + * to return data before validation has completed. + * + * We don't need to set DNS_DBFIND_PENDINGOK when validation is + * disabled as there will be no pending data. + */ + if ((message->flags & DNS_MESSAGEFLAG_CD) != 0 || + qtype == dns_rdatatype_rrsig) + { + client->query.dboptions |= DNS_DBFIND_PENDINGOK; + client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; + } else if (!client->view->enablevalidation) { + client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; + } + + if (client->view->qminimization) { + client->query.fetchoptions |= DNS_FETCHOPT_QMINIMIZE | + DNS_FETCHOPT_QMIN_SKIP_IP6A; + if (client->view->qmin_strict) { + client->query.fetchoptions |= DNS_FETCHOPT_QMIN_STRICT; + } + } + + /* + * Allow glue NS records to be added to the authority section + * if the answer is secure. + */ + if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) { + client->query.attributes &= ~NS_QUERYATTR_SECURE; + } + + /* + * Set NS_CLIENTATTR_WANTAD if the client has set AD in the query. + * This allows AD to be returned on queries without DO set. + */ + if ((message->flags & DNS_MESSAGEFLAG_AD) != 0) { + client->attributes |= NS_CLIENTATTR_WANTAD; + } + + /* + * This is an ordinary query. + */ + result = dns_message_reply(message, true); + if (result != ISC_R_SUCCESS) { + query_next(client, result); + return; + } + + /* + * Assume authoritative response until it is known to be + * otherwise. + * + * If "-T noaa" has been set on the command line don't set + * AA on authoritative answers. + */ + if ((client->sctx->options & NS_SERVER_NOAA) == 0) { + message->flags |= DNS_MESSAGEFLAG_AA; + } + + /* + * Set AD. We must clear it if we add non-validated data to a + * response. + */ + if (WANTDNSSEC(client) || WANTAD(client)) { + message->flags |= DNS_MESSAGEFLAG_AD; + } + + (void)query_setup(client, qtype); +} diff --git a/lib/ns/server.c b/lib/ns/server.c new file mode 100644 index 0000000..7b245c3 --- /dev/null +++ b/lib/ns/server.c @@ -0,0 +1,264 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include + +#include +#include +#include + +#include +#include + +#include +#include +#include + +#define SCTX_MAGIC ISC_MAGIC('S', 'c', 't', 'x') +#define SCTX_VALID(s) ISC_MAGIC_VALID(s, SCTX_MAGIC) + +#define CHECKFATAL(op) \ + do { \ + result = (op); \ + RUNTIME_CHECK(result == ISC_R_SUCCESS); \ + } while (0) + +isc_result_t +ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + ns_server_t **sctxp) { + ns_server_t *sctx; + isc_result_t result; + + REQUIRE(sctxp != NULL && *sctxp == NULL); + + sctx = isc_mem_get(mctx, sizeof(*sctx)); + + memset(sctx, 0, sizeof(*sctx)); + + isc_mem_attach(mctx, &sctx->mctx); + + /* + * See here for more details: + * https://github.com/jemalloc/jemalloc/issues/2483 + */ + + isc_refcount_init(&sctx->references, 1); + + isc_quota_init(&sctx->xfroutquota, 10); + isc_quota_init(&sctx->tcpquota, 10); + isc_quota_init(&sctx->recursionquota, 100); + isc_quota_init(&sctx->updquota, 100); + ISC_LIST_INIT(sctx->http_quotas); + isc_mutex_init(&sctx->http_quotas_lock); + + CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx)); + + CHECKFATAL(ns_stats_create(mctx, ns_statscounter_max, &sctx->nsstats)); + + CHECKFATAL(dns_rdatatypestats_create(mctx, &sctx->rcvquerystats)); + + CHECKFATAL(dns_opcodestats_create(mctx, &sctx->opcodestats)); + + CHECKFATAL(dns_rcodestats_create(mctx, &sctx->rcodestats)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->udpinstats4, + dns_sizecounter_in_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->udpoutstats4, + dns_sizecounter_out_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->udpinstats6, + dns_sizecounter_in_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->udpoutstats6, + dns_sizecounter_out_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->tcpinstats4, + dns_sizecounter_in_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->tcpoutstats4, + dns_sizecounter_out_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->tcpinstats6, + dns_sizecounter_in_max)); + + CHECKFATAL(isc_stats_create(mctx, &sctx->tcpoutstats6, + dns_sizecounter_out_max)); + + sctx->udpsize = 1232; + sctx->transfer_tcp_message_size = 20480; + + sctx->fuzztype = isc_fuzz_none; + sctx->fuzznotify = NULL; + + sctx->matchingview = matchingview; + sctx->answercookie = true; + + ISC_LIST_INIT(sctx->altsecrets); + + sctx->magic = SCTX_MAGIC; + *sctxp = sctx; + + return (ISC_R_SUCCESS); +} + +void +ns_server_attach(ns_server_t *src, ns_server_t **dest) { + REQUIRE(SCTX_VALID(src)); + REQUIRE(dest != NULL && *dest == NULL); + + isc_refcount_increment(&src->references); + + *dest = src; +} + +void +ns_server_detach(ns_server_t **sctxp) { + ns_server_t *sctx; + + REQUIRE(sctxp != NULL && SCTX_VALID(*sctxp)); + sctx = *sctxp; + *sctxp = NULL; + + if (isc_refcount_decrement(&sctx->references) == 1) { + ns_altsecret_t *altsecret; + isc_quota_t *http_quota; + + while ((altsecret = ISC_LIST_HEAD(sctx->altsecrets)) != NULL) { + ISC_LIST_UNLINK(sctx->altsecrets, altsecret, link); + isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret)); + } + + isc_quota_destroy(&sctx->updquota); + isc_quota_destroy(&sctx->recursionquota); + isc_quota_destroy(&sctx->tcpquota); + isc_quota_destroy(&sctx->xfroutquota); + + http_quota = ISC_LIST_HEAD(sctx->http_quotas); + while (http_quota != NULL) { + isc_quota_t *next = NULL; + + next = ISC_LIST_NEXT(http_quota, link); + ISC_LIST_DEQUEUE(sctx->http_quotas, http_quota, link); + isc_quota_destroy(http_quota); + isc_mem_put(sctx->mctx, http_quota, + sizeof(*http_quota)); + http_quota = next; + } + isc_mutex_destroy(&sctx->http_quotas_lock); + + if (sctx->server_id != NULL) { + isc_mem_free(sctx->mctx, sctx->server_id); + } + + if (sctx->blackholeacl != NULL) { + dns_acl_detach(&sctx->blackholeacl); + } + if (sctx->keepresporder != NULL) { + dns_acl_detach(&sctx->keepresporder); + } + if (sctx->tkeyctx != NULL) { + dns_tkeyctx_destroy(&sctx->tkeyctx); + } + + if (sctx->nsstats != NULL) { + ns_stats_detach(&sctx->nsstats); + } + + if (sctx->rcvquerystats != NULL) { + dns_stats_detach(&sctx->rcvquerystats); + } + if (sctx->opcodestats != NULL) { + dns_stats_detach(&sctx->opcodestats); + } + if (sctx->rcodestats != NULL) { + dns_stats_detach(&sctx->rcodestats); + } + + if (sctx->udpinstats4 != NULL) { + isc_stats_detach(&sctx->udpinstats4); + } + if (sctx->tcpinstats4 != NULL) { + isc_stats_detach(&sctx->tcpinstats4); + } + if (sctx->udpoutstats4 != NULL) { + isc_stats_detach(&sctx->udpoutstats4); + } + if (sctx->tcpoutstats4 != NULL) { + isc_stats_detach(&sctx->tcpoutstats4); + } + + if (sctx->udpinstats6 != NULL) { + isc_stats_detach(&sctx->udpinstats6); + } + if (sctx->tcpinstats6 != NULL) { + isc_stats_detach(&sctx->tcpinstats6); + } + if (sctx->udpoutstats6 != NULL) { + isc_stats_detach(&sctx->udpoutstats6); + } + if (sctx->tcpoutstats6 != NULL) { + isc_stats_detach(&sctx->tcpoutstats6); + } + + sctx->magic = 0; + + isc_mem_putanddetach(&sctx->mctx, sctx, sizeof(*sctx)); + } +} + +isc_result_t +ns_server_setserverid(ns_server_t *sctx, const char *serverid) { + REQUIRE(SCTX_VALID(sctx)); + + if (sctx->server_id != NULL) { + isc_mem_free(sctx->mctx, sctx->server_id); + sctx->server_id = NULL; + } + + if (serverid != NULL) { + sctx->server_id = isc_mem_strdup(sctx->mctx, serverid); + } + + return (ISC_R_SUCCESS); +} + +void +ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) { + REQUIRE(SCTX_VALID(sctx)); + if (value) { + sctx->options |= option; + } else { + sctx->options &= ~option; + } +} + +bool +ns_server_getoption(ns_server_t *sctx, unsigned int option) { + REQUIRE(SCTX_VALID(sctx)); + + return ((sctx->options & option) != 0); +} + +void +ns_server_append_http_quota(ns_server_t *sctx, isc_quota_t *http_quota) { + REQUIRE(SCTX_VALID(sctx)); + REQUIRE(http_quota != NULL); + + LOCK(&sctx->http_quotas_lock); + ISC_LINK_INIT(http_quota, link); + ISC_LIST_APPEND(sctx->http_quotas, http_quota, link); + UNLOCK(&sctx->http_quotas_lock); +} diff --git a/lib/ns/sortlist.c b/lib/ns/sortlist.c new file mode 100644 index 0000000..2aada90 --- /dev/null +++ b/lib/ns/sortlist.c @@ -0,0 +1,181 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include +#include +#include + +#include +#include + +#include +#include + +ns_sortlisttype_t +ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr, + void **argp) { + if (acl == NULL) { + goto dont_sort; + } + + for (size_t i = 0; i < acl->length; i++) { + /* + * 'e' refers to the current 'top level statement' + * in the sortlist (see ARM). + */ + dns_aclelement_t *e = &acl->elements[i]; + dns_aclelement_t *try_elt; + dns_aclelement_t *order_elt = NULL; + dns_aclelement_t *matched_elt = NULL; + + if (e->type == dns_aclelementtype_nestedacl) { + dns_acl_t *inner = e->nestedacl; + + if (inner->length == 0) { + try_elt = e; + } else if (inner->length > 2) { + goto dont_sort; + } else if (inner->elements[0].negative) { + goto dont_sort; + } else { + try_elt = &inner->elements[0]; + if (inner->length == 2) { + order_elt = &inner->elements[1]; + } + } + } else { + /* + * BIND 8 allows bare elements at the top level + * as an undocumented feature. + */ + try_elt = e; + } + + if (!dns_aclelement_match( + clientaddr, NULL, try_elt, env, + (const dns_aclelement_t **)&matched_elt)) + { + continue; + } + + if (order_elt == NULL) { + INSIST(matched_elt != NULL); + *argp = matched_elt; + return (NS_SORTLISTTYPE_1ELEMENT); + } + + if (order_elt->type == dns_aclelementtype_nestedacl) { + dns_acl_t *inner = NULL; + dns_acl_attach(order_elt->nestedacl, &inner); + *argp = inner; + return (NS_SORTLISTTYPE_2ELEMENT); + } + + if (order_elt->type == dns_aclelementtype_localhost) { + dns_acl_t *inner = NULL; + RWLOCK(&env->rwlock, isc_rwlocktype_read); + if (env->localhost != NULL) { + dns_acl_attach(env->localhost, &inner); + } + RWUNLOCK(&env->rwlock, isc_rwlocktype_read); + + if (inner != NULL) { + *argp = inner; + return (NS_SORTLISTTYPE_2ELEMENT); + } + } + + if (order_elt->type == dns_aclelementtype_localnets) { + dns_acl_t *inner = NULL; + RWLOCK(&env->rwlock, isc_rwlocktype_read); + if (env->localnets != NULL) { + dns_acl_attach(env->localnets, &inner); + } + RWUNLOCK(&env->rwlock, isc_rwlocktype_read); + if (inner != NULL) { + *argp = inner; + return (NS_SORTLISTTYPE_2ELEMENT); + } + } + + /* + * BIND 8 allows a bare IP prefix as + * the 2nd element of a 2-element + * sortlist statement. + */ + *argp = order_elt; + return (NS_SORTLISTTYPE_1ELEMENT); + } + +dont_sort: + *argp = NULL; + return (NS_SORTLISTTYPE_NONE); +} + +int +ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) { + const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg; + dns_aclenv_t *env = sla->env; + const dns_acl_t *sortacl = sla->acl; + int match; + + (void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL); + if (match > 0) { + return (match); + } else if (match < 0) { + return (INT_MAX - (-match)); + } else { + return (INT_MAX / 2); + } +} + +int +ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) { + const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg; + dns_aclenv_t *env = sla->env; + const dns_aclelement_t *element = sla->element; + + if (dns_aclelement_match(addr, NULL, element, env, NULL)) { + return (0); + } + + return (INT_MAX); +} + +void +ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env, + isc_netaddr_t *client_addr, + dns_addressorderfunc_t *orderp, void **argp) { + ns_sortlisttype_t sortlisttype; + + sortlisttype = ns_sortlist_setup(sortlist_acl, env, client_addr, argp); + + switch (sortlisttype) { + case NS_SORTLISTTYPE_1ELEMENT: + *orderp = ns_sortlist_addrorder1; + break; + case NS_SORTLISTTYPE_2ELEMENT: + *orderp = ns_sortlist_addrorder2; + break; + case NS_SORTLISTTYPE_NONE: + *orderp = NULL; + break; + default: + UNEXPECTED_ERROR( + "unexpected return from ns_sortlist_setup(): %d", + sortlisttype); + break; + } +} diff --git a/lib/ns/stats.c b/lib/ns/stats.c new file mode 100644 index 0000000..de5b083 --- /dev/null +++ b/lib/ns/stats.c @@ -0,0 +1,128 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include +#include +#include +#include +#include + +#include + +#define NS_STATS_MAGIC ISC_MAGIC('N', 's', 't', 't') +#define NS_STATS_VALID(x) ISC_MAGIC_VALID(x, NS_STATS_MAGIC) + +struct ns_stats { + /*% Unlocked */ + unsigned int magic; + isc_mem_t *mctx; + isc_stats_t *counters; + isc_refcount_t references; +}; + +void +ns_stats_attach(ns_stats_t *stats, ns_stats_t **statsp) { + REQUIRE(NS_STATS_VALID(stats)); + REQUIRE(statsp != NULL && *statsp == NULL); + + isc_refcount_increment(&stats->references); + + *statsp = stats; +} + +void +ns_stats_detach(ns_stats_t **statsp) { + ns_stats_t *stats; + + REQUIRE(statsp != NULL && NS_STATS_VALID(*statsp)); + + stats = *statsp; + *statsp = NULL; + + if (isc_refcount_decrement(&stats->references) == 1) { + isc_stats_detach(&stats->counters); + isc_refcount_destroy(&stats->references); + isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats)); + } +} + +isc_result_t +ns_stats_create(isc_mem_t *mctx, int ncounters, ns_stats_t **statsp) { + ns_stats_t *stats; + isc_result_t result; + + REQUIRE(statsp != NULL && *statsp == NULL); + + stats = isc_mem_get(mctx, sizeof(*stats)); + stats->counters = NULL; + + isc_refcount_init(&stats->references, 1); + + result = isc_stats_create(mctx, &stats->counters, ncounters); + if (result != ISC_R_SUCCESS) { + goto clean_mem; + } + + stats->magic = NS_STATS_MAGIC; + stats->mctx = NULL; + isc_mem_attach(mctx, &stats->mctx); + *statsp = stats; + + return (ISC_R_SUCCESS); + +clean_mem: + isc_mem_put(mctx, stats, sizeof(*stats)); + + return (result); +} + +/*% + * Increment/Decrement methods + */ +void +ns_stats_increment(ns_stats_t *stats, isc_statscounter_t counter) { + REQUIRE(NS_STATS_VALID(stats)); + + isc_stats_increment(stats->counters, counter); +} + +void +ns_stats_decrement(ns_stats_t *stats, isc_statscounter_t counter) { + REQUIRE(NS_STATS_VALID(stats)); + + isc_stats_decrement(stats->counters, counter); +} + +isc_stats_t * +ns_stats_get(ns_stats_t *stats) { + REQUIRE(NS_STATS_VALID(stats)); + + return (stats->counters); +} + +void +ns_stats_update_if_greater(ns_stats_t *stats, isc_statscounter_t counter, + isc_statscounter_t value) { + REQUIRE(NS_STATS_VALID(stats)); + + isc_stats_update_if_greater(stats->counters, counter, value); +} + +isc_statscounter_t +ns_stats_get_counter(ns_stats_t *stats, isc_statscounter_t counter) { + REQUIRE(NS_STATS_VALID(stats)); + + return (isc_stats_get_counter(stats->counters, counter)); +} diff --git a/lib/ns/update.c b/lib/ns/update.c new file mode 100644 index 0000000..983ca84 --- /dev/null +++ b/lib/ns/update.c @@ -0,0 +1,3866 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +/*! \file + * \brief + * This module implements dynamic update as in RFC2136. + */ + +/* + * XXX TODO: + * - document strict minimality + */ + +/**************************************************************************/ + +/*% + * Log level for tracing dynamic update protocol requests. + */ +#define LOGLEVEL_PROTOCOL ISC_LOG_INFO + +/*% + * Log level for low-level debug tracing. + */ +#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8) + +/*% + * Check an operation for failure. These macros all assume that + * the function using them has a 'result' variable and a 'failure' + * label. + */ +#define CHECK(op) \ + do { \ + result = (op); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +/*% + * Fail unconditionally with result 'code', which must not + * be ISC_R_SUCCESS. The reason for failure presumably has + * been logged already. + * + * The test against ISC_R_SUCCESS is there to keep the Solaris compiler + * from complaining about "end-of-loop code not reached". + */ + +#define FAIL(code) \ + do { \ + result = (code); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +/*% + * Fail unconditionally and log as a client error. + * The test against ISC_R_SUCCESS is there to keep the Solaris compiler + * from complaining about "end-of-loop code not reached". + */ +#define FAILC(code, msg) \ + do { \ + const char *_what = "failed"; \ + result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + default: \ + break; \ + } \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ + "update %s: %s (%s)", _what, msg, \ + isc_result_totext(result)); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) +#define PREREQFAILC(code, msg) \ + do { \ + inc_stats(client, zone, ns_statscounter_updatebadprereq); \ + FAILC(code, msg); \ + } while (0) + +#define FAILN(code, name, msg) \ + do { \ + const char *_what = "failed"; \ + result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + default: \ + break; \ + } \ + if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) { \ + char _nbuf[DNS_NAME_FORMATSIZE]; \ + dns_name_format(name, _nbuf, sizeof(_nbuf)); \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ + "update %s: %s: %s (%s)", _what, _nbuf, \ + msg, isc_result_totext(result)); \ + } \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) +#define PREREQFAILN(code, name, msg) \ + do { \ + inc_stats(client, zone, ns_statscounter_updatebadprereq); \ + FAILN(code, name, msg); \ + } while (0) + +#define FAILNT(code, name, type, msg) \ + do { \ + const char *_what = "failed"; \ + result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + default: \ + break; \ + } \ + if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) { \ + char _nbuf[DNS_NAME_FORMATSIZE]; \ + char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \ + dns_name_format(name, _nbuf, sizeof(_nbuf)); \ + dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ + "update %s: %s/%s: %s (%s)", _what, _nbuf, \ + _tbuf, msg, isc_result_totext(result)); \ + } \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) +#define PREREQFAILNT(code, name, type, msg) \ + do { \ + inc_stats(client, zone, ns_statscounter_updatebadprereq); \ + FAILNT(code, name, type, msg); \ + } while (0) + +/*% + * Fail unconditionally and log as a server error. + * The test against ISC_R_SUCCESS is there to keep the Solaris compiler + * from complaining about "end-of-loop code not reached". + */ +#define FAILS(code, msg) \ + do { \ + result = (code); \ + update_log(client, zone, LOGLEVEL_PROTOCOL, "error: %s: %s", \ + msg, isc_result_totext(result)); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +/* + * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE. + */ +#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0) + +/**************************************************************************/ + +typedef struct rr rr_t; + +struct rr { + /* dns_name_t name; */ + uint32_t ttl; + dns_rdata_t rdata; +}; + +typedef struct update_event update_event_t; + +struct update_event { + ISC_EVENT_COMMON(update_event_t); + dns_zone_t *zone; + isc_result_t result; + dns_message_t *answer; + const dns_ssurule_t **rules; + size_t ruleslen; +}; + +/*% + * Prepare an RR for the addition of the new RR 'ctx->update_rr', + * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting + * the RRs if it is replaced by the new RR or has a conflicting TTL. + * The necessary changes are appended to ctx->del_diff and ctx->add_diff; + * we need to do all deletions before any additions so that we don't run + * into transient states with conflicting TTLs. + */ + +typedef struct { + dns_db_t *db; + dns_dbversion_t *ver; + dns_diff_t *diff; + dns_name_t *name; + dns_name_t *oldname; + dns_rdata_t *update_rr; + dns_ttl_t update_rr_ttl; + bool ignore_add; + dns_diff_t del_diff; + dns_diff_t add_diff; +} add_rr_prepare_ctx_t; + +/**************************************************************************/ +/* + * Forward declarations. + */ + +static void +update_action(isc_task_t *task, isc_event_t *event); +static void +updatedone_action(isc_task_t *task, isc_event_t *event); +static isc_result_t +send_forward_event(ns_client_t *client, dns_zone_t *zone); +static void +forward_done(isc_task_t *task, isc_event_t *event); +static isc_result_t +add_rr_prepare_action(void *data, rr_t *rr); +static isc_result_t +rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + const dns_rdata_t *rdata, bool *flag); + +/**************************************************************************/ + +static void +update_log(ns_client_t *client, dns_zone_t *zone, int level, const char *fmt, + ...) ISC_FORMAT_PRINTF(4, 5); + +static void +update_log(ns_client_t *client, dns_zone_t *zone, int level, const char *fmt, + ...) { + va_list ap; + char message[4096]; + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + + if (client == NULL) { + return; + } + + if (!isc_log_wouldlog(ns_lctx, level)) { + return; + } + + va_start(ap, fmt); + vsnprintf(message, sizeof(message), fmt, ap); + va_end(ap); + + if (zone != NULL) { + dns_name_format(dns_zone_getorigin(zone), namebuf, + sizeof(namebuf)); + dns_rdataclass_format(dns_zone_getclass(zone), classbuf, + sizeof(classbuf)); + + ns_client_log(client, NS_LOGCATEGORY_UPDATE, + NS_LOGMODULE_UPDATE, level, + "updating zone '%s/%s': %s", namebuf, classbuf, + message); + } else { + ns_client_log(client, NS_LOGCATEGORY_UPDATE, + NS_LOGMODULE_UPDATE, level, "%s", message); + } +} + +static void +update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) { + update_log(arg, zone, level, "%s", message); +} + +/*% + * Increment updated-related statistics counters. + */ +static void +inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) { + ns_stats_increment(client->sctx->nsstats, counter); + + if (zone != NULL) { + isc_stats_t *zonestats = dns_zone_getrequeststats(zone); + if (zonestats != NULL) { + isc_stats_increment(zonestats, counter); + } + } +} + +/*% + * Check if we could have queried for the contents of this zone or + * if the zone is potentially updateable. + * If the zone can potentially be updated and the check failed then + * log a error otherwise we log a informational message. + */ +static isc_result_t +checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename, + dns_acl_t *updateacl, dns_ssutable_t *ssutable) { + isc_result_t result; + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + bool update_possible = + ((updateacl != NULL && !dns_acl_isnone(updateacl)) || + ssutable != NULL); + + result = ns_client_checkaclsilent(client, NULL, queryacl, true); + if (result != ISC_R_SUCCESS) { + int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO; + + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, + sizeof(classbuf)); + + ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, + NS_LOGMODULE_UPDATE, level, + "update '%s/%s' denied due to allow-query", + namebuf, classbuf); + } else if (!update_possible) { + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, + sizeof(classbuf)); + + result = DNS_R_REFUSED; + ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, + NS_LOGMODULE_UPDATE, ISC_LOG_INFO, + "update '%s/%s' denied", namebuf, classbuf); + } + return (result); +} + +/*% + * Override the default acl logging when checking whether a client + * can update the zone or whether we can forward the request to the + * primary server based on IP address. + * + * 'message' contains the type of operation that is being attempted. + * + * 'secondary' indicates whether this is a secondary zone. + * + * If the zone has no access controls configured ('acl' == NULL && + * 'has_ssutable == false`), log the attempt at info, otherwise at error. + * If 'secondary' is true, log at debug=3. + * + * If the request was signed, log that we received it. + */ +static isc_result_t +checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, + dns_name_t *zonename, bool secondary, bool has_ssutable) { + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + int level = ISC_LOG_ERROR; + const char *msg = "denied"; + isc_result_t result; + + if (secondary && acl == NULL) { + result = DNS_R_NOTIMP; + level = ISC_LOG_DEBUG(3); + msg = "disabled"; + } else { + result = ns_client_checkaclsilent(client, NULL, acl, false); + if (result == ISC_R_SUCCESS) { + level = ISC_LOG_DEBUG(3); + msg = "approved"; + } else if (acl == NULL && !has_ssutable) { + level = ISC_LOG_INFO; + } + } + + if (client->signer != NULL) { + dns_name_format(client->signer, namebuf, sizeof(namebuf)); + ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, + NS_LOGMODULE_UPDATE, ISC_LOG_INFO, + "signer \"%s\" %s", namebuf, msg); + } + + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, + sizeof(classbuf)); + + ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, + NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s", message, + namebuf, classbuf, msg); + return (result); +} + +/*% + * Update a single RR in version 'ver' of 'db' and log the + * update in 'diff'. + * + * Ensures: + * \li '*tuple' == NULL. Either the tuple is freed, or its + * ownership has been transferred to the diff. + */ +static isc_result_t +do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, + dns_diff_t *diff) { + dns_diff_t temp_diff; + isc_result_t result; + + /* + * Create a singleton diff. + */ + dns_diff_init(diff->mctx, &temp_diff); + ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); + + /* + * Apply it to the database. + */ + result = dns_diff_apply(&temp_diff, db, ver); + ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link); + if (result != ISC_R_SUCCESS) { + dns_difftuple_free(tuple); + return (result); + } + + /* + * Merge it into the current pending journal entry. + */ + dns_diff_appendminimal(diff, tuple); + + /* + * Do not clear temp_diff. + */ + return (ISC_R_SUCCESS); +} + +/*% + * Perform the updates in 'updates' in version 'ver' of 'db' and log the + * update in 'diff'. + * + * Ensures: + * \li 'updates' is empty. + */ +static isc_result_t +do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver, + dns_diff_t *diff) { + isc_result_t result; + while (!ISC_LIST_EMPTY(updates->tuples)) { + dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples); + ISC_LIST_UNLINK(updates->tuples, t, link); + CHECK(do_one_tuple(&t, db, ver, diff)); + } + return (ISC_R_SUCCESS); + +failure: + dns_diff_clear(diff); + return (result); +} + +static isc_result_t +update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, + dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl, + dns_rdata_t *rdata) { + dns_difftuple_t *tuple = NULL; + isc_result_t result; + result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple); + if (result != ISC_R_SUCCESS) { + return (result); + } + return (do_one_tuple(&tuple, db, ver, diff)); +} + +/**************************************************************************/ +/* + * Callback-style iteration over rdatasets and rdatas. + * + * foreach_rrset() can be used to iterate over the RRsets + * of a name and call a callback function with each + * one. Similarly, foreach_rr() can be used to iterate + * over the individual RRs at name, optionally restricted + * to RRs of a given type. + * + * The callback functions are called "actions" and take + * two arguments: a void pointer for passing arbitrary + * context information, and a pointer to the current RRset + * or RR. By convention, their names end in "_action". + */ + +/* + * XXXRTH We might want to make this public somewhere in libdns. + */ + +/*% + * Function type for foreach_rrset() iterator actions. + */ +typedef isc_result_t +rrset_func(void *data, dns_rdataset_t *rrset); + +/*% + * Function type for foreach_rr() iterator actions. + */ +typedef isc_result_t +rr_func(void *data, rr_t *rr); + +/*% + * Internal context struct for foreach_node_rr(). + */ +typedef struct { + rr_func *rr_action; + void *rr_action_data; +} foreach_node_rr_ctx_t; + +/*% + * Internal helper function for foreach_node_rr(). + */ +static isc_result_t +foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { + isc_result_t result; + foreach_node_rr_ctx_t *ctx = data; + for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) + { + rr_t rr = { 0, DNS_RDATA_INIT }; + + dns_rdataset_current(rdataset, &rr.rdata); + rr.ttl = rdataset->ttl; + result = (*ctx->rr_action)(ctx->rr_action_data, &rr); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + if (result != ISC_R_NOMORE) { + return (result); + } + return (ISC_R_SUCCESS); +} + +/*% + * For each rdataset of 'name' in 'ver' of 'db', call 'action' + * with the rdataset and 'action_data' as arguments. If the name + * does not exist, do nothing. + * + * If 'action' returns an error, abort iteration and return the error. + */ +static isc_result_t +foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + rrset_func *action, void *action_data) { + isc_result_t result; + dns_dbnode_t *node; + dns_rdatasetiter_t *iter; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_dbversion_t *oldver = NULL; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + + /* + * Only set the clientinfo 'versionp' if the new version is + * different from the current version + */ + dns_db_currentversion(db, &oldver); + dns_clientinfo_init(&ci, NULL, (ver != oldver) ? ver : NULL); + dns_db_closeversion(db, &oldver, false); + + node = NULL; + result = dns_db_findnodeext(db, name, false, &cm, &ci, &node); + if (result == ISC_R_NOTFOUND) { + return (ISC_R_SUCCESS); + } + if (result != ISC_R_SUCCESS) { + return (result); + } + + iter = NULL; + result = dns_db_allrdatasets(db, node, ver, 0, (isc_stdtime_t)0, &iter); + if (result != ISC_R_SUCCESS) { + goto cleanup_node; + } + + for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(iter)) + { + dns_rdataset_t rdataset; + + dns_rdataset_init(&rdataset); + dns_rdatasetiter_current(iter, &rdataset); + + result = (*action)(action_data, &rdataset); + + dns_rdataset_disassociate(&rdataset); + if (result != ISC_R_SUCCESS) { + goto cleanup_iterator; + } + } + if (result == ISC_R_NOMORE) { + result = ISC_R_SUCCESS; + } + +cleanup_iterator: + dns_rdatasetiter_destroy(&iter); + +cleanup_node: + dns_db_detachnode(db, &node); + + return (result); +} + +/*% + * For each RR of 'name' in 'ver' of 'db', call 'action' + * with the RR and 'action_data' as arguments. If the name + * does not exist, do nothing. + * + * If 'action' returns an error, abort iteration + * and return the error. + */ +static isc_result_t +foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + rr_func *rr_action, void *rr_action_data) { + foreach_node_rr_ctx_t ctx; + ctx.rr_action = rr_action; + ctx.rr_action_data = rr_action_data; + return (foreach_rrset(db, ver, name, foreach_node_rr_action, &ctx)); +} + +/*% + * For each of the RRs specified by 'db', 'ver', 'name', 'type', + * (which can be dns_rdatatype_any to match any type), and 'covers', call + * 'action' with the RR and 'action_data' as arguments. If the name + * does not exist, or if no RRset of the given type exists at the name, + * do nothing. + * + * If 'action' returns an error, abort iteration and return the error. + */ +static isc_result_t +foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action, + void *rr_action_data) { + isc_result_t result; + dns_dbnode_t *node; + dns_rdataset_t rdataset; + dns_clientinfomethods_t cm; + dns_clientinfo_t ci; + dns_dbversion_t *oldver = NULL; + dns_fixedname_t fixed; + + dns_clientinfomethods_init(&cm, ns_client_sourceip); + + /* + * Only set the clientinfo 'versionp' if the new version is + * different from the current version + */ + dns_db_currentversion(db, &oldver); + dns_clientinfo_init(&ci, NULL, (ver != oldver) ? ver : NULL); + dns_db_closeversion(db, &oldver, false); + + if (type == dns_rdatatype_any) { + return (foreach_node_rr(db, ver, name, rr_action, + rr_action_data)); + } + + node = NULL; + if (type == dns_rdatatype_nsec3 || + (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3)) + { + result = dns_db_findnsec3node(db, name, false, &node); + } else { + result = dns_db_findnodeext(db, name, false, &cm, &ci, &node); + } + if (result == ISC_R_NOTFOUND) { + return (ISC_R_SUCCESS); + } + if (result != ISC_R_SUCCESS) { + return (result); + } + + dns_rdataset_init(&rdataset); + result = dns_db_findrdataset(db, node, ver, type, covers, + (isc_stdtime_t)0, &rdataset, NULL); + if (result == ISC_R_NOTFOUND) { + result = ISC_R_SUCCESS; + goto cleanup_node; + } + if (result != ISC_R_SUCCESS) { + goto cleanup_node; + } + + if (rr_action == add_rr_prepare_action) { + add_rr_prepare_ctx_t *ctx = rr_action_data; + + ctx->oldname = dns_fixedname_initname(&fixed); + dns_name_copy(name, ctx->oldname); + dns_rdataset_getownercase(&rdataset, ctx->oldname); + } + + for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + rr_t rr = { 0, DNS_RDATA_INIT }; + dns_rdataset_current(&rdataset, &rr.rdata); + rr.ttl = rdataset.ttl; + result = (*rr_action)(rr_action_data, &rr); + if (result != ISC_R_SUCCESS) { + goto cleanup_rdataset; + } + } + if (result != ISC_R_NOMORE) { + goto cleanup_rdataset; + } + result = ISC_R_SUCCESS; + +cleanup_rdataset: + dns_rdataset_disassociate(&rdataset); +cleanup_node: + dns_db_detachnode(db, &node); + + return (result); +} + +/**************************************************************************/ +/* + * Various tests on the database contents (for prerequisites, etc). + */ + +/*% + * Function type for predicate functions that compare a database RR 'db_rr' + * against an update RR 'update_rr'. + */ +typedef bool +rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr); + +static isc_result_t +count_action(void *data, rr_t *rr) { + unsigned int *ui = (unsigned int *)data; + + UNUSED(rr); + + (*ui)++; + + return (ISC_R_SUCCESS); +} + +/*% + * Helper function for rrset_exists(). + */ +static isc_result_t +rrset_exists_action(void *data, rr_t *rr) { + UNUSED(data); + UNUSED(rr); + return (ISC_R_EXISTS); +} + +/*% + * Utility macro for RR existence checking functions. + * + * If the variable 'result' has the value ISC_R_EXISTS or + * ISC_R_SUCCESS, set *exists to true or false, + * respectively, and return success. + * + * If 'result' has any other value, there was a failure. + * Return the failure result code and do not set *exists. + * + * This would be more readable as "do { if ... } while(0)", + * but that form generates tons of warnings on Solaris 2.6. + */ +#define RETURN_EXISTENCE_FLAG \ + return ((result == ISC_R_EXISTS) \ + ? (*exists = true, ISC_R_SUCCESS) \ + : ((result == ISC_R_SUCCESS) \ + ? (*exists = false, ISC_R_SUCCESS) \ + : result)) + +/*% + * Set '*exists' to true iff an rrset of the given type exists, + * to false otherwise. + */ +static isc_result_t +rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, bool *exists) { + isc_result_t result; + result = foreach_rr(db, ver, name, type, covers, rrset_exists_action, + NULL); + RETURN_EXISTENCE_FLAG; +} + +/*% + * Helper function for cname_incompatible_rrset_exists. + */ +static isc_result_t +cname_compatibility_action(void *data, dns_rdataset_t *rrset) { + UNUSED(data); + if (rrset->type != dns_rdatatype_cname && + !dns_rdatatype_atcname(rrset->type)) + { + return (ISC_R_EXISTS); + } + return (ISC_R_SUCCESS); +} + +/*% + * Check whether there is an rrset incompatible with adding a CNAME RR, + * i.e., anything but another CNAME (which can be replaced) or a + * DNSSEC RR (which can coexist). + * + * If such an incompatible rrset exists, set '*exists' to true. + * Otherwise, set it to false. + */ +static isc_result_t +cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, + dns_name_t *name, bool *exists) { + isc_result_t result; + result = foreach_rrset(db, ver, name, cname_compatibility_action, NULL); + RETURN_EXISTENCE_FLAG; +} + +/*% + * Helper function for rr_count(). + */ +static isc_result_t +count_rr_action(void *data, rr_t *rr) { + int *countp = data; + UNUSED(rr); + (*countp)++; + return (ISC_R_SUCCESS); +} + +/*% + * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'. + */ +static isc_result_t +rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + dns_rdatatype_t type, dns_rdatatype_t covers, int *countp) { + *countp = 0; + return (foreach_rr(db, ver, name, type, covers, count_rr_action, + countp)); +} + +/*% + * Context struct and helper function for name_exists(). + */ + +static isc_result_t +name_exists_action(void *data, dns_rdataset_t *rrset) { + UNUSED(data); + UNUSED(rrset); + return (ISC_R_EXISTS); +} + +/*% + * Set '*exists' to true iff the given name exists, to false otherwise. + */ +static isc_result_t +name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + bool *exists) { + isc_result_t result; + result = foreach_rrset(db, ver, name, name_exists_action, NULL); + RETURN_EXISTENCE_FLAG; +} + +/* + * 'ssu_check_t' is used to pass the arguments to + * dns_ssutable_checkrules() to the callback function + * ssu_checkrule(). + */ +typedef struct { + /* The ownername of the record to be updated. */ + dns_name_t *name; + + /* The signature's name if the request was signed. */ + dns_name_t *signer; + + /* The address of the client. */ + isc_netaddr_t *addr; + + /* The ACL environment */ + dns_aclenv_t *aclenv; + + /* Whether the request was sent via TCP. */ + bool tcp; + + /* The ssu table to check against. */ + dns_ssutable_t *table; + + /* the key used for TKEY requests */ + dst_key_t *key; +} ssu_check_t; + +static isc_result_t +ssu_checkrule(void *data, dns_rdataset_t *rrset) { + ssu_check_t *ssuinfo = data; + bool rule_ok = false; + + /* + * If we're deleting all records, it's ok to delete RRSIG and NSEC even + * if we're normally not allowed to. + */ + if (rrset->type == dns_rdatatype_rrsig || + rrset->type == dns_rdatatype_nsec) + { + return (ISC_R_SUCCESS); + } + + /* + * krb5-subdomain-self-rhs and ms-subdomain-self-rhs need + * to check the PTR and SRV target names so extract them + * from the resource records. + */ + if (rrset->rdclass == dns_rdataclass_in && + (rrset->type == dns_rdatatype_srv || + rrset->type == dns_rdatatype_ptr)) + { + dns_name_t *target = NULL; + dns_rdata_ptr_t ptr; + dns_rdata_in_srv_t srv; + dns_rdataset_t rdataset; + isc_result_t result; + + dns_rdataset_init(&rdataset); + dns_rdataset_clone(rrset, &rdataset); + + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &rdata); + if (rrset->type == dns_rdatatype_ptr) { + result = dns_rdata_tostruct(&rdata, &ptr, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &ptr.ptr; + } + if (rrset->type == dns_rdatatype_srv) { + result = dns_rdata_tostruct(&rdata, &srv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &srv.target; + } + rule_ok = dns_ssutable_checkrules( + ssuinfo->table, ssuinfo->signer, ssuinfo->name, + ssuinfo->addr, ssuinfo->tcp, ssuinfo->aclenv, + rrset->type, target, ssuinfo->key, NULL); + if (!rule_ok) { + break; + } + } + if (result != ISC_R_NOMORE) { + rule_ok = false; + } + dns_rdataset_disassociate(&rdataset); + } else { + rule_ok = dns_ssutable_checkrules( + ssuinfo->table, ssuinfo->signer, ssuinfo->name, + ssuinfo->addr, ssuinfo->tcp, ssuinfo->aclenv, + rrset->type, NULL, ssuinfo->key, NULL); + } + return (rule_ok ? ISC_R_SUCCESS : ISC_R_FAILURE); +} + +static bool +ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + dns_ssutable_t *ssutable, dns_name_t *signer, isc_netaddr_t *addr, + dns_aclenv_t *aclenv, bool tcp, dst_key_t *key) { + isc_result_t result; + ssu_check_t ssuinfo; + + ssuinfo.name = name; + ssuinfo.table = ssutable; + ssuinfo.signer = signer; + ssuinfo.addr = addr; + ssuinfo.aclenv = aclenv; + ssuinfo.tcp = tcp; + ssuinfo.key = key; + result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo); + return (result == ISC_R_SUCCESS); +} + +static isc_result_t +ssu_checkrr(void *data, rr_t *rr) { + isc_result_t result; + ssu_check_t *ssuinfo = data; + dns_name_t *target = NULL; + dns_rdata_ptr_t ptr; + dns_rdata_in_srv_t srv; + bool answer; + + if (rr->rdata.type == dns_rdatatype_ptr) { + result = dns_rdata_tostruct(&rr->rdata, &ptr, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &ptr.ptr; + } + if (rr->rdata.type == dns_rdatatype_srv) { + result = dns_rdata_tostruct(&rr->rdata, &srv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &srv.target; + } + + answer = dns_ssutable_checkrules( + ssuinfo->table, ssuinfo->signer, ssuinfo->name, ssuinfo->addr, + ssuinfo->tcp, ssuinfo->aclenv, rr->rdata.type, target, + ssuinfo->key, NULL); + return (answer ? ISC_R_SUCCESS : ISC_R_FAILURE); +} + +/**************************************************************************/ +/* + * Checking of "RRset exists (value dependent)" prerequisites. + * + * In the RFC2136 section 3.2.5, this is the pseudocode involving + * a variable called "temp", a mapping of tuples to rrsets. + * + * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t" + * where each tuple has op==DNS_DIFFOP_EXISTS. + */ + +/*% + * Append a tuple asserting the existence of the RR with + * 'name' and 'rdata' to 'diff'. + */ +static isc_result_t +temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) { + isc_result_t result; + dns_difftuple_t *tuple = NULL; + + REQUIRE(DNS_DIFF_VALID(diff)); + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS, name, 0, + rdata, &tuple)); + ISC_LIST_APPEND(diff->tuples, tuple, link); +failure: + return (result); +} + +/*% + * Compare two rdatasets represented as sorted lists of tuples. + * All list elements must have the same owner name and type. + * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset) + * if not. + */ +static isc_result_t +temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) { + for (;;) { + if (a == NULL || b == NULL) { + break; + } + INSIST(a->op == DNS_DIFFOP_EXISTS && + b->op == DNS_DIFFOP_EXISTS); + INSIST(a->rdata.type == b->rdata.type); + INSIST(dns_name_equal(&a->name, &b->name)); + if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0) { + return (DNS_R_NXRRSET); + } + a = ISC_LIST_NEXT(a, link); + b = ISC_LIST_NEXT(b, link); + } + if (a != NULL || b != NULL) { + return (DNS_R_NXRRSET); + } + return (ISC_R_SUCCESS); +} + +/*% + * A comparison function defining the sorting order for the entries + * in the "temp" data structure. The major sort key is the owner name, + * followed by the type and rdata. + */ +static int +temp_order(const void *av, const void *bv) { + dns_difftuple_t const *const *ap = av; + dns_difftuple_t const *const *bp = bv; + dns_difftuple_t const *a = *ap; + dns_difftuple_t const *b = *bp; + int r; + r = dns_name_compare(&a->name, &b->name); + if (r != 0) { + return (r); + } + r = (b->rdata.type - a->rdata.type); + if (r != 0) { + return (r); + } + r = dns_rdata_casecompare(&a->rdata, &b->rdata); + return (r); +} + +/*% + * Check the "RRset exists (value dependent)" prerequisite information + * in 'temp' against the contents of the database 'db'. + * + * Return ISC_R_SUCCESS if the prerequisites are satisfied, + * rcode(dns_rcode_nxrrset) if not. + * + * 'temp' must be pre-sorted. + */ + +static isc_result_t +temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, + dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep) { + isc_result_t result; + dns_name_t *name; + dns_dbnode_t *node; + dns_difftuple_t *t; + dns_diff_t trash; + + dns_diff_init(mctx, &trash); + + /* + * For each name and type in the prerequisites, + * construct a sorted rdata list of the corresponding + * database contents, and compare the lists. + */ + t = ISC_LIST_HEAD(temp->tuples); + while (t != NULL) { + name = &t->name; + dns_name_copy(name, tmpname); + *typep = t->rdata.type; + + /* A new unique name begins here. */ + node = NULL; + result = dns_db_findnode(db, name, false, &node); + if (result == ISC_R_NOTFOUND) { + dns_diff_clear(&trash); + return (DNS_R_NXRRSET); + } + if (result != ISC_R_SUCCESS) { + dns_diff_clear(&trash); + return (result); + } + + /* A new unique type begins here. */ + while (t != NULL && dns_name_equal(&t->name, name)) { + dns_rdatatype_t type, covers; + dns_rdataset_t rdataset; + dns_diff_t d_rrs; /* Database RRs with + * this name and type */ + dns_diff_t u_rrs; /* Update RRs with + * this name and type */ + + *typep = type = t->rdata.type; + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) + { + covers = dns_rdata_covers(&t->rdata); + } else if (type == dns_rdatatype_any) { + dns_db_detachnode(db, &node); + dns_diff_clear(&trash); + return (DNS_R_NXRRSET); + } else { + covers = 0; + } + + /* + * Collect all database RRs for this name and type + * onto d_rrs and sort them. + */ + dns_rdataset_init(&rdataset); + result = dns_db_findrdataset(db, node, ver, type, + covers, (isc_stdtime_t)0, + &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + dns_db_detachnode(db, &node); + dns_diff_clear(&trash); + return (DNS_R_NXRRSET); + } + + dns_diff_init(mctx, &d_rrs); + dns_diff_init(mctx, &u_rrs); + + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &rdata); + result = temp_append(&d_rrs, name, &rdata); + if (result != ISC_R_SUCCESS) { + goto failure; + } + } + if (result != ISC_R_NOMORE) { + goto failure; + } + result = dns_diff_sort(&d_rrs, temp_order); + if (result != ISC_R_SUCCESS) { + goto failure; + } + + /* + * Collect all update RRs for this name and type + * onto u_rrs. No need to sort them here - + * they are already sorted. + */ + while (t != NULL && dns_name_equal(&t->name, name) && + t->rdata.type == type) + { + dns_difftuple_t *next = ISC_LIST_NEXT(t, link); + ISC_LIST_UNLINK(temp->tuples, t, link); + ISC_LIST_APPEND(u_rrs.tuples, t, link); + t = next; + } + + /* Compare the two sorted lists. */ + result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples), + ISC_LIST_HEAD(d_rrs.tuples)); + if (result != ISC_R_SUCCESS) { + goto failure; + } + + /* + * We are done with the tuples, but we can't free + * them yet because "name" still points into one + * of them. Move them on a temporary list. + */ + ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link); + ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link); + dns_rdataset_disassociate(&rdataset); + + continue; + + failure: + dns_diff_clear(&d_rrs); + dns_diff_clear(&u_rrs); + dns_diff_clear(&trash); + dns_rdataset_disassociate(&rdataset); + dns_db_detachnode(db, &node); + return (result); + } + + dns_db_detachnode(db, &node); + } + + dns_diff_clear(&trash); + return (ISC_R_SUCCESS); +} + +/**************************************************************************/ +/* + * Conditional deletion of RRs. + */ + +/*% + * Context structure for delete_if(). + */ + +typedef struct { + rr_predicate *predicate; + dns_db_t *db; + dns_dbversion_t *ver; + dns_diff_t *diff; + dns_name_t *name; + dns_rdata_t *update_rr; +} conditional_delete_ctx_t; + +/*% + * Predicate functions for delete_if(). + */ + +/*% + * Return true iff 'db_rr' is neither a SOA nor an NS RR nor + * an RRSIG nor an NSEC3PARAM nor a NSEC. + */ +static bool +type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + UNUSED(update_rr); + return ((db_rr->type != dns_rdatatype_soa && + db_rr->type != dns_rdatatype_ns && + db_rr->type != dns_rdatatype_nsec3param && + db_rr->type != dns_rdatatype_rrsig && + db_rr->type != dns_rdatatype_nsec) + ? true + : false); +} + +/*% + * Return true iff 'db_rr' is neither a RRSIG nor a NSEC. + */ +static bool +type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + UNUSED(update_rr); + return ((db_rr->type != dns_rdatatype_rrsig && + db_rr->type != dns_rdatatype_nsec) + ? true + : false); +} + +/*% + * Return true always. + */ +static bool +true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + UNUSED(update_rr); + UNUSED(db_rr); + return (true); +} + +/*% + * Return true iff the two RRs have identical rdata. + */ +static bool +rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + /* + * XXXRTH This is not a problem, but we should consider creating + * dns_rdata_equal() (that used dns_name_equal()), since it + * would be faster. Not a priority. + */ + return (dns_rdata_casecompare(update_rr, db_rr) == 0 ? true : false); +} + +/*% + * Return true iff 'update_rr' should replace 'db_rr' according + * to the special RFC2136 rules for CNAME, SOA, and WKS records. + * + * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs + * make little sense, so we replace those, too. + * + * Additionally replace RRSIG that have been generated by the same key + * for the same type. This simplifies refreshing a offline KSK by not + * requiring that the old RRSIG be deleted. It also simplifies key + * rollover by only requiring that the new RRSIG be added. + */ +static bool +replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + dns_rdata_rrsig_t updatesig, dbsig; + isc_result_t result; + + if (db_rr->type != update_rr->type) { + return (false); + } + if (db_rr->type == dns_rdatatype_cname) { + return (true); + } + if (db_rr->type == dns_rdatatype_dname) { + return (true); + } + if (db_rr->type == dns_rdatatype_soa) { + return (true); + } + if (db_rr->type == dns_rdatatype_nsec) { + return (true); + } + if (db_rr->type == dns_rdatatype_rrsig) { + /* + * Replace existing RRSIG with the same keyid, + * covered and algorithm. + */ + result = dns_rdata_tostruct(db_rr, &dbsig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + result = dns_rdata_tostruct(update_rr, &updatesig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if (dbsig.keyid == updatesig.keyid && + dbsig.covered == updatesig.covered && + dbsig.algorithm == updatesig.algorithm) + { + return (true); + } + } + if (db_rr->type == dns_rdatatype_wks) { + /* + * Compare the address and protocol fields only. These + * form the first five bytes of the RR data. Do a + * raw binary comparison; unpacking the WKS RRs using + * dns_rdata_tostruct() might be cleaner in some ways. + */ + INSIST(db_rr->length >= 5 && update_rr->length >= 5); + return (memcmp(db_rr->data, update_rr->data, 5) == 0 ? true + : false); + } + + if (db_rr->type == dns_rdatatype_nsec3param) { + if (db_rr->length != update_rr->length) { + return (false); + } + INSIST(db_rr->length >= 4 && update_rr->length >= 4); + /* + * Replace NSEC3PARAM records that only differ by the + * flags field. + */ + if (db_rr->data[0] == update_rr->data[0] && + memcmp(db_rr->data + 2, update_rr->data + 2, + update_rr->length - 2) == 0) + { + return (true); + } + } + return (false); +} + +/*% + * Internal helper function for delete_if(). + */ +static isc_result_t +delete_if_action(void *data, rr_t *rr) { + conditional_delete_ctx_t *ctx = data; + if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) { + isc_result_t result; + result = update_one_rr(ctx->db, ctx->ver, ctx->diff, + DNS_DIFFOP_DEL, ctx->name, rr->ttl, + &rr->rdata); + return (result); + } else { + return (ISC_R_SUCCESS); + } +} + +/*% + * Conditionally delete RRs. Apply 'predicate' to the RRs + * specified by 'db', 'ver', 'name', and 'type' (which can + * be dns_rdatatype_any to match any type). Delete those + * RRs for which the predicate returns true, and log the + * deletions in 'diff'. + */ +static isc_result_t +delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver, + dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, + dns_rdata_t *update_rr, dns_diff_t *diff) { + conditional_delete_ctx_t ctx; + ctx.predicate = predicate; + ctx.db = db; + ctx.ver = ver; + ctx.diff = diff; + ctx.name = name; + ctx.update_rr = update_rr; + return (foreach_rr(db, ver, name, type, covers, delete_if_action, + &ctx)); +} + +/**************************************************************************/ + +static isc_result_t +add_rr_prepare_action(void *data, rr_t *rr) { + isc_result_t result = ISC_R_SUCCESS; + add_rr_prepare_ctx_t *ctx = data; + dns_difftuple_t *tuple = NULL; + bool equal, case_equal, ttl_equal; + + /* + * Are the new and old cases equal? + */ + case_equal = dns_name_caseequal(ctx->name, ctx->oldname); + + /* + * Are the ttl's equal? + */ + ttl_equal = rr->ttl == ctx->update_rr_ttl; + + /* + * If the update RR is a "duplicate" of a existing RR, + * the update should be silently ignored. + */ + equal = (dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0); + if (equal && case_equal && ttl_equal) { + ctx->ignore_add = true; + return (ISC_R_SUCCESS); + } + + /* + * If this RR is "equal" to the update RR, it should + * be deleted before the update RR is added. + */ + if (replaces_p(ctx->update_rr, &rr->rdata)) { + CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL, + ctx->oldname, rr->ttl, &rr->rdata, + &tuple)); + dns_diff_append(&ctx->del_diff, &tuple); + return (ISC_R_SUCCESS); + } + + /* + * If this RR differs in TTL or case from the update RR, + * its TTL and case must be adjusted. + */ + if (!ttl_equal || !case_equal) { + CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL, + ctx->oldname, rr->ttl, &rr->rdata, + &tuple)); + dns_diff_append(&ctx->del_diff, &tuple); + if (!equal) { + CHECK(dns_difftuple_create( + ctx->add_diff.mctx, DNS_DIFFOP_ADD, ctx->name, + ctx->update_rr_ttl, &rr->rdata, &tuple)); + dns_diff_append(&ctx->add_diff, &tuple); + } + } +failure: + return (result); +} + +/**************************************************************************/ +/* + * Miscellaneous subroutines. + */ + +/*% + * Extract a single update RR from 'section' of dynamic update message + * 'msg', with consistency checking. + * + * Stores the owner name, rdata, and TTL of the update RR at 'name', + * 'rdata', and 'ttl', respectively. + */ +static void +get_current_rr(dns_message_t *msg, dns_section_t section, + dns_rdataclass_t zoneclass, dns_name_t **name, + dns_rdata_t *rdata, dns_rdatatype_t *covers, dns_ttl_t *ttl, + dns_rdataclass_t *update_class) { + dns_rdataset_t *rdataset; + isc_result_t result; + dns_message_currentname(msg, section, name); + rdataset = ISC_LIST_HEAD((*name)->list); + INSIST(rdataset != NULL); + INSIST(ISC_LIST_NEXT(rdataset, link) == NULL); + *covers = rdataset->covers; + *ttl = rdataset->ttl; + result = dns_rdataset_first(rdataset); + INSIST(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, rdata); + INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE); + *update_class = rdata->rdclass; + rdata->rdclass = zoneclass; +} + +/*% + * Increment the SOA serial number of database 'db', version 'ver'. + * Replace the SOA record in the database, and log the + * change in 'diff'. + */ + +/* + * XXXRTH Failures in this routine will be worth logging, when + * we have a logging system. Failure to find the zonename + * or the SOA rdataset warrant at least an UNEXPECTED_ERROR(). + */ + +static isc_result_t +update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, + isc_mem_t *mctx, dns_updatemethod_t method) { + dns_difftuple_t *deltuple = NULL; + dns_difftuple_t *addtuple = NULL; + uint32_t serial; + isc_result_t result; + + CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple)); + CHECK(dns_difftuple_copy(deltuple, &addtuple)); + addtuple->op = DNS_DIFFOP_ADD; + + serial = dns_soa_getserial(&addtuple->rdata); + serial = dns_update_soaserial(serial, method, NULL); + dns_soa_setserial(serial, &addtuple->rdata); + CHECK(do_one_tuple(&deltuple, db, ver, diff)); + CHECK(do_one_tuple(&addtuple, db, ver, diff)); + result = ISC_R_SUCCESS; + +failure: + if (addtuple != NULL) { + dns_difftuple_free(&addtuple); + } + if (deltuple != NULL) { + dns_difftuple_free(&deltuple); + } + return (result); +} + +/*% + * Check that the new SOA record at 'update_rdata' does not + * illegally cause the SOA serial number to decrease or stay + * unchanged relative to the existing SOA in 'db'. + * + * Sets '*ok' to true if the update is legal, false if not. + * + * William King points out that RFC2136 is inconsistent about + * the case where the serial number stays unchanged: + * + * section 3.4.2.2 requires a server to ignore a SOA update request + * if the serial number on the update SOA is less_than_or_equal to + * the zone SOA serial. + * + * section 3.6 requires a server to ignore a SOA update request if + * the serial is less_than the zone SOA serial. + * + * Paul says 3.4.2.2 is correct. + * + */ +static isc_result_t +check_soa_increment(dns_db_t *db, dns_dbversion_t *ver, + dns_rdata_t *update_rdata, bool *ok) { + uint32_t db_serial; + uint32_t update_serial; + isc_result_t result; + + update_serial = dns_soa_getserial(update_rdata); + + result = dns_db_getsoaserial(db, ver, &db_serial); + if (result != ISC_R_SUCCESS) { + return (result); + } + + if (DNS_SERIAL_GE(db_serial, update_serial)) { + *ok = false; + } else { + *ok = true; + } + + return (ISC_R_SUCCESS); +} + +/**************************************************************************/ +/*% + * The actual update code in all its glory. We try to follow + * the RFC2136 pseudocode as closely as possible. + */ + +static isc_result_t +send_update_event(ns_client_t *client, dns_zone_t *zone) { + isc_result_t result = ISC_R_SUCCESS; + update_event_t *event = NULL; + isc_task_t *zonetask = NULL; + dns_ssutable_t *ssutable = NULL; + dns_message_t *request = client->message; + isc_mem_t *mctx = client->manager->mctx; + dns_aclenv_t *env = client->manager->aclenv; + dns_rdataclass_t zoneclass; + dns_rdatatype_t covers; + dns_name_t *zonename = NULL; + const dns_ssurule_t **rules = NULL; + size_t rule = 0, ruleslen = 0; + dns_db_t *db = NULL; + dns_dbversion_t *ver = NULL; + + CHECK(dns_zone_getdb(zone, &db)); + zonename = dns_db_origin(db); + zoneclass = dns_db_class(db); + dns_zone_getssutable(zone, &ssutable); + dns_db_currentversion(db, &ver); + + /* + * Update message processing can leak record existence information + * so check that we are allowed to query this zone. Additionally, + * if we would refuse all updates for this zone, we bail out here. + */ + CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), + dns_zone_getorigin(zone), + dns_zone_getupdateacl(zone), ssutable)); + + /* + * Check requestor's permissions. + */ + if (ssutable == NULL) { + CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone), + "update", dns_zone_getorigin(zone), false, + false)); + } else if (client->signer == NULL && !TCPCLIENT(client)) { + CHECK(checkupdateacl(client, NULL, "update", + dns_zone_getorigin(zone), false, true)); + } + + if (dns_zone_getupdatedisabled(zone)) { + FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled " + "because the zone is frozen. Use " + "'rndc thaw' to re-enable updates."); + } + + /* + * Prescan the update section, checking for updates that + * are illegal or violate policy. + */ + if (ssutable != NULL) { + ruleslen = request->counts[DNS_SECTION_UPDATE]; + rules = isc_mem_get(mctx, sizeof(*rules) * ruleslen); + memset(rules, 0, sizeof(*rules) * ruleslen); + } + + for (rule = 0, + result = dns_message_firstname(request, DNS_SECTION_UPDATE); + result == ISC_R_SUCCESS; + rule++, result = dns_message_nextname(request, DNS_SECTION_UPDATE)) + { + dns_name_t *name = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_ttl_t ttl; + dns_rdataclass_t update_class; + + INSIST(ssutable == NULL || rule < ruleslen); + + get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name, + &rdata, &covers, &ttl, &update_class); + + if (!dns_name_issubdomain(name, zonename)) { + FAILC(DNS_R_NOTZONE, "update RR is outside zone"); + } + if (update_class == zoneclass) { + /* + * Check for meta-RRs. The RFC2136 pseudocode says + * check for ANY|AXFR|MAILA|MAILB, but the text adds + * "or any other QUERY metatype" + */ + if (dns_rdatatype_ismeta(rdata.type)) { + FAILC(DNS_R_FORMERR, "meta-RR in update"); + } + result = dns_zone_checknames(zone, name, &rdata); + if (result != ISC_R_SUCCESS) { + FAIL(DNS_R_REFUSED); + } + } else if (update_class == dns_rdataclass_any) { + if (ttl != 0 || rdata.length != 0 || + (dns_rdatatype_ismeta(rdata.type) && + rdata.type != dns_rdatatype_any)) + { + FAILC(DNS_R_FORMERR, "meta-RR in update"); + } + } else if (update_class == dns_rdataclass_none) { + if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) { + FAILC(DNS_R_FORMERR, "meta-RR in update"); + } + } else { + update_log(client, zone, ISC_LOG_WARNING, + "update RR has incorrect class %d", + update_class); + FAIL(DNS_R_FORMERR); + } + + /* + * draft-ietf-dnsind-simple-secure-update-01 says + * "Unlike traditional dynamic update, the client + * is forbidden from updating NSEC records." + */ + if (rdata.type == dns_rdatatype_nsec3) { + FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not " + "allowed " + "in secure zones"); + } else if (rdata.type == dns_rdatatype_nsec) { + FAILC(DNS_R_REFUSED, "explicit NSEC updates are not " + "allowed " + "in secure zones"); + } else if (rdata.type == dns_rdatatype_rrsig && + !dns_name_equal(name, zonename)) + { + FAILC(DNS_R_REFUSED, "explicit RRSIG updates are " + "currently " + "not supported in secure zones " + "except " + "at the apex"); + } + + if (ssutable != NULL) { + isc_netaddr_t netaddr; + dns_name_t *target = NULL; + dst_key_t *tsigkey = NULL; + dns_rdata_ptr_t ptr; + dns_rdata_in_srv_t srv; + + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); + + if (client->message->tsigkey != NULL) { + tsigkey = client->message->tsigkey->key; + } + + if ((update_class == dns_rdataclass_in || + update_class == dns_rdataclass_none) && + rdata.type == dns_rdatatype_ptr) + { + result = dns_rdata_tostruct(&rdata, &ptr, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &ptr.ptr; + } + + if ((update_class == dns_rdataclass_in || + update_class == dns_rdataclass_none) && + rdata.type == dns_rdatatype_srv) + { + result = dns_rdata_tostruct(&rdata, &srv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + target = &srv.target; + } + + if (update_class == dns_rdataclass_any && + zoneclass == dns_rdataclass_in && + (rdata.type == dns_rdatatype_ptr || + rdata.type == dns_rdatatype_srv)) + { + ssu_check_t ssuinfo; + + ssuinfo.name = name; + ssuinfo.table = ssutable; + ssuinfo.signer = client->signer; + ssuinfo.addr = &netaddr; + ssuinfo.aclenv = env; + ssuinfo.tcp = TCPCLIENT(client); + ssuinfo.key = tsigkey; + + result = foreach_rr(db, ver, name, rdata.type, + dns_rdatatype_none, + ssu_checkrr, &ssuinfo); + if (result != ISC_R_SUCCESS) { + FAILC(DNS_R_REFUSED, + "rejected by secure update"); + } + } else if (target != NULL && + update_class == dns_rdataclass_none) + { + bool flag; + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + if (flag && + !dns_ssutable_checkrules( + ssutable, client->signer, name, + &netaddr, TCPCLIENT(client), env, + rdata.type, target, tsigkey, + &rules[rule])) + { + FAILC(DNS_R_REFUSED, + "rejected by secure update"); + } + } else if (rdata.type != dns_rdatatype_any) { + if (!dns_ssutable_checkrules( + ssutable, client->signer, name, + &netaddr, TCPCLIENT(client), env, + rdata.type, target, tsigkey, + &rules[rule])) + { + FAILC(DNS_R_REFUSED, "rejected by " + "secure update"); + } + } else { + if (!ssu_checkall(db, ver, name, ssutable, + client->signer, &netaddr, env, + TCPCLIENT(client), tsigkey)) + { + FAILC(DNS_R_REFUSED, "rejected by " + "secure update"); + } + } + } + } + if (result != ISC_R_NOMORE) { + FAIL(result); + } + + update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK"); + + result = isc_quota_attach(&client->manager->sctx->updquota, + &(isc_quota_t *){ NULL }); + if (result != ISC_R_SUCCESS) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "update failed: too many DNS UPDATEs queued (%s)", + isc_result_totext(result)); + ns_stats_increment(client->manager->sctx->nsstats, + ns_statscounter_updatequota); + CHECK(DNS_R_DROP); + } + + event = (update_event_t *)isc_event_allocate( + client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL, + sizeof(*event)); + event->zone = zone; + event->result = ISC_R_SUCCESS; + event->rules = rules; + event->ruleslen = ruleslen; + rules = NULL; + + INSIST(client->nupdates == 0); + client->nupdates++; + event->ev_arg = client; + + isc_nmhandle_attach(client->handle, &client->updatehandle); + dns_zone_gettask(zone, &zonetask); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); + +failure: + if (db != NULL) { + dns_db_closeversion(db, &ver, false); + dns_db_detach(&db); + } + + if (rules != NULL) { + isc_mem_put(mctx, rules, sizeof(*rules) * ruleslen); + } + + if (ssutable != NULL) { + dns_ssutable_detach(&ssutable); + } + + return (result); +} + +static void +respond(ns_client_t *client, isc_result_t result) { + isc_result_t msg_result; + + msg_result = dns_message_reply(client->message, true); + if (msg_result != ISC_R_SUCCESS) { + isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE, + NS_LOGMODULE_UPDATE, ISC_LOG_ERROR, + "could not create update response message: %s", + isc_result_totext(msg_result)); + ns_client_drop(client, msg_result); + isc_nmhandle_detach(&client->reqhandle); + return; + } + + client->message->rcode = dns_result_torcode(result); + ns_client_send(client); + isc_nmhandle_detach(&client->reqhandle); +} + +void +ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + isc_result_t sigresult) { + dns_message_t *request = client->message; + isc_result_t result; + dns_name_t *zonename; + dns_rdataset_t *zone_rdataset; + dns_zone_t *zone = NULL, *raw = NULL; + + /* + * Attach to the request handle. This will be held until + * we respond, or drop the request. + */ + isc_nmhandle_attach(handle, &client->reqhandle); + + /* + * Interpret the zone section. + */ + result = dns_message_firstname(request, DNS_SECTION_ZONE); + if (result != ISC_R_SUCCESS) { + FAILC(DNS_R_FORMERR, "update zone section empty"); + } + + /* + * The zone section must contain exactly one "question", and + * it must be of type SOA. + */ + zonename = NULL; + dns_message_currentname(request, DNS_SECTION_ZONE, &zonename); + zone_rdataset = ISC_LIST_HEAD(zonename->list); + if (zone_rdataset->type != dns_rdatatype_soa) { + FAILC(DNS_R_FORMERR, "update zone section contains non-SOA"); + } + if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) { + FAILC(DNS_R_FORMERR, "update zone section contains multiple " + "RRs"); + } + + /* The zone section must have exactly one name. */ + result = dns_message_nextname(request, DNS_SECTION_ZONE); + if (result != ISC_R_NOMORE) { + FAILC(DNS_R_FORMERR, "update zone section contains multiple " + "RRs"); + } + + result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone); + if (result != ISC_R_SUCCESS) { + /* + * If we found a zone that is a parent of the update zonename, + * detach it so it isn't mentioned in log - it is irrelevant. + */ + if (zone != NULL) { + dns_zone_detach(&zone); + } + FAILN(DNS_R_NOTAUTH, zonename, + "not authoritative for update zone"); + } + + /* + * If there is a raw (unsigned) zone associated with this + * zone then it processes the UPDATE request. + */ + dns_zone_getraw(zone, &raw); + if (raw != NULL) { + dns_zone_detach(&zone); + dns_zone_attach(raw, &zone); + dns_zone_detach(&raw); + } + + switch (dns_zone_gettype(zone)) { + case dns_zone_primary: + case dns_zone_dlz: + /* + * We can now fail due to a bad signature as we now know + * that we are the primary. + */ + if (sigresult != ISC_R_SUCCESS) { + FAIL(sigresult); + } + dns_message_clonebuffer(client->message); + CHECK(send_update_event(client, zone)); + break; + case dns_zone_secondary: + case dns_zone_mirror: + dns_message_clonebuffer(client->message); + CHECK(send_forward_event(client, zone)); + break; + default: + FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); + } + return; + +failure: + if (result == DNS_R_REFUSED) { + inc_stats(client, zone, ns_statscounter_updaterej); + } + + /* + * We failed without having sent an update event to the zone. + * We are still in the client task context, so we can + * simply give an error response without switching tasks. + */ + if (result == DNS_R_DROP) { + ns_client_drop(client, result); + isc_nmhandle_detach(&client->reqhandle); + } else { + respond(client, result); + } + + if (zone != NULL) { + dns_zone_detach(&zone); + } +} + +/*% + * DS records are not allowed to exist without corresponding NS records, + * RFC 3658, 2.2 Protocol Change, + * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex". + */ + +static isc_result_t +remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { + isc_result_t result; + bool ns_exists; + dns_difftuple_t *tuple; + dns_diff_t temp_diff; + + dns_diff_init(diff->mctx, &temp_diff); + + for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; + tuple = ISC_LIST_NEXT(tuple, link)) + { + if (!((tuple->op == DNS_DIFFOP_DEL && + tuple->rdata.type == dns_rdatatype_ns) || + (tuple->op == DNS_DIFFOP_ADD && + tuple->rdata.type == dns_rdatatype_ds))) + { + continue; + } + CHECK(rrset_exists(db, newver, &tuple->name, dns_rdatatype_ns, + 0, &ns_exists)); + if (ns_exists && + !dns_name_equal(&tuple->name, dns_db_origin(db))) + { + continue; + } + CHECK(delete_if(true_p, db, newver, &tuple->name, + dns_rdatatype_ds, 0, NULL, &temp_diff)); + } + result = ISC_R_SUCCESS; + +failure: + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = ISC_LIST_HEAD(temp_diff.tuples)) + { + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + dns_diff_appendminimal(diff, &tuple); + } + return (result); +} + +/* + * This implements the post load integrity checks for mx records. + */ +static isc_result_t +check_mx(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *newver, dns_diff_t *diff) { + char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")]; + char ownerbuf[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char altbuf[DNS_NAME_FORMATSIZE]; + dns_difftuple_t *t; + dns_fixedname_t fixed; + dns_name_t *foundname; + dns_rdata_mx_t mx; + dns_rdata_t rdata; + bool ok = true; + bool isaddress; + isc_result_t result; + struct in6_addr addr6; + struct in_addr addr; + dns_zoneopt_t options; + + foundname = dns_fixedname_initname(&fixed); + dns_rdata_init(&rdata); + options = dns_zone_getoptions(zone); + + for (t = ISC_LIST_HEAD(diff->tuples); t != NULL; + t = ISC_LIST_NEXT(t, link)) + { + if (t->op != DNS_DIFFOP_ADD || + t->rdata.type != dns_rdatatype_mx) + { + continue; + } + + result = dns_rdata_tostruct(&t->rdata, &mx, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + /* + * Check if we will error out if we attempt to reload the + * zone. + */ + dns_name_format(&mx.mx, namebuf, sizeof(namebuf)); + dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf)); + isaddress = false; + if ((options & DNS_ZONEOPT_CHECKMX) != 0 && + strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) + { + if (tmp[strlen(tmp) - 1] == '.') { + tmp[strlen(tmp) - 1] = '\0'; + } + if (inet_pton(AF_INET, tmp, &addr) == 1 || + inet_pton(AF_INET6, tmp, &addr6) == 1) + { + isaddress = true; + } + } + + if (isaddress && (options & DNS_ZONEOPT_CHECKMXFAIL) != 0) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX: '%s': %s", ownerbuf, namebuf, + isc_result_totext(DNS_R_MXISADDRESS)); + ok = false; + } else if (isaddress) { + update_log(client, zone, ISC_LOG_WARNING, + "%s/MX: warning: '%s': %s", ownerbuf, + namebuf, + isc_result_totext(DNS_R_MXISADDRESS)); + } + + /* + * Check zone integrity checks. + */ + if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) { + continue; + } + result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, 0, 0, + NULL, foundname, NULL, NULL); + if (result == ISC_R_SUCCESS) { + continue; + } + + if (result == DNS_R_NXRRSET) { + result = dns_db_find(db, &mx.mx, newver, + dns_rdatatype_aaaa, 0, 0, NULL, + foundname, NULL, NULL); + if (result == ISC_R_SUCCESS) { + continue; + } + } + + if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' has no address records " + "(A or AAAA)", + ownerbuf, namebuf); + ok = false; + } else if (result == DNS_R_CNAME) { + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is a CNAME (illegal)", ownerbuf, + namebuf); + ok = false; + } else if (result == DNS_R_DNAME) { + dns_name_format(foundname, altbuf, sizeof altbuf); + update_log(client, zone, ISC_LOG_ERROR, + "%s/MX '%s' is below a DNAME '%s' (illegal)", + ownerbuf, namebuf, altbuf); + ok = false; + } + } + return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED); +} + +static isc_result_t +rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + const dns_rdata_t *rdata, bool *flag) { + dns_rdataset_t rdataset; + dns_dbnode_t *node = NULL; + isc_result_t result; + + dns_rdataset_init(&rdataset); + if (rdata->type == dns_rdatatype_nsec3) { + result = dns_db_findnsec3node(db, name, false, &node); + } else { + result = dns_db_findnode(db, name, false, &node); + } + if (result == ISC_R_NOTFOUND) { + *flag = false; + result = ISC_R_SUCCESS; + goto failure; + } else { + CHECK(result); + } + result = dns_db_findrdataset(db, node, ver, rdata->type, 0, + (isc_stdtime_t)0, &rdataset, NULL); + if (result == ISC_R_NOTFOUND) { + *flag = false; + result = ISC_R_SUCCESS; + goto failure; + } + + for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t myrdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &myrdata); + if (!dns_rdata_casecompare(&myrdata, rdata)) { + break; + } + } + dns_rdataset_disassociate(&rdataset); + if (result == ISC_R_SUCCESS) { + *flag = true; + } else if (result == ISC_R_NOMORE) { + *flag = false; + result = ISC_R_SUCCESS; + } + +failure: + if (node != NULL) { + dns_db_detachnode(db, &node); + } + return (result); +} + +static isc_result_t +get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype, + unsigned int *iterationsp) { + dns_dbnode_t *node = NULL; + dns_rdata_nsec3param_t nsec3param; + dns_rdataset_t rdataset; + isc_result_t result; + unsigned int iterations = 0; + + dns_rdataset_init(&rdataset); + + result = dns_db_getoriginnode(db, &node); + if (result != ISC_R_SUCCESS) { + return (result); + } + result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, + (isc_stdtime_t)0, &rdataset, NULL); + if (result == ISC_R_NOTFOUND) { + goto try_private; + } + if (result != ISC_R_SUCCESS) { + goto failure; + } + + for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &rdata); + CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); + if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) { + continue; + } + if (nsec3param.iterations > iterations) { + iterations = nsec3param.iterations; + } + } + if (result != ISC_R_NOMORE) { + goto failure; + } + + dns_rdataset_disassociate(&rdataset); + +try_private: + if (privatetype == 0) { + goto success; + } + + result = dns_db_findrdataset(db, node, ver, privatetype, 0, + (isc_stdtime_t)0, &rdataset, NULL); + if (result == ISC_R_NOTFOUND) { + goto success; + } + if (result != ISC_R_SUCCESS) { + goto failure; + } + + for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; + dns_rdata_t private = DNS_RDATA_INIT; + dns_rdata_t rdata = DNS_RDATA_INIT; + + dns_rdataset_current(&rdataset, &rdata); + if (!dns_nsec3param_fromprivate(&private, &rdata, buf, + sizeof(buf))) + { + continue; + } + CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL)); + if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) { + continue; + } + if (nsec3param.iterations > iterations) { + iterations = nsec3param.iterations; + } + } + if (result != ISC_R_NOMORE) { + goto failure; + } + +success: + *iterationsp = iterations; + result = ISC_R_SUCCESS; + +failure: + if (node != NULL) { + dns_db_detachnode(db, &node); + } + if (dns_rdataset_isassociated(&rdataset)) { + dns_rdataset_disassociate(&rdataset); + } + return (result); +} + +/* + * Prevent the zone entering a inconsistent state where + * NSEC only DNSKEYs are present with NSEC3 chains. + */ +static isc_result_t +check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, dns_diff_t *diff) { + isc_result_t result; + unsigned int iterations = 0; + dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); + + /* Refuse to allow NSEC3 with NSEC-only keys */ + if (!dns_zone_check_dnskey_nsec3(zone, db, ver, diff, NULL, 0)) { + update_log(client, zone, ISC_LOG_ERROR, + "NSEC only DNSKEYs and NSEC3 chains not allowed"); + result = DNS_R_REFUSED; + goto failure; + } + + /* Verify NSEC3 params */ + CHECK(get_iterations(db, ver, privatetype, &iterations)); + if (iterations > dns_nsec3_maxiterations()) { + update_log(client, zone, ISC_LOG_ERROR, + "too many NSEC3 iterations (%u)", iterations); + result = DNS_R_REFUSED; + goto failure; + } + +failure: + return (result); +} + +/* + * Delay NSEC3PARAM changes as they need to be applied to the whole zone. + */ +static isc_result_t +add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, dns_diff_t *diff) { + isc_result_t result = ISC_R_SUCCESS; + dns_difftuple_t *tuple, *newtuple = NULL, *next; + dns_rdata_t rdata = DNS_RDATA_INIT; + unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1]; + dns_diff_t temp_diff; + dns_diffop_t op; + bool flag; + dns_name_t *name = dns_zone_getorigin(zone); + dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); + uint32_t ttl = 0; + bool ttl_good = false; + + update_log(client, zone, ISC_LOG_DEBUG(3), + "checking for NSEC3PARAM changes"); + + dns_diff_init(diff->mctx, &temp_diff); + + /* + * Extract NSEC3PARAM tuples from list. + */ + for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) { + next = ISC_LIST_NEXT(tuple, link); + + if (tuple->rdata.type != dns_rdatatype_nsec3param || + !dns_name_equal(name, &tuple->name)) + { + continue; + } + ISC_LIST_UNLINK(diff->tuples, tuple, link); + ISC_LIST_APPEND(temp_diff.tuples, tuple, link); + } + + /* + * Extract TTL changes pairs, we don't need to convert these to + * delayed changes. + */ + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = next) + { + if (tuple->op == DNS_DIFFOP_ADD) { + if (!ttl_good) { + /* + * Any adds here will contain the final + * NSEC3PARAM RRset TTL. + */ + ttl = tuple->ttl; + ttl_good = true; + } + /* + * Walk the temp_diff list looking for the + * corresponding delete. + */ + next = ISC_LIST_HEAD(temp_diff.tuples); + while (next != NULL) { + unsigned char *next_data = next->rdata.data; + unsigned char *tuple_data = tuple->rdata.data; + if (next->op == DNS_DIFFOP_DEL && + next->rdata.length == tuple->rdata.length && + !memcmp(next_data, tuple_data, + next->rdata.length)) + { + ISC_LIST_UNLINK(temp_diff.tuples, next, + link); + ISC_LIST_APPEND(diff->tuples, next, + link); + break; + } + next = ISC_LIST_NEXT(next, link); + } + /* + * If we have not found a pair move onto the next + * tuple. + */ + if (next == NULL) { + next = ISC_LIST_NEXT(tuple, link); + continue; + } + /* + * Find the next tuple to be processed before + * unlinking then complete moving the pair to 'diff'. + */ + next = ISC_LIST_NEXT(tuple, link); + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + ISC_LIST_APPEND(diff->tuples, tuple, link); + } else { + next = ISC_LIST_NEXT(tuple, link); + } + } + + /* + * Preserve any ongoing changes from a BIND 9.6.x upgrade. + * + * Any NSEC3PARAM records with flags other than OPTOUT named + * in managing and should not be touched so revert such changes + * taking into account any TTL change of the NSEC3PARAM RRset. + */ + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = next) + { + next = ISC_LIST_NEXT(tuple, link); + if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) { + /* + * If we haven't had any adds then the tuple->ttl must + * be the original ttl and should be used for any + * future changes. + */ + if (!ttl_good) { + ttl = tuple->ttl; + ttl_good = true; + } + op = (tuple->op == DNS_DIFFOP_DEL) ? DNS_DIFFOP_ADD + : DNS_DIFFOP_DEL; + CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, + &tuple->rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + dns_diff_appendminimal(diff, &tuple); + } + } + + /* + * We now have just the actual changes to the NSEC3PARAM RRset. + * Convert the adds to delayed adds and the deletions into delayed + * deletions. + */ + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = next) + { + /* + * If we haven't had any adds then the tuple->ttl must be the + * original ttl and should be used for any future changes. + */ + if (!ttl_good) { + ttl = tuple->ttl; + ttl_good = true; + } + if (tuple->op == DNS_DIFFOP_ADD) { + bool nseconly = false; + + /* + * Look for any deletes which match this ADD ignoring + * flags. We don't need to explicitly remove them as + * they will be removed a side effect of processing + * the add. + */ + next = ISC_LIST_HEAD(temp_diff.tuples); + while (next != NULL) { + unsigned char *next_data = next->rdata.data; + unsigned char *tuple_data = tuple->rdata.data; + if (next->op != DNS_DIFFOP_DEL || + next->rdata.length != tuple->rdata.length || + next_data[0] != tuple_data[0] || + next_data[2] != tuple_data[2] || + next_data[3] != tuple_data[3] || + memcmp(next_data + 4, tuple_data + 4, + tuple->rdata.length - 4)) + { + next = ISC_LIST_NEXT(next, link); + continue; + } + ISC_LIST_UNLINK(temp_diff.tuples, next, link); + ISC_LIST_APPEND(diff->tuples, next, link); + next = ISC_LIST_HEAD(temp_diff.tuples); + } + + /* + * Create a private-type record to signal that + * we want a delayed NSEC3 chain add/delete + */ + dns_nsec3param_toprivate(&tuple->rdata, &rdata, + privatetype, buf, sizeof(buf)); + buf[2] |= DNS_NSEC3FLAG_CREATE; + + /* + * If the zone is not currently capable of + * supporting an NSEC3 chain, then we set the + * INITIAL flag to indicate that these parameters + * are to be used later. + * + * Don't provide a 'diff' here because we want to + * know the capability of the current database. + */ + result = dns_nsec_nseconly(db, ver, NULL, &nseconly); + if (result == ISC_R_NOTFOUND || nseconly) { + buf[2] |= DNS_NSEC3FLAG_INITIAL; + } + + /* + * See if this CREATE request already exists. + */ + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + + if (!flag) { + CHECK(dns_difftuple_create( + diff->mctx, DNS_DIFFOP_ADD, name, 0, + &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + } + + /* + * Remove any existing CREATE request to add an + * otherwise identical chain with a reversed + * OPTOUT state. + */ + buf[2] ^= DNS_NSEC3FLAG_OPTOUT; + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + + if (flag) { + CHECK(dns_difftuple_create( + diff->mctx, DNS_DIFFOP_DEL, name, 0, + &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + } + + /* + * Find the next tuple to be processed and remove the + * temporary add record. + */ + next = ISC_LIST_NEXT(tuple, link); + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, + name, ttl, &tuple->rdata, + &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + dns_diff_appendminimal(diff, &tuple); + dns_rdata_reset(&rdata); + } else { + next = ISC_LIST_NEXT(tuple, link); + } + } + + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = next) + { + INSIST(ttl_good); + + next = ISC_LIST_NEXT(tuple, link); + /* + * See if we already have a REMOVE request in progress. + */ + dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype, + buf, sizeof(buf)); + + buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC; + + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + if (!flag) { + buf[2] &= ~DNS_NSEC3FLAG_NONSEC; + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + } + + if (!flag) { + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, + name, 0, &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + } + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, + ttl, &tuple->rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + dns_diff_appendminimal(diff, &tuple); + dns_rdata_reset(&rdata); + } + + result = ISC_R_SUCCESS; +failure: + dns_diff_clear(&temp_diff); + return (result); +} + +static isc_result_t +rollback_private(dns_db_t *db, dns_rdatatype_t privatetype, + dns_dbversion_t *ver, dns_diff_t *diff) { + dns_diff_t temp_diff; + dns_diffop_t op; + dns_difftuple_t *tuple, *newtuple = NULL, *next; + dns_name_t *name = dns_db_origin(db); + isc_mem_t *mctx = diff->mctx; + isc_result_t result; + + if (privatetype == 0) { + return (ISC_R_SUCCESS); + } + + dns_diff_init(mctx, &temp_diff); + + /* + * Extract the changes to be rolled back. + */ + for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) { + next = ISC_LIST_NEXT(tuple, link); + + if (tuple->rdata.type != privatetype || + !dns_name_equal(name, &tuple->name)) + { + continue; + } + + /* + * Allow records which indicate that a zone has been + * signed with a DNSKEY to be removed. + */ + if (tuple->op == DNS_DIFFOP_DEL && tuple->rdata.length == 5 && + tuple->rdata.data[0] != 0 && tuple->rdata.data[4] != 0) + { + continue; + } + + ISC_LIST_UNLINK(diff->tuples, tuple, link); + ISC_LIST_PREPEND(temp_diff.tuples, tuple, link); + } + + /* + * Rollback the changes. + */ + while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) { + op = (tuple->op == DNS_DIFFOP_DEL) ? DNS_DIFFOP_ADD + : DNS_DIFFOP_DEL; + CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl, + &tuple->rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff)); + } + result = ISC_R_SUCCESS; + +failure: + dns_diff_clear(&temp_diff); + return (result); +} + +/* + * Add records to cause the delayed signing of the zone by added DNSKEY + * to remove the RRSIG records generated by a deleted DNSKEY. + */ +static isc_result_t +add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, + dns_dbversion_t *ver, dns_diff_t *diff) { + dns_difftuple_t *tuple, *newtuple = NULL, *next; + dns_rdata_dnskey_t dnskey; + dns_rdata_t rdata = DNS_RDATA_INIT; + bool flag; + isc_region_t r; + isc_result_t result = ISC_R_SUCCESS; + uint16_t keyid; + unsigned char buf[5]; + dns_name_t *name = dns_db_origin(db); + dns_diff_t temp_diff; + + dns_diff_init(diff->mctx, &temp_diff); + + /* + * Extract the DNSKEY tuples from the list. + */ + for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) { + next = ISC_LIST_NEXT(tuple, link); + + if (tuple->rdata.type != dns_rdatatype_dnskey) { + continue; + } + + ISC_LIST_UNLINK(diff->tuples, tuple, link); + ISC_LIST_APPEND(temp_diff.tuples, tuple, link); + } + + /* + * Extract TTL changes pairs, we don't need signing records for these. + */ + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = next) + { + if (tuple->op == DNS_DIFFOP_ADD) { + /* + * Walk the temp_diff list looking for the + * corresponding delete. + */ + next = ISC_LIST_HEAD(temp_diff.tuples); + while (next != NULL) { + unsigned char *next_data = next->rdata.data; + unsigned char *tuple_data = tuple->rdata.data; + if (next->op == DNS_DIFFOP_DEL && + dns_name_equal(&tuple->name, &next->name) && + next->rdata.length == tuple->rdata.length && + !memcmp(next_data, tuple_data, + next->rdata.length)) + { + ISC_LIST_UNLINK(temp_diff.tuples, next, + link); + ISC_LIST_APPEND(diff->tuples, next, + link); + break; + } + next = ISC_LIST_NEXT(next, link); + } + /* + * If we have not found a pair move onto the next + * tuple. + */ + if (next == NULL) { + next = ISC_LIST_NEXT(tuple, link); + continue; + } + /* + * Find the next tuple to be processed before + * unlinking then complete moving the pair to 'diff'. + */ + next = ISC_LIST_NEXT(tuple, link); + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + ISC_LIST_APPEND(diff->tuples, tuple, link); + } else { + next = ISC_LIST_NEXT(tuple, link); + } + } + + /* + * Process the remaining DNSKEY entries. + */ + for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL; + tuple = ISC_LIST_HEAD(temp_diff.tuples)) + { + ISC_LIST_UNLINK(temp_diff.tuples, tuple, link); + ISC_LIST_APPEND(diff->tuples, tuple, link); + + result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK | + DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE) + { + continue; + } + + dns_rdata_toregion(&tuple->rdata, &r); + + keyid = dst_region_computeid(&r); + + buf[0] = dnskey.algorithm; + buf[1] = (keyid & 0xff00) >> 8; + buf[2] = (keyid & 0xff); + buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1; + buf[4] = 0; + rdata.data = buf; + rdata.length = sizeof(buf); + rdata.type = privatetype; + rdata.rdclass = tuple->rdata.rdclass; + + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + if (flag) { + continue; + } + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, + &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + INSIST(newtuple == NULL); + /* + * Remove any record which says this operation has already + * completed. + */ + buf[4] = 1; + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + if (flag) { + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, + name, 0, &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + INSIST(newtuple == NULL); + } + } + +failure: + dns_diff_clear(&temp_diff); + return (result); +} + +static bool +isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) { + isc_result_t result; + bool build_nsec, build_nsec3; + + if (dns_db_issecure(db)) { + return (true); + } + + result = dns_private_chains(db, ver, privatetype, &build_nsec, + &build_nsec3); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + return (build_nsec || build_nsec3); +} + +static void +update_action(isc_task_t *task, isc_event_t *event) { + update_event_t *uev = (update_event_t *)event; + dns_zone_t *zone = uev->zone; + ns_client_t *client = (ns_client_t *)event->ev_arg; + const dns_ssurule_t **rules = uev->rules; + size_t rule = 0, ruleslen = uev->ruleslen; + isc_result_t result; + dns_db_t *db = NULL; + dns_dbversion_t *oldver = NULL; + dns_dbversion_t *ver = NULL; + dns_diff_t diff; /* Pending updates. */ + dns_diff_t temp; /* Pending RR existence assertions. */ + bool soa_serial_changed = false; + isc_mem_t *mctx = client->mctx; + dns_rdatatype_t covers; + dns_message_t *request = client->message; + dns_rdataclass_t zoneclass; + dns_name_t *zonename = NULL; + dns_ssutable_t *ssutable = NULL; + dns_fixedname_t tmpnamefixed; + dns_name_t *tmpname = NULL; + dns_zoneopt_t options; + dns_difftuple_t *tuple; + dns_rdata_dnskey_t dnskey; + bool had_dnskey; + dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); + dns_ttl_t maxttl = 0; + uint32_t maxrecords; + uint64_t records; + + INSIST(event->ev_type == DNS_EVENT_UPDATE); + + dns_diff_init(mctx, &diff); + dns_diff_init(mctx, &temp); + + CHECK(dns_zone_getdb(zone, &db)); + zonename = dns_db_origin(db); + zoneclass = dns_db_class(db); + dns_zone_getssutable(zone, &ssutable); + options = dns_zone_getoptions(zone); + + /* + * Get old and new versions now that queryacl has been checked. + */ + dns_db_currentversion(db, &oldver); + CHECK(dns_db_newversion(db, &ver)); + + /* + * Check prerequisites. + */ + + for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE); + result == ISC_R_SUCCESS; + result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE)) + { + dns_name_t *name = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_ttl_t ttl; + dns_rdataclass_t update_class; + bool flag; + + get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass, + &name, &rdata, &covers, &ttl, &update_class); + + if (ttl != 0) { + PREREQFAILC(DNS_R_FORMERR, "prerequisite TTL is not " + "zero"); + } + + if (!dns_name_issubdomain(name, zonename)) { + PREREQFAILN(DNS_R_NOTZONE, name, + "prerequisite name is out of zone"); + } + + if (update_class == dns_rdataclass_any) { + if (rdata.length != 0) { + PREREQFAILC(DNS_R_FORMERR, "class ANY " + "prerequisite " + "RDATA is not " + "empty"); + } + if (rdata.type == dns_rdatatype_any) { + CHECK(name_exists(db, ver, name, &flag)); + if (!flag) { + PREREQFAILN(DNS_R_NXDOMAIN, name, + "'name in use' " + "prerequisite not " + "satisfied"); + } + } else { + CHECK(rrset_exists(db, ver, name, rdata.type, + covers, &flag)); + if (!flag) { + /* RRset does not exist. */ + PREREQFAILNT(DNS_R_NXRRSET, name, + rdata.type, + "'rrset exists (value " + "independent)' " + "prerequisite not " + "satisfied"); + } + } + } else if (update_class == dns_rdataclass_none) { + if (rdata.length != 0) { + PREREQFAILC(DNS_R_FORMERR, "class NONE " + "prerequisite " + "RDATA is not " + "empty"); + } + if (rdata.type == dns_rdatatype_any) { + CHECK(name_exists(db, ver, name, &flag)); + if (flag) { + PREREQFAILN(DNS_R_YXDOMAIN, name, + "'name not in use' " + "prerequisite not " + "satisfied"); + } + } else { + CHECK(rrset_exists(db, ver, name, rdata.type, + covers, &flag)); + if (flag) { + /* RRset exists. */ + PREREQFAILNT(DNS_R_YXRRSET, name, + rdata.type, + "'rrset does not exist' " + "prerequisite not " + "satisfied"); + } + } + } else if (update_class == zoneclass) { + /* "temp += rr;" */ + result = temp_append(&temp, name, &rdata); + if (result != ISC_R_SUCCESS) { + UNEXPECTED_ERROR( + "temp entry creation failed: %s", + isc_result_totext(result)); + FAIL(ISC_R_UNEXPECTED); + } + } else { + PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite"); + } + } + if (result != ISC_R_NOMORE) { + FAIL(result); + } + + /* + * Perform the final check of the "rrset exists (value dependent)" + * prerequisites. + */ + if (ISC_LIST_HEAD(temp.tuples) != NULL) { + dns_rdatatype_t type; + + /* + * Sort the prerequisite records by owner name, + * type, and rdata. + */ + result = dns_diff_sort(&temp, temp_order); + if (result != ISC_R_SUCCESS) { + FAILC(result, "'RRset exists (value dependent)' " + "prerequisite not satisfied"); + } + + tmpname = dns_fixedname_initname(&tmpnamefixed); + result = temp_check(mctx, &temp, db, ver, tmpname, &type); + if (result != ISC_R_SUCCESS) { + FAILNT(result, tmpname, type, + "'RRset exists (value dependent)' " + "prerequisite not satisfied"); + } + } + + update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK"); + + /* + * Process the Update Section. + */ + INSIST(ssutable == NULL || rules != NULL); + for (rule = 0, + result = dns_message_firstname(request, DNS_SECTION_UPDATE); + result == ISC_R_SUCCESS; + rule++, result = dns_message_nextname(request, DNS_SECTION_UPDATE)) + { + dns_name_t *name = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_ttl_t ttl; + dns_rdataclass_t update_class; + bool flag; + + INSIST(ssutable == NULL || rule < ruleslen); + + get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name, + &rdata, &covers, &ttl, &update_class); + + if (update_class == zoneclass) { + unsigned int max = 0; + + /* + * RFC1123 doesn't allow MF and MD in master files. + */ + if (rdata.type == dns_rdatatype_md || + rdata.type == dns_rdatatype_mf) + { + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + dns_rdatatype_format(rdata.type, typebuf, + sizeof(typebuf)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to add %s ignored", + typebuf); + continue; + } + if ((rdata.type == dns_rdatatype_ns || + rdata.type == dns_rdatatype_dname) && + dns_name_iswildcard(name)) + { + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + dns_rdatatype_format(rdata.type, typebuf, + sizeof(typebuf)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to add wildcard %s record " + "ignored", + typebuf); + continue; + } + if (rdata.type == dns_rdatatype_cname) { + CHECK(cname_incompatible_rrset_exists( + db, ver, name, &flag)); + if (flag) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to add CNAME " + "alongside non-CNAME " + "ignored"); + continue; + } + } else { + CHECK(rrset_exists(db, ver, name, + dns_rdatatype_cname, 0, + &flag)); + if (flag && !dns_rdatatype_atcname(rdata.type)) + { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to add non-CNAME " + "alongside CNAME ignored"); + continue; + } + } + if (rdata.type == dns_rdatatype_soa) { + bool ok; + CHECK(rrset_exists(db, ver, name, + dns_rdatatype_soa, 0, + &flag)); + if (!flag) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to create 2nd " + "SOA ignored"); + continue; + } + CHECK(check_soa_increment(db, ver, &rdata, + &ok)); + if (!ok) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "SOA update failed to " + "increment serial, " + "ignoring it"); + continue; + } + soa_serial_changed = true; + } + + if (dns_rdatatype_atparent(rdata.type) && + dns_name_equal(name, zonename)) + { + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + dns_rdatatype_format(rdata.type, typebuf, + sizeof(typebuf)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to add a %s record at " + "zone apex ignored", + typebuf); + continue; + } + + if (rdata.type == privatetype) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to add a private type " + "(%u) record rejected internal " + "use only", + privatetype); + continue; + } + + if (rdata.type == dns_rdatatype_nsec3param) { + /* + * Ignore attempts to add NSEC3PARAM records + * with any flags other than OPTOUT. + */ + if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != + 0) + { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to add NSEC3PARAM " + "record with non OPTOUT " + "flag"); + continue; + } + } + + if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 && + dns_name_internalwildcard(name)) + { + char namestr[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namestr, sizeof(namestr)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "warning: ownername '%s' contains " + "a non-terminal wildcard", + namestr); + } + + if ((options & DNS_ZONEOPT_CHECKTTL) != 0) { + maxttl = dns_zone_getmaxttl(zone); + if (ttl > maxttl) { + ttl = maxttl; + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "reducing TTL to the " + "configured max-zone-ttl %d", + maxttl); + } + } + + if (rules != NULL && rules[rule] != NULL) { + max = dns_ssurule_max(rules[rule], rdata.type); + } + if (max != 0) { + unsigned int count = 0; + CHECK(foreach_rr(db, ver, name, rdata.type, + covers, count_action, &count)); + if (count >= max) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to add more " + "records than permitted by " + "policy max=%u", + max); + continue; + } + } + + if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + char rdstr[2048]; + isc_buffer_t buf; + int len = 0; + const char *truncated = ""; + + dns_name_format(name, namestr, sizeof(namestr)); + dns_rdatatype_format(rdata.type, typestr, + sizeof(typestr)); + isc_buffer_init(&buf, rdstr, sizeof(rdstr)); + result = dns_rdata_totext(&rdata, NULL, &buf); + if (result == ISC_R_NOSPACE) { + len = (int)isc_buffer_usedlength(&buf); + truncated = " [TRUNCATED]"; + } else if (result != ISC_R_SUCCESS) { + snprintf(rdstr, sizeof(rdstr), + "[dns_" + "rdata_totext failed: %s]", + isc_result_totext(result)); + len = strlen(rdstr); + } else { + len = (int)isc_buffer_usedlength(&buf); + } + update_log(client, zone, LOGLEVEL_PROTOCOL, + "adding an RR at '%s' %s %.*s%s", + namestr, typestr, len, rdstr, + truncated); + } + + /* Prepare the affected RRset for the addition. */ + { + add_rr_prepare_ctx_t ctx; + ctx.db = db; + ctx.ver = ver; + ctx.diff = &diff; + ctx.name = name; + ctx.oldname = name; + ctx.update_rr = &rdata; + ctx.update_rr_ttl = ttl; + ctx.ignore_add = false; + dns_diff_init(mctx, &ctx.del_diff); + dns_diff_init(mctx, &ctx.add_diff); + CHECK(foreach_rr(db, ver, name, rdata.type, + covers, add_rr_prepare_action, + &ctx)); + + if (ctx.ignore_add) { + dns_diff_clear(&ctx.del_diff); + dns_diff_clear(&ctx.add_diff); + } else { + result = do_diff(&ctx.del_diff, db, ver, + &diff); + if (result == ISC_R_SUCCESS) { + result = do_diff(&ctx.add_diff, + db, ver, + &diff); + } + if (result != ISC_R_SUCCESS) { + dns_diff_clear(&ctx.del_diff); + dns_diff_clear(&ctx.add_diff); + goto failure; + } + CHECK(update_one_rr(db, ver, &diff, + DNS_DIFFOP_ADD, + name, ttl, &rdata)); + } + } + } else if (update_class == dns_rdataclass_any) { + if (rdata.type == dns_rdatatype_any) { + if (isc_log_wouldlog(ns_lctx, + LOGLEVEL_PROTOCOL)) + { + char namestr[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "delete all rrsets from " + "name '%s'", + namestr); + } + if (dns_name_equal(name, zonename)) { + CHECK(delete_if(type_not_soa_nor_ns_p, + db, ver, name, + dns_rdatatype_any, 0, + &rdata, &diff)); + } else { + CHECK(delete_if(type_not_dnssec, db, + ver, name, + dns_rdatatype_any, 0, + &rdata, &diff)); + } + } else if (dns_name_equal(name, zonename) && + (rdata.type == dns_rdatatype_soa || + rdata.type == dns_rdatatype_ns)) + { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to delete all SOA " + "or NS records ignored"); + continue; + } else { + if (isc_log_wouldlog(ns_lctx, + LOGLEVEL_PROTOCOL)) + { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + dns_rdatatype_format(rdata.type, + typestr, + sizeof(typestr)); + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "deleting rrset at '%s' %s", + namestr, typestr); + } + CHECK(delete_if(true_p, db, ver, name, + rdata.type, covers, &rdata, + &diff)); + } + } else if (update_class == dns_rdataclass_none) { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + + /* + * The (name == zonename) condition appears in + * RFC2136 3.4.2.4 but is missing from the pseudocode. + */ + if (dns_name_equal(name, zonename)) { + if (rdata.type == dns_rdatatype_soa) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to delete SOA " + "ignored"); + continue; + } + if (rdata.type == dns_rdatatype_ns) { + int count; + CHECK(rr_count(db, ver, name, + dns_rdatatype_ns, 0, + &count)); + if (count == 1) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to " + "delete last " + "NS ignored"); + continue; + } + } + } + dns_name_format(name, namestr, sizeof(namestr)); + dns_rdatatype_format(rdata.type, typestr, + sizeof(typestr)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "deleting an RR at %s %s", namestr, typestr); + CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type, + covers, &rdata, &diff)); + } + } + if (result != ISC_R_NOMORE) { + FAIL(result); + } + + /* + * Check that any changes to DNSKEY/NSEC3PARAM records make sense. + * If they don't then back out all changes to DNSKEY/NSEC3PARAM + * records. + */ + if (!ISC_LIST_EMPTY(diff.tuples)) { + CHECK(check_dnssec(client, zone, db, ver, &diff)); + } + + if (!ISC_LIST_EMPTY(diff.tuples)) { + unsigned int errors = 0; + CHECK(dns_zone_nscheck(zone, db, ver, &errors)); + if (errors != 0) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "update rejected: post update name server " + "sanity check failed"); + result = DNS_R_REFUSED; + goto failure; + } + } + if (!ISC_LIST_EMPTY(diff.tuples)) { + result = dns_zone_cdscheck(zone, db, ver); + if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "update rejected: bad %s RRset", + result == DNS_R_BADCDS ? "CDS" : "CDNSKEY"); + result = DNS_R_REFUSED; + goto failure; + } + if (result != ISC_R_SUCCESS) { + goto failure; + } + } + + /* + * If any changes were made, increment the SOA serial number, + * update RRSIGs and NSECs (if zone is secure), and write the update + * to the journal. + */ + if (!ISC_LIST_EMPTY(diff.tuples)) { + char *journalfile; + dns_journal_t *journal; + bool has_dnskey; + + /* + * Increment the SOA serial, but only if it was not + * changed as a result of an update operation. + */ + if (!soa_serial_changed) { + CHECK(update_soa_serial( + db, ver, &diff, mctx, + dns_zone_getserialupdatemethod(zone))); + } + + CHECK(check_mx(client, zone, db, ver, &diff)); + + CHECK(remove_orphaned_ds(db, ver, &diff)); + + CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 0, + &has_dnskey)); + +#define ALLOW_SECURE_TO_INSECURE(zone) \ + ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0) + + CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey, + 0, &had_dnskey)); + if (!ALLOW_SECURE_TO_INSECURE(zone)) { + if (had_dnskey && !has_dnskey) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "update rejected: all DNSKEY " + "records removed and " + "'dnssec-secure-to-insecure' " + "not set"); + result = DNS_R_REFUSED; + goto failure; + } + } + + CHECK(rollback_private(db, privatetype, ver, &diff)); + + CHECK(add_signing_records(db, privatetype, ver, &diff)); + + CHECK(add_nsec3param_records(client, zone, db, ver, &diff)); + + if (had_dnskey && !has_dnskey) { + /* + * We are transitioning from secure to insecure. + * Cause all NSEC3 chains to be deleted. When the + * the last signature for the DNSKEY records are + * remove any NSEC chain present will also be removed. + */ + CHECK(dns_nsec3param_deletechains(db, ver, zone, true, + &diff)); + } else if (has_dnskey && isdnssec(db, ver, privatetype)) { + dns_update_log_t log; + uint32_t interval = + dns_zone_getsigvalidityinterval(zone); + + log.func = update_log_cb; + log.arg = client; + result = dns_update_signatures(&log, zone, db, oldver, + ver, &diff, interval); + + if (result != ISC_R_SUCCESS) { + update_log(client, zone, ISC_LOG_ERROR, + "RRSIG/NSEC/NSEC3 update failed: %s", + isc_result_totext(result)); + goto failure; + } + } + + maxrecords = dns_zone_getmaxrecords(zone); + if (maxrecords != 0U) { + result = dns_db_getsize(db, ver, &records, NULL); + if (result == ISC_R_SUCCESS && records > maxrecords) { + update_log(client, zone, ISC_LOG_ERROR, + "records in zone (%" PRIu64 ") " + "exceeds max-records (%u)", + records, maxrecords); + result = DNS_R_TOOMANYRECORDS; + goto failure; + } + } + + journalfile = dns_zone_getjournal(zone); + if (journalfile != NULL) { + update_log(client, zone, LOGLEVEL_DEBUG, + "writing journal %s", journalfile); + + journal = NULL; + result = dns_journal_open(mctx, journalfile, + DNS_JOURNAL_CREATE, &journal); + if (result != ISC_R_SUCCESS) { + FAILS(result, "journal open failed"); + } + + result = dns_journal_write_transaction(journal, &diff); + if (result != ISC_R_SUCCESS) { + dns_journal_destroy(&journal); + FAILS(result, "journal write failed"); + } + + dns_journal_destroy(&journal); + } + + /* + * XXXRTH Just a note that this committing code will have + * to change to handle databases that need two-phase + * commit, but this isn't a priority. + */ + update_log(client, zone, LOGLEVEL_DEBUG, + "committing update transaction"); + + dns_db_closeversion(db, &ver, true); + + /* + * Mark the zone as dirty so that it will be written to disk. + */ + dns_zone_markdirty(zone); + + /* + * Notify secondaries of the change we just made. + */ + dns_zone_notify(zone); + + /* + * Cause the zone to be signed with the key that we + * have just added or have the corresponding signatures + * deleted. + * + * Note: we are already committed to this course of action. + */ + for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL; + tuple = ISC_LIST_NEXT(tuple, link)) + { + isc_region_t r; + dns_secalg_t algorithm; + uint16_t keyid; + + if (tuple->rdata.type != dns_rdatatype_dnskey) { + continue; + } + + dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); + if ((dnskey.flags & + (DNS_KEYFLAG_OWNERMASK | DNS_KEYTYPE_NOAUTH)) != + DNS_KEYOWNER_ZONE) + { + continue; + } + + dns_rdata_toregion(&tuple->rdata, &r); + algorithm = dnskey.algorithm; + keyid = dst_region_computeid(&r); + + result = dns_zone_signwithkey( + zone, algorithm, keyid, + (tuple->op == DNS_DIFFOP_DEL)); + if (result != ISC_R_SUCCESS) { + update_log(client, zone, ISC_LOG_ERROR, + "dns_zone_signwithkey failed: %s", + isc_result_totext(result)); + } + } + + /* + * Cause the zone to add/delete NSEC3 chains for the + * deferred NSEC3PARAM changes. + * + * Note: we are already committed to this course of action. + */ + for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL; + tuple = ISC_LIST_NEXT(tuple, link)) + { + unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_nsec3param_t nsec3param; + + if (tuple->rdata.type != privatetype || + tuple->op != DNS_DIFFOP_ADD) + { + continue; + } + + if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata, + buf, sizeof(buf))) + { + continue; + } + dns_rdata_tostruct(&rdata, &nsec3param, NULL); + if (nsec3param.flags == 0) { + continue; + } + + result = dns_zone_addnsec3chain(zone, &nsec3param); + if (result != ISC_R_SUCCESS) { + update_log(client, zone, ISC_LOG_ERROR, + "dns_zone_addnsec3chain failed: %s", + isc_result_totext(result)); + } + } + } else { + update_log(client, zone, LOGLEVEL_DEBUG, "redundant request"); + dns_db_closeversion(db, &ver, true); + } + result = ISC_R_SUCCESS; + goto common; + +failure: + /* + * The reason for failure should have been logged at this point. + */ + if (ver != NULL) { + update_log(client, zone, LOGLEVEL_DEBUG, "rolling back"); + dns_db_closeversion(db, &ver, false); + } + +common: + dns_diff_clear(&temp); + dns_diff_clear(&diff); + + if (oldver != NULL) { + dns_db_closeversion(db, &oldver, false); + } + + if (db != NULL) { + dns_db_detach(&db); + } + + if (rules != NULL) { + isc_mem_put(mctx, rules, sizeof(*rules) * ruleslen); + } + + if (ssutable != NULL) { + dns_ssutable_detach(&ssutable); + } + + isc_task_detach(&task); + uev->result = result; + if (zone != NULL) { + INSIST(uev->zone == zone); /* we use this later */ + } + uev->ev_type = DNS_EVENT_UPDATEDONE; + uev->ev_action = updatedone_action; + + isc_task_send(client->task, &event); + + INSIST(ver == NULL); + INSIST(event == NULL); +} + +static void +updatedone_action(isc_task_t *task, isc_event_t *event) { + update_event_t *uev = (update_event_t *)event; + ns_client_t *client = (ns_client_t *)event->ev_arg; + + UNUSED(task); + + REQUIRE(event->ev_type == DNS_EVENT_UPDATEDONE); + REQUIRE(task == client->task); + REQUIRE(client->updatehandle == client->handle); + + INSIST(client->nupdates > 0); + switch (uev->result) { + case ISC_R_SUCCESS: + inc_stats(client, uev->zone, ns_statscounter_updatedone); + break; + case DNS_R_REFUSED: + inc_stats(client, uev->zone, ns_statscounter_updaterej); + break; + default: + inc_stats(client, uev->zone, ns_statscounter_updatefail); + break; + } + if (uev->zone != NULL) { + dns_zone_detach(&uev->zone); + } + + client->nupdates--; + + respond(client, uev->result); + + isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota }); + isc_event_free(&event); + isc_nmhandle_detach(&client->updatehandle); +} + +/*% + * Update forwarding support. + */ +static void +forward_fail(isc_task_t *task, isc_event_t *event) { + ns_client_t *client = (ns_client_t *)event->ev_arg; + + UNUSED(task); + + INSIST(client->nupdates > 0); + client->nupdates--; + respond(client, DNS_R_SERVFAIL); + + isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota }); + isc_event_free(&event); + isc_nmhandle_detach(&client->updatehandle); +} + +static void +forward_callback(void *arg, isc_result_t result, dns_message_t *answer) { + update_event_t *uev = arg; + ns_client_t *client = uev->ev_arg; + dns_zone_t *zone = uev->zone; + + if (result != ISC_R_SUCCESS) { + INSIST(answer == NULL); + uev->ev_type = DNS_EVENT_UPDATEDONE; + uev->ev_action = forward_fail; + inc_stats(client, zone, ns_statscounter_updatefwdfail); + } else { + uev->ev_type = DNS_EVENT_UPDATEDONE; + uev->ev_action = forward_done; + uev->answer = answer; + inc_stats(client, zone, ns_statscounter_updaterespfwd); + } + + isc_task_send(client->task, ISC_EVENT_PTR(&uev)); + dns_zone_detach(&zone); +} + +static void +forward_done(isc_task_t *task, isc_event_t *event) { + update_event_t *uev = (update_event_t *)event; + ns_client_t *client = (ns_client_t *)event->ev_arg; + + UNUSED(task); + + INSIST(client->nupdates > 0); + client->nupdates--; + ns_client_sendraw(client, uev->answer); + dns_message_detach(&uev->answer); + + isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota }); + isc_event_free(&event); + isc_nmhandle_detach(&client->reqhandle); + isc_nmhandle_detach(&client->updatehandle); +} + +static void +forward_action(isc_task_t *task, isc_event_t *event) { + update_event_t *uev = (update_event_t *)event; + dns_zone_t *zone = uev->zone; + ns_client_t *client = (ns_client_t *)event->ev_arg; + isc_result_t result; + + result = dns_zone_forwardupdate(zone, client->message, forward_callback, + event); + if (result != ISC_R_SUCCESS) { + uev->ev_type = DNS_EVENT_UPDATEDONE; + uev->ev_action = forward_fail; + isc_task_send(client->task, &event); + inc_stats(client, zone, ns_statscounter_updatefwdfail); + dns_zone_detach(&zone); + } else { + inc_stats(client, zone, ns_statscounter_updatereqfwd); + } + + isc_task_detach(&task); +} + +static isc_result_t +send_forward_event(ns_client_t *client, dns_zone_t *zone) { + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + isc_result_t result = ISC_R_SUCCESS; + update_event_t *event = NULL; + isc_task_t *zonetask = NULL; + + result = checkupdateacl(client, dns_zone_getforwardacl(zone), + "update forwarding", dns_zone_getorigin(zone), + true, false); + if (result != ISC_R_SUCCESS) { + return (result); + } + + result = isc_quota_attach(&client->manager->sctx->updquota, + &(isc_quota_t *){ NULL }); + if (result != ISC_R_SUCCESS) { + update_log(client, zone, LOGLEVEL_PROTOCOL, + "update failed: too many DNS UPDATEs queued (%s)", + isc_result_totext(result)); + ns_stats_increment(client->manager->sctx->nsstats, + ns_statscounter_updatequota); + return (DNS_R_DROP); + } + + event = (update_event_t *)isc_event_allocate( + client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL, + sizeof(*event)); + event->zone = zone; + event->result = ISC_R_SUCCESS; + + INSIST(client->nupdates == 0); + client->nupdates++; + event->ev_arg = client; + + dns_name_format(dns_zone_getorigin(zone), namebuf, sizeof(namebuf)); + dns_rdataclass_format(dns_zone_getclass(zone), classbuf, + sizeof(classbuf)); + + ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE, + LOGLEVEL_PROTOCOL, "forwarding update for zone '%s/%s'", + namebuf, classbuf); + + dns_zone_gettask(zone, &zonetask); + isc_nmhandle_attach(client->handle, &client->updatehandle); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); + + if (event != NULL) { + isc_event_free(ISC_EVENT_PTR(&event)); + } + return (result); +} diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c new file mode 100644 index 0000000..9380924 --- /dev/null +++ b/lib/ns/xfrout.c @@ -0,0 +1,1829 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +/*! \file + * \brief + * Outgoing AXFR and IXFR. + */ + +/* + * TODO: + * - IXFR over UDP + */ + +#define XFROUT_COMMON_LOGARGS \ + ns_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT + +#define XFROUT_PROTOCOL_LOGARGS XFROUT_COMMON_LOGARGS, ISC_LOG_INFO + +#define XFROUT_DEBUG_LOGARGS(n) XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n) + +#define XFROUT_RR_LOGARGS XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL + +#define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8) + +/*% + * Fail unconditionally and log as a client error. + * The test against ISC_R_SUCCESS is there to keep the Solaris compiler + * from complaining about "end-of-loop code not reached". + */ +#define FAILC(code, msg) \ + do { \ + result = (code); \ + ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \ + NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \ + "bad zone transfer request: %s (%s)", msg, \ + isc_result_totext(code)); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +#define FAILQ(code, msg, question, rdclass) \ + do { \ + char _buf1[DNS_NAME_FORMATSIZE]; \ + char _buf2[DNS_RDATACLASS_FORMATSIZE]; \ + result = (code); \ + dns_name_format(question, _buf1, sizeof(_buf1)); \ + dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2)); \ + ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \ + NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \ + "bad zone transfer request: '%s/%s': %s (%s)", \ + _buf1, _buf2, msg, isc_result_totext(code)); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +#define CHECK(op) \ + do { \ + result = (op); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +/**************************************************************************/ + +static void +inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) { + ns_stats_increment(client->sctx->nsstats, counter); + if (zone != NULL) { + isc_stats_t *zonestats = dns_zone_getrequeststats(zone); + if (zonestats != NULL) { + isc_stats_increment(zonestats, counter); + } + } +} + +/**************************************************************************/ + +/*% Log an RR (for debugging) */ + +static void +log_rr(dns_name_t *name, dns_rdata_t *rdata, uint32_t ttl) { + isc_result_t result; + isc_buffer_t buf; + char mem[2000]; + dns_rdatalist_t rdl; + dns_rdataset_t rds; + dns_rdata_t rd = DNS_RDATA_INIT; + + dns_rdatalist_init(&rdl); + rdl.type = rdata->type; + rdl.rdclass = rdata->rdclass; + rdl.ttl = ttl; + if (rdata->type == dns_rdatatype_sig || + rdata->type == dns_rdatatype_rrsig) + { + rdl.covers = dns_rdata_covers(rdata); + } else { + rdl.covers = dns_rdatatype_none; + } + dns_rdataset_init(&rds); + dns_rdata_init(&rd); + dns_rdata_clone(rdata, &rd); + ISC_LIST_APPEND(rdl.rdata, &rd, link); + RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS); + + isc_buffer_init(&buf, mem, sizeof(mem)); + result = dns_rdataset_totext(&rds, name, false, false, &buf); + + /* + * We could use xfrout_log(), but that would produce + * very long lines with a repetitive prefix. + */ + if (result == ISC_R_SUCCESS) { + /* + * Get rid of final newline. + */ + INSIST(buf.used >= 1 && + ((char *)buf.base)[buf.used - 1] == '\n'); + buf.used--; + + isc_log_write(XFROUT_RR_LOGARGS, "%.*s", + (int)isc_buffer_usedlength(&buf), + (char *)isc_buffer_base(&buf)); + } else { + isc_log_write(XFROUT_RR_LOGARGS, ""); + } +} + +/**************************************************************************/ +/* + * An 'rrstream_t' is a polymorphic iterator that returns + * a stream of resource records. There are multiple implementations, + * e.g. for generating AXFR and IXFR records streams. + */ + +typedef struct rrstream_methods rrstream_methods_t; + +typedef struct rrstream { + isc_mem_t *mctx; + rrstream_methods_t *methods; +} rrstream_t; + +struct rrstream_methods { + isc_result_t (*first)(rrstream_t *); + isc_result_t (*next)(rrstream_t *); + void (*current)(rrstream_t *, dns_name_t **, uint32_t *, + dns_rdata_t **); + void (*pause)(rrstream_t *); + void (*destroy)(rrstream_t **); +}; + +static void +rrstream_noop_pause(rrstream_t *rs) { + UNUSED(rs); +} + +/**************************************************************************/ +/* + * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns + * an IXFR-like RR stream from a journal file. + * + * The SOA at the beginning of each sequence of additions + * or deletions are included in the stream, but the extra + * SOAs at the beginning and end of the entire transfer are + * not included. + */ + +typedef struct ixfr_rrstream { + rrstream_t common; + dns_journal_t *journal; +} ixfr_rrstream_t; + +/* Forward declarations. */ +static void +ixfr_rrstream_destroy(rrstream_t **sp); + +static rrstream_methods_t ixfr_rrstream_methods; + +/* + * Returns: anything dns_journal_open() or dns_journal_iter_init() + * may return. + */ + +static isc_result_t +ixfr_rrstream_create(isc_mem_t *mctx, const char *journal_filename, + uint32_t begin_serial, uint32_t end_serial, size_t *sizep, + rrstream_t **sp) { + isc_result_t result; + ixfr_rrstream_t *s = NULL; + + INSIST(sp != NULL && *sp == NULL); + + s = isc_mem_get(mctx, sizeof(*s)); + s->common.mctx = NULL; + isc_mem_attach(mctx, &s->common.mctx); + s->common.methods = &ixfr_rrstream_methods; + s->journal = NULL; + + CHECK(dns_journal_open(mctx, journal_filename, DNS_JOURNAL_READ, + &s->journal)); + CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial, + sizep)); + + *sp = (rrstream_t *)s; + return (ISC_R_SUCCESS); + +failure: + ixfr_rrstream_destroy((rrstream_t **)(void *)&s); + return (result); +} + +static isc_result_t +ixfr_rrstream_first(rrstream_t *rs) { + ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs; + return (dns_journal_first_rr(s->journal)); +} + +static isc_result_t +ixfr_rrstream_next(rrstream_t *rs) { + ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs; + return (dns_journal_next_rr(s->journal)); +} + +static void +ixfr_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl, + dns_rdata_t **rdata) { + ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs; + dns_journal_current_rr(s->journal, name, ttl, rdata); +} + +static void +ixfr_rrstream_destroy(rrstream_t **rsp) { + ixfr_rrstream_t *s = (ixfr_rrstream_t *)*rsp; + if (s->journal != NULL) { + dns_journal_destroy(&s->journal); + } + isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s)); +} + +static rrstream_methods_t ixfr_rrstream_methods = { + ixfr_rrstream_first, ixfr_rrstream_next, ixfr_rrstream_current, + rrstream_noop_pause, ixfr_rrstream_destroy +}; + +/**************************************************************************/ +/* + * An 'axfr_rrstream_t' is an 'rrstream_t' that returns + * an AXFR-like RR stream from a database. + * + * The SOAs at the beginning and end of the transfer are + * not included in the stream. + */ + +typedef struct axfr_rrstream { + rrstream_t common; + dns_rriterator_t it; + bool it_valid; +} axfr_rrstream_t; + +/* + * Forward declarations. + */ +static void +axfr_rrstream_destroy(rrstream_t **rsp); + +static rrstream_methods_t axfr_rrstream_methods; + +static isc_result_t +axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver, + rrstream_t **sp) { + axfr_rrstream_t *s; + isc_result_t result; + + INSIST(sp != NULL && *sp == NULL); + + s = isc_mem_get(mctx, sizeof(*s)); + s->common.mctx = NULL; + isc_mem_attach(mctx, &s->common.mctx); + s->common.methods = &axfr_rrstream_methods; + s->it_valid = false; + + CHECK(dns_rriterator_init(&s->it, db, ver, 0)); + s->it_valid = true; + + *sp = (rrstream_t *)s; + return (ISC_R_SUCCESS); + +failure: + axfr_rrstream_destroy((rrstream_t **)(void *)&s); + return (result); +} + +static isc_result_t +axfr_rrstream_first(rrstream_t *rs) { + axfr_rrstream_t *s = (axfr_rrstream_t *)rs; + isc_result_t result; + result = dns_rriterator_first(&s->it); + if (result != ISC_R_SUCCESS) { + return (result); + } + /* Skip SOA records. */ + for (;;) { + dns_name_t *name_dummy = NULL; + uint32_t ttl_dummy; + dns_rdata_t *rdata = NULL; + dns_rriterator_current(&s->it, &name_dummy, &ttl_dummy, NULL, + &rdata); + if (rdata->type != dns_rdatatype_soa) { + break; + } + result = dns_rriterator_next(&s->it); + if (result != ISC_R_SUCCESS) { + break; + } + } + return (result); +} + +static isc_result_t +axfr_rrstream_next(rrstream_t *rs) { + axfr_rrstream_t *s = (axfr_rrstream_t *)rs; + isc_result_t result; + + /* Skip SOA records. */ + for (;;) { + dns_name_t *name_dummy = NULL; + uint32_t ttl_dummy; + dns_rdata_t *rdata = NULL; + result = dns_rriterator_next(&s->it); + if (result != ISC_R_SUCCESS) { + break; + } + dns_rriterator_current(&s->it, &name_dummy, &ttl_dummy, NULL, + &rdata); + if (rdata->type != dns_rdatatype_soa) { + break; + } + } + return (result); +} + +static void +axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl, + dns_rdata_t **rdata) { + axfr_rrstream_t *s = (axfr_rrstream_t *)rs; + dns_rriterator_current(&s->it, name, ttl, NULL, rdata); +} + +static void +axfr_rrstream_pause(rrstream_t *rs) { + axfr_rrstream_t *s = (axfr_rrstream_t *)rs; + dns_rriterator_pause(&s->it); +} + +static void +axfr_rrstream_destroy(rrstream_t **rsp) { + axfr_rrstream_t *s = (axfr_rrstream_t *)*rsp; + if (s->it_valid) { + dns_rriterator_destroy(&s->it); + } + isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s)); +} + +static rrstream_methods_t axfr_rrstream_methods = { + axfr_rrstream_first, axfr_rrstream_next, axfr_rrstream_current, + axfr_rrstream_pause, axfr_rrstream_destroy +}; + +/**************************************************************************/ +/* + * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns + * a single SOA record. + */ + +typedef struct soa_rrstream { + rrstream_t common; + dns_difftuple_t *soa_tuple; +} soa_rrstream_t; + +/* + * Forward declarations. + */ +static void +soa_rrstream_destroy(rrstream_t **rsp); + +static rrstream_methods_t soa_rrstream_methods; + +static isc_result_t +soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver, + rrstream_t **sp) { + soa_rrstream_t *s; + isc_result_t result; + + INSIST(sp != NULL && *sp == NULL); + + s = isc_mem_get(mctx, sizeof(*s)); + s->common.mctx = NULL; + isc_mem_attach(mctx, &s->common.mctx); + s->common.methods = &soa_rrstream_methods; + s->soa_tuple = NULL; + + CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS, + &s->soa_tuple)); + + *sp = (rrstream_t *)s; + return (ISC_R_SUCCESS); + +failure: + soa_rrstream_destroy((rrstream_t **)(void *)&s); + return (result); +} + +static isc_result_t +soa_rrstream_first(rrstream_t *rs) { + UNUSED(rs); + return (ISC_R_SUCCESS); +} + +static isc_result_t +soa_rrstream_next(rrstream_t *rs) { + UNUSED(rs); + return (ISC_R_NOMORE); +} + +static void +soa_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl, + dns_rdata_t **rdata) { + soa_rrstream_t *s = (soa_rrstream_t *)rs; + *name = &s->soa_tuple->name; + *ttl = s->soa_tuple->ttl; + *rdata = &s->soa_tuple->rdata; +} + +static void +soa_rrstream_destroy(rrstream_t **rsp) { + soa_rrstream_t *s = (soa_rrstream_t *)*rsp; + if (s->soa_tuple != NULL) { + dns_difftuple_free(&s->soa_tuple); + } + isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s)); +} + +static rrstream_methods_t soa_rrstream_methods = { + soa_rrstream_first, soa_rrstream_next, soa_rrstream_current, + rrstream_noop_pause, soa_rrstream_destroy +}; + +/**************************************************************************/ +/* + * A 'compound_rrstream_t' objects owns a soa_rrstream + * and another rrstream, the "data stream". It returns + * a concatenated stream consisting of the soa_rrstream, then + * the data stream, then the soa_rrstream again. + * + * The component streams are owned by the compound_rrstream_t + * and are destroyed with it. + */ + +typedef struct compound_rrstream { + rrstream_t common; + rrstream_t *components[3]; + int state; + isc_result_t result; +} compound_rrstream_t; + +/* + * Forward declarations. + */ +static void +compound_rrstream_destroy(rrstream_t **rsp); + +static isc_result_t +compound_rrstream_next(rrstream_t *rs); + +static rrstream_methods_t compound_rrstream_methods; + +/* + * Requires: + * soa_stream != NULL && *soa_stream != NULL + * data_stream != NULL && *data_stream != NULL + * sp != NULL && *sp == NULL + * + * Ensures: + * *soa_stream == NULL + * *data_stream == NULL + * *sp points to a valid compound_rrstream_t + * The soa and data streams will be destroyed + * when the compound_rrstream_t is destroyed. + */ +static isc_result_t +compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream, + rrstream_t **data_stream, rrstream_t **sp) { + compound_rrstream_t *s; + + INSIST(sp != NULL && *sp == NULL); + + s = isc_mem_get(mctx, sizeof(*s)); + s->common.mctx = NULL; + isc_mem_attach(mctx, &s->common.mctx); + s->common.methods = &compound_rrstream_methods; + s->components[0] = *soa_stream; + s->components[1] = *data_stream; + s->components[2] = *soa_stream; + s->state = -1; + s->result = ISC_R_FAILURE; + + *data_stream = NULL; + *soa_stream = NULL; + *sp = (rrstream_t *)s; + return (ISC_R_SUCCESS); +} + +static isc_result_t +compound_rrstream_first(rrstream_t *rs) { + compound_rrstream_t *s = (compound_rrstream_t *)rs; + s->state = 0; + do { + rrstream_t *curstream = s->components[s->state]; + s->result = curstream->methods->first(curstream); + } while (s->result == ISC_R_NOMORE && s->state < 2); + return (s->result); +} + +static isc_result_t +compound_rrstream_next(rrstream_t *rs) { + compound_rrstream_t *s = (compound_rrstream_t *)rs; + rrstream_t *curstream = s->components[s->state]; + s->result = curstream->methods->next(curstream); + while (s->result == ISC_R_NOMORE) { + /* + * Make sure locks held by the current stream + * are released before we switch streams. + */ + curstream->methods->pause(curstream); + if (s->state == 2) { + return (ISC_R_NOMORE); + } + s->state++; + curstream = s->components[s->state]; + s->result = curstream->methods->first(curstream); + } + return (s->result); +} + +static void +compound_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl, + dns_rdata_t **rdata) { + compound_rrstream_t *s = (compound_rrstream_t *)rs; + rrstream_t *curstream; + INSIST(0 <= s->state && s->state < 3); + INSIST(s->result == ISC_R_SUCCESS); + curstream = s->components[s->state]; + curstream->methods->current(curstream, name, ttl, rdata); +} + +static void +compound_rrstream_pause(rrstream_t *rs) { + compound_rrstream_t *s = (compound_rrstream_t *)rs; + rrstream_t *curstream; + INSIST(0 <= s->state && s->state < 3); + curstream = s->components[s->state]; + curstream->methods->pause(curstream); +} + +static void +compound_rrstream_destroy(rrstream_t **rsp) { + compound_rrstream_t *s = (compound_rrstream_t *)*rsp; + s->components[0]->methods->destroy(&s->components[0]); + s->components[1]->methods->destroy(&s->components[1]); + s->components[2] = NULL; /* Copy of components[0]. */ + isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s)); +} + +static rrstream_methods_t compound_rrstream_methods = { + compound_rrstream_first, compound_rrstream_next, + compound_rrstream_current, compound_rrstream_pause, + compound_rrstream_destroy +}; + +/**************************************************************************/ + +/*% + * Structure holding outgoing transfer statistics + */ +struct xfr_stats { + uint64_t nmsg; /*%< Number of messages sent */ + uint64_t nrecs; /*%< Number of records sent */ + uint64_t nbytes; /*%< Number of bytes sent */ + isc_time_t start; /*%< Start time of the transfer */ + isc_time_t end; /*%< End time of the transfer */ +}; + +/*% + * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR + * in progress. + */ +typedef struct { + isc_mem_t *mctx; + ns_client_t *client; + unsigned int id; /* ID of request */ + dns_name_t *qname; /* Question name of request */ + dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */ + dns_rdataclass_t qclass; + dns_zone_t *zone; /* (necessary for stats) */ + dns_db_t *db; + dns_dbversion_t *ver; + isc_quota_t *quota; + rrstream_t *stream; /* The XFR RR stream */ + bool question_added; /* QUESTION section sent? */ + bool end_of_stream; /* EOS has been reached */ + isc_buffer_t buf; /* Buffer for message owner + * names and rdatas */ + isc_buffer_t txbuf; /* Transmit message buffer */ + size_t cbytes; /* Length of current message */ + void *txmem; + unsigned int txmemlen; + dns_tsigkey_t *tsigkey; /* Key used to create TSIG */ + isc_buffer_t *lasttsig; /* the last TSIG */ + bool verified_tsig; /* verified request MAC */ + bool many_answers; + int sends; /* Send in progress */ + bool shuttingdown; + bool poll; + const char *mnemonic; /* Style of transfer */ + uint32_t end_serial; /* Serial number after XFR is done */ + struct xfr_stats stats; /*%< Transfer statistics */ + + /* Timeouts */ + uint64_t maxtime; /*%< Maximum XFR timeout (in ms) */ + isc_nm_timer_t *maxtime_timer; + + uint64_t idletime; /*%< XFR idle timeout (in ms) */ +} xfrout_ctx_t; + +static void +xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, + dns_name_t *qname, dns_rdatatype_t qtype, + dns_rdataclass_t qclass, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, isc_quota_t *quota, rrstream_t *stream, + dns_tsigkey_t *tsigkey, isc_buffer_t *lasttsig, + bool verified_tsig, unsigned int maxtime, + unsigned int idletime, bool many_answers, + xfrout_ctx_t **xfrp); + +static void +sendstream(xfrout_ctx_t *xfr); + +static void +xfrout_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg); + +static void +xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg); + +static void +xfrout_maybe_destroy(xfrout_ctx_t *xfr); + +static void +xfrout_ctx_destroy(xfrout_ctx_t **xfrp); + +static void +xfrout_client_timeout(void *arg, isc_result_t result); + +static void +xfrout_log1(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass, + int level, const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6); + +static void +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) + ISC_FORMAT_PRINTF(3, 4); + +/**************************************************************************/ + +void +ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { + isc_result_t result; + dns_name_t *question_name; + dns_rdataset_t *question_rdataset; + dns_zone_t *zone = NULL, *raw = NULL, *mayberaw; + dns_db_t *db = NULL; + dns_dbversion_t *ver = NULL; + dns_rdataclass_t question_class; + rrstream_t *soa_stream = NULL; + rrstream_t *data_stream = NULL; + rrstream_t *stream = NULL; + dns_difftuple_t *current_soa_tuple = NULL; + dns_name_t *soa_name; + dns_rdataset_t *soa_rdataset; + dns_rdata_t soa_rdata = DNS_RDATA_INIT; + bool have_soa = false; + const char *mnemonic = NULL; + isc_mem_t *mctx = client->mctx; + dns_message_t *request = client->message; + xfrout_ctx_t *xfr = NULL; + isc_quota_t *quota = NULL; + dns_transfer_format_t format = client->view->transfer_format; + isc_netaddr_t na; + dns_peer_t *peer = NULL; + isc_buffer_t *tsigbuf = NULL; + char *journalfile; + char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")]; + char keyname[DNS_NAME_FORMATSIZE]; + bool is_poll = false; + bool is_dlz = false; + bool is_ixfr = false; + bool useviewacl = false; + uint32_t begin_serial = 0, current_serial; + + switch (reqtype) { + case dns_rdatatype_axfr: + mnemonic = "AXFR"; + break; + case dns_rdatatype_ixfr: + mnemonic = "IXFR"; + break; + default: + UNREACHABLE(); + } + + ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT, + ISC_LOG_DEBUG(6), "%s request", mnemonic); + /* + * Apply quota. + */ + result = isc_quota_attach(&client->sctx->xfroutquota, "a); + if (result != ISC_R_SUCCESS) { + isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING, + "%s request denied: %s", mnemonic, + isc_result_totext(result)); + goto failure; + } + + /* + * Interpret the question section. + */ + result = dns_message_firstname(request, DNS_SECTION_QUESTION); + INSIST(result == ISC_R_SUCCESS); + + /* + * The question section must contain exactly one question, and + * it must be for AXFR/IXFR as appropriate. + */ + question_name = NULL; + dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name); + question_rdataset = ISC_LIST_HEAD(question_name->list); + question_class = question_rdataset->rdclass; + INSIST(question_rdataset->type == reqtype); + if (ISC_LIST_NEXT(question_rdataset, link) != NULL) { + FAILC(DNS_R_FORMERR, "multiple questions"); + } + result = dns_message_nextname(request, DNS_SECTION_QUESTION); + if (result != ISC_R_NOMORE) { + FAILC(DNS_R_FORMERR, "multiple questions"); + } + + result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, + &zone); + + if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) { + /* + * The normal zone table does not have a match, or this is + * marked in the zone table as a DLZ zone. Check the DLZ + * databases for a match. + */ + if (!ISC_LIST_EMPTY(client->view->dlz_searched)) { + result = dns_dlzallowzonexfr(client->view, + question_name, + &client->peeraddr, &db); + if (result == ISC_R_DEFAULT) { + useviewacl = true; + result = ISC_R_SUCCESS; + } + if (result == ISC_R_NOPERM) { + char _buf1[DNS_NAME_FORMATSIZE]; + char _buf2[DNS_RDATACLASS_FORMATSIZE]; + + result = DNS_R_REFUSED; + dns_name_format(question_name, _buf1, + sizeof(_buf1)); + dns_rdataclass_format(question_class, _buf2, + sizeof(_buf2)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_XFER_OUT, + ISC_LOG_ERROR, + "zone transfer '%s/%s' denied", + _buf1, _buf2); + goto failure; + } + if (result != ISC_R_SUCCESS) { + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); + } + is_dlz = true; + } else { + /* + * not DLZ and not in normal zone table, we are + * not authoritative + */ + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); + } + } else { + /* zone table has a match */ + switch (dns_zone_gettype(zone)) { + /* + * Primary, secondary, and mirror zones are OK for transfer. + */ + case dns_zone_primary: + case dns_zone_secondary: + case dns_zone_mirror: + case dns_zone_dlz: + break; + default: + FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", + question_name, question_class); + } + CHECK(dns_zone_getdb(zone, &db)); + dns_db_currentversion(db, &ver); + } + + xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6), + "%s question section OK", mnemonic); + + /* + * Check the authority section. Look for a SOA record with + * the same name and class as the question. + */ + for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY); + result == ISC_R_SUCCESS; + result = dns_message_nextname(request, DNS_SECTION_AUTHORITY)) + { + soa_name = NULL; + dns_message_currentname(request, DNS_SECTION_AUTHORITY, + &soa_name); + + /* + * Ignore data whose owner name is not the zone apex. + */ + if (!dns_name_equal(soa_name, question_name)) { + continue; + } + + for (soa_rdataset = ISC_LIST_HEAD(soa_name->list); + soa_rdataset != NULL; + soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link)) + { + /* + * Ignore non-SOA data. + */ + if (soa_rdataset->type != dns_rdatatype_soa) { + continue; + } + if (soa_rdataset->rdclass != question_class) { + continue; + } + + CHECK(dns_rdataset_first(soa_rdataset)); + dns_rdataset_current(soa_rdataset, &soa_rdata); + result = dns_rdataset_next(soa_rdataset); + if (result == ISC_R_SUCCESS) { + FAILC(DNS_R_FORMERR, "IXFR authority section " + "has multiple SOAs"); + } + have_soa = true; + goto got_soa; + } + } +got_soa: + if (result != ISC_R_NOMORE) { + CHECK(result); + } + + xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6), + "%s authority section OK", mnemonic); + + /* + * If not a DLZ zone or we are falling back to the view's transfer + * ACL, decide whether to allow this transfer. + */ + if (!is_dlz || useviewacl) { + dns_acl_t *acl; + + ns_client_aclmsg("zone transfer", question_name, reqtype, + client->view->rdclass, msg, sizeof(msg)); + if (useviewacl) { + acl = client->view->transferacl; + } else { + acl = dns_zone_getxfracl(zone); + } + CHECK(ns_client_checkacl(client, NULL, msg, acl, true, + ISC_LOG_ERROR)); + } + + /* + * AXFR over UDP is not possible. + */ + if (reqtype == dns_rdatatype_axfr && + (client->attributes & NS_CLIENTATTR_TCP) == 0) + { + FAILC(DNS_R_FORMERR, "attempted AXFR over UDP"); + } + + /* + * Look up the requesting server in the peer table. + */ + isc_netaddr_fromsockaddr(&na, &client->peeraddr); + (void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer); + + /* + * Decide on the transfer format (one-answer or many-answers). + */ + if (peer != NULL) { + (void)dns_peer_gettransferformat(peer, &format); + } + + /* + * Get a dynamically allocated copy of the current SOA. + */ + if (is_dlz) { + dns_db_currentversion(db, &ver); + } + + CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS, + ¤t_soa_tuple)); + + current_serial = dns_soa_getserial(¤t_soa_tuple->rdata); + if (reqtype == dns_rdatatype_ixfr) { + size_t jsize; + uint64_t dbsize; + + if (!have_soa) { + FAILC(DNS_R_FORMERR, "IXFR request missing SOA"); + } + + begin_serial = dns_soa_getserial(&soa_rdata); + + /* + * RFC1995 says "If an IXFR query with the same or + * newer version number than that of the server + * is received, it is replied to with a single SOA + * record of the server's current version, just as + * in AXFR". The claim about AXFR is incorrect, + * but other than that, we do as the RFC says. + * + * Sending a single SOA record is also how we refuse + * IXFR over UDP (currently, we always do). + */ + if (DNS_SERIAL_GE(begin_serial, current_serial) || + (client->attributes & NS_CLIENTATTR_TCP) == 0) + { + CHECK(soa_rrstream_create(mctx, db, ver, &stream)); + is_poll = true; + goto have_stream; + } + + /* + * Outgoing IXFR may have been disabled for this peer + * or globally. + */ + if ((client->attributes & NS_CLIENTATTR_TCP) != 0) { + bool provide_ixfr; + + provide_ixfr = client->view->provideixfr; + if (peer != NULL) { + (void)dns_peer_getprovideixfr(peer, + &provide_ixfr); + } + if (!provide_ixfr) { + xfrout_log1(client, question_name, + question_class, ISC_LOG_DEBUG(4), + "IXFR delta response disabled due " + "to 'provide-ixfr no;' being set"); + mnemonic = "AXFR-style IXFR"; + goto axfr_fallback; + } + } + + journalfile = is_dlz ? NULL : dns_zone_getjournal(zone); + if (journalfile != NULL) { + result = ixfr_rrstream_create( + mctx, journalfile, begin_serial, current_serial, + &jsize, &data_stream); + } else { + result = ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) { + xfrout_log1(client, question_name, question_class, + ISC_LOG_INFO, + "IXFR version not in journal, " + "falling back to AXFR"); + mnemonic = "AXFR-style IXFR"; + goto axfr_fallback; + } + CHECK(result); + + result = dns_db_getsize(db, ver, NULL, &dbsize); + if (result == ISC_R_SUCCESS) { + uint32_t ratio = dns_zone_getixfrratio(zone); + if (ratio != 0 && ((100 * jsize) / dbsize) > ratio) { + data_stream->methods->destroy(&data_stream); + data_stream = NULL; + xfrout_log1(client, question_name, + question_class, ISC_LOG_INFO, + "IXFR delta size (%zu bytes) " + "exceeds the maximum ratio to " + "database size " + "(%" PRIu64 " bytes), " + "falling back to AXFR", + jsize, dbsize); + mnemonic = "AXFR-style IXFR"; + goto axfr_fallback; + } else { + xfrout_log1(client, question_name, + question_class, ISC_LOG_DEBUG(4), + "IXFR delta size (%zu bytes); " + "database size " + "(%" PRIu64 " bytes)", + jsize, dbsize); + } + } + is_ixfr = true; + } else { + axfr_fallback: + CHECK(axfr_rrstream_create(mctx, db, ver, &data_stream)); + } + + /* + * Bracket the data stream with SOAs. + */ + CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream)); + CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream, + &stream)); + soa_stream = NULL; + data_stream = NULL; + +have_stream: + CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf)); + /* + * Create the xfrout context object. This transfers the ownership + * of "stream", "db", "ver", and "quota" to the xfrout context object. + */ + + if (is_dlz) { + xfrout_ctx_create(mctx, client, request->id, question_name, + reqtype, question_class, zone, db, ver, quota, + stream, dns_message_gettsigkey(request), + tsigbuf, request->verified_sig, 3600, 3600, + (format == dns_many_answers) ? true : false, + &xfr); + } else { + xfrout_ctx_create( + mctx, client, request->id, question_name, reqtype, + question_class, zone, db, ver, quota, stream, + dns_message_gettsigkey(request), tsigbuf, + request->verified_sig, dns_zone_getmaxxfrout(zone), + dns_zone_getidleout(zone), + (format == dns_many_answers) ? true : false, &xfr); + } + + xfr->end_serial = current_serial; + xfr->mnemonic = mnemonic; + stream = NULL; + quota = NULL; + + CHECK(xfr->stream->methods->first(xfr->stream)); + + if (xfr->tsigkey != NULL) { + dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname)); + } else { + keyname[0] = '\0'; + } + xfr->poll = is_poll; + if (is_poll) { + xfr->mnemonic = "IXFR poll response"; + xfrout_log1(client, question_name, question_class, + ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s", + (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname); + } else if (is_ixfr) { + xfrout_log1(client, question_name, question_class, ISC_LOG_INFO, + "%s started%s%s (serial %u -> %u)", mnemonic, + (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname, + begin_serial, current_serial); + } else { + xfrout_log1(client, question_name, question_class, ISC_LOG_INFO, + "%s started%s%s (serial %u)", mnemonic, + (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname, + current_serial); + } + + if (zone != NULL) { + dns_zone_getraw(zone, &raw); + mayberaw = (raw != NULL) ? raw : zone; + if ((client->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0 && + (dns_zone_gettype(mayberaw) == dns_zone_secondary || + dns_zone_gettype(mayberaw) == dns_zone_mirror)) + { + isc_time_t expiretime; + uint32_t secs; + dns_zone_getexpiretime(zone, &expiretime); + secs = isc_time_seconds(&expiretime); + if (secs >= client->now && result == ISC_R_SUCCESS) { + client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; + client->expire = secs - client->now; + } + } + if (raw != NULL) { + dns_zone_detach(&raw); + } + } + + /* Start the timers */ + if (xfr->maxtime > 0) { + xfrout_log(xfr, ISC_LOG_DEBUG(1), + "starting maxtime timer %" PRIu64 " ms", + xfr->maxtime); + isc_nm_timer_start(xfr->maxtime_timer, xfr->maxtime); + } + + /* + * Hand the context over to sendstream(). Set xfr to NULL; + * sendstream() is responsible for either passing the + * context on to a later event handler or destroying it. + */ + sendstream(xfr); + xfr = NULL; + + result = ISC_R_SUCCESS; + +failure: + if (result == DNS_R_REFUSED) { + inc_stats(client, zone, ns_statscounter_xfrrej); + } + if (quota != NULL) { + isc_quota_detach("a); + } + if (current_soa_tuple != NULL) { + dns_difftuple_free(¤t_soa_tuple); + } + if (stream != NULL) { + stream->methods->destroy(&stream); + } + if (soa_stream != NULL) { + soa_stream->methods->destroy(&soa_stream); + } + if (data_stream != NULL) { + data_stream->methods->destroy(&data_stream); + } + if (ver != NULL) { + dns_db_closeversion(db, &ver, false); + } + if (db != NULL) { + dns_db_detach(&db); + } + if (zone != NULL) { + dns_zone_detach(&zone); + } + /* XXX kludge */ + if (xfr != NULL) { + xfrout_fail(xfr, result, "setting up zone transfer"); + } else if (result != ISC_R_SUCCESS) { + ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, + NS_LOGMODULE_XFER_OUT, ISC_LOG_DEBUG(3), + "zone transfer setup failed"); + ns_client_error(client, result); + isc_nmhandle_detach(&client->reqhandle); + } +} + +static void +xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, + dns_name_t *qname, dns_rdatatype_t qtype, + dns_rdataclass_t qclass, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, isc_quota_t *quota, rrstream_t *stream, + dns_tsigkey_t *tsigkey, isc_buffer_t *lasttsig, + bool verified_tsig, unsigned int maxtime, + unsigned int idletime, bool many_answers, + xfrout_ctx_t **xfrp) { + xfrout_ctx_t *xfr = NULL; + unsigned int len = NS_CLIENT_TCP_BUFFER_SIZE; + void *mem = NULL; + + REQUIRE(xfrp != NULL && *xfrp == NULL); + + xfr = isc_mem_get(mctx, sizeof(*xfr)); + *xfr = (xfrout_ctx_t){ + .client = client, + .id = id, + .qname = qname, + .qtype = qtype, + .qclass = qclass, + .maxtime = maxtime * 1000, /* in milliseconds */ + .idletime = idletime * 1000, /* In milliseconds */ + .tsigkey = tsigkey, + .lasttsig = lasttsig, + .verified_tsig = verified_tsig, + .many_answers = many_answers, + }; + + isc_mem_attach(mctx, &xfr->mctx); + + if (zone != NULL) { /* zone will be NULL if it's DLZ */ + dns_zone_attach(zone, &xfr->zone); + } + dns_db_attach(db, &xfr->db); + dns_db_attachversion(db, ver, &xfr->ver); + + isc_time_now(&xfr->stats.start); + + isc_nm_timer_create(xfr->client->handle, xfrout_client_timeout, xfr, + &xfr->maxtime_timer); + + /* + * Allocate a temporary buffer for the uncompressed response + * message data. The buffer size must be 65535 bytes + * (NS_CLIENT_TCP_BUFFER_SIZE): small enough that compressed + * data will fit in a single TCP message, and big enough to + * hold a maximum-sized RR. + * + * Note that although 65535-byte RRs are allowed in principle, they + * cannot be zone-transferred (at least not if uncompressible), + * because the message and RR headers would push the size of the + * TCP message over the 65536 byte limit. + */ + mem = isc_mem_get(mctx, len); + isc_buffer_init(&xfr->buf, mem, len); + + /* + * Allocate another temporary buffer for the compressed + * response message. + */ + mem = isc_mem_get(mctx, len); + isc_buffer_init(&xfr->txbuf, (char *)mem, len); + xfr->txmem = mem; + xfr->txmemlen = len; + + /* + * These MUST be after the last "goto failure;" / CHECK to + * prevent a double free by the caller. + */ + xfr->quota = quota; + xfr->stream = stream; + + *xfrp = xfr; +} + +/* + * Arrange to send as much as we can of "stream" without blocking. + * + * Requires: + * The stream iterator is initialized and points at an RR, + * or possibly at the end of the stream (that is, the + * _first method of the iterator has been called). + */ +static void +sendstream(xfrout_ctx_t *xfr) { + dns_message_t *tcpmsg = NULL; + dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */ + isc_result_t result; + dns_rdataset_t *qrdataset; + dns_name_t *msgname = NULL; + dns_rdata_t *msgrdata = NULL; + dns_rdatalist_t *msgrdl = NULL; + dns_rdataset_t *msgrds = NULL; + dns_compress_t cctx; + bool cleanup_cctx = false; + bool is_tcp; + int n_rrs; + + isc_buffer_clear(&xfr->buf); + isc_buffer_clear(&xfr->txbuf); + + is_tcp = ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0); + if (!is_tcp) { + /* + * In the UDP case, we put the response data directly into + * the client message. + */ + msg = xfr->client->message; + CHECK(dns_message_reply(msg, true)); + } else { + /* + * TCP. Build a response dns_message_t, temporarily storing + * the raw, uncompressed owner names and RR data contiguously + * in xfr->buf. We know that if the uncompressed data fits + * in xfr->buf, the compressed data will surely fit in a TCP + * message. + */ + + dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, + &tcpmsg); + msg = tcpmsg; + + msg->id = xfr->id; + msg->rcode = dns_rcode_noerror; + msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA; + if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0) { + msg->flags |= DNS_MESSAGEFLAG_RA; + } + CHECK(dns_message_settsigkey(msg, xfr->tsigkey)); + CHECK(dns_message_setquerytsig(msg, xfr->lasttsig)); + if (xfr->lasttsig != NULL) { + isc_buffer_free(&xfr->lasttsig); + } + msg->verified_sig = xfr->verified_tsig; + + /* + * Add a EDNS option to the message? + */ + if ((xfr->client->attributes & NS_CLIENTATTR_WANTOPT) != 0) { + dns_rdataset_t *opt = NULL; + + CHECK(ns_client_addopt(xfr->client, msg, &opt)); + CHECK(dns_message_setopt(msg, opt)); + /* + * Add to first message only. + */ + xfr->client->attributes &= ~NS_CLIENTATTR_WANTNSID; + xfr->client->attributes &= ~NS_CLIENTATTR_HAVEEXPIRE; + } + + /* + * Account for reserved space. + */ + if (xfr->tsigkey != NULL) { + INSIST(msg->reserved != 0U); + } + isc_buffer_add(&xfr->buf, msg->reserved); + + /* + * Include a question section in the first message only. + * BIND 8.2.1 will not recognize an IXFR if it does not + * have a question section. + */ + if (!xfr->question_added) { + dns_name_t *qname = NULL; + isc_region_t r; + + /* + * Reserve space for the 12-byte message header + * and 4 bytes of question. + */ + isc_buffer_add(&xfr->buf, 12 + 4); + + qrdataset = NULL; + result = dns_message_gettemprdataset(msg, &qrdataset); + if (result != ISC_R_SUCCESS) { + goto failure; + } + dns_rdataset_makequestion(qrdataset, + xfr->client->message->rdclass, + xfr->qtype); + + result = dns_message_gettempname(msg, &qname); + if (result != ISC_R_SUCCESS) { + goto failure; + } + isc_buffer_availableregion(&xfr->buf, &r); + INSIST(r.length >= xfr->qname->length); + r.length = xfr->qname->length; + isc_buffer_putmem(&xfr->buf, xfr->qname->ndata, + xfr->qname->length); + dns_name_fromregion(qname, &r); + ISC_LIST_INIT(qname->list); + ISC_LIST_APPEND(qname->list, qrdataset, link); + + dns_message_addname(msg, qname, DNS_SECTION_QUESTION); + xfr->question_added = true; + } else { + /* + * Reserve space for the 12-byte message header + */ + isc_buffer_add(&xfr->buf, 12); + msg->tcp_continuation = 1; + } + } + + /* + * Try to fit in as many RRs as possible, unless "one-answer" + * format has been requested. + */ + for (n_rrs = 0;; n_rrs++) { + dns_name_t *name = NULL; + uint32_t ttl; + dns_rdata_t *rdata = NULL; + + unsigned int size; + isc_region_t r; + + msgname = NULL; + msgrdata = NULL; + msgrdl = NULL; + msgrds = NULL; + + xfr->stream->methods->current(xfr->stream, &name, &ttl, &rdata); + size = name->length + 10 + rdata->length; + isc_buffer_availableregion(&xfr->buf, &r); + if (size >= r.length) { + /* + * RR would not fit. If there are other RRs in the + * buffer, send them now and leave this RR to the + * next message. If this RR overflows the buffer + * all by itself, fail. + * + * In theory some RRs might fit in a TCP message + * when compressed even if they do not fit when + * uncompressed, but surely we don't want + * to send such monstrosities to an unsuspecting + * secondary. + */ + if (n_rrs == 0) { + xfrout_log(xfr, ISC_LOG_WARNING, + "RR too large for zone transfer " + "(%d bytes)", + size); + /* XXX DNS_R_RRTOOLARGE? */ + result = ISC_R_NOSPACE; + goto failure; + } + break; + } + + if (isc_log_wouldlog(ns_lctx, XFROUT_RR_LOGLEVEL)) { + log_rr(name, rdata, ttl); /* XXX */ + } + + result = dns_message_gettempname(msg, &msgname); + if (result != ISC_R_SUCCESS) { + goto failure; + } + isc_buffer_availableregion(&xfr->buf, &r); + INSIST(r.length >= name->length); + r.length = name->length; + isc_buffer_putmem(&xfr->buf, name->ndata, name->length); + dns_name_fromregion(msgname, &r); + + /* Reserve space for RR header. */ + isc_buffer_add(&xfr->buf, 10); + + result = dns_message_gettemprdata(msg, &msgrdata); + if (result != ISC_R_SUCCESS) { + goto failure; + } + isc_buffer_availableregion(&xfr->buf, &r); + r.length = rdata->length; + isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length); + dns_rdata_init(msgrdata); + dns_rdata_fromregion(msgrdata, rdata->rdclass, rdata->type, &r); + + result = dns_message_gettemprdatalist(msg, &msgrdl); + if (result != ISC_R_SUCCESS) { + goto failure; + } + msgrdl->type = rdata->type; + msgrdl->rdclass = rdata->rdclass; + msgrdl->ttl = ttl; + if (rdata->type == dns_rdatatype_sig || + rdata->type == dns_rdatatype_rrsig) + { + msgrdl->covers = dns_rdata_covers(rdata); + } else { + msgrdl->covers = dns_rdatatype_none; + } + ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link); + + result = dns_message_gettemprdataset(msg, &msgrds); + if (result != ISC_R_SUCCESS) { + goto failure; + } + result = dns_rdatalist_tordataset(msgrdl, msgrds); + INSIST(result == ISC_R_SUCCESS); + + ISC_LIST_APPEND(msgname->list, msgrds, link); + + dns_message_addname(msg, msgname, DNS_SECTION_ANSWER); + msgname = NULL; + + xfr->stats.nrecs++; + + result = xfr->stream->methods->next(xfr->stream); + if (result == ISC_R_NOMORE) { + xfr->end_of_stream = true; + break; + } + CHECK(result); + + if (!xfr->many_answers) { + break; + } + /* + * At this stage, at least 1 RR has been rendered into + * the message. Check if we want to clamp this message + * here (TCP only). + */ + if ((isc_buffer_usedlength(&xfr->buf) >= + xfr->client->sctx->transfer_tcp_message_size) && + is_tcp) + { + break; + } + } + + if (is_tcp) { + isc_region_t used; + CHECK(dns_compress_init(&cctx, -1, xfr->mctx)); + dns_compress_setsensitive(&cctx, true); + cleanup_cctx = true; + CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf)); + CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0)); + CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0)); + CHECK(dns_message_renderend(msg)); + dns_compress_invalidate(&cctx); + cleanup_cctx = false; + + isc_buffer_usedregion(&xfr->txbuf, &used); + + xfrout_log(xfr, ISC_LOG_DEBUG(8), + "sending TCP message of %d bytes", used.length); + + /* System test helper options to simulate network issues. */ + if (ns_server_getoption(xfr->client->manager->sctx, + NS_SERVER_TRANSFERSLOWLY)) + { + /* Sleep for a bit over a second. */ + select(0, NULL, NULL, NULL, + &(struct timeval){ 1, 1000 }); + } + if (ns_server_getoption(xfr->client->manager->sctx, + NS_SERVER_TRANSFERSTUCK)) + { + /* Sleep for a bit over a minute. */ + select(0, NULL, NULL, NULL, + &(struct timeval){ 60, 1000 }); + } + + isc_nmhandle_attach(xfr->client->handle, + &xfr->client->sendhandle); + if (xfr->idletime > 0) { + isc_nmhandle_setwritetimeout(xfr->client->sendhandle, + xfr->idletime); + } + isc_nm_send(xfr->client->sendhandle, &used, xfrout_senddone, + xfr); + xfr->sends++; + xfr->cbytes = used.length; + } else { + xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response"); + + /* System test helper options to simulate network issues. */ + if (ns_server_getoption(xfr->client->manager->sctx, + NS_SERVER_TRANSFERSLOWLY)) + { + /* Sleep for a bit over a second. */ + select(0, NULL, NULL, NULL, + &(struct timeval){ 1, 1000 }); + } + if (ns_server_getoption(xfr->client->manager->sctx, + NS_SERVER_TRANSFERSTUCK)) + { + /* Sleep for a bit over a minute. */ + select(0, NULL, NULL, NULL, + &(struct timeval){ 60, 1000 }); + } + + ns_client_send(xfr->client); + xfr->stream->methods->pause(xfr->stream); + isc_nmhandle_detach(&xfr->client->reqhandle); + xfrout_ctx_destroy(&xfr); + return; + } + + /* Advance lasttsig to be the last TSIG generated */ + CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig)); + +failure: + if (msgname != NULL) { + if (msgrds != NULL) { + if (dns_rdataset_isassociated(msgrds)) { + dns_rdataset_disassociate(msgrds); + } + dns_message_puttemprdataset(msg, &msgrds); + } + if (msgrdl != NULL) { + ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link); + dns_message_puttemprdatalist(msg, &msgrdl); + } + if (msgrdata != NULL) { + dns_message_puttemprdata(msg, &msgrdata); + } + dns_message_puttempname(msg, &msgname); + } + + if (tcpmsg != NULL) { + dns_message_detach(&tcpmsg); + } + + if (cleanup_cctx) { + dns_compress_invalidate(&cctx); + } + /* + * Make sure to release any locks held by database + * iterators before returning from the event handler. + */ + xfr->stream->methods->pause(xfr->stream); + + if (result == ISC_R_SUCCESS) { + return; + } + + if (xfr->client->sendhandle != NULL) { + isc_nmhandle_detach(&xfr->client->sendhandle); + } + + xfrout_fail(xfr, result, "sending zone data"); +} + +static void +xfrout_ctx_destroy(xfrout_ctx_t **xfrp) { + xfrout_ctx_t *xfr = *xfrp; + *xfrp = NULL; + + INSIST(xfr->sends == 0); + + isc_nm_timer_stop(xfr->maxtime_timer); + isc_nm_timer_detach(&xfr->maxtime_timer); + + if (xfr->stream != NULL) { + xfr->stream->methods->destroy(&xfr->stream); + } + if (xfr->buf.base != NULL) { + isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length); + } + if (xfr->txmem != NULL) { + isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen); + } + if (xfr->lasttsig != NULL) { + isc_buffer_free(&xfr->lasttsig); + } + if (xfr->quota != NULL) { + isc_quota_detach(&xfr->quota); + } + if (xfr->ver != NULL) { + dns_db_closeversion(xfr->db, &xfr->ver, false); + } + if (xfr->zone != NULL) { + dns_zone_detach(&xfr->zone); + } + if (xfr->db != NULL) { + dns_db_detach(&xfr->db); + } + + isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr)); +} + +static void +xfrout_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) { + xfrout_ctx_t *xfr = (xfrout_ctx_t *)arg; + + REQUIRE((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0); + + INSIST(handle == xfr->client->handle); + + xfr->sends--; + INSIST(xfr->sends == 0); + + isc_nmhandle_detach(&xfr->client->sendhandle); + + /* + * Update transfer statistics if sending succeeded, accounting for the + * two-byte TCP length prefix included in the number of bytes sent. + */ + if (result == ISC_R_SUCCESS) { + xfr->stats.nmsg++; + xfr->stats.nbytes += xfr->cbytes; + } + + if (xfr->shuttingdown) { + xfrout_maybe_destroy(xfr); + } else if (result != ISC_R_SUCCESS) { + xfrout_fail(xfr, result, "send"); + } else if (!xfr->end_of_stream) { + sendstream(xfr); + } else { + /* End of zone transfer stream. */ + uint64_t msecs, persec; + + inc_stats(xfr->client, xfr->zone, ns_statscounter_xfrdone); + isc_time_now(&xfr->stats.end); + msecs = isc_time_microdiff(&xfr->stats.end, &xfr->stats.start); + msecs /= 1000; + if (msecs == 0) { + msecs = 1; + } + persec = (xfr->stats.nbytes * 1000) / msecs; + xfrout_log(xfr, xfr->poll ? ISC_LOG_DEBUG(1) : ISC_LOG_INFO, + "%s ended: " + "%" PRIu64 " messages, %" PRIu64 " records, " + "%" PRIu64 " bytes, " + "%u.%03u secs (%u bytes/sec) (serial %u)", + xfr->mnemonic, xfr->stats.nmsg, xfr->stats.nrecs, + xfr->stats.nbytes, (unsigned int)(msecs / 1000), + (unsigned int)(msecs % 1000), (unsigned int)persec, + xfr->end_serial); + + /* + * We're done, unreference the handle and destroy the xfr + * context. + */ + isc_nmhandle_detach(&xfr->client->reqhandle); + xfrout_ctx_destroy(&xfr); + } +} + +static void +xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) { + xfr->shuttingdown = true; + xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s", msg, + isc_result_totext(result)); + xfrout_maybe_destroy(xfr); +} + +static void +xfrout_maybe_destroy(xfrout_ctx_t *xfr) { + REQUIRE(xfr->shuttingdown); + + ns_client_drop(xfr->client, ISC_R_CANCELED); + isc_nmhandle_detach(&xfr->client->reqhandle); + xfrout_ctx_destroy(&xfr); +} + +static void +xfrout_client_timeout(void *arg, isc_result_t result) { + xfrout_ctx_t *xfr = (xfrout_ctx_t *)arg; + + xfr->shuttingdown = true; + xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s", "aborted", + isc_result_totext(result)); +} + +/* + * Log outgoing zone transfer messages in a format like + * : transfer of : + */ + +static void +xfrout_logv(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass, + int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0); + +static void +xfrout_logv(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass, + int level, const char *fmt, va_list ap) { + char msgbuf[2048]; + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf)); + vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); + ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT, + level, "transfer of '%s/%s': %s", namebuf, classbuf, + msgbuf); +} + +/* + * Logging function for use when a xfrout_ctx_t has not yet been created. + */ +static void +xfrout_log1(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass, + int level, const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); + xfrout_logv(client, zonename, rdclass, level, fmt, ap); + va_end(ap); +} + +/* + * Logging function for use when there is a xfrout_ctx_t. + */ +static void +xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); + xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap); + va_end(ap); +} -- cgit v1.2.3